DoDI 8500.2 IA Controls have to be addressed and validated for DIACAP Compliance
IA Control Definition:
An objective DoDI 8500.2 IA condition of integrity, availability, or confidentiality achieved through the application of specific safeguards or through the regulation of specific activities that is expressed in a specified format (i.e., a control number, a control name, control text, and a control class). Specific management, personnel, operational, and technical controls are applied to each DoD information system to achieve an appropriate level of integrity, availability, and confidentiality in accordance with OMB Circular A-130 (reference (v)).
How DoDI 8500.2 IA Controls are implemented:
An IA Control describes an objective IA condition achieved through the application of specific safeguards or through the regulation of specific activities. The objective condition is testable, compliance is measurable, and the activities required to achieve the IA Control are assignable and thus accountable. DoDI 8500.2, Enclosure 3, establishes fundamental IA requirements for DoD Information Systems in the form of two sets of graded baseline IA Controls.
How IA Controls are assigned under DIACAP:
The baseline sets of DoDI 8500.2 IA Controls are pre-defined based on the determination of the Mission Assurance Category (“MAC”) and the Confidentiality Level. IA Controls addressing availability and integrity requirements are tied to the system’s MAC, which reflects the importance of the information to the mission, particularly the war fighters’ combat mission. IA Controls addressing confidentiality requirements are based on the sensitivity or classification of the information. The set of IA Controls applicable to any given DoD information system is always the combination of the IA Controls for its Mission Assurance Category and the IA Controls for its Confidentiality Level.
These baseline IA levels are achieved by applying the specified set of IA Controls within a comprehensive IA program that includes acquisition, proper security engineering, connection management, and IA administration. Because each IA Control describes a testable objective condition, compliance with the baseline is measurable and the activities required to achieve each control are assignable and thus accountable.
DoDI 8500.2 IA Control matrix by subject area:
Below is a chart of the number of controls by DoDI 8500.2 IA control subject area. The number of controls required for accreditation under DIACAP varies by the Mission Assurance Category and Classification of the system being certified. For the most part, systems with a higher MAC/CL are required to meet a greater number of controls (115 for MAC I Classified) due to higher availability and integrity thresholds.
A MAC I Classified system has 115 IA Controls in total: 32 for integrity, 38 for availability, and 45 for confidentiality. By contrast, a MAC III Sensitive system has 98 IA Controls.
| Abbreviation | Subject Area | Number of IA Controls by Subject Area |
|---|---|---|
| DC | Security Design & Configuration | 31 |
| IA | Identification and Authentication | 9 |
| EC | Enclave and Computing Environment | 48 |
| EB | Enclave Boundary Defense | 8 |
| PE | Physical and Environmental | 27 |
| VI | Vulnerability and Incident Management | 3 |
DoDI 8500.2 IA Control Breakdown:
An IA Control is defined by the following information.
- Control Subject Area: One of eight groups indicating the major subject or focus area to which an individual IA Control is assigned.
- Control Name: A brief title phrase that describes the individual IA Control.
- Control Text: One or more sentences that describe the IA condition or state that the IA Control is intended to achieve.
- Control Number: A unique identifier consisting of four letters, a dash, and a number. The first two letters are an abbreviation for the subject area name and the second two letters are an abbreviation for the individual IA Control Name.
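The following Python is an added example, not part of this page or of any DoD publication. It turns two points above into working code: it validates control numbers against the four-letters, dash, number format and the subject-area abbreviations from the table, and it derives a system's applicable control set as the union of its MAC baseline and its Confidentiality Level baseline, then reports which of those controls still lack validation evidence. The baseline catalogue (which control numbers fall under which MAC or Confidentiality Level) is a small constructed placeholder for illustration and is not the real DoDI 8500.2 baseline; the function names are assumptions as well.

```python
import re
from collections import Counter

# Subject-area abbreviations and names exactly as listed in the table above.
SUBJECT_AREAS = {
    "DC": "Security Design & Configuration",
    "IA": "Identification and Authentication",
    "EC": "Enclave and Computing Environment",
    "EB": "Enclave Boundary Defense",
    "PE": "Physical and Environmental",
    "VI": "Vulnerability and Incident Management",
}

# Control Number format from the page: two subject-area letters, two
# control-name letters, a dash, and a number.
CONTROL_NUMBER = re.compile(r"^([A-Z]{2})([A-Z]{2})-(\d+)$")

# CONSTRUCTED placeholder baselines, not the real DoDI 8500.2 assignments.
# Availability/integrity controls keyed by Mission Assurance Category.
MAC_BASELINE = {
    "I":   {"DCAR-1", "ECAR-3", "PEFI-1", "VIVM-1"},
    "II":  {"DCAR-1", "ECAR-2", "PEFI-1", "VIVM-1"},
    "III": {"DCAR-1", "ECAR-1", "PEFI-1", "VIVM-1"},
}
# Confidentiality controls keyed by Confidentiality Level.
CL_BASELINE = {
    "Classified": {"IAIA-1", "IAKM-1", "EBRP-1", "EBBD-1"},
    "Sensitive":  {"IAIA-1", "IAKM-1", "EBRP-1"},
    "Public":     {"IAIA-1", "EBRP-1"},
}


def parse_control_number(number):
    """Split a control number into (subject area, control abbreviation, level).

    Raises ValueError when the format is wrong or the subject area is not
    one of the abbreviations in the table.
    """
    match = CONTROL_NUMBER.match(number.strip())
    if not match:
        raise ValueError(f"malformed IA control number: {number!r}")
    area, name, level = match.groups()
    if area not in SUBJECT_AREAS:
        raise ValueError(f"unknown subject area {area!r} in {number!r}")
    return area, name, int(level)


def applicable_controls(mac, confidentiality_level):
    """Union of the MAC baseline and the Confidentiality Level baseline,
    with every catalogue entry checked against the control-number format."""
    controls = MAC_BASELINE[mac] | CL_BASELINE[confidentiality_level]
    for number in controls:
        parse_control_number(number)  # fail loudly on a bad catalogue entry
    return sorted(controls)


def count_by_subject_area(controls):
    """Count controls per subject-area abbreviation, as in the table above."""
    return dict(Counter(parse_control_number(c)[0] for c in controls))


def missing_controls(mac, confidentiality_level, validated):
    """Controls in the applicable baseline that have no validation evidence yet."""
    required = set(applicable_controls(mac, confidentiality_level))
    return sorted(required - set(validated))


if __name__ == "__main__":
    baseline = applicable_controls("I", "Classified")
    print("MAC I / Classified baseline:", baseline)
    print("per subject area:", count_by_subject_area(baseline))
    # Constructed evidence set: only two controls validated so far.
    print("still to validate:", missing_controls("I", "Classified", {"DCAR-1", "ECAR-3"}))
```

In practice the placeholder dictionaries would be replaced by the full control catalogue, but the structure stays the same: the MAC set and the Confidentiality Level set are kept separate and joined at assignment time, which mirrors how the page describes the baselines being combined.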