The imperative for device management is key to the DOD's mobility plan

In the wake of a scathing internal Defense Department review of the Army’s commercial mobile device use, pressure is mounting on the Defense Information Systems Agency to find solid footing for mobile device management that will allow military personnel secure access to defense applications and data over government-issued devices.

In late March, the Defense Department’s Inspector General released a blistering review of the Army Chief Information Office’s tracking strategy over commercial mobile devices (CMDs) within the service. The Army CIO, according to the report, failed to implement an effective cybersecurity program for CMDs. The service lost control of more than 14,000 smartphones and tablets, which were largely left untracked, the IG said.

“These actions occurred because the Army CIO did not develop clear and comprehensive policy for CMDs purchased under pilot and non-pilot programs,” the IG report said, adding the Army CIO was wrong in assuming the devices were not connecting with service networks. “As a result, critical information assurance controls were not appropriately applied, which left the Army networks more vulnerable to cybersecurity attacks and leakage of sensitive data.”

The IG’s assessment, while harsh, highlights a growing issue amid scores of mobile access pilot programs at the individual services, according to an industry executive. “Somebody needs to be in charge here, and DISA is probably the natural agency to do that,” said Jon Green, director of government solutions for Aruba Networks, an infrastructure provider focused on connecting mobile devices to their applications.

DISA's Role

DISA is taking mobile device management (MDM) quite seriously. Stretching into fiscal 2014, MDM represents the longest phase in DOD’s ongoing wireless strategy, according to Maj. Gen. Robert Wheeler, speaking at the Mobile Work Exchange Spring 2013 Town Hall Meeting in Washington, D.C. recently. That strategy, said Wheeler—the DOD deputy chief information officer for control, communications and computers and information infrastructure—aims to eventually cut the cord, making wireless the primary data link by 2017.

In addressing the need to synchronize with the rapid deployment of commercial devices, Wheeler said the ultimate goal is for DOD to reduce certification turnaround to about 30 days. Currently, for example, the DOD adoption cycle can take about 12 months or more to certify new hardware.

The first step, however, is for DISA to acquire a MDM system. According to DISA spokesperson Alana Johnson, that award will be made in early summer.  “The MDM will establish the enterprise environment needed to securely operate mobile devices and ensure compliance with the Security Technical Implementation Guides (STIGs),” she said by email.

DOD is expected to purchase more than 100,000 mobile devices in fiscal 2014.

“I think MDM is an appropriate way to manage a government device,” Green said, quickly cautioning that the MDM solution will likely cause hiccups for personal device access on DOD networks.

You cannot run MDM if you want employees to supply their own device, he said. “They’re not going to pay for their own device and let someone else take control over it.”