5 December 2018
| Document Name | Change/Justification |
|---|---|
| CJCSI 3170.01, Joint Capabilities Integration and Development System (JCIDS) | Manual was converted to a “living document” available at the new hyperlink |
| UCP Unified Command Plan | Updated link to unclassified site that identifies the 10 Combatant Commands and provides information on each. |
If you see any links that have changed, policies that have been updated or added, or any other changes that should be made to the chart, please send an email to info@csiac.org
25 September 2018
| Document Name | Change/Justification |
|---|---|
| National Cyber Strategy | Replaces the 2003 National Cyber Strategy. |
| 2018 DoD Cyber Strategy | Update to the 2015 DoD Cyber Strategy. It was signed on 27 July, but a publicly accessible, unclassified summary became available on 18 Sep. The hyperlink is to the unclassified summary. |
| CNSSP-28, “Cybersecurity of Unmanned National Security Systems,” 6 July 2018 | New policy. |
| DoDI 8560.01, “Communications Security (COMSEC) Monitoring,” 22 Aug 2018 | Incorporated and canceled DoD Instruction 8560.01, “Communications Security (COMSEC) Monitoring and Information Assurance (IA) Readiness Testing,” October 9, 2007. |
| DoD Cybersecurity Policy Chart | Added additional CSIAC contact information to the upper left corner of the chart. |
14 August 2018
| Document Name | Change/Justification |
|---|---|
| 2018 DoD Cyber Strategy | Update to the 2015 DoD Cyber Strategy. It was signed on 27 July, but a publicly accessible version is not yet available, so the name is italicized in the chart indicating no public-facing hyperlink is available. |
| CNSSI-5000, Annex I, Voice Over Secure Internet Protocol (VoSIP) | Annex released on 21 June 2018. |
12 June 2018
| Document Name | Change/Justification |
|---|---|
| Directive-Type Memorandum (DTM) 17-007 – “Interim Policy and Guidance for Defense Support to Cyber Incident Response” | NIST Released NIST SP 800-126, R3, SCAP 1.3 on 14 Feb 2018 |
| CJCSI 6510.02E, Cryptographic Modernization Plan | Updated from CJCSI 6510.02D |
| CJCSM 3213.02D, Joint Staff Focal Point | Updated from CJCSM 3213.02C |
| NIST SP 800-171, R1, Protecting CUI in Nonfederal Systems and Organizations | Rev. 1 final release date was 6/7/2018. |
| NIST SP 800-125A, R1, Security Recommendations for Hypervisor Platforms | Rev. 1 final release date was 6/7/2018. |
| National Security Strategy | Moved from National/Federal to Organize/Lead and Govern |
9 April 2018
| Document Name | Change/Justification |
|---|---|
| NIST SP 800-126, R2 SCAP 1.2 | NIST Released NIST SP 800-126, R3, SCAP 1.3 on 14 Feb 2018 |
| NIST SP 800-171 | NIST Released NIST SP 800-171, R1, on 20 Feb 2018 |
| NIST SP 800-125A | Added NIST SP 800-125A, Security Recommendations for Hypervisor Deployment on Servers, 23 Jan 2018 |
| DoD Directive 3020.26, “Department of Defense Continuity Programs,” January 9, 2009, as amended | Reissued and canceled by DoDD 3026, DoD Continuity Policy, 14 Feb 2018 |
| CJCSI 3170.01I, Joint Capabilities Integration and Development System (JCIDS) | Updated link. |
| Stored Communications Act, 18 USC §2701 et seq. | The Stored Communications Act was amended by the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which was passed as part of the Consolidated Appropriations Act of 2018, signed into law on 23 March 2018. NOTE: The link to the Government Publishing Office’s text of the law currently does not reflect these most recent changes, nor does the House of Representatives official United States Code website. Both are expected to be updated after some time. |
1 February 2018
| Document Name | Change/Justification |
|---|---|
| 2017 National Defense Strategy | Released on 19 January 2018, it replaces the 2012 National Defense Strategy. Since the National Defense Strategy is classified, the link is to the unclassified summary. |
| Quadrennial Defense Review | Removed from chart, based on the 2017 National Defense Authorization Act (NDAA), which replaced the legislative foundation of the Quadrennial Defense Review with requirements to be included in a National Defense Strategy. |
| Strategic Instruction (SI) 527-01 DoD INFOCON System Procedures, 27 March 2015 | Superseded SD 527-01, 27 Jan 2006. |
| NIST Framework for Improving Critical Infrastructure Cybersecurity | Updated broken link. |
| CJCSM 6510.02, Information Assurance Vulnerability Management Program | Added this older policy to the chart. Policy is in italics because it is FOUO and so no publicly accessible link can be provided. |
Hat tip to Lawrence E. Cernicky for suggesting last 3 updates listed above.
8 January 2018
| Document Name | Change/Justification |
|---|---|
| EO 13636: Improve Critical Infrastructure Cybersecurity | Corrected link to Document. |
| The DoD Cybersecurity Policy Chart | Changed the gray/white background/text combos to gray/black. |
18 December 2017
| Document Name | Change/Justification |
|---|---|
| 2017 National Security Strategy | Released on 18 December 2017, it replaces the 2015 National Security Strategy. |
13 December 2017
| Document Name | Change/Justification |
|---|---|
| DoDI 8310.01 Information Technology Standards in the DoD | Added to chart |
| EO 13636: Improving Critical Infrastructure Cybersecurity | Corrected Link to document |
| DoDI 8582.01 Security of Unclassified DoD Information on Non-DoD Info Systems | Policy updated by DoDI 8310.01 |
| NSTISSI 7003 Protective Distribution Systems | Changed to CNSSI 7003, Protected Distribution Systems |
Hat tip to Kathy Yelshin for suggesting the addition of DoDI 8310.01.
Hat tip to Brent Stedry for suggesting the update to NSTISSI 7003.
6 November 2017
| Document Name | Change/Justification |
|---|---|
| NIST SP 800-18, Rev 1 | Corrected Link to document |
3 November 2017
| Document Name | Change/Justification |
|---|---|
| ASD(NII)/DoD CIO Memo on Use of Peer-to-Peer File Sharing Applications | Removed, was canceled by DoDI 8500.01, Cybersecurity |
| CNSSI-4001 | Added link. |
| CNSSI-4005 | Added link. |
| CNSSP-16 | Added link. |
| DoDD 3020.40 | Updated link. |
| DoDI 5200.01 | Updated link. |
| DoDI 8320.02 | Corrected link. |
| DoDI 8551.01 | Updated link. |
| Ethics Regulations | Updated link. |
| E. O. 13800 | Added. |
| FIPS 140-2 | Updated link. |
| FIPS 199 | Updated link. |
| FIPS 200 | Updated link. |
| ICD 503 | Updated link. |
| NISTR 7693 | Updated link. |
| NIST SP 800-18, Rev 1 | Updated link. |
| NIST SP 800-39 | Updated link. |
| NIST SP 800-59 | Updated link. |
| NIST SP 800-60, Vol 1, Rev 1 | Updated link. |
| NIST SP 800-92 | Updated link. |
| NIST SP 800-126, Rev 2 | Updated link. |
| NIST SP 800-128 | Updated link. |
| NIST SP 800-137 | Updated link. |
| NIST SP 800-153 | Updated link. |
| NSTISSI-4003 | Changed to CNSSI 4003 and added link. |
| NSTISSI-4006 | Changed to CNSSI 4006 and added link. |
| OMB A-130 | White House temporarily moved many policies to the Obama White House archives site, though these appear to be in full force unless or until formally rescinded or superseded. |
| Security Configuration Guides | Updated link. |
Hat tip to Maria Jenkins, contractor support to DCMA Cybersecurity, for identifying most of the above issues.
