The Cybersecurity Strategy is a required acquisition program document (per DoD Instruction 5000.02 and Clinger-Cohen Act) that details how a program will ensure that an Information Technology system can protect and defend itself from a cyber attack. The strategy is created and maintained by the Program Office and appended to the Program Protection Plan (PPP). It’s required for all ACAT level programs.
The Program Manager (PM) develops the Cybersecurity Strategy as early as possible, and continually updates and maintains it to mature at a rate commensurate with that of the program. The Cybersecurity Strategy reflects both the program’s long-term approach for, and implementation of cybersecurity throughout the program lifecycle. The Cybersecurity Strategy is a tool for PMs, Authorizing Officials (AO) or Authorizing Official Designated Representatives (AODR), and relevant review and approval authorities to plan for, identify, assess, mitigate, and manage risks as systems mature. Beginning at Milestone A, the PM will submit the Cybersecurity Strategy to the cognizant Component Chief Information Officer (CIO) for review and approval prior to milestone decisions or contract awards.
Cybersecurity Strategy Outline: 
- Sources of Cybersecurity Requirements
- Cybersecurity Approaches
- Cybersecurity Implementation
- Risk Management
- Policy and Guidance
- Point of Contracts
- Other Considerations
REGULATORY: for all other programs containing IT, including NSS. The Cybersecurity Strategy is an appendix to the Program Protection Plan (PPP). A draft update is due for the Development RFP Release and is approved at Milestone B. May include the approved DoD Risk Management Framework Security Plan for urgent needs. The DoD CIO is approval authority for Acquisition Category (ACAT) ID and all ACAT IA programs; the Component CIO is approval authority for all other ACATs. 
AcqLinks and References:
-  DoD CIO Cybersecurity Strategy Outline and Guidance – 10 Nov 15
-  DoD Instruction 5000.02 “Operation of the Defense Acquisition System”
- Guide: Cybersecurity Test and Evaluation Guidebook – 27 Oct 2015
- Guide: PM Guidebook for Integrating Cybersecurity RMF into System Acquisition Lifecycle – Sep 2015