DOD wireless policy: If you use it, secure it
Wireless access to IT resources can be convenient and can enhance productivity, but it also opens up a can of worms for those who must secure and manage the connections and resources.
The security-minded folks at the Defense Department recognized this problem and responded with a policy for implementing commercial wireless technology on DOD systems.
The policy, contained in Directive 8100.2, applies to all DOD organizational entities and all electronic devices capable of wireless interaction with nonclassified DOD systems.
The department is in the process of updating its policy, but the current directive warns that all 'wireless devices, services and technologies that are integrated or connected to DOD networks are considered part of those networks,' and all security directives apply to them.
In addition, the policy states:
- Strong authentication, non-repudiation and personal identification are required at the device and network levels.
- 'Encryption of unclassified data for transmission to and from wireless devices is required,' using a FIPS-140-2 cryptographic module.
- Data stored on end devices must be encrypted using a FIPS-140-2 cryptographic module.
- A security review is required before wireless technology is introduced into a DOD system, wireless devices are not allowed in classified environments and scans must be conducted for rogue connections.
- Devices cannot operate wirelessly when connected directly to the wired network.
These requirements are for data transmissions. Encryption of unclassified voice traffic is recommended but not required, except for voice over IP, which must have FIPS-140-2 encryption.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.