Cybersecurity-Related

Policies and Issuances

GOAL 1: ORGANIZE
Lead and Govern
EO 13636: Improving Critical
Infrastructure Cybersecurity

PPD 21: Critical Infrastructure Security

and Resilience

DoDD 8000.01
Management of the DOD Information
Enterprise

DoDI 8500.01
Cybersecurity

National Strategy for Information

Sharing and Safeguarding

The DoD Cyber Strategy

U.S. Intl Strategy for Cyberspace

25 Point Implementation Plan to

Reform Federal IT Mgt.

NIST Framework for Improving

Critical Infrastructure Cybersecurity

Quadrennial Defense Review (QDR)

Report

National Defense Strategy (NDS)

CNSSP-24
Policy on Assured Info Sharing (AIS)
for National Security Systems(NSS)

DoD Defending Networks, Systems

and Data Strategy

DoD Strategy for Operating in

Cyberspace

DoD Cyber, Identity & Information

Assurance Strategic Plan

National Military Strategy (NMS)

National Military Strategy for

Cyberspace Operations (NMS-CO)

National Military Strategic Plan for the

War on Terrorism

GOAL 1: ORGANIZE

GOAL 2: ENABLE

GOAL 3: ANTICIPATE

GOAL 4: PREPARE

Design for the Fight

Secure Data in Transit

Understand the Battlespace

Develop and Maintain Trust

Common Criteria Evaluation and

Validation Scheme (CCEVS)

FIPS 140-2
Security Requirements for
Cryptographic Modules

SP 800-153
Guidelines for Securing Wireless Local
Area Networks

FIPS 199
Standards for Security Categorization
of Federal Info. and Info. Systems

SP 800-59
Guideline for Identifying an Information
System as a NSS

CNSSP-12
National IA Policy for Space Systems
Used to Support NSS

CNSSP-21
National IA Policy on Enterprise
Architectures for NSS

CNSSP-11
Natl Policy Governing the Acquisition
of IA and IA-Enable IT

DFARS
Subpart 208.74, Enterprise Software
Agreements

CNSSP-1
National Policy for Safeguarding and
Control of COMSEC Material

CNSSP-15
Use of Pub Standards for Secure
Sharing of Info Among NSS

SP 800-60 R1
Guide for Mapping Types of Info and
Info Systems to Security Categories

SP 800-92
Guide to Computer Security Log
Management

NSTISSD-600
Communications Security (COMSEC)
Monitoring

NSTISSI-7002
TEMPEST Glossary

DoDD 5000.01
The Defense Acquisition System

DoDD 7045.20
Capability Portfolio Management

CNSSP-17
Policy on Wireless Communications:
Protecting Natl Security Info

CNSSP-19
National Policy Governing the Use of
HAIPE Products

SP 800-101, R1
Guidelines on Mobile Device Forensics

NISTIR 7693
Specification for Asset Identification 1.1

CNSSI-5002, National Information

Assurance (IA) Instruction for
Computerized Telephone Systems

DoDD 3100.10
Space Policy

DoDD 8115.01
IT Portfolio Management

DoDI 5000.02
Operation of the Defense Acquisition
System

CNSSP-25
National Policy for PKI in National
Security Systems

NSTISSP-101
National Policy on Securing Voice
Communications

DoDI S-5240.23
Counterintelligence (CI) Activities in
Cyberspace

DoDD 3020.40
DoD Policy and Responsibilities for
Critical Infrastructure

DoDD 5144.02
DoD Chief Information Officer

DoDI 5200.44
Protection of Mission Critical Functions
to Achieve TSN

DoDI 7000.14
Financial Management Policy and
Procedures (PPBE)

NACSI-2005
Communications Security (COMSEC)
End Item Modification

CNSSI-5000
Guidelines for Voice Over Internet
Protocol (VoIP) Computer Telephony

DoDI 8115.02
IT Portfolio Management
Implementation

DoDI 8330.01
Interoperability of IT and National
Security Systems (NSS)

CNSSI-5001
Type-Acceptance Program for VoIP
Telephones

NACSI-6002
Natl COMSEC Instruction Protection of
Govt Contractor Telecomms

DoDI 8510.01
Risk Management Framework
for DoD IT

DoDI 8580.1
Information Assurance (IA) in the
Defense Acquisition System

NSTISSI-7003
Protective Distribution Systems (PDS)

