Acquisition IA Strategy Development, Review and Approval Process

1. Acquisition IA Strategy Development, Review and Approval Process 25 March 2013 UNCLASSIFIED

2. IA Strategy – Key Success Factors • What do “successful” IA Strategies have in common? • Oversight organizations pro-actively reach out and ensure the PMO is aware of the requirement, and has the latest policy and guidance • PMO develops an early, very rough draft IA strategy document • The PMO engages DoD CIO staff early in the draft stage • An IA WIPT or similar stakeholder working group is involved in content review/validation (not necessarily content development) • Critical content areas are addressed commensurate to life cycle stage (see next slide) • PMO, WIPT, PEO/SYSCOM/MAJCOM, Component IA and DoD CIO conduct concurrent reviews to reduce cycle time • IA Strategy review and approval is decoupled from CCA compliance package review and approval process “Success” is an Acquisition IA Strategy that is compliant and meaningfully informs the overall system acquisition. UNCLASSIFIED

3. IA Strategy – Key Stakeholders • PMO • System User organizations • Information suppliers/consumers • Connecting organizations (networks/enclaves/hosts) • Information System Security Engineering (ISSE) organization • PEO/SYSCOM/MAJCOM • Component IA staffs • Designated Approving Authority (DAA) • Certifying Authority (CA) • NSA (GIG IA Architecture) • DoD CIO - DIAP Stakeholder involvement is simple: Do you agree with the program’s approach to satisfying IA? UNCLASSIFIED

4. IA Strategy – Critical Content Criteria Acquisition IA Strategy essential content for compliance: • Milestone A (25% solution, 7 pages) Program info (ACAT, system type, MC/ME) DoD 8500 series applicability (policy and standards) Mission Assurance Category (MAC) and Confidentiality Level C&A method, key roles identified • Milestone B (85% solution, 15 pages), add: Expanded system description IA acquisition approach IA architecture (system and GIG alignment) C&A detail (schedule/roles/boundaries) IA testing • Milestone C (95% solution, 15 pages), add Update for schedule and reality changes • Full Rate Production/Deployment (100% solution, 15 pages), add Update for schedule and reality changes Content criticality is a function of current life cycle stage. UNCLASSIFIED

5. Acquisition IA Strategy Review and Approval Process MS – 90 days MS – 120 days MS – 150 days MS – 180 days Event-driven Event-driven PEO, SYSCOM, MAJCOM Compliance requirement discovery or active engagement PMO/WIPT address comments – smooth submission PMO/WIPT address comments – revised submission PMO/WIPT develop early rough draft IAS DoD CIO -DIAP Early Coordination Review Component IA staff DoD CIO - DIAP Component staffing process… Artifact #1 Component CIOApproved Program “X” IA Strategy Document Artifacts are for “plug-in” to CCA Confirmation Package (or incorporation by reference). IA Strategy attached to Program Protection Plan (PPP) Component CIO approval DoD CIO - DIAP Formal Review Artifact #2 DoD CIO Formal Review Report for Program “X” IA Strategy MS – 58 days MS – 60 days The overall timeline depends on the maturity of other program factors. The Acquisition IA Strategy can not “wag the dog”. UNCLASSIFIED

6. Contact Information David Fowler, IBM DoD CIO/DCIO Cybersecurity Defense-wide Information Assurance Program (DIAP) (571) 372-7849 L1: david.fowler.ctr@osd.mil L2: david.fowler.ctr@osd.smil.mil David Tuteral, IBM DoD CIO/DCIO Cybersecurity Defense-wide Information Assurance Program (DIAP) (571) 372-4703 L1: david.tuteral.ctr@osd.mil L2: david.tuteral.ctr@osd.smil.mil UNCLASSIFIED