Department of Defense Awards Honeywell STIG Cybersecurity Certification for Mobility Edge™ Platform Ruggedized Mobile Computers
Barry J. Ewell
March 30, 2021
The United States Department of Defense (DoD) cybersecurity requirements are among the most stringent in the world. The Defense Information Systems Agency (DISA) is responsible for setting cybersecurity standards for the DoD. These standards, referred to as STIGs (Security Technical Implementation Guides), help prevent unauthorized access and malicious attacks by fortifying and protecting information systems and software. The STIG is a critical component in a broader pursuit to have a product listed on the DoD Approved Products List (or APL).
Following a two-year series of ever-increasing cybersecurity milestones, Honeywell has been awarded the STIG certification for the Mobility Edge platform ruggedized mobile computers (i.e., CK65, CT60 XP, CT40 XP, and CN80G) and is now listed on the DoD Approved Products List (APL). It's the green light that allows Honeywell-approved devices to be plugged into the DoD Information Network. The CN80G is the very first ruggedized device ever to be listed on the APL. Honeywell STIG-approved ruggedized devices will be used in a wide variety of use cases, which include: Asset Management, Supply Warehousing & DCs, Logistics & Transportation.
What is unique is that this certification is on the Honeywell Android Mobility Edge platform of devices and not just on one device. This affirms the Mobility Edge platform's strength and design as a top choice for DoD and commercial enterprises. The following provides a little more detail about the APL:
· Approved Products List. A product listed on the Approved Products List (APL) lets the potential DoD customer know that the vendor has proactively addressed all the requirements for Information Assurance/Cyber as required by DoDD 8500.1. This ensures that, once the product is procured, the DoD customer can receive the required 'Authorization to Operate' (ATO).
· DoD Directive 8500.1. DoD Directive 8500.1 requests that all information systems be certified and accredited (C&A) in accordance with DoD Instruction 5200.40. C&A requires that the system be configured and deployed securely, which is the purpose of the STIG. The STIG is also fed into the tool used by the DoD IA teams to determine compliance with the required security controls.
· Honeywell's Mobility Edge™ delivers an innovative solution to these challenges. Mobility Edge offers an integrated, repeatable, scalable approach to device management based on a common hardware and software platform. Designed for Android, it delivers a unified platform on which all software solutions are based. Businesses can develop and deploy faster while reducing development costs. Honeywell is deeply committed to the longevity and quality of the Mobility Edge platform. Honeywell ruggedized devices on the Android Mobility Edge platform offer the longest lifecycle in the industry with support through six Android releases. The following products are built on the Mobility Edge platform: Honeywell™ CT40, CT40XP, CT60, CT60XP, CN80, CN80G, CK65, RT10A, and Thor™ VM1A and VM3A.
Let's do a deeper dive on STIG to help you gain a little more insight into Honeywell's journey to achieve this level of cybersecurity excellence.
What is STIG, and why does it matter?
STIG is the standard DoD organizations set for themselves to standardize security protocols across networks, servers, computers and more. All DoD IT assets must meet STIG compliance before they are allowed on DoD networks. STIGs provide configurable operational security guidance for products being used by the DoD.
STIGs, along with vendor confidential documentation, also provide a basis for assessing compliance with cybersecurity controls/control enhancements, which support system Assessment and Authorization (A&A) under the DoD Risk Management Framework (RMF).
STIGs are used by the various DoD agencies to configure and assess a product's security profile. They are also used to determine authorization to operate these products and to ensure the confidentiality, integrity and availability of the DoD Information Network (DoDIN) for the warfighter.
What STIG means to Honeywell Customers. While Honeywell's STIG certification is an essential milestone for working with the DoD, it also provides assurances to our worldwide customer base that Honeywell Mobility Edge platform devices can stand up to the strictest of cybersecurity standards. We design security into our products, policies, and processes.
Our security built-in, design-to-delivery process has a strong emphasis on programming security into products to anticipate and mitigate risk. We do this by embedding deep domain knowledge of industry-leading security practices throughout our full design and development process to ensure our solutions are as secure as possible from the start. We also make our solutions as free of vulnerabilities to attack as possible through such measures as continuous testing, authentication safeguards, and adherence to best programming practices. To continue our focus and lead the way in the industry, we put in place the industry's first Cybersecurity Risk Manager and developed strategic partnerships with leading cybersecurity product vendors.
