DoD Directive (DoDD) 5000.01, titled "The Defense Acquisition System," is the foundational policy document that governs how the U.S. Department of Defense (DoD) acquires weapon systems, services, and automated information systems. Signed by the Deputy Secretary of Defense, it establishes the overarching principles and policies that apply to all DoD acquisition programs.

Think of DoDD 5000.01 as the constitution for DoD acquisition. It lays out the fundamental rules and objectives that the entire acquisition process must adhere to.

Key aspects and principles outlined in DoDD 5000.01 include:

• Overarching Goal: To support the National Defense Strategy by developing a more lethal force based on U.S. technological innovation and a culture of performance that yields a decisive and sustained U.S. military advantage.
• Guiding Policies: The directive emphasizes several key policies that govern the Defense Acquisition System, including:
  • Flexibility: Encouraging tailored acquisition strategies that are unique characteristics of each program.
  • Responsiveness: Integrating advanced technology and deploying systems in a timely manner to meet user needs. Evolutionary acquisition strategies are the preferred approach.
  • Innovation: Fostering a culture of innovation and leveraging technological advancements.
  • Discipline: Maintaining accountability and adhering to established processes while allowing for adaptation.
  • Streamlined and Effective Management: Promoting efficiency and reducing bureaucracy in the acquisition process.
• Emphasis on the Adaptive Acquisition Framework (AAF): DoDD 5000.01 is the directive that formally introduces and emphasizes the implementation of the AAF. The AAF provides different acquisition pathways to match the specific needs of diverse programs.
• Life Cycle Perspective: The directive underscores the importance of managing systems throughout their entire life cycle, from concept development to disposal.
• Acquisition of Quality Products: A primary objective is to acquire quality products that satisfy user needs with measurable improvements to mission capability and operational support at a fair and reasonable price.
• Integration of Key Considerations: DoDD 5000.01 highlights the importance of factors such as:
  • Armaments Cooperation
  • Collaboration
  • Competition
  • Cost and Affordability
  • Cost Realism
  • Interoperability
  • Performance-Based Acquisition
  • Small Business Participation
  • Software-Intensive Systems
  • Systems Engineering
• Establishes Responsibilities: The directive assigns broad responsibilities to various DoD officials involved in the acquisition process.

Summary:  DoDD 5000.01 sets the strategic direction and fundamental principles for how the Department of Defense approaches the complex task of acquiring the resources necessary to support the nation's defense. It is the top-level policy document that the more detailed DoD Instructions (like DoDI 5000.02) and other acquisition regulations and guidance are built upon.

Document:  https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodd/500001p.pdf

DoD Instruction (DoDI) 5000.02,  officially titled "Operation of the Adaptive Acquisition Framework (AAF)," is the foundational instruction that establishes policy and prescribes procedures for managing all DoD acquisition programs. It outlines the framework the DoD uses to acquire defense systems, services, and technologies.

Here are the key aspects of DoDI 5000.02:

Purpose:

• Establish the Adaptive Acquisition Framework (AAF): This instruction defines the AAF, which is a flexible and streamlined approach to defense acquisition, replacing the previous, more linear process.
• Provide Policy and Procedures: It sets forth the overarching policies and specific procedures for managing acquisition programs throughout their lifecycle.
• Grant Tailoring Authority: It authorizes Milestone Decision Authorities (MDAs) and other decision authorities (DAs) and Program Managers (PMs) broad authority to tailor acquisition strategies and processes to match the specific characteristics of the capability being acquired, consistent with statutory requirements and sound business practices.
• Describe Acquisition Pathways: DoDI 5000.02 outlines the six distinct acquisition pathways within the AAF:
  • Urgent Capability Acquisition (UCA)
  • Middle Tier of Acquisition (MTA)
  • Major Capability Acquisition (MCA)
  • Software Acquisition Pathway (SWP)
  • Defense Business Systems (DBS)
  • Acquisition of Services

• Assign Responsibilities: It clearly defines the roles and responsibilities of various DoD officials involved in the acquisition process.
• Emphasize Timely Delivery: The overarching goal is to deliver effective, suitable, survivable, sustainable, and affordable solutions to the end-user in a timely manner.

