The enclave must be dual homed to two geographically diverse DISN SDNs and DISN WAN Service (NIPRNet or SIPRNet) Aggregation Routers (AR) or DISN Provider Edge (PE) routers.
An XCCDF Rule
Description
Redundancy and dual homing are used within the DISN core to provide for continuity of operations (COOP) if a piece of equipment, circuit path, or an entire service delivery node (SDN) is lost. DOD policy also requires DOD enclaves that support command and control (C2) users for data services to be dual homed to the DISN core SDNs. This means there will be two physically separate access circuits from the enclave to two geographically diverse DISN SDNs. Once the access circuits arrive at the SDNs, the circuits must be connected to two geographically diverse DISN WAN Service (NIPRNet or SIPRNet) Aggregation Routers (AR) or DISN Provider Edge (PE) routers. Depending on the size of the SDN, one or both of the access circuits must be extended to another SDN containing the AR or PE. ARs are also dual homed to geographically diverse DISN PE routers. A single circuit provides far less redundancy and reliability than dual circuits. This redundancy is required to increase the availability of access to the DISN core and so provide a greater chance of achieving assured service. This need extends to assured service C2 VVoIP communications, which is why it is checked here.
- ID: SV-259915r948761_rule
- Severity: Medium
Remediation - Manual Procedure
If the VVoIP system connects to the DISN WAN for VVoIP transport between enclaves AND the system is intended to provide assured service communications to any level of C2 user (Special C2, C2, C2(R)), ensure the enclave is dual homed to two geographically diverse DISN SDNs and DISN WAN Service (NIPRNet or SIPRNet) routers.
NOTES:
- This means there are two DISN (or commercial) access circuits (many circuits will have a commercial component, typically the "last mile") from the site/enclave to the DISN SDNs.
- This assumes the site/enclave is NOT collocated with a DISN SDN such that a direct Ethernet or optical connection can be made.
- If a site is located at a DISN SDN and is able to directly connect to the SDN using Ethernet or optical connections, the site may be able to rely on the dual homing of the SDN into the core. However, the site must still be homed to two geographically diverse ARs. This depends on the size or type of the SDN. A large site directly connected to a smaller SDN will implement an access circuit to a geographically diverse SDN (i.e., another SDN in another location remote from the local SDN). This should not be one of the SDNs to which the local SDN is homed.