Information Assurance (IA) Controls
DoD 8500.2, Enclosure 3, establishes fundamental IA requirements for DoD Information Systems in the form of two sets of graded baseline IA Controls. The baseline sets of IA controls are pre-defined based on the determination of the Mission Assurance Category (MAC) and Confidentiality Levels. IA Controls addressing availability and integrity requirements are tied to the system's MAC based on the importance of the information to the mission, particularly the warfighters' combat mission. IA Controls addressing confidentiality requirements are based on the sensitivity or classification of the information.
The set of IA Controls applicable to any given DoD information system is always a combination of the IA Controls for its Mission Assurance Category and the IA Controls for its Confidentiality Level.
These baseline IA levels are achieved by applying the specified set of IA Controls in a comprehensive IA program that includes acquisition, proper security engineering, connection management, and IA administration.
An IA Control describes an objective IA condition achieved through the application of specific safeguards or through the regulation of specific activities. The objective condition is testable, compliance is measurable, and the activities required to achieve the IA Control are assignable and thus accountable.
An IA Control is comprised of the following:
- Control Subject Area: One of eight groups indicating the major subject or focus area to which an individual IA Control is assigned
- Control Name: A brief title phrase that describes the individual IA Control
- Control Text: One or more sentences that describe the IA condition or state that the IA Control is intended to achieve
- Control Number: A unique identifier comprised of four letters, a dash, and a number. The first two letters are an abbreviation for the subject area name and the second two letters are an abbreviation for the individual IA Control Name.