DOD working to fill in the blanks on BYOD strategy

Defense Department workers looking to use at work those new iPhones, tablets and smart phones they received as holiday gifts will have to wait a bit longer, as DOD officials continue to parse out their policy for the use of personal mobile devices in the workplace. 

More than 40 percent of government workers are thought to use their personal devices for work tasks, yet only 12 percent of them are encouraged by their agencies to “bring their own devices” (BYOD), a 1105 Government Information Group survey has found. 

DOD, however, stands apart from other government agencies because it makes its own policies, said Jon Green, director of government solutions for Aruba Networks, an infrastructure provider focused on connecting mobile devices to their applications.  

In a bid to capitalize on the full potential of mobile devices, DOD outlined is intentions for a strategy last June, saying it wasn’t just about keeping up with technology, but also “keeping the DOD workforce relevant.” The strategy is centered on beefing up the enterprise infrastructure to support mobile devices, creating strategies and policy and developing DOD web-enabled applications. 

“It feels to me that they’re getting ready for a pretty major ramp-up,” Green said. “They’re trying to be full-speed ahead, but they’re also trying to do it in a way where they don’t break things.” 

DOD is shoring up the infrastructure requirements by upgrading spectrum management, expanding wireless infrastructure that would enable commercial devices access to classified material and establishing a security architecture, such as Mobile Device Management (MDM), which allows enterprise control over a commercial device.

In the short term, however, personal devices stand an easier chance of connecting to the Internet in the DOD workplace than gaining access to the DOD network.

“For today, the proposition of connecting these devices to the actual DOD Unclassified NIPRNet type network, that’s a pretty high bar to meet for most mobile devices,” Green said. DOD requires that devices use Federal Information Processing Standard (FIPS) validated encryption, which isn’t currently built into commercial devices such as iPads or Android tablets. Additionally, DOD network access requirement of authenticating identity by a Common Access Card (CAC) is complicated by a scarcity of smart-card readers for commercial devices.

“The gist of it is, if you can get that traffic outside to the public Internet, then they have some very small requirements,” Green explained. Those mandates would include encryption, although not FIPS validated encryption; authenticating users getting onto the network; and running wireless intrusion detection. “That’s a pretty low bar. A lot of people can run those requirements,” he added.

“I feel like [other agencies] are a little bit ahead in terms of having a policy that is actually written down,” Green said. “There are a lot of agencies that don’t have any policy at all, so the default is to say ‘no.’ It’s the wrong approach because they’re denying themselves a useful tool.”