A so-called DMZ - demilitarized zone - would be created to eliminate "the need for most DoD assets to directly connect with the public Internet, which greatly reduces its surface and exposure to attacks," according to an exhibit in the DISA budget.
DISA's Information Systems Security Program (ISSP) would use the money to purchase hardware and support migration of application servers - which would separate networks that should have access to the Internet from those that should not - to the DMZ.
In the budget, DISA cautioned:
"A reduction in funding for ISSP will greatly hamper DISA's support of DoD's efforts to provide coordinated information assurance capabilities to the warfighter and our coalition partners."
Asked to clarify the statement, Mark Orndorff, director of DISA's program executive office for mission assurance and NetOps, responded in an e-mail message:
"It's not a 'warning to appropriators' but just a statement that the ISSP budget is required to provide IA capabilities to the warfighters and coalition partners. DISA (is) providing capabilities to DoD and not just for DISA. The budget reflects an executable baseline and we're not raising an issue related to the change from last year to this year."
DISA's fiscal 2011 ISSP procurement budget totals $14.6 million, up from $10.4 million in the current fiscal year, but down from $47.9 million in the fiscal 2009 budget, due in part to accounting changes.
According to DISA, its IT security budget for the fiscal year beginning Oct. 1 also includes:
$1.8 million for the Host-Based Security System, which DISA contends would significantly reduce the risk of cyber attack on Defense Department computers and provide a consistent way to accomplish configuration and management control across all endpoints. With the funds, DISA would purchase hardware and software to expand the capabilities of the Host-Based Security System to counter new and emerging threats. It also would provide improved situational awareness capabilities to commanders through additional data/alert feeds.
$2.3 million for hardware and maintenance support to upgrade the Secret Internet Protocol Router Network firewall to defend network boundaries from external attack. SIPRNet connects Defense and State Department systems.
$2.2 million for an insider-threat capability to prevent potential internal attacks from individuals with authorized access to DoD networks. DISA would invest in hardware and software to automate the detection and mitigation of insider threats.
$2.5 million for its Cross Domain Enterprise Service that provides hardware and software for the transfer of information between DoD's classified and unclassified networks with high assurance, speed and integrity. The service effort allows increased dissemination of information among all DoD users while decreasing costs. With the funds, DISA would acquire hardware and software to continue expanding the service's capability and integrate new hardware and software at its sites to accommodate additional customers.