Changelog for the DoD Cybersecurity Policy Chart

The goal of the DoD Cybersecurity Policy Chart is to capture the tremendous breadth of applicable policies, some of which many cybersecurity professionals may not even be aware, in a helpful organizational scheme.

This page highlights and lists the updates to the DoD Cybersecurity Policy Chart.

Click here to view the DoD Cybersecurity Policy Chart.

29 March 2024

#	Document Names	Change/Justification
1	The NIST Cybersecurity Framework (CSF) 2.0 (Feb 26, 2024))	The NIST Cybersecurity Framework (CSF) 2.0 provides updated guidance to industry, government agencies, and other organizations to manage cybersecurity risks. When compared to CSF 1.1, CSF 2.0 adds the “Govern” function to the existing five functional areas, expands coverage beyond critical infrastructure to all areas, includes supply chain security, and enhances customizability for tailored implementation strategies.
2	Defense Industrial Base (DIB) Cybersecurity Strategy 2024 (March 21, 2024)	This strategy is designed to strengthen DoD governance structure for DIB Cybersecurity, enhance the Cybersecurity posture of DIB contractors, preserve the resiliency of critical DIB capabilities in a cyber-contested environment, and improve collaboration with numerous components, program managers (PMs), and DIB.
3	Executive Order (EO) 14117: Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (Feb 28, 2024)	The Executive Order (EO) calls for the Department of Justice (DOJ) to promulgate regulations to prevent the large-scale transfer of sensitive personal data and US Government-related data to "countries of concern,” as defined in the EO. This EO recognizes that disclosure of sensitive personal data may rise to a national security issue in some cases.
4	Directive-type Memorandum (DTM) 24-001 – “DoD Cybersecurity Activities Performed for Cloud Service Offerings” (Feb 27, 2024)	Focusing on Cloud Service Offerings (CSOs), this DTM establishes policy, assigns responsibilities, and provides procedures for cybersecurity and defensive cyberspace operations (DCO) activities that are performed by a cybersecurity service provider (CSSP), DoD entity, or commercial entity on behalf of the mission owner or authorizing official.
5	Miscellaneous Changes	Set new indicator for updated hyperlinks (dotted lines) to avoid confusion with updated/new policies. *Revised language in “About this Chart” section to be clearer and more concise.

*Hat tip to Nathan Skoglund for assistance in identifying this issue.

28 February 2024

#	Document Names	Change/Justification
1	DoD Instruction 5200.44: Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (Feb 16, 2024)	This instruction supersedes the existing version of DoD Instruction 5200.44, “Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN),” published November 5, 2012. The updated instruction implements the DoD’s trusted systems and networks (TSN) strategy through program protection and cybersecurity implementation to provide uncompromised weapon and information systems, with a focus on supply chain risk management measures.
2	STIGS, SRGS, and TCGs	Added Tenant Configuration Guides (TCGs), which address Microsoft 365 tenant configuration requirements.
3	General Document Review	Reviewed policy chart for broken and out-of-date links; documents with updated links are highlighted with red boxes.

09 January 2024

#	Document Names	Change/Justification
1	2023 Department of Defense Data, Analytics, and Artificial Intelligence Adoption Strategy	This DoD Strategy, released in November 2023, supersedes and replaces the 2020 DoD Data Strategy and the 2019 DoD AI Strategy in the Policy Chart.
2	2023 National Intelligence Strategy	This Strategy replaces the 2019 National Intelligence Strategy in the Policy Chart.
3	2022 National Military Strategy	This Strategy, posted in May 2023, replaces the existing 2018 National Military Strategy in the Policy Chart.
4	NIST SP 800-221 Enterprise Impact of Information and Communications Technology Risk: Governing and Managing ICT Risk Programs Within an Enterprise Risk Portfolio	Posting this NIST Special Publication, published in November 2023, to the Policy Chart. This document is intended to help individual organizations within an enterprise improve their ICT risk management (ICTRM). This can enable enterprises and their component organizations to better identify, assess, and manage their ICT risks in the context of their broader mission and business objectives.
5*	(Removal of) DoD 8570.01M Information Assurance Workforce Improvement Program	Removed DoD 8570.01M from the Policy Chart as it was superseded by DoDM 8140.03 Cyberspace Workforce Qualification and Management Program, effective February 15, 2023.
6**	Color Key box	Fixed several links in Color Key box, including fixing the CYBERCOM link to point to the correct site.

* Hat tip to Laura Gest for informing us that this policy should be removed.

** Hat tip to Daniel Gomez for alerting us to this incorrect link.

21 November 2023

#	Document Names	Change/Justification
1	2023 DoD Strategy for Operations in the Information Environment	The purpose of the 2023 Department of Defense (DoD) Strategy for Operations in the Information Environment (SOIE), which has been posted to the Lead and Govern subsection, is to improve the Department’s ability to plan, resource, and apply informational power to enable integrated deterrence, campaigning, and building enduring advantages as described in the 2022 National Defense Strategy (NDS).
2	NIST SP 800-53A Rev. 5 Assessing Security and Privacy Controls in Information Systems and Organizations	This Special Publication was updated on November 7, 2023. NIST issued a patch release of SP 800-53A (Release 5.1.1) that includes: • Minor grammatical edits and clarification • One new control and three supporting control enhancement assessment procedures to correspond with the new SP 800-53 control, IA-13.
3*	UFC 4-010-06 Cybersecurity Of Facility-Related Control Systems (FRCS)	This UFC’s link has been updated in the Policy Chart and describes requirements for incorporating cybersecurity in the design of all facility-related control systems which include a network. It also covers the cybersecurity aspects of control system design, and the requirements of this UFC must be coordinated with the control system design and the criteria relevant to the control system.

*Hat tip to Colin Dunn for providing the updated link for this policy.

23 October 2023

#	Document Names	Change/Justification
1	NIST SP 800-82 Rev. 3 Guide to Operational Technology (OT) Security	This Publication supersedes and replaces NIST SP 800-82 Rev. 2 Guide to Industrial Control Systems (ICS) Security in the Policy Chart. This document provides guidance on how to secure operational technology (OT) while addressing their unique performance, reliability, and safety requirements.
2	NIST SP 1800-22 Mobile Device Security: Bring Your Own Device (BYOD)	This Publication, released in September 2023, has been added to the Policy Chart. Bring Your Own Device (BYOD) refers to the practice of performing work-related activities on personally owned devices. This practice guide provides an example solution demonstrating how to enhance security and privacy in Android and Apple phones and tablets used in BYOD deployments.
3	DoDD 5101.23E Executive Agent for Advanced Cyber Training Curricula	Posting this Directive, effective October 18, 2023, to the Policy Chart. This Issuance designates effective and relevant Advanced Cyber Training (ACT) to be developed and delivered to the Military Services supporting the Cyber Mission Force (CMF).
4	DTM 17-007 Interim Policy and Guidance for Defense Support to Cyber Incident Response	Updating this Memorandum in the Policy Chart to Incorporate Change 7, which extends the expiration date for the DTM to December 19, 2023.

22 September 2023

#	Document Names	Change/Justification
1	2023 DoD Cyber Strategy Summary	The 2023 DoD Cyber Strategy Summary, published in September 2023, replaces its Fact Sheet in the Lead and Govern subsection of the Policy Chart and provides additional unclassified details on the strategy. The full classified strategy establishes how the Department will operate in and through cyberspace to protect the American people and advance the defense priorities of the United States.

17 August 2023

#	Document Names	Change/Justification
1	CISA Cybersecurity Strategic Plan	The CISA Cybersecurity Strategic Plan for FY 2024-2026, has been posted to the Lead and Govern subsection of the Policy Chart. This strategy outlines a new vision for cybersecurity involving how to address immediate threats, harden the cyber terrain, and drive security at scale.
2	National Cyber Workforce and Education Strategy	This strategy, posted to the Lead and Govern subsection of the Policy Chart details how we will strengthen our cyber workforce, connect people to well-paying, quality jobs, and advance the welfare, prosperity, and security of our society through cyber education.
3	NIST SP 800-218 Secure Software Development Framework (SSDF)	NIST SP 800-218 SSDF, published in February of 2022, addresses software security and development practices in detail to ensure that the software being developed is well-secured. This document recommends the SSDF – a core set of high-level secure software development practices that can be integrated into each SDLC implementation.
4	DoD Cyber Workforce Strategy	This strategy establishes a unified direction for DoD cyber workforce management and, as the cyber domain continues to expand, the inclusion of emerging technology workforces. This strategy also provides a roadmap for how the cyber workforce will grow and adapt to guarantee our Nation's security.
5	DoDI 5000.82 Requirements for the Acquisition of Digital Capabilities	This DoD Instruction assigns program responsibilities concerning the acquisition of digital capabilities as defined in this issuance for the acquisition pathways of the adaptive acquisition framework described in DoD Instruction (DoDI) 5000.02.
6	DoDI 8530.03 Cyber Incident Response	This DoD issuance establishes policy, assigns responsibilities, and provides procedures for DoD cyber incident response (CIR).
7	2018 DoD Cloud Strategy (Removed)	Removed from the Policy Chart, as it was replaced by the DoD Software Modernization Strategy.
8	DoD Information Sharing Strategy (Temp. Removed)	Removed from the DoD CIO Library Page, so this strategy has temporarily been removed pending further investigation.
9	DoD Information Security Continuous Monitoring (ISCM) Strategy (Note)	No change to strategy - RMFKS site is down for the time being but should be back online soon.

