Issue Briefs

Following is a summary of recent guidance from the Federal Chief Information Officers Council on use of employees’ personal electronic devices for work purposes, what it called bring-your-own-device (BYOD).

Implementing a BYOD program is not mandatory. This document is intended to serve as a toolkit for agencies contemplating implementation of BYOD programs. The toolkit is not meant to be comprehensive, but rather provides key areas for consideration and examples of existing policies and best practices. In addition to providing an overview of considerations for implementing BYOD, the BYOD Working Group members developed a small collection of case studies to highlight the successful efforts of BYOD pilots or programs at several government agencies. The Working Group also assembled examples of existing policies to help inform IT leaders who are planning to develop BYOD programs for their organizations.

While the case studies and example policies that the BYOD Working Group has assembled are a great starting point for agencies considering BYOD programs, this work is not finished. The Federal Government still has more to do to address the more complicated issues related to BYOD. This includes how the government can reimburse Federal employees for voice/data costs incurred when they use their personal mobile devices instead of government-issued mobile devices, and additional security, privacy, and legal considerations including supply chain risk management and legal discovery.

Key Considerations

The implementation of BYOD needs to be an iterative process—support of BYOD for commodity enterprise technologies like email and collaboration systems can lay the foundation for expanding to more diverse, mission-specific applications and a broader scope of enterprise offerings. BYOD can be facilitated through applications native to the device, downloaded or installable applications, or even a web browser. The private and public sector entities who have adopted BYOD solutions report that allowing employees to use their personal mobile devices to access company resources often results in increased employee productivity and job satisfaction. From the Federal information security perspective, devices must be configured and managed with information assurance controls commensurate with the sensitivity of the underlying data as part of an overall risk management framework.

The BYOD Working Group observed additional characteristics about this growing trend:

* BYOD is about offering choice to customers. By embracing the consumerization of Information Technology (IT), the government can address the personal preferences of its employees, offering them increased mobility and better integration of their personal and work lives. It also enables employees the flexibility to work in a way that optimizes their productivity.

* BYOD can and should be cost-effective, so a cost-benefit analysis is essential as the policy is deployed. Such a cost-benefit analysis should take into account both potential increases in employee productivity and potential cost shifts. For example, providing employees access to government services on their personal devices should help reduce the number of government devices that are provided to staff as well as the life-cycle asset management costs associated with these devices. BYOD programs may, however, necessitate government reimbursement for voice/data costs incurred when employees use their personal mobile devices instead of government-issued mobile devices and additional enterprise infrastructure costs in handling the support of BYOD users. Additionally, overall costs may significantly increase for personnel who frequently communicate outside of the coverage area of their primary service provider and incur roaming charges.

* Implementation of a BYOD program presents agencies with a myriad of security, policy, technical, and legal challenges not only to internal communications, but also to relationships and trust with business and government partners. The magnitude of the issues is a function of both the sensitivity of the underlying data and the amount of processing and data storage allowed on the personal device based on the technical approach adopted. Generally speaking, there are three high-level means of implementing a BYOD program:

  – Virtualization: Provide remote access to computing resources so that no data or corporate application processing is stored or conducted on the personal device;
  – Walled garden: Contain data or corporate application processing within a secure application on the personal device so that it is segregated from personal data;
  – Limited separation: Allow commingled corporate and personal data and/or application processing on the personal device, with policies enacted to ensure minimum security controls are still satisfied.

The growing trend of BYOD demonstrates that we as IT leaders have changed how we adopt technology. Gone are the days of long projects that address every demand. We must now integrate new technologies in a rapid, iterative, agile, interoperable, and secure method to meet changing market and customer needs. Device agnosticism is more important than ever. Our software, hardware, and applications must be compatible across common systems and personal devices. Our information security controls must also be consistent with existing law and standards to ensure confidentiality, integrity, and availability. Because of these and other considerations, BYOD is not necessarily a good fit for all government agencies—it has to fit the agency’s environment, support mission requirements, and meet the specific needs of staff.

The business case for implementing a BYOD program varies from agency to agency, but often involves the following drivers: reducing costs, increasing program productivity and effectiveness, adapting to a changing workforce, and improving the user experience. Below is a list of points to consider when determining whether a BYOD program is right for your agency and its staff. The list, which is by no means exhaustive, includes policy and process considerations for Chief Information Officers, Chief Technology Officers, Chief Information Security Officers, Chief Human Capital Officers, Chief Financial Officers, Chief Acquisition Officers, and others.

* Technical approach
  – Virtualization
  – Walled garden
  – Limited separation

* Roles and responsibilities
  – Agency
  – User
  – Help/service desk(s)
  – Carrier technical support

* Incentives for government and individuals
  – Survey employees on benefits and challenges
  – Consider voluntary vs. mandatory participation in the BYOD program and the impact on terms of service

* Education, use, and operation
  – Establish orientation, trainings, and user agreements
  – Establish associated policies collaboratively with union representatives
  – Ensure compliance with Fair Labor Standards Act (FLSA) requirements (e.g., institute policies to ensure non-exempt employees do not conduct work after hours unless directly authorized/instructed)
  – Consider the impact of the connectivity and data plan needs of the chosen technical approach (e.g., virtualization) on employee reimbursement
  – Implement telework agreements consistent with the Telework Enhancement Act and OMB implementation requirements

* Security
  – Assess and document risks in:
    * Information security (operating system compromise due to malware, device misuse, and information spillover risks)
    * Operations security (personal devices may divulge information about a user when conducting specific activities in certain environments)
    * Transmission security (protections to mitigate transmission interception)
  – Ensure consistency with government-wide standards for processing and storing Federal information
  – Assess data security with BYOD versus the devices being replaced
  – Securely architect systems for interoperability (government data vs. personal data)

* Privacy
  – Identify the right balance between personal privacy and organizational security
  – Document the process for employees to safeguard personal data if/when the government wipes the device

* Ethics/legal questions
  – Define “acceptable use” from both the government and the individual perspective
  – Address legal discovery (including confiscation rights) and liability issues (e.g., through pre-defined opt-in requirements in terms of service)
  – Consider implications for equal employment rights (e.g., disparity in quality of personal devices)

* Service provider(s)
  – Identify companies that could offer discounts to government employees
  – Assess opportunities to leverage the Federal Strategic Sourcing Initiative
  – Assess tax implications for reimbursement

* Devices and applications (apps)
  – Identify permitted and supported devices to prevent the introduction of malicious hardware and firmware
  – Define content applications that are required, allowed, or banned, and consider use of mobile device management (MDM) and mobile application management (MAM) enterprise systems to enforce policies
  – Adopt existing app development best practices to support device agnosticism and data portability across platforms
  – Address app compatibility issues (e.g., accidental sharing of sensitive information due to differences in information display between platforms)
  – Recommend an approach to content storage (cloud vs. device)
  – Clarify ownership of the apps and data

* Asset management
  – Disposal of the device if it is replaced, lost, stolen, or sold, or if employment is terminated (government information must be removed before disposal)
  – Reporting and tracking of lost/stolen personal devices
  – Replacement of lost personal devices if the employee chooses not to replace them with personal funds
  – Funding for service and maintenance