Logistics agency bolsters security
- By Wilson P. Dizard III
- Mar 07, 2003
ORLANDO, Fla.'The Defense Logistics Agency plans to meet a key technical milestone in systems security by year's end.
Dennis Heretick, program manager of DLA's information assurance program, told an audience at this week's Information Processing Interagency Conference here about the agency's defense-in-depth approach.
'In cyberwar, we are the warfighters,' he said. DLA systems administrators are on the front lines, Heretick said, providing logistical support to military units around the world,
The agency plans to reach the top Level 5 of the Federal Information Technology Security Assessment Framework by the end of the first quarter of fiscal 2004, Heretick said.
The FITSA security rating system, created by the federal CIO Council in 2000, has a five-step protocol for evaluating information assurance maturity. In progressive steps, it calls for documenting security policy, identifying procedures and controls, implementing them, validating their effectiveness and, at the highest level, fully integrating them into work processes.
DLA officials have allotted responsibility for improving information assurance to several project leads, who are responsible for:
'Enclave boundary defense, including firewalls
'Access controls, including public-key infrastructures
'Certification and accreditation
DLA information assurance specialists have drawn up a business plan and are rating organizations within the agency. The report card evaluations are based on open book tests, in which DLA officials know what answers are expected and how to achieve them. If they fail to implement the answers, they fail the tests.
So far, DLA has accredited all its deployed systems, networks and Web sites, Heretick said. It is aiming for continuous improvement in security policies, procedures, templates, handbooks and testing methods, he said. For example, the agency has standardized its far-flung operations on a single firewall product and plans to move to centralized firewall management.
The agency has not met all its report card goals, however. Heretick declined to specify the areas where it fell short. There are 47 risk control measures, he said.
Heretick used the metaphor that Victoria's Secret'a subsidiary of Intimate Brands Inc. of Columbus, Ohio'has estimated that if its Web site were to go down before Valentine's Day, it would lose 35 percent of the year's sales. 'In DLA, every day is Valentine's Day,' he said. 'Security is not separate from IT operations, it is part of IT operations.'