Presumed sensitive

DOD policy orders encryption of all data on mobile devices

"[The policy] will help to ensure that we protect all DOD information on devices and media while outside a protected workplace." - DAVID WENNERGREN, DEFENSE DEPARTMENT

Sasan Afsoosi

The Defense Department this summer began requiring its personnel to encrypt practically all data stored on laptop PCs and personal digital assistants or saved to removable storage devices such as thumb drives or CDs.

Department information technology officials responsible for implementing the directive will also have to submit a report to the chief information officer's office by Dec. 31 detailing their progress in complying with the policy.

The new policy, spelled out in a July memo from DOD CIO John Grimes, requires encryption of all at-rest data considered sensitive under the agency's broad new definition if the data is on an easily transportable computing device or removable drive.

DOD users are to treat data as sensitive information if it resides on mobile devices or removable storage media unless it has been cleared for public release.

Requiring encryption for a greatly expanded cross section of DOD data files, not just for classified information and records containing personally identifiable information, means the department intends to safeguard virtually all data taken into the field and at risk of loss or misuse.

The policy "will help to ensure that we protect all DOD information on devices and media while outside a protected workplace," said David Wennergren, deputy CIO at DOD.

The policy requires DOD to buy commercially available encryption tools through blanket purchase agreements covered by DOD's Enterprise Software Initiative.

Prepared for recovery

The encryption software must conform to the National Institute of Standards and Technology's Federal Information Processing Standard 140-2 and include a mechanism for DOD to recover encrypted data if necessary.

In addition, the memo imposes a requirement that all new computers bought by DOD include the Trusted Platform Module, a hardware component used to set up and run standardized security configurations for corporations and governments.

Now built into virtually all computers shipped to corporate and government customers, TPM is a chip that encrypts the data on individual computers and allows organizations to set up and operate standardized security rules and configurations using capabilities built into the TPM hardware and security software created for the platform.

Running a unified, enterprisewide data security program will require DOD to manage IT security differently than it has in the past, but the department shouldn't have any problem buying systems with the TPM chip built in, said Brian Berger, executive vice president of marketing and sales at Wave Systems, a developer of security software for TPM.

Standard equipment

"All of the PC manufacturers the government deals with today already provide TPM as a standard item, so for the government this is like buying the next version of commercial desktops or laptops," Berger said.

In fact, the PC industry has already sold an estimated 50 million computers with built-in TPMs, and the cost of the technology is already built into the base cost of PCs for corporate or government buyers, Berger said.
