DOD Security Requirements Drive Commercial Smartphone Development
The Defense Department has long been the gold standard for securing and adopting technology in the federal government. Companies know if their solution is good enough for DOD, it’s likely to meet requirements set by civilian agencies and even their commercial customers.
In the mobility space, that’s a winning value proposition for big-name companies such as Samsung and Apple. While DOD may be only a small fraction of their customer base, the payoff for catering to DOD could be huge.
“What we’re trying to do is a forming between government and our industry partners to try to get to this desired end state,” said Rob Anderson, chief of Command, Control, Communications and Computers-Vision & Strategy Division at Marine Corps Headquarters. “I believe that our industry partners are realizing that if we can crack this nut on how to do personal devices on a government network, it’s going to open that aperture up for a very large segment that’s not even touched right now.”
Legal organizations and medical and financial institutions could benefit from the investments. Speaking Wednesday at the fourth annual Mobile Technology Summit, hosted by AFCEA Washington, D.C., Anderson noted the direct effect the Marine Corps has already had on one of its partners.
The service conducted a penetration test of a secure container to see if it could hack the device and extract usable data, Anderson explained. “[We] only got a snippet of that information,” he said. The results were relayed back to the company, and the platform was modified to address the security gap. The increased security added value to customers, and changes were made at no cost to the government, he added.
DOD has shared its requirements with industry, and companies are responding. Even Apple has taken steps to align with federal security standards. The company's iOS 6 operating system was approved for government use last year.
Not Everyone In Government Opposes Apple Encryption
The FBI director sees Apple’s new encryption feature in iOS 8.1 as an enabler for criminals seeking to evade the law, but others see it as a boost to government security and swear by it.
“IOS 8.1 cannot be broken into,” Anderson said. “There is absolutely no way, and I’m saying this because I’ve spoken to our Apple representatives extensively about the security platform,” as well as ethical hackers in industry.
A password-protected, secure container would add another layer of security to a device running iOS 8.1, he added.
The Marine Corps is leading a bring-your-own-device pilot that Anderson expects will evolve into a viable solution by next year. The Corps expects that allowing Marines to connect their personal devices to the network will drastically reduce costs.
If a solution is not developed by the third quarter of fiscal 2015, which runs from April to June, Anderson said the Marine Corps’ inventory of mobile devices will drastically decrease because of reductions to the operations and maintenance budget.
One concern is how agencies would carry out requirements to continuously monitor devices if employees were using personal smartphones guarded by Apple encryption, said Mark Norton, senior systems engineer in DOD’s Office of the Chief Information Officer. And what about mobile users' First and Fourth Amendment rights?
Anderson said secure containers for mobile devices could provide monitoring and detailed reports of only what occurs within the government container. Data are transmitted between a secure VPN and an organizational cloud.
“The next piece to this, and where I think we’re really going to see a huge movement and leap forward in acceptance, is when these industry partners can locate their cloud resources in FedRAMP data centers,” he said.