The National Security Agency is disbanding its mobility mission management office.
The 3-year-old office is going away not because it failed, but rather it was too successful.
Mark Althouse, the outgoing technical director of NSA’s Mobility Mission Management Office, said over the last three years, the organization has focused on integrating mobility and security into back-end and programmatic apps.
But now with the rise of smartphones and tablets, NSA decided the mobility office can be absorbed back into the business and mission areas.
“The organization was a matrixed organization within Information Assurance Directorate, was stood up to get us on the right track on that, and we recently stood down that organization and baked that whole mobile mission across that IAD mission,” Althouse said Wednesday at the Federal Mobile Computing Summit sponsored by MobileGov in Washington. “From being something that is kind of an interesting corollary to the networks that we have and our ability to do our work in a connected world, mobile is really becoming the focus. We will be doing more and more things on mobile, and really the whole communication ecosystem is moving in that direction.”
Althouse said his role will change to be a technical director in an engineering unit where the mobility expertise will be combined.
NSA closed down the Mobility Mission Management Office in July, and the final pieces are coming into place over the next month or so.
“All of the particular projects and things we were doing transitioned into the line organizations,” he said. “It was easier spinning it down than standing it up. Mobility will be spread across [the line organizations and] probably focused in the engineering organization, because we are developing the architectures and solutions. But we’ve got analysts, customer advocates and others dealing with the customers who come in and say, ‘We have a problem. I want my users to be able to connect from here to that.’ And then we have to figure out if we have a solution for them.”
Success with derived credentials
One such solution is the use of derived credentials for mobile devices to improve their security.
Althouse said NSA has been using this fairly new security concept for a few years with the Defense Department’s unclassified Blackberry 10 devices. Derived credentials are cryptographic software stored on a mobile device instead of a smart card under the Homeland Security Presidential Directive-12 or Common Access Card.
In March, the National Institute of Standards and Technology issued a draft special publication detailing how derived credentials could work on HSPD-12 smart cards. NIST now is reviewing public comments and is expected to issue a final special publication in the coming months.
Althouse said NSA now is taking that experience and seeing how it can expand it to other devices and other classification levels.
“The challenge is making sure that credential is stored within the device in a highly assured manner, and not just encrypted and stored in software, because there are ways to find out where it is and crack that back, but actually store it in hardware,” he said. “The device has to have a hardware security module of some type that can store that credential, can store the keys and ideally has the capability to do that private key generation with the certificate when it’s put in the device, stored there and never leaves.”
NIAP to issue mobile app profile
Althouse added NSA put these requirements for derived credentials in its mobile device fundamentals protection profile. He said industry can use that profile as it develops future devices and cybersecurity software.
He said NIAP already issued security protection profiles for a voice over IP, virtual private network, mobile device management and email apps for mobile devices.
“The point of doing that is a company can develop a product, have it tested and certified against a NIAP protection profile and then it can be used as an element of a secure architecture that would come out of our commercial solutions for classified program,” Althouse said. “We’ve been working hard over the last few years to get the full family of protection profiles to cover the entirety of mobile technology, so we can point vendors to say that’s your certification path to bring you on to the approved products list.”
The Defense Department earlier this month approved its first device using the Microsoft Windows 8.1 operating system, said Greg Youst, the Defense Information Systems Agency’s chief mobility engineer.
Youst said DISA reduced the amount of time to get products through security process and onto the approved products list to 45 days from seven months, on average.
“We are working with Windows phone next,” Youst said. “We need to learn to keep up with mobility.”
Youst said DoD, like any organization, must understand the risks it’s facing, particularly to its data, and make decisions that take into account both security and mission usability.
“Mobility isn’t just the edge device, but the whole schematic, including your infrastructure and data,” he said. “We must understand the impact and not be afraid to take on some risk.”
Althouse said vendors understand the government has more rigorous requirements for mobile products and services. He said NSA is reaching out to other critical infrastructure sectors that require strict cybersecurity requirements to see if they have mobile devices or software that meets the NIAP requirements and could be brought into the military.