Tutorial: BlackBerry - FISMA Compliance for Government Agencies | Page 2
Blackberry Security Controls
If your agency is a civilian agency, the BlackBerry security controls you'll want to consider are listed in NIST SP 800-53, Rev 2. That document is freely available for anyone to download from NIST's Web site. 800-53, Rev 2 describes which security controls need to be considered and satisfied. The agency security policy should also be reviewed to see whether there are specific policies just for PDAs.
If your agency is a Department of Defense or intelligence agency, it may not allow BlackBerries, or any PDAs, to be used at all. If that is the case, no C&A for BlackBerries is required. If BlackBerries (or other PDAs) are used at DoD or intelligence agencies, the security controls that will need to be considered are those required by the DIACAP, DCID 6/3, ICD 503, NIACAP, or NISCAP processes, though some of these agencies may also mandate use of the 800-53 Rev 2 security controls as well.
The compliance and oversight department can direct the C&A team to the methodology and process from which the mandated security controls are to be obtained.
Questions on BlackBerry C&A That Will Need to be Answered
During your BlackBerry C&A project, many questions will need to be considered and answered. The list below offers a minimum set of questions that should be answered during C&A of the BlackBerry platform:
A Word to the Wise
Agencies that don't identify, document, and test BlackBerry and PDA security controls are in violation of FISMA, and are leaving their agency open to unknown risks. BlackBerries are vulnerable to the same types of security vulnerabilities that most desktop platforms are vulnerable to. Without proper configuration and lockdown, U.S. federal agencies (and private companies) that use BlackBerries are susceptible targets that will eventually be exploited.
BlackBerry Security Resources
There are some excellent resources available to assist agencies in understanding how to ensure that their BlackBerry platform complies with FISMA. Some of these resources include:
Wireless STIG BlackBerry Security Checklist
BlackBerry Enterprise Solution Security
Recommended Security Controls for Federal Information Systems (800-53, Rev 2)
Guidelines on Cell Phone and PDA Security