14 July 2023

#	Document Names	Change/Justification
1	National Cybersecurity Strategy Implementation Plan	Added to the Lead and Govern subsection of the policy chart and published in July 2023, the National Cybersecurity Strategy Implementation Plan lays out a vision for cyberspace and outlines a path for achieving the need for more capable actors in cyberspace and the need to increase incentives to make investments in long term resilience.
2	Department of Defense Outside the Continental United States (OCONUS) Cloud Strategy	Added to the Lead and Govern subsection of the policy chart and cleared for open publication on May 26, 2021, The Department of Defense (DoD) Outside the Continental United States (OCONUS) Cloud Strategy establishes the vision and goals for enabling a dominant all-domain advantage through cloud innovation at the tactical edge.
3	NIST SP 800-124 Rev. 2 Guidelines for Managing the Security of Mobile Devices in the Enterprise	Updating policy chart to include the change in this publication from Rev. 1 to Rev. 2, published in May 2023.
4	DoDI 8510.01 Risk Management Framework for DoD IT	Updated policy chart by removing DTM 20-004 “Enabling Cyberspace Accountability of DoD Components and Information Systems,” which was cancelled and incorporated into DoDI 8510.01
5	Directive-Type Memorandum (DTM) 17-007 - Interim Policy and Guidance for Defense Support to Cyber Incident Response	Updated policy chart to include Change 6 of DTM 17 – 007, effective June 21, 2023. This memorandum provides supplementary policy guidance, assigns responsibilities, and details procedures for providing Defense Support to Cyber Incident Response (DSCIR).
6	CJCSI 5123.01I Charter of the JROC and Implementation of the JCIDS	Updating policy chart to include CJCSI 5123.01I from October 2021, which supersedes and cancels CJCSI 5123.01H.

12 June 2023

#	Document Names	Change/Justification
1	2023 Department of Defense Cyber Strategy	Added to the Lead and Govern subsection of the policy chart, replacing the 2018 DoD Cyber Strategy. The 2023 DoD Cyber Strategy establishes how the Department will operate in and through cyberspace to protect the American people and advance the defense priorities of the United States. Since the titled document is classified, we have hyperlinked the 2023 DoD Cyber Strategy Fact Sheet for reference instead.
2	DoD Instruction 8520.02 Public Key Infrastructure and Public Key Enabling	DoDI 8520.02, effective May 18, 2023, reissues, and cancels policy from May 2011 under the same name. This Instruction establishes policy, assigns responsibilities, and prescribes procedures for DoD public key infrastructure (PKI) and public key enabling (PKE).
3	DoD Instruction 8520.03 Identity Authentication for Information Systems	DoDI 8520.03, effective May 19, 2023, reissues, and cancels policy from May 2011 under the same name. This Instruction stablishes policy, assigns responsibilities, and provides procedures for authenticating person and non-person entities (NPEs) to DoD information systems, including credential management.
4	DoD Instruction 8551.01 Ports, Protocols, and Services Management	DoDI 8551.01, effective May 31, 2023, reissues, and cancels policy from May 2014 under the same name. This Instruction establishes policy and standardizes procedures for cataloging, governing, and managing the use and management of protocols in the internet protocol suite, related protocols, and data services referred to as Department of Defense information network (DODIN) ports, protocols, and services (PPS).
5	DoD Manual 8530.01 Cybersecurity Activities Support Procedures	DoDM 8530.01, effective May 31, 2023, cancels DoD O-8530.1-M “Department of Defense Computer Network Defense (CND) Service Provider Certification and Accreditation Program,” from December 2003. This issuance assigns responsibilities and provides procedures for designated DoD Component-level organizations.

16 May 2023

#	Document Names	Change/Justification
1	DoD Cybersecurity Reference Architecture (Version 5.0)	Adding DoD CS Reference Architecture, cleared for open publication on February 7th, 2023, to the Lead and Govern subsection of the Policy Chart. This document’s purpose is to establish characteristics for cybersecurity architecture in the form of principles, fundamental components, capabilities, and design patterns to address threats in and outside network boundaries.
2	DoDI 8310.01 Information Technology Standards in the DoD	Highlighting update to this DoD Instruction effective April 7th, 2023. This issuance establishes policy, assigns responsibilities, and authorizes a process for identifying, developing, adopting, establishing, prescribing, and publishing technical standards for DoD information technology.

13 March 2023

#	Document Names	Change/Justification
1	2023 National Cybersecurity Strategy	Added the National Cybersecurity Strategy, published on March 1st, 2023, to the Lead and Govern subsection on the Policy Chart. This strategy details the comprehensive approach that the Biden Administration is taking to better secure cyberspace and realize the benefits of the nation’s digital future.
2	DoD Cyber Workforce Strategy	Added the Department of Defense Cyber Workforce Strategy, published on March 1st, 2023, to the Lead and Govern subsection on the Policy Chart. This strategy “establishes a unified direction for DoD cyber workforce management and, as the cyber domain continues to expand, the inclusion of emerging technology workforces.

7 February 2023

#	Document Name	Change/Justification
1	DoD Information Security Continuous Monitoring (ISCM) Strategy	Added the DoD ISCM Strategy, signed in January 2023, to the Lead and Govern subsection in the Policy Chart. This strategy details how the DOD ISCM Program will modernize the existing Continuous Monitoring frameworks to increase cyber agility and enable continuous cybersecurity readiness using a data-driven approach.

*This document contains Controlled Unclassified Information (CUI) and is CAC Protected at the Risk Management Framework Knowledge Service (RMF KS).

20 December 2022

#	Document Name	Change/Justification
1	DoD Security Classification Guides	Removed the box for NSA IA Guidance due to long-term site errors and replaced it with a link to DoD’s Security Classification Guides. This site serves as a reference for the classification of data, which plays a key role in cybersecurity.

*Hat tip to Mr. Keith Golden

13 December 2022

#	Document Name	Change/Justification
1	Department of Defense Zero Trust Strategy (2022)	The 2022 DoD Zero Trust Strategy was cleared for open publication on November 22nd and updated in the Lead and Govern section of the Policy Chart. This strategy document provides guidance for advancing Zero Trust concept development; gap analysis, requirements development, implementation, execution decision-making, and ultimately procurement and deployment of required ZT capabilities.
2	NIST SP 800-160 Vol. 1 Rev. 1 “Engineering Trustworthy Secure Systems”	Supersedes NIST SP 800-160 Vol. 1 “Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems” and updated in the Policy Chart under Develop and Maintain Trust section.

21 November 2022

#	Document Name	Change/Justification
1	2022 National Security Strategy	The 2022 National Security Strategy was officially published in Oct 2022, and replaces the previous interim strategy located in the Cybersecurity Policy Chart.
2	2022 National Defense Strategy	The public version of the 2022 National Defense Strategy (NDS) was released in Oct 2022, and replaces the NDS placeholder in the Policy Chart. This strategy document includes the 2022 Nuclear Posture Review and the 2022 Missile Defense Review.

13 October 2022

#	Document Name	Change/Justification
1	CNSSI 1253E, Attachment 5 Classified System Overlay	This attachment overlay, released on September 30 2022 and highlighted under the “CNSSI-1253F, Atchs 1-5” box on the chart, lists additional privacy and control baselines to CNSSI 1253. It identifies security control specifications needed to safeguard classified information stored, processed, or transmitted by national security systems (NSS). This overlay is baseline independent and can be used with any NSS baseline (security and privacy) to safeguard classified information.
2	DoDI 8330.01 Interoperability of Information Technology, Including National Security Systems	DoDI 8330.01, effective as of September 27, 2022, provides direction for certifying the interoperability of IT and NSS systems. The Purpose of this Instruction includes establishing the Interoperability Steering Group (ISG), and establishing the governing policy and responsibilities for interoperability requirements development, test, certification, and prerequisites for connection of IT, including NSS.
3	CJCSI 6510.02F Cryptographic Modernization Planning	This Instruction, updated in August of 2022, has been adjusted in the Policy Chart. This Instruction provides policy and guidance for planning, programming and implementing the modernization of Type 1 cryptographic products certified by the NSA and held by the DoD.

