DoD Instruction 8500.2 - Common Access Card (CAC)
DODI 8500.2, February 6, 2003

E3.4.4. All AIS applications shall employ ISSE as part of the acquisition process.
Those AIS applications that undergo a system engineering process should initiate ISSE
in parallel to ensure IA is built into the AIS application. Considering IA objectives,
requirements, functions, architecture, design, testing, and implementation in conjunction
with the corresponding system engineering analogues allows IA to be optimized based on
the technical and non-technical considerations of the individual AIS application. All
enclaves shall employ ISSE to implement or upgrade boundary defense and incident
detection, to address configuration changes to other IA solutions that may impact
enclave IA posture, and to implement interconnections across security domains. Using
the IA Controls as the baseline, the ISSE process elicits detailed IA requirements;
develops the physical and logical architecture, and technical specifications to satisfy
those requirements at an acceptable level of risk; ensures IA is integrated into the
overall system acquisition and engineering process; and tests the system to verify the
design and implementation of IA solutions. The ISSE process shall explicitly address
all IA Controls by providing traceability from the IA Controls to the elicited
requirements, the corresponding design, and the testing. It also identifies those IA
Controls that are provided by the enclave, and identifies any additional IA Controls
required to meet AIS application-specific or unusual circumstances.

E3.4.5. As with the security engineering of AIS applications and enclaves, the IA
Controls form a baseline for allocating IA responsibilities between outsourced service
providers and DoD users, and for ensuring that IA requirements are explicitly addressed
in the acquisition of outsourced IT based processes. They perform a like function for
the allocation of IA responsibilities between enclaves and interconnecting platforms.
The IA Controls establish the baseline for the IA capabilities to be provided by enclaves
and the reference framework for the exchange of information for application hosting
and for interconnection negotiation and approval. The DoD IA Controls establish a
common dialogue among information owners, PMs, outsourced service providers,
enclave managers, information assurance certifying and accrediting authorities, and
information system security engineers. They aid in the negotiation and allocation of IA
requirements and capabilities, enable traceability to specific IA solutions, and provide a
consistent reference for certification activities and findings.

E3.4.6. Information Assurance Managers (IAMs) are responsible for establishing,
implementing and maintaining the DoD information system IA program, and for
documenting the IA program through the DoD IA C&A process. The program shall
include procedures for:
43 ENCLOSURE 3