b. Supports international cybersecurity and cyberspace defense activities of the DoD CIO.
c. Develops, coordinates, and promulgates cybersecurity policy, doctrine, and guidance for
joint and combined operations consistent with this instruction, as required.
d. Appoints a PAO for DoD ISs and PIT systems governed by the Warfighting Mission Area
as described in Reference (ac).
15. COMMANDER, USSTRATCOM. In addition to the responsibilities in section 13 of this
enclosure, the Commander, USSTRATCOM:
a. Coordinates and directs DoD information networks operations and defense in accordance
with the Unified Command Plan (Reference (cd)).
25 ENCLOSURE 2
DoDI 8500.01, March 14, 2014
b. Ensures that Commander, USSTRATCOM orders addressing cybersecurity are consistent
with the policy and guidance in this instruction and coordinated with the DoD CIO.
c. Chairs the DoD ISRMC and co-chairs the ESSG in accordance with References (aq) and
(aj).
d. Oversees and ensures timely implementation of international cybersecurity and
cyberspace defense agreements involving the geographic combatant commands.
e. Oversees DoD cybersecurity inspections as described in CJCSI 6510.01 (Reference (ce))
and operational risk assessments as described in NIST SP 800-30 (Reference (cf)) to maintain
and determine compliance with security policy, procedures, and practices.
ENCLOSURE 3
PROCEDURES
1. INTRODUCTION
a. The purpose of the Defense cybersecurity program is to ensure that IT can be used in a
way that allows mission owners and operators to have confidence in the confidentiality, integrity,
and availability of IT and DoD information, and to make choices based on that confidence.
b. The Defense cybersecurity program supports DoD's vision of effective operations in
cyberspace where:
(1) DoD missions and operations continue under any cyber situation or condition.
(2) The IT components of DoD weapons systems and other defense platforms perform
as designed and adequately meet operational requirements.
(3) The DoD Information Enterprise collectively, consistently, and effectively acts in
its own defense.
(4) DoD has ready access to its information and command and control channels, and
its adversaries do not.
(5) The DoD Information Enterprise securely and seamlessly extends to mission
partners.
c. In accordance with DoDD 5105.53 (Reference (cg)), the Director of Administration and
Management is responsible for providing policy, oversight, direction, and control, including
exercise of the authorities of the Secretary of Defense pursuant to chapter 159 of Reference (bh),
for the management, operation, security, protection, safety, renovation, construction, and IT of
the Pentagon Reservation and supported DoD facilities and space in the National Capital Region,
including the Raven Rock Mountain Complex and alternate sites.
2. RISK MANAGEMENT
a. Cybersecurity Risk Management. Managing cybersecurity risks is a complex,
multifaceted undertaking that requires the involvement of the entire organization, from senior
leaders planning and managing DoD operations, to individuals developing, implementing, and
operating the IT supporting those operations. Cybersecurity risk management is a subset of the
overall risk management process for all DoD acquisitions as defined in Reference (av), which
includes cost, performance, and schedule risk associated with the execution of all programs of
record, and all other acquisitions of DoD. The risk assessment process extends to the logistics
support of fielded equipment and the need to maintain the integrity of supply sources.
(1) DoD will use NIST SP 800-37 (Reference (ch)), as implemented by Reference (q), to
address risk management, including authorization to operate (ATO), for all DoD ISs and PIT
systems.
(2) DoD IS and PIT systems will transition to CNSSI 1253 (Reference (ci)), NIST SP
800-53 (Reference (cj)), and Reference (ch) in accordance with transition guidance provided in
Reference (q).
b. Integrated Organization-Wide Risk Management. Risk management can be viewed as a
holistic activity that is fully integrated into every aspect of the organization as described in
Reference (o). Figure 1 illustrates a three-tiered approach to risk management that addresses
risk-related concerns at the organization level, the mission and business process level, and the IS
level.
Figure 1. Three-Tiered Approach to Risk Management
[Figure: a three-tier pyramid, ranging from strategic risk at the top to tactical risk at the bottom.
TIER 1 - ORGANIZATION
TIER 2 - MISSION / BUSINESS PROCESSES
TIER 3 - INFORMATION SYSTEMS
Annotations on the figure: traceability and transparency of risk-based decisions; inter-tier and
intra-tier communications; feedback loop for continuous improvement; organization-wide risk
awareness.]
(1) Risk management at Tier 1 addresses risk from an organizational perspective. As
part of the feedback loop, Tier 1 risk management is informed and influenced by risk decisions
made in Tiers 2 and 3.
(a) A comprehensive IS security governance structure is established that provides
assurance that IS security strategies are aligned with and support mission and business
objectives, are consistent with applicable laws and regulations through adherence to policies and
internal controls, and provide assignment of responsibility.
(b) The DoD ISRMC, comprising the four MA PAOs and other major DoD and IC
stakeholders, provides the Tier 1 risk management governance for DoD.
(2) Tier 2 addresses risk from a mission and business process perspective and is guided
by the risk decisions at Tier 1, and informed and influenced by risk decisions made in Tier 3.
(a) The activities at Tier 2 begin with the design, development, and implementation
of the mission and business processes defined at Tier 1.
(b) The PAOs for each DoD MA provide the Tier 2 governance for their respective
MAs.
(3) Tier 3 addresses risk from an IS and PIT system perspective and is guided by the risk
decisions at Tiers 1 and 2.
(a) Though the need for specific protections is identified at Tiers 1 and 2, it is at Tier