Enterprise Connection Division: The Power to Connect

REMOTE COMPLIANCE MONITORING


Vulnerability Scanning

Per Communications Tasking Order (CTO) 07-09, the Defense Information Systems Agency Enterprise Connection Division vulnerability scanning team is assigned the mission of assessing the perimeter defense-in-depth stance and vulnerabilities of every SIPRNet Command Communications Service Designator (CCSD) semi-annually.

Scan Types

In accordance with the requirements outlined in CTO 07-09, the vulnerability scanning team conducts two distinct scan actions on a semi-annual basis: unannounced scans and announced scans.

  • For unannounced scans, the CCSD's circuit perimeter is tested with penetration tools in order to assess its ability to deny intrusion from an unknown source.
  • An announced scan focuses on the CCSD using a known or "trusted" IP address, and assesses the current state of machines within the CCSD. The trusted IP is identified in CTO 07-09 for reference.
  • In addition to these scans, the team also conducts IATT scans for new connection requests, and ad hoc scanning at the request of partner organizations.

 

NOTE: Partners must review the monthly CTO scan schedule, available on SIPRNet at http://www.disa.smil.mil/connect/schedule and/or https://www.cybercom.smil.mil/j3/pages/IPsonarmappingschedule.aspx.

  • All scan results are added to the Global Information Grid (GIG) Interconnection Approval Process (GIAP) database for review and sent to the CCSD points of contact via email.

 

Unannounced Scan

  • All semiannual scans mandated by CTO 07-09 are first scanned as Unannounced (penetration testing).
  • Performed from a server which uses an unknown IP, rather than the IP given in CTO 07-09, in an attempt to ascertain the defense-in-depth stance of the site's enclave/circuit.
  • Passing results are attained when none of the devices on the inside of the network can be identified. Should any devices be identifiable within the internal network, it will be considered a failure of the perimeter's defense.
  • If the scan is a failure, the results will be uploaded into GIAP and sent to the CCSD POCs for review and mitigation.

 

Announced Scan

  • Any site that passes the Unannounced CTO 07-09 scan is then required to undergo an Announced Scan.
  • Performed from a server with the CTO 07-09 IP address.
  • Passing results are attained when no Category (CAT) I vulnerabilities are found IAW current STIGs. Should any CAT I vulnerabilities be found, or should the announced scan be unable to access the circuit, the result will be a failure. The Enterprise Connection Division provides letters on the details of all failed scan results to mission partners, based on the POCs listed in SGS.
  • Results will be uploaded into GIAP and sent to the CCSD POCs for review and mitigation.

 

IATT Scan

  • Performed on all new SIPR circuit requests as a requirement for an Authority to Connect/Interim Authority to Connect (ATC/IATC).
  • IATT scan uses the same criteria as an announced scan.
  • Please reference the IATT Process Checklist below.

 

AD HOC Scan

  • Sites that fail any type of scan may request a rescan be conducted.
  • The AD HOC scan will begin with the scan that failed (i.e. a failed Announced Scan would not be subject to an Unannounced scan).
  • The requirements for pass/fail remain the same as the original scan.
  • An AD HOC Scan typically takes up to 8 business days to complete, but may require more time depending on network size.

 

Frequently Asked Questions (FAQs)


Q: I received results from a semiannual scan, but some of the recipients no longer work for/with my site. What do I need to do to get this changed?

A: If the POCs or site information for the CCSD change, please log on to the SGS database at https://giap.disa.smil.mil/gcap/home.cfm and update the POCs for the respective CCSD.

Q: What do I need to do to prepare for the CTO Scans?

A: Review the posted monthly CTO scan schedule, available on SIPRNet at http://www.disa.smil.mil/connect/schedule and/or https://www.cybercom.smil.mil/j3/pages/IPsonarmappingschedule.aspx. If your site is listed for the upcoming month, ensure that the IP address listed in CTO 07-09 is configured to "allow" in all Access Control Lists (ACLs), the Host Based Security System (HBSS) and the Intrusion Detection System (IDS).

Q: I received a failure on an Unannounced/Announced scan. What steps do I need to take now?

A: For unannounced scans, review your boundary protection systems to ensure they are locked down as much as possible. For Announced scans, review the CAT I findings and fix/mitigate them. Once these items have been addressed, you should contact the CAO Scan Team to schedule an AD HOC scan.

 

IATT Process Checklist

To be completed PRIOR to an initial scan for ATC/IATC issuance:
1. Equipment installed, configured, and turned on.
2. 72 hr. burn-in completed by IT&A.
3. Per CTO 07-09, SIPRNet Connection Approval Office (SCAO) "Announced" IP Address configured in the firewall(s) and router(s) ACL to allow access for inbound and outbound traffic.
4. At least (1) server, workstation, or laptop with at least (1) port, protocol or service enabled. (Please refer to PPSM for allowed ports and protocols: disa.meade.ns.mbx.ppsm@mail.mil)
5. HBSS disabled for initial scan, or SCAO's "Announced" IP Address added to the HBSS allowed IPs.
6. Windows firewall disabled on the target system(s) for the initial scan.

 

Points of Contact

CAO Remote Compliance Monitoring Contact Information
NIPR Scan Email: disa.meade.ns.mbx.caoscans@mail.mil
SIPR Scan Email: disa.meade.ns.mbx.caoscans@mail.smil.mil
Phone (Commercial): 301-225-2902
Phone (DSN): 312-375-2902

 

IT&A Contact Information
Phone (Commercial): 618-220-9041

 

SIPR NOC Contact Information
Phone (Commercial): 618-220-9980