Tutorial: BlackBerry - FISMA Compliance for Government Agencies

All U.S. federal agencies are required to comply with the Federal Information Security Management Act (FISMA) of 2002. The process that agencies use to comply with FISMA is known as Certification and Accreditation (C&A). During C&A, an agency has to identify and document the existing security controls, perform a risk analysis to test the controls, and then have an independent set of auditors document their findings. It's a little more involved than that, but that is the short story.

All agency-owned Personal Digital Assistants (PDAs) must be C&Aed along with the rest of the agency's systems and major applications. The PDA/smartphone of choice for the U.S. government is the BlackBerry. Therefore, understanding BlackBerry security controls, threats, and vulnerabilities is essential to all U.S. government agencies.

The set of documents produced during the C&A process is assembled into a package known as the C&A package. An important decision that agencies need to make is which applications and systems are described in which C&A package.

Key questions that need to be answered are: where does one application end and another begin? Where are the boundaries? Who is the business owner? Should BlackBerry security controls be documented and evaluated in a C&A package of their own, in a C&A package with the enterprise messaging application, or in a C&A package with the enterprise general support systems?

While there may be guidelines that individual agencies have on BlackBerry C&A initiatives, the answer to that last question is that from a regulatory perspective it really doesn't matter. BlackBerry security controls can be documented, evaluated, and discussed in any C&A package.

However, what makes sense for one federal agency in handling BlackBerry C&A might not make sense for another agency. Here are some considerations that each agency will want to weigh when planning BlackBerry C&A.

Scoping Your BlackBerry C&A Project
If the agency is relatively small, and there is a small number of BlackBerries in use, it is likely not worth the resources and expense it will take to put together an entire C&A package just for BlackBerries. If you have a small number of BlackBerries, record the security controls, security tests, and findings either in the enterprise messaging application's C&A package or in the General Support Systems (GSS) C&A package.

Agencies with a large number of BlackBerries may want to create a C&A package just for their BlackBerry platform—particularly if numerous features are enabled on the BlackBerries.

Remember, BlackBerries are not just mobile phones—they can hold gigabytes (GB) of information. And they are wireless devices. While they may seem just like an "auxiliary" platform, they are a full featured platform with numerous capabilities, features, and potential vulnerabilities.

It is possible to lock down and disable some BlackBerry features. However, as the number of enabled features goes up, the number of potential vulnerabilities goes up as well.

More BlackBerries, and more enabled features, mean that there is more to consider, more to discuss, and more security controls to test. If the scope of your BlackBerry platform is large (numerous users and many features enabled), it can simplify the C&A to consider the BlackBerry platform in its own C&A package.
