DOD releases second half of security policy

(Updated Feb. 27, 2003, 2:02 p.m.)

The Pentagon released an information assurance policy today that sets specific controls and standards for how users should secure Defense Department networks.

Directive 8500.2 is the second part of a strategy to address the changing security needs in the department.

DOD issued the first part, 8500.1, last October. It supplied a framework for DOD to follow to protect its information systems, said Robert F. Lentz, director of information assurance for the Office of the Assistant Secretary of Defense for Command, Control, Communications and Intelligence.

Lentz said 8500.1 told users what the DOD is doing. The second part tells users how to secure their networks.

'This is what the customer out in the field was begging for'specifications,' Lentz said. 'Specifics regarding security and stuff across the gamut of the architecture.'

The policy covers several areas including levels of access control and firewall protection. It places Defense information systems in four categories:

  • automated applications

  • enclaves, which include networks

  • outsourced IT processes

  • platform IT interconnections such as weapons systems and sensors.


  • The category assigned to a system 'is directly associated with the importance of the information [it contains], relative to the achievement of DOD goals and objectives, particularly the warfighters' combat mission,' according to the policy.

    The 8500.2 policy, signed by Defense CIO John Stenbit, instructs Defense agency leaders to provide security training to all military and civilian personnel, including contractors, that meets an employee's job level of responsibility for working with DOD information systems.

    The policy establishes information assurance managers and officers to ensure that DOD systems meet IA specifications.

    According to 8500.2, information transmitted on Defense networks is shared across the Global Information Grid and is becoming more vulnerable to attacks and denial of service. The vulnerabilities stem from "increased reliance on commercial information technology and services; increased complexity and risk propagation through interconnection; the extremely rapid pace of technological change; a distributed and nonstandard management structure; and the relatively low cost of entry for adversaries."


    inside gcn

    • analytics (Wright Studio/Shutterstock.com)

      3 data strategies to help crackdown on internal corruption

    Reader Comments

    Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

    Please type the letters/numbers you see above

    More from 1105 Public Sector Media Group