DOD wireless policy starts with LANs
CIO to issue further guidance on remote access, cellular technologies.
- By Dawn S. Onley
- Jun 16, 2006
For nearly two years, the Defense Department has gone back and forth over what to include in the scope of a modified wireless policy and how to coordinate implementation across the services and agencies.
'We had originally intended to address possibly both cellular and [IEEE] 802.11 wireless technologies, but realized ... this scope was too broad,' said Danny Price, deputy director of policy in the Communications Directorate of the Office of the Assistant Secretary of Defense for Network and Information Integration.
Another holdup was the need to work out longstanding issues over legacy systems and how best to migrate to the new environment, he said.
But after months of work, Defense CIO John Grimes tweaked the focus on June 2 and approved a memorandum aimed at boosting security on wireless LANs connected to the Global Information Grid. The supplemental policy requires the IEEE 802.11i standards be used for wireless LANs and devices, and technologies that can store, process or transmit unclassified information.
This supplemental memo will be the first of many from the CIO's office addressing wireless security. Other updates will include wireless remote access and cellular technologies, Price said.
'Its goal is to enhance overall security guidance and to create a foundation ... for increased interoperability that embraces open standards regarding WLAN technologies,' Grimes said.
The initial Defense wireless policy, which was published in Directive 8100.2 in April 2004, was far-reaching in nature and required that all commercial wireless technologies use cryptographic modules validated to Federal Information Processing Standard 140-2.
That won't change. The memo still requires FIPS-140-2 validation 'at a minimum.' But it also requires that wireless devices on GIG comply with standards of the National Information Assurance Partnership, a collaboration between the National Institute of Standards and Technology and the National Security Agency.
The updates go a step further than the initial policy to 'mandate the newest security capabilities,' said Col. Stephen J. Jurinko, director of the Army Office of Information Assurance and Compliance at the Network Enterprise Technology Command.
'As wireless technologies mature, more commercial wireless security solutions are available for Army use,' Jurinko said. 'For example, wireless standards that offer Layer 2 security and encryption solutions, such as 802.11i, bring new standards of security and interoperability'all advantageous to the Army.'
Plans to migrate legacy WLAN systems to the new standard must be submitted to the director of the Communications Directorate within the CIO's office by December and then annually thereafter.
The policy also states that for all new acquisitions, starting in fiscal 2007, Defense services and agencies must implement WLAN solutions that are 802.11i compliant and certified for WiFi Protected Access 2.
In the submitted plans, the services will have to detail their compliance status and any issues or challenges with implementing the wireless policy.
Under the supplemental guidance, DOD requires WLAN devices to use strong identification and authentication tools at the device and network levels in accordance with published policies and procedures. The network intrusion detection systems must be able to 'continuously monitor wireless activity and wireless-related policy violations on DOD wired and wireless networks.'
Defense officials see the policy placing DOD in the wireless security lead across the government.