C

SCRM Policy, Guidance, and Standards

The current influential policies, guidance, and standards that supply chain risk management (SCRM) practitioners will need to comply and implement program protections within the Department of Defense (DoD) and U.S. Air Force (USAF) acquisition life cycle are listed below by organization, including the Air Force Life Cycle Management Center(AFLCMC), the Air Force Life Cycle Management Center’s Cryptologic and Cyber Systems Division (AFLCMC/HNC), the Trusted Systems Network (TSN)—DoD(CIO) Working Group, the National Institute of Standards and Technology (NIST), the Committee on National Security Systems (CNSS), and the Intelligence Community.

AIR FORCE LIFE CYCLE MANAGEMENT CENTER—CRYPTOLOGIC AND CYBER SYSTEMS DIVISION (AFLCMC/HNC)

1. HNC OI 63-1201, HNC Engineering Processes and Roles, 10 August 2016.
2. HNC OI 63-102, HNC Lifecycle Supply Chain Risk Management (SCRM), 20 July 2018.
3. HNC 63-510, Deficiency Reporting Investigation and Resolution, 30 June 2016.
4. GM 2017-101, Risk Management Framework Information Technology, 13 November 2017.

AIR FORCE LIFE CYCLE MANAGEMENT CENTER (AFLCMC)

The following are/will be recent releases:

1. AFLCMC CPI/CC Identification, pending release.
2. AFLCMC (Anti-Tamper Guide), pending release.
3. AFLCMC (TSN Center of Excellence CONOPS), pending release.
4. AFLCMC Standard Process, Program Protection Planning and System Security Engineering, v. 1.0, AFLCMC/EZSP/EZSI, 16 November 2017.
5. AFLCMC Standard Process, Life Cycle Sustainment Plans, AFLCMC/LG-LZ, 1 October 2017.
6. AFLCMC Standard Process, Risk and Issue Management (RIM) in Acquisition Programs, AFLCMC/AZE, 17 November 2017.
7. AFLCMC Standard Process, Cybersecurity Assessment and Authorization, AFLCMC/EZA/EZB/EZC, 21 June 2018.
8. AFLCMC Internal Process Guide, Weapon System Supply Chain Risk Management (WS SCRM), version 1.0, AFLCMC/LG-LZ, 30 November 2016.

U.S. AIR FORCE

1. AFI 63-101/20-101, Integrated Life Cycle Management, 9 May 2017.
2. AFMCI 63-1201, Implementing Operational Safety Suitability and Effectiveness (OSS&E) and Life Cycle Systems Engineering (LCSE), 28 March 2017.
3. AFPAM 63-113, Program Protection Planning for Life Cycle Management, 17 October 2013.
4. AFPAM 63-128, Integrated Life Cycle Management, 10 July 2014.
5. AFPD 63-1/20-1, Integrated Life Cycle Management, 3 June 2016.
6. AFI 90-901, Operational Risk Management, as amended, 1 April 2000.
7. AFGM2018-63-146-01, Air Force Guidance Memorandum for Rapid Acquisition Activities, 13 June 2018.

DEPARTMENT OF DEFENSE

1. Deputy Assistant Secretary of Defense Systems Engineering (DASD/SE), Program Protection Plan (PPP) Outline and Guidance, version 1.0, July 2011. [Version 2, in process.]
2. DoD Guide, Key Practices and Implementation Guide for the DoD Comprehensive National Cybersecurity Initiative 11 (CNCI) Supply Chain Risk Management (SCRM) Pilot Program, 25 February 2010.

