Implications of the SECDEF Memo of June 30, 2023 WIDS systems in SCIFs and SAPFs
From IC Insider Bastille
By Dr. Brett Walkenhorst, CTO, Bastille
With the rise in regulations on wireless security, organizations across industries must ensure that they are maintaining regulatory compliance. With the recent SECDEF memo on WIDS systems in SCIFs and SAPFs, many organizations are wondering what their next steps should be in order to achieve compliance with these regulations. Here, we provide a background on the SECDEF memo, in addition to outlining how Bastille’s technology can be used to support regulatory compliance. Plus, we provide a general timeline for when and how these regulations will be enforced, and what that means for your organization’s security.
Background
On June 30th, 2023 the SECDEF issued recommendations after a 45-day review of the Department of Defense (DoD) security programs, policies, and procedures, which he directed on April 14, 2023. The review stemmed from the disclosure of classified information by Jack Teixeira, who was arrested and charged with six counts of sharing highly classified military documents about Russia’s war in Ukraine and other top national security issues in a chat room on the online community Discord. The examination aimed to improve the safeguarding of Classified National Security Information (CNSI) and address areas where accountability measures can be enhanced to prevent the compromise of such information. The review recognized the overall trustworthiness of DoD personnel with access to CNSI but identified areas for improvement.
Implications for the use of personal and portable electronic devices in SCIFs/SAPFs and WIDS detection systems
A key finding of the memo refers to threats related to personal and portable electronic devices and Wireless Intrusion Detection Systems (WIDS) systems, which can detect and mitigate their impacts. You can view the full SECDEF memo here for more detailed information.
To bolster security, a series of essential actions are underway. By September 30, 2023, users of SCIFs and SAPFs were required to certify their compliance with policy prohibiting the use of electronic devices in these spaces. Systems for detecting and countering potential breaches (e.g., WIDS) will need to be in place by September 30, 2024. By August 31, 2023, collaborative efforts also shaped a plan to optimize security training content and effectiveness. The ongoing process of refining security technology systems, led by the Defense Counterintelligence and Security Agency (DCSA) in partnership with key figures, aims to enhance information sharing and access protocols. This memo also necessitated the creation of an actionable plan to establish a Joint Management Office that oversees insider threats and cyber capabilities, enhancing threat monitoring across the Department of Defense’s networks.
The memo emphasizes the importance of continuous two-way communication between the Defense Counterintelligence and Security Agency (DCSA), individual unit commanders, supervisors, and DoD personnel to safeguard Classified National Security Information (CNSI). The USD(I&S) will provide quarterly updates on the progress of these directives and any additional recommendations related to improving DoD policies and procedures for protecting classified information.
Bastille’s Suitability to Address the SECDEF Memo Requirements
Electronic device detection and mitigation requirements by September 2024
Bastille is the only NIAP / Common Criteria-certified solution to help government agencies secure classified areas from threats posed by cellular and other wireless devices. Bastille works closely with CSfC on the upcoming WIDS Annex 2 and is deployed at various Intelligence Community organizations. Our growing customer portfolio includes DoD (Army, Navy, Marines, Air Force, Space Force), ODNI, NSA, Multiple Special Programs, NRO, DHS, Y12 National Security Complex, and more.
Bastille Solution
Bastille’s real-time Cellular, Bluetooth, BLE, Wi-Fi, and IoT detection and location system locates all authorized and unauthorized devices within a campus or forward-deployed location. Bastille is the only NIAP-certified product in this area.
Bastille accurately places dots on a floor-plan map for device location and sends alerts when a device is found where it should not be or doing what it should not do, such as within a geofenced area such as a SCIF.
Sample devices located include:
- Cell Phones: Individual phones located in real-time just by their cellular signal
- Wearables: e.g., Smartwatches such as Garmin Fenix, FitBit Biometric Human Performance Monitors, and other tactical gear
- Personal Medical Devices: e.g., Hearing aids
- Laptops & Tablets
- USB Cables with hidden Wi-Fi and Bluetooth data extraction capabilities
- Any device emitting cellular, Wi-Fi, Bluetooth, or BLE
Bastille Key Features
- Wireless Intrusion Detection System (WIDS): Bastille Networks offers a wireless intrusion detection system that monitors and detects unauthorized wireless devices and networks within an organization’s environment. This helps identify potential security vulnerabilities and unauthorized access points.
- Spectrum Analysis: Bastille offers full spectrum analysis to gain visibility into the RF (radio frequency) spectrum. This allows organizations to detect and analyze wireless devices. Bastille can detect devices connected to the network and those not connected to the network to identify potential threats or policy violations.
- Location and Geofencing: Bastille enables organizations to see where wireless devices are located in their buildings. Geofencing perimeters can be set to alert when a wireless device enters a secured area, generating an alert.
- Real-time Monitoring: Bastille’s solutions provide real-time wireless activity monitoring, allowing security teams to respond quickly to anomalies, unauthorized devices, and potential security breaches.
- 100% Passive Monitoring: Bastille is a 100% passive solution, meaning that no radio emissions are generated from our systems that might interfere with government communications or other systems. Bastille is certified as 100% passive by the FCC.
- Upgradable Software-Defined Radio-based solution: Bastille uses arrays of Software Defined Radios (SDR) to detect and locate wireless signals. These SDRs can be upgraded to meet new requirements and do not require hardware replacement to access new features.
- Device Profiling: The system can profile and classify wireless devices based on their behavior and characteristics. This helps organizations understand the types of devices present in their environment and whether they pose security risks.
- Threat Detection: Bastille’s technology is designed to detect various wireless threats, including rogue access points, denial-of-service (DoS) attacks, and unauthorized wireless devices attempting to connect to the network.
- Policy Enforcement: Bastille provides reporting and alerting to enable policy enforcement. Bastille also integrates with tools for enforcing wireless security policies, such as blocking unauthorized or suspicious devices or restricting device capabilities based on location or other parameters.
- Integration with Other Security Solutions: Bastille’s technology integrates with other security solutions, such as network access control (NAC) systems and security information and event management (SIEM) platforms, to provide a comprehensive security posture.
- Reporting and Analytics: The solutions include reporting and analytics features that allow organizations to review historical wireless activity, identify trends, and generate compliance reports.
TIMELINE
- SEPT 2023: “Issue policy guidance for use of personal or portable electronic devices within SCIFs and SAPFs by September 30, 2023.”
- SEPT 2024: “DoD Components will then program for appropriate electronic device detection systems and mitigation measures in all DoD SCIFs and SAPFs by September 30, 2024.”
- BASTILLE BRIEFING: Bastille stands by to arrange a virtual or in-person briefing regarding the requirements in the memo and how our customers are planning to address the requirements in line with the timeline expressed in the memo.
As wireless security continues to evolve, so too will its regulatory landscape. As an organization, it is imperative to stay up to date with regulatory compliance. Bastille is well equipped to handle many aspects of compliance including those outlined in the SECDEF memo.
About Bastille
Bastille’s mission is to continue to expand the capabilities of the leading Wireless Threat Intelligence Platform. Bastille makes invisible connections and threats visible.
About IC Insiders
IC Insiders is a special sponsored feature that provides deep-dive analysis, interviews with IC leaders, perspective from industry experts, and more. Learn how your company can become an IC Insider.