APPLICATION SECURITY INFORMATION (ASI) SHEET

Directions: Answer all questions in each section. Spell out all acronyms. When complete, attach to the ‘Join NIAPS’ request form. Any questions related to information being asked for in this form can be directed to NSWC Crane at (812) 854-4778.

Section 1.0: APPLICATION/SYSTEM Description and Identification

1.1 Application/System Name and Identification: This section should state the name and mission of the application.

Distance Support Version 2.0 (DS2) Server.
The information system to be described in this Application Security Information (ASI) sheet is called the Distance Support 2.0 Server. DS2 Servers are deployed to IT-21 shipboard environments, and contain software specifically configured to enhance the ship’s intranet environment.

1.2 Application/System Description: This section should describe what type of application it is (i.e. is it tech manual application, drawing application, training application, etc.).

The DS2 Server is an intranet web-based information system used to support, distribute, and collect information in an Information Technology – 21 (IT-21) shipboard environment. This system hosts an intranet that maintains information such as: training courses, maintenance documents, and maintenance data collection, as well as morale and welfare support.
Examples of content on the DS2 Server include: NetG courses for training, Advanced Technical Information System (ATIS) for technical documentation, along with PMS Scheduling (SKED) and Electronic Portable Maintenance Assistance (ePMA) for maintenance data collection. For morale and welfare support, DS2 hosts local web content that includes AnchorDesk.Navy.Mil, NKO.Navy.Mil and BUPERS. The DS2 Server has many other pages cached locally, which allows the warfighter to use the fast internal shipboard bandwidth as compared to using external ship bandwidth and expensive satellite time.
The DS2 local intranet server provides this information to users during times that networking external to the ship is unavailable. When the ship has network connectivity, updates to the content can be obtained through the DS2 Amendment Server, located at Naval Surface Warfare Center (NSWC) Crane Division, Crane, Indiana.

1.3 Functional Description: This section should provide a functional description of the application and the purpose or mission for which it will be used. Include functional diagrams of the application. Describe functions performed jointly with other systems and identify the other systems. Included functional diagrams should be at the macro-level. Provide the intended flows of data into the application, data manipulation, and product output. (Properly labeled diagrams or data flows can be included at the end of this document)

The Knowledge Management Center (KMC) and the DS2 Amendment Server are both located at NSWC Crane Division, while the DS2 Server is installed on a US Navy vessel.
The DS2 Server is designed to provide value-added solutions in shipboard environments. The DS2 system maintains current data with the KMC through the DS2 Amendment Server.
The DS2 system is a web-based information system used to support, distribute and collect information that exists in an IT-21 shipboard environment. The local intranet server (DS2 Server) then provides this off-line information to users during times that external network connectivity to the ship is unavailable. When the ship has external network connectivity, updates to the content on the DS2 Server can be obtained from the DS2 Amendment Server, which provides timely and accurate information updates to the fleet. This central management of distance support relieves the burden of administration from local ship Information Technology (IT) personnel, and provides a highly trained workforce to maintain and manage information flow throughout each deployed DS2 shipboard system.
Amendments are comprised of changes to web based content, training materials, ship manuals, technical drawings, human resource data, and other data intended to reside on DS2 deployed servers. Basically, amendments are highly compressed files that are only readable by the deployed DS2 systems.
When a DS2 system is deployed, it is loaded with initial content from the KMC. When the content changes on the KMC, that change becomes the new amendment that is provided to all deployed DS2 systems via the DS2 Amendment Server.

1.3.1 Application/System Capabilities: This section should include the description of the capabilities of the application to be certified and accredited. These capabilities include functions the application should perform, desired interfaces and capabilities associated with those interfaces and the information to be processed.

The DS2 Server provides the ability to serve intranet documentation for maintenance, training, and other services that would normally be obtained via external network connectivity. It also collects data for delivery to shore via the DS2 Amendment Server.
The following are capabilities of DS2 Server:
  • Unclassified Trusted Network Protection Policy (UTNP) compliant (All communications between the amendment server and the deployed DS2 Server are conducted using Secure Socket Layer (SSL) encryption over port 443.)
  • Receives amendments from the KMC through the DS2 Amendment Server
  • Sends updates from the ship to the DS2 Amendment Server
  • Provides useful intranet data to sailors, even when external network connectivity is unavailable
  • Synchronizes content between the ships and the KMC through the Amendment Server
  • Improvement of data validity
  • Lead time reduction
  • Labor and time savings
  • Fully integrated system
  • Data security and integrity maintained

1.3.2 Application/System Criticality: This section should describe the overall criticality of the application’s capability to support mission accomplishments.

The DS2 Server is a mission support system. The DS2 Server enables Naval Sea Systems Command (NAVSEA) to provide reliable support to the Fleet.
The criticality of the DS2 Server is Mission Assurance Category III. The loss of the DS2 Server is equivalent in severity to losing email and web-browsing capability. Impact includes the inability to retrieve documents quickly, resulting in delays and loss of productivity to intranet users. The information served by DS2 is necessary for conducting day-to-day business, but does not materially affect support to deployed or contingency forces in the short-term. The loss of integrity or availability can be tolerated or overcome without significant impacts on mission effectiveness or operational readiness. The consequences could include the delay or degradation of services or commodities enabling routine activities.

1.3.2 Classification and Sensitivity of Data Processed: This section should describe the security classification of the data processed and any additional sensitivity labels or warnings that accompany the data.

The data processed by the DS2 Server is unclassified. However, since the system contains business sensitive, For Official Use Only (FOUO), and Not Releasable to Foreign Nationals (NOFORN) data, the system is categorized as Controlled Unclassified Information (CUI). All files, programs, tables and related software are protected in accordance with existing standards of the Department of Defense (DOD), the Department of the Navy (DON), NAVSEA, and NSWC Crane Division.

1.3.3 Application/System User Description and Clearance Levels: This section should describe the personnel that are to be the primary users of the application and data on the system or network, and the necessary clearance levels that are required to access the data on the system or network.

Granting of access to data and/or functionality is based upon “need-to-know” and “least privilege.” Security requires operators to log on and off at the start and completion of each approved work period. All users of the DS2 Server must meet the local Automated Data Processing (ADP) security policies of the installed environment (the ship’s ADP policy). The DS2 Server is joined to the ship’s domain.
Any restricted data is password protected. Requests for access may be granted by ship’s force after a background check. Examples of this rule would include the access controls provided by ATIS, SKED, ePMA, Navy Knowledge Online (NKO), and certain web content.
For security purposes, DS2 users can be divided into two broad categories:

Ordinary Users. Ordinary users may be government, military, or contractor personnel that utilize DS2 Server resources to conduct official business. Ordinary users are not tasked with security or system administration. Because DS2 Server data is processed at the CUI level, no special government clearance levels are necessary. Access to information is on a “need-to-know” basis and the principle of “least privilege” applies when granting access to users.

System and Security Managers. System and security managers are government or military personnel that perform security and/or administration for one or more of DS2 resources. Although no formal government clearance is required, system and security managers are strongly encouraged to have a favorable National Agency Check Inquiry (NACI), or a DoD clearance of classified or higher. Access to information is on a “need-to-know” basis and the principle of least privilege applies.

1.3.4 Life Cycle of the Application/System: This section should include the description of the Application/System Development Life Cycle, where your application is relevant to the application development life cycle, and the plans for the near future.

There is no planned retirement for the Distance Support 2.0 system. Hardware and software are to be upgraded as needed to satisfy growth requirements.
Future plans include the enablement of Public Key Infrastructure (PKI) authentication. Those services shall be implemented according to Navy instructions, and upon shipboard implementation of PKI authentication. The software to accomplish enablement of PKI authentication on DS2 is in place, but not turned on at this time. As PKI is implemented aboard ship this software will be enabled as appropriate on a per ship basis.
Certificate enabled communications are in use while the DS2 Server reaches back to the DS2 Amendment Server.
As of right now, there is no Secure Internet Protocol Router Network (SIPRNet) component of the Distance Support 2.0 system. If in the future a need exists, a new System Security Authorization Agreement shall be written for that component, and this SSAA shall be updated to make reference to that SSAA.
DS2 is comprised of Commercial Off-The-Shelf (COTS) and Government Off-The-Shelf (GOTS) software, along with specially tailored applications. The expected life cycle of the existing components in this configuration is a minimum of five (5) years. As required, additional COTS equipment may be acquired and integrated into the configuration or used to replace existing components.
Currently, the DS2 Server is past the developmental stage, and is ready for deployment and connection to the Integrated Shipboard Network System (ISNS) aboard ship.

1.3.5 Application/System CONOPS Summary: This section should include a brief summary of the Concept of Operations for the application. What the application is, its major mission, who it supports, and how its users will utilize it when operational.

