Below is the full text of the EEOC’s case study, part of the official White House guidance on BYOD issued earlier today government-wide as part of the Administration’s new Digital Government Strategy.
U.S. Equal Employment Opportunity Commission BYOD Pilot
Transitioning from BlackBerry Usage to Bring-Your-Own-Device
Chief Information Officer, EEOC
[Note: illustrations & photos added]
The U.S. Equal Employment Opportunity Commission (EEOC) recently implemented a Bring-Your-Own-Device (BYOD) pilot program to meet urgent IT budget challenges. Employees who want to use their own smartphone for official work purposes must agree to have third-party software installed. This allows the agency to manage security settings on the devices and remotely wipe devices clean of government emails and data if they are lost or stolen.
The EEOC is among the first Federal agencies to implement a BYOD pilot and the preliminary results appear promising. Last year, the EEOC was paying $800,000 for its Government-issued BlackBerry devices. Subsequently, the EEOC’s FY2012 IT budget was cut from $17.6 million to $15 million, nearly a 15% reduction. The EEOC’s Chief Information Officer, Kimberly Hancher, significantly reduced contractor services, eliminated some software maintenance, and slashed the agency’s budget for mobile devices — leaving only $400,000 allocated for Fiscal Year 2012. Along with the other cost reduction measures, CIO Hancher took the issue to the agency’s IT Investment Review Board. She suggested a two-pronged approach to cost reduction:
Optimize rate plans for agency provided mobile devices, and
Implement a BYOD pilot program.
In November 2011, EEOC’s IT staff pressed the wireless carrier, a GSA Networx contract provider, to help cut costs or risk losing the EEOC’s BlackBerry business. Although the carrier was initially reluctant to work expeditiously, the EEOC stood firm in pursuing rate plan optimization. Zero-use devices were eliminated and all remaining devices were moved to a bundled rate plan with shared minutes. FY 2012 costs were reduced by roughly $240,000 through these actions.
The next step was to launch a BYOD pilot program focused on enticing current users of Government provided BlackBerry devices to opt out. For months, EEOC’s Hancher worked with information security staff, agency attorneys and the employees’ union to draft rules that balanced employee privacy and Government security. By June 2012 many BlackBerry users “opted out” and voluntarily joined the BYOD pilot program.
EEOC’s BYOD pilot focused on providing employees with access to agency email, calendars, contacts and tasks. With the mobile device management software, employees may read and write emails with or without Internet connectivity. A few senior executives who own Apple iPads will be provided “privileged” access to the agency’s internal systems through the secure Virtual Private Network (VPN).
The EEOC’s BYOD program grew out of the necessity of meeting new budget challenges with limited resources. The agency was faced with a 15 percent reduction in its IT operating budget for FY 2012. At first, it was not evident there was much room for needed cuts. Therefore, EEOC decided to conduct research into how employees were using their agency-issued BlackBerry devices – and the results were surprising:
“Seventy-five percent of our users never made phone calls from their BlackBerrys,” according to Hancher. “Email is the killer app. They either used the phone on their desk or they used their personal cell phone to make calls because it’s just easier. We also found there were a number of zero-use devices. People have them parked in their desk drawer, and the only time they use it is when they travel.”
During the first quarter of FY 2012, initial efforts went into cutting the recurring costs of the nearly 550 agency-issued BlackBerry devices. After conducting an analysis of device usage, the EEOC swiftly submitted orders to the carrier eliminating zero-use devices, demanded that disconnect orders be promptly terminated, and called for remaining Government devices to be moved to a bundled plan with shared voice minutes and unlimited data.
In December 2011, the EEOC launched the first official phase of its BYOD pilot. A BYOD advisory group was created to help the Office of Information Technology flesh out the new program. The advisory group was asked to identify cloud providers for mobile device management, identify security risks, research privacy concerns, draft Rules of Behavior, and create an internal website on the agency’s intranet. The advisory group worked for months to socialize the concept of BYOD within the agency’s workforce. In turn, nearly 40 employees volunteered to exchange EEOC-issued BlackBerry devices in favor of using their own personal smartphones.
During the alpha phase of the BYOD pilot, the EEOC’s IT group worked with the mobile device management cloud provider to configure the exchange of electronic mail between the provider’s host and the EEOC’s email gateway. The IT staff was enthusiastic about the transition to a cloud provider, having managed the agency’s BlackBerry Enterprise Services (BES) for many years. The cloud provider would assist with setup, configuration and end-user support. Under the BYOD pilot, the cloud provider conducts all technical support for pilot participants with iOS devices (iPhones and iPads), as well as all Android devices (smartphones and tablets). The EEOC decided to use its existing on-premise BES for additional support as needed.
Within the first few months of the alpha pilot’s launch, the advisory group reached out to other federal agencies to examine their BYOD programs. The EEOC’s first draft of the BYOD Rules of Behavior was circulated among the advisory group, the technical team and the IT Security Officers.
