There are two general types of customers/partners that connect to the DISN to utilize its networks/services: DOD and non-DOD. DOD customers are DOD combatant commands, military services and organizations, and agencies (DOD CC/S/A), collectively referred to as "DOD Components." DOD customer enclaves include information systems or Platform Information Technology (PIT) systems that are developed jointly by DOD components and mission partners, comprise DOD and non-DOD information systems, or contain a mix of DOD and non-DOD information consumers and producers (e.g., jointly developed systems, multi-national or coalition environments, or first responder environments) in accordance with DODI 8500.01 (ref a). Non-DOD customers include contractors and federally funded research and development centers; other U.S. government federal departments and agencies; state, local, and tribal governments; foreign government organizations/entities (e.g., allies or coalition partners); non-government organizations; commercial companies and industry; and academia (e.g., universities, colleges, or research and development centers). They are collectively referred to as "mission partners." In order to connect to the DISN, mission partners must have a validated requirement approved by a sponsoring CC/S/A or field activity headquarters and validation of the mission requirement from the DOD CIO in accordance with CJCSI 6211.02D (ref b). In addition, all DISN customer information systems will be aligned to DOD network operations and security centers (NOSCs). The NOSC and supporting cybersecurity service provider(s) will provide any required cybersecurity services to aligned systems in accordance with CJCSI 6211.02D (ref b), DODI 8530.01 (ref k), DODI O-8530.01M (ref l), and the DOD CIO Memo on DOD Sponsor Responsibilities (ref m).
Applicable issuances, Defense Finance and Accounting Regulations (DFAR), and requirements must be codified in an appropriate agreement (e.g., memorandum of agreement [MOA] or contract). Responsibilities of DOD sponsors are defined in several OSD and Joint Staff issuances.
DISN Network/Services and Connections
The DISN offers classified and unclassified voice, video, and data services to its customers. A detailed description of each of the services is available at https://www.disa.mil/Network-Services.
Customers requiring a new connection to the DISN and its services must use the DISA Storefront request fulfillment process to initiate the provisioning requirement and circuit activation (go to: https://disa-storefront.disa.mil/dsf/logon?a=DDR&r=https%253A%252F%252Fddsf.disadirect.disa.mil%252Fkinetic%252FDisplayPage%253Fname%253DDDSF_Home for further information and guidance). The Telecommunications Service Request (TSR) and In-Effect Report (IER) processes involve the ordering, engineering, acquisition, and installation of the circuit and equipment necessary to connect to the DISN. Request fulfillment may only be initiated by a DOD entity. A DOD CC/S/A entity may elect to sponsor a mission partner, but the DOD sponsor remains responsible for all request fulfillment actions to include, but not limited to, completing and/or assisting the mission partner with A&A requirements. See the DOD CIO Sponsor Memorandum (ref m).
Assessment and Authorization
All enclaves connecting to the DISN require A&A in accordance with an appropriate and acceptable process. For new and additional connections, the A&A process should be initiated in parallel to or soon after beginning the request fulfillment process. For reauthorizations, the customer should initiate enclave reauthorization actions with sufficient time prior to expiration of the current authorization and connection approval to prevent a potential circuit disconnect. Expiration notices are sent to the POCs for the subject enclave every 30 days starting 90 days prior to the expiration. For out-of-band (OOB) point-to-point connections, the Command Communications Service Designator (CCSD) and IER information will be uploaded in the System Network Approval Process (SNAP) and SIPRNet Global Information Grid (GIG) Interconnection Approval Process (GIAP) System (SGS) as applicable.
Additionally, the OOB connection will not have an expiration date. DOD components and mission partners must ensure that all SNAP and SGS POC fields are maintained in an up-to-date and accurate status of the enclave at all times.
DOD Combatant Commands/Service/Agency/Field Activities (CC/S/A/FAs) must execute the RMF or DIACAP process in accordance with DODI 8510.01 (ref d). For mission partners and defense contractors, the appropriate A&A process (i.e., RMF, DIACAP, National Industrial Security Program [NISP] Operating Manual [NISPOM], National Institute of Standards and Technology [NIST], Director of Central Intelligence Directives [DCID], etc.) depends on the type of customers and the network/service to be accessed. At the completion of the A&A process, the authorizing official (AO) or Chief Information Officer (CIO) issues an authorization decision in the form of an Authorization to Operate (ATO), ATO with conditions, or Interim Authorization to Test (IATT). Please note that under the RMF process there are no Interim Authorizations to Operate (IATOs). Before a DISA DISN Approval to Connect (ATC) or Interim ATC (IATC) can be issued, a number of documents are required depending on whether a connection request is a DOD RMF or DIACAP package. For an RMF package, these documents include the RMF Security Assessment Report (SAR), the System Security Plan (SP), Systems Enterprise and Information Security Architecture (system security design document or topology), plus the Consent to Monitor (CTM) and Plan of Actions and Milestone (POA&M). For a DIACAP package, these documents include the signed DIACAP Scorecard, System Identification Profile (SIP), CTM, detailed topology, and POA&M. Mission partners require additional documentation addressed later in the CPG.
Connection Approval Process Package
Connection requests are sent to the Chief Administrative Officer (CAO) in the form of a Connection Approval Process (CAP) package. These packages provide the CAO the information necessary to make the connection approval decision. The baseline requirements for what must be included in the CAP package depend on whether the customer is DOD or non-DOD and whether the connection is new or due for reauthorization. There may also be additional requirements, depending on the specific DISN network/service the customer needs to access. The DISA CAO will follow DOD CIO-provided guidance regarding the DIACAP to RMF transition timeline and instructions for all DISN CAP packages.
As an integral part of the connection approval process, the CAO conducts an initial compliance assessment of a new or reauthorization connection to the DISN. Compliance assessments are based on the level of customer adherence with DOD CIO governance (e.g., DODI 8510.01 (ref d)), DISA Security Technical Information Guides (STIGs), Security Requirements Guides (SRGs) and on-site and remote compliance monitoring and vulnerability assessment scans, the Defense Security/Cybersecurity Authorization Working Group (DSAWG)/DOD Information Security Risk Management Committee (ISRMC) decisions, etc.
When non-compliance issues are identified and confirmed, the CAO works with the customer and others to validate and correct the weaknesses that generated the non-compliance issue. Non-compliance can include, among other elements, incomplete and/or incorrect information submitted as part of the CAP package documentation and artifacts.
After the CAP package is reviewed and a compliance assessment conducted, the CAO makes a connection decision and notifies the DOD component or mission partner. DOD components or mission partners approved for connection to the DISN are granted either an ATC or an IATC, which are normally assigned an expiration date to coincide with the Authorization Termination Date (ATD) of the ATO. In the event of a non-compliant assessment for a new connection, the CAO will work with customers to address the matter until the concern is downgraded or mitigated allowing the issuance of an ATC or IATC.