NIST Cybersecurity Practice Guide, Draft Special Publication 1800-4: "Mobile Device Security: Cloud and Hybrid Builds"

Washington, DC - As mobile technologies mature, employees increasingly want to use mobile devices to access corporate enterprise services, data, and other resources to perform work-related activities. Unfortunately, security controls have not kept pace with the security risks that mobile devices can pose. If sensitive data is stored on a poorly secured mobile device that is lost or stolen, an attacker may be able to gain unauthorized access to that data. Even worse, a mobile device with remote access to sensitive organizational data could be leveraged by an attacker to gain access not only to that data, but also any other data that the user is allowed to access from that mobile device.

The challenge lies in ensuring the confidentiality, integrity, and availability of the information that a mobile device accesses, stores, and processes. Despite the security risks posed by today’s mobile devices, enterprises are under pressure to accept them due to several factors, such as anticipated cost savings and employees’ demand for more convenience.

To address this cybersecurity challenge, NCCoE security engineers developed an example solution that demonstrates how commercially available technologies can meet an organization’s needs to secure sensitive enterprise data accessed by and/or stored on employees’ mobile devices.

The guide demonstrates how security can be supported throughout the mobile device lifecycle. This includes:

configuring a device to be trusted by the organization
maintaining adequate separation between the organization’s data and the employee’s personal data stored on or accessed from the mobile device
handling the de-provisioning of a mobile device that should no longer have enterprise access (e.g., device lost or stolen, employee leaves the company

The guide is available for download in PDF or for Web viewing in HTML5.

We look forward to receiving your comments on the draft guide—the approach, the architecture, and possible alternatives.

The comment period is open through January 8, 2016. Comments will be made public after review and can be submitted anonymously. Submit comments online or via email to This email address is being protected from spambots. You need JavaScript enabled to view it..