  • Question

    Where can I find Cybersecurity SOO language for an acquisition program?


    It is very hard to find a single repository that has specific SOO language, since cybersecurity is such a broad subject area. The applicable cybersecurity requirements depend on the type of service and/or product being requested, where the program is in the acquisition lifecycle, whether this is a follow-on/upgrade/replacement or a new initiative that affects a system/network/component, etc.
    The Statement of Objectives (SOO) should contain, at a minimum, the following FAR/DFARS statement:
    DFARS Clauses:
    Subpart 204.73 Safeguarding Covered Defense Information and Cyber Incident Reporting (revised Oct 2016)
    252.204-7008 Compliance with Safeguarding Covered Defense Information Controls (Oct 2016)
    252.204-7009 Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information (Oct 2016)
    252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting (Oct 2016)
    252.239-7009 Representation of Use of Cloud Computing (Sep 2015)
    252.239-7010 Cloud Computing Services (Oct 2016)
    Key Guidance Documents:
    DFARS Procedures, Guidance, and Information (PGI) - PGI 204.73 Safeguarding Covered Defense Information and Cyber Incident Reporting (Sep 2015)
    Cloud Computing SRG v1r2 (March 2016)
    Other DoD/Best Practices to consider:
    DoDI 8500.01
    DoDI 8510.01
    NIST SP 800-39
    NIST SP 800-37
    NIST SP 800-53 & 53A
    NIST SP 800-137
    NIST SP 800-60
    NIST SP 800-160
    CNSSP 22
    CNSSI 1253
    CNSS 4009
    Other key areas to consider:
    Supply Chain Risk Management (SCRM)
    Software Assurance (SwA)
    Another reference tool to consider is the Cybersecurity and Acquisition Lifecycle Integration Tool (CALIT), located at the knowledge sharing website.
    DAU can support you and work with the applicable organization via a Selected Acquisition Workshop (SAW) or a tailored workshop to determine the most relevant, effective, and efficient cybersecurity requirements to support the required acquisition strategy.
