DISN Connection Process Guide

CUSTOMER CONNECTION PROCESS


Identify the appropriate network/service through the DISN Telecommunications Business Services guide on the DDOE website: https://www.disadirect.disa.mil/products/

After the appropriate network/service is identified and applicable approvals are received, the customer initiates a request for service fulfillment through the DDOE process on the DISA Direct website listed above. This is the ordering tool for the DISN Telecommunications Business Services guide. If a circuit is ordered, DISA has a specified time to provide circuit delivery. Customers should use the timelines below for planning purposes when ordering circuits, to minimize the time between delivery and activation of the circuit. Once a circuit is delivered, billing will commence within 72 hours of delivery, whether or not the customer is ready to use it. The circuit should be ordered only when the customer is within the appropriate timeline below for completing all required actions; otherwise, the circuit should not be ordered.

DAYS: 

T1 45 days 
DS3 60 days 
OC3  90 days 
OC12  120 days 
OC48  120 days 
OC192  120 days 

*Network PLS: 

| Circuit | Standard | Expedite |
|---------|----------|----------|
| T1      | 45       | 23       |
| DS3     | 85       | 43       |
| OC3     | ICB      |          |
| OC12    | ICB      |          |
| OC48    | ICB      |          |
| OC192   | ICB      |          |

*Contact the DCCC for the delivery timeline: (844) 347-2457, Option 2.

In the event the service request qualifies as an Emergency or Essential National Security/Emergency Preparedness (NS/EP) telecommunications service, there is an expedited process available, both for service fulfillment and for connection approval.

In parallel, or shortly after initiating the request for service through DDOE, the customer should begin the A&A process for the enclave for which a connection to the DISN is required.

For additional information on the RMF, see NIST SP 800-37 (ref n) and the RMF Knowledge Service (ref o) at https://rmfks.osd.mil/.

Customers are required to register the connection information (new or legacy) within applicable systems/databases.

Once the DDOE process has been completed with the receipt of a CCSD, customers are required to register and maintain their IS information (IP address ranges, hosts, POCs, etc.) in the appropriate databases based on classification of the connection:

  • Network Information Center (NIC), through the DCCC at (844) 347-2457, Option 2; CML: (614) 692-0032, Option 2; DSN: (312) 850-0032, Option 2; disa.dccc@mail.mil for all unclassified connections
  • SNAP (https://snap.dod.mil) for:
    • Voice, video, data circuit registrations and connections to unclassified networks/services
    • DoD CIO temporary exception to policy registrations (Appendix G)
  • DCCC at (844) 347-2457, Option 2; CML: (614) 692-0032, Option 2; DSN: (312) 850-0032, Option 2; disa.dccc@mail.mil for all classified connections
  • SGS (https://giap.disa.smil.mil/gcap/home.cfm) for:
    • Voice, video, and data circuit registrations/connections to classified networks/services
  • Ports, Protocols, and Services Management (PPSM) (https://pnp.cert.smil.mil) (http://iase.disa.mil/ppsm) for:
    • All networks/systems ports, protocols, and services for all IP solutions or applications, in accordance with DoDI 8551.01 (ref e)
Note: DoDI 8510.01, Change 1, (ref d) Enclosure 8 authorizes and encourages DoD Components to start using RMF immediately when authorizing DoD IS and PIT systems and provides a timeline and instructions for transition from DIACAP to RMF. DIACAP packages can be submitted to Component Authorizing Officials (AOs) up until 1 Oct 2016. Any DoD IS or PIT system with a DIACAP package submitted through 1 Oct 16 will only be authorized an ATO for at most 1.5 years from the date of the AO's signature. On 2 Oct 2016, only RMF packages can be submitted to AOs. In the case of significant financial or operational impacts of transitioning to RMF, an AO may submit a request for deviation from this guidance for specific systems to the respective DoD Component CIO for approval. All requests for deviation forwarded to the Component CIO must be accompanied by an IS transition plan and a plan of action and milestones. During the transition, DISA will accept a request for a DISN connection that is supported by an ATO with RMF or DIACAP artifacts but will not accept a package with a combination of RMF and DIACAP artifacts.

Account Registration for the SNAP and SGS Databases

CAP packages for connections will be uploaded by the customer in the SNAP (unclassified) or SGS (classified) database. The customer must first register and get a SNAP or SGS account in order to submit a CAP package.

