6
Organizational Considerations

In previous chapters the committee described the challenge that cyberthreats present to the Department of the Navy’s (DON’s) use of network-centric operations and its dependence on commercial off-the-shelf (COTS) information technology (IT). Potential operational and technical responses that the DON might take to maintain information assurance (IA) in the face of this challenge and how it might orchestrate those responses through a risk-based management approach were also discussed.

This chapter examines potential organizational responses. It will be seen that there are many organizations, inside and outside the DON, that impact IA with respect both to the operations of naval networks and to the acquisition of naval network-based capabilities. Given this organizational complexity as well as the operational and technical complexity inherent in addressing the growing IA risks, it is recommended that the DON consider organizational realignments to better focus on the IA issues related to naval information systems and networks.

JOINT SERVICE NATURE OF INFORMATION ASSURANCE

The issues of information assurance and, more broadly, mission assurance from an information perspective for the Navy and Marine Corps are not solely Navy and Marine Corps issues. For parts of their information network infrastructure, the Navy and Marine Corps are highly dependent on joint capabilities and sometimes on systems provided by the other Services. Thus, in general, the Navy and Marine Corps will achieve mission assurance only through joint participation. Likewise, joint capabilities systems of systems are dependent on the Navy and





Marine Corps for building and operating their elements of the joint construct in ways that support the policies of the whole.

Key Trends in Cross-Service Integration

A key trend in the U.S. military is joint network-centric operations. The long-term vision is to decouple the various operational functions (e.g., sensing, targeting, weapons delivery, transport, and logistics) from individual Service platforms. A Navy ship should be able to launch a weapon on a target located by national means, provide target designation for a weapon launched by the Air Force, and draw on any Service’s (or commercial) logistics stores and systems. While full network-centric capabilities are still years away, some capabilities are current and are being continually improved.

The key enabler for joint network-centric operations is information sharing. The U.S. satellite communications architecture already provides services to all Services over the same satellite links, and the Defense Information Systems Agency (DISA) provides a global communications backbone to all of the Services.

Another element of cross-Service convergence is technical—namely, the increasing integration of different information service types onto fewer technical platforms. This integration is a two-edged sword. On the one hand, it leads to superior information sharing, greater efficiency, lowered costs for a given level of service, and fewer types of technical platforms to defend. On the other hand, extensive system integration could permit the possibility of losses of large-scale capabilities from single attacks. Some particular examples include the following:

• Extensive use of commercially hosted fiber-optic and wideband satellite communications—which has provided global broadband communications at low cost, but is significantly vulnerable to disruption and jamming;
• Network layer convergence to everything-over-Internet Protocol (IP) and the ongoing phaseout of switched network infrastructure—which greatly enhances network manageability and allows use of the rapidly innovating commercial IP services. However, it also opens military networks to the vulnerabilities of IP and single points of failure;[1] and
• The convergence of unclassified and classified networks onto shared IP bandwidth enabled by cryptographic separation—which facilitates large upgrades in bandwidth, especially for classified services; reduces the costs of providing network services by eliminating many legacy systems; and improves network manageability. However, it opens classified networks to denial-of-service attacks hosted on unclassified networks and provides an opportunity (albeit a slim one) for a compromise of the separation mechanism.

[1] As pointed out in the classic paper of Bellovin, the vulnerabilities of IP are intrinsic in the protocols and are not simply due to implementation issues. See Steven M. Bellovin, 1989, “Security Problems in the TCP/IP Protocol Suite,” ACM SIGCOMM Computer Communication Review, Vol. 19, No. 3, pp. 10-19, July. See also Steven Bellovin, 2004, “A Look Back at ‘Security Problems in the TCP/IP Protocol Suite,’” presented at the 20th Annual Computer Security Applications Conference, December. Available at . Accessed May 1, 2009.

Joint Support to Navy and Marine Corps Systems

The examples above illustrate the dependence of the Navy and Marine Corps on joint systems. Without communications systems shared with the other Services (and in some cases with commercial industry and foreign partners), the capabilities of the Navy and Marine Corps would be reduced. Understanding how much they could be reduced is itself an important element of risk management and mission assurance that was highlighted earlier in this report.

The Department of Defense (DOD), as a whole, must act to ensure that plans assigned to each command are adequately supported by department-wide decisions. The Navy needs to be proactive in ensuring that plan elements assigned to the combatant Navy and Marine Corps are effectively supported in capability acquisitions. The committee finds that there are several areas where these issues are particularly evident, and there is evidence that strategies and decisions are not consistent across the whole stakeholder set.

For scenarios in which cyberattack is likely but extensive jamming and kinetic attacks are not, the most operationally effective and cost-effective approach to communications acquisition is to buy commercial fiber-optic and satellite capacity. For scenarios in which the full spectrum of threat attacks is likely, the most effective course is to acquire protected communication capabilities. The current mixed strategy being pursued by the DOD is to acquire some of each of these capabilities.

