NASA HEOMD Internal Memo on Personal Electronic Devices

NASA will be implementing the IT security measures described in the attached memo this week. I am sending this note to all of HEOMD so that you have a clearer understanding of what this means to you and any personal devices you connect to NASA's email / NOMAD ActiveSync service, and so you aren't taken by surprise if or when your personal device starts asking you to do things, like setting an unlock code.

- ActiveSync is the primary means of connecting a device such as an iPhone, iPad, Android or other type of device to NOMAD so that you can access your NASA email on the device. ActiveSync has the ability to 'push' certain policies to any device that uses ActiveSync to connect to NASA's email system. When you configure and connect your device to NASA's email system, though you may select "Microsoft Exchange" as the connectivity option, ActiveSync is the actual service and protocol that does the work to create and maintain the connection and to get and send your email.

- Understand that NASA has not banned use of your own personal devices to access NOMAD / NASA email, though NASA does have the authority and ability to do so. The phrase "Bring Your Own Device", or "BYOD" is used to denote such devices that are not issued by NASA or the Government, but which are instead personally owned.

- For some odd reason, there are a significant number of non-NASA issued and non-Government devices that are accessing NOMAD via ActiveSync. Even more odd is that the number of new non-NASA devices that connect to NOMAD increases significantly in the days and weeks immediately after Christmas. (Yeah, I know why, but I want to add a sense of mystery here).

- Accessing email and other NASA information that is not for public release via personal devices does pose some risk to NASA data; implementing certain security precautions on a device helps reduce that risk significantly should that device be lost or stolen, regardless of whether it is a government-owned or personally owned device. Connecting to NOMAD via a personal device is a privilege, not a right. With the privilege come some restrictions, and some risks. By connecting your personal device to NOMAD or the NASA internal network, you are implicitly accepting those restrictions and risks.

- The attached policy is a compromise between allowing use of personal devices and banning personal devices entirely from connecting to NOMAD. The goal here is to ensure that some minimum security is enabled on any device that NASA does not manage and that is connecting to NOMAD.

- The policies that NASA's NOMAD / ActiveSync server will be pushing to your personal device at a minimum will enable several capabilities on your device to improve its security. First, the policies will ensure that a PIN or passcode is set and must be used to unlock the device, so that if it is lost or stolen, it will not be easy for an unauthorized individual to gain access to your email. Second, where a device can implement this, the policies pushed will set the device to be auto-wiped if there are more than 10 failed attempts to unlock the device; this is to reduce the likelihood of brute-force guessing of the unlock code. Third, the policies will ensure that encryption capabilities for data-at-rest are turned on for your personal device.

- Each device is different, so I'm not certain what the effects will be on every type of device. I do know that for iOS devices such as iPhones or iPads the changes won't be too onerous. iOS uses data-at-rest encryption by default, so that is already turned on. If you do not have an unlock code set on your iOS device, once the policies are pushed, you will be prompted to set at minimum a 4-digit unlock code, and your device will auto-lock after 15 minutes of being idle. Also, failure to input the correct unlock code after 10 tries will auto-wipe the device. Also, the option is there for a remote wipe of your device from ActiveSync, but that option will not be used without the device owner's direct permission and by their request. Again, I am not certain what you will see or how other devices will react to the policies being pushed.

- Contrary to the nonsense you've been reading at nasawatch or elsewhere, NASA does not obtain control of your personal device; NASA cannot remotely read the contents of your device; NASA does not know your unlock code; and NASA will not remotely trigger a wipe of your personal device without your direct authorization to do so. We are NASA, not NSA. Don't drop the first 'A', eh?
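For readers on the administration side, the settings the memo describes (passcode required, 4-digit minimum, 15-minute idle lock, wipe after 10 failed unlocks, encryption required) map directly onto an Exchange ActiveSync mailbox policy. The following is an added example written for this page, not NASA's actual policy or configuration; it assumes the Exchange Management Shell with the Exchange 2013+ cmdlet names, and the policy name and mailbox identity are placeholders.

```powershell
# Added example (not from the memo): an Exchange ActiveSync mailbox policy that
# mirrors the minimum settings the memo describes for personal (BYOD) devices.
# Assumes Exchange 2013+ cmdlet names; the policy name and mailbox below are placeholders.

$policyName = 'BYOD-Minimum-Policy'   # placeholder policy name

# The memo's settings:
#  - a PIN/passcode must be set; at least 4 characters, digits are acceptable
#  - the device locks itself after 15 minutes idle
#  - the device wipes itself after 10 failed unlock attempts
#  - data-at-rest encryption is required
#  - AllowNonProvisionableDevices $true matches the memo's "where a device can
#    implement this"; setting it to $false would instead refuse devices that
#    cannot enforce the policy at all.
New-MobileDeviceMailboxPolicy -Name $policyName `
    -PasswordEnabled $true `
    -AlphanumericPasswordRequired $false `
    -MinPasswordLength 4 `
    -MaxInactivityTimeLock '00:15:00' `
    -MaxPasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $true

# Assign the policy to a mailbox (placeholder identity). In practice this is
# scoped to the set of users who are permitted to connect personal devices.
Set-CASMailbox -Identity 'user@example.invalid' -ActiveSyncMailboxPolicy $policyName

# Verification: the policy is only effective on devices that acknowledged it.
# List every synced device that has not applied the policy in full, so that
# the "I'm not certain what you will see on other devices" cases in the memo
# can be reviewed instead of assumed.
Get-Mailbox -ResultSize Unlimited |
    ForEach-Object { Get-MobileDeviceStatistics -Mailbox $_.Identity } |
    Where-Object { $_.DevicePolicyApplicationStatus -ne 'AppliedInFull' } |
    Select-Object DeviceType, DeviceModel, DeviceOS,
                  DevicePolicyApplied, DevicePolicyApplicationStatus, LastSuccessSync
```

Devices reporting NotApplied or PartiallyApplied are still syncing mail without the promised protections, which is the gap the memo's "each device is different" caveat points at.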
