Changelog for the DoD Cybersecurity Policy Chart

The goal of the DoD Cybersecurity Policy Chart is to capture the tremendous breadth of applicable policies, some of which many cybersecurity professionals may not even be aware, in a helpful organizational scheme.

This page highlights and lists the updates to the DoD Cybersecurity Policy Chart.

Click here to view the DoD Cybersecurity Policy Chart.

8 September 2021

# Document Name Change/Justification
1 CNSSP-10 National Policy Governing Use of Approved Security Containers in Information Security Applications New policy document from April 28, 2021 added to the Manage Access subcategory. Document establishes the Policy on the use of approved security containers in Information System Security applications.
2 CNSSP-11 National Policy Governing the Acquisition of Information Technology Products Policy updated July, 9, 2021. This policy governs the acquisition policies regarding national security systems.
3 CNSSP-14 National Policy Governing the Release of IA Products/Services Policy updated May 19, 2021. This policy governs the release of Information Assurance (IA) products and services to U.S. persons or activities that are not part of the federal government.
4 CNSSP-16 National Policy for the Destruction of COMSEC Paper Material Policy updated May 5, 2021. This policy requires departments and agencies to use crosscut shredders that meet the new NSA specification for the destruction of paper-based COMSEC material. It also defines parameters for the use of crosscut shredders currently in inventory until such time as new shredders are obtained.
5 CNSSP-18 National Policy on Classified Information Spillage Policy updated May 19, 2021. This policy applies to the spillage of classified national security information on any IS, be it government or nongovernment systems. It provides a framework for the consistent handling of the spillage of classified national security information.
6 CNSSI-1001 National Instruction on Classified Information Spillage Policy updated June 15, 2021. This instruction establishes the minimum actions required when responding to an information spillage of classified national security information.

24 June 2021

# Document Name Change/Justification
1 White House – President Biden: Executive Order on Improving the Nation’s Cybersecurity New document from 05/12/21 added to the National/Federal subcategory concerning improving cybersecurity capabilities of the nation. Specifically, the administration commits to prioritizing the prevention, detection, assessment, and remediation of cyber incidents.
2 * DoDD 5101.21E DoD Executive Agent for Unified Platform and Joint Cyber Command and Control (JCC2) New document from 06/04/20 added to the Strengthen Cyber Readiness subcategory regarding closing critical cyberspace capability gaps, and ensuring the delivery of resilient, agile, secure, and effective cyberspace capability solutions to the warfighter.

26 May 2021

# Document Name Change/Justification
1 NIST SP 1800-25 Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events New document added to the Strengthen Cyber Readiness subcategory. Published December 2020. Document explores methods to effectively identify assets (devices, data, and applications) that may become targets of data integrity attacks, as well as the vulnerabilities in the organization’s system that facilitate these attacks.
2 CNSSI-4007 Communications Security (COMSEC) Utility Program * Relocated document link from Manage Access to Sustain Missions subcategory
3 DoDD 5144.02 DoD Chief Information Officer Relocated document from Develop and Maintain Trust to Sustain Missions subcategory

27 April 2021

# Document Name Change/Justification
1 CNSSI-4007 Communications Security (COMSEC) Utility Program Relocated document link from Partner for Strength to the Manage Access subcategory
2 DOD Instruction 5000.90, Cybersecurity for acquisition decision authorities and program managers* Change 10 was issued to update the instruction. Originating Component: Office of the Under Secretary of Defense for Acquisition and Sustainment. Added to the Prevent and Delay Attackers and Prevent Attackers from Staying subcategory.
Effective: December 31, 2020
3 Added Directive-type Memorandum 20-004 Enabling Cyberspace Accountability of DoD Components and Information Systems Added this new document link to the Design for the Fight subcategory. November 13, 2020. DTM 20-004, “Enabling Cyberspace Accountability of DoD Components and Information Systems”
4 MOA Between DoD and DHS (Jan. 19, 2017) Relocated document link from Design for the Fight to the Partner for Strength subcategory

19 March 2021

# Document Name Change/Justification
1 Interim National Security Strategic Guidance* The new Administration has issued interim guidance to which all Departments and Agencies should align their actions as the White House team begins work on a new National Security Strategy.
Published: Mar 21
2 National Cyber Strategy Document link fixed.
https://dodcio.defense.gov/Portals/0/Documents/Cyber/ICAM_Strategy.pdf
3 DoD Information Sharing Strategy Document link fixed.
https://dodcio.defense.gov/Portals/0/Documents/InfoSharingStrategy.pdf
4 DoD Identity, Credential, and Access Management (ICAM) Strategy Document link added.
https://dodcio.defense.gov/Portals/0/Documents/Cyber/ICAM_Strategy.pdf
5 NIST SP 800-172: Enhanced Security Requirements for Protecting Controlled Unclassified Information** New Documentation.
https://doi.org/10.6028/NIST.SP.800-172
Published: Feb 21
6 DoDI 5000.02T Operation of the Defense Acquisition System Change 10 published on 31 December 2020. Document link updated.
https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/500002Tp.pdf?ver=2020-09-15-152849-783
7 DoDI 8510.01 Change 3, “Risk Management Framework (RMF) for DoD Information Technology (IT)” Document link updated.
Change 3 Published: 29 Dec 20
8 DoDI 8523.01, “Communications Security” Document link updated.
Reissued: 6 Jan 21
9 DoDI 8581.01 IA Policy for Space Systems Used by the DoD Document removed.
Canceled: Aug 2020

