On August 29, 2013, NASA Chief Information Officer Larry Sweet sent out an Agency message to all NASA employees entitled "Bring Your Own Device (BYOD) and Mobile Computing at NASA," which included a memorandum of minimum security requirements for personal mobile devices (available online). The memo alerted employees to the enforcement of several requirements regarding the NASA e-mail system that would begin on September 10.

Many have asked, "Where did these requirements come from, and why are they coming out now?" Well, as we all know, mobile devices (e.g., smartphones, tablets, etc.) are playing an increasingly important role in our lives. As we start to use these new and exciting technologies at home, we often want to use them in all aspects of our life--including at work. However, the introduction of such devices into the marketplace and then into the workplace often precedes NASA's ability to test and secure them. As a result, they present unique technological, legal, and security challenges for you and for our IT staff.

Historically, NASA has not blocked or prevented the use of mobile devices to access NASA e-mail and resources. However, due to the exponential growth of these unmanaged systems in the NASA environment over the past few years, it has become imperative for NASA to acknowledge and address the risk they present to our resources and data.

So, instead of simply "turning access off" and forbidding the use of mobile devices (which would have certainly addressed the risk), the NASA CIO decided to implement a minimum set of basic security requirements and capabilities to support NASA employees while a broader BYOD effort is pursued. Many of these security requirements are general best practices that are already in use by employees on their personal devices.

That being said, we did want to address a few questions and concerns that have been raised, particularly those related to using a personal mobile device to connect to the NASA e-mail system:

Does NASA now have the ability to access any information on my personal device?

No, absolutely not. NASA cannot access any data on your personal device; it can only confirm that your device exists and has connected to our system.

Did NASA install any software on my device?

No. Any changes in the security configuration of your personal device to support NASA's minimum requirements take place within the device's own native capabilities. No software or additional "profiles" have been installed.

Original post:

NASA Mobile Security Requirements: Why Now?