01 September 2022

#	Document Name	Change/Justification
1	CNSSI 1253 Categorization and Control for National Security Systems	CNSSI 1253, updated by CNSS on July 29, 2022, to build on and serve as a companion document to NIST SP 800-53, Rev. 5 and NIST SP 800-37, Rev. 2.
2	DoD Directive 5000.01 The Defense Acquisition System	DoDI 5000.01 The Defense Acquisition System, with an objective of supporting National Defense Strategy, was updated in the Policy Chart as Change 1 became effective July 28, 2022.

26 July 2022

#	Document Name	Change/Justification
1*	NIST SP 800-53 Rev. 5 Security and Privacy Controls for Information Systems and Organizations	No update to Policy, but the chart has been edited to reflect the proper document title. The box title has been changed from “Security and Privacy Controls for Federal Information Systems” to “Security and Privacy Controls for Information Systems and Organizations”
2*	NIST SP 800-53A Rev. 5 Assessing Security and Privacy Controls in Information Systems and Organizations	No update to Policy, but the chart has been edited to reflect the proper document title. The box title has been changed from “Assessing Security and Privacy Controls in Federal Information Systems” to “Assessing Security and Privacy Controls in Information Systems and Organizations”
3	CNSSI 4009 Committee on National Security Systems (CNSS) Glossary	CNSSI 4009 has been updated in March of 2022 to include new terms and to adjust definitions of current terms in the Glossary
4	DoD Instruction 8510.01 Risk Management Framework for DoD Systems	DoDI 8510.01, updated as of 19 July 2022, establishes the cybersecurity Risk Management Framework (RMF) for DoD Systems and establishes policy, assigns responsibilities, and prescribes procedures for executing and maintaining the RMF

*Hat Tip to Mr. Patrick J. Simon for suggesting updates 1 and 2.

21 June 2022

#	Document Name	Change/Justification
1	CNSSP-32 Cloud Security for National Security Systems	This Policy Document, released on 22 May 2022, establishes the minimum security requirements for National Security Systems (NSS) migrating to or operating in a cloud environment. This Policy derives its authority from National Security Directive 42, which outlines the roles and responsibilities for securing NSS.
2	DoD Instruction 5000.02 Operation of the Adaptive Acquisition Framework (AAF)	DoDI 5000.02, with Change 1 effective on 8 June 2022, restructures defense acquisition guidance to improve process effectiveness and implement the AAF. Change 1 cancels DoDI 5000.02T in accordance with the 2020 coordination of this issuance and subsequent approval of the transition plan and updates the transition plan to document its completion and final location of information.

1 April 2022

#	Document Name	Change/Justification
1	2022 National Defense Strategy	An unclassified version of the 2022 NDS has not yet been released, but the link will be posted once it is released. For now, the link for the 2022 National Defense Strategy will direct users to the Fact Sheet.
2	NIST SP 800-172A - Assessing Enhanced Security Requirements for Controlled Unclassified Information	This publication, released in March 2022, provides federal agencies and nonfederal organizations with assessment procedures that can be used to carry out assessments of the requirements in NIST Special Publication 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171.
3	CNSSP 1 – National Policy for Safeguarding and Control of COMSEC Materials	This policy, released in March 2022, is an update of an existing Policy Chart item and establishes the policy on Safeguarding and Control of COMSEC Material for National Security Systems (NSS).
4	CNSSD 600 – Directive on Communications Security (COMSEC) Monitoring *CAC required	This directive, released in March 2022, provides policy and basic procedures for the establishment of COMSEC monitoring programs consistent with law, Executive Orders, and applicable Presidential Directives.

The color code for DoDI 5200.48 has been changed to fall under USD (I&S) instead of DoD CIO - *Hat Tip to Dr. Rosemary K. Helton, SFPC

As of Feb 24, 2022, CNSS is requiring all users to install a DoD Root Certificate in their browser in order to access the CNSS website. There have been no reported issues by users trying to access the site yet, but if you need help installing the certificate please see the link below:

DoD Root Certificate Help: https://www.cnss.gov/CNSS/help/DoD_Root_Cert_Help_Final.pdf

22 February 2022

#	Document Name	Change/Justification
1	DoD Software Modernization Strategy	This DoD Strategy document, cleared for open publication on 2 Feb 2022, provides a goal of delivering better software faster. Projected outcomes include shifting secure software delivery left through modern infrastructure and platforms and enabling this shift through true process transformation and people development.
2	FIPS 201-3 Personal Identity Verification (PIV) of Federal Employees and Contractors	This Publication, released in January 2022, supersedes FIPS 201-2 and establishes a standard for a Personal Identity Verification (PIV) system that meets the control and security objectives of Homeland Security Presidential Directive-12.
3*	NIST SP 800-53A R5 Assessing Security & Privacy Controls in Federal Information Systems & Organizations	This Publication, released in January 2022, supersedes NIST SP 8-53A R4, and provides a methodology and set of procedures for conducting assessments of security and privacy controls employed within systems and organizations within an effective risk management framework.
4**	DoDD 5200.47E Anti-Tamper (AT)	This Directive is replacing DoDD 5000.01 in the Policy Chart as it references Cybersecurity more specifically than the broad scope of DoDD 5000.01. It addresses the identification and protection of Critical Program Information (CPI) in accordance with DoDI 5200.39 Critical Program Information (CPI) Identification and Protection Within Research, Development, Test, and Evaluation (RDT&E).
5**	DoDI 5000.02 Operation of the Adaptive Acquisition Framework	This Instruction replaces DoDI 5000.02T in the Policy Chart in order to maintain the chart’s Cybersecurity relevance. DoDI 5000.02 restructures defense acquisition guidance to improve process effectiveness and implement the Adaptive Acquisition Framework (AAF). When the AAF realignment is complete, an administrative change to this issuance will cancel DoDI 5000.02T.
6	CNSSP-200 National Policy on Controlled Access Protection	This Policy, released in January 2022, defines a minimum level of protection for automated information systems operated by executive branch, agencies and departments of the Federal Government and their contractors.

*Hat tip to Mr. Jeff Brewer for recommendation 3.

**Hat tip to Mr. Raymond Shanahan for recommendations 4 and 5.

11 January 2022

#	Document Name	Change/Justification
1	EO 14028 on Improving the Nation’s Cybersecurity	Added the number of the Executive Order to assist in locating the document on the policy chart. The link remains in the National/Federal subcategory.
2	NIST SP-800-213 IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements	This Publication, released in November 2021, contains background and recommendations to help organizations consider how an IoT device they plan to acquire can integrate into a system.
3	CNSSI 1300 Secret NSS PKI X.509 Certificate Policy	This Instruction, updated in December 2021, establishes the requirements for Federal Departments and Agencies to implement the National Security Systems Public Key Infrastructure to manage and support their Secret NSS networked systems.
4	DoDI 8140.02 Identification, Tracking, And Reporting of Cyberspace Workforce Requirements	This Instruction, published in December 2021, establishes policy, assigns responsibilities, and provides guidance for the identification, tracking, data collection, and reporting requirements of DoD Cyberspace Workforce Framework (DCWF)work roles.

29 November 2021

#	Document Name	Change/Justification
1	CNSSD-505 Supply Chain Risk Management	This directive released on 11/17/2021 updates formats and references regarding supply chain risk management (SCRM) capabilities for National Security Systems (NSS). This Directive provides a “whole of government approach” resulting in enhanced inter-agency collaboration and the sharing of lessons learned to address SCRM.
2	CNSSD-520 The Use of Mobile Devices to Process National Security Information Outside of Secure Spaces	This directive released 11/09/2021 provides specific instructions for the control and use of mobile devices that are intended to store, process, and transmit NSI outside of secure spaces, both domestically and limited overseas, to ensure that mobile devices are protected commensurate to the threat environment and level of information stored, processed, transmitted, or communicated.
3	CNSSI 1011 Implementing Host-Based Security Capabilities on National Security Systems	This Instruction released on 09/09/2021 provides operational guidance and assigns responsibilities for deploying host-based security capabilities for National Security Systems.
4	CNSSI 1013 Network Intrusion Detection Systems and Intrusion Prevention Systems (IDS/IPS) on National Security Systems	This Instruction released on 09/09/2021 provides operational guidance and assigns responsibilities for deploying network intrusion detection systems and network intrusion prevention systems (IDS/IPS) capabilities for National Security Systems (NSS).

19 October 2021

#	Document Name	Change/Justification
1	CNSSD-504 Directive on Protecting National Security Systems from Insider Threat	Updated policy document from September 2021 added to the Develop the Workforce subcategory. Update only corrects for format and references. This document establishes that cybersecurity procedures should be implemented to protect against insider threats.
2	CNSSP-22 Cybersecurity Risk Management	Policy updated September 2021. This policy document provides guidance for organizations that own, operate, or maintain national security systems (NSS) to establish an integrated, organization-wide Cybersecurity Risk Management Program among other cyber risk mitigation activities.
3	CNSSI-5000 Voice Over Internet Protocol (VoIP) Telephony	Policy updated September 2021. This policy document contains requirements for providing on-hook and off-hook audio security for VoIP (video/voice) systems located in areas where NSS are located.

