Department of Defense
INSTRUCTION

DoDI O-8530.2
March 9, 2001

FOR OFFICIAL USE ONLY

SUBJECT: Support to Computer Network Defense (CND)

References: (a) DoD Directive O-8530.1, "Computer Network Defense (CND)," January 8, 2001
            (b) DoD Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance (C4ISR) Architecture Framework, Version 2.0, December 18, 1997
            (c) Joint Technical Architecture (JTA), Version 3.0, November 29, 1999
            (d) DoD Instruction 5200.40, "DoD Information Technology Security Certification and Accreditation Process (DITSCAP)," December 30, 1997
            (e) through (l), see enclosure 1

1. PURPOSE

This Instruction:

1.1. Implements policy, assigns responsibilities, and prescribes procedures under reference (a) necessary to provide the essential structure and support to the U.S. Space Command (USCINCSPACE) for Computer Network Defense (CND) within Department of Defense information systems and computer networks.

1.2. Defines CND Services (CNDS).

1.3. Establishes the CND Service certification and accreditation process.

1.4. Requires CND compliance with references (b) and (c).

1.5. Provides for Information Assurance Red Team notification, reporting, and coordination to ensure deconfliction of Red Team and CND activities.

2. APPLICABILITY AND SCOPE

This Instruction:

2.1. Applies to the Office of the Secretary of Defense, the Military Departments, the Chairman of the Joint Chiefs of Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense, the Defense Agencies, the DoD Field Activities, and all other organizational entities within the Department of Defense (hereafter referred to collectively as "the DoD Components").

2.2. Applies to all DoD information systems and computer networks.

3. DEFINITIONS

Terms used in this Instruction are defined in enclosure 2.

4. POLICY

This Instruction implements the policies defined in DoD Directive O-8530.1 (reference (a)).

5. RESPONSIBILITIES

Pursuant to reference (a):

5.1. The Assistant Secretary of Defense for Command, Control, Communications, and Intelligence (ASD(C3I)) shall:

5.1.1. Oversee and review implementation of this Instruction.

5.1.2. Appoint, in coordination with the Chairman, Joint Chiefs of Staff (CJCS) and USD(AT&L), the DoD CND Architect.

5.1.3. Ensure the establishment of the CNDS certification and accreditation process.

5.1.4. Ensure the establishment of a Defense-wide Information Assurance Vulnerability Alert (IAVA) notification, reporting, coordination, and compliance process (see enclosure 6).

5.1.5. Ensure the establishment of a Defense-wide Information Assurance Red Teaming notification, reporting, and coordination process.

5.1.6. Ensure that CND requirements are addressed as part of the DoD Information Technology Security Certification and Accreditation Process (DITSCAP), DoD Instruction 5200.40 (reference (d)), and in information technology (IT) registration and management guidance and systems.

5.2. The Director, Defense Information Systems Agency, shall:

5.2.1. Develop, in coordination with USCINCSPACE and the Director, NSA, the CNDS certification and accreditation process (see enclosure 5).

5.2.2. Function as the CNDS Certification Authority (CNDS/CA) for General Service CNDS.

5.2.3. Function as the Systems Integrator for Defense-wide CND-related systems in accordance with DoD Instruction 4630.8 (reference (e)).

5.2.4. Manage the IAVA process (see enclosure 6).

5.2.5. Coordinate all red team and penetration tests for General Service Enclaves.

5.3. The Director, National Security Agency, shall:

5.3.1. Assist the Director, DISA, in developing the CNDS certification and accreditation process.

5.3.2. Function as the CNDS/CA for Special Enclave CNDS.

5.3.3. Function as the Program Manager for Defense-wide CND research and technology (R&T).

5.3.4. Establish and maintain a trusted agent network and procedures for the reporting of Information Assurance Red Teaming activities.

5.3.5. Provide specialized Attack Sensing and Warning (AS&W) support to USCINCSPACE and the DoD Components.

5.4. The Commander in Chief, United States Space Command (USCINCSPACE), shall:

5.4.1. Establish, in coordination with the DoD Components, procedures for DoD-wide dissemination of CND and related advisories, alerts, and warning notices, including those originating outside of the Department of Defense; monitor compliance with issued IAVAs and INFOCON [changes]; and direct DoD-wide actions, including DoD-wide Information Operations Condition (INFOCON) changes, to defend DoD computer network operations.

5.4.2. Provide the Secretary of Defense, through the Chairman, Joint Chiefs of Staff (CJCS), a periodic operational assessment of the readiness of the DoD Components to defend DoD information systems and computer networks.

5.4.3. Employ combatant command authority and tactical control (TACON) of assigned forces to plan and execute operations to protect and defend DoD computer networks, or other vital national security interests as directed by the Secretary of Defense, against any intentional unauthorized computer network intrusion or attack.

5.4.4. Develop and request changes to Standing Rules of Engagement for Computer Network Defense.

5.4.5. Conduct and coordinate CND deliberate and crisis action planning and execution for computer network defense as directed, in accordance with the Joint Operation Planning and Execution System.

5.4.6. Coordinate with the Director, NSA, to maintain awareness of and deconflict Red Teaming activities and operations associated with DoD information systems and computer networks.

5.4.7. Assist the Director, DISA, in developing the CNDS certification and accreditation process and serve as Accrediting Authority for the CNDS/CAs.

5.5. The Heads of the DoD Components shall:

5.5.1. Establish Component-level CND Services to coordinate and [...] Component-wide CND and ensure system and personnel certification and accreditation in accordance with established DoD requirements and procedures.

5.5.2. Provide USCINCSPACE with operational assessments and comply with USCINCSPACE operational direction for the planning and conduct of CND and the integration of Information Assurance activities into CND operations.

5.5.3. Comply with the reporting requirements of CJCSI 6510.01 series (reference (f)) and additional reporting requirements coordinated by USCINCSPACE.

5.5.4. Contribute to computer network situational awareness by providing operational requirements and priorities, operational status, and the user's perspective on computer network status (e.g., availability, reliability).

5.5.5. Maintain an inventory of [...] networks (i.e., systems separately accredited by a DAA under the provisions of DoD Instruction 5200.40) [and their] CNDS providers. This inventory information shall be [provided to the DoD Chief] Information Officer and USCINCSPACE.

5.5.6. Manage the designation of Component-owned Special Enclaves and ensure that designated Special Enclaves are assigned to a CNDS.

5.5.7. Ensure that CNDS support is a condition of information and computer security certification and accreditation in accordance with reference (d).

5.5.8. Provide guidance on service arrangements with non-Component CNDS providers.

5.5.9. In coordination with the CNDS/CAs and USCINCSPACE, develop a coordinated and common DoD curriculum for CND education, training, and awareness.

5.5.10. Participate in planning and establish Component requirements for a Defense-wide common operational picture (COP).

5.5.11. Plan, program, and monitor Component-assigned responsibilities for development of information systems or databases supporting Defense-wide CND.

5.5.12. In coordination with the Systems Integrator, establish Component sensor grid requirements and plan and program for their implementation.

5.5.13. Coordinate system development and integration with the Systems Integrator and the R&T Program Manager.

5.5.14. Support CND Architect sponsored activities and respond to requests for information.

6. PROCEDURES

6.1. The CNDS Certification Authorities shall:

6.1.1. In coordination with the CND Architect, develop and implement the CND certification and accreditation process.

6.1.2. Provide technical, analytical, and coordination CND services (e.g., the analysis and reporting of intrusions, incidents, and events; dissemination of alerts and warning notices; computer diagnostics; short-term CND trend and pattern analysis; IAVA monitoring) to the DoD Component CNDS providers and to USCINCSPACE.

6.1.3. In coordination with the Heads of the DoD Components and Defense-wide Information Assurance initiatives, develop a coordinated curriculum for CND education, training, and awareness that addresses requirements identified by the CNDS providers and the certification and accreditation process.

6.1.4. In coordination with the CNDS providers and the R&T Program Manager, identify requirements and ensure that new technologies are effectively transitioned into CNDS practices.

6.2. The Component CNDS Providers shall:

6.2.1. Comply with the operational direction of USCINCSPACE for the conduct of CND and the integration of Information Assurance activities into CND operations.

6.2.2. Comply with the reporting requirements of CJCSI 6510.01 series (reference (f)) and additional reporting requirements coordinated by USCINCSPACE.