DoDD 8100.02
Use of Commercial Wireless Devices,
Services, and Tech in the DoD GIG

RMF Knowledge Service

DoD CIO Memo

Interim Guidance on Networthiness of
IT Connected to DoD Networks

DoDD 8521.01E
Department of Defense Biometrics

DoDI 4650.01
Policy and Procedures for Mgt and Use
of the Electromagnetic Spectrum

MOA between DoD CIO and ODNI CIO

Establishing Net-Centric Software
Licensing Agreements

DoD CIO G&PM 12-8430

Acquiring Commercial Software

DoDI 8100.04
DoD Unified Capabilities (UC)

DoDI 8420.01
Commercial WLAN Devices, Systems,
and Technologies

DODAF (Version 2.02)

DoD Architecture Framework

CJCSI 3170.01I
Joint Capabilities Integration and
Development System (JCIDS)

DoDI 8523.01
Communications Security (COMSEC)

DoDI S-5200.16
Objectives and Min Stds for COMSEC
Measures used in NC2 Comms

CJCSI 6510.02D
Cryptographic Modernization Plan

CJCSI 6510.06B
Communications Security Releases to
Foreign Nations

CJCSI 6212.01F
Net Ready Key Performance
Parameter

Joint Publication 6-0

Joint Communications System

Alignment Framework for the GIG IA

Architecture (AFG) version 1.1

IA Component of the GIG Integrated

Architecture, v1.1

IATF Release 3.1

Information Assurance Technical
Framework

CNSS
National Secret Fabric Architecture
Recommendations

Develop the Workforce

CNSSD-500
Information Assurance (IA) Education,
Training, and Awareness

NSTISSD-501
National Training Program for
INFOSEC Professionals

Manage Access
HSPD-12
Policy for a Common ID Standard for
Federal Employees and Contractors
FIPS 201-2
Personal Identity Verification (PIV) of
Federal Employees and Contractors

M-05-24
Implementation of HSPD-12
CNSSP-3
National Policy for Granting Access to
Classified Cryptographic Information

NSTISSI-4011
National Training Standard for
INFOSEC Professionals

CNSSP-16
National Policy for the Destruction of
COMSEC Paper Material

CNSSI-1300
Instructions for NSS PKI X.509

CNSSI-4012
National IA Training Standard for
Senior Systems Managers

CNSSI-4013
National IA Training Standard For
System Administrators (SA)

NSTISSI-3028
Operational Security Doctrine for the
FORTEZZA User PCMCIA Card

NSTISSI-4001
Controlled Cryptographic Items

CNSSI-4014
National IA Training Standard For
Information Systems Security Officers

NSTISSI-4015
National Training Standard for System
Certifiers

NSTISSI-4003
Reporting and Evaluating COMSEC
Incidents

CNSSI-4005
Safeguarding COMSEC Facilities and
Materials, amended by CNSS-008-14

NSTISSI-4006
Controlling Authorities for COMSEC
Material

DoDD 1000.25
DoD Personnel Identity Protection
(PIP) Program

DoDI 5200.08
Security of DoD Installations and
Resources and the DoD PSRB

DoDI 8520.02
Public Key Infrastructure (PKI) and
Public Key (PK) Enabling

DoDI 8520.03
Identity Authentication for Information
Systems

DoDM 1000.13, Vol. 1

DoD ID Cards: ID Card Life-cycle

NSTISSI-4000
COMSEC Equipment Maintenance
and Maintenance Training

CNSSI-4016
National IA Training Standard For Risk
Analysts
DoD 8570.01-M
Information Assurance Workforce
Improvement Program

DoDD 8140.01
Cyberspace Workforce Management
DoDI 8550.01
DoD Internet Services and InternetBased Capabilities

Partner for Strength

SP 800-144
Guidelines on Security and Privacy in
Public Cloud Computing

CNSSP-14
National Policy Governing the Release
of IA Products/Services

CNSSI-1253
Security Categorization and Control
Selection for Natl Security Systems

