The Acquisition Information Assurance (IA) Strategy provides documentation that ensures that the program has an information assurance strategy that is consistent with DoD policies, standards, and architectures, to include relevant standards. The Program Manager (PM) develops the Acquisition IA Strategy to help the program office organize and coordinate its approach to identifying and satisfying IA requirements consistent with DoD policies, standards, and architectures.[1]

The Acquisition IA Strategy serves a purpose separate from the documentation generated from the Risk Management Framework (RMF) or other Certification and Accreditation (C&A) processes. Developed earlier in the acquisition life cycle and written at a higher level, the Acquisition IA Strategy documents the program’s overall IA requirements and approach, including the determination of the appropriate certification and accreditation process. The Acquisition IA Strategy must be available for review at all Acquisition Milestone Decisions, including early milestones when C&A documentation would not yet be available. [1]

The Acquisition IA Strategy lays the groundwork for a successful C&A process by facilitating consensus among the Program Manager (PM), Component Chief Information Officer, and DoD Chief Information Officer on pivotal issues such as Mission Assurance Category, Confidentiality Level, and applicable Baseline IA Controls; selection of the appropriate C&A process; identification of the Designated Accrediting Authority and Certification Authority; and documenting a rough timeline for the C&A process.[1]

Key aspects of the Acquisition IA Strategy are:

• The Acquisition IA Strategy is a stand-alone document. Although other key documents can be referenced within the Acquisition IA Strategy to identify supplemental or supporting information, the Acquisition IA Strategy should contain sufficient internal content to clearly communicate the strategy to the reader.
• Configuration Control of the Acquisition IA Strategy should be maintained with respect to the program’s governing requirements document and the Information Support Plan (ISP).
• Acquisition Information Assurance (IA) Strategies must be submitted for approval and review in accordance with the Defense Acquisition Guidebook (DAG) – Table 7.5.9.2T1, which is based on submission requirements detailed in DoD Instruction 5000.02 “Operation of the Defense Acquisition System”, Enclosures 4 and 5.
• Address the Acquisition IA strategy in the program Acquisition Strategy.

Acquisition Information Assurance (IA) Strategy Template from Defense Acquisition Guidebook
1.0 Program Category and Life-Cycle Status
2.0 Mission Assurance Category (MAC) and Confidentiality Level
3.0 System Description
4.0 Threat Assessment
5.0 Risk Assessment
6.0 Information Assurance Requirements
7.0 Acquisition Strategy
8.0 Certification and Accreditation
9.0 IA Testing
10.0 IA Shortfalls
11.0 Policy/Directives
12.0 Relevant Associated Program Documents
13.0 Point of Contact

 

AcqLinks and References:

• Defense Acquisition Guidebook (DAG)
• [1] DoD Instruction 5000.02 “Operation of Defense Acquisition System”
• DoD Instruction 8500.01 Cybersecurity – 14 Mar 2014
• DoD Instruction 4360.08 “Procedures for Interoperability and Supportability of IT and NSS” – Enclosure 4
• DoD Instruction 5200.40 “DoD IT Security Certification and Accreditation Process (DITSCAP)” 30 Dec 1997
• DoD Instruction 8510.01 “Risk Management Framework for DoD Information Technology” – 24 May 2016

Update: 6/11/2018