Appendix A List of Acronyms

AD

Active Directory

API

Application Programming Interface

ATARC

Advanced Technology Academic Research Center

ATS

App Transport Security

BYOD

Bring Your Own Device

CIS

Center for Internet Security

CN

Common Name

COMSEC

Communications Security

COPE

Corporate-Owned Personally-Enabled

CRADA

Cooperative Research and Development Agreement

DHS

Department of Homeland Security

DN

Distinguished Name

EMM

Enterprise Mobility Management

FIPS

Federal Information Processing Standards

GDPR

General Data Protection Regulation

HTTP

Hypertext Transfer Protocol

HTTPS

Hypertext Transfer Protocol Secure

IBM

International Business Machines

ICS

Industrial Control System

IEC

International Electrotechnical Commission

iOS

iPhone Operating System

IP

Internet Protocol

ISO

International Organization for Standardization

ITL

Information Technology Laboratory

mDL

Mobile Driver’s License

MDM

Mobile Device Management

MSCT

Mobile Services Category Team

MTD

Mobile Threat Defense

NCCoE

National Cybersecurity Center of Excellence

NDES

Network Device Enrollment Service

NIAP

National Information Assurance Partnership

NICE

National Initiative for Cybersecurity Education

NIST

National Institute of Standards and Technology

NISTIR

NIST Interagency Report

OS

Operating System

OWASP

Open Web Application Security Project

PII

Personally Identifiable Information

PRAM

Privacy Risk Assessment Methodology

REST

Representational State Transfer

SCEP

Simple Certificate Enrollment Protocol

SMTP

Simple Mail Transfer Protocol

SP

Special Publication

SSID

Service Set Identifier

Appendix B Glossary

Access Management

Access Management is the set of practices that enables only those permitted the ability to perform an action on a particular resource. The three most common Access Management services you encounter every day, perhaps without realizing it, are Policy Administration, Authentication, and Authorization [B32].

Availability

Ensure that users can access resources through remote access whenever needed [B33].

Bring Your Own Device (BYOD)

A non-organization-controlled telework client device [B33].

Confidentiality

Ensure that remote access communications and stored user data cannot be read by unauthorized parties [B33].

Data Actions

System operations that process personally identifiable information (PII) [B34].

Disassociability

Enabling the processing of PII or events without association to individuals or devices beyond the operational requirements of the system [B34].

Eavesdropping

An attack in which an attacker listens passively to the authentication protocol to capture information which can be used in a subsequent active attack to masquerade as the claimant [B35] (definition located under eavesdropping attack).

Firewall

Firewalls are devices or programs that control the flow of network traffic between networks or hosts that employ differing security postures [B36].

Integrity

Detect any intentional or unintentional changes to remote access communications that occur in transit [B33].

Manageability

Providing the capability for granular administration of PII including alteration, deletion, and selective disclosure [B34].

Mobile Device

A portable computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the devices to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, tablets, and E-readers [B31].

Personally Identifiable Information (PII)

Any information about an individual maintained by an agency, including any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security number, date and place of birth, mother’s maiden name, or biometric records; and any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information [B37] (adapted from Government Accountability Office Report 08-536).

Predictability

Enabling of reliable assumptions by individuals, owners, and operators about PII and its processing by a system [B34].

Privacy Event

The occurrence or potential occurrence of problematic data actions [B2].

Problematic Data Action

A data action that could cause an adverse effect for individuals [B2].

Threat

Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service [B8].

Vulnerability

Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source [B8].

Appendix C References

B1(1,2)

National Institute of Standards and Technology (NIST). NIST Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (Cybersecurity Framework). Apr. 16, 2018. [Online]. Available: https://www.nist.gov/cyberframework.

B2(1,2,3,4)

NIST. NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, Version 1.0 (Privacy Framework). Jan. 16, 2020. [Online]. Available: https://www.nist.gov/privacy-framework.

B3(1,2,3)

W. Newhouse et al., National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication (SP) 800-181 Revision 1, NIST, Gaithersburg, Md., Nov. 2020. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181r1.pdf.

B4

NIST. Risk Management Framework (RMF) Overview. [Online]. Available: https://csrc.nist.gov/projects/risk-management/risk-management-framework-(rmf)-overview.

B5

NIST. Mobile Threat Catalogue. [Online]. Available: https://pages.nist.gov/mobile-threat-catalogue/.

B6

J. Franklin et al., Guidelines for Managing the Security of Mobile Devices in the Enterprise, NIST SP 800-124 Revision 2, NIST, Gaithersburg, Md., May 2023. Available: https://csrc.nist.gov/publications/detail/sp/800-124/rev-2/final.

B7

J. Franklin et al., Mobile Device Security: Cloud and Hybrid Builds, NIST SP 1800-4, NIST, Gaithersburg, Md., Feb. 21, 2019. Available: https://doi.org/10.6028/NIST.SP.1800-4.

B8(1,2,3)

Joint Task Force Transformation Initiative, Guide for Conducting Risk Assessments, NIST SP 800-30 Revision 1, NIST, Gaithersburg, Md., Sept. 2012. Available: https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final.

B9

NIST. NIST Privacy Risk Assessment Methodology. Jan. 16, 2020. [Online]. Available: https://www.nist.gov/privacy-framework/nist-pram.

B10

Joint Task Force, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, NIST SP 800-37 Revision 2, NIST, Gaithersburg, Md., Dec. 2018. Available: https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final.

B11

Open Web Application Security Project (OWASP). “OWASP Mobile Top 10,” [Online]. Available: https://owasp.org/www-project-mobile-top-10/.

B12

NIST. Privacy Engineering Program: Privacy Risk Assessment Methodology, Catalog of Problematic Data Actions and Problems. [Online]. Available: https://www.nist.gov/itl/applied-cybersecurity/privacy-engineering/resources.

