DoD Instruction 8500.2 - Common Access Card (CAC)
DODI 8500.2, February 6, 2003
E3.3.7. All DoD employees and IT users shall maintain a degree of understanding of IA policies and doctrine commensurate with their responsibilities. They shall be capable of appropriately responding to and reporting suspicious activities and conditions, and they shall know how to protect the information and IT they access. To achieve this understanding, all DoD employees and IT users shall receive both initial and periodic refresher IA training. Required versus actual IA awareness training shall be a management review item.
E3.3.8. All changes to the configuration of the GIG (e.g., the introduction of new IT, changes in the capability of existing IT, changes to the infrastructure, procedural changes, or changes in the authorized or privileged user base) shall be reviewed for IA impact and managed accordingly. DoD Component configuration management policies and processes shall address mobile code management, and the registration and management of ports, protocols and services, which shall be management review items. Strong configuration management is a foundation requirement for successful vulnerability management, and the two functions shall be highly coordinated. As potential threats and vulnerabilities are identified, they must be prioritized, tracked and mitigated. DoD Component IA programs shall provide a capability to track compliance with DoD directives and taskings to mitigate vulnerabilities or respond to threats in a coordinated manner. Additionally, DoD Component IA programs shall provide the capability to systematically identify and assess vulnerabilities and to direct and track coordinated mitigations. To the extent that system capabilities permit, mitigations shall be independently validated. Compliance with DoD-directed solutions, such as USSTRATCOM Command Tasking Orders (CTOs), Information Assurance Vulnerability Alerts (IAVAs), and Information Operation Conditions (INFOCONs) shall be a management review item.
E3.3.9. The DoD Component IA program shall ensure that mechanisms and procedures are employed to monitor all DoD information systems for unauthorized activity; to detect, report, and document unauthorized activity, such as attempted or realized penetrations of those systems; and to institute appropriate countermeasures or corrective actions. Such activities shall be according to DoD Instruction O-8530.2 (reference (h)) and related DoD guidance.
E3.3.10. The DoD Component IA program shall regularly and systematically assess the IA posture of DoD Component-level information systems, and DoD Component-wide IA services and supporting infrastructures through combinations of self-assessments, independent assessments and audits, formal testing and certification activities, host and network vulnerability or penetration testing, and IA program reviews.
38 ENCLOSURE 3