COMPLIANCE WITH THIS PUBLICATION IS MANDATORY

Transcription

1 BY ORDER OF THE SECRETARY OF THE AIR FORCE AIR FORCE INSTRUCTION NOVEMBER 2005 Communications and Information ENTERPRISE NETWORK OPERATIONS NOTIFICATION AND TRACKING COMPLIANCE WITH THIS PUBLICATION IS MANDATORY ACCESSIBILITY: RELEASABILITY: Publications and forms are available on the e-publishing website at for downloading or ordering. There are no releasability restrictions on this publication. OPR: SAF/XCIFN Certified by: SAF/XCIF (Col Porter Clapp) Supersedes AFI33-138, 7 December Pages: 92 This Air Force instruction (AFI) implements Air Force Policy Directive (AFPD) 33-1, Command, Control, Communications, and Computer (C4) Systems; the Information Assurance Vulnerability Management Program; and incident and vulnerability reporting guidance provided in Chairman of the Joint Chiefs of Staff Manual (CJCSM) , Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND). This instruction prescribes and explains the various notification and tracking processes required to direct action and report status throughout the Air Force Network Operations (AFNETOPS) hierarchy. The specific processes addressed include Time Compliance Network Order (TCNO); Command, Control, Communications and Computers Notice to Airmen (C4 NOTAM); and incident, vulnerability, security incident, and service interruption reporting. This instruction applies to all Air Force military and civilian personnel and to Air Force contractors who develop, acquire, deliver, use, operate, or manage Air Force information systems. Supplementation of this instruction is permitted but is not required. If supplements are issued, major commands (MAJCOM), field operating agencies (FOA), and direct reporting units (DRU) will furnish a copy to Secretary of the Air Force (SAF/XCIF), 1030 Air Force Pentagon, Washington DC ; field units will furnish a copy to the next echelon of command. This publication applies to the Air National Guard. Send recommended changes or comments to Headquarters Air Force Communications Agency (HQ AFCA/EASD), 203 W. Losey Street, Room 1100, Scott AFB IL , through appropriate channels, using Air Force (AF) IMT 847, Recommendation for Change of Publication, with an information copy to SAF/XCIF. The reporting requirements in this instruction are exempt from licensing in accordance with AFI , The Information Collections and Reports Management Program; Controlling Internal, Public, and Interagency Air Force Information Collections. Ensure that all records created as a result of processes prescribed in this publication are maintained in accordance with Air Force Manual (AFMAN) , Management of Records (will become AFMAN ), and disposed in accordance with Air Force Records Information Management System (AFRIMS) Records Disposition Schedule (RDS) located at index.cfm. See Attachment 1 for a glossary of references and supporting information.

2 2 AFI NOVEMBER 2005 SUMMARY OF CHANGES This change incorporates interim change (IC) (Attachment 13) and alters FOA/DRU reporting directly to the Air Force Network Operations and Security Center (AFNOSC) due to FOA/DRU NOSC realignment. Mission Support Centers (MSC) will be treated as Network Control Centers (NCC) for reporting purposes. Multiple tables have been updated to reflect this conversion. Additional minor administrative corrections were made and office symbols updated. A bar ( ) indicates a revision from the previous edition. Chapter 1 GENERAL INFORMATION Introduction Notification and Tracking Hierarchy Figure 1.1. Notification and Tracking Hierarchy Submitting Notifications and Reports to the Air Force Network Operations and Security Center (AFNOSC)... 9 Table 1.1. AFNOSC Report Priority and Contact Information Operational Reporting Reporting Incidents not Covered by this Instruction Table 1.2. Reporting Incidents not Covered by this Instruction Chapter 2 ROLES AND RESPONSIBILITIES Introduction Director, Information, Services and Integration (SAF/XCI) Major Command Senior Communicator Air Force Communications Agency (AFCA) Air Force Network Operations and Security Center (AFNOSC) Air Force Network Operations and Security Center (AFNOSC) Network Operations and Security Center (NOSC) Network Control Center (NCC)/Mission Support Centers (MSC) Program Executive Officer (PEO) Functional System Designated Approving Authority (DAA) Program Management Office (PMO) and System Program Office (SPO) Major Command (MAJCOM) Liaison to Air Force-Managed Systems Information System Security Manager (ISSM) and Information System Security Officer (ISSO) Workgroup Manager (WM) and Functional System Administrator (FSA)... 16

3 AFI NOVEMBER End Users Chapter 3 TCNO MANAGEMENT 17 Section 3A Introduction Purpose Applicability Section 3B TCNO Generation Process When to Generate a Time Compliance Network Order (TCNO) Releasing Authority Establishing Time Compliance Network Order (TCNO) Priority Table 3.1. TCNO Priority Categories Assigning TCNO Suspense Dates Table 3.2. Determining TCNO Suspense Dates Assigning a Tracking Number Providing Implementation Details Specifying Justification Other Time Compliance Network Order (TCNO) Content Example Time Compliance Network Order (TCNO) Section 3C TCNO Dissemination and Acknowledgment Dissemination Timelines Single Distribution List Time Compliance Network Order (TCNO) Dissemination Acknowledging Time Compliance Network Orders (TCNO) Section 3D TCNO Implementation Implementing Time Compliance Network Orders (TCNO) Two-Person Compliance FSA and WM Actions PMO and SPO Actions Section 3E TCNO Extensions General Guidance Extension Request Format

