2 4 SEP 2014
advertisement
DEPARTMENT OF THE NAVY UNITED STATES NAVAL ACADEMY 121 BLAKE ROAD ANNAPOLIS MARYLAND 21402-1300 USNAINST 5230.1A 6/ITSD 2 4 SEP 2014 USNA INSTRUCTION 5230.1A From: Superintendent Subj: INFORMATION TECHNOLOGY AND CYBERSECURITY POLICY AND STANDARDS Ref: (a) DODD 8320.03 Unique Identification (UID) Standards for a Net-Centric Department of Defense (b) DODD 8570.01 Information Assurance Training, Certification, and Workforce Management (c) DODCIO Policy on Use of Department of Defense (DOD) Information Systems Standard Consent Banner and User Agreement, 09 May 2008 (d) USNAINST 5231.1C, Life Cycle Management Policy for Information Systems (e) USNAINST 7320.1 Management of Personal Property (f) Navy Higher Education Network Cybersecurity Concept of Operations (CONOPs) Encl: (1) Information Technology and Cybersecurity Policy and Standards (2) Acceptable Use Policy for USNA IT Resources (3) Information Technology Services Division (ITSD) Project Request (4) Providing IT Assets, Services and Support to Semester Exchange Students. 1. Purpose. To establish information technology (IT) and cybersecurity policy and standards for the United States Naval Academy (USNA) in accordance with references (a) through (f) . 2. Cancellation. USNAINST 5230.1 3. Applicability. All elements of this instruction apply to all organizations and personnel using the USNA Mission network and to all IT resources including any network and communication infrastructure and attached devices, software systems, web services, and cloud services. USNAINST 5230.1A 2 4 SEP 2014 4. Background. a. Institutional IT policy and standards provide the structure and good order necessary for productivity. Policy and standards also support an environment that provides costeffective service while maintaining currency in technology. Well-defined policy best serves the uncertain nature of a limited budget and IT support staff, increased demand for technology, necessity for - training, shortened product lifecycles, urgency of immediate service, dependence on IT for mission support, and constraints imposed by outside authority. Institutional policy provides the foundation for prudent management of IT resources and a format to analyze courses of actions, select methodologies, and make decisions. b. USNA embraces an "information engineered" IT environment. Information engineering refers to the seamless integration of information technologies; makes available IT products and services for teaching, learning, training, researching, managing, communicating, and decision making; engineers data into accurate information; strives to make complex IT transparent to the user; and affords everyone from novice to expert the opportunity to increase productivity. c. IT must be affordable, achievable, flexible, scalable, migratable, and secure. Affordable means that existing financial assets allow USNA to procure or develop, maintain, upgrade, modernize, and eventually replace technology. Achievable means that existing staff provides for acquisition, systems integration, and operation. Flexible means the technology supports multiple functions. Scalable means the same technology can meet varying demands. Migratable means that the architecture includes a path for the future. Secure means that policies, mechanisms and infrastructure are in place to manage risks related to confidentiality, integrity, and availability of services and information. d. This instruction is a complete revision and should be reviewed in its entirety. Significant changes include: (1) Establishment of the User Repository Database as the authoritative information source for provisioning user accounts and services. 2 USNAINST 5230 . 1A 2 4 SEP 2014 (2) Establishment of user identity standards . (3) Formalization of remote access policy . (4) Assignment of r esponsibilities for prov iding IT serv ices to e x change students. (5) Incorporation of Cy bersecurity Workforce requirements. 5. Responsibilities. a. The Command Information Officer (Chief Information Officer, CIO) shall ensure compliance with applicable DOD/DON IT and cybersecurity policies. The CIO shall promulgate standard procedures (enclosures (1) through (4)) and is responsible for their revision. b. All hands shall follow CIO standard procedures per this instruction. impl ~ mented Distribution: Non Mids(electronically) Brigade (electronically ) 3 USNAINST 5230.1A 2 4 SEP 2014 Information Technology and Cybersecurity Policy and Standards 1. Definitions. a. IT resources include all computing and communications systems. Computing systems include all devices with a processing unit (e.g., server, desktop, laptop, tablet, printer, copier, smartphone, storage device, router, switch, intrusion prevention and detection devices, traffic shaping appliances), devices