Security Shouldn't Be an Afterthought
Defining the Federal Mobile Strategy
Federal Chief Information Officer Steven VanRoekel is outlining an initiative to seize on what he characterizes as "the mobile revolution" to fundamentally change the way the government serves the public and its employees through the Internet.
The initiative, known as the Federal Mobile Strategy, consists of six key components:
- Incorporate the power and possibilities of mobility into federal government efforts.
- Build mobile technologies/services for reuse and share common services among agencies and public developers.
- Efficiently manage mobile and wireless acquisition, inventory and expenses.
- Create a government-wide foundation to provide mobility services and functionality needed in all agencies.
- Foster collaboration to accelerate mobility across government.
- Establish governance structure for federal mobility.
Not explicitly mentioned in these six components are security and privacy. In addressing the mobility initiative this past week, VanRoekel made passing references to security and privacy in a speech delivered at the Consumer Electronics Show in Las Vegas and in a White House blog:
"There is more we can do to seize the mobile opportunity, and we need to be bold in doing it. ... We need to reexamine how we build applications and services. We need to focus on the fundamentals, ensure security and privacy concerns are addressed, and incorporate Shared First and Future First principles into everything we do. This doesn't mean reinventing the wheel. Models such as FedRAMP are already helping the government 'build once, use many times,' and these innovations can be extended to mobile."
Security and privacy shouldn't be afterthoughts.
Perhaps in VanRoekel's mind, security and privacy are givens. In his first speech as federal CIO on Oct. 25 (see Hand-in-Hand: Security and Innovation), VanRoekel outlined the Shared First and Future First principles, saying:
"We shouldn't make the false choice between security and innovation. In fact, innovation can make us more secure as long as we build security into everything we do."
The Federal Risk and Authorization Management Program (see FedRAMP Security Controls Unveiled) is a collaborative vetting process federal agencies will follow to select cloud providers, with security at its core.
The Federal Mobile Strategy involves soliciting suggestions from the public at the website mobility-strategy.ideascale.com on how to implement it. A few of the suggestions posted noted the dearth of security in the strategy:
"As I was reviewing the draft strategy, I found it really surprising with all the issues of BYOD, Privacy, Data @ Rest, DataNTransit and DataNUse that there is no mention of IT, IA (information assurance) or cybersecurity."
And, in another post:
"The civilian side of the federal government currently has no common policies or guidelines in place on how to evaluate, validate, protect or secure mobile technologies - including mobile infrastructure, mobile devices, mobile apps, mobile data practices, etc. I suggest that the government create reasonable security guidelines so that the important work of protecting the federal computing infrastructure is not duplicated in every agency or is not done at all. We can have both reduced expenses and increased security with a little strategy and execution."
As of Friday afternoon, 31 ideas about how to execute a federal mobile strategy had been posted. You can add your thoughts through Jan. 20.
Let's hope security and privacy are ingrained in every aspect of the Federal Mobile Strategy by the time it becomes official federal government policy.