Chapter 17 - Agency-Issued Mobile Devices Including Cellular Telephones, Smartphones, and Tablets
Part 8 - Information Resources Management
Title | Section |
---|---|
Introduction | 8-17.1 |
Purpose | 8-17.1A |
Scope | 8-17.1B |
Policy | 8-17.1C |
Acronyms | 8-17.1D |
Definitions | 8-17.1E |
Responsibilities | 8-17.2 |
Ordering Officials | 8-17.2A |
First Level Supervisor | 8-17.2B |
Second Level Supervisor | 8-17.2C |
Property Management Officer/Asset Center Representative | 8-17.2D |
Device User | 8-17.2E |
Headquarters, Area, and Local IT Staff | 8-17.2F |
Requesting a Mobile Device | 8-17.3 |
Initial Request | 8-17.3A |
First Level Supervisor | 8-17.3B |
Second Level Supervisor | 8-17.3C |
Contract Personnel | 8-17.3D |
Ordering Official | 8-17.3E |
Rules for using Agency-Issued Mobile Devices | 8-17.4 |
Rules of Usage | 8-17.4A |
Security | 8-17.4B |
Abuse | 8-17.4C |
Exhibit | Description |
---|---|
Manual Exhibit 8-17-A, | "Mobile Devices Justification and User Agreement" |
- Purpose. This chapter establishes the Indian Health Service (IHS)-specific policy and procedures for issuance and use of Agency-issued mobile devices including cellular telephones, smartphones, and tablet devices to IHS users for the purpose of performing IHS work-related duties. It also addresses the process for addressing the misuse of these devices.
- Scope. This chapter applies to all IHS employees, United States Public Health Service Commissioned Corps Officers, contract personnel, interns, externs, and other non-governmental employees, including consultants, temporary staff, and business representatives (hereinafter, collectively referred to as IHS "users") who:
- Have been issued a mobile device by the IHS.
- Are authorized to approve or terminate Agency user accounts for mobile devices.
- Control the distribution and payment for services related to the use of mobile devices.
- Policy. It is the policy of the IHS that an Agency-issued mobile device may be authorized when the user's requirements for data access and connectivity to support the Agency's mission can be met with mobile technology.
- Acronyms.
(1) COR - Contracting Officer's Representative (2) HHS - Department of Health and Human Services (3) IHM - Indian Health Manual (4) IHS - Indian Health Service (5) ISSO - Information System Security Officer (6) IT - Information Technology (7) MMS - Multimedia Messaging Services (8) OIT - Office of Information Technology (9) SMS - Short Message Services - Definitions.
- Smartphone. A smartphone, or smart phone, is a mobile telephone with more advanced computing capability and connectivity than basic feature phones. The smartphone is the standard electronic device used for the transmission and receipt of voice and e-mail communications throughout the IHS.
- Tablet. A tablet computer, or simply tablet, is a mobile computer with display, circuitry and battery in a single unit. Tablets are equipped with sensors, including cameras, microphone, accelerometer and touchscreen, with finger or stylus gestures replacing computer mouse and keyboard. Tablets may include physical buttons, e.g., to control basic features such as speaker volume and power and ports for network communications and to charge the battery. An on-screen, pop-up virtual keyboard is usually used for typing. Tablets are typically larger than smart phones or personal digital assistants at 7 inches (18 cm) or larger, measured diagonally.
- Mobile Phone. A mobile phone (also known as a cellular phone, cell phone, and hand phone) is a phone that can make and receive telephone calls over a radio link while moving around a wide geographic area. It does so by connecting to a cellular network provided by a mobile phone service operator, allowing access to the public telephone network.
- Short Message Services. Short Message Services (SMS) is a communications protocol that supports the exchange of short text messages between mobile phone devices.
- Multimedia Messaging Services. Multimedia Messaging Services (MMS) is the telecommunications standard for phone messaging systems that allow sending messages with multimedia objects (images, audio, video, rich text) and text. It is mainly deployed in cellular networks along with other messaging systems like SMS, mobile instant messaging, and mobile e-mail.
- Ordering Officials. Designated IHS Ordering Officials are responsible for:
- Ordering, purchasing, and determining the most cost-effective voice and data plans for Agency-issued mobile devices issued to IHS staff for the purpose of conducting official IHS business activities.
