Pentagon expects to soon clear Apple, Android devices

Teri Takai, the Defense Department's chief information officer, promised Wednesday the department would quickly adopt commercial mobile tablet computers. According to a top Defense Information Systems Agency official, the agency expects to release security guidelines by August that will cover their use for a range of missions.

Mark Orndorff, program executive officer for mission assurance and network operations at DISA, told Nextgov the guidelines will cover both Google's Android operating system and Apple's iOS, which powers the iPhone and iPad. The guidelines will mitigate many of the security concerns that have precluded the devices' widespread use on Defense networks, although restrictions could prevail in some sensitive mission areas.

DISA is in "full and open discussion" with Apple to resolve security concerns with its operating system and has 10 outstanding issues, most of which Orndorff said he could not discuss due to confidentiality agreements with the company. One issue he did note was that Apple still has not received certification from the National Institutes of Standards and Technology for compliance with Federal Information Processing Standard 140-2 for encryption.

Orndorff said DISA has developed a workaround that will allow Defense organizations to adopt iPads and iPhones if they use GoodReader software from Good.iware, which encrypts individual files to ensure data is secure even if an iPhone or iPad is lost or stolen.

Officials at the Air Force Special Operations Command said last month the command planned to use GoodReader for encryption on the 2,861 iPad2s it plans to use to store digital charts and technical manuals for flight crews. Commercial users can download GoodReader from the Apple App store for $4.99.

Orndorff agreed that Defense has lagged the commercial market in adopting smartphones and tablet computers due to its security requirements, but said there will be more progress as DISA works with software and hardware companies to bake in its requirements before a product or new software release hits the market.

DISA is working with industry to "design and build in security upfront," Orndorff said, following a long-standing practice it has with Microsoft for that company to address Defense security requirements as it develops new versions of its operating systems.

Mobile device manufacturers will consider Defense requirements as part of their product cycles, Orndorff said, while DISA concurrently conducts risk analyses of the new products and software.

As far as current products are concerned, Orndorff said the key security concerns will be "absolutely resolved" within six months.