Describe the Department of Defense's instruction 8500.01 on cybersecurity


Before March 2014, the Department of Defense largely focused its policies and processes on foreign enemies and foreign countries/regions. In 2013, a National Security Agency contractor published large amounts of top secret government information. The Department of Defense and intelligence communities began to witness the effects these actions had caused.

On March 14, 2014, the DoD issued Instruction 8500.01, which focuses on cybersecurity.

This instruction formally creates a government program dedicated to cybersecurity. Previously, there were pockets of data protection, data classification, and anti-malware, but this instruction brings everything under a single group.

Principal authorizing officer

The instruction establishes a DoD Principal Authorizing Officer (PAO) and a DoD Senior Information Security Officer (SISO), and continues the work of the DoD Information Security Risk Management Committee (DoD ISRMC).

Cybersecurity, not information assurance

The instruction also clarifies that, going forward, the DoD will use the term "cybersecurity" rather than "Information Assurance (IA)." Before the instruction, "cybersecurity" was often referred to as "Information Assurance." This instruction codified the term and made sweeping changes to the nation's posture on securing government data.

Cybersecurity strategy

To address cybersecurity, it sets forth specific directions:

Risk Management

The instruction designates that the risk management process must be multi-tiered from the Enterprise level all the way down to the individual group level. This should be based upon NIST Special Publication 800-39 "Managing Information Security Risk: Organization, Mission, and Information System View".

The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems. Special Publication 800-39 provides a structured, yet flexible approach for managing information security risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.

The instruction notes that risks occur not just in IT, but also in global sourcing and distribution, cyberspace, military, intelligence, and business operations. It also notes that risk management needs to be addressed as early as possible in the acquisition of information technology.

Operational Resilience

The instruction notes that DoD IT:

  • Must ensure that information and services are available to authorized users "whenever and wherever required"
  • Must maintain their security posture
  • Must ensure their technology components rely on humans as little as possible

Integration and Interoperability

The instruction notes that cybersecurity must be fully integrated into system lifecycles; that interoperability will be achieved through architecture principles and a standards-based approach; and that DoD IT is interconnected, so the security of one system must not breach the security posture of another system.

Cyberspace Defense

The instruction authorizes defensive measures to be taken "within cyberspace to defeat specific threats that have breached or are threatening to breach system cybersecurity measures. Actions include detecting, characterizing, countering, mitigating threats."

Performance

The instruction states that performance will be measured and assessed for effectiveness; data will be collected to support reporting; and that standardized tools, methods, and processes will be used "to the greatest extent possible to eliminate duplicate costs."

DoD information

The instruction notes that DoD information will be given the appropriate level of confidentiality, integrity, and availability.

Identity Assurance

The instruction notes that:

  • Identity assurance must be used to eliminate anonymity
  • DoD will deploy a Public Key Infrastructure (PKI) to ensure identity assurance
  • Biometrics will be used to support identity assurance

Information Technology

The instruction also notes that:

  • "Any IT that receives, processes, stores, displays, or transmits DoD information will be acquired, configured, operated, maintained, and disposed of consistent with applicable DoD cybersecurity policies, standards, and architectures." This is a heavy tightening and reinforcement of the importance of securing the supply chain.
  • Risks introduced by faulty design, configuration, or use due to global sourcing will be managed, mitigated, and monitored.
  • Cybersecurity requirements must be identified throughout the entire lifecycle of systems.

Cybersecurity Workforce

The instruction also singles out personnel, noting that cybersecurity workforce functions must be identified and integrated into all phases of the system life cycle.

Mission Partners

The instruction also notes that DoD-originated and provided information residing on the information systems of mission partners must be safeguarded with documented agreements that indicate the required level of protection.

Responsibilities

This instruction goes into great detail on the exact responsibilities, as they relate to cybersecurity, for:

  • The DoD Chief Information Officer (CIO)
  • The Director of DISA
  • The Under Secretary of Acquisition, Technology, and Logistics (USD(AT&L))
  • The Deputy Assistant Secretary of Defense for Developmental Test and Evaluation (DASD(DT&E))
  • The Director of Operational Test and Evaluation (DOT&E)
  • The Under Secretary of Defense for Policy (USD(P))
  • The Under Secretary of Defense for Personnel and Readiness (USD(P&R))
  • The Under Secretary of Defense for Intelligence (USD(I))
  • The Director of the National Security Agency/Central Security Service (DIRNSA/CHCSS)
  • The Director of the Defense Counterintelligence and Security Agency (DCSA)
  • The Director of the Defense Intelligence Agency (DIA)
  • The Chief Management Officer of the Department of Defense
  • DoD Component Heads
  • The Chairman of the Joint Chiefs of Staff (CJCS)
  • The Commander of US Cyber Command (USCYBERCOM)

Procedures

The instruction also goes into great detail on cybersecurity procedures surrounding:

  • Risk Management
  • Operational resilience
  • Integration and interoperability
  • Cyberspace defense
  • Performance
  • DoD information
  • Identity assurance
  • Information technology
  • Cybersecurity workforce
  • Mission partners
  • The DoD Senior Information Security Officer
  • DoD Component CIOs
  • DoD Risk Executive Function
  • The Principal Authorizing Officer
  • The Authorizing Officer
  • Information System Owners of DoD IT
  • Information System Security Managers
  • Information System Security Officers
  • Privileged Users
  • Authorized Users

Importance

This instruction sets forth very clear actions that all DoD components must undertake to protect DoD systems (in the cloud or on premises) as they relate to cybersecurity. They must ensure that data is labeled properly and only accessible by those who should have access to it.