Where can I find Cybersecurity SOO language for an acquisition program?
It is very hard to find a single repository that has specific SOO language since cybersecurity is such a broad subject area. The applicable cybersecurity requirements depend on the type of service and/or product being requested, where it is in the acquisition lifecycle, whether this is a follow-on/upgrade/replacement or a new initiative that affects a system/network/component, etc.
The Statement of Objectives (SOO) should contain, at a minimum, the following FARS/DFARS statements:
* Subpart 204.73 Safeguarding covered defense information and cyber incident reporting (revised Oct 2016)
* 252.204-7008 Compliance with Safeguarding Covered Defense Information Controls (Oct 2016)
* 252.204-7009 Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information (Oct 2016)
* 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting (Oct 2016)
* 252.239-7009 Representation of Use of Cloud Computing (Sep 2015)
* 252.239-7010 Cloud Computing Services (Oct 2016)
Key Guidance Documents:
* DFARS Procedures, Guidance, and Information (PGI) - PGI 204.73 Safeguarding Covered Defense Information and Cyber Incident Reporting (Sep 2015)
* Cloud Computing SRG v1r2 (March 2016)
Other DoD/Best Practices to consider:
* DoDI 8500.01
* DoDI 8510.01
* NIST SP 800-39
* NIST SP 800-37
* NIST SP 800-53 & 53A
* NIST SP 800-137
* NIST SP 800-60
* NIST SP 800-160
* CNSSP 22
* CNSSI 1253
* CNSS 4009
Other key areas to consider:
* Supply Chain Risk Management (SCRM)
* Software Assurance (SwA)
Another reference tool to consider is the Cybersecurity and Acquisition Lifecycle Integration Tool (CALIT), located at the knowledge sharing website: https://acc.dau.mil/CommunityBrowser.aspx?id=740975.
DAU can support you and work with the applicable organization via a Selected Acquisition Workshop (SAW) or a tailored workshop to determine the most relevant, effective, and efficient cybersecurity requirements to support the required acquisition strategy.