What's New in IA Today - PowerPoint PPT Presentation
Transcript and Presenter's Notes

1
Track 1, Session 2: Information Assurance
What's New in IA Today!
Ms. Melissa Hicks, Army Office of Information
Assurance Compliance/Policy
Melissa-hicks@us.army.mil
2
Agenda
  • AR 25-2 History
  • Key Provisions
  • Summary and Impact of Changes
  • Policy Changes in Progress

3
AR 25-2 History
  • Implements:
      • DoD Directive 8500.1, Information Assurance,
        dated 24 Oct 2002
      • DoD Instruction 8500.2, Information Assurance
        Implementation, dated 13 Feb 2003
      • CJCSM 6510.01, Information Assurance and
        Computer Network Defense, dated 23 Mar 2003
  • Superseded AR 380-19, Information Systems
    Security, and interim IA policy and guidance
    issued via messages, memorandums, and HQDA
    letters
  • Impacts:
      • AR 25-1, Army Knowledge Management and IT
        Management
      • AR 70-1, Army Acquisition Policy


4
The Revision of AR 25-2
  • Revised AR 25-2 underwent an extensive review by:
      • HQDA Staff Agencies
      • MACOMs
      • PEOs/PMs
      • National Unions

5
AR 25-2 Key Provisions
  • Applies to all Army owned or controlled IT
    systems and technologies
  • Included punitive language
  • Defined IA personnel hierarchy
  • Introduced and implemented the concept of
    Defense-in-Depth (DiD)
  • Recognized users as the foundation of the DiD
    strategy
  • Introduced the concept of IA Best Business
    Practices (IA BBPs)

6
Summary and Impact of Changes
  • Administrative/editorial changes throughout the
    document.
  • Impact: Provides new office symbols, updates IA
    course names, moves items to new paragraphs,
    provides clarification, etc.
  • Punitive paragraphs. Entire paragraphs are no
    longer punitive.
  • Impact: Punitive portions of the paragraph are now
    identified in bolded text. Assigns authority and
    responsibility to personnel as directed by the
    punitive paragraphs. Provides examples of sanctions
    that may be taken against military and civilian
    personnel.
7
Summary and Impact of Changes
  • Applicability section. Added waiver request
    information.
  • Impact: A waiver request requires formal legal
    review by the activity's senior legal officer and
    endorsement by the commander or senior leader.
  • Chapter 2. Clarifies existing organizational
    responsibilities and inserts new organizations
    and responsibilities.
  • Adds labor relations requirement. (2-24h)
  • Impact: Requires that the implementation of this
    regulation is accomplished in compliance with all
    statutory and contractual labor relations
    obligations.
  • Adds users' prohibited activities. (4-5a)
  • Impact: Adds the prohibited activities moved
    from 3-3c(2).

8
Summary and Impact of Changes
  • Adds CAC as a two-factor authentication
    mechanism. (4-5c(7))
  • Impact: CAC shall be used as the primary
    authenticator for access.
  • Changes automatic screen lock to 15 minutes.
    (4-5c(8))
  • Impact: Supersedes the 10-minute requirement IAW
    DoDI 8500.2 and DISA STIGs. Provides DAA authority
    to extend (not disable) the feature.
  • Consolidates and clarifies minimum configuration
    management (CM) requirements. (4-5f)
  • Impact: Requires all CM plans to include a
    maintenance and update strategy to proactively
    manage all IS and networks with the latest security
    or application updates. Includes the configuration
    management controls from para 4-6 (Software
    Security).
9
Summary and Impact of Changes
  • Adds a new Notice and Consent Warning Banner
    (4-5n)
  • Impact:
  • AR 25-2 is the authoritative source for the
    Notice and Consent Banner and supersedes the
    notice and consent banner in current AR 380-53.
  • Banner has received appropriate legal review and
    concurrence by affected offices. Updated to
    reflect emerging case law justifying the need for
    change.
  • Users have no expectation of privacy with
    respect to any information, either official or
    personal, that is transmitted or stored on
    government owned IS.
  • Users consent to monitoring and information
    retrieval for any lawful purpose, including but
    not limited to, a properly authorized law
    enforcement or counter-intelligence
    investigation, information systems monitoring, an
    Inspector General investigation, or other
    authorized administrative investigation.

10
Summary and Impact of Changes
  • Clarifies supervisory and management monitoring
    activities. (4-5t)
  • Impact: The published AR 25-2 restricts the
    Commander's ability to examine computer files to
    support an internal investigation.
  • This paragraph is now expanded and provides
    clarification on supervisory and management
    monitoring activities.
  • It restores the Commander's ability, under
    lawful authority, to examine archived electronic
    mail, personal computer file directories, hard
    disk drive files, and other information stored on
    the IS.

11
Summary and Impact of Changes
  • Expands database security and management to
    contracted facilities. (4-7)
  • Impact: Outlines specific requirements that must
    be met for databases located in contractor owned,
    operated or managed networks.
  • Removes prohibition on use of commercial data
    recovery services. (4-10e(5))
  • Impact: The use of commercial data recovery
    services will be documented in the C&A package.
    Notification provided to CIO/G-6 CISO.
  • Clarifies password requirements. (4-12)
  • Impact: Stresses the implementation of
    authentication techniques such as biometrics,
    single-sign-on access control devices and CACs as
    the primary access credential in lieu of passwords.
    Clarifies that the use of one-time passwords is
    acceptable. Procedural guidance moved to the BBP
    for Army Password Standards.
12
Summary and Impact of Changes
  • Adds description and criteria for IT-IV
    positions. (4-14)
  • Impact: DoDI 8500.2 provides description and
    criteria for IT-I and IT-II positions. The current
    AR 25-2 provides standards for IT-I, IT-II, and
    IT-III positions. The revised regulation adds
    criteria for IT-IV. IT-IV positions are defined as
    personnel in temporary, intermittent, or seasonal
    positions requiring restricted user-level access to
    unclassified, non-sensitive ISs only. The revision
    also adds language to clarify requirements for all
    IT positions.
  • Adds description and criteria for the
    International Fellow Program. (4-15)
  • Impact: Provides criteria for allowing
    international military students, attending resident
    Army command colleges, access to Army information
    systems.
  • Adds criteria for operating non-compliant IS.
    (4-27)
  • Impact: Organizations and individuals will operate
    non-compliant assets only with an approved
    Mitigation Action Plan (MAP). MAPs focus on systems
    not able to comply within the period specified in
    the IAVA notification message. If an IAVA message
    states "DAG3 approval only", neither the local DAA,
    NETCOM OIAC nor the CIO/G-6 can approve the MAP.
13
Summary and Impact of Changes
  • Changes criteria for COMSEC. (6-1)
  • Impact: DES is not authorized within the Army.
  • NIST/NIAP-approved cryptographic systems or
    foreign cryptographic systems to be employed in
    the tactical force structure will be approved on
    a case-by-case basis by the HQDA CIO/G-6.
  • Company and Below Units may use NIST/NIAP-approved
    cryptographic systems for protecting
    non-mission/non-operational unclassified or
    sensitive information upon approval.
  • Adds the DIACAP program.
  • Impact: Provides criteria for the new DIACAP
    processes and associated BBP standards to be
    implemented.

14
The Future
  • Adjudicate deferred comments from Revision 1
    staffing
  • Continue to revise IA Personnel Roles and
    Responsibilities
  • Extract technical requirements and standards
    into BBPs
  • Leverage Rapid Revision options for regulation
    publication
  • Provide a 30-day concurrence/comment period

15
AR 25-2 SMEs
16
AR 25-2 is available on the Army Publishing
Directorate's website (http://www.apd.army.mil),
the AKO portal (https://akocomm.us.army.mil/usapa),
or the Army home page (http://www.army.mil/usapa).
17
AR 25-2 Point of Contact: Melissa Hicks,
703-602-1221, Melissa-Hicks@us.army.mil
18
CDS 101
  • What is a Cross Domain Solution?
  • An information assurance solution that provides
    the ability to manually and/or automatically
    access and/or transfer between two or more
    differing security domains. (CJCSI 6211.02B)
  • Three Categories of CDS:
      • Transfer
      • Access (includes multi-domain thin client
        systems)
      • Multi-Level

19
Army CDMO Services Outreach
  • Advocacy for Army Customers
  • Facilitation through Connection Approval Process
  • Cradle to Grave oversight
  • Advice, Guidance, Informal Education
  • Documentation Review
  • Technical Assistance Referral
  • Website and Knowledge Center
  • Get with the Army CDMO before proceeding!

20
Contact Us
  • army.cdmo@us.army.mil
  • (703) 602-3400 (DSN 332)
  • https://informationassurance.us.army.mil/crossdomain/
  • http://www.us.army.smil.mil/suite/page/8237
    (AKO credentials or CAC validation for
    access)

21
Questions?
https://informationassurance.us.army.mil
(AKO credentials or CAC Validation for Access)
22
BACKUPS
23
CDS DOs & DON'Ts
  • DO:
      • Engage Early, As Soon As the Requirement Is
        Determined
      • Allow Plenty of Time; CDS Approval Takes Time
      • Expect Setbacks and Schedule Delays
  • DON'T:
      • Roll Your Own
      • Commission a CDS Market Survey
      • Expend Resources Before the Requirement Is
        Validated
      • Open a CDS Request Without Army CDSO Go-Ahead
      • Go Around the CDS PMO to the Vendor

24
Baseline CDS List (table not reproduced in the
transcript): Not Certified for Collateral