Wide Area Network Approvals – Memorandum of Understanding – SIPRNET. JSAC Dallas – Fort Worth, 16 – 17 April 2008. JD Springer

Page 1: Wide Area Network Approvals Memorandum of Understanding …jsac-dfw.org/Presentations_2008/Wide Area Network... · 2015. 9. 7. · 1.Notify the Network Security Manager (NSM) of any

Wide Area Network Approvals

Memorandum of Understanding

SIPRNET

JSAC Dallas – Fort Worth

16 – 17 April 2008

JD Springer

Page 2

There are essentially two types of WAN connections:

Those where some other Agency is the DAA of the WAN. Such as: a contractor node certified and accredited by DSS connecting to a WAN which has been certified and accredited by another CSA such as DISA, Navy, Army, etc.

When DSS is not the DAA for the WAN, DSS will defer connection authority to the DAA of the WAN through the drafting and approval, by all involved DAAs, of a Memorandum of Agreement (MOA) or Memorandum of Understanding (MOU). The MOA or MOU must be completed prior to any connection to the non-DSS-controlled WAN.

Those where DSS is the DAA of the WAN. Example: a contractor node certified and accredited by DSS connecting to another contractor node also certified and accredited by DSS.

Page 3

Interim vs Approval

IATO vs ATO

Interim Approval to Operate (IATO) and Approval to Operate (ATO)

IATOs and ATOs will only permit the operation of the system or LAN. They will not permit connection to a WAN where DSS is the DAA.

• IATO - some period of time, normally 180 days; may be granted twice

• SIPRNET does not receive an IATO

IATC vs ATC

Interim Approval to Connect (IATC) and Approval to Connect (ATC)

Two additional documents have been created to support the WAN process. These documents are used when DSS is the CSA of the WAN. While many other government agencies employ similar documents, non-DSS DAAs for WANs will ultimately determine their own method of connection approval notification.

IATC – Allows a temporary connection to a WAN for no longer than 180 days, with the possibility of a single 180-day extension. IATCs are issued when connection of a node with an IATO is approved, or when the node has an ATO but the WAN has an IATO.

ATC – Allows connection to a WAN for three years, or less if a security-relevant change is determined by the DAA to require reaccreditation. Given when connection of a node with an ATO is approved and when the WAN has an ATO.

Page 4

Wide Area Networks

Government (controlled) Networks (SDREN or SIPRNET);

Mixed (Contractor & Government);

Contractor based (Contractor to Contractor);

The type of network connection may help in deciding what kind of network it is: Unified or Interconnected.

Unified

A unified network is a connected collection of systems or networks that are accredited: (1) under a single SSP, (2) as a single entity, and (3) by a single CSA. Such a network can be as simple as a small stand-alone LAN operating at Protection Level 1, following a single security policy, accredited as a single entity, and administered by a single ISSO. Conversely, it can be as complex as a collection of hundreds of LANs separated over a wide area but still following a single security policy, accredited as a single entity by a single CSA. The perimeter of each network encompasses all its hardware, software, and attached devices. Its boundary extends to all of its users.

Interconnected

An interconnected network is comprised of two or more separately accredited systems and/or networks. Each separately accredited system or network maintains its own intra-system services and controls, protects its own resources, and retains its individual accreditation. Each participating system or network has its own ISSO. The interconnected network shall have a controlled interface capable of adjudicating the different security policy implementations of the participating systems or unified networks. An interconnected network also requires accreditation as a unit.

Page 5

NETWORK SECURITY PLAN

A Network Security Plan (NSP) should cover the following information for the WAN:

1. ODAA UID and IS name.

2. Facility address.

3. POC information.

4. Protection level and the highest classification of data, with any caveats or formal access requirements identified.

5. Minimum clearance level of users.

6. Description with an accompanying diagram showing all connections.

7. Encryption method and devices in use.

8. Responsibilities.

9. Network connection rules. This should include a statement from the ISSM on whether or not full accreditation will be required for connection.

10. Signed and dated statement from the ISSM attesting that there are no additional connections to the WAN other than those identified in the NSP.

11. An ISSM-signed network participation sheet for each node which includes requirements 1-8 above and a description of the node system.

12. For any node not given an ODAA UID, an accreditation letter or a signed MOU/MOA must be included. If the node is under an MSSP, the protection profile associated with the node must also be identified.

Page 6

Network Security Plan (Contractor and Government Facilities Only)

Contractor facility name: CAGE Code: Network ID # Revision # Date:

Facility Address:

Contact Information

Network Security Manager: Phone Number:

CSA/DAA: Phone Number:

Network Identification

High-level description and usage of overall network:

Contract Number(s):

Protection, Sensitivity Level, and User Information

Minimum clearance level of user: CONFIDENTIAL / SECRET / TOP SECRET / Interim SECRET / Interim TOP SECRET

Network Protection Level: PL1 / PL2 / PL3 / PL4

Highest classification level of data: CONFIDENTIAL / SECRET / TOP SECRET

Category(s): NONE / COMSEC / RD / FRD / FGI / Other: Non-SCI

Formal access approvals: No / Yes. If yes, indicate: NATO / CNWDI / CRYPTO

NOTE: Access to COMSEC, CNWDI, RD or FRD information requires at a minimum: Final Secret.

Access to NATO, CNWDI, COMSEC or CRYPTO requires a: Formal Briefing Statement

Network Type and Data Transmission Protections

Encryption method: NSA/Type 1

Network Type: Unified or Interconnected. Refer to Figure 1, Overall Network Diagram

Need-to-Know Methodology for Network

1. All users must have a minimum of an Interim / Final Secret clearance, a XXXX Program briefing, XXXX WAN SSP briefing and possess a need-to-know in order to be granted access to the XXXX WAN.

NSM Responsibilities

Notes:

1. Is the focal point for the network and the individual Information System Security Managers (ISSMs).

2. Generate, achieve and maintain approval for the Network Security Plan.

3. Ensure all ISs on the network have an accredited System Security Plan (SSP).

4. Assure proper network security procedures are developed and implemented, and monitor the Network Security Plan for compliance.

5. Evaluate the impact of IS and network changes and apply for re-approval of the Network Security Plan if necessary.

6. Must notify all parties and rescind the Network Security Plan whenever circumstances may impede the security of any network member.

Page 7

Overall Network Security Profile (Contractor to Contractor Facilities Only)

Network Host Facility: Network Identifier:

Network Connection Rules

1. The interconnection between remote ISs will be controlled by National Security Agency (NSA) endorsed Type 1 encryption devices.

2. Clearance levels, contractual relationship with need-to-know and Formal Access Approval determinations at all locations must be established prior to connecting to the wide area network.

3. All ISs on the network shall have an accredited System Security Plan (SSP) – Interim Approval of the remote SSP is the minimum necessary to connect to the WAN.

4. Passwords will be provided by a classification-level-appropriate secure means.

5. Users must be knowledgeable of the Network Security Plan requirements for which they are responsible.

6. Each connecting site's ISSM shall coordinate any changes to the network with the Network Security Officer/Network Security Manager and shall gain approval by the appropriate cognizant security officials in advance.

7. The NSO/NSM and connecting sites will report immediately any security-related incident to the appropriate local cognizant security official.

Signature

By signing, I hereby certify that there are no additional connections to the wide area network other than those identified in this NSP.

NSO/NSM Signature: Date:

Page 8

Network Participant Data Sheet

Contractor facility name: CAGE Code: IS # Date:

Facility Address:

IS Contact Information

ISSM: Phone Number:

Network Security Manager: Phone Number:

CSA/DAA: Phone Number:

Description of Network: The XXXX WAN will be used for data manipulation, computation, sorting, comparison, reduction, transfer and other data-related operations in support of XXXX.

Contracts Supported (Contract Numbers):

IS Protection, Sensitivity Level, and User Information

Minimum clearance level of user: CONFIDENTIAL / SECRET / TOP SECRET / Interim SECRET / Interim TOP SECRET

Accredited Protection Level: PL1 / PL2 / PL3 / PL4

Highest classification level of IS data: CONFIDENTIAL / SECRET / TOP SECRET

Category(s): None / COMSEC / RD / FRD / FGI / Other:

Formal access approvals: No / Yes.

Need-to-Know Methodology for Network

1. The network encryption system will be an NSA Type One encryption device. (REMOVE) Suggest you DO NOT identify the type of encryption.

2. Unclassified configuration disks will be utilized, with groups and accounts set up on systems at each location.

ISSM Responsibilities for Connection to WAN

All remote participant sites will operate in the PL1 mode accredited by their local DSS office.

1. Notify the Network Security Manager (NSM) of any proposed external connections or system changes affecting security.

2. Notify the NSM of any local SSP or protection profile changes affecting the security of the WAN.

3. Ensure no changes are made to the network without proper review and approval by the NSM and cognizant DAAs.

4. Notify the NSM of IS reaccreditation.

5. Brief personnel on the use of the network. Users are not authorized to share User IDs or passwords.

6. Ensure audit trails associated with the network are reviewed on a weekly basis.

7. Report any security incidents or violations to the NSM.

8. Provide the Network Participant Data Sheet and DSS-signed Accreditation Letter to the NSM. Interim accreditation will be accepted as long as it does not affect the integrity and confidentiality of the XXXX WAN.

9. Back-side connections will not be authorized without the approval of the NSM.

ISSM Signature: Date:

Page 9

NETWORK SECURITY PLAN

In addition to the Host and Node Network Participant Data Sheets you will need a:

• Configuration diagram or Topology

• IATO, ATO for each node, or MOU (Government)

Page 10

Memorandum of Understanding

Government - Contractor - Government

Page 11

Memorandum of Agreement (Not as simple as the name would imply)

Government - Contractor - Government

Page 12

Memorandum of Agreement

Government - Contractor - Government

Page 13

KEY POINTS

When must you write a Network Security Plan?

• When you are the Host.

If you are not the Host, can your WAN be part of the Security Profile?

• Yes, include it as an Enclosure or Attachment

Can you approve a Node to connect to the WAN or the WAN NSP?

• No

According to DSS, WANs (Host or Node) must be inspected each year.

Page 15

SECRET Internet Protocol Router Network (SIPRNET)

The attached document is an example of the DISA request document. Ensure you send all the documents identified as Enclosures.