Published by Aubrey Helena Hoover. Modified over 9 years ago.
UNCLASSIFIED//FOUO
Warrior Communicators

Slide 1: Fort Hood NEC Certification and Accreditation Workshop, 30 June 2009
Slide 2: Agenda
- DIACAP and Tenant Security Plan overview
- DAA delegation and future changes
- SIPRNet Tenant Security Plan: intent, examples and explanations
- SIPRNet TSP: timelines and packet submission process
- Exercise TSP: intent, examples and explanations
- Exercise TSP: timelines and packet submission process
- STAMIS/ABCS (NIPR and SIPR): intent, examples and explanations
- STAMIS/ABCS: timelines and packet submission process
- Firewall/PPS tutorial
- Additional devices (VTCs, etc.)
Slide 3: Agenda (cont.)
- Inspections: what to expect and what we are looking for
- Remedy tickets
- Definitions
- Fort Hood policies, CCB, email/digital signatures, where to find Fort Hood/Army policies
- Workshop time
Slide 4: DIACAP and TSP Overview
What is DIACAP? DIACAP is the DoD Information Assurance Certification and Accreditation Process.
- It is the process through which a system's security posture is assessed, documented, verified and maintained.
Fort Hood has two basic DIACAP packages: the NIPRNet ICAN and the SIPRNet ICAN. You connect to one or both of these.
- The Army Best Business Practice "Terms for Connectivity to the Installation Service Provider/ICAN" mandates that all tenants (any organization that is physically located on the installation, or virtually or logically connected to the installation campus area network [ICAN]) complete and submit a Tenant Security Plan (TSP) to the DOIM/NEC for use as artifacts in the ICAN installation DIACAP. Therefore, the TSP is your piece of the installation's DIACAP package.
Slide 5: DIACAP/TSP
Tenant Security Plan: who is responsible?
- The Commander is responsible for the security posture of his/her portion of the network.
- The appointed IA personnel are responsible for ensuring IA compliance and for keeping the Commander informed of any issues.
- Initial approval of the Tenant Security Plan is the responsibility of the NEC IA Policy Management Branch. We then make the recommendation to the DAA (or his delegate) for Approval to Connect (ATC).
- The DAA for Fort Hood is the IMCOM West Director, J. Randall Robinson. He has delegated the authority for ATC to the Garrison Commander.
Slide 6: DIACAP/TSP
- As you may know, the NEC is now under the OPCON of the 106th BDE / 7th Signal Command / NETCOM.
- As of 1 Oct 2009, the NEC will be a part of NETCOM, and the DAA will become BG Napper, the 7th Signal Commander.
- When the DAA changes, the processes and/or delegation might change.
Slide 7: SIPRNet Tenant Security Plan

Slide 8: Talking Points
- When to submit a SIPRNet TSP
- How to submit a SIPRNet TSP
- Questions/Comments
Slide 9: When to Submit a SIPR TSP
Units/organizations who need SIPR connectivity must submit a Tenant Security Plan (TSP) to the Information Assurance Policy Management (IAPM) Office via Remedy. The TSP must be submitted per unit, per building, and will need to be submitted or resubmitted when one of the following occurs:
- When a unit/organization wants new connectivity
- When a unit/organization moves into a new building
- When a unit/organization has a Change of Command
- When the unit/organization has a major change to the TSP (e.g., addition of a PDS)
- When the Authority to Connect expires (every three years)
Slide 10: How to Submit a SIPR TSP
Download the SIPRNet TSP documents from the DOIM website: http://www.hood.army.mil/doim/
- Tenant Security Plan (TSP) with attached BLDG/RM diagrams and hardware and software inventory
- SIPRNet Access Assessment
- SIPRNet Standing Operating Procedure (SOP)
- SIPRNet Authority to Connect (ATC)
Slides 11-15: SIPRNet TSP (no text content on these slides)
Slide 16: SIPRNet TSP (sample building/room diagram: Building 999999999; Rooms 101, 102, 103, 104, 105, 106)

Slide 17: SIPRNet TSP (no text content)
Slide 18: SIPRNet TSP
VTC firewall requests:
- Firewall Request Form
- Ports, Protocols and Services spreadsheet
- NEC website

Slide 19: SIPRNet TSP (no text content)
Slide 20: SIPRNet TSP
Software inventory and hardware inventory.
Hardware includes:
- Workstations
- Laptops
- Printers
- External storage
- Thumb drives
- KVMs
- Stand-alone systems
Things to keep in mind:
- Naming convention
- Networked printers
- Unsecured printers / printer memo
- Stand-alones and external media
Slides 21-22: SIPRNet TSP (no text content)

Slide 23: SIPRNet TSP (marked NEW!!!)

