Devices bring new security policies

Red, black handhelds are an innovation that will require new security procedures.

The advent of a new generation of handheld devices certified for handling classified and unclassified data is expected to usher in a set of new security policies governing when, where and how officials may use those systems. Existing security doctrine provides some guidance on the proper use of the new devices, but the National Security Agency has begun drafting more detailed policies, NSA spokeswoman Andrea Martino said.

Two companies, General Dynamics C4 Systems and L-3 Communications, each developed a prototype for NSA’s Secure Mobile Environment Portable Electronic Device (SME-PED) program. The agency is expected to award indefinite-delivery, indefinite-quantity contracts to both vendors later this month for the delivery and deployment of SME-PEDs, once they pass NSA’s certification process.

The new systems will let officials in the military, the Homeland Security Department and other agencies send classified e-mail messages, access classified networks or make top-secret phone calls on the go.

The technology is a first in many respects, said Lt. Col. Clinton Wallington, director of the Army’s advanced technology office. “It’s SIPRnet on the hip,” he said, referring to the Defense Department’s Secure IP Router Network for classified information. With the same device and the push of a button, users can operate in an insecure mode to browse the Web and send unclassified e-mail messages.

The device’s hybrid status has some observers wondering about security policies that SME-PED users will need to follow. “Can I take it home with me? Do I have to store it in a safe overnight? Can I pull it out on the Metro?” asked one DOD official.

When operated in unclassified mode, the Common Access Card-enabled SME-PEDs are considered high-value items, but storing them in a safe is not necessary, Martino said. However, using the devices in secure mode in public places, such as Metro trains in the metropolitan Washington area, is not desirable, she added.

Col. John Blaine, chief of the wireless integration branch at the Air Force Communications Agency, said he expects the next update of the Defense Information Systems Agency’s security technical implementation guidance for wireless devices to answer some of the policy questions about SME-PEDs. Blaine pointed out that although many people are still in the dark about the specifics of SME-PED security, both vendors’ devices must obtain NSA certification before such questions can be answered.

“All we can do now is wait,” Blaine said.

Martino declined to say when the devices might be certified because the schedule is still in development.

General Dynamics officials said they will ship their product to NSA for certification in August, but they will start production after NSA awards a contract later this month. L-3’s device most likely will not be certified before December, government sources say.

Martino said unit prices for the SME-PEDs are still in negotiation. As for monthly wireless costs, the vendors are having discussions with carriers to create a one-stop shop for the SME-PED under the General Services Administration’s Networx program, she said.

Wallington said the Army plans to give SME-PEDs to officials in leadership positions who need secret communications channels at all times. “We’re not going to give these to the common soldiers,” he said.

The Air Force could use the systems to quickly relay targeting information for time-sensitive strikes, Blaine said.

**********


Mobile secrecy

A new personal digital assistant developed for the National Security Agency will let government officials access classified networks and make top-secret calls on the move. Its security features include:
  • Access via the Defense Department’s Common Access Card.
  • Encryption of stored data.
  • Automatic deletion of encryption keys when the system detects break-in attempts.
— Sebastian Sprenger