that can connect to a processing unit (e . g., monitor, external disk, keyboard, mouse, UPS), software (operating systems, hypervisors and applications including shareware, freeware, licensed and public domain), and firmware. Communications systems include telephones, telephone switching devices, facsimile machines, and pagers. b. The USNA mission network consists of the USNA EDU network partitioned into an internal intranet and an extranet demilitarized zone (DMZ), and the USNA MIL network. The USNA EDU network consists of IT resources with connectivity via a usna.edu domain name to the Maryland Research and Education Network (MDREN) . The USNA MIL network consists of IT resources with connectivity via a usna.navy.mil domain name to the Defense Research and Engineering Network (DREN) . c. The USNA guest network consists of access to MDREN from usna . edu tunneled to the DMZ, and is used to facilitate communications for guests attending officially sponsored USNA activities such as conferences and workshops. d. IT Services consist of the applications and functionality made available through IT resources and via USNA contracted cloud services. e. Remote access is access to a USNA information ' system by an authorized user communicating through an external; non-USNA controlled network (e.g. a home network via an internet service provider) . Authorized use of USNA contracted web-based cloud services from a browser on a mobile device is not considered to be remote access. Enclosure (1) USNAINST 5230.1A 2 4 SEP 2014 f. A student is a midshipman, Naval Academy Preparatory School (NAPS) midshipman candidate, or Service Academy exchange student (domestic and foreign) . g. A group account (positional account) is one that by policy, authorizes more than one user to share the same authentication credentials, e.g., the Naval Academy Duty Officer account, nado®usna.edu. 2. Authorized Users. a. Students matriculating at USNA and NAPS and personnel assigned to billets listed in the Activity Manpower Document (AMD) of USNA and NAPS are authorized to use the USNA mission network. Select former civilian USNA faculty members retired from government service, prospective AMD gains and military on temporary additional duty (TAD) to USNA, and others may be authorized to use the USNA mission network if there is a mission requirement to do so. b. The User Repository (UR) database is the authoritative source for information employed to populate the enterprise directory, to create network accounts and to provision IT services. UR information shall be entered and maintained by the respective data owners. 3. Identity. As a DOD component, the identity management standards for persona display names and email addresses established per reference (a) shall be followed where possible. Military, civilians, contractors, and foreign nationals will be distinctly identified. As an institution of higher education, accommodation may be made for civilian faculty upon request. 4 . Managed Services. Authorized users will appear in the enterprise directory. Additional managed IT services required for the performance of duty may be authorized upon request. These include: a. Mission network account. b. Email account. Because email is a contracted cloud service that incurs cost, it is not necessarily provided to all 2 Enclosure (1) USNAINST 5230.1A 2 4 SEP 2014 authorized users. For example, email service is not provided to all employees paid through non-appropriated funds, Naval Academy Athletic Association (NAAA) employees, and TAD military unless a justified need is demonstrated. c. Enterprise Information System account (e.g., AIS, MIDS, NSTAR). d. USNA public and intranet webserver and web content management system account. e. Network shared file system. f. Cloud service account (e.g., Blackboard, Ungerboeck) 5. Access Control. The USNA EDU, .MIL , and guest networks, and remote user access require different manners of access control. a. USNA EDU network. A System Access Authorization Request - Navy (SAAR-N) shall be used to request access to the USNA EDU network and associated IT services. Access will not be granted without an approved SAAR-N. A new SAAR-N shall be initiated to request IT services for USNA faculty who retire from the civil service. (1) An appropriate supervisor shall initiate each request. Supervisors shall certify that the request is for legitimate and justified needs that support the USNA mission: (a) IT service for retired USNA faculty members must be requested via the Academic Dean and Provost. (b) For exchange students, the request shall originate from the Office of the Commandant of Midshipmen. (c) For military assigned TAD to USNA, the request shall originate from the Officer Personnel Office. Group accounts are discouraged and alternate means shall be used wherever possible. 3 Enclosure (1) USNAINST 5230.1A 2 4 SEP 2014 (2) A group account may be authorized only when no other technical means can provide its functionality. (3) Privileged users are defined in reference (b). (a) Privileged access shall not be used to perform computing tasks that do not require elevated privilege. (b) The internet shall not be accessed from a web browser while logged in to a privileged user account, nor shall email be sent from this account. (c) Some users perform privileged access system administration functions on information systems that are not enterprise systems (e.g., a faculty research server). These users are not members of the USNA Cybersecurity Workforce (CSWF) as defined in reference (b), but shall sign a privileged access agreement. b. USNA MIL network. Access will be via VPN from a nonprivileged user account on the usna.edu intranet. c. USNA Guest Network. Access is not granted but may be authorized upon special request. d. Remote access may be authorized for administrative or end-user purposes in support of the USNA mission. (1) Remote administrative access involves users who connect from a remote location to perform system administration tasks on enterprise systems. Remote administrative access is authorized for members of the CSWF. It shall not be used routinely, but may be used to resolve emergent critical issues that require timely response. Supervisors shall remain informed of this use. (2) Remote end-user access involves users who connect from a remote location to perform tasks typical of their USNA job description. Remote end-user access is for occasional use and is not telework, which requires separate authorization. 4 Enclosure (1) USNAINST 5230.1A 2 4 SEP 2014 (3) Users must sign a Remote Use Agreement before being authorized remote access. e. Approval Authority. (1) The Command Information Systems Security Manager (ISSM) or designated assistant is the approval authority for granting access to USNA mission and guest networks. (2) The Deputy Director of the cognizant ITSD department is the approval authority for granting access to a managed IT service. (3) The CIO shall approve all retired USNA faculty IT service requests. 6. Authorized Use. a. Authorized use indicates the IT resource is used to directly support the USNA mission and is not prohibited by law, regulation, instruction, or command policy. Questions concerning authorized use shall be resolved by an appropriate supervisor; the user does not determine what use is authorized. b. The USNA mission network is a U.S. Government (USG) information system (IS) . By accessing a USG IS, the user gives consent to conditions on government-authorized use specified in the reference (c) User Agreement and summarized in login notice and consent banners . The provisions of this agreement and banners apply for all IT services including cloud services accessed from a web browser on a mobile device in any location. c. Consistent with DOD policy, Cost Center Heads may authorize limited personal use while in the workplace. Authorized personal use includes personal communications (e.g., with family members and medical staff or for scheduling appointments) as long as the use: (1) Does not adversely affect the employee's performance of duty. 5 Enclosure (1) USNAINST 5230.1A 2 4 SEP 2014 (2) Is of reasonable duration and frequency, and conducted during the individual's personal time. (3) Serves a legitimate interest that in some manner indirectly supports the USNA mission, such as improving morale, enhancing professional skill, or furthering education. (4) Does not adversely impact mission network performance. (5) Does not incur additional cost to USNA. (6) Is continuously attended. d. A computing device that is government property issued for employee use while in the USNA workplace may be used outside of the workplace (e.g., during official travel) under the following conditions: (1) The use is approved by the employee's supervisor. (2) Unless a formal telework agreement has been approved, the use is temporary (e.g., a laptop may not be used as a "home computer"). (3) The Deputy for Cybersecurity, ITSD, must be contacted in advance if a government computing device is to be used during international travel. The device may require reimaging upon return. 7. General User Responsibilities. Prudent, efficient, cost effective, and secure use of information technology is a professional responsibility . Users shall adhere to the Acceptable Use Policy for USNA IT Resources in enclosure (2), and the Navy User Agreement and Consent Provisions. Additionally, a. Users are expected to be able to perform basic computing tasks without assistance. b. Users shall acquire training in the use of the systems 6 Enclosure (1) USNAINST 5230.1A 2 4 SEP 2014 required to perform their assigned duties, by attending classes, reading instructions and manuals, viewing tutorial videos, etc. c. Data to be backed up consumes primary and backup storage space and network bandwidth during backup. Users should be cognizant of what data is being backed up as a service, take care to not duplicate this data, and shall assume responsibility for backing up all other of their own critical data. d. Users should follow cybersecurity best practices in the workplace, including: (1) Being wary of email and attachments from unknown sources. (2) Not clicking links that cannot be verified. (3) Not downloading anything from untrusted sources. (4) Not using the same password to authenticate to different accounts or services. 8. Life Cycle Management (LCM). a. Abbreviated System Decision Paper (ASDP). Per reference (d) , all mission IT resource needs will be planned and documented annually in an ASDP. A request for emergent project support not included in a current ASDP should be documented by submitting enclosure (3) which amends the current ASDP. b. Acquisition. All USNA IT acquisitions require LCM documentation and approval by the Deputy for ITSD prior to procurement. Required documentation (specifications, descriptions, justifications, privacy impact assessments, documents required by the configuration control board (CCB), etc.) prepared by the requesting organization must be accurate. Acquisition of capital equipment or other items resulting in a new or improved information system are funded through an Operations and Maintenance, Navy (O&MN) or Other Procurement, Navy (OPN) account as applicable. Operational support and maintenance to sustain existing information systems as currently 7 Enclosure (1) USNAINST 5230.1A 2 4 SEP 2014 configured are funded through the O&MN centralized maintenance account. Consumable supplies, designated non-centralized maintenance actions, and incidental software acquisitions are funded from organizational O&MN expense accounts. Telecommunications equipment and services are funded through the telecommunications account. c. Per reference (e), Property Responsible Officers shall maintain an accurate inventory and disposition of IT assets within their department. Lost or stolen IT assets shall be reported per reference (e) . 9. World Wide Web. a. The official USNA internal and external web sites are administered by ITSD. Certain areas of the web site are maintained by non-ITSD personnel with oversight and assistance provided by software/application developers assigned to ITSD. b. Additional USNA policy pertaining to web-page maintainers and content developers is published on the internal USNA web site. 10. Semester Exchange Students. ITSD is responsible for providing IT services to visiting cadets participating in the Service Academy Exchange Program, and to Foreign Service Academy cadets identified by the Academic Dean (AcDean) . The Commandant of Midshipmen (COMDT) manages the military affairs of all midshipmen and NABSD is responsible for issuing and maintaining midshipmen computers. These parties shall coordinate efforts per enclosure (4) to ensure exchange students receive IT services in a timely manner before an academic semester begins. 11. Cybersecurity and Configuration Control. a. Before a federal agency can grant an Authority to Operate (ATO) , a government information system, the Federal Information Security Management Act (FISMA) requires these systems to be certified and accredited with respect to cybersecurity risk management. The risk management framework includes continuous monitoring and periodic recertification. 8 Enclosure (1) USNAINST 5230.1A 2 4 SEP 2014 b. A baseline level of cybersecurity is established through a set of controls. A cybersecurity control describes an objective condition of integrity, availability, or confidentiality achieved by applying specific safeguards or regulating specific activities. The objective condition is testable, compliance is measurable, and the activities required to achieve the control are assignable and accountable. Controls include such things as training and education, technical implementation requirements, configuration control processes, logging and reporting, and physical security . c. The risk category of the information system determines the controls that are applied. USNA systems are not designated as National Security Systems and do not store nor transmit classified information but do contain sensitive information such as Personally Identifiable Information (PII), financial data, and operational data that must be protected. The USNA ATO is based on the reference (f) Concept of Operations for an educational environment. The following policies support USNA certification and accreditation: (1) Personal Electronic Devices (PEDs) are not permitted on the mission