
Build and Operate A Trusted DoDIN

This document provides an overview of various cybersecurity-related policies and issuances developed by the Department of Defense Deputy Chief Information Officer for Cybersecurity. It lists policies for organizing cybersecurity efforts, enabling secure data sharing, anticipating threats, and preparing defenses. Specific policies referenced relate to topics like cryptography, wireless security, information categorization, log management, systems engineering, and cooperation between government agencies. The document was last updated on January 11, 2022.

Uploaded by

pradhya

Build and Operate a Trusted DoDIN
Cybersecurity-Related Policies and Issuances

Developed by the DoD Deputy CIO for Cybersecurity
Last Updated: January 11, 2022
Send questions/suggestions to [email protected]

ORGANIZE
Lead and Govern
United States Intelligence Community Information Sharing Strategy
2019 National Intelligence Strategy
Summary of the 2018 DoD Artificial Intelligence Strategy
DoD Information Sharing Strategy

ORGANIZE ENABLE ANTICIPATE PREPARE AUTHORITIES


Understand the Battlespace Develop and Maintain Trust Title 10, US Code Title 14, US Code
Design for the Fight Secure Data in Transit Armed Forces Cooperation With Other Agencies
(§§2224, 3013(b), 5013(b), 8013(b)) (Ch. 7)
FIPS 140-3 NIST SP 800-153 FIPS 199 NIST SP 800-59 CNSSP-12 CNSSP-21
NIST SP 800-119 CNSSP-11 Security Requirements for Guidelines for Securing Wireless Local
Guidelines for the Secure Deployment Nat’l Policy Governing the Acquisition Standards for Security Categorization Guideline for Identifying an Information National IA Policy for Space Systems National IA Policy on Enterprise Title 32, US Code Title 40, US Code
Cryptographic Modules Area Networks of Federal Info. and Info. Systems System as a NSS Architectures for NSS National Guard Public Buildings, Property, and Works
of IPv6 of IA and IA-Enabled IT Used to Support NSS
(§102) (Ch. 113: §§11302, 11315, 11331)
CNSSP-1 CNSSP-15 NIST SP 800-60, Vol 1, R1 NIST SP 800-92
CNSS DFARS Use of Pub Standards for Secure NIST 800-160, vol.1, Systems Security CNSSI-5002, Telephony Isolation Used
National Policy for Safeguarding and Guide for Mapping Types of Info and Guide to Computer Security Log Engineering: ... Engineering of for Unified Comms. Implementations w/ Title 44, US Code Title 50. US Code
National Secret Fabric Architecture Subpart 208.74, Enterprise Software Control of COMSEC Material Sharing of Info Among NSS
Recommendations Agreements Info Systems to Security Categories Management Trustworthy Secure Systems in Physically Protected Spaces Federal Information Security Mod. Act, War and National Defense
CNSSP-19 (Chapter 35) (§§3002, 1801)
CNSSP-17 CNSSD-520
DoDD O-5100.19 (CAC req’d) Policy on Wireless Communications: National Policy Governing the Use of NISTIR 7693
DoDD 5000.01 Critical Information Communications Use of Mobile Devices to Process Nat’l DoDD 3020.40 DoDD 3100.10 UCP
The Defense Acquisition System Protecting Nat’l Security Info HAIPE Products Specification for Asset Identification 1.1 Mission Assurance
(CRITCOM) System Sec.Info Outside Secure Spaces Space Policy Clinger-Cohen Act, Pub. L. 104-106 Unified Command Plan
CNSSP-25 NSTISSP-101 (US Constitution Art II, Title 10 & 50)
National Policy for PKI in National National Policy on Securing Voice CNSSP-28 DoDI S-5240.23
DoDD 7045.20 DoDD 8115.01 Security Systems Communications Cybersecurity of Unmanned National Counterintelligence (CI) Activities in Strengthen Cyber Readiness NATIONAL / FEDERAL
Capability Portfolio Management IT Portfolio Management Security Systems Cyberspace
NACSI-2005 CNSSI-5000
Voice Over Internet Protocol (VoIP) NIST SP 800-18, R1 NIST SP 800-30, R1
DoDI 5000.02T DoDI 5000.87 Communications Security (COMSEC) Guide for Developing Security Plans Guide for Conducting Risk
Operation of the Defense Acquisition Operation of the Software Acquisition End Item Modification Computer Telephony (Annex I, VoSIP) Prevent and Delay Attackers Computer Fraud and Abuse Act Federal Wiretap Act
for Federal Information Systems Assessments Title 18 (§1030) Title 18 (§2510 et seq.)
System Pathway
