Changelog for the DoD Cybersecurity Policy Chart
The goal of the DoD Cybersecurity Policy Chart is to capture the tremendous breadth of applicable policies, some of which many cybersecurity professionals may not even be aware of, in a helpful organizational scheme.
This page highlights and lists the updates to the DoD Cybersecurity Policy Chart.
28 October 2024
# | Document Names | Change/Justification |
---|---|---|
1 | Cybersecurity Maturity Model Certification (CMMC) Program | Added new CMMC final rule 32 CFR Part 170, published 15 October 2024, which becomes effective on 16 Dec 2024. The link in the chart is to the amendment published at 89 FR 83214 since the CFR Part has not been updated yet. “When this 32 CFR part 170 CMMC Program rule and the complementary 48 CFR part 204 CMMC Acquisition rule are finalized and following a phased implementation plan, solicitations and resulting defense contracts involving the processing, storing, or transmitting of FCI or CUI on a non-Federal system will, unless waived, have a CMMC level and assessment type requirement that a contractor must meet to be eligible for a contract award.” |
2 | NSTISSD-600 Communications Security Monitoring | Updated link for CNSS site (CAC required). |
16 September 2024
# | Document Names | Change/Justification |
---|---|---|
1 | DoDI 8520.04 “Access Management for DoD Information Systems” | New issuance by DoD CIO, published 3 September 2024. |
2 | CNSSI 1253F, Atch 4.2 (Intelligence Overlay) | Overlay, which was approved in November 2023, was recently posted to the CNSS site (CAC required). |
27 June 2024
# | Document Names | Change/Justification |
---|---|---|
1 | Fulcrum: The DoD IT Advancement Strategy | This strategy, released publicly on 25 June, supersedes the 2019 Digital Modernization Strategy. |
2 | NIST SP 800-171 Revision 3, Protecting CUI in Non-Federal Systems and Organizations | This document supersedes NIST SP 800-171 Rev. 2 (01/28/2021). |
3 | DIB CS Program Security Classification Guide | Per the supersession paragraph in this document, it replaces DoDM O-5205.13 cancelled in May 2023. |
4 | NSA CS Advisories and Guidances | This replaces Security Configuration Guides as a reference for NSA issuance of cybersecurity guidance separate from STIGs and SRGs. |
5 | Miscellaneous Changes | Updated the link to the NIST SP 800-172. Updated the link to DoDI 8530.01. Updated the link to ICD 503. |
1 May 2024
# | Document Names | Change/Justification |
---|---|---|
1 | CNSSI 4005, Safeguarding Communications Security (COMSEC) Facilities and Materials | This document supersedes the prior version from August 2011. Requires CAC for access. |
2 | NIST SP 800-218A, Secure Software Development Framework (SSDF) for Generative Artificial Intelligence and Dual Use Foundation Models | This new publication addresses how to apply the SSDF, set out in NIST SP 800-218, to GenAI and dual use foundation models. |
3 | Miscellaneous Changes | Updated the link to the DIB Cybersecurity Strategy. |
29 March 2024
# | Document Names | Change/Justification |
---|---|---|
1 | The NIST Cybersecurity Framework (CSF) 2.0 (Feb 26, 2024) | The NIST Cybersecurity Framework (CSF) 2.0 provides updated guidance to industry, government agencies, and other organizations to manage cybersecurity risks. When compared to CSF 1.1, CSF 2.0 adds the “Govern” function to the existing five functional areas, expands coverage beyond critical infrastructure to all areas, includes supply chain security, and enhances customizability for tailored implementation strategies. |
2 | Defense Industrial Base (DIB) Cybersecurity Strategy 2024 (March 21, 2024) | This strategy is designed to strengthen DoD governance structure for DIB Cybersecurity, enhance the Cybersecurity posture of DIB contractors, preserve the resiliency of critical DIB capabilities in a cyber-contested environment, and improve collaboration with numerous components, program managers (PMs), and DIB. |
3 | Executive Order (EO) 14117: Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (Feb 28, 2024) | The Executive Order (EO) calls for the Department of Justice (DOJ) to promulgate regulations to prevent the large-scale transfer of sensitive personal data and US Government-related data to “countries of concern,” as defined in the EO. This EO recognizes that disclosure of sensitive personal data may rise to a national security issue in some cases. |
4 | Directive-type Memorandum (DTM) 24-001 – “DoD Cybersecurity Activities Performed for Cloud Service Offerings” (Feb 27, 2024) | Focusing on Cloud Service Offerings (CSOs), this DTM establishes policy, assigns responsibilities, and provides procedures for cybersecurity and defensive cyberspace operations (DCO) activities that are performed by a cybersecurity service provider (CSSP), DoD entity, or commercial entity on behalf of the mission owner or authorizing official. |
5 | Miscellaneous Changes | Set new indicator for updated hyperlinks (dotted lines) to avoid confusion with updated/new policies. *Revised language in “About this Chart” section to be clearer and more concise. |
28 February 2024
# | Document Names | Change/Justification |
---|---|---|
1 | DoD Instruction 5200.44: Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (Feb 16, 2024) | This instruction supersedes the existing version of DoD Instruction 5200.44, “Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN),” published November 5, 2012. The updated instruction implements the DoD’s trusted systems and networks (TSN) strategy through program protection and cybersecurity implementation to provide uncompromised weapon and information systems, with a focus on supply chain risk management measures. |
2 | STIGs, SRGs, and TCGs | Added Tenant Configuration Guides (TCGs), which address Microsoft 365 tenant configuration requirements. |
3 | General Document Review | Reviewed policy chart for broken and out-of-date links; documents with updated links are highlighted with red boxes. |
09 January 2024
# | Document Names | Change/Justification |
---|---|---|
1 | 2023 Department of Defense Data, Analytics, and Artificial Intelligence Adoption Strategy | This DoD Strategy, released in November 2023, supersedes and replaces the 2020 DoD Data Strategy and the 2019 DoD AI Strategy in the Policy Chart. |
2 | 2023 National Intelligence Strategy | This Strategy replaces the 2019 National Intelligence Strategy in the Policy Chart. |
3 | 2022 National Military Strategy | This Strategy, posted in May 2023, replaces the existing 2018 National Military Strategy in the Policy Chart. |
4 | NIST SP 800-221 Enterprise Impact of Information and Communications Technology Risk: Governing and Managing ICT Risk Programs Within an Enterprise Risk Portfolio | Posting this NIST Special Publication, published in November 2023, to the Policy Chart. This document is intended to help individual organizations within an enterprise improve their ICT risk management (ICTRM). This can enable enterprises and their component organizations to better identify, assess, and manage their ICT risks in the context of their broader mission and business objectives. |
5* | (Removal of) DoD 8570.01M Information Assurance Workforce Improvement Program | Removed DoD 8570.01M from the Policy Chart as it was superseded by DoDM 8140.03 Cyberspace Workforce Qualification and Management Program, effective February 15, 2023. |
6** | Color Key box | Fixed several links in Color Key box, including fixing the CYBERCOM link to point to the correct site. |
21 November 2023
# | Document Names | Change/Justification |
---|---|---|
1 | 2023 DoD Strategy for Operations in the Information Environment | The purpose of the 2023 Department of Defense (DoD) Strategy for Operations in the Information Environment (SOIE), which has been posted to the Lead and Govern subsection, is to improve the Department’s ability to plan, resource, and apply informational power to enable integrated deterrence, campaigning, and building enduring advantages as described in the 2022 National Defense Strategy (NDS). |
2 | NIST SP 800-53A Rev. 5 Assessing Security and Privacy Controls in Information Systems and Organizations | This Special Publication was updated on November 7, 2023. NIST issued a patch release of SP 800-53A (Release 5.1.1) that includes: • Minor grammatical edits and clarification • One new control and three supporting control enhancement assessment procedures to correspond with the new SP 800-53 control, IA-13. |
3* | UFC 4-010-06 Cybersecurity Of Facility-Related Control Systems (FRCS) | This UFC’s link has been updated in the Policy Chart and describes requirements for incorporating cybersecurity in the design of all facility-related control systems which include a network. It also covers the cybersecurity aspects of control system design, and the requirements of this UFC must be coordinated with the control system design and the criteria relevant to the control system. |
23 October 2023
# | Document Names | Change/Justification |
---|---|---|
1 | NIST SP 800-82 Rev. 3 Guide to Operational Technology (OT) Security | This Publication supersedes and replaces NIST SP 800-82 Rev. 2 Guide to Industrial Control Systems (ICS) Security in the Policy Chart. This document provides guidance on how to secure operational technology (OT) while addressing their unique performance, reliability, and safety requirements. |
2 | NIST SP 1800-22 Mobile Device Security: Bring Your Own Device (BYOD) | This Publication, released in September 2023, has been added to the Policy Chart. Bring Your Own Device (BYOD) refers to the practice of performing work-related activities on personally owned devices. This practice guide provides an example solution demonstrating how to enhance security and privacy in Android and Apple phones and tablets used in BYOD deployments. |
3 | DoDD 5101.23E Executive Agent for Advanced Cyber Training Curricula | Posting this Directive, effective October 18, 2023, to the Policy Chart. This Issuance designates effective and relevant Advanced Cyber Training (ACT) to be developed and delivered to the Military Services supporting the Cyber Mission Force (CMF). |
4 | DTM 17-007 Interim Policy and Guidance for Defense Support to Cyber Incident Response | Updating this Memorandum in the Policy Chart to incorporate Change 7, which extends the expiration date for the DTM to December 19, 2023. |
22 September 2023
# | Document Names | Change/Justification |
---|---|---|
1 | 2023 DoD Cyber Strategy Summary | The 2023 DoD Cyber Strategy Summary, published in September 2023, replaces its Fact Sheet in the Lead and Govern subsection of the Policy Chart and provides additional unclassified details on the strategy. The full classified strategy establishes how the Department will operate in and through cyberspace to protect the American people and advance the defense priorities of the United States. |
17 August 2023
# | Document Names | Change/Justification |
---|---|---|
1 | CISA Cybersecurity Strategic Plan | The CISA Cybersecurity Strategic Plan for FY 2024-2026 has been posted to the Lead and Govern subsection of the Policy Chart. This strategy outlines a new vision for cybersecurity involving how to address immediate threats, harden the cyber terrain, and drive security at scale. |
2 | National Cyber Workforce and Education Strategy | This strategy, posted to the Lead and Govern subsection of the Policy Chart, details how we will strengthen our cyber workforce, connect people to well-paying, quality jobs, and advance the welfare, prosperity, and security of our society through cyber education. |
3 | NIST SP 800-218 Secure Software Development Framework (SSDF) | NIST SP 800-218 SSDF, published in February of 2022, addresses software security and development practices in detail to ensure that the software being developed is well-secured. This document recommends the SSDF – a core set of high-level secure software development practices that can be integrated into each SDLC implementation. |
4 | DoD Cyber Workforce Strategy | This strategy establishes a unified direction for DoD cyber workforce management and, as the cyber domain continues to expand, the inclusion of emerging technology workforces. This strategy also provides a roadmap for how the cyber workforce will grow and adapt to guarantee our Nation's security. |
5 | DoDI 5000.82 Requirements for the Acquisition of Digital Capabilities | This DoD Instruction assigns program responsibilities concerning the acquisition of digital capabilities as defined in this issuance for the acquisition pathways of the adaptive acquisition framework described in DoD Instruction (DoDI) 5000.02. |
6 | DoDI 8530.03 Cyber Incident Response | This DoD issuance establishes policy, assigns responsibilities, and provides procedures for DoD cyber incident response (CIR). |
7 | 2018 DoD Cloud Strategy (Removed) | Removed from the Policy Chart, as it was replaced by the DoD Software Modernization Strategy. |
8 | DoD Information Sharing Strategy (Temp. Removed) | Removed from the DoD CIO Library Page, so this strategy has temporarily been removed pending further investigation. |
9 | DoD Information Security Continuous Monitoring (ISCM) Strategy (Note) | No change to strategy - RMFKS site is down for the time being but should be back online soon. |
14 July 2023
# | Document Names | Change/Justification |
---|---|---|
1 | National Cybersecurity Strategy Implementation Plan | Added to the Lead and Govern subsection of the policy chart and published in July 2023, the National Cybersecurity Strategy Implementation Plan lays out a vision for cyberspace and outlines a path for achieving the need for more capable actors in cyberspace and the need to increase incentives to make investments in long term resilience. |
2 | Department of Defense Outside the Continental United States (OCONUS) Cloud Strategy | Added to the Lead and Govern subsection of the policy chart and cleared for open publication on May 26, 2021, the Department of Defense (DoD) Outside the Continental United States (OCONUS) Cloud Strategy establishes the vision and goals for enabling a dominant all-domain advantage through cloud innovation at the tactical edge. |
3 | NIST SP 800-124 Rev. 2 Guidelines for Managing the Security of Mobile Devices in the Enterprise | Updating policy chart to include the change in this publication from Rev. 1 to Rev. 2, published in May 2023. |
4 | DoDI 8510.01 Risk Management Framework for DoD IT | Updated policy chart by removing DTM 20-004 “Enabling Cyberspace Accountability of DoD Components and Information Systems,” which was cancelled and incorporated into DoDI 8510.01. |
5 | Directive-Type Memorandum (DTM) 17-007 - Interim Policy and Guidance for Defense Support to Cyber Incident Response | Updated policy chart to include Change 6 of DTM 17-007, effective June 21, 2023. This memorandum provides supplementary policy guidance, assigns responsibilities, and details procedures for providing Defense Support to Cyber Incident Response (DSCIR). |
6 | CJCSI 5123.01I Charter of the JROC and Implementation of the JCIDS | Updating policy chart to include CJCSI 5123.01I from October 2021, which supersedes and cancels CJCSI 5123.01H. |
12 June 2023
# | Document Names | Change/Justification |
---|---|---|
1 | 2023 Department of Defense Cyber Strategy | Added to the Lead and Govern subsection of the policy chart, replacing the 2018 DoD Cyber Strategy. The 2023 DoD Cyber Strategy establishes how the Department will operate in and through cyberspace to protect the American people and advance the defense priorities of the United States. Since the titled document is classified, we have hyperlinked the 2023 DoD Cyber Strategy Fact Sheet for reference instead. |
2 | DoD Instruction 8520.02 Public Key Infrastructure and Public Key Enabling | DoDI 8520.02, effective May 18, 2023, reissues and cancels policy from May 2011 under the same name. This Instruction establishes policy, assigns responsibilities, and prescribes procedures for DoD public key infrastructure (PKI) and public key enabling (PKE). |
3 | DoD Instruction 8520.03 Identity Authentication for Information Systems | DoDI 8520.03, effective May 19, 2023, reissues and cancels policy from May 2011 under the same name. This Instruction establishes policy, assigns responsibilities, and provides procedures for authenticating person and non-person entities (NPEs) to DoD information systems, including credential management. |
4 | DoD Instruction 8551.01 Ports, Protocols, and Services Management | DoDI 8551.01, effective May 31, 2023, reissues and cancels policy from May 2014 under the same name. This Instruction establishes policy and standardizes procedures for cataloging, governing, and managing the use and management of protocols in the internet protocol suite, related protocols, and data services referred to as Department of Defense information network (DODIN) ports, protocols, and services (PPS). |
5 | DoD Manual 8530.01 Cybersecurity Activities Support Procedures | DoDM 8530.01, effective May 31, 2023, cancels DoD O-8530.1-M “Department of Defense Computer Network Defense (CND) Service Provider Certification and Accreditation Program,” from December 2003. This issuance assigns responsibilities and provides procedures for designated DoD Component-level organizations. |
16 May 2023
# | Document Names | Change/Justification |
---|---|---|
1 | DoD Cybersecurity Reference Architecture (Version 5.0) | Adding DoD CS Reference Architecture, cleared for open publication on February 7th, 2023, to the Lead and Govern subsection of the Policy Chart. This document’s purpose is to establish characteristics for cybersecurity architecture in the form of principles, fundamental components, capabilities, and design patterns to address threats in and outside network boundaries. |
2 | DoDI 8310.01 Information Technology Standards in the DoD | Highlighting update to this DoD Instruction effective April 7th, 2023. This issuance establishes policy, assigns responsibilities, and authorizes a process for identifying, developing, adopting, establishing, prescribing, and publishing technical standards for DoD information technology. |
13 March 2023
# | Document Names | Change/Justification |
---|---|---|
1 | 2023 National Cybersecurity Strategy | Added the National Cybersecurity Strategy, published on March 1st, 2023, to the Lead and Govern subsection on the Policy Chart. This strategy details the comprehensive approach that the Biden Administration is taking to better secure cyberspace and realize the benefits of the nation’s digital future. |
2 | DoD Cyber Workforce Strategy | Added the Department of Defense Cyber Workforce Strategy, published on March 1st, 2023, to the Lead and Govern subsection on the Policy Chart. This strategy “establishes a unified direction for DoD cyber workforce management and, as the cyber domain continues to expand, the inclusion of emerging technology workforces.” |
