BY ORDER OF THE SECRETARY AIR FORCE POLICY DIRECTIVE …

1 BY ORDER OF THE SECRETARY OF THE AIR FORCE AIR FORCE POLICY DIRECTIVE 17-1 12 APRIL 2016 cyberspace information dominance governance AND MANAGEMENT COMPLIANCE WITH THIS PUBLICATION IS MANDATORY ACCESSIBILITY: Publications and forms are available on the e-Publishing website at for downloading or ordering RELEASABILITY: There are no releasability restrictions on this publication OPR: SAF/CIO A6SS Supersedes: AFPD 33-2, 3 August 2011; AFPD 33-4, 17 January 2013; AFPD 33-5, 11 January 2013 Certified by: SAF/CIO A6 (Lt Gen William J. Bender) Pages: 15 This Air FORCE (AF) POLICY DIRECTIVE (PD) establishes AF POLICY for the governance and management of activities to achieve information dominance under the direction of the Chief of information dominance and Chief information Officer (SAF/CIO A6). information dominance is defined as the operational advantage gained from the ability to collect, control, exploit, and defend information to optimize decision making and maximize warfighting effects.

2 This DIRECTIVE implements: Office of Management and Budget (OMB) Circular A-11, Preparation, Submission, and Execution of the Budget; OMB Circular A-130, Management of Federal information Resources; OMB Memorandum M-11-29, Chief information Officer Authorities; Department of Defense (DoD) DIRECTIVE (DoDD) , DoD Command and Control (C2) Enabling Capabilities; DoDD , Capability Portfolio Management; DoDD , Management of the Department of Defense information Enterprise. DoDD information Technology Portfolio Management; DoDD , Single Agency Manager (SAM) for Pentagon information Technology Services (ITS); DoDD , Department of Defense Biometrics; , cyberspace Workforce Management; DoD Instruction (DoDI) , Senior Leader Secure Communications Modernization (SLSCM); DoDI , Encryption of Imagery Transmitted by Airborne Systems and Unmanned Aircraft Control Communications; DoDI , Defense and National Leadership Command Capability (DNLCC) governance ; DoDI , Access to Classified Cryptographic information ; DoDI , Defense Industrial Base (DIB) Cyber Security/ information Assurance (CS/IA) Activities; DoDI information Technology Portfolio Management Implementation; DoDI , information Technology Standards in the DoD; DoDI , Electromagnetic Spectrum Data 2 AFPD 17-1 12 APRIL 2016 Sharing.

3 DoDI , Interoperability of information Technology (IT) and National Security Systems (NSS); DoDI , Risk Management Framework (RMF) for DoD information Technology (IT). This DIRECTIVE is consistent with: Subtitle III of Title 40 of the Clinger-Cohen Act (CCA) of 1996, National Defense Authorization Act (NDAA) 2005 2222, NDAA 2009 (PL110-417) 908, NDAA 2010 1072, NDAA 2010 804, NDAA 2012 901 and NDAA 2015; Federal information Security Management Act (FISMA), 44 USC Chap 35, Subchap II; Title 10, USC, Section 2223(b) information Technology: Additional Responsibilities of Chief information Officers of Military Department, 2007; DoDD , The Defense Acquisition System; DoDD , DoD Chief information Officer (DoD CIO); DoDI , Operation of the Defense Acquisition System; DoDI , Protection of Mission Critical Functions to Achieve Trusted Systems and Networks; CJCSI , Military Command, Control, Communications, and Computers Executive Board; and CJCSI , Charter of the Joint Requirements Oversight Council.

4 This DIRECTIVE applies to all military and civilian AF personnel, members of the AF Reserve, Air National Guard, and individuals or organizations authorized by an appropriate government official to manage any portion of the AF information Network (AFIN). It applies to all information , information systems (IS), and cyberspace and information technology (IT) infrastructure within AF purview. Comments and recommended changes regarding this publication should be sent through appropriate channels using AF Form 847, Recommendation for Change of Publication, to the office of primary responsibility (OPR), SAF/A6SS, Ensure that all records created as a result of processes prescribed in this publication are maintained in accordance with AF Manual (AFMAN) 33-363, Management of Records, and disposed of in accordance with AF Records Disposition Schedule (RDS) located in the AF Records information Management System (AFRIMS).

5 SUMMARY OF CHANGES This AFPD, published along with AFPD 17-2, supersedes AFPD 33-4, AFPD 33-5, and those portions of AFPD 33-2 not superseded by AFPD 17-2. This DIRECTIVE aligns and consolidates policies on cyberspace and IT management with current AF doctrine, statutory, and regulatory guidelines. 1. Overview. This DIRECTIVE establishes the AF POLICY for information dominance governance and management to provide a process for the SAF/CIO A6 to fulfill the duties of the AF CIO established in federal laws and DoD issuances. This DIRECTIVE provides a means by which the AF will cross-functionally align cyberspace programs and capabilities to effectively and efficiently deliver capabilities to users. cyberspace is defined as a global domain within the information environment consisting of the interdependent network of IT infrastructures and resident data, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.

