DOD expands encryption mandate

New policy requires military to protect all sensitive data on mobile devices.

The Defense Department has tightened its rules for protecting sensitive but unclassified information. In what likely is the first time in government, DOD's chief information officer, John Grimes, is requiring DOD to encrypt all sensitive but unclassified data stored on mobile devices.Grimes' July 3 memo mandates that such data stored on mobile devices must be encrypted in compliance with the National Institute of Standards and Technology's Federal Information Processing Standard 140-2. The term mobile devices describes laptop PCs, personal digital assistants and removable storage media, such as thumb drives and compact discs.The memo is more than just a reminder to DOD employees to encrypt sensitive information and comply with the Office of Management and Budget policy, said Dave Wennergren, DOD's deputy CIO. 'It mandates encryption not only for high-impact, personally identifiable information records, but for all nonpublicly released information that is contained on mobile computing devices and removable storage media.'Wennergren said the new policy also requires DOD components to purchase data-at-rest encryption products from the SmartBuy blanket purchase agreements, which the General Services Administration and DOD's Enterprise Software Initiative awarded in May.'The memo will help to ensure that we protect all DOD information on devices and media while outside a protected workplace,' Wennergren said.The policy instructs DOD officials to pay particular attention to the encryption of mobile devices used by senior DOD officials, such as flag officers and senior executives, who travel frequently outside the continental United States. Grimes said the loss or theft of mobile devices storing U.S. defense information abroad is especially severe. All DOD components must report their progress at encrypting unclassified stored data by the end of the year.Paul Kurtz, chief operating officer at Good Harbor Consulting, said the new policy is 'a watershed development within the federal government that has not received a lot of attention.' 'DOD is making an important step forward here to ensure that all data, except that approved for public release, is encrypted,' he said. 'It's watershed because, frankly, the rest of the federal government should operate the same way.'Kurtz said government information, even if it is unclassified, can be used for criminal purposes if it falls into the wrong hands. 'There is an enormous amount of information that people might not necessarily think as of being of interest but may be of great interest to bad guys, whether criminal organizations, economic espionage or real-life espionage in the DOD world,'  Kurtz said.As examples, Kurtz cited sensitive data from the Agriculture Department related to the agricultural market, or information from the Health and Human Services Department about government health programs.'Many times, it's been the case that DOD has taken the next appropriate step forward,'  Kurtz said. 'What I suspect is that in time we will see OMB come down with guidance that any data that has not been cleared for public release should be encrypted.'The FIPS 140-2 specification, approved in 2001, grew from Federal Standard 1027, General Security Requirements for Equipment, which used the now-outdated Data Encryption Standard. NIST is now working on the next iteration, FIPS 140-3.