Acquisition IA Strategy Development, Review and Approval Process
25 March 2013
UNCLASSIFIED
IA Strategy – Key Success Factors
What do “successful” IA Strategies have in common?
• Oversight organizations proactively reach out and ensure the PMO is aware of the requirement, and has the latest policy and guidance
• PMO develops an early, very rough draft IA strategy document
• The PMO engages DoD CIO staff early in the draft stage
• An IA WIPT or similar stakeholder working group is involved in content review/validation (not necessarily content development)
• Critical content areas are addressed commensurate to life cycle stage (see next slide)
• PMO, WIPT, PEO/SYSCOM/MAJCOM, Component IA and DoD CIO conduct concurrent reviews to reduce cycle time
• IA Strategy review and approval is decoupled from CCA compliance package review and approval process
“Success” is an Acquisition IA Strategy that is compliant and meaningfully informs the overall system acquisition.
IA Strategy – Key Stakeholders
• PMO
• System User organizations
• Information suppliers/consumers
• Connecting organizations (networks/enclaves/hosts)
• Information System Security Engineering (ISSE) organization
• PEO/SYSCOM/MAJCOM
• Component IA staffs
• Designated Approving Authority (DAA)
• Certifying Authority (CA)
• NSA (GIG IA Architecture)
• DoD CIO - DIAP
Stakeholder involvement is simple: Do you agree with the program’s approach to satisfying IA?
IA Strategy – Critical Content Criteria
Acquisition IA Strategy essential content for compliance:
• Milestone A (25% solution, 7 pages)
  - Program info (ACAT, system type, MC/ME)
  - DoD 8500 series applicability (policy and standards)
  - Mission Assurance Category (MAC) and Confidentiality Level
  - C&A method, key roles identified
• Milestone B (85% solution, 15 pages), add:
  - Expanded system description
  - IA acquisition approach
  - IA architecture (system and GIG alignment)
  - C&A detail (schedule/roles/boundaries)
  - IA testing
• Milestone C (95% solution, 15 pages), add:
  - Update for schedule and reality changes
• Full Rate Production/Deployment (100% solution, 15 pages), add:
  - Update for schedule and reality changes
Content criticality is a function of current life cycle stage.
Acquisition IA Strategy Review and Approval Process
The overall timeline depends on the maturity of other program factors. The Acquisition IA Strategy cannot “wag the dog”.
[Figure: review and approval process flow diagram. Labels recovered from the diagram:]
• Participants: Component IA staff; PEO, SYSCOM, MAJCOM; DoD CIO - DIAP
• Process boxes: Compliance requirement discovery or active engagement; PMO/WIPT develop early rough draft IAS; PMO/WIPT address comments – smooth submission; Component staffing process…; Component CIO approval; DoD CIO - DIAP Early Coordination Review; PMO/WIPT address comments – revised submission; DoD CIO - DIAP Formal Review
• Artifact #1: Component CIO Approved Program “X” IA Strategy Document
• Artifact #2: DoD CIO Formal Review Report for Program “X” IA Strategy
• Artifacts are for “plug-in” to CCA Confirmation Package (or incorporation by reference).
• Timeline markers: Event-driven; MS – 60 days; MS – 58 days; MS – 90 days; MS – 120 days; MS – 150 days; MS – 180 days; Event-driven
IA Strategy attached to Program Protection Plan (PPP)
Contact Information
David Fowler, IBM
DoD CIO/DCIO Cybersecurity
Defense-wide Information Assurance Program (DIAP)
(571) 372-7849
L1: [email protected]: [email protected]

David Tuteral, IBM
DoD CIO/DCIO Cybersecurity
Defense-wide Information Assurance Program (DIAP)
(571) 372-4703
L1: [email protected]: [email protected]