
Draft NIST SP 800-124 Rev. 2, Guidelines for Managing the ...


mobile device management technologies, the security capabilities currently available for laptops are different than those available for smartphones, tablets, and other mobile device types. Further, mobile devices contain features not generally available in laptops (e.g., multiple wireless

Tags:

  Devices, Mobile, Management, Mobile devices, Mobile device management


Transcription of Draft NIST SP 800-124 Rev. 2, Guidelines for Managing the ...

Draft NIST Special Publication 800-124 Revision 2

Guidelines for Managing the Security of Mobile Devices in the Enterprise

Joshua M Franklin
Gema Howell
Vincent Sritapan
Murugiah Souppaya
Karen Scarfone

This publication is available free of charge from:

COMPUTER SECURITY

*Joshua M Franklin
Gema Howell
Applied Cybersecurity Division
Information Technology Laboratory

Murugiah Souppaya
Computer Security Division
Information Technology Laboratory

Vincent Sritapan
Science and Technology Directorate
Department of Homeland Security

Karen Scarfone
Scarfone Cybersecurity
Clifton, VA

*Former employee; all work for this publication was done while at NIST

March 2020

Department of Commerce
Wilbur L. Ross, Jr., Secretary

National Institute of Standards and Technology
Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology

Authority

This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130.

Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on Federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other Federal official. This publication may be used by non-governmental organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would, however, be appreciated by NIST.

National Institute of Standards and Technology Special Publication 800-124 Revision 2
Natl. Inst. Stand. Technol. Spec. Publ. 800-124 Rev. 2, 59 pages (March 2020)
CODEN: NSPUE2

This publication is available free of charge from:

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately.

Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST.

Organizations are encouraged to review all draft publications during public comment periods and provide feedback to NIST. Many NIST cybersecurity publications, other than the ones noted above, are available at

Public comment period: March 24, 2020 through June 26, 2020

National Institute of Standards and Technology
Attn: Applied Cybersecurity Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 2000), Gaithersburg, MD 20899-2000
Email:

All comments are subject to release under the Freedom of Information Act (FOIA).

NIST SP 800-124 REV. 2 (DRAFT) GUIDELINES FOR MANAGING THE SECURITY OF MOBILE DEVICES IN THE ENTERPRISE

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure.

ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL's responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in Federal information systems. The Special Publication 800-series reports on ITL's research, guidelines, and outreach efforts in information system security, and its collaborative activities with industry, government, and academic organizations.

Abstract

Mobile devices were initially personal consumer communication devices but they are now permanent fixtures in enterprises and are used to access modern networks and systems to process sensitive data.

This publication assists organizations in managing and securing these devices by describing available technologies and strategies. Security concerns inherent to the usage of mobile devices are explored alongside mitigations and countermeasures. Recommendations are provided for deployment, use and disposal of devices throughout the mobile-device lifecycle. The scope of this publication includes mobile devices, centralized device management and endpoint protection technologies, while including both organization-provided and personally owned deployment scenarios.

Keywords

enterprise mobility management (EMM); mobile; mobile device management (MDM); mobile security; smartphones; tablets.

Acknowledgments

The authors wish to thank the Federal CIO Council's Mobile Technology Tiger Team and the Advanced Technology Academic Research Center (ATARC) Mobile Working Groups.

The authors especially appreciate the contributions of Wayne Jansen, who coauthored the original version of this publication. The authors also thank all the individuals and organizations that provided comments on the publication, including Andrew Regenscheid and Nelson Hastings of NIST; Jeffrey A. Myers of the Department of Homeland Security (DHS); Deborah Shands and Kareem Eldefrawy of SRI International; and Michael Peck and Terri Phillips of MITRE.

Trademarks

All registered trademarks or other trademarks belong to their respective organizations.

Call for Patent Claims

This public review includes a call for information on essential patent claims (claims whose use would be required for compliance with the guidance or requirements in this Information Technology Laboratory (ITL) draft publication).

Such guidance and/or requirements may be directly stated in this ITL Publication or by reference to another publication. This call also includes disclosure, where known, of the existence of pending or foreign patent applications relating to this ITL draft publication and of any relevant unexpired or foreign patents.

ITL may require from the patent holder, or a party authorized to make assurances on its behalf, in written or electronic form, either:

a) assurance in the form of a general disclaimer to the effect that such party does not hold and does not currently intend holding any essential patent claim(s); or

b) assurance that a license to such essential patent claim(s) will be made available to applicants desiring to utilize the license for the purpose of complying with the guidance or requirements in this ITL draft publication either:

   i. under reasonable terms and conditions that are demonstrably free of any unfair discrimination; or

   ii. without compensation and under reasonable terms and conditions that are demonstrably free of any unfair discrimination.

Such assurance shall indicate that the patent holder (or third party authorized to make assurances on its behalf) will include in any documents transferring ownership of patents subject to the assurance, provisions sufficient to ensure that the commitments in the assurance are binding on the transferee, and that the transferee will similarly include appropriate provisions in the event of future transfers with the goal of binding each successor-in-interest.

The assurance shall also indicate that it is intended to be binding on successors-in-interest regardless of whether such provisions are included in the relevant transfer documents.

