FBI Mobility Program Office Unit Chief David Waters explained why the bureau treats the smartphone — not the data center — as the practical security perimeter for agents working “anytime, anywhere.”
“That is our security perimeter. Getting that data to agents, where they actually access their data, that’s the security perimeter,” he said.
Waters’ office “does pretty much everything mobile” for the bureau, including devices, mission apps and the integrations that make them usable in the field. The mission is simple to state but hard to execute: Ensure that personnel can securely reach the information they need, wherever they are.
“Those that are out in the field have access to information anytime, anywhere,” he said, addressing last October’s Google Cloud Public Sector Summit in Washington, D.C.
That edge-first reality shapes how the FBI thinks about risk. Agents often operate on untrusted networks, domestically and overseas, where capable adversaries probe phones as the easiest path into sensitive systems. The response, Waters said, is to control as much of the stack as possible — “the chain of custody from the hardware to the software to the app vetting and everything” — so the device itself becomes a hardened boundary.
Standardize the Hardware and Software Stack, Then Harden Devices
Before the pivot, fragmentation slowed the team and raised risk.
“We had four devices that had different operating systems, different patch levels, a very complex way of updating those devices that was very hard to manage,” Waters said. Some builds fell out of support; patch reality varied by model and carrier.
The remedy was consolidation on Google Android smartphones, around a unified, identity-centric stack with strict, end-to-end controls.
“Our goal was to simplify the chain of custody, from the hardware to the software stack to the mobile apps, so it’s easier for my team to manage those devices,” Waters said. That simplification enabled firmer policy enforcement, especially on software supply. “We have a very rigorous app vetting process. We don’t just allow any app,” he added.
That control is not theoretical. Waters cited threats “from the hardware, the software, to the carrier networks” and described close work with platform providers — including Android Enterprise — to harden devices, close vulnerabilities faster and support global operations. The objective is “controlling that whole unified stack.”
Treat Phones as Sensors
Even as cloud and network telemetry have improved, Waters argued, mobile endpoints must emit better, richer signals for security operations.
“One of the biggest tools for us is our mobile device,” he said. He wants vendors to surface more actionable data “about that device, that vector, so we can leverage that” in real time. That feeds analytics with ground-truth posture — from device health and configuration to app behavior — so response can be faster and more precise.
Simplify ‘From Silicon to Cloud’
Waters’ guiding principle is plain: less complexity equals less risk.
“Simplify as much as possible, from the silicon all the way to the cloud. Simplify it as much as possible so it’s easier in the moment,” he said. Standardizing models and operating systems cuts configuration drift, accelerates updates and reduces the attack surface in ways teams can measure.
Waters’ recommendations:
- Inventory and reduce variants. Start with a clear map of device models, OS lines and patch levels, then narrow support. Waters’ experience shows that fragmentation drives overhead and slows remediation.
- Enforce an allow list and rigorous app vetting. Treat mobile software as a supply chain risk; require evidence of security posture and update cadence for apps allowed onto mission devices.
- Integrate device telemetry into SecOps. Demand higher-fidelity signals from endpoints and wire them into detection and response workflows so policy can close loops automatically at the edge.
- Control the chain of custody. Align hardware roots of trust, OS security features, identity and app controls so there are fewer seams to exploit—especially on untrusted carrier networks abroad.
- Measure what matters. Unification is not a tool count; it’s about faster, provable outcomes, including patch latency, mobile endpoint detection and response coverage, phishing catch rates on devices and mean time to respond when alerts originate at the edge.
For the FBI’s Mobility Program Office, smartphones are no longer a peripheral risk to be managed — they’re the front door to mission data and therefore the security edge. Waters’ message to federal peers is clear: Collapse complexity, control the stack and instrument the devices people actually use. After implementing these steps, the edge stops being the softest target and becomes an asset that speeds operations without compromising them.
Photo courtesy of the FBI