1 year ago

Department of Defense INSTRUCTION


DoDI 5000.02, January 7,

DoDI 5000.02, January 7, 2015 Table 10 11. Information Requirements Unique to the Urgent Needs Rapid Capability Acquisition Process INFORMATION REQUIREMENT RAPID URGENT CAPABILITY ACQUISITION DECISION EVENTS Development Production STATUTORY REQUIREMENTS ASSESSMENT APPROACH ● ● SOURCE 10 U.S.C. 2366 (Ref. (g)(h)) 10 U.S.C. 2399 (Ref. (g)(h)) STATUTORY; only required for programs responding to urgent needs urgently needed capabilities. - For programs on under Director, Operational Test and Evaluation (DOT&E) oversight, combined operational and live fire test plans will be submitted to DOT&E for approval at the Development Milestone;, and post-deployment assessment plans will be submitted to DOT&E for approval at the Production and Deployment Milestone. DOT&E will ensure that testing is tailored rigorous enough to rapidly evaluate critical operational issues. - Programs not on under DOT&E oversight are approved at the Service level; the program may require a rapid and focused operational assessment and live fire testing (if applicable) prior to deploying an urgent need solution. The Acquisition Approach will identify any requirements to evaluate health, safety, or operational effectiveness, suitability, and survivability. COURSE OF ACTION ANALYSIS ● Meets the assessment requirements of Subtitle III, Title 40, United States Code (Reference. (p)) (see Table 9 10 in Enclosure 1). (Ref. (p)) STATUTORY, replaces and serves as the AoA. Approved by the MDA. For JUONs, JEONs, critical warfighter issues identified by the Warfighter SIG, and Secretary of Defense RAA determinations, a copy is due to the Director, JRAC, within 3 business days of MDA approval. RAPID ACQUISITION AUTHORITY ● SEC. 806, P.L. 107-314 (Ref. (i)(cd)) (RAA) RECOMMENDATION STATUTORY. Optional request to the Secretary of Defense or Deputy Secretary of Defense for RAA. Considered as part of the development of the Acquisition Strategy. MDA approves the decision to request RAA at the Development Milestone. REGULATORY REQUIREMENT Disposition Authority’s Report to Para. 4e(5) of this enclosure the DoD Component Head Regulatory. Based on the disposition official’s recommendation in the Disposition Analysis, the Component Head will determine and document the disposition of the initiative and process it in accordance with applicable Component and requirements authority procedures. Due within 1 year of entering the Operations and Support Phase (or earlier, if directed). Table Notes: 1. A dot (●) in a cell indicates the specific applicability of the requirement to the life-cycle event 2. Documentation required for the identified events will be submitted no later than 45 calendar days before the planned review. 3. While these requirements are specific to programs responding to urgent needs, they are additive to the requirements identified in Tables 2 and 6 in Enclosure 1. Change 2, 02/02/2017 170 ENCLOSURE 13

DoDI 5000.02, January 7, 2015 ENCLOSURE 14 CYBERSECURITY IN THE DEFENSE ACQUISITION SYSTEM 1. INTRODUCTION a. Cyber Impact on Defense Acquisition (1) Cybersecurity is a requirement for all DoD programs and must be fully considered and implemented in all aspects of acquisition programs across the life cycle. DoD program offices, systems, and networks, and supporting contractor facilities, and activities, are at risk of cyberattacks by state and non-state threat actors. Malicious activity by threat actors includes remote unauthorized activity against DoD to: missions. (a) Exfiltrate operational and classified data to compromise or disrupt critical DoD (b) Exfiltrate intellectual property, designs, or technical documentation to weaken DoD technological and military advantage. (c) Insert compromised hardware or software to disrupt or degrade system performance. (d) Subvert or compromise DoD networks, systems, support infrastructure, and employees through malicious actions. (2) Responsibility for cybersecurity extends beyond network operators, software developers, and chief information officers, to every member of the acquisition workforce. Attention must be paid to cybersecurity at all acquisition category levels and all classification levels, including unclassified, throughout the entire life cycle; this includes systems that reside on networks and stand-alone systems that are not persistently connected to networks during tactical and strategic operations. b. Program Manager Responsibilities. Program managers, assisted by supporting organizations to the acquisition community, are responsible for the cybersecurity of their programs, systems, and information. This responsibility starts from the earliest exploratory phases of a program, with supporting technology maturation, through all phases of the acquisition. Acquisition activities include system concept trades, design, development, test and evaluation (T&E), production, fielding, sustainment, and disposal. Program managers will pay particular attention to the following areas where a cybersecurity breach or failure would jeopardize military technological advantage or functionality: (1) Program Information. This includes, but is not limited to: Change 2, 02/02/2017 171 ENCLOSURE 14