
Currently Skimming:

6 Organizational Considerations
Pages 110-138

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 110...
... JOINT SERVICE NATURE OF INFORMATION ASSURANCE The issues of information assurance and, more broadly, mission assurance from an information perspective for the Navy and Marine Corps are not solely Navy and Marine Corps issues. For parts of their information network infrastructure, the Navy and Marine Corps are highly dependent on joint capabilities and sometimes on systems provided by the other Services.
From page 111...
... and the ongoing phaseout of switched network infrastructure -- which greatly enhances network manageability and allows use of the rapidly innovating commercial IP services. However, it also opens military networks to the vulnerabilities of IP and single points of failure;1 and • The convergence of unclassified and classified networks onto shared IP bandwidth enabled by cryptographic separation -- which facilitates large upgrades in bandwidth, especially for classified services; reduces the costs of providing
1 As pointed out in the classic paper of Bellovin, the vulnerabilities of IP are intrinsic in the protocols and are not simply due to implementation issues.
From page 112...
... The spectrum of potential threat environments from low to high poses a basic strategic challenge to deployed Navy and Marine Corps forces. The DON should study, in conjunction with the intelligence and research communities, whether alternative approaches to communications and application development could
From page 113...
... In consequence, the Navy and Marine Corps, as organizations, must consider the broader impact of their own policies and acquisitions on the health of the joint capabilities as a whole. DOD AND DON RESPONSIBILITIES FOR INFORMATION ASSURANCE DOD Information Assurance Responsibilities Providing IA in the context of joint network-centric operations is the responsibility of a number of DOD organizations including the DON.
From page 114...
... The USD(AT&L) is tasked to ensure that IA is considered in all acquisition milestone decisions, program decision reviews, and contract awards.
From page 115...
... is the Deputy Chief of Naval Operations for Communication Networks (OPNAV N6) and the Deputy CIO (Marine Corps)
From page 116...
... , as the Navy certification authority for collateral/GENSER classified and unclassified, information, telecommunications, and network systems. Other important responsibilities of the Commander, NETWARCOM, as defined in Office of the Chief of Naval Operations Instruction 5239.1C include computer network vulnerability testing and providing training to fleet units.
From page 117...
... For acquisitions that are designated as "mission-critical" or "mission-essential" systems, the IA manager must also prepare and submit an acquisition IA strategy.10 Acquisition IA strategies for all acquisition category (ACAT) IAM, ACAT IAC, and ACAT ID programs11 must be approved by the DOD component CIO and submitted to the DOD CIO for review prior to all acquisition milestone decisions, program decision reviews, and acquisition contract awards.
From page 118...
... , which is the Navy CND service provider. The Marine Corps network defense falls to the Marine Corps Network Operations and Security Center (MCNOSC)
From page 119...
... Service Provider and coordinate defense of Navy computer networks as directed by JTF–GNO; provide CND training to fleet units as requested by fleet commanders; prioritize Navy IA operational requirements via input from Echelon II commands. OPNAV N89 Computer Network Defense Service Provider for special access systems.
From page 120...
... NOTE: Acronyms are defined in Appendix A SOURCE: Derived from Office of the Chief of Naval Operations Instruction 5239.1C, Department of Defense Instruction 8500.2, and Department of Defense Instruction 8580.1.
From page 121...
... For purposes of clarity and precision, the term "networks" is used in what follows to refer to large general-purpose or enterprise systems such as the Navy/Marine Corps Intranet (NMCI), the Marine Corps Enterprise Network (MCEN)
From page 122...
... This results in the lack of an authoritative information assurance architecture that is adequately scoped and programmed and in a lack of configuration control relative to information assurance. It also does not easily permit adjustments related to unanticipated changes in threat, potentially rendering newly developed capabilities as higher-than-desired risk elements for the naval forces structure.
From page 123...
... Outsourcing and Acquisition The acquisition of major naval networks from industry is clear recognition that the intellectual property for these networks does not wholly reside in the DON or DOD. Moreover, the lack of a fully authoritative and effective DON information assurance CONOPS and information assurance enterprise architectures complicates major network acquisitions such as the NMCI, the DDG-1000 Total Ship Computing Environment, the LPD 17 Shipboard Wide Area Network, the USS Ronald Reagan CVN 76 Integrated Communication Advanced Network, and the Littoral Combat Ship network platforms, including both its hardware and software.
