DISA Mobile Decision Sends Potent Signal

Jul 18, 2013 (08:07 AM EDT)

The Defense Information Systems Agency's just-awarded $16 million mobile device management (MDM) and mobile application store (MAS) contract represents a seminal moment in the history of federal mobile computing and quite possibly the mobile industry at large.

The choice of consumer-off-the-shelf mobile devices and software applications by DISA, on behalf of the Department of Defense, sends a signal to all highly regulated organizations with mobile information assurance and security concerns that the United States government has determined that it's willing to treat mobile devices as first-class citizens on its networks. It's an admission that the growing use of smartphones, tablets and other small devices -- which are outpacing traditional PCs -- must be taken into account, with the risks assessed and mitigated and the devices eventually deployed. It also says the DOD is open to deploying commercially available mobile technology on a large scale.

Based on the publicly available request for proposal and DISA's performance work statement, it's evident the DISA MDM/MAS award reflected industry's input and consequently had multiple criteria, but central among them were the following information assurance criteria:

-- The use of FIPS 140-2 compliant cryptographic modules, which call for the highest available advanced encryption standards.

-- The use of DOD public key infrastructure (PKI) and hardware security module support. PKI provides for a digital certificate that can identify an individual or an organization and directory services that can store and revoke the certificates.

-- The use of an on-device integrity checker that substantiates applications, offers tamper resistance, verifies the device's integrity and prevents the rooting of devices.

In recent months, seemingly all official deployments of mobile technology across the DOD have come to a screeching halt as every branch of the military, facing sequestration and related budget cutbacks, looked to see which way DISA would go.

Near-Term Ramifications

In the short term, the DISA award promises to change the U.S. federal mobile landscape in the most meaningful way since RIM's BlackBerry device was granted a waiver to send information outside the continental U.S. and became the de facto government furnished equipment device for all of the federal government. BlackBerry, as RIM calls itself now, has been leveraging this same interim authority to operate for years.

According to the request for proposal posting for this procurement, DISA requested four tranches of 25,000 units, for a total of 100,000 units, in the base year of the contract. Elsewhere in the performance work statement, it was noted that the solution should support a minimum of 162,500 devices, with the potential of 262,500 mobile devices by the end of the contract. An earlier version of the RFP posted on the GSA's Federal Business Opportunities site called for support for one million devices.

Given DISA's mission, to be the information provider to the Department of Defense, this award, in parallel with DISA's efforts to consolidate data centers across the DOD, effectively creates a one-stop shop for DOD personnel to purchase and operate mobile devices.

Long-Term Implications

The DOD is looking long-term as well, even as it acknowledged that the market remains in flux. As noted in DISA's performance work statement (PWS): "Because the current market landscape is still maturing from a security and architecture perspective, the critical requirements provided for this MDM/MAS acquisition are short-term and are limited in scope to provide the government the flexibility to adjust with evolving solutions. The current PWS is shaped to reflect the capabilities currently available in the marketplace. The government desires to see innovative solutions that may bring value to the government during contract performance."

Unlike the uptake and subsequent standardization on BlackBerry for mostly personal information management and email-appliance functionality, the DISA award signals something much more important: the tacit admission that mobile devices are here to stay and that they must be treated as primary devices for email but, more importantly, for a variety of line-of-business and mission-critical uses.

There have been large-scale government procurements and deployments of mobile devices in the past, including 160,000 special-purpose devices built on an HTC Windows Mobile platform for the 2010 US Decennial Census. (The original commitment to 500,000 units was cut back due to system integration and financial problems.) But none were quite as game-changing as DISA's deal is expected to be; they were rather "one-off" or "ad hoc" initiatives.

The DISA award is likely to accelerate deployment of mobile security technology across other highly secure verticals. Industries such as banking and financial services, healthcare, pharmaceuticals, legal, accounting, utilities and critical infrastructure will take a cue from this award and will be more inclined to accept risks inherent in mobile technology.

Highly security-conscious industries often look at the U.S. government as the bellwether on information assurance. These industries are very mindful of data leakage prevention of personally identifiable information.

Banking is an industry with a heavy focus on both mobility and security. Mobile payments by smartphone have been ballyhooed for years as a new source of revenue. The banking industry and financial services in general have traditionally looked toward the Department of Defense as the gold standard of secure computing. The DISA award sends a powerful signal that DOD's information assurance experts have weighed the pros and cons inherent in mobile computing and concluded that the risks are manageable.

Similarly, the healthcare industry is beginning to embrace mobile technology to better manage patient care, increase efficiencies and increase revenues. Like most bankers, healthcare professionals are extremely risk-averse. Healthcare providers are keenly aware of HIPAA compliance and similar legal statutes regarding personally identifiable information. Just ask WellPoint, which agreed to pay the Department of Health and Human Services a $1.7 million fine this month to resolve a HIPAA data breach.

What the DISA award might signal to these and other industries is that the mobile device ecosystem has reached a level of maturity sufficient to start making significant investment commitments for mobile computing. DISA might not necessarily be leading the charge outside of the world of defense. But it has defined what promises to be a widely regarded roadmap for managing and securing mobile devices as well as the data that rides over them. That's why the value of DISA's award goes well beyond the amount of its contract.