Key Concepts:

• Adaptive Acquisition Framework (AAF): The central concept of DoDI 5000.02 is the AAF, which provides a flexible and adaptive approach to acquisition. It recognizes that different types of acquisitions require different strategies and levels of oversight.
• Tailoring: A core principle of the AAF is the ability for program managers and decision authorities to tailor the acquisition process to the specific needs and risks of their program. This allows for more efficient and effective acquisition.
• Acquisition Pathways: The six pathways provide different frameworks and timelines for acquiring various types of capabilities, allowing the DoD to select the most appropriate approach based on the urgency, complexity, and nature of the requirement.
• Milestone Decision Authority (MDA): The individual with the authority to approve a program to proceed to the next phase of the acquisition process. The level of the MDA depends on the program's category.
• Program Manager (PM): The individual responsible for the day-to-day management of an acquisition program.

Summary:  DoDI 5000.02 is the guiding document for how the DoD buys things. It establishes a modern, flexible framework that emphasizes tailoring the acquisition process to the specific needs of each program to deliver capabilities to the warfighter more rapidly and efficiently.

Document: https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/500002p.PDF

The DoD Software Acquisition Pathway (SWP) is one of six acquisition pathways within the Department of Defense's (DoD) Adaptive Acquisition Framework (AAF), as outlined in DoD Instruction (DoDI) 5000.02. The SWP is specifically designed to facilitate the rapid and iterative delivery of software capabilities to the user.

Here is a breakdown of the key aspects of the SWP:

Purpose:

• Accelerate Software Delivery: To move away from traditional, hardware-centric acquisition processes that often lead to lengthy development cycles for software.
• Embrace Modern Software Practices: To incorporate industry best practices like Agile Software Development, DevSecOps, and Lean practices.
• Focus on User Value: To emphasize active user engagement and feedback throughout the development process to ensure the delivered software meets their needs.
• Reduce Bureaucracy: To streamline the acquisition process and cut "red tape" to enable faster deployment of capabilities.
• Leverage Commercial Innovation: To make it easier for the DoD to adopt and integrate commercial software solutions and technologies.

Key Characteristics and Principles:

• Iterative Development: Software is developed and delivered in small, frequent increments, allowing for continuous feedback and adaptation.
• Active User Engagement: Users are involved throughout the development lifecycle, providing regular input and ensuring the software meets their operational needs.
• Agile and Lean Practices: The pathway encourages the use of Agile methodologies and Lean principles to maximize efficiency and responsiveness.
• DevSecOps: Cybersecurity is integrated throughout the development process, ensuring secure and resilient software delivery.
• Flexibility and Tailoring: Programs using the SWP have greater flexibility in their acquisition strategies and can tailor their approaches based on the specific software being acquired.
• Emphasis on Working Software: The focus is on delivering functional software to users quickly, rather than extensive documentation.
• Commercial Solutions Focus: The SWP encourages the solicitation of commercial solutions through mechanisms like Commercial Solutions Openings (CSOs) and Other Transactions (OTAs).
• Rapid Prototyping and Fielding: Programs are expected to demonstrate viable capabilities for operational use within a relatively short timeframe (often within a year of initial funding).

Policy and Mandates:

• Preferred Pathway: As of March 2025, a DoD memorandum directed all DoD components to adopt the SWP as the preferred acquisition method for all software development components of business and weapon system programs.
• DoDI 5000.87: While DoDI 5000.02 establishes the AAF and its pathways, DoDI 5000.87 specifically outlines the policy and procedures for the Software Acquisition Pathway (SWP).
• NDAA Mandate: Congress directed the DoD to create software acquisition pathways in Section 800 of the FY2020 National Defense Authorization Act (NDAA).

Summary:  The DoD Software Acquisition Pathway represents a significant shift towards a more agile, user-centric, and efficient approach to acquiring software for defense systems. It prioritizes speed, adaptability, and the integration of modern software development practices to deliver timely and valuable capabilities to the warfighter.

DoD Instruction (DoDI) 8510.01, titled "Risk Management Framework (RMF) for DoD Systems," establishes the cybersecurity Risk Management Framework (RMF) for Department of Defense (DoD) information technology (IT) systems. It outlines the policy, responsibilities, and procedures for managing cybersecurity risks throughout the lifecycle of DoD systems.

