Defense Security Service Contractor SIPRNet Process

Objectives
– What is the Secret Internet Protocol Router Network (SIPRNet)?
– Roles and Responsibilities
– Circuit Validation and Order
– Required Equipment/Devices
– CNDSP/HBSS
– Connection Approval Package
– Connection Approval
– Disclosure Authorization
– Re-validation
– Process Flow Chart
– SIPRNet FAQs

What is the SIPRNet?
• The SIPRNet (Secret Internet Protocol Router Network) is a system of interconnected computer networks used by the Department of Defense and the U.S. Department of State to transmit classified information (up to and including information classified SECRET) by packet switching over the TCP/IP protocols in a "completely secure" environment. It also provides services such as hypertext documents and electronic mail. In other words, the SIPRNet is the DoD’s classified version of the civilian Internet.
• The SIPRNet is virtually indistinguishable from the Internet to the user. Its chief visible difference is the domain name system, with almost all sites being under '.smil.mil' or '.sgov.gov'.

Roles and Responsibilities
Organization: Responsibilities
• Defense Information Systems Agency (DISA)
  – Responsible for Defense Information Systems Network (DISN) circuits and oversight.
• Office of the Assistant Secretary of Defense for Networks and Information Integration (OASD(NII))
  – Final approval authority for all connection requests in support of the sponsor’s mission.
• DISA SIPRNet Management Office
  – Reviews SIPRNet requests and initial topologies to determine whether the proposed DISN solution is appropriate.
  – Forwards the approved solution to OASD(NII) for approval.
• Government Sponsor
  – Sponsor/owner of the contractor connection.
  – Provides funding for the circuit and any other required services for the contractor connection to SIPRNet (i.e., Computer Network Defense Service Provider (CNDSP), email, Domain Name Service (DNS)).
• Defense Security Service (DSS)
  – DAA for accrediting information systems used to process classified information in industry.
  – Processes System Security Plans (SSP).
• DISA Certification and Accreditation Office/Classified Connection Approval Office (CAO)
  – Processes Connection Approval Packages (CAP); issues IATT, IATO and ATC.

Circuit Validation/Order
• Government Contracting Authority (GCA)
  – Sponsorship is required to validate contractor and mission support requirements.
  – OASD validation is good for 3 years.
• Sponsorship Letter (example)
  – The letter must include: contract number, CAGE code, and POC information. Additionally, the sponsor letter must include all SIPRNet resources the contractor will require (i.e., ports, protocols, services, websites, etc.), and a network topology diagram is required.
• Submit to SSMO@disa.mil
• Approval needed by: DISA SMO, the Sponsor’s Service/Agency validation official, then OASD NII approval.
• Initiate SIPRNet connection.
  – DISA Direct Online Entry (DDOE) Customer Support 618-229-9922 or DISN Global Support Center (DGSC) 800-554-3476. Additional info: https://www.disadirect.disa.mil/products/asp/welcome.asp
• Register the IS information within the SIPRNet IT Registry.
• Obtain SIPRNet IP addresses. Contractors will contact their government sponsor to provide IP addressing requirements.
  – DoD Network Information Center (NIC) at 800-582-2567

Required Equipment/Devices
• To protect the integrity of the network, all SIPRNet circuits require Type 1 encryption. The customer is required to provide the appropriate encryption device and associated Fixed Plant Adapter (FPA) for both ends of the SIPRNet access circuit.
• Examples of approved devices on the DISN include the KIV-7M, KIV-7M with DS-3 Module, KG-175B/D, and the KG-175A.

Required Equipment/Devices (continued)
• DISA requires that all systems connected to SIPRNet have an Evaluation Assurance Level (EAL) 4 firewall and an EAL 2 IDS.
• National Information Assurance Partnership (NIAP) Evaluated Products list: http://www.niap-ccevs.org/vpl/
• For configuration guidance: http://iase.disa.mil/stigs/stig/index.html
(Examples only; DSS does not endorse products.)

