united states naval academy annapolis maryland 21402-1300 · 2020-05-15 · united states naval...

DEPARTMENT OF THE NAVY UNITED STATES NAVAL ACADEMY

121 BLAKE ROAD ANNAPOLIS MARYLAND 21402-1300

USNAINST 5230 . lB 6/ITSD 24 May 2016

USNA INSTRUCTION 5230.lB

From : Superintendent , U. S . Naval Academy

Subj: INFORMATION TECHNOLOGY AND CYBERSECURITY POLICY AND STANDARDS

Ref: (a) DoDD 8000 . 01 , Management of the Department of Defense

Encl :

Information Enterprise (DoD IE ) (b) DoDD 8140 . 01 , Cyberspace Workforce Management (c) DoDCIO Policy on Use of Department of Defense

( d)

( e) ( f)

( g)

( 1)

( 2) ( 3)

( 4)

Information Systems Standard Consent Banner and User Agreement , 9 May 2008 USNAINST 5231.lC , Information Technology Life Cycle Management Policy USNAINST 7320 . 10 , USNA Manageme nt of Personal Property Navy Higher Education Network Cybersecurity Concept of Operations (CONOPs) USNAINST 8510 . 01 , Cybersecurity Risk Management

Information Technology and Cybersecurity Policy and Standards Acceptable Use Policy for USNA IT Resources I nformation Technology Services Division Project Request Providing IT Assets , Services , and Support to Exchange Students

1 . Purpose . To establish information technology (IT) and cybersecurity policy and standards for the United States Naval Academy (USNA) per references (a) through (g) .

2 . Cancellation . USNAINST 5230 . lA dated 24 Sep 2014 .

3. Applicability . All elements of this instruction apply to all organizations and personnel using any USNA IT resource including all network infrastructure , hardware, software , and services .

4. Background

USNAINST 5230.lB 24 May 2016

a. Institutional IT policy and standards provide the structure and good order necessary for productivity. Policy and standards also support an environment that gives cost-effective service while maintaining currency in technology. Well-defined policy best serves the uncertain and volatile nature of a limited budget, reduced IT support staff, increased demand for more technology, the necessity for training, shortened product life-cycles, urgency of immediate service, dependence on IT for mission support, and constraints imposed by outside authority. Institutional policy provides the foundation to prudently manage IT resources and a format to analyze courses of actions, select methodologies, and make decisions.

b. USNA embraces an "information engineered" IT environment. Information engineering refers to the seamless integration of information technologies; makes available IT products and services for teaching, learning, training, researching, managing, communicating, and decision making; engineers data into accurate information; strives to make complex IT transparent to the user; and affords everyone from novice to expert the opportunity to be productive.

c. IT must be affordable, achievable, flexible, scalable, migratable, and secure. Affordable means that existing financial assets allow USNA to procure or develop, maintain, upgrade, modernize, and eventually replace technology. Achievable means that existing staff provides for acquisition, systems integration, and operation. Flexible means the technology supports multiple functions. Scalable means the same technology can meet varying demands. Migratable means that the architecture includes a path for the future. Secure means that policies, mechanisms, and infrastructure are in place to manage risks related to confidentiality, integrity, and availability of services and information.

5. Responsibilities

a. The Command Information Officer (Chief Information Officer, CIO) ensures compliance with applicable DoD and DON IT and cybersecurity policies. The CIO shall promulgate policy and

2


standards (enclosure (1)) to implement requirements of this instruction and is responsible for its revision. Enclosures (2) through (4) are used as applicable to execute enclosure (1).

b. All hands shall follow CIO standard procedures implemented per this instruction.

