Thursday, February 17, 2011

DoD and Army Personally Identifiable Information (PII) and Data At Rest (DAR) Policy

The Department of Defense (DoD) is concerned about the exposure of Personally Identifiable Information (PII) or other sensitive data that is stored on Mobile Computing Devices (MCD) such as laptops and Personal Digital Assistants (PDAs) as well as removable storage media (RSM) including portable hard drives (USB, Firewire, eSATA), flash memory, CDs, DVDs, etc. The solution to protect this "Data at Rest" (DAR) is NIST FIPS 140-2 compliant encryption.
The Army's first DAR guidance was published on 28 September 2006 in the Memorandum "Army Data-At-Rest (DAR) Protection Strategy." According to this memo, Army policy, standards, and guidance had existed since 2003 and relied on voluntary management enforcement. The scope of this memo was "all mobile Information Systems (ISs)." Other requirements: identify and label laptops designated for travel, account for and secure Universal Serial Bus (USB) devices (i.e., thumb drives), ensure compliance with reporting procedures, leverage Encrypting File System (EFS) to enable file encryption, and see the DAR and "Road Warrior" BBPs for further guidance. At the time of this memo, Credant and PointSec were the whole disk encryption tools approved for use in the Army.
DoDD 5400.11, May 8, 2007, paragraph E2.2 defines Personal Information and Personally Identifiable Information (PII):
E2.2. Personal Information. Information about an individual that identifies, links, relates, or is unique to, or describes him or her (e.g., a social security number; age; military rank; civilian grade; marital status; race; salary; home or office phone numbers; other demographic, biometric, personnel, medical, and financial information, etc.). Such information also is known as personally identifiable information (e.g., information which can be used to distinguish or trace an individual's identity, such as his or her name; social security number; date and place of birth; mother's maiden name; and biometric records, including any other personal information which is linked or linkable to a specified individual).

Apparently, there are "sensitive" and "non-sensitive" categories of PII, and only "sensitive" PII must comply with the encryption requirements. See NIST SP 800-122, "Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)," April 2010, for further information concerning low, moderate, and high impact PII. PHI is a subset of PII which requires additional safeguards.
Data At Rest (DAR) is a term that is sometimes used to refer to all data in computer storage while excluding data that is traversing a network or temporarily residing in computer memory to be read or updated.
Per DoD Policy Memorandum "Department of Defense (DoD) Guidance on Protecting Personally Identifiable Information (PII)," August 18, 2006:
DoD Components are directed to ensure that all PII not explicitly cleared for public release is protected according to Confidentiality Level Sensitive, as established in reference (c).

Reference (c) is DoD Instruction 8500.2, "Information Assurance (IA) Implementation," February 6, 2003.
PII electronic records need to be assigned a High or Moderate PII Impact Category and protected at Confidentiality Level (CL) Sensitive or higher unless cleared for public release. If the electronic PII records are assigned a High Impact Category, the records cannot be routinely processed or stored on mobile computing devices or removable electronic media without express approval of the Designated Accrediting Authority (DAA). Further, the MCD or RSM shall be restricted to workplaces that satisfy Physical and Environmental Controls for CL Sensitive. If the MCD or RSM is removed, it must a) be signed in/out by a supervising official designated in writing by the organizational security official, b) require certificate-based authentication using a DoD or DoD-approved PKI certificate on an approved hardware token to access the device, c) implement a screen lock not to exceed 30 minutes, and d) encrypt all data at rest (all hard drives or other storage media within the device as well as removable media created by or written from the device while present in the protected workplace) using NIST-certified (FIPS 140-2) cryptography.
If PII assigned the High Impact Category is accessed remotely, the following requirements must be met: a) only DoD authorized devices shall be used for remote access, b) remote access must be implemented via certificate-based authentication using a DoD or DoD-approved PKI certificate or an approved hardware token, c) the remote device must have a screen lock not to exceed 30 minutes (IA Control PESL-1), d) the remote device gaining access must conform to IA Control ECRC-1, Resource Control, and e) download and local/remote storage of PII records is prohibited unless expressly approved by the DAA. Any High Impact PII records stored on removable electronic media taken outside protected workplaces shall be signed in and out by a supervising official and shall be encrypted. See the memorandum for further guidance regarding reporting loss or suspected loss (paragraph 4.3).
A year later, the DoD made this policy stricter in DoD Policy Memorandum, "Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage Media," July 3, 2007. This memorandum states:
(1) All unclassified DoD data at rest that has not been approved for public release and is stored on mobile computing devices such as laptops and personal digital assistants (PDAs), or removable storage media such as thumb drives and compact discs, shall be treated as sensitive data and encrypted using commercially available encryption technology. Minimally, the cryptography shall be National Institute of Standards and Technology (NIST) Federal Information Processing Standard 140-2 (FIPS 140-2) compliant and a mechanism shall be established to ensure encrypted data can be recovered in the event the primary encryption system fails or to support other mission regulatory requirements. DoD information that has been approved for public release does not require encryption.

What? What happened to information categorized as sensitive (Privacy Act Information (PII), Health Insurance Portability and Accountability Act Information (HIPAA), Proprietary contract information, Information classified as 'for official use only' (FOUO))? According to this memorandum, all DAR needs to be encrypted unless it has been cleared for public release (see DoD Directive 5230.9, “Clearance of DoD Information for Public Release”, April 9, 1996, certified current as of November 9, 2003 for guidance). The 3 July 2007 memorandum also established the following policy concerning the Trusted Platform Module (TPM):
(4) In anticipation of emerging encryption product capabilities, as well as requirements for device authentication, DoD Components shall ensure all new computer assets (e.g., server, desktop, laptop, PDA) procured to support the DoD enterprise include a Trusted Platform Module (TPM) version 1.2 or higher where such technology is available. Written justification must be provided to the responsible Designated Approving Authority if assets are procured without TPM technology in cases where it is available.
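As an added example (not from the original post or any DoD/Army document), here is a read-only PowerShell check of a single Windows laptop against the controls quoted above: full-volume encryption (BitLocker, the Army-approved tool), the Windows FIPS 140-2 algorithm policy flag, a password-protected screen lock of 30 minutes or less, and a TPM at version 1.2 or higher. It assumes Windows 8 / Server 2012 or later (for the BitLocker cmdlets), an elevated prompt, and the standard registry locations; certificate/CAC logon is not checked.

```powershell
# Added example, not from the original post: read-only DAR control check for one host.
# Assumes Windows 8 / Server 2012 or later, an elevated prompt, standard registry paths.
$findings = @()

# Control (d): all data at rest encrypted. Every BitLocker volume should be fully
# encrypted with protection On (an encrypted volume with suspended protectors is
# effectively clear text).
foreach ($vol in Get-BitLockerVolume) {
    if ($vol.VolumeStatus -ne 'FullyEncrypted' -or $vol.ProtectionStatus -ne 'On') {
        $findings += "Volume $($vol.MountPoint): $($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
    }
}

# FIPS 140-2: the Windows "Use FIPS compliant algorithms" policy flag.
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fips = Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue
if (-not $fips -or $fips.Enabled -ne 1) {
    $findings += 'FIPS algorithm policy (FipsAlgorithmPolicy\Enabled) is not set to 1'
}

# Control (c): screen lock not to exceed 30 minutes (1800 s) and password protected.
# These HKCU values apply to the current user; a GPO may also enforce them under HKLM.
$desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
$timeout = [int]$desk.ScreenSaveTimeOut      # REG_SZ seconds; a missing value becomes 0
if ($desk.ScreenSaveActive -ne '1' -or $desk.ScreenSaverIsSecure -ne '1' -or
    $timeout -le 0 -or $timeout -gt 1800) {
    $findings += "Screen lock: active=$($desk.ScreenSaveActive) secure=$($desk.ScreenSaverIsSecure) timeout=${timeout}s"
}

# July 2007 memo, paragraph (4): TPM version 1.2 or higher.
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
if (-not $tpm) {
    $findings += 'No TPM reported by Win32_Tpm (written DAA justification required where TPM is available)'
} else {
    # SpecVersion looks like "1.2, 2, 3" or "2.0, 0, 1.38"; the first field is the spec level.
    $spec = [version](($tpm.SpecVersion -split ',')[0].Trim())
    if ($spec -lt [version]'1.2') { $findings += "TPM spec version $spec is below 1.2" }
}

if ($findings.Count -eq 0) { 'All checked DAR controls pass' }
else { $findings | ForEach-Object { "FAIL: $_" } }
```

Run it per host from an elevated PowerShell prompt; any FAIL line names the control from the memorandum that the host does not currently satisfy.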

JTF-GNO Communications Tasking Order (CTO 08-001) was published 8 January 2008. This CTO simply directs DoD COCOMS/Services/Agencies/Field Activities (DoD Components) and NetOps Centers to implement the DAR requirements as specified in DoD Policy Memo, Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage Media, 3 JUL 07. The only other tasks concern reporting. Further JTF-GNO guidance is published in JTF-GNO Warning Order (WARNORD) 07-047, Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage Media Used Within the Department of Defense (DoD) (only available on SIPRNET, it is not listed on https://www.cybercom.mil/J3/orders/Pages/warnords.aspx).
Per ALARACT 134/2008, 28 May 2008, only the following products are approved for implementation of DAR requirements: Mobile Armor's Data Armor and File Armor, Microsoft's Encrypting File System (EFS), and BitLocker. See this site for detailed guidance from the Army on DAR and BitLocker. Per this ALARACT, MCDs or RSM that cannot be encrypted using an approved DAR solution are prohibited from storing sensitive data. Note this ALARACT re-emphasizes the definition of sensitive data:
8.1 SENSITIVE OR OPERATIONAL INFORMATION IS CATEGORIZED AS ALL UNCLASSIFIED ARMY INFORMATION NOT SPECIFICALLY CREATED FOR PUBLIC RELEASE OR ACCESS.

Probably the best place to continue to follow DAR policy is the DISA IASE web site (https://iase.disa.mil). On its Policy page, look for the Frequently Asked Questions on the DoD Policy Memorandum "Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage Media" (last updated March 19, 2008). In its first paragraph, this document clearly reiterates that DoD took the protection of PII one step further and requires encryption of all unclassified data on MCDs and RSM.
More to come...
(Privacy Overlay, Privacy Family control family catalog from NIST SP 800-53, 8 additional families)
Explanation/comments from the Army Data At Rest Best Business Practice (BBP).

References:
ARCYBER OPORD 2017-009, "Removable Media Use with Army Networks," 6 October 2016; FRAGORD 01, 31 October 2016
DoDI 8500.2, "Information Assurance (IA) Implementation," February 6, 2003
DoDD 8000.1, "Management of DoD Information Resources and Information Technology," February 27, 2002 (certified current as of November 21, 2003)
OMB M-03-22, "OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002," September 26, 2003
DoD Directive 5230.9, "Clearance of DoD Information for Public Release," April 9, 1996 (certified current as of November 9, 2003)
DoD CIO Memorandum, "Department of Defense (DoD) Privacy Impact Assessment (PIA) Guidance," 28 October 2005
DoDD 5400.11, "DoD Privacy Program," November 16, 2004 (updated May 8, 2007)
OMB M-06-16, "Protection of Sensitive Agency Information," June 2006
OMB M-06-19, "Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments," July 12, 2006
DoD Policy Memorandum, "Protection of Sensitive DoD Data At Rest on Portable Computing Devices," April 18, 2006
Army Memorandum, "Army Data-At-Rest (DAR) Protection Strategy," 26 September 2006
DoD Policy Memorandum, "Department of Defense Guidance on Protecting Personally Identifiable Information (PII)," August 18, 2006
Army Memorandum, "Army Data-At-Rest (DAR) Protection Strategy," 28 September 2006
Army Best Business Practice (BBP) 06-ED-O-0008, "Data-At-Rest (DAR) Protection Mobile Devices using EFS Implementation Version 1.0," 12 October 2006
ALARACT 209/2006, "Army Data-At-Rest (DAR) Protection Strategy," 27 October 2006
DoD Memorandum, "Acquisition of Data At Rest (DAR) Encryption Technologies For Use Within The Department Of Defense (DoD)," 21 March 2007
OMB M-07-16, "Safeguarding Against and Responding to the Breach of Personally Identifiable Information," May 22, 2007
ALARACT 147/2007, "Army Protection of Personally Identifiable Information (PII) Awareness," 2 July 2007
DoD Policy Memorandum, "Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage Media," July 3, 2007
JTF-GNO Warning Order (WARNORD) 07-047, "Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage Media Used Within the Department of Defense (DoD)"
JTF-GNO Communications Tasking Order (CTO) 08-001, "Encryption of Sensitive Unclassified Data at Rest (DAR) on Mobile Computing Devices and Removable Storage Media Used Within the Department of Defense (DoD)," 8 January 2008
ALARACT 134/2008, "Army Encryption of Data At Rest (DAR) Protection Strategy," 28 May 2008
Frequently Asked Questions on DoD Policy Memorandum "Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage Media," March 19, 2008
DoDI 5400.16, "DoD Privacy Impact Assessment (PIA) Guidance," February 12, 2009
7th Signal Command (T) OPORD 0910-300
BitLocker, Mobile Armor, BlackBerry DAR on AKO: https://www.us.army.mil/suite/files/20954405