Friday, April 19, 2013

US DoD is adopting Mobile Technology - status and challenges

The US Department of Defense (DoD) recently released its Commercial Mobile Device (CMD) Implementation Plan, which will equip the DoD's 600,000 mobile-device users with secure classified and protected unclassified mobile solutions.

This plan updates the DoD's mobile strategy.

The following video presents some of the Mobile Technology applications (and security challenges) in the US Army:

The following is a very interesting DoD press briefing on the CMD Implementation Plan (25 February 2013):

The DoD is pursuing two separate working paths to accomplish the plan:

1. The Defense Information Systems Agency (DISA) released the Mobile Device Management (MDM) / Mobile Application Store (MAS) Request for Proposal (RFP) in October 2012. The MDM capability will function as a "traffic cop", enforcing policy for the network and for user end devices.

2. DISA's mobility pilot started in May 2012 and builds enterprise mobile capabilities. Participants partner with DISA for the pilot's unclassified side, while teaming up with the NSA to address the classified side of mobility. The following table lists several component mobility pilots and initial operational uses:


The goal - development of an enterprise Mobile Device Management (MDM) capability and Mobile Application Store (MAS) to support multivendor (BlackBerry, iOS, Windows and Android), CAC-enabled, government-furnished devices by February 2014.

The scope - establishment of a separate, reliable, secure and flexible wireless infrastructure for unclassified (DISA) and classified (NSA) devices and mobile applications.

The interesting news - a deployment plan for a new NSA security architecture that, for the first time, permits the use of commercial products for classified communications.


The Commercial Mobile Device Working Group (CMDWG) - will review and approve, on an ad-hoc basis, standards, policies, and processes for the management of mobility solutions and mobile applications.

The (several) challenges:
  • The transfer from decentralized to centralized MDM services.
  • The optional usage of commercial devices, MDM / MAS solutions and accreditable cloud solutions.
  • Federated management and certification for mobile applications.
  • For the device security compliance process, DISA is using new Security Requirements Guides, a set of security standards with which each device or application must comply (instead of the STIG process, which is relatively long).
  • Continuous monitoring and enforcement of policy compliance for the configuration of applications and OSs.
  • Secured authentication of mobile devices and users in unclassified networks.
  • Processing of classified information on commercial mobile infrastructure, devices and applications:
    • Establishment of a separate MDM / MAS infrastructure for classified information.
    • Encrypting information using a minimum of two independent layers of Suite B commercial encryption.
    • Deployment of CMD architectures and implementations using NSA-approved standards.
    • Protection of voice communications on carrier infrastructure, and also using gateways for interoperability with the PSTN.
    • Use of secured hardware tokens for trusted user identification and authentication to SIPRNet.
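To illustrate the "two independent layers of Suite B encryption" requirement above, here is an added Go example (not code from the post, nor from DISA or the NSA) that wraps data in two AES-256-GCM layers under independently generated keys, so that a single compromised key or a tampered byte never exposes the plaintext. The function names and the nonce-prepended wire format are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// NewLayer builds one AES-GCM (Suite B AEAD) layer; pass a 32-byte key for AES-256.
func NewLayer(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// seal encrypts data under one layer, prepending a fresh random nonce.
func seal(layer cipher.AEAD, data []byte) ([]byte, error) {
	nonce := make([]byte, layer.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return layer.Seal(nonce, nonce, data, nil), nil
}
// open reverses seal; a failed authentication tag yields an error, never plaintext.
func open(layer cipher.AEAD, sealed []byte) ([]byte, error) {
	n := layer.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return layer.Open(nil, sealed[:n], sealed[n:], nil)
}

// DoubleSeal wraps plaintext in the inner layer, then the outer; the two keys must be independent.
func DoubleSeal(inner, outer cipher.AEAD, plaintext []byte) ([]byte, error) {
	ct, err := seal(inner, plaintext)
	if err != nil {
		return nil, err
	}
	return seal(outer, ct)
}
// DoubleOpen peels the outer layer, then the inner; either tag failing aborts the whole decryption.
func DoubleOpen(inner, outer cipher.AEAD, sealed []byte) ([]byte, error) {
	ct, err := open(outer, sealed)
	if err != nil {
		return nil, err
	}
	return open(inner, ct)
}
```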