DEFENSE SECURITY COOPERATION AGENCY
MEMORANDUM FOR:
DEPUTY UNDER SECRETARY OF THE AIR FORCE FOR INTERNATIONAL AFFAIRS
DEPUTY ASSISTANT SECRETARY OF THE ARMY FOR DEFENSE EXPORTS AND COOPERATION
DEPUTY ASSISTANT SECRETARY OF THE NAVY FOR INTERNATIONAL PROGRAMS
DIRECTOR, DEFENSE CONTRACT MANAGEMENT AGENCY
DIRECTOR FOR SECURITY ASSISTANCE, DEFENSE FINANCE AND ACCOUNTING SERVICE - INDIANAPOLIS OPERATIONS
DIRECTOR, DEFENSE INFORMATION SYSTEMS AGENCY
DIRECTOR, DEFENSE LOGISTICS AGENCY
DIRECTOR, DEFENSE LOGISTICS INFORMATION SERVICE
DIRECTOR, DEFENSE LOGISTICS AGENCY DISPOSITION SERVICES
DIRECTOR, DEFENSE THREAT REDUCTION AGENCY
DIRECTOR, MISSILE DEFENSE AGENCY
DIRECTOR, NATIONAL GEOSPATIAL-INTELLIGENCE AGENCY
DEPUTY DIRECTOR FOR INFORMATION ASSURANCE, NATIONAL SECURITY AGENCY
Policy Change to Identify Missile Defense Agency as the Implementing Agency for stand-alone Cross Domain Solution FMS Cases, DSCA Policy 19-13 [SAMM E-Change 423]
- DSCA Manual 5105.38-M, Security Assistance Management Manual (SAMM), Chapter 5, Table 2 (C5.T2.)
This memorandum updates Figure C5.T2. of the Security Assistance Management Manual (SAMM) to provide additional guidance on developing Letters of Offer and Acceptance (LOAs) that include the transfer of stand-alone Cross Domain Solution (CDS) devices and support. Such CDS devices are intended to protect U.S. Classified Military Information (CMI) that will exist on partner nations' network architectures as a result of a transfer of U.S. sensors or weapons systems to a Foreign Military Sales (FMS) partner.
This memorandum revises Figure C5.T2. to designate the Missile Defense Agency (MDA) as the Implementing Agency (IA) responsible for stand-alone FMS Cross Domain Solutions. LORs that request only FMS CDS devices or FMS CDS capabilities will be processed by MDA. MDA has, and will maintain, a list of certified FMS CDS devices available to FMS customers.
For LORs that request integration of an FMS CDS device into an IA Program of Record, the associated U.S. Military Department may serve as the primary IA. In such cases, the IA will coordinate with MDA to determine if there is a need to include MDA line(s) on a multi-service LOA, and to determine if there is a certified FMS CDS device available to meet system requirements. If a certified FMS CDS device is not technically capable of meeting system requirements, the IA will coordinate with MDA and the National Security Agency's (NSA) National Cross Domain Strategy and Management Office (NCDSMO) to ensure a device is developed in accordance with current cybersecurity standards. The IA will be responsible for verifying that the newly developed CDS has been cleared for release to the partner.
A CDS is a means of information assurance that provides the ability to manually or automatically access or transfer information between two or more differing security domains. CDS devices are integrated systems of hardware and software that enable the transfer of information among otherwise incompatible security domains or levels of classification. They also allow the DoD to transfer classified and unclassified information from U.S. Government networks to partner networks by filtering unauthorized messages and malicious files, and they protect both U.S. and FMS customer systems, networks, and data.
NSD-42, CNSSP No. 8, and DoDI 8510.01 require that CDS devices protect the data produced by U.S. systems when they are connected to other non-USG networks in conjunction with the application of appropriate Risk Management Framework (RMF) security controls. Because CDS devices available to FMS partners contain sensitive technology, their transfer requires approval from NCDSMO prior to the U.S. Government offering the solutions to the FMS partner. Consistent with the authorities listed above, the NCDSMO is also responsible for defining the security requirements for all CDS transferred via FMS, overseeing the security testing of FMS CDS in NCDSMO designated labs, and, in conjunction with the Committee on National Security Systems (CNSS), authorizing the release of CDS technology to foreign nations and organizations.
To request a CDS via FMS, the COCOMs should identify specific interoperability requirements with the foreign partner and notify the Joint Staff/J6 and MDA. In accordance with CJCSI 6211.02D, Defense Information Systems Network (DISN) Responsibilities, and DoDI 8510.01, RMF for DoD Information Technology (IT), formal approval for the connection of a CDS to a foreign partner network will depend on approval by the Defense Security/Cybersecurity Authorization Working Group (DSAWG) and the DoD Information Security Risk Management Committee (ISRMC) of the RMF package provided by the CCMD.
For questions regarding establishing MDA as the lead IA responsible for stand-alone CDS devices for FMS cases, please contact DSCA (DSA/WPNS C4I International Programs), Mr. Chris King, at (703) 697-9963 or e-mail: firstname.lastname@example.org. For questions concerning processing stand-alone CDS devices on FMS cases, please contact the Missile Defense Agency, MDA/DIF, at e-mail: email@example.com. For questions relating to the SAMM, please contact DSCA-STR/SPI, Mr. Mike Slack, Strategic Planning and Integration Division, at (703) 697-9058 or e-mail: firstname.lastname@example.org. Implementing Agencies should disseminate this policy to supporting activities.
Gregory M. Kausner
USCG International Affairs (G-CI)
SECURITY ASSISTANCE MANAGEMENT MANUAL (SAMM), E-CHANGE 400
Revise C5.T2 as follows:
Missile Defense Agency (MDA)
Action address for all LORs
MDA LOR Inbox