DoD 8500 – DCDS-1 – Dedicated IA Services

Overview

Acquisition or outsourcing of dedicated IA services such as incident monitoring, analysis and response; operation of IA devices such as firewalls; or key management services is supported by a formal risk analysis and approved by the DoD Component CIO.

Threat

Many dedicated IA services introduce ancillary security and financial risks which may not be readily apparent to organizations.  Formal risk management techniques must be employed to fully understand the scope of implementing IA services.

Guidance

1. Each Component shall adopt or develop a documented formal risk analysis process with which to evaluate the acquisition or outsourcing of dedicated IA services such as incident monitoring, analysis and response; operation of IA devices such as firewalls; or key management services.
2. Minimum factors to consider when evaluating dedicated IA shall include potential cost, schedule and technical risk. Ideally, consideration would be given in terms of the Mission Assurance Categories, provided in DoDI 8500.2 Enclosure 2.3.
3. The risk analysis findings shall be presented to the DoD Component CIO for action.

DoD classifies this control in the subject area of “Security Design and Configuration” with an impact of “Medium”.

Updated on July 16, 2022