DoDD DoDI

Similar documents
DIACAP and the GIG IA Architecture. 10 th ICCRTS June 16, 2005 Jenifer M. Wierum (O) (C)

This is to certify that. Chris FitzGerald. has completed the course. Systems Security Engineering _eng 2/10/08

Committee on National Security Systems. CNSS Policy No. 14 November 2002

INFORMATION ASSURANCE DIRECTORATE

Department of Defense INSTRUCTION

INFORMATION ASSURANCE DIRECTORATE

10th International Command and Control Research and Technology Symposium The Future of C2

INFORMATION ASSURANCE DIRECTORATE

Appendix 12 Risk Assessment Plan

Appendix 12 Risk Assessment Plan

An Introduction to Department of Defense IA Certification and Accreditation Process (DIACAP)

INFORMATION ASSURANCE DIRECTORATE

NIST Security Certification and Accreditation Project

Streamlined FISMA Compliance For Hosted Information Systems

Progress Report National Information Assurance Partnership

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE

MICROSOFT (MS) WINDOWS DEFENDER ANTIVIRUS SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW. Version 1, Release 4 27 APRIL 2018

Test & Evaluation of the NR-KPP

National Information Assurance (IA) Policy on Wireless Capabilities

IMPROVING CYBERSECURITY AND RESILIENCE THROUGH ACQUISITION

Executive Order 13556

Achieving a FIPS Compliant Wireless Infrastructure using Intel Centrino Mobile Technology Clients

CYBER SECURITY BRIEF. Presented By: Curt Parkinson DCMA

DATABASE SECURITY REQUIREMENTS GUIDE (SRG) TECHNOLOGY OVERVIEW. Version 2, Release October Developed by DISA for the DoD

CNSS Advisory Memorandum Information Assurance December 2010 Advisory Memorandum

Building an Assurance Foundation for 21 st Century Information Systems and Networks

MICROSOFT SQL SERVER 2016 SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW. Version 1, Release March 2018

STUDENT GUIDE Risk Management Framework Step 1: Categorization of the Information System

National Policy Governing the Use of High Assurance Internet Protocol Encryptor (HAIPE) Products

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations (NIST SP Revision 1)

National Information Assurance Partnership (NIAP) 2017 Report. PPs Completed in CY2017

INFORMATION ASSURANCE DIRECTORATE

COTS, Subversions, and the Foreign Supply Chain issues for DoD Systems. Dr. Ben A. Calloni, P.E. Lockheed Martin Fellow, Software Security

SIPRNet Contractor Approval Process (SCAP) December 2011 v2. Roles and Responsibilities

Cybersecurity in Acquisition

FiXs - Federated and Secure Identity Management in Operation

TABLE OF CONTENTS. Page REFERENCES 5 DEFINITIONS 8 ABBREVIATIONS AND/OR ACRONYMS 18 C1. CHAPTER 1 - INTRODUCTION 20

OFFICE OF THE UNDER SECRETARY OF DEFENSE 3000DEFENSEPENTAGON WASHINGTON, DC

Rocky Mountain Cyberspace Symposium 2018 DoD Cyber Resiliency

Cybersecurity Challenges

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report

DIACAP IA CONTROLS. Requirements Document. Sasa Basara University of Missouri-St. Louis

Cybersecurity (CS) (as a Risk Based Approach) & Supply Chain Risk Management (SCRM) (Levels of Assurance for HwA, SwA & Assured Services?

DOD INSTRUCTION COMMERCIAL WIRELESS LOCAL-AREA NETWORK (WLAN) DEVICES, SYSTEMS, AND TECHNOLOGIES

Department of Defense INSTRUCTION. DoD Information Assurance Certification and Accreditation Process (DIACAP)

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

UNICOS/mp Common Criteria Evaluation

International Standard ISO/IEC 17799:2000 Code of Practice for Information Security Management. Frequently Asked Questions

Safeguarding Unclassified Controlled Technical Information

Department of Defense (DoD) Joint Federated Assurance Center (JFAC) Overview

We are releasing 7 pages of responsive documents. Pursuant to FOIA, certain information has been redacted as it is exempt from release.

Defining IT Security Requirements for Federal Systems and Networks

UNCLASSIFIED. FY 2016 Base FY 2016 OCO

CYBER RESILIENT AND SECURE WEAPON SYSTEMS ACQUISITION / PROPOSAL DISCUSSION

Net-Centric Systems Design and Requirements Development in today s environment of Cyber warfare

T&E IN CYBERSPACE (UCR TESTING)

DoDI IA Control Checklist - MAC 1-Classified. Version 1, Release March 2008

DoD Mobility Mobility Product Security Certification Processes

Forensics and Biometrics Enterprise Reference Architecture (FBEA)

INFORMATION ASSURANCE DIRECTORATE

DoD ANNEX FOR PROTECTION PROFILE FOR APPLICATION SOFTWARE V1.2. Version 1, Release February Developed by DISA for the DoD

STUDENT GUIDE Risk Management Framework Step 5: Authorizing Systems

Advanced Technology Academic Research Council Federal CISO Summit. Ms. Thérèse Firmin

Helping Meet the OMB Directive

Securing Content in the Department of Defense s Global Information Grid

t a Foresight Consulting, GPO Box 116, Canberra ACT 2601, AUSTRALIA e foresightconsulting.com.

