DOD expands encryption mandate

New policy requires military to protect all sensitive data on mobile devices

The Defense Department has tightened its rules for protecting sensitive but unclassified information. In what is likely a first for the federal government, DOD's chief information officer, John Grimes, is requiring DOD to encrypt all sensitive but unclassified data stored on mobile devices.

Grimes' July 3 memo mandates that such data stored on mobile devices must be encrypted with products validated against the National Institute of Standards and Technology's Federal Information Processing Standard 140-2. The term "mobile devices" covers laptop PCs, personal digital assistants and removable storage media, such as thumb drives and compact discs.

The memo is more than just a reminder to DOD employees to encrypt sensitive information and comply with the Office of Management and Budget policy, said Dave Wennergren, DOD's deputy CIO. 'It mandates encryption not only for high-impact, personally identifiable information records, but for all nonpublicly released information that is contained on mobile computing devices and removable storage media.'

Wennergren said the new policy also requires DOD components to purchase data-at-rest encryption products from the SmartBuy blanket purchase agreements, which the General Services Administration and DOD's Enterprise Software Initiative awarded in May.

'The memo will help to ensure that we protect all DOD information on devices and media while outside a protected workplace,' Wennergren said.

The policy instructs DOD officials to pay particular attention to the encryption of mobile devices used by senior DOD officials, such as flag officers and senior executives, who travel frequently outside the continental United States. Grimes said the loss or theft of mobile devices storing U.S. defense information abroad is especially severe.

All DOD components must report their progress at encrypting unclassified stored data by the end of the year.

Paul Kurtz, chief operating officer at Good Harbor Consulting, said the new policy is 'a watershed development within the federal government that has not received a lot of attention.'

'DOD is making an important step forward here to ensure that all data, except that approved for public release, is encrypted,' he said. 'It's watershed because, frankly, the rest of the federal government should operate the same way.'

Kurtz said government information, even if it is unclassified, can be used for criminal purposes if it falls into the wrong hands.

'There is an enormous amount of information that people might not necessarily think of as being of interest but may be of great interest to bad guys, whether criminal organizations, economic espionage or real-life espionage in the DOD world,' Kurtz said.

As examples, Kurtz cited sensitive data from the Agriculture Department related to the agricultural market, or information from the Health and Human Services Department about government health programs.

'Many times, it's been the case that DOD has taken the next appropriate step forward,' Kurtz said. 'What I suspect is that in time we will see OMB come down with guidance that any data that has not been cleared for public release should be encrypted.'

The FIPS 140-2 specification, approved in 2001, grew out of Federal Standard 1027, "General Security Requirements for Equipment," which was built around the now-outdated Data Encryption Standard. NIST is now working on the next iteration, FIPS 140-3.

Mary Mosquera contributed to this article.


Reader comments

Thu, Jan 12, 2012 Chris Ohio

Good lord -- if you are going to write an article that references a regulation, AFI or policy --- PLEASE --- include the regulation, AFI and/or policy NUMBER so we can look them up.
