Project Part 1: United States Compliance Laws

Student Name’

Institution Affiliation

Date

Project Part 1: United States Compliance Laws

Introduction

The Department of Defense (DoD) is in charge of protecting the United States from any potential dangers, and to accomplish this goal, robust IT security regulations and processes are required. The DoD depends on a network of IT service providers to offer the required technological services, and these providers are required to follow stringent security rules, standards, and controls that comply with DoD requirements (U.S. DoD, 2022). As a security expert working at Blue Stripe Tech, it is essential to have a grasp of the compliance rules that apply to the United States Department of Defense to develop security policies that are compliant with DoD standards for the IT infrastructure of the firm.

DOD-specific Requirements

The DoD has strict requirements for information systems and networks which process, store, and transfer confidential data. These requirements are detailed in numerous DoD directives and instructions (U.S DoD, 2019). One such requirement for a firm’s Information Technology (IT) infrastructure is the “Risk Management Framework” (RMF) for DoD IT. This framework offers a methodical and organized approach to the management of hazards connected to the operation and usage of DoD IT (U.S DoD, 2022). It covers all IT the DoD uses, including national security tools, calls for security controls, and constant monitoring. Another DoD-specific requirement for a firm's IT infrastructure is the Department of Defense Information Security Program. This program is responsible for establishing guidelines and processes for the protection of classified and regulated unclassified information within the information systems of the DoD. It comprises standards for the security of personnel, as well as needs for physical security and technology security (Carril & Duggan, 2020). A third requirement is the “Department of Defense Internet Services and Internet-Based Capabilities”. This directive lays out guidelines for how DoD internet services and web-based tools should be used, along with standards for the safety of networks, user authentication, and incident reporting.

U.S. Compliance Laws

Besides the DoD-specific requirements, Blue Stripe Tech is required to abide by any applicable U.S. compliance laws. One pertinent law is the Health Insurance Portability and Accountability Act (HIPAA). This law mandates uniform requirements for protecting electronic medical records and neccesitates covered firms to take administrative, physical, and technological measures to maintain the privacy, safety, and accessibility of this data (Yimam & Fernandez, 2018). In addition, the law requires covered entities to execute these safeguards in accordance with the law. Another law is the Federal Information Security Modernization Act (FISMA). FISMA mandates that all federal agencies create and implement comprehensive information security plans to ensure the privacy, integrity, and accessibility of data and computer systems (Yimam & Fernandez, 2018). The third U.S. compliance law that may affect the firm is the Sarbanes-Oxley Act (SOX). This law mandates that publicly traded corporations implement control mechanisms over their accounting practices to ensure the accuracy and reliability of their accounting records. If a company is traded on a public market and offers information technology services to the Department of Defense, then the company may be required to comply with SOX requirements. Lastly, another U.S. compliance law that may impact the firm is the Defense Federal Acquisition Regulation Supplement (DFARS). The DFARS details the rules contractors must follow when purchasing products and services for the Department of Defense (Yimam & Fernandez, 2018). Information security, data privacy, and logistics are only a few of the many topics addressed by these rules.

Conclusion

In conclusion, to provide information technology services to the AFCSC, Blue Stripe Tech must comply not only with the requirements specific to the DOD but also with compliance laws specific to the United States.

References

Carril, R., & Duggan, M. (2020). The impact of industry consolidation on Government Procurement: Evidence from Department of Defense Contracting. Journal of Public Economics, p. 184, 104141. https://doi.org/10.1016/j.jpubeco.2020.104141

U.S DOD. (2019). Online Information Management and Electronic Messaging. https://www.esd.whs.mil/Portals/54/Documents/FOID/Reading%20Room/Personnel_Related/22-F-0350_DODI_8170.01-_Online_Information_Management_and_Electronic_Messaging_2Jan2019_CH-1_24Aug2021.pdf

U.S DOD. (2022). Risk Management Framework (RMF) for DoD Information Technology (IT) https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/851001p.pdf

Yimam, D., & Fernandez, E. B. (2018). A survey of compliance issues in cloud computing. Journal of Internet Services and Applications, 7(1). https://doi.org/10.1186/s13174-016-0046-8

Security Policy Project

Name

Institution

Course

Instructor

Date

The project will adhere to the following policy frameworks:

The DOD (2020) Data Strategy, which outlines the vision, guiding principles, tools, and objectives for the DoD's use of data. By facilitating data-centric operations and decision-making, it complements both the National Defense Strategy and Digital Modernization.

