10.8.26 Government Furnished and Personally Owned Mobile Device Security Policy

Manual Transmittal

February 28, 2017

Purpose

(1) This transmits the new IRM 10.8.26, Information Technology (IT) Security, Government Furnished and Personally Owned Mobile Device Security Policy.

Background

Government furnished and non-government furnished/personally owned mobile devices are vulnerable to theft and the loss of all data stored on them, which places the information they contain at risk of disclosure or compromise. Many theft rings operating today at airports, hotels, and other public places target mobile devices. Additionally, the use of mobile devices in public places (e.g., airports, restaurants, conferences, public transportation) and transmitting information through public telecommunications networks, presents a significant risk of unauthorized persons observing and gaining access to the information that is being processed. Therefore, IRS employees, contractors, and volunteers shall abide by all requirements provided within this policy to help protect their government furnished and non-government furnished/personally owned mobile devices, and the information contained on them, from these risks.

The Information Technology (IT) organization has implemented the "Bring Your Own Device" (BYOD) program to permit IRS personnel to use non-government furnished/personally owned mobile devices for business purposes. This program offers the convenience of using an approved non-government furnished/personally owned mobile device to access, process, transmit, or store IRS information. Therefore, those IRS employees who choose to participate in the program shall abide by the requirements specified within this policy. The IRS must be able to ensure that agency data is protected at all places and all times.

Federal Information Processing Standard (FIPS) 200 mandates the use of National Institute of Standards and Technology (NIST) Special Publication 800-53 as an initial set of baseline security controls for the creation of agency IT security policy.

IRM 10.8.26 is part of the Security, Privacy and Assurance policy family, IRM Part 10 series for IRS Information Technology, Cybersecurity.

Material Changes

(1) The previous version of this policy was titled “IT Security, Mobile Computing Device Security Policy”.

(2) This policy has been updated to revise and incorporate requirements for government furnished and non-government furnished/personally owned mobile devices that access, process, transmit, or store IRS information, in support of the Bring Your Own Device (BYOD) program.

(3) Several requirements from obsolete Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) have been removed, relocated to the appropriate Security Control Exhibits or IRM, or replaced where technically feasible.

(4) Interim Guidance Memo IT-10-0115-0001, Security Requirement Exhibits, dated January 15, 2015, has been incorporated and includes security requirements for the approved mobile device technologies which are maintained in an Excel spreadsheet, and accessible on the IRS IT Security Policy SharePoint site. See Exhibit 10.8.26-1, Mobile Device Technical Security Requirements for further guidance.

(5) The following sections have been updated/clarified with this version of policy:

  1. Added the following sections/updated section titles and content:
    - 10.8.26.2.1, Government Furnished Mobile Device Users
    - 10.8.26.2.2, Non-Government Furnished/Personally Owned (BYOD) Mobile Device Users
    - 10.8.26.3.1.1, Access Control for Government Furnished Mobile Devices
    - 10.8.26.3.1.2, Access Control for Non-Government Furnished/Personally Owned (BYOD) Mobile Devices
    - 10.8.26.3.1.4, Access to Sensitive Information (formerly 10.8.26.3.1.2, Sensitive Information)
    - 10.8.26.3.8.1, Travel
    - 10.8.26.3.9.1, Rules of Behavior for Government Furnished Mobile Devices (formerly Rules of Behavior)
    - 10.8.26.3.9.2, Rules of Behavior for BYOD Participants
    - 10.8.26.3.10, PS-6 Access Agreements
    - Exhibit 10.8.26-1, Mobile Device Technical Security Requirements
    - Exhibit 10.8.26-2, Mobile Device Operating System (OS) Configuration Settings
    - Exhibit 10.8.26-3, Glossary and Acronyms
    - Exhibit 10.8.26-4, References

  2. Removed the following sections:
    - IRS Mobile Computing Device Users (formerly 10.8.26.2.1)
    - Wireless Access (formerly 10.8.26.3.1.3)
    - Access Control for Mobile Devices (formerly 10.8.26.3.1.4)
    - 10.8.26.3.11.1, Bluetooth
    - 10.8.26.3.11.2, Public Key Infrastructure (PKI) (Digital Certificates)
    - 10.8.26.3.11.3, Encryption
    - 10.8.26.3.11.4, Network Protection and Design
    - 10.8.26.3.11.5, Wireless Mobile Computing Devices
    - Exhibit 10.8.26-1, Mobile Computing Device Checklists
    - Exhibit 10.8.26-2, Laptops
    - Exhibit 10.8.26-3, Android
    - Exhibit 10.8.26-4, Apple iOS 4
    - Exhibit 10.8.26-5, Apple iOS 5
    - Exhibit 10.8.26-6, Apple iOS 6
    - Exhibit 10.8.26-7, BlackBerry Handheld Software Configuration Settings
    - Exhibit 10.8.26-8, BlackBerry Playbook Tablet
    - Exhibit 10.8.26-9, BlackBerry 10 OS
    - Exhibit 10.8.26-10, BlackBerry Enterprise Server
    - Exhibit 10.8.26-11, Windows Phone
    - Exhibit 10.8.26-12, Good Mobility Suite (GMS) Windows Phone
    - Exhibit 10.8.26-13, Mobile Device Management (MDM)

  3. Restructured the Manual Transmittal, Introductory sections, and Risk Acceptance and Risk-Based Decisions section, as well as the Exhibits, including the Glossary and Acronyms section (now combined) to match standardized Security Policy language.

  4. Updated links throughout the document to reflect new/revised organizational links.

  5. Clarified details in the Roles and Responsibilities section.

(6) Editorial changes (including grammar, spelling, and clarification) were made throughout the IRM.

Effect on Other Documents

IRM 10.8.26 dated August 19, 2014, is superseded. This IRM supersedes all prior versions of IRM 10.8.26, and supplements: IRM 10.8.1, IT Security, Policy and Guidance and IRM 10.8.2, IT Security, IT Security Roles and Responsibilities.

Audience

IRM 10.8.26 applies to and shall be distributed to all employees, contractors, vendors, and volunteers responsible for ensuring the security of government furnished and approved non-government furnished/personally owned (BYOD) mobile devices.

Effective Date

(02-28-2017)

S. Gina Garza
Chief Information Officer

Overview

  1. This IRM establishes policy to implement the minimum security controls required to manage and safeguard government furnished and non-government furnished/personally owned mobile devices that have been approved for use by employees participating in the Bring Your Own Device (BYOD) program, and the data stored on them.

  2. The requirements defined within this IRM are derived from National Institute of Standards and Technology (NIST), Department of the Treasury, Defense Information Systems Agency (DISA), National Security Agency (NSA) and industry best practices. These practices are geared toward providing the IRS with security policies that can satisfy the breadth and depth of mobile device security requirements designed to achieve a minimum level of security assurance within the IRS.

    Note:

    In accordance with IRM 10.8.1, in an effort to reference the origin of a security requirement (NIST, Treasury, etc.), a requirement may have its origin referenced in parenthesis at the end of the requirement; such as (CA-1), (AC-3_T.001), or (IRS-defined).

Purpose

  1. This IRM establishes the minimum baseline security policy and requirements in order to:

    1. Protect the critical infrastructure, including government furnished and approved non-government furnished/personally owned mobile devices, from attacks that exploit IRS assets and other approved devices used to access, process, transmit or store IRS information.

    2. Enable government furnished and approved non-government furnished/personally owned mobile devices that meet the security requirements of this policy, to operate and support the business needs of the organization.

    3. Prevent unauthorized access to government furnished and approved non-government furnished/personally owned mobile devices when being used to access, process, transmit or store IRS information.

  2. This policy provides BYOD program participants with the Rules of Behavior that they shall abide by in order to prevent IRS data from being insecurely stored on a mobile device or carried over an insecure network where it could be subject to unauthorized access or disclosure.