CNDSP
• In accordance with DoD Directive O-8530.1, it is the responsibility of all DoD Components to either establish a Computer Network Defense (CND) Service or subscribe to an accredited Tier 2 CND Service Provider (CNDSP). This policy applies to all DoD systems and networks, to include non-DoD Information Systems connected to the DISN. As prescribed by DoD Directive O-8530.1, an accredited Tier 2 CNDSP provides services for protection, detection, monitoring, analysis, and response actions or activities ensuring robust CND for DoD. These services include actions taken to protect, monitor, analyze, detect, and respond to unauthorized activity within DoD information systems and computer networks. These services also include the employment of IA capabilities to respond to unauthorized activity within DoD information systems and computer networks in response to a CND alert or threat information.
• If the customer has not been aligned to a CNDSP, they will not be authorized for connection to the DISN. As of January 2011, Plans of Action & Milestones (POA&M) or Temporary Waivers are NOT permitted for lack of CNDSP alignment.
• CNDSP Potential Issues:
  – Cost (approx. 40k)
  – Army Research Labs (ARL)
    • One of few accepting new CNDSP alignment
    • Lack of inventory of sensors
• Existing SIPRNet Nodes:
  – DISA FSO has agreed to permit an MOA with the sponsor and CNDSP, plus proof of funds, as meeting the CNDSP alignment requirement. All non-compliant nodes shall seek CNDSP alignment immediately.
• New SIPRNet Nodes:
  – Obtain CNDSP alignment during the circuit acquisition process, prior to ATO/ATC.
CTO 10-133/HBSS
• Communication Tasking Order (CTO) 10-133
  – DSS CTO 10-133 Guidance
  – File Sanitization Tool (FiST) for Flash Media transfers only
  – Vulnerability Management System (VMS) account
• Host Based Security System (HBSS) with Device Control Manager (DCM)
  – Existing circuits with current accreditation: POA&M
  – New circuits: must be compliant with DSS CTO 10-133 Guidance
  – Obtaining HBSS software
    • Sponsor/customer of the circuit’s responsibility
    • Sponsor/customer can contact DISA HBSS: http://www.disa.mil/hbss/
  – Configuration
    • Ensure that the DCM module is installed to prevent data transfers
    • Data transfers can only occur if DSS has a RAL on file with the (M)SSP

CCRI
• Command Cyber Readiness Inspection (CCRI)
  – Currently conducted by DISA FSO
  – In the future, DSS-trained Information System Security Professionals (ISSP) and Industrial Security Representatives (ISR) will conduct the inspection in coordination with the annual review
  – 120-day notice prior to CCRI
• CCRI inspects and grades the IA operational readiness of each network
  – Inspects operating systems (and DNS), network and network devices, HBSS, physical environment (traditional)
  – Compliance with USCYBERCOM (CTOs)

Connection Approval Package
• After receiving circuit approval/validation and the circuit order, the contractor should be developing all required security documentation and beginning system configuration/hardening.
• Required documentation for Connection Approval Package (CAP) submittal to the DISA Classified Connection Approval Office (CAO), CCAO@disa.mil:
  – DSS ISFO Process Manual for contractor Certification and Accreditation
    • System Security Plan (SSP), Protection Profile (PP), other documentation as required
    • Obtain DSS Accreditation Letter
  – SIPRNet Connection Questionnaire (SCQ) with DSS RDAA signature (example)
  – Consent to Monitor signed by sponsor
  – Residual Risk Memorandum signed by contractor
  – Topology diagram (example)
    • IP addresses are required (FOUO, unless specified by sponsor with supporting security classification guide)

Connection Approval
• The DISA CAO manages the Connection Approval Process and security requirements for the SIPRNet.
• DISA CAO verifies the CAP is complete with all required documentation.
• Once the circuit is installed at the contractor facility (DMARC) and the security package is approved by DISA CAO, DISA will issue an Interim Approval To Test (IATT).
  – Note: Prior to DISA scheduling a technician to install/configure the CSU/DSU, KIV-7, etc., the following items are required:
    • 1) DSS ATO
    • 2) CAP approved by DISA CAO
  – Burn-in and implementation by GNSC
• After burn-in and implementation by the GNSC, the CAO will initiate a remote compliance vulnerability scan. Once a successful scan has been completed, the CAO will issue an IATC/ATC.
• Contractor on SIPRNet

Disclosure Authorization
• Contractors are NOT allowed unfiltered access to the SIPRNet (CJCSI 6211.02). The government sponsor determines access requirements. The validation letter must identify access requirements (i.e., websites and ports and protocols).
  – Sponsor sends form to DISA SMC: SMC-CNTR@disa.mil
  – DISA builds/updates the contractor filter

Re-Validation
• Sponsor revalidates the circuit every 3 years (example template)
• Has there been a change in sponsor, mission, requirement, contract or location?
  – If yes, OASD (NII) approval is required
• Once re-validated, submit the updated CAP to CCAO@disa.mil

