The Federal CIO Council’s Federal Mobility Group (FMG) has released the final version of its in-depth international travel guidance report. The new document details a series of best practices agencies can adopt to safeguard Government-Furnished Equipment (GFE) mobile devices—mobile phones, tablets, and laptop computers—against attacks while in use during travel to foreign countries.
- Mobile devices have evolved to become a critical link between a traveler and their home office, providing them access to business applications and data they would otherwise lack. Ensuring this line of communication is private and secure is imperative to protect the government traveler, hers or his GFE mobile devices as well as the backend enterprise systems that empower mobility.
The new travel guidance is the product of a cooperative effort between FMG and the Education, Energy, Defense, Homeland Security, Interior, Justice, and Treasury departments plus the General Services Administration and National Space and Aeronautics Administration. It also was distributed to industry stakeholders, who provided comment and feedback that were incorporated into the final document.
Titled the International Travel Guidance for Government Mobile Devices, the document outlines best practices for the configuration and use of GFE mobile devices to safeguard government data and information, backend enterprise systems, and users while they are on international travel outside the continental United States (OCONUS), to U.S. territories, and to foreign embassies and consulates located in the U.S., which are considered foreign territory. It outlines physical and cybersecurity threats to GFE; procedures for before, during, and upon completion of travel; and other considerations for GFE users on temporary international travel.
Because of their portability and always-on state, mobile devices are susceptible to compromise, theft, physical damage, and loss, regardless of the user’s location. Use of mobile devices during foreign travel often intensifies this risk. Both government and personal information are at risk, including government and personal user account information, contacts, and application data. Moreover, government and industry employees often are targeted by foreign adversaries seeking to access the government’s confidential data and intellectual property and, in some cases, the personal data of government employees.
Use of mobile devices OCONUS presents additional security risk. If compromised, a device’s camera, microphone, Global Positioning System, functions, and other sensors may be used to eavesdrop on or track the traveler. Once compromised, a mobile device may be used to steal information or attack enterprise IT systems.
The travel guidance document is structured as follows:
- Section 2 provides an overview of roles and responsibilities regarding use of mobile devices during international travel.
- Section 3 informs readers of physical and cybersecurity threats applicable to international travel as background for the best practices discussed in Section 4.
- Section 4 discusses best practices to mitigate the threats discussed in Section 3, organized by procedures for before, during, and upon return from international travel.
- Section 5 summarizes the best practices for each phase of travel.
- Appendix A includes a set of checklists agencies can use for best practices and/or when developing their agency-specific policy.
Additionally, the report recommends extra guidance for high-profile U.S. Government personnel, who are top targets of foreign adversaries and thus should not carry their regular-issued GFE mobile device when traveling internationally. Instead, these personnel should be provided a disposable or loaner commercial mobile device when they travel to a high-threat environment.
The best practices, which mitigate a range of threats that might be encountered in foreign countries, detailed in the newly issued FMG report will help agencies minimize an adversary’s ability to extract sensitive data from GFE mobile devices and limit damage should a device be compromised.
Click here to download a copy of the FMG-developed International Travel Guidance for Government Mobile Devices.