CDC/ATSDR Guidelines and Policy
Regarding Connection of External LANs

 

Introduction

Secure connectivity to the CDC Wide Area Network (WAN) is critical to the reliability and integrity of the network environment and the security of CDC's data and information resources. As a direct result of the increased number of electronic collaborators and of contracts for IT services to meet CDC requirements, requests for direct connections to the CDC WAN by commercial vendors, contractors, and private organizations and agencies are increasing. However, this connectivity must provide both secure and reliable service in both directions, to meet mission requirements.

This document defines connection requirements and standards for commercial and external LANs which require direct connection to the CDC WAN. It is important that these requirements be included as part of the contract, statement of work, MOU, or grant under which the relationship with the entity is established, if connectivity to the CDC WAN is necessary to accomplish mission objectives. Adherence to these conditions should be confirmed by active and passive audit mechanisms, with non-compliant conditions corrected as quickly as possible.

Connection Requirements

The CDC organization requesting connection of an external LAN to the CDC WAN should coordinate with IRMO/NTB during the development of the contract language, statement of work, MOU, or grant to assure that all technical and security requirements are included. Requests made without prior IRMO/NTB coordination will result in delay to the requesting organization and will be acted upon as time permits. Within 10 days after award of contract, external LAN connection requirements should be finalized with IRMO/NTB to include any minor modifications.

If the connection requirement is not contractual, IRMO/NTB should be included in any discussions with the external LAN owner at least 45 days before the production connection is required.

Bandwidth requirements will be determined by functional needs to meet contract obligations or program needs.

Security

Contractors or programs shall perform only authorized contract-related business on this connection, and then within a "least privilege" framework (i.e., if Internet usage is not a requirement of the contract, the CDC Internet link should not be used).

Connection to an external LAN from any device which is itself directly connected to the CDC WAN, or is part of a LAN which is directly connected to the CDC WAN, shall be effected only through means authorized by CDC IRMO. Preferentially, such a connection should be through an IRMO router. However, where this is not feasible, IRMO shall manage the connection and will require full remote access to the connection device(s). The requesting organization may be required to participate in the management of these devices.

Unless authorized to the contrary, connections shall be centrally terminated in IRMO Data Center.

The entity operating through a direct connection to the CDC WAN must provide verifiable protection to CDC from their other business transactions, especially internal or external networking to other groups (including the Internet). The CDC ISSO and IRMO Network Security group will determine the level of protection/security required.

Installation/Implementation

- Functional requirements

- Name and location of entity proposed for direct connection

- Business Steward under whom the activity requiring the connection is located

- Timeframes

Once a final plan has been agreed upon in the collaboration process, a confirmation E-mail should be sent directly from the IRM Coordinator of the requesting organization -- not the contractor, to the WAN Notification mailbox. IRMO will coordinate as required with PGO and the CDC ISSO.

lanconnect.wpd

August 3, 1999

Updated 2/10/00