6.2.3. Provide for the coordination services (see paragraph E5.4.5) of the appropriate CNDS/CA.

6.2.4. Maintain an inventory of all supported entities and associated information systems and computer networks.

6.2.5. Provide CND Services in accordance with enclosure 4.

6.3. The CND Law Enforcement and Counterintelligence (LE/CI) Center shall:

6.3.1. Serve as the primary interface with the National Infrastructure Protection Center (NIPC) for CND-related law enforcement and counterintelligence issues.

6.3.2. Receive operational direction for law enforcement from the Defense Criminal Investigative Organizations and respond to the information requirements of the USCINCSPACE and Component CNDS providers.

6.3.3. Coordinate, deconflict, and facilitate law enforcement and counterintelligence CND investigations and operations among the DoD Components.

6.3.4. Provide analytical services to support CND investigations and operations and the COP.

6.3.5. Support CND planning and policy development.

6.3.6. Coordinate release of CND LE/CI information with appropriate consent from originating agencies to support information sharing across the DoD Components.

6.4. The National Security Incident Response Center (NSIRC) shall:

6.4.1. Provide specialized Attack Sensing and Warning (AS&W) analysis for discovery of Defense-wide and long-term trends and patterns.

6.4.2. Provide overall focus and coordination for the AS&W function.

6.4.3. Provide direct AS&W support to USCINCSPACE.

6.4.4. Provide AS&W assistance as required to Component CNDS providers.

6.5. The DoD CND Architect shall:

6.5.1. Develop and implement CND operational architectures to support USCINCSPACE.

6.5.2. Support the DoD Components in all CND architecture activities.

6.5.3. Support the ASD(C3I) in periodic review of CND capabilities and requirements.

6.5.4. Oversee the establishment and implementation of the CND certification and accreditation process.

6.5.5. Oversee the activities of the CND Research and Technology Program Manager and Systems Integrator.

6.5.6. Manage the Special Enclave designation process.

6.6. The CND Research and Technology (R&T) Program Manager shall:

6.6.1. Provide technical direction and coordination for the development and evaluation of CND tools and techniques.

6.6.2. In coordination with the CNDS/CAs, ensure the effective transition of new capabilities into CNDS practices.

6.6.3. In coordination with the DoD Components and the Defense-wide Information Assurance Program (DIAP), provide a comprehensive view of all CND-related technology gaps, shortfalls, research, development, and transition requirements to the Director of Defense Research and Engineering (DDR&E).

6.6.4. Develop the CND Technology Transition Plan and Program.

6.6.5. Program for common Defense-wide CND Technology Transitions and provide support to the DIAP and the DDR&E in programming for related research and development.

6.6.6. Provide support to the CND Architect, OSD, the Joint Staff, and USCINCSPACE in the identification and resolution of CND technology transition and R&D program issues.

6.7. The CND Systems Integrator shall:

6.7.1. Develop and coordinate the Sensor Grid Plan and Program.

6.7.2. Develop and coordinate the COP Plan and Program.

6.7.3. Provide support to the CND Architect, OSD, the Joint Staff, and USCINCSPACE in the identification and resolution of CND systems (e.g., capabilities, tools) integration issues.

7. INFORMATION REQUIREMENTS

7.1. The Information Systems Registration with DoD Chief Information Officer reporting requirement referred to in this Instruction has been assigned Report Control Symbol DD-C3I(AR)2096 in accordance with DoD 8910.1-M (reference (g)).

7.2. The Information Assurance Vulnerability Alert (IAVA) reporting referred to in subparagraph 5.1.4. is exempt from licensing in accordance with paragraph C4.4. of reference (g).

7.3. The reporting of Information Assurance Red Teaming Activities is exempt from licensing in accordance with paragraph C4.4.2. of reference (g).

7.4. The operational assessment referred to in subparagraph 5.4.2. is exempt from licensing in accordance with paragraph C4.4.4. of reference (g).

7.5. The Certificate Authority reporting of intrusions, incidents, and events and dissemination of alerts and warnings notices are exempt from licensing in accordance with paragraph C4.4.2. of reference (g).

7.6. Additional information requirements, unless exempt, shall be developed, approved, and licensed in accordance with reference (g).

8. EFFECTIVE DATE

This Instruction is effective immediately.

Enclosures - 6
E1. References, continued
E2. Definitions
E3. Computer Network Defense (CND) Concept
E4. Computer Network Defense (CND) Services
E5. Computer Network Defense (CND) Support Functions
E6. Information Assurance Vulnerability Alert (IAVA)

E1. ENCLOSURE 1
REFERENCES, continued

(e) DoD Instruction 4630.8, "Procedures for Compatibility, Interoperability, and Integration of Command, Control, Communications, and Intelligence (C3I) Systems," November 18, 1992
(f) CJCS Instruction 6510.01B, "Defensive Information Operations Implementation," August 22, 1997
(g) DoD 8910.1-M, "DoD Procedures for Management of Information Requirements," June 30, 1998
(h) Presidential Report, "Defending America's Cyberspace: National Plan for Information Systems Protection, Version 1.0," prepared by the National Coordinator for Security, Infrastructure Protection, and Counter-terrorism, June 2000
(i) Executive Order 12333, "United States Intelligence Activities," December 4, 1981
(j) DoD Directive 5240.1, "Activities of DoD Intelligence Components that Affect U.S. Persons," April 25, 1988
(k) DoD 5240.1-R, "Procedures Governing the Activities of DoD Intelligence Components that Affect United States Persons," December 1982
(l) National Security Telecommunications and Information Systems Security Directive (NSTISSD) No. 503, "Incident Response and Vulnerability Reporting for National Security Systems," August 30, 1993

E2. ENCLOSURE 2
DEFINITIONS

E2.1.1. Accreditation. Formal declaration by the Designated Approving/Accrediting Authority (DAA) that an information system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk.

E2.1.2. Attack Sensing and Warning (AS&W). The detection, correlation, identification, and characterization of intentional unauthorized activity, including computer intrusion or attack, across a large spectrum, coupled with the notification to command and decision-makers so that an appropriate response can be developed. Attack sensing and warning also includes attack/intrusion related intelligence collection tasking and dissemination; limited immediate response recommendations; and limited potential impact assessments.

E2.1.3. Certification. Comprehensive evaluation of the technical and non-technical security features of an information system and other safeguards, made in support of the accreditation process, to establish the extent that a particular design and implementation meets a set of specified security requirements.

E2.1.4. Computer Emergency Response Team/Computer Incident Response Team (CERT/CIRT). An organization chartered by an information systems owner to coordinate or accomplish necessary actions in response to computer emergency incidents that threaten the availability or integrity of its information systems.

E2.1.5. Computer Network. Two or more computers connected with one another for the purpose of communicating data electronically. A computer network includes the physical connection of a variety of computers, communication devices, and supporting peripheral equipment, and a cohesive set of protocols that allows them to exchange information in a near-seamless fashion.

E2.1.6. Computer Network Attack (CNA). Operations to disrupt, deny, degrade, or destroy information resident on computers and computer networks, or the computers and networks themselves.

E2.1.7. Computer Network Defense (CND). Actions taken to protect, monitor, analyze, detect, and respond to unauthorized activity within DoD information systems and computer networks. Note: The unauthorized activity may include disruption, denial, degradation, destruction, exploitation, or access to computer networks, information systems or their contents, or theft of information. CND protection activity employs information assurance protection activity and includes deliberate actions taken to modify an assurance configuration or condition in response to a CND alert or threat information. Monitoring, analysis, and detection activities, including trend and pattern analysis, are performed by multiple disciplines within the Department of Defense (e.g., network operations, CND Services, intelligence, counterintelligence, and law enforcement). CND response can include recommendations or actions by network operations (including information assurance), restoration priorities, law enforcement, military forces, and other US Government agencies.

E2.1.8. CND Operational Hierarchy. The way DoD is organized to conduct CND. The Department of Defense is organized into three tiers to conduct CND. Tier One provides DoD-wide CND operational direction or support to all DoD Components. Tier Two [provides] Component-wide operational direction or support and responds to [Tier One] direction. Tier Three provides local operational direction or support and responds to [the] Tier Two entity. Tier One entities include the USCINCSPACE, the CND Service Certification Authorities (DISA and NSA), the [CND Law Enforcement and] Counterintelligence Center, and the National Security Incident [Response Center]. [Tier Two] includes CNDS providers designated by Heads of Components. CND Tier Three includes all entities responding to direction [from Tier Two] CNDS [providers], e.g., local control centers that manage and control services either deployed or fixed at DoD installations.

E2.1.9. CND Common Operational Picture (COP). A distributed capability that [provides local,] intermediate, and DoD-wide visual situational awareness of CND actions and [supports] collaboration and decision support. The CND COP is a view on the NETOPS Common Operational Picture (NETOPS COP).

