DoD Instruction 8500.2 - Common Access Card (CAC)
DODI 8500.2, February 6, 2003
E3.3.11. In summary, elements of a DoD Component IA program include an IA
architecture and supporting master plan, coordination of IA investments, clear
assignment of organizational roles and responsibilities, and development and
management of a professional IA workforce. The DoD Component IA program shall be
integrated with the Defense IA program through the tracking and reporting of
management review items, the identification of IA program plans and needs, and
collaboration with other DoD Components for IA solutions.
E3.4. ELEMENTS OF A DoD INFORMATION SYSTEM IA PROGRAM
E3.4.1. The foundation level of the DoD IA management structure is composed of
IA programs at the individual DoD information system. For IA management purposes,
DoD information systems are organized into the four categories defined in enclosure 2
of this Instruction and further described below:
E3.4.1.1. AIS Applications. An AIS application is the product or deliverable
of an IT acquisition program. It has readily identifiable security requirements that must
be addressed as part of the acquisition and are the responsibility of the acquisition
program manager (PM). These requirements are established by its mission assurance
category and information classification or sensitivity and need-to-know. The IA
solutions that satisfy the identified requirements must comply with the DoD
Component-level IA architecture, and to the extent possible, draw upon the common IA
capabilities provided by hosting enclaves. An AIS application's mission assurance
category and security classification remain fixed by its information and user base; they
do not inflate to match an enclave's. Thus, DoD AIS applications may be hosted in an
enclave with a higher mission assurance category or security classification, but never in
one with a lower mission assurance category or security classification. An AIS
application is also subject to DoD IA management processes and controls that focus on
the protection and availability of the GIG itself (e.g., ports and protocols and mobile
code). Responsibility for IA services is negotiated with hosting enclaves through
information systems security engineering (ISSE) and the IA certification and
accreditation process. An AIS application is deployed to an enclave for operations, at
which time responsibility for operational security is assumed by the enclave. The
acquisition program manager retains responsibility for addressing security in new
releases of the AIS application.
E3.4.1.2. Enclaves. An enclave is a collection of computing environments
that is connected by one or more internal networks and is under the control of a single
authority and security policy. Examples include local area networks and the operational
39 ENCLOSURE 3