Security Publications

Security Guidance for First Responder Mobile and Wearable Devices

July 2022
Citation: NISTIR 8235
Public safety officials utilizing public safety broadband networks will have access to devices, such as mobile devices, tablets, and wearables. These devices offer new ways for first responders to complete their missions but may also introduce new security vulnerabilities to their work environment. To investigate this impact, the security objectives identified in NIST Interagency Report (NISTIR) 8196, Security Analysis of First Responder Mobile and Wearable Devices, were used to scope the analysis of public safety mobile and wearable devices and the current capabilities that meet those security objectives. The purpose of this effort is to provide guidance that enables jurisdictions to select and purchase secure devices, and assist industry to design and build secure devices tailored to the needs of first responders.

Mobile Application Single Sign-On

August 2021
Citation: NIST SP 1800- 13
On-demand access to public safety data is critical to ensuring that public safety and first responder (PSFR) personnel can deliver the proper care and support during an emergency. This requirement necessitates heavy reliance on mobile platforms that may be used by PSFR personnel to access sensitive information, such as personally identifiable information, law enforcement sensitive information, and protected health information. However, complex authentication requirements can hinder the process of providing emergency services, and any delay—even seconds—can become a matter of life or death.

Background on Identity Federation Technologies for the Public Safety Community

June 2021
Citation: NISTIR 8336
This report provides the public safety and first responder (PSFR) community with a basic primer on identity federation—a form of trust relationship and partnership involving the verification of a claimed identity. Identity federation technologies can help public safety organizations (PSOs) to share information with each other more easily while also protecting that data from unauthorized access. Identity federation technologies can also help PSOs transition services to the cloud and facilitate the use of mobile devices such as smartphones. The intent of this report is to aid the PSFR community in adopting identity federation technologies, with different portions of the report aimed at general audiences, technically capable readers, and federation technology implementers. This report was developed in joint partnership between the National Cybersecurity Center of Excellence (NCCoE) and the Public Safety Communications Research (PSCR) Division at NIST.

Identity as a Service for Public Safety Organizations

June 2021
Citation: NISTIR 8335
On-demand access to public safety data is critical to ensuring that public safety and first responder (PSFR) personnel can protect life and property during an emergency. The increasing use of cloud technologies can improve data access but also causes authentication challenges. The objective of this report is to inform public safety organizations (PSOs) about identity as a service (IDaaS) and how they can benefit from using it. This report also lists questions that PSOs can ask IDaaS providers when evaluating their services to ensure that the PSOs’ authentication needs are met and the risk associated with authentication is mitigated properly. This report was developed in joint partnership between the National Cybersecurity Center of Excellence (NCCoE) and the Public Safety Communications Research (PSCR) Division at NIST.

Using Mobile Device Biometrics for Authenticating First Responders

June 2021
Citation: NISTIR 8334
Many public safety organizations (PSO's) are adopting mobile devices, such as smartphones and tablets, to enable field access to sensitive information for first responders. Most recent mobile devices support one or more forms of biometrics for authenticating users. This report examines how first responders could use mobile device biometrics in authentication and what the unsolved challenges are. This report was developed in joint partnership between the National Cybersecurity Center of Excellence (NCCoE) and the public Safety Communications Research (PSCR) Division at NIST

Security Analysis of First Responder Mobile and Wearable Devices

May 11, 2020
Citation: NISTIR 8196
Public safety practitioners utilizing the forthcoming Nationwide Public Safety Broadband Network (NPSBN) will have smartphones, tablets and wearables at their disposal. Although these devices should enable first responders to complete their missions, any influx of new technologies will introduce new security vulnerabilities. This document analyzes the needs of public safety mobile devices and wearables from a cybersecurity perspective, specifically for the fire service, emergency medical service (EMS), and law enforcement. To accomplish this goal, cybersecurity use cases were analyzed, previously known attacks against related systems were reviewed, and a threat model was created. The overarching goal of this work is to identify security objectives for these devices, enabling jurisdictions to more easily select and purchase secure devices and industry to design and build more secure public safety devices.

Security Analysis of First Responder 3 Mobile and Wearable Devices

February 7, 2019
Citation: NISTIR 8196
With the upcoming public safety broadband networks (PSBNs), mobile and wearable devices will become ideal options for first responders (firefighters, law enforcement and EMS). This document reviews the current and potential use cases of these mobile and wearable devices by first responders and then analyzes these devices from a cybersecurity perspective. Ultimately, the goal of this analysis is to identify security objectives for mobile and wearable devices to assist jurisdictions with selecting secure devices and enable industry to design and produce securer public safety devices. This document is intended for those acquiring mobile devices and wearables for deployment in public safety scenarios. This document may also be useful for those designing public safety smartphones, tablets, and wearable devices.

Considerations for Identity Management in Public Safety Networks

March 30, 2015
Citation: NISTIR 8014
This document analyzes approaches to identity management for public safety networks in an effort to assist individuals developing technical and policy requirements for public safety use. These considerations are scoped into the context of their applicability to public safety communications networks with a particular focus on the nationwide public safety broadband network (NPSBN) based on the Long Term Evolution (LTE) family of standards. A short background on identity management is provided alongside a review of applicable federal and industry guidance. Considerations are provided for identity proofing, selecting tokens, and the authentication process. While specific identity management technologies are analyzed, the document does not preclude other identity management technologies from being used in public safety communications networks.

Public Safety Mobile Application Security Requirements Workshop Summary

January 22, 2015
Citation: NISTIR 8018
This document captures the input received from the half-day workshop titled "Public Safety Mobile Application Security Requirements" organized by the Association of Public-Safety Communications Officials (APCO) International, in cooperation with FirstNet and the Department of Commerce and held on February 25, 2014. This first-of-its-kind workshop was attended by public safety practitioners, mobile application developers, industry experts, and government officials who contributed their experience and knowledge to provide input in identifying security requirements for public safety mobile applications.

Usability and Security Considerations for Public Safety Mobile Authentication

July 27, 2016
Citation: NISTIR 8080
There is a need for cybersecurity capabilities and features to protect the Nationwide Public Safety Broadband Network (NPSBN). However, cybersecurity requirements should not compromise the ability of first responders to complete their missions. In addition, the diversity of public safety disciplines means that one solution may not meet the usability needs of different disciplines. Understanding how public safety users operate in their different environments will allow for usable cybersecurity capabilities and features to be deployed and used. Although first responders work in a variety of disciplines, this report is focused on the Fire Service, Emergency Medical Services (EMS), and Law Enforcement. This report describes the constraints presented by the personal protective equipment, specialized gear, and unique operating environments and how such constraints may interact with mobile authentication requirements. The overarching goal of this work is analyzing which authentication solutions are the most appropriate and usable for first responders using mobile devices in operational scenarios.

Identifying and Categorizing Data Types for Public Safety Mobile Applications Workshop Report

June 01, 2016
Citation: NISTIR 8135
The Association of Public-Safety Communications (APCO), in cooperation with FirstNet and the Department of Commerce held a half-day workshop on June 2, 2015 titled "Identifying and Categorizing Data Types for Public Safety Mobile Applications." The goal of this workshop was to begin identifying different types of data that will flow through applications that operate on the National Public Safety Broadband Network (NPSBN). A diverse group of first responders, industry leaders, and government representatives attended the workshop. This document describes the workshop and captures the input received from the workshop attendees.