Department of Defense
DIRECTIVE

January 8, 2001
NUMBER O-8530.1

FOR OFFICIAL USE ONLY

SUBJECT: Computer Network Defense (CND)

References:
(a) 10 U.S.C. 2224, "Defense Information Assurance Program"
(b) DoD Directive 5137.1, "Assistant Secretary of Defense for Command, Control, Communications, and Intelligence (ASD(C3I))," February 12, 1992
(c) DoD 5025.1-M, "DoD Directives System Procedures," August 1994
(d) 18 U.S.C. 2511(2)(a)(i), "Wire and Electronic Communications Interception and Interception of Oral Communications"
(e) through (l), see Enclosure 1 (E1)

1. PURPOSE

This Directive:

1.1. Establishes, in accordance with references (a) and (b), the computer network defense (CND) policy, definition, and responsibilities necessary to provide the essential structure and support to the Commander in Chief, U.S. Space Command (USCINCSPACE) for Computer Network Defense (CND) within Department of Defense (DoD) information systems and computer networks.

1.2. Authorizes the publication of DoD 8530.1-R and 8530.1-M, consistent with DoD 5025.1-M (reference (c)).

2. APPLICABILITY AND SCOPE

This Directive:

2.1. Applies to the Office of the Secretary of Defense, the Military Departments, the Chairman of the Joint Chiefs of Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense, the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense (hereafter referred to collectively as "the DoD Components").

2.2. Applies to all DoD information systems and computer networks.

3. DEFINITIONS

The terms used in this Directive are defined in enclosure 2.

4. POLICY

It is DoD policy that:

4.1. All DoD information systems and computer networks shall be monitored in accordance with 18 U.S.C. 2511 (reference (d)) and DoD Directive 4640.6 (reference (e)) in order to detect, isolate, and react to intrusions, disruption of services, or other incidents that threaten the security or function of DoD operations, DoD information systems, or computer networks.

4.2. CND activities shall be coordinated among multiple disciplines, including network operations, law enforcement, counterintelligence, and intelligence, as well as with the actions and responsibilities of DoD information systems and computer network owners and users.

4.3. The DoD shall organize, plan, train for, and conduct defense of DoD computer networks as part of a DoD-wide operational hierarchy, including a CND Common Operational Picture (COP), a sensor grid, and a capabilities accreditation and certification process.

4.4. CND operations that impact more than one DoD Component are centrally coordinated and directed by USCINCSPACE.

4.5. All DoD Components shall establish or provide for a CND Service (CNDS).

4.6. All DoD Components shall implement robust infrastructure and information assurance practices, including but not limited to:

4.6.1. Comprehensive configuration management and certification and accreditation in accordance with DoD Instruction 5200.40 (reference (f)) to ensure Information Assurance is applied throughout the life-cycle of information systems and computer networks.

4.6.2. Regular and proactive vulnerability analysis and assessment, including active penetration testing and Red Teaming, and implementation of identified improvements.

4.6.3. Adherence to a defense-in-depth strategy using risk management principles to defend against both external and internal threats by employing both technical and non-technical means and multiple protections at different layers within information systems and computer networks.

4.6.4. Information assurance training, awareness, and certification for all information system and computer network providers, managers, administrators, support personnel, and users.

4.6.5. A dissemination and compliance process for information assurance advisories and alerts.

4.7. CND shall be supported by an integrated activity that monitors and coordinates criminal and counterintelligence investigations and provides releasable information concerning the investigations to the DoD Components to counter threats to DoD information systems and computer networks.

4.8. All appropriate elements of national power (e.g., diplomatic, military, economic) will be considered to deter and defeat foreign based or sponsored threats to the security of DoD operations, DoD information systems, or computer networks.

5. RESPONSIBILITIES

5.1. The Assistant Secretary of Defense for Command, Control, Communications, and Intelligence shall:

5.1.1. Provide policy direction and guidance for the development and implementation of CND.

5.1.2. Develop and incorporate information assurance and CND requirements in the Command, Control, Communications, and Computers, Intelligence, Surveillance, and Reconnaissance (C4ISR) Architectural Framework (reference (g)) and the Joint Technical Architecture (JTA) (reference (h)).