The DON must recognize the complexities inherent in pursuing the current mixed strategy. Applications that work well when high-bandwidth communications are available may not work well (or at all) in a reduced-bandwidth environment. An application and concept of operations (CONOPS) set that is designed to work well in a low-bandwidth environment must be extensively tested and exercised within that low-bandwidth environment. The operational reality might require neither the unattacked high-bandwidth services nor the secure core of low-bandwidth services, but rather a dynamically changing intermediate state. It may be that neither of the configurations that works well at either end of the service levels will work well in a dynamically changing middle ground. Moreover, the dynamically changing case is likely to be the most difficult to simulate and test.

The spectrum of potential threat environments from low to high poses a basic strategic challenge to deployed Navy and Marine Corps forces. The DON should study, in conjunction with the intelligence and research communities, whether alternative approaches to communications and application development could yield capabilities that are robustly functional across the spectrum of threat levels. This may require a partial reversal of the march toward all-COTS products, but might yield an operational system that is more robust, secure, and maintainable than the current approach of multiple fallback modes.

The DON must also strongly advocate within the joint community for the development of the capabilities that are uniquely important to Navy and Marine Corps forces. The Navy, in particular, has a dependence on mobile satellite communications that is deeper than that of the other Services. It is particularly important to the Navy that secure and protected communications capacity suitable for Navy platforms be deployed adequately for the Navy to realize the benefits of network-centric operations.

DON Support to Joint Systems

Due to the interdependence among DOD and DON systems, each Service has responsibility for keeping its own equipment and technology up to date and operational. The Joint Task Force–Global Network Operations (JTF–GNO) monitors the joint enterprise, but depends on the Services to maintain their connected systems adequately. With regard to low-sophistication cyberattacks, the updating process is central. For high-sophistication attacks, continuous patching and upgrades may yield little additional assurance. For the high-sophistication case, the DON needs an entirely different class of monitoring techniques and a science and technology (S&T)-based estimation approach, such as described in Chapter 5, to develop threat models and mitigations.

The Navy and Marine Corps are dependent on joint capabilities, but so too are those joint networks and applications dependent on the Navy and Marine Corps. If the participants in the joint network fail in their individual responsibilities, they may impact the network as a whole and the other participants.
In consequence, the Navy and Marine Corps, as organizations, must consider the broader impact of their own policies and acquisitions on the health of the joint capabilities as a whole.

DOD AND DON RESPONSIBILITIES FOR INFORMATION ASSURANCE

DOD Information Assurance Responsibilities

Providing IA in the context of joint network-centric operations is the responsibility of a number of DOD organizations including the DON. The IA responsibilities of the DOD and the DON are defined in public law and in various DOD and DON instructions, directives, and memoranda. The DOD is required to have a defense IA program under Section 2224, “Defense Information Assurance Program,” of Title 10, United States Code. Under the provisions of the Clinger-Cohen Act of 1996,[2] the DOD is required to have a chief information officer (CIO) reporting directly to the Secretary of Defense. In DOD Directive 5144.1,[3] the Secretary has designated the Assistant Secretary of Defense for Networks and Information Integration (ASD[NII]) as the DOD CIO. DOD Directive 8500.1[4] establishes DOD IA policy and assigns organizational responsibilities. DOD Instruction 8500.2[5] provides guidance and describes procedures for implementing DOD Directive 8500.1. DOD Instruction 8580.1[6] describes how IA is integrated into the defense acquisition system.

The ASD(NII)/DOD CIO develops and promulgates IA policies, oversees appropriations for and manages the Defense Information Assurance Program (DIAP), and works with the Under Secretary of Defense for Acquisition, Technology and Logistics (USD[AT&L]) to ensure that the DOD acquisition process incorporates IA considerations consistent with the Clinger-Cohen Act requirements. The Deputy Assistant Secretary of Defense for Information and Identity Assurance (DASD[IIA]) reports to the ASD(NII) and is responsible for the DIAP and the Global Information Grid (GIG) IA portfolio, among other responsibilities. The Director of DISA assists the ASD(NII) in executing his or her responsibilities—including, in particular, the development of a single IA approach for protection of the Defense Information Systems Network (DISN).

The USD(AT&L) is tasked to ensure that IA is considered in all acquisition milestone decisions, program decision reviews, and contract awards. With the assistance and advice of the Director, Defense Research and Engineering (DDRE), the USD(AT&L) monitors and oversees IA research and technology investments, including those of the National Security Agency (NSA) and the Defense Advanced Research Projects Agency (DARPA).

The Chairman, Joint Chiefs of Staff (CJCS), provides advice and assessment of military IA capability needs and develops, coordinates, and promulgates IA policies, doctrines, and procedures for joint and combined operations. The Commander, U.S. Strategic Command (USSTRATCOM), coordinates and directs DOD-wide computer network defense (CND) operations.

