Cybersecurity · November 12, 2025 · GAN-044

Federal Mobile Security: MDM Adoption at 71 Percent, But Configuration Compliance Lags

DISA's annual mobile security assessment finds 71 percent of federal agencies have deployed Mobile Device Management solutions, but only 34 percent configure MDM profiles to DISA STIG requirements.

DISA's FY2025 Federal Mobile Security Assessment found that 71 percent of federal agencies have deployed Mobile Device Management solutions — up from 52 percent in FY2023 — but only 34 percent configure MDM security profiles to DISA Security Technical Implementation Guide (STIG) requirements.

The gap between MDM deployment and STIG-compliant configuration represents the central finding: agencies are investing in MDM technology but not fully realizing its security value because configuration is not aligned to federal security standards.

The most commonly misconfigured settings include certificate-based authentication (required by DISA STIG, implemented by only 41 percent of MDM-deploying agencies), app vetting through approved government app stores (53 percent), and full-device encryption with hardware-backed key storage (68 percent).

DISA's threat analysis indicates that sophisticated adversaries specifically target government mobile devices as a lateral movement vector into agency networks. The assessment highlights the risk to federal data from 1.8 million government-issued mobile devices that are not STIG-compliant.

GovAcademy's Secure Mobile Workforce course (GA-044) addresses both the MDM deployment and STIG-compliant configuration challenges identified in the assessment. The 15-hour Professional course covers MDM platform selection and configuration, DISA STIG implementation for iOS and Android devices, and BYOD risk framework development.

Digital Identity, PIV/CAC and MFA (GA-014) complements the mobile security course by covering the phishing-resistant authentication requirements that DISA's assessment identifies as the highest-priority missing configuration element.

DISA has indicated it will use the assessment's findings to inform a revised MDM STIG baseline, with GovAcademy course updates to follow within 60 days of the revised STIG publication.