Federal CIO Council Releases BYOD Toolkit
Bring Your Own Device (“BYOD”) is the latest overnight IT sensation. But like most “overnight sensations” the foundational work took years before now familiar names “suddenly” hit the bright lights. In broader response to the ongoing Consumerization of Information Technology trend (“COIT”), no less than the Federal government has jumped on the BYOD bandwagon. Last week the Federal CIO Council released a BYOD resource toolkit for agencies contemplating BYOD programs. You can download the Toolkit in PDF at https://cio.gov/wp-content/uploads/downloads/2012/09/byod-toolkit.pdf or view it online. Not surprisingly, the CIO Council views BYOD as “a growing trend that is still in its infancy, but shows early promise as a driver of cost savings, increased productivity, and improved user experience.”
The “Bring Your Own Device – A Toolkit to Support Federal Agencies Implementing Bring Your Own Device (BYOD) Programs” (“Toolkit”) is designed as an aid to agencies in furthering one key stated federal goal of the Digital Government Strategy (PDF), issued earlier this year on May 23, 2012, to enable today’s increasing mobile workforce to efficiently provide government services.
The accompanying Toolkit announcement states that it represents a “great starting point for agencies considering BYOD programs” but that more complicated issues related to BYOD need to be further addressed, such as “how the government can reimburse employees for voice and data costs as well as additional security, privacy, and legal considerations, including supply chain risk management and legal discovery.” Indeed.
Nevertheless, the Toolkit is a solid resource worth review by any organization – private, non-profit or governmental – exploring BYOD options and implementations. It provides:
- Key BYOD considerations
- Three case studies of agencies implementing BYOD and concludes with
- Five sample policies, covering mobile device usage, BYOD rules, wireless communication reimbursement and finally a wireless network access device policy.
What’s to be learned from the Toolkit? A good amount. For as the Toolkit notes “the key takeaway of our efforts is that while BYOD may not be right for every agency, it can, given the right environment, succeed in a secure and records-managed way.”
Key Considerations
A key BYOD issue all too commonly skirted in many articles on BYOD is the reality that BYOD proper is typically but one piece of a bigger shift in an entity’s technological pie, combing often enough concerted IT restructuring, data security life-cycle reviews, and budgetary reactions – as the case studies highlight.
The Toolkit depicts BYOD’s current characteristics as serving to offer choice to employees while, in theory (depending on a cost-benefit analysis) being cost-effective for both employees and employers. The key issues the Council identifies for consideration in any BYOD program include:
- Selection of an overall technical approach from one of the three identified approaches (based on either virtualization, a walled garden or a hybrid limited separation)
- Identifying and allocating roles and responsibilities (among and between the entity, users, help/service desks and the carrier(s)’ technical support)
- Providing appropriate incentives organizationally and for individuals
- Surveying employees on benefits and challenges specific to the entity
- Consideration of voluntary versus mandatory participation in a BYOD program and the potential impact on applicable terms of service
- Security assessments, including information security, operations security and transmission security; determining applicable security requirements, standards and selection of a system architecture to provide secure interoperability
- Establishing a balance between personal privacy and organization security
- Reviewing applicable ethical and legal questions (with the Toolkit identifying defining “acceptable use”, addressing legal discovery and liability issues and implication for equal rights employment
- Identifying supported devices and applications (with consideration of mobile device management (MDM) and mobile application management (MAM) enterprise systems; content storage, ownership of apps and data and data portability) and
- Asset management to address device disposal under various situations; reporting and tracking lost/stolen devices; funding for service and maintenance.
While the Toolkit doesn’t deep dive into the key considerations above, footnote 4 on page 8 does provide a hint of the many additional MDM/MAM issue and provides a beacon for future BYOD-related deliverables, including pending drafts and revisions to NIST special publications forthcoming: NIST SP 800-114 Revision 1 (Draft), User’s Guide to Telework and Bring Your Own Device (BYOD) Security and NIST SP 800-46 Revision 2 (Draft), Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security.
Case Studies From the Dept of the Treasury, EEOC and the State of Delaware
While the Toolkit doesn’t explain why the three case studies provided were selected, other than that they “highlight the successful implementation of a BYOD pilot or program at a government agency,” each provides a useful brief synopsis of “the specific challenges, approaches, and lessons learned.”
Case Study #1 - Department of the Treasury’s Alcohol and Tobacco Tax and Trade Bureau (“TTB”)
The TTB’s BYOD implementation depicts a program built of budgetary necessity that dovetailed neatly with the fact that the TTB’s workforce is widely dispersed with over 80% of employees teleworking on a regular basis. Its program highlights that its BYOD rollout was conducted hand-in-hand with a broader IT initiative to break the agency’s desktop and laptop refresh cycle through the introduction of a Linux based thin client that transformed user desktop/laptops into thin clients which delivered the “additional benefit of delivering every TTB application, with user data, to a wide range of user devices without the legal and policy implications that arise from delivering data to or allowing work to be accomplished directly on a personal device.”
The result today is that “about 70 percent of TTB personnel access all TTB computing resources through thin devices, provided by TTB as well as BYOD. There is no typical user setup. If the desired user configuration works, TTB allows it.”