If you see any links that have changed, policies that have been updated or added, or any other changes that should be made to the chart, please send an email to info@csiac.org
15 Aug 2017
| Document Name | Change/Justification |
|---|---|
| DoDD 8000.01 | Change issued 27 July 2017 to include US Coast Guard in applicability paragraph and make other administrative updates. |
| DoDD 8140.01 | Change issued 31 July 2017 to include US Coast Guard in applicability paragraph and make other administrative updates. |
| DoDI 8510.01 | Change issued 28 July 2017 to include US Coast Guard in applicability paragraph and make other administrative updates. |
| DoDI 8520.03 | Change issued 27 July 2017 to include US Coast Guard in applicability paragraph and make other administrative updates. |
| DoDI 8530.01 | Change issued 25 July 2017 to include US Coast Guard in applicability paragraph and make other administrative updates. |
| DoDI 8551.01 | Change issued 27 July 2017 to include US Coast Guard in applicability paragraph and make other administrative updates. |
| MOA Between DoD & DHS | MOA signed 19 January 2017 regarding Department of Defense and U.S. Coast Guard cooperation on cybersecurity and cyberspace operations. |
30 Jun 2017
| Document Name | Change/Justification |
|---|---|
| All DoDDs, DoDIs, DoDMs, and other DoD issuances | 46 hyperlinks changed to reflect the movement of the official DoD Issuances website to a new URL. |
| DoD Acquisition Guidebook | Hyperlink changed to reflect updated URL for the DAG. Link is to Chapter 9, which is the deepest link permitted, but subpart 3.2.2, Risk Management Framework for DoD IT is the pertinent reference. |
05 Jun 2017
| Goals/Other | Sub-Section | Modification/Update |
|---|---|---|
| Organize | ||
| Lead and Govern | ||
| Link Broken: National Strategy for Information Sharing and Safeguarding (2012) New Link: https://obamawhitehouse.archives.gov/sites/default/files/docs/2012sharingstrategy_1.pdf |
||
| Link Broken: U.S. International Strategy for Cyberspace (2011) New Link: https://obamawhitehouse.archives.gov/sites/default/files/rss_viewer/internationalstrategy_cyberspace.pdf |
||
| Deleted: 25 Point Implementation Plan to Reform Federal IT Management (2010) | ||
| Link Broken: NIST Framework for Improving Critical Infrastructure Cybersecurity (2014) New Link: https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf |
||
| Link Broken: National Defense Strategy (NDS) (2012) New Link: http://www.acqnotes.com/Attachments/2012%20National%20Defense%20Strategy.pdf |
||
| Design for the Fight | ||
| Deleted: IA Component of the GIG Integrated Architecture, Version 1.1 (2002) | ||
| Deleted: Alignment Framework for the GIG IA Architecture (AFG) Version 1.1 (2002) | ||
| Deleted: IATF Release 3.1 Information Assurance Technical Framework (2002) | ||
| Link Broken: DoDI 5000.02 Operation of the Defense Acquisition System (2017) New Link: http://www.dtic.mil/whs/directives/corres/pdf/500002_dodi_2015.pdf |
||
| Deleted: DoD CIO Memo (2011) Interim Guidance on Networthiness of IT Connected to DoD Networks | ||
| Deleted: DoD CIO G&PM 12-8430 (2001) Acquiring Commercial Software | ||
| Develop the Workforce | ||
| Link Broken/Document Type Changed: NSTISSI-4000 to: CNSSI-4000 Maintenance of Communications Security (COMSEC) Equipment (2012) New Link: https://www.cnss.gov/CNSS/issuances/Instructions.cfm |
||
| Partner for Strength | ||
| Link Broken: ICD 503 IC Information Technology Systems Security Risk Management New Link: https://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives |
||
| Enable | ||
| Manage Access | ||
| Deleted: OMB M-05-24 Implementation of HSPD-12 | ||
