 
The DAG does not reflect the changes in the DoDI5000.02. Work is in progress to update the content and will be completed as soon as possible.
 

7.5. Information Assurance (IA)


DEFENSE ACQUISITION GUIDEBOOK
Chapter 7 - Acquiring Information Technology

7.5.1. Information Assurance (IA) Overview

7.5.2. Mandatory Policies

7.5.2.1. DoD Directive 5000.01, "The Defense Acquisition System"

7.5.2.2. DoD Instruction 5000.02, "Operation of the Defense Acquisition System"

7.5.2.3. DoD Directive 8500.01E, "Information Assurance (IA)"

7.5.2.4. DoD Instruction 8500.2, "Information Assurance (IA) Implementation"

7.5.2.5. DoD Instruction 8580.1, "Information Assurance (IA) in the Defense Acquisition System"

7.5.2.6. DoD Instruction 8510.01, "DoD Information Assurance Certification and Accreditation Process (DIACAP)"

7.5.2.7. DoD Directive 8570.01, "Information Assurance Training, Certification, and Workforce Management"

7.5.2.8. DoD Instruction 8581.01, "Information Assurance (IA) Policy for Space Systems Used by the Department of Defense"

7.5.2.9. Other Processes

7.5.2.10. DoD Strategy for Operating in Cyberspace (July 14, 2011)

7.5.2.11. Critical Program Information

7.5.1. Information Assurance (IA) Overview

Most programs delivering capability to the warfighter or business domains will use information technology (IT) to enable or deliver that capability. For those programs, developing a comprehensive and effective approach to IA is a fundamental requirement and will be key in successfully achieving program objectives. The Department of Defense defines IA as "measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for the restoration of information systems by incorporating protection, detection, and reaction capabilities." DoD policy and implementing instructions on information assurance are in the 8500 series of DoD publications. Program Managers (PMs) and functional proponents for programs should be familiar with statutory and regulatory requirements governing information assurance, and understand the major tasks involved in developing an IA organization, defining IA requirements, incorporating IA in the program's architecture, developing an Acquisition IA Strategy (when required), conducting appropriate IA testing, and achieving IA certification and accreditation for the program. The information in the following sections explains these tasks, the policy from which they are derived, their relationship to the acquisition framework, and the details one should consider in working towards effective IA defenses-in-depth in a net-centric environment.

Note: DAG Section 7.5 will be re-written to reflect the re-issuance of DoDI 8500.01 Cyber security and DoDI 8510.01 Risk Management Framework (RMF) for DoD Information Technology (IT) once those instructions are signed and published. Until then, the current information provided in Section 7.5 remains valid.

7.5.2. Mandatory Policies

7.5.2.1. DoD Directive 5000.01, "The Defense Acquisition System"

Paragraph E1.1.9. "Information Assurance," states:

Acquisition managers shall address information assurance requirements for all weapon systems; Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance systems; and IT programs that depend on external information sources or provide information to other DoD systems. DoD policy for information assurance of IT, including NSS, appears in DoD Directive 8500.01E.

7.5.2.2. DoD Instruction 5000.02, "Operation of the Defense Acquisition System"

Table 8, "Title 40/CCA Compliance," in enclosure 5 requires the following of acquisition PMs:

Ensure that the program has an information assurance strategy that is consistent with DoD policies, standards and architectures, to include relevant standards.

7.5.2.3. DoD Directive 8500.01E, "Information Assurance (IA)"

This directive establishes policy and assigns responsibilities under 10 U.S.C. 2224 to achieve DoD information assurance through a defense-in-depth approach that integrates the capabilities of personnel, operations, and technology, and supports the evolution to network centric warfare. According to DoD Directive 8500.01E, all acquisitions of DoD Information Systems (to include Automated Information System applications, Outsourced IT-based Processes, and platforms or weapon systems) with connections to the Global Information Grid, must be certified and accredited.

This Directive will be re-written and combined with the revised DoDI 8500.2 and published in Q4FY13 as DoDI 8500.01. The revised policy will move the DoD to the Risk Management Framework as implemented by the National Institute of Standards and Technology (NIST) 800 series Special Publications.

