GovLoop - Knowledge Network for Government

 

As noted in a recent post, the U.S. Equal Employment Opportunity Commission (EEOC) has implemented a Bring-Your-Own-Device (BYOD) pilot program to meet urgent IT budget challenges. The EEOC, a relatively small agency by federal government standards with scarce IT funds, was one of the first agencies to launch an innovative BYOD pilot. See "BYOD and Beyond" http://www.govloop.com/profiles/blogs/do-you-byod

EEOC's Chief Information Officer, Kimberly Hancher, has been leading the charge. Although the pilot is still in place, CIO Hancher and I discussed some of the key lessons learned thus far. 

So far the pilot appears promising, according to CIO Hancher, as well as to employee participants in the program.

Also see, "EEOC cuts costs with BYOD pilot program"

http://www.govloop.com/profiles/blogs/eeoc-cuts-costs-with-byod-pil...

These preliminary pointers may help other agencies in crafting viable and effective BYOD pilot programs and/or policies of their own.

Lessons Learned


1) Socialize the concept of BYOD within your agency.

Since this is a new concept and the acronym is taking time to be universally recognized, it is advisable to spend time explaining the BYOD concept to the workforce -- including at senior staff meetings and executive council sessions.

Making any major changes in a bureaucracy is never easy. Thus effectively communicating IT concepts to agency leadership is key to moving forward. Agency leaders must be on the same page and have a comprehensive understanding of cost savings and other benefits -- not to mention IT logistical issues.


2) Work with your agency’s Legal Counsel and union early in the process.

Allow input on the BYOD program and policies from leadership officials. This is key to building consensus. To paraphrase President LBJ, it's better to have them inside the tent dishing out, than outside the tent dishing in.

3) Select the most important security features for implementation.

Work to identify the Top 10 security settings or policies, implement them carefully, then cycle back to identify additional security measures after the first set are completed.  Also see 5) below...

4) Create an "Acceptable Behavior Policy"

Have documented rules for what employees can and can't do with Government data on personally-owned devices. Also, employees must agree to let agencies examine those devices should it become necessary.

5) Install necessary software to manage security settings

This is an important extension of 3) above. Under the EEOC pilot program, employees who want to use their own smartphone for official work purposes must agree to have third-party software installed. This allows the agency to manage security settings on the devices and remotely wipe devices clean of government emails and data if they are lost or stolen. But for those who love their smartphones and tablets, it appears to be a fair tradeoff for now.

  

DBG

*** All views and opinions expressed herein are those of the author only.

 

 

 


Comment by David B. Grinberg on December 19, 2012 at 3:48pm

Paul, per your question I suggest checking out the following GovLoop discussions and blogs here.  I hope this helps. 

 

Comment by Paul Alberti on December 18, 2012 at 11:45am

I am doing some initial research in HR's role in a BYOD environment.  Does anyone have any input, policy docs, lessons learned?  If people tend to work extra hours, work over vacation time, what are the HR implications - if any?

Comment by Julie Chase on November 19, 2012 at 4:30pm

I read the report on Government Executive.  Interesting to know that I am not alone in my thoughts on BYOD.  I brought this up at work last week in a group at lunch.  And rolling eyes and waving of hands told me all I needed to know.  It was unanimous.  The entire group nixed the idea.

Comment by David B. Grinberg on November 15, 2012 at 5:51pm

GovExec.com reports AGAIN on GovLoop BYOD report and related GovLoop discussion...

BrittanyB. writes in the "Wired Workplace" column: 

"There’s an interesting conversation going on at GovLoop about the blog post I wrote late last month on GovLoop’s recent report on bring your own device, or BYOD, policies and the ability of such policies to enable cost savings and boost employee productivity.  One of the major drivers of BYOD is the potential cost savings for federal agencies. At the same time, agencies face a major hurdle in determining how to reimburse federal employees to ensure they are not personally incurring the cost of increased data usage from work-related activities.  GovLoop Community Manager Andrew Krzmarzick notes in the report that agencies might consider overcoming this hurdle by looking at other ways in which government reimburses employees."

Comment by David B. Grinberg on November 15, 2012 at 12:32pm

Thanks, Steve. 

