You are on page 1of 81

________________________________________________________________

COMMANDING OFFICERS INFORMATION ASSURANCE HANDBOOK TABLE OF CONTENTS IDENTIFICATION FOREWORD REFERENCES CHAPTER 1 SECTION 1 SECTION 2 SECTION 3 SECTION 4 CHAPTER 2 SECTION 1 SECTION 2 SECTION 3 SECTION 4 TITLE PAGE

COMMANDER, U.S. FLEET FORCES COMMAND LETTER ... iii LIST OF PERTINENT REFERENCES ................... iv INFORMATION ASSURANCE OVERVIEW INTRODUCTION .................................. 1-1 WHAT IS INFORMATION ASSURANCE ................. 1-3 WHY INFORMATION ASSURANCE IS IMPORTANT ........ 1-6 HOW DO WE BUILD A ROBUST IA PROGRAM ........... 1-7 CSI PREPARATION GUIDE COMMANDERS GUIDANCE .......................... 2-1 INFORMATION ASSURANCE MANAGERS ................ 2-5 SECURITY MANAGERS ............................. 2-9 SYSTEM ADMINISTRATORS ........................ 2-13

LIST OF ENCLOSURES: ENCLOSURE (1) Information Security (INFOSEC) Checklist ....... E-1 ENCLOSURE (2) Network Security Checklist ..................... E-2 ENCLOSURE (3) Certification & Accreditation Checklist ........ E-3 ENCLOSURE (4) Information Assurance Work Force Checklist ..... E-4 ENCLOSURE (5) Traditional Security Checklist ................. E-5 ENCLOSURE (6) System Administrator Checklist: ENCLOSURE (7) System Administrator Checklist: ENCLOSURE (8) System Administrator Checklist: ENCLOSURE (9) System Administrator Checklist: ENCLOSURE (10) System Administrator Checklist: i Daily ......... E-6 Weekly ........ E-7 Monthly ....... E-8 Annually ...... E-9 Initial..... E-10

ENCLOSURE (11) System Administrator Checklist: As Required/ After Configuration Changes.................. E-11 ENCLOSURE (12) Cyber Zone Inspection Items.................. E-12 ENCLOSURE (13) COs Information Assurance Quick Look........ E-13 ENCLOSURE (14) Minimum Set Of Periodic Reports.............. E-14 ENCLOSURE (15) Example Report-Certification & Accreditation E-15

ENCLOSURE (16) Sample Report-Information Assurance Work Force Training..................................... E-16 ENCLOSURE (17) Sample Report-IAVM........................... E-17 ENCLOSURE (18) Sample Report-Weekly IA Status............... E-18 ENCLOSURE (19) Sample Report-Antivirus...................... E-19 ENCLOSURE (20) Sample Report-USB Scan....................... E-20 ENCLOSURE (21) Sample Report-8 Oclock Report............... E-21

ii

iv

LIST OF PERTINENT REFERENCES (a) (b) (c) (d) (e) DoD Directive 8500.01E of 24 October 2002 DoD Instruction 8500.2 of 6 February 2003 OPNAVINST 5239.1C, Navy Information Assurance Program SECNAV M-5239.1, DoN Information Assurance Program SECNAV M-5239.2, DoN Information Assurance (IA) Workforce Management Manual (f) SECNAV M-5510.36, DoN Information Security Program Manual (g) NIST Special Publication 800-128, Configuration Management Guide for Information Systems (h) DoD Instruction 8510.01 of 28 November 2007 (i) https://diacap.iaportal.navy.mil/ks/Pages/default.aspx (j) https://www.nde.navy.mil (k) https://iats.nmci.navy.mil (l) https://www.portal.navy.mil/netwarcom/navycanda (m) SPAWAR SCCVI User Guide (n) http://iase.disa.mil (o) https://iaportal.navy.mil (p) https://www.iaportal.fnmoc.navy.smil.mil (q) https://www.iava.navy.mil/ocrs (r) https://sailor.nmci.navy.mil (s) http://isea.spawar.navy.smil.mil (t) https://vms.disa.mil (u) https://vms.disa.smil.mil (v) https://infosec.navy.mil (w) https://www.cybercom.mil (x) https://www.cybercom.smil.mil (y) https://www.portal.navy.mil/netwarcom/CIO/policydirection/ default.aspx (z) SECNAV 5239/14, System Access Authorization Request (SAAR) Forms (aa) CJCSM 6510.01A, Information Assurance (IA) and Computer Network Defense (CND) Volume I (Incident Handling Program) (ab) http://iase.disa.mil/eta/etadaa.html (ac) SECNAVINST 5239.3B, DoN CIO Network Policy (ad) SECNAVINST 5239.19 (ae) NIST Special Publication 800-34 Rev. 1, Contingency Planning Guide for Information Technology Systems (af) DoD 8570.01-M CH 2, Information Assurance Workforce Improvement Program, April 2010 (ag) https://www.portal.navy.mil/cyberfor/IAWF/default.aspx (ah) http://iase.disa.mil/tools/index.html (ai) https://patches.csd.disa.mil (aj) https://patches.mont2.disa.smil.mil (ak) https://infosec.navy.smil.mil

iv

(al) (am) (an) (ao)

https://www.ncdoc.navy.mil https://www.ncdoc.navy.smil.mil https://www.portal.navy.mil/cyberfor/N47/N41/default.aspx https://www.portal.navy.mil/fcc-c10f/OCA

CHAPTER 1 INFORMATION ASSURANCE OVERVIEW SECTION 1 INTRODUCTION 1. Introduction. Security for a ship begins at the brow. Topside watches and Officers-of-the Deck stand watch to ensure that the ship is secured and that unauthorized personnel do not get onboard. However, shipboard security does not stop there. Escorts provide extra security for non-cleared visitors below decks. Secure areas of the ship are protected by locks and alarm systems. Entry into those spaces are controlled by cognizant authorities and visitor logs track who has been in the space. This concept of Defense in Depth applies equally to the ships connection to Cyberspace. Enclave routers and firewalls stand guard at the networks perimeter to prevent unauthorized access from outside. Network security personnel, cyber policies and procedures, and automated systems such as the Host-Based Security System (HBSS) and proxy server logs all serve to monitor activity within the networks lifelines. The combination of personnel, procedures, and products provide the layered system defense required to ensure the availability, integrity and confidentiality of the data we rely on to run our ships. a. Bottom line: Across the Federal Government, cyber security incidents have soared by over 600% in the last 5 years. At least 85% of cyber intrusions could have been prevented if the following four cyber security and IA practices were routinely and vigorously followed: (1) Patching application vulnerability. (2) Patching operating system vulnerability. (3) Minimizing the number of users with system administrator privileges. (4) Employ Application white listing to prevent unapproved programs from running on the network. b. Continued focus on these fundamental principles will ensure success in this dynamic cyber space domain: (1) Cyber security is serious business; requiring all hands involvement, and

1-1

(2) Commanding Officers are ultimately responsible for understanding and managing the cyber-readiness of their ships. 2. Purpose. To establish Information Assurance (IA) techniques and procedures that utilize policies for people, processes, strategy, and technology for protecting Information Technology (IT) and information. The information in this handbook is designed to equip Commanding Officers and command personnel with the background knowledge and tools needed to effectively manage shipboard IA programs and: a. Establish guidance for successfully maintaining command level IA-Readiness requirements. b. Provide a common reference of all Defense and tactical level IA-related doctrine. c. Provide training and education guidance for command IA Workforce members. 3. Scope. This document is intended to provide Commanding Officers with an overview of the fundamental issues regarding the management of our networks, providing them with (and to a limited extent) guidelines they can use in day-to-day efforts for ensuring their networks can reliably support the ships mission and resist adversaries in the virtual realm. Although designed as a COs handbook, this information is relevant and applicable to baseline a level of understanding for all khaki leadership. Build cyber security awareness, actions, and oversight into command daily battle rhythm, and in parallel, develop the technically competent, informed, and proactive supervisors to inculcate cyber readiness down to the deckplates. Navy Cyber Forces (CYBERFOR) N41 manages this document and solicits your feedback, lessons learned, and best practices to incorporate into future editors of this document.

1-2

CHAPTER 1 INFORMATION ASSURANCE OVERVIEW SECTION 2 WHAT IS INFORMATION ASSURANCE (IA)? 1. Information Assurance. In broad terms, IA is the practice of managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. The terms IA, Information Security (INFOSEC), Computer Security (COMSEC) and Network Security (NETSEC) are often used interchangeably with IA. In actuality, each of these areas deals with a more specific portion of overall security within the cyber environment. Reference (a) defines IA as measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. 2. INFOSEC. INFOSEC is defined as protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction of the information. INFOSEC is concerned with the confidentiality, integrity, and availability of data regardless of format: electronic, print, etc. The ship can ensure INFOSEC through: a. Leadership involvement. Making INFOSEC a priority at all levels in the command. Examples inculcating cyber security awareness include: (1) Plan of the Day (POD) and INFOSEC Notices. (2) Duty section training for all ratings. (3) Requiring reports of network status and system outages included with daily operational reporting requirements (i.e. 8 Oclocks). b. Minimizing the footprint of information stored on the ships Local Area Network (LAN). Examples of minimizing the footprint can include: (1) Reducing duplicate information. (2) Structure data across the network.

1-3

(3) Taking immediate action in the event of an incident or spillage to ensure the incident response is thorough, remediation/mitigation efforts are completed, and records are retained by the IA Manager (IAM)/IA Officer (IAO). 3. Computer Security. Computer Security is the collective processes and mechanisms by which sensitive and valuable information and services are protected from publication, tampering, or compromise by unauthorized activities, or inside threats and unplanned events. Its objective includes the protection of information and property from theft, corruption, or natural loss due to disaster, while allowing the information and property to remain accessible, reliable, and responsive to its intended users. Unlike INFOSEC, Computer security focuses primarily on ensuring the availability and correct operation of a computer system without concern for the actual information stored or processed by the computer. 4. Network Security. Network Security includes provisions and policies adopted by the network administrator to monitor and prevent unauthorized access, misuse, modification, or denial of the computer network and network-accessible resources. 5. Physical Security. Physical Security includes measures designed to deny access to unauthorized personnel (including attackers or even accidental intruders) from physically accessing a building, facility, resource, or stored information; and guidance on how to design structures to resist potentially hostile acts. a. Enforcing Physical Security includes:

(1) Verifying personnel access and need-to-know for visiting personnel. (2) Monitoring activity, by all personnel, for irregular activity contrary to IA policy. (3) Maintaining a record of accreditation, personnel network accountability, and IA appointments and policy will also ensure information is properly handled and secured. 6. Conclusion. Information Assurance is paramount as the overarching discipline that encompasses Information Security, Computer Security, Network Security and Physical Security. IA incorporates the elements of each type of security into a

1-4

layered defense that ensures information is readily accessible where and when we need it. Figure 1 illustrates this Defense in Depth concept.