7.5.2.4. DoD Instruction 8500.2, "Information Assurance (IA) Implementation"

This instruction implements policy, assigns responsibilities, and prescribes procedures for applying integrated, layered protection of the DoD information systems and networks under DoD Directive 8500.01E. This Instruction is under revision. The revised policy will institute a shift from the current DoD IA control catalog to the NIST SP 800-53, "Recommended Security Controls for Federal Information Systems and Organizations".

7.5.2.5. DoD Instruction 8580.1, "Information Assurance (IA) in the Defense Acquisition System"

This instruction implements policy, assigns responsibilities, and prescribes procedures necessary to integrate information assurance (IA) into the Defense Acquisition System; describes required and recommended levels of IA activities relative to the acquisition of systems and services; describes the essential elements of an Acquisition IA Strategy and its applicability and prescribes an Acquisition IA Strategy submission and review process.

7.5.2.6. DoD Instruction 8510.01, "DoD Information Assurance Certification and Accreditation Process (DIACAP)"

This instruction establishes the DoD information assurance (IA) certification and accreditation (C&A) process for authorizing the operation of DoD information systems consistent with the Federal Information Security Management Act and DoD Directive 8500.01E. The instruction superseded DoD Instruction 5200.40 (DITSCAP) and DoD 8510.1-M (DITSCAP Manual). The DIACAP process supports net-centricity through an effective and dynamic IA C&A process. It also provides visibility and control of the implementation of IA capabilities and services, the C&A process, and accreditation decisions authorizing the operation of DoD information systems, to include core enterprise services and web services-enabled software systems and applications. This Instruction is under revision with the new version due Q4FY13. The revised policy will institute a shift from the current DIACAP process to DoD’s adoption, implementation, execution, and maintenance of the NIST RMF.

7.5.2.7. DoD Directive 8570.01, "Information Assurance Training, Certification, and Workforce Management"

This directive establishes policy and assigns responsibilities for DoD IA training, certification, and workforce management. Along with the accompanying manual, it provides guidance and procedures for the identification and categorization of positions and certification of personnel conducting IA functions within the DoD workforce supporting the DoD Global Information Grid (GIG) per DoD Instruction 8500.2. The DoD IA Workforce includes, but is not limited to, all individuals performing any of the IA functions described in the manual.

7.5.2.8. DoD Instruction 8581.01, "Information Assurance (IA) Policy for Space Systems Used by the Department of Defense"

This instruction implements requirements of National Security Directive 42 by establishing IA policy and assigning responsibilities for all space systems used by the Department of Defense in accordance with Committee on National Security Systems Policy No. 12. The instruction supplements IA policy and requirements contained in DoDD 8500.01E and DoDI 8500.2.

7.5.2.9. Other Processes

Other Certification and Accreditation processes (such as Intelligence Community Directive (ICD) 503 "Intelligence Community Information Technology Systems Security Risk Management, Certification and Accreditation") are applicable for systems processing Sensitive Compartmented Information.

7.5.2.10. DoD Strategy for Operating in Cyberspace (July 14, 2011)

This strategy recognizes that cyberspace is a key sector of the global economy. The security and effective operation of U.S. critical infrastructure – including energy, banking and finance, transportation, communication, and the Defense Industrial Base – rely on cyberspace, industrial control systems, and information technology that may be vulnerable to disruption or exploitation. This strategy notes that foreign cyberspace operations against U.S. public and private sector systems are increasing in number and sophistication.

Accordingly, Program Managers must ensure procedures and processes are in place for the protection of DoD program information residing on or transiting corporate unclassified networks and information systems. The objective is to protect DoD information, not just DoD systems, and it relates to all programs, not just those that are IT-focused. Several policy documents provide additional guidance in this area for inclusion in developing the IA Strategy and RFP IA clauses.

7.5.2.11. Critical Program Information

DoDD 5200.39 Critical Program Information establishes policy to provide comprehensive protection of CPI through the integrated and synchronized application of CI, Intelligence, Security, systems engineering, and other defensive countermeasures to mitigate risk. Failure to apply consistent protection of CPI may result in the loss of confidentiality, integrity, or availability of CPI, resulting in the impairment of the warfighter’s capability and DoD’s technological superiority.
