National Academies Press: OpenBook

Information Assurance for Network-Centric Naval Forces (2010)

Chapter: 6 Organizational Considerations

Suggested Citation:"6 Organizational Considerations." National Research Council. 2010. Information Assurance for Network-Centric Naval Forces. Washington, DC: The National Academies Press. doi: 10.17226/12609.

6 Organizational Considerations

In previous chapters the committee described the challenge that cyberthreats present to the Department of the Navy’s (DON’s) use of network-centric operations and its dependence on commercial off-the-shelf (COTS) information technology (IT). Potential operational and technical responses that the DON might take to maintain information assurance (IA) in the face of this challenge and how it might orchestrate those responses through a risk-based management approach were also discussed.

This chapter examines potential organizational responses. It will be seen that there are many organizations, inside and outside the DON, that impact IA with respect both to the operations of naval networks and to the acquisition of naval network-based capabilities. Given this organizational complexity as well as the operational and technical complexity inherent in addressing the growing IA risks, it is recommended that the DON consider organizational realignments to better focus on the IA issues related to naval information systems and networks.

JOINT SERVICE NATURE OF INFORMATION ASSURANCE

The issues of information assurance and, more broadly, mission assurance from an information perspective for the Navy and Marine Corps are not solely Navy and Marine Corps issues. For parts of their information network infrastructure, the Navy and Marine Corps are highly dependent on joint capabilities and sometimes on systems provided by the other Services. Thus, in general, the Navy and Marine Corps will achieve mission assurance only through joint participation. Likewise, joint capabilities systems of systems are dependent on the Navy and Marine Corps for building and operating their elements of the joint construct in ways that support the policies of the whole.

Key Trends in Cross-Service Integration

A key trend in the U.S. military is joint network-centric operations. The long-term vision is to decouple the various operational functions (e.g., sensing, targeting, weapons delivery, transport, and logistics) from individual Service platforms. A Navy ship should be able to launch a weapon on a target located by national means, provide target designation for a weapon launched by the Air Force, and draw on any Service’s (or commercial) logistics stores and systems. While full network-centric capabilities are still years away, some capabilities are current and are being continually improved.

The key enabler for joint network-centric operations is information sharing. The U.S. satellite communications architecture already provides services to all Services over the same satellite links, and the Defense Information Systems Agency (DISA) provides a global communications backbone to all of the Services. Another element of cross-Service convergence is technical—namely, the increasing integration of different information service types onto fewer technical platforms. This integration is a two-edged sword. On the one hand, it leads to superior information sharing, greater efficiency, lowered costs for a given level of service, and fewer types of technical platforms to defend. On the other hand, extensive system integration could permit the possibility of losses of large-scale capabilities from single attacks. Some particular examples include the following:

  • Extensive use of commercially hosted fiber-optic and wideband satellite communications—which has provided global broadband communications at low cost, but is significantly vulnerable to disruption and jamming;

  • Network layer convergence to everything-over-Internet Protocol (IP) and the ongoing phaseout of switched network infrastructure—which greatly enhances network manageability and allows use of the rapidly innovating commercial IP services. However, it also opens military networks to the vulnerabilities of IP and single points of failure;[1] and

  • The convergence of unclassified and classified networks onto shared IP bandwidth enabled by cryptographic separation—which facilitates large upgrades in bandwidth, especially for classified services; reduces the costs of providing network services by eliminating many legacy systems; and improves network manageability. However, it opens classified networks to denial-of-service attacks hosted on unclassified networks and provides an opportunity (albeit a slim one) for a compromise of the separation mechanism.

[1] As pointed out in the classic paper of Bellovin, the vulnerabilities of IP are intrinsic in the protocols and are not simply due to implementation issues. See Steven M. Bellovin, 1989, “Security Problems in the TCP/IP Protocol Suite,” ACM SIGCOMM Computer Communication Review, Vol. 19, No. 3, pp. 10-19, July. See also Steven Bellovin, 2004, “A Look Back at ‘Security Problems in the TCP/IP Protocol Suite,’ ” presented at the 20th Annual Computer Security Applications Conference, December. Available at <http://www.cs.columbia.edu/~smb/papers/ipext.pdf>. Accessed May 1, 2009.

Joint Support to Navy and Marine Corps Systems

The examples above illustrate the dependence of the Navy and Marine Corps on joint systems. Without communications systems shared with the other Services (and in some cases with commercial industry and foreign partners), the capabilities of the Navy and Marine Corps would be reduced. Understanding how much they could be reduced is itself an important element of risk management and mission assurance that was highlighted earlier in this report.

The Department of Defense (DOD), as a whole, must act to ensure that plans assigned to each command are adequately supported by department-wide decisions. The Navy needs to be proactive in ensuring that plan elements assigned to the combatant Navy and Marine Corps are effectively supported in capability acquisitions. The committee finds that there are several areas where these issues are particularly evident, and there is evidence that strategies and decisions are not consistent across the whole stakeholder set.

For scenarios in which cyberattack is likely but extensive jamming and kinetic attacks are not, the most operationally effective and cost-effective approach to communications acquisition is to buy commercial fiber-optic and satellite capacity. For scenarios in which the full spectrum of threat attacks is likely, the most effective course is to acquire protected communication capabilities. The current mixed strategy being pursued by the DOD is to acquire some of each of these capabilities.

The DON must recognize the complexities inherent in pursuing the current mixed strategy. Applications that work well when high-bandwidth communications are available may not work well (or at all) in a reduced-bandwidth environment. An application and concept of operations (CONOPS) set that is designed to work well in a low-bandwidth environment must be extensively tested and exercised within that low-bandwidth environment. The operational reality might require neither the unattacked high-bandwidth services nor the secure core of low-bandwidth services, but rather a dynamically changing intermediate state. It may be that neither of the configurations that works well at either end of the service levels will work well in a dynamically changing middle ground. Moreover, the dynamically changing case is likely to be the most difficult to simulate and test.

The spectrum of potential threat environments from low to high poses a basic strategic challenge to deployed Navy and Marine Corps forces. The DON should study, in conjunction with the intelligence and research communities, whether alternative approaches to communications and application development could yield capabilities that are robustly functional across the spectrum of threat levels. This may require a partial reversal of the march toward all-COTS products, but might yield an operational system that is more robust, secure, and maintainable than the current approach of multiple fallback modes.

The DON must also strongly advocate within the joint community for the development of the capabilities that are uniquely important to Navy and Marine Corps forces. The Navy, in particular, has a dependence on mobile satellite communications that is deeper than that of the other Services. It is particularly important to the Navy that secure and protected communications capacity suitable for Navy platforms be deployed adequately for the Navy to realize the benefits of network-centric operations.

