DoDI 5000.90 – Cybersecurity For Acquisition Decision Authorities And Program Managers

327 Solutions Ribbon

Purpose: In accordance with the authority in DoD Directive (DoDD) 5135.02, this issuance
establishes policy, assigns responsibilities, and prescribes procedures for the management of
cybersecurity risk by program decision authorities and program managers (PMs) in the DoD
acquisition processes, compliant with the requirements of DoDD 5000.01, DoD Instruction
(DoDI) 5000.02T, DoDI 8510.01, and Chairman of the Joint Chiefs of Staff Instruction 5123.01H.

Supply Chain Risk Management (SCRM) and cybersecurity management are “Front and Center” for the US Federal Government. The DoD has been actively working to address deficiencies in the cybersecurity of its Defense Industry Base (DIB) using Defense Federal Acquisition Regulation Supplement (DFARS) and applying the Risk Management Framework (RMF). On the 31st of December 2020, the DoD released a necessary Instruction DoDI 5000.90 “Cybersecurity for Acquisition Decision Authorities and Program Managers,” establishing policy, prescribing procedures, and management of cybersecurity risk by program Decision Authorities (DA) and Program Managers (PM) in the DoD acquisition process. For those organizations who contract with the DoD, this is a critical instruction. It sets out the foundations for cybersecurity risk-based decision making within the Defense Acquisition System (DAS), utilizing the RMF, which includes an SCRM policy requirement for program managers. It will significantly affect the relationship between DoD, DIB contractors, and subcontractors.

#SCRM #SupplyChainRiskManagement #DefenseIndustrialBase #DefenseProcurement #CyberRiskManagement #500090 #SupplyChainSecurity #DefenseIndustry #FederalAcquisition #fisma