Strategic Command Directive (SD) 527-1

StrategicCommandDirective527-1_27JAN2006InformationOperationsCondition-INFOCON-System

Department of Defense Information Operations Condition (INFOCON) System Procedures

  • Operations, Planning, and Command and Control
  • 35 pages
  • For Official Use Only
  • January 27, 2006

INFOCON SYSTEM
1.1. Purpose. The INFOCON system provides a framework within which the Commander USSTRATCOM (CDRUSSTRATCOM), regional commanders, service chiefs, base/post/camp/station/vessel commanders, or agency directors can increase the measurable readiness of their networks to match operational priorities. This SD describes a new INFOCON approach replacing the INFOCON system that has been in place since 1999. Key to this new strategy is a shift from a threat focus to a readiness focus. The readiness strategy provides the ability to continuously maintain and sustain one’s own information systems and networks throughout their schedule of deployments, exercises and operational readiness life cycle independent of network attacks or threats. The system provides a framework of prescribed actions and cycles necessary for reestablishing the confidence level and security of information systems for the commander and thereby supporting the entire GIG.

1.2. Execution. The INFOCON system, including responsibilities, processes, and procedures, applies to Non-classified Internet Protocol Routing Network (NIPRNET) and Secret Internet Protocol Router Network (SIPRNET) systems under the purview of the Joint Chiefs of Staff and all DoD activities within the unified commands, military services, and DoD Agencies, as well as the non-DoD NetOps COI (NetOps CONOPS, Joint Concept of Operations for Global Information Grid NetOps). It is executed by unified and service commanders, base/post/camp/station/vessel commanders and agency directors with authority over information systems and networks (operational and/or support) (hereafter collectively referred to as “commanders”). The INFOCON system provides commanders the authority, discretion and accountability to prepare their organization’s network and information systems at any level they deem appropriate for the current and anticipated environment, as directed in paragraph 3.2.

1.3. Authority. The Chairman of the Joint Chiefs of Staff established the INFOCON system in CM-510-99. The INFOCON system is executed through the operational authority of CDRUSSTRATCOM as part of his overall responsibility for Global Network Operations (GNO) for the DoD in accordance with (IAW) DoDD O-8530.1.

1.3.1. DoD INFOCON Declaration Authority. The Secretary of Defense delegated the authority to set global INFOCON levels to CDRUSSTRATCOM.

1.3.2. Regional and Local INFOCON Declaration Authority. Commanders at all levels of the DoD retain the authority to set INFOCON levels for information systems and networks under their command and control. The INFOCON system reinforces the commander’s inherent right to self defense. Commander’s have the flexibility to adjust their INFOCON assurance levels as necessary and report when raising regional INFOCON levels above the established global INFOCON. These levels must remain at least as high as the DoD INFOCON level declared by CDRUSSTRATCOM.

1.4. Background.

1.4.1. The INFOCON system was initiated in 1999 and many real world events have highlighted needed changes in system concept, procedures and measures. Foremost among the “must fix” issues was the need to operationalize, standardize, and normalize the INFOCON process across the DoD.

1.4.2. This SD describes a new INFOCON strategy that shifts from a “threat-based,” reactive system to a “readiness-based,” proactive approach. This paradigm shift represents a significant change in how commanders at all levels ensure the security and operational readiness of their information networks. While CDRUSSTRATCOM will continue to direct changes in the global INFOCON status, changes in local or regional INFOCON status will now be more actively managed by commanders at all levels (e.g., base, post, camp, station, vessel, major command) using a framework of standardized measures. The INFOCONs mirror Defense Conditions (DEFCON) defined in CJCSM 3402.1B, (S) Alert System of the Chairman of the Joint Chiefs of Staff (U), and are a uniform system of five progressive readiness conditions – INFOCON 5, INFOCON 4, INFOCON 3, INFOCON 2, and INFOCON 1. (There is no direct correlation between INFOCON and DEFCON levels, though commanders should consider changes in INFOCON when DEFCON changes.) INFOCON 5 is normal readiness and INFOCON 1 is maximum readiness. Each level represents an increasing level of network readiness based on tradeoffs in resource balancing (e.g., downtime versus level of assured confidence regarding malicious activity) that every commander must make. The INFOCONs are supplemented by Tailored Readiness Options (TRO), which are applied in order to respond to specific intrusion characteristics or activities, directed by CDRUSSTRATCOM or commanders.

GLOBAL INFOCON PROCEDURES

4.1. (FOUO) Overview. INFOCON procedures focus on proactively establishing and re-establishing a secure baseline based on a periodic, operational rhythm. This cycle varies, based on perceived operational needs, from bringing systems back to a secure baseline every 180 days at INFOCON 5, to restoring that secure baseline every 15 days at INFOCON 1. As we move from a lower to a higher level, immediately complete the cycle and then use the timeline established for that level for successive cycles. Each level of INFOCON uses the lower level(s) as the basis from which to start all activities. Report all activities to the command setting the INFOCON level (declaring command).

4.2. INFOCON 5, Normal Readiness Procedures.

Table 4.1. (FOUO) INFOCON 5 Procedures.

