Building a secure, global DOD mobile enterprise to support warfighters

DISA is leading the Defense Department effort to create an enterprise solution to support a range of mobile devices that share classified and protected data regardless of location.

With U.S. military forces increasingly mobile, the Joint Information Environment (JIE) is envisioned as a robust and resilient enterprise that delivers faster collaboration and better-informed decisions through secure, seamless access to information anytime and from any authorized device.

To that end, the Defense Information Systems Agency is developing enterprise-level secure classified and protected unclassified mobile solutions that support the warfighter globally.

DISA will begin offering mobile services as a subscription-based service in fiscal 2014. Those mobile solutions will not only take advantage of commercial-carrier infrastructure and provide entry points for classified services, they will also capitalize on the enterprise capabilities of JIE.

"Mobility is the first phase of the JIE because what we don't want to do with some of the JIE pieces is to take a disparate, wired architecture at the service level that's been out there for many years and bring it into a joint environment," said John Hickey, DISA's program manager for DOD mobility. "We're building mobility at the enterprise level [from the start], so we're looking at those joint information environments and looking to provide the efficiencies early on that create the interoperability."

DISA is leading the Defense Department effort to create an enterprise solution to support mobility requirements by using commercial-carrier networks capable of handling classified data. The agency is taking a phased approach to implementing the program, which will provide DOD's more than 3 million employees with a range of mobile devices and enable them to use those devices, regardless of location, to share classified and protected data across all components.

Currently, more than 600,000 DOD employees use government-issued mobile devices, several thousand of which are capable of handling classified data. The goal of the DISA-led mobility program is to ensure that mobile devices — as well as their apps, email and other functions, and the wireless networks that support them — can operate securely regardless of the environment and can adapt to rapidly changing technology and scale to accommodate increasing numbers of users.

"The enterprise services that DISA can provide will achieve efficiencies across the agencies and capabilities for the warfighter," Hickey said. "The key is the information [and] the applications, whether it's email or a voice-over-IP solution at the enterprise level. It also has to have the built-in security standards that we require to protect the information. And it has to be cost-effective."

Putting the plan in place

In February, the DOD CIO's office released its Commercial Mobile Device Implementation Plan to serve as a framework for the department's use of secure classified and protected unclassified mobile solutions that rely on commercial technology. DOD's plan focuses on three key areas of mobility: mobile devices, wireless infrastructure and mobile applications.

"This is not simply about embracing the newest technology, it is about keeping the department's workforce relevant in an era when information accessibility and cybersecurity play a critical role in mission success," DOD CIO Teri Takai said.

Given DOD's mission and inherent concerns about the security of commercial mobile technologies, the department is trying to institute security standards and a certification process that is agile enough to keep pace with the fast rate of technological change. At the same time, DOD wants to promote the development and use of mobile applications that "improve functionality, decrease costs and enable increased personal productivity."

Under the plan, DISA is charged with establishing a DOD Mobility Program Management Office by fiscal 2014 that will provide guidelines for secure classified and unclassified mobile communications capabilities.

According to the implementation plan, the DOD CIO's goal is to develop an overall governance process, a centralized library, and a development framework in which mobile applications can be quickly developed, purchased, certified and distributed to users. In October 2012, DISA released a request for proposals for a combined DOD-wide mobile device management (MDM) and mobile application store (MAS) solution. A single award is expected later this year, with a one-year period of performance and four six-month options.

As the RFP states, the MDM capability should function as a traffic cop that enforces policy for network and end devices. The MDM solution would institute the policy, security and permissions that define the functions the user is allowed to conduct on the mobile device. The MAS, operating in conjunction with the MDM, would serve as an online digital electronic software distribution system by obtaining user application permission rights from the MDM.

The MDM and MAS solution would be deployed DOD-wide to the combatant commands, military services, Defense Intelligence Agency, National Geospatial-Intelligence Agency, National Reconnaissance Office, National Media Exploitation Center, National Security Agency, Coast Guard, National Guard, reserves and possibly more components in the future. The objective of the enterprise MAS is to optimize the functionality and distribution of mobile apps to mobile devices while minimizing replication, cost and downtime.

"As end-user dependence on mobile devices rises, enterprise management implemented via an MDM becomes necessary to ensure secure mobile device operation and maintenance in a cost-efficient manner," the Commercial Mobile Device Implementation Plan states. Furthermore, MDM capabilities "ensure [that] the security of the entire user community is not compromised by an improperly configured or operated device."

However, the plan also states that "until the development of multi-level security is a viable construct," separate MDM systems in the classified and unclassified DOD information domains will be implemented. An enterprise-level service capability for unclassified information processing will be accomplished by an MDM system, with an enterprise MAS that will deliver, update and delete applications on mobile devices without the user having to return the device for service.