Note: A legacy version of SGS is provided as a reference. Legacy SGS is not updated and does not contain current information. At some point in the near future, the Legacy SGS system will be removed.

Note: DISN ATCs will not be issued until the enclave’s systems are properly registered in the PPSM registry and have a valid PPSM registration identification number. For questions regarding PPSM registration call the PPSM Office at 301-225-2904.

SNAP and SGS Account Request Procedures

  • Go to https://snap.dod.mil for SNAP and https://giap.disa.smil.mil for SGS
  • Click on "Request a SNAP account" or "Request a SGS account"
    • Upload a completed, signed DD Form 2875, System Authorization Access Request (SAAR). The DD Form 2875 can be downloaded from SNAP and/or SGS on the Reference Documents page
  • Complete section 13 of the DD Form 2875, "Justification for Access" by specifying the SNAP and/or SGS module and user role for the CC/S/A/FA
  • Complete the profile data; asterisked items are required fields
  • Click "Submit Request" for approval
  • Once the account is approved, proceed with the creation/registration of the connection to include the submittal/upload of the RMF/DIACAP executive package artifacts once the local RMF A&A/DIACAP C&A is completed

The below steps detail the registration and submission process for both unclassified and classified CAP packages:

SNAP (Unclassified) and SGS (Classified) Submittal Process

  • Log on to SNAP (https://snap.dod.mil) for Unclassified Connections and SGS (https://giap.disa.smil.mil) for Classified Connections
  • Hover the mouse over "NIPR" for SNAP or "GIAP" for SGS and select "New Registration"
  • Complete all required fields of the NIPR or GIAP Checklist (Sections with a locked icon are reserved for use by CAO Analyst)
  • Upload Attachments for the RMF/DIACAP executive package artifacts in the Attachments/Documents Section as applicable
  • Once all sections are completed, a submit button at the bottom of the screen will be available in order to submit the entire registration
  • For NIPR packages that have classified artifacts, upload a placeholder document in the applicable section in SNAP stating that the artifact was submitted on SIPR. The date of the email and sender’s name should be in the note. Send the email to the SIPR UCAO mailbox: disa.meade.ns.mbx.ucao@mail.smil.mil.

 The customer connection requests are submitted to the CAO in the form of a SNAP or SGS registration and uploading of the CAP package. This package provides the CAO the information necessary to make a connection approval decision. CAP packages should be submitted at least 30 days prior to the desired connection date, for new connections, or 30 days prior to the existing ATC or IATC expiration date, to ensure service continuity. The following documentation is required for the CAO to analyze a CAP package:

3.5.1 DoD Component Connections to the DISN:

Connection Approval Packages for DoD Component connections to DISN will include the following documentation:

CAP Package Required Documentation: DoD Component Connections

| DoD RMF | DIACAP |
|---------|--------|
| Authorization Decision Document (ADD) signed by the AO | ATO or ATO with conditions signed by the DAA |
| Security Assessment Report (SAR) | DIACAP Scorecard |
| Security Plan (SP) | System Identification Profile (SIP) |
| POA&M | IT Security POA&M |
| Detailed Topology Diagram | Detailed Topology Diagram |
| Consent to Monitor | Consent to Monitor |
| AO Appointment Letter | DAA Appointment Letter |

For additional RMF guidance, please go to the RMF/DIACAP Knowledge Management website at: https://rmfks.osd.mil/login.htm.

3.5.2 Mission Partner Connections to the DISN

Connection Approval Packages for Mission Partner connections to DISN will include the following documentation. DoD Sponsors and Mission Partners will ensure information in SNAP/SGS is kept up to date.

CAP Package Required Documentation: Mission Partner Connections 

ATO or ATO with conditions signed by the AO/DAA

As appropriate: RMF Documentation or DIACAP Executive Package (DIACAP Scorecard) in accordance with DoDI 8510.01, DoD 5220.22-M, NISPOM, NIST 800-37, ICD 503 documentation, or equivalent documentation 

Statement of Residual Risk
Detailed Topology Diagram
DoD Sponsor Validation Letter / Revalidation Letter 
DoD CIO Memo validating the mission requirement for a new Mission Partner connection to DISN
Consent to Monitor (the DoD Sponsor is responsible for signing the CTM)
AO/DAA Appointment Letter 
The DoD Sponsor must validate the Mission Partner's need for access to the DISN. The DoD Sponsor and Mission Partner must understand and agree (e.g., MOA/MOU, contract) to their responsibilities as stated in the DoD CIO Sponsor Memorandum.

