Nearly three months after Defense Department Chief Information Officer Terry Halvorsen issued a new policy requiring the department to upgrade all Windows-based legacy systems to Windows 10, a verbal execution order has gone out that puts the unprecedented migration effort into motion.
The order stems from a November 2015 policy memorandum directing all Department of Defense commands, agencies, and field activities to plan for the rapid upgrade of all Windows systems to the Windows 10 operating system by January 2017. According to the memo, “it is important for the Department to rapidly transition to Microsoft Windows 10 in order to improve our cybersecurity posture, lower the cost of IT, and streamline the IT operating environment.”
The actual deployments, however, are poised to begin this month. “The DOD recently issued a verbal directive, which makes it official. Now, all DOD agencies will begin deployments right away, with the goal of completing migrations within one year,” said an official with knowledge of the project.
A Pentagon spokesperson said “a formal implementation directive” has not been published yet, but added that the migration of more than 3 million desktops, laptops and tablets will not include mobile phones.
“With deployments starting right away, all DOD agencies must upgrade approximately 4 million devices and systems with a goal of deploying within one year,” wrote Susie Adams, Microsoft’s chief technology officer, in a blog post Wednesday. “This is an unprecedented move for the DOD and the largest enterprise deployment of Windows 10 to date.”
In addition to news of the verbal execution order, Microsoft announced two new security certifications that Adams said may help move the Windows 10 upgrades along at a faster pace. According to Adams, the National Information Assurance Program (NIAP) has certified Windows 10 against the Mobile Device Fundamentals Common Criteria protection profile, confirming that Windows 10 meets specific government criteria and standards. In addition, the Surface family of devices is now fully certified and available through the Defense Information Systems Agency (DISA) Unified Capabilities Approved Products List.
“This means that Surface has met the strict security and interoperability requirements set by the DOD, and can be easily worked into deployment plans for all defense agencies,” Adams wrote.
In a separate blog post, Yusuf Mehdi, corporate vice president of Microsoft’s Windows and Devices Group, offered a list of Windows 10 security enhancements that the Pentagon can leverage.
- Windows Hello: One of the greatest weaknesses in any security environment is the use of passwords, which can easily be stolen or cracked and used to gain access to secure resources and data. With Windows 10, agencies can identify individuals and restrict access through integrated multifactor authentication that uses biometric mechanisms such as facial recognition or fingerprints via the Windows Hello and Windows Passport features.
- Enhanced Threat Resistance and Device Security: Anchored in a Trusted Platform Module (TPM) chip, the tools include familiar features such as Secure Boot, which helps prevent malware from embedding itself within hardware or starting before the OS, and Trusted Boot, which helps maintain the integrity of the rest of the operating system. Device Guard ensures that only signed applications and code can run on these devices. And Credential Guard safeguards credentials inside a hardware-based virtualized environment and breaks the popular "pass the hash" attack used in many major breaches.
- Windows Defender: This integrated security application provides an anti-malware service that currently protects almost 300 million Windows devices every day.
- Enterprise Data Protection: Currently in testing with enterprise customers and available soon, Enterprise Data Protection separates corporate data from personal data and prevents corporate data from being copied out of corporate files to non-corporate files and locations, such as public websites or social channels. Additionally, when EDP is used with Rights Management Services, it can protect data locally, adding another layer of protection even when data roams or is shared.
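The platform features in the list above (TPM, Secure Boot, Device Guard code integrity, Credential Guard) only improve a fleet's posture if they are actually switched on after the image lands. The script below is an added example written for this page, not code from the article, Microsoft's posts, or any DOD guidance. It reads the state a migration team would want to verify per device, using the documented Windows 10 cmdlets Get-Tpm and Confirm-SecureBootUEFI and the WMI class Win32_DeviceGuard in the root\Microsoft\Windows\DeviceGuard namespace; the "gap" labels and the function name are this example's own choices. It needs an elevated PowerShell session on Windows 10 or later.

```powershell
# Added example: report whether the Windows 10 platform protections described
# above are present and actually running on this machine.
# Assumes: elevated session; Get-Tpm, Confirm-SecureBootUEFI and the
# Win32_DeviceGuard WMI class are available (they ship with Windows 10).

function Get-PlatformSecurityStatus {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # TPM: Device Guard / Credential Guard keys are sealed to it.
    $tpm = Get-Tpm
    $result.TpmPresent = $tpm.TpmPresent
    $result.TpmReady   = $tpm.TpmReady

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy-BIOS machines
    # (no UEFI, so no Secure Boot) and when the session is not elevated.
    try {
        $result.SecureBoot = Confirm-SecureBootUEFI
    } catch {
        $result.SecureBoot = 'Unavailable (legacy BIOS or not elevated)'
    }

    # Virtualization-based security (VBS), Credential Guard and HVCI state.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $result.VbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'Off' } 1 { 'Enabled, not running' } 2 { 'Running' } default { 'Unknown' }
    }

    # SecurityServicesRunning is a list: 1 = Credential Guard, 2 = HVCI (memory integrity)
    $result.CredentialGuardRunning = $dg.SecurityServicesRunning -contains 1
    $result.HvciRunning            = $dg.SecurityServicesRunning -contains 2

    # Code integrity policy enforcement: 0 = off, 1 = audit, 2 = enforced
    $result.KernelCodeIntegrityPolicy   = $dg.CodeIntegrityPolicyEnforcementStatus
    $result.UserModeCodeIntegrityPolicy = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus

    [pscustomobject]$result
}

$status = Get-PlatformSecurityStatus
$status | Format-List

# Flag the gaps a migration team should close before calling a device "done".
# The labels below are this example's own wording.
$gaps = @()
if (-not $status.TpmReady)                   { $gaps += 'TPM not ready' }
if ($status.SecureBoot -ne $true)            { $gaps += 'Secure Boot not on' }
if (-not $status.CredentialGuardRunning)     { $gaps += 'Credential Guard not running' }
if ($status.KernelCodeIntegrityPolicy -ne 2) { $gaps += 'Kernel code integrity policy not enforced' }

if ($gaps.Count -eq 0) {
    'All checked protections are active.'
} else {
    "Gaps: $($gaps -join '; ')"
}
```

A plain "Enabled" reading from Group Policy is not enough here: VBS can be configured yet not running (status 1) when the hardware lacks virtualization extensions or IOMMU support, and a code integrity policy in audit mode (1) logs violations without blocking anything. Checking the running state, as this script does, is what tells a team whether Credential Guard is actually standing between an attacker and the machine's cached credentials.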