The Defense Department is changing the way it approves smartphones and tablet computers for use on its network.
Instead of going through the lengthy security technical implementation guide (STIG) approval process, the Defense Information Systems Agency wants to put the ball in the vendors’ court.
Alex Froede is the Mobile Security support contractor specializing in DISA’s Security Technical Implementation Guides. He said the goal is to set high-level requirements across four areas and then ask the vendors to tell DoD how they are meeting those security requirements.
DoD then will review the vendors documents and decide whether they meet the Pentagon’s security requirements, Froede said at the Federal Mobility Computing Summit sponsored by Mobilegov in Washington.
“DISA’s certification authority would make a recommendation about whether the product or service deals with the risk appropriately,” he said. “Then it could be used by any of the services or Defense agencies, or any other federal agency for that matter.”
Froede said DoD is basing its efforts on the National Institute of Standards and Technology’s special publication 800-53 guidance and other security best-practices.
These are the four areas DISA will provide guidance to vendors:
Mobile operating systems: The guide will list the security requirements used by DoD for IOS, Android, Windows and Blackberry.
Mobile device management: This would outline the security baseline for the management of applications plus the integration and validation of those apps.
Mobile apps: This document isn’t a product guidance, but a security baseline for apps used on the DoD’s network. Froede said it will focus on vendors who provide network application scanning tools. He said some of these will be automated and some will be manual.
Mobile policy The guidance will address non-technical requirements for deploying mobile products and services, including providing training for end users and system administrators.
Froede said DISA will publish the draft guidance in the next few weeks.
“The results will be the development of STIGs much faster than today,” he said. “We hope the new STIG process will solve some of the problems found in how long it takes for us to get these out. People are willing to set up their devices to be secure if they are told how to do it. We think once the STIG is available, it will take one or two months to decide whether to approve it.”
Froede said one of the big benefits of this new approach is other agencies can review and use the vendor-developed security documents.
“They can read the approval decision and decide whether to use it or not,” he said.
The concept meshes with the Office of Management and Budget’s Digital Government Strategy. OMB wants agencies to share apps more readily and trust each other about the security of these systems and apps.