The Defense Information Systems Agency is in the midst of implementing a commercial mobile device plan that will allow for quicker adoption of the latest smartphones and tablets.
The initiative could bring a wave of diverse, new technologies to the Pentagon and let employees more effectively work on the go. Devices will operate under a common infrastructure that DISA officials hope will cut costs and reduce vulnerabilities to network intrusions.
“Today, when you think of our unclassified networks and our classified networks, we’re not always connected with commercial technology,” said John Hickey, DISA’s mobility program manager. “We’re essentially always connected with satellites or government-specific systems that we’ve developed from a radio standpoint.”
DISA in February issued an implementation plan focusing on mobile devices, applications and wireless services.
To help put that plan into action, the agency stood up a program office for mobility services that currently supports over 1,300 devices used by personnel from across the services and Joint Staff, Hickey told National Defense.
One of the implementation plan’s major goals was the selection of a mobile device manager who will act as a “traffic cop,” with responsibilities such as monitoring the use of smartphones and tablets and enforcing department policy. The manager also will oversee a department-specific mobile applications store.
DISA in June awarded a $2.9 million contract to Bethesda, Md.-based Digital Management Inc., to fill this role. The initial contract covers the first year. The agency has the option of renewing the contract every six months for two years after that, bringing the total award to nearly $16 million, said a DISA news release.
According to the original request for proposals, the mobile device manager “institutes the policy, security and permissions that define the functions the user is enabled to conduct on the mobile device. This capability ensures the security of the entire user community is not compromised by an incorrectly configured device.”
The company will manage malware-detection software and the digital distribution of software over devices. It also will have the power to remotely configure or erase data from smartphones and tablets.
One of the major drivers for instituting a mobile device manager is cost, Hickey said.
“We only want to pay somebody to look at the device once from a security standpoint,” he said. “We don’t want five, six, 10, 15 contractors at various subordinate commands to do that.”
Having one entity in charge of instituting policy for all commercial mobile devices also means that the department can take advantage of buying software licenses or technology services in bulk.
“If everybody does their own voice-over IP voice solution, you’re going to lose interoperability if those systems aren’t tied together and integrated, so that’s really where the bang is,” Hickey said. “You can get better cost when you go out, and you buy things off an open, competed, large-volume contract. … Sometimes those can be very expensive licenses, and we want to reduce that overall cost.”
There are two primary ways mobile device managers work, Hickey said. In a “container” method, sensitive data is segregated to a separate part of the device with a higher level of encryption.
In the second method, a virtual private network, or VPN, extends a remote private network across a public network, allowing data to be sent across the Internet while maintaining the same security of a private network.
“The container itself is an application-level VPN, so they’re not that much different from that standpoint,” he said.
Hickey would not speak specifically as to how mobile device management would ultimately be employed. “There are many combinations,” he said.
The mobility pilot program — which tested various commercial devices and wireless carriers — used a container method. DISA is also building VPN “gateways” that will connect the Defense Department’s unclassified and classified networks and mobile devices over the Internet, Hickey said.
In April, the agency put out its first commercial mobile device able to be used across the department’s classified network, Hickey said. The smartphone — a Motorola Razr Maxx that runs on the Android operating system — is now in the hands of select personnel in the Joint Staff and combatant commands.
Gen. Martin Dempsey, chairman of the Joint Chiefs of Staff, highlighted his new secure mobile phone during a June speech at the Brookings Institution.
“This phone would make both Batman and James Bond jealous,” he said. “With tools like this, the smartphone generation joining our military will help us pioneer a new era of mobile command and control.”
The mobile device manager will also oversee an applications store, where users will be able to download approved commercial and military-specific apps to their phones in the same manner as Apple’s App Store or Google Play. The manager would be able to deliver, update and delete them from devices without the user’s permission.
A commercial mobile device working group currently is working with the military services on a process to vet apps, Hickey said. That group is considering how best to do security and functionality testing on applications. The certification process will also take into account if an app is proxied in a foreign country. In some cases, an application will only be approved for certain user groups.
“We have over 100 apps that we are either in the middle of evaluating [or] have already evaluated,” Hickey said. Most of those are commercial apps, but some are unclassified applications that are being created by various military services or agencies.”
There are also classified apps in development that can be viewed as a “widget” through a browser, he said.
DISA ultimately wants to have a framework available to programmers that would allow them to more easily develop and submit applications for approval. Dempsey reiterated this point during his speech.
