2022-01-11-csiac-dod-cybersecurity-policy-chart.pdf

DoDD 5000.01 The Defense Acquisition System

DoDI 5000.02T Operation of the Defense Acquisition System

DoDD 8140.01 Cyberspace Workforce Management

DoDI 8510.01 Risk Management Framework for DoD IT

DoDI 8580.1 Information Assurance (IA) in the Defense Acquisition System

DoDD 3100.10 Space Policy

DoDI 1000.25 DoD Personnel Identity Protection (PIP) Program

CNSSP-12 National IA Policy for Space Systems Used to Support NSS

DoDD 8115.01 IT Portfolio Management

DoDI 8320.02 Sharing Data, Info, and IT Services in the DoD

DoDI 8115.02 IT Portfolio Management Implementation

DoDI S-5200.16 Objectives and Min Stds for COMSEC Measures used in NC2 Comms

CJCSI 6510.02E Cryptographic Modernization Plan

CJCSI 6510.06C Communications Security Releases to Foreign Nations

CNSSD-500 Information Assurance (IA) Education, Training, and Awareness

CNSSI-4012 National IA Training Standard for Senior Systems Managers

DoDI 8170.01 Online Information Management and Electronic Messaging

CNSSI-4013 National IA Training Standard For System Administrators (SA)

CNSSI-4016 National IA Training Standard For Risk Analysts

FIPS 199 Standards for Security Categorization of Federal Info. and Info. Systems

CNSSP-11 Nat’l Policy Governing the Acquisition of IA and IA-Enabled IT

CNSSP-14 National Policy Governing the Release of IA Products/Services…

NIST SP 800-53 R5 Security & Privacy Controls for Federal Information Systems

NIST SP 800-53A R4 Assessing Security & Privacy Controls in Fed. Info. Systems & Orgs.

NIST SP 800-37 R2 Guide for Applying the Risk Mgt Framework to Fed. Info. Systems

NIST SP 800-60, Vol 1, R1 Guide for Mapping Types of Info and Info Systems to Security Categories

NIST SP 800-59 Guideline for Identifying an Information System as a NSS

DoDI 8100.04 DoD Unified Capabilities (UC)

DoDI 4650.01 Policy and Procedures for Mgt and Use of the Electromagnetic Spectrum

DoDD 7045.20 Capability Portfolio Management

HSPD-12 Policy for a Common ID Standard for Federal Employees and Contractors

DoDI 5200.48 Controlled Unclassified Information (CUI)

FIPS 201-2 Personal Identity Verification (PIV) of Federal Employees and Contractors

DoDI 5200.08 Security of DoD Installations and Resources and the DoD PSRB

DoDI 5205.13 Defense Industrial Base (DIB) Cyber Security (CS) / IA Activities

CNSSI-4008 Program for the Mgt and Use of Nat’l Reserve IA Security Equipment

NSTISSI-4015 National Training Standard for System Certifiers

Build and Operate a Trusted DoDIN

DoDI 8420.01 Commercial WLAN Devices, Systems, and Technologies

DFARS Subpart 208.74, Enterprise Software Agreements

CJCSI 5123.01H Charter of the JROC and Implementation of the JCID

DoDI 7000.14 Financial Management Policy and Procedures (PPBE)

CNSSI-1253 Security Categorization and Control Selection for Nat’l Security Systems

Common Criteria Evaluation and Validation Scheme (CCEVS)

ABOUT THIS CHART

• This chart organizes cybersecurity policies and guidance by Strategic Goal and Office of Primary Responsibility (see Color Key). Double-clicking* on the box directs users to the most authoritative publicly accessible source.

• Policies in italics indicate the document is marked for limited distribution or no authoritative public-facing hyperlink is currently available.

• The linked sites are not controlled by the developers of this chart. We regularly check the integrity of the links, but you may occasionally experience an error message due to problems at the source site or the site's decision to move the document. Please let us know if you believe the link is no longer valid.

• CNSS policies link only to the CNSS site.

• Boxes with red borders reflect recent updates.

• *Note: It is best to open this PDF directly in a browser. However, if you are unable to open the links directly from this PDF document, place your cursor over the target box and right-click to copy the link location. Open a web browser and paste the copied link into the address bar.

