VA looks to establish mobile device management protocols

The Department of Veterans Affairs expects to award a contract for mobile device management software by Sept. 30, enabling the VA to ultimately support up to 100,000 devices and allow employees and clinicians to use their own.

The “bring your own device” (BYOD) policy, however, will set limits regarding data security on personal devices to protect veterans' information, said Roger Baker, the VA's CIO. For example, thousands of medical students who practice annually at VA hospitals will be able to use their own mobile devices if they agree to certain restrictions.

Baker anticipates that the mobile device management (MDM) vendor will be announced next week, coinciding with the end federal fiscal year 2012.

The VA has awarded $500 million in IT contracts in September in order to get in under the fiscal year-end deadline, Baker said during a Sept. 26 briefing with reporters. The VA's external spending for IT in 2012 is between $2.3 billion and $2.5 billion.

The MDM software will be more robust than the mobile manager now in place and will be used across the VA enterprise. Over time, the VA expects the MDM platform to support up to 100,000 bought or brought devices, including Apple iPhones and iPads and other smartphones as they are introduced to the department, in addition to the currently managed Blackberries.

Once the MDM contract is awarded, the VA will consider designating an internal apps store, Baker said.

It’s not clear how many mobile devices the VA will buy, and officials don't expect to limit purchases to one particular brand.

“We will look at the business case for productivity and savings from having mobile devices,” Baker said, adding that “buying the devices has to be driven by the business requirement.” The services behind the device, including the MDM platform, systems and network, are specified and supported by the IT organization.
VA businesses will decide on their own how to use such devices, and whether that is best done through a BYOD or government-purchased program.

“Our major role where the device is concerned is specifying and enforcing information security for the device and the apps. From there, the type of device is so varied that we view it as a business device, not an IT device,” Baker said.

VA employees can already use their own devices to view data through the department’s access gateways. But to get inside the network to download and store information through a BYOD device, the user will need to agree to policies set by the VA's IT department.

With the MDM platform in place, the VA will verify that each device is not running software that could compromise security. According to Baker, a BYOD policy will require that employees:

• Acknowledge if their device has been “jail-broken.” If so, they will be denied access to the network.
• Acknowledge that because the device may at some point have VA information on it, the VA may wipe the device clean if it is determined the information is at risk.
• Agree to rules of behavior when using such devices if they plan to store VA data.
• Agree that the device, if used to store data, can be brought under VA control to verify the safety and uses of that data.

A key issue, Baker said, is the ability to remotely wipe, or erase, any sensitive data on a device. “They may have their iTunes store and the apps they’ve bought on it, so they would be able to reload it, but it will be inconvenient if we have to wipe it to protect VA information,” he said.

“There are a variety of things that 95 percent of the population will say 'that doesn’t bother me at all,' and 5 percent will say, 'no, you’re not going to do that with my device,'” Baker said, adding that it will be critical that “there is clear communication of expectations between (the) VA and the individual relative to what’s going to happen.”