DoD looks to outsource management of its mobile devices

The Defense Department has started shopping for a vendor who can deliver "end-to-end" management of its mobile devices, all the way up to the top-secret level.

Two years after the Defense Information Systems Agency launched its first program to let iPhones and Android devices connect to DoD networks in a way that could be centrally managed and secured, officials are looking to outsource the entire affair to a private firm.

In a request for information initially posted in late October and updated over the past week, DISA officials started the shopping process for a “single service manager” that would assume responsibility for most of the functions the agency itself provides today, including mobile device management, an app store, helpdesk services and billing functions.

In part, DISA wants to know whether it’s feasible for one company to take over the end-to-end management of its mobility program at all security levels, including the ability to handle secret, and eventually, top-secret data.

The agency also wants any vendor-managed solution to cost less than DISA’s own rate card: currently $161 per customer, per month for classified phones and $8 per month for unclassified devices.

The potential contract would last for up to five years and would serve anywhere between 100,000 and 300,000 users during a gradual phase-in from the government-managed service to a privately operated one. But DoD is also asking vendors to submit their rough estimates for what they’d charge to cover an unlimited number of users on a per-person basis. The RFI also asks vendors if they could support a “bring your own device” approach, a topic DoD leaders have been lukewarm about thus far.

DISA officials are a bit cagey in this early stage of a potential procurement about exactly how they envision a private vendor managing DoD’s mobile devices. For instance, the RFI signals that any mobile device management (MDM) software a winning bidder might use would have to be approved through the National Information Assurance Partnership, but as one vendor pointed out, no MDM product — not even the one DISA is using right now — has gained NIAP certification. DISA’s answer: “The Government shall adhere to the evolving requirements of the NIAP.”

The quest for a vendor who can manage top-secret phones is another indicator that the Single Service Manager concept is still in an early stage. While DISA’s government-managed program has begun to field secret-level devices to a limited number of users, the agency is still working through the legalities of letting DoD employees view top-secret data on commercial devices.

“We’re working on a top-secret device — they came in and put the first one on my desk last week and said, ‘here it is,’” Lt. Gen. Alan Lynn, DISA’s director, told an AFCEA breakfast in northern Virginia this week. “But we’re still working through all the rules. The community right now is pretty locked into the idea that top-secret data has to be handled in a [sensitive compartmentalized information facility], so are you going to have to take your mobile device into a SCIF before you can use it, or just ignore that piece?”

The single service manager, as envisioned, also would need to use DoD PKI certificates for user authentication under the derived credential program the department has already begun, in which certificates are stored on the phone itself, eliminating the need to insert a user’s Common Access Card into a separate card reader to perform functions like signing and encrypting email.

A winning vendor who wanted to use a cloud environment to manage DoD’s mobile phones would have to be certified by the governmentwide FedRAMP process and also get an authority to operate through DISA’s “FedRAMP-Plus” process, an extra layer of security precautions DoD imposes for anything beyond low-sensitivity, unclassified data. Companies would need their products to be certified to at least the Impact Level 5 DoD laid out in its recent security requirements guide for cloud computing, and Impact Level 6 if they hope to operate a system that also deals with classified data.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
