7.5.6. Program Manager (PM) Responsibilities
7.5.6.1. Platform Information Technology (IT) Systems
7.5.6.2. Automated Information Systems (AIS)
7.5.6.3. Outsourced Information Technology (IT)-based Processes
7.5.6.4. Privacy Impact Assessment (PIA)
7.5.6.1. Platform Information Technology (IT) Systems
PMs for acquisitions of platforms with internal IT (including platforms such as weapons systems, sensors, medical technologies, or utility distribution systems) remain ultimately responsible for the platform's overall IA protection. If the Platform IT has an interconnection to the GIG, in accordance with DoD Instruction 8500.2, the PM must identify all assurance measures needed to ensure both the protection of the interconnecting GIG enclave and the protection of the platform from connection risks (such as unauthorized access) that may be introduced from the enclave. However, connecting enclaves have the primary responsibility for extending needed IA services (such as Identification and Authentication) to ensure an assured interconnection for both the enclave and the interconnecting platform. These IA requirements should be addressed as early in the acquisition process as possible.
PMs for acquisitions of platforms with IT that does not interconnect with the GIG retain the responsibility to incorporate all IA protective measures necessary to support the platform's combat or support mission functions. The definition of the GIG recognizes "non-GIG IT that is stand-alone, self-contained or embedded IT that is not or will not be connected to the enterprise network." Non-GIG IT may include "closed loop" networks that are dedicated to activities like weapons guidance and control, exercise, configuration control or remote administration of a specific platform or collection of platforms. The primary test of whether a network is part of the GIG or is non-GIG IT is whether it provides enterprise or common network services to any legitimate GIG entity. In any case, PMs for systems that are not connected to GIG networks should consider the IA program provisions in DoD Directive 8500.01E and DoD Instruction 8500.2, and should employ those IA controls appropriate to their system.
7.5.6.2. Automated Information Systems (AIS)
PMs for acquisitions of AIS applications are responsible for coordinating with enclaves that will host (run) the applications early in the acquisition process to address operational security risks which the system may impose upon the enclave, as well as identifying all system security needs that may be more easily addressed by enclave services than by system enhancement. The baseline IA Controls serve as a common framework to facilitate this process. The Designated Accrediting Authority for the enclave receiving an AIS application is responsible for incorporating the IA considerations for the AIS application into the enclave's IA plan. The burden for ensuring that an AIS application has adequate assurance is a shared responsibility of both the AIS application PM and the Designated Accrediting Authority for the hosting enclave; however, the responsibility for initiation of this negotiation process lies clearly with the PM. PMs should, to the extent possible, draw upon the common IA capabilities that can be provided by the hosting enclave.
7.5.6.3. Outsourced Information Technology (IT)-based Processes
PMs for acquisitions of Outsourced IT-based Processes must comply with the IA requirements in the 8500 policy series. They are responsible for delivering outsourced business processes supported by private sector information systems, outsourced information technologies, or outsourced information services that present specific and unique challenges for the protection of the GIG. The PM for an Outsourced IT-based process should carefully define and assess the functions to be performed and identify the technical and procedural security requirements that must be satisfied to protect DoD information in the service provider's operating environment and interconnected DoD information systems.
A unique type of Outsourced IT-based Process is "Managed Enterprise Services." These are defined as "Private sector information systems, outsourced information technologies, or outsourced information services managed, maintained and administered as a performance-based service (whether delivered from vendor facilities or within DoD facilities) that delivers a DoD-wide service included within the Enterprise Information Environment Mission Area (EIEMA), as an outsourced IT-based process." Managed Enterprise Services envision two broad categories of implementation scenarios:
- In one scenario, the service is hosted at vendor facilities, and accordingly, DoD does not have significant control of the operations of the Managed Enterprise Service.
- In the second scenario, the Managed Enterprise Service is hosted in a DoD facility, but operations are provided by one or more vendors.

Managed services that are DoD Component-wide or that belong to the warfighter or business mission areas are outside the scope of Managed Enterprise Services. If your acquisition includes Managed Enterprise Services, see DoD CIO Memorandum "Certification and Accreditation Requirements for DoD-wide Managed Enterprise Services Procurements," dated June 22, 2006.
7.5.6.4. Privacy Impact Assessment (PIA)
A PIA is an analysis of whether personally identifiable information (PII), when collected in electronic form, is stored, shared, and managed in a manner that protects the privacy of individuals. Section 208 of Public Law 107-347 requires that a PIA be conducted prior to developing or purchasing any DoD information system that will collect, maintain, use, or disseminate PII about members of the public. DoD Instruction 5400.16 provides procedures for completing and approving PIAs and expands the requirement to include federal personnel, DoD contractors and, in some cases, foreign nationals.