DoD Instruction 8500.2 - Common Access Card (CAC)

More documents

Recommendations

Info

DODI 8500.2, February 6, 2003 in attachments 1, 2, and 3. In other cases, an IA Control may only apply to a given mission assurance category or confidentiality level. For example, ECCM-1, COMSEC, states, "COMSEC activities comply with DoD Directive C-5200.5." It applies only to classified information systems, and appears only in attachment 4. E4.1.5. The organization of IA into three major service areas instead of the five that are included in the DoD definition is a convenience, and is intended to neither contradict nor supplant the definition. Within this organizing scheme, the IA Controls that deliver identification and authentication and non-repudiation overlap the other three service areas to varying degrees, but are most generally included in integrity. Some integrity IA Controls also support confidentiality. When an IA Control is required for both integrity and confidentiality, the higher level prevails. E4.1.6. The set of IA Controls applicable to any given DoD information system is always a combination of the IA Controls for its mission assurance category and the IA Controls for its confidentiality level, as listed in Table E4.T2., below. Table E4.T2. Applicable IA Controls by Mission Assurance Category and Confidentiality Level Mission Assurance Category and Confidentiality Level MAC I, Classified MAC I, Sensitive MAC I, Public MAC II, Classified MAC II, Sensitive MAC II, Public MAC III, Classified MAC III, Sensitive MAC III, Public Applicable IA Controls Attachments A1 and A4 Attachments A1 and A5 Attachments A1 and A6 Attachments A2 and A4 Attachments A2 and A5 Attachments A3 and A6 Attachments A3 and A4 Attachments A3 and A5 Attachments A3 and A6 E4.1.7. Operating Environment. For information assurance purposes, two important characteristics of a DoD information system determine the overall robustness of its operating environment: internal system exposure and external system exposure. 50 ENCLOSURE 4
DODI 8500.2, February 6, 2003 E4.1.7.1. Internal system exposure is a measure of the difference between the established security criteria for individual access and the actual accessprivileges of authorized users. The greater the difference, the higher the internal system exposure and the lower the overall robustness of the operating environment. For example, a system containing classified information that grants access to personnel without security clearances has a higher level of internal system exposure and a lower level of environmental robustness than a system that limits access to persons that are cleared for access to all information on the system. E4.1.7.2. External system exposure is a measure of the degree of isolation from other information systems, either through physical or cryptographic means. The greater the isolation, the lower the external system exposure and the higher the overall robustness of the operating environment. For example, a standalone information system or local area network has a lower level of system exposure and a higher level of environmental robustness than a system that uses the Internet for user connectivity. E4.1.7.3. The DoD baseline IA controls enforce DoD policies that limit internal and external system exposure according to confidentiality level, as summarized in Table E4.T3., below: 51 ENCLOSURE 4
Page 1 and 2: Department of Defense INSTRUCTION N
Page 3 and 4: DODI 8500.2, February 6, 2003 5.1.3
Page 5 and 6: DODI 8500.2, February 6, 2003 5.6.
Page 11 and 12: DODI 8500.2, February 6, 2003 5.12.
Page 13 and 14: DODI 8500.2, February 6, 2003 E1. E
Page 15 and 16: DODI 8500.2, February 6, 2003 E2. E
Page 17 and 18: DODI 8500.2, February 6, 2003 are t
Page 19 and 20: DODI 8500.2, February 6, 2003 proce
Page 21 and 22: DODI 8500.2, February 6, 2003 E2.1.
Page 23 and 24: DODI 8500.2, February 6, 2003 enabl
Page 27 and 28: DODI 8500.2, February 6, 2003 E2.A1
Page 29 and 30: DODI 8500.2, February 6, 2003 NSTIS
Page 37 and 38: DODI 8500.2, February 6, 2003 unifo
Page 45 and 46: DODI 8500.2, February 6, 2003 Table
Page 47 and 48: DODI 8500.2, February 6, 2003 Inves
Page 49: DODI 8500.2, February 6, 2003 Table
Page 53 and 54: DODI 8500.2, February 6, 2003 E4.T4
Page 55 and 56: DODI 8500.2, February 6, 2003 Subje
Page 101 and 102:
DODI 8500.2, February 6, 2003 Subje
show all

DoD Instruction 8500.2 - Common Access Card (CAC)

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?