The goal of the DS2 Server is to deliver a knowledge management system that integrates into the framework of a ship's day-to-day work environment. Critical information distributed in documents, training, and feedback will be quickly available even without continuous external network connectivity. The DS2 server will be used as the primary gateway to that information, while using the smallest amount of network bandwidth possible.
The DS2 Server integrates with the existing shipboard environment. It utilizes the ISNS shipboard network, and travels over the ship’s encrypted Inmarsat satellite link. IT-21 NOCs provide firewall protection for the ISNS shipboard LAN and the DS2 Server. The DS2 utilizes encrypted SSL through port 443, which is Navy UTN (Unclassified Trusted Network) Protect Policy Firewall compliant, to communicate with the Distance Support Amendment server. Please see Figure 1 at the end of this document for a diagram of this interaction.

Section 2.0: APPLICATION/SYSTEM ARCHITECTURAL DESCRIPTION

DS2 Server. DS2 documents and files are stored on the Windows 2000 NTFS File System to allow scanning for viruses, access restrictions, and logging. The disaster recovery method is to ship re-imaged hard disks from the design agent NSWC Crane Division. See Figure 1 at the end of this document for a connectivity diagram of the DS2 Server.
Deployed DS2 Environment. The deployed DS2 server is connected to the IT-21 unclassified network. Because it is considered a member of the ship’s domain, the deployed DS2 server is protected by ISNS/IT-21 security features (specifically a UTNProtect compliant firewall) already in place on the vessel and in the Network Operations Center.
DS2 Innovation Test Lab. Hardware associated with the Distance Support Innovation Test Lab includes servers, workstations, peripherals, and communication equipment required to exchange data. Security protection, allowing the Distance Support Innovation Test Lab to traverse another activity’s firewall boundary, is controlled at that activity’s discretion. Connection to the Distance Support Innovation Test Lab by other government and commercial entities is currently controlled by corporate and local firewalls. Firewalls enforce an Unclassified Trusted Network Protection Policy that can be updated by authorized personnel to meet changing requirements. Firewalls that protect access to NSWC Crane Division are controlled by the ISSM. The DS2 firewall administrator controls the firewall protecting the Distance Support Innovation Test Lab. All changes to the firewall must be approved through the ISSM. All external connectivity is provided by a Defense Information Switch Network (DISN) provisioned 12 Megabit Non-Secure Internet Protocol Router Network (NIPRNet) circuit.

2.1 Hardware: Identify the specific hardware components being used.

DS2 Server minimum requirements are: dual Intel Pentium III 900 MHz CPUs, 2 GB of RAM, 250 GB of disk space, 10/100 Ethernet network interface, and 120 volt 60 Hz power.
Two common configurations of the DS2 Server being rolled out to the Fleet are:
Compaq ML570 Server
  • 2GB RAM
  • Four 2.0GHz processors
  • Twelve 146GB SCSI Ultra 320 drives in a RAID 5 Array
  • DVD-ROM Drive
  • Dual Onboard Gigabit Ethernet
  • Three Redundant Power Supplies
Compaq DL380
  • 2GB RAM
  • Two 3.06GHz processors
  • Six 146GB SCSI Ultra 320 drives in a RAID 5 Array
  • DVD-ROM/CDRW drive
  • Dual Onboard Gigabit Ethernet
  • Dual Redundant Power Supplies

2.2 Software: This section should describe the target software and its intended user. This includes the entire set of application programs, software procedures, software routines, and operating system software associated with the application in question.

