Praetorian Secure


Breakdown of IA Controls


An IA Control describes an objective IA condition achieved through the application of specific safeguards or through the regulation of specific activities. The objective condition is testable, compliance is measurable, and the activities required to achieve the IA Control are assignable and therefore accountable. The IA Controls are organized into eight subject areas, each indicating the major focus of the controls assigned to it; every control name begins with the two-letter code of its subject area (for example COxx, DCxx). Below is a breakdown of seven of the eight DoDI 8500.2 IA Control subject areas (the eighth, Enclave Boundary Defense, EBxx, is not covered here), with examples of Defense in Depth (DiD) strategy areas for each.

 

Continuity – COxx – IA Controls

The COxx series of IA Controls deals with the continuity of a system. Developing a comprehensive continuity, disaster recovery and emergency management plan for the system satisfies many of the COxx IA Controls.

Examples of DiD Strategy Areas: 

  • Data Backup Procedures

  • Alternate Site Designation

  • Protection of Backup and Restoration Assets

 

Security Design and Configuration – DCxx – IA Controls

The DCxx series deals with designing and maintaining a secure baseline. Addressing these IA Controls requires an intimate knowledge of the system's software, hardware and network configuration. You will also need to know the DoD policy for IA and IA-enabled products in order to understand what is fully required, or whether a given control is even applicable.

Examples of DiD Strategy Areas:

  • Software Controls

  • Ports, Protocols, and Services

  • Configuration Management Process

 

Enclave and Computing Environment – ECxx – IA Controls

The ECxx series deals with security features within the enclave or local area network. Some familiarity with network security helps, because several of these IA Controls address topics such as VPNs and remote authentication.

Examples of DiD Strategy Areas: 

  • Audit Trail Monitoring, Analysis and Reporting

  • Changes to Data

 

Identification & Authentication – IAxx – IA Controls

The IAxx series addresses the specific issues of logon and passwords, together with the other means by which users and devices prove their identity to the system.

Examples of DiD Strategy Areas:

  • Key Management

  • Token and Certificate Standards

 

Physical & Environmental – PExx – IA Controls

The PExx series deals with the physical security of sites, safety issues, and environmental controls such as humidity control systems.

Examples of DiD Strategy Areas:

  • Emergency Lighting

  • Fire Detection

  • Fire Inspection

 

Personnel – PRxx – IA Controls

The PRxx series deals with the training and access level of each person who has direct contact with the system.

Examples of DiD Strategy Areas:

  • Security Rules of Behavior or Acceptable Use Policy

  • Access to Information

  • Maintenance Personnel

 

Vulnerability and Incident Management – VIxx – IA Controls

The VIxx series deals with the vulnerability management process employed, including the process for applying patches under the Information Assurance Vulnerability Management (IAVM) program. It requires an explanation of what methods, if any, are used to systematically identify software or hardware vulnerabilities, and examines what mechanisms are in place to proactively mitigate new vulnerabilities when they are detected. It also checks the incident response plan, the notification process, and the members and roles of the incident response team.

Examples of DiD Strategy Areas:

  • Incident Response Planning

  • Vulnerability Management