Federal Agencies Face Mobile Tech Catch-22
Government agencies are caught between the desire to use the latest mobile technology and the need to stay compliant with security guidelines. "At the federal level, a lot of the technology issues are being addressed, but a lot of the policies and processes still need attention," said Dan Kent, federal chief technology officer for Cisco Systems.
01/08/13 5:00 AM PT
Federal agencies, far from settling for the status quo normally associated with government, are trying to keep up with the times and have solidly embraced mobile IT. The problem, however, is that they are frustrated by the inability to fully exploit the technology by having to meet federal operational requirements.
In a survey of 21 major agencies, the federal Chief Information Officers Council (CIO) found that "all but one of the agencies and sub-organizations interviewed have expanded, or are planning to expand, user options for mobile technologies beyond current implementations of laptops and mobile devices, often including newer models of smart phones and tablet computing devices."
In a report released in mid-December, the CIO described the challenges agencies face to fully deploy mobile IT.
"Agency senior executives understand that the use of mobile devices and tools is an immediate challenge, not one on the distant horizon. Agencies are already moving ahead with implementation of mobile technology and some are currently accepting the risks of the gaps identified in this report," the CIO said.
The gaps that need to be addressed are related to three major components:
- Security and Privacy: Gaps exist between federal security and privacy requirements and the availability of products that implement the required protections for user authentication, data encryption, application security testing and device sanitization.
- Policy and Legal: There is a continuing need to ensure that existing policies accommodate agency needs involving guidance and best practices, business and technical requirements, and the lack of legal precedent.
- Application and Infrastructure: Gaps also exist between the goals of supporting multiple devices and the cross-platform infrastructure needed for applications and devices involving legacy applications, infrastructure for mobile device management and network connectivity.
Vendors Concur on Challenges
The impediments identified in the report have been observed elsewhere.
"In general I would have to agree with the tone of the report on the challenges it cited," Dan Kent, federal chief technology officer for Cisco Systems, told the E-Commerce Times. "At the federal level, a lot of the technology issues are being addressed, but a lot of the policies and processes still need attention. At the operational level, where technology and policy are supposed to come together, I would say the government may be a year or two behind the commercial sector in mobile IT."
The issues highlighted in the report "are consistent with the challenges that many of our government customers have articulated," regarding mobile devices, said Tiffany Jones, area director for public sector programs and strategy at Symantec.
In addition to technical and operational factors, there is the financial and procurement issue. "There is a cost associated with the deployment of any new technology. Agencies must perform a rigorous analysis to understand the costs associated with devices, data plans, applications, and supporting infrastructure, and quantify how the technology will improve their ability to accomplish their mission," the report said. The lack of a government-wide contract vehicle for devices and data plans was noted as a cost barrier by agencies.
The CIO recommended that agencies define requirements for management and applications around various case uses to facilitate the adoption of mobile IT. The Council suggested using either federal-wide or agency policy and guidance to support flexible use of commercial devices, and developing an acquisition strategy that complies with government-wide policies and standards. Additionally, the council recommended that agencies assess the technical, legal, and privacy issues associated with bring your own device, and to continue the development of authentication and encryption protocols.
The Cost and Risk of Delay
However useful such policies might be, the nature of mobile technology introduces a sort of catch-22 factor. Waiting for the development of government policies incurs the risk of losing the benefits associated with mobile technologies.
"I'm not so sure a general procurement policy would address all the significant issues, although it might streamline the acquisition process," said Kent. "If you wait for all these policies to emerge you impede a lot of innovation from happening and the productivity enhancements that accompany them," he said. "The best way for the agencies to proceed is through the use of pilot procurement and deployment programs. You can learn a lot about encryption, or access, or other risks with a prudent pilot initiative," he said. Such an approach would allow for taking advantage of the technology while limiting much of the risk.
"We haven't been hearing too much about the lack of a general procurement policy, although if the General Services Administration rolled one out it might be helpful. What we found is that so many federal workers already have their own devices, their big problem is the ability to use those devices at work," Tiffany Jones, area director for public sector programs and strategy at Symantec, told the E-Commerce Times. "The bigger issues are the operational and security concerns."
The CIO report actually reflected the conflict between agencies waiting for some government-wide procurement and operation policy, and incurring the risks of immediate deployment of mobile IT.
"Some agencies are well into the planning stages for mobile technologies and will not delay deployment in anticipation of an acquisition vehicle," the report said.
"There is never going to be a single policy that will solve all of the issues associated with mobile device adoption," Parham Eftekhari, cofounder and executive vice president of the Government Technology Research Alliance, told the E-Commerce Times. "I found it interesting that not once in the entire report did I see the word 'culture' or 'training' used," he said. Often agencies mention technical impediments to technology adoption, whereas people and cultural issues are cited as the most important elements for success. "Without a culture that supports change and people well trained with regard to security, no mobile deployment will be successful."
The numerous barriers to mobile adoption indicate that federal agencies should utilize a holistic approach to securely deploy mobile IT, Eftekhari said. "The key to success is for agencies to first do the due diligence on their unique needs, concerns, and environments and then use the insights from multiple sources to develop a strategy that ensures security, better efficiency and smart use of taxpayer dollars."
Private Sector Has Much to Offer
While the CIO report covered significant factors dealing with device operation, security, and deployment, Jones observed that it did not fully address other issues, especially the protection of information that is communicated through, and stored by, mobile devices.
"There was very little focus on the aspect of providing access to highly valuable and even sensitive information," she said. "Today, a growing set of threat actors are not looking to access a mobile device as the end goal, but rather to get access to the information on that device or to gain access to the cloud that the device is accessing. There is a critical role for industry to play to help educate the federal government on information protection and mobility best practices, development of use cases, and establishment of standards."
Cisco and Symantec have developed offerings that have contributed to the productive and secure use of mobile IT in the private sector. Some of these offerings have either been modified for government agency use or could be easily adopted to fulfill the objectives posed by the CIO, according to both companies.
"The federal government must work collaboratively with industry to bridge the security gaps present in today's smart phones, tablets, and other mobile devices, while continuing to identify policy and legal issues that may need to be addressed to accommodate these new technologies and better fulfill agency mission requirements," the Council said.