The DoD operates a tiered CND C2 structure in order to effectively defend DoD information systems that are networked globally across a diverse set of environments. Each of these environments must defend the network and ensure the security of computing and communication systems. It is critical that certain information be disseminated and that actions and supporting countermeasures can be directed from higher levels of command to network defenders (which include CSPs supporting defense of their CSOs).
The DoD cyber chain of command for CSPs is represented in Figure 8 (Section 6.3). USCYBERCOM, at Tier 1, disseminates Warnings, Tactical Directives, and Orders to both the BCND and MCNDs (all Tier 2). The BCND entities will analyze them for their applicability to individual CSPs, and then communicate with USCYBERCOM and the CSPs as appropriate. CSPs (effectively acting as Tier 3) will coordinate with the BCND, MCND, and Mission Owners as contracted to implement the provided guidance and countermeasures.
CSPs must be able to receive, act upon, and report compliance with directives and notifications sent by CND Tier 2 (MCND or BCND), as required by FedRAMP selected security control SI-5.
Understanding existing vulnerabilities and risks within the enterprise is a key component in performing effective CND analysis. The vulnerability reports and POA&Ms developed by the CSPs as part of continuous monitoring requirements supporting both FedRAMP and FedRAMP+ requirements will be made available by DISA’s cloud services support team to the MCND and BCND providers for their collective use in providing CND.
Planned outages affecting mission systems are to be coordinated through the Mission Owner, with the goal of minimizing impacts to the operational community. An approved outage is referred to as an Authorized Services Interruption (ASI). CSPs must notify all affected MCND providers of ASIs under their control when an outage starts and upon return to service. Outages or changes that affect more than one mission environment must be reported by the MCND to the BCND to enable broader situational awareness across all MCND providers. Mission Owners and administrators are responsible for the same notifications to the MCND when the ASI is under their control.
The DoD PKI program provides assurances of an individual’s identity, which is important in sharing information regarding C2 and CND functions. This section outlines requirements for establishing trusted identities for CSP personnel communicating securely with DoD CND personnel.
Impact Level 2 through 5: CSPs must preferably have either a DoD PKI certificate or a DoD-approved External Certification Authority (ECA) medium-assurance PKI certificate for each person who needs to communicate with DoD via encrypted email. The DoD has established the ECA program to support the issuance of DoD-approved certificates to industry partners and other external entities and organizations, providing a mechanism to communicate securely with the DoD and authenticate to DoD Information Systems. Additional information on the ECA program can be found at http://iase.disa.mil/pki/eca/Pages/index.aspx. Equivalent alternative measures will be assessed on a case-by-case basis.
Impact Level 6: CSPs serving Level 6 systems will already have SIPRNet tokens/NSS PKI certificates for their system administrators by virtue of the connection to SIPRNet. Incident response and CND personnel will use SIPRNet tokens/certificates to communicate with DoD via encrypted email.
Vulnerability and threat information sharing is a highly effective way for DoD to help CSPs protect and defend DoD information housed or processed in their service offerings. Government sources such as US CERT and USCYBERCOM provide detailed vulnerability information. Several commercial sources also provide supplemental information that can be used by CSPs in further defending their infrastructure. CSPs are encouraged to leverage such knowledge sources. However, much of the information that the DoD can provide to CSPs is classified. An avenue to obtain such information follows:
The Defense Industrial Base Cyber Security / Information Assurance Program (DIB CS/IA) is a program to enhance and supplement DIB participants’ capabilities to safeguard DoD information that resides on, or transits, DIB unclassified information systems. Membership in DIB CS/IA gives DIB participants access to DIBNet-U and DIBNet-S, the unclassified and classified networks used for data sharing and collaboration. Access to DIBNet provides CSPs with CYBERCOM notifications, classified email, and the DIB web portals.
Access to DIBNet provides CSPs with access to both classified and unclassified cyber threat information, including mitigation strategies. DIB CS/IA program membership is voluntary, although cyber incident reporting as described in section 6.4.3 is mandatory. Eligible CSPs are encouraged to join the voluntary DIB CS/IA program to facilitate their protection of infrastructure that hosts higher-value DoD data and systems.
NOTE: DoD CSPs are already integrated into the CND communications architecture and receive unclassified CYBERCOM notifications via established channels.