BYOD Pilot: Five Lessons Learned

As noted in a recent post, the U.S. Equal Employment Opportunity Commission (EEOC) has implemented a Bring-Your-Own-Device (BYOD) pilot program to meet urgent IT budget challenges. The EEOC, a relatively small agency with scarce IT funds by federal government standards, was one of the first agencies to launch an innovative BYOD pilot. See “BYOD and Beyond”: https://www.govloop.com/profiles/blogs/do-you-byod

EEOC’s Chief Information Officer, Kimberly Hancher, has been leading the charge. Although the pilot is still in place, CIO Hancher and I discussed some of the key lessons learned thus far.

So far the pilot appears promising, according to CIO Hancher, as well as to employee participants in the program.

Also see “EEOC cuts costs with BYOD pilot program”: https://www.govloop.com/profiles/blogs/eeoc-cuts-costs-with-byod-pilot-program

These preliminary pointers may help other agencies in crafting viable and effective BYOD pilot programs and/or policies of their own.

Lessons Learned

1) Socialize the concept of BYOD within your agency.

Since this is a new concept and the acronym is taking time to be universally recognized, it is advisable to spend time explaining the BYOD concept to the workforce — including at senior staff meetings and executive council sessions.

Making any major changes in a bureaucracy is never easy. Thus effectively communicating IT concepts to agency leadership is key to moving forward. Agency leaders must be on the same page and have a comprehensive understanding of cost savings and other benefits — not to mention IT logistical issues.

2) Work with your agency’s Legal Counsel and union early in the process.

Allow input on the BYOD program and policies from leadership officials. This is key to building consensus. To paraphrase President LBJ, it’s better to have them inside the tent dishing out, than outside the tent dishing in.

3) Select the most important security features for implementation.

Work to identify the Top 10 security settings or policies, implement them carefully, then cycle back to identify additional security measures after the first set are completed. Also see 5) below…

4) Create an “Acceptable Behavior Policy”

Have documented rules for what employees can and can’t do with Government data on personally-owned devices. Also, employees must agree to let agencies examine those devices should it become necessary.

5) Install necessary software to manage security settings

This is an important extension of 3) above. Under the EEOC pilot program, employees who want to use their own smartphone for official work purposes must agree to have third-party software installed. This allows the agency to manage security settings on the devices and remotely wipe devices clean of government emails and data if they are lost or stolen. But for those who love their smartphones and tablets, it appears to be a fair tradeoff for now.

DBG

*** All views and opinions expressed herein are those of the author only.


Lindsey Tepe

I really like the first point about establishing buy-in. If employees don’t understand the BYOD program and its benefits, it’s hard to build momentum for change.

David B. Grinberg

Thanks for your comment, Lindsey, I appreciate the feedback. I’ve observed that the interesting and surprising part about socializing BYOD within a government workforce — based on my personal observation – is that some people may be surprised by who needs the socialization. The conventional wisdom appears to be that BYOD will attract younger folks to public service, as well as appeal to younger govies, because younger generations are more tech savvy. While this may be true, I’ve also seen a fairly high number of career folks who are participating in BYOD. I’m referring to SES leaders and other federal executives (GS-13 to GS-15). This helps dispel another myth and stereotype about older workers adapting to, and mastering, new technology. People need to remember that age is just a number.

At my agency, for example, career program office directors and managers/supervisors over 40 have enthusiastically volunteered to be part of the BYOD pilot. Thus, age may not be as much of a factor as some believe when it comes to championing BYOD. The bottom line message from Uncle Sam when it comes to BYOD is: we want you — regardless of age.

