Enterprise Connection Division: The Power to Connect

CONNECTION APPROVAL FAQS

PRINT PAGE Add This

This page contains frequently asked questions on both the unclassified and classified Connection Approval Process (CAP). Have a question? Submit it here.

Expand each tab to read questions and answers on each topic below.

General Connection Approval
Question: What is the purpose of the Connection Approval Process (CAP)?

Answer: The purpose of the Connection Approval Process (CAP) is to provide existing and potential Unclassified but Sensitive Internet Protocol Router Network (NIPRNET), DISN Asynchronous Transfer Mode System - Unclassified (DATMS-U), Systems Approval Process (SYSAPP), DISN Video Services (DVS) Defense Switched Network (DSN) and OSD Commercial Internet Waiver subscribers with connectivity requirements that must be followed. To maintain system integrity, it is crucial that every user maintains the required standards for normal, secure connectivity. The information requested is used to support the certification and accreditation requirements of the DISN infrastructure, including the Regional Network Operations and Security Centers (RNOSCs), DoD Network Information Center (NIC), and the Department of Defense Computer Emergency Response Team (DoD CERT).

Question: What does accreditation mean?

Answer: Accreditation is the formal declaration by the Authorizing Official (AO), formerly the Designated Accrediting Authority (DAA), that an Information Technology (IT) system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk. Each Automated Information System (AIS) or network connected to the Unclassified Defense System Information Network (DISN) will be accredited to operate in accordance with the appropriate AO/DAA-approved set of security safeguards. The accreditation is usually documented in the DIACAP Scorecard, but may also be accepted as an Interim/Authority to Operate (I/ATO) AO/DAA signed letter.

Question: What does certification mean?

Answer: Certification is a comprehensive evaluation of the technical and non-technical security features of an Information Technology (IT) system and other safeguards, made in support of the Accreditation process, to establish the extent that a particular design and implementation meets a set of specified security requirements.

Question: What is the difference between certification and accreditation?

Answer: Certification is the evaluation of the technical and non technical security features of an information system. Certification is granted by the Certifying Authority. Accreditation is the formal approval to operate which is granted by the Authorizing Official (AO)/Designated Accrediting Authority (DAA).

Question: What does the acronym DIACAP mean?

Answer: The Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) is the approach used for the Certification & Accreditation (C&A) of the Core Network. DIACAP is the standard DoD process for identifying information security requirements, providing security solutions, and managing information system security activities. This approach enhances the security of the Defense Information Infrastructure (DII) and reduces the resources necessary to provide and maintain the required level of security. Each community has a specific role in developing, procuring, employing and operating an IS with an acceptable level of residual risk.

Question: Can a contractor have access to the NIPRNET?

Answer: Yes. The connection must be validated by the NIPRNET Service Manager and approved by OSD (NII). The sponsoring agency is responsible for validating the requirement, arranging funding and providing a topology and narrative description of the system to the NIPRNET Service Manger. It must be a closed system and cannot be physically or logically connected to the contractor corporate LAN/Internet connection.

Question: Who can be an Authorizing Official (AO)/Designated Accrediting Authority (DAA)?

Answer: Usually a senior commissioned officer or senior government civilian (GS-15 or above). The AO/DAA may be delegated in writing by a responsible senior authority. Consult your service/agency regulations for specific requirements.

Question: Why are the requirements for Authorizing Official’s (AO’s)/Designated Accrediting Authorities (DAA’s) so stringent?

Answer: Authorizing Official’s (AO’s)/Designated Approving Authorities (DAA’s) have a great deal of responsibility and authority over DoD information systems. DAAs must have a level of authority commensurate with accepting, in writing, the risk of operating DoD information systems under their purview. They must have a degree of independence and objectivity that allows them to fulfill this role. A DAA must be both a U.S. citizens and a DoD employee. Further, DAAs may not also serve as certifying authorities for systems they accredit since that would constitute a conflict of interests.

Question: Can a contractor have unfiltered access to SIPRNET sites?

Answer: No. All contractors must have filtered access. Contractor’s access to resources (i.e., websites, ports and etc.) on SIPRNET is determined by their sponsor and authorized through DISA’s disclosure authorization process.

Question: Where should the sponsor forward Disclosure Authorization (DA) forms?

Answer: DA forms are submitted to the DISA SIPRNET Monitoring Center at disa.scott.conus.mbx.smc-cntr@mail.smil.mil.

Question: Who provides email services to the contractor?

Answer: The sponsoring agency is responsible for providing email services to the contractor.

Question: Can a contractor have more than one government entity utilizing their SIPRNET connection?

