The Marine Corps is a “couple weeks” away from a beta test that it hopes will pave the way for a possible overhaul of Defense Department mobility policies. The goal is to let users bring personally-owned devices onto DoD networks potentially as soon as next year.
DoD technology leaders have remained skeptical for years about whether a “bring your own device” approach could surmount the Pentagon’s significant legal, security and policy obstacles. But for the Marines, the urgency to at least give BYOD a try almost is entirely about money.
“Fiscal 2016 and sequestration is right around the corner. We want to present a solution that’s going to mitigate some of the threat to those operating and maintenance dollars that we are going to have to cut,” said Rob Anderson, who leads IT vision and strategy at the Marine Corps’ headquarters. “From the Marine Corps’ perspective, we’re just going to start canceling people’s phones. That’s seriously what’s going to happen in the Marine Corps unless we change something.”
The Navy and Marine Corps already have made significant strides in reducing their mobile device costs since they consolidated their hardware and service plans under a single contract structure administered by the Naval Supply Systems Command. But the two services still are paying about $480 per year for every user they outfit with a government-owned device.
On the other hand, Anderson reckons that a mobility-as-a-service structure the Marine Corps is in the process of constructing would cost it about $40 per user, per year.
That cost structure would cover the fees that commercial wireless carriers would charge to supply a government-controlled secure container that runs on a user’s personally-owned device and meets DoD security specifications which require government data to be completely walled-off from personal data.
“It’s a no-brainer. It means that we can eliminate one device and bring 10
people onto the network for the same price,” Anderson told a mobility forum organized by Government Executive on Thursday in Washington. “And when you start looking at big numbers, the Department of Defense has 400,000 (mobile device) users. If we stopped paying for voice and data plans for 300,000 of those, we would save $144 million a year. Once we do that, how many more users can we get into the network at a rate of $40 a year? The numbers are substantial. And $144 million is a lot of money that can do other things too. It buys a lot of gas.”
Stepping into the BYOD coal mine
But Anderson said it’s far from certain that the BYOD plan will work, which is why the Marines are launching a small beta test beginning next month.
It will involve just 17 Marine Corps members, using devices on loan from the commercial wireless carriers. Anderson personally will serve as a one-man helpdesk for each of canaries who enter the Marine Corps’ BYOD coal mine so that he can track any issues that might crop up during the test phase.
The Marine Corps has been tinkering with the idea of a BYOD test since this past spring, but Anderson said a full rollout has been delayed until now because the service’s limited IT engineering staff has been consumed with the task of transitioning its IT networks away from the Navy-Marine Corps Intranet and into the government-operated Marine Corps Enterprise Network.
But if the Marines don’t experience any major hiccups during the test, Anderson predicts there will be a change in DoD policy that lets the Corps implement a full-scale BYOD strategy by midway through next year.
“Once the test is done, we’ll aggregate the data and I’ll probably end up writing a paper that talks about what happened, the trending from the users, the problems from an engineering perspective and how we’re going to turn this into an enterprise solution,” he said. “A beta of 17 people is a little bit different from a user base of 80,000 Marines. So I’d expect there will be a hiatus for a few months after the test devices get turned back in, and it’s probably going to take about that long for the BYOD user agreement to be vetted by our legal counsel.”
But Anderson said he thinks DoD will have policies in place that let it move forward with its BYOD plans by the early third quarter of 2015, assuming that the test doesn’t surface any major policy problems that officials haven’t yet considered.
“If the testing doesn’t prove positive, we’re going to tell everybody that this whole thing isn’t going to work. But at least we’re experimenting with it,” he said.
Data spillage policy needed
Among the many complications the Navy Department’s lawyers will need to tackle as they build the BYOD user agreement is the thorny question of how and under which circumstances the government can delete data from a personally-owned device if it suspects the device has been compromised for one reason or another.
But Anderson said the Marine Corps also needs to work through issues like data spillage, in cases where, for example, a user accidentally transfers secret- level data into a mobile device security container that’s only been approved for unclassified data.
“In the end, I think we’re going to need a joint memo from the DoD chief information officer and the undersecretary of Defense for intelligence on the procedures that need to be followed when there’s a spillage of secret data,” Anderson said. “The other issue is [top secret/sensitive compartmentalized information], and that’s going to require a joint memo between DoD and the Office of the Director of National Intelligence to identify the procedures to remove TS/SCI data. At this point in time though, these are just ideas and we haven’t been able to move forward. I’m going to be advancing them when I give a brief at the Pentagon later today.”
But Anderson said he’s confident, so far, that the main obstacles to BYOD in DoD are policy ones, not technological ones.
He said commercially-available solutions that can encrypt data to acceptable level — and delete it there’s an indication that it’s gotten into the wrong hands — have made major advances in recent years. It’s mostly a matter of submitting those solutions to the National Security Agency’s information assurance directorate, the governmental body in charge of certifying that that those practices are good enough for government data.
“If you just look at what’s happened with mobile operating systems over the last few months, I think we’re at the point where the security of the devices themselves is less of an issue. The data that resides in that government- managed security container is already pretty doggone secure. And if Apple can’t break into the data that’s stored inside its own operating system, isn’t that good enough? I would surely think so.”