Project Part 1: U.S. Compliance Laws Research
Submit a draft of your research of DoD-specific requirements for an organization’s IT infrastructure and U.S. compliance laws that may affect the firm.
Project Part 2: Infrastructure Research A
Submit a draft of
(1) which policy framework(s) will be followed for the project and
(2) DoD-compliant policies, standards, and controls that affect the User, Workstation, LAN, and LAN-to-WAN Domains.
Project Part 3: Infrastructure Research B
Submit a bulleted list of DoD-compliant policies, standards, and controls that affect the WAN, Remote Access, and System/Application Domains.
Final Report: Submit the final report of your class project.
Running head: UNITED STATES COMPLIANCE LAWS
Project Part 1: United States Compliance Laws
The Department of Defense (DoD) is responsible for protecting the United States from potential threats, and accomplishing this mission requires robust IT security policies and processes. The DoD depends on a network of IT service providers for the technology services it needs, and those providers must follow the stringent security policies, standards, and controls that DoD requirements impose (U.S. DoD, 2022). As a security professional at Blue Stripe Tech, understanding the compliance rules that apply to the DoD is essential in order to develop security policies for the firm’s IT infrastructure that meet DoD standards.
The DoD has strict requirements for information systems and networks that process, store, and transmit sensitive data. These requirements are detailed in numerous DoD directives and instructions (U.S. DoD, 2019). One such requirement for a firm’s IT infrastructure is the Risk Management Framework (RMF) for DoD IT. The RMF provides a structured, repeatable approach to managing the risks associated with operating and using DoD IT (U.S. DoD, 2022). It applies to all IT the DoD uses, including national security systems, and it requires the selection and implementation of security controls followed by continuous monitoring. A second DoD-specific requirement is the DoD Information Security Program, which establishes the guidelines and processes for protecting classified and controlled unclassified information within DoD information systems. It includes personnel security requirements as well as physical and technical security requirements (Carril & Duggan, 2020). A third requirement is the directive on DoD Internet Services and Internet-Based Capabilities, which sets the rules for how DoD internet services and web-based capabilities may be used, along with requirements for network security, user authentication, and incident reporting.
U.S. Compliance Laws
Besides the DoD-specific requirements, Blue Stripe Tech must abide by any applicable U.S. compliance laws. One pertinent law is the Health Insurance Portability and Accountability Act (HIPAA). HIPAA sets uniform requirements for protecting electronic health records and requires covered entities to implement administrative, physical, and technical safeguards that preserve the confidentiality, integrity, and availability of that data (Yimam & Fernandez, 2018). Another law is the Federal Information Security Modernization Act (FISMA). FISMA requires every federal agency to develop and implement an agency-wide information security program that protects the confidentiality, integrity, and availability of its data and information systems (Yimam & Fernandez, 2018); contractors that operate systems on an agency’s behalf inherit those obligations. The third U.S. compliance law that may affect the firm is the Sarbanes-Oxley Act (SOX). SOX requires publicly traded corporations to implement internal controls over financial reporting so that their accounting records are accurate and reliable. If Blue Stripe Tech is publicly traded and provides IT services to the DoD, it may therefore be subject to SOX. Lastly, the Defense Federal Acquisition Regulation Supplement (DFARS) may also affect the firm. DFARS supplements the Federal Acquisition Regulation with the rules that govern DoD acquisitions and the contract clauses flowed down to DoD contractors (Yimam & Fernandez, 2018); its safeguarding clause, DFARS 252.204-7012, requires contractors that handle covered defense information to implement the NIST SP 800-171 controls and to report cyber incidents. Information security, data privacy, and logistics are only a few of the many topics these rules address.
In conclusion, to provide IT services to the AFCSC, Blue Stripe Tech must comply not only with the requirements specific to the DoD but also with the applicable U.S. compliance laws.
Carril, R., & Duggan, M. (2020). The impact of industry consolidation on government procurement: Evidence from Department of Defense contracting. Journal of Public Economics, 184, 104141. https://doi.org/10.1016/j.jpubeco.2020.104141
U.S. DoD. (2019). DoDI 8170.01, Online Information Management and Electronic Messaging. https://www.esd.whs.mil/Portals/54/Documents/FOID/Reading%20Room/Personnel_Related/22-F-0350_DODI_8170.01-_Online_Information_Management_and_Electronic_Messaging_2Jan2019_CH-1_24Aug2021.pdf
U.S. DoD. (2022). DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT). https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/851001p.pdf
Yimam, D., & Fernandez, E. B. (2018). A survey of compliance issues in cloud computing. Journal of Internet Services and Applications, 7(1). https://doi.org/10.1186/s13174-016-0046-8
Security Policy Project
The project will adhere to the following policy frameworks:
· The DoD (2020) Data Strategy, which sets out the vision, guiding principles, essential capabilities, and goals for the DoD’s use of data. By enabling data-centric operations and decision-making, it supports both the National Defense Strategy and Digital Modernization.
· The DoD (2020) Cybersecurity Policy Chart, which summarizes the full range of applicable DoD cybersecurity policies. It maps the legal authorities, federal and national regulations, and operational and subordinate-level documents that govern protection of the DoD Information Network (DoDIN) and its assets.
