Mobile Devices and Applications

Introduction

This chapter provides guidance on CMS policies surrounding the use and management of mobile devices, as well as developing and managing CMS mobile applications and CMS services that communicate with mobile devices. This guidance is based on the following documents, as well as industry best practices and other guidance sources.

• HHS Policy for Mobile Devices and Removable Media (version 1.0, August 2019)
• HHS Mobile Applications Privacy Policy (version 1.0, September 2018)
• NIST SP 800-124 Revision 2, Guidelines for Managing the Security of Mobile Devices in the Enterprise (May 2023)
• NIST SP 800-163 Revision 1, Vetting the Security of Mobile Applications (April 2019)

CMS policy aligns with HHS policy and thus references to HHS apply directly to CMS. CMS has the option to create more stringent policies in the future.

The HHS Mobile Applications Privacy Policy and HHS Policy for Mobile Devices and Removable Media provide guidance for managing and securing mobile devices, developing CMS mobile applications, and the protection of personal information (such as personally identifiable information [PII], sensitive personal information [SPI], and other sensitive information) on mobile devices.

• The HHS Mobile Applications Privacy Policy focuses on providing guidelines to protect privacy in HHS mobile applications used by the public or HHS employees

• The HHS Policy for Mobile Devices and Removable Media focuses on protecting information and information systems from risks related to the use of mobile devices for government businesses and the risks of using mobile devices to access HHS information systems remotely from outside of HHS facilities. The HHS Policy for Mobile Devices and Removable Media pertains to all HHS employees, contractors, and other personnel who use mobile devices (including authorized non-Government Furnished Equipment (GFE) mobile devices) or removable media to store, process, and/or transmit HHS information, or remotely access HHS information systems.

What Are Mobile Devices?

NIST SP 800-53 Rev. 5 provides the following definition for a mobile device:

A portable computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the devices to capture information, and/or built-in features for synchronizing local data with remote locations.

Mobile devices include cell phones, smart phones, tablets, laptops, and other devices that store, process, and transmit HHS information. Note that the focus in this section will be non-laptop devices, as the security capabilities currently available for laptops are different than those available for smartphones, tablets, and other mobile device types. Also, mobile devices contain features that are not generally available in laptops (e.g., multiple wireless network interfaces, Global Positioning System, various sensors).

From a policy perspective, mobile devices fall into two categories: either government furnished equipment (GFE) or non-GFE devices, which may be personally owned or provided by a contractor or business partner. The HHS Policy for Mobile Devices and Removable Media provides details on the use of both GFE and non-GFE devices and what resources and HHS systems can be accessed.

Threat, Risks, and Vulnerabilities

Mobile devices pose threats, risks, and vulnerabilities if not provisioned or used correctly. Common threats related to mobile devices include:

• Compromise of the mobile device from vulnerabilities in the device operating system or installed app
• Device loss or theft
• User credential theft through phishing, wireless eavesdropping, or social engineering
• Device misconfiguration exposing enterprise information

All of these threats create risk to the confidentiality and integrity of CMS information. Mobile devices with remote access to sensitive data or CMS systems could be compromised to gain unauthorized access, which can put CMS information at risk and leave systems vulnerable to future attacks. Mobile devices that store, process, or transmit CMS information must be encrypted in compliance with CMS requirements. A failure to keep mobile software up to date can create a risk of compromise to the device.

To protect against these threats, the HHS Mobile Device and Removable Media Policy requires several core security principles be followed, including:

• All mobile devices with access to HHS systems or information must be managed using a Mobile Device Management (MDM) solution, which enables:

• management and control of device configuration

• segregation of personal and federal information, including the ability to remotely sanitize federal information stored on the device

• controlled access to CMS resources

• monitoring of malware detection and analysis tools to ensure they are installed, implemented, and up to date

• Mobile device data must be encrypted to protect against device theft and loss
• Mobile devices must be explicitly authorized and tracked, including the mobile devices/device types and operating system/patch levels required for devices which access HHS systems or information
• Multi-factor authentication must be implemented for the mobile device and for access to HHS information systems and resources including changing all vendor-supplied and default passwords to a complex password compliant with the HHS IS2P

The HHS Policy for Mobile Devices and Removable Media includes a threat model requirement that encourages operating divisions / organizations to assess the threat landscape in creating a mobile device program to address business specific risks. Requirements include developing threat models and performing risk assessments for each of the remote access methods, each type and ownership category of mobile devices, and the locations from which HHS information systems will be accessed remotely (e.g., user's home, contractor facilities, domestic travel locations, and international travel locations). The goal of this assessment is to create a tiered access approach which limits risk by permitting the most controlled and secure devices to have greater access to HHS information systems and resources, and restricting devices that have less control to have less access or no access.