Yes, GovLoop's BYOD report is nothing short of totally AWESOME and a must-read for anyone interested in this trending IT topic.

Government Executive recently had a nice article featuring GovLoop's BYOD survey. In short, the GovLoop team rocks!!!

DBG

Comment by GovLoop on November 15, 2012 at 11:48am

For a ton of great info on BYOD use in the public sector, check out GovLoop's report, "Exploring Bring Your Own Device in the Public Sector."

Comment by David B. Grinberg on August 23, 2012 at 5:35pm

Below is the full text of the EEOC case study on BYOD, as contained in the new White House guidance issued earlier today:

U.S. Equal Employment Opportunity Commission (EEOC) BYOD Pilot
Transitioning from Blackberry Usage to Bring-Your-Own-Device
http://www.whitehouse.gov/digitalgov/bring-your-own-device#eeoc

 

Kimberly Hancher
Chief Information Officer
U.S. Equal Employment Opportunity Commission

Executive Summary

The U.S. Equal Employment Opportunity Commission (EEOC) recently implemented a Bring-Your-Own-Device (BYOD) pilot program to meet urgent IT budget challenges. Employees who want to use their own smartphone for official work purposes must agree to have third-party software installed. This allows the agency to manage security settings on the devices and remotely wipe devices clean of government emails and data if they are lost or stolen.

The EEOC is among the first Federal agencies to implement a BYOD pilot and the preliminary results appear promising. Last year, the EEOC was paying $800,000 for its Government issued BlackBerry devices. Subsequently, the EEOC’s FY2012 IT budget was cut from $17.6 million to $15 million, nearly a 15% reduction. The EEOC’s Chief Information Officer, Kimberly Hancher, significantly reduced contractor services, eliminated some software maintenance, and slashed the agency’s budget for mobile devices -- leaving only $400,000 allocated for Fiscal Year 2012. Along with the other cost reduction measures, CIO Hancher took the issue to the agency’s IT Investment Review Board. She suggested a two-pronged approach to cost reduction:

1) Optimize rate plans for agency provided mobile devices, and
2) Implement a BYOD pilot program.

In November 2011, EEOC’s IT staff pressed the wireless carrier, a GSA Networx contract provider, to help cut costs or risk losing the EEOC’s BlackBerry business. Although the carrier was initially reluctant to work expeditiously, the EEOC stood firm in pursuing rate plan optimization. Zero-use devices were eliminated and all remaining devices were moved to a bundled rate plan with shared minutes. FY 2012 costs were reduced by roughly $240,000 through these actions.

The next step was to launch a BYOD pilot program focused on enticing current users of Government provided BlackBerry devices to opt out. For months, EEOC’s Hancher worked with information security staff, agency attorneys and the employees’ union to draft rules that balanced employee privacy and Government security. By June 2012 many BlackBerry users “opted out” and voluntarily joined the BYOD pilot program.

EEOC’s BYOD pilot focused on providing employees with access to agency email, calendars, contacts and tasks. With the mobile device management software, employees may read and write emails with or without Internet connectivity. A few senior executives who own Apple iPads will be provided "privileged" access to the agency’s internal systems through the secure Virtual Private Network (VPN).

BYOD Challenge

The EEOC’s BYOD program grew out of the necessity of meeting new budget challenges with limited resources. The agency was faced with a 15 percent reduction in its IT operating budget for FY 2012. At first, it was not evident there was much room for needed cuts. Therefore, EEOC decided to conduct research into how employees were using their agency-issued Blackberry devices – and the results were surprising:

“Seventy-five percent of our users never made phone calls from their BlackBerrys,” according to Hancher. “Email is the killer app. They either used the phone on their desk or they used their personal cell phone to make calls because it’s just easier. We also found there were a number of zero-use devices. People have them parked in their desk drawer, and the only time they use it is when they travel.”

During the first quarter of FY 2012, initial efforts went into cutting the recurring costs of the nearly 550 agency-issued Blackberry devices. After conducting an analysis of device usage, the EEOC swiftly submitted orders to the carrier eliminating zero-use devices, demanded that disconnect orders were promptly terminated, and called for remaining Government devices to be moved to a bundled plan with shared voice minutes and unlimited data.