[2] National Defense Authorization Act for FY 1996, Public Law 104-106, formerly called the “Information Technology Management Reform Act,” February 10, 1996.
[3] Department of Defense. 2005. Department of Defense Directive No. 5144.1, Washington, D.C., May 2. Available at . Accessed May 1, 2009.
[4] Department of Defense. 2002. Department of Defense Directive No. 8500.1, Washington, D.C., October 24. Available at . Accessed May 1, 2009.
[5] Department of Defense. 2003. Department of Defense Directive No. 8500.2, Washington, D.C., February 6. Available at . Accessed May 1, 2009.
[6] Department of Defense. 2004. Department of Defense Directive No. 8580.1, Washington, D.C., July 9. Available at . Accessed May 1, 2009.

The Director, NSA (DIRNSA), provides IA support to the DOD components, including the providing of IA and Information System Security Engineering (ISSE) services; manages the development of the IA Technical Framework (IATF); and establishes criteria and processes for evaluating and validating all IA and IA-enabled IT products used in DOD information systems. With the Director, Defense Intelligence Agency (DIA), the DIRNSA provides an IA intelligence capability. The DIRNSA is also the agent for the GIG Information Assurance Portfolio (GIAP); the GIAP management office is located at NSA and staffed with NSA and DISA personnel.

The heads of the DOD components are responsible for developing and implementing an IA program focused on DOD component-specific information and systems.

DON Information Assurance Responsibilities

Responsibilities for the IA program of the DON are defined in Secretary of the Navy Instruction 5239.3A.[7]

The DON CIO is responsible for carrying out for the Secretary of the Navy (SECNAV) the IA responsibilities assigned to the Navy by public law and by DOD directives and instructions. In particular, the DON CIO issues IA policies, integrates IA requirements with DON planning and into the DON major system acquisition management process, and serves as the focal point for IA coordination with other elements of the DOD. The DON CIO is assisted by a senior IA official (SIAO), as required by the Federal Information Security Management Act of 2002 (Public Law 107-347), and by the DON Deputy CIO (Navy) and DON Deputy CIO (Marine Corps). The Deputy CIO (Navy) is the Deputy Chief of Naval Operations for Communication Networks (OPNAV N6) and the Deputy CIO (Marine Corps) is the Director, Command, Control, Communications, and Computers.

The Assistant Secretary of the Navy for Research, Development and Acquisition (ASN[RDA]) integrates IA requirements into acquisition management of all DON IT systems and maintains an S&T program in information assurance.

The Chief of Naval Operations (CNO) develops and implements IA programs and procedures for information systems supporting Navy operations and assets, serves as the resource sponsor for Navy IA, appoints designated approving authorities (DAAs) for information systems under Navy authority, and develops Navy IA education, training, and awareness programs.

In Office of the Chief of Naval Operations Instruction 5239.1C,[8] the CNO assigned responsibility to OPNAV N6 for the Navy IA program, in coordination with the ASN(RDA) and the Deputy Assistant Secretary of the Navy for Command, Control, Communications, Computers and Intelligence/Electronic Warfare/Space (DASN[C4I/EW/Space]). OPNAV N6 sponsors, authorizes, and budgets for IA requirements and is instructed to “adopt an Information Technology (IT) life-cycle risk management program. . . .” The Commander, Naval Network Warfare Command (NETWARCOM), gathers and prioritizes Navy IA operational requirements from all echelon II commands. The Program Executive Office for Command, Control, Communications, Computers and Intelligence (PEO C4I) serves as the IA acquisition program manager and overall systems security engineering lead. The Director, Office of Naval Intelligence (ONI), assists OPNAV N6 and PEO C4I in the risk management process by gathering relevant threat information to assist in defining system security requirements.

The CNO has appointed the Commander, NETWARCOM, as the Navy operational DAA (ODAA) for all operating Navy collateral/General Services (GENSER) information systems, networks, and telecommunications systems and has assigned the Navy echelon II commanders as the developmental DAAs.[9] He has appointed the Commander, Space and Naval Warfare Systems Command (SPAWAR), as the Navy certification authority for collateral/GENSER classified and unclassified, information, telecommunications, and network systems. Other important responsibilities of the Commander, NETWARCOM, as defined in Office of the Chief of Naval Operations Instruction 5239.1C include computer network vulnerability testing and providing training to fleet units. As discussed below, NETWARCOM also has an operational role in conducting and directing CND.

The Commandant of the Marine Corps (CMC) has IA responsibilities parallel to those of the CNO.

The process by which naval IA policies are translated into system capabilities is illustrated in Figure 6.1. A DON program manager receives IA policy guidance from a number of sources, including the FORCEnet Enterprise Architecture, the DOD IT Standards Registry (DISR), and the GIG IA Technical Framework (GIATF). As indicated above, a number of DOD and Navy organizations are involved in setting these policies.

[FIGURE 6.1 Process for information assurance (IA) policies translation into the Department of the Navy system capabilities. Policy inputs shown: FORCEnet Enterprise Architecture, DOD IT Standards Registry, GIG IA Technical Framework. Program activities shown: Program Information System Security Engineering, Program Milestone Reviews, Program Certification and Accreditation. NOTE: Acronyms are defined in Appendix A.]