The DOD (2020) Cybersecurity Policy Chart, which summarizes the range of relevant DoD cybersecurity policies. Detailed information on protecting the DoD Information Network (DoDIN) and its assets is provided in significant legal precedents, federal and national regulations, and operational and subordinate level papers.

The DoD Issuances, which are recognized documents that establish or carry out policy, delegate authority, and specify practices for the DoD. They comprise administrative instructions, manuals, publications, directive-type memoranda, and directives.

The DoD-compliant guidelines, requirements, and controls that apply to the LAN, LAN-to-WAN, and User domains are as follows:

User Domain: Users who access IT systems and data are under the purview of this domain. This domain is impacted by the following policies, standards, and controls: – DoDI 8500.01, which outlines cybersecurity policy for the DoDIN and its assets.

· DoDI 8510.01, which lays out the Risk Management Framework (RMF) for evaluating and approving IT systems in the DoD.

· DoDI 8520.02, which outlines the DoD's strategy for “public key infrastructure (PKI) and public key enabling (PKE).”

· DoDI 8530.01, which outlines guidelines for the DoD's exchange of cyberthreat information.

· DoDI 8570.01, which defines policy for individuals performing cybersecurity activities in the DoD and for the certification, management, and management of such personnel.

Workstation Domain account for the devices that users use to access IT systems and data are within the workstation domain. The following policies, standards, and regulations apply to this domain:

· DoDI 8100.04, which defines guidelines for the DoD's IT systems' spectrum supportability.

· DoDI 8320.02, which defines rules for data sharing in a DoD that is centered on the internet.

· CNSSI 1253, which offers national security systems (NSS) recommendations on security classification and control choices.

· NIST SP 800-53, which offers recommendations for security and privacy controls for federal information systems and organizations.

LAN Domain: This domain includes the local area network (LAN) that links the devices and IT systems inside a building or location. The laws, regulations, and checks that apply to this realm are as follows:

· CJCSI 6211.02E, which defines the Defense Information System Network's (DISN) policies and roles.

· CJCSI 6510.01G, which defines the DoD's policies and roles for “information assurance (IA) and computer network defense (CND)”.

· CJCSM 6510.01B, which outlines the DoD's policies for handling cyber incidents.

· “NIST SP 800-82, which offers recommendations for protecting industrial control systems (ICS).”

LAN-to-WAN Domain: This domain includes the wide area network (WAN), which links IT systems and equipment at various locations or facilities. The laws, regulations, and checks that apply to this realm are as follows:

· DODI 8551.01, which defines guidelines and accountability for the DoDIN's management of ports, protocols, and services (PPSM).

· DODI 8552.01, which defines the DoD's policy and obligations for cloud computing services.

· DODI 8582.01, which specifies guidelines and accountability for the protection of unclassified DoD data on non-DoD information systems.

References

DOD. (2020). DOD Rules and Guidance Documents. Www.defense.gov. https://www.defense.gov/Resources/DOD-Rules-and-Guidance-Documents/

Sherman, J. (n.d.). DOD INSTRUCTION 8510.01 RISK MANAGEMENT FRAMEWORK FOR DOD SYSTEMS. https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/851001p.pdf?ver=2019-02-

WHS. (2017). Directives Division. Whs.mil. https://www.esd.whs.mil/DD/

WHS. (2023). DoD Issuances Home. Www.esd.whs.mil. https://www.esd.whs.mil/DD/DoD-Issuances/