Federal agencies face a unique set of challenges. Since the publication of the Executive Order on Improving the Nation’s Cybersecurity (“EO”), the Office of Management and Budget (OMB) has released several directives. Despite the directives’ interconnected nature, Federal Civilian Executive Branch (FCEB) agencies still have budgetary constraints, meaning prioritizing their investments is mission-critical. Fundamentally, FCEB agencies need to find solutions that address as many security requirements as possible while spending as little money as possible.
Limited Budgets in the Ever-Evolving Threat Landscape
According to Bloomberg, last year attackers infiltrated the phones of US diplomats in Uganda using a kind of spyware known as Pegasus, one of the most sophisticated spyware tools in existence, which can access a victim’s messages, camera, and microphone without the victim clicking on a single link. The recent news has raised concerns among the House intelligence committee and is believed to be only the tip of the iceberg for federal agencies and the security of their devices.
Not only do FCEB agencies need to comply with federal initiatives, but they also must monitor the ever-evolving threat landscape to protect their corporate data. The problem is many struggle to allocate budgets effectively and efficiently.
In May 2022, FedScoop interviewed 177 pre-qualified federal agency IT decision-makers, noting:
- 1 in 5 defense/intelligence agencies predicted Zero Trust initiatives would consume 10% or more of their IT budgets.
- 2 in 3 respondents overall believed that Zero Trust initiatives would consume 4% or more of their IT budgets.
- 4 in 10 respondents cited the interdependency and complexity of existing technologies as a fundamental Zero Trust challenge.
Similarly, Zimperium surveyed agency technology leaders and found:
- 58% prioritized OMB 22-01, focusing on endpoint detection and response.
- 24% prioritized OMB 22-09, focusing on Zero Trust Architectures.
- 18% prioritized OMB 21-31, focusing on investigation and remediation capabilities.
When comparing this data, the key takeaway is that agencies need solutions that address more than one Zero Trust architecture pillar at a time, not only to meet requirements but also to protect their devices.
Complexities and Interdependencies: The Mobile Device Problem
Mobile device security is increasingly essential to any agency compliance initiative, especially in a remote work environment. Not only do agencies need to incorporate mobile device security as part of their Zero Trust initiatives, but they also need to understand the breadth of compliance mandates addressing this issue.
For example, the following mandates and publications all mention mobile device security, but more specifically, they include mobile threat detection (MTD) either specifically or by implication:
- OMB 21-31: Mentioned within the logging requirements
- OMB 22-01: Definition of Endpoint Detection and Response (EDR) incorporates mobile phones
- CISA Capacity Enhancement Guide: References MTD specifically
- Federal Mobility Group (FMG): Mobile Security publication
- Chief Information Officer (CIO) FMG: International Travel Guidance incorporates always-on, on-device protections
- National Institute of Standards and Technology (NIST) Special Publication (SP) 1800-22: Bring Your Own Device (BYOD) reference architecture depicts on-device detection
- NIST SP 800-124 Rev. 2 “Guidelines for Managing Security of Mobile Devices”: References MTD
- Software Bill of Materials (SBOM) and the Department of Homeland Security (DHS) Supply Chain Risk Management Act of 2021: Addresses mobile device security
- CISA Binding Operational Directive (BOD) 22-01: Incorporates significant risk of known and exploited vulnerabilities requirement
- NIST 800-171 Rev 2/Cybersecurity Maturity Model Certification (CMMC Level 2): References NIST 800-124 “Guidelines for Managing the Security of Mobile Devices in the Enterprise,” which discusses MTD
No matter which mandate governs a federal agency’s compliance, they all incorporate MTD as a mobile security “must-have.”
Prioritizing Mobile Threat Defense for Federal Agency Compliance
Fundamentally, modern work requires mobile devices, and as agencies improve their cybersecurity posture, they need to incorporate mobile threat defense. With MTD, agencies achieve holistic endpoint security.
Traditional mobile device security provides capabilities that ensure mobile devices have organization-defined configurations in place, such as the most recent operating system updates. However, a gap still exists when trying to mitigate risks associated with other threats like:
- Mobile-device specific malware
- Side-loaded apps
This is why agencies need to prioritize MTD as part of their endpoint detection and remediation strategies, particularly as they continue to allow users to bring their own devices.
NIST 800-124 explains that MTD’s capabilities go beyond those provided by other mobile device security tools by:
- Continuously monitoring in real-time
- Assessing apps after deployment and during runtime
- Detecting and protecting mobile devices, apps, and end users against attacks delivered via wireless networks
- Detecting attacks against an app or OS software, such as side-loaded apps
- Detecting and alerting users to unexpected interactions among apps or use of data on the device
Zimperium: Mobile Threat Defense for Federal Agencies
Prioritizing compliance requirements is both challenging and mission-critical. Agencies need to adopt the solutions that enable them to optimize their security stack and maximize their limited budgets. With mobile devices now the norm, prioritizing mobile device security and threat detection is fundamental to securing federal systems.
Approved to participate in the NIST “Zero Trust Cybersecurity: Implementing a Zero Trust Architecture Building Block Consortium,” Zimperium is working diligently to help the NCCoE design and build approaches to Zero Trust architectures that take mobile threats and mobile security into account.
Zimperium provides the only advanced mobile threat defense solution with on-device, machine learning-based security for Android, iOS, and Chromebooks. Zimperium zIPS™ detects threats across the kill chain, including device, network, phishing, and app attacks.
Zimperium was the first mobile threat defense (MTD) provider to be granted an Authority to Operate (ATO) status from the Federal Risk and Authorization Management Program (FedRAMP) and is used by many government organizations including the U.S. Department of Defense (DoD).