Department of Defense Instruction NUMBER 8530.01 March 7, 2016
This Instruction goes a long way towards defining a single network view - military systems at all levels, contractor systems that process government information both classified and unclassified, and cloud computing infrastructures that DoD can influence. The idea will be to manage and secure that single entity network, something I have advocated for many years.
While this is a good view to take, the control lies with Cyber Command, a military organization, and the instruction broadly defines affiliated networks to include some belonging to commercial businesses affiliated with DoD. We went down that road when I was working for government, and our Congressional leaders quickly had words with the DoD community so that it would not extend its mandate to parts of the commercial infrastructure where it had no business going. DoD reversed course after that, at least until now, but they never give up.
This instruction goes a long way towards reestablishing the kind of network definition that Cyber Command wanted when General Alexander was its Director. General Alexander was also the Director of the National Security Agency (NSA), which kind of made a few people in Congress nervous. Rightfully so.
Applies to the DoDIN. The DoDIN includes DoD information technology (IT) (e.g., DoD-owned or DoD-controlled information systems (ISs), platform information technology (PIT) systems, IT products and services) as defined in DoDI 8500.01 (Reference (h)) and control systems and industrial control systems (ICSs) as defined in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-82 (Reference (i)) that are owned or operated by or on behalf of DoD Components.
Quite a few DoD regulations use this kind of language. They define something for the reader just once at the beginning and use acronyms after that. By the end, nobody is really sure what the policy says. This applies to commercial cloud services and to defense contractors under the National Industrial Security Program (NISP), which covers not just DoD contractors but those of any agency that participates. Almost all agencies do. It also adds controlled unclassified information (CUI), which it had no policy basis to add. The NISP covers only classified information.
I certainly hope Congress is paying attention to this. It is a clear grab by NSA for most of the agencies in the Federal architecture and a few parts that clearly are not part of it. If they win, they will have a clear path to controlling all Federal systems.