Tunneling of classified traffic across an unclassified IP transport network or service provider backbone must be documented in the enclaves security authorization package and an Approval to Connect (ATC), or an Interim ATC must be issued by DISA prior to implementation.

From Network Infrastructure Policy Security Technical Implementation Guide

Part of Unapproved SIPRNet traffic exists

SV-15494r2_rule Tunneling of classified traffic across an unclassified IP transport network or service provider backbone must be documented in the enclaves security authorization package and an Approval to Connect (ATC), or an Interim ATC must be issued by DISA prior to implementation.

Vulnerability discussion

CJCSI 6211.02E instruction establishes policy and responsibilities for the connection of any information systems to the Defense Information Systems Network (DISN) provided transport. Enclosure E mandates that the CC/S/A document all IP tunnels transporting classified communication traffic in the enclave’s security authorization package prior to implementation. An ATC or IATC amending the current connection approval must be in place prior to implementation.

Check content

Review the enclave's security authorization package and the ATC or Interim ATC amending the connection approval received. If the tunneling of classified traffic is not documented in the security authorization package and an ATC or Interim ATC, this is a finding.

Fix text

Document the tunneling of classified traffic in the security authorization package and the ATC or Interim ATC.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.