NAVY SCANNING POLICY:

UNCLASSIFIED//
ROUTINE
R 251522Z APR 19
FM CNO WASHINGTON DC
TO NAVADMIN
INFO CNO WASHINGTON DC
BT
UNCLAS

NAVADMIN 097/19

PASS TO OFFICE CODES:
FM CNO WASHINGTON DC//N2N6//
INFO CNO WASHINGTON DC//N2N6//
MSGID/GENADMIN/CNO WASHINGTON DC/N2N6/APR//

SUBJ/NAVY SCANNING POLICY//

REF/A/TASKORD/USCYBERCOM/311857ZJAN17//
REF/B/INST/DOD/28JUL17//
NARR/REF (A) IS UNITED STATES CYBER COMMAND TASK ORDER 17-0019, ASSURED 
COMPLIANCE ASSESSMENT SOLUTION (ACAS) OPERATIONAL GUIDANCE.  
REF (B) IS DEPARTMENT OF DEFENSE (DOD) INSTRUCTION, RISK MANAGEMENT FRAMEWORK 
(RMF) FOR DOD INFORMATION TECHNOLOGY (IT).// 
POC/KELLEY/CIV/OPNAV N2N6G5/WASHINGTON DC/
TEL: 571-256-8509/E-MAIL: peter.kelley@navy.mil//

RMKS/1.  This policy is applicable to all Navy commands and both acquisition 
and non-acquisition programs, regardless of designation as Information 
Technology (IT), Weapon System, Platform Information Technology (PIT), or 
Control System.  U.S. Fleet Cyber Command (FLTCYBERCOM) will issue scanning 
implementation guidance via Navy Execute Order (EXORD).

2.  This policy mandates compliance with reference (a) and is issued to 
eliminate the significant administrative burden of processing repetitive 
waivers for specific situations.  The eight situational waivers listed in 
paragraph 4 can be applied to all components within the Assessment and 
Authorization (A&A) boundary or limited to specific components as appropriate.  
The system must maintain a valid authorization and apply an alternate form of 
compliance.  Acceptable alternate methods of determining and maintaining 
cybersecurity posture are provided by the Navy Information 
Technology/Cybersecurity Technical Advisory Board (Navy IT/CS TAB).

3.  Echelon II commands will maintain oversight, and Programs of Record (POR) 
will document the alternate form of compliance in the Risk Management 
Framework (RMF) System Level Continuous Monitoring (SLCM) Plan.  Each Echelon 
II will annually verify, and report to FLTCYBERCOM and the Deputy Chief of 
Naval Operations for Information Warfare (OPNAV N2N6), the listing of systems 
(i.e., Enterprise Mission Assurance Support Service (eMASS) records) that 
contain exempt components.

4.  Effective immediately, in accordance with reference (a), an Information 
System (IS) component may be waived from the Assured Compliance Assessment 
Solution (ACAS) scan requirement only if one of the following criteria is 
met.
    a.  ACAS incompatible Operating System (OS) or Internetwork OS (IOS).  
The Security Control Assessor (SCA) will have concurred ACAS is incompatible 
and determined an alternate method of assessing control compliance in the 
Security Assessment Plan (SAP).
    b.  ACAS compatible OS or IOS that only uses a non-Internet Protocol 
connection (regardless of physical media).  ACAS may have been identified in 
the SAP to assess security posture in a lab (non-operational installation), 
but use of ACAS on fielded systems is not possible.
    c.  Disposable systems with integrated Information Technology (IT).  The 
Navy has a number of systems that have IT built in but are designed to be 
disposable (e.g., missiles, torpedoes, and sonobuoys).  Only the disposable 
components within the A&A boundary are waived from ACAS.
    d.  Research, Development, Test, and Engineering (RDTE) network Zone D 
enclaves.
    e.  Medical or weapons systems where scanning could potentially result in 
the loss of life.
    f.  Systems that have limited bandwidth where scanning negatively impacts 
mission execution.  In this case, scanning should still be implemented to the 
greatest extent operationally possible, such as periodically connecting to 
local networks for scanning when not operational.  Where systems can be 
scanned but bandwidth limitations restrict uploading and reporting, the scan 
results should be reviewed locally.  The IT/CS TAB Cybersecurity Posture 
Process specifies scanning, documenting, and maintaining a system baseline 
for this exemption criterion.
    g.  Physically or cryptographically (High Assurance Internet Protocol 
Encryptor (HAIPE)) isolated systems.  This includes Top Secret General 
Service (TS GENSER) systems, Radio Frequency (RF) control systems, 
NSA-approved Commercial Solutions for Classified (CSfC), and systems that 
only communicate within a closed or isolated boundary.  Isolation by 
Hypertext Transfer Protocol Secure (HTTPS), Secure Sockets Layer (SSL), or 
Virtual Private Network (VPN) alone does not qualify.
    h.  Systems that only use a Defense Switched Network (DSN) connection.

5.  If one of the exemption criteria in paragraph 4 is met, the Echelon II 
command will provide justification to the cognizant SCA and Authorizing 
Official (AO) for analysis and approval during the RMF process, preferably 
during Steps 1 and 2.  For example, if during RMF SAP development the SCA 
determines that, based on the criteria above, ACAS is not an appropriate 
tool for cybersecurity posture scanning, the SCA can provide that 
recommendation to the AO.  Systems that meet the criteria identified above, 
and that have received a situational waiver determination from the AO, shall 
document the exemption approval within the eMASS record in accordance with 
reference (b).

6.  All other situations require a full waiver from the Deputy Department of 
the Navy Senior Information Security Officer (Navy) (DDSISO(N)).  Echelon II 
commands shall request an ACAS waiver in accordance with reference (a), 
preferably during RMF Steps 1 and 2.  Approvals shall be documented in the 
appropriate eMASS record by the Echelon II.

7.  This NAVADMIN will remain in effect until canceled or superseded.

8.  Released by VADM Matthew J. Kohler, Deputy Chief of Naval Operations for 
Information Warfare, OPNAV N2N6.//

BT
#0001
NNNN
UNCLASSIFIED//