Department of Defense INSTRUCTION

Recommendations

Info

DoDI 5000.02, January 7, 2015 (7) Test the system for cybersecurity vulnerabilities using realistic threat exploitation techniques in an operational environment and remediate as appropriate. (a) Coordinate with the appropriate operational test agency to support the execution of a cybersecurity cooperative vulnerability and penetration assessment. This assessment must include the enumeration of all significant vulnerabilities and the identification of exploits which may be employed against those vulnerabilities. (b) Coordinate with the appropriate operational test agency to support the execution of a cybersecurity adversarial assessment, following the cooperative vulnerability and penetration assessment, to examine and characterize the operational impact of the vulnerabilities and exploits previously identified. f. Operations and Support Phase. During the operations and support phase, Program Managers will: (1) Request cyber threat information on threats targeting program information and systems in operation from DIA or DoD Component intelligence and counterintelligence activities and make use of updated threat assessments to inform impact to operational systems, technology refresh and disposal plans. (2) Protect digitized program and system information, CPI, and system from adversary targeting during fielding and sustainment activities such as maintenance, training and operational exercises. (3) Protect support systems and system spares from impairing cyber threats mission critical system functions. (4) Respond to vulnerability alerts and apply security patches promptly. (5) Periodically assess cybersecurity and other program security risks during system upgrades (e.g., technology refresh, modifications, engineering changes or future increments). (6) Update all aspects of program protection planning for the program and the system as cyber threats and systems evolve. (7) Before system disposal, remove all CPI and system data. 86. RESOURCES FOR EXECUTING CYBERSECURITY AND RELATED PROGRAM SECURITY ACTIVITIES. Table 12 lists and describes various resources and publications available for the Program Manager to use in executing cybersecurity and related program security procedures detailed in this enclosure. Change 2, 02/02/2017 184 ENCLOSURE 14
DoDI 5000.02, January 7, 2015 Table 12. Cybersecurity and Related Program Security Resources and Publications Category Information Protection Protection of Information on Networks OPSEC Protection of IT and Information Systems Title of Resource and Description FAR Clause 52.204-2 (Reference (ak)) This clause applies to the extent that the contract involves access to information classified Confidential, Secret, or Top Secret. The clause is related to compliance with the National Industrial Security Operating Manual and any revisions to that manual for which notice has been furnished to a contractor. FAR Clause 52.204-21 (Reference (ak)) This clause applies to information not intended for public release that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Websites) or simple transactional information, such as necessary to process payments. DFARS Clause 252.204-7012 (Reference (al)) The clause requires a company to safeguard CDI, as defined in the Clause, and to report to the DoD the possible exfiltration, manipulation, or other loss or compromise of unclassified CDI; or other activities that allow unauthorized access to the contractor’s unclassified information system on which unclassified CDI is resident or transiting. The company must submit the malware to DoD if the company is able to isolate it and send it safely. For more information on implementing this clause, also see “Guidance to Stakeholders for Implementing Defense Federal Acquisition Regulation Supplement Clause 252.204-7012,” (Reference (ct)) released by the Office of the Deputy Assistant Secretary of Defense for Systems Engineering. DoD Instruction 5205.13 (Reference (co)) - Establishes an approach for protecting unclassified DoD information transiting or residing on unclassified defense industrial base information systems and networks. - Increases DoD and defense industrial base situational awareness. - Establishes a DoD and defense industrial base collaborative information sharing environment. - DoD CIO manages the Defense Industrial Base Cyber Security/ Information Assurance Program. - Codified in Part 236 of Title 32, Code of Federal Regulations (Reference (cp)). E.O. 13691 (Reference (cq)) Encourages and promotes sharing of cybersecurity threat information within the private sector and between the private sector and government. DoD Directive 5205.02E (Reference (cn)) Establishes process for identifying critical information and analyzing friendly actions attendant to military operations and other activities to: - Identify those actions that can be observed by adversary intelligence systems. - Determine indicators and vulnerabilities that adversary intelligence systems might obtain that could be interpreted or pieced together to derive critical information in time to be useful to adversaries, and determine which of these represent an unacceptable risk. - Select and execute countermeasures that eliminate the risk to friendly actions and operations or reduce it to an acceptable level. DoD Instruction 8500.01 (Reference (x)) Establishes a DoD cybersecurity program to protect and defend DoD information and information technology. DoD Instruction 8510.01 (Reference (bg)) Establishes the DoD decision process for managing cybersecurity risk to DoD information technology. Change 2, 02/02/2017 185 ENCLOSURE 14
