Defense CIO will set security rules

By Dawn S. Onley, GCN Staff

In a few weeks, Defense Department CIO John Stenbit will release a directive that sets standards to guide Defense agencies on how to secure their networks.

The directive, DOD 8500, will cover several security topics, such as levels of access control and firewall protection. It will be linked to initiatives at intelligence agencies.

Defense officials said they consider the directive to be the capstone in a recent series of information assurance policies at the department.

The policy also will set guidelines for the interoperation of information systems within the Global Information Grid.

“Warfighters must be able to trust all of the information” they get, said Robert F. Lentz, director of information assurance for the Office of Assistant Secretary of Defense for command, control, communications and intelligence. “We have to provide security at the data content level, or we’re not going to be successful.”

Guidelines for use

The directive will set guidelines for IT products that Defense agencies use to enter, process, store, display or transmit sensitive information.

DOD has set forth several new security policies this year, such as the National Security Telecommunications and Information Systems Security Policy No. 11, which took effect July 1. Under NSTISSP No. 11, all government agencies must use commercial software that has been validated to meet information assurance requirements for secure networks.

The soon-to-be-released directive will round out DOD’s information assurance strategy, which outlines five broad goals for the department:
  • protecting information
  • defending systems
  • providing command and control and situational awareness
  • making sure information assurance is integrated into processes
  • increasing security awareness throughout DOD’s work force.

DOD 8500 is aimed at achieving a layered security approach or “defense in breadth,” said Lentz. It will establish baseline controls so users can keep requirements in mind as they design networks, acquire products and implement lifecycle decisions.

“To help manage information assurance within the network, the directive establishes controls for basic, medium and high levels of availability, confidentiality and integrity,” Lentz said.

The policy will emphasize information assurance throughout the lifecycle of DOD information systems—beginning with the acquisition process.

The directive requires using security products that have been validated by the National Information Assurance Partnership using standards such as the International Common Criteria for IT Security Evaluation.