Q&A: Update on FISMA Mobility Metrics for Federal Agency Leaders

A core part of enhancing mobile security of the federal government are the requirements outlined in the Federal Information Security Modernization Act of 2014 (FISMA), which requires agency leaders to embrace unified security protections for their networks.

Through this effort, program officials and the head of each agency conduct annual reviews of information security programs, and report on their compliance via the FISMA Scorecard and external audits, such as those conducted by the U.S. Government Accountability Office (GAO).

Victoria Mosby, Federal Sales Engineer for Lookout, recently participated in the 2019 ATARC Mobile Technology Summit panel titled, “Mobile Security and FISMA Metrics,” which provided a working discussion for the further development of the FISMA mobility metrics.

In this Q&A, Mosby shares the following insights into the topics that were covered at the panel, and what more needs to be done to strengthen government’s overall mobile security posture.

‍

In terms of the FISMA mobility metrics, please explain why proper definitions are important when it comes to “mobile devices” and “mobile endpoint.”

Mosby: During the session, several members of the government in attendance made it clear that they have a hard time identifying what is meant by “mobile devices” and “mobile endpoints.”

The confusion stems largely from the definition of what counts as “mobile.” Smartphones and tablets clearly fall into that scope, but many argue that laptops would technically be included as well. Some panelists also brought up how “mobile” is also a term for any device that actively sits outside of the agency’s network, but still has access to agency data and resources (i.e. raspberry pi, mobile hotspots, etc.).

In order to ensure all parties – across agencies and internal units (i.e. IT, Operations, Security, etc) – pull the same metrics, a formal definition of what is meant by “Mobile Devices/Endpoints” as it pertains to FISMA mobility metrics needs to be established.

As of right now, the existing mobility metrics within FISMA focus on MDMs which in turn would be related to smartphones and tablets. If this is the line FISMA wants to continue with, that should be made clear with any newly established metrics.

‍

What are some of the new metrics that have been discussed in the working group?

Mosby: During our session, we came up with a short list of high-level metrics that we believe would provide value to FISMA and agencies. Many of these point to the need for agencies to enhance their overall device inventory processes for better management and understanding of overall usage by employees. Following are the metrics we came up with at the conference:

1. Number of mobile devices (both GFE and non-GFE)
2. Number of managed mobile devices (i.e. those managed by an EMM/MDM, this can be GFE or non-GFE)
3. Number of devices that locally store PII and/or agency data
4. Number of devices that can remotely access PII and/or agency data

As part of our discussion about actual metrics, there was a general consensus that additional granularity would be helpful, especially when it comes to the number of mobile devices. The panel participants believe that the number of devices is an important metric that should be part of the FISMA requirements.

‍

What trends around device and OS vulnerabilities were discussed?

Mosby: During our discussion about metrics of value, there was a segue into collecting certain information for trending purposes. The recommendations below were made with smartphones and tablets specifically in mind, but could likely be expanded to include other endpoint devices.

The purpose of these particular data metrics was to observe and understand, over time, which agencies were likely more susceptible to device/OS vulnerabilities because of the type of devices they allowed access to their data within their fleet.

More specifically, allowing devices with a high number of vulnerabilities or those unable to update to the latest OS/SP puts the agency and its data at risk of compromise. Having statistical trends for each agency would allow OMB, and other budgetary sources, to properly allocate resources to those agencies for upgrades, or put out policies that require only up-to-date devices be allowed access to agency data.

• Number of compromises by device type over X months
• Number of devices w/ active vulnerabilities at the Operating System or Security Patch level
• Number of active devices in the agency’s fleet that cannot be updated to the latest OS/SP due to device sunsetting
• Number of active devices in the agency’s fleet whose OS/SP will be sunset in the next one-three months

‍

Please tell us about the need for training when it comes to mobile devices.

Mosby: Many of the government attendees in the sessions pointed out that they, and many of their colleagues, aren’t familiar with the differences between enterprise mobility management (EMM)/ mobile device management (MDM), mobile app vetting, and mobile threat protection (MTD), and how each of these solutions play a key role in the ecosystem of a mobile device security framework.

Many agencies have an EMM/MDM to manage their mobile devices from an asset tracking and IT and compliance policy perspective. An EMM/MDM is primarily a configuration management and policy enforcement tool. This tool allows them to set specific rules for their mobile devices that have to be followed or access to agency data and resources is revoked. In some cases, it can even result is the locking or wiping of the overall device. However, that’s generally the extent of an EMM/MDM’s purview.

In order to truly understand the security ecosystem of a given device, the agency would need to implement a mobile threat protection solution, like Lookout, which can monitor the device’s app inventory, system files, network connections and more for malicious activity.

This in-depth visibility into the security health of the device can further update the EMM/MDM with the state of the device, and apply IT and compliance policies against the device when issues arise.

Digging deeper, a mobile app vetting solution allows administrators to truly understand the scope and security of the code and libraries of a given app (typically in-house built applications). These in-depth teardowns of mobile apps can provide in-house development teams with visibility into their own coding practices and ensure that their apps meeting government compliance standards such as STIGs, NIST and NIAP controls.

Mobile app vetting is also useful for evaluating third-party applications, especially those installed on Bring Your Own Devices/Company Owned/Personally Enabled (BYOD/COPE) devices. Lookout actually provides app analysis risk reports on all apps in an agency’s inventory.

Only Lookout delivers comprehensive mobile security to federal agencies to secure both devices and internal app stores while protecting employee privacy. Learn more.