In the view of the National Security Agency, just because information is classified doesn’t mean authorized users should only be able to view it while they’re tethered to their desks. So NSA is looking for ways to access classified information on tablets and smartphones over transport mechanisms and on devices that would have been unthinkable a few years ago.
The agency, which is in charge of ensuring the security of classified-level IT systems for the entire government, just launched a pilot program that it hopes will introduce the ability to use commercial mobile devices for classified data without any hardware modifications. The data those devices consume and transmit would be able to be exchanged over WiFi networks while a government employee is at work, and over the networks of commercial cellular providers when he or she isn’t.
“It’s going to introduce some new complexities for us, and it’s going to test the availability and effectiveness of commercial technology,” said Debora Plunkett, the director of the NSA’s information assurance directorate. “This is a significant demand signal for us, and we really have to deliver on it. This is going to help us update the next iteration of our mobility capability package, and it’s going to provide us with the technical guidance we need to deploy secure enterprise mobility.”
Plunkett said the pilot is part of NSA’s recognition that government employees increasingly demand the ability to use the latest generation of commercial mobile devices in their day to day jobs, and that the agency needs to be able to quickly sign off on ways to use those devices securely.
The project falls under the broader heading of NSA’s Commercial Solutions for Classified (CSfC) program, which aims to use commercial standards and commercial technologies in a layered approach to security. CSfC spurns the traditional approach in which the agency tells government contractors to build government-only solutions, a process that usually took years of development for each product.
“Capability and usability features that are the same or essentially the same, and do not lag behind those available in commercial devices will improve security by discouraging the use of communications methods that are more convenient, but less secure,” she told attendees at a mobility conference hosted by AFCEA DC. “They will reduce training and familiarization curves associated with new functionalities, and they will generally provide users with a host of efficiency tools that recognize the needs of a mobile workforce.”
In February 2012, NSA released its first capability package for mobility, intended to eventually become a guidebook for agencies on how to incorporate commercial technologies into national security systems without having to have the entire system specifically pre-cleared by NSA.
NSA has been adding new criteria to deal with different aspects of mobile technology since then. The latest version, released earlier this month, includes new guidance for agencies and vendors on mobile device management and protecting data at rest.
Plunkett said NSA now needs to do a better job of proactively releasing its security requirements for mobile devices to industry in the hopes that mobile device manufacturers will begin to use that guidance at the foundation of their gadgets’ designs.
“This is not a new message for us,” she said. “Addressing security as an afterthought will degrade the user experience, lead to development inefficiencies and really preclude or delay participation in our CSfC programs. In the past, it has not been unusual for a customer to come to me and say, ‘I’ve got a really great product. Can you make it secure? And, by the way, I’ve already bought 1,000 of them.’ That’s too late. I’m really happy that today, we’ve got more and more government customers coming to us at the front end, at the concept. They say, ‘I’ve got a need and I’ve got a great idea, can you help me?’ That’s when we can get to a win-win. We can make sure we can partner together inside the development cycle, making sure security and the needs of the user are both being addressed.”
While NSA wants to move away from government-only solutions, there are some areas in which it believes commercial providers haven’t advanced their products enough to completely meet the government’s security needs. One of them surrounds mobile device management (MDM) technology, something NSA will need if it’s going to scale up its project to use commercial devices on both WiFi and cellular networks.
“MDM has taken a significant step forward in the last year, but today’s products do not provide the full functionality and the robust security we need for the national security mission,” she said. “We need the ability to apply dynamic policy management for our end users. That policy will be enterprise-controlled, and dependent on the device type, on the user and the location, and possibly additional parameters. One big benefit is that the policy can be dynamically changed to accommodate mission conditions, like a [continuity of operations] scenario or a short window where an analyst might not be able to get to a secure facility.”
Plunkett said vendors have some very legitimate complaints about the amount of time and money it usually takes to put their products through the paces of the NSA vetting process before they’re approved for classified use. She says the agency is trying to do better, and it’s working on processes that it hopes will reduce the cycle time to around 90 days.
“We’re working to reduce the complexity of the requirements in the typical six- month evaluation using a new common criteria paradigm, but we need your help,” she said. “We need you to come ready to play, with robust documentation. We find that evaluations take the longest when vendors come and are not prepared without all the right documentation intact.”