An Introduction to Department of Defense IA Certification and Accreditation Process (DIACAP)


An Introduction to Department of Defense IA Certification and Accreditation Process (DIACAP)
Solutions Built On Security
Prepared for The IT Security Community and our Customers
Prepared by Lunarline, Inc
I ST, NW, Suite 500, Washington, DC
March 2006
By Mike Bendel

Table of Contents
1. Purpose
2. DIACAP Defined
3. The Net-Centric Data Strategy
4. Global Information Grid (GIG)
5. DIACAP and GIG
6. Mission Assurance Categories (MACs)
7. Confidentiality Levels (CLs)
8. Mission Assurance Categories (MACs) & Confidentiality Levels (CLs)
9. MAC, CL, & Information Assurance (IA) Controls
10. IA Control Examples
11. The DIACAP Knowledge Service (KS)
12. Enterprise Mission Assurance Support services (emass)
13. DIACAP Roles & Responsibilities
14. The DIACAP Enterprise Governance Structure
15. The DIACAP Process Stages & Phase One
16. The DIACAP Process: Phase Two
17. The DIACAP ScoreCard
18. The DIACAP Process: Phase Three
19. The DIACAP Process: Phase Four
20. The DIACAP Process: Phase Five
21. The DIACAP Process: Summarized
22. Transition to DIACAP
23. Transition Timeline and Instructions
24. DITSCAP & DIACAP Compared
APPENDIX A: REFERENCES

List of Tables
Table 1: MAC Levels
Table 2: CL Levels
Table 3: IA Control Subject Areas
Table 4: Minimum Required Baseline Scores
Table 5: DIACAP Phase Review
Table 6: Phases: DIACAP vs. DITSCAP
Table 7: DIACAP & DITSCAP Compared

Table of Figures
Figure 1: The emass Welcome Page
Figure 2: Register the IA Program
Figure 3: The emass System Page
Figure 4: The DIACAP ScoreCard

1. Purpose
The purpose of this article is to give an overview of the new Department of Defense IA Certification and Accreditation Process (DIACAP) and two associated Web-based services: the DIACAP Knowledge Service (KS) and the Enterprise Mission Assurance Support Service (emass).

2. DIACAP Defined
DIACAP, based on DoDI 8510.bb, is a new process for the Certification and Accreditation (C&A) of all Department of Defense (DoD) information systems (IS) and for determining whether these systems should be authorized to operate. It cancels DODI and DoD M and replaces DITSCAP. DIACAP is the latest method for identifying, implementing, and validating information assurance controls and for managing information assurance posture across DoD information systems consistent with the Federal Information Security Management Act (FISMA). DIACAP is also a guide for compliance with the Global Information Grid (GIG).

DIACAP is a dynamic process in which IA posture is reviewed not less than annually. It has a DoD enterprise C&A decision structure and implements enterprise-level baseline IA Controls based on the IS Mission Assurance Category (MAC) and Confidentiality Level (CL). IA Controls may be augmented at the DoD Component level and the IS level. DIACAP places the responsibility for establishing DIACAP objectives, context and decision structure on the DoD Senior Information Assurance Official (SIAO) and the Principal Approving Authority (PAA) representatives. Compliance with assigned IA Controls and the IS C&A decision status is conveyed by the DIACAP Scorecard.

DIACAP assigns, implements, and validates DoDI standardized IA Controls and manages IA posture across DoD information systems consistent with DoD regulatory policy (IA 8500 series) and legislative policy (FISMA). It provides for the availability of the C&A status of DoD information systems across the Global Information Grid (GIG) and supports transition to GIG standards, e.g., from fixed system boundaries to a net-centric environment.

3. The Net-Centric Data Strategy
The Net-Centric Data Strategy (May 9, 2003) is a key enabler of the DoD's transformation. This Strategy provides the foundation for managing the Department's data in a net-centric environment, ensuring several things:
1) Data are visible, accessible, and understandable when needed and where needed to accelerate decision making.
2) Tagging of all data (intelligence, non-intelligence, raw, and processed) with metadata enables discovery by known and unanticipated users in the DoD.

3) All data are posted to shared spaces for users to access except when limited by security, policy, or regulations.
4) Organizing around Communities of Interest (COIs) that are supported by Warfighter, Business, and Intelligence Domains.

4. Global Information Grid (GIG)
What is the Global Information Grid (GIG)? The GIG comprises a seamless and secure end-to-end IA Architecture requiring shared enterprise services with streamlined management capabilities. The concept of individual systems will no longer exist. It encompasses DoD, the Intelligence Community (IC), Federal, industry, and international partnership communities. The network-centric objectives of the GIG are based on an information sharing environment that empowers the user with the ability to securely access all relevant information and recognizes the individual user as an information source. Access privileges will be required in order to ensure information is available to those who need it and protected from those without appropriate privileges.

The GIG supports all Department of Defense, National Security and related Intelligence Community missions and functions in war and in peace. The GIG encompasses the globally interconnected, end-to-end set of information capabilities, associated processes and personnel for collecting, disseminating, distributing and managing information on demand by warfighters, policy makers and support personnel. The GIG enables the formation of dynamic communities of interest (COIs). In some circumstances, these COIs will be formed on short notice and may exist for a relatively short timeframe. The GIG requires greatly enhanced IA solutions to support the paradigm shift from "need to know" to "need to share". Information sharing will require user access that crosses traditional system and classification boundaries. The GIG will permit provisional access to data for users not normally possessing access privileges, but who may need access in certain mission-critical situations. It will require that users, and perhaps even automated processes, have the ability to override data owner and originator security settings in support of operational need.

5. DIACAP and GIG
How is DIACAP related to the GIG? The DIACAP is a central component of the GIG IA C&A Strategy. DIACAP satisfies the need for a dynamic C&A process for the GIG and net-centric applications, which cannot be met with the current C&A methodology.

The DIACAP supports Information Systems transitioning to net-centric environments and GIG standards by:
1. Ensuring uniformity of approach
2. Managing and disseminating Information Assurance design, implementation, validation, sustainment and approach
3. Being able to handle differing systems
4. Facilitating a dynamic environment

Information Assurance will be implemented with Information Assurance Controls as defined by DoDI and maintained through a DoD-wide configuration management process that considers the GIG architecture and risk assessments conducted at the DoD Component level in accordance with FISMA. The DIACAP will support the ongoing validation needed to maintain the Information Assurance posture of an Information System. DoD Component IA Programs are the primary method of supporting the DoD Information Assurance Program. The status of all systems in the DIACAP program will be available to all who have authorized access.

6. Mission Assurance Categories (MACs)
The Mission Assurance Category (MAC) reflects the importance of information relative to the achievement of DoD goals and objectives, especially concerning the Warfighter's combat mission. MACs are primarily used to determine the requirements for availability and integrity. The DoD has three defined mission assurance categories:
MAC I: Information that is determined to be vital to the operational readiness or mission effectiveness of deployed and contingency forces in terms of both content and timeliness.
MAC II: Information that is important to the support of deployed and contingency forces.
MAC III: Information that is necessary for the conduct of day-to-day business, but does not materially affect support to deployed or contingency forces in the short term.
Table 1 shows the required levels of integrity and availability for each MAC level.

