Connection Process Guide Banner

CUSTOMER CONNECTION PROCESS

CUSTOMER CONNECTION PROCESS

 

MissionPartner-ConnectionProcessMap-thumbnail

Click on the thumbnail image to view a larger version of the Mission Partner Connection Process.

Identify the appropriate network/service in the DISA Service Catalog at https://www.disa.mil/Network-Services.
After the appropriate network/service is identified and applicable approvals are received, the customer initiates a request for service fulfillment on DISA Storefront (DSF) at https://disa-storefront.disa.mil/dsf/logon?a=DDR&r=https%253A%252F%252Fddsf.disadirect.disa.mil%252Fkinetic%252FDisplayPage%253Fname%253DDDSF_Home. This is the ordering tool for DISN Telecommunications Business Services guide. If a circuit is ordered, DISA has a specified time to provide circuit delivery. Customers should utilize the below timelines for planning purposes when ordering circuits to minimize the time between delivery of circuit and activation of the circuit. Once a circuit is delivered, whether the customer is ready for use or not, the billing of the circuit will commence within 72 hours of delivery. The circuit should only be ordered when the customer is within the below appropriate specified time-line of completing all required actions otherwise, the circuit should not be ordered.

DAYS: 

T1 45 days 
DS3 60 days 
OC3  90 days 
OC12  120 days 
OC48  120 days 
OC192  120 days 

*Network PLS: 

  Standard  Expedite 
T1 45  23 
DS3  85  43 
OC3  ICB   
OC12  ICB   
OC48  ICB   
OC192  ICB   

*Contact the DCCC for delivery timeline (844) 347-2457, Option 2)

In the event the service request qualifies as an Emergency or Essential National Security/Emergency Preparedness (NS/EP) telecommunications service, there is an expedited process available, both for service fulfillment and for connection approval.

In parallel, or shortly after initiating the request for service through DSF, the customer should begin the A&A process for the enclave for which a connection to the DISN is required.

For additional information on the RMF, see NIST SP 800-37 (ref n) and the RMF Knowledge Service (ref o) at https://rmfks.osd.mil/.

Customers are required to register the connection information (new or legacy) within applicable systems/databases.

Once the DSF process has been completed with the receipt of a CCSD, customers are required to register and maintain their IS information (IP address ranges, hosts, POCs, etc.) in the appropriate databases based on classification of the connection:

Contact the Network Information Center (NIC) through the DCCC at (844) 347-2457, Option 2; CML: (614) 692-0032, Option 2; DSN: (312) 850-0032, Option 2; disa.dccc@mail.mil for all unclassified connection

(844) 347-2457, Option 2; CML: (614) 692-0032, Option 2; DSN: (312) 850-0032, Option 2; disa.dccc@mail.mil for all unclassified connection
  • SNAP (https://snap.dod.mil) for:
    • Voice, video, data circuit registrations and connections to unclassified networks/ services DoD CIO temporary exception to policy registrations (Appendix G)
  • DCCC at (844) 347-2457, Option 2; CML: (614) 692-0032, Option 2; DSN: (312) 850-0032, Option 2 ; disa.dccc@mail.mil for all classified connections
  • SGS (https://giap.disa.smil.mil/gcap/home.cfm) for:
    • Voice, video, and data circuit registrations/connections to classified networks/services
  • Ports, Protocols, and Services Management (PPSM) (https://pnp.cert.smil.mil) (http://iase.disa.mil/ppsm) for:
    • All networks/systems ports, protocols, and services for all IP solutions or applications, in accordance with DoDI 8551.01 (ref e)
Note: DoDI 8510.01, Change 1, (ref d) Enclosure 8 authorizes and encourages DoD Components to start using RMF immediately when authorizing DoD IS and PIT systems and provides a timeline and instructions for transition from DIACAP to RMF. DIACAP packages can be submitted to Component Authorizing Officials (AOs) up until 1 Oct 2016. Any DoD IS or PIT system with a DIACAP package submitted through 1 Oct 16 will only be authorized an ATO for at most 1.5 years from the date of the AO's signature. On 2 Oct 2016, only RMF packages can be submitted to AOs. In the case of significant financial or operational impacts of transitioning to RMF, an AO may submit a request for deviation from this guidance for specific systems to the respective DoD Component CIO for approval. All requests for deviation forwarded to the Component CIO must be accompanied by an IS transition plan and a plan of action and milestones. During the transition, DISA will accept a request for a DISN connection that is supported by an ATO with RMF or DIACAP artifacts but will not accept a package with a combination of RMF and DIACAP artifacts.

Account Registration for the SNAP and SGS Databases

CAP packages for connections will be uploaded by the customer in the SNAP (unclassified) or SGS (classified) database. The customer must first register and get a SNAP or SGS account in order to submit a CAP package, Note: a legacy version of SGS is provided as a reference. Legacy SGS is not updated and does not contain current information. At some point in the near future, the Legacy SGS system will be removed.

Note: DISN ATCs will not be issued until the enclave’s systems are properly registered in the PPSM registry and have a valid PPSM registration identification number. For questions regarding PPSM registration call the PPSM Office at 301-225-2904.