Here is a breakdown of the key aspects of DoDI 8510.01:

Purpose:

• Establish the RMF: Defines the comprehensive process for managing cybersecurity risk in DoD IT.
• Establish Policy: Sets forth the mandatory cybersecurity policies for all DoD IT.
• Assign Responsibilities: Clearly defines the roles and responsibilities of various DoD entities in implementing and maintaining the RMF.
• Prescribe Procedures: Provides the step-by-step procedures for executing and maintaining the RMF.
• Integrate Enterprise-Wide Decision Structure: Establishes a unified approach to cybersecurity risk management across the DoD, integrating mission areas.
• Provide Guidance on Reciprocity: Offers direction on the mutual acceptance of system authorization decisions within the DoD and with other federal agencies.
• Authorize the RMF Technical Advisory Group (TAG): Designates the TAG as the body responsible for developing and publishing RMF implementation guidance.

Key Elements and Concepts:

• Risk Management Framework (RMF): A six-step process for managing cybersecurity risk:
  1. Categorize: Define the security category of the system based on the potential impact of a security breach.
  2. Select: Choose the appropriate security controls from the National Institute of Standards and Technology (NIST) Special Publication 800-53.
  3. Implement: Put the selected security controls into practice.
  4. Assess: Evaluate the effectiveness of the implemented security controls.
  5. Authorize: Obtain formal authorization for the system to operate based on the assessed risk.
  6. Monitor: Continuously track the system and its environment for changes and maintain its security posture.
• Applicability: Applies to all DoD IT that receives, processes, stores, displays, or transmits DoD information, including:

• • DoD Information Systems (IS)
  • Platform IT (PIT)
  • IT services
  • IT products
  • IT supporting research, development, test, and evaluation (T&E)
  • DoD-controlled IT operated by contractors or other entities on behalf of the DoD.

• Relationship to NIST Standards: DoDI 8510.01 implements and aligns with key NIST publications, particularly NIST SP 800-37 ("Risk Management Framework for Information Systems and Organizations") and NIST SP 800-53 ("Security and Privacy Controls for Information Systems and Organizations").
• Supersedes DIACAP: The RMF replaced the previous DoD Information Assurance Certification and Accreditation Process (DIACAP).
• Emphasis on Continuous Monitoring: Highlights the importance of ongoing monitoring to detect and respond to security changes and threats.
• Integration with Acquisition: The RMF process is intended to inform all phases of the DoD acquisition lifecycle, including requirements development and testing.

Summary:  DoDI 8510.01 is the cornerstone of cybersecurity risk management within the DoD. It provides a standardized and comprehensive framework for ensuring the security and resilience of the Department's information systems. The instruction emphasizes a risk-based approach, continuous monitoring, and the integration of cybersecurity considerations throughout the system lifecycle.

DoDI 8510.01 Document:   https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/851001p.pdf

NIST Special Publication (SP) 800-37, titled "Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy," is a comprehensive guideline developed by the National Institute of Standards and Technology (NIST). It outlines a seven-step process for managing security and privacy risk for information systems and organizations. Often referred to as the Risk Management Framework (RMF), it provides a structured, flexible, and repeatable approach to:

1. Prepare: Lay the groundwork for the RMF implementation within the organization by establishing context, roles, responsibilities, and risk management strategies.
2. Categorize: Define the security and privacy categories of the information system and the information it processes, stores, and transmits based on the potential impact of a security or privacy breach.
3. Select: Choose a baseline set of security and privacy controls from NIST SP 800-53, tailoring and supplementing them as needed based on the risk assessment and organizational requirements.
4. Implement: Put the selected security and privacy controls into practice within the information system and document how they are deployed.
5. Assess: Evaluate the effectiveness of the implemented controls to determine if they are operating as intended and meeting the defined security and privacy requirements.
6. Authorize: A designated senior official reviews the security and privacy risk assessment and decides whether to authorize the information system to operate. This decision is based on the acceptability of the remaining risk.
7. Monitor: Continuously track the effectiveness of implemented controls, identify changes to the system and its environment, and respond to security and privacy incidents to maintain an ongoing authorization.

