13.07.2015 Views

(CJCSI) 6211.02C, Defense Information System Network - Air Force ...



INSTALLATION REPORT OF AUDIT
F2010-0016-FCI000
Contractor Circuit Security
75th Air Base Wing
Hill AFB UT
Hill Area Audit Office
18 November 2009


Executive Summary

INTRODUCTION

As a critical portion of the Global Information Grid, the Defense Information System Network furnishes secured network services to Department of Defense installations and deployed forces. As such, contractor internet circuits should be obtained through the Network. Also, Global Information Grid risk management requires that all circuits providing connections to contractor facilities must be established through the Defense Information Systems Agency and receive proper certification and accreditation. Additionally, internet services obtained outside the Defense Information System Network require a Global Information Grid waiver. As of April 2009, the 75th Communications Group maintained 682 circuits providing various communications connections to contractor facilities.

OBJECTIVES

We accomplished this centrally directed audit because unsecured non-DoD circuits could subject the Air Force to serious security risks. The overall objective of this Air Force-wide audit was to determine whether the Air Force effectively managed contractor circuit security. At Hill Air Force Base, we determined if management personnel with the 75th Communications Group properly:

• Obtained security accreditations for contractor circuits.
• Registered contractor circuits in the Defense Information Systems Agency Systems/Network Approval Process database.
• Established circuit connections to contractor facilities.

CONCLUSIONS

Air Force personnel could more effectively manage contractor circuit security. Specifically, Communications Group officials properly determined that the contractor circuits reviewed during the audit did not require accreditation or registration in the Defense Information Systems Agency Systems/Network Approval Process database. This is a result of the systems being outside the base firewall. However, circuit connections to contractor facilities did not meet regulatory requirements as all 16 contractor circuits reviewed were not processed through the required Defense Information Systems Agency Direct connection approval procedures. Also, required Global Information Grid waivers were not obtained. Properly establishing circuit connections to contractor facilities is necessary to ensure sufficient oversight of contractor circuits and accreditation. (Tab A, page 1).


RECOMMENDATIONS

This report does not contain recommendations addressing the issues identified because the concerns discussed above were referred to the Air Force Audit Agency Audit Control Point at the Financial and Systems Audits Directorate, March Air Reserve Base CA, and will be addressed in an Air Force report of audit.

MANAGEMENT’S RESPONSE

Management concurred in principle with the audit results discussed in this report and were responsive to the issues identified. Consequently, this report contains no disagreements requiring elevation to higher headquarters for resolution.

DWIGHT M. KAKAZU
Chief, Audit Team A

GREGORY C. CARLSON
Chief, Hill Area Audit Office


Table of Contents

EXECUTIVE SUMMARY

TAB
A  Contractor Circuits

APPENDIX
I  Audit Scope and Prior Audit Coverage
II  Points of Contact and Final Report Distribution


Tab A
Contractor Circuits

BACKGROUND

Air Force Instruction (AFI) 33-129, Web Management and Internet Use, 30 October 2008, only allows connections or subscriptions to commercial internet service providers for official Department of Defense (DOD) e-mail or network services:

• If such connections or subscriptions are determined necessary.
• The organization has obtained a waiver from the DoD Global Information Grid (GIG) Waiver Board.

Regardless of how communications or internet services are provided, contractor and other non-DoD customers must obtain internet connectivity consistent with requirements provided in the Chairman of the Joint Chiefs of Staff Instruction (CJCSI) 6211.02C, Defense Information System Network (DISN): Policy, Responsibilities and Processes, dated 9 July 2008. Basically, the Instruction requires internet circuits be established via a Defense Information System Network solution, ordered through the Defense Information Systems Agency (DISA). This is because the DISA Direct connection approval process results in assignments of unique command communications service designator identifiers necessary to facilitate DoD oversight of all internet circuits.

