Track 2, Session 4

1
DAIG Information Assurance (IA) Update
COL Frederick Henry
Chief, DAIG-IA Division
August 2008
2
  • Overview
  • Role of the IG
  • DAIG focus in the IA Model
  • Division Mission/Structure
  • Re-engineering IA Compliance
  • Four Phase IA Compliance Model
  • IA Compliance Strategy Reference Guide
  • 1st, 2nd and 3rd QTR FY 08 Inspection Trends
  • Way Ahead

3
Role of the Inspector General
  • Assist commanders with improving readiness and
    warfighting capability!
  • Information Assurance is a Command
    responsibility that can profoundly impact
    operational readiness
  • DAIG directed by the CSA to assist Army
    Leadership in improving the IA posture of the
    Total Army
  • Only IG IA Division in DoD

General von Steuben
Coach, Teach and Train
4
Information Assurance (IA)
  • Measures that protect and defend information and
    information systems by ensuring their Integrity,
    Confidentiality, Availability, Authentication,
    and Non-repudiation. These measures include
    providing for restoration of information systems
    by incorporating Protection, Detection, and
    Reaction capabilities.

Information Assurance Definition Model
DAIG Focus
  • Policy compliance
  • Training awareness
  • Program Management
  • Systemic findings

Source: Army Regulation 25-2
5
IG IA Division Mission
Conduct cyclic information assurance (IA)
compliance inspections of all Army Active,
Reserve and National Guard components (Total
Army).

Mission Essential Task List (METL)
1. Conduct IA Compliance Inspections
2. Conduct Systemic IA Inspections
3. Establish partnerships with IA stakeholders
4. Recruit, Train and Retain IA SMEs
5. Provide IA trends to Army Leadership
6
Organizational Structure
  • Team Leaders: Experienced FA 53s
  • Deputy Team Leaders (YA-3)
      • Lead IA Specialist
      • Strong IA operational/technical background
  • IA Specialist (YA-2)
      • Technical/operational background
      • Primary inspectors
  • IA Technical Certification Focus
      • Framed after DoDD 8570.1
      • IA Management Level 3: Div Chief/Deputy
      • IA Management Level 2: TL/Dep TL
      • IA Technical Level 2: IA Specialist

Team Composition (3x): 1 x TL, 1 x Deputy TL, 2 x IA Specialist
Conducting a Troop to Task Bottom Up Review
7
Re-Engineering IA Compliance
DAIG Compliance Imperatives
  • Minimize impact on resources
  • Reduce Inspection (s) burden
  • Increase Compliance Awareness
  • Report IA Trends to Senior Leadership
  • Increase Total Army IA Posture

Army IA Compliance Framework

Army IA Compliance Challenges
  • Strategic communications engagements
  • Tell the IA story to Army stakeholders
  • Policy Ambiguity
  • Selective Compliance
  • Redundant Efforts
  • Resource Shortfalls
  • Lack of Awareness
  • Turf Wars
  • Stovepipe solutions
  • Socialization
  • Institutionalization

IA Compliance Awareness
  • Socialization / change culture
  • Compliance Enablers
  • Process/system improvement

Leader Engagement
  • Self Assessment Virtual Tool
  • Resource de-confliction
  • Focused phased activities

4 x Phase Compliance Model
  • Baseline Total Army
  • Defines Army IA Compliance
  • Authoritative Standards

Trends
Set Conditions for Total Army Success
8
4 Phase IA Compliance Model
  • Developed by DAIG-IA in coordination with the
    CIO/G-6
  • Attempts to fix responsibility across each phase
  • Reinforces procedure, process and system
    improvement
  • Standardize IA Compliance improvement activities
    across the Total Army