Each program’s ISSE activity is responsible for discovering users’ information protection needs and then designing and making information systems to safely resist the threats to which the program may be subjected. According to DOD Instruction 8580.1, for any acquisitions of Automated Information Systems (AIS), outsourced IT-based processes, and platforms or weapon systems with IT interconnections to the GIG, the program manager needs to appoint an IA manager. The IA manager determines the system mission assurance category (MAC) and confidentiality level, identifies and implements appropriate system baseline IA controls, and plans and executes the certification and accreditation (C&A) process. For acquisitions that are designated as “mission-critical” or “mission-essential” systems, the IA manager must also prepare and submit an acquisition IA strategy.[10]

Acquisition IA strategies for all acquisition category (ACAT) IAM, ACAT IAC, and ACAT ID programs[11] must be approved by the DOD component CIO and submitted to the DOD CIO for review prior to all acquisition milestone decisions, program decision reviews, and acquisition contract awards. The heads of the DOD components are delegated the authority to conduct reviews of acquisition IA strategies on behalf of the DOD CIO for all other acquisitions, and may delegate authority to approve acquisition IA strategies.

[7] Secretary of the Navy. 2004. SECNAV Instruction 5239.3A re: Department of the Navy Information Assurance Policy, Department of the Navy, Washington, D.C., December 20. Available at . Accessed May 1, 2009.
[8] Chief of Naval Operations. 2008. OPNAV Instruction 5239.1C., Department of the Navy, Washington, D.C., August 20. Available at . Accessed May 1, 2009.
[9] OPNAV 89 was appointed as the DAA for special access programs, and the Director, ONI, as the Navy liaison to the NSA DAA for all sensitive compartmented information (SCI) program systems.
[10] DOD Instruction 8580.1 provides definitions and guidance for “mission essential” and “mission critical” designations for IT systems. Such designations must be made by a Component Head, a Combatant Commander, or their designee. Available at . Accessed February 11, 2009.
[11] Acquisition Category (ACAT) I programs are major defense acquisition programs. For ACAT ID programs, the USD(AT&L) is the Milestone Decision Authority (the “D” in “ID” refers to the Defense Acquisition Board). For ACAT IAC programs, the head of the DOD component is the Milestone Decision Authority (the “C” in “IAC” refers to the Component CIO). For ACAT IAM programs, the ASD(NII)/DOD CIO is the Milestone Decision Authority (the “M” in “IAM” refers to the Major Automated Information Systems Review Council).

The PEO C4I and the Navy PEO for Enterprise Information Systems (EIS) under the ASN(RDA) manage most programs involving IT. However, PEO Ships (e.g., DDG-1000, LPD 17 [landing platform dock]) and PEO Aircraft Carriers (e.g., CVN-76 [nuclear-powered aircraft carrier]), and the Marine Corps Systems Command manage several programs in which computing and networking infrastructure are being procured along with ships. The program management offices for the PEO C4I and the PEO EIS are staffed largely with personnel drawn from SPAWAR.

According to Secretary of the Navy Instruction 5400.15C, the commanders of Naval Air Systems Command (NAVAIR), Naval Sea Systems Command (NAVSEA), SPAWAR, and Marine Corps Systems Command (MARCORSYSCOM) exercise technical authority (TA)[12] and certification authority for weapons and IT systems. In particular, program managers must obtain certification from SPAWAR or MARCORSYSCOM that a weapon and/or information system being developed has satisfied information assurance requirements. As mentioned above, operational system accreditation resides with the Commander, NETWARCOM, as the ODAA.

From an operational perspective, at the DOD level, USSTRATCOM has been assigned responsibility for coordinating and directing CND. The JTF–GNO is the USSTRATCOM element that implements this responsibility. The DISA commander is dual-hatted as the JTF–GNO commander. Navy CND is the responsibility of the NETWARCOM and of its subordinate element, the Navy Cyber Defense Operations Command (NCDOC), which is the Navy CND service provider. The Marine Corps network defense falls to the Marine Corps Network Operations and Security Center (MCNOSC).

From the above descriptions, it is apparent that numerous DOD and DON organizations are involved in IA. These organizations are endeavoring to work collaboratively, and have developed various forums such as the Naval NETWAR FORCEnet Enterprise (NNFE)[13] and the Cyber Asset Reduction and Security (CARS) Task Force to facilitate this collaboration. Nevertheless, the committee is concerned that there is too great an opportunity for debilitating delays in responding to IA problems and for critical errors in responding to IA problems—both due to seams in the process of developing IA policy, developing requirements for IA, funding the acquisition of IA capabilities, developing and acquiring systems requiring IA, and operating these systems. The next section addresses more centralized organizational options for the Navy to consider in order to avoid these seams. (See Table 6.1 for a summary of current Department of the Navy information assurance responsibilities.)

[12] Technical authority is the authority, responsibility, and accountability to establish, monitor, and approve technical standards, tools, and processes in conformance with applicable DOD and DON policy, requirements, architectures, and standards.
[13] The NNFE focuses on command, control, communications, computers, combat systems, and intelligence (C5I) systems and appropriate business IT solutions. It is chaired by the Commander, NETWARCOM, acting as the chief executive officer; the Commander, SPAWAR, acts as the chief operations officer, and OPNAV N6 acts as the chief financial officer.

TABLE 6.1 Current Naval Information Assurance (IA) Responsibilities

Functional Area: Operational requirements
• OPNAV N6: Assure overall IA program execution in coordination with ASN(RDA) and DASN C4I; sponsor, authorize, and budget for IA requirements.
• NETWARCOM: Serve as Navy Computer Network Defense (CND) Service Provider and coordinate defense of Navy computer networks as directed by JTF–GNO; provide CND training to fleet units as requested by fleet commanders; prioritize Navy IA operational requirements via input from Echelon II commands.
• OPNAV N89: Computer Network Defense Service Provider for special access systems.
• MCCDC/HQMC: Identify USMC IA requirements and capabilities.
• JTF–GNO: Direct and coordinate the defense of all DOD computer networks.
• DISA: Establish connection requirements and approval for the Defense Information Systems Network.
• ONI: Provide threat input and IA risk management assistance to OPNAV N6 and PEO C4I.

Functional Area: Policy
• DON CIO/DASN C4I: Provide overall DON IA policy guidance and focal point for IA; coordination with other elements of the DOD.
• OPNAV N6/HQMC: Approve and issue IA policy, systems management, and metrics documents for Navy and USMC.
• NETWARCOM: Provide guidance for implementation of Navy C&A policy; write safeguarding and accounting policies for DON COMSEC materials.

Functional Area: Manpower and training
• OPNAV N6: Oversee Navy IA training requirements and provide requirements to the Personnel and Training and Standing Team (PTST).
• OPNAV N1: Develop Navy schoolhouse IA training and education; ensure that IA training is incorporated into pertinent Navy training and appropriate formal schools.
• NETWARCOM: Manage the DON communication security training program.
• PTST: Identify Navy IA billet and establish IA training requirements for military and civilian personnel.
• HQMC/MCCDC: Develop USMC IA training, manpower, and education requirements.

Functional Area: Acquisition
• ASN(RDA): Oversee acquisition of all DON IA capabilities and ensure compliance.
• OPNAV N6: Draft and maintain Navy’s IA acquisition master plan; coordinate fleet requirements for acquisition of communications security.
• PEO C4I: Manage the Navy’s IA acquisition programs and projects, including R&D and full life-cycle support.
• PEOs: Oversee program acquisition execution in area of jurisdiction.
• SYSCOMs: Oversee program acquisition execution in area of jurisdiction.
• MARCORSYSCOM: Procure USMC IA programs.
• DISA: Direct the procurement of DOD-wide IA products and licenses.

Functional Area: Certification and accreditation
• SPAWAR: Serve as Navy’s certification authority for information and network systems.
• NETWARCOM: Serve as Navy’s accreditation authority for information and network systems.
• PEOs: Apply IA architectures and IA requirements in program execution.
• SYSCOMs: Integrate IA requirements in design of information systems.
• MARCORSYSCOM: Serve as USMC certification and accreditation authority for systems.
• HQMC: Serve as USMC certification and accreditation authority for networks.

NOTE: Acronyms are defined in Appendix A.
SOURCE: Derived from Office of the Chief of Naval Operations Instruction 5239.1C, Department of Defense Instruction 8500.2, and Department of Defense Instruction 8580.1.

INTEGRATED POLICY DEVELOPMENT AND ORGANIZATIONAL SUPPORT

The previous chapters of this report offer the background and context in which information assurance should be viewed by the DON for today’s and tomorrow’s warfighting environment. The subsections in this final major section of Chapter 6 illuminate IA policies and processes as currently addressed and implemented, and identify weaknesses in achieving the necessary IA posture and

OCR for page 110
128 SECNAV CMC CNO ASN(RDA) Naval Networks DASN C4I DON CIO NAVY/USMC NAVY/USMC HQMC/ Fleet Commanders OPNAV MARFORS SYSCOMs PEOs MCCDC NETWARCOM* MCNOSC MCIOC (*NETWARCOM would have certification and accreditation authority in this model.) FIGURE 6.3 Organizational model—Option 1: Adding “Naval Networks” organization (senior flag or general officer with triple hat) to the Secretary of the Navy (SECNAV), the Chief of Naval Operations (CNO), and the Commandant of the Marine Corps (CMC). NOTE: MAR - FORS, Marine forces. Other acronyms are defined in Appendix A. Figure 6-3 R01471 vector editable

ashore and for the education and training of a dedicated officer, enlisted, and civilian cyber workforce. The office would be appointive for at least the duration of the Program Objective Memorandum (POM) cycle (5 years) to ensure policy and execution continuity and accountability. The DNN would have dotted-line relationships with OPNAV N6 and Headquarters, Marine Corps (HqMC) for requirements and resource issues; with NETWARCOM, MCNOSC, and the Marine Corps Information Operation Center for operational issues; and with the ASN(RDA) for acquisition issues. The DNN would also be responsible for integrating IA strategies and plans across all naval communities (surface, subsurface, expeditionary, air, space, and cyberspace), as well as with joint communities. The Director, Naval Networks, would have the authority to establish network “safe-to-operate” criteria to use as enforcement authority if a naval network was judged to be so impaired as to potentially harm naval operations.23

This model would retain the Naval Network Warfare Command (NETWARCOM) at the Echelon III level as the functional and operational type commander for Navy networks, but would also grant NETWARCOM and HqMC C4 the authority to certify as well as accredit software and hardware systems on naval networks. This alternative would consolidate significant responsibility for IA policy, acquisition, financial resource allocation, operations, and manpower and training functions under the DNN. Establishing the position of DNN would recognize the critical importance of networking to current and future naval capabilities. It would also represent a historic step comparable to the establishment of the NNPP. The committee believes that acquiring network capability for the DON and providing the necessary life-cycle support and the needed education and training must be executed at the highest levels within the department to achieve the right organizational response.

The DNN would also be given post-program, post-budget adjustment authority to accommodate exigencies that might occur during the development, production, and fielding of information and network systems, specifically to coordinate IA capabilities. This organizational alignment would afford great benefits by merging the DON CIO and the DASN C4I responsibilities. It would permit the DNN to employ both Clinger-Cohen Act and DOD Directive 5000 acquisition directives to optimal benefit for the DON. The combination of the offices would also bridge the transition of networks from the acquisition domain into the operating forces by the office’s reporting to SECNAV and to the CNO and CMC. This would give the Director, Naval Networks, the responsibility to ensure life-cycle support of networks.

23 Such a “safe-to-operate” decision may involve the important operational risk analysis of “network gain/loss” versus “operational gain/loss.” That is, leaving a network connected could allow an intrusion to propagate, but disconnecting the network could cause the failure of a mission and possible loss of life if the mission was dependent on network connectivity.

Like the Director, Naval Reactors, the DNN would have to have ready access to technical expertise to provide technical depth and continuity of knowledge. This would be provided by SPAWAR and the Navy laboratories, augmented as necessary by support from Federally-Funded Research and Development Centers and contractors. Sole execution authority within the DON would be given to NETWARCOM and HqMC C4 to both certify and accredit information systems, thus centralizing authority for this most critical IA requirement. NETWARCOM would designate certification authorities and establish independent verification and validation teams for periodically and frequently checking approved certifications in both the acquisition and operational stages. The DNN would coordinate with naval operational and intelligence agencies to develop cyberthreat analyses. Due to the DNN’s stature, tenure in office, and technical support, the DNN would be well positioned to address other key issues identified in this report, including energizing the Navy’s research program in IA and CND, integrating offensive and defensive cyber operations, and integrating all aspects of IA through a risk management approach.

IA Organizational Model—Option 2

Option 2 (Figure 6.4) would establish a Network Programs Office (NPO) as a Direct Reporting Program Manager (DRPM) reporting to the ASN(RDA), transferring or adding required support resources as needed from the Navy’s PEO C4I and PEO EIS and appropriate USMC PEOs, to ensure a high level of attention to challenging acquisitions and strict acquisition discipline for the delivery of afloat and ashore networks and for their life-cycle management and information assurance readiness. In this model, NETWARCOM is retained at the Echelon III level as the functional and operational type commander for Navy networks; likewise, MCNOSC retains its current authorities and responsibilities in the Marine Corps.

As in Option 1, this option would also grant NETWARCOM and HqMC C4 the sole authority to certify as well as accredit software and hardware systems on naval networks. This alternative therefore modifies naval IA policy and acquisition only. It does not change financial resource allocation, operations, or manpower and training functions. The establishment of the Network Programs Office as a Direct Reporting Program Manager would provide the special scrutiny and oversight necessary for significant, challenging new acquisitions in the network domain. Sole authority within the DON is given to NETWARCOM and HqMC C4 both to certify and accredit information systems, thus centralizing authority for this most critical IA requirement.

FIGURE 6.4 Information assurance organizational model—Option 2: Adding a “Network Programs Office” (NPO) as a Direct Reporting Program Manager (DRPM) reporting to ASN(RDA). Organizations shown in the chart: SECNAV; CNO and CMC; ASN(RDA), DON CIO, and DASN C4I; the DRPM NPO; Navy/USMC Fleet CDRs, OPNAV, HQMC, MARFORS, SYSCOMs, and PEOs; NETWARCOM,* MCNOSC, and MCIOC. (*NETWARCOM would have certification and accreditation authority in this model.) NOTE: CDR, commander; MARFORS, Marine forces. Other acronyms are defined in Appendix A.

IA Organizational Model—Option 3

Option 3 would elevate NETWARCOM to the Echelon II level reporting to the CNO, thus recognizing the Navy-wide criticality of information assurance and networks (Figure 6.5). This model also grants NETWARCOM and HqMC C4 the sole authority to certify as well as to accredit software and hardware systems on naval networks. This alternative modifies policy and potentially financial resource allocation, and also modifies manpower and training functions. It does not change acquisition and operations.

