Deputy Defense Secretary Patrick M. Shanahan issued a memo Aug. 3 to Defense Department personnel which prohibits the use of fitness trackers, smartphones, tablets, smartwatches, and related software and applications in all operational areas due to the potential for unintentional “security consequences and increased risk to the joint force and mission.”
The details of the memo, titled, Use of Geolocation-Capable Devices, Applications, and Services, are reprinted below.
The rapidly evolving market of devices, applications, and services with geolocation capabilities (e.g., fitness trackers, smartphones, tablets, smartwatches, and related software applications) presents significant risk to Department of Defense (DoD) personnel both on and off duty, and to our military operations globally. These geolocation capabilities can expose personal information, locations, routines, and numbers of DoD personnel, and potentially create unintended security consequences and increased risk to the joint force and mission.
Effective immediately, DoD personnel are prohibited from using geolocation features and functionality on both non-government and government-issued devices, applications, and services ·while in locations designated as operational areas (OAs). Combatant Commanders or their designees:
• May authorize the use of geolocation capabilities on non-government devices, applications, and services in OAs after conducting a threat-based comprehensive Operations Security (OPSEC) survey, in accordance with DoD Directive 5205.02E, "DoD Operations Security Program."
• May authorize the use of geolocation capabilities on government-issued devices, applications, and services in OAs based upon mission necessity, taking into account the potential OPSEC risks.
• Will ensure all personnel under their purview receive training in accordance with this memorandum.
For all other locations, installations, and activities, the heads of DoD Components will consider the inherent risks associated with geolocation capabilities on devices, applications, and services, both non-government and government-issued, by personnel both on and off duty. When information derived from these capabilities poses a threat to personnel and operations, commanders and supervisors at all levels:
• Will provide OPSEC training and guidance, in accordance with DoD Directive 5205.02E, commensurate with the risk and local operating conditions.
• Should apply a tiered structure for categorizing location and operations sensitivity while incorporating risk factors to ensure restrictions are consistently and rationally applied.
No later than 30 days from the date of this memorandum the DoD Chief Information Officer (CIO) and the Under Secretary of Defense for Intelligence (USD(I)) will jointly develop geolocation risk management guidance and training to inform commanders and heads of DoD Components when making risk decisions regarding these devices. DoD CIO, in collaboration with USD(I), will update the annual Cybersecurity Awareness training to assist DoD personnel in identifying and understanding risks posed by geolocation capabilities embedded in devices and applications. The geolocation risk management guidance and training will be posted at - https://iase.disa. mil.
My point of contact for this effort is Carrie Wibben, firstname.lastname@example.org, (703) 692-3758.
You can follow the Department of Defense on Facebook,Twitter! and on the web - www.defense.gov.