| Document Type Change: From NSTISSI to CNSSI 4001 Controlled Cryptographic Items (2013) New Link: https://www.cnss.gov/CNSS/issuances/Instructions.cfm |
||
| Link Broken: DoDI 5200.01 Dod Information Security Program And Protection Of Sensitive Compartmented Information (SCI) (2016) New Link: http://www.dtic.mil/whs/directives/corres/pdf/520001p.pdf |
||
| Assure Information Sharing | ||
| Link Broken: DoD Information Sharing Strategy (2007) New Link: http://dodcio.defense.gov/Portals/0/Documents/DIEA/InfoSharingStrategy.pdf |
||
| Deleted: ASD(NII)/DoD CIO Memo Use of Peer-to-Peer File Sharing Applications Across DoD. This Memo was canceled by DoDI 8500.01, Cybersecurity | ||
| Link Broken: CJCSI 6211.02D Defense Information System Network (DISN) Responsibilities (2012) New Link: http://www.jcs.mil/Portals/36/Documents/Library/Instructions/6211_02a.pdf?ver=2016-02-05-175050-653 |
||
| Anticipate | ||
| Prevent and Delay Attackers and Prevent Attackers from Staying | ||
| Broken Link: CJCSM 6510.01B Cyber Incident Handling Program (2014) New Link: http://www.jcs.mil/Portals/36/Documents/Library/Manuals/m651001.pdf?ver=2016-02-05-175710-897 |
||
| Broken link: CJCSI 6510.01F Information Assurance (IA) And Support To Computer Network Defense (CND) (2015) New Link: http://www.jcs.mil/Portals/36/Documents/Library/Instructions/6510_01.pdf?ver=2016-02-05-175054-497 |
||
| Prepare | ||
| Develop and Maintain Trust | ||
| Added Link: NSTISSD-600 Communications Security Monitoring (1990) New Link: https://www.cnss.gov/CNSS/issuances/Directives.cfm |
||
| Title and Link Updated: DoDD 3020.40 Mission Assurance (MA) (2016) New Link: http://www.dtic.mil/whs/directives/corres/pdf/302040_dodd_2016.pdf |
||
| Keep: DoDI 8581.01 Information Assurance (IA) Policy for Space Systems Used by the Department of Defense (2010) | ||
| Strengthen Cyber Readiness | ||
| Replaced: DoDD S-5100.44 with DoDD S-3710.01 DoDD S-3710.01, National Leadership Command Capability (NLCC), 5/27/2015 replaced DoDD S-5100.44, Defense and National Leadership Command Capability (DNLCC) New Link: http://www.dtic.mil/whs/directives/corres/pdf/S371001_placeholder.pdf |
||
| Sustain Missions | ||
| Link Broken: CNSSP-300 National Policy on Control of Compromising Emanations (2006) New Link: https://www.cnss.gov/CNSS/issuances/Policies.cfm |
||
| Link Broken: CNSSI-4004.1 Destruction and Emergency Protection Procedures for COMSEC and Classified Material (2008) New Link: https://www.cnss.gov/CNSS/issuances/Instructions.cfm |
||
| Replace: Defense Acquisition Guidebook Sect 7.5 Information Assurance (2013) with the DAG (2016) New Link: https://dap.dau.mil/glossary/pages/178.aspx?scroll=0 |
||
| National/Federal | ||
| Broken Link: 2015 National Security Strategy New Link: http://www.jcs.mil/Portals/36/Documents/Publications/2015_National_Military_Strategy.pdf |
||
| Updated Link: NSD 42 New Link: https://www.cnss.gov/cnss/assets/authorities/NSD-42.pdf |
||
| Broken Link: OMB A-130 (2016) New Link to Revised document: https://www.federalregister.gov/documents/2016/07/28/2016-17872/revision-of-omb-circular-no-a-130-managing-information-as-a-strategic-resource |
||
| Updated Title: CNSSI 4009 Committee on National Security Systems (CNSS) Glossary (2015) | ||
| Consider Deleting Security Configuration Guides (SCGs) – current link takes you to “Media Destruction Guidance”. A search of the term SCG nets many different websites. Is there a particular site to reference? | ||
| Consider Deleting/Broken Link: Security Reference Review Scripts – A search of the term SCG nets many different websites. Is there a particular site to reference? | ||