SNAP and SGS Account Request Procedures

  • Go to https://snap.dod.mil for SNAP and https://giap.disa.smil.mil for SGS
  • Click on "Request a SNAP account" or "Request a SGS account"
    • Upload a completed signed DD Form 2875 System Authorization System Request (SAAR); The DD Form 2875 can be downloaded from SNAP and/or SGS on the Reference Documents page
  • Complete section 13 of the DD Form 2875, "Justification for Access" by specifying the SNAP and/or SGS module and user role for the CC/S/A/FA
  • Complete the profile data, asterisked item are required fields
  • Click "Submit Request" for approval
  • Once the account is approved, proceed with the creation/registration of the connection to include the submittal/upload of the RMF/DIACAP executive package artifacts once the local RMF A&A/DIACAP C&A is completed

The below steps detail the registration and submission process for both unclassified and classified CAP packages:

SNAP (Unclassified) and SGS (Classified) Submittal Process

  • Log on to SNAP (https://snap.dod.mil) for Unclassified Connections and SGS (https://giap.disa.smil.mil) for Classified Connections
  • Hover the mouse over "NIPR" for SNAP or "GIAP" for SGS and select "New Registration"
  • Complete all required fields of the NIPR or GIAP Checklist (Sections with a locked icon are reserved for use by CAO Analyst)
  • Upload Attachments for the RMF/DIACAP executive package artifacts in the Attachments/Documents Section as applicable
  • Once all sections are completed, a submit button at the bottom of the screen will be available in order to submit the entire registration
  • For NIPR packages that have classified artifacts, upload a placeholder document in the applicable section in SNAP stating that the artifact was submitted on SIPR. The date of the email and sender’s name should be in the note. Send the email to the SIPR UCAO mailbox: disa.meade.ns.mbx.ucao@mail.smil.mil.

 The customer connection requests are submitted to the CAO in the form of a SNAP or SGS registration and uploading of the CAP package. This package provides the CAO the information necessary to make a connection approval decision. CAP packages should be submitted at least 30 days prior to the desired connection date, for new connections, or 30 days prior to the existing ATC or IATC expiration date, to ensure service continuity. The following documentation is required for the CAO to analyze a CAP package:

3.5.1 DoD Component Connections to the DISN:

Connection Approval Packages for DoD Component connections to DISN will include the following documentation:

CAP Package Required Documentation: DoD Component Connections 

DoD RMF DIACAP
Authorization Decision Document (ADD) signed by the AO  ATO or ATO with conditions signed by the DAA 
Security Assessment Report (SAR)  DIACAP Scorecard 
Security Plan (SP)  System Identification Profile (SIP) 
POA&M  IT Security POA&M 
Detailed Topology Diagram  Detailed Topology Diagram 
Consent to Monitor  Consent to Monitor 
AO Appointment Letter  DAA Appointment Letter

For additional RMF guidance, please go to the RMF/DIACAP Knowledge Management website at: https://rmfks.osd.mil/login.htm.

3.5.2 Mission Partner Connections to the DISN

Connection Approval Packages for Mission Partner connections to DISN will include the following documentation: DoD Sponsors and Mission Partners will ensure information in SNAP/.SGS are kept up to date.

CAP Package Required Documentation: Mission Partner Connections 

ATO or ATO with conditions signed by the AO/DAA

As appropriate: RMF Documentation or DIACAP Executive Package (DIACAP Scorecard) in accordance with DoDI 8510.01, DoD 5220.22-M, NISPOM, NIST 800-37, ICD 503 documentation, or equivalent documentation 

Statement of Residual Risk
Detailed Topology Diagram
DoD Sponsor Validation Letter / Revalidation Letter 
DoD CIO Memo validating the mission requirement for a new Mission Partner connection to DISN
Consent to Monitor (the DoD Sponsor is a responsible for signing the CTM)
AO/DAA Appointment Letter 
The DoD Sponsor must validate the Mission Partner's need for access to the DISN. The DoD Sponsor and Mission Partner must understand and agree (e.g., MOA/MOU, contract) to their responsibilities as stated in the DoD CIO Sponsor Memorandum.

3.5.3 DoD Classified Contractor Connections to DISN:

In addition to the requirements in paragraph 3.5.2, a Connection Approval Package for a Classified Defense Contractor connection to DISN will include:

CAP Package Required Documentation: DoD Contractor Connections 

Master System Security Plan and Information Security Plan

DoD 5220.22-M, NISPOM executive package artifacts

The Defense Security Service (DSS) has responsibility for all AO actions related to Classified Contractor connections to DISN in accordance with NISPOM C&A; see the DSS-DISA MOA for further specifics regarding classified DoD contractor connections

DoD Contractor connections to the SIPRNet must go through DSS for A&A of their facilities and information systems. For questions regarding DSS A&A, contact the DSS SIPRNet Program Management Office at occ.cust.serv@dss.mil by phone at 888-282-7682.

