DoD to rev up the cyber approval process for mobile devices
Thursday - 8/9/2012, 10:44am EDT
Instead of going through the lengthy security technical implementation guide (STIG) approval process, the Defense Information Systems Agency wants to put the ball in the vendors' court.
Alex Froede is a mobile security support contractor specializing in DISA's Security Technical Implementation Guides. He said the goal is to set high-level requirements across four areas and then ask the vendors to tell DoD how they are meeting those security requirements.
DoD then will review the vendors' documents and decide whether they meet the Pentagon's security requirements, Froede said at the Federal Mobility Computing Summit sponsored by Mobilegov in Washington.
"DISA's certification authority would make a recommendation about whether the product or service deals with the risk appropriately," he said. "Then it could be used by any of the services or Defense agencies, or any other federal agency for that matter."
Froede said DoD is basing its efforts on the National Institute of Standards and Technology's Special Publication 800-53 guidance and other security best practices.
These are the four areas in which DISA will provide guidance to vendors:
- Mobile operating systems: The guide will list the security requirements used by DoD for iOS, Android, Windows and BlackBerry.
- Mobile device management: This would outline the security baseline for the management of applications, plus the integration and validation of those apps.
- Mobile apps: This document isn't product guidance but a security baseline for apps used on the DoD's network. Froede said it will focus on vendors who provide network application scanning tools. He said some of these checks will be automated and some will be manual.
- Mobile policy: The guidance will address non-technical requirements for deploying mobile products and services, including providing training for end users and system administrators.
Froede said DISA will publish the draft guidance in the next few weeks.
"The results will be the development of STIGs much faster than today," he said. "We hope the new STIG process will solve some of the problems found in how long it takes for us to get these out. People are willing to set up their devices to be secure if they are told how to do it. We think once the STIG is available, it will take one or two months to decide whether to approve it."
DoD finally decided to change the STIG development process after it took more than a year to approve the Dell Streak tablet, only for the company to discontinue making and supporting the product shortly afterward.
Froede said one of the big benefits of this new approach is other agencies can review and use the vendor-developed security documents.
"They can read the approval decision and decide whether to use it or not," he said.
The concept meshes with the Office of Management and Budget's Digital Government Strategy. OMB wants agencies to share apps more readily and to trust one another's assessments of the security of these systems and apps.