Information Assurance (IA) Testing
The test and evaluation of IA requirements is an integral part of the overall Test & Evaluation process. DoD Instruction (DoDI) 5000.2 directs that IA testing be conducted during both Developmental Test and Evaluation (DT&E) and Operational Test and Evaluation (OT&E). Additionally, the DoDI 8500.2 requires testing of the IA Controls as a primary determination for Certification and Accreditation (C&A). The key aspects of IA include availability, integrity, confidentiality, authentication, and non-repudiation.
IA testing shall be conducted on information systems to ensure that planned and implemented security measures satisfy requirements when the system is installed and operated in its intended environment. The level of IA testing depends on the system risk and importance. Systems with the highest importance and risk shall be subject to penetration-type testing. Systems with minimal risk and importance shall be subject to normal National Security Agency security and developmental testing, but shall not be subject to field penetration testing during OT&E.