Table 1: MAC Levels

| MAC | Integrity Level | Availability Level |
|---|---|---|
| MAC I | High | High |
| MAC II | High | Medium |
| MAC III | Basic | Basic |

7. Confidentiality Levels (CLs)
The Confidentiality Level (CL) measures a system's confidentiality requirements based on whether the system processes classified, sensitive, or public information. Table 2 maps each CL to its required level of confidentiality.

Table 2: CL Levels

| CL | Definition | Level Required |
|---|---|---|
| Classified | Systems processing classified information | High |
| Sensitive | Systems processing sensitive information | Medium |
| Public | Systems processing public information | Basic |

Since the CL measures the need for confidentiality, it is used to determine acceptable access factors, like requirements for individual security clearances or background investigations, access approvals and need-to-know determinations. Interconnection controls and approvals and acceptable methods by which users may access the system are also determined by the CL of a system.

8. Mission Assurance Categories (MACs) & Confidentiality Levels (CLs)
MACs and CLs are independent; that is, a MAC I system may process public information and a MAC III system may process classified information. The nine combinations of mission assurance category and confidentiality level establish nine baseline IA levels that may coexist within the Global Information Grid (GIG):
MAC I, Classified
MAC I, Sensitive
MAC I, Public

MAC II, Classified
MAC II, Sensitive
MAC II, Public
MAC III, Classified
MAC III, Sensitive
MAC III, Public

9. MAC, CL, & Information Assurance (IA) Controls
A MAC and a CL are assigned to each DoD information system. Which IA Controls are appropriate for a system is determined by the assigned MAC and CL. IA Controls are the baseline requirements for IA C&A and help ensure that the levels of confidentiality, integrity, and availability meet system security requirements. The MAC IA Controls focus on integrity and availability, while the CL IA Controls focus on confidentiality and integrity. Table 3 shows the IA Control subject areas.

Table 3: IA Control Subject Areas

| Control | Subject Area Name | # of Controls |
|---|---|---|
| DC | Security Design & Configuration | 31 |
| IA | Identification & Authentication | 9 |
| EC | Enclave & Computing Environment | 48 |
| EB | Enclave Boundary Defense | 8 |
| PE | Physical & Environmental | 27 |
| PR | Personnel | 7 |
| CO | Continuity | 24 |
| VI | Vulnerability & Incident Management | |

10. IA Control Examples
Examples of Confidentiality IA Controls

Identification and Authentication: IAGA-1 Group Identification and Authentication (NIST SP , IA-2)
Group authenticators for application or network access may be used only in conjunction with an individual authenticator. Any use of group authenticators not based on the DoD PKI has been explicitly approved by the DAA.

Security Design and Configuration: DCAS-1 Acquisition Standards (NIST SP , SA-2)
The acquisition of all IA and IA-enabled GOTS IT products is limited to products that have been evaluated by the NSA or in accordance with NSA-approved processes. The acquisition of all IA and IA-enabled COTS IT products is limited to products that have been evaluated or validated through one of the following sources: the International Common Criteria (CC), the NIAP Evaluation and Validation Program, or the FIPS validation program. Robustness requirements, the mission, and customer needs will enable an experienced information systems security engineer to recommend a Protection Profile, a particular evaluated product, or a security target with the appropriate assurance requirements for a product to be submitted for evaluation.

Examples of Integrity IA Controls

Identification and Authentication: IAKM-2 Key Management (NIST SP , IA-2, IA-4, IA-5)
Symmetric keys are produced, controlled and distributed using NSA-approved key management technology and processes. Asymmetric keys are produced, controlled, and distributed using DoD PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key.

Identification and Authentication: IATS-2 Token and Certificate Standards (NIST SP , IA-2)
Identification and authentication is accomplished using the DoD PKI Class 3 or 4 certificate and hardware security token (when available) or an NSA-certified product.

Examples of Availability IA Controls

Security Design and Configuration: DCAR-1 Procedural Review (NIST SP , CA-2)
An annual IA review is conducted that comprehensively evaluates existing policies and processes to ensure procedural consistency and to ensure that they fully support the goal of uninterrupted operations.

Security Design and Configuration: DCSD-1 IA Documentation (NIST SP , PS-2, PL-2)
All appointments to required IA roles are established in writing, to include assigned duties and appointment criteria such as training, security clearance, and IT designation. A System Security Plan is established that describes the technical, administrative, and procedural IA program and policies that govern the DoD information system, and identifies all IA personnel and specific IA requirements and objectives.

11. The DIACAP Knowledge Service (KS)
What is the DIACAP Knowledge Service (KS)? The KS is a Web-based, DoD PKI-enabled knowledge resource for DIACAP. It provides a wealth of tools, such as GIG IA C&A guidelines, diagrams, process maps, and documents, to support and aid in DIACAP execution. The KS is a collaboration workspace for the DIACAP user community to develop, share and post lessons learned and best practices. It is also a source for IA news and events and other IA-related information resources. With the DIACAP KS, you can find the most current GIG IA C&A guidelines and determine which enterprise-level IA Controls apply to a given information system. The KS has implementation guidance, validation procedures and expected results for each DoDI IA Control. You can also hear about real-world experiences implementing DIACAP, get access to forms and templates, and find out about the latest IA news. The DIACAP KS is available on-line without charge.

12. Enterprise Mission Assurance Support services (emass)
What is Enterprise Mission Assurance Support services (emass)? emass is a Web-based suite of integrated services for select core IA program management processes, the first of which is the implementation and management of C&A based on the requirements of the DIACAP. It is an OASD(NII) Research & Development Initiative designed to support the DoD 8500-series policy framework. It will support DCID 6/3 (Intelligence Community) and NIST SP /53 (Civil) in future iterations. It is considered a DoD Core Enterprise Services (CES) candidate for IA program management. It is an IATAC endeavor that is government owned, not proprietary. The benefits of emass are automation, accountability, extensibility, and flexibility. emass creates a C&A package for the management of each registered information system. DoD PKI and auditing features enable monitoring of each transaction. emass is scalable to any enterprise, regardless of size and mission. It was designed to support multiple IA requirement types. emass will be available without charge for licensing or development upgrades; however, organizational investment is required for hardware, COTS software licenses and training.

