WebSDR Encryption
Background
– WebSDR SDRs designated For Official Use Only (FOUO) since 2006
– DoD R (Appendix 3) says the data which is FOUO should be sent by secure communications where practical
– Encryption of FOUO required by DLA in 2008
– DLA Information Security office reviewed DoD WebSDR (March 25, 2009)
    Confirmed SDRs meet OPSEC criteria for unclassified FOUO and, therefore, require encryption
    Determined that no amount of information could be removed from the SDRs to negate the need for FOUO designation (April 7, 2009)
Purpose of within DoD WebSDR Program used extensively to facilitate multiple business processes
– Action Copy Distribution: Used to transmit SDRs to organizations not supported by an application capable of interfacing with DAASC. Principally, an interim measure for Components where DLMS implementation is delayed
– Electronic Submitter Record: Customers using the Web-originated SDR for submission receive an automatic confirmation copy of the SDR for their records
– Customer Response: Customers using the Web for submission receive the action activity’s response via to either their account
– Distribution Copies: Customers may designate up to two additional distribution copies to be sent to interested parties by identifying the activity or the address during submission. Distribution copies may also be triggered by specific pre-programmed business rules
– Air Force Security Assistance: Multiple parties must review Foreign Military Sales (FMS) SDRs, which have a wider scope of reportable events than U.S. customer SDRs. These are routed to the appropriate AFMC office using WebSDR distribution
– Unique Business Processes: Facilitates expedited processing for frustrated freight SDRs reported by transshippers (pending system enhancements for DLA ICP and depot distribution)
Breakdown of s Sent by DoD WebSDR Using 1 March to 30 March, 2009
Category s Sent% Unique Addresses Unique Domains
MIL 32, %1, GOV %39 15 OTHER 2,7887.8% ,7732,
WebSDR Encryption POAM Under Development
DAAS Secure/Multipurpose Internet Mail Extensions (S/MIME) capability under development
July 31, 2009: Begin encryption for specific high volume DoD users.
– Four AF IM addresses receiving 1, ,000 SDR messages monthly.
– 45 DoD addresses receiving > 75 messages monthly, roughly 2/3 of WebSDR
Develop message center approach
– Users will be able to access SDRs from their in-box account within message center
– Subject line display with key information so that users can better prioritize workload prior to opening each SDR
– User selects SDRs for review or initiates further action directly from the message center
WebSDR Encryption POAM Under Development
Dual transmission style: encrypted SDR vs. “you’ve got mail” message
– Application determines suitability of encryption for each specific address
Encrypted SDRs will carry full data content plus hyperlink to message center to facilitate web-based processing
Users without encryption capability will receive notification with hyperlink indicating SDR is available in a new external web repository
– Alternative reply format: limited content -- document number and reply code w/POC
Significant areas of concern
– Require new communication approach for very low volume users that report discrepancies via the DLA Customer Interaction Center (CIC)
    Alternative: print/fax/conversion: DAAS mailer or CIC action
– Distribution Copy SDRs for addresses identified without prior registration
Requested POAM completion date: December 31, 2009