DOD releases second half of security policy
- By Dawn S. Onley
- Feb 27, 2003
(Updated Feb. 27, 2003, 2:02 p.m.)
The Pentagon released an information assurance policy today that sets specific controls and standards for how users should secure Defense Department networks.
Directive 8500.2 is the second part of a strategy to address the changing security needs in the department.
DOD issued the first part, 8500.1, last October. It supplied a framework for DOD to follow to protect its information systems, said Robert F. Lentz, director of information assurance for the Office of the Assistant Secretary of Defense for Command, Control, Communications and Intelligence.
Lentz said 8500.1 told users what the DOD is doing. The second part tells users how to secure their networks.
'This is what the customer out in the field was begging for: specifications,' Lentz said. 'Specifics regarding security and stuff across the gamut of the architecture.'
The policy covers several areas including levels of access control and firewall protection. It places Defense information systems in four categories: automated applications; enclaves, which include networks; outsourced IT processes; and platform IT interconnections such as weapons systems and sensors.
The category assigned to a system 'is directly associated with the importance of the information [it contains], relative to the achievement of DOD goals and objectives, particularly the warfighters' combat mission,' according to the policy.
The 8500.2 policy, signed by Defense CIO John Stenbit, instructs Defense agency leaders to provide all military and civilian personnel, including contractors, with security training that matches each employee's level of responsibility for working with DOD information systems.
The policy establishes information assurance managers and officers to ensure that DOD systems meet IA specifications.
According to 8500.2, information transmitted on Defense networks is shared across the Global Information Grid and is becoming more vulnerable to attacks and denial of service. The vulnerabilities stem from "increased reliance on commercial information technology and services; increased complexity and risk propagation through interconnection; the extremely rapid pace of technological change; a distributed and nonstandard management structure; and the relatively low cost of entry for adversaries."