DISA Working to Secure the Mobile Enterprise
The Defense Information Systems Agency’s 2013-2018 Strategic Plan includes mobility as a key initiative that will “promote rapid delivery, scaling, and utilization of secure mobile capability leveraging commercial mobile technology to enable an agile deployment environment for new and innovative applications to support evolving warfighter requirements.”
DoD’s Mobile Device Strategy, released in June 2012, maximizes the potential uses of mobile devices, focusing on three key areas: wireless infrastructure, mobile devices, and mobile applications.
"DISA's top priority is producing enterprise capabilities that DoD and other federal partners can leverage," said John Hickey, program manager for mobility. "We are an integral part of what the DoD Chief Information Officer (CIO) is doing, supporting their strategic plan and we are currently working on an implementation plan.”
While the DoD CIO has the lead for the effort, DISA provided the technical pieces to support the implementation plan, which has already gone through reviews by the combatant commands and services.
With mission partners, DISA will further support the DoD mobility effort by creating common infrastructure and services for both unclassified and classified mobile solutions to allow efficient use of mobile technologies. This will meet an array of DoD requirements, establish security standards, and institute a certification process capable of adapting to rapidly-evolving mobile technologies.
“In the last year and a half, we’ve been taking a hard look at the devices, device management systems, and mobile applications,” said Hickey. “We’re looking where synergy and efficiency already exist, and where can we affect industry in providing additional security.”
DISA’s mobility pilot builds an enterprise mobile capability that is the wireless entry point into the Global Information Grid. The agency partners with the services for the pilot’s unclassified side, while teaming up with other federal partners to address the classified side of mobility.
The pilot is well underway, with more than 500 devices issued to Joint Staff, Army, and DISA users. Additional devices will be rolled out to the Air Force, Marine Corps, and Navy.
Three commercial carriers are participating in the mobility pilot — AT&T, Sprint, and Verizon. But the agency is looking to expand the number of carriers.
"The concept is based on the ability to purchase multiple commercial devices and leverage them through multiple carriers," said Hickey. "Then, we have an implementation plan on how to go from a pilot and scale it to support larger operations."
In October 2012, DISA released a request for proposals for a combined DoD enterprise-wide mobile device management (MDM) and mobile application store (MAS). The MDM capability will enforce policy for network and end user devices. In combination with the MDM, the MAS will provide an online digital electronic software distribution system, obtaining user application permission rights from the MDM while minimizing replication, cost, and downtime.
A single contract award, with a one-year period of performance and four six-month option periods, is expected by April.
As devices make their way into the marketplace, secure use of those devices is paramount before connecting to department networks. While DISA issues Security Technical Implementation Guides and Security Requirements Guides for a number of devices, the goal is to get away from hardening the device after the fact. Hickey stresses the need to implement common security standards across devices and mobile applications.
“It’s really industry who we’re providing security standards to,” said Hickey. “Standards that we want to see on the devices, internal to the devices, to securing the devices. We feel embedding the security into the device will help the rest of the government.”
The operational world becomes very small, very quickly. When our forces hit the ground they may not have all the required bandwidth. Hickey says if they can tie their mobile devices into a trusted wireless network and converge with the commercial world, commanders can see their total capability landscape.
“One thing is certain,” said Hickey. “If we do nothing, soldiers, sailors, airmen, and Marines will be innovative, and find ways to communicate. And many times those ways are not as secure as we like, posing a great risk to the unit or organization.”
Convergence with new and emerging technology is critical when looking at the future of the department, said Hickey, who fully recognizes the resource-constrained environment. Mobile applications present another key area for mission partnership. Leveraging the commercial world to develop mobile applications that can tie into web services is essential. But there are challenges associated with applications.
Applications can present risk to users and networks. Not only must each DoD-owned device be secure, there must also be expected standards for applications on both the unclassified and classified sides. To address this, Hickey’s team developed governance for approving applications and understanding the capability of each.
Hickey presented this case regarding understanding the risks associated with mobile devices and applications:
“[Do] you use the ‘Pandora’ [Internet radio] application? Did you know that every time that music is playing, someone is pulling a GPS signal from you? While a music application is seemingly safe, we have some serious security concerns.”
Hickey says the agency must have set policies for mobile applications, based on how they are accessed and who the users will be.
“When we bring the power of these devices, we have to understand all the risks,” said Hickey. “We can’t turn everything off anymore, our customers won’t let us. We have to look at everything individually from the risk standpoint, and how those risks can change depending on where you are in the world.”
Posted January 9, 2013