252 – Security Requirements
Definition
Any acquisition program must ensure that any technology developed and acquired is safeguarded from unauthorized disclosure.
General/Information/Narrative
If a component, drawing, design, manual, or any item is deemed to be of national security interest, the United States government has the authority to place security restrictions on the storage, use, transmission, and disposal of that item. The requirements are outlined in the National Industrial Security Program Operating Manual (NISPOM).
In the Technology Development Phase, the program manager should be aware of national security interests related to new technology. During the Engineering Development Phase, documentation and prototypes should be treated according to security restrictions. These security requirements become part of the operating requirements in the Production and Deployment Phase.
At the end of the item’s life cycle, it is necessary to properly dispose of it. If the item is still of national security interest, the proper disposal should be defined in the item’s security requirements. Otherwise, proper disposal is defined by the program manager.
Throughout the life cycle, the Program Manager is responsible for the following:
- Ensuring security requirements are included in the procurement
- Conducting security-risk analyses
- Ensuring appropriately certified software and hardware products are used
- Confirming that facilities meet security requirements
- Appointing a Computer Security Officer as required by regulations
- Coordinating the accreditation process for the system
Designated Approving Authority (DAA) Responsibilities:
- Evaluating a system's mission requirements
- Providing guidance to systems developers
- Formally approving security requirements
- Monitoring an accredited system to ensure that it is maintained and operating within an acceptable level of risk
- Overseeing security of the systems under its jurisdiction
The DAA has the authority to interrupt systems operations at any time for noncompliance with security requirements. (IRM 101, DAU)
Policies, Directives, Regulations, Laws
DoD 5220.22-M, National Industrial Security Program Operating Manual (NISPOM) (http://www.dss.mil/isp/fac_clear/download_nispom.html)
Best Practices, Lessons Learned, Stories, Guides, Handbooks, Templates, Example Tools, Communities of Practice, LEC Tools
PowerLOG supports this activity by documenting the demilitarization/disposal and physical security codes. PowerLOG is a logistics data management system developed to support the development, integration, and review of logistic product information throughout the acquisition life cycle. PowerLOG implements the Logistics Support Analysis Record (LSAR) requirements defined in MIL-STD-1388-2B as well as Logistics Product Data defined by GEIA-STD-0007. PowerLOG is available free to all Government agencies and their contractors and can be obtained by visiting: https://www.logsa.army.mil/lec/powerlog/.
Training Resources
Related Articles
Required for:
All programs must develop security requirements.
Responsible Activity:
The Program Manager is responsible for developing and implementing security measures. The Designated Approving Authority is responsible for approving the security measures and ensuring the security measures are followed consistently.