network without prior written approval. (2) A personally owned mobile device shall be registered before it is used to access USNA contracted cloud services, and users shall comply with all conditions of registration (e.g., PIN/password requirements, maintenance of registration, etc.) Loss or theft of registered personally owned mobile devices shall be reported to ITSD. (3) Device quarantine, seizure, and re-configuration may be used to mitigate risk. Vulnerable software that is not accepted with an approved mitigation plan and is not remediated, as required, will be disabled. _ (4) Configuration Control shall be implemented in accordance with reference (f) and amplifying procedures as promulgated by ITSD. (5) Members of the USNA CSWF shall maintain 9 Enclosure (1) USNAINST 5230.1A 2 4 SEP 2014 certification and training per reference (b) and procedures established by the CIO. 12. Information Technology Services Division (ITSD) Support. a. ITSD will assist acquisition, operations, information technologies Support will be provided the customer and approve the maintenance, and management of needed to support the USNA mission. with the following priorities: (1) Emergent critical (e.g., equipment failure, disaster recovery) (2) Externally driven (e.g., security, legal) (3) Enterprise mission (e.g . , MIDS, AIS, NSTAR, contracted cloud services) (4) Academic core (core courses) (5) Academic major (majors, courses and electives) (6) Academic research and administrative (Faculty Research Office) b. (7) Administrative (e.g., Institutional Research) (8) Command support (e.g., conferences, meetings, ECAs) Information Technology Service Center (ITSC). (1) The ITSC supports authorized users and is a single point of contact for reporting problems with or asking questions about managed IT services and the associated IT resources. The ITSC does not provide general education or training in basic computer use, does not assist with questions related to use of specialized customer software, and does not maintain student computers. (2) "Level-1n support is primarily accessible through telephone, remote assistance, or face-to-face help in Ward Hall 10 Enclosure (1) USNAINST 5230.1A 2 4 SEP 2014 Room G-1 and departmental IT Specialists. Users with simple issues should use one of these means. ITSC and IT specialists will attempt to resol v e these issues as soon as possible; however, support is only provided during normal business hours . These support requests may also be emailed at any time for entry into the support ticketing system, but response time will include ticket processing time. Issues that cannot be resolved at this lev el are escalated to level-2 and entered into the ticketing system for tracking. (3) "Level - 2" support is for level-1 issues identified outside of normal business hours and for issues that might not be resolved in the same day. Technical expertise from a single ITSD department is typically required to address level - 2 issues as they often require gathering additional information. ITSD will attempt to resolve level-2 issues within several workdays. Issues not resolved in this timeframe or by a single department are escalated to level-3. (4) "Level-3" support is required if new solutions must be devised or more than one ITSD department is involved . Resolving level-3 issues will usually take more than sev eral days. c. Any support issues requiring acquisition to resolve should also be addressed where appropriate through the Life Cy cle Management process per reference (d) or Configuration Control Board. 11 Enclosure (1) USNAINST 5230.1A 2 4 SEP 2014 Acceptable Use Policy for USNA IT Resources The USNA mission network is a U.S. Government (USG) information system (IS). By accessing a USG IS, the user gives consent to conditions on government-authorized use specified in the DOD Standard User Agreement and summarized in login notice and consent banners. The provisions of this agreement and banners apply for all IT services including cloud services accessed from a web browser on a mobile device in any location . A user shall comply with all DOD/DON/USNA policies on use of IT resources, and: • Must use information technology resources only for authorized education, research, and administrative activities in support of the Naval Academy mission. • Must remain aware of the licensing terms and conditions of all software they use . • Must permit system access for vulnerability scanning and remediation. • Must use official email distribution lists only for missionrelated purposes that are germane to the list. • Must NOT participate in any behavior that unreasonably interferes with the fair use of IT resources by another (e.g., bandwidth or disk space consumption) . • Must NOT use images or graphics that reflect adversely on the Naval