Case Study #2 - U.S. Equal Employment Opportunity Commission (“EEOC”) BYOD Pilot
Striking a familiar refrain the Toolkit depicts the EEOC’s BYOD program are growing “out of the necessity of meeting new budget challenges with limited resources” as the EEOC faced “a 15 percent reduction in its IT operating budget for FY 2012.” In response the EEOC’s CIO reviewed the EEOC’s entire IT structure, which, in addition to other changes, slashed the agency’s budget for government-issued mobile devices, which were centered on the Blackberry platform.
The EEOC case study provides a nice roadmap for anyone pushing toward a BYOD while migrating from a single vendor source. Over alpha and beta phases of the rollout (in fact the beta phase is still ongoing and should conclude in Sept 2012) the EEOC not only moved toward a BYOD solution, but also toward a cloud-based provider to assist in device management. The case study further demonstrates that a BYOD rollout need not have “all the answers” at the start. Draft policies for BYOD Rules of Behavior were crafted in parallel with the pilot phases, development choices for existing Blackberry users, including a “status quo” option, and expressly includes BYOD training sessions to stress security and procedures.
Interestingly the pilot states one goal of the BYOD pilot was to obtain feedback on the first version of the Rules of Behavior, which continues to evolve in the face of outstanding questions, such as whether to include an enforceable waiver exempting employees from holding the EEOC accountable and reimbursement for a portion of the data/voice services.
The EEOC BYOD pilot “lessons learned” include recommendations to:
- Socialize the concept of BYOD to explain the BYOD concept to employees and managers
- Work with legal counsel and unions, if any, early in the process and allow input on the BYOD program and policies from thought leaders, and
- Select and prioritize important security features for initial implementation, and then expect to cycle back to identify additional security measures after the first set are completed.
Case Study #3 - State of Delaware BYOD Program Transitioning from State-owned Blackberries to a Personal Device Reimbursement Plan
You have to feel for Blackberry these days, at least if the recounted case studies are any guide. At least two of the three case studies involve pushing Blackberry out as the exclusive mobile option as BYOD moves in. As in the other two case studies, Delaware sought to “realize significant savings” as its Blackberry infrastructure reached the end of its lifecycle. The State decided to, within two years, migrate all users off its existing infrastructure toward the choice of using a personal device (with a proposed reimbursement) or a device running directly through the state’s wireless carrier with a goal of saving $2.5MM annually.
Among Delaware’s lessons learned were:
- Tax issues - When discussing reimbursement, the State had to structure the program so it was not providing a stipend, but in fact a reimbursement after the fact to avoid stipends being taxable under IRS regulations
- Freedom of Information Act issues, which the State has avoided in large part by keeping the stat’s e-mail centralized with a copy of every transaction on the central servers to provide a clean copy for discovery in litigation if necessary
- Unexpected carrier changes – The move by many carriers from common unlimited data plans to capping data plans has resulted in employees being unwilling to use personal devices for work as Delaware will not provide additional reimbursement if employees go over their data maximum.
Example Policies Sample Policies
The Toolkit’s sample policies are, in my opinion, a mixed bag, and include the following sample forms:
• #1: Policy and Guidelines for Government-Provided Mobile Device Usage
• #2: Bring Your Own Device—Policy and Rules of Behavior
• #3: Mobile Information Technology Device Policy
• #4: Wireless Communication Reimbursement Program
• #5: Portable Wireless Network Access Device Policy
Nevertheless the forms highlight general issues that IT departments, users, managers and legal should be considering in the BYOD arena. For instance, sample #2 – Policy and Rules of Behavior includes a list of user duties that include that a:
- User will not download or transfer sensitive business data to their personal devices;
- User will password protect the device;
- User agrees to maintain the original device operating system, keep the device current with security patches and updates, as released by the manufacturer, and not “Jail Break” the device;
- User agrees that the device will not be shared with other individuals or family members (NOTE: practically, if my kids are any indicia of the norm, I don’t see this working. People “temporarily lend” personal devices to family members constantly, for example, to answer a call while the owner is driving, review a just snapped picture, to play a game, etc. though such uses could be considered de minimis and perhaps such restrictions should reflect this to state users agree devices will not be shared with family members unless the user is immediately present to control the device); and
- User agrees to delete any sensitive business files that may be inadvertently downloaded and stored on the device through the process of viewing e-mail attachments. "Follow the premise, 'When in Doubt, Delete it Out'"
Take Aways and the Bottomline
The BYOD movement, barring some black swan type of event, is likely to continue to gather steam – though not without various detractors. And as the Toolkit notes, BYOD remains a nascent movement with real concerns and numerous issues to be worked through, along with the establishment of new practices and expectations each organization must developed and manage.
The successful case studies each reveal that successful BYOD implementations combine high level driving factors with a bottom-up buyin and IT, management and legal involvement throughout.
To discuss the Toolkit's lessons, discuss your own BYOD legal concerns or take advantage of our industry experience in technology rollouts, feel free to contact me or any of the attorneys at the InfoLawGroup.