Ncf Cybersecurity Ia Handbook


  • 7/30/2019 Ncf Cybersecurity Ia Handbook


    COMMANDING OFFICER'S INFORMATION ASSURANCE HANDBOOK

    TABLE OF CONTENTS

    FOREWORD: COMMANDER, U.S. FLEET FORCES COMMAND LETTER

    REFERENCES: LIST OF PERTINENT REFERENCES

    CHAPTER 1: INFORMATION ASSURANCE OVERVIEW

    SECTION 1: INTRODUCTION
    SECTION 2: WHAT IS INFORMATION ASSURANCE
    SECTION 3: WHY INFORMATION ASSURANCE IS IMPORTANT
    SECTION 4: HOW DO WE BUILD A ROBUST IA PROGRAM

    CHAPTER 2: CSI PREPARATION GUIDE

    SECTION 1: COMMANDER'S GUIDANCE
    SECTION 2: INFORMATION ASSURANCE MANAGERS
    SECTION 3: SECURITY MANAGERS
    SECTION 4: SYSTEM ADMINISTRATORS

    LIST OF ENCLOSURES:

    ENCLOSURE (1) Information Security (INFOSEC) Checklist


    ENCLOSURE (11) System Administrator Checklist: As Required/After Configuration Changes
    ENCLOSURE (12) Cyber Zone Inspection Items
    ENCLOSURE (13) CO's Information Assurance Quick Look
    ENCLOSURE (14) Minimum Set of Periodic Reports
    ENCLOSURE (15) Example Report: Certification & Accreditation
    ENCLOSURE (16) Sample Report: Information Assurance Work Force Training
    ENCLOSURE (17) Sample Report: IAVM
    ENCLOSURE (18) Sample Report: Weekly IA Status
    ENCLOSURE (19) Sample Report: Antivirus
    ENCLOSURE (20) Sample Report: USB Scan
    ENCLOSURE (21) Sample Report: 8 O'Clock Report


    LIST OF PERTINENT REFERENCES

    (a) DoD Directive 8500.01E of 24 October 2002
    (b) DoD Instruction 8500.2 of 6 February 2003
    (c) OPNAVINST 5239.1C, Navy Information Assurance Program
    (d) SECNAV M-5239.1, DoN Information Assurance Program
    (e) SECNAV M-5239.2, DoN Information Assurance (IA) Workforce Management Manual
    (f) SECNAV M-5510.36, DoN Information Security Program Manual
    (g) NIST Special Publication 800-128, Configuration Management Guide for Information Systems
    (h) DoD Instruction 8510.01 of 28 November 2007
    (i) https://diacap.iaportal.navy.mil/ks/Pages/default.aspx
    (j) https://www.nde.navy.mil
    (k) https://iats.nmci.navy.mil
    (l) https://www.portal.navy.mil/netwarcom/navycanda
    (m) SPAWAR SCCVI User Guide
    (n) http://iase.disa.mil
    (o) https://iaportal.navy.mil
    (p) https://www.iaportal.fnmoc.navy.smil.mil
    (q) https://www.iava.navy.mil/ocrs
    (r) https://sailor.nmci.navy.mil
    (s) http://isea.spawar.navy.smil.mil
    (t) https://vms.disa.mil
    (u) https://vms.disa.smil.mil
    (v) https://infosec.navy.mil
    (w) https://www.cybercom.mil
    (x) https://www.cybercom.smil.mil
    (y) https://www.portal.navy.mil/netwarcom/CIO/policydirection/default.aspx


    (al) https://www.ncdoc.navy.mil
    (am) https://www.ncdoc.navy.smil.mil
    (an) https://www.portal.navy.mil/cyberfor/N47/N41/default.aspx
    (ao) https://www.portal.navy.mil/fcc-c10f/OCA


    CHAPTER 1

    INFORMATION ASSURANCE OVERVIEW

    SECTION 1 INTRODUCTION

    1. Introduction. Security for a ship begins at the brow. Topside watches and Officers of the Deck stand watch to ensure that the ship is secured and that unauthorized personnel do not get onboard. However, shipboard security does not stop there. Escorts provide extra security for non-cleared visitors below decks. Secure areas of the ship are protected by locks and alarm systems. Entry into those spaces is controlled by cognizant authorities, and visitor logs track who has been in the space. This concept of "Defense in Depth" applies equally to the ship's connection to Cyberspace. Enclave routers and firewalls stand guard at the network's perimeter to prevent unauthorized access from outside. Network security personnel, cyber policies and procedures, and automated systems such as the Host-Based Security System (HBSS) and proxy server logs all serve to monitor activity within the network's lifelines. The combination of personnel, procedures, and products provides the layered system defense required to ensure the availability, integrity, and confidentiality of the data we rely on to run our ships.

    a. Bottom line: Across the Federal Government, cyber security incidents have soared by over 600% in the last 5 years. At least 85% of cyber intrusions could have been prevented if the following four cyber security and IA practices were routinely and vigorously followed:


    (2) Commanding Officers are ultimately responsible for understanding and managing the cyber-readiness of their ships.

    2. Purpose. To establish Information Assurance (IA) techniques and procedures that utilize policies for people, processes, strategy, and technology for protecting Information Technology (IT) and information. The information in this handbook is designed to equip Commanding Officers and command personnel with the background knowledge and tools needed to effectively manage shipboard IA programs and:

    a. Establish guidance for successfully maintaining command-level IA-Readiness requirements.

    b. Provide a common reference of all Defense and tactical-level IA-related doctrine.

    c. Provide training and education guidance for command IA Workforce members.

    3. Scope. This document is intended to provide Commanding Officers with an overview of the fundamental issues regarding the management of our networks and, to a limited extent, with guidelines they can use in day-to-day efforts to ensure their networks can reliably support the ship's mission and resist adversaries in the virtual realm. Although designed as a CO's handbook, this information is relevant and applicable to baseline a level of understanding for all khaki leadership. Build cyber security awareness, actions, and oversight into command daily battle rhythm and in parallel


    CHAPTER 1

    INFORMATION ASSURANCE OVERVIEW

    SECTION 2 WHAT IS INFORMATION ASSURANCE (IA)?

    1. Information Assurance. In broad terms, IA is the practice of managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. The terms Information Security (INFOSEC), Computer Security (COMSEC), and Network Security (NETSEC) are often used interchangeably with IA. In actuality, each of these areas deals with a more specific portion of overall security within the cyber environment. Reference (a) defines IA as measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.

    2. INFOSEC. INFOSEC is defined as protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording, or destruction of the information. INFOSEC is concerned with the confidentiality, integrity, and availability of data regardless of format: electronic, print, etc. The ship can ensure INFOSEC through:

    a. Leadership involvement. Making INFOSEC a priority at all levels in the command. Examples: inculcating cyber security


    (3) Taking immediate action in the event of an incident or spillage to ensure the incident response is thorough, remediation/mitigation efforts are completed, and records are retained by the IA Manager (IAM)/IA Officer (IAO).

    3. Computer Security. Computer Security is the collective processes and mechanisms by which sensitive and valuable information and services are protected from publication, tampering, or compromise by unauthorized activities, or inside threats and unplanned events. Its objective includes the protection of information and property from theft, corruption, or natural loss due to disaster, while allowing the information and property to remain accessible, reliable, and responsive to its intended users. Unlike INFOSEC, Computer Security focuses primarily on ensuring the availability and correct operation of a computer system without concern for the actual information stored or processed by the computer.

    4. Network Security. Network Security includes provisions and policies adopted by the network administrator to monitor and prevent unauthorized access, misuse, modification, or denial of the computer network and network-accessible resources.

    5. Physical Security. Physical Security includes measures designed to deny unauthorized personnel (including attackers or even accidental intruders) physical access to a building, facility, resource, or stored information; and guidance on how to design structures to resist potentially hostile acts


    layered defense that ensures information is readily accessible where and when we need it. Figure 1 illustrates this "Defense in Depth" concept.


    CHAPTER 1

    INFORMATION ASSURANCE OVERVIEW

    SECTION 3 WHY IS INFORMATION ASSURANCE IMPORTANT?

    1. Background. In 1996, pursuant to a congressional request, the Government Accounting Office (GAO) reviewed the extent to which DoD computer systems experience attack. The GAO analyzed the potential for further damage to DoD computer systems and challenges in securing sensitive information on its computer systems.

    a. DoD relies on a complex information infrastructure to design weapons, identify and track enemy targets, pay soldiers, mobilize reservists, and manage supplies.

    b. Use of the Internet to enhance communication and information sharing has increased DoD exposure to attack, since the Internet provides unauthorized users a means to access unclassified DoD systems.

    c. While the DoD information available on the Internet is unclassified, it is sensitive and must be restricted.

    d. Only about 1 in 500 attacks is detected and reported, but the Defense Information Systems Agency (DISA) estimates that DoD is attacked about 250,000 times per year.

    e. Attackers have stolen, modified, and destroyed data and software, disabled protection systems to allow future


    implementation. For DoN specifically, references (c) through (f) promulgate Navy IA, IA Workforce (IAWF) Improvement, and INFOSEC policy. Numerous other instructions, directives, bulletins, and policy documents further define and codify the requirements for all Navy units to have a robust IA program.


    CHAPTER 1

    INFORMATION ASSURANCE OVERVIEW

    SECTION 4 HOW DO WE BUILD A ROBUST INFORMATION ASSURANCE PROGRAM?

    1. Facets of IA. As with any other shipboard program, multiple actions and persistent oversight must exist to establish a robust IA program. This chapter addresses four core areas of IA: Administration, Personnel, Training, Operations, and Monitoring and Assessment.

    2. IA Administration. One of the principal enablers of any successful program is meticulous record-keeping and adherence to published procedures. Myriad instructions, bulletins, technical documents, and other publications provide requirements and guidance for properly maintaining an IA program. For Commanding Officers, two key documents are reference (c), OPNAVINST 5239.1C, and reference (d), SECNAV M-5239.1. These documents provide a concise overview of the DoN's implementation of DoD IA requirements. Additionally, reference (c), paragraph 8.k, outlines the duties of Commanding Officers with regard to IA.

    3. Command Security Instruction. Reference (f), exhibit 2A, requires all commands to publish a command security instruction and provides specific guidelines for development.

    4. IA Documentation. The key to a robust IA program is maintaining accurate documentation of command information systems. A well-organized, well-maintained command IA binder will help ensure command cyber systems are being maintained in


    exists as the definitive document required in obtaining and/or renewing an Authority to Operate (ATO) for the network.

    (1) ATO. The ATO is a document provided by the DoN DAA and Systems Command Program Manager that grants specific permissions to connect and operate a given information system based on a satisfactory DoD IA Certification and Accreditation Process (DIACAP) score. Once granted, an ATO is valid for a maximum period of 3 years.

    (2) IATO. An IATO is a temporary ATO that allows a command to operate while simultaneously resolving known vulnerabilities. Once granted, an IATO is valid for a maximum period of 6 months.

    (3) Knowing in advance that an ATO/IATO renewal is due, IAMs must be proactive in submitting the required documentation to maintain network operations. A good rule of thumb is that requests for ATO/IATO renewal should be submitted at least 6 months prior to the expiration of the existing ATO/IATO. Meticulous record keeping of existing ATO/IATOs and approved system configuration changes makes the process of recertification significantly easier. See references (h) and (i) for more details on the C&A process. See references (j) through (l) for more details on obtaining ATO/IATOs.

    c. IA Vulnerability Management (IAVM). Navy Cyber Defense Operations Command (NCDOC) constantly reviews Navy cyber systems for new or existing security vulnerabilities. When a new vulnerability is discovered, NCDOC will issue an IA


    (4) Reference (n) for Retina Engine Updates/Downloads.

    (5) Reference (o) for DoN IAVA Patch reporting, Non-Secure Internet Protocol Router Network (NIPRNET).

    (6) Reference (p) for DoN IAVA Patch reporting, Secret Internet Protocol Router Network (SIPRNET).

    (7) Reference (r) for CTO/IAVA Patch Compliance Reporting.

    (8) Reference (s) for SPAWAR Patch repository, NIPRNET.

    (9) Reference (t) for SPAWAR Patch repository, SIPRNET.

    (10) Reference (u) for DoD/DISA Patch/Plan of Action and Milestones (POA&M) reporting, NIPRNET.

    (11) Reference (u) for DoD/DISA Patch/POA&M reporting, SIPRNET.

    d. Navy Telecommunications Directives (NTDs)/CTOs/Patches/Fleet Advisory Messages (FAMs). NTDs generally address larger policy or overall operational aspects of cyber operations. CTOs issue specific tasking with regard to such things as setting Information Operations Condition (INFOCON) levels or establishing new information security procedures. How the system is patched depends on whether it is a program of record (PoR) or not. For PoRs, it is a six-step process:


    (6) DoN command applies the patch to the system. For non-PoRs, the command downloads the patch directly from the vendor when directed via broadcast message by NCDOC. Most systems in the Fleet are PoR. The following references provide further guidance on Tactical Directives (TD):

    (a) References (q) and (v) for Navy CTOs.

    (b) References (w) and (x) for DoD CTOs.

    (c) Reference (r) for SPAWAR FAMs.

    (d) Reference (y) for NTDs.

    e. Command IA Plan. Each command is responsible for publishing a command-level IA plan. The IAM develops the plan based on doctrine and has overall responsibility for implementing it once it is signed by the Commanding Officer. The IA Plan should include guidance and reporting for:

    (1) Incident Handling and Response.

    (2) IAVM (Antivirus, IAVA, Universal Serial Bus (USB) Detect).

    (3) Information Assurance Workforce (IAWF) (Training and Certification).

    (4) Tactical Directives (CTO/NTD/FAM/FRAGO).


    f. System Access Authorization Requests (SAARs). Each user of a DoD information system must complete a SAAR for each system he or she will use. Included in the SAAR is the security classification level of the system and the clearance level of the individual. SAARs also contain the user agreement for proper use of government information systems and provide guidelines for appropriate use. In the approval process, the SAAR is accompanied by a copy of the individual user's certification of completion of the annual IA refresher training requirement. Completed SAARs and IA training certificates should be maintained by the IAM for all users assigned to the command and for all visitors to whom system access has been granted. See reference (z) for further guidance.

    5. IA Personnel. IA Personnel are key individuals within the IAWF who manage the day-to-day operations of a command-level IA program:

    a. The Deployed Designated Approving Authority (DDAA). Reference (c), paragraph 8.k, assigns responsibility to Commanding Officers, Commanders, Officers-in-Charge, and Directors in their role as local IA authorities. It states that, in coordination with the Office of Designated Approving Authority (ODAA), when the unit is deployed, they serve as the DDAA.

    b. Commanding Officers, Commanders, Officers-in-Charge, and Directors (acting as DDAA) must ensure information systems are compliant with DoD IA requirements per references (a), (y), and (aa) and Defense Information Systems Network (DISN) policy and


    products lists or to authorize connection of an information system that had not been accredited by the DoN ODAA.

    d. If a Commanding Officer of a deployed unit does exercise the DDAA authority, the Commanding Officer must inform FLTCYBERCOM as soon as operationally feasible of the authorized deviation per Navy Telecommunications Directive (NTD) 07-09. DDAA training may be found in reference (ab).

    e. The Command Security Manager (CSM) is responsible to the Command Security Officer for running the command's traditional security program. The CSM works closely with the IA Manager (IAM)/IA Officer (IAO) to ensure that Information Systems Security Management (ISSM) is established and maintained.

    f. The IAM is designated in writing by the DDAA and is responsible for the overall operation and management of the command's/ship's IA program. The IAM should be Navy Enlisted Classification (NEC) 2779 qualified, a U.S. citizen designated by the Commanding Officer/DDAA, and assume responsibilities per reference (b), section 5.9, and reference (e). Specific duties of the IAM include:

    (1) Act as primary IA technical advisor to the Commanding Officer.

    (2) Maintain IA oversight of the ship's networks and changes that may affect IA posture.

    (3) Develop and maintain the command IA program to


    (8) Provide IA and network security training for all users.

    (9) Ensure all personnel with privileged systems access (system administrators) have all required training and are designated in writing.

    (10) Ensure all command networks are certified, accredited, and have a valid ATO, or Platform Information Technology (PIT) Risk Assessment (PRA) for designated PIT systems, and that they are maintained according to their IA C&A documentation.

    (11) Maintain accurate configuration and compliance records for all networks.

    (12) Observe shipboard information processing practices and ensure the Commanding Officer and command leadership are aware of the command's IA climate.

    g. The IAO works directly for the IAM and is focused primarily on INFOSEC. Each IAO, in addition to satisfying all responsibilities of an Authorized User, shall assist the IAM in accordance with reference (b), section 5.10, and reference (e), section 1.8.6, to include:

    (1) Ensure that all users have the requisite security clearances and supervisory need-to-know authorization, and are aware of their IA responsibilities before being granted access to the DoD information system


    (6) Implement and enforce all DoD information system IA policies and procedures.

    h. The CSM and IAO must be designated in writing by the Commanding Officer/DDAA.

    6. IA Training. A command's IA program is only as good as the people who manage it. Ensuring that both operators and managers have the proper training is therefore critical to the ship's INFOSEC posture.

    7. IAWF Improvement Program (IA WIP). Reference (af) specifies that all personnel who work on DoD information systems must be trained and certified at various levels commensurate with the level of their network privileges; reference (e) provides specific Navy guidance. The DoN's NEC 2790 and 2791, and the IA PQS levels 300 through 304, provide the training and certification for DoN personnel to comply with the DoD requirements. Reference (ag) provides CYBERFOR IAWF guidance for implementing a command-level program and details on obtaining IAWF certifications. The command IAM is responsible for managing the command's IA WIP. The IAM is directly responsible to the DDAA to ensure:

    a. IAWF personnel are properly appointed in writing.

    b. IAWF personnel are identified, and training progress tracked, in the Total Workforce Management System (TWMS).

    c. IAWF personnel obtain certification requirements for


    and report any perceived problems or inconsistencies in system operations. Continued discussion and reemphasizing of IA training at all levels will help ensure users do not become complacent. In addition, systems administrators (SA) perform a range of other tasks to ensure the command's/ship's networks are being properly maintained. SAs should use a daily checklist similar to enclosure (6) to ensure that the ship's information systems are maintained in an optimum state of readiness and security.

    a. IAVM Scanning. SAs are required to conduct monthly Secure Configuration Compliance Validation Initiative (SCCVI) scans to identify security vulnerabilities. The results of these scans must be uploaded to the DoN's Vulnerability Remediation Asset Management (VRAM) database. See reference (m) and CTO 08-05 and 11-16a for further guidance.

    b. IAVM Patching. IAVM patches are released by the PoR Program Office to resolve security vulnerabilities. VRAM results provide SAs with a list of approved patches to apply to hosts; as such, SAs are required to maintain 100% patch accountability (i.e., patch applied successfully or reported as a false-positive) for all patches older than 30 days. Once patches are successfully applied to all hosts, additional scans should be conducted to ensure that all patches were successfully applied. Any patches that do not install properly should be reported to the system PM office via trouble-ticket. See references (r) and (s) to submit web-based trouble-tickets for PoR systems.
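
    The 30-day accountability rule in paragraph b, applied to post-patch rescan results, as an added example that is not part of the handbook or of any Navy tool. The record layout, status names, host names, and patch identifiers are assumptions constructed for illustration; they are not the VRAM or SCCVI format.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: statuses and field names are invented for this example;
# they are not the VRAM or SCCVI export format.
ACCOUNTED = {"applied", "false_positive"}
UNACCOUNTED = {"failed", "missing"}
GRACE = timedelta(days=30)


@dataclass(frozen=True)
class PatchRecord:
    host: str
    patch_id: str      # placeholder identifiers, not real IAVA numbers
    released: date
    status: str        # applied | false_positive | failed | missing


def accountability(records, as_of):
    """Apply the handbook's rule to post-patch rescan results.

    Only patches released more than 30 days before `as_of` are in scope.
    A record is accounted for when the patch was applied successfully or
    was reported as a false positive.
    """
    in_scope = [r for r in records if as_of - r.released > GRACE]
    unknown = sorted({r.status for r in in_scope} - ACCOUNTED - UNACCOUNTED)
    if unknown:
        # Refuse to guess: an unrecognised status must not count as accounted.
        raise ValueError(f"unrecognised status values: {unknown}")
    open_items = [r for r in in_scope if r.status not in ACCOUNTED]
    # Patches that did not install properly go to the system PM office.
    tickets = [r for r in open_items if r.status == "failed"]
    done = len(in_scope) - len(open_items)
    # With nothing in scope there is nothing outstanding, so report 100%.
    percent = 100.0 if not in_scope else round(100.0 * done / len(in_scope), 1)
    return {
        "in_scope": len(in_scope),
        "percent": percent,
        "compliant": not open_items,
        "open": [(r.host, r.patch_id, r.status) for r in open_items],
        "trouble_tickets": [(r.host, r.patch_id) for r in tickets],
    }


# Constructed sample data for a rescan dated 2024-03-31.
AS_OF = date(2024, 3, 31)
SAMPLE = [
    PatchRecord("ws-01", "PATCH-A", date(2024, 1, 16), "applied"),
    PatchRecord("ws-02", "PATCH-A", date(2024, 1, 16), "failed"),
    PatchRecord("srv-01", "PATCH-A", date(2024, 1, 16), "false_positive"),
    PatchRecord("ws-01", "PATCH-B", date(2024, 2, 13), "missing"),
    PatchRecord("ws-01", "PATCH-C", date(2024, 3, 12), "missing"),  # 19 days old
    PatchRecord("srv-01", "PATCH-D", date(2024, 3, 1), "failed"),   # exactly 30 days
]

if __name__ == "__main__":
    report = accountability(SAMPLE, AS_OF)
    print(f"{report['percent']}% of {report['in_scope']} in-scope patches accounted for")
    for host, patch, status in report["open"]:
        print(f"  OPEN   {host} {patch} ({status})")
    for host, patch in report["trouble_tickets"]:
        print(f"  TICKET {host} {patch}")
```

    Anything below 100% on the in-scope set is a finding; the records that are exactly 30 days old or newer are left out of the percentage but will enter scope on the next run.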

    c. Fleet Advisory Messages (FAMs). FAMs are disseminated


    supervision of the IAM or IAO. When questionable USB activity is discovered, SAs must take follow-on action to identify and locate the device used and determine if incident handling and/or reporting to NCDOC is required. The Command IA Policy and account user forms should clearly state permitted and prohibited USB use and provide appropriate enforcement authority to IAWF Personnel. As with SCCVI scans, common problems with USB scan results include:

    (1) Improper administrative configuration.

    (2) Connectivity issues.

    (3) Registry keys are not routinely reset when a USB event is detected.

    f. Security Technical Implementation Guides (STIG). DISA publishes STIGs for common network configuration and security requirements that specify how components should be configured to minimize the risk of vulnerability exploitation on the affected network. SAs should complete/verify all STIGs that apply to their information systems components on a semi-annual basis. Note that some STIGs require component modifications that are beyond ship's force capability; however, it is still incumbent upon the ship to recognize STIG non-compliance and defer these changes to the Inservice Engineering Activity (ISEA) for appropriate action. See reference (ah) for a comprehensive list of DISA STIGs.

    g. Antivirus Definitions. Just like system patches


    accounts for new users. When a user leaves the command, SAs should disable the user account, maintain the account inactive for a period of 1 year, and then permanently delete the account. The 1-year period ensures that an account can be reactivated for investigational purposes. As they create accounts, SAs must ensure they are providing only the level of access required by the user to perform his/her job. Additionally, any access above Authorized User requires IAM approval. See references (b), (e), (z), (aa), and (af) for guidance on user account management.

    i. Password Management. Another area of large impact is password management. Current network configurations require passwords to be complex and changed periodically per the latest Information Operations Condition (INFOCON) message found at references (al) and (am). IAM/IAO/SAs shall conduct periodic account audits to ensure that there are no default/group usernames and passwords being used by personnel. Default/Group accounts (excluding group email accounts) generated by ship's force shall be disabled immediately.

    j. Remote Account (Password) Management. SYSCOMs, Fleet Systems Engineers, and other outside activities often maintain default usernames and passwords on systems for easy remote access when required for troubleshooting, maintenance, and monitoring. However, doing so poses a critical vulnerability to the ship's systems; therefore, IAMs shall maintain a strict password renewal and storage policy to ensure that remote access to shipboard systems is properly controlled. This includes periodic remote access password changes and proper storage for centralized dissemination by IAM/IAO to outside entities only


    are successful, testing the backup with periodic restorations is crucial to ensure the data is preserved. PoR System Technical Manuals can be found at references (r) and (s). The latest INFOCON message may be found at references (al) and (am).

    10. IA Monitoring & Assessment. Reference (ac) directs that all DoN IA programs must be periodically evaluated for effectiveness. Evaluation must take place at all levels, from the duty SA to the applicable DoN oversight agency, to ensure DoN information systems continue to adapt to an ever-changing threat environment. The adages "You get what you inspect, not what you expect" and "Trust but verify" are nowhere more true than in the realm of IA. Commands with the best IA assessment and monitoring programs are those best equipped to operate and defend in the cyber domain.

    a. IA Quick Look. Enclosure (13) provides 10 questions Commanding Officers should ask to get a quick overview of cyber readiness for their ship. The Quick Look touches on all areas of IA and can justify the implementation by management of more exhaustive processes necessary for maintaining the ship's cyber readiness posture.

    b. Periodic Reports. DoN IA regulations require specific periodic reports for IAVA compliance and USB scan results. Commands must develop their own IA readiness reports to ensure that command leadership is continuously aware of the IA posture of their systems. Enclosure (14) lists a minimum set of reports for Commanding Officers to review periodically to get a sense of the overall cyber-health of their command


    e. Blue Team Visits. Navy Information Operations Command (NIOC) provides personnel trained in computer network threat assessments and vulnerability analysis to visit commands and provide an analysis of their network's cyber-readiness condition. Because they are trusted agents, the Blue Team has access to ethical hacker tools that provide a significantly more detailed report of network status than those authorized for use by ship's force. Blue Team visits should be requested via official broadcast message to FLTCYBERCOM to help ensure that the command's IA program remains on track.

    f. Cyber Security Inspection and Certification Program (CSICP). The CSICP is the DoN's process of formally inspecting shipboard IA posture based on DoD, DoN, DISA, and National Institute of Standards and Technology (NIST) standards. The shipboard Cyber Security Inspection (CSI) follows the same format and guidelines as the Command Cyber Readiness Inspection (CCRI) that DISA performs for shore commands. The CSI should be integrated into the ship's Fleet Readiness Training Plan (FRTP) and is required as part of renewing the ship's network ATOs. Notification of the CSI schedule for a ship normally occurs 120 days prior to the actual inspection. If the ship has a robust and vital IA program, preparation for the CSI should cause minimal impact. Notification of the CSI schedule occurs when the schedule message is released, notionally 5-6 months prior to the inspection. FLTCYBERCOM OCA will contact the ship 90 days prior to the inspection to begin coordination. Blue Teams and CYBERFOR assistance teams will help to ensure readiness and can fairly accurately predict CSI performance. Outside assistance aside, the very best preparation for the CSI is daily vigilance


    Commanders. This assessment will include a review of Stage I, plus an additional in-depth assessment of network security, physical security and all five IA Facets: Administration, Training, Personnel, Operations, and Monitoring and Assessment. For afloat commands, any similar assessments conducted as part of FRTP will be incorporated into Stage II to eliminate redundancy. Upon successful completion of Stage II, a command is determined ready to progress to Stage III, a comprehensive inspection to be scheduled and conducted within the following 12-month period.

    (a) Pre-CSI Training and Assist Visits. CYBERFOR's Pre-CSI Training and Assist Team, CYBERFOR N41, provides IA program training and assistance as a subset of a ship's CSICP Stage II.

    (b) These visits are valuable for identifying shipboard IA program deficiencies for ship's force action prior to a Stage III inspection.

    (c) Stage III: Cyber Security Inspection. This is a nominal 5-day comprehensive graded inspection involving all cyber security areas; specifically, leadership engagement, physical security, administration, training, network configuration, and network operations. This inspection will be scheduled and conducted by FLTCYBERCOM inspection teams and is structured to replace the DISA CCRI. As CSICP matures, several Stage III inspection teams will be assigned to select Echelon II Commanders to conduct inspections on behalf of FLTCYBERCOM using the same established process. Stage III inspections will result


    CHAPTER 2

    CSI PREPARATION GUIDES

    SECTION 1

    COMMANDERS GUIDANCE

    1. Summary. You are highly encouraged to conduct a self-assessment of information systems, within your area of authority, in preparation for the scheduled FLTCYBERCOM-directed Cyber Security Inspection (CSI). The completion of a self-assessment utilizing the checklists, tools, and processes referenced in this document will also meet the requirements for CC/S/A self-conducted compliance assessments listed in CJCSI 6211.02C and in the Joint Common IA Assessment Methodology (JCIAAM).

    2. CSI Background. A CSI is a methodology that expands upon the original NIPRNET and SIPRNET Compliance Validations as mandated in the CJCSI 6211.02C. The CSI program inspects network security compliance with DoD IA policies, NIST configuration management requirements, and DoD 8570.01-M IA WIP requirements.

    3. Requirements. Ensure that a comprehensive self-assessment meets all of the criteria that will be evaluated during a formal CSI. The self-assessment will reveal areas which require corrective action and remediation that can be accomplished by ship's force, as well as any program of record or physical security shortfalls that require external assistance to address and correct. Documentation of these shortfalls (via casualty reports (CASREPs) or other formal message traffic) is


    c. Network Configuration.

    d. Network Operations and Behavior.

    5. Checklist. An affirmative response and understanding of the questions below will prepare you for a successful CSI.

    a. Program Administration

    (1) Do we have appointment letters for our network security team (IAM, IAOs, etc)?

    (2) Have we verified that Privileged Access Users have

    signed Information System Privileged Access Agreement Letters on

    file?

    (3) Have all personnel completed the mandatory annual Information Assurance training by the required due date? If not, what is the plan for getting us there?

    (4) Have all command personnel received OPSEC training

    and when was it completed?

    (5) Do we have signed Memorandums of Agreement or

    Understanding with all tenant commands connected to our network,

    if applicable?

    (6) Are our tenant commands also in compliance with DoD

    and DoN standards if applicable?


    (4) Is a program established to ensure safes, vaults, and secure rooms are properly managed? Ensure only GSA approved security containers are being used; ensure combinations are changed as required; ensure all forms, Standard Form (SF) 700 and SF-702, are properly completed; ensure repairs are conducted correctly.

    (5) Are individuals granted access to classified materials notified of applicable handling instructions? This may be accomplished by a briefing, written instructions, or by applying specific handling requirements to an approved cover sheet.

    (6) Are security checks being performed at the close of each working day to ensure all areas are secure? SF 701, "Activity Security Checklist," shall be used to record such checks. An integral part of the security check system shall be the securing of all vaults, secure rooms, and containers used for the storage of classified material; SF 702, "Security Container Check Sheet," shall be used to record such actions. In addition, SF 701 and 702 shall be annotated to reflect after-hours, weekend, and holiday activity.

    (7) Do all vaults and secure rooms meet all requirements

    of DoD 5200.1R Appendix 7?

    (8) Do we have approval or waiver letters for Open

    Secret Storage in spaces where classified information is

    processed or where a PDS may not be in place?


    (4) Are the proper ports opened on our network per COMNAVNETWARCOM CTO 08-08, IP SONAR Mapping of Classified Networks?

    (5) What vulnerabilities were identified that we were unable to patch or mitigate?

    d. Network Operations and Behavior

    (1) On what date was the last monthly scan conducted

    using RETINA? Are we sure we are scanning with the most recent

    scan engine? Are all scans conducted using the proper accesses?

    (2) Are we reviewing VRAM scan results on a monthly

    basis? Who validates that noted vulnerabilities have been

    corrected? Is this a formalized, documented process?

    (3) Has a POA&M been entered into VMS for all

    uncorrected vulnerabilities?

    (4) Have we informed the DAA/DDAA about our uncorrected

    vulnerabilities?

    (5) Have the latest anti-virus updates been downloaded and installed to all systems onboard the ship?

    (6) Have any new USB devices been detected on the

    networks? Where?

    (7) Are there any CND incidents currently open with

    either NCDOC or the CNOC? If so what is the status and


    (3) Do we have a mitigation plan in place for those

    findings that cannot be immediately corrected?

    (4) Is our ISIC aware of the inspection results?

    f. Points of Contact

    (1) OPERATIONAL: Who are our points of contact at

    FLTCYBERCOM?

    (2) READINESS: Who are our points of contact at Navy Cyber Forces (C5I TYCOM)?

    (3) When was the last time we communicated with them?


    CHAPTER 2

    CSI PREPARATION GUIDES

    SECTION 2

    INFORMATION ASSURANCE MANAGERS GUIDANCE

    1. Summary. A best practice is to conduct a self-assessment of information systems, within your area of authority, in preparation for the scheduled FLTCYBERCOM-directed Cyber Security Inspection (CSI). The completion of a self-assessment utilizing the checklists, tools, and processes referenced in this document will also satisfy the requirements for CC/S/A self-conducted compliance assessments listed in CJCSI 6211.02C and in the Joint Common IA Assessment Methodology (JCIAAM).

    2. CSI Background. A CSI is a methodology that expands upon the original NIPRNET and SIPRNET Compliance Validations as mandated in the CJCSI 6211.02C. The CSI program inspects network security compliance with DoD IA policies and configuration requirements, the health of the network from a security viewpoint, and DoD 8570.01-M Information Assurance Workforce Improvement Program requirements.

    3. Requirements. A thorough self-assessment must be aligned with the formal CSI components and criteria.

    4. Requirements. The CSI components are listed below for your reference with URLs to the specific checklists and tools utilized during the CSI.

    a Latest STIGs: http://iase disa mil/stigs/stig


    (7) Domain Name System (DNS) Operating Systems

    Windows.

    (8) Microsoft Windows STIG.

    (9) Microsoft Windows 2003 Checklist.

    (10) Microsoft Windows 2000 Checklist.

    c. Gold Disk [DISA]: https://patches.csd.disa.mil (CAC

    login required).

    d. Domain Name System (DNS) Operating Systems UNIX

    (1) UNIX Operating System STIG.

    (2) UNIX Operating System Checklist.

    (3) SRR Scripts: http://iase.disa.mil/stigs/SRR/unix.html.

    e. Internal Vulnerability Scans

    (1) DoD Enterprise SCCVI Tool Currently: eEye Retina

    IAVM https://powhatan.iiie.disa.mil/tools/sccvi/updates (CAC

    login required).

    (2) Configuration Requirements/Checklist

    https://powhatan.iiie.disa.mil/tools/sccvi/documentation/checkli

    st for successfully running eeye retina pdf


    (5) Motorola Good Mobile MWES Security Checklist.

    (6) Apriva Sensa Secure WES Security Checklist.

    g. Enclave Review

    (1) Enclave STIGs.

    (2) Enclave Checklist

    https://powhatan.iiie.disa.mil/stigs/enclave-policy.

    h. Host Based Security System (HBSS) Review

    (1) DoD IA Enterprise Solutions STIGs

    https://powhatan.iiie.disa.mil/stigs/app-sec-guides.

    (2) HBSS Checklist

    https://powhatan.iiie.disa.mil/stigs/app-sec-guides.

    i. INFOSEC/PERSEC/PHYSEC Security tools:

    (1) SECNAV M-5510.36 Exhibit 2A, Command Security

    Instruction Requirements.

    (2) SECNAV M-5510.36 Exhibit 2C, INFOSEC Checklist.

    (3) SECNAV M-5510.30 Exhibit 10A, PERSEC Checklist.

    j. Cross Domain Solutions


    (2) REL LAN Security Checklist:

    https://powhatan.iiie.disa.mil/stigs/net-sec-guides/rel-lan-checklst-1-25-07.pdf.

    l. IAM/Security Officer Review

    (1) Latest checklists are located at

    http://iase.disa.mil/stigs/checklist/index.html.

    (2) Tenant Command MOUs/MOAs

    (3) Latest DISA Enhanced Compliance Validation (ECV)/Command Cyber Readiness Inspection (CCRI) or FLTCYBERCOM Cyber Readiness Inspection (CRI) results.

    (4) IG inspection (IA and security areas).

    (5) Signed designation letters for IAWF Members.

    (6) Foreign Nationals Administration.

    m. Firewalls and Routers

    (1) The latest version of procedures, checklists, STIGS

    and scripts may be obtained from http://iase.disa.mil or

    https://iase.disa.smil.mil.

    (2) Sailor 2.1 NIPR: https://sailor.nmci.navy.mil,

    Sailor 2.1 SIPR: http://sailor.nmci.navy.smil.mil.


    (3) Adequate VMS training:

    (a) For classroom training, contact

    [email protected].

    (b) Web based CBT: https://vmscbt.disa.mil/.

    o. Technical Support Contact Information

    (1) DISA Operational Support - VMS Helpdesk: (405) 739-5600 (option #3), DSN 339.

    (2) [email protected].


    CHAPTER 2

    CSI PREPARATION GUIDES

    SECTION 3

    SECURITY MANAGERS GUIDANCE

    1. Summary. Action Officers are also highly encouraged to conduct a self-assessment of information systems, for areas within their respective area of responsibility. The completion of a self-assessment utilizing the checklists, tools, and processes referenced in this document will also meet the requirements for CC/S/A self-conducted compliance assessments listed in CJCSI 6211.02C and in the Joint Common IA Assessment Methodology (JCIAAM).

    2. CSI Background. A CSI is a methodology that expands upon the original NIPRNET and SIPRNET Compliance Validations as mandated in the CJCSI 6211.02C. The CSI program inspects network security compliance with DoD IA policies and configuration requirements, the health of the network from a security viewpoint, and DoD 8570.01-M IAWP requirements.

    3. Requirements. Your self-assessment must be based on the CSI criteria to ensure a comprehensive review of network security posture. Additionally, findings should be loaded into the DoD VMS to document significant vulnerabilities and address corrective actions prior to the CSI. References to the specific checklists and tools utilized during the CSI are provided below.

    a General guidance may be found in these reference and on


    (1) Traditional Basic Checklist.

    (2) Traditional DISA Checklist.

    (3) Traditional Common CV Checklist.

    (4) Traditional SCV.

    c. INFOSEC/PERSEC/PHYSEC review areas:

    (1) Building Floor Plans (Identify areas that

    process/store classified information).

    (2) PDS Drawings if installed and certification letter.

    (3) Intrusion Detection System Information (drawings if

    available).

    (4) Access Controls.

    (5) Emergency Action Plan.

    (6) Key and Lock Program.

    (7) Anti-Terrorism Plan.

    (8) Visitor security procedures.

    (9) Procedures for end-of-work-day security checks


    e. The following industrial security (INFOSEC/PERSEC) areas

    will also be reviewed:

    (1) Appointment Letters.

    (2) Personnel Security Files (Military and Civilian).

    (3) Contractor Security Files and all applicable DD

    254s.

    (4) SAERS/LOIs/LONs.

    (5) Civilian Position Designations.

    (6) Copies of completed self-inspections.

    (7) Courier Card/Letter Program.

    (8) Periodic Reinvestigations.

    (9) Foreign Nationals Program.


    CHAPTER 2

    CSI PREPARATION GUIDES

    SECTION 4

    SYSTEM ADMINISTRATORS GUIDANCE

    1. Summary. You are highly encouraged to conduct a self-assessment of your assigned shipboard information systems in preparation for the scheduled FLTCYBERCOM-directed Cyber Security Inspection (CSI). The completion of a self-assessment utilizing the checklists, tools, and processes referenced in this document will also meet the requirements for CC/S/A self-conducted compliance assessments listed in CJCSI 6211.02C and in the Joint Common IA Assessment Methodology (JCIAAM).

    2. CSI Background. A CSI is a methodology that expands upon the original NIPRNET and SIPRNET Compliance Validations as mandated in the CJCSI 6211.02C. The CSI program inspects network security compliance with DoD IA policies and configuration requirements, the health of the network from a security viewpoint, and DoD 8570.01-M Information Assurance Workforce Improvement Program requirements.

    3. Requirements. Your self-assessment must be aligned with the CSI components as listed below, and all results should be loaded into the DoD Vulnerability Management System (VMS). This effort will allow you to address significant vulnerabilities prior to the CSI while creating a one-to-one relationship between the results of both your assessment and the CSI. The CSI components are listed below for your reference with URLs to the specific checklists and tools utilized during the CSI


    (7) Domain Name System (DNS) Operating Systems - Windows

    (8) Microsoft Windows STIG.

    (9) Microsoft Windows 2003 Checklist.

    (10) Microsoft Windows 2000 Checklist.

    c. GOLD DISK [DISA]: https://patches.csd.disa.mil/ (CAC

    login required).

    d. Domain Name System (DNS) Operating Systems UNIX

    (1) UNIX Operating System STIG.

    (2) UNIX Operating System Checklist.

    (3) SRR Scripts: http://iase.disa.mil/stigs/SRR/unix.html.

    e. Internal Vulnerability Scans

    (1) DoD Enterprise Secure Configuration Compliance

    Validation Initiative (SCCVI) Tool Currently: eEye Retina IAVM

    https://powhatan.iiie.disa.mil/tools/sccvi/updates/ (CAC login

    required).

    (2) Configuration Requirements/Checklist

    https://powhatan iiie disa mil/tools/sccvi/documentation/checkli


    (5) Motorola Good Mobile MWES Security Checklist.

    (6) Apriva Sensa Secure WES Security Checklist.

    g. Enclave Review

    (1) Enclave STIG.

    (2) Enclave Checklist:

    https://powhatan.iiie.disa.mil/stigs/enclave-policy/.

    h. Host Based Security System (HBSS) Review

    (1) DoD IA Enterprise Solutions STIG:

    https://powhatan.iiie.disa.mil/stigs/app-sec-guides/.

    (2) HBSS Checklist:

    https://powhatan.iiie.disa.mil/stigs/app-sec-guides/.

    i. Traditional Security

    (1) SECNAV M-5510.36 Exhibit 2C, INFOSEC Checklist.

    (2) SECNAV M-5510.30 Exhibit 10A, PERSEC Checklist.

    j. Cross Domain Solutions

    (1) JVAP Admin Checklist.

    https://powhatan iiie disa mil/stigs/net-sec-guides/sabi/


    l. IAM/Security Officer Review

    (1) Latest checklist located at:

    http://iase.disa.mil/stigs/checklist/index.html.

    (2) Tenant Command MOUs/MOAs

    (3) Latest DISA Enhanced Compliance Validation (ECV)/Command Cyber Readiness Inspection (CCRI) or FLTCYBERCOM Cyber Security Inspection (CSI) results. IG inspection (IA and security areas).

    (4) Signed designation letters for IA Staff.

    (5) Foreign Nationals presence.

    m. Firewall and Routers

    (1) The latest version of procedures, checklists, STIGS

    and scripts may be obtained from http://iase.disa.mil or

    https://iase.disa.smil.mil.

    (2) If your site has Windows NT servers/workstations,

    please provide the POA&M indicating the plan for removal of

    these assets from your network.

    (3) IA Workforce Checklist: SECNAV M-5239.2, May 2009

    Appendix H-IA Workforce Management Review Checklist.


    Information Security Checklist

    Date:

    Yes No

    1. Is the Information Assurance Manager (IAM)

    appointed in writing? [Command IA Policy] __ __

    2. Is the Information Assurance Officer (IAO)

    appointed in writing? [Command IA Policy] __ __

    3. Do the ship's Secret Material Transfer Agents

    follow the procedures from the ship's policy to

    transfer classified data to removable media?

    [CTO 10-25] __ __

    4. Is the ship's list of RMR authorized Secret

    Material Transfer Agents (SMTA) up to date?

    [CTO 10-25] __ __

    5. Is the ship's list of RMR authorized Subject

    Matter Experts (SME) up to date?

    [Command Security Policy] __ __

    6. Do the ship's SMEs and SMTAs follow the

    procedures from the ship's policy to

    transfer data between networks of different

    classification? [CTO 10-25] __ __

    7 Does the ship have an Incident Handling Policy


    Information Security Checklist cont

    Date:

    Yes No

    11. Has the ship completed an annual security

    self inspection and corrected the discrepancies

    (if noted) from the previous self inspection?

    [SECNAVINST M5510.36 & DoD 5200.1-R] __ __

    12. Has the ship completed the annual inventory

    of all classified and unclassified ADP equipment?

    [Command Security Policy] __ __

    13. Does the System Administrator maintain a

    record of System Authorization Access Request

    (SAAR) forms for the ship's company and

    privileged users? [SECNAV INST 5239.14 (Series)] __ __

    14. Are backups installed in accordance with

    the ship's Backup and Recovery policy?

    [COMPOSE Backup and Recovery Instructions] __ __

    15. Does the ship maintain a list of approved

    removable stowage devices?

    [CTO 08-08 and DISA STIG STO-ALL-030] __ __

    16 Spot check at least two files on both the


    Network Security Checklist

    DATE: ___

    Yes No

    1. Is the ship's IAVM Compliance greater than or

    equal to 90%? __ __

    2. Does the antivirus signature file age exceed

    7 days? __ __

    3. Is the antivirus software scheduled to scan

    at least weekly? __ __

    4. Is the ship in accordance with current INFOCON

    requirements? [ALCOM 179-08] __ __

    5. Do passwords meet minimum complexity and password

    age requirements? [ALCOM 179-08] __ __

    6. Are default passwords on all network components

    (i.e. servers, switches, workstations) changed

    from manufacturer passwords? [DISA STIG NET0240] __ __

    7. When logging onto the SIPRNET and NIPRNET does

    a DoD login banner appear? [CTO 08-008A] __ __

    8. Review the last weekly USB Detect scan log. Are

    anomalies investigated promptly and remedied?


    Network Security Checklist cont

    DATE: ___

    Yes No

    13. Does the HBSS HIPS User Interface Admin password

    meet password complexity requirements?

    [DISA STIG H36160] __ __

    14. Is the HBSS ePO component in the enforcement

    mode? [DISA STIG H35500] __ __

    Commanding Officer:

    Information Assurance Manager:

    DISCREPANCIES MUST BE CORRECTED IMMEDIATELY AND ACTION TAKEN REPORTED

    TO THE COMMANDING OFFICER


    Certification & Accreditation Checklist

    DATE:_______

    Yes No

    1. Spot Check the ship's binder of current

    Authority To Operate (ATO) documents. Are there

    expired ATOs? __ __

    2. Spot Check the ship's binder of current

    System Security Authorization Agreement (SSAA)

    documents. Is the binder up-to-date for removed

    systems or newly installed systems? __ __

    3. Is the drawing of the ship's network topology

    current? [DISA STIG NET0090] __ __

    4. Spot check a ship's workstation for applications

    that are not on the current copy of the Baseline

    Allowance Control (BAC). Are there applications

    present not on the approved BAC? __ __

    5. Review the last annual Information System Self

    Inspection. Are any of the discrepancies still

    outstanding? __ __

    Commanding Officer:


    Information Assurance Workforce Checklist

    DATE: __

    Yes No

    1. Do the IAO, LAN Administrator and other

    members of LAN Division have an Online Compliance

    Reporting System account? __ __

    2. Do the IAO, LAN Administrator and other

    members of LAN Division have a VRAM account? __ __

    3. Do the IAO and LAN Administrator have a TWMS

    account? [NTD 02-09] __ __

    4. Are the IAWF personnel listed in TWMS?

    [NTD 02-09] __ __

    5. Do the IAO, LAN Administrator and other members

    of LAN Division have a Naval Networks account? __ __

    6. Do members of the IAWF have required

    certifications? [DoD 8570-01M] __ __

    7. Have all members of the command completed

    the current Annual Information Assurance

    Training in NKO/e-Learning? ___ __

    8. Does the ship have a training plan in place for

    IAWF personnel? [DoD 8570-01M] __ __


    Traditional Security Checklist

    DATE: ___

    Yes No

    1. Does the ship have a command security instruction?

    [SECNAV Manual 5510.36] ___ ___

    2. Are the Command Security Manager (CSM) and Top Secret

    Control Officer (TSCO) appointed in writing by the CO?

    [SECNAV M-5510.36] ___ ___

    3. In observation of the quarterdeck watch(es) does the

    ship verify the credentials of non-ship force personnel at

    every request for access, and escort personnel who do not

    meet clearance requirements? [SECNAV M-5510.30] ___ ___

    4. Has the ship completed an annual security self

    inspection and corrected the discrepancies (if noted) from

    the previous self inspection? [SECNAV M-5510.36] ___ ___

    5. Has the ship completed the annual inventory of all

    classified and unclassified ADP equipment? ___ ___

    6. Have space certification letters been signed for all

    areas where classified information is processed or stored?

    [SECNAV-M 5510.36] ___ ___

    Commanding Officer:


    System Administrator Checklist: Daily

    1. Review Audit Logs.

    Tasks

    Check application log for warning and error messages for service errors, application or database errors and unauthorized application installs.

    Check security log for warning and error messages for invalid logons, unauthorized users creating, opening or deleting files.

    Check system log for warning and error messages for hardware and network failures.

    Check web/database/application logs for warning and error messages.

    Check directory services log on domain controllers.

    Report suspicious activity to IAO/IAM.

    Reference

    http://iase.disa.mil - Security Technical Implementation Guides (STIGs).

    Tools

    Windows Event Viewer.

    2. Perform/Verify Daily Incremental Backup.

    Tasks

    Run and/or verify successful backup of system and data


    System Administrator Checklist: Daily cont

    3. Track/Monitor System Performance and Activity.

    Tasks

    Check for memory usage.

    Check for system paging.

    Check CPU usage.

    Reference

    www.Microsoft.com - Monitoring Server performance.

    Tools Windows

    Microsoft Management Console.

    Performance Log and Alerts.

    Task Manager.

    System Monitor.

    Microsoft Operations Manager.

    4. Check Free Hard Drive Space.

    Tasks

    Check all drives for adequate free space.

    Take appropriate action as specified by site's Standard Operating Procedures.

    Reference


    System Administrator Checklist: Daily cont

    6. Tactical Directives Review.

    Tasks

    Go to applicable websites to review for new tactical directives:

    o CTOs.
    o NTDs.
    o FAMs.
    o FRAGOs.

    Report applicable directives to IAM for action.


    System Administrator Checklist: Weekly

    1. Review ISA Logs.

    Tasks

    Check ISA/PROXY logs.

    Reference

    Ship's Network Policy.

    2. Review DHCP Logs.

    Tasks

    Review DHCP logs on each Domain Controller in the C:\winnt\system32\dhcp folder.

    Reference

    Ship's Network Policy.

    3. Archive Audit logs.

    Tasks

    Archive audit logs to a media device with one year retention.

    Reference


    System Administrator Checklist: Weekly cont

    Tools

    Windows Backup Tool.

    Veritas Backup Software.

    5. Test Backup/Restore Procedures.

    Tasks

    Restore backup files to a test system to verify procedures and files.

    Reference

    http://iase.disa.mil - Security Technical Implementation

    Guides (STIGs).

    Tools

    Windows Backup and Recovery Tool.

    Veritas Backup Software.

    6. Update Anti-Virus Signature File.

    Tasks

    Download and install current Anti-Virus signature files.

    Reference


    System Administrator Checklist: Weekly cont

    8. Check Sailor 2.1/Navy IASE Websites for Patch Information.

    Tasks

    Check SPAWAR approved websites to ensure correct version of scanning tools is being used.

    Check SPAWAR approved websites for new vulnerability information including patches and hotfixes.

    Reference

    http://iase.disa.mil - Security Technical Implementation

    Guides (STIGs).

    https://sailor.nmci.navy.mil/index.cfm.

    Downloads

    http://iase.disa.mil DoD Patch Repository

    www.cert.mil.

    9. Compare System Configuration Files Against a Baseline for Changes.

    Tasks

    Compare system configuration files against the baseline for:

    o All Servers.
    o Random selection of five workstations/week.

    Compare application executables against the baseline.
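    One way to carry out weekly task 9, shown as an added example that is not part of the handbook: record a SHA-256 manifest of configuration files and executables as the baseline, then report files that changed, appeared, or disappeared, and pick the week's hosts (all servers plus five random workstations). The JSON baseline format, file names, and host names are assumptions for illustration, and the sample directory is constructed.

```python
import hashlib
import json
import random
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(manifest, baseline_path):
    """Write the manifest as JSON (assumed storage format)."""
    Path(baseline_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_baseline(baseline_path):
    return json.loads(Path(baseline_path).read_text())


def compare_to_baseline(baseline, current):
    """Classify differences between the baseline and the current manifest."""
    return {
        "changed": sorted(f for f in baseline
                          if f in current and baseline[f] != current[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def weekly_scope(servers, workstations, sample_size=5, seed=None):
    """All servers plus a random selection of workstations for this week."""
    rng = random.Random(seed)
    pool = sorted(workstations)
    picked = rng.sample(pool, min(sample_size, len(pool)))
    return sorted(servers) + sorted(picked)


def demo():
    """Build a constructed config tree, baseline it, drift it, and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "config"
        (root / "services").mkdir(parents=True)
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "services" / "ntp.conf").write_text("server time.example.invalid\n")
        (root / "app.exe").write_bytes(b"MZ constructed sample executable")

        # The baseline lives outside the monitored tree.
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_manifest(root), baseline_file)

        # Constructed drift: one edit, one deletion, one new executable.
        (root / "hosts").write_text("127.0.0.1 localhost\n10.0.0.5 update-server\n")
        (root / "services" / "ntp.conf").unlink()
        (root / "new_tool.exe").write_bytes(b"MZ not in baseline")

        return compare_to_baseline(load_baseline(baseline_file), build_manifest(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
    hosts = weekly_scope(["srv-a", "srv-b"], [f"ws{i:02d}" for i in range(20)])
    print("hosts to check this week:", hosts)
```

    Keep the baseline manifest on media the monitored host cannot write to, so that a change to a file cannot be hidden by a matching change to its baseline entry.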


    System Administrator Checklist: Weekly cont

    Reference

    www.Microsoft.com - Managing Disks and Volumes.

    Tools Windows

    Disk Defragmenter.

    Error-checking tool.

    Device Manager.

    11. Perform SIPR/NIPR USB Scan.

    Tasks

    Scan all nodes for evidence of USB device insertion using the

    USB Detect Program.

    12. Perform Wireless Check.

    Tasks

    Check system for wireless devices and access.

    Reference

    http://iase.disa.mil - Security Technical Implementation

    Guides (STIGs).

    13. Perform Server Clock/Time Synchronization.


    System Administrator Checklist: Weekly cont

    14. Check for Unnecessary Services.

    Tasks

    Check system services for any unnecessary services running.

    Reference

    http://iase.disa.mil - Security Technical Implementation

    Guides (STIGs).


    System Administrator Checklist: Monthly

    1. Perform Self-Assessment Security Review.

    Tasks

    Review technology checklist for any changes.

    Run current security review tool.

    Import results into Vulnerability Management System (VMS).

    Reference

    http://iase.disa.mil - Security Technical Implementation

    Guides (STIGs).

    https://vms.disa.mil.

    Downloads

    http://iase.disa.mil DoD IA Enterprise-wide Tools and

    Software: Gold Disk (.mil only).

    http://iase.disa.mil IA Subject Matter Areas: Security

    Technical Implementation Guides STIGS: Security

    Readiness Review Evaluation Scripts.

    Tools Windows

    DISA FSO Gold Disk and Scripts.

    eEye Retina Scanner.

    Citadel Hercules Remediation Tool.


    System Administrator Checklist: Monthly cont

    3. Perform Hardware/Software Inventory.

    Tasks

    Review hardware and compare to inventory list.

    Review software and compare to inventory list.

    Update VMS, where applicable.

    Reference

    https://vms.disa.mil.

    4. Verify User Account Configuration.

    Tasks

    Run DumpSec tool to verify user account configuration.

    Verify and/or delete dormant accounts with IAO approval.

    Provide output to IAO team.

    Reference

    http://iase.disa.mil - Security Technical Implementation

    Guides (STIGs)

    Tool available on DISA FSO Gold Disk (Windows).


    System Administrator Checklist: Annually

    1. Change Service-Account Passwords.

    Tasks

    Work with appropriate application administrator to ensure password changes for service accounts such as database

    accounts, application accounts and other service accounts

    are implemented.

    Reference

    http://iase.disa.mil - Security Technical Implementation

    Guides (STIGs).

    2. Review Appropriate Security Technical Implementation Guides

    (STIG).

    Tasks

    Review appropriate STIGs which are updated semi-annually.

    Reference

    http://iase.disa.mil - Security Technical Implementation Guides (STIGs).

    3. Review Training Requirements.

    Tasks


    System Administrator Checklist: Initial

    1. Subscribe to STIG News.

    Reference

    http://iase.disa.mil/request-mail.html.

    2. Subscribe to JTF-GNO Mailings.

    Reference

    ftp://ftp.cert.mil/pub/misc/subscribe.htm.

    3. Establish User Accounts with the following Web-Portals:

    o Sailor 2.1 (NIPRNET/SIPRNET).

    o VRAM (NIPRNET/SIPRNET).

    o OCRS (NIPRNET).

    o VMS (NIPRNET).

    o IATS (NIPRNET).


    System Administrator Checklist

    As Required/After Configuration Changes

    1. Test Patches and Hotfixes.

    2. Install Patches and Hotfixes.

    3. Schedule Downtime for Reboots.

    4. Apply OS upgrades and service packs.

    5. Create/maintain user and group accounts.

    6. Set user and group security.

    7. Subscribe to STIG News.

    After System Configuration Changes:

    1. Create Emergency System Recovery Data.

    2. Create new system configuration baseline.

    3. Document System Configuration Changes.

    4. Review and update SSAA.

    5. Update VMS for Asset Changes.

    6. Update VMS for IAVMs.


    Cyber Zone Inspection Items

    Date: ________

    Yes No

    1. Does the space contain classified information processing systems? ___ ___

    2. Does the area meet the requirements for the level of information being processed?

    Controlled Access Area (CAA) ___ ___

    Restricted Access Area (RAA) ___ ___

    Open Secret Storage Area (OSS) ___ ___

    3. Are screens for classified systems able to be viewed from outside the space? ___ ___

    4. If the space is a RAA, is an access control list posted? ___ ___

    5. If the space is a CAA, RAA or OSS, is it protected with a GSA-approved lock? ___ ___

    6. Are information processing systems clearly labeled with their classifications? ___ ___

    7. Is there a minimum of one meter separation between classified and unclassified information processing systems? ___ ___

    Commanding Officer:


    CO's Information Assurance Quick Look

    The following ten questions will provide a basis for discussing the various aspects of cyber readiness within the command. Command leadership should address these questions and discuss the answers with the Command IAM, CSM, IAOs and SAs.

    Ten questions to better IA awareness:

    1. Have you designated your Command Security Manager (CSM) and Information Assurance Manager (IAM) in writing, and do they have the required training for their positions?

    2. Do your command security procedures provide positive access control for all spaces where classified information is stored or processed?

    3. Do all of your personnel in positions of trust (IAM, Network Administrators, etc.) have the required training and certifications according to the Information Assurance Workforce (IAWF) requirements?

    4. Can your IAM tell you how many computers and other IT resources are on your ship?

    5. Does your IAM maintain configuration drawings of your shipboard networks?

    6. Is your IAM presenting you the results of the required network scans for unauthorized USB device usage for your review?

    7. Does your IAM direct monthly network scans for compliance with the Information Assurance Vulnerability Management (IAVM) program?


    Minimum Set of Periodic Reports

    The following list of reports represents the minimum set of reports that all commands will generate on a periodic basis. The reports listed in this enclosure do not replace any reports that are required by other official instructions or directives. All periodic and irregular reports are to be retained on board by the IAM/IAO, with copies forwarded as required.

    1. Irregular Reports

    a. System Operation and Verification Testing (SOVT). Any time a cyber system is installed, the final installation step is the completion of the SOVT. Ship's force personnel must sign the SOVT verifying that the system operates as designed and accepting responsibility. An important item of note is that system discrepancies can be noted as exceptions when the SOVT is completed. This is important, since systems are often installed with known vulnerabilities. Documenting all vulnerabilities and deviation from IAVA and STIG requirements as SOVT exceptions ensures the program office does not lose track of actions required to make shipboard cyber systems compliant with IA regulations.

    b. Cyber Incident Reports. In the event that a cyber incident occurs on the ship, IA personnel shall provide regular reports to the command team on actions taken and how the incident affects the ship's IA posture and overall mission readiness.

    2. Semi-annual Reports

    a. Certification and Accreditation. At least twice a year, review the status of all command Authorities to Operate (ATOs). For


    Minimum Set of Periodic Reports cont

    b. Privileged User Training. Monthly review the list of personnel who have been granted system administrator rights on the network. These personnel shall have a valid need for this access, will be designated in writing, and shall have the appropriate level of training and qualification in accordance with IAWF guidance.

    4. Bi-weekly Reports

    a. IAVM Reports. Every 2 weeks review the status of the ship's compliance with all identified IA vulnerabilities. This report will include results of periodic SCCVI network scans and show the percentage of ship's computers that have been updated with all available patches. In reviewing the IAVM report, special attention shall be taken to ensure that all computers on the network are being scanned, and that missing patches are being tracked and individual computers are being updated as necessary.

    5. Weekly Reports

    a. Weekly IA Status Report. Weekly, the IAM shall provide a report that gives an overview of the ship's IA posture. Although less detailed than the other individual reports in this section, the IA status report provides leadership with all the data required to ensure that the ship is maintaining a proper level of cyber readiness.

    b. Antivirus Signatures. New antivirus signatures are typically released weekly. Every 2 weeks, network records shall be reviewed to ensure that the signature updates have been applied to all computers. As with IAVM reports, attention shall be given to the number of computers reported as compared to the number actually on the network,


    Enclosure (15)

    Sample Report - Certification & Accreditation

    USS [Ship name] Certification and Accreditation Report

    (Semiannual)

    Date:_______________

    | System Name | Last ATO Date | ATO Exp Date | Next Action | Due Date | Action Status |
    |---|---|---|---|---|---|
    | ISNS Compose 3.0.0.0 (NIPRNET) | May 2009 | May 2012 | Submit C&A Package to ODAA | Dec 2011 | Assembling package |
    | ISNS Compose 3.0.0.0 (SIPRNET) | Jun 2009 | Jun 2012 | Schedule vulnerability assessment | Nov 2011 | Contacting NIOC Blue Team to schedule |
    | Other systems here | | | | | |

    IAM: _____________________ Date: ______

    CSO: _____________________ Date: ______

    DDAA: ____________________ Date: ______


    Enclosure (16)

    Sample Report - IAWF Training

    USS [Ship name] IAWF Training Report

    (Monthly)

    Date:_______________

    IA Qualification

    | Name | Position | Rqd IA Lvl | Qual Status | Due Date | Waiver Req Status |
    |---|---|---|---|---|---|
    | ITCS Jones | IAM | IAM | 90% compl | Dec 2011 | N/A |
    | IT2 Kelly | Sys Admin | IAT Level II | 50% compl | Mar 2012 | 6-mo extension approved from Sep 2011 |

    IAM: _____________________ Date: ______

    CSO: _____________________ Date: ______

    DDAA: _______________________ Date: ___________


    Sample Report - IAWF Training

    USS [Ship name] IAWF Training Report

    (Monthly)

    Date:_______________

    2735-2791 Conversion

    | Name | ADNS CBT | ISNS CBT | Security+ | MS 290 | MS 291 | Due Date | Pkg Submitted |
    |---|---|---|---|---|---|---|---|
    | IT2 Kelly | 20Jul11 | 24Jul11 | 12May11 | 13Aug11 | 3Sep11 | 30Sep12 | 10Sep11 |
    | IT3 George | 15Sep11 | 25Sep11 | 2Oct11 | 15Oct11 | Tst 2Nov11 | 30Sep12 | -- |

    IAM: _____________________ Date: ______

    CSO: _____________________ Date: ______

    DDAA: ____________________ Date: ______


    Enclosure (17)

    Sample Report - IAVM

    USS [Ship name] IAVM Report

    (Monthly)

    Date:_______________

    | System | No. of Computers on System | No. of Computers Scanned | Total Available Patches | No. of Patches Applied | No. of Computers Below 90% | Average Compliance % |
    |---|---|---|---|---|---|---|
    | NIPR Compose | 55 | 50 | 354 | 350 | 4 | 95% |

    IAM: _____________________ Date: ______

    CSO: _____________________ Date: ______

    DDAA: ____________________ Date: ______
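
    The IAVM report lists computers on the system next to computers scanned, and the reporting guidance asks the reviewer to confirm that every computer on the network is being scanned and that missing patches are tracked per computer. The following is an added example, not part of the handbook or of any DISA or Navy tool, that builds such a row from an inventory list and scan output; the `iavm_row` helper, the input format, the host names and the numbers are assumptions constructed for illustration.

```python
"""Build one IAVM report row from an inventory list and scan results.

Added illustration: the input format, host names and numbers are constructed;
nothing here is output from SCCVI, Retina or VRAM.
"""

THRESHOLD = 90.0  # the sample report counts computers below 90% compliance


def iavm_row(system, inventory, scan_results):
    """inventory: iterable of host names that should be on the network.
    scan_results: {host: (patches_applicable, patches_applied)} from a scan.
    """
    inventory = set(inventory)
    scanned = set(scan_results) & inventory
    unscanned = sorted(inventory - scanned)          # inventoried, never scanned
    unknown = sorted(set(scan_results) - inventory)  # scanned, not in inventory

    per_host = {}
    for host in scanned:
        applicable, applied = scan_results[host]
        # A host with nothing applicable is fully compliant, not a divide-by-zero.
        per_host[host] = 100.0 if applicable == 0 else 100.0 * applied / applicable

    below = sorted(h for h, pct in per_host.items() if pct < THRESHOLD)
    average = sum(per_host.values()) / len(per_host) if per_host else 0.0
    coverage = 100.0 * len(scanned) / len(inventory) if inventory else 0.0
    return {
        "system": system,
        "on_system": len(inventory),
        "scanned": len(scanned),
        "coverage_pct": round(coverage, 1),
        "unscanned_hosts": unscanned,
        "unknown_hosts": unknown,
        "below_threshold": below,
        "avg_compliance_pct": round(average, 1),
    }


# Constructed sample: five inventoried hosts, one never scanned, one unknown.
INVENTORY = ["ws-01", "ws-02", "ws-03", "ws-04", "srv-01"]
SCAN = {
    "ws-01": (20, 20),
    "ws-02": (20, 17),   # 85%, below threshold
    "ws-03": (0, 0),     # nothing applicable
    "srv-01": (40, 38),  # 95%
    "ws-99": (20, 5),    # answered the scan but is not in the inventory
}

if __name__ == "__main__":
    for key, value in iavm_row("NIPR (example)", INVENTORY, SCAN).items():
        print(f"{key}: {value}")
```

    The average is computed over scanned hosts only, so a high compliance percentage says nothing about the hosts in `unscanned_hosts`; that is why the report puts the scanned count beside the inventory count.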


    Sample Report - Weekly IA Status

    USS [Ship Name] Weekly IA Status Report

    Date:_______________

    NIPR SIPR CENTRIXS (Others)

    # of Servers

    # of Workstations

    Information Assurance Vulnerability Management (IAVM) Scans

    # Scanned

    Last Scan

    % Compliance

    Last VRAM Upload

    Antivirus

    Definition Date

    Last Scan

    # Scanned


    Backups

    Completed Date

    Tested Date

    Information Assurance Work Force (IAWF)

    # Required

    # Completed

    # in Total Workforce Management Services (TWMS) Database

    Current

    90-Day Projection

    120-Day Projection

    Authorized

    DFS

    Scheduled Maint

    Privileged Users

    Locked Accounts


    Enclosure (19)

    Sample Report - Antivirus

    USS [Ship name] Antivirus Report

    (Weekly)

    Date:_______________

    | System | No. of Computers on System | AV Def Date | Last Scan Date | No. of Computers Scanned | No. of Computers Out of Date | No. of Threats Found |
    |---|---|---|---|---|---|---|
    | NIPR Compose | 55 | 20Oct11 | 24Oct11 | 52 | 3 | 0 |

    IAM: _____________________ Date: ______

    CSO: _____________________ Date: ______

    DDAA: ____________________ Date: ______


    Enclosure (20)

    Sample Report - USB Scan

    USS [Ship name] USB Scan Report

    (Daily)

    Date:_______________

    USB Detect Version: 3.1

    | System | No. of Computers on System | No. of Computers Scanned | Last Scan Date | No. of Instances Found | Action Taken |
    |---|---|---|---|---|---|
    | NIPR Compose | 55 | 48 | 24Oct11 | 1 | Device identified & confiscated. Individual account locked pending further action. |

    IAM: ____________________ Date: _______

    CSO: ____________________ Date: _______

    DDAA: ___________________ Date: _______


    Enclosure (21)

    Sample Report - 8 O'Clock Report

    USS SHIP COMBAT SYSTEM 8 O'CLOCK REPORTS

    CDO/SDO: Date: 11/16/2011 INFOCON 3

    Duty IT:

    NOTE: Periodicities are per PMS requirements or as stated below. * = Required periodicity

    LAN STATUS: PERIODIC CHECKS

    | SYSTEM | TYPE | VERSION | DATE OF ACTION | HOSTS | RESULTS | # | PERIODICITY |
    |---|---|---|---|---|---|---|---|
    | ISNS-NIPR | Scan - USB | USB Detect 3.1 | 11/10/2012 | 30/86 | Hosts with unauthorized devices: | | Weekly |
    | | Scan - Antivirus | | | | Hosts containing malware: | | Weekly |
    | | | | | | Hosts failed to update: | | |
    | | Scan - Retina | | | | Hosts scanned with admin credentials: | | Monthly* |
    | | Patch - VRAM | | | | Patches found (fixable): | | Monthly* |
    | | | | | | Patches found (unfixable): | | |
    | | | | | | Patches Applied (Pushed): | | |
    | | | | | | Patches Applied (Manual): | | |
    | | | | | | False Positives Reported w/Trouble-ticket: | | |
    | | Log Reviews | | | | ISA (Proxy) Log Reviewed: | Y / N | Daily |
    | | | | | | ISA (Proxy) Log Issues: | Y / N | |
    | | | | | | System Audit (Event) Log Reviewed: | Y / N | |
    | | | | | | System Audit (Event) Log Issues: | Y / N | |


    | | | | | | Router (Ports) Log Reviewed: | Y / N | |
    | | | | | | Router (Ports) Log Issues: | Y / N | |
    | | Back-Ups | | | | Partial or Full Back-Up Required: | P / F | Daily* |
    | | | | | | Back-Up Successful: | Y / N | |
    | ISNS-SIPR | Scan - USB | | | | Hosts with unauth devices: | | Daily |
    | | Scan - Antivirus | | | | Hosts containing malware: | | Weekly |
    | | | | | | Hosts failed to update: | | |
    | | Scan - Retina | | | | Hosts scanned with admin credentials: | | Monthly* |
    | | Patch - VRAM | | | | Patches found (fixable): | | Monthly* |
    | | | | | | Patches found (unfixable): | | |
    | | | | | | Patches Applied (Pushed): | | |
    | | | | | | Patches Applied (Manual): | | |
    | | | | | | False Positives Reported w/Trouble-ticket: | | |
    | | Log Reviews | | | | ISA (Proxy) Log Reviewed: | Y / N | Daily |
    | | | | | | ISA (Proxy) Log Issues: | Y / N | |
    | | | | | | System Audit (Event) Log Reviewed: | Y / N | |
    | | | | | | System Audit (Event) Log Issues: | Y / N | |
    | | | | | | Router (Ports) Log Reviewed: | Y / N | |
    | | | | | | Router (Ports) Log Issues: | Y / N | |


    | | Back-Ups | | | | Partial or Full Back-Up Required: | P / F | Daily* |
    | | | | | | Back-Up Successful: | Y / N | |
    | NIAPS Server | Scan - USB | | | | Hosts with unauthorized devices: | | Daily |
    | | Scan - Antivirus | | | | Malware found: | Y / N | Weekly |
    | | | | | | Host failed to update: | Y / N | |
    | | Scan - Retina | | | | Host scanned with admin credentials: | Y / N | Monthly* |
    | | Patch - VRAM | | | | Patches found (fixable): | | Monthly* |
    | | | | | | Patches found (unfixable): | | |
    | | | | | | Patches Applied (Pushed): | | |
    | | | | | | Patches Applied (Manual): | | |
    | | | | | | False Positives Reported w/Trouble-ticket: | | |
    | | Log Reviews | | | | System Audit (Event) Log Reviewed: | Y / N | Daily* |
    | | | | | | System Audit (Event) Log Issues: | Y / N | |
    | | Back-Ups | | | | Partial or Full Back-Up Required: | P / F | Daily* |
    | | | | | | Back-Up Successful: | Y / N | |
    | Navy Cash | Scan - USB | | | | Hosts with unauthorized devices: | | Weekly |
    | | Scan - Antivirus | | | | Malware found: | Y / N | Weekly |
    | | | | | | Host failed to update: | Y / N | |
    | | Scan - Retina | | | | Host scanned with admin credentials: | Y / N | Monthly* |
    | | Patch - VRAM | | | | Patches found (fixable): | | Monthly* |


    | | | | | | Patches found (unfixable): | | |
    | | | | | | Patches Applied (Pushed): | | |
    | | | | | | Patches Applied (Manual): | | |
    | | | | | | False Positives Reported w/Trouble-ticket: | | |
    | | Log Reviews | | | | System Audit (Event) Log Reviewed: | Y / N | Daily* |
    | | | | | | System Audit (Event) Log Issues: | Y / N | |
    | | Back-Ups | | | | Partial or Full Back-Up Required: | P / F | Daily* |
    | | | | | | Back-Up Successful: | Y / N | |

    LAN STATUS: TACTICAL DIRECTIVES

    TACTICAL DIRECTIVE | DESCRIPTION | Fully Compliant

    Computer Tasking Orders

    CTO COMPLIANT CTOs: Y / N

    DELINQUENT CTOs: Y / N

    Comments:

    Fragmented Orders to USCYBERCOM WARNORD (https://www.cybercom.mil; https://www.cybercom.smil.mil)

    FRAGO COMPLIANT FRAGOs: Y / N

    DELINQUENT FRAGOs: Y / N

    Comments:

    Fleet Advisory Messages

    FAM COMPLIANT FAMs: Y / N

    DELINQUENT FAMs: Y / N


    Comments:

    Naval Telecommunication Directives

    NTD COMPLIANT NTDs: Y / N

    NTD DELINQUENT NTDs: Y / N

    Comments:

    Security Technical Implementation Guidelines (STIG)

    Network Policy COMPLIANT STIGs: Y / N

    DELINQUENT STIGs: Y / N

    Comments:

    CHOP:

    IAO IAM COMMO CSO DDAA