DoDD 8500.1 DoDI 8500.2

Tutorial Lecture for students pursuing
NSTISSI 4011 INFOSEC Professional
COMP 6370 – Supplemental – DoDD 8500.1 & DoDI 8500.2
1
Scope of DoDD 8500.1
• Information Classes:
– Unclassified
– Sensitive information
– Classified
• All ISs, to include:
– All DoD owned or controlled information systems
– Information systems under contract to DoD
– Outsourced information-based processes (e.g. those supporting e-commerce or e-business)
– Information systems of non-appropriated fund (NAF) activities
– Stand-alone information systems
– Mobile computing devices (e.g. laptop, PDA, handheld)
DoDD 8500.1 Policy
• Information Assurance requirements and new/upgraded systems
– According to this directive, IA requirements will be identified and included in the design, acquisition, installation, upgrade, or replacement of any information system within DoD. Also, Public Key Infrastructure (PKI) certificates and biometrics will be incorporated into all new and upgraded systems whenever possible.
• All DoD information systems shall maintain an appropriate level of confidentiality, integrity, authentication, non-repudiation, and availability that reflects a balance among:
– the importance and sensitivity of the information and information assets
– documented threats and vulnerabilities
– the trustworthiness of users and interconnected systems
– the impact or destruction of the system
– cost effectiveness
• For IA purposes, all DoD systems are organized and managed within 4 categories:
– Automated Information Systems (AIS) applications
– Enclaves (includes networks)
– Outsourced IT-based processes
– Platform IT interconnections
• IA readiness is a critical element of overall mission readiness. It will be monitored, reported, and evaluated throughout DoD and validated by the DoD CIO.
DoDD 8500.1 Information Assurance
• DoDD 8500.1 became effective on 24 October 2002 (certified current as of 21 Nov 2003). Its purpose is to establish policy and assign responsibilities in order to achieve Department of Defense (DoD) information assurance (IA). It accomplishes this by utilizing a defense-in-depth approach that integrates the capabilities of personnel, operations, and technology, and supports the evolution to network-centric warfare.
• This directive supersedes the following documents:
– DoD Directive 5200.28 -- “Security Requirements for Automated Information Systems”
– DoD 5200.28-M -- “ADP Security Manual”
– DoD 5200.28-STD -- “DoD Trusted Computer Security Evaluation Criteria”
– DoD Chief Information Officer (CIO) Memorandum 6-8510
• It designates the Secretary of the Army as the Executive Agent for the integration of common biometric technologies throughout the Department of Defense.
DoDD 8500.1 COTS IA Compliance
• National Security Telecommunications and Information Systems Security Policy Number 11
– NSTISSP #11 is a national security community policy governing the acquisition of information assurance (IA) and IA-enabled information technology products. The policy was issued by the Chairman of the National Security Telecommunications and Information Systems Security Committee (NSTISSC), now known as the Committee on National Security Systems (CNSS), in January 2000 and revised in June 2003. The policy mandates, effective 1 July 2002, that departments and agencies within the Executive Branch shall acquire, for use on national security systems, only those COTS products or cryptographic modules that have been validated with the International Common Criteria for Information Technology Security Evaluation, the National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS), or by the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS).
• The objective of NSTISSP #11 is to ensure that COTS IA and IA-enabled IT products acquired by the U.S. Government for use in national security systems perform as advertised by their respective manufacturers, or satisfy the security requirements of the intended user. To achieve this objective, the policy requires COTS products be evaluated and validated in accordance with either the International Common Criteria for Information Technology Security Evaluation, or the National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 140-2. Supportive of the intent and implementation of NSTISSP #11, the NSA and NIST have collaborated to establish the following two evaluation and validation programs:
– National Information Assurance Partnership's (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS) Program: http://niap.nist.gov/cc-scheme/index.html
– NIST Federal Information Processing Standard (FIPS) Cryptographic Module Validation Program (CMVP): http://csrc.nist.gov/cryptval/cmvp.htm
8500 Series IA Compliance Decision Tree
(Decision tree figure not reproduced in the transcription.)
** Compliance with applicable guidance in the 8500 series is recommended for all other systems with embedded IT assets.
IA Compliance by Acq. Program Type
DoDI 8500.2 Overview
Multi-Echelon Management Structure
IA Controls (Enclosure 4, DoDI 8500.2)
• IA Control Subject Area. One of eight groups indicating the major subject or focus area to which an individual IA Control is assigned. (Next Slide)
• IA Control Number. A unique identifier comprised of four letters, a dash, and a number. The first two letters are an abbreviation for the subject area name and the second two letters are an abbreviation for the individual IA Control name. The number represents a level of robustness in ascending order that is relative to each IA Control. (Next Slide)
• IA Control Name. A brief title phrase that describes the individual IA Control.
• IA Control Text. One or more sentences that describe the IA condition or state that the IA Control is intended to achieve.
Another IA Control Example
IA Control Subject Areas
Enclosure 4, DoDI 8500.2
• In the example to the right, the control level is two (2), which means there is a related IA Control, ECCT-1, that provides less robustness. There may also be an IA Control, ECCT-3, that provides greater robustness.
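As an added illustration of the IA Control Number format described on the "IA Controls (Enclosure 4)" slide and the ECCT example above (not code from the lecture or from DoDI 8500.2): a small Python parser that validates a control number, expands its subject-area abbreviation, and looks up the related controls of lesser and greater robustness in a catalog. The eight subject-area abbreviations are taken from DoDI 8500.2 Enclosure 4 rather than from this transcription, and the PRXX-* entries in the sample catalog are constructed.

```python
import re

# The eight subject-area abbreviations come from DoDI 8500.2 Enclosure 4 itself;
# the slide only says there are eight and defers the list to the next slide.
SUBJECT_AREAS = {
    "DC": "Security Design and Configuration", "IA": "Identification and Authentication",
    "EC": "Enclave and Computing Environment", "EB": "Enclave Boundary Defense",
    "PE": "Physical and Environmental", "PR": "Personnel",
    "CO": "Continuity", "VI": "Vulnerability and Incident Management",
}
# Four letters, a dash, and a number: two-letter subject area, two-letter
# control name abbreviation, then the robustness level.
CONTROL_RE = re.compile(r"^([A-Z]{2})([A-Z]{2})-(\d+)$")


def parse_control_number(text):
    """Return (subject_area, name_abbrev, level) for an id such as 'ECCT-2'.
    Raises ValueError for malformed ids, unknown subject areas or a level below 1."""
    m = CONTROL_RE.match(text.strip().upper())
    if not m:
        raise ValueError(f"not a valid IA Control Number: {text!r}")
    area, abbrev, level = m.group(1), m.group(2), int(m.group(3))
    if area not in SUBJECT_AREAS:
        raise ValueError(f"unknown subject area {area!r} in {text!r}")
    if level < 1:
        raise ValueError(f"robustness level must be 1 or greater: {text!r}")
    return area, abbrev, level


def describe(number):
    """Expand the subject-area abbreviation, e.g. 'ECCT-2' -> 'Enclave and Computing Environment'."""
    area, _, _ = parse_control_number(number)
    return SUBJECT_AREAS[area]


def robustness_neighbours(number, catalog):
    """Return (less robust, more robust) ids that share the four-letter stem, or None
    where the catalog has none. Levels are relative to each control, so ids with a
    different stem are never compared."""
    area, abbrev, level = parse_control_number(number)
    stem = area + abbrev
    levels = sorted(lv for a, n, lv in map(parse_control_number, catalog) if a + n == stem)
    lower = [lv for lv in levels if lv < level]
    higher = [lv for lv in levels if lv > level]
    return (f"{stem}-{lower[-1]}" if lower else None,
            f"{stem}-{higher[0]}" if higher else None)


# Constructed sample catalog: ECCT-1 and ECCT-2 are named on the slide; PRXX-* are made up.
SAMPLE_CATALOG = {"ECCT-1", "ECCT-2", "PRXX-1", "PRXX-2", "PRXX-3"}
```

For ECCT-2 against the sample catalog the result is ("ECCT-1", None), matching the slide's point that a less robust ECCT-1 exists while ECCT-3 is only a possibility.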
Baseline Information Assurance Levels
• Mandated by DoDD 8500.1, described in DoDI 8500.2
– All DoD information systems shall be assigned a mission assurance category.
– The mission assurance category reflects the importance of information relative to the achievement of DoD goals and objectives, particularly the warfighters' combat mission.
• DoD has three defined mission assurance categories:
– Mission Assurance Category I (MAC I)
• Systems handling information that is determined to be vital to the operational readiness or mission effectiveness of deployed and contingency forces in terms of both content and timeliness. The consequences of loss of integrity or availability of a MAC I system are unacceptable and could include the immediate and sustained loss of mission effectiveness. MAC I systems require the most stringent protection measures.
DoD has three defined mission assurance categories: (cont.)
– Mission Assurance Category II (MAC II)
• Systems handling information that is important to the support of deployed and contingency forces. The consequences of loss of integrity are unacceptable. Loss of availability is difficult to deal with and can only be tolerated for a short time. The consequences could include delay or degradation in providing important support services or commodities that may seriously impact mission effectiveness or operational readiness. MAC II systems require additional safeguards beyond best practices to ensure adequate assurance.
– Mission Assurance Category III (MAC III)
• Systems handling information that is necessary for the conduct of day-to-day business, but does not materially affect support to deployed or contingency forces in the short term. The consequences of loss of integrity or availability can be tolerated or overcome without significant impacts on mission effectiveness or operational readiness. The consequences could include the delay or degradation of services or commodities enabling routine activities. MAC III systems require proactive measures, techniques, or procedures generally commensurate with commercial best practices.
Mission Assurance Category Summary
DoDI 8500.2 Enclosure 3
• The baseline sets of IA controls are pre-defined based on the determination of the Mission Assurance Category (MAC) and Confidentiality Level as specified in the formal requirements documentation or by the information owner.
• IA Controls addressing availability, confidentiality, integrity, authentication and non-repudiation requirements are keyed to the system's MAC based on the importance of the information to the mission, particularly the warfighters' combat mission, and on the sensitivity or classification of the information.
Mission Assurance Category Levels for IA Controls
• IA Controls addressing confidentiality requirements are based on the sensitivity or classification of the information. There are three MAC levels and three confidentiality levels, with each level representing increasingly stringent information assurance requirements.
Determining Baseline IA Controls
JCIDS Process and Acquisition Decisions
CJCSI 3170.01E
JCIDS and Information Assurance
• Information Assurance - Information operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality and non-repudiation.
• This includes providing for restoration of information systems by incorporating protection, detection and reaction capabilities.
• Net-ready Key Performance Parameter (NR-KPP) (see following)