From page 124...
... The department should examine alternatives to acquiring and managing networks that provide tightly controlled IA discipline with respect to architecture conformance, life-cycle support, and configuration management; an ability to accommodate technology insertion; and a structure to facilitate risk management. In an effort to gain insight into organizational models that might help to accomplish these objectives, the committee examined the Naval Nuclear Propulsion Program (NNPP)
From page 125...
... 1982. Executive Order 12344 (Naval Nuclear Propulsion Program)
From page 126...
... The DOA CIO/G-6 is the principal focal point for the Army for information management matters with external organizations; it has authority over policy, requirements, budgeting, operations, and training and personnel management; it is the DAA for Army information systems20 (with the exception of Army sensitive compartmented information [SCI] systems)
From page 127...
... , to rotate between the Navy and Marine Corps, as the single authority for naval networks. The DNN would provide the strong leadership that is needed for secure operation of naval networks in a similar fashion to the strong leadership provided by the Director, Naval Reactors, for the secure operation of naval reactors.
From page 128...
... , the Chief of Naval Operations (CNO), and the Commandant of the Marine Corps (CMC)
From page 129...
... at the Echelon III level as the functional and operational type commander for Navy networks, but would also grant NETWARCOM and HqMC C4 the authority to certify as well as accredit software and hardware systems on naval networks. This alternative would consolidate significant responsibility for IA policy, acquisition, financial resource allocation, operations, and manpower and training functions under the DNN.
From page 130...
... , transferring or adding required support resources as needed from the Navy's PEO C4I and PEO EIS and appropriate USMC PEOs, to ensure a high level of attention to challenging acquisitions and strict acquisition discipline for the delivery of afloat and ashore networks and for their life-cycle management and information assurance readiness. In this model, NETWARCOM is retained at the Echelon III level as the functional and operational type commander for Navy networks; likewise, MCNOSC retains its current authorities and responsibilities in the Marine Corps.
From page 131...
... FIGURE 6.4 Information assurance organizational model -- Option 2: Adding a "Network Programs Office" (NPO) as a Direct Reporting Program Manager (DRPM)
From page 132...
... IA Organizational Model -- Option 4 The committee's Option 4 model represents the least amount of change with respect to current naval IA operations. This option would grant NETWARCOM and HqMC C4 the sole authority to certify as well as to accredit software and hardware systems on naval networks (Figure 6.6)
From page 133...
... FIGURE 6.5 Information assurance organizational model -- Option 3: The Naval Network Warfare Command (NETWARCOM) with additional information assurance authorities at the Echelon II level.
From page 134...
... FIGURE 6.6 Information assurance organizational model -- Option 4: The Naval Network Warfare Command (NETWARCOM) and the Marine Corps Network Operations and Security Command (MCNOSC)
From page 135...
... for C&A to ASN(RDA) analysis to NETWARCOM, NETWARCOM, HqMC C4 MCNOSC NETWARCOM Echelon II Sole authority No change Program Objective Adds cyberthreat Directs naval networks (Option 3)
From page 136...
... The Option 1 model provides a clear and strong signal for the ownership and accountability of the bedrock DON information assurance mission. With the appropriate assignment of authority and responsibility to the Director of Naval Networks, Option 1 would more closely resemble the clear cyber command lines of authority and responsibility found in the Headquarters (Hq)
From page 137...
... In particular, there is no centralized authority or organizational mechanism in place in the Department of the Navy for governing IA and end-to-end cyber operations. For example, a shared scope of governance of security policy and fiscal authority for naval networks resides throughout the DON, including with the Department of the Navy Chief Information Officer; the Deputy CNO for Network Operations; Headquarters, Marine Corps; Naval Network Warfare Command; Echelon II Chief Information Officers; Commander–Naval Installation Command; Program Executive Officers; and Navy Systems Command.
From page 138...
... 138 INFORMATION ASSURANCE FOR NETWORK-CENTRIC NAVAL FORCES MAJOR RECOMMENDATION: The leadership of the Department of the Navy should examine more-centralized IA-related organizational structures for integrating its information assurance strategies and plans across all naval communities (surface, subsurface, expeditionary, air, space, and cyberspace), as well as for integrating those same strategies and plans with joint communities (Combatant Command, Office of the Secretary of Defense)


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.