INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
4800 MARK CENTER DRIVE
ALEXANDRIA, VIRGINIA 22350-1500

September 12, 2018
Ref: FOIA-2015-00203

SENT VIA EMAIL TO: 14878-99862718@requests.muckrock.com

Mr. Shawn Musgrave
MuckRock News
DEPT MR 14878
P.O. Box 55819
Boston, MA 02205-5819

Dear Mr. Musgrave:

This is in response to your Freedom of Information Act (FOIA) request for a copy of DODIG-2015-046, "Navy Commands Need to Improve Logical and Physical Controls Protecting SIPRNET Access Points." We received your request on December 19, 2014, and assigned it case number FOIA-2015-00203.

The Office of the Deputy Inspector General for Audit conducted a search and located one document, totaling 90 pages, which is responsive to your request. Upon review, we determined that certain redacted portions are exempt from release pursuant to 5 U.S.C. § 552(b)(6), which pertains to information the release of which would constitute a clearly unwarranted invasion of personal privacy, and 5 U.S.C. § 552(b)(7)(E), which pertains to records or information compiled for law enforcement purposes, the release of which would disclose techniques and procedures for law enforcement investigations or prosecutions. Additionally, the Department of the Navy reviewed the report and determined that further redacted portions are exempt from release in accordance with 5 U.S.C. § 552(b)(1), which pertains to information that is currently and properly classified pursuant to Executive Order 13526, Section 1.4(g), vulnerabilities or capabilities of systems, installations, infrastructures, projects, plans, or protection services relating to the national security.

If you consider this response to be an adverse determination, you may submit an appeal. You can appeal in writing to the Department of Defense, Office of Inspector General, ATTN: FOIA Appellate Authority, Suite 10B24, 4800 Mark Center Drive, Alexandria, VA 22350-1500. Any appeal must be postmarked within 90 days of the date of this letter, must clearly state the adverse determination being appealed, and should reference the file number above. We recommend that your appeal and its envelope both bear the notation "Freedom of Information Act Appeal." For more information on appellate matters and procedures, please refer to 32 C.F.R. Sec. 286.9(e) and 286.11(a) for further information on administrative appeals.

You may seek dispute resolution services and assistance with your request from the DoD OIG FOIA Public Liaison Officer at 703-604-9785, or the Office of Government Information Services (OGIS) at 877-684-6448, ogis@nara.gov, or https://ogis.archives.gov. You may also contact OGIS via regular mail at National Archives and Records Administration, Office of Government Information Services, 8601 Adelphi Road - OGIS, College Park, MD 20740-6001. Please note that OGIS mediates disputes between FOIA requesters and Federal agencies as a non-exclusive alternative to litigation. However, OGIS does not have the authority to mediate requests made under the Privacy Act of 1974 (request to access one's own records).

If you have any questions regarding this matter, please contact Searle Slutzkin at 703-604-9775 or via email at foiarequests@dodig.mil.

Sincerely,

Mark Dorgan
Division Chief
FOIA, Privacy and Civil Liberties Office

Enclosure(s): As stated

INSPECTOR GENERAL
U.S. Department of Defense

December 10, 2014

(U) Navy Commands Need to Improve Logical and Physical Controls Protecting SIPRNET Access Points

Report No. DODIG-2015-046
Second Printing Report Copy

INTEGRITY * EFFICIENCY * ACCOUNTABILITY * EXCELLENCE

Mission
Our mission is to provide independent, relevant, and timely oversight of the Department of Defense that supports the warfighter; promotes integrity and efficiency; advises the Secretary of Defense and Congress; and informs the public.

Vision
Our vision is to be a model oversight organization in the Federal Government by leading change, speaking truth, and promoting excellence: a diverse organization, working
together as one professional team, recognized as leaders in our field.

Fraud, Waste & Abuse HOTLINE
Department of Defense
dodig.mil/hotline

For more information about whistleblower protection, please see the inside back cover.

Results in Brief
Navy Commands Need to Improve Logical and Physical Controls Protecting SIPRNET Access Points
December 10, 2014

(U) Objective
Our objective was to determine whether the Navy was effectively protecting its Secret Internet Protocol Router Network (SIPRNET) access points. Specifically, we reviewed the logical and physical controls protecting the SIPRNET access points [redacted].

(U) Findings
[redacted]

(U) Findings (cont'd)
[redacted]

(U) Recommendations
[redacted]

(U) Management Comments and Our Response
(FOUO) We renumbered two recommendations for Finding A. Generally, management comments addressed the specifics of our recommendations. However, we request that the Under Secretary of Defense for Intelligence, Commander, U.S. Cyber Command, [redacted] provide additional comments in response to this report. In addition, we received the DoD CIO comments on the draft report too late to include them in the final report. Therefore, if the DoD CIO does not submit additional comments, we will consider those comments as the management response to the final report. Please see the Recommendations Table on the back of this page.

(U) Recommendations Table

Management | Recommendations Requiring Comment | No Additional Comments Required
Under Secretary of Defense for Intelligence | A.1 |
Commander, U.S. Cyber Command | A.1 | A.2
Deputy Under Secretary of the Navy (Policy) | | A.3
Department of Defense Chief Information Officer | A.1 |
Department of the Navy Chief Information Officer | | A.4
Department of the Navy Deputy Chief Information Officer (Navy) | | A.4, A.5.a, A.5.b
Commander, U.S. Fleet Cyber Command/U.S. Tenth Fleet | [redacted] | [redacted]
Director, Navy Operational Designated Accrediting Authority | [redacted] | [redacted]
[redacted] | A.6, A.9.a, A.9.c, A.11.b, A.11.d, A.11.e | A.8.a, A.8.b, A.11.a, A.11.c, B.1, B.2, B.3.d, B.3.e, B.4

(U) Please provide Management Comments by January 12, 2015.

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
4800 MARK CENTER DRIVE
ALEXANDRIA, VIRGINIA 22350-1500

December 10, 2014

MEMORANDUM FOR UNDER SECRETARY OF DEFENSE FOR INTELLIGENCE
COMMANDER, U.S. CYBER COMMAND
DEPARTMENT OF DEFENSE CHIEF INFORMATION OFFICER
NAVAL INSPECTOR GENERAL

SUBJECT: Navy Commands Need to Improve Logical and Physical Controls Protecting SIPRNET Access Points (Report No. DODIG-2015-046)

We are providing this report for your review and comment. We considered management comments on a draft of this report when preparing the final report. DoD Directive 7650.3 requires that recommendations be resolved. Comments from the Under Secretary of Defense for Intelligence and the Commander, U.S. Cyber Command partially addressed Recommendation A.1. Therefore, we request additional comments on this recommendation by January 12, 2015. Comments from [redacted] did not address Recommendation A.6. Therefore, we request additional comments on this recommendation by January 12, 2015. Comments from the [redacted] partially addressed Recommendations A.9.a and A.9.c. Therefore, we request additional comments on these recommendations by January 12, 2015. Comments from the [redacted] partially addressed Recommendations A.11.b, A.11.d, and A.11.e. Therefore, we request additional comments on these recommendations by January 12, 2015. We received the DoD Chief Information Officer comments on the draft report too late to include them in the final report. Therefore, if the DoD Chief Information Officer does not submit additional comments, we will consider those comments as the management response to the final report.

(U) Please send a PDF file containing your comments to [redacted] and [redacted]@dodig.smil.mil. Copies of your comments must have the actual signature of the authorizing official for your organization. We cannot accept the /signed/ symbol in place of the actual signature. If you arrange to send classified documents electronically, you must send them over the SIPRNET.

We appreciate the courtesies extended to the staff. Please direct questions to [redacted] at (703) 604-[redacted] or [redacted] at (703) 601-[redacted].

Carol N. Gorman
Assistant Inspector General
Readiness and Cyber Operations

(U) Contents
(U) Introduction 1
(U) Objective 1
(U) Background 1
(U) Review of Internal Controls 4
(U) Finding A. Navy Commands Did Not Effectively Protect SIPRNET Access Points 5
[redacted] 11
[redacted] 14
[redacted] 15
(U) Recommendations, Management Comments, and Our Response 17
(U) Finding B. [redacted] 35
[redacted] 42
[redacted] 43
(U) Recommendations, Management Comments, and Our Response 43
(U) Appendix A. Scope and Methodology 49
(U) Use of Computer-Processed Data 50
(U) Use of Technical Assistance 51
(U) Prior Coverage 51
(U) Appendix B. Information Assurance Certification and Accreditation Process 52
(U) Appendix C. Information Assurance Controls
(U) Appendix D. [redacted] Criteria
(U) Management Comments
(U) Under Secretary of Defense for Intelligence
(U) U.S. Cyber Command
(U) Deputy Under Secretary of the Navy (Policy)
(U) Department of the Navy Chief Information Officer
(U) Assistant Deputy Chief of Naval Operations (Information Dominance)
(U) Glossary
(U) Annex. Sources
(U) Acronyms and Abbreviations

(U) Introduction

(U) Objective
Our objective was to determine whether the Navy was effectively protecting its Secret Internet Protocol Router Network (SIPRNET) access points. Specifically, we reviewed the logical and physical controls protecting the SIPRNET access points at [redacted]. For Scope and Methodology, see Appendix A.

(U) Background
(FOUO) The SIPRNET is the Navy's command and control(1) network that operates at the classified Secret level. SIPRNET access points are all possible physical or logical connections where a user can access the SIPRNET. Physical controls, such as locks, guards, and window blinds, deter or delay adversaries' access to the network. Logical controls are system-based mechanisms (for example, firewalls, permission settings, and usernames and passwords) used to designate who or what has access to a specific system or function. The Department of the Navy's (DON) shore-based enterprise network in the continental United States and Hawaii is the Navy Marine Corps Intranet (NMCI), comprising
two networks: one that connects to the SIPRNET(2) and one that connects to the Non-secure Internet Protocol Router Network (NIPRNET), which is the unclassified network. The NMCI SIPRNET has approximately 77,395 users. [redacted](3)

(1) Command and control means that the Navy uses the network to send operational orders and battle commands to Navy combat forces.
(2) The SIPRNET connects to the Defense Information Systems Network (DISN), which is the responsibility of the Defense Information Systems Agency.
(3) A server farm is a collection of servers that are used to route network traffic between two points, in this case the SIPRNET and Navy installations.

(U) Naval Network Warfare Command is responsible for managing [redacted]; however, the network is owned and operated by Hewlett Packard Enterprise Services. Currently, Hewlett Packard Enterprise Services works under a continuity contract, which was awarded in October 2011 and is expected to expire in September 2014. Contractor responsibilities include, but are not limited to:
- conducting certification and accreditation testing in accordance with the DoD Information Assurance Certification and Accreditation Process (DIACAP) Implementation Plan and other Government-approved test plans; and
- defending systems by recognizing, reacting to, and responding to threats, vulnerabilities, and deficiencies to ensure no uncontrolled access and that all systems and networks can defend themselves.
[redacted] use NMCI to connect to the SIPRNET.

(U) Information System Certification and Accreditation
DoD requires that networks be certified and accredited before connecting to the SIPRNET. [redacted] was accredited in October 2012 in accordance with DoD Instruction 8510.01, "DoD Information Assurance Certification and Accreditation Process (DIACAP)," November 28, 2007. For more information on DIACAP, see Appendix B. We focused on three DIACAP activities: validation of information assurance (IA) controls, certification and accreditation decisions, and maintaining authorization. Validation is the testing, evaluation, examination, and investigation of evidence that assigned IA controls(5) are implemented correctly and effectively.

(FOUO) We reviewed the logical and physical controls for the Navy Marine Corps Intranet [redacted] Classified Transport Boundary, known generically in this report as the [redacted] SIPRNET.

(5) IA controls are applied to information systems to achieve an acceptable level of integrity, availability, and confidentiality.

The certification decision is a determination of the extent to which a system complies with assigned IA controls. The decision is based on validation results that identify and assess the residual risk(6) and the costs to correct or mitigate IA vulnerabilities, as documented in the Information Technology Security Plan of Action and Milestones (IT Security POA&M). A certification determination is required before an accreditation decision. The accreditation decision is a formal statement by a designated accrediting authority regarding acceptance of the risk associated with operating a DoD information system. The accreditation decision is expressed as an Authorization to Operate (ATO), an Interim ATO, an Interim Authorization to Test, or a Denial. The Navy Operational Designated Accrediting Authority (ODAA) is the designated accrediting authority for the Navy. Maintaining the authorization involves the sustainment of an acceptable security posture. The IA controls should be reviewed annually to confirm their effectiveness or to recommend changes to the accreditation status. The results of an annual review, or a major change in information assurance posture at any time, may indicate the need for recertification and reaccreditation. DIACAP requires that all vulnerabilities identified during IA control validation be corrected or mitigated, or that the risk be accepted. In addition, DoD Components are required to report vulnerabilities on the IT Security POA&M before granting an approved accreditation decision for a particular network. The IT Security POA&M assists agencies in identifying, assessing, prioritizing, and monitoring the network's vulnerabilities and should include the
actions performed to correct or mitigate the vulnerabilities. The IT Security POA&M should include the vulnerability, the corresponding unique IA control number, and an assigned vulnerability severity category. CAT I vulnerabilities are assigned to findings that allow primary security protections to be bypassed, allowing immediate access by unauthorized personnel, and are required to be corrected before an ATO is granted. CAT II vulnerabilities can lead to unauthorized system access or activity and are required to be corrected or mitigated within 180 days of granting an ATO. If vulnerabilities are not corrected or mitigated within the specified time frame, the ATO becomes invalid. CAT III vulnerabilities may impact security posture but are not required to be mitigated or corrected in order for an ATO to be granted. For more information on IA controls, see Appendix C.

(6) Residual risk is the portion of risk remaining after security measures have been applied.

(U) Review of Internal Controls
(FOUO) [redacted] We also identified internal control weaknesses for the ODAA. We will provide a copy of this report to the senior official responsible for internal controls at [redacted] and ODAA.

(U) Finding A
(U) Navy Commands Did Not Effectively Protect SIPRNET Access Points

(FOUO) [redacted]

(7) Removable media is defined as compact disc, digital video disc, Secure Digital cards, tape, flash memory data storage devices, MultiMediaCards, removable hard drives, etc.

[redacted]

(FOUO) The OSD Memorandum, "Insider Threat Mitigation," was signed by the Department of Defense Chief Information Officer and the Under Secretary of Defense for Intelligence; however, U.S. Cyber Command is responsible for issuing additional guidance. [redacted]

(U) DoDI 8510.01 identifies required security controls [redacted] that are published in the Knowledge Service, as referenced within DoD Instruction [redacted].

[redacted]

(FOUO) The Secretary of the Navy Manual 5510.36, "Department of the Navy Information Security Program," June 2006, needs to be updated to include current DoD requirements. The Manual requires that a classified information storage risk assessment be performed. However, after the Manual was issued, DoD issued DoD Manual 5200.01, volume 3, which includes minimum requirements that are not outlined in Secretary of the Navy Manual 5510.36. The Deputy Under Secretary of the Navy (Policy) should update DON policy to implement at least the minimum requirements for performing a risk assessment as required by DoD Manual 5200.01, volume 3. [redacted] should implement the requirements for performing a risk assessment in accordance with updated DON policy and DoD Manual 5200.01, volume 3.

(FOUO) System Access Forms Were Not Appropriately Completed or Approved
(FOUO) [redacted] did not appropriately complete and approve network access forms before granting access to the SIPRNET. The Navy requires each user requesting system access to have a completed System Access Authorization Request Navy (SAAR-N) form in accordance with Navy Telecommunications Directive (NTD) 10-11, Form 5239-14, "System Access Authorization Request Navy," October 201[digit illegible], and DD Form 2842, "Department of Defense Public Key Infrastructure Certificate of Acceptance and Acknowledgement of Responsibilities,"(14) to acknowledge their responsibilities upon receiving a SIPRNET token.

(14) The DD Form 2842 is used to acknowledge user acceptance of their responsibilities upon receiving their SIPRNET token. The DD Form 2842 requires that the registration official witness the user sign the document.

(FOUO) The SAAR-N is used to authorize access to networks. Secretary of the Navy Instruction 5239.3B, "Department of the Navy Information Assurance Policy," June 17, 2009, requires that all authorized users of DON information systems and networks receive initial IA training. In addition, users should complete annual IA refresher training, which should be noted on the SAAR-N in accordance with NTD 10-11. To determine whether the forms were appropriately completed and approved, we verified that the Information Assurance Manager (IAM) signed the forms and that IA training was completed within a year of the IAM's signature. To determine whether the DD Form 2842 was appropriately completed and approved, we verified that the user and registration official signed and dated the form, and confirmed that the registration official witnessed the user's signature. We performed control tests of the SAAR-N forms and DD Forms 2842.(15)

(FOUO) [redacted] System Access Forms Were Not Completed or Approved
(FOUO) [redacted] IAM did not complete and approve user network access forms before providing users with SIPRNET access. We requested SAAR-N forms and DD Forms 2842 for a sample of personnel. The IAM could only provide 28 SAAR-Ns and 21 DD Forms 2842, and could not explain why the 4 SAAR-N forms and 5 DD Forms 2842 were missing. For the other 6 missing DD Forms 2842 requested, the personnel had not been issued SIPRNET tokens; therefore, the form was not required. We reviewed the 28 forms and determined that the IAM did not sign 1 form. The other 27 forms were signed; however, the signature block was dated the day that the forms were provided to the audit team. In addition, 2 of the forms did not have IA training noted on the form, and 11 forms indicated that IA training was not completed within a year of the IAM's signature. We reviewed the 21 DD Forms 2842 and determined that 15 forms were signed; however, the signature block was dated the day that the forms were provided to the audit team. When asked about witnessing the forms, the IAM stated that she did not witness the users sign them.

(15) (U) We used the control test table developed by the Quantitative Methods Division and published in the Council of the Inspectors General on Integrity and Efficiency, Journal of Public Inquiry, 2012-2013, when performing the control tests.

(FOUO) This occurred because [redacted] had not established policies and procedures to verify that the required forms for system access were appropriately completed and approved before providing users access. In addition, the IAM stated that this occurred because the IAM was responsible for approximately 3,000 users and did not complete, approve, and witness the forms as they were received. However, the [redacted] did not adequately perform the duties assigned in the IAM's position description for authorizing all users' SIPRNET access forms before granting them a SIPRNET account. The Commander, [redacted] and the Commander, [redacted] should coordinate and establish policies and procedures to verify that the IAM signs required documentation before providing access to the [redacted], and establish policies and procedures to review and verify that the registration official signs required documentation before providing users their SIPRNET tokens.

(FOUO) [redacted] System Access Forms Were Not Appropriately Completed or Approved
(FOUO) [redacted] did not accurately complete two SAAR-N forms and a DD Form 2842. We requested and received SAAR-N forms and DD Forms 2842 for a sample of 41 personnel. We reviewed the 41 SAAR-N forms and determined that 1 form did not document training and another form indicated that IA training was not completed within a year of signature; therefore, the control test failed. In addition, we reviewed the 41 DD Forms 2842 and determined that the registration official did not sign or witness the user's signature for 1 form; therefore, the control test failed.

(FOUO) This occurred because [redacted] had not established procedures to verify that the required forms for system access were appropriately completed before providing users SIPRNET access. On May 1, 2014, [redacted] established a procedure for the Security Department to review and verify all SAAR-N forms. [redacted] should implement procedures to review and verify that all DD Forms 2842 are completed before users gain access to the SIPRNET.

(FOUO) Security Training Records Were Incomplete
(FOUO) [redacted] did not maintain evidence of security training. DoD Manual 5200.01, volume 3, requires DoD Components to maintain records of employee security training. Specific training required for access to classified information includes:
- initial orientation training on security policies, as required by DoD Manual 5200.01, volume 3;
- (FOUO) annual refresher training on security policies, principles, and procedures, as required by DoD Manual 5200.01, volume 3; and
- (FOUO) North Atlantic Treaty Organization (NATO) briefings that discuss the responsibilities for protecting NATO information, and a written acknowledgement of the individual's receipt of the briefing, as required by DoD Manual 5200.01, volume 1, "DoD Information Security Program: Overview, Classification, and Declassification," February 24, 2012.

(FOUO) [redacted] Training Records Were Incomplete
(FOUO) [redacted] did not maintain evidence that personnel completed classified information access training. We requested evidence for completed initial orientation security training, annual security refresher training, and NATO briefings for a sample of 32 personnel. The [redacted] provided evidence that 16 personnel completed the initial orientation security training, but was unable to provide evidence that personnel completed the annual security refresher training and the NATO briefings. [redacted] did not have a process in place to ensure that personnel completed training and that evidence of completion is recorded before granting SIPRNET access. The [redacted] stated that [redacted] provides annual security refresher training and NATO briefings; however, he was not aware that the command needed to maintain evidence of security training completion. [redacted] should complete required security trainings and implement a mechanism to identify individuals who have completed the required training.

(FOUO) [redacted] Training Records Were Incomplete
(FOUO) [redacted] did not maintain evidence that personnel completed classified information access training. We requested evidence for completed initial orientation security training, annual security refresher training, and NATO briefings for a sample of 41 personnel. [redacted] provided evidence of initial orientation security training for 39 personnel, annual security training for 31 personnel, and NATO briefings for all 41 personnel. For the two personnel for whom we did not receive evidence of initial orientation security training, [redacted] was unsure why one person did not receive initial orientation security training, and the Security Officer stated that the other person was a reservist who was rarely at the command and the security staff overlooked the requirement. In addition, [redacted] did not have evidence of annual security training for six personnel because they were not due for annual security training; however, four personnel were missing annual security refresher training because the command was changing how it tracked annual security training and the new automated tracking system did not record the data correctly.

(FOUO) We reviewed the training records provided by [redacted] and determined that 2 of 41 personnel did not have NATO briefings signed by the presenter. This occurred because the presenter signed the NATO briefings at the end of the presentation and two of the training forms were overlooked. Also, [redacted] did not have policies and procedures to track completion of the required security training before granting SIPRNET access. [redacted] should complete required security trainings and implement a procedure for identifying and retaining records of individuals who completed the required training.

[redacted]

(U) Recommendations, Management Comments, and Our Response

(U) Renumbered Recommendations
(U) We renumbered draft report Recommendation A.2 as B.3. We renumbered draft report Recommendation A.3 as A.2.

(U) A.1 We recommend that the Under Secretary of Defense for Intelligence, Commander, U.S. Cyber Command, and Department of Defense Chief Information Officer coordinate to review and issue clarifying guidance for the Office of the Secretary of Defense Memorandum, "Insider Threat Mitigation," July 12, 2013, instructing DoD Components on the proper procedures for [redacted].

(U) Under Secretary of Defense for Intelligence Comments
(FOUO) The Director for Defense Intelligence (Intelligence & Security), responding on behalf of the Under Secretary of
Defense for Intelligence, neither agreed nor disagreed and stated that, since the memorandum was dispatched, Commander, U.S. Cyber Command issued Task Order 13-0651, "Insider Threat Mitigation Amplifying Direction," July 31, 2013, and Task Order 14-0185, "Insider Threat Initiative," July 17, 2014, that provide explicit guidance to DoD Components regarding [redacted]. According to the Director, collaboration with DoD CIO staff confirmed that the two task orders capture requirements [redacted]. The Office of the Under Secretary of Defense for Intelligence acknowledged the OIG comment but requested that the draft report recommendation be withdrawn due to U.S. Cyber Command clarifying guidance.

(U) Our Response
[redacted]

(U) Commander, U.S. Cyber Command Comments
(FOUO) The Director of Operations, responding on behalf of the Commander, U.S. Cyber Command, neither agreed nor disagreed and stated that U.S. Cyber Command Task Order 14-0185, "Insider Threat Initiative," July 17, 2014, applies to SIPRNET and provides technical and procedural direction [redacted].

(U) Our Response
[redacted]

(U) Department of Defense Chief Information Officer Comments
We received the DoD CIO comments on the draft report too late to include them in the final report. Therefore, if the DoD CIO does not submit additional comments, we will consider those comments as the management response to the final report.

(U) A.2 [redacted]

(U) Commander, U.S. Cyber Command Comments
The Director of Operations, responding on behalf of the Commander, U.S. Cyber Command, neither agreed nor disagreed and stated that U.S. Cyber Command will update all applicable orders, including Communications Tasking Order 10-133, to direct DoD Components to [redacted].

(U) Our Response
Comments from the Director addressed all of the specifics of the recommendation. No further comments are required.

(U) A.3 We recommend that the Deputy Under Secretary of the Navy (Policy) update Department of the Navy policy to implement at least the minimum requirements for performing a risk assessment as required by DoD Manual 5200.01, volume 3.

(U) Deputy Under Secretary of the Navy (Policy) Comments
The Deputy Under Secretary of the Navy (Policy) agreed with the recommendation. The Deputy Under Secretary of the Navy (Policy) Senior Director for Security stated that the Deputy Under Secretary of the Navy (Policy) is updating the Secretary of the Navy Manual 5510.36, "Department of the Navy Information Security Program," June 2006. The expected timeline for completion of the draft is the end of FY 2015.

(U) Our Response
Comments from the Senior Director addressed all of the specifics of the recommendation. No further comments are required.

(U) A.4 We recommend that the Department of the Navy Chief Information Officer and Department of the Navy Deputy Chief Information Officer (Navy) coordinate to implement requirements from DoD Instruction 8500.01, "Cybersecurity," March 14, 2014, including all links, references, and attachments.

(U) Department of the Navy Chief Information Officer Comments
(FOUO) The Principal Deputy CIO, responding on behalf of the Department of the Navy CIO, agreed with the recommendation. The Principal Deputy CIO stated that the DON CIO has already begun coordinating the Department's transition to the revised Cybersecurity and Risk Management Framework instructions, including DoD Instruction 8500.01, "Cybersecurity," March 14, 2014. The DON CIO issued a memorandum, "Implementation of the Risk Management Framework for Information Technology," on May 20, 2014, providing guidance to the Navy and Marine Corps to transition to the Risk Management Framework. In addition, the DON CIO is working with the DON Deputy CIO (Navy) to develop the Navy's Risk Management Framework implementation plan.

(U) Our Response
Comments from the Principal Deputy CIO addressed all of the specifics of the recommendation. No further comments are required.

(U) Assistant Deputy Chief of Naval Operations (Information Dominance) Comments
(FOUO) The Assistant Deputy Chief of Naval Operations (Information Dominance), responding on behalf of the [redacted], neither agreed nor disagreed and stated that the [redacted] continues to coordinate with the DON CIO, U.S. Fleet Cyber Command/U.S. Tenth Fleet, and applicable Echelon II commands on the transition to the revised Cybersecurity and Risk Management Framework to ensure the Navy implements DoD Instruction 8500.01 and DoD Instruction 8510.01 requirements, including all links, references, and attachments. In addition, the [redacted] hosted a Risk Management Framework implementation working group on October 21-23, 2014, to review the Navy's Risk Management Framework transition plan.

(U) Our Response
Comments from the Assistant Deputy Chief of Naval Operations (Information Dominance) addressed all of the specifics of the recommendation. No further comments are required.

(U) Deputy Under Secretary of the Navy (Policy) Comments
Although not required to comment, the Deputy Under Secretary of the Navy (Policy) suggested including the Deputy Under Secretary of the Navy (Policy) in the coordination for Recommendation A.4.

(U) Our Response
We fully support coordination between the Navy Components; however, our recommendation was directed to the parties responsible for implementing Navy policy. Therefore, we did not change the recommendation to include coordination with the Deputy Under Secretary of the Navy (Policy).

(U) A.5 We recommend that the Department of the Navy Deputy Chief Information Officer (Navy):

a. (FOUO) Review the deficiencies identified [redacted], have a thorough review of the Navy Marine Corps Intranet Secret Internet Protocol Router Network security controls performed at each command, and apply corrective actions as necessary.

(U) Assistant Deputy Chief of Naval Operations (Information Dominance) Comments
The Assistant Deputy Chief of Naval Operations (Information Dominance), responding on behalf of the [redacted], neither agreed nor disagreed and stated that the [redacted] has directed U.S. Fleet Cyber Command/U.S. Tenth Fleet ODAA to review the NMCI SIPRNET security controls enterprise-wide. The review will consist of the following stakeholders: Site/Command IAM, Naval Enterprise Networks Program Management Office, U.S. Fleet Cyber Command/U.S. Tenth Fleet Network Operations, and the ODAA, who will
coordinate to ensure the results and corrective actions are used I-Jliiri-i to determine the impact of the The coordination with stakeholders will take place no later than November 15 2014 U Our Response Comments from the Assistant Deputy' ChiefofNaval Operations Information Deminance addressed all ofthe specifics of the recommendation No further comments are required b Implement the requirements for performing a risk assessment in accordance with updated Department of Navy policy r and 5200 01 volume 3 U Assistant Deputy Chief of Naval Operations information Dominance Comments The Assistant Deputy ChiefofNaval Operations Information Dominance responding on behalf ofthe neither agreed nor disagreed and stated that the as issued a - The Site Command 1AM and Naval Enterprise Networks Program 5 55 quinl run Management Of ce will work to implement the requirements in accordance with 5200 01 Volume 3 and transmit information to the ODAA who will use the results to determine the impact to 01 The estimated timeline for this action is no later than November 15 2014 A risk assessment is part of the physical security control assessment required for system accreditation under Instruction 8510 01 and forthcoming Secretary ofthe Navy and ChiefofNaval Operations guidance ChiefofNaval Operations Instruction 5239 10 is expected to be published by January 31 2015 U Our Response Comments from the Assistant Deputy Chief of Naval Operations Information Dominance addressed all ofthe speci cs of the recommendation No further comments are required we Werewmmenw-m IIlEiliL' the actions of the Information Assurance Manager for the regarding the de ciencies identified in this report Based on take appropriate management action including holding the Information Assurance Manager accountable U Assistant Deputy Chief of Naval Operations information Dominance Comments The Assistant DEputy Chiefof Naval Operations Information Dominance responding on behalfof mm neither agreed nor disagreed and 
stated that the supervision [redacted] and accountability of the Information Assurance Officer resides with the [redacted] Commanding Officer. The Information Assurance Officer no longer provides Information Assurance services to [redacted]. The [redacted] provides services for all SIPRNET account requests, SAAR-N compliance, and token requests.

