NetOps Checklist
 

DISA NetOps Readiness Review Process
And
DISA NetOps Program/System/Application/Service Readiness Checklist

Version 2.1
31 Aug 2007

Unclassified UNTIL FILLED IN
Circle one of the following:
FOR OFFICIAL USE ONLY (mark each page)
CONFIDENTIAL (mark each page and each finding)
SECRET (mark each page and each finding)

UNCLASSIFIED
NetOps Readiness Review Process and P/S/A/S Readiness Checklist, V2.1, 31 Aug 2007, Defense Information Systems Agency

Document Change Record

Version ID | Date | Description
Version 1 | 31 May 2006 | Initial Release
Version 2 | 04 Apr 2007 | Updated NRRB Process, updated Recommended P/S/A/S Documentation, updated Requirements and Question Formatting. Updated CFE reviews (Fig 4), CP-SIB and SEPA information. Merge of Process and Checklist documents into one.
Version 2.1 | 31 August 2007 | Updated with administrative comments received as feedback from formal staffing of Version 2 to DISA Directorates. Substantive comments will be addressed in the next major release.
Table of Contents

1 Introduction ... 1
  1.1 Background ... 1
  1.2 Purpose of the NetOps Readiness Review Process ... 1
  1.3 Scope of the Document ... 3
2 Definition of NetOps ... 4
  2.1 NetOps Essential Tasks and Desired Effects ... 4
  2.2 NetOps in the DISA Framework ... 5
3 DISA’s Role in NetOps ... 6
  3.1 DISA’s NetOps Vision ... 6
  3.2 DISA’s Implementation of the GIG NetOps Vision ... 6
4 Management for NetOps ... 8
  4.1 DISA NetOps Goals ... 8
  4.2 Best Practices to Ensure NetOps ... 8
5 NetOps Readiness Reviews ... 10
  5.1 NetOps Readiness Review Process ... 10
    5.1.1 NetOps P/S/A/S Readiness Checklist ... 11
    5.1.2 CONOPS Template ... 13
  5.2 DISA Roles in Achieving NetOps Readiness ... 14
    5.2.1 The Chief Financial Executive Role ... 16
    5.2.2 The Component Acquisition Executive Role ... 16
    5.2.3 The Corporate Board Role ... 18
    5.2.4 The GIG Engineering and the Program Executive Offices Role ... 18
    5.2.5 The GIG Combat Support Directorate Role ... 19
    5.2.6 The GIG Operations Directorate Role ... 20
    5.2.7 Configuration Management Control Process ... 20
    5.2.8 Supporting the GIG IA Portfolio (GIAP) ... 21
6 Appendix A. NetOps Program/System/Application/Service Readiness Checklist ... 24
7 GIG ENTERPRISE MANAGEMENT (GEM) ... 28
  7.1 Assignment of Project Officer ... 28
  7.2 CONOPS with NetOps Section ... 28
  7.3 Designation of DNC for Management and Control ... 29
  7.4 System Status Reporting Requirements and Procedures ... 29
  7.5 Situational Awareness (SA)/Critical System Status Reporting ... 30
  7.6 DISA NetOps Center (DNC) Specific Requirements ... 30
  7.7 Compliance with DISA OSS ... 31
  7.8 Filtering of Status Data ... 31
  7.9 Alternate DNC if the Internal Management System is Not Redundant ... 32
  7.10 Automated Drill Down and Query Capability ... 32
  7.11 Integration to DISA Help Desk Center ... 33
  7.12 Trouble Management System (TMS) ... 34
  7.13 Configuration Management Tracking ... 34
  7.14 Proposed Maintenance Schedule for System Devices/Components ... 35
  7.15 Specialized Training Requirements ... 35
  7.16 Formal Agreements with Outside (Non-DISA) Organizations ... 36
  7.17 Maintenance of System Diagrams ... 37
  7.18 Approval Process for Changes to the System Architecture ... 38
  7.19 Identification and Registration of System Interfaces ... 39
  7.20 Key Performance Metrics and Objectives for Service Level Agreement (SLA) Monitoring ... 39
  7.21 System Performance Capability ... 40
  7.22 Product Support Plan (PSP) ... 42
  7.23 Employment and Integration of Core Enterprise Services ... 42
  7.24 Does the System Support IPv6 ... 43
8 GIG NETWORK DEFENSE (GND) ... 44
  8.1 DoD Net-Centric IA Strategy ... 44
  8.3 IA Design Tenets ... 45
  8.4 Assignment of Mission Assurance Category (MAC)/Sensitivity Levels ... 46
  8.5 Integrity and Availability Controls Required for the Assigned MAC Level ... 46
  8.6 Confidentiality Controls Required for the Assigned Sensitivity Level ... 46
  8.7 Identification of P/S/A/S Need-to-Know Requirements and Access Control Procedures ... 47
  8.9 Capture and UDOP Display of Security Events ... 48
  8.10 Automated Capability for Detecting and Reporting P/S/A/S Security Events and Anomalous Behavior ... 48
  8.11 IAVM Methodology ... 49
10 GIG CONTENT MANAGEMENT (GCM) ... 50
  10.1 Metadata ... 50
  10.2 Federated Search Aggregators ... 51
  10.3 Service Discovery Registry ... 52
  10.4 Roles-Based Access ... 53
  10.5 Smart Push/Pull of Data ... 54
  10.6 Publication Mechanism for Smart Push/Pull of Data ... 55
  10.7 Caching, Content Management, or Other “Smart” Delivery Mechanisms ... 56
  10.8 Receipt and Delivery Notifications ... 57
  10.9 Definition of User Population/COI ... 57
  10.10 Contingency Operations ... 58
  10.11 Monitoring and Analysis ... 59
11 APPENDIX B. ACRONYMS ... 61
12 APPENDIX C. REFERENCES ... 64
13 APPENDIX D. DEFINITIONS ... 68
1 Introduction

This document contains:

1. Definition of NetOps as referenced from the Version 3 Joint Concept of Operations (CONOPS) for Global Information Grid NetOps (04 Aug 2006)
2. DISA’s role in NetOps as seen by the participating directorates
3. DISA management and guidance for NetOps on new acquisition and existing programs regarding NetOps policy and requirements
4. DISA NetOps Readiness Review Process overview for assessing NetOps capabilities in DISA-managed Information Systems
5. An overview of the documents used to assess NetOps readiness
6. DISA NetOps Program/System/Application/Service Readiness Checklist

1.1 Background

The Commander, USSTRATCOM (CDRUSSTRATCOM) and the Assistant Secretary of Defense for Networks and Information Integration, ASD(NII), have directed a common NetOps framework and process for execution by DoD elements. DISA supports USSTRATCOM and the Joint Task Force – Global Network Operations (JTF-GNO) vision to lead an adaptive force that assures the availability, delivery, and protection of the Global Information Grid (GIG). The NetOps tasks, effects, and organizational relationships described herein formulate a foundation for the operational future of the GIG, but these will not happen automatically, nor will they occur without significant effort from the entire NetOps community of interest (COI). The NetOps COI is defined as the GIG providers, operators, defenders, and subscribers who possess a fundamental understanding of their responsibilities, and act instinctively to ensure DoD’s intelligence, business, and warfighting domains are a success. This vision requires cooperation, innovation, and execution from all mission partners and everyone who touches the GIG.

1.2 Purpose of the NetOps Readiness Review Process

This NetOps Readiness Review Process document is intended to advance NetOps thinking within DISA and to accomplish the following objectives:

1. Define DISA’s requirements for NetOps that comply with USSTRATCOM NetOps requirements
2. Identify how DISA is supporting NetOps requirements and capabilities for DISA’s Information Systems and operations

DISA’s role in achieving NetOps addresses two aspects of DISA’s products and services:

1. The development of new, transformational capabilities
2. The evolution of existing capabilities that are in sustainment

This document shows how DISA’s NetOps Readiness Review Process fits in the broader context of DISA’s related processes and strategies, e.g., the DISA Net-Centric Review Process & Strategy. This document also shows how DISA will use it to guide Agency technical decisions on direction of critical Programs/Systems/Applications/Services (P/S/A/S) that support the enterprise, to include applicable Pilots and Projects, and existing legacy systems’ development, fielding, and ongoing maintenance, through a NetOps Readiness Review Process. An electronic copy of this document is available online at the Systems Engineering Dashboard (https://dashboard.ncr.disa.mil/) under the Policy and Guidance section. This review process monitors program directions (or each program’s direction) toward NetOps readiness and potential cross-program disconnects that may affect successful movement toward NetOps. The following figure depicts where NetOps requirements are incorporated into all phases of the Defense Acquisition Management Framework and DISA’s Acquisition Lifecycle.

Figure 1: Integrating NetOps into DISA’s Acquisition Lifecycle

The application of the NetOps Readiness Review Process for the acquisition of managed services, e.g. Net-Centric Enterprise Services (NCES), requires a modified approach from that depicted in Figure 1. DISA follows the precepts of adopt before buy and buy before create. Managed services adopted from the private sector may not necessarily follow the traditional milestone layout and will still be required to ensure an acceptable level of NetOps. The Agency will decide the level of acceptable risk for managed services that perform below DoD NetOps standards. As capability requirements are presented to industry in a Statement of Objectives (SOO), the NetOps requirements must also be included. A risk analysis will be conducted to determine if NetOps can be achieved. The managed service provider (MSP), Program Management Office (PMO), and government acquisition team will work together to establish a Service Level Agreement (SLA) that clearly articulates the interfacing and compliance of key NetOps requirements. Industry’s approach may be different from DoD’s NetOps approach; however, both should have the same objectives to assure the availability, delivery, and protection of the GIG.

The MSP is encouraged to cite Best Business Practices in response to the SOO to demonstrate how the NetOps requirements are satisfied. The government acquisition team will evaluate the responses and eliminate those that do not adequately satisfy functionality, cost, schedule, and NetOps requirements. A site review is conducted on each remaining potential best value solution. During the site review the MSP must demonstrate the viability of the solution on three levels. Each level is given added weight to the NetOps certification recommendation developed at the conclusion of the site review. First, the MSP must articulate how they deliver the capabilities proposed in response to the SOO. Second, the MSP must present documentation on how those capabilities are delivered. Third, the MSP must demonstrate how the capabilities are delivered. Those areas that do not initially meet NetOps compliance will need a Plan of Action and Milestones (POA&M) with a mitigating strategy to come into compliance and to reduce risks. The government acquisition team will adjudicate the MSP proposal and present the associated risks for Agency acceptance or rejection. This approach should not delay the quick deployment associated with network-based services or applications delivered, hosted, and managed between PMO and service providers. As a minimum, any managed service operating across the GIG must be in accordance with the NetOps concept, be properly managed, provide adequate defensive mechanisms, and, if appropriate, stage content information to the warfighter and DoD customers. The NetOps Readiness Review Process constitutes a validation of proposed NetOps capabilities and affords the flexibility necessary to ensure essential NetOps information is synchronized to key acquisition decisions.

1.3 Scope of the Document

This document’s primary function is to aid DISA technical personnel in helping the Agency deliver NetOps compliant products and services to its community of users. This document is also intended for DISA’s Senior Program Directors, Program Managers, their Chief Engineers, the Cross Program – Synchronization and Integration Board (CP-SIB), and the GIG Operations Directorate (GO). The document can serve as a guide to help these leaders achieve NetOps requirements and capabilities for DISA. The document may also serve to inform people outside DISA, such as OSD, the Military Services, the Combatant Commands, and other Defense Agencies, on how DISA is implementing its technical approach to achieve NetOps in its products and services.
2 Definition of NetOps

2.1 NetOps Essential Tasks and Desired Effects

NetOps is defined as the operational framework consisting of:

• three essential tasks (GIG Enterprise Management (GEM), GIG Network Defense (GND), and GIG Content Management (GCM))
• situational awareness
• C2 that the CDRUSSTRATCOM employs to operate and defend the GIG.

These tasks produce the desired effects of NetOps, which are: Assured System and Network Availability, Assured Information Protection, and Assured Information Delivery. NetOps relies on the application and integration of information technology and standard processes that provide traditional systems and network management (Fault, Configuration, Accounting, Performance, Security (FCAPS)); information and infrastructure protection; and the ability to maneuver information across GIG terrestrial, space, airborne and wireless environments.

Figure 2, titled NetOps Essential Tasks and Effects, was developed to establish a common understanding of the technical composition that must be considered to provide and sustain the effects of NetOps.

Figure 2: NetOps Essential Tasks and Effects
2.2 NetOps in the DISA Framework

NetOps is the operational construct that the CDRUSSTRATCOM will use to operate and defend the GIG. The goal of NetOps is to provide assured and timely Net-centric services across strategic, operational and tactical boundaries in support of the Department of Defense (DoD) full spectrum of warfighting, intelligence and business missions.

An enabling capability of NetOps is achieving shared situational awareness (SA) of GIG system, network and information availability. The primary purpose is to enhance knowledge of the GIG to improve the quality and timeliness of collaborative decision-making regarding the employment, protection and defense of the GIG. To be useful, much of this GIG SA must be available and shared in near real-time by the relevant decision-makers. DISA is to comply with USSTRATCOM and the JTF-GNO in their vision to lead an adaptive force that assures the availability, delivery, and protection of the GIG.
3 DISA’s Role in NetOps

3.1 DISA’s NetOps Vision

DISA has a long history in the area of NetOps resulting from its four decades of exercising operational direction and management control of the Defense Information System Network and its predecessor, the Defense Communications System. Drawing upon this experience, the Secretary of Defense and the CDRUSSTRATCOM are looking to DISA to provide the operational elements with the capabilities necessary to execute NetOps for the GIG. Key attributes of the NetOps operational elements include:

• An operational hierarchy and horizontal information sharing
• Global arbitration of NetOps priorities/requirements
• Global situational awareness
• Centralized management (monitoring and control) of DISA GIG resources

By providing these capabilities, DISA supports the GIG NetOps vision.

3.2 DISA’s Implementation of the GIG NetOps Vision

To succeed in achieving its vision, DISA will implement and assess NetOps requirements using the process and tools as described in this document. Centralized management of NetOps will be conducted via the DISA NetOps Centers (DNC). The DNC are comprised of the Global NetOps Support Center (GNSC), Theater NetOps Centers (TNCs), GIG Infrastructure Services Management Center (GISMC), and Systems Management Center (SMC). Additional directives on the decision of which center each DISA P/S/A/S is to be managed from are currently in conception and will be referenced in future versions of this document.

• The Global NetOps Support Center (GNSC) provides the day-to-day technical operation, control and management of the portions of the GIG that support Global Operations but are not assigned to a COCOM (global backbone portions of the GIG). The GNSC conducts GIG backbone NetOps along with other services as support as referenced in the Joint CONOPS for GIG NetOps.

• Each Theater NetOps Center (TNC) is responsible for the effective operation and defense of the GIG within the theater and for providing onsite, theater support for NetOps as referenced in the Joint CONOPS for GIG NetOps.

• The GIG Infrastructure Services Management Center (GISMC) is the primary DOD enterprise level applications services NetOps center that supports the GNSC and TNCs with applications layer network and systems management, visibility, monitoring, analysis, planning, and control. The center optimizes the integrated NetOps of the existing and emerging applications networks and services as referenced in the Joint CONOPS for GIG NetOps.

• The Systems Management Center (SMC) creates points of convergence for problem resolution and forms a gateway to aid in facilitating customer support requirements for accessing and using the IT products and services provided by the Computing Services Directorate (CSD). The SMC provides operational management oversight, support, and problem resolution for production environments. The SMC is realigned into primary areas reporting to a single Director or Commander as described in the DISA Operations Support Team (OST) CONOPS.
4 Management for NetOps

This section describes how DISA is working to achieve NetOps readiness in its key programs. Additional directives on management models are in conception, and will be referenced in future versions of this document. Further financial, programmatic, and technical management activities are discussed in Section 5, NetOps Readiness Reviews.

4.1 DISA NetOps Goals

The NetOps Readiness Review Process has the following strategic goals, each with important second-tier objectives:

• Enable effective and efficient GIG NetOps.
  − Identify and reduce technical obstacles to NetOps implementation.
  − Accommodate DoD and industry changes that will affect NetOps, including net-centric behavior of the GIG, IP Convergence, and IPv6.
• Foster development and adoption of a joint NetOps architecture that addresses deployed and sustainment forces. This must support GIG SA, C2, and all three NetOps essential tasks: GIG Enterprise Management (GEM), GIG Network Defense (GND), and GIG Content Management (GCM).
  − Enable integration of GIG SA, C2, GEM, GND, and GCM data and analysis to exchange data and conclusions where appropriate.

DISA’s NetOps goals are to support the long-haul part of the end-to-end network, including enterprise services and tactical situational awareness, while individual Services and Agencies help provide this capability in the tactical and specialized domains. The overall goal is to assure effective NetOps across data, voice, and video, including applications, services, computing and transport layers, by helping to implement the DISA CONOPS template in conformance with the other appropriate NetOps P/S/A/S Readiness Checklist requirements. To assist in reaching these goals, the DISA Field Security Operations (FSO) will be responsible for development of NetOps Training for the DISA workforce.

4.2 Best Practices to Ensure NetOps

There are some best practices that can be found in the systems engineering and integration literature and in experience gained in government and industry to ensure NetOps. Some DISA programs cannot adopt portions of this guidance due to policy and regulations that direct other standards. Thus cost, schedule, and technical risks can be introduced through adherence to policy guidance and regulations. Other documentation, such as a POA&M, may be requested when existing policy and regulation precludes such adherence.

NetOps guidance includes:

• Cooperation, innovation, and execution from all mission partners and everyone who touches the GIG (refer to the GIG IA Portfolio (GIAP))
• Adopt currently available resources before building new capabilities, and refrain from creating new programs until exhausting the preceding approaches
• Assure timely and secure Net-Centric capabilities across strategic, operational, and tactical boundaries in support of DoD’s full spectrum of warfighting, intelligence, and business missions
• Document operational purpose of the proposed Program/System/Application/Service (P/S/A/S) to include items such as background and objectives, policies and constraints, roles and responsibilities, support environment/lifecycle management in the form of a Concept of Operations (CONOPS)
UNCLASSIFIED
NetOps Readiness Review Process and P/S/A/S Readiness Checklist, V2.1, 31 Aug 2007, Defense Information Systems Agency

5 NetOps Readiness Reviews

5.1 NetOps Readiness Review Process

All DISA Programs/Systems/Applications/Services (P/S/A/S) are subject to NetOps Readiness Reviews. To ensure that Agency P/S/A/S are managed and protected as they evolve over their lifecycle, DISA Field Security Operations (FSO) marries the NetOps vision with its well-established security certification and accreditation process during the NetOps Readiness Review. NetOps Readiness Reviews are conducted as part of ongoing DISA Component Acquisition Executive (CAE) program reviews to assure that sound acquisition, engineering, and financial practices are being used and that products and services are being developed in accordance with DoD guidance pursuant to major program milestones. The NetOps Readiness Review process begins during the pre-system acquisition stage, to ensure that NetOps is incorporated during concept refinement and as the Initial Capabilities Document is developed, and follows the sequence of events identified below:

1. The NetOps Readiness Review Board (NRRB) will meet on a regular basis to determine which DISA P/S/A/S, including applicable Pilots and Projects, are critical technologies that require a NetOps Review. The NRRB is led by GIG Operations (GO) and consists of members from the DISA Field Security Operations Division (FSO), the GO Technical Director's Team (GOTD), the GO Integration Support Branch (GO51), CAE, GS, GE, and SPI-CIO.

2. The NetOps P/S/A/S Readiness Checklist requirements are introduced to the system program manager (PM), or to the proponent of a non-PM managed system (e.g., Transition Manager, Migration Manager), during a pre-coordination meeting with the NRRB.

3. The PM works with Directorate Information Assurance Managers (IAM) and FSO to perform a NetOps self-assessment using the Checklist requirements during the concept refinement stage (pre-Milestone A) of the P/S/A/S's lifecycle. Additional existing documents (e.g., the Capability Description Document that identifies expected P/S/A/S capabilities) are made available to GO staff.

4. FSO acts as the field agent to check the P/S/A/S documents for points of clarification. Information is validated by the FSO team during both the NetOps Assessment and the IA Assessment. The FSO team may conduct informal review meetings with the PMs as needed to ensure all NetOps P/S/A/S Readiness Checklist requirements are met.

5. The PM will provide the completed Checklist, and a plan of action and milestones (POA&M) to address any open findings, to the FSO team.

6. FSO acts as the NetOps certifier and will provide a NetOps recommendation memorandum for the particular P/S/A/S reviewed to the NetOps Readiness Review Board (NRRB) for formal evaluation.

7. The P/S/A/S and NRRB meet to review the data and assess progress toward the final operational capability of the P/S/A/S in terms of NetOps. The NRRB review identifies actions to correct identified NetOps problems and suggests changes in direction. The NRRB will act as the endorser for final NetOps certification.

8. The NetOps required actions are captured, managed, and may be presented to the NetOps Governance and Advisory Board (NGAB) in the event of any critical issues associated with the NetOps certification. The NGAB meets quarterly or on an ad-hoc basis as recommended and is comprised of senior members from CAE, GO, GS, GE and SPI.

9. Information regarding the NetOps Readiness of a P/S/A/S is included with the P/S/A/S's accreditation request package for an Authority to Operate (ATO) to the CIO, who acts as the DISA Designated Accrediting Authority (DAA).

Throughout the P/S/A/S's lifecycle and review processes, CIO and GO will cooperate on the security and NetOps aspects to inform each other of the P/S/A/S's status. Information regarding NetOps Readiness will also be submitted at the next GE Systems Engineering Process Assessment (SEPA) with GO staff support. Further details of the NetOps Readiness Review process are given below in section 5.2.6.

Figure 3: NetOps Readiness Review Process

5.1.1 NetOps P/S/A/S Readiness Checklist

The NetOps Program/System/Application/Service (P/S/A/S) Readiness Checklist may be found in Appendix A of this document. The NetOps P/S/A/S Readiness Checklist is a Global Information Grid Operations (GO) led initiative and was developed to provide the DISA Designated Accrediting Authority (DAA) and Program Managers (PMs) with a mechanism for assessing the NetOps Readiness of critical DISA P/S/A/S and applicable Pilots and Projects prior to their introduction or incorporation into the Global Information Grid (GIG) Architecture.
The NetOps P/S/A/S Readiness Checklist is also designed as a tool to assess existing DISA P/S/A/S. Existing systems' shortcomings that are captured during the review process serve as key factors and considerations in existing-system strategy planning, with the primary focus of attaining an acceptable NetOps Readiness status.

The NetOps P/S/A/S Readiness Checklist will serve as an internal DISA P/S/A/S certification tool. The Checklist is not intended to replace or supersede any similar or pre-existing DoD processes or guidance. Some items contained in the Checklist may overlap those in other established processes. However, the goal of the Checklist is both to validate the completion of other related system processes and to highlight and re-emphasize the most critical considerations for ensuring the NetOps readiness of the system.

An electronic copy of this Checklist is available online at the Systems Engineering Dashboard (https://dashboard.ncr.disa.mil/) under the Policy and Guidance section. The NetOps P/S/A/S Readiness Checklist is kept simple, with the intent that a review can move quickly over items that appear to be compliant. Items that appear to need greater discussion can be probed more deeply to assure review participants that the P/S/A/S being reviewed is on track to address any apparent challenges in achieving NetOps readiness.

FSO will use the NetOps P/S/A/S Readiness Checklist, along with the other required system documentation, as a framework to ensure that no potential security liability exists with the network. FSO will use the Checklist in combination with its normal certification and accreditation activities, with the main focus on the Top DISA P/S/A/S. In addition to conformance to the NetOps P/S/A/S Readiness Checklist attributes, the FSO team may also look at other requirements, as appropriate, as indicators of NetOps behavior.
FSO will provide a NetOps recommendation memorandum based on the results of the NetOps P/S/A/S Readiness Checklist. FSO will also provide Checklist support in maintaining version control with the GO Technical Director's Team (GOTD).

5.1.1.1 Checklist Applicability

The Checklist applies to critical DISA Programs/Systems/Applications/Services (P/S/A/S) that support the enterprise, to include applicable Pilots and Projects, and existing systems. Each newly developed and acquired DISA P/S/A/S, existing P/S/A/S, and all system upgrades/modifications must be assessed to verify/validate its security posture prior to introduction or incorporation into the Global Information Grid (GIG) Architecture. The Checklist may be applied to an existing P/S/A/S regardless of where it lies in the Acquisition Lifecycle.

Not all P/S/A/S will need to address the full checklist. For example, a P/S/A/S that primarily provides information transport will have minimal, if any, net-centricity issues having to do with data, applications, or the services infrastructure. Similarly, a P/S/A/S that supports directory services may have data-, applications- and services-, and information assurance infrastructure-related net-centricity issues but not transport-related issues.

5.1.1.2 Checklist Requirements

The desired objective of a NetOps Readiness assessment of a DISA P/S/A/S is to verify full compliance with all requirements in sections six through nine of this document. Requirement compliance is verified through the review of required system documentation for completeness and accuracy, along with the evaluation of P/S/A/S functionality and interoperability, to include compliance with quality of service (QoS) and security standards specified in the applicable policy and system design requirements. Verification of requirement compliance is guided by responses and results to the indicators included with each requirement, which are compiled from the applicable DoD reference documents listed in Appendix C.

A plan of action and milestones (POA&M) is required for those requirements which cannot be verified as fully compliant with the applicable policy and system design requirements. The POA&M should lead to the efficient and effective compliance of the requirement or ensure the mitigation of requirement non-compliance to an acceptable level of risk.

The evaluation requirements contained in the Checklist are organized to assess system compliance within the three essential tasks defined in the Joint Concept of Operations for Global Information Grid NetOps: GIG Enterprise Management (GEM), GIG Network Defense (GND) and GIG Content Management (GCM). Additionally, the requirements are further delineated based upon where the system is within its acquisition life cycle, whether newly acquired or in the maintenance phase (e.g., existing systems). To ensure that the appropriate life cycle specifics are addressed, the proper milestone associated with each individual requirement is identified. Each requirement shall be checked by the FSO as described below:

Open if the stated requirement is non-compliant and requires mitigation. The appropriate Milestone category shall be "checked" as a justification and a POA&M shall be developed to address the open finding.

Not a Finding if the stated requirement is in compliance and justification is provided.

Not Reviewed if the stated requirement is not reviewed during the current assessment.

Not Applicable if it pertains to a particular life-cycle stage of development that the P/S/A/S has not yet attained, or is otherwise not applicable to the P/S/A/S. The appropriate Milestone category shall be "checked" as a justification for the (N/A) designation.

5.1.1.3 Checklist Structure

The NetOps P/S/A/S Readiness Checklist is organized using the three essential tasks that are described in the US Strategic Command (USSTRATCOM) Joint Concept of Operations for Global Information Grid NetOps. Each Checklist item is assigned to an essential task category based on its relationship to the high-level definitions below:

• Transport: Enterprise Services Management, Systems Management, Network Management, and SATCOM / Electromagnetic Spectrum Management.
• Defense: Availability, Authentication, Confidentiality, Integrity, Non-repudiation, Protection, Monitor, Detection, Analyze, and Response.
• Flow: Awareness, Access, Delivery and Support.

5.1.2 CONOPS Template
The CONOPS offers a place to showcase the NetOps attributes of the program's products or services and how the program plans to provide those NetOps capabilities. Many of the requirements addressed in the NetOps P/S/A/S Readiness Checklist will already be documented in the P/S/A/S's CONOPS. The CONOPS Template is available online from the DISA Systems Engineering Process website in the Toolbox, under "Templates and Forms", located at https://dashboard.ncr.disa.mil/index.php?page=se_temp_form. You can also access the DISA Systems Engineering Homepage by navigating to the DISA Edge portal (CAC required), Functions, Systems Engineering, SE Process (Groupshare). Access to this site may be granted by contacting Edge_Support@disa.mil.

5.2 DISA Roles in Achieving NetOps Readiness

Many organizations in DISA have roles in assuring that DISA P/S/A/S achieve NetOps readiness. NetOps achievement is also measured by DISA in its corporate-level balanced scorecard. This measurement demands a corporate culture change and requires senior management involvement and participation in all phases of execution.

The GIG Operations Directorate (GO) provides guidance and operational requirements that advocate for NetOps technology solutions and enterprise-wide implementation. DISA Field Security Operations (FSO) will be responsible for development of NetOps Training for the DISA workforce. GO also acts as the NetOps compliance evaluator, using tools such as the CONOPS Evaluation Checklist and the NetOps P/S/A/S Readiness Checklist. The Component Acquisition Executive (CAE) conducts acquisition management reviews to assure that DoD and DISA acquisition policy are being followed. The Chief Financial Executive (CFE) is responsible for resourcing NetOps capabilities and conducts financially related reviews to assure that programs conform to financial policy and that any prospective financial problems are addressed. GIG Engineering and the Program Executive Offices (Information Assurance/NetOps (IAN), Defense Enterprise Computing Centers (DECC), Net-Centric Enterprise Services (NCES), Teleport and others that may be created in the future) are responsible for development of new project, program and service capabilities. GE holds engineering reviews to assure that sound systems, communications, and software engineering practices are being applied in the P/S/A/S. The Cross Program – Synchronization and Integration Board (CP-SIB) holds cross-program engineering reviews to assure that all affected programs are addressing program interdependencies.

The DISA Test and Evaluation Directorate (TED) will assess DISA products and services for their conformance to requirements in the context of NetOps readiness. Computing Services (part of GIG Combat Support, or GS) will host DISA's net-centric products and services in ways that assure fast and economical response to users' updates of and access to information anywhere in the world. GS is responsible for the evolution of existing capabilities that are in sustainment and will support new NetOps requirements with consistently high quality of service (QoS) and class of service (CoS). The authority to ratify the NetOps certification of a system is the responsibility of the Principal Director for GIG Operations (GO). The Agency Designated Accrediting Authority (DAA) receives a system NetOps readiness certification recommendation from the NetOps Readiness Review Board (NRRB) and/or the NetOps Governance and Advisory Board (NGAB). The basis of the NetOps Board's certification recommendation is the review of a system accreditation request package that is compiled and submitted by the PM, or by the proponent of a non-PM managed system (e.g., Transition Manager, Migration Manager). The system accreditation request package is comprised of a variety of required system documentation, system assessments and certification assessments, including the NetOps P/S/A/S Readiness Checklist.
5.2.1 The Chief Financial Executive Role

Program Financial Reviews

DISA's Chief Financial Executive (CFE) conducts financially related reviews to assure that programs conform to financial policy, are executing spending plans appropriately and are prepared to address prospective financial problems. CFE holds one Annual Program Plan Review and three subsequent Financial Health Assessments. These reviews are typically held early in a new fiscal year to identify any funding issues that need early attention in a given year. Reviews of particularly complicated programs (e.g., with multiple overlapping blocks or phases) may occur more frequently than for programs with sequential phases or a single sequence of milestones. Figure 4 depicts the nominal CFE schedule for a P/S/A/S.

Figure 4. Nominal Schedule for P/S/A/S Financial Reviews

5.2.2 The Component Acquisition Executive Role

Acquisition Management Reviews

The CAE conducts acquisition management reviews, mainly of programs and major services, to assure that DoD and DISA acquisition policies are being followed. Acquisition Management Reviews are conducted periodically (typically quarterly or semi-annually). More frequent checks are provided at weekly CAE PM meetings. Other acquisition reviews are conducted on programs prior to Overarching Integrated Product Team (OIPT) reviews at OSD and major milestone reviews. Figure 5 depicts the nominal CAE schedule for acquisition management reviews of major programs. Financial, engineering, and net-centricity reviews are conducted in the context of the CAE pre-OSD milestone readiness reviews.

Figure 5. Nominal Annual Schedule of CAE Reviews of Major DISA Programs

The Defense Acquisition Management Framework is depicted in Figure 6 below.

Figure 6. Defense Acquisition Management Framework

5.2.2.1 Milestone A

A Milestone A decision usually comes at the end of Concept Refinement, when the Milestone Decision Authority (MDA) approves the result of the Analysis of Alternatives (AoA) and the Technology Development Strategy (TDS). Milestone A is the beginning of the Technology Development stage. Concept Refinement and Technology Development constitute the "Pre-System Acquisition" phase of the Defense Acquisition System.

5.2.2.2 Milestone B

A Milestone B decision follows the completion of Technology Development and begins the "Systems Acquisition" phase of the Defense Acquisition System. The Systems Acquisition phase is comprised of "System Development and Demonstration" and "Production and Deployment". System Development and Demonstration (SDD) is comprised of System Integration and System Demonstration. Milestone B begins at System Integration and ends at the completion of System Demonstration.

5.2.2.3 Milestone C

A Milestone C decision comes at the completion of "System Development and Demonstration" and begins the "Production and Deployment" phase.

5.2.2.4 Sustainment

Sustainment and Disposal comprise the "Operations and Support" stage of the Defense Acquisition System.

It is assumed that P/S/A/S being considered for NetOps readiness for introduction or incorporation into the GIG architecture will have received a Milestone B decision at a minimum, entering the System Development and Demonstration (SDD) phase. Programs entering the acquisition process at Milestone B shall have an approved Initial Capabilities Document (ICD) that provides the context in which the capability was determined and approved, and an approved Capability Development Document (CDD) that describes specific program requirements.

Programs considered for NetOps readiness may already be in the Production and Deployment or Sustainment phase, in which case a Milestone C decision would have been received.

The tables in Enclosure 3 of DODI 5000.2, "Operation of the Defense Acquisition System", May 12, 2003, identify the statutory and regulatory information requirements of each milestone and decision point. Additional non-mandatory guidance on best practices, lessons learned, and expectations is available in the Defense Acquisition Guidebook at http://dod5000.dau.mil/.

5.2.3 The Corporate Board Role

The DISA Corporate Board is briefed on major DISA programs (i.e., ACAT I and Special Interest programs) as significant issues come up that affect strategic DISA directions.
There is no explicit schedule for such Board meetings on program issues, except as dictated by major events on programs.

5.2.4 The GIG Engineering and the Program Executive Offices Role

GIG Engineering and the Program Executive Offices (IAN, DECC, NCES, Teleport and others that may be created in the future) are responsible for development of new P/S/A/S capabilities. The Program Executive Office for Information Assurance/NetOps (PEO-IAN) is subject to the various reviews in preparation for major milestone and other significant events in a program's life cycle. PEO-IAN has the responsibility for development of new transformational capabilities and for ensuring that DISA products are NetOps ready when fielded. Figure 7 shows a notional schedule for a program over its life and the associated GE review insertion points to support CAE reviews.

Figure 7. Notional Life-cycle Schedule of GE Systems Engineering Reviews

Systems Engineering Process Assessments

The GIG Engineering organization (GE) conducts systems engineering reviews in preparation for major milestone and other significant events in a program's life cycle. Systems Engineering Process Assessments (SEPA) will occur periodically throughout the program's lifecycle. The purpose of the SEPA is to provide a quick, broad life cycle view of a program's Systems Engineering activities. The SEPA can be used to identify specific issues or risk areas that require more in-depth evaluation. As part of this review the SEPA Team will verify that the program is aware of the CONOPS Template and the NetOps P/S/A/S Readiness Checklist and has completed the NetOps P/S/A/S Readiness Checklist questions appropriate to the program's phase in the lifecycle. GE will partner with GO for NetOps assessments presented during a SEPA. All NetOps assessments should result from the most recent NetOps Readiness Review of the P/S/A/S, as described above in section 5.1.

5.2.5 The GIG Combat Support Directorate Role

The GIG Combat Support Directorate (GS) is responsible for the evolution of existing capabilities that are in sustainment and is being challenged to support new NetOps requirements with consistently high quality of service (QoS) and class of service (CoS). Any program planning to put capabilities into the DNCs must comply with the DNC requirements (DOTMLPF) and integration framework and will need to coordinate with the DISN Operations Support System (OSS) Division (GS28) to ensure integration into the overall DISN OSS Architecture. New systems that are transitioning into GS responsibility and sustainment will have NetOps readiness reviews and certification as part of the transition process. The originating organization will provide the completed checklist and process the readiness review leading to DAA approval.

Systems in sustainment will have a NetOps certification. Those existing systems that do not have certification will initiate the NetOps Readiness Review Process. Once a system is in sustainment and has had an initial or transition readiness review and DAA approval, it will be the system management office's responsibility to maintain the NetOps P/S/A/S Readiness Checklist. Changes of varying degrees occur in sustainment, and the checklist will be kept current for each change. The system management office will initiate a readiness review for any significant change that negatively impacts NetOps. A negative impact is any degradation of a checklist criterion. All requirements are critical for NetOps compliance, and any areas not met will need a Plan of Action and Milestones (POA&M). The NGAB reviews all changes for systems that are deployed to the GNSC and TNCs and will determine whether a readiness review is required.

5.2.6 The GIG Operations Directorate Role

NetOps Readiness Reviews

As noted earlier, NetOps Readiness Reviews are intended to complement overall P/S/A/S reviews led by CAE and conducted with the CFE and GE. The intent of NetOps Readiness Reviews is to assure that DISA P/S/A/S are developed with the appropriate NetOps requirements. The information for the NetOps assessment of a given P/S/A/S will result from the NetOps review that is done by the NetOps Readiness Review Board (NRRB). The NRRB is led by GO and consists of members from FSO, the GO Technical Director's Team (GOTD), the GO Integration Support Branch (GO51), CAE, GS, GE, and SPI-CIO. The expected outcomes include a "report card" for the reviewed P/S/A/S and guidance to the P/S/A/S on corrective technical actions to improve progress toward NetOps. FSO will provide a NetOps recommendation memorandum based on the results of the NetOps P/S/A/S Readiness Checklist. The P/S/A/S will need to prepare a Plan of Action and Milestones (POA&M) with a mitigating strategy that addresses those areas that do not initially meet NetOps compliance. That information will be used as input by the NRRB to the Principal Director for GIG Operations (GO), who acts as the authority to accredit the NetOps certification of a system.
The Agency Designated Accrediting Authority (DAA) receives a system NetOps readiness certification recommendation from the NRRB or NGAB.

GO will also act as the evaluator for each P/S/A/S's CONOPS. GO teams will want to participate in the engineering Working Integrated Product Teams (WIPTs) to provide guidance to programs with respect to their moving toward NetOps readiness. Alternatively, the GO teams may wish to review outcomes of WIPT meetings and work any issues with the appropriate participants from the WIPTs and the programs. The CAE may seek GO guidance on selected operational matters during quarterly program reviews as well.

5.2.7 Configuration Management Control Process

DISA has several linked processes for overall management of assurances through control of changes made to hardware, software, firmware, documentation, and tests of Programs/Systems/Applications/Services (P/S/A/S) throughout their development and operational life. The Configuration Control Boards (CCB) are instrumented with common architecture, tools, and capabilities to accept management of DISA P/S/A/S. Examples of DISA CCBs include the following:

• The DISA NetOps Configuration Control Board is chaired by GIG Operations (GO) and is the approval authority to introduce new initiatives not approved by higher-level boards into the configuration and routine operation of the DISA NetOps Centers (DNC). The DNCs include the Global NetOps Support Center (GNSC), Theater NetOps Centers (TNCs), and the GIG Infrastructure Services Management Center (GISMC). Initiatives could affect policies, procedures, concepts or strategies, as well as tools, technologies, and infrastructure required to support the DNCs (DOTMLPF issues).

• The DISN Network Services Configuration Control Board is chaired by GIG Combat Support, Center for Network Services, Operational Support Systems Division (GS28) and is responsible for establishing the initial integrated DISN core and DISN baseline in terms of architecture, functionality and service offering, and for reviewing all subsequent proposed configuration changes to the established baselines, assessing their impact, and rendering a decision concerning approval or disapproval. Examples of changes include any modifications to approved individual service/transport offerings as part of the overall integrated DISN core and DISN architecture.

5.2.8 Supporting the GIG IA Portfolio (GIAP)

The Deputy Secretary of Defense approved DoDD 8115.01, providing instruction on how to perform portfolio management activities for all GIG Information Technology (IT) investments. IT investments will be managed as portfolios to:

• Ensure IT investments support the Department's vision, mission, and goals
• Ensure efficient and effective delivery of capabilities to the warfighter
• Maximize return on investment to the Enterprise using the GIG architecture, plans, risk management techniques, and capability goals

The three major DoD IT Mission Areas are Business, Warfighting, and Enterprise Information Environment; the last is comprised of four domain areas (Core Enterprise Services, Computing, Transport, and Information Assurance).

Figure 8. DoD IT Portfolio (DoD IT Portfolio; EIE Mission Area Portfolio; GIG IA Portfolio, with the AIS, AMM, CON, DTG, HAE and INR Roadmaps and the Foundational Activities Roadmap)

Figure 8 depicts the GIG IA Portfolio (GIAP) as part of the DoD IT Portfolio.
The GIAP is designed to analyze, select, control and evaluate critical IA capabilities and associated investments to enable information superiority. The purpose of the GIAP is to:

• Develop an integrated IA operational capability roadmap that is accepted community-wide
• Develop an investment strategy for the IA portfolio to drive investment decisions
• Continuously analyze and refresh the investment strategy to maximize operational benefit
• Provide an opportunity to partner with IA community members
• Optimize existing funding and justify additional funding to meet IA priorities

Figure 9. DoD Governance IA Portfolio Management

Figure 9 shows DoD Governance of IA Portfolio Management. Portfolio Management is defined as a holistic view of DoD's GIG IA Strategy with:

1. An inventory of IA projects (the baseline is the Defense Information Assurance Program (DIAP) Database)
2. A master schedule
3. Evaluation of the portfolio for synchronization, gaps, duplication, and risks
4. Impact on the Program Objective Memorandum (POM) process
5. A cradle-to-grave investment strategy (life cycle management (LCM))

Under the GIAP there are six Capability Roadmaps:

1. Assured Information Sharing (AIS): Provides the user with the right information, at the right time, at the right place, and displayed in the right format, while denying adversaries access to that same information or service.
2. Assured Mission Management (AMM): Provides the ability to coordinate and de-conflict system configuration and resource changes, mission priority changes, and cyber attack responses, and includes the ability to assign, prioritize, modify, and revoke user and system roles, access rights, COI membership and resources.
3. Confidentiality (CON): Ensures information is not made available or disclosed to unauthorized individuals, entities, devices, or processes.
4. Defend the GIG (DTG): Monitors, analyzes, detects, and responds to potential and actual unauthorized network activities, as well as unintentional non-malicious user errors that could potentially cause harm.
5. Highly Available Enterprise (HAE): Ensures GIG computing and communications resources, services, and information are available and accessible.
6. Integrity and Non-Repudiation (INR): Integrity/Non-Repudiation capabilities provide assurance that information does not change from production to consumption, or from transmission to receipt. They also guarantee that neither party can deny the processing or reception of the data.

Additional information on the GIAP is available online (https://gesportal.dod.mil/sites/gigia/default.aspx).
6 Appendix A. NetOps Program/System/Application/Service Readiness Checklist

Classification is based on the classification of the network reviewed.

Date of NetOps RR: ________

Review Information:
  P/S/A/S: ________
  Reviewer: ________
  Phone: ________
  Previous RR: Y / N
  Date of Previous RR: ________ / NA
  VC06 Available: Y / N
  Number of Current Open Findings: ________

P/S/A/S Information:
  P/S/A/S Name: ________
  Program Manager: ________
  Phone: ________
  P/S/A/S Tracking # (DITPR): ________
  DAA: CIO [ ]  GO [ ]  J6 [ ]  DSS [ ]  OTHER [ ]

Site Information:
  Site Name: ________
  Address: ________
  Phone: ________

Site Personnel Information (Position, Name, Phone Number, Email, Area of Responsibility):
  IAM: ________
  IAO: ________
  NSO: ________

The Program/System/Application/Service (P/S/A/S) documentation provides the framework for the NetOps P/S/A/S Readiness assessment prior to incorporation into the GIG.
The list of documentation provided in Table 1-1 is not intended to be all-inclusive, but provides those documents (including the NetOps P/S/A/S Readiness Checklist) recommended for a system PM, or proponent for non-PM managed systems, to submit for the system accreditation request package. The list also comprises the minimum recommended documentation that may be provided to the NetOps Readiness Review Board for review and consideration of P/S/A/S NetOps readiness certification.

Table 1-1 RECOMMENDED P/S/A/S DOCUMENTATION FOR NETOPS REVIEW
(Columns: Item / Documentation / Yes / No / Notes for the Evaluator)

1. Security Certification and Accreditation documentation (DIACAP): The DIACAP package is a set of documentation submitted to the Designated Accrediting Authority (DAA) for authorization to operate (ATO).
2. DoD Architecture Framework: The DoDAF is a framework for development of a systems architecture or enterprise architecture (EA). DoDAF views are organized into four basic view sets: overarching All View (AV), Operational View (OV), Systems View (SV), and the Technical Standards View (TV).
3. Approval/Interim Approval to Operate (I/ATO), Approval/Interim Approval to Test (I/ATT), and Approval/Interim Approval to Connect (I/ATC): Signed documentation by the Designated Accrediting Authority (DAA) authorizing operation of a system for a designated period of time. (In most cases will be part of the SSAA*)
4. P/S/A/S Concept Of Operations (CONOPS): Outlines assumptions or intent in regard to the operations, defense, NetOps, and C2 of a program. (May be part of SSAA)
5. P/S/A/S Operation Manuals: Provide operational instructions that can be used by system administrators to properly configure, manage, and troubleshoot a system.
6. Configuration Management Plan: Identifies the organizations and procedures to be used by the developers to perform activities related to configuration management. (May be part of SSAA)
7. Network/System Management Plan: Defines how the network or system will be managed, and possibly what Enterprise management tools will be used for performance monitoring, change and configuration management, reporting, etc.
8. Continuity of Operations Plan (COOP): Describes preparations in place for survival of operations in the case of a catastrophic event. (May be part of SSAA)
9. Disaster Recovery Plan (DRP): Describes the data, hardware, and software critical for an organization to restart operations in the event of a natural or human-caused disaster. (May be part of SSAA)
10. Systems Integration Test, Security Verification, Site and User Acceptance Test Reports: Reports from security, testing and evaluations as part of the C&A process.
11. Memorandums of Agreement or Memorandums of Interconnection (MOA/MOI): Document written between parties to cooperatively work together on an agreed upon project or meet an agreed upon objective. The purpose of an MOA is to have a written understanding of the agreement between parties. (May be part of SSAA)
12. System Deployment Schedule: Provides a deployment timeline for a system, accounting for the end user, operator, and sustainment communities.
13. Product (or Logistics) Support Plan: Outlines how logistics support and sustainment of a system will be managed over its life cycle.
14. Functional Requirements Specification/System Statement of Requirement (SOR): Describes how the user intends to use the system and the expected performance. Issues of security and data integrity should also be included. Functional requirements specify specific behaviors of a system. The SOR details requirements that the system will provide.
15. Implementation Plan: Outlines a program's strategy for successful execution of a program's system/service/capability.
16. FSO Test Reports and IA Controls: A roll-up of a series of physical security assessments and scans on a program's hardware assets. Hardware is configured according to the required Security Technical Implementation Guides (STIGs), and scanned for potential vulnerabilities.
17. DISA System Accreditation Checklist and CIO Accreditation Memo: Appendix R contains the CA's recommendation to the DAA and the authorization to operate in a formal memorandum signed by the DAA, which is the accreditation memorandum.
18. NetOps P/S/A/S Readiness Checklist: Internal DISA P/S/A/S certification tool that evaluates compliance within the three essential tasks defined in the Joint CONOPS for GIG NetOps: GIG Enterprise Management (GEM); GIG Network Defense (GND) and GIG Content Management (GCM).

*Systems Security Authorization Agreement (SSAA) – A living document that defines all system specifications including the system mission, target environment, target architecture, security requirements and applicable access policies. The SSAA also describes the applicable planning and certification actions, resources and documentation required to support the certification and accreditation. In essence, the SSAA is the vehicle that guides the implementation of information security. The SSAA is updated and revised during each of the four phases.

The DIACAP Comprehensive Package includes:

• System Identification Profile (SIP) - Part of the Executive Package, which contains the minimum required information for an accreditation decision. An information base, i.e., a document, collection of documents, or collection of data objects within an automated information system that uniquely identifies an information system within the DIACAP and contains established management indicators, e.g., DIACAP status.

• DIACAP Implementation Plan - Contains the information system's assigned IA Controls. The plan also includes the implementation status, responsible entities, resources and the estimated completion date for each assigned IA Control. The plan may reference applicable supporting implementation material and artifacts.
• Certification Documentation - A collection of documents that describes the security posture of the system, an evaluation of the risks, and recommendations for correcting any deficiencies.

• DIACAP Scorecard - Part of the Executive Package, which contains the minimum required information for an accreditation decision. A summary report that shows the certified or accredited implementation status of a DoD information system's assigned IA Controls and supports or conveys a certification determination and/or accreditation decision. The DIACAP Scorecard is intended to convey information about the IA posture of a DoD information system in a format that can be easily understood by managers and be easily exchanged electronically.

• Plan of Action & Milestones (POA&M) - Part of the Executive Package, which contains the minimum required information for an accreditation decision. A POA&M is required for any accreditation decision that requires corrective actions. It is a tool identifying tasks that need to be accomplished. It specifies resources required to accomplish the elements of the plan, any milestones in meeting the task, and scheduled completion dates for the milestones.
7 GIG ENTERPRISE MANAGEMENT (GEM)

7.1 Assignment of Project Officer
Has a DISA NetOps Center (DNC) representative been assigned to serve as a Project Officer responsible for coordinating the deployment of this system? Identify name(s) and role(s).
Procedure: Verify assignment.
Reference(s): Defense Information Systems Agency Instruction (DISAI) 310-220-1; DODI 5000.2, Para 3.4; DCID 6/3 para 2.B.4.e(4), 2.B.4.e(5); DoDI 8500.2 Encl 4, Att 1,2,3 DCSD-1; DCID 1/19 Sect 5 and 10
Indicators:
o Appointment directive.
o Personnel are familiar with the identity of the Project Officer.
Comments:
Milestone A Requirement: Technology Development
PDI Short Description: No DNC Representative has been assigned to serve as Project Officer.
[ ] Open  [ ] Not a Finding  [ ] Not Reviewed  [ ] Not Applicable

7.2 CONOPS with NetOps Section
Has a CONOPS been written for the Program/System/Application/Service (P/S/A/S) that includes a NetOps section?
Procedure: Verify documentation.
Reference(s): Joint Concept of Operations for Global Information Grid NetOps; DISA CONOPS Template.
Indicators:
o Included in CONOPS.
Comments:
Milestone A Requirement: Technology Development
PDI Short Description: NetOps is not included in the CONOPS.
[ ] Open  [ ] Not a Finding  [ ] Not Reviewed  [ ] Not Applicable
7.3 Designation of DNC for Management and Control
Has the PM worked with the DNC(s) to define a set of information necessary to manage the P/S/A/S?
Procedure: Verify the CONOPS includes an appropriate determination of how the DNC(s) will manage this capability.
Reference(s): Defense Information Systems Agency Instruction (DISAI) 310-220-1; Joint Concept of Operations for Global Information Grid NetOps.
Indicators:
o Stated in the CONOPS or fielding document.
o DNC acknowledgement or relationships.
Comments:
Milestone A Requirement: Technology Development
PDI Short Description: No DNC has been designated to manage and control the P/S/A/S once it is declared operational.
[ ] Open  [ ] Not a Finding  [ ] Not Reviewed  [ ] Not Applicable

7.4 System Status Reporting Requirements and Procedures
Have the DNC's Tactics, Techniques & Procedures (TTPs) for system status reporting been included in the P/S/A/S design and implementation documents?
Procedure: Interview the Network Security Officer (NSO) and review implementation documentation.
Reference(s): Joint Concept of Operations (CONOPS) for Global Information Grid (GIG) NetOps, Version 3, 4 August 2006; CJCSI 6215.02A; DISAC 310-55-1, "Status Reporting for the Defense Communications System"; DODI 5000.2, Para 3.8
Indicators:
o The DNC has documented status reporting requirements for the P/S/A/S.
o The P/S/A/S documentation satisfies the DNC defined requirements.
o Requirements Traceability Matrix (RTM) showing DNC requirements and system solutions to meet those requirements.
Comments:
Milestone B Requirement: System Development and Demonstration
PDI Short Description: The P/S/A/S status reporting requirements and procedures have not been established.
[ ] Open  [ ] Not a Finding  [ ] Not Reviewed  [ ] Not Applicable
7.5 Situational Awareness (SA)/Critical System Status Reporting
Does the P/S/A/S report status data on fault, configuration, security and performance using GEM, GND, GCM tools and capabilities? Identify the tool or capability.
Procedure: Review P/S/A/S documentation.
Reference(s): Joint Concept of Operations (CONOPS) for Global Information Grid (GIG) NetOps, Version 3, 4 August 2006 (Situational Awareness); DODI 5000.2, Para 3.7; DoDI 8500.2 Encl 4, Att 1/2/3 DCHW-1, DCFA-1, DCPP-1, DCPR-1, DCSW-1; DoDD 5220.22M, Sec 8-101; DCID 6/3 Sec 2.B.4.b.(4), 2.B.5.c.(4), 5.B.1.a.(2), 5.B.2.a.(4)
Indicators:
o Sys logs being exported.
o SNMP or other fault system integrated into the SA system.
Comments:
Milestone B Requirement: System Development and Demonstration
PDI Short Description: Critical system devices do not report status to an internal Management System.
[ ] Open  [ ] Not a Finding  [ ] Not Reviewed  [ ] Not Applicable

7.6 DISA NetOps Center (DNC) Specific Requirements
Have specific DNC NetOps requirements been met, and have all major issues that affect policies, procedures, concepts or strategies, as well as tools, technologies, and infrastructure required to support the DNCs' operations, been properly satisfied?
Procedure: Review requirements documentation.
Reference(s): Defense Information Systems Agency Instruction (DISAI) 310-220-1; DODI 5000.2, Para 3.4 and 3.8; DCID 6/3 para 2.B.4.e(4), 2.B.4.e(5); DoDI 8500.2 Encl 4, Att 1,2,3 DCSD-1; DCID 1/19 Sect 5 and 10; NISPOMSUP Ch 8 Sec 4
Indicators:
o The DNC representative reviewed the DNC specific requirements and has taken/assigned various tasks to manage and control the P/S/A/S once it is declared operational.
o The DNC has the ability to satisfy critical requirements (e.g., requirements for security, reliability, real-time responsiveness, and correctness) under all conditions.
o Doctrine, Organization, Training, Materiel, Leadership and Education, Personnel and Facilities (DOTMLPF) requirements.
Comments:
Milestone A Requirement: Technology Development
PDI Short Description: DNC requirements have not been met.
[ ] Open  [ ] Not a Finding  [ ] Not Reviewed  [ ] Not Applicable

7.7 Compliance with DISA OSS
Do the P/S/A/S's management tools and capabilities fit into the overall DISA Operations Support System (OSS) Architecture?
Procedure: Review P/S/A/S documentation. Should comply with DISA OSS Architecture.
Reference(s): Joint Concept of Operations (CONOPS) for Global Information Grid (GIG) NetOps, Version 3, 4 August 2006 (Situational Awareness); DODI 5000.2, Para 3.7; CJCSM 6510.01 para 2.c
Indicators:
o System Requirements Traceability Matrix (RTM) includes DNC requirements.
o System Interface Control Document (ICD) identifies all information exchange requirements.
Comments:
Milestone B Requirement: System Development and Demonstration
PDI Short Description: The P/S/A/S's management data is not compatible with the DISA OSS Architecture.
[ ] Open  [ ] Not a Finding  [ ] Not Reviewed  [ ] Not Applicable

7.8 Filtering of Status Data
Is the P/S/A/S management data compliant or filterable for incorporation into a DISA Network Operations Common Operational Picture (COP)?
Procedure: Review P/S/A/S architecture.
Reference(s): CJCSI 6211.02B, "Defense Information System Network (DISN): Policy, Responsibilities and Processes", 31 July 2003, Encl B; GIG Capstone Requirements Document; DODI 5000.2, Para 3.7
Indicators:
o System Element Management System (EMS) data is entered in the DoD Metadata Registry.
o System Ports and Protocols are registered IAW DoDI 8551.1.
o Identify P/S/A/S EMS data that are filterable for incorporation into a DISA Network Operations COP (User Defined Operational Picture (UDOP), NetCOP, INMS, Amberpoint).
Comments:
Milestone B Requirement: System Development and Demonstration
PDI Short Description: The P/S/A/S is not capable of providing status data that can be filtered for incorporation into a DISA COP.
[ ] Open  [ ] Not a Finding  [ ] Not Reviewed  [ ] Not Applicable

7.9 Alternate DNC if the Internal Management System is Not Redundant
In the event of a DNC failure, can the P/S/A/S's management data be redirected to an alternate DNC?
Procedure: Interview the NSO.
Reference(s): Joint Concept of Operations (CONOPS) for Global Information Grid (GIG) NetOps, Version 3, 4 August 2006; DODI 5000.2, Para 3.8; CJCSM 6510.01 para 2.c
Indicators:
o CONOPS.
o System COOP.
Comments:
Milestone C Requirement: Production & Deployment/Operations & Maintenance
PDI Short Description: The P/S/A/S's EMS data cannot be redirected to an alternate DNC.
[ ] Open  [ ] Not a Finding  [ ] Not Reviewed  [ ] Not Applicable

7.10 Automated Drill Down and Query Capability
Does the P/S/A/S support external queries using NetOps technology (UDOP, NetCOP, INMS, Amberpoint)?
Procedure: Interview the NSO.
Reference(s): Joint Concept of Operations (CONOPS) for Global Information Grid (GIG) NetOps, Version 3, 4 August 2006; DODI 5000.2, Para 3.8
Indicators:
o Drill down and query specific system component configuration information to facilitate situational awareness.
o Compliance with Tele-Management Forum, Multi-Technology Network Management (MTNM) Solutions Suite.
o Compliance with Tele-Management Forum Multi-Technology Operations System Interface (MTOSI) Solutions Suite.
o The Internal Management System interfaces to and correlates with other relevant system management tools and data.
Comments:
Milestone C Requirement: Production & Deployment/Operations & Maintenance
PDI Short Description: The P/S/A/S does not support external queries using required NetOps technologies.
[ ] Open  [ ] Not a Finding  [ ] Not Reviewed  [ ] Not Applicable

7.11 Integration to DISA Help Desk Center
If the PM has established a separate Help Desk, is it integrated and compliant with the DNC Trouble Management System (TMS) policy?
Procedure: Interview the NSO. Trouble tickets must link to the Help Desk and DNC process.
Reference(s): DODI 5000.2, Para 3.8
Indicators:
o Integration plan addresses trouble management process and relationship with DNC.
o GO and DNC involvement is documented.
Comments:
Milestone C Requirement: Production & Deployment/Operations & Maintenance
PDI Short Description: The P/S/A/S integration plans do not include integration to an existing DISA Help Desk Center.
[ ] Open  [ ] Not a Finding  [ ] Not Reviewed  [ ] Not Applicable
7.12 Trouble Management System (TMS)
Does the P/S/A/S seamlessly integrate with the existing DISA TMS?
Procedure: Interview the NSO to ensure the P/S/A/S is compliant with this requirement.
Reference(s): Director's Policy Letter: Standard Trouble Management System; DODI 5000.2, Para 3.8
Indicators:
o PM using the DISA-TMS.
o System automated trouble tickets are generated in response to alarms and performance thresholds.
o Trouble tickets are automatically cleared when alarms are cleared.
o Manual ticket generation capability.
Comments:
Milestone C Requirement: Production & Deployment/Operations & Maintenance
PDI Short Description: TMS is not being used as the corporate trouble-ticketing system.
[ ] Open  [ ] Not a Finding  [ ] Not Reviewed  [ ] Not Applicable

7.13 Configuration Management Tracking
Is there an automated configuration management (CM) process for the P/S/A/S?
Procedure: Interview the NSO to ensure the P/S/A/S is compliant with this requirement.
Reference(s): DODI 5000.2, Para 3.8
Indicators:
o The P/S/A/S has established a plan and business processes for entering and maintaining configuration management data.
o The P/S/A/S has designated overall CM responsibility to a person and users have attended CM training.
o The P/S/A/S has assigned a member to the DISN Configuration Control Board.
Comments:
Milestone C Requirement: Production & Deployment/Operations & Maintenance
PDI Short Description: There is no automated CM process.
[ ] Open  [ ] Not a Finding  [ ] Not Reviewed  [ ] Not Applicable

7.14 Proposed Maintenance Schedule for System Devices/Components
If P/S/A/S devices/components require scheduled maintenance, have a proposed maintenance plan and procedures been developed?
Procedure: Refer to the Product Support Plan to validate.
Reference(s): DODI 5000.2, Para 3.8; DoDI O-8530.2 Encl 4, para E4.3.1.2.1; NISPOM Ch 8 and 10; NISPOMSUP Ch 8 Sec 4; DCID 6/3 para 2.B.4.e(13)
Indicators:
o Instructions have been developed outlining maintenance procedures for devices/components requiring scheduled maintenance.
o Requirements for scheduled maintenance are detailed in the PSP.
Comments:
Milestone C Requirement: Production & Deployment/Operations & Maintenance
PDI Short Description: A proposed maintenance plan/schedule has not been developed for devices/components requiring scheduled maintenance.
[ ] Open  [ ] Not a Finding  [ ] Not Reviewed  [ ] Not Applicable

7.15 Specialized Training Requirements
Have specialized training requirements been identified for NetOps center personnel (e.g., O&M, sys config, monitoring...)?
Procedure: Review training documentation.
Reference(s): CJCSI 6510.01D, "Information Assurance (IA) and Computer Network Defense", 15 June 2004, Encl B para 14; DODI 8500.2, "Information Assurance (IA) Program Implementation", February 6, 2003, Encl 3 para E3.3.6; DODI 5000.2, Para 3.8; DoDD O-8530.1 para 5.12.10; CJCSM 6510.01 para 5.j and m; DoDI 8500.2 Encl 4, Att 4/5 PRTN-1; DoD 8570.01-M
Indicators:
o System specific training for the NetOps Center:
  • Copies of presentations for NetOps Center training
  • Schedule for NetOps Center training
  • Subscriber's NetOps Center personnel are aware of available training and schedules
Comments:
Milestone C Requirement: Production & Deployment/Operations & Maintenance
PDI Short Description: No specialized training requirements have been identified for NetOps center personnel.
[ ] Open  [ ] Not a Finding  [ ] Not Reviewed  [ ] Not Applicable

7.16 Formal Agreements with Outside (Non-DISA) Organizations
In the case where outside (non-DISA) organizations are required to perform certain tasks and functions, have formal agreements been established between DISA and the external organizations?
Procedure: Review agreements such as Site Concurrence Letters and Memorandums of Agreement. Refer to the PSP to validate.
Reference(s): DODI 5000.2, Para 3.8; DOD 5000.2-R C3.2.3.2.1, C3.2.3.2.2.3; NISPOMSUP 7-100; NISPOM Ch 10 Sec 6; DCID 6/3 para 2.B.4.e(4), 2.B.4.e(5)
Indicators:
o Copy of MOU(s) or written agreement that has been signed.
o Operational relationships covered in the agreement are detailed in the P/S/A/S CONOPS.
o Agreement documents detail the services provided such that they can be re-established if necessary.
Comments:
Milestone C Requirement: Production & Deployment/Operations & Maintenance
PDI Short Description: Outside organizations are required to perform certain tasks and functions, but no formal written agreements have been established.
[ ] Open  [ ] Not a Finding  [ ] Not Reviewed  [ ] Not Applicable

7.17 Maintenance of System Diagrams
Are P/S/A/S diagrams maintained, and is there a process to incorporate updates?
Procedure: Review P/S/A/S configuration documentation and CM process.
Reference(s): DISAI 310-220-1; DODI 5000.2, Para 3.8; DoDD O-8530.1 para 4.6.1; DoDI O-8530.2 para 6.2.4 and E6.1.6.1; DoDI 8500.2 Encl 4, Att 1,2,3 DCHW-1, DCFA-1, DCPP-1, DCPR-1, DCSW-1; DoDD 5220.22M, Sec 8-101; DCID 6/3 Sec 5.B.1.a.(2), 5.B.2.a.(4); DCID 6/3 2.B.4.b.(4), 2.B.5.c.(4)
Indicators:
o Copies of the latest network diagram(s).
o Up-to-date inventory of information systems, network components, software, O/Ss, etc.
o Network services utilized by subscriber.
o Network access points and operational importance identified.
o Personnel display knowledge of subscriber networks and configurations.
Comments:
Milestone C Requirement: Production & Deployment/Operations & Maintenance
PDI Short Description: P/S/A/S diagrams are not being maintained, and there is no process to incorporate updates.
[ ] Open  [ ] Not a Finding  [ ] Not Reviewed  [ ] Not Applicable

7.18 Approval Process for Changes to the System Architecture
Are significant changes to the P/S/A/S architecture approved through the DISA NetOps Center Control Board prior to implementation?
Procedure: Review CM process.
Reference(s): DISAI 310-220-1; DODI 5000.2, Para 3.8; DoDD O-8530.1 para 4.6.1; DoDI O-8530.2 para 6.2.4 and E6.1.6.1; DoDI 8500.2 Encl 4, Att 1,2,3 DCHW-1, DCFA-1, DCPP-1, DCPR-1, DCSW-1; DoDD 5220.22M, Sec 8-101; DCID 6/3 Sec 2.B.4.b.(4), 2.B.5.c.(4), 5.B.1.a.(2), 5.B.2.a.(4)
Indicators:
o Process addressed in CM Plan.
o Minutes from CCB.
Comments:
Milestone C Requirement: Production & Deployment/Operations & Maintenance
PDI Short Description: Significant changes to the P/S/A/S architecture are not approved through the NetOps Control Board prior to implementation.
[ ] Open  [ ] Not a Finding  [ ] Not Reviewed  [ ] Not Applicable

7.19 Identification and Registration of System Interfaces
Have P/S/A/S ports, protocols and services (PPS) been identified and registered with the PPS POC?
Procedure: Validate online PPS database.
Reference(s): DODI 8551.1 "Ports, Protocols, and Services Management (PPSM)", August 13, 2004; DODI 5000.2, Para 3.8; CJCSI 6510.01D Encl D, para 2.b.(4) and 13.a.(6); DoDI 8500.2 Encl 4, Att 1/2/3 DCCS-1/2; CMU/SEI-2003-HB-002 Sec 2.3.2.2; DCID 6/3 para 2.B.5.c.(1)
Indicators:
o P/S/A/S PPS are registered.
Comments:
Milestone C Requirement: Production & Deployment/Operations & Maintenance
PDI Short Description: Internal system interfaces have not been identified and registered with the DISA PPS POC.
[ ] Open  [ ] Not a Finding  [ ] Not Reviewed  [ ] Not Applicable

7.20 Key Performance Metrics and Objectives for Service Level Agreement (SLA) Monitoring
If key performance metrics and objectives for the P/S/A/S exist, are they identified to the DNC(s)?
Procedure: Check Service Level Agreement.
Reference(s): Joint Concept of Operations (CONOPS) for Global Information Grid (GIG) NetOps, Version 3, 4 August 2006 (Situational Awareness); DISAC 310-130-2; DODI 5000.2, Para 3.8
Indicators:
o Key performance parameters and thresholds have been identified (e.g., QOS, packet loss, latency, CPU utilization, etc.).
o Activity doing the monitoring has been identified.
o Response actions identified.
o P/S/A/S provides end-to-end performance data to support SLA compliance monitoring.
Comments:
Milestone C Requirement: Production & Deployment/Operations & Maintenance
PDI Short Description: Key performance metrics and objectives for SLA monitoring have not been identified.
[ ] Open  [ ] Not a Finding  [ ] Not Reviewed  [ ] Not Applicable

7.21 System Performance Capability
Is the P/S/A/S instrumented to meet specified performance metrics? (Are there alarms or indicators for performance thresholds?)
Procedure: Review ST&E and user acceptance tests.
Reference(s): DODI 5000.2, Para 3.7
Indicators:
o Use of Modeling and Simulation testing or other analytical techniques.
o The P/S/A/S provides end-to-end performance data to support monitoring.
o The predicted traffic throughput/number of transactions during periods of peak system load has been validated and documented.
o The P/S/A/S bandwidth requirements have been identified.
Comments:
Milestone C Requirement: Production & Deployment/Operations & Maintenance
PDI Short Description: Performance metrics are not validated through system Modeling and Simulation testing.
[ ] Open  [ ] Not a Finding  [ ] Not Reviewed  [ ] Not Applicable
7.22 Product Support Plan (PSP)
Does the Product Support Plan (PSP) support NetOps?
Procedure: Refer to SSAA, CM Plan, and/or PSP.
Reference(s): NCOW RM v1.1; DODI 5000.2, Para 3.8, E9.3
Indicators:
o Technology refresh plan.
o LCM covers 'cradle to grave'.
o Maintenance Plan.
Comments:
Milestone C Requirement: Production & Deployment/Operations & Maintenance
PDI Short Description: The PSP has not been established for the P/S/A/S.
[ ] Open  [ ] Not a Finding  [ ] Not Reviewed  [ ] Not Applicable

7.23 Employment and Integration of Core Enterprise Services
Has the P/S/A/S been designed and developed to employ and integrate the use of Core Enterprise Services (CES)?
Procedure: Review P/S/A/S design documentation.
Reference(s): NCOW RM v1.1; DODI 5000.2, Para 3.7
Indicators:
o CONOPS addresses CES.
o Application, Discovery, User Assistant, Collaboration, Storage, Mediation, Messaging.
o IA/Security.
o Enterprise Service Management (ESM).
o P/S/A/S provides ability for CES monitoring.
Comments:
Milestone B Requirement: System Development and Demonstration
PDI Short Description: The P/S/A/S is not designed and developed to employ and integrate the use of CES.
[ ] Open  [ ] Not a Finding  [ ] Not Reviewed  [ ] Not Applicable

7.24 Does the System Support IPv6
If the P/S/A/S is IP network enabled, does it support Internet Protocol Version Six (IPv6)?
Procedure: Verify P/S/A/S architecture documentation and test documentation (results of IPv6 testing).
Reference(s): Request for Comment (RFC) 791; RFC 2460; DoD Memo on IPv6; DODI 5000.2, Para 3.7; DoD Memo, Internet Protocol Version 6 (IPv6) Interim Transition Guidance, September 29, 2003; DoD Memo, Internet Protocol Version 6 (IPv6), June 9, 2003
Indicators:
o Capable of receiving, processing and forwarding IPv6 packets and/or interfacing with other P/S/A/S and protocols in a manner similar to that of IPv4.
o IP network conformant with the JTA developed IPv6 standards profile.
o IP network operates on or coexists on a network supporting IPv4 only, IPv6 only, or a hybrid of IPv4 and IPv6.
o If the P/S/A/S is IP network enabled and does not support IPv6, a Plan of Action & Milestones (POA&M) for compliance has been developed.
Comments:
Milestone B Requirement: System Development and Demonstration
PDI Short Description: The P/S/A/S is IP network enabled, and does not support IPv6.
[ ] Open  [ ] Not a Finding  [ ] Not Reviewed  [ ] Not Applicable
8 GIG NETWORK DEFENSE (GND)

8.1 DoD Net-Centric IA Strategy
Is the P/S/A/S designed to meet the DoD Net-Centric IA Strategy?
Procedure: Validate P/S/A/S design documentation. Verify STIG compliance.
Reference(s): NCOW RM v1.1, para 3.3; 3.3.1; 6.5.1; 6.5.2; 6.5.3; DODI 5000.2, Para 3.7; DoD Net-Centric Information Assurance (IA) Strategy Ver 1.0 dtd 30 June 2004
Indicators:
o P/S/A/S is designed to protect information confidentiality (from unauthorized access) and integrity (from unauthorized modifications), while at the same time making information available to those who need it in a manner that they can readily use.
o P/S/A/S is designed to be self-protecting by recognizing, reacting to, and responding to threats, vulnerabilities, and deficiencies.
o P/S/A/S is designed to provide IA situational awareness to minimize unauthorized or accidental access to GIG functions, maintain confidentiality, integrity, and availability, and continuously monitor for security breaches.
Comments:
Milestone B Requirement: System Development and Demonstration
PDI Short Description: The P/S/A/S has not been designed to meet the DoD Net-Centric IA Strategy.
[ ] Open  [ ] Not a Finding  [ ] Not Reviewed  [ ] Not Applicable

8.2
8.3 IA Design Tenets
Does the P/S/A/S comply with all of the IA design tenets as defined in the Net-Centric Operations and Warfare Reference Model (NCOW RM)?
Procedure: Verify P/S/A/S design documentation.
Reference(s): NCOW RM v1.1, para 6.5.1; 6.5.2; 6.5.3; 3.3; Net-Centric Checklist, para I.A. thru I.H; DODI 5000.2, Para 3.7
Indicators:
o The P/S/A/S complies with the Identity Management, Authentication and Privileges tenet.
o The P/S/A/S complies with the Mediate Security Assertions tenet.
o The P/S/A/S complies with the Cross Domain Security Exchange tenet.
o The P/S/A/S complies with the Encryption and HAIPE tenet.
o The P/S/A/S complies with the Employment of Wireless Technologies tenet.
o Data packets routed across networks, not switched via dedicated circuits.
o Data posted by authoritative sources is visible, available, and usable.
o Business process owners are making their own data available on the net as soon as it is created.
o Data separates from applications; the applications "talk" to each other by posting data.
Milestone B Requirement: System Development and Demonstration
PDI Short Description: The P/S/A/S does not comply with all of the IA design tenets as defined in the NCOW RM.
Comments:
Status: Open / Not a Finding / Not Reviewed / Not Applicable
8.4 Assignment of Mission Assurance Category (MAC)/Sensitivity Levels
Have Mission Assurance Category (MAC)/Sensitivity Levels been assigned for the P/S/A/S?
Procedure: Verify designation in C&A documentation.
Reference(s): DODD 8500.1 "Information Assurance", October 24, 2002, para 4.7; DODI 8500.2 "Information Assurance (IA) Program Implementation", February 6, 2003, E4.1.9; DODI 5000.2, Para 3.6
Indicators:
o Levels are documented in requirements documentation.
o Levels are documented in C&A documentation.
Milestone A Requirement: Technology Development
PDI Short Description: An appropriate MAC and Sensitivity Level have not been assigned for the P/S/A/S.
Comments:
Status: Open / Not a Finding / Not Reviewed / Not Applicable

8.5 Integrity and Availability Controls Required for the Assigned MAC Level
Does the P/S/A/S meet the Integrity and Availability controls required for the assigned MAC level?
Procedure: Verify controls traceability.
Reference(s): DODI 8500.2 "Information Assurance (IA) Program Implementation", February 6, 2003, E4.1.9; DODI 5000.2, Para 3.7
Indicators:
o RTM in SSAA.
o IA Controls Check List review with acceptable POA&M for findings.
Milestone B Requirement: System Development and Demonstration
PDI Short Description: The P/S/A/S does not meet the Integrity and Availability controls required for the assigned MAC level.
Comments:
Status: Open / Not a Finding / Not Reviewed / Not Applicable

8.6 Confidentiality Controls Required for the Assigned Sensitivity Level
Does the P/S/A/S meet the Confidentiality controls required for the assigned sensitivity level?
Procedure: Verify controls traceability.
Reference(s): DODI 8500.2 "Information Assurance (IA) Program Implementation", February 6, 2003, E4.1.9; DODI 5000.2, Para 3.7
Indicators:
o SSAA RTM.
o IA Controls Check List review with acceptable POA&M for findings.
Milestone B Requirement: System Development and Demonstration
PDI Short Description: The P/S/A/S does not meet the Confidentiality controls required for the assigned sensitivity level.
Comments:
Status: Open / Not a Finding / Not Reviewed / Not Applicable

8.7 Identification of P/S/A/S Need-to-Know Requirements and Access Control Procedures
Does the P/S/A/S implement need-to-know and access control requirements that have been identified?
Procedure: Review P/S/A/S security plan and procedures. Review SRR findings.
Reference(s): DODI 5000.2, Para 3.8; DISAI 630-230-19
Indicators:
o Necessary P/S/A/S need-to-know and access control requirements are specified and procedures have been implemented.
o The designated P/S/A/S mode of operation supports the need-to-know requirements and access control procedures:
  1. Dedicated Mode
  2. System High Mode
  3. Multilevel Mode
  4. Multilevel, Partitioned Mode
Milestone C Requirement: Production & Deployment/Operations & Maintenance
PDI Short Description: The P/S/A/S does not implement need-to-know and access control requirements.
Comments:
Status: Open / Not a Finding / Not Reviewed / Not Applicable

8.8
8.9 Capture and UDOP Display of Security Events
Does the P/S/A/S capture and provide security event information to populate the CND User Defined Operational Picture (UDOP)?
Procedure: Review P/S/A/S architecture and test documentation.
Reference(s): Net-Centric Information Assurance (IA) Requirements Traceability Matrix; DODI 5000.2, Para 3.7; UDOP CONOP.
Indicators:
o The DNC can monitor the P/S/A/S security status on the UDOP.
Milestone B Requirement: System Development and Demonstration
PDI Short Description: The P/S/A/S does not capture and provide security event information to populate the CND UDOP.
Comments:
Status: Open / Not a Finding / Not Reviewed / Not Applicable

8.10 Automated Capability for Detecting and Reporting P/S/A/S Security Events and Anomalous Behavior
Does the P/S/A/S have an automated capability for detecting and reporting P/S/A/S security events and anomalous behavior?
Procedure: Review P/S/A/S security architecture.
Reference(s): DODI 5000.2, Para 3.7
Indicators:
o P/S/A/S can detect system security events and anomalous behavior.
o Reporting capabilities include page-out and email alerts.
Milestone B Requirement: System Development and Demonstration
PDI Short Description: The P/S/A/S does not have an automated capability for detecting and reporting P/S/A/S security events and anomalous behavior.
Comments:
Status: Open / Not a Finding / Not Reviewed / Not Applicable

8.11 IAVM Methodology
Is the P/S/A/S capable of interaction with the IA Vulnerability Management (IAVM) process and tools?
Procedure: Review IAVM procedures.
Reference(s): CJCSM 6510.01 "Defense-In-Depth: Information Assurance (IA) and Computer Network Defense (CND)", 25 March 2003, Chg 2; DODI 5000.2, Para 3.7.
Indicators:
o Demonstrate ability to accept and respond to IAVM notices and acknowledge compliance or non-applicability in VMS.
o Demonstrate ability to accept and respond to IAVM notices.
o Demonstrate ability to seamlessly interoperate with the Secure Configuration Compliance Validation Initiative (SCCVI) and Secure Configuration Remediation Initiative (SCRI).
Milestone B Requirement: System Development and Demonstration
PDI Short Description: The P/S/A/S is not capable of interaction with the IAVM process and tools.
Comments:
Status: Open / Not a Finding / Not Reviewed / Not Applicable

9
10 GIG CONTENT MANAGEMENT (GCM)
Questions in this section may only be applicable to web services and/or service oriented architectures.

10.1 Metadata
Is the P/S/A/S metadata registered in the metadata registry?
Procedure: Compare system metadata list with registry.
Reference(s): NCES Core services; DODI Meta data registration; DoD Net-Centric Data Strategy, May 9, 2003; DODI 5000.2, Para 3.8.
Indicators:
o Program system metadata list.
o System metadata is in the metadata registry.
Milestone C Requirement: Production & Deployment/Operations & Maintenance
PDI Short Description: The P/S/A/S does not use Metadata that is registered within the Metadata registry.
Comments:
Status: Open / Not a Finding / Not Reviewed / Not Applicable
10.2 Federated Search Aggregators
Does the P/S/A/S use one or more registered Federated Search aggregators?
Procedure: Review P/S/A/S architecture.
Reference(s): DOD Net-Centric Data Strategy, May 9, 2003; DODI 5000.2, Para 3.8
Indicators:
o The Content Discovery service provides a standard, vendor neutral approach for exposing metadata to the GIG.
o The Content Discovery CES defines two interface specifications:
  1. Federated Search specification: provides a standard interface allowing submission of a query to one or more existing data sources, such as databases, catalogs, or search engines;
  2. Enterprise Search specification: provides a standard interface supporting event-driven updates to metadata in a highly available, scalable enterprise catalog.
o The Domain Federation Service is responsible for managing federation relationships with other trust domains. Its operations include the following:
  1. Register a trust domain as federated. This is as simple as putting the domain's Distinguished Name (DN) suffix in an internal lookup table;
  2. De-federate a trust domain;
  3. Joining a parent domain;
  4. Retrieving the set of trusted children from the parent domain;
  5. Given a specific domain DN, check whether it is federated.
Milestone C Requirement: Production & Deployment/Operations & Maintenance
PDI Short Description: The P/S/A/S does not use registered Federated Search aggregators.
Comments:
Status: Open / Not a Finding / Not Reviewed / Not Applicable
10.3 Service Discovery Registry
Is the P/S/A/S registered with the Service Discovery registry according to the standard Federated Search specification?
Procedure: Review P/S/A/S architecture.
Reference(s): DOD Net-Centric Data Strategy, May 9, 2003; DODI 5000.2, Para 3.8; NCES: Software Center Operator Manual (SCOM) Final dtd 25 February 05
Indicators:
o The Service Discovery services consist of the set of services that enable the formulation and execution of search activities to locate data assets (e.g., files, databases, services, directories, Web pages, streams) by exploiting metadata descriptions stored in, and/or generated by, Information Technology (IT) repositories (e.g., directories, registries, catalogs, repositories, and other shared storage).
o A typical usage scenario for Service Discovery is a publish-find-bind cycle. At a high level, the scenario is described as follows:
  1. A service provider publishes a service as well as its deployed instances to the Service Discovery CES.
  2. A service consumer searches through the Service Discovery CES and finds the service instance(s) that meet the search criteria.
  3. The service consumer uses the end point information of a found service instance to "bind to" and consume the service.
o For both publishing and inquiry, the service interfaces are protected using the techniques prescribed in the NCES Security Architecture, so that:
  • Identities of publishers, inquirers, and discovery service providers may be established;
  • The publishing and inquiry requests and responses are authenticated and their message integrity verified;
  • The requests and responses are authorized against access control policies, if necessary.
Milestone C Requirement: Production & Deployment/Operations & Maintenance
PDI Short Description: The P/S/A/S is not registered with the Service Discovery registry according to the standard Federated Search specification.
Comments:
Status: Open / Not a Finding / Not Reviewed / Not Applicable
10.4 Roles-Based Access
Does the P/S/A/S employ roles-based access to an OSD level Community of Interest (COI)?
Procedure: Review P/S/A/S architecture and SSAA.
Reference(s): Joint Concept of Operations (CONOPS) for Global Information Grid (GIG) NetOps, Version 3, 4 August 2006; DODI 5000.2, Para 3.8; NCES: Software Center Operator Manual (SCOM) Final dtd 25 February 05; NCES Implementation Procedure for Content Staging (CS), Release 4.1.3 For Solaris 8 Document Version 1.0 dtd 29 March 2004; ANSI INCITS 359-2004; NCES CS/IDM Release 4.1.2 SSAA Ver 3.0 dtd November 2004; NCES CS/IDM Release 4.1.2 TFM dtd November 2003
Indicators:
o Role based access:
  • Consumer – A recipient of an information product, or an agent of the recipient; also called an information consumer.
  • Producer – An originator of an information product, or an agent of the originator; also called an information producer.
  • Information Management Officer (IMO) – A person responsible for a) describing the information flows across a CS configuration, b) coordinating access to information sources, and c) allocating CS functions to locations and networks.
  • Commander – A definer of user roles and information domains, or an agent of the author.
  • CS administrator – A computer system administrator responsible for the installation, configuration, and administration of CS software and user accounts.
Milestone C Requirement: Production & Deployment/Operations & Maintenance
PDI Short Description: The P/S/A/S does not employ roles-based access to a COI.
Comments:
Status: Open / Not a Finding / Not Reviewed / Not Applicable
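The publish-find-bind cycle of 10.3 and the role-based access of 10.4 come together at the registry interface: every publish or inquiry must establish who is asking, prove the message was not altered, and be checked against an access policy before it is executed. The following is an added example, not the NCES implementation or any DoD code: a toy Service Discovery registry that walks the cycle and then shows three requests it must refuse (a Consumer-role principal publishing, a publish altered after signing, and a replayed inquiry). Identity and integrity are modelled with an HMAC over a per-principal shared secret, which stands in for the PKI mechanisms the NCES Security Architecture prescribes; the principals, keys, role-to-operation policy, service name and endpoint are all constructed for the example.

```python
"""Publish-find-bind with authenticated, role-authorized registry requests.

Added example, not the NCES implementation: a toy Service Discovery
registry that walks the 10.3 publish-find-bind cycle and enforces the
10.4 role-based access pattern. Identity and message integrity use an
HMAC over a per-principal shared secret, standing in for the PKI
mechanisms the NCES Security Architecture prescribes. All principals,
keys, policy entries and service data below are constructed.
"""
import hashlib
import hmac
import json
import secrets

# Constructed principals: name -> (role from 10.4, shared key).
PRINCIPALS = {
    "weather-svc": ("Producer", b"constructed-key-producer"),
    "c2-client": ("Consumer", b"constructed-key-consumer"),
}
# Assumed access control policy: the operations each role may request.
ROLE_OPERATIONS = {"Producer": {"publish", "find"}, "Consumer": {"find"}}
WEATHER_ENDPOINT = "https://weather.example/v1"  # constructed endpoint


class AuthorizationError(Exception):
    """Raised when a request fails authentication, replay or policy checks."""


def canonical(body):
    """Deterministic encoding so signer and verifier MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_request(principal, key, op, payload):
    """Client side: build a request carrying identity, nonce and MAC."""
    body = {"principal": principal, "op": op, "payload": payload,
            "nonce": secrets.token_hex(8)}
    body["mac"] = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return body


class DiscoveryRegistry:
    def __init__(self, principals, policy):
        self._principals = principals
        self._policy = policy
        self._services = {}        # service name -> list of endpoints
        self._seen_nonces = set()  # replay protection

    def _authenticate(self, request):
        """Establish the requester's identity and verify message integrity."""
        role, key = self._principals.get(request.get("principal"), (None, None))
        if key is None:
            raise AuthorizationError("unknown principal")
        unsigned = {k: v for k, v in request.items() if k != "mac"}
        expected = hmac.new(key, canonical(unsigned), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, request.get("mac", "")):
            raise AuthorizationError("bad MAC: identity or integrity failure")
        if request["nonce"] in self._seen_nonces:
            raise AuthorizationError("replayed request")
        self._seen_nonces.add(request["nonce"])
        return role

    def handle(self, request):
        """Authenticate, authorize against the role policy, then execute."""
        role = self._authenticate(request)
        op = request["op"]
        if op not in self._policy.get(role, set()):
            raise AuthorizationError(f"role {role} may not {op}")
        name = request["payload"]["name"]
        if op == "publish":
            self._services.setdefault(name, []).append(request["payload"]["endpoint"])
            return {"published": name}
        return {"endpoints": list(self._services.get(name, []))}


def publish_find_bind_demo():
    """Run the 10.3 cycle; return the endpoint the consumer binds to."""
    reg = DiscoveryRegistry(PRINCIPALS, ROLE_OPERATIONS)
    _, pkey = PRINCIPALS["weather-svc"]
    reg.handle(sign_request("weather-svc", pkey, "publish",
                            {"name": "weather", "endpoint": WEATHER_ENDPOINT}))
    _, ckey = PRINCIPALS["c2-client"]
    found = reg.handle(sign_request("c2-client", ckey, "find", {"name": "weather"}))
    return found["endpoints"][0]


def rejected_requests():
    """Return the refusal reasons for three requests the registry must reject:
    a Consumer publishing (policy), a publish altered after signing
    (integrity), and a valid find submitted twice (replay)."""
    reg = DiscoveryRegistry(PRINCIPALS, ROLE_OPERATIONS)
    _, pkey = PRINCIPALS["weather-svc"]
    _, ckey = PRINCIPALS["c2-client"]
    tampered = sign_request("weather-svc", pkey, "publish",
                            {"name": "weather", "endpoint": WEATHER_ENDPOINT})
    tampered["payload"]["endpoint"] = "https://altered.example/"
    replayed = sign_request("c2-client", ckey, "find", {"name": "weather"})
    reg.handle(replayed)  # first submission is accepted
    reasons = []
    for req in (sign_request("c2-client", ckey, "publish",
                             {"name": "weather", "endpoint": WEATHER_ENDPOINT}),
                tampered, replayed):
        try:
            reg.handle(req)
        except AuthorizationError as exc:
            reasons.append(str(exc))
    return reasons
```

The order of checks matters: identity and integrity are established before the policy lookup, so an unauthenticated caller never learns which operations a role is allowed, and the nonce set is only updated after the MAC verifies, so forged messages cannot poison replay state.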
10.5 Smart Push/Pull of Data
Does the P/S/A/S subscribe for smart push/pull of data?
Procedure: Review P/S/A/S architecture and SSAA.
Reference(s): Joint Concept of Operations (CONOPS) for Global Information Grid (GIG) NetOps, Version 3, 4 August 2006; DOD Net-Centric Data Strategy, May 9, 2003; DODI 5000.2, Para 3.8; Understanding Metadata by NISO Press in 2004; NCES Annex T for Discovery Service dtd April 2004
Indicators:
o The P/S/A/S has the ability to register and discover metadata artifacts in the DOD Metadata Registry and Clearinghouse.
o Trust relationship between a service consumer and a provider.
o Service interfaces are protected using the techniques prescribed in the NCES Security Architecture:
  • Identifies publishers.
  • Identifies inquirers.
  • Establishes discovery service providers.
o The publishing and inquiry requests and responses are authenticated and their message integrity verified.
o The requests and responses are authorized against access control policies, if necessary.
o Owner able to "vouch for" its published entities so that consumers can have some degree of trust in these entities.
Milestone C Requirement: Production & Deployment/Operations & Maintenance
PDI Short Description: The P/S/A/S does not subscribe for smart push/pull of data.
Comments:
Status: Open / Not a Finding / Not Reviewed / Not Applicable
10.6 Publication Mechanism for Smart Push/Pull of Data
Does the P/S/A/S's data system implement a publication mechanism for smart push/pull of data?
Procedure: Review P/S/A/S architecture and SSAA.
Reference(s): Joint Concept of Operations (CONOPS) for Global Information Grid (GIG) NetOps, Version 3, 4 August 2006; DOD Net-Centric Data Strategy, May 9, 2003; DODI 5000.2, Para 3.8; Understanding Metadata by NISO Press in 2004; NCES Annex T for Discovery Service dtd April 2004; NCES CS/IDM Release 4.1.2 SSAA Ver 3.0 dtd November 2004; NCES CS/IDM Release 4.1.2 TFM dtd November 2003
Indicators:
o A human user/operator serves as the publisher, who uses a web user interface to publish the service entities in the registry.
o An application (possibly the service itself) uses a publishing Web Service/Application Program Interface (API) provided by the registry to publish the service entities.
o A service dynamically updates its definitions and metadata in the registry, so that the entities in the registry are kept in sync with the operating conditions of the real service.
Milestone C Requirement: Production & Deployment/Operations & Maintenance
PDI Short Description: The P/S/A/S's data system does not implement a publication mechanism for smart push/pull of data.
Comments:
Status: Open / Not a Finding / Not Reviewed / Not Applicable
10.7 Caching, Content Management, or Other "Smart" Delivery Mechanisms
Does the P/S/A/S employ "smart" delivery mechanisms to minimize bandwidth, assure timely delivery and assure Information Integrity? (Control over own pipe size?)
Procedure: Review P/S/A/S architecture.
Reference(s): Joint Concept of Operations (CONOPS) for Global Information Grid (GIG) NetOps, Version 3, 4 August 2006; DOD Net-Centric Data Strategy, May 9, 2003; DODI 5000.2, Para 3.8; NCES Implementation Procedure for Content Staging (CS), Release 4.1.3 For Solaris 8 Document Version 1.0 dtd 29 March 2004; Understanding Metadata by NISO Press in 2004; NCES Annex T for Discovery Service dtd April 2004
Indicators:
o Data flow is bi-directional.
o Provides services to manage and prioritize the use of the communications infrastructure by utilizing customizable, user-defined information profiles.
o These profiles use "smart push" and responsive "user pull" technologies. Dynamically routes information via the best communications path available according to precedence, various qualities of service (timeliness, latency, error-tolerance, delay variation, etc.), size of files, continuous data rates, and other factors.
Milestone C Requirement: Production & Deployment/Operations & Maintenance
PDI Short Description: The P/S/A/S does not employ caching, content management, or other "smart" delivery mechanisms to minimize bandwidth and/or assure timely delivery, and assure Information Integrity.
Comments:
Status: Open / Not a Finding / Not Reviewed / Not Applicable
10.8 Receipt and Delivery Notifications
Does the P/S/A/S use receipt and delivery notifications?
Procedure: Review P/S/A/S architecture.
Reference(s): Joint Concept of Operations (CONOPS) for Global Information Grid (GIG) NetOps, Version 3, 4 August 2006; DODI 5000.2, Para 3.8; NCES CS/IDM Release 4.1.2 SSAA Ver 3.0 dtd November 2004; NCES CS/IDM Release 4.1.2 TFM dtd November 2003
Indicators:
o System receipt notifications.
o System delivery notifications.
Milestone C Requirement: Production & Deployment/Operations & Maintenance
PDI Short Description: The P/S/A/S does not utilize receipt and delivery notifications from CS/IDM.
Comments:
Status: Open / Not a Finding / Not Reviewed / Not Applicable

10.9 Definition of User Population/COI
Is the user population/COI defined/known (e.g. scope and scaling)?
Procedure: Review P/S/A/S CONOPS.
Reference(s): Joint Concept of Operations (CONOPS) for Global Information Grid (GIG) NetOps, Version 3, 4 August 2006; DOD Net-Centric Data Strategy, May 9, 2003; DODI 5000.2, Para 3.8; DODD 8320.2 December 2, 2004
Indicators:
o Target data consumers are defined.
Milestone C Requirement: Production & Deployment/Operations & Maintenance
PDI Short Description: The P/S/A/S user population/COI is not clearly defined or known.
Comments:
Status: Open / Not a Finding / Not Reviewed / Not Applicable
10.10 Contingency Operations
Is the P/S/A/S able to provide full services in all contingencies within limits based on P/S/A/S MAC Level?
Procedure: Review accreditation documentation (SSAA).
Reference(s): Joint Concept of Operations (CONOPS) for Global Information Grid (GIG) NetOps, Version 3, 4 August 2006; DODI 5000.2, Para 3.8; NCES CONOPS dtd September 2004; NIST Special Publication 800-34, Contingency Planning Guide for Information Technology (IT) Systems dtd June 2002; NCES CS/IDM Release 4.1.2 TFM dtd November 2003
Indicators:
o Capability should not be lost during COOP.
o BCP.
o Redundant architecture.
Milestone C Requirement: Production & Deployment/Operations & Maintenance
PDI Short Description: The P/S/A/S does not include contingency operations.
Comments:
Status: Open / Not a Finding / Not Reviewed / Not Applicable
10.11 Monitoring and Analysis
Is information available on the network that enables monitoring and analysis (e.g. up/down status, info flow and access, impact on network, user quality of service)?
Procedure: Review P/S/A/S architecture.
Reference(s): Joint Concept of Operations (CONOPS) for Global Information Grid (GIG) NetOps, Version 3, 4 August 2006; DODI 5000.2, Para 3.8; NCES CS/IDM Release 4.1.2 SSAA Ver 3.0 dtd November 2004; NCES CS/IDM Release 4.1.2 TFM dtd November 2003
Indicators:
o Components provide information that can be used to monitor both P/S/A/S performance and access.
o Available information is used to maintain and improve quality of service.
Milestone C Requirement: Production & Deployment/Operations & Maintenance
PDI Short Description: The information that enables monitoring and analysis is not available on the network.
Comments:
Status: Open / Not a Finding / Not Reviewed / Not Applicable
11 APPENDIX B. ACRONYMS

ACAT: Acquisition Category
AIS: Assured Information Sharing
AMM: Assured Mission Management
ASD(NII): Assistant Secretary of Defense for Networks & Information Integration
ATO: Approval to Operate
CAE: Component Acquisition Executive
C4ISR: Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance
CDRUSSTRATCOM: Commander, USSTRATCOM
CDS: Cross-Domain Solution
CES: Core Enterprise Service
CFE: Chief Financial Executive
CIO: Chief Information Officer
CJCS: Chairman, Joint Chiefs of Staff
CJCSI: Chairman, Joint Chiefs of Staff Instruction
CJCSM: Chairman, Joint Chiefs of Staff Manual
CM: Configuration Management
COI: Community of Interest
CON: Confidentiality
CONOPS: Concept Of Operations
COOP: Continuity of Operations Plan
COP: Common Operational Picture
CoS: Class of Service
COTS: Commercial Off-The-Shelf
CP-SIB: Cross Program – Synchronization and Integration Board
CTO: Chief Technology Office
DAA: Designated Accrediting Authority
DCN: Dedicated Control Net
DECC: Defense Enterprise Computing Centers
DHCP: Dynamic Host Configuration Protocol
DIACAP: DoD Information Assurance Certification and Accreditation Program
DIAP: Defense Information Assurance Program
DITSCAP: Defense Information Technology Security Certification and Accreditation Process
DISA: Defense Information Systems Agency
DISAC: Defense Information Systems Agency Circular
DISAI: Defense Information Systems Agency Instruction
DISN: Defense Information Systems Network
DNC: DISA NetOps Center
DoD: Department of Defense
DoDAF: DoD Architecture Framework
DoDD: Department Of Defense Directive
DoDI: Department Of Defense Instruction
DOTMLPF: Doctrine, Organization, Training, Materiel, Leadership and Education, Personnel and Facilities
DTG: Defend the GIG
EMS: Element Management System
FCAPS: Fault, Configuration, Accounting, Performance, Security
FSO: Field Security Operations
GE: GIG Engineering
GES: Global Enterprise Services
GIAP: GIG IA Portfolio
GIG: Global Information Grid
GIG-OPS: Global Information Grid – Operations
GISMC: GIG Infrastructure Services Management Center
GCM: GIG Content Management
GEM: GIG Enterprise Management
GND: GIG Network Defense
GNSC: Global NetOps Support Center
GO: GIG Operations
GOTD: GIG Operations Technical Director's Team
GS: GIG Combat Services
HAE: Highly Available Enterprise
IA/CND: Information Assurance / Computer Network Defense
IAM: Information Assurance Manager
IATO: Interim Approval To Operate
IAVA: Information Assurance Vulnerability Alert
IAVM: Information Assurance Vulnerability Management
IAW: In Accordance With
ICATS: Integrated Configuration and Tracking System
INMS: Integrated Network Management System
INR: Integrity and Non-Repudiation
IP: Internet Protocol
ISP: Internet Service Provider
IT: Information Technology
JTF-GNO: Joint Task Force – Global Network Operations
LCM: Life Cycle Management
MAC: Mission Assurance Category
MAIS: Major Automated Information System
MNS: Mission Need Statement
MOA/MOI: Memorandum of Agreement / Memorandum of Interconnection
MSP: Managed Service Provider
MTNM: Multi-Technology Network Management
MTOSI: Multi-Technology Operations System Interface
NCES: Net-Centric Enterprise Services
NCOW RM: Net-Centric Operations and Warfare Reference Model
NetOps: NetOps is not a traditional acronym but rather shorthand for an integrated approach to accomplishing GIG SA, C2, and the three interdependent tasks necessary to operate the GIG: GIG Enterprise Management (GEM), GIG Network Defense (GND) and GIG Content Management (GCM).
NGAB: NetOps Governance and Advisory Board
NRRB: NetOps Readiness Review Board
NIPRNET: Non-Classified Internet Protocol Router Network
NSO: Network Security Officer
NSTISSP: National Security Telecommunications and Information Systems Security Policy
OIPT: Overarching Integrated Product Team
OSD: Office of the Secretary of Defense
OSS: Operations Support System
PDI: Path Defect Indicator
PEO-IAN: Program Executive Office – Information Assurance/NetOps
POA&M: Plan Of Action & Milestones
PSP: Product Support Plan
PM: Program Manager
PMO: Program Management Office
POM: Program Objective Memorandum
PPS: Ports, Protocols, and Services
P/S/A/S: Programs/Systems/Applications/Services
QOS: Quality of Service
RFC: Request for Comment
RTM: Requirements Traceability Matrix
SA: Situational Awareness
SCCVI: Secure Configuration Compliance Validation Initiative
SCRI: Secure Configuration Remediation Initiative
SEPA: Systems Engineering Process Assessment
SLA: Service Level Agreement
SSAA: System Security Authorization Agreement
SSP: System Security Plan
SOO: Statement of Objectives
SOP: Standing Operational Procedure
SOR: Statement of Requirement
STIG: Security Technical Implementation Guide
TED: Test and Evaluation Directorate
TMS: Trouble Management System
TNC: Theater NetOps Centers
TPPU: Task, Post, Process, Use
UDOP: User Defined Operational Picture
USSTRATCOM: US Strategic Command
WIPT: Working Integrated Product Teams
12 APPENDIX C. REFERENCES

DISA Publications

(a) DISA CONOPS Template, 12 February 2007.
(b) DISA Net-Centric Enterprise Services (NCES), 15 June 2007.
(c) DISA NetOps Common Operational Picture (NETCOP) Functional Requirements Specification, Version 1.0, 10 September 2004.
(d) DISA Operations Support Team (OST) CONOPS, Version 3, November 2006.
(e) Director's Policy Letter 2006-8: Trouble Management System (TMS), 15 August 2006.
(f) NCES Annex T for Discovery Services.
(g) NCES CS/IDM Release 4.1.2 SSAA Ver 3.0, November 2004.
(h) NCES CS/IDM Release 4.1.2 TFM, November 2003.
(i) NCES Implementation Procedure for Content Staging (CS), Release 4.1.3 For Solaris 8 Document Version 1.0, 29 March 2004.
(j) NCES: Software Center Operator Manual (SCOM) Final, 25 February 2005.
(k) Net-Centric Review Process and Strategy for DISA, Version 1.1, 25 July 2006.
(l) Net-Centric Operations and Warfare Reference Model (NCOW RM) v1.1, 8 November 2004.
(m) Request for Comment (RFC) 791, Internet Protocol, DARPA Internet Program Protocol Specification, http://www.ietf.org/rfc/rfc0791.txt
(n) Request for Comment (RFC) 2460, Internet Protocol, Version 6 (IPv6) Specification, http://www.ietf.org/rfc/rfc2460.txt
(o) DISAC 310-130-2, Management Thresholds and Performance Objectives, 4 May 2006.
(p) DISAC 310-55-1, Status Reporting for the Defense Communications Systems, 8 May 2002.
(q) DISAI 310-220-1, "Boards and Committees, DISA Network Operations (NetOps) Boards", Draft, 20 May 2007.
(r) DISAI 630-230-19, Automatic Data Processing, Information Assurance, 2 March 2007.

DoD Publications

(s) Acquisition Information Assurance Strategy for Net-Centric Enterprise Services (NCES), Version 1.0, 10 May 2006.
(t) ASD/NII Net-Centric Checklist, Version 2.1.4, 30 July 2004.
(u) DCID 1/19, Security Policy for Sensitive Compartmented Information and Security Policy Manual, 1 March 1995.
(v) DCID 6/3, "Protecting Sensitive Compartmented Information Within Information Systems", Manual, 24 May 2007.
(w) DoD Architecture Framework (DoDAF), Version 1.5, Volume I: Definitions and Guidelines, 23 April 2007.
(x) DoD Architecture Framework (DoDAF), Version 1.5, Volume II: Product Descriptions, 23 April 2007.
(y) DoD Architecture Framework (DoDAF), Version 1.5, Volume III: Architecture Data Description, 23 April 2007.
(z) DoD Memorandum from the Deputy Assistant Secretary of Defense, IPv6, June 2003.
(aa) DoD Memorandum from the Deputy Assistant Secretary of Defense, Internet Protocol Version 6 (IPv6) Interim Transition Guidance, 29 September 2003.
(bb) DoD Net-Centric Data Strategy, 9 May 2003.
(cc) DoD Net-Centric Information Assurance (IA) Strategy Ver 1.0, 30 June 2004.
(dd) DoD 5200.2-R, "DoD Personnel Security Program", January 1987.
(ee) DoD 5220.22M, "National Industrial Security Program Operating Manual" (NISPOM), 29 February 2006.
(ff) DoD 5220.22-M, "National Industrial Security Program Operating Manual Supplement" (NISPOMSUP), 4 February 1995.
(gg) DoD 8570.01-M, "Information Assurance Workforce Improvement Program", 19 December 2005.
(hh) DoDD 5000.1, "The Defense Acquisition System", 12 May 2003.
(ii) DoDD 8115.01, "Information Technology Portfolio Management", 10 October 2005.
(jj) DODD 8320.02, "Data Sharing in a Net-Centric Department of Defense", 23 April 2007.
(kk) DoDD 8500.01E, "Information Assurance (IA)", 24 October 2002, Certified Current as of 23 April 2007.
(ll) DoDD O-8530.1, "Computer Network Defense (CND)", 8 January 2001.
(mm) DoDI 5000.2, "Operation of the Defense Acquisition System", 12 May 2003.
(nn) DoDI 8410.x, "NetOps for the Global Information Grid (GIG)", Draft 19, 26 February 2007.
(oo) DoDI 8500.2, "Information Assurance (IA) Program Implementation", 6 February 2003. Includes IA Control Numbers DCCS-1, DCCS-2, DCFA-1, DCHW-1, DCPP-1, DCPR-1, DCSD-1, DCSW-1 from Enclosure 4.
(pp) DoDI 8551.1, "Ports, Protocols, and Services Management (PPSM)", 13 August 2004.
(qq) DoDI 8580.1, "Information Assurance (IA) in the Defense Acquisition System", 9 July 2004.
(rr) DoDI O-8530.2, "Support to Computer Network Defense (CND)", 9 March 2001.

Joint Publications

(ss) Joint Concept of Operations (CONOPS) for Global Information Grid (GIG) NetOps, Version 3, 4 August 2006.
(tt) Joint Requirements Oversight Council (JROCM) Memorandum 134-01, Capstone Requirements Document, Global Information Grid (GIG), 30 August 2001.
(uu) CJCSI 6211.02B, "Defense Information System Network (DISN): Policy, Responsibilities and Processes", 31 July 2003, Enclosure B, Responsibilities, Certified Current as of 30 August 2006.
(vv) CJCSI 6510.01D, "Information Assurance & Computer Network Defense", 15 June 2004.
(ww) CJCSM 6510.01, "Defense-In-Depth: Information Assurance (IA) and Computer Network Defense (CND)", CHG 3, 8 March 2006, Current as of 14 Mar 2007.
(xx) JP 1-02, DoD Dictionary of Military and Associated Terms, 12 April 2001 as amended through 13 June 2007.

Other Publications

(yy) ANSI INCITS 359-2004, "Role Based Access".
(zz) CMU/SEI-2003-HB-002, Handbook for Computer Security Incident Response Teams, Second Edition, April 2003.
(aaa) NIST Special Publication 800-34, Contingency Planning Guide for Information Technology (IT) Systems, June 2002.
1221 1222 (bbb) Understanding Metadata, NISO Press in 2004. 1223 1224 1225Websites 1226 1227 (ccc)DISA Core Services – NetOps 53866 UNCLASSIFIED 539 540
    • 541 UNCLASSIFIED 542 543NetOps Readiness Review Process and P/S/A/S Readiness Checklist, V2.1 54431 Aug 2007 Defense Information Systems Agency 545 1228 http://www.disa.mil/main/prodsol/cs_netops.html 1229 1230 (ddd)GIG Enterprise IA Architecture and Standards Engineering, 1231 https://gesportal.dod.mil/sites/gigia/default.aspx 1232 1233 (eee)DISA Net-Centric Enterprise Services (NCES) Core Services 1234 http://www.disa.mil/nces/enterprise_services.html 1235 1236 (fff) DOD Metadata Registry and Clearinghouse 1237 https://metadata.dod.mil/mdr/homepage.htm 1238 1239 (ggg)DoD Dictionary of Military Terms 1240 http://www.dtic.mil/doctrine/jel/doddict/ 1241 1242 (hhh)DoD GIG Enterprise Services (GES) Strategy v1.1a. 1243 https://gesportal.dod.mil/sites/DoDGESS/default.aspx 54667 UNCLASSIFIED 547 548
UNCLASSIFIED
NetOps Readiness Review Process and P/S/A/S Readiness Checklist, V2.1
31 Aug 2007 Defense Information Systems Agency

APPENDIX D. DEFINITIONS

1. Accessible. A data asset is accessible when a human, system, or application may retrieve the data within the asset. Data assets may be made accessible by using shared storage space or web services that expose the business or mission process that generates data in readily consumable forms.

2. Application. Software program that performs a specific function directly for a user and can be executed without access to system control, monitoring or administrative privileges. Examples include office automation, electronic mail, web services, and major functional or mission software programs.

3. Approval to Operate (ATO). The authorization, granted by a DAA, for a DoD information system to process, store, or transmit information. Authorization is based on acceptability of the IA component, the system architecture and implementation of assigned IA Controls. The ATO accreditation decision must specify an Authorization Termination Date (ATD) that is within three years of the authorization date.

4. Authentication. Security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information.

5. Authoritative Source. A source of data or information that is recognized by members of a COI to be valid or trusted because it is considered to be highly reliable or accurate or is from an official publication or reference (e.g., the United States (U.S.) Postal Service is the official source of U.S. mailing ZIP codes).

6. Authorized User. Any appropriately cleared individual with a requirement to access a DoD information system in order to perform or assist in a lawful and authorized governmental function.

7. Availability. Timely, reliable access to data and information services for authorized users.

8. Community of Interest (COI). A collaborative group of users that must exchange information in pursuit of its shared goals, interests, missions, or business processes and therefore must have a shared vocabulary for the information it exchanges.

9. Community Risk. The probability that a particular vulnerability will be exploited within an interacting population and adversely impact some members of that population.

10. Computer Network. The constituent element of an enclave responsible for connecting computing environments by providing short-haul data transport capabilities such as local or campus area networks, or long-haul data transport capabilities such as operational, metropolitan, or wide area and backbone networks.

11. Computing Environment. Workstation or server (host) and its operating system, peripherals, and applications.

12. Confidentiality. Assurance that information is not disclosed to unauthorized entities or processes.

13. Connection Approval. Formal authorization to interconnect information systems.

14. Data Asset. Any entity that is comprised of data. For example, a database is a data asset that is comprised of data records. A data asset may be a system or application output file, database, document, or web page. A data asset also includes a service that may be provided to access data from an application. For example, a service that returns individual records from a database would be a data asset. Similarly, a web site that returns data in response to specific queries (e.g., www.weather.com) would be a data asset. A human, system, or application may create a data asset.

15. Data. A representation of facts, concepts, or instructions in a formalized manner suitable for communication, interpretation, or processing by humans or by automatic means. Data and information are equivalent terms for the purposes of this document.

16. Data-Centric. Data separate from applications; applications talk to each other by posting data. Focus on metadata registered in the DoD Metadata Repository.

17. Defense Information System Network (DISN). The DoD consolidated worldwide enterprise-level telecommunications infrastructure that provides the end-to-end information transfer network for supporting military operations.

18. Defense-in-Depth. The DoD approach for establishing an adequate IA posture in a shared-risk environment that allows for shared mitigation through: the integration of people, technology, and operations; the layering of IA solutions within and among IT assets; and the selection of IA solutions based on their relative level of robustness.

19. Designated Accrediting Authority (DAA). The official with the authority to formally assume responsibility for operating a system at an acceptable level of risk. This term is synonymous with Designated Accrediting Authority and Delegated Accrediting Authority.

20. DMZ (Demilitarized Zone). Perimeter network segment that is logically between internal and external networks. Its purpose is to enforce the internal network's IA policy for external information exchange and to provide external, untrusted sources with restricted access to releasable information while shielding the internal network from outside attacks. A DMZ is also called a "screened subnet."

21. DoD Information System. Set of information resources organized for the collection, storage, processing, maintenance, use, sharing, dissemination, disposition, display, or transmission of information. Includes P/S/A/S applications, enclaves, outsourced IT-based processes, and platform IT interconnections.

22. Domains. In this Directive, domains are subsets of Mission Areas and represent a common collection of related, or highly dependent, information capabilities and services. Managing these related information capabilities and services within domains improves coordination, collaboration, integration, and consistency of processes and interfaces for information sharing.

23. Enclave. Collection of computing environments connected by one or more internal networks under the control of a single authority and security policy, including personnel and physical security. Enclaves always assume the highest mission assurance category and security classification of the P/S/A/S applications or outsourced IT-based processes they support, and derive their security needs from those systems. They provide standard IA capabilities such as boundary defense, incident detection and response, and key management, and also deliver common applications such as office automation and electronic mail. Enclaves are analogous to general support systems. Enclaves may be specific to an organization or a mission, and the computing environments may be organized by physical proximity or by function independent of location. Examples of enclaves include local area networks and the applications they host, backbone networks, and data processing centers.

24. Enterprise Information Environment Mission Area. The Department of Defense's Mission Area responsible for managing the part of the DoD portfolio known as the enterprise information environment (EIE), which is the common, integrated computing and communications environment of the GIG. The EIE is composed of GIG assets that operate as, or that assure, local area networks, campus area networks, tactical networks, operational area networks, metropolitan area networks, and wide area networks. The EIE is also composed of GIG assets that operate as, or that assure, end user devices, workstations, and servers that provide local, organizational, regional, or global computing capabilities. The EIE includes all software associated with the operation of EIE assets and the development environments and user productivity tools used in the GIG. The EIE includes a common set of enterprise services, called Core Enterprise Services, which provide awareness of, access to, and delivery of information on the GIG.

25. Enterprise. Refers to the Department of Defense, its organizations, and related Agencies.

26. Extensible Markup Language (XML). A tagging language used to describe and annotate data so it can be consumed by human and system interactions. XML is typically arranged hierarchically using XML elements and attributes. It also uses semantically rich labels to describe elements and attributes to enable meaningful comprehension. An example of XML data describing an element named "Person" appears as follows:

    <Person>
        <FirstName>John</FirstName>
        <MiddleInitial>H</MiddleInitial>
        <LastName>Doe</LastName>
    </Person>

27. Federated Data. Data that is joined or otherwise merged from multiple data sources, of potentially different types. The merging should be done in a manner that is invisible to the end user, who should be able to merely issue a standard query to the system and receive the consolidated results. This is a capability that is independent of any abstraction layer and provides uniform, integrated access to disparate systems.

28. For Official Use Only (FOUO). In accordance with DoD 5400.7-R, DoD information exempted from mandatory public disclosure under the Freedom of Information Act (FOIA).

29. Global Information Grid (GIG). The globally connected, end-to-end set of information capabilities, associated processes, and personnel for collecting, processing, storing, disseminating, and managing information on demand to war fighters, policy makers, and support personnel.

30. IA Certification and Accreditation. The standard DoD approach for identifying information security requirements, providing security solutions, and managing the security of DoD information systems.

31. Information Assurance (IA). Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.

32. Information Capability. The ability to consume and generate information in the form of data assets by performing a specific task using IT and/or NSS.

33. Information Owner. Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.

34. Information Technology (IT). Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the DoD Component. For purposes of the preceding sentence, equipment is used by a DoD Component if the equipment is used directly by the DoD Component or is used by a contractor under a contract with the DoD Component which requires the use of such equipment or requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. The term "information technology" includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related sources. It also includes NSS as defined below. Notwithstanding the above, the term "information technology" does not include any equipment that is acquired by a Federal contractor incidental to a Federal contract.

35. Integrity. Quality of an information system reflecting the logical correctness and reliability of the operating system; the logical completeness of the hardware and software implementing the protection mechanisms; and the consistency of the data structures and occurrence of the stored data. Note that, in a formal security mode, integrity is interpreted more narrowly to mean protection against unauthorized modification or destruction of information.

36. Interim Approval to Operate (IATO). Temporary authorization to operate a DoD information system under the conditions or constraints enumerated in the accreditation decision. An IATO accreditation decision is intended to manage IA security weaknesses, and must specify an Authorization Termination Date (ATD) that is within 180 days of the authorization date.

37. Law, Policy, or Security Classification. The pertinent statutory and regulatory authority dealing with data assets includes, but is not limited to: personal information, intelligence information, medical information, information on a non-DoD person, and classified information.

38. Metadata. Information describing the characteristics of data; data or information about data; or descriptive information about an entity's data, data activities, systems, and holdings. For example, discovery metadata is a type of metadata that allows data assets to be found using enterprise search capabilities.

39. Metadata Registry. A metadata registry is a system that contains information that describes the structure, format, and definitions of data. Typically, a registry is a software application that uses a database to store and search data, document formats, definitions of data, and relationships among data. System developers and applications are the predominant users of a metadata registry.

A federated metadata registry is one in which multiple registries are joined electronically through a common interface and exchange structure, thereby effecting a common registry.

40. Mission Area. A defined area of responsibility with functions and processes that contribute to mission accomplishment.

41. Mission Assurance Category (MAC). Applicable to DoD information systems, the mission assurance category reflects the importance of information relative to the achievement of DoD goals and objectives, particularly the war fighters' combat mission. Mission assurance categories are primarily used to determine the requirements for availability and integrity. The Department of Defense has three defined mission assurance categories:

    Mission Assurance Category I (MAC I). Systems handling information that is determined to be vital to the operational readiness or mission effectiveness of deployed and contingency forces in terms of both content and timeliness. The consequences of loss of integrity or availability of a MAC I system are unacceptable and could include the immediate and sustained loss of mission effectiveness. MAC I systems require the most stringent protection measures.

    Mission Assurance Category II (MAC II). Systems handling information that is important to the support of deployed and contingency forces. The consequences of loss of integrity are unacceptable. Loss of availability is difficult to deal with and can only be tolerated for a short time. The consequences could include delay or degradation in providing important support services or commodities that may seriously impact mission effectiveness or operational readiness. MAC II systems require additional safeguards beyond best practices to ensure adequate assurance.

    Mission Assurance Category III (MAC III). Systems handling information that is necessary for the conduct of day-to-day business, but does not materially affect support to deployed or contingency forces in the short-term. The consequences of loss of integrity or availability can be tolerated or overcome without significant impacts on mission effectiveness or operational readiness. The consequences could include the delay or degradation of services or commodities enabling routine activities. MAC III systems require protective measures, techniques or procedures generally commensurate with commercial best practices.

42. Mobile Code. Software modules obtained from remote systems, transferred across a network, and then downloaded and executed on local systems without explicit installation or execution by the recipient.

43. National Information Assurance Partnership (NIAP). Joint initiative between the NSA and the National Institute of Standards and Technology responsible for security testing needs of both IT consumers and producers and promoting the development of technically sound security requirements for IT products and systems and appropriate measures for evaluating those products and systems.

44. National Security Systems (NSS). Any telecommunications or information system operated by the U.S. Government, the function, operation, or uses of which involves intelligence activities; involves cryptologic activities related to national security; involves command and control of military forces; involves equipment that is an integral part of a weapon or weapons system; or is critical to the direct fulfillment of military and intelligence missions, but excluding any system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications).

45. Need-to-Know Determination. Decision made by an authorized holder of official information that a prospective recipient requires access to specific official information to carry out official duties.

46. Need-to-Know. Necessity for access to, or knowledge or possession of, specific official DoD information required to carry out official duties.

47. Net-Centric. Relating to or representing the attributes of net-centricity. Net-centricity is a robust, globally interconnected network environment (including infrastructure, systems, processes, and people) in which data is shared timely and seamlessly among users, applications, and platforms. Net-centricity enables substantially improved military situational awareness and significantly shortened decision making cycles. Net-Centric capabilities enable network-centric operations and net-centric warfare (NCW).

48. Network-Centric Warfare (NCW). An information superiority-enabled concept of operations that generates increased combat power by networking sensors, decision makers, and shooters to achieve shared awareness, increased speed of command, higher tempo of operations, greater lethality, increased survivability, and a degree of self-synchronization. In essence, NCW translates information superiority into combat power by effectively linking knowledgeable entities in the battle space.

49. Non-repudiation. Assurance the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the data.

50. Official DoD Information. All information that is in the custody and control of the Department of Defense, relates to information in the custody and control of the Department, or was acquired by DoD employees as part of their official duties or because of their official status within the Department.

51. Platform IT Interconnection. For DoD IA purposes, platform IT interconnection refers to network access to platform IT. Platform IT interconnection has readily identifiable security considerations and needs that must be addressed in both acquisition and operations. Platform IT refers to computer resources, both hardware and software, that are physically part of, dedicated to, or essential in real time to the mission performance of special purpose systems such as weapons, training simulators, diagnostic test and maintenance equipment, calibration equipment, equipment used in the research and development of weapons systems, medical technologies, transport vehicles, buildings, and utility distribution systems such as water and electric. Examples of platform IT interconnections that impose security considerations include communications interfaces for data exchanges with enclaves for mission planning or execution, remote administration, and remote upgrade or reconfiguration.

52. Post in Parallel. Process owners make their data available on the net as soon as it is created. Focus on data being tagged and posted before processing.

53. Privacy Data. Any record that is contained in a system of records, and information the disclosure of which would constitute an unwarranted invasion of personal privacy.

54. Proprietary. Information that is provided by a source or sources under the condition that it not be released to other sources.

55. Proxy. Software agent that performs a function or operation on behalf of another application or system while hiding the details involved. Typical proxies accept a connection from a user, make a decision as to whether or not the user or client network address is authorized to use the requested service, optionally perform additional authentication, and then complete a connection on behalf of the user to a remote destination.

56. Public Domain Software. Software not protected by copyright laws of any nation that carries no warranties or liabilities, and may be freely used without permission of or payment to the creator.

57. Public Information. Official DoD information that has been reviewed and approved for public release by the information owner.

58. Robustness. A characterization of the strength of a security function, mechanism, service or solution, and the assurance (or confidence) that it is implemented and functioning correctly. The Department of Defense has three levels of robustness:

    Basic Robustness: Security services and mechanisms that equate to good commercial practices.

    Medium Robustness: Security services and mechanisms that provide for layering of additional safeguards above good commercial practices.

    High Robustness: Security services and mechanisms that provide the most stringent protection and rigorous security countermeasures.

59. Security Domain. Within an information system, the set of objects that is accessible. Access is determined by the controls associated with information properties such as its security classification, security compartment or sensitivity. The controls are applied both within the information system and in its connection to other classified or unclassified information systems.

60. Semantic Metadata. Information about a data asset that describes or identifies characteristics about that asset that convey meaning or context (e.g., descriptions, vocabularies, taxonomies).

61. Sensitive But Unclassified (SBU). A term commonly and inappropriately used within the Department of Defense as a synonym for Sensitive Information, which is the preferred term.

62. Sensitive Compartmented Information (SCI). Classified information concerning or derived from intelligence sources, methods, or analytical processes, which is required to be handled within formal access control systems established by the Director of Central Intelligence.

63. Sensitive Information. Information the loss, misuse, or unauthorized access to or modification of could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under Section 552a of title 5, United States Code, "The Privacy Act", but which has not been specifically authorized under criteria established by Executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy (Section 278g-3 of title 15, United States Code, "The Computer Security Act of 1987"). This includes information in routine DoD payroll, finance, logistics, and personnel management systems.

64. Shared Space. Storage on a file server or in electronic media that is addressable by multiple users or COIs. Also, web services that are made available to the enterprise that expose the business or mission processes that generate data in readily consumable forms.

65. Smart Pull (vice Smart Push). Applications encourage discovery; users can pull data directly from the net, or use value added discovery services. Focus on data sharing, with data stored in accessible shared space and advertised (tagged) for discovery.

66. Structural Metadata. Information provided about a data asset that describes the internal structure or representation of a data asset (e.g., database field names, schemas, web service tags).

67. Understandable. Capable of being comprehended in terms of subject, specific content, relationships, sources, methods, quality, spatial and temporal dimensions, and other factors.

68. Users. Humans, systems, and applications that create, find, access, and exploit data. Also known as consumers and producers, or publishers and subscribers. System developers are also considered to be users. For this Directive, users may be expected and planned for, or unanticipated and not planned for.

69. Visible. Able to be seen, detected, or distinguished and to some extent characterized by humans and/or IT systems, applications, or other processes.

70. Web Services. A standardized way of integrating web-based applications using open standards over an Internet Protocol backbone. Web services allow applications developed in various programming languages and running on various platforms to exchange data without intimate knowledge of each application's underlying IT systems.