Not everyone in the Defense Department needs the latest and greatest mobile devices. “And that’s not going to happen,” said DOD chief information officer Teri Takai.
But the good news, according to Takai, is that the DOD has made tremendous progress in its ability to approve mobile devices for deployment throughout the military and get smartphones into the hands of those who need them. Takai spoke recently at the MobileGov Summit in Washington.
“There was a perception that this was a device problem,” Takai said. But that’s no longer the case. The DOD has approved Samsung and BlackBerry devices for enterprise use as well as Apple iOS 7 devices in unclassified environments and is working on approving Microsoft Windows 8–based mobile devices.
In addition, the DOD went operational with its mobile device management platform in January, enabling the Defense Information Systems Agency (DISA) to rapidly and securely configure, deploy and manage mobile devices and applications.
Now the DOD is focused on advancing its mobile program through derived credentials, mobile app certification and continuous monitoring. Takai said the department is moving past device-specific issues and looking at ways to make approved devices more useful.
For starters, the DOD is exploring new identity management and authentication solutions for mobile users. Calling the adaptation of the department’s Common Access Card (CAC) to mobile devices “a challenge,” Takai indicated that the answer might rest in derived credentials.
Derived credentials are chip-based information access controls stored in an approved mobile device. They can be issued via tokens on a mobile device, as long as a user already holds an approved government ID. In effect, the approved device itself becomes a user’s secure ID and means of authentication.
Last August, the National Institute of Standards and Technology released Federal Information Processing Standard 201-2, the specification for federal Personal Identification Verification (PIV) cards, which now includes provisions for derived credentials. NIST is currently working on Special Publication 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials. The PIV card is the federal civilian equivalent of the department’s CAC.
Takai said moving to a derived credential for mobile devices will require policy changes and new identity-management procedures, but that the writing was on the wall once DOD was able to deploy mobile devices in large numbers.
“We knew … that [the CAC] was going to be very cumbersome when you get large numbers of devices deployed,” Takai said. With derived credentials, “the device will not have to be recertified every time it’s utilized.”
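The issuance and use of a derived credential described above, as an added example that is not part of the original article and not DOD, DISA or NIST code. It models the two exchanges in a simplified form: the holder proves possession of the primary (card) key to an issuer, who signs the public key generated on the approved device; a relying party then accepts a challenge signed by the device key only if the issuer vouched for it. The in-memory registry, the holder name "jane.doe", the attestation format and the challenge strings are constructed for the example; a real deployment would carry the binding in an X.509 certificate with revocation checking, which this model omits.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// newKey makes a P-256 key pair; it stands in for the card key, the issuer
// key and the device key alike in this toy model.
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

func verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// DerivedCredential: holder identity, device public key (PKIX DER) and the
// issuer signature binding the two (an X.509 certificate in real deployments).
type DerivedCredential struct {
	Holder    string
	DevicePub []byte
	IssuerSig []byte
}

// attestationBytes is what the issuer signs; the fixed prefix keeps the
// signature from being reused in any other protocol (constructed format).
func attestationBytes(holder string, devicePub []byte) []byte {
	return append([]byte("derived-credential-v1|"+holder+"|"), devicePub...)
}

// Issuer holds its signing key and an in-memory registry of primary (card)
// public keys, a hypothetical stand-in for the PKI a real issuer consults.
type Issuer struct {
	key      *ecdsa.PrivateKey
	registry map[string]*ecdsa.PublicKey
}

func NewIssuer(key *ecdsa.PrivateKey) *Issuer {
	return &Issuer{key: key, registry: map[string]*ecdsa.PublicKey{}}
}

func (i *Issuer) Enroll(holder string, cardPub *ecdsa.PublicKey) { i.registry[holder] = cardPub }

// Issue demands proof of possession of the registered card key (a signature
// over the issuer's fresh challenge) before it signs the device key.
func (i *Issuer) Issue(holder string, challenge, cardSig []byte, devicePub *ecdsa.PublicKey) (*DerivedCredential, error) {
	cardPub, ok := i.registry[holder]
	if !ok {
		return nil, errors.New("unknown holder")
	}
	if !verify(cardPub, challenge, cardSig) {
		return nil, errors.New("primary credential proof failed")
	}
	der, err := x509.MarshalPKIXPublicKey(devicePub)
	if err != nil {
		return nil, err
	}
	sig, err := sign(i.key, attestationBytes(holder, der))
	if err != nil {
		return nil, err
	}
	return &DerivedCredential{Holder: holder, DevicePub: der, IssuerSig: sig}, nil
}

// Authenticate is the relying party's check: the issuer vouched for this device
// key, and the device proved possession of it over the relying party's challenge.
func Authenticate(issuerPub *ecdsa.PublicKey, cred *DerivedCredential, challenge, deviceSig []byte) (string, error) {
	if !verify(issuerPub, attestationBytes(cred.Holder, cred.DevicePub), cred.IssuerSig) {
		return "", errors.New("issuer signature invalid")
	}
	parsed, err := x509.ParsePKIXPublicKey(cred.DevicePub)
	if err != nil {
		return "", err
	}
	devicePub, ok := parsed.(*ecdsa.PublicKey)
	if !ok || !verify(devicePub, challenge, deviceSig) {
		return "", errors.New("device proof failed")
	}
	return cred.Holder, nil
}

func main() {
	issuerKey, _ := newKey()
	cardKey, _ := newKey()   // stands in for the CAC/PIV card key
	deviceKey, _ := newKey() // generated on the approved device
	issuer := NewIssuer(issuerKey)
	issuer.Enroll("jane.doe", &cardKey.PublicKey) // constructed holder
	c1 := []byte("issuer-challenge")              // enrollment: card key signs issuer's challenge
	cardSig, _ := sign(cardKey, c1)
	cred, err := issuer.Issue("jane.doe", c1, cardSig, &deviceKey.PublicKey)
	fmt.Println("issued:", err == nil)
	c2 := []byte("rp-challenge") // use: device key signs relying party's challenge
	devSig, _ := sign(deviceKey, c2)
	fmt.Println(Authenticate(&issuerKey.PublicKey, cred, c2, devSig))
}
```

The point the model makes explicit is the one Takai describes: after enrollment the card is never touched again, because the relying party trusts the issuer's signature over the device key rather than re-checking the card on every use. Anything that weakens either signature check, a wrong card key at enrollment, a device key the issuer never attested, or a tampered holder field, is rejected at the corresponding step.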
Secure Mobile Apps
In addition to establishing trust between mobile users and systems, the DOD is taking steps to better secure mobile applications.
Takai said DOD needs to work with manufacturers to vet the software they load onto their devices. According to Takai, the department must embrace commercial devices, because doing so drives down cost. But the DOD must also be able to trust the software that comes loaded on commercial devices. A common mobile-development framework, plus automated application-vetting tools and processes, will help establish application security, Takai said.
In conjunction with DISA’s mobile-device management program, the DOD is launching a mobile application store to help distribute, update or delete mobile apps on DOD-approved devices.
Going forward, Takai said the department is exploring ways of supplementing its mobile device management and mobile application store (MDM/MAS) platform with continuous monitoring technology. Continuous diagnostics and mitigation (CDM) is a relatively new cybersecurity initiative in the federal government, whereby agencies use network sensors and software to automatically detect and remedy security-compliance issues.
“We’re moving continuous monitoring into the mobile world,” Takai said.
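What "detect and remedy" looks like when applied to a managed mobile fleet, as an added example that is not part of the original article and not DOD, DISA or any MDM vendor's code. It evaluates a constructed newline-delimited JSON inventory, the kind of export an MDM platform produces, against a compliance policy and pairs each failed rule with the remediation the MDM/MAS would push. The record fields, rule names, thresholds and device records are all constructed for the example; real MDM exports differ by product.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// DeviceRecord is one inventory line as an MDM might report it (hypothetical fields).
type DeviceRecord struct {
	DeviceID          string   `json:"device_id"`
	OSVersion         string   `json:"os_version"`
	PasscodeSet       bool     `json:"passcode_set"`
	Compromised       bool     `json:"compromised"` // jailbreak/root detected
	HoursSinceCheckIn int      `json:"hours_since_checkin"`
	Apps              []string `json:"apps"`
}

// Finding pairs a failed rule with the remediation the MDM/MAS would push.
type Finding struct {
	DeviceID, Rule, Remedy string
}

type Policy struct {
	MinOS           string
	MaxCheckInHours int
	AllowedApps     map[string]bool // the approved app store catalog
}

// versionLess compares dotted numeric versions so "7.10" sorts above "7.9".
func versionLess(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	part := func(p []string, i int) int {
		if i >= len(p) {
			return 0
		}
		n, _ := strconv.Atoi(p[i])
		return n
	}
	for i := 0; i < len(as) || i < len(bs); i++ {
		if x, y := part(as, i), part(bs, i); x != y {
			return x < y
		}
	}
	return false
}

// Evaluate applies the policy to one device; findings are ordered severity-first.
func Evaluate(p Policy, d DeviceRecord) []Finding {
	var out []Finding
	add := func(rule, remedy string) { out = append(out, Finding{d.DeviceID, rule, remedy}) }
	if d.Compromised {
		add("compromised-os", "quarantine: block enterprise access and wipe managed data")
	}
	if versionLess(d.OSVersion, p.MinOS) {
		add("os-below-minimum", "push OS update; restrict access until current")
	}
	if !d.PasscodeSet {
		add("no-passcode", "enforce passcode configuration profile")
	}
	if d.HoursSinceCheckIn > p.MaxCheckInHours {
		add("stale-checkin", "flag for follow-up; suspend credentials if unreachable")
	}
	for _, a := range d.Apps {
		if !p.AllowedApps[a] {
			add("unapproved-app:"+a, "remove app through the app store and notify user")
		}
	}
	return out
}

// EvaluateInventory reads newline-delimited JSON records and returns all findings.
func EvaluateInventory(p Policy, inventory string) ([]Finding, error) {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(inventory))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var d DeviceRecord
		if err := json.Unmarshal([]byte(line), &d); err != nil {
			return nil, fmt.Errorf("bad record %q: %w", line, err)
		}
		findings = append(findings, Evaluate(p, d)...)
	}
	return findings, nil
}

// DefaultPolicy and sampleInventory are constructed for this example.
func DefaultPolicy() Policy {
	return Policy{MinOS: "7.0", MaxCheckInHours: 72, AllowedApps: map[string]bool{"mail": true, "maps": true}}
}

const sampleInventory = `
{"device_id":"dev-001","os_version":"7.1","passcode_set":true,"compromised":false,"hours_since_checkin":2,"apps":["mail","maps"]}
{"device_id":"dev-002","os_version":"6.1.3","passcode_set":false,"compromised":false,"hours_since_checkin":5,"apps":["mail"]}
{"device_id":"dev-003","os_version":"7.1","passcode_set":true,"compromised":true,"hours_since_checkin":90,"apps":["mail","sideloaded-game"]}
`

func main() {
	findings, err := EvaluateInventory(DefaultPolicy(), sampleInventory)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s  %-32s -> %s\n", f.DeviceID, f.Rule, f.Remedy)
	}
}
```

Run over the sample, dev-001 is clean, dev-002 fails the OS floor and passcode rules, and dev-003 is flagged as compromised, stale and carrying an unapproved app. A compromised device is listed before anything else on purpose: the policy engine's order is what an automated remediation queue will act on first, so the rule that justifies quarantine has to come ahead of the ones that only justify a configuration push.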