DON Support to Joint Systems

Due to the interdependence among DOD and DON systems, each Service has responsibility for keeping its own equipment and technology up to date and operational. The Joint Task Force–Global Network Operations (JTF–GNO) monitors the joint enterprise, but depends on the Services to maintain their connected systems adequately. With regard to low-sophistication cyberattacks, the updating process is central. For high-sophistication attacks, continuous patching and upgrades may yield little additional assurance. For the high-sophistication case, the DON needs an entirely different class of monitoring techniques and a science and technology (S&T)-based estimation approach, such as described in Chapter 5, to develop threat models and mitigations.

The Navy and Marine Corps are dependent on joint capabilities, but so too are those joint networks and applications dependent on the Navy and Marine Corps. If the participants in the joint network fail in their individual responsibilities, they may impact the network as a whole and the other participants. In consequence, the Navy and Marine Corps, as organizations, must consider the broader impact of their own policies and acquisitions on the health of the joint capabilities as a whole.

DOD AND DON RESPONSIBILITIES FOR INFORMATION ASSURANCE

DOD Information Assurance Responsibilities

Providing IA in the context of joint network-centric operations is the responsibility of a number of DOD organizations including the DON. The IA responsibilities of the DOD and the DON are defined in public law and in various DOD and DON instructions, directives, and memoranda.

The DOD is required to have a defense IA program under Section 2224, “Defense Information Assurance Program,” of Title 10, United States Code. Under the provisions of the Clinger-Cohen Act of 1996,[2] the DOD is required to have a chief information officer (CIO) reporting directly to the Secretary of Defense. In DOD Directive 5144.1,[3] the Secretary has designated the Assistant Secretary of Defense for Networks and Information Integration (ASD[NII]) as the DOD CIO. DOD Directive 8500.1[4] establishes DOD IA policy and assigns organizational responsibilities. DOD Instruction 8500.2[5] provides guidance and describes procedures for implementing DOD Directive 8500.1. DOD Instruction 8580.1[6] describes how IA is integrated into the defense acquisition system.

The ASD(NII)/DOD CIO develops and promulgates IA policies, oversees appropriations for and manages the Defense Information Assurance Program (DIAP), and works with the Under Secretary of Defense for Acquisition, Technology and Logistics (USD[AT&L]) to ensure that the DOD acquisition process incorporates IA considerations consistent with the Clinger-Cohen Act requirements. The Deputy Assistant Secretary of Defense for Information and Identity Assurance (DASD[IIA]) reports to the ASD(NII) and is responsible for the DIAP and the Global Information Grid (GIG) IA portfolio, among other responsibilities. The Director of DISA assists the ASD(NII) in executing his or her responsibilities—including, in particular, the development of a single IA approach for protection of the Defense Information Systems Network (DISN).

The USD(AT&L) is tasked to ensure that IA is considered in all acquisition milestone decisions, program decision reviews, and contract awards. With the assistance and advice of the Director, Defense Research and Engineering (DDRE), the USD(AT&L) monitors and oversees IA research and technology investments, including those of the National Security Agency (NSA) and the Defense Advanced Research Projects Agency (DARPA).

The Chairman, Joint Chiefs of Staff (CJCS), provides advice and assessment of military IA capability needs and develops, coordinates, and promulgates IA policies, doctrines, and procedures for joint and combined operations.

The Commander, U.S. Strategic Command (USSTRATCOM), coordinates and directs DOD-wide computer network defense (CND) operations.

[2] National Defense Authorization Act for FY 1996, Public Law 104-106, formerly called the “Information Technology Management Reform Act,” February 10, 1996.

[3] Department of Defense. 2005. Department of Defense Directive No. 5144.1, Washington, D.C., May 2. Available at <http://www.dtic.mil/whs/directives/corres/pdf/514401p.pdf>. Accessed May 1, 2009.

[4] Department of Defense. 2002. Department of Defense Directive No. 8500.1, Washington, D.C., October 24. Available at <http://www.niap-ccevs.org/cc-scheme/policy/dod/d85001p.pdf>. Accessed May 1, 2009.

[5] Department of Defense. 2003. Department of Defense Directive No. 8500.2, Washington, D.C., February 6. Available at <http://www.niap-ccevs.org/cc-scheme/policy/dod/d85002p.pdf>. Accessed May 1, 2009.

[6] Department of Defense. 2004. Department of Defense Directive No. 8580.1, Washington, D.C., July 9. Available at <http://www.defenselink.mil/cio-nii/docs/DoDI_8580.1pdf>. Accessed May 1, 2009.

The Director, NSA (DIRNSA), provides IA support to the DOD components, including the providing of IA and Information System Security Engineering (ISSE) services; manages the development of the IA Technical Framework (IATF); and establishes criteria and processes for evaluating and validating all IA and IA-enabled IT products used in DOD information systems. With the Director, Defense Intelligence Agency (DIA), the DIRNSA provides an IA intelligence capability. The DIRNSA is also the agent for the GIG Information Assurance Portfolio (GIAP); the GIAP management office is located at NSA and staffed with NSA and DISA personnel.

The heads of the DOD components are responsible for developing and implementing an IA program focused on DOD component-specific information and systems.

DON Information Assurance Responsibilities

Responsibilities for the IA program of the DON are defined in Secretary of the Navy Instruction 5239.3A.[7]

The DON CIO is responsible for carrying out for the Secretary of the Navy (SECNAV) the IA responsibilities assigned to the Navy by public law and by DOD directives and instructions. In particular, the DON CIO issues IA policies, integrates IA requirements with DON planning and into the DON major system acquisition management process, and serves as the focal point for IA coordination with other elements of the DOD. The DON CIO is assisted by a senior IA official (SIAO), as required by the Federal Information Security Management Act of 2002 (Public Law 107-347), and by the DON Deputy CIO (Navy) and DON Deputy CIO (Marine Corps). The Deputy CIO (Navy) is the Deputy Chief of Naval Operations for Communication Networks (OPNAV N6) and the Deputy CIO (Marine Corps) is the Director, Command, Control, Communications, and Computers.

The Assistant Secretary of the Navy for Research, Development and Acquisition (ASN[RDA]) integrates IA requirements into acquisition management of all DON IT systems and maintains an S&T program in information assurance.

The Chief of Naval Operations (CNO) develops and implements IA programs and procedures for information systems supporting Navy operations and assets, serves as the resource sponsor for Navy IA, appoints designated approving authorities (DAAs) for information systems under Navy authority, and develops Navy IA education, training, and awareness programs.

[7] Secretary of the Navy. 2004. SECNAV Instruction 5239.3A re: Department of the Navy Information Assurance Policy, Department of the Navy, Washington, D.C., December 20. Available at <http://doni.daps.dla.mil/Directives/05000%20General%20Management%20Security%20and%20Safety%20Services/05-200%20Management%20Program%20and%20Techniques%20Services/5239.3A.pdf>. Accessed May 1, 2009.


