When former federal chief information officer Vivek Kundra first brought up the idea of federal employees using their own smartphones or mobile devices on their agency’s network, many scoffed at the proposal.
But in the six months since Kundra, who left government earlier this month for a five-month fellowship at Harvard, made the pronouncement, the idea of employees bringing their own device to work is not such a far-out idea after all.
At the Veterans Affairs Department, Roger Baker, VA’s chief information officer and the department’s assistant secretary in the Office of Information and Technology, said the agency is six weeks away from opening up its network to employee devices from Apple.
“We are focusing on mobile device manager (MDM) to control what connects to our network,” Baker said at a recent conference on mobility. “We plan to create an apps store to ensure security of the software running on our network.”
VA has four pilots — in Washington, D.C.; Albany, N.Y.; Battle Creek, Ill.; and Chillicothe, Ohio — testing this concept. Baker said VA’s plan to open up its network by Oct. 1 is on track.
Jaspool Sagoo, CDC’s chief technology officer, said the pilot programs are showing how employees can have limited access to email, calendar and other non-sensitive data on the agency’s network through their personal device.
“Recognizing the fact our users have bought these personal devices themselves, our pilot is centered around the usability of the devices to connect to CDC assets,” Sagoo said. “We are dealing with the MDM vendors in a containerized approach to see how well these devices will function in accessing limited CDC assets.”
The pilot started with fewer than 50 people and now has expanded to a few hundred.
“Dependent upon the outcome, if we don’t find any significant impediments from a security perspective, then we will recommend moving forward with allowing personal devices to connect to our network for access to resources,” Sagoo said.
He added this approach will be “equivalent to a remote emulation,” which lets software from the network run on the handheld device but expose the network to security risks. Employees also will not connect through a virtual private network and all data will be stored on the back-end servers controlled by CDC, Sagoo said.
For sensitive or personally identifiable information, CDC will continue to use government-furnished devices, he added.
Sagoo said until the device makers offer the ability to do full-disk encryption, personal smartphones will be used only for low-to-moderate level security.
Sagoo said the primary driver for mobile devices is a combination of business needs and pent-up demand by employees.
“We know that our workforce, especially in overseas countries, already are using a lot of these devices,” he said. “We have to make sure as they collect this sensitive data, the data is being stored on encrypted devices. That is really our main push in the field to make sure they meet all of the FIPS mandatory compliance requirements for encryption and also to make sure that somehow we can manage these devices and really make sure all aspects of their experience from IT usability to the transport and to the repositories are in compliance and protected.”
Sagoo said CDC believes it will get two main benefits from deploying smartphones.
“Security is an essential driver, but we also are looking at cost containment,” he said. “To that end, if we can get reductions in cost savings to the government by allowing people to use their personal devices together with their own data plans and give them a high satisfaction and provide them access to CDC assets then it’s a win-win for both the government and the employees.”
At VA, Baker said doctors and nurses, especially the 100,000 residents that work for the agency each year, are the primary drivers for letting personal smartphones on its network.
Baker has said many times, if he is only the “CI-NO”, the medical practitioners will find ways around him.
VA had to find a way to say yes that supports multiple devices, lets the agency push software updates to the device automatically and creates an apps store that is for employees only.
Baker said VA also must be able to wipe the devices should one be lost or infected with a virus and ensure no data is stored on the personal smartphones.
“We aren’t sure if we will build an apps store or put restrictions on an external one,” he said. “We likely will not pay for 3G for the devices we provide. It’s a basic budget decision. Most places our employees will work will have Wi-Fi.”
Baker said agencies just getting into mobile devices should keep a few things in mind, starting with making sure the CIO has the ability to see every device on the network at any time.
“If you don’t own your network or if you can’t point to the person who does, don’t let personal devices on your network,” he said. “I can turn on and turn off the devices on the network, but most CIOs don’t have that complete authority.”