Skip to content
Catalogs
XCCDF
Network Infrastructure Policy Security Technical Implementation Guide
NET-TUNL-028
Tunneling of classified traffic across an unclassified IP transport network or service provider backbone must be documented in the enclaves security authorization package and an Approval to Connect (ATC), or an Interim ATC must be issued by DISA prior to implementation.
Tunneling of classified traffic across an unclassified IP transport network or service provider backbone must be documented in the enclaves security authorization package and an Approval to Connect (ATC), or an Interim ATC must be issued by DISA prior to implementation. An XCCDF Rule
Tunneling of classified traffic across an unclassified IP transport network or service provider backbone must be documented in the enclaves security authorization package and an Approval to Connect (ATC), or an Interim ATC must be issued by DISA prior to implementation.
High Severity
<VulnDiscussion>CJCSI 6211.02D instruction establishes policy and responsibilities for the connection of any information systems to the Defense Information Systems Network (DISN) provided transport. Enclosure E mandates that the CC/S/A document all IP tunnels transporting classified communication traffic in the enclave's security authorization package prior to implementation. An ATC or IATC amending the current connection approval must be in place prior to implementation.
Enclosure D of the CJCSI 6211.02D also provides guidance on the requirements of tunneling classified data (section 15.a), which helps a CC/S/A determine applicability to their mission. Items include but are not limited to:
- minimize tunneling of classified data over transport other than DISN provided transport (i.e., SIPRNET);
- ensure the Authorizing Official (DAA) validates all requirements to tunnel classified information across unclassified IP infrastructure;
- obtain DSAWG approval before tunneling classified data across unclassified IP infrastructure;
- ensure transmission of classified information is secured through use of authorized cryptographic equipment and algorithms and/or PDSs;
- document IP tunnels transporting classified communication traffic in the enclave’s security authorization package prior to implementation;
- an ATC or IATC amending the current connection approval must be in place prior to implementation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>