In Office of the Chief of Naval Operations Instruction 5239.1C,[8] the CNO assigned responsibility to OPNAV N6 for the Navy IA program, in coordination with the ASN(RDA) and the Deputy Assistant Secretary of the Navy for Command, Control, Communications, Computers and Intelligence/Electronic Warfare/Space (DASN[C4I/EW/Space]). OPNAV N6 sponsors, authorizes, and budgets for IA requirements and is instructed to “adopt an Information Technology (IT) lifecycle risk management program….” The Commander, Naval Network Warfare Command (NETWARCOM), gathers and prioritizes Navy IA operational requirements from all echelon II commands. The Program Executive Office for Command, Control, Communications, Computers and Intelligence (PEO C4I) serves as the IA acquisition program manager and overall systems security engineering lead. The Director, Office of Naval Intelligence (ONI), assists OPNAV N6 and PEO C4I in the risk management process by gathering relevant threat information to assist in defining system security requirements.

The CNO has appointed the Commander, NETWARCOM, as the Navy operational DAA (ODAA) for all operating Navy collateral/General Services (GENSER) information systems, networks, and telecommunications systems and has assigned the Navy echelon II commanders as the developmental DAAs.[9] He has appointed the Commander, Space and Naval Warfare Systems Command (SPAWAR), as the Navy certification authority for collateral/GENSER classified and unclassified information, telecommunications, and network systems.

Other important responsibilities of the Commander, NETWARCOM, as defined in Office of the Chief of Naval Operations Instruction 5239.1C include computer network vulnerability testing and providing training to fleet units. As discussed below, NETWARCOM also has an operational role in conducting and directing CND.

The Commandant of the Marine Corps (CMC) has IA responsibilities parallel to those of the CNO.

The process by which naval IA policies are translated into system capabilities is illustrated in Figure 6.1. A DON program manager receives IA policy guidance from a number of sources, including the FORCEnet Enterprise Architecture, the DOD IT Standards Registry (DISR), and the GIG IA Technical Framework (GIATF). As indicated above, a number of DOD and Navy organizations are involved in setting these policies.

FIGURE 6.1 Process for information assurance (IA) policies translation into the Department of the Navy system capabilities. NOTE: Acronyms are defined in Appendix A.

Each program’s ISSE activity is responsible for discovering users’ information protection needs and then designing and making information systems to safely resist the threats to which the program may be subjected. According to DOD Instruction 8580.1, for any acquisitions of Automated Information Systems (AIS), outsourced IT-based processes, and platforms or weapon systems with IT interconnections to the GIG, the program manager needs to appoint an IA manager. The IA manager determines the system mission assurance category (MAC) and confidentiality level, identifies and implements appropriate system baseline IA controls, and plans and executes the certification and accreditation (C&A) process. For acquisitions that are designated as “mission-critical” or “mission-essential” systems, the IA manager must also prepare and submit an acquisition IA strategy.[10]

[8] Chief of Naval Operations. 2008. OPNAV Instruction 5239.1C., Department of the Navy, Washington, D.C., August 20. Available at <http://www.fas.org/irp/doddir/navy/opnavinst/5239_1c.pdf>. Accessed May 1, 2009.

[9] OPNAV 89 was appointed as the DAA for special access programs, and the Director, ONI, as the Navy liaison to the NSA DAA for all sensitive compartmented information (SCI) program systems.

Acquisition IA strategies for all acquisition category (ACAT) IAM, ACAT IAC, and ACAT ID programs[11] must be approved by the DOD component CIO and submitted to the DOD CIO for review prior to all acquisition milestone decisions, program decision reviews, and acquisition contract awards. The heads of the DOD components are delegated the authority to conduct reviews of acquisition IA strategies on behalf of the DOD CIO for all other acquisitions, and may delegate authority to approve acquisition IA strategies.

[10] DOD Instruction 8580.1 provides definitions and guidance for “mission essential” and “mission critical” designations for IT systems. Such designations must be made by a Component Head, a Combatant Commander, or their designee. Available at <http://www.defenselink.mil/cio-nii/docs/DoDI_85801.pdf>. Accessed February 11, 2009.

[11] Acquisition Category (ACAT) I programs are major defense acquisition programs. For ACAT ID programs, the USD(AT&L) is the Milestone Decision Authority (the “D” in “ID” refers to the Defense Acquisition Board). For ACAT IAC programs, the head of the DOD component is the Milestone Decision Authority (the “C” in “IAC” refers to the Component CIO). For ACAT IAM programs, the ASD(NII)/DOD CIO is the Milestone Decision Authority (the “M” in “IAM” refers to the Major Automated Information Systems Review Council).


The PEO C4I and the Navy PEO for Enterprise Information Systems (EIS) under the ASN(RDA) manage most programs involving IT. However, PEO Ships (e.g., DDG-1000, LPD 17 [landing platform dock]), PEO Aircraft Carriers (e.g., CVN-76 [nuclear-powered aircraft carrier]), and the Marine Corps Systems Command manage several programs in which computing and networking infrastructure are being procured along with ships. The program management offices for the PEO C4I and the PEO EIS are staffed largely with personnel drawn from SPAWAR.

According to Secretary of the Navy Instruction 5400.15C, the commanders of Naval Air Systems Command (NAVAIR), Naval Sea Systems Command (NAVSEA), SPAWAR, and Marine Corps Systems Command (MARCORSYSCOM) exercise technical authority (TA)[12] and certification authority for weapons and IT systems. In particular, program managers must obtain certification from SPAWAR or MARCORSYSCOM that a weapon and/or information system being developed has satisfied information assurance requirements. As mentioned above, operational system accreditation resides with the Commander, NETWARCOM, as the ODAA.

From an operational perspective, at the DOD level, USSTRATCOM has been assigned responsibility for coordinating and directing CND. The JTF–GNO is the USSTRATCOM element that implements this responsibility. The DISA commander is dual-hatted as the JTF–GNO commander. Navy CND is the responsibility of the NETWARCOM and of its subordinate element, the Navy Cyber Defense Operations Command (NCDOC), which is the Navy CND service provider. The Marine Corps network defense falls to the Marine Corps Network Operations and Security Center (MCNOSC).

From the above descriptions, it is apparent that numerous DOD and DON organizations are involved in IA. These organizations are endeavoring to work collaboratively, and have developed various forums such as the Naval NETWAR FORCEnet Enterprise (NNFE)[13] and the Cyber Asset Reduction and Security (CARS) Task Force to facilitate this collaboration. Nevertheless, the committee is concerned that there is too great an opportunity for debilitating delays in responding to IA problems and for critical errors in responding to IA problems—both due to seams in the process of developing IA policy, developing requirements for IA, funding the acquisition of IA capabilities, developing and acquiring systems requiring IA, and operating these systems.

The next section addresses more centralized organizational options for the Navy to consider in order to avoid these seams. (See Table 6.1 for a summary of current Department of the Navy information assurance responsibilities.)