Distribution: Non Mids(electronically) Brigade (electronically)

3


Information Technology and Cybersecurity Policy and Standards

1. Definitions

a. IT resources are all computing and communications systems. Computing systems include all devices with a processing unit (e.g., server, desktop, laptop, tablet, printer, copier, smartphone, storage device, router, switch, intrusion prevention and detection devices, and traffic shaping appliances), devices that can connect to a processing unit (e.g., monitor, external disk, keyboard, mouse, and UPS), software (operating systems, hypervisors and applications including shareware, freeware, and licensed and public domain), and firmware. Communications systems include telephones, telephone switching devices, facsimile machines, and pagers.

b. USNA networks consist of all voice, video, and data infrastructure under the responsibility of the USNA Superintendent. These include but are not limited to:

(1) The USNA mission network consists of the USNA EDU network partitioned into an internal intranet and an extranet demilitarized zone (DMZ), and the USNA MIL network. The USNA EDU network consists of IT resources with connectivity via a usna.edu domain name to the Maryland Research and Education Network (MOREN) . The USNA MIL network consists of IT resources with connectivity via a usna.navy.mil domain name to the Defense Research and Engineering Network (OREN) .

(2) The USNA non-mission network consists of access to MOREN from usna.edu tunneled to the DMZ, and is used to facilitate communications for guests attending officially sponsored USNA activities such as conferences and workshops, and to provide faculty and staff with Internet access from a personally owned device.

(3) All standalone networks without any connectivity to either the intranet or Internet. These networks typically exist as self-contained environments for pedagogical and/or research purposes.

Enclosure (1)


(4) All commercial and/or governmental networks with connectivity to the Internet. These networks typically exist to meet non-standard needs for special-purpose access to external resources.

c. Hardware consists of all computing and peripheral devices whether networked or standalone categorized as information technology equipment.

d. Software consists of all encoded information and computer instructions. It includes applications, programs, libraries, and related non-executable data such as online documentation or digital media.

e. Services consist of the applications and functionality enabled or accessed by USNA IT resources including those which are web-based or available through a cloud service provider. These include but are not limited to file storage and sharing, networking, electronic mail, calendaring, teaching and learning tools, electronic subscriptions, software as a service, platform as a service, etc.

f. Remote access is access to a USNA information system by an authorized user communicating through an external, non-USNA

·controlled network. (e.g. a home network via an internet service provider) . Authorized use of USNA contracted web-based cloud services from a browser on a mobile device is not considered to be remote access.

g. A student is a midshipman, Naval Academy Preparatory School (NAPS) midshipman candidate, or service academy exchange student (domestic and foreign) .

h. A group account (positional account) is one that, by policy, authorizes more than one user to share the same authentication credentials, e.g., the Naval Academy Duty Officer account, [email protected].

2. Authorized Users

a. Students matriculated at USNA and NAPS and personnel assigned to billets listed in the Activity Manpower Document (AMO) of USNA and NAPS are authorized to use the USNA mission

2 Enclosure (1)


network. Selected former civilian USNA faculty members retired from government service, prospective AMO gains, and military on temporary additional duty (TAD) to USNA, and others may be authorized to use the USNA mission network if there is a mission requirement to do so.

b. The User Repository (UR) database is the authoritative source for information employed to populate the enterprise directory, create network accounts, and provide IT services. UR information shall be entered and maintained by the respective data owners.

3. Identity. As a DoD component, the identity management standards for persona display names and email addresses established per reference (a) shall be followed where possible. Military, civilians, contractors, and foreign nationals will be distinctly identified. As an institution of higher education, accommodation may be made for civilian faculty upon request.

4. Managed Services. Authorized users will appear in the enterprise directory. Additional managed IT services required for the performance of duty may be authorized upon request. These include:

a. Mission network account.

b. Email account. Because email is a contracted cloud service that incurs cost, it is not necessarily provided to all authorized users. For example, email service is not provided to all employees paid through non-appropriated funds, Naval Academy Athletic Association (NAAA) employees, and TAD military unless a justified need is demonstrated. ·

c. Enterprise Information System account (e.g., AIS, MIDS, and NSTAR) .

d. USNA public and intranet webserver and web content management system account.

e. Network shared file system.

f. Cloud service account (e.g., Blackboard and Ungerboeck).

3 Enclosure (1)


5. Access Control. The USNA.EDU, USNA.MIL, and guest networks as well as remote user access require different manners of access control.

a. USNA EDU network. A System Access Authorization Request - Navy (SAAR-N) shall be used to request access to the USNA EDU network and associated IT services. Access shall not be granted without an approved SAAR-N. A new SAAR-N shall be initiated to request IT services for USNA faculty who retire from the civil service.

(1) An appropriate supervisor shall initiate each request. Supervisors shall certify that the request is for legitimate and justified needs that support the USNA mission:

(a) IT service for retired USNA faculty members is not a right and must be requested by the Academic Dean.

(b) For exchange students, the request shall originate from the Office of the Commandant of Midshipmen.

(c) For military assigned TAD to USNA, the request shall originate from the Officer Personnel Office.

(d) For students, the request shall originate from the Company Officer.

(2) A group account may be authorized only when no other technical means can provide its functionality.

(3) Privileged users are defined in reference (b). Except where noted below, privileged users shall be certified and trained per reference (b) .

(a) Privileged access shall not be used to perform computing tasks that do not require elevated privilege.

(b) The Internet shall not be accessed from a web browser while logged in to a privileged user account, nor shall email be sent from this account.

(c) Some users perform privileged access system administration functions on information systems that are not

4 Enclosure (1)


enterprise systems (e.g., a faculty research server). These users are not members of the USNA Cybersecurity Workforce (CSWF) as defined in reference (b), but shall sign a privileged access agreement.

b. USNA.MIL network. Access will be via VPN from a nonprivileged user account on the usna.edu intranet.

c. USNA non-mission network. Access is not granted but may be authorized upon special request.

d. Remote access may be authorized for administrative or end-user purposes in support of USNA's mission.

(1) Remote administrative access involves users who connect from a remote location to perform system administration tasks on enterprise systems. Remote administrative access is authorized for members of the CSWF. It shall not be used routinely, but may be used to resolve emergent critical issues that require timely response. Supervisors shall remain informed of this use.

(2) Remote end-user access involves users who connect from a remote location to perform tasks typical of their USNA job description. Remote end-user access is for occasional use and is not telework which requires separate authorization.

(3) Users must sign a Remote Use Agreement before being authorized remote access.

e. Approval Authority

{1) The Corrunand Information Systems Security Manager (ISSM) or designated assistant is the approval authority for granting access to USNA networks.

(2) The Deputy Director of the cognizant ITSD department is the approval authority for granting access to a managed IT service.

(3) The CIO shall approve all IT service requests from retired USNA faculty.

5 Enclosure (1)

6. Authorized Use


a. Authorized use means the IT resource is used to directly support the USNA mission and is not prohibited by law, regulation, instruction, or command policy. Questions concerning authorized use shall be resolved by an appropriate supervisor; the user does not determine what use is authorized.

b. The USNA mission network is a U.S. Government {USG) information system {IS). By accessing a USG IS, the user gives consent to conditions on government-authorized use specified in the reference {c) User Agreement and summarized in login notice and consent banners. The provisions of this agreement and banners apply for all IT services including cloud services accessed from a web browser on a mobile device in any location.

c. Consistent with DoD policy, Cost Center Heads may authorize limited personal use while in the workplace. Authorized personal use includes personal communications (e.g., with family members and medical staff, or for scheduling appointments) as long as the use:

(1) Does not adversely affect the employee's performance of duty.

(2) Is of reasonable duration and frequency, and conducted during the individual's personal time.

(3) Serves a legitimate interest that in some manner supports the USNA mission, such as improving morale, enhancing professional skill, or furthering education.

(4) Does not adversely impact mission network performance.

(5) Does not incur additional cost to USNA.

