Enterprise Connection Division: The Power to Connect

CONNECTION APPROVAL FAQS


This page contains frequently asked questions on both the unclassified and classified Connection Approval Process (CAP). Have a question? Submit it here.


General

Question: What is the purpose of the Connection Approval Process (CAP)?

Answer: The purpose of the Connection Approval Process (CAP) is to provide existing and potential Unclassified but Sensitive Internet Protocol Router Network (NIPRNET), DISN Asynchronous Transfer Mode System - Unclassified (DATMS-U), Systems Approval Process (SYSAPP), DISN Video Services (DVS), Defense Switched Network (DSN) and OSD Commercial Internet Waiver subscribers with the connectivity requirements that must be followed. To maintain system integrity, it is crucial that every user maintains the required standards for normal, secure connectivity. The information requested is used to support the certification and accreditation requirements of the DISN infrastructure, including the Regional Network Operations and Security Centers (RNOSCs), DoD Network Information Center (NIC), Department of Defense Computer Emergency Response Team (DoD CERT), and US Strategic Command (USSTRATCOM) Joint Task Force Global Network Operations (JTF-GNO).

Question: What does accreditation mean?

Answer: Accreditation is the formal declaration by the Designated Approving Authority (DAA) that an Information Technology (IT) system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk. Each Automated Information System (AIS) or network connected to the Unclassified Defense Information System Network (DISN) will be accredited to operate in accordance with the appropriate DAA-approved set of security safeguards. Accreditation must be documented in the DIACAP Scorecard.

Question: What does certification mean?

Answer: Certification is a comprehensive evaluation of the technical and non-technical security features of an IT system and other safeguards, made in support of the Accreditation process, to establish the extent that a particular design and implementation meets a set of specified security requirements.

Question: What is the difference between certification and accreditation?

Answer: Certification is the evaluation of the technical and non-technical security features of an information system. Certification is granted by the Certifying Authority. Accreditation is the formal approval to operate, which is granted by the Designated Approving Authority (DAA).

Question: What does the acronym DIACAP mean?

Answer: The Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) is the approach used for the Certification & Accreditation (C&A) of the Core Network. DIACAP is the standard DoD process for identifying information security requirements, providing security solutions, and managing information system security activities. This approach enhances the security of the Defense Information Infrastructure (DII) and reduces the resources necessary to provide and maintain the required level of security. Each community has a specific role in developing, procuring, employing and operating an IS with an acceptable level of residual risk.

Question: Can a contractor have access to the NIPRNET/DATMS-U?

Answer: Yes. The connection must be validated by the NIPRNET Service Manager and approved by OSD (NII). The sponsoring agency is responsible for validating the requirement, arranging funding, and providing a topology and narrative description of the system to the NIPRNET Service Manager. It must be a closed system and cannot be physically or logically connected to the contractor's corporate LAN/Internet connection.

Question: Who can be a DAA?

Answer: Usually a senior commissioned officer or senior government civilian (GS-15 or above). The DAA may be delegated in writing by a responsible senior authority. Consult your service/agency regulations for specific requirements.

Question: Why are the requirements for DAAs so stringent?

Answer: Designated Approving Authorities have a great deal of responsibility and authority over DoD information systems. DAAs must have a level of authority commensurate with accepting, in writing, the risk of operating the DoD information systems under their purview. They must have a degree of independence and objectivity that allows them to fulfill this role. A DAA must be both a U.S. citizen and a DoD employee. Further, DAAs may not also serve as certifying authorities for systems they accredit, since that would constitute a conflict of interest.

Question: Can a contractor have unfiltered access to SIPRNET sites?

Answer: No. All contractors must have filtered access. A contractor's access to resources (e.g., websites, ports, etc.) on SIPRNET is determined by their sponsor and authorized through DISA's disclosure authorization process.

Question: Where should the sponsor forward Disclosure Authorization (DA) forms?

Answer: DA forms are submitted to the DISA SIPRNET Monitoring Center at smc-cntr@disa.mil.

Question: Who provides email services to the contractor?

Answer: The sponsoring agency is responsible for providing email services to the contractor.

Question: Can a contractor have more than one government entity utilizing their SIPRNET connection?

Answer: Yes. This configuration can be administratively cumbersome and requires special approval from DISA. Each contract must operate on a separate subnet (one subnet per contract/per sponsor), and each sponsor is required to submit a sponsor package to the Joint Staff. A Memorandum of Understanding (MOU) between the sponsoring DoD agencies will be required. The primary sponsoring agency takes full responsibility for the circuit. "Need-to-know" must be established for each contract. The sub-agency accessing the circuit must understand that if the circuit is shut off for issues related to the prime sponsor, they too risk losing their access. Additionally, each sponsor will need to provide a validation package to the Joint Staff for their respective contractor.

Question: Can a contractor connect through another SIPRNET connection for access?

Answer: No. This is considered a "back door," which is not allowed. Contractors are prohibited from tapping into other SIPRNET connections for access. (Reference: http://iase.disa.mil/stigs/stig/)

Question: Can a contractor allow other organizations (government or contractor) to tap into their existing connection?

Answer: No. Same as above, no back door connections are allowed. (Reference: http://iase.disa.mil/stigs/stig)

Question: Are contractors required to be Information Assurance Vulnerability Alert (IAVA) compliant?

Answer: Yes. Contractors connected to DoD networks are required to be IAVA compliant. It is the responsibility of the sponsor to ensure IAVA compliance at contractor enclaves. (Reference: http://iase.disa.mil/stigs/stig/index.html)


New Connection - Reaccreditation

Question: Once I enter a circuit into the CAP database, is that all I need to do?

Answer: No. Every circuit that is entered into the CAP database must go through the DIACAP Process.

Question: How long is an accreditation good for?

Answer: An Authority to Operate (ATO) is good for 3 years. An Interim Authority to Operate (IATO) is good for 180 days at a time, with consecutive IATOs totaling no more than 360 days, per DIACAP (DoDI 8510.01). These dates are subject to change if the DAA directs a reaccreditation due to significant changes to your system.

Question: What is considered a significant change?

Answer: Anything that the DAA considers to impact the security of the system; typical examples are changing operating systems, processing a higher classification of information, or unauthorized users accessing the system.

Question: Why don't I have an Interim Approval to Connect / Approval to Connect (IATC/ATC)?

Answer: The most common reason for not having an IATC/ATC is that the customer has not submitted the proper documents which consist of an IATO / ATO, Consent to Monitor (CTM), and Network Topology. Another reason can be that information is missing from the registration or the accreditation has expired.

Question: Are there repercussions for an expired accreditation?

Answer: Yes. All unaccredited circuits are reported to the Joint Task Force Global Network Operations (JTF-GNO) for non-compliance with DoD policy, which may result in disconnection from the NIPRNET/DATMS-U/DVS/DSN Core.

Question: If I have no direct connection to the DSN Core, do I need an accreditation?

Answer: Yes. DoD Regulations require all DoD Circuits/Switches/Systems (network or stand-alone) to be accredited.

Question: Do all Unclassified DISN circuits have to be accredited?

Answer: Yes. All DATMS-U, DSN, DVS, NIPRNET, and STEP/Temporary/Exercise must be accredited.

Question: What is a Plan of Action and Milestones (POA&M)?

Answer: A POA&M identifies tasks to be accomplished in support of Certification and Accreditation (C&A). It details the resources required to accomplish the elements of the C&A, the milestone dates for meeting the tasks, and the scheduled completion dates for the tasks.
The purpose of a POA&M is to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and systems.
The POA&M is developed from security weaknesses and deficiencies identified during the security assessment of the system. The POA&M is submitted from the Program/Project Manager of the system to the Designated Approval Authority (DAA) to demonstrate the way forward with resolving areas of non-compliance.

Question: What documents are needed to continue a connection when the circuit expires?

Answer: The sponsoring agency will need to provide DISA with a valid Joint Staff letter, Approval to Operate (ATO), SIPRNET Connection Questionnaire (SCQ), and any additional supporting documentation at DISA's request. (Reference: http://iase.disa.mil/diacap/index.html)

Question: Who should the sponsoring agency contact in reference to circuit installation?

Answer: Please contact the SIPRNET service manager at 703-882-0191 or the SIPRNET Support Center 800-582-2567.

Question: Who should the sponsoring agency contact in reference to a circuit being looped-away (disconnected)?

Answer: DISA CCAO 703-882-1450 ccao@disa.mil, or DSS ODAA disn@dss.mil.

Question: Can a contractor extend their connection within their facility?

Answer: Yes. The contractor may extend their connection within their facility. The System Security Plan (SSP) must demonstrate how the line is protected while running through the facility.

Question: How can a contractor identify a Computer Network Defense (CND) Service Provider?

Answer: CND services are actions taken, within DoD, to protect, monitor, analyze, detect, and respond to unauthorized activity within DoD information systems and computer networks. CND protection activity employs information assurance principles and includes deliberate actions taken to modify an assurance configuration or a condition in response to a CND alert or threat information. DoD Directive 8530.1 and Instruction 8530.2 deal with the CND Service Provider requirements for all connections on the Global Information Grid (GIG).
Government Sponsors are responsible for ensuring their contractors are serviced by a CND Service Provider. In most cases the sponsor assumes CND Service Provider responsibilities.

SGS - SNAP

SIPRNet GIAP System (SGS)

Question: How long does it take to get an account approved and created?

Answer: Accounts are approved within 24 hours.

Question: So can we still email you the packages?

Answer: Now that we are using SGS v5.3, an SGS account is required: the customer must upload the package through their own SGS account.

Question: Was the old information migrated over?

Answer: The old information should have been migrated over, but records that were more than three years old and expired were not moved over.

Question: What artifacts were moved over from the old system?

Answer: Everything from the old system was moved over as far as account information and similar records, but not the old documents.

Question: Is there a suspense date for loading the artifacts to the new database?

Answer: It all depends on the accreditation. We recommend getting an account right away; you only need to update the artifacts when you need to request the accreditation.

Question: What is the difference between a connection, an account, and a registration?

Answer: An account refers to your SGS account. The registration we are talking about is registering your circuit in SGS. The connection would be your actual DISN connection request.

Question: Help me understand which tools are used for which task: SNAP, old SGS, new SGS, GIAP. Is there any automatic interaction with eMASS, etc.?

Answer: SNAP is NIPRNet only. SGS and GIAP are interchangeable; SGS stands for the SIPRNet GIAP System. There is no automatic interaction with eMASS at the moment, so you will still have to upload the eMASS document into either SNAP or SGS separately.

Question: On the scorecard, are you still accepting the digital signature?

Answer: Yes, either a physical, electronic, or eMASS signature.

Question: Are we required to submit a new 2875 even if we had an active account in the legacy system?

Answer: Yes. The account is moved over, but you do still need to submit the 2875; that is a requirement now.

Question: If I upload a new package and hit submit, who does it go to?

Answer: Once a package is submitted, it is sent to the Analyst Queue, where it awaits validation from the CIO. Once the package is validated, the Analyst will analyze the package and mark it compliant or noncompliant. It is then sent to the SIPR mailbox, where it is assigned to an analyst.

Question: We have not received a confirmation e-mail notifying us that our SGS account has been created. Why?

Answer: One reason why you might not have received an e-mail confirming the creation of your SGS account is that your request has been rejected. Please confirm that all the items in the request form were filled out.

Question: What types of roles are currently available within SGS?

Answer: There are two types of roles. One is the Organizational Role, which allows the individual to view all CCSDs in SGS for that specific organization; the other is the Validator Role, which allows the individual to validate the package being submitted for our approval.

Question: Sections 10.6, 10.9, and 10.10 in the circuit registration in SGS are items that we have not been required to submit in the past. Are we required to submit those items now?

Answer: SGS is designed to capture all types of connection requests, therefore it must list all the different items a connection request could be required to have. Where your circuit request does not require a specific item, the section must be acknowledged by checking "No" or "N/A".

Question: I am a contractor and I can't access the site in order to request a SGS account, who do I need to contact to get access?

Answer: If you are unable to access the website to request an SGS account, you will need to contact your DoD sponsor's helpdesk to get permission to access that specific site.

Topology

Question: Where can I find a more detailed outline of the Topology Requirements?

Answer: A more detailed list of the Topology Requirements is available in the Connection Process Guide.

Question: In the example given in the Topology Requirement CBT there is VOIP, how do we capture video as well?

Answer: Customers are to include a video switch in their enclave for accreditation.

Question: When including both voice and video in our enclave, do we separate them or combine them?

Answer: Separating the voice and video in the enclave makes the Topology simpler to understand and analyze.

Question: If I am installing VOIP in an already accredited network with an ATC do I need to acquire a new ATC?

Answer: Yes. The package must be resubmitted with the changes being made, because they can affect the security posture of the network.

Question: In an independent phase, is it required to show the internal piece of the external connection even though the connection is not owned by the requestor?

Answer: No, it is not required. It just needs to show that the network is connected to it by going to the gateway of the external connection's enclave.

Question: Do we need to show every item and device in the Topology?

Answer: No, showing the IP scan should be sufficient.

Question: Are kiosk-type systems acceptable as part of the connection package?

Answer: Yes, if they will be connecting to the DISN.

Question: IP addresses, are we supposed to encrypt them from the high side or low side?

Answer: We take them either way.

Question: There is nothing that indicates a VPN-ID, is there a specific way we are to show that in our drawing?

Answer: Use the Topology templates provided and send a request to NSC1, who will coordinate with each requestor in regards to their request.

Question: When will we receive the VPN-ID?

Answer: The VPN-ID will be given once the package goes through provisioning.

Question: Will the CCO require our diagrams to mirror the Topology templates provided?

Answer: No, they do not; the templates are merely to show the necessary information that is required in the Topology diagram.

Question: Where are the DISN templates located?

Answer: Multiple examples are within the Connection Process Guide, and templates are available on the Topology Requirements training page.

Question: Can the Topology diagram be submitted in Visio format?

Answer: Yes, it can. It can be submitted in Word, PowerPoint, Visio, or any other similar format.

Question: If the diagram is too detailed, how do I fit all the items in the same page?

Answer: Put a square box in the diagram around the area of the network for which you are seeking connection approval. Required information may also be submitted in a table supporting the diagram.

Question: Are a firewall and Intrusion Detection System (IDS) required for a SIPRNET connection?

Answer: Yes. All enclaves connecting to the SIPRNET must implement a firewall and IDS. (Reference: DoD Instruction 8500.2 and the Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG), http://iase.disa.mil/stigs/stig/index.html)

Question: Can the firewall and IDS reside on the same device?

Answer: No. The firewall and IDS must be physically located on separate hardware devices. (Reference: http://iase.disa.mil/stigs/stig/index.html)

Question: Is the IDS also required to be NIAP EAL 4 approved?

Answer: No. The IDS must be NIAP EAL 2 approved. (Reference: http://iase.disa.mil/stigs/stig/index.html)

Question: Who should the sponsoring agency or contractor contact for information regarding the firewall/IDS?

Answer: For information regarding firewall/IDS specifications and installation, refer to www.niap-cevs.org or contact the DISA Field Security Operations (FSO) helpdesk via email at fso_spt@disa.mil.

Waivers

Question: When is a GIG Waiver required?

Answer: A GIG waiver is required if DISA cannot provide the service and at least one of the following is true:

  • The ISP connection is purchased with appropriated funds (appropriated funds are government funds set aside for a specific use).
  • The connection will store, process, or transmit any DoD data.

A GIG Waiver is NOT required if ALL of the following are true:

  • The ISP connection is not purchased with appropriated funds.
  • The connection will not store, process, or transmit any DoD data.
  • The connection is physically and logically separated from the DISN.

Even if a GIG Waiver is not required, the DAA must perform a risk assessment, endorsed by the facility or installation command, and keep it on file if the connection is co-located on the same premises as a DoD network.

Question: When does the OSD GIG Waiver Panel meet?

Answer: The OSD GIG Waiver Panel meets on the third Wednesday of every month. If you are scheduled for the panel and the panel date is rescheduled, the CAO will inform you of the change.

Question: Must I attend in person to present my brief to OSD or can a phone bridge be made available for me?

Answer: You can attend in person or via phone. The OSD secretariat will establish a phone bridge for the meeting. The CAO will ask you for the names of those who will be presenting and a contact number for the day of the meeting.

Question: I have an ISP connection co-located on the same premises as a DoD network; however, this connection is not paid for using appropriated funds and the connection is physically and logically separated from the DISN. Furthermore, it does not store, process, or transmit any DoD data. Does this require a waiver?

Answer: No, this does not require a waiver. However, the DAA must perform and have a risk assessment endorsed by the facility or installation command on file.

Question: What is a complete ISP Waiver package?

Answer: A complete package includes the following:

  • Registration in SNAP
  • Completed brief
  • Waiver validation from the SRO
  • Independent verification of physical and logical separation from the DoD network, signed by the Certifying Authority (for stand-alone connections only; may be required)
  • Accreditation (ATO\IATO\IATT and Scorecard)

Cross Domain Solutions

Question: Can you explain the CDTAB decision process?

Answer: The CDTAB meets once a month to review tickets, on the fourth Thursday of every month. Tickets are then presented to the DSAWG, and then the Flag Panel meets once a month for final approval.

Question: Do DREN networks fit in with CDS?

Answer: DREN networks connecting to other networks have come before the panel before; those connections deal with policy and are better answered by the DSAWG when they get to that level. Contact your service CDSE regarding this policy for specific guidance.

Question: Where can I find a list of approved CDS hardware?

Answer: There is a page of web links at the end of the training, including a link to the UCDMO site. There are actually two lists: guards that are approved, and guards on a sunset list that will be taken offline by the end of October next year.

Question: How long does it take to be accredited?

Answer: It is not a hard and fast process. On average, it takes about 9 months to receive a 1-year accreditation. If your CDS requires review with NSA, that will lengthen the process.

Question: What is needed for yearly CDS reaccreditation?

Answer: A one-time review. See Connection Process Guide (CPG) Appendix K for more details.

Question: What about reaccreditation for multiple locations or sites?

Answer: It is required to receive an accreditation or reaccreditation for each site.

Question: Why does everything need to go through the CDSE?

Answer: The CDSE needs to be aware of your mission requirement to implement a Cross Domain Solution, so that it can assist you with submitting the required documentation and coordinate the monthly CDSE meetings. The CDS team reviews all of the documentation, but the CDSE acts as the main point of contact for the CDS mission and will assist you in ensuring you have all of the requirements in place.

Question: What if the connection is between classified networks belonging to different departments?

Answer: It is evaluated on a case-by-case basis for approval. The best starting point would be your CDSE; see what they say based on which networks you are connecting.

Question: What about RDAC training sessions?

Answer: Your CDSE can put you in contact with the NSA, which offers a two-day training in the Ft. Meade area that gives a very good overview of the RDAC framework.

Scans

Question: I received results from a semiannual scan, but some of the recipients no longer work for/with my site. What do I need to do to get this changed?

Answer: If the POCs or site information for the CCSD change, please log on to the SGS database at https://giap.disa.smil.mil/gcap/home.cfm and update the POCs for the respective CCSD.

Question: What do I need to do to prepare for the CTO Scans?

Answer: Review the posted monthly CTO scan schedule, available on SIPRNet at http://www.disa.smil.mil/connect/schedule and/or https://www.cybercom.smil.mil/j3/pages/IPsonarmappingschedule.aspx. If your site is listed for the upcoming month, ensure that the IP address listed in CTO 07-09 is configured to "allow" in all Access Control Lists (ACLs), the Host Based Security System (HBSS), and the Intrusion Detection System (IDS).
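A common reason a site fails an announced scan despite "allowing" the scanner is ACL ordering: a broader deny placed ahead of the permit silently shadows it, because routers evaluate ACL entries top-down and stop at the first match. The following Python is an added example, not DISA tooling or code from this FAQ: it parses a constructed, simplified Cisco IOS extended ACL and reports whether a given scanner source address hits a permit before any deny (including the implicit deny at the end). The scanner address is a placeholder; substitute the address published in the CTO itself.

```python
"""Check whether a scanner source address is permitted by an inbound ACL.

Added example for the CTO scan preparation answer; not DISA's tooling.
The ACL below is constructed in simplified IOS extended-ACL syntax and the
scanner address is a placeholder (use the address listed in the CTO).
"""
import ipaddress
import re

# Constructed sample ACL (not from any real device). First match wins and,
# as on IOS, there is an implicit "deny ip any any" after the last line.
SAMPLE_ACL = """
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any
access-list 101 permit ip host 203.0.113.10 any
access-list 101 permit ip 198.51.100.0 0.0.0.255 any
access-list 101 deny   ip any any
"""

# Placeholder for the scanner source address published in the CTO.
SCANNER_IP_PLACEHOLDER = "203.0.113.10"

_RULE = re.compile(
    r"access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>host\s+\S+|any|\S+\s+\S+)\s+(?P<dst>.*)$"
)


def _source_network(spec: str) -> ipaddress.IPv4Network:
    """Translate an IOS source spec (host X, any, or addr wildcard) to a network."""
    parts = spec.split()
    if parts[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.IPv4Network(f"{parts[1]}/32")
    addr, wildcard = parts
    # IOS wildcard masks are the bitwise inverse of a subnet mask.
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def parse_acl(text: str) -> list:
    """Return [(action, source_network), ...] in the order the device evaluates them."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _RULE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACL line: {line!r}")
        rules.append((m.group("action"), _source_network(m.group("src"))))
    return rules


def first_match(rules, src_ip: str) -> tuple:
    """Return (action, index) of the first rule matching src_ip.

    Index -1 with 'deny' means no explicit entry matched and the implicit
    deny at the end of the ACL fired.
    """
    ip = ipaddress.IPv4Address(src_ip)
    for i, (action, net) in enumerate(rules):
        if ip in net:
            return action, i
    return "deny", -1


def scanner_allowed(acl_text: str, scanner_ip: str) -> bool:
    """True only when the scanner address reaches a permit before any deny."""
    action, _ = first_match(parse_acl(acl_text), scanner_ip)
    return action == "permit"


def diagnose(acl_text: str, scanner_ip: str) -> str:
    """Human-readable verdict, naming the shadowing deny when there is one."""
    action, idx = first_match(parse_acl(acl_text), scanner_ip)
    if action == "permit":
        return f"{scanner_ip} permitted by entry {idx}"
    if idx == -1:
        return f"{scanner_ip} blocked by the implicit deny; add a permit entry"
    return f"{scanner_ip} blocked by explicit deny at entry {idx}; move the permit above it"


if __name__ == "__main__":
    print(diagnose(SAMPLE_ACL, SCANNER_IP_PLACEHOLDER))
    print(diagnose(SAMPLE_ACL, "192.0.2.7"))
```

Run the same check against the HBSS and IDS exception lists as well: the FAQ requires the scanner address to be allowed in all three, and a permit on the router alone does not stop a host firewall policy from dropping the probes.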

Question: I received a failure on an Unannounced/Announced scan. What steps do I need to take now?

Answer: For unannounced scans, review your boundary protection systems to ensure they are locked down as much as possible. For announced scans, review the CAT I findings and fix or mitigate them. Once these items have been addressed, contact the CAO Scan Team to schedule an ad hoc scan.