4 4 AFI NOVEMBER Processing Extensions Table 3.3. TCNO Extension Categories and Timeframes Table 3.4. Time Compliance Network Order (TCNO) Extension Approval Process Program Management Office (PMO) and System Program Office (SPO) Extension Requests Evaluating Extension Requests Section 3F TCNO Compliance Reporting General Guidance Recording TCNO Compliance Compiling TCNO Compliance Statistics Initial and Follow-On TCNO Compliance Statistics Reporting Preventing Duplicate TCNO Compliance Information Resolving TCNO Compliance Reporting Discrepancies Section 3G Assessing TCNO Compliance TCNO Compliance Levels Table 3.5. TCNO Compliance Levels Chapter 4 C4 NOTAM MANAGEMENT Introduction Types of C4 NOTAMs C4 NOTAM Formatting Guidance Table 4.1. C4 NOTAM Priority Categories C4 NOTAM Dissemination Chapter 5 INCIDENT AND VULNERABILITY REPORTING 35 Section 5A Introduction and General Procedures Purpose General Reporting Requirements Incident and Vulnerability Report Classification Guidance Section 5B Incident Reporting Incidents Defined Table 5.1. Incident Categories

5 AFI NOVEMBER Incident Detection General Incident Response Actions ASIM-Identified Incidents Incident Reporting Table 5.2. Incident Reporting Action Matrix Malicious Logic Incidents Table 5.3. Malicious Logic Reporting Action Matrix Section 5C Vulnerability Reporting Vulnerability Reporting Table 5.4. Vulnerability Reporting Action Matrix Chapter 6 SECURITY INCIDENT REPORTING Security Incidents Related Guidance Classification Guidance Security Incident Reporting Classified Message Incidents (CMI) Corrective Actions Table 6.1. Security Incident Reporting (SIR) Action Matrix Chapter 7 SERVICE INTERRUPTION REPORTING 44 Section 7A Introduction and General Procedures Introduction Operational Reporting of Mission Impact Service Interruption Reporting Classification Guidance Section 7B Authorized Service Interruptions (ASI) Authorized Service Interruption (ASI) Definition ASI Approval Authority General ASI Coordination Guidance Submission of ASI Requests for Approval by the AFNETOPS/CC Submission of ASI Requests for Approval by the MAJCOM DAA Table 7.1. ASI Submission Timelines

6 6 AFI NOVEMBER Notification of Approved ASIs Tracking ASIs During Execution Extension of an Ongoing ASI Section 7C Unscheduled Service Interruptions Unscheduled Service Interruption (USI) Definition USIs Linked to Incidents USI Reporting Categories Table 7.2. USI Reporting Categories USI Reporting Table 7.3. Unscheduled Service Interruption (USI) Action Matrix Table 7.4. Unscheduled Service Interruption (USI) Reporting Timelines Chapter 8 INFORMATION COLLECTIONS, RECORDS, AND FORMS OR INFORMATION MANAGEMENT TOOLS (IMT) Information Collections Records Forms or IMTs (Adopted and Prescribed) Attachment 1 GLOSSARY OF REFERENCES AND SUPPORTING INFORMATION 51 Attachment 2 EXAMPLE TCNO 59 Attachment 3 PMO/SPO COMPLIANCE STATUS MESSAGES 61 Attachment 4 TCNO EXTENSION PACKAGES 63 Attachment 5 EXAMPLE INFORMATIVE C4 NOTAM 69 Attachment 6 EXAMPLE SCHEDULED/UNSCHEDULED EVENT C4 NOTAM 70 Attachment 7 EXAMPLE SUMMARY C4 NOTAM 71 Attachment 8 INCIDENT REPORTS (IR) 72 Attachment 9 MALICIOUS LOGIC REPORTS 75 Attachment 10 VULNERABILITY REPORTS (VR) 77 Attachment 11 SECURITY INCIDENT REPORTS (SIR) 79

7 AFI NOVEMBER Attachment 12 AUTHORIZED SERVICE INTERRUPTION REQUESTS 81 Attachment 13 INTERIM CHANGE (IC) TO AFI , ENTERPRISE NETWORK OPERATIONS NOTIFICATION AND TRACKING 83

8 8 AFI NOVEMBER 2005 Chapter 1 GENERAL INFORMATION 1.1. Introduction. This instruction prescribes and explains the various processes necessary to direct action and report status throughout the AFNETOPS hierarchy. Specifically, it details the steps required to generate, disseminate, acknowledge, implement, track, and report network compliance and status information using the TCNO. It also introduces and provides guidance for the use of C4 NOTAMs. The C4 NOTAMs are closely related to TCNOs with the primary difference being that they are informative in nature and are the primary means for disseminating network information that does not direct specific action to be taken, or compliance to be tracked. Incident, vulnerability, and security incident (to include classified message incidents [CMI]) reporting processes, and the processes for managing and reporting service interruptions, both authorized and unscheduled, are defined Notification and Tracking Hierarchy. All network and computer security professionals within the tiered AFNETOPS hierarchy perform a subset of the procedures to produce and manage TCNOs or C4 NOTAMs. Those same individuals perform a variety of tasks in the various reporting processes described within this instruction. Figure 1.1. provides a simple illustration of the interrelationships and associated lines of communication among the various organizations and personnel involved. NOTE: Refer to AFI , Volume 1, Network Operations (NETOPS), for a complete explanation of the AFNETOPS hierarchy.