Figure 1:

Information Assurance - Defense in Depth

1-5

CHAPTER 1 INFORMATION ASSURANCE OVERVIEW SECTION 3 WHY IS INFORMATION ASSURANCE IMPORTANT? 1. Background. In 1996, pursuant to a congressional request, the Government Accounting Office (GAO) reviewed the extent to which DoD computer systems experience attack. The GAO analyzed the potential for further damage to DoD computer systems and challenges in securing sensitive information on its computer systems. a. DoD relies on a complex information infrastructure to design weapons, identify and track enemy targets, pay soldiers, mobilize reservists, and manage supplies. b. Use of the Internet to enhance communication and information sharing has increased DoD exposure to attack, since the Internet provides unauthorized users a means to access unclassified DoD systems. c. While the DoD information available on the Internet is unclassified, it is sensitive and must be restricted. d. Only about 1 in 500 attacks is detected and reported, but the Defense Information Systems Agency (DISA) estimates that DoD is attacked about 250,000 times per year. e. Attackers have stolen, modified, and destroyed data and software, disabled protection systems to allow future unauthorized access, and shut down entire systems and networks to preclude authorized use. f. Security breaches pose a serious risk to national security because terrorists or U.S. adversaries could disrupt the national information infrastructure. g. Security breaches cost DoD hundreds of millions of dollars annually. h. DoD needs to increase the resources devoted to computer security, update the policies that govern computer security, and increase security training for system and network administrators. 2. Doctrine. Reference (a) defines IA requirements for all DoD components, and reference (b) provides DoD guidance for IA

1-6

implementation. For DoN specifically, references (c) through (f) promulgate Navy IA, IA Workforce (IAWF) Improvement, and INFOSEC policy. Numerous other instructions, directives, bulletins, and policy documents further define and codify the requirements for all Navy units to have a robust IA program.

1-7

CHAPTER 1 INFORMATION ASSURANCE OVERVIEW SECTION 4 HOW DO WE BUILD A ROBUST INFORMATION ASSURANCE PROGRAM? 1. Facets of IA. As with any other shipboard program, multiple actions and persistent oversight must exist to establish a robust IA program. This chapter addresses four core areas of IA: Administration, Personnel, Training, Operations, and Monitoring and Assessment. 2. IA Administration. One of the principal enablers of any successful program is meticulous record-keeping and adherence to published procedures. Myriad instructions, bulletins, technical documents, and other publications provide requirements and guidance for properly maintaining an IA program. For Commanding Officers, two key documents are reference (c), OPNAVINST 5239.1C and reference (d), SECNAV M-5239.1. These documents provide a concise overview of the DoNs implementation of DoD IA requirements. Additionally, reference (c), paragraph 8.k, outlines the duties of Commanding Officers with regard to IA. 3. Command Security Instruction. Reference (f), exhibit 2A requires all commands to publish a command security instruction and provides specific guidelines for development. 4. IA Documentation. The key to a robust IA program is maintaining accurate documentation of command information systems. A well-organized, well-maintained command IA binder will help ensure command cyber systems are being maintained in the optimal state of security and readiness. The IA binder should contain: a. Configuration management records. As-built network diagrams, combined with documentation of all approved modifications to the configuration baseline will ensure that all potential points of vulnerability are identified. See reference (g), NIST Special Publication 800-128 for more details on configuration management requirements. b. Certification and Accreditation (C&A) Documentation. Every DoD network goes through a process of certification and accreditation before it can connect and operate on the Global Information Grid (GIG). The C&A process provides detailed configuration information to the DoNs Designated Approving Authority (DAA), allowing them to verify that a proposed network complies with DoD IA requirements. A networks C&A paperwork

1-8

exists as the definitive document required in obtaining and/or renewing an Authority to Operate (ATO) for the network. (1) ATO. The ATO is a document provided by the DoN DAA and Systems Command Program Manager that grants specific permissions to connect and operate a given information system based on a satisfactory DoD IA Certification and Accrediation Process (DIACAP) score. Once granted, an ATO is valid for a maximum period of 3 years. (2) IATO. An IATO is a temporary ATO that allows a command to operate while simultaneously resolving known vulnerabilities. Once granted, an IATO is valid for a maximum period of 6 months. (3) Knowing in advance that an ATO/IATO renewal is due, IAMs must be proactive in submitting the required documentation to maintain network operations. A good rule of thumb is that requests for ATO/IATO renewal should be submitted at least 6 months prior to the expiration of the existing ATO/IATO. Meticulous record keeping of existing ATO/IATOs and approved system configuration changes makes the process of recertification significantly easier. See reference (h) and (i) for more details on C&A process. See references (j) through (l) for more details on obtaining ATO/IATOs. c. IA Vulnerability Management (IAVM). Navy Cyber Defense Operations Command (NCDOC) constantly reviews Navy cyber systems for new or existing security vulnerabilities. When a new vulnerability appears discovered, NCDOC will issue an IA Vulnerability Alert (IAVA) or Information Assurance Vulnerability Bulletin (IAVB). In conjunction with these messages, NCDOC will release an updated set of electronic definitions to be used with the Secure Configuration Compliance Validation Initiative (SCCVI) network scanning tool to scan shipboard networks for these vulnerabilities. For further guidance, see: (1) Reference (m) for Space and Naval Warfare Systems (SPAWAR) scanning and patching procedures. (2) Computer Tasking Order (CTO) 08-005 and 11-16a for DoD/DoN specific scan guidance. (3) United States Cyber Command (USCYBERCOM) Fragmentary Order (FRAGO) 11 for additional audits guidance.

1-9

(4) Reference (n) for Retina Engine Updates/Downloads. (5) Reference (o) for DoN IAVA Patch reporting NonSecure Internet Protocol Router Network (NIPRNET). (6) Reference (p) for DoN IAVA Patch reporting Secret Internet Protocol Router Network (SIPRNET). (7) Reference (r) for CTO/IAVA Patch Compliance Reporting. (8) Reference (s) for SPAWAR Patch repository NIPRNET. (9) Reference (t) for SPAWAR Patch repository SIPRNET. (10) Reference (u) for DoD/DISA Patch/Plan of Action and Milestones (POA&M) reporting NIPRNET. (11) Reference (u) for DoD/DISA Patch/POA&M reporting SIPRNET. d. Navy Telecommunications Directives (NTDs)/ CTOs/Patches/Fleet Advisory Messages (FAMs). NTDs generally address larger policy or overall operational aspects of cyber operations. CTOs issue specific tasking with regard to such things as setting Information Operations Condition (INFOCON) levels or establishing new information security procedures. How the system is patched depends on whether it is a program of record (PoR) or not. For PoRs, it is a six-step process: (1) A commercial vendor announces a patch for a known vulnerability. (2) USCYBERCOM analyzes the vulnerability, and if it finds the vulnerability has the potential to impact DoD operations, issues an IAVM notice in the form of IAVA/IAVB. (3) NCDOC issues a vulnerability message, based on the IAVM notice, to the DoN commands. (4) The PoR program manager (PM) tests the patch to verify it does not adversely affect system operation and then releases the patch for use. (5) DoN command receives an announcement via broadcast message from the PM that the patch is available.

1-10

(6) DoN command applies the patch to the system. For non-PoRs, the command downloads the patch directly from the vendor when directed via broadcast message by NCDOC. Most systems in the Fleet are PoR. The following references provide further guidance on Tactical Directives (TD): (a) References (q) and (v) for Navy CTOs. (b) References (w) and (x) for DoD CTOs. (c) References (r) for SPAWAR FAMs. (d) Reference (y) for NTDs. e. Command IA Plan. Each command is responsible for publishing a command-level IA plan. The IAM develops the plan based on doctrine and has overall responsibility for implementing it once it is signed by the Commanding Officer. The IA Plan should include guidance and reporting for: (1) Incident Handling and Response. (2) IAVM (Antivirus, IAVA, Universal Serial Bus (USB) Detect). (3) Information Assurance Workforce (IAWF) (Training and Certification). (4) Tactical Directives (CTO/NTD/FAM/FRAGO). (5) Command IA Policy. (6) Security Technical Implementation Guidelines (STIGs) (Host-Based Security System (HBSS), Traditional Security, and Network Policy). (7) Configuration Management. (8) DIACAP (ATOs/IATOs/PITs). (9) Command POA&M. Note: A softcopy repository Command IA Reports (8 O'Clocks, Monthly Updates, Semi-Annual STIG Compliance Reports, etc.) should be maintained separately the by IAM. See enclosure (14) of this instruction for detailed reporting guidance.

1-11

f. System Access Authorization Requests (SAARs). Each user of a DoD information system must complete a SAAR for each system he or she will use. Included in the SAAR is the security classification level of the system and the clearance level of the individual. SAARs also contain the user agreement for proper use of government information systems and provide guidelines for appropriate use. In the approval process, the SAAR is accompanied by a copy of the individual users certification of completion of the annual IA refresher training requirement. Completed SAARs and IA training certificates should be maintained by the IAM for all users assigned to the command and for all visitors to whom system access has been granted. See reference (z) for further guidance. 5. IA Personnel. IA Personnel are key individuals within the IAWF who manage the day-to-day operations of a command-level IA program: a. The Deployed Designated Approving Authority (DDAA). Reference (c), paragraph 8.K assigns responsibility to Commanding Officers, Commanders, Officers-in-Charge and Directors in their role as local IA authorities. It states that in coordination with the Office of Designated Approving Authority (ODAA), when the unit is deployed, they serve as the DDAA. b. Commanding Officers, Commanders, Officers-in-Charge and Directors (acting as DDAA) must ensure information systems are compliant with DoD IA requirements per references (a), (y), and (aa) and Defense Information Systems Network (DISN) policy and procedures. Information systems under their command must be maintained in accordance with the authorized configuration. Any deviations from the authorized configuration or failure to comply with IA requirements are only permitted if approval is given by Navy ODAA U.S. Fleet Cyber Command (FLTCYBERCOM). c. The DDAA authority is intended to be used only in unusual circumstances when operational circumstances prevent obtaining authorization from FLTCYBERCOM prior to making a change to an information system. It is intended to give the Commanding Officer the authority to respond to casualties or urgent operational requirements. It is not meant to be used to circumvent normal approval processes for the sake of operational convenience or expediency. For example, it would be improper to use the DDAA authority to authorize the installation of software on the shipboard network that was not on SPAWARs approved

1-12

products lists or to authorize connection of an information system that had not been accredited by the DoN ODAA. d. If a Commanding Officer of a deployed unit does exercise the DDAA authority, the Commanding Officer must inform FLTCYBERCOM as soon as operationally feasible of the authorized deviation per Navy Telecommunications Directive (NTD) 07-09. DDAA training may be found in reference (ab). e. The Command Security Manager (CSM) is responsible to the Command Security Officer for running the commands traditional security program. CSM closely works with IA Manager (IAM)/IA Officer (IAO) to ensure that Information Systems Security Management (ISSM) is established and maintained. f. IAM is designated in writing by the DDAA and is responsible for the overall operation and management of the commands/ships IA program. The IAM should be Navy Enlisted Classification (NEC) 2779 qualified, U.S. citizen designated by the Commanding Officer/DDAA, and assume responsibilities per reference (b), section 5.9 and reference (e). Specific duties of the IAM include: (1) Act as primary IA technical advisor to the Commanding Officer. (2) Maintain IA oversight of the ships networks and changes that may affect IA posture. (3) Develop and maintain the command IA program to provide adequate security for all associated assets. (4) Ensure all information ownership responsibilities are established. (5) Ensure security events are properly investigated, and incidents are reported and coordinated with NCDOC per references (ac) and (ad), and response measures completed as directed. (6) Proactively use IA tools to do the commands part in protecting networks. Ensure IA controls are in place as outlined in DISA STIGs, IAVAs, IAVBs and CTOs. (7) Be familiar with, and use all applicable websites and IA doctrine to stay current with IA issues.