“A federated app store will allow any DoD user to write and share phone and tablet apps. By using off-the-shelf technology, we are bringing the full force of the tech revolution into the classified environment,” he said.
A common infrastructure and manager for the store will help reduce costs and redundancies, Hickey said.
“You surely don’t want the services developing the same apps. You want a central location for those apps so they understand where all those apps are so that before they spend the resources at the lowest level, they go look at that, and then you can reduce code,” he said. “For the commercial apps, [it’s] the same concept. You get a cheaper price if you buy in bulk and volume.”
If the Defense Department begins employing a wider range of commercial technologies, that will give industry an added incentive to design purpose-built applications and software for the military, said Mark Neustadt, director of Department of Defense sales for Citrix, a Fort Lauderdale, Fla.–based software company that focuses on mobile and cloud computing.
“There will be new technologies and new companies that will emerge out of this. … I think it bodes well for business and gives creative people and thought leaders an opportunity to create products and solutions that help the mission and improve efficiencies in the DoD,” he said.
Now that a mobile device manager has been chosen, the department can begin a more widespread deployment of newly-approved smartphones and tablets.
In recent months, DISA approved iPhones and iPads with Apple’s iOS6 operating system, BlackBerry 10 smartphones and Playbook tablets, and Samsung Galaxy platforms that carry the Knox security suite and run on the Android operating system.
Before a new device or operating system can be brought onto the networks, it has to meet security standards. In the past, that meant manufacturers had to release a new smartphone or tablet commercially, and then DISA would issue a security technical implementation guide — or STIG — approving the device’s use.
Oftentimes, the next line of products was already on the market in the time it took for the original to be approved, said Paul Christman, vice president of the public sector for Dell Software. Dell was one of the competitors vying for the mobile device management contract.
DISA has reworked that policy, and now industry can build devices to the department’s parameters before the gadget is available to the public. The agency last fall publically released security requirement guidelines laying out the standards the device must meet before it will be approved.
Early and continued engagement between DISA and industry is important for shortening the time it takes to approve a device, Hickey said. Usually, if a vendor is interested in meeting the security requirement guidelines, the agency assigns someone from its field security office to help the company work through that process. After a STIG is developed, the product goes through a review cycle where it is tested to make sure it conforms to standards.
Engineers working on the BlackBerry 10 and Samsung Knox operating systems began collaborating with DISA personnel early into the system’s development cycle, Hickey said. In the case of Samsung Knox, the Defense Department was cleared to issue those devices at the same time it was commercially available.
Because the Defense Department market is small, Hickey said not all vendors are interested in spending the time needed to ensure their products conform to the Pentagon’s strict security standards. But those that do might see increased interest from other industries that want to make sure sensitive information stays protected.
“What we normally see with the security folks is if you get DoD’s stamp of approval, then other people obviously know that security has been looked at in their products,” he said. Other mobile device vendors have already approached DISA about what they can do to meet security requirements, he added. “I think this is just the beginning.”
Just because a device is issued a STIG does not mean the Pentagon will automatically be buying new smartphones and tablets to replace older models. “Actual orders will be tied to identification of specific operational requirements and funding availability of using organizations,” a DISA news release said.
Currently, BlackBerry products make up the majority of the Defense Department’s 600,000 mobile devices. About 470,000 are BlackBerrys, compared with 41,000 Apple and 8,700 Android devices.
Some have predicted that the Samsung Knox and iOS6 approvals could indicate fewer sales of BlackBerry 10, but company officials said they were confident BlackBerry products remain the easiest to deploy.
“BlackBerry is the only solution that provides all of the pieces — out of the box — to meet the needs of DoD. … Any other approval I’ve seen requires third-party software in addition to” the device, said Michael K. Brown, BlackBerry’s vice president of security product management and research.
Defense Department employees won’t be throwing out their government-issued smartphones in order to play Angry Birds on their personal iPhones any time soon. All new devices must be approved and distributed by the Pentagon, and a bring-your-own-device policy is still a long way off.
“Despite the benefits, existing DoD policies, operational constructs and security vulnerabilities currently prevent the adoption of devices that are unapproved and procured outside of official government acquisition,” the implementation plan said.
Still, Neustadt of Citrix believes DISA’s efforts may be a “stepping stone” to a BYOD policy.
“This is sort of a paradigm shift in that regard,” he said. Having a wider variety of smartphones and tablets on the network is “going to open the door for these devices to be implemented in lots of different ways.”Photo Credit: Thinkstock