[ISN] DOD seeks commercial encryption software

From: InfoSec News (alerts@private)
Date: Tue Jan 09 2007 - 03:05:35 PST


By Josh Rogin
Jan. 8, 2007

The Defense Department is looking to protect all data at rest (DAR) on 
mobile computers and storage devices using commercial encryption 
software. DOD will soon award one or more enterprisewide software 
agreements under the DOD Enterprise Software Initiative (DOD-ESI) and 
the General Services Administration's Federal SmartBUY program.

The department is calling on industry to submit software solutions to 
encrypt all DAR storage devices, including hard drives of laptop and 
desktop computers, tablet PCs, smart phones, personal digital 
assistants, and removable storage devices, according to a 
pre-solicitation notice.

DOD estimates the agreements will cover more than 1 million laptops and 
1 million other mobile devices. DOD wants to award blanket purchase 
agreements with multiple vendors co-branded as DOD-ESI and SmartBUY 
agreements under Part 8 of the Federal Acquisition Regulation. Although 
the focus will be on products and maintenance, professional services 
will also be included in the contracts.

The Air Force is the executive agent for enterprise software initiatives 
dealing with information assurance. The 754th Electronics Systems Group, 
based at Maxwell Air Force Base, Ala., will develop the acquisition 
strategy and manage the DAR agreements.

Meanwhile, the Office of the Assistant Secretary of Defense for Networks 
and Information Integration/DOD Chief Information Officer is developing 
a departmentwide policy memorandum for DAR encryption that is in draft 

The office's DAR Tiger Team (DARTT) is working on that policy, which will 
institute a phased approach for DAR encryption of all mobile computing 
devices and removable media, and require all DOD computers to have a 
Trusted Platform Module chip certified by the National Information 
Assurance Partnership. The policy will also recommend stronger internal 
controls and management at DOD components.

DARTT released a request for quotes at an industry day Dec. 20, 2006. 
The purchase agreements, which have a duration of five years, should be 
awarded in March, according to documents that accompanied the RFQ.

In June, the Office of Management and Budget issued a memorandum 
requiring that all federal agencies take steps to ensure DAR encryption. 
Departments should encrypt all data on mobile computers and devices, use 
two-factor authentication and a time-out function for all remote 
computer access, and log all extracts from databases holding 
sensitive information.

"In an effort to properly safeguard our information assets while using 
information technology, it is essential for all departments and agencies 
to know their baseline of activities," the memo states.

In August 2006, Army CIO Lt. Gen. Steven Boutelle authorized all Army 
components to purchase encryption software from Credant Technologies for 
use on all laptops that travel. "Data at rest is data at risk," he says.

Publicity stemming from several recent laptop losses and thefts at 
various federal agencies has pushed DOD to move to protect DAR, said 
Mark Zelinger, president of Zelinger Associates. By selecting a certain 
number of preapproved DAR software products, DOD can force special 
pricing, he added.
