2023 Federal Tech Trends: Device Lifecycle Management Is Helping with Compliance

Federal agency IT leaders must equip employees for success, regardless of where they are working, whether that’s at headquarters, at home or on the road.

They must do so while securing the agency’s information across an ever-expanding range of devices — desktops, laptops, tablets, smartphones, the occasional augmented reality headset — for as long as they are in service. Add a dizzying number of BYOD mobile devices, and IT teams have their hands full.

If agencies are unable to keep track of their devices, they simply cannot ensure the security of their information or maintain regulatory compliance. The task can be overwhelming.

“There are so many things you have to comply with, and they keep coming all the time,” says Sean Frazier, federal chief security officer at Okta. “You can get compliance fatigue when you look at all the things that exist.”

Frazier names a few to illustrate his point:

• President Joe Biden’s May 2021 executive order, which evolved into an official federal cybersecurity strategy, has increased the government’s focus on zero-trust compliance.
• Lawmakers are looking to reform the Federal Information Security Modernization Act of 2014, or FISMA, which governs agencies’ cybersecurity policies.
• Biden signed the FedRAMP Authorization Act in December 2022, codifying the 2011 Federal Risk Authorization Management Program into law and establishing official oversight of cloud security for federal agencies.
• The National Institute of Standards and Technology’s Special Publication 800-53 details the cybersecurity controls that agencies can use.
• The Defense Department revamped its Cybersecurity Maturity Model Certification program in November 2021 to streamline the process of handling controlled unclassified information.

Compliance dictates what federal agencies must do and how to do it, but it also can guide IT leaders on the most critical technology elements requiring care.

Establish a Holistic View of All Devices

Device lifecycle management helps agencies by cataloging minute details of each device in the agency’s environment. Device lifecycle management also can be part of a larger IT asset management system that involves software and networking equipment.

It is a key tool for IT leaders to know where each device is in its lifecycle and when it might be time to refresh or retire the asset.

As far as compliance is concerned, device lifecycle management is a way for IT leaders to know where the agency’s information lives and how it’s secured.

“One of the biggest things is taking security into account in the entire lifecycle,” Frazier says. “We still think of things as secure after the fact. We put it out there and oh, by the way, let’s make it secure. We can’t do that.

“As IT leaders, we have to be thinking for everything we build, from the time that we have it as a thought in our brain, we should be planning what the security is for that architecture,” he says. “We have to be thinking about the security implications.”

Conversations on device lifecycles often revolve around software because, as Frazier notes, “device lifecycle is software lifecycle,” and keeping both up to date is “a never-ending prospect.”

Process and policy are foundational to IT asset management, write David Comings and Randi Coughlin of CDW in a blog post. “They can ensure that unapproved or malicious downloads are discovered on the network and help automate security and compliance practices.”

EXPLORE: Federal agencies lead other industries in zero-trust adoption.

Consider the Costs of Managing Devices

Finances can be a limiting factor when establishing a device lifecycle management system. The agency must consider the cost of acquiring new devices and the cost of managing them, including efforts to maintain security and compliance.

On one hand, keeping devices in use for a longer time lowers the overall cost of ownership, but it extends the energy and resources of the IT team to manage them.

“The longer you’re hanging on to devices, the more types of things you’re likely to be supporting — the more varieties of desktop models or laptop models, the more and different nature of cellphone platforms and operating system versions. And each time you’re dealing with that, you increase the complexity of what you’re managing,” says Scott Buchholz, CTO for Deloitte’s government and public services practice.

“Who’s going to manage them? Is it the same group if it’s a desktop or a laptop as it is for a phone or a tablet?” Buchholz continues. “That can be a real pain, because it’s not just keeping things up to date on them, but it’s also fixing them when they break, servicing them and so forth.”

On the other hand, limiting the lifecycle of devices will narrow how much time the IT team spends managing those devices, but it can drive up costs as devices are refreshed more frequently.

“How important is it that an employee has a laptop that’s no more than two or three years old? Does it matter if it’s five?” Buchholz says. “What is the value of owning the hardware and maintaining the hardware versus essentially leasing the hardware for a period of time, knowing that they are depreciating assets, knowing that the refreshed lifecycles are what they are?

“That’s the challenge of leadership: making sure you’re balancing the pros and cons of those different areas,” he says.

Click the banner below to get Insider access to exclusive articles about federal IT trends.

Get Help Managing Device Lifecycles

Some agencies have the resources to manage devices on their own. For others, working with a trusted partner can help IT leaders with the process, keeping devices up to date and shoring up compliance. CDW, for example, can provide support throughout the four pillars of the device lifecycle: discover and design, deploy, manage, and refresh and recover. Amanda Zusman, a program manager in CDW’s product and partner management practice, details how that can happen.

LEARN ABOUT: The 4 pillars of modern workspace management.

Discover and design: Agencies get help purchasing devices, including identifying their objectives and mapping out a path to achieve them.

Deploy: Agencies work with a partner to deploy devices more efficiently and cost-effectively, including imaging, configuration and inventory staging.

Manage: Agencies receive assistance in seamlessly managing devices, enhancing security, collaborating and optimizing applications.

Refresh and recover: Agencies receive support in retiring, redeploying and recycling devices.

Having a partner managing an organization’s devices and ensuring their security throughout their lifecycle frees IT teams to focus on more valuable work, Zusman writes.