Defense-wideInformation Assurance

Program(DIAP)

CAPT J. Katharine Burton, USN

Staff Director, DIAP

703.602.9988

Katharine.Burton@osd.milhttp://www.c3i.osd.mil/org/sio/ia/diap/

The Challenge

NIPRNET Growth 20% customer growth* 400% growth in traffic* 1554 customers 4,000 dial-up users

SIPRNET Growth 200% customer growth* 600% growth in traffic* 811 customers 1,200 dial-up users

The InternetBill Cheswick

Lucent Technologies

Growing dependence on information systems

Rapid growth in computer networks

Vulnerability to internal and external attack

Defense Department Systems 2-3 Million Computers 100,000 Local Area Networks 100 Long-distance Networks * Since 1996

Low High

High

Low

PotentialDamage

Probability of occurrence

2000

2002

2005

The Threat is Increasing

Source: 1996 DSB Summer Study

HackerCriminal

Espionage

Terrorist

State Sponsored

Threats & Vulnerabilities

Operations

Aircraft Accident

Rodent Infestation

IllnessEpidemic

Fire

Chemical Spill

HW/SWFailure

HVAC Failure

Power Outage

Substance Abuse

Floods

EarthquakeLightning

Severe Storms

ExtremeTemperatures

ElectricInterference

Vandalism

Industrial EspionageBomb

Threat

Unauthorized Disclosure Modification of

Data

Theft of Assets

Terrorism

Unauthorized System/Facility

Access

Sabotage

Human Omissions

Administrative Error

Inadvertent Disclosure

Human Error

Management Error

Intentional

Human

Unintentional

Man-made

Environmental

Natural

Info

rmati

on S

uperi

ori

ty

Focused Logistics

Precision Engagement

Dominant Maneuver

Full Dimensional Protection

Innovati

on

FullSpectrum

Dominance

Joint Vision 2020

Dedicated individuals and innovative organizations transforming the joint force for the 21st Century to achieve full spectrum dominance :

- persuasive in peace- decisive in war- preeminent in any form of conflict

DOD IA Goal

Ensure DoD’s vital information resources

are secure and protected

Ref: DoD CIO October 1999, DoD Information Management (IM) Strategic Plan (ver 2.0)

Information Superiority

“.. The capability to collect, process, and disseminate an uninterrupted

flow of information while exploiting or denying an adversary’s ability

to do the same.”

Joint Vision 2020

DoD IA Vision

Information Superiority for the DoD, achieved through a balanced

integration of highly skilled personnel, operational policy and capability, and

leading edge technology.

Information Assurance is essential to achieve and maintain Information Superiority.

Elements of Information Assurance

INFORMATION

AvailabilityIntegrity

Au

then

tica

tio

n

Confidentiality

No

n-rep

ud

iation

AVAILABILITYTimely, reliable access to

data and information services for authorized users.

CONFIDENTIALITYAssurance that information is not disclosed to unauthorized

persons, processes, or devices.

INTEGRITYCondition existing when data is unchanged from its source and

has not been accidentally or maliciously modified, altered, or

destroyed.

AUTHENTICATIONSecurity measure designed to establish the validity of a

transmission, message, user, or system or a means of verifying an individual's authorization to receive specific categories of

information.

NON-REPUDIATIONAssurance the sender of data

is provided with proof of delivery and the recipient is provided with proof of origin,

so neither can later deny having processed the data.

Information Assurance Challenges

Interconnected, interdependent systems underscore need for broad understanding of threats and vulnerabilities

Security-enabled commercial products - strong encryption with key recovery (Except for Digital Signature)

Global Security Management Infrastructure

Cyber situation awareness - Cyber attack, sensing, warning and response capability

Risk accepted by one is shared by all

Information AssuranceInformation Assurance

THROUGH: ACTIVE CYBER DEFENSETHROUGH: ACTIVE CYBER DEFENSE

PROTECT DETECT & REPORT REACT

Founded On:Founded On:

People Operations Technology

Via:Via:

Information Assurance PolicyInformation Assurance Policy

achieved

Defense in Depth Strategy

Integrates the capabilities of people, operations and technology to establish a multi-layer, multi-dimension protectionFour Areas of focus:

1 - Local Computing Environments or Enclaves2 - Enclave Boundaries3 - Networks that link enclaves4 - Supporting Infrastructures

DIAP Mission

To ensure the DoD’s vital information resources are secured and protected

by unifying/integrating IA activities to achieve information superiority

DIAP Staff Director

Deputy Staff Director

Admin Assistant

Policy

Joint Staff Liaison

Agency Liaison

Law Enforcement & CI Coordinator

Reserve Component

Liaison

Service Liaison

IC CoordinatorSolutions

Research & Technology

Architecture

Acquisition & Product Support

Critical Infrastructure

Technology andCapabilities Development

Human ResourcesOperations andCapabilities Deployment

Readiness

Net Ops

AS&W

Assessments

Connection Approval,

Recert

Requirements

ResourceManagement

Team Education

Training

IA Scholarships

AwarenessActivities

Personnel & Manpower

WebsiteSupport

C3I Major IA Initiatives

Crypto Modernization Public Key Infrastructure Computer Network Defense

Attack Sensing and Warning JTF-CND IAVA

Human Resources Policy Technology

All IA related DoD issuances will be realigned to 8500 Series

8500 - General

8510 - Certification and Accreditation

8520 - Security Management (SMI, PKI, KMI, EKMS)

8530 - Computer Network Defense

8540 - Interconnectivity/Multi-Level Security

8550 - Network/Web (Access, content, Privileges)

8560 - Assessments (VAAP, Red Team, TEMPEST Testing)

8570 - Education, Training, Awareness

8580 - Other

IA Policy Framework

Government Information Security

Reform (GISR)

Required by Subtitle G of National Defense Authorization Act of 2001

DoD Integrated Process Team (IPT) to develop DoD plan and course of action

Report due to Congress Oct 2001 Addresses Secret and Classified

Systems

Information Assurance Panel (IAP)

Panel under the Military Communication Electronics Board (MCEB)

First met October 1999

Co -chaired by DIAP and J6K

Members: Military Services, DISA, NSA, DIA, DLA, NRO, NIMA, DSS, BMDO, DECA, DFAS, DTRA, IC CIO, USSPACECOM

Information Assurance Panel (IAP) Task Forces

Hum an Resources W ork ing G roup C om m unity R isk W ork ing G roup

D IT S C A P W ork ing G roup C O M S E C M oderniza tion W ork ingG roup

D oD F irew a l l Pol icyW ork ing G roup

M obile C ode T es tingW ork ing G roup

Ports and ProtocolsW ork ing G roup

PK E nabl ingW ork ing G roup

IAP

MC EB

The Weak Link

In IA we’re only as strong as our weakest link!

A Risk Accepted By One is a Risk Shared By AllA Risk Accepted By One is a Risk Shared By All

BACKUP SLIDES