1-13

(8) Provide IA and network security training for all users. (9) Ensure all personnel with privileged systems access (system administrators) have all required training and are designated in writing. (10) Ensure all command networks are certified, accredited, and have a valid ATO, or Platform Information Technology (PIT) Risk Assessment (PRA) for designated PIT systems, and that they are maintained according to their IA C&A documentation. (11) Maintain accurate configuration and compliance records for all networks. (l2) Observe shipboard information processing practices and ensure the Commanding Officer and command leadership are aware of the commands IA climate. g. The IAO works directly for IAM and is focused primarily on INFOSEC. Each IAO, in addition to satisfying all responsibilities of an Authorized User, shall assist the IAM in accordance with reference (b), section 5.10 and reference (e) section 1.8.6. to include: (1) Ensure that all users have the requisite security clearances and supervisory need-to-know authorization, and are aware of their IA responsibilities before being granted access to the DoD information system. (2) Per reference (ad), in coordination with the IAM, initiate protective or corrective measures when an IA incident or vulnerability is discovered. (3) Per reference (g), ensure that IA and IA-enabled software, hardware, and firmware comply with command security configuration change guidelines. (4) Per reference (ae), ensure that DoD information system recovery processes are monitored and that IA features and procedures are properly restored. (5) Ensure that all DoD information system IA-related documentation is current and accessible to properly authorized individuals.

1-14

(6) Implement and enforce all DoD information system IA policies and procedures. h. The CSM and IAO must be designated in writing by the Commanding Officer/DDAA. 6. IA Training. A commands IA program is only as good as the people who manage it. Ensuring that both operators and managers have the proper training is therefore critical to the ships INFOSEC posture. 7. IAWF Improvement Program (IA WIP). Reference (af) specifies that all personnel who work on DoD information systems must be trained and certified at various levels commensurate with the level of their network privileges; reference (e) provides specific Navy guidance. The DoNs NEC 2790 and 2791, and the IA PQS levels 300 through 304 provide the training and certification for DoN personnel to comply with the DoD requirements. Reference (ag) provides CYBERFOR IAWF guidance for implementing a command level program and details on obtaining IAWF certifications. The command IAM is responsible for managing the commands IA WIP. IAM is directly responsible to DDAA to ensure: a. IAWF personnel are properly appointed in writing.

b. IAWF personnel are identified, and training progress tracked, in the Total Workforce Management System (TWMS). c. IAWF personnel obtain certification requirements for their appointed IAWF positions. d. IAWF personnel participate in a continuous training program to ensure the skills they acquire are practiced on a regular basis. 8. Periodic Training. In addition to specific skills training, DoD also requires that all IAWF and general users of information systems undergo annual refresher training, both in physical security and in IA Awareness. IAM and CSM must ensure that these training programs are in place at the command level. 9. IA Operations. Maintaining shipboard information systems at peak security and readiness requires vigilance and proactive management by system users and administrators alike. Users must always be aware of and follow the guidelines for safe and proper use of information systems. Users should be on the lookout for

1-15

and report any perceived problems or inconsistencies in system operations. Continued discussion and reemphasizing of IA training at all levels will help ensure users do not become complacent. In addition, systems administrators (SA) perform a range of other tasks to ensure the commands/ships networks are being properly maintained. SAs should use a daily checklist similar to enclosure (6) to ensure that ships information systems are maintained in an optimum state of readiness and security. a. IAVM Scanning. SAs are required to conduct monthly Secure Configuration Compliance Validation Initiative (SCCVI) scans to identify security vulnerabilities. The results of these scans must be uploaded to the DoNs Vulnerability Remediation Asset Management (VRAM) database. See reference (m) and CTO 08-05 and 11-16a for further guidance. b. IAVM Patching. IAVM patches are released by PoR Program Office to resolve security vulnerabilities, VRAM results provide SAs with a list of approved patches to apply to hosts; as such, SAs are required to maintain 100% patch accountability (ie: patch applied successfully or reported as a false-positive) for all patches older than 30 days. Once patches are successfully applied to all hosts, additional scans should be conducted to ensure that all patches were successfully applied. Any patches that do not install properly should be reported to the system PM office via trouble-ticket. See references (r) and (s) to submit web-based trouble-tickets for PoR systems. c. Fleet Advisory Messages (FAMs). FAMs are disseminated by SPAWAR to provide commands with important information regarding system configurations and vulnerabilities, including resolutions and work-arounds. Implementing FAMs should be carefully managed by the command configuration management process to ensure that any configuration changes reflect an acceptable balance between operational capability and system security. d. The processes of scanning, patching, and applying FAMs are critical to maintaining PoR systems security posture. e. USB Scans. CTO 08-08, issued in December of 2008, prohibited the use of all unauthorized USB devices on Navy networks. Found at reference (n), Naval Support Activity (NSA) developed a USB Detect tool that scans network hosts for unauthorized USB activity. To ensure accountability of USB usage, USB scans should be conducted weekly by SAs under

1-16

supervision of IAM or IAO. When questionable USB activity is discovered, SAs must take follow-on action to identify and locate the device used and determine if incident handling and/or reporting to NCDOC is required. The Command IA Policy and account user forms should clearly state permitted and prohibited USB use and provide appropriate enforcement authority to IAWF Personnel. As with SCCVI scans, a common problem with USB scan results include: (1) Improper administrative configuration. (2) Connectivity issues. (3) Registry keys are not routinely reset when a USB event is detected. f. Security Technical Implementation Guides (STIG). DISA publishes STIGs for common network configuration and security requirements that specify how components should be configured to minimize the risk of vulnerability exploitation on the affected network. SAs should complete/verify all STIGs that apply to their information systems components on a semi-annual basis. Note that some STIGs require component modifications that are beyond ships force capability; however, it is still incumbent upon the ship to recognize STIG non-compliance and defer these changes to the Inservice Engineering Activity (ISEA) for appropriate action. See reference (ah) for a comprehensive list of DISA STIGs. g. Antivirus Definitions. Just like system patches, computer antivirus systems have definition files that must be updated. Per INFOCON 3, Antivirus definitions are updated weekly, but they may come out more frequently if a critical threat is discovered. SAs must ensure that their networked systems are configured to automatically download and distribute the antivirus updates, and check frequently to verify the update process is applied to all applicable hosts. IAM/IAOs should verify antivirus definitions are up-to-date using the Symantec Control Console on a weekly basis. Antivirus definitions must also be updated for stand-alone systems, such as PIT systems. See references (s), (v), (x), and (ai) through (ak) for antivirus patches and updates. h. Network Administration. The process of creating and managing user accounts on shipboard networks is instrumental to maintaining network security. Administrators must scrupulously adhere to the commands procedures for creating and documenting

1-17

accounts for new users. When a user leaves the command, SAs should disable the user account, maintain the account inactive for a period of 1-year, and then permanently delete the account. The 1-year period ensures that an account can be reactivated for investigational purposes. As they create accounts, SAs must ensure they are providing only the level of access required by the user to perform his/her job. Additionally, any access above Authorized User requires IAM approval. See reference (b), (e), (z), (aa), and (af) for guidance on user account management. i. Password Management. Another area of large impact is password management. Current network configurations require passwords to be complex and changed periodically per the latest Information Operations Condition (INFOCON) message found at references (al) and (am). IAM/IAO/SAs shall conduct periodic account audits to ensure that there are no default/group usernames and passwords being used by personnel. Default/Group accounts (excluding group email accounts) generated by ships force shall be disabled immediately. j. Remote Account (Password) Management. SYSCOMs, Fleet Systems Engineers, and other outside activities often maintain default usernames and passwords on systems for easy remote access when required for troubleshooting, maintenance, and monitoring. However, doing so poses a critical vulnerability to ships systems; therefore, IAMs shall maintain a strict password renewal and storage policy to ensure that remote access to shipboard systems is properly controlled. This includes periodic remote access password changes and proper storage for centralized dissemination by IAM/IAO to outside entities only when required for authorized work. During usage of a remote account, SAs shall actively monitor the connection. This includes being cognizant of remote maintenance activities that are being performed by supporting organizations and monitoring audit logs to verify that unauthorized remote access activity is not taking place. SAs shall report completion of remote access to IAM and then immediately change the remote account password per Information Operations Condition (INFOCON) requirements and store per reference (f). Latest INFOCON message may be found at references (al) and (am). k. Backup/Recovery. Network systems invariably crash. If backups are not conducted properly, critical data may be lost; therefore, it is essential that SAs maintain a daily and weekly program for backing up system data per System Technical Manuals and INFOCON requirements. Restoration is another critical component of this process. While logs may indicate that backups

1-18

are successful, testing the backup with periodic restorations is crucial to ensure the data is preserved. PoR System Technical Manuals can be found at references (r) and (s). Latest INFOCON message may be found at reference (al) and (am). 10. IA Monitoring & Assessment. Reference (ac) directs that all DoN IA programs must be periodically evaluated for effectiveness. Evaluation must take place at all levels, from the duty SA to the applicable DoN oversight agency to ensure DoN information systems continue to adapt to an ever-changing threat environment. The adage that, You get what you inspect, not what you expect, and, Trust but verify, are nowhere more true than in the realm of IA. Commands with the best IA assessment and monitoring programs are those best equipped to operate and defend in the cyber domain. a. IA Quick Look. Enclosure (13) provides 10 questions Commanding Officers should ask to get a quick overview of cyber readiness for their ship. The Quick Look touches on all areas of IA and can justify the implementation by management of more exhaustive processes necessary for maintaining the ships cyber readiness posture. b. Periodic Reports. DoN IA regulations require specific periodic reports for IAVA compliance and USB scan results. Commands must develop their own IA readiness reports to ensure that command leadership is continuously aware of the IA posture of their systems. Enclosure (14) lists a minimum set of reports for Commanding Officers to review periodically to get a sense of the overall cyber-health of their command. c. Spot Checks. Shipboard IA programs encompass a wide array of auditable tasks. From the various documentation requirements to network scans to configuration management to everyday operations, there are many areas where Commanding Officers, Executive Officers, IAMs and other leaders can delve in to a particular area to ensure their IA program is on track. The check sheets in Enclosures (1-11) provide specific items to check in several key IA areas. d. Zone Inspections. The shipboard zone inspection program is a great place to engage the ships INFOSEC team. In addition to looking at spaces for physical/information/personnel security issues, inspectors should assess personnel level-of-knowledge of IA security requirements. Enclosure (12) provides suggested items to be reviewed during zone inspections.

