Table 12 – Cybersecurity and Related Program Security Resources and Publications

Table 12 is located in Enclosure 14 Section 6 Resources for Executing Cybersecurity and Related Program Security Activities.


Table 12. Cybersecurity and Related Program Security Resources and Publications
Category Title of Resource and Description
Information Protection

FAR Clause 52.204-2 (Reference (ak))
This clause applies to the extent that the contract involves access to information classified Confidential, Secret, or Top Secret. The clause is related to compliance with the National Industrial Security Operating Manual and any revisions to that manual for which notice has been furnished to a contractor.

Protection of Information on Networks

FAR Clause 52.204-21 (Reference (ak))
This clause applies to information not intended for public release that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Websites) or simple transactional information, such as necessary to process payments.

DFARS Clause 252.204-7012 (Reference (al))
The clause requires a company to safeguard CDI, as defined in the Clause, and to report to the DoD the possible exfiltration, manipulation, or other loss or compromise of unclassified CDI; or other activities that allow unauthorized access to the contractor’s unclassified information system on which unclassified CDI is resident or transiting. The company must submit the malware to DoD if the company is able to isolate it and send it safely.
For more information on implementing this clause, also see “Guidance to Stakeholders for Implementing Defense Federal Acquisition Regulation Supplement Clause 252.204-7012,” (Reference (ct)) released by the Office of the Deputy Assistant Secretary of Defense for Systems Engineering.

DoD Instruction 5205.13 (Reference (co))
   – Establishes an approach for protecting unclassified DoD information transiting or residing on unclassified defense industrial base information systems and networks.
   – Increases DoD and defense industrial base situational awareness.
   – Establishes a DoD and defense industrial base collaborative information sharing environment.
   – DoD CIO manages the Defense Industrial Base Cyber Security/Information Assurance Program.
   – Codified in Part 236 of Title 32, Code of Federal Regulations (Reference (cp)).

E.O. 13691 (Reference (cq))
Encourages and promotes sharing of cybersecurity threat information within the private sector and between the private sector and government.

OPSEC

DoD Directive 5205.02E (Reference (cn))
Establishes a process for identifying critical information and analyzing friendly actions attendant to military operations and other activities to:
   – Identify those actions that can be observed by adversary intelligence systems.
   – Determine indicators and vulnerabilities that adversary intelligence systems might obtain that could be interpreted or pieced together to derive critical information in time to be useful to adversaries, and determine which of these represent an unacceptable risk.
   – Select and execute countermeasures that eliminate the risk to friendly actions and operations or reduce it to an acceptable level.

Protection of IT and Information Systems

DoD Instruction 8500.01 (Reference (x))
Establishes a DoD cybersecurity program to protect and defend DoD information and information technology.

DoD Instruction 8510.01 (Reference (bg))
Establishes the DoD decision process for managing cybersecurity risk to DoD information technology.

System Protection

DoDI 5200.39 (Reference (ai))
Provides policy and procedures for protecting CPI. CPI includes U.S. capability elements that contribute to the warfighters’ technical advantage, which if compromised, undermine U.S. military preeminence. U.S. capability elements may include, but are not limited to, software algorithms and specific hardware residing on the system, its training equipment, or maintenance support equipment.

DoDI 5200.44 (Reference (aj))
Establishes policy and procedures for managing supply chain risk. A supply chain is at risk when an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.

Section 933 of the National Defense Authorization Act for Fiscal Year 2013, Public Law 112-239 (Reference (l))
Requires use of appropriate automated vulnerability analysis tools in computer software code during the entire life cycle, including during development, operational testing, operations and sustainment phases, and retirement.

Section 937 of Public Law 113-66 (Reference (bj))
Requires the DoD to establish a joint federation of capabilities to support trusted defense system needs to ensure the security of software and hardware developed, maintained, and used by the DoD.

DoD Instruction 8530.01 (Reference (cu))
Establishes policy and assigns responsibilities to protect the DoDIN against unauthorized activity, vulnerabilities, or threats.

Joint Federated Assurance Center, chartered under Section 937 of Public Law 113-66 (Reference (bj))
Federation of subject matter experts and capabilities to support program hardware and software assurance needs.

National Cyber Range (NCR)
The NCR is institutionally funded by the AT&L Test Resource Management Center to provide cybersecurity T&E as a service to DoD customers. The NCR provides secure facilities, computing resources, repeatable processes, and a skilled workforce as a service to Program Managers. The NCR Team helps the Program Manager plan and execute a wide range of event types, including S&T experimentation, architectural evaluations, security control assessments, cooperative vulnerability and adversarial assessments, training, and mission rehearsal. The NCR creates high-fidelity, mission-representative cyberspace environments and also facilitates the integration of cyberspace T&E infrastructure through partnerships with key stakeholders across DoD, the Department of Homeland Security, industry, and academia.

Threat Assessment and Integration

Defense Intelligence Agency
Produces intelligence and counterintelligence assessments, to include assessment of supplier threats to acquisition programs providing critical weapons, information systems, or service capabilities, and system threat intelligence reports.

Defense Security Service
Provides cleared U.S. defense industry with information about foreign intelligence threats and ensures that cleared U.S. defense industry safeguards the classified information in their possession while performing work on contracts, programs, bids, or research and development efforts.

JAPEC
Collaboration among the acquisition, intelligence, counterintelligence, law enforcement, and operations communities to prevent, mitigate, and respond to data loss.

Risk, Issue, and Opportunity Management

“Department of Defense Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs” (Reference (cv))
A guidance document that addresses the significant relationship between program success and effective risk management.

Cybersecurity T&E

DOT&E, “Procedures for Operational Test and Evaluation of Cybersecurity in Acquisition Programs” (Reference (cs))
A guidance document that describes approaches for operational cybersecurity testing.

“Department of Defense Cybersecurity Test and Evaluation Guidebook” (Reference (cr))
A guidance document that addresses planning, analysis, and implementation of cybersecurity T&E for chief developmental testers, lead DT&E organizations, operational test agencies, and the larger test community.