7.5.10. Information Assurance (IA) Certification and Accreditation (C&A)
In accordance with DoD Directive 8500.01E, all acquisitions of AISs (to include MAISs), outsourced IT-based processes, and platforms or weapon systems with connections to the GIG must be certified and accredited. The primary methodology for certifying and accrediting DoD information systems is the DoD Information Assurance Certification and Accreditation Process (DIACAP) of DoD Instruction 8510.01.
7.5.11. Software Security Considerations
For the acquisition of software-intensive IT, especially IT used in National Security Systems, PMs should consider the significant operational threat posed by the intentional or inadvertent insertion of malicious code. These supply chain risk management (SCRM) risks are managed within the context of program protection planning. See Chapter 13, Program Protection Planning, regarding requirements for SCRM key practices and intelligence support from the Defense Intelligence Agency SCRM Threat Assessment Center (TAC).