Your BYOD Framework – A NASA Case Study

Our recent GovLoop report on mobility focused on the importance of centrally managing devices and the impact of mobile in government.

That’s why I was excited to sit in on a BYOD session at FOSE, one of the premiere events to educate government employees and share best practices on government IT. John Sprague, Enterprise Applications Service Executive, NASA Headquarters, talked about the challenges, best practices and provided a great use case of BYOD at NASA, which other agencies could benefit from.

Across all levels of government, agencies are working to understand how to best leverage mobility within the enterprise. For many, mobile presents an unprecedented opportunity to change the way we work, improve efficiencies and reach more employees. But in order to do so, there are many challenges facing government, such as managing:

• Unauthorized devices accessing your network
• Increased risk of information being compromised
• Blending of personal and private data
• Lost or stolen devices

Although these BYOD challenges exist, they can be overcome with smart policy and smart investments. At NASA, Sprague, working in the Office of the CIO, has led an innovative approach to tackling BYOD. And today, NASA is now very close to putting out their new policy.

Starting nearly a year ago, Sprague assembled a team to focus solely on personally owned devices, and create a recommended policy memorandum and changes to existing NASA policies and regulations. The scope of the new BYOD policy covers all the personally owned desktop, laptop, tablet, phones/smartphone and other personal devices within NASA.

In order to create the robust BYOD plan needed at an agency as complex as NASA, Sprague provided the framework he used to champion the BYOD policy. Below I’ve provided a synopsis of his work. It’s something that any agency looking to create a BYOD policy can start with and customize for their specific needs.

Get Executive Buy-In and Build a Coalition

“Something I had that was critical for me was that I had executive sponsorship and buy-in,” said Sprague. Within NASA, Sprague brought together all the key stakeholders to the table, which allowed NASA to fully grasp user needs. Sprague listed the team members to create the BYOD policy:

• NASA Associate CIO for Enterprise Services and Integration Division and the CTO for IT
• Team Champion: End User Service Executive
• Team members: team lead, deputy, representatives from centers, mission directorates, OCIO Innovation and tech division, strategies integration management, security, ICAM, center for informational mobile apps, enterprise service desk, union, office of general counsel and ad-hoc participants

Conduct Stakeholder Status Meetings

Sprague met monthly to coordinate with the various teams working on the project, and to be sure everyone was collaborating and sharing resources to drive an effective policy. This was also important because these meetings allowed teams to work together to understand one of the most essential elements of a BYOD policy – protecting data. “We wanted to make sure the data was secure, no data breaches or vulnerabilities – we had to be sure,” said Sprague. Working with teams, NASA also identified benchmarks, reviewed Mobile Device Management (MDM) and IEEE 802.1x standards to assure security efforts and data protection.

Resource Gathering

Throughout the process, the team did a robust search finding NASA publications and reviewing NIST standards. “We wanted to see what the actual requirement was, and some of those are evolving out there along the way, but the basic issue was that data was always protected for NASA,” said Sprague.

Develop Communications Plan

Once the plan goes live, NASA needs a way to share the policy and let everyone know that the plan is live. “Every NASA employee would get an email with a link to a policy to let them know it’s out,” said Sprague.

Identify Risks

Sprague’s Risk Team created a list of all risks created by adopting BYOD. By knowing what some potential risks may be, you can craft smart policy and be ready for anticipated roadblocks.

Identify Use Cases

Another best practice is to look at how people will actually be using mobile. At NASA, they listed out the common user demographics, and sought to understand their needs. They included:

• Visiting scientist and experts
• Interns
• Vendors
• Employees

NASA also realized they needed a way to look at how the users are accessing networks. They created five buckets to look at:

• Duration
• Vetted identity or not
• Risk levels
• Access and usage patterns
• Data types

Develop Business Cases

Another important element is developing a strong business case for development.

“A lot of research went into [creating a business case], we looked at other business cases from different agencies and companies, we grabbed everything we could that was public and available, and asked other agencies to share theirs, we wanted to make sure our business case was as strong as possible,” said Sprague.

Recommend Infrastructure Changes

“We had a team go off and look at BYOD infrastructure needs, and maybe have a BYOD wireless network, what would that incorporate, what would we need– since we’re spread out all over the world, and what the cost is associated with it,” said Sprague.

Once the policy is out, NASA will also put out a quick BYOD survey, asking questions such as how users want to participate in BYOD, what they want to do with BYOD, the frequency of use, as a means to improve the feedback loop and improve the policy.

Sprague’s presentation provided a great framework for how an organization can begin the discussion around BYOD, and champion mobility in government.

In our latest report, we talk about the power of MDM and how it can help you safely and securely adopt mobility. You can read the report here. And consider joining us next week at our event, we’ve got a great lineup of speakers – so hopefully you can join us. Register here.

Photo Credit: NASA Goddard Space Center Flickr Page Photostream,