Defending DOD networks with a single security architecture

The DOD's vision of the Joint Information Environment includes enhanced network security through standardized configurations and shared security protocols at the enterprise level.

As the Defense Department moves to a network architecture that will one day serve the core needs of all the military services, it envisions a Joint Information Environment (JIE) that comprises shared IT infrastructure, enterprise services and a single security architecture (SSA) to achieve full spectrum superiority, improve mission effectiveness, increase security and realize IT efficiencies. Through the implementation of JIE, Pentagon planners hope to reduce the department’s overall IT footprint, standardize configurations, create shared security protocols at the enterprise level and simplify data routing.

The Defense Information Systems Agency is responsible for leading JIE technology synchronization and is creating a set of common IT services to support JIE based on trusted identity and access management, data center consolidation, and enterprise services such as DOD Enterprise Email, collaboration and file storage. Cybersecurity also constitutes a significant portion of JIE, which seeks to enhance network security by employing an SSA to better protect DOD networks, while giving warfighters easier access and allowing for better information sharing among all mission partners.

The SSA is designed to enable DOD’s cyber operators at every level to see the status of their networks for operations and security and enable commonality in how cyber threats are countered. By implementing a standardized security architecture, the U.S. military wants to be able to know who is operating on its networks and what they are doing and be able to attribute their actions with a high degree of confidence.

“The single security architecture is one of the major components of JIE,” said Mark Orndorff, DISA’s chief information assurance executive and program executive officer for mission assurance and netops. “The No. 1 most important advantage is the ability to actively defend the DOD networks in a time frame that we need to execute cyber defensive operations. What I mean by that is the single security architecture will allow us to understand what’s going on across the entire DOD network with global cyber situational awareness to a level that we can’t do today.”

According to Orndorff, the SSA will minimize complexity for a synchronized cyber response, maximize operational efficiencies, and reduce the risks while reducing the number of organizationally owned firewalls and unique routing algorithms and the inefficient routing of information that currently exists. In addition, a standardized security architecture will better protect the integrity of information from unauthorized access while increasing the ability to respond to security breaches across the system and improving how DOD operates and secures its networks globally, he said.

The SSA “will allow us to implement security controls and countermeasures across the entire network in real time,” Orndorff said. “Today we’ve got a lot of decentralized implementations of some pretty sophisticated and robust capabilities. But they’re implemented in pockets, so we don’t share information across all the pockets and don’t have the ability to simultaneously change policies or controls across all those pockets instantly or at the same time.”

Eliminating overlap and duplication

The problem is that mission assurance services are currently implemented via a complex set of overlapping and duplicative roles and responsibilities. JIE’s SSA is a multiphase approach that solves that problem by collapsing the network security boundaries, reducing the external attack surface, and standardizing the management, operational and technical security controls to ensure the confidentiality, integrity and availability of DOD’s information assets within all required mission contexts while also facilitating rapid attack detection, diagnosis, containment and response.

“We had in a lot of cases more security layers than we actually need,” Orndorff said. “As we design this under the single security architecture, we feel like we can get the right security controls in the right places in the network and eliminate a lot of the duplicate layers that exist in the architecture today. We’re going to pick the key places to control network traffic and the key places to implement security capabilities. And then the security layers that exist today over and above the ones that need to be there for this design…will be eliminated.”

The SSA provides a common approach to structuring and defending computing resources and networks across all DOD organizations. For example, the SSA describes how core DOD data centers and the server computing resources they contain must be structured, what cyber defenses are required on those computers, and what cyber firebreaks are necessary within the data center's internal networks. The SSA also describes how remote management and automation of data centers are to be structured and secured, and what cyberattack detection, diagnosis and reaction capabilities the data center and the remote management system must have.

“We are shifting a bit in the approach so that more security will be wrapped around the data centers and the applications,” Orndorff said. “So we’re getting a shift in terms of trying to do security at the network boundaries to look at where the applications and data are and better aligning our security architecture to that, which will free up some of the network boundary base defenses.”

Another high-priority objective for the SSA is to enable dynamic information sharing with DOD and its mission partners by shifting the focus from securing systems and networks to securing data and its use.

“If you secure the systems and the data, you’re in a better position to understand the exact security requirements of that system and what that system is trying to support,” Orndorff said. “If you are trying to secure at the network layer, it’s a much more complicated problem and harder to tune the security policy to accomplish what needs to be accomplished without impacting information sharing and the dynamics of the missions that DOD needs to support.”

DOD’s first installment of JIE is coming together initially in Europe. JIE Increment 1 is based in the U.S. European Command area of responsibility. DISA is building on the successes of that pilot project and will bring the process to the Pacific Command to learn further lessons about what works and doesn’t work as DOD seeks to create a set of standards and an architectural construct that will facilitate jointness among all the military services’ networks.

“We have a formal JIE Increment 1 that is being worked in Europe with multiple upgrades planned out between now and the end of this calendar year,” Orndorff said. “While Increment 1 is being worked, follow-on planning for another increment planned for the Pacific [Command] and all the additional phases will be scheduled. In the background, we have work under way within [the continental United States] that aligns with JIE and will help set the conditions, so as we move from the formal Increment 1 work in Europe into other parts of the world, we aren’t sitting still.”

Enabling mobile forces

Mobility is another challenge that isn’t limited to JIE but is common across DOD as it becomes an increasingly mobile force. One of JIE’s primary goals is to provide the warfighter with secure access to information from any mobile device, with an SSA that is available globally and accessible at the tactical edge.

With the commercial explosion of smartphones and the popularity of the Android and iOS operating systems, DISA is trying to take advantage of the commercial marketplace and determine how it can best be used to address DOD’s needs.

“If we try to impose our security requirements on the commercial mobile devices, we’d end up with a device that nobody would ever want or use,” Orndorff said. “The approach we’ve taken is to build a mobile ecosystem that leverages all the benefits of the single security architecture so that when you’re using a DOD-provisioned mobile device, you get all the benefits of the security architecture and infrastructure that we have to mitigate a lot of the risk associated with a generic mobile device operating in the wild.”

DISA wants to ensure that DOD users stay compliant with security rules and regulations. In the past, DOD mandated specific configuration settings for mobile devices through the use of security technical implementation guides (STIGs), which are developed by DISA and updated periodically in an effort to keep pace with documented emerging threats and changes to technology. However, the agency has changed that model by giving industry the responsibility for writing the guides.

“Where we’re headed is we’re giving the vendors the security requirements guide, and the vendors are writing the STIGs for their device,” Orndorff said. “Industry will deliver to the department the STIG and the device, and we will go through a very quick, streamlined process to review what they’ve submitted and then release that as a DOD STIG for general use across the department.”

“Our expectation is that we will be issuing STIGs right in line with the release of the commercial mobile devices to the marketplace,” he added. “There won’t be the long lag that has been an issue in the past, plus we will have better-quality STIGs because the experts from industry will be writing them as they build their products.”
