
Building the IA Offensive Line




INFORMATION ASSURANCE DIRECTOR FOCUSES ON DEVELOPING PEOPLE TO PROTECT NETWORK SECURITY.


The Department of Defense has been making significant progress in recent months to implement various information assurance initiatives, including a directive establishing policy for information assurance training and certification, according to DoD Information Assurance Director Robert Lentz.

The department hopes to fully set up workforce certification in information assurance within five years, Lentz said in a recent interview. What DoD really requires, he suggested, is the equivalent of a driver’s license for information assurance.

“If you want to run a motor generator in the Army, you have to go out and get a training certificate,” he said. “We did not have that up until this directive was issued for those people that are key system administrators or network administrators or security officers who are managing this very expansive and complex network.

“Through this directive, we have now put into place a process for getting up to 90,000 or 100,000 personnel who will ultimately have to be certified on a regular basis to operate and to perform those duties in these key positions,” Lentz continued. “That driver’s license is what we are attempting to get out of that directive.”

The DoD directive on IA training was issued in August 2004, and the Office of the Secretary of Defense for Networks and Information Integration (ASD NII) issued a manual to support the directive last fall. Now, ASD NII is getting into the details of setting up a certification solution for training, certifying and managing the information assurance workforce throughout DoD.

Within five years, Lentz plans to finalize a certification program to deal with up to 100,000 personnel in various IA capacities. As the first part of that effort, DoD components must identify the specific positions dealing with information assurance and record those in a database. From there, administrators must work to determine what training each annotated position requires and enact a program to deliver that certification.

“It will take a little bit of time, as you can imagine, to get all of the databases coded and all of the positions properly annotated for certifiable positions needing certain certifications, and then get the schoolhouses with the requisite amount of training to support those required certifications,” Lentz noted.

“The key to this directive is that it is really based on commercial certification providers,” he continued. “We are going to be leveraging those commercial services to get those certifications. It allows us to do it faster and, by using those commercial certification providers, it allows for a heck of a lot more agility in allowing us to adapt continuously to the changing art form of network security.”

DoD has allocated about $100 million over five years to establish certification training programs and begin personnel activities to support them.

“That amount of money, in the neighborhood of about $20 million or so a year, is allocated to support that across the entire enterprise,” Lentz said. “As with any program, you always are searching for some newer techniques and tools that come along. But the baseline funding is in place.”

To jumpstart information assurance certification across the department, Lentz hopes to identify the top 15,000 or so personnel and certify those core positions within the next 18 months. Afterward, DoD could branch out and rapidly certify the remainder of the information assurance workforce within the next three to four years.

New personnel joining the department would receive training for their positions as quickly as possible to ensure a smooth transition into the new way of doing business, Lentz said. Those personnel would include military, civilian and contract employees as well as some foreign nationals responsible for DoD networks overseas.

Lentz stressed that the plan for information assurance certification was part of a larger plan to focus on the people responsible for maintaining DoD network security.

“We try to focus on information assurance as a combination of technical means, operational means and people,” he said. “Those three legs of the stool will make or break our ability to protect and defend the network and information that is flowing across the network.

“The people part of it, in my mind, is really the offensive line to our ability to succeed or fail. You can have all of the great quarterbacks and running backs in the world, but you are not going to be that successful without that offensive line.”

CERTIFIED SECURE

Information assurance certification is not the only new initiative that Lentz is dealing with these days. Several other key programs have launched within the past several months to boost network security across DoD and between the department and some of its key collaborators.

John Grimes, the ASD NII and DoD chief information officer, this summer released the interim DoD Information Assurance Certification and Accreditation Process (DIACAP).

“That policy is a very critical policy that will set in place a transformative process for having enterprise certification and accreditation based on a service-oriented architecture and based on the security controls that we have in place. It is a very important bedrock policy for us as we move in a net-centric fashion,” Lentz remarked.

DIACAP details the standard processes for the identification, implementation and validation of information assurance controls of the use of DoD information systems and the management of information assurance across the defense enterprise. The process replaces a former standard, the Defense Information Technology Security Certification and Accreditation Process (DITSCAP).

In response, companies are rushing to ensure that their products meet the standards. For example, a company called SecureInfo recently announced that its SecureInfo RMS certification and accreditation software now conforms to DIACAP standards. The software automates certification and accreditation processes, enforcing DoD information assurance standards throughout federal networks.

In addition, Grimes and Air Force Major General Dale W. Meyerrose (Ret.), the CIO for the director of national intelligence, recently launched the Cross-Domain Management Office. The office examines and issues security solutions to protect information that travels between top secret, secret and sensitive and unclassified DoD and intelligence networks, as well as between DoD and security partners like the Department of Homeland Security and international coalition partners.

“It is a jointly led program office with the intelligence community because we want to flow information from the intelligence community assets throughout the entire range of areas of interest that we have out there that are growing every single day in leaps and bounds in the global war on terrorism,” Lentz said.

Meyerrose announced in June that one goal of his office was to reduce the number of cross-domain interfaces. He indicated plans to reduce the number of joint cross-domain solutions from what could be hundreds to only two dozen.

The DoD Enterprise Solutions Steering Group also is deploying new capabilities to boost information assurance while launching new activities to help secure networks.

IDENTITY INFRASTRUCTURE

Lentz’s office is also heavily involved with accelerating the deployment of public key infrastructure across DoD to meet the demands of Homeland Security Presidential Directive 12 (HSPD-12).

HSPD-12 requires all federal agencies to implement a security standard developed by the National Institute of Standards and Technology (NIST) for both physical and logical access to federal systems. At DoD, HSPD-12 initiatives are co-managed by the DoD CIO and the Office of the Undersecretary for Personnel and Readiness.

“HSPD-12 is another very important security control,” Lentz said. “We have a whole host of security controls and standards that we follow in DoD. Many of them are married up with the NIST national-level set of controls.”

The key principles of identity protection and management established under HSPD-12 become part of the information assurance standards that key personnel will be required to master as part of their roles and responsibilities. The HSPD-12 requirements will be one part of the greater set of information assurance regulations that personnel must learn when they obtain information assurance certification in the future, Lentz said.

“There is no doubt that not only today but in the future the Global Information Grid has as its basic foundation this idea of identity protection and management,” Lentz said. “Clearly, all sys-admins who really are very good see the great benefit of having strong access control. You want to get rid of passwords, but you want to have people on the net that you know are the right people to be on the net. That will make your job better and more effective as a sys-admin. So it is going to be a fundamental criteria for how we operate.”

Lentz pointed out that personal identity verification through the use of smart cards—as many agencies are preparing for HSPD-12 compliance—is not new at DoD. In the late 1990s, the department first deployed a PKI system across its networks, linking it to its common access card, which DoD employees used to log in to networks.