9 AFI NOVEMBER Figure 1.1. Notification and Tracking Hierarchy. NOTES: 1. This category applies to those Program Management Offices (PMO)/System Program Offices (SPO) that fall under a HQ USAF functional and do not administratively align under Air Force Materiel Command (AFMC). 2. This category applies to those HQ USAF FOA and DRU Network Control Centers (NCC) or Mission Support Centers (MSC) that operate and maintain a network. All other FOA/DRU tenant units residing on an Air Force base shall comply with the security policy of the host base NCC and the supporting NOSC Submitting Notifications and Reports to the Air Force Network Operations and Security Center (AFNOSC). NOSCs will notify and submit all reports to the AFNOSC Command and Control Division using the methods listed in Table 1.1. Use Defense Switched Network (DSN) to make initial verbal reports, followed by full documentation using priority 2, Enterprise Tracking and Notification Graphical User Interface (etang). If etang is not available then use priority 3, and so on, until all methods have been exhausted. Use classified transmission means when required.

10 10 AFI NOVEMBER 2005 Table 1.1. AFNOSC Report Priority and Contact Information. Priority Method Remarks 1 Voice (All Secure Telephone Unit-III/ Secure Terminal Equipment Capable) 2 etang 3 Secure (Secret Internet Protocol Router Network [SIPRNET]) DSN: Commercial: Toll Free: afnosc@barksdale.af.smil.mil 4 Defense Messaging System (DMS) c:us, o:u.s. Government, ou:dod, ou:af, ou:organizations, l:barksdale AFB LA, ou:afnosc(uc) c:us, o:u.s. Government, ou:dod, ou:af, ou:organizations, l:barksdale AFB LA, ou:afnosc(sc) 5 Secure FAX DSN: Commercial: Unclassified FAX DSN: Commercial: Unclassified (Non-Secure Internet Protocol Router Network [NIPRNET]) afnosc@barksdale.af.mil 1.4. Operational Reporting. In addition to the reporting requirements listed throughout this instruction, confirmed network/system intrusions and changes to Information Operations Condition (INFOCON) require the submission of Operational Event/Incident Report (OPREP-3) to the servicing command post per AFI , Operational Reporting. Individuals preparing OPREP-3s should coordinate with the servicing NCC or NOSC before the information is sent to the command post. The NCC submits report information applicable to the base metropolitan area network (MAN). The NOSC submits report information applicable to the MAJCOM network. The AFNOSC will submit report information applicable to the entire Air Force Enterprise Network (AFEN). Per AFI , Commander Air Force Forces-Computer Network Operations (COMAFFOR-CNO) is a required recipient of all computer incident-related OPREP-3s. The required content for all Communications/Computer Event OPREP-3s is detailed in AFI Reporting Incidents not Covered by this Instruction. There are a variety of information system/ network incidents that fall under the jurisdiction of other programs for investigation and reporting purposes. Examples include theft or loss of information system resources; fraud, waste, and abuse; and copyright violations. Table 1.2. provides reference to the governing publications for these types of incidents.

11 AFI NOVEMBER Table 1.2. Reporting Incidents not Covered by this Instruction. R A B U L E If the incident relates to then follow the guidance in 1 theft/loss of information system resources AFI , Computer Systems Management; AFMAN , Reports of Survey for Air Force Property 2 fraud, waste, and abuse AFI , Inspector General Complaints 3 copyright violation AFI , Intellectual Property--Patents, Patent Related Matters, Trademarks and Copyrights

12 12 AFI NOVEMBER 2005 Chapter 2 ROLES AND RESPONSIBILITIES 2.1. Introduction. Overarching roles and responsibilities for Air Staff offices, AFNETOPS organizations, and network/system personnel are defined here. Additional process-specific responsibilities are elaborated throughout the remainder of this document. Refer to Department of Defense (DOD) directives and instructions, Chairman of the Joint Chiefs of Staff (CJCS) instructions and manuals, and Defense Information Systems Agency (DISA) circulars for an explanation of DOD, Joint, and DISA offices respective roles and responsibilities Director, Information, Services and Integration (SAF/XCI) will: Establish Air Force policy and guidance for the AFNETOPS notification and tracking processes Ensure Air Force notification and tracking policy and processes are consistent with DOD and Joint guidance Provide the Air Force position when attending Air Force, DOD, or Joint forums relating to the processes covered by this instruction Keep senior Air Force and DOD leaders informed on any issues relating to the processes covered by this instruction Be the Air Staff focal point for the consolidation and presentation of situational awareness vulnerability, incident, and network/system availability data to senior Air Force leaders (e.g., Deputy Chief of Staff, Air and Space Operations [HQ USAF/XO]; Deputy Chief of Staff, Installations and Logistics [HQ USAF/IL]; Secretary of the Air Force, Office of Warfighting Integration and Chief Information Officer [SAF/XC]) Work with the involved organizations that own systems traversing the AFEN to accomplish timely compliance with TCNOs Ensure training and mission-ready standardization and evaluation criteria are established for all network professionals charged with supporting the requirements of this instruction Major Command Senior Communicator will: Plan, program, and budget for the capability to respond to TCNOs that impact end user workstations and/or core network servers and infrastructure When delegated as the MAJCOM Designated Approving Authority (DAA), approve or disapprove applicable TCNO extension requests based on an assessment of the overall risk to the AFEN and to supported operations (see Section 3E) Air Force Communications Agency (AFCA) will: Develop AFNETOPS notification and tracking processes consistent with SAF/XCI policy and guidance.

