After two years of internal policy debate, the U.S. Department of Defense last week issued rules that all branches of the military - as well as contractors and visitors - must follow to secure commercial wireless equipment and services.

In particular, wireless LANs have raised Defense Department concerns because unencrypted traffic easily is intercepted through over-the-air "sniffing." The Defense Department's Directive 8100.2 requires any new military purchases of wireless equipment and services for unclassified data to use encryption. The encryption has to have gone through the National Institute of Standards (NIST) and Technology's Federal Information Processing Standard (FIPS) 140-2 cryptographic validation program. The Pentagon - which left room for exceptions on a case-by-case basis - also called the encryption of unclassified voice traffic "desirable."

FIPS 140-2 testing isn't easy, vendors point out. It took Fortress Technologies 18 months and more than $100,000 to get its products through the FIPS 140-2 testing process done by Coact, a NIST-accredited lab in Columbia, Md.

Wireless still is viewed as so risky, though, that Directive 8200.1, signed by Deputy Secretary of Defense Paul Wolfowitz, forbids use of wireless devices for storing or sending the more-secret classified data. In this case, the military authorities would have to give written permission and would require non-commercial encryption provided by the National Security Agency.

That doesn't surprise Maurice Smith, network security manager in the Fort Meade, Md., Army unit that handles toxicology analysis to check soldiers for illegal drug use. "We just don't allow wireless," says Smith, adding that his organization encrypts sensitive information about drug tests. The Army's toxicology division blocks access from the Internet with a Symantec 5420 multi-use gateway, which also runs anti-spam and anti-virus software.

Directive 8200.1 also contains a mandate requiring anti-virus software on wireless-capable handhelds and workstations. And the new rules forbid downloading of mobile code from sources not related to the Defense Department.

The directive gives the Army, Navy, Air Force and other military groups up to 180 days to report to Pentagon CIO Francis Harvey on implementation plans for new and legacy systems. But with discussion ongoing for some time between military departments, industry and the Pentagon, few expect wireless projects to go off-track.