David B. Grinberg

Chris, as noted above, the software allows the agency to manage security settings on the devices and remotely wipe devices clean of government emails and data if they are lost or stolen. I believe it’s a mobile device management cloud provider that is used to configure the exchange of electronic mail between the providers’ host and the agency’s email gateway – thus allowing for wireless synchronization of agency email, calendar and contacts, as well as mobile device management services. Moreover, in order to protect sensitive data, BYOD orientation sessions are scheduled to train pilot participants on critical security ramifications and procedures. I’m not at liberty to get into more specifics about specific security software being used during the pilot. Thanks for the questions, Chris. I hope my response is somewhat useful.

Anastasia Bodnar

David, this is very exciting news. I hope your pilot is a great success and that BYOD spreads quickly throughout government. It really makes no sense to issue additional devices to people if they already own products they know and love.

One question I have is about software. How do you deal with the issue of buying needed software for an employee but then installing that software on a personally owned device? Universities often have annual licenses, and if you are no longer a student you can’t renew the license.

Second, how does IT deal with the diversity of devices that might be used? Will IT staff need additional training or will more IT staff need to be hired?

I know security is a big concern for people, but it can be done. My spouse worked for a law firm this summer and they had a BYOD policy. Those without smart phones were able to checkout a Blackberry, but those who already had Blackberries, iPhones, or Android phones could have security software installed. I can’t think of many industries with more secrets than law… if they can do it, certainly most of government can too. I’m sure the security software you are using is similar to the one used in law based on your description.

Keep up the good work!

Dennis Snyder

May I ask what EEOC’s legal department determined with respect to augmentation? Augmentation is a concept of appropriations law that is derived from statute, specifically 31 U.S.C.§ 3302(b) (miscellaneous receipts rule) and 31 U.S.C.§ 1301(a) (restricting the use of appropriated funds to their intended purposes). The Government Accountability Office has held that an agency may not augment its appropriations from outside sources without specific statutory authority. The concept is related to the separation of powers doctrine. When Congress makes an appropriation, it is also establishing an authorized program level. It is, in effect, telling the agency that it cannot operate beyond the level that it can finance under its appropriation. The objective of the rule against augmentation of appropriations is to prevent a government agency from undercutting the Congressional power of the purse by exceeding the amount Congress has appropriated for that activity.

In this case, the employee purchases equipment for use on the job, but is not compensated. The government then further restricts the employee from full use of their personally owned device by applying security settings and patches, albeit with employee approval under the terms of agreement.

If EEOC does not own, nor has contracted the use of BYOD equipment, then it would appear EEOC has exceeded its authority to operate within the Congressionally approved budget under the augmentation rules above.

I’m sure this has been sorted out by legal. Just wondering how they determined their decision and whether it has been contested.

David B. Grinberg

Thanks for the feedback, Dennis. I’ll have to check on your specific technical legal/budget question and get back to you on it. However, I can offer the following reply for now:

Personally, I’m not familiar with the term “augmentation” as you describe it for purposes of federal appropriations in general, and BYOD pilots in particular — nor am I an attorney expert qualified to provide an official response. I’m sure you are well aware that much larger federal agencies and Cabinet-level Departments have launched broader BYOD pilot programs.

As noted above, the EEOC’s pilot program was launched “to meet urgent IT budget challenges.” Also, it’s my understanding that the agency significantly reduced contractor services, eliminated some software maintenance, and slashed the agency’s budget for mobile devices prior to implementing the pilot.

My understanding is that the BYOD pilot was coordinated for months through the agency’s IT Investment Review Board, the Office of Legal Counsel and the local union (AFGE), among others. Thus, I’m fairly certain that all relevant and necessary appropriations strictures were strictly followed regarding the transition to a Cloud-based provider for the pilot.

Also, as you probably know, the White House has said it will issue official government-wide BYOD guidance soon, as part of its larger Digital Government Strategy. As noted in a prior post, the White House issued a Presidential Memorandum in March 2012 regarding preliminary guidelines for agencies — http://www.whitehouse.gov/the-press-office/2012/05/23/presidential-memorandum-building-21st-century-digital-government. The White House memo to agency heads government-wide states, among other things:

“This memorandum shall be implemented consistent with applicable law and subject to the availability of appropriations, and with appropriate protections for privacy and civil liberties. The Director of the Office of Management and Budget is authorized and directed to publish this memorandum in the Federal Register.”

