Skip to content
  • There are no suggestions because the search field is empty.

Is there DoD documentation that specifies which profile (MAC I, MAC II, MAC III) to select based on the device type or STIG type?

Mission Assurance Categories, are the profiles assigned to every DoD information system. 

DoD documentation specifies that the MAC profile is selected based on the mission criticality of the information system or data it handles, not primarily the device type or STIG (Security Technical Implementation Guide) type itself. The specific STIG for a given device type will then have security requirements tailored to the assigned MAC level. 

  • MAC I systems handle information vital to the operational readiness or effectiveness of deployed or contingency forces. Because the loss of MAC I data would cause severe damage to the successful completion of a DoD mission, MAC I systems must maintain the highest levels of both integrity and availability and use the most rigorous measure of protection.

  • MAC II systems handle information important to the support of deployed and contingency forces. The loss of MAC II systems could have a significant negative impact on the success of the mission or operational readiness. The loss of integrity of MAC II data is unacceptable; therefore MAC II systems must maintain the highest level of integrity. The loss of availability of MAC II data can be tolerated only for a short period of time, so MAC II systems must maintain a medium level of availability. MAC II systems require protective measures above industry best practices to ensure adequate integrity and availability of data.

  • MAC III systems handle information that is necessary for day-to-day operations, but not directly related to the support of deployed or contingency forces.
    The loss of MAC III data would not have an immediate impact on the effectiveness of a mission or operational readiness. Since the loss of MAC III data would not have a significant impact on mission effectiveness or operational readiness in the short term, MAC III systems are required to maintain basic levels of integrity and availability. MAC III systems must be protected by measures considered as industry best practices.