Many government agencies, particularly large agencies, face enormous obstacles in simply compiling an inventory of the software and hardware in their systems. The difficulty is understandable: I know of one agency responsible for 220,000 makes and models of medical devices (note that this number refers to “makes and models” only; the actual number of devices is much, much higher). In addition, the devices are online only intermittently, and many of them sit on air-gapped networks (i.e., networks physically separate from the rest of the enterprise), which complicates the use of automated tools for identification and inventory. Also, many of these devices use protocols other than the standard TCP/IP that fuels the Internet, so even if they are online and accessible remotely, it may be necessary to use equipment or software that supports those specialized communication protocols.
Moreover, the inventory is hardly static, since doctors and hospitals naturally and rightly procure the best equipment available to provide optimum health care. Physical inventory is complicated enough, then, to say nothing of managing the configuration of those devices, and the software they run.
Most agencies don’t have medical devices, but nearly all have to deal with user-owned devices, such as phones, tablets, and “non-GFE” (i.e., personally-owned) computers. Managing such devices, to say nothing of their software, can be a gargantuan task for harried security and IT professionals.
How can agencies leverage technology to tackle this beast? After all, it is rather difficult to secure a device if you are unaware that it exists. For IoT devices such as the medical devices in the first example, you will need a system that can “speak” multiple protocols, compile a single inventory from what each of them reports, and control network access based on the security status of those devices. Mobile device management (MDM) systems abound, and are invaluable for tracking, managing, and securing both government furnished equipment (GFE) and personally-owned devices accessing government networks and systems.
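The paragraph above describes the core loop of such a system: several discovery channels, each speaking a different protocol and reporting different fields, are folded into one inventory, and a network-access decision is derived from each device's known security status. The script below is an added illustration of that loop, not code from the original post or from any particular MDM or NAC product. Every record in it is constructed sample data; the channel names (`ip_scan`, `serial_probe`, `mdm`), the field names, the 30-day staleness window, and the `allow` / `restricted` / `quarantine` policy tiers are assumptions chosen for the example.

```python
"""Merge device sightings from several discovery channels into one inventory
and derive a network-access decision per device.

Added illustration for this post, not code from an actual MDM/NAC product.
All records below are constructed sample data; the channel labels, field
names, staleness window and policy tiers are assumptions for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)  # fixed "now" keeps the example deterministic
STALE_AFTER = timedelta(days=30)                           # unseen longer than this -> cannot vouch for it


@dataclass
class Device:
    asset_id: str                # serial number when a channel can read it, otherwise the MAC
    make_model: str
    channels: set = field(default_factory=set)
    last_seen: datetime = None
    patch_current: bool = None   # None = no channel has been able to report posture
    owner: str = "unknown"       # "gfe" / "byod" / "unknown"


# Constructed sightings. Each channel sees different things: a TCP/IP scanner
# observes IP/MAC only; a probe speaking the device's serial protocol reads the
# serial number and firmware state; an MDM export covers enrolled phones and
# tablets with ownership and compliance status.
IP_SCAN = [
    {"mac": "00:1a:2b:3c:4d:01", "model": "InfusionPump-X", "seen": NOW - timedelta(hours=2)},
    {"mac": "00:1a:2b:3c:4d:02", "model": "Workstation",    "seen": NOW - timedelta(days=45)},
]
SERIAL_PROBE = [
    {"serial": "SN-PUMP-0001", "mac": "00:1a:2b:3c:4d:01", "model": "InfusionPump-X",
     "firmware_current": False, "seen": NOW - timedelta(days=1)},
    {"serial": "SN-MON-0042", "mac": None, "model": "PatientMonitor-Z",
     "firmware_current": True, "seen": NOW - timedelta(days=3)},
]
MDM_EXPORT = [
    {"serial": "SN-PHONE-7", "model": "Tablet-Q", "ownership": "byod",
     "compliant": True, "seen": NOW - timedelta(minutes=30)},
]


def merge_inventory(ip_scan, serial_probe, mdm_export):
    """Fold all channels into one dict keyed by asset_id (serial preferred, MAC as fallback)."""
    inv = {}
    mac_to_id = {}  # lets a MAC-only sighting attach to a device already known by serial

    def upsert(asset_id, model, channel, seen, **posture):
        dev = inv.setdefault(asset_id, Device(asset_id, model))
        dev.channels.add(channel)
        if dev.last_seen is None or seen > dev.last_seen:
            dev.last_seen = seen
        for key, value in posture.items():
            if value is not None:       # a channel that cannot report a field must not erase one that can
                setattr(dev, key, value)
        return dev

    for r in serial_probe:
        upsert(r["serial"], r["model"], "serial_probe", r["seen"], patch_current=r["firmware_current"])
        if r["mac"]:
            mac_to_id[r["mac"]] = r["serial"]
    for r in mdm_export:
        upsert(r["serial"], r["model"], "mdm", r["seen"],
               patch_current=r["compliant"], owner=r["ownership"])
    for r in ip_scan:
        asset_id = mac_to_id.get(r["mac"], r["mac"])  # join on MAC when the serial is already known
        upsert(asset_id, r["model"], "ip_scan", r["seen"])
    return inv


def access_decision(dev, now=NOW):
    """Policy: stale or posture-unknown -> quarantine; out of date -> restricted; otherwise allow."""
    if dev.last_seen is None or now - dev.last_seen > STALE_AFTER:
        return "quarantine"   # not observed recently enough to vouch for
    if dev.patch_current is None:
        return "quarantine"   # seen, but no channel could report patch/compliance state
    if not dev.patch_current:
        return "restricted"   # known device with out-of-date firmware/software: limited segment only
    return "allow"


def decisions(ip_scan=IP_SCAN, serial_probe=SERIAL_PROBE, mdm_export=MDM_EXPORT):
    """Return {asset_id: decision} for the merged inventory."""
    inv = merge_inventory(ip_scan, serial_probe, mdm_export)
    return {aid: access_decision(dev) for aid, dev in sorted(inv.items())}


if __name__ == "__main__":
    inventory = merge_inventory(IP_SCAN, SERIAL_PROBE, MDM_EXPORT)
    for aid, dev in sorted(inventory.items()):
        print(f"{aid:20} {dev.make_model:18} via={sorted(dev.channels)} -> {access_decision(dev)}")
```

Two design points carry over to a real deployment. First, the join key matters: the pump is seen by two channels under two identifiers (its serial number and its MAC), and the inventory must fold those into one record rather than double-counting, which is why the MAC-only scanner sighting is resolved through `mac_to_id` before it is stored. Second, "never seen by a channel that can report posture" is treated the same as "seen and out of date" for access purposes: the workstation that only appears in a 45-day-old scan lands in quarantine, since an inventory entry with no current evidence is exactly the device the post warns about.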