The Navy is ditching the requirement for its users to attach cumbersome smartcard readers to their mobile phones in order to sign and send encrypted emails, part of a broader effort across the service to retool the ways in which it handles identity management and eventually move beyond the Common Access Card.
Beginning in November, the Navy started transitioning its roughly 35,000 mobile device users to a derived credential system called Purebred, which is managed by the Defense Information Systems Agency. It offers similar levels of identity verification as DoD’s CAC, but since the PKI credentials are stored on the phone itself, it eliminates the need for a physical card to be read by the mobile device.
Capt. Ben McNeal, the program manager for naval enterprise networks, said the Navy had been a latecomer in implementing DoD policies for derived credentials, but that DISA’s Purebred program had matured to the point where the Navy felt comfortable implementing it across its enterprise.
“Because the Navy was behind, we had a large subset of the user population that did not do signed and encrypted emails via our mobility solution, because it required the CAC sled in order to be able to do that,” he said in an interview for Federal News Network’s On DoD. “Now, after we get through the initial implementation, we can enforce the policy that says all emails have to be signed and encrypted.”
The timing was also prompted by the fact that the technology the Navy had been using for mobile authentication is nearing its end of life. Next week, BlackBerry is scheduled to end support for the Good For Enterprise application the service was using.
The transition has not been entirely seamless. The process of getting those derived credentials onto government-issued smartphones requires a manual enrollment procedure for each user, overseen by designated “Purebred agents” at various Navy commands.
The new certificates are delivered over-the-air — and wireless connectivity is difficult-to-impossible in many areas of the Pentagon, let alone in the Navy’s afloat environments.
“Some of our most important users — our VIPs — are in the Pentagon, and that’s been our most challenging environment. Because with the exception of a few pocket areas, the cellular signals are almost nil,” McNeal said. “We really had to go find some innovative means to be able to get our Pentagon users up and running. And going through that (enrollment) is a little bit of a step, even in an optimal environment. It takes about 30 minutes to get set up, but the connectivity issues can sometimes extend that to an hour or beyond.”
And although the vast majority of the Navy’s authorized mobile users have Apple devices, Android has presented another challenge in the Purebred transition. The Android version of the endpoint management software the Navy is using — also made by BlackBerry — won’t be ready for Navy use until this summer, so the service has asked those users (about 2.5 percent of the total) to switch to iOS for now.
MyRecord mobile app pilot launched
However, the move to derived credentials is not the only approach the Navy is using to update the ways in which its mobile users authenticate themselves on government networks.
Simultaneously, the service has launched another pilot that lets sailors, including ones with only personally-owned devices, access some parts of their personnel records. The MyRecord mobile application is the Navy’s first true “CAC-less” app, and uses commercial two-factor authentication services to verify users’ identities.
McNeal said that even though the Navy is currently moving down two pathways for identity verification — one for government-furnished devices and another for personally-owned ones — the long-term intent is to “marry up” those solutions into a single, cohesive identity management scheme.
“It is a big part of what we’re doing moving forward as we talk about our vision for transformation and cloud services,” he said. “Along with our cloud-first strategy is also how we optimize security to enable our user base to access data from any location at any time they’d like to access that data. As we move from a much more defense-in-depth-centric posture, identity is the new medium for security. I would equate it to once you are in the house, in today’s environment, you can go to any room that you’d like. With [the focus on] identity, we have the ability to control what room you go and what you access when you get to that room.”
To achieve that, next week, the Navy plans to release a problem statement to industry in pursuit of an integrated suite of identity management capabilities. It will do so through other transaction authority, via the Information Warfare Research Project, an OTA vehicle the Space and Naval Warfare Systems Command established last year.