The Department of Defense’s (DoD) ambitious smartphone program may or may not reach its goal of providing advanced mobile communication devices to the warfighter, but it has certainly already scored one noteworthy achievement: creating stories for journalists. At last count, Google News has 300+ entries for “military smartphone.” Most of these stories report that the single biggest obstacle to smartphone deployment is security.
Actually, security is a problem for more than smartphones. The DoD’s drive toward greater acquisition of Commercial Off The Shelf (COTS) products means that system integrators will be fabricating solutions from parts with unsecured supply chains. Businesses are maximizing margins by using the cheapest parts from any available supplier, which means that even the simplest electronic device may draw from multiple unknown sources.
Unfortunately, smartphones are especially vulnerable to security breaches. The same software that makes it easy to download cute applications with a single click also makes smartphones susceptible to hacking.
Some contend that compliance with government security standards falls into the “Don’t try this at home” category, i.e. hire a professional to ensure conformity. However, if you are willing to cut through a forest of acronyms, a number of online resources are available:
Security Technical Implementation Guide (STIG) - These guides establish the methodology for configuring devices and applications to a specific level of security. They are designed for use by DoD personnel. The Defense Information Systems Agency (DISA) has a STIG page with a list of guides and other information on the Information Assurance Support Environment (IASE) web site.
DoD Information Assurance Certification and Accreditation Process (DIACAP) - If you think the DoD Information Technology Security Certification & Accreditation Process (DITSCAP) is the program for verifying minimal risk for information systems, then you probably think that keys are still used to lock hotel rooms. DIACAP has superseded DITSCAP. Two DIACAP sites worth noting are an IASE overview page and a list of recommended reading.
FIPS 140-2 - This is the most recent version of the federal cryptographic module standard. The Cryptographic Module Validation Program (CMVP) verifies compliance. The National Institute of Standards and Technology (NIST) maintains a Computer Security Resource Center, which keeps a list of the approved testing laboratories.
National Checklist Program (NCP) - This is “…the U.S. government repository of publicly available security checklists (or benchmarks) that provide detailed low level guidance on setting the security configuration of operating systems and applications.” NIST hosts the repository page on its National Vulnerability Database website.
Are there any other online resources you would recommend for meeting government standards on security?