Mobility

Army, DOD IG disagree over mobile device management

soldier using tablet pc

Are the Army's policies regarding commercial mobile devices strong enough? (Stock image)

Army officials have taken issue with a recent Defense Department Inspector General report that found the Army is deficient in tracking, configuring and managing its commercial devices.

The DOD IG report was released March 26 but then was pulled from the agency's website with no explanation; a spokesperson there declined to comment. The report was re-posted on April 4 with new detailed comments from a representative from the Army CIO/G-6 office. (Read the report.)

The inspector sought to determine whether the Army has an effective cybersecurity program surrounding the service's use of commercial mobile devices (CMDs). According to the report, the answer was no – and as a result, Army networks are more vulnerable to cybersecurity attacks and data leaks.

"Specifically, the Army CIO did not appropriately track CMDs and was unaware of more than 14,000 CMDs used throughout the Army," Alice Carey, assistant inspector general for readiness, operations and support, wrote in her findings.

Additionally, the Army also failed to ensure its commands properly configured devices to store protected information and to use a mobile device management application to do so. The service also lacks requirements for properly sanitizing devices and controlling their use as removable media, and for training and use agreements specifically for CMDs, the report stated.

"The Army CIO should develop clear and comprehensive policy to include requirements for reporting and tracking all CMDs," Carey wrote, noting that policy should include mobile pilots. "In addition, the Army CIO should extend existing information assurance requirements to the use of all CMDs."

While an Army CIO cybersecurity directorate wrote that the office's leadership agrees with some of the report's recommendations, he also defended existing Army policies.

In the written response included in the DOD IG report, Maj. Gen. Stuart Dyer, director of the Army CIO/G-6 cybersecurity directorate and senior information assurance officer, pointed to policies already in place to secure devices as well as ongoing plans to transition some management responsibilities to the Defense Information Systems Agency.

Dyer emphasized that Army CIO/G-6 Lt. Gen. Susan Lawrence in November 2011 signed a memorandum directing Army organizations to register each mobile pilot. He also noted that the Army cybersecurity directorate runs a SharePoint portal where Army components must register mobile pilots and provide project information.

"The registration process ensures that sensitive information and personal identifiable information is not allowed and the platform cannot connect to the Army e-mail system. On 3 April 2012 the Secretary of the Army signed a memorandum titled 'Mobile Computing Devices' and stated no unauthorized CMDs will be connected to the NIPRNet or used to conduct official business," Dyer wrote. "In summary, no CMDs are currently allowed for Army use outside of authorized pilots and policy and guidance has been promulgated."

Dyer also wrote that his office would extend information assurance requirements to CMDs, but it would not establish CMDs as a separate or stand-alone information system as the report suggests.

According to the DOD IG, those efforts are inadequate.

With the final version of the DOD IG report now published, the Army CIO/G-6 office is putting together additional response, an Army official said.

"Security of the commercial mobile devices that connect us to our network is a very high priority for the Army," said Margaret McBride, Army CIO/G-6 spokeswoman. "The CIO/G-6 is working with the DOD IG's office to prepare a response to their final report's finding."

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.

FCW in Print

In the latest issue: Looking back on three decades of big stories in federal IT.

Featured

  • Anne Rung -- Commerce Department Photo

    Exit interview with Anne Rung

    The government's departing top acquisition official said she leaves behind a solid foundation on which to build more effective and efficient federal IT.

  • Charles Phalen

    Administration appoints first head of NBIB

    The National Background Investigations Bureau announced the appointment of its first director as the agency prepares to take over processing government background checks.

  • Sen. James Lankford (R-Okla.)

    Senator: Rigid hiring process pushes millennials from federal work

    Sen. James Lankford (R-Okla.) said agencies are missing out on younger workers because of the government's rigidity, particularly its protracted hiring process.

  • FCW @ 30 GPS

    FCW @ 30

    Since 1987, FCW has covered it all -- the major contracts, the disruptive technologies, the picayune scandals and the many, many people who make federal IT function. Here's a look back at six of the most significant stories.

  • Shutterstock image.

    A 'minibus' appropriations package could be in the cards

    A short-term funding bill is expected by Sept. 30 to keep the federal government operating through early December, but after that the options get more complicated.

  • Defense Secretary Ash Carter speaks at the TechCrunch Disrupt conference in San Francisco

    DOD launches new tech hub in Austin

    The DOD is opening a new Defense Innovation Unit Experimental office in Austin, Texas, while Congress debates legislation that could defund DIUx.

Reader comments

Mon, Apr 8, 2013 Jack

Huge Kudos to Army IG! Paper tiger policies are worthless without the ability to monitor and enforce. Great job and thanks for sticking to your guns. A great article on doing commercial and BYOD right is here: http://gcn.com/articles/2013/03/29/byod-getting-it-right-the-first-time.aspx

Mon, Apr 8, 2013 Beltway Billy

This is easily solved. The DoD has offered free antivirus & CAC-in software for years. They could just as easily extend the contract with McAfee or Symantec or XYZ to also provide free, easy, default mobile device management and security for all Army users (GFE and personal devices). Right now hundreds of pilots all have these little stovepipe MDMs. This service would be the required-minumum for GFE devices w/o senstive info. Improved services would be required if you want to do sensitve stuff. Easy solution, just buy it and advertise it.

Mon, Apr 8, 2013 Beltway Bill yes I said do do

One minor clarification wrt email. Pretty much any device (virii ridden home gaming PC, locked down iPhone, govt laptop, etc.) can CAC-into many DoD Outlook Web Access (OWA) sites, AKOP/DKO, and other sites. Thus you can indeed do, and many do do, email on CMDs.

Mon, Apr 8, 2013 Government emp

In my work with Government Financial accounting, whenever there was an audit, we had opportunities to question and discuss the findings before posting. No one could 'pull' the original report after posting. We could only respond. Interesting that this was pulled. Was it because the IG felt the process or report wasn't accurate or was there pressure from outside for more favorable findings?

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group