E2.1.10. CND Law Enforcement and Counterintelligence Center. An organization that coordinates LE/CI investigations and operations in support of CND and is staffed by all Defense Criminal Investigative and Counterintelligence Organizations.

E2.1.11. CND Sensor Grid. A coordinated constellation of decentrally owned and implemented intrusion and anomaly detection systems deployed throughout DoD information [systems and] computer networks. The CND sensor grid is a component of the NETOPS [...].

E2.1.12. CND Service (CNDS). A DoD service provided or subscribed to by owners of information systems and/or computer networks in order to maintain and provide CND awareness, implement CND protect measures, monitor and analyze in order to detect unauthorized activity, and implement CND operational direction.

E2.1.13. CNDS Certification. An integrated suite of CNDS certification standards, self-assessment and independent assessment processes, improvement methods and tools, and inter-CNDS information exchange and communications protocols established by the CNDS/CA.

E2.1.14. CNDS Certification Authority (CNDS/CA). An entity responsible for [...] providers, coordinating among supported CNDS providers, and managing information dissemination supporting CND operations.

E2.1.15. CNDS Providers. Those organizations responsible for delivering protection, detection, and response services to its users. CNDS providers must provide for the coordination service support of a CNDS Certification Authority. CNDS is commonly provided by a Computer Emergency or Incident Response Team (CERT/CIRT) and may be associated with a Network Operations and Security Center (NOSC).

E2.1.16. Counterintelligence. Information gathered and activities conducted to protect against espionage, other intelligence activities, sabotage, or assassinations conducted by or on behalf of foreign governments or elements thereof, foreign organizations, or foreign persons, or international terrorist activities.

E2.1.17. Counterintelligence Activities. The four functions of counterintelligence are operations; investigations; collection and reporting; and analysis, production, and dissemination.

E2.1.18. Counterintelligence Investigation. Includes inquiries and other activities undertaken to determine whether a particular United States person is acting for or on behalf of a foreign [power] for purposes of conducting espionage and other intelligence activities, sabotage, [...] international terrorist activities, and actions to neutralize such acts.

E2.1.19. General Service Network or System. For the purposes of CND, all DoD information systems and computer networks are classified at one of two security levels: General Service or Special Enclave. All DoD information systems and/or computer networks will be considered General Service (e.g., NIPRNET, SIPRNET) unless designated as Special Enclave because of special security requirements.

E2.1.20. Indications and Warning. Those intelligence activities intended to detect and report time-sensitive intelligence information on foreign developments that could involve a threat to the United States or allied/coalition military, political, or economic interests or to U.S. citizens abroad. It includes forewarning of enemy actions or intentions; the imminence of hostilities; insurgency; nuclear/non-nuclear attack on the United States, its overseas forces, or allied/coalition nations; hostile reactions to U.S. reconnaissance activities; terrorists' attacks; and other similar events.

E2.1.21. Information Assurance Red Teaming. An independent, threat-based [activity aimed at] improving information assurance readiness by emulating a potential [adversary's] exploitation capabilities. See also Red Team.

E2.1.22. Information Assurance Vulnerability Alert (IAVA). The comprehensive distribution process for notifying CINCs, Services, and Agencies (C/S/A) about vulnerability alerts and countermeasures information. The IAVA process requires C/S/A receipt acknowledgment and provides specific time parameters for implementing appropriate countermeasures depending on the criticality of the vulnerability.

E2.1.23. Information Operations Condition (INFOCON). The INFOCON is a defense posture and response based on the status of [...] intelligence assessments of adversary capabilities and intent. [It is a] structured, coordinated approach to defend against a computer network attack. [INFOCON] measures focus on computer network-based protective measures, [with the] posture based on the risk of impact to military operations [through] friendly information systems. INFOCON levels are: NORMAL (normal activity); ALPHA (increased risk of attack); BRAVO (specific risk of [attack]); [...]; and DELTA (general attack). Countermeasures at [each level include ...], [actions] during an attack, and damage control/mitigating actions.

E2.1.24. Information System. The entire infrastructure, organization, personnel, and components for the collection, processing, storage, transmission, display, dissemination, and disposition of information. For the purposes of this Directive, it is an information system that has been separately accredited by a DAA under provisions of DoD Instruction 5200.40 (reference (d)).

E2.1.25. National Infrastructure Protection Center (NIPC). The NIPC is both a national security and law enforcement effort to detect, deter, assess, warn of, respond to, and investigate computer intrusions and unlawful acts, both physical and cyber, that threaten or target our critical infrastructures. The NIPC provides a national focal point for gathering information on threats to critical infrastructures. Additionally, the NIPC will provide the principal means for facilitating and coordinating the Federal Government's resources to an incident or mitigating an attack.

E2.1.26. Network Operations (NETOPS). An organizational and procedural framework intended to provide DoD information system and computer network owners the means to manage their information systems and computer networks. This framework allows information system and computer network owners to effectively execute their mission priorities, support DoD missions, and maintain their information systems and computer networks. This framework integrates the mission areas of network management, information dissemination management, and information assurance.

E2.1.27. Red Team. An independent, threat-based activity aimed at readiness improvements through simulation of an opposing force. Red teaming activity includes becoming knowledgeable of a target system, matching an adversary's approach, gathering appropriate tools to attack the system, training, launching an attack, then working with system owners to demonstrate vulnerabilities and suggest countermeasures. See Information Assurance Red Teaming.

E2.1.28. Special Enclave. DoD information systems and/or computer networks with special security requirements (e.g., Special Access Programs (SAP), Special Access Requirements (SAR)) and designated as Special Enclave by the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence.

E2.1.29. Vulnerability Analysis and Assessment. In information operations, a systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.

E3. ENCLOSURE 3
COMPUTER NETWORK DEFENSE (CND) CONCEPT

E3.1. INTRODUCTION

E3.1.1. This Enclosure provides a general overview of the DoD operational [concept for] Computer Network Defense and its relationship to national initiatives, proposed processes, activities, and organizations, describing CND and the CND Operational Hierarchy. CND Services and CND Support Functions are described in greater detail at enclosures 4 and 5.

E3.1.2. Within the Department of Defense, Computer Network Defense has [become a] distinct mission with a dedicated professional workforce and organizational [structure]. [The] Department of Defense has designated the USCINCSPACE as the military lead for CND operations and is developing a standard suite of CND Services that can be [applied to] DoD information systems and computer networks. The USCINCSPACE [provides] coordination and direction for CND Services; however, all DoD Components have the responsibility to ensure their information systems and networks are defended. The DoD Components must establish a Component-level CND capability [responsive to] the USCINCSPACE and support the USCINCSPACE in the conduct of Defense-wide CND operations. Additionally, all DoD Components must actively contribute to the continued definition and maturation of an evolving mission area that employs or is employed by six interrelated capabilities: Information Assurance, Network Operations, Information Operations, Critical Infrastructure Protection, Law Enforcement, and Counterintelligence.

E3.1.3. CND Services are the actions taken to protect, monitor, analyze, detect, and respond to unauthorized activity within DoD information systems and computer networks. While CND Services are normally provided by Computer Emergency or Incident Response Team (CERT/CIRT) organizations, the terms are not synonymous. CNDS does not include some services normally provided by a CERT/CIRT (e.g., recovery of a computer system's [...] software incompatibility is a traditional CERT function but not a CNDS, since it is not unauthorized activity).

E3.1.3.1. CND Protection includes the management of the Department of Defense's Information Operations Conditions system and deliberate actions taken to modify an information system or computer network configuration or assurance posture in response to a CND alert or threat information. It also includes support for activities such as the Information Assurance Vulnerability Alert system, vulnerability analysis and assessments, and Information [Assurance] and CND education, training, and awareness.

E3.1.3.2. CND Monitoring, analysis, and detection actions provide CND awareness, attack sensing and warning, and indications and warning. Multiple [disciplines within] the Department of Defense (e.g., network operations, CND Services, intelligence, counterintelligence, and law enforcement) contribute to situational awareness. [Attack sensing and] warning (AS&W) includes a managed network of intrusion, misuse, and [anomaly detection] systems supporting data fusion and [analysis], and warning communications networks. Indications and warning, by contrast, senses changes in [...]. [The intelligence] community provides indications and warning for foreign threats (nation states and transnational groups). The law enforcement community provides threat [...] (individuals and groups), and the counterintelligence community [provides] support [...] (nation states, transnational groups, and insiders).

E3.1.3.3. CND Response actions are governed by the authorities that define unauthorized activity (figure E3.F1).

