All government organisations and their Arm’s Length Bodies (ALBs) shall manage corporately owned mobile phones and tablets which access, process or store OFFICIAL government and/or citizen data via critical systems, using an appropriate Mobile Device Management (MDM) solution.
Government needs to maintain the security of government and citizen data in order to continue to operate effectively. Data breaches can have a negative impact on the operation of government’s essential functions, its delivery of public services, and the rights, freedoms and safety of individuals. Implementing the controls described in this policy will help government organisations and their ALBs to keep their corporately owned mobile devices secure and prevent data breaches.
This policy is intended for:
Data breaches pose the following risks:
5.1. This policy applies to government organisations and their ALBs.
5.2. This policy applies to corporately owned mobile phones and tablets which access, process or store OFFICIAL government and/or citizen data via critical systems. (See 5.3 for definition of “critical systems”.)
5.3. “Critical systems” are those which support the operation of the organisation’s essential services, day-to-day business and mission, and without which the organisation would not be able to operate. For example, the primary organisational corporate network.
5.4. This policy applies to devices deployed under the following models:
5.5. Note: This policy does not apply to the BYOD (Bring Your Own Device) model - when an organisation actively manages access to its data and systems by devices which it does not own.
6.1. This policy contains both mandatory and advisory elements, using the same language as Functional Standard GovS 007: Security:
Government organisations and their ALBs shall:
6.2. Corporately manage all mobile devices which access, process or store OFFICIAL government and/or citizen data via critical systems. (See 5.3 for definition of “crit ical systems”.)
6.3. For COPE (Corporately Owned, Personally Enabled) devices:
6.4. Ensure that mobile devices — including mobile device operating systems, firmware and apps — will be supported by the manufacturer/developer for the entire duration of their intended use.
6.5. Actively manage updates and patches to mobile device operating systems, firmware and apps according to best practice.
6.6. Apply Data Loss Prevention (DLP) and document labelling policies to reduce the risk of unauthorised sharing of government data via mobile devices, including via third-party applications. For example, using the available configuration guidance for using Microsoft 365 in line with the Government Security Classifications Policy. Organisations shall have regard to the Cabinet Office policy on use of non-corporate communication channels (NCCCs) for government business when applying DLP and document labelling policies, ensuring that users have the means to comply with their records management obligations.
6.7. Limit remote access to corporate networks and information systems to mobile devices which are authorised, authenticated, up-to-date and compliant with policy.
6.8. Implement technical controls to protect government data in transit between mobile devices and corporate networks and information systems.
6.9. Maintain the ability to remove non-compliant mobile device access to corporate networks and information systems.
6.10. Formally review and approve third-party applications as part of the organisation’s software asset management process, taking into account:
6.11. Know which permissions are requested by approved applications and understand the resulting access to government data. For example, permissions for the app to access the device’s location, contacts, files, camera or microphone.
6.12. Where technically possible, implement technical controls to manage which permissions third-party applications can request and configure them to prevent third-party applications from accessing government data.
6.13. Configure mobile devices so that they will not install or run third-party applications from any other source apart from the corporately managed or corporately approved application marketplace.
6.14. Implement technical controls so that only corporately approved applications can be installed and run on mobile devices using an allow list. In exceptional circumstances only, organisations may instead implement a deny list of applications that are specifically prohibited.
Note: Organisations may implement additional app controls as they see fit. For example, a deny list applied to the personally enabled parts of a COPE device in addition to an allow list applied to the corporately managed parts.
6.15. Include mobile devices in logging and monitoring activity, to collect the following data and to scan for indicators of compromise (where technically possible depending on device platform and in compliance with the relevant provisions in the UK GDPR and the Data Protection Act 2018 to protect the privacy of users’ non-corporate data):
6.16. Maintain an Acceptable Use Policy (AUP) which reflects the requirements of this policy, to ensure that end-users understand the intended use of mobile devices and how to keep them secure and up-to-date — such as behaviours they need to adopt, actions they need to take and what their security responsibilities are for the duration of their employment. AUPs shall also include information for end-users on how to report a problem with their device and get help, and how to raise a request for new features or functionality.
6.17. Undertake a Data Protection Impact Assessment (DPIA) in order to identify and minimise risks to users’ personal data held on mobile devices and provide users with a Privacy Notice which clearly sets out:
6.18. Include the implementation of this MDM policy in the organisation’s formal governance and risk management processes.
Government organisations and their ALBs should:
6.19. Undertake a technical assessment of third-party applications as part of the formal review and approvals process (see 6.10).
6.20. Maintain the ability to enforce a remote wipe of corporate devices.
6.21. Implement controls which prohibit unauthorised users from unenrolling the device or removing the corporate MDM solution.
7.1. Organisations shall take a threat-driven, risk-based approach to implementation, proportionate to the prevailing level of cyber risk, within practicable timescales, and in line with their organisation’s business objectives and priorities.This means that organisations have the flexibility to decide how to meet the requirements of this policy in practice.
7.2. Where an organisation is not compliant with the requirements of this policy, this risk shall be formally managed and the appropriate risk mitigations put in place in line with the organisation’s risk tolerance.
7.3. If applicable, organisations should have a plan in place to work towards future compliance with this policy, in a way that meets their business objectives and priorities and to ensure continuous improvement over time.
Organisations need to read this policy document in conjunction with:
9.1. Implementing the controls set out in this policy will help government organisations to demonstrate that they have met the required security outcomes in the National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF), including but not limited to:
9.2. The mandatory elements of this policy are aligned with the Baseline Government CAF profile. Those that exceed the requirements of the Baseline profile do so because they are essential to achieving the policy’s core aims.
9.3. Further guidance for government organisations on how to meet the required security outcomes in the CAF is provided on security.gov.uk.