NIST Makes Revisions to Mobile Security Guidelines Amid Increased Telework
The National Institute of Standards and Technology released an update to their Guidelines for Managing the Security of Mobile Devices in the Enterprise. This update to the mobile device guidelines is the first since 2013 and, while it was not done due to the surge in employees on telework, NIST leaders do note its particular importance during the current situation.
NIST IT Security Engineer Gema Howell began the rewrite at the end of 2018, noting the rapid changes which had occurred in the last five years. While the structure of the guidelines is largely the same, Howell told FedScoop the changes are βreally focused on device-side threats, considerations and things you can do on the device.β
βWhat we want folks to be aware of are the many changes in the industry and the solutions available to them to help secure their mobile devices that are being used during this telework time to access their enterprise resources,β Howell explained.
The guidelines place a particular focus on the risks associated with mobile applications and new mobile authentication options which include biometrics rather than the traditional four-digit personal identification number.
The guidelines include an outline of the mobile device deployment lifecycle:
β’ Identifying mobile requirements, which now involves choosing a use case.
β’ Reviewing inventory.
β’ Picking a deployment model β enterprise use only or bring-your-own-device.
β’ Selecting Android, iOS or both.
β’ Determining the needed security tools.
Howell explains that in 2013 this cycle was limited by the number and types of devices available at that time, while now there are far more options. The NIST team chose to add a step in the device deployment cycle involving performing risk assessments to help users determine which devices are best for their needs while maintaining security standards.
The guidelines document is open to public comment through June 26, 2020. NIST will then review the feedback received and update the guidelines before releasing either a second or final version.