  3. It is acceptable to configure settings to be more restrictive than those defined in this IRM.

  4. To configure less restrictive controls requires a risk-based decision (RBD). See the Risk-Based Decisions section within this IRM for additional guidance.

Authority

  1. IRM 10.8.1, IT Security, Policy and Guidance, establishes the security program and the policy framework for the IRS.

  2. The requirements within this IRM for mobile devices must comply with and supplement the security controls defined in IRM 10.8.1.

Scope

  1. The provisions in this manual apply to:

    1. All offices and business, operating, and functional units within the IRS.

    2. Bring Your Own Device (BYOD) participants, unless otherwise specified as only government furnished mobile devices.

    3. When government furnished or approved non-government furnished/personally owned mobile devices are used to accomplish the IRS mission.

      Note:

      For the purpose of this IRM, laptops are categorized as a mobile device with computing and communication (e.g., wireless, local area network (LAN)) capability, and shall comply with all IRM 10.8.1, TD-P 85-01, and other related IRM policy requirements for mobile devices. (IRS-defined)

    4. Individuals and organizations having contractual arrangements with the IRS, including employees, contractors, vendors, volunteers and outsourcing providers, who use or operate mobile devices that store, process, or transmit IRS information or connect to an IRS network or system.

      Note:

      When the terms "mobile devices" and "mobile device users" are used within this IRM, they refer to both government furnished and approved non-government furnished/personally owned mobile devices and users unless otherwise noted.

    5. All IRS information systems and mobile devices that access, process, transmit, or store classified information. See IRM 10.9.1, National Security Information, for additional procedures for protecting classified information.

Risk Acceptance and Risk-Based Decisions

  1. Any exception to this policy requires that the Authorizing Official (AO) make a Risk-Based Decision (RBD).

  2. RBD requests shall be submitted in accordance with IRM 10.8.1 and use Form 14201, as described in the Risk Acceptance Request and Risk-Based Decision standard operating procedures (SOP), available on the Enterprise Federal Information Security Modernization Act (FISMA) Compliance SharePoint site via the Risk Acceptance Requests link at:
    https://portal.ds.irsnet.gov/sites/CyberSRM/SitePages/RiskDecisions.aspx.

  3. Refer to IRM 10.8.1 for additional guidance about risk acceptance.

Roles and Responsibilities

  1. IRM 10.8.2, IT Security, Roles and Responsibilities, defines IRS-wide roles and responsibilities related to IRS information and computer security, and is the authoritative source for such information.

  2. The supplemental roles and responsibilities provided below are specific to the security of all government furnished and approved non-government furnished/personally owned mobile devices. Refer to IRM 10.8.2 for additional information regarding organizational and individual roles and responsibilities related to information and computer security.

Government Furnished Mobile Device Users

  1. Government furnished mobile device users shall be responsible for ensuring the physical and logical security of their assigned equipment. (IRS-defined)

    Note:

    For example, an employee ensures the logical security of a mobile device by exercising due care to prevent viruses and malware from being installed on it, such as by not opening attachments and documents from untrusted sources (e.g., attachments and documents received in a personal email account).

  2. Managers of employees who have been assigned government furnished mobile devices shall ensure their employees exercise due care in safeguarding these devices and the data they contain. (IRS-defined)

  3. Refer to IRM 10.8.27, Information Technology (IT) Security, Personal Use of Government Furnished Information Technology Equipment and Resources, for guidance pertaining to the prohibited uses of government furnished mobile devices.

Non-Government Furnished/Personally Owned (BYOD) Mobile Device Users

  1. BYOD participants shall: (IRS-defined)

    1. Understand that if their approved non-government furnished/personally owned mobile device is not compliant with IRS security policies, or if it presents any unacceptable risk to the IRS’s networks or data, it will not be allowed to connect to the IRS’s systems.

    2. Consent to remote inspection and monitoring of the IRS-approved mobile access solution (e.g., Good for Enterprise business software) on their approved non-government furnished/personally owned mobile device, using technology centrally managed by IRS IT organization.

    3. Ensure they are the only person who has access to their approved non-government furnished/personally owned mobile devices when being used to view or process IRS information.

    4. Ensure a valid password is successfully entered prior to logging onto the mobile device.

    5. Ensure a valid password is successfully entered prior to logging into the IRS-approved mobile access (e.g., Good for Enterprise business software) solution.

    6. See the Rules of Behavior for BYOD Participants section within this IRM for further requirements when using their approved non-government furnished/personally owned mobile device to access, process, transmit, or store IRS information.

  2. BYOD participants shall not: (IRS-defined)

    1. Use the screen capture function on their mobile device while logged into the IRS-approved mobile access solution (e.g., Good for Enterprise business software).

      Note:

      Using the screen capture function while logged into the IRS-approved mobile access solution (e.g., Good for Enterprise business software), could place IRS sensitive information (e.g., Sensitive But Unclassified (SBU) and Personally Identifiable Information (PII)) at risk of disclosure.

    2. Share their IRS-approved mobile access solution (e.g., Good for Enterprise business software) password with anyone.

IT Security Controls

  1. In accordance with the requirements defined in IRM 10.8.1, this IRM shall be evaluated to ensure consistency with the IRS mission, functions, and associated laws, directives, regulations, and standards.

  2. The IT security controls within this manual provide a range of safeguards and countermeasures for the government furnished and approved non-government furnished/personally owned mobile devices that access, process, transmit, or store IRS information.

  3. The security controls in this IRM supplement the requirements defined in IRM 10.8.1.

  4. Refer to IRM 10.8.1 for further information pertaining to the security controls not addressed within this IRM.

AC - Access Control

  1. Mobile devices connected to IRS networks or processing IRS information shall comply with IRM 10.8.1 and the security requirements of those networks. (IRS-defined)

Access Control for Government Furnished Mobile Devices
  1. Government furnished mobile devices shall not be used by anyone other than authorized personnel (e.g., the person to whom it is assigned, IT personnel performing maintenance/repairs, the manager of the person to whom it is assigned, personnel conducting an official audit). (IRS-defined)

  2. The AO shall ensure that a security risk analysis is performed on a mobile device operating system (OS) application prior to the application being approved for use on a government furnished mobile device. (SRG-MPOL-067)

  3. A risk analysis shall be performed before an application is accredited by the AO, distributed, or installed on a government furnished mobile device. (SRG-MPOL-003; WIR-SPP-021)

  4. Measures shall be taken to ensure that the Instant Messaging (IM) client on government furnished mobile devices connects only to security-compliant, IRS-controlled IM servers. (SRG-MPOL-065; WIR-SPP-009)

  5. All non-core applications on government furnished mobile devices shall be approved by the AO. (SRG-MPOL-066; WIR-SPP-020)

  6. The AO shall verify that local sites where government furnished mobile devices are provisioned, issued, and managed, are conducting annual self-assessments. (SRG-MPOL-046)

  7. The IRS IT organization shall maintain results and mitigation actions, from mobile device integrity validation tool scans on government furnished mobile devices, for a minimum of one (1) year. (SRG-MPOL-048)

  8. The IRS IT organization shall review government furnished mobile device integrity scan results at least daily. (SRG-MPOL-050)

  9. The IRS shall ensure that the Personal Use Policy:

    1. Specifies what types of personal files, if any, are permitted on the government furnished mobile device. Refer to IRM 10.8.27 for additional guidance. (SRG-MPOL-055)

    2. Specifies restrictions on the use of personal email. Refer to IRM 10.8.27 for additional guidance. (SRG-MPOL-056)

    3. Is approved by the AO. (SRG-MPOL-057)

  10. The IRS shall develop policy which ensures that a government furnished mobile device is wiped prior to issuance to IRS personnel. (SRG-MPOL-062)

