Defense mobility policy: Slow and steady wins the race

Over the past several years, there has been a lot of progress in sorting out what mobile devices and applications defense personnel can use and what constitutes a truly secure wireless infrastructure. Yet there is still more work to be done.

The first major step toward a true mobility policy came in 2012 with the Department of Defense Mobile Strategy. In that document, DOD CIO Teresa M. Takai laid out the department’s IT goals and objectives related to wireless security, mobile device management and mobile and web-enabled apps. The document was followed a year later by an update that described a commercial mobile device implementation plan to allow secure classified and protected unclassified mobile solutions that use commercially available products.

Since that time, DOD has slowly but surely made progress. DISA is now the managing organization for mobility, charged with overseeing applications, approving devices, and making sure security is always front and center. DISA’s strategic plan lays this out in some detail, focusing on how it will improve mobile networks through better security.

Earlier this year, DISA also introduced an unclassified mobility capability that will provide defense employees with access to a larger range of mobile devices, applications and services. On the application front, it continues to improve the DOD Mobile App store, which currently supports about 100,000 users and nearly 2,000 unclassified mobile devices.

A work in progress

Despite the progress that has been made up to this point, there are still a lot of issues to work out. For example, today, many defense agencies have their own mobility pilots and in some cases, their own mobility policies. Since that’s the case, will there eventually be one comprehensive defense mobility policy? Where does the mobility guidance from the National Institute of Standards and Technology (NIST), Office of Management and Budget, NSA and the Department of Homeland Security fit in? What about Bring Your Own Device (BYOD)? Will there be an overall federal mobility policy that DOD will adapt for its own use?

Alan Webber, research director of innovation and transformation at IDC Government, believes that the mobility policy situation will shake out from the top down—with an overall federal government mobility policy as the model. From there, DOD can narrow and tighten the policy to suit its needs and if necessary, defense agencies can fine-tune it further. Webber believes an overall federal mobility policy will exist within three years.

Once that happens, the DOD still has to fine-tune government mobility policy to fit its needs, both in terms of application management and device management. While DISA has developed a functioning mobile application store that distributes applications to mobile devices for qualified defense personnel, there are still questions around management and security. For example, if an app is determined to have a vulnerability, what is the process of clearing the update and getting it back in the app store quickly? If it’s just an update to the user interface, does it go through the same process? And how should the DOD control the code?

Device management also is a tough nut for the DOD to crack. At the moment, NSA is working on policy to determine what devices are acceptable for classified use and which are useful to unclassified use. It’s complicated, Webber explained, because a device that DOD might consider non-classified might be considered classified by DHS. There has been progress in other areas of device management, however. Many devices are working their way through the current unclassified device process, as is Windows 8. DOD’s mobile device management (MDM) strategy also is solidifying, although more work has to be done in the areas of security and manageability. According to Takai’s statements at February’s MobileGov Summit, remaining challenges include developing policies and procedures for identity management and developing a standard configuration for the mobile devices it buys from industry, including which apps can be preloaded on devices.

While many say BYOD will never happen in DOD, others believe it will, at least in some form. It may take the form of personnel being able to choose from a list of approved devices rather than using anything they want, however. Takai herself has said that BYOD is a long-term objective.

“Right now, all of this is like stone soup—everyone is trying to do a piece of it,” Webber said. “But they will get there.”