Starting in late 2002, the Department of Defense (DoD) and the U.S. Army issued major regulatory guidance changes regarding Information Assurance (IA), which have a major impact on the acquisition of automated information systems (AIS) by the Department of Defense and its components. The paper will present the new regulatory guidance as it pertains to the certification and accreditation (C&A) of U.S. Army automated information systems. The terms "certification" and "accreditation" will be defined as they pertain to fielding an accredited AIS.
The paper will present the current methodology of incorporating IA into AIS acquisitions, including the absence of IA requirements in RFPs and the resulting contracts, the "add-on" or "bolt-on" approach to IA, and the cost and schedule impacts that this methodology causes.
The paper will present a methodology to integrate IA into the AIS acquisition process from the beginning. Central to this methodology is defining the IA requirements in the RFP, so that security does not have to be added to the program as an afterthought through baseline or engineering change requirements after contract award, which is a major cost and schedule driver. The paper will also compare the DoD Information Technology Security Certification and Accreditation Process (DITSCAP) with the normal acquisition cycle process, to show how the two processes are related and how applying IA as an afterthought or as a forethought affects each of them.
In summary, the paper will contrast the two methodologies of incorporating IA into AIS acquisitions. Additionally, the benefits of pursuing the new methodology of integrating IA into AIS acquisitions versus the current "add-on" approach will be presented.