5-1. (FOUO) Re-establish ‘secure baseline’ in conjunction with a check for unauthorized changes on a semi-annual (180-day) cycle. This should involve mirroring the drives for subsequent examination, prior to re-loading the secure configuration. If examination of the drives indicates unauthorized changes, first determine if the changes were actually authorized, yet improperly recorded. This may reveal the need for a review of the procedures for updating the database of authorized changes. Unauthorized changes may indicate the need to temporarily increase to a higher INFOCON level, depending on what unauthorized changes are discovered. Without a provision such as this, you may be unaware the network has been compromised.

5-2. (FOUO) Ensure all DoD Information Systems are compliant with guidance and responsibilities outlined within IAW DoDI O-8530.2 and CJCSM 6510.01, Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND).

5-2.1. (FOUO) Update and maintain anti-virus, firewall, Information Assurance Vulnerability Alerts (IAVA), and Access Control Lists (ACL) configurations.

5-2.2. (FOUO) Ensure complexity and periodicity of passwords.

5-3. (FOUO) When moving into/from a higher INFOCON level, acknowledge receipt and report entry into INFOCON Level activities via operational channels to the declaring command. Chapter 5 provides sample reporting formats.

4.3. INFOCON 4, Increased Military Vigilance Procedures.

Table 4.2. (FOUO) INFOCON 4 Procedures.

4-1. (FOUO) Acknowledge receipt/entry into INFOCON 4 and report again upon completion of the first INFOCON 4 cycle.

4-2. (FOUO) Confirm completion of directive measures at previous INFOCON levels.

4-3. (FOUO) Establish exit criteria. (Declaring Command)

4-4. (FOUO) Implement TROs as specified in the implementing message or by regional/local commanders.

4-5. (FOUO) On a 90 day cycle: Upon notification immediately complete the following activities and then every 90 days thereafter. Using manual methods or available automated tools, identify and verify all changes to the system parameters tracked using the database created at INFOCON 5 (step 5-4.). Investigate all unauthorized changes and remove or terminate as appropriate. If this is being conducted automatically, apply the comparison to all servers and workstations. If manual, apply the comparison to critical equipment and a representative sample of workstations.

4-6. (FOUO) If explicit permissions are used on folders or files also check to ensure permissions have not been modified.

4-7. (FOUO) Verify service accounts having administrative privileges on critical equipment and ensure they cannot log on remotely.

4-8. (FOUO) Disable LanMan Hash from all critical equipment if technically feasible.

4-9. (FOUO) Conduct offline rehearsals for the rapid and consistent reestablishment of baselines for SIPRNET and NIPRNET critical equipment as called for in INFOCON 3 Procedures.

4.4. INFOCON 3, Enhanced Readiness Procedures.

Table 4.3. (FOUO) INFOCON 3 Procedures.
3-1. (FOUO) Acknowledge receipt and entry into INFOCON 3 and report again up completion of the first INFOCON 3 cycle.

3-2. (FOUO) Confirm completion of directive measures at previous INFOCON levels to the declaring Command.

3-3. (FOUO) Establish exit criteria for current INFOCON level. (Declaring Command)

3-4. (FOUO) Implement TROs as specified by implementing message or regional/local commanders.

3-5. (FOUO) Re-establish a secure baseline on a 60-day cycle.

3-6. (FOUO) Conduct offline rehearsals for the rapid and consistent reestablishment of baselines for SIPRNET and NIPRNET critical equipment as called for in INFOCON 2 Procedures.

4.5. INFOCON 2, Greater Readiness Procedures.

Table 4.4. (FOUO) INFOCON 2 Procedures.

2-1. (FOUO) Acknowledge receipt and entry into INFOCON 2 and report again upon completion of the first INFOCON 2 cycle.

2-2. (FOUO) Confirm completion of directive measures at previous INFOCON levels to the declaring Command.

2-3. (FOUO) Establish exit criteria for current INFOCON level. (Declaring Command)

2-4. (FOUO) Implement TROs as specified by implementing message or regional/local commanders.

2-5. (FOUO) Re-establish a secure baseline on a 30-day cycle.

2-6. (FOUO) Reestablish known good software baselines on the following servers, PDC/BDC/ DNS/Web server. As stated above, this step is intended to address the intrusion techniques that cannot be identified or defeated by other means. These modifications to the servers may be accomplished anywhere within the established operational rhythm period, at the local commander’s discretion to reduce impact on operations or resources.

2-7. (FOUO) Conduct offline rehearsals for the rapid and consistent reestablishment of baselines for SIPRNET and NIPRNET critical equipment as called for in INFOCON 1 Procedures.

4.6. INFOCON 1, Maximum Readiness Procedures.

Table 4.5. (FOUO) INFOCON 1 Procedures.
1-1. (FOUO) Acknowledge receipt and entry into INFOCON 1 and report again upon completion of the first INFOCON 1 cycle.

1-2. (FOUO) Confirm completion of directive measures at previous INFOCON levels to the declaring Command.

1-3. (FOUO) Establish exit criteria for current INFOCON level. (Declaring Command)

1-4. (FOUO) Implement TROs as specified by implementing message or regional/local commanders.

1-5. (FOUO) Re-establish a secure baseline on a 15-day cycle.

info

Share this:

Facebooktwitterredditlinkedinmail