B13

Qualcomm. “Mobile Security Solutions.” [Online]. Available: https://www.qualcomm.com/products/features/mobile-security-solutions.

B14

National Information Assurance Partnership (NIAP). U.S. Government Approved Protection Profile—Extended Package for Mobile Device Management Agents Version 3.0. Nov. 21, 2016. [Online]. Available: https://www.niap-ccevs.org/MMO/PP/ep_mdm_agent_v3.0.pdf.

B15

International Business Machines (IBM). About enterprise app wrapping. Last updated Aug. 9, 2022. [Online]. Available: https://www.ibm.com/docs/en/maas360?topic=overview-about-enterprise-app-wrapping.

B16

NIAP. U.S. Government Approved Protection Profile—Module for Virtual Private Network (VPN) Gateways 1.1. July 01, 2020. [Online]. Available: https://www.niap-ccevs.org/Profile/Info.cfm?PPID=449&id=449.

B17

NIAP. U.S. Government Approved Protection Profile—collaborative Protection Profile for Network Devices Version 2.2e. Mar. 27, 2020. [Online]. Available: https://www.niap-ccevs.org/Profile/Info.cfm?PPID=447&id=447.

B18

NIAP. Approved Protection Profiles. [Online]. Available: https://www.niap-ccevs.org/Profile/PP.cfm.

B19

Qualcomm. “Qualcomm Secure Boot and Image Authentication Technical Overview.” [Online]. Available: https://www.qualcomm.com/media/documents/files/secure-boot-and-image-authentication-technical-overview-v1-0.pdf.

B20

Google Android. Android Management API. [Online]. Available: https://developers.google.com/android/management.

B21

Apple Inc. “Preventing Insecure Network Connections.” [Online]. Available: https://developer.apple.com/documentation/security/preventing_insecure_network_connections.

B22

Apple Inc. “Identifying the Source of Blocked Connections.” [Online]. Available: https://developer.apple.com/documentation/security/preventing_insecure_network_connections/identifying_the_source_of_blocked_connections.

B23

Android.com. “Network security configuration.” Dec. 27, 2019. [Online]. Available: https://developer.android.com/training/articles/security-config.

B24

NowSecure.com. “A Security Analyst’s Guide to Network Security Configuration in Android P.” [Online]. Available: https://www.nowsecure.com/blog/2018/08/15/a-security-analysts-guide-to-network-security-configuration-in-android-p/.

B25

Apple Inc. “Overview: Managing Devices & Corporate Data on iOS.” July 2018. [Online]. Available: https://www.apple.com/business/docs/resources/Managing_Devices_and_Corporate_Data_on_iOS.pdf.

B26

Google Android. “Build Android management solutions for enterprises.” [Online]. Available: https://developers.google.com/android/work.

B27

International Business Machines (IBM). “Web Services.” [Online]. Available: https://www.ibm.com/docs/en/maas360?topic=web-services.

B28

IBM. “IBM Community Public Wikis.” [Online]. Available: https://www.ibm.com/developerworks/community/wikis/home?lang=en-us#!/wiki/W0dcb4f3d0760_48cd_9026_a90843b9da06/page/MaaS360%20REST%20API%20Usage.

B29

IBM. “MaaS360 Data Privacy Information.” [Online]. Available: https://www.ibm.com/support/pages/maas360-data-privacy-information.

B30

NIST. Minimum Security Requirements for Federal Information and Information Systems, Federal Information Processing Standards Publication (FIPS) 200, Mar. 2006. Available: https://csrc.nist.gov/publications/detail/fips/200/final.

B31(1,2)

Joint Task Force Transformation Initiative, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53 Revision 4, NIST, Gaithersburg, Md., Apr. 2013 (includes updates as of Jan. 2015). Available: https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final.

B32

IDManagement.gov. “Federal Identity, Credential, and Access Management Architecture.” [Online]. Available: https://arch.idmanagement.gov/services/access/.

B33(1,2,3,4,5)

M. Souppaya and K. Scarfone, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security, NIST SP 800-46 Revision 2, NIST, Gaithersburg, Md., July 2016. Available: https://csrc.nist.gov/publications/detail/sp/800-46/rev-2/final.

B34(1,2,3,4)

S. Brooks et al., An Introduction to Privacy Engineering and Risk Management in Federal Systems, NIST Interagency or Internal Report 8062, Gaithersburg, Md., Jan. 2017. Available: https://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8062.pdf.

B35(1,2)

P. Grassi et al., Digital Identity Guidelines, NIST SP 800-63-3, NIST, Gaithersburg, Md., June 2017. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf.

B36

K. Stouffer et al., Guide to Industrial Control Systems (ICS) Security, NIST SP 800-82 Revision 2, NIST, Gaithersburg, Md., May 2015. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf.

B37

E. McCallister et al., Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), NIST SP 800-122, NIST, Gaithersburg, Md., Apr. 2010. Available: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf.

B38

J. Franklin et al., Mobile Device Security: Corporate-Owned Personally-Enabled (COPE), NIST SP 1800-21, NIST, Gaithersburg, Md., July 22, 2019. Available: https://csrc.nist.gov/News/2019/NIST-Releases-Draft-SP-1800-21-for-Comment.

B39

NIST, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations, NIST SP 800-52 Revision 2, August 2019. [Online]. Available: https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/final.

B40(1,2,3)

Joint Task Force, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53 Revision 5, NIST, Gaithersburg, Md., Sept. 2020. Available: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final.

B41

S. Frankel et al., Guide to SSL VPNs, NIST SP 800-113, NIST, Gaithersburg, Md., July 2008. Available: https://csrc.nist.gov/publications/detail/sp/800-113/final.

B42

M. Souppaya and K. Scarfone, User’s Guide to Telework and Bring Your Own Device (BYOD) Security, NIST SP 800-114 Revision 1, NIST, Gaithersburg, Md., July 2016. Available: https://csrc.nist.gov/publications/detail/sp/800-114/rev-1/final.