In December 2011, the EEOC launched the first official phase of its BYOD pilot. A BYOD advisory group was created to help the Office of Information Technology flesh out the new program. The advisory group was asked to identify cloud providers for mobile device management, identify security risks, research privacy concerns, draft Rules of Behavior, and create an internal website on the agency’s intranet. The advisory group worked for months to socialize the concept of BYOD within the agency’s workforce. In turn, nearly 40 employees volunteered to exchange EEOC-issued BlackBerry devices in favor of using their own personal smartphones.

Alpha Phase

During the alpha phase of the BYOD pilot, the EEOC’s IT group worked with the mobile device management cloud provider to configure the exchange of electronic mail between the providers’ host and the EEOC’s email gateway. The IT staff was enthusiastic about the transition to a cloud provider, having managed the agency’s BlackBerry Enterprise Services (BES) for many years. The cloud provider would assist with setup, configuration and end-user support. Under the BYOD pilot, the cloud provider conducts all technical support for pilot participants with iOS devices (iPhone and iPads), as well as all Android devices (smartphones and tablets). The EEOC decided to use its existing on-premise BES for additional support as needed.

Within the first few months of alpha pilot’s launch, the advisory group reached out to other federal agencies to examine their BYOD programs. The EEOC’s first draft of the BYOD Rules of Behavior was circulated among the advisory group, the technical team and the IT Security Officers.

After a number of revisions, the draft policy was ready to share with the union. The Deputy CIO and Chief IT Security Officer met with the union several times to discuss the issues. Again, the Rules of Behavior document was revised and improved upon. An “expectation of privacy” notice was written in bold on Page 1 of the four-page policy.

In March 2012, the BYOD team solicited feedback from the alpha team. A work breakdown structure was created to guide activities and tasks that needed to be completed before launching the next phase of the pilot -- the beta phase. Then, in June 2012, the EEOC provided several choices for the 468 employees who still used agency-issued BlackBerry devices:

1) Voluntarily return your BlackBerry and bring your own Android, Apple or BlackBerry smartphone or tablet to work.
2) Return your BlackBerry and get a Government-issued cell phone with voice features only.
3) Keep your BlackBerry with the understanding that EEOC does not have replacement devices.

The BYOD pilot is expected to run through September 2012, or longer, depending on the agency’s comfort level that all policy issues have been appropriately addressed. CIO Hancher projects between 10 percent and 30 percent of BlackBerry users will opt in for the BYOD program. The CIO examined incorporating an incentive to opt out, but could not find a precedent for offering a nominal stipend or reimbursement for business expenses and equipment allocation. Therefore, EEOC decided to proceed with the BYOD pilot and to revisit other outstanding issues once Government-wide BYOD guidance was released. In order to protect sensitive corporate data, EEOC is scheduling some BYOD orientation sessions to train its workforce on critical security ramifications and procedures.

One goal of EEOC’s BYOD pilot is to obtain feedback and comment on the first version of the Rules of Behavior. The CIO fully expects modifications to the BYOD policy as the pilot evolves. Some outstanding questions, for example, include whether an enforceable waiver should be added exempting employees from holding the organization accountable. Can the agency offer an equipment allocation or reimbursement for a portion of the data/voice services?

Acceptable Behavior Policy

EEOC is currently in the process of reviewing and revising its Acceptable Behavior Policy for personal mobile devices. The policy document was developed as part of a working group that included the agency's Office of Legal Counsel. Employees who choose to opt into the BYOD program are required to read and sign the policy document first.

CIO Hancher said one thing agencies need to make sure of is that they have documented rules for what employees can and cannot do with Government data on personally-owned devices. Moreover, she said that employees must agree to let agencies examine those devices should it become necessary. EEOC's IT staff is meeting with employees to help decide which device or devices to use and what the likely effects will be. At the current time, personal smartphone devices are the only mobility option for new employees at EEOC.

BYOD Pilot Results

From 2008 to 2011, EEOC's BlackBerry provisioning program grew from about 100 devices to approximately 550 devices. By December 2011 about 23% of the workforce was provided with Government-issued smartphones. Realizing that this pattern was unsustainable, CIO Hancher, with support from the executive leadership and the union, set out to revamp the mobile device program.