CNSSI-1253F, Atchs 1-5

Security Overlays

Assure Information Sharing

DoDI 8320.02
Sharing Data, Info, and IT Services in
the DoD

DoDI 8582.01
Security of Unclassified DoD
Information on Non-DoD Info Systems

CNSSI-4007
Communications Security (COMSEC)
Utility Program

CNSSI-4008
Program for the Mgt and Use of Natl
Reserve IA Security Equipment

DoD Information Sharing Strategy

ASD(NII)/DoD CIO Memo

Use of Peer-to-Peer File Sharing
Applications Across DoD

DoDI 5205.13
Defense Industrial Base Cyber
Security / IA Activities

DoD 5220.22-M
National Industrial Security Program
Operating Manual (NISPOM)

United States Intelligence Community

Information Sharing Strategy

CJCSI 6211.02D
Defense Information System Network:
(DISN) Responsibilities

ICD 503
IT Systems Security Risk Management
and C&A

CJCSM 3213.02C, Ch 1
Joint Staff Focal Point

DoDI 8581.01
IA Policy for Space Systems Used by
the DoD

Strengthen Cyber Readiness

FIPS 200
Minimum Security Requirements for
Federal Information Systems

SP 800-37 R1
Guide for Applying the Risk Mgt
Framework to Fed. Info. Systems

SP 800-53 R4
Security & Privacy Controls for
Federal Information Systems

SP 800-53A R4
Assessing Security & Privacy Controls
in Fed. Info. Systems & Orgs.

SP 800-61 Rev 2
Computer Security Incident Handling
Guide

SP 800-124, Rev 1
Guidelines for Managing the Security of
Mobile Devices in the Enterprise

SP 800-128
Guide for Security-Focused
Configuration Mgt of Info Systems

CNSSAM IA 1-10, Reducing Risk of

Removable Media in NSS

DoDI O-8530.2
Support to Computer Network
Defense (CND)

DoDD O-8530.1
Computer Network Defense (CND)

DoDI 8551.1
Ports, Protocols, and Services
Management (PPSM)

DoDM 5105.21V1, SCI Admin Security

Manual: Info and Info Sys Security

DoD O-8530.1-M
CND Service Provider Certification and
Accreditation Program

CJCSI 6510.01F
Information Assurance (IA) and
Computer Network Defense (CND)

ABOUT THIS CHART

This chart organizes cybersecurity policies and guidance by
Strategic Goal and Office of Primary Responsibility (see Color
Key). Double-clicking on the box directs users to the
authoritative source.
Policies in italics indicate the document is marked for limited
distribution or no authoritative public-facing hyperlink is
currently available.
The linked sites are not controlled by the developers of this
chart. We check the integrity of the links on a regular basis, but
you may occasionally experience an error message due to
problems at the source site or the site's decision to move the
document. Please let us know if you believe the link is no
longer valid.
CNSS policies only link to the CNSS site, per restrictions
implemented by its website design.
Boxes with red borders reflect recent updates.
Note: Users of the iPad, iPhone or iPod Touch may find they
can view this Chart but that its hyperlinks are inoperable,
because of Apple's decision not to fully support certain Adobe
products. For those who desire a workaround for this issue,
there are apps in the iTunes store for less than $1.00.
For the latest version of this chart go to http://iac.dtic.mil/csiac/
ia_policychart.html. You can sign up to be alerted by e-mail to
any updates to this document.

Title 10
Armed Forces
(2224, 3013(b), 5013(b), 8013(b))

Title 14
Cooperation With Other Agencies
(Ch. 7: 141,144,145,148,149,150)

Title 32
National Guard
(102)

Title 40
Public Buildings, Property, and Works
(Ch. 113: 11302, 11315, 11331)

Title 44
Federal Information Security Mgt Act,
(3541 et seq)

Title 50
War and National Defense
(3002, 1801)

Clinger-Cohen Act, Pub. L. 104-106

UCP
Unified Command Plan
(US Constitution Art II, Title 10 & 50)

NATIONAL / FEDERAL
Computer Fraud and Abuse Act
Title 18 (1030)

Pen Registers and Trap and Trace

Devices
Title 18 (3121 et seq.)