Four Phase IA Compliance Model
  • Phase 1: Self-Assessment (Identify IA Compliance Shortcomings)
  • Phase 2: Assistance (Apply Corrective Actions)
  • Phase 3: Compliance (Compliance Validation)
  • Phase 4: Follow Up (POAM)
9
4 Phase IA Compliance Model Phase 1 (Conduct IA
Self Assessment)
  • Purpose
      • Identify IA Compliance strengths and weaknesses
      • Develop an improvement plan addressing
        identified weaknesses
      • Used by leadership as an Executive Management
        Tool

https://iatraining.us.army.mil
IA Self Assessment Tool screenshot (columns: Question,
Standard, Success Measure, Validation, Applicability,
Assessment)
For questions concerning the IA Self Assessment
Tool please e-mail netcom-iasat@hqda.army.mil
10
4 Phase IA Compliance Model Phase 2 (Assistance)
  • Apply corrective actions to IA compliance
    weaknesses identified during Self Assessment
    (Phase 1). Available resources to provide
    assistance include:
      • IG IA Staff Assistance Visits
      • IG IA Personnel Support Structure
      • Army Office of Information Assurance Compliance
      • RCIO
      • IAPM (Regional or Command)
      • IAM / IANM / IASO / IANO
      • SA / NA
      • DAIG, IA Division

11
4 Phase IA Compliance Model Phase 3 (Compliance
Validation)
  • DAIG is not the only organization conducting IA
    Compliance Inspections
  • Commanders (i.e. ACOMs/ASCCs/DRUs) should use
    their command inspection program to assess the
    readiness of their IA Program
  • The Army IA Compliance Checklist is for IA
    Compliance Inspections
      • 15 functional areas (5 focus areas)
      • Findings are briefed by the DAIG to Army Senior
        Leadership
      • Checklist is reviewed and updated at least
        annually
      • Modifications and revisions to the checklist are
        approved
      • The checklist is available at the following
        site: https://www.us.army.mil/suite/page/475521

12
Army IA Compliance Checklist
Standards
Checklist Functional Areas
  • Minimum IA Technical Requirements
  • Classified Systems Management
  • COMSEC
  • Leadership IA Assessment
  • Incident Handling
  • IA Training and Certification
  • Information Assurance Vulnerability Management
    (IAVM)
  • IA Program Management
  • Public Key Infrastructure (PKI)
  • Certification and Accreditation
  • Federal Information Security Management Act
    (FISMA)
  • Wireless Security
  • Portable Electronic Devices (PED)
  • Army Web Risk/Content Management
  • Personally Identifiable Information (PII)
    Protection

The Leadership IA Assessment is only used in
the IA Self Assessment Tool
13
4 Phase IA Compliance Model Phase 4 (Follow Up)
IA Compliance POAM
  • The IA Compliance POAM template was developed
    by the DAIG, IA Division. The IA Compliance POAM
    helps to track all non-compliant findings
    discovered during Phase 3
  • Commanders and their appointed IA personnel are
    responsible for taking corrective actions

14
IA Compliance Strategy Reference Guide
Target Audience
  • Senior Army Leadership
  • The Adjutant Generals
  • Commanders
  • Garrison Commanders
  • DOIMs
  • Inspectors General
  • IA and non-IA Community

15
General Inspection Trends (1st, 2nd and 3rd QTR
FY 08) Based on IA Checklist Functional Areas

16
FY08 Inspections
17
Inspection Activities
  • 1st, 2nd and 3rd Qtr FY 08
      • Total Inspections: 14
      • AC: 10
      • RC: 3
          • ARNG: 2
          • USAR: 1
      • MWR: 1
      • DOIM: 9
      • Tenant Unit: 5
      • Units to Pass Inspection: 0
  • Army IA Checklist
      • Primary assessment tool
      • 14 Functional Areas
      • 5 focus areas (must pass all focus areas)
      • Minimum baseline standards for IA Program
  • Systemic Non-Compliance Findings
      • Lack resources (funding and workforce)
      • Training and Certification
      • Certification and Accreditation
      • Lack of IA awareness

Root Cause Analysis Model
18
Functional Area Trends
Rate of Non Compliance
Chart legend: DAIG Non-Focus Area / DAIG Focus Area


FOR OFFICIAL
USE ONLY. This document contains information
which is Exempt from Mandatory Disclosure under
the Freedom of Information Act. Dissemination is
prohibited except as authorized by AR 20-1.
19
Functional Area Risk Exposure
Increased exposure, increased risk
Would you leave your arms room unsecure?
20
Interesting Trends
  • Major reasons for non-compliance
      • Lack of awareness (37)
      • Lack of resources (funding/workforce) (31)
  • Top question (checklist) contributing to
    non-compliance
      • Have all IA personnel in Technical Levels I-III
        completed required minimum training?
  • 67% of all non-compliance correlates with a
    direct/indirect relationship with IA funding
  • Units that conduct a candid Self Assessment
    (Phase 1) have a lower rate of risk exposure

