After several years of hand-wringing about how to fit modern mobile devices into the Defense Department’s cybersecurity regime, the Pentagon is planning a major ramp-up in its effort to deploy Apple and Android devices. In all, 40,000 of those smartphones and tablets should be on military networks within the next year.
In the short term at least, the Pentagon’s inventory of iPhones and Samsung devices still will be dwarfed by the BlackBerry, the federal government’s tried- and-true approach to mobility. Nonetheless, the plan represents a dramatic increase in DoD’s adoption of the Apple and Android-based devices that now overwhelmingly dominate the commercial market. The Defense Information Systems Agency has only deployed 4,000 so far.
The adoption of those devices is possible because DISA, Apple, Samsung — and BlackBerry too — have coalesced around a process that meets DoD’s security needs without requiring major customizations after the phones have entered the commercial market.
DISA’s ambition has been to grant a security blessing to commercial mobile devices no later than a month after they hit retail shelves.
But Mark Orndorff, DISA’s mission assurance executive, said DoD has been able to beat that goal through partnerships that have given the mobile device industry’s main players more insight into DoD’s security needs, allowing DISA to produce hardened versions of mobile devices and operating systems that are suitable for the Pentagon on the same day those systems are released to retail shelves.
“In our initial partnerships with Apple, Samsung and BlackBerry, we’re releasing at least interim approvals at the same time the products are commercially released,” Orndorff said. “We’ve got the process well-greased, so when the iPhone 6 was released, it was also available to the Department of Defense. We’ve been able to do the same with Samsung and Blackberry.”
Orndorff said DISA is in talks with several other mobile device manufacturers who are also interested in participating in DoD’s commercial mobile device program, but he did not specify those prospective vendors.
“They’re working to get into that same tempo with us and I expect that we’ll soon have their technologies available to us,” he said. “But I think our process is sound, and I think we’re able to keep up with the release of commercial technologies as other vendors work with us to get into the [National Information Assurance Partnership] and work with us on our security guides.”
DISA already is in charge of the security approval process for most of the information technologies DoD uses. But beyond serving as a security guard, the agency also is aiming to become the mobility service provider for all of the military departments and defense agencies via a single mobile device management system and centralized application store.
So far, DISA’s customer base for mobile devices is made up predominantly of Army users. The Navy and Marine Corps —at least for unclassified phones —are mostly leveraging the Navy Department’s own contracts.
DISA’s next target market is the Air Force, said Kimberly Rice, DISA’s mobility program manager.
“I think we’re going to continue to grow and see our numbers increase,” Rice said. “As we keep moving down the path, the MDM and some of the additional security requirements we’ll need to address will mean that we’re going have to keep getting better. We also have a lot of users out there that are under contracts. Just because a new device is out doesn’t mean that they can get a new device right away. So I think it’s going to be a ramp-up that’s going to be in line with whatever our customers have in terms of their service plans and coverage.”
Things are more complicated when it comes to devices that can support classified data. The SME-PED, the handheld device DoD has been using since 2008 for secret- level communications, will reach its scheduled end-of-life this year, and DISA won’t begin to replace those devices on a large scale until 2015.
DISA has managed to retrofit one modern smartphone — the Motorola RAZR MAXX — with technologies that allow it to safely transmit classified data. That phone is intended to be the first replacement for the SME-PED, but DISA has only deployed 270 units so far under its Defense Mobile Classified Capability program.
Rice said the agency plans to deliver up to 1,500 devices by the end of 2015, but DoD customers still are concerned about whether DISA will be able to supply enough new devices to replace the aging SME-PEDs, which can only operate on 2G networks that commercial wireless carriers are gradually decommissioning.
“We have a requirements tasker that’s going out across the department to verify what the customer base is and how many folks are going to need replacement devices,” Rice said. “Right now, based on the numbers we’ve gotten back, we think we have enough devices to support that requirement. We’re working to make sure that as the requirement is refined, we’ll be able to handle that capacity as well. We’re looking at being able to support at least 3,000 users by the end of 2015, and we’re going to make sure we’ve got that available quantity.”
DISA also has been conducting pilot programs geared toward handling top-secret- level communications, but for voice only —not data. Rice said she expected DISA to have sufficient inventories of devices to satisfy the department’s demand for that level of classification by next year as well.