DoD Instruction 8500.2 - Common Access Card (CAC)
DoD Instruction 8500.2 - Common Access Card (CAC)
DoD Instruction 8500.2 - Common Access Card (CAC)
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
DODI <strong>8500.2</strong>, February 6, 2003<br />
E3.4.1.4. Platform It Interconnection. Platform IT refers to computer<br />
resources, both hardware and software, that are physically part of, dedicated to, or<br />
essential in real time to the mission performance of special purpose systems such as<br />
weapons, training simulators, diagnostic test and maintenance equipment, calibration<br />
equipment, equipment used in the research and development of weapons systems,<br />
medical technologies, transport vehicles, buildings, and utility distribution systems, such<br />
as water and electric. The availability, integrity, confidentiality, authentication, and<br />
non-repudiation requirements of the data it processes in direct support of its intended<br />
purpose are inherently addressed in the system design and operation. When platform IT<br />
interconnects with external networks in order to exchange information, the IA<br />
requirements generated by the exchange must be explicitly addressed as part of the<br />
interconnection. If not already established, as part of the interconnection negotiation,<br />
the platform shall identify the mission assurance category and confidentiality level of its<br />
interconnecting IT. The connecting enclave must meet or exceed the mission assurance<br />
category and confidentiality level of the interconnecting platform IT. If the mission<br />
assurance category or confidentiality level of the platform IT is lower than that of the<br />
connecting enclave, the enclave is responsible for assuring that the enclave's integrity,<br />
availability, and confidentiality are not degraded by the interconnection. The enclave is<br />
also responsible for providing any additional measures required to extend IA services,<br />
such as identification and authentication to the platform IT during the interconnection or<br />
to protect the platform IT from interconnection risk, such as unauthorized access.<br />
E3.4.2. As early as possible in the life cycle of IT-dependent programs,<br />
information owners shall establish the mission assurance category, security<br />
classification, sensitivity, and need-to-know of information and information systems.<br />
Information owners shall also establish the permissible uses of information and<br />
associated mission or business rules of use, and ensure that the distinction between<br />
information that is operationally sensitive and information that can be made available to<br />
the public is clear to all. In turn, mission assurance category establishes the<br />
requirements for availability and integrity, and security classification, sensitivity, and<br />
need-to-know establish confidentiality requirements. Enclosure 4 of this <strong>Instruction</strong><br />
provides detailed lists of the IA Controls necessary to achieve the baseline levels of<br />
availability, integrity, and confidentiality for mission assurance category and<br />
classification. The IA Controls provide a common management language for<br />
establishing IA needs; interacting with system security engineers to ensure a purposeful<br />
design to meet those needs consistent with <strong>DoD</strong> and <strong>DoD</strong> Component-level guidance;<br />
testing and validating the implemented IA solutions; managing changes to the validated<br />
baseline, negotiating interconnections, and reporting IA readiness. The baseline IA<br />
Controls identified in enclosure 4 must be explicitly addressed as part of an information<br />
system security engineering process. They may also be supplemented as follows:<br />
41 ENCLOSURE 3