Feds Test and Deploy Smartphone Accessories to Access Agency Data
The Homeland Security Department’s Customs and Border Protection agency is piloting the use of mobile devices in the field. Wolf Tombe, CBP’s chief technology officer, says the agency has rolled out the devices to a limited number of users, but once a few implementation challenges are overcome, the rollout will scale up to 500 users, including users in all of CBP’s mission offices. The goal is to rapidly scale to 1,000 users, then up to 5,000 users and beyond.
One of the implementation hurdles CBP is working to overcome is finding a way to securely authenticate users on smartphones with the Personal Identity Verification (PIV) cards that the agency’s users receive.
“We are currently exploring a number of options for authenticating these devices against the PIV cards,” Tombe says. “These include secure Bluetooth portable card readers and moving the PIV card certificates and credentials onto the government-owned smartphone or other mobile device. This is being explored in combination with a number of two-factor authentication mechanisms.”
Chris Silva, an industry analyst for the Altimeter Group who focuses on mobility, says CBP’s use of smart cards to access smartphones is likely where most federal agencies are headed. The armed forces have adopted the Common Access Card, or CAC, while many civilian agencies issue PIV cards.
“I think what you’ll see agencies do is use the CAC or PIV cards to access the device or to access a secure portion of the device,” says Silva.
Tombe says CBP wants PIV integration with mobile devices to deliver access to the agency’s internal mobile applications and mission data that may reside in agency applications and databases.
“The data is both data that’s available via the Internet and the use of a virtual private network or related technologies for real back-end data needed to accomplish work,” Tombe says.
A TSA Mobility Pilot (sidebar): the Transportation Security Administration’s estimate for when it will implement a mobile PIV capability. SOURCE: TSA
Rich Smith, acting executive director of operations for the Transportation Security Administration’s Office of IT, says TSA also has a pilot that’s testing mobile access to the network via PIV cards. TSA uses PIV card readers in notebooks and keyboards used by agency personnel to access the network.
Smith says TSA also plans to move forward on the Homeland Security Presidential Directive 12 (HSPD-12) authentication strategy for smartphones. He characterized the strategy as an initial operating capability based on metrics established by the Office of Management and Budget.
Smith says TSA plans a phased approach to implementing HSPD-12. In the first phase, the focus will be on implementing PIV card access to the network from individuals’ computers. In Phase 2, TSA will extend PIV card use to access to applications and databases and continue development of a mobile PIV solution.
Pushing Ahead
While most agencies are taking a cautious approach with mobile accessories, Bill Keely, deputy chief technology officer for mission assurance at the Defense Information Systems Agency, says the Defense Department plans a fairly aggressive program.
“Our goal is for DOD employees to have the same access to information on their smartphones as they do on desktops or mobile notebooks,” Keely says.
Keely envisions an environment in which mobile accessories for smartphones deliver secure access to email, web pages, and DOD transaction and logistics systems.
He says DOD has deployed CAC readers on smartphones with limited success mainly because users find the CACs cumbersome to handle on smartphones.
But that’s not stopping the department, Keely says, adding that DOD plans to test several other smartphone accessories. These include software-based certificates and a sleeve-style smart-card reader, which encloses the entire phone in a form-fitting sleeve that offers access to an integrated smart-card reader. It is less bulky than the separate wireless CAC readers DISA first deployed. Other options include a trusted platform module chip that could authenticate a smartphone, and a dongle that could be attached to a phone much like an external hard drive on a PC or notebook computer.
“I don’t think that there will be a one-size-fits-all solution,” Keely says. “With somewhere between 3 to 4 million people in the military worldwide, that would be impossible. Moving forward, I see us going with a few different solutions.”
As Always, Security Comes First
Securing smartphones as they grant access to more services has been a challenge that has vexed IT managers at federal agencies. Topping the list is the obvious question: what happens if the phone is lost or stolen?
CBP’s Tombe says his agency plans to explore mobile device management (MDM) solutions that can secure mobile devices with encryption that meets Federal Information Processing Standards. He says MDM solutions allow a device to be wiped automatically in situations such as a user making too many unsuccessful login attempts or the device leaving a defined geographic boundary.
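The two automatic-wipe triggers described above, as an added illustration that is not CBP’s or any MDM vendor’s code: a small per-device policy evaluator that counts failed logins and checks location against a geofence, with constructed thresholds, coordinates and sample events.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Constructed policy values for illustration; not CBP's or any vendor's real settings.
MAX_FAILED_LOGINS = 10
GEOFENCE_CENTER = (38.8977, -77.0365)   # constructed lat/lon of the home duty station
GEOFENCE_RADIUS_KM = 50.0

def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

@dataclass
class DeviceState:
    device_id: str
    failed_logins: int = 0
    wiped: bool = False
    wipe_reason: Optional[str] = None

def apply_event(state, event):
    """Apply one MDM event to the device; once a wipe fires the state is frozen."""
    if state.wiped:
        return state.wipe_reason
    kind = event["type"]
    if kind == "login_failed":
        state.failed_logins += 1
        if state.failed_logins >= MAX_FAILED_LOGINS:
            state.wiped, state.wipe_reason = True, "too_many_failed_logins"
    elif kind == "login_ok":
        state.failed_logins = 0          # a successful login resets the counter
    elif kind == "location":
        if haversine_km(GEOFENCE_CENTER, (event["lat"], event["lon"])) > GEOFENCE_RADIUS_KM:
            state.wiped, state.wipe_reason = True, "left_geofence"
    elif kind == "reported_lost":        # user-initiated report of a lost or stolen phone
        state.wiped, state.wipe_reason = True, "reported_lost"
    return state.wipe_reason

def evaluate(device_id, events):
    """Replay a list of events for one device and return its final state."""
    state = DeviceState(device_id)
    for ev in events:
        apply_event(state, ev)
    return state

# Constructed sample telemetry: three bad PINs, a good login, then a check-in far outside the fence.
SAMPLE_EVENTS = [{"type": "login_failed"}] * 3 + [
    {"type": "login_ok"},
    {"type": "location", "lat": 40.7128, "lon": -74.0060},
]
```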
“We are also working with our partner vendors to ensure that enhanced security controls in compliance with standards established by the National Institute of Standards and Technology are included by both hardware and software manufacturers,” Tombe says.
TSA’s Smith says smartphones are deployed either fully encrypted or with software that creates a virtual sandbox so that agency information is contained. “Once users report the phone is stolen or lost, TSA can remotely wipe the data,” Smith says.
Although relatively few agencies have mainstreamed smartphone accessories, efforts are well under way for the federal government to take the next step in mobility.