Army tired of waiting for new mobile devices
Tuesday - 3/20/2012, 5:24am EDT
The handheld devices made by Research in Motion have been the only broadly-deployed pieces of hardware that met the Defense Department's security requirements, such as encryption that fits the federal security standard known as FIPS 140-2, enterprise device management and integration with the military's Common Access Card, letting users sign and encrypt email.
The Army is looking for an entirely new process for putting mobile gear in the hands of users.
Maj. Gen. Steven Smith, cybersecurity chief for the Army chief information officer (DoD)
Having a new device certified under the DoD's Security Technical Implementation Guide (STIG) process is neither easy nor quick, Smith said. It took DoD many, many months to compile a STIG for its first non-Blackberry device: an Android-based tablet known as the Dell Streak.
"We just got a STIG issued for a great mobile product that vendors no longer even sell. They won't even discount the price. Sure, we'll take 100,000 of those," Smith said to laughter at an industry event in National Harbor, Md. "We've got to get out of this business."
Though the Army wants to get out of the arduous business of testing and certifying each new device and each new mobile operating system against existing protocols, it's not entirely sure what comes next. So, the Army, the Defense Information Systems Agency and the National Security Agency are preparing to release a broad agency announcement to ask industry to put forth its best ideas.
"We want to get to the point where you bring your own device," he said. "We might even get to the point where we get out of the government-furnished equipment business altogether. I don't know. But I've told Gen. [Susan] Lawrence we're not going to do STIGs anymore."
BYOD is possible
Lt. Gen. Lawrence, Smith's boss and the Army's CIO, said the bring your own device strategy would work if industry can prove some reliable and secure ways to turn mobile devices into something like thin clients that access Army systems without storing any sensitive data. Then, previously vexing problems like encryption of data at rest become a non-issue.
"When you log in with your device of choice, you're going to agree that you're going to allow us to scan you for malware and viruses and insider threats," Lawrence said. "And we're going to keep the data in the cloud. It's not going to reside on the device. When you log in, we can decide which parts of the cloud you should have access to. At the end of the day, you can go lose your Droid and I don't care."

Smith said the Army also wants industry to tell it how to solve its Common Access Card (CAC) problem. Currently, users have to insert their physical PKI-enabled cards into a separately-attached sled whenever they want to use their Blackberrys to send a digitally-signed email.
"Our end users hate those CAC card readers when they have to go sync those puppies up, and we make them do it every time. The things eat batteries like nobody's business," Smith said. "So what do they do? They don't bother. And they'd really like to go out to other devices where the user experience is much better."
Army officials aren't saying exactly when they'll release the broad agency announcement, but Smith indicated the timeline is aggressive: the Army wants to make awards under the BAA by the end of this calendar year.
Lawrence said the new mobile path will rely on a lot of the work the Army acquisition community has already been doing under the banner of the Army Common Operating Environment.
Computing environments are changing
The idea is to adopt industry-led standards, then broadly publish whatever the Army comes up with so industry knows what's acceptable before it makes an offer on a given procurement. Mobile technology is one of several "computing environments" the Army has defined and has been working on.
Lt. Gen. Susan Lawrence, Army CIO (DoD)
The shift to commercial mobile devices and other commercial-off-the-shelf technologies is part of a broader transformation the Army is preparing for as it moves from 10 years of nonstop deployments back to being an Army that's based primarily in the continental United States. As it stands today, the technology gap between a soldier in Afghanistan and a soldier in North Carolina is huge.
Lawrence recalled one conversation with a formerly-deployed commander, Gen. Lloyd Austin, who is now the Army's vice chief of staff.
"He said, 'Susan, you give me everything I need to command and control the fight out there, but when I come home to Fort Bragg, I come home to the stone ages,'" she said.
He's right, Lawrence said. The Army spent lots of money making sure its urgent operational needs were fulfilled. The end result is state-of-the-art battlefield systems that generally work very well — at least in Afghanistan.
Army fixing camps, stations networks
But they can't interface with networks that were allowed to grow their own way on individual posts, camps and stations where troops will now spend most of their time preparing for the next battle.
Lawrence said about 85 percent of Army bases in the continental U.S. are running on what she called "antiquated" networks. As troops come home, making sure those IT systems are at least as good as what they had in combat is the Army's next focus point.
"We're just going to have to bite the bullet and resign and redesign the entire architecture of the networks we have in the continental United States," she said. "Today, we have at least 500 local-level entry points [to the Internet]. It just makes us an absolute sieve. We have to collapse those behind about 20 or so regional entry points, put sensors on them and truly start doing some defense of our network and protection of our information."
The Army maintains it already has a big jump on centralizing and managing its IT functions. For example, bases no longer run their own email systems.
The Army restarted its migration of accounts to a new enterprise email system Monday after a Congressionally-mandated pause. The service expects to finish moving all of its own personnel to enterprise email — both secret and non-secret accounts — by March of next year.
Other parts of DoD want in, Lawrence said. The Pentagon's Joint Staff will migrate its email to the new system this week, and the National Security Agency has asked to come on board. DoD joint combatant commands, including the U.S. European Command and Africa Command, are part of the current migration. DoD's Southern Command has asked to join in as well, Lawrence said.