This policy establishes the minimum requirements for the management and use of mobile devices at the NIH.

NIH Institutes and Centers (ICs) shall implement this policy or may create more stringent policies and procedures, but none less restrictive.

This policy applies to “NIH mobile devices” (i.e., cell phones, smart phones, tablets), approved for use by the NIH, that wirelessly or physically connect to internal NIH information technology (IT) resources, including the NIH network (NIHnet) or synchronizing with the NIH enterprise services such as email, cloud-hosted file storage and collaboration sites. It does not apply to laptops.

There are two classes of NIH mobile devices: Government Furnished Equipment (GFE) that are acquired and managed by NIH; and Non-Government Furnished Equipment (Non-GFE), including personally owned devices and devices provisioned by other entities, such as a contractor or as part of a research contract.

This policy does not apply to mobile devices that only connect to the NIH guest network and do not store, process or transmit NIH information.

This policy does not supersede any other applicable law or higher-level agency directive.

1. NIH mobile devices may only access NIH IT resources through the approved enterprise-wide Mobile Device Management (MDM) service.
   1. Government furnished mobile devices must be enrolled in this MDM service before being allowed direct access to NIH IT resources.
   2. Mobile devices that are personally owned or contractor-furnished mobile devices may only access NIH IT resources through an application “container” managed by the approved, enterprise-wide MDM service.
2. Acceptance of the appropriate NIH Rules of Behavior and End User Agreement will be required for users with mobile devices enrolled in the NIH enterprise MDM service and connecting to NIH IT resources (see appendices 1 and 2). Accepted user agreements will be maintained by: 1) the users’ respective IC in accordance with applicable IC procedures and NIH records schedules; or 2) the NIH Information Security and Privacy Awareness training system.
3. Mobile devices used for official business must not be modified to circumvent the manufacturer’s operating system security features (e.g., “jailbreaking” or “rooting”) or attempt to circumvent the NIH configurations and security controls implemented as part of the MDM service.
4. Each IC will designate and maintain one or more Mobile points of contact (POC) to ensure their IC manages all government furnished mobile devices consistent with this policy and any applicable IC policies and procedures.
5. All mobile devices—both government furnished and non-government furnished—must comply with the NIH MDM technical specifications.
6. All mobile devices must be password-protected. Enhanced authentication may be used for devices that have the functionality (e.g., biometrics).
7. All mobile devices must implement a time-out function that requires a user to re-authenticate after inactivity.   
8. Lost or stolen mobile devices—both government furnished and non-government furnished—must be reported to the NIH IT Service Desk within one hour (60 minutes) so that the government information on the device can be remotely removed.
9. Lost or stolen government furnished mobile devices must be reported to the IC property custodian so that a Report of Survey can be conducted.
10. ICs must ensure their offboarding processes for Federal staff and contractors include measures to ensure that government furnished devices are returned to their respective IC Mobile POC before separation,  and that non-government furnished devices have the NIH MDM container removed within 24 hours of separation.
11. More than one line of service/telecommunications account on a given device through the addition of SIM cards or other means are prohibited on government furnished mobile devices.
12. Purchases of wireless telecommunications rate plans (except those devices used in scientific research) must conform with the NIH-negotiated rates with the wireless carriers. Contact your IC Mobile POC to access those rate plans.
13. Government furnished mobile devices are not accountable property, except for tablets. Tablets (with or without wireless capability) must be maintained as accountable property in the NIH property management system. 
14. All government furnished mobile devices that include phone capabilities shall have the phone number maintained in the NIH Enterprise Directory for emergency alert (Alert NIH) notifications.

The primary individuals listed below may assign a designee, as appropriate, to carry out these responsibilities:

1. NIH Chief Information Officer (NIH CIO)

The NIH CIO establishes and ensures the implementation of this policy at NIH consistent with all other Federal, HHS, and NIH rules and regulations.

2. IC Executive Officers (IC EO)

The IC EO is responsible for designating one or more IC Mobile point(s) of contact (POC) and ensuring any IC policies are consistent with (or more restrictive) this policy.

3. IC Mobile Points of Contact (POC)

The IC Mobile POC(s) is responsible for ensuring overall management of mobile devices consistent with the requirement of this policy and any IC related policies and procedures, including ensuring the accuracy of inventory information, adequacy of off-boarding procedures, and collection and maintenance of the IC’s NIH Rules of Behavior and End User Agreement documentation.

