UNCLASSIFIED

National Geospatial-Intelligence Agency

DIRECTIVE NUMBER 8231
19 May 2015
Administrative Update 4, 28 October 2015

SUBJECT: Cyber Defense Operations

References: See Enclosure 1.

1. PURPOSE. This NGA Directive (NGAD):

a. Establishes policy and assigns responsibilities for centralized NGA cyber defense operations.

b. Supports the national Intelligence Community (IC) and Department of Defense (DOD) cyber defense operations objectives in accordance with (IAW) References 3 and through

c. Establishes the Cyber Security Operations Cell (CSOC) as the central point for all NGA cyber defense operations.

d. Supports cyber defense operations interoperability between agencies, combatant commands, and services.

2. APPLICABILITY. This NGAD applies to NGA civilian employees, military service members assigned to the NGA, personnel from other Government agencies permanently assigned to NGA, and contractors.

3. DEFINITIONS. See Glossary.

4. POLICY. It is NGA policy that:

a. All NGA cyber defense operations are consolidated and centralized under the CSOC, which serves as the focal point for cyber incident detection, analysis, and reporting and is the Computer Network Defense-Service Provider for NGA networks and information systems (ISs).

b. The NGA is certified and accredited IAW Reference

c. Technical and non-technical capabilities are employed to implement directed information network operations and cyberspace defense actions to protect NGA networks and ISs IAW Reference

5. RESPONSIBILITIES. See Enclosure 2.

6. EFFECTIVE DATE. This Directive is effective on the date of signature.

Harry E. Mornston
Chief of Staff

Enclosures:
1. References
2. Responsibilities
Glossary

ENCLOSURE 1

REFERENCES

a. Intelligence Community Directive (ICD) 502, Integrated Defense of the Intelligence Community Information Environment, 11 March 2011

b. ICD 503, Intelligence Community Information Technology Systems Security Risk Management, Certification and Accreditation, 15 September 2008

c. Committee on National Security Systems Instruction (CNSSI) 4009, Committee on National Security Systems Glossary, 08 April 6 2015

d. Instruction 8500.01, Cybersecurity, 14 March 2014

e. 8570.01-M, Information Assurance Workforce Improvement Program, 19 December 2005, Incorporating Change 3, 24 January 2012

f. 8410.02, NetOps for the Global Information Grid, 19 December 2008

g. Computer Network Defense, 08 January 2001

h. Department of Defense Computer Network Defense (CND) Service Provider Certification and Accreditation Program, 17 December 2003

i. NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, September 2011

j. NGA Directive (NGAD) 8000, Information Management and the Chief Information Officer, 09 August 2013

k. Cyber Security Operations Cell Concept of Operations (CONOPS), 22 May 2014

l. Administrative Update on responsibilities of the Chief Information Security Officer (CISO) from NGA IG note, 20 May 2015 (Change 1)

m. Email from D/NGA to 008, Policy Signature Designation Note, 5 June 2015 (Change 2)

n. Administrative Update on responsibilities of the Director, NGA Operations Center (NOC), and NGA Continuity Coordinator (Change 3)

ENCLOSURE 2

RESPONSIBILITIES

1. Director, NGA

a. Oversees cyber defense operations to ensure integration with the NGA mission and posture NGA in defense of current and future threats.

b. Executes and supports risk management decisions to resource, plan, and prepare for survival, continuity, recovery, and restoration of mission-critical and mission-essential ISs, applications, and data when affected by cybersecurity threats and incidents.

2. Chief Information Officer, IT Services

a. Oversees overall coordination of enterprise cyber defense management IAW Reference

b. Coordinates policies to support CSOC operations.

c. Assists Key Component (KC) Directors with guidance and direction regarding resources of high value and relevance to cyber defense expertise.

d. Establishes, implements, maintains, monitors, and reports status on ISs and networks.

e. Implements and enforces requirements to support NGA CSOC threat analysis and remediation.

f. In conjunction with the Chief Information Security Officer (CISO) and the NGA Continuity Coordinator, executes risk management and funding decisions to resource, plan, and prepare for the survival, continuity, recovery. CISO also ensures that an adequate and effective information assurance program is developed, implemented, and maintained on behalf of the CIO under the Federal Information Management Security Act. Remediation of mission-critical and mission-essential information system assets and data, when affected by a cyber-security threat or incident, are managed on behalf of the CISO through the CSOC.

g. Reports directly to the on matters relating to the security of NGA networks.

h. Supports NGA's mission essential functions.

i. Ensures a defense-in-breadth and defense-in-depth strategy is provided for the survival, continuity, recovery, and restoration of NGA ISs, applications, and data when faced with cyber threats or incidents.

j. Provides and maintains situational awareness of cyber threats directly impacting mission to ensure the confidentiality, integrity, and availability of NGA information and ISs.

k. Leads the development of the CSOC. Identifies best business practices and incident monitoring and handling workflow.

