Information Security: Challenges to Improving DOD's Incident Response Capabilities

GAO-01-341 Published: Mar 29, 2001. Publicly Released: Mar 30, 2001.

Highlights

This report reviews the Department of Defense's (DOD) implementation of computer incident response capabilities and identifies challenges to improving them. GAO found that during the last several years, DOD has taken several steps to build incident response capabilities and enhance computer defensive capabilities across the Department, including the creation of computer emergency response teams and incident response capabilities within each of the military services as well as the Defense Information Systems Agency and the Defense Logistics Agency. DOD also created the Joint Task Force-Computer Network Defense (JTF-CND) to coordinate and direct the full range of activities within the Department associated with incident response. GAO identified the following six areas in which DOD faces challenges in improving its incident response capabilities: (1) coordinating resource planning and prioritization activities; (2) integrating critical data from intrusion detection systems, sensors, and other devices to better monitor cyber events and attacks; (3) establishing a departmentwide process to periodically review systems and networks for security weaknesses; (4) increasing individual unit compliance with departmentwide vulnerability alerts; (5) improving DOD's system for coordinating component-level incident response actions; and (6) developing departmentwide performance measures to assess incident response capabilities.

Recommendations

Recommendations for Executive Action

Agency Affected: Department of Defense
Recommendation: The Secretary of Defense should direct the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence and the U.S. Space Command to work through the Defense-wide Information Assurance Program and the JTF-CND to finalize a Departmentwide incident response plan, including objectives, goals, priorities, and the resources needed to achieve those objectives.
Status: Closed – Implemented
In early 2001, DOD issued policy for computer network defense that includes responsibilities and procedures for incident response (DOD Directive O-8530.1, 1/8/2001, and DOD Instruction O-8530.2, 3/9/2001). In August 2002, DOD's information assurance (IA) leadership group approved a department-wide IA strategic plan that included objectives, metrics and measures for incident response. During March 2003 DOD published the Joint Task Force (JTF) Computer Network Operations (CNO) Tactics, Techniques & Procedures (TTP), and a Chairman of the Joint Chiefs of Staff Manual called Defense-in-Depth: Information Assurance (IA) and Computer Network Defense. The TTP: (1) is linked to the Department's Information Assurance Strategic Plan; (2) represents a comprehensive incident reporting and response plan; and (3) addresses objectives, goals, priorities, and organizational resources. The JCS manual contains detailed Department-wide incident reporting and response guidance and describes the process by which the Defense Information Systems Agency and the US Strategic Command monitor and report compliance to the Secretary of Defense. These actions help establish clear areas of responsibility, a unified management approach, and detailed procedures as essential controls within the Department's effort to deploy an effective departmentwide incident response plan.

Agency Affected: Department of Defense
Recommendation: The Secretary of Defense should direct the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence and the U.S. Space Command to work through the Defense-wide Information Assurance Program and the JTF-CND to expedite the development and enhancement of a complete set of systems for integrating and analyzing useful data from intrusion detection systems and other systems used to monitor computer security weaknesses, including tracking data on insider attacks.
Status: Closed – Implemented
DOD has several efforts underway to establish an infrastructure for monitoring, integrating, and analyzing intrusions and system weaknesses, including a study of computer network defense infrastructure, an assessment of technologies to mitigate insider threats, and guidance for intrusion detection (CJCSM 6510.01M). Further, the Department has completed several initiatives to advance timely integration of threat and intrusion data. For example: (1) the information assurance strategic plan, approved in August 2002, established objectives, metrics, and a management process that will facilitate integration of data and tools across the department; (2) a common structure has been established for DOD's threat database to facilitate inputs from all DOD components; (3) DOD published the Joint Task Force Computer Network Operations Tactics, Techniques & Procedures (TTP) in March 2003 (the TTP communicates the priority and urgency needed to respond to computer incidents); (4) DOD has expedited the development of systems and processes to address incidents and computer intrusions through the implementation of After Action Reviews and changes to the Commander's Critical Information Requirements (CCIR) that now require incident close-out reports in the form of a standard Joint Universal Lessons Learned (JULL) that is disseminated to all DOD organizations; (5) DOD plans to continue its efforts to identify and use computer network defense sensors; and (6) DOD plans to advance its efforts to develop and enhance systems for learning lessons from intrusion events and for distributing those lessons appropriately. These measures, which include procedures regarding insider attacks and all computer vulnerabilities and risks, were implemented as priorities and accelerated so that they were operational in March 2003. When these measures are coupled with the automated systems used for Information Assurance Vulnerability Alerts and the Information Assurance Vulnerability Management program and other procedures within these processes, they provide mechanisms for timely implementation of responsive Defense-wide incident and intrusion systems and processes that will allow all DOD components to effectively use data from intrusion detection systems.

Agency Affected: Department of Defense
Recommendation: The Secretary of Defense should direct the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence and the U.S. Space Command to work through the Defense-wide Information Assurance Program and the JTF-CND to standardize terminology for computer incidents to facilitate the integration of incident data across the Department.
Status: Closed – Implemented
DOD published the Joint Task Force (JTF) Computer Network Operations (CNO) Tactics, Techniques, and Procedures (TTP) in March 2003, which contains standardized terminology for computer incidents. The TTP provides a set of common terms and their definitions as they pertain to computer incidents that will advance DOD efforts to effectively communicate and share information about such incidents throughout the Department. Furthermore, DOD's instruction for information assurance (the 8500 series of regulations) adopts the National Information Systems Security Glossary (NSTISSI No. 4009), which includes terms related to computer incidents. Additionally, USSPACECOM has expanded that standard with a lexicon of key computer network defense terms.

Agency Affected: Department of Defense
Recommendation: The Secretary of Defense should direct the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence and the U.S. Space Command to work through the Defense-wide Information Assurance Program and the JTF-CND to establish a systematic, Departmentwide process for prioritizing and conducting vulnerability assessments of high-risk systems and networks and capabilities needed to support mission-critical operations.
Status: Closed – Implemented
DOD developed policies for conducting vulnerability assessments (the DODD 8500 series of regulations and instructions). In addition, the Information Assurance Strategic Plan, approved in August 2002, contains objectives, metrics, and a process to establish priorities and monitor the results of assessments. Also during March 2003, DOD published the Joint Task Force (JTF)-Computer Network Operations (CNO) Tactics, Techniques, and Procedures (TTP) and a related Joint Chiefs of Staff (JCS) manual (Defense-In-Depth: Information Assurance (IA) and Computer Network Defense (CND)) regarding computer network defense. The TTP established a JTF-CNO unit to conduct vulnerability assessments, and the JCS manual described detailed procedures and policies for the conduct and prioritization of such assessments. These actions establish a systematic approach for assessing risks and potential effects to mission-critical, high-risk systems, networks and capabilities, and will enhance DOD organizations' ability to respond to and manage computer incidents.

Agency Affected: Department of Defense
Recommendation: The Secretary of Defense should direct the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence and the U.S. Space Command to work through the Defense-wide Information Assurance Program and the JTF-CND to evaluate and monitor results from vulnerability reviews to ensure that recommended repairs have been made and have been applied to all similar systems throughout DOD.
Status: Closed – Implemented
During March 2003 DOD published the Joint Task Force (JTF)-Computer Network Operations (CNO) Tactics, Techniques, and Procedures (TTP) and a related Joint Chiefs of Staff (JCS) manual regarding computer network defense. The TTP created an Advanced Technology Unit that performs all vulnerability assessments. Additionally, the JCS manual updated and refined the Information Assurance Vulnerability Alert (IAVA) process, renaming it the Information Assurance Vulnerability Management (IAVM) Program. The JCS manual also describes detailed procedures and policies that pertain to the conduct and prioritization of vulnerability assessments. IAVAs are generated as part of these assessments whenever a critical vulnerability exists that poses a threat to the Department. The Defense Information Systems Agency, JTF-CNO, and the US Strategic Command (USSTRATCOM) process and distribute IAVAs to all DOD components. All components, in turn, must acknowledge receipt of IAVAs and describe the corrective actions for the IAVAs and the timetable for such corrections. USSTRATCOM centrally manages the monitoring of IAVAs and tracks compliance across DOD. Compliance metrics are generated and reported to USSTRATCOM, the Joint Staff, and the Secretary of Defense through the Office of the Assistant Secretary of Defense-Networks and Information Integration. These activities afford the Department a mechanism to determine that recommended corrections based on vulnerability reviews have been made and that corrective actions are applied to similar systems throughout the Department.

Agency Affected: Department of Defense
Recommendation: The Secretary of Defense should direct the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence and the U.S. Space Command to work through the Defense-wide Information Assurance Program and the JTF-CND to establish procedures to ensure consistent and complete reporting on the status of repairs required in the Information Assurance Vulnerability Alert (IAVA) process across the Department.
Status: Closed – Implemented
DOD created policy and procedures for status reporting on information assurance vulnerability alerts in the form of the DOD 8500 series of regulations and instructions. The Department also established a working group led by USSPACECOM to resolve issues with reporting processes. Additionally, DOD responded to this recommendation by adopting a Chairman of the Joint Chiefs of Staff Manual called Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND) in March 2003. This manual refined procedures related to DOD's Vulnerability Compliance Tracking System (VCTS) and the Information Assurance Vulnerability Management (IAVM) Program. The manual provides a comprehensive and detailed system and procedures for: (1) informing all DOD components of vulnerabilities; (2) communicating repair steps to them; and (3) collecting from them, via the automated VCTS and IAVM procedures, the repair status of all information technology and related assets. All DOD components are required to register their system assets with the VCTS, thereby providing visibility of compliance with IAVAs and required repairs and patches. The VCTS and IAVM processes create a systematic series of controls and a Defense-wide mechanism to ensure all DOD components are informed of every system vulnerability and deficiency identified. Additionally, these actions provide assurance that corrections are received and appropriate corrective measures are implemented.

Agency Affected: Department of Defense
Recommendation: The Secretary of Defense should direct the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence and the U.S. Space Command to work through the Defense-wide Information Assurance Program and the JTF-CND to link IAVA compliance reporting requirements to mission-critical systems and operations to increase awareness of the value of complying with technical bulletins and advisories distributed as part of the IAVA process.
Status: Closed – Implemented
DOD has approved strategic goals and objectives that will increase the monitoring and awareness of vulnerabilities. Additionally, during March 2003, the Department published and disseminated the Joint Task Force (JTF)-Computer Network Operations (CNO) Tactics, Techniques, and Procedures (TTP) and a related Joint Chiefs of Staff (JCS) manual pertaining to computer network defense. These documents apply to all DOD components and their computers, networks and related operations. They describe mandatory procedures for acknowledging receipt of IAVAs and for applying corrective actions for the IAVAs within a set timetable, inclusive of mission-critical systems, networks and capabilities. These documents also explain the procedures for monitoring IAVAs and for tracking compliance with IAVA-related requirements and the Information Assurance Vulnerability Management (IAVM) Program across DOD. Compliance metrics are generated and reported to the U.S. Strategic Command, the Joint Staff, and the Secretary of Defense. Further, these documents inform all DOD components of vulnerabilities, communicate repair steps, detail how the automated Vulnerability Compliance Tracking System (VCTS) and IAVM program are to be engaged and deployed, and explain how all information technology and related assets are to be registered with VCTS. The documents afford the Department a mechanism that heightens awareness of the value of complying with all aspects of the IAVA and IAVM processes, including for all mission-critical systems, operations, and networks, and with the technical bulletins and advisories distributed as part of the IAVA and IAVM processes.

Agency Affected: Department of Defense
Recommendation: The Secretary of Defense should direct the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence and the U.S. Space Command to work through the Defense-wide Information Assurance Program and the JTF-CND to refine Information Operations Condition (INFOCON) procedures to clarify the kinds of actions that need to be taken at each INFOCON level, especially with regard to priority systems, such as mission-critical systems.
Status: Closed – Implemented
In August 2002, detailed INFOCON instructions were developed and published on DOD's secure network, including actions specifically related to mission-critical systems. Additionally, in March 2003 DOD published the Joint Task Force Computer Network Operations Tactics, Techniques and Procedures (TTP). The TTP sets out detailed technical response actions for each of the several INFOCON levels. Furthermore, the Department also published and disseminated the Joint Chiefs of Staff Manual, Defense-In-Depth: Information Assurance and Computer Network Defense, which provides guidance on INFOCON levels and procedures. These actions foster consistent departmentwide incident response, and these measures will limit the impact of cyber attacks by improving coordination with other federal systems.

Agency Affected: Department of Defense
Recommendation: The Secretary of Defense should direct the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence and the U.S. Space Command to work through the Defense-wide Information Assurance Program and the JTF-CND to establish a performance-based management process for incident response activities to ensure that Departmentwide goals as well as combat requirements are achieved, including establishing goals for (1) reducing the prevalence of known security vulnerabilities in systems and networks that support mission-critical operations and (2) timeliness in responding to known types of cyber attacks.
Status: Closed – Implemented
In August 2002, DOD officials approved an information assurance strategic plan that includes goals, measures, and a management process for managing vulnerabilities and responding to intrusions. Additionally, in March 2003 DOD published the Joint Task Force (JTF) Computer Network Operations Tactics, Techniques and Procedures (TTP) and a Chairman of the Joint Chiefs of Staff Manual, Defense-in-Depth: Information Assurance (IA) and Computer Network Defense. The TTP establishes metrics for timeliness in reporting unauthorized incidents. Further, the Chairman of the Joint Chiefs of Staff Instruction, Information Assurance and Computer Network Defense, introduced a tracking system for Information Assurance Vulnerability Alert (IAVA) patches. The JTF manual and DOD Instruction, Support to Computer Network Defense, established metrics for the IAVA process that strictly govern response times. For example, all DOD components must acknowledge receipt of each IAVA, which also contains a description of the corrective action required for the vulnerabilities, within 5 days; and generally, compliance status for the IAVA must be achieved and registered within 30 days. The U.S. Strategic Command (USSTRATCOM) centrally manages the monitoring of IAVAs and tracks compliance across DOD. Compliance metrics are generated and reported to USSTRATCOM senior leadership, the Joint Staff, and the Secretary of Defense through the Assistant Secretary of Defense, Networks and Information Integration. These actions appear to effectively establish a Departmentwide basis to: (1) help reduce the prevalence of known security vulnerabilities in systems and networks that support mission-critical operations and (2) facilitate timeliness in responding to known types of cyber attacks.
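The timeliness metrics in the last status entry (acknowledge each IAVA within 5 days, register compliance within 30 days, roll the results up per component) are the kind of thing a compliance tracking system computes continuously. The following is an added illustration, not code from GAO, DOD, or the VCTS; it models one alert record per component, classifies each reporting step against its deadline as of a reporting date, and produces the per-component roll-up and the list of overdue items that would need escalation. The component names and the IAVA identifiers are constructed placeholders, and the 5-day and 30-day windows are the only values taken from the page.

```python
"""Added example (not GAO, DOD, or VCTS code): IAVA timeliness metrics.

Every component must acknowledge an IAVA within 5 days of issue and reach
registered compliance within 30 days. All records below are constructed
sample data; the IAVA identifiers are placeholders, not real IAVA numbers.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

ACK_WINDOW_DAYS = 5          # acknowledge receipt of an IAVA within 5 days
COMPLIANCE_WINDOW_DAYS = 30  # register compliance status within 30 days


@dataclass(frozen=True)
class IavaRecord:
    iava_id: str                  # placeholder identifier (constructed)
    component: str                # reporting DOD component (constructed name)
    issued: date                  # date the alert was distributed
    acknowledged: Optional[date]  # None = receipt not yet acknowledged
    compliant: Optional[date]     # None = compliance not yet registered


def step_status(completed: Optional[date], issued: date,
                window_days: int, as_of: date) -> str:
    """Classify one reporting step against its deadline.

    on_time  - completed on or before the deadline
    late     - completed, but after the deadline
    overdue  - not completed and the deadline has passed as of `as_of`
    pending  - not completed, deadline still in the future
    """
    deadline = issued + timedelta(days=window_days)
    if completed is not None:
        return "on_time" if completed <= deadline else "late"
    return "overdue" if as_of > deadline else "pending"


def evaluate(rec: IavaRecord, as_of: date) -> Dict[str, str]:
    """Status of both steps (acknowledgement and compliance) for one record."""
    return {
        "iava_id": rec.iava_id,
        "component": rec.component,
        "ack": step_status(rec.acknowledged, rec.issued, ACK_WINDOW_DAYS, as_of),
        "compliance": step_status(rec.compliant, rec.issued,
                                  COMPLIANCE_WINDOW_DAYS, as_of),
    }


def component_metrics(records: List[IavaRecord], as_of: date) -> Dict[str, dict]:
    """Per-component roll-up of the kind reported up the chain: counts of
    on-time acknowledgements and on-time compliance, plus the IAVA ids that
    are overdue on either step and therefore need escalation."""
    summary: Dict[str, dict] = {}
    for rec in records:
        ev = evaluate(rec, as_of)
        m = summary.setdefault(rec.component, {
            "total": 0, "ack_on_time": 0, "compliant_on_time": 0, "overdue": []})
        m["total"] += 1
        if ev["ack"] == "on_time":
            m["ack_on_time"] += 1
        if ev["compliance"] == "on_time":
            m["compliant_on_time"] += 1
        if "overdue" in (ev["ack"], ev["compliance"]):
            m["overdue"].append(rec.iava_id)
    return summary


# Constructed sample records: three alerts, three components, one reporting date.
AS_OF = date(2003, 5, 1)
SAMPLE_RECORDS = [
    # acknowledged in 2 days, compliant in 25 days: both on time
    IavaRecord("IAVA-SAMPLE-001", "Component A", date(2003, 3, 3), date(2003, 3, 5), date(2003, 3, 28)),
    # acknowledged in 9 days, compliant in 43 days: both late, but closed
    IavaRecord("IAVA-SAMPLE-001", "Component B", date(2003, 3, 3), date(2003, 3, 12), date(2003, 4, 15)),
    # acknowledged next day; compliance deadline (May 10) still ahead of AS_OF
    IavaRecord("IAVA-SAMPLE-002", "Component A", date(2003, 4, 10), date(2003, 4, 11), None),
    # never acknowledged; 5-day window closed on Apr 15, so acknowledgement is overdue
    IavaRecord("IAVA-SAMPLE-002", "Component B", date(2003, 4, 10), None, None),
    # acknowledged on time; 30-day window closed on Apr 19, so compliance is overdue
    IavaRecord("IAVA-SAMPLE-003", "Component C", date(2003, 3, 20), date(2003, 3, 21), None),
]

if __name__ == "__main__":
    for component, m in sorted(component_metrics(SAMPLE_RECORDS, AS_OF).items()):
        print(f"{component}: ack on time {m['ack_on_time']}/{m['total']}, "
              f"compliant on time {m['compliant_on_time']}/{m['total']}, "
              f"overdue: {', '.join(m['overdue']) or 'none'}")
```

The four-way split of each step matters in practice: "late" items were eventually closed and only count against the timeliness metric, while "overdue" items are still open past their deadline and are the ones a central tracker should surface for escalation.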

Topics

Computer security, Emergency response, Emergency response teams, Federal computer incident response capability, Homeland security, Information resources management, Intrusion detection systems, Performance measures, Cyber attacks, U.S. Air Force