The Pentagon has long expressed the need to automate its mobile device management, but in most cases, it hasn’t made progress.
The Defense Information Systems Agency, however, hopes to change that for its classified networks with a new acquisition.
DISA issued a request for information Wednesday searching for existing automated provisioning tools to support devices used in the Department of Defense Mobility Classified Capability (DMCC) program, which allows “classified mobile access to the Secret Internet Protocol Router Network (SIPRNet).”
The existing process for connecting devices is labor-intensive and antiquated, as DISA explains in the solicitation, and it raises security concerns. Before approved devices are issued to the high-level DOD officials cleared to use the classified network, “the DMCC Program provisions every device to ensure they meet the required security and Information Assurance (IA) configurations prior to issuance to the customers.” That manual step “represents a high risk to mission readiness, creates gaps in mobile security and communication,” the RFI says.
DISA is looking to move quickly with the eventual acquisition, “anticipating a one-year period of performance, beginning in July 2018.” Therefore, the automated provisioning tool must be an existing commercial capability.
In the RFI, DISA details the type of functions such a tool must automate, such as installing and managing user certificates for public key infrastructure; setting up and managing use of a virtual private network; setting device passwords; and more.
Access to the classified SIPRNet, however, represents only a portion of the Pentagon’s mobile device management concerns — there’s also the much larger Non-classified Internet Protocol Router Network, which serves a far larger population of mobile devices. “More than 100,000 service members and civilians are using unclassified mobility solutions provided by the Defense Information Systems Agency,” the agency said in a release on its website this week. The department is also becoming more accepting of “bring your own device” programs, in some cases.
Many DOD components are working on so-called automated comply-to-connect efforts. Per the National Security Agency, comply-to-connect enforces “that patches and hardened configuration are applied to devices before they connect and updated continually.” But implementation is inconsistent across the DOD.
Language accompanying the Senate version of the 2019 National Defense Authorization Act criticizes the department’s failure to implement “a strategy for automated comply-to-connect and continuous monitoring capabilities,” as required by previous legislation, and threatens future funding for the DOD Cybersecurity Scorecard.
“Meanwhile, DOD components are in a constant scramble to produce through manual data calls the regular cybersecurity scorecard for the Secretary of Defense, but this scorecard is neither up-to-date nor accurate, as the Department has no method for detecting the large number of unknown devices and unaccounted for software instances running on its networks,” the legislation says. “That unknown software on unknown devices represents a substantial risk, in addition to the risk posed by cumbersome, rigid, and manually managed patching and access procedures.” The Senate acknowledges “that commercial products exist to solve these serious problems.”