Network Infrastructure Policy Security Technical Implementation Guide

NET1026

Syslog messages must be retained for a minimum of 30 days online and then stored offline for one year.

NET1040

Current and previous network element configurations must be stored in a secured location.

NET1050

The organization must encrypt all network device configurations while stored offline.

NET1622

An Out-of-Band (OOB) management network must be deployed or 24x7 personnel must have console access for device management.

NET1815

All Releasable Local Area Network (REL LAN) environments must be documented in the System Security Authorization Agreement (SSAA).

NET1816

Annual reviews must be performed on all Releasable Local Area Network (REL LAN) environments.

NET1826

Enabling a connection that extends DISN IP network connectivity (e.g., NIPRNet and SIPRNet) to any DoD Vendor, Foreign, or Federal Mission Partner enclave or network without a signed DoD CIO approved sponsorship memo is prohibited. For classified connectivity it must be to a DSS approved contractor facility or DoD Component approved foreign government facility.

NET1827

Command and Control (C2) and non-C2 exceptions of SIPRNet must be documented in the enclaves accreditation package and an Authority to Connect (ATC) or Interim ATC amending the connection approval received prior to implementation.

NET1832

VPN gateways used to create IP tunnels to transport classified traffic across an unclassified IP network must comply with appropriate physical security protection standards for processing classified information.

NET2000

Multi-Protocol Labeled Switching (MPLS) protocols deployed to build Label-Switch Path (LSP) tunnels must authenticate all messages with a hash function using the most secured cryptographic algorithm available.