Windows Mobile DISA STIG

Secure wireless e-mail for the Department of Defense

The U.S. Defense Information Systems Agency (DISA) has approved Windows Mobile for wireless e-mail throughout the Department of Defense. The decision will enable millions of users to access secure/unclassified Defense networks on Windows Mobile devices through a secure Bluetooth Common Access Card (CAC) reader.

Providing secure mobile messaging

Responding to an ever-increasing number of increasingly sophisticated cyber attacks, in 2004 the Department of Defense mandated that active duty military personnel, reserve personnel, civilian employees, and eligible contractor personnel be issued a CAC to access unclassified networks. CACs, which are now widely used for credentials throughout the DoD, feature a chip that electronically verifies a user's identity and enables access to computers, networks, and facilities without the need for passwords.

“The DoD asked Microsoft to develop a secure, CAC-based mobile messaging solution for DoD usage. We are excited to offer a mobile two-factor authentication mechanism utilizing the widely deployed CAC cards,” said Rick Engle, a Mobile Solutions Architect at Microsoft Federal.

The Windows Mobile Messaging solution is based on the Exchange Server 2003 SP2 platform, which offers integrated mobile messaging and leverages a security architecture developed by Microsoft specifically to U.S. Government requirements, known as Course of Action 2 (COA2). COA2 was designed to provide smartcard/CAC support for Outlook Web Access and Exchange ActiveSync (mobile e-mail) users. The solution's design recognizes the intent of the CAC smartcard policy, relying on the CAC for access to the device, CAC authentication to the network, and use of the CAC for Secure/Multipurpose Internet Mail Extensions (S/MIME) to encrypt messages and to sign messages for non-repudiation. Microsoft has partnered with Trust Digital and BAI for a holistic solution.

Developing DISA STIG

A formal request was made to the DISA Field Security Operations (FSO) office, effectively initiating evaluation of Windows Mobile as an approved messaging platform for DoD usage. Once an evaluation is requested, DISA develops a Security Technical Implementation Guide (STIG), which provides a checklist for prescriptive guidance on setting up a product to be used securely on DoD networks.

As a trusted advisor to the U.S. Government, our goal was to make certain that we developed a solution that would most efficiently and cost-effectively extend the government's large investment in Microsoft tools and technologies into the field. This is all about untethering previously deskbound applications (which are frequently based on Microsoft platforms) and getting the most return on investment for those purchases. The Windows Mobile DISA STIG complements mission-critical work we are doing across the U.S. Federal Government. Systems integrator partners such as General Dynamics and L3 Communications have chosen the Microsoft platform to develop an NSA-approved Secure Mobile Environment Portable Electronic Device (SME PED). The SME PED is capable of secure wireless access to the SIPRNET and NIPRNET and supports DoD 8100.2 requirements. All of this work falls under the banner of Mission Critical Microsoft, an initiative we have undertaken to demonstrate the power of our large developer base and the ability of partners to readily customize a device for their own specific needs or applications. Other examples include customized work we have done or are doing with Accenture, BearingPoint, Harris Corporation, Northrop Grumman, Lockheed Martin, BAE, and other tier I systems integrators. By continuing to expand our mobile partner ecosystem, we are able to produce a range of options for our government customers and ultimately to save taxpayer dollars.

The solution provides some unique capabilities, such as two-factor access to Windows Mobile devices, CAC-based authentication to the network, and CAC-enabled S/MIME support for signing and encrypting e-mail messages and attachments. All local and network encryption uses FIPS 140-2 Level 1 algorithms.

Leveraging the Platform