AF Form 4160: IAAP Criteria Guide & PDF Download

In the U.S. Air Force, protecting information systems, networks, and data is critical to mission success and national security. AF Form 4160, titled Information Assurance Assessment and Assistance Program (IAAP) Criteria, served as a key checklist tool for evaluating and strengthening Information Assurance (IA) programs across wings and units.

Although the Air Force transitioned many self-assessment processes to the Management Internal Control Toolset (MICT) around 2013 (which largely superseded paper-based forms like AF Form 4160 for ongoing self-inspections), the form remains relevant for historical reference, legacy compliance reviews, training, and understanding the foundational criteria used in IA assessments.

This article explains the purpose of AF Form 4160, its role in the IAAP, how it was used, and where to access the official PDF. It is intended for Air Force personnel, IA officers, commanders, and cybersecurity professionals in the United States seeking compliant, up-to-date guidance on Air Force information protection practices.

What Is AF Form 4160?

AF Form 4160 is an official U.S. Air Force form designed specifically for the Information Assurance Assessment and Assistance Program (IAAP). It functions as a detailed checklist to evaluate the effectiveness of unit-level IA programs.

  • Full Title: Information Assurance Assessment and Assistance Program (IAAP) Criteria
  • Purpose: To assess compliance with Information Assurance policies, identify vulnerabilities, and provide assistance (“find and fix”) in areas such as computer security (COMPUSEC), communications security (COMSEC), emissions security (EMSEC), and overall information protection.
  • Release/Revision: The form was released or significantly updated around August 2000 (with later editions noted as of November 30, 2007 in some repositories). It was referenced in early 2000s-era instructions.

The IAAP inspection process was typically a “find and fix” review conducted by external teams (such as from the Air Force Network Integration Center) or internally. Inspectors used the AF Form 4160 checklist to canvass units, visiting a sample of Information Assurance Officers (often at least 30%) and 100% of COMSEC accounts in some cases.

Purpose and Role of the IAAP in the Air Force

The Information Assurance Assessment and Assistance Program helped commanders and IA managers:

  • Evaluate the overall health of wing and unit IA programs.
  • Identify weaknesses in policies, procedures, training, and implementation.
  • Correct deficiencies before they become mission-impacting vulnerabilities.
  • Ensure alignment with broader Air Force and DoD cybersecurity and information protection standards.

Earlier instructions, such as AFI 33-230 (Communications and Information), directed biennial assessments of wing Information Protection (IP) programs using AF Form 4160. These assessments covered computer security, emissions security, and communications security.

The program emphasized a supportive rather than purely punitive approach—assistance was provided alongside assessment to improve compliance and security posture.

Note on Evolution: By 2013, the Air Force shifted self-assessments and checklist management to the web-based MICT system (accessible via the AF Portal). MICT allows digital tracking, assigned checklists, comments, and evidence upload for compliance with directives like AFI 90-201 (The Air Force Inspection System). Many IA-related self-assessment communicators (SACs) in MICT build on the foundational criteria once captured in AF Form 4160.

Modern Air Force cybersecurity now heavily incorporates the Risk Management Framework (RMF) under AFI 17-101, along with AFMAN 17-1301 (Computer Security – COMPUSEC) and related publications.

Key Features and Use of AF Form 4160

As a criteria checklist, AF Form 4160 outlined specific evaluation items across IA domains. While the exact item-by-item list is contained in the official fillable PDF (rather than fully reproduced in public web summaries), typical areas in such IA assessments historically included:

  • Policy and Program Management — Existence and currency of unit IA policies, appointment of trained IA officers, and commander oversight.
  • Computer Security (COMPUSEC) — User training, password management, software control, incident reporting, and system configuration compliance.
  • Communications Security (COMSEC) — Accounting, handling, and destruction of COMSEC material; two-person integrity where required.
  • Emissions Security (EMSEC) / TEMPEST — Protection against compromising emanations.
  • Physical Security and Access Control — Protection of systems and media.
  • Training and Awareness — IA awareness programs for personnel.
  • Incident Response and Reporting — Procedures for handling security incidents.
  • Documentation and Records — Maintenance of required logs, inventories, and self-inspection records.

Users rated items for compliance (e.g., compliant / non-compliant / not applicable), noted findings, and documented corrective actions. The form supported both external assistance visits and internal self-assessments.

How the Form Was Typically Used

  1. IA inspectors or unit personnel completed the checklist during scheduled assessments.
  2. Findings were discussed with unit leadership.
  3. Corrective actions were tracked to resolution.
  4. Results informed higher-level reporting and program improvement.

For current self-assessments, refer to MICT checklists assigned to your unit/role, which align with current AFIs and AFMANs.

Download the Official AF Form 4160 PDF

The authoritative source for the form is the Air Force e-Publishing site:

→ Official Download: https://static.e-publishing.af.mil/production/1/saf_cio_a6/form/af4160/af4160.pdf

This is the fillable PDF version. Always verify you are using the latest revision from e-Publishing.af.mil when referencing official forms. Additional repositories (such as TemplateRoller or AF-Forms.com) offer copies for reference, but defer to the .mil source for compliance.

Pro Tip: When opening the PDF, ensure your viewer supports form fields for easy digital completion and saving.

Modern Context: From IAAP to MICT and RMF

While AF Form 4160 provided a structured paper-based approach in the early 2000s, today’s Air Force emphasizes:

  • MICT for self-assessment and compliance tracking.
  • Risk Management Framework (RMF) per AFI 17-101 for IT system authorization.
  • Integrated cybersecurity workforce development and continuous monitoring.

Units should consult their local IA office, wing Inspector General, or the AF RMF Knowledge Service for current checklists and processes. Legacy knowledge of IAAP criteria remains valuable for understanding the evolution of Air Force information protection programs.

Who Needs AF Form 4160 or IAAP Knowledge?

  • Air Force IA Officers and Cyber Security personnel
  • Unit Commanders and Directors responsible for information protection
  • COMSEC managers and custodians
  • Personnel preparing for inspections or audits
  • Contractors supporting Air Force IA programs
  • Anyone studying Air Force cybersecurity history or compliance frameworks

Maintaining strong IA practices protects sensitive data, ensures mission readiness, and supports DoD-wide cybersecurity goals.

Conclusion

AF Form 4160 played an important historical and practical role in the Air Force’s Information Assurance Assessment and Assistance Program by providing clear criteria to evaluate and improve IA programs. While largely superseded by digital tools like MICT for routine self-assessments, the form and its underlying principles continue to inform best practices in protecting Air Force information systems.

For the most accurate and current guidance:

  • Download the form directly from the official link above.
  • Access MICT via the AF Portal for active self-assessment checklists.
  • Reference AFI 17-101, AFMAN 17-1301, and related publications for RMF and COMPUSEC requirements.

If you are preparing for an assessment, conducting training, or need assistance interpreting IA criteria, contact your unit Information Assurance Manager or wing cybersecurity office. Staying proactive with information assurance protects our people, missions, and national security.

This article is for informational purposes and does not replace official Air Force policy or guidance. Always consult current directives on e-Publishing.af.mil and your chain of command.