Navy CIO Outlines 2010 GoalsAmong Objectives: 25% Cut PII Breaches, 90%-plus FISMA Scores
The No. 1 goal of the Campaign Plan is securing networks and critical infrastructures to maximize mission assurance. Among those outcomes: a 25 percent cut in personally identifiable information security breaches. Carey also promises that the Navy will score 90 percent or higher on Federal Information Security Management Act performance measurements.
"As the office responsible for IT strategy, policy and guidance, we must find ways to enable the innovative use of IM/IT (information management/information technology) to meet the needs of the warfighter, while continuing to provide secure and reliable networks to defend our cyber investments and information at the least cost," Carey wrote in the forward of the report. "Each of us in the chain of command needs to be aligned to the outcomes that best support our warfighters."
The plan lists seven IT security tactics:
- Secure sensitive information residing on or transiting Navy information systems, mobile assets and storage media through the implementation of defense-in-depth methodologies.
- Ensure that a privacy impact assessment is completed and reviewed every three years for all systems that contain personally identifiable information, or PII.
- Develop and implement programs to change behavior and business processes to reduce reliance on PII, and implement consistent accountability and consequences regarding the suspected and actual loss of PII.
- Develop and implement a department-wide Social Security number and high risk PII reduction plan.
- Partner with the Department of Defense's Defense Industrial Base Cybersecurity Taskforce to ensure clear policy, consistent oversight and streamlined processes to secure Navy sensitive information on Defense Industrial Base networks.
- Ensure a consistent Navy certification and accreditation process that is aligned with federal and DoD processes.
- Ensure Navy critical infrastructure - physical and cyber - is identified through comprehensive assessments to support informed risk management decisions.
Here are the IT security outcomes Carey expects the Navy to achieve in the coming fiscal year:
- Enterprise tools for encryption of data at rest available for purchase by Navy commands through the DOD's Enterprise Software Initiative/SmartBUY program.
- Common-access-card-enabled Navy personal-electronic devices to ensure proper protection of information contained on these extensions of Navy networks.
- Version II of the Navy's computer network defense roadmap that communicates the Navy's investment strategy for sustaining and improving network defense.
- A Navy identity management strategy that communicates a holistic framework for identity management efforts within the service branch.
- New department policy for privacy that ensures all Navy personnel are trained in safeguarding and handling PII, including reporting requirements for suspected or actual loss of PII.
- A 25 percent reduction from 2008 levels in the number of personnel affected by high-risk PII breaches.
- Greater assurance that the Navy is protecting IT resources, measured through Federal Information Security Management Act performance measurement scores of 90 percent or higher for systems with authority to operate, annual system security reviews, annual security controls testing, annual contingency plan evaluations and privacy impact assessments.
- A streamlined Navy certification and accreditation process that aligns with DoD and federal initiatives and codified business rules and processes.
- Enterprise tool developed by the Navy CIO and made available to enable critical-infrastructure-protection self assessments.
Besides information security, the other goals outlined in the Navy's 2010 Campaign Plan include work to create a future networking environment, effective management and use of the spectrum, improved management of IT investments, improved information sharing and knowledge management, a capable and trained IT workforce, and an aligned governance structure for agile decision making.
"As we focus on these," Carey said, "we will always keep in mind that support to the warfighter is our first and most urgent priority."