It should be an assigned/signed device with biometric and passcode access configured... At least it was in a couple proposals I helped define for credentialing emergency responders... though the contract definitely went with a different supplier than the one I was working with.
I'm mostly speaking to the device security. I'm no hacker and what I was working on was mostly making sure that people operating as emergency responders are who they say they are when you're disconnected from a centralized network.
