How Mobile Devices Can Complicate NIST 800-171
Apr. 18th, 2019
NIST 800-171 has a variety of requirements that are meant to ensure that sensitive information that resides on a contractor’s system remains protected. One set of requirements mandates that mobile devices follow information security protocol in order to guard against a breach. This requires contractors to devise and apply a solution so their employees do not have to carry a separate device for work matters. The good news is there are solutions available that allow employees to work on their own phones.
An organization cannot simply allow users to connect to its system from their own mobile devices. Doing so would leave the information housed on the system exposed to attack. Mobile devices can carry malware that can infect the employer's information system. To prevent this, multi-factor authentication and other strong security protections must be in place before an employee can access controlled unclassified information from a mobile device. In the past, this was extraordinarily difficult to accomplish.
Now, much of the focus of securing this information is on the data itself rather than the device, which allows users to bring their own device. This is done through a containerized workspace that completely separates business data from personal data. The personal functions on the phone are segregated and kept entirely walled off from the business functions, so employees can access work information without it being exposed to anything originating from the personal side.
Still, not every type of architecture can satisfy the mobile requirements of NIST 800-171. There must be a deliberate effort to make this data difficult to access. In other words, a user should not be able to simply pick up their mobile device and immediately access any sensitive information they wish. Companies should consider biometrics and password management solutions in addition to multi-factor authentication. These should be used in conjunction with 256-bit encryption to protect the sensitive data, which allows for a secure solution that can be integrated with a user's own device.
When this system is successfully in use, the information is compartmentalized on the employee's device. Should the employee no longer need, or no longer have permission to access, the data, it can easily be removed from the device without affecting anything else housed on it. Ensuring a physical partition on the mobile device is one of the only ways that will permit companies to allow employees to use their personal devices for work. Otherwise, the company will have to provide not only the device but also pay for a monthly service for its employees.
It is imperative that users apply the same cybersecurity principles and rules to mobile devices as they do elsewhere. NIST 800-171 demands it, and contractors that do not follow these cybersecurity standards will eventually be out of the government contracting business. Should their networks be breached through a mobile device, the contractor will face serious business and reputational consequences. For more information about NIST 800-171 requirements, contact ComplyUp.