B43

M. Ogata et al., Vetting the Security of Mobile Applications, NIST SP 800-163 Revision 1, NIST, Gaithersburg, Md., Apr. 2019. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-163r1.pdf.

B44

NIST, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, NIST SP 800-171 Revision 2, February 2020. [Online]. Available: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final.

B45(1,2)

Center for Internet Security. Center for Internet Security home page. [Online]. Available: https://www.cisecurity.org/.

B46

Executive Office of the President, “Bring Your Own Device: A Toolkit to Support Federal Agencies Implementing Bring Your Own Device (BYOD) Programs,” Aug. 23, 2012. Available: https://obamawhitehouse.archives.gov/digitalgov/bring-your-own-device.

B47

Federal CIO Council and Department of Homeland Security. Mobile Security Reference Architecture Version 1.0. May 23, 2013. [Online]. Available: https://s3.amazonaws.com/sitesusa/wp-content/uploads/sites/1151/2016/10/Mobile-Security-Reference-Architecture.pdf.

B48

Digital Services Advisory Group and Federal Chief Information Officers Council. Government Use of Mobile Technology Barriers, Opportunities, and Gap Analysis. Dec. 2012. [Online]. Available: https://s3.amazonaws.com/sitesusa/wp-content/uploads/sites/1151/2016/10/Government_Mobile_Technology_Barriers_Opportunities_and_Gaps.pdf.

B49(1,2)

International Organization for Standardization. “ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements.” Oct. 2013. [Online]. Available: https://www.iso.org/standard/54534.html.

B50

“Mobile Computing Decision.” [Online]. Available: https://s3.amazonaws.com/sitesusa/wp-content/uploads/sites/1151/2016/10/Mobile-Security-Decision-Framework-Appendix-B.pdf.

B51

Mobile Services Category Team (MSCT) and Advanced Technology Academic Research Center (ATARC). “Navigating the Future of Mobile Services.” Oct. 2017. [Online]. Available: https://atarc.org/wp-content/uploads/2019/01/ATARC-MSCT-Report-Navigating-Future-of-Mobile-Services-2.pdf.

B52

Mobile Services Category Team (MSCT). “Device Procurement and Management Guidance.” Nov. 2016. [Online]. Available: https://hallways.cap.gsa.gov/app/#/gateway/information-technology/4485/mobile-device-procurement-and-management-guidance.

B53

Mobile Services Category Team (MSCT). “Mobile Device Management (MDM), MDM Working Group Document.” Aug. 2017. [Online]. Available: https://s3.amazonaws.com/sitesusa/wp-content/uploads/sites/1197/2017/10/EMM_Deliverable.pdf.

B54

Mobile Services Category Team (MSCT). “Mobile Services Roadmap (MSCT Strategic Approach).” Sept. 23, 2016. [Online]. Available: https://atarc.org/project/mobile-services-roadmap-msct-strategic-approach/.

B55

NIAP. U.S. Government Approved Protection Profile—Extended Package for Mobile Device Management Agents Version 2.0. Dec. 31, 2014. [Online]. Available: https://www.niap-ccevs.org/MMO/PP/pp_mdm_agent_v2.0.pdf.

B56

NIAP. Approved Protection Profiles—Protection Profile for Mobile Device Fundamentals Version 3.1. June 16, 2017. [Online]. Available: https://www.niap-ccevs.org/Profile/Info.cfm?PPID=417&id=417.

B57

NIAP. Approved Protection Profiles—Protection Profile for Mobile Device Management Version 4.0. Apr. 25, 2019. [Online]. Available: https://www.niap-ccevs.org/Profile/Info.cfm?PPID=428&id=428.

B58

NIAP. Product Compliant List. [Online]. Available: https://www.niap-ccevs.org/Product/.

B59

Office of Management and Budget, Category Management Policy 16-3: Improving the Acquisition and Management of Common Information Technology: Mobile Devices and Services, Aug. 4, 2016. Available: https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2016/m_16_20.pdf.

B60

NIST. United States Government Configuration Baseline (in development). [Online]. Available: https://csrc.nist.gov/Projects/United-States-Government-Configuration-Baseline.

B61

Department of Homeland Security (DHS). “DHS S&T Study on Mobile Device Security.” Apr. 2017. [Online]. Available: https://www.dhs.gov/publication/csd-mobile-device-security-study.

B62

NIST, NIST Interagency Report (NISTIR) 8170, Approaches for Federal Agencies to Use the Cybersecurity Framework, Mar. 2020. [Online]. Available: https://nvlpubs.nist.gov/nistpubs/ir/2021/NIST.IR.8170-upd.pdf.

B63

NIST Privacy Framework and Cybersecurity Framework to NIST Special Publication 800-53, Revision 5 Crosswalk. [Online]. Available: https://www.nist.gov/privacy-framework/nist-privacy-framework-and-cybersecurity-framework-nist-special-publication-800-53.

Appendix D Standards and Guidance

The following are references that informed the writing of this publication.

