By Josh Rogin
Jan. 8, 2007
The Defense Department is looking to protect all data at rest (DAR) on
mobile computers and storage devices using commercial encryption
software. DOD will soon award one or more enterprisewide software
agreements under the DOD Enterprise Software Initiative (DOD-ESI) and
the General Services Administration's Federal SmartBUY program.
The department is calling on industry to submit software solutions to
encrypt all DAR storage devices, including hard drives of laptop and
desktop computers, tablet PCs, smart phones, personal digital
assistants, and removable storage devices, according to a
DOD estimates the agreements will cover more than 1 million laptops and
1 million other mobile devices. DOD wants to award blanket purchase
agreements with multiple vendors co-branded as DOD-ESI and SmartBUY
agreements under Part 8 of the Federal Acquisition Regulation. Although
the focus will be on products and maintenance, professional services
will also be included in the contracts.
The Air Force is the executive agent for enterprise software initiatives
dealing with information assurance. The 754th Electronics Systems Group,
based at Maxwell Air Force Base, Ala., will develop the acquisition
strategy and manage the DAR agreements.
Meanwhile, the Office of the Assistant Secretary of Defense for Networks
and Information Integration/DOD Chief Information Officer is developing
a departmentwide policy memorandum for DAR encryption that is in draft
The office's DAR Tiger Team (DARTT) is working on that policy, which will
institute a phased approach for DAR encryption of all mobile computing
devices and removable media, and require all DOD computers to have a
Trusted Platform Module chip certified by the National Information
Assurance Partnership. The policy will also recommend stronger internal
controls and management at DOD components.
DARTT released a request for quotes at an industry day Dec. 20, 2006.
The purchase agreements, which have a duration of five years, should be
awarded in March, according to documents that accompanied the RFQ.
In June, the Office of Management and Budget issued a memorandum
requiring that all federal agencies take steps to ensure DAR encryption.
Departments should encrypt all data on mobile computers and devices, use
two-factor authentication and a time-out function for all remote
computer access, and log all extracts from databases holding
"In an effort to properly safeguard our information assets while using
information technology, it is essential for all departments and agencies
to know their baseline of activities," the memo states.
In August 2006, Army CIO Lt. Gen. Steven Boutelle authorized all Army
components to purchase encryption software from Credant Technologies for
use on all laptops that travel. "Data at rest is data at risk," he says.
Publicity stemming from several recent laptop losses and thefts at
various federal agencies has pushed DOD to move to protect DAR, said
Mark Zelinger, president of Zelinger Associates. By selecting a certain
number of preapproved DAR software products, DOD can force special
pricing, he added.