Defense CIO will set security rules
- By Dawn S. Onley
- Oct 18, 2002
DOD CIO John Stenbit says many experts expect attacks on U.S. networks.
Henrik G. DeGyor
In a few weeks, Defense Department CIO John Stenbit will release a directive that sets standards to guide Defense agencies on how to secure their networks.
The directive, DOD 8500, will cover several security topics, such as levels of access control and firewall protection. It will be linked to initiatives at intelligence agencies.
Defense officials said they consider the directive to be the capstone in a recent series of information assurance policies at the department.
The policy also will set guidelines for the interoperation of information systems within the Global Information Grid.
'Warfighters must be able to trust all of the information' they get, said Robert F. Lentz, director of information assurance for the Office of Assistant Secretary of Defense for command, control, communications and intelligence. 'We have to provide security at the data content level, or we're not going to be successful.'
Guidelines for use
The directive will set guidelines for IT products that Defense agencies use to enter, process, store, display or transmit sensitive information.
DOD has set forth several new security policies this year, such as the National Security Telecommunications and Information Systems Security Policy No. 11, which took effect July 1.
Under NSTISSP No. 11, all government agencies must use commercial software that has been validated to meet information assurance requirements for secure networks.
The soon-to-be-released directive will round out DOD's information assurance strategy, which outlines five broad goals for the department:
- providing command and control and situational awareness
- making sure information assurance is integrated into processes
- increasing security awareness throughout DOD's work force.
DOD 8500 is aimed at achieving a layered security approach or 'defense in breadth,' said Lentz. It will establish baseline controls so users can keep requirements in mind as they design networks, acquire products and implement lifecycle decisions.
'To help manage information assurance within the network, the directive establishes controls for basic, medium and high levels of availability, confidentiality and integrity,' Lentz said.
The policy will emphasize information assurance throughout the lifecycle of DOD information systems, beginning with the acquisition process.
The directive requires using security products that have been validated by the National Information Assurance Partnership using standards such as the International Common Criteria for IT Security Evaluation.
Lentz said the Defense policy would give warfighters a more complete sense of situational awareness by securing one of their most precious battlefield resources: information.
Harris Miller, president of the Information Technology Association of America, said the directive will 'impact every vendor that sells to the DOD.'
'I think there is some general anxiety about its implementation,' Miller said. 'Every time a firewall company or an antivirus company comes up with a new version, which can happen daily, does everything need to be evaluated? There are a lot of technical issues that are very important to the companies producing these products.'
Miller said ITAA had set up an internal task force to study the directive and its implementation.
Network attacks
The war on terrorism has increased the need for security, Stenbit said. Many Defense leaders expect terrorists to attack U.S. networks, he said, and in fighting terrorism, Defense agencies have produced more data than ever before.
'Twenty-five years ago, basically we worked a switched telephone system,' Stenbit said. 'People who shot at people were in the same group that found the target. That's not what we are doing today.'
Today, Stenbit said, Americans and Northern Alliance fighters are riding horses in Afghanistan, finding targets and transmitting that information via satellite telephones and portable laser target designators to guide strikes by B-52 bombers.
This is possible because DOD has shifted from a switched telephone system to a broadcast system, Stenbit said. 'Anyone who finds a target today publishes it on a broadcast,' he said.
In this scenario, securing the bandwidth and the information is of paramount importance. But it also raises network security problems, Stenbit said.
The access controls in the new directive would help the department get a better handle on its information, Lentz said.
'Our goal is to make information available on a network that people depend on and trust,' Lentz said.