This template is courtesy of the Air Force, provided by the Air Force Acquisition Document Development & Management (ADDM) System, which is a restricted DoD site. Please note that this is an Air Force template provided for your guidance, and that other services or agencies may have different documentation requirements.
This document is current as of 3/9/2016 ADDM template source review.
Based on: Cybersecurity Strategy dated 10 NOV 2015
Guidance:
1. This document provides an outline and high-level guidance on the expectations for the Cybersecurity Strategy as required by the Clinger-Cohen Act (40 U.S.C. Subtitle III) in the 2001 NDAA §811 (P.L. 106-398), DoDI 5000.02 – Operation of the Defense Acquisition System, and DoDI 8500.01 – Cybersecurity. This document replaces the Acquisition Information Assurance (IA) Strategy outlined in DoDI 8580.1 - Information Assurance (IA) in the Defense Acquisition System. This revision reflects the integration of cybersecurity and acquisition under these new policies, as well as DoDI 8510.01 - Risk Management Framework (RMF) for DoD Information Technology (IT) and the DoD Program Manager’s (PM) Guidebook for Integrating the Cybersecurity RMF into the DoD System Acquisition Lifecycle.
2. The Cybersecurity Strategy is a required acquisition program document created and maintained by the program office and appended to the Program Protection Plan (PPP). The PM and team develop the Cybersecurity Strategy as early as possible, and continually update and maintain it so that it matures at a rate commensurate with that of the program. The Cybersecurity Strategy reflects both the program’s long-term approach to, and its implementation of, cybersecurity throughout the program lifecycle. The Cybersecurity Strategy is a tool for PMs, Authorizing Officials (AO) or Authorizing Official Designated Representatives (AODR), and relevant review and approval authorities to plan for, identify, assess, mitigate, and manage risks as systems mature.
3. The PM submits the Cybersecurity Strategy for review by the AO/AODR, and review and approval by the cognizant CIO at MS A; and updates and re-submits for review and approval at development RFP release decision, MS B, MS C, and FRP/FDD. For ACAT ID and IAM programs, DoD CIO is the approval authority. Approval of the Cybersecurity Strategy does not override complementary required policy processes.
4. The Cybersecurity Strategy consolidates elements of various program initiatives and activities relating to cybersecurity planning, implementation, and risk management. The reuse of existing analysis and documentation is strongly encouraged where practical for the development of the Cybersecurity Strategy. It is incumbent on the submitting Program Management Office (PMO) to ensure any referenced information is readily available to the document review/approval chain by providing copies of any supporting documents upon request, including requirements baselines, systems engineering, test, and RMF documentation.
5. Program offices should use the following principles to ensure the document is useful as a plan and working document for the program, and to support cybersecurity and acquisition review and approval functions. These principles form the basis of CIO evaluation criteria in review of Cybersecurity Strategies:
a. Evidence of comprehensive analysis, including System Security Engineering (SSE), Trusted Systems and Networks (TSN) Analysis, and system survivability, supporting the planning and implementation of cybersecurity on the system. This includes the intended CONOPS, operating environment and tempo, and an understanding of the expected level of threat, leading to the determination of an adequate system cybersecurity implementation and the achievement of desired operational outcomes.
b. Evidence of traceability between security controls and the baselines (functional, allocated, and product), and understanding of the balance between risks and requirements trades.
c. Consideration of cybersecurity in relation to the interdependency of this system with the system of systems in which it is intended to operate; the degree to which the capability depends on cybersecurity for correct function or performance.
d. Planning for cybersecurity testing and evaluation throughout the acquisition lifecycle, including testing of security controls in accordance with the RMF; ensuring cybersecurity requirements are testable and measurable.
e. Evidence and understanding of ongoing risk management, including residual risks stemming from the failure to mitigate identified cybersecurity risks and vulnerabilities.
6. Program offices should utilize the following outline and the above principles in the preparation of their Cybersecurity Strategy documentation. As the document is updated throughout the lifecycle, sections should emphasize changes from the previous Strategy submittal. The outline section sub-headings on the next pages contain short descriptions to guide strategy development and recommend the level of detail desired from the documentation, including a suggested approximate page count. Specifically, where sections ask for documentation to “list”, “describe”, or “discuss” requested information: “list” requires straightforward identification of information; “describe” requires a brief narrative, often focused on process; whereas “discuss” should be more detailed. In addition to the outline, the attached Progress Summary referenced in section IV (A) should be used to convey completion of RMF and acquisition cybersecurity activities and will be submitted with each Cybersecurity Strategy to inform CIO review and approval. For additional guidance on content, resources, and references for the Cybersecurity Strategy, refer to the RMF Knowledge Service (https://rmfks.osd.mil).
The Cybersecurity Strategy is a template that includes a risk assessment, specific program IA requirements, accreditation procedures, IA testing process and a listing of potential IA shortfalls.