The following three figures give an introduction to the emass interface.
Figure 1: The emass Welcome Page
Figure 2: Register the IA Program

Figure 3: The emass System Page

13. DIACAP Roles & Responsibilities
There are various roles and responsibilities within the DIACAP. The Designated Approval Authority (DAA) has the authority and ability to evaluate the mission, business cases, and budgetary needs for the system in view of the security risks. The DAA determines the acceptable level of residual risk and makes the authorization decision. The Information Assurance Manager (IAM)/Certification Authority (CA) is the one who manages the certification process. The IAM/CA performs a comprehensive evaluation of the technical and non-technical aspects of the certification effort, reports the status of the certification and recommends to the DAA whether to authorize the system. The Program Manager/System Manager (PM/SM) represents the interests of the system throughout its life cycle. The User Representative (UR) is concerned with system availability, integrity, and confidentiality as they relate to the system's mission. The Validation Tester tests the system against the IA Controls to ensure the system is compliant.

14. The DIACAP Enterprise Governance Structure
The DIACAP Enterprise Governance Structure is intended to synchronize and integrate DIACAP activities across all levels. The Governance Structure is comprised of three major elements: accreditation structure, configuration control and management (CCM) structure, and C&A process administration and certification structure. The accreditation structure is aligned to GIG Mission Areas and addresses cross-cutting issues. In the configuration control and management structure, the DIACAP Technical Advisory Group (TAG) supports the KS content, including the IA Controls. In the C&A process administration and certification structure, the authority and responsibility for certification are vested in the DoD Component Senior IA Officials (SIAOs). SIAOs serve as the Certifying Authority (CA), and the CIO is responsible for administration of the overall C&A process.

15. The DIACAP Process Stages & Phase One
There are five phases that summarize DIACAP activities:
1. Initiate and Plan IA C&A;
2. Implement and Validate Assigned IA Controls;
3. Make Certification Determination & Accreditation Decisions;
4. Maintain Authority to Operate and Conduct Reviews; and
5. Decommission.

The five steps taken during the first phase are:
1. Register the System with DoD Component IA Program
2. Assign IA Controls
3. Assemble a DIACAP Team
4. Review DIACAP intent, and
5. Initiate IA Implementation Plan.

16. The DIACAP Process: Phase Two
The second DIACAP Phase is Implement and Validate. The three steps in this phase are:
1. Execute and Update IA Implementation Plan
2. Conduct Validation Activities, and
3. Compile Validation Results.
The following two Identification & Authentication controls are useful in the second and third steps of this phase:

Validating IA Controls (IAKM-2 Key Management): Production, Control, and Distribution of Asymmetric Keys (NIST SP , IA-5)
Validation Test: Review system documentation. Ensure that asymmetric keys, if utilized, are produced, controlled, and distributed using appropriate DoD PKI assurance level certificates and hardware security tokens that protect the user's private key (i.e., CAC). Record the results.
Test Preparation: Obtain system documentation addressing the production, control, and distribution of asymmetric keys.
Expected Results: Asymmetric keys utilize appropriate DoD PKI assurance level certificates and hardware security tokens.

Validating IA Controls (IAKM-2 Key Management): Symmetric Keys (NIST SP , IA-5)
Test Script: Review system documentation. Ensure that symmetric keys, if utilized, are produced, controlled and distributed using NSA-approved key management technology and processes. Record the results.
Test Preparation: Obtain system documentation addressing the production, control, and distribution of symmetric keys.
Expected Results: Symmetric keys are produced, controlled, and distributed using NSA-approved key management technology and processes.

The DIACAP Scorecard is an important tool for this stage of the DIACAP process because it shows the implemented and validated controls.

17. The DIACAP ScoreCard
The DIACAP ScoreCard is a summary report that shows the certified or accredited implementation status of a DoD information system's assigned IA Controls and supports or conveys the accreditation decision. The DIACAP ScoreCard is intended to convey information about the IA posture of the evaluated system in a format that can be easily understood by managers and can be easily exchanged electronically.

The I-Assure implementation of the DIACAP ScoreCard is an automated client-side application that enables the assessor to evaluate the effectiveness of the controls in place for an IT system through a series of questions and answers.
Figure 4: The DIACAP ScoreCard

Also in the Implement and Validate DIACAP phase, it is important to compare the system's MAC and CL controls against standard minimum baseline requirements. This helps to measure the effectiveness of these controls in terms of confidentiality, integrity, and availability. The following table shows these minimum baseline scores:

Table 4: Minimum Required Baseline Scores (the score values are blank in the source transcription)

| CL | MAC | Required Minimum Baseline Score for CL: Confidentiality | Required Minimum Baseline Score for MAC: Integrity | Required Minimum Baseline Score for MAC: Availability | Total Required Minimum Baseline Score |
|---|---|---|---|---|---|
| Classified | MAC I | | | | |
| Sensitive | MAC I | | | | |
| Public | MAC I | | | | |
| Classified | MAC II | | | | |
| Sensitive | MAC II | | | | |
| Public | MAC II | | | | |
| Classified | MAC III | | | | |
| Sensitive | MAC III | | | | |
| Public | MAC III | | | | |

18. The DIACAP Process: Phase Three
C&A decisions are made during the third DIACAP phase. The three steps in this stage are:
1. Analyze Residual Risk
2. Issue Certification Determination
3. Make Accreditation Decisions.

The Analyze Residual Risk step is performed by the IAM or the CA. They assess residual risk to the DoD Component information environment, to the information exposed to the DoD information system, and to the mission being supported by the DoD information system. The DAA makes an accreditation decision based on a review of the materials in the DIACAP package and recommendations from the IAM/CA.

Example Contents of DIACAP Package:
System Identification Profile
DIACAP Strategy
IA Implementation Plan
DIACAP Scorecard
Certification Determination
DIACAP Plan of Actions and Milestones (POA&M), as required
Accreditation Decision
Artifacts and Evidence of Compliance

There are four possible accreditation decisions:
1. Approval to Operate (ATO)
2. Interim Approval to Operate (IATO)
3. Interim Approval to Test (IATT), and
4. Denial of Approval to Operate (DATO).

When an ATO is given, a DoD information system is authorized by a DAA to process, store, or transmit information. Authorization is based on an acceptable IA design and implementation of assigned IA Controls. An IATO is a temporary approval granted by a DAA to operate based on an assessment of the implementation status of the assigned IA Controls. An IATT is a temporary approval granted by a DAA to conduct system testing based on an assessment of the implementation status of the assigned IA Controls. A DATO is a DAA determination that a DoD information system cannot operate because of an inadequate IA design or failure to implement assigned IA Controls.

19. The DIACAP Process: Phase Four
The fourth DIACAP stage is Maintain ATO/Reviews. The four steps in this phase are:
1. Initiate and Update Lifecycle Implementation
2. Plan for IA Controls
3. Maintain Situational Awareness, and
4. Maintain IA Posture.

Types of Phase 4 Activities
1. Exercise configuration management of the IA Controls Implementation Plan for the operational system, which permits IT component swaps and minor software releases.
2. Incorporate any new or modified IA Controls into the IA Implementation Plan, or any corrections of other identified security vulnerabilities.
3. Update the DIACAP Package and IA Controls Scorecard.
4. Conduct monitoring as specified in the IA Implementation Plan.
5. Conduct vulnerability scans and penetration tests.
6. Re-verify identified IA Controls.
7. Validate continued compliance with necessary IA Controls and the IA Controls Scorecard.

