Enterprise Connection Division: The Power to Connect

OSD GIG WAIVER PROCESS

If an alternative connection path (i.e., commercial Internet Service Provider (ISP)) is required for NIPRNet access (i.e., enclave/standalone), or Network connection, a waiver must be approved by the GIG Waiver Panel and signed by the DoD CIO.

The Connection Approval Office published a new document in February 2012 that outlines the GIG Waiver Process in detail. Download the GIG Waiver Process documentation.

Additional Waivers documentation can be found within SNAP: https://snap.dod.mil/gcap/reference-docs.cfm

Baseline Commercial ISP/Network Connection Approval Criteria

DoDI 8100.04, December 9, 2010, states the Defense Information System Agency (DISA) is the preferred unified capabilities transport provider for Internet and commercial satellite connections used for voice, video, and/or data services in Department of Defense (DoD) networks. The DoD components shall be permitted to use non-DISA enterprise-level infrastructures only if:

  • A compelling business case justification is provided and approved by Assistant Secretary of Defense for Networks and Information Integration (ASD(NII))/DoD Chief Information Officer (DoD CIO); or
  • The head of the Office of the Secretary of Defense (OSD) or DoD component, in coordination with the director of DISA, provides a justification to the ASD/DoD CIO that the unique mission requirements cannot be met by DISA.

These types of alternate connections require the OSD Global Information Grid (GIG) Waiver Panel to grant a waiver prior to operation.

If DISA has determined that the CC/S/A requirements cannot be fulfilled by DoD common user-systems, an exemption (i.e., GIG Waiver) may be requested by the CC/S/A. These types of alternate connections require the OSD GIG Waiver Board to grant a waiver prior to operation.

The CC/S/A should contact their Service Representative Officer (SRO)/CIO Office for validation of the mission and requirements prior to beginning the waiver process. If it has been determined by the SRO that a waiver is needed, it is the responsibility of the CC/S/A to register their request in the Systems/Networks Approval Process (SNAP) database. It is the responsibility of the SRO to validate this request in SNAP.

DISA and DSAWG will review all CC/S/A GIG waiver requests and provide a recommendation to the OSD GIG Waiver Panel prior to adjudication of the request. It is the responsibility of the CC/S/A and the partner to present the GIG waiver request to the OSD GIG Waiver Panel. If the GIG waiver request is approved, the CC/S/A shall utilize the appropriate DITCO contracting office to obtain the Internet service from a commercial ISP.

Types of Waivers Required for Alternate Connections

The following are types of alternate connections that will require the OSD GIG Waiver Panel to grant a waiver:

  • Stand-Alone: A connection that is paid for using appropriated funds and/or stores, processes, or transmits DoD information to the Internet using a commercial Internet Service Provider that is not connected to the unclassified Defense Information System Network (DISN).
  • NIPRNet to Internet: A connection that is paid for using appropriated funds and/or stores, processes, or transmits DoD information connected to the DISN to the Internet using an unclassified-but-sensitive Internet protocol router network (NIPRNet) Internet access point.
  • Network: Unless explicitly permitted by DoD policy, all telecommunications and IT networks and circuits that extend beyond the confines of the B/P/C/S shall be procured and/or contracted for by the Defense Information System Agency. This type covers existing or planned networks being built, modified, or discovered as operating outside these parameters, and networks that have a Telecommunications Service Order (TSO) but whose CC/S/A needs to operate immediately and requires a waiver to meet urgent or critical operational mission requirements. If an alternative connection path (i.e., commercial Internet Service Provider (ISP)) is required for NIPRNet access (i.e., enclave/standalone), or Network connection, a waiver must be approved by the GIG Waiver Panel and signed by the DoD CIO.

    As examples, a waiver must be approved by the GIG Waiver Panel and signed by the DoD CIO if an alternative connection path (a path that uses other than DISN transport) is required, such as:

    • A Commercial Internet Service Provider (C-ISP) for a stand-alone network
    • A C-ISP used to tunnel a DISN circuit between enclaves, or
    • A C-ISP connection to an enclave connected to the DISN that does not traverse an IAP, or any non-standard connection to a DISN circuit, such as a connection that does not follow all applicable STIGs.

NOTE: Consideration for waiver approval will be based on compliance with DoD IA and CND policies and USSTRATCOM directives.

Requesting mission partner will:

  • Acquire CC/S/A or field activity validation and endorsement of the alternate connection.
  • Complete the waiver request form for the alternate connection via the SNAP system web-based application (https://snap.dod.mil/).
  • Provide required connection documentation. (Reference H.3)
  • Prepare an explanatory brief IAW OSD GIG Waiver presentation. (Instruction located on the SNAP system website.)
  • The OSD GIG Waiver Board will review assessments from DISA, DSAWG, and other IA technical review activities before making a final approval.

NOTE: If required from DSAWG chair: Prepare a brief IAW the standard brief format contained on the DSAWG website and submit the prepared brief to the DSAWG for waiver approval review. The DSAWG will perform a technical review of the IA compliance assessment of the waiver and make a recommendation to the required reviewing body.

