What would be in an updated CAPR 110-1?

Started by Pylon, November 21, 2012, 07:23:52 PM


Pylon

CAPR 110-1 CAP Internet Operations.  It was last updated in 2000, and as was aptly pointed out by Eclipse in another thread: that was pretty much before the Internet as we know it.  The Internet and how CAP uses it (and how every organization uses it) is vastly different from the year 2000.


Setting aside best practices, how to's, suggestions, tips, and ideas to focus on regulatory standards: what would you suggest belongs in a modern version of CAPR 110-1?


Some suggestions of mine:

  • Required privacy policy page on websites (perhaps even provided by NHQ and run by CAP Legal)
  • Requiring the commander and the ITO at minimum (two separate members) to have the password/login credentials for CAP internet accounts to ensure the unit and not any individual maintains control.
  • Require CAP senior member oversight for any CAP internet presences that a cadet works on.
  • Remove the stupid disclaimer about links and endorsements.  Nobody assumes in the modern day that external links imply endorsement and you won't find this plastered on any other major non-profit or for-profit companies' sites.
What do you think belongs in a modern CAPR 110-1?
Michael F. Kieloch, Maj, CAP

krnlpanick

In an ideal world:

1) Every site must have linked from every page
   a) Privacy Policy
   b) Terms of Use
   c) Security Story

2) All restricted information must be stored behind a n-tier authentication strategy utilizing at least a something you know and something you have methodology to secure non-public content
   a) Something you know - a password, passcode or pass-phrase consisting of at least 8 characters and containing upper-case, lower-case, at least one digit and at least one special character. Passwords must be changed at least every 90 days and new passwords must have a Levenshtein Distance of at least 4 from the previous 5 passwords.
   b) Something you have - a one-time token generated using either a hardware key-fob, smart-phone application, or desktop application
   c) Access to sensitive documents (personnel records, etc) or current user account information shall require re-authentication prior to access being granted.

3) Applications must undergo an annual application security review by a skilled professional 3rd party or NHQ/Region/Wing designee.
   a) Findings must be reported to the Wing ITO and a remediation plan developed within 45 days of receiving the report from the assessor

4) FOUO communications must be digitally signed using a key distributed from the Wing Certificate Authority or above.

5) All members must undergo OPSEC and Basic Internet Safety courses prior to being granted access to the NHQ, Region, Wing, Group or Unit website.

I am sure I could keep going on this all day long, and like I said - this is just some of the regulations I would propose for an ideal regulation regarding internet safety, security and policy. I have a feeling most of the ITOs in the organization would really hate my set of regs, but hey, the banks love 'em!

2nd Lt. Christopher A. Schmidt, CAP
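The password rule in 2(a) above is concrete enough to check mechanically. As an added example (not CAP's code and not from any poster), here is a Python checker for that rule: the length and character-class requirements plus a Levenshtein distance of at least 4 from each of the last five passwords. One caveat a practitioner would raise: an edit distance needs the old passwords in plaintext, which a properly hashed credential store does not have, so in practice the distance check can only be run against the current password the user types at change time; the `recent` list here stands in for whatever the system can actually supply.

```python
"""Password-policy checker for the thread's proposed rule 2(a).

Added example, not CAP's code. Assumptions: the caller supplies the
candidate password and whatever recent passwords it can compare against
in plaintext (realistically only the current one, entered at change time).
"""
from __future__ import annotations

MIN_LENGTH = 8       # "at least 8 characters"
MIN_DISTANCE = 4     # "Levenshtein Distance of at least 4"
HISTORY_DEPTH = 5    # "from the previous 5 passwords"


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), two-row DP."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def complexity_failures(pw: str) -> list[str]:
    """Return the character-class rules the password violates (empty = ok)."""
    fails = []
    if len(pw) < MIN_LENGTH:
        fails.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        fails.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        fails.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        fails.append("no digit")
    if not any(not c.isalnum() for c in pw):
        fails.append("no special character")
    return fails


def check_new_password(pw: str, recent: list[str]) -> list[str]:
    """Reasons the new password is rejected; an empty list means accepted.

    `recent` holds up to the last HISTORY_DEPTH plaintext passwords the
    system can actually compare against (see caveat above); only the most
    recent HISTORY_DEPTH entries are considered.
    """
    fails = complexity_failures(pw)
    for old in recent[-HISTORY_DEPTH:]:
        d = levenshtein(pw, old)
        if d < MIN_DISTANCE:
            fails.append(
                f"too close to a previous password "
                f"(edit distance {d} < {MIN_DISTANCE})")
    return fails


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    history = ["Summer2011!"]
    for candidate in ["password", "Summer2012!", "Wint3r2012!"]:
        verdict = check_new_password(candidate, history) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

The seasonal-rotation case ("Summer2011!" to "Summer2012!") is the one the distance rule is aimed at: it passes every character-class check but sits at edit distance 1 from its predecessor, so it is rejected, while a password that shares only its suffix with the old one clears the threshold.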

Phil Hirons, Jr.

Quote from: krnlpanick on November 21, 2012, 07:58:23 PM
2) All restricted information must be stored behind a n-tier authentication strategy utilizing at least a something you know and something you have methodology to secure non-public content
   a) Something you know - a password, passcode or pass-phrase consisting of at least 8 characters and containing upper-case, lower-case, at least one digit and at least one special character. Passwords must be changed at least every 90 days and new passwords must have a Levenshtein Distance of at least 4 from the previous 5 passwords.
   b) Something you have - a one-time token generated using either a hardware key-fob, smart-phone application, or desktop application
   c) Access to sensitive documents (personnel records, etc) or current user account information shall require re-authentication prior to access being granted.

NHQ's websites don't even meet this standard.

I'd like to see it made regulation that NHQ IT is responsible to provide authentication services (an API) for all levels to use. Your membership lapses? You lose access to any region, wing, group or squadron tools right away.

coudano

How about getting with the nineties, and eliminating the very first (stupid) statement in the reg

Quote: While not intended as a substitute for conventional communication methods, the Internet can be used to accomplish fast and economical communications that can aid CAP missions and provide information to the general public.

Can we not agree, by now, that 'da internets' *IS* now a conventional communication method?
...and then start setting our policies according to that?



We also need to get rid of this little (self-evidently false, not to mention ridiculous) gem:

Quote: Warning: The information you are receiving is protected from interception or disclosure. Any person who intentionally distributes, reproduces or discloses its contents is subject to the penalties set forth in 18 United States Code Section 2511 and/or related state and federal laws of the United States.



How about 'internet operations' that do not take place on cap.gov servers?

How about in such sites, the username and password to the site must be shared with a minimum number of people (3?).  Maybe the squadron commander, a deputy, IT, and PAO.  So that when member snuffy made a geocities site for the squadron one night, and then quits, the squadron retains 'control' of it.

How about mandatory, periodic security testing, especially for sites that might be injection and/or XSS vulnerable.  Failure to pass a security audit results in shutting down the 'internet operation'.

How about mandatory, periodic content reviews.  Failure to review and/or update content every X often shuts down the 'internet operation'.

How about "internet operations" PRIMARILY as a public affairs function, and not an "IT" function...

Does anyone even use the cap.gov domain anymore (?)   I stopped trying, when getting anything resembling customer service out of the CGA became unbearable.

A.Member

I agree that CAPR 110-1 needs revision but it's a slippery slope.  CAPP 227 is a bit more updated (2007) and while not a reg, it does provide some guidance around skillsets and function.

If a regulation is created, it must be followed and measured.  What is the consequence of non-compliance?   This is a real challenge for this organization which relies on volunteers (most of whom, to be quite frank, are not particularly skilled) to maintain IT operations.   At the same time, we continue to require the collection of more and more personal data.   Something needs to change, of that there is no question.  However, the solution is not as simple as "create a reg and make it so", especially considering the heavy payload of regs that currently exist.

Also, to an earlier point, internet operations are NOT a PAO function.  They are indeed an IT function.  Content on the other hand, may be a PAO function, at least in part.
"For once you have tasted flight you will walk the earth with your eyes turned skywards, for there you have been and there you will long to return."

coudano

Quote from: A.Member on November 21, 2012, 08:41:36 PM
Also, to an earlier point, internet operations are NOT a PAO function.  They are indeed an IT function.  Content on the other hand, may be a PAO function, at least in part.

I was suggesting getting the relationship right.
in terms of customer / provider relationship.

The customer is PAO.
The service provider is IT.

The demand for the service comes from the customer (PAO).
The IT shop "makes it happen" (provides service)

If IT goes and makes a site/infrastructure, but PAO never uses it, that site is useless.
See internet for examples.
--If the (non IT savvy) PAO just goes and makes a site, then the site is likely all jacked up.
See internet for examples.



Another customer might be communications...
Commander wants to convey information (demand)(customer)
IT shop makes it happen (service provider)

IT shop can make a pager distro, or an email list.  But if command never uses it, then it is useless.




This basic relationship is misunderstood, and misapplied all over business and the military.
No surprise that CAP doesn't get it right either.

coudano

A definition of "internet operations" might be in line as well.

It could be as narrow as "webpages and email"

or as broad as "anything transmitted across the IP structure"

Walkman

CAPR 110-1 CAP Internet Operations
  A. Don't post stupid things on an official CAP web site
  B. Don't post stupid pictures...see above

How's that for a re-write?

JeffDG

Quote from: coudano on November 21, 2012, 08:58:03 PM

I was suggesting getting the relationship right.
in terms of customer / provider relationship.

The customer is PAO.
The service provider is IT.
That's a very narrow view of web sites/IT.

The "public" website is, or certainly should be, a small part of a web presence.  Public Affairs has no veto or responsibility for anything that's non-public.

coudano

It was only one example.

Other than maybe a security awareness content blurb, can you generate me an example of something that IT should be generating of its own volition, rather than as a response to a customer request?

krnlpanick

Quote from: phirons on November 21, 2012, 08:18:20 PM
NHQ's websites don't even meet this standard.

Precisely...

Quote from: phirons on November 21, 2012, 08:18:20 PM
I'd like to see it made regulation that NHQ IT is responsible to provide authentication services (an API) for all levels to use. Your membership lapses? You lose access to any region, wing, group or squadron tools right away.

I think that is a great idea - OpenID for CAP as it were. Also, if we don't do 2-tier authn at least we should be using certificates instead of just a password with a password policy that is not that great.
2nd Lt. Christopher A. Schmidt, CAP

JeffDG

What I'd like to see in a revised CAPR 110-1 is as little as possible.

The less crap they throw in there as "mandatory" stuff the less flexibility we have to innovate and get things that actually work.

Eclipse

How about we just get away from home-brewed infrastructure altogether?

"That Others May Zoom"

JeffDG

Quote from: Eclipse on November 21, 2012, 11:20:47 PM
How about we just get away from home-brewed infrastructure altogether?
Because those "home brewed" solutions are the breeders of innovation and new ideas.

This "we must standardize" is just a rush to mediocrity.

A.Member

Quote from: JeffDG on November 21, 2012, 11:48:33 PM
Quote from: Eclipse on November 21, 2012, 11:20:47 PM
How about we just get away from home-brewed infrastructure altogether?
Because those "home brewed" solutions are the breeders of innovation and new ideas.

This "we must standardize" is just a rush to mediocrity.
I disagree.  There is nothing we are doing that is innovative or differentiating.  That's not our core business.  As such, we should be looking to out of the box, standard solutions that have half a prayer at being supported.
"For once you have tasted flight you will walk the earth with your eyes turned skywards, for there you have been and there you will long to return."

Eclipse

Quote from: JeffDG on November 21, 2012, 11:48:33 PM
Quote from: Eclipse on November 21, 2012, 11:20:47 PM
How about we just get away from home-brewed infrastructure altogether?
Because those "home brewed" solutions are the breeders of innovation and new ideas.

No, they are the breeders of home brew, and are constantly reinvented each time the web guy changes.

The wheel is perfectly fine, free, secure, and easy to use.  We don't need it reinvented every year.

"That Others May Zoom"

JeffDG

Quote from: Eclipse on November 22, 2012, 01:04:38 AM
Quote from: JeffDG on November 21, 2012, 11:48:33 PM
Quote from: Eclipse on November 21, 2012, 11:20:47 PM
How about we just get away from home-brewed infrastructure altogether?
Because those "home brewed" solutions are the breeders of innovation and new ideas.

No, they are the breeders of home brew, and are constantly reinvented each time the web guy changes.

The wheel is perfectly fine, free, secure, and easy to use.  We don't need it reinvented every year.
How would you know if there's innovation?

If everyone does the same thing everywhere, there's nobody asking "Hey, maybe we can do this better..."

So, you either think that (a) we do everything the absolutely optimal way, and can fully standardize on that, and will be able to maintain that forever, or (b) standards lock in mediocrity.

Al Sayre

Quote from: Walkman on November 21, 2012, 09:27:48 PM
CAPR 110-1 CAP Internet Operations
  A. Don't post stupid things on an official CAP web site
  B. Don't post stupid pictures...see above

How's that for a re-write?

+1
Lt Col Al Sayre
MS Wing Staff Dude
Admiral, Great Navy of the State of Nebraska
GRW #2787

Eclipse

Quote from: JeffDG on November 22, 2012, 01:44:25 AM
How would you know if there's innovation?

That's the point "innovation" isn't necessary in this space.  Stable, consistent sharing of information is.  CAP is not Amazon.

Quote from: JeffDG on November 22, 2012, 01:44:25 AM
(b) Standards lock in mediocrity.

They also ensure consistency.  Our mission has nothing to do with FUN! EXCITING! INNOVATIVE! websites, and the amount of wasted energy around them is simply astounding.  Whether it's the FNG who likes one product over another and decides to host something better under his desk (until he quits the job or CAP), or the people everywhere in CAP burning precious contact time "fixing what NHQ isn't doing", etc, etc.


"That Others May Zoom"

Phil Hirons, Jr.

Quote from: A.Member on November 22, 2012, 12:01:41 AM
I disagree.  There is nothing we are doing that is innovative or differentiating.  That's not our core business.  As such, we should be looking to out of the box, standard solutions that have half a prayer at being supported.

+10,000

Aside from things like WMIRS, almost all of CAP's internet needs are content management with some content requiring a login:

Events and calendaring
News and pictures
Contact lists
etc.

Throw in some ability to connect these things to social media and you've got to have covered 90% of what's needed.