DOD wireless policy starts with LANs

CIO to issue further guidance on remote access, cellular technologies.

Interoperability certifications: WLAN-enabled devices, including network interface cards and access points that store, process or transmit unclassified information, must be WiFi Alliance-certified for IEEE 802.11 a, b or g interoperability and WiFi Protected Access 2 (WPA2) enterprise certified for 802.11i interoperability.


Data at rest: Data-at-rest encryption should be implemented at one of three levels: individual files, the file system, or the whole disk or memory card. All sensitive unclassified data must be encrypted.


WLAN security standards: WLAN-enabled devices, systems and technologies must use a robust defense-in-depth security approach that includes confidentiality, integrity and availability mechanisms. DOD components must ensure that standards-based authentication and encryption are used.
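The sidebar names the technical baseline in one breath: 802.11i, WPA2 Enterprise certification, standards-based authentication and encryption. The following checker, added here as an illustration and not part of the policy, the article or hostapd itself, shows what that baseline looks like when translated into an access-point configuration. It reads hostapd-style key=value settings (the option names are real hostapd options; the pass/fail rules are this example's own reading of the policy text) and reports every setting that falls short: legacy WPA or mixed mode instead of RSN/802.11i, pre-shared keys instead of 802.1X/EAP, TKIP instead of CCMP, a missing RADIUS server, or leftover WEP keys. Both sample configurations below are constructed for the example.

```python
"""Audit a hostapd-style WLAN configuration against the 802.11i / WPA2-Enterprise
baseline described in the DOD supplemental wireless policy.

Added example code, not from the article, the policy or the hostapd project.
The option names are real hostapd options; the rules applied to them are this
example's own interpretation of the policy's requirements.
"""
from __future__ import annotations


def parse_hostapd(text: str) -> dict[str, str]:
    """Parse key=value lines, ignoring blank lines and '#' comments."""
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_wlan(conf: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means the config meets the baseline."""
    findings: list[str] = []

    # 802.11i is the RSN ("WPA2") protocol. In hostapd, wpa=2 is RSN only;
    # wpa=1 is legacy WPA and wpa=3 accepts both, so only wpa=2 passes.
    if conf.get("wpa") != "2":
        findings.append(f"wpa={conf.get('wpa', 'unset')}: only RSN/802.11i (wpa=2) is allowed")

    # "WPA2 enterprise" means 802.1X/EAP authentication of each device,
    # not a shared passphrase known to everyone on the network.
    mgmt = set(conf.get("wpa_key_mgmt", "").split())
    if "WPA-EAP" not in mgmt:
        findings.append("wpa_key_mgmt lacks WPA-EAP: enterprise (802.1X/EAP) authentication required")
    if "WPA-PSK" in mgmt:
        findings.append("wpa_key_mgmt allows WPA-PSK: a shared passphrase is not device-level authentication")

    # 802.11i's mandatory cipher is CCMP (AES); TKIP is a WPA-era fallback.
    pairwise = set(conf.get("rsn_pairwise", "").split())
    if pairwise != {"CCMP"}:
        findings.append(f"rsn_pairwise={conf.get('rsn_pairwise', 'unset')}: CCMP only; TKIP is not 802.11i-compliant")

    # hostapd's enterprise examples enable 802.1X explicitly and point at a RADIUS server.
    if conf.get("ieee8021x") != "1":
        findings.append("ieee8021x!=1: IEEE 802.1X port-based access control not enabled")
    if "auth_server_addr" not in conf:
        findings.append("auth_server_addr missing: no RADIUS authentication server configured")

    # Any wep_* key means WEP is still usable on the interface.
    wep = sorted(k for k in conf if k.startswith("wep_"))
    if wep:
        findings.append(f"WEP keys present ({', '.join(wep)}): WEP provides no acceptable encryption")
    return findings


# Constructed sample: a legacy access point in mixed WPA/WPA2 mode with a passphrase.
LEGACY_CONF = """
interface=wlan0
ssid=legacy-net
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_passphrase=changeme
wpa_pairwise=TKIP
rsn_pairwise=TKIP CCMP
"""

# Constructed sample: the same access point reconfigured to the 802.11i/WPA2-Enterprise baseline.
# The RADIUS address is a documentation-range placeholder, not a real server.
COMPLIANT_CONF = """
interface=wlan0
ssid=enterprise-net
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=placeholder-secret
"""

if __name__ == "__main__":
    for name, text in (("legacy", LEGACY_CONF), ("compliant", COMPLIANT_CONF)):
        result = audit_wlan(parse_hostapd(text))
        print(f"{name}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

Run as a script it prints a PASS/FAIL verdict per configuration with the individual findings; the same `audit_wlan` function can be pointed at a real hostapd.conf to produce the kind of compliance status the migration plans later in the article ask the services to report.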


Exceptions to the policy:
Designated Approval Authorities must approve a documented justification for the use of noncompliant WLAN devices, systems or technologies during the DOD Information Technology Security Certification and Accreditation Process (DITSCAP).


Certain Type 1 wireless LAN devices are proprietary in nature and not interoperable with 802.11i solutions. The use of these devices is acceptable, provided the Designated Approval Authority (DAA) includes justification during the DITSCAP process.

For nearly two years, the Defense Department has gone back and forth over what to include in the scope of a modified wireless policy and how to coordinate implementation across the services and agencies.


'We had originally intended to address possibly both cellular and [IEEE] 802.11 wireless technologies, but realized ... this scope was too broad,' said Danny Price, deputy director of policy in the Communications Directorate of the Office of the Assistant Secretary of Defense for Network and Information Integration.
Another holdup was the need to work out longstanding issues over legacy systems and how best to migrate to the new environment, he said.


But after months of work, Defense CIO John Grimes tweaked the focus on June 2 and approved a memorandum aimed at boosting security on wireless LANs connected to the Global Information Grid. The supplemental policy requires that the IEEE 802.11i standard be used for wireless LAN devices, systems and technologies that can store, process or transmit unclassified information.


This supplemental memo will be the first of many from the CIO's office addressing wireless security. Other updates will include wireless remote access and cellular technologies, Price said.


'Its goal is to enhance overall security guidance and to create a foundation ... for increased interoperability that embraces open standards regarding WLAN technologies,' Grimes said.


The initial Defense wireless policy, which was published in Directive 8100.2 in April 2004, was far-reaching in nature and required that all commercial wireless technologies use cryptographic modules validated to Federal Information Processing Standard 140-2.


That won't change. The memo still requires FIPS 140-2 validation 'at a minimum.' But it also requires that wireless devices on GIG comply with standards of the National Information Assurance Partnership, a collaboration between the National Institute of Standards and Technology and the National Security Agency.


The updates go a step further than the initial policy to 'mandate the newest security capabilities,' said Col. Stephen J. Jurinko, director of the Army Office of Information Assurance and Compliance at the Network Enterprise Technology Command.


'As wireless technologies mature, more commercial wireless security solutions are available for Army use,' Jurinko said. 'For example, wireless standards that offer Layer 2 security and encryption solutions, such as 802.11i, bring new standards of security and interoperability, all advantageous to the Army.'


Plans to migrate legacy WLAN systems to the new standard must be submitted to the director of the Communications Directorate within the CIO's office by December and then annually thereafter.


The policy also states that for all new acquisitions, starting in fiscal 2007, Defense services and agencies must implement WLAN solutions that are 802.11i compliant and certified for WiFi Protected Access 2.


In the submitted plans, the services will have to detail their compliance status and any issues or challenges with implementing the wireless policy.


Under the supplemental guidance, DOD requires WLAN devices to use strong identification and authentication tools at the device and network levels in accordance with published policies and procedures. The network intrusion detection systems must be able to 'continuously monitor wireless activity and wireless-related policy violations on DOD wired and wireless networks.'


Defense officials see the policy placing DOD in the wireless security lead across the government.
