Track One: Information Assurance - The Defender's Challenge
Track Leads: Col Stephen Jurinko/Mr. LeRoy Lundgren/Ms. Joudi Henoud
DoD networks are under constant attack! The Army has the responsibility for protecting and defending the LandWarNet (the Army's portion of the Global Information Grid, or GIG) and the communication capabilities of the War-fighter. The Army's Information Assurance (IA) Program is the key to information dominance and survivability in the current cyber-warfare environment. The IA Track covers technical challenges, policy and compliance aspects, information technology and the law, and best practices for protecting and defending the LandWarNet against sophisticated attacks and disruptions. Participants will take away a better understanding of the threat and become part of the solution for these IA challenges. Attendees will learn about current initiatives to thwart the global enemy, and how to successfully deliver the Army IA strategy and vision for secure and assured Army networks, systems, and information. Furthermore, the audience will learn what it takes to become a trained, certified, and confident workforce capable of executing this critical mission. The track will consist of presentations, discussions, and technical training sessions focused on the operational advantage for the War-fighter.
Tuesday, 21 August 2007
0945-1045 - Session 1: Information Assurance and the Law
Speaker: Mr. Tom King, NETCOM General Counsel
Legislation, privacy concerns, constitutional protection, computer incident response, the Internet and the electronic workplace, and unauthorized software use: these are just some of the legal challenges facing today's Army information security and IT professionals. This session drills down into the legal matters associated with developing and maintaining information assurance policies, and examines the jurisdiction and venue issues that accompany employee "expectation of privacy", electronic surveillance and monitoring, and the due diligence of Army organizations and agencies in responding to threats associated with the use of electronic resources. The speaker will take a hard look at the legal issues surrounding objectionable material and the liabilities to entities and individuals related to such material. The audience will learn about laws requiring protection of certain types of critical data, and about a variety of regulatory schemes and reporting requirements, potential liability, and legal recourse for failing to deploy proper safeguards or respond adequately to information security threats or vulnerabilities.
1230-1330 - Session 2: What's New in IA Today!
Speaker: Ms. Melissa Hicks, Information Assurance & Compliance Directorate/Office of Information Assurance and Compliance
Whether on the battlefield or in day-to-day homeland defense, our nation's safety depends on the integrity and availability of its secure information infrastructure. Information Assurance provides the strategy, vision, and key benefits that contribute to mission success. This session will present the what, who, where, when, and how of succeeding with your Information Assurance strategy, implementation, awareness, and compliance campaigns. The Army's IA policy and best practices continue to shape the framework through which the strategic, operational, and tactical communities can depend on information that is timely and actionable. This presentation will highlight models of success as well as key initiatives to integrate information assurance into the acquisition community for supplier assurance, data protection, enterprise architecture, information sharing, and future combat.
1345-1445 - Session 3: DIACAP Army Guidance and Transition
Speaker: Ms. Sally Dixon, Certification and Accreditation/Office of Information and Compliance
Information technology is changing the way DoD acquires, uses, certifies, and accredits its information systems and networks. This session will provide an overview of the Defense Information Assurance Certification and Accreditation Process (DIACAP), and present guidance and best practices to achieve a successful transition and optimal implementation of DIACAP. The move to a more centralized view of security will be a major culture shift and will require a completely different way of thinking about information security and Certification and Accreditation (C&A) functions. The more manageable DIACAP process is broken down into three major elements: (1) process improvement, which includes establishing a governance structure for principals in the War-fighter, business, intelligence, and core enterprise mission areas; (2) enterprise standards and procedures, and training programs for C&A practitioners; and (3) a web-based DIACAP knowledge enhancement service for information exchange, together with automation tools to reduce the C&A process time from months to days. To that end, the Army is leading the way in establishing guidelines and methodologies to implement the changeover effectively, efficiently, and painlessly.
1600-1700 - Session 4: Data Protection is Everyone's Business
Speaker: Mr. Paul Amos, Director, Integrated Plans Directorate/ESTA
Sensitive data is no longer confined within just one part of the Army organization. With the increasing proliferation of enterprise applications, devices, and the mobile workforce, there are more ways than ever for sensitive information to move inside and outside the Army enterprise. While business demands that this information continue to flow between the Army enterprise, its sister services, and coalition partners, the Army is also dealing with a wide-reaching variety of policies and technologies for securing Army data and personally identifiable information.
In this session you will learn how and why data must be protected wherever it resides, wherever it goes, and wherever it is used.