13 AFI NOVEMBER Interpret AFEN incident statistics and generate the annual Assessment of The State of Information Protection in the Air Force report according to AFI , Information Protection Metrics and Measurements Program Air Force Network Operations and Security Center (AFNOSC) Director and Commander, Air Force Forces, Computer Network Operations (COMAFFOR-CNO). NOTE: The AFNOSC Director is also assigned as the COMAFFOR-CNO. Refer to AFI , Volume 1, for a detailed explanation of the command relationships between the Commander of Air Force Network Operations (AFNETOPS/CC) and the AFNOSC Director/COMAFFOR-CNO. The COMAFFOR-CNO will: Ensure Air Force compliance with the Information Assurance Vulnerability Management (IAVM) Program and vulnerability incident reporting direction specified in CJCSM Direct the issuance of TCNOs and C4 NOTAMs, as required Air Force Network Operations and Security Center (AFNOSC). The AFNOSC is a distributed organization that combines the capabilities of the AFNOSC Command and Control Division, Barksdale AFB LA, AFNOSC Net Security Division (formerly the Air Force Computer Emergency Response Team), Lackland AFB TX, and the AFNOSC Net Operations Division (formerly the Air Force Network Operations Center), Gunter Annex, Maxwell AFB AL, to preserve the availability, integrity, and confidentiality of the Air Force s networks, information systems, and the information contained within those elements, respectively. The AFNOSC will: Serve as the Air Force Office of Primary Responsibility (OPR) to register, acknowledge, and track implementation of IAVM program messages (i.e., Information Assurance Vulnerability Alerts [IAVA], Information Assurance Vulnerability Bulletins [IAVB], and Technical Advisories (TA) as defined in CJCSM ) Serve as the Air Force OPR to acknowledge and track Joint Task Force-Global Network Operations (JTF-GNO) Computer Network Operations Tasking Orders (JTF-GNO CTO), as required Serve as the Air Force OPR to generate, disseminate, and track implementation of Air Force-level TCNOs in accordance with Chapter Serve as the Air Force OPR to generate and disseminate Air Force-level C4 NOTAMs in accordance with Chapter Assess the impact of IAVAs, IAVBs, TAs, JTF-GNO CTOs, and TCNOs on Air Force operations Compile and maintain TCNO and associated IAVA compliance status, and other network security metrics to maintain an AFEN situational picture according to applicable DOD, CJCS, and Air Force guidance. Report status to higher headquarters and JTF-GNO as required Serve as the Air Force OPR for incident response and countermeasure generation for incidents that traverse multiple MAJCOMs or meet/exceed current Air Force incident thresholds Work with the NOSCs in assessing the scope of unauthorized network activities and incidents Recommend a countermeasure or a set of countermeasures to neutralize intruder activity and to foster recovery operations.

14 14 AFI NOVEMBER Work with NOSCs in eradicating malicious logic from networks, information systems, and stand-alone computing devices Track all ongoing, validated incidents Report all validated incidents to JTF-GNO and other agencies (e.g., SAF/XCI, Air Force Office of Special Investigations) as required Disseminate incident reports, trend analysis and vulnerability assessments to NOSCs, SAF/XCI, and HQ AFCA/EVPI, as required Serve as the Air Force OPR to provide, manage, and disseminate computer malware (i.e., viruses, trojans, malicious logic, etc.) incident alert reports via subscription based service to JTF-GNO, NOSCs, Department of Defense Computer Emergency Response Team (DOD CERT), and other approved entities Serve as the Air Force OPR to provide, manage, and maintain the most current anti-virus definitions and automated anti-virus product update service for the Air Force Track, compile, analyze, and report Air Force-wide statistics on unauthorized network activities, malicious logic, and virus incidents. Report the analysis results to AFCA/EVPI as required according to AFI Network Operations and Security Center (NOSC) will: Serve as the OPR for their assigned area of responsibility (AOR) to acknowledge, disseminate, implement, track, and report TCNOs and C4 NOTAMs. This includes Air Force-generated and MAJ- COM-generated TCNOs (for MAJCOM-unique systems) Disseminate and track TCNOs for MAJCOM-level SPOs and PMOs. NOTE: The AFMC NOSC will disseminate TCNOs to those Air Force-level PMOs and SPOs that are administratively supported by AFMC Track, compile, assess, and report AOR-wide compliance, extension, and situational awareness metrics on TCNOs in accordance with Chapter Serve as the OPR responsible for managing responses and preventing unauthorized network activity and incidents within their respective AORs Oversee and orchestrate vulnerability, security incident, and incident response actions whenever they affect the MAJCOM enclave network or whenever a NCC or network professional requires assistance Work with the AFNOSC, NCCs, and MSCs to assist customers in eradicating malicious logic from networks, information systems, and stand-alone computing devices Work with the AFNOSC, NCCs, and MSCs to assist customers in assessing the scope of unauthorized network activities and incidents Track, compile, assess, and report to the AFNOSC all unauthorized network activities and incidents that affect multiple NCCs or meet/exceed current Air Force incident thresholds in accordance with Chapter Maintain situational awareness by tracking, compiling, assessing, and reporting AOR-wide statistics on incidents and reporting TCNO compliance statistics to the NOSC s chain of command.

