Acquisition IA Strategy Development, Review and Approval Process 25 March 2013 UNCLASSIFIED


IA Strategy – Key Success Factors

What do “successful” IA Strategies have in common?

• Oversight organizations proactively reach out and ensure the PMO is aware of the requirement, and has the latest policy and guidance
• PMO develops an early, very rough draft IA strategy document
• The PMO engages DoD CIO staff early in the draft stage
• An IA WIPT or similar stakeholder working group is involved in content review/validation (not necessarily content development)
• Critical content areas are addressed commensurate to life cycle stage (see next slide)
• PMO, WIPT, PEO/SYSCOM/MAJCOM, Component IA and DoD CIO conduct concurrent reviews to reduce cycle time
• IA Strategy review and approval is decoupled from CCA compliance package review and approval process

“Success” is an Acquisition IA Strategy that is compliant and meaningfully informs the overall system acquisition.


IA Strategy – Key Stakeholders

• PMO
• System User organizations
• Information suppliers/consumers
• Connecting organizations (networks/enclaves/hosts)
• Information System Security Engineering (ISSE) organization
• PEO/SYSCOM/MAJCOM
• Component IA staffs
• Designated Approving Authority (DAA)
• Certifying Authority (CA)
• NSA (GIG IA Architecture)
• DoD CIO - DIAP

Stakeholder involvement is simple: Do you agree with the program’s approach to satisfying IA?


IA Strategy – Critical Content Criteria

Acquisition IA Strategy essential content for compliance:

• Milestone A (25% solution, 7 pages)
    • Program info (ACAT, system type, MC/ME)
    • DoD 8500 series applicability (policy and standards)
    • Mission Assurance Category (MAC) and Confidentiality Level
    • C&A method, key roles identified

• Milestone B (85% solution, 15 pages), add:
    • Expanded system description
    • IA acquisition approach
    • IA architecture (system and GIG alignment)
    • C&A detail (schedule/roles/boundaries)
    • IA testing

• Milestone C (95% solution, 15 pages), add:
    • Update for schedule and reality changes

• Full Rate Production/Deployment (100% solution, 15 pages), add:
    • Update for schedule and reality changes

Content criticality is a function of current life cycle stage.


Acquisition IA Strategy Review and Approval Process

The overall timeline depends on the maturity of other program factors. The Acquisition IA Strategy cannot “wag the dog”.

[Figure: process flow diagram of the Acquisition IA Strategy review and approval process. Labels recovered from the diagram follow.]

Participants: Component IA staff; PEO, SYSCOM, MAJCOM; DoD CIO - DIAP

Process boxes (as labeled in the diagram):

• Compliance requirement discovery or active engagement
• PMO/WIPT develop early rough draft IAS
• PMO/WIPT address comments – smooth submission
• Component staffing process…
• Component CIO approval
• DoD CIO - DIAP Early Coordination Review
• PMO/WIPT address comments – revised submission
• DoD CIO - DIAP Formal Review

Artifacts:

• Artifact #1: Component CIO Approved Program “X” IA Strategy Document
• Artifact #2: DoD CIO Formal Review Report for Program “X” IA Strategy

Artifacts are for “plug-in” to CCA Confirmation Package (or incorporation by reference).

Timeline markers: Event-driven; MS – 60 days; MS – 58 days; MS – 90 days; MS – 120 days; MS – 150 days; MS – 180 days; Event-driven

IA Strategy attached to Program Protection Plan (PPP)


Contact Information


David Fowler, IBM
DoD CIO/DCIO Cybersecurity
Defense-wide Information Assurance Program (DIAP)
(571) 372-7849
L1: [email protected]: [email protected]

David Tuteral, IBM
DoD CIO/DCIO Cybersecurity
Defense-wide Information Assurance Program (DIAP)
(571) 372-4703
L1: [email protected]: [email protected]
