Policy Paper 1: Air Force Instruction 17-130
Cybersecurity is a constant concern for private and government organizations around the world. As technology and availability increase, so too do attacks on organizations. The number of cyber-attacks has increased in recent years and is projected to increase further in the years to come (Brooks, 2022). With increased integration and presence on the internet, it is important for any company or organization that has a network or is connected to the internet to have a cybersecurity policy with clear guidelines, definitions, and standards.
Merriam-Webster (2019) defines policy as “a high-level overall plan embracing the general goals and acceptable procedures, especially of a governmental body” and “a definite course or method of action selected from among alternatives and in light of given conditions to guide and determine present and future decisions.” As such, it is paramount that organizations prepare and implement policies to protect their networks and to minimize and prevent attacks on them.
Establishing a policy can come from a response to an incident, lessons learned, new technology, preventative maintenance, and so on. Clark, Berson, Herbert (Eds.) (2014) mentioned threats to national security involving the U.S. armed forces in the book At the Nexus of Cybersecurity and Public Policy. To paraphrase, the United States Air Force (USAF) has capabilities that include command, control, communications, intelligence, logistics, and administration. All of these are connected to the internet; so too are their adversaries. Should a criminal or nation-state actor gain access to military weapons, secrets, and capabilities, it would be a massive threat to national security (pg. 15). However, without being connected to the network, response and capabilities would be severely impacted. It is a double-edged sword.
The USAF uses Air Force Instruction (AFI) 17-130, a policy that governs its Cybersecurity Program Management. AFI 17-130 exists to address the cybersecurity threats and vulnerabilities to its network by defining a program that each Air Force command will establish. At its base, AFI 17-130 outlines why the policy exists, who is responsible for what, and the cybersecurity framework that is to be followed. As stated earlier, the USAF capabilities are integrated over the internet, thus the program must be established and maintained to ensure security.
AFI 17-130 obtains its enforcement and authorization from Air Force Policy Directive 17-1, Information Dominance Governance and Management; Headquarters Mission Directive 1-26, Chief, Information Dominance and Chief Information Officer; and Air Force Policy Directive (AFPD) 16-14, Security Enterprise Governance. These policies guide which roles must be created for the program to be compliant, enforceable, and backed by authority. Simply having a policy without an entity to oversee a specific aspect of it could lead to poor security.
The roles and responsibilities section of AFI 17-130 establishes the hierarchy and positions that carry out and enforce the policy. Each role from Deputy Chief Information Officer to Authorized User is outlined and detailed as to their policy-specific area of responsibility or their use guidelines. This establishes accountability should any aspect of the policy need enforcing or adjusting.
The cybersecurity framework that AFI 17-130 integrates is based on the National Institute of Standards and Technology Special Publication (NIST SP) 800-37, whose 5 functions are Identify, Protect, Detect, Respond, and Recover (NIST, 2018). As with any organization, the USAF defines and identifies who is responsible for each function based on the roles created above and established publications. It is worth mentioning that NIST was created in 1901 by the U.S. Congress, and while NIST in recent years has taken steps to be more globally recognized, the International Organization of Standards (ISO) has taken that title. There does exist an overlap between NIST and ISO (Elizabeth, 2021).
Having a cybersecurity policy is integral to any organization. Responsible parties, their function, and the reasons for the policy are all parts of the whole that should strive to minimize risk and maximize security. The maturation of any policy will require updates to meet the growing demand for cybersecurity.
References
Brooks, C. (2022). Alarming Cyber Statistics For Mid-Year 2022 That You Need To Know. Jersey City, NJ. Forbes Media. Retrieved from https://www.forbes.com/sites/chuckbrooks/2022/06/03/alarming-cyber-statistics-for-mid-year-2022-that-you-need-to-know/?sh=3746099e7864
Merriam-Webster. (2019). Definition of POLICY. Springfield, MA. Merriam-Webster Inc. Retrieved from https://www.merriam-webster.com/dictionary/policy
Clark, Berson, Herbert (Eds.) (2014). At the Nexus of Cybersecurity and Public Policy. National Academies Press. Retrieved from https://doi.org/10.17226/18749
Marion II, William (2020). AIR FORCE INSTRUCTION 17-130. Retrieved from https://static.e-publishing.af.mil/production/1/saf_cn/publication/afi17-130/afi17-130.pdf
Elizabeth. (2021). NIST vs ISO Compliance: What’s the Difference? Tugboat Logic. https://tugboatlogic.com/blog/nist-vs-iso-compliance-whats-the-difference/
NIST. (2018). Risk Management Framework for Information Systems and Organizations. https://doi.org/10.6028/nist.sp.800-37r2