
Contractor SIPRNet Process - San Diego Industrial …


Transcription of Contractor SIPRNet Process - San Diego Industrial …

1 Contractor SIPRNet Process
ISAC 2017, Defense Security Service

Objectives
• Roles & Responsibilities
• Circuit Validation & Registration
• Required Equipment & Devices
• Certification & Accreditation
• Connection Approval Package
• SIPRNet Process Flow Chart

Roles and Responsibilities (Organizations / Responsibilities)
• DoD CIO - Final approval authority for all connection requests in support of the sponsor's mission
• Defense Information Systems Agency (DISA) - Responsible for management of Defense Information Systems Network (DISN) circuits
• Sponsor - Sponsor/owner of the Contractor connection; provides funding for the circuit and any other required services for the Contractor connection to SIPRNet (Computer Network Defense Service Provider (CNDSP), Host Based Security System (HBSS), email, Domain Name Service (DNS), SIPRNet Hardware Token and SIPRNet GIAP System accounts)

2
• DISA SIPRNet Service Management Office (SSMO) - Reviews SIPRNet requests and initial topologies to determine whether the proposed DISN solution is the approved solution (to DoD CIO)
• Defense Security Service (DSS) - DAA for accrediting Contractor information systems used to process classified information in industry; issues IATO and ATO
• Certification and Accreditation Office / Classified Connection Approval Office (CAO) - Processes Connection Approval Packages (CAP); issues Authority to Test/Connect (IATT, IATC, ATC)
• Sponsor / Government Contracting Authority (GCA) - All Non-DoD connections require a contract, MOU/A, and a DoD Sponsor to validate the mission need for partner access to the DISN. Sponsors must adhere to the responsibilities stated in the DoD CIO Sponsor Memorandum dated 11 Jan 2012.

Circuit Validation Process
• Sponsorship Letter (Validation request)
• Request must document all SIPRNet resources the Contractor will require (e.g. ports, protocols, services, websites)
• Topology (complete & accurate)
• Non-DoD Validation request: initial approvals needed from the DISA SIPRNet Service Manager Office (SSMO) and the Sponsor's Service/Agency official; final approval granted by DoD CIO
• Revalidation is required if there is a change in sponsor, mission, requirements, contract or physical location (CAGE); not required for contract extensions (same mission etc.)

3
Example: Contractor relocating a circuit to a new facility/CAGE, or an additional sponsor organization added to an existing circuit

CNDSP (CJCSI)
For mission partner and defense Contractor ISs, the sponsoring CC/S/A must ensure:
• A signed agreement (e.g. MOA) or contract defines the Computer Network Defense Service Provider (CNDSP) requirements, as specified in DODD, and these are included in the agreement
• CNDSP requirements are implemented prior to connection
• Check with your CNDSP for additional services: Host Based Security Service (HBSS), Vulnerability Scanning (ACAS), and Secure Technical Implementation Guide (STIG) training
• Email for a listing of available CND providers

Circuit Ordering
• Government Sponsor initiates the SIPRNet connection via DISA Direct Online Entry (DDOE)
• DoD CIO approval required prior to circuit ordering
• Sponsor creates an account and submits a Telecommunication Service Request (TSR)

4
• Funding provided via Program Designator Code (PDC)
• Accurate POC information is critical to the ordering process, for example: Sponsor, Contractor FSO, ISSM and/or ISSO, and COMSEC manager

Required Equipment/Resources
• All SIPRNet circuits require NSA Type 1 encryption (e.g. KIV 7M); the Sponsor must provide it at both ends of the SIPRNet circuit
• Approved Products List (APL) & National Information Assurance Program (NIAP) approved Firewall (EAL-4) and Intrusion Detection System (IDS/IPS) (EAL-2); see applicable STIGs for detailed requirements
• Sponsor assists to obtain the following: Ports, Protocols, Services Management (PPSM), SGS, SIPRNet IT Registry and others as required

Certification and Accreditation
• DSS is the accrediting authority for NISP cleared Contractor systems (NISPOM)
• Grants Authority to Operate (I/ATO) based on contract expiration date or three years, whichever occurs first

5
• Enhanced NISPOM requirements (DoD technical requirements) are required prior to accreditation per the DISA-DSS MOA signed September 2011
• DISA has management and oversight responsibilities for the DISN; the Connection Approval Authority (CAO) grants Authority to Connect
• Sponsor/Contractor submits accreditation packages to the SIPRNet GIAP System (SGS) for accreditation; the record shall be kept accurate throughout the system's life cycle
• Cleared Contractor systems must have both a current ATO & ATC prior to processing on SIPRNet

Certification and Accreditation
• System Security Plan and supporting documentation; see the NISP SIPRNet Connection Approval Process (NSCAP) for the detailed process
• System Security Plan (SSP) and IS Profile
• Utilize and configure systems to the applicable DoD Secure Technical Implementation Guide (STIG)
• Topology must include compliant/supported Firewall/IDS and Routers
• STIGs may require additional supporting documentation: appointment letters, local IA policies/procedures, change management plans, etc.