(U) Our Response
Comments from the Assistant Deputy Chief of Naval Operations (Information Dominance) did not address the specifics of the recommendation. The [redacted] did not comment on the review of the actions and the corresponding management actions taken for holding the IAM accountable. We request that the [redacted] provide comments in response to the final report.

(U) We recommend that [redacted] and establish [redacted].

(U) Assistant Deputy Chief of Naval Operations (Information Dominance) Comments
The Assistant Deputy Chief of Naval Operations (Information Dominance), responding on behalf of [redacted], neither agreed nor disagreed and stated that [redacted].

(U) Our Response
Comments from the Assistant Deputy Chief of Naval Operations (Information Dominance) addressed all of the specifics of the recommendation. No further comments are required.

(U) We recommend that [redacted]:

a. Review the alignment of the Information Assurance Manager function, determine if realignment is necessary for effective supervision, and establish policy that assigns supervisory responsibility.

(U) Assistant Deputy Chief of Naval Operations (Information Dominance) Comments
The Assistant Deputy Chief of Naval Operations (Information Dominance), responding on behalf of [redacted], neither agreed nor disagreed and stated that [redacted] no longer receives services [redacted]. Supervision and accountability of the [redacted] Information Assurance Officer resides with the Commanding Officer.

(U) Our Response
Comments from the Assistant Deputy Chief of Naval Operations (Information Dominance) addressed all of the specifics of the recommendation. As discussed in the comments and response to an earlier recommendation, the [redacted] has supervisory responsibility for the [redacted] Information Assurance Officer. A Memorandum of Agreement between the [redacted] and [redacted] discussing
responsibilities for the Information Assurance Officer was provided. We reviewed the Memorandum of Agreement and determined that it meets the intent of the recommendation. No further comments are required.

b. Establish and implement performance standards and standard operating procedures for the Information Assurance Manager function, and monitor and evaluate the Information Assurance Managers' performance.

(U) Assistant Deputy Chief of Naval Operations (Information Dominance) Comments
The Assistant Deputy Chief of Naval Operations (Information Dominance), responding on behalf of [redacted], neither agreed nor disagreed and stated that the [redacted] will request that [redacted] Chief of Naval Operations direct personnel to provide documentation that they have implemented performance standards and standard operating procedures for the IAM no later than November 30, 2014.

(U) Our Response
Comments from the Assistant Deputy Chief of Naval Operations (Information Dominance) addressed all of the specifics of the recommendation. No further comments are required.

(U) We recommend that [redacted]:

a. [redacted]

(U) Assistant Deputy Chief of Naval Operations (Information Dominance) Comments
The Assistant Deputy Chief of Naval Operations (Information Dominance), responding on behalf of [redacted], neither agreed nor disagreed and stated that [redacted] was the [redacted]. The Deputy Chief of Naval Operations will direct U.S. Fleet Forces Command [redacted] Tenth Fleet to provide documentation of [redacted] within the past 6 months.

(U) Our Response
Comments from the Assistant Deputy Chief of Naval Operations (Information Dominance) partially addressed the recommendation. We request that [redacted] provide comments to the final report that explicitly state whether [redacted] has been performed within the past 6 months or, if one has not been performed, that a [redacted] should be performed immediately.

b. [redacted]

(U) Assistant Deputy Chief of Naval Operations (Information Dominance) Comments
The Assistant Deputy Chief of Naval Operations (Information Dominance), responding on behalf of the [redacted], neither agreed nor disagreed and stated that
the [redacted].

(U) Our Response
Comments from the Assistant Deputy Chief of Naval Operations (Information Dominance) addressed all of the specifics of the recommendation. No further comments are required.

c. Complete required security trainings and develop and implement a mechanism for identifying individuals who complete required security training.

(U) Assistant Deputy Chief of Naval Operations (Information Dominance) Comments
The Assistant Deputy Chief of Naval Operations (Information Dominance), responding on behalf of the [redacted], neither agreed nor disagreed and stated that initial security training is conducted when military, civilian, and contractor personnel report onboard and is documented in security files. Annual security refresher training is conducted and documented as required by current instructions.

(U) Our Response
Comments from the Assistant Deputy Chief of Naval Operations (Information Dominance) partially addressed the recommendation. We request that [redacted] officials provide comments to the final report that describe the mechanism that will be used to identify individuals who complete the required security training.

(U) Assistant Deputy Chief of Naval Operations (Information Dominance) Comments
[redacted]

(U) Our Response
Comments from the Assistant Deputy Chief of Naval Operations (Information Dominance) addressed all of the specifics of the recommendation. No further comments are required.

(U) We recommend that [redacted].

(U) Assistant Deputy Chief of Naval Operations (Information Dominance) Comments
The Assistant Deputy Chief of Naval Operations (Information Dominance), responding on behalf of the [redacted], neither agreed nor disagreed and stated that [redacted] has corrected deficiencies with its secure room in a manner compliant with DoD Manual 5200.01, Volume 3, ensuring continuous monitoring during working hours when the secure door is unlocked. [redacted]

(U) Our Response
(U) Comments from the Assistant Deputy Chief of Naval Operations (Information Dominance) addressed all of the specifics of the recommendation. No further comments are required.

[redacted]

(U) Assistant Deputy Chief of Naval Operations (Information Dominance) Comments
[redacted]

(U) Our Response
Comments from the Assistant Deputy Chief of Naval Operations (Information Dominance) partially addressed the recommendation. [redacted]

[redacted]

(U) Assistant Deputy Chief of Naval Operations (Information Dominance) Comments
[redacted]

(U) Our Response
Comments from the Assistant Deputy Chief of Naval Operations (Information Dominance) addressed all of the specifics of the recommendation. No further comments are required.

[redacted]

(U) Assistant Deputy Chief of Naval Operations (Information Dominance) Comments
[redacted]

(U) Our Response
Comments from the Assistant Deputy Chief of Naval Operations (Information Dominance) partially addressed the recommendation. We request that [redacted] provide additional comments that describe the procedures for performing risk assessments in response to the final report.

e. Complete required security training and develop and implement a mechanism to identify individuals who complete required security training.

(U) Assistant Deputy Chief of Naval Operations (Information Dominance) Comments
The Assistant Deputy Chief of Naval Operations (Information Dominance), responding on behalf of [redacted], neither agreed nor disagreed and stated that [redacted] will conduct a physical security training audit, identify deficiencies, and conduct required training no later than November 15, 2014. Proof of training completion will be reported to [redacted]. The Chief of Naval Operations will request that Commander, Navy Reserve Forces Command provide documentation of the [redacted] physical security training audit no later than November 30, 2014.

(U) Our Response
Comments from the Assistant Deputy Chief of Naval Operations (Information Dominance) partially addressed the recommendation. We request that [redacted] officials provide additional comments that address all security training, not just physical security training. Also provide comments that describe the mechanism, which should be of a recurring nature, that will be used to identify
individuals who complete the required security training in response to the final report.

(U) Assistant Deputy Chief of Naval Operations (Information Dominance) Comments
Although not required to comment, the Assistant Deputy Chief of Naval Operations (Information Dominance), responding on behalf of the [redacted], stated that [redacted] require [redacted].

(U) Our Response
Although the comments from the Assistant Deputy Chief of Naval Operations (Information Dominance) do not directly address any recommendation, we agree with [redacted] in accordance with DoD Instruction 8500.01, "Cybersecurity," March 14, 2014.

(U) Finding B
[Finding title and body redacted]

Vulnerabilities are also known as security weaknesses.

During the audit, DoD issued updated policy for the certification and accreditation of systems, DoDI 8510.01, "Risk Management Framework for DoD Information Technology," March 12, 2014. According to DoDI 8510.01, DoD Components should transition to the updated policy requirements when reaccreditation is necessary.

The Readiness Inspection results were presented [redacted]. The Enterprise [redacted] lists [redacted]. The Validation Plan and Procedures and Risk Assessment Reports are internally generated documents that identify vulnerabilities and their associated severity category (CAT).

