DOD getting its IA act together

As the Defense Department moves toward making data available on networks, the agency is also working to improve the security of those networks.

As part of that effort, DOD is working to implement a comprehensive information assurance (IA) architecture.

DOD officials have been working on the official document for about six months, and want to have a more substantive plan prepared by this time next year, according to Robert Lentz, DOD's IA director.

IA has long been tagged as the agency's soft underbelly, with information becoming nearly as important as weapons systems in recent conflicts.

DOD chief information officer John Stenbit has made network-centric operations his main priority. Under that concept, the days of "pushing" information to the troops would end to be replaced by an era where troops "pull" the information that they need, which is available security over these hardened networks.

To that end, protecting those networks has become Lentz' driving mission.

"The information assurance architecture is clearly the most important thing we're working on right now," Lentz said. Pentagon officials have been working with other interested agencies, including the National Security Agency and Defense Information Systems Agency.

"The true art of this architecture is in the collaboration, rather than behind closed doors at NSA" or the Office of the Secretary of Defense, Lentz said.

The department has long been pursuing an architecture that it can point to as a model for how to overcome problems associated with IA.

DOD has a monumental task before it, and will have to work hard to develop standards before the architecture really has any teeth, according to John Pescatore, vice president for Internet security research at Gartner Inc.

"DOD is starting at the standards level, and that makes the most sense," Pescatore said. "That's where we've seen DOD have some success."

Because most DOD employees work on similar platforms — Microsoft Corp.'s Windows-based PCs — officials' jobs can be made easier by taking users out of the loop and implementing security across the board. Employees are widely considered the greatest threat to any information security policy or architecture.

"In any architecture they do, they should come up with standard policies for desktops and require that security tools be put on them," Pescatore said.

The information architecture will work across multiple security domains, from top secret to unclassified, said Glenda Turner, a senior policy advisor for IA and the IA architecture lead within the department.

"We have been working on IA for a long, long time," she said. As part of the goal to have an architecture in place in early fiscal 2005, DOD will issue four documents during the next four months.

Perhaps the trickiest policy to be developed so far, Lentz said, is education and training. While certification and accreditation deals with networks, education and training deals with people. "We've never done a personnel-oriented policy in information assurance before," he said.

Lentz and Stenbit have asserted that the largest security hole in the department's information assurance battle is the people connected to the network. Defense networks have been crippled not necessarily because of malicious intent, but because personnel either weren't trained properly or ignored safety protocols.

When the architecture is available, its impact will be felt first by those who make acquisition decisions because its rules will present added security criteria. Ultimately, the implementation and upkeep of IA will fall to every person in DOD.

Auditors from the General Accounting Office earlier this year said DOD lacks policies needed to tightly guard data and ways to enforce the policies it does have. Although the department has an Information Assurance Program, DOD "does not have the mechanisms in place for comprehensively measuring compliance with federal and defense information security policies and ensuring that those policies are consistently practiced throughout DOD," the auditors said.

***

Goals of assurance

The Defense Department is in the process of developing information assurance (IA) architecture.

The goal areas are:

Protect information to safeguard data as it is being created, used, modified, stored, moved and destroyed.

Defend systems and networks by recognizing, reacting to and responding to threats and vulnerabilities.

Provide situational awareness/IA command and control to offer a shared understanding among decision-makers.

Transform and enable IA capabilities for development and delivery and to improve government-to-government, government-to-industry, and intradefense coordination to reduce risk.

Create an IA-empowered workforce that is trained, highly skilled, knowledgeable and aware of its role in assuring information.