Redefining DOD’s Bring Your Own Device Policy
The U.S. Army’s recent Bring Your Own Device (BYOD) pilot program redefines and creates a new standard for the Department of Defense (DOD) by integrating information-age technology and forward thinking. The previous BYOD understanding was to allow a service member to use their personal device to physically connect to the government network and access the entire environment, similar to using government-furnished equipment. This understanding equates to a major cybersecurity incident. This is not what the army is doing. During the Armed Forces Communications & Electronics Association (AFCEA) TechNet Augusta conference on April 26, 2022, Lieutenant General John Morrison, Jr., U.S. Army deputy chief of staff, G-6, announced the army’s BYOD pilot program. Lieutenant General Morrison explained how the army will allow the use of a personal device with a secure capability on it that will allow the user to log back into the army’s network and conduct official business. This use case changes and redefines BYOD to solve an information-age requirement. DOD should redefine BYOD as enabling a personal device to gain trusted access to the government’s network to conduct normal, official business while maintaining cybersecurity compliance. The implied and forward-thinking aspect of this new definition is that government data should no longer be authorized to be stored on personal devices.
Directly connecting one’s personal device to the government’s network creates a cybersecurity incident because personal devices are not subject to DOD’s strict cybersecurity directives, which enable a secure environment for U.S. warfighters. Most service members would never want to surrender full control and monitoring of their personal device to the government in order to access their work email or a work-related file. However, the current DOD definition of BYOD necessitates that the government either take full control of the workstation or that the user consent to monitoring of the workstation in order to conduct official business. Additionally, BYOD implies huge cost savings for the government by having the user purchase, operate, and maintain their workstation. This perspective is a miscalculation because most service members would not allow the government to take full control of, or consent to monitoring of, their personal device.
DOD’s refined, information age-based BYOD definition should be to provide a vetted user secure access from their personal device to the government’s environment to conduct normal, official business while maintaining compliance with DOD cybersecurity directives. For DOD BYOD, one should always start and stay at the unclassified level. This means accessing networks and information ranging from authorized for public release to, but not beyond, controlled unclassified information (CUI). Allowing classified information on personal devices remains an oxymoron.
Breaking down this new definition, a vetted user is one who has already completed the system access authorization process to verify the user has a requirement to access government information up to CUI. Providing secure access from a personal device has a two-part meaning. First, the BYOD solution must comply with the DOD login standard using public key infrastructure (PKI) certificates. Second, the BYOD solution cannot allow government data to move to or be stored on the personal device. This technology constraint implements some of the basic tenets of zero-trust architecture.
Conducting normal, official business equates to accessing the productivity suite of applications, which, for DOD, are within Microsoft Office 365. This new DOD BYOD definition results in a service member using their personal device to log in with PKI certificates to the government’s environment and access productivity applications without government data being stored on their device.
The Army’s Approach to BYOD
The army’s BYOD pilot program answers all aspects of the updated DOD BYOD definition. Under the army’s program, the combination of the army’s MobileConnect, Hypori Halo, and the Defense Information Systems Agency’s Purebred applications provides a soldier secure access to the army’s enterprise cloud environment, cArmy. The MobileConnect app gives the smartphone access to army unclassified sites without the need for a PKI-enabled common access card (CAC). Hypori’s Halo app provides a secure connection to cArmy. The cArmy environment hosts the army’s Microsoft Office 365 suite. Lastly, all DOD-furnished smartphones use Purebred, as it installs soft, or derived, PKI certificates on the mobile device without requiring the user to present their CAC for authentication.
Most importantly, the Hypori Halo app restricts data from being stored on the personal device and maintains DOD’s strict cybersecurity regulations. Specifically, the Hypori Halo app presents the data from cArmy in a secure, streaming pixel format. From the user’s perspective, they are accessing and interacting with their productivity suite in a normal fashion. No data is stored on the personal device at any time. This solution has passed a rigorous red team assessment from the army’s Threat Systems Management Office.
Ultimately, the U.S. Army’s BYOD pilot program is a DOD first and should be the model for redefining the BYOD solution across DOD.
Colonel Atiim Phillips is a military fellow with the International Security Program at the Center for Strategic and International Studies in Washington, D.C.
The views expressed do not reflect the official position of the Department of the Navy or the Department of Defense.
Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).
© 2022 by the Center for Strategic and International Studies. All rights reserved.