SAP Policy Flashcards
Section 119, Title 10, United States Code
Special Access Programs: Congressional Oversight. Requires annual reporting on SAPs to the congressional defense committees and subjects SAPs to oversight in the form of inspections and audits.
Executive Order 13526
"Classified National Security Information," is the foundation of national policy for classified information. The Executive Order directs the Information Security Oversight Office (ISOO), under the National Archives and Records Administration, to develop implementing guidance. ISOO issued 32 CFR Parts 2001 and 2003 (ISOO Directive No. 1), "Classified National Security Information," which gives agencies more specific guidance on implementing the Executive Order.
DoDI O-5205.11
Management, Administration, and Oversight of DoD Special Access Programs, is the implementing document for DoDD 5205.07. It disseminates policy, assigns responsibilities, and prescribes procedures for the management, administration, and oversight of all DoD SAPs.
DoD Manual 5205.07 v1
Volume 1 (General Procedures) assigns responsibilities, implements policy established in DoD Instruction (DoDI, pronounced "Dee-oh-Dee-Eye") O-5205.11, and describes the general procedures for the administration of DoD SAP security.
DoD Manual 5205.07 v2
Volume 2 assigns responsibilities and provides procedures for personnel security for DoD SAPs.
DoD Manual 5205.07 v3
Volume 3 (Physical Security) implements policy established in DoDI O-5205.11, assigns responsibilities, and provides procedures for physical security for DoD SAPs.
DoD Manual 5205.07 v4
Volume 4 (Marking) provides guidance and procedures for applying control markings to DoD SAP information.
DoD Manuals Overview
The DoD Manual 5205.07 volumes are published by the DoD and apply to all DoD SAPs. They standardize the foundational SAP security guidance throughout the DoD and set out the minimum security procedures for DoD SAPs. This policy also applies to industry and to all non-DoD organizations that require access to DoD SAPs.
Executive Order 13526 - Classified National Security Information
• Prescribes a uniform system for classifying, safeguarding, and declassifying national security information
• Directs the Information Security Oversight Office (ISOO) to develop implementing guidance
Information Security Oversight Office (ISOO), 32 CFR Parts 2001 and 2003, Classified National Security Information; Final Rule
Provides specific guidance to agencies on implementing Executive Order 13526
DoD 5220.22-M, National Industrial Security Program Operating Manual (NISPOM)
Establishes the standard procedures and requirements for all government contractors with regard to the protection of classified information in the interest of national security
DoDM 5200.01, Volumes 1-4, DoD Information Security Program
• Prescribes the procedures for the DoD Information Security Program
DoD 5200.2-R, Personnel Security Program
• Establishes the DoD Personnel Security Program, including the standards for determining eligibility for access to classified information and assignment to sensitive duties
DoD 5200.08-R, Physical Security Program
Implements the policies and minimum standards for the physical security of DoD installations and resources
DoDD 5205.02E, DoD Operations Security (OPSEC) Program
Establishes policy, assigns responsibilities, and provides procedures for managing the DoD operations security (OPSEC) program
Section 119, Title 10, United States Code: Special Access Programs: Congressional Oversight
Outlines SAP congressional oversight and reporting requirements
DoDD 5205.07, Special Access Program Policy
Outlines policy and responsibilities on the oversight and management of all DoD Special Access Programs (SAPs)
DoDI O-5205.11, Management, Administration, and Oversight of DoD Special Access Programs
• Implements DoD Directive 5205.07
• Disseminates policy, assigns responsibilities, and prescribes procedures for the management, administration, and oversight of all DoD SAPs
DoD Manual 5205.07, Volumes 1-4
Implement policy established in DoDD 5205.07, assign responsibilities, and provide security procedures for DoD SAP information
DoDI 8500.01, Cybersecurity
Establishes the DoD cybersecurity program and outlines the overarching risk management process for DoD information technology
DoDD 5200.01, DoD Information Security Program and Protection of Sensitive Compartmented Information (SCI)
DoD security policy that addresses the processes, roles, and responsibilities for protecting classified information and CUI
DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT)
Establishes the risk management framework that applies to DoD information technology, identifies the process to follow, and assigns specific roles and responsibilities
DoDI 8530.01, Cybersecurity Activities Support to DoD Information Network Operations
Requires the DoD to protect its information through vulnerability assessment and analysis, vulnerability management, malware protection, continuous monitoring, cyber incident handling, DoDIN user activity monitoring for the DoD Insider Threat Program, and warning intelligence and attack sensing and warning (AS&W)
NIST SP 800-30
Guide for Conducting Risk Assessments; the risk assessment methodology referenced by the DoD RMF
When you compile and look at all of these policies and drivers together, the overarching Security Policy emerges. It is to do the following:
• Identify and protect national security information and controlled unclassified information (CUI) in accordance with national-level policy issuances
• Promote information sharing, facilitate judicious use of resources, and simplify management through implementation of uniform and standardized processes
• Employ, maintain, and enforce standards for safeguarding, storing, destroying, transmitting, and transporting classified information
• Actively promote and implement security education and training throughout the Department of Defense
• Mitigate the adverse effects of unauthorized access to classified information by investigating and acting upon reports of security violations and compromises of classified information
DoD cybersecurity policy elements
The DoD cybersecurity policy elements (as enumerated in DoDI 8500.01) are risk management, operational resilience, integration and interoperability, cyberspace defense, performance, DoD information, identity assurance, information technology, cybersecurity workforce, and mission partners.