What are the requirements to do a Cybersecurity Strategy for a program that is already in the sustainment phase of the acquisition phase?
There are no statutory, regulatory, or policy requirements that DAU is aware of that require a program office to transition the Information Assurance Plan to a Cybersecurity Strategy if there are no DoDI 5000.02 acquisition milestones remaining for the effort. The Authorizing Official (AO) for the system may, however, request a Cybersecurity Strategy as part of the system's reaccreditation artifacts.
The program office is reminded that with the transition from DIACAP to RMF, it must establish a Continuous Monitoring Strategy/Plan that addresses cybersecurity requirements for the system in the sustainment phase of the lifecycle. This must include regular/periodic threat assessment, assessment of the cybersecurity posture of the fielded system and support systems versus the current threat, a plan for engagement with the program office engineering and management team for any identified susceptibilities/vulnerabilities, plans for periodic cybersecurity testing, patching/flaw remediation plans, and a structure for engagement with system configuration management efforts to ensure the security posture of the system is maintained. This information, along with the program's plan for following the RMF process for reaccreditation, forms the cybersecurity strategy for the system.