BlackBerries and CACs Get Connected
By Mike Hernon - Published, December 3, 2007
The Department of the Navy is a dynamic enterprise with personnel constantly on the move between the office, temporary duty assignments and military deployments. Maintaining connectivity to voice and data services is essential to mobile workers so that they may perform their jobs as efficiently and effectively as possible. This capability, referred to as "enterprise mobility," is a critical component of the ongoing work to build the DON's net-centric environment.
As part of this effort, the DON provides BlackBerries, wireless handheld devices, to thousands of mobile users with services such as voice, e-mail and Web browsing, in addition to other productivity tools such as a calendar.
Since first launched within the Navy Marine Corps Intranet (NMCI) environment in 2003, BlackBerries have provided significant benefits. Many users rely on them to perform a substantial portion of their daily work from locations other than their normal workplace. As a result, BlackBerry devices have become an integral part of the DON's enterprise mobility efforts.
However, with targeted e-mail spoofing and other attacks on the rise, emerging information assurance (IA) requirements for all portable electronic devices (PEDs) threatened to render BlackBerries unsuitable for some uses, particularly for e-mails that required encryption and decryption or a digital signature.
Without expansion of the BlackBerry's capabilities, users would have experienced degraded service and the Department's efforts to build a net-centric environment would have faltered. Fortunately, the DON Wireless Working Group anticipated this potential disruption and worked with the vendor community to deliver a solution.
The solution is the pairing of the Department of Defense (DoD)-issued Common Access Card (CAC) reader with the BlackBerry device. The BlackBerry CAC reader (BB CAC) solution allows users to enjoy all the benefits of the BlackBerry that they have grown to rely on while at the same time meeting the strict new IA requirements for PEDs.
Unlike other portable CAC readers, the Research in Motion (RIM) Bluetooth-enabled Smart Card Reader connects wirelessly to the device. This is an essential requirement for a truly mobile application. It also provides an easy access solution. The use of secured Bluetooth technology permits users to carry the reader with the CAC in their pocket or on a lanyard and enjoy full functionality. A cautionary note: This is the only approved use of Bluetooth within the NMCI environment, so the BB CAC solution is indeed breaking new ground.
The BB CAC solution allows a BlackBerry to access the DoD-issued PKI certificates stored on the CAC and supports Advanced Encryption Standard and Secure/Multipurpose Internet Mail Extensions (S/MIME). Because the BB CAC solution is compatible with S/MIME software it provides an extra layer of security between the sender and recipient of a message using advanced e-mail encryption and digital signatures. More importantly, data at rest is also encrypted.
This DON Designated Accrediting Authority (DAA)-approved solution is compliant with the National Institute of Standards and Technology (NIST)-issued FIPS 140-2 and the Defense Information Systems Agency's Wireless Security Technical Implementation Guide (STIG), with minor adjustments for the DON environment.
Before receiving approval for enterprise-wide deployment, DON CIO, the DON Wireless Working Group and Program Manager NMCI worked with vendors and the services to conduct a pilot program and user acceptability test. One goal of the pilot program was to demonstrate that the solution was compliant with all pertinent IA requirements while still providing the full range of BlackBerry functionality.
Another goal was to demonstrate to the DAAs the efficacy and security of the solution in actual use.
Sixty users within the Navy, Marine Corps, DON CIO, PM NMCI and the vendor community participated in the pilot. Customer feedback was critical in developing the final solution and was gathered through the use of surveys, help desk data and conference calls. The results of the pilot were then reviewed with the Navy and Marine Corps DAAs to garner their final approval for an enterprise roll out.
Pat Hajek, chair of the DON Wireless Working Group, put it this way, "The success of the user acceptability test was critical to gaining DAA approval and the key to that success was active participation from users throughout the DON community."
Recent guidance, such as DISA's May 2007 Wireless STIG, provides a default standardized security posture to further protect the DoD mobile environment. As a result, some BlackBerry users will experience changes in their device's functionality. These changes are not related to the addition of the CAC reader, but are a result of the application of the unified DON security policy for all PEDs. The changes are summarized below.
- Mandatory password use.
- Inactivity time-out at 15 minutes.
- Periodic challenge time (re-enter password) after 60 minutes. This means that the first successful challenge/response message exchange between the security device and the token places the node in an operational state that allows the authorized user access to the contents and/or networked resources of the node. Later challenge/response message exchanges are set to occur periodically to check whether the authorized user possessing the token has left the node unattended, thereby causing the node to be placed in a non-operational state.
- Automatic lockout and wipe of device after five failed password attempts.
- No global positioning system tracking.
- No camera functionality.
- Web access limited to NMCI access points.
- Non-RIM messaging services (such as AOL Instant Messenger or other instant messaging programs) are not allowed.
- Multimedia Messaging Service (MMS) messages may be received but not sent.
- All peer-to-peer (PIN-to-PIN) messages must be S/MIME-encrypted, because PIN-to-PIN messages are otherwise transmitted in plaintext and can be read by anyone who intercepts them.
- Except for the BB CAC, no other Bluetooth devices are allowed.
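As an added illustration of the lock policy the list describes (this is constructed example code, not DON or RIM software), the following Python model enforces the 15-minute inactivity lock, the 60-minute periodic re-challenge, the automatic wipe after five failed password attempts, and the rule that the phone still works while locked but the address book does not. Times are minutes since power-on and the password value is a constructed sample.

```python
from dataclasses import dataclass
from enum import Enum

INACTIVITY_TIMEOUT_MIN = 15    # inactivity time-out
RECHALLENGE_INTERVAL_MIN = 60  # periodic challenge: re-enter password
MAX_FAILED_ATTEMPTS = 5        # lockout and wipe threshold

class State(Enum):
    LOCKED = "locked"              # non-operational: password required
    OPERATIONAL = "operational"    # authorized user has answered the challenge
    WIPED = "wiped"                # device contents erased after too many failures

@dataclass
class DeviceLock:
    password: str                  # constructed sample credential
    state: State = State.LOCKED
    failed_attempts: int = 0
    last_activity: float = 0.0     # minutes since power-on
    last_challenge: float = 0.0

    def tick(self, now: float) -> State:
        """Apply the two timers: idle time-out and the periodic re-challenge."""
        if self.state is State.OPERATIONAL:
            idle = now - self.last_activity
            since_challenge = now - self.last_challenge
            if idle >= INACTIVITY_TIMEOUT_MIN or since_challenge >= RECHALLENGE_INTERVAL_MIN:
                self.state = State.LOCKED
        return self.state

    def unlock(self, entered: str, now: float) -> State:
        """Challenge/response: a correct password makes the node operational."""
        if self.state is State.WIPED:
            return self.state
        if entered == self.password:
            self.state = State.OPERATIONAL
            self.failed_attempts = 0
            self.last_challenge = self.last_activity = now
        else:
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.state = State.WIPED   # automatic lockout and wipe
        return self.state

    def activity(self, now: float) -> State:
        """User interaction only refreshes the idle timer if still operational."""
        self.tick(now)
        if self.state is State.OPERATIONAL:
            self.last_activity = now
        return self.state

    def can_use(self, feature: str, now: float) -> bool:
        """Phone calls are permitted while locked; the address book is not."""
        self.tick(now)
        if self.state is State.WIPED:
            return False
        return self.state is State.OPERATIONAL or feature == "phone"
```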
The BlackBerry phone can be used when the device is locked, but the address book will not be accessible. Most users will not be significantly affected by these enhancements unless, of course, they forget their password or CAC personal identification number. Adherence to these guidelines is mandatory and will protect the device from unauthorized access and known vulnerabilities.
Stay In Touch
To take advantage of this offering, you will need an NMCI-approved, Bluetooth-enabled BlackBerry and a RIM Bluetooth Smart Card Reader with packaged software, installation and configuration services.
If you already have an unclassified NMCI account as well as a DoD-issued CAC with PKI certificates loaded, you can add the CAC functionality to an existing BlackBerry by making sure your device is compatible — most devices acquired since January 2005 will be compatible. A list of compatible devices and detailed procurement instructions are available on the NMCI Homeport at https://www.homeport.navy.mil/services/mobile/blackberry/
If you need to buy a new Bluetooth-enabled BlackBerry, it, like all mobile devices, must be procured through the existing Fleet and Industrial Supply Center (FISC) San Diego or NMCI contract as mandated by the deputy assistant secretary of the Navy for research, development and acquisition policy. Visit the NAVSUP Web site for information about the FISC contracts at https://www.navsup.navy.mil/portal/page?_pageid=477,577778,477_577788&_dad=p5star&_schema=P5STAR
BlackBerry CAC readers are available through the standard CLIN 23 offering as well as through the FISC contract. Both NMCI-supplied (CLIN 6400AA/AC) and government-supplied (CLIN 401AA/AC) reader options are available.
Purchase of either offering includes the necessary drivers and ancillary software as well as installation and configuration services.
Currently the solution requires an on-site technician to install the software on both the desktop computer and BlackBerry. Additional configuration work is also performed on the BlackBerry enterprise server. A typical installation will take about 60 minutes. Sites with multiple devices being upgraded or installed will be able to schedule simultaneous installations. This will minimize the impact to workforce productivity and allow the technical support team to work more efficiently.
The introduction of the BlackBerry and wireless CAC reader combination promises to improve the productivity of DON mobile users while greatly enhancing the security of the device and its contents, should it be lost, stolen or otherwise compromised.
These enhancements will also minimize the impact to BlackBerry users as enterprise-wide use of digital signatures and encryption technologies becomes more pervasive. As the solution is rolled out across the Department, the DON's enterprise mobility and net-centric capabilities will be enhanced as mobile users will increasingly be able to perform job functions that previously required access to a wired workstation.
Although Research in Motion designed the BlackBerry Smartcard Reader with the security of DoD and DON in mind, the BB CAC solution described in this article was engineered to function specifically within the NMCI enclave.
As it is deployed throughout the enterprise, the solution will be leveraged to support other primary components of the Naval network, such as One-Net.
Mike Hernon is the former chief information officer for the city of Boston and currently serves as an independent consultant. He supports the DON CIO in a variety of areas within the enterprise services management group including telecommunications and wireless strategy and policy.