7 February 2023
# | Document Name | Change/Justification |
---|---|---|
1 | DoD Information Security Continuous Monitoring (ISCM) Strategy | Added the DoD ISCM Strategy, signed in January 2023, to the Lead and Govern subsection in the Policy Chart. This strategy details how the DoD ISCM Program will modernize the existing Continuous Monitoring frameworks to increase cyber agility and enable continuous cybersecurity readiness using a data-driven approach. |
20 December 2022
# | Document Name | Change/Justification |
---|---|---|
1 | DoD Security Classification Guides | Removed the box for NSA IA Guidance due to long-term site errors and replaced it with a link to DoD’s Security Classification Guides. This site serves as a reference for the classification of data, which plays a key role in cybersecurity. |
13 December 2022
# | Document Name | Change/Justification |
---|---|---|
1 | Department of Defense Zero Trust Strategy (2022) | The 2022 DoD Zero Trust Strategy was cleared for open publication on November 22nd and updated in the Lead and Govern section of the Policy Chart. This strategy document provides guidance for advancing Zero Trust concept development; gap analysis, requirements development, implementation, execution decision-making, and ultimately procurement and deployment of required ZT capabilities. |
2 | NIST SP 800-160 Vol. 1 Rev. 1 “Engineering Trustworthy Secure Systems” | Supersedes NIST SP 800-160 Vol. 1 “Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems” and updated in the Policy Chart under Develop and Maintain Trust section. |
21 November 2022
# | Document Name | Change/Justification |
---|---|---|
1 | 2022 National Security Strategy | The 2022 National Security Strategy was officially published in Oct 2022, and replaces the previous interim strategy located in the Cybersecurity Policy Chart. |
2 | 2022 National Defense Strategy | The public version of the 2022 National Defense Strategy (NDS) was released in Oct 2022, and replaces the NDS placeholder in the Policy Chart. This strategy document includes the 2022 Nuclear Posture Review and the 2022 Missile Defense Review. |
13 October 2022
# | Document Name | Change/Justification |
---|---|---|
1 | CNSSI 1253E, Attachment 5 Classified System Overlay | This attachment overlay, released on September 30, 2022 and highlighted under the “CNSSI-1253F, Atchs 1-5” box on the chart, lists additional privacy and control baselines to CNSSI 1253. It identifies security control specifications needed to safeguard classified information stored, processed, or transmitted by national security systems (NSS). This overlay is baseline independent and can be used with any NSS baseline (security and privacy) to safeguard classified information. |
2 | DoDI 8330.01 Interoperability of Information Technology, Including National Security Systems | DoDI 8330.01, effective as of September 27, 2022, provides direction for certifying the interoperability of IT and NSS systems. The Purpose of this Instruction includes establishing the Interoperability Steering Group (ISG), and establishing the governing policy and responsibilities for interoperability requirements development, test, certification, and prerequisites for connection of IT, including NSS. |
3 | CJCSI 6510.02F Cryptographic Modernization Planning | This Instruction, updated in August of 2022, has been adjusted in the Policy Chart. This Instruction provides policy and guidance for planning, programming and implementing the modernization of Type 1 cryptographic products certified by the NSA and held by the DoD. |
01 September 2022
# | Document Name | Change/Justification |
---|---|---|
1 | CNSSI 1253 Categorization and Control for National Security Systems | CNSSI 1253, updated by CNSS on July 29, 2022, to build on and serve as a companion document to NIST SP 800-53, Rev. 5 and NIST SP 800-37, Rev. 2. |
2 | DoD Directive 5000.01 The Defense Acquisition System | DoDD 5000.01 The Defense Acquisition System, with an objective of supporting National Defense Strategy, was updated in the Policy Chart as Change 1 became effective July 28, 2022. |
26 July 2022
# | Document Name | Change/Justification |
---|---|---|
1* | NIST SP 800-53 Rev. 5 Security and Privacy Controls for Information Systems and Organizations | No update to Policy, but the chart has been edited to reflect the proper document title. The box title has been changed from “Security and Privacy Controls for Federal Information Systems” to “Security and Privacy Controls for Information Systems and Organizations.” |
2* | NIST SP 800-53A Rev. 5 Assessing Security and Privacy Controls in Information Systems and Organizations | No update to Policy, but the chart has been edited to reflect the proper document title. The box title has been changed from “Assessing Security and Privacy Controls in Federal Information Systems” to “Assessing Security and Privacy Controls in Information Systems and Organizations.” |
3 | CNSSI 4009 Committee on National Security Systems (CNSS) Glossary | CNSSI 4009 was updated in March of 2022 to include new terms and to adjust definitions of current terms in the Glossary. |
4 | DoD Instruction 8510.01 Risk Management Framework for DoD Systems | DoDI 8510.01, updated as of 19 July 2022, establishes the cybersecurity Risk Management Framework (RMF) for DoD Systems and establishes policy, assigns responsibilities, and prescribes procedures for executing and maintaining the RMF. |
21 June 2022
# | Document Name | Change/Justification |
---|---|---|
1 | CNSSP-32 Cloud Security for National Security Systems | This Policy Document, released on 22 May 2022, establishes the minimum security requirements for National Security Systems (NSS) migrating to or operating in a cloud environment. This Policy derives its authority from National Security Directive 42, which outlines the roles and responsibilities for securing NSS. |
2 | DoD Instruction 5000.02 Operation of the Adaptive Acquisition Framework (AAF) | DoDI 5000.02, with Change 1 effective on 8 June 2022, restructures defense acquisition guidance to improve process effectiveness and implement the AAF. Change 1 cancels DoDI 5000.02T in accordance with the 2020 coordination of this issuance and subsequent approval of the transition plan and updates the transition plan to document its completion and final location of information. |
1 April 2022
# | Document Name | Change/Justification |
---|---|---|
1 | 2022 National Defense Strategy | An unclassified version of the 2022 NDS has not yet been released, but the link will be posted once it is released. For now, the link for the 2022 National Defense Strategy will direct users to the Fact Sheet. |
2 | NIST SP 800-172A - Assessing Enhanced Security Requirements for Controlled Unclassified Information | This publication, released in March 2022, provides federal agencies and nonfederal organizations with assessment procedures that can be used to carry out assessments of the requirements in NIST Special Publication 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171. |
3 | CNSSP 1 – National Policy for Safeguarding and Control of COMSEC Materials | This policy, released in March 2022, is an update of an existing Policy Chart item and establishes the policy on Safeguarding and Control of COMSEC Material for National Security Systems (NSS). |
4 | CNSSD 600 – Directive on Communications Security (COMSEC) Monitoring *CAC required | This directive, released in March 2022, provides policy and basic procedures for the establishment of COMSEC monitoring programs consistent with law, Executive Orders, and applicable Presidential Directives. |
22 February 2022
# | Document Name | Change/Justification |
---|---|---|
1 | DoD Software Modernization Strategy | This DoD Strategy document, cleared for open publication on 2 Feb 2022, provides a goal of delivering better software faster. Projected outcomes include shifting secure software delivery left through modern infrastructure and platforms and enabling this shift through true process transformation and people development. |
2 | FIPS 201-3 Personal Identity Verification (PIV) of Federal Employees and Contractors | This Publication, released in January 2022, supersedes FIPS 201-2 and establishes a standard for a Personal Identity Verification (PIV) system that meets the control and security objectives of Homeland Security Presidential Directive-12. |
3* | NIST SP 800-53A R5 Assessing Security & Privacy Controls in Federal Information Systems & Organizations | This Publication, released in January 2022, supersedes NIST SP 800-53A R4, and provides a methodology and set of procedures for conducting assessments of security and privacy controls employed within systems and organizations within an effective risk management framework. |
4** | DoDD 5200.47E Anti-Tamper (AT) | This Directive is replacing DoDD 5000.01 in the Policy Chart as it references Cybersecurity more specifically than the broad scope of DoDD 5000.01. It addresses the identification and protection of Critical Program Information (CPI) in accordance with DoDI 5200.39 Critical Program Information (CPI) Identification and Protection Within Research, Development, Test, and Evaluation (RDT&E). |
5** | DoDI 5000.02 Operation of the Adaptive Acquisition Framework | This Instruction replaces DoDI 5000.02T in the Policy Chart in order to maintain the chart’s Cybersecurity relevance. DoDI 5000.02 restructures defense acquisition guidance to improve process effectiveness and implement the Adaptive Acquisition Framework (AAF). When the AAF realignment is complete, an administrative change to this issuance will cancel DoDI 5000.02T. |
6 | CNSSP-200 National Policy on Controlled Access Protection | This Policy, released in January 2022, defines a minimum level of protection for automated information systems operated by executive branch agencies and departments of the Federal Government and their contractors. |
11 January 2022
# | Document Name | Change/Justification |
---|---|---|
1 | EO 14028 on Improving the Nation’s Cybersecurity | Added the number of the Executive Order to assist in locating the document on the policy chart. The link remains in the National/Federal subcategory. |
2 | NIST SP-800-213 IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements | This Publication, released in November 2021, contains background and recommendations to help organizations consider how an IoT device they plan to acquire can integrate into a system. |
3 | CNSSI 1300 Secret NSS PKI X.509 Certificate Policy | This Instruction, updated in December 2021, establishes the requirements for Federal Departments and Agencies to implement the National Security Systems Public Key Infrastructure to manage and support their Secret NSS networked systems. |
4 | DoDI 8140.02 Identification, Tracking, And Reporting of Cyberspace Workforce Requirements | This Instruction, published in December 2021, establishes policy, assigns responsibilities, and provides guidance for the identification, tracking, data collection, and reporting requirements of DoD Cyberspace Workforce Framework (DCWF) work roles. |
29 November 2021
# | Document Name | Change/Justification |
---|---|---|
1 | CNSSD-505 Supply Chain Risk Management | This directive released on 11/17/2021 updates formats and references regarding supply chain risk management (SCRM) capabilities for National Security Systems (NSS). This Directive provides a “whole of government approach” resulting in enhanced inter-agency collaboration and the sharing of lessons learned to address SCRM. |
2 | CNSSD-520 The Use of Mobile Devices to Process National Security Information Outside of Secure Spaces | This directive released 11/09/2021 provides specific instructions for the control and use of mobile devices that are intended to store, process, and transmit NSI outside of secure spaces, both domestically and limited overseas, to ensure that mobile devices are protected commensurate to the threat environment and level of information stored, processed, transmitted, or communicated. |
3 | CNSSI 1011 Implementing Host-Based Security Capabilities on National Security Systems | This Instruction released on 09/09/2021 provides operational guidance and assigns responsibilities for deploying host-based security capabilities for National Security Systems. |
4 | CNSSI 1013 Network Intrusion Detection Systems and Intrusion Prevention Systems (IDS/IPS) on National Security Systems | This Instruction released on 09/09/2021 provides operational guidance and assigns responsibilities for deploying network intrusion detection systems and network intrusion prevention systems (IDS/IPS) capabilities for National Security Systems (NSS). |
19 October 2021
# | Document Name | Change/Justification |
---|---|---|
1 | CNSSD-504 Directive on Protecting National Security Systems from Insider Threat | Updated policy document from September 2021 added to the Develop the Workforce subcategory. Update only corrects for format and references. This document establishes that cybersecurity procedures should be implemented to protect against insider threats. |
2 | CNSSP-22 Cybersecurity Risk Management | Policy updated September 2021. This policy document provides guidance for organizations that own, operate, or maintain national security systems (NSS) to establish an integrated, organization-wide Cybersecurity Risk Management Program among other cyber risk mitigation activities. |
3 | CNSSI-5000 Voice Over Internet Protocol (VoIP) Telephony | Policy updated September 2021. This policy document contains requirements for providing on-hook and off-hook audio security for VoIP (video/voice) systems located in areas where NSS are located. |
8 September 2021
# | Document Name | Change/Justification |
---|---|---|
1 | CNSSP-10 National Policy Governing Use of Approved Security Containers in Information Security Applications | New policy document from April 28, 2021 added to the Manage Access subcategory. Document establishes the Policy on the use of approved security containers in Information System Security applications. |
2 | CNSSP-11 National Policy Governing the Acquisition of Information Technology Products | Policy updated July 9, 2021. This policy governs the acquisition policies regarding national security systems. |
3 | CNSSP-14 National Policy Governing the Release of IA Products/Services | Policy updated May 19, 2021. This policy governs the release of Information Assurance (IA) products and services to U.S. persons or activities that are not part of the federal government. |
4 | CNSSP-16 National Policy for the Destruction of COMSEC Paper Material | Policy updated May 5, 2021. This policy requires departments and agencies to use crosscut shredders that meet the new NSA specification for the destruction of paper-based COMSEC material. It also defines parameters for the use of crosscut shredders currently in inventory until such time as new shredders are obtained. |
5 | CNSSP-18 National Policy on Classified Information Spillage | Policy updated May 19, 2021. This policy applies to the spillage of classified national security information on any IS, be it government or nongovernment systems. It provides a framework for the consistent handling of the spillage of classified national security information. |
6 | CNSSI-1001 National Instruction on Classified Information Spillage | Policy updated June 15, 2021. This instruction establishes the minimum actions required when responding to an information spillage of classified national security information. |
24 June 2021
# | Document Name | Change/Justification |
---|---|---|
1 | White House – President Biden: Executive Order on Improving the Nation’s Cybersecurity | New document from 05/12/21 added to the National/Federal subcategory concerning improving cybersecurity capabilities of the nation. Specifically, the administration commits to prioritizing the prevention, detection, assessment, and remediation of cyber incidents. |
2 | * DoDD 5101.21E DoD Executive Agent for Unified Platform and Joint Cyber Command and Control (JCC2) | New document from 06/04/20 added to the Strengthen Cyber Readiness subcategory regarding closing critical cyberspace capability gaps, and ensuring the delivery of resilient, agile, secure, and effective cyberspace capability solutions to the warfighter. |
26 May 2021
# | Document Name | Change/Justification |
---|---|---|
1 | NIST SP 1800-25 Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events | New document added to the Strengthen Cyber Readiness subcategory. Published December 2020. Document explores methods to effectively identify assets (devices, data, and applications) that may become targets of data integrity attacks, as well as the vulnerabilities in the organization’s system that facilitate these attacks. |
2 | CNSSI-4007 Communications Security (COMSEC) Utility Program * | Relocated document link from Manage Access to Sustain Missions subcategory |
3 | DoDD 5144.02 DoD Chief Information Officer | Relocated document from Develop and Maintain Trust to Sustain Missions subcategory |
27 April 2021
# | Document Name | Change/Justification |
---|---|---|
1 | CNSSI-4007 Communications Security (COMSEC) Utility Program | Relocated document link from Partner for Strength to the Manage Access subcategory |
2 | DOD Instruction 5000.90, Cybersecurity for acquisition decision authorities and program managers* | Change 10 was issued to update the instruction. Originating Component: Office of the Under Secretary of Defense for Acquisition and Sustainment. Added to the Prevent and Delay Attackers and Prevent Attackers from Staying subcategory. Effective: December 31, 2020 |
3 | Added Directive-type Memorandum 20-004 Enabling Cyberspace Accountability of DoD Components and Information Systems | Added this new document link to the Design for the Fight subcategory. November 13, 2020. DTM 20-004, “Enabling Cyberspace Accountability of DoD Components and Information Systems” |
4 | MOA Between DoD and DHS (Jan. 19, 2017) | Relocated document link from Design for the Fight to the Partner for Strength subcategory |
19 March 2021
# | Document Name | Change/Justification |
---|---|---|
1 | Interim National Security Strategic Guidance* | The new Administration has issued interim guidance to which all Departments and Agencies should align their actions as the White House team begins work on a new National Security Strategy. Published: Mar 21 |
2 | National Cyber Strategy | Document link fixed. https://dodcio.defense.gov/Portals/0/Documents/Cyber/ICAM_Strategy.pdf |
3 | DoD Information Sharing Strategy | Document link fixed. https://dodcio.defense.gov/Portals/0/Documents/InfoSharingStrategy.pdf |
4 | DoD Identity, Credential, and Access Management (ICAM) Strategy | Document link added. https://dodcio.defense.gov/Portals/0/Documents/Cyber/ICAM_Strategy.pdf |
5 | NIST SP 800-172: Enhanced Security Requirements for Protecting Controlled Unclassified Information** | New Documentation. https://doi.org/10.6028/NIST.SP.800-172 Published: Feb 21 |
6 | DoDI 5000.02T Operation of the Defense Acquisition System | Change 10 published on 31 December 2020. Document link updated. https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/500002Tp.pdf?ver=2020-09-15-152849-783 |
7 | DoDI 8510.01 Change 3, “Risk Management Framework (RMF) for DoD Information Technology (IT)” | Document link updated. Change 3 Published: 29 Dec 20 |
8 | DoDI 8523.01, “Communications Security” | Document link updated. Reissued: 6 Jan 21 |
9 | DoDI 8581.01 IA Policy for Space Systems Used by the DoD | Document removed. Canceled: Aug 2020 |
16 March 2021
# | Document Name | Change/Justification |
---|---|---|
1 | Interim National Security Strategic Guidance* | The new Administration has issued interim guidance to which all Departments and Agencies should align their actions as the White House team begins work on a new National Security Strategy. Published: Mar 21 |
2 | National Cyber Strategy | Document link fixed. https://dodcio.defense.gov/Portals/0/Documents/Cyber/ICAM_Strategy.pdf |
3 | DoD Information Sharing Strategy | Document link fixed. https://dodcio.defense.gov/Portals/0/Documents/InfoSharingStrategy.pdf |
4 | DoD Identity, Credential, and Access Management (ICAM) Strategy | Document link added. https://dodcio.defense.gov/Portals/0/Documents/Cyber/ICAM_Strategy.pdf |
5 | NIST SP 800-172: Enhanced Security Requirements for Protecting Controlled Unclassified Information** | New Documentation. https://doi.org/10.6028/NIST.SP.800-172 Published: Feb 21 |
6 | DoDI 5000.02T Operation of the Defense Acquisition System | Change 10 published on 31 December 2020. Document link updated. https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/500002Tp.pdf?ver=2020-09-15-152849-783 |
7 | DoDI 8510.01 Change 3, “Risk Management Framework (RMF) for DoD Information Technology (IT)” | Document link updated. Change 3 Published: 29 Dec 20 |
8 | DoDI 8523.01, “Communications Security” | Document link updated. Reissued: 6 Jan 21 |
30 November 2020
# | Document Name | Change/Justification |
---|---|---|
1 | NIST SP 800-207, Zero Trust Architecture | New document added. This document contains an abstract definition of zero trust architecture (ZTA) and gives general deployment models and use cases where zero trust could improve an enterprise’s overall information technology security posture. Published: August 2020 |
2 | NIST SP 800-209, Security Guidelines for Storage Infrastructure | New document added. Comprehensive security recommendations for storage infrastructures. The security focus areas covered in this document not only span those that are common to the entire IT infrastructure—such as physical security, authentication and authorization, change management, configuration control, and incident response and recovery—but also those that are specific to storage infrastructure, such as data protection, isolation, restoration assurance, and data encryption. Published: 26 October 2020 |
3 | NIST SP 1800-16, Securing Web Transactions: TLS Server Certificate Management | New document added. NIST SP 1800-16 describes the TLS certificate management challenges faced by organizations; provides recommended best practices for large-scale TLS server certificate management; describes an automated proof-of-concept implementation that demonstrates how to prevent, detect, and recover from certificate-related incidents; and provides a mapping of the demonstrated capabilities to the recommended best practices and to NIST security guidelines and frameworks. Published: 06 June 2020 |
4 | NIST SP 800-210, General Access Control Guidance for Cloud Systems | New document added. This document presents cloud access control characteristics and a set of general access control guidance for cloud service models: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service). Published: July 2020 |
5 | DoDD O-5100.19, Critical Information Communications (CRITICOM) System (CAC-required) | New document added. Assigns responsibility and prescribes procedures for the establishment of software acquisition pathways IAW Section 800 of Public Law 116-92. Published: 02 October 2020 |
6 | DoDI 5000.87, Operation of the Software Acquisition Pathway | USD(I) was changed to USD(I&S) to reflect office name change. |
7 | DoDI 5205.83, DoD Insider Threat and Management and Analysis Center (DITMAC) | New document added. Enterprise-level capability for managing and analyzing insider threats. Change 1: 29 October 2020 |
8 | DoDM 3305.09, Cryptologic Accreditation and Certification | New document added. Provides accreditation guidance and procedures for DoD education and training institutions that support the cryptologic community. Change 2: 01 October 2020 |
9 | DoDM 5205.02E, DoD Operations Security (OPSEC) Program Manual | New document added. Provides baseline requirements to ensure national security-related missions and functions are protected (to include information systems). Change 2: 29 October 2020 |
10 | Cybersecurity Maturity Model Certification (CMMC), v. 1.02 | New document added. Certification developed to enhance the protection of FCI and CUI within the DIB. Version dated 18 March 2020. |
13 October, 2020
# | Document Name | Change/Justification |
---|---|---|
1 | 14 U.S.C. Ch. 7 | Replaced with new hyperlink to authoritative source |
2 | DoDI 8531.01 | The link to DoDI 8531.01 mistakenly linked to DoDI 8530.01 and has been fixed. |
09 October, 2020
# | Document Name | Change/Justification |
---|---|---|
1 | Title 14, U.S. Code, Cooperation with Other Agencies | Replaced with new hyperlink |
2 | NIST Special Publication 800-53, Rev. 5, Security and Privacy Controls for Information Systems and Organizations | Long awaited and very important update, published September 2020, supersedes Rev. 4 |
3 | CNSSD 507: National Directive for Identity, Credential, and Access Mgmt. Capabilities on the U.S. Federal Secret Fabric | Provides a minimum set of requirements for Identity, Credential, and Access Management (ICAM) implementation and management that applies to the Federal Secret Fabric. Updated July 7, 2020. |
4 | DoD Directive 8140.01, Cyberspace Workforce Management | Published October 5, 2020, superseding the earlier version dated August 11, 2015 |
5 | DoD Instruction 8531.01, DoD Vulnerability Management | Released on September 15, 2020 |
6 | DoD Data Strategy | The DoD Data Strategy supports the National Defense Strategy and Digital Modernization, published October 9, 2020 |
7 | DTM 17-007, Ch. 3, Defense Support to Cyber Incident Response | Change 3 issued May 29, 2020 |
30 July 2020
# | Document Name | Change/Justification |
---|---|---|
1 | DoDI 8320.02: Sharing Data, Information, and Technology (IT) Services in the Department of Defense | Incorporating Change 1, Effective June 24, 2020 SUMMARY OF CHANGE 1. The change to this issuance updates references and organizational titles and removes expiration language in accordance with current Chief Management Officer of the Department of Defense direction. |
2 | DoD Identity, Credential, and Access Management (ICAM) Strategy | ICAM Strategy signed on 17 July 2020 |
3 | MOA Between DoD and DHS | Removed “requires CAC” language; CAC no longer required to view MOA. |
4 | RMF Knowledge Service | Italicized to reflect no publicly accessible version available. Available with CAC only. |
5 | About This Chart | Added note to open PDF document directly in a web browser |
6 | USD(I&S)* | USD(I) was changed to USD(I&S) to reflect office name change. |
22 June 2020
# | Document Name | Change/Justification |
---|---|---|
1 | HSPD-12* | Updated Link |
2 | NIST SP 800-37, R1* | Replaced by NIST SP 800-37, R2 |
3 | NIST SP 800-163* | Replaced by NIST SP 800-163, R1 |
4 | CJCSI 3213.02D, Joint Operations Security* | Should be labeled as CJCSI 3213.01D |
5 | NIST SP 800-34, R1* | Updated Link |
6 | OMB Circular A-130 | Updated Link |
7 | DoD Cybersecurity Risk Reduction Strategy | New Policy / Link to Document not publicly available. |
8 | “About This Chart” | Added instructions for how to follow the link to a policy for those whose organizational policies block them from hyperlinking directly from a .pdf document. |
29 May 2020
# | Document Name | Change/Justification |
---|---|---|
1 | National Strategy to Secure 5G | New policy added |
2 | DoD 5G Strategy | New policy added |
3 | N/A | Moved Executive Orders and Presidential Directives from “Lead and Govern” to “National/Federal” to make room for new strategies. |
1 April 2020
# | Document Name | Change/Justification |
---|---|---|
1 | NIST Framework for Improving Critical Infrastructure Cybersecurity | Updated link |
2 | Common Criteria Evaluation and Validation Scheme (CCEVS) | Updated to reflect change in CCEVS as of February 2020 |
3 | DoDI 5000.02T Operation of the Defense Acquisition System | Updated to reflect change in January 2020 |
4 | DoDI 8510.01, Risk Management Framework for DoD IT | Updated link |
5 | Joint Publication 6-0, Joint Communications System | Updated link |
6 | MOA Between DoD and DHS (Jan 19, 2017, requires CAC) | Updated link |
7 | DoDI 8420.01 Commercial WLAN Devices, Systems, and Technologies | Updated link |
8 | DoD O-8530.1-M (CAC req’d) CND Service Provider Certification and Accreditation Program | Updated link |
9 | DoDD 3020.40, Mission Assurance | Updated link |
10 | DoDD 3100.10, Space Policy | Updated link |
11 | Defense Acquisition Guidebook | Updated link |
12 | Title 14, US Code, Cooperation With Other Agencies (Ch. 7) | Updated link |
13 | NISTIR 7298, Rev. 3, Glossary of Key Information Security Terms | Updated link to point to Rev. 3. |
14 | NIST SP 800-125A, R1, Security Recommendations for Hypervisor Platforms | Updated link |
15 | NIST SP 800-88, R1, Guidelines for Media Sanitization | New policy added |
13 March 2020
# | Document Name | Change/Justification |
---|---|---|
1 | NIST SP 800-171, R2 Protecting CUI in Nonfederal Systems and Organizations | Superseded R1 of NIST SP 800-171 on 21 Feb 2020 |
2 | DoDI 5200.48 Controlled Unclassified Information (CUI) | New issuance, cancels DoD 5200.01 Volume 4. Issued 6 Mar 2020. |
3 | NIST SP 800-63 series Digital Identity Guidelines | NIST SP 800-63-3, 800-63A, 800-63B, and 800-63C were all updated on 2 Mar 2020 |
19 February 2020
# | Document Name | Change/Justification |
---|---|---|
1 | DoDI 8170.01, Online Information Management and Electronic Messaging | Updated hyperlink |
18 February 2020
# | Document Name | Change/Justification |
---|---|---|
1 | DoDD 8140.01, Cyberspace Workforce Management | Updated hyperlink |
2 | DoDI 8170.01, Online Information Management and Electronic Messaging | Supersedes DoD Instruction 8550.01, “DoD Internet Services and Internet-Based Capabilities,” September 11, 2012 (which was removed from the chart) |
3 | Joint Special Access Program (SAP) Implementation Guide (JSIG) | Updated hyperlink |
29 January 2020
# | Document Name | Change/Justification |
---|---|---|
1 | CNSSI-5002, Telephony Isolation Used for Unified Communications Implementations within Physically Protected Spaces | Supersedes CNSSI No. 5002, National Information Assurance (IA) Instruction for Computerized Telephone Systems (February 2012) on December 18, 2019. |
2 | DTM 17-007, Defense Support to Cyber Incident Response | Updated hyperlink |
17 December 2019
# | Document Name | Change/Justification |
---|---|---|
1 | NIST SP 800-34, R1 Contingency Planning Guide for Federal Information Systems | New addition to chart to address contingency planning.* |
2 | NIST SP 800-82, R2 Guide to Industrial Control Systems (ICS) Security | New addition to chart to address ICS cybersecurity.* |
3 | DoDI 8582.01, Security of Non-DoD Information Systems Processing Unclassified Nonpublic DoD Information | Policy was updated on 9 Dec 2019. |
4 | UFC 4-010-06, Cybersecurity of Facility-Related Control Systems | New addition to chart to address cybersecurity issues for facility-related control systems.* |
5 | Security Technical Implementation Guides (STIGs) | Hyperlink updated to link to DISA’s updated website and new URL.† |
6 | Security Configuration Guides (SCGs) | Hyperlink updated to link to NSA’s updated website and new URL. |
7 | NSA IA Guidance | New addition to the chart includes 123 “security tip” documents for mitigating cyber risk |
27 November 2019
# | Document Name | Change/Justification |
---|---|---|
1 | CNSSD 506, National Directive to Implement PKI on Secret Networks | New addition to the Policy Chart |
2 | CNSSD 520, The Use of Mobile Devices to Process National Security Information Outside of Secure Spaces | New addition to the Policy Chart |
30 October 2019
# | Document Name | Change/Justification |
---|---|---|
1 | DoDI 5205.13 Defense Industrial Base (DIB) Cyber Security (CS) / IA Activities | Change 2 issued on 21 August 2019 |
2 | DoDI 8500.01, Cybersecurity | Change 1 issued on 7 Oct 2019 |
3 | NIST 800-128, Guide for Security-Focused Configuration Management of Information Systems | Updated 10 October 2019 |
4 | NIST 800-160, Vol. 1, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems | Added to the chart to reflect the increasing importance of this topic. |
5 | FIPS Pub 140-3, Security Requirements for Cryptographic Modules | Superseded FIPS Pub 140-2. FIPS 140-3 was published on 22 Mar 2019, but didn’t officially become effective under the implementation schedule until 22 Sep 2019. |
25 October 2019
# | Document Name | Change/Justification |
---|---|---|
1 | DoDI 5205.13 Defense Industrial Base (DIB) Cyber Security (CS) / IA Activities | Change 2 issued on 21 August 2019 |
2 | DoDI 8500.01, Cybersecurity | Change 1 issued on 7 Oct 2019 |
3 | NIST 800-128, Guide for Security-Focused Configuration Management of Information Systems | Updated 10 October 2019 |
4 | NIST 800-160, Vol. 1, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems | Added to the chart to reflect the increasing importance of this topic. |
23 July 2019
# | Document Name | Change/Justification |
---|---|---|
1 | DoD Digital Modernization Strategy | Added this new Strategy released on 12 July 2019 |
2 | DoDM O-5205.13, Defense Industrial Base (DIB) Cybersecurity (CS) Program Security Classification Manual (SCM) | Change 1 issued on 14 Jun 2019. (Note: This document requires a DoD PKI certificate for access.) |
3 | Directive-Type Memorandum (DTM) 17-007 – “Interim Policy and Guidance for Defense Support to Cyber Incident Response” | Change 2 issued on 6 Jun 2019 |
22 May 2019
# | Document Name | Change/Justification |
---|---|---|
1 | EO 13873: Securing the Information and Communications Technology and Services Supply Chain | Added this new Executive Order signed 15 May 2019 |
2 | EO 13800: Strengthening Cybersecurity of Fed Nets and CI | Updated link to the Federal Register’s permalink |
3 | EO 13636: Improving Critical Infrastructure Cybersecurity | Updated link to the Federal Register’s permalink |
4 | NIST SP 800-163, Vetting the Security of Mobile Applications | Added this new publication, published on 19 Apr 2019 |
5 | DoD Information Technology Environment Strategic Plan | Moved from the Lead and Govern block to the National/Federal block to make room for the new Executive Order. |
6 | Cybersecurity Policy Chart | Updated the red text in the bottom center of the chart to reflect the new location that DTIC established for updated versions of the chart. |
28 February 2019
# | Document Name | Change/Justification |
---|---|---|
1 | 2019 National Intelligence Strategy | Added this updated strategy |
2 | Department of Defense (DoD) Cloud Strategy | Added this new strategy |
3 | Summary of the 2018 DoD Artificial Intelligence Strategy | Added an unclassified summary of this new strategy |
4 | CYBERCOM Orders | The Operational section of the chart removed older references to STRATCOM policies and has replaced it with a reference to CYBERCOM orders and JFHQ-DODIN orders. Neither is hyperlinked because these orders are not available to the public. |
5 | JFHQ-DODIN Orders | See above |
15 January 2019
# | Document Name | Change/Justification |
---|---|---|
1 | CJCSI 5123.01H, Charter of the JROC and Implementation of the JCID | As of 18 Aug 2018, CJCSI 5123.01H stated that “CJCSI 3170.01 Series, “Joint Capabilities Integration and Development System (JCIDS),” is hereby canceled, with content moved to Enclosure D of this CJCSI.” |
2 | Department of Defense (DoD) Joint Special Access Program (SAP) Implementation Guide (JSIG) | Policy added to chart to expand coverage to JSAP. |
7 January 2019
# | Document Name | Change/Justification |
---|---|---|
1 | DoDI 5200.39, Critical Program Information (CPI) Identification and Protection Within Research, Development, Test, and Evaluation (RDT&E) | Added per the suggestion of Ms. Creel of the CERT Division, Software Engineering Institute, Carnegie Mellon University. |
5 December 2018
# | Document Name | Change/Justification |
---|---|---|
1 | CJCSI 3170.01, Joint Capabilities Integration and Development System (JCIDS) | Manual was converted to a “living document” available at the new hyperlink |
2 | UCP Unified Command Plan | Updated link to unclassified site that identifies the 10 Combatant Commands and provides information on each. |
25 September 2018
# | Document Name | Change/Justification |
---|---|---|
1 | National Cyber Strategy | Replaces the 2003 National Cyber Strategy. |
2 | 2018 DoD Cyber Strategy | Update to the 2015 DoD Cyber Strategy. It was signed on 27 July, but a publicly accessible, unclassified summary became available on 18 Sep. The hyperlink is to the unclassified summary. |
3 | CNSSP-28, “Cybersecurity of Unmanned National Security Systems,” 6 July 2018 | New policy. |
4 | DoDI 8560.01, “Communications Security (COMSEC) Monitoring,” 22 Aug 2018 | Incorporated and canceled DoD Instruction 8560.01, “Communications Security (COMSEC) Monitoring and Information Assurance (IA) Readiness Testing,” October 9, 2007. |
5 | DoD Cybersecurity Policy Chart | Added additional CSIAC contact information to the upper left corner of the chart. |
14 August 2018
# | Document Name | Change/Justification |
---|---|---|
1 | 2018 DoD Cyber Strategy | Update to the 2015 DoD Cyber Strategy. It was signed on 27 July, but a publicly accessible version is not yet available, so the name is italicized in the chart indicating no public-facing hyperlink is available. |
2 | CNSSI-5000, Annex I, Voice Over Secure Internet Protocol (VoSIP) | Annex released on 21 June 2018. |
12 June 2018
# | Document Name | Change/Justification |
---|---|---|
1 | Directive-Type Memorandum (DTM) 17-007 – “Interim Policy and Guidance for Defense Support to Cyber Incident Response” | NIST Released NIST SP 800-126, R3, SCAP 1.3 on 14 Feb 2018 |
2 | CJCSI 6510.02E, Cryptographic Modernization Plan | Updated from CJCSI 6510.02D |
3 | CJCSM 3213.02D, Joint Staff Focal Point | Updated from CJCSM 3213.02C |
4 | NIST SP 800-171, R1, Protecting CUI in Nonfederal Systems and Organizations | Rev. 1 final release date was 6/7/2018. |
5 | NIST SP 800-125A, R1, Security Recommendations for Hypervisor Platforms | Rev. 1 final release date was 6/7/2018. |
6 | National Security Strategy | Moved from National/Federal to Organize/Lead and Govern |
9 April 2018
# | Document Name | Change/Justification |
---|---|---|
1 | NIST SP 800-126, R2 SCAP 1.2 | NIST Released NIST SP 800-126, R3, SCAP 1.3 on 14 Feb 2018 |
2 | NIST SP 800-171 | NIST Released NIST SP 800-171, R1, on 20 Feb 2018 |
3 | NIST SP 800-125A | Added NIST SP 800-125A, Security Recommendations for Hypervisor Deployment on Servers, 23 Jan 2018 |
4 | DoD Directive 3020.26, “Department of Defense Continuity Programs,” January 9, 2009, as amended | Reissued and canceled by DoDD 3026, DoD Continuity Policy, 14 Feb 2018 |
5 | CJCSI 3170.01I, Joint Capabilities Integration and Development System (JCIDS) | Updated link. |
6 | Stored Communications Act, 18 USC §2701 et seq. | The Stored Communications Act was amended by the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which was passed as part of the Consolidated Appropriations Act of 2018, signed into law on 23 March 2018. NOTE: The link to the Government Publishing Office’s text of the law currently does not reflect these most recent changes, nor does the House of Representatives official United States Code website. Both are expected to be updated after some time. |
1 February 2018
# | Document Name | Change/Justification |
---|---|---|
1 | 2017 National Defense Strategy | Released on 19 January 2018, it replaces the 2012 National Defense Strategy. Since the National Defense Strategy is classified, the link is to the unclassified summary. |
2 | Quadrennial Defense Review | Removed from chart, based on the 2017 National Defense Authorization Act (NDAA), which replaced the legislative foundation of the Quadrennial Defense Review with requirements to be included in a National Defense Strategy. |
3 | Strategic Instruction (SI) 527-01 DoD INFOCON System Procedures, 27 March 2015 | Superseded SD 527-01, 27 Jan 2006. |
4 | NIST Framework for Improving Critical Infrastructure Cybersecurity | Updated broken link. |
5 | CJCSM 6510.02, Information Assurance Vulnerability Management Program | Added this older policy to the chart. Policy is in italics because it is FOUO and so no publicly accessible link can be provided. |
8 January 2018
# | Document Name | Change/Justification |
---|---|---|
1 | EO 13636: Improve Critical Infrastructure Cybersecurity | Corrected link to Document. |
2 | The DoD Cybersecurity Policy Chart | Changed the gray/white background/text combos to gray/black. |
18 December 2017
# | Document Name | Change/Justification |
---|---|---|
1 | 2017 National Security Strategy | Released on 18 December 2017, it replaces the 2015 National Security Strategy. |
13 December 2017
# | Document Name | Change/Justification |
---|---|---|
1 | DoDI 8310.01 Information Technology Standards in the DoD | Added to chart |
2 | EO 13636: Improving Critical Infrastructure Cybersecurity | Corrected Link to document |
3 | DoDI 8582.01 Security of Unclassified DoD Information on Non-DoD Info Systems | Policy updated by DoDI 8310.01 |
4 | NSTISSI 7003 Protective Distribution Systems | Changed to CNSSI 7003, Protected Distribution Systems |
6 November 2017
# | Document Name | Change/Justification |
---|---|---|
1 | NIST SP 800-18, Rev 1 | Corrected Link to document |
3 November 2017
# | Document Name | Change/Justification |
---|---|---|
1 | ASD(NII)/DoD CIO Memo on Use of Peer-to-Peer File Sharing Applications | Removed, was canceled by DoDI 8500.01, Cybersecurity |
2 | CNSSI-4001 | Added link. |
3 | CNSSI-4005 | Added link. |
4 | CNSSP-16 | Added link. |
5 | DoDD 3020.40 | Updated link. |
6 | DoDI 5200.01 | Updated link. |
7 | DoDI 8320.02 | Corrected link. |
8 | DoDI 8551.01 | Updated link. |
9 | Ethics Regulations | Updated link. |
10 | E. O. 13800 | Added. |
11 | FIPS 140-2 | Updated link. |
12 | FIPS 199 | Updated link. |
13 | FIPS 200 | Updated link. |
14 | ICD 503 | Updated link. |
15 | NISTIR 7693 | Updated link. |
16 | NIST SP 800-18, Rev 1 | Updated link. |
17 | NIST SP 800-39 | Updated link. |
18 | NIST SP 800-59 | Updated link. |
19 | NIST SP 800-60, Vol 1, Rev 1 | Updated link. |
20 | NIST SP 800-92 | Updated link. |
21 | NIST SP 800-126, Rev 2 | Updated link. |
22 | NIST SP 800-128 | Updated link. |
23 | NIST SP 800-137 | Updated link. |
24 | NIST SP 800-153 | Updated link. |
25 | NSTISSI-4003 | Changed to CNSSI 4003 and added link. |
26 | NSTISSI-4006 | Changed to CNSSI 4006 and added link. |
27 | OMB A-130 | White House temporarily moved many policies to the Obama White House archives site, though these appear to be in full force unless or until formally rescinded or superseded. |
28 | Security Configuration Guides | Updated link. |
15 Aug 2017
# | Document Name | Change/Justification |
---|---|---|
1 | DoDD 8000.01 | Change issued 27 July 2017 to include US Coast Guard in applicability paragraph and make other administrative updates. |
2 | DoDD 8140.01 | Change issued 31 July 2017 to include US Coast Guard in applicability paragraph and make other administrative updates. |
3 | DoDI 8510.01 | Change issued 28 July 2017 to include US Coast Guard in applicability paragraph and make other administrative updates. |
4 | DoDI 8520.03 | Change issued 27 July 2017 to include US Coast Guard in applicability paragraph and make other administrative updates. |
5 | DoDI 8530.01 | Change issued 25 July 2017 to include US Coast Guard in applicability paragraph and make other administrative updates. |
6 | DoDI 8551.01 | Change issued 27 July 2017 to include US Coast Guard in applicability paragraph and make other administrative updates. |
7 | MOA Between DoD & DHS | MOA signed 19 January 2017 regarding Department of Defense and U.S. Coast Guard cooperation on cybersecurity and cyberspace operations. |
30 Jun 2017
# | Document Name | Change/Justification |
---|---|---|
1 | All DoDDs, DoDIs, DoDMs, and other DoD issuances | 46 hyperlinks changed to reflect the movement of the official DoD Issuances website to a new URL. |
2 | DoD Acquisition Guidebook | Hyperlink changed to reflect updated URL for the DAG. Link is to Chapter 9, which is the deepest link permitted, but subpart 3.2.2, Risk Management Framework for DoD IT is the pertinent reference. |
05 Jun 2017
# | Document Name | Change/Justification |
---|---|---|
1 | National Strategy for Information Sharing and Safeguarding (2012) | Updated link: https://obamawhitehouse.archives.gov/sites/default/files/rss_viewer/internationalstrategy_cyberspace.pdf |
2 | U.S. International Strategy for Cyberspace (2011) | Updated link: https://obamawhitehouse.archives.gov/sites/default/files/rss_viewer/internationalstrategy_cyberspace.pdf |
3 | 25 Point Implementation Plan to Reform Federal IT Management (2010) | Removed. |
4 | NIST Framework for Improving Critical Infrastructure Cybersecurity (2014) | Updated link: https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf |
5 | National Defense Strategy (NDS) (2012) | Updated broken link: http://www.acqnotes.com/Attachments/2012%20National%20Defense%20Strategy.pdf |
6 | IA Component of the GIG Integrated Architecture, Version 1.1 (2002) | Removed. |
7 | Alignment Framework for the GIG IA Architecture (AFG) Version 1.1 (2002) | Removed. |
8 | IATF Release 3.1 Information Assurance Technical Framework (2002) | Removed. |
9 | DoDI 5000.02 Operation of the Defense Acquisition System (2017) | Updated broken link: http://www.dtic.mil/whs/directives/corres/pdf/500002_dodi_2015.pdf |
10 | DoD CIO Memo (2011) Interim Guidance on Networthiness of IT Connected to DoD Networks | Removed. |
11 | DoD CIO G&PM 12-8430 (2001) Acquiring Commercial Software | Removed. |
12 | NSTISSI-4000 to: CNSSI-4000 Maintenance of Communications Security (COMSEC) Equipment (2012) | Link Broken/Document Type Changed: https://www.cnss.gov/CNSS/issuances/Instructions.cfm |
13 | ICD 503 IC Information Technology Systems Security Risk Management | Updated link: https://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives |
14 | OMB M-05-24 Implementation of HSPD-12 | Removed. |
15 | From NSTISSI to CNSSI 4001 Controlled Cryptographic Items (2013) | Document Type Change/Updated link: https://www.cnss.gov/CNSS/issuances/Instructions.cfm |
16 | DoDI 5200.01 DoD Information Security Program and Protection of Sensitive Compartmented Information (SCI) (2016) | Updated broken link: http://www.dtic.mil/whs/directives/corres/pdf/520001p.pdf |
17 | DoD Information Sharing Strategy (2007) | Updated broken link: http://dodcio.defense.gov/Portals/0/Documents/DIEA/InfoSharingStrategy.pdf |
18 | ASD(NII)/DoD CIO Memo Use of Peer-to-Peer File Sharing Applications Across DoD | Removed. This memo was canceled by DoDI 8500.01, Cybersecurity. |
19 | CJCSI 6211.02D Defense Information System Network (DISN) Responsibilities (2012) | Updated broken link: http://www.jcs.mil/Portals/36/Documents/Library/Instructions/6211_02a.pdf?ver=2016-02-05-175050-653 |
20 | CJCSM 6510.01B Cyber Incident Handling Program (2014) | Updated broken link: http://www.jcs.mil/Portals/36/Documents/Library/Manuals/m651001.pdf?ver=2016-02-05-175710-897 |
21 | CJCSI 6510.01F Information Assurance (IA) And Support To Computer Network Defense (CND) (2015) | Updated broken link: http://www.jcs.mil/Portals/36/Documents/Library/Instructions/6510_01.pdf?ver=2016-02-05-175054-497 |
22 | NSTISSD-600 Communications Security Monitoring (1990) | Added link: https://www.cnss.gov/CNSS/issuances/Directives.cfm |
23 | DoDD 3020.40 Mission Assurance (MA) (2016) | Title and link updated: http://www.dtic.mil/whs/directives/corres/pdf/302040_dodd_2016.pdf |
24 | DoDI 8581.01 Information Assurance (IA) Policy for Space Systems Used by the Department of Defense (2010) | Keep |
25 | DoDD S-5100.44 and DoDD S-3710.01 | Replacement/Updated Link. Replaced DoDD S-5100.44, Defense and National Leadership Command Capability (DNLCC) with DoDD S-3710.01, National Leadership Command Capability (NLCC) New link: http://www.dtic.mil/whs/directives/corres/pdf/S371001_placeholder.pdf |
26 | CNSSP-300 National Policy on Control of Compromising Emanations (2006) | Updated broken link: https://www.cnss.gov/CNSS/issuances/Policies.cfm |
27 | CNSSI-4004.1 Destruction and Emergency Protection Procedures for COMSEC and Classified Material (2008) | Updated broken link: https://www.cnss.gov/CNSS/issuances/Instructions.cfm |
28 | Defense Acquisition Guidebook Sect 7.5 Information Assurance (2013) and the DAG (2016) | Replaced/Updated Link. Replaced Defense Acquisition Guidebook Sect 7.5 Information Assurance (2013) with the DAG (2016) New link: https://dap.dau.mil/glossary/pages/178.aspx?scroll=0 |
29 | 2015 National Security Strategy | Updated broken link: http://www.jcs.mil/Portals/36/Documents/Publications/2015_National_Military_Strategy.pdf |
30 | NSD 42 | Updated link: https://www.cnss.gov/cnss/assets/authorities/NSD-42.pdf |
31 | OMB A-130 (2016) | Updated broken link: https://www.federalregister.gov/documents/2016/07/28/2016-17872/revision-of-omb-circular-no-a-130-managing-information-as-a-strategic-resource |
32 | CNSSI 4009 Committee on National Security Systems (CNSS) Glossary (2015) | Updated Title. |
33 | Security Configuration Guides (SCGs) | Consider Deleting. Current link takes you to “Media Destruction Guidance”. A search of the term SCG nets many different websites. Is there a particular site to reference? |
34 | Security Reference Review Scripts | Consider Deleting/Broken Link. A search of the term SCG nets many different websites. Is there a particular site to reference? |
35 | Component-Level Policy | Consider Deleting/Broken Link. This is too vague considering that everything on the chart has specific references. |
21 Aug 2016
# | Document Name | Change/Justification |
---|---|---|
1 | Presidential Policy Directive 41: United States Cyber Incident Coordination | New PPD issued. |
2 | CJCSI 6212.01F Net Ready Key Performance Parameter | Canceled by CJCSI 5123.01G, 12 Feb 15 |
3 | DoD 5220.22-M, Ch. 2 National Industrial Security Program Operating Manual (NISPOM) | Change 2 published May 18, 2016. Updated link. |
4 | DoDD 8000.01 Management of the DOD Information Enterprise | Policy and link updated. |
5 | DoDD 8521.01E Department of Defense Biometrics | Updated link. |
6 | DoDI O-8530.1 | Superseded by DoDI 8530.01, link updated. |
7 | DoDI O-8530.2 | Superseded by DoDI 8530.01, link updated. |
8 | DoDI 5200.01 DoD Information Security Program and Protection of SCI | Added as a new policy based on recent update. |
9 | DoDI 5200.08 | Change 3 issued, link updated. |
10 | SP 800-30, Rev. 1, Guide for Conducting Risk Assessments | Moved to: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf |
11 | SP 800-126 Rev. 2, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2 | Moved to: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-126r2.pdf |
12 | SP 800-128, Guide for Security-Focused Configuration Management of Information Systems (August 2011) | Moved to: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-128.pdf |
13 | SP 800-137, Information Security Continuous | http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf |
27 Oct 2015
# | Document Name | Change/Justification |
---|---|---|
1 | National Strategy for Information Sharing and Safeguards | Updated link: https://www.whitehouse.gov/sites/default/files/docs/2012sharingstrategy_1.pdf |
2 | Quadrennial Defense Review Report | Updated link: http://archive.defense.gov/pubs/2014_Quadrennial_Defense_Review.pdf |
3 | National Defense Strategy | Updated link: http://www.defense.gov/Portals/1/Documents/pubs/2008NationalDefenseStrategy.pdf |
4 | DoD Cyber Strategy | Updated link: http://www.defense.gov/Portals/1/features/2015/0415_cyber-strategy/Final_2015_DoD_CYBER_STRATEGY_for_web.pdf |
5 | DoD Strategy for Operating in Cyberspace | Removed as superseded by the DoD Cyber Strategy |
6 | National Military Strategic Plan for the War on Terrorism | Updated link: https://digitalndulibrary.ndu.edu/cdm/compoundobject/collection/strategy/id/9695/rec/8 |
7 | Title 44 – Federal Information Security Modernization Act (Ch. 35) | Updated link to reflect the amendments effected by the Federal Information Security Modernization Act to amend the Federal Information Security Management Act. Updated link: https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf |
8 | CNSSI 1300 | De-italicized to show that a publicly accessible link is available at: https://www.cnss.gov/CNSS/issuances/Instructions.cfm |
9 | DFARS Subpart 208.74 | Updated link: http://www.acq.osd.mil/dpap/dars/dfars/html/current/208_74.htm |
10 | DoDD 8570.01 | Directive was superseded by 8140.01. |
11 | DoDD 5000.02 | Updated broken link: http://www.dtic.mil/whs/directives/corres/pdf/500002p.pdf |
12 | CJCSI 6211.02D | Updated link: http://www.dtic.mil/cjcs_directives/cdata/unlimit/6211_02a.pdf |
15 Aug 2015
# | Document Name | Change/Justification |
---|---|---|
1 | National Military Strategy (NMS) | Link updated to 2015 NMS: http://www.jcs.mil/Portals/36/Documents/Publications/National_Military_Strategy_2015.pdf |
2 | National Security Strategy (NSS) | 2015 NSS added: https://www.whitehouse.gov/sites/default/files/docs/2015_national_security_strategy_2.pdf |
3 | National Military Strategy for Cyberspace Operations (NMS-CO) | Updated link: http://nsarchive.gwu.edu/NSAEBB/NSAEBB424/docs/Cyber-023.pdf |
4 | DoDD 8140.01 Cyberspace Workforce Management | Signed 11 Aug 2015, cancelled DoD Directive 8570.01, “Information Assurance (IA) Training, Certification, and Workforce Management,” August 15, 2004, as amended. |
5 | DoDI 8330.01 Interoperability of IT and National Security Systems (NSS) | Correct spacing in title. |
6 | CJCSI 3170.01H Joint Capabilities Integration and Development System (JCIDS) | Updated to CJCSI 3170.01I: https://dap.dau.mil/policy/Documents/2015/CJCSI_3170_01I.pdf |
7 | Presidential Memo, “Classified Information and Controlled Unclassified Information,” 27 May 09 | Memo withdrawn. Removed from chart. |
8 | FAR Federal Acquisition Regulation | Updated link: https://www.acquisition.gov/?q=browsefar |
24 Apr 2015
# | Document Name | Change/Justification |
---|---|---|
1 | The DoD Cyber Strategy | New Issuance, 23 Apr 2015 |
2 | Comprehensive National Cybersecurity Initiative | Removed |
3 | DoDI S-5240.23, Counterintelligence (CI) Activities in Cyberspace | Added new link to aid those with SIPRNet access to find document. |
4 | DoDI S-5200.16, Objectives and Min Stds for COMSEC Measures used in NC2 Comms | Added new link to aid those with SIPRNet access to find document. |
5 | DoDD S-5100.44, Defense and National Leadership Command Capability (DNLCC) | Added new link to aid those with SIPRNet access to find document. |
6 | DoDD O-5100.30, Department of Defense (DoD) Command and Control (C2) | Superseded by DoDD 3700.01, DoD Command and Control (C2) Enabling Capabilities |
7 | DoDD O-8530.1, Computer Network Defense (CND) | Added new link to aid those with a DoD PKI cert to access this document. |
8 | DoDI O-8530.2, Support to Computer Network Defense (CND) | Added new link to aid those with a DoD PKI cert to access this document. |
9 | DoD O-8530.1-M, CND Service Provider Certification and Accreditation Program | Added new link to aid those with a DoD PKI cert to access this document. |
17 Feb 2015
# | Document Name | Change/Justification |
---|---|---|
1 | Executive Order 13691, Promoting Private Sector Cybersecurity Information Sharing | New Issuance, 13 Feb 2015 |
2 | National Security Strategy | New Issuance, Feb 2015 |
3 | NIST SP 800-37 Rev 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach | New link includes updates as of 6 May 2014 |
4 | SP 800-61 Rev. 2, Computer Security Incident Handling Guide | Updated link |
5 | FIPS 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors | Superseded by FIPS 201-2, Personal Identity Verification (PIV) of Federal Employees and Contractors |
6 | DoD Defending Networks, Systems, and Data Strategy | New direct link |
7 | DoD Cyber, Identity & Information Assurance Strategic Plan | Updated link |
8 | National Military Strategy | Updated link |
9 | CNSSAM IA 1-10, Reducing Risk of Removable Media in NSS | Updated link |
10 | CNSSI-1300, Instructions for NSS PKI X.509SP | Updated link |
11 | DoDI 5000.02, Operation of the Defense Acquisition System | Updated link |
12 | DoD CIO Memo Interim Guidance on Networthiness of IT Connected to DoD Networks | Updated link |
13 | NSSMOA between DoD CIO and ODNI CIO Establishing Net-Centric Software Licensing Agreements | Updated link |
14 | Title 44 – Federal Information Security Mgt Act, (§3541 et seq) | Updated link |
15 | NSTISSI-4002 Classification Guide for COMSEC Information | Removed to make room for new E.O. 13691 (the NSTISSI-4002 did not have a public-facing link anyway) |
16 | Security Technical Implementation Guides (STIGs) | Updated link |
17 | About this chart box | Updated the text |
27 June 2024
# | Document Names | Change/Justification |
---|---|---|
1 | Fulcrum: The DoD IT Advancement Strategy | This strategy, released publicly on 25 June, supersedes the 2019 Digital Modernization Strategy. |
2 | NIST SP 800-171 Revision 3, Protecting CUI in Non-Federal Systems and Organizations | This document supersedes NIST SP 800-171 Rev. 2 (01/28/2021). |
3 | DIB CS Program Security Classification Guide | Per the supersession paragraph in this document, it replaces DoDM O-5205.13 cancelled in May 2023. |
4 | NSA CS Advisories and Guidances | This replaces Security Configuration Guides as a reference for NSA issuance of cybersecurity guidance separate from STIGs and SRGs. |
5 | Miscellaneous Changes | Updated the link to the NIST SP 800-172. Updated the link to DoDI 8530.01. Updated the link to ICD 503. |
1 May 2024
# | Document Names | Change/Justification |
---|---|---|
1 | CNSSI 4005, Safeguarding Communications Security (COMSEC) Facilities and Materials | This document supersedes the prior version from August 2011. Requires CAC for access. |
2 | NIST SP 800-218A, Secure Software Development Framework (SSDF) for Generative Artificial Intelligence and Dual Use Foundation Models | This new publication addresses how to apply the SSDF, set out in NIST SP 800-218, to GenAI and dual use foundation models. |
3 | Miscellaneous Changes | Updated the link to the DIB Cybersecurity Strategy. |
29 March 2024
# | Document Names | Change/Justification |
---|---|---|
1 | The NIST Cybersecurity Framework (CSF) 2.0 (Feb 26, 2024) | The NIST Cybersecurity Framework (CSF) 2.0 provides updated guidance to industry, government agencies, and other organizations to manage cybersecurity risks. When compared to CSF 1.1, CSF 2.0 adds the “Govern” function to the existing five functional areas, expands coverage beyond critical infrastructure to all areas, includes supply chain security, and enhances customizability for tailored implementation strategies. |
2 | Defense Industrial Base (DIB) Cybersecurity Strategy 2024 (March 21, 2024) | This strategy is designed to strengthen DoD governance structure for DIB Cybersecurity, enhance the Cybersecurity posture of DIB contractors, preserve the resiliency of critical DIB capabilities in a cyber-contested environment, and improve collaboration with numerous components, program managers (PMs), and DIB. |
3 | Executive Order (EO) 14117: Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (Feb 28, 2024) | The Executive Order (EO) calls for the Department of Justice (DOJ) to promulgate regulations to prevent the large-scale transfer of sensitive personal data and US Government-related data to “countries of concern,” as defined in the EO. This EO recognizes that disclosure of sensitive personal data may rise to a national security issue in some cases. |
4 | Directive-type Memorandum (DTM) 24-001 – “DoD Cybersecurity Activities Performed for Cloud Service Offerings” (Feb 27, 2024) | Focusing on Cloud Service Offerings (CSOs), this DTM establishes policy, assigns responsibilities, and provides procedures for cybersecurity and defensive cyberspace operations (DCO) activities that are performed by a cybersecurity service provider (CSSP), DoD entity, or commercial entity on behalf of the mission owner or authorizing official. |
5 | Miscellaneous Changes | Set new indicator for updated hyperlinks (dotted lines) to avoid confusion with updated/new policies. *Revised language in “About this Chart” section to be clearer and more concise. |
28 February 2024
# | Document Names | Change/Justification |
---|---|---|
1 | DoD Instruction 5200.44: Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (Feb 16, 2024) | This instruction supersedes the existing version of DoD Instruction 5200.44, “Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN),” published November 5, 2012. The updated instruction implements the DoD’s trusted systems and networks (TSN) strategy through program protection and cybersecurity implementation to provide uncompromised weapon and information systems, with a focus on supply chain risk management measures. |
2 | STIGs, SRGs, and TCGs | Added Tenant Configuration Guides (TCGs), which address Microsoft 365 tenant configuration requirements. |
3 | General Document Review | Reviewed policy chart for broken and out-of-date links; documents with updated links are highlighted with red boxes. |
09 January 2024
# | Document Names | Change/Justification |
---|---|---|
1 | 2023 Department of Defense Data, Analytics, and Artificial Intelligence Adoption Strategy | This DoD Strategy, released in November 2023, supersedes and replaces the 2020 DoD Data Strategy and the 2019 DoD AI Strategy in the Policy Chart. |
2 | 2023 National Intelligence Strategy | This Strategy replaces the 2019 National Intelligence Strategy in the Policy Chart. |
3 | 2022 National Military Strategy | This Strategy, posted in May 2023, replaces the existing 2018 National Military Strategy in the Policy Chart. |
4 | NIST SP 800-221 Enterprise Impact of Information and Communications Technology Risk: Governing and Managing ICT Risk Programs Within an Enterprise Risk Portfolio | Posting this NIST Special Publication, published in November 2023, to the Policy Chart. This document is intended to help individual organizations within an enterprise improve their ICT risk management (ICTRM). This can enable enterprises and their component organizations to better identify, assess, and manage their ICT risks in the context of their broader mission and business objectives. |
5* | (Removal of) DoD 8570.01M Information Assurance Workforce Improvement Program | Removed DoD 8570.01M from the Policy Chart as it was superseded by DoDM 8140.03 Cyberspace Workforce Qualification and Management Program, effective February 15, 2023. |
6** | Color Key box | Fixed several links in Color Key box, including fixing the CYBERCOM link to point to the correct site. |
21 November 2023
# | Document Names | Change/Justification |
---|---|---|
1 | 2023 DoD Strategy for Operations in the Information Environment | The purpose of the 2023 Department of Defense (DoD) Strategy for Operations in the Information Environment (SOIE), which has been posted to the Lead and Govern subsection, is to improve the Department’s ability to plan, resource, and apply informational power to enable integrated deterrence, campaigning, and building enduring advantages as described in the 2022 National Defense Strategy (NDS). |
2 | NIST SP 800-53A Rev. 5 Assessing Security and Privacy Controls in Information Systems and Organizations | This Special Publication was updated on November 7, 2023. NIST issued a patch release of SP 800-53A (Release 5.1.1) that includes: • Minor grammatical edits and clarification • One new control and three supporting control enhancement assessment procedures to correspond with the new SP 800-53 control, IA-13. |
3* | UFC 4-010-06 Cybersecurity Of Facility-Related Control Systems (FRCS) | This UFC’s link has been updated in the Policy Chart and describes requirements for incorporating cybersecurity in the design of all facility-related control systems which include a network. It also covers the cybersecurity aspects of control system design, and the requirements of this UFC must be coordinated with the control system design and the criteria relevant to the control system. |
23 October 2023
# | Document Names | Change/Justification |
---|---|---|
1 | NIST SP 800-82 Rev. 3 Guide to Operational Technology (OT) Security | This Publication supersedes and replaces NIST SP 800-82 Rev. 2 Guide to Industrial Control Systems (ICS) Security in the Policy Chart. This document provides guidance on how to secure operational technology (OT) while addressing their unique performance, reliability, and safety requirements. |
2 | NIST SP 1800-22 Mobile Device Security: Bring Your Own Device (BYOD) | This Publication, released in September 2023, has been added to the Policy Chart. Bring Your Own Device (BYOD) refers to the practice of performing work-related activities on personally owned devices. This practice guide provides an example solution demonstrating how to enhance security and privacy in Android and Apple phones and tablets used in BYOD deployments. |
3 | DoDD 5101.23E Executive Agent for Advanced Cyber Training Curricula | Posting this Directive, effective October 18, 2023, to the Policy Chart. This Issuance designates effective and relevant Advanced Cyber Training (ACT) to be developed and delivered to the Military Services supporting the Cyber Mission Force (CMF). |
4 | DTM 17-007 Interim Policy and Guidance for Defense Support to Cyber Incident Response | Updating this Memorandum in the Policy Chart to Incorporate Change 7, which extends the expiration date for the DTM to December 19, 2023. |
22 September 2023
# | Document Names | Change/Justification |
---|---|---|
1 | 2023 DoD Cyber Strategy Summary | The 2023 DoD Cyber Strategy Summary, published in September 2023, replaces its Fact Sheet in the Lead and Govern subsection of the Policy Chart and provides additional unclassified details on the strategy. The full classified strategy establishes how the Department will operate in and through cyberspace to protect the American people and advance the defense priorities of the United States. |
17 August 2023
# | Document Names | Change/Justification |
---|---|---|
1 | CISA Cybersecurity Strategic Plan | The CISA Cybersecurity Strategic Plan for FY 2024-2026 has been posted to the Lead and Govern subsection of the Policy Chart. This strategy outlines a new vision for cybersecurity involving how to address immediate threats, harden the cyber terrain, and drive security at scale. |
2 | National Cyber Workforce and Education Strategy | This strategy, posted to the Lead and Govern subsection of the Policy Chart, details how we will strengthen our cyber workforce, connect people to well-paying, quality jobs, and advance the welfare, prosperity, and security of our society through cyber education. |
3 | NIST SP 800-218 Secure Software Development Framework (SSDF) | NIST SP 800-218 SSDF, published in February of 2022, addresses software security and development practices in detail to ensure that the software being developed is well-secured. This document recommends the SSDF – a core set of high-level secure software development practices that can be integrated into each SDLC implementation. |
4 | DoD Cyber Workforce Strategy | This strategy establishes a unified direction for DoD cyber workforce management and, as the cyber domain continues to expand, the inclusion of emerging technology workforces. This strategy also provides a roadmap for how the cyber workforce will grow and adapt to guarantee our Nation's security. |
5 | DoDI 5000.82 Requirements for the Acquisition of Digital Capabilities | This DoD Instruction assigns program responsibilities concerning the acquisition of digital capabilities as defined in this issuance for the acquisition pathways of the adaptive acquisition framework described in DoD Instruction (DoDI) 5000.02. |
6 | DoDI 8530.03 Cyber Incident Response | This DoD issuance establishes policy, assigns responsibilities, and provides procedures for DoD cyber incident response (CIR). |
7 | 2018 DoD Cloud Strategy (Removed) | Removed from the Policy Chart, as it was replaced by the DoD Software Modernization Strategy. |
8 | DoD Information Sharing Strategy (Temp. Removed) | Removed from the DoD CIO Library Page, so this strategy has temporarily been removed pending further investigation. |
9 | DoD Information Security Continuous Monitoring (ISCM) Strategy (Note) | No change to strategy - RMFKS site is down for the time being but should be back online soon. |
14 July 2023
# | Document Names | Change/Justification |
---|---|---|
1 | National Cybersecurity Strategy Implementation Plan | Added to the Lead and Govern subsection of the policy chart and published in July 2023, the National Cybersecurity Strategy Implementation Plan lays out a vision for cyberspace and outlines a path for achieving the need for more capable actors in cyberspace and the need to increase incentives to make investments in long term resilience. |
2 | Department of Defense Outside the Continental United States (OCONUS) Cloud Strategy | Added to the Lead and Govern subsection of the policy chart and cleared for open publication on May 26, 2021, the Department of Defense (DoD) Outside the Continental United States (OCONUS) Cloud Strategy establishes the vision and goals for enabling a dominant all-domain advantage through cloud innovation at the tactical edge. |
3 | NIST SP 800-124 Rev. 2 Guidelines for Managing the Security of Mobile Devices in the Enterprise | Updating policy chart to include the change in this publication from Rev. 1 to Rev. 2, published in May 2023. |
4 | DoDI 8510.01 Risk Management Framework for DoD IT | Updated policy chart by removing DTM 20-004 “Enabling Cyberspace Accountability of DoD Components and Information Systems,” which was cancelled and incorporated into DoDI 8510.01 |
5 | Directive-Type Memorandum (DTM) 17-007 - Interim Policy and Guidance for Defense Support to Cyber Incident Response | Updated policy chart to include Change 6 of DTM 17-007, effective June 21, 2023. This memorandum provides supplementary policy guidance, assigns responsibilities, and details procedures for providing Defense Support to Cyber Incident Response (DSCIR). |
6 | CJCSI 5123.01I Charter of the JROC and Implementation of the JCIDS | Updating policy chart to include CJCSI 5123.01I from October 2021, which supersedes and cancels CJCSI 5123.01H. |
12 June 2023
# | Document Names | Change/Justification |
---|---|---|
1 | 2023 Department of Defense Cyber Strategy | Added to the Lead and Govern subsection of the policy chart, replacing the 2018 DoD Cyber Strategy. The 2023 DoD Cyber Strategy establishes how the Department will operate in and through cyberspace to protect the American people and advance the defense priorities of the United States. Since the titled document is classified, we have hyperlinked the 2023 DoD Cyber Strategy Fact Sheet for reference instead. |
2 | DoD Instruction 8520.02 Public Key Infrastructure and Public Key Enabling | DoDI 8520.02, effective May 18, 2023, reissues and cancels policy from May 2011 under the same name. This Instruction establishes policy, assigns responsibilities, and prescribes procedures for DoD public key infrastructure (PKI) and public key enabling (PKE). |
3 | DoD Instruction 8520.03 Identity Authentication for Information Systems | DoDI 8520.03, effective May 19, 2023, reissues and cancels policy from May 2011 under the same name. This Instruction establishes policy, assigns responsibilities, and provides procedures for authenticating person and non-person entities (NPEs) to DoD information systems, including credential management. |
4 | DoD Instruction 8551.01 Ports, Protocols, and Services Management | DoDI 8551.01, effective May 31, 2023, reissues and cancels policy from May 2014 under the same name. This Instruction establishes policy and standardizes procedures for cataloging, governing, and managing the use and management of protocols in the internet protocol suite, related protocols, and data services referred to as Department of Defense information network (DODIN) ports, protocols, and services (PPS). |
5 | DoD Manual 8530.01 Cybersecurity Activities Support Procedures | DoDM 8530.01, effective May 31, 2023, cancels DoD O-8530.1-M “Department of Defense Computer Network Defense (CND) Service Provider Certification and Accreditation Program,” from December 2003. This issuance assigns responsibilities and provides procedures for designated DoD Component-level organizations. |
16 May 2023
# | Document Names | Change/Justification |
---|---|---|
1 | DoD Cybersecurity Reference Architecture (Version 5.0) | Adding DoD CS Reference Architecture, cleared for open publication on February 7th, 2023, to the Lead and Govern subsection of the Policy Chart. This document’s purpose is to establish characteristics for cybersecurity architecture in the form of principles, fundamental components, capabilities, and design patterns to address threats in and outside network boundaries. |
2 | DoDI 8310.01 Information Technology Standards in the DoD | Highlighting update to this DoD Instruction effective April 7th, 2023. This issuance establishes policy, assigns responsibilities, and authorizes a process for identifying, developing, adopting, establishing, prescribing, and publishing technical standards for DoD information technology. |
13 March 2023
# | Document Names | Change/Justification |
---|---|---|
1 | 2023 National Cybersecurity Strategy | Added the National Cybersecurity Strategy, published on March 1st, 2023, to the Lead and Govern subsection on the Policy Chart. This strategy details the comprehensive approach that the Biden Administration is taking to better secure cyberspace and realize the benefits of the nation’s digital future. |
2 | DoD Cyber Workforce Strategy | Added the Department of Defense Cyber Workforce Strategy, published on March 1st, 2023, to the Lead and Govern subsection on the Policy Chart. This strategy “establishes a unified direction for DoD cyber workforce management and, as the cyber domain continues to expand, the inclusion of emerging technology workforces.” |
7 February 2023
# | Document Name | Change/Justification |
---|---|---|
1 | DoD Information Security Continuous Monitoring (ISCM) Strategy | Added the DoD ISCM Strategy, signed in January 2023, to the Lead and Govern subsection in the Policy Chart. This strategy details how the DOD ISCM Program will modernize the existing Continuous Monitoring frameworks to increase cyber agility and enable continuous cybersecurity readiness using a data-driven approach. |
20 December 2022
# | Document Name | Change/Justification |
---|---|---|
1 | DoD Security Classification Guides | Removed the box for NSA IA Guidance due to long-term site errors and replaced it with a link to DoD’s Security Classification Guides. This site serves as a reference for the classification of data, which plays a key role in cybersecurity. |
13 December 2022
# | Document Name | Change/Justification |
---|---|---|
1 | Department of Defense Zero Trust Strategy (2022) | The 2022 DoD Zero Trust Strategy was cleared for open publication on November 22nd and updated in the Lead and Govern section of the Policy Chart. This strategy document provides guidance for advancing Zero Trust concept development, gap analysis, requirements development, implementation, execution decision-making, and ultimately procurement and deployment of required ZT capabilities. |
2 | NIST SP 800-160 Vol. 1 Rev. 1 “Engineering Trustworthy Secure Systems” | Supersedes NIST SP 800-160 Vol. 1 “Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems” and updated in the Policy Chart under Develop and Maintain Trust section. |
21 November 2022
# | Document Name | Change/Justification |
---|---|---|
1 | 2022 National Security Strategy | The 2022 National Security Strategy was officially published in Oct 2022, and replaces the previous interim strategy located in the Cybersecurity Policy Chart. |
2 | 2022 National Defense Strategy | The public version of the 2022 National Defense Strategy (NDS) was released in Oct 2022, and replaces the NDS placeholder in the Policy Chart. This strategy document includes the 2022 Nuclear Posture Review and the 2022 Missile Defense Review. |
13 October 2022
# | Document Name | Change/Justification |
---|---|---|
1 | CNSSI 1253E, Attachment 5 Classified System Overlay | This attachment overlay, released on September 30, 2022 and highlighted under the “CNSSI-1253F, Atchs 1-5” box on the chart, lists additional privacy and control baselines to CNSSI 1253. It identifies security control specifications needed to safeguard classified information stored, processed, or transmitted by national security systems (NSS). This overlay is baseline independent and can be used with any NSS baseline (security and privacy) to safeguard classified information. |
2 | DoDI 8330.01 Interoperability of Information Technology, Including National Security Systems | DoDI 8330.01, effective as of September 27, 2022, provides direction for certifying the interoperability of IT and NSS systems. The Purpose of this Instruction includes establishing the Interoperability Steering Group (ISG), and establishing the governing policy and responsibilities for interoperability requirements development, test, certification, and prerequisites for connection of IT, including NSS. |
3 | CJCSI 6510.02F Cryptographic Modernization Planning | This Instruction, updated in August of 2022, has been adjusted in the Policy Chart. This Instruction provides policy and guidance for planning, programming and implementing the modernization of Type 1 cryptographic products certified by the NSA and held by the DoD. |
01 September 2022
# | Document Name | Change/Justification |
---|---|---|
1 | CNSSI 1253 Categorization and Control for National Security Systems | CNSSI 1253 was updated by CNSS on July 29, 2022, to build on and serve as a companion document to NIST SP 800-53, Rev. 5 and NIST SP 800-37, Rev. 2. |
2 | DoD Directive 5000.01 The Defense Acquisition System | DoDD 5000.01 The Defense Acquisition System, with an objective of supporting the National Defense Strategy, was updated in the Policy Chart as Change 1 became effective July 28, 2022. |
26 July 2022
# | Document Name | Change/Justification |
---|---|---|
1* | NIST SP 800-53 Rev. 5 Security and Privacy Controls for Information Systems and Organizations | No update to Policy, but the chart has been edited to reflect the proper document title. The box title has been changed from “Security and Privacy Controls for Federal Information Systems” to “Security and Privacy Controls for Information Systems and Organizations” |
2* | NIST SP 800-53A Rev. 5 Assessing Security and Privacy Controls in Information Systems and Organizations | No update to Policy, but the chart has been edited to reflect the proper document title. The box title has been changed from “Assessing Security and Privacy Controls in Federal Information Systems” to “Assessing Security and Privacy Controls in Information Systems and Organizations” |
3 | CNSSI 4009 Committee on National Security Systems (CNSS) Glossary | CNSSI 4009 was updated in March 2022 to include new terms and to adjust definitions of current terms in the Glossary. |
4 | DoD Instruction 8510.01 Risk Management Framework for DoD Systems | DoDI 8510.01, updated as of 19 July 2022, establishes the cybersecurity Risk Management Framework (RMF) for DoD Systems and establishes policy, assigns responsibilities, and prescribes procedures for executing and maintaining the RMF |
21 June 2022
# | Document Name | Change/Justification |
---|---|---|
1 | CNSSP-32 Cloud Security for National Security Systems | This Policy Document, released on 22 May 2022, establishes the minimum security requirements for National Security Systems (NSS) migrating to or operating in a cloud environment. This Policy derives its authority from National Security Directive 42, which outlines the roles and responsibilities for securing NSS. |
2 | DoD Instruction 5000.02 Operation of the Adaptive Acquisition Framework (AAF) | DoDI 5000.02, with Change 1 effective on 8 June 2022, restructures defense acquisition guidance to improve process effectiveness and implement the AAF. Change 1 cancels DoDI 5000.02T in accordance with the 2020 coordination of this issuance and subsequent approval of the transition plan and updates the transition plan to document its completion and final location of information. |
1 April 2022
# | Document Name | Change/Justification |
---|---|---|
1 | 2022 National Defense Strategy | An unclassified version of the 2022 NDS has not yet been released, but the link will be posted once it is released. For now, the link for the 2022 National Defense Strategy will direct users to the Fact Sheet. |
2 | NIST SP 800-172A - Assessing Enhanced Security Requirements for Controlled Unclassified Information | This publication, released in March 2022, provides federal agencies and nonfederal organizations with assessment procedures that can be used to carry out assessments of the requirements in NIST Special Publication 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171. |
3 | CNSSP 1 – National Policy for Safeguarding and Control of COMSEC Materials | This policy, released in March 2022, is an update of an existing Policy Chart item and establishes the policy on Safeguarding and Control of COMSEC Material for National Security Systems (NSS). |
4 | CNSSD 600 – Directive on Communications Security (COMSEC) Monitoring *CAC required | This directive, released in March 2022, provides policy and basic procedures for the establishment of COMSEC monitoring programs consistent with law, Executive Orders, and applicable Presidential Directives. |
22 February 2022
# | Document Name | Change/Justification |
---|---|---|
1 | DoD Software Modernization Strategy | This DoD Strategy document, cleared for open publication on 2 Feb 2022, provides a goal of delivering better software faster. Projected outcomes include shifting secure software delivery left through modern infrastructure and platforms and enabling this shift through true process transformation and people development. |
2 | FIPS 201-3 Personal Identity Verification (PIV) of Federal Employees and Contractors | This Publication, released in January 2022, supersedes FIPS 201-2 and establishes a standard for a Personal Identity Verification (PIV) system that meets the control and security objectives of Homeland Security Presidential Directive-12. |
3* | NIST SP 800-53A R5 Assessing Security & Privacy Controls in Federal Information Systems & Organizations | This Publication, released in January 2022, supersedes NIST SP 800-53A R4, and provides a methodology and set of procedures for conducting assessments of security and privacy controls employed within systems and organizations within an effective risk management framework. |
4** | DoDD 5200.47E Anti-Tamper (AT) | This Directive is replacing DoDD 5000.01 in the Policy Chart as it references Cybersecurity more specifically than the broad scope of DoDD 5000.01. It addresses the identification and protection of Critical Program Information (CPI) in accordance with DoDI 5200.39 Critical Program Information (CPI) Identification and Protection Within Research, Development, Test, and Evaluation (RDT&E). |
5** | DoDI 5000.02 Operation of the Adaptive Acquisition Framework | This Instruction replaces DoDI 5000.02T in the Policy Chart in order to maintain the chart’s Cybersecurity relevance. DoDI 5000.02 restructures defense acquisition guidance to improve process effectiveness and implement the Adaptive Acquisition Framework (AAF). When the AAF realignment is complete, an administrative change to this issuance will cancel DoDI 5000.02T. |
6 | CNSSP-200 National Policy on Controlled Access Protection | This Policy, released in January 2022, defines a minimum level of protection for automated information systems operated by executive branch agencies and departments of the Federal Government and their contractors. |
11 January 2022
# | Document Name | Change/Justification |
---|---|---|
1 | EO 14028 on Improving the Nation’s Cybersecurity | Added the number of the Executive Order to assist in locating the document on the policy chart. The link remains in the National/Federal subcategory. |
2 | NIST SP-800-213 IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements | This Publication, released in November 2021, contains background and recommendations to help organizations consider how an IoT device they plan to acquire can integrate into a system. |
3 | CNSSI 1300 Secret NSS PKI X.509 Certificate Policy | This Instruction, updated in December 2021, establishes the requirements for Federal Departments and Agencies to implement the National Security Systems Public Key Infrastructure to manage and support their Secret NSS networked systems. |
4 | DoDI 8140.02 Identification, Tracking, And Reporting of Cyberspace Workforce Requirements | This Instruction, published in December 2021, establishes policy, assigns responsibilities, and provides guidance for the identification, tracking, data collection, and reporting requirements of DoD Cyberspace Workforce Framework (DCWF) work roles. |
29 November 2021
# | Document Name | Change/Justification |
---|---|---|
1 | CNSSD-505 Supply Chain Risk Management | This directive released on 11/17/2021 updates formats and references regarding supply chain risk management (SCRM) capabilities for National Security Systems (NSS). This Directive provides a “whole of government approach” resulting in enhanced inter-agency collaboration and the sharing of lessons learned to address SCRM. |
2 | CNSSD-520 The Use of Mobile Devices to Process National Security Information Outside of Secure Spaces | This directive released 11/09/2021 provides specific instructions for the control and use of mobile devices that are intended to store, process, and transmit NSI outside of secure spaces, both domestically and limited overseas, to ensure that mobile devices are protected commensurate to the threat environment and level of information stored, processed, transmitted, or communicated. |
3 | CNSSI 1011 Implementing Host-Based Security Capabilities on National Security Systems | This Instruction released on 09/09/2021 provides operational guidance and assigns responsibilities for deploying host-based security capabilities for National Security Systems. |
4 | CNSSI 1013 Network Intrusion Detection Systems and Intrusion Prevention Systems (IDS/IPS) on National Security Systems | This Instruction released on 09/09/2021 provides operational guidance and assigns responsibilities for deploying network intrusion detection systems and network intrusion prevention systems (IDS/IPS) capabilities for National Security Systems (NSS). |
19 October 2021
# | Document Name | Change/Justification |
---|---|---|
1 | CNSSD-504 Directive on Protecting National Security Systems from Insider Threat | Updated policy document from September 2021 added to the Develop the Workforce subcategory. Update only corrects for format and references. This document establishes that cybersecurity procedures should be implemented to protect against insider threats. |
2 | CNSSP-22 Cybersecurity Risk Management | Policy updated September 2021. This policy document provides guidance for organizations that own, operate, or maintain national security systems (NSS) to establish an integrated, organization-wide Cybersecurity Risk Management Program among other cyber risk mitigation activities. |
3 | CNSSI-5000 Voice Over Internet Protocol (VoIP) Telephony | Policy updated September 2021. This policy document contains requirements for providing on-hook and off-hook audio security for VoIP (video/voice) systems located in areas where NSS are located. |
8 September 2021
# | Document Name | Change/Justification |
---|---|---|
1 | CNSSP-10 National Policy Governing Use of Approved Security Containers in Information Security Applications | New policy document from April 28, 2021 added to the Manage Access subcategory. Document establishes the Policy on the use of approved security containers in Information System Security applications. |
2 | CNSSP-11 National Policy Governing the Acquisition of Information Technology Products | Policy updated July 9, 2021. This policy governs the acquisition policies regarding national security systems. |
3 | CNSSP-14 National Policy Governing the Release of IA Products/Services | Policy updated May 19, 2021. This policy governs the release of Information Assurance (IA) products and services to U.S. persons or activities that are not part of the federal government. |
4 | CNSSP-16 National Policy for the Destruction of COMSEC Paper Material | Policy updated May 5, 2021. This policy requires departments and agencies to use crosscut shredders that meet the new NSA specification for the destruction of paper-based COMSEC material. It also defines parameters for the use of crosscut shredders currently in inventory until such time as new shredders are obtained. |
5 | CNSSP-18 National Policy on Classified Information Spillage | Policy updated May 19, 2021. This policy applies to the spillage of classified national security information on any IS, be it government or nongovernment systems. It provides a framework for the consistent handling of the spillage of classified national security information. |
6 | CNSSI-1001 National Instruction on Classified Information Spillage | Policy updated June 15, 2021. This instruction establishes the minimum actions required when responding to an information spillage of classified national security information. |
24 June 2021
# | Document Name | Change/Justification |
---|---|---|
1 | White House – President Biden: Executive Order on Improving the Nation’s Cybersecurity | New document from 05/12/21 added to the National/Federal subcategory concerning improving cybersecurity capabilities of the nation. Specifically, the administration commits to prioritizing the prevention, detection, assessment, and remediation of cyber incidents. |
2 | * DoDD 5101.21E DoD Executive Agent for Unified Platform and Joint Cyber Command and Control (JCC2) | New document from 06/04/20 added to the Strengthen Cyber Readiness subcategory regarding closing critical cyberspace capability gaps, and ensuring the delivery of resilient, agile, secure, and effective cyberspace capability solutions to the warfighter. |
26 May 2021
# | Document Name | Change/Justification |
---|---|---|
1 | NIST SP 1800-25 Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events | New document added to the Strengthen Cyber Readiness subcategory. Published December 2020. Document explores methods to effectively identify assets (devices, data, and applications) that may become targets of data integrity attacks, as well as the vulnerabilities in the organization’s system that facilitate these attacks. |
2 | CNSSI-4007 Communications Security (COMSEC) Utility Program * | Relocated document link from Manage Access to Sustain Missions subcategory |
3 | DoDD 5144.02 DoD Chief Information Officer | Relocated document from Develop and Maintain Trust to Sustain Missions subcategory |
27 April 2021
# | Document Name | Change/Justification |
---|---|---|
1 | CNSSI-4007 Communications Security (COMSEC) Utility Program | Relocated document link from Partner for Strength to the Manage Access subcategory |
2 | DOD Instruction 5000.90, Cybersecurity for acquisition decision authorities and program managers* | Change 10 was issued to update the instruction. Originating Component: Office of the Under Secretary of Defense for Acquisition and Sustainment. Added to the Prevent and Delay Attackers and Prevent Attackers from Staying subcategory. Effective: December 31, 2020 |
3 | Added Directive-type Memorandum 20-004 Enabling Cyberspace Accountability of DoD Components and Information Systems | Added this new document link to the Design for the Fight subcategory. November 13, 2020. DTM 20-004, “Enabling Cyberspace Accountability of DoD Components and Information Systems” |
4 | MOA Between DoD and DHS (Jan. 19, 2017) | Relocated document link from Design for the Fight to the Partner for Strength subcategory |
19 March 2021
# | Document Name | Change/Justification |
---|---|---|
1 | Interim National Security Strategic Guidance* | The new Administration has issued interim guidance to which all Departments and Agencies should align their actions as the White House team begins work on a new National Security Strategy. Published: Mar 21 |
2 | National Cyber Strategy | Document link fixed. https://dodcio.defense.gov/Portals/0/Documents/Cyber/ICAM_Strategy.pdf |
3 | DoD Information Sharing Strategy | Document link fixed. https://dodcio.defense.gov/Portals/0/Documents/InfoSharingStrategy.pdf |
4 | DoD Identity, Credential, and Access Management (ICAM) Strategy | Document link added. https://dodcio.defense.gov/Portals/0/Documents/Cyber/ICAM_Strategy.pdf |
5 | NIST SP 800-172: Enhanced Security Requirements for Protecting Controlled Unclassified Information** | New Documentation. https://doi.org/10.6028/NIST.SP.800-172 Published: Feb 21 |
6 | DoDI 5000.02T Operation of the Defense Acquisition System | Change 10 published on 31 December 2020. Document link updated. https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/500002Tp.pdf?ver=2020-09-15-152849-783 |
7 | DoDI 8510.01 Change 3, “Risk Management Framework (RMF) for DoD Information Technology (IT)” | Document link updated. Change 3 Published: 29 Dec 20 |
8 | DoDI 8523.01, “Communications Security” | Document link updated. Reissued: 6 Jan 21 |
9 | DoDI 8581.01 IA Policy for Space Systems Used by the DoD | Document removed. Canceled: Aug 2020 |
16 March 2021
# | Document Name | Change/Justification |
---|---|---|
1 | Interim National Security Strategic Guidance* | The new Administration has issued interim guidance to which all Departments and Agencies should align their actions as the White House team begins work on a new National Security Strategy. Published: Mar 21 |
2 | National Cyber Strategy | Document link fixed. https://dodcio.defense.gov/Portals/0/Documents/Cyber/ICAM_Strategy.pdf |
3 | DoD Information Sharing Strategy | Document link fixed. https://dodcio.defense.gov/Portals/0/Documents/InfoSharingStrategy.pdf |
4 | DoD Identity, Credential, and Access Management (ICAM) Strategy | Document link added. https://dodcio.defense.gov/Portals/0/Documents/Cyber/ICAM_Strategy.pdf |
5 | NIST SP 800-172: Enhanced Security Requirements for Protecting Controlled Unclassified Information** | New Documentation. https://doi.org/10.6028/NIST.SP.800-172 Published: Feb 21 |
6 | DoDI 5000.02T Operation of the Defense Acquisition System | Change 10 published on 31 December 2020. Document link updated. https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/500002Tp.pdf?ver=2020-09-15-152849-783 |
7 | DoDI 8510.01 Change 3, “Risk Management Framework (RMF) for DoD Information Technology (IT)” | Document link updated. Change 3 Published: 29 Dec 20 |
8 | DoDI 8523.01, “Communications Security” | Document link updated. Reissued: 6 Jan 21 |
30 November 2020
# | Document Name | Change/Justification |
---|---|---|
1 | NIST SP 800-207, Zero Trust Architecture | New document added. This document contains an abstract definition of zero trust architecture (ZTA) and gives general deployment models and use cases where zero trust could improve an enterprise’s overall information technology security posture. Published: August 2020 |
2 | NIST SP 800-209, Security Guidelines for Storage Infrastructure | New document added. Comprehensive security recommendations for storage infrastructures. The security focus areas covered in this document not only span those that are common to the entire IT infrastructure—such as physical security, authentication and authorization, change management, configuration control, and incident response and recovery—but also those that are specific to storage infrastructure, such as data protection, isolation, restoration assurance, and data encryption. Published: 26 October 2020 |
3 | NIST SP 1800-16, Securing Web Transactions: TLS Server Certificate Management | New document added. NIST SP 1800-16 describes the TLS certificate management challenges faced by organizations; provides recommended best practices for large-scale TLS server certificate management; describes an automated proof-of-concept implementation that demonstrates how to prevent, detect, and recover from certificate-related incidents; and provides a mapping of the demonstrated capabilities to the recommended best practices and to NIST security guidelines and frameworks. Published: 06 June 2020 |
4 | NIST SP 800-210, General Access Control Guidance for Cloud Systems | New document added. This document presents cloud access control characteristics and a set of general access control guidance for cloud service models: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service). Published: July 2020 |
5 | DoDD O-5100.19, Critical Information Communications (CRITICOM) System (CAC-required) | New document added. Assigns responsibility and prescribes procedures for the establishment of software acquisition pathways IAW Section 800 of Public Law 116-92. Published: 02 October 2020 |
6 | DoDI 5000.87, Operation of the Software Acquisition Pathway | USD(I) was changed to USD(I&S) to reflect office name change. |
7 | DoDI 5205.83, DoD Insider Threat and Management and Analysis Center (DITMAC) | New document added. Enterprise-level capability for managing and analyzing insider threats. Change 1: 29 October 2020 |
8 | DoDM 3305.09, Cryptologic Accreditation and Certification | New document added. Provides accreditation guidance and procedures for DoD education and training institutions that support the cryptologic community. Change 2: 01 October 2020 |
9 | DoDM 5205.02E, DoD Operations Security (OPSEC) Program Manual | New document added. To provide baseline requirements to ensure national security-related missions and functions are protected (to include information systems). Change 2: 29 October 2020 |
10 | Cybersecurity Maturity Model Certification (CMMC), v. 1.02 | New document added. Certification developed to enhance the protection of FCI and CUI within the DIB. Version dated 18 March 2020. |
13 October 2020
# | Document Name | Change/Justification |
---|---|---|
1 | 14 U.S.C. Ch. 7 | Replaced with new hyperlink to authoritative source |
2 | DoDI 8531.01 | The link to DoDI 8531.01 mistakenly linked to DoDI 8530.01 and has been fixed. |
09 October 2020
# | Document Name | Change/Justification |
---|---|---|
1 | Title 14, U.S. Code, Cooperation with Other Agencies | Replaced with new hyperlink |
2 | NIST Special Publication 800-53, Rev. 5, Security and Privacy Controls for Information Systems and Organizations | Long awaited and very important update, published September 2020, supersedes Rev. 4 |
3 | CNSSD 507: National Directive for Identity, Credential, and Access Mgmt. Capabilities on the U.S. Federal Secret Fabric | Provides a minimum set of requirements for Identity, Credential, and Access Management (ICAM) implementation and management that applies to the Federal Secret Fabric. Updated July 7, 2020. |
4 | DoD Directive 8140.01, Cyberspace Workforce Management | Published October 5, 2020, superseding the earlier version dated August 11, 2015 |
5 | DoD Instruction 8531.01, DoD Vulnerability Management | Released on September 15, 2020 |
6 | DoD Data Strategy | The DoD Data Strategy supports the National Defense Strategy and Digital Modernization, published October 9, 2020 |
7 | DTM 17-007, Ch. 3, Defense Support to Cyber Incident Response | Change 3 issued May 29, 2020 |
30 July 2020
# | Document Name | Change/Justification |
---|---|---|
1 | DoDI 8320.02: Sharing Data, Information, and Technology (IT) Services in the Department of Defense | Incorporating Change 1, effective June 24, 2020. Summary of Change 1: The change to this issuance updates references and organizational titles and removes expiration language in accordance with current Chief Management Officer of the Department of Defense direction. |
2 | DoD Identity, Credential, and Access Management (ICAM) Strategy | ICAM Strategy signed on 17 July 2020 |
3 | MOA Between DoD and DHS | Removed “requires CAC” language; CAC no longer required to view MOA. |
4 | RMF Knowledge Service | Italicized to reflect no publicly accessible version available. Available with CAC only. |
5 | About This Chart | Added note to open PDF document directly in a web browser |
6 | USD(I&S)* | USD(I) was changed to USD(I&S) to reflect office name change. |
22 June 2020
# | Document Name | Change/Justification |
---|---|---|
1 | HSPD-12* | Updated Link |
2 | NIST SP 800-37, R1* | Replaced by NIST SP 800-37, R2 |
3 | NIST SP 800-163* | Replaced by NIST SP 800-163, R1 |
4 | CJCSI 3213.02D, Joint Operations Security* | Should be labeled as CJCSI 3213.01D |
5 | NIST SP 800-34, R1* | Updated Link |
6 | OMB Circular A-130 | Updated Link |
7 | DoD Cybersecurity Risk Reduction Strategy | New Policy / Link to Document not publicly available. |
8 | “About This Chart” | Added instructions for how to follow the link to a policy for those whose organizational policies block them from hyperlinking directly from a .pdf document. |
29 May 2020
# | Document Name | Change/Justification |
---|---|---|
1 | National Strategy to Secure 5G | New policy added |
2 | DoD 5G Strategy | New policy added |
3 | N/A | Moved Executive Orders and Presidential Directives from “Lead and Govern” to “National/Federal” to make room for new strategies. |
1 April 2020
# | Document Name | Change/Justification |
---|---|---|
1 | NIST Framework for Improving Critical Infrastructure Cybersecurity | Updated link |
2 | Common Criteria Evaluation and Validation Scheme (CCEVS) | Updated to reflect change in CCEVS as of February 2020 |
3 | DoDI 5000.02T Operation of the Defense Acquisition System | Updated to reflect change in January 2020 |
4 | DoDI 8510.01, Risk Management Framework for DoD IT | Updated link |
5 | Joint Publication 6-0, Joint Communications System | Updated link |
6 | MOA Between DoD and DHS (Jan 19, 2017, requires CAC) | Updated link |
7 | DoDI 8420.01 Commercial WLAN Devices, Systems, and Technologies | Updated link |
8 | DoD O-8530.1-M (CAC req’d) CND Service Provider Certification and Accreditation Program | Updated link |
9 | DoDD 3020.40, Mission Assurance | Updated link |
10 | DoDD 3100.10, Space Policy | Updated link |
11 | Defense Acquisition Guidebook | Updated link |
12 | Title 14, US Code, Cooperation With Other Agencies (Ch. 7) | Updated link |
13 | NISTIR 7298, Rev. 3, Glossary of Key Information Security Terms | Updated link to point to Rev. 3. |
14 | NIST SP 800-125A, R1, Security Recommendations for Hypervisor Platforms | Updated link |
15 | NIST SP 800-88, R1, Guidelines for Media Sanitization | New policy added |
13 March 2020
# | Document Name | Change/Justification |
---|---|---|
1 | NIST SP 800-171, R2 Protecting CUI in Nonfederal Systems and Organizations | Superseded R1 of NIST SP 800-171 on 21 Feb 2020 |
2 | DoDI 5200.48 Controlled Unclassified Information (CUI) | New issuance, cancels DoD 5200.01 Volume 4. Issued 6 Mar 2020. |
3 | NIST SP 800-63 series Digital Identity Guidelines | NIST SP 800-63-3, 800-63A, 800-63B, and 800-63C were all updated on 2 Mar 2020 |
19 February 2020
# | Document Name | Change/Justification |
---|---|---|
1 | DoDI 8170.01, Online Information Management and Electronic Messaging | Updated hyperlink |
18 February 2020
# | Document Name | Change/Justification |
---|---|---|
1 | DoDD 8140.01, Cyberspace Workforce Management | Updated hyperlink |
2 | DoDI 8170.01, Online Information Management and Electronic Messaging | Supersedes DoD Instruction 8550.01, “DoD Internet Services and Internet-Based Capabilities,” September 11, 2012 (which was removed from the chart) |
3 | Joint Special Access Program (SAP) Implementation Guide (JSIG) | Updated hyperlink |
29 January 2020
# | Document Name | Change/Justification |
---|---|---|
1 | CNSSI-5002, Telephony Isolation Used for Unified Communications Implementations within Physically Protected Spaces | Supersedes CNSSI No. 5002, National Information Assurance (IA) Instruction for Computerized Telephone Systems (February 2012) on December 18, 2019. |
2 | DTM 17-007, Defense Support to Cyber Incident Response | Updated hyperlink |
17 December 2019
# | Document Name | Change/Justification |
---|---|---|
1 | NIST SP 800-34, R1 Contingency Planning Guide for Federal Information Systems | New addition to chart to address contingency planning.* |
2 | NIST SP 800-82, R2 Guide to Industrial Control Systems (ICS) Security | New addition to chart to address ICS cybersecurity.* |
3 | DoDI 8582.01, Security of Non-DoD Information Systems Processing Unclassified Nonpublic DoD Information | Policy was updated on 9 Dec 2019. |
4 | UFC 4-010-06, Cybersecurity of Facility-Related Control Systems | New addition to chart to address cybersecurity issues for facility-related control systems.* |
5 | Security Technical Implementation Guides (STIGs) | Hyperlink updated to link to DISA’s updated website and new URL.† |
6 | Security Configuration Guides (SCGs) | Hyperlink updated to link to NSA’s updated website and new URL. |
7 | NSA IA Guidance | New addition to the chart includes 123 “security tip” documents for mitigating cyber risk |
27 November 2019
# | Document Name | Change/Justification |
---|---|---|
1 | CNSSD 506, National Directive to Implement PKI on Secret Networks | New addition to the Policy Chart |
2 | CNSSD 520, The Use of Mobile Devices to Process National Security Information Outside of Secure Spaces | New addition to the Policy Chart |
30 October 2019
# | Document Name | Change/Justification |
---|---|---|
1 | DoDI 5205.13 Defense Industrial Base (DIB) Cyber Security (CS) / IA Activities | Change 2 issued on 21 August 2019 |
2 | DoDI 8500.01, Cybersecurity | Change 1 issued on 7 Oct 2019 |
3 | NIST 800-128, Guide for Security-Focused Configuration Management of Information Systems | Updated 10 October 2019 |
4 | NIST 800-160, Vol. 1, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems | Added to the chart to reflect the increasing importance of this topic. |
5 | FIPS Pub 140-3, Security Requirements for Cryptographic Modules | Superseded FIPS Pub 140-2. FIPS 140-3 was published on 22 Mar 2019, but didn’t officially become effective under the implementation schedule until 22 Sep 2019. |
25 October 2019
# | Document Name | Change/Justification |
---|---|---|
1 | DoDI 5205.13 Defense Industrial Base (DIB) Cyber Security (CS) / IA Activities | Change 2 issued on 21 August 2019 |
2 | DoDI 8500.01, Cybersecurity | Change 1 issued on 7 Oct 2019 |
3 | NIST 800-128, Guide for Security-Focused Configuration Management of Information Systems | Updated 10 October 2019 |
4 | NIST 800-160, Vol. 1, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems | Added to the chart to reflect the increasing importance of this topic. |
23 July 2019
# | Document Name | Change/Justification |
---|---|---|
1 | DoD Digital Modernization Strategy | Added this new Strategy released on 12 July 2019 |
2 | DoDM O-5205.13, Defense Industrial Base (DIB) Cybersecurity (CS) Program Security Classification Manual (SCM) | Change 1 issued on 14 Jun 2019. (Note: This document requires a DoD PKI certificate for access.) |
3 | Directive-Type Memorandum (DTM) 17-007 – “Interim Policy and Guidance for Defense Support to Cyber Incident Response” | Change 2 issued on 6 Jun 2019 |
22 May 2019
# | Document Name | Change/Justification |
---|---|---|
1 | EO 13873: Securing the Information and Communications Technology and Services Supply Chain | Added this new Executive Order signed 15 May 2019 |
2 | EO 13800: Strengthening Cybersecurity of Fed Nets and CI | Updated link to the Federal Register’s permalink |
3 | EO 13636: Improving Critical Infrastructure Cybersecurity | Updated link to the Federal Register’s permalink |
4 | NIST SP 800-163, Vetting the Security of Mobile Applications | Added this new publication, published on 19 Apr 2019 |
5 | DoD Information Technology Environment Strategic Plan | Moved from the Lead and Govern block to the National/Federal block to make room for the new Executive Order. |
6 | Cybersecurity Policy Chart | Updated the red text in the bottom center of the chart to reflect the new location that DTIC established for updated versions of the chart. |
28 February 2019
# | Document Name | Change/Justification |
---|---|---|
1 | 2019 National Intelligence Strategy | Added this updated strategy |
2 | Department of Defense (DoD) Cloud Strategy | Added this new strategy |
3 | Summary of the 2018 DoD Artificial Intelligence Strategy | Added an unclassified summary of this new strategy |
4 | CYBERCOM Orders | Older references to STRATCOM policies were removed from the Operational section of the chart and replaced with references to CYBERCOM orders and JFHQ-DODIN orders. Neither is hyperlinked because these orders are not available to the public. |
5 | JFHQ-DODIN Orders | See above |
15 January 2019
# | Document Name | Change/Justification |
---|---|---|
1 | CJCSI 5123.01H, Charter of the JROC and Implementation of the JCID | As of 18 Aug 2018, CJCSI 5123.01H stated that “CJCSI 3170.01 Series, “Joint Capabilities Integration and Development System (JCIDS),” is hereby canceled, with content moved to Enclosure D of this CJCSI.” |
2 | Department of Defense (DoD) Joint Special Access Program (SAP) Implementation Guide (JSIG) | Policy added to chart to expand coverage to JSAP. |
7 January 2019
# | Document Name | Change/Justification |
---|---|---|
1 | DoDI 5200.39, Critical Program Information (CPI) Identification and Protection Within Research, Development, Test, and Evaluation (RDT&E) | Added per the suggestion of Ms. Creel of the CERT Division, Software Engineering Institute, Carnegie Mellon University. |
5 December 2018
# | Document Name | Change/Justification |
---|---|---|
1 | CJCSI 3170.01, Joint Capabilities Integration and Development System (JCIDS) | Manual was converted to a “living document” available at the new hyperlink |
2 | UCP Unified Command Plan | Updated link to unclassified site that identifies the 10 Combatant Commands and provides information on each. |
25 September 2018
# | Document Name | Change/Justification |
---|---|---|
1 | National Cyber Strategy | Replaces the 2003 National Cyber Strategy. |
2 | 2018 DoD Cyber Strategy | Update to the 2015 DoD Cyber Strategy. It was signed on 27 July, but a publicly accessible, unclassified summary became available on 18 Sep. The hyperlink is to the unclassified summary. |
3 | CNSSP-28, “Cybersecurity of Unmanned National Security Systems,” 6 July 2018 | New policy. |
4 | DoDI 8560.01, “Communications Security (COMSEC) Monitoring,” 22 Aug 2018 | Incorporated and canceled DoD Instruction 8560.01, “Communications Security (COMSEC) Monitoring and Information Assurance (IA) Readiness Testing,” October 9, 2007. |
5 | DoD Cybersecurity Policy Chart | Added additional CSIAC contact information to the upper left corner of the chart. |
14 August 2018
# | Document Name | Change/Justification |
---|---|---|
1 | 2018 DoD Cyber Strategy | Update to the 2015 DoD Cyber Strategy. It was signed on 27 July, but a publicly accessible version is not yet available, so the name is italicized in the chart indicating no public-facing hyperlink is available. |
2 | CNSSI-5000, Annex I, Voice Over Secure Internet Protocol (VoSIP) | Annex released on 21 June 2018. |
12 June 2018
# | Document Name | Change/Justification |
---|---|---|
1 | Directive-Type Memorandum (DTM) 17-007 – “Interim Policy and Guidance for Defense Support to Cyber Incident Response” | NIST Released NIST SP 800-126, R3, SCAP 1.3 on 14 Feb 2018 |
2 | CJCSI 6510.02E, Cryptographic Modernization Plan | Updated from CJCSI 6510.02D |
3 | CJCSM 3213.02D, Joint Staff Focal Point | Updated from CJCSM 3213.02C |
4 | NIST SP 800-171, R1, Protecting CUI in Nonfederal Systems and Organizations | Rev. 1 final release date was 6/7/2018. |
5 | NIST SP 800-125A, R1, Security Recommendations for Hypervisor Platforms | Rev. 1 final release date was 6/7/2018. |
6 | National Security Strategy | Moved from National/Federal to Organize/Lead and Govern |
9 April 2018
# | Document Name | Change/Justification |
---|---|---|
1 | NIST SP 800-126, R2 SCAP 1.2 | NIST Released NIST SP 800-126, R3, SCAP 1.3 on 14 Feb 2018 |
2 | NIST SP 800-171 | NIST Released NIST SP 800-171, R1, on 20 Feb 2018 |
3 | NIST SP 800-125A | Added NIST SP 800-125A, Security Recommendations for Hypervisor Deployment on Servers, 23 Jan 2018 |
4 | DoD Directive 3020.26, “Department of Defense Continuity Programs,” January 9, 2009, as amended | Reissued and canceled by DoDD 3026, DoD Continuity Policy, 14 Feb 2018 |
5 | CJCSI 3170.01I, Joint Capabilities Integration and Development System (JCIDS) | Updated link. |
6 | Stored Communications Act, 18 USC §2701 et seq. | The Stored Communications Act was amended by the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which was passed as part of the Consolidated Appropriations Act of 2018, signed into law on 23 March 2018. NOTE: The link to the Government Publishing Office’s text of the law currently does not reflect these most recent changes, nor does the House of Representatives official United States Code website. Both are expected to be updated after some time. |
1 February 2018
# | Document Name | Change/Justification |
---|---|---|
1 | 2017 National Defense Strategy | Released on 19 January 2018, it replaces the 2012 National Defense Strategy. Since the National Defense Strategy is classified, the link is to the unclassified summary. |
2 | Quadrennial Defense Review | Removed from chart, based on the 2017 National Defense Authorization Act (NDAA), which replaced the legislative foundation of the Quadrennial Defense Review with requirements to be included in a National Defense Strategy. |
3 | Strategic Instruction (SI) 527-01 DoD INFOCON System Procedures, 27 March 2015 | Superseded SD 527-01, 27 Jan 2006. |
4 | NIST Framework for Improving Critical Infrastructure Cybersecurity | Updated broken link. |
5 | CJCSM 6510.02, Information Assurance Vulnerability Management Program | Added this older policy to the chart. Policy is in italics because it is FOUO and so no publicly accessible link can be provided. |
8 January 2018
# | Document Name | Change/Justification |
---|---|---|
1 | EO 13636: Improve Critical Infrastructure Cybersecurity | Corrected link to Document. |
2 | The DoD Cybersecurity Policy Chart | Changed the gray/white background/text combos to gray/black. |
18 December 2017
# | Document Name | Change/Justification |
---|---|---|
1 | 2017 National Security Strategy | Released on 18 December 2017, it replaces the 2015 National Security Strategy. |
13 December 2017
# | Document Name | Change/Justification |
---|---|---|
1 | DoDI 8310.01 Information Technology Standards in the DoD | Added to chart |
2 | EO 13636: Improving Critical Infrastructure Cybersecurity | Corrected Link to document |
3 | DoDI 8582.01 Security of Unclassified DoD Information on Non-DoD Info Systems | Policy updated by DoDI 8310.01 |
4 | NSTISSI 7003 Protective Distribution Systems | Changed to CNSSI 7003, Protected Distribution Systems |
6 November 2017
# | Document Name | Change/Justification |
---|---|---|
1 | NIST SP 800-18, Rev 1 | Corrected Link to document |
3 November 2017
# | Document Name | Change/Justification |
---|---|---|
1 | ASD(NII)/DoD CIO Memo on Use of Peer-to-Peer File Sharing Applications | Removed, was canceled by DoDI 8500.01, Cybersecurity |
2 | CNSSI-4001 | Added link. |
3 | CNSSI-4005 | Added link. |
4 | CNSSP-16 | Added link. |
5 | DoDD 3020.40 | Updated link. |
6 | DoDI 5200.01 | Updated link. |
7 | DoDI 8320.02 | Corrected link. |
8 | DoDI 8551.01 | Updated link. |
9 | Ethics Regulations | Updated link. |
10 | E. O. 13800 | Added. |
11 | FIPS 140-2 | Updated link. |
12 | FIPS 199 | Updated link. |
13 | FIPS 200 | Updated link. |
14 | ICD 503 | Updated link. |
15 | NISTIR 7693 | Updated link. |
16 | NIST SP 800-18, Rev 1 | Updated link. |
17 | NIST SP 800-39 | Updated link. |
18 | NIST SP 800-59 | Updated link. |
19 | NIST SP 800-60, Vol 1, Rev 1 | Updated link. |
20 | NIST SP 800-92 | Updated link. |
21 | NIST SP 800-126, Rev 2 | Updated link. |
22 | NIST SP 800-128 | Updated link. |
23 | NIST SP 800-137 | Updated link. |
24 | NIST SP 800-153 | Updated link. |
25 | NSTISSI-4003 | Changed to CNSSI 4003 and added link. |
26 | NSTISSI-4006 | Changed to CNSSI 4006 and added link. |
27 | OMB A-130 | White House temporarily moved many policies to the Obama White House archives site, though these appear to be in full force unless or until formally rescinded or superseded. |
28 | Security Configuration Guides | Updated link. |
15 Aug 2017
# | Document Name | Change/Justification |
---|---|---|
1 | DoDD 8000.01 | Change issued 27 July 2017 to include US Coast Guard in applicability paragraph and make other administrative updates. |
2 | DoDD 8140.01 | Change issued 31 July 2017 to include US Coast Guard in applicability paragraph and make other administrative updates. |
3 | DoDI 8510.01 | Change issued 28 July 2017 to include US Coast Guard in applicability paragraph and make other administrative updates. |
4 | DoDI 8520.03 | Change issued 27 July 2017 to include US Coast Guard in applicability paragraph and make other administrative updates. |
5 | DoDI 8530.01 | Change issued 25 July 2017 to include US Coast Guard in applicability paragraph and make other administrative updates. |
6 | DoDI 8551.01 | Change issued 27 July 2017 to include US Coast Guard in applicability paragraph and make other administrative updates. |
7 | MOA Between DoD & DHS | MOA signed 19 January 2017 regarding Department of Defense and U.S. Coast Guard cooperation on cybersecurity and cyberspace operations. |
30 Jun 2017
# | Document Name | Change/Justification |
---|---|---|
1 | All DoDDs, DoDIs, DoDMs, and other DoD issuances | 46 hyperlinks changed to reflect the movement of the official DoD Issuances website to a new URL. |
2 | DoD Acquisition Guidebook | Hyperlink changed to reflect updated URL for the DAG. Link is to Chapter 9, which is the deepest link permitted, but subpart 3.2.2, Risk Management Framework for DoD IT is the pertinent reference. |
05 Jun 2017
# | Document Name | Change/Justification |
---|---|---|
1 | National Strategy for Information Sharing and Safeguarding (2012) | Updated link: https://obamawhitehouse.archives.gov/sites/default/files/rss_viewer/internationalstrategy_cyberspace.pdf |
2 | U.S. International Strategy for Cyberspace (2011) | Updated link: https://obamawhitehouse.archives.gov/sites/default/files/rss_viewer/internationalstrategy_cyberspace.pdf |
3 | 25 Point Implementation Plan to Reform Federal IT Management (2010) | Removed. |
4 | NIST Framework for Improving Critical Infrastructure Cybersecurity (2014) | Updated link: https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf |
5 | National Defense Strategy (NDS) (2012) | Updated broken link: http://www.acqnotes.com/Attachments/2012%20National%20Defense%20Strategy.pdf |
6 | IA Component of the GIG Integrated Architecture, Version 1.1 (2002) | Removed. |
7 | Alignment Framework for the GIG IA Architecture (AFG) Version 1.1 (2002) | Removed. |
8 | IATF Release 3.1 Information Assurance Technical Framework (2002) | Removed. |
9 | DoDI 5000.02 Operation of the Defense Acquisition System (2017) | Updated broken link: http://www.dtic.mil/whs/directives/corres/pdf/500002_dodi_2015.pdf |
10 | DoD CIO Memo (2011) Interim Guidance on Networthiness of IT Connected to DoD Networks | Removed. |
11 | DoD CIO G&PM 12-8430 (2001) Acquiring Commercial Software | Removed. |
12 | NSTISSI-4000 to: CNSSI-4000 Maintenance of Communications Security (COMSEC) Equipment (2012) | Link Broken/Document Type Changed: https://www.cnss.gov/CNSS/issuances/Instructions.cfm |
13 | ICD 503 IC Information Technology Systems Security Risk Management | Updated link: https://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives |
14 | OMB M-05-24 Implementation of HSPD-12 | Removed. |
15 | From NSTISSI to CNSSI 4001 Controlled Cryptographic Items (2013) | Document Type Change/Updated link: https://www.cnss.gov/CNSS/issuances/Instructions.cfm |
16 | DoDI 5200.01 DoD Information Security Program And Protection Of Sensitive Compartmented Information (SCI) (2016) | Updated broken link: http://www.dtic.mil/whs/directives/corres/pdf/520001p.pdf |
17 | DoD Information Sharing Strategy (2007) | Updated broken link: http://dodcio.defense.gov/Portals/0/Documents/DIEA/InfoSharingStrategy.pdf |
18 | ASD(NII)/DoD CIO Memo Use of Peer-to-Peer File Sharing Applications Across DoD | Removed. This Memo was canceled by DoDI 8500.01, Cybersecurity |
19 | CJCSI 6211.02D Defense Information System Network (DISN) Responsibilities (2012) | Updated broken link: http://www.jcs.mil/Portals/36/Documents/Library/Instructions/6211_02a.pdf?ver=2016-02-05-175050-653 |
20 | CJCSM 6510.01B Cyber Incident Handling Program (2014) | Updated broken link: http://www.jcs.mil/Portals/36/Documents/Library/Manuals/m651001.pdf?ver=2016-02-05-175710-897 |
21 | CJCSI 6510.01F Information Assurance (IA) And Support To Computer Network Defense (CND) (2015) | Updated broken link: http://www.jcs.mil/Portals/36/Documents/Library/Instructions/6510_01.pdf?ver=2016-02-05-175054-497 |
22 | NSTISSD-600 Communications Security Monitoring (1990) | Added link: https://www.cnss.gov/CNSS/issuances/Directives.cfm |
23 | DoDD 3020.40 Mission Assurance (MA) (2016) | Title and Link Updated: http://www.dtic.mil/whs/directives/corres/pdf/302040_dodd_2016.pdf |
24 | DoDI 8581.01 Information Assurance (IA) Policy for Space Systems Used by the Department of Defense (2010) | Keep |
25 | DoDD S-5100.44 and DoDD S-3710.01 | Replacement/Updated Link. Replaced DoDD S-5100.44, Defense and National Leadership Command Capability (DNLCC) with DoDD S-3710.01, National Leadership Command Capability (NLCC). New link: http://www.dtic.mil/whs/directives/corres/pdf/S371001_placeholder.pdf |
26 | CNSSP-300 National Policy on Control of Compromising Emanations (2006) | Updated broken link: https://www.cnss.gov/CNSS/issuances/Policies.cfm |
27 | CNSSI-4004.1 Destruction and Emergency Protection Procedures for COMSEC and Classified Material (2008) | Updated broken link: https://www.cnss.gov/CNSS/issuances/Instructions.cfm |
28 | Defense Acquisition Guidebook Sect 7.5 Information Assurance (2013) and the DAG (2016) | Replaced/Updated Link. Replaced Defense Acquisition Guidebook Sect 7.5 Information Assurance (2013) with the DAG (2016). New link: https://dap.dau.mil/glossary/pages/178.aspx?scroll=0 |
29 | 2015 National Security Strategy | Updated broken link: http://www.jcs.mil/Portals/36/Documents/Publications/2015_National_Military_Strategy.pdf |
30 | NSD 42 | Updated link: https://www.cnss.gov/cnss/assets/authorities/NSD-42.pdf |
31 | OMB A-130 (2016) | Updated broken link: https://www.federalregister.gov/documents/2016/07/28/2016-17872/revision-of-omb-circular-no-a-130-managing-information-as-a-strategic-resource |
32 | CNSSI 4009 Committee on National Security Systems (CNSS) Glossary (2015) | Updated Title. |
33 | Security Configuration Guides (SCGs) | Consider Deleting. Current link takes you to “Media Destruction Guidance”. A search of the term SCG nets many different websites. Is there a particular site to reference? |
34 | Security Reference Review Scripts | Consider Deleting/Broken Link. A search of the term SCG nets many different websites. Is there a particular site to reference? |
35 | Component-Level Policy | Consider Deleting/Broken Link. This is too vague considering that everything on the chart has specific references. |
21 Aug 2016
# | Document Name | Change/Justification |
---|---|---|
1 | Presidential Policy Directive 41: United States Cyber Incident Coordination | New PPD issued. |
2 | CJCSI 6212.01F Net Ready Key Performance Parameter | Canceled by CJCSI 5123.01G, 12 Feb 15 |
3 | DoD 5220.22-M, Ch. 2 National Industrial Security Program Operating Manual (NISPOM) | Change 2 published May 18, 2016. Updated link. |
4 | DoDD 8000.01 Management of the DOD Information Enterprise | Policy and link updated. |
5 | DoDD 8521.01E Department of Defense Biometrics | Updated link. |
6 | DoDI O-8530.1 | Superseded by DoDI 8530.01, link updated. |
7 | DoDI O-8530.2 | Superseded by DoDI 8530.01, link updated. |
8 | DoDI 5200.01 DoD Information Security Program and Protection of SCI | Added as a new policy based on recent update. |
9 | DoDI 5200.08 | Change 3 issued, link updated. |
10 | SP 800-30, Rev. 1, Guide for Conducting Risk Assessments | Moved to: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf |
11 | SP 800-126 Rev. 2, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2 | Moved to: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-126r2.pdf |
12 | SP 800-128, Guide for Security-Focused Configuration Management of Information Systems (August 2011) | Moved to: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-128.pdf |
13 | SP 800-137, Information Security Continuous | http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf |
27 Oct 2015
# | Document Name | Change/Justification |
---|---|---|
1 | National Strategy for Information Sharing and Safeguards | Updated link: https://www.whitehouse.gov/sites/default/files/docs/2012sharingstrategy_1.pdf |
2 | Quadrennial Defense Review Report | Updated link: http://archive.defense.gov/pubs/2014_Quadrennial_Defense_Review.pdf |
3 | National Defense Strategy | Updated link: http://www.defense.gov/Portals/1/Documents/pubs/2008NationalDefenseStrategy.pdf |
4 | DoD Cyber Strategy | Updated link: http://www.defense.gov/Portals/1/features/2015/0415_cyber-strategy/Final_2015_DoD_CYBER_STRATEGY_for_web.pdf |
5 | DoD Strategy for Operating in Cyberspace | Removed as superseded by the DoD Cyber Strategy |
6 | National Military Strategic Plan for the War on Terrorism | Updated link: https://digitalndulibrary.ndu.edu/cdm/compoundobject/collection/strategy/id/9695/rec/8 |
7 | Title 44 – Federal Information Security Modernization Act (Ch. 35) | Updated link to reflect the amendments that the Federal Information Security Modernization Act made to the Federal Information Security Management Act. Updated link: https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf |
8 | CNSSI 1300 | De-italicized to show that a publicly accessible link is available at: https://www.cnss.gov/CNSS/issuances/Instructions.cfm |
9 | DFARS Subpart 208.74 | Updated link: http://www.acq.osd.mil/dpap/dars/dfars/html/current/208_74.htm |
10 | DoDD 8570.01 | Directive was superseded by 8140.01. |
11 | DoDD 5000.02 | Updated broken link: http://www.dtic.mil/whs/directives/corres/pdf/500002p.pdf |
12 | CJCSI 6211.02D | Updated link: http://www.dtic.mil/cjcs_directives/cdata/unlimit/6211_02a.pdf |
15 Aug 2015
# | Document Name | Change/Justification |
---|---|---|
1 | National Military Strategy (NMS) | Link updated to 2015 NMS: http://www.jcs.mil/Portals/36/Documents/Publications/National_Military_Strategy_2015.pdf |
2 | National Security Strategy (NSS) | 2015 NSS added: https://www.whitehouse.gov/sites/default/files/docs/2015_national_security_strategy_2.pdf |
3 | National Military Strategy for Cyberspace Operations (NMS-CO) | Updated link: http://nsarchive.gwu.edu/NSAEBB/NSAEBB424/docs/Cyber-023.pdf |
4 | DoDD 8140.01 Cyberspace Workforce Management | Signed 11 Aug 2015, cancelled DoD Directive 8570.01, “Information Assurance (IA) Training, Certification, and Workforce Management,” August 15, 2004, as amended. |
5 | DoDI 8330.01 Interoperability of IT and National Security Systems (NSS) | Correct spacing in title. |
6 | CJCSI 3170.01H Joint Capabilities Integration and Development System (JCIDS) | Updated to CJCSI 3170.01I: https://dap.dau.mil/policy/Documents/2015/CJCSI_3170_01I.pdf |
7 | Presidential Memo, “Classified Information and Controlled Unclassified Information,” 27 May 09 | Memo withdrawn. Removed from chart. |
8 | FAR Federal Acquisition Regulation | Updated link: https://www.acquisition.gov/?q=browsefar |
24 Apr 2015
# | Document Name | Change/Justification |
---|---|---|
1 | The DoD Cyber Strategy | New Issuance, 23 Apr 2015 |
2 | Comprehensive National Cybersecurity Initiative | Removed |
3 | DoDI S-5240.23, Counterintelligence (CI) Activities in Cyberspace | Added new link to aid those with SIPRNet access to find document. |
4 | DoDI S-5200.16, Objectives and Min Stds for COMSEC Measures used in NC2 Comms | Added new link to aid those with SIPRNet access to find document. |
5 | DoDD S-5100.44, Defense and National Leadership Command Capability (DNLCC) | Added new link to aid those with SIPRNet access to find document. |
6 | DoDD O-5100.30, Department of Defense (DoD) Command and Control (C2) | Superseded by DoDD 3700.01, DoD Command and Control (C2) Enabling Capabilities |
7 | DoDD O-8530.1, Computer Network Defense (CND) | Added new link to aid those with a DoD PKI cert to access this document. |
8 | DoDI O-8530.2, Support to Computer Network Defense (CND) | Added new link to aid those with a DoD PKI cert to access this document. |
9 | DoD O-8530.1-M, CND Service Provider Certification and Accreditation Program | Added new link to aid those with a DoD PKI cert to access this document. |
17 Feb 2015
# | Document Name | Change/Justification |
---|---|---|
1 | Executive Order 13691, Promoting Private Sector Cybersecurity Information Sharing | New Issuance, 13 Feb 2015 |
2 | National Security Strategy | New Issuance, Feb 2015 |
3 | NIST SP 800-37 Rev 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach | New link includes updates as of 6 May 2014 |
4 | SP 800-61 Rev. 2, Computer Security Incident Handling Guide | Updated link |
5 | FIPS 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors | Superseded by FIPS 201-2, Personal Identity Verification (PIV) of Federal Employees and Contractors |
6 | DoD Defending Networks, Systems, and Data Strategy | New direct link |
7 | DoD Cyber, Identity & Information Assurance Strategic Plan | Updated link |
8 | National Military Strategy | Updated link |
9 | CNSSAM IA 1-10, Reducing Risk of Removable Media in NSS | Updated link |
10 | CNSSI-1300, Instructions for NSS PKI X.509SP | Updated link |
11 | DoDI 5000.02, Operation of the Defense Acquisition System | Updated link |
12 | DoD CIO Memo Interim Guidance on Networthiness of IT Connected to DoD Networks | Updated link |
13 | NSSMOA between DoD CIO and ODNI CIO Establishing Net-Centric Software Licensing Agreements | Updated link |
14 | Title 44 – Federal Information Security Mgt Act, (§3541 et seq) | Updated link |
15 | NSTISSI-4002 Classification Guide for COMSEC Information | Removed to make room for new E.O. 13691 (the NSTISSI-4002 did not have a public-facing link anyway) |
16 | Security Technical Implementation Guides (STIGs) | Updated link |
17 | About this chart box | Updated the text |