DOD plans information assurance policy
- By Matthew French
- Sep 17, 2003
A comprehensive information assurance architecture should be in place about a year from now, the director of information assurance for the Defense Department said today.
The department has long been pursuing an architecture that it can point to as a model for how problems associated with information assurance can be overcome. Toward that goal, the department will issue four documents in the next four months, said Robert Lentz, DOD's director of information assurance.
"The information assurance architecture is clearly the most important thing we're working on right now," Lentz said. "And these four policy documents will play a very important role in bringing that architecture into being."
The first two, due in a matter of weeks, will be for wireless and what he termed "ports and protocol." The other two policy areas — certification and accreditation, and education and training — will follow by early January.
"Wireless is something we've been working on for some time now," Lentz said, speaking this morning at the E-Gov Information Assurance conference. "It's almost ready to go. Ports and protocol should be out in the next six to eight weeks as well."
Ports and protocol represents a fundamental change in thinking about DOD's Computer Network Defense, replacing the philosophy of "deny by exception" with "permit by exception," according to Defense documents.
Perhaps the trickiest policy to be developed so far, Lentz said, is for education and training. While certification and accreditation deals with networks, education and training deals with people.
"We've never done a personnel-oriented policy in information assurance before," he said.
Lentz and his boss, DOD chief information officer John Stenbit, have asserted that the largest security hole in the department's information assurance battle is the people connected to the network. Defense networks have been crippled not necessarily because of malicious intent, but because personnel either weren't trained properly or ignored safety protocols.