[12] Technical authority is the authority, responsibility, and accountability to establish, monitor, and approve technical standards, tools, and processes in conformance with applicable DOD and DON policy, requirements, architectures, and standards.

[13] The NNFE focuses on command, control, communications, computers, combat systems, and intelligence (C5I) systems and appropriate business IT solutions. It is chaired by the Commander, NETWARCOM, acting as the chief executive officer; the Commander, SPAWAR, acts as the chief operations officer, and OPNAV N6 acts as the chief financial officer.


TABLE 6.1 Current Naval Information Assurance (IA) Responsibilities (by functional area; each entry gives the organization followed by its responsibilities)

Operational requirements

  • OPNAV N6: Assure overall IA program execution in coordination with ASN(RDA) and DASN C4I; sponsor, authorize, and budget for IA requirements.

  • NETWARCOM: Serve as Navy Computer Network Defense (CND) Service Provider and coordinate defense of Navy computer networks as directed by JTF–GNO; provide CND training to fleet units as requested by fleet commanders; prioritize Navy IA operational requirements via input from Echelon II commands.

  • OPNAV N89: Computer Network Defense Service Provider for special access systems.

  • MCCDC/HQMC: Identify USMC IA requirements and capabilities.

  • JTF–GNO: Direct and coordinate the defense of all DOD computer networks.

  • DISA: Establish connection requirements and approval for the Defense Information Systems Network.

  • ONI: Provide threat input and IA risk management assistance to OPNAV N6 and PEO C4I.

Policy

  • DON CIO/DASN C4I: Provide overall DON IA policy guidance and focal point for IA; coordination with other elements of the DOD.

  • OPNAV N6/HQMC: Approve and issue IA policy, systems management, and metrics documents for Navy and USMC.

  • NETWARCOM: Provide guidance for implementation of Navy C&A policy; write safeguarding and accounting policies for DON COMSEC materials.

Manpower and training

  • OPNAV N6: Oversee Navy IA training requirements and provide requirements to the Personnel and Training and Standing Team (PTST).

  • OPNAV N1: Develop Navy schoolhouse IA training and education; ensure that IA training is incorporated into pertinent Navy training and appropriate formal schools.

  • NETWARCOM: Manage the DON communication security training program.

  • PTST: Identify Navy IA billets and establish IA training requirements for military and civilian personnel.

  • HQMC/MCCDC: Develop USMC IA training, manpower, and education requirements.

Acquisition

  • ASN(RDA): Oversee acquisition of all DON IA capabilities and ensure compliance.

  • OPNAV N6: Draft and maintain Navy’s IA acquisition master plan; coordinate fleet requirements for acquisition of communications security.

  • PEO C4I: Manage the Navy’s IA acquisition programs and projects, including R&D and full life-cycle support.

  • PEOs: Oversee program acquisition execution in area of jurisdiction.

  • SYSCOMs: Oversee program acquisition execution in area of jurisdiction.

  • MARCORSYSCOM: Procure USMC IA programs.

  • DISA: Direct the procurement of DOD-wide IA products and licenses.

Certification and accreditation

  • SPAWAR: Serve as Navy’s certification authority for information and network systems.

  • NETWARCOM: Serve as Navy’s accreditation authority for information and network systems.

  • PEOs: Apply IA architectures and IA requirements in program execution.

  • SYSCOMs: Integrate IA requirements in design of information systems.

  • MARCORSYSCOM: Serve as USMC certification and accreditation authority for systems.

  • HQMC: Serve as USMC certification and accreditation authority for networks.

NOTE: Acronyms are defined in Appendix A.

SOURCE: Derived from Office of the Chief of Naval Operations Instruction 5239.1C, Department of Defense Instruction 8500.2, and Department of Defense Instruction 8580.1.

INTEGRATED POLICY DEVELOPMENT AND ORGANIZATIONAL SUPPORT

The previous chapters of this report offer the background and context in which information assurance should be viewed by the DON for today’s and tomorrow’s warfighting environment. The subsections in this final major section of Chapter 6 illuminate IA policies and processes as currently addressed and implemented, and identify weaknesses in achieving the necessary IA posture and readiness that the department requires. Suggestions and specific recommendations for organizational integration that hold promise for achieving more effective information assurance are offered.

For purposes of clarity and precision, the term “networks” is used in what follows to refer to large general-purpose or enterprise systems such as the Navy/Marine Corps Intranet (NMCI), the Marine Corps Enterprise Network (MCEN), shipboard local area networks (LANs), aviation general-purpose networks, and DOD networks such as the Non-Classified Internet Protocol Router Network (NIPRnet) and the Secure Internet Protocol Router Network (SIPRnet) and so on, used for command, control, and intelligence purposes. But the term “networks” is not used to refer to combat system networks such as the Joint Tactical Information Distribution System, Multi-functional Information Distribution System, or Cooperative Engagement Capability. In a Venn diagram of networks and applications, applications are included in the network set only for considerations of hosting, transport, and policies relative to degradation of performance. In practice, a network designated approving authority would accredit the use of a certified application to use a network. However, the network authority would not get involved with the application’s function—that is the purview of the application’s process owner.

Although the committee was briefed and saw evidence on the convergence of combat system command and control with intelligence networks, its deliberations were premised on the continued separation of these networks in naval warfare.

Mention is also made of “life-cycle information assurance.” By this term, the committee is referring to the need to provide information assurance capability throughout the life cycle of a system. This especially becomes significant when a system transitions from the acquisition community to the operating forces and is subjected to operations and maintenance (O&M) resource pressures.

The discussion below articulates the reasons why information assurance is critically important for future naval warfighting success—and, correspondingly, why the Department of the Navy needs to place its development and management in the hands of a dedicated cadre, provided with appropriate educational and training support.

Intellectual Property

The DON does not currently own or control the designs of the critical technology components that comprise the information capabilities designed and operated as part of the network-centric command-and-control systems. However, the DON does design how commercial off-the-shelf components are integrated and used to achieve desired warfighting and system capabilities. The use of COTS components offers significant economic and performance advantages, but they come with inherent IA risks outlined and discussed in previous chapters. In order to respond to the high level of IA risk associated with a COTS component strategy, the committee believes that the DON will need to have a cadre of officers, enlisted personnel, government civilians, and contractors who can responsibly integrate COTS components into sensitive network-centric warfare applications, with sufficient attention to IA so as to manage the trade-offs between IA and mission performance in system design and mission operations. The IA management team must develop the strategies to cope with changing disruptive threats during the life subcycles of design, development, and field support.

The committee’s opinion is that the department is not structured to accomplish this objective effectively today. There currently exist multiple stakeholders, including acquisition authorities, resource sponsors, systems commands, PEOs, and operational commands, with varying authorities relative to achieving information superiority. This structure results in the knowledge, authority, and accountability being very broadly dispersed—in the committee’s view, too broadly dispersed to deal with the recognized complexities associated with IA in a timely manner, with time controlled by ever-changing adversarial capabilities.

