Want to know if you can use your cellphone in a room? Try asking your boss.
A new policy put in place by the Committee on National Security Systems gives the official in charge of a secure space the authority to decide if mobile devices will be allowed in the area.
“This is a policy that determines how to appropriately use mobile devices in secure spaces,” said Therese Firmin, the Defense Department’s deputy chief information security officer, during a Nov. 29 speech at an AFCEA event in Washington. “These are secure spaces that include top secret, collateral and below. It doesn’t mandate that these devices be allowed.”
The new policy does not apply to sensitive compartmented information facilities or SCIFs, which are used for certain types of classified information.
The policy, which was signed by DoD’s Deputy Chief Information Officer for Cyber Security Essye Miller and issued Nov. 20, is a recognition of the growing use of mobile devices in the DoD workplace.
The directive stated the government relies on mobile technologies to provide departments and agencies with increased productivity and mission flexibility.
Of course, adding mobile devices to any situation compromises security. There are plenty of horror stories of hackers getting into phones and enabling the camera or microphone — something that would be particularly harmful in a secure environment.
But the policy is a nod to what mobile devices can accomplish in the workplace, and it potentially allows employees, contractors, agents and visitors to bring their mobile devices into a secure area with the consent of the official in charge of that area.
Those in charge of secure spaces can’t just decide to make the change off the cuff either. The policy requires them to submit a justification based on mission need to the department before they can open the areas to mobile devices.
Reasons acceptable for allowing mobile devices in a secure area include command and control, counterintelligence, testing, training, research, developmental activities and, obviously, communication.
They must also officially determine the risk associated with adding mobile devices to an area. The policy requires officials to lay out vulnerabilities associated with the mobile device and the networks it connects to. The policy asks officials to submit known and potential threats to national security systems and information used in secure areas and the potential risks to spaces near the area where mobile devices are allowed.
The policy “takes into account the whole environmental aspect, also what devices you are using, what devices you intend to allow, what are the threats against those devices, what type of data do you process. There’s a whole set of things that need to be considered,” Firmin said. “It is not a blanket approval. You need prior approval, you can’t just say, ‘Hey, there’s a policy I’m going to bring my device in because the policy says.’ There really needs to be a thoughtful process and that’s what we’re encouraging.”
DoD is trying to open up its ability to harness new technologies or technologies already used in the private sector without compromising security.
Last month, DoD CIO John Zangardi signed a memo outlining a new process for securing mobile apps that sets a baseline standard, promotes reciprocity across the military and clarifies which apps need to go through this new approach.
“For the Department of Defense, mobility has been increasingly vital to fulfilling its mission from digital flight bags to logistical support,” said Tom Suder, president of Apcerto, which provides a mobile application security platform. “This memo codifies security to an appropriately high level. I suspect civilian agencies would start to follow the DoD’s lead on this mandatory National Information Assurance Partnership (NIAP) certification policy.”
The memo is a first step in onboarding some apps to DoD-issued devices.