3.5.3 DoD Classified Contractor Connections to DISN:

In addition to the requirements in paragraph 3.5.2, a Connection Approval Package for a Classified Defense Contractor connection to DISN will include:

CAP Package Required Documentation: DoD Contractor Connections 

Master System Security Plan and Information Security Plan

DoD 5220.22-M, NISPOM executive package artifacts

The Defense Security Service (DSS) has responsibility for all AO actions related to Classified Contractor connections to DISN in accordance with NISPOM C&A; see the DSS-DISA MOA for further specifics regarding classified DoD contractor connections

DoD Contractor connections to the SIPRNet must go through DSS for A&A of their facilities and information systems. For questions regarding DSS A&A, contact the DSS SIPRNet Program Management Office at occ.cust.serv@dss.mil or by phone at 888-282-7682.

3.5.4 Federal Departments, IC, and Other Mission Partners:

In addition to the requirements in paragraph 3.5.2, a Connection Approval Package for a Federal Department or Agency, IC or other Mission Partner (e.g., coalition partner) connection to DISN will include:

CAP Package Required Documentation: Federal Departments and Agencies, IC and Other Mission Partner Connections 

The documentation used for authorization of a Federal Mission Partner IS not categorized as a National Security System (NSS) will use National Institute of Standards and Technology (NIST) SP 800-37 Rev 1

The documentation used for authorization of a Federal Mission Partner IS categorized as an NSS will use CNSS Instruction (CNSSI) No. 1253 Security Categorization and Control Selection for National Security Systems, 27 March 2014

The documentation used for authorization of an IC IS or other Mission Partner IS will be in accordance with ICD 503, RMF Documentation, DIACAP Executive Package (DIACAP Scorecard), or equivalent documentation. IC documentation and submitted artifacts will be commensurate with the IC reciprocity memorandum.
DoD CIO Memorandum of Agreement with Federal Departments and Agencies for connection to DISN in lieu of a DoD Sponsor validation memo.
Joint Staff approval memo for 5 Eyes/coalition partner connections to DISN
Connection requests for all Mission Partners require a validation/revalidation memo signed by the DoD sponsor and validated by the DoD CIO

 

If an enclave is approaching its Authorization Termination Date (ATD), the system owner/program manager must reinitiate the A&A/C&A process and obtain a new authorization decision from the AO. Ideally, the new ATO will be issued and an updated CAP package uploaded to SNAP or SGS a minimum of 30 days prior to the expiration of the current ATC/IATC. In accordance with DoDI 8510.01 (ref d), "systems that have been evaluated as having a sufficiently robust system-level continuous monitoring program (as defined by emerging DoD continuous monitoring policy) may operate under a continuous reauthorization." AOs who determine that their DISN connected enclave has met DoD’s continuous monitoring policy requirements are still required to update their respective ATO at a minimum of every three (3) years before a new ATC/IATC will be issued. For UC connection requirements, please see Appendix E. If a system does not have a sufficiently robust system-level continuous monitoring program, the "Systems must be reassessed and reauthorized/reaccredited once every 3 years. The results of an annual review or a major change in the cybersecurity posture at any time may also indicate the need for reassessment and reauthorization of the system in accordance with Appendix III to OMB Circular A-130 (ref q).

The expiration date of an ATC/IATC is usually the same as (and will never go beyond) the ATD expiration date of the associated scorecard. In some instances, the results of the DSAWG risk assessment may warrant the issuance of an ATC/IATC with an authorization period shorter than that of the associated scorecard or RMF documentation. An expired ATC/IATC will prompt a review by Joint Force Headquarters DODIN (JFHQ DODIN), and may result in an order to disconnect the enclave from the DISN network/service. In accordance with DoDI 8510.01 (ref d), "An ADD/ATO authorization decision must specify an ATD that is within 3 years of the authorization date unless the IS or PIT has a system-level continuous monitoring program compliant with DoD continuous monitoring policy as issued."

