NCCoE’s Latest Guidelines for BYOD Security and Privacy

Employees continue to grow more reliant upon their mobile devices, and that’s just as true in their professional lives as it is in their personal lives. With this increased reliance upon mobile devices for work-related activities, the specter of cybersecurity risks continues to grow as well.

Compared to traditional laptops and desktops, mobile devices are exposed to unique threats and require distinct security approaches and mechanisms. This growing risk is exacerbated by the proliferation of support for bring-your-own-device (BYOD) approaches. Most often, employee-owned devices lack critical security protections, and safeguarding these devices can present a number of distinct challenges for enterprise security teams.

Introducing the NCCoE’s Mobile Device Security Project

The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses’ most pressing cybersecurity challenges. To help teams address the security and privacy challenges posed by BYOD, the NCCoE developed a mobile device security and privacy practice guide. The second draft of this guide, NIST Special Publication 1800-22, “Mobile Device Security: Bring Your Own Device (BYOD),” was published in November. (This version is available for public comment until January 13, 2023.)

“The NCCoE collaborated with industry stakeholders to provide a guide that businesses can use to integrate and configure the example mobile solution within their organization’s enterprise and to help achieve enhanced security and privacy throughout their enterprise,” said Gema Howell, NIST Computer Scientist.

Over the last several months, Zimperium has been working closely with the NCCoE on their mobile device security project. In addition to Zimperium, the NCCoE collaborated with such technology vendors as IBM, Kryptowire, Palo Alto Networks, and Qualcomm. Through this collaboration, the NCCoE and its partners have successfully developed an example solution that organizations can reference in order to bring increased security to their mobility programs.

How the Guide Can Help Your Organization

This practice guide is for organizations that want to allow employees to use personal mobile devices to conduct their work while protecting organizational assets and end-user privacy. This practice guide can help enterprises reduce their risk by showing how commercially available technologies, like Zimperium’s zIPS*, can be used to improve the security of their mobile infrastructure.

The NCCoE focused on instituting robust standards, industry best practices, and commercially available products. By applying the organization’s guidelines, teams can:

  • deploy technologies that improve the security of mobile devices and applications.
  • protect data from being accessed by unauthorized individuals when a device is stolen or misplaced.
  • improve system administrators’ ability to identify device and data compromise.
  • establish enhanced privacy protections that reduce risk to employees.


Most organizations will adopt BYOD approaches if they haven’t already. Through BYOD, organizations can effectively respond to the dramatic shift to remote work, and they can cut costs in the process. By applying the best practices set forth by the NCCoE, teams will be able to boost security while continuing to provide their employees with the flexibility of mobile device use. We’re grateful to the NCCoE for delivering this guidance and look forward to collaborating further to continue to advance security solutions and practices.

Be sure to visit the NCCoE’s “Mobile Device Security: Bring Your Own Device” page, where you can download the guide and provide comments.

*While the example implementation uses certain products, including Zimperium’s zIPS, NIST and the NCCoE do not endorse these products. The guide presents the characteristics and capabilities of those products, which an organization’s security experts can use to identify similar standards-based products that will fit within their organization’s existing tools and infrastructure.

Author: Jim Kovach
Mobile Security Specialist, Public Sector.
