DOD expands encryption mandate

New policy requires military to protect all sensitive data on mobile devices

The Defense Department has tightened its rules for protecting sensitive but unclassified information. In what likely is the first time in government, DOD's chief information officer, John Grimes, is requiring DOD to encrypt all sensitive but unclassified data stored on mobile devices.

Grimes' July 3 memo mandates that such data stored on mobile devices must be encrypted in compliance with the National Institute of Standards and Technology's Federal Information Processing Standard 140-2. The term "mobile devices" covers laptop PCs, personal digital assistants and removable storage media, such as thumb drives and compact discs.

The memo is more than just a reminder to DOD employees to encrypt sensitive information and comply with the Office of Management and Budget policy, said Dave Wennergren, DOD's deputy CIO. 'It mandates encryption not only for high-impact, personally identifiable information records, but for all nonpublicly released information that is contained on mobile computing devices and removable storage media.'

Wennergren said the new policy also requires DOD components to purchase data-at-rest encryption products from the SmartBuy blanket purchase agreements, which the General Services Administration and DOD's Enterprise Software Initiative awarded in May.

'The memo will help to ensure that we protect all DOD information on devices and media while outside a protected workplace,' Wennergren said.

The policy instructs DOD officials to pay particular attention to the encryption of mobile devices used by senior DOD officials, such as flag officers and senior executives, who travel frequently outside the continental United States. Grimes said the loss or theft of mobile devices storing U.S. defense information abroad poses an especially severe risk.

All DOD components must report their progress at encrypting unclassified stored data by the end of the year.

Paul Kurtz, chief operating officer at Good Harbor Consulting, said the new policy is 'a watershed development within the federal government that has not received a lot of attention.'

'DOD is making an important step forward here to ensure that all data, except that approved for public release, is encrypted,' he said. 'It's watershed because, frankly, the rest of the federal government should operate the same way.'

Kurtz said government information, even if it is unclassified, can be used for criminal purposes if it falls into the wrong hands.

'There is an enormous amount of information that people might not necessarily think of as being of interest but may be of great interest to bad guys, whether criminal organizations, economic espionage or real-life espionage in the DOD world,' Kurtz said.

As examples, Kurtz cited sensitive data from the Agriculture Department related to the agricultural market, or information from the Health and Human Services Department about government health programs.

'Many times, it's been the case that DOD has taken the next appropriate step forward,' Kurtz said. 'What I suspect is that in time we will see OMB come down with guidance that any data that has not been cleared for public release should be encrypted.'

The FIPS 140-2 specification, approved in 2001, grew from Federal Standard 1027, General Security Requirements for Equipment, which used the now-outdated Data Encryption Standard. NIST is now working on the next iteration, FIPS 140-3.

Mary Mosquera contributed to this article.