20. The DIACAP Process: Phase Five
The fifth and final DIACAP process stage, the Decommission Stage, has one important step: Disposition of the DIACAP registration information and system-related data. In the Decommission Stage, the DIACAP registration information and system-related data or objects in the GIG supporting IA infrastructure and core enterprise services are securely disposed of.

21. The DIACAP Process: Summarized
The following table summarizes the DIACAP phases and the steps in each phase:

Table 5: DIACAP Phase Review

| Phase | Steps |
|---|---|
| Initiate & Plan | Register the System with DoD Component IA Program; Assign IA Controls; Assemble a DIACAP Team; Review DIACAP intent; Initiate IA Implementation Plan |
| Implement & Validate | Execute and Update IA Implementation Plan; Conduct Validation Activities; Compile Validation Results |
| Make C&A Decisions | Analyze Residual Risk; Issue Certification Determination; Make Accreditation Decisions |
| Maintain ATO/Reviews | Initiate and Update Lifecycle Implementation Plan for IA Controls; Maintain Situational Awareness; Maintain IA Posture |
| Decommission | Disposition of DIACAP Registration Information & System-Related Data |

22. Transition to DIACAP
Why is the DoD changing from DITSCAP to DIACAP at this time? The DoD is transforming its information security posture in response to changes in Information Technology (IT) and Federal requirements and guidelines. There have been many changes in the way the DoD acquires, uses, and operates IT. Also, Title III of the E-Government Act, the Federal Information Security Management Act (FISMA), requires Federal departments and agencies to develop, document, and implement an organization-wide program to provide information assurance. DIACAP ensures DoD C&A is consistent with FISMA, DoDD and DoDI.

23. Transition Timeline and Instructions
The current draft of DoDI 8510.bb provides a timeline and instructions for transition from DITSCAP to DIACAP. DIACAP should be immediately initiated in unaccredited new-start or operational information systems. Transition actions and timelines for a system that is currently under DITSCAP vary depending on the DITSCAP phase and status of the SSAA, the DITSCAP Accreditation Decision, and incorporation of 8500 IA Controls. Under specific circumstances, a system may continue under DITSCAP and be granted an Accreditation Decision under DITSCAP, while development of a DIACAP transition plan and schedule is required. If a system has a DITSCAP ATO more than three years old, DIACAP should be initiated.

24. DIACAP & DITSCAP Compared
Table 6 shows how the DIACAP phases differ from the DITSCAP phases.

Table 6: Phases: DIACAP vs. DITSCAP

| DIACAP | DITSCAP |
|---|---|
| Initiate & Plan IA C&A | Definition |
| Implement & Validate IA Controls | Verification |
| Make Certification Determination & Accreditation Decision | Validation |
| IATO/ATO | IATO/ATO |
| Maintain ATO | Post-Accreditation |

Table 7 shows some of the differences between DIACAP and DITSCAP.

Table 7: DIACAP & DITSCAP Compared

| DIACAP | DITSCAP |
|---|---|
| All systems inherit enterprise standards and requirements | Security requirements and standards uniquely determined by each system |
| Certification Authority is a qualified, resourced, and permanent member of CIO staff | DAA and Certifier selected by/for each system |
| No pre-defined phases. Each system works to a plan that aligns to the system life cycle | Policy advocated tailoring, but process was hard-coded to phases |
| Accreditation status communicated by assigned IA Controls compliance ratings and letter and status code (ATO, IATO, IATT, DATO) in DIACAP Scorecard | Accreditation status communicated via letter and status code (ATO, IATO) in SSAA |
| Automated tools, enterprise-managed KS, requirements tied to architecture | No process improvement |
| ATO means security risk is at an acceptable level to support mission and live data | Inaccurate association of ATO with perfect and unchanging security |
| Continuous, asynchronous monitoring; reviewed not less than annually; FISMA reporting | Fire-and-forget accreditation; 3-year white glove inspection reaccreditation |

APPENDIX A: REFERENCES

DIACAP KB: DIACAP Knowledge Base Overview. Briefing. Washington, DC: DoD PKI C&A Working Group, March.
DoDI 8510.bb: Defense Information Assurance Certification and Accreditation Process (DIACAP). DoD Instruction 8510.bb. Washington, DC: U.S. Department of Defense, draft.
DoD 8510.b-M: Defense Information Assurance Certification and Accreditation Process (DIACAP) Manual Draft Annotated Outline. DoD 8510.b-M. Washington, DC: U.S. Department of Defense, draft.
emass: emass Overview. Briefing. Washington, DC: DoD PKI C&A Working Group, March.
GiG IA: GIG IA Strategy (Draft). Fort Meade, MD: National Security Agency (NSA) Information Assurance Directorate, June.
USC 3542: Public Printing and Documents, Chapter 35, Coordination of Federal Information Policy, Subchapter III, Information Security. U.S. Code 44, Section. Washington, DC: U.S. Congress.
NIST Special Publication (SP): National Institute of Standards and Technology Special Publication, Recommended Security Controls for Federal Information Systems, February.
FIPS 199: Standards for Security Categorization of Federal Information and Information Systems. FIPS 199. Washington, DC: U.S. National Institute of Standards and Technology.
FIPS 201: Federal Information Processing Standards Publication 201, Personal Identity Verification for Federal Employees and Contractors, February.
OMB A130, Appendix III: Office of Management and Budget, Circular A-130, Appendix III, Transmittal Memorandum #4, Management of Federal Information Resources, Nov.
FISMA, 2002: Federal Information Security Management Act (FISMA). Washington, DC: U.S. Congress.
DoD Acquisition Guidebook: DoD Acquisition Guidebook. Washington, DC: U.S. Department of Defense.
DoDI: Operation of the Defense Acquisition System. DoDI. Washington, DC: U.S. Department of Defense.
DoD M: National Industrial Security Program Operating Manual (NISPOM). DoD. Washington, DC: U.S. Department of Defense.
DoDD: Information Assurance. DoD Directive. Washington, DC: U.S. Department of Defense.
DoDI: Information Assurance Implementation. DoD Instruction. Washington, DC: U.S. Department of Defense, 2003.


