7.5.5. Integrating Information Assurance (IA) into the Acquisition Process
Table 7.5.5.T1, IA Compliance by Acquisition Program Type, is designed to help PMs determine the degree to which the 8500 series applies to a system acquisition and whether an Acquisition IA Strategy is required.
Table 7.5.5.T1. IA Compliance by Acquisition Program Type

| Acquisition Programs for: | Acquisition IA Strategy | Compliance with 8500 Series |
|---|---|---|
| No IT | Not Required | Not Required |
| Non-MC/ME AIS | Not Required * | Required |
| Non-MC/ME MAIS | Not Required * | Required |
| MC/ME AIS | Required | Required |
| MC/ME MAIS | Required | Required |
| Outsourced IT-based Processes that are not MC/ME | Not Required * | Required |
| Outsourced IT-based Processes that are MC/ME | Required | Required |

Platform IT products/weapons systems that are, or have:

| MC/ME | Network Interconnections to the GIG | Acquisition IA Strategy | Compliance with 8500 Series |
|---|---|---|---|
| No | No | Not Required * | Recommended ** |
| No | Yes | Not Required * | Required |
| Yes | No | Required | Recommended ** |
| Yes | Yes | Required | Required |

Legend: AIS = Automated Information System; GIG = Global Information Grid; IT = Information Technology; MAIS = Major Automated Information System; MC/ME = Mission Critical / Mission Essential; PM = Program / Project Manager

* Although not required by DoD, the Component may require an Acquisition IA Strategy.
** PMs would be prudent to comply with all DoDI 8500.2 IA controls appropriate to the system.

Because requirements for IA vary greatly across acquisition programs, PMs should examine acquisition programs carefully to identify applicable IA requirements. The following guidelines derived from DoD Directive 8500.01E apply:
- Programs that do not involve the use of IT in any form have no IA requirements. PMs should carefully examine programs, however, since many programs have IT (such as automatic test equipment) embedded in the product or its supporting equipment.
- Programs that include IT always have IA requirements, but these requirements may be satisfied through the normal system design and test regimen, and the program may not be required to comply with DoD Directive 8500.01E. Acquisitions that include Platform IT with no network interconnection to the GIG fit into this category. However, such programs require an Acquisition IA Strategy if they are designated Mission Critical or Mission Essential.
- Acquisitions of Platforms with network interconnections to the GIG must comply with the IA requirements of DoD Directive 8500.01E and DoD Instruction 8500.2.
- Acquisitions of AIS applications or outsourced IT processes also must comply with DoD Directive 8500.01E and DoDI 8500.2.
- Programs that include IT, and that are designated Mission Critical or Mission Essential, require an Acquisition IA Strategy without regard to the applicability of DoD Directive 8500.01E. The DoD Component Chief Information Officer (CIO) is responsible for approving the Acquisition IA Strategy. Subsequent to DoD Component CIO approval, in accordance with DoD Instruction 8580.1, the DoD CIO must review the Acquisition IA Strategy.