The report notes that a specific DoD memorandum from two years ago laid out security objectives for commercial mobile devices, including using an enterprise management system, encrypting and sanitizing sensitive DoD information stored on them, e-mail encryption and installing "designated authority-approved software and applications," plus training.
At the two sites the IG DoD visited, no mobile-device management application had been put into use by the CIOs there, and password configuration of devices often left to individual users. It noted sometimes cadets at the U.S. Military Academy used the mobile devices they'd been given as personal devices and as "removable media to transfer and store sensitive case files and evidence related to Cadet Honor Committee hearings."
In one instance at the U.S. Army Corps of Engineers, the IG DoD found one user with a non-pilot CMD using it to transfer research documents and personally identifiable information from a networked computer.
The report concluded the Army CIO hadn't adequately tracked the devices in question, noting in several hundred cases it looked at, the Army CIO was unaware of the devices in use and maintained faulty accounting about it all.
Army and Command CIOs have taken some actions to improve, the report states, either by ordering the activities such as using CMDs as removable media to cease or placing a moratorium on acquisition of new CMDs The report mentions use of the AirWatch MDM software to address some of the IG DoD concerns.
The report concludes the CIO of the Army needs to develop a clear and comprehensive policy for reporting and tracking all commercial mobile devices. The head of the Army CIO Cybersecurity Directorate responded to the IG DoD that it maintained a SharePoint Portal and directed all Army organizations entering into a pilot to register and provide pilot documentation, among other steps. It also said it was working to manage mobile devices through an MDM system. Though expressing some dissatisfaction, the IG DoD indicated it approved of the Army CIO's response that the Defense Information Systems Agency and the Army would have every mobile device and the applications on them under managementas well as have a Mobile Application Store--at full operating capability before the end of fiscal year 2014.
Sign up for CIO Asia eNewsletters.