5.1. The Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) (ASD(C3I)) shall:
5.1.1. Oversee and review implementation of this Directive.
5.1.2. Develop overall AIS security policies and procedures in accordance with U.S. national policies and Directives in coordination with the Under Secretary of Defense (Policy) (USD(P)), and consistent with DoD policies under DoD 5200.1-R (reference (b)), DoD Directive 7920.1 (reference (l)), DCID No. 1/16 (reference (g)), and DoD Instruction 5210.74 (reference (m)).
5.1.3. Promulgate Instructions, Standards, Manuals, and other issuances, as required, in accordance with this Directive.
5.1.4. Represent the Department of Defense on interagency committees engaged in development of security policy, standards, and criteria for AISs.
5.2. The Deputy Under Secretary of Defense (Policy) (DUSD(P)) shall continue to review, oversee, and formulate overall policies that govern DoD security practices and programs, to include developing, coordinating, and presenting DoD positions on the following:
5.2.1. Information Security.
5.2.2. Physical Security.
5.2.3. Personnel Security.
5.2.4. Industrial Security.
5.3. The Director, Defense Investigative Service (DIS), shall implement an AIS security program for DoD contractor AISs in accordance with DoD Directive 5220.22 (reference (n)) and DoD 5220.22-R (reference (o)).
5.4. The Director, Defense Communications Agency (DCA), shall implement an AIS security program for long-haul communication systems that do not handle SCI and shall certify devices that perform secured or protected telecommunications switching functions.
5.5. The Director, Defense Intelligence Agency (DIA), shall implement a program for the security of DoD Component and DoD contractor AISs and networks (e.g., the DoD Intelligence Information System network) that handle SCI. The program shall not apply to AISs and networks under the cognizance of the National Security Agency and/or the Central Security Service (NSA/CSS).
5.6. The National Security Agency and/or the Central Security Service (NSA/CSS) shall:
5.6.1. Implement an AIS security program for all AISs under NSA/CSS jurisdiction, including those of NSA/CSS contractors.
5.6.2. As requested, provide DoD Components with communications and computer security assistance and advice in support of effective AIS security measures.
5.6.3. Establish and maintain technical standards and criteria for evaluating and certifying trusted computer products. Review, at least yearly, DoD 5200.28-STD (reference (k)) and provide recommendations for revision to the ASD(C3I).
5.6.4. Provide training for DoD Components in evaluation techniques and procedures as applicable to reference (k), and certify such DoD Components to conduct evaluations.
5.6.5. Evaluate computer products intended for use by DoD Components or contractors as trusted computer products. These evaluations may be conducted on computer products developed or derived by either industry or Government sources. Also, perform quality assurance and certify evaluations performed by DoD Components.
5.6.6. Maintain and publish the EPL of evaluated industry and Government-developed or -derived trusted computer products.
5.6.7. Conduct, approve, and sponsor research and development of techniques and equipment for trusted computer products and for computer security evaluation and verification methods and techniques.
5.6.8. Serve as the focal point for technical matters on using trusted computer products and systems and, with DoD Component computer security testing and evaluation activities, provide technical advice to the DoD Components on using trusted products and systems.
5.6.9. Ensure that AIS security posture assessments, made in accordance with the DoD computer security program, are incorporated into NCSC goals and objectives.
5.6.10. Annually assess the overall AIS security posture and disseminate information on hostile threats against DoD AISs.
5.6.11. Operate a central technical center to provide, as requested, technical assistance to evaluate and certify the computer-based security features of AISs used in operational environments.
5.6.12. Prescribe the minimum security standards, methods, and procedures for safeguarding an AIS's classified and sensitive technical security material, techniques, and information.
5.6.13. Review and approve standards, techniques, systems, and equipment for telecommunications and automated information systems security.
5.7. The Joint Chiefs of Staff (JCS) shall:
5.7.1. Implement an AIS security program under this Directive and SM-313-83 (reference (h)) for AISs of DoD Components and their contractors that handle SIOP-ESI.
5.7.2. Provide a source of education and training for managers in AIS security through the Department of Defense Computer Institute (DoDCI) of the National Defense University (NDU) (DoD Directive 5200.2 (reference (p))).
5.8. The Heads of DoD Components shall:
5.8.1. Implement and maintain an overall AIS security program designed to ensure compliance with this Directive.
5.8.2. Ensure that contractual requirements to protect classified and sensitive unclassified information are provided to their contractors.
5.8.3. Ensure that funding and resources are programmed for staffing, training, and supporting this AIS security program and for implementation of AIS safeguards, as required, within the DoD Component.
5.8.4. Assign official(s) as the DAA (e.g., senior AIS policy official) responsible for accrediting each AIS under his or her jurisdiction and for ensuring compliance with AIS security requirements.
5.8.5. Establish and maintain an AIS security training and awareness program for all DoD military, civilian, and contractor personnel requiring access to AISs.
5.8.6. Ensure that periodic independent reviews of the security and protection of their AISs are done to ensure compliance with stated AIS security goals. Such reviews may be done using the procedures in DoD Directive 5010.38 (reference (q)).
5.8.7. Support the Computer Security Technical Vulnerability Reporting Program in accordance with DoD Instruction 5215.2 (reference (i)).
5.9. Each Designated Approving Authority (DAA) shall:
5.9.1. Review and approve security safeguards of AISs and issue accreditation statements for each AIS under the DAA's jurisdiction based on the acceptability of the security safeguards for the AIS.
5.9.2. Ensure that all the safeguards required, as stated in the accreditation documentation for each AIS, are implemented and maintained.
5.9.3. Identify security deficiencies and, where the deficiencies are serious enough to preclude accreditation, take action (e.g., allocate additional resources) to achieve an acceptable security level.
5.9.4. Ensure that an Information System Security Officer (ISSO) is named for each AIS, and that he or she receives applicable training to carry out the duties of this function. It is recommended that the ISSO not report to operational elements of the AIS over which security requirements of this Directive must be enforced.
5.9.5. Require that an AIS security education and training program be in place.
5.9.6. Ensure that data ownership is established for each AIS, to include accountability, access rights, and special handling requirements.
5.10. Each Information System Security Officer (ISSO) shall:
5.10.1. Ensure that the AIS is operated, used, maintained, and disposed of in accordance with internal security policies and practices.
5.10.2. Have the authority to enforce security policies and safeguards on all personnel having access to the AIS for which the ISSO has cognizance.
5.10.3. Ensure that users have the required personnel security clearances, authorization, and need-to-know, have been indoctrinated, and are familiar with internal security practices before access to the AIS.
5.10.4. Ensure that audit trails are reviewed periodically.
5.10.5. Begin protective or corrective measures if a security problem exists.
5.10.6. Report security incidents in accordance with DoD 5200.1-R (reference (b)) and to the DAA when an AIS is involved.
5.10.7. Report the security status of the AIS, as required by the DAA.
5.10.8. Evaluate known vulnerabilities to ascertain if additional safeguards are needed.
5.10.9. Maintain a plan for system security improvements and progress towards meeting the accreditation.