- Maintaining the mobile device licensing information, including the identification numbers.
- Administering and processing of electronic device user account data, including the management and control of the IHS Form "Mobile Device Justification and User Agreement" and licensing agreements (see Manual Exhibit 8-17-A).
- Managing mobile device accounts and processing reimbursable charges.
- Deactivating accounts of users who do not complete the "Mobile Device Justification and User Agreement" form.
- Ensuring the mobile device ordered conforms to IHS and the Department of Health and Human Services (HHS) guidance regarding device type, device manufacturer, device version, device operating system, device security configuration, and appropriate use.
- First Level Supervisor. First Level Supervisors are responsible for:
- Recommending the issuance of a mobile device to a Federal user.
- Maintaining copies of all "Mobile Device Justification and User Agreement" forms for staff assigned a mobile device.
- Reporting suspected misuse of mobile devices.
- Second Level Supervisor. Second Level Supervisors are responsible for:
- Approving mobile devices issued to Federal users.
- Submitting a request to the Ordering Official to cancel a mobile device account when it is no longer needed for the purpose of conducting official IHS business.
- Reporting suspected misuse of mobile devices.
- Property Management Officer/Asset Center Representative. The Property Management Officer or Asset Center Representative is responsible for: Receiving and processing Form HHS-439 , "Personal Custody Property Record/Hand Receipt," for all Agency-issued mobile devices.
- Device User. Device users are responsible for:
- Maintaining mobile devices so they can be managed by the Agency's information technology (IT) staff.
- Using the mobile device for IHS business in connection with official duties, and adhering to the policy and procedures of this chapter regarding Limited Incidental Personal Use.
- Limited Incidental Personal Use is permitted as stated under Section 8-17.4A, "Rules of Usage" below.
- Headquarters, Area, and Local IT Staff. All designated Headquarters, Area, and local IT staff are responsible for:
- Ensuring the mobile device is configured so that it conforms to IHS and HHS guidance regarding device version, device operating system, and device security configuration.
- Conducting security investigations when an Agency-issued mobile device is lost or stolen.
- Deactivating mobile devices when lost or stolen.
- Managing and maintaining the mobile device with the IHS Mobile Device Management server.
- Removing the mobile device from service when it cannot be managed by the IHS Mobile Device Management server.
- Making changes as needed when a device is re-issued to another user.
8-17.3 REQUESTING A MOBILE DEVICE
- Initial Request. When a Federal user and supervisor determine an identified business need exists for the user to be issued an Agency-issued mobile device, the user will:
- Complete and sign a "Mobile Device Justification and User Agreement" form (see Manual Exhibit 8-17-A).
- Submit the completed and signed form to the first level supervisor.
- First Level Supervisor. The user's first level supervisor will indicate approval or disapproval of the user's request for an Agency-issued mobile device and submit the "Mobile Device Justification and User Agreement," form to the second level supervisor. After the second level supervisor approves and returns the signed form to the first level supervisor:
- The first level supervisor will retain the original signed copy of the "Mobile Device Justification and User Agreement" form in the user's personal administrative file.
- The first level supervisor will send a copy of the approved "Mobile Device Justification and User Agreement" form to the organization's Ordering Official.
- Second Level Supervisor. The second level supervisor will indicate approval or disapproval of the user's request for an Agency-issued mobile device and return the "Mobile Device Justification and User Agreement" form to the first level supervisor.
If the second level supervisor disapproves the request, the second level supervisor will attach a written explanation for disapproval to the agreement.
- Contract Personnel.
- The Contracting Officer's Representative (COR) is responsible for determining whether an identified business need exists for the use of an Agency-issued mobile device by contract personnel.
- The COR will initiate the process outlined above for obtaining permission for the use of an Agency-issued mobile device to assist in the performance of the contractor's duties.
- Ordering Official. The organization's Ordering Official will contact the service provider to order a mobile device or modify a current user account. The Ordering Official:
- Determines services needed by the account holder which may include:
- Procurement of a mobile device.
- Creation of a new user account.
- Deletion of an existing account.
- Orders the mobile device and device services, as needed.
- Confirms that the user has received all requested services.