Architectural Alignment

Information assurance today suffers from a “traditional” and overly limiting definition of practice. Information assurance is more than simply ensuring proper password practices, guarding against network intrusions by installing firewalls, and providing patch updates when required. In its broadest sense, IA can be described as the absolutely essential, always ongoing process, involving people, procedures, and technology, required to protect a highly networked naval force against attacks to its communications capabilities and the data therein. A successful cyberattack will put critical DON data and information in jeopardy and thus potentially reduce the capability of the DON to execute its missions. In that sense, the committee, through its deliberations, assesses that there are multiple seams across the information assurance area in the DON that might prevent the development and execution of a unified, integrated information assurance strategy. Coordination among policy, acquisition, financial resource allocation, operations, and manpower and training functions and authorities is greatly complicated by these seams. As an example and consequence, the synchronization of software architecture, hardware architecture, and organizational design/enterprise architectures either does not routinely occur or is accomplished with difficulty. This results in the lack of an authoritative information assurance architecture that is adequately scoped and programmed and in a lack of configuration control relative to information assurance. It also does not easily permit adjustments related to unanticipated changes in threat, potentially rendering newly developed capabilities as higher-than-desired risk elements for the naval forces structure. This misalignment can exist within the DON and across the agencies and the other military Services.

As with many other system attributes, information assurance cannot be “installed” at system testing. The needs and requirements for information assurance and its effect on the hardware, software, and the operational environment must be continuously considered as a system is being designed and developed. Information assurance, including the potential need for adjustments due to changing threats, has to be considered in the early design decisions and trade-offs at the front end of the life cycle or it will be very difficult and costly to deal with later during development or in operation.

Outsourcing and Acquisition

The acquisition of major naval networks from industry is clear recognition that the intellectual property for these networks does not wholly reside in the DON or DOD. Moreover, the lack of a fully authoritative and effective DON information assurance CONOPS and information assurance enterprise architectures complicates major network acquisitions such as the NMCI, the DDG-1000 Total Ship Computing Environment, the LPD 17 Shipboard Wide Area Network, the USS Ronald Reagan CVN 76 Integrated Communication Advanced Network, and the Littoral Combat Ship network platforms, including both its hardware and software. Potential implications include the following:

  • The life-cycle information assurance and the required strong configuration control handoff from systems commands and PEOs to the fleet degrading over time. Operational and resource pressures can negatively impact IA system upgrades and personnel training and can create challenges to life-cycle configuration management;

  • The Navy’s losing the capability to understand or effectively manage network-centric technology processes owing to the dispersion of know-how regarding threats, system IA architecture and design, system development, and system field operations. The lack of a dedicated, coherent “network workforce” community at all of the systems commands and in the fleet amplifies this trend; and

  • The Navy’s not fully integrating contractors into its operational processes although it has outsourced much of its required technological capabilities to industry. Of even greater concern is how much second- and third-level outsourcing has occurred, resulting in additional vendors and correspondingly reduced visibility.

Organizational Structure

Structurally complicating the complete elimination of the IA seams resulting from differing policies, requirements, financial resource allocations, acquisitions, operations, and manpower and training functions is that there are two military Services within the DON. This necessarily involves consideration of multiple and varied requirements affecting network-centric operations. Priority differences within the Navy and the Marine Corps can often yield different results for network-centric capability, which often must be reconciled at the SECNAV level or go unresolved. For policy and acquisition issues, this is typically accomplished by two different organizations within the department that address network-centric, IA issues: (1) the DON CIO organization and (2) the ASN(RDA) organization.

A depiction of the many entities involved in the IA process for the DON was presented previously (see Table 6.1). The committee assesses the information assurance governance in the department to be too complicated and far less than optimal. In fact, as a National Research Council committee concluded in 2000, “Currently no single individual within the Department of the Navy has IA governance responsibility and authority.”14 This remains the case today.

Need for Organizational Realignment

The reasons cited in this chapter, combined with the above-cited description of information assurance governance in the DON, suggest the need for organizational realignment. The department should examine alternatives to acquiring and managing networks that provide tightly controlled IA discipline with respect to architecture conformance, life-cycle support, and configuration management; an ability to accommodate technology insertion; and a structure to facilitate risk management. In an effort to gain insight into organizational models that might help to accomplish these objectives, the committee examined the Naval Nuclear Propulsion Program (NNPP) and the Department of the Army Chief Information Officer/Assistant Chief of Staff for Information Management (DOA CIO/G6) organization.

Naval Nuclear Propulsion Program

The Naval Nuclear Propulsion Program is known for its effective management and accountability for safety assurance. For example, after the Columbia Space Shuttle accident in 2003, the Director, NNPP, was called to testify before Congress on the NNPP and its culture of safety “that has allowed Naval Reactors to be successful for the last 55 years.”15 More recently, the Director, NNPP, was assigned by the Secretary of Defense to investigate the mistaken delivery by the U.S. Air Force of fuses used in intercontinental ballistic missiles to Taiwan.16

14

Naval Studies Board, National Research Council. 2000. Network Centric Naval Forces: A Transition Strategy for Enhancing Operational Capabilities, National Academy Press, Washington, D.C., pp. 217-218.

15

Statement of Admiral F.L. “Skip” Bowman, USN, Director, Naval Nuclear Propulsion Program, before the House Committee on Science, Washington, D.C., October 29, 2003. See also, NNBE Benchmarking Team, 2003, NASA/Navy Benchmarking Exchange (NNBE), Vol. II, Progress Report, Naval Sea Systems Command and National Aeronautics and Space Administration, Washington, D.C., July 15.

16

Secretary of Defense Task Force on DoD Nuclear Weapons Management. 2008. Report of the Secretary of Defense Task Force on DOD Nuclear Weapons Management, Phase I: The Air Force’s Nuclear Mission, Washington, D.C., September.


Under Executive Order 12344,17 the NNPP was established as a program carried out by the DON and the Department of Energy (DOE) and led by a director with technical background and experience in naval nuclear propulsion who serves for a term of 8 years.18 The director, if a Navy officer (all directors have been Navy officers so far), is an admiral reporting directly to the CNO and having direct access to the Secretary of the Navy, and is also an assistant secretary of the DOE. The NNPP has total responsibility for all aspects of Navy nuclear propulsion, including research, design, construction, testing, operation, maintenance, and ultimate disposition of naval nuclear propulsion plants; the safety of reactors, including the prescribing and enforcement of standards and regulations; personnel, including training and concurrence in the selection of all personnel who operate reactors; and administration, including oversight of procurement, logistics, and fiscal management.