SIPRNet Flow
[SIPRNet process flow chart]

FAQ
1. What is a Plan of Action and Milestones (POA&M)?
Answer: A POA&M identifies tasks to be accomplished in support of Certification and Accreditation (C&A). It details resources required to accomplish the elements of the C&A, any milestone dates in meeting the tasks, and scheduled completion dates for the tasks. The purpose of a POA&M is to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and systems. The POA&M is developed from security weaknesses and deficiencies identified during the security assessment of the system. The POA&M is submitted from the Program/Project Manager of the system to the Designated Approval Authority (DAA) to demonstrate the way forward with resolving areas of noncompliance.
2. Can a contractor have unfiltered access to SIPRNET sites?
Answer: No. All contractors must have filtered access (CJCSI 6211.02). The contractor’s access to resources (i.e., websites, ports, etc.) on SIPRNet is determined by their sponsor and authorized through DISA’s disclosure authorization process.
3. What documents are needed to continue a connection when the circuit expires?
Answer: The sponsoring agency will need to provide DISA with a valid Non-DoD Connection Re-Validation letter, DSS Approval to Operate (ATO) letter, SIPRNET Connection Questionnaire (SCQ), and any additional supporting documentation at DISA’s request. (Reference: http://www.disa.mil/connect/instructions/nondod_exist_siprnet_no.html)
4. Who should the sponsoring agency contact in reference to circuit installation?
Answer: Please contact the SIPRNET service manager at 703-882-0191 or the SIPRNET Support Center at 800-582-2567.
5. Who should the sponsoring agency contact in reference to a circuit being looped-away (disconnected)?
Answer: DISA CAO at 703-882-1455 or 703-882-2086, ccao@disa.mil, or DSS ODAA at disn@dss.mil.
6. Can a contractor connect through another SIPRNET connection for access?
Answer: No. This is considered a “back door,” which is not allowed. Contractors are prohibited from tapping into other SIPRNET connections for access (CJCSI 6211.02).
7. Can a contractor have more than one government entity utilizing their SIPRNET connection?
Answer: Yes. This configuration can be administratively cumbersome and requires special approval from DISA. Each contract must operate on a separate subnet (subnet per contract/per sponsor) and each sponsor is required to submit a sponsor Non-DoD connection package. Implementation of a Memorandum of Understanding (MOU) between the sponsoring DoD agencies will be required. The primary sponsoring agency takes full responsibility for the circuit. “Need-to-know” must be established for each contract. Additionally, the subagency accessing the circuit must understand that if the circuit is shut off for issues related to the prime sponsor, they too risk losing their access. Additionally, each sponsor will need to provide a validation package with OASD (NII) approval for their respective contractor. Contact the DISA SIPRNet Management Office at 703-882-1574 or DSS ODAA at disn@dss.mil for more information.
8. Can a contractor extend the connection within their facility?
Answer: Yes. The contractor may extend the connection within their facility. The System Security Plan (SSP) must demonstrate how the line is protected while running through the facility (i.e., approved Protected Distribution System (PDS), NSA Type 1 encryption, etc.). Contact your DSS Industrial Security Representative for further information.
9. Do contractors follow the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) for processing on classified systems connected to the SIPRNet?
Answer: No.
Contractors use the Certification and Accreditation Process documented in the Industrial Security Field Office (ISFO) Process Manual. The ISFO PM can be requested from the DSS web site (http://www.dss.mil/isp/odaa/request.html). Contractors do not need to follow DIACAP.

POCs and Links
• DISA SSMO: SSMO@disa.mil or 703-674-5311
• DISA Certification and Accreditation: 703-882-1940
• DISA CAO: 703-882-1455, CCAO@disa.mil
• DSS PM: disn@dss.mil
• DISN Connection Process:
  – Non-DoD New Connection: http://www.disa.mil/connect/instructions/nondod_new_siprnet.html
  – Non-DoD Existing Connection: http://www.disa.mil/connect/instructions/nondod_exist_siprnet.html
• NIAP Validated Products List: http://www.niap-ccevs.org/vpl/
• DISA STIGs: http://iase.disa.mil/stigs/stig/index.html
• DISA Direct Order (DDOE): https://www.disadirect.disa.mil/products/asp/welcome.asp (PKI required)
• DSS: www.dss.mil
• DoD Network Information Center (DoD NIC): www.nic.mil / www.ssc.smil.mil, 800-582-2567