Department of Defense Chief Information Officer John Sherman issued a new directive Monday aimed at ensuring DOD components are vigilant about who has access to sensitive information.
The move comes after troves of classified U.S. national security documents were posted online on social platforms such as Discord and Secretary of Defense Lloyd Austin launched a “comprehensive” review of the Pentagon’s security programs, policies and procedures for protecting that type of data. In a memo issued last week, Austin suggested new guidance would also be forthcoming from Sherman.
By May 26, the chief information officers of the military services and other DOD components “must certify their compliance of the systems and networks the Component owns and/or manages to DoD CIO via the CyberScope tool” on “implementation of Least Privilege and Access Control security controls,” and ensure “optimized” audit capabilities” and “optimized” user activity monitoring (UAM), per Sherman’s memo issued Monday, which contained the subject line: “Data Call to Confirm Compliance and Measures for Safeguarding and Handling Classified National Security Information.”
The information gathered will help inform a “cybersecurity scorecard” that he’ll be keeping, he noted.
Regarding Least Privilege and Access Control, “system owners of data repositories must take measures to restrict access to classified data (to include limitations on printing of classified information, review of distribution lists, and requirements to encrypt emails) based on need to know in addition to all other requirements for access to such classified information and not simply level of clearance,” Sherman wrote.
System owners must also review and minimize privileges for software products to execute, and remove privileged accounts and access for people who no longer need it, per the guidance.
Additionally, they must make sure auditing capabilities are activated on systems that are involved with processing, storing, or transmitting classified info, as well as deploy “[unified access management, or UAM] capabilities, triggers, and analysis on classified end points,” Sherman noted.
“Insider threat cells” or similar organizations need to actively manage and monitor these UAM capabilities. And officials must validate the status of their UAM programs “on systems providing web hosting and collaboration capabilities” for top secret data on top secret systems, he noted.
Sherman said he will work with the CIO of the Office of the Director of National Intelligence as well as the undersecretary of defense for intelligence and security to guide implementation for systems hosting sensitive compartmentalized information. The SCI designation is meant to be especially restrictive of who has access to that info.
“Reporting of SCI systems, including [the Joint Worldwide Intelligence Communications System] will be through ODNI channels,” Sherman wrote, adding that he will finalize “minimum UAM triggers” that Defense Department components must use as part of their insider threat programs.