DODD 8530.01 CE-01
Cybersecurity Activities Support to DoD Information Network Operations
|Publication Date:||25 July 2017|
PURPOSE. In accordance with the authority in DoD Directive (DoDD) 5144.02 (Reference (a)), this instruction:
a. Reissues DoDD O-8530.1 (Reference (b)) as a DoD Instruction (DoDI) and incorporates and cancels DoDI O-8530.2 (Reference (c)) to establish policy and assign responsibilities to protect the Department of Defense information network (DODIN) against unauthorized activity, vulnerabilities, or threats.
b. Supports the Joint Information Environment (JIE) concepts as outlined in JIE Operations Concept of Operations (CONOPS) (Reference (d)).
c. Supports the formation of Cyber Mission Forces (CMF), development of the Cyber Force Concept of Operations and Employment, evolution of cyber command and control, cyberspace operations doctrine in Joint Publication 3-12 (Reference (e)), and evolving cyber threats.
d. Supports the Risk Management Framework (RMF) requirements to monitor security controls continuously, determine the security impact of changes to the DODIN and operational environment, and conduct remediation actions as described in DoDI 8510.01 (Reference (f).
e. Cancels Assistant Secretary of Defense for Command, Control, Communications, and Intelligence Memorandum (Reference (g)).
APPLICABILITY. This instruction:
a. Applies to OSD, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense (IG DoD), the Defense Agencies, the DoD Field Activities, and all other organizational entities within the DoD (referred to collectively in this instruction as the "DoD Components").
b. The United States Coast Guard (USCG). The USCG will adhere to DoD cybersecurity requirements, standards, and policies in this instruction in accordance with the direction in Paragraphs 4a, b, c, and d of the Memorandum of Agreement Between the Department of Defense and the Department of Homeland Security (Reference (cn)).
c. Applies to the DoDINDODIN. The DoDINDODIN includes DoD information technology (IT) (e.g., DoD-owned or DoD-controlled information systems (ISs), platform information technology (PIT) systems, IT products and services) as defined in DoDI 8500.01 (Reference (h)) and control systems and industrial control systems (ICSs) as defined in National Institute (NIST) Special Publication (SP) 800-82 (Reference (i)) that are owned or operated by or on behalf of DoD Components.
d. Applies to commercial cloud computing services that are subject to the DoD Cloud Computing Security Requirements Guide (Reference (j)), developed by Director, Defense Information Systems Agency (DISA).
e. Applies to cleared defense contractors who operate pursuant to DoD 5220.22-M (Reference (k)) and the National Industrial Security Program (NISP) in accordance with DoDI 5220.22 (Reference (l)), to the extent that its requirements are made applicable through incorporation into contracts.
f. Applies to mission partner systems connected to the DODIN in accordance with, and to the extent set forth in, a contract, memorandum of agreement (MOA), support agreement, or international agreement, subject to and consistent with DoDI 4000.19 (Reference (m) and DoDD 5530.03 (Reference (n)).
g. Does not alter or supersede the existing authorities and policies of the Director of National Intelligence regarding the protection of sensitive compartmented information (SCI) as directed by Executive Order 12333 (Reference (o)) and other laws and regulations.