- Determines services needed by the account holder which may include:
8-17.4 RULES FOR USING AGENCY-ISSUED DEVICES
- Rules of Usage.
- Agency-authorized service plans are required for all IHS-issued mobile devices.
- Agency-paid service plans cannot be assigned to a user's personal mobile device.
- Personal use of IHS-issued mobile devices for communication or data access is allowed on an occasional and incidental basis, unless prohibited in writing. Personal usage should be brief and not violate IHS Standards of Conduct, as specified in the Part 8, Chapter 6, "Limited Personal Use of Information Technology Resources," Indian Health Manual (IHM) and the IHS Rules of Behavior.
- There shall be no expectation of privacy when using Agency-issued devices for any service including e-mail, PIN-to-PIN messaging, SMS, MMS, or web browsing. Logs, data, and other files created while using an Agency-issued mobile device are neither private nor confidential.
- With the pace of technological change, extra services may be available on Agency-issued mobile devices that are not typically authorized by the IHS. Since use of these extra services may incur additional costs to the Agency, the requesting user's second level supervisor must authorize any additional service selected.
- The "Mobile Device Justification and User Agreement" (Manual Exhibit 8-17-A) must clearly state the user's name, mobile telephone number if applicable, business need for the request, type of device, and an explanation of the reason(s) for the request.
- Security.
- Users must complete and sign the "Mobile Device Justification and User Agreement" form (Manual Exhibit 8-17-A) and receive supervisor approval before approval of a request for an Agency-issued mobile device. The "Mobile Device Justification and User Agreement" details the user's responsibilities in terms of security and usage limitations.
- Users of Agency-issued mobile devices are bound by the terms and conditions of the Part 8, Chapter 6, "Limited Personal Use of Information Technology Resources," IHM and the IHS Rules of Behavior.
- In the event an Agency-issued mobile device is lost, stolen, damaged or destroyed, users must follow established procedures in the IHM, Part 5, Management Services, Chapter 12, "Personal Property Management," Section 12, "Report of Survey."
- Information systems that are possibly lost or stolen require an F07-02B, Incident Reporting Form be completed within 30 minutes of initial discovery (Manual Exhibit 5-12-P). For further information regarding incident reporting, please refer to the IHS Division of Information Security, Standard Operating Procedure for Incident Reporting, SOP-DIS-09-02.
- In addition, the authorized user will immediately notify the IHS Information System Security Officer (ISSO) or the Area ISSO should the incident occur in an Area Office. The IHS or Area ISSO will immediately notify the IHS Central Messaging Service to ensure that all data is erased and that the mobile device is deactivated to prevent further use.
- If the IHS or the Area ISSO is unavailable, the user will immediately notify the IHS OIT Service Desk:
- Toll-free number is (888) 830-7280
- IHS OIT Service Desk email address
- Users must notify both the first and second level supervisors of the incident in writing, explaining the circumstances surrounding the incident.
- The supervisor (or person with the most knowledge regarding the circumstances) is responsible for initiating Form HHS-342, "Report of Survey" and submitting the form to the Property Management Officer for processing. The form must be submitted within three (3) business days after the user reports the Agency-issued mobile device incident.
- Click here for the Form HHS-342
- Agency-issued mobile devices are not approved for handling sensitive information unless properly encrypted. Users should exercise discretion when using mobile devices.
- Every Agency-issued mobile device must be configured to automatically lock-out after being inactive and utilize a user-defined password to unlock the device in accordance with applicable IT security guidance (see Part 8, Chapter 21, "Access Control," IHM). Mobile devices must be configured in accordance with applicable security guidance found in Part 8, Chapter 21, "Access Control," IHM. Users may not "jailbreak" devices or change configurations which cannot be securely maintained, as required.
- All deployed mobile devices will be enabled for remote erase.
- Devices which are no longer supported by the vendor and cannot receive security updates must be disconnected from service immediately and discontinued from use.
- Suspected misuse of an Agency-issued mobile device must be reported via email to the IHS Cybersecurity Incident Response Team.
- Users may be subject to disciplinary action for abuse or misuse of Agency-issued mobile device equipment as specified in IHM, Part 5, Chapter 12, "Personal Property Management."