Audit: VA's Mobile Encryption Compliant
Security of iPhones, iPads Reviewed
A federal audit report has verified that the Department of Veterans Affairs is complying with federal encryption requirements in its initial use of iPhones and iPads even though the devices lack the required type of hardware encryption.
The Federal Information Security Management Act, commonly known as FISMA, requires that encrypted government computers use FIPS 140-2 certified hardware encryption. The hardware encryption on the Apple devices has not yet been certified as being FIPS 140-2 compliant. However, the VA is using FIPS 140-2 encryption for all applications on the Apple devices, the audit by the VA Inspector General confirmed.
"We determined that the VA's approach for allowing only FIPS 140-2 certified applications to access sensitive data or storing encrypted data on the mobile devices met FISMA security requirements for data protection," the audit report states.
But the report noted that the VA could improve security controls and systems management by "ensuring an accurate inventory and consistent configuration of the mobile devices."
Roger Baker, the VA's assistant secretary for information technology, concurred with the report's findings.
The audit was triggered by a complaint, received on a confidential hotline, that the VA was circumventing FISMA and other rules in rolling out the Apple devices. Also, Sen. Jon Kyl, R-Ariz., requested an inquiry into how the VA was applying encryption to the mobile devices.
Mobile Device Plans
Baker announced last fall that the VA would accommodate the use of as many as 100,000 iPads and iPhones, primarily for clinical purposes, within 18 months as many desktop computers are phased out. And to control costs, many of those mobile devices will be personally owned.
In January, Baker said implementation would not exceed the 1,000 Apple devices rolled out during a pilot project - and would not include personally owned devices - until a more robust, enterprisewide mobile device management system, using the cloud computing model, is implemented. During an April 25 news media conference call, Baker said the mobile device management system has not yet been selected and likely won't be implemented until later in the summer (see: VA's CIO Provides Mobile Device Update). He confirmed again May 23 that the system acquisition was still pending.