15 AFI NOVEMBER Network Control Center (NCC)/Mission Support Centers (MSC) will: Serve as the wing/base OPR to acknowledge, disseminate, and implement TCNOs and C4 NOTAMs and to track and report compliance with TCNOs Track, compile, assess, and report wing/base TCNO compliance, extension, and situational awareness metrics (to include geographically separated units [GSU]) in accordance with Chapter Serve as the wing/base OPR responsible for managing responses and controlling unauthorized network activity and incidents that occur within their AOR and meet current Air Force incident thresholds. NCCs must: Oversee and orchestrate vulnerability, security incident, and intrusion response actions whenever an incident affects the base backbone network, a Community of Interest network, a system, or whenever a network professional requests assistance Work with the NOSC and network professionals to assist Air Force customers in eradicating malicious logic from networks, information systems, and stand-alone computing devices Work with the NOSC and network professionals to assist Air Force customers in assessing the scope of unauthorized network activities and incidents Track, compile, assess, and report to their parent NOSC all unauthorized activities and incidents that occur on any network or system under the NCC s purview Maintain wing situational awareness by tracking, compiling, and reporting wing statistics on unauthorized network activity and incidents MSCs are treated as NCCs throughout the rest of this instruction Program Executive Officer (PEO) will: Ensure PMOs/SPOs process and comply with TCNOs Ensure PMOs/SPOs report through the appropriate NOSC or directly to the AFNOSC as detailed within this instruction Functional System Designated Approving Authority (DAA) will: Work with PMOs/SPOs to ensure TCNO extension requests are processed in accordance with Section 3E Thoroughly understand the risk to the AFEN and supported operational missions before endorsing or approving TCNO extension requests Program Management Office (PMO) and System Program Office (SPO) will: Serve as the OPR to process, evaluate, test, and coordinate TCNOs and risk mitigation countermeasures for those functional systems for which they are responsible Within allocated funds and resources, ensure program has the capability to respond to all TCNOs Determine a TCNO s applicability, risks, vulnerabilities, and impact to their programs and inform affected agencies of the results in accordance with paragraph 3.19.

16 16 AFI NOVEMBER Ensure a countermeasure is developed for every applicable TCNO Major Command (MAJCOM) Liaison to Air Force-Managed Systems will: Serve as the MAJCOM OPR to coordinate configuration management functions between Air Force PMOs/SPOs, MAJCOM PMOs/SPOs, and Functional System Administrators (FSA) Receive and disseminate projected and actual risk mitigation countermeasure and fix action release status Information System Security Manager (ISSM) and Information System Security Officer (ISSO) will: Immediately notify the appropriate AFNETOPS organization and the DAA upon discovering an unauthorized network activity or incident as directed within this instruction Work with the NOSCs, NCCs, and network and security professionals to assist Air Force customers in eradicating malicious logic from a network, information systems, and stand-alone computing devices Work with the NOSCs, NCCs, and network and security professionals to assist Air Force customers in assessing the scope of unauthorized network activities or incidents Ensure unit workgroup managers (WM) and FSAs are taking aggressive action to implement TCNOs within the mandatory timeframe Workgroup Manager (WM) and Functional System Administrator (FSA) will: Implement TCNO countermeasures as approved by each system s configuration control authority and as directed by the servicing NCC in accordance with the TCNO instructions Coordinate TCNO implementation with the servicing NCC, users, and external agencies Report TCNO compliance metrics to the servicing NCC according to the requirements of this instruction Work with the NCC and network and security professionals to assist Air Force customers in eradicating malicious logic from a network, information systems, and stand-alone computing device Work with the NCCs and network and security professionals to assist Air Force customers in assessing the scope of unauthorized network activities or incidents End Users will: Comply with Air Force, MAJCOM, and local system and network security policies Report unauthorized network activities or incidents, which includes all forms of malicious logic, to their WM/FSA to ensure notification continues up the chain of command.

17 AFI NOVEMBER Section 3A Introduction Chapter 3 TCNO MANAGEMENT 3.1. Purpose Compliance with Air Force TCNOs is mandatory Time Compliance Network Orders (TCNO) are downward-directed operations, security, or configuration management-related orders issued by the AFNOSC or NOSCs. The TCNO provides a standardized mechanism to issue one order to the entire AFNETOPS hierarchy, directing how to operate and make changes to the AFEN. The AFNOSC or NOSCs generate TCNOs internally or in response to an IAVA to direct the implementation of an operational or security vulnerability risk mitigation procedure or fix action (i.e., countermeasure) The TCNO process is used to inform responsible Air Force agencies of network and system vulnerabilities and to direct and track the implementation of countermeasures. This chapter defines the TCNO process and provides guidance, procedures, and formats to process TCNOs The TCNO replaces the Directive C4 NOTAM, AFCERT Advisories and Advisory Compliance Messages. Existing Directive C4 NOTAMs, AFCERT Advisories, and Advisory Compliance Messages will remain valid until superceded by a TCNO. Informative, Scheduled Event, Unscheduled Event, and Summary C4 NOTAMs will continue to be used as identified in Chapter Applicability. The processes defined within this chapter apply to the mitigation of identified vulnerabilities on any Air Force-owned/managed device connected to the AFEN or other DOD network. Devices, also referred to as assets, include workstations, servers, infrastructure components (e.g., router, switch) and networked peripherals (e.g., network printers). Embedded computers within weapon systems are excluded from this definition unless they are directly accessible through the AFEN and thus vulnerable to exploitation. Section 3B TCNO Generation Process 3.3. When to Generate a Time Compliance Network Order (TCNO). The AFNOSC or NOSCs will produce TCNOs under the following conditions: The AFNOSC will generate a TCNO to implement an IAVA, or where applicable, a JTF-GNO CTO. TCNO timelines are set to ensure downward-directed timelines are met The AFNOSC can generate a TCNO to address IAVBs, TAs, Air Force-identified vulnerabilities or to direct other network operations/defense actions. TCNO timelines are set based on an internal analysis of the scope of effort necessary for units to achieve compliance and the potential impact on planned and ongoing operations NOSCs can generate a TCNO to address MAJCOM-specific vulnerabilities or to direct other network operations/defense actions. NOSCs should coordinate MAJCOM-unique TCNOs with the AFNOSC to ensure the network defense and network operations aspects of TCNO-directed actions are evaluated for their overall impact on the AFEN.

