CHIPS Articles: New Department of the Navy IT Policies Signed

The policy follows a recent pilot sponsored by the DON CIO with Amazon Web Services to move publicly accessible data to a commercial hosting environment. The Secretary of the Navy’s public-facing information portal is now hosted in the Amazon Web Services cloud infrastructure. The innovative decision to host the data in a commercial cloud environment resulted from an analysis of several factors, the most important being the type of data stored in the portal, hosting costs and security requirements.

The new policy will enable the department’s systems that host publically releasable information to move to commercial cloud service providers, as long as all requirements are met at the best value. The experience the DON gains through initial application of cloud computing, in conjunction with security requirements, will inform future decisions on how to best apply this technology.

The National Institute of Standards and Technology defines cloud computing as: “A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

In the simplest terms, cloud computing focuses on storing and accessing data and programs over the Internet instead of on your computer’s hard drive. End users access cloud-based applications through a Web browser or a lightweight desktop or mobile app while the software and user’s data are stored on servers at a remote location.

As a business model, cloud computing can help the DON achieve economies of scale with improved manageability and ability to adjust resources to meet end user demand, improve system performance and reduce infrastructure costs.

DON Policy for Electronic Record Keeping Systems and Applications
The purpose of the memo is to delineate records management (RM) policy for electronic information systems (EISs) and records management applications (RMAs) within the Department of the Navy. This policy pertains to new, updated and existing DON EISs and RMAs. Enclosures (1) through (4) provide detailed information essential to policy compliance.

In addition to complying with Department of Defense (DoD) and DON policies and federal statutes and regulations, effective EIS RM facilitates information discovery and visibility, which improves information sharing. Additionally, effective EIS RM facilitates removal of obsolete data, improves security, and helps maintain current, authoritative information sources. The new policy was signed by the DON CIO Terry Halvorsen March 21, 2013.

DON Certification and Accreditation Pilot
This memo outlines the certification and accreditation pilot of information technology systems within the Department of the Navy.

DoD Instruction 8500.2, Information Assurance (IA) Implementation, of Feb. 6, 2003 and DoD Instruction 8510.01, DoD Information Assurance Certification and Accreditation Process (DIACAP), of Nov. 28, 2007 require certification and accreditation (C&A) of information technology systems within the Department of Defense. Flexibility within the policies allows the Department of the Navy to explore process changes that may reduce costs yet maintain a secure environment. The DON plans to investigate these possibilities by piloting a streamlined C&A process. In this pilot, the DON will prepare for transition to the Risk Management Framework, employ security measures focused on mission impact and real threat information, eliminate duplicative and unnecessary efforts, and reduce the overall cost of C&A. The pilot will employ mission-based approaches to system accreditation. It will investigate alternatives for interim approval timelines and conditions for specialized environments. The pilot will also evaluate prioritized security controls and increased C&A reciprocity between the Navy and Marine Corps. The DON Chief Information Officer and the Service Designated Accrediting Authorities will supervise the pilot to ensure acceptable security is maintained.