Presentation is loading. Please wait.

Presentation is loading. Please wait.

Contractor SIPRNet Process

Published byCameron Cummings Modified over 8 years ago

Similar presentations

Presentation on theme: "Contractor SIPRNet Process"— Presentation transcript:

1 Contractor SIPRNet Process
Defense Security Service Contractor SIPRNet Process

2 Objectives Roles and Responsibilities Circuit Validation and Order
What is the Secret Internet Protocol Router Network (SIPRNet)? Roles and Responsibilities Circuit Validation and Order Required Equipment/Devices CNDSP/HBSS Connection Approval Package Connection Approval Disclosure Authorization Re-validation Process Flow Chart SIPRNet FAQs

3 What is the SIPRNet? The SIPRNet (Secret Internet Protocol Router Network) is a system of interconnected computer networks used by the Department of Defense and the U.S. Department of State to transmit classified information (up to and including information classified SECRET) by packet switching over the TCP/IP protocols in a "completely secure" environment. It also provides services such as hypertext documents and electronic mail. In other words, the SIPRNet is the DoD’s classified version of the civilian Internet. The SIPRNet is virtually indistinguishable from the Internet to the user. Its chief visible difference is the domain name system, with almost all sites being under '.smil.mil' or '.sgov.gov' .

4 Roles and Responsibilities
Organizations Responsibilities Defense Information Systems Agency (DISA) Responsible for Defense Information Systems Networks (DISN) circuits and oversight. Office of the Assistant Secretary of Defense For Networks and Information Integration (OASD) (NII)) - Final approval authority for all connection requests in support of sponsor’s mission DISA SIPRNet Management Office - Review SIPRNet requests and initial topologies to determine whether the proposed DISN solution is appropriate. Forwards the approved solution to OASD NII for approval. Government Sponsor Sponsor/owner of contractor connection Provide funding for circuit and any other required services for contractor connection to SIPRNet (i.e. Computer Network Defense Service Provider (CNDSP), , Domain Name Service (DNS)). Defense Security Service (DSS) DAA for accrediting information systems used to process classified information in industry Process System Security Plans (SSP) DISA Certification and Accreditation Office/Classified Connection Approval Office (CAO) - Process Connection Approval Packages (CAP) – issues IATT, IATO and ATC.

5 Circuit Validation/Order
Government Contracting Authority (GCA) Sponsorship is required to validate contractor and mission support requirements OASD validation is good for 3 years Sponsorship Letter (example) Letter must include: contract number, CAGE code, and POC information. Additionally, sponsor letter must include all SIPRNet resources the contractor will require (i.e. ports, protocols, services, websites, etc.) and a Network topology diagram is required. Submit to Approval needed by: DISA SMO, Sponsor’s Service/Agency validation official then OASD NII approval. Initiate SIPRNet connection. DISA Direct Online Entry (DDOE) Customer Support or DISN Global Support Center (DGSC) Additional info: Register the IS information within the SIPRNet IT Registry. Obtain SIPRNet IP addresses . Contractors will contact their government sponsor to provide IP addressing requirements. DOD Network Information Center (NIC) at

6 Required Equipment/Devices
To protect the integrity of the network, all SIPRNet circuits require Type 1 encryption. The customer is required to provide for the appropriate encryption device and associated Fixed Plant Adapter (FPA) for both ends of the SIPRNet access circuit. Examples of approved devices on the DISN includes the KIV-7M, KIV -7M with DS-3 Module, KG-175B/D, and the KG-175A.

7 Required Equipment/Devices
DISA requires that all systems connected to SIPRNet have an Evaluated Assurance Level (EAL) 4 firewall and an EAL 2 IDS. National Information Assurance Program (NIAP) Evaluated Products list: For configuration guidance: Examples only (DSS does not endorse products)

8 CNDSP In accordance with DoD Directive O , it is the responsibility of all DoD Components to either establish a Computer Network Defense (CND) Service or subscribe to an accredited Tier 2 CND Service Provider (CNDSP). This policy applies to all DoD systems and networks, to include non-DoD Information Systems connected to the DISN. As prescribed by DoD Directive O , an accredited Tier 2 CNDSP provides services for protection, detection, monitoring, analysis, and response actions or activities ensuring robust CND for DoD. These services include actions taken to protect, monitor, analyze, detect, and respond to unauthorized activity within DoD information systems and computer networks. These services also include the employment of IA capabilities to respond to unauthorized activity within DoD information systems and computer networks in response to a CND alert or threat information. If the customer has not been aligned to a CNDSP, they will not be authorized for connection to the DISN. As of January 2011, Plans of Actions & Milestones (POA&M) or Temporary Waivers are NOT permitted for lack of CNDSP alignment. CNDSP Potential Issues: Cost (approx 40k) Army Research Labs (ARL) One of few accepting new CNDSP alignment Lack of inventory of sensors Existing SIPRNet Nodes: DISA FSO has agreed to permit MOA with sponsor and CNDSP and proof of funds as meeting CNDSP alignment requirement. All non-compliant nodes shall seek CNDSP alignment immediately. New SIPRNet Nodes: Obtain CNDSP alignment with circuit acquisition process prior ATO/ATC.

