DCIT-1 IA for IT Services


Overview

Acquisition or outsourcing of IT services explicitly addresses Government, service provider, and end user IA roles and responsibilities.

MAC / CONF: MACI, MACII, MACIII
Impact: High
Subject Area: Security Design and Configuration

Details

Threat
IA roles that are not clearly defined and expressed during the acquisition or outsourcing of IT services create a confusing environment where IA responsibility can be easily passed and accountability is nonexistent. By clearly defining and expressing IA roles, organizations ensure IA ownership, accountability, and IA consideration throughout the entire systems lifecycle.

Guidance
During acquisition or outsourcing of IT services, contracts and other documentation identifying roles shall include Government, service provider, and end user IA roles and responsibilities, for example: PM, IAM, User Representative, CA, DAA, SIAO, and CIO.

References

  • DoDI 8500.2, Information Assurance (IA) Implementation, para. E3.3.5 - E3.3.6, 06 February 2003
  • NIST SP 800-35, Guide to Information Technology Security Services, October 2003
  • NIST SP 800-64, Security Considerations in the Information System Development Lifecycle, June 2004