6
• Consent To Monitor (CTM) with sponsor signature
• Statement of Residual Risk (SRR) with Contractor management signature (Contractor personnel, not GCA)
• Sponsor Validation/Re-Validation Letter

Disclosure Authorization
• Contractors are NOT permitted unfiltered access to the SIPRNet (see CJCSI). The government sponsor determines requirements (validation letter/contract)
• Sponsor completes the Disclosure Authorization Form with the required ports/protocols and submits it to DISA; DISA will update the Contractor access list

Process Flow Chart

Maintaining Compliance
• Compliance with DoD policies is required throughout the system's lifecycle
• Failure to implement and maintain the DoD IA requirements may result in a level of risk deemed unacceptable by the DAA of the system (DSS) or the network owner (DISA)
• Non-compliant nodes may be disconnected from the network after coordination with the government sponsor to consider justification for remaining connected
• The decision to allow a node to remain connected (or not) is made by USCYBERCOM based on input from DISA and DSS

Training & Resources
• Connection Process Guide (CPG)
• NISP SIPRNet Circuit Approval Process
• Connection Approval FAQs
• Mission Partner Training (topology, SGS, PPSM)
• STIGs & Tools

7 CCRI Program Overview
ISAC 2017, Defense Security Service

Background
• CJCSI: All ISs connected to the DISN are subject to electronic monitoring for communications management and network security. This includes site visits, compliance inspections, and remote vulnerability assessments to check system compliance with configuration standards.
• ~160 NISP SIPRNet nodes across four regions

DISA-DSS MOA
• DISA-DSS SIPRNet Memorandum of Agreement (MOA) signed September 9, 2011
• Outlines roles and responsibilities of DISA and DSS
• NISP SIPRNet nodes will adhere to DoD requirements
• Annual Reviews and scheduled Command Cyber Readiness Inspections (CCRI) to assess compliance with DoD requirements
• DSS HQ works closely with the government sponsor, DISA, DoD CIO and USCYBERCOM

DSS CCRI Team Status
• DISA provides training and certification for CCRI team personnel

8
• DSS CCRI certified personnel as of April 2017: (6) Traditional Security Reviewers / Industrial Security Specialists (ISRs); (17) Technical Reviewers (includes 5 CCRI Leads) / Information Systems Security Professionals (ISSPs)
• Additional ISRs and ISSPs pending final on-the-job training and check-rides
• Certified Reviewers are required to complete 4 CCRIs per year for proficiency
• DSS CCRI team oversight and certification check-rides by DISA
• DSS tasked directly on CCRI scheduling TASKORDs
• FY18 CCRI planning is in draft form
• DSS scheduled to lead ALL inspections for Cleared Industry circuits

CCRI
• Inspection is used to improve the cyber security posture of the DoD networks
• Provides situational awareness to the government sponsor and CDC senior leadership
• In-brief, daily hot-washes and exit briefing with senior leadership
• The team will meet with facility security staff personnel (FSO, ISSM/ISSO, SAs) to validate: current accreditations; enclave/network security; vulnerability scans; Computer Network Defense (CND) services; access compliance with DoD IA policies
• The DISA Secure Technical Implementation Guide (STIG) is the technical checklist
• Compliance reports must be completed appropriately: After Action Plan, POAM, ACAS scanning

Lessons Learned
• Do not wait for the scheduled inspection to prepare; sites are to be ready at all times.

9
• No-notice inspections are always a possibility per policy
• Contact your CNDSP for assistance with ACAS, HBSS RC
• Contact the DISA FSO STIG Support desk for STIG clarification items

CCRI Prep
DSS Advise & Assist:
• HQ to contact the government sponsor to discuss the inspection and requirements
• Site assistance visits and ongoing support prior to inspection (ISR/ISSP)
• Contact the Computer Network Defense Service Provider (CNDSP) and/or sponsor for possible Pre-CCRI assistance

Maintaining Compliance
• Compliance with DoD policies is required throughout the system's lifecycle
• Failure to implement and maintain the DoD IA requirements may result in a level of risk deemed unacceptable by the DAA of the system (DSS) or the network owner (DISA)
• Non-compliant nodes may be disconnected from the network after coordination with the government sponsor to consider justification for remaining connected
• The decision to allow a node to remain connected (or not) is made by USCYBERCOM based on input from DISA and DSS

10 DSS CCRI Team Example
• DSS CCRI Team Lead**
• Windows/DNS Reviewer (if applicable)
• Network Reviewer
• Vulnerability Scanner Reviewer
• HBSS Reviewer
• Traditional Reviewer (DSS Industrial Security Specialist)
*Other reviewer roles may be requested (e.g. Exchange or Unix/DNS) if applicable

Questions?

Points of contact
Mr. Ehren M. Thompson, Senior Industrial Security Representative (ISR), DISA Certified Traditional Reviewer, San Diego Field Office, Office: 858-207-0194, BB:
Mrs. Nadja L. West, Information System Security Professional (ISSP), DISA Certified HBSS/Windows Reviewer, Los Angeles Field Office (Cypress Resident Office), Office: 714-822-3113, BB:

