The Defense Department will permit some Android mobile devices to operate on its networks on a large-scale basis for the first time, a step the Pentagon has allowed, so far, only in limited pilot projects, DoD officials said Thursday.
The authorization came under the auspices of the release of a new package of security technical implementation guides (STIGs), which govern the lock-down process for commercial hardware and software on DoD networks.
In addition to permitting Android devices outfitted with Samsung’s Android Knox, a hardened version of Google’s mobile operating system, Defense is also granting approval for several recent products made by BlackBerry, the overwhelming incumbent in the market for DoD handhelds. The approval encompasses the Canadian company’s new BlackBerry 10 smartphones, its PlayBook tablets and the latest version of the proprietary back-end servers it uses to handle email.
“This is a significant step towards establishing a multi-vendor environment that supports a variety of state-of-the-art devices and operating systems,” said Damien Pickart, a DoD spokesman. “The level of security necessary departmentwide does not rest solely on any one mobile device. The network and software must also be secured and managed appropriately. An integral part of the secure mobility framework will be the mobility device management and mobile application store, which is in source selection now and anticipated for award in early summer.”
Tens of thousands of devices coming
The Pentagon has an ambitious plan to roll out up to 100,000 new secure mobile devices by the end of 2014. It’s also planning a big investment in a DoD-wide mobile device infrastructure. But the department believes that spending will pay for itself in short order. The implementation of DoD’s new enterprise mobility plan envisions the department buying tens of thousands of Apple, Android, Windows Mobile and BlackBerry devices during its first phases over the next year and a half, along with the procurement of a new integrated mobile device management (MDM) system and app store to serve the entire department.
While DoD hasn’t yet awarded a contract for the device management solution, it’s currently estimating that the cost of the overall mobility plan will be paid back within the first 15 months of its life as DoD components move from a go-it-alone approach to mobility to a more centralized strategy.
“All the front-end investment, all the networking, all the mobile device management, within about a year and a quarter, it will pay for itself,” said Maj. Gen. Robert Wheeler, DoD’s deputy chief information officer for command, control, communications and computers. “We’re talking about purely cutting down on the costs that we have today with our fragmented methodology. From a taxpayer perspective, it’s a good approach. But from the perspective of jumping the productivity curve, it’s an even better approach. We don’t even know how far we can go with this, and I think that’s the exciting part of it.”
Wheeler, who spoke Tuesday in Washington at a conference organized by the Mobile Work Exchange, said the cost savings estimate doesn’t include some of the spending reductions the military will see from replacing more costly desktop computers and laptops with off-the-shelf mobile devices, savings it also expects to be substantial.
Much of DoD’s strategy rests on the implementation of a centralized app store and device management system. The department is expected to make an award to build that infrastructure in the next several weeks.
Pilot programs already showing potential
When the enterprise solution is in place, it will replace more than 70 pilot programs the military services have been conducting in the effort to overcome security and other challenges around commercial mobile devices.
“We’re trying to take the best of all of these pilots and put them into our enterprise. We’re taking the pieces that have been successful and we’re discarding the pieces that have not been successful or too costly,” he said. “They have to follow three rules: it has to be as secure as things are today, it has to be cheaper, and it has to help us jump the productivity curve.”
Wheeler said some of the pilot programs have already yielded big savings in their own right. The Air Force, for example, took only a month to offset its investment in commercial tablet devices for on-board flight publications because of the money it saved by no longer having to carry up to 80 pounds of constantly-changing paper charts aboard each aircraft.
“You think of the fuel savings, you think of the ability to update it electronically, and it was a big savings. Everything after that first month that we owned it was just pure gravy,” he said.
DoD also has a fairly solid but still incomplete understanding of how to improve and accelerate its process for issuing security approval for new mobile devices on DoD networks. The department wants to bring that cycle down to less than 30 days for new commercial devices, new mobile operating systems and new mobile apps.
The current process takes about a year, as the department learned when it tried for the first time to grant approval for the use of a commercial device on classified networks.
The National Security Agency led the effort to turn an off-the-shelf Motorola Razr Maxx into a handheld that could be trusted on DoD’s Secret Internet Protocol Router Network (SIPRNet). It succeeded, and the device is in use today. But it was off the commercial market by the time the Pentagon’s security approval process was able to digest it.
“That was our first classified test phone, and we expected that to happen. But we also learned very quickly that that was not the way to do things in the future,” Wheeler said. “Thirty days is the way to go. If we don’t do this right and have the security requirements defined up front so that vendors understand them, we’re just adding risk to ourselves.”
With the new process, DoD plans to phase out the use of the SME-PED, the only mobile device that’s been allowed on classified networks until recently. The device, custom-built for DoD by General Dynamics, is several times thicker than a BlackBerry, can’t access 3G or 4G data networks and costs more than $8,000 per unit.
But Wheeler said DoD won’t be able to fully nail down the speedier approval process until its new mobile device manager is up and running.
Nor has the department figured out how it will handle two-factor authentication with the new crop of mobile devices. Officials want to move away from using clumsy add-on smart card readers that capture the credentials from users’ common access cards, and the problem is not yet solved.
“If you have 127 emails and it takes you one minute to go through each one of those because of this CAC card machine, you’re never going to get your job done,” Wheeler said. “You’re going to end up figuring out a way to work around the system in a way that lets you get your job done but not having the security you need. The way we’re doing this right now is cumbersome. It’s not the way we should be in five years. I don’t think it’s the way we should be in two years. I think there are technologies that are cheaper, faster, and can personally identify an individual through biometrics much faster than we can do today.”
Wheeler said DoD wants to insert new technology quickly, but it’s also taking a cautious approach in some areas. The department sees a bring-your-own-device (BYOD) strategy as too risky right now, so it’s watching the experience of other federal agencies. But by 2017, DoD expects wireless technology to be the primary way its uniformed and civilian employees handle day-to-day voice and data communication.