4. Management Officials

Management officials, in their supervisory role, are responsible for informing users (employees, contractors, interns, etc.) of their rights and responsibilities, including the dissemination of the information in this policy.

5. NIH Mobile Device User

All NIH staff that use mobile devices to access NIH IT resources are responsible for ensuring compliance with this policy, and for reading, agreeing, and adhering to the applicable NIH Rules of Behavior and End User Agreement (See appendices 1 and 2).

All mobile devices must comply with this policy.

Where deviations from this policy are necessary, requests for exceptions should be submitted to nihciocommunications@nih.gov, and will be evaluated by the NIH Chief Information Officer (CIO). A waiver request must include a business case for the exception that specifies how enforcement of this policy would restrict the mission of NIH and the compensating controls that will be implemented.

1. HHS Policy for Mobile Devices and Removable Media, available at:
   https://intranet.hhs.gov/working-at-hhs/cybersecurity/ocio-policies
2. HHS Memorandum - Use of Government Furnished Equipment (GFE) During Foreign Travel, available at: https://intranet.hhs.gov/working-at-hhs/cybersecurity/policies-standards-memoranda-guides/memoranda
3. NIH IT General Rules of Behavior, available at:
   https://ocio.nih.gov/InfoSecurity/Policy/Pages/Default.aspx
4. NIH Procedure for Reporting Lost or Stolen Equipment, available at:
   https://myitsm.nih.gov/nav_to.do?uri=%2Fkb_view_customer.do%3Fsys_kb_id%3D36f553edd1b1890062e3f01615533b2a  
5. NIH Policy Manual, Chapter 1743 Managing Federal Records, available at:  https://policymanual.nih.gov/1743/
6. NIH Information Security Policy Handbook, available at:
   https://ocio.nih.gov/InfoSecurity/Policy/Pages/default.aspx
   1. NIH Media Sanitization and Disposal Guidelines
   2. NIST Special Publication 800-88, Guidelines for Media Sanitization, available at:
      https://www.nist.gov/publications/nist-special-publication-800-88-revision-1-guidelines-media-sanitization  

Jailbreaking – In the mobile technology context, the term “jailbreaking” has colloquially meant removing limitations on devices running the Apple iOS operating system, permitting root access to the operating system, and allowing the download of additional applications and themes that may or may not be authorized by the manufacturer. The term has also sometimes been applied to the process of gaining root access to non-Apple devices, known as “rooting.”

Mobile Device – Small footprint computing devices that can be easily transported, such as cell phones, smart phones, and tablet computers (not laptops), approved for use by the NIH to wirelessly or physically connect to internal NIH information technology (IT) resources.

NIH Staff – Employees, contractors, students, guest researchers, visitors, and others who have access to NIH IT resources through the NIH Active Directory account structure.

NIH Information Technology (IT) resources – Any information technology systems, services, and data that is accessed via the NIH network (NIHnet), including use and synchronizing with NIH enterprise services such as email and cloud-hosted file storage and collaboration sites.

Government Furnished Equipment (GFE) – Devices and equipment that are purchased and funded by the NIH for use by NIH staff

MDM container – An application used to separate and secure NIH data and resources from the rest of the device. The container prevents malware, intruders, system resources or other applications from interacting with the application and data protected by the container.   The container provides the ability to erase NIH specific data and components without affecting the rest of the device.

Non-Government Furnished Equipment (Non-GFE) - personally owned devices and devices that are provided by other entities, such as a contractor or as part of a research contract.

Sensitive information – At NIH, sensitive information is “information that has a degree of confidentiality such that its loss, misuse, unauthorized access, or modification could compromise the element of confidentiality and thereby adversely affect national health interests, the conduct of NIH programs, or the privacy of individuals entitled under the Privacy Act or the Health Insurance Portability and Accountability Act (HIPAA).”  IT security personnel and system owners can equate this definition of sensitive information with data that has a FIPS 199 security impact level of Moderate or High for the confidentiality security objective.  This definition of sensitive information is media neutral, applying to information as it appears in either electronic or hardcopy format. Examples of sensitive information include, but are not limited to, Personally Identifiable Information (PII) and Protected Health Information (PHI).