This post was written by Amy S. Mushahwar. 

On July 11, the National Institute of Standards and Technology (“NIST”) released Guidelines for Managing and Securing Mobile Devices in the Enterprise, its draft policy for securing mobile devices that will supplement its already-published general security recommendations for information technology. In these draft Guidelines, which are a revision of its 2008 publication Guidelines on Cell Phone and PDA Security, the NIST is updating its mobile security recommendations and focusing on new technologies, specifically smartphones and tablets. Once published, these could become the approved guidelines for all federal agencies and federal contractors, which could be particularly troublesome for those lacking mobile device security policies and other security measures.

Focused on providing cost-effective security guidelines, the NIST recommended centralized mobile device management technologies for both organization-owned and personally-owned (BYOD) devices, which manage the configuration and security of mobile devices while allowing other security features to be added as needed. Additionally, the NIST recommended: (1) developing system threat models for mobile devices and the resources that are accessed through the mobile devices; (2) instituting a mobile device security policy; (3) implementing and testing a prototype of the mobile device solution before putting it into production; (4) securing each organization-issued mobile device before allowing a user to access it; and (5) maintaining mobile device security regularly.

The NIST is accepting comments concerning the draft Guidelines until August 14.


Research and drafting assistance for this post was provided by Reed Smith Legal Intern Rachael E. Pashkevich.