DOD puts security onus on commanders

In its latest effort to improve network security, Pentagon officials are making individual commanders accountable for protecting data that passes through their systems.

The goal is to get individual commands to take information assurance seriously, Defense Department officials said. That responsibility extends to systems used by contractors as well as DOD staff.

Individuals will be responsible for that data regardless of their security clearance levels, said Robert Lentz, information assurance director for the chief information officer's office at DOD. The plan "assigns responsibility to people within the infrastructure in terms of their information assurance roles," he said.

"There is a designated approval authority and it forces commanders to pay attention to their own [information technology] hierarchies," Lentz said.

The new instruction, issued last month and referred to as DOD Instruction 8500.2, is designed to ensure that information awareness training and education are provided to all military and civilian personnel, specific to their responsibilities for developing, using and maintaining DOD information systems.

"The Department of Defense has a crucial responsibility to protect and defend its information and supporting information technology," the policy states.

The guidance follows up on DOD Directive 8500.1 issued in October 2002. The earlier directive makes it departmentwide policy for security requirements to be identified and included in the design, acquisition, installation, operation, upgrade and replacement of all DOD information systems.

The newly issued instructions offer DOD agencies guidance for implementing the October directive, said Donald Jones, an information assurance directorate staff member.

The DOD CIO and DOD's information assurance directorate will now develop certification criteria so that the commanders can demonstrate that their systems comply with the policy, he said.

"This is not just a policy to deal with confidential information, but the whole gamut: confidential, classified, sensitive and public information," Lentz said.

Army CIO Lt. Gen. Peter Cuviello said the release and approval of the information assurance instructions were "a good thing because we've never had this before." Now the challenge is to add some more specific details for the services to follow, he said.

"Now, we're providing input back into [the Defense secretary's office] about how to take this to the next level of detail and put some meat into all the things we're responsible for doing," Cuviello said.

***

Rest assured

Defense Department Instruction 8500.2 says the defense information awareness program was based on five essential competencies, including:

* The ability to assess security needs and capabilities.

* The ability to develop a purposeful security design or configuration that adheres to a common architecture.

* The ability to implement required controls or safeguards.

* The ability to test and verify.

Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.