  • National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) Version 1.1 [B1]

  • NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, Version 1.0 (Privacy Framework) [B2]

  • NIST Mobile Threat Catalogue [B5]

  • NIST Risk Management Framework [B4]

  • NIST Special Publication (SP) 1800-4, Mobile Device Security: Cloud and Hybrid Builds [B7]

  • NIST SP 1800-21, Mobile Device Security: Corporate-Owned Personally-Enabled (COPE) [B38]

  • NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments [B8]

  • NIST SP 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy [B10]

  • NIST SP 800-46 Revision 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security [B33]

  • NIST SP 800-52 Revision 2, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations [B39]

  • NIST SP 800-53 Revision 4 (Final), Security and Privacy Controls for Federal Information Systems and Organizations [B31]

  • NIST SP 800-53 Revision 5 (Final), Security and Privacy Controls for Information Systems and Organizations [B40]

  • NIST SP 800-63-3, Digital Identity Guidelines [B35]

  • NIST SP 800-113, Guide to SSL VPNs [B41]

  • NIST SP 800-114 Revision 1, User’s Guide to Telework and Bring Your Own Device (BYOD) Security [B42]

  • NIST SP 800-124 Revision 2, Guidelines for Managing the Security of Mobile Devices in the Enterprise [B6]

  • NIST SP 800-163 Revision 1, Vetting the Security of Mobile Applications [B43]

  • NIST SP 800-171 Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations [B44]

  • NIST SP 800-181, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (2017) [B3]

  • NIST Federal Information Processing Standards Publication (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems [B30]

  • NIST Privacy Risk Assessment Methodology [B9]

  • Center for Internet Security [B45]

  • Executive Office of the President, Bring Your Own Device toolkit [B46]

  • Federal Chief Information Officers Council and Department of Homeland Security Mobile Security Reference Architecture, Version 1.0 [B47]

  • Digital Services Advisory Group and Federal Chief Information Officers Council, Government Use of Mobile Technology Barriers, Opportunities, and Gap Analysis [B48]

  • International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001:2013, “Information technology – Security techniques – Information security management systems – Requirements” [B49]

  • Mobile Computing Decision example case study [B50]

  • MSCT ATARC, “Navigating the Future of Mobile Services,” Working Group Document [B51]

  • MSCT, “Device Procurement and Management Guidance” [B52]

  • MSCT, “Mobile Device Management (MDM),” MDM Working Group Document [B53]

  • MSCT, “Mobile Services Roadmap, MSCT Strategic Approach” [B54]

  • National Information Assurance Partnership (NIAP), U.S. Government Approved Protection Profile—Extended Package for Mobile Device Management Agents Version 2.0 [B55]

  • NIAP, Approved Protection Profiles—Protection Profile for Mobile Device Fundamentals Version 3.1 [B56]

  • NIAP, Approved Protection Profiles—Protection Profile for Mobile Device Management Version 4.0 [B57]

  • NIAP, Product Compliant List [B58]

  • Office of Management and Budget, Category Management Policy 16-3: Improving the Acquisition and Management of Common Information Technology: Mobile Devices and Services [B59]

  • United States Government Configuration Baseline [B60]

  • Department of Homeland Security (DHS), “DHS S&T Study on Mobile Device Security” [B61]

  • NIST Interagency Report (NISTIR) 8170, Approaches for Federal Agencies to Use the Cybersecurity Framework [B62]

Appendix E Example Security Subcategory and Control Map

Using the developed risk information as input, the security characteristics of the example solution were identified. A security control map was developed documenting the example solution’s capabilities against applicable Subcategories from the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (Cybersecurity Framework) [B1]; NIST Special Publication (SP) 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations [B40]; International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001:2013, Information technology – Security techniques – Information security management systems – Requirements [B49]; the Center for Internet Security’s (CIS) control set Version 6 [B45]; and NIST SP 800-181, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (Work Roles from the 2017 version) [B3].

Table E-1 below identifies the security characteristic standards mapping for the products as they were used in the example solution. The products may have additional capabilities that were not used in this example solution, so the mapping should not be read as a complete inventory of the security capabilities these products can address.

Table E-1 Example Solution’s Cybersecurity Standards and Best Practices Mapping

Columns, in order: Specific product used; Function; Applicable NIST Cybersecurity Framework Subcategories; Applicable NIST SP 800-53 Revision 5 Controls; ISO/IEC 27001:2013; CIS 6; Applicable NIST SP 800-181 NICE Framework Work Roles (2017). In the flattened rows below, each product and its function are followed by one or more Subcategories; each Subcategory is followed by its mapped SP 800-53 controls, ISO/IEC 27001:2013 clauses, CIS 6 controls, and NICE work roles, in that column order.

Kryptowire Cloud Service

Application Vetting

ID.RA-1: Asset vulnerabilities are identified and documented.

CA-2, CA-7, CA-8: Assessment, Authorization, and Monitoring

RA-3, RA-5: Risk Assessment

SA-4: Acquisition Process

SI-7: Software, Firmware, and Information Integrity

A.12.6.1: Management of technical vulnerabilities

A.18.2.3: Technical Compliance Review

CSC 4: Continuous Vulnerability Assessment and Remediation

SP-RSK-002: Security Control Assessor

SP-ARC-002: Security Architect

OM-ANA-001: Systems Security Analyst

ID.RA-3: Threats, both internal and external, are identified and documented.

RA-3: Risk Assessment

SI-7: Software, Firmware, and Information Integrity

PM-12: Insider Threat Program

PM-16: Threat Awareness Program

6.1.2: Information security risk assessment

CSC 4: Continuous Vulnerability Assessment and Remediation

SP-RSK-002: Security Control Assessor

OM-ANA-001: Systems Security Analyst

OV-SPP-001: Cyber Workforce Developer and Manager

OV-TEA-001: Cyber Instructional Curriculum Developer

PR-VAM-001: Vulnerability Assessment Analyst

DE.CM-4: Malicious code is detected.

SI-7: Software, Firmware, and Information Integrity

A.12.2.1: Controls Against Malware

CSC 4: Continuous Vulnerability Assessment and Remediation

CSC 7: Email and Web Browser Protections

CSC 8: Malware Defenses

CSC 12: Boundary Defense

PR-CIR-001: Cyber Defense Incident Responder

PR-CDA-001: Cyber Defense Analyst

DE.CM-5: Unauthorized mobile code is detected.