Forecast to Industry Program Executive Office Mission Assurance/NetOps

TEL2813/IS2820 Security Management

Affordable Security. Sarah Pramanik April 10, 2013

Security Management Models And Practices Feb 5, 2008

DoD Internet Protocol Version 6 (IPv6) Contractual Language

Cyber Security Summit 2014 USCENTCOM Cybersecurity Cooperation

INFORMATION ASSURANCE DIRECTORATE

Cybersecurity & Privacy Enhancements

FISMA Cybersecurity Performance Metrics and Scoring

Cybersecurity Risk Management

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

SYSTEMS ASSET MANAGEMENT POLICY

Information Technology Branch Organization of Cyber Security Technical Standard

Information Assurance and DoD: A Partnership with Industry

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

Information Systems Security Requirements for Federal GIS Initiatives

CIS 444: Computer. Networking. Courses X X X X X X X X X

U.S. FLEET CYBER COMMAND U.S. TENTH FLEET Managing Cybersecurity Risk

Guide for Assessing the Security Controls in Federal Information Systems

DFARS Cyber Rule Considerations For Contractors In 2018

Requirements for Building Effective Government WLANs

Courses. X E - Verify that system acquisitions policies and procedures include assessment of risk management policies X X

Dr. Steven J. Hutchison Principal Deputy Developmental Test and Evaluation

Agenda. Bibliography

GSAW Information Assurance in Government Space Systems: From Art to Engineering

Interagency Advisory Board HSPD-12 Insights: Past, Present and Future. Carol Bales Office of Management and Budget December 2, 2008

AMRDEC CYBER Capabilities

Transcription:

DoDD 8500.1 DoDI 8500.2 Tutorial Lecture for students pursuing NSTISSI 4011 INFOSEC Professional 1

Scope of DoDD 8500.1 Information Classes: Unclassified Sensitive information Classified All ISs to include: All DoD owned or controlled information systems Information systems under contract to DoD Outsourced information based processes (ex. Those supporting e-commerce or e-business) Information systems of non-appropriated fund (NAF) activities Stand-alone information systems Mobile computing devices (i.e. laptop, PDA, handheld) 2

DoDD 8500.1 Policy Information Assurance Requirements and new/upgraded systems According to this directive, IA requirements will be identified and included in the design, acquisition, installation, upgrade, or replacement of any information system within DoD. Also, Public Key Infrastructure (PKI) certificates and biometrics will be incorporated into all new and upgraded systems whenever possible. All DoD information systems shall maintain an appropriate level of confidentiality, integrity, authentication, non-repudiation, and availability that reflects a balance among: the importance and sensitivity of the information and information assets documented threats and vulnerabilities the trustworthiness of users and interconnected systems the impact or destruction of the system cost effectiveness For IA purposes, all DoD Systems are organized and managed within 4 categories Automated Information Systems (AIS) applications Enclaves (includes networks) outsourced IT-based processes Platform IT interconnections IA readiness is a critical element of overall mission readiness. It will be monitored, reported, and evaluated throughout DoD and validated by the DoD CIO. 3

DoDD 8500.1 Information Assurance DoDD 8500.1 became effective on 24 October 2002. (Certified current as of 21 Nov 2003). Its purpose is to establish policy and assign responsibilities in order to achieve Department of Defense (DoD) information assurance (IA). It accomplishes this by utilizing a defense-in-depth approach that integrates the capabilities of personnel, operations, and technology, and supports the evolution to network-centric warfare. This directive supercedes the following documents: DoD Directive 5200.28 -- Security Requirements for Automated Information Systems DoD 5200.28-M -- ADP Security Manual DoD 5200.28-STD -- DoD Trusted Computer Security Evaluation Criteria DoD Chief Information Officer (CIO) Memorandum 6-8510 It designates the Secretary of the Army as the Executive Agent for the integration of common biometric technologies throughout the Department of Defense. 4