5.1.3. In coordination with the Chairman, Joint Chiefs of Staff (CJCS), and the Under Secretary of Defense for Acquisition, Technology, and Logistics, ensure that CND requirements are fully integrated into C4ISR and information technology related architectures, plans, and programs.

5.1.4. Establish and provide oversight of a certification process for CND capabilities.

5.1.5. Designate, as appropriate, DoD information systems and/or computer networks with special security requirements as Special Enclaves.

5.1.6. Oversee, in coordination with the Under Secretary of Defense for Personnel and Readiness, applicable training and career development policy to ensure personnel are trained, specifically designated, and available to support and participate in CND.

5.1.7. In conjunction with the CJCS and the USCINCSPACE, establish requirements for the CND COP and the CND sensor grid.

5.1.8. Oversee development, deployment, configuration management, and assurance of the CND COP and the sensor grid.

5.1.9. Coordinate with the General Counsel, DoD, the Inspector General, DoD, and the Secretaries of the Military Departments on policy guidance for DoD CND counterintelligence and law enforcement investigations and operations.

5.1.10. In conjunction with the Inspector General, DoD, and the Secretaries of the Military Departments, establish a CND Law Enforcement and Counterintelligence (LE/CI) Center for coordination of LE/CI investigations and operations in support of CND.

5.1.11. Oversee DoD participation in the National Infrastructure Protection Center (NIPC) and ensure consideration of DoD interests and equities by the NIPC.

5.1.12. Develop and lead a process for periodic review of CND with the DoD Components that includes an assessment of Department effectiveness in meeting goals and objectives, an assessment of the performance of organizations in accomplishing their roles and responsibilities, and a review of threats and technologies impacting CND.

5.1.13. Approve, in accordance with DoD 5200.1-R (reference (i)), security classification guidance (SCG) and handling and release authority guidance for CND.

5.1.14. Require the Director, Defense Information Systems Agency (DISA), to:

5.1.14.1. Serve as the technical advisor to the ASD(C3I), the CJCS, and USCINCSPACE for Defense-wide CND requirements.

5.1.14.2. Function as the Certification Authority for all General Service CNDS providers.

5.1.14.3. Provide CNDS support to DoD Component CNDS as required. Provide General Service CNDS on a subscription basis to any DoD Component that does not establish or otherwise subscribe to a General Service CNDS.

5.1.14.4. Establish advisory and alert procedures for General Service CNDS providers and technical alert support for USCINCSPACE release to network operators through established joint command and control channels. Provide CND trend and pattern analysis to USCINCSPACE and the DoD Components.

5.1.14.5. Serve as overall integrator for DoD CND-related systems.

5.1.15. Require the Director, Defense Intelligence Agency (DIA), to:

5.1.15.1. Oversee DoD intelligence requirements in support of the CND.

5.1.15.2. Manage Defense intelligence community production to support DoD CND.

5.1.15.3. Serve as the Defense intelligence community focal point for the design, development, and maintenance of information systems and databases that facilitate timely collection, processing, and dissemination of all-source finished intelligence for CND, and provide data to CND and the COP databases as appropriate.

5.2. The Under Secretary of Defense for Acquisition, Technology, and Logistics shall coordinate with the ASD(C3I) and the CJCS on matters of CND acquisition and acquisition policy to ensure that CND requirements are fully integrated into Command, Control, Communications, and Computer Systems (C4) and information technology related architectures, plans, and programs.

5.3. The Under Secretary of Defense for Personnel and Readiness shall coordinate with the ASD(C3I) to develop applicable training and career development policy to ensure trained personnel are available to support and execute CND operations.

5.4. The General Counsel of the Department of Defense shall coordinate with the ASD(C3I) and the Inspector General, DoD, to provide legal guidance on CND related counterintelligence and law enforcement investigations and operations.

5.5. The Inspector General of the Department of Defense shall:

5.5.1. In conjunction with ASD(C3I) and the Secretaries of the Military Departments, establish the CND LE/CI Center for coordination of law enforcement and counterintelligence activities in support of CND.

5.5.2. Coordinate with the General Counsel, DoD, the ASD(C3I), and the Secretaries of the Military Departments on policy guidance for law enforcement operations that support CND.

5.5.3. Require the Director, Defense Criminal Investigative Service (DCIS), to:

5.5.3.1. Provide administrative support to the CND LE/CI Center.

5.5.3.2. Serve, in coordination with the Secretaries of the Military Departments, as the Defense law enforcement community focal point for the design, development, and maintenance of information systems and databases that facilitate CND law enforcement operations and CND LE/CI Center requirements, and provide data to CND and the COP databases as appropriate.

5.6. The Chairman of the Joint Chiefs of Staff shall:

5.6.1. Serve as the principal military advisor to the Secretary of Defense on CND.

5.6.2. Coordinate with USCINCSPACE and other Commanders of the Combatant Commands to ensure effective planning and execution of CND.

5.6.3. Ensure plans and operations include and are consistent with CND policy, strategy, and doctrine.

5.6.4. Coordinate with USCINCSPACE to establish doctrine and instructions to facilitate the integration of CND into joint operations.

5.6.5. Ensure that exercises routinely test and refine CND operations, including application of operational stress to information systems and computer networks. Exercises shall include Red Team activities directed against CNDS as well as DoD information systems and computer networks.

5.6.6. In conjunction with ASD(C3I) and USCINCSPACE, establish requirements for the CND COP and the sensor grid.

5.6.7. Ensure, in coordination with ASD(C3I), the validation of CND requirements through the Joint Requirements Oversight Council, and as required by DoD Directive 5000.1 (reference (j)) and USD(AT&L), ASD(C3I), and DOT&E Memorandum, "Mandatory Procedures for Major Defense Acquisition Programs (MDAPS) and Major Automated Information System (MAIS) Acquisition Programs" (reference (k)).

5.6.8. In coordination with the ASD(C3I) and the Under Secretary of Defense for Acquisition, Technology, and Logistics, ensure that CND requirements are fully integrated into C4ISR and information technology related architectures, plans, and programs.

5.6.9. Ensure the compatibility, interoperability, integration, and supportability of CND requirements for C4 in accordance with DoD Instruction 4630.8 (reference (l)).

5.6.10. Incorporate CND into joint military education curricula.

5.7. USCINCSPACE shall:

5.7.1. Lead Defense-wide CND mission operations, to include:

5.7.1.1. Advocating the CND requirements of all Commanders-in-Chief, conducting and planning for CND mission operations.

5.7.1.2. Executing operational authority to direct Defense-wide change in Information Operations Condition (INFOCON).

5.7.1.3. Coordinating release and distribution of CND advisories and alerts and monitoring compliance of issued Information Assurance Vulnerability Alerts (IAVA).

5.7.1.4. Developing national requirements for CND, defining intelligence support requirements, identifying intelligence resources, establishing intelligence support procedures, and supporting all CINCs for CND.

5.7.2. Provide the Secretary of Defense, through the CJCS, a periodic operational assessment of the readiness of the DoD Components to defend DoD computer networks.

5.7.3. In conjunction with the CJCS and the ASD(C3I), establish requirements for the CND COP and the CND sensor grid.

5.7.4. Execute combatant command authority to plan and execute operations to defend DoD computer networks or other vital national security interests, as directed by the Secretary of Defense, against any unauthorized computer network intrusion or attack.

5.7.5. Provide defense-wide situational awareness and attack warning through fusion analysis and coordinated information flows through the CND COP.

5.7.6. Serve as the Accrediting Authority for the CND Certification Authorities.

5.8. The Secretaries of the Military Departments shall:

5.8.1. Coordinate with ASD(C3I) and the Inspector General, DoD, on policy guidance for law enforcement operations that support CND, and establish the CND LE/CI Center for coordination of law enforcement and counterintelligence operations in support of CND.

5.8.2. Provide law enforcement and counterintelligence support to the CND LE/CI Center.

5.8.3. Ensure information sharing among the Defense law enforcement community in support of CND.

5.8.4. Ensure information sharing among the Defense counterintelligence community in support of CND.

5.9. The Secretary of the Air Force shall serve as the DoD Executive Agent for a Computer Forensics Laboratory and a DoD Computer Investigations Training Program.

5.10. The Secretary of the Navy shall coordinate the design, development, and maintenance of information systems and databases that facilitate CND counterintelligence operations and CND LE/CI Center requirements, and populate CND and COP databases as appropriate.

5.11. The Director, National Security Agency (NSA), shall:

5.11.1. Function as the Certification Authority for all DoD CNDS providers designated by ASD(C3I) as a Special Enclave.

5.11.2. Provide CNDS support for Special Enclaves to the DoD Component CNDS as required. Provide Special Enclave CNDS on a subscription basis to any DoD Component that does not establish or otherwise subscribe to a Special Enclave CNDS.

5.11.3. Establish advisory and alert procedures for Special Enclave CNDS providers.

5.11.4. Coordinate the design, development, and maintenance of Special Enclave information systems and databases that facilitate CND, and populate CND and COP databases as appropriate.

5.11.5. Coordinate incorporation of intelligence community (IC) network situational awareness information into the DoD CND COP.

5.11.6. Provide Attack Sensing and Warning (AS&W) (e.g., Defense-wide long term CND trend and pattern analysis) support to USCINCSPACE and to the DoD Components. Populate CND and COP databases with AS&W analysis as appropriate.

5.11.7. Establish and maintain a trusted agent network and procedures for the reporting of Information Assurance Red Teaming activities. Populate CND and COP databases with Red Team activities as appropriate.

5.11.8. In support of ASD(C3I) CND architectural initiatives, serve as the CND Program Manager for research and technology in order to:

5.11.8.1. Develop and evaluate attack sensing and warning emerging technologies.

5.11.8.2. Coordinate development and evaluation of tools and techniques to support CND operations.

5.11.8.3. Support the CND procurement and logistics activities of the DoD Components.

5.12. The Heads of DoD Components shall:

5.12.1. Establish Component-level CND Services to coordinate and direct Component-wide CND, and ensure certification and accreditation in accordance with established DoD requirements and procedures.

5.12.2. Comply with the operational direction of the USCINCSPACE for the conduct of CND and the deconfliction of Information Assurance activities that may impact CND operations.

5.12.3. Require that all Component information systems and computer networks are assigned to a certified CNDS.

5.12.4. Contribute to computer network situational awareness by providing operational requirements and priorities, operational status, and the user's perspective on computer network status (e.g., availability, reliability).

5.12.5. Comply with USCINCSPACE alerts and directives (e.g., INFOCON and IAVA) and report CND activities in accordance with DoD and USCINCSPACE guidance.

5.12.6. Ensure, in coordination with Director, DISA, that the DoD Component information systems and computer networks are instrumented according to CND sensor grid requirements.

5.12.7. Ensure that the DoD Component information systems and computer networks are monitored to detect CND-related activity and that detected activity is reported in accordance with USCINCSPACE guidance.

5.12.8. Coordinate CND related research, development, and evaluation with the Director, National Security Agency.

5.12.9. Coordinate with Director, DIA, on intelligence collection and reporting requirements.

5.12.10. Provide training and education programs to support CND personnel, to include system administrators and network managers, and ensure that CND personnel are trained, designated, equipped, and certified in accordance with established DoD standards.

6. EFFECTIVE DATE

This Directive is effective immediately.

Deputy Secretary of Defense

Enclosures - 2
E1. References
E2. Definitions

E1. ENCLOSURE 1
REFERENCES, continued

(e) DoD Directive 4640.6, "Communications Security Telephone Monitoring and Recording," June 26, 1981
(f) DoD Instruction 5200.40, "DoD Information Technology Security Certification and Accreditation Process," December 30, 1997
(g) DoD C4ISR Architecture Framework, Version 2.0, December 18, 1997
(h) DoD Joint Technical Architecture (JTA), Version 3.0, November 29, 1999
(i) DoD 5200.1-R, "Information Security Program," January 1997
(j) DoD Directive 5000.1, "The Defense Acquisition System," October 23, 2000
(k) USD(AT&L), ASD(C3I), and DOT&E Memorandum, "Mandatory Procedures for Major Defense Acquisition Programs (MDAPS) and Major Automated Information System (MAIS) Acquisition Programs," October 23, 2000
(l) DoD Instruction 4630.8, "Procedures for Compatibility, Interoperability, and Integration of Command, Control, Communications, and Intelligence (C3I) Systems," November 18, 1992

E2. ENCLOSURE 2
DEFINITIONS

E2.1.1. Accreditation. Formal declaration by the Designated Approving/Accrediting Authority (DAA) that an information system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk.

