DOD sets net security plan
- By Dawn S. Onley
- Mar 06, 2003
'This is what the customer out in the field was begging for: specifications.'
- DOD's Robert F. Lentz
The Pentagon's latest information assurance directive offers specifics that Defense Department users need to secure military systems, but some observers fear that the new policy could complicate the acquisition and budget processes.
DOD last month released the policy, which assigns a specific set of security controls to each Defense IT system based on its mission assurance category and the confidentiality level of the information it holds.
Instruction 8500.2, a 102-page document that spells out how Defense networks are to be secured and what the people running them must do, is the second part of an overall strategy to address changing security needs in the department, Defense brass said.
DOD issued the first part, 8500.1, in October.
'This is what the customer out in the field was begging for: specifications regarding security and stuff across the gamut of the architecture,' said Robert F. Lentz, director of information assurance for the Office of the Assistant Secretary of Defense for Command, Control, Communications and Intelligence.
The guidance is critical at a time when Defense systems remain on high alert for cyberattacks and the department is reliant on commercial IT products and services, government analysts said. But some fear it could add hoops for software vendors and Defense users to jump through in procurement and budgeting.

More hoops?
'The issue for this is it's a good architecture, good planning, good policy, but you're putting a lot of weight on the National Information Assurance Partnership and the Common Criteria. Where does that leave you?' said James Lewis, a senior fellow with the Center for Strategic and International Studies in Washington. 'It's a never-ending process.'
The requirement would likely increase the time it takes to get hardware and software through the review process, Lewis said. He added that he expects software vendors and Defense users to pressure NIAP, which oversees Common Criteria security evaluations of IT products, to speed up that process as the policy is enforced.
But Lewis also lauded DOD for being ahead of other agencies in implementing a sweeping information assurance policy.
Jay Korman, a Defense analyst with DFI International in Washington, agreed.
'Overall, it is critical to where the DOD wants to go,' Korman said. 'There's been a lot of discussion in the DOD that the acquisition priority is off-base. It is [buying] platforms, sensors and networks, in that order.'
But this policy finally gives networks the attention and priority they deserve, Korman said.
'Until we give warfighters networks that are secure, there will be a hesitancy' to trust them as an important warfare tool, he said.
The policy covers several areas, including levels of access control and firewall protection. It places Defense information systems in four groups:
- Automated information system applications
- Enclaves, such as networks
- Outsourced IT processes
- Platform IT interconnections, such as weapon systems and sensors.
Systems also will be assigned to one of three mission assurance categories, 'directly associated with the importance of the information, relative to the achievement of DOD goals and objectives, particularly the warfighters' combat mission,' according to the policy.
For example, a Mission Assurance Category I system requires high integrity and high availability; a MAC II system would need high integrity and medium availability; and a MAC III system, basic integrity and availability.
The 8500.2 policy, signed by Defense CIO John Stenbit, instructs Defense agency chiefs to provide security training to all military and civilian personnel, including contract workers. The training must be matched to each employee's level of responsibility for DOD information systems, the guidance said.
The policy establishes information assurance managers and officers to ensure that DOD systems meet security specifications.