ENCLOSURE (1) Information Security (INFOSEC) Checklist... E-1. ENCLOSURE (2) Network Security Checklist... E-2


COMMANDING OFFICER'S INFORMATION ASSURANCE HANDBOOK

TABLE OF CONTENTS

IDENTIFICATION    TITLE                                          PAGE

FOREWORD          COMMANDER, U.S. FLEET FORCES COMMAND LETTER... iii
REFERENCES        LIST OF PERTINENT REFERENCES... iv

CHAPTER 1         INFORMATION ASSURANCE OVERVIEW
  SECTION 1       INTRODUCTION
  SECTION 2       WHAT IS INFORMATION ASSURANCE
  SECTION 3       WHY INFORMATION ASSURANCE IS IMPORTANT
  SECTION 4       HOW DO WE BUILD A ROBUST IA PROGRAM

CHAPTER 2         CSI PREPARATION GUIDE
  SECTION 1       COMMANDER'S GUIDANCE
  SECTION 2       INFORMATION ASSURANCE MANAGERS
  SECTION 3       SECURITY MANAGERS
  SECTION 4       SYSTEM ADMINISTRATORS

LIST OF ENCLOSURES:

ENCLOSURE (1)  Information Security (INFOSEC) Checklist... E-1
ENCLOSURE (2)  Network Security Checklist... E-2
ENCLOSURE (3)  Certification & Accreditation Checklist... E-3
ENCLOSURE (4)  Information Assurance Work Force Checklist... E-4
ENCLOSURE (5)  Traditional Security Checklist... E-5
ENCLOSURE (6)  System Administrator Checklist: Daily... E-6
ENCLOSURE (7)  System Administrator Checklist: Weekly... E-7
ENCLOSURE (8)  System Administrator Checklist: Monthly... E-8
ENCLOSURE (9)  System Administrator Checklist: Annually... E-9
ENCLOSURE (10) System Administrator Checklist: Initial... E-10
ENCLOSURE (11) System Administrator Checklist: As Required/After Configuration Changes... E-11
ENCLOSURE (12) Cyber Zone Inspection Items... E-12
ENCLOSURE (13) CO's Information Assurance Quick Look... E-13
ENCLOSURE (14) Minimum Set Of Periodic Reports... E-14
ENCLOSURE (15) Example Report-Certification & Accreditation... E-15
ENCLOSURE (16) Sample Report-Information Assurance Work Force Training... E-16
ENCLOSURE (17) Sample Report-IAVM... E-17
ENCLOSURE (18) Sample Report-Weekly IA Status... E-18
ENCLOSURE (19) Sample Report-Antivirus... E-19
ENCLOSURE (20) Sample Report-USB Scan... E-20
ENCLOSURE (21) Sample Report-8 O'clock Report... E-21


LIST OF PERTINENT REFERENCES

(a) DoD Directive E of 24 October 2002
(b) DoD Instruction of 6 February 2003
(c) OPNAVINST C, Navy Information Assurance Program
(d) SECNAV M, DoN Information Assurance Program
(e) SECNAV M, DoN Information Assurance (IA) Workforce Management Manual
(f) SECNAV M, DoN Information Security Program Manual
(g) NIST Special Publication, Configuration Management Guide for Information Systems
(h) DoD Instruction of 28 November 2007
(i) (j) (k) (l)
(m) SPAWAR SCCVI User Guide
(n) (o) (p) (q) (r) (s) (t) (u) (v) (w) (x)
(y) default.aspx
(z) SECNAV 5239/14, System Access Authorization Request (SAAR) Forms
(aa) CJCSM A, Information Assurance (IA) and Computer Network Defense (CND) Volume I (Incident Handling Program)
(ab)
(ac) SECNAVINST B, DoN CIO Network Policy
(ad) SECNAVINST
(ae) NIST Special Publication Rev. 1, Contingency Planning Guide for Information Technology Systems
(af) DoD M CH 2, Information Assurance Workforce Improvement Program, April 2010
(ag) (ah) (ai) (aj) (ak)
(al) (am) (an) (ao)

CHAPTER 1
INFORMATION ASSURANCE OVERVIEW

SECTION 1
INTRODUCTION

1. Introduction. Security for a ship begins at the brow. Topside watches and Officers-of-the-Deck stand watch to ensure that the ship is secured and that unauthorized personnel do not get onboard. However, shipboard security does not stop there. Escorts provide extra security for non-cleared visitors below decks. Secure areas of the ship are protected by locks and alarm systems. Entry into those spaces is controlled by cognizant authorities, and visitor logs track who has been in the space. This concept of Defense in Depth applies equally to the ship's connection to Cyberspace. Enclave routers and firewalls stand guard at the network's perimeter to prevent unauthorized access from outside. Network security personnel, cyber policies and procedures, and automated systems such as the Host-Based Security System (HBSS) and proxy server logs all serve to monitor activity within the network's lifelines. The combination of personnel, procedures, and products provides the layered system defense required to ensure the availability, integrity and confidentiality of the data we rely on to run our ships.

a. Bottom line: Across the Federal Government, cyber security incidents have soared by over 600% in the last 5 years. At least 85% of cyber intrusions could have been prevented if the following four cyber security and IA practices were routinely and vigorously followed:
(1) Patching application vulnerabilities.
(2) Patching operating system vulnerabilities.
(3) Minimizing the number of users with system administrator privileges.
(4) Employing application whitelisting to prevent unapproved programs from running on the network.

b. Continued focus on these fundamental principles will ensure success in this dynamic cyberspace domain:
(1) Cyber security is serious business, requiring all hands involvement, and
(2) Commanding Officers are ultimately responsible for understanding and managing the cyber-readiness of their ships.

2. Purpose. To establish Information Assurance (IA) techniques and procedures that utilize policies for people, processes, strategy, and technology for protecting Information Technology (IT) and information. The information in this handbook is designed to equip Commanding Officers and command personnel with the background knowledge and tools needed to effectively manage shipboard IA programs and:
a. Establish guidance for successfully maintaining command level IA-Readiness requirements.
b. Provide a common reference of all Defense and tactical level IA-related doctrine.
c. Provide training and education guidance for command IA Workforce members.

3. Scope. This document is intended to provide Commanding Officers with an overview of the fundamental issues regarding the management of our networks and, to a limited extent, with guidelines they can use in day-to-day efforts to ensure their networks can reliably support the ship's mission and resist adversaries in the virtual realm. Although designed as a CO's handbook, this information is relevant and applicable as a baseline level of understanding for all khaki leadership. Build cyber security awareness, actions, and oversight into the command's daily battle rhythm and, in parallel, develop the technically competent, informed, and proactive supervisors needed to inculcate cyber readiness down to the deckplates. Navy Cyber Forces (CYBERFOR) N41 manages this document and solicits your feedback, lessons learned, and best practices to incorporate into future editions of this document.

CHAPTER 1
INFORMATION ASSURANCE OVERVIEW

SECTION 2
WHAT IS INFORMATION ASSURANCE (IA)?

1. Information Assurance. In broad terms, IA is the practice of managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. The terms Information Security (INFOSEC), Computer Security (COMSEC) and Network Security (NETSEC) are often used interchangeably with IA. In actuality, each of these areas deals with a more specific portion of overall security within the cyber environment. Reference (a) defines IA as measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.

2. INFOSEC. INFOSEC is defined as protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction of the information. INFOSEC is concerned with the confidentiality, integrity, and availability of data regardless of format: electronic, print, etc. The ship can ensure INFOSEC through:
a. Leadership involvement. Making INFOSEC a priority at all levels in the command. Examples of inculcating cyber security awareness include:
(1) Plan of the Day (POD) and INFOSEC Notices.
(2) Duty section training for all ratings.
(3) Requiring reports of network status and system outages to be included with daily operational reporting requirements (i.e., 8 O'clocks).
b. Minimizing the footprint of information stored on the ship's Local Area Network (LAN). Examples of minimizing the footprint include:
(1) Reducing duplicate information.
(2) Structuring data across the network.
(3) Taking immediate action in the event of an incident or spillage to ensure the incident response is thorough, remediation/mitigation efforts are completed, and records are retained by the IA Manager (IAM)/IA Officer (IAO).

3. Computer Security. Computer Security is the collective processes and mechanisms by which sensitive and valuable information and services are protected from publication, tampering, or compromise by unauthorized activities, inside threats and unplanned events. Its objective includes the protection of information and property from theft, corruption, or natural loss due to disaster, while allowing the information and property to remain accessible, reliable, and responsive to its intended users. Unlike INFOSEC, Computer Security focuses primarily on ensuring the availability and correct operation of a computer system without concern for the actual information stored or processed by the computer.

4. Network Security. Network Security includes provisions and policies adopted by the network administrator to monitor and prevent unauthorized access, misuse, modification, or denial of the computer network and network-accessible resources.

5. Physical Security. Physical Security includes measures designed to deny unauthorized personnel (including attackers or even accidental intruders) physical access to a building, facility, resource, or stored information, and guidance on how to design structures to resist potentially hostile acts.
a. Enforcing Physical Security includes:
(1) Verifying personnel access and need-to-know for visiting personnel.
(2) Monitoring activity, by all personnel, for irregular activity contrary to IA policy.
(3) Maintaining a record of accreditation, personnel network accountability, and IA appointments and policy, which will also ensure information is properly handled and secured.

6. Conclusion. Information Assurance is paramount as the overarching discipline that encompasses Information Security, Computer Security, Network Security and Physical Security. IA incorporates the elements of each type of security into a layered defense that ensures information is readily accessible where and when we need it. Figure 1 illustrates this Defense in Depth concept.

[Figure 1: Information Assurance - Defense in Depth]

CHAPTER 1
INFORMATION ASSURANCE OVERVIEW

SECTION 3
WHY IS INFORMATION ASSURANCE IMPORTANT?

1. Background. In 1996, pursuant to a congressional request, the Government Accounting Office (GAO) reviewed the extent to which DoD computer systems experience attack. The GAO analyzed the potential for further damage to DoD computer systems and the challenges in securing sensitive information on its computer systems.
a. DoD relies on a complex information infrastructure to design weapons, identify and track enemy targets, pay soldiers, mobilize reservists, and manage supplies.
b. Use of the Internet to enhance communication and information sharing has increased DoD exposure to attack, since the Internet provides unauthorized users a means to access unclassified DoD systems.
c. While the DoD information available on the Internet is unclassified, it is sensitive and must be restricted.
d. Only about 1 in 500 attacks is detected and reported, but the Defense Information Systems Agency (DISA) estimates that DoD is attacked about 250,000 times per year.
e. Attackers have stolen, modified, and destroyed data and software, disabled protection systems to allow future unauthorized access, and shut down entire systems and networks to preclude authorized use.
f. Security breaches pose a serious risk to national security because terrorists or U.S. adversaries could disrupt the national information infrastructure.
g. Security breaches cost DoD hundreds of millions of dollars annually.
h. DoD needs to increase the resources devoted to computer security, update the policies that govern computer security, and increase security training for system and network administrators.

2. Doctrine. Reference (a) defines IA requirements for all DoD components, and reference (b) provides DoD guidance for IA implementation. For DoN specifically, references (c) through (f) promulgate Navy IA, IA Workforce (IAWF) Improvement, and INFOSEC policy. Numerous other instructions, directives, bulletins, and policy documents further define and codify the requirements for all Navy units to have a robust IA program.

CHAPTER 1
INFORMATION ASSURANCE OVERVIEW

SECTION 4
HOW DO WE BUILD A ROBUST INFORMATION ASSURANCE PROGRAM?

1. Facets of IA. As with any other shipboard program, multiple actions and persistent oversight must exist to establish a robust IA program. This chapter addresses four core areas of IA: Administration, Personnel, Training, Operations, and Monitoring and Assessment.

2. IA Administration. One of the principal enablers of any successful program is meticulous record-keeping and adherence to published procedures. Myriad instructions, bulletins, technical documents, and other publications provide requirements and guidance for properly maintaining an IA program. For Commanding Officers, two key documents are reference (c), OPNAVINST C, and reference (d), SECNAV M. These documents provide a concise overview of the DoN's implementation of DoD IA requirements. Additionally, reference (c), paragraph 8.k, outlines the duties of Commanding Officers with regard to IA.

3. Command Security Instruction. Reference (f), exhibit 2A, requires all commands to publish a command security instruction and provides specific guidelines for its development.

4. IA Documentation. The key to a robust IA program is maintaining accurate documentation of command information systems. A well-organized, well-maintained command IA binder will help ensure command cyber systems are being maintained in the optimal state of security and readiness. The IA binder should contain:
a. Configuration management records. As-built network diagrams, combined with documentation of all approved modifications to the configuration baseline, will ensure that all potential points of vulnerability are identified. See reference (g), NIST Special Publication, for more details on configuration management requirements.
b. Certification and Accreditation (C&A) Documentation. Every DoD network goes through a process of certification and accreditation before it can connect and operate on the Global Information Grid (GIG). The C&A process provides detailed configuration information to the DoN's Designated Approving Authority (DAA), allowing them to verify that a proposed network complies with DoD IA requirements. A network's C&A paperwork exists as the definitive document required in obtaining and/or renewing an Authority to Operate (ATO) for the network.
(1) ATO. The ATO is a document provided by the DoN DAA and Systems Command Program Manager that grants specific permissions to connect and operate a given information system based on a satisfactory DoD IA Certification and Accreditation Process (DIACAP) score. Once granted, an ATO is valid for a maximum period of 3 years.
(2) IATO. An IATO is a temporary ATO that allows a command to operate while simultaneously resolving known vulnerabilities. Once granted, an IATO is valid for a maximum period of 6 months.
(3) Knowing in advance that an ATO/IATO renewal is due, IAMs must be proactive in submitting the required documentation to maintain network operations. A good rule of thumb is that requests for ATO/IATO renewal should be submitted at least 6 months prior to the expiration of the existing ATO/IATO. Meticulous record keeping of existing ATO/IATOs and approved system configuration changes makes the process of recertification significantly easier. See references (h) and (i) for more details on the C&A process. See references (j) through (l) for more details on obtaining ATO/IATOs.
c. IA Vulnerability Management (IAVM). Navy Cyber Defense Operations Command (NCDOC) constantly reviews Navy cyber systems for new or existing security vulnerabilities. When a new vulnerability is discovered, NCDOC will issue an IA Vulnerability Alert (IAVA) or Information Assurance Vulnerability Bulletin (IAVB). In conjunction with these messages, NCDOC will release an updated set of electronic definitions to be used with the Secure Configuration Compliance Validation Initiative (SCCVI) network scanning tool to scan shipboard networks for these vulnerabilities. For further guidance, see:
(1) Reference (m) for Space and Naval Warfare Systems Command (SPAWAR) scanning and patching procedures.
(2) Computer Tasking Order (CTO) and 11-16a for DoD/DoN specific scan guidance.
(3) United States Cyber Command (USCYBERCOM) Fragmentary Order (FRAGO) 11 for additional audit guidance.

(4) Reference (n) for Retina Engine Updates/Downloads.
(5) Reference (o) for DoN IAVA Patch reporting, Non-Secure Internet Protocol Router Network (NIPRNET).
(6) Reference (p) for DoN IAVA Patch reporting, Secret Internet Protocol Router Network (SIPRNET).
(7) Reference (r) for CTO/IAVA Patch Compliance Reporting.
(8) Reference (s) for SPAWAR Patch repository, NIPRNET.
(9) Reference (t) for SPAWAR Patch repository, SIPRNET.
(10) Reference (u) for DoD/DISA Patch/Plan of Action and Milestones (POA&M) reporting, NIPRNET.
(11) Reference (u) for DoD/DISA Patch/POA&M reporting, SIPRNET.
d. Navy Telecommunications Directives (NTDs)/CTOs/Patches/Fleet Advisory Messages (FAMs). NTDs generally address larger policy or overall operational aspects of cyber operations. CTOs issue specific tasking with regard to such things as setting Information Operations Condition (INFOCON) levels or establishing new information security procedures. How a system is patched depends on whether it is a program of record (PoR) or not. For PoRs, it is a six-step process:
(1) A commercial vendor announces a patch for a known vulnerability.
(2) USCYBERCOM analyzes the vulnerability and, if it finds the vulnerability has the potential to impact DoD operations, issues an IAVM notice in the form of an IAVA/IAVB.
(3) NCDOC issues a vulnerability message, based on the IAVM notice, to DoN commands.
(4) The PoR program manager (PM) tests the patch to verify it does not adversely affect system operation and then releases the patch for use.
(5) The DoN command receives an announcement via broadcast message from the PM that the patch is available.
(6) The DoN command applies the patch to the system.
For non-PoRs, the command downloads the patch directly from the vendor when directed via broadcast message by NCDOC. Most systems in the Fleet are PoR. The following references provide further guidance on Tactical Directives (TD):
(a) References (q) and (v) for Navy CTOs.
(b) References (w) and (x) for DoD CTOs.
(c) Reference (r) for SPAWAR FAMs.
(d) Reference (y) for NTDs.
e. Command IA Plan. Each command is responsible for publishing a command-level IA plan. The IAM develops the plan based on doctrine and has overall responsibility for implementing it once it is signed by the Commanding Officer. The IA Plan should include guidance and reporting for:
(1) Incident Handling and Response.
(2) IAVM (Antivirus, IAVA, Universal Serial Bus (USB) Detect).
(3) Information Assurance Workforce (IAWF) (Training and Certification).
(4) Tactical Directives (CTO/NTD/FAM/FRAGO).
(5) Command IA Policy.
(6) Security Technical Implementation Guidelines (STIGs) (Host-Based Security System (HBSS), Traditional Security, and Network Policy).
(7) Configuration Management.
(8) DIACAP (ATOs/IATOs/PITs).
(9) Command POA&M.
Note: A softcopy repository of Command IA Reports (8 O'Clocks, Monthly Updates, Semi-Annual STIG Compliance Reports, etc.) should be maintained separately by the IAM. See enclosure (14) of this instruction for detailed reporting guidance.

f. System Access Authorization Requests (SAARs). Each user of a DoD information system must complete a SAAR for each system he or she will use. Included in the SAAR is the security classification level of the system and the clearance level of the individual. SAARs also contain the user agreement for proper use of government information systems and provide guidelines for appropriate use. In the approval process, the SAAR is accompanied by a copy of the individual user's certificate of completion of the annual IA refresher training requirement. Completed SAARs and IA training certificates should be maintained by the IAM for all users assigned to the command and for all visitors to whom system access has been granted. See reference (z) for further guidance.

5. IA Personnel. IA Personnel are key individuals within the IAWF who manage the day-to-day operations of a command-level IA program:
a. The Deployed Designated Approving Authority (DDAA). Reference (c), paragraph 8.K, assigns responsibility to Commanding Officers, Commanders, Officers-in-Charge and Directors in their role as local IA authorities. It states that, in coordination with the Office of Designated Approving Authority (ODAA), when the unit is deployed they serve as the DDAA.
b. Commanding Officers, Commanders, Officers-in-Charge and Directors (acting as DDAA) must ensure information systems are compliant with DoD IA requirements per references (a), (y), and (aa) and Defense Information Systems Network (DISN) policy and procedures. Information systems under their command must be maintained in accordance with the authorized configuration. Any deviations from the authorized configuration or failure to comply with IA requirements are only permitted if approval is given by the Navy ODAA, U.S. Fleet Cyber Command (FLTCYBERCOM).
c. The DDAA authority is intended to be used only in unusual circumstances, when operational circumstances prevent obtaining authorization from FLTCYBERCOM prior to making a change to an information system. It is intended to give the Commanding Officer the authority to respond to casualties or urgent operational requirements. It is not meant to be used to circumvent normal approval processes for the sake of operational convenience or expediency. For example, it would be improper to use the DDAA authority to authorize the installation of software on the shipboard network that was not on SPAWAR's approved products lists, or to authorize connection of an information system that had not been accredited by the DoN ODAA.
d. If a Commanding Officer of a deployed unit does exercise the DDAA authority, the Commanding Officer must inform FLTCYBERCOM as soon as operationally feasible of the authorized deviation per Navy Telecommunications Directive (NTD). DDAA training may be found in reference (ab).
e. The Command Security Manager (CSM) is responsible to the Command Security Officer for running the command's traditional security program. The CSM works closely with the IA Manager (IAM)/IA Officer (IAO) to ensure that Information Systems Security Management (ISSM) is established and maintained.
f. The IAM is designated in writing by the DDAA and is responsible for the overall operation and management of the command's/ship's IA program. The IAM should be a Navy Enlisted Classification (NEC) 2779 qualified U.S. citizen, designated by the Commanding Officer/DDAA, and assume responsibilities per reference (b), section 5.9, and reference (e). Specific duties of the IAM include:
(1) Act as primary IA technical advisor to the Commanding Officer.
(2) Maintain IA oversight of the ship's networks and changes that may affect IA posture.
(3) Develop and maintain the command IA program to provide adequate security for all associated assets.
(4) Ensure all information ownership responsibilities are established.
(5) Ensure security events are properly investigated, incidents are reported and coordinated with NCDOC per references (ac) and (ad), and response measures are completed as directed.
(6) Proactively use IA tools to do the command's part in protecting networks. Ensure IA controls are in place as outlined in DISA STIGs, IAVAs, IAVBs and CTOs.
(7) Be familiar with, and use, all applicable websites and IA doctrine to stay current with IA issues.

(8) Provide IA and network security training for all users.
(9) Ensure all personnel with privileged systems access (system administrators) have all required training and are designated in writing.
(10) Ensure all command networks are certified, accredited, and have a valid ATO, or Platform Information Technology (PIT) Risk Assessment (PRA) for designated PIT systems, and that they are maintained according to their IA C&A documentation.
(11) Maintain accurate configuration and compliance records for all networks.
(12) Observe shipboard information processing practices and ensure the Commanding Officer and command leadership are aware of the command's IA climate.
g. The IAO works directly for the IAM and is focused primarily on INFOSEC. Each IAO, in addition to satisfying all responsibilities of an Authorized User, shall assist the IAM in accordance with reference (b), section 5.10, and reference (e), to include:
(1) Ensure that all users have the requisite security clearances and supervisory need-to-know authorization, and are aware of their IA responsibilities, before being granted access to the DoD information system.
(2) Per reference (ad), in coordination with the IAM, initiate protective or corrective measures when an IA incident or vulnerability is discovered.
(3) Per reference (g), ensure that IA and IA-enabled software, hardware, and firmware comply with command security configuration change guidelines.
(4) Per reference (ae), ensure that DoD information system recovery processes are monitored and that IA features and procedures are properly restored.
(5) Ensure that all DoD information system IA-related documentation is current and accessible to properly authorized individuals.
(6) Implement and enforce all DoD information system IA policies and procedures.
h. The CSM and IAO must be designated in writing by the Commanding Officer/DDAA.

6. IA Training. A command's IA program is only as good as the people who manage it. Ensuring that both operators and managers have the proper training is therefore critical to the ship's INFOSEC posture.

7. IAWF Improvement Program (IA WIP). Reference (af) specifies that all personnel who work on DoD information systems must be trained and certified at various levels commensurate with the level of their network privileges; reference (e) provides specific Navy guidance. The DoN's NEC 2790 and 2791, and the IA PQS levels 300 through 304, provide the training and certification for DoN personnel to comply with the DoD requirements. Reference (ag) provides CYBERFOR IAWF guidance for implementing a command level program and details on obtaining IAWF certifications. The command IAM is responsible for managing the command's IA WIP. The IAM is directly responsible to the DDAA to ensure:
a. IAWF personnel are properly appointed in writing.
b. IAWF personnel are identified, and training progress tracked, in the Total Workforce Management System (TWMS).
c. IAWF personnel obtain the certifications required for their appointed IAWF positions.
d. IAWF personnel participate in a continuous training program to ensure the skills they acquire are practiced on a regular basis.

8. Periodic Training. In addition to specific skills training, DoD also requires that all IAWF and general users of information systems undergo annual refresher training, both in physical security and in IA Awareness. The IAM and CSM must ensure that these training programs are in place at the command level.

9. IA Operations. Maintaining shipboard information systems at peak security and readiness requires vigilance and proactive management by system users and administrators alike. Users must always be aware of and follow the guidelines for safe and proper use of information systems. Users should be on the lookout for and report any perceived problems or inconsistencies in system operations. Continued discussion and reemphasis of IA training at all levels will help ensure users do not become complacent. In addition, system administrators (SAs) perform a range of other tasks to ensure the command's/ship's networks are being properly maintained. SAs should use a daily checklist similar to enclosure (6) to ensure that the ship's information systems are maintained in an optimum state of readiness and security.
a. IAVM Scanning. SAs are required to conduct monthly Secure Configuration Compliance Validation Initiative (SCCVI) scans to identify security vulnerabilities. The results of these scans must be uploaded to the DoN's Vulnerability Remediation Asset Management (VRAM) database. See reference (m) and CTO and 11-16a for further guidance.
b. IAVM Patching. IAVM patches are released by the PoR Program Office to resolve security vulnerabilities. VRAM results provide SAs with a list of approved patches to apply to hosts; as such, SAs are required to maintain 100% patch accountability (i.e., patch applied successfully or reported as a false-positive) for all patches older than 30 days. Once patches are successfully applied to all hosts, additional scans should be conducted to ensure that all patches were successfully applied. Any patches that do not install properly should be reported to the system PM office via trouble-ticket. See references (r) and (s) to submit web-based trouble-tickets for PoR systems.
c. Fleet Advisory Messages (FAMs). FAMs are disseminated by SPAWAR to provide commands with important information regarding system configurations and vulnerabilities, including resolutions and work-arounds. Implementation of FAMs should be carefully managed by the command configuration management process to ensure that any configuration changes reflect an acceptable balance between operational capability and system security.
d. The processes of scanning, patching, and applying FAMs are critical to maintaining the security posture of PoR systems.
e. USB Scans. CTO 08-08, issued in December of 2008, prohibited the use of all unauthorized USB devices on Navy networks. Naval Support Activity (NSA) developed a USB Detect tool, found at reference (n), that scans network hosts for unauthorized USB activity. To ensure accountability of USB usage, USB scans should be conducted weekly by SAs under the supervision of the IAM or IAO. When questionable USB activity is discovered, SAs must take follow-on action to identify and locate the device used and determine if incident handling and/or reporting to NCDOC is required. The Command IA Policy and account user forms should clearly state permitted and prohibited USB use and provide appropriate enforcement authority to IAWF personnel. As with SCCVI scans, common problems with USB scan results include:
(1) Improper administrative configuration.
(2) Connectivity issues.
(3) Registry keys not being routinely reset when a USB event is detected.
f. Security Technical Implementation Guides (STIGs). DISA publishes STIGs for common network configuration and security requirements that specify how components should be configured to minimize the risk of vulnerability exploitation on the affected network. SAs should complete/verify all STIGs that apply to their information system components on a semi-annual basis. Note that some STIGs require component modifications that are beyond ship's force capability; however, it is still incumbent upon the ship to recognize STIG non-compliance and defer these changes to the In-Service Engineering Activity (ISEA) for appropriate action. See reference (ah) for a comprehensive list of DISA STIGs.
g. Antivirus Definitions. Just like system patches, computer antivirus systems have definition files that must be updated. Per INFOCON 3, antivirus definitions are updated weekly, but they may come out more frequently if a critical threat is discovered. SAs must ensure that their networked systems are configured to automatically download and distribute the antivirus updates, and check frequently to verify the update process is applied to all applicable hosts. IAM/IAOs should verify that antivirus definitions are up-to-date using the Symantec Control Console on a weekly basis. Antivirus definitions must also be updated for stand-alone systems, such as PIT systems.
See references (s), (v), (x), and (ai) through (ak) for antivirus patches and updates.

h. Network Administration. The process of creating and managing user accounts on shipboard networks is instrumental to maintaining network security. Administrators must scrupulously adhere to the command's procedures for creating and documenting accounts for new users. When a user leaves the command, SAs should disable the user account, maintain the account inactive for a period of 1 year, and then permanently delete the account. The 1-year period ensures that an account can be reactivated for investigational purposes. As they create accounts, SAs must ensure they are providing only the level of access required by the user to perform his/her job. Additionally, any access above Authorized User requires IAM approval. See references (b), (e), (z), (aa), and (af) for guidance on user account management.

i. Password Management. Another area of large impact is password management. Current network configurations require passwords to be complex and changed periodically per the latest Information Operations Condition (INFOCON) message found at references (al) and (am). IAM/IAO/SAs shall conduct periodic account audits to ensure that there are no default/group usernames and passwords being used by personnel. Default/Group accounts (excluding group accounts) generated by ship's force shall be disabled immediately.

j. Remote Account (Password) Management. SYSCOMs, Fleet Systems Engineers, and other outside activities often maintain default usernames and passwords on systems for easy remote access when required for troubleshooting, maintenance, and monitoring. However, doing so poses a critical vulnerability to ship's systems; therefore, IAMs shall maintain a strict password renewal and storage policy to ensure that remote access to shipboard systems is properly controlled. This includes periodic remote access password changes and proper storage for centralized dissemination by the IAM/IAO to outside entities only when required for authorized work. During usage of a remote account, SAs shall actively monitor the connection.
This includes being cognizant of remote maintenance activities that are being performed by supporting organizations and monitoring audit logs to verify that unauthorized remote access activity is not taking place. SAs shall report completion of remote access to the IAM and then immediately change the remote account password per Information Operations Condition (INFOCON) requirements and store it per reference (f). The latest INFOCON message may be found at references (al) and (am).

k. Backup/Recovery. Network systems invariably crash. If backups are not conducted properly, critical data may be lost; therefore, it is essential that SAs maintain a daily and weekly program for backing up system data per System Technical Manuals and INFOCON requirements. Restoration is another critical component of this process. While logs may indicate that backups are successful, testing the backup with periodic restorations is crucial to ensure the data is preserved. PoR System Technical Manuals can be found at references (r) and (s). The latest INFOCON message may be found at references (al) and (am).

10. IA Monitoring & Assessment. Reference (ac) directs that all DoN IA programs must be periodically evaluated for effectiveness. Evaluation must take place at all levels, from the duty SA to the applicable DoN oversight agency, to ensure DoN information systems continue to adapt to an ever-changing threat environment. The adages "You get what you inspect, not what you expect" and "Trust but verify" are nowhere more true than in the realm of IA. Commands with the best IA assessment and monitoring programs are those best equipped to operate and defend in the cyber domain.

a. IA Quick Look. Enclosure (13) provides 10 questions Commanding Officers should ask to get a quick overview of cyber readiness for their ship. The Quick Look touches on all areas of IA and can justify the implementation by management of more exhaustive processes necessary for maintaining the ship's cyber readiness posture.

b. Periodic Reports. DoN IA regulations require specific periodic reports for IAVA compliance and USB scan results. Commands must develop their own IA readiness reports to ensure that command leadership is continuously aware of the IA posture of their systems. Enclosure (14) lists a minimum set of reports for Commanding Officers to review periodically to get a sense of the overall cyber-health of their command.

c. Spot Checks. Shipboard IA programs encompass a wide array of auditable tasks. From the various documentation requirements to network scans to configuration management to everyday operations, there are many areas where Commanding Officers, Executive Officers, IAMs and other leaders can delve into a particular area to ensure their IA program is on track. The check sheets in Enclosures (1) through (11) provide specific items to check in several key IA areas.

d. Zone Inspections. The shipboard zone inspection program is a great place to engage the ship's INFOSEC team. In addition to looking at spaces for physical/information/personnel security issues, inspectors should assess personnel level-of-knowledge of IA security requirements. Enclosure (12) provides suggested items to be reviewed during zone inspections.

e. Blue Team Visits. Navy Information Operations Command (NIOC) provides personnel trained in computer network threat assessments and vulnerability analysis to visit commands and provide an analysis of their network's cyber-readiness condition. Because they are trusted agents, the Blue Team has access to ethical hacker tools that provide a significantly more detailed report of network status than those authorized for use by ship's force. Blue Team visits should be requested via official broadcast message to FLTCYBERCOM to help ensure that the command's IA program remains on track.

f. Cyber Security Inspection and Certification Program (CSICP). The CSICP is the DoN's process of formally inspecting shipboard IA posture based on DoD, DoN, DISA, and National Institute of Standards and Technology (NIST) standards. The shipboard Cyber Security Inspection (CSI) follows the same format and guidelines as the Command Cyber Readiness Inspection (CCRI) that DISA performs for shore commands. The CSI should be integrated into the ship's Fleet Readiness Training Plan (FRTP) and is required as part of renewing the ship's network ATOs. Notification of the CSI schedule for a ship normally occurs 120 days prior to the actual inspection. If the ship has a robust and vital IA program, preparation for the CSI should cause minimal impact. Notification of the CSI schedule occurs when the schedule message is released, notionally 5-6 months prior to the inspection. FLTCYBERCOM OCA will contact the ship 90 days prior to the inspection to begin coordination. Blue Teams and CYBERFOR assistance teams will help to ensure readiness and can fairly accurately predict CSI performance. Outside assistance aside, the very best preparation for the CSI is daily vigilance and attention to detail in all areas of cyber-readiness. Sections (5) through (8) are designed to assist command leadership and IA personnel in preparing for the CSI. They are provided here for ease of access.

An overview of the three phases of CSICP appears below:

(1) Stage I: Administrative Review. This is a nominal 1-day review, scheduled and conducted by your ISIC. This review will consist of an internal program review of administration, leadership engagement, and training. Upon successful completion of Stage I, a command will be determined ready to progress to a Stage II unit level assessment to be conducted within the following 12-month period.

(2) Stage II: Unit Level Training and Assessment. This is a nominal 3 to 5 day, graded assessment (advise and assist format) scheduled and executed by CYBERFOR and Echelon II Commanders. This assessment will include a review of Stage I, plus an additional in-depth assessment of network security, physical security and all five IA Facets: Administration, Training, Personnel, Operations, and Monitoring and Assessment. For afloat commands, any similar assessments conducted as part of FRTP will be incorporated into Stage II to eliminate redundancy. Upon successful completion of Stage II, a command is determined ready to progress to Stage III, a comprehensive inspection to be scheduled and conducted within the following 12-month period.

(a) Pre-CSI Training and Assist Visits. CYBERFOR's Pre-CSI Training and Assist Team, CYBERFOR N41, provides IA program training and assistance as a subset of a ship's CSICP Stage II.

(b) These visits are valuable for identifying shipboard IA program deficiencies for ship's force action prior to a Stage III inspection.

(3) Stage III: Cyber Security Inspection. This is a nominal 5-day comprehensive graded inspection involving all cyber security areas; specifically, leadership engagement, physical security, administration, training, network configuration, and network operations. This inspection will be scheduled and conducted by FLTCYBERCOM inspection teams and is structured to replace the DISA CCRI. As CSICP matures, several Stage III inspection teams will be assigned to select Echelon II Commanders to conduct inspections on behalf of FLTCYBERCOM using the same established process. Stage III inspections will result in a grade and will measure cyber security compliance and identify operational risks to command and control, communications, computer and combat systems, and the GIG. Upon successful completion of Stage III, a command will be certified for operational status. For accreditation purposes, this certification will meet the DoD activity IV (IA sustainment) annual review requirement.

CHAPTER 2
CSI PREPARATION GUIDES

SECTION 1
COMMANDER'S GUIDANCE

1. Summary. You are highly encouraged to conduct a self-assessment of information systems within your area of authority in preparation for the scheduled FLTCYBERCOM-directed Cyber Security Inspection (CSI). The completion of a self-assessment utilizing the checklists, tools, and processes referenced in this document will also meet the requirements for CC/S/A self-conducted compliance assessments listed in CJCSI C and in the Joint Common IA Assessment Methodology (JCIAAM).

2. CSI Background. A CSI is a methodology that expands upon the original NIPRNET and SIPRNET Compliance Validations as mandated in the CJCSI C. The CSI program inspects network security compliance with DoD IA policies, NIST configuration management requirements, and DoD M IA WIP requirements.

3. Requirements. Ensure that a comprehensive self-assessment meets all of the criteria that will be evaluated during a formal CSI. The self-assessment will reveal areas which require corrective action and remediation that can be accomplished by ship's force, as well as any program of record or physical security shortfalls that require external assistance to address and correct; documentation of these shortfalls (via casualty reports (CASREPs) or other formal message traffic) is appropriate. The following components comprise a complete CSI, and each is completed by utilizing the latest version of the corresponding DoD STIG Checklist and applicable enterprise IA Tools. This checklist offers a simple self-assessment questionnaire to provide you and your Information Assurance Manager (IAM) a starting point for discussing the health and status of the command's network. It also represents the baseline of information you will need to provide for any CSI or network inspection.

4. Overview. CSIs and network inspections generally focus on four primary areas:

a. Program Administration.
b. Physical Security (sometimes referred to as Traditional Security).
c. Network Configuration.
d. Network Operations and Behavior.

5. Checklist. An affirmative response to, and understanding of, the questions below will prepare you for a successful CSI.

a. Program Administration

(1) Do we have appointment letters for our network security team (IAM, IAOs, etc.)?
(2) Have we verified that Privileged Access Users have signed Information System Privileged Access Agreement Letters on file?
(3) Have all personnel completed the mandatory annual Information Assurance training by the required due date? If not, what is the plan for getting us there?
(4) Have all command personnel received OPSEC training, and when was it completed?
(5) Do we have signed Memorandums of Agreement or Understanding with all tenant commands connected to our network, if applicable?
(6) Are our tenant commands also in compliance with DoD and DoN standards, if applicable?
(7) Have we completed the Vulnerability Scan Coordination Memo to provide to the FCC OCA inspector?

b. Physical Security

(1) Is our Physical Distribution System (PDS) certified, and are the documents up-to-date and available for viewing by the inspection team?
(2) Were IDS alarm systems installed and maintained by U.S. citizens who were subjected to a trustworthiness determination in accordance with DoD R?
(3) Are IDS monitoring stations supervised continuously by U.S. citizens who have been subjected to a trustworthiness determination in accordance with DoD R?

(4) Is a program established to ensure safes, vaults, and secure rooms are properly managed? Ensure only GSA-approved security containers are being used; ensure combinations are changed as required; ensure all forms, Standard Form (SF) 700 and SF-702, are properly completed; ensure repairs are conducted correctly.
(5) Are individuals granted access to classified materials notified of applicable handling instructions? This may be accomplished by a briefing, written instructions, or by applying specific handling requirements to an approved cover sheet.
(6) Are security checks being performed at the close of each working day to ensure all areas are secure? SF 701, "Activity Security Checklist," shall be used to record such checks. An integral part of the security check system shall be the securing of all vaults, secure rooms, and containers used for the storage of classified material; SF 702, "Security Container Check Sheet," shall be used to record such actions. In addition, SF 701 and 702 shall be annotated to reflect after-hours, weekend, and holiday activity.
(7) Do all vaults and secure rooms meet all requirements of DoD R Appendix 7?
(8) Do we have approval or waiver letters for Open Secret Storage in spaces where classified information is processed or where a PDS may not be in place?

c. Network Configuration

(1) Does our Network Topology Diagram accurately reflect our current architecture, and is it available for review? Does it meet NTD requirements?
(2) Do we really know the actual number of devices connected to our network? Really know? [Hint: Your IAM can run a RETINA Discovery Scan to find this out.]
(3) Are our Access Control Lists (ACLs) for our routers, switches, and firewalls ready for an inspector to review? Do they reflect the currently published IP Block Lists?

(4) Are the proper ports opened on our network per COMNAVNETWARCOM CTO 08-08, IP SONAR Mapping of Classified Networks?
(5) What vulnerabilities were identified that we were unable to patch or mitigate?

d. Network Operations and Behavior

(1) On what date was the last monthly scan conducted using RETINA? Are we sure we are scanning with the most recent scan engine? Are all scans conducted using the proper accesses?
(2) Are we reviewing VRAM scan results on a monthly basis? Who validates that noted vulnerabilities have been corrected? Is this a formalized, documented process?
(3) Has a POA&M been entered into VMS for all uncorrected vulnerabilities?
(4) Have we informed the DAA/DDAA about our uncorrected vulnerabilities?
(5) Have the latest anti-virus updates been downloaded and installed to all systems onboard the ship?
(6) Have any new USB devices been detected on the networks? Where?
(7) Are there any CND incidents currently open with either NCDOC or the CNOC? If so, what is the status and estimated time of restoral for resolution?
(8) Is there any equipment that needs to be repaired? Have we CASREPed the affected equipment?
(9) Have any configuration changes been made to the network since my last spot check?

e. Previous Inspections

(1) What inspections have been completed on the network in the last 12 months?
(2) Have we corrected all vulnerabilities found from the inspection?
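Checklist item d.(6) above, and the weekly USB scan duty described under "e. USB Scans" in Chapter 1, both depend on knowing which USB storage devices a host has recorded. The PowerShell script below is an added example, not the handbook's USB Detect tool or any Navy-provided code: it reads the USBSTOR enumeration keys that Windows keeps for every mass-storage device ever connected and flags any whose serial is not on an IAM-approved list (the approved serials and the output path are constructed placeholders).

```powershell
# Added example (not from the handbook or the USB Detect tool): audit the
# USB mass-storage devices a Windows host has recorded against an approved
# list. Run in an elevated PowerShell session on the host being checked.

# Constructed placeholders: replace with the serials the IAM has approved.
$ApprovedSerials = @(
    'APPROVED-SERIAL-0001',
    'APPROVED-SERIAL-0002'
)

function Get-UsbStorageHistory {
    # Windows keeps one key per device model under USBSTOR and, beneath it,
    # one key per physical device whose name is its serial number (or an
    # instance id ending in '&0' when the device reports no serial).
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path -Path $root)) { return }

    foreach ($modelKey in Get-ChildItem -Path $root) {
        foreach ($instanceKey in Get-ChildItem -Path $modelKey.PSPath) {
            $props = Get-ItemProperty -Path $instanceKey.PSPath
            [PSCustomObject]@{
                ComputerName = $env:COMPUTERNAME
                Model        = $modelKey.PSChildName      # e.g. Disk&Ven_X&Prod_Y&Rev_Z
                Serial       = $instanceKey.PSChildName   # registry key name
                FriendlyName = $props.FriendlyName        # $null if not recorded
            }
        }
    }
}

function Test-UsbCompliance {
    param(
        [string[]] $Approved,
        [object[]] $Devices = @(Get-UsbStorageHistory)
    )
    foreach ($device in $Devices) {
        # Compare on the serial only; the model string is shared by every unit
        # of the same product, so it cannot identify an approved device.
        $device | Add-Member -NotePropertyName Approved `
                             -NotePropertyValue ($Approved -contains $device.Serial) `
                             -PassThru
    }
}

$report = Test-UsbCompliance -Approved $ApprovedSerials
$report | Sort-Object -Property Approved | Format-Table -AutoSize

# Unapproved entries go to the SA for follow-up (locate the device, decide
# whether NCDOC reporting is required). Caveat noted in the handbook: these
# keys persist until an administrator clears them, so an entry may reflect a
# device removed months ago rather than a new event. Keep the CSV for the IAM.
$report | Where-Object { -not $_.Approved } |
    Export-Csv -Path "$env:TEMP\usb-audit-$env:COMPUTERNAME.csv" -NoTypeInformation
```

Because the registry records history rather than current state, a detection on this list confirms that a device was connected at some point, not that it is present now; pairing the report with the weekly scan schedule is what turns it into an event timeline.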


More information

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Evaluation Report The Department's Unclassified Cyber Security Program 2011 DOE/IG-0856 October 2011 Department of

More information

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control

More information

Department of Defense INSTRUCTION. SUBJECT: Information Assurance (IA) in the Defense Acquisition System

Department of Defense INSTRUCTION. SUBJECT: Information Assurance (IA) in the Defense Acquisition System Department of Defense INSTRUCTION NUMBER 8580.1 July 9, 2004 SUBJECT: Information Assurance (IA) in the Defense Acquisition System ASD(NII) References: (a) Chapter 25 of title 40, United States Code (b)

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

UNCLASSIFIED. Trademark Information

UNCLASSIFIED. Trademark Information SAMSUNG KNOX ANDROID 1.0 SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW Version 1, Release 1 3 May 2013 Developed by Samsung Electronics Co., Ltd.; Fixmo, Inc.; and General Dynamics C4 Systems,

More information

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to

More information

Sample CDC Certification and Accreditation Checklist For an Application That Is Considered a Moderate Threat

Sample CDC Certification and Accreditation Checklist For an Application That Is Considered a Moderate Threat Sample CDC Certification and Accreditation Checklist For an Application That Is Considered a Moderate Threat Centers for Disease and Prevention National Center for Chronic Disease Prevention and Health

More information

GFI White Paper PCI-DSS compliance and GFI Software products

GFI White Paper PCI-DSS compliance and GFI Software products White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption

More information

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE 5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE 5 FAH-11 H-510 GENERAL (Office of Origin: IRM/IA) 5 FAH-11 H-511 INTRODUCTION 5 FAH-11 H-511.1 Purpose a. This subchapter implements the policy

More information

A Comprehensive Cyber Compliance Model for Tactical Systems

A Comprehensive Cyber Compliance Model for Tactical Systems A Comprehensive Cyber Compliance Model for Tactical Systems Author Mark S. Edwards, CISSP/MSEE/MCSE Table of Contents July 28, 2015 Meeting Army cyber security goals with an IA advocate that supports tactical

More information

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS TABLE OF CONTENTS General Topics Purpose and Authorities Roles and Responsibilities Policy and Program Waiver Process Contact Abbreviated Sections/Questions 7.1 What is the purpose of this chapter? 7.2

More information

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards SCADA Compliance Tools For NERC-CIP The Right Tools for Bringing Your Organization in Line with the Latest Standards OVERVIEW Electrical utilities are responsible for defining critical cyber assets which

More information

NETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO-6011-09 TABLE OF CONTENTS

NETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO-6011-09 TABLE OF CONTENTS OFFICE OF THE CHIEF INFORMATION OFFICER NETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO-6011-09 Date of Issuance: May 22, 2009 Effective Date: May 22, 2009 Review Date: TABLE OF CONTENTS Section

More information

Customer Support Policy

Customer Support Policy Customer Support Policy This Customer Support Policy ( Policy ) describes the Support that Invenias provides to Customers that have paid all applicable fees and that are using Licensed Software in a Supported

More information

Security Policy for External Customers

Security Policy for External Customers 1 Purpose Security Policy for This security policy outlines the requirements for external agencies to gain access to the City of Fort Worth radio system. It also specifies the equipment, configuration

More information

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal

More information

Operationally Focused CYBER Training Framework

Operationally Focused CYBER Training Framework Operationally Focused CYBER Training Framework Deputy Director, Field Security Operations 9 May 2012 Agenda DISA Cyber Workforce Training Vision Basic Tenets Role-based Educational/Assessment implementation

More information

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Unless otherwise stated, these Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies

More information

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,

More information

BALTIMORE CITY COMMUNITY COLLEGE INFORMATION TECHNOLOGY SECURITY PLAN

BALTIMORE CITY COMMUNITY COLLEGE INFORMATION TECHNOLOGY SECURITY PLAN BALTIMORE CITY COMMUNITY COLLEGE INFORMATION TECHNOLOGY SECURITY PLAN FEBRUARY 2011 TABLE OF CONTENTS PURPOSE... 4 SCOPE... 4 INTRODUCTION... 4 SECTION 1: IT Security Policy... 5 SECTION 2: Risk Management

More information

DHHS Information Technology (IT) Access Control Standard

DHHS Information Technology (IT) Access Control Standard DHHS Information Technology (IT) Access Control Standard Issue Date: October 1, 2013 Effective Date: October 1,2013 Revised Date: Number: DHHS-2013-001-B 1.0 Purpose and Objectives With the diversity of

More information

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the

More information

CIP 010 1 Cyber Security Configuration Change Management and Vulnerability Assessments

CIP 010 1 Cyber Security Configuration Change Management and Vulnerability Assessments CIP 010 1 Cyber Security Configuration Change Management and Vulnerability Assessments A. Introduction 1. Title: Cyber Security Configuration Change Management and Vulnerability Assessments 2. Number:

More information

Summary of CIP Version 5 Standards

Summary of CIP Version 5 Standards Summary of CIP Version 5 Standards In Version 5 of the Critical Infrastructure Protection ( CIP ) Reliability Standards ( CIP Version 5 Standards ), the existing versions of CIP-002 through CIP-009 have

More information

FACT SHEET: Ransomware and HIPAA

FACT SHEET: Ransomware and HIPAA FACT SHEET: Ransomware and HIPAA A recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000

More information

Document ID. Cyber security for substation automation products and systems

Document ID. Cyber security for substation automation products and systems Document ID Cyber security for substation automation products and systems 2 Cyber security for substation automation systems by ABB ABB addresses all aspects of cyber security The electric power grid has

More information

ReliabilityFirst CIP Evidence List CIP-002 through CIP-009 are applicable to RC, BA, IA, TSP, TO, TOP, GO, GOP, LSE, NERC, & RE

ReliabilityFirst CIP Evidence List CIP-002 through CIP-009 are applicable to RC, BA, IA, TSP, TO, TOP, GO, GOP, LSE, NERC, & RE R1 Provide Risk Based Assessment Methodology (RBAM) R1.1 Provide evidence that the RBAM includes both procedures and evaluation criteria, and that the evaluation criteria are riskbased R1.2 Provide evidence

More information

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07 EVALUATION REPORT Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review March 13, 2015 REPORT NUMBER 15-07 EXECUTIVE SUMMARY Weaknesses Identified During the FY 2014

More information

State of Oregon. State of Oregon 1

State of Oregon. State of Oregon 1 State of Oregon State of Oregon 1 Table of Contents 1. Introduction...1 2. Information Asset Management...2 3. Communication Operations...7 3.3 Workstation Management... 7 3.9 Log management... 11 4. Information

More information

Test du CISM. Attention, les questions, comme l'examen, ne sont disponibles qu'en anglais.

Test du CISM. Attention, les questions, comme l'examen, ne sont disponibles qu'en anglais. Test du CISM Attention, les questions, comme l'examen, ne sont disponibles qu'en anglais. 1. Which of the following would BEST ensure the success of information security governance within an organization?

More information

BY ORDER OF THE COMMANDER USTRANSCOM INSTRUCTION 33-3 UNITED STATES TRANSPORTATION COMMAND 5 DECEMBER 2011

BY ORDER OF THE COMMANDER USTRANSCOM INSTRUCTION 33-3 UNITED STATES TRANSPORTATION COMMAND 5 DECEMBER 2011 BY ORDER OF THE COMMANDER USTRANSCOM INSTRUCTION 33-3 UNITED STATES TRANSPORTATION COMMAND 5 DECEMBER 2011 Communications and Information MANAGEMENT OF PORTALS AND WEB SITES COMPLIANCE WITH THIS PUBLICATION

More information

GAO INFORMATION SECURITY. Weak Controls Place Interior s Financial and Other Data at Risk. Report to the Secretary of the Interior

GAO INFORMATION SECURITY. Weak Controls Place Interior s Financial and Other Data at Risk. Report to the Secretary of the Interior GAO United States General Accounting Office Report to the Secretary of the Interior July 2001 INFORMATION SECURITY Weak Controls Place Interior s Financial and Other Data at Risk GAO-01-615 United States

More information

Information Security Network Connectivity Process

Information Security Network Connectivity Process Information Security Network Connectivity Process Handbook AS-805-D September 2009 Transmittal Letter A. Purpose It is more important than ever that each of us be aware of the latest policies, regulations,

More information

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report The Department's Configuration Management of Non-Financial Systems OAS-M-12-02 February 2012 Department

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

NIST 800-53A: Guide for Assessing the Security Controls in Federal Information Systems. Samuel R. Ashmore Margarita Castillo Barry Gavrich

NIST 800-53A: Guide for Assessing the Security Controls in Federal Information Systems. Samuel R. Ashmore Margarita Castillo Barry Gavrich NIST 800-53A: Guide for Assessing the Security Controls in Federal Information Systems Samuel R. Ashmore Margarita Castillo Barry Gavrich CS589 Information & Risk Management New Mexico Tech Spring 2007

More information

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy: Executive Summary Texas state law requires that each state agency, including Institutions of Higher Education, have in place an Program (ISP) that is approved by the head of the institution. 1 Governance

More information

Guideline on Auditing and Log Management

Guideline on Auditing and Log Management CMSGu2012-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Auditing and Log Management National Computer Board Mauritius

More information

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA SITA Information Security SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA September, 2012 Contents 1. Introduction... 3 1.1 Overview...

More information

April 2010. promoting efficient & effective local government

April 2010. promoting efficient & effective local government Department of Public Works and Environmental Services Department of Information Technology Fairfax Inspections Database Online (FIDO) Application Audit Final Report April 2010 promoting efficient & effective

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

Office of Inspector General

Office of Inspector General Office of Inspector General DEPARTMENT OF HOMELAND SECURITY U.S. Department of Homeland Security Washington, DC 20528 Office of Inspector General Security Weaknesses Increase Risks to Critical DHS Databases

More information

whitepaper 4 Best Practices for Building PCI DSS Compliant Networks

whitepaper 4 Best Practices for Building PCI DSS Compliant Networks 4 Best Practices for Building PCI DSS Compliant Networks Cardholder data is a lucrative and tempting target for cyber criminals. Recent highly publicized accounts of hackers breaching trusted retailers

More information

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015 Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015 OIG-16-A-03 November 12, 2015 All publicly available OIG reports (including

More information

DoDI 8500-2 IA Control Checklist - MAC 3-Public. Version 1, Release 1.4. 28 March 2008

DoDI 8500-2 IA Control Checklist - MAC 3-Public. Version 1, Release 1.4. 28 March 2008 DoDI 8500-2 IA Control Checklist - MAC 3-Public Version 1, Release 1.4 Developed by DISA for the DOD UNTILL FILLED IN CIRCLE ONE FOR OFFICIAL USE ONLY (mark each page) CONFIDENTIAL and SECRET (mark each

More information

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific documents requested,

More information

HIPAA Security and HITECH Compliance Checklist

HIPAA Security and HITECH Compliance Checklist HIPAA Security and HITECH Compliance Checklist A Compliance Self-Assessment Tool HIPAA SECURITY AND HITECH CHECKLIST The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires physicians

More information

Appendix. Key Areas of Concern. i. Inadequate coverage of cybersecurity risk assessment exercises

Appendix. Key Areas of Concern. i. Inadequate coverage of cybersecurity risk assessment exercises Appendix Key Areas of Concern i. Inadequate coverage of cybersecurity risk assessment exercises The scope coverage of cybersecurity risk assessment exercises, such as cybersecurity control gap analysis

More information

UNCLASSIFIED (U) U.S. Department of State Foreign Affairs Manual Volume 5 Information Management 5 FAM 870 NETWORKS

UNCLASSIFIED (U) U.S. Department of State Foreign Affairs Manual Volume 5 Information Management 5 FAM 870 NETWORKS 5 FAM 870 NETWORKS (Office of Origin: IRM/BMP/GRP/GP) 5 FAM 871 ENTERPRISE NETWORKS (CT:IM-138; 01-18-2013) The Department currently has two enterprise networks: ClassNet and OpenNet. Only Department-issued

More information

FormFire Application and IT Security. White Paper

FormFire Application and IT Security. White Paper FormFire Application and IT Security White Paper Contents Overview... 3 FormFire Corporate Security Policy... 3 Organizational Security... 3 Infrastructure and Security Team... 4 Application Development

More information

White Paper. Information Security -- Network Assessment

White Paper. Information Security -- Network Assessment Network Assessment White Paper Information Security -- Network Assessment Disclaimer This is one of a series of articles detailing information security procedures as followed by the INFOSEC group of Computer

More information