16 March 2021

# Document Name Change/Justification
1 Interim National Security Strategic Guidance* The new Administration has issued interim guidance to which all Departments and Agencies should align their actions as the White House team begins work on a new National Security Strategy.
Published: Mar 21
2 National Cyber Strategy Document link fixed.
https://dodcio.defense.gov/Portals/0/Documents/Cyber/ICAM_Strategy.pdf
3 DoD Information Sharing Strategy Document link fixed.
https://dodcio.defense.gov/Portals/0/Documents/InfoSharingStrategy.pdf
4 DoD Identity, Credential, and Access Management (ICAM) Strategy Document link added.
https://dodcio.defense.gov/Portals/0/Documents/Cyber/ICAM_Strategy.pdf
5 NIST SP 800-172: Enhanced Security Requirements for Protecting Controlled Unclassified Information** New Documentation.
https://doi.org/10.6028/NIST.SP.800-172
Published: Feb 21
6 DoDI 5000.02T Operation of the Defense Acquisition System Change 10 published on 31 December 2020. Document link updated.
https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/500002Tp.pdf?ver=2020-09-15-152849-783
7 DoDI 8510.01 Change 3, “Risk Management Framework (RMF) for DoD Information Technology (IT)” Document link updated.
Change 3 Published: 29 Dec 20
8 DoDI 8523.01, “Communications Security” Document link updated.
Reissued: 6 Jan 21

30 November 2020

# Document Name Change/Justification
1 NIST SP 800-207, Zero Trust Architecture New document added. This document contains an abstract definition of zero trust architecture (ZTA) and gives general deployment models and use cases where zero trust could improve an enterprise’s overall information technology security posture.
Published: August 2020
2 NIST SP 800-209, Security Guidelines for Storage Infrastructure New document added. Comprehensive security recommendations for storage infrastructures. The security focus areas covered in this document not only span those that are common to the entire IT infrastructure—such as physical security, authentication and authorization, change management, configuration control, and incident response and recovery—but also those that are specific to storage infrastructure, such as data protection, isolation, restoration assurance, and data encryption.
Published: 26 October 2020
3 NIST SP 1800-16, Securing Web Transactions: TLS Server Certificate Management New document added. NIST SP 1800-16 describes the TLS certificate management challenges faced by organizations; provides recommended best practices for large-scale TLS server certificate management; describes an automated proof-of-concept implementation that demonstrates how to prevent, detect, and recover from certificate-related incidents; and provides a mapping of the demonstrated capabilities to the recommended best practices and to NIST security guidelines and frameworks.
Published: 06 June 2020
4 NIST SP 800-210, General Access Control Guidance for Cloud Systems New document added. This document presents cloud access control characteristics and a set of general access control guidance for cloud service models: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service).
Published: July 2020
5 DoDD O-5100.19, Critical Information Communications (CRITICOM) System (CAC-required) New document added. Assigns responsibility and prescribes procedures for the establishment of software acquisition pathways IAW Section 800 of Public Law 116-92.
Published: 02 October 2020
6 DoDI 5000.87, Operation of the Software Acquisition Pathway USD(I) was changed to USD(I&S) to reflect office name change.
7 DoDI 5205.83, DoD Insider Threat and Management and Analysis Center (DITMAC) New document added. Enterprise-level capability for managing and analyzing insider threats.
Change 1: 29 October 2020
8 DoDM 3305.09, Cryptologic Accreditation and Certification New document added. Provides accreditation guidance and procedures for DoD education and training institutions that support the cryptologic community.
Change 2: 01 October 2020
9 DoDM 5205.02E, DoD Operations Security (OPSEC) Program Manual New document added. To provide baseline requirements to ensure national security-related missions and functions are protected (to include information systems)
Change 2: 29 October 2020
10 Cybersecurity Maturity Model Certification (CMMC), v. 1.02 New document added. Certification developed to enhance the protection of FCI and CUI within the DIB. Version dated 18 March 2020.

13 October, 2020

# Document Name Change/Justification
1 14 U.S.C. Ch. 7 Replaced with new hyperlink to authoritative source
2 DoDI 8531.01 The link to DoDI 8531.01 mistakenly linked to DoDI 8530.01 and has been fixed.

09 October, 2020

# Document Name Change/Justification
1 Title 14, U.S. Code, Cooperation with Other Agencies Replaced with new hyperlink
2 NIST Special Publication 800-53, Rev. 5, Security and Privacy Controls for Information Systems and Organizations Long awaited and very important update, published September 2020, supersedes Rev. 4
3 CNSSD 507: National Directive for Identity, Credential, and Access Mgmt. Capabilities on the U.S. Federal Secret Fabric Provides a minimum set of requirements for Identity, Credential, and Access Management (ICAM) implementation and management that applies to the Federal Secret Fabric. Updated July 7, 2020.
4 DoD Directive 8140.01, Cyberspace Workforce Management Published October 5, 2020, superseding the earlier version dated August 11, 2015
5 DoD Instruction 8531.01, DoD Vulnerability Management Released on September 15, 2020
6 DoD Data Strategy The DoD Data Strategy supports the National Defense Strategy and Digital Modernization, published October 9, 2020
7 DTM 17-007, Ch. 3, Defense Support to Cyber Incident Response Change 3 issued May 29, 2020

