Pentagon Wants to Scale Up Its Device Security Program

The Defense Department wants to make sure any device touching its network meets the Pentagon’s strict cybersecurity standards and is in the process of expanding its Comply-to-Connect, or C2C, program across the military.

C2C was started in November 2013 as a joint program between the National Security Agency, Marine Corps and Air Force, deployed to help the branches manage 20,000 endpoints—devices such as smartphones, laptops and desktops. Pilot programs at Marine Corps Base Camp Lejeune in North Carolina and Tinker Air Force Base in Oklahoma established a set of security compliance tools that prevented unsecured devices from connecting to the DOD Information Network, or DODIN.

“Building on the success of these pilots, demand for the capability increased throughout DoD network space,” according to a request for information issued Tuesday by the Defense Information Systems Agency.

DISA has already deployed C2C capabilities with the Navy and Marine Corps, according to the RFI, though these are only initial “pathfinder activities” that have yet to scale. The information request seeks industry feedback on software management platforms that could help the department grow and operationalize C2C capabilities.

The program works by proactively seeking out and tracking all devices connected to the network and continuously analyzing them to ensure compliance with all department cybersecurity requirements. The program is set up to both prevent access to the network and respond quickly to remove non-compliant devices.

“The C2C solution will allow real time visibility of all IP endpoint, network infrastructure, and internet of things devices,” the RFI states. “By identifying the non-compliant and previously unidentified devices, DoD will be able to isolate these assets and mitigate risk in an automated fashion, which will significantly increase the security posture of the DODIN.”

The program also creates segments within the DODIN based on “device type, operational/functional impact, sensitivity, and security risk,” the RFI states. “This segmentation will restrict an adversary’s ability to traverse the network, protect access to sensitive data, and allow easier remediation upon discovery providing an automation solution that is reliable, timely, and allows for comprehensive reporting on critical cyber security metrics.”

Program officials have a long way to go before C2C can scale across all of DOD, but the management software is a key first step, according to the RFI.

The RFI outlines several technical characteristics DISA wants in potential solutions, including:

• A single, converged platform to “discover, identify, categorize, classify and profile all devices” connected to the DODIN. To ensure the platform is a catch-all for everything touching the network, the software must use “the widest variety of both passive and active network-based and host-based discovery methodologies.”
• The ability to “automatically remediate deviations from established required compliance baselines” on non-compliant devices without the need to install endpoint management software on the device.
• The ability to segment networks—or manage segmentation—to block non-compliant devices. Then, once the devices have been updated, “segregate devices by type/function to limit access to only mission necessary network segments.” This capability should also be achieved without the use of an endpoint agent.
• Continuously monitor devices for compliance and ensure information sharing between various cybersecurity components.

Responses are due by 1 p.m. June 26. Questions on the RFI are due by 1 p.m. June 25 and will only be accepted by email.