Access Control for Non-Government Furnished/Personally Owned (BYOD) Mobile Devices
  1. Non-government furnished/personally owned mobile devices shall be required to pass compliance checks performed by the IRS-approved mobile access (e.g., Good for Enterprise business software) solution, prior to being approved for use in the BYOD program. (IRS-defined)

  2. Only approved non-government furnished/personally owned mobile devices shall be permitted to:

    1. Connect to IRS networks. (SRG-MPOL-042)

    2. Process or store IRS sensitive information, including IRS email. (SRG-MPOL-043)

  3. The IRS IT organization shall retain information system connection or processing agreements for non-government furnished/personally owned mobile devices that have been approved for use in the BYOD program. (IRS-defined)

  4. The IRS shall periodically conduct manual audits of approved non-government furnished/personally owned mobile devices to verify that the device is not running unauthorized software and has not otherwise been modified in an unauthorized manner. (SRG-MPOL-045)

Remote Access
  1. The wireless remote access policy shall be signed by the site AO, Director, or other appropriate authority. (IRS-defined)

  2. The IRS wireless policy or wireless remote access policy shall include information on required Commercial Mobile Device (CMD) Wi-Fi security controls. (WIR-SPP-010)

    1. The IRS wireless security policy or wireless remote access policy shall include information on locations where CMD Wi-Fi access is approved or disapproved. The following locations will be specifically listed in the policy:

      • Public Wi-Fi Hotspot

      • Hotel Wi-Fi Hotspot

      • Home Wi-Fi network (user managed)

  3. Remote access shall only be accomplished with a government furnished mobile device via an IRS-approved Virtual Private Network (VPN) solution that uses FIPS 140-2 (or later) validated encryption technology. (IRS-defined)

  4. Remote access with an approved non-government furnished/personally owned mobile device shall only be accomplished using the IRS-approved mobile access (e.g., Good for Enterprise business software) solution. (IRS-defined)

  5. Refer to the Remote Access sections within IRM 10.8.1 and IRM 10.8.40, for additional guidance.

Access to Sensitive Information
  1. Sensitive information (e.g., SBU and PII) shall not be downloaded to mobile devices. (IRS-defined)

    1. Government furnished laptops are the only exception to this requirement.

  2. Sensitive information (e.g., Federal Tax Information (FTI)/6103 information) shall not be viewed or discussed on mobile devices in public places (e.g., airports, coffee shops, hospitals, malls). (IRS-defined)

  3. Sensitive information stored or processed on a government furnished laptop shall be protected with the same requirements as hard-copy documents (e.g., markings, distribution, destruction) and in accordance with the requirements defined within IRM 10.8.1. (IRS-defined)

  4. Mobile devices shall not be used to access, process, transmit, or store classified data. (SRG-MPOL-075)

    1. Government furnished laptops are the only exception to this requirement.

AT - Awareness and Training

  1. All supplemental policies required to implement mobile device security solutions shall be documented and provided to mobile device users. (IRS-defined)

  2. All mobile device users (including BYOD participants) shall receive training on the IRS-approved mobile access solution (e.g., Good for Enterprise business software), and both the permissible and prohibited usage requirements for their mobile devices. The following areas shall be addressed before they are authorized access to an IRS network with a mobile device: (SRG-MPOL-077; WIR-SPP-006-01)

    1. Requirement that approved non-government furnished/personally owned mobile devices are not used to access, process, transmit, or store IRS information unless approved by the AO and the owner signs a forfeiture agreement in case of a security incident.

    2. Procedures for wireless device usage in and around classified processing areas.

    3. Requirement that mobile devices with digital cameras (still and video) are not allowed in any areas where classified documents or information are stored, transmitted, or processed.

    4. Procedures for a data spill.

    5. Requirement that wireless email devices and systems are not used to send, receive, store, or process classified messages.

    6. Requirement that mobile devices will not be connected to classified IRS networks or information systems.

    7. Requirement that a user immediately notifies the appropriate site contacts (e.g., Manager, CSIRC, etc.) when his/her CMD has been lost or stolen.

    8. Secure Bluetooth Smart Card Reader (SCR) usage:
      - Secure pairing procedures.
      - Perform secure pairing immediately after the SCR is reset.
      - Accept only Bluetooth connection requests from devices they control.
      - Monitor Bluetooth connection requests and activity in order to detect possible attacks and unauthorized activity.

    9. Procedures on how to sign and encrypt email.

    10. If Short Message Service (SMS) and/or Multi-media Messaging Service (MMS) are used, Information Assurance (IA) awareness training material should include SMS/MMS security issues.

    11. Requirement that Over-The-Air (OTA) wireless software updates should only come from IRS-approved sources.

    12. When approved non-government furnished/personally owned Wi-Fi Service is used, ensure that the following information is provided:
      - Procedures for setting up a secure Wi-Fi connection and verifying the active connection is to a known access point.
      - Approved connection options (i.e., enterprise, home, etc.).
      - Requirements for home Wi-Fi connections.

    13. Requirement that the Wi-Fi radio shall:
      - Be disabled by the user whenever a Wi-Fi connection is not being used.
      - Never be enabled if the government furnished mobile device is connected to a government furnished PC/laptop. Refer to IRM 10.8.1 for additional guidance.

    14. Do not discuss sensitive or classified information on non-secure cellular phones, cordless phones, or two-way radios used for voice communications (i.e., devices that are not FIPS 140-2 validated or NSA Type 1 certified for voice).

    15. Do not connect mobile devices to any workstation that stores, processes, or transmits classified data. (Exception: SME PED).

    16. The installation of user-owned applications, including geo-location aware applications, on the mobile device. Refer to IRM 10.8.1 for further guidance.

    17. The use of the government furnished mobile device to view and/or download personal email.

    18. The downloading of user-owned data (music files, picture files, etc.) on government furnished mobile devices.

    19. The use of government furnished mobile devices to connect to user social media web accounts. Refer to IRM 10.8.27 for further guidance.

    20. Requirement that when the Bluetooth radio is authorized for use with an approved smartcard reader or hands-free headset, that the user will disable the Bluetooth radio whenever a Bluetooth connection is not being used.

    21. All radios on the government furnished mobile device (Wi-Fi, Bluetooth, near-field communications (NFC)) shall be turned off when not needed.

    22. Procedures on how to disable Location Services on the government furnished mobile device. Location Services shall be disabled for all applications or enabled only for applications approved by the AO for location based services.

    23. Additional BlackBerry requirements:
      i. If the use of the BlackBerry Keeper is approved by the AO, users shall be trained on password configuration and change requirements.
      -- Passwords shall be changed at least every 90 days.
      ii. When a SCR is used with a PC, users with PC administrative rights will not disable the RIM Bluetooth Lockdown tool on the PC.
      iii. When using an approved Bluetooth headset or hands-free device the following procedures will be followed:
      -- The user will pair only an approved device to the BlackBerry handheld.
      -- If the user receives a request for Bluetooth pairing on their BlackBerry handheld from a Bluetooth device other than their smart card reader (PIV reader) or headset, the request will not be accepted by the user.
      -- Pairing of a Bluetooth headset with the BlackBerry handheld will be completed in a non-public area whenever possible.

    24. Additional iOS device (iPhone and iPad) requirements:
      i. Procedures on how to disable the device Bluetooth radio when not being used.
      ii. Procedures on how to disable the device Wi-Fi radio when not being used.
      iii. Procedures on how to disable "Ask to Join Networks" Wi-Fi feature. This feature shall be disabled at all times on a government furnished mobile device.
      iv. iMessage shall be treated as an insecure messaging application, similar to cellular SMS. Sensitive information shall not be sent via iMessage.
      v. Procedures for denying applications access to the mobile device’s PIM data (calendar, address book, etc.) when prompted during application install. The only allowed exception is the IRS-approved mobile access solution (e.g., Good for Enterprise business software).