Figure E3.F1. Authorities Governing Activity within DoD Information Systems and Computer Networks

  Authority          | Examples of Unauthorized Activity                                                                                        | Examples of Response Actions
  [not legible]      | Violation of Department or system owner security policy                                                                  | Revocation or suspension of system access or privileges
  Legal              | Intrusion; Denial of Service; Theft; System Vandalism or Destruction; Espionage; Coordinated attack; Coordinated exploitation | Investigation; Prosecution
  National Security  | System Destruction; Espionage; Coordinated attack; Coordinated exploitation                                                | The application of national economic, military, and/or diplomatic power to defeat or deter

E3.1.4. CND Support Functions include:

E3.1.4.1. Means to address CND Services for information systems and networks with special security requirements (General Service/Special Enclave Designation);

E3.1.4.2. A CND Services certification and accreditation process to ensure [CNDS] development, improvement, and performance measurement;

E3.1.4.3. CND Architecture, program management of CND research and technology; and

E3.1.4.4. CND-related systems integration.

E3.1.5. The Strategic Environment, CND Services, and CND Support [Functions] are enumerated and illustrated in the CND overview below (figure E3.F2). The CND Operational Hierarchy will be addressed separately in section E3.3.

Figure E3.F2. Overview of Computer Network Defense (panels include CND Support Functions)

E3.2. THE STRATEGIC ENVIRONMENT

E3.2.1. Information Assurance (IA) addresses information availability, integrity, confidentiality, identification and authentication, and non-repudiation across the information technology life cycle. It does this by evaluating and integrating information assurance in Readiness; Policy; Research and Technology; Architectural Standards and System Transformation; Acquisition Support and Product Development; Human Resources Management; and Network Operations. Network Operations integrates Network Management, Information Dissemination Management, and IA.

Figure E3.F3. Information Assurance Across the IT Life Cycle and CND as an Element of Network Operations

E3.2.2. Effective CND is predicated upon a robust Information Assurance posture; however, all policies, standards, technologies, and practices that apply across the IT life cycle and contribute to that posture are not managed as part of CND.

E3.2.3. Network Operations (NETOPS), as illustrated in the pulldown in Figure E3.F3, is an emerging management framework that addresses the relationships [among] Network Management, Information Dissemination Management, and Information Assurance. Information Assurance provides the link between information operations and network operations (figure E3.F4).

Figure E3.F4. Information Assurance as the Link between Information Operations and NETOPS

E3.2.4. Information Operations is distinguished from Information Assurance in that it does not apply to the entire information systems life cycle. Rather, it represents operations that employ CND with other activities such as military deception, psychological operations, and electronic warfare to affect or defend information and information systems and contribute to achieving information superiority (figure E3.F4).

E3.2.5. Computer Network Defense contributes to information superiority by providing:

E3.2.5.1. Situational awareness of computer network defense information [...] exchange within DoD information systems and computer networks; and

E3.2.5.2. An integrated operational capability to protect, monitor, analyze, [detect,] and respond to unauthorized activity within DoD information systems and computer networks.

Figure E3.F5. The U.S. Government's Critical Infrastructure Protection Structure

E3.2.6. Critical Infrastructure Protection (CIP) is an overarching national policy [set forth in] Presidential Decision Directive 63, which seeks to assure continuity and vitality in critical national infrastructures, including both physical and cyber-based systems and their associated information and communications infrastructures. CIP is related to Information Assurance in that it applies to the entire life cycle of infrastructure systems, and to Information Operations in that it provides an operational strategy for the protection of vital national and defense infrastructure. The DoD CND operational hierarchy, represented in the national plan for information systems protection ("Defending America's Cyberspace: National Plan for Information Systems Protection," reference (h)) by the Joint Task Force-Computer Network Defense (JTF-CND) and described in section E3.3 of this enclosure, is an element of the U.S. Government's critical systems protection capabilities, as are the National Infrastructure Protection Center (NIPC), the Federal Computer Incident Response Center (FedCIRC), and the National Security Incident Response Center (NSIRC) (figure E3.F5).

E3.2.7. Law Enforcement and Counterintelligence (LE/CI) are critical contributors to a viable CND capability, providing the mechanisms to establish attribution for and respond to illegal activity within DoD information systems and computer networks. The DoD Computer Forensics Laboratory and the DoD Computer Investigations Training Program support the LE/CI communities in all computer-related forensics and investigations. [The] CND LE/CI Center provides Defense-wide coordination of CND related investigations [and] operations. The CND LE/CI Center supports operational decision making by [coordinating] CND related investigations and operations that cross the DoD Component or Department/Agency bounds and contributing law enforcement and counterintelligence generated information to a CND Common Operational Picture (COP). All of [the] Defense Criminal Investigative Organizations (DCIO) exchange CND related information [with the] LE/CI Center; the LE/CI Center maintains an information system to provide information input to the CND COP and to support the operational needs [...].

E3.3. THE DOD CND OPERATIONAL HIERARCHY

E3.3.1. The CND environment is characterized by escalating national requirements [...] and increasing reliance on information and information [exchange, rapid technological] change, and a dynamic threat environment. The Department of [Defense requires a CND capability] that can quickly adapt to near-term changes and continuously [...] and technology trends. Additionally, the Department of [Defense requires a structure that] unites all Components under the coordination and [direction of USCINCSPACE] to conduct multi-Component and Defense-wide CND operations.

E3.3.2. To achieve such a capability, the DoD CND operational hierarchy integrates a traditional military command and control structure with a more dynamic and less formal coordination structure. This unique structure is organized into three tiers in order to:

E3.3.2.1. Ensure that all DoD information systems and computer networks are provided CND Services (CNDS). All information systems and computer networks must enter into a service relationship with a CNDS provider. Arranging for this service is the responsibility of the system or network owner.

E3.3.2.2. Permit DoD Components organizational discretion in [the provision of CND] Services. Except where clearly impractical, the DoD Components must [establish a] Component-level CNDS capability. The DoD Components may also [use CND] Services offered by other DoD Components when those CND [Services] meet CNDS requirements (e.g., for activities collocated with [...]). Accordingly, CNDS for a given Component may be [...]. Whether Components opt to establish more than [one CNDS provider ...], DoD Components [designate] a primary CNDS provider [responsible for] Component-wide situational [awareness ...]; providers that are not designated as the [primary ...] providers [...] and follow the direction of [...] of Component CNDS Providers.

E3.3.2.3. Ensure that all CNDS providers have continuous information exchange and work together in synchrony (i.e., simultaneously execute a single prescribed Course of Action (COA)), and that at any given time a new COA can override the existing one. Coordination among CNDS providers is primarily effected through the CNDS Certification Authorities (CNDS/CAs) on behalf and under the direction of the USCINCSPACE. All CNDS providers are required to comply with the guidance and direction of the USCINCSPACE and enter into a service relationship with a CNDS/CA. The CNDS/CAs perform four interrelated functions:

E3.3.2.3.1. Technical and analytic support to the USCINCSPACE;

E3.3.2.3.2. Technical and analytic support to the serviced CNDS provider;

E3.3.2.3.3. Dynamic information exchange among the serviced CNDS providers; and

E3.3.2.3.4. Management and implementation of the CNDS certification and accreditation process further described in enclosure 4 of this Instruction.

E3.3.2.4. Provide specialized Defense-wide services:

