The NIPRNET Federated Gateway (NFG) (aka Mission Partner Gateway (MPG) for JIE) provides a secure, robust, and scalable means for non-DoD Federal Agencies, mission partners, and contractors to connect to the Unclassified but Sensitive Internet Protocol (IP) Router Network (NIPRNet). The NFG supports both logical and physical connections.
Note: It is strongly recommended that mission partners communicate with current service providers to ensure the smooth circuit hand off to NFG site/DISN Transport nodes. Logical circuits are an interim solution for migration to NFG and not meant to be an end state/long term solution.
3.12.1 NFG Logical Connections
Existing Mission Partner connections to NIPRNet may be extended to NFG without installing new physical circuits. This can be accomplished by provisioning logical tunnels using Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) or Internet Protocol Security (IPsec) VPN over the DISN. These tunnels extend existing Mission Partner connection(s) to the NFG, and the traffic will flow to the NFG on a slightly different path than traffic originating from physical connections. Encryption is also available for logical connections if required by the Mission Partner. Mission Partners are required to maintain a direct physical connection to a DISN node to be eligible for a logical connection. Logical connections through sponsors or other DoD agencies are not supported. Logical connection use cases are as follows:
1. A commercial circuit extends from the customer to the DISN node. At the DISN router the customer connects to the NFG COI (MPLS VPN) for logical transport to the NFG site.
2. Mission Partners currently connected to the DISN router for NIPRNet access will connect to the NFG COI (MPLS VPN), eliminating NIPRNet access without passing through the NFG first.
3.12.2 NFG Physical Connections
Physical connections are terminated on the NFG using up to OC-12 SONET, 1Gb and 10Gb Ethernet (copper or fiber) connections. A non-DoD organization such as a Federal Department/Agency, DoD contractor, or other mission partner may connect to the NFG router via third-party leased circuit or DISN transport in consonance with a formal agreement (e.g., contract, MOU, MOA, etc.). In cases where the Mission Partner equipment is collocated with an NFG site, the Mission Partner Customer Premise Equipment (CPE) can connect to the NFG using a direct cable connection without a leased circuit and/or DISN transport. Physical connection use cases are as follows:
1. A commercial carrier extends a circuit from the Mission Partner service point to the NFG site.
2. A commercial carrier extends a circuit from the Mission Partner service point to DISN physical transport for a dedicated circuit to an NFG site.
3. A Mission Partner plugs directly into DISN transport for a dedicated circuit to an NFG site.
3.12.3 NFG Connection Approval Requirements
Connections to the NFG are either physical or logical.
Physical connections that are directly homed to the NFG use point-to-point circuits between the NFG and a Mission Partner's network. Logical connections are physically homed to a NIPRNet router but are connected to the NFG via an encapsulated tunnel. NFG connections require a modified Connection Approval Process package as illustrated below. NFG connections will be annotated in the SNAP database as "NIPR FED GW." Qualified NFG connections will receive an ATC/IATC and be reviewed in accordance with the established agreement (e.g., MOA/MOU/SLA).
CAP Package Required Documentation: NFG Connections
Signed DoD CIO validation memo (e.g., MOU/MOA/SLA)...
Network topology diagram/SDD
Valid PPSM registration identification number
Required current POC information
Authorization to Operate (ATO) letter
3.12.4 Ordering NFG Connections
Orders for NFG circuits are submitted to the DISA Direct Order Entry (DDOE):
1. After obtaining access, Mission Partners use DDOE to generate Telecommunications Service Requests (TSR) to have circuits provisioned to the NFG. Refer to the DDOE website (https://www.disadirect.disa.mil/products/asp/welcome.asp) for information on the circuit-ordering process.
a. For logical connections, the VPN Identification (ID) number for the NFG Community of Interest (COI) service is provided by DISA and is always the same for every Mission Partner.
b. The VPN ID for NFG COI Service is DKL300249.
c. DDOE assigns the VPN ID to all Mission Partners requesting NFG COI Service.
2. The TSR initiates the process of identifying Mission Partner requirements and provisioning the new NFG circuit paths based on the approved engineering design and connection approval package.
3. To revise approved connections, Mission Partners must update the approved CAP or submit a new CAP based on the approved engineering solutions.
4. Mission Partners must ensure they have obtained and completed the NIPRNet Federated Gateway Questionnaire as well as the NIPRNet Federated Gateway Policy spreadsheet (https://www.disa.mil/Network-Services/VPN/MPG). Should applicable PPSM not be identified, the corresponding services will not be available. This may result in subsequent submissions of firewall rule requests to support mission partner/sponsor requirements.
DoD policy also requires that DoD Components register their IS information in the DoD Information Technology Portfolio Repository (DITPR) at https://ditpr.dod.mil.
Use of the unclassified DITPR is preferred for registration of all information systems including classified systems. There are numerous classified systems registered in the unclassified DITPR, without inclusion of classified information about the system. However, an information system may be registered using the SIPRNet IT Registry (SITR) if the description of the information system must contain classified material, or, if the organization (such as a CCMD) routinely uses the SIPRNet. The link to the SITR on SIPRNet is: https://dodcio.osd.smil.mil/itregistry - for additional assistance using SITR, send email to: osd.mc-alex.dod-cio.mbx.ditpr-support-team@mail.mil and include 'SIPR IT Registry' in the subject line.
CC/S/A may have internal databases that need to be updated with connection information. Check with the CC/S/A for additional requirements.