DOD sets deadline for security training
Employees at all levels must comply; Army plans to standardize its courses
- By Dawn S. Onley
- Apr 22, 2005
More than 4 million Defense Department employees have six weeks to prove they understand the basics of IT security.
By June 6, department personnel from four-star generals to privates must take an information assurance training course 'as a condition of access' for using DOD information systems, according to a directive issued last summer by Paul Wolfowitz, deputy secretary of Defense.
The Army is taking this mandate one step further. Lt. Gen. Steve Boutelle, Army CIO, has ordered commanders at all levels to review 10 information assurance categories to gauge how well the service is performing its IA mission. The data will be reported back to the Army's Network Enterprise Technology Command, via the Secret IP Router Network.
Typically, the military trains its information technology specialists on ways to identify threats to the network and ways to protect the network.
The new mandate requires that all military computer users receive IA training by June this year, and then annually.
The Army has always conducted its IA training through online courses that were similar in scope, but not exactly the same. The Army's directors of information management ran the courses from their regional commands and personnel in the IA divisions, but no one else, were required to take them.
In the Army order, Boutelle asked commanders to examine 10 issues:
Overall IA program status. Are all information assurance employees and their training status reported in the Army's Asset and Vulnerability Tracking Resource? Are regular network scans being conducted?
Antivirus. What percentage of servers, desktop PCs and other information systems do not have current versions of antivirus software installed?
Publicly accessible Web servers. How many publicly accessible Web sites are in the command? Are all qualified .mil domain names for Army sites registered with the Department of Defense Web Site Registration System?
Punitive actions. Have commanders been briefed by senior IA officials on the consequences of non-compliance by all personnel?
Unauthorized and peer-to-peer software. Does the command have procedures for finding and eliminating unapproved peer-to-peer or user-configurable software?
Wireless solutions. How many commercial wireless networks are in the command? Have the appropriate wireless security procedures for Internet Protocol networks been implemented for any commercial wireless networks?
SIPRnet protection. How many SIPRnet connections are in the command?
Operational support. Does a single director of information management (DOIM) have oversight and visibility of the IT assets of all installation employees.
Passwords. Are procedures in place to ensure compliance with Army password standards? Are null or blank passwords identified and corrected on all systems?
Commander and user training. Have users received IA awareness training?
NETCOM, headquartered in Fort Huachuca, Ariz., operates, manages and defends the Army's portion of the Global Information Grid.
'IA awareness training was mandated as a means to ensure that all are reminded of the cyberthreat and their key role in defending against that threat by following information assurance policies and procedures,' said Roy Lundgren, director of the Army's Information Assurance and Compliance Directorate out of Network Enterprise Technology Command's offices in Arlington, Va.
Through this effort, the Army hopes to make IA training standard, which would mirror the Office of Management and Budget's CyberSecurity Line of Business Consolidation initiative and the Federal Information Security Management Act.
'Training needs significant improvement,' said George Bonina, Environmental Protection Agency's director of the IT security staff and member of the Cybersecurity Line of Business task force. 'We need better general user training and training of those people who have security responsibilities but are not IT security specialists, like systems administrators, system developers and project managers.'
The Army is striving to do just that.
'The Army has always had IA training for IT people, those folks in that security business,' said Stan Davis, project manager for the Army e-Learning Program, based in Newport News, Va. 'Now what is happening is everyone who is involved in [turning] on a computer has to be certified yearly.'
The Army is currently working up an additional policy that would require soldiers to take a standardized IA course through the Army e-Learning Program. That policy should be out by the end of summer, Davis added.