
DCAS-1 Acquisition Standards


Overview

The acquisition of all IA- and IA-enabled GOTS IT products is limited to products that have been evaluated by the NSA or in accordance with NSA-approved processes. The acquisition of all IA- and IA-enabled COTS IT products is limited to products that have been evaluated or validated through one of the following sources - the International Common Criteria (CC) for Information Security Technology Evaluation Mutual Recognition Arrangement, the NIAP Evaluation and Validation Program, or the FIPS validation program. Robustness requirements, the mission, and customer needs will enable an experienced information systems security engineer to recommend a Protection Profile, a particular evaluated product or a security target with the appropriate assurance requirements for a product to be submitted for evaluation (See also DCSR-1).

MAC / CONF: CLASSIFIED, SENSITIVE, PUBLIC
Impact: High
Subject Area: Security Design and Configuration

Details

Threat
Procured IA- and IA-enabled GOTS and COTS IT products have the potential to introduce security vulnerabilities into information systems. Ensuring that products are successfully evaluated by the appropriate organization (e.g., NSA, NIST, etc.), confirming that they have incorporated robust security features into their design and construction, will mitigate the risk of introducing security vulnerabilities into DoD information systems.

Guidance
1. The acquisition of all IA- and IA-enabled GOTS IT products shall be limited to products that have been evaluated by the NSA or in accordance with NSA-approved processes.
2. The acquisition of all IA- and IA-enabled COTS IT products shall be limited to products that have been evaluated or validated through one of the following sources:
  a. The International Common Criteria (CC) for Information Security Technology Evaluation Mutual Recognition Arrangement;
  b. The NIAP Evaluation and Validation Program. The NIAP program serves as the vehicle for evaluating IA- and IA-enabled COTS IT products. A complete list of products that have been evaluated under Common Criteria through NIAP can be found at the following website: http://niap.nist.gov/cc-scheme/vpl/vpl_type.html. Evaluated products can be located using a search by vendor, product name, technology type, and assurance level.
  c. The FIPS validation program.
3. Robustness requirements, the mission, and customer needs will enable an experienced information systems security engineer to recommend a Protection Profile, a particular evaluated product or a security target with the appropriate assurance requirements for a product to be submitted for evaluation (See also DCSR-1).

References

  • Common Criteria Version 2, Release 2, ISO International Standard 15408, or latest release, January 2004
  • National Security Telecommunications and Information Systems Security Policy (NSTISSP) No. 11, "National Policy Governing the Acquisition of Information Assurance (IA) and IA-enabled Information Technology Products," January 2000
  • DoD 5000.1, The Defense Acquisition System, 12 May 2003
  • DoD 5000.2, Operation of the Defense Acquisition System, 12 May 2003
  • DoDI 8580.1, Information Assurance (IA) in the Defense Acquisition System, 09 July 2004
  • FAQs for 8580.1, Frequently Asked Questions: DoDI 8580.1, 05 August 2004
  • IA in the Defense Acquisition Guidebook, IA Section of the Draft Defense Acquisition Guidebook, 09 July 2004
  • CJCSI - Information Assurance (IA) and Computer Network Defense (CND)
  • DoDD 8000.1, Management of DoD Information Resources and Information Technology, 27 February 2002
  • DoDI 8500.2, Information Assurance (IA) Implementation, para. E3.2.5 – E3.2.5.6, 06 February 2003