Answer: Yes. This configuration can be administratively cumbersome and requires special approval from DISA. Each contract must operate on a separate subnet (subnet per contract/per sponsor) and each sponsor is required to submit a sponsor package to the Joint Staff. Implementation of a Memorandum of Understanding (MOU) between the sponsoring DoD agencies will be required. The primary sponsoring agency takes full responsibility for the circuit. “Need-to- know” must be established for each contract. Additionally, the subagency accessing the circuit must understand that if the circuit is shut off for issues related to the prime sponsor they too risk losing their access. Additionally, each sponsor will need to provide a validation package to the Joint Staff for their respective contractor.

Question: Can a contractor connect through another SIPRNET connection for access?

Answer: No. This is considered a “back door,” which is not allowed. Contractors are prohibited from tapping into other SIPRNET connection for access. (Reference: http://iase.disa.mil/stigs/stig/)

Question: Can a contractor allow other organizations (government or contractor) to tap into their existing connection?

Answer: No. Same as above, no back door connections are allowed. (Reference: http://iase.disa.mil/stigs/stig)

Question: Are contractors required to be Information Assurance Vulnerability Alert (IAVA) compliant?

Answer: Yes. Contractors connected to DoD networks are required to be IAVA compliant. It is the responsibility of the sponsor to ensure IAVA compliance at contractor enclaves. (Reference: http://iase.disa.mil/stigs/stig/index.html)

STEP Missions

Question: What documents are required for a STEP mission?

Answer: For STEP missions, we only require an ATO or Scorecard signed by the DAA, a Topology, and a GAA. These artifacts must be registered in SGS and submitted to the CAO for an ATC/IATC.
New Connection - Reaccreditation
Question: Once I enter a circuit into the SNAP and SGS, is that all I need to do?

Answer: No. Every circuit that is entered into the SNAP or SGS database must go through the DIACAP (or equivalent for Non-DoD and Contractors) Process. Once your circuit is registered in the SNAP or SGS database, to include the uploading of the Executive DIACAP package, the CAO Analyst will review the package for compliance and completion.

Question: How long is an accreditation good for?

Answer: An Authority to Operate (ATO) is good for up to three years and an Interim Authority to Operate (IATO) is good for up to 180 days at a time. Consecutive IATOs must not total more than 360 days per DIACAP 8510.01. These dates are subject to change if the Authorizing Official (AO)/Designated Accrediting Authority (DAA) directs a reaccreditation due to significant changes to your system. The DAA determines the length of the accreditation.

Question: What is considered a significant change?

Answer: Anything that the Authorizing Official (AO)/Designated Accrediting Authority (DAA) thinks impacts the security posture of the system, usually changing operating systems, processing higher classification of information, unauthorized users accessing the system, architecture changes requiring re-accreditation, movement of the enclave to a new location, changes in risk posture, etc., that may cause a modification in the IA status of the system/enclave or if the connection is no longer needed. If the AO/DAA determines that a circuit with a current ATC/IATC has had a significant change that requires reaccreditation, the CAO must be notified and a new ATC/IATC will be issued based on the AO’s/DAA’s new accreditation decision.

Question: Why don't I have an Interim Approval to Connect / Approval to Connect (IATC/ATC)?

Answer: The most common reason for not having an IATC/ATC is because the customer has not submitted the proper documents which consist of a Scorecard or an IATO / ATO, SIP, Consent to Monitor (CTM), Network Topology, and POA&M, if necessary. Another reason can be that information is missing from the registration or the accreditation has expired.

Question: Are there repercussions for an expired accreditation?

Answer: Yes. All unaccredited circuits are sent to the United States Cyber Command (USCC) for non-compliance of DoD Policy, which may result in disconnection from the NIPRNET/SIPRNet DoDIN.

Question: If I have no direct connection to the DISN Core, do I need an accreditation?

Answer: Yes. DoD Regulations require all DoD Circuits/Switches/Systems (network or stand-alone) to be accredited.

Question: Do all Unclassified DISN circuits have to be accredited?

Answer: Yes. All DSN, DVS, NIPRNET, and STEP/Temporary/Exercise must be accredited.

Question: What is a Plan of Action and Milestones (POA&M)?

Answer: A POA&M identifies tasks to be accomplished in support of Certification and Accreditation (C&A). It details resources required to accomplish the elements of the C&A, any milestones-dates in meeting the tasks, and scheduled completion dates for the tasks.
The purpose of a POA&M is to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and systems, along with corrective efforts for those vulnerabilities. The POA&M is developed from security weaknesses and deficiencies identified during the security assessment of the system. The POA&M is submitted from the Program/Project Manager of the system to the Authorizing Official (AO)/Designated Accrediting Authority (DAA) to demonstrate the way forward with resolving areas of non-compliance.

