...Government Accountability Office Report to Congressional Committees June 2015 INSIDER THREATS DOD Should Strengthen Management and Guidance to Protect Classified Information and Systems GAO-15-544 June 2015 INSIDER THREATS DOD Should Strengthen Management and Guidance to Protect Classified Information and Systems Highlights of GAO-15-544, a report to congressional committees. Why GAO Did This Study What GAO Found Since 2010, the United States has suffered grave damage to national security and an increased risk to the lives of U.S. personnel due to unauthorized disclosures of classified information by individuals with authorized access to defense information systems. Congress and the President have issued requirements for structural reforms and a new program to address insider threats. The Department of Defense (DOD) components GAO selected for review have begun implementing insider-threat programs that incorporate the six minimum standards called for in Executive Order 13587 to protect classified information and systems. For example, the components have begun to provide insider-threat awareness training to all personnel with security clearances. In addition, the components have incorporated some of the actions associated with a framework of key elements that GAO developed from a White House report, an executive order, DOD guidance and reports, national security systems guidance, and leading practices recommended by the National...
Words: 17616 - Pages: 71
...Department of Defense INSTRUCTION NUMBER 8500.01 March 14, 2014 DoD CIO SUBJECT: Cybersecurity References: See Enclosure 1 1. PURPOSE. This instruction: a. Reissues and renames DoD Directive (DoDD) 8500.01E (Reference (a)) as a DoD Instruction (DoDI) pursuant to the authority in DoDD 5144.02 (Reference (b)) to establish a DoD cybersecurity program to protect and defend DoD information and information technology (IT). b. Incorporates and cancels DoDI 8500.02 (Reference (c)), DoDD C-5200.19 (Reference (d)), DoDI 8552.01 (Reference (e)), Assistant Secretary of Defense for Networks and Information Integration (ASD(NII))/DoD Chief Information Officer (DoD CIO) Memorandums (References (f) through (k)), and Directive-type Memorandum (DTM) 08-060 (Reference (l)). c. Establishes the positions of DoD principal authorizing official (PAO) (formerly known as principal accrediting authority) and the DoD Senior Information Security Officer (SISO) (formerly known as the Senior Information Assurance Officer) and continues the DoD Information Security Risk Management Committee (DoD ISRMC) (formerly known as the Defense Information Systems Network (DISN)/Global Information Grid (GIG) Flag Panel). d. Adopts the term “cybersecurity” as it is defined in National Security Presidential Directive-54/Homeland Security Presidential Directive-23 (Reference (m)) to be used throughout DoD instead of the term “information assurance (IA).” 2. APPLICABILITY a. This instruction applies to: (1) OSD, the...
Words: 19443 - Pages: 78
...Treats…………………………………….33 Policy 13: Policies and Procedures for Electronic Protected Health Information (ePHI) and Personally Identifiable Information (PII)...34-35 Policy 14: Wireless LAN Security Policy……………………..36 IS Security Awareness Policy…………………………………..37-38 Conclusion……………………………………………………………………39 References……………………………………………………………………40 Overview: DSA Contractors has been awarded a contract with the Department of Defense. Our next task is to revamp the company's policy to ensure compliance with DOD policy. All employees have to be retrained on the new policy to ensure that DSA mitigates violations. An attitude and atmosphere of change will also be needed to ensure compliance with DOD standards. Training sessions are scheduled for all employees, and a policy handbook will be given to each employee as a reference at the end of training. The security officer and his staff, or human resources, can be contacted for further clarification on any policy. Purpose: There are many policies and laws to adhere to in order to become compliant under the contract with the Department of Defense. Basic safeguards are required for any...
Words: 9781 - Pages: 40
...The Department of Defense (DoD) manages one of the largest and most targeted networks, facing up to 250,000 attacks per day. (Daniel Gouré, 2015) As a member of this organization, I see the low level applications set forth by the strategic minds of the DoD Chief Information Officer and Secretary of Defense. As the organization that laid the foundation for the internet, the DoD has evolved over the years, reacting to the vulnerabilities and threats to its vast information systems. Past breaches have illustrated how vulnerable the networks are, and we can look at history to see the development of the defense networks and their security. The DoD made a large impact across the computer security field with its security handbook called the “Orange Book”. The official name of the Orange Book is “DoD 5200.28-STD, Department of Defense Trusted Computer System Evaluation Criteria”, which was first written in 1983 and further updated in 1985. (Department of Defense, 1985) It is the computer system criteria book within a series of security related guides and directives called the “Rainbow Series,” the numerous standards and guidelines published by the Department of Defense. The document laid the foundation for communication between developers and customers. The model was based on systems meeting six security requirements: security policy, marking of objects, identification of subjects, accountability, assurance, and continuous protection. After evaluation, the system is placed...
Words: 2282 - Pages: 10
...detailed information of the project's purpose and what it actually accomplished. All commands within the Department of Defense (DoD) are directed to implement the Host-Based Security System (HBSS). This is a multifaceted software security application used within the DoD to protect vital network resources from exploitation. Protecting vital data on information systems by ensuring the information's availability, integrity, authentication, confidentiality and non-repudiation is called Information Assurance (IA). The process used within the DoD to certify that information systems meet documented IA requirements is known as the DIACAP process. The DIACAP process was established in order to comply with the Federal Information Security Management Act of 2002 (FISMA). The DIACAP directly supports and identifies the IA security tool HBSS, and fully implements those practices as prescribed in DoD I 8500.1M. All organizations within the DoD are mandated to comply with DoD I 8500.1M and Fragmentary Order (FRAGO) 13 to remain connected to the DoD's GRID. This project encompasses all applicable DIACAP processes necessary to obtain the accreditations for the Centrixs-M software application. This project outlines the process used to develop a complete set of HBSS policies for the Centrixs-M software application. The development phase of this project includes the site configuration within the ePO system tree, deployment of the McAfee agents, and the configuration of secure site as...
Words: 527 - Pages: 3
...Emerging Cybersecurity Policies in the Federal Government Information Assurance Officer and Risk Management Analyst Department of Defense. CSEC 655 UMUC Individual Assignment 1 September 16, 2014 Table of Contents Emerging Cybersecurity Policies in the Federal Government 3 Emerging Policies and Practices 4 Defense in Depth (DID) 5 Security Risk Frameworks 6 Test Driven Development 8 Business Service Frameworks 9 Acceptance and Preparation for Failure 11 The Federal Government and these Emerging Policies and Practices 13 The Feds and Defense in Depth 14 The Feds and Security Risk Frameworks 14 The Feds and Test Driven Development 16 The Feds and Business Service Frameworks 17 The Feds and Acceptance and Preparation for Failure 19 How could the Feds continue to improve 20 References 22 Emerging Cybersecurity Policies in the Federal Government One of the largest and most important enterprises there is to protect in the cyber security realm is the set of networks that make up the federal government. This massive undertaking to secure the systems, networks, and data of the various governmental agencies is a never ending uphill battle. The requirements of the federal government enterprise to be globally far reaching, as well...
Words: 6354 - Pages: 26
...OVERVIEW UNITED STATES DEPARTMENT OF DEFENSE FISCAL YEAR 2014 BUDGET REQUEST APRIL 2013 OFFICE OF THE UNDER SECRETARY OF DEFENSE (COMPTROLLER) / CHIEF FINANCIAL OFFICER Preface The Overview Book has been published as part of the President’s Annual Defense Budget for the past few years. This continues for FY 2014, but with modifications as proposed by congressional staff. From FY 1969 to FY 2005 OSD published the “Annual Defense Report” (ADR) to meet 10 USC Section 113 requirements. Starting with the President’s FY 2006 Budget, this report was no longer produced. Subsequently, the Overview began to fill this role. This year to ensure compliance with Section 113, new chapters are added to include reports from each Military Department on their respective funding, military mission accomplishments, core functions, and force structure. Key initiatives incorporated in the FY 2014 Defense budget. Our budget is formulated based on aligning program priorities and resources based on the President’s strategic guidance. This year’s budget involves key themes to: achieve a deeper program alignment of our future force structure with resource availability; maintain a mission ready force; continue to emphasize efficiencies by being even better stewards of taxpayer dollars; and continue to take care of our people and their families. Implementing Defense Strategic Guidance. The FY 2014 budget request continues the force structure reductions made in the FY 2013 budget request. Following...
Words: 74297 - Pages: 298
...Introduction The Department of Defense (DOD) has several departments within the agency that companies will need to work with in order to carry out the terms of their contracts. When considering technology specifically, the DOD has the following departments ready to assist companies: Information Assurance Support Environment, Defense Information Systems Agency, Defense Technology Security Administration, Defense Cyber Crime Center, Defense Technical Information Center, and possibly others that were not immediately obvious (U.S. Department of Defense, 2015). The Information Assurance Support Environment produces Security Technical Implementation Guides (STIGs) for various computer topics, which can be used by companies that wish to do business with the DOD. These guides serve as a baseline for the company with regard to the technology specifications it should have in place in order to lock down its systems and network and make them less vulnerable to malicious attacks (Defense Information Systems Agency, 2015). Among these STIGs is one written specifically for the Windows 8 / 8.1 operating system (Information Assurance Support Environment, 2015). This STIG outlines some of the changes made by Microsoft in Windows 8 / 8.1 as well as recommendations for securing computers that use that operating system. Tools Windows 8 / 8.1 comes with many built-in tools that an administrator can use to perform a security audit. A keyboard shortcut of pressing...
Words: 855 - Pages: 4
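The Windows 8 / 8.1 excerpt above mentions built-in tools an administrator can use for a security audit but does not show one. The following is an added example, not code from that paper or from DISA: a small PowerShell baseline check that compares a handful of local registry settings against expected hardened values using only cmdlets and auditpol.exe that ship with Windows 8 / 8.1. The registry paths, value names and expected values are assumed illustrative hardening checks commonly found in Windows hardening guidance, not specific STIG rule IDs; the current DISA STIG remains the authoritative list.

```powershell
# Added example (not from the paper above or from DISA). Compares a few
# local Windows 8 / 8.1 settings against expected hardened values using only
# built-in cmdlets and auditpol.exe. The registry paths, value names and
# expected values are assumed illustrative hardening checks, not specific
# STIG rule IDs; consult the current DISA STIG for the authoritative list.

function Test-RegistryBaseline {
    param(
        [Parameter(Mandatory = $true)]
        [hashtable[]] $Checks
    )
    foreach ($check in $Checks) {
        $actual = $null
        if (Test-Path -Path $check.Path) {
            $item = Get-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $actual = $item.($check.Name) }
        }
        # An absent value is reported as FAIL so the reviewer has to confirm
        # the platform default rather than assuming it is the secure one.
        $status = if ($null -ne $actual -and $actual -eq $check.Expected) { 'PASS' } else { 'FAIL' }
        [pscustomobject]@{
            Setting  = "$($check.Path)\$($check.Name)"
            Expected = $check.Expected
            Actual   = $actual
            Status   = $status
        }
    }
}

# Assumed illustrative checks (run from an elevated PowerShell session).
$checks = @(
    # User Account Control must stay enabled
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA'; Expected = 1 }
    # Accounts with blank passwords must not be usable over the network
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'LimitBlankPasswordUse'; Expected = 1 }
    # LAN Manager password hashes must not be stored
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'NoLMHash'; Expected = 1 }
    # Windows Installer must not run packages with elevated privileges for all users
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'; Name = 'AlwaysInstallElevated'; Expected = 0 }
)

Test-RegistryBaseline -Checks $checks | Format-Table -AutoSize

# Audit policy is not a registry value; review it with the built-in tool.
auditpol.exe /get /category:*
```

The check list is data, so extending it to the full set of registry-backed STIG findings is a matter of adding entries; settings that live outside the registry (audit policy, user rights assignments, local account state) need their own tools, which is why the script ends by calling auditpol.exe rather than guessing at a registry location for it.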
...points to DoDD 8500.2, making it clear where to start identifying the IA capabilities that should be included and assessed for a particular C&A effort. c. One of the biggest complaints about DITSCAP was that it required too much documentation and took too long to perform. d. DIACAP identifies four spreadsheets that summarize important C&A information. e. A second complaint about DITSCAP was that it only accommodated individual systems. f. DIACAP addresses the need to expand C&A to account for components outside of a site’s control. 2. What is DCID 6/3, and why would you use DCID 6/3 as opposed to DIACAP for Certification and Accreditation of a system? g. It is the policy for “Protecting Sensitive Compartmented Information Within Information Systems”. This directive establishes the security policy and procedures for storing, processing, and communicating classified intelligence information in information systems (ISs). For purposes of this Directive, intelligence information refers to Sensitive Compartmented Information and special access programs for intelligence under the purview of the DCI. An information system is any telecommunications and/or computer related equipment or interconnected system or subsystems of equipment that is used in the acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of voice and/or data (digital or analog); it includes software, firmware, and hardware. h. DCID...
Words: 1031 - Pages: 5
...Department of Defense INSTRUCTION NUMBER 8510.01 November 28, 2007 ASD(NII)/DoD CIO SUBJECT: References: DoD Information Assurance Certification and Accreditation Process (DIACAP) (a) Subchapter III of Chapter 35 of title 44, United States Code, “Federal Information Security Management Act (FISMA) of 2002” (b) DoD Directive 8500.01E, “Information Assurance (IA),” October 24, 2002 (c) DoD Directive 8100.1, “Global Information Grid (GIG) Overarching Policy,” September 19, 2002 (d) DoD Instruction 8500.2, “Information Assurance (IA) Implementation,” February 6, 2003 (e) through (ab), see Enclosure 1 1. PURPOSE This Instruction: 1.1. Implements References (a), (b), (c), and (d) by establishing the DIACAP for authorizing the operation of DoD Information Systems (ISs). 1.2. Cancels DoD Instruction (DoDI) 5200.40; DoD 8510.1-M; and ASD(NII)/DoD CIO memorandum, “Interim Department of Defense (DoD) Information Assurance (IA) Certification and Accreditation (C&A) Process Guidance” (References (e), (f), and (g)). 1.3. Establishes or continues the following positions, panels, and working groups to implement the DIACAP: the Senior Information Assurance Officer (SIAO), the Principal Accrediting Authority (PAA), the Defense Information Systems Network (DISN)/Global Information Grid (GIG) Flag Panel, the IA Senior Leadership (IASL), the Defense (previously DISN) IA Security Accreditation Working Group (DSAWG), and the DIACAP Technical Advisory Group (TAG). 1.4. Establishes a C&A process...
Words: 16882 - Pages: 68
...Introduction of the purpose and importance of risk management Risk management planning is a critical and often overlooked process on every project. Allowing for the proper amount of risk planning in your project schedule can mean the difference between project success and project failure when those potential risks become real issues. The plan is only the output of the process. It details how the process will be implemented, monitored, and controlled through the life of this project. It details how the group will manage risks but doesn't attempt to define the responses to individual risks. Risks come about for many reasons: some are internal to the project, and some are external, such as (but not limited to) the project environment, the management process, the planning process, inadequate resources, and other unforeseen circumstances that can contribute to risk. Risks associated with the project generally concern the objectives, which in turn impact time, cost, or quality, or a combination of those three. Risk management provides assurance that an organization can create and implement an effective plan to prevent losses or reduce the impact if a loss occurs. A good plan includes strategies and techniques for recognizing and confronting threats, solutions for both preventing and resolving the situation, and an indication of financial opportunities. An effective risk management practice does not eliminate risks. However, an effective and operational risk management practice demonstrates...
Words: 3711 - Pages: 15
...social interaction, economic stability, job security and information dominance. Information Dominance is “the degree of information superiority that allows the possessor to use information systems and capabilities to achieve an operational advantage in a conflict or to control the situation in operations other than war while denying those capabilities to the adversary” (US Cyber Command, 2012). Corporations as well as many of the world's governments have risen and fallen due to their degree of Information Dominance and Information Security. Cyber-attacks have increased exponentially within the last 10 years. Battlefield lines that were once drawn in the sand no longer exist. Cyber-attacks can occur from any location in the world and at any time. A cyber-terrorist has the ability to use current communication infrastructure to launch an attack that could cripple a nation. In 2012, Defense Secretary Leon Panetta spoke at the Business Executives for National Security (BENS) summit. “An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches,” he said. “They could for example derail passenger trains, or even more dangerous, trains loaded with lethal chemicals,” he said. “They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country. The most...
Words: 3217 - Pages: 13
...Running Head: Military SCM & JIT Military Supply Chain Management and Just-In-Time Lionel O. Wright Integrated Logistics Management – LGMT682 February 15, 2011 Professor Joseph Garmon TABLE OF CONTENTS Abstract ……………………………………………………………………………………. 3 Introduction …………………………………………………………………………………4 Traditional Military Supply Chains …………………………………………………………4 Military Supply Chains and the New Environment …………………………………………6 Why Move Towards Lean (JIT) Initiatives? ……………………………………………….16 What is JIT Management? ………………………………………………………………….20 Military Supply Chains since JIT ….………………………………………………………..23 Adopting an Integrated Approach …………………………………………………………..26 Conclusion…………………………………………………………………………………...31 References…………………………………………………………………………………...34 ABSTRACT According to Van Creveld, “Strategy, like politics, is said to be the art of the possible; but surely what is possible is determined not merely by numerical strengths, doctrine, intelligence, arms and tactics, but, in the first place, by the hardest facts of all: those concerning requirements, supplies available and expected, organization and administration, transportation and arteries of communication…before a commander can even start thinking of maneuvering or giving battle, of marching this way and that, of penetrating, enveloping, encircling, of annihilating or wearing down, in short of putting into practice...
Words: 8424 - Pages: 34
...Addendum Acceptable Use Policy Fort Bliss Campus Area Network and Department of Defense Non-classified Internet Protocol Network Purpose. This is an addendum to the Fort Bliss Campus Area Network (FBCAN) and Department of Defense (DoD) Non-classified Internet Protocol Network (NIPRNET) Acceptable Use Policy. Nothing in this addendum invalidates the FBCAN AUP that I previously signed. Understanding of User Access Responsibility. Use of any government provided wireless service is for official use and authorized purposes as set forth in DoD 5500.7-R, Joint Ethics Regulation, or as further limited by this policy. Minimum Security Requirements. The following minimum security requirements apply to the use of wireless devices and services. I will be held responsible for damage caused to a Government system or data through negligence or a willful act. I understand that all charges incurred in excess of the normal monthly service charge will be the responsibility of the user. Charges will be incurred for the following misuses of the device: exceeding allocated minutes per month; use of text messaging; downloading of any services, ring tones, games, etc.; and neglect or abusive damage to the device or accessory. I am not authorized and will not use Bluetooth technology (to include voice transmission) with Blackberry devices except for the authorized CAC sled found on the Army-approved list. I will ensure the Blackberry handheld device is cradled or synchronized at least once every 30 days...
Words: 984 - Pages: 4