9: Safety and Security
Promote the Safe and Secure Adoption of New Technologies Other Information:
Agencies need to continue to integrate effective security and privacy measures into the design and adoption of all new technologies
introduced to the federal environment, including mobile devices, applications, and wireless networks, consistent with existing
policies, and incorporate commercial security and privacy capabilities by default, augmenting controls and policies as required.
To enable agencies to share security testing information and prevent unnecessary duplication, the Department of Homeland Security
(DHS) and the Department of Defense (DOD) will work with the National Institute of Standards and Technology (NIST) to develop
a security baseline within 12 months that provides standardized security requirements for mobile and wireless adoption in
the Federal Government. This will include the development of mobile and wireless security reference architectures that incorporate
security and privacy by design while accounting for different agencies’ mission needs. For example, the Federal Government’s
evolving enterprise wireless networks may have varying needs to support unclassified and classified high-bandwidth traffic,
mission critical wireless coverage to in-building and terrestrial environments, and data offloading. A government-wide mobile
and wireless security baseline will enable adoption of the “do once, use many times” approach to mobile and wireless security
assessment, authorization, and continuous monitoring. Going forward, we must pilot, document, and rapidly scale new approaches
to secure data and mobile technologies and address privacy concerns (see section 3 for role of the Digital Services Advisory
Group in facilitating this process). Such pilots and documentation will help advance our security posture and communicate
the Federal Government’s expectations on product capabilities to the private sector. Shifting to the cloud is one area of
opportunity. For example, if applications, operating systems, and data reside in an appropriately secured cloud environment
rather than on a device, this will limit the potential impact to an agency in the event a device is lost, stolen, or compromised.
Other opportunity areas include adopting advanced mobile device management solutions to support continuous monitoring, strengthening
identity and access management, and accepting externally-issued credentials on public-facing websites.
Indicator(s):
|