(6) Is continuously attended.

d. A computing device that is government property issued for employee use while in the USNA workplace may be used outside of the workplace {e.g., during official travel) if:

6 Enclosure (1)


(1) The use is approved by the employee's supervisor.

(2) Unless a formal telework agreement has been approved, the use is temporary (e.g., a laptop may not be used as a "home computer").

(3) The Deputy for Cybersecurity, ITSD, must be contacted in advance if a government computing device is to be used during international travel. The device may require reimaging upon return.

7. General User Responsibilities. Prudent, efficient, cost effective, and secure use of information technology is a professional responsibility. Users shall adhere to the Acceptable Use Policy for USNA IT Resources in enclosure (2), and the Navy User Agreement and Consent Provisions .. In addition,

a. Users are expected to be able to perform basic computing tasks without assistance.

b. Users shall acquire training in the use of the systems required to perform their assigned duties, by attending classes, reading instructions and manuals, viewing tutorial videos, etc.

c. Data to be backed up consumes primary and backup storage space and network bandwidth during backup. Users should be cognizant of what data is being backed up as a service, take care to not duplicate this data, and shall assume responsibility for backing up all other of their own critical data.

d. Users should follow cybersecurity best practices in the workplace, including:

(1) Being wary of email and attachments from unknown sources.

(2) Not clicking links that cannot be verified.

(3) Not downloading anything from untrusted sources.

(4) Not using the same password to authenticate to different accounts or services.

7 Enclosure (1)

8. Life Cycle Management (LCM)

USNAINST 5230.lB 24 ay 2016

a. Abbreviated System Decision Paper (ASDP). Per reference (d), all USNA IT resource needs will be planned and documented annually in an ASDP. Interdependencies with reimbursable and/or gift resources shall be specified in the ASDP. A request for emergent project support not included in a current ASDP should be documented by submitting enclosure (3) which amends the current ASDP.

b. Acquisition. All USNA IT acquisitions require LCM documentation and approval by the Deputy for ITSD prior to procurement. Required documentation (specifications, descriptions, justifications, impact assessments, documents required by the configuration control board (CCB), etc.) prepared by the requesting organization must be accurate. Acquisition of capital equipment or other items resulting in a new or improved information system are funded through an Operations and Maintenance, Navy (O&MN) or Other Procurement, Navy (OPN) account as applicable. Operational support and maintenance to sustain existing information systems as currently configured are funded through the O&MN centralized maintenance account. Consumable supplies, designated non-centralized maintenance actions, and incidental software acquisitions are funded from organizational O&MN expense accounts. Reimbursable and gift acquisitions must provide commensurate lifecycle resources for new capabilities support and sustainment of nonstandard and/or enhanced technologies.

c. Per reference (e), property responsible officers maintain an accurate inventory and disposition of IT assets within his/her department. Lost or stolen IT assets shall be reported per reference (e).

9. World Wide Web

a. The official USNA internal and external web sites are administered by ITSD. Certain areas of the web site are maintained by non-ITSD personnel with oversight and assistance provided by software/application developers assigned to ITSD.

b. Additional USNA policy pertaining to web-page maintainers and content developers is published on the internal USNA web site.

8 Enclosure (1)


10. Semester Exchange Students. ITSD is responsible for providing IT services to visiting cadets participating in the Service Academy Exchange Program, and to Foreign Service Academy cadets identified by the Academic Dean (AcDean) . The Commandant of Midshipmen manages the military affairs of all students and Naval Academy Business Service Division (NABSD) is responsible to issue and maintain student computers. These parties shall coordinate efforts per enclosure (4) to ensure exchange students receive IT services in a timely manner before an academic semester begins.

11. Cybersecurity and Configuration Control

a. Before a federal agency can grant an Authority to Operate (ATO), a government information system, the Federal Information Security Management Act (FISMA) requires these systems to be certified and accredited with respect to cybersecurity risk management. The risk management framework includes continuous monitoring and periodic recertification.

b. The USNA ATO is based on the reference (f) Concept of Operations for an educational environment. The following policies support USNA certification and accreditation:

(1) Personally owned electronic devices are not permitted on the mission network without prior written approval.