Placing NETWARCOM as an Echelon II command would recognize the Navy-wide importance of information assurance and make this important function report directly to the CNO. Establishing NETWARCOM as an Echelon II command would give NETWARCOM the clear enforcement responsibility for network IA policy and operations across the entire Navy enterprise. Increased influence with OPNAV in the Program Planning and Budgeting System process would result, as NETWARCOM would provide information and network requirements directly to the OPNAV staff. As in Options 1 and 2, sole authority within the DON would be given to NETWARCOM and HqMC C4 both to certify and to accredit information systems, thus centralizing authority for this most critical information assurance requirement.

IA Organizational Model—Option 4

The committee’s Option 4 model represents the least amount of change with respect to current naval IA operations. This option would grant NETWARCOM and HqMC C4 the sole authority to certify as well as to accredit software and hardware systems on naval networks (Figure 6.6). Thus, this alternative would only modify naval IA policy responsibilities. It would not change acquisition, financial resource allocation, operations, or manpower and training functions. (See Table 6.2 for a summary comparison of each option discussed above.)
FIGURE 6.5 Information assurance organizational model—Option 3: The Naval Network Warfare Command (NETWARCOM) with additional information assurance authorities at the Echelon II level. Organizations shown in the chart: SECNAV; CNO and CMC; DON CIO, ASN(RDA), and DASN C4I; NETWARCOM* (Echelon II); Navy/USMC Fleet CDRs, OPNAV, HQMC/MCCDC, MARFORS, SYSCOMs, and PEOs; MCNOSC and MCIOC. (*NETWARCOM would have certification and accreditation authority in this model.) NOTE: CDR, commander; MARFORS, Marine forces. Other acronyms are defined in Appendix A.

FIGURE 6.6 Information assurance organizational model—Option 4: The Naval Network Warfare Command (NETWARCOM) and the Marine Corps Network Operations and Security Command (MCNOSC) with additional information assurance authorities. Organizations shown in the chart: SECNAV; CNO and CMC; DON CIO, ASN(RDA), and DASN C4I; Navy/USMC Fleet CDRs, OPNAV, HQMC, MARFORS, SYSCOMs, and PEOs; NETWARCOM,* MCNOSC, and MCIOC. (*NETWARCOM would have certification and accreditation authority in this model.) NOTE: CDR, commander; MARFORS, Marine forces. Other acronyms are defined in Appendix A.

TABLE 6.2 Comparison of Alternative Organizational Model Constructs and Their Impact on Naval Information Assurance Functional Areas

Naval IA functional areas compared for each proposed organizational construct: Policy; Acquisition; Resource Allocation; Operations; Manpower and Training.

Naval Networks (Option 1)
  Policy: Combine DON CIO and DASN (C4I/EW/Space); sole authority for C&A to NETWARCOM, HqMC C4
  Acquisition: Combine DON CIO and DASN C4I
  Resource Allocation: Combine DON CIO and DASN C4I; coordinate with OPNAV N6
  Operations: Safe-to-operate authority; adds cyberthreat analysis to NETWARCOM, MCNOSC
  Manpower and Training: Directs naval networks manpower and training; manager, cyber workforce

Network Programs Office (Option 2)
  Policy: Sole authority for C&A to NETWARCOM, HqMC C4
  Acquisition: Direct Reporting Program Manager (DRPM) to ASN(RDA)
  Resource Allocation: No change
  Operations: Adds cyberthreat analysis to NETWARCOM, MCNOSC
  Manpower and Training: No change

NETWARCOM Echelon II (Option 3)
  Policy: Sole authority for C&A to NETWARCOM, HqMC C4
  Acquisition: No change
  Resource Allocation: Major actor in the Program Objective Memorandum (POM) process
  Operations: Adds cyberthreat analysis to NETWARCOM, MCNOSC
  Manpower and Training: Directs naval networks manpower and training

NETWARCOM, HqMC C4 Additional IA Authorities (Option 4)
  Policy: Sole authority for C&A to NETWARCOM, HqMC C4
  Acquisition: No change
  Resource Allocation: No change
  Operations: Adds cyberthreat analysis to NETWARCOM, MCNOSC
  Manpower and Training: No change

NOTE: Acronyms are defined in Appendix A.

Summary Discussion

The committee consulted with several senior naval officials who were selected on the basis of their potentially providing the committee with new insights concerning possible organizational recommendations. These officials included the current Director of Naval Nuclear Propulsion, the former ASN(RDA), and the current Commander of NETWARCOM. They were also chosen to help the committee understand issues associated with the currently “federated” approach for governing naval IA and addressing IA issues. On the basis of its discussion with the selected officials, the committee’s own analysis and experience-based personal views, and the Navy’s projections regarding the growing threats to information assurance, the committee believes that Option 1 would best position the Navy and the Marine Corps to address current and future information assurance and cyber-related challenges and to facilitate rapid IA progress. The committee does not suggest that the models described above are exhaustive in their scope; of the four organizational models presented, however, Option 1 provides the most clear and comprehensive naval IA governance authority and responsibility for addressing the IA issues outlined throughout this report, including the previously discussed governance seams between naval IA functions of policy, acquisition, financial resource allocation, operations, and manpower and training. The Option 1 model provides a clear and strong signal for the ownership and accountability of the bedrock DON information assurance mission.

