Building a secure, global DOD mobile enterprise to support warfighters

DISA is leading the Defense Department effort to create an enterprise solution to support a range of mobile devices that share classified and protected data regardless of location.

With U.S. military forces increasingly mobile, the Joint Information Environment (JIE) is envisioned as a robust and resilient enterprise that delivers faster collaboration and better-informed decisions through secure, seamless access to information anytime and from any authorized device.

To that end, the Defense Information Systems Agency is developing enterprise-level secure classified and protected unclassified mobile solutions that support the warfighter globally.

DISA will begin offering mobile services as a subscription-based service in fiscal 2014. Those mobile solutions will not only take advantage of commercial-carrier infrastructure and provide entry points for classified services, they will also capitalize on the enterprise capabilities of JIE.

"Mobility is the first phase of the JIE because what we don't want to do with some of the JIE pieces is to take a disparate, wired architecture at the service level that's been out there for many years and bring it into a joint environment," said John Hickey, DISA's program manager for DOD mobility. "We're building mobility at the enterprise level [from the start], so we're looking at those joint information environments and looking to provide the efficiencies early on that create the interoperability."

DISA is leading the Defense Department effort to create an enterprise solution to support mobility requirements by using commercial-carrier networks capable of handling classified data. The agency is taking a phased approach to implementing the program, which will provide DOD's more than 3 million employees with a range of mobile devices and enable them to use those devices, regardless of location, to share classified and protected data across all components.

Currently, more than 600,000 DOD employees use government-issued mobile devices, several thousand of which are capable of handling classified data. The goal of the DISA-led mobility program is to ensure that mobile devices — as well as their apps, email and other functions, and the wireless networks that support them — can operate securely regardless of the environment and can adapt to rapidly changing technology and scale to accommodate increasing numbers of users.

"The enterprise services that DISA can provide will achieve efficiencies across the agencies and capabilities for the warfighter," Hickey said. "The key is the information [and] the applications, whether it's email or a voice-over-IP solution at the enterprise level. It also has to have the built-in security standards that we require to protect the information. And it has to be cost-effective."

Putting the plan in place

In February, the DOD CIO's office released its Commercial Mobile Device Implementation Plan to serve as a framework for the department's use of secure classified and protected unclassified mobile solutions that rely on commercial technology. DOD's plan focuses on three key areas of mobility: mobile devices, wireless infrastructure and mobile applications.

"This is not simply about embracing the newest technology, it is about keeping the department's workforce relevant in an era when information accessibility and cybersecurity play a critical role in mission success," DOD CIO Teri Takai said.

Given DOD's mission and inherent concerns about the security of commercial mobile technologies, the department is trying to institute security standards and a certification process that is agile enough to keep pace with the fast rate of technological change. At the same time, DOD wants to promote the development and use of mobile applications that "improve functionality, decrease costs and enable increased personal productivity."

Under the plan, DISA is charged with establishing a DOD Mobility Program Management Office by fiscal 2014 that will provide guidelines for secure classified and unclassified mobile communications capabilities.

According to the implementation plan, the DOD CIO's goal is to develop an overall governance process, a centralized library, and a development framework in which mobile applications can be quickly developed, purchased, certified and distributed to users. In October 2012, DISA released a request for proposals for a combined DOD-wide mobile device management (MDM) and mobile application store (MAS) solution. A single award is expected later this year, with a one-year period of performance and four six-month options.

As the RFP states, the MDM capability should function as a traffic cop that enforces policy for network and end devices. The MDM solution would institute the policy, security and permissions that define the functions the user is allowed to conduct on the mobile device. The MAS, operating in conjunction with the MDM, would serve as an online digital electronic software distribution system by obtaining user application permission rights from the MDM.

The MDM and MAS solution would be deployed DOD-wide to the combatant commands, military services, Defense Intelligence Agency, National Geospatial-Intelligence Agency, National Reconnaissance Office, National Media Exploitation Center, National Security Agency, Coast Guard, National Guard, reserves and possibly more components in the future. The objective of the enterprise MAS is to optimize the functionality and distribution of mobile apps to mobile devices while minimizing replication, cost and downtime.

"As end-user dependence on mobile devices rises, enterprise management implemented via an MDM becomes necessary to ensure secure mobile device operation and maintenance in a cost-efficient manner," the Commercial Mobile Device Implementation Plan states. Furthermore, MDM capabilities "ensure [that] the security of the entire user community is not compromised by an improperly configured or operated device."

However, the plan also states that "until the development of multi-level security is a viable construct," separate MDM systems in the classified and unclassified DOD information domains will be implemented. An enterprise-level service capability for unclassified information processing will be accomplished by an MDM system, with an enterprise MAS that will deliver, update and delete applications on mobile devices without the user having to return the device for service.

"On the unclassified side, that mobile application store will include commercial apps, as well as government-developed apps, and the review of the code and how we put those apps out, as well as the licenses that we procure for some of the enterprise capability," Hickey said. "We have to maintain control of the number of devices that use those applications, much like a commercial environment."

The unclassified MDM system will be a decentralized capability hosted at several DISA Defense Enterprise Computing Centers.

"Right now, we don't have an MDM on the classified [side], but we're working with [the National Security Agency] on what could meet our very unique security requirements," Hickey said. "We're in the planning stages right now."

DISA's objective is to establish an enterprise mobility architecture that will provide secure delivery of email, mobile applications, voice services and other data services, including initial network operations and reporting capabilities. DISA will implement the MDM and MAS in three phases.

Phase 1, which includes the purchase of 1,500 devices, will deploy voice and data services via a commercial wireless network and award a contract for the initial MDM and MAS. Phase 2 will provide the capability to manage as many as 5,000 devices. Phase 3 is an operational capability that will be offered as a subscription-based service to support 100,000 devices.

"We're looking to have 5,000 devices by the end of this fiscal year [2013]," Hickey said. "With Android, Apple, BlackBerry and Windows, we see demand from all over for different mobile devices."

"Our goal is to be device-agnostic," he added. "That's what we've said all along to create competition in this space, lower our overall costs and improve the capability. DISA is not in the business of trying to determine a specific device [for everyone to use]. That is up to DOD users to decide. We're providing a service."

Mobility pilots, spiral development

Currently, DISA is conducting both unclassified and classified operational pilot projects to test existing mobile technologies. The projects evaluate select mobile capabilities, including information assurance, security, logistics and performance. This series of pilots will incorporate lessons learned, ensure interoperability, refine technical requirements, influence commercial standards and create operational efficiencies, officials said.

"The biggest difference between unclassified and classified [devices] is that we require a second layer of encryption on the classified device, as well as we route all the traffic through what we call a mobile gateway," Hickey said. "That provides us with the capability to look at the information that is inbound and outbound. And it ties back into our secure voice-over-IP network."

In May 2012, DISA began its mobility pilot activities to build an enterprise mobile capability that is the wireless entry point into the Global Information Grid. The agency plans to complete an initial operational capability by October. The military services and combatant commands are partners for the unclassified portion of the pilot projects, while NSA is a partner for the classified side.

"On the classified side, we just delivered the first device in partnership with NSA on the secret fabric infrastructure for voice," Hickey said. "We're working some of the data pieces for that now. The next step on the classified side is to work the top secret classified capability."

Centralized management and control of secure classified mobile communications services and devices will be provided, with classified voice and data communications supported up to the top secret level.

"NSA has developed some unique applications to monitor the device. We've developed a gateway to allow the device to come onto the classified network," Hickey said. "So far, we have been able to communicate with all our legacy devices that are on the desktop and classified, such as Secure Terminal Equipment and [Secure Telephone Unit], as well as our Red Switch capability. We've had some success on our voice capability. The next piece that is coming is a tie-in to our enterprise email on the classified side."

Three commercial carriers — AT&T, Sprint and Verizon — are participating in DISA's mobility pilot project. Hickey said the agency is also looking to add T-Mobile. The ultimate goal is for DISA to capitalize on commercial-carrier networks that are capable of handling classified data.

"The reason why we went with an NSA solution [on the classified side] was because the commercial companies weren't quite ready for some of the unique encryption pieces that we wanted to enable," Hickey said. "We partnered with NSA in this area to come up with the capability that we just delivered. What we're doing is working with NSA on their protection profiles and other initiatives, as well as our security requirements guides, so that we have the vendors come to us with capabilities that meet DOD security requirements."

DOD's mobile enterprise will use commercial cellular and wireless devices to access classified data and voice services while minimizing the risk when connecting to existing enterprise services. Commercial carriers and other unclassified access networks provide the controlled connectivity between users and the mobile enterprise.

"We're looking at how we can control the devices, what devices are approved and a phased approach through short, spiral 60- to 90-day cycles to deliver capability," Hickey said.

The series of rapid spirals is meant to provide the learning and expertise in deploying, operating, supporting and upgrading services to mobile devices while maintaining the security of DOD information systems. Spirals 1 and 2 focus on solutions for the processing of unclassified information, while Spiral 3 involves the initial implementation of a classified capability.

DISA is in Phase 2 of its mobility pilot. The first classified device — a Motorola Razr — came out recently, and there are approximately 1,000 unclassified devices in use.

"On the unclassified side, there are well over 20 pilots, and the goal of the DOD CIO is to make sure that pilots are innovative and that we don't hamper the good ideas and development that can happen at various levels," Hickey said. "We have approximately 500 devices that have been issued for what we call the operational system, and [we] have about the same number [of devices] in our development environment." And those numbers are "building pretty quickly."