NAVY IMPLEMENTATION OF DOD CYBERSECURITY CAMPAIGN REPORTING:

UNCLASSIFIED//
ROUTINE
R 012027Z SEP 15
FM CNO WASHINGTON DC
TO NAVADMIN
INFO CNO WASHINGTON DC
BT
UNCLAS

NAVADMIN 210/15

MSGID/ GENADMIN/CNO WASHINGTON DC/N2N6BC/AUG//

SUBJ/NAVY IMPLEMENTATION OF DOD CYBERSECURITY CAMPAIGN REPORTING//

REF/A/MEMO/DOD CYBERSECURITY CAMPAIGN/04JUN15//
REF/B/MEMO/IMPLEMENTATION AND REPORTING OF DOD PUBLIC KEY INFRASTRUCTURE 
(PKI) SYSTEM ADMINISTRATOR AND PRIVILEGED USERS AUTHENTICATION/05JUL15//
REF/C/MSG/USCYBERCOM/061534ZJUL15//
REF/D/MSG/COMFLTCYBERCOM/082247ZJUL15//
REF/E/MSG/COMFLTCYBERCOM/161300ZJUL15//
REF/F/MSG/CNO WASHINGTON DC/N2N6BC/051837ZAUG15//
REF/G/DOC/DOD/CYBERSECURITY DISCIPLINE TIGER TEAM IMPLEMENTATION 
PLAN/19AUG15//

NARR/REF A IS THE DOD CYBERSECURITY CAMPAIGN PLAN, WHICH REINFORCES THE 
USCYBERCOM OPERATION CYBER SHIELD IDENTIFYING ACTIONS REQUIRED BY COMMANDERS 
AND LEADERS TO ENFORCE CYBERSECURITY COMPLIANCE AND ACCOUNTABILITY.  REF B IS 
THE DOD MEMO MANDATE TO ACCELERATE PKI ENFORCEMENT OF SYSTEM ADMINISTRATOR 
AND PRIVILEGED USER ACCOUNTS. REF C IS USCYBERCOM TASKORD 15-0102 DIRECTING 
THE ACCELERATION OF DOD PKI SYSTEM ADMINS AND PRIVILEGED USER AUTHENTICATION. 
REF D IS FLEET CYBER COMMAND TASK ORDER 15-030 TO ACCELERATE SYSTEM 
ADMINISTRATOR AND PRIVILEGED USER AUTHENTICATION. REF E IS CTF 1010 TASKORD 
15-0002 WHICH DIRECTS THE IMPLEMENTATION OF AN UPDATED HOST BASE SECURITY 
SOLUTION (HBSS) BASELINE NLT 01DEC15. REF F IS THE CYBERSECURITY 
IMPLEMENTATION PLAN NAVADMIN 183/15 PROVIDING ADDITIONAL ACCELERATION 
GUIDANCE OF PKI HARDENING. REF G IS THE DOD IMPLEMENTATION PLAN THAT 
REINFORCES BASIC CYBERSECURITY REQUIREMENTS IDENTIFIED IN DIRECTIVES, ORDERS, 
AND POLICIES.
//
POC/MR. ANDREJ STARE/CIV/OPNAV N2N6BC/WASHINGTON DC/TEL:  571-256-8284/EMAIL: 
andrej.stare@navy.mil//

RMKS/1. References A - G outline objectives for Commanders and Civilian 
leaders to secure and defend their segments of the Department of Defense 
(DoD) Information Network (DoDIN) while enforcing accountability and 
readiness across assigned forces. Securing the DoDIN to provide mission 
assurance requires leadership at all levels to implement cybersecurity 
discipline, enforce accountability, and manage the shared risk to all Navy 
missions. Therefore, the Cybersecurity Campaign focuses on ensuring 
accountability at all levels for the below key tasks by including the results 
of Navy’s cybersecurity compliance with readiness reporting in the Defense 
Cyber Scope (DCS) tool.  The seven key areas are: PKI enforcement, securing 
outward facing servers behind DoD Demilitarized Zones (DMZ), reducing the 
number of unsupported operating systems, ensure system accreditation, Host 
Based Security System (HBSS) continuous monitoring, configuration control, 
and patch management.