1-19

e. Blue Team Visits. Navy Information Operations Command (NIOC) provides personnel trained in computer network threat assessments and vulnerability analysis to visit commands and provide an analysis of their networks cyber-readiness condition. Because they are trusted agents, the Blue Team has access to ethical hacker tools that provide a significantly more detailed report of network status than those authorized for use by ships force. Blue Team visits should be requested via official broadcast message to FLTCYBERCOM to help ensure that the commands IA program remains on track. f. Cyber Security Inspection and Certification Program (CSICP). The CSICP is the DoNs process of formally inspecting shipboard IA posture based on DoD, DoN, DISA, and National Institute of Standards and Technology (NIST) standards. The shipboard Cyber Security Inspection (CSI) follows the same format and guidelines as the Command Cyber Readiness Inspection (CCRI) that DISA performs for shore commands. The CSI should be integrated into the ships Fleet Readiness Training Plan (FRTP) and is required as part of renewing the ships network ATOs. Notification of the CSI schedule for a ship normally occurs 120 days prior to the actual inspection. If the ship has a robust and vital IA program, preparation for the CSI should cause minimal impact. Notification of the CSI schedule occurs when the schedule message is released, notionally 5-6 months prior to the inspection. FLTCYBERCOM OCA will contact the ship 90 days prior to the inspection to begin coordination. Blue Teams and CYBERFOR assistance teams will help to ensure readiness and can fairly accurately predict CSI performance. Outside assistance aside, the very best preparation for the CSI is daily vigilance and attention to detail in all areas of cyber-readiness. Sections (5) through section (8) are designed to assist command leadership and IA personnel in preparing for the CSI. They are provided here for ease of access. An overview of the three phases of CSICP appears below: (1) Stage I: Administrative Review. This is a nominal 1-day review, scheduled and conducted by your ISIC. This review will consist of an internal program review of administration, leadership engagement, and training. Upon successful completion of Stage I, a command will be determined ready to progress to a Stage II unit level assessment to be conducted within the following 12-month period. (2) Stage II: Unit Level Training and Assessment. This is a nominal 3 to 5 day, graded assessment (advise and assist format) scheduled and executed by CYBERFOR and Echelon II

1-20

Commanders. This assessment will include a review of Stage I, plus an additional in-depth assessment of network security, physical security and all five IA Facets: Administration, Training, Personnel, Operations, and Monitoring and Assessment. For afloat commands, any similar assessments conducted as part of FRTP will be incorporated into Stage II to eliminate redundancy. Upon successful completion of Stage II, a command is determined ready to progress to the Stage III, a comprehensive inspection to be scheduled and conducted within the following 12-month period. (a) Pre-CSI Training and Assist Visits. CYBERFORs Pre-CSI Training and Assist Team, CYBERFOR N41, provides IA program training and assistance as a subset of a ships CSICP Stage II. (b) These visits are valuable for identifying shipboard IA program deficiencies for ships force action prior to a Stage III inspection. (c) Stage III: Cyber Security Inspection. This is a nominal 5-day comprehensive graded inspection involving all cyber security areas; specifically, leadership engagement, physical security, administration, training, network configuration, and network operations. This inspection will be scheduled and conducted by FLTCYBERCOM inspection teams and is structured to replace the DISA CCRI. As CSICP matures, several Stage III inspection teams will be assigned to select Echelon II Commanders to conduct inspections on behalf of FLTCYBERCOM using the same established process. Stage III inspections will result in a grade and will measure cyber security compliance and identify operational risks to command and control, communications, computer and combat systems, and the GIG. Upon successful completion of Stage III, a command will be certified for operational status. For accreditation purposes, this certification will meet the DoD activity IV (IA sustainment) annual review requirement.

1-21

CHAPTER 2 CSI PREPARATION GUIDES SECTION 1 COMMANDERS GUIDANCE 1. Summary. You are highly encouraged to conduct a self assessment of information systems, within your area of authority, in preparation for the scheduled FLTCYBERCOM directed Cyber Security Inspection (CSI). The completion of a self assessment utilizing the checklists, tools, and processes referenced in this document will also meet the requirements for CC/S/A self-conducted compliance assessments listed in CJCSI 6211.02C and in the Joint Common IA Assessment Methodology (JCIAAM). 2. CSI Background. A CSI is a methodology that expands upon the original NIPRNET and SIPRNET Compliance Validations as mandated in the CJCSI 6211.02C. The CSI program inspects network security compliance with DoD IA policies, NIST configuration management requirements, and DoD 8570.01-M IA WIP requirements. 3. Requirements. Ensure that a comprehensive self-assessment meets all of the criteria that will be evaluated during a formal CSI. The self-assessment will reveal areas which require corrective action and remediable that can be accomplished by ships force, as well as any program of record or physical security shortfalls that require external assistance to address and correct documentation of these shortfalls (via casualty reports (CASREPs) or other formal message traffic) is appropriate. The following components comprise a complete CSI, and each is completed by utilizing the latest version of the corresponding DoD STIG Checklist and applicable enterprise IA Tools. This checklist offers a simple self-assessment questionnaire to provide you and your Information Assurance Manager (IAM) a starting point for discussing the health and status of the commands network. It also represents the baseline of information you will need to provide for any CSI or network inspection. 4. Overview. CSIs and network inspections generally focus on four primary areas: a. Program Administration.

b. Physical Security (sometimes reference to as Traditional Security). 2-1

c. d.

Network Configuration. Network Operations and Behavior.

5. Checklist. An affirmative response and understanding of the questions below will prepare you for a successful CSI. a. Program Administration

(1) Do we have appointment letters for our network security team (IAM, IAOs, etc)? (2) Have we verified that Privileged Access Users have signed Information System Privileged Access Agreement Letters on file? (3) Have all personnel completed the mandatory annual Information Assurance training by the required due date? If not, what is the plan for getting us there? (4) Have all command personnel received OPSEC training and when was it completed? (5) Do we have signed Memorandums of Agreement or Understanding with all tenant commands connected to our network, if applicable? (6) Are our tenant commands also in compliance with DoD and DoN standards, if applicable? (7) Have we completed the Vulnerability Scan Coordination Memo to provide to the FCC OCA inspector? b. Physical Security

(1) Is our Physical Distribution System (PDS) certified and are the documents up-to-date and available for viewing by the inspection team? (2) Were IDS alarm systems installed and maintained by U.S. citizens who were subjected to a trustworthiness determination in accordance with DoD 5200.1-R? (3) Are IDS monitoring stations supervised continuously by U.S. citizens who have been subjected to a trustworthiness determination in accordance with DoD 5200.1-R? 2-2

(4) Is a program established to ensure safes, vaults, and secure rooms are properly managed? Ensure only GSA approved security containers are being used; ensure combinations are changed as required; ensure all forms, Standard Form (SF) 700 and SF-702, are properly completed; ensure repairs are conducted correctly? (5) Are individuals granted access to classified materials notified of applicable handling instructions? This may be accomplished by a briefing, written instructions, or by applying specific handling requirements to an approved cover sheet? (6) Are security checks being performed at the close of each working day to ensure all areas are secure? SF 701, "Activity Security Checklist," shall be used to record such checks. An integral part of the security check system shall be the securing of all vaults, secure rooms, and containers used for the storage of classified material; SF 702, "Security Container Check Sheet," shall be used to record such actions. In addition, SF 701 and 702 shall be annotated to reflect after-hours, weekend, and holiday activity. (7) Do all vaults and secure rooms meet all requirements of DoD 5200.1R Appendix 7? (8) Do we have approval or waiver letters for Open Secret Storage in spaces where classified information is processed or where a PDS may not be in place? c. Network Configuration

(1) Does our Network Topology Diagram accurately reflect our current architecture and is it available for review? Does it meet NTD requirements? (2) Do we really know the actual number of devices connected to our network? Really know? [Hint: Your IAM can run a RETINA Discovery Scan to find this out]. (3) Are our Access Control Lists (ACLs) for our routers, switches, and firewalls ready for an inspector to review? Do they reflect the currently published IP Block Lists?

2-3

(4) Are the proper ports opened on our network per COMNAVNETWARCOM CTO 08-08, IP SONAR Mapping of Classified Networks? (5) What vulnerabilities were identified that we were unable to patch or mitigate? d. Network Operations and Behavior

(1) On what date was the last monthly scan conducted using RETINA? Are we sure we are scanning with the most recent scan engine? Are all scans conducted using the proper accesses? (2) Are we reviewing VRAM scan results on a monthly basis? Who validates that noted vulnerabilities have been corrected? Is this a formalized, documented process? (3) Has a POA&M been entered into VMS for all uncorrected vulnerabilities? (4) Have we informed the DAA/DDAA about our uncorrected vulnerabilities? (5) Have the latest anti-virus updates been downloaded and installed to all systems onboard the ship? (6) Have any new USB devices been detected on the networks? Where? (7) Are there any CND incidents currently open with either NCDOC or the CNOC? If so, what is the status and estimated time of restoral for resolution? (8) Is there any equipment that needs to be repaired? Have we CASREPed the affected equipment? (9) Have any configuration changes been made to the network since my last spot check? e. Previous Inspections

(1) What inspections have been completed on the network in the last 12 months? (2) Have we corrected all vulnerabilities found from the inspection?

2-4

(3) Do we have a mitigation plan in place for those findings that cannot be immediately corrected? (4) Is our ISIC aware of the inspection results? f. Points of Contact Who are our points of contact at

(1) OPERATIONAL: FLTCYBERCOM?

(2) READINESS: Who are our points of contact at Navy Cyber Forces (C5I TYCOM)? (3) When was the last time we communicated with them?

2-5

CHAPTER 2 CSI PREPARATION GUIDES SECTION 2 INFORMATION ASSURANCE MANAGERS GUIDANCE 1. Summary. A best practice is to conduct a self assessment of information systems, within your area of authority, in preparation for the scheduled FLTCYBERCOM directed Cyber Security Inspection (CSI). The completion of a self assessment utilizing the checklists, tools, and processes referenced in this document will also satisfy the requirements for CC/S/A self-conducted compliance assessments listed in CJCSI 6211.02C and in the Joint Common IA Assessment Methodology (JCIAAM). 2. CSI Background. A CSI is a methodology that expands upon the original NIPRNET and SIPRNET Compliance Validations as mandated in the CJCSI 6211.02C. The CSI program inspects network security compliance with DoD IA policies and configuration requirements, the health of the network from a security viewpoint, and DoD 8570.01-M Information Assurance Workforce Improvement Program requirements. 3. Requirements. A through self assessment must be aligned with the formal CSI components and criteria. 4. Requirements. The CSI components are listed below for your reference with URLs to the specific checklists and tools utilized during the CSI. a. Latest STIGs: http://iase.disa.mil/stigs/stig.

b. Latest STIG Checklists: http://iase.disa.mil/stigs/checklist. (1) Network Infrastructure. (2) Network Infrastructure STIG. (3) Network Infrastructure Checklist. (4) Domain Name System (DNS) Configuration. (5) Domain Name System STIG. (6) Domain Name System Checklist.

2-6

(7) Domain Name System (DNS) Operating Systems Windows. (8) Microsoft Windows STIG. (9) Microsoft Windows 2003 Checklist. (10) Microsoft Windows 2000 Checklist. c. Gold Disk [DISA]: login required). d. https://patches.csd.disa.mil (CAC

Domain Name System (DNS) Operating Systems UNIX (1) UNIX Operating System STIG. (2) UNIX Operating System Checklist.

(3) SRR Scripts: http://iase.disa.mil/stigs/SRR/unix.html. e. Internal Vulnerability Scans

(1) DoD Enterprise SCCVI Tool Currently: eEye Retina IAVM https://powhatan.iiie.disa.mil/tools/sccvi/updates (CAC login required). (2) Configuration Requirements/Checklist https://powhatan.iiie.disa.mil/tools/sccvi/documentation/checkli st_for_successfully_running _eeye_retina.pdf. (3) National Security Agency software suite (Blue Scope for Windows), Dark Ether (Unix and Infrastructure devices). (4) Network packet capture (Snort, PERL scripts, manual analysis). f. Wireless Security (1) Wireless STIGs. (2) Wireless Checklist. (3) Blackberry Security Checklist. (4) Windows Mobile MWES Security Checklist.

2-7

(5) Motorola Good Mobile MWES Security Checklist. (6) Apriva Sensa Secure WES Security Checklist. g. Enclave Review (1) Enclave STIGs. (2) Enclave Checklist https://powhatan.iiie.disa.mil/stigs/enclave-policy. h. Host Based Security System (HBSS) Review

(1) DoD IA Enterprise Solutions STIGs https://powhatan.iiie.disa.mil/stigs/app-sec-guides. (2) HBSS Checklist https://powhatan.iiie.disa.mil/stigs/app-sec-guides. i. INFOSEC/PERSEC/PHYSEC Security tools:

(1) SECNAV M-5510.36 Exhibit 2A, Command Security Instruction Requirements. (2) SECNAV M-5510.36 Exhibit 2C, INFOSEC Checklist. (3) SECNAV M-5510.30 Exhibit 10A, PERSEC Checklist. j. Cross Domain Solutions

(1) JVAP Admin Checklist https://powhatan.iiie.disa.mil/stigs/net-sec-guides/sabi. (2) Specific CDS Guard Security Checklists (TGS, ISSE, RM, SOWI, TDX, MLChat, DII) Bottom of page: https://powhatan.iiie.disa.mil/stigs/net-sec-guides. (3) Comparison of data collected from different domains that may indicate a spillage or misuse of the system. k. Releasable (REL) Demilitarized Zone

(1) REL DMZ Security Checklist: https://powhatan.iiie.disa.mil/stigs/net-sec-guides/REL-DMZChecklist-V1R1.pdf.

2-8

(2) REL LAN Security Checklist: https://powhatan.iiie.disa.mil/stigs/net-sec-guides/rel-lanchecklst-1-25-07.pdf. l. IAM/Security Officer Review

(1) Latest checklists are located at http://iase.disa.mil/stigs/checklist/index.html. (2) Tenant Command MOUs/MOAs (3) Latest DISA Enhanced compliance Validation (ECV)/Command Cyber Readiness Inspection (CCRI) or FLTCYBERCOM Cyber Readiness Inspection (CRI) results. (4) IG inspection (IA and security areas). (5) Signed designation letters for IAWF Members. (6) Foreign Nationals Administration. m. Firewalls and Routers

(1) The latest version of procedures, checklists, STIGS and scripts may be obtained from http://iase.disa.mil or https://iase.disa.smil.mil. (2) Sailor 2.1 NIPR: https://sailor.nmci.navy.mil, Sailor 2.1 SIPR: http://sailor.nmci.navy.smil.mil. (3) If your site has Windows NT servers/workstations, provide a Vault Management System POA&M indicating the plan for removal/replacement of these assets from your network. (4) IA Workforce Checklist: Appendix H. SECNAV M-5239.2, May 2009

(5) CTOs, INFOCON procedures, security policies, executive orders. n. Reporting requirements for assessment results in VMS: (1) Accounts with correct permissions in VMS. (2) Contact Navy ODAA for account request (NIPRNET/SIPRNET).

2-9

(3) Adequate VMS training: (a) For classroom training, contact edward.williams@disa.mil. (b) Web based CBT: o. https://vmscbt.disa.mil/.

Technical Support Contact Information

(1) DISA Operational Support - VMS Helpdesk: (405) 7395600 (option #3), DSN 339. (2) DISA.DODTOOLSOST@CSD.DISA.MIL.

2-10

CHAPTER 2 CSI PREPARATION GUIDES SECTION 3 SECURITY MANAGERS GUIDANCE 1. Summary. Action Officers are also highly encouraged to conduct a self assessment of information systems, for areas within their respective area of responsibility. The completion of a self assessment utilizing the checklists, tools, and processes referenced in this document will also meet the requirements for CC/S/A self-conducted compliance assessments listed in CJCSI 6211.02C and in the Joint Common IA Assessment Methodology (JCIAAM). 2. CSI Background. A CSI is a methodology that expands upon the original NIPRNET and SIPRNET Compliance Validations as mandated in the CJCSI 6211.02C. The CSI program inspects network security compliance with DoD IA policies and configuration requirements, the health of the network from a security viewpoint, and DoD 8570.01-M IAWP requirements. 3. Requirements. Your self assessment must be based on the CI criteria to ensure a comprehensive review of network security posture. Additionally, findings should be loaded into the DoD VMS to document significant vulnerabilities and address corrective actions prior to the CSI. The following reference to the specific checklists and tools utilized during the CSI are provided below. a. General guidance may be found in these reference, and on the FLTCYBERCOM CSI Web Portal: https://www.portal.navy.mil/fcc-c10f/OCA/default.aspx. (1) DoD 5200.1R. (2) DODD 8100.02. (3) SECNAV M-5510.36. (4) SECNAV M-5510.30. (5) IA PUB-5239-22/September 2008 (If PDS is installed). (6) OPNAVINST 5530.14 Series. b. The latest STIG checklists can be found at: https://iase.dis.mil/stigs/checklist. 2-11

(1) Traditional Basic Checklist. (2) Traditional DISA Checklist. (3) Traditional Common CV Checklist. (4) Traditional SCV. c. INFOSEC/PERSEC/PHYSEC review areas:

(1) Building Floor Plans (Identify areas that process/store classified information). (2) PDS Drawings if installed and certification letter. (3) Intrusion Detection System Information (drawings if available). (4) Access Controls. (5) Emergency Action Plan. (6) Key and Lock Program. (7) Anti-Terrorism Plan. (8) Visitor security procedures. (9) Procedures for end-of-work-day security checks. (10) Space Designation Letters (Secure Room, CAA, RAA, LAA). (11) Vaults and Secure rooms. (12) Classified storage and destruct plans. d. INFOSEC/PERSEC/PHYSEC self-assessment tools:

(1) SECNAV M-5510.36 Exhibit 2A, Command Security Instruction Requirements. (2) SECNAV M-5510.36 Exhibit 2C, INFOSEC Checklist. (3) SECNAV M-5510.30 Exhibit 10A, PERSEC Checklist.

2-12

e. The following industrial security (INFOSEC/PERSEC) areas will also be reviewed: (1) Appointment Letters. (2) Personnel Security Files (Military and Civilian). (3) Contractor Security Files and all applicable DD 254s. (4) SAERS/LOIs/LONs. (5) Civilian Position Designations. (6) Copies of completed self-inspections. (7) Courier Card/Letter Program. (8) Periodic Reinvestigations. (9) Foreign Nationals Program.

2-13

CHAPTER 2 CSI PREPARATION GUIDES SECTION 4 SYSTEM ADMINISTRATORS GUIDANCE 1. Summary. You are highly encouraged to conduct a self assessment of your assigned shipboard information systems in preparation for the scheduled FLTCYBERCOM directed Cyber Security Inspection (CSI). The completion of a self assessment utilizing the checklists, tools, and processes referenced in this document will also meet the requirements for CC/S/A selfconducted compliance assessments listed in CJCSI 6211.02C and in the Joint Common IA Assessment Methodology (JCIAAM). 2. CSI Background. A CSI is a methodology that expands upon the original NIPRNET and SIPRNET Compliance Validations as mandated in the CJCSI 6211.02C. The CSI program inspects network security compliance with DoD IA policies and configuration requirements, the health of the network from a security viewpoint, and DoD 8570.01-M Information Assurance Workforce Improvement Program requirements. 3. Requirements. Your self-assessment must be aligned with the CSI components as listed below, and all results should be loaded into the DoD Vulnerability Management System (VMS). This effort will allow you to address significant vulnerabilities prior to the CSI while creating a one-to-one relationship between the results of both your assessment and the CSI. The CSI components are listed below for your reference with URLs to the specific checklists and tools utilized during the CSI. a. Latest STIGs: http://iase.disa.mil/stigs/stig.

b. Latest STIG Checklists: http://iase.disa.mil/stigs/checklist/. (1) Network Infrastructure. (2) Network Infrastructure STIG. (3) Network Infrastructure Checklist. (4) Domain Name System (DNS) Configuration. (5) Domain Name System STIG. (6) Domain Name System Checklist. 2-14

(7) Domain Name System (DNS) Operating Systems - Windows (8) Microsoft Windows STIG. (9) Microsoft Windows 2003 Checklist. (10) Microsoft Windows 2000 Checklist. c. GOLD DISK [DISA]: login required). d. https://patches.csd.disa.mil/ (CAC

Domain Name System (DNS) Operating Systems UNIX (1) UNIX Operating System STIG. (2) UNIX Operating System Checklist.