Process Deviations and/or Additional Requirements

Documentation Requirements

Develop a PowerPoint briefing based on provided guidance and the waiver criteria. The briefing will cover the points below and be conducted at the Secret level or below. New and renewal waiver briefing templates are located in SNAP at https://snap.dod.mil/gcap/reference-docs.cfm. A soft copy of the briefing must be uploaded electronically in SNAP for review at least six weeks prior to the OSD GIG Waiver Panel meeting. All CC/S/A partners are required to coordinate the presentation with their SRO.

NOTE: Prior to submission of this brief, the SROs must validate the brief, including the mission in SNAP, and ensure the DAA has provided the applicable IATO/ATO.

Accreditation - All DoD ISs require certification and accreditation through DIACAP (DoDI 8510.01 (ref g)). Waivers will not be processed further if the accreditation is not current. The DAA-approved scorecard with expiration date should assert the DAA's acknowledgement of mission and connection requirements, and acceptance of the risk associated with deviation from standard architecture.

NOTE: The scorecard must be signed and dated by the DAA.

Independent verification (Certification and Accreditation (CA) letter) of physical and logical separation from the DoD network may be required.

PowerPoint Briefs should include the following slides:

1. Cover slide

  • Type of Waiver Request, Name of Component/Agency, Waiver Request Identification #, Submission Date, CIO, and POC.

2. Request Summary Slide

  • Specify what you are requesting and for how long. Also specify if the connection will be procured through DITCO or another DISN service in the future.

3. Organization and Mission Requirement Slide

  • Mission of component/agency and of the network/computing function/satellite support/ISP.
  • What is it your organization does and how does the requirement support that mission?
  • Does the Organization’s Charter or DoD Directive drive a requirement?

4. Requirements Overview Slide

  • What is the operational requirement?
  • What has DISA provided as a DISN solution and why does it not fulfill your requirement?
  • Data Transfer Movement Policy (what policy is currently in place for the command/headquarters?)
  • Data Information (what data and information is crossing the connection? How is traffic being introduced to the DISN?)

  - Other questions the panel/board will consider:

    • Is the requirement National Security System (NSS), command and control, mission essential?
    • What operational considerations merit deviation from the DoD DISN/GIG architecture?
    • Is this a requirement or a solution?
    • Is the time requirement valid?

5. Security Evaluation Status Slide

  • Describe the security status of the system and its information assurance components.

6. Topology Diagram Slide

  • Provide a communications diagram of current architecture and proposed architectures. At a minimum, the drawing must identify any Intrusion Detection Systems (IDSs), premise router, firewalls, any other security-related systems that are installed, and any connections to other systems/networks. If NIPRNet-to-Internet connection, identify the command communications service designators (CCSDs) of all connections to the DISN. Identifications to other connected systems should include the name of the organization that owns the system/enclave, the connection type (e.g., wireless, dedicated point-to-point), and the organization type (e.g., federal, DoD, contractor, etc.).

7. Waiver Architecture Slide (see topology guidance at the end of this section)

  • Architectural Congruence - Coordination with the DISA NIPRNet Manager is required to ensure DoD Global Information Grid (GIG) architecture compliance.

  - Other questions the panel/board will consider:

    • Is this a defined technical requirement?
    • Is the request duplicative of other reaccreditation service?
    • Does this deviate from DoD architecture and preserve interoperability?
    • Does this deviate from DoD architecture and preserve positive control?
    • Does this deviate from DoD architecture and enable network control?
    • Does this deviate from DoD architecture and enable configuration management?
    • How much time will it take DISA to migrate the network to DISN?
    • Using current offerings, can DISA provide the services requested?
    • Will DISA expand current offerings to include the services requested?

8. Identified Vulnerabilities & Risk Mitigation Slide

  • Identify and describe the vulnerabilities identified in the SSAA during the vulnerability assessment.
  • Identify any associated risk mitigation measures and include risk mitigation processes identified during the Information Flow discussion.

9. Residual Risk Slide

  • Discuss all of the residual security risks that cannot be mitigated (or will not be mitigated until a future date).

10. Business Case/Best Practices Slide

  • How much will it cost? Include all costs. This must be coordinated with DISA.

  - Questions the panel/board will consider:

    • Is the request funded?
    • Is there a supporting business case?
    • If a service network solution is not possible, what is the business case for transport only solution?
    • Time requirement – Commercial Contract expires/Waiver expires.
    • Monthly Recurring or Annual Cost for the ISP connection.
    • What is the total cost to DoD?

11. Alternative Solutions Slide

  • Specify why the CC/S/A cannot use a Defense Information System Network (DISN) solution to perform the requirement being requested.

12. Cost Alternatives Slide

13. Alternative Comparisons Slide

14. Business Plan Alternatives Slide

  • Plan for obtaining the commercial ISP connection through the appropriate DITCO contracting office.

15. Recommendation & Actions Slide

  • Provide recommendation and actions of chosen alternative required to make it happen.

