By David MacFarlane, Director of Security Assurance, BlackBerry
BlackBerry is synonymous with security, and has used its expertise to serve government organizations for more than a decade. With BlackBerry 10 smartphones and BlackBerry Enterprise Service 10, BlackBerry continues to earn approvals in new markets as well as higher data classifications, which reinforces our reputation for excellence in cybersecurity among governments around the world.
(As of February 2015, BlackBerry holds 70+ security certifications and approvals from governments.)
We have achieved a number of significant certifications and I’d like to highlight a few that make our team of security researchers and experts especially proud of the work that we do.
In partnership with Secusmart GmbH, the BlackBerry 10 solution with SecuSUITE has been selected by the German Procurement Office and Federal Office for Information Security (BSI) to provide classified data and voice communications for the German government. The BSI announcement was followed by further approvals for classified communications from the European Union Information Assurance Council, NATO and other government organizations. In the past, classified information was only processed by purpose-built solutions with very high costs. The approval of BlackBerry 10 for classified communication gives customers the mobile security they require at a more accessible price and with many of the features they want in a device.
Leading the Industry
After becoming the first mobile solution to achieve Authority to Operate (ATO), BlackBerry 10 became the only mobile solution cleared for Full Operational Capability (FOC) for the United States Department of Defense (DoD). Achieving this level of acceptance requires numerous stages of approvals:
- Security Technical Implementation Guide (STIG)
STIGs are configuration guides that users and administrators use to securely operate products within DoD. STIGs are developed by product vendors in conjunction with the Defense Information Systems Agency (DISA) to satisfy a set of security requirements, and verified by DISA through conformance testing.
- Authority To Operate (ATO)
An ATO allows a product with a STIG to be implemented in the DoD network for small deployments. At this stage of deployment, products are further tested for any operation and integration issues with existing DoD infrastructure.
- Initial Operational Capability (IOC)
IOC is the point at which products are first operated by trained DoD personnel. At this point the products are deployed in the DoD network for production use.
- Full Operational Capability (FOC)
In the FOC stage, products are fully deployed and in the operation and support phase. This is the final step to product approval, acceptance and acquisition in the DoD.
In addition to demonstrating our mobile security leadership by earning certifications such as these, we also feel a strong responsibility to contribute to the community in order to help our industry create secure products. That’s why we’re happy to announce the release of ALF, an open-source framework to help developers, testers and researchers perform security testing through a process called fuzzing.
Fuzzing is a technique that provides random data to the inputs of a software program and monitors for unexpected behaviors like crashes and memory leaks which can lead to security issues. We hope this simple tool will encourage others to perform fuzzing on their own software and help to make us all a little safer.
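The loop described above, as an added example (it is not ALF and not BlackBerry code): a small fuzzer mutates a valid input at random, feeds it to a target, and records any failure the target did not handle itself. The record format, `parse_record` with its deliberate bug, and all other names are constructed for illustration, and an unhandled Python exception stands in for a crash.

```python
import random

class ParseError(Exception):
    """Expected rejection of malformed input; not a finding."""

def make_record(payload: bytes) -> bytes:
    return b"R" + bytes([len(payload)]) + payload + bytes([sum(payload) & 0xFF])

def parse_record(data: bytes) -> bytes:
    # Constructed target: tag 'R', 1-byte length, payload, 1-byte sum checksum.
    if len(data) < 3 or data[0] != ord("R"):
        raise ParseError("bad header")
    length = data[1]
    payload = data[2:2 + length]
    checksum = data[2 + length]  # deliberate bug: length never checked against len(data)
    if checksum != (sum(payload) & 0xFF):
        raise ParseError("bad checksum")
    return payload

def mutate(seed: bytes, rng: random.Random) -> bytes:
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        op = rng.randrange(3)
        if op == 0 and buf:
            buf[rng.randrange(len(buf))] = rng.randrange(256)  # overwrite a byte
        elif op == 1 and len(buf) > 1:
            del buf[rng.randrange(len(buf))]  # drop a byte
        else:
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))  # insert a byte
    return bytes(buf)

def run_one(target, data: bytes):
    """Return None if the input was accepted or cleanly rejected, else the exception name."""
    try:
        target(data)
    except ParseError:
        return None
    except Exception as exc:  # anything the target did not anticipate is a finding
        return type(exc).__name__

def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    rng = random.Random(rng_seed)  # fixed seed so every finding can be reproduced
    findings = {}
    for _ in range(iterations):
        data = mutate(seed, rng)
        crash = run_one(target, data)
        if crash and crash not in findings:
            findings[crash] = data  # keep the first triggering input per crash type
    return findings
```

Calling `fuzz(parse_record, make_record(b"hello"))` returns one triggering input per failure type, which can be replayed through `run_one` while fixing the missing length check.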
These are just a few examples that show the hard work we put into maintaining BlackBerry’s legacy of keeping data safe. When it comes to mobile security, there is simply no denying that BlackBerry is ahead of the curve. With more than 50 certifications and approvals in 15 years of government and enterprise deployments, BlackBerry continues to provide the most tested, trusted and proven mobile security solutions in the market today.