The initial alpha pilot was launched with 40 volunteers who turned in their Government BlackBerry in favor of using a personally owned smartphone/tablet (Android, Apple iOS or BlackBerry). EEOC used cloud based, software-as-a-service for wireless synchronization of agency email, calendar and contacts, as well as mobile device management services.

Within the first three months of 2012, the number of BlackBerry devices was cut from 550 to 462 and monthly recurring costs were lowered by 20-30% by optimizing the rate plans. By June 2012, EEOC launched the beta pilot inviting all BlackBerry users to opt in to BYOD and return their BlackBerry. However, EEOC will allow employees to continue using an EEOC provided BlackBerry if they choose not to opt into BYOD.

The current BYOD program requires employees to pay for all voice and data usage, including those for official work purposes. This cost issue may prompt some users to keep the BlackBerry. However, for EEOC’s younger employees, their personal devices appear to be an extension of their personalities, so to speak. For seasoned workers, their personal device allows them to do administrative work from home.

“While I’m not advocating working 24 by 7, it is just more comfortable to sit and do timecard approvals on a Friday night in the comfort of your home instead of during the prime time work day when your attention should be on more complex and business-oriented issues,” said CIO Hancher.

Lessons Learned

1) Socialize the concept of BYOD. Since this is a new concept and the acronym is taking time to be universally recognized, it is advisable to spend time explaining the BYOD concept to the workforce, including at senior staff meetings and executive council sessions.
2) Work with the agency’s Legal Counsel and unions early in the process. Allow input on the BYOD program and policies from leadership officials.
3) Select important security features for implementation. Work to identify prioritized security settings or policies, implement them carefully, then cycle back to identify additional security measures after the first set are completed.

Hardware/Software

1) Notifylink MDM – Cloud provider licensed at $120 per user per year
2) GW Mail and GW calendar – $5 apps available through iTunes and Android Market

Disclaimer:

References to the product and/or service names of the hardware and/or software applications used in this case study do not constitute an endorsement of such hardware and/or software products.
END

--------------------------------------------------------------------------------

Comment by David B. Grinberg on August 10, 2012 at 1:39pm

FYI -- article from Federal Computer Week.  Note -- the reporter got the name wrong for EEOC's CIO -- it's Kimberly Hancher, not "Hencher" -- another small example of sloppy reporting. 

http://fcw.com/articles/2012/08/09/eeoc-byod-kim-hencher.aspx

Comment by David B. Grinberg on August 9, 2012 at 6:03pm

Thanks for your always insightful comments, Peter. Here's some feedback:

1) FYI, I've noticed some lower-grade employees also participating in BYOD -- I assume because the younger generation is usually more deft with the latest mobile devices and often "must" have them.

2) I have not examined whether senior grade-level folks use two devices (one for work and the other for personal use, as you infer), but that's a really good question I will look into. 

3) My understanding about the BYOD pilot at EEOC, at least, is that there IS a strong firewall preventing government IT minders from viewing one's personal use of mobile devices -- but who really knows? 

4) Regarding spyware, I think this will always be a major concern generally. You offer excellent advice on that matter as well. 

Thanks again, Peter, for sharing your intricate knowledge and eye-opening views on this important issue.

Comment by Peter Sperry on August 9, 2012 at 8:34am

I suspect the reason BYOD is more eagerly embraced by senior grades is they can afford to purchase two devices, one for personal use which is kept free of government spyware and one for office use which is expendable if necessary.  Personally, I would be very happy to purchase my own devices with my own money exclusively for office use because I would obtain better, more useful IT equipment; but only if I can maintain a strong firewall between my personal and government systems.  Ideally, one should have a separate laptop/tablet for work and NEVER link it to any truly personal devices.  Also remember that spyware can be transmitted by thumb drives so using one on your personal equipment after having connected it to your government device can result in a nasty surprise.

 

Yes, BYOD is an augmentation of appropriations and a gross violation of appropriations law as laid out in the GAO Redbook, but that may change in the future.   Meanwhile many government agencies seem willing to risk an IG or GAO audit finding.  I've never heard of anyone suffering any career damage from one, so they probably have little to lose.