Wednesday, 22 August 2007
1100-1200 - Session 5: Current Initiatives and the Road Ahead for the Army CAC/PKI Program
Speaker: Ms. Tracy Traylor, IA Programs Directorate/Office of Information Assurance and Compliance
The phased implementation of Homeland Security Presidential Directive 12 (HSPD-12) continued at breakneck speed in 2006 and 2007. The Army kept the momentum going with its migration to interoperable Personal Identity Verification (PIV) cards for logical and physical access. The current DoD Common Access Card (CAC) remains the approved HSPD-12 compliant credential. Federal policy (FIPS Publication 201) calls for technical and policy changes to the smart card. Emphasis on identity vetting before card issuance remains vital. DoD's sequential implementation of PIV I and PIV II facilitated the transition of the existing DoD CAC. This session will expand your understanding of the multiple mandates of HSPD-12's Initial Operational Capability (IOC) and explain why it is critical to the Army achieving its goal. The audience will learn about the future of PIV II cards and what role Radio Frequency Identification (RFID) technology will play. This capability is intended to fulfill the requirements of HSPD-12 by serving as the primary authentication token for both logical and physical access. In addition, the session will preview the look ahead for fiscal years 2008 and beyond. After October 2007, only the new card will be recognized by U.S. Federal agencies, and all cardholders must use this card for authentication. Mandates for agencies to verify background checks for all employees (civilians and contracting support) will be released in 2008. The card will be interoperable across all agencies beginning in late 2008, locking the back and front doors simultaneously, safely, and securely, but not without challenges to the Army.
1430-1530 - Session 6: Training and Certification of the Army's Cyber Workforce
Speaker: Ms. Phyllis Bailey, Training & Policy Division Chief/Office of Information Assurance and Compliance
In today's environment of emerging security threats, the Department of Defense has recognized the critical need for highly qualified, experienced information assurance personnel. To ensure a knowledgeable and skilled workforce, the DoD has taken the necessary steps to develop a directive that covers the credentialing and continuing education of all DoD employees with privileged access to DoD information systems. The DoD 8570.1 mandate has been hailed as the landmark policy that requires continuous learning to maintain certification status. To the Army IA community, this directive, and the department's endorsement of commercial certifications for the technical and managerial levels, represents welcome, progressive reform. This session will present who is affected by this mandate; how quickly the Army expects its personnel to obtain certification; the significance of this mandate and of commercial certification; the current challenges that enterprise certification will address; and the Army's objectives and metrics for success.
Thursday, 23 August 2007
0845-0945 - Session 7: The Art of Information Sabotage: Threat Factors in the Public Domain
Speaker: Mr. LeRoy Lundgren, Deputy Director, Office of Information Assurance and Compliance
Loose Lips Sink Ships! So went the World War II slogan for protecting America's information and its citizens from the enemy. During those turbulent times in the United States' history, every American citizen-Soldier understood how sacred it was to safeguard America's information. Today, the enemy's tactics are unconventional, but the same code of conduct applies to prevent inadvertent disclosure of important information. The Internet, blogs, video logs, podcasts, instant messaging, phishing schemes, news reports, and public websites serve as weapons of mass destruction for the enemy. The U.S. intelligence community, Computer Emergency Response Teams (CERTs), and academia have all identified these technological sources as significant challenges facing Information Assurance, law enforcement, and intelligence professionals today. Inadvertent release of information creates fertile ground for information warfare and information superiority for terrorist and extremist movements, organized criminals, nation-state sponsors, and privacy hijackers. This session will specifically address the dangers posed to Army organizations and present policies, compliance measures, and remedies to counter them and remain vigilant.
1000-1100 - Session 8: Certificate of Networthiness: Dual Significance to Army and Industry
The Army's Networthiness process provides the "sanity check" for enterprise-level review of systems, architecture, and design. Leading technology providers view achieving a Certificate of Networthiness (CoN) as a significant milestone in their business plan to increase their market share within the Army and their visibility within the Department of Defense. While this certification is the gold standard for industry members, it is equally significant to the Army Information Assurance community! It allows the Army to assess risk and threat matrices and to verify and validate not only the product's capability, but its ability to perform in a secure environment. The lean approach of the Army's Networthiness process is pivotal to comprehensive lifecycle management for the design, development, and deployment of major programs. Its best practices establish software/system configuration controls, risk assessment strategies, and technical guidelines, and pave the way for the confidentiality, integrity, and availability of Army Enterprise services and applications.
The appearance of hyperlinks does not constitute endorsement by the Department of Defense (DoD), the Army Chief Information Officer/G-6, nor Network Enterprise Technology Command (NETCOM) of this website, or the information, products or services contained therein.