3. Director, CSOC

a. Serves as the NGA focal point for collection and reporting of cyber defense operations and ensures appropriate escalation of significant cybersecurity events, incidents, or threats.

b. Protects NGA networks and separately operated ISs by employing programs and processes supporting information network operations and cyberspace defense operations.

c. Establishes data collection requirements to monitor, analyze, and examine cyber threats and attacks (Reference).

d. Establishes and enforces the use of tools, methodology, and best practices for cybersecurity defense to respond and remediate threats and disruptions for NGA systems and networks.

e. Oversees cybersecurity incident detection, analysis, examination, mitigation, counterintelligence review, cyber intelligence collection, and reporting (internal and external).

f. Coordinates with external agencies, combatant commands, and services on cyber defense operations, as required.

g. Integrates direct operational and support personnel from Analysis Directorate (A), Security and Installations Directorate, and Source Directorate (S).

4. Director, NOC

a. Coordinate internal and external cybersecurity incident reporting requirements with CSOC to ensure reporting timelines are met using the appropriate formats and methods.

b. Provide exercise support across the NOC Enterprise to integrate response and reporting requirements to NGA partners and the IC.

5. KC Directors and Career Service Heads

a. Provide assistance (people, processes, and technology) as necessary to support CSOC operations.

b. In conjunction with the CSOC, identify a security plan for incident monitoring and remediation for each NGA system purview and ensure understanding and capabilities are provided to execute and maintain the plan.

c. Provide sufficient human capital investments to meet training requirements of the Cyber Team Liaison roles supporting NGA cyber defense and cyber operations.

d. Adequately fund and prioritize training and development requirements to certify the Cyber Team Liaison achieves and sustains relevant cyber expertise IAW Reference, as applicable.

GLOSSARY

DEFINITIONS

Access: Ability and means to communicate with or otherwise interact with a system, to use system resources to handle information, to gain knowledge of the information the system contains, or to control system components and functions. (Reference)

Chief Information Security Officer: Official responsible for carrying out the Chief Information Officer (CIO) responsibilities under the Federal Information Security Management Act (FISMA) and serving as the CIO's primary liaison to the agency's authorizing officials, information system owners, and information systems security officers. (Reference)

Confidentiality: The requirement that information is not disclosed to system entities (users, processes, devices) unless they have been authorized to access the information. (Reference)

Cyber Attack: An attack, via cyberspace, targeting an enterprise's use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information. (Reference)

Cybersecurity: The ability to protect or defend the use of cyberspace from cyber attacks. (Reference)

Cyberspace: The interdependent network of information technology infrastructures that includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries. (Reference)

Defense in Breadth: A planned, systematic set of multi-disciplinary activities that seek to identify, manage, and reduce risk of exploitable vulnerabilities at every stage of the system, network, or sub-component lifecycle (system, network, or product design and development; manufacturing; packaging; assembly; system integration; distribution; operations; maintenance; and retirement). (Reference)

Defense-in-Depth: Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization. (Reference)

Disruption: An unplanned event that causes the general system or major application to be inoperable for an unacceptable length of time. (Reference)

Enterprise: An organization with a defined mission/goal and a defined boundary, using information systems to execute that mission, and with responsibility for managing its own risks and performance. An enterprise may consist of all or some of the following business aspects: acquisition, program management, financial management (budgets), human resources, security, and information systems, information and mission management. (Reference)

Information: Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual. (Reference)

Information System: A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. (Reference)

Integrity: The property whereby an entity has not been modified in an unauthorized manner. (Reference)

Risk: A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of 1) the adverse impacts that would arise if the circumstance or event occurs; and 2) the likelihood of occurrence. Note: Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. (Reference)

Risk Management: The process of managing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the nation resulting from the operation or use of an information system, and includes: 1) the conduct of a risk assessment; 2) the implementation of a risk mitigation strategy; 3) employment of techniques and procedures for the continuous monitoring of the security state of the information system; and 4) documenting the overall risk management program. (Reference)

Security Plan: Formal document that provides an overview of the security requirements for an information system or an information security program and describes the security controls in place or planned for meeting those requirements. (Reference)

Threat: Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. (Reference)

UNCLASSIFIED