With the appropriate assignment of authority and responsibility to the Director of Naval Networks, Option 1 would more closely resemble the clear cyber command lines of authority and responsibility found in the Headquarters (Hq) U.S. Army.24 The Army Hq’s model for managing cyber-related activities is in contrast to the current DON federated approach for managing naval IA and networking, and would appear to provide the opportunity for clearer governance responsibilities and cleaner, unambiguous lines of authority.25 By providing a single focal point for naval cyber matters, the proposed naval Option 1 construct would also facilitate relationships with joint organizations, ensuring that the DON speaks with a single voice.

As a less dramatic potential naval IA organizational approach, a “strong federated” governance model—an option in which each of multiple parties has well-defined responsibilities with a clear understanding of the relations among those responsibilities, an improvement over the current “weak federated” model—is also recognized by the committee to provide a partial solution to naval IA governance issues. However, a federated approach lacks clear accountability for many crosscutting IA and network operations-related issues, and it leaves unreconciled potentially critical IA issues such as (1) the need for fast response and decision making in the time of crisis, (2) the development and continuity of deep knowledge and properly trained manpower in crosscutting cyber technical areas, (3) the ongoing requirement for IA resource prioritization with different organizational points of impact, and (4) the development of required expertise to manage and balance more systematically the high-level IA-related trade-offs and operational risks.

24 See Army Regulation 25-1, Headquarters, Department of the Army, Washington D.C., December 4, 2008; and Capt Carla Pampe, USAF, 8th Air Force Public Affairs Office, 2006, “Air Force Officials Consolidate Network Ops,” Department of the Air Force, Barksdale Air Force Base, La., July. Available at . Accessed May 1, 2009.

25 Note, however, that Army cyber field support operations are distributed between NETCOM and the Intelligence and Security Command (including its subordinate element, the 1st Information Operations Command [Land]), whereas the Navy’s cyber operations are consolidated under NETWARCOM.

As with any suggested organizational model, the preferred centralized command model for naval IA presented by the committee will have disadvantages as well as advantages. For example, centralized organizational structures are sometimes viewed as less innovative, and perhaps less adaptive, than structures in which multiple or occasionally competing authorities coexist. Also, less centralized structures are typically better at horizontal and multiple-direction communication than are the centralized structures, which are sometimes dominated by hierarchical, top-to-bottom communications. Nonetheless, the committee’s opinion is that the organizational structure required to address the four potentially critical IA issues just listed, coupled with the growing cyberthreat and the resulting need for clear IA accountability, points to Option 1 as the preferred model. While Options 2, 3, and 4 are less-extensive variations of the theme expressed in Option 1, the committee’s opinion is that IA and related network operations will demand clearer governance authority and single-line accountability than are provided by Options 2, 3, and 4, especially as network-centric operations, information assurance, and cyberwarfare all grow in importance over the coming years.26

A DON decision and potential implementation of Option 1, or of any model outlined above, would obviously require further in-depth study and deliberation. However, the urgency of addressing information assurance and cyberdefense needs calls for a new organizational model on which serious examination should begin immediately.
The committee recognizes that an organizational change to the recommended Option 1 would be a major step for the DON; however, the committee also believes that, as suggested by one senior Navy leader, such a change is better achieved through the vision and drive of a determined group of naval leaders than in response to a major cyber-related catastrophic event.

MAJOR FINDING: The governance of information assurance is widely distributed across naval forces, with many parties playing roles, resulting in many governance seams. In particular, there is no centralized authority or organizational mechanism in place in the Department of the Navy for governing IA and end-to-end cyber operations. For example, a shared scope of governance of security policy and fiscal authority for naval networks resides throughout the DON, including with the Department of the Navy Chief Information Officer; the Deputy CNO for Network Operations; Headquarters, Marine Corps; Naval Network Warfare Command; Echelon II Chief Information Officers; Commander–Naval Installation Command; Program Executive Officers; and Navy Systems Command.

26 For example, a significant finding from the investigation of recent errors involving the mistaken shipment of nuclear weapons by the U.S. Air Force was the lack of clear lines of authority, which allowed safety assurance practices to degrade over the years. In other words, “no one owned the problem.” ADM Kirkland Donald, USN, Director, Naval Nuclear Propulsion, private communication with committee co-chairs, October 10, 2008.

MAJOR RECOMMENDATION: The leadership of the Department of the Navy should examine more-centralized IA-related organizational structures for integrating its information assurance strategies and plans across all naval communities (surface, subsurface, expeditionary, air, space, and cyberspace), as well as for integrating those same strategies and plans with joint communities (Combatant Command, Office of the Secretary of Defense). The examination should address the needed IA governance and fiscal authorities for sustaining both current and future readiness levels, as well as which DON organizations are critical to defending against evolving cyberthreats—from the strategic to the tactical level.