E3.3.2.4.1. The National Security Incident Response Center (NSIRC) provides overall focus and coordination for Attack Sensing and Warning and provides specialized analysis for discovery of
Defense-wide and long term patterns E3 3 2 4 2 The CND LE CI Center coordinates CND investigations and perations among the DoD Components functions as integrated information exchange and operat nal interface between the DoD Components and USCINCSPACE and serves as the primal interface between DoD and the NIPC for CND related LE CI issues E3 3 2 5 Permit the DoD Component CND elements to remain distributed heterogeneous and autonomous while providing for dynamic command and control E3 3 2 The USCINCSPACE provides leadership and direction for the organizatic and evolution of the operational hierarchy which is summarized in figure E3 F6 20 FOR OFFICIAL USE ONLY March 9 2001 Tier 1 2 Description Provides DoD-wide CND operational direction or support to all DoD Components Centrally coordinates and or directs CND operations that impact more than one DoD Component Provides Defense-wide situational awareness and attack sensing and warning through fusion analysis and coordinated information flows Supports Component situational awareness and attack sensing and warning Coordinates CND related LE CI investigations and operations that cross DoD Component or Federal Department Agency bounds Coordinates development of baseline CND and supporting IA Education Training and Awareness curriculum and products Responds to direction from Tier One Provides DoD Component-wide operational direction or support Provides DoD Component situational awareness and attack sensing and warning and supports Tier 1 situational awareness and attack sensing and warning through coordinated reporting and information flows Responds to direction from servicing Tier Two CNDS Supports Tier 2 situational awareness and attack sensing and warning through coordinated reporting and information flows Organizatic USCINCSP CND Servic Authorities NSDRC CND LE C FOR OFFICIAL USE ONLY CE Certification NDSICA Center CNDS prov ers designated by Heads of Cc lponents to coordinate mponent-wide CND Local contrc manage anc 
information and service fixed at Do1 Figure E3 F6 DoD CND Operational Hierarchy 21 a l Entities centers that ontrol ystems networks either deployed or Installations DoDI 0-8530 2 March 9 2001 E4 ENCLOSURE 4 COMPUTER NETWORK DEFENSE CND SERVICES E4 1 INTRODUCTION E4 1 1 This Enclosure describes CND Services their composition and the tiers in the DoD CND Operational Hierarchy see Enclosure 3 that provide Figure E4 F1 CND Services 1 i E4 1 2 CND Services are a standard certified continuously measured suite f services that are organized along the Protect Monitor Analyze Detect and Respond parad gm as illustrated in figure E4 Fl Defense-wide services are planned coordinated and irected by Tier 1 Component-wide services are planned coordinated directed and implemente by Tier 2 Local services are planned and implemented by Tier 3 See enclosure 3 for a dis ussion of the CND tiers E4 2 CND PROTECT SERVICES E4 2 1 Information Operations Conditions INFOCON are intended to lower defensive posture to respond to unauthorized activity e g computer computer network exploitation system misuse and to mitigate potential information systems and computer networks E4 2 1 1 Tier 1 The USCINCSPACE is the authority for changes in INFOCON level and is the administrator of the INFOCON changed by Tier 2 or Tier 3 level authorities to a level more USCINCSPACE E4 2 1 2 Tier 2 CNDS providers support the INFOCON system by 1 1 E4 2 1 2 1 Maintaining INFOCON implementing INFOCON chang s and complying with USCINCSPACE reporting requirements FOR OFFICIAL USE ONLY DoDI 0-8530 2 i f arch 9 2001 E4 2 1 2 2 Monitoring the current INFOCON and providing informatio and recommendations to the USCINCSPACE and serviced Components E4 2 1 2 3 Monitoring Tier 3 compliance with changes in INFOCON a d advising the USCINCSPACE and serviced Components regarding compliance status and iss es related to compliance E4 2 1 2 4 Supporting serviced Components in assessing the impact of changes on missions and operations E4 
2 1 2 5 In coordination with the USCINCSPACE serviced Compo serviced Tier 3 entities continuously improving the INFOCON definitions and 4 E4 2 1 2 6 Supporting Component INFOCON system extensions as re uired I E4 2 1 3 Tier 3 entities support INFOCON by implementing INFOCON ch nges and complying with INFOCON reporting requirements E4 2 2 The Information Assurance Vulnerability Alert IAVA process is a system that provides a Defense-wide mechanism to ensure all entities are identified system vulnerabilities and deficiencies and receive and corrective measures While IAVA is a traditional Information essential to CND as a primary means of improving the CND and computer networks DoD Components may establish a disseminating this type of information as long as there is notification IAVA is a reserved term used for policy and guidance for the DoD IAVA process E4 2 2 1 Tier 1 The USCINCSPACE is the DoD monitor for IAVA assessing impact on defense of DoD computer networks USCINCSPACE direct actions in response to IAVA non-compliance that impacts defense of networks The IAVA system is managed by the Defense Information IAVAs are initiated by DISA and monitored by the CNDSICAs E4 2 2 2 Tier 2 CNDS providers support the IAVA process by I E4 2 2 2 1 Monitoring the implementation of all IAVAs and providing echnical assistance to Tier 3 as required E4 2 2 2 2 Deconflicting Component-specific and information system-s guidance with IAVAs as required E4 2 2 2 3 Providing technical support to serviced Components in the dissemination and management of Component vulnerability guidance E4 2 2 2 4 IdentifLing system vulnerabilities or threats to the CNDSIC inclusion in IAVAs E4 2 2 2 5 Providing feedback to the CNDSICAs for improvement o f t system and process 23 FOR OFFICIAL USE ONLY 4 1 DoDI 0-8530 2 M rch 9 2001 E4 2 2 3 Tier 3 entities support IAVAs by implementing all IAVAs and comp ying with IAVA reporting requirements E4 2 3 Vulnerability Analysis and Assessments VAA for DoD 
information computer networks originate from a number of programs systems and typically differ according to the systems and networks included the and the methodologies employed the targeted recipients of the themselves While VAA is a traditional IA activity it is measuring the CND posture of DoD information comprehensive view of VAA activity within the E4 2 3 l Tier 1 The USCINCSPACE is the authority for the decontliction Red Teaming see succeeding paragraph with CND operations and may direct progress or planned VAAs that may negatively impact CND operations The VAAs by ii E4 2 3 1 1 Establishing and implementing a Defense-wide process for V notification reporting and coordination E4 2 3 1 2 Identieing Defense-wide VAA programs and schedules and as their impact to CND operations E4 2 3 1 3 Coordinating with VAA providers to incorporate CND issues requirements 1 d I E4 2 3 1 4 Incorporating VAA results into the CND certification and accr process and other CND support activities E4 2 3 2 Tier 2 CNDS providers support VAAs by E4 2 3 2 l Supporting serviced Components and Tier 3 cataloging VAAs that may be performed within the serviced area and by whom related programs such as Critical Infrastructure Protection Information Enforcement and Counterintelligence VAAs as well as IA VAAs E4 2 3 2 2 Assessing the potential impact of VAAs to CND situational and operations and coordinating or directing changes to in-progress or planned negatively impact CND operations E4 2 3 2 3 Supporting serviced Components and Tier 3 entities in the of Defense-wide VAA notification and reporting requirements E4 2 3 2 4 Supporting serviced Components in the establishment and imp of Component-specific VAA notification reporting and coordination requirements E4 2 3 2 5 Supporting serviced Components and Tier 3 entities in an asse the potential impact of each VAA to military or support operations 24 FOR OFFICIAL USE ONLY DoDI 0-8530 2 1 arch 9 2001 E4 2 3 2 6 Working with VAA providers to 
incorporate CND related re for information collection and performance measurement E4 2 3 2 7 In coordination with the USCINCSPACE identifjmg require and supporting VAAs directed at CND-related systems E4 2 3 2 8 Providing feedback to and incorporating VAA lessons learned into the INFOCON system the IAVA system IA Education Training and Awareness the certification and accreditation process and the Information Assurance Components E4 2 3 3 Tier 3 entities support VAAs by complying with Tier 1 and Tier 2 regarding the deconfliction of VAAs with CND and by complying with VAA reporting and coordination requirements 1 E4 2 4 Red Teaming is essential to gauge the state of CND operational readines of the DoD Components and the networks that sustain their operations This activity is hndame tally different than the VAA in that it is an independent and threat based activity that simu ates an opposing force and is focused on readiness improvements Red Team support is avai able from NSA and may be available at the DoD Component level Red Teams emulate the capabilities and methods of an adversarial force against DoD information systems including systems -mder development Red Teams are requested at the system owner's or developer's request and based on a defined scenario Red Teams become knowledgeable of the target system s match their approach to the adversary threat environment for the target gather appropriate tools to attack the system and train to effect the attack The Red Team then deploys to launch the assa- lt documenting the vulnerabilities and suggesting countermeasures Red Teams work closely with system owners demonstrating how the attacks were run and how owners can protect their systems Red Teams provide an accurate assessment on which system owners and developers can make coherent risk management decisions concerning their information systems networks and supporting infrastructure E4 2 4 1 Red Teaming activities like VAAs originate from a number of pr systems and 
organizations while conforming to a DoD standard methodology originate from a number of sources impact situational awareness negatively posture of the targeted information systems and computer networks during the improvement of information assurance and computer network defense item of interest to CND operations E4 2 4 2 Tier 1 The USCINCSPACE is the authority for deconflicting activity with CND operations and may direct changes to in-progress or planned activities that may negatively impact CND operations The National Security responsible for the establishment and maintenance of a trusted agent network the reporting of Red Teaming activities and for tracking Red Team and VAA of Special Enclaves DISA is responsible for tracking Red Team and VAA General Service Enclaves The DoD Component initiating Red Team coordination with affected parties and obtaining necessary 25 FOR OFFICIAL USE ONLY DoDI 0-8530 2 March 2001 E4 2 4 3 Tier 2 CNDS providers support Red Teaming much the same way they upport VAAs E4 2 4 3 1 Supporting serviced Components and Tier 3 entities in the implem ntation of Defense-wide Red Teaming notification and reporting requirements E4 2 4 3 2 Assessing the potential impact of Red Teaming activities to CND situational awareness and operations and coordinating or directing changes to in-progress lr planned activities that may negatively impact CND operations E4 2 4 3 3 Supporting serviced Components in the establishment and implem Itation of Component-specificRed Teaming notification reporting and coordination requiremen E4 2 4 3 4 Supporting serviced Components and Tier 3 entities in an assessm nt of the potential impact of each Red Teaming activity to military or support operations E4 2 4 3 5 Working with Red Teams to incorporate CND related requiremen for information collection and performance measurement E4 2 4 3 6 In coordination with the USCINCSPACE identifjmg requiremeni for and supporting Red Teaming activities directed at CND operations E4 2 4 
3 7 Providing feedback to and incorporating Red Teaming lessons lea led into the INFOCON system the IAVA system IA Education Training and Awareness prc grams the certification and accreditation process and the Information Assurance programs of sei iced Components E4 2 4 4 Tier 3 entities support Red Teaming by complying with Tier 1 and Tier direction regarding the deconfliction of Red Teaming activities with CND and by complyi g with Red Teaming notification reporting and coordination requirements E4 2 5 Information Assurance Education Training and Awareness IA ETA forms 1e basis for a robust CND capability IA ETA also provides the means to coordinate a consi ent level of knowledge across DoD Components IA ETA like the VAA process is highly decentralized E4 2 5 l Tier 1 The USCINCSPACE is the DoD advocate for IA ETA as it rela s to CND The Certification Authorities must develop a coordinated curriculum for CND edu ation training awareness professionalization and ensure the implementation of the curriculum throughout the CNDS certification and accreditation process E4 2 5 2 Tier 2 CNDS providers support IA ETA by E4 2 5 2 1 Working with Tier 3 serviced entities and serviced Components tc identi@ their CND-specific IA ETA requirements 26 FOR OFFICIAL USE ONLY DoDI 0-8530 2 M arch 9 2001 b E4 2 5 2 2 Supporting the serviced Components as required in the esta lishrnent and management of IA ETA tracking systems iI E4 2 5 2 3 Working within the CND operational hierarchy and with the program managers of the DoD Computer Forensics Laboratory and DoD Computer Investig tions Training Program to identifl CND specific education training and awareness requi ements for CNDS providers and with the CNDS Certification Authorities to ensure that they ar incorporated into the CNDS Certification and Accreditation Program E4 2 5 2 4 Working with ETA providers to incorporate CND requirem nts and objectives into ETA curricula and courseware and providing technical support in co rse 
