Department of Defense
INSTRUCTION
NUMBER 5200.44
November 5, 2012
Incorporating Change 1, Effective August 25, 2016
DoD CIO/USD(AT&L)

SUBJECT: Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN)

References: See Enclosure 1

1. PURPOSE. This Instruction, in accordance with the authorities in DoD Directive (DoDD) 5134.01 (Reference (a)) and DoDD 5144 102 (Reference (b)):

a. Establishes policy and assigns responsibilities to minimize the risk that DoD’s warfighting mission capability will be impaired due to vulnerabilities in system design or sabotage or subversion of a system’s mission critical functions or critical components, as defined in this Instruction, by foreign intelligence, terrorists, or other hostile elements.

b. Implements the DoD’s TSN strategy, described in the Report on Trusted Defense Systems (Reference (c)) as the Strategy for Systems Assurance and Trustworthiness, through Program Protection and information assurance (IA) cybersecurity implementation to provide uncompromised weapons and information systems. The TSN strategy integrates robust systems engineering, supply chain risk management (SCRM), security, counterintelligence, intelligence, information assurance cybersecurity, hardware and software assurance, and information systems security engineering disciplines to manage risks to system integrity and trust.

c. Incorporates and cancels Directive-Type Memorandum 09-016 (Reference (d)).

d. Directs actions in accordance with the SCRM implementation strategy of National Security Presidential Directive 54/Homeland Security Presidential Directive 23 (Reference (e)), section 806 of Public Law 111-383 (Reference (f)), DoD Instruction (DoDI) 5200.39 (Reference (g)), DoDD 5000.01 (Reference (hg)), DoDI 5000.02 (Reference (ih)), DoDD DoDI 8500 01E01 (Reference (ji)), and Committee on National Security Systems Directive (CNSSD) No. 505 (Reference (kj)), and National Institute for Science and Technology Special Publication 800-161 (Reference (k)).

2. APPLICABILITY. This Instruction applies to:

a.
OSD, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense, the Defense Agencies, the DoD Field Activities, and all other organizational entities within the DoD (hereinafter referred to collectively as the “DoD Components”).

b. All DoD information systems and weapons systems that are or include systems described in subparagraphs 2.b.(1) through 2.b.(3) (hereinafter referred to collectively as “applicable systems”):

(1) National security systems as defined by section 3542 3552 of title 44, United States Code (U.S.C.) (Reference (l)). Although DoD’s Non-classified Internet Protocol Router Network (NIPRNet) and its enclaves are considered national security systems in accordance with CJCS Instruction 6211.02D (Reference (m)), they are exempted from this instruction due to the need to prioritize use of limited TSN enterprise capabilities unless paragraph 2.b.(2) or 2.b.(3) applies.

(2) Mission Assurance Category (MAC) I systems, as defined by Reference (j). Any DoD system with a high impact level for any of the three security objectives (confidentiality, integrity, and availability) in accordance with the system categorization procedures in DoDI 8510.01 (Reference (n)); or

(3) Other DoD information systems that the DoD Component’s acquisition executive or chief information officer, or designee, determines are critical to the direct fulfillment of military or intelligence missions, which may include some connections to or enclaves of NIPRNet and some industrial control systems.

c. All mission critical functions and critical components within applicable systems identified through a criticality analysis, including spare or replacement parts. For the purposes of this Instruction only, information and communications technology (ICT) components in applicable systems shall be considered for the processes described herein until this Applicability section is modified in accordance with Enclosure 2, paragraph 1.f.

3. DEFINITIONS.
See Glossary.

4. POLICY. It is DoD policy that:

a. Mission critical functions and critical components within applicable systems shall be provided with assurance consistent with criticality of the system, and with their role within the system.

b. All-source intelligence analysis of suppliers of critical components shall be used to inform risk management decisions.

c. Risk to the trust in applicable systems shall be managed throughout the entire system lifecycle. The application of risk management practices shall begin during the design of applicable systems and prior to the acquisition of critical components or their integration within applicable systems, whether acquired through a commodity purchase, system acquisition, or sustainment process. Risk management shall include TSN process, tools, and techniques to:

(1) Reduce vulnerabilities in the system design through system security engineering.

(2) Control the quality, configuration, software patch management, and security of software, firmware, hardware, and systems throughout their lifecycles, including components or subcomponents from secondary sources. Employ protections that manage risk in the supply chain for components or subcomponent products and services (e.g., integrated circuits, field-programmable gate arrays (FPGA), printed circuit boards) when they are identifiable to the supplier as having a DoD end-use.

(3) Detect the occurrence of, reduce the likelihood of, and mitigate the consequences of unknowingly using products containing counterfeit components or malicious functions in accordance with DoDI 4140.67 (Reference (o)).

(4) Detect vulnerabilities within custom and commodity hardware and software through rigorous test and evaluation capabilities, including developmental, acceptance, and operational testing.

(5) Implement tailored acquisition strategies, contract tools, and procurement methods for critical components in applicable systems, to include covered procurement actions in accordance with Reference (f).

(6)
Implement item unique identification (IUID) for national level traceability of critical components in accordance with DoDI 8320.04 (Reference (mp)).

d. The identification of mission critical functions and critical components, as well as TSN planning and implementation activities, including risk acceptance as appropriate, shall be documented in the Program Protection Plan (PPP) Reference n in accordance with Reference plans and documentation in accordance with Reference oi h and in relevant IA cybersecurity

e. In applicable systems, integrated circuit-related products and services shall be procured from a trusted supplier using trusted processes accredited by the Defense Microelectronics Activity (DMEA) when they are custom-designed, custom-manufactured, or tailored for a specific DoD military end use (generally referred to as application-specific integrated circuits (ASIC)).

5. RESPONSIBILITIES. See Enclosure 2.

6. RELEASABILITY. UNLIMITED Cleared for public release. This Instruction is approved for public release and is available on the Internet from the DoD Issuances Website at http://www.dtic.mil/whs/directives.

7. EFFECTIVE DATE. This Instruction:

a. Is effective November 5, 2012.

b. Must be reissued, cancelled, or certified current within 5 years of its publication in accordance with DoDI 5025.01 (Reference (p)). If not, it will expire effective November 5, 2022 and be removed from the DoD Issuances Website.

Teresa M. Takai
DoD Chief Information Officer

Frank Kendall
Under Secretary of Defense for Acquisition, Technology, and Logistics

Enclosures
1. References
2. Responsibilities
Glossary

ENCLOSURE 1
REFERENCES

(a) DoD Directive 5134.01, “Under Secretary of Defense for Acquisition, Technology, and Logistics (USD(AT&L)),” December 9, 2005, as amended
(b) DoD Directive 5144.1, “Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer (ASD(NII)/DoD CIO),” May 2, 2005 DoD Directive 5144.02, “DoD Chief Information Officer (DoD CIO),” November 21, 2014
(c) Report on Trusted Defense Systems in response to the National Defense Authorization Act for Fiscal Year 2009, December 22, 2009¹
(d) Directive-Type Memorandum 09-016, “Supply Chain Risk Management (SCRM) to Improve the Integrity of Components Used in DoD Systems,” March 25, 2010 (hereby cancelled)
(e) National Security Presidential Directive 54/Homeland Security Presidential Directive 23, “Cybersecurity Policy,” January 8, 2008²
(f) Section 806 of Public Law 111-383, “The National Defense Authorization Act for Fiscal Year 2011,” January 7, 2011
(g) DoD Instruction 5200.39, “Critical Program Information (CPI) Protection Within the Department of Defense,” July 16, 2008
(hg) DoD Directive 5000.01, “The Defense Acquisition System,” May 12, 2003
(ih) DoD Instruction 5000.02, “Operation of the Defense Acquisition System,” December 8, 2008 January 7, 2015
(ji) DoD Directive 8500.01E, “Information Assurance (IA),” October 24, 2002 DoD Instruction 8500.01, “Cybersecurity,” March 14, 2014
(kj) Committee on National Security Systems Directive No. 505, “Supply Chain Risk Management (SCRM),” March 7, 2012³
(k) National Institute for Science and Technology Special Publication 800-161, “Supply Chain Risk Management Practices for Federal Information Systems and Organizations,” April 2015
(l) Section 3542 3552, title 44, United States Code
(m) Chairman of the Joint Chiefs of Staff Instruction 6211.02D, “Defense Information Systems Network (DISN) Responsibilities,” January 24, 2012
(n) DoD Instruction 8510.01, “Risk Management Framework (RMF) for DoD Information Technology (IT),” March 12, 2014
(o) DoD Instruction 4140.67, “DoD Counterfeit Prevention Policy,” April 26, 2013
(mp) DoD Instruction 8320.04, “Item Unique Identification (IUID) Standards for Tangible Personal Property,” June 16, 2008 September 3, 2015
(n) Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics, “Program Protection Plan Outline and Guidance,” July 18, 2011⁴
(o) DoD Instruction 8500.2, “Information Assurance
(IA) Implementation,” February 6, 2003
(p) DoD Instruction 5025.01, “DoD Directives Program,” September 26, 2012

¹ Available to authorized users by request from the Office of the USD(AT&L).
² Available to authorized users by request from the National Security Council.
³ Available to authorized users by request from the Committee on National Security Systems.
⁴ Available at www.acq.osd.mil/se/docs/PPP-Outline-and-Guidance-v1-July2011.docx

(q) Defense Federal Acquisition Regulation Supplement, current edition⁴
(r) Defense Acquisition Guidebook, current edition⁵
(s) Section 937 of Public Law 113-66, “The National Defense Authorization Act for Fiscal Year 2014,” December 26, 2013
(t) Policy Memorandum 15-001 – Joint Federated Assurance Center (JFAC) Charter,⁶ February 9, 2015
(su) DoD Instruction O-5240.24, “Counterintelligence (CI) Activities Supporting Research, Development, and Acquisition (RDA),” June 8, 2011, as amended
(tv) Supply Chain Risk Management (SCRM) Program Office, Trusted Mission Systems and Networks Directorate, “Key Practices and Implementation Guide for the DoD Comprehensive National Cybersecurity Initiative 11 - Supply Chain Risk Management Pilot Program,” February 25, 2010⁷
(uw) Section 11101 of title 40, United States Code
(vx) Committee on National Security Systems Instruction No. 4009, “Committee National on Security Systems (CNSS) Information Assurance (IA) Glossary,” April 26, 2010 April 6, 2015⁸
(wy) DoD 5240.1-R, “Procedures Governing the Activities of DoD Intelligence Components That Affect United States Persons,” December 1, 1982

⁴ Available at http://www.acq.osd.mil/dpap/dars/dfarspgi/current/index.html
⁵ Available at http akssdag dau mil
⁶ Available at http://www.acq.osd.mil/se/docs/JFAC-Charter-Signed-9Feb2015.pdf
⁷ Available to authorized users at https://diacap.iaportal.navy.mil/ks/pages/SCRM.aspx https://rmfks.osd.mil/rmf/Guidance/RMFRelatedTopics/Pages/SCRM.aspx
⁸ Available at www.cnss.gov/Assets/pdf/cnssi_4009.pdf https://www.cnss.gov/CNSS/issuances/Instructions.cfm

ENCLOSURE 2
RESPONSIBILITIES

1. UNDER SECRETARY OF DEFENSE FOR ACQUISITION, TECHNOLOGY, AND LOGISTICS (USD(AT&L)). The USD(AT&L), in accordance with Reference (a), shall:

a. In coordination with the DoD Chief Information Officer (CIO), oversee the implementation of this Instruction and issue supporting guidance, as necessary.

b. Coordinate with the DoD CIO and the Heads of the DoD Components to develop TSN requirements, best practices, and mitigations. Develop guidance for identification and protection of mission critical functions and critical components; develop programming recommendations for TSN; align DoD TSN enterprise resources (e.g., test and evaluation, training); and develop TSN training for appropriate DoD Components and contractor personnel.

c. In coordination with the DoD CIO and the Director, National Security Agency/Chief, Central Security Service (DIRNSA/CHCSS), advance the state of the art in assurance tools, techniques, and methods for creating and identifying non-cryptologic software and hardware that is free from exploitable vulnerabilities and malicious intent.

d. In coordination with the DoD CIO and the Heads of the DoD Components, integrate the identification and protection of mission critical functions and critical components into system engineering, acquisition, logistics, and materiel readiness policies to ensure implementation of TSN concepts in technology demonstration or other research projects, defense acquisition programs, commodity purchases, operations and maintenance activities, and end-of-life disposal procedures.

e. In coordination with the DoD CIO, incorporate TSN concepts and the authorities in Reference (f) into the Defense Federal Acquisition Regulation Supplement (Reference (q)), Defense Acquisition Guidebook (Reference (r)), and solicitation and contract language.

f. In coordination with the DoD CIO, the Under Secretary of Defense for Intelligence (USD(I)), and the Heads of the DoD Components,
evaluate the feasibility and usefulness of applying the processes that are described for critical ICT components for applicable systems in accordance with this Instruction to non-ICT components that are critical to DoD weapons and information systems, and issue policy, as appropriate. In the event that demand for threat assessments exceeds resources, establish, in coordination with the DoD CIO, the USD(I), and the Heads of the DoD Components, the prioritization for threat assessment support.

g. In coordination with the DoD CIO, the Director, Defense Intelligence Agency (DIA), and the Heads of the DoD Components, develop a strategy for managing risk in the supply chain for integrated circuit-related products and services (e.g., FPGAs, printed circuit boards) that are identifiable to the supplier as specifically created or modified for DoD (e.g., military temperature range, radiation hardened).

h. In coordination with DoD CIO and participating DoD Components, develop, maintain, and offer software and hardware assurance capabilities across the DoD Components as required by Section 937 of Public Law 113-66 (Reference (s)) and Policy Memorandum 15-001, Joint Federated Assurance Center (JFAC) Charter (Reference (t)).

2. DIRECTOR, DMEA. The Director, DMEA, under the authority, direction, and control of USD(AT&L), shall, in coordination with DoD CIO and the Heads of the DoD Components, perform the accreditations of trusted suppliers; review those accreditations on an annual basis; issue follow-on guidance for the use of trusted suppliers; and establish criteria for accrediting trusted suppliers of integrated circuit-related products and services.

3. DoD CIO. The DoD CIO shall:

a. Coordinate with the USD(AT&L) and the Heads of the DoD Components as a subject matter expert on SCRM activities within TSN, implementation of TSN across the DoD, and development of TSN training requirements, best practices, and mitigations.

b. Integrate TSN concepts into IA security controls and other
policies and processes (e.g., Reference (n)), as appropriate.

c. Issue guidance (e.g., information system security engineering guidance) and develop programming recommendations to ensure the integration of TSN concepts and processes into the acquisition and maintenance of DoD information systems, enclaves, and services, including the purchase and integration of ICT commodities.

4. USD(I). The USD(I) shall:

a. Guide collection of foreign intelligence and direct all-source analysis of supply chain risk.

b. Integrate TSN concepts into USD(I)-managed policies and processes, as appropriate.

c. In coordination with the DIRNSA/CHCSS, develop processes and procedures for responding to suspected or actual supply chain exploits identified by the Heads of the DoD Components, such as vulnerability assessments, best practices, and educational materials.

d. Provide oversight for counterintelligence, defense intelligence, and security support to protect critical mission functions and components.

5. DIRNSA/CHCSS. The DIRNSA/CHCSS, under the authority, direction, and control of the USD(I), and in addition to the responsibilities in section 8 of this enclosure, shall:

a. Support the development and application of TSN requirements, best practices, and processes. In the event that demand for support exceeds resources, establish, in coordination with the DoD CIO, the USD(I), and the Heads of the DoD Components, prioritization for support to achieve TSN.

b. Advise and guide the Heads of the DoD Components in the application of processes, tools, techniques, and methods to minimize vulnerabilities and risk of malicious intent in procured and developed software and hardware for applicable systems.

c. In coordination with selected software assurance testing centers, define processes, tools, techniques, and standards to effectively test newly developed and acquired DoD software and hardware for applicable systems.

d. Assess software analysis tools and practices and disseminate guidance on software
and hardware vulnerability reduction and malicious intent identification to enable acquisition programs to manage risk effectively.

6. DIRECTOR, DIA. The Director, DIA, under the authority, direction, and control of the USD(I), and in addition to the responsibilities in section 8 of this enclosure, shall produce an intelligence and counterintelligence assessment of supplier threats to acquisition programs providing critical weapons, information systems, or service capabilities in accordance with DoDI O-5240.24 (Reference (su)). In the event that demand for support exceeds resources, establish, in coordination with USD(AT&L), DoD CIO, and the Heads of the DoD Components, prioritization for support to conduct threat analysis of suppliers of critical components.

7. UNDER SECRETARY OF DEFENSE FOR POLICY (USD(P)). The USD(P) shall, in coordination with the USD(I), establish security policy for foreign national participation in system integration activities.

8. HEADS OF THE DoD COMPONENTS. The Heads of the DoD Components shall:

a. Designate a TSN focal point or focal points with access to all DoD Components research, development, and acquisition and sustainment (RDA) activities for applicable systems in order to:

(1) Coordinate and prioritize requests for threat analysis of suppliers of critical components in accordance with Reference (su).

(2) Coordinate and prioritize requests for use of DoD Components and Enterprise TSN resources, including TSN subject matter experts and tools, including hardware and software assurance capabilities, in accordance with References (s) and (t).

(3) Coordinate with the DoD CIO and USD(AT&L) in the development of TSN requirements, best practices, and mitigations.

(4) Assure the identification of mission critical functions and critical components, as well as TSN planning and implementation activities, are documented in the PPP.

b. Establish processes for managers of research, development, acquisition, and sustainment RDA activities for applicable
systems to manage risk to the trust in the system by:

(1) Conducting a criticality analysis to identify mission critical functions and critical components and reducing the vulnerability of such functions and components through secure system design.

(2) Requesting threat analysis of suppliers of critical components from the pertinent TSN focal point and managing access to and control of threat analysis products containing U.S. person information in accordance with Reference (su).

(3) Engaging the pertinent TSN focal point for guidance on managing identified risk using DoD Components and Enterprise risk management resources.

(4) Applying TSN best practices, processes, techniques, and procurement tools prior to the acquisition of critical components or their integration into applicable systems, at any point in the system lifecycle. Such tools and practices include contract requirements developed in accordance with USD(AT&L) guidance provided pursuant to paragraph 1.e. of this enclosure, SCRM key practices (Reference (tv)), and the authorities prescribed in Reference (f), as appropriate.

(5) Documenting TSN plans and implementation activities in PPPs and relevant IA cybersecurity plans and documentation in accordance with Reference (h).

c. Assign DoD Components specialists to assist the Director, DIA, to conduct threat analysis of suppliers of critical components.

d. Coordinate with the USD(AT&L) and the DoD CIO regarding TSN training of all appropriate DoD Components and contractor personnel commensurate with their assigned responsibilities.

e. Notify the cognizant Milestone Decision Authority, Designated Accrediting Authority (DAA) Authorizing Official, and the DoD CIO of significant threats that cannot be reasonably addressed through technical mitigation, countermeasures, or risk management procedures.

f. Notify the USD(I) and DIRNSA/CHCSS of discovered or suspected supply chain exploits for the purposes of further analysis and the development of enterprise remediation, as appropriate.
g. Integrate Component-unique TSN concepts into DoD Components policies and processes, as appropriate.

h. Ensure the Component Acquisition Executive or Chief Information Officer, or designee, designate DoD systems that are not national security systems or Mission Assurance Category I systems a high impact level for confidentiality, integrity, or availability as applicable systems in accordance with subparagraph 2.b.(3) above the signature of this Instruction.

i. Provide software and hardware assurance capabilities and resources, and support the JFAC, as required by References (s) and (t).

GLOSSARY

PART I. ABBREVIATIONS AND ACRONYMS

ASIC            application-specific integrated circuits
CJCS            Chairman of the Joint Chiefs of Staff
DIA             Defense Intelligence Agency
DIRNSA/CHCSS    Director, National Security Agency/Chief, Central Security Service
DMEA            Defense Microelectronics Activity
DoD CIO         DoD Chief Information Officer
DoDD            DoD Directive
DoDI            DoD Instruction
FPGA            field-programmable gate arrays
IA              information assurance
ICT             information and communications technology
IT              information technology
IUID            item unique identification
JFAC            Joint Federated Assurance Center
MAC             Mission Assurance Category
NIPRNet         Non-classified Internet Protocol Router Network
PPP             Program Protection Plan
RDA             research, development, and acquisition
SCRM            supply chain risk management
TSN             trusted systems and networks
USD(AT&L)       Under Secretary of Defense for Acquisition, Technology, and Logistics
USD(I)          Under Secretary of Defense for Intelligence
USD(P)          Under Secretary of Defense for Policy
U.S.C.          United States Code

PART II. DEFINITIONS

Unless otherwise noted, these terms and their definitions are for the purposes of this Instruction.

critical component. A component which is or contains ICT, including hardware, software, and firmware, whether custom, commercial, or otherwise developed, and which delivers or
protects mission critical functionality of a system or which, because of the system’s design, may introduce vulnerability to the mission critical functions of an applicable system.

criticality analysis. An end-to-end functional decomposition performed by systems engineers to identify mission critical functions and components. Includes identification of system missions, decomposition into the functions to perform those missions, and traceability to the hardware, software, and firmware components that implement those functions. Criticality is assessed in terms of the impact of function or component failure on the ability of the component to complete the system mission(s). Criticality levels are defined in Reference (n).

cybersecurity. Defined in Reference (e).

enclave. Defined in Committee on National Security Systems Instruction No. 4009 (Reference (x)).

ICT. Includes all categories of ubiquitous technology used for the gathering, storing, transmitting, retrieving, or processing of information (e.g., microelectronics, printed circuit boards, computing systems, software, signal processors, mobile telephony, satellite communications, and networks). ICT is not limited to information technology (IT), as defined in section 11101 of title 40, U.S.C. (Reference (uw)). Rather, this term reflects the convergence of IT and communications.

industrial control system. Defined in Reference (x).

information system. Defined in Committee on National Security Systems Instruction No. 4009 (Reference (vx)).

information systems security engineering. Defined in Reference (vx).

mission critical functions. Any function, the compromise of which would degrade the system effectiveness in achieving the core mission for which it was designed.

national security system. Defined in Reference (l).

RDA. Defined in Reference (r).

SCRM. A systematic process for managing supply chain risk by identifying susceptibilities, vulnerabilities, and threats throughout DoD’s “supply chain” and developing mitigation strategies to combat those threats whether presented by the supplier, the supplied
product and its subcomponents, or the supply chain (e.g., initial production, packaging, handling, storage, transport, mission operation, and disposal).

software assurance. The level of confidence that software functions as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software throughout the lifecycle.

supply chain risk. The risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.

system security engineering. An element of system engineering that applies scientific and engineering principles to identify security vulnerabilities and minimize or contain risks associated with these vulnerabilities.

U.S. person. Defined in DoD 5240.1-R (Reference (wy)).

weapon system. A combination of one or more weapons with all related equipment, materials, services, personnel, and means of delivery and deployment (if applicable) required for self-sufficiency.