8 September 2021

#	Document Name	Change/Justification
1	CNSSP-10 National Policy Governing Use of Approved Security Containers in Information Security Applications	New policy document from April 28, 2021 added to the Manage Access subcategory. Document establishes the Policy on the use of approved security containers in Information System Security applications.
2	CNSSP-11 National Policy Governing the Acquisition of Information Technology Products	Policy updated July, 9, 2021. This policy governs the acquisition policies regarding national security systems.
3	CNSSP-14 National Policy Governing the Release of IA Products/Services	Policy updated May 19, 2021. This policy governs the release of Information Assurance (IA) products and services to U.S. persons or activities that are not part of the federal government.
4	CNSSP-16 National Policy for the Destruction of COMSEC Paper Material	Policy updated May 5, 2021. This policy requires departments and agencies to use crosscut shredders that meet the new NSA specification for the destruction of paper-based COMSEC material. It also defines parameters for the use of crosscut shredders currently in inventory until such time as new shredders are obtained.
5	CNSSP-18 National Policy on Classified Information Spillage	Policy updated May 19, 2021. This policy applies to the spillage of classified national security information on any IS, be it government or nongovernment systems. It provides a framework for the consistent handling of the spillage of classified national security information.
6	CNSSI-1001 National Instruction on Classified Information Spillage	Policy updated June 15, 2021. This instruction establishes the minimum actions required when responding to an information spillage of classified national security information.

24 June 2021

#	Document Name	Change/Justification
1	White House – President Biden: Executive Order on Improving the Nation’s Cybersecurity	New document from 05/12/21 added to the National/Federal subcategory concerning improving cybersecurity capabilities of the nation. Specifically, the administration commits to prioritizing the prevention, detection, assessment, and remediation of cyber incidents.
2	* DoDD 5101.21E DoD Executive Agent for Unified Platform and Joint Cyber Command and Control (JCC2)	New document from 06/04/20 added to the Strengthen Cyber Readiness subcategory regarding closing critical cyberspace capability gaps, and ensuring the delivery of resilient, agile, secure, and effective cyberspace capability solutions to the warfighter.

*Hat tip to Mr. Eric Winters for recommending this document be added to the Policy Chart.

26 May 2021

#	Document Name	Change/Justification
1	NIST SP 1800-25 Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events	New document added to the Strengthen Cyber Readiness subcategory. Published December 2020. Document explores methods to effectively identify assets (devices, data, and applications) that may become targets of data integrity attacks, as well as the vulnerabilities in the organization’s system that facilitate these attacks.
2	CNSSI-4007 Communications Security (COMSEC) Utility Program *	Relocated document link from Manage Access to Sustain Missions subcategory
3	DoDD 5144.02 DoD Chief Information Officer	Relocated document from Develop and Maintain Trust to Sustain Missions subcategory

*Hat tip Randy Borland for recommending the document relocation

27 April 2021

#	Document Name	Change/Justification
1	CNSSI-4007 Communications Security (COMSEC) Utility Program	Relocated document link from Partner for Strength to the Manage Access subcategory
2	DOD Instruction 5000.90, Cybersecurity for acquisition decision authorities and program managers*	Change 10 was issued to update the instruction. Originating Component: Office of the Under Secretary of Defense for Acquisition and Sustainment. Added to the Prevent and Delay Attackers and Prevent Attackers from Staying subcategory. Effective: December 31, 2020
3	Added Directive-type Memorandum 20-004 Enabling Cyberspace Accountability of DoD Components and Information Systems	Added this new document link to the Design for the Fight subcategory. November 13, 2020. DTM 20-004, “Enabling Cyberspace Accountability of DoD Components and Information Systems”
4	MOA Between DoD and DHS (Jan. 19, 2017)	Relocated document link from Design for the Fight to the Partner for Strength subcategory

*Hat tip to Raymond Shanahan from DAU for recommending DoDI 5000.90

19 March 2021

#	Document Name	Change/Justification
1	Interim National Security Strategic Guidance*	The new Administration has issued interim guidance to which all Departments and Agencies should align their actions as the White House team begins work on a new National Security Strategy. Published: Mar 21
2	National Cyber Strategy	Document link fixed. https://dodcio.defense.gov/Portals/0/Documents/Cyber/ICAM_Strategy.pdf
3	DoD Information Sharing Strategy	Document link fixed. https://dodcio.defense.gov/Portals/0/Documents/InfoSharingStrategy.pdf
4	DoD Identity, Credential, and Access Management (ICAM) Strategy	Document link added. https://dodcio.defense.gov/Portals/0/Documents/Cyber/ICAM_Strategy.pdf
5	NIST SP 800-172: Enhanced Security Requirements for Protecting Controlled Unclassified Information**	New Documentation. https://doi.org/10.6028/NIST.SP.800-172 Published: Feb 21
6	DoDI 5000.02T Operation of the Defense Acquisition System	Change 10 published on 31 December 2020. Document link updated. https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/500002Tp.pdf?ver=2020-09-15-152849-783
7	DoDI 8510.01 Change 3, “Risk Management Framework (RMF) for DoD Information Technology (IT)”	Document link updated. Change 3 Published: 29 Dec 20
8	DoDI 8523.01, “Communications Security”	Document link updated. Reissued: 6 Jan 21
9	DoDI 8581.01 IA Policy for Space Systems Used by the DoD	Document removed. Canceled: Aug 2020

The 2017 National Security Strategy is still available at the Trump White House Archives at https://trumpwhitehouse.archives.gov/wp-content/uploads/2017/12/NSS-Final-12-18-2017-0905.pdf

*Hat tip to Mr. Jeff Brewer from the National Institute of Standards and Technology.

16 March 2021

#	Document Name	Change/Justification
1	Interim National Security Strategic Guidance*	The new Administration has issued interim guidance to which all Departments and Agencies should align their actions as the White House team begins work on a new National Security Strategy. Published: Mar 21
2	National Cyber Strategy	Document link fixed. https://dodcio.defense.gov/Portals/0/Documents/Cyber/ICAM_Strategy.pdf
3	DoD Information Sharing Strategy	Document link fixed. https://dodcio.defense.gov/Portals/0/Documents/InfoSharingStrategy.pdf
4	DoD Identity, Credential, and Access Management (ICAM) Strategy	Document link added. https://dodcio.defense.gov/Portals/0/Documents/Cyber/ICAM_Strategy.pdf
5	NIST SP 800-172: Enhanced Security Requirements for Protecting Controlled Unclassified Information**	New Documentation. https://doi.org/10.6028/NIST.SP.800-172 Published: Feb 21
6	DoDI 5000.02T Operation of the Defense Acquisition System	Change 10 published on 31 December 2020. Document link updated. https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/500002Tp.pdf?ver=2020-09-15-152849-783
7	DoDI 8510.01 Change 3, “Risk Management Framework (RMF) for DoD Information Technology (IT)”	Document link updated. Change 3 Published: 29 Dec 20
8	DoDI 8523.01, “Communications Security”	Document link updated. Reissued: 6 Jan 21

The 2017 National Security Strategy is still available at the Trump White House Archives at https://trumpwhitehouse.archives.gov/wp-content/uploads/2017/12/NSS-Final-12-18-2017-0905.pdf

*Hat tip to Mr. Jeff Brewer from the National Institute of Standards and Technology.

30 November 2020

#	Document Name	Change/Justification
1	NIST SP 800-207, Zero Trust Architecture	New document added. This document contains an abstract definition of zero trust architecture (ZTA) and gives general deployment models and use cases where zero trust could improve an enterprise’s overall information technology security posture. Published: August 2020
2	NIST SP 800-209, Security Guidelines for Storage Infrastructure	New document added. Comprehensive security recommendations for storage infrastructures. The security focus areas covered in this document not only span those that are common to the entire IT infrastructure—such as physical security, authentication and authorization, change management, configuration control, and incident response and recovery—but also those that are specific to storage infrastructure, such as data protection, isolation, restoration assurance, and data encryption. Published: 26 October 2020
3	NIST SP 1800-16, Securing Web Transactions: TLS Server Certificate Management	New document added. NIST SP 1800-16 describes the TLS certificate management challenges faced by organizations; provides recommended best practices for large-scale TLS server certificate management; describes an automated proof-of-concept implementation that demonstrates how to prevent, detect, and recover from certificate-related incidents; and provides a mapping of the demonstrated capabilities to the recommended best practices and to NIST security guidelines and frameworks. Published: 06 June 2020
4	NIST SP 800-210, General Access Control Guidance for Cloud Systems	New document added. This document presents cloud access control characteristics and a set of general access control guidance for cloud service models: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service). Published: July 2020
5	DoDD O-5100.19, Critical Information Communications (CRITICOM) System (CAC-required)	New document added. Assigns responsibility and prescribes procedures for the establishment of software acquisition pathways IAW Section 800 of Public Law 116-92. Published: 02 October 2020
6	DoDI 5000.87, Operation of the Software Acquisition Pathway	USD(I) was changed to USD(I&S) to reflect office name change.
7	DoDI 5205.83, DoD Insider Threat and Management and Analysis Center (DITMAC)	New document added. Enterprise-level capability for managing and analyzing insider threats. Change 1: 29 October 2020
8	DoDM 3305.09, Cryptologic Accreditation and Certification	New document added. Provides accreditation guidance and procedures for DoD education and training institutions that support the cryptologic community. Change 2: 01 October 2020
9	DoDM 5205.02E, DoD Operations Security (OPSEC) Program Manual	New document added. To provide baseline requirements to ensure national security-related missions and functions are protected (to include information systems) Change 2: 29 October 2020
10	Cybersecurity Maturity Model Certification (CMMC), v. 1.02	New document added. Certification developed to enhance the protection of FCI and CUI within the DIB. Version dated 18 March 2020.