• For the latest version of this chart or email alerts to updates go to https://dodiac.dtic.mil/dod-cybersecurity-policy-chart/

FIPS 140-3 Security Requirements for Cryptographic Modules

DoDI 8582.01 Security of Non-DoD Info Sys Processing Unclassified Nonpublic DoD Information

CJCSI 6211.02D Defense Information System Network: (DISN) Responsibilities

DoDD 8100.02 Use of Commercial Wireless Devices, Services, and Tech in the DoD GIG

DoDI 8330.01 Interoperability of IT and National Security Systems (NSS)

DoDI 8520.03 Identity Authentication for Information Systems

CJCSI 3213.01D, Joint Operations Security

RMF Knowledge Service

NIST 800-160, vol.1, Systems Security Engineering: … Engineering of Trustworthy Secure Systems

Distribution Statement A: Approved for Public Release. Distribution is unlimited.

Design for the Fight

ORGANIZE

Partner for Strength

Prevent and Delay Attackers and Prevent Attackers from Staying

Understand the Battlespace

ANTICIPATE

Secure Data in Transit

ENABLE

DoDM 1000.13, Vol. 1 DoD ID Cards: ID Card Life-cycle

Manage Access

Assure Information Sharing

Develop and Maintain Trust

Strengthen Cyber Readiness

PREPARE

Sustain Missions

CJCSM 6510.01B Cyber Incident Handling Program

DoDI 8530.01, Cybersecurity Activities Support to DoD Information Network Operations

DoD O-8530.1-M (CAC req’d) CND Service Provider Certification and Accreditation Program

DoDI 5200.39 CPI Identification and Protection within RDT&E

CJCSI 6510.01F Information Assurance (IA) and Computer Network Defense (CND)

CNSSP-21 National IA Policy on Enterprise Architectures for NSS

DoDI 8500.01 Cybersecurity

DoDD 8521.01E Department of Defense Biometrics

DoDI 8523.01 Communications Security (COMSEC)

ORGANIZE

Lead and Govern

DoDI 8560.01 COMSEC Monitoring

DoDD S-3710.01 National Leadership Command Capability

DoDD 3700.01 DoD Command and Control (C2) Enabling Capabilities

NIST SP 800-30, R1 Guide for Conducting Risk Assessments

NIST SP 800-18, R1 Guide for Developing Security Plans for Federal Information Systems

CNSSP-18 National Policy on Classified Information Spillage

CNSSP-22, IA Risk Management Policy for National Security Systems

DoDD 3020.44 Defense Crisis Management

CNSSP-300 National Policy on Control of Compromising Emanations

NSA IA Directorate (IAD) Management Directive MD-110 Cryptographic Key Protection

DODAF (Version 2.02) DoD Architecture Framework

NIST SP 800-119 Guidelines for the Secure Deployment of IPv6

Joint Publication 6-0 Joint Communications System

NIST SP 800-39 Managing Information Security Risk

NIST SP 800-92 Guide to Computer Security Log Management

FIPS 200 Minimum Security Requirements for Federal Information Systems

NSTISSI-3028 Operational Security Doctrine for the FORTEZZA User PCMCIA Card

CNSSP-3 National Policy for Granting Access to Classified Cryptographic Information

CNSSP-16 National Policy for the Destruction of COMSEC Paper Material

CNSSI-4001 Controlled Cryptographic Items

CNSSI-4003 Reporting and Evaluating COMSEC Incidents

CNSSI-5000 Voice Over Internet Protocol (VoIP) Computer Telephony (Annex I, VoSIP)

CNSSI-5001 Type-Acceptance Program for VoIP Telephones

NACSI-6002 Nat’l COMSEC Instruction Protection of Gov’t Contractor Telecomm’s

NSTISSP-101 National Policy on Securing Voice Communications

CNSSP-1 National Policy for Safeguarding and Control of COMSEC Material

CNSSP-17 Policy on Wireless Communications: Protecting Nat’l Security Info

CNSSP-15 Use of Pub Standards for Secure Sharing of Info Among NSS

CNSSP-25 National Policy for PKI in National Security Systems

CNSSI-7003 Protected Distribution Systems (PDS)

CNSSP-19 National Policy Governing the Use of HAIPE Products

NACSI-2005 Communications Security (COMSEC) End Item Modification

CNSSI-4006 Controlling Authorities for COMSEC Material

DoDD 3020.40 Mission Assurance

DoDD 5144.02 DoD Chief Information Officer

DoDI 8410.02 NetOps for the Global Information Grid (GIG)

Defense Acquisition Guidebook Program Protection

CNSSI-1001 National Instruction on Classified Information Spillage

CNSSI-4004.1, Destruction and Emergency Protection Procedures for COMSEC and Class. Material