SC-18: Mobile Code

SI-7: Software, Firmware, and Information Integrity

A.12.5.1: Installation of Software on Operational Systems

A.12.6.2: Restrictions on Software Installation

CSC 7: Email and Web Browser Protections

CSC 8: Malware Defenses

PR-CDA-001: Cyber Defense Analyst

SP-DEV-002: Secure Software Assessor

Zimperium Console version vGA-4.23.1

Cloud service that complements the zIPS Agent

ID.AM-1: Physical devices and systems within the organization are inventoried.

CM-8: System Component Inventory

PM-5: System Inventory

A.8.1.1: Inventory of Assets

A.8.1.2: Ownership of Assets

CSC 1: Inventory of Authorized and Unauthorized Devices

OM-STS-001: Technical Support Specialist

OM-NET-001: Network Operations Specialist

OM-ADM-001: System Administrator

zIPS agent Version 4.9.2 (iOS), 4.9.2 (Android)

Endpoint security for mobile device threats

ID.AM-2: Software platforms and applications within the organization are inventoried.

CM-8: System Component Inventory

PM-5: System Inventory

A.8.1.1: Inventory of Assets

A.8.1.2: Ownership of Assets

A.12.5.1: Installation of Software on Operational Systems

CSC 2: Inventory of Authorized and Unauthorized Software

SP-DEV-002: Secure Software Assessor

SP-DEV-001: Software Developer

SP-TRD-001: Research and Development Specialist

DE.CM-8: Vulnerability scans are performed.

RA-5: Vulnerability Monitoring and Scanning

A.12.6.1: Management of technical vulnerabilities

CSC 4: Continuous Vulnerability Assessment and Remediation

CSC 20: Penetration Tests and Red Team Exercises

PR-VAM-001: Vulnerability Assessment Analyst

PR-INF-001: Cyber Defense Infrastructure Support Specialist

PR-CDA-001: Cyber Defense Analyst

DE.AE-5: Incident alert thresholds are established.

IR-4: Incident Handling

IR-5: Incident Monitoring

IR-8: Incident Response Plan

A.16.1.4: Assessment of and decision on information security events

CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs

CSC 19: Incident Response and Management

PR-CIR-001: Cyber Defense Incident Responder

AN-TWA-001: Threat/Warning Analyst

DE.CM-5: Unauthorized mobile code is detected.

SC-18: Mobile Code

SI-7: Software, Firmware, and Information Integrity

A.12.5.1: Installation of Software on Operational Systems

A.12.6.2: Restrictions on Software Installation

CSC 7: Email and Web Browser Protections

CSC 8: Malware Defenses

PR-CDA-001: Cyber Defense Analyst

SP-DEV-002: Secure Software Assessor

IBM MaaS360 Mobile Device Management (SaaS) Version 10.73

Enforces organizational mobile endpoint security policy

ID.AM-1: Physical devices and systems within the organization are inventoried.

CM-8: System Component Inventory

PM-5: System Inventory

A.8.1.1: Inventory of Assets

A.8.1.2: Ownership of Assets

CSC 1: Inventory of Authorized and Unauthorized Devices

OM-STS-001: Technical Support Specialist

OM-NET-001: Network Operations Specialist

OM-ADM-001: System Administrator

ID.AM-2: Software platforms and applications within the organization are inventoried.

CM-8: System Component Inventory

PM-5: System Inventory

A.8.1.1: Inventory of Assets

A.8.1.2: Ownership of Assets

A.12.5.1: Installation of Software on Operational Systems

CSC 2: Inventory of Authorized and Unauthorized Software

SP-DEV-002: Secure Software Assessor

SP-DEV-001: Software Developer

SP-TRD-001: Research and Development Specialist

PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes.

AC-3: Access Enforcement

IA-1, IA-2, IA-3, IA-4, IA-5, IA-6, IA-7, IA-8, IA-9, IA-10, IA-11: Identification and Authentication Family

A.9.2.1: User Registration and De-Registration

A.9.2.2: User Access Provisioning

A.9.2.3: Management of Privileged Access Rights

A.9.2.4: Management of Secret Authentication Information of Users

A.9.2.6: Removal or Adjustment of Access Rights

A.9.3.1: Use of Secret Authentication Information

A.9.4.2: Secure logon Procedures

A.9.4.3: Password Management System

CSC 1: Inventory of Authorized and Unauthorized Devices

CSC 5: Controlled Use of Administrative Privileges

CSC 15: Wireless Access Control

CSC 16: Account Monitoring and Control

OV-SPP-002: Cyber Policy and Strategy Planner

OM-ADM-001: System Administrator

OV-MGT-002: Communications Security (COMSEC) Manager

PR.AC-3: Remote access is managed.

AC-1: Access Control Policy and Procedures

AC-17: Remote Access

AC-19: Access Control for Mobile Devices

AC-20: Use of External Systems

SC-15: Collaborative Computing Devices and Applications

A.6.2.1: Mobile Device Policy

A.6.2.2: Teleworking

A.11.2.6: Security of equipment and assets off premises

A.13.1.1: Network Controls

A.13.2.1: Information Transfer Policies and Procedures

CSC 12: Boundary Defense

OV-SPP-002: Cyber Policy and Strategy Planner

OV-MGT-002: Communications Security (COMSEC) Manager

PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions.

AC-1: Access Control Policy and Procedures

AC-3: Access Enforcement

IA-2, IA-4, IA-5: Identification and Authentication

PE-2: Physical Access Authorizations

A.7.1.1: Screening

A.9.2.1: User Registration and De-Registration

CSC 16: Account Monitoring and Control

OV-SPP-002: Cyber Policy and Strategy Planner

OV-MGT-002: Communications Security (COMSEC) Manager

PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained, incorporating security principles (e.g., concept of least functionality).

