Description:
OBJECTIVE: Users of DoD business systems need a secure, more efficient means to access systems performing recruiting, personnel, travel and training functions. An integrated approach is needed to make maximum use of mobile, hand held technology while maintaining information security. DESCRIPTION: There are several initiatives throughout DoD that focus on: portal consolidation, the delivery and use of hand-held devices (e.g. tablets, mobile phones and other PDAs) for mobile users, and a DoD enterprise marketplace for widgets and web apps that can be rendered in i-frames for user configurability with browsers. This task is to investigate current DoD and commercial products and initiatives for mobile users and develop a security approach that supports integration of these devices for use with business systems. The security challenges (e.g. protection and integrity of data in transit and at rest) associated with use of the latest hand-held devices need to be investigated and a strategy for resolution of these security concerns needs to be identified and proven. A light weight mobile device management approach is desired which balances the use of server side platforms with a more containerized solution. The approach should support a cloud construct. A common user interface is needed to give users the flexibility to configure according to their specific needs. It needs to make use of widgets developed to perform simple business functions and provide interfaces to all the appropriate business systems. These widgets need to be discoverable and able to be downloaded from a DoD repository. In addition to the challenge associated with data security, single sign-on access control should be considered to simplify user access to needed systems. Mobile users of business systems also need the ability to download and use simple web apps. A standard approach and web apps need to be developed that provide functionality in disconnected, intermittent, and limited communications conditions as well as safeguard the data (i.e. personally identifiable information) that is used by the particular business application. Additionally, an approach for the use of these user-facing capabilities needs to be integrated with portal consolidation strategies. The ideal solution would provide for device diversity such that multiple OS systems can be supported as well as various mobile platforms ranging from laptops, to tablet to smart phones. Securing and compliance verification should also be a capability as well as software distribution. Emerging techniques using hardware devise virtualization should be explored to determine if this technique could provide improved security and manageability. PHASE I: Feasibility evaluation includes: the investigation of current DoD capabilities and initiatives, research and development of a strategy and security approach that allows for adaptation of these capabilities for users of business systems, and recommendations for the products and security that would be best suited for use with business systems and to be piloted in Phase II. The strategy, approach, and recommendations need to ensure data security, access controls, performance, cost, and effectiveness for the user within a mobile device management architecture. Architectural standards and constraints for these capabilities should be defined as well as an improved mobile device policy. PHASE II: Piloting of the security approach for using these capabilities should include best-of-breed for selected types of user devices, environment and need. The pilots should include demonstration of appropriate security for data and access controls using a representative set of web apps and widgets as extensions of selected business systems. Typical users should be included in the demonstrations with feedback regarding utility. Cost estimates and benefits analysis should be performed. PHASE III: A plan for execution needs to be coordinated with all appropriate stakeholders. A secure prototype capability should be implemented as a reference implementation. Documentation of the information assurance principles and design guidance needs to be established that is acceptable for IA accreditation of systems implementing mobile user devices. PRIVATE SECTOR COMMERCIAL POTENTIAL/DUAL-USE APPLICATIONS: The private sector application will be a device such as the I Pad or similar device. Developers of computer based tablets would benefit.