development E4 2 5 2 5 Working within the CND operational hierarchy and with se Components to determine requirements for a shared synthetic training and iI E4 2 5 2 6 Provide CND ETA requirements to Tier 1 to insure a coord nated CND curriculum is developed E4 2 5 3 Tier 3 entities support IA ETA by E4 2 5 3 1 Identifling Component level IA ETA requirements I E4 2 5 3 2 Complying with Tier 1 and Tier 2 requirements and guidanc E4 3 CND MONITOR ANALYZE and DETECT SERVICES E4 3 1 Situational awareness is the key to effective CND A capability is mandated by the highly interconnected nature of the computer networks the degree to which they share risk and the coordination and requirements of response efforts Situational awareness is enabled by an information systems that collectively support and comprise a Common COP E4 3 1 1 Constructing a COP is a top down and a bottom up endeavor A operational picture is required that is both Defense-wide and tailored to a makers in a dynamic command and control construct Managing and collecting for a dynamic environment is inherently complex Many factors contribute to example i E4 3 1 1 1 The optimum set of data elements is inherently dynamic ch nging as the computer network environment the DoD operational environment and the threat c ange as the DoD CND capability matures and as technology evolves to support CND Additio ally the optimum subset for decision support changes as control shifts up and down the ope ational hierarchy E4 3 1 1 2 Both the optimal and the obtainable refresh rates for the elements are inherently dynamic Each rate is continuously moving toward real 27 FOR OFFICIAL USE ONLY ch 9 2001 constrained by the rates of the set itself in that extremely disparate refresh rates among individual data elements can distort or falsify the resulting hsed picture E4 3 1 2 The major Components ofthe CND COP are E4 3 1 2 1 A shared picture of the DoD global information and computinj and the military and business operations they 
supports to include notice of any impenc changes in configuration capacity utilization assurance posture user priorities or cri support for military operations An understanding and visualization of these global sy required for all Network Operations elements - network management information dis management and information assurance - therefore the development and maintenance network operational picture is not the exclusive responsibility of CND Rather the Cl incorporates and builds upon the operational picture of the DoD global network COP common to all Network Operations elements networks ng cality of ems is mination of the D COP mat is E4 3 1 2 2 A shared picture of the threat developed from all sources Thc e sources include foreign intelligence Federal law enforcement National counterintelligence DE ense law enforcement Defense counterintelligence other security sources private sector infiasl ucture service and computer emergency response providers and and other open sources E 0 12333 reference i applies to both DoD and non-DoD intelligence and counterintelligence 1 nits DoD Directive 5240 1 reference j and DoD 5240 1-R reference k govern the activitie of all DoD intelligence units and non-intelligence units performing intelligence activities 8 E4 3 1 2 3 A shared picture of CND operations e g effective INFOCO levels and status of compliance status and compliance of IAVAs schedule and status of VAAs tatus of CND COA development and execution as well as impending changes to CND service E4 3 1 3 In addition to a Defense-wide shared picture the COP seeks to enal e contributing communities by promoting community specific COPs Communities m Y be organizational e g DoD Component or hnctional e g the Defense Law Enforcemc lt community The community specific COPs are intended to E4 3 1 3 1 Provide the ability to collect organize process manage and d iseminate CND related information within the community at a level of detail greater than the C 5 1 COP E4 3 1 3 2 Support 
the development and improvement of standard proce ies for community support to CND E4 3 1 3 3 Support the standardization and availability of information req ired for the DoD CND COP E4 3 1 4 Tier 1 The USCINCSPACE establishes CND requirements for the ND COP The certification authorities maintain common Defense-wide aspects of the COP by E4 3 1 4 1 Contributing Component and relevant hnctional CND informi tion to the COP 28 FOR OFFICIAL USE ONLY DoDI 0-8530 2 M a r k 9 2001 E4 3 1 4 2 Coordinating informational needs with Tier 2 entities to ensure a Defensewide CND COP E4 3 1 4 3 Assisting Tier 2 entities to meet reporting and information input requirements E4 3 1 5 Tier 2 CNDS providers support situational awareness by E4 3 1 5 1 Working with and supporting the CND Architect and the CND Integrator to identify requirements and to develop deploy and maintain information E4 3 1 5 2 Working with serviced Tier 3 entities and Components to ensureithat CND COP information is timely and accurate t E4 3 1 5 3 Working with serviced Components to identify Component-uniq e requirements and support their development deployment and maintenance E4 3 1 5 4 Assisting Tier 3 entities to meet reporting and information input requirements I E4 3 1 6 Tier 3 supports situational awareness by complying with reporting req irements and providing information inputs to the COP E4 3 2 Indications and Warning I W is defined as those intelligence activities intdnded to detect and report time-sensitive intelligence information on foreign involve a threat to the United States or allied coalition military to U S citizens abroad It includes forewarning of enemy hostilities insurgency nuclearlnon-nuclear attack on the United States its overseas allied coalition nations hostile reactions to U S reconnaissance activities terrorists' other similar events E4 3 2 1 Tier 1 The USCINCSPACE provides the Intelligence priority intelligence requirements PIR and indications and warning attacks against DoD 
information systems and computer networks Agency DIA coordinates IC support to the USCINCSPACE E4 3 2 2 Tier 2 DoD Components provide PIR input to the USCINCSPACE coordination with the USCINCSPACE and DIA determine direct intelligence support t CNDS providers E4 3 2 3 Tier 3 implements Tier 1 and Tier 2 direction i E4 3 3 Attack sensing and warning AS W is defined as the detection correlatio identification and characterization of intentional unauthorized activity including comput r intrusion or attack across a large spectrum coupled with the notification to command a d decision makers so that an appropriate response can be developed Attack sensing and arning also includes attacklintrusion related intelligence collection tasking and dissemination li 'ted immediate response recommendations and limited potential impact assessments 29 FOR OFFICIAL USE ONLY h r DoDI 0-8530 2 Marc 9 2001 E4 3 3 1 AS W focuses not only on actual intrusions or misuse but also prepar tory actions or preliminary network conditions that signifl that an incident is likely is planne or is under way This service is supported by both intelligence and counterintelligence indicat ons and warning of foreign or foreign-sponsored developments and law enforcement products re arding domestic criminal activity Information system and computer network owners and opera ors are the most likely detectors of changes in network state and must therefore be considered partners in the AS W process 4 E4 3 3 2 Attack sensing and warning and situational awareness are inextricably l'nked The complexity of constructing a COP is complicated by the requirement to optimize C P data collection and exchange requirements with AS W requirements Like the COP an inte rated AS W system must conform to the construct and operating principles of the CND hierarchy It must permit control to dynamically shift from tier to tier be common repository of information and enable the establishment of specific supporting repositories E4 3 3 3 
AS W requires an in-depth understanding of vulnerabilities in informadion technologies and of intrusion or computer attack strategies that can exploit these The innovative fusion of traditional intelligence information with systems and and reporting information is essential for effective AS W specially developed exploitation tools can uncover intrusion may be overlooked by other analysis Operational analysis of network mapping and net reconstruction the analysis of and bit stream analysis I E4 3 3 4 The results of time-sensitive CND and the correlation fusion and tech al analysis of incidents intrusions and events requires automatic transfer of alerts advisori s threat reports and response recommendations Formal reporting procedures and formats are n cessary to exchange raw and processed information on detected intrusions and to deliver timely nd effective warning and response coordination products AS W is comprised of the follo 1 E4 3 3 4 1 The CND Sensor Grid a coordinated constellation of intrusion and anomaly detection systems deployed throughout the DoD global networks T' suse E4 3 3 4 2 Data repositories or warehouses that archive data from the Sens and other sources in order to support long term analysis diagnostics and pattern supporting tools and techniques E4 3 3 4 3 AS W analysts E4 3 3 4 4 Procedures and communication channels for warning I E4 3 3 4 5 A research and engineering Component for continuous technolo ical and analytical advancement E4 3 3 5 The CND Sensor Grid and the Tier 3 entities comprise the foundation iof the Department's AS W capability and are key contributors to situational awareness altho 30 FOR OFFICIAL USE ONLY Th 1 DoDI 0-8530 March 9 2001 I neither is dedicated to CND As technologies converge and the Sensor Grid mat es it will continue to expand in hnctionality toward a true Network Operations Sensor Gri enabling for example Network Management capacity and performance management functions and Security Management identification 
and authentication functions For CND the Sensor id provides the ability to I E4 3 3 5 1 Enable an operational capability throughout the DoD glob 1 networks E4 3 3 5 2 View network and system activity in real-time E4 3 3 5 3 Discover detect and guide further investigation E4 3 3 5 4 Identifl unauthorized activity and engage and control it in real-time to include some near-real-time automated response 1 E4 3 3 5 5 Analyze current activity in view of past activity in order t identifl larger trends and problems E4 3 3 5 6 Collect information to support AS W an analytic service that builds 1 upon intrusion misuse and anomaly detection E4 3 3 5 7 Collect information to support continued intrusion misus and anomaly detection and AS W research 2 E4 3 3 6 Tier 1 The USCINCSPACE establishes requirements and dire ion for AS W as part of its responsibilities for the National Security Incident Program as define in NSTISSD 503 reference 1 The NSIRC facilitates AS W cooperation and coordination CND operational hierarchy and it provides additional support to the Department i E4 3 3 6 1 Provide direct support to the USCINCSPACE for AS rT E4 3 3 6 2 Provide specialized analysis for discovery of Defense-wid and long term patterns ce E4 3 3 6 3 Provide overall focus and coordination for the AS W se E4 3 3 7 Tier 2 CNDS providers support AS W by E4 3 3 7 1 Working with and supporting the CND Architect and the Integrator to identifl requirements and to develop deploy and maintain informat E4 3 3 7 2 Working with the CND Research and Technology Progra develop and evaluate emerging AS W technologies I E4 3 3 7 3 Conducting or supporting AS W in accordance with Tie 1 established agreements standards and protocols 31 FOR OFFICIAL USE ONLY DoDI 0-8530 2 Ma ch 9 2001 E4 3 3 7 4 Working with serviced Tier 3 entities and Components to ensur CND AS W information is timely and accurate E4 3 3 7 5 Working with Serviced Components to identifl Component-u requirements and support their development 
deployment and maintenance E4 4 CND RESPONSE SERVICES P Course E4 4 1 The USCINCSPACE is responsible for managing the DoD process for C of Action COA development and execution and developing supporting documentatio e g doctrine tactics techniques and procedures OPLANs and CONPLANs E4 4 2 Tier 2 CNDS providers support CND COA development and execution by I E4 4 2 1 Supporting Tier 1 in COA development t E4 4 2 2 Following the operational direction of Tier 1 for COA execution and executing CND COAs in accordance with Tier 1 established doctrine tactics techniques and pro edures i E4 4 2 3 Working with serviced Tier 3 entities and Components to ensure effe tive lines of command control communication and coordination I E4 4 2 4 Worlung with serviced Tier 3 entities and Components to ensure thati information supporting COA development and execution is timely and accurate E4 4 2 5 Working with serviced Components to identifl Component requirem ensure their incorporation in COAs i E4 4 3 Tier 3 entities follow the operational direction of Tier 2 for COA develop ent and execution 32 FOR OFFICIAL USE ONLY DoDI 0-8530 2 MJch 9 2001 E5 ENCLOSURE 5 COMPUTER NETWORK DEFENSE CND SUPPORT FUNCTICINS E5 1 INTRODUCTION I E5 1 1 This Enclosure describes the activities that provided essential support to th DoD CND Operational Hierarchy see enclosure 3 and CND Services see enclosure 4 E5 1 2 CND Support Functions assist in managing special services and development within the CND community The CND Support Functions aid program management and oversight of CND capabilities on a Functions program management is established through Services standardization of common security framework and oversight of CND research and technology R T initiatives E5 2 SPECIAL ENCLAVEIGENERAL SERVICE DESIGNATION i For the purposes of CND all DoD information systems and computer networks are la eled as either General Service or Special Enclave CND Services CNDS must be certified a d provided at one of these two 
security levels. Special Enclave systems and networks are those designated by the ASD(C3I) as requiring special security. Any information system or computer network not designated as Special Enclave is considered General Service. Special Enclave systems and networks shall be assigned to CNDS providers that are certified for Special Enclave CNDS. The CND Architect manages the Special Enclave designation process.

E5.3. CND ARCHITECT

E5.3.1. The CND Architect oversees and coordinates Defense-wide CND activities related to the design and development of systems supporting the CND Common Operational Picture (COP), the CND sensor grid, the deconfliction and integration activities of the CND Research and Technology (R&T) program, and the establishment and certification of CNDS. The CND Architect ensures that CND requirements are incorporated into the DoD C4ISR Architecture Framework (reference (b)) and the Joint Technical Architecture (reference (c)).

E5.3.2. The CND Architect facilitates the development of the CND aspects of the operational, systems and technical architecture views. Heads of Components have a responsibility to ensure that ALL their information systems and computer networks are provided support by certified CNDS providers and that ALL Component-established CND Services are certified and accredited. The CND Architect interacts with all Components to ensure that these responsibilities are met. Components ensure compliance by:

E5.3.2.1. Maintaining a master inventory of Component information systems and computer networks, defined as those systems and networks separately accredited in accordance with DoD Instruction 5200.40 (reference (d)).

E5.3.2.2. Developing a CND architecture to facilitate both CND policy and requirements generation, development and acquisition, Planning, Programming and Budgeting System activities, force structure and force management activities, and operational process improvement.

E5.3.2.3. Ensuring that Special Enclave systems and networks are so designated.

E5.3.2.4. Ensuring that all Component information systems and computer networks are supported by a certified CNDS provider and that such support is established as a condition of system accreditation in accordance with DoD Instruction 5200.40 (reference (d)).

E5.3.2.5. Tracking the certification and accreditation of all Component-established CNDS providers.

E5.3.2.6. Providing guidance and oversight regarding arrangements with non-Component CNDS providers.