CM-8: System Component Inventory

SA-10: Developer Configuration Management

A.12.1.2: Change Management

A.12.5.1: Installation of Software on Operational Systems

A.12.6.2: Restrictions on Software Installation

A.14.2.2: System Change Control Procedures

A.14.2.3: Technical Review of Applications After Operating Platform Changes

A.14.2.4: Restrictions on Changes to Software Packages

CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

CSC 9: Limitation and Control of Network Ports, Protocols, and Services

CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

SP-ARC-002: Security Architect

OV-SPP-002: Cyber Policy and Strategy Planner

SP-SYS-001: Information Systems Security Developer

OM-ADM-001: System Administrator

PR-VAM-001: Vulnerability Assessment Analyst

IBM MaaS360 Mobile Device Management Agent Version 3.91.5 (iOS), 6.60 (Android)

Endpoint software that complements the IBM MaaS360 Mobile Device Management console; provides root/jailbreak detection and other functions

PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity.

SC-16: Transmission of Security and Privacy Attributes

SI-7: Software, Firmware, and Information Integrity

A.12.2.1: Controls Against Malware

A.12.5.1: Installation of Software on Operational Systems

A.14.1.2: Securing Application Services on Public Networks

A.14.1.3: Protecting Application Services Transactions

A.14.2.4: Restrictions on Changes to Software Packages

CSC 2: Inventory of Authorized and Unauthorized Software

CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

OV-SPP-002: Cyber Policy and Strategy Planner

SP-ARC-001: Enterprise Architect

Qualcomm (version is mobile device dependent)

Secure boot and image integrity

PR.DS-1: Data-at-rest is protected.

SC-28: Protection of Information at Rest

A.8.2.3: Handling of Assets

CSC 13: Data Protection

CSC 14: Controlled Access Based on the Need to Know

OV-SPP-002: Cyber Policy and Strategy Planner

PR-INF-001: Cyber Defense Infrastructure Support Specialist

OV-LGA-002: Privacy Officer/Privacy Compliance Manager

OV-MGT-002: Communications Security (COMSEC) Manager

PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity.

SA-10(1): Developer Configuration Management

SI-7: Software, Firmware, and Information Integrity

A.12.2.1: Controls Against Malware

A.12.5.1: Installation of Software on Operational Systems

A.14.1.2: Securing Application Services on Public Networks

A.14.1.3: Protecting Application Services Transactions

A.14.2.4: Restrictions on Changes to Software Packages

CSC 2: Inventory of Authorized and Unauthorized Software

CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

OV-SPP-002: Cyber Policy and Strategy Planner

PR-CDA-001: Cyber Defense Analyst

SP-ARC-001: Enterprise Architect

PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity.

SA-10: Developer Configuration Management

SI-7: Software, Firmware, and Information Integrity

A.11.2.4: Equipment maintenance

Not applicable

OM-ADM-001: System Administrator

SP-ARC-001: Enterprise Architect

DE.CM-4: Malicious code is detected.

SC-35: External Malicious Code Identification

SI-7: Software, Firmware, and Information Integrity

A.12.2.1: Controls Against Malware

CSC 4: Continuous Vulnerability Assessment and Remediation

CSC 7: Email and Web Browser Protections

CSC 8: Malware Defenses

CSC 12: Boundary Defense

PR-CDA-001: Cyber Defense Analyst

PR-INF-001: Cyber Defense Infrastructure Support Specialist

Palo Alto Networks PA-220

Enforces network security policy for remote devices

PR.AC-3: Remote access is managed.

AC-1, AC-3: Access Control Policy and Procedures

AC-19: Access Control for Mobile Devices

A.6.2.1: Mobile Device Policy

A.6.2.2: Teleworking

A.11.2.6: Security of equipment and assets off-premises

A.13.1.1: Network Controls

A.13.2.1: Information Transfer Policies and Procedures

CSC 12: Boundary Defense

OV-SPP-002: Cyber Policy and Strategy Planner

OV-MGT-002: Communications Security (COMSEC) Manager

PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation).

AC-3: Access Enforcement

SC-7: Boundary Protection

A.13.1.1: Network Controls

A.13.1.3: Segregation in Networks

A.13.2.1: Information Transfer Policies and Procedures

A.14.1.2: Securing Application Services on Public Networks

A.14.1.3: Protecting Application Services Transactions

CSC 9: Limitation and Control of Network Ports, Protocols, and Services

CSC 14: Controlled Access Based on the Need to Know

CSC 15: Wireless Access Control

CSC 18: Application Software Security

PR-CDA-001: Cyber Defense Analyst

OM-ADM-001: System Administrator

PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions.

AC-3: Access Enforcement

IA-2, IA-4, IA-5, IA-8: Identification and Authentication (Organizational Users)

PE-2: Physical Access Authorizations

PS-3: Personnel Screening

A.7.1.1: Screening

A.9.2.1: User Registration and De-Registration

CSC 16: Account Monitoring and Control

OV-SPP-002: Cyber Policy and Strategy Planner

OV-MGT-002: Communications Security (COMSEC) Manager

PR.DS-2: Data-in-transit is protected.

AC-17(2): Protection of Confidentiality and Integrity Using Encryption

SC-8: Transmission Confidentiality and Integrity

A.8.2.3: Handling of Assets

A.13.1.1: Network Controls

A.13.2.1: Information Transfer Policies and Procedures

A.13.2.3: Electronic Messaging

A.14.1.2: Securing Application Services on Public Networks

A.14.1.3: Protecting Application Services Transactions

CSC 13: Data Protection

CSC 14: Controlled Access Based on the Need to Know

OV-SPP-002: Cyber Policy and Strategy Planner

OV-MGT-002: Communications Security (COMSEC) Manager

OV-LGA-002: Privacy Officer/Privacy Compliance Manager

PR.PT-4: Communications and control networks are protected.

