Department of Defense Instruction 8500.2 “Information Assurance (IA) Implementation:” A retrospective

Abstract

From the time of its publication on February 6, 2003, the Department of Defense Instruction 8500.2 “Information Assurance (IA) Implementation” (DoDI 8500.2) has provided the definitions and controls that form the basis for IA across the DoD. This is the document to which compliance has been mandatory. For over 9 years, as the world of computer security has swirled through revision after revision and upgrade after upgrade, moving, for example, from DITSCAP to DIACAP, this instruction has remained unrevised, in its original form. As this venerable instruction now nears end of life it is appropriate that we step back and consider what we have learned from it and what its place is in context. In this paper we first review the peculiar structure of DoDI 8500.2, including its attachments, its “Subject Areas,” its “baseline IA levels,” its implicit use of type, signatures (full, half, left, and right), and signature patterns, along with span, and class. To provide context and contrast we briefly present three other control sets, namely (1) the DITSCAP checklists that preceded DoDI 8500.2, (2) the up and coming NIST 800-53 that it appears will follow DoDI 8500.2, and (3) Cobit from the commercial world. We then compare the scope of DoDI 8500.2 with those three control sets. The paper concludes with observations concerning DoDI 8500.2 and control sets in general.