    25. Additional Android requirements:
      i. Procedures on how to disable the device Bluetooth radio when not being used.
      ii. Procedures on how to disable the device Wi-Fi radio when not being used.

  3. Training material shall be developed that states only IRS-approved non-government furnished/personally owned mobile devices:

    1. Shall be used to send, receive, store, or process sensitive/OUO data and information or connect to IRS networks. (SRG-MPOL-075)

    2. Shall be used to access IRS email systems. (SRG-MPOL-076)

  4. The mobile device management server administrator shall receive required training annually. (SRG-MPOL-078)

    1. The mobile device management server administrator shall receive training on the following:
      i. Administrative service accounts shall not be used to log into the mobile device management server or any server service.
      ii. Activation passwords or PINs. Refer to IRM 10.8.1 for further guidance.
      iii. A new activation password shall be selected each time one is assigned (e.g., the same password cannot be used for all users or for a group of users).
      iv. User and group accounts on the mobile device management server. Refer to IRM 10.8.1 for further guidance.

    2. The mobile device management server administrator training shall be renewed annually. (IRS-defined)

  5. BYOD participants shall be required to take Operational Security (OPSEC) training that provides usage guidelines and vulnerability mitigation techniques for non-government furnished/personally owned mobile devices being used to access IRS networks and data. (SRG-MPOL-079)

  6. The AO shall verify that each mobile device user completes the required mobile device user training annually. (SRG-MPOL-080; WIR-SPP-006-02)

  7. Mobile device users shall receive training on the following required topics before they are authorized to access an IRS network via a wireless remote access device: (IRS-defined)

    1. User authentication and content encryption requirements.

    2. Enabling wireless interfaces only when needed.

    3. Enabling the VPN connection to the IRS network immediately after establishing a wireless connection (using an approved VPN client).

    4. All Internet browsing being done on the IRS network, only after the VPN connection has been established.

    5. No split tunneling of VPN.

    6. Locations where wireless remote access is authorized or not authorized (e.g., home, airport, hotel, etc.).

    7. Wireless client configuration requirements.

    8. Use of WPA2 Personal (AES) on home WLAN.

    9. Home WLAN password and SSID requirements.

    10. Discontinuing the use of devices suspected of being tampered with, and notifying the site AO.

CA - Security Assessment and Authorization (SA&A)

  1. Mobile devices that access, process, transmit, or store IRS information shall:

    1. Be documented in a Security Assessment and Authorization (SA&A) package in accordance with IRM 10.8.1, Treasury Directive Publication (TD-P) 85-01, Department of the Treasury IT Security Program, and NIST Special Publication (SP) 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems. (IRS-defined)

      Note:

      An SA&A is not required for each individual mobile device; however, each mobile device configuration shall go through the SA&A process and be documented in the package.

  2. Mobile devices shall be approved by the AO prior to accessing IRS networks and data. (IRS-defined)

  3. Mobile devices that process SBU and PII are subject to a full security assessment prior to use. (IRS-defined)

    1. Cybersecurity Security Assessment Services (SAS) shall identify any security risk(s) and document the assessment of risk in a Security Assessment Report (SAR).

    2. The AO shall make a determination if the identified risk(s) are acceptable or not.

  4. An authorization process shall be developed and published that describes how approval is obtained before a government furnished mobile device, or a non-government furnished/personally owned mobile device approved for use in the BYOD program, can connect to an IRS information system. (SRG-MPOL-070)

CM - Configuration Management

  1. Configuration management procedures shall be developed for government furnished mobile devices in accordance with IRM 10.8.1 and this IRM. (IRS-defined)

  2. The IRS shall establish and maintain baseline configurations and inventories, including application software, throughout the respective System Development Life Cycle (SDLC) (i.e., IRS Enterprise Lifecycle (ELC)), of government furnished mobile devices that access, process, transmit, or store IRS information.

  3. The IRS shall store and maintain baseline configuration of each CMD, including application software, in accordance with the requirements defined in IRM 10.8.1 and the IRM 2.14, Asset Management series. (SRG-MPOL-047)

  4. The IRS IT organization shall establish SOPs for provisioning government furnished mobile devices prior to issuing them to employees and installing applications on the device. (SRG-MPOL-061)

  5. For guidance on operating system-specific configuration settings, see the Exhibits within this IRM. (IRS-defined)

  6. SCRs used with government furnished mobile devices shall have the IRS-approved software version installed. (IRS-defined)

  7. Government furnished and non-government furnished/personally owned mobile devices shall be set to implement the security requirements within this IRM and IRM 10.8.1. (IRS-defined)

  8. Non-government furnished/personally owned mobile devices that are rooted or jailbroken shall not be permitted. (IRS-defined)

    1. Mobile device management servers shall be configured to detect rooted or jailbroken devices.

    2. Detected rooted or jailbroken devices shall be wiped.

      Note:

      Rooted and jailbroken are terms that describe the process of modifying the mobile device’s operating system, often with the goal of running unsigned code or performing unsupported customizations to the operating system. Unlocking allows users to operate a mobile device on a cellular network it is not authorized to connect to.

IA - Identification and Authentication

  1. Identification and Authentication requirements for mobile devices shall be in accordance with IRM 10.8.1.

  2. Passwords/passcodes shall be created and maintained in accordance with IRM 10.8.1 and the appropriate underlying OS IRM where applicable. (IRS-defined)

  3. Government furnished mobile device users shall be prevented from changing the user profile on their assigned mobile devices. (IRS-defined)

IR - Incident Response

  1. Refer to IRM 10.8.1 for incident response requirements not addressed within this IRM.

Incident Reporting Requirements
  1. Any incident involving the mishandling, tampering, theft, or loss of a government furnished or non-government furnished/personally owned mobile device shall be reported by users immediately to their manager and to the IRS Computer Security Incident Response Center (CSIRC), the enterprise-wide reporting entity. (SRG-MPOL-081)

  2. Employees shall cooperate with CSIRC during the investigation of any incidents reported by them. (TD P 85-01 Vol. I, Section 2.15)

  3. The IRS’s Incident Response Plan shall include response procedures to follow when a mobile device (e.g., smartphones, tablets, laptops, Bring Your Own Device (BYOD)) is reported lost or stolen. (SRG-MPOL-082; WIR-SPP-007-01)

    1. The required response actions shall be followed when a mobile device is reported lost or stolen. (WIR-SPP-007-02)

  4. The IRS shall follow the incident handling policy if PII is found on a mobile device not authorized to process, store, or transmit PII. (SRG-MPOL-052)

  5. The IRS shall establish a Standard Operating Procedure (SOP) for data spills on mobile devices. (SRG-MPOL-053; WIR-SPP-003-01)

    1. If a data spill occurs on a wireless email device or system, the required data spill procedures shall be followed. (WIR-SPP-003-02)

  6. Refer to the following resources for additional incident reporting requirements not addressed within this IRM:

    1. IRM 10.2.8, Physical Security Program, Incident Reporting.

    2. The IRS CSIRC, Cyber Incident Reporting Procedures, at: http://www.csirc.web.irs.gov/reporting/

MP - Media Protection

  1. Government furnished mobile devices with removable memory cards (e.g., MicroSD) shall abide by the following requirements: (IRS-defined)

    1. Data stored on the card shall be encrypted with a FIPS 140-2 (or later) validated encryption technology solution.

    2. The card shall be bound to the mobile device such that it cannot be read by any other mobile device or computer.

  2. BYOD participants shall not store any IRS data on a removable memory card. (IRS-defined)

Sanitization and Disposal
  1. The IRS IT organization shall develop procedures for the sanitization and disposal of government furnished mobile devices. (IRS-defined)

    1. Procedures shall be followed to ensure that all IRS mobile devices that have processed sensitive information are properly disposed of.

