A new DoD policy encourages use of the World Wide Web as a powerful communications tool. But at the same time, the policy calls for tighter security controls and a stronger focus on matching web sites to the organization's mission.
"The policy encourages people to use web technology," said Bill Leonard, security programs director for assistant secretary of defense for Command, Control, Communications and Intelligence. "But the most important thing we're telling people is to focus on who your target audience is for the information you're trying to convey and how sensitive that information is."
The new web policy clarifies and extends the rules for posting information on public DoD web sites. In the past, restrictions on web publication applied to information that was either classified, sensitive in nature, or not cleared for public release. The new policy, published Nov. 25, broadens these restrictions to include information of questionable public value that creates a potential security risk if made easily available to a worldwide audience. Information intended only for an internal audience, Leonard said, should be posted on Intranet, or closed-loop sites.
The new web guidelines are an outgrowth of a Sept. 24 directive from Deputy Defense Secretary John Hamre to ensure that publicly accessible DoD web sites don't compromise national security or place personnel at risk. Hamre created a task force and ordered a review of operational, public affairs, acquisition, technology, privacy, legal and security issues associated with the use of DoD web sites.
Leonard said the new policy isn't intended to decrease the number of defense sites on the web. "The web is integral to a lot of our overall objectives and imperatives-disseminating accurate information rapidly," he said. "But you need to have a strategy for how and why." Organizations need to establish their information objectives, analyze and determine their customer base, then "embrace technology to maximize the benefits, balanced against the risks," Leonard said.
Leonard said many of the sites reviewed by the task force were strong, focused and easy to use, but many others "appeared to be there only because the technology is available," he said.
Leonard's office will provide policy and procedural guidance for the establishment and operation of web sites. DoD public affairs will provide policy oversight to ensure the credibility and effective dissemination of defense information. Public affairs also will continue to operate DefenseLINK as the principle gateway to DoD's web presence. DefenseLINK will serve as a central registration point for DoD web sites.
Service departments also will set up central registration points. Sites must register with their service component or directly with DefenseLINK.
The policy gives commanders the lead in establishing and maintaining appropriate web sites. "It's not a webmaster responsibility," Leonard said. Comparing it to a soccer game, he said, "When opponents score a goal, people point their fingers at the goalie. But that ball got past 10 other people on the team. It's the same in posting information to the web site. It's clearly a command responsibility."
The new policy also calls for the Reserve to conduct operational security assessments of DOD web sites. These assessments will help DoD increase awareness of the total defense presence on the web, Leonard said. "When commands look at their sites, they'll only be looking at a piece of the technology," he said. "We need to look at it from a DoD perspective. The Reserve approach will give us the capability to increase our awareness."
The Reserve will provide feedback to components, as well, letting them know what other information on the web might have an impact on their sites, Leonard said.
With the new policy published and posted to the web, the next milestone comes in late March, when components complete a second, more detailed scrub of their web sites.
"In the meantime, we'll continue to look towards new technology," Leonard said. "We're confident the long-term solution is to come up with an information delivery system that is relatively transparent to the user but will make it much easier to maintain information security."
NEXT STORY: BLM director's 'demotion' examined