I hope this info is helpful, Dennis. Thanks again for your comments.

David B. Grinberg

Thanks for your comments, Anastasia. In addition to my reply to Dennis (below), I can tell you that more agency-specific information on the BYOD pilot should be forthcoming to coincide with the release of the White House official guidance (per my comments below).

On a personal note, I think it’s interesting how some critics may appear to lambaste Government generally for not being innovative enough with IT, and then sharpen their swords when agencies actually take concrete effective actions to be more innovative and better serve the IT needs of the workforce, while cutting costs at the same time — to the benefit of taxpayers and federal employees alike. I’m not trying to point fingers here, but rather make a general observation. Thanks again for your constructive feedback, Anastasia.

Julie Chase

RE: #5 Doesn’t installing the necessary software to manage security settings slow everything down? In DoD that is the problem with our network NMCI….slooooowwwwww. Security settings are updated constantly and overnight when everyone goes home for the day. The frustration is typing out an email and your screen freezes or flips out. The program you are working with suddenly disappears. We “know” it’s all the security that is being downloaded constantly. One of the benefits, (yes, I said benefit), is “storage”. In my case we only get so much storage….so we purchased 1TB ext hard drives (organization’s cost and tons of fed tape just to get the thing). I’m listening David, truly I am. Storage intrigues me. I think it will be a hard sell to DoD, heck they don’t even like “the cloud” that everyone in gov is buzzing about.

David B. Grinberg

Great hearing from you again, Julie! While I’m sorry to hear that you’re still having some technical and logistical computer issues related to BYOD, I’m nonetheless happy that you appear to be seeing the light at the end of the tunnel — albeit a faint glimpse. Please see the following articles of interest about BYOD, DoD and security-related issues:

http://www.govplace.com/2012/07/pentagon-may-deploy-byod-policy-by-2014/

http://www.fiercemobilegovernment.com/story/carey-mobility-key-dods-future/2012-07-24

http://gov.aol.com/2012/07/24/federal-agencies-ponder-byod-policy-details/

http://www.itbusinessedge.com/cm/blogs/itdownloads/where-us-military-leads-on-cloud-byod-we-follow/?cs=50818

http://govwin.com/arossino_blog/three-issues-driving-mobile-device/618833

I hope these articles are helpful, Julie, in shedding more light on BYOD. Good luck with all your work.

Peter Sperry

I suspect the reason BYOD is more eagerly embraced by senior grades is they can afford to purchase two devices, one for personal use which is kept free of government spyware and one for office use which is expendable if necessary. Personally, I would be very happy to purchase my own devices with my own money exclusively for office use because I would obtain better, more useful IT equipment; but only if I can maintain a strong firewall between my personal and government systems. Ideally, one should have a separate laptop/tablet for work and NEVER link it to any truly personal devices. Also remember that spyware can be transmitted by thumb drives so using one on your personal equipment after having connected it to your government device can result in a nasty surprise.

Yes, BYOD, is an augmentation of appropriations and a gross violation of appropriations law as laid out in the GAO Redbook, but that may change in the future. Meanwhile many government agencies seem willing to risk an IG or GAO audit finding. I’ve never heard of anyone suffering any career damage from one, so they probably have little to lose.

David B. Grinberg

Thanks for your always insightful comments, Peter. Here’s some feedback:

1) FYI, I’ve noticed some lower-grade employees also participating in BYOD — I assume because the younger generation is usually more deft with the latest mobile devices and often “must” have them.

2) I have not examined whether senior grade-level folks use two devices (one for work and the other for personal use, as you infer), but that’s a really good question I will look into.

3) My understanding about the BYOD pilot at EEOC, at least, is that there IS a strong firewall preventing government IT minders from viewing one’s personal use of mobile devices — but who really knows?