6 AFPD 17-1 12 APRIL 2016 3 2. POLICY . The AF will: Develop cyberspace capabilities to execute, enhance and support Joint, Coalition, and AF core missions, by rapidly developing and implementing innovative solutions, and when appropriate, leveraging commercial products/services to deliver AF capabilities in a Disconnected, Intermittent, Low-Bandwidth environment. Deliver cyberspace capabilities to support the four defined DoD mission areas: Warfighting (WMA), Business (BMA), information Environment (IEMA), and Defense Intelligence (DIMA). Optimize the planning, programming, budgeting, and execution of cyberspace investments consistent with national, DoD, Joint and AF POLICY . Establish and track performance measures for cyberspace investments, programs, and acquisitions to ensure compliance with validated requirements. Design, develop, incorporate, test, and evaluate all AF IT, to include Platform IT (PIT), and NSS for interoperability and supportability, and as necessary, determine tradeoffs among mission effectiveness, cybersecurity, efficiency, survivability, resiliency, and IT interoperability.

7 Ensure cyberspace capabilities are designed to enhance information sharing, collaboration, and situational awareness, consistent with cybersecurity standards and best practices. 3. Responsibilities. The responsibilities for cyberspace and IT are overseen by SAF/CIO A6 and shared among numerous key stakeholders. CIO responsibilities are codified in Title 10, USC 2223a and 8014; Title 40, USC, Subtitle III; and, Title 44, USC 3506. Acquisition authority is codified in Title 10, USC 1704 and 8014. Chief Financial Officer authority is codified in Title 10, USC 8022. Chief Management Officer and Deputy Chief Management Officer authorities are in Title 10, USC 2222, and Public Law 110-417, 908 (NDAA 2009). Under SECRETARY of the Air FORCE . As Chief Management Officer, provide any determinations required for defense business systems under Title 10, USC 2222. Chief of information dominance and Chief information Officer (SAF/CIO A6).

8 SAF/CIO A6 has a wide range of responsibilities which are listed in detail in the SAF/CIO A6 Mission DIRECTIVE (AFMD 1-26). These responsibilities may be summarized as follows:: Set the strategic direction for fully exploiting cyberspace by leading Air Staff-level executive groups and boards in the development of policies, strategies, roadmaps, and technical baselines. Charter AF cyberspace governance and Warfighting Integration forums and, in coordination with the Core Function Leads (CFLs), appoint representatives to cyberspace governance forums external to the AF. Execute all responsibilities and functions outlined in statutes, directives, and regulations pertaining to an Agency Chief information Officer or military department CIO. 4 AFPD 17-1 12 APRIL 2016 Develop and implement a deliberate budget and investment review and approval process, within existing corporate processes, to integrate cyberspace requirements and investments across all mission areas.

9 Ensure an operationally resilient, reliable, interoperable, and secure AF information Network to meet the needs of AF core missions and AF responsibilities for Joint and Coalition Operations. Serve as the Functional Authority for military and civilian IT, cyberspace , and information management career fields for the life cycle program management of IT and cyberspace capabilities. For all acquisitions subject to DoDI , review and approve the Cybersecurity Strategy for acquisitions of systems containing IT prior to milestone decisions or contract award. For ACAT ID, IAM, and IAC programs, forward the Cybersecurity Strategy to the DoD CIO for review and approval. For SAP systems, conduct the review in coordination with SAF/AA. For nuclear systems, conduct the review in coordination with AF/A10. Oversee, establish, integrate and maintain the target baseline (TB) and implementation baseline (IB) in coordination with appropriate governance forums.

10 Deputy Chief of Staff for Intelligence, Surveillance, and Reconnaissance (AF/A2) will: Advocate for a prioritized integration of battlespace awareness warfighting systems and intelligence, surveillance, and reconnaissance (ISR) enterprise interoperability under the Warfighting Integration governance forums and with other appropriate forums as needed. Participate in cyberspace governance forums. Coordinate and facilitate the review of DIMA cyberspace capabilities and investment. Identify opportunities to share capabilities and investment between DIMA and the other mission areas. Coordinate intelligence activities required to fully characterize the cyber threat. Facilitate the provision of cyber intelligence data for acquisition development programs. Facilitate the provision of cyber intelligence data to support modeling and simulation (M&S) and test and evaluation (T&E) activities.