13 October, 2020

#	Document Name	Change/Justification
1	14 U.S.C. Ch. 7	Replaced with new hyperlink to authoritative source
2	DoDI 8531.01	The link to DoDI 8531.01 mistakenly linked to DoDI 8530.01 and has been fixed.

09 October, 2020

#	Document Name	Change/Justification
1	Title 14, U.S. Code, Cooperation with Other Agencies	Replaced with new hyperlink
2	NIST Special Publication 800-53, Rev. 5, Security and Privacy Controls for Information Systems and Organizations	Long awaited and very important update, published September 2020, supersedes Rev. 4
3	CNSSD 507: National Directive for Identity, Credential, and Access Mgmt. Capabilities on the U.S. Federal Secret Fabric	Provides a minimum set of requirements for Identity, Credential, and Access Management (ICAM) implementation and management that applies to the Federal Secret Fabric. Updated July 7, 2020.
4	DoD Directive 8140.01, Cyberspace Workforce Management	Published October 5, 2020, superseding the earlier version dated August 11, 2015
5	DoD Instruction 8531.01, DoD Vulnerability Management	Released on September 15, 2020
6	DoD Data Strategy	The DoD Data Strategy supports the National Defense Strategy and Digital Modernization, published October 9, 2020
7	DTM 17-007, Ch. 3, Defense Support to Cyber Incident Response	Change 3 issued May 29, 2020

30 July 2020

#	Document Name	Change/Justification
1	DoDI 8320.02: Sharing Data, Information, and Technology (IT) Services in the Department of Defense	Incorporating Change 1, Effective June 24, 2020 SUMMARY OF CHANGE 1. The change to this issuance updates references and organizational titles and removes expiration language in accordance with current Chief Management Officer of the Department of Defense direction.
2	DoD Identity, Credential, and Access Management (ICAM) Strategy	ICAM Strategy signed on 17 July 2020
3	MOA Between DoD and DHS	Removed “requires CAC” language; CAC no longer required to view MOA.
4	RMF Knowledge Service	Italicized to reflect no publicly accessible version available. Available with CAC only.
5	About This Chart	Added note to open PDF document directly in a web browser
6	USD(I&S)*	USD(I) was changed to USD(I&S) to reflect office name change.

*Hat tip to Dr. Rosemary K. Helton from the Pentagon Force Protection Agency.

22 June 2020

#	Document Name	Change/Justification
1	HSPD-12*	Updated Link
2	NIST SP 800-37, R1*	Replaced by NIST SP 800-37, R2
3	NIST SP 800-163*	Replaced by NIST SP 800-163, R1
4	CJCSI 3213.02D, Joint Operations Security*	Should be labeled as CJCSI 3213.01D
5	NIST SP 800-34, R1*	Updated Link
6	OMB Circular A-130	Updated Link
7	DoD Cybersecurity Risk Reduction Strategy	New Policy / Link to Document not publicly available.
8	“About This Chart”	Added instructions for how to follow the link to a policy for those whose organizational policies block them from hyperlinking directly from a .pdf document.

* Hat tip to Vincent Williams of HQ Air Force Office of Special Investigations, for updates 1-5 above.

29 May 2020

#	Document Name	Change/Justification
1	National Strategy to Secure 5G	New policy added
2	DoD 5G Strategy	New policy added
3	N/A	Moved Executive Orders and Presidential Directives from “Lead and Govern” to “National/Federal” to make room for new strategies.

1 April 2020

#	Document Name	Change/Justification
1	NIST Framework for Improving Critical Infrastructure Cybersecurity	Updated link
2	Common Criteria Evaluation and Validation Scheme (CCEVS)	Updated to reflect change in CCEVS as of February 2020
3	DoDI 5000.02T Operation of the Defense Acquisition System	Updated to reflect change in January 2020
4	DoDI 8510.01, Risk Management Framework for DoD IT	Updated link
5	Joint Publication 6-0, Joint Communications System	Updated link
6	MOA Between DoD and DHS (Jan 19, 2017, requires CAC)	Updated link
7	DoDI 8420.01 Commercial WLAN Devices, Systems, and Technologies	Updated link
8	DoD O-8530.1-M (CAC req’d) CND Service Provider Certification and Accreditation Program	Updated link
9	DoDD 3020.40, Mission Assurance	Updated link
10	DoDD 3100.10, Space Policy	Updated link
11	Defense Acquisition Guidebook	Updated link
12	Title 14, US Code, Cooperation With Other Agencies (Ch. 7)	Updated link
13	NISTIR 7298, Rev. 3, Glossary of Key Information Security Terms	Updated link to point to Rev. 3.
14	NIST SP 800-125A, R1, Security Recommendations for Hypervisor Platforms	Updated link
15	NIST SP 800-88, R1,Guidelines for Media Sanitization	New policy added

* Hat tip to Jeffery Ellison of KBR for #15 above.

13 March 2020

#	Document Name	Change/Justification
1	NIST SP 800-171, R2 Protecting CUI in Nonfederal Systems and Organizations	Superseded R1 of NIST SP 800-171 on 21 Feb 2020
2	DoDI 5200.48 Controlled Unclassified Information(CUI)	New issuance, cancels DoD 5200.01 Volume 4. Issued 6 Mar 2020.
3	NIST SP 800-63 series Digital Identity Guidelines	NIST SP 800-63-3, 800-63A, 800-63B, and 800-63C were all updated on 2 Mar 2020

* Hat tip to Randy Renk of Boeing for the first two updates.

19 February 2020

#	Document Name	Change/Justification
1	DoDI 8170.01, Online Information Management and Electronic Messaging	Updated hyperlink

* Hat tip to Randal Sullivan for the updated hyperlink.

18 February 2020

#	Document Name	Change/Justification
1	DoDD 8140.01, Cyberspace Workforce Management	Updated hyperlink
2	DoDI 8170.01, Online Information Management and Electronic Messaging	Supersedes DoD Instruction 8550.01, “DoD Internet Services and Internet-Based Capabilities,” September 11, 2012 (which was removed from the chart)
3	Joint Special Access Program (SAP) Implementation Guide (JSIG)	Updated hyperlink

29 January 2020

#	Document Name	Change/Justification
1	CNSSI-5002, Telephony Isolation Used for Unified Communications Implementations within Physically Protected Spaces	Supersedes CNSSI No. 5002, National Information Assurance (IA) Instruction for Computerized Telephone Systems (February 2012) on December 18, 2019.
2	DTM 17-007, Defense Support to Cyber Incident Response	Updated hyperlink

17 December 2019

#	Document Name	Change/Justification
1	NIST SP 800-34, R1 Contingency Planning Guide for Federal Information Systems	New addition to chart to address contingency planning.*
2	NIST SP 800-82, R2 Guide to Industrial Control Systems (ICS) Security	New addition to chart to address ISC cybersecurity.*
3	DoDI 8582.01, Security of Non-DoD Information Systems Processing Unclassified Nonpublic DoD Information	Policy was updated on 9 Dec 2019.
4	UFC 4-010-06, Cybersecurity of Facility-Related Control Systems	New addition to chart to address cybersecurity issues for facility-related control systems.*
5	Security Technical Implementation Guides (STIGs)	Hyperlink updated to link to DISA’s updated website and new URL.†
6	Security Configuration Guides (SCGs)	Hyperlink updated to link to NSA’s updated website and new URL.
7	NSA IA Guidance	New addition to the chart includes 123 “security tip” documents for mitigating cyber risk

* Hat tip to Dan Ricci for the documents numbered 1, 2, and 4 above.

† Hat tip to Ruben D. Martinez, Information Systems Security Officer at RMF – AFLCMC HNCO for the updated link to the STIGs.

