New NIST Guidelines for Securing Mobile Devices

According to the National Institute of Standards and Technology, mobile devices must support multiple security objectives, including availability, integrity and confidentiality. This means they must be secured against different threats, which is why NIST recently published draft guidelines outlining baseline security technologies that mobile devices must include to remain safe.

Businesses and governments are increasingly relying on different mobile devices, including smartphones and tablets. These devices grow more popular as their capabilities increase, making it even more important for them to remain cyber-secure.

Government agencies and companies must give top priority to securing these products, particularly the employee-owned devices. Many companies allow their employees to use personal mobile devices, a situation that increases cybersecurity risks to company data, resources and networks.

NIST published guidelines on hardware-rooted security in mobile devices, which define the pertinent security capabilities and components required to make the products more secure.

According to Andrew Regenscheid, the lead for Hardware-Rooted Security at NIST, many of the mobile devices in current use lack the firm foundation required to build security and trust. The guidelines are meant to help designers of the latest mobile devices use trustworthy components, or "roots of trust", that improve security by performing crucial security functions.

Desktop and laptop computers generally implement the roots of trust on separate and secure chips. The space and power limitations that the designers of mobile devices face lead to the use of different approaches. For example, manufacturers may leverage the built-in security features in the processors of their mobile devices.

The new guidelines address known security challenges on mobile devices based on three security capabilities. A smart phone or tablet that supports device integrity provides information about its operating status, health and configuration, and companies whose data is being accessed can verify this information.

Isolation capabilities keep organizational and personal data processes and components separate. As a result, employees can use personal applications without interfering with the secure operations of a company.

Protected storage makes it possible to use cryptography and to restrict access to information.

According to the new guidelines, every mobile device must implement three security components to attain the required security, namely:

  • Roots of trust that combine software, firmware and hardware components.
  • Application programming interfaces that allow applications and the OS to take advantage of the roots of trust.
  • A policy enforcement mechanism to ensure management, processing and maintenance of mobile devices.

A simple but effective way to abide by the regulations is to use an RF-shielded countermeasure enclosure.

This is where the new Signal Safeguard SSG-COM countermeasure RF-shielded PED management system comes in: it protects information on these devices from wireless attack and offers the ability to meet these guidelines today. Standard locker boxes do not shield RF signals, and encryption is not on standard PED devices at this time, which leaves them completely vulnerable to losing PII while at rest in general areas outside of a SCIF. While it may be years before encryption protection is standard on portable electronic devices, the SSG models use a type of Faraday shielding technology, among other features, to meet these needs now and are currently in use at many military and government agencies throughout the US.