Build and Operate a Trusted DoDIN
Cybersecurity-Related Policies and Issuances
Developed by the DoD Deputy CIO for Cybersecurity
Last Updated: November 29, 2021
Send questions/suggestions to [email protected]
ORGANIZE
Lead and Govern
United States Intelligence Community Information Sharing Strategy
2019 National Intelligence Strategy
Summary of the 2018 DoD Artificial Intelligence Strategy
DoD Information Sharing Strategy
ORGANIZE ENABLE ANTICIPATE PREPARE AUTHORITIES
Understand the Battlespace Develop and Maintain Trust Title 10, US Code Title 14, US Code
Design for the Fight Secure Data in Transit Armed Forces Cooperation With Other Agencies
(§§2224, 3013(b), 5013(b), 8013(b)) (Ch. 7)
FIPS 140-3 NIST SP 800-153 FIPS 199 NIST SP 800-59 CNSSP-12 CNSSP-21
NIST SP 800-119 CNSSP-11 Security Requirements for Guidelines for Securing Wireless Local
Guidelines for the Secure Deployment Nat’l Policy Governing the Acquisition Standards for Security Categorization Guideline for Identifying an Information National IA Policy for Space Systems National IA Policy on Enterprise Title 32, US Code Title 40, US Code
Cryptographic Modules Area Networks of Federal Info. and Info. Systems System as a NSS Architectures for NSS National Guard Public Buildings, Property, and Works
of IPv6 of IA and IA-Enabled IT Used to Support NSS
(§102) (Ch. 113: §§11302, 11315, 11331)
CNSSP-1 CNSSP-15 NIST SP 800-60, Vol 1, R1 NIST SP 800-92
CNSS DFARS Use of Pub Standards for Secure NIST 800-160, vol.1, Systems Security CNSSI-5002, Telephony Isolation Used
National Policy for Safeguarding and Guide for Mapping Types of Info and Guide to Computer Security Log Engineering: ... Engineering of for Unified Comms. Implementations w/ Title 44, US Code Title 50, US Code
National Secret Fabric Architecture Subpart 208.74, Enterprise Software Control of COMSEC Material Sharing of Info Among NSS
Recommendations Agreements Info Systems to Security Categories Management Trustworthy Secure Systems in Physically Protected Spaces Federal Information Security Mod. Act, War and National Defense
CNSSP-19 (Chapter 35) (§§3002, 1801)
CNSSP-17 CNSSD-520
DoDD O-5100.19 (CAC req’d) Policy on Wireless Communications: National Policy Governing the Use of NISTIR 7693
DoDD 5000.01 Critical Information Communications Use of Mobile Devices to Process Nat’l DoDD 3020.40 DoDD 3100.10 UCP
The Defense Acquisition System Protecting Nat’l Security Info HAIPE Products Specification for Asset Identification 1.1 Mission Assurance
(CRITCOM) System Sec.Info Outside Secure Spaces Space Policy Clinger-Cohen Act, Pub. L. 104-106 Unified Command Plan
CNSSP-25 NSTISSP-101 (US Constitution Art II, Title 10 & 50)
National Policy for PKI in National National Policy on Securing Voice CNSSP-28 DoDI S-5240.23
DoDD 7045.20 DoDD 8115.01 Security Systems Communications Cybersecurity of Unmanned National Counterintelligence (CI) Activities in Strengthen Cyber Readiness NATIONAL / FEDERAL
Capability Portfolio Management IT Portfolio Management Security Systems Cyberspace
NACSI-2005 CNSSI-5000
DoDI 5000.02T DoDI 5000.87 Communications Security (COMSEC) Voice Over Internet Protocol (VoIP) NIST SP 800-18, R1 NIST SP 800-30, R1
Operation of the Defense Acquisition Operation of the Software Acquisition End Item Modification Computer Telephony (Annex I, VoSIP) Prevent and Delay Attackers Guide for Developing Security Plans Guide for Conducting Risk Computer Fraud and Abuse Act Federal Wiretap Act
Title 18 (§1030) Title 18 (§2510 et seq.)
System Pathway
NACSI-6002
and Prevent Attackers from Staying for Federal Information Systems Assessments
CNSSI-5001
Type-Acceptance Program for VoIP Nat’l COMSEC Instruction Protection of Pen Registers and Trap and Trace
DoDI 5200.44 DoDI 7000.14 Gov’t Contractor Telecomm’s FIPS 200 NIST SP 800-37 R2 Stored Communications Act
Financial Management Policy and Telephones NIST SP 800-126, R3 NIST SP 800-137 Devices
Protection of Mission Critical Functions Minimum Security Requirements for Guide for Applying the Risk Mgt Title 18 (§2701 et seq.)
Procedures (PPBE) SCAP Ver. 1.3 Continuous Monitoring Title 18 (§3121 et seq.)
to Achieve TSN DoDD 8100.02 Federal Information Systems Framework to Fed. Info. Systems
CNSSI-7003 Use of Commercial Wireless Devices,
DoDI 8115.02 DoDI 8310.01 Protected Distribution Systems (PDS) Services, and Tech in the DoD GIG NIST SP 800-53 R5 NIST SP 800-53A R4 NIST SP 1800-25 Data Integrity: Executive Order 13231
NIST SP 800-39 Foreign Intelligence Surveillance Act as Amended by EO 13286 - Critical
IT Portfolio Management Information Technology Standards Security & Privacy Controls for Assessing Security & Privacy Controls Identifying and Protecting Assets Title 50 (§1801 et seq)
