DOD releases second half of security policy

(Updated Feb. 27, 2003, 2:02 p.m.)

The Pentagon released an information assurance policy today that sets specific controls and standards for how users should secure Defense Department networks.

Directive 8500.2 is the second part of a strategy to address the changing security needs in the department.

DOD issued the first part, 8500.1, last October. It supplied a framework for DOD to follow to protect its information systems, said Robert F. Lentz, director of information assurance for the Office of the Assistant Secretary of Defense for Command, Control, Communications and Intelligence.

Lentz said 8500.1 told users what the DOD is doing. The second part tells users how to secure their networks.

'This is what the customer out in the field was begging for'specifications,' Lentz said. 'Specifics regarding security and stuff across the gamut of the architecture.'

The policy covers several areas including levels of access control and firewall protection. It places Defense information systems in four categories:

  • automated applications

  • enclaves, which include networks

  • outsourced IT processes

  • platform IT interconnections such as weapons systems and sensors.

  • The category assigned to a system 'is directly associated with the importance of the information [it contains], relative to the achievement of DOD goals and objectives, particularly the warfighters' combat mission,' according to the policy.

    The 8500.2 policy, signed by Defense CIO John Stenbit, instructs Defense agency leaders to provide security training to all military and civilian personnel, including contractors, that meets an employee's job level of responsibility for working with DOD information systems.

    The policy establishes information assurance managers and officers to ensure that DOD systems meet IA specifications.

    According to 8500.2, information transmitted on Defense networks is shared across the Global Information Grid and is becoming more vulnerable to attacks and denial of service. The vulnerabilities stem from "increased reliance on commercial information technology and services; increased complexity and risk propagation through interconnection; the extremely rapid pace of technological change; a distributed and nonstandard management structure; and the relatively low cost of entry for adversaries."


    • business meeting (Monkey Business Images/

      Civic tech volunteers help states with legacy systems

      As COVID-19 exposed vulnerabilities in state and local government IT systems, the newly formed U.S. Digital Response stepped in to help. Its successes offer insight into existing barriers and the future of the civic tech movement.

    • data analytics (

      More visible data helps drive DOD decision-making

      CDOs in the Defense Department are opening up their data to take advantage of artificial intelligence and machine learning tools that help surface insights and improve decision-making.

    Stay Connected