"On the unclassified side, that mobile application store will include commercial apps, as well as government-developed apps, and the review of the code and how we put those apps out, as well as the licenses that we procure for some of the enterprise capability," Hickey said. "We have to maintain control of the number of devices that use those applications, much like a commercial environment."

An enterprise-level service capability for unclassified information processing will be accomplished by an MDM system with an enterprise MAS. The MDM system will be a decentralized capability hosted at several DISA Defense Enterprise Computing Centers.

"Right now, we don't have an MDM on the classified [side], but we're working with [the National Security Agency] on what could meet our very unique security requirements," Hickey said. "We're in the planning stages right now."

DISA's objective is to establish an enterprise mobility architecture that will provide secure delivery of email, mobile applications, voice services and other data services, including initial network operations and reporting capabilities. DISA will implement the MDM and MAS in three phases.

Phase 1, which includes the purchase of 1,500 devices, will deploy voice and data services via a commercial wireless network and award a contract for the initial MDM and MAS. Phase 2 will provide the capability to manage as many as 5,000 devices. Phase 3 is an operational capability that will be offered as a subscription-based service to support 100,000 devices.

"We're looking to have 5,000 devices by the end of this fiscal year [2013]," Hickey said. "With Android, Apple, BlackBerry and Windows, we see demand from all over for different mobile devices."

"Our goal is to be device-agnostic," he added. "That's what we've said all along to create competition in this space, lower our overall costs and improve the capability. DISA is not in the business of trying to determine a specific device [for everyone to use]. That is up to DOD users to decide. We're providing a service."

Mobility pilots, spiral development

Currently, DISA is conducting both unclassified and classified operational pilot projects to test existing mobile technologies. The projects evaluate select mobile capabilities, including information assurance, security, logistics and performance. This series of pilots will incorporate lessons learned, ensure interoperability, refine technical requirements, influence commercial standards and create operational efficiencies, officials said.

"The biggest difference between unclassified and classified [devices] is that we require a second layer of encryption on the classified device, as well as we route all the traffic through what we call a mobile gateway," Hickey said. "That provides us with the capability to look at the information that is inbound and outbound. And it ties back into our secure voice-over-IP network."

In May 2012, DISA began its mobility pilot activities to build an enterprise mobile capability that is the wireless entry point into the Global Information Grid. The agency plans to complete an initial operational capability by October. The military services and combatant commands are partners for the unclassified portion of the pilot projects, while NSA is a partner for the classified side.

"On the classified side, we just delivered the first device in partnership with NSA on the secret fabric infrastructure for voice," Hickey said. "We're working some of the data pieces for that now. The next step on the classified side is to work the top secret classified capability."

Centralized management and control of secure classified mobile communications services and devices will be provided with classified voice and data communications up to the top secret level.

"NSA has developed some unique applications to monitor the device. We've developed a gateway to allow the device to come onto the classified network," Hickey said. "So far, we have been able to communicate with all our legacy devices that are on the desktop and classified, such as Secure Terminal Equipment and [Secure Telephone Unit], as well as our Red Switch capability. We've had some success on our voice capability. The next piece that is coming is a tie-in to our enterprise email on the classified side."

Three commercial carriers — AT&T, Sprint and Verizon — are participating in DISA's mobility pilot project. Hickey said the agency is also looking to add T-Mobile. The ultimate goal is for DISA to capitalize on commercial-carrier networks that are capable of handling classified data.

"The reason why we went with an NSA solution [on the classified side] was because the commercial companies weren't quite ready for some of the unique encryption pieces that we wanted to enable," Hickey said. "We partnered with NSA in this area to come up with the capability that we just delivered. What we're doing is working with NSA on their protection profiles and other initiatives, as well as our security requirements guides, so that we have the vendors come to us with capabilities that meet DOD security requirements."

DOD's mobile enterprise will use commercial cellular and wireless devices to access classified data and voice services while minimizing the risk when connecting to existing enterprise services. Commercial carriers and other unclassified access networks provide the controlled connectivity between users and the mobile enterprise.

"We're looking at how we can control the devices, what devices are approved and a phased approach through short, spiral 60- to 90-day cycles to deliver capability," Hickey said.

The series of rapid spirals is meant to provide the learning and expertise in deploying, operating, supporting and upgrading services to mobile devices while maintaining the security of DOD information systems. Spirals 1 and 2 focus on solutions for the processing of unclassified information, while Spiral 3 involves the initial implementation of a classified capability.

DISA is in Phase 2 of its mobility pilot. The first classified device — a Motorola Razr — came out recently, and there are approximately 1,000 unclassified devices in use.

"On the unclassified side, there are well over 20 pilots, and the goal of the DOD CIO is to make sure that pilots are innovative and that we don't hamper the good ideas and development that can happen at various levels," Hickey said. "We have approximately 500 devices that have been issued for what we call the operational system, and [we] have about the same number [of devices] in our development environment." And those numbers are "building pretty quickly."