A cross-domain solution is an information assurance solution that provides the ability to access or transfer data between two or more differing security domains and can be authorized for no more than one year from the date of approval. Domains include a set of system resources and a set of system entities that have the right to access the resources, as defined by a common security policy, security model, or security architecture.

(U) Table [title and contents redacted]

21. A network topology depicts the security posture of the network enclave that will be connecting to the DISN.

Time lapsed before DISA approval refers to the time between when the configuration
change was implemented and when DISA issued the Authority to Connect.

(U) Intrusion detection system [remainder redacted].

22. Enclaves are a collection of information systems connected by one or more internal networks under the control of a single authority and security policy.

According to DISA Network Infrastructure Technology Overview, version 8, release 5, April 27, 2012, enabled tunnels should be identified on the network topology. In addition, according to the DISN Connection Process Guide, the network topology is required to show the accreditation boundaries,[23] identify cross-domain solutions, and identify any connections to other networks, to include the name of the organization that owns the enclave, the connection type, internet protocol addresses for all devices within the enclave, and the organization type.

23. Accreditation boundary refers to the physical or logical boundary that is defined for a system, domain, or enclave. The system has a conceptual boundary that extends to all intended users of the system, both directly and indirectly connected.

(U) Recommendations, Management Comments, and Our Response

[Recommendation redacted]

(U) Assistant Deputy Chief of Naval Operations (Information Dominance) Comments
[redacted]

(U) Our Response
Comments from the Assistant Deputy Chief of Naval Operations (Information Dominance) addressed all of the specifics of the recommendation. No further comments are required.

[Recommendation redacted]

(U) Assistant Deputy Chief of Naval Operations (Information Dominance) Comments
[redacted]

(U) Our Response
Comments from the Assistant Deputy Chief of Naval Operations (Information Dominance) addressed all of the specifics of the recommendation. No further comments are required.

B.3 (U) We recommend that the Director, Navy Operational Designated Accrediting Authority, [redacted].

(U) Assistant Deputy Chief of Naval Operations (Information Dominance) Comments
[redacted]

(U) Our Response
Comments from the Assistant Deputy Chief of Naval Operations (Information Dominance)
addressed all of the specifics of the recommendation. No further comments are required.

[Recommendation redacted]

(U) Assistant Deputy Chief of Naval Operations (Information Dominance) Comments
[redacted]

(U) Our Response
Comments from the Assistant Deputy Chief of Naval Operations (Information Dominance) addressed all of the specifics of the recommendation. No further comments are required.

[Recommendation redacted]

(U) Assistant Deputy Chief of Naval Operations (Information Dominance) Comments
[redacted]

(U) Our Response
Comments from the Assistant Deputy Chief of Naval Operations (Information Dominance) addressed all of the specifics of the recommendation. No further comments are required.

[Recommendation redacted]

(U) Assistant Deputy Chief of Naval Operations (Information Dominance) Comments
[redacted]

(U) Our Response
Comments from the Assistant Deputy Chief of Naval Operations (Information Dominance) did not address the specifics of the recommendation. However, as discussed in the comments to Recommendation B.2, [redacted], and therefore no further comments are required.

[Recommendation redacted]

(U) Assistant Deputy Chief of Naval Operations (Information Dominance) Comments
[redacted]

(U) Our Response
Comments from the Assistant Deputy Chief of Naval Operations (Information Dominance) addressed all of the specifics of the recommendation. No further comments are required.

[Recommendation redacted]

(U) Assistant Deputy Chief of Naval Operations (Information Dominance) Comments
[redacted]

(U) Our Response
Comments from the Assistant Deputy Chief of Naval Operations (Information Dominance) addressed all of the specifics of the recommendation. No further comments are required.

(U) Appendix A
(U) Scope and Methodology

We conducted this performance audit from April 2013 through September 2014 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.

(U) We performed the audit to determine whether the Navy was effectively protecting SIPRNET access points. [redacted] The commands chosen represented various types of access points (Sensitive Compartmented Information Facility, Open Secret Storage, and Secure Room) as designated by the [redacted] U.S. Navy. For more information on certification and accreditation activities, see Appendix B. During our review, we interviewed [redacted] and Navy component personnel. We interviewed personnel at the Under Secretary of Defense for Intelligence, DoD CIO, and U.S. Cyber Command concerning the write privilege criteria. We interviewed personnel at [redacted] to discuss SIPRNET access points and open vulnerabilities. At the [redacted], we interviewed personnel; obtained, reviewed, and analyzed policies; obtained, reviewed, and analyzed network access and privilege processes; and obtained, reviewed, and analyzed network settings. At [redacted], we interviewed personnel; obtained, reviewed, and analyzed physical security, logical security, user authentication, personnel access, classified information protection, visitor access, and classified information technology disposal policies and procedures; and observed physical security for SIPRNET access points.

(U) In addition, we performed control tests for the SAAR-N forms, DD Forms 2842, and security training forms. The following decision rules applied for our control tests: if there were no errors in the sample, then the control passes; if there were one or more errors, then the control fails. We used the control test table developed by the Quantitative Methods Division and published in the Council of the Inspectors General on Integrity and Efficiency Journal of Public Inquiry, 2012-2013, when performing the control tests.

(U) Use of Computer-Processed Data
[redacted]

(U) Use of Technical Assistance
(U) We obtained support from the Office of the Inspector General Quantitative Methods Division in developing a statistical sample for review. We obtained
support from the Office of the Inspector General Information Systems Directorate for defining SIPRNET access points.

(U) Prior Coverage
(U) During the last 5 years, the Naval Audit Service issued one report discussing security guidance for certification and accreditation.

(U) Naval Audit Service
(U) "Navy Compliance with Department of Defense Information Assurance Certification and Accreditation Process," September 28, 2012

(U) Appendix B
(U) DoD Information Assurance Certification and Accreditation Process

(U) The DIACAP establishes a process to certify and accredit DoD information systems based on the implementation of IA controls. DIACAP applies to all DoD-owned and controlled information systems and consists of five activities.

(U) Activity 1, Initiate Certification and Accreditation, includes registering the system with the appropriate DoD Component, assigning IA controls to the information system, and initiating the DIACAP Implementation Plan. Each assigned control is implemented according to the applicable implementation guidelines provided in the DIACAP.

(U) Activity 2, Implement and Validate IA Controls, includes executing the DIACAP Implementation Plan, conducting validation activities, preparing the IT Security POA&M, and compiling validation results in the DIACAP Scorecard. The status of each assigned IA control is indicated on the DIACAP Scorecard as compliant, noncompliant, or not applicable.

(U) Activity 3, Make Certification Determination and Accreditation Decision, includes determining whether to certify and accredit a DoD information system. Each information system has a certifying authority, who bases the certification decision on IA validation results, and a designated accrediting authority, who bases the accreditation decision on a balance of mission or business need and protection of the information being processed.

(U) Activity 4, Maintain Authorization, involves the sustainment of an acceptable IA posture. The IA controls should be reviewed annually to confirm the effectiveness of the assigned IA controls or to
recommend changes to the accreditation status. A designated accrediting authority may downgrade or revoke an accreditation decision at any time if risk conditions or concerns develop from the reviews. The results of an annual review or a major change in information assurance posture at any time may indicate the need for recertification and reaccreditation.

(U) Activity 5, Decommissioning, focuses on removing an information system from operation.

(U) Appendix C
(U) Information Assurance Controls

(U) According to DoDI 8500.2, "Information Assurance (IA) Implementation," February 6, 2003, IA controls are an objective condition of the integrity, availability, or confidentiality of the information system, achieved through the application of specific safeguards or through the regulation of specific activities. There are eight broad IA control subject areas:

- (U) Security Design and Configuration, abbreviated DC;
- (U) Identification and Authentication, abbreviated IA;
- (U) Enclave and Computing Environment, abbreviated EC;
- (U) Enclave Boundary Defense, abbreviated EB;
- (U) Physical and Environmental, abbreviated PE;
- (U) Personnel, abbreviated PR;
- (U) Continuity, abbreviated CO; and
- (U) Vulnerability and Incident Management, abbreviated VI.

(U) Each IA control is assigned a control number that designates the control's subject area and name. The control numbers consist of four letters, a dash, and a number. The first two letters designate the subject area, and the second two letters designate the control name. The number represents the level of robustness of the IA control in ascending order, with one being the least robust and three being the most robust. See Table C-1 for a description of the IA controls discussed in our report, including the control number and the corresponding subject areas and control names.

(U) Table C-1. Information Assurance Controls
Columns: Control Number | Subject Area | Control Name
[table rows redacted]

(U) Appendix D
(U) Navy [remainder of title illegible]

(U) CAT I vulnerabilities are the most critical and are required to be corrected before an ATO is granted. CAT II vulnerabilities
can lead to unauthorized system access or activity and are required to be corrected or mitigated within 180 days of granting an ATO. If CAT II vulnerabilities are not corrected or mitigated within the specified time frame, the ATO becomes invalid. CAT III vulnerabilities may impact security posture but are not required to be mitigated or corrected in order for an ATO to be granted.

(U) Appendix E
(U) Criteria

(U) We used the following guidance throughout the audit.

(U) National Security Telecommunications and Information Systems Security Committee
(U) National Security Telecommunications and Information Systems Security Instruction 7003, "Protected Distribution Systems," December 13, 1996, outlines the approval authority, standards, and guidance for PDS design, installation, and maintenance.

(U) Office of the Secretary of Defense
(U) Office of the Secretary of Defense Memorandum, "Insider Threat Mitigation," July 12, 2013, provides information protection and insider threat mitigation procedures to be implemented by all DoD Components.

(U) Chairman of the Joint Chiefs of Staff
(U) Chairman of the Joint Chiefs of Staff Instruction 6211.02D, "Defense Information Systems Network (DISN) Responsibilities," January 24, 2012, establishes policy and responsibilities for the connection of information systems and unified capabilities products to the DISN-provided transport and access to information services transmitted over the DISN.

(U) DoD
(U) DoDI 8500.2, "Information Assurance (IA) Implementation," February 6, 2003, implements policy, assigns responsibilities, and prescribes procedures for applying integrated, layered protection of the DoD information systems and networks.

(U) DoDI 8510.01, "DoD Information Assurance Certification and Accreditation Process (DIACAP)," November 28, 2007, establishes a certification and accreditation process to manage the implementation of IA capabilities and services and provide visibility of accreditation decisions regarding the operation of DoD information systems, including core enterprise services and Web service-based software systems and applications.

(U) DoDI 8510.01, "Risk
Management Framework for DoD Information Technology," March 12, 2014, provides procedural guidance for the reciprocal acceptance of authorization decisions and artifacts within and between DoD and other Federal agencies for the authorization and connection of information systems.

(U) DoD Manual 5200.01, Volume 1, "Information Security Program: Overview, Classification, and Declassification," February 24, 2012, implements policy, assigns responsibilities, and provides procedures for the designation, marking, protection, and dissemination of controlled unclassified information and classified information, including information categorized as collateral, sensitive compartmented information, and Special Access Program.

(U) DoD Manual 5200.01, Volume 3, "Information Security Program: Protection of Classified Information," March 19, 2013, provides guidance for safeguarding, storing, destroying, transmitting, and transporting classified information, and also identifies security education and training requirements and processes for handling of security violations and compromise of classified information.

(U) U.S. Cyber Command
(U) U.S. Cyber Command Communications Tasking Order 10-133, "Protection of Classified Information on DoD Secret Internet Protocol Router Network (SIPRNET)," January 4, 2011.

(U) Navy
(U) Secretary of the Navy Instruction 5239.3B, "Department of the Navy Information Assurance Policy," June 17, 2009, establishes IA policy for the DON consistent with national and DoD policies.

(U) Secretary of the Navy Manual 5510.36, "Department of the Navy Information Security Program," June 2006, establishes uniform policies and procedures for classifying, safeguarding, transmitting, and destroying classified information. In addition, the manual provides guidance on security education and the industrial security program.

(U) DON Information Assurance Certification and Accreditation Process Handbook, version 1, July 15, 2008, details the baseline DON approach to the DIACAP and the procedures necessary to obtain an accreditation decision for DON information systems undergoing the certification and
accreditation actions as required under Federal law and DON regulations and directives.

(U) Navy Telecommunications Directive 10-11, "Form 5239-14 System Access Authorization Request Navy," October 2011, requires all users accessing Navy IT resources to sign a SAAR-N form and complete annual IA training.

(U) Defense Information Systems Agency
(U) DISA Defense Information Systems Network (DISN) Connection Process Guide, version 4.2, January 2013, establishes, manages, maintains, and promulgates a partner connection process guide describing steps that must be followed to request and implement a DISN connection.

(U) DISA Network Infrastructure Technology Overview, version 8, release 5, April 27, 2012, provides security considerations at the network level needed for an acceptable level of risk for information as it is transmitted throughout the enclave.

(U) Management Comments

(U) Under Secretary of Defense for Intelligence
Office of the Under Secretary of Defense, Washington, DC. Memorandum dated October 23 for the Program Director, Department of Defense Inspector General, concerning the draft report "Navy Commands Need to Improve Logical and Physical Controls Protecting SIPRNET Access Points." [The body of the scanned memorandum is illegible in this copy.] Omitted attachments because of length. Copies provided upon request.

(U) U.S. Cyber Command
Department of Defense, United States Cyber Command, Fort Meade, Maryland. Subject: Review of DoD IG draft report, "Navy Commands Need to Improve Logical and Physical Controls Protecting SIPRNET Access Points." [The body of the scanned memorandum is illegible in this copy.] Final Report Reference: Renumbered as
Recommendation [number illegible].

(U) U.S. Cyber Command (cont'd)
[The remainder of the scanned memorandum is illegible in this copy.] Omitted attachment (Enclosure A) because of length. Copies provided upon request.

(U) Deputy Under Secretary of the Navy
The Deputy Under Secretary of the Navy, Washington, DC. Memorandum for Department of Defense Office of Inspector General. Subject: Department of Defense Office of the Inspector General Report on Navy Commands Need to Improve Logical and Physical Controls Protecting SIPRNET Access Points. Reference: (a) DoD IG email of 22 Sept 2014. As requested in reference (a), my office reviewed the Department of Defense Office of Inspector General report and concurs with comments. A security marking review was conducted on comments submitted and determined to be unclassified. Questions regarding this review and attachment may be addressed to [redacted]. Attachment: As stated.

(U) Deputy Under Secretary of the Navy (cont'd)
[The attached comment matrix, marked UNCLASSIFIED, is illegible in this copy.]
[Continuation of the Deputy Under Secretary of the Navy comment matrix; illegible in this copy apart from a reference to Recommendation A.3.]

(U) Department of the Navy Chief Information Officer
Department of the Navy, Chief Information Officer, Washington, DC. Subject: Navy Commands Need to Improve Logical and Physical Controls Protecting SIPRNET Access Points. [The body of the scanned memorandum is largely illegible in this copy; it refers to the DON transition to the Risk Management Framework and to coordination with the DON Deputy CIO (Navy), and names a DON CIO point of contact.]

(U) Assistant Deputy Chief of Naval Operations (Information Dominance)
From: Assistant Deputy Chief of Naval Operations (Information Dominance)
To: Department of Defense Inspector General
Department of the Navy, Washington, DC
5000
Ser [illegible]
[day illegible] Oct 14

Subj: NAVY RESPONSE TO DoD IG [remainder of subject line illegible]

1. Per reference (a), the following comments are provided.

2. Recommendation [number and response illegible].

(U) Assistant Deputy Chief of Naval Operations (Information Dominance) (cont'd)
[Responses to the individual recommendations are redacted or illegible in this copy.] Omitted attachments because of length. Copies provided upon request.

6. Recommendation [number illegible]: Review the alignment of the IAM function, determine if realignment is necessary for effective supervision, and establish policy that assigns supervisory responsibility. [Response redacted.] Omitted attachments because of length. Copies provided upon request.

Task: Establish and implement performance standards and standard operating procedures for the Information Assurance Manager function and monitor and evaluate the Information Assurance Managers' performance. [Response redacted.] Omitted attachments because of length. Copies provided upon request.

(U) Assistant Deputy Chief of Naval Operations (Information Dominance) (cont'd)
[Responses to the remaining recommendations are redacted or illegible in this copy.] Omitted attachments because of length. Copies provided upon request.
Recommendation [number and response illegible]. Omitted attachments because of length. Copies provided upon request.

(U) Assistant Deputy Chief of Naval Operations (Information Dominance) (cont'd)
[Point of contact information redacted.] Copy to: DON CIO, Washington, DC.

13. Recommendation [number illegible]: [redacted]. Omitted attachments because of length. Copies provided upon request.

(U) Glossary

Accreditation Decision. A formal statement by a designated accrediting authority regarding acceptance of the risk associated with operating a DoD information system, expressed as an ATO, Interim ATO, Interim Authorization to Test, or Denial. The accreditation decision may be issued in hard copy with a traditional signature or issued electronically, signed with a public key infrastructure-certified digital signature.

Approval to Connect. A formal statement by the Connection Approval Office granting approval for an information system to connect to the DISN. The Approval to Connect cannot be granted for longer than the period of validity of the associated ATO. An ATO may be issued for up to 3 years. An Approval to Connect will not be granted based on an Interim ATO.

Artifacts. System policies, documentation, plans, test procedures, test results, and other evidence that express or enforce the IA posture of the DoD information system, make up the certification and accreditation information, and provide evidence of compliance with the assigned IA controls.

Authorization to Operate (ATO). Authorization granted by a designated accrediting authority for a DoD information system to process, store, or transmit information. An ATO indicates a DoD information system
has adequately implemented ali assigned controlsto the point where residual risk is acceptable to the designated accrediting authority ATOs may be issued for up to 3 years Category CAT I Severity Assigned to ndings that allow primary security protections to be bypassed allowing immediate access by unauthorized personnel or unauthorized assumptions of super-user privileges An ATO will not be granted while CAT weaknesses are present Category 1 Severity Assigned to findings that have a potential to lead to unauthorized system access or activity CAT II findings that have been satisfactorily mitigated will not prevent an ATO from being granted Certi cation Determination A certifying authority's determination of the degree to which a system complies with assigned IA controls based on validation results It identifies and assesses the residual risk with operating a system and the costs to correct or mitigate IA vulnerabilities as documented in the IT Security Classi ed Transport Boundary A physical or logical perimeter of a system that conveys classi ed information from one location to another and requires protection ll Cross Domain Solution A form of controlled interface that provides the ability to manually or automatically access and transfer information between different security domains Denial of Authorization to Operate A designated accrediting authority decision that a information system cannot operate because of an inadequate design failure to adequately implement assigned controls or other lack ofadequate security If the system is already operational the operation of the system is halted DIACAP Implementation Plan Contains the information system s assigned IA controls The plan also includes the implementation status responsible entities resources and the estimated completion date for each assigned In control The plan may reference applicable supporting implementation material and artifacts DIACAP Scorecard A summary report that ConVeyS information on the IA 
security posture ofa information system in a format that can be exchanged electronically It shows the implementation status of a information system s assigned lA controls non compliant or not applicable as well as the certi cation and accreditation status Domain An environment or context that includes a set of system resources and a set of system entities that have the right to access the resources as de ned by a common security policy security model or security architecture Tunnel An tunnel sends secure information between networks by encapsulating network protocols within packets Interim Authorization to Operate Temporary authorisation granted by the designated accrediting authority to operate a information system under the conditions or constraints enumerated in the accreditation dacision Network Topology Depicts the security posture of the network enclave that will be connecting to the DISN Plan of Action and Milestones A permanent record that identifies tasks to be accomplished in order to resolve vulnerabilities required for any accreditation decision that requires corrective actions it speci es resources required to accomplish the tasks enumerated in the plan and milestones for completing the tasks also used to document designated accrediting authority accepted non compliant IA controls and baseline IA controls that are not applicable An IT Security may be active or inactive throughout a system's life cycle as weaknesses are newly identified or closed Protected Distribution System A system used to transmit classi ed National Security Information through an area oflesser classification or control Security Posture The security status of an enterprise's networks information and systems based on IA resources and capabilities in place to manage the defense of the enterprise and to react as the situation changes Severity Codes The category assigned to a system IA vulnerability by a Certifying Authority as part ofcenification analysis to indicate the risk level 
associated with the IA vulnerability and the urgency with which the corrective action must be completed Severity categories are expressed as CAT I CAT II or CAT ill with CAT I indicating the greatest risk and urgency System Identi cation Pro le A compiled list of system characteristics or qualities required to register an information system with the governing Component IA program Validation Confirmation that requirements for a speci c intended use or application have been fulfilled U Annex U Somces Source 1 Instruction 0-3 600 02 information Operations Security Classification Guide November 28 2005 Document EEG-HG Source 2 nun Document classified Seem-t Declassify 0n 20321105 Date ofSource November 5 2012 SDUFCE 3 D cument classified Seer-eh Declassify 011 20371102 Date ofSource November 2 2012 W Source 4' Document classi ed Secret Declassify On 20220323 Date ofSource May 4 2012 U Acronyms and Abbreviations ATO Authorization to Operate CAT Category CDSA Cross Domain Solution Authorization CID Chief Information Officer DDCIOIN Department of the Navy Deputy Chief Information Officer Navy DIACAP Defense Information Assurance Certification and Accreditation Process DISA Defense Information Systems Agency DISH Defense Information Systems Network Instruction Manual DON Department of the Navy DnlrIi J ilnt'IirEi IA information Asaurance IAM Information Assurance Manager IT Information Technology NATO North Atlantic Treaty Organization NMCI Navy Marine Corps Intranet Dunn Hot In DDAA Operational Designated Accrediting Authority PDS Protected Distribution System Plan of Action and Milestones SAAB-N System Access Authorization Request Navy SIPRNET Secret Internet Protocol Router Network Whistle-blower Protection U S DEPARTMENT OF DEFENSE The Whistiebiower Protection Enhancement Act of 2012 requires the Inspector Generai to designate a Whistiebiower Protection Ombudsman to educate agency empioyees about prohibitions on retaiiation and rights and remedies against retaiiation 
for protected disciosures The designated ombudsman is the Hot iine Director For more information on your rights and remedies against retaiiation visit For more information about DOB 16 reports or activities please contact us Congressional Liaison congressional@dodig mil TG3 604 8324 Media Contact public affair5@dodig mil 703 604 8324 Update Reports Mailing List Twitter Dal Hotline dodigmillhotline DEPARTMENT OF DEFENSE I INSPECTOR GENERAL 4-80 Mark IL-mm Drive Alcxanclria 22350- 1500 wx-w-w in i gmil lutlinc nil uni I This document is from the holdings of The National Security Archive Suite 701 Gelman Library The George Washington University 2130 H Street NW Washington D C 20037 Phone 202 994-7000 Fax 202 994-7005 nsarchiv@gwu edu