DOD issues more IA instructions

Information Assurance Support Environment

The Pentagon recently issued the second part of its information assurance (IA) policy that sets guidelines on using Defense Department networks.

DOD Instruction 8500.2 sets forth implementation of the rules and policies in Directive 8500.1, which was issued in late October 2002.

The directive calls for the different agencies within DOD to protect its data as it is shared across the Global Information Grid (GIG). Instruction 8500.2, dated Feb. 6, "implements policy, assigns responsibilities, and prescribes procedures for applying integrated, layered protection of the DOD information systems and networks."

"The Department of Defense has a crucial responsibility to protect and defend its information and supporting information technology," the 8500.2 policy states. "Factors that contribute to its vulnerability include increased reliance on commercial [IT] and services; increased complexity and risk propagation through interconnection; the extremely rapid pace of technological change; a distributed and nonstandard management structure; and the relatively low cost of entry for adversaries."

Donald Jones, a member of the IA Directorate for the Office of the Assistant Secretary of Defense for Command, Control, Communications and Intelligence, said 8500.2 offers the different parts of DOD the guidance necessary to implement the rule in 8500.1.

DOD Directive 8500.1 makes it departmentwide policy for IA requirements to be identified and included in the design, acquisition, installation, operation, upgrade and replacement of all DOD information systems.

"The guidance [8500.1] was developed largely in response to changing security needs brought about by DOD's growing dependence on interconnected information systems, particularly desktop computer networks, and increased concern about the protection of unclassified but sensitive information," according to a DOD spokesperson.

8500.2 indicates the Defense IA program is predicated upon five essential competencies that ensure a successful risk management program, which include:

* The ability to assess security needs and capabilities.

* The ability to develop a purposeful security design or configuration that adheres to a common architecture and maximizes the use of common services.

* The ability to implement required controls or safeguards.

* The ability to test and verify.

* The ability to manage changes to an established baseline securely.