    2. Government furnished mobile devices shall be cleansed by utilizing commercial disk-wiping software.

  2. The IRS IT organization shall keep an inventory of all disposed government furnished mobile devices. (IRS-defined)

  3. The IRS IT organization shall develop procedures for the sanitization of non-government furnished/personally owned mobile devices. (IRS-defined)

    1. Procedures shall be followed to ensure that all non-government furnished/personally owned mobile device users have their IRS-approved mobile access solution (e.g., Good for Enterprise business software) user privileges disabled if a security incident occurs, if the employee is no longer participating in the BYOD program, or upon the employee's departure from the agency. (IRS-defined)

  4. The IRS IT organization shall keep an inventory of all non-government furnished/personally owned mobile device users who have had their IRS-approved mobile access solution (e.g., Good for Enterprise business software) user privileges disabled. (IRS-defined)

  5. For all mobile devices, the device manufacturer’s instructions shall be followed for wiping user data from the device memory and the media card. (IRS-defined)

  6. Prior to decommissioning or transfer to another government agency, mobile devices that will no longer be used shall be sanitized, including configuration data, from the host in accordance with IRM 2.14.1, Asset Management, IT Asset Management, IRM 2.7.4, IT Operations, Magnetic Media Management, and IRM 10.8.1. (SRG-MPOL-083; WIR-SPP-004)

    1. A “Wipe” command shall be performed on all new or reissued government furnished mobile devices. (WIR-SPP-008-01)

    2. An IRS security-compliant profile shall be pushed to government furnished mobile devices before issuing them to IRS personnel.

  7. Refer to the Media Sanitization section of IRM 10.8.1, for additional guidance.

PE - Physical and Environmental Protection

  1. At all times, government furnished and non-government furnished/personally owned mobile device users shall: (IRS-defined)

    1. Be responsible for the physical security of their mobile device(s).

    2. Secure their mobile device(s) when not in their possession.

    3. Never leave their powered-on mobile device unlocked when it is not in their presence.

    4. Secure their mobile device(s) (e.g., cable lock, screen lock) from theft or tampering when located in an IRS facility and at an approved telework location (e.g., home).

    5. When traveling, if additional screening is required during the airport screening process, inform the security agent that they cannot be separated from their government furnished mobile device (e.g., laptop) at any time, and that it must be kept in their possession.

  2. The IRS Physical Security organization shall develop and implement procedures for physical mobile device security compliance. (IRS-defined)

  3. Passwords/passcodes, hardware tokens, and/or smart cards shall not be stored on or with a mobile device or laptop, unless encrypted or otherwise under the direct and continuous control of the authorized user. (IRS-defined)

  4. Mobile devices with wireless capability shall be restricted from any area where classified IRS systems process information or where classified information is discussed. (IRS-defined)

  5. When in a secure area, the following procedures shall be applied: (IRS-defined)

    1. Leave mobile devices outside of conference rooms (when possible).

    2. Ensure that all devices, if present, are in airplane mode with Wi-Fi turned off.

    3. Applications that record audio or video shall be removed, or their use restricted.

      Note:

      Recording includes audio recording, not only photo or video recording.

    4. Ensure the camera on the back of the device is blocked (e.g., opaque tape) to prevent photo or video recording.

  6. The IRS shall explicitly specify in each site’s physical security policy whether mobile devices containing cameras (still and video) are permitted or prohibited at that site. (SRG-MPOL-059; WIR-SPP-001)

  7. A list of high risk locations for the usage of mobile devices shall be developed, documented, and provided to security personnel and other applicable IRS personnel. (SRG-MPOL-072)

  8. Inspection and preventative measures shall be applied to mobile devices returning from locations the IRS deems to be of significant risk to IRS information systems. (SRG-MPOL-074)

  9. Refer to IRM 10.8.1, the IRM 10.2.x, Physical Security Program series of IRMs, and IRM 1.4.6, Managers Security Handbook for additional physical and environmental protection security guidance.

≡ ≡ ≡ ≡ ≡
  1. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

  2. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    Note:

    ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

  3. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    1. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    2. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    3. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

      Note:

      ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

  4. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    Note:

    ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    Note:

    ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

  5. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    1. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    2. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    3. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    4. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

      Note:

      ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

  6. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    Note:

    ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

  7. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    Note:

    ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

PL - Security Planning

  1. Refer to IRM 10.8.1 for security planning policy and procedures not addressed within this IRM.

Rules of Behavior for Government Furnished Mobile Devices
  1. Government furnished mobile devices shall not be used to access social media web accounts (Facebook, Twitter, etc.) unless documented in the appropriate security authorization documentation (e.g., System Security Plan (SSP)) and approved by the AO. (SRG-MPOL-077)

  2. Government furnished mobile device users shall not download personally owned data (music files, picture files, etc.) on their assigned device unless approved and documented by the appropriate AO. (SRG-MPOL-077)

  3. Personal email shall not be accessed, viewed, and/or downloaded on government furnished mobile devices unless approved and documented by the appropriate AO. (SRG-MPOL-056)

Rules of Behavior for BYOD Participants
  1. In order to connect a non-government furnished/personally owned mobile device to the IRS network with the capability of backing up, storing, or otherwise accessing IRS data of any type, BYOD participants shall: (IRS-defined)

    1. Understand and acknowledge that they shall comply with all rules and procedures made applicable to its use.

    2. Be responsible for the physical security of their mobile device.

    3. Be responsible for backing up their personal data.

    4. Understand that mobile devices which are not in compliance with IRS security policies or represent any unacceptable risk to the IRS network or data will not be allowed to connect to the IRS systems.

    5. Acknowledge and consent to remote inspection and monitoring of the IRS-approved mobile access solution (e.g., Good for Enterprise business software) on their personally owned mobile device, using technology centrally managed by IRS IT.

    6. Not store, process, access and/or transmit any sensitive taxpayer information (PII or SBU) or federal records, outside of the IRS-approved mobile access solution (e.g., Good for Enterprise business software).

    7. Only access the IRS network and data using their non-government furnished/personally owned mobile device via the IRS-approved mobile access solution (e.g., Good for Enterprise business software).

    8. Acknowledge that their right to use of the IRS-approved mobile access solution (e.g., Good for Enterprise business software) will be limited solely to access and use of IRS system resources.

    9. Agree to the removal of the IRS-approved mobile access solution (e.g., Good for Enterprise business software) from their mobile device if the authorized use is terminated for any reason.

  2. The IRS reserves the right to disconnect any non-government furnished/personally owned mobile device from IRS system resources if the mobile device is used in a way that puts IRS systems or data, or the data of taxpayers or other persons, at an unacceptable risk of harm or disclosure. (IRS-defined)

  3. The Government will not be liable for damages to the BYOD participant’s personal property that may occur during the course of performing IRS-related duties, except to the extent that the Government is held liable under the Federal Tort Claims Act: http://tort.laws.com/federal-tort-claims-act or the Military Personnel and Civilian Employee’s Claims Act: http://www.treasury.gov/about/role-of-treasury/orders-directives/Pages/td32-13.aspx. (IRS-defined)

PS-6 - Access Agreements

  1. Employees shall not be permitted to operate a government furnished or non-government furnished/personally owned mobile device without first signing a user agreement. (SRG-MPOL-086)

RA - Risk Assessment

  1. Risk assessments of mobile devices shall adhere to the requirements of, and be conducted using, this manual, IRM 10.8.1, the security checklists pertaining to this IRM, as well as those of other pertinent IRMs (e.g., operating system, wireless). (IRS-defined)

    1. Any deficiencies in compliance shall be documented in a risk assessment report and brought to the attention of the responsible AO.

  2. For government furnished mobile devices with wireless capabilities, the additional risks, and the corresponding mitigations, associated with use in non-government facilities shall be identified in a risk assessment.