3.5.4 Federal Departments, IC, and Other Mission Partners:

In addition to the requirements in paragraph 3.5.2, a Connection Approval Package for a Federal Department or Agency, IC or other Mission Partner (e.g., coalition partner) connection to DISN will include:

CAP Package Required Documentation: Federal Departments and Agencies, IC and Other Mission Partner Connections 

The documentation used for authorization of a Federal Mission Partner IS not categorized as a National Security System (NSS) will use National Institute of Standards and Technology (NIST) SP 800-37 Rev 1

The documentation used for authorization of a Federal Mission Partner IS categorized as an NSS will use CNSS Instruction (CNSSI) No. 1253 Security Categorization and Control Selection for National Security Systems, 27 March 2014

The documentation used for authorization of an IC IS or other Mission Partner IS will be in accordance with ICD 503, RMF Documentation, DIACAP Executive Package (DIACAP Scorecard), or equivalent documentation. IC documentation and submitted artifacts will be commensurate with the IC reciprocity memorandum.
DoD CIO Memorandum of Agreement with Federal Departments and Agencies for connection to DISN in lieu of a DoD Sponsor validation memo.
Joint Staff approval memo for 5 Eyes/coalition partner connections to DISN
Connection requests for all Mission Partners require a validation/revalidation memo signed by the DoD sponsor and validated by the DoD CIO

 

If an enclave approaching its Authorization Termination Date (ATD), the system owner/program manager must reinitiate the A&A/C&A process and obtain a new authorization decision from the AO. Ideally, the new ATO will be issued and an updated CAP package uploaded to SNAP or SGS a minimum of 30-days prior to the expiration of the current ATC/IATC. In accordance with DoDI 8510.01 (ref d), "systems that have been evaluated as having a sufficiently robust system-level continuous monitoring program (as defined by emerging DoD continuous monitoring policy) may operate under a continuous reauthorization." AOs who determine that their DISN connected enclave has met DoD’s continuous monitoring policy requirements are still required to update their respective ATO at a minimum of every three (3) years before a new ATC/IATC will be issued. For UC connection requirements please see Appendix E... If a system does not have a sufficiently robust system-level continuous monitoring program, the "Systems must be reassessed and reauthorized/reaccredited once every 3 years. The results of an annual review or a major change in the cybersecurity posture at any time may also indicate the need for reassessment and reauthorization of the system in accordance with Appendix III to OMB Circular A-130 (ref q).

The expiration date of an ATC/IATC is usually the same as (and will never go beyond) the ATD expiration date of the associated scorecard. In some instances, the results of the DSAWG risk assessment may warrant the issuance of an ATC/IATC with an authorization period shorter than that of the associated scorecard or RMF documentation. An expired ATC/IATC will prompt a review by Joint Force Headquarters DODIN (JFHQ DODIN), and may result in an order to disconnect the enclave from the DISN network/service. In accordance with DoDI 8510.01 (ref d), "An ADD/ATO authorization decision must specify an ATD that is within 3 years of the authorization date unless the IS or PIT has a system-level continuous monitoring program compliant with DoD continuous monitoring policy as issued."

The AO could decide that planned changes to an enclave are significant enough to warrant reinitiating the full A&A process, with subsequent issuance of a new reauthorization decision inside the normal 3-year authorization cycle. If no physical reconfiguration of the DISN circuit is needed to effect the planned changes, such modifications to an enclave (even if significant enough to warrant a new authorization decision) do not need to be coordinated with the corresponding DISN Validation Official. However, the planned events may have a significant impact on the IA5/cybersecurity posture of the enclave, and consequently on the risk the enclave poses to the DISN community at large. Pre-coordination with the CAO is necessary to ensure the updated topologies, CAP package artifacts, and risk decision artifacts are updated and available for the connection approval decision.

Examples of significant impact events:

  • Deployment of a cross domain solution (CDS)
  • Deployment of a UC product enhancing the capability of the enclave (i.e., softswitch VoIP, VoSIP, CVVoIP), even if the application is already accredited by the enclave AO
  • Rehoming of an authorized enclave to a new DEMARC; such as moving to a new facility where a new CCSD(s) is issued by Defense Information Technology Contracting Office (DITCO), unless the TSO clearly states that the authorization will transfer.
Note: An Automated Information System (AIS) that has already been authorized by the DISA AO for deployment on DISN/DODIN does not trigger a requirement for pre-coordination with the CAO if deployed to another enclave on DISN. 

The following events do not need to be pre-coordinated with the CAO prior to deployment/ implementation. However, these events must be identified to the CAO no later than deployment/ implementation by providing an updated network topology diagram and SIP.

Examples:

  • Deployment of new VoIP phones requiring a new VLAN segment within the enclave
  • Deployment of new VTC products (on DoD UC APL)
  • Changes in the IP address range assigned to the IS/enclave
  • DISA transport re-homing actions that change the connection points to DISN but the enclave remains at the same facility
  • Upgrade of bandwidth service
Deployment of new VoIP phones requiring a new VLAN segment within the enclave

To update the registration for existing connections, use the following processes:

  • Logon to SNAP (https://snap.dod.mil) for Unclassified Connections and SGS (https://giap.disa.smil.mil) for Classified Connections
  • Hover the mouse over the respective tab (e.g., "Waiver," "Defense Switched Network," "VPN," or "NIPRNet") for Unclassified Connection in SNAP and the respective tab (GIAP or CDS) for Classified Connection in SGS and select "View/Update"
  • Use the Search Field to locate the registration
  • Complete all required fields of the Checklist (Sections with a locked icon are reserved for use by CAO Analyst)
  • Upload Attachments for the RMF, DIACAP, or other applicable executive package artifacts in the "Attachments/Documents" section as applicable
  • Once all sections are completed, a submit button at the bottom of the screen will be available in order to submit the entire registration
Logon to SNAP (https://snap.dod.mil) for Unclassified Connections and SGS (https://giap.disa.smil.mil) for Classified Connections

