7.5.7. Information Assurance (IA) Controls
7.5.7.1. Mission Assurance Category (MAC) and Confidentiality Level
7.5.7.2. Baseline IA Controls
7.5.7.3. IA Requirements Beyond Baseline IA Controls
7.5.7.4. Security Pre-Configuration of Global Information Grid (GIG) Information Technology (IT) Components
7.5.7.1. Mission Assurance Category (MAC) and Confidentiality Level
DoD Instruction 8500.2, Enclosure 3, establishes fundamental IA requirements for DoD information systems in the form of two sets of graded baseline IA Controls. PMs are responsible for employing the sets of baseline controls appropriate to their programs. The baseline sets of IA controls are pre-defined based on the determination of the Mission Assurance Category (MAC) and Confidentiality Levels as specified in the formal requirements documentation or by the User Representative on behalf of the information owner. IA Controls addressing availability and integrity requirements are keyed to the system's MAC based on the importance of the information to the mission—particularly the warfighters' combat mission. IA Controls addressing confidentiality requirements are based on the sensitivity or classification of the information. There are three MAC levels and three confidentiality levels with each level representing increasingly stringent IA requirements. The three MAC levels are identified in Table 7.5.7.1.T1.
Table 7.5.7.1.T1. Mission Assurance Category (MAC) Levels for IA Controls
MISSION ASSURANCE CATEGORY
|
|
Definition
|
Integrity
|
Availability
|
1
|
These systems handle information that is determined to be vital to the operational readiness of mission effectiveness of deployed and contingency forces in terms of both content and timeliness.
|
HIGH
|
HIGH
|
2
|
These systems handle information that is important to the support of deployed and contingency forces.
|
HIGH
|
MEDIUM
|
3
|
These systems handle information that is necessary for the conduct of day-to-day business, but does not materially affect support to deployed or contingency forces in the short-term.
|
BASIC
|
BASIC
|
The other major component in forming the baseline set of IA controls for every information system is determined by selecting the appropriate confidentiality level based on the sensitivity of the information associated with the information system. DoD has defined three levels of confidentiality, identified in Table 7.5.7.1.T2.
Table 7.5.7.1.T2. Confidentiality Levels for IA Controls
Confidentiality Level
|
Definition
|
Classified
|
Systems processing classified information
|
Sensitive
|
Systems processing sensitive information as defined in DoD Directive 8500.01E, to include any unclassified information not cleared for public release
|
Public
|
Systems processing publicly releasable information as defined in DoD Directive 8500.01E (i.e., information that has undergone a security review and been cleared for public release)
|
7.5.7.2. Baseline Information Assurance (IA) Controls
The specific set of baseline IA controls that the PM should address is formed by combining the appropriate lists of Mission Assurance Category (MAC) and Confidentiality Level controls specified in the DoD Instruction 8500.2. Table 7.5.7.2.T1 illustrates the possible combinations.
Table 7.5.7.2.T1. Possible Combinations of Mission Assurance Category and Confidentiality Level
Combination
|
Mission Assurance Category
|
Confidentiality Level
|
DoDI 8500.2 Enclosure 4 Attachments
|
1
|
MAC 1
|
Classified
|
1 and 4
|
2
|
MAC 1
|
Sensitive
|
1 and 5
|
3
|
MAC 1
|
Public
|
1 and 6
|
4
|
MAC 2
|
Classified
|
2 and 4
|
5
|
MAC 2
|
Sensitive
|
2 and 5
|
6
|
MAC 2
|
Public
|
2 and 6
|
7
|
MAC 3
|
Classified
|
3 and 4
|
8
|
MAC 3
|
Sensitive
|
3 and 5
|
9
|
MAC 3
|
Public
|
3 and 6
|
There are a total of 157 individual IA Controls from which the baseline sets are formed. Each IA Control describes an objective IA condition achieved through the application of specific safeguards, or through the regulation of specific activities. The objective condition is testable, compliance is measurable, and the activities required to achieve the objective condition for every IA Control are assignable, and thus accountable. The IA Controls specifically address availability, integrity, and confidentiality requirements, but also take into consideration the requirements for non-repudiation and authentication.
It is important to exercise due diligence in establishing the MAC level of an information system. The baseline set of IA controls for availability and integrity are purposefully graded to become increasingly stringent for the higher MAC levels. The required resource costs to achieve compliance with the baseline IA controls at the higher MAC levels can be very significant as befits information and information systems on which a warfighter's mission readiness or operational success depends. The IA controls also become increasingly stringent or robust at the higher Confidentiality levels.
7.5.7.3. Information Assurance (IA) Requirements Beyond Baseline IA Controls
There are several additional sources of IA requirements beyond the Baseline IA Controls.
A system being acquired may have specific IA requirements levied upon it through its controlling capabilities document (i.e., Capstone Requirements Document, Initial Capabilities Document, Capability Development Document, or Capability Production Document). These IA requirements may be specified as performance parameters with both objective and threshold values.
All IA requirements, regardless of source, are compiled in the system's DoD Information Assurance Certification and Accreditation Process (DIACAP) Implementation Plan (similar to the system Requirements Traceability Matrix used in the DoD Information Technology Security Certification and Accreditation Process, superseded by the DIACAP). The DIACAP Implementation Plan documents all IA controls and requirements assigned, whether implemented or "inherited," and for each displays the implementation status, resources required, and the estimated completion date.
7.5.7.4. Security Pre-Configuration of Global Information Grid (GIG) Information Technology (IT) Components
To prevent exposing the GIG to avoidable vulnerabilities, all IT components (both hardware and software), for which security guidelines and enhanced configuration management processes have been developed, should be pre-configured before their connection to the GIG (i.e. integrated/connected to a DoD AIS, enclave/network, or platform IT).
The Department regularly publishes security configuration guidelines enabling IT components to deliver the highest level of inherent security. These guidelines can be obtained from the following sites: Security Technical Implementation Guides from the Defense Information Systems Agency, and Security Configuration Guides from the National Security Agency.
The pre-configuration of GIG IT components to the appropriate security configuration guideline by the vendor should be made a preference in selecting components for procurement. To implement this, solicitations should specify the relevant guideline, and evaluation factors for award should include pre-configuration as a factor. Requiring activities should coordinate with their supporting contracting office to determine the appropriate weight for this factor. Note that this is preference, not a mandatory requirement.
Regardless of whether GIG IT components are procured and delivered in a pre-configured state, system managers and IA managers are responsible for ensuring that IT components (both hardware and software), for which security guidelines have been developed, are appropriately configured prior to their installation/connection to the GIG.