Appendix B
Terms of Reference
At the request of the Chief of Naval Operations, the Naval Studies Board of the National Academies will conduct a study to examine information assurance for network-centric naval forces. Specifically, the study will:
- Review the Department of Defense and the Department of the Navy responsibilities for information assurance, to include policies, plans, and manuals, and identify competing and non-competing areas of responsibility between the Departments and within the Department of the Navy, as well as recommend any organizational adaptations which facilitate rapid progress;
- Review recent information assurance-related studies conducted by and for the Department of Defense and Department of the Navy, and summarize their key recommendations and implementation status;
- Examine the Department of Defense and Department of Navy research, development, and acquisition process for information assurance, and recommend alternative approaches to the process that allow for greater flexibility and response time in meeting the information assurance requirements of network-centric naval forces;
- Assess potential information assurance vulnerabilities for network-centric naval forces, to include the “last mile” of information passed to embarked forces, and identify the appropriate technology and operational means to mitigate their vulnerabilities when operating only with U.S. military forces, or coalition forces;
- Identify methodologies, including experimentation, for dealing with degraded performance and the loss of warfighting system integrity, particularly important to the effectiveness of network-centric naval forces, due to a lack of information assurance;
- Review and recommend information assurance best practices from critical industrial and commercial operations applicable to the Department of Navy and its FORCEnet initiatives;
- Assess the role of different information architecture constructs, including information assurance approaches, for managing risks (e.g., building specially-protected “sub-nets” to handle particularly sensitive, high consequence information); and
- Recommend investment analysis approaches, excluding cost as a consideration, for managing cyber attack risks to network-centric naval forces that address the consequences of possible cyber attacks, the likelihoods of these attacks actually occurring, and the uncertainties surrounding assumptions about these risks.
This 12-month study will produce two reports: (1) a letter report following the second full committee meeting that summarizes the key information assurance initiatives underway within the Naval NETWAR/FORCEnet Enterprise and recommends any near-term information assurance needs for network-centric naval forces, to include any defense-related efforts that the naval forces should take advantage of and/or assure compatibility with; and (2) a comprehensive report that addresses the full terms of reference.