The AO could decide that planned changes to an enclave are significant enough to warrant reinitiating the full A&A process, with subsequent issuance of a new reauthorization decision inside the normal 3-year authorization cycle. If no physical reconfiguration of the DISN circuit is needed to effect the planned changes, such modifications to an enclave (even if significant enough to warrant a new authorization decision) do not need to be coordinated with the corresponding DISN Validation Official. However, the planned events may have a significant impact on the IA/cybersecurity posture of the enclave, and consequently on the risk the enclave poses to the DISN community at large. Pre-coordination with the CAO is necessary to ensure the updated topologies, CAP package artifacts, and risk decision artifacts are updated and available for the connection approval decision.

Examples of significant impact events:

  • Deployment of a cross domain solution (CDS)
  • Deployment of a UC product enhancing the capability of the enclave (i.e., softswitch VoIP, VoSIP, CVVoIP), even if the application is already accredited by the enclave AO
  • Rehoming of an authorized enclave to a new DEMARC; such as moving to a new facility where a new CCSD(s) is issued by Defense Information Technology Contracting Office (DITCO), unless the TSO clearly states that the authorization will transfer.
Note: An Automated Information System (AIS) that has already been authorized by the DISA AO for deployment on DISN/DODIN does not trigger a requirement for pre-coordination with the CAO if deployed to another enclave on DISN. 

The following events do not need to be pre-coordinated with the CAO prior to deployment/ implementation. However, these events must be identified to the CAO no later than deployment/ implementation by providing an updated network topology diagram and SIP.

Examples:

  • Deployment of new VoIP phones requiring a new VLAN segment within the enclave
  • Deployment of new VTC products (on DoD UC APL)
  • Changes in the IP address range assigned to the IS/enclave
  • DISA transport re-homing actions that change the connection points to DISN but the enclave remains at the same facility
  • Upgrade of bandwidth service

To update the registration for existing connections, use the following processes:

  • Logon to SNAP (https://snap.dod.mil) for Unclassified Connections and SGS (https://giap.disa.smil.mil) for Classified Connections
  • Hover the mouse over the respective tab (e.g., "Waiver," "Defense Switched Network," "VPN," or "NIPRNet") for Unclassified Connection in SNAP and the respective tab (GIAP or CDS) for Classified Connection in SGS and select "View/Update"
  • Use the Search Field to locate the registration
  • Complete all required fields of the Checklist (Sections with a locked icon are reserved for use by CAO Analyst)
  • Upload Attachments for the RMF, DIACAP, or other applicable executive package artifacts in the "Attachments/Documents" section as applicable
  • Once all sections are completed, a submit button at the bottom of the screen will be available in order to submit the entire registration

This checklist provides the key activities that must be performed by the Mission Partner or DoD Component sponsor during the connection approval process:

Item  DoD Component  Mission Partner 
  New  Existing  New  Existing 
Obtain DoD CIO approval for Non-DoD connection     

Provision the connection 

 

Perform the A&A process 

X

Obtain an authorization decision (ATO/IATT) 

X

Register the connection 

X

**

Register in the GIAP/SGS and/or SNAP database 

X

** 

Register in the PPSM database 

X

** 

Register in the DITPR database (NIPR Only) 

X

** 

Register in the SIPRNet IT Register database (SIPR Only) 

X

** 

Register with the SIPRNet Support Center (SSC) (SIPR Only) 

X

 

 
Complete the CAP package 

X

DIACAP Executive Package (or equivalent for non-DoD entities)/RMF Security Assessment Report 

X

X

DIACAP Scorecard/Systems Authorization Package 

X

System Identification Profile/System's Security Plan 

X

Plan of Actions and Milestones, if applicable 

X

AO Appointment Letter 

X

Network/Enclave Topology Diagram 

X

Consent to Monitor 

X

Proof of Contract/SLA/MOU/MOA     

DoD CIO Approval Letter     

Submit the CAP package to the CAO 

X

Receive remote compliance scan (SIPR Only) 

X

 

 
Receive ATC/IATC 

X

Proof of a funded agreement with a DoD accredited Computer Network Defense Service Provider (CNDSP) 

X

* - This step is not required for existing mission partner connections unless there has been a change in Sponsor, mission requirement, contract, location, or the connection has not been registered.

** - This step is not required for existing connections that are already registered and where all information is current.

Note: The CAO review of the SIPRNet CAP package for new connections includes an on-line initial remote compliance assessment. This is a SIPRNet vulnerability scan of the requesting enclave’s ISs performed by DISA, to identify possible vulnerabilities that exist within the enclave. The results are used during the connection approval decision-making process prior to the enclave going operational.

