NAVY - OPNAV 5239.1E

(N2N6) U.S. NAVY CYBERSECURITY PROGRAM

active, Most Current
Organization: NAVY
Publication Date: 17 November 2023
Status: active
Page Count: 45

Scope and Applicability

a. This instruction is consistent with and supports references (b) and (c), and includes roles and responsibilities that enable the Office of the Chief of Naval Operations (OPNAV), the fleet, echelon 2 commands, Systems Commands (SYSCOM), type commands, program executive offices (PEO) and other development and acquisition activities to implement cybersecurity. It applies to all USN activities and organizations, as well as contractors, their sub-contractors and contractor facilities (with appropriate contract provisions) that perform the functions in subparagraphs 3a(1) through 3a(4).

(1) Design, construct, operate, maintain, upgrade, procure, test, access, use, oversee or manage Navy collateral and general service Top Secret and below USN networks and information systems (IS) used to receive, process, store, display or transmit DoD classified or unclassified information. This may or may not comprise a National Security System and includes use in foreign military sales (FMS) programs (incorporation of cyber capabilities in FMS platforms will be in line with technology releasability policies for FMS customers). IT is the collective term that encompasses IS, industrial control systems, IT products, IT services and any other IT asset to include: facility related control systems; combat and weapons systems; navigation systems; propulsion systems; hull, mechanical and electrical systems; and infrastructures or software contractually operated on behalf of the U.S. Navy. With regards to Risk Management Framework and the rest of this instruction, there is no assessment and authorization process distinction between types of IT. Similarly, CYBERSAFE assessments are required for all types of IT.

(2) Process data or information regardless of classification and not limited to national security information as defined in reference (d).

(3) Operate systems on behalf of USN or own facilities or systems that process any information associated with USN contracts. Contractors processing classified information must also comply with reference (e). Contractors processing personally identifiable information must also comply with reference (f) and DoD Instruction 8582.01 of 6 June 2012.

(4) Operate systems, infrastructure, software or platforms on behalf of USN or own facilities or systems that process any information associated with cloud service providers or cloud service offerings outlined in reference (g).

b. For the purposes of this instruction, the terms "fleet commanders" and "fleet" refer to operational forces inclusive of all warfighting domains, to include U.S. Fleet Forces Command (USFLTFORCOM), U.S. Pacific Fleet (COMPACFLT), U.S. Fleet Cyber Command (FLTCYBERCOM) and numbered fleet commands.

c. This policy will not alter or supersede the existing authorities and policies of the Director of National Intelligence and Deputy Chief of Naval Operations for Information Warfare (CNO N2N6), as the Navy head of the intelligence community (IC) element, regarding the protection of sensitive compartmented information (SCI) and Controlled Access Program (CAP) information and systems wholly or partially funded by the National Intelligence Program (NIP) as directed by references (h) and (i). Additionally, this policy will not alter or supersede the existing authorities and policies of the Director, Department of the Navy (DON) Special Access Program Central Office set forth in references (j), (k) and (l), Executive Order 12344 and section 7158 of Title 42, U.S. Code.

d. This policy does not alter or supersede the existing authorities of the Director, Naval Nuclear Propulsion Program (CNO N00N), who also serves as the Naval Sea Systems Command Deputy Commander for Nuclear Propulsion Program (NAVSEASYSCOM 08) and National Nuclear Security Administration Deputy Administrator for Naval Reactors, as set forth in sections 2401 and 2511 of Title 50, U.S. Code. The responsibilities detailed in subparagraph 8f align with and reinforce the existing responsibilities of CNO N00N for the supervision of all technical aspects of the Naval Nuclear Propulsion Program (NNPP), including oversight of program support in the area of cybersecurity of naval nuclear propulsion information (NNPI) and NNPP-related systems.

e. This policy is not to be interpreted as contradictory to the authority of operational commanders (e.g., carrier or expeditionary strike group commanders) and commanding officers regarding their responsibilities as outlined in the Navy Regulations. This instruction incorporates cybersecurity with their responsibilities to maintain readiness, organize forces and resources, develop training strategies and plans, act in self-defense of the unit and immediately report departure from instructions.

f. Federal, DoD and DON policy take precedence over any conflicting requirements of this instruction. Implementing authorities should identify conflicting policy to DON Deputy Chief Information Officer (Navy) (DDCIO(N)) for resolution.

Purpose

a. This instruction establishes policies, procedures and assigns responsibilities for executing and maintaining the United States Navy's (USN) Cybersecurity Program and implements the provisions of references (a) through (bc). This instruction integrates the USN cybersecurity safety (CYBERSAFE) into the USN Cybersecurity Program in order to best position the U.S. Navy to fight and win with speed and agility in the increasingly contested and connected cyber-dominated battlespace by providing maximum reasonable assurance of resiliency for mission critical weapon systems, industrial control systems and information technology (IT) systems.

b. Specifically included in this instruction is the USN policy and the responsibilities pertaining to reference (a), which establishes the Department of Defense (DoD) implementation of the Risk Management Framework for DoD IT.

Document History

OPNAV 5239.1E
November 17, 2023
(N2N6) U.S. NAVY CYBERSECURITY PROGRAM
July 18, 2018
(N2N6) U.S. NAVY CYBERSECURITY PROGRAM
August 20, 2008
(N6) NAVY INFORMATION ASSURANCE (IA) PROGRAM
Purpose. This instruction establishes policies and procedures for the Navy's Information Assurance (IA) program. It implements the provisions of references (a) through (g). This instruction is a...
November 9, 1999
(N6) NAVY INFORMATION ASSURANCE (IA) PROGRAM
August 3, 1982
(N6) NAVY INFORMATION ASSURANCE (IA) PROGRAM
