The DAG does not reflect the changes in the DoDI5000.02. Work is in progress to update the content and will be completed as soon as possible.
 
.

DEFENSE ACQUISITION GUIDEBOOK
Chapter 7 - Acquiring Information Technology

7.5.3. Information Assurance (IA) Integration into the Acquisition Life Cycle

7.5.3.1. Before Milestone A

7.5.3.2. Before Milestone B

7.5.3.3. Before Milestone C

7.5.3.4. After Milestone C or before the Full Rate Production Decision Review (or equivalent for MAIS Programs)

7.5.3.1. Before Milestone A

Examine program and system characteristics to determine whether compliance with DoD Directive 8500.01E is recommended or required, and whether an Acquisition IA Strategy is required. (See the DAG guidelines on making this determination.)

Establish an IA organization. Appoint a trained IA professional in writing as the IA Manager. This and other IA support may be organic to the program office, matrixed from other supporting organizations (e.g., Program Executive Office), or acquired through a support contractor.

Begin to identify system IA requirements. See the DAG sections on Baseline IA Controls and IA Requirements Beyond Baseline Controls.

Develop an Acquisition IA Strategy, if required. See the IA Compliance Decision Tree and the Acquisition IA Strategy Template. Acquisition IA strategies developed in preparation for Milestone A will be more general and contain less detail than acquisition IA strategies submitted to support subsequent Milestone decisions. See the Acquisition IA Strategy Instructions for details.

7.5.3.2. Before Milestone B

If the program is initiated after Milestone A, complete all actions for Milestone A.

Update and submit the Acquisition IA Strategy (see the Acquisition IA Strategy Template).

Secure resources for IA. Include IA in program budget to cover the cost of developing, procuring, testing, certifying and accrediting, and maintaining the posture of system IA solutions. Ensure appropriate types of funds are allocated (e.g., Operations & Maintenance for maintaining IA posture in out years).

Initiate the DoD Information Assurance Certification and Accreditation Process (DIACAP), or other applicable Certification & Accreditation process (such as Intelligence Community Directive (ICD) 503, "Intelligence Community Information Technology Systems Security Risk Management, Certification and Accreditation," for systems processing Sensitive Compartmented Information).

7.5.3.3. Before Milestone C

Incorporate Information Assurance (IA) solutions through:

  • Employment of Information Systems Security Engineering (ISSE) efforts to develop or modify the IA component of the system architecture to ensure it is in compliance with the IA component of the GIG architecture and makes maximum use of enterprise IA capabilities and services.
  • Procurement of IA/IA-enabled products. DoD Instruction 5000.02, paragraph 6 of Enclosure 5, states that: "When the use of commercial IT is considered viable, maximum leverage of and coordination with the DoD Enterprise Software Initiative shall be made." The Enterprise Software Initiative (ESI) includes commercial IA tools and should be used as the preferred source for the procurement of IA tools. The ESI Home Page lists covered products and procedures. DFARS (SUBPART 208.74) lists additional requirements for compliance with the DoD ESI. In addition to ESI, the NSTISSP-11 (NIAP) should be used for IA and IA-enabled products.
  • Implementation of security policies, plans, and procedures.
  • Conducting IA Training.

Test and evaluate IA solutions. See Chapter 9, Test and Evaluation (T&E), for information on testing.

  • Developmental Test.
  • Security Test & Evaluation, Certification and Accreditation activities.
  • Operational Test.

Accredit the system under the DIACAP or other applicable Certification and Accreditation process. For systems using the DIACAP, an Authorization to Operate should be issued by the Designated Accrediting Authority.

7.5.3.4. After Milestone C or before the Full Rate Production Decision Review (or equivalent for MAIS Programs)

Maintain the system's security posture throughout its life cycle. This includes periodic re-accreditation.

Assess IA during IOT&E on the mature system.