Stored Communications Act

Title 18 (2701 et seq.)

Executive Order 13691

Promoting Private Sector Cybersecurity
Information Sharing

SP 800-18 R1
Guide for Developing Security Plans
for Federal Information Systems

SP 800-126 R2
SCAP Ver. 1.2

Foreign Intelligence Surveillance Act

Title 50 (1801 et seq)

Executive Order 13526

Classified National Security Information

SP 800-30, Rev. 1
Guide for Conducting Risk
Assessments

SP 800-39
Managing Information Security Risk

Executive Order 13231

as Amended by EO 13286 - Critical
Infrastructure Protection in the Info Age

NSD 42, National Policy for the

Security of Natl Security Telecom and
Information Systems

SP 800-137
Continuous Monitoring

DoDD 3700.01
DoD Command and Control (C2)
Enabling Capabilities

Executive Order 13587

Structural Reforms To Improve
Classified Nets

PPD 28, Signals Intelligence Activities

DoDD S-5100.44
Defense and National Leadership
Command Capability (DNLCC)

DoDI 8560.01
COMSEC Monitoring and Information
Assurance Readiness Testing

NSPD 54 / HSPD 23
Computer Security and Monitoring

A-130, Management of Fed Info

Resources

FAR
Federal Acquisition Regulation

Ethics Regulations

Sustain Missions

CJCSM 6510.01B
Cyber Incident Handling Program

Last Updated: August 15, 2015

Send questions/suggestions to
[email protected]
AUTHORITIES

SP 800-119
Guidelines for the Secure Deployment
of IPv6

Prevent and Delay Attackers

and Prevent Attackers from Staying

Developed by the DoD

Deputy CIO for Cybersecurity

CNSSP-18
National Policy on Classified
Information Spillage

CNSSP-22, IA Risk Management

Policy for National Security Systems,
amended by CNSS-021-13

2015 National Security Strategy

National Strategy to Secure

Cyberspace

CNSSP-300
National Policy on Control of
Compromising Emanations

CNSSI-1001
National Instruction on Classified
Information Spillage

NIST Special Publication 800 Series

NISTIR 7298, Rev 2, Glossary of Key

Information Security Terms

CNSSI-4004.1, Destruction and

Emergency Protection Procedures for
COMSEC and Class. Material

CNSSI-7000
TEMPEST Countermeasures for
Facilities

NSTISSI-7001
NONSTOP Countermeasures

DoDD 3020.26
Department of Defense Continuity
Programs

DoDD 3020.44
Defense Crisis Management

DoDI 8410.02
NetOps for the Global Information
Grid (GIG)

Defense Acquisition Guidebook

Section 7.5 Information Assurance

NSA IA Directorate (IAD) Management

Directive MD-10
Cryptographic Key Protection

CNSSD-502
National Directive On Security of
National Security Systems
CNSSD-901
Natl Security Telecomms and Info Sys
Security (CNSS) Issuance System

CNSSD-900, Governing Procedures of

the Committee on National Security
Systems
CNSSI-4009
National Information Assurance
Glossary

Federal Wiretap Act

Title 18 (2510 et seq.)

OPERATIONAL
SD 527-01
DoD INFOCON System Procedures

SI 504-04
Readiness Reporting

SI 507-01
NetOps Community of Interest (NCOI)
Charter

SI 701-01
NetOps Reporting

STRATCOM CONPLAN 8039-08

STRATCOM OPLANs

Color Key - OPRs

ASD(NII)/ASD(C3I)
/DOD CIO

NIST

USD(I)

CNSS/NSTISS

NSA

USD(P)

DISA

OSD

USD(P&R)

DNI

STRATCOM

Other Agencies

USD(AT&L)

Recently
updated box
Expired,
Update pending

JCS
NIAP

USD(C)

Computer Network Directives

(CTO, FRAGO, WARNORD)

SUBORDINATE POLICY
Security Configuration Guides (SCGs)

Component-level Policy
(Directives, Instructions, Publications,
Memoranda)

Security Readiness Review Scripts

(SRRs)

Security Technical Implementation

Guides (STIGs)

Distribution Statement A: Approved for Public Release. Distribution is unlimited.