Defense Security Service
Contractor SIPRNet
Process
Objectives
– What is the Secret Internet Protocol Router Network (SIPRNet)?
– Roles and Responsibilities
– Circuit Validation and Order
– Required Equipment/Devices
– CNDSP/HBSS
– Connection Approval Package
– Connection Approval
– Disclosure Authorization
– Re-validation
– Process Flow Chart
– SIPRNet FAQs
What is the SIPRNet?
• The SIPRNet (Secret Internet Protocol Router Network) is a system of
interconnected computer networks used by the Department of Defense and
the U.S. Department of State to transmit classified information (up to and
including information classified SECRET) by packet switching over the
TCP/IP protocols in a "completely secure" environment. It also provides
services such as hypertext documents and electronic mail. In other words,
the SIPRNet is the DoD’s classified version of the civilian Internet.
• The SIPRNet is virtually indistinguishable from the Internet to the user. Its
chief visible difference is the domain name system, with almost all sites
being under '.smil.mil' or '.sgov.gov'.
Roles and Responsibilities
Organizations and their responsibilities:
• Defense Information Systems Agency (DISA)
– Responsible for Defense Information Systems Networks (DISN) circuits and oversight.
• Office of the Assistant Secretary of Defense for Networks and Information Integration (OASD (NII))
– Final approval authority for all connection requests in support of sponsor’s mission
• DISA SIPRNet Management Office
– Reviews SIPRNet requests and initial topologies to determine whether the proposed DISN solution is appropriate.
– Forwards the approved solution to OASD NII for approval.
• Government Sponsor
– Sponsor/owner of contractor connection
– Provides funding for circuit and any other required services for contractor connection to SIPRNet (i.e. Computer Network Defense Service Provider (CNDSP), email, Domain Name Service (DNS)).
• Defense Security Service (DSS)
– DAA for accrediting information systems used to process classified information in industry
– Processes System Security Plans (SSP)
• DISA Certification and Accreditation Office/Classified Connection Approval Office (CAO)
– Processes Connection Approval Packages (CAP) – issues IATT, IATO and ATC.
Circuit Validation/Order
• Government Contracting Authority (GCA)
– Sponsorship is required to validate contractor and mission support requirements
– OASD validation is good for 3 years
• Sponsorship Letter (example)
– Letter must include: contract number, CAGE code, and POC information. Additionally, the sponsor letter must include all SIPRNet resources the contractor will require (i.e. ports, protocols, services, websites, etc.), and a network topology diagram is required.
• Submit to SSMO@disa.mil
• Approval needed by: DISA SMO, Sponsor’s Service/Agency validation official then OASD NII approval.
• Initiate SIPRNet connection.
– DISA Direct Online Entry (DDOE) Customer Support 618-229-9922 or DISN Global Support Center (DGSC) 800-554-3476. Additional info: https://www.disadirect.disa.mil/products/asp/welcome.asp
• Register the IS information within the SIPRNet IT Registry.
• Obtain SIPRNet IP addresses. Contractors will contact their government sponsor to provide IP addressing requirements.
– DOD Network Information Center (NIC) at 800-582-2567
Required Equipment/Devices
• To protect the integrity of the network, all SIPRNet circuits require Type 1 encryption. The customer is required to provide the appropriate encryption device and associated Fixed Plant Adapter (FPA) for both ends of the SIPRNet access circuit.
• Examples of approved devices on the DISN include the KIV-7M, KIV-7M with DS-3 Module, KG-175B/D, and the KG-175A.
Required Equipment/Devices
• DISA requires that all systems connected to SIPRNet have an Evaluated
Assurance Level (EAL) 4 firewall and an EAL 2 IDS.
• National Information Assurance Program (NIAP) Evaluated Products list:
http://www.niap-ccevs.org/vpl/
• For configuration guidance:
– http://iase.disa.mil/stigs/stig/index.html
Examples only (DSS does not endorse products)
CNDSP
• In accordance with DoD Directive O-8530.1, it is the responsibility of all DoD Components to either establish a Computer Network Defense (CND) Service or subscribe to an accredited Tier 2 CND Service Provider (CNDSP). This policy applies to all DoD systems and networks, to include non-DoD Information Systems connected to the DISN. As prescribed by DoD Directive O-8530.1, an accredited Tier 2 CNDSP provides services for protection, detection, monitoring, analysis, and response actions or activities ensuring robust CND for DoD. These services include actions taken to protect, monitor, analyze, detect, and respond to unauthorized activity within DoD information systems and computer networks. These services also include the employment of IA capabilities to respond to unauthorized activity within DoD information systems and computer networks in response to a CND alert or threat information.
