Department of Defense INSTRUCTION

Recommendations

Info

DoDI 5000.02, January 7, 2015 (4) Ensure FAR Clause 52.204-21 is included in solicitations and contracts when the contractor or a subcontractor at any tier may have Federal contract information residing in or transiting through its information system. (5) Ensure Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 (Reference (al)) is included in all solicitations and contracts, including solicitations and contracts using Part 12 of the FAR procedures for the acquisition of commercial items, except for solicitations and contracts solely for the acquisition of commercially available off-the-shelf items. Use other appropriate DF ARS and FAR requirements for solicitations and contracts that include the clause; and if a cyber incident is reported, assess what unclassified CDI was compromised, and mitigate impacts as a result of the loss of CDI. (6) Assess unclassified controlled technical information losses associated with cyber incidents reported under contracts that contain DFARS Clause 252.204–7012. Refer to the Guidance to Stakeholders for Implementing DFARS Clause 252.204-7012 for detailed guidance on these assessments. Use the Joint Acquisition Protection and Exploitation Cell (JAPEC) to assist in tracking and correlating threat intelligence reports to further inform courses of action. (7) Encourage contractor and industry participation in public-private information sharing activities, such as those described in DoDIs 8500.01 (Reference (x)) and 5205.13 (Reference (co)), and codified in Part 236 of Title 32, Code of Federal Regulations (Reference (cp)) or those developed under Executive Order (E.O.) 13691 (Reference (cq)). b. Design for Cyber Threat Environments. In order to design, develop, and acquire systems that can operate in applicable cyber threat environments, Program Managers will: (1) Derive cybersecurity and other system requirements into system performance specifications and product support needs as follows: (a) Use the draft or validated capability development document (CDD) or equivalent capability requirements document, the concept of operations, the operational mode summary/mission profiles, and the assessed threats to the military capability provided by the Defense Intelligence Agency (DIA) or DoD Component intelligence and counterintelligence activities to inform requirements derivation activities. (b) Ensure KPPs and attributes establish system survivability and sustainment measures, and may establish information system security measures, such as cryptography and key distribution, based on confidentiality, integrity, and availability needs. (c) Use requirements derivation methods, such as system modeling and analysis, security use and abuse or misuse cases, criticality analysis, and vulnerability analysis to determine cybersecurity requirements that are sufficient to minimize vulnerabilities introduced by design, implementation, system interfaces, and access points. Change 2, 02/02/2017 174 ENCLOSURE 14
DoDI 5000.02, January 7, 2015 (2) Allocate cybersecurity and related system security requirements to the system architecture and design, and assess for vulnerabilities. (a) The system architecture and design will address, at a minimum, how the system: 1. Manages access to and use of the system and system resources. 2. Is structured to protect and preserve system functions or resources, e.g., through segmentation, separation, isolation, or partitioning. 3. Maintains priority system functions under adverse conditions. 4. Is configured to minimize exposure of vulnerabilities that could impact the mission, including through techniques such as design choice, component choice, security technical implementation guides, and patch management in the development environment (including integration and T&E), in production and throughout sustainment. 5. Monitors, detects, and responds to security anomalies. services. 6. Interfaces with DoD Information Network (DoDIN) or other external security (b) Identify the digitized T&E data that will contribute to assessing progress toward achieving cybersecurity requirements. The T&E strategy should include not only the explicit cybersecurity requirements, but also all key interfaces. This is the key first step of the T&E planning process to support design and development. To support the architecture and design considerations in paragraph 5.b.