Overview of the STIG Certification Process
A vendor who wishes to publish a STIG for their product initiates the process with the Defense Information Systems Agency (DISA) by completing a Vendor STIG Intent Form. A representative from the Risk Management Executive STIG team will follow up with the vendor to initiate the process.
Vendor STIGs must be written against a published DoD Security Requirements Guide (SRG).
Technology-specific SRGs reflect what a technology family SHOULD be capable of in order to be secured. The STIG author (vendor) will assess the SRG controls against a product with one of four potential outcomes.
· Not Applicable – The feature does not exist in the product, and therefore cannot be exploited.
· Applicable – configurable – May or may not meet requirements based on settings.
· Applicable – inherently meets – not configurable, but meets the requirement by default.
· Applicable – does not meet – not configurable, and does not meet the requirement.
Upon completion of the SRG spreadsheet, the data is transformed into a STIG. The STIG, once written, will reflect what a specific product CAN do in a particular release and possible patch level. Published STIGs will only contain requirements that fall into the "applicable and configurable" category.
STIG Certification Earned by Passing Significant Milestones
Honeywell gained STIG Certification by meeting and passing significant and rigorous milestones performed in accredited labs. These are independent assessments of the security capabilities of Honeywell devices.
· National Information Assurance Partnership (NIAP) evaluation for National Security Systems (NSS) (http://www.niap-ccevs.org/) IAW CNSSP #11. NIAP certification is a commercial cybersecurity product certification mandated by federal procurement requirements (CNSSP 11) for use in U.S. National Security Systems (NSS). Its primary purpose is to certify commercial technology or products which will be used to handle sensitive data. The NIAP certification means that the security features and capabilities of the Honeywell Mobility Edge platform devices have been evaluated and confirmed by a neutral third party and verified by NSA's NIAP office. The devices can be used in any of the following applications:
o Intelligence activities
o Cryptographic activities related to national security
o Command and control of military forces
o Equipment that is an integral part of a weapon or weapons system(s)
o Critical to the direct fulfillment of military or intelligence mission (not including routine administrative and business applications)
· National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program (CMVP) (http://csrc.nist.gov/groups/STM/cmvp/) IAW Federal/DoD mandated standards. The agency provides the FIPS certification. FIPS stands for Federal Information Processing Standard, and the FIPS 140 series is a collection of computer security standards set by the National Institute of Standards & Technology (NIST) for the United States government. FIPS 140-2 refers to the benchmark for validating the effectiveness of cryptographic hardware. FIPS 140-2 is recognized as the best practice for testing and validating cryptographic hardware. FIPS 140-2 certifications:
o Signify that the product has been formally tested and validated by the U.S. and Canadian Governments.
o Assure users that a specific technology or hardware has passed rigorous testing by an accredited lab.
o Ensure that the tests have been validated and that the product can be used to secure sensitive data.
· DoD Information Network (DoDIN) Capabilities and Approved Product List (APL) (https://disa.mil/Mission-Support/Testing/DoDIN-APL) IAW DoDI 8100.04. The Department of Defense Information Network (DoDIN) Approved Products List (APL) is the single consolidated list of products that have completed Cybersecurity (CS) and Interoperability (IO) certification. The DoDIN APL process is used to test and certify products that affect communication and collaboration across the DoDIN and is an acquisition decision support tool for DoD organizations interested in procuring equipment to add to the DISN to support their mission.
Mobility Edge platform devices are available from Honeywell Safety and Productivity Solutions (SPS) which provides products, software and connected solutions that improve productivity, workplace safety and asset performance for our customers across the globe. We deliver on this promise through industry-leading mobile devices, software, cloud technology and automation solutions, the broadest range of personal protective equipment and gas detection technology, and custom-engineered sensors, switches and controls. For more information, please visit: sps.honeywell.com.
Android is a trademark of Google, LLC.
Barry J. Ewell is a Senior Content Marketing Communications Specialist for Honeywell Safety and Productivity Solutions. He has been researching and writing on supply chain topics since 1991.