Secure Use of Portable Devices

Portable devices such as laptops, Personal Digital Assistants (PDAs), Blackberries, iPhones, Droids, and other smart phones that now include functions such as Internet and email have become indispensable tools for conducting business in today's highly mobile society. However, they present significant challenges for the protection of classified and other sensitive information. This discussion of portable devices is in three parts:

  • Government rules for use of wireless devices.
  • Use of Virtual Private Networks (VPNs) for secure communication .
  • Other wireless communications.

Government Rules for Use of Wireless Devices

Security measures for portable devices depend, in part, on the classification or sensitivity of the information on these devices. Access via portable devices to classified information on classified networks such as DoD's SIPRNet (Secret Internet Protocol Router Network and JWICS (Joint Worldwide Intelligence Communications System) or the Intelligence Community's Intellipedia is discouraged to the extent possible. It is required, however, for some senior military and civilian officials that have bona fide requirements for 24-hour access to secure electronic or voice communication or otherwise require the capability to process classified information in a mobile environment in order to accomplish their mission.

This requirement to access classified information through a portable device is met by a special type of smartphone, similar to a BlackBerry, that is certified for classified electronic or voice communications up to the TOP SECRET/SCI level. It is called a Secure Mobile Environment Portable Electronic Device, or a SME PED for short. Like any classified information, the SME PED must be kept under physical control or locked in a secure area at all times.

The Department of Defense has a separate sensitive but unclassified network called the NIPRNet, short for Non-classified Internet Protocol Router Network. It is used to support a wide range of sensitive but unclassified military activities. At military installations it also provides military users with a gateway to the public Internet.

Department of Defense policy dated July 2007 requires the encryption of all data that has not been officially approved for public release that "is stored on mobile computing devices such as laptops and personal digital assistants (PDAs), or removable storage media such as thumb drives and compact discs."1  This policy "applies to all DoD components and their supporting commercial contractors that process sensitive DoD information."1 A subsequent Defense Information Systems Agency paper clarified a number of questions about this policy. 2

  • Encryption is needed on portable devices and storage media because these devices are frequently lost or stolen, with the potential compromise of personally identifiable information or other sensitive government information on these devices.
  • All unclassified DoD information must be treated and protected as sensitive until it is reviewed and approved for public release.
  • The encryption must meet the Federal Information Processing Standard (FIPS) 140-2 developed by the National Institute of Standards and Technology (NIST). There are a number of other types of encryption that do not meet this standard.
  • This policy applies to desktop computers only to the extent that they are used to encrypt non-publicly released unclassified information on removable storage media. This policy does apply to cell phones when they are used as personal digital assistants or smartphones and store unclassified DoD data that has not been approved for public release.

Virtual Private Network

Many people need a secure channel to their office network when working from home, out in the field on business, or traveling on temporary duty. Organizations that handle sensitive information often have what is called a virtual private network (VPN) that enables secure wireless communication to and from office from anywhere in the world.

A VPN works by using the shared public Intranet while creating a secure "tunnel" that is comparable to a dedicated telephone land line. Data sent through this "tunnel" cannot be accessed or modified by anyone who doesn't possess the secret key. Additional common security measures include encrypting the data and multi-factor authentication of users of this system.

A VPN can be accessed remotely from one's home desktop computer or by laptop from a wireless connection. Government regulations require that anyone accessing a government VPN must use a government-owned computer that is used only for government business. The government can then ensure that the computer has the appropriate configuration with all the appropriate security settings.

Other Wireless Communications

Many airport waiting areas, hotels, coffee shops, restaurants, pubs, community centers, and other public locations provide wireless access points where it is convenient to send or receive email or surf the Internet. You need to know that providers of this service are not responsible for ensuring the security of this wireless network. Eavesdroppers and hacker hang out around these locations looking for access to any computer that is not protected with a firewall, strong passwords, and encryption.

The various mobile devices can, if so desired, be obtained with encryption capability, and this is recommended. Some publicly available email services support encryption if properly configured. Government organizations and many defense industry businesses require encryption for access to their network, and many security-conscious organizations provide their own communications devices to those personnel who need remote access. This ensures that the devices have appropriate encryption and security software with proper settings.

Many frequent users of portable devices set up a wireless home network. For information about such networks, see Secure Use of Personal Computer.

Related Topics:
Risks During Foreign Travel

1. "Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage Media," Department of Defense Memorandum dated July 3, 2007, accessed August 2010 at
"Frequently Asked Questions: DoD Policy Memorandum 'Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage Media,'" Defense Information Systems Agency, March 19, 2008. Accessed August 2010 at