· The DoD Issuances, which are the authoritative documents that establish or implement policy, delegate authority, and assign responsibilities within the DoD. They include directives, instructions, manuals, publications, administrative instructions, and directive-type memoranda.
The DoD-compliant policies, standards, and controls that apply to the User, Workstation, LAN, and LAN-to-WAN Domains are as follows:
User Domain: This domain covers the people who access IT systems and data. The following policies, standards, and controls apply to it:
· DoDI 8500.01, which establishes cybersecurity policy for the DoDIN and its assets.
· DoDI 8510.01, which lays out the Risk Management Framework (RMF) for evaluating and approving IT systems in the DoD.
· DoDI 8520.02, which outlines the DoD's strategy for “public key infrastructure (PKI) and public key enabling (PKE).”
· DoDI 8530.01, which outlines guidelines for the DoD's exchange of cyberthreat information.
· DoDI 8570.01, which defines policy for the certification and management of personnel who perform cybersecurity functions in the DoD.
Workstation Domain: This domain covers the devices that users employ to access IT systems and data. The following policies, standards, and controls apply to it:
· DoDI 8100.04, which defines policy for the spectrum supportability of DoD IT systems.
· DoDI 8320.02, which defines policy for sharing data, information, and IT services across the net-centric DoD.
· CNSSI 1253, which provides security categorization and control selection guidance for national security systems (NSS).
· NIST SP 800-53, which provides the catalog of security and privacy controls for federal information systems and organizations.
LAN Domain: This domain covers the local area network (LAN) that connects the devices and IT systems within a building or site. The following policies, standards, and controls apply to it:
· CJCSI 6211.02E, which defines the Defense Information System Network's (DISN) policies and roles.
· CJCSI 6510.01G, which defines the DoD’s policy and responsibilities for information assurance (IA) and computer network defense (CND).
· CJCSM 6510.01B, which sets out the DoD’s procedures for cyber incident handling.
· NIST SP 800-82, which provides guidance for securing industrial control systems (ICS).
LAN-to-WAN Domain: This domain covers the boundary where the LAN connects to the wide area network (WAN), including the perimeter routers, firewalls, and proxies through which IT systems at different locations or facilities communicate. The following policies, standards, and controls apply to it:
· DoDI 8551.01, which defines policy and responsibilities for ports, protocols, and services management (PPSM) on the DoDIN.
· DoDI 8552.01, which defines the DoD’s policy and responsibilities for cloud computing services.
· DoDI 8582.01, which defines policy and responsibilities for the security of unclassified DoD information on non-DoD information systems.
DoD. (2020). DoD Rules and Guidance Documents. www.defense.gov. https://www.defense.gov/Resources/DOD-Rules-and-Guidance-Documents/
Sherman, J. (n.d.). DoD Instruction 8510.01, Risk Management Framework for DoD Systems. https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/851001p.pdf?ver=2019-02-
WHS. (2017). Directives Division. whs.mil. https://www.esd.whs.mil/DD/
WHS. (2023). DoD Issuances Home. www.esd.whs.mil. https://www.esd.whs.mil/DD/DoD-Issuances/
Running head: DOD
DoD Compliant Policies
· The DoD maintains a recognized body of practices, policies, and procedures for logical access control. These cover multifactor authentication, software license and inventory management, monitoring and threat detection, and the information security requirements imposed on third-party service providers.
· DoD Instruction 5200.01 – establishes the DoD Information Security Program and provides the high-level framework for implementing DoD policy on the protection of classified national security information (Bennett et al., 2019).
· The DoD’s logical access policies require multifactor authentication. To gain logical access, users must verify their identity with a personal identification number (PIN), a Common Access Card (CAC), biometric data, or a security token.
· DoD Instruction 8580.02 – Security of Individually Identifiable Health Information in DoD Health Care Programs (August 12, 2015). It permits users to access electronic protected health information only on a need-to-know basis, and it requires users to hold the appropriate clearance before they are granted access to protected health information.
· DoD Instruction 8582.01 – Security of Unclassified DoD Information on Non-DoD Information Systems (June 6, 2012). It requires unclassified DoD information held or controlled by non-DoD entities to be protected by physical or electronic barriers, such as logical access controls that authenticate users.
· DoD Instruction 8500.01 – requires DoD systems to implement the security controls developed by the National Institute of Standards and Technology (NIST).
· DOD-UIS-00143, Version 1.1 – the National Industrial Security Program (NISP) Enterprise Wide Area Network (eWAN), a concept that allows NISP participants to design and build an enterprise WAN that operates under a single Authorization to Operate while continuing to maintain their NISP systems (Bergquist, 2020). Cleared industry firms that wish to design and build a NISP eWAN must meet the adopted eligibility criteria for owning and operating the eWAN. Once eligibility is established, the organization submits an eWAN proposal to the NISP authorizing office, the Defense Security Service.
Bennett, G., Forsythe, B., Kelleher, S., & Barborak, G. (2019). Air Force Remote Special Testing and Data Management System Implementation Plan. BAM Technologies.
Bergquist, C. A. (2020). Contract Data Requirements List (CDRL) Best Practices. Defense Acquisition University.