Endpoint Security

May 12, 2020

min read

NIST Updates Its Mobile Security Guidelines: What’s Changed Since 2013

Since the National Institute of Standards and Technology (NIST) first released its enterprise mobile device security guidelines Special Publication (SP) 800-124 in 2013, the work environment has gone through massive changes. Cloud technology and mobile devices are now everyday tools for organizations and more people are working remotely as a result. NIST’s revisions to its mobile guidelines, a first since the document’s inception, could not have come sooner.

In 2013, just 56% of Americans owned smartphones, according to the Pew Research Center. That number shot up to 81% by 2019. Within that time frame, enterprise usage of smartphones also ballooned. According to a 2019 Gartner, Inc. research, “The percentage of workers who consider the smartphone their main productivity device increased over two years, from 12% in 2016 to 28% in 2018. This trend was especially strong among younger people.”1 Seven years ago, mobile device management (MDM) was all organizations had to protect themselves. And phishing attacks were primarily malicious links you encountered while you read your work email from a desktop computer.

Institutions like NIST have taken a leading role in educating government agencies about mobile security. So while organizations are beginning to understand the importance of defending against mobile specific threats, it's imperative that the NIST keeps its guidance up to date. Here are some of the additions to the mobile security guidelines that are essential to the government and all organizations that rely on mobility to meet their missions.

Mobile Threat Defense

While NIST has included Mobile Threat Defense (MTD) in other guidelines, such as NIST SP 1800-21, it’s surprising that it didn’t make it into NIST SP 800-124 until now. In a cloud-first environment where people are working remotely, it has become critical to move key security functions to the endpoint. Traditional tools like MDM, while helpful in managing certain aspects of the device, doesn’t provide insight into app characteristics or protect against user behaviors, such as phishing. MTD protects at the endpoint, detecting and blocking mobile threats before a compromised device can even get access to an organization’s data.


Phishing is now the biggest threat vector for mobile so it’s great seeing the NIST acknowledge mobile phishing. The inclusion is crucial as more than 80% of cyberattacks start with phishing. Mobile devices often bypass traditional, perimeter-based security inspection, making them easy targets. And with a smaller form factor and multiple ways for threats to be delivered – from SMS to social media platforms – it’s much harder for a user to identify phishing threats on a smartphone than a desktop computer.

NIST’s updates to its mobile security guidelines are an excellent start to addressing the ever evolving world of mobile threats. By recognizing the existence of MTD, MAM, and mobile phishing, it’ll help the federal government recognize the importance of mobile security in a cloud-driven and mobile environment.

To learn more about how Lookout supports the federal government, please visit:

1Gartner, “Market Trends: Evolving Mobile Productivity Trends Lead to a Device-Type-Agnostic Workplace,” Mikako Kitagawa, Aug. 20, 2019. (Gartner subscription required)