Network Topology Diagram/Systems Design Document – the diagram below depicts the network topology and security posture of the Customer network enclave that will be connecting to the DISN. The Network Topology Diagram document should:

  • Be dated
  • Clearly delineate authorization boundaries
  • Identify the CCSDs of all connections to the DISN
  • Identify equipment inventory (to include the most recent configuration including any enclave boundary firewalls, Intrusion Detection Systems (IDS), premise router, routers, switches, backside connections, Internet Protocol (IP) addresses, encryption devices, Cross Domain Solutions (CDS))
  • Other SIPRNet connections (access points) must be shown; the flow of information to, from, and through all connections, host IP addresses, and CCSD number, if known must be shown
  • Identify any other cybersecurity or cybersecurity-enabled products deployed in the enclave
  • Identify any connections to other systems/networks/enclaves
  • Identification of other connected enclaves must include:
    • The name of the organization that owns the enclave
    • The connection type (e.g., wireless, dedicated point-to-point, etc.)
    • IP addresses for all devices within the enclave
    • The organization type (e.g., DoD, federal agency, contractor, etc.)
  • Identify Internetworking Operating System (IOS) version
  • Include the model number(s) and IP's of the devices on the diagram; diagram must show actual and planned interfaces to internal and external LANs or WANs (including backside connections)

Note: In accordance with DoD and DISA guidance, firewalls, Intrusion Detection Systems (IDSs) and Wireless-IDSs (where applicable) are required on all partner enclaves. Private IP addresses (non-routable) are not permitted on SIPRNet enclaves without an acceptable RFC 1918 community risk assessment from the DSAWG. For more information go to the following link: (https://intelshare.intelink.gov/sites/dsawg/default.aspx). Indicate and label all of the devices, features, or information; minimum diagram size: 8.5" x 11."

All Cybersecurity and cybersecurity-enabled products that require use of the product’s cybersecurity capabilities must comply with the evaluation and validation requirements of (ref p) in accordance with DoDI 8500.01 (ref a).

DoD Components are required to acquire or operate only UC products listed on the UC APL, unless, and until, a DoD CIO temporary exception to policy is approved in accordance with DoDI 8100.04, Unified Capabilities (ref g). The DoD UC Approved Products List can be found at the DISA APLITS web page: https://aplits.disa.mil.

All Topologies MUST include IP address ranges, equipment make/model, and software version.  

 

 

The topology diagram for customer network enclaves that connect via the JRSS must include a JRSS topology overlay as shown in the diagram below. The JRSS topology overlay also must identify the make/model/IP address/software version of the JRSS equipment being used.

Tactical exercise/mission CAP packages must be submitted a minimum of eight (8) days prior to the start of the exercise/mission. Upon successful registration of the initial tactical mission/exercise, the registration will become valid for the duration of the ATO. The Registration ID number, that is auto-generated from SGS upon registration, will be used as a reference to access DoD Gateway SIPRNet services for the duration of the ATO. This Registration ID number will be used on all future missions, and provided to the CONEX in the remarks section 1 of the Gateway Authorization Request (GAR). Remarks will be: "SGS Registration ID number xxxxx for SIPRNet IATC, expiration DD-MMM-YYYY."

Customers are not required to register for each mission after initial registration. The authorization is valid through ATO revocation and/or expiration. If the current ATO will expire prior to the next time the Tactical user will enter a DoD Gateway, the user will start a new request so that a new Registration ID number can be issued. Any changes to equipment configuration affecting the enclave security posture of the system and resulting in a new ATO will require registration in the SGS database. A complete authorization package is not submitted with a CAP package for a tactical exercise/mission; however, the CAP package must include, at a minimum, an ATO letter, Gateway Access Authorization (GAA), and topology/System Design Document (SDD).

The CAO will review the registration information and will issue an IATC/ATC for the duration of the ATO upon successful and complete registration. The IATC/ATC will be made available under section 10.1 of the SGS database (Scorecard). The DISA GSD/Tier II will verify the validity of the Registration ID number provided in the GAA against the SGS database prior to allowing access to SIPRNet.

For additional information, please review the Policy and Procedures for DoD Gateways (STEP/Teleport) SIPRNet DODIN Interconnection Approval Process System (SGS).

