Information Technology

Acquisition Information Assurance Strategy


The primary purpose of the , as implemented by DoD Instruction 5000.02 “Operation of the Defense Acquisition System”. As stated in Table 8, Enclosure 5, of that instruction, the Acquisition IA Strategy provides documentation that “Ensure that the program has an information assurance strategy that is consistent with DoD policies, standards and architectures, to include relevant standards.” The Program Manager (PM) develops the Acquisition IA Strategy to help the program office organize and coordinate its approach to identifying and satisfying IA requirements consistent with DoD policies, standards, and architectures.[1]

The Acquisition IA Strategy serves a purpose separate from the documentation generated from the Risk Management Framework (RMF) or other Certification and Accreditation (C&A) processes. Developed earlier in the acquisition life cycle and written at a higher level, the Acquisition IA Strategy documents the program’s overall IA requirements and approach, including the determination of the appropriate certification and accreditation process. The Acquisition IA Strategy must be available for review at all Acquisition Milestone Decisions, including early milestones when C&A documentation would not yet be available. [1]

The Acquisition IA Strategy lays the groundwork for a successful C&A process by facilitating consensus among the Program Manager (PM), Component Chief Information Officer, and DoD Chief Information Officer on pivotal issues such as Mission Assurance Category, Confidentiality Level, and applicable Baseline IA Controls; selection of the appropriate C&A process; identification of the Designated Accrediting Authority and Certification Authority; and documenting a rough timeline for the C&A process.[1]

Key aspects of the Acquisition IA Strategy are:

Acquisition Information Assurance (IA) Strategy Template from DAG
1.0 Program Category and Life-Cycle Status
2.0 Mission Assurance Category (MAC) and Confidentiality Level
3.0 System Description
4.0 Threat Assessment
5.0 Risk Assessment
6.0 Information Assurance Requirements
7.0 Acquisition Strategy
8.0 Certification and Accreditation
9.0 IA Testing
10.0 IA Shortfalls
11.0 Policy/Directives
12.0 Relevant Associated Program Documents
13.0 Point of Contact

AcqLinks and References:
