Browse by Subject
Browse by Category
I'm reaching out on behalf of the OUSD(R&E) CRWS-BoK team to inform you that version 3.0 of the CRWS-BoK portal (www.crws-bok.org) has been released! Please see the official press release for more info: https://www.cto.mil/news/crws_bok_v3.
Discussion on current policy on Technology Area Protection Plans and Science and Technology (S&T) Protection Plans (STPP). Discussion includes new S&T protection updates to the DAU ACQ 160 course.
DAU Event - Acquisition Topics: Technology Area Protection Plans
Just saw DoDi 5000.90 released and was pleased by the
direct language in it. I, however, am being told that a PM has the
authority to lawfully exercise discretion by allowing a system to proceed out
of CDR with no SSE being addressed and stating otherwise is a disagreement of
policy. Additionally, the PM is able to accept the risk to not
have cybersecurity addressed or considered as part of any design
reviews and because the system is still in development this risk
is not insurmountable and therefore not an issue. Still further
the belief is that If the program completely failed to build any cybersecurity
into the system there would be no danger as the Department of the Army would
review the system, find it deficient, not grant the required IATT or ATO.
It sounds like the Army is stating cybersecurity is optional and there is no
issue with not addressing it till you need an IATT or ATO, if at all. Is
Draft NIST Special Publication (SP) 800-53A, Revision 5, Assessing Security and Privacy Controls in Information Systems and Organizations, provides organizations with a flexible, scalable, and repeatable assessment methodology and assessment procedures that correspond with the controls in NIST SP 800-53, Revision 5. Like previous revisions of SP 800-53A, the generalized assessment procedures provide a framework and starting point to assess the enhanced security requirements and can be tailored to the needs of organizations and assessors. The assessment procedures can be employed in self-assessments or independent third-party assessments.
In addition to the update of the assessment procedures to correspond with the controls in SP 800-53, Revision 5, a new format for assessment procedures in this revision to SP 800-53A is introduced to:
NIST is seeking feedback on the assessment procedures in this publication and in electronic versions (OSCAL, CSV, and plain text), including the assessment objectives, determination statements, and potential assessment methods and objects. We are also interested in the approach taken to incorporate organization-defined parameters into the determination statements for the assessment objectives. To facilitate their review and use by a broad range of stakeholders, the assessment procedures are available for comment and use in PDF format, as well as comma-separated value (CSV), plain text, and Open Security Controls Assessment Language (OSCAL) formats.
The comment period is open through October 1, 2021. See the publication details for a copy of the draft and associated files, and instructions for submitting comments. We encourage you to submit comments using the comment template provided.
Please submit inquiries to [email protected].
NOTE: A call for patent claims is included on page vii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.
ITL Patent Policy:
Alert me of new conversations
Required fields marked with *
Please note that you should expect to receive a response from our team, regarding your inquiry, within 2 business days.