| Consider Deleting/Broken Link: Component—level policy. This is too vague considering that everything on the chart has specific references. |
21 Aug 2016
| Document Name | Change / Justification |
|---|---|
| Presidential Policy Directive 41: United States Cyber Incident Coordination | New PPD issued. |
| CJCSI 6212.01F Net Ready Key Performance Parameter | Canceled by CJCSI 5123.01G, 12 Feb 15 |
| DoD 5220.22-M, Ch. 2 National Industrial Security Program Operating Manual (NISPOM) | Change 2 published May 18, 2016. Updated link. |
| DoDD 8000.01 Management of the DOD Information Enterprise | Policy and link updated. |
| DoDD 8521.01E Department of Defense Biometrics | Updated link. |
| DoDI O-8530.1 | Superseded by DoDI 8530.01, link updated. |
| DoDI O-8530.2 | Superseded by DoDI 8530.01, link updated. |
| DoDI 5200.01 DoD Information Security Program and Protection of SCI | Added as a new policy based on recent update. |
| DoDI 5200.08 | Change 3 issued, link updated. |
| SP 800-30, Rev. 1, Guide for Conducting Risk Assessments | Moved to: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf |
| SP 800-126 Rev. 2, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2 | Moved to: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-126r2.pdf |
| SP 800-128, Guide for Security-Focused Configuration Management of Information Systems (August 2011) | Moved to: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-128.pdf |
| SP 800-137, Information Security Continuous | http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf |
27 Oct 2015
| Document Name | Change / Justification |
|---|---|
| National Strategy for Information Sharing and Safeguards | Updated link to: https://www.whitehouse.gov/sites/default/files/docs/2012sharingstrategy_1.pdf |
| Quadrennial Defense Review Report | Updated link to: http://archive.defense.gov/pubs/2014_Quadrennial_Defense_Review.pdf |
| National Defense Strategy | Updated link to: http://www.defense.gov/Portals/1/Documents/pubs/2008NationalDefenseStrategy.pdf |
| DoD Cyber Strategy | Updated link to: http://www.defense.gov/Portals/1/features/2015/0415_cyber-strategy/Final_2015_DoD_CYBER_STRATEGY_for_web.pdf |
| DoD Strategy for Operating in Cyberspace | Removed as superseded by the DoD Cyber Strategy |
| National Military Strategic Plan for the War on Terrorism | Updated link to: https://digitalndulibrary.ndu.edu/cdm/compoundobject/collection/strategy/id/9695/rec/8 |
| Title 44 – Federal Information Security Modernization Act (Ch. 35) | Updated link to reflect the amendments effected by the Federal Information Security Modernization Act to amend the Federal Information Security Management Act: https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf |
| CNSSI 1300 | De-italicized to show that a publicly accessible link is available at: https://www.cnss.gov/CNSS/issuances/Instructions.cfm |
| DFARS Subpart 208.74 | Updated link to: http://www.acq.osd.mil/dpap/dars/dfars/html/current/208_74.htm |
| DoDD 8570.01 | Directive was superseded by 8140.01. |
| DoDD 5000.02 | Updated broken link to: http://www.dtic.mil/whs/directives/corres/pdf/500002p.pdf |
| CJCSI 6211.02D | Updated link to: http://www.dtic.mil/cjcs_directives/cdata/unlimit/6211_02a.pdf |
15 Aug 2015
| Document Name | Change / Justification |
|---|---|
| National Military Strategy (NMS) | Link updated to 2015 NMS http://www.jcs.mil/Portals/36/Documents/Publications/National_Military_Strategy_2015.pdf |
| National Security Strategy (NSS) | 2015 NSS added: https://www.whitehouse.gov/sites/default/files/docs/2015_national_security_strategy_2.pdf |
| National Military Strategy for Cyberspace Operations (NMS-CO) | Former link changed. New link is http://nsarchive.gwu.edu/NSAEBB/NSAEBB424/docs/Cyber-023.pdf |