Slides 24-26: SIPRNet TSP (no text content)
Slide 27: SIPRNet TSP
Vulnerability scanning:
- SAs are able to scan their own systems for vulnerabilities using Retina software.
- To obtain a license for Retina, SAs must complete the Retina training course and request a Retina license.
- SAs must also provide scan results to the DOIM.
Slides 28-31: SIPRNet TSP (no text content)
Slide 32: SIPRNet TSP
Military signature block (example):
JOE P. SNUFFY
COL, AVN
Commanding
Slide 33: SIPRNet Access Assessment (no text content)

Slides 34-37: SIPRNet SOP (no text content)

Slide 38: SIPRNet Authority to Connect (no text content)

Slide 39: SIPRNet TSP: QUESTIONS??
Slide 40: Exercise Packets
Who: Units who are going to be conducting SIPR or NIPR FTXs, training exercises with units outside of Fort Hood, or units who will be training in an area that is unusual for their Area of Operation.
What: Please use the Exercise Packet that can be found on the DOIM website. Use the website template only, to ensure the latest version is used.

Slide 41: Exercise Packets
When: Packets are to be submitted 30 days prior to the exercise start date.
Why: To ensure that the NEC is able to provide all services required by the unit prior to exercise kick-off. This will also allow the unit to run a test prior to the start date.
Slide 42: Exercise Packets
Remember, the exercise connection process takes several steps:
- Packet submission (IAPM). If using a TA site, the unit will need to coordinate with Plans for connectivity.
- Scanning/VLAN assignment (IACB): All units will be scanned for IAVA compliance and to ensure SAV is updated to the most current version. If PM-fielded systems are being used, it is up to the PM and the unit to ensure the systems are updated.

Slide 43: Exercise Packets (process cont.)
- Firewall: If you have a need for outside connectivity, then a firewall request and PPS need to be submitted. (Remember, if this is a SIPR exercise, the firewall request and PPS need to be sent over SIPR.)
- Inspection: The unit will need to set up a few days prior to the exercise kick-off date so that the IAPM office can inspect the area.
Slide 44: Exercise Packets
1. TENANT SYSTEM IDENTIFICATION
- Dates of Exercise:
- Dates Network Connectivity Needed: [e.g., go hot on 1 July 08, ENDEX 30 Aug 08]
- Host Organization: [e.g., Battle Simulation Center]
- Owning Organization: [YOUR UNIT/ORGANIZATION NAME]
- Subnet Name: [Example: 48th Chem Liberty Focus 2008 Exercise]
- Subnet Location: [Buildings/Rooms]
- Highest Level of Data/Network Classification: [UNCLASSIFIED, SECRET, TOP SECRET, etc.]
- Information Assurance POC: [Your IASO and SA; list both]
Slide 45: Exercise Packets
2. SYSTEM DESCRIPTION (template text)
The systems use the approved Fort Hood AGM image only and will be used on systems connected to the SIPRNET. It consists of (the Secure Distribution System, which supports # of systems). The (directorate/division/office) at (physical location, to include Bldg #s, and installation) has determined the mission need.
(If the unit has a need for software above the image, this will be annotated in Appendix C. Please note that only software on the Fort Hood Approved Products List will be authorized above the image. If there is a need for additional software that has been approved by the Army but is not on the Fort Hood APL, you will need to request approval via the CCB, which is held on the first Tuesday of every month.)
(If the unit is using VTC, VOSIP or KVMs, they must be added to the description. VOSIP, VTC and KVMs need static IP requests submitted. VTCs need a firewall request submitted via SIPR. KVMs being used must be on the Approved Products List; please see the KVM BBP posted on the DOIM website. VOSIP requires an approval memorandum from the Corps G6.)
Other peripherals may be attached to the workstations. A diagram of the systems and their locations is located in Appendix A. A logical connectivity diagram is located in Appendix B. A software and hardware inventory is located in Appendix C.
Slides 46-47: Exercise Packets (outline)
2.0 Mission Statement and Communications Requirement
2.1 Physical Connectivity Diagram
2.2 Data Flow Diagram
2.3 Connectivity Description
2.4 Hardware and Software Inventory
2.5 Systems of Record
3.0 Security Technical Implementation Guides
4.0 TEMPEST Requirements
5.0 Software Updates/Patches/Hotfixes
6.0 Anti-Virus
7.0 Information Assurance Vulnerability Management (IAVM) Compliance
8.0 Vulnerability Scanning
9.0 IA Training and Certifications
10.0 Incident Response
11.0 Physical Security
12.0 Non-US Citizens
Slide 48: QUESTIONS??
Slide 49: Which Systems Need STAMIS Packets?
- All Program Manager imaged systems (PBUSE, SAMS, SARSS, SAAS, TCAIMS, BCS3, RAPIDS) hooked up to the Ft. Hood network.
- All Program Manager imaged systems (PBUSE, SAMS, SARSS, SAAS, TCAIMS, BCS3, RAPIDS) hooked up to a government VSAT, whether or not they touch the Ft. Hood network in any way.
- Any system that sits on the Ft. Hood network with a need to do something unconventional (e.g., a kiosk).
Slide 50: Process Overview
- Packet submission
- Issuance of static IP address
- Enclave port configuration
- System scanning, patching, rescanning
- Static IP configuration
- Submission of firewall request and PPS spreadsheet (Ports, Protocols and Services)
- Ticket sent to TNOSC to open ports
Slide 51: Packet Overview
Submit the packet via a Remedy ticket. What to submit in the initial ticket:
- Cover Sheet: fill in what is applicable. If something is not applicable to you, state "not applicable." This must be on unit letterhead.
- Request to Connect Memorandum: use the memo in the packet. The memo should be filled out in its entirety, not left with the generic language. The memo must be on unit letterhead.
- Software/Hardware Inventory: all computers, printers, and other hardware must be listed, and all requested information provided. Software on the system should be the same as that listed in the system's SSAA or TSP (accreditation documentation). Adding software not on the SSAA invalidates the Approval to Operate for the system, so do not do it!
- Building/room diagram: label the room in which the system is located, including locks, doors, windows, computers, printers, and any other systems in the room.
- System Interface: get this information from your CSSAMOs or whoever fielded you the system. This is information about what your system connects to, what other systems it communicates with, and how this communication is done.

