Acquisition IA Strategy Development, Review and Approval Process
25 March 2013
UNCLASSIFIED

IA Strategy – Key Success Factors

What do “successful” IA Strategies have in common?
• Oversight organizations pro-actively reach out and ensure the PMO is aware of the requirement, and has the latest policy and guidance
• PMO develops an early, very rough draft IA strategy document
• The PMO engages DoD CIO staff early in the draft stage
• An IA WIPT or similar stakeholder working group is involved in content review/validation (not necessarily content development)
• Critical content areas are addressed commensurate to life cycle stage (see next slide)
• PMO, WIPT, PEO/SYSCOM/MAJCOM, Component IA and DoD CIO conduct concurrent reviews to reduce cycle time
• IA Strategy review and approval is decoupled from CCA compliance package review and approval process

“Success” is an Acquisition IA Strategy that is compliant and meaningfully informs the overall system acquisition.

IA Strategy – Key Stakeholders

• PMO
• System User organizations
• Information suppliers/consumers
• Connecting organizations (networks/enclaves/hosts)
• Information System Security Engineering (ISSE) organization
• PEO/SYSCOM/MAJCOM
• Component IA staffs
• Designated Approving Authority (DAA)
• Certifying Authority (CA)
• NSA (GIG IA Architecture)
• DoD CIO - DIAP

Stakeholder involvement is simple: Do you agree with the program’s approach to satisfying IA?

IA Strategy – Critical Content Criteria

Acquisition IA Strategy essential content for compliance:
• Milestone A (25% solution, 7 pages)
    • Program info (ACAT, system type, MC/ME)
    • DoD 8500 series applicability (policy and standards)
    • Mission Assurance Category (MAC) and Confidentiality Level
    • C&A method, key roles identified
• Milestone B (85% solution, 15 pages), add:
    • Expanded system description
    • IA acquisition approach
    • IA architecture (system and GIG alignment)
    • C&A detail (schedule/roles/boundaries)
    • IA testing
• Milestone C (95% solution, 15 pages), add:
    • Update for schedule and reality changes
• Full Rate Production/Deployment (100% solution, 15 pages), add:
    • Update for schedule and reality changes

Content criticality is a function of current life cycle stage.

Acquisition IA Strategy Review and Approval Process

[Process flow diagram; labels recovered from the slide, original layout lost]

Timeline markers: MS – 180 days, MS – 150 days, MS – 120 days, MS – 90 days, MS – 60 days, MS – 58 days; two steps are marked "Event-driven".

Participants and steps shown:
• PEO, SYSCOM, MAJCOM
• Compliance requirement discovery or active engagement
• PMO/WIPT develop early rough draft IAS
• DoD CIO - DIAP Early Coordination Review
• Component IA staff
• DoD CIO - DIAP
• PMO/WIPT address comments – revised submission
• PMO/WIPT address comments – smooth submission
• Component staffing process…
• Component CIO approval
• DoD CIO - DIAP Formal Review

Artifacts:
• Artifact #1: Component CIO Approved Program “X” IA Strategy Document
• Artifact #2: DoD CIO Formal Review Report for Program “X” IA Strategy

Artifacts are for “plug-in” to CCA Confirmation Package (or incorporation by reference). IA Strategy attached to Program Protection Plan (PPP).

The overall timeline depends on the maturity of other program factors. The Acquisition IA Strategy can not “wag the dog”.

Contact Information

David Fowler, IBM
DoD CIO/DCIO Cybersecurity
Defense-wide Information Assurance Program (DIAP)
(571) 372-7849
L1: david.fowler.ctr@osd.mil
L2: david.fowler.ctr@osd.smil.mil

David Tuteral, IBM
DoD CIO/DCIO Cybersecurity
Defense-wide Information Assurance Program (DIAP)
(571) 372-4703
L1: david.tuteral.ctr@osd.mil
L2: david.tuteral.ctr@osd.smil.mil