| DoDD 8140.01 Cyberspace Workforce Management | Signed 11 Aug 2015, cancelled DoD Directive 8570.01, “Information Assurance (IA) Training, Certification, and Workforce Management,” August 15, 2004, as amended. |
| DoDI 8330.01 Interoperability of IT and National Security Systems (NSS) | Correct spacing in title. |
| CJCSI 3170.01H Joint Capabilities Integration and Development System (JCIDS) | Updated to CJCSI 3170.01I at https://dap.dau.mil/policy/Documents/2015/CJCSI_3170_01I.pdf |
| Presidential Memo, “Classified Information and Controlled Unclassified Information, “27 May 09” | Memo withdrawn. Removed from chart. |
| FAR Federal Acquisition Regulation | Former link changed. New link is https://www.acquisition.gov/?q=browsefar |
24 Apr 2015
| Document Name | Change / Justification |
|---|---|
| The DoD Cyber Strategy | New Issuance, 23 Apr 2015 |
| Comprehensive National Cybersecurity Initiative | Removed |
| DoDI S-5240.23, Counterintelligence (CI) Activities in Cyberspace | Added new link to aid those with SIPRNet access to find document. |
| DoDI S-5200.16, Objectives and Min Stds for COMSEC Measures used in NC2 Comms | Added new link to aid those with SIPRNet access to find document. |
| DoDD S-5100.44, Defense and National Leadership Command Capability (DNLCC) | Added new link to aid those with SIPRNet access to find document. |
| DoDD O-5100.30, Department of Defense (DoD) Command and Control (C2) | Superseded by DoD DoDD 3700.01, DoD Command and Control (C2) Enabling Capabilities |
| DoDD O-8530.1, Computer Network Defense (CND) | Added new link to aid those with a DoD PKI cert to access this document. |
| DoDI O-8530.2, Support to Computer Network Defense (CND) | Added new link to aid those with a DoD PKI cert to access this document. |
| DoD O-8530.1-M, CND Service Provider Certification and Accreditation Program | Added new link to aid those with a DoD PKI cert to access this document. |
17 Feb 2015
| Document Name | Change / Justification |
|---|---|
| Executive Order 13691, Promoting Private Sector Cybersecurity Information Sharing | New Issuance, 13 Feb 2015 |
| National Security Strategy | New Issuance, Feb 2015 |
| NIST SP – 800-37 Rev 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach | New link includes updates as of 6 May 2014 |
| SP 800-61 Rev. 2, Computer Security Incident Handling Guide | Updated link |
| FIPS 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors | Superseded by FIPS 201-2, Personal Identity Verification (PIV) of Federal Employees and Contractors |
| DoD Defending Networks, Systems, and Data Strategy | New direct link |
| DoD Cyber, Identity & Information Assurance Strategic Plan | Updated link |
| National Military Strategy | Updated link |
| CNSSAM IA 1-10, Reducing Risk of Removable Media in NSS | Updated link |
| CNSSI-1300, Instructions for NSS PKI X.509SP | Updated link |
| DoDI 5000.02, Operation of the Defense Acquisition System | Updated link |
| DoD CIO Memo Interim Guidance on Networthiness of IT Connected to DoD Networks | Updated link |
| NSSMOA between DoD CIO and ODNI CIO Establishing Net-Centric Software Licensing Agreements | Updated link |
| Title 44 – Federal Information Security Mgt Act, (§3541 et seq) | Updated link |
| NSTISSI-4002 Classification Guide for COMSEC Information | Removed to make room for new E.O. 13691 (the NSTISSI-4002 did not have a public-facing link anyway) |
| Security Technical Implementation Guides (STIGs) | Updated link |
| About this chart box | Updated the text |
If you see any links that have changed, policies that have been updated or added, or any other changes that should be made to the chart, please send an email to info@csiac.org