It’s been a little more than a year since former federal Chief Information Officer Vivek Kundra first broached the subject of a bring-your-own-device (BYOD) strategy for mobile technology in federal agencies, but many federal technology leaders are already picking up the idea and running with it even as they wrestle through the security, privacy and policy issues that will make those strategies work.
The government’s much-anticipated digital services strategy, released in May, promised to deliver governmentwide guidance and best practices on BYOD through a yet-to-be-convened interagency advisory panel. In the meantime, some agencies have moved quickly to embrace the idea, hoping to realize at least two potential benefits: reduced IT costs and the idea that employees will be happier and more productive if they’re working on devices they actually like.
A February survey by the IT company CDW-G found 62 percent of agencies already are letting employees use personal devices for work purposes, and that 40 percent of employees who are allowed to bring their own devices are doing so.
Swapping government equipment for personal devices
The General Services Administration is one agency that’s enthusiastically embraced the idea of giving workers the choice of turning in their government-furnished equipment and using their own technology. GSA recently finished putting together a code of conduct for personally owned devices and is about six months into the implementation of a BYOD program.
“Going to BYOD has been pretty simple for GSA from a business standpoint,” said Perryn Ashmore, who works in the CIO’s office at GSA’s Federal Acquisition Service, during a recent ACT-IAC panel discussion moderated by Federal News Radio’s Jason Miller. “And from a mobility standpoint, it’s imperative. You cannot conduct business on a Blackberry, but you can on a tablet. I run the portfolio of acquisition applications, and all of those applications are being built with the view toward a tablet user. It’s a big push. The challenges are the idea of creating a world of haves and have-nots, and the question of how much support you give the end-user.”
GSA is in the middle of a transformation project that’s structured in part around the idea that employees should be able to do their work on any device at any time.
Accordingly, new office space the agency is building in Washington has office seating for about 3,000 employees — only about a third of the total employee base who would normally call the facility home during a workday.
The rest will be mobile workers or teleworkers, said Dan Reece, the director of the continuous process improvement program at GSA’s headquarters.
“Right now the challenge is transforming our culture from what’s been the federal norm, where you show up and you have your desk and do you work, to doing your work wherever you need to as you need to,” he said. “For us, that means going to different office locations and using a hoteling station for a couple hours. In other instances, it’s going to a café or a restaurant or other venue. We don’t have to be bound to an assigned workspace. We really can be mobile and adapt to our customer requirements as we need to.”
GSA is supporting Apple, Android and Blackberry devices. When users bring their technology onto GSA’s network, they digitally sign a set of rules of behavior and agree to allow the agency to install security software and policy rules that govern certain features of their device. They also assent to GSA remotely wiping the device of all data if it’s lost or otherwise compromised.
Ashmore said GSA employees have willingly accepted that deal, though there has been pushback when the agency has found it necessary to enforce the rules and actually wipe a device.
“One of the things we’ve done to mitigate that is to back up the contents of the device to the GSA infrastructure,” he said. “But when you want to download personal apps onto your device, which is totally legit, the only restriction we have is that we lock you to the registered marketplaces like the iTunes marketplace.”
EEOC experiments with BYOD
The Equal Employment Opportunity Commission is also experimenting with BYOD. The agency has just begun a pilot program within the last few weeks, but the push came more from budget pressure than user demand.
EEOC CIO Kimberly Hancher said the small agency was faced with a sudden 15 percent reduction in its IT budget for 2012, and it didn’t appear at first that there was much fat to cut out.
“I had to cut my Blackberry budget in half in order to make this budget,” she said. “I talked with EEOC leadership, and we talked about various approaches. We could wait six months and then eliminate all Blackberrys, or we could take them away from half of our employees right away. Those were not popular options.”
So Hancher said they decided to do some research into how EEOC employees were using those devices and came up with a few surprises.
“Seventy-five percent of our users never made phone calls from their Blackberrys,” she said. “Email is the killer app. They either used the phone on their desk or they used their personal cell phone to make calls because it’s just easier. We also found there were a number of zero-use devices. People have them parked in their desk drawer, and the only time they use it is when they travel.”
By restructuring their plans with mobile service providers, switching to a shared pool of voice minutes and cancelling service to completely idle devices, EEOC cut its Blackberry costs by 30 percent.
The next step is BYOD, and Hancher said at least for now, personal devices are the only mobility option for new employees at EEOC.
“Because we’re in a budget crunch, if a new employee comes and ask for a Blackberry, I say, ‘Oh, I’m so sorry, I don’t have any at the moment. But we are doing a BYOD pilot if you’d like to participate. And if we get some Blackberrys returned, I’ll be happy to give you that used Blackberry.’”
Rob Burton, a former OMB official who now works as an attorney at the Venable law firm, worries that agencies are rushing into BYOD before all the necessary privacy and security considerations have been thought through and put on paper. Because of that, any potential cost savings might turn out to be illusory.
He said that what his firm’s private sector clients have found out.
“One reason is because of all these legal things roaming around,” he said. “Procedures have to be put in place and enforcement and compliance with these procedures is huge, and it’s costly. So the idea that this is going to save tons of money is a big question mark in the long run. But the train is gone. The train is moving at a very fast speed. So for industry and for government, it’s not a matter of whether we should do this, it’s a matter of how we do this and how we do it effectively.”
Burton said one thing agencies need to make sure of is that they have documented rules for what employees can and can’t do with government data on personally-owned devices, and that employees agree to let agencies examine those devices should it become necessary.
“You also better have a waiver where the employee holds the organization harmless,” he said. “Companies are doing this. It’s better do to it than not, and lawyers can then have debates over whether or not the waiver is enforceable. But if you don’t have one, there’s no debate. Training is absolutely critical too, and we’re not seeing companies doing much training on the security ramifications and procedures to protect sensitive corporate data, and I think some of the same challenges exist for the government in that regard.”
Establishing a BYOD policy
Hancher said her agency has done its homework. EEOC is currently on draft number eight of its acceptable behavior policy for personal devices, a document she developed as part of a working group with the agency’s legal counsel and HR staff.
“We wrote it out in black and white, so that as people opted in to BYOD, they could choose not to opt-in if they had a problem with it,” she said. “We wrote another document for use of government-provided mobile devices, and they’re very different in terms of expectations of privacy. We’re now at the point where we’re giving every Blackberry user a choice. We tell them we’d like them to do this because it helps us to get through our budget crunch, it gives them choice, we think they’ll be more productive using their device of choice. But we also tell them that if they really can’t give up their Blackberry, keep it.
Choice and letting employees opt-in to BYOD is also key at GSA, Ashmore said. It’s a somewhat different model than the one initially suggested by Kundra last year when he floated the idea of giving all employees a stipend to buy their own equipment rather than having government-furnished mobile devices at all. Ashmore said it’s difficult to see how that would work in practice.
“In the public service, I just don’t even know how you begin to say, ‘I’m going to give you money to go buy devices.’ I just don’t know how you get there,” he said. “I think that conversation should not be had. The choice is simply whether you’re going to use the equipment I’ve issued you, or, if you’re going to take care of it yourself, show me [that you can comply with policy]. We’re catching up with the training. We work every day on taking people who’ve been at a desk for 30 years and training them on these technologies. Let’s just say it’s interesting.”
Bring your own device,