30 July 2020

# Document Name Change/Justification
1 DoDI 8320.02: Sharing Data, Information, and Technology (IT) Services in the Department of Defense Incorporating Change 1, Effective June 24, 2020
SUMMARY OF CHANGE 1. The change to this issuance updates references and organizational titles and removes expiration language in accordance with current Chief Management Officer of the Department of Defense direction.
2 DoD Identity, Credential, and Access Management (ICAM) Strategy ICAM Strategy signed on 17 July 2020
3 MOA Between DoD and DHS Removed “requires CAC” language; CAC no longer required to view MOA.
4 RMF Knowledge Service Italicized to reflect no publicly accessible version available. Available with CAC only.
5 About This Chart Added note to open PDF document directly in a web browser
6 USD(I&S)* USD(I) was changed to USD(I&S) to reflect office name change.

22 June 2020

# Document Name Change/Justification
1 HSPD-12* Updated Link
2 NIST SP 800-37, R1* Replaced by NIST SP 800-37, R2
3 NIST SP 800-163* Replaced by NIST SP 800-163, R1
4 CJCSI 3213.02D, Joint Operations Security* Should be labeled as CJCSI 3213.01D
5 NIST SP 800-34, R1* Updated Link
6 OMB Circular A-130 Updated Link
7 DoD Cybersecurity Risk Reduction Strategy New Policy / Link to Document not publicly available.
8 “About This Chart” Added instructions for how to follow the link to a policy for those whose organizational policies block them from hyperlinking directly from a .pdf document.

29 May 2020

# Document Name Change/Justification
1 National Strategy to Secure 5G New policy added
2 DoD 5G Strategy New policy added
3 N/A Moved Executive Orders and Presidential Directives from “Lead and Govern” to “National/Federal” to make room for new strategies.

1 April 2020

# Document Name Change/Justification
1 NIST Framework for Improving Critical Infrastructure Cybersecurity Updated link
2 Common Criteria Evaluation and Validation Scheme (CCEVS) Updated to reflect change in CCEVS as of February 2020
3 DoDI 5000.02T Operation of the Defense Acquisition System Updated to reflect change in January 2020
4 DoDI 8510.01, Risk Management Framework for DoD IT Updated link
5 Joint Publication 6-0, Joint Communications System Updated link
6 MOA Between DoD and DHS (Jan 19, 2017, requires CAC) Updated link
7 DoDI 8420.01 Commercial WLAN Devices, Systems, and Technologies Updated link
8 DoD O-8530.1-M (CAC req’d) CND Service Provider Certification and Accreditation Program Updated link
9 DoDD 3020.40, Mission Assurance Updated link
10 DoDD 3100.10, Space Policy Updated link
11 Defense Acquisition Guidebook Updated link
12 Title 14, US Code, Cooperation With Other Agencies (Ch. 7) Updated link
13 NISTIR 7298, Rev. 3, Glossary of Key Information Security Terms Updated link to point to Rev. 3.
14 NIST SP 800-125A, R1, Security Recommendations for Hypervisor Platforms Updated link
15 NIST SP 800-88, R1,Guidelines for Media Sanitization New policy added

13 March 2020

# Document Name Change/Justification
1 NIST SP 800-171, R2 Protecting CUI in Nonfederal Systems and Organizations Superseded R1 of NIST SP 800-171 on 21 Feb 2020
2 DoDI 5200.48 Controlled Unclassified Information(CUI) New issuance, cancels DoD 5200.01 Volume 4. Issued 6 Mar 2020.
3 NIST SP 800-63 series Digital Identity Guidelines NIST SP 800-63-3, 800-63A, 800-63B, and 800-63C were all updated on 2 Mar 2020

19 February 2020

# Document Name Change/Justification
1 DoDI 8170.01, Online Information Management and Electronic Messaging Updated hyperlink

18 February 2020

# Document Name Change/Justification
1 DoDD 8140.01, Cyberspace Workforce Management Updated hyperlink
2 DoDI 8170.01, Online Information Management and Electronic Messaging Supersedes DoD Instruction 8550.01, “DoD Internet Services and Internet-Based Capabilities,” September 11, 2012 (which was removed from the chart)
3 Joint Special Access Program (SAP) Implementation Guide (JSIG) Updated hyperlink

29 January 2020

# Document Name Change/Justification
1 CNSSI-5002, Telephony Isolation Used for Unified Communications Implementations within Physically Protected Spaces Supersedes CNSSI No. 5002, National Information Assurance (IA) Instruction for Computerized Telephone Systems (February 2012) on December 18, 2019.
2 DTM 17-007, Defense Support to Cyber Incident Response Updated hyperlink

