Army, DOD IG disagree over mobile device management

Army officials have taken issue with a recent Defense Department Inspector General report that found the Army is deficient in tracking, configuring and managing its commercial devices.

The DOD IG report was released March 26 but then was pulled from the agency's website with no explanation; a spokesperson there declined to comment. The report was re-posted on April 4 with new detailed comments from a representative from the Army CIO/G-6 office. (Read the report.)

The inspector sought to determine whether the Army has an effective cybersecurity program surrounding the service's use of commercial mobile devices (CMDs). According to the report, the answer was no – and as a result, Army networks are more vulnerable to cybersecurity attacks and data leaks.

"Specifically, the Army CIO did not appropriately track CMDs and was unaware of more than 14,000 CMDs used throughout the Army," Alice Carey, assistant inspector general for readiness, operations and support, wrote in her findings.

Additionally, the Army also failed to ensure its commands properly configured devices to store protected information and to use a mobile device management application to do so. The service also lacks requirements for properly sanitizing devices and controlling their use as removable media, and for training and use agreements specifically for CMDs, the report stated.

"The Army CIO should develop clear and comprehensive policy to include requirements for reporting and tracking all CMDs," Carey wrote, noting that policy should include mobile pilots. "In addition, the Army CIO should extend existing information assurance requirements to the use of all CMDs."

While an Army CIO cybersecurity directorate wrote that the office's leadership agrees with some of the report's recommendations, he also defended existing Army policies.

In the written response included in the DOD IG report, Maj. Gen. Stuart Dyer, director of the Army CIO/G-6 cybersecurity directorate and senior information assurance officer, pointed to policies already in place to secure devices as well as ongoing plans to transition some management responsibilities to the Defense Information Systems Agency.

Dyer emphasized that Army CIO/G-6 Lt. Gen. Susan Lawrence in November 2011 signed a memorandum directing Army organizations to register each mobile pilot. He also noted that the Army cybersecurity directorate runs a SharePoint portal where Army components must register mobile pilots and provide project information.

"The registration process ensures that sensitive information and personal identifiable information is not allowed and the platform cannot connect to the Army e-mail system. On 3 April 2012 the Secretary of the Army signed a memorandum titled 'Mobile Computing Devices' and stated no unauthorized CMDs will be connected to the NIPRNet or used to conduct official business," Dyer wrote. "In summary, no CMDs are currently allowed for Army use outside of authorized pilots and policy and guidance has been promulgated."

Dyer also wrote that his office would extend information assurance requirements to CMDs, but it would not establish CMDs as a separate or stand-alone information system as the report suggests.

According to the DOD IG, those efforts are inadequate.

With the final version of the DOD IG report now published, the Army CIO/G-6 office is putting together additional response, an Army official said.

"Security of the commercial mobile devices that connect us to our network is a very high priority for the Army," said Margaret McBride, Army CIO/G-6 spokeswoman. "The CIO/G-6 is working with the DOD IG's office to prepare a response to their final report's finding."