
Tunneling of classified traffic across an unclassified IP transport network or service provider backbone must be documented in the enclave's security authorization package, and an Approval to Connect (ATC) or an Interim ATC must be issued by DISA prior to implementation.


Overview

Finding ID: V-251349
Version: NET-TUNL-028
Rule ID: SV-251349r916231_rule
IA Controls:
Severity: High
Description
CJCSI 6211.02D instruction establishes policy and responsibilities for the connection of any information systems to the Defense Information Systems Network (DISN) provided transport. Enclosure E mandates that the CC/S/A document all IP tunnels transporting classified communication traffic in the enclave's security authorization package prior to implementation. An ATC or IATC amending the current connection approval must be in place prior to implementation.

Enclosure D of the CJCSI 6211.02D also provides guidance on the requirements of tunneling classified data (section 15.a), which helps a CC/S/A determine applicability to their mission. Items include but are not limited to:

- minimize tunneling of classified data over transport other than DISN provided transport (i.e., SIPRNET);
- ensure the Authorizing Official (DAA) validates all requirements to tunnel classified information across unclassified IP infrastructure;
- obtain DSAWG approval before tunneling classified data across unclassified IP infrastructure;
- ensure transmission of classified information is secured through use of authorized cryptographic equipment and algorithms and/or PDSs;
- document IP tunnels transporting classified communication traffic in the enclave’s security authorization package prior to implementation;
- an ATC or IATC amending the current connection approval must be in place prior to implementation.
STIG Date
Network Infrastructure Policy Security Technical Implementation Guide 2023-05-04

Details

Check Text (C-54784r806000_chk)
Review the enclave's security authorization package and the ATC or Interim ATC amending the connection approval received.

If the tunneling of classified traffic is not documented in the security authorization package and an ATC or Interim ATC, this is a finding.
Fix Text (F-54737r806001_fix)
Document the tunneling of classified traffic in the security authorization package and the ATC or Interim ATC.