Track 1, Session 4: Data Protection is Everyone's Business: Army's Data-At-Rest Initiative. PURPOSE: To present latest information on the Army's DAR efforts. OBJECTIVES: By the end of this brief you will: Understand key DAR policies and messages; Working knowledge of the Do
3. Key Policy
OMB M06-16 – 23 June 2006 - Protection of Sensitive Agency Information
“…protection of Personally Identifiable Information (PII) …. transported outside of the agency’s secured, physical perimeter (this includes information transported on removable media and on portable/mobile devices..”
DoD Policy Memorandum (OSD, Priscilla Guthrie) – 18 Aug 2006 – Department of Defense Guidance on Protecting Personally Identifiable Information (PII)
“Encrypt all data at rest, i.e., all hard drives or other storage media within the device as well as all removable media…”
LTG Boutelle memo dated 28 Sept 06
“…organizations with an existing DAR encryption capability, extend those capabilities to all remaining information systems where data is at risk….for those lacking DAR encryption capability, leverage the existing MS EFS XP SP2 capability….”
VCSA ALARACT dated 27 Oct 06
“Ensure laptops authorized for travel are properly configured using an Army approved DAR solution or EFS XP SP2…..organizations with an existing DAR encryption capability, extend within limits of current resources, those capabilities to all remaining information systems where data is at risk.”
4. DoD Policy Memorandum (OSD, John Grimes) – 21 Mar 2007 – Acquisition of DAR Technologies For Use Within the DoD
Memo provides guidance for the enterprise-wide acquisition of DAR encryption technologies…..within the DoD.
Establishes the DoD Enterprise Software Initiative (ESI) as the management mechanism for the acquisition of commercial encryption technology
Established the DoD Data at Rest Tiger Team (DARTT) as the body that represents the interest of the Services for Joint DAR encryption requirements
Strongly encourages the Services to procure encryption technologies through the ESI effort noted above.
DoD Policy Memorandum (OSD, John Grimes) – July 2007 – Encryption of DAR on Mobile Computing and Removable Storage Devices for the DoD
Establishes DoD policy that all data stored on hard drives of portable devices (travel laptops, PDAs) and removable storage devices (thumbnail drives, CDs, flash drives, etc.) shall be encrypted using commercially available encryption technology
Highly encourages Services to implement and verify stronger management controls for protection of DAR
Sets priority to encrypting information on portable computing devices used by Senior officials and individuals that travel often
Encourages Services:
- To support ESI acquisition efforts
- To purchase DAR encryption technologies resulting from the ESI effort once available
5. CIO/G6 ALARACT 10 Jul 07
“..12 DoD/GSA BPAs were awarded…. however the Department Of the Army plans to conduct further competition…..
The Army anticipates Army DAR award to be Sept 07 and release of revised DAR policy that will identify approved product.
Product selected will meet the following minimum criteria: 1) Selected By The DoD/GSA Acquisition effort; 2) Appears on the Army’s Information Assurance Approved Products; 3) Supports multiple common Army Operating Systems; and 4) Provides Multi Functionality (File & Folder And Full Volume And Removable Media) via a single product Central Management Console.
To Assist In The Army’s DAR procurement………will validate their respective DAR requirements for the categories… additionally, describe 1) Requirements in which you can pay for directly 2) Requirements in which you must reimburse the stock fund……. 1) Combination Of File And Folder And Full Disk Encryption Via A Single Product With Centralized Management Console; 2) Removable Storage Media Encryption. Include Quantity For Each Type (I.E., USB Drives); and, 3) Personal Digital Assistant (PDA) Encryption….
6. DoD/GSA DAR Effort
DoD ESI/GSA SmartBuy Co-Branded Effort
- All Federal Agencies
- NATO
- State and Local Governments
DAR evaluation was conducted 30 April 07 to 18 May 07
- All DoD Services, NSA, GSA, and DOI
Successful vendors approved by the Decision Authority (Air Force) on 09 June 07
Enterprise Software Agreements (basically BPAs) will be awarded 15 June 07
- Awarded 12 BPAs
7. DoD/GSA DAR Award
1. Integrated (Hybrid) Full Disk Encryption / File & Folder Encryption System (FDE/FES) Solution
An integrated FDE/FES solution combines the benefits of full disk and file/folder encryption, encrypting the entire contents of a hard drive as well as providing the ability to encrypt individual files and folders for data at rest.
2. Full Disk Encryption (FDE) Solution
FDE (aka whole disk encryption) is hardware or software encryption that encrypts every bit of data that is placed and stored on a disk.
3. File Encryption System (FES) Solution
FES is a form of disk encryption where individual files or directories are encrypted by the file system itself, allowing users to specify which files or folders require encryption, so that files or folders are encrypted when necessary.
FDE/FES:
- 15 Total proposals
- 6 Awarded/5 products
- 9 Not awarded
FDE:
- 6 Total proposals
- 2 Awarded/2 products
- 4 Not awarded
FES:
- 9 Total proposals
- 4 Awarded/3 products
- 5 Not awarded
8. Army Interim DAR Strategy
9. Next Steps
Finalize DAR requirement from the field
- ALARACT 152/2007
Conduct further competition
- Not all 12 awardees, but products that also reside on the IAAPL
- Specific key Army DAR requirement
Make award
- Enterprise in structure
- Sept 2007
Release revised DAR policy
- Sept 2007
- Approved Product List
- Waiver Process
- Ordering Process
- Reporting Process
10. Army Long Term DAR Strategy
The Army’s DAR Acquisition Strategy is a flexible, layered combination of technology solutions phased in over a 1 to 2 year period, addressing the most immediate needs first. Note – key is the coupling of these technologies with the requisite policy and governance.
1. Initial solution (Phase I) is as directed by CIO/G6:
- utilize EFS and/or existing DAR solution
- focuses on the most critical data and high risk users/devices
2. Interim solution (Phase II) is the 3rd party encryption solution:
- based on all the Army’s requirements (includes pilots and DoD/Service input)
- Army’s RFP out in Nov 06 and initial implementation by 01 Mar 07
- RFP will be structured with multiple short duration option periods to allow for a flexible, timely withdrawal to new enabling technologies/products such as MS VISTA
- this solution should influence ESSG’s product selection
- coupled with EFS, truly meets the OMB requirements for security/encryption of DAR
- focuses on full volume encryption, additional OS, GFE, less critical devices and data
3. The long term solution (Phase II & IV) is a constant application of new products and technologies
- will leverage VISTA/BITLOCKER in combination with EFS and Army’s 3rd party encryption solution
- focus on DoD/PKI integration (MS VISTA/BITLOCKER), remaining device types, Non-GFE and finally the Tactical and SIPR environments.
11. Questions