NAVY - OPNAV 5239.1D
(N2N6) U.S. NAVY CYBERSECURITY PROGRAM
Publication Date: 18 July 2018
Scope and Applicability
a. This instruction is consistent with and supports references (b) and (c), and includes roles and responsibilities that enable the Office of the Chief of Naval Operations (OPNAV), the fleet, echelon 2 commands, systems commands (SYSCOM), type commands, program executive offices (PEO), and other development and acquisition activities to implement cybersecurity. It applies to all USN activities and organizations, as well as contractors and their sub-contractors, and contractor facilities (with appropriate contract provisions) that perform the functions in subparagraphs 3a(1) through 3a(4).
(1) Design, construct, operate, maintain, upgrade, procure, test, access, use, oversee, or manage Navy collateral and general service top secret and below USN networks and information systems (IS) used to receive, process, store, display, or transmit DoD classified or unclassified information. This may or may not comprise a National Security System and includes use in foreign military sales (FMS) programs (incorporation of cyber capabilities in FMS platforms will be in line with technology releasability policies for FMS customers). IT is the collective term that encompasses IS, platform IT or industrial control systems, IT products, IT services, and any other IT asset. With regard to the risk management framework and the rest of this instruction, there is no assessment and authorization process distinction between platform IT or industrial control systems and other IT.
(2) Process data or information regardless of classification and not limited to national security information as defined in reference (d).
(3) Operate systems on behalf of USN or own facilities or systems that process any information associated with USN contracts. Contractors processing classified information must also comply with reference (e). Contractors processing personally identifiable information must also comply with reference (f) and DoD Instruction 8582.01 of 6 June 2012.
(4) Operate systems, infrastructure, software, or platforms on behalf of USN or own facilities or systems that process any information associated with cloud service providers or cloud service offerings outlined in reference (g).
b. For the purposes of this instruction, the terms "fleet commanders" and "fleet" refer to operational forces inclusive of all warfighting domains, to include U.S. Fleet Forces Command (USFLTFORCOM), U.S. Pacific Fleet (COMPACFLT), and numbered fleet commands.
c. This policy will not alter or supersede the existing authorities and policies of the Director of National Intelligence and Deputy Chief of Naval Operations for Information Warfare (CNO (N2N6)), as the Navy head of the intelligence community (IC) element, regarding the protection of sensitive compartmented information (SCI) as directed by references (h) and (i). Additionally, this policy will not alter or supersede the existing authorities and policies of the Director, Department of the Navy (DON) Special Access Program Central Office set forth in references (j), (k), and (l), Executive Order 12344, and section 7158 of Title 42, U.S. Code.
d. This policy does not alter or supersede the existing authorities of the Director, Naval Nuclear Propulsion Program (CNO N00N), who also serves as the Naval Sea Systems Command Deputy Commander for Nuclear Propulsion Program (NAVSEASYSCOM 08) and National Nuclear Security Administration Deputy Administrator for Naval Reactors, as set forth in sections 2401 and 2511 of Title 50, U.S. Code. The responsibilities detailed in subparagraph 8f align with and reinforce the existing responsibilities of CNO N00N for the supervision of all technical aspects of the Naval Nuclear Propulsion Program (NNPP), including oversight of program support in the area of cybersecurity of naval nuclear propulsion information (NNPI) and NNPP-related systems.
e. This policy is not to be interpreted as contradictory to the authority of operational commanders (e.g., carrier or expeditionary strike group commanders) and commanding officers regarding their responsibilities as outlined in the Navy Regulations. This instruction incorporates cybersecurity with their responsibilities to maintain readiness, organize forces and resources, develop training strategies and plans, act in self-defense of the unit, and immediately report departure from instructions.
f. This policy is intended to bridge the gap between DoD's replacement of the term information assurance (IA), as used in reference (m), with its successor cybersecurity. While applicable policies are under revision, the term cybersecurity as used in this policy will replace the term IA where applicable.
g. This instruction is aligned with and designed to be implemented harmoniously with the DON Cybersecurity Safety (CYBERSAFE) Program, reference (n). CYBERSAFE is intended primarily to identify and ensure sufficient protection and resiliency of mission critical IT in a contested environment, and does not conflict with the intent or execution of risk management framework. CYBERSAFE is not a substitute for risk management framework.
h. Federal, DoD, and DON policy take precedence over any conflicting requirements of this instruction. Implementing authorities should identify conflicting policy to DON Deputy Chief Information Officer (Navy) (DDCIO(N)) for resolution.
a. This instruction establishes policies and procedures and assigns responsibilities for executing and maintaining the United States Navy's (USN) Cybersecurity Program and implements the provisions of references (a) through (aw).
b. Specifically included in this instruction is the USN policy and the responsibilities pertaining to reference (a), which replaces the Department of Defense (DoD) information assurance certification and accreditation process (DIACAP) with the risk management framework for DoD information technology (IT). This instruction is a complete revision and should be reviewed in its entirety.