9 CTO 10-133/HBSS Communication Tasking Order (CTO) 10-133
DSS CTO Guidance File Sanitization Tool (FiST) for Flash Media transfers only Vulnerability Management System (VMS) account Host Based Security System (HBSS) with Device Control Manager (DCM) Existing circuits with current accreditation: POAM New circuits: must be compliant with DSS CTO Guidance Obtaining HBSS software Sponsor/customer of circuit’s responsibility Sponsor/customer can contact DISA HBSS Configuration Ensure that DCM module installed to prevent data transfers Data transfers can only occur if DSS has RAL on file with (M)SSP

10 CCRI Command Cyber Readiness Inspection (CCRI)
Currently conducted by DISA FSO Future DSS trained Information System Security Professionals (ISSP) and Industrial Security Representatives (ISR) will conduct in coordination with annual review 120 day notice prior to CCRI CCRI inspects and grades the IA operational readiness of each network Inspect operating systems (and DNS), network and network devices, HBSS, Physical environment (traditional) Compliance with USCYBERCOM (CTOs)

11 Connection Approval Package
After receiving circuit approval/validation and circuit order contractor should be developing all required security documentation begin system configuration/hardening. Required documentation for Connection Approval Package (CAP) package submittal to DISA Classified Connection Approval Office (CAO) : DSS ISFO Process Manual for contractor Certification and Accreditation Systems Security Plan (SSP), Protection Profile (PP) other documentation as required Obtain DSS Accreditation Letter SIPRNet Connection Questionnaire (SCQ) with DSS RDAA signature (example) Consent to Monitor signed by sponsor Residual Risk Memorandum signed by contractor Topology diagram (example) IP addresses are required (FOUO, unless specified by sponsor with supporting security classification guide)

12 Connection Approval The DISA CAO manages the Connection Approval Process and security requirements for the SIPRNet. DISA CAO verifies CAP is complete with all required documentation. Once circuit is installed at Contractor facility (DMARC) and security package approved by DISA CAO, DISA will issue an Interim Approval To Test (IATT). Note: Prior to DISA scheduling technician to install/configure CSU/DSU, KIV-7 etc. the following items are required: 1) DSS ATO 2) CAP approved by DISA CAO Burn-in & implementation by GNSC After burn-in and implementation by the GNSC the CAO will initiate a remote compliance vulnerability scan. Once a successful scan has been completed, the CAO will issue an IATC/ATC. Contractor on SIPRNet

13 Disclosure Authorization
Contractors are NOT allowed unfiltered access to the SIPRNet (CJCSI ). The government sponsor determines access requirements. The validation letter must identify access requirements (i.e., websites and ports and protocols.) Sponsor sends form to DISA SMC DISA builds/updates contractor filter

14 Re-Validation Sponsor revalidate circuit every 3 years (example template) Has there been a change in sponsor, mission, requirement, contract or location? If yes, OASD (NII) approval required Once re-validated submit updated CAP to

15 SIPRNet Flow

16 FAQ? 1. What is a Plan of Action and Milestones (POA&M)?
Answer: A POA&M identifies tasks to be accomplished in support of Certification and Accreditation (C&A). It details resources required to accomplish the elements of the C&A, any milestones-dates in meeting the tasks, and scheduled completion dates for the tasks. The purpose of a POA&M is to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and systems. The POA&M is developed from security weaknesses and deficiencies identified during the security assessment of the system. The POA&M is submitted from the Program/Project Manager of the system to the Designated Approval Authority (DAA) to demonstrate the way forward with resolving areas of non-compliance. 2. Can a contractor have unfiltered access to SIPRNET sites? Answer: No. All contractors must have filtered access (CJCSI ). Contractor’s access to resources (i.e., websites, ports etc.) on SIPRNet is determined by their sponsor and authorized through DISA’s disclosure authorization process.

17 FAQ? 3. What documents are needed to continue a connection when the circuit expires? Answer: The sponsoring agency will need to provide DISA with a valid Non-DoD Connection Re-Validation letter, DSS Approval to Operate (ATO) letter, SIPRNET Connection Questionnaire (SCQ) & and any additional supporting documentation at DISA‘s request. (Reference: ) Who should the sponsoring agency contact in reference to circuit installation? Answer: Please contact the SIPRNET service manager at or the SIPRNET Support Center 5. Who should the sponsoring agency contact in reference to a circuit being looped-away (disconnected)? Answer: DISA CAO and or DSS ODAA 6. Can a contractor connect through another SIPRNET connection for access? Answer: No. This is considered a “back door,” which is not allowed. Contractors are prohibited from tapping into other SIPRNET connection for access (CJCSI ).

