DOD wants to authenticate devices

The Defense Department wants to verify the identities of at least 25 million of its Internet-enabled devices, similar to how it authenticates human users, according to a request for information (RFI) the department has released.

Vendors have until Jan. 9, 2006 to respond to the request, which would create an enterprisewide device authentication program.

DOD’s Public Key Infrastructure (PKI) Program Management Office wants to develop, deploy and operate a PKI system for devices on DOD networks.

Devices that can use PKI certificates include laptop and desktop computers, routers, servers, firewalls, mobile phones (including voice-over-IP technology), cable and satellite modems, and portable media players, according to the RFI.

The PKI office is looking for solutions that allow trusted communication and use off-the-shelf products as much as possible, the RFI said.

Vendor responses must identify existing DOD resources for tracking PKI certificates and use existing permissions to pass through DOD firewalls.

Vendor suggestions must use digital signatures or equivalent means to authenticate users, the RFI stated. They must also meet Common Criteria security standards and comply with the Federal Information Processing Standard (FIPS) 140-2.

The Common Criteria are a set of internationally recognized standards of assurance for sharing classified information among government agencies. Meeting those standards is essential for companies that want federal contracts that include handling classified information. FIPS 140-2 sets minimum cryptography standards in federal security products.

The solutions must also use IPSec measures to protect classified information and be compatible with IPv6.

Finally, vendor suggestions should move DOD toward adopting Internet Engineering Task Force standards instead of proprietary DOD ones so the department can adapt to changing IPs and eventually use a wide variety of certificates, the RFI said.