Key aspects and goals of NIST SP 800-37 include:

• Holistic Approach: It emphasizes integrating security and privacy risk management throughout the entire system development life cycle.
• Risk-Based: Decisions about control selection and implementation are driven by a thorough assessment of risks to organizational operations, assets, individuals, other organizations, and the nation.
• Flexibility and Tailorability: The framework is designed to be adaptable to various types of organizations and information systems, allowing for the tailoring of controls to specific needs.
• Continuous Monitoring: It promotes an ongoing awareness of security and privacy posture through continuous monitoring activities.
• Authorization to Operate (ATO): The framework culminates in a formal authorization decision by a senior leader, signifying an acceptable level of risk.
• Alignment with Other Frameworks: It aims to align with other cybersecurity and privacy frameworks, such as the NIST Cybersecurity Framework (CSF).
• Integration of Privacy: The latest revision (Revision 2) places a stronger emphasis on integrating privacy risk management alongside security risk management.
• Supply Chain Risk Management: It incorporates considerations for managing security risks associated with the supply chain.

NIST SP 800-37 Usage

While initially developed for the U.S. federal government, NIST SP 800-37 has been widely adopted by various organizations, including:

• Federal agencies and contractors
• State and local governments
• Private sector organizations looking for a robust and well-regarded risk management framework

Summary:  NIST SP 800-37 provides a comprehensive roadmap for organizations to effectively manage their information security and privacy risks in a structured and systematic way, contributing to a more secure and resilient digital environment. ¹

Document:  https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf

NIST Special Publication (SP) 800-37, titled "Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy," is a comprehensive guideline developed by the National Institute of Standards and Technology (NIST). It outlines a seven-step process for managing security and privacy risk for information systems and organizations. Often referred to as the Risk Management Framework (RMF), it provides a structured, flexible, and repeatable approach to:

1. Prepare: Lay the groundwork for the RMF implementation within the organization by establishing context, roles, responsibilities, and risk management strategies.
2. Categorize: Define the security and privacy categories of the information system and the information it processes, stores, and transmits based on the potential impact of a security or privacy breach.
3. Select: Choose a baseline set of security and privacy controls from NIST SP 800-53, tailoring and supplementing them as needed based on the risk assessment and organizational requirements.
4. Implement: Put the selected security and privacy controls into practice within the information system and document how they are deployed.
5. Assess: Evaluate the effectiveness of the implemented controls to determine if they are operating as intended and meeting the defined security and privacy requirements.
6. Authorize: A designated senior official reviews the security and privacy risk assessment and decides whether to authorize the information system to operate. This decision is based on the acceptability of the remaining risk.
7. Monitor: Continuously track the effectiveness of implemented controls, identify changes to the system and its environment, and respond to security and privacy incidents to maintain an ongoing authorization.

Key aspects and goals of NIST SP 800-37 include:

• Holistic Approach: It emphasizes integrating security and privacy risk management throughout the entire system development life cycle.
• Risk-Based: Decisions about control selection and implementation are driven by a thorough assessment of risks to organizational operations, assets, individuals, other organizations, and the nation.
• Flexibility and Tailorability: The framework is designed to be adaptable to various types of organizations and information systems, allowing for the tailoring of controls to specific needs.
• Continuous Monitoring: It promotes an ongoing awareness of security and privacy posture through continuous monitoring activities.
• Authorization to Operate (ATO): The framework culminates in a formal authorization decision by a senior leader, signifying an acceptable level of risk.
• Alignment with Other Frameworks: It aims to align with other cybersecurity and privacy frameworks, such as the NIST Cybersecurity Framework (CSF).
• Integration of Privacy: The latest revision (Revision 2) places a stronger emphasis on integrating privacy risk management alongside security risk management.
• Supply Chain Risk Management: It incorporates considerations for managing security risks associated with the supply chain.

NIST SP 800-37 Usage

While initially developed for the U.S. federal government, NIST SP 800-37 has been widely adopted by various organizations, including:

• Federal agencies and contractors
• State and local governments
• Private sector organizations looking for a robust and well-regarded risk management framework

Summary:  NIST SP 800-37 provides a comprehensive roadmap for organizations to effectively manage their information security and privacy risks in a structured and systematic way, contributing to a more secure and resilient digital environment. ¹

Document:  https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf

DoD Instruction (DoDI) 5000.87 is titled "Operation of the Software Acquisition Pathway."   This instruction establishes the policy, assigns responsibilities, and prescribes procedures for the Software Acquisition Pathway (SWP) within the Department of Defense's (DoD) Adaptive Acquisition Framework (AAF). It focuses specifically on efficient and effective acquisition, development, integration, and timely delivery of secure software.

