NASA Mobile Security Requirements: Why Now?

On August 29, 2013, NASA Chief Information Officer Larry Sweet sent out an Agency message to all NASA employees entitled “Bring Your Own Device (BYOD) and Mobile Computing at NASA,” which included a memorandum of minimum security requirements for personal mobile devices (available online ). The memo alerted employees to the enforcement of several requirements regarding the NASA e-mail system that would begin on September 10.

Many have asked, “Where did these requirements come from, and why are they coming out now?” Well, as we all know, mobile devices (e.g., smartphones, tablets, etc.) are playing an increasingly important role in our lives. As we start to use these new and exciting technologies at home, we often want to use them in all aspects of our life–including at work. However, the introduction of such devices into the marketplace and then into the workplace often precedes NASA’s ability to test and secure them. As a result, they present unique technological, legal, and security challenges for you and for our IT staff.

Historically, NASA has not blocked or prevented the use of mobile devices to access NASA e-mail and resources. However, due to the exponential growth of these unmanaged systems in the NASA environment over the past few years, it has become imperative for NASA to acknowledge and address the risk they present to our resources and data.

So, instead of simply “turning access off” and forbidding the use of mobile devices (which would have certainly addressed the risk), the NASA CIO decided to implement a minimum set of basic security requirements and capabilities to support NASA employees while a broader BYOD effort is pursued. Many of these security requirements are general best practices that are already in use by employees on their personal devices.

That being said, we did want to address a few questions and concerns that have been raised, particularly those related to using a personal mobile device to connect to the NASA e-mail system:

Does NASA now have the ability to access any information on my personal device?

No, absolutely not. NASA cannot access any data on your personal device; it can only confirm that your device exists and has connected to our system.

Did NASA install any software on my device?

No. Any changes in the security configuration of your personal device to support NASA’s minimum requirements take place within the device’s own native capabilities. No software or additional “profiles” have been installed.

Can NASA “control” my device?

No, NASA cannot control your device. Any capabilities that are enforced by NASA are native capabilities that already exist on your device.

What about the ability for NASA to “remotely wipe” my device if it is lost or stolen?

The ability to “remotely wipe” your device in the event that it is lost or stolen does exist; however, NASA will never use this capability without an explicit request and coordination with you. Moreover, NASA is not “controlling” your device if and when the remote wipe capability is used, but is instead requesting that the device trigger its own, internal, native wipe capability.

Additional guidance and many other frequently asked questions (FAQs) can be found online at http:// inside.nasa.gov/ocio/content/faqs- regarding-mobile-computing-devices. Check back often, as these FAQs are being continually updated as you and your coworkers provide feedback and ask questions.

The goal of these initial security requirements is to enable every NASA employee to continue using personal devices. We are striving to support a better work-life balance while also addressing some very basic and self-evident risks that these devices pose to NASA data and systems. Lee Stone, president of IFPTE local 30 and co-chair of the NASA Labor-Management Forum, says, “Labor supports the responsible implementation of a voluntary ‘Bring Your Own Device’ policy for NASA. With the proper balance of privacy for the employee and data security for the Agency, we hope the policy will achieve mutual benefit, as well as value for the taxpayer.”

Any use of personal devices to conduct NASA business at this time is purely optional, and in the event that you do not feel comfortable, or are unwilling to comply, with any of these basic requirements, you may simply choose not to connect. Employees cannot be required or expected to use their own devices to accomplish their assigned tasks if they choose not to do so.

Look for more information on NASA’s support of BYOD in the near future. And, as always, thank you for all the work you do every day to help us achieve NASA’s mission!By Daniel Conway, NASA IT Security (ITS) Division, IT Talk, NASA CIO October – December 2013

X