DOD puts security onus on commanders

In its latest effort to improve network security, Pentagon officials are making individual commanders accountable for protecting data that passes through their systems.

The goal is to get individual commands to take information assurance seriously, Defense Department officials said. That responsibility extends to systems used by contractors as well as DOD staff.

Individuals will be responsible for that data regardless of their security clearance levels, said Robert Lentz, information assurance director for the chief information officer's office at DOD. The plan "assigns responsibility to people within the infrastructure in terms of their information assurance roles," he said.

"There is a designated approval authority and it forces commanders to pay attention to their own [information technology] hierarchies," Lentz said.

The new instruction, issued last month and referred to as DOD Instruction 8500.2, is designed to ensure that information awareness training and education are provided to all military and civilian personnel, specific to their responsibilities for developing, using and maintaining DOD information systems.

"The Department of Defense has a crucial responsibility to protect and defend its information and supporting information technology," the policy states.

The guidance follows up on DOD Directive 8500.1 issued in October 2002. The earlier directive makes it departmentwide policy for security requirements to be identified and included in the design, acquisition, installation, operation, upgrade and replacement of all DOD information systems.

The newly issued instructions offer DOD agencies guidance for implementing the October directive, said Donald Jones, an information assurance directorate staff member.

The DOD CIO and DOD's information assurance directorate will now develop certification criteria so that the commanders can demonstrate that their systems comply with the policy, he said.

"This is not just a policy to deal with confidential information, but the whole gamut: confidential, classified, sensitive and public information," Lentz said.

Army CIO Lt. Gen. Peter Cuviello said the release and approval of the information assurance instructions were "a good thing because we've never had this before." Now the challenge is to add some more specific details for the services to follow, he said.

"Now, we're providing input back into [the Defense secretary's office] about how to take this to the next level of detail and put some meat into all the things we're responsible for doing," Cuviello said.

***

Rest assured

Defense Department Instruction 8500.2 says the defense information awareness program was based on five essential competencies, including:

* The ability to assess security needs and capabilities.

* The ability to develop a purposeful security design or configuration that adheres to a common architecture.

* The ability to implement required controls or safeguards.

* The ability to test and verify.