The NNPP and the position of Director, NNPP, are certainly unique aspects of the Navy management structure, in response to the high-priority need for specialization and safety accountability. Because of the authorities granted the director, the potential seams between policy, requirements, budgeting, research, acquisition, operations, and training and personnel management that the committee observed for IA and networking are not present for nuclear reactors. The committee understands that there are significant differences between providing reactors and networks for ships and that the governance structure of the NNPP is due to unique factors—including the legacy of Admiral Hyman Rickover, USN—that could not simply be replicated for IA and networks.

Nonetheless, the committee believes that there are strong parallels between the nuclear propulsion area and the IA area. In the analysis of the committee, the parallels—which include the need for strong alignment of authorities and responsibilities; the need for strong leadership and continuity (in the case of the NNPP, facilitated by the qualifications, high rank, and long tenure of the director); the emphasis on selection and training of technically qualified personnel; and the need for strong, continuing technical support (in the case of the NNPP, provided by the DOE laboratories)—call for a similar organizational response. A takeaway lesson from the NNPP model is that there is a clear and strong sense of ownership of the nuclear propulsion mission and the applicable authorities.

Department of the Army Chief Information Officer

The DOA CIO/G-6 provides architecture, governance, portfolio management, strategy, C4 IT acquisition oversight, and operational capabilities to enable joint network-centric operations for the Army.19 The DOA CIO/G-6 is a lieutenant general who reports to the Secretary of the Army and provides staff support to the Chief of Staff of the Army. The DOA CIO/G-6 organization is depicted in Figure 6.2.

17

Ronald Reagan, President of the United States. 1982. Executive Order 12344 (Naval Nuclear Propulsion Program), The White House, Washington, D.C., February 1.

18

The program is also known as the Naval Sea Systems Command (NAVSEA) Nuclear Propulsion Directorate (08), or NAVSEA 08.

FIGURE 6.2 Organizational structure of the Department of the Army, Chief Information Office (CIO)/G-6.

The Army’s Network Enterprise Technology Command (NETCOM) reports directly to the DOA CIO/G-6 and operates and defends LandWarNet—the Army’s portion of the GIG. The NETCOM commander is a major general. Composed of more than 17,000 soldiers, civilians, and contractors, the signal commands and brigades of NETCOM are stationed and deployed worldwide, supporting Army, joint, interagency, and multinational operations, and the Pentagon.

The PEO EIS develops, acquires, integrates, deploys, and sustains network-centric information technology, business management, communications, and infrastructure systems. PEO EIS reports on a solid-line basis directly to the Assistant Secretary of the Army for Acquisition, Logistics and Technology (ASA[ALT]) and on a dotted-line basis to the DOA CIO/G-6.

The DOA CIO/G-6 is the principal focal point for the Army for information management matters with external organizations; it has authority over policy, requirements, budgeting, operations, and training and personnel management; it is the DAA for Army information systems20 (with the exception of Army sensitive compartmented information [SCI] systems); and supports the ASA(ALT) acquisition of information systems and parts of other major capabilities. While the mission, organization, and culture of the Department of the Army are not the same as those of the Department of the Navy—in particular, as noted above, the DON has two Services—the DOA CIO/G-6 organization provides an example of an alternative organization and governance structure for networks and IA, with the DOA CIO/G-6 explicitly tasked to fill the seams between the various Army organizations with a specific role regarding IA and networking.

19

Headquarters, Department of the Army. 2008. “Army Knowledge Management and Information Technology, Army Regulation 25-1,” Washington, D.C., December 4.

20

The CIO/G-6 may delegate the DAA role. The Army certification authority (CA) is the Army senior IA officer. The Director, Office of Information Assurance and Compliance (an element of NETCOM), has been appointed as the SIAO by the DOA CIO/G-6. The CA maintains a list of qualified government organizations to perform the certification activities.

Alternative Organizational Models

Based on its analysis of the current organizational structure of the Navy for networking and IA21 and after consideration of models such as the NNPP and the DOA CIO/G-6, the committee considered various new alternative organizational constructs. In anticipation that the DON may contemplate the inclusion of an organizational response in its efforts to address the information assurance challenges outlined in this report, the committee has developed four naval IA organizational model alternatives, which are presented below.

The most comprehensive organizational approach is considered in Option 1; Options 2 through 4 would involve somewhat less change. A chart depicts the structure of each. Elements of these options could also be selectively implemented.

IA Organizational Model—Option 1

Option 1 (Figure 6.3) would establish a new senior flag/general officer position, entitled Director, Naval Networks (DNN), to rotate between the Navy and Marine Corps, as the single authority for naval networks. The DNN would provide the strong leadership that is needed for secure operation of naval networks in a similar fashion to the strong leadership provided by the Director, Naval Reactors, for the secure operation of naval reactors. A uniformed officer is preferred over a civilian to emphasize clearly the operational importance of the position. This dual-reporting position would assume the current functions of the DON CIO and the DASN(C4I/EW/Space) and would report directly to the Secretary of the Navy, for acquisition oversight of naval network systems and fulfilling Clinger-Cohen Act responsibilities.22 The position would also report to the CNO and the CMC with responsibility for life-cycle management of information systems afloat and ashore and for the education and training of a dedicated officer, enlisted, and civilian cyber workforce. The office would be appointive for at least the duration of the Program Objective Memorandum (POM) cycle (5 years) to ensure policy and execution continuity and accountability.

21

The committee believes that management of IA cannot be separated from management of networking, in the meaning of the term defined earlier in this chapter. Therefore, its organizational recommendations cover both IA and networking.

22

The Clinger-Cohen Act of 1996 (Public Law 104-106) outlines the requirements for acquisition of information technologies in government agencies and the responsibilities of the agency chief information officer. Any DON IA organizational adaptation must also conform to the requirements of the Goldwater-Nichols DOD Reorganization Act of 1986 (Public Law 99-433). Under this act, the Secretary of the Navy has explicit authority to assign such of his powers, functions, and duties as he considers appropriate to the Under Secretary of the Navy and to the Assistant Secretaries. The Secretary of the Navy has made the ASN(RDA) responsible to “establish policy and procedures and manage all research, development and acquisition” within the department (Public Law 99-433, Section 5015).

FIGURE 6.3 Organizational model—Option 1: Adding “Naval Networks” organization (senior flag or general officer with triple hat) to the Secretary of the Navy (SECNAV), the Chief of Naval Operations (CNO), and the Commandant of the Marine Corps (CMC). NOTE: MARFORS, Marine forces. Other acronyms are defined in Appendix A.

The DNN would have dotted-line relationships with OPNAV N6 and Headquarters, Marine Corps (HQMC) for requirements and resource issues; with NETWARCOM, MCNOSC, and the Marine Corps Information Operation Center for operational issues; and with the ASN(RDA) for acquisition issues. The DNN would also be responsible for integrating IA strategies and plans across all naval communities (surface, subsurface, expeditionary, air, space, and cyberspace), as well as with joint communities. The Director, Naval Networks, would have the authority to establish network “safe-to-operate” criteria to use as enforcement authority if a naval network was judged to be so impaired as to potentially harm naval operations.23

This model would retain the Naval Network Warfare Command (NETWARCOM) at the Echelon III level as the functional and operational type commander for Navy networks, but would also grant NETWARCOM and HQMC C4 the authority to certify as well as accredit software and hardware systems on naval networks. This alternative would consolidate significant responsibility for IA policy, acquisition, financial resource allocation, operations, and manpower and training functions under the DNN.