3. DoD Guide, Risk Management Guide for DoD Acquisition, Sixth Edition, Version 1.0, August 2006.
4. DoD 5220.22-M, National Industrial Security Program Operating Manual (NISPOM), 18 May 2016.
5. DoDD 5200.47E, Anti-Tamper (AT), Change 1, 28 August 2017.
6. DoDD 5240.02, Counterintelligence (CI), 17 March 2015.
7. DoDI 4140.01, DoD Supply Chain Materiel Management Policy, 14 September 2017.
8. DoDI 4140.67, DoD Counterfeit Prevention Policy, 25 October 2017.
9. DoDI 5000.02, Operation of the Defense Acquisition System, 10 August 2017. [Especially Enclosure 14 Item 3.b. (7).]
10. DoDI 5200.39, Critical Program Information (CPI) Protection Within Research, Development, Test, and Evaluation (RDT&E), 17 November 2017.
11. DoDI 5200.44, Protection of Mission-Critical Functions to Achieve Trusted Systems and Networks, 27 July 2017.
12. DoDI O-5240.24, Counterintelligence (CI) Activities Supporting Research, Development, and Acquisition (RDA), 15 October 2013.
13. DoDI 8320.04, Item Unique Identification (IUID) Standards for Tangible Personal Property, 14 November 2017.
14. DoDI 8500.01, Cybersecurity, 14 March 2014.
15. DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), 12 March 2014.
16. DoDI 8581.01, Cybersecurity for Space Systems Used by the DoD, in review 2018.
17. DoDM 5240.01, Procedures Governing the Conduct of DoD Intelligence Activities, 8 August 2016. [Defines U.S. Person and USPI.]
18. Principle Deputy Under Secretary of Defense for Acquisition, Technology, and Logistics, Memorandum, Document Streamlining—Program Protection Plan (PPP), 18 July 2011.
19. DASD/SE, DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs, January 2017.
20. Defense Acquisition Guide (DAG), Chapter 3, Systems Engineering, current release.
21. DAG, Chapter 7, Intelligence Support and Acquisition, current release.
22. DAG, Chapter 9, Program Protection, current release.
23. Defense Standardization Program Office, SD-22, Diminishing Manufacturing Sources and Material Shortages, A Guidebook of Best Practices for Implementing a Robust DMSMS Management Program, January 2016.
24. JCIDS, Manual for the Joint Capabilities Integration and Development System (JCIDS), 12 February 2015, including errata as of 18 December 2015. [P. F-I-8, Appendix I, Item e. Threat Assessment item 2 c (2) (d).]

25. MIL-HDBK-1785, Systems Security Engineering Program Management Requirements, notice of validation for use in acquisition, 22 April 2014. [Reactivated from 1 August 1995.]
26. Risk Management Framework (RMF) guidance, located at https://rmfks.osd.mil.

TRUSTED SYSTEMS NETWORK GUIDANCE—DOD(CIO) WORKING GROUP

1. DASD/SE, Trusted Systems and Networks (TSN) Analysis, June 2014.
2. Trusted Systems and Networks (TSN) Information and Communications Technology (ICT) Risk Mitigation Guidebook (RMG), Version 2.0, February 2014.
3. DASD/SE, Suggested Language to Incorporate System Security Engineering for Trusted Systems and Networks (TSN) into Department of Defense Requests for Proposals, January 2014.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

1. NIST SP800-30r1, Guide for Conducting Risk Assessments, September 2012.
2. NIST SP800-37r1, Risk Management Framework for Information Systems and Organizations, June 10, 2014. [Rev. 2 INITIAL DRAFT released May 2018.]
3. NIST SP800-39, Managing Information Security Risk: Organization, Mission, and Information System View, 1 March 2011.
4. NIST SP800-53r4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013.
5. NIST SP800-53r5, Initial Public Draft, Security and Privacy Controls for Federal Information Systems and Organizations, 15 August 2017.
6. NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, September 2011.
7. NIST SP 800-60, Volume I, Guide for Mapping Types of Information and Types of Information Systems to Security Categories, August 2008.
8. NIST SP 800-60, Volume II, Appendices to Guide for Mapping Types of Information and Types of Information Systems to Security Categories, August 2008.
9. NIST SP800-160, Systems Security Engineering, November 2016.
10. NIST SP800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, April 2015.
11. NIST, Framework for Improving Critical Infrastructure Cybersecurity, version 1.1, Draft 2, 5 December 2017.

12. NIST Interagency Report (IR) 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems, October 2012.

COMMITTEE ON NATIONAL SECURITY SYSTEMS

1. CNSSD 505, Supply Chain Risk Management, 26 July 2017.
2. CNSSI No. 1253, Security Categorization and Control Selection for National Security Systems, 27 March 2014.
3. CNSSI No. 1254, Risk Management Framework Documentation, Data Element Standards, and Reciprocity Process for National Security Systems, August 2016.
4. CNSSI No. 4009, Glossary, 6 April 2015.
5. CNSSP 22, Cybersecurity Risk Management, August 2016.

INTELLIGENCE COMMUNITY

1. Intelligence Community Directive (ICD) 731, Supply Chain Risk Management, 7 December 2013.
2. Intelligence Community Standard (ICS) 731, Supply Chain Criticality Assessments, 2 October 2015.
3. ICS 731-02, Supply Chain Threat Assessments, 17 May 2016.
4. ICS 731-03, Supply Chain Information Sharing, 29 June 2017.