
VA plans government's largest tablet computer deployment

This story has been updated.

The Veterans Affairs Department plans to field up to 100,000 tablet computers, the largest such deployment in the government, VA disclosed last week in a request to industry for technical help.

The department has developed a workaround for federal wireless security standards that supports the devices' management in a vendor-operated cloud computing environment, according to the request.

VA plans to deploy Apple iPads as well as tablets that run on the Android and Windows operating systems. The Apple and Android operating systems currently are not compliant with Federal Information Processing Standard 140-2.

VA has asked industry to provide it with mobile device management services.

This security workaround will allow for "enforcement of VA security, management and other applicable policies to the devices from an enterprise perspective," the request said.

VA Chief Information Officer Roger Baker earlier this year commissioned a study to "determine if the application programming interface list released by mobile vendors will be sufficient in mitigating the lack of FIPS 140-2 encryption on the device in the VA's network environment." That project concluded that mobile device management will be able to provide security for tablets running the Apple mobile operating system, according to VA.

Baker said in July that he would not require the use of FIPS 140-2, as Apple offers a suite of software from a number of vendors to securely connect its products to an enterprise network through mobile device management. Baker said he would "accept the risk . . . that the [software] is sufficiently strong."

He explained that information technology management is a "pragmatic science" and that if he just said no to the use of iPhones and iPads on the VA network while waiting for Apple to deliver FIPS 140-2 products, users would figure out how to do an end-run around him.

Mobile device management controls and protects data from a central location and locks down configuration settings; VA said it plans to do this through a vendor-owned and -managed cloud computing center.

The department also wants the mobile device management contractor to design, develop and test a private application store to deliver custom VA applications to Apple devices. The contractor's app store will allow end users to download VA enterprise apps, as well as provide a pass-through for accepted commercial apps, the department said.

Baker, interviewed Monday at the American Council for Technology-Industry Advisory Council Executive Leadership Conference in Williamsburg, Va., said VA has no immediate plans to purchase large quantities of iPads beyond the 1,000 obtained this month. In August, VA added tablet computers to its Commodity Enterprise Contract, a massive procurement of computer hardware including desktops, laptops, servers and network hardware.

Baker said the department opted for mobile device management services to secure iPads, as he believes it unlikely Apple will engineer a NIST-compliant device because the federal government is simply too small a portion of its market.

Application providers can engineer security into their software, according to Baker. "And then you look at it from an application-by-application standpoint. So the only applications you authorize to actually contain information on the device are ones that have FIPS 140-2 encryption inside the application so you know the info is being stored fully encrypted," he said.

VA staff is developing an iPad app version of VA's Computerized Patient Record interface, Baker said, which will allow VA doctors to download health care records onto a device in an encrypted form that only that doctor can access. The department also is working on numerous other internal apps, he said.

Rick Dakin, chief executive officer and co-founder of Coalfire Systems, a Louisville, Colo.-based information technology risk assessment and auditing firm, said there are problems with securing the apps rather than the device. He noted that when encrypted data is transmitted, a key to decode that data is in the message header, leaving the information vulnerable to attack. Dakin added that many mobile device management systems do not handle key management.

Dakin also questioned the security of commercial cloud computing, suggesting VA should ensure its data is segmented with limited access.

Still, from a personal point of view, Dakin endorsed VA's plans to deploy iPads without waiting for NIST certification. Usually the government is too slow to adopt new technology, he said: "We have to encourage government to adopt new technology to reduce cost and improve services. This is a given. They move too slow and operate too inefficiently today. We don't have to encourage them to be less efficient."

Bernie Skoch, a consultant and retired Air Force brigadier general with extensive security experience, questioned VA's decision not to adhere to FIPS 140-2 and to use a commercial cloud for mobile device management and its app store, though he understood the underlying economic reasoning.

"There is sometimes a temptation to think an agency's security needs can be met with non-FIPS standards because, after all, this is 'just' the VA," Skoch said. "In my opinion, that's a mistake. Not only are there significant patient record privacy data at risk (though the commercial cloud vendors will assure us that is not an issue), but VA systems tie to [Defense Department] systems. That alone should be sufficient to require FIPS compliance," Skoch said.

Cloud computing services have a built-in allure to federal agencies because technical risk is low, development risk is low, integration costs are low, and interoperability is very high, Skoch said. But, he added, "the security risks are not insignificant."

VA put a fast turnaround on its mobile device management request for information to industry -- just six business days, with replies due this Friday.

This story will be updated again later today.