2. Immediate action: Echelon II Commanders must designate a Cybersecurity 
Campaign Lead (CCL) and report the name of CCL as the primary cybersecurity 
metrics point of contact (POC) to the OPNAV N2/N6 POC listed in this NAVADMIN 
NLT 8 September, 2015.
a. The CCL will be responsible for establishing a user account in DCS. Upon 
account creation, the CCL shall create a Sub-Echelon II reporting structure 
to collect Cybersecurity Campaign metrics for each subcomponent. 
Additionally, the CCL is responsible for ensuring that reporting requirements 
are disseminated down to all the commands subcomponents.
b. No later than the fifth calendar day of each month, the CCL shall submit a 
consolidated report and ensure that the Echelon II metrics are reported in 
DCS for OPNAV N2/N6 review. Echelon II Commanders are ultimately responsible 
for ensuring that the data collected is validated and accurately reported in 
the DCS tool prior to submission to OPNAV N2/N6.
d. The link to the DCS DoD Enterprise Reporting tool is: https://emass-
ers.csd.disa.mil/Home?ReturnUrl=%2fFismaDash%2fHome

3. In support of the DoD Cybersecurity initiatives, Navy must report DoD 
Cybersecurity Scorecard metrics on a monthly basis.  Commands shall report 
the metrics outlined in DCS to the best of their ability no later than the 
fifth calendar day of each month, noting the Commanders confidence level in 
the numbers.  Metrics are to be further categorized by afloat and ashore 
where applicable.  DoD and OPNAV N2/N6 expect the reporting numbers and 
confidence to be low initially and increase over the course of the next few 
months for certain metrics.  For HBSS-dependent metrics, Commanders are 
required to ensure compliance no later than 1 December 2015 IAW Reference E.  
Command specific actions:
a. U.S. Fleet Cyber Command/U.S. Tenth Fleet (FCC/C10), as the Network 
Operational Commander, is responsible for the reporting and validating of key 
metrics for all Navy Information Technology (IT) assets and accounts in all 
domains secret and below, the outward facing webservers behind approved Navy 
and DoD DMZs, afloat and ashore Enterprise networks (i.e. Navy Marine Corps 
Internet (NMCI), OCONUS Navy Enterprise Network (ONE-Net), IT-21, and CANES) 
except those listed in paragraph 3.b.
b. All other Echelon II Commanders are responsible for the reporting and 
validating of key metrics for all Navy IT assets and accounts for all 
networks previously considered excepted and legacy in all domains secret and 
below.  These excepted and legacy networks specifically include: Research, 
Development, Training, and Education(RDT&E), non-NMCI, non-ONE-Net, including 
ONE-Net transport Community of Interest (COI) assets, Satellite, PSNET, 
METOC, Commercial Shipyard, Navy Exchange, Medical, Education, Prison 
Networks, NMCI Contract Line Item Number (CLIN) 27 assets (i.e. DON Servers 
that have migrated and are connected to NMCI enclave, DMZ, or COI 
environments), NMCI CLIN 6AR workstations (Program of Record such as Global 
Command and Control System (GCCS)), and NMCI CLIN 32 (COI Service Delivery 
Point) servers and workstations, and NGEN CLIN 58 in DCS.
c. OPNAV N2/N6 will report System Authorization Metrics, however, Echelon II 
Commanders are responsible for ensuring that the data in DoD Information 
Technology Portfolio Repository (DITPR) is current and properly maintained.

4. Echelon IIs requesting relief from the mandates in reference G must 
provide an operational impact statement with justification for non-
compliance.  All waiver requests should be submitted via the OPNAV N2/N6 POC 
listed in this NAVADMIN.  Any requests exceeding 12 months will forwarded to 
DoN CIO to DoD CIO for review and approval / disapproval.  Waiver request 
justifications must fall into one of the below categories:
a.	Statutory: Laws or regulations prohibit changes to the capability / 
system.
b. Proprietary: Non-DoD / government organization owns information / data / 
software.
c. Timeline: Will not meet the deadline for completion, but can become 
compliant within 365 days of deadline.
d. Resources: Cost is prohibitive to implementation before system replacement 
- will not be compliant within 365 days of deadline.
e. Technical Solutions in Development: Solution is currently in development 
with a plan to be compliant will not be compliant within 365 days of 
deadline.

5. This NAVADMIN will remain in effect until cancelled or superseded.

6. Released by VADM Ted N. Branch, Deputy Chief of Naval Operations,
Information Dominance, OPNAV N2/N6.//

BT
#0001
NNNN
UNCLASSIFIED//