4) Regarding spyware, I think this will always be a major concern generally. You offer excellent advice on that matter as well.

Thanks again, Peter, for sharing your intricate knowledge and eye-opening views on this important issue.

David B. Grinberg

Below is the full text of the EEOC case study on BYOD, as contained in the new White House guidance issued earlier today:

U.S. Equal Employment Opportunity Commission (EEOC) BYOD Pilot
Transitioning from Blackberry Usage to Bring-Your-Own-Device
http://www.whitehouse.gov/digitalgov/bring-your-own-device#eeoc

Kimberly Hancher
Chief Information Officer
U.S. Equal Employment Opportunity Commission

Executive Summary

The U.S. Equal Employment Opportunity Commission (EEOC) recently implemented a Bring-Your-Own-Device (BYOD) pilot program to meet urgent IT budget challenges. Employees who want to use their own smartphone for official work purposes must agree to have third-party software installed. This allows the agency to manage security settings on the devices and remotely wipe devices clean of government emails and data if they are lost or stolen.

The EEOC is among the first Federal agencies to implement a BYOD pilot and the preliminary results appear promising. Last year, the EEOC was paying $800,000 for its Government issued BlackBerry devices. Subsequently, the EEOC’s FY2012 IT budget was cut from $17.6 million to $15 million, nearly a 15% reduction. The EEOC’s Chief Information Officer, Kimberly Hancher, significantly reduced contractor services, eliminated some software maintenance, and slashed the agency’s budget for mobile devices — leaving only $400,000 allocated for Fiscal Year 2012. Along with the other cost reduction measures, CIO Hancher took the issue to the agency’s IT Investment Review Board. She suggested a two-pronged approach to cost reduction:

1) Optimize rate plans for agency provided mobile devices, and
2) Implement a BYOD pilot program.

In November 2011, EEOC’s IT staff pressed the wireless carrier, a GSA Networx contract provider, to help cut costs or risk losing the EEOC’s BlackBerry business. Although the carrier was initially reluctant to work expeditiously, the EEOC stood firm in pursuing rate plan optimization. Zero-use devices were eliminated and all remaining devices were moved to a bundled rate plan with shared minutes. FY 2012 costs were reduced by roughly $240,000 through these actions.

The next step was to launch a BYOD pilot program focused on enticing current users of Government provided BlackBerry devices to opt out. For months, EEOC’s Hancher worked with information security staff, agency attorneys and the employees’ union to draft rules that balanced employee privacy and Government security. By June 2012 many BlackBerry users “opted out” and voluntarily joined the BYOD pilot program.

EEOC’s BYOD pilot focused on providing employees with access to agency email, calendars, contacts and tasks. With the mobile device management software, employees may read and write emails with or without Internet connectivity. A few senior executives who own Apple iPads will be provided “privileged” access to the agency’s internal systems through the secure Virtual Private Network (VPN).

BYOD Challenge

The EEOC’s BYOD program grew out of the necessity of meeting new budget challenges with limited resources. The agency was faced with a 15 percent reduction in its IT operating budget for FY 2012. At first, it was not evident there was much room for needed cuts. Therefore, EEOC decided to conduct research into how employees were using their agency-issued Blackberry devices – and the results were surprising:

“Seventy-five percent of our users never made phone calls from their BlackBerrys,” according to Hancher. “Email is the killer app. They either used the phone on their desk or they used their personal cell phone to make calls because it’s just easier. We also found there were a number of zero-use devices. People have them parked in their desk drawer, and the only time they use it is when they travel.”

During the first quarter of FY 2012, initial efforts went into cutting the recurring costs of the nearly 550 agency-issued Blackberry devices. After conducting an analysis of device usage, the EEOC swiftly submitted orders to the carrier eliminating zero-use devices, demanded that disconnect orders were promptly terminated, and called for remaining Government devices to be moved to a bundled plan with shared voice minutes and unlimited data.

In December 2011, the EEOC launched the first official phase of its BYOD pilot. A BYOD advisory group was created to help the Office of Information Technology flesh out the new program. The advisory group was asked to identify cloud providers for mobile device management, identify security risks, research privacy concerns, draft Rules of Behavior, and create an internal website on the agency’s intranet. The advisory group worked for months to socialize the concept of BYOD within the agency’s workforce. In turn, nearly 40 employees volunteered to exchange EEOC-issued BlackBerry devices in favor of using their own personal smartphones.

Alpha Phase

During the alpha phase of the BYOD pilot, the EEOC’s IT group worked with the mobile device management cloud provider to configure the exchange of electronic mail between the providers’ host and the EEOC’s email gateway. The IT staff was enthusiastic about the transition to a cloud provider, having managed the agency’s BlackBerry Enterprise Services (BES) for many years. The cloud provider would assist with setup, configuration and end-user support. Under the BYOD pilot, the cloud provider conducts all technical support for pilot participants with iOS devices (iPhone and iPads), as well as all Android devices (smartphones and tablets). The EEOC decided to use its existing on-premise BES for additional support as needed.

Within the first few months of the alpha pilot’s launch, the advisory group reached out to other federal agencies to examine their BYOD programs. The EEOC’s first draft of the BYOD Rules of Behavior was circulated among the advisory group, the technical team and the IT Security Officers.

After a number of revisions, the draft policy was ready to share with the union. The Deputy CIO and Chief IT Security Officer met with the union several times to discuss the issues. Again, the Rules of Behavior document was revised and improved upon. An “expectation of privacy” notice was written in bold on Page 1 of the four-page policy.

In March 2012, the BYOD team solicited feedback from the alpha team. A work breakdown structure was created to guide activities and tasks that needed to be completed before launching the next phase of the pilot — the beta phase. Then, in June 2012, the EEOC provided several choices for the 468 employees who still used agency-issued BlackBerry devices:

1) Voluntarily return your BlackBerry and bring your own Android, Apple or BlackBerry smartphone or tablet to work.
2) Return your BlackBerry and get a Government-issued cell phone with voice features only.
3) Keep your BlackBerry with the understanding that EEOC does not have replacement devices.

The BYOD pilot is expected to run through September 2012, or longer, depending on the agency’s comfort level that all policy issues have been appropriately addressed. CIO Hancher projects between 10 percent and 30 percent of BlackBerry users will opt in for the BYOD program. The CIO examined incorporating an incentive to opt out, but could not find a precedent for offering a nominal stipend or reimbursement for business expenses and equipment allocation. Therefore, EEOC decided to proceed with the BYOD pilot and to revisit other outstanding issues once Government-wide BYOD guidance was released. In order to protect sensitive corporate data, EEOC is scheduling some BYOD orientation sessions to train its workforce on critical security ramifications and procedures.

One goal of EEOC’s BYOD pilot is to obtain feedback and comment on the first version of the Rules of Behavior. The CIO fully expects modifications to the BYOD policy as the pilot evolves. Some outstanding questions, for example, include whether an enforceable waiver should be added exempting employees from holding the organization accountable. Can the agency offer an equipment allocation or reimbursement for a portion of the data/voice services?

Acceptable Behavior Policy

EEOC is currently in the process of reviewing and revising its Acceptable Behavior Policy for personal mobile devices. The policy document was developed as part of a working group that included the agency’s Office of Legal Counsel. Employees who choose to opt into the BYOD program are required to read and sign the policy document first.

CIO Hancher said one thing agencies need to make sure of is that they have documented rules for what employees can and cannot do with Government data on personally-owned devices. Moreover, she said that employees must agree to let agencies examine those devices should it become necessary. EEOC’s IT staff is meeting with employees to help decide which device or devices to use and what the likely effects will be. At the current time, personal smartphone devices are the only mobility option for new employees at EEOC.