SC - System and Communications Protection

  1. IRS or Treasury-issued software certificates shall not be used for non-government furnished/personally owned mobile devices, unless they have been approved for use in the BYOD program. (SRG-MPOL-058) (IRS-defined)

  2. Mobile devices shall be provisioned with IRS PKI digital certificates, so users can digitally sign and encrypt email notifications or other email messages required by IRS policy. (SRG-MPOL-064; WIR-SPP-011)

    1. Non-government furnished/personally owned mobile devices shall have this capability via the IRS-approved mobile access solution (e.g., Good for Enterprise business software). (IRS-defined)

    2. AO approval shall be obtained prior to the use of software PKI certificates on mobile devices.

SI - System and Information Integrity

  1. Government furnished mobile device users shall not accept over-the-air (OTA) wireless software updates from the wireless carrier or other non-IRS sources unless the updates have been tested and IRS-approved. (SRG-MPOL-063)

    1. Mobile device software updates shall only originate from an approved IRS source. (WIR-SPP-008-02)

  2. Per IRM 10.8.50, IT Security, Servicewide Security Patch Management, security firmware updates and patches to government furnished mobile device hardware and software components shall be fully tested prior to deployment. (IRS-defined)

  3. The IRS shall ensure mobile operating systems, mobile applications, and mobile device management agents on managed mobile devices are updated in accordance with IRM 10.8.1 and IRM 10.8.50 after the updates/patches are available. (SRG-MPOL-069)

≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

  1. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

  2. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    1. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    2. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    3. ≡ ≡ ≡ ≡ ≡ ≡ ≡

    4. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    5. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    6. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    7. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    8. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    9. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    10. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    11. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    12. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    13. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    14. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    15. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

  1. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

  2. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    1. ≡ ≡ ≡ ≡ ≡ ≡

    2. ≡ ≡ ≡ ≡ ≡ ≡

    3. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    4. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    5. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    6. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    7. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    8. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    9. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    10. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    11. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    12. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    13. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    14. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    15. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

