VARs Should Think Outside the Box for DoD RFI

Thanks to a one-month extension, contractors now have until early February to respond to the Defense Department's request for information (RFI) for a public key infrastructure (PKI) system for devices. To win the work, system integrators and solution providers should consider not only federal security standards and existing system permissions, but also the legacy hardware that is already in place.

The DoD Public Key Infrastructure Office released the RFI in mid-December, seeking help from industry with the development, implementation and deployment of a PKI system that can securely authenticate at least 25 million of its network-connected devices, including mobile and desktop computers, Web servers and portals, firewalls, VPN authentication servers, mail servers, telephones, and cable and satellite modems. The deadline for vendors to respond was recently pushed back from January 9 to February 2.

"In the past, when DoD talked about device authentication, they [meant at the] server level," says Keren Ware Cummins, vice president of public sector business at Phoenix Technologies, which is responding to the RFI. "But it's clear in this RFI that they're dramatically widening the net of what they want to authenticate [to incorporate] the end points. The RFI isn't just saying 'tell us how you might authenticate devices,' it's saying 'tell us how we can manage our devices in the context of the existing PKI.' That's very wise."

The RFI presses the need for solutions that enable trusted communication and use off-the-shelf products as much as possible, and that authenticate users with digital signatures or an equivalent mechanism. Solutions must also meet Common Criteria (ISO/IEC 15408) evaluation requirements and comply with Federal Information Processing Standard (FIPS) 140-2, which specifies the security requirements for cryptographic modules that protect sensitive but unclassified information. Those requirements cover the design and implementation of a cryptographic module and define four increasing security levels: Level 1 demands only production-grade components and no physical security mechanisms, Level 2 adds tamper-evident physical protection and role-based operator authentication, and Level 3 adds tamper-resistant or tamper-responsive protection and identity-based operator authentication.


That said, integrators shouldn't assume that FIPS 140-2 compliance necessarily means new hardware, Cummins says. "People think in terms of having to be FIPS 140-2 level 2 or level 3 compliant, which [requires a] hardware refresh, and see this RFI as a step toward buying a bazillion dollars' worth of hardware; but [integrators can offer a] similar level of assurance with 140-2 level 1, which is tied instead to the physical device." The latest version of Phoenix Technologies' TrustConnector product, for example, authenticates laptops and desktops by tying into the x86 architecture and chipset. "Take trust down to the hardware and software level of the device you already have, and then tie to that cryptographically. That eliminates the need for an additional piece of hardware to achieve robust levels of assurance." That also decreases the burden of development and integration, while cutting costs for the government customer.
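The PKI half of what the RFI asks for, as an added example written for this page (it is not code from Phoenix Technologies, TrustConnector or the DoD RFI): a device CA issues each endpoint a certificate whose subject carries a device identifier, the device proves possession of its private key by signing a fresh nonce, and the server checks both the chain and the signature before trusting that identifier. The CA name, the identifier "DEVICE-SN-0001", ECDSA P-256 and SHA-256 are all assumptions; the identifier is a constructed stand-in for a hardware-derived value, and the private key lives in process memory rather than in any hardware-protected store, so the hardware-binding half that Cummins describes is deliberately not modelled here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is the device-issuing authority; its self-signed certificate is the trust anchor.
type CA struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// Device is one enrolled endpoint. In a real deployment Key would live in
// hardware-protected storage on the device, which this example does not model.
type Device struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// newIdentity generates a P-256 key pair and a certificate for it. With a nil
// parent the result is a self-signed root that may only sign certificates;
// otherwise it is a client-authentication leaf signed by parent with signer.
func newIdentity(cn string, serial int64, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), // tolerate modest clock skew
		NotAfter:     time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// NewCA creates the root. EnrollDevice issues a device certificate whose subject
// carries deviceID, a constructed stand-in for a hardware-derived identifier; the
// device's private key is generated here but never leaves the Device value.
func NewCA() (*CA, error) {
	key, cert, err := newIdentity("Example Device CA", 1, nil, nil)
	return &CA{Key: key, Cert: cert}, err
}

func (ca *CA) EnrollDevice(deviceID string, serial int64) (*Device, error) {
	key, cert, err := newIdentity(deviceID, serial, ca.Cert, ca.Key)
	return &Device{Key: key, Cert: cert}, err
}

// NewChallenge returns a fresh 32-byte nonce; one per attempt, so a captured
// response cannot be replayed.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Respond proves possession of the device private key by signing SHA-256(nonce).
func (d *Device) Respond(nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, d.Key, digest[:])
}

// Verify is the server side: the certificate must chain to the CA and be valid
// for client authentication, and the signature must cover this nonce. On
// success it returns the authenticated device identifier.
func (ca *CA) Verify(certDER, nonce, sig []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", fmt.Errorf("parse: %w", err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("chain: %w", err)
	}
	// CheckSignature hashes nonce with SHA-256 and verifies it against the certificate's key.
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, nonce, sig); err != nil {
		return "", fmt.Errorf("challenge: %w", err)
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, _ := NewCA()
	dev, _ := ca.EnrollDevice("DEVICE-SN-0001", 2) // constructed identifier
	nonce, _ := NewChallenge()
	sig, _ := dev.Respond(nonce)
	fmt.Println(ca.Verify(dev.Cert.Raw, nonce, sig))
}
```

Two checks matter beyond the happy path: a response captured on the wire must fail against the next nonce, and a certificate issued by any CA other than the trusted root must be rejected before the signature is even examined. Which FIPS 140-2 level such a design can claim is a property of the validated cryptographic module it runs on, not of the protocol; the Go standard-library crypto used here is not itself a validated module.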

Furthermore, those able to accommodate the DoD's request with capable and cost-effective solutions could see a huge opportunity down the road. "We're hearing anecdotally that a lot of civil agencies are getting interested in device authentication as a result of this RFI," Cummins says. "Any time DoD takes a big step and announces its intentions in such a broad way, civil agencies need to take notice and at least get something on the radar."