SIPRNet - Frequently Asked Questions (FAQ) - NISP Inc.

1 Page 1 SIPRNet - Frequently Asked Questions (FAQ) March 2008 Background: The Defense Information System Agency (DISA) owns and manages the Secret internet protocol Router network ( SIPRNet ).

2 When a government contractor has been approved to connect to this Department of Defense (DoD) Wide Area network (WAN) additional guidance is needed. Objective: To provide a consolidated response to Questions routinely posed to headquarters from the DSS field personnel and cleared contractors. 1. What is a Plan of Action and Milestones (POA&M)? Answer: A POA&M identifies tasks to be accomplished in support of Certification and Accreditation (C&A). It details resources required to accomplish the elements of the C&A, any milestones-dates in meeting the tasks, and scheduled completion dates for the tasks. The purpose of a POA&M is to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and systems.

3 The POA&M is developed from security weaknesses and deficiencies identified during the security assessment of the system. The POA&M is submitted from the Program/Project Manager of the system to the Designated Approval Authority (DAA) to demonstrate the way forward with resolving areas of non-compliance. 2. Are a firewall and Intrusion Detection System (IDS) required for a SIPRNet connection? Answer: Yes. All enclaves connecting to the SIPRNet must implement a firewall & IDS. (Reference: DoD Instruction and Defense Information System Agency (DISA) Security Technical Implementation Guide (STIG)) ) 3.

4 Can the firewall and IDS reside on the same device? Answer: No. The firewall and IDS must be physically located on separate hardware devices. (Reference: ) 4. Can any firewall be used? Answer: No. The firewall must be National Information Assurance Partnership (NIAP) approved and it must be Evaluation Assurance March 2008 Page 1 March 2008 Page 2 Level (EAL) 4.

5 Devices with Common Criteria evaluations from countries outside of the United States will not be accepted. (Reference: DoD Instruction and Defense Information System Agency (DISA) Security Technical Implementation Guide (STIG)) ) 5. Is the IDS also required to be NIAP EAL 4 approved? Answer: No. The IDS must be NIAP EAL 2 approved. (Reference: ) 6. Who should the sponsoring agency or contractor contact for information regarding the firewall/IDS? Answer: For information regarding firewall/IDS specifications and installation refer to or contact the DISA Field Security Operations (FSO) helpdesk via email at.

6 7. Can a contractor have unfiltered access to SIPRNet sites? Answer: No. All contractors must have filtered access. Contractor s access to resources ( , websites, ports and etc.) on SIPRNet is determined by their sponsor and authorized through DISA s disclosure authorization process. 8. Where should the sponsor forward Disclosure Authorization (DA) forms? Answer: DA forms are submitted to the DISA SIPRNet Monitoring Center at 9. How are IP addresses provided to the contractor? Answer: The sponsoring agency is responsible for providing IP services to the contractor. Sponsors should request IP blocks for their contractor connections from the SIPRNet Support Center at 800-582-2567.

7 10. Who provides email services to the contractor? Answer: The sponsoring agency is responsible for providing email services to the contractor. March 2008 Page 3 11. What documents are needed to continue a connection when the circuit expires? Answer: The sponsoring agency will need to provide DISA with a valid Joint Staff letter, Approval to Operate (ATO), SIPRNet Connection Questionnaire (SCQ) & and any additional supporting documentation at DISA s request.

8 (Reference: ) 12. Who should the sponsoring agency contact in reference to the Joint Staff validation? Answer: Lt. Col. Suzanne Kumashiro 703-697-4503. 13. Who should the sponsoring agency contact in reference to circuit installation? Answer: Jim Nostrant 703-882-0191 or the SIPRNet Support Center 800-582-2567. 14. Who should the sponsoring agency contact in reference to a circuit being looped-away (disconnected)? Answer: DISA SCAO 703-882-1450 or DSS ODAA 15. Can a contractor have more than one government entity utilizing their SIPRNet connection? Answer: Yes. This configuration can be administratively cumbersome and requires special approval from DISA.

9 Each contract must operate on a separate subnet (subnet per contract/per sponsor) and each sponsor is required to submit a sponsor package to the Joint Staff. Implementation of a Memorandum of Understanding (MOU) between the sponsoring DoD agencies will be required. The primary sponsoring agency takes full responsibility for the circuit. Need-to- know must be established for each contract. Additionally, the subagency accessing the circuit must understand that if the circuit is shut off for issues related to the prime sponsor they too risk losing their access. Additionally, each sponsor will need to provide a validation package to the Joint Staff for their respective contractor.

10 16. Can a contractor connect through another SIPRNet connection for access? Answer: No. This is considered a back door, which is not allowed. Contractors are prohibited from tapping into other SIPRNet connection for access. (Reference: ) March 2008 Page 4 17. Can a contractor allow other organizations (government or contractor) to tap into their existing connection? Answer: No. Same as above, no back door connections are allowed.