Implementation in the DoD DoDI 4650.01 Federal Information Systems in Fed. Info. Systems & Orgs. Managing Information Security Risk Infrastructure Protection in the Info Age
Against Ransomware
DoDD 8521.01E Policy and Procedures for Mgt and Use
DoDI 8330.01 DoDI 8510.01 Department of Defense Biometrics of the Electromagnetic Spectrum NIST SP 800-124, R1 Executive Order 13587
NIST SP 800-61, R2 Executive Order 13526
Interoperability of IT and National Risk Management Framework Computer Security Incident Handling Guidelines for Managing the Security of CNSSD-520 Structural Reforms To Improve
CNSSD-505 Classified National Security Information Classified Nets
Security Systems (NSS) for DoD IT DoDI 8100.04 DoDI 8420.01 Guide Mobile Devices in the Enterprise The Use of Mobile Devices to Process
Supply Chain Risk Management
DoD Unified Capabilities (UC) Commercial WLAN Devices, Systems, National Security Information Outside...
DoDI 8580.1 and Technologies NIST SP 800-128 NIST SP 800-163, R1 Executive Order 13691 EO 13636: Improving Critical
Information Assurance (IA) in the RMF Knowledge Service Guide for Security-Focused Vetting the Security of DoDD 3700.01 DoDD S-3710.01 Promoting Private Sector Infrastructure Cybersecurity
Defense Acquisition System DoDI 8523.01 DoDI S-5200.16 DoD Command and Control (C2) National Leadership Command Cybersecurity Information Sharing
Objectives and Min Stds for COMSEC Configuration Mgt of Info Systems Mobile Applications
Communications Security (COMSEC) Enabling Capabilities Capability
Measures used in NC2 Comms NSD 42, National Policy for the
MOA between DoD CIO and ODNI CIO DODAF (Version 2.02) NIST SP 1800-26 CNSSI-1011 EO 13800: Strengthening
CJCSI 6510.06C Data Integrity: Detecting & Responding Implementing Host-Based Security DoDD 5101.21E Security of Nat’l Security Telecom and
Establishing Net-Centric Software DoD Architecture Framework DoDI 8500.01 Cybersecurity of Fed Nets and CI
CJCSI 6510.02E to Ransomware Capabilities on NSS Unified Platform and Joint Information Systems
Licensing Agreements Communications Security Releases to Cybersecurity
Cryptographic Modernization Plan Cyber Command and Control (JCC2)
Foreign Nations EO 13873: Securing the Information
DTM 20-004 Enabling Cyberspace CNSSI-1013 CNSSI-1253 Executive Order on Improving the
Common Criteria Evaluation and Network Intrusion Detection Sys & Security Categorization and Control and Communications Technology and
Accountability of DoD Components and DoDI 8560.01 Nation’s Cybersecurity
Information Systems
Validation Scheme (CCEVS) Manage Access Intrusion Prevention Sys (IDS/IPS) Selection for Nat’l Security Systems Joint Special Access Program (SAP) Services Supply Chain
COMSEC Monitoring Implementation Guide (JSIG)
CJCSI 5123.01H HSPD-12 FIPS 201-2 CNSSI-1253F, Atchs 1-5 CNSSAM IA 1-10, Reducing Risk of NSPD 54 / HSPD 23 PPD 21: Critical Infrastructure Security
Joint Publication 6-0 Policy for a Common ID Standard for Personal Identity Verification (PIV) of Security Overlays Removable Media in NSS Computer Security and Monitoring and Resilience
Charter of the JROC and
Joint Communications System Federal Employees and Contractors Federal Employees and Contractors Sustain Missions
Implementation of the JCID
NIST SP 800-207 NIST SP 800-210 DoDI 5000.90, Cybersecurity for DoDI 5200.39
General Access Control Guidance for Acquisition Decision Authorities and CPI Identification and Protection within NIST SP 800-34, R1 NIST SP 800-82, R2 PPD 41: United States Cyber Incident
Zero Trust Architecture PPD 28, Signals Intelligence Activities
Develop the Workforce Cloud Systems Program Managers RDT&E Contingency Planning Guide for Guide to Industrial Control Systems Coordination
Federal Information Systems (ICS) Security
NIST SP 1800-16 CNSSP-3 DoDI 5205.83 DoDI 8530.01, Cybersecurity Activities
NIST SP 800-181 R1 CNSSD-500 Securing Web Transactions: TLS National Policy for Granting Access to DoD Insider Threat and Management Support to DoD Information Network FAR A-130, Management of Fed Info
Workforce Framework for Information Assurance (IA) Education, Server Certificate Management Classified Cryptographic Information and Analysis Center Operations CNSSP-18 Federal Acquisition Regulation Resources
Cybersecurity Training, and Awareness CNSSP-22, IA Risk Management
National Policy on Classified
Policy for National Security Systems
CNSSP-10 CNSSP-16 DoDI 8551.01 Information Spillage
NSTISSD-501 Nat’l Policy Gov. Use of Approved Sec. National Policy for the Destruction of DoDI 8531.01, DoD Vulnerability National Strategy to Secure
CNSSD-504 Protecting National Ports, Protocols, and Services
National Training Program for Containers in Info Security Applications COMSEC Paper Material Management Ethics Regulations