NACSI-6002
and Prevent Attackers from Staying
CNSSI-5001
Type-Acceptance Program for VoIP Nat’l COMSEC Instruction Protection of NIST SP 800-39 NIST SP 800-126, R3 Pen Registers and Trap and Trace
DoDI 5200.44 DoDI 7000.14 Gov’t Contractor Telecomm’s FIPS 200 NIST SP 800-37 R2 Stored Communications Act
Protection of Mission Critical Functions Financial Management Policy and Telephones Minimum Security Requirements for Guide for Applying the Risk Mgt Managing Information Security Risk SCAP Ver. 1.3 Devices
Title 18 (§2701 et seq.) Title 18 (§3121 et seq.)
to Achieve TSN Procedures (PPBE) DoDD 8100.02 Federal Information Systems Framework to Fed. Info. Systems
CNSSI-7003 Use of Commercial Wireless Devices, NIST SP 800-213
DoDI 8115.02 DoDI 8310.01 Protected Distribution Systems (PDS) NIST SP 800-53A R4 NIST SP 800-137 Executive Order 13231
Services, and Tech in the DoD GIG NIST SP 800-53 R5 IoT Device Cybersecurity Guidance for Foreign Intelligence Surveillance Act
IT Portfolio Management Information Technology Standards Assessing Security & Privacy Controls Continuous Monitoring as Amended by EO 13286 - Critical
Security & Privacy Controls for the Federal Government Title 50 (§1801 et seq)
Implementation in the DoD DoDI 4650.01 Federal Information Systems in Fed. Info. Systems & Orgs. Infrastructure Protection in the Info Age
DoDD 8521.01E Policy and Procedures for Mgt and Use NIST SP 1800-25 Data Integrity:
DoDI 8510.01 Department of Defense Biometrics of the Electromagnetic Spectrum NIST SP 800-124, R1 CNSSD-505 Executive Order 13587
DoDI 8330.01 NIST SP 800-61, R2 Identifying and Protecting Assets Executive Order 13526
Risk Management Framework Supply Chain Risk Management Structural Reforms To Improve
Interoperability of IT and National Computer Security Incident Handling Guidelines for Managing the Security of Against Ransomware Classified National Security Information
Security Systems (NSS) for DoD IT DoDI 8100.04 DoDI 8420.01 Guide Mobile Devices in the Enterprise Classified Nets
DoD Unified Capabilities (UC) Commercial WLAN Devices, Systems, CNSSD-520 DoDD 3700.01
DoDI 8580.1 and Technologies NIST SP 800-128 NIST SP 800-163, R1 The Use of Mobile Devices to Process DoD Command and Control (C2) Executive Order 13691 EO 13636: Improving Critical
Information Assurance (IA) in the RMF Knowledge Service Guide for Security-Focused Vetting the Security of National Security Information Outside... Enabling Capabilities Promoting Private Sector Infrastructure Cybersecurity
Defense Acquisition System DoDI 8523.01 DoDI S-5200.16 Cybersecurity Information Sharing
Objectives and Min Stds for COMSEC Configuration Mgt of Info Systems Mobile Applications
Communications Security (COMSEC) DoDD S-3710.01 DoDI 8140.02 Identification, Tracking,
Measures used in NC2 Comms National Leadership Command And Reporting of Cyberspace NSD 42, National Policy for the
MOA between DoD CIO and ODNI CIO DODAF (Version 2.02) NIST SP 1800-26 CNSSI-1011 EO 13800: Strengthening
CJCSI 6510.06C Data Integrity: Detecting & Responding Implementing Host-Based Security Capability Workforce Requirements Security of Nat’l Security Telecom and
Establishing Net-Centric Software DoD Architecture Framework Cybersecurity of Fed Nets and CI
CJCSI 6510.02E to Ransomware Capabilities on NSS Information Systems
Licensing Agreements Communications Security Releases to
Cryptographic Modernization Plan DoDD 5101.21E
Foreign Nations DoDI 8500.01 EO 13873: Securing the Information
DTM 20-004 Enabling Cyberspace CNSSI-1013 CNSSI-1253 Unified Platform and Joint EO 14028: Improving the Nation’s
Common Criteria Evaluation and Cybersecurity and Communications Technology and
Accountability of DoD Components and Network Intrusion Detection Sys & Security Categorization and Control Cyber Command and Control (JCC2) Cybersecurity
Information Systems
Validation Scheme (CCEVS) Manage Access Intrusion Prevention Sys (IDS/IPS) Selection for Nat’l Security Systems Services Supply Chain
DoDI 8560.01 Joint Special Access Program (SAP)
CJCSI 5123.01H HSPD-12 FIPS 201-2 CNSSI-1253F, Atchs 1-5 CNSSAM IA 1-10, Reducing Risk of Implementation Guide (JSIG) NSPD 54 / HSPD 23 PPD 21: Critical Infrastructure Security
