BYOD and Mobile Computing at NASA
By John Sprague, Enterprise Applications Service Executive
As NASA employees, we expect “anytime, anywhere” access to our information. New devices (laptops, tablets, smartphones), applications, and operating systems bring tremendous opportunities for productivity and innovation, but they also bring challenges in securing and maintaining NASA information. In the coming months, the NASA Office of the Chief Information Officer (OCIO) will develop a formal policy to govern the use of personal devices, to be known as “Bring Your Own Device (BYOD).”
The possible benefits of BYOD to NASA employees are as varied as the many kinds of devices in use: increased productivity, higher employee morale, lowered costs, greater innovation, and better work-life balance.
NASA BYOD will encompass the policy work of the BYOD Integrated Transition Team (ITT), the Mobile Device Management Integrated Process Team (IPT), the Institute of Electrical and Electronics Engineers (IEEE) 802.1x IPT, and the future Mobile Applications Management IPT. The Mobile Device Management IPT has been developing the requirements for a commercial product that manages mobile devices.
The first step in managing mobile devices was the implementation of Exchange ActiveSync policies on all NASA e-mail accounts on September 10, 2013. Notices regarding this change went out via e-mail in early September. These ActiveSync policies have been established to ensure that any mobile device that connects to NASA e-mail servers, whether it is Government-furnished or personally owned, meets minimum security standards. It is important to enforce these minimum standards, such as basic lock out code protection, to safeguard NASA data on your device in the event that it is lost and/or falls into the wrong hands. IEEE 802.1x is an international standard for network access control, and the IEEE 802.1x IPT’s task is to identify long-term user/device network identification, authentication, and management requirements and to develop an implementation plan.
The NASA OCIO held the first BYOD ITT kickoff meeting on August 15. Team members representing Centers, Mission Directorates, the Office of the General Council, the Office of Human Capital Management, IT security, and others met to start forging a BYOD policy that fits NASA. Their main goal is to develop a formal policy governing the use of personal devices to access NASA information. Sub-teams were formed to accomplish the following tasks:
- Communicate monthly status to stakeholders and coordinate with other teams
- Identify/benchmark BYOD at other Federal agencies
- Review the Mobile Device Management and IEEE 802.1x charters
- Identify relevant NASA publication directives, regulations, and National Institute of Standards and Technology (NIST) standards
- Develop a communication plan
- Identify risks & use cases
- Develop business cases
- Recommend infrastructure changes
- Recommend incentives
- Draft policy and present it to stakeholders for approval
Looking at the big picture, BYOD falls within the category of mobility. NASA’s mobility vision, adopted at the NASA Mobility Summit Meeting in summer 2012, states that NASA personnel “will be able to securely and seamlessly access and share any authorized information, anyplace, anytime, using any device.” The aim of NASA’s mobility vision is to provide services while protecting sensitive data. Participation in BYOD is voluntary, and NASA is not compensating employees for any costs associated with using personal devices. This may change in the future, after a full BYOD policy and program are developed and considered part of the BYOD ITT process; however, those details have yet to be determined.
In the meantime, NASA employees are required to adhere to certain minimum security standards in order to be able to connect to NASA data. Minimum standards include enabling lock out code protection and updating personal devices to the latest security patches provided by vendors.
Under the current timeline, a draft BYOD policy will be presented to stakeholders by mid-February 2014. Implementation of the recommendations by the Mobile Device Management and IEEE 802.1x IPTs will follow. Although a communication plan is being developed, you can count on seeing outreach in the form of e-mail notices, frequently asked questions (FAQs), and briefings on any upcoming changes.
Protecting sensitive NASA data is a complex effort that involves managing lost or stolen devices, encryption technologies, commercial security patching, personal data, and privacy. It also requires familiarity with features on mobile devices that employees may not have used before. But the ultimate goal is to enable you, the NASA employee, to have a more functional and enhanced work environment. So what can you do? Follow current policies, support the new policy once it is finalized, and always remember to protect NASA data!
For more information, or if you have questions, please contact John Sprague at firstname.lastname@example.org or 202-558-8247.