(2) A personally owned mobile device shall be registered before it is used to access USNA contracted cloud services, and users shall comply with all conditions of registration (e.g., PIN/password requirements, maintenance of registration, etc.). Loss or theft of registered personally owned mobile devices shall be reported to ITSD.

(3) Device quarantine, seizure, and re-configuration may be used to mitigate risk. Vulnerable software that is not accepted with an approved mitigation plan and is not remediated, as required, will be disabled.

(4) Configuration Control shall be per reference (f} and amplifying procedures as promulgated by ITSD.

9 Enclosure (1)


(5) Members of the USNA Cybersecurity Workforce (CSWF} shall maintain certification and training per reference (b} and procedures established by the CIO.

12. ITSD Support

a. ITSD will assist the customer and approve the acquisition, operations, maintenance, and management of information technologies needed to support the USNA mission. Support will be provided with the following priorities:

(1) Emergent critical (e.g., equipment failure, disaster recovery)

(2) Externally driven (e.g., security, legal)

(3) Enterprise mission (e.g., MIDS, AIS, NSTAR, contracted cloud services}

(4) Academic core (core courses}

(5) Academic major (majors, courses, and electives)

(6) Academic research and administrative (Faculty Research Office}

(7} Administrative (e.g., Institutional Research}

(8) Command support (e.g., conferences, meetings, ECAs)

b. Information Technology Service Center (ITSC}

(1) ITSC supports authorized users and is a single point of contact for reporting problems with, or asking questions about, managed IT services and associated IT resources. ITSC does not provide general education or training in basic computer use, assist with questions related to use of specialized customer software, or maintain student computers.

(2} "Level-ln support is primarily accessible through telephone, remote assistance, or face-to-face help in Ward Hall Room G-1 and departmental IT Specialists. Users with simple issues should use one of these means. ITSC and IT Specialists

10 Enclosure (1)


will attempt to resolve these issues as soon as possible, however support is only provided during normal business hours. These support requests may also be emailed at any time for entry into the support ticketing system, but response time will include ticket processing time. Issues that cannot be resolved this level are escalated to level-2 and entered into the ticketing system for tracking.

(3) "Level-2n support is for level-1 issues identified outside of normal business hours and for issues that might not be resolved in the same day. Technical expertise from a single ITSD department is typically required to address level-2 issues as they often require gathering additional information. ITSD will attempt to resolve level-2 issues within several workdays. Issues not resolved in this timeframe or by a single department are escalated to level-3.

(4) "Level-3n support is required if new solutions must be devised or more than one ITSD department is involved. Resolving level-3 issues will usually take more than several days.

c. Any support issues requiring acquisition to resolve should also be addressed where appropriate through the Life Cycle Management process per reference {d) or Configuration Control Board.

11 Enclosure (1)


Acceptable Use Policy for USNA IT Resources

The USNA mission network is a U.S. Government (USG) information system (IS). By accessing a USG IS, the user gives consent to conditions on government-authorized use specified in the DoD Standard User Agreement and summarized in login notice and consent banners. The provisions of this agreement and banners apply for all IT services including cloud services accessed from a web browser on a mobile device in any location.

A user shall comply with all DoD/DON/USNA policies on use of IT resources, and:

• Must use information technology resources only for authorized education, research, and administrative activities in support of the Naval Academy mission.

• Must remain aware of the licensing terms and conditions of all software they use.

• Must permit system access for vulnerability scanning and remediation.

• Must use official email distribution lists only for missionrelated purposes that are germane to the list.

• Must NOT participate in any behavior that unreasonably interferes with the fair use of IT resources by another (e.g., bandwidth or disk space consumption) .

• Must NOT use images or graphics that reflect adversely on the Naval Academy, including personal images associated with contracted USNA cloud services.

