The group in charge of guaranteeing the safety of many military links into the larger network has improved practices and revised a major contract.
The Defense Information Systems Agency’s (DISA’s) Field Security Operations (FSO) Division is responsible for certifying and accrediting many military systems before they connect to the Global Information Grid (GIG). In addition to working on DISA projects, the division performs tasks for various groups including some combatant commands and joint elements in the U.S. Defense Department.
Keeping networks secure is one of the most important and challenging tasks for the U.S. Defense Department as it continues its morph into a network-centric force. The Defense Information Systems Agency’s Field Security Operations Division has the responsibility for ensuring the strength of those networks by certifying and testing them against threats. A few recent, and some gradual, changes have occurred to streamline the security process, as more systems connect into the Global Information Grid. The review process involves multiple levels of urgency along with a range of possible violations.
One of the most recent changes to the handling of security issues was announced early this year when the Field Security Operations (FSO) Division made a change to the personnel involved in the process. In the past, the FSO Division operated with two private corporations that divided the work. In January, the division switched to a performance-based contract merging two contracts into one and awarding it to a single company, EDS. The company’s former competitor, SAIC, is now a subcontractor. “They basically merged together in this effort and got the bigger contract,” Bill Keely, chief of the FSO Division, explains.
According to Keely, the new arrangement makes it easier for the division to schedule reviews. It needs to turn to only one company to arrange matters instead of dealing with two separate teams who lacked any contractual relationship. Coordination is key, because the division handles an intense workload, often sending out seven to eight teams in a week to perform various assignments.
Other major changes for the FSO Division over the past 12 years include the broadening of the scope of work and the increasing amount of cases undertaken. For example, one type of review the division conducts is enhanced compliance validation. Teams of six personnel go out at the request of the Joint Task Force-Global Network Operations (JTF-GNO) and validate that policy is being followed at different locations. The work takes one to two weeks to complete. Currently, the FSO Division performs approximately 100 such reviews a year, and Keely expects that pace to increase. As recently as 2003, the division conducted only 25 a year. “This is part of supporting U.S. STRATCOM’s [Strategic Command’s] drive to increase accountability on the network,” Keely says.
Another category of reviews involves those associated with certification and accreditation. In these technical reviews, the experts look at policies associated with the system to see how they are being implemented. The military needs to know the risk it takes when a system becomes operational, so the FSO Division serves as the certifying authority for the Defense Information Systems Agency (DISA) and works at the command of system accreditors, which send out a division team to certify different systems. The teams provide evidence through their assessments, and the accrediting authority makes risk decisions based on that evidence. Besides doing that work for DISA, the FSO Division also acts as the certifying authority for several combatant commands (COCOMs), another relatively new assignment. The FSO Division acts as their designated accrediting authority, just as it does for DISA.
In addition, the past 12 years have resulted in workload growth for the FSO Division. It now handles about 100 different checklists for various applications, operating systems and technologies. Slightly more than a decade ago, the division had only five checklists. “The number of types of technologies we have to deal with has expanded, and our ability to deal with those has greatly expanded,” Keely says. Another change is the transition from working largely on DISA-specific taskings to undertaking jobs for the COCOMs as well as Defense Department elements, especially the joint ones. Keely shares that the military services mainly handle their own reviews; his division is involved closely with agencies, COCOMs and various Defense Department activities.
The many checklists used by the FSO Division typically include three grades of criticality. Category Three is the lowest category, encompassing the violations with the least priority. Category One is the most critical and can stop a system from going live if risks are not well mitigated. An overabundance of the middle-range Category Two violations also will stop a system from going live. If violations from either Category One or Two are found on a system already up and running, the FSO Division alerts the JTF-GNO and recommends that the task force send out a Global Information Grid (GIG) alert. The JTF then gives the offending organization a deadline to resolve the issue before the system is disconnected. Keely says that this process has been taken seriously by connected sites in the last six months and that STRATCOM is using the process to enforce compliance.
Keely’s associate, Drew Franklin, a team lead for teams who conduct security reviews across the Defense Department, offers examples of types of serious violations, including a network not configured in accordance with department guidelines, the lack of a firewall and an improperly configured boundary router. Those violations are significant because through them, an attacker could gain access to the network. In fact, what makes a violation a Category One offense is its ability to expose the system to enemies that can gain route access to systems.
