Most agencies have some kind of bring-your-own-device policy, ranging from prohibition to qualified acceptance. However, when federal employees are teleworking, some BYOD creep can't be helped — even if an employee is using a government laptop, they're connecting over their personal WiFi.
At the same time, instances of malware tend to spike during holidays, snowstorms and any other time people are spending more time than usual at home.
To help agencies cope, the National Institute of Standards and Technology recently updated its telework BYOD guidance.
"Organizations are realizing that many data breaches occur when attackers can steal important information from a network by first attacking computers used for telework," said Murugiah Souppaya, a NIST computer scientist. "To prevent breaches when people are teleworking, organizations need to have stronger control over their sensitive data that can be accessed by — or stored on — telework devices."
The updated NIST documents — 800-46 and 800-114 — outline the new threat space created by the spread of BYOD and offers two new technologies that can help agencies manage the risks.
The first is a virtual mobile infrastructure (VMI), similar to a virtual desktop environment but engineered for mobile devices like phones and tablets. The virtue of a VMI solution is the temporary environment and the data used within are destroyed after the session ends, limiting what thieves can access through the device.
The second is a mobile device management (MDM) program, which pushes security policies down onto mobile devices from a central point, like an agency security operations center.
Along with tips for agencies, the draft documents also advises employees to thoroughly understand their department's BYOD policies.
The two documents are open for comment through April 15.
Aaron Boyd is an awarding-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.