(2)(a) of this enclosure, determine the avenues and means by which the system and supporting infrastructure may be exploited for cyber-attack and use this information to design T&E activities and scenarios. (c) Apply DoDIs 8500.01 (Reference(x)) and 8510.01 (Reference(bg)) in accordance with DoD Component implementation and governance procedures. Program Managers will use program protection planning, system security engineering, developmental test and evaluation (DT&E), sustainment activities, and cybersecurity capabilities or services external to the system (e.g., common controls) to meet risk management framework for DoD IT objectives. Program Managers will collaborate with designated authorizing officials from program inception and throughout the life cycle, to ensure system and organizational cybersecurity operations are in alignment, and to avoid costly changes late in a program's development. (3) Ensure cybersecurity and related system security requirements, design characteristics, and verification methods to demonstrate the achievement of those requirements are included in the technical baseline and maintain bi-directional traceability among requirements throughout the system life cycle. (4) Include cybersecurity and related system security in the conduct of technical risk management activities and change management processes to address risk identification, Change 2, 02/02/2017 175 ENCLOSURE 14
Page 1 and 2:
The linked image cannot be displaye
Page 3 and 4:
DoDI 5000.02, January 7, 2015 the M
Page 5 and 6:
DoDI 5000.02, January 7, 2015 DAB r
Page 7 and 8:
DoDI 5000.02, January 7, 2015 c. Ge
Page 9 and 10:
DoDI 5000.02, January 7, 2015 a. Th
Page 11 and 12:
DoDI 5000.02, January 7, 2015 (b) M
Page 13 and 14:
DoDI 5000.02, January 7, 2015 (d) M
Page 15 and 16:
DoDI 5000.02, January 7, 2015 (e) M
Page 17 and 18:
DoDI 5000.02, January 7, 2015 3. Fi
Page 19 and 20:
DoDI 5000.02, January 7, 2015 1. Mi
Page 21 and 22:
DoDI 5000.02, January 7, 2015 by a
Page 23 and 24:
DoDI 5000.02, January 7, 2015 (e) S
Page 25 and 26:
DoDI 5000.02, January 7, 2015 addre
Page 27 and 28:
DoDI 5000.02, January 7, 2015 (a) T
Page 29 and 30:
DoDI 5000.02, January 7, 2015 syste
Page 31 and 32:
DoDI 5000.02, January 7, 2015 appro
Page 33 and 34:
DoDI 5000.02, January 7, 2015 e. Ad
Page 35 and 36:
DoDI 5000.02, January 7, 2015 TABLE
Page 37 and 38:
DoDI 5000.02, January 7, 2015 SOFTW
Page 39 and 40:
DoDI 5000.02, January 7, 2015 Affor
Page 41 and 42:
DoDI 5000.02, January 7, 2015 Safeg
Page 43 and 44:
DoDI 5000.02, January 7, 2015 REFER
Page 45 and 46:
DoDI 5000.02, January 7, 2015 (ar)
Page 47 and 48:
DoDI 5000.02, January 7, 2015 (ck)
Page 49 and 50:
DoDI 5000.02, January 7, 2015 Table
Page 51 and 52:
DoDI 5000.02, January 7, 2015 (8)
Page 53 and 54:
Page 55 and 56:
Page 57 and 58:
DoDI 5000.02, January 7, 2015 INFOR
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
DoDI 5000.02, January 7, 2015 5. RE
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
DoDI 5000.02, January 7, 2015 (3)c.
Page 81 and 82:
DoDI 5000.02, January 7, 2015 a. If
Page 83 and 84:
DoDI 5000.02, January 7, 2015 6. CC
Page 85 and 86:
DoDI 5000.02, January 7, 2015 comma
Page 87 and 88:
DoDI 5000.02, January 7, 2015 (2) P
Page 89 and 90:
DoDI 5000.02, January 7, 2015 suffi
Page 91 and 92:
DoDI 5000.02, January 7, 2015 (e) A
Page 93 and 94:
DoDI 5000.02, January 7, 2015 secon
Page 95 and 96:
DoDI 5000.02, January 7, 2015 for s
Page 97 and 98:
DoDI 5000.02, January 7, 2015 For A
Page 99 and 100:
DoDI 5000.02, January 7, 2015 softw
Page 101 and 102:
DoDI 5000.02, January 7, 2015 assoc
Page 103 and 104:
DoDI 5000.02, January 7, 2015 ENCLO
Page 105 and 106:
DoDI 5000.02, January 7, 2015 e. Pr
Page 107 and 108:
DoDI 5000.02, January 7, 2015 gover
Page 109 and 110:
DoDI 5000.02, January 7, 2015 destr
Page 111 and 112:
DoDI 5000.02, January 7, 2015 ENCLO
Page 113 and 114:
DoDI 5000.02, January 7, 2015 b. Le
Page 115 and 116:
DoDI 5000.02, January 7, 2015 (c) C
Page 117 and 118:
DoDI 5000.02, January 7, 2015 7. OT
Page 119 and 120:
DoDI 5000.02, January 7, 2015 10. R
Page 121 and 122:
DoDI 5000.02, January 7, 2015 (b) F
Page 123 and 124: DoDI 5000.02, January 7, 2015 test
Page 125 and 126: DoDI 5000.02, January 7, 2015 14. T
Page 127 and 128: DoDI 5000.02, January 7, 2015 7014)
Page 129 and 130: DoDI 5000.02, January 7, 2015 c. Th
Page 131 and 132: DoDI 5000.02, January 7, 2015 a. Ma
Page 133 and 134: DoDI 5000.02, January 7, 2015 meeti
Page 135 and 136: DoDI 5000.02, January 7, 2015 and s
Page 137 and 138: DoDI 5000.02, January 7, 2015 b. Af
Page 139 and 140: DoDI 5000.02, January 7, 2015 ENCLO
Page 143 and 144: DoDI 5000.02, January 7, 2015 Repor
Page 145 and 146: DoDI 5000.02, January 7, 2015 a. Do
Page 147 and 148: DoDI 5000.02, January 7, 2015 (4) T
Page 149 and 150: DoDI 5000.02, January 7, 2015 (1) T
Page 151 and 152: DoDI 5000.02, January 7, 2015 d. Ap
Page 155 and 156: DoDI 5000.02, January 7, 2015 (f) S
Page 157 and 158: DoDI 5000.02, January 7, 2015 b. Th
Page 159 and 160: DoDI 5000.02, January 7, 2015 (3) A
Page 163 and 164: DoDI 5000.02, January 7, 2015 4. RA
Page 165 and 166: DoDI 5000.02, January 7, 2015 (d) F
Page 167 and 168: DoDI 5000.02, January 7, 2015 (i) A
Page 169 and 170: DoDI 5000.02, January 7, 2015 and f
Page 173: DoDI 5000.02, January 7, 2015 d. Sy
Page 177 and 178: DoDI 5000.02, January 7, 2015 (13)
Page 179 and 180: DoDI 5000.02, January 7, 2015 throu
Page 181 and 182: DoDI 5000.02, January 7, 2015 (5) I
Page 183 and 184: DoDI 5000.02, January 7, 2015 updat
Page 185 and 186: DoDI 5000.02, January 7, 2015 Table
Page 187 and 188: DoDI 5000.02, January 7, 2015 Table
show all

Department of Defense INSTRUCTION

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?