(3) SRR Scripts: http://iase.disa.mil/stigs/SRR/unix.html. e. Internal Vulnerability Scans

(1) DoD Enterprise Secure Configuration Compliance Validation Initiative (SCCVI) Tool Currently: eEye Retina IAVM https://powhatan.iiie.disa.mil/tools/sccvi/updates/ (CAC login required). (2) Configuration Requirements/Checklist https://powhatan.iiie.disa.mil/tools/sccvi/documentation/checkli st_for_successfully_running _eeye_retina.pdf. (3) National Security Agency Software Suite: (a) Blue Scope (Windows). (b) Dark Ether (Unix and Infrastructure devices). f. Wireless Security (1) Wireless STIG. (2) Wireless Checklist. (3) Blackberry Security Checklist. (4) Windows Mobile MWES Security Checklist. 2-15

(5) Motorola Good Mobile MWES Security Checklist. (6) Apriva Sensa Secure WES Security Checklist. g. Enclave Review (1) Enclave STIG. (2) Enclave Checklist: https://powhatan.iiie.disa.mil/stigs/enclave-policy/. h. Host Based Security System (HBSS) Review

(1) DoD IA Enterprise Solutions STIG: https://powhatan.iiie.disa.mil/stigs/app-sec-guides/. (2) HBSS Checklist: https://powhatan.iiie.disa.mil/stigs/app-sec-guides/. i. Traditional Security (1) SECNAV M-5510.36 Exhibit 2C, INFOSEC Checklist. (2) SECNAV M-5510.30 Exhibit 10A, PERSEC Checklist. j. Cross Domain Solutions

(1) JVAP Admin Checklist. https://powhatan.iiie.disa.mil/stigs/net-sec-guides/sabi/. (2) Specific CDS Guard Security Checklists (TGS, ISSE, RM, SOWI, TDX, MLChat, DII) Bottom of page: https://powhatan.iiie.disa.mil/stigs/net-sec-guides/. (3) Comparison of data collected from different domains that may indicate a spillage or misuse of the system. k. Releasable (REL) Demilitarized Zone

(1) REL DMZ Security Checklist https://powhatan.iiie.disa.mil/stigs/net-sec-guides/REL-DMZChecklist-V1R1.pdf. (2) REL LAN Security Checklist: https://powhatan.iiie.disa.mil/stigs/net-sec-guides/rel-lanchecklst-1-25-07.pdf 2-16

l.

IAM/Security Officer Review

(1) Latest checklist located at: http://iase.disa.mil/stigs/checlist/index,html. (2) Tenant Command MOUs/MOAs (3) Latest DISA Enhance compliance Validation (ECV)/Command Cyber Readiness Inspection (CCRI) or FLTCYBERCOM Cyber Security Inspection (CSI) results IG inspection (IA and security areas). (4) Signed designation letters for IA Staff. (5) Foreign Nationals presence. m. Firewall and Routers

(1) The latest version of procedures, checklists, STIGS and scripts may be obtained from http://iase.disa.mil or https://iase.disa.smil.mil. (2) If your site has Windows NT servers/workstations, please provide the POA&M indicating the plan for removal of these assets from your network. (3) IA Workforce Checklist: SECNAV M-5239.2, May 2009 Appendix H-IA Workforce Management Review Checklist. (4) CTOs, INFOCON procedures, security policies and executive orders n. VMS POA&M Management (1) NIPRNET: (2) SIPRNET: https:///vms.disa.mil. https://vms.disa.smil.mil.

(3) Request an account through your IAM. o. Technical Support Contact Information DISA Operational Support - VMS Helpdesk: (405) 739-5600 (option #3), DSN 339, or DISA.DODTOOLSOST@CSD.DISA.MIL.

2-17

Information Security Checklist Date: Yes 1. Is the Information Assurance Manager (IAM) appointed in writing? [Command IA Policy] 2. Is the Information Assurance Officer (IAO) appointed in writing? [Command IA Policy] 3. Do the ships Secret Material Transfer Agents follow the procedures from the ships policy to transfer classified data to removable media? [CTO 10-25] 4. Is the ships a list of RMR authorized Secret Material Transfer Agents (SMTA) up to date? [CTO 10-25] 5. Is the ships a list of RMR authorized Subject Matter Experts (SME) up to date? [Command Security Policy] 6. Do the ships SMEs and SMTAs follow the procedures from the ships policy to transfer data between networks of different classification? [CTO 10-25] 7. Does the ship have an Incident Handling Policy for electronic media? [SECNAVINST M5510.36] 8. Is the IAO and LAN Division familiar with the ships policy for incident handling? 9. From a sampling of removable media on-board, are personnel properly labeling removable media? [CTO 10-25 and SECNAVINST M5510.36] 10. In observation of the topside watch(es) does the ship verify the credentials of non-ship force personnel at every request for access and escort personnel who do not meet clearance requirements? [Command Security Policy] __ No __

__

__

__

__

__

__

__

__

__

__

__

__

__

__

__

__

__

__

Enclosure (1)

Information Security Checklist cont Date: Yes 11. Has the ship completed an annual security self inspection and corrected the discrepancies (if noted) from the previous self inspection? [SECNAVINST M5510.36 & DoD 5200.1-R] 12. Has the ship completed the annual inventory of all classified and unclassified ADP equipment? [Command Security Policy] 13. Does the System Administrator maintain a record of System Authorization Access Request (SAAR) forms for the ships company and privileged users? [SECNAV INST 5239.14 (Series)] 14. Are backups installed in accordance with the ships Backup and Recovery policy? [COMPOSE Backup and Recovery Instructions] 15. Does the ship maintain a list of approved removable stowage devices? [CTO 08-08 and DISA STIG STO-ALL-030] 16. Spot check at least two files on both the the SIPRNET and NIPRNET for classification markings on the document in comparison to the content of the information. [Command Security Policy] No

__

__

__

__

__

__

__

__

__

__

__

__

Commanding Officer: Information Assurance Manager:

DISCREPANCIES MUST BE CORRECTED IMMEDIATELY AND ACTION TAKEN REPORTED TO THE COMMANDING OFFICER

Enclosure (1)

Network Security Checklist DATE: Yes 1. Is the ships IAVM Compliance greater than or equal to 90%? 2. Does the antivirus signature file age exceed 7 days? 3. Is the antivirus software scheduled to scan at least weekly? 4. Is the ship in accordance with current INFOCON requirements? [ALCOM 179-08] 5. Do passwords meet minimum complexity and password age requirements? [ALCOM 179-08] 6. Are default passwords on all network components (i.e. servers, switches, workstations) changed from manufacturer passwords? [DISA STIG NET0240] 7. When logging onto the SIPRNET and NIPRNET does a DoD login banner appear? [CTO 08-008A] 8. Review the last weekly USB Detect scan log. Are anomalies investigated promptly and remedied? 9. Are SCCVI scans uploaded to VRAM by the 20th day of the month? 10. Does the IAO ensure accounts for personnel who have transferred are removed and for personnel who have not accessed their account in greater than 30 days are disabled? 11. Are all backups verified through restoration of one or more files? 12. Has the HBSS HIPS Admin password been changed from the default password? [DISA STIG H36140] ___ No

__

__

__

__

__

__

__

__

__

__

__

__

__

__

__

__

__

__

__

__

__

__

__

__

Enclosure (2)

Network Security Checklist cont DATE: Yes 13. Does the HBSS HIPS User Interface Admin password meet password complexity requirements? [DISA STIG H36160] 14. Is the HBSS ePO component in the enforcement mode? [DISA STIG H35500] ___ No

__

__

__

__

Commanding Officer: Information Assurance Manager:

DISCREPANCIES MUST BE CORRECTED IMMEDIATELY AND ACTION TAKEN REPORTED TO THE COMMANDING OFFICER

Enclosure (2)

Certification & Accreditation Checklist

DATE:_______
Yes 1. Spot Check the ships binder of current Authority To Operate (ATO) documents. Are there expired ATOs? 2. Spot Check the ships binder of current System Security Authorization Agreement (SSAA) documents. Is the binder up-to-date for removed systems or newly installed systems? 3. Is the drawing of the ships network topology Current? [DISA STIG NET0090] 4. Spot check a ships workstation for applications that are not on the current copy of the Baseline Allowance Control (BAC). Are there applications present not on the approved BAC? 5. Review the last annual Information System Self Inspection. Are any of the discrepancies still outstanding? No

__

__

___

__

__

__

__

__

__

__

Commanding Officer: Information Assurance Manager:

DISCREPANCIES MUST BE CORRECTED IMMEDIATELY AND ACTION TAKEN REPORTED TO THE COMMANDING OFFICER

Enclosure (3)

Information Assurance Workforce Checklist


DATE: Yes 1. Do the IAO, LAN Administrator and other members of LAN Division have an Online Compliance Reporting System account? 2. Do the IAO, LAN Administrator and other members of LAN Division have an VRAM account? 3. Do the IAO and LAN Administrator have a TWMS account? [NTD 02-09] 4. Are the IAWF personnel listed in TWMS? [NTD 02-09] 5. Do the IAO, LAN Administrator and other members of LAN Division have a Naval Networks account? 6. Do members of the IAWF have required certifications? [DoD 8570-01M] 7. Have all members of the command completed the current Annual Information Assurance Training in NKO/e-Learning? 8. Does the ship have a training plan in place for IAWF personnel? [DoD 8570-01M] __ No

__

__

__

__

__

__

__

__

__

__

__

__

___

__

__

__

Commanding Officer: Information Assurance Manager:

DISCREPANCIES MUST BE CORRECTED IMMEDIATELY AND ACTION TAKEN REPORTED TO THE COMMANDING OFFICER

Enclosure (4)

Traditional Security Checklist


DATE: Yes 1. Does the ship have a command security instruction? [SECNAV Manual 5510.36] ___ No

___

___

2. Are the Command Security Manager (CSM) and Top Secret Control Officer (TSCO) appointed in writing by the CO? [SECNAV M-5510.36] 3. In observation of the quarterdeck watch(es) does the ship verify the credentials of non-ship force personnel at every request for access, and escort personnel who do not meet clearance requirements? [SECNAV M-5510.30] 4. Has the ship completed an annual security self inspection and corrected the discrepancies (if noted) from the previous self inspection? [SECNAV M-5510.36] 5. Has the ship completed the annual inventory of all classified and unclassified ADP equipment? 6. Have space certification letters been signed for all areas where classified information is processed or stored? [SECNAV-M 5510.36]

___

___

___

___

___

___

___

___

___

___

Commanding Officer: Information Assurance Manager:

DISCREPANCIES MUST BE CORRECTED IMMEDIATELY AND ACTION TAKEN REPORTED TO THE COMMANDING OFFICER

Enclosure (5)

System Administrator Checklist:


1. Review Audit Logs. Tasks

Daily

Check application log for warning and error messages for service errors, application or database errors and unauthorized application installs. Check security log for warning and error messages for invalid logons, unauthorized user creating, opening or deleting files. Check system log for warning and error messages for hardware and network failures. Check web/database/application logs for warning and error messages. Check directory services log on domain controllers. Report suspicious activity to IAO/IAM. Reference http://iase.disa.mil - Security Technical Implementation Guides (STIGs). Tools Windows Event Viewer. 2. Perform/Verify Daily Incremental Backup. Tasks Run and/or verify successful backup of system and data files. Run and/or verify successful backup of Active Directory files. Reference http://iase.disa.mil - Security Technical Implementation Guides (STIGs). Tools Windows Backup Tool. Veritas Backup Software.

Enclosure (6)

System Administrator Checklist:


3.

Daily cont

Track/Monitor System Performance and Activity. Tasks Check for memory usage. Check for system paging. Check CPU usage. Reference www.Microsoft.com - Monitoring Server performance. Tools Windows Microsoft Management Console. Performance Log and Alerts. Task Manager. System Monitor. Microsoft Operations Manager.

4.

Check Free Hard Drive Space. Tasks Check all drives for adequate free space. Take appropriate action as specified by site's Standard Operating Procedures. Reference www.Microsoft.com - Monitoring Server performance. Tools Windows Disk Defragmenter. Disk Management. Disk Quotas.

5.

Physical Checks of System. Tasks Visually check the equipment for amber lights, alarms, etc. Take appropriate action as specified by site's Standard Operating Procedures.

Enclosure (6)

System Administrator Checklist:


6. Tactical Directives Review. Tasks

Daily cont

Go to applicable websites to review for new tactical directives: o CTOs. o NTDs. o FAMs. o FRAGOs. Report applicable directives to IAM for action.

Enclosure (6)

System Administrator Checklist:


1. Review ISA Logs. Tasks Check ISA/PROXY logs. Reference Ships Network Policy. 2. Review DHCP Logs. Tasks

Weekly

Review DHCP logs on each Domain Controller in the C: winnt\system32\dhcp folder. Reference Ships Network Policy. 3. Archive Audit logs. Tasks Archive audit logs to a media device with one year retention. Reference http://iase.disa.mil - Security Technical Implementation Guides (STIGs). 4. Perform/Verify Daily Full Backups. Tasks Run and/or verify successful backup of system and data files. Run and/or verify successful backup of Active Directory files. Reference http://iase.disa.mil - Security Technical Implementation Guides (STIGs).

Enclosure (7)

System Administrator Checklist:


Tools Windows Backup Tool. Veritas Backup Software. 5. Test Backup/Restore Procedures. Tasks

Weekly cont

Restore backup files to a test system to verify procedures and files. Reference http://iase.disa.mil - Security Technical Implementation Guides (STIGs). Tools Windows Backup and Recovery Tool. Veritas Backup Software. 6. Update Anti-Virus Signature File. Tasks Download and install current Anti-Virus signature files. Reference http://iase.disa.mil - Security Technical Implementation Guides (STIGs) Downloads www.cert.mil. 7. Run Virus Scan on all Hard-Drives. Tasks Scan all hard-drives using current Anti-Virus signature files. Reference http://iase.disa.mil - Security Technical Implementation Guides (STIGs).

Enclosure (7)

System Administrator Checklist:


8.

Weekly cont

Check Sailor 2.1/Navy IASE Websites for Patch Information. Tasks Check SPAWAR approved websites to ensure correct version of scanning tools is being used. Check SPAWAR approved websites for new vulnerability information including patches and hotfixes. Reference http://iase.disa.mil - Security Technical Implementation Guides (STIGs). https://sailor.nmci.navy.mil/index.cfm. Downloads http://iase.disa.mil DoD Patch Repository www.cert.mil.

9.

Compare System Configuration Files Against a Baseline for Changes. Tasks Compare system configuration files against the baseline for: o All Servers. o Random selection of five workstations/week. Compare application executables against the baseline. o o Reference http://iase.disa.mil - Security Technical Implementation Guides (STIGs). Tools Unix Tripwire. All Servers. Random selection of five workstations/week.

10.

Run File System Integrity Diagnostics. Tasks Run diagnostic tools to detect any system problems.

Enclosure (7)

System Administrator Checklist:


Reference

Weekly cont

www.Microsoft.com - Managing Disks and Volumes. Tools Windows Disk Defragmenter. Error-checking tool. Device Manager. 11. Perform SIPR/NIPR USB Scan. Tasks Scan all nodes for evidence of USB device insertion using the USB Detect Program. 12. Perform Wireless Check. Tasks Check system for wireless devices and access. Reference http://iase.disa.mil - Security Technical Implementation Guides (STIGs). 13. Perform Server Clock/Time Synchronization. Tasks Synchronize system clock with master server. Reference http://www.microsoft.com Windows Time Service. Tools Windows Windows Time Service. Tools Unix/Windows NTP.

Enclosure (7)

System Administrator Checklist:


14. Check for Unnecessary Services. Tasks

Weekly cont

Check system services for any unnecessary services running. Reference http://iase.disa.mil - Security Technical Implementation Guides (STIGs).

Enclosure (7)

System Administrator Checklist: 1. Perform Self-Assessment Security Review. Tasks

Monthly

Review technology checklist for any changes. Run current security review tool. Import results into Vulnerability Management System (VMS). Reference http://iase.disa.mil - Security Technical Implementation Guides (STIGs). https://vms.disa.mil. Downloads http://iase.disa.mil DoD IA Enterprise-wide Tools and Software: Gold Disk (.mil only). http://iase.disa.mil IA Subject Matter Areas: Security Technical Implementation Guides STIGS: Security Readiness Review Evaluation Scripts. Tools Windows DISA FSO Gold Disk and Scripts. eEye Retina Scanner. Citadel Hercules Remediation Tool. Tools UNIX DISA FSO Scripts. eEye Retina Scanner. Citadel Hercules Remediation Tool. 2. Verify Retina Vulnerability Scan Performed (SCCVI). Tasks Verify system scanned by IAO or IAM using Retina tool to detect for vulnerabilities and upload to VRAM no later than the 20th of the month. Downloads http://iase.disa.mil DoD IA Enterprise-wide Tools and Software: SCCVI (DoD PKI cert req'd).

Enclosure (8)

System Administrator Checklist: 3. Perform Hardware/Software Inventory. Tasks

Monthly cont

Review hardware and compare to inventory list. Review software and compare to inventory list. Update VMS, where applicable. Reference https://vms.disa.mil. 4. Verify User Account Configuration. Tasks Run DumpSec tool to verify user account configuration. Verify and/or delete dormant accounts with IAO approval. Provide output to IAO team. Reference http://iase.disa.mil - Security Technical Implementation Guides (STIGs) Tool available on DISA FSO Gold Disk (Windows).

Enclosure (8)

System Administrator Checklist:


1. Change Service-Account Passwords. Tasks

Annually

Work with appropriate application administrator to ensure password changes for service accounts such as database accounts, application accounts and other service accounts are implemented. Reference http://iase.disa.mil - Security Technical Implementation Guides (STIGs). 2. Review Appropriate Security Technical Implementation Guides (STIG). Tasks Review appropriate STIGs which are updated semi-annually. Reference http://iase.disa.mil - Security Technical Implementation Guides (STIGs). 3. Review Training Requirements. Tasks Review training requirements according to DoD Directive 8570.1. Reference http://iase.disa.mil IA Subject Matter Areas: Policy and Guidance.

Enclosure (9)

System Administrator Checklist: 1. Subscribe to STIG News. Reference

Initial

http://iase.disa.mil/request-mail.html. 2. Subscribe to JTF-GNO Mailings Reference ftp://ftp.cert.mil/pub/misc/subscribe.htm. 3. Establish User Accounts with the following Web-Portals: o o o o o Sailor 2.1 (NIPRNET/SIPRNET). VRAM (NIPRNET/SIPRNET). OCRS (NIPRNET). VMS (NIPRNET). IATS (NIPRNET).

Enclosure (10)

System Administrator Checklist As Required/After Configuration Changes


1. 2. 3. 4. 5. 6. 7. Test Patches and Hotfixes. Install Patches and Hotfixes. Schedule Downtime for Reboots. Apply OS upgrades and service packs. Create/maintain user and groups accounts. Set user and group security. Subscribe to STIG News.

After System Configuration Changes: 1. 2. 3. 4. 5. 6. Create Emergency System Recovery Data. Create new system configuration baseline. Document System Configuration Changes. Review and update SSAA. Update VMS for Asset Changes. Update VMS for IAVMs.

Enclosure (11)

Cyber Zone Inspection Items


Date: ________ Yes 1. Does the space contain classified information processing systems? 2. Does the area meet the requirements for the level of information being processed? Controlled Access Area (CAA) Restricted Access Area (RAA) Open Secret Storage Area (OSS) 3. Are screens for classified systems able to be viewed from outside the space? 4. If the space is a RAA, is an access control list posted? 5. If the space is a CAA, RAA or OSS, is it protected with a GSA-approved lock? 6. Are information processing systems clearly labeled with their classifications? 7. Is there a minimum of one meter separation between classified and unclassified information processing systems? Commanding Officer: Information Assurance Manager: ___ No ___

___ ___ ___

___ ___ ___

___

___

___

___

___

___

___

___

___

___

DISCREPANCIES MUST BE CORRECTED IMMEDIATELY AND ACTION TAKEN REPORTED TO THE COMMANDING OFFICER

Enclosure (12)

COs Information Assurance Quick Look


The following ten questions will provide a basis for discussing the various aspects of cyber readiness within the command. Command leadership should address these questions and discuss the answers with the Command IAM, CSM, IAOs and SAs. Ten questions to better IA awareness: 1. Have you designated your Command Security Manager (CSM) and Information Assurance Manager (IAM) in writing, and do they have the required training for their positions? 2. Do your command security procedures provide positive access control for all spaces where classified information is stored or processed? 3. Do all of your personnel in positions of trust (IAM, Network Administrators, etc.) have the required training and certifications according to the Information Assurance Workforce (IAWF) requirements? 4. Can your IAM tell you how many computers and other IT resources are on your ship? 5. Does your IAM maintain configuration drawings of your shipboard networks? 6. Is your IAM presenting you the results of the required network scans for unauthorized USB device usage for your review? 7. Does your IAM direct monthly network scans for compliance with the Information Assurance Vulnerability Management (IAVM) program? 8. Does your IAM direct that the results of monthly scans be uploaded to VRAM, the Navy's Vulnerability Reporting and Management system? 9. Do you review the results of the monthly scans before they are uploaded to ensure 1) that all computers are being scanned, and 2) that your overall compliance remains above 90%? 10. Do you document equipment or network security shortfalls (equipment that is too old to be patched, PoR systems that are controlled by program offices) with CASREPs or other requests for outside assistance?

Enclosure (13)

Minimum Set of Periodic Reports


The following list of reports represents the minimum set of reports that all commands will generate on a periodic basis. The reports listed in this enclosure do not replace any reports that are required by other official instructions or directives. All periodic and irregular reports are to be retained on board by the IAM/IAO, with copies forwarded as required. 1. Irregular Reports

a. System Operation and Verification Testing (SOVT). Any time a cyber system is installed, the final installation step is the completion of the SOVT. Ships force personnel must sign the SOVT verifying that the system operates as designed and accepting responsibility. An important item of note is that system discrepancies can be noted as exceptions when the SOVT is completed. This is important, since systems are often installed with known vulnerabilities. Documenting all vulnerabilities and deviation from IAVA and STIG requirements as SOVT exceptions ensures the program office does not lose track of actions required to make shipboard cyber systems compliant with IA regulations. b. Cyber Incident Reports. In the event that a cyber incident occurs on the ship, IA personnel shall provide regular reports to the command team on actions taken and how the incident affects the ships IA posture and overall mission readiness. 2. Semi-annual Reports

a. Certification and Accreditation. At least twice a year, review the status of all command Authorities to Operate (ATOs). For any ATO within 6 months of expiration, the report shall indicate what actions are being taken to ensure that all ships systems will retain their accreditation. b. Network Configuration. Twice a year, review the ships network diagrams. Drawings should be up-to-date and include any changes to the network configuration that has occurred in the previous six months. Accurate network diagrams are critical to successful network management and are required for ATO renewal and CSIs. 3. Monthly Reports

a. IAWF Training. Monthly, review the status of IA training. All hands shall have completed IA refresher training within the last year. Additionally, personnel in positions of trust (system administrators, command IAM/IAO, etc.) shall be certified at the required level of IA training or will have waivers submitted.

