Upload: vannhan, posted 20-Mar-2018

Contractor SIPRNet Process
ISAC 2017
Defense Security Service

Objectives

* Roles & Responsibilities

* Circuit Validation & Registration

* Required Equipment & Devices

* Certification & Accreditation

* Connection Approval Package

* SIPRNet Process Flow Chart

Roles and Responsibilities

Organization - Responsibilities

DoD CIO - Final approval authority for all connection requests in support of the sponsor's mission.

Defense Information Systems Agency (DISA) - Responsible for management and oversight of Defense Information Systems Network (DISN) circuits.

Government Sponsor - Sponsor/owner of the contractor connection.

- Provides funding for the circuit and any other required services for contractor connection to SIPRNet (i.e. Computer Network Defense Service Provider (CNDSP), Host Based Security System (HBSS), email, Domain Name Service (DNS), SIPRNet Hardware Token and SIPRNet GIAP System accounts).

DISA SIPRNet Service Management Office (SSMO) - Reviews SIPRNet requests and initial topologies to determine whether the proposed DISN solution is appropriate.

- Forwards the approved solution to DoD CIO for approval.

Defense Security Service (DSS) - DAA for accrediting contractor information systems used to process classified information in industry; issues IATO, ATO and DATO.

DISA Certification and Accreditation Office/Classified Connection Approval Office (CAO) - Processes Connection Approval Packages (CAP); issues Authority to Test/Connect (IATT, IATC and ATC).

Government Sponsor

• Government Contracting Authority (GCA)

• All Non-DoD Connections require a contract, MOU/A, and DoD Sponsor to validate mission need for partner access to DISN.

• Sponsors must adhere to responsibilities as stated in DoD CIO Sponsor Memorandum, dated 11 Jan 2012

Circuit Validation Process

• Sponsorship Letter (validation request)

• Request must document all SIPRNet resources contractor will require (e.g. ports, protocols, services, websites)

• Topology (complete & accurate)

• Non-DoD Validation request: [email protected]

• Initial Approvals needed from: DISA SIPRNet Service Manager Office (SSMO), Sponsor’s Service/Agency official, and final approval granted by DoD CIO

• Revalidation is required if change in sponsor, mission, requirements, contract or physical location (CAGE); not required for contract extensions (same mission etc.)

• Example: Contractor relocating circuit to new facility/CAGE or additional sponsor organization to existing circuit

CNDSP (CJCSI 6211.02D)

• For mission partner and defense contractor ISs, the sponsoring CC/S/A must ensure:

• A signed agreement (e.g., MOA) or contract defines the Computer Network Defense Service Provider (CNDSP) requirements, as specified in DODD O-8530.1, and those requirements are included in the agreement

• CNDSP requirements are implemented prior to connection

• Check with your CNDSP for additional services: Host Based Security System (HBSS), Vulnerability Scanning (ACAS), and Security Technical Implementation Guide (STIG) training

• Email [email protected] for a listing of available CND providers

Circuit Ordering: Government Sponsor Initiates SIPRNet Connection

• DISA Direct Online Entry (DDOE)

• DoD CIO approval required prior to circuit ordering

• Sponsor creates account and submits Telecommunication Service Request (TSR);

• Funding provided via Program Designator Code (PDC)

• Accurate POC information is critical to ordering process

• For example: Sponsor, Contractor FSO, ISSM and/or ISSO and COMSEC manager

Required Equipment/Resources

• All SIPRNet circuits require NSA Type 1 encryption (e.g. KIV 7M)

• Sponsor must provide the encryption devices at both ends of the SIPRNet circuit

• Approved Products List (APL) and National Information Assurance Partnership (NIAP) approved firewall (EAL-4) and Intrusion Detection/Prevention System (IDS/IPS) (EAL-2)

• See applicable STIGs for detailed requirements

• Sponsor assists in obtaining the following: Ports, Protocols, and Services Management (PPSM), SGS, SIPRNet IT Registry and others as required

Certification and Accreditation

• DSS is the accrediting authority for NISP cleared contractor systems (NISPOM)

• Grants Authority to Operate (I/ATO) based on contract expiration date or three years whichever occurs first.

• Enhanced NISPOM requirements (DoD technical requirements) are required prior to accreditation per DISA DSS MOA signed September 2011

• DISA has management and oversight responsibilities of DISN

• Connection Approval Authority (CAO) grants Authority to Connect

• Sponsor/contractor submits accreditation packages to SIPRNet GIAP System (SGS) for accreditation; record shall be kept accurate throughout systems life cycle

• Cleared contractor’s systems must have both current ATO & ATC prior to processing on SIPRNet

Certification and Accreditation

System Security Plan and supporting documentation; see the NISP SIPRNet Connection Approval Process (NSCAP) for the detailed process

• System Security Plan (SSP) and IS Profile

• Utilize and configure systems to the applicable DoD Security Technical Implementation Guide (STIG)

• Topology must include compliant/supported Firewall/IDS and Routers

• STIGs may require additional supporting documentation: Appointment letters, local IA policies/procedures, change management plans etc.

