DODD 5200.44 CE-03
Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN)
Publication Date: 15 October 2018
PURPOSE. This Instruction, in accordance with the authorities in DoD Directive (DoDD) 5134.01 (Reference (a)) and DoDD 5144.02 (Reference (b)):
a. Establishes policy and assigns responsibilities to minimize the risk that DoD's warfighting mission capability will be impaired due to vulnerabilities in system design or sabotage or subversion of a system's mission critical functions or critical components, as defined in this Instruction, by foreign intelligence, terrorists, or other hostile elements.
b. Implements the DoD's TSN strategy, described in the Report on Trusted Defense Systems (Reference (c)) as the Strategy for Systems Assurance and Trustworthiness, through Program Protection and cybersecurity implementation to provide uncompromised weapons and information systems. The TSN strategy integrates robust systems engineering, supply chain risk management (SCRM), security, counterintelligence,
c. Incorporates and cancels Directive-Type Memorandum 09-016 (Reference (d)).
d. Directs actions in accordance with the SCRM implementation strategy of National Security Presidential Directive 54/Homeland Security Presidential Directive 23 (Reference (e)), section 806 of Public Law 111-383 (Reference (f)), DoDD 5000.01 (Reference (g)), DoDI 5000.02 (Reference (h)), DoDI 8500.01 (Reference (i)), Committee on National Security Systems Directive No. 505 (Reference (j)), and National Institute for Science and Technology Special Publication 800-161 (Reference (k)).
APPLICABILITY. This Instruction applies to:
a. OSD, the Military Departments, the Office of the Chairman of the Joint Chiefs of Staff (CJCS) and the Joint Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense, the Defense Agencies, the DoD Field Activities, and all other organizational entities within the DoD (hereinafter referred to collectively as the "DoD Components").
b. The United States Coast Guard. The United States Coast Guard will adhere to DoD cybersecurity requirements, standards, and policies in this issuance in accordance with the direction in Paragraphs 4a, b, c, and d of the Memorandum of Agreement Between the Department of Defense and the Department of Homeland Security (Reference (l)).
c. All DoD information systems and weapons systems that are or include systems described in subparagraphs 2.b.(1) through 2.b.(3) (hereinafter referred to collectively as "applicable systems"):
(1) National security systems as defined by section 3552 of title 44, United States Code (U.S.C.) (Reference (m)). Although DoD's Non-classified Internet Protocol Router Network (NIPRNet) and its enclaves are considered national security systems in accordance with CJCS Instruction 6211.02D (Reference (n)), they are exempted from this instruction due to the need to prioritize use of limited TSN enterprise capabilities unless paragraph 2.b.(2) or 2.b.(3) applies;
(2) Any DoD system with a high impact level for any of the three security objectives (confidentiality, integrity, and availability) in accordance with the system categorization procedures in DoDI 8510.01 (Reference (o)); or
(3) Other DoD information systems that the DoD Component's acquisition executive or chief information officer, or designee, determines are critical to the direct fulfillment of military or intelligence missions, which may include some connections to or enclaves of NIPRNet and some industrial control systems.
d. All mission critical functions and critical components within applicable systems identified through a criticality analysis, including spare or replacement parts. For the purposes of this Instruction, only information and communications technology (ICT) components in applicable systems shall be considered for the processes described herein until this Applicability section is modified in accordance with Enclosure 2, paragraph 1.f.