Tutorial: BlackBerry - FISMA Compliance for Government Agencies | Page 2

The problem with folding a large BlackBerry deployment into either the enterprise messaging certification and accreditation (C&A) package or the C&A package of the general support system (GSS) is that the BlackBerry-specific security controls may not receive the attention, analysis, and testing needed to evaluate the risk that BlackBerry usage actually poses to the agency.

BlackBerry Security Controls
If your agency is a civilian agency, the BlackBerry security controls you will want to consider are those listed in NIST SP 800-53, Rev 2, which is freely available from NIST's Web site. SP 800-53, Rev 2 describes which security controls must be considered and satisfied. The agency security policy should also be reviewed for any policies that apply specifically to PDAs.

If your agency is a Department of Defense or intelligence agency, it may not allow BlackBerries, or any PDAs, to be used at all. If that is the case, no C&A for BlackBerries is required. If BlackBerries (or other PDAs) are used at DoD or intelligence agencies, the security controls that will need to be considered are those required by the DIACAP, DCID 6/3, ICD 503, NIACAP, or NISCAP processes, though some of these agencies may also mandate the 800-53, Rev 2 security controls.

The compliance and oversight department can tell the C&A team which methodology and process to use as the source of the mandated security controls.

Questions on BlackBerry C&A That Will Need to be Answered
During your BlackBerry C&A project, many questions will need to be considered and answered. The list below is a minimum set of questions that should be answered during C&A of the BlackBerry platform:

  • Which C&A package will BlackBerries be covered in?

  • What are the agency PDA security policies?

  • Are the security policies being followed?

  • Which BlackBerry security controls should be tested?

  • What vulnerabilities exist on your BlackBerry platform?

  • What risk do the BlackBerry vulnerabilities pose to the agency?

  • What are the recommendations for mitigating high-risk BlackBerry vulnerabilities?

    A Word to the Wise
    Agencies that do not identify, document, and test BlackBerry and PDA security controls are in violation of FISMA and are leaving themselves open to unknown risks. BlackBerries are susceptible to the same classes of vulnerabilities that affect most desktop platforms. Without proper configuration and lockdown, U.S. federal agencies (and private companies) that use BlackBerries are targets that will, eventually, be exploited.

    BlackBerry Security Resources
    Some excellent resources are available to help agencies understand how to ensure that their BlackBerry platform complies with FISMA. These include:

    Wireless STIG BlackBerry Security Checklist

    BlackBerry Enterprise Solution Security

    Recommended Security Controls for Federal Information Systems (NIST SP 800-53, Rev 2)

    Guidelines on Cell Phone and PDA Security (NIST SP 800-124)

    FISMA Resources

