NASA Internal Memo: ActiveSync Security Policies to be Applied to Mobile Devices Connecting to NOMAD

Subject:  ActiveSync Security Policies to be Applied to Mobile Devices

Connecting to NOMAD.

From:  Centerwide Announcement

Date:  September 10, 2013

TO: Resident Staff

FROM: Director, Information Technology, Ames Chief Information Security Officer

SUBJECT: ActiveSync Security Policies to be Applied to Mobile Devices Connecting to NOMAD.

WHAT IS IT?

Beginning the week of September 9, and in adherence to the recent NASA CIO directive, new security policies (Microsoft Exchange ActiveSync (EAS)) are being applied to all NOMAD mailboxes. This is to address the growing number of personal devices being used to access NASA email, including syncing with calendaring and other MS Outlook features. These new security features will help better protect NASA assets, while allowing the flexibility to Bring Your Own Device (BYOD).  Once EAS is applied, to NOMAD mailboxes, end-users will be prompted to set-up a password the next time they connect with a government or personal mobile device (iPhones, iPads, Windows Mobile Devices, Android devices and any ActiveSync devices). This change only affects devices running a mobile operating system such as Apple iOS or Google Android. It does not affect laptops, nor does it affect access to email via webmail.

Those already accessing NOMAD, with a mobile device, are being sent specific details of these new policies. There are several key highlights we wanted to underscore for everyone at the Center:

a. The use of your own mobile device (i.e., cell phone or tablet) to retrieve your NASA email/calendar or to conduct NASA business is entirely voluntary. Users should refrain from using a personal mobile device to access NASA information and systems if uncomfortable, unable, or unwilling to comply with these minimum security requirements. As the use of personal mobile devices is purely optional, employees cannot be expected to use their own devices to accomplish their assigned tasks if they choose not to do so. Your supervisor may not require you to do so. If a mobile device is required for you to perform your assigned duties, management will provide you with an appropriate NASA-owned device consistent with the Negotiated Agreement, unless you voluntarily choose to use your own device. You cannot be required to provide your personal email address or cell-phone number to management.

b. Employees using their own mobile device for downloading NASA email /calendar directly via their phone’s mail client should be aware that NASA has the ability to access your device and to erase (“wipe”) it. While the current NASA policy is that no such access or wiping will occur without the employee’s explicit permission, it remains possible that such adverse events could nonetheless occur inadvertently. Therefore, employees should backup their personal phones often to reduce their vulnerability of data loss.

c. The new interim policy makes no restrictions whatsoever on your ability to access your NASA email /calendar via webmail using your personal mobile device or computer. Webmail access also does not allow NASA to access or wipe your device.

NASA does NOT offer help desk support for personal mobile devices. If you choose to use a personal mobile device to access NASA email and calendaring resources, and it is negatively impacted, you are responsible for fixing or replacing it.

When accepting the policy, you’ll be prompted to set a passcode. This feature is in place to thwart criminal access to your device, and includes an automatic device-wipe after 10 failed log-in attempts. Depending on your mobile device operating system (OS), consecutive password attempts may be limited to the mobile OS you are using. Some require delays between password entries, in the event of accidental attempts, while others require user input after so many failed attempts. It is critical you create a passcode you won’t forget, as all data on the device (photos, music, documents, calendar items, etc.) will be wiped, with no way to retrieve it.

WHAT IS THE IMPACT?

Microsoft Exchange ActiveSync (EAS) policies help improve NASA’s security posture, while allowing end-users the flexibility to use their personal devices to conduct business and stay connected. Also important is thwarting malicious attacks from those preying on NASA assets and ensuring the capability, at the request of the user, to wipe a device remotely if it is lost or stolen. As we move into a new era of mobility and flexibility, it continues to be everyone’s responsibility to remain vigilant in protecting NASA’s data and equipment, and now that equipment may just be your own personal device.

WHEN IS IT HAPPENING?

Microsoft Exchange ActiveSync (EAS) policies are being applied to NOMAD mailboxes, across the Agency, the week of September 9, 2013.

WHAT ACTIONS ARE REQUIRED?

No actions are required, this email is informational. Here are some informational links, if you’d like to see more detail:

OCIO BYOD FAQs:

http://inside.nasa.gov/ocio/content/faqs-regarding-mobile-computing-devices ActiveSync use-cases: