3-2 Customer Initiates DISA Storefront Process
Identify the appropriate network/service in the DISA Service Catalog at https://www.disa.mil/Network-Services.
After the appropriate network/service is identified and applicable approvals are received, the customer initiates a request for service fulfillment on DISA Storefront (DSF), the ordering tool described in the DISN Telecommunications Business Services guide. If a circuit is ordered, DISA has a specified time in which to deliver it. Customers should use the delivery timelines for planning purposes when ordering circuits, to minimize the time between delivery of the circuit and its activation: once a circuit is delivered, billing commences within 72 hours of delivery whether or not the customer is ready to use it. A circuit should therefore be ordered only when the customer is within the applicable delivery timeline of completing all required actions; otherwise it should not be ordered.
* Contact the DCCC for the delivery timeline: (844) 347-2457, Option 2.
In the event the service request qualifies as an Emergency or Essential National Security/Emergency Preparedness (NS/EP) telecommunications service, there is an expedited process available, both for service fulfillment and for connection approval.
In parallel, or shortly after initiating the request for service through DSF, the customer should begin the A&A process for the enclave for which a connection to the DISN is required.
For additional information on the RMF, see NIST SP 800-37 (ref n) and the RMF Knowledge Service (ref o) at https://rmfks.osd.mil/.
3-3 Customer Registers Connection Information
Customers are required to register the connection information (new or legacy) within applicable systems/databases.
Once the DSF process has been completed with the receipt of a CCSD, customers are required to register and maintain their IS information (IP address ranges, hosts, POCs, etc.) in the appropriate databases based on classification of the connection:
- Network Information Center (NIC), reached through the DCCC at (844) 347-2457, Option 2; CML: (614) 692-0032, Option 2; DSN: (312) 850-0032, Option 2; firstname.lastname@example.org, for all unclassified connections
- SNAP (https://snap.dod.mil) for:
- Voice, video, and data circuit registrations and connections to unclassified networks/services
- DoD CIO temporary exception to policy registrations (Appendix G)
- DCCC at (844) 347-2457, Option 2; CML: (614) 692-0032, Option 2; DSN: (312) 850-0032, Option 2; firstname.lastname@example.org, for all classified connections
- SGS (https://giap.disa.smil.mil/gcap/home.cfm) for:
- Voice, video, and data circuit registrations/connections to classified networks/services
- Ports, Protocols, and Services Management (PPSM) (https://pnp.cert.smil.mil) (http://iase.disa.mil/ppsm) for:
- All networks/systems ports, protocols, and services for all IP solutions or applications, in accordance with DoDI 8551.01 (ref e)
|Note: DoDI 8510.01, Change 1, (ref d) Enclosure 8 authorizes and encourages DoD Components to start using RMF immediately when authorizing DoD IS and PIT systems and provides a timeline and instructions for transition from DIACAP to RMF. DIACAP packages can be submitted to Component Authorizing Officials (AOs) up until 1 Oct 2016. Any DoD IS or PIT system with a DIACAP package submitted through 1 Oct 2016 will only be authorized an ATO for at most 1.5 years from the date of the AO’s signature. On 2 Oct 2016, only RMF packages can be submitted to AOs. In the case of significant financial or operational impacts of transitioning to RMF, an AO may submit a request for deviation from this guidance for specific systems to the respective DoD Component CIO for approval. All requests for deviation forwarded to the Component CIO must be accompanied by an IS transition plan and a plan of action and milestones. During the transition, DISA will accept a request for a DISN connection that is supported by an ATO with RMF or DIACAP artifacts but will not accept a package with a combination of RMF and DIACAP artifacts.|
Account Registration for the SNAP and SGS Databases
CAP packages for connections will be uploaded by the customer in the SNAP (unclassified) or SGS (classified) database. The customer must first register and obtain a SNAP or SGS account in order to submit a CAP package. Note: a legacy version of SGS is provided as a reference only; Legacy SGS is not updated and does not contain current information, and it will be removed in the near future.
|Note: DISN ATCs will not be issued until the enclave’s systems are properly registered in the PPSM registry and have a valid PPSM registration identification number. For questions regarding PPSM registration call the PPSM Office at 301-225-2904.|
SNAP and SGS Account Request Procedures
- Go to https://snap.dod.mil for SNAP and https://giap.disa.smil.mil for SGS
- Click on “Request a SNAP account” or “Request a SGS account”
- Upload a completed, signed DD Form 2875, System Authorization Access Request (SAAR); the DD Form 2875 can be downloaded from the Reference Documents page in SNAP and/or SGS
- Complete section 13 of the DD Form 2875, “Justification for Access” by specifying the SNAP and/or SGS module and user role for the CC/S/A/FA
- Complete the profile data; asterisked items are required fields
- Click “Submit Request” for approval
- Once the account is approved, proceed with the creation/registration of the connection to include the submittal/upload of the RMF/DIACAP executive package artifacts once the local RMF A&A/DIACAP C&A is completed
3-4 Registration and Submission Process for CAP Packages
The below steps detail the registration and submission process for both unclassified and classified CAP packages:
SNAP (Unclassified) and SGS (Classified) Submittal Process
- Log on to SNAP (https://snap.dod.mil) for Unclassified Connections and SGS (https://giap.disa.smil.mil) for Classified Connections
- Hover the mouse over “NIPR” for SNAP or “GIAP” for SGS and select “New Registration”
- Complete all required fields of the NIPR or GIAP Checklist (Sections with a locked icon are reserved for use by CAO Analyst)
- Upload Attachments for the RMF/DIACAP executive package artifacts in the Attachments/Documents Section as applicable
- Once all sections are completed, a submit button at the bottom of the screen will be available in order to submit the entire registration
- For NIPR packages that have classified artifacts, upload a placeholder document in the applicable section in SNAP stating that the artifact was submitted on SIPR. The date of the email and sender’s name should be in the note. Send the email to the SIPR UCAO mailbox: email@example.com.
3-5 DISN Connection Approval Package Submission
The customer connection requests are submitted to the CAO in the form of a SNAP or SGS registration and uploading of the CAP package. This package provides the CAO the information necessary to make a connection approval decision. CAP packages should be submitted at least 30 days prior to the desired connection date, for new connections, or 30 days prior to the existing ATC or IATC expiration date, to ensure service continuity. The following documentation is required for the CAO to analyze a CAP package:
3.5.1 DoD Component Connections to the DISN:
Connection Approval Packages for DoD Component connections to DISN will include the following documentation:
|CAP Package Required Documentation: DoD Component Connections|
|RMF Artifacts||DIACAP Artifacts|
|Authorization Decision Document (ADD) signed by the AO||ATO or ATO with conditions signed by the DAA|
|Security Assessment Report (SAR)||DIACAP Scorecard|
|Security Plan (SP)||System Identification Profile (SIP)|
|POA&M||IT Security POA&M|
|Detailed Topology Diagram||Detailed Topology Diagram|
|Consent to Monitor||Consent to Monitor|
|AO Appointment Letter||DAA Appointment Letter|
For additional RMF guidance, please go to the RMF/DIACAP Knowledge Management website at: https://rmfks.osd.mil/login.htm.
3.5.2 Mission Partner Connections to the DISN
Connection Approval Packages for Mission Partner connections to DISN will include the following documentation. DoD Sponsors and Mission Partners will ensure information in SNAP/SGS is kept up to date.
|CAP Package Required Documentation: Mission Partner Connections|
|ATO or ATO with conditions signed by the AO/DAA|
|As appropriate: RMF Documentation or DIACAP Executive Package (DIACAP Scorecard) in accordance with DoDI 8510.01, DoD 5220.22-M, NISPOM, NIST 800-37, ICD 503 documentation, or equivalent documentation|
|Statement of Residual Risk|
|Detailed Topology Diagram|
|DoD Sponsor Validation Letter / Revalidation Letter|
|DoD CIO Memo validating the mission requirement for a new Mission Partner connection to DISN|
|Consent to Monitor (the DoD Sponsor is responsible for signing the CTM)|
|AO/DAA Appointment Letter|
|The DoD Sponsor must validate the Mission Partner’s need for access to the DISN. The DoD Sponsor and Mission Partner must understand and agree (e.g., MOA/MOU, contract) to their responsibilities as stated in the DoD CIO Sponsor Memorandum.|
3.5.3 DoD Classified Contractor Connections to DISN:
In addition to the requirements in paragraph 3.5.2, a Connection Approval Package for a Classified Defense Contractor connection to DISN will include:
|CAP Package Required Documentation: DoD Contractor Connections|
|Master System Security Plan and Information Security Plan|
|DoD 5220.22-M, NISPOM executive package artifacts|
|The Defense Security Service (DSS) has responsibility for all AO actions related to Classified Contractor connections to DISN in accordance with NISPOM C&A; see the DSS-DISA MOA for further specifics regarding classified DoD contractor connections|
DoD Contractor connections to the SIPRNet must go through DSS for A&A of their facilities and information systems. For questions regarding DSS A&A, contact the DSS SIPRNet Program Management Office at firstname.lastname@example.org or by phone at 888-282-7682.
3.5.4 Federal Departments, IC, and Other Mission Partners:
In addition to the requirements in paragraph 3.5.2, a Connection Approval Package for a Federal Department or Agency, IC or other Mission Partner (e.g., coalition partner) connection to DISN will include:
|CAP Package Required Documentation: Federal Departments and Agencies, IC and Other Mission Partner Connections|
|The documentation used for authorization of a Federal Mission Partner IS not categorized as a National Security System (NSS) will use National Institute of Standards and Technology (NIST) SP 800-37 Rev 1|
|The documentation used for authorization of a Federal Mission Partner IS categorized as an NSS will use CNSS Instruction (CNSSI) No. 1253 Security Categorization and Control Selection for National Security Systems, 27 March 2014|
|The documentation used for authorization of an IC IS or other Mission Partner IS will be in accordance with ICD 503, RMF Documentation, DIACAP Executive Package (DIACAP Scorecard), or equivalent documentation. IC documentation and submitted artifacts will be commensurate with the IC reciprocity memorandum.|
|DoD CIO Memorandum of Agreement with Federal Departments and Agencies for connection to DISN in lieu of a DoD Sponsor validation memo.|
|Joint Staff approval memo for 5 Eyes/coalition partner connections to DISN|
|Connection requests for all Mission Partners require a validation/revalidation memo signed by the DoD sponsor and validated by the DoD CIO|
3-6 Reauthorization or Reaccreditation Connection Evaluation
If an enclave is approaching its Authorization Termination Date (ATD), the system owner/program manager must reinitiate the A&A/C&A process and obtain a new authorization decision from the AO. Ideally, the new ATO will be issued and an updated CAP package uploaded to SNAP or SGS a minimum of 30 days prior to the expiration of the current ATC/IATC. In accordance with DoDI 8510.01 (ref d), “systems that have been evaluated as having a sufficiently robust system-level continuous monitoring program (as defined by emerging DoD continuous monitoring policy) may operate under a continuous reauthorization.” AOs who determine that their DISN-connected enclave has met DoD’s continuous monitoring policy requirements are still required to update their respective ATO at a minimum of every three (3) years before a new ATC/IATC will be issued. For UC connection requirements, see Appendix E. If a system does not have a sufficiently robust system-level continuous monitoring program, “systems must be reassessed and reauthorized/reaccredited once every 3 years.” The results of an annual review or a major change in the cybersecurity posture at any time may also indicate the need for reassessment and reauthorization of the system in accordance with Appendix III to OMB Circular A-130 (ref q).
The expiration date of an ATC/IATC is usually the same as (and will never go beyond) the ATD expiration date of the associated scorecard. In some instances, the results of the DSAWG risk assessment may warrant the issuance of an ATC/IATC with an authorization period shorter than that of the associated scorecard or RMF documentation. An expired ATC/IATC will prompt a review by Joint Force Headquarters DODIN (JFHQ DODIN), and may result in an order to disconnect the enclave from the DISN network/service. In accordance with DoDI 8510.01 (ref d), “An ADD/ATO authorization decision must specify an ATD that is within 3 years of the authorization date unless the IS or PIT has a system-level continuous monitoring program compliant with DoD continuous monitoring policy as issued.”
The AO may decide that planned changes to an enclave are significant enough to warrant reinitiating the full A&A process, with subsequent issuance of a new reauthorization decision inside the normal 3-year authorization cycle. If no physical reconfiguration of the DISN circuit is needed to effect the planned changes, such modifications to an enclave (even if significant enough to warrant a new authorization decision) do not need to be coordinated with the corresponding DISN Validation Official. However, the planned events may have a significant impact on the IA/cybersecurity posture of the enclave, and consequently on the risk the enclave poses to the DISN community at large. Pre-coordination with the CAO is necessary to ensure the updated topologies, CAP package artifacts, and risk decision artifacts are updated and available for the connection approval decision.
Examples of significant impact events:
- Deployment of a cross domain solution (CDS)
- Deployment of a UC product enhancing the capability of the enclave (i.e., softswitch VoIP, VoSIP, CVVoIP), even if the application is already accredited by the enclave AO
- Rehoming of an authorized enclave to a new DEMARC; such as moving to a new facility where a new CCSD(s) is issued by Defense Information Technology Contracting Office (DITCO), unless the TSO clearly states that the authorization will transfer.
|Note: An Automated Information System (AIS) that has already been authorized by the DISA AO for deployment on DISN/DODIN does not trigger a requirement for pre-coordination with the CAO if deployed to another enclave on DISN.|
The following events do not need to be pre-coordinated with the CAO prior to deployment/ implementation. However, these events must be identified to the CAO no later than deployment/ implementation by providing an updated network topology diagram and SIP.
- Deployment of new VoIP phones requiring a new VLAN segment within the enclave
- Deployment of new VTC products (on DoD UC APL)
- Changes in the IP address range assigned to the IS/enclave
- DISA transport re-homing actions that change the connection points to DISN but the enclave remains at the same facility
- Upgrade of bandwidth service
To update the registration for existing connections, use the following processes:
- Logon to SNAP (https://snap.dod.mil) for Unclassified Connections and SGS (https://giap.disa.smil.mil) for Classified Connections
- Hover the mouse over the respective tab (e.g., “Waiver,” “Defense Switched Network,” “VPN,” or “NIPRNet”) for Unclassified Connection in SNAP and the respective tab (GIAP or CDS) for Classified Connection in SGS and select “View/Update”
- Use the Search Field to locate the registration
- Complete all required fields of the Checklist (Sections with a locked icon are reserved for use by CAO Analyst)
- Upload Attachments for the RMF, DIACAP, or other applicable executive package artifacts in the “Attachments/Documents” section as applicable
- Once all sections are completed, a submit button at the bottom of the screen will be available in order to submit the entire registration
3-7 Connection Process Checklist
This checklist provides the key activities that must be performed by the Mission Partner or DoD Component sponsor during the connection approval process:
|Item||DoD Component (New)||DoD Component (Existing)||Mission Partner (New)||Mission Partner (Existing)|
|Obtain DoD CIO approval for Non-DoD connection||X||*|
|Provision the connection||X||X||*|
|Perform the A&A process||X||X||X||X|
|Obtain an authorization decision (ATO/IATT)||X||X||X||X|
|Register the connection||X||**||X||*|
|Register in the GIAP/SGS and/or SNAP database||X||**||X||*|
|Register in the PPSM database||X||**||X||*|
|Register in the DITPR database (NIPR Only)||X||**||X||*|
|Register in the SIPRNet IT Register database (SIPR Only)||X||**||X||X|
|Register with the SIPRNet Support Center (SSC) (SIPR Only)||X||X|
|Complete the CAP package||X||X||X||X|
|DIACAP Executive Package (or equivalent for non-DoD entities)/RMF Security Assessment Report||X||X||X||X|
|DIACAP Scorecard/Systems Authorization Package||X||X||X||X|
|System Identification Profile/System’s Security Plan||X||X||X||X|
|Plan of Actions and Milestones, if applicable||X||X||X||X|
|AO Appointment Letter||X||X||X||X|
|Network/Enclave Topology Diagram||X||X||X||X|
|Consent to Monitor||X||X||X||X|
|Proof of Contract/SLA/MOU/MOA||X||X|
|DoD CIO Approval Letter||X||X|
|Submit the CAP package to the CAO||X||X||X||X|
|Receive remote compliance scan (SIPR Only)||X||X|
|Proof of a funded agreement with a DoD accredited Computer Network Defense Service Provider (CNDSP)||X||X||X||X|
* – This step is not required for existing mission partner connections unless there has been a change in Sponsor, mission requirement, contract, location, or the connection has not been registered.
** – This step is not required for existing connections that are already registered and where all information is current.
|Note: The CAO review of the SIPRNet CAP package for new connections includes an on-line initial remote compliance assessment. This is a SIPRNet vulnerability scan of the requesting enclave’s ISs performed by DISA, to identify possible vulnerabilities that exist within the enclave. The results are used during the connection approval decision-making process prior to the enclave going operational.|
3-8 Customer Network Enclave Topology Diagram Requirements
Network Topology Diagram/Systems Design Document – the diagram below depicts the network topology and security posture of the Customer network enclave that will be connecting to the DISN. The Network Topology Diagram document should:
- Be dated
- Clearly delineate authorization boundaries
- Identify the CCSDs of all connections to the DISN
- Identify equipment inventory (to include the most recent configuration including any enclave boundary firewalls, Intrusion Detection Systems (IDS), premise router, routers, switches, backside connections, Internet Protocol (IP) addresses, encryption devices, and Cross Domain Solutions (CDS))
- Other SIPRNet connections (access points) must be shown; the flow of information to, from, and through all connections, host IP addresses, and CCSD number, if known must be shown
- Identify any other cybersecurity or cybersecurity-enabled products deployed in the enclave
- Identify any connections to other systems/networks/enclaves
- Identification of other connected enclaves must include:
- The name of the organization that owns the enclave
- The connection type (e.g., wireless, dedicated point-to-point, etc.)
- IP addresses for all devices within the enclave
- The organization type (e.g., DoD, federal agency, contractor, etc.)
- Identify the Internetwork Operating System (IOS) version
- Include the model number(s) and IP addresses of the devices on the diagram; the diagram must show actual and planned interfaces to internal and external LANs or WANs (including backside connections)
|Note: It is important to note that in accordance with DoD and DISA guidance, firewalls, Intrusion Detection Systems (IDSs) and Wireless IDSs (where applicable) are required on all partner enclaves. Private IP addresses (non-routable) are not permitted on SIPRNet enclaves without an acceptable RFC 1918 community risk assessment from the DSAWG. For more information go to the following link: https://intelshare.intelink.gov/sites/dsawg/default.aspx. Indicate and label all of the devices, features, or information; minimum diagram size: 8.5″ x 11″. All cybersecurity and cybersecurity-enabled products that require use of the product’s cybersecurity capabilities must comply with the evaluation and validation requirements of (ref p) in accordance with DoDI 8500.01 (ref a).|
DoD Components are required to acquire or operate only UC products listed on the UC APL, unless, and until, a DoD CIO temporary exception to policy is approved in accordance with DoDI 8100.04, Unified Capabilities (ref g). The DoD UC Approved Products List can be found at the DISA APLITS web page: https://aplits.disa.mil.
All Topologies MUST include IP address ranges, equipment make/model, and software version.
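The inventory requirements above lend themselves to a mechanical pre-submission check before the CAP package is uploaded. The following is an added example, not code from the CPG or from DISA: it reads a constructed JSON inventory of the enclave (the field names, the `classification` value, the `role` labels and the `dsawg_rfc1918_risk_assessment` flag are assumptions made for this example) and reports undated diagrams, missing CCSDs or boundary, devices without make/model/software version/IP, enclaves with no firewall or IDS, external connections without owner/type, and RFC 1918 addresses on a SIPRNet enclave that has no DSAWG community risk assessment.

```python
"""Pre-submission check of a DISN enclave topology inventory.

Added example, not part of the DISA Connection Process Guide. The JSON layout,
field names and the sample inventory are assumptions constructed for illustration.
"""
import ipaddress
import json

# The three RFC 1918 ranges, listed explicitly: ipaddress.is_private also covers
# loopback, link-local and documentation space, which is not what the note means.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
REQUIRED_DEVICE_FIELDS = ("name", "role", "make", "model", "software_version", "ip")
REQUIRED_EXTERNAL_FIELDS = ("owner", "connection_type", "organization_type")
REQUIRED_ROLES = {"firewall", "ids"}  # required on all partner enclaves

# Constructed sample inventory (assumed layout; 198.51.100.0/24 is documentation space).
SAMPLE_INVENTORY = json.dumps({
    "diagram_date": "2016-05-02",
    "classification": "SIPRNet",
    "ccsds": ["ABCD1234"],
    "authorization_boundary": "Enclave LAN behind the premise router",
    "devices": [
        {"name": "premise-rtr", "role": "router", "make": "Cisco", "model": "ISR4451",
         "software_version": "IOS-XE 16.3", "ip": "198.51.100.1"},
        {"name": "fw-1", "role": "firewall", "make": "Palo Alto", "model": "PA-3020",
         "software_version": "PAN-OS 7.1", "ip": "198.51.100.2"},
        {"name": "ids-1", "role": "ids", "make": "Cisco", "model": "FirePOWER 7010",
         "ip": "10.10.5.7"},  # no software version and an RFC 1918 address
    ],
    "external_connections": [
        {"owner": "Example Agency", "connection_type": "dedicated point-to-point",
         "organization_type": "federal agency"},
        {"owner": "Example Contractor", "connection_type": "wireless"},  # no organization type
    ],
})


def is_rfc1918(ip_text):
    """True if the address lies in one of the three RFC 1918 private IPv4 ranges."""
    addr = ipaddress.ip_address(ip_text)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def check_topology(raw_json):
    """Return a list of findings; an empty list means the inventory passes every check."""
    inv = json.loads(raw_json)
    findings = []

    # Document-level items: dated, boundary delineated, CCSDs identified.
    for key, msg in (("diagram_date", "diagram is not dated"),
                     ("authorization_boundary", "authorization boundary not delineated"),
                     ("ccsds", "no CCSD identified for the DISN connection(s)")):
        if not inv.get(key):
            findings.append(msg)

    sipr = inv.get("classification", "").upper() == "SIPRNET"
    dsawg_ok = bool(inv.get("dsawg_rfc1918_risk_assessment"))
    roles_seen = set()

    for dev in inv.get("devices", []):
        label = dev.get("name", "<unnamed>")
        for field in REQUIRED_DEVICE_FIELDS:
            if not dev.get(field):
                findings.append(f"{label}: missing {field}")
        roles_seen.add(dev.get("role"))
        ip_text = dev.get("ip")
        if ip_text:
            try:
                private = is_rfc1918(ip_text)
            except ValueError:
                findings.append(f"{label}: invalid IP address {ip_text!r}")
                continue
            if sipr and private and not dsawg_ok:
                findings.append(f"{label}: RFC 1918 address {ip_text} on a SIPRNet enclave "
                                "without a DSAWG community risk assessment")

    for role in sorted(REQUIRED_ROLES - roles_seen):
        findings.append(f"no device with role {role!r} in the enclave")

    for ext in inv.get("external_connections", []):
        label = ext.get("owner", "<unknown owner>")
        for field in REQUIRED_EXTERNAL_FIELDS:
            if not ext.get(field):
                findings.append(f"external connection {label}: missing {field}")

    return findings


if __name__ == "__main__":
    for finding in check_topology(SAMPLE_INVENTORY):
        print("FINDING:", finding)
```

Run against the constructed sample, the script reports three findings: the IDS lacks a software version, its 10.10.5.7 address is RFC 1918 space on a SIPRNet enclave with no DSAWG assessment recorded, and the contractor connection has no organization type. Clearing such findings before upload avoids a round trip with the CAO analyst over an incomplete diagram.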
3-9 Customer Network Enclaves Connecting via JRSS
The topology diagram for customer network enclaves that connect via the JRSS must include a JRSS topology overlay as shown in the diagram below. The JRSS topology overlay also must identify the make/model/IP address/software version of the JRSS equipment being used.
3-10 Tactical Exercise or Mission CAP Packages
Tactical exercise/mission CAP packages must be submitted a minimum of eight (8) days prior to the start of the exercise/mission. Upon successful registration of the initial tactical mission/exercise, the registration will become valid for the duration of the ATO. The Registration ID number, that is auto-generated from SGS upon registration, will be used as a reference to access DoD Gateway SIPRNet services for the duration of the ATO. This Registration ID number will be used on all future missions, and provided to the CONEX in the remarks section 1 of the Gateway Authorization Request (GAR). Remarks will be: “SGS Registration ID number xxxxx for SIPRNet IATC, expiration DD-MMM-YYYY.”
Customers are not required to register for each mission after initial registration. The authorization is valid through ATO revocation and/or expiration. If the current ATO will expire prior to the next time the tactical user will enter a DoD Gateway, the user will start a new request so that a new Registration ID number can be issued. Any change to equipment configuration affecting the security posture of the system that results in a new ATO will require registration in the SGS database. A complete authorization package is not submitted with a CAP package for a tactical exercise/mission; however, the CAP package must include at a minimum an ATO letter, Gateway Access Authorization (GAA), and topology/System Design Document (SDD).
The CAO will review the registration information and will issue an IATC/ATC for the duration of the ATO upon successful and complete registration. The IATC/ATC will be made available under section 10.1 of the SGS database (Scorecard). The DISA GSD/Tier II will verify the validity of the Registration ID number provided in the GAA against the SGS database prior to allowing access to SIPRNet.
For additional information, please review the Policy and Procedures for DoD Gateways (STEP/Teleport) SIPRNet DODIN Interconnection Approval Process System (SGS).
3-11 Mission Partner De-Militarized Zone or Gateway Connections
In accordance with CJCSI 6211.02D (ref b), non-DoD Mission Partner connections, including defense contractor enclave connections, to DISN-provided transport and information services must be through an established DISN DMZ and will follow DISN DMZ security requirements. DISA operates three (3) DMZs or Mission Partner Gateways: the NIPRNet Federated Gateway (NFG), the SIPRNet Federal DMZ (FED-DMZ), and the SIPRNet Releasable (SIPR REL) DMZ. In certain limited special-use cases, the DoD CIO has approved some non-DoD Federal Agency Mission Partner connections directly to the NIPRNet and SIPRNet; however, this is not the norm. Connections to the DISN DMZs/NFG can be made either physically or logically (see Figure 3). Mission Partners will work with the NIPRNet or SIPRNet DMZ offices listed in Table 2 to initiate their respective DMZ/NFG connections.
|DISA DMZ Offices|
|NIPRNet NFG||301-225-8684 DSN 375|
|SIPRNet REL-DMZ/FED DMZs||301-225-9607 DSN 375|
All Non-DoD NIPRNet/SIPRNet connections require DoD CIO Approval, a Contract/MOA/MOU and DoD Sponsor to validate DoD mission need for Mission Partner access to the DISN. DoD Sponsors must understand and agree to their responsibilities as stated in the DoD CIO Sponsor Memorandum (ref m), applicable issuances, the Defense Finance and Accounting Regulations (DFAR), and the DoD Sponsor and Mission Partner responsibilities must be codified in an appropriate agreement (e.g., MOA, MOU, or contract). The DoD CIO will establish MOA with Federal Departments and Agencies that have a mission requirement to connect to DISN.
In addition to the requirements listed in this section, to connect to the NIPRNet Federated Gateway mission partners must complete a NIPRNet Federated Gateway (NFG) Questionnaire as well as the NIPRNet Federated Gateway Policy spreadsheet (https://www.disa.mil/Network-Services/VPN/MPG). The questionnaire provides baseline data for engineering teams to work with mission partners, while the NFG Policy Spreadsheet identifies the firewall posture of the NFG that will support mission partners. The customer must notify the NIPRNet NFG or SIPRNet DMZ offices of the PPSM registration ID, in addition to the above referenced documentation. The DMZ/NFG team works with the Web Content Filtering team to ensure that the applicable firewall rulesets are vetted and provided to the DISA Command Center (DCC), which issues a DISA Task Order (DTO) for the DISA Global Operations Center (DGOC) to implement (see Figures 4 and 5). Should applicable PPSM not be identified, the corresponding services will not be available. This may result in subsequent submissions of firewall rule requests to support mission partner/sponsor requirements.
3-12 Mission Partner NIPRNet Federated Gateway Connections
The NIPRNet Federated Gateway (NFG) (aka Mission Partner Gateway (MPG) for JIE) provides a secure, robust, and scalable means for non-DoD Federal Agencies, mission partners, and contractors to connect to the Unclassified but Sensitive Internet Protocol (IP) Router Network (NIPRNet). The NFG supports both logical and physical connections.
|Note: It is strongly recommended that mission partners communicate with current service providers to ensure the smooth circuit hand off to NFG site/DISN Transport nodes. Logical circuits are an interim solution for migration to NFG and not meant to be an end state/long term solution|
3.12.1 NFG Logical Connections
Existing Mission Partner connections to NIPRNet may be extended to NFG without installing new physical circuits. This can be accomplished by provisioning logical tunnels using Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) or Internet Protocol Security (IPsec) VPN over the DISN. These tunnels extend existing Mission Partner connection(s) to the NFG and the traffic will flow to the NFG on a slightly different path than originating from physical connections. Encryption is also available for logical connections if required by the Mission Partner. Mission Partners are required to maintain a direct physical connection to a DISN node to be eligible for a logical connection. Logical connections through sponsors or other DoD agencies are not supported. Logical connection use cases are as follows:
1. A commercial circuit extends from the customer to the DISN node. At the DISN router the customer connects to the NFG COI (MPLS VPN) for logical transport to the NFG site.
2. Mission Partners currently connected to the DISN router for NIPRNet access will connect to the NFG COI (MPLS VPN), eliminating NIPRNet access without passing through the NFG first.
3.12.2 NFG Physical Connections
Physical connections are terminated on the NFG using up to OC-12 SONET, 1 Gb Ethernet, and 10 Gb Ethernet (copper or fiber) connections. A non-DoD organization such as a Federal Department/Agency, DoD contractor, or other mission partner may connect to the NFG router via a third-party leased circuit or DISN transport in consonance with a formal agreement (e.g., contract, MOU, MOA, etc.). In cases where the Mission Partner equipment is collocated with an NFG site, the Mission Partner Customer Premise Equipment (CPE) can connect to the NFG using a direct cable connection without a leased circuit and/or DISN transport. Physical connection use cases are as follows:
1. A commercial carrier extends a circuit from the Mission Partner service point to the NFG site.
2. A commercial carrier extends a circuit from the Mission Partner service point to DISN physical transport for a dedicated circuit to an NFG site.
3. A Mission Partner plugs directly into DISN transport for a dedicated circuit to an NFG site.
3.12.3 NFG Connection Approval Requirements
Connections to the NFG are either physical or logical.
Physical connections that are directly homed to the NFG use point-to-point circuits between the NFG and a Mission Partner’s network. Logical connections are physically homed to a NIPRNet router but are connected to the NFG via an encapsulated tunnel. NFG connections require a modified Connection Approval Process package as illustrated below. NFG connections will be annotated in SNAP database as “NIPR FED GW.” Qualified NFG connections will receive an ATC/IATC and be reviewed in accordance with the established agreement (e.g., MOA/MOU/SLA).
|CAP Package Required Documentation: NFG Connections|
|Signed DoD CIO validation memo (e.g., MOU/MOA/SLA)…|
|Network topology diagram/SDD|
|Valid PPSM registration identification number|
|Required current POC information|
|Authorization to Operate (ATO) letter|
3.12.4 Ordering NFG Connections
Orders for NFG circuits are submitted to the DISA Storefront (DSF):
1. After obtaining access, Mission Partners use DSF to generate Telecommunications Service Requests (TSR) to have circuits provisioned to the NFG. Refer to the DSF website for information on the circuit-ordering process.
a. For logical connections, the VPN Identification (ID) number for the NFG Community of Interest (COI) service is provided by DISA and is always the same for every Mission Partner
b. The VPN ID for NFG COI Service is DKL300249
c. DSF assigns the VPN ID to all Mission Partners requesting NFG COI Service
|Note: The mission partner must first register for access to the DSF site.|
2. The TSR initiates the process of identifying Mission Partner requirements and provisioning the new NFG circuit paths based on the approved engineering design and connection approval package.
3. To revise approved connections, Mission Partners must update the approved CAP or submit a new CAP based on the approved engineering solutions.
4. Mission Partners must ensure they have obtained and completed the NIPRNet Federated Gateway Questionnaire as well as the NIPRNet Federated Gateway Policy spreadsheet (https://www.disa.mil/Network-Services/VPN/MPG). Should applicable PPSM not be identified, the corresponding services will not be available. This may result in subsequent submissions of firewall rule requests to support mission partner/sponsor requirements.
DoD policy also requires that DoD Components register their IS information in the DoD Information Technology Portfolio Repository (DITPR) at https://ditpr.dod.mil.
Use of the unclassified DITPR is preferred for registration of all information systems including classified systems. There are numerous classified systems registered in the unclassified DITPR, without inclusion of classified information about the system. However, an information system may be registered using the SIPRNet IT Registry (SITR) if the description of the information system must contain classified material, or, if the organization (such as a CCMD) routinely uses the SIPRNet. The link to the SITR on SIPRNet is: https://dodcio.osd.smil.mil/itregistry – for additional assistance using SITR, send email to: email@example.com and include ‘SIPR IT Registry’ in the subject line.
CC/S/A may have internal databases that need to be updated with connection information. Check with the CC/S/A for additional requirements.
3-13 Mission Partner SIPRNet DMZ Connections
Mission Partners connecting to SIPRNet must complete a ‘Non-DoD Connection Request Letter’ and submit it to the DISN Validation Official. This begins the process that leads to an approval or disapproval decision by the DoD CIO. Mission Partner SIPRNet DMZ connections are made either through the SIPRNet FED-DMZ or the SIPR REL DMZ. In rare cases, the DoD CIO may approve direct Mission Partner SIPRNet connections. Applicable Mission Partner connections must also adhere to DoDI 8110.01, Mission Partner Environment (MPE) Information Sharing Capability Implementation for the DoD (ref f) and CJCSI 6285.01C, Multinational Information Sharing (MNIS) Operational Systems Requirements Management Process (ref r), as part of the Mission Partner Environment (MPE) and Joining, Membership, and Exiting Instructions (JMEI) policy requirements.
Like Mission Partner NFG connections, Mission Partner SIPRNet FED DMZ connections can be either physical or logical. Physical connections are directly homed to the SIPRNet FED DMZ (e.g., point-to-point circuits between the DMZ and a Mission Partner’s network). Logical connections are physically homed to a SIPRNet router and connected to the SIPRNet FED DMZ via an encapsulated tunnel. SIPRNet FED DMZ connections require a modified Connection Approval Process package as illustrated below. Qualified SIPRNet FED DMZ connections will receive an ATC/IATC and be reviewed in accordance with the established agreement (e.g., MOA/MOU/SLA).
|CAP Package Required Documentation: SIPRNet FED DMZ Connections|
|Signed DoD CIO validation memo (e.g., MOU/MOA/SLA)|
|Network topology diagram/SDD|
|Valid PPSM registration identification number|
|Required current POC information|
|Authorization to Operate (ATO) letter|
SIPRNet REL DMZ connections require a full Mission Partner Connection Approval Package (CAP) as explained in section 3.5.
3-14 JRSS Accreditation
Currently, customers that hold a current ATC for a traditional NIPR circuit are being reauthorized/reaccredited for the move to the JRSS Stack. This applies only to NIPR circuits; SIPR circuits are not yet being moved to JRSS.
The following procedures will allow the customer to create a SNAP registration:
1. To register a JRSS connection in SNAP, in the NIPR module select ‘New Registration’.
2. In Section 0.1, for Connection Type, select JRSS instead of DoD.
3. In Section 1, there is a question, ‘Is this systems connection type JRSS?’ Select Yes and type in the VRF in the block below. NOTE: Currently the VRF will not show if the customer goes to My Entries report. Until that is fixed the customer will have to search by Registration ID for that registration.
4. Internal boundary defense equipment (firewall, IDS/IPS) is no longer required on the topology and will not be evaluated by the analysts. The JRSS stack must be shown on the topology.
5. Other than the Virtual Routing and Forwarding (VRF) identifier instead of a CCSD, JRSS packages are submitted like any other Connection Approval package. Please remember to show the VRF on the documentation where the CCSD would previously have been identified.
The CAO analysts will review the package and an Approval to Connect (ATC) will be issued.
3-15 CAP Package Review and the Authorization to Connect Decision
Upon submittal of the registration, the CAO will review all sections of the registration for completeness and compliance. If a section is incomplete or a non-compliant artifact is uploaded to the database, that individual section will be rejected. The POCs listed in the database will receive notification of the rejected registration, including which documentation is missing from or non-compliant in the package. The customer must log back into the database and complete the rejected section or upload the updated artifact. Typically, when all the connection approval requirements are met, an ATC or IATC will be issued within eight (8) business days.
As an integral part of the process, the CAO assesses the level of risk the customer’s network enclave poses to the specific DISN network/service and to the DODIN community at large. The identification of cybersecurity vulnerabilities or other non-compliance issues and the responsiveness of the affected enclave in implementing appropriate remediation or mitigation measures against validated vulnerabilities will have a direct impact on the risk assessment, and subsequently on the connection approval decision.
An ATC/IATC will authorize the partner to connect to the DISN network/service defined in the connection approval, up to the Authorization Termination Date (ATD). The results of the risk assessment may warrant the issuance of a connection approval decision with a validity period shorter than that of the authorization decision ATD. In such cases, the CAO will provide justification to the DAA/AO for the shorter validity period.
If the CAO assesses that an enclave’s connection to the DISN poses a potentially “high” impact community risk, it will forward the connection request to the DSAWG as part of the executive risk function in accordance with DoDI 8500.01 (ref a) and DoDI 8510.01 (ref d). The CAO will provide the AO the justification for the assessment and inform the AO that current guidance (i.e., policy, DSAWG decision, STIGs, etc.) from DISN/DODIN DAAs/AOs precludes the issuance of an ATC without additional review of the enclave cybersecurity status by the community authorization bodies.
3-16 Type Authorized or Accredited Systems
Type accredited/authorized systems refer to a generally standardized configuration for two or more circuits. Although they have similar configurations, they are still individual circuits, and are registered individually in SNAP or SGS. Each circuit under a type accreditation/authorization must have an individual topology that shows, among other things, the unique IP addresses assigned to that circuit. They may all use the same Scorecard/SAR/ATO/IATO, SIP, and POA&M.
3-17 Notification of Connection Approval or Denial
Once the CAO makes a connection decision, the partner is notified:
If the connection request is approved, the partner is issued an ATC or an ATC with conditions. The validity period is specified in the ATC letter. After the connection is approved, the partner must work with DISN Implementation to complete the installation of the circuit. The connection approval is valid until the expiration date. The AO must notify the CAO of significant changes that may alter the cybersecurity status of the enclave, such as architecture changes requiring re-authorization/re-accreditation, movement of the enclave to a new location, or changes in risk posture, and must also notify the CAO if the connection is no longer needed.
Denial of Approval to Connect
If the connection request is rejected, the CAO will provide the partner a list of corrective actions required before the connection can be approved. The process will restart at Section 3.5.
3-18 Notification of Discontinued or Cancelled Circuits
If for any reason it becomes necessary to discontinue the use of an enclave, the customer must submit the discontinuance or cancellation order (TSO/IER) via e-mail to the CAO (e.g., SIPRNet: firstname.lastname@example.org or NIPRNet: email@example.com). The CAO will upload the TSO or IER to the respective database and close the registration for that CCSD.
3-19 Primary Points of Contact
|Connection Approval Office (CAO)||
|CAO for Unclassified Connections|firstname.lastname@example.org@mail.mil|
|CAO for Classified Connections|email@example.com@mail.smil.mil|
|Phone (Commercial)|301-225-2900, 301-225-2901|
|Phone (DSN)|312-375-2900, 312-375-2901|
|DISA CONUS Provisioning Center||
|Address|PO Box 25860, Scott AFB, IL 62225-5860|
3-20 Cloud Computing Connections
Procedures for connecting to Cloud computing services are currently documented in the Cloud Connection Process Guide (ref aL). Cloud connection procedures will be addressed in future editions of the DISN CPG.