    16. ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡ ≡

Glossary and Acronyms

Term Definition or Description
A

Advanced Audio Distribution Profile (A2DP) A Bluetooth profile that allows for the wireless transmission of stereo audio from an A2DP source (typically a phone or computer) to an A2DP receiver (a set of Bluetooth headphones or a stereo system).
Audio/Video Remote Control Profile (AVRCP) A Bluetooth profile that allows Bluetooth devices to control media playback on remote devices.
Authorizing Official (AO) Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to an agency.
B
Biometric Associates, LP (BAL)
Developer of fingerprint identification system modules for biometric smartcards and subsystems.
BIOS (Basic Input/Output System) Software stored on a small memory chip on a computer’s motherboard that loads prior to the operating system and instructs the computer on how to perform a number of basic functions such as booting and keyboard controls.
BlackBerry Enterprise Server (BES) A middleware software package that is part of the BlackBerry wireless platform.
BlackBerry Web Desktop Manager (BWDM) A web application that provides users the ability to connect their BlackBerry devices to their computers using a USB connection or Bluetooth connection.
Bluetooth A wireless protocol developed as a cable replacement to allow equipped devices to communicate with each other within a short distance.
Bring Your Own Device (BYOD) Bring Your Own Device is a concept that allows employees to utilize their personally owned technology devices to stay connected to, access data from, or complete tasks for their organizations. At a minimum, BYOD programs allow users to access employer-provided services and/or data on their personal tablets/eReaders, smartphones, and other devices.
C
Center for Internet Security (CIS)
A nonprofit organization focused on enhancing the cybersecurity readiness and response of public and private sector entities, with commitment to excellence through collaboration.
Commercial Mobile Device (CMD) A subset of Portable Electronic Devices (PEDs) that provides one or more commercial wireless interfaces along with a compact user input interface (Touch Screen, Miniature Keypad, etc.) and excludes PEDs running a multi-user operating system (Windows OS, Mac OS, etc.). This definition includes, but is not limited to smart phones, tablets, and e-readers.
Computer Security Incident Response Center (CSIRC) Responsible for monitoring the IRS network 24 hours a day year-round for cyber attacks and computer vulnerabilities and for responding to various security incidents such as the theft of a laptop computer.
Controlled Unclassified Information (CUI) A category of unclassified information established by a directive issued on May 9, 2008, by President George W. Bush. CUI replaces categories such as For Official Use Only (FOUO), Sensitive But Unclassified (SBU) and Law Enforcement Sensitive (LES). Refers to unclassified information that is to be protected from public disclosure.
D
Data Spill The accidental or deliberate exposure of classified, sensitive or official information into an uncontrolled or unauthorized environment or to persons without a need-to-know. A data spill is sometimes referred to as unintentional information disclosure or a data leak.
Defense Information Systems Agency (DISA) An agency composed of military, federal civilian, and contractor personnel. DISA provides information technology and communications support to the President, the Secretary of Defense, the military services, the combatant commands, and any individual or system contributing to the defense of the United States.
Dynamic Host Configuration Protocol (DHCP) A protocol used by network devices (clients) to obtain the various parameters necessary for the clients to operate in an Internet Protocol (IP) network. By using this protocol, system administration workload greatly decreases, and devices can be added to the network with minimal or no manual configuration.
802.11 An evolving family of specifications for wireless local area networks (WLANs) developed by a working group of the Institute of Electrical and Electronics Engineers (IEEE).
E
Encryption
Any procedure used in cryptography to convert plaintext into ciphertext to prevent anyone but the intended recipient from reading that data.
Enterprise Lifecycle (ELC) The dynamic, iterative process of changing the enterprise over time by incorporating new business processes, new technology, and new capabilities, as well as maintenance, disposition and disposal of existing elements of the enterprise.
Execute Disable Bit (EDB) An Intel hardware-based security feature that can help reduce system exposure to viruses and malicious code. EDB allows the processor to mark areas of memory where application code can or cannot execute. When a malicious worm attempts to insert code into a buffer, the processor disables code execution in that region, preventing damage and worm propagation. To use Execute Disable Bit you must have a PC or server with a processor that supports it and a supporting operating system. Early EDB-enabled Intel processors are indicated by a "J" after the CPU model number. Execute Disable Bit is abbreviated as EDB or XD bit by Intel.
Extensible Authentication Protocol (EAP) An authentication framework frequently used in wireless networks and Point-to-Point connections.
F
Federal Information Processing Standard (FIPS)
Publicly announced standardizations developed by the United States federal government for use in computer systems by all non-military government agencies and by government contractors, when properly invoked and tailored on a contract.
Forfeiture Agreement A contractual agreement where one party may be required to forfeit specified property if the party fails to fulfill its contractual obligations.
G
Global Positioning System (GPS)
A space-based satellite navigation system that provides location and time information in all weather conditions, anywhere on or near the Earth where there is an unobstructed line of sight to four or more GPS satellites.
Good Mobile Control (GMC) Mobile device management from a web-based portal.
Good Mobile Messaging (GMM) Enterprise-class mobile email and personal information management (PIM).
Good Mobility Suite (GMS) A mobility platform that provides robust device management and security, enabling enterprise to easily mobilize email and applications such as instant messaging, intranets, CRM, field service and more.
H
HotSync
The trademark name for linking a Palm handheld device and a computer system to synchronize the two systems. HotSync is performed through the use of a HotSync cable or wireless connection. HotSync automates the synchronization process and exchanges updates and information between the device and computer.
I
IEEE 802.11
A family of IEEE standards that extend the common wired Ethernet local network standard into the wireless domain using the 5 GHz and 2.4 GHz public spectrum bands. It specifies an over-the-air interface between a wireless client and a base station or between two wireless clients. It is commonly referred to as "Wi-Fi" because the "Wi-Fi Alliance" provides certification for 802.11 products.
Information Technology (IT) The application of computers and telecommunications equipment to store, retrieve, transmit and manipulate data, often in the context of a business or other enterprise.
iOS (previously iPhone OS) A mobile operating system developed and distributed by Apple Inc.
J
Jailbreaking
A term that describes the process of modifying the iOS device's operating system, often with the goal of running unsigned code or performing unsupported customizations to the operating system. Unlocking allows users to operate an iOS device on a cellular network it is not authorized to connect to.
L
Light-Emitting Diode (LED)
A semiconductor light source. LEDs are used as indicator lamps in many devices and are increasingly used for general light.
M
Mobile Application Management (MAM)
Describes the software and services responsible for provisioning and controlling access to internally developed and commercially available mobile apps used in business settings on both company-provided and "bring your own" smartphones and tablet computers.
Mobile Devices/ Portable Electronic Devices (PEDs) Mobile devices/portable electronic devices have computing and wireless or Local Area Network (LAN) connectivity capabilities. These include, but are not limited to: laptops with wireless capabilities, cellular/personal communication system devices, audio/video/data recording or playback devices, scanning devices, remote sensors, messaging devices, (for example, Blackberries, Palm Pilots, Pocket PCs, iPhones, iPads), and two-way radios.
Mobile Data System (MDS) A system consisting of a client computer requesting information and a server supplying this information.
Mobile Device Integrity Scanning (MDIS) Used to audit the integrity of mobile devices.
Mobile Device Management (MDM) Software that secures, monitors, manages and supports devices deployed across mobile operators, service providers and enterprises.
Multimedia Messaging Service (MMS) A standard way to send messages that include multimedia content to and from mobile phones.
N
National Institute of Standards and Technology (NIST)
The federal technology agency that works with industry to develop and apply technology, measurements, and standards.
National Security Agency (NSA) Primarily tasked with global monitoring, collection, decoding, translation and analysis of information and data for foreign intelligence and counterintelligence purposes.
O
Operating System (OS)
A collection of software that manages computer hardware resources and provides common service for computer programs.
P
Personal Computer Memory Card International Association (PCMCIA)
An organization consisting of some 500 companies that has developed a standard for small, credit card-sized devices, called PC Cards.
Personally Identifiable Information (PII) All taxpayer information or any combination of information that can be used to uniquely identify, contact, or locate a person. A specific type of sensitive and SBU information that includes the personal information of taxpayers, and the personal information of employees, contractors, applicants, and visitors to the IRS. Examples of PII include, but are not limited to: name; home address; Social Security number; date of birth; home telephone number; biometric data (e.g., height, weight, eye color, fingerprints, etc.); and other numbers or information that alone or in combination with other data can identify an individual.
Public Application Store An app store (application store) is a publicly available online portal through which software programs are made available for procurement and download.
Public Key Infrastructure (PKI) A system of digital certificates, Certificate Authorities, and other registration authorities that verify and authenticate the validity of each party involved in an internet transaction.
R
Radio-Frequency Identification (RFID) The wireless non-contact use of radio-frequency electromagnetic fields to transfer data, for the purpose of automatically identifying and tracking tags attached to objects.
Read-Only Memory (ROM) A class of storage medium used in computers and other electronic devices. Data stored in ROM cannot be modified, or can be modified only slowly or with difficulty, so it is mainly used to distribute firmware (software that is very closely tied to specific hardware, and unlikely to need frequent updates).
Research in Motion (RIM) A Canadian telecommunication and wireless device company best known as the developer of the BlackBerry smartphone.
Risk Based Decision (RBD) Determination of a course of action predicated primarily on the assessment of risk and the expected impact of that course of action on that risk.
S
Sanitization The actions taken to render data written on media unrecoverable by both ordinary and extraordinary means.
Secure Digital (SD) A non-volatile memory card format for use in portable devices, such as mobile phones, digital cameras and GPS navigation devices.
Secure Sockets Layer (SSL) Cryptographic protocols that are designed to provide communication security over the Internet.
Security Assessment Report (SAR) Reflects assessment activities conducted by assessors to determine security control effectiveness based on modifications to the security plan and deployed controls.
Security Assessment Services (SAS) Responsible for identifying any security risk and documenting the assessment of risk in a SAR.
Security Technical Implementation Guide (STIG) A methodology for standardized secure installation and maintenance of computer software and hardware.
Sensitive But Unclassified (SBU) Information Any information that requires protection due to the risk and magnitude of loss or harm to the IRS or to the privacy to which individuals are entitled under 5 U.S.C. § 552a (the Privacy Act), which could result from inadvertent or deliberate disclosure, alteration, or destruction.
Sensitive Information Information in which the loss, misuse, or unauthorized access to, or modification of, could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under 5 U.S.C. § 552a (the Privacy Act), but has not been specifically authorized under criteria established by an Executive Order or an act of Congress to be kept classified in the interest of national defense or foreign policy. Examples of such sensitive information include personal financial information and information that discloses law enforcement investigative methods. Other particular classes of information may have additional statutory limits on disclosure that require that information to also be treated as sensitive. Examples include tax information, which is protected by Section 6103 of the IRC (26 U.S.C. § 6103) and advanced procurement information, protected by the Procurement Integrity Act (41 U.S.C. § 423).
Short Messaging Service (SMS) A text messaging service component of phone, web, or mobile communication systems, using standardized communications protocols that allow the exchange of short text messages between fixed line or mobile phone devices.
Sleep Mode Sleep mode can go by many different names, including Stand By (for Microsoft Windows 98-Server 2003), Sleep (for Mac OS 8-Mac OS X, Windows Vista, Windows 7, Windows Server 2008), and Suspend (Windows 95, Linux). When placed in sleep mode, the computer attempts to cut power to all unneeded parts of the machine, aside from the RAM, which is required to restore the machine's state. Because of the large power savings, most laptops automatically enter this mode when the computer is running on batteries and the lid is closed. If this behavior is undesired, it can be reconfigured in the operating system settings.
Smart Card Reader (SCR) A plastic card about the size of a credit card, with an embedded microchip that can be loaded with data, used for telephone calling, electronic cash payments, and other applications, and then periodically refreshed for additional use.
Smartphone A mobile phone built on a mobile operating system, with more advanced computing capability and connectivity than a feature phone.
Standard Operating Procedures (SOP) Established or prescribed methods to be followed routinely for the performance of designated operations or in designated situations.
Structured Query Language (SQL) A special-purpose programming language designed for managing data held in a relational database management system (RDBMS).
Subscriber Identity Module (SIM) An integrated circuit that securely stores the international mobile subscriber identity (IMSI) and the related key used to identify and authenticate subscribers on mobile telephony devices (such as mobile phones and computers).
System Security Plan (SSP) A formal document that provides an overview of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements.
Systems Development Life Cycle (SDLC) A process of creating or altering information systems, and the models and methodologies that people use to develop these systems.
T
Treasury Directive Publication (TD-P) Documents that provide a baseline of IT security standards that apply to the Department of the Treasury bureaus, departmental offices (DO), Office of the Inspector General (OIG), and the Treasury Inspector General for Tax Administration (TIGTA), hereafter referred to collectively as bureaus.
Treasury Inspector General for Tax Administration (TIGTA) Provides oversight of the Department of Treasury matters involving Internal Revenue Service (IRS) activities, the IRS Oversight Board and the IRS Office of Chief Counsel.
U
Universal Serial Bus (USB) An industry standard developed in the mid-1990s that defines the cables, connectors and communications protocols used in a bus for connection, communication, and power supply between computers and electronic devices.
Unlicensed Mobile Access (UMA) A technology that allows a UMA capable mobile phone to seamlessly switch back and forth between mobile phone networks and local area wireless networks.
User Based Enforcement (UBE) Settings are controlled by the user rather than a security policy server.
V
Virtual Private Network (VPN) A computer network that links two computers or devices through an underlying local or wide area network, while encapsulating the data and keeping it private. It is comparable to a pipe within a pipe. Even though the outer pipe contains the inner one, the inner pipe has a wall that blocks other traffic in the outer pipe from mixing with the inner traffic. To the rest of the network, the VPN traffic just looks like another traffic stream.
Voice over Internet Protocol (VOIP) A methodology and group of technologies for the delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks.
W
Wide Area Network (WAN) A network that covers a broad area (i.e., any telecommunications network that links across metropolitan, regional, or national boundaries) using private or public network transports.
Wi-Fi Protected Access (WPA) A security protocol and security certification program developed by the Wi-Fi Alliance to secure wireless computer networks.
Wireless A technology that enables devices to communicate without physical connections (without requiring network or peripheral cabling).
Wireless Local Area Network (WLAN) Links two or more devices using some wireless distribution method (typically spread-spectrum or OFDM radio), and usually providing a connection through an access point to the wider Internet.

