DOD expands encryption mandate

New policy requires military to protect all sensitive data on mobile devices

The Defense Department has tightened its rules for protecting sensitive but unclassified information. In what likely is the first time in government, DOD's chief information officer, John Grimes, is requiring DOD to encrypt all sensitive but unclassified data stored on mobile devices.

Grimes' July 3 memo mandates that such data stored on mobile devices must be encrypted in compliance with the National Institute of Standards and Technology's Federal Information Processing Standard 140-2. The term mobile devices describes laptop PCs, personal digital assistants and removable storage media, such as thumb drives and compact discs.

The memo is more than just a reminder to DOD employees to encrypt sensitive information and comply with the Office of Management and Budget policy, said Dave Wennergren, DOD's deputy CIO. 'It mandates encryption not only for high-impact, personally identifiable information records, but for all nonpublicly released information that is contained on mobile computing devices and removable storage media.'

Wennergren said the new policy also requires DOD components to purchase data-at-rest encryption products from the SmartBuy blanket purchase agreements, which the General Services Administration and DOD's Enterprise Software Initiative awarded in May.

'The memo will help to ensure that we protect all DOD information on devices and media while outside a protected workplace,' Wennergren said.

The policy instructs DOD officials to pay particular attention to the encryption of mobile devices used by senior DOD officials, such as flag officers and senior executives, who travel frequently outside the continental United States. Grimes said the loss or theft of mobile devices storing U.S. defense information abroad is especially severe.

All DOD components must report their progress in encrypting unclassified stored data by the end of the year.

Paul Kurtz, chief operating officer at Good Harbor Consulting, said the new policy is 'a watershed development within the federal government that has not received a lot of attention.'

'DOD is making an important step forward here to ensure that all data, except that approved for public release, is encrypted,' he said. 'It's watershed because, frankly, the rest of the federal government should operate the same way.'

Kurtz said government information, even if it is unclassified, can be used for criminal purposes if it falls into the wrong hands.

'There is an enormous amount of information that people might not necessarily think of as being of interest but may be of great interest to bad guys, whether criminal organizations, economic espionage or real-life espionage in the DOD world,' Kurtz said.

As examples, Kurtz cited sensitive data from the Agriculture Department related to the agricultural market, or information from the Health and Human Services Department about government health programs.

'Many times, it's been the case that DOD has taken the next appropriate step forward,' Kurtz said. 'What I suspect is that in time we will see OMB come down with guidance that any data that has not been cleared for public release should be encrypted.'

The FIPS 140-2 specification, approved in 2001, grew from Federal Standard 1027, General Security Requirements for Equipment, which used the now-outdated Data Encryption Standard. NIST is now working on the next iteration, FIPS 140-3.

Mary Mosquera contributed to this article.


Reader comments

Thu, Jan 12, 2012 Chris Ohio

good lord -- if you are going to write an article that references regulation, AFI, policy --- PLEASE --- include the regulation, AFI, and/or policy NUMBER so we can look them up.
