Army has lost control of its mobile devices, says DOD IG
The inspector general of the Defense Department reports that the Army's Chief Information Office/G-6 has, in essence, lost control over commercial mobile devices (CMD) within the Army, and that more than 14,000 smartphones and tablets are untracked.
The inspector general of the Defense Department reports that the Army’s Chief Information Office/G-6 has, in essence, lost control over commercial mobile devices (CMD) within the Army, and that more than 14,000 smartphones and tablets are untracked. The upshot is that the Army CIO office does not have an effective cybersecurity program that identifies and mitigates risks surrounding CMDs and removable media, according to the DOD IG.
“The Army did not implement an effective cybersecurity program for commercial mobile devices,” wrote Alice Carey, assistant DOD inspector general for readiness, operations and support, in a memorandum dated March 26. “If the devices remain unsecure, malicious activities could disrupt Army networks and compromise sensitive DOD information.”
According to the IG report, entitled, Improvements Needed With Tracking and Configuring Army Commercial Mobile Devices, the “Army CIO did not implement an effective cybersecurity program for CMDs. Specifically, the Army CIO did not appropriately track CMDs and was unaware of more than 14,000 CMDs used throughout the Army.” (The figure excludes Blackberry devices.)
Additionally, the Army CIO did not ensure that commands configured CMDs to protect stored data. According to the DOD IG, the CIOs at the U.S. Military Academy (USMA), West Point, NY, and the Army Corps of Engineers’ Engineer Research and Development Center (ERDC), Vicksburg, MS, did not use a mobile device management application to configure CMDs to protect stored data, which means that they did not have the capability to remotely wipe data stored on CMDs that were transferred, lost, stolen or damaged.
Also, the CIOs at USMA and ERDC allowed users to store sensitive data on CMDs that acted as removable media.
“These actions occurred because the Army CIO did not develop clear and comprehensive policy for CMDs purchased under pilot and non-pilot programs,” states the IG report. In addition, the Army CIO inappropriately concluded that CMDs were not connecting to Army networks and storing sensitive information.
“As a result, critical information assurance controls were not appropriately applied, which left the Army networks more vulnerable to cybersecurity attacks and leakage of sensitive data.”
In response, the Army and Defense Information Systems Agency (DISA) agreed to develop a mobile device management (MDM) process to verify that users of CMDs are following Army and DOD information assurance policies and implementing the appropriate security controls to protect CMDs. Establishment of MDM and mobile application store architectures will be designed to make all CMDs managed mobile devices, which would result in the ability to observe every DOD-managed CMD, as well as the applications operating on the devices.
Additionally, the Army will gain the ability to wipe or remove a device from the environment, as well as monitor applications used, websites visited, plus data viewed, saved or modified on the mobile devices.
To that end, the Army issued a request for proposal for the MDM and mobile application store and expects to make an award this month, with initial operating capability expected by October 2013, with full operating capability available before the end of fiscal year 2014.