27 November 2019

#	Document Name	Change/Justification
1	CNSSD 506, National Directive to Implement PKI on Secret Networks	New addition to the Policy Chart
2	CNSSD 520, The Use of Mobile Devices to Process National Security Information Outside of Secure Spaces	New addition to the Policy Chart

30 October 2019

#	Document Name	Change/Justification
1	DoDI 5205.13 Defense Industrial Base (DIB) Cyber Security (CS) / IA Activities	Change 2 issued on 21 August 2019
2	DoDI 8500.01, Cybersecurity	Change 1 issued on 7 Oct 2019
3	NIST 800-128, Guide for Security-Focused Configuration Management of Information Systems	Updated 10 October 2019
4	NIST 800-160, Vol. 1, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems	Added to the chart to reflect the increasing importance of this topic.
5	FIPS Pub 140-3, Security Requirements for Cryptographic Modules	Superseded FIPS Pub 140-2. FIPS 140-3 was published on 22 Mar 2019, but didn’t officially become effective under the implementation schedule until 22 Sep 2019.

* Hat tip to Tyler Harding of Amazon for the update from FIPS 140-2 to FIPS 140-3.

25 October 2019

#	Document Name	Change/Justification
1	DoDI 5205.13 Defense Industrial Base (DIB) Cyber Security (CS) / IA Activities	Change 2 issued on 21 August 2019
2	DoDI 8500.01, Cybersecurity	Change 1 issued on 7 Oct 2019
3	NIST 800-128, Guide for Security-Focused Configuration Management of Information Systems	Updated 10 October 2019
4	NIST 800-160, Vol. 1, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems	Added to the chart to reflect the increasing importance of this topic.

23 July 2019

#	Document Name	Change/Justification
1	DoD Digital Modernization Strategy	Added this new Strategy released on 12 July 2019
2	DoDM O-5205.13, Defense Industrial Base (DIB) Cybersecurity (CS) Program Security Classification Manual (SCM)	Change 1 issued on 14 Jun 2019. (Note: This document requires a DoD PKI certificate for access.)
3	Directive-Type Memorandum (DTM) 17-007 – “Interim Policy and Guidance for Defense Support to Cyber Incident Response”	Change 2 issued on 6 Jun 2019

22 May 2019

#	Document Name	Change/Justification
1	EO 13873: Securing the Information and Communications Technology and Services Supply Chain	Added this new Executive Order signed 15 May 2019
2	EO 13800: Strengthening Cybersecurity of Fed Nets and CI	Updated link to the Federal Register’s permalink
3	EO 13636: Improving Critical Infrastructure Cybersecurity	Updated link to the Federal Register’s permalink
4	NIST SP 800-163, Vetting the Security of Mobile Applications	Added this new publication, published on 19 Apr 2019
5	DoD Information Technology Environment Strategic Plan	Moved from the Lead and Govern block to the National/Federal block to make room for the new Executive Order.
6	Cybersecurity Policy Chart	Updated the red text in the bottom center of the chart to reflect the new location that DTIC established for updated versions of the chart.

28 February 2019

#	Document Name	Change/Justification
1	2019 National Intelligence Strategy	Added this updated strategy
2	Department of Defense (DoD) Cloud Strategy	Added this new strategy
3	Summary of the 2018 DoD Artificial Intelligence Strategy	Added an unclassified summary of this new strategy
4	CYBERCOM Orders	The Operational section of the chart removed older references to STRATCOM policies and has replaced it with a reference to CYBERCOM orders and JFHQ-DODIN orders. Neither is hyperlinked because these orders are not available to the public.
5	JFHQ-DODIN Orders	See above

15 January 2019

#	Document Name	Change/Justification
1	CJCSI 5123.01H, Charter of the JROC and Implementation of the JCID	As of 18 Aug 2018, CJCSI 5123.01H stated that “CJCSI 3170.01 Series, “Joint Capabilities Integration and Development System (JCIDS),” is hereby canceled, with content moved to Enclosure D of this CJCSI.”
2	Department of Defense (DoD) Joint Special Access Program (SAP) Implementation Guide (JSIG)	Policy added to chart to expand coverage to JSAP.

7 January 2019

#	Document Name	Change/Justification
1	DoDI 5200.39, Critical Program Information (CPI) Identification and Protection Within Research, Development, Test, and Evaluation (RDT&E)	Added per the suggestion of Ms. Creel of the CERT Division, Software Engineering Institute, Carnegie Mellon University.

5 December 2018

#	Document Name	Change/Justification
1	CJCSI 3170.01, Joint Capabilities Integration and Development System (JCIDS)	Manual was converted to a “living document” available at the new hyperlink
2	UCP Unified Command Plan	Updated link to unclassified site that identifies the 10 Combatant Commands and provides information on each.

25 September 2018

#	Document Name	Change/Justification
1	National Cyber Strategy	Replaces the 2003 National Cyber Strategy.
2	2018 DoD Cyber Strategy	Update to the 2015 DoD Cyber Strategy. It was signed on 27 July, but a publicly accessible, unclassified summary became available on 18 Sep. The hyperlink is to the unclassified summary.
3	CNSSP-28, “Cybersecurity of Unmanned National Security Systems,” 6 July 2018	New policy.
4	DoDI 8560.01, “Communications Security (COMSEC) Monitoring,” 22 Aug 2018	Incorporated and canceled DoD Instruction 8560.01, “Communications Security (COMSEC) Monitoring and Information Assurance (IA) Readiness Testing,” October 9, 2007.
5	DoD Cybersecurity Policy Chart	Added additional CSIAC contact information to the upper left corner of the chart.

14 August 2018

#	Document Name	Change/Justification
1	2018 DoD Cyber Strategy	Update to the 2015 DoD Cyber Strategy. It was signed on 27 July, but a publicly accessible version is not yet available, so the name is italicized in the chart indicating no public-facing hyperlink is available.
2	CNSSI-5000, Annex I, Voice Over Secure Internet Protocol (VoSIP)	Annex released on 21 June 2018.

12 June 2018

#	Document Name	Change/Justification
1	Directive-Type Memorandum (DTM) 17-007 – “Interim Policy and Guidance for Defense Support to Cyber Incident Response”	NIST Released NIST SP 800-126, R3, SCAP 1.3 on 14 Feb 2018
2	CJCSI 6510.02E, Cryptographic Modernization Plan	Updated from CJCSI 6510.02D
3	CJCSM 3213.02D, Joint Staff Focal Point	Updated from CJCSM 3213.02C
4	NIST SP 800-171, R1, Protecting CUI in Nonfederal Systems and Organizations	Rev. 1 final release date was 6/7/2018.
5	NIST SP 800-125A, R1, Security Recommendations for Hypervisor Platforms	Rev. 1 final release date was 6/7/2018.
6	National Security Strategy	Moved from National/Federal to Organize/Lead and Govern

9 April 2018

#	Document Name	Change/Justification
1	NIST SP 800-126, R2 SCAP 1.2	NIST Released NIST SP 800-126, R3, SCAP 1.3 on 14 Feb 2018
2	NIST SP 800-171	NIST Released NIST SP 800-171, R1, on 20 Feb 2018
3	NIST SP 800-125A	Added NIST SP 800-125A, Security Recommendations for Hypervisor Deployment on Servers, 23 Jan 2018
4	DoD Directive 3020.26, “Department of Defense Continuity Programs,” January 9, 2009, as amended	Reissued and canceled by DoDD 3026, DoD Continuity Policy, 14 Feb 2018
5	CJCSI 3170.01I, Joint Capabilities Integration and Development System (JCIDS)	Updated link.
6	Stored Communications Act, 18 USC §2701 et seq.	The Stored Communications Act was amended by the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which was passed as part of the Consolidated Appropriations Act of 2018, signed into law on 23 March 2018. NOTE: The link to the Government Publishing Office’s text of the law currently does not reflect these most recent changes, nor does the House of Representatives official United States Code website. Both are expected to be updated after some time.

1 February 2018

#	Document Name	Change/Justification
1	2017 National Defense Strategy	Released on 19 January 2018, it replaces the 2012 National Defense Strategy. Since the National Defense Strategy is classified, the link is to the unclassified summary.
2	Quadrennial Defense Review	Removed from chart, based on the 2017 National Defense Authorization Act (NDAA), which replaced the legislative foundation of the Quadrennial Defense Review with requirements to be included in a National Defense Strategy.
3	Strategic Instruction (SI) 527-01 DoD INFOCON System Procedures, 27 March 2015	Superseded SD 527-01, 27 Jan 2006.
4	NIST Framework for Improving Critical Infrastructure Cybersecurity	Updated broken link.
5	CJCSM 6510.02, Information Assurance Vulnerability Management Program	Added this older policy to the chart. Policy is in italics because it is FOUO and so no publicly accessible link can be provided.

