Secure app store, more mobile devices coming to DoD

Thursday - 4/5/2012, 5:12am EDT

Bruce Bennett, program executive officer for communications, Defense Information Systems Agency

Download mp3

If all goes according to plan, the Defense Department is about a month and a half away from opening its own walled-off, DoD-only app store for secure mobile devices.

Along with that, the military is promising a speedier security review process so that smartphones aren't obsolete by the time they're allowed to connect to Defense networks. The actions are part of the Pentagon's first comprehensive effort to build a departmentwide infrastructure to support a new generation of mobile devices Defense personnel have wanted to use for years.

"You're going to see things coming out of my office fast and furious," said Bruce Bennett, the program executive officer for communications in the Defense Information Systems Agency. "Our goal is to have a complete infrastructure up within the next 15 months. And we'll have usable enterprise mobile capabilities up and running within the next quarter."

The mobile infrastructure will initially be geared to support devices and applications based on Google's Android, Apple's iOS, Research in Motion's Blackberry and Microsoft's Windows Mobile operating systems.

While the individual military services each have their own set of mobile infrastructure and app store pilot projects underway in various stages of progression, Bennett said the DoD goal is to streamline and tie together those efforts rather than take them over.

"That has never worked in the past and it's never going to work in the future," he said. "What we have to do is figure out what is common across all of them, set it up as a common service, and then allow each of them to do what is unique to the Air Force, Army, Navy or other federal agencies."

Common services DISA will provide across the entire DoD infrastructure will include providing a single face to commercial mobile network providers so that military services don't have to negotiate their own service contracts and security protocols with telecoms. Military branches will be allowed to run their own app stores if they choose, but they would be interoperable with and accessible from the DoDwide marketplace DISA will operate.

For that new federated store, DoD envisions a security approval process for new apps that would operate at light speed, by Pentagon standards: DISA hopes to publish a security requirements guide for mobile apps within the next 60 days. After that, vendors or individuals who want to build apps for the new secure store would have to certify their software meets those requirements. Then, a DoD certification lab would check their work and give a thumbs-up-or-down within no more than 72 hours.

"We're trying to put all those processes in place to work at the same time and speed that the Apple App Store works," Bennett said. "We want to do these things in real-time, because the applications are being produced in real time."

For the most part, DoD expects the apps that populate its initial store to be only minor variations on the popular software that mobile users can already find in the Apple store and the Android Marketplace. Bennett said he expected 10 percent or so of the apps to have specialized DoD focuses. The rest would be slightly tweaked versions of commercial mobile software.

"We are not going to reinvent the wheel," he said. "Most applications are developed by individuals and small companies, and we're going to leverage the same thing. We're going to look at the apps that are most suitable for our warfighters. The only thing we might have to do is ask the developers to disable Bluetooth, or change the software so that instead of relying on the Apple cloud or the Google cloud, it points to the DoD cloud. That might be the only change it needs to have for it to be acceptable for us."

Even if the approval process for new apps would be relatively painless, the approval process for the devices that would run them has been anything but.

Five years after the introduction of the first iPhone, the device is still verboten on DoD networks except for test purposes because DISA has not yet finished work on a security technical implementation guide (STIG) that would document how to patch and configure Apple's operating system to meet DoD security standards. As for Android, a STIG has been published for one device, but the manufacturer had already stopped producing it by the time the STIG was finalized.

Army officials said recently they wanted to abandon the STIG security approval process entirely and find a faster way to certify mobile devices. A solicitation asking industry for help is expected soon.