Pentagon establishes security rules for tactical WMANs

A new directive establishes baseline requirements for securing wireless networks in the field and replaces earlier policies.

The Defense Department has set basic security requirements for the military’s tactical use of wireless metropolitan area networks (WMANs) by specifying the types of encryption the military must use for classified and unclassified information.

The Jan. 30 directive establishes a policy for acquiring, implementing and operating wireless technologies based on the IEEE 802.16 standard. It focuses primarily on ensuring that appropriate security controls are applied to WMANs used in tactical environments.

Under the policy, tactical WMANs are considered national security systems. The policy requires strong multifactor authentication, end-to-end encryption validated under Federal Information Processing Standard (FIPS) 140, transmission security techniques that limit exploitation of radio signals, and the capability to screen for unauthorized devices on the network. WMANs are no longer allowed to operate in the 3.3 GHz to 3.65 GHz band because of interference issues.

The directive replaces a policy released in February 2007 governing the use of Advanced Wireless Services in the 3.4 GHz to 3.65 GHz band. The new directive does not apply to Sensitive Compartmented Information communications that fall under the authority of the director of national intelligence.

The Defense Information Systems Agency will develop security implementation guidelines for the policy, and the National Security Agency will assess WMAN risks and vulnerabilities and conduct security research.

As for specific standards, systems that handle unclassified information must use FIPS 140-validated encryption based on IEEE 802.16e-2005 with 128-bit Advanced Encryption Standard (AES) in CCM mode to protect Layer 2 radio data frames. If devices that adhere to that standard are not available, another FIPS 140-validated device must be used. For classified information, an NSA Type 1 High Assurance IP Encryptor (HAIPE) must be used to protect data packets.

WMAN systems used solely for backhaul operations that do not directly connect with user devices are exempt from the policy, but DOD components must protect the data in transit by using FIPS 140-validated encryption modules for unclassified information and NSA Type 1 HAIPE for classified information.

The directive is effective immediately and will become a DOD Instruction within 180 days.