17 December 2019

# Document Name Change/Justification
1 NIST SP 800-34, R1 Contingency Planning Guide for Federal Information Systems New addition to chart to address contingency planning.*
2 NIST SP 800-82, R2 Guide to Industrial Control Systems (ICS) Security New addition to chart to address ISC cybersecurity.*
3 DoDI 8582.01, Security of Non-DoD Information Systems Processing Unclassified Nonpublic DoD Information Policy was updated on 9 Dec 2019.
4 UFC 4-010-06, Cybersecurity of Facility-Related Control Systems New addition to chart to address cybersecurity issues for facility-related control systems.*
5 Security Technical Implementation Guides (STIGs) Hyperlink updated to link to DISA’s updated website and new URL.†
6 Security Configuration Guides (SCGs) Hyperlink updated to link to NSA’s updated website and new URL.
7 NSA IA Guidance New addition to the chart includes 123 “security tip” documents for mitigating cyber risk

27 November 2019

# Document Name Change/Justification
1 CNSSD 506, National Directive to Implement PKI on Secret Networks New addition to the Policy Chart
2 CNSSD 520, The Use of Mobile Devices to Process National Security Information Outside of Secure Spaces New addition to the Policy Chart

30 October 2019

# Document Name Change/Justification
1 DoDI 5205.13 Defense Industrial Base (DIB) Cyber Security (CS) / IA Activities Change 2 issued on 21 August 2019
2 DoDI 8500.01, Cybersecurity Change 1 issued on 7 Oct 2019
3 NIST 800-128, Guide for Security-Focused Configuration Management of Information Systems Updated 10 October 2019
4 NIST 800-160, Vol. 1, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems Added to the chart to reflect the increasing importance of this topic.
5 FIPS Pub 140-3, Security Requirements for Cryptographic Modules Superseded FIPS Pub 140-2. FIPS 140-3 was published on 22 Mar 2019, but didn’t officially become effective under the implementation schedule until 22 Sep 2019.

25 October 2019

# Document Name Change/Justification
1 DoDI 5205.13 Defense Industrial Base (DIB) Cyber Security (CS) / IA Activities Change 2 issued on 21 August 2019
2 DoDI 8500.01, Cybersecurity Change 1 issued on 7 Oct 2019
3 NIST 800-128, Guide for Security-Focused Configuration Management of Information Systems Updated 10 October 2019
4 NIST 800-160, Vol. 1, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems Added to the chart to reflect the increasing importance of this topic.

23 July 2019

# Document Name Change/Justification
1 DoD Digital Modernization Strategy Added this new Strategy released on 12 July 2019
2 DoDM O-5205.13, Defense Industrial Base (DIB) Cybersecurity (CS) Program Security Classification Manual (SCM) Change 1 issued on 14 Jun 2019. (Note: This document requires a DoD PKI certificate for access.)
3 Directive-Type Memorandum (DTM) 17-007 – “Interim Policy and Guidance for Defense Support to Cyber Incident Response” Change 2 issued on 6 Jun 2019

22 May 2019

# Document Name Change/Justification
1 EO 13873: Securing the Information and Communications Technology and Services Supply Chain Added this new Executive Order signed 15 May 2019
2 EO 13800: Strengthening Cybersecurity of Fed Nets and CI Updated link to the Federal Register’s permalink
3 EO 13636: Improving Critical Infrastructure Cybersecurity Updated link to the Federal Register’s permalink
4 NIST SP 800-163, Vetting the Security of Mobile Applications Added this new publication, published on 19 Apr 2019
5 DoD Information Technology Environment Strategic Plan Moved from the Lead and Govern block to the National/Federal block to make room for the new Executive Order.
6 Cybersecurity Policy Chart Updated the red text in the bottom center of the chart to reflect the new location that DTIC established for updated versions of the chart.

28 February 2019

# Document Name Change/Justification
1 2019 National Intelligence Strategy Added this updated strategy
2 Department of Defense (DoD) Cloud Strategy Added this new strategy
3 Summary of the 2018 DoD Artificial Intelligence Strategy Added an unclassified summary of this new strategy
4 CYBERCOM Orders The Operational section of the chart removed older references to STRATCOM policies and has replaced it with a reference to CYBERCOM orders and JFHQ-DODIN orders. Neither is hyperlinked because these orders are not available to the public.
5 JFHQ-DODIN Orders See above

15 January 2019

# Document Name Change/Justification
1 CJCSI 5123.01H, Charter of the JROC and Implementation of the JCID As of 18 Aug 2018, CJCSI 5123.01H stated that “CJCSI 3170.01 Series, “Joint Capabilities Integration and Development System (JCIDS),” is hereby canceled, with content moved to Enclosure D of this CJCSI.”
2 Department of Defense (DoD) Joint Special Access Program (SAP) Implementation Guide (JSIG) Policy added to chart to expand coverage to JSAP.

7 January 2019

# Document Name Change/Justification
1 DoDI 5200.39, Critical Program Information (CPI) Identification and Protection Within Research, Development, Test, and Evaluation (RDT&E) Added per the suggestion of Ms. Creel of the CERT Division, Software Engineering Institute, Carnegie Mellon University.

5 December 2018

# Document Name Change/Justification
1 CJCSI 3170.01, Joint Capabilities Integration and Development System (JCIDS) Manual was converted to a “living document” available at the new hyperlink
2 UCP Unified Command Plan Updated link to unclassified site that identifies the 10 Combatant Commands and provides information on each.

