NIST, NCCoE Planning Big Updates to Mobile Security Guidance

mobile security endpoint cloud mobility BYOD

The National Institute of Standards and Technology (NIST) is updating two of its major publications regarding mobile device security, and NIST’s National Cybersecurity Center of Excellence (NCCoE) is expanding into uncharted territory.

Representatives from NIST, speaking today at an event hosted by ATARC, discussed why these updates have become so necessary amid an evolving security landscape.

The first relates to the security of mobile applications, including that agencies ensure they apply necessary security protocols throughout an application’s vetting process to ensure they are “reasonably free from vulnerabilities.”

Michael Ogata, computer scientist at NIST’s Applied Cybersecurity Division, is one of the lead authors of the first draft revision to SP 800-163, “Vetting the Security of Mobile Applications,” which was released in July. He charted the course of the new updates to the guidance, saying “the document greatly expands the scope of what mobile application vetting is.”

SP 800-163 outlines the mobile app security review process–including the application’s path through the vetting process and test infrastructure–and also explores evolving threats across the mobile landscape.

Ogata noted that some of the main things lacking from the initial publication were “reciprocity artifacts for security”–meaning information gleaned from other parts of agency or partner security infrastructure–and that “the document did not make any concrete statements about what types of app security requirements your organization should take into account when they’re building what their vetting process actually looks like.”

The publication will also try to arrive at a common language to describe threats, Ogata said, based on industry-accepted standards like Common Weakness Enumeration (CWE), Common Vulnerability Enumeration (CVE), and the Common Vulnerability Scoring Standard (CVSS).

SP 800-163 Draft Revision 1 is out for public comment until Sept. 6. But applications represent just one piece of the mobility management puzzle, and rapidly-expanding device proliferation is prompting NIST to update its “Guidelines for Managing the Security of Mobile Devices in the Enterprise,” known SP 800-124.

Gema Howell, another computer scientist at NIST’s Applied Cybersecurity Division who also works at the NCCoE, spoke about 800-124, which hasn’t been revised since 2013.

The main updates to the guidance will include an expansion of the management technology characteristics section–mobile data management (MDM), enterprise mobility management (EMM), and unified endpoint management (UEM), and the related software have all seen big developments in recent years, Howell indicated, so the publication is evolving to match.

The update will also delve into new deployment considerations, threats in the mobile ecosystem, and mitigation of those threats, which weren’t as prevalent five years ago.

“With more capabilities and more characteristics of these devices, more threats have shown, and so we’ve expanded on the different threats…privacy implications are discussed as well, location tracking, things like that,” Howell said. The update to SP 800-124 is expected in FY2019.

The NCCoE focuses on actually “applying NIST guidance to commercially-available products in real world scenarios,” Howell said. NCCoE has published a mobile threat catalog with 12 categories mapped to CVEs, and has also crafted mobile deployment architecture to help lock down some of the most common applications.

Looking forward, Howell said NCCoE is working on a build for bring-your-own-device (BYOD) deployments, that will include cloud-based tools to manage endpoints that aren’t provided by the government. Many agencies have remained reticent to adopt BYOD due to security concerns, but Howell said it will provide “an alternative to the fully-managed approach.” Both 800-163 and 800-124 will help inform that build, she said.

Recent