This checklist provides the key activities that must be performed by the Mission Partner or DoD Component sponsor during the connection approval process:

Item  DoD Component  Mission Partner 
  New  Existing  New  Existing 
Obtain DoD CIO approval for Non-DoD connection     

Provision the connection 

 

Perform the A&A process 

X

Obtain an authorization decision (ATO/IATT) 

X

Register the connection 

X

**

Register in the GIAP/SGS and/or SNAP database 

X

** 

Register in the PPSM database 

X

** 

Register in the DITPR database (NIPR Only) 

X

** 

Register in the SIPRNet IT Register database (SIPR Only) 

X

** 

Register with the SIPRNet Support Center (SSC) (SIPR Only) 

X

 

 
Complete the CAP package 

X

DIACAP Executive Package (or equivalent for non-DoD entities)/RMF Security Assessment Report 

X

X

DIACAP Scorecard/Systems Authorization Package 

X

System Identification Profile/System's Security Plan 

X

Plan of Actions and Milestones, if applicable 

X

AO Appointment Letter 

X

Network/Enclave Topology Diagram 

X

Consent to Monitor 

X

Proof of Contract/SLA/MOU/MOA     

DoD CIO Approval Letter     

Submit the CAP package of the CAO 

X

Receive remote compliance scan (SIPR Only) 

X

 

 
Receive ATC/IATC 

X

Proof of a funded agreement with a DoD accredited Computer Network Defense Service Provider (CNDSP) 

X

* - This step is not required for existing mission partner connections unless there has been a change in Sponsor, mission requirement, contract, location, or the connection has not been registered.

** - This step is not required for existing connections that are already registered and where all information is current.

Note: The CAO review of the SIPRNet CAP package for new connections includes an on-line initial remote compliance assessment. This is a SIPRNet vulnerability scan of the requesting enclave’s ISs performed by DISA, to identify possible vulnerabilities that exist within the enclave. The results are used during the connection approval decision-making process prior to the enclave going operational.

Network Topology Diagram/Systems Design Document – the diagram below depicts the network topology and security posture of the Customer network enclave that will be connecting to the DISN. The Network Topology Diagram document should:

  • Be dated
  • Clearly delineate authorization boundaries
  • Identify the CCSDs of all connections to the DISN
  • Identify equipment inventory (to include the most recent configuration including any enclave boundary firewalls, Intrusion Detection Systems (IDS), premise router, routers, switches, backside connections, Internet Protocol (IP) addresses, encryption devices, Cross Domain Solutions (CDS)
  • Other SIPRNet connections (access points) must be shown; the flow of information to, from, and through all connections, host IP addresses, and CCSD number, if known must be shown
  • Identify any other cybersecurity or cybersecurity-enabled products deployed in the enclave
  • Identify any connections to other systems/networks/enclaves
  • Identification of other connected enclaves must include:
    • The name of the organization that owns the enclave
    • The connection type (e.g., wireless, dedicated point-to-point, etc.)
    • IP addresses for all devices within the enclave
    • The organization type (e.g., DoD, federal agency, contractor, etc.)
  • Identify Internetworking Operating System (IOS) version
  • Include the model number(s) and IP's of the devices on the diagram; diagram must show actual and planned interfaces to internal and external LANs or WANs (including backside connections)

Note: It is important to note that in accordance with DoD and DISA guidance, firewalls, Intrusion Detection Systems (IDSs)\ and Wireless-IDSs (where applicable) are required on all partner enclaves. Private IP addresses (non-routable) are not permitted on SIPRNet enclaves without an acceptable RFC 1918 community risk assessment from the DSAWG. For more information go to the following link: (https://intelshare.intelink.gov/sites/dsawg/default.aspx). Indicate and label all of the devices, features, or information; minimum diagram size: 8.5" x 11."

All Cybersecurity and cybersecurity-enabled products that require use of the product’s cybersecurity capabilities must comply with the evaluation and validation requirements of (ref p) in accordance with DoDI 8500.01 (ref a).

DoD Components are required to acquire or operate only UC products listed on the UC APL, unless, and until, a DoD CIO temporary exception to policy is approved in accordance with DoDI 8100.04, Unified Capabilities (ref g). The DoD UC Approved Products List and can be found at the DISA APLITS web page: https://aplits.disa.mil.

All Topologies MUST include IP address ranges, equipment make/model, and software version.  

 

The topology diagram for customer network enclaves that connect via the JRSS must include a JRSS topology overlay as shown in the diagram below. The JRSS topology overlay also must identify the make/model/IP address/software version of the JRSS equipment being used.

Tactical exercise/mission CAP packages must be submitted a minimum of eight (8) days prior to the start of the exercise/mission. Upon successful registration of the initial tactical mission/exercise, the registration will become valid for the duration of the ATO. The Registration ID number, that is auto-generated from SGS upon registration, will be used as a reference to access DoD Gateway SIPRNet services for the duration of the ATO. This Registration ID number will be used on all future missions, and provided to the CONEX in the remarks section 1 of the Gateway Authorization Request (GAR). Remarks will be: "SGS Registration ID number xxxxx for SIPRNet IATC, expiration DD-MMM-YYYY."

