  • Question

    For systems security engineering, I need to know if there is a Data Item Description (DID) for the System Security Plan, Security Assessment Report, Risk Assessment Report, and Continuous Monitoring Plan. These are referenced in the NIST SP 800 documents and are relevant to achieving compliance with the Risk Management Framework. Thanks.


    Answer

    We apologize for the delay. Our sweep across the community took a little more time than expected, and we came up short. There isn't a specific DID as you requested. However, DoDI 8500.01 (Cybersecurity), dated March 14, 2014, speaks to the specific direction for Cybersecurity Risk Management (found in Enclosure 3). It also reinforces the point that Cybersecurity Risk Management is a subset of the overall Risk Management process for all DoD acquisitions. DI-MGMT-81808 (Contractor's Risk Management Plan) would be the DID to use to include the additional risk monitoring you require. Please keep in mind that for Systems Security Engineering (SSE) the Program Protection Plan (PPP—and the associated DID) describes the linkage between system security engineering and the Systems Engineering Plan and answers the question, "How will system security design considerations be addressed?" The Program Protection Plan Outline & Guidance published by OSD is a very good reference tool as well. Chapter 4 of the DAG provides an overview of Systems Security Engineering (SSE) as a key countermeasure, and Section 13.14 further elaborates how to capture Systems Security Engineering (SSE) within Systems Engineering (SE). Thanks for your question and have a wonderful Holiday!
