Information Assurance and Network Security
What is it?
The Information Assurance (IA) program provides policy, mandates, and procedures targeted to protect information and information systems from unauthorized access, modification, or denial of service; and ensures the provisioning of access and service to authorized users. IA protects and defends information and ISs by ensuring availability, integrity, authentication, confidentiality, and non-repudiation throughout the entire life-cycle. IA includes measures to detect, document, respond, and counter threats targeting the spectrum of military operations. This cyberspace environment is characterized by rapidly emerging technology that is subject to an increasingly sophisticated and organized cyber-attack encompassing opportunistic or criminal intruders through nation state, trans-national terrorist organizations capable of entering networks from worldwide locations. Combined with the tenants of Network Security, the protection of networks and their services from unauthorized modification, destruction, or disclosure; IA provides assurances that the network performs its critical functions correctly. IA defends the Army's LandWarNet by employing a robust defense-in-depth strategy that integrates people, technology, and operations. IA is implemented through a competent and trained workforce that employs multiple protective measures layered from the network perimeter to the desktop.
What has the Army done?
Army's IA approach concentrates on protecting information, defending systems and networks, providing IA situational awareness, fostering innovation, and creating an empowered workforce. In Fiscal Year 2008 the Army highlights below focus on efforts to lead DoD on several strategic fronts:
- DoD Selection and Acquisition of a Data At Rest Encryption Solution for the protection of sensitive data on mobile computing devices and removable media. As member of the DoD Data At Rest Tiger Team (DARTT) and the Army’s DARTT, the Army was instrumental in developing technical requirements to be used by DoD for the selection and subsequent award of Data At Rest encryption solutions. In addition to its support to the DoD DARTT, the Army’s tiger team surveyed the Army for the ideal solution, and assisted in identifying risks and mitigation strategy for the Army interim solution of a data at rest encryption product. The Army currently leads DoD in the OMB mandated implementation of a DAR solution to protect sensitive information and mobile devices. The Army negotiated a cost effective enterprise license agreement and technical services, developed training, procurement instructions, and implementation guidance.
- IA Domain and Optimized Portfolio Management. OIA&C mapped the IA domain strategy to multiple mission areas to include: enterprise information environment, business, warfighting, and defense intelligence to optimize IA portfolio investments for maximum return. Army alignment with the DoD Global Information Grid /Enterprise structure is key to success.
- Leveraged existing individual IA Domain Architectures to build a comprehensive LandWarNet IA Architecture in support of the DoD GIG IA Vision encompassing federated users, IA meta-data labeling strategies, a common net-centric computer network defense infrastructure, insider threat mitigation, and mission-prioritized resource planning and execution. The Army’s LandWarNet Information Assurance Architecture (LIAA) was introduced to DoD in 2008.
- In a collaborative effort with the DAIG IA Compliance division, Army IA developed a four-phase IA compliance model and IA self-assessment checklist for implementation across the Army. The purpose of the model and the list is to increase awareness, standardize and validate IA compliance activities, and measure leader success for executing the command IA program.
- In addition to its robust training program for IA professionals, the Army has instituted Mobile Training Teams (MTT) for key security training courses, such as the Certified Information Systems Security Professional (CISSP). The MTTs travel to sites around the Army to execute training that mandates certification as validation of the knowledge and skills of the Army's military, civilian, and contractor IA workforce.
- The Army continues to forge the way in its efforts to reduce network vulnerabilities and prevent pilfering of private or sensitive data by combing the web for "at-risk" data through the Army Web Risk Assessment Cells, and protecting against data theft or loss by means of encrypting data at rest and in transit.
- The Information Assurance Vulnerability Management process to find, fix, report, and verify compliance with DoD mandates has improved significantly with the deployment of DoD provided automated scanning and remediation tools, innovative reporting capabilities, and increased compliance verification inspections.
- The Army continues to influence the IA tools selection and acquisition for STRATCOM ESSG IA/CND Tools and ESSG TAG. A Concept of Operations (CONOPS) for the wireless discovery tool, “Flying Squirrel” was recently adopted by Joint Forces Command and incorporated into Army procedures.
- Army improved its Certification and Accreditation posture incorporating all mission support systems into the Army Program Management System (APMS), exceeding the goal for Authorities to Operate (ATO), and doubling the percentage of systems that had executed an annual Contingency Plan, IA Security Controls and Security review.
Why is this important to the Army? Information Assurance protects the capability of the LandWarNet to provide reliable communications for a global force and dramatically improves the decision-making concept of operations so that the Army has increased combat power, speed of command, greater lethality, and increased survivability of forces.