DoD Instruction 8500.2 - Common Access Card (CAC)
DODI 8500.2, February 6, 2003

uniform and systematic way to assess and specify IA across multiple DoD information
systems and to ensure that emerging systems take advantage of supporting IA
infrastructures and common IA services. The architecture is not an end in itself and
should not be exhaustive; rather, it is the basis for a DoD Component-level IA master
plan that can be decomposed into specific IA planning guidance for IT enclaves and
acquisition programs. The planning guidance shall identify shortfalls in the current IA
operational or technical configuration; support strategic operational and acquisition
decisions; promote maximum use of supporting IA infrastructures such as the KMI; and
promote the use of IA standards and evaluated or validated products.

E3.3.4. Information assurance shall be traced as a programmatic entity in the
Planning, Programming, and Budgeting System (PPBS) and visibility extended into
budget execution. Strategic IA goals and annual IA objectives shall be established
according to the DoD Information Management Strategic Plan (reference (ai)), and
funding and progress toward those objectives shall be tracked, reported, and validated.

E3.3.5. Information assurance roles and responsibilities at all organizational and IT
levels shall be clearly delineated in policy and doctrine. Information assurance policies
should explicitly address roles and responsibilities at organizational and IT interfaces,
the expected behavior of all personnel, and the consequences of inconsistent behavior
or non-compliance. Doctrine and procedures that document how policy objectives are
to be achieved should be developed and regularly updated or expanded to keep pace with
new threats and the management challenges that accompany the introduction of new
technology. Policy and doctrine formulation and currency shall be a management
review item.

E3.3.6. IA functions may be performed full time by a DoD employee in an IT
position, part time by a DoD employee in a designated IA role, or by a support
contractor. All personnel performing IA functions must satisfy both preparatory and
sustaining DoD standard training and certification requirements as a condition of
privileged access to any DoD information system. DoD Component-level IA programs
shall include a standard convention for naming and describing IA functions; tracking their
association with positions, roles, and contracts; and tracking the training and certification
of personnel assigned to the positions, roles or contracts. Training programs shall take
advantage of the core curriculum products offered by DISA, and comply with the training
standards established by the Committee on National Security Systems (CNSS).[13]
Required versus actual IA workforce training and certification shall be a management
review item. Required versus actual compliance with qualifying criteria for designated
IT position categories and security clearances shall be a management review item.
___________
[13] Formerly the National Security Telecommunications and Information Systems Security Committee (NSTISSC).
37 ENCLOSURE 3