If all goes according to plan, the Defense Department is about a month and a half away from opening its own walled-off, DoD-only app store for secure mobile devices.
Along with that, the military is promising a speedier security review process so that smartphones aren’t obsolete by the time they’re allowed to connect to Defense networks. The actions are part of the Pentagon’s first comprehensive effort to build a departmentwide infrastructure to support a new generation of mobile devices Defense personnel have wanted to use for years.
“You’re going to see things coming out of my office fast and furious,” said Bruce Bennett, the program executive officer for communications in the Defense Information Systems Agency. “Our goal is to have a complete infrastructure up within the next 15 months. And we’ll have usable enterprise mobile capabilities up and running within the next quarter.”
The mobile infrastructure will initially be geared to support devices and applications based on Google’s Android, Apple’s iOS, Research in Motion’s BlackBerry and Microsoft’s Windows Mobile operating systems.
While the military services each have their own mobile infrastructure and app store pilot projects underway at various stages, Bennett said the DoD goal is to streamline and tie together those efforts rather than take them over.
“That has never worked in the past and it’s never going to work in the future,” he said. “What we have to do is figure out what is common across all of them, set it up as a common service, and then allow each of them to do what is unique to the Air Force, Army, Navy or other federal agencies.”
The common services DISA will provide across the DoD infrastructure include presenting a single face to commercial mobile network providers, so that the military services don’t have to negotiate their own service contracts and security protocols with telecoms. Military branches will be allowed to run their own app stores if they choose, but those stores would be interoperable with and accessible from the DoD-wide marketplace DISA will operate.
For that new federated store, DoD envisions a security approval process for new apps that would operate at light speed, by Pentagon standards: DISA hopes to publish a security requirements guide for mobile apps within the next 60 days. After that, vendors or individuals who want to build apps for the new secure store would have to certify their software meets those requirements. Then, a DoD certification lab would check their work and give a thumbs-up-or-down within no more than 72 hours.
“We’re trying to put all those processes in place to work at the same time and speed that the Apple App Store works,” Bennett said. “We want to do these things in real time, because the applications are being produced in real time.”
For the most part, DoD expects the apps that populate its initial store to be only minor variations on the popular software that mobile users can already find in the Apple store and the Android Marketplace. Bennett said he expected 10 percent or so of the apps to have specialized DoD focuses. The rest would be slightly tweaked versions of commercial mobile software.
“We are not going to reinvent the wheel,” he said. “Most applications are developed by individuals and small companies, and we’re going to leverage the same thing. We’re going to look at the apps that are most suitable for our warfighters. The only thing we might have to do is ask the developers to disable Bluetooth, or change the software so that instead of relying on the Apple cloud or the Google cloud, it points to the DoD cloud. That might be the only change it needs to have for it to be acceptable for us.”
Even if the approval process for new apps would be relatively painless, the approval process for the devices that would run them has been anything but.
Five years after the introduction of the first iPhone, the device is still verboten on DoD networks except for test purposes because DISA has not yet finished work on a security technical implementation guide (STIG) that would document how to patch and configure Apple’s operating system to meet DoD security standards. As for Android, a STIG has been published for one device, but the manufacturer had already stopped producing it by the time the STIG was finalized.
Army officials said recently they wanted to abandon the STIG security approval process entirely and find a faster way to certify mobile devices. A solicitation asking industry for help is expected soon.
But Bennett said a final STIG for Apple’s iOS is “very, very close,” and more Android handhelds and tablets will be approved soon. He said getting the first devices approved was the biggest hurdle and that the process will now accelerate.
“The lifecycle of smart devices is 12 to 15 months. We are now getting inside of that curve. We hope to be having STIGs approved and ready before the device is even released to the marketplace. That’s our ultimate goal,” he said. “We haven’t gotten there yet, and there’s still going to be a little bit of a lag. But like anything else, once you do it once, the second time is faster, the third time is faster, the fourth time is even faster. We’re hoping to start releasing security guides to device manufacturers so that when they start designing the next generation of handhelds, the special concerns that we have to ensure data assurance and integrity is already built-in.”
Another way DISA plans to accelerate the approval process is by delegating the STIG responsibilities to one of DoD’s full-time certification agencies rather than pulling DISA engineers from their day jobs to work on the task.
Bennett said DISA plans to hold an industry day somewhere in the greater Washington, D.C., area within the next two months to discuss the new DoD mobile framework and how its app store will work.
Over the long term, DoD plans to run at least two app stores, one for programs that handle unclassified data and another for apps that work with secret or top secret material. Eventually, the stores might be consolidated into one, and users might be able to access data across various security domains on a single handheld device. But Bennett said that prospect is at least a couple of years away and would rely on the National Security Agency reforming and refining security protocols that go far beyond mobile devices.