Ensuring the security of the technologies connected into the GIG is important for the stability of the network and military information. The FSO Division performs certification and accreditation for many capabilities, but the service branches handle their own reviews. Here, Petty Officer 2nd Class Frederick Marshall, USN, assigned to the guided missile destroyer USS Hopper, receives hands-on information technology training.
Though none of the systems operating today are perfect in terms of security, Keely states that, “We want to be able to block all the unsophisticated attack methods so that we can focus on effectively defending against the sophisticated ones.” On the most critical systems, the FSO Division wants to ensure that even a breach by the most sophisticated hacker is a rare event.
Unfortunately for the FSO Division, sometimes it is hard to tell the difference between a formidable enemy and a more innocuous one. Low-grade hackers still make noise on the system that attracts the attention of security officials. Sophisticated hackers can cloak themselves in the disguise of these other enemies, making it difficult for officials to differentiate between the two. The FSO Division aims to eliminate the noise caused by the lesser threats so the focus remains on the more dangerous enemies, forcing them to use increasingly sophisticated methods, which the division can then address.
The threats facing military systems are varied and range from disgruntled employees to nation-state attacks. Keely and his staff worry about internal and external threats and want to address all levels of sophistication. A major concern is that a nation-state would start using cybermethods during a normal kinetic attack. “We’re also concerned about people having a persistent presence on our network so that in the future, they will have an advantage if hostilities ever happen,” he shares. Other worries include attackers infiltrating the networks and discovering secrets such as how to perform countermeasures against weapon systems or finding defense planning information. “So we’re worried about secrets being revealed, and we’re worried about systems being commandeered, and we’re worried about denial-of-service attacks,” Keely says.
Other changes to the FSO Division’s workload involve expanding the division’s scope and technical depth. Rather than focusing on information assurance, it now places more attention on network operations capability. “Instead of looking at a system being secure, we also now look at how well that system is being defended and reporting up whenever there is an attack going on,” Keely explains. “We’re not only assessing our ability to protect but also our overall ability to defend.” He expects the division’s reviews to become more focused on the network operations aspect of defense in the future.
Another capability within the FSO Division is the Incident Response and Recovery Team. When a security incident of a serious enough nature occurs to a military organization that subscribes or is assigned to FSO Division for computer network defense services, the division sends out a team to perform situational awareness, discover the extent of the damage and figure out the likely avenue of attack. The team also helps determine how a site can best recover. “That’s a post-incident review,” Keely says.
The FSO Division reviews other computer network defense service providers (CNDSP) as well. Every organization in the Defense Department must be or subscribe to one of these providers, and the division is charged with accrediting them. This ensures that the approximately two dozen of these agencies actually are completing the 125 or so different functions for which CNDSPs have responsibility. “So we do organizations; we do applications; we do enclaves; we have many different types of reviews that are going on,” Keely explains.
To manage all those responsibilities, the FSO Division does a selection of sites it will send teams to for the year. Part of that list involves sites the JTF-GNO is concerned about based on past experience or the importance of a particular location. The security review experts try to perform validations before anything is connected to the secret Internet protocol router network or the nonsecure Internet protocol router network. In terms of certification, all program managers must be certified before they come online.
Once the list of sites is finalized (there might be 150 listed for the year), the FSO Division then begins to work with the CNDSPs for any locations not under its authority. The division also coordinates directly with locations to ensure that personnel there are available to assist the review team when it arrives. Teams of six to 10 people are composed based on the technologies at a certain site. The team will do an inbriefing, and then each reviewer will have a checklist of the different technologies on the network that he or she has to evaluate. The team leader produces a daily report that is sent back to the JTF-GNO, and at the end of the process, the team presents an outbriefing to, as Keely explains, “the most senior person we can get in the room.” A final report is prepared usually by the end of the next week.
The teams also make recommendations to the site as well as fix some problems while on location. In general, 70 percent to 80 percent of the original schedule is maintained throughout the year. The Incident Response and Recovery Team cannot be scheduled in advance, but the FSO Division has a notional idea of how many requests to expect for those services.
Some debate swirls around whether to send the same team back into a situation where it already has experience or whether a fresh set of eyes is preferable. Keely believes that regardless of whether using the same team is best practice, using a single agency is the best solution because it offers a synergy and allows personnel to mature processes.
Defense Information Systems Agency Global Information Grid Operations: www.disa.mil/news/pressresources/factsheets/go.html
Joint Task Force-Global Network Operations: www.stratcom.mil/default.asp?page=factsheets&factsheet=gno