Thursday, January 17, 2019

Access Control Policy Template (draft)

This Access Control Policy outline is intended to address the requirements specified in the NIST SP 800-53 Rev. 4 Access Control (AC) family.


Accounts. With the exception of service accounts and the administrator accounts built into operating systems, devices, or applications (e.g. Administrator, admin, root), accounts must be named such that they are attributable to an individual user. The use of built-in/default accounts is limited to initial configuration and/or emergency recovery (e.g. lost Administrator or root password).


Multifactor Authentication (MFA). All local and network access will be authenticated using at least two of the following authentication methods: password or PIN (something you know), smartcard or token (something you have), biometric (something you are).


Types of Accounts:
User Accounts
Privileged Accounts
Service Accounts. Service Accounts will adhere to the same rules as Privileged Accounts with the following exceptions: MFA is not required, and expiration is extended to 180 days.

Password Rules
Passwords will be:
  • 15 characters in length
  • Contain at least two lowercase letters, two uppercase letters, two numbers, and two special characters
  • Passwords or PINs cannot have three consecutive characters of the same type
  • PINs used on hand-held devices will contain 6 or more digits
  • PINs used across the network on hand-held devices will be 9 or more digits
  • The last 24 passwords are remembered and cannot be reused
  • Passwords or PINs cannot be changed more often than once every 24 hours
  • Passwords must be changed every 90 days.
Passwords may not be shared.
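As an added illustration (not part of the policy document), the rules above rendered as the checks an account-provisioning tool could run before accepting a new password or PIN and when deciding whether a change is allowed. The thresholds are the policy's own; storing password history as SHA-256 digests, and reading the "same type" rule for PINs as "no three identical consecutive digits" (every digit is the same character class), are assumptions of this example.

```python
"""Checks implementing the draft policy's password and PIN rules.

Added example, not part of the policy. The numeric thresholds come from the
policy text; the SHA-256 history representation and the PIN reading of the
"same type" rule are assumptions of this example.
"""
import hashlib
from datetime import datetime, timedelta
from typing import List, Optional

MIN_LENGTH = 15                # "15 characters in length"
MIN_PER_CLASS = 2              # two lowercase, two uppercase, two numbers, two specials
MAX_SAME_CLASS_RUN = 2         # "cannot have three consecutive ... of the same type"
HISTORY_SIZE = 24              # "24 passwords are remembered"
MIN_AGE = timedelta(hours=24)  # no change more often than once every 24 hours
MAX_AGE = timedelta(days=90)   # must be changed every 90 days
PIN_MIN_DIGITS = 6             # PIN on a hand-held device
PIN_MIN_DIGITS_NETWORK = 9     # PIN used across the network on a hand-held device


def char_class(c: str) -> str:
    """Classify one character as lower, upper, digit or special."""
    if c.islower():
        return "lower"
    if c.isupper():
        return "upper"
    if c.isdigit():
        return "digit"
    return "special"


def longest_run(items) -> int:
    """Length of the longest run of equal consecutive items."""
    longest = run = 0
    prev = object()          # sentinel that equals nothing
    for item in items:
        run = run + 1 if item == prev else 1
        prev = item
        longest = max(longest, run)
    return longest


def digest(password: str) -> str:
    """Assumption: history is kept as SHA-256 digests, never plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def record_password(history: List[str], password: str) -> List[str]:
    """Append the new password's digest and keep only the last 24."""
    return (history + [digest(password)])[-HISTORY_SIZE:]


def check_password(password: str, history: Optional[List[str]] = None) -> List[str]:
    """Return the policy rules the candidate violates (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    counts = {"lower": 0, "upper": 0, "digit": 0, "special": 0}
    for c in password:
        counts[char_class(c)] += 1
    for cls, n in counts.items():
        if n < MIN_PER_CLASS:
            problems.append(f"fewer than {MIN_PER_CLASS} {cls} characters")
    if longest_run(char_class(c) for c in password) > MAX_SAME_CLASS_RUN:
        problems.append("three or more consecutive characters of the same type")
    if history and digest(password) in history[-HISTORY_SIZE:]:
        problems.append(f"reuses one of the last {HISTORY_SIZE} passwords")
    return problems


def check_pin(pin: str, used_across_network: bool = False) -> List[str]:
    """Hand-held device PIN rules: 6 digits, or 9 when used across the network."""
    problems = []
    if not pin.isdigit():
        problems.append("PIN must contain only digits")
    required = PIN_MIN_DIGITS_NETWORK if used_across_network else PIN_MIN_DIGITS
    if len(pin) < required:
        problems.append(f"fewer than {required} digits")
    if longest_run(pin) > MAX_SAME_CLASS_RUN:   # assumption: identical digits, e.g. 111
        problems.append("three or more identical consecutive digits")
    return problems


def change_status(last_changed: datetime, now: datetime) -> str:
    """'too_soon' (changed within 24 h), 'expired' (older than 90 days) or 'ok'."""
    age = now - last_changed
    if age < MIN_AGE:
        return "too_soon"
    if age > MAX_AGE:
        return "expired"
    return "ok"


if __name__ == "__main__":
    print(check_password("aB1!cD2@eF3#gH4$"))    # compliant: []
    print(check_password("password"))            # five separate violations
    print(check_pin("12345"), check_pin("123456789", used_across_network=True))
```

Note that the "no three consecutive characters of the same type" rule, combined with the 15-character minimum, forces a password to switch character class at least every two characters; a generator that builds passwords for initial provisioning has to honour that as well as the per-class minimums.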


Expiration Warnings. Warning messages will be sent 15, 7 and 1 day before account expiration.


Accounts will be marked stale after 30 days without use and automatically disabled after 45 days.


Extended Absence.
If an individual will be on an extended absence they must notify the Service Desk within 5 days of departure. The account will be suspended by marking it disabled for 90 days or until the individual returns.


Use of Password Vaults.


Active Directory Roles
All Active Directory Roles will be configured in accordance with Microsoft's Best Practices for Securing Active Directory.
Enterprise Admins (.EA). Built-in Active Directory Forest Root Domain Role. Note the Enterprise Admins group is by default a member of the domain Built-in\Administrators group. Appendix E:  Securing Enterprise Admins Groups in Active Directory.
Schema Admins (.CA). Built-in Active Directory Forest Root Domain Role.
Domain Admins (.DA). Built-in Active Directory Domain Role.
Group Policy Admins (.GA). Custom-defined group for administration of Group Policy Objects (GPO).
OU Admins (.OA). Custom-defined group for administration of an Organizational Unit (OU) within a Domain. Each OU has an "admins" group defined for it, named in accordance with the OU name (e.g. the OU Admins group for the "Executive Group" OU is named "Executive Group OU Admins").
System Administrators (.SA). Custom-defined group for administrators of Windows servers. Assigned membership in the domain Administrators and Domain Admins groups. Note the Domain Admins group is a member of the Built-in\Administrators group. Appendix F:  Securing Domain Admins Groups in Active Directory.
Account Operators (.AO). Built-in Active Directory Domain Role.
Server Operators (.SO). Custom-defined group for Windows Server administrators to perform specific privileged tasks.
Backup Operators (.BO). Built-in Active Directory Domain Role.
Auditors (.AU). Custom-defined group for viewing audit events. Member of the Domain Event Log Readers built-in group.
Workstations Admins (.SA). Custom-defined group for administrators of Windows workstations (desktop and laptops).
Service Desk Technician (.SD). Custom-defined group for Tier 1 and 2 Service Desk technicians.
Application Administrators (.AA). Custom-defined group for application administration.
Local Workstation Admins (.LA). Custom-defined group for membership in Workstation built-in\Administrators group.
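An added example (not from the policy or from Microsoft's guide) of auditing an exported group membership against the role suffixes above. Nested groups are flattened first, since the policy notes that Enterprise Admins and Domain Admins are nested in the domain Built-in\Administrators group, and every effective member is then checked for a suffix the group allows. The group-to-suffix map is taken from the role list above; the membership data is constructed, not exported from a real directory.

```python
"""Audit privileged Active Directory group membership against the draft
policy's naming convention (accounts are provisioned per role with a suffix
such as user.EA or user.DA).

Added example, not from the policy or from Microsoft. The group-to-suffix
mapping follows the roles listed in the policy; the membership data below is
constructed.
"""
from typing import Dict, List, Optional, Set, Tuple

# Suffixes the policy allows in each group. Domain Admins also admits .SA because
# System Administrators are assigned membership in Domain Admins; the domain
# Built-in\Administrators group nests Enterprise Admins and Domain Admins.
ROLE_SUFFIXES: Dict[str, Set[str]] = {
    "Enterprise Admins": {".EA"},
    "Schema Admins": {".CA"},
    "Domain Admins": {".DA", ".SA"},
    "Administrators": {".EA", ".DA", ".SA"},
    "Account Operators": {".AO"},
    "Backup Operators": {".BO"},
    "Event Log Readers": {".AU"},
}

# Built-in account the policy reserves for initial build and disaster recovery;
# it is a default member of these groups, so its presence alone is not a finding.
BUILTIN_ACCOUNTS = {"Administrator"}

# Constructed membership export: group -> direct members (users or nested groups).
SAMPLE_MEMBERSHIP: Dict[str, List[str]] = {
    "Administrators": ["Administrator", "Domain Admins", "Enterprise Admins"],
    "Enterprise Admins": ["Administrator", "jsmith.EA"],
    "Schema Admins": ["Administrator", "jsmith.EA"],     # .EA account in the wrong group
    "Domain Admins": ["Administrator", "jsmith.DA", "mjones.SA", "svc_backup"],
    "Account Operators": ["hlee.AO", "jsmith"],          # non-role account
    "Backup Operators": ["bkp.BO"],
    "Event Log Readers": ["audit.AU", "mjones.SA"],
}


def effective_members(group: str, membership: Dict[str, List[str]],
                      seen: Optional[Set[str]] = None) -> List[str]:
    """Flatten nested groups so the audit sees who is effectively in `group`."""
    seen = set() if seen is None else seen
    result: List[str] = []
    for member in membership.get(group, []):
        if member in membership:            # member is itself a group: recurse once
            if member not in seen:
                seen.add(member)
                result.extend(effective_members(member, membership, seen))
        else:
            result.append(member)
    return list(dict.fromkeys(result))      # de-duplicate, keep order


def role_suffix(account: str) -> str:
    """'jsmith.EA' -> '.EA'; accounts without a suffix return ''."""
    return "." + account.rsplit(".", 1)[1].upper() if "." in account else ""


def audit(membership: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Return (group, account, reason) for every membership the policy does not allow."""
    findings = []
    for group in membership:
        allowed = ROLE_SUFFIXES.get(group)
        if allowed is None:
            findings.append((group, "*", "group has no role defined in the policy"))
            continue
        for account in effective_members(group, membership):
            if account in BUILTIN_ACCOUNTS:
                continue
            if role_suffix(account) not in allowed:
                findings.append((group, account,
                                 "expected a %s account" % "/".join(sorted(allowed))))
    return findings


if __name__ == "__main__":
    for group, account, reason in audit(SAMPLE_MEMBERSHIP):
        print(f"{group}: {account}: {reason}")
```

Run against a real export, the same check catches the two failure modes the policy is written to prevent: a role account placed in a group its suffix does not cover, and an account with no role suffix at all (a service or personal account) that has reached a privileged group through nesting.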


Best Practices Guide for Securing Active Directory, Appendix B:  Privileged Accounts and Groups in Active Directory, describes the rights, privileges, and permissions in Active Directory and the built-in groups. Bolded groups in the list below indicate that users can be provisioned with an account type which is assigned membership in that group (e.g. user.EA is a member of the Built-in\Enterprise Admins group in the Forest Root Domain).


Built-in Groups at the Forest Root Domain Level:
Administrator, Administrators (Enterprise Admins), Enterprise Admins (Administrator), Incoming Forest Trust Builders, Schema Admins.

Built-in Groups at the Domain Level.
Access Control Assistance (Active Directory in Windows Server 2012), Account Operators, Administrator, Administrators (Enterprise Admins, Domain Admins, Administrator), Allowed RODC Password Replication Group, Backup Operators, Cert Publishers, Certificate Service DCOM Access, Cloneable Domain Controllers (AD DS in Windows Server 2012), Cryptographic Operators, Debugger Users, Denied RODC Password Replication Group, DHCP Administrators, DHCP Users, Distributed COM Users, DnsAdmins, DnsUpdateProxy, Domain Admins (Administrator), Domain Computers, Domain Controllers, Domain Guests, Domain Users, Enterprise Read-only Domain Controllers, Event Log Readers, Group Policy Creator Owners, Guest, Guests, Hyper-V Administrators (Windows Server 2012), IIS_IUSRS, Krbtgt, Network Configuration Operators, Performance Log Users, Pre-Windows 2000 Compatible Access, Print Operators, RAS and IAS Servers, RDS Endpoint Servers (Windows Server 2012), RDS Management Servers (Windows Server 2012), RDS Remote Access Servers (Windows Server 2012), Read-only Domain Controllers, Remote Desktop Services Users, Remote Management Servers (Windows Server 2012), Replicator, Server Operators, Terminal Server License Servers, Users, Windows Authorization Access Group, WinRMRemoteWMIUsers (Windows Server 2012).


Built-in Groups at the Computer Level.
Administrators (Domain Admins)


Use of the Built-In Administrator accounts in Active Directory is limited to initial build and disaster recovery scenarios. In each domain in Active Directory, an Administrator account is created as part of the creation of the domain. This account is by default a member of the Domain Admins and Administrators groups in the domain, and if the domain is the forest root domain, the account is also a member of the Enterprise Admins group.  Appendix D:  Securing Built-in Administrator Accounts in Active Directory, Appendix G:  Securing Administrators Groups in Active Directory.


Service Accounts. Service accounts will be defined as necessary to grant an application or service the rights, privileges, or permissions it requires to function. The following right will be explicitly denied:  Interactive Logon. The following rights will be granted in accordance with the scope the service account requires:  Allow Login to, Allow Logon as a service.
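An added example (not part of the policy) that checks those logon rights for a list of service accounts against a security template in the [Privilege Rights] format that `secedit /export` writes, where rights are listed one per line as comma-separated principals and well-known SIDs appear as `*S-1-...`. The template excerpt and the CORP\svc_* account names are constructed.

```python
r"""Verify the policy's service-account logon rights against a security template.

Added example, not part of the policy. The input is a constructed excerpt in
the [Privilege Rights] format produced by `secedit /export`; the CORP\svc_*
account names are made up.
"""
from typing import Dict, List, Set

DENY_INTERACTIVE = "SeDenyInteractiveLogonRight"   # policy: explicitly denied
ALLOW_INTERACTIVE = "SeInteractiveLogonRight"
SERVICE_LOGON = "SeServiceLogonRight"              # policy: granted where required

# Constructed template excerpt (secedit export layout).
SAMPLE_TEMPLATE = r"""
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,CORP\svc_legacy
SeDenyInteractiveLogonRight = CORP\svc_sql,CORP\svc_web
SeServiceLogonRight = *S-1-5-80-0,CORP\svc_sql,CORP\svc_legacy
SeRemoteInteractiveLogonRight = *S-1-5-32-555
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed list of the accounts the policy classifies as service accounts.
SERVICE_ACCOUNTS = [r"CORP\svc_sql", r"CORP\svc_web", r"CORP\svc_legacy"]


def parse_privilege_rights(template: str) -> Dict[str, Set[str]]:
    """Return {right name: set of principals} from the [Privilege Rights] section only."""
    rights: Dict[str, Set[str]] = {}
    in_section = False
    for line in template.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {p.strip() for p in value.split(",") if p.strip()}
    return rights


def check_service_account(account: str, rights: Dict[str, Set[str]]) -> List[str]:
    """List the ways `account`'s logon rights depart from the policy."""
    problems = []
    if account not in rights.get(DENY_INTERACTIVE, set()):
        problems.append(f"not listed in {DENY_INTERACTIVE}")
    if account in rights.get(ALLOW_INTERACTIVE, set()):
        problems.append(f"explicitly granted {ALLOW_INTERACTIVE}")
    if account not in rights.get(SERVICE_LOGON, set()):
        problems.append(f"not granted {SERVICE_LOGON} (needed only if it runs as a service)")
    return problems


def audit_template(template: str, accounts: List[str]) -> Dict[str, List[str]]:
    """Audit every service account against the template's [Privilege Rights]."""
    rights = parse_privilege_rights(template)
    return {acct: check_service_account(acct, rights) for acct in accounts}


if __name__ == "__main__":
    for acct, problems in audit_template(SAMPLE_TEMPLATE, SERVICE_ACCOUNTS).items():
        print(acct, "OK" if not problems else "; ".join(problems))
```

In Windows a Deny user right overrides the corresponding Allow right, so listing the account under SeDenyInteractiveLogonRight is what makes the denial explicit. The check still reports an account that appears under both, because a stray Allow grant is exactly the configuration drift this part of the policy exists to catch.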


ACAS Roles


Appendices:   Processes and Procedures


Appendix A:  Account Request Form(s)
Appendix B:  Account Provisioning Process
Appendix C:  Account Termination Process

Saturday, January 5, 2019

Network and System Management

NOC:
  • SolarWinds
  • Nagios
System and Patch Management
  • SCCM
  • Ivanti
Translating Windows Event Logs into SNMP TRAPs:
https://wiki.opennms.org/wiki/Windows_Event_Log_Traps

Windows Events of Interest:
System | USER32
  • 1074 (reboot)


DoD Contractor Email Signature and Telephone Greeting

Per DFARS 211.1, contractors must identify themselves as such in telephone conversations and in formal and informal written correspondence.
https://www.acq.osd.mil/dpap/dars/dfars/html/current/211_1.htm

Configuration Baselines and Assessment Tools

TOOL, DESCRIPTION, standards covered (NSA, STIG, USGCB, CIS, IAVM) and platforms covered (Windows 7, Windows Server 2008/2008R2, RHEL, CentOS, Fedora Linux, OpenSuSE, Debian, Ubuntu, Apple OS X):

ACAS (Nessus): x x x x x
OpenSCAP: x x
SCAP Compliance Checker (SCC): The Security Content Automation Protocol (SCAP) Compliance Checker (SCC) is a SCAP 1.0 Validated Scanner, with support for SCAP versions 1.1 and 1.2, and an Open Vulnerability Assessment Language (OVAL) adopter, capable of performing compliance verification using SCAP content and authenticated vulnerability scanning using OVAL content. x x x x
STONIX: https://github.com/CSD-Public/stonix. x x x x x; RHEL v6, v7; CentOS v7; Fedora v20, v21; OpenSuSE 12.2; Debian (stable); Ubuntu 14.04; Apple OS X v10.9, v10.10
OpenVAS: Open source vulnerability scanner and manager that was forked from Nessus in 2005. Able to detect more than 35,000 vulnerabilities.
Configuration Baselines:
Checklists and Assessment Tools
GSA and OMB required NIST validation of configuration and vulnerability scanners. The list of NIST validated configuration and vulnerability scanners is here:  ​​https://nvd.nist.gov/SCAP-Validated-Tools.
Source Code Inspection:
Web Application:
Forensics:
  • Backtrack
  • Dshell. An extensible network forensic analysis framework that enables rapid development of plugins to support the dissection of network packet captures.
Reports:

DoD Acquisition Category (ACAT)

Acquisition Categories are assigned based on program funding and on who is assigned decision-making authority. For details, see https://www.dau.mil/acquipedia/Pages/ArticleDetails.aspx?aid=a896cb8a-92ad-41f1-b85a-dd1cb4abdc82.
  • ACAT I
    • ACAT ID
    • ACAT IC
    • ACAT IA
      • ACAT IAM
      • ACAT IAC
  • ACAT II
  • ACAT III
  • ACAT IV (Navy and Marine Corps only)
Per the Army's Assess Only process, systems which fall into the ACAT I category are deemed Major Systems and thus require a full RMF implementation (Assess & Authorize).
Reference(s):

What's the difference between a policy, standard, guideline, procedure, and plan?

The Information Assurance (IA) discipline is frequently concerned with writing, inspecting, or reviewing policies, standards, guidelines, procedures, and plans. What's the difference?

A policy is a set of high-level, general statements produced by senior management. Policies outline roles and responsibilities, define the scope of applicability, and provide a high-level description of what is required to meet the objective of the policy. A policy should reference the standards and guidelines that support it. A documented policy is frequently required to satisfy regulations or laws, such as those relating to privacy and finance.

Standards are specific tools applied to a policy. They should be viewed as business mandates and must be driven from the top (i.e. senior management) downwards in order to be effective. Standards help to enforce or support a policy and ensure consistency across the business. Standards usually contain controls relating to the implementation of specific technology, hardware, or software.

Guidelines are recommended best practices that are applied to a process and support a standard if one is in place. Guidelines could consist of additional recommended controls that support a standard, or help fill the gaps where no specific standard applies.

A procedure is a step-by-step description of how to perform a task, and assists workers in implementing a policy, standard, or guideline. A plan organizes a group of tasks to accomplish an objective.

For example: a policy is established that all corporate proprietary, financial, personally identifiable information, and personal health information must be protected both at rest and in transit. A standard requires that sensitive data at rest or in transit be encrypted using FIPS 140-2 validated cryptography. A guideline is that Public Key Infrastructure (PKI) is used to encrypt email. A procedure is to obtain a Digital ID from VeriSign, import it into Outlook, select AES-256 as the encryption algorithm, select SHA-256 as the hashing algorithm, etc.

What storage services are available in AWS?

Amazon Web Services (AWS) offers several different file storage services which can be deployed in accordance with the needs of the hosted applications.
  • Elastic Block Store (EBS). Simple logical disk(s) attached to an Amazon Elastic Compute Cloud (EC2) instance. EBS volumes are persistent block storage that is automatically replicated within its Availability Zone (AZ) to provide high availability and durability. Limited to 1 TB and 5,000 volumes or 20 TB per account.
  • Elastic File System (EFS). Network Attached Storage (NAS) using Network File System (NFS) intended for Linux-based workloads. Regional service which stores data within and across multiple AZs for high availability and durability. Can be accessed across AZs, Regions, and VPCs. The Amazon Elastic File System Infrequent Access storage class is cost-optimized for files not accessed every day, reducing costs by up to 85% compared to the EFS Standard storage class.
  • Amazon FSx for Windows File Server. NAS using CIFS intended for Windows-based workloads. Supports Server Message Block (SMB) protocol and NTFS, Active Directory (AD), and Distributed File System (DFS). 
  • Simple Storage Service (S3). Object storage designed for 11 9s (99.999999999%) of durability.
  • Glacier. Cloud storage service for data archiving and long-term backup.
  • Storage Gateway. Hybrid storage service that enables on-premises applications to seamlessly use AWS cloud storage for backup and archiving, disaster recovery, cloud data processing, storage tiering, and migration. Accessed through a virtual machine or hardware gateway appliance using standard storage protocols such as NFS, SMB, and iSCSI.
  • Cloud Data Migration Services. AWS-managed cloud data migration tools including Direct Connect, Snowball, Storage Gateway, Technology Partnerships, Kinesis Firehose, and Transfer Acceleration.
https://aws.amazon.com/products/storage/

What is the Army Application Migration Business Office (AAMBO)?

AAMBO assists Army capability owners with application assessment and migration to other hosting environments, including DISA traditional, milCloud and milCloud Plus, Army Enterprise Data Centers (AEDC), Army Private Cloud Enterprise (APC-E), DISA Enterprise Computing Centers (DECC), and commercial cloud service provider (CSP) cloud service offerings (CSO).
Engagement with AAMBO consists of a 6-step process:

  1. Discovery and Portfolio Analysis. Use the Army Application Migration Planning Tool (AAMPT) to record application characteristics (e.g. server CPU, memory, storage requirements, resource utilization, etc.). This is for unclassified applications only. SIPR application data is collected via PDF files (which are deemed classified upon completion per DISA Circular 300-115-3).
  2. Migration Readiness Assessment and Rough Order of Magnitude. AAMBO produces a report which provides costs for various hosting options (+/- 50%). Note costs do not include accreditation (i.e. ATO), provider services such as Cybersecurity Service Provider (CSSP), licensing, any provider enhancements such as performance monitoring, log collection, etc., and operation and maintenance labor and tools.
  3. Cost Benefit Analysis (CBA). A presentation (PowerPoint) is prepared in cooperation with the Army capability owner, CIO/G-6 Policy & Resources (P&R), and the Deputy Assistant Secretary of the Army for Cost and Economics (DASA-CE).
  4. Migration Planning. Use of the Army Cloud Computing Enterprise Transformation (ACCENT) contract vehicle.
  5. Execute Migration.
  6. Quality Assurance & Steady State.
Ordering of ACCENT cloud services is conducted through the Computer Hardware, Enterprise Software and Solutions (CHESS) Information Technology eMart:  https://chess.army.mil. Acquisition Package considerations include:
  • Acquisition Strategy/Acquisition Plan:  contract type, source selection criteria, Service Contract Approval Request (SCAR), Quality Assurance Surveillance Plan (QASP).
  • Requirements:  technical, security, transition support, Service Level Agreement (SLA), Performance Work Statement (PWS), or Statement of Objectives (SOO).
  • Independent Government Cost Estimate (IGCE)
Reference(s):
Contact(s):
  • AAMBO Project Officer:  Donald Squires, donald.c.squires.civ@mail.mil, 703-704-1638
  • AAMBO Team Lead:  James Stevens, james.e.stevens26.ctr@mail.mil, 703-704-3369
  • Office of the Deputy Assistant Secretary of the Army for Cost & Economics (ODASA-CE) Acquisition Costing Directorate (SAFM-CEA-C):  Cybilline Aclan, cybilline.e.aclan.civ@mail.mil, 703-697-1619
  • PL EC ACCENT POCs:  Donald Squires, Scott Knudson, scott.e.knudson.ctr@mail.mil, 703-704-2366, Louis Peasley, louis.c.peasley.ctr@mail.mil, 703-704-2197. 
  • AAMBO mailbox:  usarmy.belvoir.peo-eis.mbx.army-app-migration-office@mail.mil

DoD Public Key Infrastructure and Enabling (PKI-PKE) for Administrators, Integrators, and Developers

The DISA IASE PKI-PKE page for Administrators, Integrators & Developers is here:
Under the "Web Servers" button are guides for obtaining SSL certificates for Apache, IIS, and Java-based servers and applications.
References:

Mission Critical, Mission Essential, Mission Support Mission Categories

DoDI 8580.1, Information Assurance (IA) in the Defense Acquisition System, July 9, 2004, defines Mission Critical and Mission Essential:
E2.1.15. Mission Critical Information System. A system that meets the definitions of "information system" and "national security system" in reference (a), the loss of which would cause the stoppage of warfighter operations or direct mission support of warfighter operations. (Note: The designation of mission critical shall be made by a Component Head, a Combatant Commander, or their designee. A financial management IT system shall be considered a mission-critical IT system as defined by the USD(Comptroller). A "Mission-Critical Information Technology System" has the same meaning as a "Mission-Critical Information System.")
E2.1.16. Mission Essential Information System. A system that meets the definition of "information system" in reference (a), that the acquiring Component Head or designee determines is basic and necessary for the accomplishment of the organizational mission. (Note: The designation of mission essential shall be made by a Component Head, a Combatant Commander, or their designee. A financial management IT system shall be considered a mission-essential IT system as defined by the USD Comptroller). A "Mission-Essential Information Technology System" has the same meaning as a "Mission-Essential Information System.")
Note that the Mission Assurance Categories defined in DoDI 8580.1 do not correspond to the "critical," "essential," and "support" mission categories.
E2.1.14. Mission Assurance Category (MAC). Applicable to DoD information systems, the mission assurance category reflects the importance of information relative to the achievement of DoD goals and objectives, particularly the warfighters' combat mission. Mission assurance categories are primarily used to determine the requirements for availability and integrity. The Department of Defense has three defined mission assurance categories:
E2.1.14.1. Mission Assurance Category I (MAC I). Systems handling information that is determined to be vital to the operational readiness or mission effectiveness of deployed and contingency forces in terms of both content and timeliness. The consequences of loss of integrity or availability of a MAC I system are unacceptable and could include the immediate and sustained loss of mission effectiveness. MAC I systems require the most stringent protection measures.
E2.1.14.2. Mission Assurance Category II (MAC II). Systems handling information that is important to the support of deployed and contingency forces. The consequences of loss of integrity are unacceptable. Loss of availability is difficult to deal with and can only be tolerated for a short time. The consequences could include delay or degradation in providing important support services or commodities that may seriously impact mission effectiveness or operational readiness. MAC II systems require additional safeguards beyond best practices to ensure adequate assurance.
E2.1.14.3. Mission Assurance Category III (MAC III). Systems handling information that is necessary for the conduct of day-to-day business, but does not materially affect support to deployed or contingency forces in the short-term. The consequences of loss of integrity or availability can be tolerated or overcome without significant impacts on mission effectiveness or operational readiness. The consequences could include the delay or degradation of services or commodities enabling routine activities. MAC III systems require protective measures, techniques, or procedures generally commensurate with commercial best practices.
DoDI 5000.02, "Operation of the Defense Acquisition System," January 7, 2015, defines Mission-Critical, Mission-Essential, and Mission-Support systems:
Mission-Critical Information System. A system that meets the definitions of "information system" and "national security system" in the Clinger-Cohen Act (Subtitle III of title 40 of U.S. Code (Reference (p))), the loss of which would cause the stoppage of warfighter operations or direct mission support of warfighter operations. (The designation of mission critical will be made by a DoD Component head, a Combatant Commander, or their designee. A financial management IT system will be considered a mission-critical IT system as defined by the Under Secretary of Defense (Comptroller) (USD(C)).) A "Mission-Critical Information Technology System" has the same meaning as a "Mission-Critical Information System."
Mission-Essential Information System. A system that meets the definition of "information system" in 44 U.S.C. 3502 (Reference (aw)), that the acquiring DoD Component Head or designee determines is basic and necessary for the accomplishment of the organizational mission. (The designation of mission-essential will be made by a DoD Component head, a Combatant Commander, or their designee. A financial management IT system will be considered a mission-essential IT system as defined by the USD(C).) A "Mission-Essential Information Technology System" has the same meaning as a "Mission-Essential Information System."

Mission Support systems are information systems that fall into neither the Mission Critical nor the Mission Essential category.

Why DoD Contractors Need to Get Certified or Trained (DoDD 8570, 8140)

DoDD 8570.01, "Information Assurance Training, Certification, and Workforce Management," Certified Current as of April 23, 2007, and 8570.01-M, "Information Assurance Workforce Improvement Program," Incorporating Change 4, 11/10/2016, require the DoD Information Assurance (IA) Workforce to possess a baseline IA certification and Computing Environment (CE) certification(s) or training appropriate for their assigned duties. DoDD 8140.01, "Cyberspace Workforce Management," August 11, 2015, reissues and renumbers DoDD 8570; however, until a DoDD 8140 manual is produced, 8570.01-M will be used. DoDD 5144.02 states that DoD Manual 8570 is issued to implement the policy in DoD Directive 8140.01. 8570.01-M breaks out the IA Workforce into management (IAM), technical (IAT), IA System Architecture and Engineering (IASAE) and Computer Network Defense-Service Provider (CND-SP) roles. There are three levels (I, II, III) each for IAM and IAT.
Per DoD 8570.01-M, C1.4.1.4.2, the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer (ASD(NII)/DoD CIO) shall:
Establish an approval process for IA baseline certifications to be added to or deleted from the approved IA baseline certification list on the DISA IA Support Environment (IASE) website. Certifications must have strong correlation to IA workforce levels and functions. The Defense-wide Information Assurance Program (DIAP) office will provide oversight to the IA WIPAC and IA baseline certification approval process outlined in AP2.2 and post updates to the DISA IASE website. The IA WIPAC Executive Secretariat will publish a memorandum to announce updates to the Certification Table.
The IA WIPAC is the Information Assurance Workforce Improvement Program Advisory Council.
DoD 8570.01-M includes AP3. Appendix 3, "IA WORKFORCE REQUIREMENTS AND CERTIFICATIONS." The requirements such as experience and background investigation are provided for IAT, IAM, IASAE, and CND-SP roles, but specific industry certifications are not included in the table. The specific industry certifications required are provided on the DISA IASE website (http://iase.disa.mil/iawip/Pages/iabaseline.aspx).
AP3.2.8. Changes to the approved IA baseline certification list will be made by the IA WIPAC in accordance with AP2.2.1. The DISA IASE website will be updated to reflect these changes.
AP3.3. The approved IA baseline certification table on the DISA IASE website (http://iase.disa.mil/eta/iawip) provides a list of DoD approved certifications for personnel performing IA functions that meet baseline requirements. DoD Components may choose any of the approved certifications to meet the applicable certification requirements for each associated level.

The correct URL for the DoD approved certifications is http://iase.disa.mil/iawip/Pages/iabaseline.aspx. Table AP3.T2, "DoD Approved Baseline Certifications," as of 4/13/2017:

Per DoD 8570.01-M C2.3.9:
Contractor personnel supporting IA functions in Chapters 3, 4, 10, and 11 shall obtain the appropriate DoD-approved IA baseline certification prior to being engaged. Contractors shall have up to 6 months to obtain the rest of the qualifications for their position outlined in AP3.T1. The contracting officer will ensure that contractor personnel are appropriately certified. Additional training on local or system procedures may be provided by the DoD organization receiving services.
Chapters 3, 4, 10 and 11 are the sections in the manual describing IAT, IAM, IASAE, and CND-SP roles.
Per ALARACT 284/2011 DTG 011658Z AUG 11, Subject:  COMPUTING ENVIRONMENT CE CERTIFICATIONS FOR THE ARMY INFORMATION ASSURANCE IA WORKFORCE:
3. (U) DOD POLICY (REF A) MANDATES THAT ALL PERSONNEL IN THE INFORMATION ASSURANCE TECHNICAL (IAT), COMPUTER NETWORK DEFENSE-SERVICE PROVIDER (CND-SP) (EXCEPT CND-SP MANAGER), AND INFORMATION ASSURANCE SECURITY ARCHITECT AND ENGINEER (IASAE) POSITIONS WHO PERFORM IAT FUNCTIONS MUST OBTAIN APPROPRIATE CE CERTIFICATIONS FOR THE OPERATING SYSTEM(S) AND/OR SECURITY RELATED TOOLS/DEVICES THEY SUPPORT.
4. (U) DESCRIPTION OF CHANGE:  THE PROPONENT FOR DOD 8570.01-M NOW ACCEPTS CERTIFICATES OF TRAINING OR VENDOR CERTIFICATIONS TO FULFILL THE CE REQUIREMENT. DOD WILL POST THE FOLLOWING TEXT TO THE INFORMATION ASSURANCE SUPPORT ENVIRONMENT (IASE) WEBSITE ON THE FREQUENTLY ASKED QUESTIONS (FAQ) PAGE UNTIL DOD 8570.01-M IS UPDATED. "IF YOU ARE AN IAT OR CND-SP AND HAVE PRIVILEGED ACCESS, YOU MUST OBTAIN TRAINING FOR THE OPERATING SYSTEM AND/OR SECURITY RELATED TOOLS/DEVICES YOU SUPPORT AS REQUIRED BY YOUR ORGANIZATION. A CERTIFICATE OF COMPLETION FROM A COMPONENT AUTHORIZED TRAINING COURSE THAT MAPS THE ASSOCIATE CURRICULUM/LEARNING OBJECTIVES TO THE POSITION REQUIREMENTS IS ACCEPTABLE TO MEET THIS REQUIREMENT." EXPECTED UPDATE TO THE FAQ PAGE IS NO LATER THAN 30 SEPTEMBER 2011.
5. (U) THE GUIDANCE CONTAINED IN THIS ALARACT WILL BE INCORPORATED INTO THE NEXT VERSION OF AR 25-2 AND THE IA TRAINING AND CERTIFICATION BEST BUSINESS PRACTICE. THE LIST OF ARMY AUTHORIZED CE CERTIFICATIONS AND TRAINING COURSES IS AVAILABLE ON ATCTS AT HTTPS://ATC.US.ARMY.MIL. A COMPLETE LIST IS POSTED ON THE ATCTS HOME PAGE AND CAN BE FOUND BY CLICKING THE DOCUMENTS BUTTON. THE LIST WILL BE UPDATED QUARTERLY.
7. (U) CIO/G-6 CYBER DIRECTORATE REQUIRES:
7.1 ALL TECHNICAL PERSONNEL IN THE INFORMATION ASSURANCE TECHNICAL LEVEL THREE (IAT3) CATEGORY MUST OBTAIN A COMMERCIAL CE CERTIFICATION (NOT JUST A CERTIFICATE OF TRAINING)
7.2 NO LESS THAN TWO TECHNICAL PERSONNEL (IAT1 AND IAT2) AT EACH NEC, SYSTEM, OR ENCLAVE (TO INCLUDE PROGRAM-MANAGED INFORMATION SYSTEMS) MUST OBTAIN A COMMERCIAL CE CERTIFICATION (NOT JUST A CERTIFICATE OF TRAINING) FOR THE SYSTEMS THEY ADMINISTER/MAINTAIN (OPERATING SYSTEM, NETWORK EQUIPMENT, BOUNDARY DEFENSE, ETC.). ORGANIZATION MANAGERS SHALL DECIDE WHICH INDIVIDUALS REQUIRE CERTIFICATION.
Per HQDA CIO/G-6 Memorandum, "Computing Environment (CE) Certifications for the Army Information Assurance Workforce," 14 November 2012, the Army has modified IAT Level 1 Task T-I.3 (Provide end user IA support for all CE operating systems, peripherals, and applications) to permit those in ranks E-1 through E-5 to install operating systems, peripherals, and applications without obtaining industry-standard certifications. The basis for this change is that soldiers awarded the 25B10, 25N10, or 25U10 Military Occupational Specialty (MOS) at the conclusion of Advanced Individual Training (AIT) have been trained in basic technical and networking skills commensurate with future IAT Level 1 functions.
NIST has developed the NICE National Cybersecurity Workforce Framework. The DHS NPPD FY16 Cyber Pay Enhancements lists certification requirements for the NICE categories. The DoDD 8140 manual has not been developed or approved but it will be based on the NICE initiative. https://dodcio.defense.gov/Cyber-Workforce/DCWF.aspx

DISA is currently piloting courses for roles included in the Defense Cyber Workforce Framework (DCWF). These courses appear to be free of charge to government personnel and contractors. They are 5 days long and do not require certification testing (although students receive a certificate for completing a course). Courses are held at the DoD Training Center - 8830 Stanford Boulevard, Columbia, MD 21043. See https://cyber.mil/training/cyber-defense-infrastructure-support-foundation-pilot-cw20012/ for more information. Current classes include:

  •  Cyber Defense Infrastructure (CDIS) Specialist – Foundation – PILOT.  CW20012. This is a pilot of the five (5) day Cyber Defense Infrastructure Support (CDIS) Specialist Foundation course. Learners will be provided an introduction into common cyber defensive concepts and capabilities used in network and system defenses. The course begins by providing insight into general information technology and cybersecurity concepts relevant to this role. Topics include networking basics, common ports and protocols, Department of Defense (DoD) Incident Response (IR)/Incident Handling (IH) methods, and access control techniques. The later portion of the class extends these basic concepts into general cyber defense capabilities used in CDIS’s more advanced classes. Topics include broad-based attack techniques, network design mitigations, and network traffic/intrusion detection analysis. Written IP addressing/subnetting exercises as well as Wireshark and Sguil/Snort labs incorporated into several modules provide a practical application of the concepts and capabilities discussed. Students will be asked to provide their feedback on the class and how well it matches the knowledge, skills, abilities, and tasks (KSATs) expected within the DoD for someone who performs the CDIS specialist role. The foundation CDIS course is intended for those new to, or unfamiliar with, the CDIS role as defined by the DoD Cyber Workforce Framework (DCWF). As part of the Protect and Defend framework category, the CDIS role is accountable for the following tasks: tests, implements, deploys, maintains, and administers the infrastructure hardware and software.
  • Cyber Defense Infrastructure (CDIS) Specialist – Intermediate – PILOT. CW20013. This is a pilot of the five (5) day CDIS specialist Intermediate course. Learners will be provided with administration knowledge and skills for commonly used Department of Defense (DoD) cyber defense tools. The tools covered include the Wireshark/Tshark and Tcpdump packet analyzers, Cisco FirePOWER network intrusion prevention system (IPS), McAfee Enterprise Policy Orchestrator (ePO) host IPS, Cisco Adaptive Security Appliance virtual (ASAv) firewall and virtual private network (VPN), and Splunk security information and event management (SIEM) system. Modules for each tool discuss customization and maintenance activities in order to improve usability and optimize performance and security effectiveness. Activities include managing user preferences and tool configurations/policies, controlling and updating protection features, upgrading/patching software, troubleshooting problems, and performing backups and restores. After these tool-specific modules, the class steps back to address their overall maintenance coordination and accreditation, covering critical cyber defense infrastructure protection, test and change management, and the DoD Risk Management Framework (RMF). The course closes with background analyst knowledge and activities (e.g., attacker profiles and defensive/analysis techniques) to improve student administration decisions. Wireshark, Cisco FirePOWER, McAfee ePO, Cisco ASAv firewall/VPN, and Splunk labs embedded throughout the class provide a practical application of the concepts and capabilities discussed. Students will be asked to provide their feedback on the class and how well it matches the knowledge, skills, abilities and tasks (KSATs) expected within the DoD for someone who performs the CDIS specialist role.
The advanced CDIS course is intended for those already familiar with the CDIS role as defined by the DoD Cyber Workforce Framework (DCWF) and common cyber defensive concepts and capabilities used in network and system defenses. As part of the Protect and Defend framework category, the CDIS role is accountable for the following tasks: tests, implements, deploys, maintains, and administers the infrastructure hardware and software.
  • Cyber Defense Infrastructure (CDIS) Specialist – Advanced – PILOT. CW20014. This is a pilot of the five (5) day CDIS Specialist Advanced course. Learners will be provided with deployment and initial configuration knowledge and skills for commonly used Department of Defense (DoD) cyber defense tools. The tools covered include the Cisco FirePOWER network intrusion prevention system (IPS), McAfee Enterprise Policy Orchestrator (ePO) host IPS, Cisco Adaptive Security Appliance virtual (ASAv) firewall and virtual private network (VPN), and Splunk security information and event management (SIEM) system. Modules for each tool discuss how to deploy virtual machine (VM) versions of it, initially configure it to be operational on the network, and troubleshoot any problems that arise. The course closes by addressing critical cyber defense infrastructure protection, test bed administration and evaluations, update coordination with stakeholders, and post-evaluation activities of the DoD Risk Management Framework (RMF) accreditation process. Cisco FirePOWER, McAfee ePO, Cisco ASA firewall/VPN, and Splunk labs embedded throughout the class provide a practical application of the concepts and capabilities discussed. Students will be asked to provide their feedback on the class and how well it matches the knowledge, skills, abilities and tasks (KSATs) expected within the DoD for someone who performs the CDIS specialist role. The advanced CDIS course is intended for those already familiar with the CDIS role as defined by the DoD Cyber Workforce Framework (DCWF) and common cyber defensive concepts and capabilities used in network and system defenses.
  • Systems Security Analyst – Foundation – PILOT. CW20009. This is a pilot of the five (5) day Systems Security Analyst (SSA) Foundation course. Learners will be provided an introduction into the analysis and development of the integration, testing, operations, and maintenance of systems security. This course will also provide insight into DoD cybersecurity core concepts as well as a foundation for assessing DoD systems using current standards. Finally, the course will provide an introduction to the tools used for the authorization of a DoD information system. Students will be asked to provide their feedback on the class and how well it matches the knowledge, skills, abilities and tasks (KSATs) expected within the DoD for someone who performs the SSA role. The foundation SSA course is intended for those new to or unfamiliar with the SSA role as defined by the DoD Cyber Workforce Framework (DCWF). As part of the Operate and Maintain framework category, the SSA role is accountable for the following tasks: conducts threat and vulnerability assessments and determines deviations from acceptable configurations or policies; assesses the level of risk and develops and/or recommends appropriate mitigation countermeasures in operational and non-operational situations.
  • Systems Security Analyst – Intermediate – PILOT. CW20010. This is a pilot of the five (5) day Systems Security Analyst Intermediate course. Students will be asked to provide their feedback on the class and how well it matches the knowledge, skills, abilities and tasks (KSATs) expected within the DoD for someone who performs the SSA role. The Intermediate Systems Security Analyst (SSA) course is provided for those with a mid-level of expertise in the SSA role as defined by the DoD Cyber Workforce Framework (DCWF). Learners will be provided instruction into the analysis and development of the integration, testing, operations, and maintenance of systems security. Learners will also gain an understanding of the topics needed to perform the tasks of a mid-level Systems Security Analyst. These topics include Security Information and Event Management (SIEM) software, networking concepts, an introduction to RMF principles, embedded systems, and PKI. The course includes hands-on exercises to expand the learning experience.
  • Systems Security Analyst – Advanced – PILOT. CW20011. This is a pilot of the Systems Security Analyst Advanced course. Students will be asked to provide their feedback on the class and how well it matches the knowledge, skills, abilities and tasks (KSATs) expected within the DoD for someone who performs the SSA role. The advanced Systems Security Analyst (SSA) course is intended for those with advanced knowledge of the SSA role as defined by the DoD Cyber Workforce Framework (DCWF). Learners will be provided instruction into the analysis and development of the integration, testing, operations, and maintenance of systems security. Learners will also gain an understanding of the topics needed to perform the tasks of an advanced Systems Security Analyst. This course covers the Risk Management Framework in detail. Other advanced topics covered are the Software/System Development Life Cycle (SDLC), Spillage Handling, Encryption, and Contingency Planning and Disaster Recovery. The course includes hands-on exercises to expand the learning experience.
  • REFERENCES:

    Army Registry of Networks and Layer-3 Devices (ARNLD)

    ARNLD tracks Army network address allocations and assignments, linking networks to the organizations responsible for them (Registrars) and the organizations using them (Customers). Routing tables are uploaded to the system to link netblocks with ASNs and Army Service Routers. This helps identify where a netblock is used physically and logically.
    Approved whitelist entries are uploaded to the DISA Registry NLT 1600 EST on Friday and Tuesday. See the AGNOSC Whitelist and Web Domain Registration Page on AKO for further details.
    Web servers need to be registered in ARNLD after a Ports, Protocols, and Services exception request is submitted and approved, and before a request is submitted to RCC-C for configuration behind the reverse web proxy (RWP). See the RCC-C RWP Process page for further details. Configuring a web server to be behind an RWP is required per AR 25-2 and the NIPR-DMZ STIG. See AR 25-2, 4-20g Network Security, Internet, Intranet, and WWW security:
    (12) Network managers and IA personnel will protect publicly accessible Army Web sites by placing them behind an Army reverse Web proxy server. The reverse proxy server acts as a proxy from the intranet to the protected server, brokering service requests on behalf of the external user or server. This use of a reverse proxy server provides a layer of protection against Web page defacements by preventing direct connections to Army Web servers.
    (13) Publicly accessible Web sites not protected behind a reverse Web proxy (until moved) will be on a dedicated server in a DMZ, with all unnecessary services, processes, or protocols disabled or removed. Remove all sample or tutorial applications, or portions thereof, from the operational server. Supporting RCERTs and TNOSCs will conduct periodic vulnerability assessments on all public servers and may direct blocking of the site dependent on the inherent risk of identified vulnerabilities. Commanders or assigned IAMs will correct identified deficiencies.

    Policies Concerning Personal Wearable Fitness Devices and Headphones (and Portable Electronics Devices, PED)

    • DoD CIO Memorandum, Subject: Introduction and Use of Wearable Fitness Devices and Headphones within DoD Accredited Spaces and Facilities, April 21, 2016.
    • Defense Intelligence Agency, U-15-001/CIO-3, "Policy Clarification, Portable Electronic Devices, Introduction and Use of Personal Wearable Fitness Devices and Personal Headphones," January 26, 2015
    • NSA/CSS Policy Instruction 6-0006, "Personal Use of Wearable Fitness Devices," March 3, 2015
    • HQDA EXORD 018-17, "Restricting Personal Electronic Devices (PEDs) at Training/Briefing Sessions in order to (IOT) Mitigate Vulnerabilities and Reduce Operations Security (OPSEC) Violations," 28 October 2016.
    • AR 530-1, Operations Security, 13 October 2014
    • AR 360-1, The Army Public Affairs Program, 25 May 2011

    What is the DoD Information Network (DoDIN)

    ARCYBER OPORD 2018-100, "Oriel Decimal Windows 10 Sustainment," 5 June 2018, provides the following description of the DoDIN:

    (3) (U) The DoDIN is the globally interconnected, end-to-end set of information capabilities for collecting, processing, storing, disseminating, and managing information on demand for warfighters, policy makers, and support personnel. The DoDIN includes owned and leased communications and computing systems and services, software (including applications), data, security services, other associated services, and national security systems. All Army resources that meet these criteria are subject to the directives provided in this order.

    IT and IA/Cybersecurity Training Resources

    Each entry gives the resource name, its category, and a description:
    • Federal Virtual Training Environment (FedVTE). Category: Multiple. Free training for the government and contractor workforce.
    • National Initiative for Cybersecurity Careers and Studies. Category: Multiple. A guide showing the levels of FedVTE, from Beginner to Expert.
    • FedRAMP Online Training. Category: FedRAMP. (1) Introduction to FedRAMP and the Cloud Service Provider (CSP) Readiness Process; (2) FedRAMP System Security Plan (SSP) Required Documents.
    • Defense Security Service (DSS) Cybersecurity eLearning Courses, Curricula, Shorts, Webinars, and Toolkits. Category: Multiple.
    • NETCOM Cybersecurity/RMF Training Resources. Category: RMF.
      • DISA: 3 Hour CBT Course Covering RMF for DoD IT. Target Audience: General RMF practitioners (high level intro course). Training modules & instructor led video; IASE portal http://iase.disa.mil/rmf/Pages/rmf-training.aspx
      • DISA: Cybersecurity Boot Camp (CS304). Target Audience: Individuals with limited knowledge of new cybersecurity policies and RMF. Survey course of the entire realm of DoD Cybersecurity; replaces the old DoD IA Boot Camp course. https://disa.deps.mil/ext/cop/iase/classroom_training/Pages/index.aspx
      • DAU: Cybersecurity Throughout DoD Acquisition (CLE 074). Target Audience: General RMF practitioners (high level intro course); replaces the CLE 025 IA module. 5 hour animated CBT; http://icatalog.dau.mil/onlinecatalog/courses.aspx?crs_id=2048
      • eMASS Training. Target Audience: Users of eMASS. Online CBT; instructor led training is also available. https://powhatan.iiie.disa.mil/emass/training.html
      • Other High Level RMF Training Opportunities. Taped briefing (1.5 hour) on 15 Jan 2014 - DAU Hot Topic Forum by Kevin Dulany. https://acc.dau.mil/CommunityBrowser.aspx?id=693410&lang=en-US
      • NIST: Applying the RMF to Federal Information Systems (2 hour CBT). http://csrc.nist.gov/groups/SMA/fisma/rmf-training.html
    • Splunk. Category: Audit and Logging.
    • Army eLearning (SkillPort). Category: Various, meeting DoDD 8570 Computing Environment (CE) training requirements. Everyone needs to register on the Army eLearning AKO Page for access. A list of courses is available: Army eLearning Program Listing as of 1/31/2016.
    • Army Training Requirements and Resources System (ATRRS). Category: Various, mostly pertinent to Army careers. ATRRS is the Department of the Army Management Information System of Record for managing student input to training.
    • Fort Riley, Kansas 1st Infantry Division Danger's Voice Signal University
    • CSAIC

    Training for HBSS and ACAS is moving from FedVTE to the Cyber Defence Training Cloud (CDTC) located at:
    https://cdtc.cert.org/lms/
    It requires a CAC and a mail.mil email address.

    More information about training:

    Friday, January 4, 2019

    Meeting Scheduling Tools

    • https://calendly.com/. Lets the user set their own date/time for a meeting.

    Virtual Desktop Infrastructure (VDI) and Desktop as a Service (DaaS)

    References:
    • Amazon WorkSpaces
    • Amazon AppStream
    • Anunta DesktopReady. DesktopReady™ is a fully functional Windows 10 based cloud desktop that is built on the inherently secure and high performing Azure® platform. DesktopReady requires no upfront capital expenditure or separate set up costs. Delivered “as a Service”, DesktopReady is built on platforms that are PCI, HIPAA, and SOC2 compliant and provides end-users access to 24x7 service desk so that you can spend more time on your core business.
    • https://www.hysolate.com/
    • Nerdio. All flash, VMware Horizon View 7, 1 Gbit/s Internet. Private Active Directory, Office 365 integration.
    • Liquidware Essentials. Includes ProfileUnity, FlexApp, and Stratusphere UX.
    • Nutanix Xi Frame.
    • Amazon Workspaces.
    • Azure Windows Desktop.
    • NetApp VDI Resource Center
    • Newcloud Networks Desktop as a Service (DaaS)
    • Thinfinity Remote Workspace
    • Windows Virtual Desktop (WVD)
    • Windows 365

    DoD Cloud Enclave Design Notes

    Goal: Establish an accredited enclave within a Cloud Service Provider (CSP) Cloud Service Offering (CSO) that has the infrastructure support and security services needed to host applications and/or enable use of cloud services.
    Prerequisites:
    • Organization must categorize their data IAW FIPS 199 and NIST SP 800-160, 800-59 to determine the impact levels for Confidentiality, Integrity, and Availability as well as whether the application(s) and/or data is a National Security System
    • CSO must have a DoD Provisional Authorization (PA) at the Impact Level (IL) required by the applications and/or data to be used within the environment/accreditation boundary.
    Before You Start:
    • Turn on CSO auditing and logging (e.g. AWS CloudTrail)
    • Identify the roles needed in the environment and the authentication realm(s) to be used:
      • AWS Management Console
      • operating systems (if using IaaS)
      • platform or application administrators (if using PaaS, SaaS)
    • Design a backup strategy. Define the retention periods for data, and establish Recovery Time Objective(s) (RTO) and Recovery Point Objective(s) (RPO). Note there may be several levels of RTO and RPO depending on the criticality of the application or data.

    Recommended Training and Certifications

    • Amazon Web Services (AWS)
      • Foundational
        • AWS Certified Cloud Practitioner
      • Associate
        • AWS Certified Solutions Architect - Associate (in progress)
        • AWS Certified Developer - Associate
        • AWS Certified SysOps Administrator - Associate
      • Professional
        • AWS Certified Solutions Architect - Professional
        • AWS Certified DevOps Engineer - Professional
      • Specialty
        • AWS Certified Advanced Networking
        • AWS Certified Big Data
        • AWS Certified Security
    • International Information Systems Security Certification Consortium (ISC)2
      • Certified Authorization Professional (CAP)
      • Certified Information System Security Professional (CISSP)
      • CISSP Information System Architecture Professional (CISSP-ISSAP)
      • CISSP Information System Engineering Professional (CISSP-ISSEP)
      • CISSP Information System Management Professional (CISSP-ISSMP)
      • Certified Cloud Security Professional (CCSP)
    • Project Management Institute (PMI)
      • Project Management Professional (PMP) ✔
    • Microsoft
      • MCSA: Office 365
      • MCITP: Enterprise Administrator ✔
    • EC Council
      • Certified Ethical Hacker (C|EH) ✔

    High Availability SLAs

    The difference between High Availability (HA) and Disaster Recovery (DR) is that HA is concerned with the technical goal of achieving a particular availability metric (e.g. number of nines), while DR concerns planning for what actions to take before, during, and after a disaster occurs. With respect to AWS, Availability Zones (AZ) address HA while Regions address DR.

    Availability %   Downtime per Year   Downtime per Month
    99.999           5.26 minutes        26.30 seconds
    99.99            52.60 minutes       4.38 minutes
    99.9             8.77 hours          43.83 minutes
    99               3.65 days           7.31 hours
    90               36.53 days          73.05 hours

    Note that Amazon S3 offers eleven nines of durability and four nines of availability, which means the probability of losing data is much lower than the probability of it being unavailable (i.e. your data might not be reachable at a given moment, but it probably is not lost).
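    The downtime figures in the table follow from the availability percentage alone, so they are worth being able to recompute. The block below is an added example, written for these notes and not part of the original page or of any AWS material. It reproduces the table (the figures imply a 365.25-day year with a month of one twelfth of that) and goes one step beyond it: it composes the availability of identical components placed in parallel, which is the arithmetic behind spreading a tier across Availability Zones for HA, and of a dependency chain in series (DNS, load balancer, instance), where every hop must be up. The independent-failure assumption and all function names are mine.

```python
import math

# The notes' table is consistent with a 365.25-day year and a month of 1/12 of it.
MINUTES_PER_YEAR = 365.25 * 24 * 60
MINUTES_PER_MONTH = MINUTES_PER_YEAR / 12


def downtime_minutes(availability_pct: float, period_minutes: float) -> float:
    """Downtime budget (in minutes) implied by an availability percentage."""
    if not 0.0 <= availability_pct <= 100.0:
        raise ValueError("availability must be a percentage in [0, 100]")
    return period_minutes * (1.0 - availability_pct / 100.0)


def downtime_per_year(availability_pct: float) -> float:
    return downtime_minutes(availability_pct, MINUTES_PER_YEAR)


def downtime_per_month(availability_pct: float) -> float:
    return downtime_minutes(availability_pct, MINUTES_PER_MONTH)


def nines(availability_pct: float) -> int:
    """Number of leading nines: 99.99 -> 4, 99.9 -> 3, 90 -> 1."""
    unavailable = 1.0 - availability_pct / 100.0
    if unavailable <= 0.0:
        raise ValueError("100% availability has no finite count of nines")
    # round() first so float noise (1 - 0.99999 is not exactly 1e-5) cannot
    # knock a 5.0 down to 4.
    return math.floor(round(-math.log10(unavailable), 6))


def parallel_availability(*component_pcts: float) -> float:
    """Redundant components where any one keeps the service up, e.g. the
    same tier deployed in two Availability Zones.  Assumes independent
    failures (an assumption of this example), so unavailabilities multiply."""
    unavailable = 1.0
    for pct in component_pcts:
        unavailable *= 1.0 - pct / 100.0
    return 100.0 * (1.0 - unavailable)


def serial_availability(*component_pcts: float) -> float:
    """A dependency chain where every component must be up (DNS -> load
    balancer -> instance); the availabilities multiply."""
    available = 1.0
    for pct in component_pcts:
        available *= pct / 100.0
    return 100.0 * available


def sla_table(pcts=(99.999, 99.99, 99.9, 99.0, 90.0)):
    """Rows of (availability %, downtime/year in minutes, downtime/month in minutes)."""
    return [(p, downtime_per_year(p), downtime_per_month(p)) for p in pcts]


if __name__ == "__main__":
    for pct, year_min, month_min in sla_table():
        print(f"{pct:>7}%  {year_min:10.2f} min/yr  {month_min:9.2f} min/mo  ({nines(pct)} nines)")
    # Two 99.9% AZs in parallel versus a three-hop 99.9% chain in series.
    print(f"2 AZs in parallel: {parallel_availability(99.9, 99.9):.4f}%")
    print(f"3 hops in series:  {serial_availability(99.9, 99.9, 99.9):.4f}%")
```

    The series case is the one that bites in practice: three 99.9% dependencies chained together deliver about 99.7%, so the published number for a single service is an upper bound on what a user of the whole path will see, while redundancy across AZs pushes the combined figure in the other direction.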
    Tools to achieve HA:
    • Auto Scaling Groups. Horizontal scaling as a workload increases
    • EC2 instance model upgrade (vertical scaling)
    • Elastic Load Balancers
    • Route 53 (DNS)

    What is APMS?

    The Army Portfolio Management Solution (APMS) is a web-based application used to manage the inventory of Army systems. A system must be assigned an APMS number before it can be accepted into the A&A process (RMF). An APMS number is also required to create an eMASS entry (however, for a system that is under development or being tested, using "0000" works!). For Army systems, the APMS number is used in the DITPR field.
    Army systems must be registered in APMS and assigned a Mission Area: Business Mission Area (BMA), Enterprise Information Environment Mission Area (EIEMA), or Warfighting Mission Area (WMA). Within each Mission Area, a Domain must also be selected. The Mission Areas and Domains are:

    BMA (Business Mission Area):
    • Acquisition
    • Financial Management
    • Human Resources Management
    • Installations, Energy & Environment
    • Logistics
    • Training & Readiness
    DIMA (Defense Intelligence Mission Area)
    • Analysis & Production
    • Collection
    • Dissemination
    • Enterprise Information Technology
    • Enterprise Management Support
    • Exploitation
    • Mission Management
    EIEMA (Enterprise Information Environment Mission Area)
    • Communications
    • Computing Infrastructure
    • Core Enterprise Services
    • Information Assurance
    WMA (Warfighter Mission Area)
    • Battlespace Awareness
    • Command and Control
    • Corporate Management and Support
    • Focused Logistics
    • Force Application
    • Force Management
    • Mission Command
    • Net Centric
    • Protection
    • Training
    See DoD Instruction (DoDI) 8115.02, "Information Technology Portfolio Management Implementation," 30 October 2006 and Department of the Army Pamphlet 25-1-1, Information Management, Army Information Technology Implementation Instructions, 25 JUN 2013 for further information concerning Mission Areas and Domains.
    A system's APMS record contains several other details concerning the system including:  POCs, FISMA compliance, PIA, and hosting environment.
    The DoD repository for IT assets is the Department of Defense Information Technology Portfolio Repository (DITPR).
    Resources:
    • APMS Home on AKO
    • APMS System Data
    • Department of the Army Pamphlet 25-1-1, Information Management, Army Information Technology Implementation Instructions, 25 JUN 2013
    • Army Regulation (AR) 5-1, Management of Army Business Operations, 12 DEC 2015

    COMMAND CYBER READINESS INSPECTION (CCRI) PROGRAM


    The Command Cyber Readiness Inspection (CCRI) increases the accountability and improves the overall security posture of the Department of Defense Information Network (DoDIN) and is mandated by the Chairman of the Joint Chiefs of Staff Instruction (CJCSI) 6211.02D, Department of Defense Instruction (DoDI) 8500.2, IA Implementation. Results of the CCRI are reported to USCYBERCOM and to appropriate DoDIN Connection Approval Office.
    Reviewed Command Cyber Readiness Inspection (CCRI) preparation documents provided by the RNEC-NCR.
    - CCRI Scoring (12.8 16JAN 18). Scoring is broken out into: Technical 60%, Computer Network Defense (CND) Directives 30%, Contributing Factors (culture, capability, conduct) 10%. CND Directives identified are: CTO 07-015 PKI Phase II (NIPR only), TASKORD 12-0823 (SIPRNet PKI only), TASKORD 16-0080 (HBSS/EPS), TASKORD 13-0651 Insider Threat. Each component within the three areas is assigned a weight (1-4). Breakout is as follows:
      - Technology Areas:
        - Boundary Security: 3
        - Internal Network: 3
        - Vulnerability Scan: 4
        - DNS: 3
        - HBSS: 4
        - Traditional Security: 4
        - CDS: 4
        - Administrative CDS: 2
        - Mobility: 2
        - Releasable (REL): 2
        - Web Server: 3
        - Database: 3
        - Exchange: 2
        - Video and Voice Over IP (VVOIP): 1
        - Other (Windows OS, Unix OS, etc.): 1
      - USCYBERCOM CND Directives:
        - CTO 07-015 PKI Phase II (NIPR): 3
        - TASKORD 12-0863 SIPR PKI: 3
        - CTO 08-005/TASKORD 13-0670: 3
        - OPORD 16-0080: 4
        - TASKORD 13-0651: 2
      - The scanning technology area is scored based on the average number of findings per host.
      - Non-scanning technology areas are scored based on the percentage of open findings to potential findings.
      - Concern Indicator (scale 0 – 5) based on open findings using a weighted average. Critical (5), Moderate (3), Minor (1), Minimal Concern (0.5), No Concern (0). It appears that the weight of findings is: Critical and High (10), Medium (4), Low (1). For the scanning technology area (ACAS) the Concern Indicator is: 0 No Concern, >0 Minimal, >0 Minor, <=2.5 Moderate, >=3.5 Critical. For the non-scanning area (e.g. manual STIG or SRG), the Concern Indicator is: 0% No Concern, >0% Minimal, >0% Minor, >10% Moderate, >20% Critical.
      - Use the "2CCRI Phase IV Grading Criteria Worksheet V1R4 31OCT17" to grade the CCRI. See the "Overall Grade" worksheet for the score.
      - A score of 70% or worse is an unacceptable grade. If below 70%, the Risk Indicator will be automatically adjusted to High Risk.
    - USCYBERCOM OPORD 16-0080 Endpoint Security Compliance Inspection Procedures, Version 2 Revision 11, Current as of 22 August 2018. Covers HBSS ePO version and components (McAfee Agent (MA) Extension, Operational Attributes Manager (OAM), ArcSight Connector, Enhanced Reporting, Rollup Extender, OAM (Operational Attributes Module) Rollup, Asset Publishing Service (APS), Point Product Deployment, identification of whitelisted systems, McAfee Agent, Host Intrusion Detection System (HIPS), Policy Auditor (PA), Device Control Module (DCM/DLP), Asset Configuration Control Module (ACCM), Antivirus (AV), client module configuration, HIPS IPS, HIPS firewall, antivirus configuration, PA configuration, COOP configuration (SIPRNet only), DCP/DCM configuration, Rogue System Detection (RSD), rollup reporting, rollup reporting – ePO servers, APS publishing to CMRS daily, ArcSight connector configuration, HBSS training, personnel trained). Use the spreadsheet "JFHQ-DODIN_CCRI EndPoitn Security OPORD 16-0080 Compliance Worksheet" for assessment.
    - CCRI Computer Network Defense (CND) Directive Guide, Version 12 Revision 12, Current as of 16 February 2018. Covers specific checks per: CTO 07-015 PKI Phase II (NIPR only), TASKORD 12-0823 (SIPRNet PKI only), TASKORD 16-0080 (HBSS/EPS), TASKORD 13-0651 Insider Threat.
    - CCRI Risk Indicator Guide, Version 1, Revision 5, Current as of 13 August 2018. This document is based on NIST SP 800-30 rev 1, Guide for Conducting Risk Assessments. The Risk Indicator is part of the final CCRI Compliance Report; however, it is not a factor in determining the final CCRI grade or score. Based upon results from Technology reviews, CND Directives compliance, Contributing Factors evaluation and personal observations, CCRI Team Leads (TL) will provide a Risk Indicator score as part of a CCRI compliance report. As such, this document is a guide to properly complete the Risk Indicator worksheet in the nSpect tool. Many of the items assessed/scored per this document are redundant with the CCRI findings (CCRI Scoring). Items reviewed include: Traditional and Network Security STIG, antivirus definitions, HBSS (broken out into ePO and endpoint protection components), COOP, Computer Network Defense Service Provider (CNDSP) alignment and relationship, cybersecurity practices and information assurance awareness, dated CAT I findings, cross domain solutions (CDS), Operational Readiness Inspections (ORI) and Exercises (ORE), target value for threat vectors, presence of vulnerable program managed systems, presence of end-of-life systems, port security, and configuration management.
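    To make the weighting scheme in the CCRI Scoring notes concrete, the block below is an added example written for these notes; it is not from the notes, from nSpect, or from any official CCRI grading worksheet. It takes the figures recorded above as inputs: per-area compliance as the share of potential findings that are closed (the non-scanning metric), the 1-4 area and directive weights, the 60/30/10 section split, the average-findings-per-host metric for the scanning area, and the 70% unacceptable threshold. How the official worksheet actually combines those numbers is not on the page, so the weighted-average roll-up, the treatment of areas that were not inspected, the function names and the sample inspection data are all assumptions for illustration. The Concern Indicator thresholds are left out because the notes record them inconsistently.

```python
from dataclasses import dataclass
from typing import Iterable, Mapping

# Weights as recorded in the CCRI Scoring notes above.
TECHNOLOGY_WEIGHTS: Mapping[str, int] = {
    "Boundary Security": 3, "Internal Network": 3, "Vulnerability Scan": 4,
    "DNS": 3, "HBSS": 4, "Traditional Security": 4, "CDS": 4,
    "Administrative CDS": 2, "Mobility": 2, "Releasable (REL)": 2,
    "Web Server": 3, "Database": 3, "Exchange": 2, "VVOIP": 1, "Other": 1,
}
CND_DIRECTIVE_WEIGHTS: Mapping[str, int] = {
    "CTO 07-015 PKI Phase II (NIPR)": 3, "TASKORD 12-0863 SIPR PKI": 3,
    "CTO 08-005/TASKORD 13-0670": 3, "OPORD 16-0080": 4, "TASKORD 13-0651": 2,
}
SECTION_WEIGHTS = {"technical": 0.60, "cnd": 0.30, "contributing": 0.10}
UNACCEPTABLE_AT_OR_BELOW = 70.0


@dataclass(frozen=True)
class AreaResult:
    """Open vs. potential findings for one non-scanning area or directive."""
    name: str
    open_findings: int
    potential_findings: int

    def compliance_pct(self) -> float:
        """Percentage of potential findings that are closed."""
        if self.potential_findings <= 0:
            raise ValueError(f"{self.name}: potential findings must be > 0")
        if not 0 <= self.open_findings <= self.potential_findings:
            raise ValueError(f"{self.name}: open findings out of range")
        return 100.0 * (1.0 - self.open_findings / self.potential_findings)


def scanning_findings_per_host(total_findings: int, hosts_scanned: int) -> float:
    """Scanning-area (ACAS) metric from the notes: average findings per host."""
    if hosts_scanned <= 0:
        raise ValueError("hosts_scanned must be > 0")
    return total_findings / hosts_scanned


def weighted_section_score(results: Iterable[AreaResult],
                           weights: Mapping[str, int]) -> float:
    """Weight-averaged compliance over the areas actually inspected.

    Assumption (not from the notes): areas absent from `results` are left
    out rather than counted as 0% or 100%.  An area name missing from the
    weight table raises KeyError so a typo cannot silently score as zero.
    """
    acc, total_weight = 0.0, 0
    for r in results:
        w = weights[r.name]
        acc += w * r.compliance_pct()
        total_weight += w
    if total_weight == 0:
        raise ValueError("no inspected areas")
    return acc / total_weight


def overall_score(technical: Iterable[AreaResult], cnd: Iterable[AreaResult],
                  contributing_pct: float) -> float:
    """Roll the 60/30/10 sections up into one percentage (assumed formula)."""
    if not 0.0 <= contributing_pct <= 100.0:
        raise ValueError("contributing_pct must be in [0, 100]")
    return (SECTION_WEIGHTS["technical"] * weighted_section_score(technical, TECHNOLOGY_WEIGHTS)
            + SECTION_WEIGHTS["cnd"] * weighted_section_score(cnd, CND_DIRECTIVE_WEIGHTS)
            + SECTION_WEIGHTS["contributing"] * contributing_pct)


def is_unacceptable(score: float) -> bool:
    """Per the notes, 70% or worse is unacceptable (and forces High Risk)."""
    return score <= UNACCEPTABLE_AT_OR_BELOW


# Constructed sample inspection data for illustration; not real CCRI results.
SAMPLE_TECHNICAL = [
    AreaResult("Boundary Security", open_findings=5, potential_findings=50),  # 90%
    AreaResult("HBSS", open_findings=10, potential_findings=40),             # 75%
    AreaResult("Web Server", open_findings=0, potential_findings=20),        # 100%
]
SAMPLE_CND = [
    AreaResult("OPORD 16-0080", open_findings=2, potential_findings=10),     # 80%
    AreaResult("TASKORD 13-0651", open_findings=0, potential_findings=5),    # 100%
]

if __name__ == "__main__":
    score = overall_score(SAMPLE_TECHNICAL, SAMPLE_CND, contributing_pct=90.0)
    print(f"overall {score:.1f}%  unacceptable={is_unacceptable(score)}")
    print(f"ACAS findings per host: {scanning_findings_per_host(120, 40):.2f}")
```

    With the sample data the technical section comes to 87.0% (weights 3, 4 and 3 over 90%, 75% and 100%), the CND section to 86.7%, and the roll-up to 87.2%. The point of the weights is visible in that first number: the HBSS area, weighted 4, pulls the section down more than a Web Server result weighted 3 could pull it up.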

    References: