Question: What is the purpose of the Connection Approval Process (CAP)?
Answer: The purpose of the Connection Approval Process (CAP) is to provide existing and potential Unclassified but Sensitive Internet Protocol Router Network (NIPRNET), DISN Asynchronous Transfer Mode System - Unclassified (DATMS-U), Systems Approval Process (SYSAPP), DISN Video Services (DVS) Defense Switched Network (DSN) and OSD Commercial Internet Waiver subscribers with connectivity requirements that must be followed. To maintain system integrity, it is crucial that every user maintains the required standards for normal, secure connectivity. The information requested is used to support the certification and accreditation requirements of the DISN infrastructure, including the Regional Network Operations and Security Centers (RNOSCs), DoD Network Information Center (NIC), and the Department of Defense Computer Emergency Response Team (DoD CERT). Question: What does accreditation mean?
Answer: Accreditation is the formal declaration by the Authorizing Official (AO), formerly the Designated Accrediting Authority (DAA), that an Information Technology (IT) system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk. Each Automated Information System (AIS) or network connected to the Unclassified Defense System Information Network (DISN) will be accredited to operate in accordance with the appropriate AO/DAA-approved set of security safeguards. The accreditation is usually documented in the DIACAP Scorecard, but may also be accepted as an Interim/Authority to Operate (I/ATO) AO/DAA signed letter. Question: What does certification mean?
Answer: Certification is a comprehensive evaluation of the technical and non-technical security features of an Information Technology (IT) system and other safeguards, made in support of the Accreditation process, to establish the extent that a particular design and implementation meets a set of specified security requirements. Question: What is the difference between certification and accreditation?
Answer: Certification is the evaluation of the technical and non technical security features of an information system. Certification is granted by the Certifying Authority. Accreditation is the formal approval to operate which is granted by the Authorizing Official (AO)/Designated Accrediting Authority (DAA). Question: What does the acronym DIACAP mean?
Answer: The Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) is the approach used for the Certification & Accreditation (C&A) of the Core Network. DIACAP is the standard DoD process for identifying information security requirements, providing security solutions, and managing information system security activities. This approach enhances the security of the Defense Information Infrastructure (DII) and reduces the resources necessary to provide and maintain the required level of security. Each community has a specific role in developing, procuring, employing and operating an IS with an acceptable level of residual risk. Question: Can a contractor have access to the NIPRNET?
Answer: Yes. The connection must be validated by the NIPRNET Service Manager and approved by OSD (NII). The sponsoring agency is responsible for validating the requirement, arranging funding and providing a topology and narrative description of the system to the NIPRNET Service Manger. It must be a closed system and cannot be physically or logically connected to the contractor corporate LAN/Internet connection.
Question: Who can be an Authorizing Official (AO)/Designated Accrediting Authority (DAA)?
Answer: Usually a senior commissioned officer or senior government civilian (GS-15 or above). The AO/DAA may be delegated in writing by a responsible senior authority. Consult your service/agency regulations for specific requirements. Question: Why are the requirements for Authorizing Official’s (AO’s)/Designated Accrediting Authorities (DAA’s) so stringent?
Answer: Authorizing Official’s (AO’s)/Designated Approving Authorities (DAA’s) have a great deal of responsibility and authority over DoD information systems. DAAs must have a level of authority commensurate with accepting, in writing, the risk of operating DoD information systems under their purview. They must have a degree of independence and objectivity that allows them to fulfill this role. A DAA must be both a U.S. citizens and a DoD employee. Further, DAAs may not also serve as certifying authorities for systems they accredit since that would constitute a conflict of interests. Question: Can a contractor have unfiltered access to SIPRNET sites?
Answer: No. All contractors must have filtered access. Contractor’s access to resources (i.e., websites, ports and etc.) on SIPRNET is determined by their sponsor and authorized through DISA’s disclosure authorization process.
Question: Where should the sponsor forward Disclosure Authorization (DA) forms?
Answer: DA forms are submitted to the DISA SIPRNET Monitoring Center at email@example.com
. Question: Who provides email services to the contractor?
Answer: The sponsoring agency is responsible for providing email services to the contractor. Question: Can a contractor have more than one government entity utilizing their SIPRNET connection?
Answer: Yes. This configuration can be administratively cumbersome and requires special approval from DISA. Each contract must operate on a separate subnet (subnet per contract/per sponsor) and each sponsor is required to submit a sponsor package to the Joint Staff. Implementation of a Memorandum of Understanding (MOU) between the sponsoring DoD agencies will be required. The primary sponsoring agency takes full responsibility for the circuit. “Need-to- know” must be established for each contract. Additionally, the subagency accessing the circuit must understand that if the circuit is shut off for issues related to the prime sponsor they too risk losing their access. Additionally, each sponsor will need to provide a validation package to the Joint Staff for their respective contractor.Question: Can a contractor connect through another SIPRNET connection for access?
Answer: No. This is considered a “back door,” which is not allowed. Contractors are prohibited from tapping into other SIPRNET connection for access. (Reference: http://iase.disa.mil/stigs/stig/
) Question: Can a contractor allow other organizations (government or contractor) to tap into their existing connection?
Answer: No. Same as above, no back door connections are allowed. (Reference: http://iase.disa.mil/stigs/stig
) Question: Are contractors required to be Information Assurance Vulnerability Alert (IAVA) compliant?
Answer: Yes. Contractors connected to DoD networks are required to be IAVA compliant. It is the responsibility of the sponsor to ensure IAVA compliance at contractor enclaves. (Reference: http://iase.disa.mil/stigs/stig/index.html) STEP Missions Question: What documents are required for a STEP mission?
Answer: For STEP missions, we only require an ATO or Scorecard signed by the DAA, a Topology, and a GAA. These artifacts must be registered in SGS and submitted to the CAO for an ATC/IATC.