In accordance with CJCSI 6211.02D (ref b) non-Mission Partners, including defense contractor enclave connections to DISN-provided transport, information services must be through an established DISN DMZ and will follow DISN DMZ security requirements. DISA operates three (3) DMZs or Mission Partner Gateways: the NIPRNet Federal Gateway (NFG), the SIPRNet Federal DMZ (FED-DMZ), and the SIPRNet Releasable (SIPR REL) DMZ. In certain limited special use cases, the DoD CIO has approved some non-DoD Federal Agencies Mission Partner connections to the NIPRNet and SIPRNet; however, this is not the norm. Connections to the DISN DMZs/NFG can be made either physically or logically (see Figure 3). Mission Partners will work with the NIPRNet or SIPRNet DMZ offices listed in Table 2 to initiate their respective DMZ/NFG connections.

DISA DMZ Offices 

NIPRNet NFG  301-225-8684 DSN 375 
SIPRNet REL-DMZ/FED DMZs  301-225-9607 DSN 375 

All Non-DoD NIPRNet/SIPRNet connections require DoD CIO Approval, a Contract/MOA/MOU and DoD Sponsor to validate DoD mission need for Mission Partner access to the DISN. DoD Sponsors must understand and agree to their responsibilities as stated in the DoD CIO Sponsor Memorandum (ref m), applicable issuances, the Defense Finance and Accounting Regulations (DFAR), and the DoD Sponsor and Mission Partner responsibilities must be codified in an appropriate agreement (e.g., MOA, MOU, or contract). The DoD CIO will establish MOA with Federal Departments and Agencies that have a mission requirement to connect to DISN.

In addition to the requirements listed in this section, to connect to the NIPRNet Federated Gateway, mission partners must complete a NIPRNet Federated Gateway (NFG) Questionnaire, as well as the NIPRNet Federated Gateway Policy spreadsheet (https://www.disa.mil/Network-Services/VPN/MPG). The questionnaire provides baseline data for engineering teams to work with mission partners, while the NFG Policy Spreadsheet identifies the firewall posture of the NFG which will support mission partners. The customer must notify the NIPRNet NFG or SIPRNet DMZ offices of the PPSM registration ID, in addition to the above referenced documentation. The DMZ/NFG team works with the Web Content Filtering team to ensure that the applicable firewall rulesets are vetted and provided to the DISA Command Center (DCC), which issues a DISA Task Order (DTO) for the DISA Global Operations Center (DGOC) to implement (See Figure 4 and 5). Should applicable PPSM not be identified, the corresponding services will not be available. This may result in subsequent submissions of firewall rule requests to support mission partner/sponsor requirements.

 

The NIPRNET Federated Gateway (NFG) (aka Mission Partner Gateway (MPG) for JIE) provides a secure, robust, and scalable means for non-DoD Federal Agencies, mission partners, and contractor connections to connect to the Unclassified but Sensitive Internet Protocol (IP) Router Network (NIPRNet). The NFG supports both logical and physical connections.

Note: It is strongly recommended that mission partners communicate with current service providers to ensure the smooth circuit hand off to NFG site/DISN Transport nodes. Logical circuits are an interim solution for migration to NFG and not meant to be an end state/long term solution  

3.12.1 NFG Logical Connections

Existing Mission Partner connections to NIPRNet may be extended to NFG without installing new physical circuits. This can be accomplished by provisioning logical tunnels using Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) or Internet Protocol Security (IPsec) VPN over the DISN. These tunnels extend existing Mission Partner connection(s) to the NFG and the traffic will flow to the NFG on a slightly different path than originating from physical connections. Encryption is also available for logical connections if required by the Mission Partner. Mission Partners are required to maintain a direct physical connection to a DISN node to be eligible for a logical connection. Logical connections through sponsors or other DoD agencies are not supported. Logical connection use cases are as follows:

1. A commercial circuit extends from the customer to the DISN node. At the DISN router the customer connects to the NFG COI (MPLS VPN) for logical transport to the NFG site.

2. Mission Partners currently connected to the DISN router for NIPRNet access will connect to the NFG COI (MPLS VPN), eliminating NIPRNet access without passing through the NFG first.

3.12.2 NFG Physical Connections

Physical connections are terminated on the NFG using up to OC-12 SONET 1Gb and 10Gb Ethernet (copper or fiber) connections. A non-DoD organization such as a Federal Department/Agency, DoD contractor, or other mission partners may connect to the NFG router via third-party leased circuit or DISN transport in consonance with a formal agreement (e.g., contract, MOU, MOA, etc.). In cases where the Mission Partner equipment is collocated with an NFG site, the Mission Partner Customer Premise Equipment (CPE) can connect to the NFG using a direct cable connection without a leased circuit and/or DISN transport. Physical connection use cases are as follows:

1. A commercial carrier extends a circuit from the Mission Partner service point to the NFG site.

2. A commercial carrier extends a circuit from the Mission Partner service point to DISN physical transport for a dedicated circuit to an NFG site.

3. A Mission Partner plugs directly into DISN transport for a dedicated circuit to an NFG site.

3.12.3 NFG Connection Approval Requirements

Connections to the NFG are either physical or logical.

Physical connections that are directly homed to the NFG use point-to-point circuits between the NFG and a Mission Partner's network. Logical connections are physically homed to a NIPRNet router but are connected to the NFG via an encapsulated tunnel. NFG connections require a modified Connection Approval Process package as illustrated below. NFG connections will be annotated in SNAP database as "NIPR FED GW." Qualified NFG connections will receive an ATC/IATC and be reviewed in accordance with the established agreement (e.g., MOA/MOU/SLA).

CAP Package Required Documentation: NFG Connections 
Signed DoD CIO validation memo (e.g., MOU/MOA/SLA)... 
Network topology diagram/SDD 
Valid PPSM registration identification number 
Required current POC information 
Authorization to Operate (ATO) letter 

3.12.4 Ordering NFG Connections

Orders for NFG circuits are submitted to the DISA Direct Order Entry (DDOE):

1. After obtaining access, Mission Partners use DDOE to generate Telecommunications Service Requests (TSR) to have circuits provisioned to the NFG. Refer to the DDOE website (https://www.disadirect.disa.mil/products/asp/welcome.asp) for information on the circuit-ordering process.

    a. For logical connections, the VPN Identification (ID) number for the NFG Community of Interest (COI) service is provided by DISA and is always the same for every Mission Partner.

    b. The VPN ID for NFG COI Service is DKL300249.

    c. DDOE assigns the VPN ID to all Mission Partners requesting NFG COI Service.

Note: The mission partner must first register for access to the DDOE site using the following link: https://www.disadirect.disa.mil/products/asp/welcome.asp.  

2. The TSR initiates the process of identifying Mission Partner requirements and provisioning the new NFG circuit paths based on the approved engineering design and connection approval package.

3. To revise approved connections, Mission Partners must update the approved CAP or submit a new CAP based on the approved engineering solutions.

4. Mission Partners must ensure they have obtained and completed the NIPRNet Federated Gateway Questionnaire as well as the NIPRNet Federated Gateway Policy spreadsheet (https://www.disa.mil/Network-Services/VPN/MPG). Should applicable PPSM not be identified, the corresponding services will not be available. This may result in subsequent submissions of firewall rule requests to support mission partner/sponsor requirements.

DoD policy also requires that DoD Components register their IS information in the DoD Information Technology Portfolio Repository (DITPR) at https://ditpr.dod.mil.

Use of the unclassified DITPR is preferred for registration of all information systems, including classified systems. There are numerous classified systems registered in the unclassified DITPR, without inclusion of classified information about the system. However, an information system may be registered using the SIPRNet IT Registry (SITR) if the description of the information system must contain classified material, or if the organization (such as a CCMD) routinely uses the SIPRNet. The link to the SITR on SIPRNet is: https://dodcio.osd.smil.mil/itregistry. For additional assistance using SITR, send email to osd.mc-alex.dod-cio.mbx.ditpr-support-team@mail.mil and include 'SIPR IT Registry' in the subject line.

CC/S/A may have internal databases that need to be updated with connection information. Check with the CC/S/A for additional requirements.

Currently, customers that have a current ATC for a traditional NIPR circuit are being reauthorized/reaccredited for moving to the JRSS stack. This only applies to NIPR circuits. SIPR circuits are not yet being moved to JRSS.

The following procedures will allow the customer to create a SNAP registration:

1. To register a JRSS connection in SNAP, in the NIPR module select ‘New Registration’.

2. In Section 0.1, for Connection Type, select JRSS instead of DoD.

3. In Section 1, there is a question, 'Is this systems connection type JRSS?' Select Yes and type in the VRF in the block below. NOTE: Currently the VRF will not show if the customer goes to the My Entries report. Until that is fixed, the customer will have to search by Registration ID for that registration.