25 September 2018

# Document Name Change/Justification
1 National Cyber Strategy Replaces the 2003 National Cyber Strategy.
2 2018 DoD Cyber Strategy Update to the 2015 DoD Cyber Strategy. It was signed on 27 July, but a publicly accessible, unclassified summary became available on 18 Sep. The hyperlink is to the unclassified summary.
3 CNSSP-28, “Cybersecurity of Unmanned National Security Systems,” 6 July 2018 New policy.
4 DoDI 8560.01, “Communications Security (COMSEC) Monitoring,” 22 Aug 2018 Incorporated and canceled DoD Instruction 8560.01, “Communications Security (COMSEC) Monitoring and Information Assurance (IA) Readiness Testing,” October 9, 2007.
5 DoD Cybersecurity Policy Chart Added additional CSIAC contact information to the upper left corner of the chart.

14 August 2018

# Document Name Change/Justification
1 2018 DoD Cyber Strategy Update to the 2015 DoD Cyber Strategy. It was signed on 27 July, but a publicly accessible version is not yet available, so the name is italicized in the chart indicating no public-facing hyperlink is available.
2 CNSSI-5000, Annex I, Voice Over Secure Internet Protocol (VoSIP) Annex released on 21 June 2018.

12 June 2018

# Document Name Change/Justification
1 Directive-Type Memorandum (DTM) 17-007 – “Interim Policy and Guidance for Defense Support to Cyber Incident Response” NIST Released NIST SP 800-126, R3, SCAP 1.3 on 14 Feb 2018
2 CJCSI 6510.02E, Cryptographic Modernization Plan Updated from CJCSI 6510.02D
3 CJCSM 3213.02D, Joint Staff Focal Point Updated from CJCSM 3213.02C
4 NIST SP 800-171, R1, Protecting CUI in Nonfederal Systems and Organizations Rev. 1 final release date was 6/7/2018.
5 NIST SP 800-125A, R1, Security Recommendations for Hypervisor Platforms Rev. 1 final release date was 6/7/2018.
6 National Security Strategy Moved from National/Federal to Organize/Lead and Govern

9 April 2018

# Document Name Change/Justification
1 NIST SP 800-126, R2 SCAP 1.2 NIST Released NIST SP 800-126, R3, SCAP 1.3 on 14 Feb 2018
2 NIST SP 800-171 NIST Released NIST SP 800-171, R1, on 20 Feb 2018
3 NIST SP 800-125A Added NIST SP 800-125A, Security Recommendations for Hypervisor Deployment on Servers, 23 Jan 2018
4 DoD Directive 3020.26, “Department of Defense Continuity Programs,” January 9, 2009, as amended Reissued and canceled by DoDD 3026, DoD Continuity Policy, 14 Feb 2018
5 CJCSI 3170.01I, Joint Capabilities Integration and Development System (JCIDS) Updated link.
6 Stored Communications Act, 18 USC §2701 et seq. The Stored Communications Act was amended by the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which was passed as part of the Consolidated Appropriations Act of 2018, signed into law on 23 March 2018. NOTE: The link to the Government Publishing Office’s text of the law currently does not reflect these most recent changes, nor does the House of Representatives official United States Code website. Both are expected to be updated after some time.

1 February 2018

# Document Name Change/Justification
1 2017 National Defense Strategy Released on 19 January 2018, it replaces the 2012 National Defense Strategy. Since the National Defense Strategy is classified, the link is to the unclassified summary.
2 Quadrennial Defense Review Removed from chart, based on the 2017 National Defense Authorization Act (NDAA), which replaced the legislative foundation of the Quadrennial Defense Review with requirements to be included in a National Defense Strategy.
3 Strategic Instruction (SI) 527-01 DoD INFOCON System Procedures, 27 March 2015 Superseded SD 527-01, 27 Jan 2006.
4 NIST Framework for Improving Critical Infrastructure Cybersecurity Updated broken link.
5 CJCSM 6510.02, Information Assurance Vulnerability Management Program Added this older policy to the chart. Policy is in italics because it is FOUO and so no publicly accessible link can be provided.

8 January 2018

# Document Name Change/Justification
1 EO 13636: Improve Critical Infrastructure Cybersecurity Corrected link to Document.
2 The DoD Cybersecurity Policy Chart Changed the gray/white background/text combos to gray/black.

18 December 2017

# Document Name Change/Justification
1 2017 National Security Strategy Released on 18 December 2017, it replaces the 2015 National Security Strategy.

13 December 2017

# Document Name Change/Justification
1 DoDI 8310.01 Information Technology Standards in the DoD Added to chart
2 EO 13636: Improving Critical Infrastructure Cybersecurity Corrected Link to document
3 DoDI 8582.01 Security of Unclassified DoD Information on Non-DoD Info Systems Policy updated by DoDI 8310.01
4 NSTISSI 7003 Protective Distribution Systems Changed to CNSSI 7003, Protected Distribution Systems