More information

FISMAand the Risk Management Framework

FISMAand the Risk Management Framework FISMAand the Risk Management Framework The New Practice of Federal Cyber Security Stephen D. Gantz Daniel R. Phi I pott Darren Windham, Technical Editor ^jm* ELSEVIER AMSTERDAM BOSTON HEIDELBERG LONDON

More information

MIS Week 9 Host Hardening

MIS Week 9 Host Hardening MIS 5214 Week 9 Host Hardening Agenda NIST Risk Management Framework A quick review Implementing controls Host hardening Security configuration checklist (w/disa STIG Viewer) NIST 800-53Ar4 How Controls

More information

Information Systems Security Requirements for Federal GIS Initiatives

Information Systems Security Requirements for Federal GIS Initiatives Requirements for Federal GIS Initiatives Alan R. Butler, CDP Senior Project Manager Penobscot Bay Media, LLC 32 Washington Street, Suite 230 Camden, ME 04841 1 Federal GIS "We are at risk," advises the

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Network Mapping The Network Mapping helps visualize the network and understand relationships and connectivity between

More information

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

FedRAMP: Understanding Agency and Cloud Provider Responsibilities May 2013 Walter E. Washington Convention Center Washington, DC FedRAMP: Understanding Agency and Cloud Provider Responsibilities Matthew Goodrich, JD FedRAMP Program Manager US General Services Administration

More information

Risk Management Framework for DoD Medical Devices

Risk Management Framework for DoD Medical Devices Risk Management Framework for DoD Medical Devices Session 136, March 7, 2018 Lt. Col. Alan Hardman, Chief Operations Officer, Cyber Security Division, Office of the DAD IO/J-6 William Martin, Deputy of

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Signature Repository A Signature Repository provides a group of signatures for use by network security tools such

More information

FISMA Compliance and the Search for Security. Tim Murray NES Associates February 5, 2008

FISMA Compliance and the Search for Security. Tim Murray NES Associates February 5, 2008 FISMA Compliance and the Search for Security Tim Murray NES Associates February 5, 2008 Agenda What is FISMA? What do I REALLY have to do? How can technology help my organization meet FISMA requirements

More information

FedRAMP Security Assessment Framework. Version 2.0

FedRAMP Security Assessment Framework. Version 2.0 FedRAMP Security Assessment Framework Version 2.0 June 6, 2014 Executive Summary This document describes a general Security Assessment Framework (SAF) for the Federal Risk and Authorization Management

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Deployment Deployment is the phase of the system development lifecycle in which solutions are placed into use to

More information

Student Guide Course: Introduction to the NISP Certification and Accreditation Process

Student Guide Course: Introduction to the NISP Certification and Accreditation Process Course: Introduction to the NISP Certification and Accreditation Process Lesson 1: Course Introduction Course Information Purpose Audience Pass/Fail % 75% Estimated completion time Provides training on

More information

Test & Evaluation of the NR-KPP

Test & Evaluation of the NR-KPP Defense Information Systems Agency Test & Evaluation of the NR-KPP Danielle Mackenzie Koester Chief, Engineering and Policy Branch March 15, 2011 2 "The information provided in this briefing is for general

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS IA Policies, Procedures, The Information Assurance (IA) Policies, Procedures, encompasses existing policies, procedures,

More information

SAC PA Security Frameworks - FISMA and NIST

SAC PA Security Frameworks - FISMA and NIST SAC PA Security Frameworks - FISMA and NIST 800-171 June 23, 2017 SECURITY FRAMEWORKS Chris Seiders, CISSP Scott Weinman, CISSP, CISA Agenda Compliance standards FISMA NIST SP 800-171 Importance of Compliance

More information

Agency Guide for FedRAMP Authorizations

Agency Guide for FedRAMP Authorizations How to Functionally Reuse an Existing Authorization Version 1.0 August 5, 2015 Revision History Date Version Page(s) Description Author 08/05/2015 1.0 All Initial Publication FedRAMP PMO 06/06/2017 1.0

More information

NIST Security Certification and Accreditation Project

NIST Security Certification and Accreditation Project NIST Security Certification and Accreditation Project An Integrated Strategy Supporting FISMA Dr. Ron Ross Computer Security Division Information Technology Laboratory 1 Today s Climate Highly interactive

More information

Fiscal Year 2013 Federal Information Security Management Act Report

Fiscal Year 2013 Federal Information Security Management Act Report U.S. ENVIRONMENTAL PROTECTION AGENCY OFFICE OF INSPECTOR GENERAL Fiscal Year 2013 Federal Information Security Management Act Report Status of EPA s Computer Security Program Report. 14-P-0033 vember 26,

More information

Continuous Monitoring & Security Authorization XACTA IA MANAGER: COST SAVINGS AND RETURN ON INVESTMENT IA MANAGER

Continuous Monitoring & Security Authorization XACTA IA MANAGER: COST SAVINGS AND RETURN ON INVESTMENT IA MANAGER Continuous Monitoring & Security Authorization XACTA IA MANAGER: COST SAVINGS AND RETURN ON INVESTMENT IA MANAGER Continuous Monitoring & Security Authorization >> TOTAL COST OF OWNERSHIP Xacta IA Manager

More information

RISK MANAGEMENT FRAMEWORK COURSE

RISK MANAGEMENT FRAMEWORK COURSE RISK MANAGEMENT FRAMEWORK COURSE Secure Managed Instructional Systems, LLC Consulting Training Staffing Support 3350 Riverview Pkwy Suite 1900 * Atlanta, Georgia 30339 * Phone: 800-497-3376 * Email: semais@semais.net.*

More information

UNCLASSIFIED. FY 2016 Base FY 2016 OCO

UNCLASSIFIED. FY 2016 Base FY 2016 OCO Exhibit R-2, RDT&E Budget Item Justification: PB 2016 Defense Security Service Date: February 2015 0400: Research, Development, Test & Evaluation, Defense-Wide / BA 7: Operational Systems Development COST

More information

CYBER SECURITY BRIEF. Presented By: Curt Parkinson DCMA

CYBER SECURITY BRIEF. Presented By: Curt Parkinson DCMA CYBER SECURITY BRIEF Presented By: Curt Parkinson DCMA September 20, 2017 Agenda 2 DFARS 239.71 Updates Cybersecurity Contracting DFARS Clause 252.204-7001 DFARS Clause 252.239-7012 DFARS Clause 252.239-7010

More information

FedRAMP Security Assessment Framework. Version 2.1

FedRAMP Security Assessment Framework. Version 2.1 FedRAMP Security Assessment Framework Version 2.1 December 4, 2015 Executive Summary This document describes a general Security Assessment Framework (SAF) for the Federal Risk and Authorization Management

More information

INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE ASIA/PAC RECOMMENDED SECURITY CHECKLIST

INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE ASIA/PAC RECOMMENDED SECURITY CHECKLIST INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE Aeronautical Telecommunication Network Implementation Coordination Group (ATNICG) ASIA/PAC RECOMMENDED SECURITY CHECKLIST September 2009

More information

This is to certify that. Chris FitzGerald. has completed the course. Systems Security Engineering _eng 2/10/08

This is to certify that. Chris FitzGerald. has completed the course. Systems Security Engineering _eng 2/10/08 This is to certify that Chris FitzGerald has completed the course Systems Security Engineering - 206760_eng on 2/10/08 Systems Security Engineering About This Course Overview/Description To define the

More information

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA? Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA? A brief overview of security requirements for Federal government agencies applicable to contracted IT services,

More information

Solutions Technology, Inc. (STI) Corporate Capability Brief

Solutions Technology, Inc. (STI) Corporate Capability Brief Solutions Technology, Inc. (STI) Corporate Capability Brief STI CORPORATE OVERVIEW Located in the metropolitan area of Washington, District of Columbia (D.C.), Solutions Technology Inc. (STI), women owned

More information

Managed Trusted Internet Protocol Service (MTIPS) Enterprise Infrastructure Solutions (EIS) Risk Management Framework Plan (RMFP)

Managed Trusted Internet Protocol Service (MTIPS) Enterprise Infrastructure Solutions (EIS) Risk Management Framework Plan (RMFP) Enterprise Infrastructure Solutions Volume 1 Technical Volume EIS MTIPS Risk Management Framework Plan Managed Trusted Internet Protocol Service (MTIPS) Enterprise Infrastructure Solutions (EIS) Risk Management

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Host Intrusion The Host Intrusion employs a response to a perceived incident of interference on a host-based system

More information

Leveraging FISMA Guidance to Support an Effective Risk Management Strategy to Secure IT Systems and Meet Regulatory Requirements.

