DoD Instruction 8500.2 - Common Access Card (CAC)
DODI 8500.2, February 6, 2003
as management review items. Specific reporting formats and frequency shall be established by the DoD CIO and coordinated through the DIAP.
E3.2.4. IA Technical Framework. Under NSA leadership in partnership with the NIST, system security engineers, system owners and users, scientists, researchers, product and service vendors, and representatives of standards bodies and other consortia, work together to maintain the Information Assurance Technical Framework (IATF) (reference (k)). The IATF is a common reference guide for selecting and applying adequate and appropriate IA and IA-enabled technology in accordance with the architectural principles of defense-in-depth described in the following subparagraphs:
E3.2.4.1. Technical Defense in Multiple Locations. Because adversaries can attack a target from multiple points via insiders or outsiders, protection mechanisms must be distributed among multiple locations and address multiple defensive focus areas, including networks and infrastructures, enclave boundaries, and computing environments.
E3.2.4.2. Layered Technical Defenses. Even the best available IA products have inherent weaknesses. Eventually an adversary will likely find an exploitable vulnerability. An effective countermeasure is the deployment of multiple defense mechanisms between the adversary and the target. In order to reduce the likelihood or affordability of successful attacks, each mechanism should present unique obstacles and include both protection and detection measures.
E3.2.4.3. Specified Robustness. The strength and level of confidence required of each IA solution is a function of the value of what is being protected (e.g., the mission assurance category or confidentiality level of the information being supported by the DoD information system) and the threat. In order to ensure that each component of an IA solution is correctly implementing its intended security services and is protecting its information from the identified threat, each component within the network system needs to provide an appropriate level of robustness.
ENCLOSURE 3