From: FederalNewsRadio.com 1500AM
By Jason Miller
The Defense Department is expanding the number and types of devices that are covered under its cybersecurity regulations.
DoD’s Chief Information Officer Teri Takai is expected to issue the new regulations in October.
Daryl Haegley, the program manager for business enterprise integration in the office of the deputy undersecretary of Defense for installations and the environment, said Wednesday DoD is updating the 8500 series guidance as part of the evolution of cyber directives. In the 1990s, DoD initially focused on communication security, or ComSec. It then moved to information assurance, and now it’s full on cybersecurity.
So with that full on cybersecurity approach, DoD will tell its agencies and services to focus on more than just email or business systems, but anything that is connected to the network.
“It says specifically that all information services and platform IT need cybersecurity considerations. So now it makes on par the industrial control system world and the information service world,” Haegley said at a panel discussion sponsored by Government Executive magazine in Washington. “They define IT here, information services — your email, the things that travel on servers, laptops and smartphones and those sort of things — information security for that. Then platform IT or operational technology or industrial control systems, those networks also have their own category and they also will need the cybersecurity evaluations.”
Industrial control systems (ICS) are those that run the water, air conditioning, heating, electrical, telecommunications and other facilities or physical security systems.
New risk management framework
Haegley said DoD also is updating regulations that would move the Pentagon closer to the civilian government around risk management, which would be a significant change. The National Institute of Standards and Technology recently updated its special publication 800-37 to address cyber risk management.
“Essentially what the CIO and DoD also helped them understand, the old DICAP process — the certification process that was long and it took a number of years sometimes to get things through. Then once you had a stamp, you were good for three years. You had to check back in in three years,” he said. “That is not keeping pace with what we need for good security practice. DoD is now going to adopt this risk management framework and apply that to its information security and ICS security requirements. In the instruction, it essentially mirrors a lot that is already in that special publication, but there are some nuances.”
DoD created the Defense Information Assurance Certification and Accreditation Process (DICAP) in 2007.
Haegley said he couldn’t discuss the specific differences between DoD’s new risk management framework and the NIST publication because the document still is in draft form.
A third major change in these new upcoming directives is around reciprocity of certifications. Haegley said DoD will tell the military services and agencies to trust each other when approving products or services that meet the new standards.
Leave a Reply