21
Systemic Findings
  • IA Program Management
      • Not validating personnel security requirements
      • Lack awareness of CIO/G-6 IA Best Business
        Practices (BBPs)
      • Unfunded requirements in BBPs
      • General lack of awareness and understanding of IA
        policy and procedures

22
Systemic Findings
  • IA Training and Certification
      • DOD 8570.01-M
      • Lack of understanding about IA position and
        personnel designation, certification, and
        training requirements
      • Difficult to identify proper amounts of
        funding
      • Not using Army Training and Certification
        Tracking System (ATCTS)

23
Systemic Findings
  • FISMA
      • No functional COOP
      • COOP personnel not properly trained
  • Portable Electronic Device (PED)
      • Limited knowledge of Data At Rest (DAR) and
        Personally Identifiable Information (PII)
        requirements
      • Use of personal devices on Army systems

Federal Information Security Management Act
(FISMA)
24
Systemic Findings
  • Emerging Concerns
      • Certification and Accreditation
          • DIACAP requirements not understood
          • Lack of guidance for the DIACAP Implementation
            Plan (DIP)
          • Not allowing enough time for DIACAP process
          • Not conducting annual review of IA controls
          • Not following up on POAMs
      • Wireless Security
          • Misunderstanding and misuse of new wireless
            technologies and policies

Department of Defense Information Assurance
Certification and Accreditation Process (DIACAP)
25
Good News Story!
  • Users are generally aware of who their
    supporting IA and IT personnel are
  • Users are receiving initial and annual IA
    awareness training
  • The IA Compliance Inspection process is
    generating enthusiasm among organizational
    leadership to learn more about IA and to improve
    their IA programs

26
Way Ahead
  • IA Self Assessments
      • Trend data shows strong correlation between risk
        exposure and completion of the self assessment
        (Phase 1)
      • Practical exercise at the new DOIM Course (Phase
        1 and 2)
  • DOIM Survey
      • Approved for release by IMCOM; data compiled by
        DAIG
  • Planning for FY 09 Inspection Schedule
      • Align several inspections with the SDOIM
        Implementation effort
      • Cover down in each component
  • Annual IA Report
      • Present IA findings/trends to SA
      • Show correlation of findings from DOIM survey and
        systemic trends
      • Target: 1 QTR FY 09

27
Contact Information
  • COL Frederick Henry
      • Chief, IA Division
      • Cell (BB): 703 677-5713
      • Voice: 703 602-5992
      • NIPR: frederick.henry@us.army.mil
      • SIPR: frederick.henry@hdqa-s.army.smil.mil
  • Mr Don Watson
      • Deputy Chief, IA Division
      • Cell (BB): 703 459-3265
      • Voice: 703 602-8496
      • NIPR: don.watson@us.army.mil
      • SIPR: don.watson@hdqa-s.army.smil.mil

28
Questions
29
Back Up Slides
30
IA Personnel Structure
IA Support
NETCOM
RCIO
Regional IAPM
Installation DOIM
RCERT/TNOSC
31
IA De-Confliction WG
Methodology
  • Additional IA Stakeholders
      • NETCOM
      • RCIO
      • Others

Legend: DR = Document Review, Obs = Observation
  • DISA, DOT&E, 1st IO Command assessments based
    on DoD IA Controls
  • IA Division inspections based on Army IA policy

32
IG IA Strategic Communications
  • Stand-To articles (15 May 07)
  • Interviews
  • Inserts to publications
  • TIG Bulletin
  • IG IA Compliance Strategy Reference Guide
  • DAIG IA Newsletter
  • Briefings (conferences)
  • LandWarNet Conference
  • Tactical IA Conference
  • Garrison CDR/CSM Conference
  • NGB IT Conference
  • IG Regional Conferences
  • Working Groups (HQDA, DoD, and Joint)
