There is a theme emerging in federal IT when it comes to mobile computing, and it goes something like this: We get mobility, now we need to make it useful.
What seemed like a significant IT challenge a short time ago now appears more manageable, and agencies are moving beyond their focus on which mobile devices employees should be allowed to carry and zeroing in on secure mobile applications.
“The fact that mobility has maybe moved a little bit to the background in terms of being an explicit area of focus is to some extent a recognition of all the progress we’ve made in mobility over the last couple of years,” said Rick Holgate, chief information officer for the Bureau of Alcohol, Tobacco, Firearms and Explosives, last week at the Federal Mobile Computing Summit in Washington, D.C.
“For many of us, in early 2012, before the Digital Government Strategy was out, mobility was this very new thing, and it caused a lot of trepidation and uncertainty,” Holgate said. “The government didn’t know how to embrace consumer mobile devices and didn’t really know how to deliver capabilities on those devices.”
Fast-forward to today: The federal IT community is much more mature in its approach to mobility, Holgate said. Technologies that might have been considered novel or innovative two years ago are now, in some cases, commodities.
“If you look at capabilities like mobile device management and mobile application management, you’re now seeing those capabilities deployed at the agency level as a common shared service,” Holgate said. “Something many of us hadn’t even heard of two or three years ago, or hadn’t even thought of as something that needed to be part of our infrastructure, is now a commodity shared service. It’s a huge evolution for the federal government that we’ve made that much progress in that short amount of time.”
At this point, Holgate said, agencies have grown comfortable managing devices, they know how to support them and they’ve embraced the Mobile Security Baseline. “Now it’s a matter of, ‘How do I deliver meaningful functionality on the devices through applications? How do I secure those applications, vet those applications and get that capability into the hands of users?’” Holgate said.
Taking Mobility for a Car Wash
If users are going to carry government-approved mobile devices, they expect them to accomplish specific tasks. That requires applications, whether agency-developed or agency-vetted.
While IT executives throughout government recognize the need for mobile applications, as well as the convenience of online stores to distribute the apps, they are equally convinced that whatever apps end up on workers’ devices must be rigorously screened to determine how their behavior impacts agency security.
The Homeland Security Department stresses that its Carwash mobile app development platform is available to other agencies. Carwash allows automated testing of mobile app code to ensure it complies with federal guidance as well as Section 508 of the Workforce Rehabilitation Act, which requires IT systems to be accessible by users with disabilities.
Margie Graves, deputy chief information officer of DHS, told summit attendees that robust, open testing would be critical to mobile app deployment.
“If you build those capabilities into the platform and you’re continuously testing, not only are you putting out mobile apps that you think are in the right sweet spot, but you’re also providing a capability so that as the environment changes, you can continuously vet those apps,” Graves said.
Earlier this month, Defense Department CIO Teri Takai had a similar message regarding mobile apps. Takai said DOD would be working with industry to vet the software that comes loaded on commercial mobile devices. She also said DOD would promote a common mobile-development framework and automated application-vetting tools to ensure secure apps.
The Rules of Mobility Are Driven By Users
Ultimately, mobile apps must meet the needs of users; otherwise they will seek functionality elsewhere — from unvetted sources online.
“Usability has to be at the center of whatever solution you’re putting in place,” said Rob Palmer, director of information assurance at DHS, at the summit.
Palmer said that with traditional IT systems, it was acceptable for systems to be locked down. And if there was a significant business reason for certain workers to have a particular configuration, they could go through a process to have it approved.
“But that has changed somewhat in the mobile environment,” Palmer said. “There are capabilities that aren’t traditional business capabilities that are expected. They’re not wishes anymore. So we’re finding ourselves as a security community trying to enable capabilities that may or may not have been part of the traditional business model.”
Using the FBI as an example, Palmer explained that there would certainly be agencies that could justify locked-down, continuously monitored, government-issued mobile solutions. But that wouldn’t work for every agency, nor would it be necessary.
“We also envision a time where BYOD isn’t as big an issue. It’s just the way [mobility] works. And if you walk that back, there are a lot of things that have to happen before that environment is realized,” Palmer said.
Giving voice to an IT challenge many agencies now face, Palmer asked, “How are we going to do CDM [continuous diagnostics and mitigation] on mobile devices?”
Now that agencies have a handle on what they’re monitoring, they will soon figure it out.