NSF OIG Flags Mobile Device Policy and Compliance Gaps

The Office of the Inspector General (OIG) at the National Science Foundation (NSF) found that NSF could improve its mobile device security after finding devices that were not enrolled in the agency’s mobile device management program and inappropriate apps on work devices. The agency agreed with the report’s recommendations.

NSF owns around 698 iPhone and iPad devices in total, but the report found that 102 of those were either not enrolled or enrolled incorrectly in the agency’s mobile device management (MDM) program. OIG pointed to the lack of a mechanism to ensure that devices are correctly enrolled. The report also found that some employees’ personal devices had accidentally been enrolled as NSF-owned, giving the agency access to personal content. Additionally, OIG found that users could access NSF email on devices not enrolled in NSF’s MDM program, which the report said warranted a fix to technical controls.

While NSF policy allows “occasional personal use of NSF-supplied technology and communication resources when the cost to the Government is negligible and the personal use does not interfere with official business,” the report found that some devices had apps aimed at entertainment, gambling, or financial gain. While OIG did not exhaustively review the 7,652 apps on NSF-owned devices, neither did the agency, and the report pointed to a limited review of prohibited apps as a “missed [opportunity] to detect and deter inappropriate use of NSF-owned mobile devices.”
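The two gaps described above (agency-owned devices missing from MDM or enrolled under the wrong ownership type, and enrolled devices carrying prohibited app categories) can be surfaced by reconciling the asset inventory against an MDM export. The following is an added example, not code from the report or from NSF; the field names, ownership values and app-category mapping are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass, field

# Assumed mapping of the report's wording onto app-store categories.
PROHIBITED_CATEGORIES = {"entertainment", "gambling", "finance"}

@dataclass
class MdmDevice:
    serial: str
    recorded_owner: str                      # "agency" or "personal" as recorded in MDM (assumed values)
    app_categories: set = field(default_factory=set)

def reconcile(agency_serials, mdm_devices):
    """Compare the agency asset list with the MDM export; return finding -> sorted serials."""
    agency = set(agency_serials)
    mdm = {d.serial: d for d in mdm_devices}
    return {
        # agency-owned asset with no MDM record at all
        "not_enrolled": sorted(agency - mdm.keys()),
        # agency asset enrolled, but recorded as personal (wrong enrollment type)
        "agency_enrolled_as_personal": sorted(
            s for s in agency & mdm.keys() if mdm[s].recorded_owner == "personal"),
        # device recorded as agency-owned that is not on the asset list (likely a personal device)
        "personal_enrolled_as_agency": sorted(
            s for s, d in mdm.items() if s not in agency and d.recorded_owner == "agency"),
        # agency asset carrying apps from a prohibited category
        "prohibited_apps": sorted(
            s for s in agency & mdm.keys() if mdm[s].app_categories & PROHIBITED_CATEGORIES),
    }

# Constructed sample data, not taken from the OIG report.
AGENCY_SERIALS = ["A100", "A101", "A102", "A103"]
MDM_EXPORT = [
    MdmDevice("A100", "agency", {"productivity"}),
    MdmDevice("A101", "personal", {"productivity"}),   # wrong enrollment type
    MdmDevice("A102", "agency", {"gambling", "news"}), # prohibited app category
    MdmDevice("P900", "agency", {"social"}),           # personal device enrolled as agency-owned
]

if __name__ == "__main__":
    for kind, serials in reconcile(AGENCY_SERIALS, MDM_EXPORT).items():
        print(f"{kind}: {serials}")
```

Running the reconciliation on each MDM export, rather than relying on a one-time enrollment step, is the kind of mechanism the report found missing.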

The report also points to the agency’s mobile device recertification process as an area for improvement. OIG highlights the lack of detail in NSF’s policies, and the lack of recourse for not finishing the recertification process. The report also calls on NSF to better manage data plans and inform users of their data usage. Finally, OIG noted the lack of web filter report reviews, leading NSF to miss “the opportunity to detect and remedy inappropriate use of electronic devices connected to its network.”

The report offers seven recommendations to address these issues, including new guidance to review and delete apps that are not necessary for agency business, ensuring that all devices are enrolled in MDM, and educating users annually. NSF agreed to all seven recommendations in the report.