Question: Where should the sponsor forward Disclosure Authorization (DA) forms?

Answer: DA forms are submitted to the DISA SIPRNET Monitoring Center at disa.scott.conus.mbx.smc-cntr@mail.smil.mil.

Question: What documents are needed to continue a connection when the circuit expires?

Answer: The Mission Partner will need to submit the Executive DIACAP package, to include a Topology and Consent To Monitor (CTM) and make any necessary updates to the circuit registration in SNAP or SGS. If the circuit has been disconnected by United States Cyber Command (USCC), then the Mission Partner must receive connection approval prior to the circuit getting re-connected.

Question: Who should the sponsoring agency contact in reference to circuit installation?

Answer: Mission Partners requiring a new connection to the DISN and its services must use the DISA Direct Order Entry (DDOE) request fulfillment process to initiate the provisioning requirement and circuit activation (go to https://www.disadirect.disa.mil/products/asp/welcome.asp for further information and guidance). The Telecommunications Service Request (TSR) and Telecommunication Service Order (TSO) processes involve the ordering, engineering, acquisition, and installation of the circuit and equipment necessary to connect to the DoDIN.

Question: Who should the sponsoring agency contact in reference to a circuit being looped-away (disconnected)?

Answer: Vincent Mincey
USCYBERCOM J3F
DODIN Connection Manager
443-654-5117
DODIN_CTK_MGMT@NSA.GOV
DODIN_CTK_MGMT@NSA.SMIL.MIL


Question: Can a contractor extend their connection within their facility?

Answer: Yes. The contractor may extend their connection within their facility. The System Security Plan (SSP) must demonstrate how the line is protected while running through the facility.

Question: How can a contractor identify a Computer Network Defense (CND) Service Provider?

Answer: CND services are actions taken, within DoD, to protect, monitor, analyze, detect, and respond to unauthorized activity within DoD information systems and computer networks. CND protection activity employs information assurance principals and includes deliberate actions taken to modify an assurance configuration or a condition in response to a CND alert or threat information. DoD Directive 8530.1 and Instruction 8530.2 deal with the CND Service Provider requirements for all connections on the Global Information Grid (GIG).
Government Sponsors are responsible for ensuring their contractors are serviced by a CND Service Provider. In most cases the sponsor assumes CND Service Provider responsibilities.

Question: What are the most seen discrepancies resulting in a receipt\rework for a submitted CAP package?

Answer: The top five issues observed include:

1. Scorecard not signed by the AO/DAA
2. Scorecard expired
3. Missing the vendor, model, and/or S/W IOS release version on the Topology for IA enabled network Security devices
4. The IA controls identified on the POA&M do not match or are missing when compared to the Scorecard
5. Open CAT II findings exceeding 180 days

Additionally we often find documents are missing or the wrong document is uploaded.

Question: Is the SCQ still required for SIPR circuits?

Answer: No, since we migrated to the new version of GIAP/SGS in January 2013, the information contained in the SCQ is now entered directly into the database.

Question: If my accreditation is about to expire, and I have not uploaded my package yet, can I get an extension?

Answer: No. DISA is not permitted to extend an accreditation beyond the ATD date approved by your Authorizing Official (AO)/Designated Authorizing Authority (DAA).
SGS - SNAP
SIPRNet GIAP System (SGS)

Question: How long does it take to get an account approved and created?

Answer: Accounts are approved within 24 hours.

Question: Can Mission Partners still email the packages to the CAO?

Answer: Packages should be uploaded to SGS. If, however, the Mission Partner is unable to upload the package to SGS, they should contact their DoD sponsor for assistance.

Question: What is the difference between a connection, an account, and a registration?

Answer: An account refers to your SGS account to gain access to the database. The registration refers to registering your circuit in SGS. The connection would be your actual DoDIN connection request to DISA Direct Order Entry (DDOE).

Question: Help me understand which tools are used for which task... SNAP, old SGS, new SGS, GIAP. Is there any automatic interaction with eMASS, etc.

Answer: SNAP is NIPRNet only. SGS/GIAP are interchangeable, SGS stands for the SIPRNet Global Information Grid Interconnection Approval Process System. There is no automatic interaction with eMass at the moment; you will still have to upload the required documentation into either SNAP or SGS separately.

Question: On the scorecard, are you still accepting the digital signature?

Answer: Yes, either physical, electronic, or eMass signature.

Question: If I upload a new package and hit submit, who does it go to?

Answer: Once a package is submitted it gets assigned to an analyst for processing.

Question: Why have we not received a confirmation e-mail notifying us that our SGS account has been created?

Answer: One reason why you might not have received an e-mail confirming the creation of your SGS account is because your request has been rejected. Please confirm that all the items in the request form were filled out. The other reason could be because your email address is incorrect.

Question: What types of roles are currently available within SGS?

Answer: There are four types of roles. One is the Organizational role – that will allow the individual to view all CCSDs in the SGS for that specific organization; the Validator role – which allows the individual to validate the package being submitted for our approval; the User role – which allows the individual to register and modify registration and the Global Read Only role – which allows the individual to view all CCSDs in SGS.

Question: Section 10.6, 10.9, and 10.10 in the circuit registration in SGS are items that we have not been required to submit in the past, are we required to submit those items now?

Answer: SGS is designed to capture all types of connect request, therefore it must list all the different items a connect request could be required to have. For situations where your circuit request does not require that specific item, the section must be acknowledged by checking “No” or “N/A."

Question: I am a contractor and I can't access the site in order to request an SGS account, who do I need to contact to get access?

Answer: If you are unable to access the website to request an SGS account you will need to contact your DOD sponsor.

Question: Where can I get a copy of an ATC/IATC letter?

Answer: When a connection request is approved in SNAP/SGS, the ATC/IATC letter is automatically generated and distributed to the POCs listed in Section 0. Only POCs registered in Section 0 of the SGS/SNAP registration can receive a copy of the letter.

Question: I am a Non-DoD entity and am trying to complete SGS registration but the attachments don’t seem relevant to me. Where do I upload the required documents outlined in the Connection Process Guide (CPG)?

Answer: In place of the Scorecard, upload the System Security Plan (SSP). In place of the DIACAP System Identification Profile (SIP), upload the Information System Profile (ISP) if it is not already contained in the SSP. The POA&M is not required and can be replaced with the Statement of Residual Risk (SRR), which must also be uploaded to its designated section. Please note that non-DoD connections require the Validation/Revalidation Letter (Appendix A & B of the CPG) and must be uploaded into the OSD Approval Memo section of SGS.
Topology
Question: Where can I find a more detailed outline of the Topology Requirements?

Answer: A more detailed list of the Topology Requirements is available in the Connection Process Guide.

Question: In the example given in the Topology Requirement CBT there is VOIP, how do we capture video as well?

Answer: Customers are to include a video switch in their enclave for accreditation.

Question: When including both voice and video in our enclave, do we separate them or combine them?

Answer: Separating both the voice and video in the enclave makes the Topology more simplistic to understand and analyze.

Question: If I am installing VOIP in an already accredited network with an ATC do I need to acquire a new ATC?

Answer: Yes, the package must be resubmitted with the changes being done because this can affect the security posture of the network.

Question: In an independent phase, is it required to show the internal piece of the external connection even though the connection is not owned by the requestor?

Answer: No, it is not required. It just needs to show that the network is connected to it by going to the gateway of the external connection's enclave.

Question: Do we need to show every item and device in the Topology?

Answer: No, showing the IP scan should be sufficient.

Question: Are Kiosk type systems acceptable as part of the connection package?

Answer: Yes, if they will be connecting to the DISN.

Question: Are we supposed to encrypt the IP Addresses from the high side or low side?

Answer: We receive the IP Addresses on both the high and the low side.

Question: There is nothing that indicates a VPN-ID, is there a specific way we are to show that in our drawing?

Answer: Use the Topology templates provided available in the Connection Process Guide and be sure to include the VPN ID, as well as the CCSD, Locations and IP Addresses.

Question: When will we receive the VPN -ID?

Answer: The VPN-ID will be given once the package goes through provisioning.

Question: Will the CAO require our diagrams to mirror the Topology templates provided?

Answer: No, they do not need to mirror the templates; the templates are merely to show the necessary information that is required in the Topology diagram.

Question: Where are the DISN topology templates located?

Answer: Multiple examples are in the Connection Process Guide and templates are available on the Topology Requirements training page - http://www.disa.mil/Services/Network-Services/Enterprise-Connections/Mission-Partner-Training-Program.

Question: Can the Topology diagram be submitted in Visio format?

Answer: Yes, it can. It can be submitted in Word, Power Point, Visio, or any other similar format.

Question: If the diagram is too detailed, how do I fit all the items in the same page?

Answer: Put a square box in the diagram for the area of the network (e.g., Accreditation Boundary) that you are seeking connection approval. Required information may also be submitted in a table supporting the diagram.

Question: Are a firewall and Intrusion Detection System (IDS) required for a SIPRNET connection?