Customers are not required to register for each mission after initial registration. The authorization is valid thru the ATO revocation and or expiration. If the current ATO will expire prior to the next time the Tactical user will enter a DoD Gateway, the user will start a new request so that a new Registration ID number can be issued. Any changes to equipment configuration affecting enclave security posture of the system resulting in a new ATO will require registration in the SGS database. A complete authorization package is not submitted with a CAP package for a tactical exercise/mission, however, the CAP package must include at a minimum, an ATO letter, Gateway Access Authorization (GAA), and topology/System Design Document (SDD).

The CAO will review the registration information and will issue an IATC/ATC for the duration of the ATO upon successful and complete registration. The IATC/ATC will be made available under section 10.1 of the SGS database (Scorecard). The DISA GSD/Tier II will verify the validity of the Registration ID number provided in the GAA against the SGS database prior to allowing access to SIPRNet.

For additional information, please review the Policy and Procedures for DoD Gateways (STEP/Teleport) SIPRNet DODIN Interconnection Approval Process System (SGS).

In accordance with CJCSI 6211.02D (ref b) non-Mission Partners, including defense contractor enclave connections to DISN-provided transport, information services must be through an established DISN DMZ and will follow DISN DMZ security requirements. DISA operates three (3) DMZs or Mission Partner Gateways; NIPRNet Federal Gateway (NFG), SIPRNet Federal DMZ (FED-DMZ), and the SIPRNet Releasable (SIPR REL) DMZ. In certain limited special use cases, the DoD CIO has approved some non-DoD Federal Agencies Mission Partner connections to the NIPRNet and SIPRNet, however, this is not the norm. Connections to the DISN DMZs/NFG can be made either physically or logically (see Figure 3). Mission Partners will work with the NIPRNet or SIPRNet DMZ offices listed in Table 2 to initiate their respective DMZ/NFG connections.

DISA DMZ Offices 

NIPRNet NFG  301-225-8684 DSN 375 
SIPRNet REL-DMZ/FED DMZs  301-225-9607 DSN 375 

All Non-DoD NIPRNet/SIPRNet connections require DoD CIO Approval, a Contract/MOA/MOU and DoD Sponsor to validate DoD mission need for Mission Partner access to the DISN. DoD Sponsors must understand and agree to their responsibilities as stated in the DoD CIO Sponsor Memorandum (ref m), applicable issuances, the Defense Finance and Accounting Regulations (DFAR), and the DoD Sponsor and Mission Partner responsibilities must be codified in an appropriate agreement (e.g., MOA, MOU, or contract). The DoD CIO will establish MOA with Federal Departments and Agencies that have a mission requirement to connect to DISN.

In addition to the requirements listed in this section, to connect to the NIPRNet Federated Gateway mission partners must complete a NIPRNet Federated Gateway, (NFG) Questionnaire, as well as the NIPRNet Federated Gateway Policy spreadsheet (https://www.disa.mil/Network-Services/VPN/MPG). The questionnaire provides baseline data for engineering teams to work with mission partners while the NFG Policy Spreadsheet identifies the firewall posture of the

NFG which will support mission partners. The customer must notify the NIPRNet NFG or SPIRNet DMZ offices of the PPSM registration ID, in addition to the above referenced documentation. The DMZ/NFG team works with the Web Content Filtering team to ensure that the applicable firewall rulesets are vetted and provided to the DISA Command Center (DCC) which issues a DISA Task Order (DTO) for DISA Global Operations Center (DGOC) to implement (See Figure 4 and 5). Should applicable PPSM not be identified, the corresponding services will not be available. This may result in subsequent submissions of firewall rule requests to support mission partner/sponsor requirements.

 

The NIPRNET Federated Gateway (NFG) (aka Mission Partner Gateway (MPG) for JIE) provides a secure, robust, and scalable means for non-DoD Federal Agencies, mission partners, and contractor connections to connect to the Unclassified but Sensitive Internet Protocol (IP) Router Network (NIPRNet). The NFG supports both logical and physical connections.

Note: It is strongly recommended that mission partners communicate with current service providers to ensure the smooth circuit hand off to NFG site/DISN Transport nodes. Logical circuits are an interim solution for migration to NFG and not meant to be an end state/long term solution  

3.12.1 NFG Logical Connections

Existing Mission Partner connections to NIPRNet may be extended to NFG without installing new physical circuits. This can be accomplished by provisioning logical tunnels using Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) or Internet Protocol Security (IPsec) VPN over the DISN. These tunnels extend existing Mission Partner connection(s) to the NFG and the traffic will flow to the NFG on a slightly different path than originating from physical connections. Encryption is also available for logical connections if required by the Mission Partner. Mission Partners are required to maintain a direct physical connection to a DISN node to be eligible for a logical connection. Logical connections through sponsors or other DoD agencies are not supported. Logical connection use cases are as follows:

1. A commercial circuit extends from the customer to the DISN node. At the DISN router the customer connects to the NFG COI (MPLS VPN) for logical transport to the NFG site.

2. Mission Partners currently connected to the DISN router for NIPRNet access will connect to the NFG COI (MPLS VPN), eliminating NIPRNet access without passing through the NFG first.