Key aspects of DoDI 5000.87 include:

• Establishes the Software Acquisition Pathway: This instruction formally defines and governs the SWP as one of the distinct pathways within the AAF, as outlined in DoDI 5000.02.
• Focus on Speed and Agility: The SWP is designed to enable rapid and iterative delivery of software capabilities to meet the dynamic needs of the warfighter. It emphasizes modern software development practices like Agile and DevSecOps.
• Minimum Viable Capability Release (MVCR): Programs using the SWP are required to deliver a deployable MVCR to an operational environment within a specified timeframe (often within one year of initial funding).
• Tailored Processes: The SWP allows for streamlined acquisition processes, documentation, and reviews compared to traditional acquisition pathways. It emphasizes delivering value frequently rather than adhering to rigid milestone-based approaches.
• User Engagement: Active and continuous engagement with users is a core principle of the SWP to ensure the delivered software meets their needs.
• Leveraging Enterprise Services: The instruction encourages the use of enterprise services and platforms to avoid redundant development efforts.
• DevSecOps and Continuous Authority to Operate (cATO): The SWP promotes the integration of security into the development process (DevSecOps) and the establishment of continuous authorization to operate to ensure ongoing security and faster deployment.
• Exemption from Traditional JCIDS: Software acquisition programs utilizing the SWP are generally exempt from the traditional Joint Capabilities Integration and Development System (JCIDS) process, allowing for more streamlined requirements development.
• Applicability: This pathway is primarily intended for custom software development for DoD applications and embedded systems.

Summary:  DoDI 5000.87 provides a dedicated framework for acquiring software-intensive capabilities in a more agile and responsive manner, recognizing the unique characteristics and rapid evolution of software development. It aims to deliver valuable software to the warfighter faster and more efficiently than traditional acquisition methods.

DoD Instruction 5000.97, issued on December 21, 2023, is the Digital Engineering (DE) Instruction. It represents a significant shift in how the Department of Defense approaches the creation, development, and procurement of defense systems.

Here is a breakdown of the key aspects of this mandate:

Purpose:

• Establish policy, assign responsibilities, and provide procedures for implementing and using digital engineering in the development and sustainment of defense systems.
• Transform DoD systems engineering practice by moving the primary means of communicating system information from documents to digital models and their underlying data.
• Leverage digital models and the digital thread as authoritative sources of truth for all digital artifacts.
• Enable faster, smarter, data-driven decisions throughout the system lifecycle.
• Support a comprehensive engineering program for defense systems.
• Modernize the development and sustainment of defense systems by incorporating digital technology and innovations into an integrated, digital, model-based approach.

Key Directives and Requirements:

• Mandatory for New Programs: Programs initiated after the date of the instruction must incorporate digital engineering during development unless the program's decision authority provides an exception.
• Encouraged for Existing Programs: Programs initiated before the instruction's release should incorporate digital engineering to the maximum extent possible, when it is practical, beneficial, and affordable.
• Integration into Acquisition Strategy and Systems Engineering Plan: Digital engineering must be addressed in the Acquisition Strategy and a Digital Engineering Implementation Plan should be included in the Systems Engineering Plan for certain programs.
• Emphasis on Digital Models: Digital models are considered essential for understanding complex systems and system interdependence and for communication among team members and stakeholders.
• Importance of the Digital Thread: The digital thread, connecting authoritative data and digital models, is crucial for providing actionable information to decision-makers throughout a system's lifecycle.
• Data Management: Data management must adhere to DoD Data Strategy goals: visible, accessible, understandable, linked, trustworthy, interoperable, and secure.
• Digital Artifacts: Digital products and views should be dynamically generated from the digital ecosystem.
• Digital Engineering Ecosystem (DEE): The instruction emphasizes the infrastructure and architecture (hardware, software, networks, tools, workforce) necessary to support digital approaches across the system development lifecycle.
• Workforce Training: DAU (Defense Acquisition University) is identified as providing workforce training on digital engineering.

Summary:  DoDI 5000.97 mandates a shift towards a digital-first approach in defense acquisition. It requires the use of digital models, data, and tools throughout the lifecycle of a system to improve efficiency, reduce risks, enhance collaboration, and ultimately deliver better capabilities to the warfighter faster. This directive aims to move away from document-centric processes towards a more integrated and data-driven engineering environment.

Document:  https://www.cto.mil/wp-content/uploads/2024/05/info-dodi-500097-de-summary.pdf