Waivers Process Flow

Waiver Renewals

Once a waiver has expired, the CC/S/A has the option of renewing. If it has been determined that the waiver needs to be renewed, the CC/S/A must do the following:

  • Update the SNAP registration
  • Complete and upload the Renewal ISP Waiver Brief Template (located in SNAP)
  • Upload the accreditation requirements (if expired)
  • Submit the registration
  • The renewal request will then follow the same process as a new waiver request.

NOTE: For waiver renewals (no changes to topology, IA, etc.) that have full Panel consensus, there will not be a brief presented at the GWP; only a note of the vote will be made during the meeting.

Points of Contact

Connection Approval Office

  • Unclassified email (NIPRNet): disa.meade.ns.mbx.ucao-waivers@mail.mil
  • Classified email (SIPRNet): disa.meade.ns.mbx.ucao-waivers@mail.smil.mil
  • Phone (Commercial): 301-225-2900
  • Phone (DSN): 312-375-2900

Additional Policy and Guidance Documents

  • CJCSI 6211.02D: Defense Information System Network (DISN): Policy and Responsibilities, 24 Jan 2012 (ref d)
  • DoDD 8500.01E: Information Assurance (IA), 24 October 2002 (ref c)
  • DoDI 8500.2: Information Assurance (IA) Implementation, 6 February 2003 (ref f)
  • DoDI 8100.4: DoD Unified Capabilities, 9 December 2010 (ref n)
  • DoDD 8100.02: Use of Commercial Wireless Devices, Services and Technologies in the Department of Defense (DoD) Global Information Grid (GIG), 14 April 2007 (ref v)

*Network Topology Diagram: this diagram depicts the network topology and security posture of the partner IS or network enclave that will be connecting to the DISN. The Network Topology Diagram should:

  • Be dated
  • Clearly delineate accreditation boundaries
  • Identify the CCSDs of all connections to the DISN
  • Identify equipment inventory (to include the most recent configuration including any enclave boundary firewalls, Intrusion Detection Systems (IDS), premise router, routers, switches, backside connections, Internet Protocol (IP) addresses, encryption devices, Cross Domain Solutions (CDS))
  • Other SIPRNet connections (access points) must be shown; the flow of information to, from, and through all connections, host IP addresses, and CCSD number, if known, must be shown
  • Identify any other IA or IA-enabled products deployed in the enclave
  • Identify any connections to other systems/networks
  • Identification of other connected IS/enclaves must include:
    • The name of the organization that owns the IS/enclave
    • The connection type (e.g., wireless, dedicated point-to-point, etc.)
    • IP addresses for all devices within the enclave
    • The organization type (e.g., DoD, federal agency, contractor, etc.)
  • Identify Internetworking Operating System (IOS) version
  • Include the model number(s) and IPs of the devices on the diagram; diagram must show actual and planned interfaces to internal and external LANs or WANs (including backside connections)

NOTE: In accordance with DoD and DISA guidance, firewalls, IDSs and Wireless-IDSs (where applicable) are required on all partner enclaves. Private IP addresses (non-routable) are not permitted on SIPRNet enclaves. Indicate and label all of the devices, features, or information; minimum diagram size: 8.5" x 11".

The IA and IA-enabled products must be in the DoD UC Approved Products List and can be found at the DISA APLITS web page: https://aplits.disa.mil.

FAQs

Q: When is a GIG Waiver required?

A: A GIG waiver is required if DISA cannot provide the service and when at least one of the following is true:

  • The ISP connection is purchased with Appropriated Funds. Appropriated funds are government funds set aside for a specific use.
  • The connection will store, process, or transmit any DoD data.

A GIG Waiver is NOT required if ALL of the following are true:

  • The ISP connection is not purchased with appropriated funds.
  • The connection will not store, process, or transmit any DoD data.
  • The connection is physically and logically separated from the DISN.

Even if a GIG Waiver is not required, the DAA must perform a risk assessment endorsed by the facility or installation on file if the connection is co-located on the same premise as a DoD network.

Q: When does the OSD GIG Waiver Panel meet?

A: The OSD GIG Waiver Panel meets on the third Wednesday of every month. If you are scheduled for the panel and the panel date is rescheduled, the CAO will inform you of the change.

Q: Must I attend in person to present my brief to OSD or can a phone bridge be made available for me?

A: You can attend in person or via phone. The OSD secretariat will establish a phone bridge for the meeting. The CAO will request that you inform them of the names of who will be presenting and a contact number for the day of the meeting.

Q: I have an ISP connection co-located on the same premise as a DoD network; however, this connection is not paid for using appropriated funds and the connection is physically and logically separated from the DISN. Furthermore, it does not store, process, or transmit any DoD data. Does this require a waiver?

A: No, this does not require a waiver. However, the DAA must perform and have a risk assessment endorsed by the facility or installation command on file.

Q: What is a complete ISP waiver package?

A: A complete package includes the following:

  • Registration in SNAP
  • Completed brief
  • Waiver validation from the SRO
  • Independent verification of physical and logical separation from the DoD network may be required (must be signed by the Certifying Authority); for Stand-Alone only.
  • Accreditation (ATO/IATO/IATT and Scorecard)