Security Systems from Insider Threat Management (PPSM) CNSSP-300 CNSSI-1001 Cyberspace
INFOSEC Professionals
National Policy on Control of National Instruction on Classified
CNSSD-507 CNSSD-506 DoD O-8530.1-M (CAC req’d)
CNSSI-4000 NSTISSI-4011 DoDM 5105.21V1, SCI Admin Security Compromising Emanations Information Spillage
National Directive for ICAM National Directive to Implement PKI on CND Service Provider Certification and NIST SP 800-63 series
Maintenance of Communications National Training Standard for Capabilities... Secret Networks Manual: Info and Info Sys Security NIST Special Publication 800-Series
Accreditation Program CNSSI-4007 Digital Identity Guidelines
Security (COMSEC) Equipment INFOSEC Professionals CNSSI-4004.1, Destruction and
NSTISSI-3028 Emergency Protection Procedures for Communications Security (COMSEC)
CNSSI-4012 CNSSI-4013 CNSSI-1300 CJCSI 6510.01F COMSEC and Class. Material Utility Program
Operational Security Doctrine for the DTM 17-007, Ch. 2, Defense Support NIST SP 800-88, R1, Guidelines for NIST SP 800-101, R1
National IA Training Standard for National IA Training Standard For Instructions for NSS PKI X.509 Information Assurance (IA) and
FORTEZZA User PCMCIA Card to Cyber Incident Response Media Sanitization Guidelines on Mobile Device Forensics
Senior Systems Managers System Administrators (SA) Computer Network Defense (CND) CNSSI-7000
NSTISSI-7001
CNSSI-4003 TEMPEST Countermeasures for
CNSSI-4001 NONSTOP Countermeasures
CNSSI-4014 NSTISSI-4015 Reporting and Evaluating COMSEC CJCSM 6510.01B CJCSM 6510.02 Facilities NIST SP 800-125A, R1, Security NIST SP 800-209
Controlled Cryptographic Items
National IA Training Standard For National Training Standard for System Incidents Cyber Incident Handling Program IA Vulnerability Mgt Program Recommendations for Hypervisor Security Guidelines for Storage
Information Systems Security Officers Certifiers Platforms Infrastructure
DoDD 3020.26 DoDD 3020.44
CNSSI-4005 CNSSI-4006
DoD Continuity Policy Defense Crisis Management
CNSSI-4016 Safeguarding COMSEC Facilities and Controlling Authorities for COMSEC CNSSD-502
DoDD 8140.01 Material NISTIR 7298, R3, Glossary of Key
National IA Training Standard For Risk Materials, amended by CNSS-008-14 National Directive On Security of
Cyberspace Workforce Management Information Security Terms
Analysts DoDD 8000.01 National Security Systems
DoDI 1000.25 DoDI 5200.01 DoDD 5144.02
Management of the DOD Information
DoDM 3305.09 DoD 8570.01-M DoD Personnel Identity Protection DoD Information Security Program and DoD Chief Information Officer
Enterprise CNSSD-900, Governing Procedures of CNSSD-901
Cryptologic Accreditation and Information Assurance Workforce (PIP) Program Protection of SCI the Committee on National Security Nat’l Security Telecomm’s and Info Sys
Certification Improvement Program DoDI 5000.83 DoDI 8410.02 Systems Security (CNSS) Issuance System
DoDI 5200.08 DoDI 5200.48 Technology & Program Protection to
Security of DoD Installations and Controlled Unclassified NetOps for the Global Information
Maintain Technological Advantage Grid (GIG) CNSSI-4009
Resources and the DoD PSRB Information (CUI) DoD Information Technology
Cmte on National Security Systems
Partner for Strength Environment Strategic Plan
DoDI 8520.03 ICD 503 UFC 4-010-06, Glossary
DoDI 8520.02 IT Systems Security Risk Management Cybersecurity of Facility-Related
Public Key Infrastructure (PKI) and Identity Authentication for Information
NIST SP 800-144 NIST SP 800-171, R2 and C&A Control Systems
Public Key (PK) Enabling Systems
Guidelines on Security and Privacy in Protecting CUI in Nonfederal Systems
OPERATIONAL
Public Cloud Computing and Organizations DoDM 5205.02 NSA IA Directorate (IAD) Management
DoDM 1000.13, Vol. 1 Defense Acquisition Guidebook
Directive MD-110
DoD Operations Security (OPSEC) Program Protection
NIST SP 800-172 CNSSP-14 DoD ID Cards: ID Card Life-cycle
Program Manual Cryptographic Key Protection
CYBERCOM Orders JFHQ-DODIN Orders
Enhanced Security Requirements for National Policy Governing the Release
Protecting CUI of IA Products/Services…
Assure Information Sharing
CNSSI-4008 DoDI 5205.13
Program for the Mgt and Use of Nat’l Defense Industrial Base (DIB) Cyber CNSSP-24 DoDI 8170.01 SUBORDINATE POLICY
Reserve IA Security Equipment Security (CS) / IA Activities Policy on Assured Info Sharing (AIS) Online Information Management and
for National Security Systems (NSS) Electronic Messaging
DoDM O-5205.13 DoD 5220.22-M, Ch. 2 Security Configuration Guides
Component-level Policy
DIB CS/IA Program Security National Industrial Security Program (Directives, Instructions, Publications,