CNSSI-7000 TEMPEST Countermeasures for Facilities

NSTISSI-7001 NONSTOP Countermeasures

DoDD 3020.26 DoD Continuity Policy

NSTISSD-501 National Training Program for INFOSEC Professionals

CNSSI-4000 Maintenance of Communications Security (COMSEC) Equipment

NSTISSI-4011 National Training Standard for INFOSEC Professionals

CNSSI-4014 National IA Training Standard For Information Systems Security Officers

CNSSI-4007 Communications Security (COMSEC) Utility Program

NIST SP 800-128 Guide for Security-Focused Configuration Mgt of Info Systems

NIST SP 800-126, R3 SCAP Ver. 1.3

NIST SP 800-137 Continuous Monitoring

Security Technical Implementation Guides (STIGs)

Component-level Policy (Directives, Instructions, Publications, Memoranda)

NSA IA Guidance

SUBORDINATE POLICY

Security Configuration Guides (SCGs)

OPERATIONAL

CNSSD-900, Governing Procedures of the Committee on National Security Systems

Executive Order 13691 Promoting Private Sector Cybersecurity Information Sharing

FAR Federal Acquisition Regulation

NIST Special Publication 800-Series

NSD 42, National Policy for the Security of Nat’l Security Telecom and Information Systems

A-130, Management of Fed Info Resources

NSPD 54 / HSPD 23 Computer Security and Monitoring

NATIONAL / FEDERAL

CNSSD-901 Nat’l Security Telecomm’s and Info Sys Security (CNSS) Issuance System

CNSSD-502 National Directive On Security of National Security Systems

Computer Fraud and Abuse Act Title 18 (§1030)

Federal Wiretap Act Title 18 (§2510 et seq.)

Pen Registers and Trap and Trace Devices Title 18 (§3121 et seq.)

Executive Order 13526 Classified National Security Information

Foreign Intelligence Surveillance Act Title 50 (§1801 et seq)

Stored Communications Act Title 18 (§2701 et seq.)

Ethics Regulations

National Strategy to Secure Cyberspace

CNSSI-4009 Cmte on National Security Systems Glossary

AUTHORITIES

Title 10, US Code Armed Forces (§§2224, 3013(b), 5013(b), 8013(b))

Title 32, US Code National Guard (§102)

Title 40, US Code Public Buildings, Property, and Works (Ch. 113: §§11302, 11315, 11331)

Title 50, US Code War and National Defense (§§3002, 1801)

Title 44, US Code Federal Information Security Mod. Act, (Chapter 35)

Clinger-Cohen Act, Pub. L. 104-106

Title 14, US Code Cooperation With Other Agencies (Ch. 7)

UCP Unified Command Plan (US Constitution Art II, Title 10 & 50)

CNSSI-4005 Safeguarding COMSEC Facilities and Materials, amended by CNSS-008-14

NIST SP 800-153 Guidelines for Securing Wireless Local Area Networks

CNSSI-1300 Instructions for NSS PKI X.509

NIST SP 800-144 Guidelines on Security and Privacy in Public Cloud Computing

CNSSI-1253F, Atchs 1-5 Security Overlays

CNSSI-5002, Telephony Isolation Used for Unified Comms. Implementations w/in Physically Protected Spaces

CNSSAM IA 1-10, Reducing Risk of Removable Media in NSS

MOA between DoD CIO and ODNI CIO Establishing Net-Centric Software Licensing Agreements

NIST SP 800-61, R2 Computer Security Incident Handling Guide

Executive Order 13231 as Amended by EO 13286 – Critical Infrastructure Protection in the Info Age

Executive Order 13587 Structural Reforms To Improve Classified Nets

DoDI 5200.44 Protection of Mission Critical Functions to Achieve TSN

DoDM 5105.21 V1, SCI Admin Security Manual: Info and Info Sys Security

DoDD 8000.01 Management of the DOD Information Enterprise

DoDM O-5205.13 DIB CS/IA Program Security Classification Manual

NISTIR 7298, R3, Glossary of Key Information Security Terms

NIST SP 800-124, R1 Guidelines for Managing the Security of Mobile Devices in the Enterprise

PPD 28, Signals Intelligence Activities

Develop the Workforce

PPD 21: Critical Infrastructure Security and Resilience

EO 13800: Strengthening Cybersecurity of Fed Nets and CI

CNSS National Secret Fabric Architecture Recommendations

NISTIR 7693 Specification for Asset Identification 1.1

NIST SP 800-171, R2 Protecting CUI in Nonfederal Systems and Organizations

DoDI 5200.01 DoD Information Security Program and Protection of SCI

PPD 41: United States Cyber Incident Coordination

DoDI 8310.01 Information Technology Standards in the DoD

CJCSM 6510.02 IA Vulnerability Mgt Program

NIST SP 800-88, R1, Guidelines for Media Sanitization

DTM 17-007, Ch. 2, Defense Support to Cyber Incident Response

DoDI S-5240.23 Counterintelligence (CI) Activities in Cyberspace

CNSSP-28 Cybersecurity of Unmanned National Security Systems

DoDI 8551.01 Ports, Protocols, and Services Management (PPSM)