18 FAQ? 7. Can a contractor have more than one government entity utilizing their SIPRNET connection? Answer: Yes. This configuration can be administratively cumbersome and requires special approval from DISA. Each contract must operate on a separate subnet (subnet per contract/per sponsor) and each sponsor is required to submit a sponsor Non-DoD connection package. Implementation of a Memorandum of Understanding (MOU) between the sponsoring DoD agencies will be required. The primary sponsoring agency takes full responsibility for the circuit. “Need-to-know” must be established for each contract. Additionally, the subagency accessing the circuit must understand that if the circuit is shut off for issues related to the prime sponsor they too risk losing their access. Additionally, each sponsor will need to provide a validation package with OASD (NII) approval for their respective contractor. Contact DISA SIPRNet Management Office or or DSS ODAA for more information. 8. Can a contractor extend the connection within their facility? Answer: Yes. The contractor may extend the connection within their facility. The System Security Plan (SSP) must demonstrate how the line is protected while running through the facility (i.e. approved Protected Distribution System (PDS), NSA Type 1 encryption, etc.). Contact your DSS Industrial Security Representative for further information.

19 FAQ? 7. Do contractors follow the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) for processing on classified systems connected to the SIPRNet? Answer: No. Contractors use the Certification and Accreditation Process documented in the Industrial Security Field Office (ISFO) Process Manual. The ISFO PM can be requested from the DSS web site Contractors do not need to follow DIACAP

20 POCs and Links DISA SSMO - SSMO@disa.mil or 703-674-5311
DISA Certification and Accreditation – DISA CAO – DSS PM – DISN Connection Process: Non-DoD New Connection: Non-DoD Existing Connection: NIAP Validated Products List: DISA STIGs: DISA Direct Order (DDOE) : (PKI required). DSS: DOD Network Information Center (DOD NIC) : /

Download ppt "Contractor SIPRNet Process"

Similar presentations

Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Nick Vennaro, NHIN Team (Contractor), Office of the National Coordinator for Health IT Michael Torppey, CONNECT Health IT Security Specialist (Contractor)

Nick Vennaro, NHIN Team (Contractor), Office of the National Coordinator for Health IT Michael Torppey, CONNECT Health IT Security Specialist (Contractor)
ODAA Workshop December 2012 Charles Duchesne, DSS Tiffany Snyder, DSS

ODAA Workshop December 2012 Charles Duchesne, DSS Tiffany Snyder, DSS
What’s the path to a SSP? Information System Profile Contractor: Lockheed Martin, Missiles and Fire Control Address: 1701 W. Marshall Dr. Grand Prairie,

What’s the path to a SSP? Information System Profile Contractor: Lockheed Martin, Missiles and Fire Control Address: 1701 W. Marshall Dr. Grand Prairie,
1 Office of the Designated Approving Authority (ODAA) April 2008.

1 Office of the Designated Approving Authority (ODAA) April 2008.
ISFO – ODAA Defense Security Service Industrial Security Field Operations (ISFO) Office of the Designated Approving Authority (ODAA) Nov 2013 1 Nov 2013.

ISFO – ODAA Defense Security Service Industrial Security Field Operations (ISFO) Office of the Designated Approving Authority (ODAA) Nov Nov 2013.
DoD Information Assurance Certification and Accreditation Process (DIACAP) August 2011.

DoD Information Assurance Certification and Accreditation Process (DIACAP) August 2011.
4/29/2009Michael J. Cohen1 Practical DIACAP Implementation CS526 Research Project by Michael J. Cohen 4/29/2009.

4/29/2009Michael J. Cohen1 Practical DIACAP Implementation CS526 Research Project by Michael J. Cohen 4/29/2009.
Summer 200811 IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.

Summer IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.
Industrial Security Field Operations (ISFO) Office of the Designated Approving Authority (ODAA) August 2010.

Industrial Security Field Operations (ISFO) Office of the Designated Approving Authority (ODAA) August 2010.
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.
1 UNCLASSIFIED Army Enterprise Email Migration to DISA LTC Peter Barclay, CIO/G6 Mr. Kevin Mott, NETCOM Mr. Jose Ortega, PEO EIS Mr. Donald Greenlee, PEO.

1 UNCLASSIFIED Army Enterprise Migration to DISA LTC Peter Barclay, CIO/G6 Mr. Kevin Mott, NETCOM Mr. Jose Ortega, PEO EIS Mr. Donald Greenlee, PEO.
Information Security Policies and Standards

Information Security Policies and Standards
Christopher P. Cabuzzi CS 591 DEFENSE INFORMATION ASSURANCE CERTIFICATION & ACCREDITATION PROCESS (DIACAP) Chris Cabuzzi, DIACAP, 12/8/10 1.

Christopher P. Cabuzzi CS 591 DEFENSE INFORMATION ASSURANCE CERTIFICATION & ACCREDITATION PROCESS (DIACAP) Chris Cabuzzi, DIACAP, 12/8/10 1.
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
ODAA Update Agenda ODAA Business Management System (OBMS) Deployment

ODAA Update Agenda ODAA Business Management System (OBMS) Deployment
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Network security policy: best practices

Network security policy: best practices

Similar presentations

Ads by Google