NIST drafts mobile security guidelines for responder tech


The National Institute of Standards and Technology’s reference design would improve interoperability between mobile platforms, applications and identity systems for public safety organizations.

There’s arguably been no corner of government that’s profited more from the mobile revolution than the first responder community. The ability to quickly access public safety data in the field is critical to first responders’ performance during emergencies.

With those benefits, however, come concerns over how to secure that access. At any one emergency site, there are likely to be a number of public safety personnel from several departments or jurisdictions, all working in different operational environments, using an array of applications on various devices and separate operating systems. That’s a nightmare for sharing, and for securing the highly sensitive information to which responders must all have access.

The National Institute of Standards and Technology is trying to overcome this concern with a proposed reference design for both multifactor authentication and mobile single sign-on. The standards are aimed directly at this public safety/first responder community.

Developed by NIST’s National Cybersecurity Center of Excellence (NCCoE), in collaboration with the responder community, the draft discusses all the standards-based technical options and trade-offs that public safety organizations will need to build out a range of mobile security services for their users.

Based on commercially available and open source products, the reference design should also “improve interoperability between mobile platforms, applications and identity platforms regardless of the application development platform used in their construction,” the NCCoE said.

That approach fits exactly with the kind of concerns organizations such as the National Association of State Chief Information Officers have expressed about cybersecurity, particularly in the age of the Internet of Things.

Public safety agencies must have a better understanding of the risks of the Internet of Everything, as well as a way to mitigate those risks. “Success will be predicated on an open platform that allows partners working together to use the same baseline technologies,” according to a NASCIO study.

The NCCoE project draft lays out a number of scenarios in which its framework would apply and describes a high-level architecture that could be used for mobile devices. It stresses that the reference design and implementation take a standards-based approach that relies on the “native capabilities” of the device’s mobile OS.

The NCCoE wants comments on the proposed Mobile Application Single Sign-On project by Sept. 16.

Separately, NIST has produced the first draft of a new Digital Authentication Guideline, a part of its SP 800-63 line of electronic authentication technical and procedural guidelines that began in 2004. Given the increasing attention to cybersecurity over the past few years, the new publication is a fairly extensive overhaul of the authentication requirements government agencies are expected to follow.

Much of the public attention on the draft guidelines has landed on the fact that NIST is recommending phasing out -- “deprecating” in NIST jargon -- the use of out-of-band short message service (SMS) for authentication. That refers to situations when a bank, for example, will send a one-time code to a customer’s mobile phone that is used along with a password to gain access to accounts.

As NIST points out, there is a substantial risk that such an SMS message could be intercepted or redirected, particularly if the message is sent on a public network. Because of the risks involved, “implementers of new systems SHOULD carefully consider alternative authenticators,” NIST said. Out-of-band use of SMS in future releases of SP 800-63B likely won’t be allowed.

However, the guidelines offer far more, taking apart and putting back together again many different scenarios of multifactor authentication, as well as single-factor hardware and one-time password solutions. Many people have speculated on the end of the password for authentication purposes, but the guidelines stress its continuing value, albeit in very controlled circumstances.

The draft document also limits the value of previously accepted authentication methods, such as biometrics. At one time, biometrics were considered the best answer to access and security verification because of their supposed imperviousness to being copied or misused. Now, however, the NIST guidelines support “only limited use of biometrics for authentication,” and only when they are used with another authentication method.
