Purpose. To revise policy and procedures for Information Technology (IT) configuration control.
Background. IT configuration control is critical in outlining processes and documenting procedures for requests to modify baseline configurations, to include adding new hardware and software. The IT Configuration Control Board (CCB) shall convene quarterly, or as required, to review recommended changes to all baselines with regard to TTGL SIPR domain, Program of Record (PoR) systems, and all Non-PoR systems connected to TTGL network. CCBs will be conducted in accordance with references (t) and (u).
Discussion. It is the responsibility of the IAM to determine what IT equipment can be purchased without a negative impact on TTGL’s configuration and provide recommendations to the CO regarding alternative solutions that fulfill mission requirements.
For PoR AIS, additional software is only permitted if it is Program Management Office (PM) approved and is listed on the Preferred Products List (PPL). Requests for hardware on PoR AIS require PM, NAVCYBERFOR, and CO approval.
Installation of non-PoR systems requires CCB and/or CO approval.
Configuration change of any system requires approval by the CCB and initiation of the ATO/IATO process IAW references (p) and (r) and Chapter 1 of this instruction.
Policy
Process. Personnel who have a requirement for additional AIS hardware or software must complete and route a System Change Request (SCR), enclosure 1 of reference (v), through their chain of command. SCR must be routed to the N6 Department Head via the Information Assurance Officer (IAO) and Information Assurance Manager (IAM). Upon receipt of the SCR, TTGL IAM will review and evaluate the request for security, legality and configuration issues. Once all requirements are met, the SCR will be reviewed at the next CCB. If SCR is an emergent requirement, N6 can convene a special CCB for review.
Approval Process
Departmental POC will determine genuine need and will obtain system ATO/IATO (if available), and necessary quotes from appropriate vendors based on the minimum, standard system requirements of TTGL ISNS.
IAO will evaluate security threats that may be introduced by the change, will evaluate installation requirements, possible impact to the network, possible application conflicts, possible technical assistance, and current software and hardware versions. All hardware must be on the National Information Assurance Partnership (NIAP) approved list prior to purchase.
IAM will review SCR and schedule it for CCB review. CCB will make an approval or disapproval recommendation. Upon completion of installations, IAM is responsible for updating TTGL network configuration diagrams.
N6, as CCB Chairman, gives final approval of SCR based on recommendations from the CCB.
Procurement. AIS equipment approved for purchase will be requisitioned through Supply Department. Installation and configuration of any AIS shall be performed by N6 Department.
Software
Scope. IAM is responsible for ensuring all software used on TTGL computer systems is approved and consistent with proper license or copyright agreements. Accordingly, communication should be maintained with NAVCYBERFOR FAM Department to ensure that only properly authorized software is installed on TTGL IS.
Action. Each Authorized User is responsible for ensuring only authorized software is introduced on any TTGL IS. Outlined below are the minimum acceptable standards for the control, disposition, transfer, and use of commercial or government software packages.
Authorized Software. Software which is:
Loaded as part of the Navy PPL.
Unauthorized Software. Software not expressly identified as authorized software is considered high-risk software and is not authorized for use on TTGL systems. Some examples of unauthorized software include:
Games. Game software included as part of vendor supplied software shall be removed immediately following installation.
Public domain software, "shareware", or "freeware" obtained outside official channels.
All software applications that have been developed outside government-approved facilities such as those developed on personally owned computers at home or software acquired via "bulletin boards."
Personally owned software (either purchased or gratuitously acquired).
Software whose source cannot be determined.
Illegally copied software.
Per reference (k), off-the-shelf vendor software will be centrally controlled to preclude violation of copyright or licensing agreements. All off-the-shelf vendor software will be write-protected to prevent inadvertent contamination by classified information per the special data transfer procedures described in reference (l).
Contractor-owned software. Magnetic media owned and used by authorized outside entities on any TTGL IS are subject to TTGL access control and monitoring procedures. Software may be reserved for use by the contractor; however, these media must be clear of all classified or privacy act data unless the contractor has been authorized access by an existing contract or statement of work. If contractor software contains classified information, the media shall be controlled and inventoried IAW reference (l) and Chapter 7 of this instruction. TTGL CCB must approve all contractor software prior to evaluation on TTGL IS.
Reproduction of copyrighted software. Copyrighted software acquired for use on any TTGL computer system may not be copied for general distribution without written consent of the copyright holder. Violations of this policy may result in UCMJ action.
Never copy government-acquired or government-produced software for private use on a government IS or for use on a privately owned computer.
Demonstration software. The IAM must obtain SPAWAR and/or NAVCYBERFOR approval prior to installing demonstration software.
Disposition of excess software. Disposition instructions regarding excess, superseded or outdated software are based on the latest applications kills list, which may be obtained from NAVCYBERFOR via email or broadcast message request.