
DCSR-2 Specified Robustness - Medium


Overview

At a minimum, medium-robustness COTS IA and IA-enabled products are used to protect sensitive information when the information transits public networks or the system handling the information is accessible by individuals who are not authorized to access the information on the system. The medium-robustness requirements for products are defined in the Protection Profile Consistency Guidance for Medium Robustness published under the IATF.  COTS IA and IA-enabled IT products used for access control, data separation, or privacy on sensitive systems already protected by approved medium-robustness products, at a minimum, satisfy the requirements for basic robustness. If these COTS IA and IA-enabled IT products are used to protect National Security Information by cryptographic means, NSA-approved key management may be required.

MAC / CONF: SENSITIVE
Impact: High
Subject Area: Security Design and Configuration

Details

Threat
Utilizing GOTS or COTS IA and IA-enabled IT products that are designated at a lower robustness than is required will increase network vulnerability by not adequately protecting DoD data and information systems. By adhering to robustness requirements, organizations can be confident that they are applying the appropriate level of protection to their network.

Guidance
1. At a minimum, medium-robustness COTS IA and IA-enabled products shall be used to protect sensitive information when the information transits public networks or the system handling the information is accessible by individuals who are not authorized to access the information on the system. *
2. The medium-robustness requirements for products are defined in the Protection Profile Consistency Guidance for Medium Robustness published under the IATF. *
3. COTS IA and IA-enabled IT products used for access control, data separation, or privacy on sensitive systems already protected by approved medium-robustness products, at a minimum, shall satisfy the requirements for basic robustness. If these COTS IA and IA-enabled IT products are used to protect National Security Information by cryptographic means, NSA-approved key management may be required. *
 
* Note: These requirements are more stringent than DCSR-1.

References

  • DoD CIO Guidance and Policy Memorandum No. 6-8510, DoD GIG IA, 16 June 2000
  • CJCSM 6510.01, Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND), 10 August 2004
  • DoDI 8500.2, Information Assurance Implementation, para. E3.2.4.3, .1, .3, 06 February 2003
  • Information Assurance Technical Framework, Appendix E, IATF Release 3.1, September 2002