6 November 2017

# Document Name Change/Justification
1 NIST SP 800-18, Rev 1 Corrected Link to document

3 November 2017

# Document Name Change/Justification
1 ASD(NII)/DoD CIO Memo on Use of Peer-to-Peer File Sharing Applications Removed, was canceled by DoDI 8500.01, Cybersecurity
2 CNSSI-4001 Added link.
3 CNSSI-4005 Added link.
4 CNSSP-16 Added link.
5 DoDD 3020.40 Updated link.
6 DoDI 5200.01 Updated link.
7 DoDI 8320.02 Corrected link.
8 DoDI 8551.01 Updated link.
9 Ethics Regulations Updated link.
10 E. O. 13800 Added.
11 FIPS 140-2 Updated link.
12 FIPS 199 Updated link.
13 FIPS 200 Updated link.
14 ICD 503 Updated link.
15 NISTR 7693 Updated link.
16 NIST SP 800-18, Rev 1 Updated link.
17 NIST SP 800-39 Updated link.
18 NIST SP 800-59 Updated link.
19 NIST SP 800-60, Vol 1, Rev 1 Updated link.
20 NIST SP 800-92 Updated link.
21 NIST SP 800-126, Rev 2 Updated link.
22 NIST SP 800-128 Updated link.
23 NIST SP 800-137 Updated link.
24 NIST SP 800-153 Updated link.
25 NSTISSI-4003 Changed to CNSSI 4003 and added link.
26 NSTISSI-4006 Changed to CNSSI 4006 and added link.
27 OMB A-130 White House temporarily moved many policies to the Obama White House archives site, though these appear to be in full force unless or until formally rescinded or superseded.
28 Security Configuration Guides Updated link.

15 Aug 2017

# Document Name Change/Justification
1 DoDD 8000.01 Change issued 27 July 2017 to include US Coast Guard in applicability paragraph and make other administrative updates.
2 DoDD 8140.01 Change issued 31 July 2017 to include US Coast Guard in applicability paragraph and make other administrative updates.
3 DoDI 8510.01 Change issued 28 July 2017 to include US Coast Guard in applicability paragraph and make other administrative updates.
4 DoDI 8520.03 Change issued 27 July 2017 to include US Coast Guard in applicability paragraph and make other administrative updates.
5 DoDI 8530.01 Change issued 25 July 2017 to include US Coast Guard in applicability paragraph and make other administrative updates.
6 DoDI 8551.01 Change issued 27 July 2017 to include US Coast Guard in applicability paragraph and make other administrative updates.
7 MOA Between DoD & DHS MOA signed 19 January 2017 regarding Department of Defense and U.S. Coast Guard cooperation on cybersecurity and cyberspace operations.

30 Jun 2017

# Document Name Change/Justification
1 All DoDDs, DoDIs, DoDMs, and other DoD issuances 46 hyperlinks changed to reflect the movement of the official DoD Issuances website to a new URL.
2 DoD Acquisition Guidebook Hyperlink changed to reflect updated URL for the DAG. Link is to Chapter 9, which is the deepest link permitted, but subpart 3.2.2, Risk Management Framework for DoD IT is the pertinent reference.

