A Secure Device Is Not a Secure Communications System
Secure devices aren’t enough — you need a fully certified communications system.
Apr 8, 2026 · Blog · Baldeep Dogra
NATO recently approved select Apple® iPhone and iPad models to operate within the indigo secure mobility framework. Back in September 2025, BlackBerry® UEM received certification from Germany's Federal Office for Information Security (BSI) for managing Apple indigo devices — hardened Apple devices with specialized security configurations for government use.
These announcements mark meaningful moments for government mobility. But they also draw attention to a distinction that senior decision-makers cannot afford to overlook: a certified device and a certified communications system are fundamentally different things. Conflating the two creates a security gap that adversaries are ready to exploit. Recognizing what each certification actually covers, and where each ends, is the important takeaway from both announcements.
What NATO’s Apple Approval Actually Means
Earning NATO approval means the Apple device meets baseline requirements for handling classified information in eligible environments. This is a legitimate achievement. Modern smartphone hardware has matured significantly, and NATO's approval reflects that progress.
However, the strictest frameworks for true secure communications do not stop at the device. They account for the entire communications chain: how messages move across networks, how encryption is implemented and governed, how identities are verified, and how operational policies are enforced across entire fleets of users and devices.
A device can pass hardware evaluation and still leave sensitive communications exposed if the surrounding communications infrastructure is ungoverned, uncertified, or built on consumer-grade software.
So while devices may be NATO approved within indigo, the management of those devices must also meet certification standards. BlackBerry® UEM, via NIAP Common Criteria and NATO Restricted alignment, supports truly secure communications.
The Gap Between the Endpoint and the System
Consider what happens when a sensitive communication takes place: A message originates on a device, travels across a network, passes through encryption layers managed by a third-party provider, and arrives at another endpoint. At every stage, there are questions that device certification alone cannot answer, including:
Who verified the identity of each participant before the conversation began?
How is metadata (call timing, frequency and sender location) protected from interception and analysis?
Where are encryption keys stored, and who controls them?
What happens if a device is lost or compromised mid-operation?
How does an administrator revoke access instantly across the entire fleet?
These are not hypothetical concerns. The 2024 Salt Typhoon espionage operation demonstrated how deeply adversaries can infiltrate telecommunications networks, gaining access to sensitive communications among government officials and military personnel through infrastructure vulnerabilities — not device-level weaknesses.
Similarly, the SignalGate incident exposed classified information not because of a device flaw, but because a consumer-grade messaging application lacked the identity validation and access controls required for high-stakes operational environments.
A trusted device running an ungoverned application, connected to infrastructure outside organizational control, does not constitute a secure communications system.
What Secure Government Communications Actually Require
Securing communications for national security, defense, and critical infrastructure demands protection at every layer, not just the endpoint. The distinction matters because each layer represents a potential point of failure.
End-to-End Encrypted Voice and Messaging
Encryption must extend beyond message content. Metadata (who is communicating, when, how frequently, and from where) can reconstruct patterns of operation, expose organizational structure, and identify high-value targets. Secure government communications conceal these patterns, not just the content of messages themselves.
Strict Identity Validation
Every participant in a sensitive conversation must be verified through cryptographic credentials tied to their role and clearance. Open registration models, where users join with a phone number or username, have no place in mission-critical environments. The SignalGate incident made this point clearly: without enrollment controls and access governance, unauthorized participants can enter classified conversations through simple human error.
Mobile Device Security and Policy Enforcement
Sensitive data must reside in secure containers on mobile devices, isolated from personal applications and protected with encryption at rest. Administrators must retain the ability to revoke access instantly if a device is lost or becomes non-compliant, removing operational data from the device even if it is not under direct management.
Sovereign Control Over Infrastructure
Government organizations cannot accept communications infrastructure governed by foreign jurisdictions or third-party providers. Platforms such as Microsoft Teams, Zoom, and WhatsApp store encryption keys externally, creating legal exposure under instruments like the U.S. Cloud Act and subjecting communications to foreign jurisdiction laws. True sovereignty requires the ability to deploy on-premises, in air-gapped environments, or in sovereign-managed clouds — with encryption keys generated, stored, and managed exclusively by the customer organization.
Independent Certification of the Entire System
Device certification and communications platform certification serve fundamentally different purposes. NIAP Common Criteria certification (EAL4+), and specifically NATO’s Information Assurance Product Catalogue (NIAPC), including alignment with NATO Restricted requirements, is the baseline for evaluating secure communications systems, covering not just hardware, but also the communications application, cryptographic modules, key management infrastructure, identity controls, and operational governance.
Additional frameworks such as NSA CSfC, FedRAMP High, NATO listings, and BSI validation extend this assurance across deployment models and threat environments. Together, they validate the full communications stack — not just the endpoint — because a device can pass hardware evaluation and still leave sensitive communications exposed if the surrounding infrastructure is ungoverned or uncertified.
Why Certifications Must Cover the Communications Layer
BlackBerry® SecuSUITE® provides end-to-end encrypted voice and messaging validated to both NATO-listed and BSI-approved standards. BlackBerry UEM is BSI-certified and delivers centralized management, secure provisioning, and policy enforcement across entire device fleets.
Together, they form a certified communications platform that protects operations regardless of the device used to access it.
This matters because government procurement decisions often focus on visible hardware. Devices are tangible, familiar, and relatively straightforward to evaluate. Communications infrastructure is less visible but operationally more consequential. An agency equipping personnel with approved devices is taking a sound step. Stopping there leaves the communications layer — the actual path of sensitive information — subject to risks the device certification was never designed to address.
The Right Question to Ask
NATO’s approval of Apple indigo is a positive development. It expands the options available to government organizations seeking certified hardware and demonstrates that modern mobile devices can meet stringent baseline requirements. Agencies operating in classified environments benefit when the pool of certified hardware grows.
The question government and critical infrastructure leaders should ask, however, is not only whether their devices are certified. The more apt question is whether their communications system — the software, the encryption infrastructure, the identity governance, the deployment model, the metadata controls, and the operational policies — meets the same standard.
A secure device enables government mobility. A secure communications platform enables government operations. Both matter, but they are not interchangeable.
Building Operational Trust Beyond the Endpoint
Confidence in secure communications must rest on independent, third-party validation of the entire system. For governments and critical infrastructure operators, certifications from authorities such as BSI provide assurance that technologies have been rigorously evaluated for high-risk environments — not merely reviewed against marketing claims.
BlackBerry has held these certifications across multiple jurisdictions for decades, undergoing ongoing security testing, red-team exercises, and supply-chain audits to maintain them. That sustained validation is not simply a compliance exercise. It is the foundation upon which organizations build operational trust when the stakes leave no room for uncertainty.
Apple's device approval reflects a maturing mobile security landscape. It should prompt organizations to assess whether their communications infrastructure is keeping pace — and whether the system protecting their most sensitive conversations holds the same level of validated assurance as the device in the field.