DoD to rev up the cyber approval process for mobile devices
Thursday - 8/9/2012, 10:44am EDT
Instead of going through the lengthy security technical implementation guide (STIG) approval process, the Defense Information Systems Agency wants to put the ball in the vendors' court.
Alex Froede is the Mobile Security support contractor specializing in DISA's Security Technical Implementation Guides. He said the goal is to set high-level requirements across four areas and then ask the vendors to tell DoD how they are meeting those security requirements.
DoD will then review the vendors' documents and decide whether they meet the Pentagon's security requirements, Froede said at the Federal Mobility Computing Summit sponsored by Mobilegov in Washington.
"DISA's certification authority would make a recommendation about whether the product or service deals with the risk appropriately," he said. "Then it could be used by any of the services or Defense agencies, or any other federal agency for that matter."
Froede said DoD is basing its efforts on the National Institute of Standards and Technology's special publication 800-53 guidance and other security best-practices.
These are the four areas in which DISA will provide guidance to vendors:
- Mobile operating systems: The guide will list the security requirements used by DoD for iOS, Android, Windows and BlackBerry.
- Mobile device management: This would outline the security baseline for the management of applications, plus the integration and validation of those apps.
- Mobile apps: This document isn't product guidance, but a security baseline for apps used on the DoD's network. Froede said it will focus on vendors who provide network application scanning tools. He said some of these will be automated and some will be manual.
- Mobile policy: The guidance will address non-technical requirements for deploying mobile products and services, including providing training for end users and system administrators.
Froede said DISA will publish the draft guidance in the next few weeks.
"The results will be the development of STIGs much faster than today," he said. "We hope the new STIG process will solve some of the problems found in how long it takes for us to get these out. People are willing to set up their devices to be secure if they are told how to do it. We think once the STIG is available, it will take one or two months to decide whether to approve it."
DoD decided to finally change the STIG development process after it took more than one year to approve the Dell Streak tablet — only for the company to discontinue making and supporting the product shortly afterwards.
Froede said one of the big benefits of this new approach is that other agencies can review and use the vendor-developed security documents.
"They can read the approval decision and decide whether to use it or not," he said.
The concept meshes with the Office of Management and Budget's Digital Government Strategy. OMB wants agencies to share apps more readily and trust each other about the security of these systems and apps.