DOD seeks commercial encryption software

The department wants to protect data at rest on mobile computers and storage devices.

The Defense Department is looking to protect all data at rest (DAR) on mobile computers and storage devices using commercial encryption software. DOD will soon award one or more enterprisewide software agreements under the DOD Enterprise Software Initiative (DOD-ESI) and the General Services Administration’s Federal SmartBUY program.

The department is calling on industry to submit software solutions to encrypt all DAR storage devices, including hard drives of laptop and desktop computers, tablet PCs, smart phones, personal digital assistants, and removable storage devices, according to a pre-solicitation notice.

DOD estimates the agreements will cover more than 1 million laptops and 1 million other mobile devices. DOD wants to award blanket purchase agreements with multiple vendors co-branded as DOD-ESI and SmartBUY agreements under Part 8 of the Federal Acquisition Regulation. Although the focus will be on products and maintenance, professional services will also be included in the contracts.

The Air Force is the executive agent for enterprise software initiatives dealing with information assurance. The 754th Electronics Systems Group, based at Maxwell Air Force Base, Ala., will develop the acquisition strategy and manage the DAR agreements.

Meanwhile, the Office of the Assistant Secretary of Defense for Networks and Information Integration/DOD Chief Information Officer is developing a departmentwide policy memorandum for DAR encryption that is in draft form.

The office’s DAR Tiger Team (DARTT) is working on that policy, which will institute a phased approach for DAR encryption of all mobile computing devices and removable media, and require all DOD computers to have a Trusted Platform Module chip certified by the National Information Assurance Partnership. The policy will also recommend stronger internal controls and management at DOD components.

DARTT released a request for quotes at an industry day Dec. 20, 2006. The purchase agreements, which have a duration of five years, should be awarded in March, according to documents that accompanied the RFQ.

In June, the Office of Management and Budget issued a memorandum requiring that all federal agencies take steps to ensure DAR encryption. Departments should encrypt all data on mobile computers and devices, use two-factor authentication and a time-out function for all remote computer access, and log all extracts from databases holding sensitive information.

“In an effort to properly safeguard our information assets while using information technology, it is essential for all departments and agencies to know their baseline of activities,” the memo states.

In August 2006, Army CIO Lt. Gen. Steven Boutelle authorized all Army components to purchase encryption software from Credant Technologies for use on all laptops that travel. “Data at rest is data at risk,” he says.

Publicity stemming from several recent laptop losses and thefts at various federal agencies has pushed DOD to move to protect DAR, said Mark Zelinger, president of Zelinger Associates. By selecting a certain number of preapproved DAR software products, DOD can force special pricing, he added.