For years, one of the primary challenges for Information Assurance (IA) personnel in the Navy, as well as the rest of the Department of Defense, has been finding and determining which policies apply for building and maintaining their information systems. In building, operating and securing the DoD's Global Information Grid (GIG), a wide range of directives, instructions, manuals and other policies has been published. Unfortunately, the breadth and scope of these policies make locating the appropriate policy and obtaining the latest version of that policy difficult — until now.
To simplify the process for IA professionals, the Deputy Assistant Secretary of Defense (DASD) for Cyber, Identity and Information Assurance (CIIA) requested that the Defense-Wide Information Assurance Program (DIAP) develop a chart that pulls together all of the essential IA policies into a single document, known as the DoD IA Policy Chart, which is shown on the next two pages. The chart is designed around the following four goals as described in the CIIA Strategy.
- Organize for unity of purpose and speed of action (shortened to "Organize" in the chart);
- Enable secure mission-driven access to information and services (shortened to "Enable" in the chart);
- Anticipate and prevent successful attacks on data and networks (shortened to "Anticipate" in the chart); and
- Prepare for and operate through cyber degradation or attack (shortened to "Prepare" in the chart).
These four goal areas are divided into activities that support each goal. The lower half of the chart contains a legend that identifies the originator of each policy by a color-coding scheme. Boxes on the left side of the IA Policy Chart provide the legal authority for the policies, the federal/national level of IA policies, and the operational level documents that give details on securing the GIG and its assets. Embedded hyperlinks to all of the publicly accessible documents mean all of the policies are just a click away.
Most of the policies listed on the DoD IA Policy Chart are Defense Department policies, although some have federal government origins. The managers of the IA Policy Chart at the DIAP, and several other individuals involved in various aspects of IA policy in government, receive regular updates on all changes for DoD-level IA policies. The chart’s policies and links are regularly updated to ensure the chart's currency.
Users who want to ensure they keep up with these changes can take advantage of the chart's automatic alert feature. This allows a user to be alerted automatically whenever the chart changes. Additionally, red borders are used to highlight those policies that have changed most recently.
Reaction to the DoD IA Policy Chart has been quite favorable.
"The IA policy chart is a one-stop shop for high-level policy," said Andrew Shaw, IT policy lead in the Naval Surface Warfare Center, Corona Division, command information office. "It gives the average IA person a great tool to see how certain policy documents interact and support one another and makes it that much easier for our community to provide information assurance."
In addition, the links to the chart have been featured on many IT-related websites such as the Department of the Navy Chief Information Officer Policy and Guidance website: www.doncio.navy.mil/Policy.aspx.
For the chart's future development, planners at the DIAP are considering several ideas. One near-term approach would be to link to other related policy charts as they are being developed, particularly at the service level. For example, a graduate student at the Naval Postgraduate School is developing a proposal for a similar policy chart for the Navy's IA policies. Other Defense Department components have also made inquiries about developing their own charts, and some international partners have discussed the possibility of charting their own IA policies.
Some are also looking at creating software applications so that these policies can be accessed by iPhones, BlackBerrys and other smart mobile devices. The smaller screen size would require the information to be presented in a modified mobile version.
The chart and background information can be accessed at: http://iac.dtic.mil/iatac/ia_policychart.html.
The page has a feedback feature for your comments or suggestions, which are always welcome.
John Dittmer is a Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP) and Project Management Professional (PMP). He is an associate consultant for Booz Allen Hamilton and supports the Defense-Wide Information Assurance Program (DIAP). Dittmer is a retired Navy Reserve lieutenant commander who has worked on a variety of Navy and DoD IT projects.