* Hat tip to Lawrence E. Cernicky for suggesting last 3 updates listed above.

8 January 2018

#	Document Name	Change/Justification
1	EO 13636: Improve Critical Infrastructure Cybersecurity	Corrected link to Document.
2	The DoD Cybersecurity Policy Chart	Changed the gray/white background/text combos to gray/black.

18 December 2017

#	Document Name	Change/Justification
1	2017 National Security Strategy	Released on 18 December 2017, it replaces the 2015 National Security Strategy.

13 December 2017

#	Document Name	Change/Justification
1	DoDI 8310.01 Information Technology Standards in the DoD	Added to chart
2	EO 13636: Improving Critical Infrastructure Cybersecurity	Corrected Link to document
3	DoDI 8582.01 Security of Unclassified DoD Information on Non-DoD Info Systems	Policy updated by DoDI 8310.01
4	NSTISSI 7003 Protective Distribution Systems	Changed to CNSSI 7003, Protected Distribution Systems

* Hat tip to Kathy Yelshin for suggesting the addition of DoDI 8310.01.

* Hat tip to Brent Stedry for suggesting the update to NSTISSI 7003.

6 November 2017

#	Document Name	Change/Justification
1	NIST SP 800-18, Rev 1	Corrected Link to document

3 November 2017

#	Document Name	Change/Justification
1	ASD(NII)/DoD CIO Memo on Use of Peer-to-Peer File Sharing Applications	Removed, was canceled by DoDI 8500.01, Cybersecurity
2	CNSSI-4001	Added link.
3	CNSSI-4005	Added link.
4	CNSSP-16	Added link.
5	DoDD 3020.40	Updated link.
6	DoDI 5200.01	Updated link.
7	DoDI 8320.02	Corrected link.
8	DoDI 8551.01	Updated link.
9	Ethics Regulations	Updated link.
10	E. O. 13800	Added.
11	FIPS 140-2	Updated link.
12	FIPS 199	Updated link.
13	FIPS 200	Updated link.
14	ICD 503	Updated link.
15	NISTR 7693	Updated link.
16	NIST SP 800-18, Rev 1	Updated link.
17	NIST SP 800-39	Updated link.
18	NIST SP 800-59	Updated link.
19	NIST SP 800-60, Vol 1, Rev 1	Updated link.
20	NIST SP 800-92	Updated link.
21	NIST SP 800-126, Rev 2	Updated link.
22	NIST SP 800-128	Updated link.
23	NIST SP 800-137	Updated link.
24	NIST SP 800-153	Updated link.
25	NSTISSI-4003	Changed to CNSSI 4003 and added link.
26	NSTISSI-4006	Changed to CNSSI 4006 and added link.
27	OMB A-130	White House temporarily moved many policies to the Obama White House archives site, though these appear to be in full force unless or until formally rescinded or superseded.
28	Security Configuration Guides	Updated link.

* Hat tip to Maria Jenkins, contractor support to DCMA Cybersecurity, for identifying most of the above issues.

15 Aug 2017

#	Document Name	Change/Justification
1	DoDD 8000.01	Change issued 27 July 2017 to include US Coast Guard in applicability paragraph and make other administrative updates.
2	DoDD 8140.01	Change issued 31 July 2017 to include US Coast Guard in applicability paragraph and make other administrative updates.
3	DoDI 8510.01	Change issued 28 July 2017 to include US Coast Guard in applicability paragraph and make other administrative updates.
4	DoDI 8520.03	Change issued 27 July 2017 to include US Coast Guard in applicability paragraph and make other administrative updates.
5	DoDI 8530.01	Change issued 25 July 2017 to include US Coast Guard in applicability paragraph and make other administrative updates.
6	DoDI 8551.01	Change issued 27 July 2017 to include US Coast Guard in applicability paragraph and make other administrative updates.
7	MOA Between DoD & DHS	MOA signed 19 January 2017 regarding Department of Defense and U.S. Coast Guard cooperation on cybersecurity and cyberspace operations.

30 Jun 2017

#	Document Name	Change/Justification
1	All DoDDs, DoDIs, DoDMs, and other DoD issuances	46 hyperlinks changed to reflect the movement of the official DoD Issuances website to a new URL.
2	DoD Acquisition Guidebook	Hyperlink changed to reflect updated URL for the DAG. Link is to Chapter 9, which is the deepest link permitted, but subpart 3.2.2, Risk Management Framework for DoD IT is the pertinent reference.

05 Jun 2017

#	Document Name	Change/Justification
1	National Strategy for Information Sharing and Safeguarding (2012)	Updated link: https://obamawhitehouse.archives.gov/sites/default/files/rss_viewer/internationalstrategy_cyberspace.pdf
2	U.S. International Strategy for Cyberspace (2011)	Updated link: https://obamawhitehouse.archives.gov/sites/default/files/rss_viewer/internationalstrategy_cyberspace.pdf
3	25 Point Implementation Plan to Reform Federal IT Management (2010)	Removed.
4	NIST Framework for Improving Critical Infrastructure Cybersecurity (2014)	Updated link: https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
5	National Defense Strategy (NDS) (2012)	Updated broken link: http://www.acqnotes.com/Attachments/2012%20National%20Defense%20Strategy.pdf
6	IA Component of the GIG Integrated Architecture, Version 1.1 (2002)	Removed.
7	Alignment Framework for the GIG IA Architecture (AFG) Version 1.1 (2002)	Removed.
8	IATF Release 3.1 Information Assurance Technical Framework (2002)	Removed.
9	DoDI 5000.02 Operation of the Defense Acquisition System (2017)	Updated broken link: http://www.dtic.mil/whs/directives/corres/pdf/500002_dodi_2015.pdf
10	DoD CIO Memo (2011) Interim Guidance on Networthiness of IT Connected to DoD Networks	Removed.
11	DoD CIO G&PM 12-8430 (2001) Acquiring Commercial Software	Removed.
12	NSTISSI-4000 to: CNSSI-4000 Maintenance of Communications Security (COMSEC) Equipment (2012)	Link Broken/Document Type Changed: https://www.cnss.gov/CNSS/issuances/Instructions.cfm
13	ICD 503 IC Information Technology Systems Security Risk Management	Updated link: https://www.dni.gov/index.php/intelligence-community/ic-policies-reports/intelligence-community-directives
14	OMB M-05-24 Implementation of HSPD-12	Removed.
15	From NSTISSI to CNSSI 4001 Controlled Cryptographic Items (2013)	Document Type Change/Updated link: https://www.cnss.gov/CNSS/issuances/Instructions.cfm
16	DoDI 5200.01 Dod Information Security Program And Protection Of Sensitive Compartmented Information (SCI) (2016)	Updated broken link: http://www.dtic.mil/whs/directives/corres/pdf/520001p.pdf
17	DoD Information Sharing Strategy (2007)	Updated broken link: http://dodcio.defense.gov/Portals/0/Documents/DIEA/InfoSharingStrategy.pdf
18	ASD(NII)/DoD CIO Memo Use of Peer-to-Peer File Sharing Applications Across DoD	Removed. This Memo was canceled by DoDI 8500.01, Cybersecurity
19	CJCSI 6211.02D Defense Information System Network (DISN) Responsibilities (2012)	Updated broken link: http://www.jcs.mil/Portals/36/Documents/Library/Instructions/6211_02a.pdf?ver=2016-02-05-175050-653
20	CJCSM 6510.01B Cyber Incident Handling Program (2014)	Updated broken link: http://www.jcs.mil/Portals/36/Documents/Library/Manuals/m651001.pdf?ver=2016-02-05-175710-897
21	CJCSI 6510.01F Information Assurance (IA) And Support To Computer Network Defense (CND) (2015)	Updated broken link: http://www.jcs.mil/Portals/36/Documents/Library/Instructions/6510_01.pdf?ver=2016-02-05-175054-497
22	NSTISSD-600 Communications Security Monitoring (1990)	Added link: https://www.cnss.gov/CNSS/issuances/Directives.cfm
23	DoDD 3020.40 Mission Assurance (MA) (2016)	Ttitle and Link Updated: http://www.dtic.mil/whs/directives/corres/pdf/302040_dodd_2016.pdf
24	DoDI 8581.01 Information Assurance (IA) Policy for Space Systems Used by the Department of Defense (2010)	Keep
25	DoDD S-5100.44 and DoDD S-3710.01	Replacement/Updated Link. Replaced DoDD S-5100.44, Defense and National Leadership Command Capability (DNLCC) with DoDD S-3710.01, National Leadership Command Capability (NLCC) New link: http://www.dtic.mil/whs/directives/corres/pdf/S371001_placeholder.pdf
26	CNSSP-300 National Policy on Control of Compromising Emanations (2006)	Updated broken link: https://www.cnss.gov/CNSS/issuances/Policies.cfm
27	CNSSI-4004.1 Destruction and Emergency Protection Procedures for COMSEC and Classified Material (2008)	Updated broken link: https://www.cnss.gov/CNSS/issuances/Instructions.cfm
28	Defense Acquisition Guidebook Sect 7.5 Information Assurance (2013) and the DAG (2016)	Replaced/Updated Link. Replaced Defense Acquisition Guidebook Sect 7.5 Information Assurance (2013) with the DAG (2016) New link: https://dap.dau.mil/glossary/pages/178.aspx?scroll=0
29	2015 National Security Strategy	Updated broken link: http://www.jcs.mil/Portals/36/Documents/Publications/2015_National_Military_Strategy.pdf
30	NSD 42	Updated link: https://www.cnss.gov/cnss/assets/authorities/NSD-42.pdf
31	OMB A-130 (2016)	Updated broken link: https://www.federalregister.gov/documents/2016/07/28/2016-17872/revision-of-omb-circular-no-a-130-managing-information-as-a-strategic-resource
32	CNSSI 4009 Committee on National Security Systems (CNSS) Glossary (2015)	Updated Title.
33	Security Configuration Guides (SCGs)	Consider Deleting. Current link takes you to “Media Destruction Guidance”. A search of the term SCG nets many different websites. Is there a particular site to reference?
34	Security Reference Review Scripts	Consider Deleting/Broken Link. A search of the term SCG nets many different websites. Is there a particular site to reference?
35	Component—Level Policy	Consider Deleting/Broken Link. This is too vague considering that everything on the chart has specific references.

