New Defense wireless policy tightens security
- By Dawn S. Onley
- Jun 13, 2006
After more than two years of modifying and updating a 2004 wireless policy, the Defense Department has released a memorandum aimed at boosting security on wireless local area networks connected to the Global Information Grid.
The supplemental policy
, signed off on June 2 by Defense CIO John Grimes, requires the IEEE 802.11i standards to be used for wireless LANs and devices, and technologies that can store, process or transmit unclassified information. The old policy required that wireless devices use cryptographic modules validated to Federal Information Processing Standard 140-2.
That won't change. The memo still requires FIPS-140-2 validation 'at a minimum.' But wireless devices connected to the GIG must also be validated under the National Institute of Standards and Technology Common Criteria.
'Its goal is to enhance overall security guidance and to create a foundation and road map for increased interoperability that embraces open standards regarding WLAN technologies,' Grimes said of the supplemental policy.
Grimes also is requiring that WLAN devices use strong identification and authentication tools at the device and network levels in accordance with published DOD policies and procedures. And the memo requires Defense components to 'ensure that network intrusion detection systems continuously monitor wireless activity and wireless-related policy violations on DOD wired and wireless networks.'
The memo requires these wireless intrusion detection systems to scan for and detect authorized and unauthorized activities, 24 hours a day, seven days a week. The systems must also have a location-sensing capability to provide personnel with information on potential intruders.
Plans to migrate legacy WLAN systems to the new standard must be submitted to the director of the Communications Directorate within the CIO's office by December. The policy also states that for all new acquisitions, starting in fiscal 2007, Defense services and agencies must implement WLAN solutions that are 802.11i compliant and WiFi Protected Access 2 enterprise certified.