Joint Publication 6-0 Policy for a Common ID Standard for Personal Identity Verification (PIV) of COMSEC Monitoring
Charter of the JROC and Security Overlays Removable Media in NSS Computer Security and Monitoring and Resilience
Joint Communications System Federal Employees and Contractors Federal Employees and Contractors
Implementation of the JCID
NIST SP 800-207 NIST SP 800-210 DoDI 5000.90, Cybersecurity for DoDI 5200.39 Sustain Missions
General Access Control Guidance for Acquisition Decision Authorities and CPI Identification and Protection within PPD 41: United States Cyber Incident
Zero Trust Architecture PPD 28, Signals Intelligence Activities
Develop the Workforce Cloud Systems Program Managers RDT&E Coordination
NIST SP 800-34, R1 NIST SP 800-82, R2
NIST SP 1800-16 Contingency Planning Guide for Guide to Industrial Control Systems
CNSSP-3 DoDI 5205.83 DoDI 8530.01, Cybersecurity Activities
NIST SP 800-181 R1 CNSSD-500 Securing Web Transactions: TLS National Policy for Granting Access to DoD Insider Threat and Management Support to DoD Information Network Federal Information Systems (ICS) Security FAR A-130, Management of Fed Info
Workforce Framework for Information Assurance (IA) Education, Server Certificate Management Classified Cryptographic Information and Analysis Center Operations Federal Acquisition Regulation Resources
Cybersecurity Training, and Awareness CNSSP-18
CNSSP-22, IA Risk Management
CNSSP-10 CNSSP-16 DoDI 8551.01 National Policy on Classified
NSTISSD-501 DoDI 8531.01, DoD Vulnerability Policy for National Security Systems
CNSSD-504 Protecting National Nat’l Policy Gov. Use of Approved Sec. National Policy for the Destruction of Ports, Protocols, and Services Information Spillage National Strategy to Secure
National Training Program for Containers in Info Security Applications COMSEC Paper Material Management Ethics Regulations
Security Systems from Insider Threat Management (PPSM) Cyberspace
INFOSEC Professionals CNSSP-300 CNSSI-1001
CNSSD-507 CNSSD-506 National Policy on Control of National Instruction on Classified
CNSSI-4000 NSTISSI-4011 DoD O-8530.1-M (CAC req’d) Compromising Emanations Information Spillage
National Directive for ICAM National Directive to Implement PKI on DoDM 5105.21V1, SCI Admin Security NIST SP 800-63 series
Maintenance of Communications National Training Standard for CND Service Provider Certification and NIST Special Publication 800-Series
Capabilities... Secret Networks Manual: Info and Info Sys Security Digital Identity Guidelines
Security (COMSEC) Equipment INFOSEC Professionals Accreditation Program CNSSI-4004.1, Destruction and CNSSI-4007
NSTISSI-3028 Emergency Protection Procedures for Communications Security (COMSEC)
CNSSI-4012 CNSSI-4013 CNSSI-1300 CJCSI 6510.01F COMSEC and Class. Material Utility Program
Operational Security Doctrine for the DTM 17-007, Ch. 2, Defense Support NIST SP 800-88, R1,Guidelines for NIST SP 800-101, R1
National IA Training Standard for National IA Training Standard For Instructions for NSS PKI X.509 Information Assurance (IA) and
FORTEZZA User PCMCIA Card to Cyber Incident Response Media Sanitization Guidelines on Mobile Device Forensics
Senior Systems Managers System Administrators (SA) Computer Network Defense (CND) CNSSI-7000
NSTISSI-7001
CNSSI-4003 TEMPEST Countermeasures for
CNSSI-4001 NONSTOP Countermeasures
CNSSI-4014 NSTISSI-4015 Reporting and Evaluating COMSEC CJCSM 6510.01B CJCSM 6510.02 Facilities NIST SP 800-125A, R1, Security NIST SP 800-209
Controlled Cryptographic Items
National IA Training Standard For National Training Standard for System Incidents Cyber Incident Handling Program IA Vulnerability Mgt Program Recommendations for Hypervisor Security Guidelines for Storage
Information Systems Security Officers Certifiers Platforms Infrastructure
DoDD 3020.26 DoDD 3020.44
CNSSI-4005 CNSSI-4006
DoD Continuity Policy Defense Crisis Management
CNSSI-4016 Safeguarding COMSEC Facilities and Controlling Authorities for COMSEC CNSSD-502
DoDD 8140.01 Material NISTIR 7298, R3, Glossary of Key
National IA Training Standard For Risk Materials, amended by CNSS-008-14 National Directive On Security of
