Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
DCIT-1 IA for IT Services
Overview
Acquisition or outsourcing of IT services explicitly addresses Government, service provider, and end user IA roles and responsibilities.
| MAC / CONF | Impact | Subject Area |
|---|---|---|
| MACI MACII MACIII | High | Security Design and Configuration |
Details
| Threat |
|---|
| IA roles that are not clearly defined and expressed during the acquisition or outsourcing of IT services create a confusing environment where IA responsibility can be easily passed and accountability is nonexistent. By clearly defining and expressing IA roles, organizations ensure IA ownership, accountability, and IA consideration throughout the entire systems lifecycle. |
| Guidance |
|---|
| During acquisition or outsourcing of IT services, contracts and other documentation identifying roles shall include Government, service provider, and end user IA roles and responsibilities for example: PM, IAM, User Representative, CA, DAA, SIAO, and CIO. |
References
- DoDI 8500.2, Information Assurance (IA) Implementation, para. E3.3.5 - E3.3.6, 06 February 2003
- NIST SP 800-35, Guide to Information Technology Security Services. October 2003
- NIST SP 800-64, Security Considerations in the Information System Development Lifecycle. June 2004