d. Partner with DoD Component Acquisition Executives to ensure that all IT is acquired in
accordance with DoD cybersecurity policy and that program risk relating to the development of
cybersecurity requirements is assessed, communicated to the Milestone Decision Authority and
managed early in the system development life cycle.
14. DoD RISK EXECUTIVE FUNCTION. The risk executive function, as described in
Reference (ch), is performed by the DoD ISRMC. The DoD risk executive:
a. Ensures risk-related considerations for individual ISs and PIT systems, including
authorization decisions, are viewed from a DoD-wide perspective with regard to the overall
strategic goals and objectives of DoD in carrying out its missions and business functions.
b. Ensures that management of IT-related security risks is consistent across DoD, reflects
organizational risk tolerance, and is considered along with other organizational risk in order to
ensure mission or business success.
15. PAO. PAOs:
a. Oversee and establish guidance for the strategic implementation of cybersecurity and risk
management within their MAs.
b. Appoint flag-level (e.g., general officer, senior executive) PAO representatives to, and to
oversee, the DoD ISRMC.
c. Assist the DoD CIO and DoD SISO in assessing the effectiveness of DoD cybersecurity.
16. AO. AOs:
a. Ensure that:
(1) For DoD ISs and PIT systems under their purview, cybersecurity-related
positions are identified in their organization's manpower structure in accordance with
References (w), (ba), and DoDI 1100.22 (Reference (dx)).
(2) Appointees to cybersecurity-related positions are given a written statement of
cybersecurity responsibilities.
(3) ISSMs meet all requirements specified in Reference (v).
48 ENCLOSURE 3
DoDI 8500.01, March 14, 2014
b. Render authorization decisions for DoD ISs and PIT systems under their purview in
accordance with Reference (q).
c. Establish guidance for and oversee IS-level risk management activities consistent with
Commander, USSTRATCOM, and DoD Component guidance and direction.
d. Must be U.S. citizens and DoD officials with the authority to assume responsibility
formally for operating DoD ISs or PIT systems at an acceptable level of risk to organizational
operations (including mission, functions, image, or reputation), organizational assets,
individuals, other organizations, and the Nation.
17. ISOs of DoD IT. ISOs of DoD IT:
a. Plan and budget for security control implementation, assessment, and sustainment
throughout the system life cycle, including timely and effective configuration and vulnerability
management.
b. Ensure that SSE is used to design, develop, implement, modify, and test and evaluate
the system architecture in compliance with the cybersecurity component of the DoD Enterprise
Architecture (as described in Reference (r)) and to make maximum use of enterprise
cybersecurity.
c. Ensure authorized users and support personnel receive appropriate cybersecurity
training.
d. Coordinate with the DoD Component TSN focal point to ensure that TSN best practices,
processes, techniques, and procurement tools are applied prior to the acquisition of IT or the
integration of IT into ISs when required in compliance with Reference (bm).
18. ISSM. ISSMs:
a. Develop and maintain an organizational or system-level cybersecurity program that
includes cybersecurity architecture, requirements, objectives and policies, cybersecurity
personnel, and cybersecurity processes and procedures.
b. Ensure that IOs and stewards associated with DoD information received, processed,
stored, displayed, or transmitted on each DoD IS and PIT system are identified in order to
establish accountability, access approvals, and special handling requirements.
c. Maintain a repository for all organizational or system-level cybersecurity-related
documentation.
d. Ensure that ISSOs are appointed in writing and provide oversight to ensure that they are
following established cybersecurity policies and procedures.
e. Monitor compliance with cybersecurity policy, as appropriate, and review the results
of such monitoring.
f. Ensure that cybersecurity inspections, tests, and reviews are synchronized and coordinated
with affected parties and organizations.
g. Ensure implementation of IS security measures and procedures, including reporting
incidents to the AO and appropriate reporting chains and coordinating system-level responses to
unauthorized disclosures in accordance with Reference (bo) for classified information or
Reference (bp) for CUI, respectively.
h. Ensure that the handling of possible or actual data spills of classified information resident
in ISs is conducted in accordance with Reference (bo).
i. Act as the primary cybersecurity technical advisor to the AO for DoD IS and PIT systems
under their purview.
j. Ensure that cybersecurity-related events or configuration changes that may impact DoD
IS and PIT systems authorization or security posture are formally reported to the AO and other
affected parties, such as IOs and stewards and AOs of interconnected DoD ISs.
k. Ensure the secure configuration and approval of IT below the system level (i.e., products
and IT services) in accordance with applicable guidance prior to acceptance into or connection to
a DoD IS or PIT system.
19. INFORMATION SYSTEM SECURITY OFFICER (ISSO) (formerly known as IA
Officers). When circumstances warrant, a single individual may fulfill both the ISSM and the
ISSO roles. ISSOs:
a. Assist the ISSMs in meeting their duties and responsibilities.
b. Implement and enforce all DoD IS and PIT system cybersecurity policies and procedures,
as defined by cybersecurity-related documentation.
c. Ensure that all users have the requisite security clearances and access authorization, and
are aware of their cybersecurity responsibilities for DoD IS and PIT systems under their purview
before being granted access to those systems.
d. In coordination with the ISSM, initiate protective or corrective measures when a