The HHS Policy for Mobile Devices and Removable Media also incorporates security controls for use of mobile devices. Specifically:

• Users must physically protect their mobile devices at all times

• Users are restricted from syncing GFE mobile devices with non-GFE mobile devices and laptops of unapproved personal, vendor or commercial cloud services and external devices.

• Users are required to read and adhere the acceptable use policy for mobile devices and removable media

• Users must use encrypted VPN communications to protect all federal information transferred to or from a mobile device

CMS Mobile Device Categories

Unmanaged Mobile Devices

Unmanaged mobile devices equate to personally owned mobile devices. These devices can access only public CMS systems and networks by default. Non-GFE mobile devices must not be allowed to access CMS systems and information if an MDM solution is not in place to assure complete segregation of personal and CMS information. Deviation from this requirement requires an approved risk assessment and a waiver granted.

CMS-Managed Mobile Devices

CMS-managed mobile devices shall be used only by the person authorized to use the device. CMS users must not load unauthorized software or illegal content onto their devices. CMS should monitor and log all wireless communication from mobile devices connected to the CMS network. CMS-managed mobile devices are subject to the following controls:

• Email and all website communications are subject to routine or automated scans and can be removed based on threat.

• Malware detection and analysis tools must be installed, configured, and kept up-to-date on both CMS-managed and Partner-managed mobile devices.

• All CMS-managed mobile devices must be enrolled in the CMS MDM solution to enable the remote erasure of data in the event the mobile device is lost or stolen.

• Users are not permitted to jailbreak their mobile device. Jailbroken or rooted mobile devices will be prevented access to CMS resources, information systems, and information.

• Any additional or new connectivity to be provided to the mobile device via hardware, software or other methods must be controlled and approved by CMS.

• All mobile devices, containers, and removable media must implement full-disk/full device encryption using FIPS 1402-2 / 140-3 validated cryptographic modules in compliance with HHS encryption requirements

• Users of mobile devices should enable Bluetooth and pair their devices only when it is needed and must disable Bluetooth when it is not being actively used.

• Strong authentication for mobile devices must be enforced in accordance with the HHS Information Security and Privacy Policy (IS2P) by implementing the following:

  • Strong password authentication for accessing the mobile device

  • Two-factor authentication for accessing the container and when connecting to CMS information systems

  • Configuring mobile devices with appropriate access restrictions in compliance with CMS policies

CMS may identify and differentiate applications that are allowlisted or denylisted for use on CMS-managed devices and may allow apps to be loaded on the CMS-managed mobile devices only from CMS authorized app stores. These apps can only be obtained from CMS-authorized or CMS-managed app stores or an app vetting process that complies with FISMA requirements.

CMS Partner-Managed Mobile Devices

Mobile devices managed by a CMS partner (i.e., contractors and other agencies with a business or government relationship with CMS) shall be used only by the person authorized to use the device. CMS should monitor and log all wireless communication from mobile devices connected to the CMS network. The following controls apply to CMS Partner-managed mobile devices:

• Any additional or new connectivity to be provided to the mobile device via hardware, software, or other methods must be controlled and approved by CMS.

• MDM software and malware detection and analysis tools must be installed, configured, and kept up-to-date on both CMS-managed and Partner-managed mobile devices. .

• All Partner-managed mobile devices must have the capability to remotely erase all federal information stored on the device in the event the mobile device is lost or stolen.

Guest Mobile Devices on the CMS Guest Network

• CMS-provided guest networks must comply with the HHS Policy for Mobile Devices and Removable Mediaand any applicable CMS ARS Security Controls including AC-18.

• All data transmitted on these devices over a CMS guest network may be monitored, recorded, and disclosed at the discretion of CMS.

• Users must not transmit sensitive information (e.g., PII, PHI, and CUI) and unencrypted federal information over guest wireless networks, including CMS guest wireless networks.

Mobile Software, Applications, and Data

Mobile applications can collect information from the device itself, such as location information and device identifiers. Operating divisions / organizations of CMS must have a baseline protection agreement for mobile applications comparable to the plan set up by HHS.

