These FAQs come directly from the most common mission partner inquiries received, and from the live Enterprise Connection Division subject matter expert hosted Question and Answer sessions that are available regularly as part of the Mission Partner Training Program. If you would like to attend a live session please visit the training page for more information.
This page contains frequently asked questions on the Mission Partner Training program. Have a question? Submit it here.
January FAQ – Accreditation Enforcement
Question: 1.0 Does a program rides on a circuit (EIBN circuit) have to register in SNAP?
Answer: Yes, however dedicated circuits are not reported to JFHQ DODIN.
Question: Are the requirements in SNAP/GIAP the same for dedicated circuits?
Answer: No, the requirements are the topology and ATO for dedicated circuits.
Question: Are VPNS reported to JFHQ DODIN?
Question: Where can I find ATC examples?
Answer: They are located in the DISN Connection Process Guide (https://dl.dod.cyber.mil/wp-content/uploads/connect/pdf/unclass-DISN_CPG.pdf).
Question: How long upon CLSA delivery to DISA should we expect to hear back regarding CLSA approval and entered into the CAL?
Answer: CLSAs are posted to the CAL at the end of each month.
February FAQ – DSAWG 101
Question: What is the phone number for the DSAWG team?
Question: Are the DSAWG meetings held monthly?
Answer: Yes, they are held the second Tuesday of every month.
Question: What is the phone number for the team regarding connection approval packages?
Answer: 301-225-2900 or 301-225-2901
Question: How do I have IP addresses added to the DISN Access Control List (ACL) and the DISN Whitelist?
Answer: This can be completed by contacting your PPSM and Whitelist POC’s.
March FAQ – Category Assurance List
Question: If I would like to use a data service not listed on the CAL and it crosses boundaries 7 and 8; how long would a vulnerability assessment take to be completed?
Answer: The first step is to coordinate with your PPSM tag rep. and they will submit a Further Action (FA) report. Once the FA is received and everything is provided then the VA will be completed within 90-120 days (research time, presentation time, e-vote).
Question: Is there an updated boundary diagram including the cloud?
Answer: Yes, there is an updated boundary diagram. It can be obtained by contacting your PPSM tag rep.
Question: Is it possible to provide a very brief summary of the glossary page of the CAL regarding an external application going through the process?
Answer: The first step is to work with your component TAG rep to submit a FA report
Question: How do you begin the connection approval process for AWS Gov Cloud to DISA?
Answer: Either contact your tag rep. or Cloud Services Support (email@example.com)
Question: Is it possible to force a CAL update between regular monthly CAL updates?
Answer: Admin. update for mission critical updates. The request can be made by contacting your tag rep.
Question: Does it benefit other organizations when a PPS has been added to the CAL by a different organization?
Answer: Yes, it can benefit other organizations by using those PPS.
April FAQ – DSN Registration
Question: Does the ATO have to be completed before the registration? What if the ATO relies on the registration?
Answer: A customer can initiate DSN registration prior to receiving their ATO however; the final submission of the DSN registration needs the final ATO signature.
Question: What is an example of a CCSD for commercial cloud use?
Answer: CCSDs are not required for cloud connections.
Question: What happens after the ATO expires? Is our system automatically disconnected?
Answer: DSN registrations are not automatically disconnected, but the Connection Approval Office will work diligently with the customer to ensure that they have a current up-to-date accreditation.
May FAQ – PPSM
Question: What is PPSM?
Answer: PPSM standardizes procedures to catalog, regulate, and control the use of ports, protocols, and services. The PPS need to be registered either in the PPSM registry or in PPSM-U.
Question: What do I need to do to use Titanium?
Answer: VA’s already exist for Titanium. Titanium is restricted to boundary 15. A further action report will be needed to change boundaries.
Question: Which boundaries are used when moving to community of interest, across federated/mission partner gateways?
Answer: Boundary 16 under the same AO and boundary 15 under a different AO.
Question: What does — line mean in the CAL?
Answer: — means it is a restricted boundary.
Question: What is the difference between CLSA and FA?
Answer: The PPSM for a CLSA remain within the local enclave while for FA they cross the DISN.
Question: How long to review changes for PPSM?
Answer: A brand new service can take 90 – 120 days.
June FAQ – CHA Introduction
Question: Will Titanium replace Acropolis?
Answer: Titanium will not interfere with Acropolis.
Question: Who are the ports and protocol infractions reported to?
Answer: PPSM Secretariat.
Question: What are the requirements to use the tools?
Answer: No requirements, CHA team runs the scan.
Question: Are the tools available to all enclaves?
Answer: Yes, it is a free service.
Question: Can the tools differentiate between multiple programs riding the same CCSD?
Answer: No, they are not able to differentiate between the programs.
Question: Can the tools identify protocol encapsulation?
Answer: Yes, they can for GRE and ESP.
Question: Do the tools work with data at rest encryption requirements?
Question: Do any of the tools provide a network map?
Answer: They do not provide one.
Question: Is there a full listing of all of the tools the analysts have access to in Acropolis?
Question: Are reports available from the Silk scanning tool to use as RMF artifact?
Question: How often are data centers evaluated? Is it on a cycle or as needed?
Answer: As needed or as requested or JFHQ-DODIN orders.
July FAQ – PPSM Overview
Question: Can you discuss the role of Cybercom in the PPSM process – both permanent and temporary requests?
Answer: CYBERCOM is not involved in the DoD PPSM PMO process; they are involved with the DCC IAP exception process. You would need to reach out to the DCC to request and IAP exception and work with you component TAG Rep.
Question: If I would like to have a port scan on my system to verify the services that are being used who do I contact?
Answer: It is recommended that you contact your network engineers to perform this function. However, you can contact the Cyber Hygiene Analysis team in the Connection Approval Office; they are also able to perform a port scan.
Question: Do commercial systems operating on behalf of a DoD entity go through the PPSM process?
Answer: If the system resides on DoD equipment or is housed in a DoD facility it will most likely need to be registered, consult with your component TAG rep for clarification.
Question: Is there an average number of days that the PPSM process takes to complete?
Answer: Most PPSM process can be completed in a few days, the Further Action process can take 90 to 120 days depending on customer involvement.
Question: Is there an annual PPS review requirement by the PPSM office over already approved PPS?
Answer: It is DoD PPSM PMO policy to review PPS Vulnerability Assessments every two years.
Question: When should the application owner start to register the PPSM?
Answer: A PPSM Tracking ID is required for a SNAP and SGS Circuit registration. You should register you IS as part of the RMF A&A process or when you have identified the data services that operate on you system.
Question: Should the PPS be registered for all boundaries crossed in the end-to-end path or just the last crossed boundary?
Answer: You must register all boundaries crossed internal and external as well as ingress and egress.
Question: Are all PPS registered even if they do not cross any boundaries (internal to organization)?
Answer: Yes, Per DoDI 8551.01all PPS both internal and external need to be registered.
Question: Is there a way to receive a report of what I have registered in PPSM currently?
Answer: Yes, by contacting your component TAG rep to receive the “All IS” spreadsheet.
Question: Is it the sole responsibility of the mission partner to review the PPS every 30 days in order to identify unnecessary and/or unsecure functions of PPS?
Answer: DoD PPSM PMO does not dictate a set time frame, but it is the mission partners responsibility to review and update their PPS.
Question: Are IP’s apart of a CCC or PPSM request?
Answer: DoD PPSM PMO does not require IP address for PPSM registrations, however the DCC does require source and destination IP address for data services crossing boundaries 1 & 2.
Question: The ports are divided into “high” and “low” on the PPS spreadsheet. Does this mean “well known/registered” and “dynamic/ephemeral”
Answer: The low/high port range refers to the range for the specific data service.
Question: If an organization needs to start getting cloud services, does that also go through the PPSM process? Are there any further PPSM considerations related to cloud services?
Answer: Yes; you will need to register the data services that are under control of the organization.
Question: Are there any recommended tools for gathering and generating the information required for the PPSM report?
Answer: You could do network scans to identify what data services are being used.
Question: How are RPC services reported? Services that negotiate a second pair of ports to communicate across, generally in the ephemeral range?
Answer: There are a number of RPC services on the CAL listed by Vendor and Application.
August FAQ – CDS CAP
Question: How long does the CDS CAP take?
Answer: There are many factors, which affect the length of getting your cross domain request accredited. Things that can cause delays are incomplete or unsatisfactory accreditation documents being submitted, choosing a technology which has not already completed LBSA (Lab Based Security Assessment) or requesting to use a point-to-point technology if an enterprise service could be used instead. If you were going to DISA’s Cross Domain Enterprise Services the timeline would depend on their schedules and capabilities to get your flows implemented or a new system built to meet your needs. If you were utilizing a point-to-point solution, which was on the UCDSMO baseline and already, completed LBSA you could be approved as short as a few months.
As far as our offices timelines go, once we receive a completed and satisfactory package from a CDSE we will review and post the eCDTAB or schedule it for CDTAB within 1-3 business days. E-votes usually last a week. If it passes CDTAB successful it could be e-vote for DSAWG or placed on the next meeting agenda. If e-voted, we will schedule the e-vote closure 1 week from the date of posting. Once the e-vote is closed and any remaining signatures are provided we will also issue a CDSA within 1-3 days. We recommend requesting CDSA’s at least 2 weeks ahead of schedule. This timelines describes normal processing but we also do expediting processing for urgent mission needs. For more information call 301-225-2905.
Question: Is there a document that lists the steps required to submit a request to DISA?
Answer: Yes, Appendix H of the DISA Connection Process Guide lists the steps. It can be viewed by going here.
Question: Can DISA support Secret to SCI CDS solutions?
Answer: We cannot speak to what DISA Cross Domain Enterprise Services can support. However, in regards to the approval process, the IC registration process which is described in the DISN CPG Appendix H. This registration process covers IC guards, which connect to DoD networks.
Question: Is there going to be a single process for DHA to DISA 2.0 or is everything going to need to be submitted individually?
Answer: As of right now the documentation would need to be submitted individually.
Question: Can requirement requests be submitted for risk analysis before ST&E?
Answer: Phase 1 of the CDS process is documenting the requirement and performing an analysis of alternatives. DODI 8540.01 directs DoD mission partners not to purchase or commit to purchasing a solution until phase 1 of the CDS process is completed. Your CDSE, the CDTAB and DSAWG will make recommendations and ultimately tell you what level of risk the community is willing to accept for your requirement. In Phase 2 you will have selected a technology and documented a Site Based Security Assessment (SBSA) (RMF term replacing ST&E) plan.
Question: How do you know who your CDSE is?
Answer: Contact the DSAWG team.
Question: Do you have a link or POC for the process of CDS to JWICS?
Answer: However, in regards to the approval process, the IC registration process which is described in the DISN CPG Appendix H. This registration process covers IC guards, which connect to DoD networks.
Question: Can DSAWG meetings be set up for high-level approvals – not on the usual monthly schedule?
Answer: There has been an occasional DCS session DSAWG to discuss high-level issues. There is also an expedited CDS approval process for critical mission needs. In this case, the DSAWG Chair has the authority to administratively approve an urgent operational need for an interim until the matter can be revisited at a DSAWG meeting.
Question: Do you have a listing for the CDSE POC’s?
Answer: Yes but our CDSE listing is updated on a weekly basis. Please send an email to firstname.lastname@example.org to request your CDSE POC’s.
Question: Is there a POC lead we can reach out to and discuss a huge effort with 32 different system interfaces that are coming soon?
Answer: We recommend reaching out to your CDSE to discuss way aheads first. They will gather the details we need and set up a phoneocon with our office and yourself to discuss possibly way aheads.
Question: Does DISA maintain/provide a list of approved CDS by domain?
Answer: The Unified Cross Domain Services Management Office is responsible for maintaining a CDS Baseline list. This list does specify what domains the CDS is approved to operate.
Question: Who is the DIA POC for CDS?
Question: Is there somewhere we can go to find information for the limitations of various CDS?
Answer: The Unified Cross Domain Services Management Office is responsible for maintaining a CDS Baseline list. This list does provide the capabilities of each CDS.
September FAQ – RMF Package Submission
Question: What is the typical timeline for an ATO?
Answer: The typical timeline for an ATO can be 6-9 months.
Question: Is this more so for your system circuit and SNAP or for the overall ATO?
Answer: It is for submitting a package in order to receive an ATC.
Question: Do you care about the number of POAMs in the SAR?
Answer: One POAM and one SAR would be submitted for a package.
Question: The CBT states the ATO would be reviewed in 6 months?
Answer: For Highs and very highs, the ATO will need to be reviewed every 6 months
Question: Do NAs go on the POAM?
Answer: NA’s go on the POAM and have to be justified.
Question: How many days does it take to review a package?
Answer: 5 working days to review package.
Question: Is there a fix coming for control IA-1?
Answer: EMass would need to be contacted. 844-347-2457, options 1, 5, 3
Question: Why did the time change to 5 working days?
Answer: The time period changed to ensure packages are returned sooner.
Question: How many times can we submit a package?
Answer: Hopefully once but it can be submitted multiple times or if the accreditation changes.
Question: So there are not anymore cat, cat 2 findings?
Answer: Yes, since there are high, very high, etc….
Question: What is the equivalent of the DIP?
Answer: There is not a RMF equivalent to DIP.
Question: Are there are any special processing requirements when using Cloud Service Providers?
Answer: As far as RMF there is not a difference.
Question: Is it possible to expand the terms and conditions section of the ADD documents so that the AO can write more than is allowed?
Answer: This would need to be an eMass enhancement.
Question: What does ADD stand for?
Answer: Authorization Decision Document.
Question: Does milCloud offer a list of controls/CCIs they provide for inheritance?
Answer: The inherited controls would need to be determined when the milCloud connection is set up.
Question: Do PPSM discrepancies result in rejection from the CAO?
Answer: For CAO, just submit the correct PPSM tracking ID. PPSM discrepancies result in a non-compliant status for security control CM-7 that does not prevent connection approval.
Question: Which document defines who is who and their responsibilities?
Answer: 8510 defines the people and responsibilities.
Question: What is the maximum tolerated IATT duration?
Answer: 90 days.
Question: What is the recommended time frame for a RMF package submission for approval?
Answer: As soon as possible.
Question: Does a RMF package have to be completed to obtain an ATO for a commercial ISP?
Answer: You would need to go through the command ISO.
Question: What is a commercial ISP?
Answer: It is a connection that is not through the DISN.
GENERAL TRAINING PROGRAM
Question: What is the purpose of the Mission Partner Training Program?
Answer: The Mission Partner Training Program was developed by the Risk Adjudication and Connection Division (RE4) SMEs to provide a training and education opportunity to mission partners in all areas associated with Enterprise Connections such as: PPSM, DSAWG, Connection Approval, and CDS. The goal for this program is to provide mission partners the policy and process information they need to reduce processing delays due to inaccurate or incomplete information.
Question: How do the topics relate to the DISN Connection Process Guide (CPG)?
Answer: Connection Approval CBTs are extensions and supplementary to the DISN CPG. They are designed as a visual, interactive way to learn the detailed information described in the CPG, and will be continually updated with new versions of the CPG so that the information, processes, and instructions are always consistent between the two.
COMPUTER BASED TRAININGS
Question: Is there a difference between the CBT version available for download and the play now version?
Answer: The two versions are available for convenience for our Mission Partners. We understand that some connections may not give the ability to stream the training from the website, so it might be more convenient to let the training download first and then watch. The downloadable version is also something Mission Partners can refer to at a later time. The play now version also has closed captioning enabled for accessibility if it would be more convenient to read the text instead of listening to the voice over.
Question: How are topics picked to be developed into CBTs?
Answer: The topics are picked from a variety of sources. Surveys to the Connection Approval, DSAWG, and PPSM analysts helped the training team determine which questions they received most from mission partners, and in-depth metrics analysis on the top connection approval package rejection reasons continues to contribute. Now that the program is growing, interaction from Mission Partners via email and during the Q&A sessions add to training topics. This program is designed to bring information to Mission Partners that is useful and needed, so the syllabus will always remain flexible based on the needs of Mission Partners. Have a suggestion for a training topic? Submit it here.
Question: Who hosts the Q&A sessions?
Answer: A representative from the Mission Partner Training Program will host and facilitate the sessions and there will be subject matter experts from the different branches in the Risk Adjudication and Connection Division on the line to answer any specific questions you may have.
Question: How do I prepare for a Q&A session?
Answer: We encourage everyone to watch the computer-based training on the topic that will be discussed in the Q&A prior to the session.
Question: How do I attend a Q&A session?
Answer: The Q&A sessions are hosted via Defense Collaboration System (DCS), as well as a teleconference bridge. All audio will occur on the bridge. The DCS will have supplementary documentation, a chat for submitting additional questions, and website links to help us improve the sessions for Mission Partners. Please join both the DCS and teleconference for the best Q&A experience.
Question: What time zone are the times in the Q&A schedule and invitations?
Answer: All Q&A sessions times are EASTERN time (EST/EDT).