4. Internal boundary defense equipment (firewall, IDS/IPS) is no longer required on the topology and will not be evaluated by the analysts. The JRSS stack must be shown on the topology.

5. Other than using the Virtual Routing and Forwarding (VRF) identifier instead of a CCSD, JRSS packages are submitted like any other Connection Approval package. Please remember to show the VRF on the documentation where the CCSD would previously have been identified.

The CAO analysts will review the package and an Approval to Connect (ATC) will be issued.

Upon submittal of the registration, the CAO will review all sections of the registration for completeness and compliance. In the event a section is incomplete or a non-compliant artifact is uploaded to the database, that individual section will be rejected. The POCs listed in the database will receive notification of a rejected registration, including what documentation is missing or non-compliant from the package. The customer must log back into the database and complete or upload the updated artifact for the rejected section. Typically, when all the connection approval requirements are met, an ATC or IATC will be issued within eight (8) business days.

As an integral part of the process, the CAO assesses the level of risk the customer’s network enclave poses to the specific DISN network/service and to the DODIN community at large. The identification of cybersecurity vulnerabilities or other non-compliance issues and the responsiveness of the affected enclave in implementing appropriate remediation or mitigation measures against validated vulnerabilities will have a direct impact on the risk assessment, and subsequently on the connection approval decision.

An ATC/IATC will authorize the partner to connect to the DISN network/service defined in the connection approval, up to the Authorization Termination Date (ATD). The results of the risk assessment may warrant the issuance of a connection approval decision with a validity period shorter than that of the authorization decision ATD. In such cases, the CAO will provide justification to the DAA/AO for the shorter validity period.

If the CAO assesses that an enclave’s connection to the DISN poses a potentially "high" impact community risk, it will forward the connection request to the DSAWG as part of the executive risk function in accordance with DoDI 8500.01 (ref a) and DoDI 8510.01 (ref d). The CAO will provide the AO the justification for the assessment and inform the AO that current guidance (i.e., policy, DSAWG decision, STIGs, etc.) from DISN/DODIN DAAs/AOs precludes the issuance of an ATC without additional review of the enclave cybersecurity status by the community authorization bodies.

Type accredited/authorized systems refer to a generally standardized configuration for two or more circuits. Although they have similar configurations, they are still individual circuits, and are registered individually in SNAP or SGS. Each circuit under a type accreditation/authorization must have an individual topology that shows, among other things, the unique IP addresses assigned to that circuit. They may all use the same Scorecard/SAR/ATO/IATO, SIP, and POA&M.

Once the CAO makes a connection decision, the partner is notified:

Connection Approval

If the connection request is approved, the partner is issued an ATC or ATC with conditions. The validity period is specified in the ATC letter. After the connection is approved, the partner must work with DISN Implementation to complete the installation of the circuit. The connection approval is valid until the expiration date. The AO must notify the CAO of significant changes, such as architecture changes requiring re-authorization/re-accreditation, movement of the enclave to a new location, changes in risk posture, etc., that may cause a modification in the cybersecurity status of the enclave or if the connection is no longer needed.

Denial of Approval to Connect

If the connection request is rejected, the CAO will provide the partner a list of corrective actions required before the connection can be approved. The process will restart at Section 3.5.

If for any reason it becomes necessary to discontinue the use of an enclave, the customer must submit via e-mail the discontinuance or cancellation TSO/IER to the CAO (e.g., SIPRNet: disa.meade.ns.mbx.ccao@mail.smmil.mil or NIPRNet: disa.meade.ns.mbx.ucao@mail.mil). The CAO will upload the TSO or IER in the respective database and close the registration for that CCSD.

Connection Approval Office (CAO)

CAO for Unclassified Connections: disa.meade.re.mbx.ucao@mail.mil, disa.meade.re.mbx.ucao-waivers@mail.mil

CAO for Classified Connections: disa.meade.re.mbx.ucao@mail.smil.mil, disa.meade.re.mbx.ucao-waivers@mail.smil.mil

Phone (Commercial): 301-225-2900, 301-225-2901

Phone (DSN): 312-375-2900, 312-375-2901

DISA CONUS Provisioning Center

Unclassified E-mail: provtms@scott.disa.mil

Address: PO Box 25860, Scott AFB, IL 62225-5860

Procedures for connecting to Cloud computing services are currently documented in the Cloud Connection Process Guide (ref aL). Cloud connection procedures will be addressed in future editions of the DISN CPG.