Establishing the position of DNN would recognize the critical importance of networking to current and future naval capabilities. It would also represent a historic step comparable to the establishment of the NNPP.

The committee believes that acquiring network capability for the DON and providing the necessary life-cycle support and the needed education and training must be executed at the highest levels within the department to achieve the right organizational response. The DNN would also be given post-program, post-budget adjustment authority to accommodate exigencies that might occur during the development, production, and fielding of information and network systems, specifically to coordinate IA capabilities. This organizational alignment would afford great benefits by merging the DON CIO and the DASN C4I responsibilities. It would permit the DNN to employ both Clinger-Cohen Act and DOD Directive 5000 acquisition directives to optimal benefit for the DON. The combination of the offices would also bridge the transition of networks from the acquisition domain into the operating forces by the office’s reporting to SECNAV and to the CNO and CMC. This would give the Director, Naval Networks, the responsibility to ensure life-cycle support of networks.

23

Such a “safe-to-operate” decision may involve the important operational risk analysis of “network gain/loss” versus “operational gain/loss.” That is, leaving a network connected could allow an intrusion to propagate, but disconnecting the network could cause the failure of a mission and possible loss of life if the mission was dependent on network connectivity.


Like the Director, Naval Reactors, the DNN would have to have ready access to technical expertise to provide technical depth and continuity of knowledge. This would be provided by SPAWAR and the Navy laboratories, augmented as necessary by support from Federally-Funded Research and Development Centers and contractors.

Sole execution authority within the DON would be given to NETWARCOM and HQMC C4 to both certify and accredit information systems, thus centralizing authority for this most critical IA requirement. NETWARCOM would designate certification authorities and establish independent verification and validation teams for periodically and frequently checking approved certifications in both the acquisition and operational stages. The DNN would coordinate with naval operational and intelligence agencies to develop cyberthreat analyses.

Due to the DNN’s stature, tenure in office, and technical support, the DNN would be well positioned to address other key issues identified in this report, including energizing the Navy’s research program in IA and CND, integrating offensive and defensive cyber operations, and integrating all aspects of IA through a risk management approach.

IA Organizational Model—Option 2

Option 2 (Figure 6.4) would establish a Network Programs Office (NPO) as a Direct Reporting Program Manager (DRPM) reporting to the ASN(RDA), transferring or adding required support resources as needed from the Navy’s PEO C4I and PEO EIS and appropriate USMC PEOs, to ensure a high level of attention to challenging acquisitions and strict acquisition discipline for the delivery of afloat and ashore networks and for their life-cycle management and information assurance readiness.

In this model, NETWARCOM is retained at the Echelon III level as the functional and operational type commander for Navy networks; likewise, MCNOSC retains its current authorities and responsibilities in the Marine Corps. As in Option 1, this option would also grant NETWARCOM and HQMC C4 the sole authority to certify as well as accredit software and hardware systems on naval networks. This alternative therefore modifies naval IA policy and acquisition only. It does not change financial resource allocation, operations, or manpower and training functions.

The establishment of the Network Programs Office as a Direct Reporting Program Manager would provide the special scrutiny and oversight necessary for significant, challenging new acquisitions in the network domain. Sole authority within the DON is given to NETWARCOM and HQMC C4 both to certify and accredit information systems, thus centralizing authority for this most critical IA requirement.

FIGURE 6.4 Information assurance organizational model—Option 2: Adding a “Network Programs Office” (NPO) as a Direct Reporting Program Manager (DRPM) reporting to ASN(RDA). NOTE: CDR, commander; MARFORS, Marine forces. Other acronyms are defined in Appendix A.
IA Organizational Model—Option 3

Option 3 would elevate NETWARCOM to the Echelon II level reporting to the CNO, thus recognizing the Navy-wide criticality of information assurance and networks (Figure 6.5). This model also grants NETWARCOM and HQMC C4 the sole authority to certify as well as to accredit software and hardware systems on naval networks. This alternative modifies policy and potentially financial resource allocation, and also modifies manpower and training functions. It does not change acquisition and operations.

Placing NETWARCOM as an Echelon II command would recognize the Navy-wide importance of information assurance and make this important function report directly to the CNO. Establishing NETWARCOM as an Echelon II command would give NETWARCOM the clear enforcement responsibility for network IA policy and operations across the entire Navy enterprise. Increased influence with OPNAV in the Program Planning and Budgeting System process would result, as NETWARCOM will provide information and network requirements directly to the OPNAV staff. As in Options 1 and 2, sole authority within the DON would be given to NETWARCOM and HQMC C4 both to certify and to accredit information systems, thus centralizing authority for this most critical information assurance requirement.

IA Organizational Model—Option 4

The committee’s Option 4 model represents the least amount of change with respect to current naval IA operations. This option would grant NETWARCOM and HQMC C4 the sole authority to certify as well as to accredit software and hardware systems on naval networks (Figure 6.6). Thus, this alternative would only modify naval IA policy responsibilities. It would not change acquisition, financial resource allocation, operations, and manpower and training functions. (See Table 6.2 for a summary comparison of each option discussed above.)

Summary Discussion

The committee consulted with several senior naval officials who were selected on the basis of their potentially providing the committee with new insights concerning possible organizational recommendations. These officials included the current Director of Naval Nuclear Propulsion, the former ASN(RDA), and the current Commander of NETWARCOM. They were also chosen to help the committee understand issues associated with the currently “federated” approach for governing naval IA and addressing IA issues. On the basis of its discussion with the selected officials, the committee’s own analysis and experience-based personal views, and the Navy’s projections regarding the growing threats to information assurance, the committee believes that Option 1

FIGURE 6.5 Information assurance organizational model—Option 3: The Naval Network Warfare Command (NETWARCOM) with additional information assurance authorities at the Echelon II level. NOTE: CDR, commander; MARFORS, Marine forces. Other acronyms are defined in Appendix A.

FIGURE 6.6 Information assurance organizational model—Option 4: The Naval Network Warfare Command (NETWARCOM) and the Marine Corps Network Operations and Security Command (MCNOSC) with additional information assurance authorities. NOTE: CDR, commander; MARFORS, Marine forces. Other acronyms are defined in Appendix A.