18 18 AFI NOVEMBER Releasing Authority The AFNOSC is the only organization authorized to release an Air Force-wide TCNO NOSCs can release a TCNO for units within their AOR Establishing Time Compliance Network Order (TCNO) Priority. The releasing agency assigns a TCNO priority based on an assessment of the scope and potential impact of the vulnerability to the AFEN and supported operations and where applicable, to comply with JTF-GNO implementation and reporting requirements. NOSCs releasing a MAJCOM-specific TCNO should coordinate with the AFNOSC when assigning priority. The five defined priorities are summarized in Table 3.1. Table 3.1. TCNO Priority Categories. Priority Description Critical Widespread and imminent/ongoing threat to the AFEN and supported operations. Serious Widespread threat to the AFEN and supported operations is expected. High Threat to the AFEN and supported operations is likely. Medium Threat to the AFEN is possible but is mitigated by such factors as difficulty of exploitation, limited deployment of vulnerable operating system, etc. Low Threat to the AFEN is unlikely due the assessed difficulty of exploiting the vulnerability Assigning TCNO Suspense Dates. For each TCNO generated, the releasing organization will assign several key suspense dates to help prioritize work by tasked organizations and to ensure information exchange reporting requirements are met Receipt Acknowledgment Date. The date by which tasked organizations will acknowledge receipt of the TCNO to their next higher echelon Initial Compliance Statistics Date. The date by which tasked organizations will provide their first compliance statistics update to their next-higher echelon Compliance Date. The date by which tasked organizations must achieve full compliance with the implementation actions mandated by the TCNO Table 3.2. provides guidance for establishing each of the required dates.

19 AFI NOVEMBER Table 3.2. Determining TCNO Suspense Dates. R A B C D U then the L E receipt If the TCNO acknowledgment date initial compliance compliance date will priority is: will be statistics date will be be (Note 2) 1 Critical 24 hrs after TCNO the first Monday after 15 days 2 Serious release (Note 1) TCNO release 30 days 3 High 45 days 4 Medium 60 days 5 Low NOTES: 1. Organizations not manned 24 hours, 7 days-a-week, will acknowledge receipt the next duty day. 2. The compliance reporting timeframes listed are the maximum allowed. More restrictive compliance dates may be established by the originating organization based on the assessed threat or as necessary to meet higher echelon requirements (i.e., a NOSC can shorten NCC compliance dates, an NCC can shorten WM/FSA compliance dates) Assigning a Tracking Number. TCNO tracking numbers are built based on the day they are released (recorded as Julian date and year) and the order of release during that given day. The standard numbering format is: the identifier TCNO, issuing agency, four-digit year, three-digit Julian date, a three-digit increment number, and a single character revision identifier. For example, the tracking number assigned to the first TCNO released by the AFNOSC on 19 January 2004 would be TCNO AFNOSC If the original TCNO is revised, the tracking number becomes TCNO AFNOSC A, a revision of the A version will bear the revision identifier B and so on Providing Implementation Details Identify the affected operating systems, applications, and versions. This information helps responsible individuals quickly assess the TCNO s applicability to their systems Provide step-by-step countermeasure implementation instructions. Sort the countermeasures by platform (e.g., RISC, Intel, Macintosh) and by operating system (e.g., WIN NT/2000/XP, UNIX, LINUX) whenever possible. Prepare written instructions for network professionals at the journeyman-level to afford some assistance for system administrators and help expedite countermeasure implementations. Due to the possible variety of system configurations, it s impossible to write detailed implementation instructions for every scenario, therefore NOSCs, NCCs, and PMOs/SPOs may augment the instructions as outlined below:

20 20 AFI NOVEMBER NOSCs and NCCs may augment the AFNOSC s detailed, step-by-step implementation instructions as required so that apprentice-level network and system administration personnel can implement the countermeasures PMOs/SPOs may augment the AFNOSC s step-by-step implementation instructions as required. Write instructions so that apprentice-level network and system administration personnel can implement the countermeasures. When specific implementation procedures other than those provided by AFNOSC, PMO or SPO are required, provide the sources to obtain those procedures Include an estimate of the downtime required to implement the countermeasures Identify residual risks associated with non-compliance; i.e., not implementing countermeasures. Consider the worst-case scenario and chances for exploitation Specifying Justification. The releasing agency will encapsulate or reference applicable IAVAs, IAVBs, TAs, JTF-GNO CTOs, and related TCNOs/C4 NOTAMs in all TCNOs. These references help the AFNETOPS and acquisition communities correlate TCNOs with DOD-level messages Other Time Compliance Network Order (TCNO) Content. The releasing agency may list other relevant information about the vulnerability and countermeasure in the TCNO. This may include information from sources like an associated IAVA, vendor security notice, etc Example Time Compliance Network Order (TCNO). Refer to Attachment 2 for a TCNO example. Section 3C TCNO Dissemination and Acknowledgment Dissemination Timelines. Timely dissemination of vulnerability and countermeasure information to the personnel responsible for implementation is critical to ensure the integrity and availability of the AFEN. All involved organizations will ensure critical and serious priority TCNOs are disseminated to their subordinate organizations within 24 hours of receipt. High, medium, and low priority TCNOs will be disseminated at the originator s discretion Single Distribution List. The AFNOSC will maintain a single distribution list of Air Force units that must receive AFNOSC-generated TCNOs to include: Action Addressees: NOSCs, and all Air Force-level PMOs and SPOs not administratively assigned to AFMC Information Addressees: SAF/XCIF, HQ USAF/XOIW, Numbered Air Force SC/A6s, HQ AFCA/EVPI, HQ AFCA/ECF/ECN, and others as required Time Compliance Network Order (TCNO) Dissemination. The AFNOSC and NOSCs will disseminate TCNOs using etang and/or SIPRNET electronic mail ( ). All organizations send or forward a TCNO as follows: The AFNOSC disseminates TCNOs to NOSCs, FOA/DRU NCCs/MSCs and all Air Force program offices not administratively assigned to AFMC.

21 AFI NOVEMBER The NOSC disseminates TCNOs to all NCCs within its AOR and to its MAJCOM-level PMOs and SPOs The NCC disseminates TCNOs to all FSAs and WMs within the NCC s AOR. This includes host, tenant, and GSU organizations serviced by the NCC All Air Force tenant units on Air Force installations to include FOAs and DRUs must coordinate with their servicing NCCs to receive TCNOs PMOs/SPOs forward TCNOs to the applicable Joint PMO for evaluation under the following conditions: Programs for which the Air Force is not the lead service For a TCNO that was not generated as a result of an IAVA Acknowledging Time Compliance Network Orders (TCNO). Subordinate units and recipients will acknowledge receipt of the TCNO to their next higher echelon NCCs will receive and compile TCNO acknowledgement reports from FSAs and WMs and will acknowledge receipt of the TCNO to their NOSC NOSCs receive and compile TCNO acknowledgement reports from their NCCs and MAJ- COM-level PMOs and SPOs and will acknowledge receipt of the TCNO to the AFNOSC DELETED The AFNOSC will receive TCNO acknowledgement reports from NOSCs, and Air Force-level PMOs and SPOs The AFNOSC sends IAVA acknowledgments to JTF-GNO within the timeframes specified by the IAVA Acknowledgment by subordinate to higher-echelon organizations will be accomplished using one of the following methods: Organizations will use etang to acknowledge receipt according to the timeframes established by the recipient s next higher echelon Organizations that do not have access to etang will send acknowledgement reports via SIPRNET . The subject line of the message will be in the format ACKNOWLEDGE- MENT RECEIPT FOR TCNO Tracking Number where TCNO Tracking Number is the assigned number for the TCNO being acknowledged. For example, ACKNOWLEDGEMENT RECEIPT FOR TCNO AFNOSC Section 3D TCNO Implementation Implementing Time Compliance Network Orders (TCNO). The goal of the TCNO process is the mitigation of risk to the AFEN through the implementation of network vulnerability countermeasures. Countermeasures will generally entail configuration changes to systems, installation of software patches, or the search for and removal of specific files or tools used for malicious purposes. The AFNOSC directs NOSCs, NCCs, PMOs, and SPOs to implement TCNOs using the information and guidance contained within the TCNO. Organizations should submit a request for an extension as described in Section 3E if

22 22 AFI NOVEMBER 2005 there are valid reasons the TCNO-directed timeline cannot be met for the application of countermeasures to workstations Two-Person Compliance. NOSC and NCC personnel will follow a Two-Person Compliance process for all TCNO-directed countermeasures applied to core servers or infrastructure components. The process is as follows: One NOSC/NCC crew member, the TCNO implementer, will apply the TCNO-directed countermeasure using the procedures outlined in the TCNO. Once countermeasure implementation is complete, the TCNO implementer will verify the application of the countermeasure by checking file versions/dates, registry settings, or other applicable indications of successful countermeasure implementation Once the TCNO-directed countermeasure is verified by the TCNO implementer, a second NOSC/NCC crew member, the TCNO validator, will validate the successful application of the countermeasure by verifying the procedures outlined in the TCNO were followed and by checking file version/dates, registry settings, or other applicable indications of successful countermeasure implementation The TCNO implementer and validator will document the implementation of the TCNO-directed countermeasure as outlined in paragraph FSA and WM Actions. The ultimate goal is to be able to achieve TCNO implementation through automated means but there are many occasions when implementation must be manually accomplished on workstations or functional servers at the FSA- and WM-level. In these instances, FSAs and WMs will implement TCNOs according to the step-by-step instructions in the TCNO, or as directed by the system s configuration controlling authority (e.g., PMO or SPO) FSAs and WMs must coordinate all TCNO activities with the servicing NCC Specific local configurations or processes may preclude FSAs and WMs from following the TCNO step-by-step instructions exactly. In these situations, variations to the step-by-step instructions are authorized, provided compliance with the TCNO is achieved and verified FSAs and WMs discovering errors in the step-by-step instructions that could potentially damage systems or make the countermeasure ineffective should immediately send that information to their next higher AFNETOPS echelon. Similarly, report changes to the instructions that could expedite or clarify countermeasure implementation. Forward this information through the reporting hierarchy to the AFNOSC for their consideration. If warranted, the AFNOSC may release a revised version of the original TCNO to reflect the new guidance PMO and SPO Actions PMOs and SPOs are responsible for controlling the configuration of their functional systems and must establish procedures to evaluate the applicability of TCNOs to their systems. FSAs are responsible for the actual implementation of TCNO countermeasures on functional systems, but should only proceed with the permission of the PMO, SPO, NOSC, NCC or as established in the program Configuration Management Plan. PMOs and SPOs will establish procedures for each of the following situations:

23 AFI NOVEMBER The TCNO does not apply to the program. Provide a reason (e.g., the affected operating system is not used by the system) The TCNO applies to the program and the FSAs are authorized to implement the countermeasure according to the procedures contained in the TCNO The TCNO applies to the program but the FSAs are not authorized to implement the countermeasure according to the procedures contained in the TCNO. In this case, specify the actual implementation procedures or a source for those procedures The TCNO applies to the program but actual implementation procedures are not yet available. In this case, provide a reason the implementation procedures are not available (e.g., procedures are being tested, software release is being built) and an action plan with timelines for completing required actions The applicability of the TCNO to the program is not known at this time. In this case, provide an action plan for evaluating applicability of the TCNO For each of the scenarios elaborated in paragraph the following reporting guidance applies: All PMOs/SPOs will utilize the ENOSC web-based status page to maintain TCNO-specific applicability/status information as outlined in paragraph Air Force-level PMOs/SPOs will notify the AFNOSC as soon as TCNO applicability is determined and/or implementation procedures are available. The AFNOSC will in-turn notify the NOSCs to begin TCNO implementation (see Attachment 3, Example 1 for a sample message) MAJCOM-controlled PMOs and SPOs will notify their parent NOSC as soon as TCNO applicability is determined and/or implementation procedures are available (see Attachment 3, Example 2 for a sample message) PMOs and SPOs will ensure all previous TCNOs are incorporated into new system development. Section 3E TCNO Extensions General Guidance. On rare occasions, extensions to TCNOs may be required to achieve compliance. An approved extension authorizes the delay of compliance with a TCNO countermeasure for a specified period past the required TCNO compliance date Extensions will only be granted for TCNOs where additional time is required to bring affected workstations into compliance. Extensions will not be granted for achieving TCNO compliance on affected core servers, infrastructure components or functional servers An extension does not grant the requesting agency the authority to accept the vulnerabilities or risks identified in the TCNO indefinitely; rather, it is approval to accept the risk for a specified period based on an operational risk management decision Extension Request Format. Refer to Attachment 4 for required extension content.

24 24 AFI NOVEMBER Processing Extensions. The extension process has been broken into three sequential categories that are summarized in Table 3.3. Table 3.4. outlines the required endorsement and approval authorities by category of extension and requesting organization. Table 3.3. TCNO Extension Categories and Timeframes. Category First (Note 1) Second (Note 2) Third (Note 2) Time Period Covered Original compliance date plus 30 days First extension compliance date plus 60 days (31 90 days from original compliance date) Second extension compliance date up to two years (91 days 2 years from original compliance date) NOTES: 1. First extension requests should be submitted as soon as the inability to comply is known but not later than 7 days before the TCNO-specified compliance date. 2. Second and third extension requests should be submitted as soon as the inability to comply is known but not later than 14 days before the expiration date of the previously-approved extension.

25 AFI NOVEMBER Table 3.4. Time Compliance Network Order (TCNO) Extension Approval Process. R U L E A B C D If the extension requested is a and it is being requested by the then it must be endorsed by the and the approval authority will be the 1 first extension NCC wing/base DAA (Note 1) MAJCOM DAA 2 NOSC first Colonel in NOSC chain of command 3 FOA/DRU NCC/MSC FOA/DRU DAA (Note 2) 4 PMO/SPO program manager functional system DAA 5 second extension NCC wing/base DAA (Note 1) and MAJCOM DAA 6 NOSC MAJCOM DAA 7 FOA/DRU NCC/MSC FOA/DRU DAA (Note 2) 8 PMO/SPO functional system DAA 9 third extension NCC wing/base DAA (Note 1) and MAJCOM DAA 10 NOSC MAJCOM DAA 11 FOA/DRU NCC/MSC FOA/DRU DAA (Note 2) 12 PMO/SPO functional system DAA AFNOSC Director (Note 2) AFNETOPS/CC (Note 2) NOTES: 1. In those cases where the MAJCOM DAA has assumed the responsibility of the wing/base enclave DAA, the request for extension must still be endorsed by the host wing commander. Refer to AFI , Volume 1, Network and Computer Security, for the definition and assignment of DAAs. 2. Send extension requests electronically to the following account: Secure: afnosc@barksdale.af.smil.mil Program Management Office (PMO) and System Program Office (SPO) Extension Requests. PMOs and SPOs will comply with the timetable and endorsement levels established in Table 3.3. and Table 3.4. when requesting extensions for the development and dissemination of countermeasures for client-side (workstation-based) functional applications (e.g., DMS client). PMOs and SPOs must ensure the functional system DAA understands that approving a first extension or endorsing a second or third extension leads to an acceptance of residual risk that applies to network enclaves outside the functional system DAA s span of control.