For about the last 10 years, one could sum up the Army’s mobile strategy with one word: Blackberry.
The handheld devices made by Research in Motion have been the only broadly-deployed pieces of hardware that met the Defense Department’s security requirements, such as encryption that fits the federal security standard known as FIPS 140-2, enterprise device management and integration with the military’s Common Access Card, letting users sign and encrypt email.
The Army is looking for an entirely new process for putting mobile gear in the hands of users. “We just can’t keep up,” said Maj. Gen. Steven Smith, the cybersecurity chief for the Army Chief Information Officer. “I feel like I’m trying to avoid a train wreck while I’m tied to the train tracks.”
Having a new device certified under the DoD’s Security Technical Implementation Guide (STIG) process is neither easy nor quick, Smith said. It took DoD many, many months to compile a STIG for its first non-Blackberry device: an Android-based tablet known as the Dell Streak.
“We just got a STIG issued for a great mobile product that vendors no longer even sell. They won’t even discount the price. Sure, we’ll take 100,000 of those,” Smith said to laughter at an industry event in National Harbor, Md. “We’ve got to get out of this business.”
Though the Army wants to get out of the arduous business of testing and certifying each new device and each new mobile operating system against existing protocols, it’s not entirely sure what comes next. So, the Army, the Defense Information Systems Agency and the National Security Agency are preparing to release a broad agency announcement to ask industry to put forth its best ideas.
“We want to get to the point where you bring your own device,” he said. “We might even get to the point where we get out of the government-furnished equipment business altogether. I don’t know. But I’ve told Gen. [Susan] Lawrence we’re not going to do STIGs anymore.”
BYOD is possible
Lt. Gen. Lawrence, Smith’s boss and the Army’s CIO, said the bring your own device strategy would work if industry can prove some reliable and secure ways to turn mobile devices into something like thin clients that access Army systems without storing any sensitive data. Then, previously vexing problems like encryption of data at rest become a non-issue.
“When you log in with your device of choice, you’re going to agree that you’re going to allow us to scan you for malware and viruses and insider threats,” Lawrence said. “And we’re going to keep the data in the cloud. It’s not going to reside on the device. When you log in, we can decide which parts of the cloud you should have access to. At the end of the day, you can go lose your Droid and I don’t care.” Smith said the Army also wants industry to tell it how to solve its Common Access Card (CAC) problem. Currently, users have to insert their physical PKI-enabled cards into a separately-attached sled whenever they want to use their Blackberrys to send a digitally-signed email.
“Our end users hate those CAC card readers when they have to go sync those puppies up, and we make them do it every time. The things eat batteries like nobody’s business,” Smith said. “So what do they do? They don’t bother. And they’d really like to go out to other devices where the user experience is much better.”
Army officials aren’t saying exactly when they’ll release the broad agency announcement, but Smith indicated the timeline is aggressive: the Army wants to make awards under the BAA by the end of this calendar year.
Lawrence said the new mobile path will rely on a lot of the work the Army acquisition community has already been doing under the banner of the Army Common Operating Environment.
Computing environments are changing
The idea is to adopt industry-led standards, then broadly publish whatever the Army comes up with so industry knows what’s acceptable before it makes an offer on a given procurement. Mobile technology is one of several “computing environments” the Army has defined and has been working on. “This is going to save a lot of time and money,” Lawrence said. “If you want to sell to the Army, we’re going to tell you what you have to do and the environment you have to operate in. We owe you that. I’m standing back up a configuration control board so we can publish that to industry and keep it updated. [DoD CIO Teri] Takai is thinking about doing that at the joint level, which is the right thing to do.”
The shift to commercial mobile devices and other commercial-off-the-shelf technologies is part of a broader transformation the Army is preparing for as it moves from 10 years of nonstop deployments back to being an Army that’s based primarily in the continental United States. As it stands today, the technology gap between a soldier in Afghanistan and a soldier in North Carolina is huge.
Lawrence recalled one conversation with a formerly-deployed commander, Gen. Lloyd Austin, who is now the Army’s vice chief of staff.
“He said, ‘Susan, you give me everything I need to command and control the fight out there, but when I come home to Fort Bragg, I come home to the stone ages,'” she said.
He’s right, Lawrence said. The Army spent lots of money making sure its urgent operational needs were fulfilled. The end result is state-of-the-art battlefield systems that generally work very well — at least in Afghanistan.
Army fixing camps, stations networks
But they can’t interface with networks that were allowed to grow their own way on individual posts, camps and stations where troops will now spend most of their time preparing for the next battle.
Lawrence said about 85 percent of Army bases in the continental U.S. are running on what she said are “antiquated” networks. As troops come home, making sure those IT systems are at least as what they had in combat is the Army’s next focus point.
“We’re just going to have to bite the bullet and resign and redesign the entire architecture of the networks we have in the continental United States,” she said. “Today, we have at least 500 local-level entry points [to the Internet]. It just makes us an absolute sieve. We have to collapse those behind about 20 or so regional entry points, put sensors on them and truly start doing some defense of our network and protection of our information.”
The Army maintains it already has a big jump on centralizing and managing its IT functions. For example, bases no longer run their own email systems.
The Army restarted it migrations of accounts to a new enterprise email system Monday after a Congressionally-mandated pause. The service expects to finish moving all of its own personnel to enterprise email — both secret and non-secret accounts — by March of next year.
Other parts of DoD want in, Lawrence said. The Pentagon’s Joint Staff will migrate its email to the new system this week, and the National Security Agency has asked to come on board. DoD joint combatant commands, including the U.S. European Command, Africa Command are part of the current migration. DoD’s Southern Command has asked to join in as well, Lawrence said.