Leveraging FISMA Guidance to Support an Effective Risk Management Strategy to Secure IT Systems and Meet Regulatory Requirements. Leveraging FISMA Guidance to Support an Effective Risk Management Strategy to Secure IT Systems and Meet Regulatory Requirements. Thomas Chimento Ph.D., CISSP, CCE, CISA Product Manager Webroot Software

More information

Guide to Understanding FedRAMP. Version 2.0

Guide to Understanding FedRAMP. Version 2.0 Guide to Understanding FedRAMP Version 2.0 June 6, 2014 Executive Summary The Federal Risk and Authorization Management Program (FedRAMP) provides a costeffective, risk-based approach for the adoption

More information

Appendix 12 Risk Assessment Plan

Appendix 12 Risk Assessment Plan Appendix 12 Risk Assessment Plan DRAFT December 13, 2006 Revision XX Qwest Government Services, Inc. 4250 North Fairfax Drive Arlington, VA 22203 A12-1 RFP: TQC-JTB-05-0001 December 13, 2006 REVISION HISTORY

More information

Synergistic Efforts Between Financial Audit and Cyber Security

Synergistic Efforts Between Financial Audit and Cyber Security DEPARTMENT OF THE NAVYCHIEF INFORMATION OFFICER Synergistic Efforts Between Financial Audit and Cyber Security Amira Tann, DON CIO IT Audit Readiness Lead Danny Chae, ASM FMC FMP IT Controls Lead June

More information

Mapping of FedRAMP Tailored LI SaaS Baseline to ISO Security Controls

Mapping of FedRAMP Tailored LI SaaS Baseline to ISO Security Controls Mapping of FedRAMP Tailored LI SaaS Baseline to ISO 27001 Security Controls This document provides a list of all controls that require the Cloud Service Provider, Esri, to provide detailed descriptions

More information

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf

More information

Appendix 12 Risk Assessment Plan

Appendix 12 Risk Assessment Plan Appendix 12 Risk Assessment Plan DRAFT March 5, 2007 Revision XX Qwest Government Services, Inc. 4250 North Fairfax Drive Arlington, VA 22203 A12-i RFP: TQC-JTB-05-0002 March 5, 2007 REVISION HISTORY Revision

More information

Department of Defense INSTRUCTION

Department of Defense INSTRUCTION Department of Defense INSTRUCTION NUMBER 8551.1 August 13, 2004 ASD(NII)/DoD CIO SUBJECT: Ports, Protocols, and Services Management (PPSM) References: (a) DoD Directive 8500.1, "Information Assurance (IA),"

More information

Introduction to the Federal Risk and Authorization Management Program (FedRAMP)

Introduction to the Federal Risk and Authorization Management Program (FedRAMP) Introduction to the Federal Risk and Authorization Management Program (FedRAMP) 8/2/2015 Presented by: FedRAMP PMO 1 Today s Training Welcome! This training session is part one of the FedRAMP Training

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Port Security Port Security helps to control access to logical and physical ports, protocols, and services. This

More information

Certification Exam Outline Effective Date: September 2013

Certification Exam Outline Effective Date: September 2013 Certification Exam Outline Effective Date: September 2013 About CAP The Certified Authorization Professional (CAP) is an information security practitioner who champions system security commensurate with

More information

Information Security Continuous Monitoring (ISCM) Program Evaluation

Information Security Continuous Monitoring (ISCM) Program Evaluation Information Security Continuous Monitoring (ISCM) Program Evaluation Cybersecurity Assurance Branch Federal Network Resilience Division Chad J. Baer FNR Program Manager Chief Operational Assurance Agenda

More information

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities

More information

ISC2. Exam Questions CAP. ISC2 CAP Certified Authorization Professional. Version:Demo

ISC2. Exam Questions CAP. ISC2 CAP Certified Authorization Professional. Version:Demo ISC2 Exam Questions CAP ISC2 CAP Certified Authorization Professional Version:Demo 1. Which of the following are the goals of risk management? Each correct answer represents a complete solution. Choose

More information

Program Review for Information Security Management Assistance. Keith Watson, CISSP- ISSAP, CISA IA Research Engineer, CERIAS

Program Review for Information Security Management Assistance. Keith Watson, CISSP- ISSAP, CISA IA Research Engineer, CERIAS Program Review for Information Security Management Assistance Keith Watson, CISSP- ISSAP, CISA IA Research Engineer, CERIAS Disclaimer and Purpose PRISMA, FISMA, and NIST, oh my! PRISMA versus an Assessment

More information

CIS 444: Computer. Networking. Courses X X X X X X X X X

CIS 444: Computer. Networking. Courses X X X X X X X X X 4012 Points Courses * = Can include a summary justification for that section. FUNCTION 1 - GRANT FINAL ATO A. Responsibilities 1. Aspects of Security *Explain the importance of SSM role in (IA) 2. Accreditation

More information

Executive Order 13556

Executive Order 13556 Briefing Outline Executive Order 13556 CUI Registry 32 CFR, Part 2002 Understanding the CUI Program Phased Implementation Approach to Contractor Environment 2 Executive Order 13556 Established CUI Program

More information

Ensuring System Protection throughout the Operational Lifecycle

Ensuring System Protection throughout the Operational Lifecycle Ensuring System Protection throughout the Operational Lifecycle The global cyber landscape is currently occupied with a diversity of security threats, from novice attackers running pre-packaged distributed-denial-of-service

More information

Security Management Models And Practices Feb 5, 2008

Security Management Models And Practices Feb 5, 2008 TEL2813/IS2820 Security Management Security Management Models And Practices Feb 5, 2008 Objectives Overview basic standards and best practices Overview of ISO 17799 Overview of NIST SP documents related

More information

Exhibit A1-1. Risk Management Framework

Exhibit A1-1. Risk Management Framework Appendix B presents the deliverables produced during the execution of the risk management approach to achieve the assessment and authorization process. The steps required by the risk management framework

More information

STUDENT GUIDE Risk Management Framework Step 1: Categorization of the Information System