Slide 52: Packet Overview (cont.)
- ATO/IATO: we have ATOs for the usual suspects (SAMS, PBUSE, etc.). If your system is not a common system, you will need to provide us the ATO/IATO and the accreditation documentation for the system.
- Firewall Request Form: submit if your system needs connectivity outside the enclave environment. Fill in everything except the static IP addresses. Do not get the memo signed by your commander until the IP addresses are issued.
- PPS Spreadsheet: submit if your system needs connectivity outside the enclave environment. Fill in everything except the static IP addresses.
Slide 53: System Naming
STAMIS systems must be named according to the naming convention form included with the packet. There are a couple of exceptions: if your system names cannot be changed, let us know. If the STAMIS code for your system isn't on the naming convention sheet, let us know that as well.
Slide 54: Timelines
This process can be as quick and painless or as slow and painful as you make it. Here are a few guidelines:
- Packet submission: after a packet is submitted via Remedy, I try to look at it and make corrections within 5 days.
- Static IPs: generally takes up to 5 days to assign.
- Scanning/port configuration: as long as instructions are followed, this can be done quickly.
- Firewall/PPS: TNOSC requires at least 7 days to open and process a ticket, so don't delay submitting this if you need outside connectivity.
Slide 55: Talking Points
- When to submit a SIPRNet STAMIS Packet
- How to submit a SIPRNet STAMIS Packet
- Questions/Comments

Slide 56: When to Submit a SIPR STAMIS Packet
Units/organizations who need to connect a STAMIS/ABCS system to the SIPRNet must submit a SIPRNet STAMIS Packet to the Information Assurance Policy Management (IAPM) Office via Remedy. Some of the included systems are:
- CPOF (Command Post of the Future)
- BCS-3 (Battle Command and Sustainment Support System)
- DCGS-A (Distributed Common Ground System-Army)
- GCCS (Global Command and Control System)
Slide 57: SIPRNet STAMIS Accreditation (no text content)

Slide 58: SIPRNet STAMIS Accreditation
The Request to Connect template is included in the packet.

Slides 59-60: SIPRNet STAMIS Accreditation (no text content)

Slide 61: SIPRNet STAMIS Accreditation
CURRENT Tenant Security Plan:
- If the unit does not have active SIPR, a TSP must be submitted prior to the STAMIS packet.
- If the unit is on legacy SIPR, a PDS must be installed and accredited prior to the STAMIS packet.

Slide 62: SIPRNet STAMIS Accreditation
Use the same BLDG/RM diagram template as the SIPR TSP.

Slide 63: SIPRNet STAMIS Accreditation
This ATO will come from the PM who issued the system (e.g., General Dynamics) and must be included in the packet.

Slide 64: SIPRNet STAMIS Accreditation
- Firewall Request Form
- Ports, Protocols and Services spreadsheet

Slide 65: SIPRNet STAMIS Accreditation: QUESTIONS??