Enclosure (14)

Minimum Set of Periodic Reports cont


b. Privileged User Training. Monthly review the list of personnel who have been granted system administrator rights on the network. These personnel shall have a valid need for this access, will be designated in writing, and shall have the appropriate level of training and qualification in accordance with IAWF guidance. 4. Bi-weekly Reports a. IAVM Reports. Every 2 weeks review the status of the ships compliance with all identified IA vulnerabilities. This report will include results of periodic SCCVI network scans and show the percentage of ships computers that have been updated with all available patches. In reviewing the IAVM report, special attention shall be taken to ensure that all computers on the network are being scanned, and that missing patches are being tracked and individual computers are being updated as necessary. 5. Weekly Reports

a. Weekly IA Status Report. Weekly, the IAM shall provide a report that gives an overview of the ships IA posture. Although less detailed than the other individual reports in this section, the IA status report provides leadership with all the data required to ensure that the ship is maintaining a proper level of cyber readiness. b. Antivirus Signatures. New antivirus signatures are typically released weekly. Every 2 weeks, network records shall be reviewed to ensure that the signature updates have been applied to all computers. As with IAVM reports, attention shall be given to the number of computers reported as compared to the number actually on the network, and all discrepancies addressed. 6. Daily Reports

a. USB Scans. Networks shall be scanned daily for unauthorized USB device usage. The results of these scans should be a part of regular daily reports. Once again, the number of computers scanned shall closely match the number of computers on the network. If any unauthorized activity is detected, follow-up actions will also be reported and action taken in accordance with the ships policy for proper use of USB devices. 7. Sample Reports. The following pages provide templates for the periodic reports delineated above. Existing report formats need not be changed as long as they provide the same information as the reports below.

Enclosure (14)

Sample Report - Certification & Accreditation


USS [Ship name] Certification and Accreditation Report (Semiannual) Date:_______________ System Name ISNS Compose 3.0.0.0 (NIPRNET) ISNS Compose 3.0.0.0 (SIPRNET) Other systems here Last ATO Date May 2009 ATO Exp Date May 2012 Next Action Submit C&A Package to ODAA Schedule vulnerability assessment Due Date Dec 2011 Action Status Assembling package

Jun 2009

Jun 2012

Nov 2011

Contacting NIOC Blue Team to schedule

IAM: _____________________ CSO: _____________________ DDAA: ____________________

Date: Date: Date:

______ ______ ______

Enclosure (15)

Sample Report - IAWF Training


USS [Ship name] IAWF Training Report (Monthly) Date:_______________ IA Qualification Name ITCS Jones IT2 Kelly Position IAM Sys Admin Rqd IA Lvl IAM IAT Level II Qual Status 90% compl 50% compl Due Date Dec 2011 Mar 2012 Waiver Req Status N/A 6-mo extension approved from Sep 2011

IAM: _____________________ Date: ______ CSO: _____________________ Date: ______ DDAA: _______________________ Date: ___________

Enclosure (16)

Sample Report - IAWF Training


USS [Ship name] IAWF Training Report (Monthly) Date:_______________ 2735-2791 Conversion Name IT2 Kelly IT3 George ADNS CBT 20Jul11 15Sep11 ISNS CBT 24Jul11 25Sep11 Security+ 12May11 2Oct11 MS 290 13Aug11 15Oct11 MS 291 3Sep11 Tst 2Nov11 Due Date 30Sep12 30Sep12 Pkg Submitted 10Sep11 --

IAM: _____________________ CSO: _____________________ DDAA: ____________________

Date: Date: Date:

______ ______ ______

Enclosure (16)

Sample Report - IAVM USS [Ship name] IAVM Report (Monthly) Date:_______________ System No. of Computers on System 55 No. of Computers Scanned 50 Total Available Patches 354 No. of Patches Applied 350 No. of Computers Below 90% 4 Average Compliance % 95%

NIPR Compose

IAM: _____________________ CSO: _____________________ DDAA: ____________________

Date: Date: Date:

______ ______ ______

Enclosure (17)

Sample Report - Weekly IA Status USS [Ship Name] Weekly IA Status Report Date:_______________ NIPR # of Servers SIPR CENTRIXS (Others)

# of Workstations Information Assurance Vulnerability Management (IAVM) Scans # Scanned Last Scan % Compliance Last VRAM Upload

Antivirus Definition Date Last Scan # Scanned Viruses Found

USB Detect Last Scan # Scanned # Authorized Use # Unauthorized Use

Enclosure (18)

Sample Report - Weekly IA Status

Backups Completed Date Tested Date

Information Assurance Work Force (IAWF) # Required Current 90-Day Projection 120-Day Projection # Completed # in Total Workforce Management Services (TWMS) Database

Authorized DFS Privileged Users

Scheduled Maint Locked Accounts

IAM: _____________________ CSO: _____________________ DDAA: ____________________

Date: Date: Date:

______ ______ ______

Enclosure (18)

Sample Report - Antivirus


USS [Ship name] Antivirus Report (Weekly) Date:_______________ System No. of Computers on System 55 AV Def Date Last Scan Date 24Oct11 No. of Computers Scanned 52 No. of Computers Out of Date 3 No. of Threats Found 0

NIPR Compose

20Oct11

IAM: _____________________ CSO: _____________________ DDAA: ____________________

Date: Date: Date:

______ ______ ______

Enclosure (19)

Sample Report - USB Scan


USS [Ship name] USB Scan Report (Daily) Date:_______________ USB Detect Version: System 3.1 No. of Computers Scanned 48 Last Scan Date No. of Instances Found 1 Action Taken

NIPR Compose

No. of Computers on System 55

24Oct11

Device identified & confiscated. Individual account locked pending further action.

IAM: CSO: DDAA:

____________________ ____________________ ___________________

Date: Date: Date:

_______ _______ _______

Enclosure (20)

Sample Report - 8 OClock Report


USS SHIP COMBAT SYSTEM 8 O'CLOCK REPORTS CDO/SDO: Date: 11/16/2011 Duty IT: NOTE: Periodicities are per PMS requirements or as stated below. * = Required periodicity LAN STATUS: PERIODIC CHECKS SYSTEM TYPE VERSION USB Detect 3.1 DATE OF ACTION HOSTS RESULTS Hosts with unauthorized devices: Hosts containing malware: Hosts failed to update: Hosts scanned with admin credentials: Patches found (fixable): Patches found (unfixable): Patches Applied (Pushed): Patches Applied (Manual): False Positives Reported w/Trouble-ticket: Log Reviews ISA (Proxy) Log Reviewed: ISA (Proxy) Log Issues: System Audit (Event) Log Reviewed: System Audit (Event) Log Issues: Y N Y N Y N Y N / Daily / / / # PERIODICITY INFOCON 3

ISNS-NIPR

Scan - USB Scan Antivirus Scan Retina Patch VRAM

11/10/2012

30/86

Weekly Weekly

Monthly* Monthly*

Enclosure (21)

Router (Ports) Log Reviewed: Router (Ports) Log Issues: Partial or Full Back-Up Required: Back-Up Successful: ISNS-SIPR Scan - USB Scan Antivirus Scan Retina Patch VRAM Hosts with unauth devices: Hosts containing malware: Hosts failed to update: Hosts scanned with admin credentials: Patches found (fixable): Patches found (unfixable): Patches Applied (Pushed): Patches Applied (Manual): False Positives Reported w/Trouble-ticket: Log Reviews ISA (Proxy) Log Reviewed: ISA (Proxy) Log Issues: System Audit (Event) Log Reviewed: System Audit (Event) Log Issues: Router (Ports) Log Reviewed: Router (Ports) Log Issues:

Back-Ups

Y N Y N P F Y N

/ / / Daily* / Daily Weekly

ISNS-SIPR

Monthly* Monthly*

Y N Y N Y N Y N Y N Y N

/ Daily / / / / /

Enclosure (21)

Back-Ups

Partial or Full Back-Up Required: Back-Up Successful: Hosts with unauthorized devices: Malware found: Host failed to update: Host scanned with admin credentials: Patches found (fixable): Patches found (unfixable): Patches Applied (Pushed): Patches Applied (Manual): False Positives Reported w/Trouble-ticket: System Audit (Event) Log Reviewed: System Audit (Event) Log Issues: Partial or Full Back-Up Required: Back-Up Successful: Hosts with unauthorized devices: Malware found: Host failed to update: Host scanned with admin credentials:

P / F Y / N

Daily*

NIAPS Server

Scan - USB Scan Antivirus

Daily Y / N Y / N Y / N Weekly

Scan Retina Patch VRAM

Monthly* Monthly*

Log Reviews

Back-Ups

Y N Y N P F Y N

/ Daily* / / Daily* /

Navy Cash

Navy Cash

Scan - USB Scan Antivirus Scan Antivirus Scan Retina

Weekly Y / N Y / N Y / N Weekly

Monthly*

Enclosure (21)

Patch - VRAM

Patch - VRAM Log Reviews

Back-Ups

Patches found (fixable): Patches found (unfixable): Patches Applied (Pushed): Patches Applied (Manual): False Positives Reported w/Trouble-ticket: System Audit (Event) Log Reviewed: System Audit (Event) Log Issues: Partial or Full Back-Up Required: Back-Up Successful:

Monthly*

Y N Y N P F Y N

/ Daily* / / Daily* /

LAN STATUS: TACTICAL DIRECTIVES TACTICAL DIRECTIVE DESCRIPTION Computer Tasking Orders CTO COMPLIANT CTOs: DELINQUENT CTOs: Comments: Fragmented Orders to USCYBERCOM WARNORD FRAGO COMPLIANT FRAGOs: DELINQUENT FRAGOs: Comments: Fleet Advisory Messages FAM COMPLIANT FAMs: DELINQUENT FAMs:

Fully Compliant

Y / N Y / N

(https://www.cybercom.mil; https://www.cybercom.smil.mil) Y / N Y / N

Y / N Y / N

Enclosure (21)

Sample Report - 8 OClock Report


Comments: Naval Telecommunication Directives NTD COMPLIANT NTDs: NTD DELINQUENT NTDs: Comments: Security Technical Implementation Guidelines (STIG) Network Policy COMPLIANT STIGs: DELINQUENT STIGs: Comments: i. CHOP:

Y / N Y / N

Y / N Y / N

IAO

IAM

COMMO

CSO

DDAA

Enclosure (21)