This story has been updated.
The Veterans Affairs Department plans to field up to 100,000 tablet computers, the largest such deployment in the government, VA disclosed last week in a request to industry for technical help.
The department has developed a work around for federal wireless security standards that supports the devices' management in a vendor-operated cloud computing environment, according to the request.
VA plans to deploy Apple iPads as well as tablets that run on the Android and Windows operating systems. The Apple and Android operating systems currently are not compliant with Federal Information Processing Standard 140-2.
This security work around will allow for "enforcement of VA security, management and other applicable policies to the devices from an enterprise perspective," the request said.
VA Chief Information Officer Roger Baker earlier this year commissioned a study to "determine if the application programming interface list released by mobile vendors will be sufficient in mitigating the lack of FIPS 140-2 encryption on the device in the VA's network environment." That project concluded that mobile device management will be able to provide security for tablets running the Apple mobile operating system, according to VA.
Baker said in July that he would not require the use of FIPS 140-2, as Apple offers a suite of software from a number of vendors to securely connect its products to an enterprise network through mobile device management. Baker said he would "accept the risk . . . that the [software] is sufficiently strong."
He explained that information technology management is a "pragmatic science" and that if he just said no to the use of iPhones and iPads on the VA network while waiting for Apple to deliver FIPS 140-2 products, users would figure out how to do an end-run around him.
Mobile device management controls and protects data from a central location and locks down configuration settings; VA said it plans to do this through a vendor-owned and -managed cloud computing center.
The department also wants the mobile device management contractor to design, develop and test a private application store to deliver custom VA applications to Apple devices. The contractor's app store will allow end users to download VA enterprise apps, as well as provide a pass-through for accepted commercial apps, the department said.
Baker, interviewed Monday at the American Council for Technology-Industry Advisory Council Executive Leadership Conference in Williamsburg, Va., said VA has no immediate plans to purchase large quantities of iPads beyond the 1,000 obtained this month. In August, VA added tablet computers to its Commodity Enterprise Contract, a massive procurement of computer hardware including desktops, laptops, servers and network hardware.
Baker said the department opted for mobile device management services to secure iPads, as he believes it unlikely Apple will engineer a NIST-compliant device because the federal government is simply too small a portion of its market.
Application providers can engineer security into their software, according to Baker. "And then you look at it from an application-by-application standpoint. So the only applications you authorize to actually contain information on the device are ones that have FIPS 140-2 encryption inside the application so you know the info is being stored fully encrypted," he said.
VA staff is developing an iPad app version of VA's Computerized Patient Record interface, Baker said, which will allow VA doctors to download health care records onto a device in an encrypted form that only that doctor can access. The department also is working on numerous other internal apps, he said.
Rick Dakin, chief executive officer and co-founder of Coalfire Systems, a Louisville, Colo.-based information technology risk assessment and auditing firm, said there are problems with securing the apps rather than the device. He noted that when encrypted data is transmitted, a key to decode that data is in the message header, leaving the information vulnerable to attack. Dakin added that many mobile device management systems do not handle key management.
Dakin also questioned the security of commercial cloud computing, suggesting VA should ensure its data is segmented with limited access.
Still, from a personal point a view, Dakin endorsed VA's plans to deploy iPads without waiting for NIST certification. Usually the government is too slow to adopt new technology, he said: "We have to encourage government to adopt new technology to reduce cost and improve services. This is a given. They move too slow and operate too inefficiently today. We don't have to encourage them to be less efficient."
Bernie Skoch, a consultant and retired Air Force brigadier general with extensive security experience, questioned VA's decision not to adhere to FIPS 140-2 and to use a commercial cloud for mobile device management and its apps store, though he understood the underlying economic reasoning.
"There is sometimes a temptation to think an agency's security needs can be met with non-FIPS standards because, after all, this is 'just' the VA," Skoch said. "In my opinion, that's a mistake. Not only are there significant patient record privacy data at risk (though the commercial cloud vendors will assure us that is not an issue), but VA systems tie to [Defense Department] systems. That alone should be sufficient to require FIPS compliance," Skoch said.
Cloud computing services have a built-in allure to federal agencies because technical risk is low, development risk is low, integration costs are low, and interoperability is very high, Skoch said. But, he added, "the security risks are not insignificant."
VA put a fast turnaround on its mobile device management request for information to industry -- just six business days, with replies due this Friday.
This story will be updated again later today.