AUDIT RESULTS 1 – NON-DISA CIRCUITS

Condition. Circuit connections to contractor facilities did not meet regulatory requirements. Specifically, all 16 contractor circuits reviewed were provided by a commercial internet service provider without going through DISA Direct approval process and obtaining required GIG waivers.

Cause. The above condition occurred because 75th Communications Group officials determined the current CJCSI (paragraph B17a) and AFI 33-129 (paragraph 4.1) requirements for coordinating internet requests through the DISA Direct connection approval process and/or obtaining waivers did not apply to the 16 contractor circuits reviewed. More specifically, Communications Group officials indicated the subject contractor circuits did not touch the base network and were intended only for non-DoD communications purposes. Hence, management concluded the AFI 33-129 guidance which only addresses internet arrangements for official email or internet services and the CJCSI guidance which focused on internet services connected to the Defense Information System Network did not apply. However, during the audit, Air Force Audit Agency Audit Control Point discussions with DISA and the Office of Warfighting Integration and Chief Information Office (SAF/XC) officials indicated the guidance intent was to have all internet service requests go through DISA Direct connection approval process and waivers to be obtained if needed. Also, in our opinion, regardless of the intended use of the 16 contractor commercial circuits examined, there was no assurance that the internet services would always be properly used and never result in the transmission of DoD-official information.

Impact. Properly establishing circuit connections to contractor facilities is necessary to provide sufficient oversight of contractor circuits by higher headquarters and ensure all security requirements are met.

Audit Comment. Although the 16 contractor circuits reviewed during this audit were not established via the DISA Direct connection approval process and did not have required GIG waivers, this report does not contain a recommendation requiring those circuits to be disconnected. Instead, this issue and the guidance concerns discussed above were referred to the Air Force Audit Agency Audit Control Point at the Financial and Systems Audits Directorate, March Air Reserve Base CA, and will be addressed in an Air Force report of audit.

Management Comments. The Director of the 75th Communications Group concurred with the audit comment and concurred in principle with the audit condition, and stated “All contractor internet connection requests via a commercial Internet Service Provider should be approved by DISA and issued GIG waivers when DISA is unable to provide the service. In order to ensure full compliance, AFI 33-129, paragraph 4.1 requires revisions to address commercial Internet Service Provider connections secured by contractors for unofficial business. As written today, ‘Waiver requests shall explain how the other than non-classified internet protocol route network internet connections meet the minimum security standards established by the DSAWG [the Defense Information Systems Network Security Accreditation Working Group] and be accompanied by a plan to transition the connection to the non-classified internet protocol route network.’ The 16 Internet Service Provider connections identified in this audit are not used for official business negating the ability to transition them to the non-classified internet protocol route network as prescribed.”

Evaluation of Management Comments. Management comments addressed the issues discussed in Audit Results 1 and the related audit comment. Management concerns regarding current directives were noted during the audit. As stated previously, the guidance concerns were referred to the Air Force Audit Agency Audit Control Point at the Financial and Systems Audits Directorate, March Air Reserve Base CA for further review and resolution.


Appendix I
Audit Scope and Prior Audit Coverage

AUDIT SCOPE

Audit Coverage. This was a centrally directed audit of contractor circuit security at the 75th Air Base Wing, Hill Air Force Base UT. The Wing was 1 of 9 locations where the audit was conducted. Documents reviewed were dated from October 1999 through March 2009. We performed this audit between 18 May and 23 June 2009, and issued management a draft report on 6 August 2009.

Audit Tests. To accomplish the audit objectives, we performed the audit tests described below.

• Circuit Connections. To determine whether 75th Communications Group personnel properly established circuit connections to contractor facilities, we obtained a list of contractor circuits. In addition, we interviewed communications personnel and reviewed documents to ensure that management reviewed and considered all possible sources to provide complete and accurate contractor circuit information for the audit. We then validated the contractor circuit data call results. We also determined if Global Information Grid waivers were obtained.
• Circuit Accreditation and Certification. To determine whether personnel obtained security accreditations for circuits connecting to contractor facilities, we interviewed Communications Group and Air Combat Command personnel. Additionally, the Air Force Audit Agency Audit Control Point reviewed the recent Air Force-wide Systems/Networks Approval Process report to determine whether circuits were registered.