Page 1 and 2:
The linked image cannot be displaye
Page 3 and 4:
DoDI 5000.02, January 7, 2015 the M
Page 5 and 6:
DoDI 5000.02, January 7, 2015 DAB r
Page 7 and 8:
DoDI 5000.02, January 7, 2015 c. Ge
Page 9 and 10:
DoDI 5000.02, January 7, 2015 a. Th
Page 11 and 12:
DoDI 5000.02, January 7, 2015 (b) M
Page 13 and 14:
DoDI 5000.02, January 7, 2015 (d) M
Page 15 and 16:
DoDI 5000.02, January 7, 2015 (e) M
Page 17 and 18:
DoDI 5000.02, January 7, 2015 3. Fi
Page 19 and 20:
DoDI 5000.02, January 7, 2015 1. Mi
Page 21 and 22:
DoDI 5000.02, January 7, 2015 by a
Page 23 and 24:
DoDI 5000.02, January 7, 2015 (e) S
Page 25 and 26:
DoDI 5000.02, January 7, 2015 addre
Page 27 and 28:
DoDI 5000.02, January 7, 2015 (a) T
Page 29 and 30:
DoDI 5000.02, January 7, 2015 syste
Page 31 and 32:
DoDI 5000.02, January 7, 2015 appro
Page 33 and 34:
DoDI 5000.02, January 7, 2015 e. Ad
Page 35 and 36:
DoDI 5000.02, January 7, 2015 TABLE
Page 37 and 38:
DoDI 5000.02, January 7, 2015 SOFTW
Page 39 and 40:
DoDI 5000.02, January 7, 2015 Affor
Page 41 and 42:
DoDI 5000.02, January 7, 2015 Safeg
Page 43 and 44:
DoDI 5000.02, January 7, 2015 REFER
Page 45 and 46:
DoDI 5000.02, January 7, 2015 (ar)
Page 47 and 48:
DoDI 5000.02, January 7, 2015 (ck)
Page 49 and 50:
DoDI 5000.02, January 7, 2015 Table
Page 51 and 52:
DoDI 5000.02, January 7, 2015 (8)
Page 53 and 54:
Page 55 and 56:
Page 57 and 58:
DoDI 5000.02, January 7, 2015 INFOR
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
DoDI 5000.02, January 7, 2015 5. RE
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
DoDI 5000.02, January 7, 2015 (3)c.
Page 81 and 82:
DoDI 5000.02, January 7, 2015 a. If
Page 83 and 84:
DoDI 5000.02, January 7, 2015 6. CC
Page 85 and 86:
DoDI 5000.02, January 7, 2015 comma
Page 87 and 88:
DoDI 5000.02, January 7, 2015 (2) P
Page 89 and 90:
DoDI 5000.02, January 7, 2015 suffi
Page 91 and 92:
DoDI 5000.02, January 7, 2015 (e) A
Page 93 and 94:
DoDI 5000.02, January 7, 2015 secon
Page 95 and 96:
DoDI 5000.02, January 7, 2015 for s
Page 97 and 98:
DoDI 5000.02, January 7, 2015 For A
Page 99 and 100:
DoDI 5000.02, January 7, 2015 softw
Page 101 and 102:
DoDI 5000.02, January 7, 2015 assoc
Page 103 and 104:
DoDI 5000.02, January 7, 2015 ENCLO
Page 105 and 106:
DoDI 5000.02, January 7, 2015 e. Pr
Page 107 and 108:
DoDI 5000.02, January 7, 2015 gover
Page 109 and 110:
DoDI 5000.02, January 7, 2015 destr
Page 111 and 112:
DoDI 5000.02, January 7, 2015 ENCLO
Page 113 and 114:
DoDI 5000.02, January 7, 2015 b. Le
Page 115 and 116:
DoDI 5000.02, January 7, 2015 (c) C
Page 117 and 118:
DoDI 5000.02, January 7, 2015 7. OT
Page 119 and 120:
DoDI 5000.02, January 7, 2015 10. R
Page 121 and 122:
DoDI 5000.02, January 7, 2015 (b) F
Page 123 and 124:
DoDI 5000.02, January 7, 2015 test
Page 125 and 126:
DoDI 5000.02, January 7, 2015 14. T
Page 127 and 128:
DoDI 5000.02, January 7, 2015 7014)
Page 129 and 130:
DoDI 5000.02, January 7, 2015 c. Th
Page 131 and 132:
DoDI 5000.02, January 7, 2015 a. Ma
Page 133 and 134: DoDI 5000.02, January 7, 2015 meeti
Page 135 and 136: DoDI 5000.02, January 7, 2015 and s
Page 137 and 138: DoDI 5000.02, January 7, 2015 b. Af
Page 139 and 140: DoDI 5000.02, January 7, 2015 ENCLO
Page 143 and 144: DoDI 5000.02, January 7, 2015 Repor
Page 145 and 146: DoDI 5000.02, January 7, 2015 a. Do
Page 147 and 148: DoDI 5000.02, January 7, 2015 (4) T
Page 149 and 150: DoDI 5000.02, January 7, 2015 (1) T
Page 151 and 152: DoDI 5000.02, January 7, 2015 d. Ap
Page 155 and 156: DoDI 5000.02, January 7, 2015 (f) S
Page 157 and 158: DoDI 5000.02, January 7, 2015 b. Th
Page 159 and 160: DoDI 5000.02, January 7, 2015 (3) A
Page 163 and 164: DoDI 5000.02, January 7, 2015 4. RA
Page 165 and 166: DoDI 5000.02, January 7, 2015 (d) F
Page 167 and 168: DoDI 5000.02, January 7, 2015 (i) A
Page 169 and 170: DoDI 5000.02, January 7, 2015 and f
Page 173 and 174: DoDI 5000.02, January 7, 2015 d. Sy
Page 175 and 176: DoDI 5000.02, January 7, 2015 (2) A
Page 177 and 178: DoDI 5000.02, January 7, 2015 (13)
Page 179 and 180: DoDI 5000.02, January 7, 2015 throu
Page 181 and 182: DoDI 5000.02, January 7, 2015 (5) I
Page 183: DoDI 5000.02, January 7, 2015 updat
Page 187 and 188: DoDI 5000.02, January 7, 2015 Table
show all

Department of Defense INSTRUCTION

Create successful ePaper yourself

Delete template?

Save as template?