21 Aug 2016

#	Document Name	Change/Justification
1	Presidential Policy Directive 41: United States Cyber Incident Coordination	New PPD issued.
2	CJCSI 6212.01F Net Ready Key Performance Parameter	Canceled by CJCSI 5123.01G, 12 Feb 15
3	DoD 5220.22-M, Ch. 2 National Industrial Security Program Operating Manual (NISPOM)	Change 2 published May 18, 2016. Updated link.
4	DoDD 8000.01 Management of the DOD Information Enterprise	Policy and link updated.
5	DoDD 8521.01E Department of Defense Biometrics	Updated link.
6	DoDI O-8530.1	Superseded by DoDI 8530.01, link updated.
7	DoDI O-8530.2	Superseded by DoDI 8530.01, link updated.
8	DoDI 5200.01 DoD Information Security Program and Protection of SCI	Added as a new policy based on recent update.
9	DoDI 5200.08	Change 3 issued, link updated.
10	SP 800-30, Rev. 1, Guide for Conducting Risk Assessments	Moved to: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
11	SP 800-126 Rev. 2, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2	Moved to: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-126r2.pdf
12	SP 800-128, Guide for Security-Focused Configuration Management of Information Systems (August 2011)	Moved to: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-128.pdf
13	SP 800-137, Information Security Continuous	http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf

27 Oct 2015

#	Document Name	Change/Justification
1	National Strategy for Information Sharing and Safeguards	Updated link: https://www.whitehouse.gov/sites/default/files/docs/2012sharingstrategy_1.pdf
2	Quadrennial Defense Review Report	Updated link: http://archive.defense.gov/pubs/2014_Quadrennial_Defense_Review.pdf
3	National Defense Strategy	Updated link: http://www.defense.gov/Portals/1/Documents/pubs/2008NationalDefenseStrategy.pdf
4	DoD Cyber Strategy	Updated link: http://www.defense.gov/Portals/1/features/2015/0415_cyber-strategy/Final_2015_DoD_CYBER_STRATEGY_for_web.pdf
5	DoD Strategy for Operating in Cyberspace	Removed as superseded by the DoD Cyber Strategy
6	National Military Strategic Plan for the War on Terrorism	Updated link: https://digitalndulibrary.ndu.edu/cdm/compoundobject/collection/strategy/id/9695/rec/8
7	Title 44 – Federal Information Security Modernization Act (Ch. 35)	Updated link to reflect the amendments effected by the Federal Information Security Modernization Act to amend the Federal Information Security Management Act. Updated link: https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf
8	CNSSI 1300	De-italicized to show that a publicly accessible link is available at: https://www.cnss.gov/CNSS/issuances/Instructions.cfm
9	DFARS Subpart 208.74	Updated link: http://www.acq.osd.mil/dpap/dars/dfars/html/current/208_74.htm
10	DoDD 8570.01	Directive was superseded by 8140.01.
11	DoDD 5000.02	Updated broken link: http://www.dtic.mil/whs/directives/corres/pdf/500002p.pdf
12	CJCSI 6211.02D	Updated link: http://www.dtic.mil/cjcs_directives/cdata/unlimit/6211_02a.pdf

15 Aug 2015

#	Document Name	Change/Justification
1	National Military Strategy (NMS)	Link updated to 2015 NMS: http://www.jcs.mil/Portals/36/Documents/Publications/National_Military_Strategy_2015.pdf
2	National Security Strategy (NSS)	2015 NSS added: https://www.whitehouse.gov/sites/default/files/docs/2015_national_security_strategy_2.pdf
3	National Military Strategy for Cyberspace Operations (NMS-CO)	Updated link: http://nsarchive.gwu.edu/NSAEBB/NSAEBB424/docs/Cyber-023.pdf
4	DoDD 8140.01 Cyberspace Workforce Management	Signed 11 Aug 2015, cancelled DoD Directive 8570.01, “Information Assurance (IA) Training, Certification, and Workforce Management,” August 15, 2004, as amended.
5	DoDI 8330.01 Interoperability of IT and National Security Systems (NSS)	Correct spacing in title.
6	CJCSI 3170.01H Joint Capabilities Integration and Development System (JCIDS)	Updated to CJCSI 3170.01I: https://dap.dau.mil/policy/Documents/2015/CJCSI_3170_01I.pdf
7	Presidential Memo, “Classified Information and Controlled Unclassified Information, “27 May 09”	Memo withdrawn. Removed from chart.
8	FAR Federal Acquisition Regulation	Updated link: https://www.acquisition.gov/?q=browsefar

24 Apr 2015

#	Document Name	Change/Justification
1	The DoD Cyber Strategy	New Issuance, 23 Apr 2015
2	Comprehensive National Cybersecurity Initiative	Removed
3	DoDI S-5240.23, Counterintelligence (CI) Activities in Cyberspace	Added new link to aid those with SIPRNet access to find document.
4	DoDI S-5200.16, Objectives and Min Stds for COMSEC Measures used in NC2 Comms	Added new link to aid those with SIPRNet access to find document.
5	DoDD S-5100.44, Defense and National Leadership Command Capability (DNLCC)	Added new link to aid those with SIPRNet access to find document.
6	DoDD O-5100.30, Department of Defense (DoD) Command and Control (C2)	Superseded by DoD DoDD 3700.01, DoD Command and Control (C2) Enabling Capabilities
7	DoDD O-8530.1, Computer Network Defense (CND)	Added new link to aid those with a DoD PKI cert to access this document.
8	DoDI O-8530.2, Support to Computer Network Defense (CND)	Added new link to aid those with a DoD PKI cert to access this document.
9	DoD O-8530.1-M, CND Service Provider Certification and Accreditation Program	Added new link to aid those with a DoD PKI cert to access this document.

17 Feb 2015

#	Document Name	Change/Justification
1	Executive Order 13691, Promoting Private Sector Cybersecurity Information Sharing	New Issuance, 13 Feb 2015
2	National Security Strategy	New Issuance, Feb 2015
3	NIST SP – 800-37 Rev 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach	New link includes updates as of 6 May 2014
4	SP 800-61 Rev. 2, Computer Security Incident Handling Guide	Updated link
5	FIPS 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors	Superseded by FIPS 201-2, Personal Identity Verification (PIV) of Federal Employees and Contractors
6	DoD Defending Networks, Systems, and Data Strategy	New direct link
7	DoD Cyber, Identity & Information Assurance Strategic Plan	Updated link
8	National Military Strategy	Updated link
9	CNSSAM IA 1-10, Reducing Risk of Removable Media in NSS	Updated link
10	CNSSI-1300, Instructions for NSS PKI X.509SP	Updated link
11	DoDI 5000.02, Operation of the Defense Acquisition System	Updated link
12	DoD CIO Memo Interim Guidance on Networthiness of IT Connected to DoD Networks	Updated link
13	NSSMOA between DoD CIO and ODNI CIO Establishing Net-Centric Software Licensing Agreements	Updated link
14	Title 44 – Federal Information Security Mgt Act, (§3541 et seq)	Updated link
15	NSTISSI-4002 Classification Guide for COMSEC Information	Removed to make room for new E.O. 13691 (the NSTISSI-4002 did not have a public-facing link anyway)
16	Security Technical Implementation Guides (STIGs)	Updated link
17	About this chart box	Updated the text

Subscribe to the Digest

Start a New Technical Inquiry