Today’s mobile Army workforce carries devices that have instant access to command and control, situational awareness and decision-
support systems. When not in use, the millions of files and bits of data stored on these computing devices are referred to as data at rest. If these devices aren’t properly secured, operational, research or mission-critical information becomes vulnerable and puts the Army and the nation at risk.
Mobile devices hosting sensitive, unprotected information can easily be pilfered or lost. Recent events, such as the theft of a Veterans Affairs Department notebook PC, demonstrate the vulnerability. Loss of physical control is a new risk on airlines that periodically prohibit carry-on mobile devices. Now, anyone having control of your luggage might gain access to your computer.
All data can be exploited, but data on mobile devices is particularly vulnerable to loss, theft or damage. The Army also faces threats from terrorists, foreign intelligence operatives and enemy states who specifically target mobile devices and their sensitive information.
In light of these risks, the Army is initiating a protection strategy for our mobile systems and data at rest. Leaders at every level are proactively identifying and securing the most vulnerable systems. We now require identification and encryption of data stowed on notebooks and removable media such as thumb drives. We are incorporating routine training, management and security into everyday operational processes.
Organizations with an existing data-at-rest encryption capability are extending those tools to secure other systems where data is at risk. Those without third-party encryption tools are leveraging the Microsoft Encrypting File System, which is part of Windows XP. The Army Network Enterprise Technology Command will shortly provide guidance on best practices for using EFS.
All data can be exploited, but data on mobile devices is particularly vulnerable to loss, theft or damage.
The Army will eventually select a bridge enterprise encryption tool to provide protection for notebook and desktop PCs while we upgrade to Vista, the next-generation Microsoft operating system. Vista will interact with the Defense Department’s Common Access Cards to enhance data protection and identity security. The Army plans to roll out Vista incrementally next year, beginning with an initial rollout to 5,000 users.
To achieve a bridge data-at-rest capability until Vista is fielded, the Army is using pilot programs, independent evaluations and partnerships with the other armed services to develop comprehensive enterprise requirements for Army, as well as joint, interagency and multinational environments.
We are currently evaluating technologies and applications for securing data at rest. The results of these implementations will help refine our enterprise-level requirements. We need a seamless, integrated approach that supports the complexity of the Army enterprise—its systems, data structures and repositories—while leveraging existing investments in our CACs. We are considering a full-and-open acquisition competition for the bridge tool and expect to issue a request for proposals early next year.
The key to successful implementation depends on workforce awareness of risks, policies, enforcement and the tools necessary to provide a seamless data-at-rest solution. We owe it to our nation to secure our sensitive information while still ensuring that data is available to authorized users, yet denied to our adversaries.
Lt. Gen. Steven W. Boutelle is CIO for the Army.
![1105 Media [purity]](/images/ds1_pntmlogo.gif "1105 Media [purity]"){kind=small}