Joint Special Access Program (SAP) Implementation Guide (JSIG)

CNSSP-24 Policy on Assured Info Sharing (AIS) for National Security Systems (NSS)

JFHQ-DODIN Orders

CYBERCOM Orders

NIST SP 800-163, R1 Vetting the Security of Mobile Applications

DoD Information Technology Environment Strategic Plan

EO 13873: Securing the Information and Communications Technology and Services Supply Chain

ICD 503 IT Systems Security Risk Management and C&A

DoD 5220.22-M, Ch. 2 National Industrial Security Program Operating Manual (NISPOM)

CNSSD-506 National Directive to Implement PKI on Secret Networks

NIST SP 800-101, R1 Guidelines on Mobile Device Forensics

CNSSD-520 Use of Mobile Devices to Process Nat’l Sec. Info Outside Secure Spaces

UFC 4-010-06, Cybersecurity of Facility-Related Control Systems

NIST SP 800-82, R2 Guide to Industrial Control Systems (ICS) Security

NIST SP 800-34, R1 Contingency Planning Guide for Federal Information Systems

DoD 8570.01-M Information Assurance Workforce Improvement Program

DoDI 8520.02 Public Key Infrastructure (PKI) and Public Key (PK) Enabling

NIST SP 800-63 series Digital Identity Guidelines

NIST SP 800-125A, R1, Security Recommendations for Hypervisor Platforms

EO 13636: Improving Critical Infrastructure Cybersecurity

Cybersecurity-Related Policies and Issuances

Developed by the DoD Deputy CIO for Cybersecurity

Last Updated: January 11, 2022

Send questions/suggestions to [email protected]

CNSSD-507 National Directive for ICAM Capabilities…

DoDI 8531.01, DoD Vulnerability Management

NIST SP 800-181 R1 Workforce Framework for Cybersecurity

DoDI 5205.83 DoD Insider Threat and Management and Analysis Center

DoDM 5205.02 DoD Operations Security (OPSEC) Program Manual

DoDI 5000.87 Operation of the Software Acquisition Pathway

DoDD O-5100.19 (CAC req’d) Critical Information Communications (CRITCOM) System

DoDM 3305.09 Cryptologic Accreditation and Certification

NIST SP 1800-16 Securing Web Transactions: TLS Server Certificate Management

NIST SP 800-207 Zero Trust Architecture

NIST SP 800-210 General Access Control Guidance for Cloud Systems

NIST SP 800-209 Security Guidelines for Storage Infrastructure

2019 National Intelligence Strategy

Summary of the 2018 DoD Artificial Intelligence Strategy

Cybersecurity Maturity Model Certification (CMMC)

DoD Information Sharing Strategy

United States Intelligence Community Information Sharing Strategy

DoDI 5000.83 Technology & Program Protection to Maintain Technological Advantage

NIST SP 1800-26 Data Integrity: Detecting & Responding to Ransomware

NIST SP 800-172 Enhanced Security Requirements for Protecting CUI

MOA Between DoD and DHS (Jan. 19, 2017)

DTM 20-004 Enabling Cyberspace Accountability of DoD Components and Information Systems

DoDI 5000.90, Cybersecurity for Acquisition Decision Authorities and Program Managers

NIST SP 1800-25 Data Integrity: Identifying and Protecting Assets Against Ransomware

EO 14028: Improving the Nation’s Cybersecurity

DoDD 5101.21E Unified Platform and Joint Cyber Command and Control (JCC2)

CNSSP-10 Nat’l Policy Gov. Use of Approved Sec. Containers in Info Security Applications

CNSSD-504 Protecting National Security Systems from Insider Threat

CNSSD-505 Supply Chain Risk Management

CNSSD-520 The Use of Mobile Devices to Process National Security Information Outside…

CNSSI-1011 Implementing Host-Based Security Capabilities on NSS

CNSSI-1013 Network Intrusion Detection Sys & Intrusion Prevention Sys (IDS/IPS)

DoDI 8140.02 Identification, Tracking, And Reporting of Cyberspace Workforce Requirements

NIST SP 800-213 IoT Device Cybersecurity Guidance for the Federal Government