ABOUT THIS CHART

This chart organizes cybersecurity policies and guidance by Strategic Goal and Office of Primary Responsibility (see Color Key). Double-clicking* on the box directs users to the most authoritative publicly accessible source.

Policies in italics indicate the document is marked for limited distribution or no authoritative public-facing hyperlink is currently available.

The linked sites are not controlled by the developers of this chart. We regularly check the integrity of the links, but you may occasionally experience an error message due to problems at the source site or the site's decision to move the document. Please let us know if you believe the link is no longer valid.

CNSS policies link only to the CNSS site.

Boxes with red borders reflect recent updates.

*Note: It is best to open this PDF directly in a browser. However, if you are unable to open the links directly from this PDF document, place your cursor over the target box and right-click to copy the link location. Open a web browser and paste the copied link into the address bar.

For the latest version of this chart or email alerts to updates go to https://dodiac.dtic.mil/dod-cybersecurity-policy-chart/

DoDI 8320.02 DoDI 8582.01 (SCGs) Memoranda)
Classification Manual Operating Manual (NISPOM)
Sharing Data, Info, and IT Services in Security of Non-DoD Info Sys Processing
the DoD Unclassified Nonpublic DoD Information
Cybersecurity Maturity Model MOA Between DoD and DHS Security Technical Implementation
Certification (CMMC) (Jan. 19, 2017) CJCSI 6211.02D NSA IA Guidance Guides (STIGs)
CJCSI 3213.01D, Joint Operations Security
Defense Information System Network: (DISN) Responsibilities
Distribution Statement A: Approved for Public Release. Distribution is unlimited.