• Must NOT override a displayed persona identity (display name) formatted in accordance with DoD/DON/USNA policy.

• Must NOT remove or disable client software required for network access control or vulnerability scanning and remediation.

Enclosure (2)


• Must NOT use IT resources for illegal or unethical purposes, including:

o Possessing, copying, or using illegal software. o Destruction or damage to Naval Academy or personal

resources. o Disruption or unauthorized monitoring of communications. o Harassment of others. o Dishonesty {plagiarism, cheating, using false identity). o Violation of another individual's privacy. o Violation of copyright and fair use laws. o Violation of licensing agreements. o Any use whose intended purpose is financial gain.

2 Enclosure (2)


Information Technology Services Division Project Request

MEMORANDUM Date

From: Cost Center Head To: Deputy for Information Technology Services

Subj: REQUEST FOR PROJECT SUPPORT

Encl: (as needed)

1. Request for Service. Summarize the details of the requested support.

2. Organizational Point of Contact. Provide the name, title, email address, and telephone number of the individual who will be the principal point of contact on all matters relating to the project.

3. Priority of Request. Indicate one of the following priorities, with justification:

a. mission. feasible.

Mandatory: the accomplishment is critical to the USNA Alternative action is neither unavailable nor

Immediate resolution may be required.

b. Necessary: The accomplishment contributes significantly to improved effectiveness and/or efficiency.

c. Desired: The accomplishment would contribute to improved effectiveness, efficiency, economy, or convenience.

4. Required Date. Provide two realistic dates:

a. Desired Date. Provide the optimum date from the requester's viewpoint.

b. Critical Date. Provide the latest acceptable date for satisfying the request, beyond which a critical deficiency will exist (N/A if priority is desired).

5. Detailed Description of the Service Requested. Include functional requirements, drawings, system specifications, etc.

Enclosure (3)


6. Reason for Request. Justify the request. Address weaknesses in existing systems, the proposed corrections or improvements, and the specific benefits to be realized. Expected benefits may be described in term~ of cost reductions in manpower, supplies, equipment, response time, or increased capabilities.

7. References. List instructions, letters, documents, memoranda, and publications that make the case for and substantiate the request.

8. Funding. Identify the source of funding.

2 Enclosure (3)


Providing IT Assets, Services, and Support to Exchange Students

1. The Academic Dean (ACDEAN) shall, before each semester begins:

a. Provide to ITSD and NABSD the number of computers required by foreign exchange students.

b. Ensure each foreign exchange student has a record in the USNA enterprise MIDS system.

2. The Commandant of Midshipmen shall, before each semester begins:

a. For asset and systems support planning purposes, provide to NABSD the number of computers that will be needed by domestic exchange students.

b. To permit assignment of IT services, ensure each inbound domestic exchange student has a record in the USNA enterprise MIDS system.

c. Initiate a SAAR-N for all exchange students, foreign and domestic.

d. Provide to ITSD any special computer configuration required by the exchange student source organization for consideration in network configuration control (e.g., VPN client software and settings for on-line coursework, course registration) .

e. Before a exchange student returns to the source organization, ensure IT assets are returned to NABSD. This action is necessary for efficient life-cycle management.

3. The Director, NABSD shall:

a. Coordinate with ITSD to provide IT assets with hardware and software functionally equivalent to that issued to an exchange student's USNA year group.

b. Before each semester begins, have sufficient laptop computers available for the amount of exchange students identified by ACDEAN and the Commandant.

Enclosure(4)


c. Provide exchange students with the same computer support services provided Midshipmen.

4. The Deputy, ITSD shall:

a. Coordinate transferring computer custody between NABSD, ITSD and exchange students.

b. Grant exchange students the .standard network services of a USNA midshipman.

c. When possible, accommodate special computer configurations required by the exchange student source organizations.

2 Enclosure (4)

united states naval academy annapolis maryland 21402-1300 · 2020-05-15 · united states naval...

Documents