Slide 66: (no text content)
Slide 67: Inspections
PDS drop box:
1. Forms:
- SF 700: inside the PDS box
- SF 701: posted in the room, to be filled out at the end of each day
- SF 702: posted near the drop, to be filled out when it is opened and closed
- IASO/SA placard: informs the user of important information and phone numbers that are readily available in case of incidents
- "SIPR IN USE / No cordless devices" signs
2. Security:
- All active drops will be issued a Sargent & Greenleaf lock.
- All inactive drops will be issued a seal.
Slide 68: Inspections
PDS condition:
- No paint or labels
- Scratches, dents, dings
- Any evidence of intrusion
- Nothing should be attached to, hanging from, or touching the PDS
- Should be completely viewable
TACLANE safe:
- Nothing on the safe other than the SF 702 and the signed SOP.
Computers:
- Ensure the computer names are correct
- Verify the serial number and name on Appendix C
- Classification labels on equipment
- Shredder size/classification and sign
- Stop signs, USB labels, and Do's and Don'ts labels
Slide 69: Inspections
TEMPEST measures:
- 39" between power connecting a transmitter and a classified device
- 2" between NIPR and SIPR cables
- 20" between NIPR and SIPR processors (computers)
- 10' area with no cordless phones
- 10' away from all cable and cable television
- 10' area with no transmitters (radios, VSAT, LMR, SINCGARS, etc.)
- Signs in place to prevent cordless phones from entering areas when in use
- SCAR / visitor control of areas when in use
Slide 70: Remedy Tickets

Slide 71: Remedy Tickets: Remedy Console

Slide 72: Remedy Tickets
Select the Information Assurance tab.

Slide 73: Remedy Tickets
Select the SIPR/NIPR C&A Packets tab. This will bring up the pop-up shown on the slide.

Slide 74: Remedy Tickets
Please fill out the Building and POC information, including good contact numbers.

Slide 75: Remedy Tickets
Also fill out all ports and COMSEC information in the second tab.

Slide 76: Remedy Tickets
Click the "Saved Required Information" button and then click the "Submit Ticket" button.
Slide 77: Definitions
- ATO: Authorization to Operate
- ATC: Authorization to Connect
- IATO: Interim Authorization to Operate (up to 180 days)
- IATT: Interim Authorization to Test
- Dedicated NIPR port for TACLANE: the port must be used only for the TACLANE. You cannot unplug the TACLANE to use the port for a computer.
- Foreign National: a non-US citizen (even soldiers). When asked in the packet if you have any foreign nationals, you must list all non-US citizens in your unit/building, even if they don't have direct access to the SIPRNet.
- STAMIS/ABCS packet: a packet used for all PM-managed systems of record. These are systems that are registered in APMS and usually have a type accreditation with their own ATO and CoN.
- CoN: Certificate of Networthiness, required to operate on the Army's network.
Slide 78: Fort Hood and Army Policies
- Your first resource will be: http://www.hood.army.mil/doim
- Under "Information Assurance" (a CAC-enabled site only accessible from Fort Hood), you will find FAQs, packet templates, sample memos, training, approved products lists and much more.
- Under "Fort Hood DOIM Policies," you will find all of the IA and IT policies that apply to Fort Hood.
- Another resource is: https://informationassurance.us.army.mil
- There you will find all of the Army Best Business Practices (mandatory) as well as additional Army guidance.
- When in doubt, contact hood.doim.ia.policy@conus.army.mil or submit a Remedy ticket via https://helpdesk.hood.army.mil
Slide 79: Fort Hood and Army Policies
Some things to remember:
1. All software, hardware, systems, devices, etc. must be approved by the NEC Configuration Control Board prior to use.
2. All emails containing an attachment or hyperlink must be digitally signed.
3. All emails containing FOUO, sensitive, SBU, PII or similar information must be encrypted.
4. Your TSP is FOUO and must be encrypted when transmitted to the NEC via email.
5. SIPR firewall requests need to be sent on SIPR.
6. When sending a message from a digital sender, send it to yourself, and then resend it with your digital signature. Information requiring encryption cannot be sent via digital senders unless they have CAC/PKI capability.
Slide 80: Additional Items
- VTCs: if using VTC over IP, it must be included in your Tenant Security Plan.
- VOSIP: must be included in the TSP.
- VTC over ISDN (DVS-G or DVS-II): use the packet available on the DOIM IA website for DVS-G. These will be rolled into the ICAN C&A separately and must be submitted/registered with DISA.
- All devices, including VTCs, VOSIP, etc. must be in compliance with the applicable STIGs. STIGs are available at: http://iase.disa.mil/stigs/stig/index.html