7.5.8. Information Assurance (IA) Testing
See Section 9.7.6, Information Assurance Testing.
7.5.9. Acquisition Information Assurance (IA) Strategy
The primary purpose of the Acquisition IA Strategy is to ensure compliance with the statutory requirements of Title 40/Clinger-Cohen Act and related legislation, as implemented by DoD Instruction 5000.02. As stated in Table 8, Enclosure 5, of that instruction, the Acquisition IA Strategy provides documentation to "Ensure that the program has an information assurance strategy that is consistent with DoD policies, standards and architectures, to include relevant standards." The PM develops the Acquisition IA Strategy to help the program office organize and coordinate its approach to identifying and satisfying IA requirements consistent with DoD policies, standards, and architectures.
The Acquisition IA Strategy serves a purpose separate from the documentation generated from the DIACAP or other Certification and Accreditation (C&A) processes. Developed earlier in the acquisition life cycle and written at a higher level, the Acquisition IA Strategy documents the program's overall IA requirements and approach, including the determination of the appropriate certification and accreditation process. The Acquisition IA Strategy must be available for review at all Acquisition Milestone Decisions, including early milestones when C&A documentation would not yet be available.
The Acquisition IA Strategy lays the groundwork for a successful C&A process by facilitating consensus among the PM, Component CIO, and DoD CIO on pivotal issues such as Mission Assurance Category, Confidentiality Level, and applicable Baseline IA Controls; selection of the appropriate C&A process; identification of the Designated Accrediting Authority and Certification Authority; and documenting a rough timeline for the C&A process.
7.5.9.1. Development
Acquisition IA Strategy Instructions.
Acquisition IA Strategy Template that can be tailored as appropriate.
7.5.9.2. Review Requirements
Acquisition IA Strategies must be submitted for approval and review in accordance with Table 7.5.9.2.T1, which is based on submission requirements detailed in DoD Instruction 5000.02, Enclosures 4 and 5. Sufficient time should be allowed for Acquisition IA Strategy preparation or update, DoD Component CIO review and approval, and DoD CIO review prior to applicable milestone decisions, program review decisions, or contract awards.
Table 7.5.9.2.T1. IA Strategy Approval and Review Requirements
| Acquisition Category * | Events requiring prior Review | Acquisition IA Strategy Approval | Acquisition IA Strategy Review |
|---|---|---|---|
| ACAT IAM, IAC, and ID; and (if MAIS) ACAT IC | Milestone A, B, C, full rate production decision and acquisition contract award | Component CIO | DoD CIO |
| All other acquisitions | Milestone A, B, C, full rate production decision and acquisition contract award | Component CIO or Designee | Delegated to Component CIO |

*Acquisition Category (ACAT) descriptions are provided in DoD Instruction 5000.02, Table 1.
The Acquisition IA Strategy Development, Review and Approval Process MS PowerPoint briefing contains information on Acquisition IA Strategy key success factors, key stakeholders, critical content criteria, and the review and approval process.
7.5.9.3. Additional Information
Questions or recommendations concerning the Acquisition IA Strategy, its preparation, or the Acquisition IA Strategy Template should be directed to the Defense-wide Information Assurance Program Office (DoD CIO-DIAP) at diap.acquisition@osd.mil.