DoDD 8500.1 COTS IA Compliance National Security Telecommunications and Information Systems Security Policy Number 11 NSTISSP #11 is a national security community policy governing the acquisition of information assurance (IA) and IA enabled information technology products. The policy was issued by the Chairman of the National Security Telecommunications and Information Systems Security Committee (NSTISSC), now known as the Committee on National Security Systems (CNSS) in January 2000 and revised in June 2003. The policy mandates, effective 1 July 2002, that departments and agencies within the Executive Branch shall acquire, for use on national security systems, only those COTS products or cryptographic modules that have been validated with the International Common Criteria for Information Technology Security Evaluation, the National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS), or by the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) The objective of NSTISSP #11 is to ensure that COTS IA and IA-enabled IT products acquired by the U.S. Government for use in national security systems perform as advertised by their respective manufacturers, or satisfy the security requirements of the intended user. To achieve this objective, the policy requires COTS products be evaluated and validated in accordance with either the International Common Criteria for Information Technology Security Evaluation, or the National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 140-2. Supportive of the intent and implementation of NSTISSP #11, the NSA and NIST have collaborated to establish the following two evaluation and validation programs: National Information Assurance Partnership's (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS) Program http://niap.nist.gov/cc-scheme/index.html NIST Federal Information Processing Standard (FIPS)Cryptographic Module Validation Program (CMVP) http://csrc.nist.gov/cryptval/cmvp.htm 5

Compliance Decision Tree ** Compliance with applicable guidance in the 8500 series is recommended for all other systems with embedded IT assets. 68500 Series IA

IA Compliance by Acq. Program Type 7

DoDI 8500.2 Overview Multi-Echelon Management Structure 8

DoDI 8500.2 Overview Multi-Echelon Management Structure 9

IA Controls (Enclosure 4, DoDI 8500.2) IA Control Subject Area. One of eight groups indicating the major subject or focus area to which an individual IA Control is assigned. (Next Slide) IA Control Number. A unique identifier comprised of four letters, a dash, and a number. The first two letters are an abbreviation for the subject area name and the second two letters are an abbreviation for the individual IA Control name. The number represents a level of robustness in ascending order that is relative to each IA Control. (Next Slide) IA Control Name. A brief title phrase that describes the individual IA Control. IA Control Text. One or more sentences that describe the IA condition or state that the IA Control is intended to achieve. 10

Another IA Control Example 11

IA Control Subject Areas Enclosure 4, DoDI 8500.2 In the example to the right --> the control level is two (2), which means there is a related IA Control, ECCT-1, that provides less robustness. There may also be an IA Control, ECCT-3, that provides greater robustness. 12

Baseline Information Assurance Levels Mandated DoDD 8500.1, described in DoDI 8500.2 All DoD information systems shall be assigned a mission assurance category. The mission assurance category reflects the importance of information relative to the achievement of DoD goals and objectives, particularly the warfighters' combat mission. DOD has three defined mission assurance categories: Mission Assurance Category I (MAC I) Systems handling information that is determined to be vital to the operational readiness or mission effectiveness of deployed and contingency forces in terms of both content and timeliness. The consequences of loss of integrity or availability of a MAC I system are unacceptable and could include the immediate and sustained loss of mission effectiveness. MAC I systems require the most stringent protection measures. 13

DOD has three defined mission assurance categories: (cont.) Mission Assurance Category II (MAC II) Systems handling information that is important to the support of deployed and contingency forces. The consequences of loss of integrity are unacceptable. Loss of availability is difficult to deal with and can only be tolerated for a short time. The consequences could include delay or degradation in providing important support services or commodities that may seriously impact mission effectiveness or operational readiness. MAC II systems require additional safeguards beyond best practices to ensure adequate assurance. Mission Assurance Category III (MAC III) Systems handling information that is necessary for the conduct of day-today business, but does not materially affect support to deployed or contingency forces in the short term. The consequences of loss of integrity or availability can be tolerated or overcome without significant impacts on mission effectiveness or operational readiness. The consequences could include the delay or degradation of services or commodities enabling routine activities. MAC III systems require proactive measures, techniques, or procedures generally commensurate with commercial best practices. 14

Mission Assurance Category Summary DoDI 8500.2 Enclosure 3 The baseline sets of IA controls are pre-defined based on the determination of the Mission Assurance Category (MAC) and Confidentiality Levels as specified in the formal requirements documentation or by the info owner. IA Controls addressing availability, confidentiality, integrity, authentication and nonrepudiation requirements are keyed to the system s MAC based on the importance of the information to the mission, particularly the warfighters' combat mission, and on the sensitivity or classification of the information. 15

Mission Assurance Category Levels for IA Controls IA Controls addressing confidentiality requirements are based on the sensitivity or classification of the information. There are three MAC levels and three confidentiality levels with each level representing increasingly stringent information assurance requirements. 16

Determining Baseline IA Controls 17

JCIDS Process and Acquisition Decisions CJCSI 3170.01E 18

JCIDS and Information Assurance Information Assurance - Information operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality and nonrepudiation. This includes providing for restoration of information systems by incorporating protection, detection and reaction capabilities. Net-ready Key Performance Parameter (NR-KPP) - (see following) 19

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback