DOD proposes systems security amendment to DFARS
- By Dawn S. Onley
- May 27, 2003
The Defense Department plans to remind its acquisition workers that they must adhere to two new policies for securing systems and networks.
DOD acquisition officials need to comply with directives 8500.1 and 8500.2 when buying technology, according to a proposed amendment to the Defense Federal Acquisition Regulation Supplement that addresses information assurance requirements related to IT acquisition.
Both directives implement the National Security Telecommunications and Information Systems Security Committee's Policy No. 11, which requires information assurance be added to all Defense systems used to enter, process, display or transmit national security information.
'For all acquisitions, the requiring activity is responsible for providing to the contracting officer statements of work, specifications or statements of objectives that meet information assurance requirements,' said the proposal, which the department released Friday.
The directives also require that vendors provide or use IT that has been accredited as meeting the appropriate requirements. Vendors must submit documentation proving accreditation.
The government can choose to 'conduct additional tests to ensure that IT delivered under a contract satisfies the information assurance standards,' the amendment added.
Directive 8500.2, released in February, is the second part of a strategy to address the changing systems security needs within the department. DOD issued the first part, 8500.1, in October. The directives create a framework for DOD to follow to protect its information systems.
The policies cover several areas, including access control and firewall protection. They also place Defense systems in four categories:
- Automated applications
- Enclaves, which include networks
- Outsourced IT
- Platform IT interconnections, such as weapons systems sensors
DOD will accept comments about the proposed amendment until July 22.