E2.1.2. Attack Sensing and Warning (AS&W). The detection, correlation, identification, and characterization of intentional unauthorized activity, including computer intrusion or attack, across a large spectrum, coupled with the notification to command and decision-makers so that an appropriate response can be developed. Attack sensing and warning also includes attack/intrusion related intelligence collection tasking and dissemination, limited immediate response recommendations, and limited potential impact assessments.

E2.1.3. Certification. Comprehensive evaluation of the technical and non-technical security features of an information system and other safeguards, made in support of the accreditation process, to establish the extent that a particular design and implementation meets a set of specified security requirements.

E2.1.4. Computer Network Defense Service (CNDS) Certification. An integrated set of CNDS certification standards, self-assessment and independent assessment processes, improvement methods and tools, and inter-CNDS information exchange and communications protocols established by the CNDS CA.

E2.1.5. CNDS Certification Authority (CNDS CA). An entity responsible for certifying CNDS providers, coordinating among assigned CNDS providers, and managing information dissemination supporting CND operations.

E2.1.6. CND Common Operational Picture (COP). A distributed capability that provides local, intermediate, and DoD-wide visual situational awareness of CND activities and operations and their impact, collaboration, and decision support. The CND COP is a view on the Network Operations (NETOPS) Common Operational Picture (NETOPS COP).

E2.1.7. CND Sensor Grid. A coordinated constellation of decentrally owned and implemented intrusion and anomaly detection systems (i.e., instrumentation) deployed throughout DoD information systems and computer networks. The CND sensor grid is a component of the NETOPS sensor grid.

E2.1.8. CND Service (CNDS). A DoD service provided or subscribed to by owners of DoD information systems or computer networks in order to maintain and provide CND situational awareness, implement CND protect measures, monitor and analyze in order to detect unauthorized activity, and implement CND operational direction.

E2.1.9. CNDS Providers. Those organizations responsible for delivering protection, detection, and response services to its users. CNDS providers must provide for the coordination and service support of a CNDS CA. CNDS is commonly provided by a Computer Emergency or Incident Response Team (CERT/CIRT) and may be associated with a Network Operations and Security Center (NOSC).

E2.1.10. Computer Network. Two or more computers connected with one another for the purpose of communicating data electronically. A computer network includes the physical connection of a variety of computers, communication devices, and supporting peripheral equipment and a cohesive set of protocols that allows them to exchange information in a near seamless fashion.

E2.1.11. Computer Network Attack (CNA). Operations to disrupt, deny, degrade, or destroy information resident on computers and computer networks, or the computers and networks themselves.

E2.1.12. Computer Network Defense (CND). Actions taken to protect, monitor, analyze, detect, and respond to unauthorized activity within DoD information systems and computer networks. Note: The unauthorized activity may include disruption, denial, degradation, destruction, exploitation, or access to computer networks, information systems, or their contents, or theft of information. CND protection activity employs information assurance protection activity and includes deliberate actions taken to modify an assurance configuration or condition in response to a CND alert or threat information. Monitoring, analysis, and detection activities, including trend and pattern analysis, are performed by multiple disciplines within the Department of Defense, e.g., network operations, CND Services, intelligence, counterintelligence, and law enforcement. CND response can include recommendations or actions by network operations (including information assurance), restoration priorities, law enforcement, military forces, and other US Government agencies.

E2.1.13. CND Law Enforcement and Counterintelligence Center (CND LE/CI Center). An organization that coordinates LE/CI investigations and operations in support of CND, staffed by all Defense Criminal Investigative and Counterintelligence Organizations.

E2.1.14. DoD Executive Agent. For the purpose of this Directive, a DoD Executive Agent is the individual designated by position to have and to exercise the assigned responsibility and delegated authority of the Secretary of Defense as specified in this Directive.

E2.1.15. Enclave. An environment that is under the control of a single authority and has a homogeneous security policy, including personnel and physical security. Local and remote elements that access resources within an enclave must satisfy the policy of the enclave. Enclaves can be specific to an organization or a mission and may also contain multiple networks. They may be logical, such as an operational area network (OAN), or be based on physical location and proximity. The enclave encompasses both the network layer and the host and applications layer.

E2.1.16. General Services. Any DoD information system or computer network (e.g., NIPRNET, SIPRNET) not otherwise specifically designated by the ASD(C3I) as a Special Enclave because of special security requirements.

E2.1.17. Information Operations Condition (INFOCON). The INFOCON is a comprehensive defense posture and response based on the status of information systems, military operations, and intelligence assessments of adversary capabilities and intent. The INFOCON system presents a structured, coordinated approach to defend against a computer network attack. INFOCON measures focus on computer network-based protective measures. Each level reflects a defensive posture based on the risk of impact to military operations through the intentional disruption of friendly information systems. INFOCON levels are: NORMAL (normal activity), ALPHA (increased risk of attack), BRAVO (specific risk of attack), CHARLIE (limited attack), and DELTA (general attack). Countermeasures at each level include preventive actions, actions taken during an attack, and damage control/mitigating actions.

E2.1.18. Information Assurance. Information operations (IO) that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.

E2.1.19. Information Assurance Red Team. An independent, threat based activity aimed at improving information assurance readiness by emulating a potential adversary's attack or exploitation capabilities. See also Red Team.

E2.1.20. Information Assurance Vulnerability Alert (IAVA). The comprehensive distribution process for notifying CINCs, Services, and Agencies (C/S/A) about vulnerability alerts and countermeasures information. The IAVA process requires C/S/A receipt acknowledgment and provides specific time parameters for implementing appropriate countermeasures depending on the criticality of the vulnerability.

E2.1.21. Information System. The entire infrastructure, organization, personnel, and components for the collection, processing, storage, transmission, display, dissemination, and disposition of information. For the purposes of this Directive, it is an information system that has been separately accredited by a DAA under provisions of DoD Instruction 5200.40 (reference (f)).

E2.1.22. National Infrastructure Protection Center (NIPC). The NIPC is both a national security and law enforcement effort to detect, deter, assess, warn of, respond to, and investigate computer intrusions and unlawful acts, both physical and cyber, that threaten or target our critical infrastructures. The NIPC provides a national focal point for gathering information on threats to critical infrastructures. Additionally, the NIPC will provide the principal means for facilitating and coordinating the Federal Government's resources to an incident or mitigating attack. The NIPC is an interagency activity hosted by the Federal Bureau of Investigation.

E2.1.23. Network Operations (NETOPS). An organizational and procedural framework intended to provide DoD information system and computer network owners the means to manage their information systems and computer networks. This framework allows information system and computer network owners to effectively execute their mission priorities, support DoD missions, and maintain their information systems and computer networks. This framework integrates the mission areas of network management, information dissemination management, and information assurance. Note: CND employs NETOPS capabilities, specifically the information assurance mission area, in concert with law enforcement, intelligence, and other military activities to defend and protect DoD computer networks.

E2.1.24. Red Team. An independent, threat based activity aimed at readiness improvements through simulation of an opposing force. Red teaming activity includes becoming knowledgeable of a target system, matching an adversary's approach, gathering appropriate tools to attack the system, training, launching an attack, then working with system owners to demonstrate vulnerabilities and suggest countermeasures. See Information Assurance Red Team.

E2.1.25. Sensor Grid. See CND Sensor Grid.

E2.1.26. Special Enclave. DoD information systems and/or computer networks with special security requirements (e.g., Special Access Programs (SAP), Special Access Requirements (SAR)) and designated as Special Enclave by the ASD(C3I).

E2.1.27. Vulnerability Analysis and Assessment. In information operations, a systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.