BYOD Pilot Results

From 2008 to 2011, EEOC’s BlackBerry provisioning program grew from about 100 devices to approximately 550 devices. By December 2011 about 23% of the workforce was provided with Government-issued smartphones. Realizing that this pattern was unsustainable, CIO Hancher, with support from the executive leadership and the union, set out to revamp the mobile device program.

The initial alpha pilot was launched with 40 volunteers who turned in their Government BlackBerry in favor of using a personally owned smartphone/tablet (Android, Apple iOS or BlackBerry). EEOC used cloud based, software-as-a-service for wireless synchronization of agency email, calendar and contacts, as well as mobile device management services.

Within the first three months of 2012, the number of BlackBerry devices was cut from 550 to 462 and monthly recurring costs were lowered by 20-30% by optimizing the rate plans. By June 2012, EEOC launched the beta pilot inviting all BlackBerry users to opt in to BYOD and return their BlackBerry. However, EEOC will allow employees to continue using an EEOC provided BlackBerry if they choose not to opt into BYOD.

The current BYOD program requires employees to pay for all voice and data usage, including those for official work purposes. This cost issue may prompt some users to keep the BlackBerry. However, for EEOC’s younger employees, their personal devices appear to be an extension of their personalities, so to speak. For seasoned workers, their personal device allows them to do administrative work from home.

“While I’m not advocating working 24 by 7, it is just more comfortable to sit and do timecard approvals on a Friday night in the comfort of your home instead of during the prime time work day when your attention should be on more complex and business-oriented issues,” said CIO Hancher.

Lessons Learned

1) Socialize the concept of BYOD. Since this is a new concept and the acronym is taking time to be universally recognized, it is advisable to spend time explaining the BYOD concept to the workforce, including at senior staff meetings and executive council sessions.
2) Work with the agency’s Legal Counsel and unions early in the process. Allow input on the BYOD program and policies from leadership officials.
3) Select important security features for implementation. Work to identify prioritized security settings or policies, implement them carefully, then cycle back to identify additional security measures after the first set are completed.

Hardware/Software

Notifylink MDM – Cloud provider licensed at $120 per user per year
GW Mail and GW calendar – $5 apps available through iTunes and Android Market

Disclaimer:

References to the product and/or service names of the hardware and/or software applications used in this case study do not constitute an endorsement of such hardware and/or software products.
END

——————————————————————————–

David B. Grinberg

Thanks, Steve.

Yes, GovLoop’s BYOD report is nothing short of totally AWESOME and a must-read for anyone interested in this trending IT topic.

Government Executive recently had a nice article featuring GovLoop’s BYOD survey. In short, the GovLoop team rocks!!!

DBG

David B. Grinberg

GovExec.com reports AGAIN on GovLoop BYOD report and related GovLoop discussion…

BrittanyB. writes in the “Wired Workplace” column:

“There’s an interesting conversation going on at GovLoop about the blog post I wrote late last month on GovLoop’s recent report on bring your own device, or BYOD, policies and the ability of such policies to enable cost savings and boost employee productivity. One of the major drivers of BYOD is the potential cost savings for federal agencies. At the same time, agencies face a major hurdle in determining how to reimburse federal employees to ensure they are not personally incurring the cost of increased data usage from work-related activities. GovLoop Community Manager Andrew Kzmarzick notes in the report that agencies might consider overcoming this hurdle by looking at other ways in which government reimburses employees.”

Julie Chase

I read the report on Government Executive. Interesting to know that I am not alone in my thoughts on BYOD. I brought this up at work last week in a group at lunch. And rolling eyes and waving of hands told me all I needed to know. It was unanimous. The entire group nixed the idea.

Paul Alberti

I am doing some initial research in HR’s role in a BYOD environment. Does anyone have any input, policy docs, lessons learned? If people tend to work extra hours, work over vacation time, what are the HR implications – if any?