{"title":"Department of Defense Instruction 8500.2 “Information Assurance (IA) Implementation:” A retrospective","authors":"P. Campbell","doi":"10.1109/CCST.2012.6393557","DOIUrl":null,"url":null,"abstract":"From the time of its publication on February 6, 2003, the Department of Defense Instruction 8500.2 “Information Assurance (IA) Implementation” (DoDI 8500.2) has provided the definitions and controls that form the basis for IA across the DoD. This is the document to which compliance has been mandatory. For over 9 years, as the world of computer security has swirled through revision after revision and upgrade after upgrade, moving, for example, from DITSCAP to DIACAP, this instruction has remained unrevised, in its original form. As this venerable instruction now nears end of life it is appropriate that we step back and consider what we have learned from it and what its place is in context. In this paper we first review the peculiar structure of DoDI 8500.2, including its attachments, its “Subject Areas,” its “baseline IA levels,” its implicit use of type, signatures (full, half, left, and right), and signature patterns, along with span, and class. To provide context and contrast we briefly present three other control sets, namely (1) the DITSCAP checklists that preceded DoDI 8500.2, (2) the up and coming NIST 800-53 that it appears will follow DoDI 8500.2, and (3) Cobit from the commercial world. We then compare the scope of DoDI 8500.2 with those three control sets. The paper concludes with observations concerning DoDI 8500.2 and control sets in general.","PeriodicalId":405531,"journal":{"name":"2012 IEEE International Carnahan Conference on Security Technology (ICCST)","volume":"34 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2012-12-31","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"10","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2012 IEEE International Carnahan Conference on Security Technology (ICCST)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CCST.2012.6393557","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 10
Abstract
From the time of its publication on February 6, 2003, the Department of Defense Instruction 8500.2 “Information Assurance (IA) Implementation” (DoDI 8500.2) has provided the definitions and controls that form the basis for IA across the DoD. This is the document to which compliance has been mandatory. For over 9 years, as the world of computer security has swirled through revision after revision and upgrade after upgrade, moving, for example, from DITSCAP to DIACAP, this instruction has remained unrevised, in its original form. As this venerable instruction now nears end of life it is appropriate that we step back and consider what we have learned from it and what its place is in context. In this paper we first review the peculiar structure of DoDI 8500.2, including its attachments, its “Subject Areas,” its “baseline IA levels,” its implicit use of type, signatures (full, half, left, and right), and signature patterns, along with span, and class. To provide context and contrast we briefly present three other control sets, namely (1) the DITSCAP checklists that preceded DoDI 8500.2, (2) the up and coming NIST 800-53 that it appears will follow DoDI 8500.2, and (3) Cobit from the commercial world. We then compare the scope of DoDI 8500.2 with those three control sets. The paper concludes with observations concerning DoDI 8500.2 and control sets in general.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