References

Internal Revenue Manuals (IRMs)

  • IRM 1.4.6, Managers Security Handbook.

  • IRM 1.15.6, Records and Information Management, Managing Electronic Records.

  • IRM 2.7.4, IT Operations, Magnetic Media Management.

  • IRM 2.14.x, Asset Management series.

  • IRM 2.14.1, Asset Management, IT Asset Management.

  • IRM 10.2.x, Physical Security Program series.

  • IRM 10.2.1, Physical Security Program, Physical Security.

  • IRM 10.2.8, Physical Security Program, Incident Reporting.

  • IRM 10.2.11, Physical Security Program, Basic Security Concepts.

  • IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance.

  • IRM 10.8.2, Information Technology (IT) Security, Roles and Responsibilities.

  • IRM 10.8.20, Information Technology (IT) Security, Windows Security Policy.

  • IRM 10.8.27, Information Technology (IT) Security, Personal Use of Government Furnished Information Technology Equipment and Resources.

  • IRM 10.8.40, Information Technology (IT) Security, Wireless Security Policy.

  • IRM 10.8.50, Information Technology (IT) Security, Service-wide Security Patch Management.

  • IRM 10.9.1, National Security Information.

  • IRM 10.23.x, Personnel Security series.

Internal Revenue Service (IRS) and Cybersecurity Memoranda

  • IT-10-0115-0001, Interim Guidance - Security Requirement Exhibits, January 15, 2015.

Department of the Treasury Publications

  • Treasury Directive (TD) Publication (P) 15-71, Department of Treasury Security Manual (June 17, 2011).

  • Treasury Directive (TD) Publication (P) 85-01, Treasury Information Technology Security Program, Volume I, Unclassified (Non-National Security) Systems (July 1, 2016).

Office of Management and Budget (OMB) Memorandum

  • Office of Management and Budget (OMB) Memorandum for Chief Acquisition Officers, Revisions to the Federal Acquisition Certification for Contracting Officer’s Representatives (FAC-COR) (September 6, 2011).

National Institute of Standards and Technology (NIST)

  • NIST SP 800-53 Rev 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013.

  • NIST SP 800-77, Guide to IPSec VPNs, December 2005.

  • NIST SP 800-111, Guide to Storage Encryption Technologies for End User Devices, November 2007.

  • NIST SP 800-113, Guide to SSL VPNs, July 2008.

Defense Information Systems Agency (DISA)

  • Defense Information Systems Agency (DISA) Apple iOS 7 Security Technical Implementation Guide (STIG), Version 1, Release 2, October 24, 2014.

  • Defense Information Systems Agency (DISA) Apple iOS 7 Security Technical Implementation Guide (STIG) Configuration Table, Version 1, Release 2, October 24, 2014.

  • Defense Information Systems Agency (DISA) Apple iOS 8 Interim Security Configuration Guide (ISCG), Version 1, Release 1, September 15, 2014.

  • Defense Information Systems Agency (DISA) Apple iOS 8 Interim Security Configuration Guide (ISCG) Configuration Table, Version 1, Release 1, September 15, 2014.

  • Defense Information Systems Agency (DISA) Apple iOS 9 Interim Security Configuration Guide (ISCG), Version 1, Release 1, October 5, 2015.

  • Defense Information Systems Agency (DISA) Apple iOS 9 Interim Security Configuration Guide (ISCG) Configuration Table, Version 1, Release 1, October 5, 2015.

  • Defense Information Systems Agency (DISA) BlackBerry Enterprise Server (BES) 5, Part 1 Security Technical Implementation Guide (STIG), Version 2, Release 8, July 24, 2015.

  • Defense Information Systems Agency (DISA) BlackBerry Enterprise Server (BES) 5, Part 2 Security Technical Implementation Guide (STIG), Version 2, Release 8, July 24, 2015.

  • Defense Information Systems Agency (DISA) BlackBerry Enterprise Server (BES) 5, Part 3 Security Technical Implementation Guide (STIG), Version 2, Release 8, July 24, 2015.

  • Defense Information Systems Agency (DISA) BlackBerry Enterprise Server (BES) 5, Security Technical Implementation Guide (STIG) Configuration Table, Version 2, Release 8, July 24, 2015.

  • Defense Information Systems Agency (DISA) BlackBerry OS 7.x.x, Security Technical Implementation Guide (STIG), Version 2, Release 9, October 23, 2015.

  • Defense Information Systems Agency (DISA) BlackBerry 10.2.x OS Security Technical Implementation Guide (STIG), Version 1, Release 6, July 24, 2015.

  • Defense Information Systems Agency (DISA) BlackBerry Enterprise Service 10.2.x BlackBerry Device Service (BDS) Security Technical Implementation Guide (STIG), Version 1, Release 5, October 23, 2015.

  • Defense Information Systems Agency (DISA) BlackBerry Enterprise Service 10.2.x BlackBerry Device Service (BDS) Security Technical Implementation Guide (STIG) Configuration Table, Version 1, Release 5, October 23, 2015.

  • Defense Information Systems Agency (DISA) Commercial Mobile Device (CMD) Policy Security Technical Implementation Guide (STIG), Version 2, Release 3, March 26, 2013.

  • Defense Information Systems Agency (DISA) General Mobile Device (Non-Enterprise Activated) Security Technical Implementation Guide (STIG), Version 1, Release 4, July 26, 2013.

  • Defense Information Systems Agency (DISA) Mobile Policy Security Requirements Guide (SRG), Version 1, Release 2, July 26, 2013.

  • Defense Information Systems Agency (DISA) PDA Security Technical Implementation Guide (STIG), Version 6, Release 8, April 25, 2014.

  • Defense Information Systems Agency (DISA) Samsung Android OS 5 with Knox 2.0 Security Technical Implementation Guide (STIG), Version 1, Release 1, August 24, 2015.

  • Defense Information Systems Agency (DISA) Samsung Android OS 5 with Knox 2.0 Security Technical Implementation Guide (STIG) Configuration Table, Version 1, Release 1, August 24, 2015.

  • Defense Information Systems Agency (DISA) Samsung Android (with Knox 2.x) Security Technical Implementation Guide (STIG), Version 1, Release 3, July 24, 2015.

  • Defense Information Systems Agency (DISA) Samsung Android (with Knox 2.x) Security Technical Implementation Guide (STIG) Configuration Table, Version 1, Release 3, July 24, 2015.

  • Defense Information Systems Agency (DISA) Microsoft Windows Phone 8.1 Security Technical Implementation Guide (STIG), Version 1, Release 2, July 24, 2015.

  • Defense Information Systems Agency (DISA) Microsoft Windows Phone 8.1 Security Technical Implementation Guide (STIG) Configuration Table, Version 1, Release 2, July 24, 2015.