NIST launches draft guide to improve mobile device security

by Brianna Crandall — November 30, 2015 — The National Cybersecurity Center of Excellence (NCCoE), the nation’s cybersecurity laboratory and part of the National Institute of Standards and Technology (NIST), is requesting comments on a draft guide to help organizations better secure and manage their mobile devices.

The draft NIST Cybersecurity Practice Guide Mobile Device Security: Cloud & Hybrid Builds (Special Publication 1800-4) demonstrates how commercially available technologies can help companies secure sensitive data accessed by and/or stored on mobile devices used by employees.

Nate Lesser, deputy director of the NCCoE, explained:

“Mobile devices extend or eliminate the notion of traditional organization boundaries, posing challenges that nearly all businesses face, regardless of sector or organization size. Our guidance can help organizations reduce their risk and increase their ability to see and respond to security issues.”

Security controls at many organizations have not kept pace with the risks that mobile devices can pose, NIST points out. To address this challenge, NCCoE security engineers re-created a typical information technology (IT) scenario involving commonly used devices, organizational e-mail, calendaring and contact-management software. They then developed several configurations of commercial management and security technologies to improve mobile device security.

The example solution detailed in the guide shows organizations how to configure a device so that it can be trusted, as well as how to remove the device from systems should it be lost or stolen or when an employee leaves the company.

The draft guide maps security characteristics to standards and best practices from NIST and other organizations. It provides instructions for implementers and security engineers on installing, configuring, and integrating the example mobile device security solution into existing IT infrastructures.

While the guide uses a suite of commercial products as part of the example solution, it does not endorse any particular products or guarantee regulatory compliance. NIST says the NCCoE’s example solution may be adopted or be used as a starting point for tailoring and implementing parts of a solution.

The draft guide can be downloaded from the NCCoE Web site, which includes a form for submitting comments. The public comment period is open through January 8, 2016.

The guide is part of the center’s new series of publications, called NIST Cybersecurity Practice Guides (Special Publication Series 1800), which target complex cybersecurity challenges in the public and private sectors. The practical, user-friendly guides show members of the information security community how to implement example solutions intended to help them align more easily with relevant standards and best practices.