05 Jun 2017

# Document Name Change/Justification
1 National Strategy for Information Sharing and Safeguarding (2012) Updated link:
https://obamawhitehouse.archives.gov/sites/default/files/rss_viewer/internationalstrategy_cyberspace.pdf
2 U.S. International Strategy for Cyberspace (2011) Updated link:
https://obamawhitehouse.archives.gov/sites/default/files/rss_viewer/internationalstrategy_cyberspace.pdf
3 25 Point Implementation Plan to Reform Federal IT Management (2010) Removed.
4 NIST Framework for Improving Critical Infrastructure Cybersecurity (2014) Updated link:
https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
5 National Defense Strategy (NDS) (2012) Updated broken link:
http://www.acqnotes.com/Attachments/2012%20National%20Defense%20Strategy.pdf
6 IA Component of the GIG Integrated Architecture, Version 1.1 (2002) Removed.
7 Alignment Framework for the GIG IA Architecture (AFG) Version 1.1 (2002) Removed.
8 IATF Release 3.1 Information Assurance Technical Framework (2002) Removed.
9 DoDI 5000.02 Operation of the Defense Acquisition System (2017) Updated broken link:
http://www.dtic.mil/whs/directives/corres/pdf/500002_dodi_2015.pdf
10 DoD CIO Memo (2011) Interim Guidance on Networthiness of IT Connected to DoD Networks Removed.
11 DoD CIO G&PM 12-8430 (2001) Acquiring Commercial Software Removed.
12 NSTISSI-4000 to: CNSSI-4000 Maintenance of Communications Security (COMSEC) Equipment (2012) Link Broken/Document Type Changed:
https://www.cnss.gov/CNSS/issuances/Instructions.cfm
13 ICD 503 IC Information Technology Systems Security Risk Management Updated link:
https://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives
14 OMB M-05-24 Implementation of HSPD-12 Removed.
15 From NSTISSI to CNSSI 4001 Controlled Cryptographic Items (2013) Document Type Change/Updated link:
https://www.cnss.gov/CNSS/issuances/Instructions.cfm
16 DoDI 5200.01 Dod Information Security Program And Protection Of Sensitive Compartmented Information (SCI) (2016) Updated broken link:
http://www.dtic.mil/whs/directives/corres/pdf/520001p.pdf
17 DoD Information Sharing Strategy (2007) Updated broken link:
http://dodcio.defense.gov/Portals/0/Documents/DIEA/InfoSharingStrategy.pdf
18 ASD(NII)/DoD CIO Memo Use of Peer-to-Peer File Sharing Applications Across DoD Removed. This Memo was canceled by DoDI 8500.01, Cybersecurity
19 CJCSI 6211.02D Defense Information System Network (DISN) Responsibilities (2012) Updated broken link:
http://www.jcs.mil/Portals/36/Documents/Library/Instructions/6211_02a.pdf?ver=2016-02-05-175050-653
20 CJCSM 6510.01B Cyber Incident Handling Program (2014) Updated broken link:
http://www.jcs.mil/Portals/36/Documents/Library/Manuals/m651001.pdf?ver=2016-02-05-175710-897
21 CJCSI 6510.01F Information Assurance (IA) And Support To Computer Network Defense (CND) (2015) Updated broken link:
http://www.jcs.mil/Portals/36/Documents/Library/Instructions/6510_01.pdf?ver=2016-02-05-175054-497
22 NSTISSD-600 Communications Security Monitoring (1990) Added link:
https://www.cnss.gov/CNSS/issuances/Directives.cfm
23 DoDD 3020.40 Mission Assurance (MA) (2016) Ttitle and Link Updated:
http://www.dtic.mil/whs/directives/corres/pdf/302040_dodd_2016.pdf
24 DoDI 8581.01 Information Assurance (IA) Policy for Space Systems Used by the Department of Defense (2010) Keep
25 DoDD S-5100.44 and DoDD S-3710.01 Replacement/Updated Link. Replaced DoDD S-5100.44, Defense and National Leadership Command Capability (DNLCC) with DoDD S-3710.01, National Leadership Command Capability (NLCC)
New link:
http://www.dtic.mil/whs/directives/corres/pdf/S371001_placeholder.pdf
26 CNSSP-300 National Policy on Control of Compromising Emanations (2006) Updated broken link:
https://www.cnss.gov/CNSS/issuances/Policies.cfm
27 CNSSI-4004.1 Destruction and Emergency Protection Procedures for COMSEC and Classified Material (2008) Updated broken link:
https://www.cnss.gov/CNSS/issuances/Instructions.cfm
28 Defense Acquisition Guidebook Sect 7.5 Information Assurance (2013) and the DAG (2016) Replaced/Updated Link. Replaced Defense Acquisition Guidebook Sect 7.5 Information Assurance (2013) with the DAG (2016)
New link:
https://dap.dau.mil/glossary/pages/178.aspx?scroll=0
29 2015 National Security Strategy Updated broken link:
http://www.jcs.mil/Portals/36/Documents/Publications/2015_National_Military_Strategy.pdf
30 NSD 42 Updated link:
https://www.cnss.gov/cnss/assets/authorities/NSD-42.pdf
31 OMB A-130 (2016) Updated broken link:
https://www.federalregister.gov/documents/2016/07/28/2016-17872/revision-of-omb-circular-no-a-130-managing-information-as-a-strategic-resource
32 CNSSI 4009 Committee on National Security Systems (CNSS) Glossary (2015) Updated Title.
33 Security Configuration Guides (SCGs) Consider Deleting. Current link takes you to “Media Destruction Guidance”. A search of the term SCG nets many different websites. Is there a particular site to reference?
34 Security Reference Review Scripts  Consider Deleting/Broken Link. A search of the term SCG nets many different websites. Is there a particular site to reference?
35 Component—Level Policy Consider Deleting/Broken Link. This is too vague considering that everything on the chart has specific references.

21 Aug 2016

# Document Name Change/Justification
1 Presidential Policy Directive 41: United States Cyber Incident Coordination New PPD issued.
2 CJCSI 6212.01F Net Ready Key Performance Parameter Canceled by CJCSI 5123.01G, 12 Feb 15
3 DoD 5220.22-M, Ch. 2 National Industrial Security Program Operating Manual (NISPOM) Change 2 published May 18, 2016. Updated link.
4 DoDD 8000.01 Management of the DOD Information Enterprise Policy and link updated.
5 DoDD 8521.01E Department of Defense Biometrics Updated link.
6 DoDI O-8530.1 Superseded by DoDI 8530.01, link updated.
7 DoDI O-8530.2 Superseded by DoDI 8530.01, link updated.
8 DoDI 5200.01 DoD Information Security Program and Protection of SCI Added as a new policy based on recent update.
9 DoDI 5200.08 Change 3 issued, link updated.
10 SP 800-30, Rev. 1, Guide for Conducting Risk Assessments Moved to:
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
11 SP 800-126 Rev. 2, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2 Moved to:
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-126r2.pdf
12 SP 800-128, Guide for Security-Focused Configuration Management of Information Systems (August 2011) Moved to:
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-128.pdf
13 SP 800-137, Information Security Continuous http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf

27 Oct 2015

# Document Name Change/Justification
1 National Strategy for Information Sharing and Safeguards Updated link:
https://www.whitehouse.gov/sites/default/files/docs/2012sharingstrategy_1.pdf
2 Quadrennial Defense Review Report Updated link:
http://archive.defense.gov/pubs/2014_Quadrennial_Defense_Review.pdf
3 National Defense Strategy Updated link:
http://www.defense.gov/Portals/1/Documents/pubs/2008NationalDefenseStrategy.pdf
4 DoD Cyber Strategy Updated link:
http://www.defense.gov/Portals/1/features/2015/0415_cyber-strategy/Final_2015_DoD_CYBER_STRATEGY_for_web.pdf
5 DoD Strategy for Operating in Cyberspace Removed as superseded by the DoD Cyber Strategy
6 National Military Strategic Plan for the War on Terrorism Updated link:
https://digitalndulibrary.ndu.edu/cdm/compoundobject/collection/strategy/id/9695/rec/8
7 Title 44 – Federal Information Security Modernization Act (Ch. 35) Updated link to reflect the amendments effected by the Federal Information Security Modernization Act to amend the Federal Information Security Management Act.
Updated link:
https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf
8 CNSSI 1300 De-italicized to show that a publicly accessible link is available at:
https://www.cnss.gov/CNSS/issuances/Instructions.cfm
9 DFARS Subpart 208.74 Updated link:
http://www.acq.osd.mil/dpap/dars/dfars/html/current/208_74.htm
10 DoDD 8570.01 Directive was superseded by 8140.01.
11 DoDD 5000.02 Updated broken link:
http://www.dtic.mil/whs/directives/corres/pdf/500002p.pdf
12 CJCSI 6211.02D Updated link:
http://www.dtic.mil/cjcs_directives/cdata/unlimit/6211_02a.pdf

15 Aug 2015

# Document Name Change/Justification
1 National Military Strategy (NMS) Link updated to 2015 NMS:
http://www.jcs.mil/Portals/36/Documents/Publications/National_Military_Strategy_2015.pdf
2 National Security Strategy (NSS) 2015 NSS added:
https://www.whitehouse.gov/sites/default/files/docs/2015_national_security_strategy_2.pdf
3 National Military Strategy for Cyberspace Operations (NMS-CO) Updated link:
http://nsarchive.gwu.edu/NSAEBB/NSAEBB424/docs/Cyber-023.pdf
4 DoDD 8140.01 Cyberspace Workforce Management Signed 11 Aug 2015, cancelled DoD Directive 8570.01, “Information Assurance (IA) Training, Certification, and Workforce Management,” August 15, 2004, as amended.
5 DoDI 8330.01 Interoperability of IT and National Security Systems (NSS) Correct spacing in title.
6 CJCSI 3170.01H Joint Capabilities Integration and Development System (JCIDS) Updated to CJCSI 3170.01I:
https://dap.dau.mil/policy/Documents/2015/CJCSI_3170_01I.pdf
7 Presidential Memo, “Classified Information and Controlled Unclassified Information, “27 May 09” Memo withdrawn. Removed from chart.
8 FAR Federal Acquisition Regulation Updated link:
https://www.acquisition.gov/?q=browsefar

24 Apr 2015

# Document Name Change/Justification
1 The DoD Cyber Strategy New Issuance, 23 Apr 2015
2 Comprehensive National Cybersecurity Initiative Removed
3 DoDI S-5240.23, Counterintelligence (CI) Activities in Cyberspace Added new link to aid those with SIPRNet access to find document.
4 DoDI S-5200.16, Objectives and Min Stds for COMSEC Measures used in NC2 Comms Added new link to aid those with SIPRNet access to find document.
5 DoDD S-5100.44, Defense and National Leadership Command Capability (DNLCC) Added new link to aid those with SIPRNet access to find document.
6 DoDD O-5100.30, Department of Defense (DoD) Command and Control (C2) Superseded by DoD DoDD 3700.01, DoD Command and Control (C2) Enabling Capabilities
7 DoDD O-8530.1, Computer Network Defense (CND) Added new link to aid those with a DoD PKI cert to access this document.
8 DoDI O-8530.2, Support to Computer Network Defense (CND) Added new link to aid those with a DoD PKI cert to access this document.
9 DoD O-8530.1-M, CND Service Provider Certification and Accreditation Program Added new link to aid those with a DoD PKI cert to access this document.

17 Feb 2015

# Document Name Change/Justification
1 Executive Order 13691, Promoting Private Sector Cybersecurity Information Sharing New Issuance, 13 Feb 2015
2 National Security Strategy New Issuance, Feb 2015
3 NIST SP – 800-37 Rev 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach New link includes updates as of 6 May 2014
4 SP 800-61 Rev. 2, Computer Security Incident Handling Guide Updated link
5 FIPS 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors Superseded by FIPS 201-2, Personal Identity Verification (PIV) of Federal Employees and Contractors
6 DoD Defending Networks, Systems, and Data Strategy New direct link
7 DoD Cyber, Identity & Information Assurance Strategic Plan Updated link
8 National Military Strategy Updated link
9 CNSSAM IA 1-10, Reducing Risk of Removable Media in NSS Updated link
10 CNSSI-1300, Instructions for NSS PKI X.509SP Updated link
11 DoDI 5000.02, Operation of the Defense Acquisition System Updated link
12 DoD CIO Memo Interim Guidance on Networthiness of IT Connected to DoD Networks Updated link
13 NSSMOA between DoD CIO and ODNI CIO Establishing Net-Centric Software Licensing Agreements Updated link
14 Title 44 – Federal Information Security Mgt Act, (§3541 et seq) Updated link
15 NSTISSI-4002 Classification Guide for COMSEC Information Removed to make room for new E.O. 13691 (the NSTISSI-4002 did not have a public-facing link anyway)
16 Security Technical Implementation Guides (STIGs) Updated link
17 About this chart box Updated the text