Academy, including personal images associated with contracted USNA cloud services. • Must NOT override a displayed persona identity (display name) formatted in accordance with DOD/DON/USNA policy. • Must NOT remove or disable client software required for network access control or vulnerability scanning and remediation. Enclosure (2) USNAINST 5230.1A I 4 SEP ?014 • Must NOT use IT resources for illegal or unethical purposes, including: o o o o o o o o o o Possessing, copying, or using illegal software. Destruction or damage to Naval Academy or personal resources. Disruption or unauthorized monitoring of communications. Harassment of others. Dishonesty (plagiarism, cheating, using false identity). Violation of another individual's privacy. Violation of copyright and fair use laws. Violation of licensing agreements. Any use whose intended purpose is financial gain. Pornography (viewing or downloading) 2 Enclosure · (2) USNAINST 5230.1A ? 4 SEP 2014 Information Technology Services Division (ITSD) Project Request Date MEMORANDUM From: To: Cost Center Head Deputy for Information Technology Services Subj: REQUEST FOR PROJECT SUPPORT Encl: (as needed) 1. Request for Service. support. Summarize the details of the requested 2. Organizational Point of Contact. Provide the name, title, email address, and telephone number of the principal point of contact on all matters relating to the project. 3. Priority of Request. Indicate one of the following priorities, with justification: a. Mandatory: the accomplishment is critical to the USNA mission. Alternative action is neither unavailable nor feasible. Immediate resolution may be required. b. Necessary: the accomplishment contributes significantly to improved effectiveness and/or efficiency. c. Desired: the accomplishment would contribute to improved effectiveness, efficiency, economy, or convenience. 4. Required Date. Provide two realistic dates: a. Desired Date. Provide the optimum date from the requestor's viewpoint. b. Critical Date. Provide the latest acceptable date for satisfying the request, beyond which a critical deficiency will exist (N/A if priority is desired) . Enclosure (3) USNAINST 5230.1A ? 4 SFP ?011.1 Subj: REQUEST FOR PROJECT SUPPORT 5. Detailed Description of the Service Requested. Include functional requirements, drawings, system specifications, etc. 6. Reason for Request. Justify the request. Address weaknesses in existing systems, the proposed corrections or improvements, and the specific benefits to be realized. Expected benefits may be described in terms of cost reductions in manpower, supplies, equipment, response time, etc.; or increased capabilities. 7. References. List instructions, letters, documents, memoranda, and publications that make the case for and substantiate the request. 8. Funding. Identify the source of funding. 2 Enclosure (3) USNAINST 5230.1A I 4 SEP 2014 Providing IT Assets, Services, and Support to Exchange Students 1. The Academic Dean shall, before each semester begins: a. Identify to ITSD and NABSD the number of computers required by foreign exchange students . b. Ensure each foreign exchange student has a record in the USNA enterprise MIDS system . 2. The Commandant of Midshipmen shall: a. Before each semester begins: (1) For asset and systems support planning purposes, identify to NABSD the number of computers that will be needed by domestic exchange students. (2) To permit assignment of IT services, ensure each inbound domestic exchange student has a record in the USNA enterprise MIDS system. (3) Initiate a SAAR-N for all exchange students, foreign and domestic. (4) Identify and communicate to ITSD any special computer configuration required by the exchange student source organization for consideration in network configuration control (e.g., VPN client software and settings for on-line coursework, course registration) . b. Before an exchange student returns to their source organization, ensure IT assets are returned to NABSD. This action is necessary for efficient life-cycle management. 3. The Director, NABSD shall: a. Coordinate with ITSD to provide IT assets with hardware and software functionally equivalent to that issued to an exchange student's USNA year group. Enclosure (4) USNAINST 5230.1A ') A SFP ?01A b . . Before each semester begins, have sufficient laptop computers available for the number of exchange students identified by ACDEAN and COMDT. c. Provide exchange students with the same computer support services provided midshipmen. 4. The Deputy, ITSD shall: a. Coordinate transferring computer custody between NABSD, ITSD and exchange students. b. Grant exchange students the standard network services of a USNA midshipman. c. When possible, accommodate special computer configurations required by the exchange student source organizations. 2 Enclosure (4)
