Regulatory Update: Achieving Compliant PDA Use

SPECIAL REPORT: Smartphones & PDAs

By Barbara DePompa, 1105 Government Information Group Custom Media

Agencies involved in defense and intelligence must ensure that smartphones and other wireless handheld devices comply with regulations such as FIPS 140-2, which requires encryption of data and voice calls. In addition, the National Institute of Standards and Technology (NIST) offers guidelines for mitigating the risks associated with these devices.


Smartphones and Personal Digital Assistants (PDAs) have become indispensable tools for today's highly mobile workforce. These devices are no longer used solely for voice calls, text messages and managing personal information; they now perform functions previously thought possible only on desktop or laptop computers, including sending and receiving electronic mail, browsing the web, storing and modifying documents, delivering presentations and remotely accessing data. NIST's Special Publication 800-124 offers guidelines for preserving the usefulness of these tools while mitigating the associated risks:

* Plan for and address security concerns for organization-issued cell phones and PDAs. Addressing these issues from the beginning is easier and more effective than playing catch-up after the devices are already in use.

* Employ appropriate security management practices and controls over handheld devices. The devices should be managed as part of the enterprise's IT assets, including applying security policies, risk assessment and management, configuration management, certification and accreditation, and education.

* Deploy, configure and manage handheld devices in accordance with overall agency security requirements. This includes patching and upgrading, eliminating unneeded services, applying user authentication and access controls, securing data and communications, and performing security testing.

* Maintain the security of handheld devices throughout their lifecycle. This includes user education, device registration, control policies for client software, settings and passwords, policies on the use of communications links and their associated security, and remote diagnostics and auditing of devices on the network.


Meanwhile, the Secure Mobile Environment-Portable Electronic Device (SME-PED) is a developing standard for federal intelligence and defense sector handheld devices, created in a partnership between the National Security Agency (NSA) and General Dynamics. SME-PED smartphones provide users with plug-in radio modules capable of operating on the Code Division Multiple Access (CDMA) cellular networks that operate in the U.S. and on the Global System for Mobile Communications (GSM) standard used by AT&T and T-Mobile, as well as by most mobile network operators worldwide.


Security requirements for using the smartphone on a classified network led to the development of a sophisticated algorithm capable of fitting into the phone's memory: the device has 128 megabytes of flash memory and 64 megabytes in the unclassified module, and 64 megabytes of flash and RAM in the classified module. The smartphone provides a range of features found in commercial smartphones, such as Microsoft Mobile applications, including e-mail, a web browser, chat software and viewers for Excel, PowerPoint and PDF files. Although larger and costlier than most commercial smartphones and PDAs, the new devices will nonetheless likely be attractive to users on classified government networks.