Encrypting data at rest: how will it help our marines and sailors?

CHIPS, Oct-Dec, 2007 by Darin Dropinski, James Mauck

During the past 12 months, there have been more than 100 privacy breaches resulting in the loss of personally identifiable information (PII) for an estimated 96,800 Marines, Sailors, civilians and their family members. While these warfighters and warfighting-support personnel are defending our country, it is our responsibility to ensure the privacy of their personal information and prevent identity theft.

PII, as defined by the Office of Management and Budget (OMB) Memo 06-19 of July 12, 2006, is "information which can be used to distinguish or trace an individual's identity such as their name, Social Security number, biometrics records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc."

The Department of the Navy Chief Information Officer (DON CIO), in collaboration with the Department of Defense (DoD), Navy and Marine Corps, is working to ensure that all sensitive information, including PII that resides on portable devices, is protected.

What is DAR and why must we encrypt it?

Data at rest (DAR) refers to any data residing on hard drives, thumb drives, laptop computers, etc. In some cases, the data are designated as Controlled Unclassified Information (CUI), which includes For Official Use Only (FOUO), Sensitive But Unclassified (SBU) and PII.

Protecting data at rest is critical in today's technology-rich environment because people are much more mobile. DoD and DON personnel take their work with them using various devices and media, such as laptop computers, thumb drives and personal digital assistants (PDAs).

The fact that these devices are portable and becoming increasingly smaller makes them inherently more vulnerable to theft or loss than a desktop computer. Further, PII stored on these devices is often unaccounted for and unprotected. Encrypting data at rest will strengthen security and mitigate the impact of lost or stolen data for DON personnel.

DAR Policy

OMB and the DoD have released policy for encrypting PII (see References on the next page). These policies direct that all unclassified DAR that have not been approved for public release and are stored on mobile computing devices must be treated as sensitive data and encrypted using commercially available encryption technology.

DON Enterprise DAR Solution

The DoD Enterprise Software Initiative (ESI) and the General Services Administration's federal SmartBUY program are designed to promote effective software management by leveraging the government's immense buying power. In preparation for the DAR requirement, the ESI and SmartBUY programs evaluated, competed and selected 11 DAR encryption products.

However, the DON strategy is to implement an enterprise solution set. To this end, the DON CIO is reviewing the encryption products on the ESI and SmartBUY list with the Navy, Marine Corps and the Navy Marine Corps Intranet (NMCI) team to determine which of these products are most suitable to meet the needs of our warfighters and warfighting-support personnel.

The DON is narrowing down the list to a smaller solution set, so it can capitalize on the Department's buying power and ensure the best price. In addition, choosing a small set of products for an enterprise solution will reduce the number of software applications that will be required to go through the certification and accreditation process. This will also help to reduce costs. Finally, choosing an enterprise solution will ensure that all DAR encryption purchases made departmentwide will be interoperable.

Once the team has identified the solution set, the DON CIO will notify DON personnel and provide detailed information about the timeline for delivery. The goal is to begin implementing mandatory encryption of DAR on or about the third quarter of fiscal year 2008.

A Layered Approach to Security

Encrypting data at rest and signing and encrypting e-mail using public key infrastructure (PKI) certificates on your CAC are both part of the Department's layered approach to securing information.

Data at rest, which resides on various devices, and data in transit (or e-mail) will be encrypted, thus fortifying the DON's security. The encryption that is used in e-mail with PKI is the same as the encryption used for DAR. In short, both provide the same level of protection.

All government desktop computers, laptop PCs, PDAs, thumb drives, CDs and DVDs must use the DAR encryption software. By encrypting all data, users will not have to decide what is CUI or PII data and run the risk that some sensitive information will fall through the cracks. Using this layered approach, DON information, whether it is data at rest or data in transit, will always be protected.

Rolling Out DAR

The DAR software will be rolled out to every NMCI workstation, similar to the way cryptographic logon was delivered. Messages will be released detailing when users will receive the software and if they will need to take any action. The software will be sent to users' computers overnight. Users will come to work the next morning and their computers will have the DAR software installed. The NMCI network will receive the software first, followed by Navy One-Net, IT-21 and the Marine Corps Enterprise Network (MCEN).


Content provided in partnership with Thompson Gale