AC-3, AC-4, AC-17, AC-18: Access Control Family

CP-2: Contingency Plan

SC-7, SC-20, SC-21, SC-22, SC-23, SC-24, SC-25, SC-29, SC-32, SC-38, SC-39, SC-40, SC-41, SC-43: System and Communications Protection Family

A.13.1.1: Network Controls

A.13.2.1: Information Transfer Policies and Procedures

A.14.1.3: Protecting Application Services Transactions

CSC 8: Malware Defenses

CSC 12: Boundary Defense

CSC 15: Wireless Access Control

PR-INF-001: Cyber Defense Infrastructure Support Specialist

OV-SPP-002: Cyber Policy and Strategy Planner

PR-CDA-001: Cyber Defense Analyst

Appendix F Example Privacy Subcategory and Control Map

Using the developed privacy information as input, we identified the privacy characteristics of the example solution. We developed a privacy control map documenting the example solution’s capabilities with applicable Functions, Categories, and Subcategories from the National Institute of Standards and Technology (NIST) Privacy Framework [B2]; NIST SP 800-53 Revision 5 [B40]; and NIST SP 800-181, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (Work Roles from the 2017 version) [B3].

The table that follows maps component functions in the build to the related Subcategories in the NIST Privacy Framework as well as to controls in the NIST SP 800-53, Revision 5 controls catalog. Each column maps independently to the build component’s functions and, given the specific capabilities of this mobile device security solution, may differ from other NIST-provided mappings for the Privacy Framework and SP 800-53 revision. For example, build functions may provide additional capabilities beyond what is contemplated by a Privacy Framework Subcategory or that are implemented by additional controls beyond those that NIST identified as an informative reference for the Subcategory.

The table also identifies the privacy characteristic mapping for the products as they were used in the example solution. The products may have additional capabilities that we did not use in this example solution. For that reason, it is recommended that the mapping not be used as a reference for all the privacy capabilities these products may be able to address. The comprehensive mapping of the NIST Privacy Framework to NIST SP 800-53, Revision 5 controls can be found on the NIST Privacy Framework Resource Repository website; an organization whose mobile device security solution differs from this one can use it to determine other controls that are appropriate for its environment [B63].

Table F‑1 Example Solution’s Privacy Standards and Best Practices Mapping

Product

Function

Applicable Privacy Framework Subcategories

Applicable NIST SP 800-53 Revision 5 Privacy-Related Controls

Applicable NIST SP 800-181, NICE Framework Work Roles (2017)

IBM MaaS360

MaaS360 can be used to capture an inventory of the types and number of devices deployed and shows the administrators what data is collected from each enrolled device.

ID.IM-P7: The data processing environment is identified (e.g., geographic location, internal, cloud, third parties).

CM-12: Information Location

CM-13: Data Action Mapping

PM-5(1): System Inventory | Inventory of Personally Identifiable Information

PT-3: Personally Identifiable Information Processing Purposes

RA-3: Risk Assessment

RA-8: Privacy Impact Assessment

OV-LGA-002: Privacy Officer/Privacy Compliance Manager

OV-TEA-001: Cyber Instructional Curriculum Developer

Administrators can view data elements in the administration portal. Users can see collected data within the MaaS360 application on their device. Users are advised about data collection practices in a window during enrollment. Data can be edited and deleted from within the administration console.

CT.DM-P1: Data elements can be accessed for review.

AC-2: Account Management

AC-3: Access Enforcement

AC-3(14): Access Enforcement | Individual Access

PM-21: Accounting of Disclosures

OM-DTA-002: Data Analyst

CT.DM-P3: Data elements can be accessed for alteration.

AC-2: Account Management

AC-3: Access Enforcement

AC-3(14): Access Enforcement | Individual Access

PM-21: Accounting of Disclosures

SI-18: Personally Identifiable Information Quality Operations

OM-DTA-002: Data Analyst

CT.DM-P4: Data elements can be accessed for deletion.

AC-2: Account Management

AC-3: Access Enforcement

SI-18: Personally Identifiable Information Quality Operations

OM-DTA-002: Data Analyst

CT.DM-P5: Data are destroyed according to policy.

MP-6: Media Sanitization

SA-8(33): Security and Privacy Engineering Principles | Minimization

SI-18: Personally Identifiable Information Quality Operations

SR-12: Component Disposal

OM-DTA-002: Data Analyst

CT.DP-P4: System or device configurations permit selective collection or disclosure of data elements.

CM-6: Configuration Settings

SA-8(33): Minimization

SC-42(5): Collection Minimization

SI-12(1): Information Management and Retention | Limit Personally Identifiable Information Elements

OV-LGA-002: Privacy Officer/Privacy Compliance Manager

Devices may be backed up to the cloud.

PR.PO-P3: Backups of information are conducted, maintained, and tested.

CP-4: Contingency Plan Testing

CP-6: Alternate Storage Site

CP-9: System Backup

OM-ADM-001: System Administrator

Devices are issued identity certificates via on-premises certificate infrastructure.

PR.AC-P1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized individuals, processes, and devices.

IA-2: Identification and Authentication (Organizational Users)

IA-3: Device Identification and Authentication

IA-4: Identifier Management

IA-4(4): Identifier Management | Identifier User Status

SP-ARC-002: Security Architect

PR-CDA-001: Cyber Defense Analyst

MaaS360 enforces a device personal identification number for access.

PR.AC-P2: Physical access to data and devices is managed.

PE-2: Physical Access Authorizations

PE-3: Physical Access Control

PE-3(1): System Access

PE-4: Access Control for Transmission

PE-5: Access Control for Output Devices

PE-6: Monitoring Physical Access

PE-18: Location of System Components

PE-20: Asset Monitoring and Tracking

OM-DTA-001: Database Administrator

OM-DTA-002: Data Analyst

PR.DS-P1: Data-at-rest is protected.