3.12.2 NFG Physical Connections

Physical connections are terminated on the NFG using up to OC-12 SONET 1Gb and 10Gb Ethernet (copper or fiber) connections. A non-DoD organization such as a Federal Department/Agency, DoD contractor, or other mission partners may connect to the NFG router via third-party leased circuit or DISN transport in consonance with a formal agreement (e.g., contract, MOU, MOA, etc.). In cases where the Mission Partner equipment is collocated with an NFG site, the Mission Partner Customer Premise Equipment (CPE) can connect to the NFG using a direct cable connection without a leased circuit and/or DISN transport. Physical connection use cases are as follows:

It is strongly recommended that mission partners communicate with current service providers to ensure the smooth circuit hand off to NFG site/DISN Transport nodes. Logical circuits are an interim solution for migration to NFG and not meant to be an end state/long term solution

1. A commercial carrier extends a circuit from the Mission Partner service point to the NFG site.

2. A commercial carrier extends a circuit from the Mission Partner service point to DISN physical transport for a dedicated circuit to an NFG site.

3. A Mission Partner plugs directly into DISN transport for a dedicated circuit to an NFG site.

3.12.3 NFG Connection Approval Requirements

Connections to the NFG are either physical or logical.

Physical connections that are directly homed to the NFG use point-to-point circuits between the NFG and a Mission Partner's network. Logical connections are physically homed to a NIPRNet router but are connected to the NFG via an encapsulated tunnel. NFG connections require a modified Connection Approval Process package as illustrated below. NFG connections will be annotated in SNAP database as "NIPR FED GW." Qualified NFG connections will receive an ATC/IATC and be reviewed in accordance with the established agreement (e.g., MOA/MOU/SLA).

CAP Package Required Documentation: NFG Connections 
Signed DoD CIO validation memo (e.g., MOU/MOA/SLA)... 
Network topology diagram/SDD 
Valid PPSm registration identification number, 
Required current POC information 
Authorization to Operate (ATO) letter 

3.12.4 Ordering NFG Connections

Orders for NFG circuits are submitted to the DISA Storefront (DSF):

1. After obtaining access, Mission Partners use DSF to generate Telecommunications Service Requests (TSR) to have circuits provisioned to the NFG. Refer to the DSF website (https://disa-storefront.disa.mil/dsf/logon?a=DDR&r=https%253A%252F%252Fddsf.disadirect.disa.mil%252Fkinetic%252FDisplayPage%253Fname%253DDDSF_Home) for information on the circuit-ordering process.

    a. For logical connections, the VPN Identification (ID) number for the NFG Community of Interest (COI) service is provided by DISA and is always the same for every Mission Partner

    b. The VPN ID for NFG COI Service is DKL300249

    c. DSF assigns the VPN ID to all Mission Partners requesting NFG COI Service

Note: The mission partner must first register for access to the DSF site using the following link: https://disa-storefront.disa.mil/dsf/logon?a=DDR&r=https%253A%252F%252Fddsf.disadirect.disa.mil%252Fkinetic%252FDisplayPage%253Fname%253DDDSF_Home.  

2. The TSR initiates the process of identifying Mission Partner requirements and provisioning the new NFG circuit paths based on the approved engineering design and connection approval package.

3. To revise approved connections, Mission Partners must update the approved CAP or submit a new CAP based on the approved engineering solutions.

4. Mission Partners must ensure they have obtained and completed the NIPRNet Federated Gateway Questionnaire as well as the NIPRNet Federated Gateway Policy spreadsheet https://www.disa.mil/Network-Services/VPN/MPG). Should applicable PPSM not be identified, the corresponding services will not be available. This may result in subsequent submissions of firewall rule requests to support mission partner/sponsor requirements.

DoD policy also requires that DoD Components register their IS information in the DoD Information Technology Portfolio Repository (DITPR) at https://ditpr.dod.mil.

DoD policy also requires that DoD Components register their IS information in the DoD Information Technology Portfolio Repository (DITPR) at https://ditpr.dod.mil.

Use of the unclassified DITPR is preferred for registration of all information systems including classified systems. There are numerous classified systems registered in the unclassified DITPR, without inclusion of classified information about the system. However, an information system may be registered using the SIPRNet IT Registry (SITR) if the description of the information system must contain classified material, or, if the organization (such as a CCMD) routinely uses the SIPRNet. The link to the SITR on SIPRNet is: https://dodcio.osd.smil.mil/itregistry - for additional assistance using SITR, send email to: osd.mc-alex.dod-cio.mbx.ditpr-support-team@mail.mil and include 'SIPR IT Registry' in the subject line.

CC/S/A may have internal databases that need to be updated with connection information. Check with the CC/S/A for additional requirements.

The NIPRNET Federated Gateway (NFG) (aka Mission Partner Gateway (MPG) for JIE) provides a secure, robust, and scalable means for non-DoD Federal Agencies, mission partners, and contractor connections to connect to the Unclassified but Sensitive Internet Protocol (IP) Router Network (NIPRNet). The NFG supports both logical and physical connections.

