The Department of Commerce
(Commerce) is responsible under Homeland Security Presidential Directive 7 in
coordination with other federal and nonfederal entities, for improving
technology for cyber systems and promoting efforts to protect critical
infrastructure. Within Commerce, the National Institute of Standards and
Technology (NIST) is responsible for developing information security standards
and guidelines, including minimum requirements for unclassified federal
information systems, as part of its statutory responsibilities under the
Federal Information Security Management Act (FISMA).
NTIA
According to Commerce’s National Telecommunications
and Information Administration (NTIA), it serves as the President’s principal
adviser on telecommunications policies pertaining to economic and technological
advancement and to the regulation of the telecommunications industry, including
mobile telecommunications. NTIA is responsible for coordinating
telecommunications activities of the executive branch and assisting in the formulation
of policies and standards for those activities, including considerations of interoperability,
privacy, security, spectrum use, and emergency readiness.
FCC
The Federal Communications
Commission’s (FCC) role in mobile security stems from its broad authority to
regulate interstate and international communications, including for the purpose
of “promoting safety of life and property.” In addition, FCC has established
the Communications, Security, Reliability, and Interoperability Council
(CSRIC). CSRIC is a federal advisory committee whose mission is to provide
recommendations to FCC to help ensure, among other things, secure and reliable
communications systems, including telecommunications, media, and public safety.
A previous CSRIC included a working group that was focused on identifying
cybersecurity best practices (including mobile security practices), and had
representation from segments of the communications industry and public safety
communities. The current CSRIC has focused on the development and
implementation of best practices related to several specific cybersecurity
topics. FCC has also established a Technological Advisory Council, which
includes various working groups, one of which has been working since March 2012
to identify, prioritize, and analyze mobile security and privacy issues.
FTC
The Federal Trade Commission
(FTC) promotes competition and protects the public by, among other things,
bringing enforcement actions against entities that engage in unfair or
deceptive acts or practices. An unfair act is an act or practice that causes
or is likely to cause substantial injury to consumers that is not reasonably avoidable
by consumers and is not outweighed by countervailing benefits to consumers or
to competition. A deceptive act or practice occurs if there is a
representation, omission, or practice that is likely to mislead the consumer
acting reasonably in the circumstances, to the consumer’s detriment. According
to FTC, its authority to bring enforcement actions covers many of the entities
that provide mobile products and services to consumers, including mobile device
manufacturers, operating system developers, and application developers. FTC’s
jurisdiction also extends to wireless carriers when they are not engaged in
common carrier activities. For example, mobile phone operators engaging in
mobile payments functions such as direct-to-carrier billing are under
FTC’s jurisdiction.
DOD
The Department of Defense
(DOD) is responsible for securing systems, including mobile devices, that use
its networks or contain DOD data. While it has no responsibility with regard
to consumer mobile devices, its guidance can be useful for consumers. For
example, the DOD Security Technical Implementation Guides are available to the
public. These guides contain technical guidance to secure information systems
or software that might otherwise be vulnerable to a malicious computer attack.
In addition, certain guides address aspects of mobile device security.
OMB
The Office of Management and
Budget (OMB) is responsible for overseeing and providing guidance to federal
agencies on the use of information technology, which can include mobile
devices. One OMB memorandum to federal agencies, for example, instructs
agencies to properly safeguard information stored on federal systems (including
mobile devices) by requiring the use of encryption and a “time-out” function
for re-authentication after 30 minutes of inactivity.