After a number of revisions, the draft policy was ready to share with the union. The Deputy CIO and Chief IT Security Officer met with the union several times to discuss the issues. Again, the Rules of Behavior document was revised and improved upon. An “expectation of privacy” notice was written in bold on Page 1 of the four-page policy.
In March 2012, the BYOD team solicited feedback from the alpha team. A work breakdown structure was created to guide activities and tasks that needed to be completed before launching the next phase of the pilot — the beta phase.
Then, in June 2012, the EEOC provided several choices for the 468 employees who still used agency-issued BlackBerry devices:
Voluntarily return your BlackBerry and bring your own Android, Apple or BlackBerry smartphone or tablet to work.
Return your BlackBerry and get a Government-issued cell phone with voice features only.
Keep your BlackBerry with the understanding that EEOC does not have replacement devices.
The BYOD pilot is expected to run through September 2012, or longer, depending on the agency’s comfort level that all policy issues have been appropriately addressed. CIO Hancher projects between 10 percent and 30 percent of BlackBerry users will opt in for the BYOD program. The CIO examined incorporating an incentive to opt out, but could not find a precedent for offering a nominal stipend or reimbursement for business expenses and equipment allocation. Therefore, EEOC decided to proceed with the BYOD pilot and to revisit other outstanding issues once Government-wide BYOD guidance was released. In order to protect sensitive corporate data, EEOC is scheduling some BYOD orientation sessions to train its workforce on critical security ramifications and procedures.
One goal of EEOC’s BYOD pilot is to obtain feedback and comment on the first version of the Rules of Behavior. The CIO fully expects modifications to the BYOD policy as the pilot evolves. Some outstanding questions, for example, include whether an enforceable waiver should be added exempting employees from holding the organization accountable. Can the agency offer an equipment allocation or reimbursement for a portion of the data/voice services?
Acceptable Behavior Policy
EEOC is currently in the process of reviewing and revising its Acceptable Behavior Policy for personal mobile devices. The policy document was developed as part of a working group that included the agency’s Office of Legal Counsel. Employees who choose to opt into the BYOD program are required to read and sign the policy document first.
CIO Hancher said one thing agencies need to make sure of is that they have documented rules for what employees can and cannot do with Government data on personally-owned devices. Moreover, she said that employees must agree to let agencies examine those devices should it become necessary. EEOC’s IT staff is meeting with employees to help decide which device or devices to use and what the likely effects will be. At the current time, personal smartphone devices are the only mobility option for new employees at EEOC.
BYOD Pilot Results
From 2008 to 2011, EEOC’s BlackBerry provisioning program grew from about 100 devices to approximately 550 devices. By December 2011 about 23% of the workforce was provided with Government-issued smartphones. Realizing that this pattern was unsustainable, CIO Hancher, with support from the executive leadership and the union, set out to revamp the mobile device program.
The initial alpha pilot was launched with 40 volunteers who turned in their Government BlackBerry in favor of using a personally owned smartphone/tablet (Android, Apple iOS or BlackBerry). EEOC used cloud-based software-as-a-service for wireless synchronization of agency email, calendar and contacts, as well as mobile device management services.
Within the first three months of 2012, the number of BlackBerry devices was cut from 550 to 462 and monthly recurring costs were lowered by 20-30% by optimizing the rate plans. By June 2012, EEOC launched the beta pilot inviting all BlackBerry users to opt in to BYOD and return their BlackBerry. However, EEOC will allow employees to continue using an EEOC provided BlackBerry if they choose not to opt into BYOD.
The current BYOD program requires employees to pay for all voice and data usage, including those for official work purposes. This cost issue may prompt some users to keep the BlackBerry. However, for EEOC’s younger employees, their personal devices appear to be an extension of their personalities, so to speak. For seasoned workers, their personal device allows them to do administrative work from home.
“While I’m not advocating working 24 by 7, it is just more comfortable to sit and do timecard approvals on a Friday night in the comfort of your home instead of during the prime time work day when your attention should be on more complex and business-oriented issues,” said CIO Hancher.
Socialize the concept of BYOD. Since this is a new concept and the acronym is taking time to be universally recognized, it is advisable to spend time explaining the BYOD concept to the workforce, including at senior staff meetings and executive council sessions.
Work with the agency’s Legal Counsel and unions early in the process. Allow input on the BYOD program and policies from leadership officials.
Select important security features for implementation. Work to identify prioritized security settings or policies, implement them carefully, then cycle back to identify additional security measures after the first set are completed.
Notifylink MDM – Cloud provider licensed at $120 per user per year
GW Mail and GW calendar – $5 apps available through iTunes and Android Market
References to the product and/or service names of the hardware and/or software applications used in this case study do not constitute an endorsement of such hardware and/or software products.