Download Wide Area Network Approvals Memorandum of Understanding

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
Document related concepts

Unix security wikipedia , lookup

Computer and network surveillance wikipedia , lookup

Security-focused operating system wikipedia , lookup

Wireless security wikipedia , lookup

Computer security wikipedia , lookup

Mobile security wikipedia , lookup

Distributed firewall wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Network tap wikipedia , lookup

Cybercrime countermeasures wikipedia , lookup

Transcript 
Wide Area Network Approvals
Memorandum of Understanding
SIPRNET
JSAC Dallas – Fort Worth
16 – 17 April 2008
JD Springer
There are essentially two types of WAN connections
Those where some other Agency is the DAA of the WAN.
Such as: a contractor node certified and accredited by DSS connecting to a WAN which has
been certified and accredited by another CSA such as DISA, Navy, Army etc.
When DSS is not the DAA for the WAN, DSS will defer connection authority to the DAA of the
WAN though the drafting and approval by all involved DAAs of a Memorandum or Agreement
(MOA) or Memorandum of Understanding (MOU). The MOA or MOU must be completed prior
to any connection to the non-DSS controlled WAN.
Those where DSS is the DAA of the WAN.
Example: a contractor node certified and accredited by DSS connecting to another contractor
node also certified and accredited by DSS.
Interim vs Approval
IATO vs ATO
Interim Approval to Operate (IATO) and Approval to Operate (ATO)
IATOs and ATOs will only permit the operation of the system or LAN. They will not permit
connection to a WAN where DSS is the DAA.
• IATO - Some period of time - normally 180 days may be granted twice
• SIPRNET does not receive an IATO
IATC vs ATC
Interim Approval to Connect (IATC) and Approval to Connect (ATC)
Two additional documents have been created to support the WAN process. These documents are
used when DSS is the CSA of the WAN. While many other government agencies employ similar
documents, non-DSS DAAs for WANs will ultimately determine their own method of connection
approval notification.
IATC – Allows a temporary connection to a WAN for no longer than 180 days with the possibility of
a single 180 day extension. IATC are issued when connection of a node with an IATO is approved
or when the node has an ATO but the WAN has an IATO.
ATC - Allows connection to a WAN for three years or less if a security relevant change is
determined by the DAA to acquire reaccreditation. Given when connection of a node with an ATO
is approved and when the WAN has an ATO.
Wide Area Networks
Government (controlled) Networks (SDREN or SIPRNET);
Mixed (Contractor & Government);
Contractor based (Contractor to Contractor);
Depending on the type of network connection may help in deciding what kind of network: Unified
or Interconnected.
Unified
A unified network is a connected collection of systems or networks that are accredited:
(1) under a single SSP, (2) as a single entity, and (3) by a single CSA. Such a network
can be as simple as a small stand-alone LAN operating at Protection Level 1, following
a single security policy, accredited as a single entity, and administered by a single
ISSO. Conversely, it can be as complex as a collection of hundreds of LANs
separated over a wide area but still following a single security policy, accredited as a
single entity by a single CSA. The perimeter of each network encompasses all its
hardware, software, and attached devices. Its boundary extends to all of its users.
Interconnected
An interconnected network is comprised of two or more separately accredited systems
and/or networks. Each separately accredited system or network maintains its own
intra-system services and controls, protects its own resources, and retains its
individual accreditation. Each participating system or network has its own ISSO. The
interconnected network shall have a controlled interface capable of adjudicating the
different security policy implementations of the participating systems or unified
networks. An interconnected network also requires accreditation as a unit.
NETWORK WORK SECURITY PLAN
A Network Security Plan (NSP) should cover the following information for the WAN:
1. ODAA UID and IS name.
2. Facility address.
3. POC information.
4. Protection level and the highest classification of data with any caveats or
formal access requirements identified.
5. Minimum clearance level of users.
6. Description with an accompanying diagram showing all connections.
7. Encryption method and devices in use.
8. Responsibilities.
9. Network connection rules. This should include a statement from the
ISSM on whether or not full accreditation will be required for
connection.
10. Signed and dated statement from the ISSM attesting that there are no
additional connections to the WAN other than those identified in the
NSP.
11. An ISSM signed network participation sheet for each node which
includes requirements 1-8 above and a description of the node system.
12. For any node not given an ODAA UID an accreditation letter or a signed
MOU/MOA included. If the node is under an MSSP, the protection
profile associated with the node must also be identified.
Network Security Plan
(Contractor and Government Facilities Only)
Date:
Network ID #
Contractor facility name:
1
Revision #
2
CAGE Code :
Facility Address:
Contact Information
3
CSA/DAA:
Phone Number:
Network Security Manager:
Phone Number:
Network Identification
High-level description and usage of overall network:
Contract Number(s):
4
Protection, Sensitivity Level, and User Information
Network Protection Level: PL1 PL2 PL3 P L4
Highest classification level of data:
CONFIDENTIAL SECRET TOP SECRET
Category(s): NONE COMSEC RD FRD FGI Other: Non-SCI
Formal access approvals: No Yes. If yes, indicate NATO CNWDI CRYPTO
Minimum clearance level of user:
CONFIDENTIAL
SECRET
TOP SECRET
Interim SECRET Interim TOP SECRET
6
Network Type and Data Transmission Protections
Network Type: Unified or Interconnected, Refer to Figure 1, Overall Network Diagram
Encryption method: NSA/Type 1
5
7
Need-to-Know Methodology for Network
1. All users must have a minimum of an Interim / Final Secret clearance, a XXXX Program briefing, XXXX WAN SSP briefing and possess a need-to-know in order
to be granted access to the XXXX WAN.
NSM Responsibilities
8
1. Is the focal point for the network and the individual Information System Security Mangers (ISSMs).
2. Generate & achieve and maintain approval for the Network Security Plan.
3. Ensure all ISs on the network have an accredited System Security Plan (SSP)
4. Assure proper network security procedures are developed and implemented, and will monitor the Network Security Plan for compliance.
5. Evaluate the impact of IS and network changes and apply for re-approval of the Network Security Plan if necessary.
6. Must notify all parties and rescind the Network Security Plan whenever circumstances may impede the security of any network member.
Notes:
NOTE: Access to COMSEC, CNWDI, RD or FRD information require at a minimum: Final Secret.
Access to NATO, CNWDI, COMSEC or CRYPTO require a: Formal Briefing Statement
Overall Network Security Profile
Contractor to Contractor
Facilities Only
Network Identifier:
Network Host Facility:
Network Connection Rules
9
1.The interconnection between remote ISs will be controlled by National Security Agency (NSA) endorsed Type 1 encryption devices.
2.Clearance levels, contractual relationship with need-to-know and Formal Access Approval determinations at all locations must be
established prior to connecting to the wide area network.
3.All ISs on the network shall have an accredited System Security Plan (SSP) – Interim Approval of the remote SSP is the minimum
necessary to connect to the WAN.
4.Passwords will be provided by a classification level appropriate secure means.
5.Users must be knowledgeable of the Network Security Plan requirements for which they are responsible.
6.Each connecting site's ISSM shall coordinate any changes to the network with the Network Security Officer/Network Security
Manager and shall gain approval by the appropriate cognizant security officials in advance.
7.The NSO/NSM and connecting sites will report immediately any security-related incident to the appropriate local cognizant security
official.
Signature
10
By signing, I hereby certify that there are no additional connections to the wide area network other than those identified in this NSP.
NSO/NSM Signature:
Date:
11
IS #
Network Participant Data Sheet
Date:
1
Contractor facility name:
2
Facility Address:
CAGE Code:
IS Contact Information
CSA/DAA:
Phone Number:
Network Security Manager:
Phone Number:
3
ISSM:
Phone Number:
Contracts Supported: (Contract Numbers):
Description of Network: The XXXX WAN will be used for used data manipulation, computation, sorting comparison, reduction, transfer and other
data related operations in support of XXXX.
IS Protection, Sensitivity Level, and User Information
Accredited Protection Level: PL1 PL2 PL3 PL4
Highest classification level of IS data:
CONFIDENTIAL SECRET TOP SECRET
Category(s): None COMSEC RD FRD FGI Other:
Formal access approvals: No Yes.
4
5
Minimum clearance level of user:
CONFIDENTIAL
SECRET
TOP SECRET
Interim SECRET Interim TOP SECRET
7
Need-to-Know Methodology for Network
1. The network encryption system will be a NSA Type One encryption device. (REMOVE) Suggest you DO NOT identify the type of encryption
2. Unclassified configuration disks will be utilized with groups and accounts set up on systems at each location.
ISSM Responsibilities for Connection to WAN
All remote participant sites will operate in the PL1 mode accredited by their local DSS office.
1.Notify the Network Security Manager (NSM) of any proposed external connections or system changes effecting security.
2.Notify NSM of any local SSP or protection profile changes effecting the security of the WAN.
3.Ensure no changes are made to the network without proper review and approval by the NSM and cognizant DAAs.
4.Notify NSM of IS reaccreditation.
5.Brief personnel on the use of the network. Users are not authorized to share User IDs or passwords.
6.Ensure audit trails associated with the network are reviewed on weekly basis.
7.Report any security incidents or violations to the NSM.
8.Provide Network Participant Datasheet and DSS signed Accreditation Letter to the NSM. Interim accreditation will be accepted as long as it does not affect the
integrity and confidentiality of the XXXX WAN.
9.Back-sided connections will not be authorized without the approval of the NSM
8
ISSM Signature:
Date:
NETWORK SECURITY PLAN
In addition to the Host and Node Network
Participant Data Sheets you will need a:
• Configuration diagram or Topology
• IATO, ATO for each node or MOU
(Government)
Memorandum of Understanding
Government - Contractor - Government
Memorandum of Agreement
(Not as simple as the name would imply)
Government - Contractor - Government
Memorandum of Agreement
Government - Contractor - Government
KEY POINTS
When must you write a Network Security Plan?
• When you are the Host.
If you are not the Host, can your WAN be part of the Security Profile?
• Yes, include it as an Enclosure or Attachment
Can you approve a Node to connect to the WAN or the WAN NSP?
• No
According to DSS, WANs (Host or Node) must be inspected each year.
SECRET Internet Protocol Router Network
(SIPRNET)
The attached documents comprise the
documents needed in the DSS SIPRNET
process.
SECRET Internet Protocol Router Network
(SIPRNET)
The attached document is an example of the
DISA request document. Ensure you send
all the documents identified as Enclosures.
Bonus Material
Related documents
WAN Data Networks
WAN Data Networks
الشريحة 1
الشريحة 1
Networks
Networks
Resume (Word) - Zach Campbell
Resume (Word) - Zach Campbell
Director of Technology Position Overview Philip`s Education
Director of Technology Position Overview Philip`s Education
Transcript: Common WAN Components and Issues
Transcript: Common WAN Components and Issues
What is a Network? - ITCK
What is a Network? - ITCK
Course Code
Course Code
HONG KONG—A Chinese health expert has suggested that hand
HONG KONG—A Chinese health expert has suggested that hand
Information Technology
Information Technology
Network Security Manager - Harris
Network Security Manager - Harris
is accepting applications for a Network Engineer who will be
is accepting applications for a Network Engineer who will be
Network Engineer - PCI Strategic Management
Network Engineer - PCI Strategic Management