Department of Defense INSTRUCTION

DoDI 5000.02, January 7, 2015

6. CYBERSECURITY

a. Cybersecurity Risk Management Framework (RMF). Cybersecurity RMF steps and activities, as described in DoD Instruction 8510.01 (Reference (bg)), should be initiated as early as possible and fully integrated into the DoD acquisition process, including requirements management, systems engineering, and test and evaluation. Integration of the RMF in acquisition processes reduces the effort required to achieve authorization to operate and the subsequent management of security controls throughout the system life cycle.

b. Cybersecurity Strategy. All acquisitions of systems containing IT, including NSS, will have a Cybersecurity Strategy. The Cybersecurity Strategy is an appendix to the Program Protection Plan (PPP) that satisfies the statutory requirement in section 811 of P.L. 106-398 (Reference (q)) for mission essential and mission critical IT systems. Beginning at Milestone A, the Program Manager will submit the Cybersecurity Strategy to the cognizant Component CIO for review and approval prior to milestone decisions or contract awards.

(1) For ACAT ID, IAM, and IAC programs, the DoD CIO will review and approve the Cybersecurity Strategy prior to milestone decisions or contract awards.

(2) CIOs will document the results of all reviews.

(3) If contract award is authorized as part of an acquisition milestone decision, a separate review of the Cybersecurity Strategy prior to contract award is not required.

(4) The approved Cybersecurity Strategy will be an appendix to the PPP.

7. TRUSTED SYSTEMS AND NETWORKS (TSN).
Program managers of NSS; systems that have a high impact level for any of the three security objectives, Confidentiality, Integrity, or Availability; or other DoD information systems that the Component Acquisition Executive or Component CIO determines to be critical to the direct fulfillment of military or intelligence missions must identify and protect mission critical functions and components as required by DoD Instruction 5200.44 (Reference (aj)). TSN plans and implementation activities are documented in PPPs and relevant cybersecurity plans and documentation (see section 13 in Enclosure 3 of this instruction for additional details). Program managers will manage TSN risk by:

a. Conducting a criticality analysis to identify mission critical functions and critical components and reducing the vulnerability of such functions and components through secure system design.

b. Requesting threat analysis of suppliers of critical components (Supplier All Source Threat Analysis).

c. Engaging the pertinent TSN focal point for guidance on managing identified risk.

Change 2, 02/02/2017 150 ENCLOSURE 11

d. Applying TSN best practices, processes, techniques, and procurement tools prior to the acquisition of critical components or their integration into applicable systems.

8. LIMITED DEPLOYMENT FOR A MAJOR AUTOMATED INFORMATION SYSTEM (MAIS) PROGRAM. At Milestone C, the MDA for a MAIS program will approve, in coordination with the Director, Operational Test and Evaluation (DOT&E), the quantity and location of sites for a limited deployment of the system for Initial Operational Test and Evaluation. MDAs, in coordination with DOT&E, may also make this determination at Milestone B for incrementally deployed programs, consistent with the procedures in paragraph 5c(3)(d) in this instruction.

9. CLOUD COMPUTING. Cloud computing services can deliver more efficient IT than traditional acquisition approaches. Program managers will acquire DoD or non-DoD provided cloud computing services when the business case analysis determines that the approach meets affordability and security requirements. Program managers will ensure that cloud services are implemented in accordance with Defense Information Systems Agency (DISA) provided Cloud Computing Security Requirements Guidance, and will only use cloud services that have been issued both a DoD Provisional Authorization by DISA and an Authority to Operate by their Component's Authorizing Official. In addition, non-DoD cloud services used for Sensitive Data must be connected to customers through a Cloud Access Point that has been approved by the DoD CIO. Program managers report cloud service funding investments through the submission of the Office of Management and Budget (OMB) Exhibit 53 in accordance with OMB Circular A-11 (Reference (c)).

10. DOD ENTERPRISE SOFTWARE INITIATIVE (ESI). When acquiring commercial IT, Program Managers must consider the DoD ESI, Federal Strategic Sourcing Initiative procurement vehicles, and Defense Component level Enterprise Software Licenses.
The Defense Federal Acquisition Regulation Supplement subpart 208.74 (Reference (al)) and OMB Policy Memorandums M-03-14, M-04-08, M-04-16 and M-05-25 (References (bs) through (bv)) and the DoD ESI web site at http://www.esi.mil/ provide additional detail.

11. DOD DATA CENTER CONSOLIDATION. Any program manager who intends to obligate funds for data servers, data centers, or the information systems technology used therein, must obtain prior approval from the DoD CIO. The request must be signed by the Component CIO and include a completed request for the Authorization of Funds for Data Centers and Data Server Farms in accordance with section 2867 of P.L. 112-81 (Reference (v)).

12. IT, INCLUDING NSS, INTEROPERABILITY. To achieve the information superiority and interoperability goals of DoD Directive 5000.01 (Reference (a)), program managers will design, develop, test and evaluate systems to ensure IT interoperability requirements are achieved. At key decision points and acquisition milestones, interdependencies, dependencies, and