During the past 12 months, there have been more than 100 privacy breaches resulting in the loss of personally identifiable information (PII) for an estimated 96,800 Marines, Sailors, civilians and their family members. While these warfighters and warfighting-support personnel are defending our country, it is our responsibility to ensure the privacy of their personal information and prevent identity theft.
PII, as defined by the Office of Management and Budget (OMB) Memo 06-19 of July 12, 2006, is "information which can be used to distinguish or trace an individual's identity such as their name, Social Security number, biometrics records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc."
The Department of the Navy Chief Information Officer (DON CIO), in collaboration with the Department of Defense (DoD), Navy and Marine Corps, is working to ensure that all sensitive information, including PII that resides on portable devices, is protected.
What is DAR and why must we encrypt it?
Data at rest (DAR) refers to any data residing on hard drives, thumb drives, laptop computers, etc. In some cases, the data are designated as Controlled Unclassified Information (CUI), which includes For Official Use Only (FOUO), Sensitive But Unclassified (SBU) and PII.
Protecting data at rest is critical in today's technology rich environment because people are much more mobile. DoD and DON personnel take their work with them using various devices and media, such as laptop computers, thumb drives and personal digital assistants (PDAs).
The fact that these devices are portable and becoming increasingly smaller makes them inherently more vulnerable to theft or loss than a desktop computer. Further, PII stored on these devices are often unaccounted for and unprotected. Encrypting data at rest will strengthen security and mitigate the impact of lost or stolen data for DON personnel.
OMB and the DoD have released policy for encrypting PII (see References on the next page). These policies direct that all unclassified DAR that have not been approved for public release and are stored on mobile computing devices must be treated as sensitive data and encrypted using commercially available encryption technology.
DON Enterprise DAR Solution
The DoD Enterprise Software Initiative (ESI) and the General Services Administration's federal SmartBUY program are designed to promote effective software management by leveraging the government's immense buying power. In preparation for the DAR requirement, the ESI and SmartBUY programs evaluated, competed and selected 11 DAR encryption products.
However, the DON strategy is to implement an enterprise solution set. To this end, the DON CIO is reviewing the encryption products on the ESI and SmartBUY list with the Navy, Marine Corps and the Navy Marine Corps Intranet (NMCI) team to determine which of these products are most suitable to meet the needs of our warfighters and warfighting-support personnel.
The DON is narrowing down the list to a smaller solution set, so it can capitalize on the Department's buying power and ensure the best price. In addition, choosing a small set of products for an enterprise solution will reduce the number of software applications that will be required to go through the certification and accreditation process. This will also help to reduce costs. Finally, choosing an enterprise solution will ensure that all DAR encryption purchases made departmentwide will be interoperable.
Once the team has identified the solution set, the DON CIO will notify DON personnel and provide detailed information about the timeline for delivery. The goal is to begin implementing mandatory encryption of DAR on or about the third quarter of fiscal year 2008.
A Layered Approach to Security
Encrypting data at rest and signing and encrypting e-mail using public key infrastructure (PKI) certificates on your CAC are both part of the Department's layered approach to securing information.
Data at rest, which resides on various devices, and data in transit (or e-mail) will be encrypted, thus fortifying the DON's security. The encryption that is used in e-mail with PKI is the same as the encryption used for DAR. In short, both provide the same level of protection.
All government desktop computers, laptop PCs, PDAs, thumb drives, CDs and DVDs must use the DAR encryption software. By encrypting all data, users will not have to decide what is CUI or PII data and run the risk that some sensitive information will fall through the cracks. Using this layered approach, DON information, whether it is data at rest or data in transit, will always be protected.
Rolling Out DAR
The DAR software will be rolled out to every NMCI workstation, similar to the way cryptographic logon was delivered. Messages will be released detailing when users will receive the software and if they will need to take any action. The software will be sent to users' computers overnight. Users will come to work the next morning and their computers will have the DAR software installed. The NMCI network will receive the software first, followed by Navy One-Net, IT-21 and the Marine Corps Enterprise Network (MCEN).
OMB policy does not mandate encryption of unclassified data on servers or backups. However, encrypting media on servers and backups is a good idea, and the DON may mandate it in the future. At this time, the Department is focusing on the devices that are most vulnerable to theft or loss — those that are portable.
Until the DAR encryption solution is deployed, WinZip 9.0 should be used to encrypt sensitive information. WinZip is a standard application on all NMCI computers; instructions on how to use WinZip are located on the NMCI homepage.
It is everyone's responsibility to ensure proper handling of sensitive information. The deployment of a data at rest encryption solution does not replace the need to be good stewards of the information with which we are entrusted. Think about the information you want to take outside the DON network — if you do not really need it — then leave it.
If you need the information on travel or at home, follow appropriate DoD and DON policies for obtaining the required authorization to transport/store the data and ensure it is encrypted.
It is important to note that only government-owned thumb drives, laptop PCs and portable media can be used to transport or store PII or other sensitive information.
The following policies can be found on the DON CIO Web site at www.doncio.navy.mil.
OMB Policy Memo 06-16, June 23, 2007, Protection of Sensitive Unclassified Agency Information.
DoD Memo July 3, 2007, Encryption of Sensitive Unclassified Data at Rest (DAR) on Mobile Computing Devices and Removable Storage Media Used Within the DoD.
DON CIO message dated 171952ZAPR2007, Safeguarding Personally Identifiable Information (PII).
Mr. Darin Dropinski is the deputy team leader for information assurance and network security.
Mr. James Mauck is the subject matter expert for information assurance and network security.