An interagency panel chaired by the Pentagon CISO recently issued a directive for the minimum requirements that must be met for the use of government-managed mobile devices in secured spaces.
The directive — issued by the Committee on National Security Systems, which consists of top information security officials from defense, intelligence and national security agencies — lists a minimum set of requirements that must be met before a senior security official can decide whether mobile devices can be used in a controlled area that contains national security systems.
Therese Firmin, the deputy CISO of the Defense Department, explained Wednesday at the AFCEA Mobile Summit that the new directive simply allows for the use of mobile devices in secured spaces, but “it doesn’t mandate that these devices be allowed [there].”
“It sets out a whole list of criteria, and you need to document your risk acceptance decision behind that,” said Firmin, whose boss — DOD CISO Essye Miller — signed the directive as chair of the CNSS.
The document takes into account both environmental and device-specific considerations, such as the known vulnerabilities of a device or uncontrolled adjacent spaces.
But more than anything, once the basic criteria are met, it is a judgment call by the “risk-decision owner” based on the mission need.
“So what mission are you wanting to promote by bringing devices into your secure area?” Firmin said. “Things like counterintelligence, cover, testing, training, research and development are all valid missions, but it’s up to that security authority in consultation with the authorizing official to make that final decision on whether or not they’re going to allow that to happen.”
For that reason, an approval for one secured area is “not a blanket approval,” she said. The directive explains that a “[cognizant security authority] may disallow the introduction and use of a mobile device in one secure space but allow the introduction and use of the same mobile device in another secure space, based on the CSA’s risk determination and the considerations above.”
The directive does not apply to sensitive compartmented information facilities, better known as SCIFs, or to special access program facilities. And in no case is a mobile device that is not government-managed allowed in a secured space.
The directive comes on the heels of the Defense Department CIO issuing a separate policy in October that set the baseline requirements for downloading applications to Pentagon devices.
“It allows us to let the user operate their devices as they would their own personal devices in some sense,” Firmin said. “But we make a clear separation between managed applications and unmanaged applications,” the latter of which can be used with approval from an authorizing official. She said the two types of applications are required to be separated in the device so they don’t interact. “How that’s done is up to the vendor.”