7/30/2019 Ncf Cybersecurity Ia Handbook
COMMANDING OFFICERS INFORMATION ASSURANCE HANDBOOK
TABLE OF CONTENTS
IDENTIFICATION TITLE PAGE
FOREWORD COMMANDER, U.S. FLEET FORCES COMMAND LETTER
REFERENCES LIST OF PERTINENT REFERENCES
CHAPTER 1 INFORMATION ASSURANCE OVERVIEW
SECTION 1 INTRODUCTION
SECTION 2 WHAT IS INFORMATION ASSURANCE
SECTION 3 WHY INFORMATION ASSURANCE IS IMPORTANT
SECTION 4 HOW DO WE BUILD A ROBUST IA PROGRAM
CHAPTER 2 CSI PREPARATION GUIDE
SECTION 1 COMMANDER'S GUIDANCE
SECTION 2 INFORMATION ASSURANCE MANAGERS
SECTION 3 SECURITY MANAGERS
SECTION 4 SYSTEM ADMINISTRATORS
LIST OF ENCLOSURES:
ENCLOSURE (1) Information Security (INFOSEC) Checklist
ENCLOSURE (11) System Administrator Checklist: As Required/After Configuration Changes
ENCLOSURE (12) Cyber Zone Inspection Items
ENCLOSURE (13) CO's Information Assurance Quick Look
ENCLOSURE (14) Minimum Set Of Periodic Reports
ENCLOSURE (15) Example Report-Certification & Accreditation
ENCLOSURE (16) Sample Report-Information Assurance Work Force Training
ENCLOSURE (17) Sample Report-IAVM
ENCLOSURE (18) Sample Report-Weekly IA Status
ENCLOSURE (19) Sample Report-Antivirus
ENCLOSURE (20) Sample Report-USB Scan
ENCLOSURE (21) Sample Report-8 O'clock Report
LIST OF PERTINENT REFERENCES
(a) DoD Directive 8500.01E of 24 October 2002
(b) DoD Instruction 8500.2 of 6 February 2003
(c) OPNAVINST 5239.1C, Navy Information Assurance Program
(d) SECNAV M-5239.1, DoN Information Assurance Program
(e) SECNAV M-5239.2, DoN Information Assurance (IA) Workforce Management Manual
(f) SECNAV M-5510.36, DoN Information Security Program Manual
(g) NIST Special Publication 800-128, Configuration Management Guide for Information Systems
(h) DoD Instruction 8510.01 of 28 November 2007
(i) https://diacap.iaportal.navy.mil/ks/Pages/default.aspx
(j) https://www.nde.navy.mil
(k) https://iats.nmci.navy.mil
(l) https://www.portal.navy.mil/netwarcom/navycanda
(m) SPAWAR SCCVI User Guide
(n) http://iase.disa.mil
(o) https://iaportal.navy.mil
(p) https://www.iaportal.fnmoc.navy.smil.mil
(q) https://www.iava.navy.mil/ocrs
(r) https://sailor.nmci.navy.mil
(s) http://isea.spawar.navy.smil.mil
(t) https://vms.disa.mil
(u) https://vms.disa.smil.mil
(v) https://infosec.navy.mil
(w) https://www.cybercom.mil
(x) https://www.cybercom.smil.mil
(y) https://www.portal.navy.mil/netwarcom/CIO/policydirection/default.aspx
(al) https://www.ncdoc.navy.mil
(am) https://www.ncdoc.navy.smil.mil
(an) https://www.portal.navy.mil/cyberfor/N47/N41/default.aspx
(ao) https://www.portal.navy.mil/fcc-c10f/OCA
CHAPTER 1
INFORMATION ASSURANCE OVERVIEW
SECTION 1 INTRODUCTION
1. Introduction. Security for a ship begins at the brow.
Topside watches and Officers-of-the-Deck stand watch to ensure
that the ship is secured and that unauthorized personnel do not
get onboard. However, shipboard security does not stop there.
Escorts provide extra security for non-cleared visitors below
decks. Secure areas of the ship are protected by locks and
alarm systems. Entry into those spaces is controlled by
cognizant authorities and visitor logs track who has been in the
space. This concept of "Defense in Depth" applies equally to
the ship's connection to Cyberspace. Enclave routers and
firewalls stand guard at the network's perimeter to prevent
unauthorized access from outside. Network security personnel,
cyber policies and procedures, and automated systems such as the
Host-Based Security System (HBSS) and proxy server logs all
serve to monitor activity within the network's lifelines. The
combination of personnel, procedures, and products provides the
layered system defense required to ensure the availability,
integrity and confidentiality of the data we rely on to run our
ships.
a. Bottom line: Across the Federal Government, cyber
security incidents have soared by over 600% in the last 5 years.
At least 85% of cyber intrusions could have been prevented if
the following four cyber security and IA practices were
routinely and vigorously followed:
(2) Commanding Officers are ultimately responsible for
understanding and managing the cyber-readiness of their ships.
2. Purpose. To establish Information Assurance (IA) techniques
and procedures that utilize policies for people, processes,
strategy, and technology for protecting Information Technology
(IT) and information. The information in this handbook is
designed to equip Commanding Officers and command personnel with
the background knowledge and tools needed to effectively manage
shipboard IA programs and:
a. Establish guidance for successfully maintaining command
level IA-Readiness requirements.
b. Provide a common reference of all Defense and tactical
level IA-related doctrine.
c. Provide training and education guidance for command IA
Workforce members.
3. Scope. This document is intended to provide Commanding
Officers with an overview of the fundamental issues regarding
the management of our networks and, to a limited extent, with
guidelines they can use in day-to-day efforts to ensure their
networks can reliably support the ship's mission and resist
adversaries in the virtual realm. Although designed as a CO's
handbook, this information is relevant and applicable for
establishing a baseline level of understanding for all khaki
leadership. Build cyber security awareness, actions, and
oversight into command daily battle rhythm and in parallel
SECTION 2 WHAT IS INFORMATION ASSURANCE (IA)?
1. Information Assurance. In broad terms, IA is the practice
of managing risks related to the use, processing, storage, and
transmission of information or data and the systems and
processes used for those purposes. The terms Information
Security (INFOSEC), Computer Security (COMSEC) and Network
Security (NETSEC) are often used interchangeably with IA. In
actuality, each of these areas deals with a more specific
portion of overall security within the cyber environment.
Reference (a) defines IA as measures that protect and defend
information and information systems by ensuring their
availability, integrity, authentication, confidentiality, and
non-repudiation. This includes providing for restoration of
information systems by incorporating protection, detection, and
reaction capabilities.
2. INFOSEC. INFOSEC is defined as protecting information and
information systems from unauthorized access, use, disclosure,
disruption, modification, perusal, inspection, recording or
destruction of the information. INFOSEC is concerned with the
confidentiality, integrity, and availability of data regardless
of format: electronic, print, etc. The ship can ensure INFOSEC
through:
a. Leadership involvement. Making INFOSEC a priority at
all levels in the command. Examples: inculcating cyber security
(3) Taking immediate action in the event of an incident
or spillage to ensure the incident response is thorough,
remediation/mitigation efforts are completed, and records are
retained by the IA Manager (IAM)/IA Officer (IAO).
3. Computer Security. Computer Security is the collective
processes and mechanisms by which sensitive and valuable
information and services are protected from publication,
tampering, or compromise by unauthorized activities, or inside
threats and unplanned events. Its objective includes the
protection of information and property from theft, corruption,
or natural loss due to disaster, while allowing the information
and property to remain accessible, reliable, and responsive to
its intended users. Unlike INFOSEC, Computer Security focuses
primarily on ensuring the availability and correct operation of
a computer system without concern for the actual information
stored or processed by the computer.
4. Network Security. Network Security includes provisions and
policies adopted by the network administrator to monitor and
prevent unauthorized access, misuse, modification, or denial of
the computer network and network-accessible resources.
5. Physical Security. Physical Security includes measures
designed to prevent unauthorized personnel (including
attackers or even accidental intruders) from physically
accessing a building, facility, resource, or stored information;
and guidance on how to design structures to resist potentially
hostile acts
layered defense that ensures information is readily accessible
where and when we need it. Figure 1 illustrates this "Defense
in Depth" concept.
SECTION 3 WHY IS INFORMATION ASSURANCE IMPORTANT?
1. Background. In 1996, pursuant to a congressional request,
the Government Accounting Office (GAO) reviewed the extent to
which DoD computer systems experience attack. The GAO analyzed
the potential for further damage to DoD computer systems and
challenges in securing sensitive information on its computer
systems.
a. DoD relies on a complex information infrastructure to
design weapons, identify and track enemy targets, pay soldiers,
mobilize reservists, and manage supplies.
b. Use of the Internet to enhance communication and
information sharing has increased DoD exposure to attack, since
the Internet provides unauthorized users a means to access
unclassified DoD systems.
c. While the DoD information available on the Internet is
unclassified, it is sensitive and must be restricted.
d. Only about 1 in 500 attacks is detected and reported,
but the Defense Information Systems Agency (DISA) estimates that
DoD is attacked about 250,000 times per year.
e. Attackers have stolen, modified, and destroyed data and
software disabled protection systems to allow future
implementation. For DoN specifically, references (c) through
(f) promulgate Navy IA, IA Workforce (IAWF) Improvement, and
INFOSEC policy. Numerous other instructions, directives,
bulletins, and policy documents further define and codify the
requirements for all Navy units to have a robust IA program.
SECTION 4 HOW DO WE BUILD A ROBUST INFORMATION ASSURANCE PROGRAM?
1. Facets of IA. As with any other shipboard program, multiple
actions and persistent oversight must exist to establish a
robust IA program. This chapter addresses four core areas of
IA: Administration, Personnel, Training, Operations, and
Monitoring and Assessment.
2. IA Administration. One of the principal enablers of any
successful program is meticulous record-keeping and adherence to
published procedures. Myriad instructions, bulletins, technical
documents, and other publications provide requirements and
guidance for properly maintaining an IA program. For Commanding
Officers, two key documents are reference (c), OPNAVINST 5239.1C
and reference (d), SECNAV M-5239.1. These documents provide a
concise overview of the DoN's implementation of DoD IA
requirements. Additionally, reference (c), paragraph 8.k,
outlines the duties of Commanding Officers with regard to IA.
3. Command Security Instruction. Reference (f), exhibit 2A,
requires all commands to publish a command security instruction
and provides specific guidelines for development.
4. IA Documentation. The key to a robust IA program is
maintaining accurate documentation of command information
systems. A well-organized, well-maintained command IA binder
will help ensure command cyber systems are being maintained in
exists as the definitive document required in obtaining and/or
renewing an Authority to Operate (ATO) for the network.
(1) ATO. The ATO is a document provided by the DoN DAA
and Systems Command Program Manager that grants specific
permissions to connect and operate a given information system
based on a satisfactory DoD IA Certification and Accreditation
Process (DIACAP) score. Once granted, an ATO is valid for a
maximum period of 3 years.
(2) IATO. An IATO is a temporary ATO that allows a
command to operate while simultaneously resolving known
vulnerabilities. Once granted, an IATO is valid for a maximum
period of 6 months.
(3) Knowing in advance that an ATO/IATO renewal is due,
IAMs must be proactive in submitting the required documentation
to maintain network operations. A good rule of thumb is that
requests for ATO/IATO renewal should be submitted at least 6
months prior to the expiration of the existing ATO/IATO.
Meticulous record keeping of existing ATO/IATOs and approved
system configuration changes makes the process of
recertification significantly easier. See references (h) and (i)
for more details on the C&A process. See references (j) through (l)
for more details on obtaining ATO/IATOs.
c. IA Vulnerability Management (IAVM). Navy Cyber Defense
Operations Command (NCDOC) constantly reviews Navy cyber systems
for new or existing security vulnerabilities. When a new
vulnerability is discovered, NCDOC will issue an IA
(4) Reference (n) for Retina Engine Updates/Downloads.
(5) Reference (o) for DoN IAVA Patch reporting Non-Secure Internet Protocol Router Network (NIPRNET).
(6) Reference (p) for DoN IAVA Patch reporting Secret
Internet Protocol Router Network (SIPRNET).
(7) Reference (r) for CTO/IAVA Patch Compliance
Reporting.
(8) Reference (s) for SPAWAR Patch repository NIPRNET.
(9) Reference (t) for SPAWAR Patch repository SIPRNET.
(10) Reference (u) for DoD/DISA Patch/Plan of Action and
Milestones (POA&M) reporting NIPRNET.
(11) Reference (u) for DoD/DISA Patch/POA&M reporting SIPRNET.
d. Navy Telecommunications Directives (NTDs)/
CTOs/Patches/Fleet Advisory Messages (FAMs). NTDs generally
address larger policy or overall operational aspects of cyber
operations. CTOs issue specific tasking with regard to such
things as setting Information Operations Condition (INFOCON)
levels or establishing new information security procedures. How
the system is patched depends on whether it is a program of
record (PoR) or not. For PoRs, it is a six-step process:
(6) DoN command applies the patch to the system. For
non-PoRs, the command downloads the patch directly from the
vendor when directed via broadcast message by NCDOC. Most
systems in the Fleet are PoR. The following references provide
further guidance on Tactical Directives (TD):
(a) References (q) and (v) for Navy CTOs.
(b) References (w) and (x) for DoD CTOs.
(c) Reference (r) for SPAWAR FAMs.
(d) Reference (y) for NTDs.
e. Command IA Plan. Each command is responsible for
publishing a command-level IA plan. The IAM develops the plan
based on doctrine and has overall responsibility for
implementing it once it is signed by the Commanding Officer.
The IA Plan should include guidance and reporting for:
(1) Incident Handling and Response.
(2) IAVM (Antivirus, IAVA, Universal Serial Bus (USB)
Detect).
(3) Information Assurance Workforce (IAWF) (Training and
Certification).
(4) Tactical Directives (CTO/NTD/FAM/FRAGO).
f. System Access Authorization Requests (SAARs). Each user
of a DoD information system must complete a SAAR for each system
he or she will use. Included in the SAAR is the security
classification level of the system and the clearance level of
the individual. SAARs also contain the user agreement for
proper use of government information systems and provide
guidelines for appropriate use. In the approval process, the
SAAR is accompanied by a copy of the individual user's
certification of completion of the annual IA refresher training
requirement. Completed SAARs and IA training certificates
should be maintained by the IAM for all users assigned to the
command and for all visitors to whom system access has been
granted. See reference (z) for further guidance.
5. IA Personnel. IA Personnel are key individuals within the
IAWF who manage the day-to-day operations of a command-level IA
program:
a. The Deployed Designated Approving Authority (DDAA).
Reference (c), paragraph 8.K assigns responsibility to
Commanding Officers, Commanders, Officers-in-Charge and
Directors in their role as local IA authorities. It states that
in coordination with the Office of Designated Approving
Authority (ODAA), when the unit is deployed, they serve as the
DDAA.
b. Commanding Officers, Commanders, Officers-in-Charge and
Directors (acting as DDAA) must ensure information systems are
compliant with DoD IA requirements per references (a), (y), and
(aa) and Defense Information Systems Network (DISN) policy and
products lists or to authorize connection of an information
system that had not been accredited by the DoN ODAA.
d. If a Commanding Officer of a deployed unit does exercise
the DDAA authority, the Commanding Officer must inform
FLTCYBERCOM as soon as operationally feasible of the authorized
deviation per Navy Telecommunications Directive (NTD) 07-09.
DDAA training may be found in reference (ab).
e. The Command Security Manager (CSM) is responsible to the
Command Security Officer for running the command's traditional
security program. The CSM works closely with the IA Manager (IAM)/IA
Officer (IAO) to ensure that Information Systems Security
Management (ISSM) is established and maintained.
f. The IAM is designated in writing by the DDAA and is
responsible for the overall operation and management of the
command's/ship's IA program. The IAM should be Navy Enlisted
Classification (NEC) 2779 qualified, a U.S. citizen designated by
the Commanding Officer/DDAA, and assume responsibilities per
reference (b), section 5.9 and reference (e). Specific duties
of the IAM include:
(1) Act as primary IA technical advisor to the
Commanding Officer.
(2) Maintain IA oversight of the ship's networks and
changes that may affect IA posture.
(3) Develop and maintain the command IA program to
(8) Provide IA and network security training for all
users.
(9) Ensure all personnel with privileged systems access
(system administrators) have all required training and are
designated in writing.
(10) Ensure all command networks are certified,
accredited, and have a valid ATO, or Platform Information
Technology (PIT) Risk Assessment (PRA) for designated PIT
systems, and that they are maintained according to their IA C&A
documentation.
(11) Maintain accurate configuration and compliance
records for all networks.
(12) Observe shipboard information processing practices
and ensure the Commanding Officer and command leadership are
aware of the command's IA climate.
g. The IAO works directly for the IAM and is focused primarily
on INFOSEC. Each IAO, in addition to satisfying all
responsibilities of an Authorized User, shall assist the IAM in
accordance with reference (b), section 5.10 and reference (e),
section 1.8.6, to include:
(1) Ensure that all users have the requisite security
clearances and supervisory need-to-know authorization, and are
aware of their IA responsibilities before being granted access
to the DoD information system
(6) Implement and enforce all DoD information system IA
policies and procedures.
h. The CSM and IAO must be designated in writing by the
Commanding Officer/DDAA.
6. IA Training. A command's IA program is only as good as the
people who manage it. Ensuring that both operators and managers
have the proper training is therefore critical to the ship's
INFOSEC posture.
7. IAWF Improvement Program (IA WIP). Reference (af) specifies
that all personnel who work on DoD information systems must be
trained and certified at various levels commensurate with the
level of their network privileges; reference (e) provides
specific Navy guidance. The DoN's NEC 2790 and 2791, and the IA
PQS levels 300 through 304 provide the training and
certification for DoN personnel to comply with the DoD
requirements. Reference (ag) provides CYBERFOR IAWF guidance
for implementing a command level program and details on
obtaining IAWF certifications. The command IAM is responsible
for managing the command's IA WIP. The IAM is directly responsible
to the DDAA to ensure:
a. IAWF personnel are properly appointed in writing.
b. IAWF personnel are identified, and training progress
tracked, in the Total Workforce Management System (TWMS).
c. IAWF personnel obtain certification requirements for
and report any perceived problems or inconsistencies in system
operations. Continued discussion and reemphasizing of IA
training at all levels will help ensure users do not become
complacent. In addition, systems administrators (SA) perform a
range of other tasks to ensure the command's/ship's networks are
being properly maintained. SAs should use a daily checklist
similar to enclosure (6) to ensure that the ship's information
systems are maintained in an optimum state of readiness and
security.
a. IAVM Scanning. SAs are required to conduct monthly
Secure Configuration Compliance Validation Initiative (SCCVI)
scans to identify security vulnerabilities. The results of
these scans must be uploaded to the DoN's Vulnerability
Remediation Asset Management (VRAM) database. See reference (m)
and CTO 08-05 and 11-16a for further guidance.
b. IAVM Patching. IAVM patches are released by the PoR Program
Office to resolve security vulnerabilities. VRAM results provide
SAs with a list of approved patches to apply to hosts; as such,
SAs are required to maintain 100% patch accountability (i.e.,
patch applied successfully or reported as a false-positive) for
all patches older than 30 days. Once patches are successfully
applied to all hosts, additional scans should be conducted to
ensure that all patches were successfully applied. Any patches
that do not install properly should be reported to the system PM
office via trouble-ticket. See references (r) and (s) to submit
web-based trouble-tickets for PoR systems.
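One way to compute the patch accountability figure described in paragraph b after a follow-up scan, as an added example that is not part of the handbook. The host names, patch IDs, status names and data layout are constructed for illustration and are not the VRAM or SCCVI export format; a host that the follow-up scan never reached is counted as open rather than assumed patched.

```python
from datetime import date, timedelta

MAX_AGE = timedelta(days=30)               # rule applies to patches older than 30 days
ACCOUNTED = {"applied", "false_positive"}  # the two outcomes that count as accounted for

# Constructed sample data (assumed layout, not a real scan export).
HOSTS = ["WKSTN-01", "WKSTN-02", "SRV-01", "SRV-02"]
REQUIRED = {                               # patch id -> release date
    "PATCH-A": date(2019, 5, 1),
    "PATCH-B": date(2019, 6, 10),
    "PATCH-C": date(2019, 7, 20),          # only 10 days old on AS_OF: out of scope
}
RESCAN = {                                 # host -> patches the follow-up scan still flags
    "WKSTN-01": set(),
    "WKSTN-02": {"PATCH-A", "PATCH-C"},
    "SRV-01": {"PATCH-B"},
    # SRV-02 is absent: the follow-up scan never reached it
}
FALSE_POSITIVES = {("SRV-01", "PATCH-B")}  # findings reported as false-positive
INSTALL_FAILED = {("WKSTN-02", "PATCH-A")} # installs attempted that did not succeed
AS_OF = date(2019, 7, 30)


def classify(host, patch_id, rescan, false_positives, install_failed):
    """Status of one patch on one host, judged from the follow-up scan."""
    if host not in rescan:
        return "not_scanned"               # no evidence either way: treat as open
    if patch_id not in rescan[host]:
        return "applied"                   # rescan no longer flags the patch
    if (host, patch_id) in false_positives:
        return "false_positive"
    if (host, patch_id) in install_failed:
        return "failed"                    # candidate for a trouble-ticket
    return "missing"                       # never attempted


def accountability(hosts, required, rescan, false_positives, install_failed, as_of):
    """Summarise accountability for every patch older than MAX_AGE on as_of."""
    in_scope = sorted(p for p, released in required.items()
                      if as_of - released > MAX_AGE)
    rows = [(h, p, classify(h, p, rescan, false_positives, install_failed))
            for h in hosts for p in in_scope]
    open_items = [r for r in rows if r[2] not in ACCOUNTED]
    tickets = [(h, p) for h, p, status in open_items if status == "failed"]
    if rows:
        percent = round(100.0 * (len(rows) - len(open_items)) / len(rows), 1)
    else:
        percent = 100.0                    # nothing in scope yet
    return {"in_scope": in_scope, "percent": percent,
            "open": open_items, "tickets": tickets}


if __name__ == "__main__":
    report = accountability(HOSTS, REQUIRED, RESCAN,
                            FALSE_POSITIVES, INSTALL_FAILED, AS_OF)
    print("Patches in scope:", ", ".join(report["in_scope"]))
    print("Accountability: %.1f%%" % report["percent"])
    for host, patch_id, status in report["open"]:
        print("  OPEN  %-9s %-8s %s" % (host, patch_id, status))
    for host, patch_id in report["tickets"]:
        print("  TICKET to PM office: %s on %s" % (patch_id, host))
```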
c. Fleet Advisory Messages (FAMs). FAMs are disseminated
supervision of IAM or IAO. When questionable USB activity is
discovered, SAs must take follow-on action to identify and
locate the device used and determine if incident handling and/or
reporting to NCDOC is required. The Command IA Policy and
account user forms should clearly state permitted and prohibited
USB use and provide appropriate enforcement authority to IAWF
Personnel. As with SCCVI scans, common problems with USB scan
results include:
(1) Improper administrative configuration.
(2) Connectivity issues.
(3) Registry keys are not routinely reset when a USB
event is detected.
f. Security Technical Implementation Guides (STIG). DISA
publishes STIGs for common network configuration and security
requirements that specify how components should be configured to
minimize the risk of vulnerability exploitation on the affected
network. SAs should complete/verify all STIGs that apply to
their information systems components on a semi-annual basis.
Note that some STIGs require component modifications that are
beyond ship's force capability; however, it is still incumbent
upon the ship to recognize STIG non-compliance and defer these
changes to the Inservice Engineering Activity (ISEA) for
appropriate action. See reference (ah) for a comprehensive list
of DISA STIGs.
g. Antivirus Definitions. Just like system patches
accounts for new users. When a user leaves the command, SAs
should disable the user account, maintain the account inactive
for a period of 1 year, and then permanently delete the account.
The 1-year period ensures that an account can be reactivated for
investigational purposes. As they create accounts, SAs must
ensure they are providing only the level of access required by
the user to perform his/her job. Additionally, any access above
Authorized User requires IAM approval. See references (b), (e),
(z), (aa), and (af) for guidance on user account management.
i. Password Management. Another area of large impact is
password management. Current network configurations require
passwords to be complex and changed periodically per the latest
Information Operations Condition (INFOCON) message found at
references (al) and (am). IAM/IAO/SAs shall conduct periodic
account audits to ensure that there are no default/group
usernames and passwords being used by personnel. Default/Group
accounts (excluding group email accounts) generated by ship's
force shall be disabled immediately.
j. Remote Account (Password) Management. SYSCOMs, Fleet
Systems Engineers, and other outside activities often maintain
default usernames and passwords on systems for easy remote
access when required for troubleshooting, maintenance, and
monitoring. However, doing so poses a critical vulnerability to
the ship's systems; therefore, IAMs shall maintain a strict password
renewal and storage policy to ensure that remote access to
shipboard systems is properly controlled. This includes
periodic remote access password changes and proper storage for
centralized dissemination by IAM/IAO to outside entities only
are successful, testing the backup with periodic restorations is
crucial to ensure the data is preserved. PoR System Technical
Manuals can be found at references (r) and (s). The latest INFOCON
message may be found at references (al) and (am).
10. IA Monitoring & Assessment. Reference (ac) directs that
all DoN IA programs must be periodically evaluated for
effectiveness. Evaluation must take place at all levels, from
the duty SA to the applicable DoN oversight agency to ensure DoN
information systems continue to adapt to an ever-changing threat
environment. The adages "You get what you inspect, not
what you expect," and "Trust but verify," are nowhere more true
than in the realm of IA. Commands with the best IA assessment
and monitoring programs are those best equipped to operate and
defend in the cyber domain.
a. IA Quick Look. Enclosure (13) provides 10 questions
Commanding Officers should ask to get a quick overview of cyber
readiness for their ship. The Quick Look touches on all areas
of IA and can justify the implementation by management of more
exhaustive processes necessary for maintaining the ship's cyber
readiness posture.
b. Periodic Reports. DoN IA regulations require specific
periodic reports for IAVA compliance and USB scan results.
Commands must develop their own IA readiness reports to ensure
that command leadership is continuously aware of the IA posture
of their systems. Enclosure (14) lists a minimum set of reports
for Commanding Officers to review periodically to get a sense
of the overall cyber-health of their command
e. Blue Team Visits. Navy Information Operations Command
(NIOC) provides personnel trained in computer network threat
assessments and vulnerability analysis to visit commands and
provide an analysis of their network's cyber-readiness
condition. Because they are trusted agents, the Blue Team has
access to ethical hacker tools that provide a significantly more
detailed report of network status than those authorized for use
by ship's force. Blue Team visits should be requested via
official broadcast message to FLTCYBERCOM to help ensure that
the command's IA program remains on track.
f. Cyber Security Inspection and Certification Program
(CSICP). The CSICP is the DoN's process of formally inspecting
shipboard IA posture based on DoD, DoN, DISA, and National
Institute of Standards and Technology (NIST) standards. The
shipboard Cyber Security Inspection (CSI) follows the same
format and guidelines as the Command Cyber Readiness Inspection
(CCRI) that DISA performs for shore commands. The CSI should be
integrated into the ship's Fleet Readiness Training Plan (FRTP)
and is required as part of renewing the ship's network ATOs.
Notification of the CSI schedule for a ship normally occurs 120
days prior to the actual inspection. If the ship has a robust
and vital IA program, preparation for the CSI should cause
minimal impact. Notification of the CSI schedule occurs when
the schedule message is released, notionally 5-6 months prior to
the inspection. FLTCYBERCOM OCA will contact the ship 90 days
prior to the inspection to begin coordination. Blue Teams and
CYBERFOR assistance teams will help to ensure readiness and can
fairly accurately predict CSI performance. Outside assistance
aside, the very best preparation for the CSI is daily vigilance
Commanders. This assessment will include a review of Stage I,
plus an additional in-depth assessment of network security,
physical security and all five IA Facets: Administration,
Training, Personnel, Operations, and Monitoring and Assessment.
For afloat commands, any similar assessments conducted as part
of FRTP will be incorporated into Stage II to eliminate
redundancy. Upon successful completion of Stage II, a command
is determined ready to progress to Stage III, a
comprehensive inspection to be scheduled and conducted within
the following 12-month period.
(a) Pre-CSI Training and Assist Visits. CYBERFOR's
Pre-CSI Training and Assist Team, CYBERFOR N41, provides IA
program training and assistance as a subset of a ship's CSICP
Stage II.
(b) These visits are valuable for identifying
shipboard IA program deficiencies for ship's force action prior
to a Stage III inspection.
(c) Stage III: Cyber Security Inspection. This is
a nominal 5-day comprehensive graded inspection involving all
cyber security areas; specifically, leadership engagement,
physical security, administration, training, network
configuration, and network operations. This inspection will be
scheduled and conducted by FLTCYBERCOM inspection teams and is
structured to replace the DISA CCRI. As CSICP matures, several
Stage III inspection teams will be assigned to select Echelon II
Commanders to conduct inspections on behalf of FLTCYBERCOM using
the same established process. Stage III inspections will result
CHAPTER 2
CSI PREPARATION GUIDES
SECTION 1COMMANDERS GUIDANCE
1. Summary
. You are highly encouraged to conduct a self
assessment of information systems, within your area of
authority, in preparation for the scheduled FLTCYBERCOM directed
Cyber Security Inspection (CSI). The completion of a self
assessment utilizing the checklists, tools, and processes
referenced in this document will also meet the requirements forCC/S/A self-conducted compliance assessments listed in CJCSI
6211.02C and in the Joint Common IA Assessment Methodology
(JCIAAM).
2. CSI Background. A CSI is a methodology that expands upon
the original NIPRNET and SIPRNET Compliance Validations as
mandated in the CJCSI 6211.02C. The CSI program inspects
network security compliance with DoD IA policies, NIST
configuration management requirements, and DoD 8570.01-M IA WIP
requirements.
3. Requirements. Ensure that a comprehensive self-assessment
meets all of the criteria that will be evaluated during a formal
CSI. The self-assessment will reveal areas which require
corrective action and remediation that can be accomplished by
ship's force, as well as any program of record or physical
security shortfalls that require external assistance to address
and correct. Documentation of these shortfalls (via casualty
reports (CASREPs) or other formal message traffic) is
c. Network Configuration.
d. Network Operations and Behavior.
5. Checklist. An affirmative response and understanding of the
questions below will prepare you for a successful CSI.
a. Program Administration
(1) Do we have appointment letters for our network
security team (IAM, IAOs, etc)?
(2) Have we verified that Privileged Access Users have
signed Information System Privileged Access Agreement Letters on
file?
(3) Have all personnel completed the mandatory annual
Information Assurance training by the required due date? If
not, what is the plan for getting us there?
(4) Have all command personnel received OPSEC training
and when was it completed?
(5) Do we have signed Memorandums of Agreement or
Understanding with all tenant commands connected to our network,
if applicable?
(6) Are our tenant commands also in compliance with DoD
and DoN standards if applicable?
(4) Is a program established to ensure safes, vaults,
and secure rooms are properly managed? Ensure only GSA approved
security containers are being used; ensure combinations are
changed as required; ensure all forms, Standard Form (SF) 700
and SF-702, are properly completed; ensure repairs are conducted
correctly?
(5) Are individuals granted access to classified
materials notified of applicable handling instructions? This
may be accomplished by a briefing, written instructions, or by
applying specific handling requirements to an approved cover
sheet?
(6) Are security checks being performed at the close of
each working day to ensure all areas are secure? SF 701,
"Activity Security Checklist," shall be used to record such
checks. An integral part of the security check system shall be
the securing of all vaults, secure rooms, and containers used
for the storage of classified material; SF 702, "Security
Container Check Sheet," shall be used to record such actions.
In addition, SF 701 and 702 shall be annotated to reflect
after-hours, weekend, and holiday activity.
(7) Do all vaults and secure rooms meet all requirements
of DoD 5200.1R Appendix 7?
(8) Do we have approval or waiver letters for Open
Secret Storage in spaces where classified information is
processed or where a PDS may not be in place?
(4) Are the proper ports opened on our network per
COMNAVNETWARCOM CTO 08-08, IP SONAR Mapping of Classified
Networks?
(5) What vulnerabilities were identified that we were
unable to patch or mitigate?
d. Network Operations and Behavior
(1) On what date was the last monthly scan conducted
using RETINA? Are we sure we are scanning with the most recent
scan engine? Are all scans conducted using the proper accesses?
(2) Are we reviewing VRAM scan results on a monthly
basis? Who validates that noted vulnerabilities have been
corrected? Is this a formalized, documented process?
(3) Has a POA&M been entered into VMS for all
uncorrected vulnerabilities?
(4) Have we informed the DAA/DDAA about our uncorrected
vulnerabilities?
(5) Have the latest anti-virus updates been downloaded
and installed to all systems onboard the ship?
(6) Have any new USB devices been detected on the
networks? Where?
(7) Are there any CND incidents currently open with
either NCDOC or the CNOC? If so what is the status and
(3) Do we have a mitigation plan in place for those
findings that cannot be immediately corrected?
(4) Is our ISIC aware of the inspection results?
f. Points of Contact
(1) OPERATIONAL: Who are our points of contact at
FLTCYBERCOM?
(2) READINESS: Who are our points of contact at Navy
Cyber Forces (C5I TYCOM)?
(3) When was the last time we communicated with them?
CHAPTER 2
CSI PREPARATION GUIDES
SECTION 2
INFORMATION ASSURANCE MANAGERS GUIDANCE
1. Summary. A best practice is to conduct a self assessment of
information systems, within your area of authority, in
preparation for the scheduled FLTCYBERCOM directed Cyber
Security Inspection (CSI). The completion of a self assessment
utilizing the checklists, tools, and processes referenced in
this document will also satisfy the requirements for CC/S/A
self-conducted compliance assessments listed in CJCSI 6211.02C
and in the Joint Common IA Assessment Methodology (JCIAAM).
2. CSI Background. A CSI is a methodology that expands upon
the original NIPRNET and SIPRNET Compliance Validations as
mandated in the CJCSI 6211.02C. The CSI program inspects
network security compliance with DoD IA policies and
configuration requirements, the health of the network from a
security viewpoint, and DoD 8570.01-M Information Assurance
Workforce Improvement Program requirements.
3. Requirements. A thorough self assessment must be aligned
with the formal CSI components and criteria.
4. Requirements. The CSI components are listed below for your
reference with URLs to the specific checklists and tools
utilized during the CSI.
a. Latest STIGs: http://iase.disa.mil/stigs/stig
(7) Domain Name System (DNS) Operating Systems - Windows.
(8) Microsoft Windows STIG.
(9) Microsoft Windows 2003 Checklist.
(10) Microsoft Windows 2000 Checklist.
c. Gold Disk [DISA]: https://patches.csd.disa.mil (CAC
login required).
d. Domain Name System (DNS) Operating Systems - UNIX
(1) UNIX Operating System STIG.
(2) UNIX Operating System Checklist.
(3) SRR Scripts: http://iase.disa.mil/stigs/SRR/unix.html.
e. Internal Vulnerability Scans
(1) DoD Enterprise SCCVI Tool Currently: eEye Retina
IAVM https://powhatan.iiie.disa.mil/tools/sccvi/updates (CAC
login required).
(2) Configuration Requirements/Checklist
https://powhatan.iiie.disa.mil/tools/sccvi/documentation/checklist for successfully running eeye retina pdf
(5) Motorola Good Mobile MWES Security Checklist.
(6) Apriva Sensa Secure WES Security Checklist.
g. Enclave Review
(1) Enclave STIGs.
(2) Enclave Checklist
https://powhatan.iiie.disa.mil/stigs/enclave-policy.
h. Host Based Security System (HBSS) Review
(1) DoD IA Enterprise Solutions STIGs
https://powhatan.iiie.disa.mil/stigs/app-sec-guides.
(2) HBSS Checklist
https://powhatan.iiie.disa.mil/stigs/app-sec-guides.
i. INFOSEC/PERSEC/PHYSEC Security tools:
(1) SECNAV M-5510.36 Exhibit 2A, Command Security
Instruction Requirements.
(2) SECNAV M-5510.36 Exhibit 2C, INFOSEC Checklist.
(3) SECNAV M-5510.30 Exhibit 10A, PERSEC Checklist.
j. Cross Domain Solutions
(2) REL LAN Security Checklist:
https://powhatan.iiie.disa.mil/stigs/net-sec-guides/rel-lan-checklst-1-25-07.pdf.
l. IAM/Security Officer Review
(1) Latest checklists are located at
http://iase.disa.mil/stigs/checklist/index.html.
(2) Tenant Command MOUs/MOAs
(3) Latest DISA Enhanced Compliance Validation
(ECV)/Command Cyber Readiness Inspection (CCRI) or FLTCYBERCOM
Cyber Readiness Inspection (CRI) results.
(4) IG inspection (IA and security areas).
(5) Signed designation letters for IAWF Members.
(6) Foreign Nationals Administration.
m. Firewalls and Routers
(1) The latest version of procedures, checklists, STIGS
and scripts may be obtained from http://iase.disa.mil or
https://iase.disa.smil.mil.
(2) Sailor 2.1 NIPR: https://sailor.nmci.navy.mil,
Sailor 2.1 SIPR: http://sailor.nmci.navy.smil.mil.
(3) Adequate VMS training:
(a) For classroom training, contact
(b) Web based CBT: https://vmscbt.disa.mil/.
o. Technical Support Contact Information
(1) DISA Operational Support - VMS Helpdesk:
(405) 739-5600 (option #3), DSN 339.
(2) [email protected].
CHAPTER 2
CSI PREPARATION GUIDES
SECTION 3
SECURITY MANAGERS GUIDANCE
1. Summary. Action Officers are also highly encouraged to
conduct a self assessment of information systems, for areas
within their respective area of responsibility. The completion
of a self assessment utilizing the checklists, tools, and
processes referenced in this document will also meet the
requirements for CC/S/A self-conducted compliance assessments
listed in CJCSI 6211.02C and in the Joint Common IA Assessment
Methodology (JCIAAM).
2. CSI Background. A CSI is a methodology that expands upon
the original NIPRNET and SIPRNET Compliance Validations as
mandated in the CJCSI 6211.02C. The CSI program inspects
network security compliance with DoD IA policies and
configuration requirements, the health of the network from a
security viewpoint, and DoD 8570.01-M IAWP requirements.
3. Requirements. Your self assessment must be based on the CI
criteria to ensure a comprehensive review of network security
posture. Additionally, findings should be loaded into the DoD
VMS to document significant vulnerabilities and address
corrective actions prior to the CSI. References to
the specific checklists and tools utilized during the CSI are
provided below.
a. General guidance may be found in these references and on
(1) Traditional Basic Checklist.
(2) Traditional DISA Checklist.
(3) Traditional Common CV Checklist.
(4) Traditional SCV.
c. INFOSEC/PERSEC/PHYSEC review areas:
(1) Building Floor Plans (Identify areas that
process/store classified information).
(2) PDS Drawings if installed and certification letter.
(3) Intrusion Detection System Information (drawings if
available).
(4) Access Controls.
(5) Emergency Action Plan.
(6) Key and Lock Program.
(7) Anti-Terrorism Plan.
(8) Visitor security procedures.
(9) Procedures for end-of-work-day security checks
e. The following industrial security (INFOSEC/PERSEC) areas
will also be reviewed:
(1) Appointment Letters.
(2) Personnel Security Files (Military and Civilian).
(3) Contractor Security Files and all applicable DD
254s.
(4) SAERS/LOIs/LONs.
(5) Civilian Position Designations.
(6) Copies of completed self-inspections.
(7) Courier Card/Letter Program.
(8) Periodic Reinvestigations.
(9) Foreign Nationals Program.
CHAPTER 2
CSI PREPARATION GUIDES
SECTION 4
SYSTEM ADMINISTRATORS GUIDANCE
1. Summary. You are highly encouraged to conduct a self
assessment of your assigned shipboard information systems in
preparation for the scheduled FLTCYBERCOM directed Cyber
Security Inspection (CSI). The completion of a self assessment
utilizing the checklists, tools, and processes referenced in
this document will also meet the requirements for CC/S/A
self-conducted compliance assessments listed in CJCSI 6211.02C and in
the Joint Common IA Assessment Methodology (JCIAAM).
2. CSI Background. A CSI is a methodology that expands upon
the original NIPRNET and SIPRNET Compliance Validations as
mandated in the CJCSI 6211.02C. The CSI program inspects
network security compliance with DoD IA policies and
configuration requirements, the health of the network from a
security viewpoint, and DoD 8570.01-M Information Assurance
Workforce Improvement Program requirements.
3. Requirements. Your self-assessment must be aligned with the
CSI components as listed below, and all results should be loaded
into the DoD Vulnerability Management System (VMS). This effort
will allow you to address significant vulnerabilities prior to
the CSI while creating a one-to-one relationship between the
results of both your assessment and the CSI. The CSI components
are listed below for your reference with URLs to the specific
checklists and tools utilized during the CSI.
(7) Domain Name System (DNS) Operating Systems - Windows
(8) Microsoft Windows STIG.
(9) Microsoft Windows 2003 Checklist.
(10) Microsoft Windows 2000 Checklist.
c. GOLD DISK [DISA]: https://patches.csd.disa.mil/ (CAC
login required).
d. Domain Name System (DNS) Operating Systems - UNIX
(1) UNIX Operating System STIG.
(2) UNIX Operating System Checklist.
(3) SRR Scripts: http://iase.disa.mil/stigs/SRR/unix.html.
e. Internal Vulnerability Scans
(1) DoD Enterprise Secure Configuration Compliance
Validation Initiative (SCCVI) Tool Currently: eEye Retina IAVM
https://powhatan.iiie.disa.mil/tools/sccvi/updates/ (CAC login
required).
(2) Configuration Requirements/Checklist
https://powhatan.iiie.disa.mil/tools/sccvi/documentation/checkli
(5) Motorola Good Mobile MWES Security Checklist.
(6) Apriva Sensa Secure WES Security Checklist.
g. Enclave Review
(1) Enclave STIG.
(2) Enclave Checklist:
https://powhatan.iiie.disa.mil/stigs/enclave-policy/.
h. Host Based Security System (HBSS) Review
(1) DoD IA Enterprise Solutions STIG:
https://powhatan.iiie.disa.mil/stigs/app-sec-guides/.
(2) HBSS Checklist:
https://powhatan.iiie.disa.mil/stigs/app-sec-guides/.
i. Traditional Security
(1) SECNAV M-5510.36 Exhibit 2C, INFOSEC Checklist.
(2) SECNAV M-5510.30 Exhibit 10A, PERSEC Checklist.
j. Cross Domain Solutions
(1) JVAP Admin Checklist.
https://powhatan.iiie.disa.mil/stigs/net-sec-guides/sabi/
l. IAM/Security Officer Review
(1) Latest checklist located at:
http://iase.disa.mil/stigs/checklist/index.html.
(2) Tenant Command MOUs/MOAs
(3) Latest DISA Enhanced Compliance Validation
(ECV)/Command Cyber Readiness Inspection (CCRI) or FLTCYBERCOM
Cyber Security Inspection (CSI) results. IG inspection (IA and
security areas).
(4) Signed designation letters for IA Staff.
(5) Foreign Nationals presence.
m. Firewall and Routers
(1) The latest version of procedures, checklists, STIGS
and scripts may be obtained from http://iase.disa.mil or
https://iase.disa.smil.mil.
(2) If your site has Windows NT servers/workstations,
please provide the POA&M indicating the plan for removal of
these assets from your network.
(3) IA Workforce Checklist: SECNAV M-5239.2, May 2009
Appendix H-IA Workforce Management Review Checklist.
Information Security Checklist
Date:
Yes No
1. Is the Information Assurance Manager (IAM)
appointed in writing? [Command IA Policy] __ __
2. Is the Information Assurance Officer (IAO)
appointed in writing? [Command IA Policy] __ __
3. Do the ship's Secret Material Transfer Agents
follow the procedures from the ship's policy to
transfer classified data to removable media?
[CTO 10-25] __ __
4. Is the ship's list of RMR authorized Secret
Material Transfer Agents (SMTA) up to date?
[CTO 10-25] __ __
5. Is the ship's list of RMR authorized Subject
Matter Experts (SME) up to date?
[Command Security Policy] __ __
6. Do the ship's SMEs and SMTAs follow the
procedures from the ship's policy to
transfer data between networks of different
classification? [CTO 10-25] __ __
7. Does the ship have an Incident Handling Policy
Information Security Checklist cont
Date:
Yes No
11. Has the ship completed an annual security
self inspection and corrected the discrepancies
(if noted) from the previous self inspection?
[SECNAVINST M5510.36 & DoD 5200.1-R] __ __
12. Has the ship completed the annual inventory
of all classified and unclassified ADP equipment?
[Command Security Policy] __ __
13. Does the System Administrator maintain a
record of System Authorization Access Request
(SAAR) forms for the ship's company and
privileged users? [SECNAV INST 5239.14 (Series)] __ __
14. Are backups installed in accordance with
the ship's Backup and Recovery policy?
[COMPOSE Backup and Recovery Instructions] __ __
15. Does the ship maintain a list of approved
removable stowage devices?
[CTO 08-08 and DISA STIG STO-ALL-030] __ __
16. Spot check at least two files on both the
Network Security Checklist
DATE: ___
Yes No
1. Is the ship's IAVM Compliance greater than or
equal to 90%? __ __
2. Does the antivirus signature file age exceed
7 days? __ __
3. Is the antivirus software scheduled to scan
at least weekly? __ __
4. Is the ship in accordance with current INFOCON
requirements? [ALCOM 179-08] __ __
5. Do passwords meet minimum complexity and password
age requirements? [ALCOM 179-08] __ __
6. Are default passwords on all network components
(i.e. servers, switches, workstations) changed
from manufacturer passwords? [DISA STIG NET0240] __ __
7. When logging onto the SIPRNET and NIPRNET does
a DoD login banner appear? [CTO 08-008A] __ __
8. Review the last weekly USB Detect scan log. Are
anomalies investigated promptly and remedied?
Network Security Checklist cont
DATE: ___
Yes No
13. Does the HBSS HIPS User Interface Admin password
meet password complexity requirements?
[DISA STIG H36160] __ __
14. Is the HBSS ePO component in the enforcement
mode? [DISA STIG H35500] __ __
Commanding Officer:
Information Assurance Manager:
DISCREPANCIES MUST BE CORRECTED IMMEDIATELY AND ACTION TAKEN REPORTED
TO THE COMMANDING OFFICER
Certification & Accreditation Checklist
DATE:_______
Yes No
1. Spot check the ship's binder of current
Authority To Operate (ATO) documents. Are there
expired ATOs? __ __
2. Spot check the ship's binder of current
System Security Authorization Agreement (SSAA)
documents. Is the binder up-to-date for removed
systems or newly installed systems? ___ __
3. Is the drawing of the ship's network topology
current? [DISA STIG NET0090] __ __
4. Spot check a ship's workstation for applications
that are not on the current copy of the Baseline
Allowance Control (BAC). Are there applications
present not on the approved BAC? __ __
5. Review the last annual Information System Self
Inspection. Are any of the discrepancies still
outstanding? __ __
Commanding Officer:
Information Assurance Workforce Checklist
DATE: __
Yes No
1. Do the IAO, LAN Administrator and other
members of LAN Division have an Online Compliance
Reporting System account? __ __
2. Do the IAO, LAN Administrator and other
members of LAN Division have a VRAM account? __ __
3. Do the IAO and LAN Administrator have a TWMS
account? [NTD 02-09] __ __
4. Are the IAWF personnel listed in TWMS?
[NTD 02-09] __ __
5. Do the IAO, LAN Administrator and other members
of LAN Division have a Naval Networks account? __ __
6. Do members of the IAWF have required
certifications? [DoD 8570-01M] __ __
7. Have all members of the command completed
the current Annual Information Assurance
Training in NKO/e-Learning? ___ __
8. Does the ship have a training plan in place for
IAWF personnel? [DoD 8570-01M] __ __
Traditional Security Checklist
DATE: ___
Yes No
1. Does the ship have a command security instruction?
[SECNAV Manual 5510.36] ___ ___
2. Are the Command Security Manager (CSM) and Top Secret
Control Officer (TSCO) appointed in writing by the CO?
[SECNAV M-5510.36] ___ ___
3. In observation of the quarterdeck watch(es) does the
ship verify the credentials of non-ship force personnel at
every request for access, and escort personnel who do not
meet clearance requirements? [SECNAV M-5510.30] ___ ___
4. Has the ship completed an annual security self
inspection and corrected the discrepancies (if noted) from
the previous self inspection? [SECNAV M-5510.36] ___ ___
5. Has the ship completed the annual inventory of all
classified and unclassified ADP equipment? ___ ___
6. Have space certification letters been signed for all
areas where classified information is processed or stored?
[SECNAV-M 5510.36] ___ ___
Commanding Officer:
System Administrator Checklist: Daily
1. Review Audit Logs.
Tasks
Check application log for warning and error messages for service errors, application or database errors and unauthorized application installs.
Check security log for warning and error messages for invalid logons, unauthorized user creating, opening or deleting files.
Check system log for warning and error messages for hardware and network failures.
Check web/database/application logs for warning and error messages.
Check directory services log on domain controllers.
Report suspicious activity to IAO/IAM.
Reference
http://iase.disa.mil - Security Technical Implementation
Guides (STIGs).
Tools Windows Event Viewer.
2. Perform/Verify Daily Incremental Backup.
Tasks
Run and/or verify successful backup of system and data
System Administrator Checklist: Daily cont
3. Track/Monitor System Performance and Activity.
Tasks
Check for memory usage.
Check for system paging.
Check CPU usage.
Reference
www.Microsoft.com - Monitoring Server performance.
Tools Windows
Microsoft Management Console.
Performance Log and Alerts.
Task Manager.
System Monitor.
Microsoft Operations Manager.
4. Check Free Hard Drive Space.
Tasks
Check all drives for adequate free space.
Take appropriate action as specified by site's Standard Operating Procedures.
Reference
System Administrator Checklist: Daily cont
6. Tactical Directives Review.
Tasks
Go to applicable websites to review for new tactical directives:
o CTOs.
o NTDs.
o FAMs.
o FRAGOs.
Report applicable directives to IAM for action.
System Administrator Checklist: Weekly
1. Review ISA Logs.
Tasks
Check ISA/PROXY logs.
Reference
Ship's Network Policy.
2. Review DHCP Logs.
Tasks
Review DHCP logs on each Domain Controller in the C:\winnt\system32\dhcp folder.
Reference
Ship's Network Policy.
3. Archive Audit logs.
Tasks
Archive audit logs to a media device with one year retention.
Reference
System Administrator Checklist: Weekly cont
Tools
Windows Backup Tool.
Veritas Backup Software.
5. Test Backup/Restore Procedures.
Tasks
Restore backup files to a test system to verify procedures and files.
Reference
http://iase.disa.mil - Security Technical Implementation
Guides (STIGs).
Tools
Windows Backup and Recovery Tool.
Veritas Backup Software.
6. Update Anti-Virus Signature File.
Tasks
Download and install current Anti-Virus signature files.
Reference
System Administrator Checklist: Weekly cont
8. Check Sailor 2.1/Navy IASE Websites for Patch Information.
Tasks
Check SPAWAR approved websites to ensure correct version of scanning tools is being used.
Check SPAWAR approved websites for new vulnerability information including patches and hotfixes.
Reference
http://iase.disa.mil - Security Technical Implementation
Guides (STIGs).
https://sailor.nmci.navy.mil/index.cfm.
Downloads
http://iase.disa.mil DoD Patch Repository
www.cert.mil.
9. Compare System Configuration Files Against a Baseline for Changes.
Tasks
Compare system configuration files against the baseline for:
o All Servers.
o Random selection of five workstations/week.
Compare application executables against the baseline.
System Administrator Checklist: Weekly cont
Reference
www.Microsoft.com - Managing Disks and Volumes.
Tools Windows
Disk Defragmenter.
Error-checking tool.
Device Manager.
11. Perform SIPR/NIPR USB Scan.
Tasks
Scan all nodes for evidence of USB device insertion using the
USB Detect Program.
12. Perform Wireless Check.
Tasks
Check system for wireless devices and access.
Reference
http://iase.disa.mil - Security Technical Implementation
Guides (STIGs).
13. Perform Server Clock/Time Synchronization.
System Administrator Checklist: Weekly cont
14. Check for Unnecessary Services.
Tasks
Check system services for any unnecessary services running.
Reference
http://iase.disa.mil - Security Technical Implementation
Guides (STIGs).
System Administrator Checklist: Monthly
1. Perform Self-Assessment Security Review.
Tasks
Review technology checklist for any changes.
Run current security review tool.
Import results into Vulnerability Management System (VMS).
Reference
http://iase.disa.mil - Security Technical Implementation
Guides (STIGs).
https://vms.disa.mil.
Downloads
http://iase.disa.mil DoD IA Enterprise-wide Tools and
Software: Gold Disk (.mil only).
http://iase.disa.mil IA Subject Matter Areas: Security
Technical Implementation Guides STIGS: Security
Readiness Review Evaluation Scripts.
Tools Windows
DISA FSO Gold Disk and Scripts.
eEye Retina Scanner.
Citadel Hercules Remediation Tool.
System Administrator Checklist: Monthly cont
3. Perform Hardware/Software Inventory.
Tasks
Review hardware and compare to inventory list.
Review software and compare to inventory list.
Update VMS, where applicable.
Reference
https://vms.disa.mil.
4. Verify User Account Configuration.
Tasks
Run DumpSec tool to verify user account configuration.
Verify and/or delete dormant accounts with IAO approval.
Provide output to IAO team.
Reference
http://iase.disa.mil - Security Technical Implementation
Guides (STIGs)
Tool available on DISA FSO Gold Disk (Windows).
System Administrator Checklist: Annually
1. Change Service-Account Passwords.
Tasks
Work with appropriate application administrator to ensure
password changes for service accounts such as database
accounts, application accounts and other service accounts
are implemented.
Reference
http://iase.disa.mil - Security Technical Implementation
Guides (STIGs).
2. Review Appropriate Security Technical Implementation Guides
(STIG).
Tasks
Review appropriate STIGs which are updated semi-annually.
Reference
http://iase.disa.mil - Security Technical Implementation
Guides (STIGs).
3. Review Training Requirements.
Tasks
System Administrator Checklist: Initial
1. Subscribe to STIG News.
Reference
http://iase.disa.mil/request-mail.html.
2. Subscribe to JTF-GNO Mailings
Reference
ftp://ftp.cert.mil/pub/misc/subscribe.htm.
3. Establish User Accounts with the following Web-Portals:
o Sailor 2.1 (NIPRNET/SIPRNET).
o VRAM (NIPRNET/SIPRNET).
o OCRS (NIPRNET).
o VMS (NIPRNET).
o IATS (NIPRNET).
System Administrator Checklist
As Required/After Configuration Changes
1. Test Patches and Hotfixes.
2. Install Patches and Hotfixes.
3. Schedule Downtime for Reboots.
4. Apply OS upgrades and service packs.
5. Create/maintain user and group accounts.
6. Set user and group security.
7. Subscribe to STIG News.
After System Configuration Changes:
1. Create Emergency System Recovery Data.
2. Create new system configuration baseline.
3. Document System Configuration Changes.
4. Review and update SSAA.
5. Update VMS for Asset Changes.
6. Update VMS for IAVMs.
Cyber Zone Inspection Items
Date: ________
Yes No
1. Does the space contain classified information
processing systems? ___ ___
2. Does the area meet the requirements for the level of
information being processed?
Controlled Access Area (CAA) ___ ___
Restricted Access Area (RAA) ___ ___
Open Secret Storage Area (OSS) ___ ___
3. Are screens for classified systems able to be viewed
from outside the space? ___ ___
4. If the space is a RAA, is an access control list
posted? ___ ___
5. If the space is a CAA, RAA or OSS, is it protected
with a GSA-approved lock? ___ ___
6. Are information processing systems clearly labeled
with their classifications? ___ ___
7. Is there a minimum of one meter separation between
classified and unclassified information processing
systems? ___ ___
Commanding Officer:
CO's Information Assurance Quick Look
The following ten questions will provide a basis for discussing the
various aspects of cyber readiness within the command. Command
leadership should address these questions and discuss the answers with
the Command IAM, CSM, IAOs and SAs.
Ten questions to better IA awareness:
1. Have you designated your Command Security Manager (CSM) and
Information Assurance Manager (IAM) in writing, and do they have the
required training for their positions?
2. Do your command security procedures provide positive access
control for all spaces where classified information is stored or
processed?
3. Do all of your personnel in positions of trust (IAM, Network
Administrators, etc.) have the required training and certifications
according to the Information Assurance Workforce (IAWF) requirements?
4. Can your IAM tell you how many computers and other IT resources
are on your ship?
5. Does your IAM maintain configuration drawings of your shipboard
networks?
6. Is your IAM presenting you the results of the required network
scans for unauthorized USB device usage for your review?
7. Does your IAM direct monthly network scans for compliance with the
Information Assurance Vulnerability Management (IAVM) program?
Minimum Set of Periodic Reports
The following list of reports represents the minimum set of reports
that all commands will generate on a periodic basis. The reports
listed in this enclosure do not replace any reports that are required
by other official instructions or directives. All periodic and
irregular reports are to be retained on board by the IAM/IAO, with
copies forwarded as required.
1. Irregular Reports
a. System Operation and Verification Testing (SOVT). Any time a
cyber system is installed, the final installation step is the
completion of the SOVT. Ship's force personnel must sign the SOVT
verifying that the system operates as designed and accepting
responsibility. An important item of note is that system
discrepancies can be noted as exceptions when the SOVT is completed.
This is important, since systems are often installed with known
vulnerabilities. Documenting all vulnerabilities and deviation from
IAVA and STIG requirements as SOVT exceptions ensures the program
office does not lose track of actions required to make shipboard cyber
systems compliant with IA regulations.
b. Cyber Incident Reports. In the event that a cyber incident
occurs on the ship, IA personnel shall provide regular reports to the
command team on actions taken and how the incident affects the ship's
IA posture and overall mission readiness.
2. Semi-annual Reports
a. Certification and Accreditation. At least twice a year,
review the status of all command Authorities to Operate (ATOs). For
Minimum Set of Periodic Reports cont
b. Privileged User Training. Monthly review the list of
personnel who have been granted system administrator rights on the
network. These personnel shall have a valid need for this access,
will be designated in writing, and shall have the appropriate level of
training and qualification in accordance with IAWF guidance.
4. Bi-weekly Reports
a. IAVM Reports. Every 2 weeks review the status of the ship's
compliance with all identified IA vulnerabilities. This report will
include results of periodic SCCVI network scans and show the
percentage of ship's computers that have been updated with all
available patches. In reviewing the IAVM report, special attention
shall be taken to ensure that all computers on the network are being
scanned, and that missing patches are being tracked and individual
computers are being updated as necessary.
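The reconciliation this review calls for (every computer on the network scanned, missing patches tracked per computer), as an added example that is not part of the handbook. It assumes the inventory and the scan export are available as simple records; the host names, the IAVA-EXAMPLE identifiers and the rule that an unscanned host counts as non-compliant are assumptions, and the 90% figure is the threshold from the handbook's Network Security Checklist.

```python
from dataclasses import dataclass

# Threshold from the handbook's Network Security Checklist
# ("IAVM Compliance greater than or equal to 90%").
COMPLIANCE_THRESHOLD = 90.0

# Constructed sample data (not from the handbook): 20 inventoried hosts.
INVENTORY = [f"WKSTN-{n:02d}" for n in range(1, 19)] + ["SRV-01", "SRV-02"]

# Constructed scan export: host -> missing patch identifiers (placeholders).
SCAN_RESULTS = {f"WKSTN-{n:02d}": [] for n in range(1, 15)}
SCAN_RESULTS.update({
    "srv-01.ship.example": [],                         # reported as an FQDN
    "SRV-02": ["IAVA-EXAMPLE-02", "IAVA-EXAMPLE-01"],
    "LAPTOP-X": ["IAVA-EXAMPLE-01"],                   # not in the inventory
})


def normalize(host):
    """Reduce a reported name to an upper-case short name so that the
    inventory and the scanner agree. Assumes hosts are reported by name,
    not by IP address."""
    return host.strip().split(".")[0].upper()


@dataclass
class IavmReport:
    unscanned: list            # inventoried hosts with no scan result
    not_in_inventory: list     # scanned hosts the inventory does not list
    missing_by_host: dict      # host -> sorted missing patch identifiers
    coverage_pct: float        # inventoried hosts that were scanned
    compliance_of_scanned_pct: float    # the figure a scanner reports
    compliance_of_inventory_pct: float  # unscanned hosts count as failures

    @property
    def meets_threshold(self):
        return self.compliance_of_inventory_pct >= COMPLIANCE_THRESHOLD


def build_iavm_report(inventory, scan_results):
    inv = {normalize(h) for h in inventory}
    if not inv:
        raise ValueError("inventory is empty; nothing to reconcile against")

    # Merge duplicate entries for one host (short name and FQDN, say).
    results = {}
    for host, missing in scan_results.items():
        results.setdefault(normalize(host), set()).update(missing)

    scanned = inv & set(results)
    compliant = sum(1 for h in scanned if not results[h])
    return IavmReport(
        unscanned=sorted(inv - scanned),
        not_in_inventory=sorted(set(results) - inv),
        missing_by_host={h: sorted(results[h])
                         for h in sorted(results) if results[h]},
        coverage_pct=100.0 * len(scanned) / len(inv),
        compliance_of_scanned_pct=(100.0 * compliant / len(scanned)
                                   if scanned else 0.0),
        compliance_of_inventory_pct=100.0 * compliant / len(inv),
    )


def format_report(report):
    lines = [
        f"Scan coverage of inventory: {report.coverage_pct:.1f}%",
        f"Compliance (scanned hosts only): "
        f"{report.compliance_of_scanned_pct:.1f}%",
        f"Compliance (whole inventory): "
        f"{report.compliance_of_inventory_pct:.1f}%",
        f"Meets {COMPLIANCE_THRESHOLD:.0f}% threshold: "
        f"{'yes' if report.meets_threshold else 'no'}",
        "Not scanned: " + (", ".join(report.unscanned) or "none"),
        "Scanned but not in inventory: "
        + (", ".join(report.not_in_inventory) or "none"),
    ]
    for host, missing in report.missing_by_host.items():
        lines.append(f"{host} missing: {', '.join(missing)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(build_iavm_report(INVENTORY, SCAN_RESULTS)))
```

With the constructed data, the scanner's own figure passes the threshold while the figure measured against the full inventory does not, which is the gap the review of scan coverage is meant to catch.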
5. Weekly Reports
a. Weekly IA Status Report. Weekly, the IAM shall provide a
report that gives an overview of the ship's IA posture. Although less
detailed than the other individual reports in this section, the IA
status report provides leadership with all the data required to ensure
that the ship is maintaining a proper level of cyber readiness.
b. Antivirus Signatures. New antivirus signatures are typically
released weekly. Every 2 weeks, network records shall be reviewed to
ensure that the signature updates have been applied to all computers.
As with IAVM reports, attention shall be given to the number of
computers reported as compared to the number actually on the network,
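Added example (not part of the handbook): one way to automate the coverage check that the IAVM and antivirus paragraphs above call for, comparing the computers actually on the network with the computers that appear in scan results. The HostScan record, the host names and all numbers are constructed for illustration and do not reflect any scanner's export format.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HostScan:  # hypothetical record: one host's row from a scan export
    host: str
    patches_available: int
    patches_applied: int

    @property
    def compliance(self) -> float:
        if self.patches_available == 0:  # nothing outstanding: fully compliant
            return 100.0
        return 100.0 * self.patches_applied / self.patches_available


def iavm_summary(inventory, scans, threshold=90.0):
    """Reconcile the authoritative host inventory against scan results."""
    inv = {h.strip().lower() for h in inventory}
    by_host = {s.host.strip().lower(): s for s in scans}  # last row per host wins
    covered = inv & set(by_host)
    scores = {h: by_host[h].compliance for h in covered}
    total = sum(scores.values())
    return {
        "on_system": len(inv),
        "scanned": len(covered),
        "coverage_pct": round(100.0 * len(covered) / len(inv), 1) if inv else 0.0,
        # On the network but absent from the scan: posture unknown.
        "unscanned": sorted(inv - covered),
        # Scanned but not inventoried: stale inventory or an unaccounted-for host.
        "not_in_inventory": sorted(set(by_host) - inv),
        "below_threshold": sorted(h for h, c in scores.items() if c < threshold),
        "avg_scanned": round(total / len(covered), 1) if covered else 0.0,
        # Same total spread over every inventoried host (unscanned counted as 0%).
        "avg_all": round(total / len(inv), 1) if inv else 0.0,
    }


INVENTORY = ["WS01", "WS02", "WS03", "WS04", "SRV01", "SRV02"]  # constructed
SCANS = [  # constructed sample scan rows
    HostScan("ws01", 40, 40),
    HostScan("WS02", 40, 38),
    HostScan("WS03", 40, 30),
    HostScan("SRV01", 50, 50),
    HostScan("LAPTOP9", 40, 10),  # answers the scan but is not in the inventory
]

if __name__ == "__main__":
    for key, value in iavm_summary(INVENTORY, SCANS).items():
        print(f"{key:17} {value}")
```

On the sample data the average over scanned hosts is 92.5% while the figure over all inventoried hosts is 61.7%, which is why a compliance percentage has to be read next to the scanned-versus-on-system counts.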
Enclosure (15)
Sample Report - Certification & Accreditation
USS [Ship name] Certification and Accreditation Report
(Semiannual)
Date:_______________
| System Name | Last ATO Date | ATO Exp Date | Next Action | Due Date | Action Status |
|---|---|---|---|---|---|
| ISNS Compose 3.0.0.0 (NIPRNET) | May 2009 | May 2012 | Submit C&A Package to ODAA | Dec 2011 | Assembling package |
| ISNS Compose 3.0.0.0 (SIPRNET) | Jun 2009 | Jun 2012 | Schedule vulnerability assessment | Nov 2011 | Contacting NIOC Blue Team to schedule |
| Other systems here |  |  |  |  |  |
IAM: _____________________ Date: ______
CSO: _____________________ Date: ______
DDAA: ____________________ Date: ______
Enclosure (16)
Sample Report - IAWF Training
USS [Ship name] IAWF Training Report
(Monthly)
Date:_______________
IA Qualification
| Name | Position | Rqd IA Lvl | Qual Status | Due Date | Waiver Req Status |
|---|---|---|---|---|---|
| ITCS Jones | IAM | IAM | 90% compl | Dec 2011 | N/A |
| IT2 Kelly | Sys Admin | IAT Level II | 50% compl | Mar 2012 | 6-mo extension approved from Sep 2011 |
IAM: _____________________ Date: ______
CSO: _____________________ Date: ______
DDAA: _______________________ Date: ___________
2 Enclosure (16)
Sample Report - IAWF Training
USS [Ship name] IAWF Training Report
(Monthly)
Date:_______________
2735-2791 Conversion
| Name | ADNS CBT | ISNS CBT | Security+ | MS 290 | MS 291 | Due Date | Pkg Submitted |
|---|---|---|---|---|---|---|---|
| IT2 Kelly | 20Jul11 | 24Jul11 | 12May11 | 13Aug11 | 3Sep11 | 30Sep12 | 10Sep11 |
| IT3 George | 15Sep11 | 25Sep11 | 2Oct11 | 15Oct11 | Tst 2Nov11 | 30Sep12 | -- |
IAM: _____________________ Date: ______
CSO: _____________________ Date: ______
DDAA: ____________________ Date: ______
Enclosure (17)
Sample Report - IAVM
USS [Ship name] IAVM Report
(Monthly)
Date:_______________
| System | No. of Computers on System | No. of Computers Scanned | Total Available Patches | No. of Patches Applied | No. of Computers Below 90% | Average Compliance % |
|---|---|---|---|---|---|---|
| NIPR Compose | 55 | 50 | 354 | 350 | 4 | 95% |
IAM: _____________________ Date: ______
CSO: _____________________ Date: ______
DDAA: ____________________ Date: ______
Sample Report - Weekly IA Status
USS [Ship Name] Weekly IA Status Report
Date:_______________
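|  | NIPR | SIPR | CENTRIXS | (Others) |
|---|---|---|---|---|
| # of Servers |  |  |  |  |
| # of Workstations |  |  |  |  |
| Information Assurance Vulnerability Management (IAVM) Scans |  |  |  |  |
| # Scanned |  |  |  |  |
| Last Scan |  |  |  |  |
| % Compliance |  |  |  |  |
| Last VRAM Upload |  |  |  |  |
| Antivirus |  |  |  |  |
| Definition Date |  |  |  |  |
| Last Scan |  |  |  |  |
| # Scanned |  |  |  |  |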
Backups
Completed Date
Tested Date
Information Assurance Work Force (IAWF)
# Required
# Completed
# in Total Workforce Management Services (TWMS) Database
Current
90-Day Projection
120-Day Projection
Authorized
DFS
Scheduled Maint
Privileged Users
Locked Accounts
Enclosure (19)
Sample Report - Antivirus
USS [Ship name] Antivirus Report
(Weekly)
Date:_______________
| System | No. of Computers on System | AV Def Date | Last Scan Date | No. of Computers Scanned | No. of Computers Out of Date | No. of Threats Found |
|---|---|---|---|---|---|---|
| NIPR Compose | 55 | 20Oct11 | 24Oct11 | 52 | 3 | 0 |
IAM: _____________________ Date: ______
CSO: _____________________ Date: ______
DDAA: ____________________ Date: ______
Enclosure (20)
Sample Report - USB Scan
USS [Ship name] USB Scan Report
(Daily)
Date:_______________
USB Detect Version: 3.1
| System | No. of Computers on System | No. of Computers Scanned | Last Scan Date | No. of Instances Found | Action Taken |
|---|---|---|---|---|---|
| NIPR Compose | 55 | 48 | 24Oct11 | 1 | Device identified & confiscated. Individual account locked pending further action. |
IAM: ____________________ Date: _______
CSO: ____________________ Date: _______
DDAA: ___________________ Date: _______
Enclosure (21)
Sample Report - 8 O'Clock Report
USS SHIP COMBAT SYSTEM 8 O'CLOCK REPORTS
CDO/SDO: Date: 11/16/2011 INFOCON 3
Duty IT:
NOTE: Periodicities are per PMS requirements or as stated below. * = Required periodicity
LAN STATUS: PERIODIC CHECKS
| SYSTEM |  | TYPE | VERSION | DATE OF ACTION | HOSTS | RESULTS | # | PERIODICITY |
|---|---|---|---|---|---|---|---|---|
| ISNS-NIPR | Scan - USB | USB Detect | 3.1 | 11/10/2012 | 30/86 | Hosts with unauthorized devices: |  | Weekly |
|  | Scan - Antivirus |  |  |  |  | Hosts containing malware: |  | Weekly |
|  |  |  |  |  |  | Hosts failed to update: |  |  |
|  | Scan - Retina |  |  |  |  | Hosts scanned with admin credentials: |  | Monthly* |
|  | Patch - VRAM |  |  |  |  | Patches found (fixable): |  | Monthly* |
|  |  |  |  |  |  | Patches found (unfixable): |  |  |
|  |  |  |  |  |  | Patches Applied (Pushed): |  |  |
|  |  |  |  |  |  | Patches Applied (Manual): |  |  |
|  |  |  |  |  |  | False Positives Reported w/Trouble-ticket: |  |  |
|  | Log Reviews |  |  |  |  | ISA (Proxy) Log Reviewed: | Y / N | Daily |
|  |  |  |  |  |  | ISA (Proxy) Log Issues: | Y / N |  |
|  |  |  |  |  |  | System Audit (Event) Log Reviewed: | Y / N |  |
|  |  |  |  |  |  | System Audit (Event) Log Issues: | Y / N |  |
|  |  |  |  |  |  | Router (Ports) Log Reviewed: | Y / N |  |
|  |  |  |  |  |  | Router (Ports) Log Issues: | Y / N |  |
|  | Back-Ups |  |  |  |  | Partial or Full Back-Up Required: | P / F | Daily* |
|  |  |  |  |  |  | Back-Up Successful: | Y / N |  |
| SYSTEM |  | TYPE | VERSION | DATE OF ACTION | HOSTS | RESULTS | # | PERIODICITY |
|---|---|---|---|---|---|---|---|---|
| ISNS-SIPR | Scan - USB |  |  |  |  | Hosts with unauth devices: |  | Daily |
|  | Scan - Antivirus |  |  |  |  | Hosts containing malware: |  | Weekly |
|  |  |  |  |  |  | Hosts failed to update: |  |  |
|  | Scan - Retina |  |  |  |  | Hosts scanned with admin credentials: |  | Monthly* |
|  | Patch - VRAM |  |  |  |  | Patches found (fixable): |  | Monthly* |
|  |  |  |  |  |  | Patches found (unfixable): |  |  |
|  |  |  |  |  |  | Patches Applied (Pushed): |  |  |
|  |  |  |  |  |  | Patches Applied (Manual): |  |  |
|  |  |  |  |  |  | False Positives Reported w/Trouble-ticket: |  |  |
|  | Log Reviews |  |  |  |  | ISA (Proxy) Log Reviewed: | Y / N | Daily |
|  |  |  |  |  |  | ISA (Proxy) Log Issues: | Y / N |  |
|  |  |  |  |  |  | System Audit (Event) Log Reviewed: | Y / N |  |
|  |  |  |  |  |  | System Audit (Event) Log Issues: | Y / N |  |
|  |  |  |  |  |  | Router (Ports) Log Reviewed: | Y / N |  |
|  |  |  |  |  |  | Router (Ports) Log Issues: | Y / N |  |
|  | Back-Ups |  |  |  |  | Partial or Full Back-Up Required: | P / F | Daily* |
|  |  |  |  |  |  | Back-Up Successful: | Y / N |  |
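| SYSTEM |  | TYPE | VERSION | DATE OF ACTION | HOSTS | RESULTS | # | PERIODICITY |
|---|---|---|---|---|---|---|---|---|
| NIAPS Server | Scan - USB |  |  |  |  | Hosts with unauthorized devices: |  | Daily |
|  | Scan - Antivirus |  |  |  |  | Malware found: | Y / N | Weekly |
|  |  |  |  |  |  | Host failed to update: | Y / N |  |
|  | Scan - Retina |  |  |  |  | Host scanned with admin credentials: | Y / N | Monthly* |
|  | Patch - VRAM |  |  |  |  | Patches found (fixable): |  | Monthly* |
|  |  |  |  |  |  | Patches found (unfixable): |  |  |
|  |  |  |  |  |  | Patches Applied (Pushed): |  |  |
|  |  |  |  |  |  | Patches Applied (Manual): |  |  |
|  |  |  |  |  |  | False Positives Reported w/Trouble-ticket: |  |  |
|  | Log Reviews |  |  |  |  | System Audit (Event) Log Reviewed: | Y / N | Daily* |
|  |  |  |  |  |  | System Audit (Event) Log Issues: | Y / N |  |
|  | Back-Ups |  |  |  |  | Partial or Full Back-Up Required: | P / F | Daily* |
|  |  |  |  |  |  | Back-Up Successful: | Y / N |  |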
| SYSTEM |  | TYPE | VERSION | DATE OF ACTION | HOSTS | RESULTS | # | PERIODICITY |
|---|---|---|---|---|---|---|---|---|
| Navy Cash | Scan - USB |  |  |  |  | Hosts with unauthorized devices: |  | Weekly |
|  | Scan - Antivirus |  |  |  |  | Malware found: | Y / N | Weekly |
|  |  |  |  |  |  | Host failed to update: | Y / N |  |
|  | Scan - Retina |  |  |  |  | Host scanned with admin credentials: | Y / N | Monthly* |
|  | Patch - VRAM |  |  |  |  | Patches found (fixable): |  | Monthly* |
|  |  |  |  |  |  | Patches found (unfixable): |  |  |
|  |  |  |  |  |  | Patches Applied (Pushed): |  |  |
|  |  |  |  |  |  | Patches Applied (Manual): |  |  |
|  |  |  |  |  |  | False Positives Reported w/Trouble-ticket: |  |  |
|  | Log Reviews |  |  |  |  | System Audit (Event) Log Reviewed: | Y / N | Daily* |
|  |  |  |  |  |  | System Audit (Event) Log Issues: | Y / N |  |
|  | Back-Ups |  |  |  |  | Partial or Full Back-Up Required: | P / F | Daily* |
|  |  |  |  |  |  | Back-Up Successful: | Y / N |  |
LAN STATUS: TACTICAL DIRECTIVES
| TACTICAL DIRECTIVE | DESCRIPTION | Fully Compliant |
|---|---|---|
| Computer Tasking Orders |  |  |
| CTO | COMPLIANT CTOs: | Y / N |
|  | DELINQUENT CTOs: | Y / N |
|  | Comments: |  |
| Fragmented Orders to USCYBERCOM WARNORD (https://www.cybercom.mil; https://www.cybercom.smil.mil) |  |  |
| FRAGO | COMPLIANT FRAGOs: | Y / N |
|  | DELINQUENT FRAGOs: | Y / N |
|  | Comments: |  |
| Fleet Advisory Messages |  |  |
| FAM | COMPLIANT FAMs: | Y / N |
|  | DELINQUENT FAMs: | Y / N |
|  | Comments: |  |
| Naval Telecommunication Directives |  |  |
| NTD | COMPLIANT NTDs: | Y / N |
|  | DELINQUENT NTDs: | Y / N |
|  | Comments: |  |
| Security Technical Implementation Guidelines (STIG) |  |  |
| Network Policy | COMPLIANT STIGs: | Y / N |
|  | DELINQUENT STIGs: | Y / N |
|  | Comments: |  |
i.CHOP:
IAO IAM COMMO CSO DDAA