Director View | Framework formed by best practices

The Defense-wide Information Assurance Program (DIAP) is leading a holistic approach to IA risk management that includes codifying best practices from across the Defense Department and developing a compliance and enforcement plan.

Although IA best practices are frequently mentioned in DOD, there is no set of codified practices. To tackle that challenge, DIAP — a component of DOD’s Office of the Chief Information Officer — called on the department’s IA community to identify a set of overarching concepts the entire enterprise could use.

After reviewing IA best practices at DOD, other federal agencies, academic institutions and industry, the team developed an initial list of concepts based on desired attributes and outcomes. Community leaders then reviewed and approved the list.

The resulting best-practice concepts are:

• Compliance and enforcement.
• Identity management.
• Access control.
• Configuration management.
• Layered defensive approach.
• Certification and accreditation.
• Contingency planning and management.
• Risk-based decisions.
• Maximized acquisition avenues for enterprise solutions.
• An educated and trained workforce.

The goal is to reduce our vulnerabilities to threats and meet the challenges of implementing IA security measures through the adoption of the best-practice concepts.

Most of the concepts are already mandated in the DOD 8500 policy series and described in the National Institute of Standards and Technology’s Special Publication 800-100.

The team identified 17 key initiatives based on their perceived value and relative ease of implementation. For instance, one key initiative is to implement strong access controls, with an associated activity to “require and enforce multifactor authentication, where appropriate and justified from risk assessment.”

The value of strong access control is high because such measures have made it more difficult for unauthorized users to gain access to computers and networks. The ease of implementation is demonstrated by DOD’s large-scale distribution of Common Access Cards.

Furthermore, DIAP is working to achieve the vision of institutionalizing IA compliance into the DOD culture. Currently, we have poor governance processes and limited mechanisms for assessing and enforcing compliance. To close the gap, we need to achieve three goals:

• Execute the IA compliance framework.
• Verify compliance with the IA policy, operations and program.
• Instill awareness of the compliance program across the department.

DIAP has developed a compliance and enforcement framework that can be used throughout DOD. The goal was to develop a structured, repeatable process to systematically implement and assess compliance and enforcement using the six elements of the compliance, assessment, monitoring, tracking, accountability and metrics for policy, operations and programs (CAMTAM-POP) approach.

Policy

DIAP is in the process of reviewing policies for compliance and enforcement with the goal of developing a CAMTAM checklist that component action officers can use as they develop and review IA policies. The DOD 8500 policy series mandates about 500 requirements, but not all are relevant or crucial. We will select the ones that are most critical for compliance and enforcement and conduct a gap analysis between compliance requirements and operational compliance to address the root causes of noncompliance.

Operations

Cybersecurity compliance requirements for systems and networks are defined in a series of DOD and Joint Staff policies and instructions and by specific components. In addition, DOD Instruction 8560.01, “Communications Security Monitoring and Information Assurance Readiness Testing,” specifies that the Strategic Command will develop procedures and oversee testing of the Global Information Grid for IA readiness.

Programs

The Global Information Grid IA Portfolio (GIAP) Office and the military services are charged with identifying resource gaps in IA implementation. DIAP continues to collaborate with the GIAP office to review gaps in implementing, assessing and enforcing selected initiatives and associated activities. The two offices will also work with other DOD components to validate the gap analysis and identify programmatic actions to reduce the gaps. That information will be used in conjunction with the Compliance Enforcement Plan to ensure adherence to the IA program requirements.

Metrics

It is essential to demonstrate the progress and value of compliance and enforcement through quantitative results rather than qualitative and anecdotal results. Identifying a standard set of relevant and meaningful outcome-oriented metrics is more challenging. We must continue to collaborate with other metric-related efforts departmentwide to improve the quality of the data used in the core metrics and encourage their adoption. Collecting and analyzing performance metrics are crucial to measuring the success of compliance and enforcement efforts.

The future in focus

To improve DOD’s IA posture in a complex and ever-changing global environment, officials must focus on harnessing and synchronizing departmentwide efforts, particularly with regard to best practices and enforcement of existing policies, operational orders and programs.

DIAP’s goal is to formalize the CAMTAM-POP framework and institutionalize it throughout DOD for identifying, assessing, monitoring and tracking compliance and for holding components accountable for compliance and enforcement. Officials must be able to base their decisions on knowledge of the potential risks facing their organization and others connected to GIG.