The Defense Department says it has a solid plan to use the current generation of commercially-available mobile devices on military networks and, just as importantly, to issue security approvals for those devices in a way that roughly matches up with the pace of the commercial marketplace.
The Pentagon’s path forward comes in the form of a commercial mobile device implementation plan, approved by Teri Takai, the DoD chief information officer, earlier this month and released to the public Tuesday. It lays out specific timelines for building a new device management architecture to support iPhone, Android and other off-the-shelf mobile devices on both classified and classified Defense networks. It also includes getting those devices past what have proved to be extremely high hurdles for approval based on the military’s bureaucratic process for issuing cybersecurity blessings.
DoD’s mobile strategy until recently could be summed up mostly with one word: BlackBerry. Out of the 600,000 mobile devices on military networks today, almost 500,000 were made by the company formerly known as RIM. Many of the rest are iOS and Android devices being operated in test projects by the military services.
But the time has come to begin turning those various pilot projects into a coherent, DoDwide mobile infrastructure, said Maj. Gen. Robert Wheeler, DoD’s deputy chief information officer for command, control, communications, computers and information infrastructure.
“We’re trying to take all the mobility spirals that we have out there today and find the best solution overall. They will slowly grow to that,” he said. “At some point in the future — and that point will vary by the service — they will become part of the enterprise. The services have signed up to that.”
The Defense Information Systems Agency will play a lead role in implementing the plan. The strategy largely is an articulation of the work DISA and the National Security Agency already have been doing in laying the groundwork for service members to use commercial devices.
DISA already has released requests for proposals to industry to create an enterprise-level app store and mobile device management system for DoD. Those awards are expected later this year. And the NSA has been working on ways to use off-the-shelf commercial devices on the military and intelligence community’s classified networks.
The plan the Pentagon released Tuesday calls for the devices to be capable of data and voice communication up to the top secret level by September, and both the classified and unclassified communications will be carried over the existing networks of commercial wireless carriers.
“The biggest difference between the classified and unclassified networks is that we’ll have a second layer of encryption on the classified network-commercial encryption, not Type 1 encryption-on the classified device,” said John Hickey, the mobility program manager for DISA. “It lets us leverage what technology’s already out there in the commercial space.”
Another key change in the plan is a significant overhaul to the way DoD reviews technology to make sure it’s safe for military networks.
The traditional process, using what are known as Security Technical Implementation Guides (STIGs), involves DISA security pros scouring through, for example, a new release of the Windows operating system, in order to decide which features need to be turned off, which settings need to be changed, and which patches need to be applied.
Besides BlackBerrys, DISA has only been able to put one mobile device through those painstaking paces, and by the time the STIG was approved, the manufacturer, Dell, had already retired the device from its lineup.
“In the mobile space, that model doesn’t work just because of the pure speed at which devices come into the market,” Hickey said.
So DISA has decided to get out of the business of poking through devices one-at-a-time to determine how to make them comply with DoD requirements. Instead, it’s begun publishing what it terms Security Requirements Guides: a set of standards that each device or application must comply with. It’s then up to device manufacturers or software programmers to present their own STIGs to DISA, whose only job will be to validate them after-the-fact.
In the new process, DoD says it will be entirely device-agnostic and operating system-agnostic, and it’s aiming to add new devices to its approved products list in a turnaround time of no more than 90 days.
“And I would tell you 90 days is the far end,” Hickey said. “We need to get closer to 30 days, and that’s our goal. The concept now is, ‘Here’s our requirements. Bring us a STIG and we’ll review it very, very quickly.’ We’ve gotten very positive feedback from industry on that, from mobile operating system makers as well as people in the mobile device management and application arena.”
Common contracts for devices, services
DoD’s timeline calls for 1,500 devices to be deployed by April and up to 25,000 by September, when it hopes to have a full-fledged mobile device management system in place. By February, DISA plans to be able to support up to 100,000 new devices.
By that point, DoD also hopes to have acquisition programs in place, in coordination with the General Services Administration, to handle strategic sourcing of handhelds and wireless service so that military commands aren’t handling those procurements on their own.
“We’re going to be able to offer an infrastructure cost and a cost for device and data plans. The Army already is using a blanket purchase agreement, and so is the Air Force, so the services have already done some consolidation,” Hickey said. “Those discussions are going to be had in the commercial mobile device working group. The devil-in-the-details is going to be worked out as we put the meat on there.”
Also yet to be decided is exactly how DoD will handle the vexing problem of two-factor security authentication on the new mobile devices. The current solution requires handheld users to attach a separate piece of hardware that reads the PKI credentials on their common access cards before they can access military networks.
Two-factor authentication still important
But DoD IT leaders are the first to admit that answer is cumbersome for a mobile workforce.
One answer might be to store those credentials on tiny microSD cards that can fit inside the devices themselves. They would use a process called “derived credentials,” currently being standardized for the federal government by the National Institute of Standards and Technology.
“The update to [Federal Information Processing Standard] 201-2 talks to derived credentials, and the goal is to get away from the clunky CAC reader,” he said. “There are technologies such as near-field communication, but the challenge is that the tunnel for NFC still needs some work to meet our security standards. microSD is something we’re looking at on the classified side. But when we have to scale all this to 600,000 devices, we want to do this smartly. We don’t want to have to manually derive credentials for every device and then have the potential for that credential to be copied or taken off.”
While the Pentagon is trying to lower the barriers to which devices are permitted on its networks, it’s still not even seriously contemplating a bring-your-own-device-strategy. BYOD is mentioned in one paragraph of the new document as a topic for further study.
But implementation is not in the immediately-foreseeable future, Wheeler said.
“The technology at this point, from a DoD perspective, is not mature enough,” he said. “But we’ll continue to test those and move forward down that line in the future.”