Since the introduction into the commercial marketplace of a new generation of smartphones several years ago, technology users in the Defense Department have been clamoring for permission to use Apple, Android and other up-to-date handhelds in their day-to-day work.
The arduous security review process DoD requires for IT, however, has so far prevented military users from connecting the latest mobile technology to government networks.
Indeed, in more than one case, the legwork and paperwork needed to secure and approve a device took so long that it was off the market by the time it got DoD’s green light.
But that process underwent a dramatic shakeup this week, when the Defense Information Systems Agency, the DoD component in charge of IT security reviews, published a security technical implementation guide (STIG) for Samsung Knox, a hardened version of Android, before the operating system is even available on the commercial market.
John Hickey, DISA’s mobility program manager, said the agency was able to sign off on Knox quickly, because Samsung’s engineers had already closely examined DoD’s security requirements, made sure their version of the operating system adhered to them and wrote a STIG themselves.
“Most of the work is done from the vendor side; we just do a review,” he said in an interview. “That’s totally different than what we’ve done in the past, where we wait for a product to come out, then we start asking, ‘Can you lock this down?’ That’s a long process. This is a success story and an example of how you do it in the future.”
The approvals DISA issued this week for Knox and for BlackBerry 10 followed a revamped security approval process for IT. Rather than having the department itself create STIGs after products are already on the market, DoD is publishing Security Requirements Guides for various types of information technology so that vendors know the government’s requirements ahead of time, bake them into their products, and ideally, create their own STIGs that detail any additional measures that need to be taken to secure their products to DoD’s specifications.
DoD aims to approve new devices in 30 days
Hickey said the new process is critical to DoD’s goal — articulated in its recent mobile device implementation plan — of approving new mobile devices within 30 days of their introduction to the marketplace. The quick approval process is repeatable for other devices, he said, but depends on manufacturers’ willingness to work with the department ahead of their products’ official release.
“They have to look and talk and communicate with us early on and ask those hard questions inside their development cycle,” he said. “They also have to be willing to invest some work and some engineering talent. And we have to grow the government side so that we can be agile as we have more and more devices come into the environment. So we’re taking steps on our side to beef up the mobile approval process as well.”
But Hickey said at this point, most firms don’t need to be convinced that it’s worth investing some extra time and money to meet DoD’s requirements.
The department is already working through the federal digital strategy working group to offer its STIG and SRG process as a potential governmentwide answer to security approvals. And he said DoD’s security requirements aren’t terribly different from what many large private sector enterprises would like to have in their deployed mobile devices.
“If it was just DoD, there’s not enough of a market for them to justify making all these changes. But what DoD is proposing can translate to the banking world and other areas,” he said. “DoD’s ability to put a standard out there that they can use and say, ‘This is a good standard, it has the security built into it’ is something that can translate into the commercial marketplace. I think that’s why it was successful with Samsung.”
The approved STIG doesn’t mean that Samsung Knox devices will be immediately allowed on DoD networks, even if they were in production. Nor will Apple handhelds be permitted when their STIGs are approved in the coming days. First, DISA needs to implement a DoD-wide mobile device management system and app store. The agency expects to make an award for that solution sometime early this summer, officials said.