DOD directive aims for layered security

Robert F. Lentz, director of information assurance for the Office of the Assistant Secretary of Defense for Command, Control, Communications and Intelligence

Defense Department agencies last month began following a new policy that sets standards for securing networks using a layered defense-in-depth approach.

Deputy secretary Paul Wolfowitz said he approved DOD Directive 8500.1 on Oct. 24 because of changing security needs in the department. The change was 'brought about by DOD's growing dependence on interconnected information systems, particularly desktop computer networks, and increased concern about the protection of unclassified but sensitive information,' Wolfowitz said in a statement.

The policy covers several security areas including levels of access control and firewall protection. It places Defense information systems in four categories: automated applications; enclaves, which include networks; outsourced IT-based processes; and platform IT interconnections such as weapons systems and sensors.

The category assigned to a system 'is directly associated with the importance of the information [it contains] relative to the achievement of DOD goals and objectives, particularly the warfighters' combat mission,' according to the policy.

Under the new directive, Defense agencies will monitor systems for intrusions. The level of monitoring will depend on the assigned mission assurance category and risk assessments.

The department has 3 million computers and 10,000 LANs. DOD reports about 40,000 security incidents a year, of which about 500 are truly intrusions, said Air Force Lt. Col. Ken McClellan, a Pentagon spokesman for command, control, communications and intelligence systems.

'I think the bottom line is that this is the first time we will have a formal, structured framework for users or warfighters to follow in protecting their information systems,' said Robert F. Lentz, director of information assurance for the Office of the Assistant Secretary of Defense for Command, Control, Communications and Intelligence.

Increased awareness

Lentz said the policy gives warfighters a greater sense of situational awareness by securing information.

'Warfighters must be able to trust all of the information that they need,' he said.

The policy establishes baseline controls for Defense agencies as they design networks, acquire products and implement lifecycle decisions, Lentz said. The rule also will require that by next October all Defense users log on to DOD systems and sign e-mail messages using a public-key infrastructure.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above