Cyberspace Workforce Management Information Security Terms
Analysts DoDD 8000.01 National Security Systems
DoDI 1000.25 DoDI 5200.01 DoDD 5144.02
Management of the DOD Information
DoDM 3305.09 DoD 8570.01-M DoD Personnel Identity Protection DoD Information Security Program and DoD Chief Information Officer
Enterprise CNSSD-900, Governing Procedures of CNSSD-901
Cryptologic Accreditation and Information Assurance Workforce (PIP) Program Protection of SCI the Committee on National Security Nat’l Security Telecomm’s and Info Sys
Certification Improvement Program DoDI 5000.83 DoDI 8410.02 Systems Security (CNSS) Issuance System
DoDI 5200.08 DoDI 5200.48 Technology & Program Protection to
Security of DoD Installations and Controlled Unclassified NetOps for the Global Information
Maintain Technological Advantage Grid (GIG) CNSSI-4009
Resources and the DoD PSRB Information(CUI) DoD Information Technology
Cmte on National Security Systems
Partner for Strength Environment Strategic Plan
DoDI 8520.03 ICD 503 UFC 4-010-06, Glossary
DoDI 8520.02 IT Systems Security Risk Management Cybersecurity of Facility-Related
Public Key Infrastructure (PKI) and Identity Authentication for Information
NIST SP 800-144 NIST SP 800-171, R2 and C&A Control Systems
Public Key (PK) Enabling Systems
Guidelines on Security and Privacy in Protecting CUI in Nonfederal Systems
OPERATIONAL
Public Cloud Computing and Organizations DoDM 5205.02 NSA IA Directorate (IAD) Management
DoDM 1000.13, Vol. 1 Defense Acquisition Guidebook
Directive MD-110
DoD Operations Security (OPSEC) Program Protection
NIST SP 800-172 CNSSP-14 DoD ID Cards: ID Card Life-cycle
Program Manual Cryptographic Key Protection
CYBERCOM Orders JFHQ-DODIN Orders
Enhanced Security Requirements for National Policy Governing the Release
Protecting CUI of IA Products/Services…
Assure Information Sharing
CNSSI-4008 DoDI 5205.13
Program for the Mgt and Use of Nat’l Defense Industrial Base (DIB) Cyber CNSSP-24 DoDI 8170.01 SUBORDINATE POLICY
Reserve IA Security Equipment Security (CS) / IA Activities Policy on Assured Info Sharing (AIS) Online Information Management and
for National Security Systems(NSS) Electronic Messaging
DoDM O-5205.13 DoD 5220.22-M, Ch. 2 Security Configuration Guides
Component-level Policy
DIB CS/IA Program Security National Industrial Security Program (Directives, Instructions, Publications,
DoDI 8320.02 DoDI 8582.01 (SCGs) Memoranda)
Classification Manual Operating Manual (NISPOM)
Sharing Data, Info, and IT Services in Security of Non-DoD Info Sys Processing
the DoD Unclassified Nonpublic DoD Information
Cybersecurity Maturity Model MOA Between DoD and DHS Security Technical Implementation
Certification (CMMC) (Jan. 19, 2017) CJCSI 6211.02D NSA IA Guidance Guides (STIGs)
CJCSI 3213.01D,
Defense Information System Network:
Joint Operations Security
(DISN) Responsibilities

ABOUT THIS CHART

- This chart organizes cybersecurity policies and guidance by Strategic Goal and Office of Primary Responsibility (see Color Key). Double-clicking* on the box directs users to the most authoritative publicly accessible source.
- Policies in italics indicate the document is marked for limited distribution or no authoritative public-facing hyperlink is currently available.
- The linked sites are not controlled by the developers of this chart. We regularly check the integrity of the links, but you may occasionally experience an error message due to problems at the source site or the site's decision to move the document. Please let us know if you believe the link is no longer valid.
- CNSS policies link only to the CNSS site.
- Boxes with red borders reflect recent updates.
- *Note: It is best to open this PDF directly in a browser. However, if you are unable to open the links directly from this PDF document, place your cursor over the target box and right-click to copy the link location. Open a web browser and paste the copied link into the address bar.
- For the latest version of this chart or email alerts to updates go to https://dodiac.dtic.mil/dod-cybersecurity-policy-chart/

Distribution Statement A: Approved for Public Release. Distribution is unlimited.
