DOD puts security onus on commanders

In their latest effort to improve network security, Pentagon officials are making individual commanders accountable for protecting data that passes through their systems.

The goal is to get individual commands to take information assurance seriously, Defense Department officials said. That responsibility extends to systems used by contractors as well as DOD staff.

Individuals will be responsible for that data regardless of their security clearance levels, said Robert Lentz, information assurance director for the chief information officer's office at DOD. The plan "assigns responsibility to people within the infrastructure in terms of their information assurance roles," he said.

"There is a designated approval authority and it forces commanders to pay attention to their own [information technology] hierarchies," Lentz said.

The new instruction, issued last month and referred to as DOD Instruction 8500.2, is designed to ensure that information awareness training and education are provided to all military and civilian personnel, specific to their responsibilities for developing, using and maintaining DOD information systems.

"The Department of Defense has a crucial responsibility to protect and defend its information and supporting information technology," the policy states.

The guidance follows up on DOD Directive 8500.1 issued in October 2002. The earlier directive makes it departmentwide policy for security requirements to be identified and included in the design, acquisition, installation, operation, upgrade and replacement of all DOD information systems.

The newly issued instructions offer DOD agencies guidance for implementing the October directive, said Donald Jones, an information assurance directorate staff member.

The DOD CIO and DOD's information assurance directorate will now develop certification criteria so that the commanders can demonstrate that their systems comply with the policy, he said.

"This is not just a policy to deal with confidential information, but the whole gamut: confidential, classified, sensitive and public information," Lentz said.

Army CIO Lt. Gen. Peter Cuviello said the release and approval of the information assurance instructions were "a good thing because we've never had this before." Now the challenge is to add some more specific details for the services to follow, he said.

"Now, we're providing input back into [the Defense secretary's office] about how to take this to the next level of detail and put some meat into all the things we're responsible for doing," Cuviello said.


Rest assured

Defense Department Instruction 8500.2 says the defense information awareness program was based on five essential competencies, including:

* The ability to assess security needs and capabilities.

* The ability to develop a purposeful security design or configuration that adheres to a common architecture.

* The ability to implement required controls or safeguards.

* The ability to test and verify.

