The Defense Information Systems Agency’s (DISA) Purebred solution, a government-owned, secure credentialing process for mobile devices, provides over-the-air derived credentials to more than 100,000 Department of Defense (DOD) -issued commercial mobile devices.
Purebred enables signed and encrypted email and secure web browsing without continuous need for a smart card reader and user Common Access Card (CAC). Additionally, it supports key issuance and recovery for all DOD CAC holders under DOD Public Key Infrastructure (PKI) through a supervised initial device enrollment implemented by a Purebred agent.
“We wanted to make mobile credentialing easy to roll out at scale across the DOD enterprise,” said Brandon Iske, DISA Purebred program manager, when credentials were issued to the 100,000th device March 24. “The value of Purebred is in its ability to support and evolve with DOD’s enterprise Identity Credential Access Management (ICAM) challenges and solutions.”
This means delivering a solution that provides high assurance in the enrollment and issuance process to minimize cyber risk, while being able to scale with minimal specialized personnel qualifications, Iske said.
The Purebred team monitors and collaborates with DOD mission partners and industry to expand device support and enable new use cases for DOD derived credentialing.
“We’ve built Purebred to scale, and seek out ways to assist mission partners with their PKI challenges. At the end of the day, we’re focused on enabling secure enterprise identity options that enable our DOD mission partners, regardless of the platform or software solutions they may choose,” said Iske.
One example is the Mobile Digital Signature (MDS) app, which was released in February. The DOD Mobile Unclassified Capability (DMUC) Project Management Office (PMO) linked DISA app developers with Purebred to develop the app, which allows users to sign PDF documents from their mobile device.
“Honestly I believe we are just seeing the beginning of how instrumental Purebred will be, and where our mission partners will use it to support mobile apps important to them,” said Al Smith, DMUC program manager.
In December, Purebred added support for the issuance of DOD credentials to USB security tokens. A common use case for a security token is for shared mobile devices, where storing user specific credentials isn’t feasible.
“We make a fundamental assumption with Purebred that the mobile device is assigned to a single person,” said Iske. “But what if you are sharing mobile devices in a maintenance depot, or checking devices in and out of an educational environment? You can get a security token that you plug into a device. This solution can also be integrated to leverage enterprise identity.”
In the past, this solution would have to meet the stringent training and auditing requirements that govern PKI Registration Authorities (RAs) — the people authorized to log into and generate credentials. The Purebred team, however, narrowed the scope of the Purebred agents’ role using system controls to govern user credentials. The results are Purebred agent duties that are managed by a PKI team, or the mobility service desk that supports day-to-day mobility activations and operations.
“At the end of the day, we are a centralized credential issuance system with registration apps on all major device platforms. The server operates as the ‘registration authority’, so to speak; and the Purebred agent interacts with the website to trigger issuance. It’s like a fancy vending machine, managed to control the vending out of credentials,” Iske said.
Purebred does this by leveraging the CAC to generate short-lived, one-time passwords to secure the initial enrollment, then uses the CAC issuance history as authoritative data to issue new mobile credentials. Additionally, the solution recovers the user’s latest email encryption key for complete interoperability.
Purebred enables DOD organizations to manage their own enrollments and support via local service desks as part of the mobile services they provide to their organization. Iske attributes the rapid adoption of the Purebred solution to the tiered management model, increased mobile functionality, and the significant growth of defense mobile capabilities over the last few years.
“This time last year, we’d credentialed about 20,000 devices with around 1,200 certified Purebred agents. Today we’re over 100,000 devices with more than 3,500 agents, and the way we’ve structured the solution, we can continue to scale to support mission partner demand,” Iske said.
The program office is currently supporting the DOD community by provisioning as many as 1,000 devices a day.
Purebred credentialing capability is accessible to all DMUC subscribers or other DOD organization-specific mobility solutions.
“We work directly with the [military] services and agencies, and we want to make sure everyone knows this capability is available to all DOD organizations at no cost and can be leveraged locally,” said Iske.