Note: It is strongly recommended that mission partners communicate with current service providers to ensure the smooth circuit hand off to NFG site/DISN Transport nodes. Logical circuits are an interim solution for migration to NFG and not meant to be an end state/long term solution  

3.12.1 NFG Logical Connections

Existing Mission Partner connections to NIPRNet may be extended to NFG without installing new physical circuits. This can be accomplished by provisioning logical tunnels using Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) or Internet Protocol Security (IPsec) VPN over the DISN. These tunnels extend existing Mission Partner connection(s) to the NFG and the traffic will flow to the NFG on a slightly different path than originating from physical connections. Encryption is also available for logical connections if required by the Mission Partner. Mission Partners are required to maintain a direct physical connection to a DISN node to be eligible for a logical connection. Logical connections through sponsors or other DoD agencies are not supported. Logical connection use cases are as follows:

1. A commercial circuit extends from the customer to the DISN node. At the DISN router the customer connects to the NFG COI (MPLS VPN) for logical transport to the NFG site.

2. Mission Partners currently connected to the DISN router for NIPRNet access will connect to the NFG COI (MPLS VPN), eliminating NIPRNet access without passing through the NFG first.

3.12.2 NFG Physical Connections

Physical connections are terminated on the NFG using up to OC-12 SONET 1Gb and 10Gb Ethernet (copper or fiber) connections. A non-DoD organization such as a Federal Department/Agency, DoD contractor, or other mission partners may connect to the NFG router via third-party leased circuit or DISN transport in consonance with a formal agreement (e.g., contract, MOU, MOA, etc.). In cases where the Mission Partner equipment is collocated with an NFG site, the Mission Partner Customer Premise Equipment (CPE) can connect to the NFG using a direct cable connection without a leased circuit and/or DISN transport. Physical connection use cases are as follows:

It is strongly recommended that mission partners communicate with current service providers to ensure the smooth circuit hand off to NFG site/DISN Transport nodes. Logical circuits are an interim solution for migration to NFG and not meant to be an end state/long term solution

1. A commercial carrier extends a circuit from the Mission Partner service point to the NFG site.

2. A commercial carrier extends a circuit from the Mission Partner service point to DISN physical transport for a dedicated circuit to an NFG site.

3. A Mission Partner plugs directly into DISN transport for a dedicated circuit to an NFG site.

3.12.3 NFG Connection Approval Requirements

Connections to the NFG are either physical or logical.

Physical connections that are directly homed to the NFG use point-to-point circuits between the NFG and a Mission Partner's network. Logical connections are physically homed to a NIPRNet router but are connected to the NFG via an encapsulated tunnel. NFG connections require a modified Connection Approval Process package as illustrated below. NFG connections will be annotated in SNAP database as "NIPR FED GW." Qualified NFG connections will receive an ATC/IATC and be reviewed in accordance with the established agreement (e.g., MOA/MOU/SLA).

CAP Package Required Documentation: NFG Connections 
Signed DoD CIO validation memo (e.g., MOU/MOA/SLA)... 
Network topology diagram/SDD 
Valid PPSm registration identification number, 
Required current POC information 
Authorization to Operate (ATO) letter 

3.12.4 Ordering NFG Connections

Orders for NFG circuits are submitted to the DISA Storefront (DSF)

1. After obtaining access, Mission Partners use DSF to generate Telecommunications Service Requests (TSR) to have circuits provisioned to the NFG. Refer to the DSF website (https://disa-storefront.disa.mil/dsf/logon?a=DDR&r=https%253A%252F%252Fddsf.disadirect.disa.mil%252Fkinetic%252FDisplayPage%253Fname%253DDDSF_Home) for information on the circuit-ordering process.

    a. For logical connections, the VPN Identification (ID) number for the NFG Community of Interest (COI) service is provided by DISA and is always the same for every Mission Partner

    b. The VPN ID for NFG COI Service is DKL300249

    c. DSF assigns the VPN ID to all Mission Partners requesting NFG COI Service

Note: The mission partner must first register for access to the DSF site using the following link: https://disa-storefront.disa.mil/dsf/logon?a=DDR&r=https%253A%252F%252Fddsf.disadirect.disa.mil%252Fkinetic%252FDisplayPage%253Fname%253DDDSF_Home.  

2. The TSR initiates the process of identifying Mission Partner requirements and provisioning the new NFG circuit paths based on the approved engineering design and connection approval package.

3. To revise approved connections, Mission Partners must update the approved CAP or submit a new CAP based on the approved engineering solutions.

4. Mission Partners must ensure they have obtained and completed the NIPRNet Federated Gateway Questionnaire as well as the NIPRNet Federated Gateway Policy spreadsheet https://www.disa.mil/Network-Services/VPN/MPG). Should applicable PPSM not be identified, the corresponding services will not be available. This may result in subsequent submissions of firewall rule requests to support mission partner/sponsor requirements.

DoD policy also requires that DoD Components register their IS information in the DoD Information Technology Portfolio Repository (DITPR) at https://ditpr.dod.mil.

DoD policy also requires that DoD Components register their IS information in the DoD Information Technology Portfolio Repository (DITPR) at https://ditpr.dod.mil.

Use of the unclassified DITPR is preferred for registration of all information systems including classified systems. There are numerous classified systems registered in the unclassified DITPR, without inclusion of classified information about the system. However, an information system may be registered using the SIPRNet IT Registry (SITR) if the description of the information system must contain classified material, or, if the organization (such as a CCMD) routinely uses the SIPRNet. The link to the SITR on SIPRNet is: https://dodcio.osd.smil.mil/itregistry - for additional assistance using SITR, send email to: osd.mc-alex.dod-cio.mbx.ditpr-support-team@mail.mil and include 'SIPR IT Registry' in the subject line.