Software requirements for the Distance Support 2.0 Server include:
  • Microsoft Windows 2000 Service Pack 4 Advanced Server, WINFLEX Edition, Version 5.0.2195, member server, with all available hotfixes (Server Operating System)
  • Adobe Systems - Acrobat Reader Version 6.1 (Document Viewer)
  • Antech Systems, Inc. - Navy PMS SKED Version 3.01.0004 (SKED 3.1)
  • Antech Systems, Inc. - OMMS30Interface Version 3.01.0004 (OMMS)
  • Belarc - BelManage Client Version 6.1a (Configuration Management Tool)
  • Centura Software - Centura SQLBase Version 6.1.2-PTF6 (ATIS Database Engine)
  • Eastman Software - Imaging for Windows® Version 5.00.2138.1
  • Executive Software - Diskeeper (TM) Disk Defragmenter Version 7.0.410.0 (DiskKeeper)
  • iOra Ltd - iOra Publisher Version 4.7 (File Replication Software)
  • iOra Ltd. - iOra Client Version 4.7 (File Replication Software)
  • Microsoft - .NET Framework Version 1.1.4322.573
  • Microsoft - Access Version 9.0.2719 (Office 2000)
  • Microsoft - Active Directory Replication Monitor Version 1.00.2182
  • Microsoft - Baseline Security Analyzer Version 1, 1, 0, 5
  • Microsoft - Clip Gallery Version 5.1.00.1221 (Office 2000)
  • Microsoft - Excel Version 9.0.2719 (Office 2000)
  • Microsoft - Exchange Version 6.0 (Database Engine for SharePoint 2001)
  • Microsoft - FrontPage 2000 Version 9.0.2719 (Office 2000)
  • Microsoft - Internet Explorer Version 6.00.2800.1106 (Web Browser)
  • Microsoft - Internet Information Services Version 5.00.0984 (Server s/w assoc. with Win2000)
  • Microsoft - Internet Services Version 6.1.33.0
  • Microsoft - MSSearch Version 10.145.7329.0 (Search Engine SharePoint 2001)
  • Microsoft - Office 2000 Version (Office 2000)
  • Microsoft - Open Database Connectivity Version 3.520.9030.0 (Microsoft ODBC)
  • Microsoft - Outlook Version 9.0.2719 (Office 2000)
  • Microsoft - PowerPoint for Windows Version 9.0.2719 (Office 2000)
  • Microsoft - Script Debugger Version 1.00.7295
  • Microsoft - SharePoint Portal Server Version 10.145.7329.0 (SharePoint 2001)
  • Microsoft - SQL Server Database Server Version 8.00.760 (SQL 2000)
  • Microsoft - SQL Server Version 8.00.760 (SQL 2000)
  • Microsoft - VB 6 API Declaration Loader Version 6.00.8169 (Part of the DS2 Update Program)
  • Microsoft - Visual Basic Version 6.00.9782 (Part of the DS2 Update Program)
  • Microsoft - Windows Installer - Unicode Version 2.0.2600.1183
  • Microsoft - Windows Media Player Version 9.00.00.2980
  • Microsoft - Windows Script Host Version 5.6.0.6626
  • Microsoft - Windows® NetMeeting® Version 3.01
  • Microsoft - Word Version 9.0.2719 (Office 2000)
  • Disk Probe Sector Editor Version 5.0.2128.1 (Part of DiskKeeper)
  • WinDVD - DVDplay Application Version 1.0.0.1 (DVD Drive Software)
  • ePMA Configurator Version 1.0.1530.28138 (ePMA component, ties in with SKED)
  • Java Web Start (Part of NKO)
  • javaw.exe (Part of NKO)
  • PMA Batch Service Version 1.0.1530.28141 (ePMA component, ties in with SKED)
  • Distance Support 2 Update – Version 3.0 (Program that keeps DS2 Servers up to date)
  • Tumbleweed Communications – Secure FTP Client (Used with DS2 Update)
  • NetG - Skill Builder DX Administration (NetG training)
  • Jakarta – Tomcat (Java Engine for NKO)
  • Odyssey Software - CEsetup Application Version 1.0.0.0 (ePMA component, ties in with SKED)
  • PowerQuest - V2i Protector Version 2.0.2.312 (Backup Software)
  • Symantec - Norton AntiVirus Version 9.0 (Antivirus)
  • WinZip Computing - WinZip Version 9.1 (Compression Utility)
  • NAVSEA Application - ATIS RAID Manager Version 1.02.0003 (Part of ATIS)
  • NAVSEA Application - 32-Bit ATIS (Technical Document Repository)
  • NAVSEA Application - Appian Calendar (Part of Navy Knowledge Online (NKO))
  • NAVSEA Application - TLMS

2.3 Firmware: This section should describe the firmware that is stored permanently in a hardware device that allows reading and executing the software, but not writing or modifying it (PROM and EPROM).

None

2.4 Application/System Interfaces and External Connections: This section should describe the application’s external interfaces. The description should include a statement of the purpose of the interface and the relationship between the interface and the application.

See Figure 2: Intra Ship Connectivity Diagram at the end of this document
See Figure 3: Content Update with DS 2.0 Amendment Server at the end of this document

2.5 Data Flow (Including Data Flow Diagrams): This section should include the data flow descriptions that show the input and output of all types of data associated with the application, and how the users interface. A line drawing of the flows should be included. (Properly labeled diagrams or data flows can be included at the end of this document)