STUDENT GUIDE Risk Management Framework Step 1: Categorization of the Information System Slide 1 RMF Overview RMF Module 1 RMF takes into account the organization as a whole, including strategic goals and objectives and relationships between mission/business processes, the supporting information

More information

Interagency Advisory Board Meeting Agenda, December 7, 2009

Interagency Advisory Board Meeting Agenda, December 7, 2009 Interagency Advisory Board Meeting Agenda, December 7, 2009 1. Opening Remarks 2. FICAM Segment Architecture & PIV Issuance (Carol Bales, OMB) 3. ABA Working Group on Identity (Tom Smedinghoff) 4. F/ERO

More information

Department of Defense Fiscal Year (FY) 2013 IT President's Budget Request Defense Technical Information Center Overview

Department of Defense Fiscal Year (FY) 2013 IT President's Budget Request Defense Technical Information Center Overview Mission Area Department of Defense Business System Breakout Appropriation All Other Resources 19.083 EIEMA 19.083 RDT&E 19.083 FY 2013 ($M) FY 2013 ($M) FY 2013 ($M) FY12 to FY13 Comparision ($M) FY2012

More information

Courses. X E - Verify that system acquisitions policies and procedures include assessment of risk management policies X X

Courses. X E - Verify that system acquisitions policies and procedures include assessment of risk management policies X X 4016 Points * = Can include a summary justification for that section. FUNCTION 1 - INFORMATION SYSTEM LIFE CYCLE ACTIVITIES Life Cycle Duties No Subsection 2. System Disposition/Reutilization *E - Discuss

More information

TEL2813/IS2820 Security Management

TEL2813/IS2820 Security Management TEL2813/IS2820 Security Management Security Management Models And Practices Lecture 6 Jan 27, 2005 Introduction To create or maintain a secure environment 1. Design working security plan 2. Implement management

More information

FedRAMP Digital Identity Requirements. Version 1.0

FedRAMP Digital Identity Requirements. Version 1.0 FedRAMP Digital Identity Requirements Version 1.0 January 31, 2018 DOCUMENT REVISION HISTORY DATE VERSION PAGE(S) DESCRIPTION AUTHOR 1/31/2018 1.0 All Initial document FedRAMP PMO i ABOUT THIS DOCUMENT

More information

FiXs - Federated and Secure Identity Management in Operation

FiXs - Federated and Secure Identity Management in Operation FiXs - Federated and Secure Identity Management in Operation Implementing federated identity management and assurance in operational scenarios The Federation for Identity and Cross-Credentialing Systems

More information

Contemporary Challenges for Cloud Service Providers Seeking FedRAMP Compliance

Contemporary Challenges for Cloud Service Providers Seeking FedRAMP Compliance Contemporary Challenges for Cloud Service Providers Seeking FedRAMP Compliance July 2017 Jeff Roth, CISSP-ISSEP, CISA, CGEIT, QSA Regional Director NCC Group Agenda FedRAMP - Foundations/Frameworks Cloud

More information

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION Treasury Inspector General for Tax Administration Federal Information Security Management Act November 10, 2010 Reference Number: 2011-20-003 This report

More information

Annex 1 to NIST Special Publication Recommended Security Controls for Federal Information Systems

Annex 1 to NIST Special Publication Recommended Security Controls for Federal Information Systems Annex 1 to NIST Special Publication 800-53 Recommended Security Controls for Federal Information Systems Minimum Security Controls Low Baseline AC-1 ACCESS CONTROL POLICY AND PROCEDURES The organization

More information

IT-CNP, Inc. Capability Statement

IT-CNP, Inc. Capability Statement Securing America s Infrastructure Security Compliant IT Operations Hosting Cyber Security Information FISMA Cloud Management Hosting Security Compliant IT Logistics Hosting 1 IT-CNP, Inc. is a Government

More information

National Information Assurance Partnership (NIAP) 2017 Report. PPs Completed in CY2017

National Information Assurance Partnership (NIAP) 2017 Report. PPs Completed in CY2017 National Information Assurance Partnership (NIAP) 2017 Report NIAP continued to grow and make a difference in 2017 from increasing the number of evaluated products available for U.S. National Security

More information

ManTech Advanced Systems International 2018 Security Training Schedule

ManTech Advanced Systems International 2018 Security Training Schedule ManTech Advanced Systems International 2018 Security Training Schedule Risk Management Framework Course Dates Course Location Course Cost February 12 15, 2018 Las Vegas, NV $1,950.00 March 12 15, 2018

More information

IASM Support for FISMA

IASM Support for FISMA Introduction Most U.S. civilian government agencies, and commercial enterprises processing electronic data on behalf of those agencies, are concerned about whether and how Information Assurance products

More information

The Common Controls Framework BY ADOBE

The Common Controls Framework BY ADOBE The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.

More information

MINIMUM SECURITY CONTROLS SUMMARY

MINIMUM SECURITY CONTROLS SUMMARY APPENDIX D MINIMUM SECURITY CONTROLS SUMMARY LOW-IMPACT, MODERATE-IMPACT, AND HIGH-IMPACT INFORMATION SYSTEMS The following table lists the minimum security controls, or security control baselines, for

More information

Safeguarding Unclassified Controlled Technical Information

Safeguarding Unclassified Controlled Technical Information Safeguarding Unclassified Controlled Technical Information (DFARS Case 2011-D039): The Challenges of New DFARS Requirements and Recommendations for Compliance Version 1 Authors: Justin Gercken, TSCP E.K.

More information

Risk Management Framework (RMF) 101 for Managers. October 17, 2017

Risk Management Framework (RMF) 101 for Managers. October 17, 2017 Risk Management Framework (RMF) 101 for Managers October 17, 2017 DoD Risk Management Framework (RMF) Process DoDI 8510.01, Mar 2014 [based on NIST SP 800-37] Architecture Description Components Firmware

More information

ManTech Advanced Systems International 2017 Security Training Schedule

ManTech Advanced Systems International 2017 Security Training Schedule ManTech Advanced Systems International 2017 Security Training Schedule Risk Management Framework Course Course Dates Course Location Course Cost October 16 19, 2017 Joint Base Anacostia-Bolling, Washington,

More information

Vol. 1 Technical RFP No. QTA0015THA

Vol. 1 Technical RFP No. QTA0015THA General Services Administration (GSA) Enterprise Infrastructure Solutions (EIS) Core Infrastructure IPSS Concept of Operations Per the IPSS requirements, we provide the ability to capture and store packet

More information

Handbook Webinar

Handbook Webinar 800-171 Handbook Webinar Pat Toth Cybersecurity Program Manager National Institute of Standards and Technology (NIST) Manufacturing Extension Partnership (MEP) NIST MEP 800-171 Assessment Handbook Step-by-step

More information

ACHIEVING COMPLIANCE WITH NIST SP REV. 4:

ACHIEVING COMPLIANCE WITH NIST SP REV. 4: ACHIEVING COMPLIANCE WITH NIST SP 800-53 REV. 4: How Thycotic Helps Implement Access Controls OVERVIEW NIST Special Publication 800-53, Revision 4 (SP 800-53, Rev. 4) reflects the U.S. federal government

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE Digital Policy Management consists of a set of computer programs used to generate, convert, deconflict, validate, assess

More information

READ ME for the Agency ATO Review Template

READ ME for the Agency ATO Review Template READ ME for the Agency ATO Review Template Below is the template that the FedRAMP Program Management Office (PMO) uses when reviewing an Agency ATO package. Agencies and CSPs should be cautious to not

More information

DRAFT NATIONAL EDUCATION AND TRAINING STANDARD FOR SYSTEM CERTIFIERS

DRAFT NATIONAL EDUCATION AND TRAINING STANDARD FOR SYSTEM CERTIFIERS NSTISSI No. 4015 NATIONAL EDUCATION AND TRAINING STANDARD FOR SYSTEM CERTIFIERS THIS DOCUMENT PROVIDES MINIMUM STANDARDS. FURTHER IMPLEMENTATION MAY BE REQUIRED BY YOUR DEPARTMENT OR AGENCY National Security

More information

Annex 3 to NIST Special Publication Recommended Security Controls for Federal Information Systems

Annex 3 to NIST Special Publication Recommended Security Controls for Federal Information Systems Annex 3 to NIST Special Publication 800-53 Recommended Security Controls for Federal Information Systems Minimum Security Controls High Baseline Includes updates through 04-22-2005 AC-1 ACCESS CONTROL

More information

GSAW Information Assurance in Government Space Systems: From Art to Engineering

GSAW Information Assurance in Government Space Systems: From Art to Engineering GSAW 2006 Information Assurance in Government Space Systems: From Art to Engineering Charles Lavine The Aerospace Corporation 310-336-1595 lavine@aero.org 1 Toward the Global Information Grid Toward the

More information

Critical Infrastructures and Cyber Protection Center (CICPC) Professional Development Programs. FISMA Compliance Review Program Sample Syllabus FISMA

Critical Infrastructures and Cyber Protection Center (CICPC) Professional Development Programs. FISMA Compliance Review Program Sample Syllabus FISMA Critical Infrastructures and Cyber Protection Center (CICPC) Professional Development Programs FISMA Compliance Review Program Sample Syllabus FISMA ICP-086-Pxx (class dates) Live on Weekdays Lunchbox

More information

Information Technology Branch Organization of Cyber Security Technical Standard

Information Technology Branch Organization of Cyber Security Technical Standard Information Technology Branch Organization of Cyber Security Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 1 November 20, 2014 Approved:

More information

RED HAT ENTERPRISE LINUX 6 SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW Version 1, Release 2. 3 June 2013

RED HAT ENTERPRISE LINUX 6 SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW Version 1, Release 2. 3 June 2013 RED HAT ENTERPRISE LINUX 6 SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW Version 1, Release 2 3 June 2013 Developed by Red Hat, NSA, and DISA for the DoD Trademark Information Names, products,

More information

DoDI IA Control Checklist - MAC 1-Classified. Version 1, Release March 2008

DoDI IA Control Checklist - MAC 1-Classified. Version 1, Release March 2008 DoDI 8500-2 IA Control Checklist - MAC 1-Classified Version 1, Release 1.4 Developed by DISA for the DOD UNTILL FILLED IN CIRCLE ONE FOR OFFICIAL USE ONLY (mark each page) CONFIDENTIAL and SECRET (mark

More information

Introduction to AWS GoldBase

Introduction to AWS GoldBase Introduction to AWS GoldBase A Solution to Automate Security, Compliance, and Governance in AWS October 2015 2015, Amazon Web Services, Inc. or its affiliates. All rights reserved. Notices This document

More information

DFARS Cyber Rule Considerations For Contractors In 2018

DFARS Cyber Rule Considerations For Contractors In 2018 Portfolio Media. Inc. 111 West 19 th Street, 5th Floor New York, NY 10011 www.law360.com Phone: +1 646 783 7100 Fax: +1 646 783 7161 customerservice@law360.com DFARS Cyber Rule Considerations For Contractors

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Network Boundary and The Network Boundary and for an Enterprise is essential; it provides for an understanding of

More information

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations January 9 th, 2018 SPEAKER Chris Seiders, CISSP Security Analyst Computing Services and Systems Development

More information

DIACAP IA CONTROLS. Requirements Document. Sasa Basara University of Missouri-St. Louis

DIACAP IA CONTROLS. Requirements Document. Sasa Basara University of Missouri-St. Louis DIACAP IA CONTROLS Requirements Document 10.13.2015 Sasa Basara University of Missouri-St. Louis 1 1 University Blvd St. Louis, MO 63121 Overview This task is creating threshold (shall) requirements for

More information

Building Secure Systems

Building Secure Systems Building Secure Systems Antony Selim, CISSP, P.E. Cyber Security and Enterprise Security Architecture 13 November 2015 Copyright 2015 Raytheon Company. All rights reserved. Customer Success Is Our Mission

More information

manner. IOPA conducts its reviews in conformance with Government Auditing Standards issued by the Comptroller General of the United States.

manner. IOPA conducts its reviews in conformance with Government Auditing Standards issued by the Comptroller General of the United States. PCAOB Public Company Accounting Oversight Board 1666 K Street, N.W. Washington, DC 20006 Telephone: (202) 207-9100 Facsimile: (202) 862-8430 www.pcaobus.org The Honorable Christopher Cox Chairman Securities

More information

FISMA Cybersecurity Performance Metrics and Scoring

FISMA Cybersecurity Performance Metrics and Scoring DOT Cybersecurity Summit FISMA Cybersecurity Performance Metrics and Scoring Office of the Federal Chief Information Officer, OMB OMB Cyber and National Security Unit, OMBCyber@omb.eop.gov 2. Cybersecurity

More information

Cybersecurity Risk Management

Cybersecurity Risk Management Cybersecurity Risk Management NIST Guidance DFARS Requirements MEP Assistance David Stieren Division Chief, Programs and Partnerships National Institute of Standards and Technology (NIST) Manufacturing

More information

Student Guide. Course: NISP C&A Process: A Walk-Through. Lesson 1: Course Introduction. Course Information. Course Overview

Student Guide. Course: NISP C&A Process: A Walk-Through. Lesson 1: Course Introduction. Course Information. Course Overview Course: NISP C&A Process: A Walk-Through Lesson 1: Course Introduction Course Information Purpose Audience Provides training on the policies and standards used throughout the U.S. Government to protect

More information

SIPRNet Contractor Approval Process (SCAP) December 2011 v2. Roles and Responsibilities

SIPRNet Contractor Approval Process (SCAP) December 2011 v2. Roles and Responsibilities Roles and Responsibilities PARTICIPANT RESPONSIBILITIES Defense Security Service (DSS) DAA for Information Systems (IS) used to process classified information in the National Industrial Security Program

More information