The Cybersecurity Strategy is a required acquisition program document (per DoD Instruction 5000.02 and Clinger-Cohen Act) that details how a program will ensure that an Information Technology system can protect and defend itself from a cyber attack. The strategy is created and maintained by the Program Office and appended to the Program Protection Plan (PPP). It’s required for all Acquisition Category (ACAT) level programs.
Definition: Cybersecurity is the prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.
Definition: The Cybersecurity Strategy is a tool for PMs, Authorizing Officials (AO) or Authorizing Official Designated Representatives (AODR), and relevant review and approval authorities to plan for, identify, assess, mitigate, and manage risks as systems mature.
Cybersecurity Strategy Development
The Program Manager (PM) develops the Cybersecurity Strategy as early as possible, and continually updates and maintains it to mature at a rate commensurate with that of the program. The Cybersecurity Strategy reflects both the program’s long-term approach for and implementation of cybersecurity throughout the program lifecycle. Beginning at Milestone A, the PM will submit the Cybersecurity Strategy to the cognizant Component Chief Information Officer (CIO) for review and approval prior to milestone decisions or contract awards.
Guide: DoD CIO Cybersecurity Strategy Outline and Guidance – Aug 2020
Cybersecurity Strategy Outline: [1]
- Introduction
- Sources of Cybersecurity Requirements
- Management Approach
- Technical Approach
- Implementation Progress
- Operations and Sustainment
- Policy and Guidance
- Points of Contact(s)
- Other Considerations
- Signature Page
Cybersecurity Strategy Principals [1]
Program Offices should use the following principles to ensure the document is useful as a plan and working document for the program, and to support cybersecurity and acquisition review and
approval functions. These principles form the basis of CIO evaluation criteria in review of Cybersecurity Strategies:
- Evidence of comprehensive analysis, including System Security Engineering (SSE), Trusted Systems and Networks (TSN) Analysis, and system survivability, supporting the planning and
implementation of cybersecurity on the system, including the intended CONOPS, operating environment and tempo, understanding of expected level of threat leading to the determination of adequate system cybersecurity implementation and achievement of desired operational outcomes. - Evidence of traceability between security controls and the baselines (functional, allocated, and product), and understanding of the balance between risks and requirements trades.
- Consideration of cybersecurity in relation to the interdependency of this system with the system of systems in which it is intended to operate; the degree to which the capability depends on cybersecurity to perform its key functions and missions.
- Planning for cybersecurity testing and evaluation throughout the acquisition lifecycle, including testing of security controls in accordance with the RMF; ensuring cybersecurity requirements are testable and measurable.
- Evidence and understanding of ongoing risk management, including residual risks stemming from the failure to mitigate identified cybersecurity risks and vulnerabilities.
Cybersecurity Strategy Regulations
REGULATORY: for all other programs containing IT, including NSS. The Cybersecurity Strategy is an appendix to the Program Protection Plan (PPP). A draft update is due for the Development RFP Release and is approved at Milestone B. May include the approved DoD Risk Management Framework Security Plan for urgent needs. The DoD CIO is the approval authority for Acquisition Category (ACAT) ID and all ACAT IA programs; the Component CIO is the approval authority for all other ACATs. [2]
Cybersecurity Strategy Focus Areas
A cybersecurity strategy should focus on the key areas below to be comprehensive. These areas are:
- Computer Systems
- System Development
- Critical infrastructure
- Network security
- Application security
- Cloud security
- Policy
- Training
- Continuous Improvement
AcqLinks and References:
- [1] DoD CIO Cybersecurity Strategy Outline and Guidance – Aug 2020
- (Old) DoD CIO Cybersecurity Strategy Outline and Guidance – 10 Nov 15
- [2] DoD Instruction 5000.02 “Operation of the Defense Acquisition System”
- DoD Instruction 5000.90 “Cybersecurity for Acquisition Decision Authorities and Program Managers” – 31 Dec 2020
- Guide: Cybersecurity Test and Evaluation Guidebook – 27 Oct 2015
- Guide: PM Guidebook for Integrating Cybersecurity RMF into System Acquisition Lifecycle – Sep 2015
Updated: 7/4/2021
Rank: G16.5