• If the customer has not been aligned to a CNDSP, they will not be authorized for connection to the DISN. As of January 2011, Plans of Actions & Milestones (POA&M) or Temporary Waivers are NOT permitted for lack of CNDSP alignment.
• CNDSP Potential Issues:
– Cost (approx 40k)
– Army Research Labs (ARL)
• One of few accepting new CNDSP alignment
• Lack of inventory of sensors
• Existing SIPRNet Nodes:
– DISA FSO has agreed to permit MOA with sponsor and CNDSP and proof of funds as meeting CNDSP alignment requirement. All non-compliant nodes shall seek CNDSP alignment immediately.
• New SIPRNet Nodes:
– Obtain CNDSP alignment with circuit acquisition process prior to ATO/ATC.
CTO 10-133/HBSS
• Communication Tasking Order (CTO) 10-133
– DSS CTO 10-133 Guidance
– File Sanitization Tool (FiST) for Flash Media transfers only
– Vulnerability Management System (VMS) account
• Host Based Security System (HBSS) with Device Control Manager (DCM)
– Existing circuits with current accreditation: POAM
– New circuits: must be compliant with DSS CTO 10-133 Guidance
– Obtaining HBSS software
• Sponsor/customer of circuit’s responsibility
• Sponsor/customer can contact DISA HBSS http://www.disa.mil/hbss/
– Configuration
• Ensure that the DCM module is installed to prevent data transfers
• Data transfers can only occur if DSS has RAL on file with (M)SSP
CCRI
• Command Cyber Readiness Inspection (CCRI)
– Currently conducted by DISA FSO
– In the future, DSS-trained Information System Security Professionals (ISSP) and Industrial Security Representatives (ISR) will conduct it in coordination with the annual review
– 120 day notice prior to CCRI
• CCRI inspects and grades the IA operational readiness of each network
– Inspects operating systems (and DNS), network and network devices, HBSS, physical environment (traditional)
– Compliance with USCYBERCOM (CTOs)
Connection Approval Package
• After receiving circuit approval/validation and circuit order, the contractor should be developing all required security documentation and begin system configuration/hardening.
• Required documentation for Connection Approval Package (CAP) submittal to DISA Classified Connection Approval Office (CAO) CCAO@disa.mil:
– DSS ISFO Process Manual for contractor Certification and Accreditation
• Systems Security Plan (SSP), Protection Profile (PP), other documentation as required
• Obtain DSS Accreditation Letter
– SIPRNet Connection Questionnaire (SCQ) with DSS RDAA signature (example)
– Consent to Monitor signed by sponsor
– Residual Risk Memorandum signed by contractor
– Topology diagram (example)
• IP addresses are required (FOUO, unless specified by sponsor with supporting security classification guide)
Connection Approval
• The DISA CAO manages the Connection Approval Process and security requirements for the SIPRNet.
• DISA CAO verifies CAP is complete with all required documentation.
• Once circuit is installed at Contractor facility (DMARC) and security package approved by DISA CAO, DISA will issue an Interim Approval To Test (IATT).
– Note: Prior to DISA scheduling a technician to install/configure CSU/DSU, KIV-7 etc., the following items are required:
• 1) DSS ATO
• 2) CAP approved by DISA CAO
– Burn-in & implementation by GNSC
• After burn-in and implementation by the GNSC, the CAO will initiate a remote compliance vulnerability scan. Once a successful scan has been completed, the CAO will issue an IATC/ATC.
• Contractor on SIPRNet
Disclosure Authorization
• Contractors are NOT allowed unfiltered access to the SIPRNet (CJCSI 6211.02). The government sponsor determines access requirements. The validation letter must identify access requirements (i.e., websites and ports and protocols).
– Sponsor sends form to DISA SMC SMC-CNTR@disa.mil
– DISA builds/updates contractor filter
Re-Validation
• Sponsor revalidates the circuit every 3 years (example template)
• Has there been a change in sponsor, mission, requirement, contract or location?
– If yes, OASD (NII) approval required
• Once re-validated, submit updated CAP to CCAO@disa.mil
SIPRNet Flow
FAQ?
1. What is a Plan of Action and Milestones (POA&M)?
Answer: A POA&M identifies tasks to be accomplished in support of Certification and Accreditation
(C&A). It details resources required to accomplish the elements of the C&A, any milestone dates in
meeting the tasks, and scheduled completion dates for the tasks.
The purpose of a POA&M is to assist agencies in identifying, assessing, prioritizing, and monitoring the
progress of corrective efforts for security weaknesses found in programs and systems.
The POA&M is developed from security weaknesses and deficiencies identified during the security
assessment of the system. The POA&M is submitted from the Program/Project Manager of the system
to the Designated Approval Authority (DAA) to demonstrate the way forward with resolving areas of noncompliance.
2. Can a contractor have unfiltered access to SIPRNET sites?
Answer: No. All contractors must have filtered access (CJCSI 6211.02). Contractor’s access to
resources (i.e., websites, ports etc.) on SIPRNet is determined by their sponsor and authorized through
DISA’s disclosure authorization process.
3. What documents are needed to continue a connection when the circuit expires?
Answer: The sponsoring agency will need to provide DISA with a valid Non-DoD Connection Re-Validation
letter, DSS Approval to Operate (ATO) letter, SIPRNET Connection Questionnaire (SCQ), and any
additional supporting documentation at DISA's request. (Reference:
http://www.disa.mil/connect/instructions/nondod_exist_siprnet_no.html )
4. Who should the sponsoring agency contact in reference to circuit installation?
Answer: Please contact the SIPRNET service manager at 703-882-0191 or the SIPRNET Support Center at
800-582-2567.
5. Who should the sponsoring agency contact in reference to a circuit being looped-away
(disconnected)?
Answer: DISA CAO 703-882-1455 and 703-882-2086 ccao@disa.mil, or DSS ODAA disn@dss.mil.
6. Can a contractor connect through another SIPRNET connection for access?
Answer: No. This is considered a “back door,” which is not allowed. Contractors are prohibited from
tapping into another SIPRNET connection for access (CJCSI 6211.02).
7. Can a contractor have more than one government entity utilizing their SIPRNET connection?
Answer: Yes. This configuration can be administratively cumbersome and requires special approval from
DISA. Each contract must operate on a separate subnet (subnet per contract/per sponsor) and each sponsor
is required to submit a sponsor Non-DoD connection package. Implementation of a Memorandum of
Understanding (MOU) between the sponsoring DoD agencies will be required. The primary sponsoring agency
takes full responsibility for the circuit. “Need-to-know” must be established for each contract. Additionally, the
subagency accessing the circuit must understand that if the circuit is shut off for issues related to the prime
sponsor they too risk losing their access. Additionally, each sponsor will need to provide a validation package
with OASD (NII) approval for their respective contractor.
Contact DISA SIPRNet Management Office at 703-882-1574 or DSS ODAA disn@dss.mil for more
information.
8. Can a contractor extend the connection within their facility?
Answer: Yes. The contractor may extend the connection within their facility. The System Security Plan (SSP)
must demonstrate how the line is protected while running through the facility (i.e. approved Protected
Distribution System (PDS), NSA Type 1 encryption, etc.).
Contact your DSS Industrial Security Representative for further information.
9. Do contractors follow the Department of Defense Information Assurance Certification and
Accreditation Process (DIACAP) for processing on classified systems connected to the SIPRNet?
Answer: No. Contractors use the Certification and Accreditation Process documented in the Industrial Security
Field Office (ISFO) Process Manual. The ISFO PM can be requested from the DSS web site
(http://www.dss.mil/isp/odaa/request.html). Contractors do not need to follow DIACAP.
POCs and Links
• DISA SSMO - SSMO@disa.mil or 703-674-5311
• DISA Certification and Accreditation – 703-882-1940
• DISA CAO – 703-882-1455 CCAO@disa.mil
• DSS PM – disn@dss.mil
• DISN Connection Process:
– Non-DoD New Connection: http://www.disa.mil/connect/instructions/nondod_new_siprnet.html
– Non-DoD Existing Connection: http://www.disa.mil/connect/instructions/nondod_exist_siprnet.html
• NIAP Validated Products List: http://www.niap-ccevs.org/vpl/
• DISA STIGs: http://iase.disa.mil/stigs/stig/index.html
• DISA Direct Order (DDOE): https://www.disadirect.disa.mil/products/asp/welcome.asp (PKI required).
• DSS: www.dss.mil
• DOD Network Information Center (DOD NIC): www.nic.mil / www.ssc.smil.mil - 800-582-2567