Apple iOS 6 mobile devices have the green light to join Defense Department networks.
The Defense Information Systems Agency approved the Apple operating system today just about two weeks after sanctioning the use of Samsung Knox, running the Android operating systems, and Blackberry 10 devices.
Every device needs a Security Technical Implementation Guide (STIG). A STIG outlines the security requirements for a device joining the department’s IT network. Once a STIG is completed, the department can start soliciting vendors to buy the devices and help integrate them into the overall IT infrastructure.
DISA’s approval of the Apple iOS 6 STIG is another piece of DoD’s Commercial Mobile Device Implementation Plan. The department hopes to add about 100,000 multivendor devices, from mobile phone to tablets, to its network by February 2014.
Next step is mobile device management contract
Right now, DoD has more than 600,000 commercial mobile devices interacting with its networks, most of which are BlackBerry devices. DoD is testing about 41,000 Apple and 8,700 Android devices.
DISA will set up a mobility device management (MDM) system later this year. The contract is in source selection now, and DISA anticipates making an award in early summer.
The MDM is a key piece to ensuring the security of mobile devices. DISA said the MDM will provide a process for managing and distributing mobile applications and an enhanced cyber defense infrastructure.
“All of these pieces must be in place to allow the secure use of commercial mobile devices on department networks,” said Mark Orndorff, DISA information assurance executive and program executive officer for mission assurance and network ops, in a release. “DISA is running a pilot program today where we bring this all together.”
In the past, it was difficult for mobile devices to join Defense networks because of the dense logistics involved with approving security and technical requirements. DISA recently changed its approval policies to speed up the process. Part of the new policy lets DoD approve use of the devices even before they’re commercially available to the public.
Specifically, DoD now uses Security Requirements Guides (SRG), a map of security requirements vendors need to follow for their devices and services to join defense networks. If they match the requirements, they complete their own STIGs. Before, the department had to produce its own STIG for each device.
DISA shifts workload to vendors
SRGs are the critical piece in DISA’s accelerated approval process. By lining up the security requirements up front, the work involved with investigating and preparing a mobile device falls to the vendor.
“Most of the work is done from the vendor side; we just do a review,” John Hickey, DISA’s mobility program manager, told Federal News Radio earlier this week. “That’s totally different than what we’ve done in the past, where we wait for a product to come out, then we start asking, ‘Can you lock this down?’ That’s a long process. This is a success story and an example of how you do it in the future.”
Back when DISA had to produce its own STIGs, the process was onerous. It could sometimes take so long, by the time a device was approved for the network it was technologically obsolete.
DoD is working towards shrinking its security approval process to 30 days.
None of the STIGs for any of the mobile devices allow personal devices to connect to DoD networks.