Answer: Yes. All enclaves connecting to the SIPRNET must implement a firewall & IDS. (Reference: DoD Instruction 8500.2 and Defense Information System Agency (DISA) Security Technical Implementation Guide (STIG) http://iase.disa.mil/stigs/stig/index.html)

Question: Can the firewall and IDS reside on the same device?

Answer: No. The firewall and IDS must be physically located on separate hardware devices. (Reference: http://iase.disa.mil/stigs/stig/index.html)

Question: Is the IDS also required to be NIAP EAL 4 approved?

Answer: No. The IDS must be NIAP EAL 2 approved. (Reference: http://iase.disa.mil/stigs/stig/index.html)

Question: Who should the sponsoring agency or contractor contact for information regarding the firewall/IDS?

Answer: For information regarding firewall/IDS specifications and installation refer to www.niap-cevs.org or contact the DISA Field Security Operations (FSO) helpdesk via email at fso_spt@disa.mil.
Waivers
Question: Where can I find information on the waivers process?

Answer: You can find the waiver process outlined in the Connection Process Guide at the following webpage: http://www.disa.mil/Services/Network-Services/Enterprise-Connections/Connection-Process-Guide/Service-Appendices/OSD-GIG-Waiver-Process
Additional Waivers documentation can be found within SNAP: https://snap.dod.mil/gcap/reference-docs.cfm

Question: When is a GIG Waiver required?

**Note** You must confirm your waiver requirement with your Service Representative Officer (SRO) prior to starting the waivers process. The below answers are not a final determination of whether you need a waiver or not. (A complete list of SRO's can be found in SNAP under Reference documents)

Answer: A GIG waiver is required if DISA cannot provide the service and when at least one of the following is true:

-The ISP connection is purchased with Appropriated Funds. Appropriated funds are government funds set aside for a specific use.
-The connection will store, process, or transmit any DoD data.

A GIG Waiver is NOT required if ALL of the following are true:

-The ISP connection is not purchased with appropriated funds.
-The connection will not store, process, or transmit any DoD data.
-The connection is physically and logically separated from the DISN.
**Even if a GIG Waiver is not required, the DAA must perform a risk assessment endorsed by the facility or installation on file if the connection is co-located on the same premise as a DoD network.

Question: When does the OSD GIG Waiver Panel meet?

Answer: The OSD GIG Waiver Panel meets on the third Wednesday of every month. If you are scheduled for the panel and the panel date is rescheduled, the CAO will inform you of the change.

Question: Must I attend in person to present my brief to OSD or can a phone bridge be made available for me?

Answer: You can attend in person or via phone. The OSD secretariat will establish a phone bridge for the meeting. The CAO will request that you inform them of the names of who will be presenting and a contact number for day of the meeting.

Question: I have an ISP connection co-located on the same premise as a DOD network, however, this connection is not paid for using appropriated funds and the connection is physically and logically separated from the DISN. Furthermore, it does not store, process, or transmit any DoD data. Does this require a waiver?

Answer: No, this does not require a waiver. However, the DAA must perform and have a risk assessment endorsed by the facility or installation command on file.

Question: What is a complete ISP Waiver package?

Answer: A complete package includes the following:
• Registration in SNAP
• Completed brief
• Accreditation (ATO, IATO, IATT, Scorecard, or Letter from Commander (Conceptual Stage Only))
• Independent verification of physical and logical separation from the DoD network may be required. (Must be signed by the Certifying Authority) - for Stand Alone only.
Scans
Question: I received results from a semiannual scan, but some of the recipients no longer work for/with my site. What do I need to do to get this changed?

Answer: If the POCs or site information for the CCSD change, please log on the SGS database at https://giap.disa.smil.mil/gcap/home.cfm and update the POC’s for the perspective CCSD.

Question: What do I need to do to prepare for the CTO Scans?

Answer: Review the posted monthly CTO scan schedule, available on SIPRNet at http://www.disa.smil.mil/connect/schedule and/or https://www.cybercom.smil.mil/j3/pages/IPsonarmappingschedule.aspx. If your site is listed for the upcoming month; ensure that the IP address listed in the CTO 07-09 is configured to “allow” in all Access Control Lists (ACLs), Host Based Security System (HBSS) and Intrusion Detection System (IDS).

Question: I received a failure on an Unannounced/Announced scan. What steps do I need to take now?

Answer: For unannounced scans, review your boundary protection systems to ensure they are locked down as much as possible. For Announced scans, review the CAT I findings and fix/mitigate them. Once these items have been addressed, you should contact the CAO Scan Team to schedule an AD HOC scan.