
DCDS-1 Dedicated IA Services


Overview

Acquisition or outsourcing of dedicated IA services such as incident monitoring, analysis and response; operation of IA devices such as firewalls; or key management services are supported by a formal risk analysis and approved by the DoD Component CIO.

MAC / CONF: MACI, MACII, MACIII
Impact: Medium
Subject Area: Security Design and Configuration

Details

Threat
Many dedicated IA services introduce ancillary security and financial risks which may not be readily apparent to organizations.  Formal risk management techniques must be employed to fully understand the scope of implementing IA services.

Guidance
1. Each Component shall adopt or develop a documented formal risk analysis process with which to evaluate the acquisition or outsourcing of dedicated IA services such as incident monitoring, analysis and response; operation of IA devices such as firewalls; or key management services.
2. Minimum factors to consider when evaluating dedicated IA shall include potential cost, schedule and technical risk. Ideally, consideration would be given in terms of the Mission Assurance Categories, provided in DoDI 8500.2 Enclosure 2.3.
 
The risk analysis findings shall be presented to the DoD Component CIO for action.

References

  • DoDD 8000.1, Management of DoD Information Resources and Information Technology, 27 February 2002
  • DoDI 8500.2, Information Assurance (IA) Implementation, para E2.1.38, 06 February 2003