Mobile Device Visibility on Federal Networks

The Challenge: Integrating Mobile Asset Data from Various EMM Tools

CISA established the CDM program in 2012 to provide cybersecurity tools, integration services, and dashboards to help agencies strengthen their cybersecurity posture. CISA also oversees all federal assets via the CDM Federal Dashboard to ensure visibility in an increasingly complex threat landscape. To support that, Federal Civilian Executive Branch (FCEB) agencies must report on at least 90% of government-furnished equipment, including mobile devices, through CDM, per OMB M24-04.

CISA requires agencies to use EMM software for monitoring, controlling, and managing mobile devices, applications, content, and identity. This technology helps federal agencies enforce security policies and lays the foundation for zero trust. Integrating data from mobile devices into the CDM solution is challenging, though. Agencies use various EMM tools, including cloud Software as a Service (SaaS) offerings with API request limits and permission issues that complicate processing large amounts of data. Additionally, mobile assets do not include all the relevant CDM reporting data or indicate that the asset is a mobile device rather than a desktop or laptop.

The Approach: Assess and Develop, Integrate, and Display

In 2023, CISA asked Booz Allen to address these challenges and develop a solution that effectively integrates mobile data into the CDM solution distinctly from traditional assets. We worked with nine organizations that had four different EMM tools (VMware Workspace ONE, Microsoft Intune, Ivanti Neurons, and IBM MaaS360). Each was configured to meet unique organizational device management standards, and none reported STIG-compliant configuration settings management (CSM) information. Further, the CDM data model assumes a standardized set of CSM compliance checks, but agency-configured compliance policies do not always map neatly to STIG rules.

Assess and Develop

To better understand how the software was implemented at each organization, our engineers conducted a mobility gap analysis based on CISA’s CDM requirements and the agency’s current mobility setup. We identified which tool configurations and data policies would affect the hardware, software, and settings that must be reported in CDM agency and federal dashboards. We learned how organizational compliance policies were configured, and we sometimes needed additional data to properly determine compliance. We performed a gap analysis to determine whether the CDM solution Layer A (tools) configurations for mobile device management met CISA security requirements for mobile. We assessed CDM hardware asset management data target requirements for relevance to mobile asset characteristics and deprecated (from the EMM implementation) those developed for traditional hardware assets. Additionally, we provided technical recommendations to close security gaps, integrate mobile asset data, and develop configuration guides tailored to each agency.

Integrate

Booz Allen introduced seven data fields specific to mobile assets to the CDM solution and created custom data integration components. We also implemented logic to bring each agency’s mobile data into the CDM Federal Dashboard regardless of which EMM software it uses. Because not all EMM tools provided the required mobile data, Booz Allen developed logic to fill the gaps. Our team also mapped each device’s EMM-reported compliance status to government configuration standards to ensure maximum hardware and software security.

Display

The CDM agency dashboards display comprehensive data on traditional assets, users, privileges, vulnerabilities, and non-traditional assets like mobile devices. The CDM Federal Dashboard receives data from the agency dashboards, providing CISA with increased visibility and helping it make more informed risk-based decisions. 

The Impact: Extended Operational Visibility

Booz Allen’s solution increased CISA’s visibility into 175,000+ government-furnished mobile devices through automated reporting, moving the organizations toward 90% visibility, in alignment with BOD 23-01. We ensured that EMM implementations meet CISA’s security standards and seamlessly integrate mobile data into the CDM solution, allowing CISA to enforce policies, manage configurations, and ensure authentication. Ultimately, this work strengthens data protection and provides crucial oversight of device inventory and compliance, all while empowering more informed security decisions. Additionally, with each implementation, we reduced the time to complete the integration work by reusing code, processes, and project artifacts and by applying lessons learned, reducing implementation from 12 months at the first organization to an average of seven months for subsequent implementations.
