NIST Invites Comments on Practice Guide for Improving Mobile Device Security

The National Cybersecurity Center of Excellence (NCCoE) requests comments on a draft guide to help organizations better secure and manage their mobile devices.

The draft NIST Cybersecurity Practice Guide Mobile Device Security: Cloud & Hybrid Builds (Special Publication 1800-4) demonstrates how commercially available technologies can help companies secure sensitive data accessed by and/or stored on mobile devices used by employees.

"Mobile devices extend or eliminate the notion of traditional organization boundaries, posing challenges that nearly all businesses regardless of sector or organization size," said Nate Lesser, deputy director of the NCCoE, part of the National Institute of Standards and Technology (NIST). "Our guidance can help organizations reduce their risk and increase their ability to see and respond to security issues."

Security controls at many organizations have not kept pace with risks that mobile devices can pose. To address this challenge, NCCoE security engineers re-created a typical IT scenario involving commonly used devices, organizational email, calendaring and contact-management software. They then developed several configurations of commercial management and security technologies to improve mobile device security. The example solution detailed in the guide shows organizations how to configure a device so that it can be trusted, as well as how to remove the device from systems should it be lost or stolen or when an employee leaves the company.

The draft guide maps security characteristics to standards and best practices from NIST and other organizations. It provides instructions for implementers and security engineers on installing, configuring, and integrating the example mobile device security solution into existing IT infrastructures.

While the guide uses a suite of commercial products as part of the example solution, it does not endorse any particular products or guarantee regulatory compliance. The NCCoE's example solution may be adopted or be used as a starting point for tailoring and implementing parts of a solution.

The draft guide can be downloaded from the NCCoE website, which includes a form for submitting comments. The public comment period is open through Jan. 8, 2016.

The guide is part of the center's new series of publications, called NIST Cybersecurity Practice Guides (Special Publication Series 1800), which target complex cybersecurity challenges in the public and private sectors. The practical, user-friendly guides show members of the information security community how to implement example solutions intended to help them align more easily with relevant standards and best practices.

The NCCoE is the nation's cybersecurity laboratory, addressing businesses' most pressing cybersecurity problems with practical, standards-based solutions using commercially available technologies. The center collaborates with industry, academic and government experts to build modular, open, end-to-end reference designs that are broadly applicable and repeatable.