CJCSI 6510.01F
9 February 2011
A-3 Enclosure A
technology (IT) assets.
c. All IA and IA-enabled government-off-the-shelf (GOTS) and commercial-
off-the-shelf (COTS) hardware, firmware, and software components must be
acquired, evaluated, installed, and configured IAW National Security
Telecommunications and Information Systems Security Policy (NSTISSP) No.
11, “National Policy Governing the Acquisition of Information Assurance (IA)
and IA-Enabled Information Technology (IT) Products” (reference l). Acquire
documentation including initial configuration, user guides, and maintenance
manuals along with the products.
d. Public domain software products, other software products with limited or
no warranty (i.e., freeware or shareware), and Peer-to-Peer (P2P) file sharing
software shall only be used after a risk assessment has been conducted,
recommendations have been provided to the Senior Information Assurance
Officer (SIAO), and use has been authorized by the CC/S/A Headquarters-level
Authorizing Official (i.e., DAA).
e. Mobile code technologies (e.g., Java Virtual Machine, Java compiler, .NET
Common Language Runtime, Windows Scripting Host, and Hypertext Markup
Language (HTML) Application Host) shall be categorized, evaluated, and
controlled to reduce the vulnerability and risk to DOD ISs IAW DODI 8552.01,
“Use of Mobile Code Technologies in DoD Information Systems” (reference m).
6. Portable Electronic Devices (PEDs) and Removable Media
a. Government-owned PEDs (e.g., laptop computers, personal digital
assistants (PDAs), Blackberrys, and cell phones) including removable media
(e.g., diskettes, compact disks (CDs), external hard drives, flash media, and
universal serial bus (USB) “thumb drives”) shall be properly accounted for as
required, properly marked, properly transported, and secured at all times to
the highest level of classified information processed.
b. PEDs including removable media shall be secured with approved security
applications and data-at-rest solutions IAW DOD CIO memorandum,
“Encryption of Sensitive Unclassified Data at Rest on Mobile Computing
Devices and Removable Storage Media” (reference n).
c. Use of removable media to transfer data between different security
domains (e.g., unclassified to classified) will be limited to the execution of
specific mission tasks IAW DOD warning and tactical directives/orders and will
be prohibited when used simply for convenience IAW CNSSP 26, “National
Policy on Reducing the Risk of Removable Media” (reference o). Removable
media used to transfer data to or from classified ISs will be employed only to
ensure that CC/S/A mission tasks are not precluded or significantly impacted