• Consent To Monitor (CTM) with sponsor signature

• Statement of Residual Risk (SRR) with contractor management signature (contractor personnel not GCA)

• Sponsor Validation/Re-Validation Letter

Disclosure Authorization

• Contractors are NOT permitted unfiltered access to the SIPRNet (see CJCSI 6211.02D). The government sponsor determines requirements (validation letter/contract)

• Sponsor completes Disclosure Authorization Form with required ports/protocols and submits to DISA; DISA will update contractor access list

Process Flow Chart

Maintaining Compliance

• Compliance with DoD policies is required throughout the system’s lifecycle

• Failure to implement and maintain the DoD IA requirements may result in a level of risk deemed unacceptable by the DAA of the system (DSS) or the network owner (DISA)

• Non-compliant nodes may be disconnected from the network after coordination with the government sponsor to consider justification for remaining connected

• The decision to allow a node to remain connected (or not) is made by USCYBERCOM based on input from DISA and DSS

Training & Resources

• Connection Process Guide (CPG): http://www.disa.mil/Network-Services/Enterprise-Connections/Connection-Process-Guide

• NISP SIPRNet Circuit Approval Process: https://www.dss.mil/documents/nao/NSCAP-v2-4.pdf

• Connection Approval FAQs: http://www.disa.mil/network-services/Enterprise-Connections/FAQs/Connection-Approval-FAQs

• Mission Partner Training (topology, SGS, PPSM): http://www.disa.mil/Network-Services/Enterprise-Connections/Mission-Partner-Training-Program

• STIGs & Tools: http://iase.disa.mil/stigs/Pages/index.aspx

DSS CCRI Program Overview
ISAC 2017
Defense Security Service

BACKGROUND

• CJCSI 6211.02: All ISs connected to the DISN are subject to electronic monitoring for communications management and network security. This includes site visits, compliance inspections, and remote vulnerability assessments to check system compliance with configuration standards.

• ~160 NISP SIPRNet nodes across four regions

DISA DSS MOA

• DISA - DSS SIPRNet Memorandum of Agreement (MOA) signed September 9, 2011

• Outlines roles and responsibilities of DISA and DSS

• NISP SIPRNet nodes will adhere to DoD requirements

• Annual Reviews and scheduled Command Cyber Readiness Inspections (CCRI) to assess compliance with DoD requirements

• DSS HQ works closely with government sponsor, DISA, DoD CIO and USCYBERCOM

DSS CCRI Team Status

• DISA provides training and certification for CCRI team personnel.

• DSS CCRI certified personnel as of April 2017:

• (6) Traditional Security Reviewers/Industrial Security Specialists (ISRs)

• (17) Technical Reviewers (includes 5 CCRI Leads)/Information Systems Security Professionals (ISSPs)

• Additional ISRs and ISSPs pending final on-the-job training and check-rides

• Certified Reviewers required to complete 4 CCRIs per year for proficiency

• DSS CCRI team oversight and certification check-rides by DISA

• DSS tasked directly on CCRI scheduling TASKORDs

• FY18 CCRI planning is in draft form

• DSS scheduled to lead ALL inspections for Cleared Industry circuits

CCRI

• Inspection is used to improve the cyber security posture of DoD networks

• Provides situational awareness to the government sponsor and CDC senior leadership

• In-brief, daily hot-washes and exit briefing with senior leadership

• The team will meet with facility security staff personnel (FSO, ISSM/ISSO, SAs) to validate:

• Current accreditations

• Enclave/Network security

• Perform vulnerability scans

• Computer Network Defense (CND) services

• Assess compliance with DoD IA policies

CCRI

• DISA Security Technical Implementation Guide (STIG) is the technical checklist

• Compliance reports must be completed appropriately

• After Action Plan, POAM, ACAS scanning

• Lessons Learned:

• Do not wait for the scheduled inspection to prepare; sites are to be ready at all times. No-notice inspections are always a possibility per policy

• Contact your CNDSP for assistance with ACAS, HBSS RC

• Contact the DISA FSO STIG Support desk for STIG clarification items

CCRI Prep

• DSS Advise & Assist:

• HQ to contact government sponsor to discuss inspection and requirements

• Site assistance visits and ongoing support prior to inspection (ISR/ISSP)

• Contact Computer Network Defense Service Provider (CNDSP) and/or sponsor for possible Pre-CCRI assistance

Maintaining Compliance

• Compliance with DoD policies is required throughout the system’s lifecycle

• Failure to implement and maintain the DoD IA requirements may result in a level of risk deemed unacceptable by the DAA of the system (DSS) or the network owner (DISA)

• Non-compliant nodes may be disconnected from the network after coordination with the government sponsor to consider justification for remaining connected

• The decision to allow a node to remain connected (or not) is made by USCYBERCOM based on input from DISA and DSS

DSS CCRI Team Example

DSS CCRI Team Lead

• Windows/DNS Reviewer (if applicable) **

• Network Reviewer

• Vulnerability Scanner Reviewer

• HBSS Reviewer

• Traditional Reviewer (DSS Industrial Security Specialist)

* Other reviewer roles may be requested (e.g. Exchange or Unix/DNS) if applicable


Questions?

Points of contact

• Mr. Ehren M. Thompson, Senior Industrial Security Representative (ISR), DISA Certified Traditional Reviewer, San Diego Field Office. Office: 858-207-0194, BB: [email protected]

• Mrs. Nadja L. West, Information System Security Professional (ISSP), DISA Certified HBSS/Windows Reviewer, Los Angeles Field Office (Cypress Resident Office). Office: 714-822-3113, BB: [email protected]