USG Data at Rest Encryption/Protection

(1)

USG Data at Rest

Encryption/Protection

Briefing for the Symantec Government g y

Symposium

Preventing Data Loss Panel Session Preventing Data Loss Panel Session

31 July 2008 31 July 2008

(2)

USG DAR/PII Encryption – Issues….

Policy awareness, compliance, and technology per OMB policy directive M-06-16 and DoD policy

memorandums on mobile computing devices and PII USG loss of laptops removable storage media

USG loss of laptops, removable storage media, sensitive data, and PII:

– Multiple government agency (Federal, State, Local) p g g y ( ) loss of laptops, PDAs, removable storage media

– DoD thumbdrives (Afghan bazaar)

B iti h t l f PII i i i id t

British government loss of PII via various incidents Numerous commercial PII incidents

(3)

Data at Rest Tiger Team (DARTT)

Background

g

Created by DoD CIO and DoD C4 Principals in Aug 06, joined by GSA/Civil Agencies in Dec 06, chartered PM via DoD CIO Acquisition Memo Mar 07

via DoD CIO Acquisition Memo Mar 07

Collaborative intergovernmental effort - 20 DoD

Components, 18 Federal agencies, State/Local, NATO Assessed shortfalls in USG DAR encryption policies,

practices, initiatives, and technology solutions;

focusing on mobile computing devices and PII data focusing on mobile computing devices and PII data Used an unprecedented, competitive, and rapid (Dec

06 - June 07) acquisition process (FAR Part 8) to

establish DoD ESI/GSA SmartBUY acquisition vehicles establish DoD ESI/GSA SmartBUY acquisition vehicles resulting in 11 BPAs (open to all USG agencies).

Innovative Tech Refresh/Upgrade process using GSA collaboration portal (https://collab.core.gov).

(4)

DARTT Status

11 BPAs awarded in June 07 with discounts up to 98% off GSA Schedule pricing

Unprecedented leveraging of USG customer baseUnprecedented leveraging of USG customer base

Over 917,600 DAR encryption licenses sold to Federal, State, and Local govt agencies since award

Represents $18M in sales with $82M in verifiable costRepresents $18M in sales with $82M in verifiable cost avoidance; or put another way, the USG has

purchased $100M worth of DAR encryption products (at GSA Schedule pricing) for an actual cost of $18M (at GSA Schedule pricing) for an actual cost of $18M Comprehensive DARTT information available to .gov

and .mil accounts at GSA collaboration portal:

https://collab core gov https://collab.core.gov

More information:

http://www.defenselink.mil/releases/release.aspx?releaseid=11025 http://www.defenselink.mil/releases/release.aspx?releaseid=11684p p http://www.defenselink.mil/releases/release.aspx?releaseid=12041

(5)

DARTT – the Good News….

Synchronization of govt policy & technology acquisition Collaborative effort across Federal, State, Local

agencies and NATO agencies and NATO

Public awareness campaign – recent DoD/GSA joint press releases; CNSS Annual Report (Mar 08); and articles in FedTech, FCW, GCN, Military Information Technology, and Network World magazines

Highly successful Technical Refreshment/Upgrade Highly successful Technical Refreshment/Upgrade

process (https://collab.core.gov) – DARTT has approved 3 vendor BPA contract modification

l 1 i

proposals, 1 more in-process.

DARTT’s on-going Advisory initiative; written and

disseminated two DARTT Advisories for the ColdBoot disseminated two DARTT Advisories for the ColdBoot and FireWire vulnerabilities for USG/public awareness.

(6)

DARTT Awards

S l j d f th DARTT

Several major awards for the DARTT program:

– DoD Excellence in Information Assurance Award (Feb 2008)

(Feb 2008)

– 2008 Intergovernmental Government Solutions

Award at the 28th Annual Management of Change

C f (J 2008)

Conference (June 2008)

– Executive Alliance nomination for Mid-Atlantic Project of the Year Award (June 2008)

(7)

DARTT Contacts:

Single source for comprehensive DARTT information:

David Hollis

Program Manager/Co-Chair

g p

https://collab.core.gov (GSA collaboration web site, .gov/.mil only)

Vendor and BPA ordering information:

htt // / tb [email protected] 703-602-9982 Sharon Terango http://www.gsa.gov/smartbuy or http://www.esi.mil/main.asp.

BPA Points of Contact for Federal and State/Local Agencies

Sharon Terango Co-chair

[email protected]

703-306-6104

Sharon Terango - SmartBUY IA PM (703) 306-6104

[email protected]

Michael Hargrove - SmartBUY Contracting Officer (703) 306-7701 [email protected]

Robby Ann Carter Technical Director

[email protected]

306 7701 [email protected]

BPA Points of Contact for DoD, IC, DHS, and NATO:

Maurice Griffin - ESI IA Software Product Manager (334) 416-4229 [email protected]

y @

(8)

BACKUP SLIDES

(9)

ACRONYMS

DAR – Data at Rest

DARTT – Data at Rest Tiger Team PII P ll Id tifi bl I f ti

PII – Personally Identifiable Information

ESI – DoD Enterprise Software Initiative

BPA Blanket Purchase Agreement

BPA – Blanket Purchase Agreement

RFQ – Request for Quote

FIPS – Federal Information Processing StandardsS ede a o a o ocess g S a da ds

FDE – Full Disk Encryption

FES – File/Folder Encryption System

RSM – Removable Storage Media

SME – Subject Matter Expert

(10)

Awardees

1 _{MTM Technologies / Mobile Armor} _{Mobile Guardian} _{FDE / FES Software} 2 _{Rocky Mountain Ram} _Safeboot _{FDE / FES SW & HW} 3 _{Carahsoft / Information Security Corp.} _{Secret Agent} _{FES Software}

4 _{Spectrum Systems} _Safeboot _{FDE / FES Software}

5 _SafeNet _ProtectDrive _{FDE Software}

6 _{Hi Tech Service / Encryption Solutions} _SkyLOCK _{FES Software} 7 _{Autonomic Resources / WinMagic &}

Spyrus

WinMagic SecureDoc & Spyrus Talisman SD

FDE / FES HW &SW 8 _{GovBUYS / WinMagic} _SecureDoc _{FDE / FES Software} 8 _{GovBUYS / WinMagic} _SecureDoc _{FDE / FES Software} 9 _{Intelligent Decisions / Credant}

Technologies

Mobile Guardian FES Software

10 _{Merlin Int’l / Guardian Edge}_e _{t / Gua d a} _dge _{Guardian Edge} _{FDE / FES Software} Technologies

Gua d a dge / S So t a e 11 _{immixTechnology / Pointsec Mobile}

Technologies

Pointsec FDE Software 12 _{GTSI Corp / Credant Technologies} _{Mobile Guardian} _{FES Software}

(11)

DARTT BPA Advantages

All awarded offers are FIPS 140-2 validated - vendor FIPS 140-2 Confirmation form on file in the

GSA/SmartBUY Program GSA/SmartBUY Program

Licenses are transferable within a federal agency and include secondary use rights

V l i i i b d ti f 10 000 33 000

Volume pricing is based on tiers for 10,000, 33,000, and 100,000 users

Competitive spot discounting is encouragedp p g g

Five option years after award date: June 15, 2007 The BPAs were awarded through a full and open

competition The 103 technical requirements were competition. The 103 technical requirements were provided by all federal agencies and were evaluated by an interagency USG team of information

/ t t k d f SME