MP-2: Media Access

MP-4: Media Storage

PM-5(1): System Inventory | Inventory of Personally Identifiable Information

SC-28: Protection of Information at Rest

OM-DTA-001: Database Administrator

OM-DTA-002: Data Analyst

Data flowing between the device and MaaS360 is encrypted with Transport Layer Security.

PR.DS-P2: Data-in-transit is protected.

PM-5(1): System Inventory | Inventory of Personally Identifiable Information

SC-8: Transmission Confidentiality and Integrity

PR-CIR-001: Cyber Defense Incident Responder

Restrictions are used that prevent data flow between enterprise and personal applications.

PR.DS-P5: Protections against data leaks are implemented.

PM-5(1): System Inventory | Inventory of Personally Identifiable Information

AC-4: Information Flow Enforcement

PR-CIR-001: Cyber Defense Incident Responder

Devices that are jailbroken or otherwise modified beyond original equipment manufacturer status can be detected.

PR.DS-P6: Integrity checking mechanisms are used to verify software, firmware, and information integrity.

PM-22: Personally Identifiable Information Quality Management

SI-7: Software, Firmware, and Information Integrity

SI-18: Personally Identifiable Information Quality Operations

OM-DTA-002: Data Analyst

OM-ANA-001: Systems Security Analyst

Zimperium

Zimperium checks the device for unauthorized modifications.

PR.DS-P1: Data-at-rest is protected.

PM-5(1): System Inventory | Inventory of Personally Identifiable Information

SC-28: Protection of Information at Rest

SP-ARC-002: Security Architect

PR-CDA-001: Cyber Defense Analyst

PR.DS-P2: Data-in-transit is protected.

PM-5(1): System Inventory | Inventory of Personally Identifiable Information

SC-8: Transmission Confidentiality and Integrity

SC-11: Trusted Path

OM-DTA-002: Data Analyst

OM-ANA-001: Systems Security Analyst

PR.DS-P6: Integrity checking mechanisms are used to verify software, firmware, and information integrity.

PM-22: Personally Identifiable Information Quality Management

SC-16: Transmission of Security Attributes

SI-7: Software, Firmware, and Information Integrity

SI-10: Information Input Validation

SI-18: Personally Identifiable Information Quality Operations

OM-DTA-002: Data Analyst

OM-ANA-001: Systems Security Analyst

Kryptowire (now known as Quokka)

Kryptowire can identify applications that do not use best practices, such as lack of encryption or hardcoded credentials.

CM.AW-P1: Mechanisms (e.g., notices, internal or public reports) for communicating data processing purposes, practices, associated privacy risks, and options for enabling individuals’ data processing preferences and requests are established and in place.

AC-8: System Use Notification

SP-ARC-002: Security Architect

PR-CDA-001: Cyber Defense Analyst

CM.AW-P3: System/product/service design enables data processing visibility.

PL-8: Security and Privacy Architecture

PM-5(1): System Inventory | Inventory of Personally Identifiable Information

SP-ARC-002: Security Architect

PR-CDA-001: Cyber Defense Analyst

CM.AW-P6: Data provenance and lineage are maintained and can be accessed for review or transmission/disclosure.

AC-16: Security and Privacy Attributes

SC-16: Transmission of Security Attributes

SP-ARC-002: Security Architect

PR-CDA-001: Cyber Defense Analyst

PR.DS-P1: Data-at-rest is protected.

PM-5(1): System Inventory | Inventory of Personally Identifiable Information

SC-28: Protection of Information at Rest

SP-ARC-002: Security Architect

PR-CDA-001: Cyber Defense Analyst

PR.DS-P2: Data-in-transit is protected.

PM-5(1): System Inventory | Inventory of Personally Identifiable Information

SC-8: Transmission Confidentiality and Integrity

SC-11: Trusted Path

SP-ARC-002: Security Architect

PR-CDA-001: Cyber Defense Analyst

Palo Alto Networks PA-220

Provides firewall and virtual private network capabilities.

PR.DS-P2: Data-in-transit is protected.

PM-5(1): System Inventory | Inventory of Personally Identifiable Information

SC-8: Transmission Confidentiality and Integrity

SC-11: Trusted Path

SP-ARC-002: Security Architect

PR-CDA-001: Cyber Defense Analyst

PR.AC-P4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.

AC-2: Account Management

AC-3: Access Enforcement

AC-5: Separation of Duties

AC-6: Least Privilege

AC-24: Access Control Decisions

SP-ARC-002: Security Architect

PR-CDA-001: Cyber Defense Analyst

PR.AC-P5: Network integrity is protected (e.g., network segregation, network segmentation).

AC-4: Information Flow Enforcement

AC-10: Access Control

SC-7: Boundary Protection

SC-10: Network Disconnect

OM-DTA-002: Data Analyst

OM-ANA-001: Systems Security Analyst

PR.PT-P3: Communications and control networks are protected.

AC-12: Session Termination

AC-17: Remote Access

AC-18: Wireless Access

SC-5: Denial of Service Protection

SC-7: Boundary Protection

SC-10: Network Disconnect

SC-11: Trusted Path

SC-21: Secure Name/Address Resolution Service (Recursive or Caching Resolver)

SC-23: Session Authenticity

OV-LGA-002: Privacy Officer/Privacy Compliance Manager

PR-CDA-001: Cyber Defense Analyst

Qualcomm

The trusted execution environment provides data confidentiality and integrity.

PR.DS-P6: Integrity checking mechanisms are used to verify software, firmware, and information integrity.

PM-22: Personally Identifiable Information Quality Management

SC-16: Transmission of Security and Privacy Attributes

SI-7: Software, Firmware, and Information Integrity

SI-10: Information Input Validation

SI-18: Personally Identifiable Information Quality Operations

PR-INF-001: Cyber Defense Infrastructure Support Specialist

OM-ANA-001: Systems Security Analyst