DOD expands encryption mandate

New policy requires military to protect all sensitive data on mobile devices

The Defense Department has tightened its rules for protecting sensitive but unclassified information. In what likely is the first time in government, DOD's chief information officer, John Grimes, is requiring DOD to encrypt all sensitive but unclassified data stored on mobile devices.

Grimes' July 3 memo mandates that such data stored on mobile devices must be encrypted in compliance with the National Institute of Standards and Technology's Federal Information Processing Standard 140-2. The term mobile devices describes laptop PCs, personal digital assistants and removable storage media, such as thumb drives and compact discs.

The memo is more than just a reminder to DOD employees to encrypt sensitive information and comply with the Office of Management and Budget policy, said Dave Wennergren, DOD's deputy CIO. 'It mandates encryption not only for high-impact, personally identifiable information records, but for all nonpublicly released information that is contained on mobile computing devices and removable storage media.'

Wennergren said the new policy also requires DOD components to purchase data-at-rest encryption products from the SmartBuy blanket purchase agreements, which the General Services Administration and DOD's Enterprise Software Initiative awarded in May.

'The memo will help to ensure that we protect all DOD information on devices and media while outside a protected workplace,' Wennergren said.

The policy instructs DOD officials to pay particular attention to the encryption of mobile devices used by senior DOD officials, such as flag officers and senior executives, who travel frequently outside the continental United States. Grimes said the loss or theft of mobile devices storing U.S. defense information abroad is especially severe.

All DOD components must report their progress at encrypting unclassified stored data by the end of the year.

Paul Kurtz, chief operating officer at Good Harbor Consulting, said the new policy is 'a watershed development within the federal government that has not received a lot of attention.'

'DOD is making an important step forward here to ensure that all data, except that approved for public release, is encrypted,' he said. 'It's watershed because, frankly, the rest of the federal government should operate the same way.'
Kurtz said government information, even if it is unclassified, can be used for criminal purposes if it falls into the wrong hands.

'There is an enormous amount of information that people might not necessarily think as of being of interest but may be of great interest to bad guys, whether criminal organizations, economic espionage or real-life espionage in the DOD world,'  Kurtz said.

As examples, Kurtz cited sensitive data from the Agriculture Department related to the agricultural market, or information from the Health and Human Services Department about government health programs.

'Many times, it's been the case that DOD has taken the next appropriate step forward,'  Kurtz said. 'What I suspect is that in time we will see OMB come down with guidance that any data that has not been cleared for public release should be encrypted.'

The FIPS 140-2 specification, approved in 2001, grew from Federal Standard 1027, General Security Requirements for Equipment, which used the now-outdated Data Encryption Standard. NIST is now working on the next iteration, FIPS 140-3.

Mary Mosquera contributed to this article.

The 2015 Federal 100

Meet 100 women and men who are doing great things in federal IT.


  • Shutterstock image (by venimo): e-learning concept image, digital content and online webinar icons.

    Can MOOCs make the grade for federal training?

    Massive open online courses can offer specialized IT instruction on a flexible schedule and on the cheap. That may not always mesh with government's preference for structure and certification, however.

  • Shutterstock image (by edel): graduation cap and diploma.

    Cybersecurity: 6 schools with the right stuff

    The federal government craves more cybersecurity professionals. These six schools are helping meet that demand.

  • Rick Holgate

    Holgate to depart ATF

    Former ACT president will take a job with Gartner, follow his spouse to Vienna, Austria.

  • Are VA techies slacking off on Yammer?

    A new IG report cites security and productivity concerns associated with employees' use of the popular online collaboration tool.

  • Shutterstock image: digital fingerprint, cyber crime.

    Exclusive: The OPM breach details you haven't seen

    An official timeline of the Office of Personnel Management breach obtained by FCW pinpoints the hackers’ calibrated extraction of data, and the government's step-by-step response.

  • Stephen Warren

    Deputy CIO Warren exits VA

    The onetime acting CIO at Veterans Affairs will be taking over CIO duties at the Office of the Comptroller of the Currency.

  • Shutterstock image: monitoring factors of healthcare.

    DOD awards massive health records contract

    Leidos, Accenture and Cerner pull off an unexpected win of the multi-billion-dollar Defense Healthcare Management System Modernization contract, beating out the presumptive health-records leader.

  • Sweating the OPM data breach -- Illustration by Dragutin Cvijanovic

    Sweating the stolen data

    Millions of background-check records were compromised, OPM now says. Here's the jaw-dropping range of personal data that was exposed.

  • FCW magazine

    Let's talk about Alliant 2

    The General Services Administration is going to great lengths to gather feedback on its IT services GWAC. Will it make for a better acquisition vehicle?

Reader comments

Thu, Jan 12, 2012 Chris Ohio

good lord -- if you are going to write an article that references regulation, AFI, policy --- PLEASE --- include the regulation, AFI, and/or policy NUMBER so we can look them up.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above