Discretionary access controls are a sufficient IA mechanism for connecting DoD information systems operating at the same classification, but with different need-to-know access rules. A controlled interface is required for interconnections among DoD information systems operating at different classifications levels or between DoD and non-DoD systems or networks. Controlled interfaces are addressed in separate guidance.
MAC / CONF | Impact | Subject Area |
---|---|---|
CLASSIFIED SENSITIVE | Medium | Enclave Computing Environment |
Threat |
---|
Lack of proper protection mechanisms (e.g., discretionary access controls) for information sharing would allow unauthorized access, resulting in unauthorized disclosure, modification, or destruction of classified and/or sensitive information. This implementation guide is aimed to help system/network administrators implement proper access controls for the controlled connectivity. |
Guidance |
---|
1. When connecting the information systems operating at the same classification level (e.g., classified system to classified system, sensitive system to sensitive system), the network/system administrator shall perform the following: a. The network administrator shall configure the router properly using the access control list in accordance with DISA router STIGs, NSA router security configuration guide, and organization’s specific router guide so that only authorized services/applications can be transferred from the source to the destination. b. The system administrator shall configure the system software (e.g., operating system, database, application) securely to restrict access to system information only to authorized personnel in accordance with DISA STIGs, NSA security guides, and organization’s specific guides. 2. When connecting the information systems operating at different classification levels (e.g., Top Secret to Secret, Secret to Unclassified), or when connecting DoD and non-DoD systems/networks, the network/system administrator shall perform the following: a. Research the type of methods that can be used for cross domain solutions (e.g., gateways, guards) in the system environment b. Perform an analysis of advantages and disadvantages of individual cross domain solutions based on functions and security features c. Select the best suitable method and install it in the lab environment d. Configure the gateway and/or guard securely based on DISA STIGs and vendors security administration guides e. Test the component for its adequacy and implement it into the system in the operational environment 3. If the system is a part of the Global Information Grid (GIG), the network administrator shall install the NSA-developed Cross Domain Solution package, if available, and configure it properly. |