CC/S/A may have internal databases that need to be updated with connection information. Check with the CC/S/A for additional requirements.

Currently customers that have a current ATC for a traditional NIPR circuit are being reauthorized/reaccredited for moving to the JRSS Stack. This only applies to NIPR circuits. SIPR circuits are not yet being moved to JRSS.

The following procedures will allow the customer to create a SNAP registration:

1. To register a JRSS connection in SNAP, in the NIPR module select ‘New Registration’.

2. In Section 0.1, for Connection Type, select JRSS instead of DoD.

3. In Section 1, there is a question, 'Is this systems connection type JRSS?' Select Yes and type in the VRF in the block below. NOTE: Currently the VRF will not show if the customer goes to My Entries report. Until that is fixed the customer will have to search by Registration ID for that registration.

4. Internal boundary defense equipment (firewall, IDS/IPS) is no longer required on the topology and will not be evaluated by the analysts. The JRSS stack must be shown on the topology.

5. Other than the Virtual Routing and Forwarding (VRF) identifier instead of a CCSD, JRSS packages are submitted like any other Connection Approval package. Please remember to show the VRF on the documentation where the CCSD would previously have been identified.

The CAO analysts will review the package and an Approval to Connect (ATC) will be issued.

Upon submittal of the registration, the CAO will review all sections of the registration or completeness and compliance. In the event a section is incomplete or a non-compliant artifact is uploaded to the database, that individual section will be rejected. The POCs listed in the database will receive notification of a rejected registration to include what documentation is missing or non-compliant from the package. The customer must log back into the database and complete or upload the updated artifact for the rejected section. Typically, when all the connection approval requirements are met an ATC or IATC will be issued within eight (8) business days.

As an integral part of the process, the CAO assesses the level of risk the customer’s network enclave poses to the specific DISN network/service and to the DODIN community at large. The identification of cybersecurity vulnerabilities or other non-compliance issues and the responsiveness of the affected enclave in implementing appropriate remediation or mitigation measures against validated vulnerabilities will have a direct impact on the risk assessment, and subsequently on the connection approval decision.

An ATC/IATC will authorize the partner to connect to the DISN network/service defined in the connection approval, up to the Authorization Termination Date (ATD). The results of the risk assessment may warrant the issuance of a connection approval decision with a validity period shorter than that of the authorization decision ATD. In such cases, the CAO will provide justification to the DAA/AO for the shorter validity period.

If the CAO assesses that an enclave’s connection to the DISN poses a potentially "high" impact community risk, it will forward the connection request to the DSAWG as part of the executive risk function in accordance with DoDI 8500.01 (ref a) and DoDI 8510.01 (ref d). The CAO will provide the AO the justification for the assessment and inform the AO that current guidance (i.e., policy, DSAWG decision, STIGs, etc.) from DISN/DODIN DAAs/AOs precludes the issuance of an ATC without additional review of the enclave cybersecurity status by the community authorization bodies.

Type accredited/authorized systems refer to a generally standardized configuration for two or more circuits. Although they have similar configurations, they are still individual circuits, and are registered individually in SNAP or SGS. Each circuit under a type accreditation/authorization must have an individual topology that shows, among other things, the unique IP addresses assigned to that circuit. They may all use the same Scorecard/SAR/ATO/IATO, SIP, and POA&M.

Once the CAO makes a connection decision, the partner is notified:

Connection Approval

If the connection request is approved, the partner is issued an ATC or ATC with conditions. The validity period is specified in the ATC letter. After the connection is approved, the partner must work with DISN Implementation to complete the installation of the circuit. The connection approval is valid until the expiration date. The AO must notify the CAO of significant changes, such as architecture changes requiring re-authorization /re-accreditation movement of the enclave to a new location, changes in risk posture, etc., that may cause a modification in the cybersecurity status of the enclave or if the connection is no longer needed.

Denial of Approval to Connect

If the connection request is rejected, the CAO will provide the partner a list of corrective actions required before the connection can be approved. The process will restart at Section 3.5.

If for any reason it becomes necessary to discontinue the use of an enclave, the customer must submit via e-mail the discontinuance or cancellation TSO/IER) to the CAO (e.g. SIPRNet: disa.meade.ns.mbx.ccao@mail.smmil.mil or NIPRNet: disa.meade.ns.mbx.ucao@mail.mil). CAO will upload the TSO or IER in the respective database and close the registration for that CCSD.

Connection Approval Office (CAO)
CAO for Unclassified Connections 

disa.meade.re.mbx.ucao@mail.mil

disa.meade.re.mbx.ucao-waivers@mail.mil 

CAO for Classified Connections 

disa.meade.re.mbx.ucao@mail.smil.mil

disa.meade.re.mbx.ucao-waivers@mail.smil.mil 

Phone (Commercial)  301-225-2900, 301-225-2901 
Phone (DSN)  312-375-2900, 312-375-2901 
DISA CONUS Provisioning Center
Unclassified E-mail  provtms@scott.disa.mil 
Address 

PO Box 25860

Scott AFB, IL 62225-5860 

Procedures for connecting to Cloud computing services are currently documented in the Cloud Connection Process Guide (ref aL). Cloud connection procedures will be addressed in future editions of the DISN CPG.