TABLE 6.2 Comparison of Alternative Organizational Model Constructs and Their Impact on Naval Information Assurance Functional Areas

Proposed Organizational Construct

Naval Information Assurance Functional Area Impacted

Policy

Acquisition

Resource Allocation

Operations

Manpower and Training

Naval Networks (Option 1)

Combine DON CIO and DASN (C4I/EW/Space)

Combine DON CIO and DASN C4I

Combine DON CIO and DASN C4I

Safe to operate

Directs naval networks manpower and training

 

Adds cyberthreat analysis to NETWARCOM, MCNOSC

 

Coordinate with OPNAV N6

 

 

 

Manager, cyber workforce

 

Sole authority for C&A to NETWARCOM, HQMC C4

 

 

 

Direct Reporting Network Programs Office (Option 2)

Sole authority for C&A to NETWARCOM, HQMC C4

DRPM ASN(RDA)

No change

Adds cyberthreat analysis to NETWARCOM, MCNOSC

No change

NETWARCOM Echelon II (Option 3)

Sole authority for C&A to NETWARCOM, HQMC C4

No change

Program Objective Memorandum (POM) Major actor

Adds cyberthreat analysis to NETWARCOM, MCNOSC

Directs naval networks manpower and training

NETWARCOM, HQMC C4 Additional IA Authorities (Option 4)

Sole authority for C&A to NETWARCOM, HQMC C4

No change

No change

Adds cyberthreat analysis to NETWARCOM, MCNOSC

No change

NOTE: Acronyms are defined in Appendix A.

Suggested Citation:"6 Organizational Considerations." National Research Council. 2010. Information Assurance for Network-Centric Naval Forces. Washington, DC: The National Academies Press. doi: 10.17226/12609.
×

would best position the Navy and the Marine Corps to address current and future information assurance and cyber-related challenges and to facilitate rapid IA progress. The committee does not suggest that the models described above are exhaustive in their scope; of the four organizational models presented, however, Option 1 provides the most clear and comprehensive naval IA governance authority and responsibility for addressing the IA issues outlined throughout this report, including the previously discussed governance seams between naval IA functions of policy, acquisition, financial resource allocation, operations, and manpower and training. The Option 1 model provides a clear and strong signal for the ownership and accountability of the bedrock DON information assurance mission.

With the appropriate assignment of authority and responsibility to the Director of Naval Networks, Option 1 would more closely resemble the clear cyber command lines of authority and responsibility found in the Headquarters (HQ) U.S. Army.24 The Army HQ’s model for managing cyber-related activities is in contrast to the current DON federated approach for managing naval IA and networking, and would appear to provide the opportunity for clearer governance responsibilities and cleaner, unambiguous lines of authority.25 By providing a single focal point for naval cyber matters, the proposed naval Option 1 construct would also facilitate relationships with joint organizations, ensuring that the DON speaks with a single voice.

As a less dramatic potential naval IA organizational approach, a “strong federated” governance model—an option in which each of multiple parties has well-defined responsibilities with a clear understanding of the relations among those responsibilities, an improvement over the current “weak federated” model—is also recognized by the committee to provide a partial solution to naval IA governance issues. However, a federated approach lacks clear accountability for many crosscutting IA and network operations-related issues, and it leaves unreconciled potentially critical IA issues such as (1) the need for fast response and decision making in the time of crisis, (2) the development and continuity of deep knowledge and properly trained manpower in crosscutting cyber technical areas, (3) the ongoing requirement for IA resource prioritization with different organizational points of impact, and (4) the development of required expertise to manage and balance more systematically the high-level IA-related trade-offs and operational risks.

24 See Army Regulation 25-1, Headquarters, Department of the Army, Washington D.C., December 4, 2008; and Capt Carla Pampe, USAF, 8th Air Force Public Affairs Office, 2006, “Air Force Officials Consolidate Network Ops,” Department of the Air Force, Barksdale Air Force Base, La., July. Available at <http://www.af.mil/news/story.asp?id=123023090>. Accessed May 1, 2009.

25 Note, however, that Army cyber field support operations are distributed between NETCOM and the Intelligence and Security Command (including its subordinate element, the 1st Information Operations Command [Land]), whereas the Navy’s cyber operations are consolidated under NETWARCOM.


As with any suggested organizational model, the preferred centralized command model for naval IA presented by the committee will have disadvantages as well as advantages. For example, centralized organizational structures are sometimes viewed as less innovative, and perhaps less adaptive, than structures in which multiple or occasionally competing authorities coexist. Also, less centralized structures are typically better at horizontal and multiple-direction communication than are centralized structures, which are sometimes dominated by hierarchical, top-to-bottom communications.

Nonetheless, the committee’s opinion is that the organizational structure required to address the four potentially critical IA issues just listed, coupled with the growing cyberthreat and the resulting need for clear IA accountability, points to Option 1 as the preferred model. While Options 2, 3, and 4 are less-extensive variations of the theme expressed in Option 1, the committee’s opinion is that IA and related network operations will demand clearer governance authority and single-line accountability than are provided by Options 2, 3, and 4, especially as network-centric operations, information assurance, and cyberwarfare all grow in importance over the coming years.26

A DON decision and potential implementation of Option 1, or of any model outlined above, would obviously require further in-depth study and deliberation. However, the urgency of addressing information assurance and cyberdefense needs calls for a new organizational model on which serious examination should begin immediately. The committee recognizes that an organizational change to the recommended Option 1 would be a major step for the DON; however, the committee also believes that, as suggested by one senior Navy leader, such a change is better achieved through the vision and drive of a determined group of naval leaders than in response to a major cyber-related catastrophic event.


MAJOR FINDING: The governance of information assurance is widely distributed across naval forces, with many parties playing roles, resulting in many governance seams. In particular, there is no centralized authority or organizational mechanism in place in the Department of the Navy for governing IA and end-to-end cyber operations. For example, a shared scope of governance of security policy and fiscal authority for naval networks resides throughout the DON, including with the Department of the Navy Chief Information Officer; the Deputy CNO for Network Operations; Headquarters, Marine Corps; Naval Network Warfare Command; Echelon II Chief Information Officers; Commander–Naval Installation Command; Program Executive Officers; and Navy Systems Command.

26 For example, a significant finding from the investigation of recent errors involving the mistaken shipment of nuclear weapons by the U.S. Air Force was the lack of clear lines of authority, which allowed safety assurance practices to degrade over the years. In other words, “no one owned the problem.” ADM Kirkland Donald, USN, Director, Naval Nuclear Propulsion, private communication with committee co-chairs, October 10, 2008.


MAJOR RECOMMENDATION: The leadership of the Department of the Navy should examine more-centralized IA-related organizational structures for integrating its information assurance strategies and plans across all naval communities (surface, subsurface, expeditionary, air, space, and cyberspace), as well as for integrating those same strategies and plans with joint communities (Combatant Command, Office of the Secretary of Defense). The examination should address the needed IA governance and fiscal authorities for sustaining both current and future readiness levels, as well as which DON organizations are critical to defending against evolving cyberthreats—from the strategic to the tactical level.