CMS applications for mobile devices must comply with the CMS TRA, CMS ARS, RMH, and other guidance, and should follow these best practices:

• Use only CMS-authorized app stores to distribute apps

• Collect only information necessary to achieve CMS’s mission

• Use structured data entry methods, rather than freeform text entry, whenever possible to limit data collection and minimize data entry errors

• Use standard best practices for mobile data encryption, recovery, and disposition

• Ensure users have options to opt out and customize the mobile application’s features when appropriate, such as opting out of location-based services while still choosing to use other application services

• Display a heads-up notification to users any time an action may impact PII

• Leverage the OWASP Mobile Application Security Verification Standard (MASVS) as an industry standard for validating mobile application security

• Mobile applications must go through a privacy risk assessment, and meet the privacy requirements outlined in the CMS Risk Management Handbook Chapter 19: Privacy Procedures

Mobile Devices Business Rules and Recommended Practices

BR-MD-1: Mobile Devices (GFE and non-GFE) Must Be Authorized to Access CMS Systems and Government Data

To access non-public CMS systems and government data, GFE and non-GFE mobile devices require authorization.

Rationale:

Unauthorized mobile devices may lack important security controls and may be subject to security vulnerabilities which put the confidentiality and integrity of CMS information at risk. Mobile device vulnerabilities cold also be exploited by cybercriminals to access CMS systems. Authorization also enable CMS to track devices which have access to CMS systems, per HHS policy.

BR-MD-2: Mobile Devices Must Use Encrypted Communication to Access CMS Data

Mobile devices that access non-public CMS data must use encrypted communication channels between the device and the CMS services.

Rationale:

Mobile devices communicate via network paths that are subject to eavesdropping and interception, which can expose CMS sensitive information as well user credentials. Encrypting communications reduces the risk of data interception and ‘man-in-the-middle’ attacks.

BR-MD-3: Managed Mobile Devices Must Support Remotely Erasing All Stored Data If the Device Is Lost, Stolen, or Compromised

All mobile devices with access to CMS networks or systems must be managed via an MDM solution that can remotely sanitize mobile containers without impacting personal information on the mobile devices, and has the ability to remotely sanitize the entire mobile device when necessary. This applies to all mobile devices, both GFE and non-GFE, that are managed by CMS or CMS Partners.

Rationale:

Mobile devices are increasingly used for business purposes, increasing the likelihood that they contain sensitive data and applications. Sensitive information stored on mobile device could be compromised if the device falls into the wrong hands. Remote erase (also known as remote wipe) allows administrators to quickly remove sensitive information from the device.

BR-MD-4: Managed Mobile Devices Must Support Encryption for Internal and Removable Storage

This applies to all mobile devices, both GFE and non-GFE, that are managed by CMS or CMS Partners.

Rationale:

Mobile devices may contain sensitive personal or CMS business information that if breached, can cause significant problems for both the user and CMS. Encrypting data on mobile devices and any associated removable media renders the data unreadable if an unauthorized user gains access to the physical device.

BR-MD-5: Managed Mobile Devices Must Meet CMS Security Requirements

This includes, but is not limited to, CMS requirements for updated patches, complex passwords, smart card authentication, and collecting PII / PHI or sensitive data. This applies to all mobile devices, both GFE and non-GFE, that are managed by CMS or CMS Partners.

Rationale:

CMS security requirements for mobile devices are designed to reduce the risk of breach of CMS sensitive information through its remote access on a mobile device. These security requirements provide for protections as the user, access, application, and data levels to provide holistic protection for mobile devices and the data they contain.

BR-MD-6: Only CMS Authorized Applications May Be Installed on CMS-Managed Devices

CMS will identify and differentiate those applications that are allowlisted or denylisted for use on CMS approved devices. Apps that can be installed on the mobile devices are restricted to those within a CMS-authorized app store.

Rationale:

Apps downloaded through mobile device app stores are not guaranteed to be free of malware or other data-stealing capabilities. To reduce the risk of compromise of sensitive CMS or user data, or fraudulent access to CMS systems, mobile device users must only download approved apps from app-stores approved by CMS.

BR-MD-7: User Agreements Must Be In Place for Mobile Devices Accessing CMS Services and Data

Users are required to read and adhere the acceptable use policy for mobile devices and removable media, including the HHS Rules of Behavior for Use of HHS Information and IT Resources Policy. The agreements include requirements such as support for encryption, remote erasing, security controls, acceptable use, and trusted mobile applications.

Rationale:

Protecting CMS systems and information from the risks of mobile devices requires not only technical security controls but also the understanding and cooperation mobile device users. User agreements create awareness of CMS security requirements, commitment to follow them, and identify the potential repercussions for non-compliance.