Sampling Methodology. To accomplish the audit, we used sampling techniques and computer-assisted auditing tools and techniques as follows.

• Sampling. Although the Air Force Audit Agency Audit Control Point at the Agency’s Financial and Systems Audits Directorate, March Air Reserve Base CA, performed an Air Force-wide data call to determine the number of contractor circuits, some major commands did not forward the data call down to the local installations. Therefore, we requested this information from the 75th Communications Group at the beginning of the audit. Specifically, Communications Group personnel were asked to provide information about all established circuit connections to contractor facilities excluding (1) SIPRNET¹ circuits, (2) telephone circuits, (3) circuits to other Federal agencies, and (4) circuits from other non-Air Force tenant organization networks on base. Through this query, a total of 682 contractor circuits were identified. Upon receipt, we forwarded this Hill Air Force Base universe data to the Air Force Audit Agency Audit Control Point who then judgmentally chose 25 circuits for our review. The sample selection was based on the highest risk circuits, to include those identified to be inside the base firewall and those identified as providing non-classified internet protocol route network service. After receiving additional information, the Air Force Audit Agency Audit Control Point later reduced the audit sample from 25 to 16 contractor circuits.
• Computer-Assisted Auditing Tools and Techniques. We did not use any computer-assisted auditing tools and techniques to analyze data in this audit.

¹ Secret internet protocol router.

Data Reliability. Although we relied on computer-generated information from Telecommunication Certification Office Support System, we did not evaluate the adequacy of the System’s general and application controls. However, we evaluated the data reliability through discussions with knowledgeable personnel. Since source/supporting documentation was not available at this location, we could not fully determine the data reliability of the System, but the data had no material impact on the audit results.

Auditing Standards. We conducted this audit in accordance with generally accepted government auditing standards and, accordingly, included such tests of internal controls as considered necessary under the circumstances. Specifically, we evaluated controls required to protect vulnerable contractor communications circuits and information.

Discussions with Responsible Officials. We discussed/coordinated this report with the Commander of the Ogden Air Logistics Center, the Commander of the 75th Air Base Wing, the Director of the 75th Communications Group, and other interested officials. We advised management officials that this audit was part of an Air Force-wide evaluation (Project F2008-FB4000-0911.000, Contractor Circuit Security). Consequently, selected data not reflected in this report, as well as data contained herein, may appear in a related Air Force audit report. Management comments were received on 9 November 2009 and are included in this report.

PRIOR AUDIT COVERAGE

We did not identify any other Air Force Audit Agency, DoD Inspector General, U.S. Government Accountability Office, or public accountant audit reports issued to the 75th Air Base Wing, within the last 5 years, that addressed the same or similar objectives covered in this audit.


Appendix II
Points of Contact and Final Report Distribution

POINTS OF CONTACT

Hill Area Audit Office
6068 Aspen Avenue, Building 1294
Hill AFB, Utah 84056-5805

Gregory Carlson, Office Chief
DSN 775-3615
Commercial (801) 775-3615

Dwight Kakazu, Team Chief
David Odle, Auditor-in-Charge

FINAL REPORT DISTRIBUTION

HQ AFMC/CC
HQ AFMC/FMPC
OO-ALC/CC
OO-ALC/FMP
75 ABW/CC
75 ABW/XP
AFOSI, Detachment 113
AFAA/QLR

PROJECT NUMBER

We accomplished this audit under project number F2008-FB4000-0911.004.

FREEDOM OF INFORMATION ACT

The disclosure/denial authority prescribed in AFPD 65-3 will make all decisions relative to the release of this report to the public.