E5.3.3. In addition to maintaining an operational view of CND for Component compliance with the DoD C4ISR Architecture Framework (reference (b)), the CND Architect works with the Components to coordinate CND-related system requirements and Component compliance with the Joint Technical Architecture (reference (c)). The CND Architect works with Components to ensure that they:

E5.3.3.1. Establish Component requirements for the COP.

E5.3.3.2. Track and comply with Component responsibilities and efforts toward the development of information systems or databases supporting Defense-wide CND.

E5.3.3.3. Track Component sensor grid requirements and implementation.

E5.3.3.4. Respond to requests for information from the CND Architect and CND Architect-sponsored activities.

E5.3.3.5. Support Defense-wide Information Assurance Program (DIAP) planning and programming integration activities relative to CND.

E5.3.4. The CND Architect provides oversight and direction for the certification and accreditation process.

E5.4. CNDS CERTIFICATION AND ACCREDITATION PROCESS

E5.4.1. The CNDS/CAs work together, and in conjunction with the CND Architect, to establish and implement the certification and accreditation process. The certification and accreditation process will include a CNDS capability maturity model, CNDS best practices, self-assessment and independent assessment methods, service performance metrics, individual capability maturity models, and models to determine optimum staffing and workload levels. The capability maturity models will link education, training and certification standards and requirements to organizational capabilities.

E5.4.2. The CNDS/CAs, in conjunction with the Heads of Components, will develop a coordinated Defense-wide CND educational curriculum integrated with DoD's IA curriculum, and will continuously improve it through the incorporation of best practices.

E5.4.3. The CNDS/CAs, in conjunction with the CND R&T Program Manager and the Components, will identify CNDS requirements and ensure that new technology is acceptable for DoD CNDS practices.

E5.4.4. The CNDS capability maturity model will address all CND Services described in Enclosure 4, as well as subscription and reporting requirements, service level agreements, and any additional process areas identified by the CND Architect or USCINCSPACE.

E5.4.5. In addition to managing certification and process improvement, the CNDS/CAs will provide an active and ongoing coordination service for all associated Tier 2 CNDS providers. This includes dynamic information exchange among the CNDS providers, management of the exchange protocols, and technical and analytic support. The CNDS/CAs also provide technical and analytic support to USCINCSPACE and to Component CNDS providers as required.

E5.5. CND RESEARCH AND TECHNOLOGY PROGRAM MANAGEMENT

E5.5.1. The CND Research and Technology Program Manager coordinates development and evaluation of tools and techniques to support CND operations, develops and evaluates emerging attack sensing and warning technologies, and supports the CND procurement and logistics activities of the DoD Components, to include enterprise-wide licensing of CND tools.

E5.5.2. To support these efforts, the Program Manager chairs a CND steering group whose members include USCINCSPACE, the Joint Staff, DIAP, the CNDS/CAs and the DoD Components. The CND technology steering group shall host regular reviews of DoD and Component requirements.

E5.5.3. The Program Manager:

E5.5.3.1. Has program coordination responsibility for Defense-wide issues related to CND technology transition.

E5.5.3.2. Develops, in coordination with the DoD Components, comprehensive CND R&D requirements and technology transition programs.

E5.5.3.3. Reports to the Director, Defense Research and Engineering (DDR&E) and DIAP on these R&D requirements and technology transition plans and activities.

E5.5.4. The Program Manager provides support to the CND Architect, OSD and the Joint Staff in the identification and resolution of CND technology transition program issues.

E5.6. CND INTEGRATION INTO DOD INFORMATION SYSTEMS

E5.6.1. The Systems Integrator coordinates Sensor Grid systems engineering, implementation and integration; coordinates COP requirements, design and integration; and develops and maintains COP common databases and utilities.

E5.6.2. To support these efforts, the Systems Integrator chairs a regular CND systems working group under the Military Communications and Electronics Board (MCEB) Information Assurance Panel (IAP) to address COP and Sensor Grid architecture, engineering and deployment. Membership includes, but is not limited to, those Components responsible for development of the COP system. Figure E5.F1 details a listing of member agencies and CND COP development responsibilities.

Figure E5.F1. Component Responsibilities for CND Common Operational Picture

DoD Component - CND COP Development Responsibility
  DISA - CND Systems Integrator; General Service Network Operations COP; Common databases and utilities; Systems support for USCINCSPACE requirements; General Service CNDS
  Navy - Counterintelligence input and community view
  DoD IG - Law Enforcement input and community view
  DIA - Intelligence input and community view
  NSA - Special Enclave Network Operations COP; Special Enclave CNDS
  DoD Component - Component view (optional)

E6. ENCLOSURE 6
INFORMATION ASSURANCE VULNERABILITY ALERT (IAVA)

E6.1. INTRODUCTION

E6.1.1. This enclosure provides policy and guidance for the DoD Information Assurance Vulnerability Alert (IAVA) process. The IAVA process supports the protection of DoD information systems against known or identified vulnerabilities. IAVA also provides a positive control mechanism to ensure that system administrators receive, acknowledge and comply with vulnerability notifications, and to ensure that corrective actions were taken to address vulnerabilities. The IAVA process assists in mitigating risks to mission effectiveness or operational readiness.

E6.1.2. Requirements and Responsibilities. Within DoD, the IAVA process incorporates positive control of vulnerability notification and compliance. The IAVA process is managed by the Defense Information Systems Agency (DISA), in coordination with USCINCSPACE through the Joint Task Force - Computer Network Defense (JTF-CND). DISA processes and distributes IAVA alerts to all Component points of contact through an Internet Web-based process that is pre-coordinated with CNDS providers, and confirms that corrective measures have been implemented. The CNDS/CAs track compliance.

E6.1.3. IAVA Notification. IAVAs are generated whenever a critical vulnerability exists that poses an immediate threat to DoD and where acknowledgement and corrective action compliance must be tracked. Not all identified vulnerabilities and threats will warrant an IAVA. After an initial evaluation, a request for comments is sent to a coordination team consisting of JTF-CND, Component CNDS providers and joint system program managers. This team provides input in determining the type of notification to be generated. IAVAs are promulgated via organizational messaging. The message is for notification only and directs recipients to the DoD Computer Emergency Response Team's (CERT) Internet web site for technical specifications and corrective action. IAVAs will expire after a set period unless otherwise specified, and may be modified or superseded as more technical information becomes available.

E6.1.4. IAVA Acknowledgement Procedures. All Heads of the DoD Components will designate a primary and secondary point of contact (POC) for IAVA acknowledgement and reporting. Acknowledgement of receipt of the IAVA is required within five days of the date of the message, or as specified in the message itself. Dissemination of the IAVA within the Component is conducted by all program managers, system administrators and/or personnel responsible for the implementation and management of technical responses to IAVAs.

E6.1.5. The DoD Components will report compliance with an IAVA notification via the appropriate unclassified or classified IAVA web site within 30 days of the date of the message, or as specified in the individual message. Component program manager reports will be included in the overall compliance report. For reporting purposes, assets include all components (i.e., hardware and software) of information systems comprising or accessing a networked environment. Compliance information shall include, at a minimum, the number of assets affected, the number of assets in compliance, and the number of assets with waivers.

E6.1.6. Configuration Management. Maintaining positive configuration control of all information systems assets under a Component's purview supports the integrity of the IAVA process.

E6.1.6.1. The DoD Components will maintain configuration documentation that identifies specific system/asset owners and system administrator(s), including applicable electronic addresses.

E6.1.6.2. Networked assets will be managed and administered in a manner allowing for both chain-of-command and authorized independent verification of corrective actions.

E6.1.6.3. The DoD Components will modify contracts for DoD information system asset management to reflect the above performance requirements (i.e., paragraphs E6.1.4 and E6.1.5) for IAVA acknowledgement and reporting. This includes contracts being developed that will affect Defense Information Infrastructure (DII) assets, or that utilize, administer or integrate IT or communication assets into the DII.

E6.1.6.4. The DoD Components will also establish a process to periodically review any waivers prior to their expiration date.

E6.1.7. In support of the IAVA process, the DoD Components will register with DISA for assignment of a web-site user-ID and password. On receipt of an IAVA notification, Component POCs must enter their organization's acknowledgement and compliance data into the IAVA database.

E6.1.8. Waivers. Designated Approving (Accrediting) Authorities (DAAs) have the authority to waive compliance with a specific IAVA notification if appropriate, following a risk assessment and determination of other risk-mitigating actions. Waivers shall be for the minimum length of time required to achieve compliance with the IAVA notification. The DAA must consider the risks involved to both the local network and the greater DII when granting a waiver. Specific technical questions regarding individual IAVAs should be addressed to the DoD CERT via e-mail at cert@cert.mil.