COMPLY-TO-CONNECT COMPLIANCE POLICY STANDARDS
Date Signed: 5/28/2020 | MARADMINS Number: 310/20

R 271840Z MAY 20
MARADMIN 310/20
MSGID/CMC DCI IC4 WASHINGTON DC//
SUBJ/COMPLY-TO-CONNECT (C2C) COMPLIANCE POLICY STANDARDS//
REF/A/NDAA 2016 SECTION 1653//
REF/B/DOD CIO STRATEGY AND IMPLEMENTATION PLAN FOR COMPLY TO CONNECT DECEMBER 2019//
REF/C/MROC DECISION BRIEF FOR NACCR 06 FEB 2017//
REF/D/USON 26 APRIL 2016//
REF/E/CRC 19 AUG 19//
NARR/REF A IS THE NATIONAL DEFENSE AUTHORIZATION ACT WHICH MANDATES AN AUTOMATED INFORMATION SECURITY CONTINUOUS MONITORING CAPABILITY AND A COMPLY-TO-CONNECT POLICY THAT REQUIRES ENDPOINTS TO AUTOMATICALLY COMPLY WITH THE CONFIGURATIONS OF THE MARINE CORPS NETWORK AS A CONDITION OF CONNECTING. REF B IS THE DEPARTMENT OF DEFENSE (DOD) CHIEF INFORMATION OFFICER (CIO) DRAFT STRATEGY AND IMPLEMENTATION PLAN FOR COMPLY TO CONNECT WHICH PROVIDES THE STRATEGY, OBJECTIVES, AND IMPLEMENTATION DETAILS THAT THE SERVICES WILL FOLLOW IN DEPLOYING COMPLY TO CONNECT. REF C IS A DECISION BRIEF FROM THE MARINE REQUIREMENTS OVERSIGHT COMMITTEE (MROC) THAT AUTHORIZED FUNDS IN SUPPORT OF THE NETWORK ACCESS CONTROL, COMPLIANCE AND REMEDIATION URGENT UNIVERSAL NEEDS STATEMENT (U-UNS). REF D IS THE URGENT STATEMENT OF NEED FOR NETWORK ACCESS CONTROL, COMPLIANCE AND REMEDIATION (NACCR) THAT OFFICIALLY TASKED MARINE CORPS SYSTEMS COMMAND WITH ESTABLISHING A PROGRAM OF RECORD TO DEVELOP, DESIGN, DEPLOY, AND SUSTAIN A COMPLY TO CONNECT CAPABILITY. NACCR FOCUSED ON WINDOWS 10 END USER DEVICES ONLY. REF E IS THE CAPABILITY REQUIREMENTS CHANGE (CRC) SUBMITTED TO MARINE CORPS SYSTEMS COMMAND FROM THE CAPABILITIES DEVELOPMENT & INTEGRATION (CD&I). THE CRC AUTHORIZES MARINE CORPS SYSTEMS COMMAND TO EXPAND THE REQUIREMENTS OF NACCR TO INCLUDE ALL IP-ENABLED ENDPOINTS AND THE FULL CAPABILITIES OF COMPLY TO CONNECT.//
POC/DR. R. A. LETTEER/CIV/DC I IC4/TEL: 703-693-3490/EMAIL: RAY.LETTEER@USMC.MIL//
POC/W. M. MOSES/CIV/DC I IC4/TEL: 571-697-4776/EMAIL: BILL.MOSES@USMC.MIL//
GENTEXT/REMARKS/1.  Purpose.  Define the standards and actions necessary to employ comply-to-connect (C2C) across the Marine Corps.  The Network Access Control, Compliance, and Remediation (NACCR) Program of Record established initial enterprise discovery, tool orchestration, and policy enforcement of compliance standards for Windows 10 end user devices (EUDs) on the Marine Corps Enterprise Network (MCEN) NIPR (MCEN-N) and SIPR (MCEN-S).  Efforts are underway to implement C2C capabilities on domains outside the scope of the NACCR effort.  Ultimately NACCR will become a subset of C2C capabilities that satisfies the requirements defined in ref (a) for all Marine Corps domains.  This MARADMIN provides the minimum security standards that define compliance for the Marine Corps under C2C.
2.  Background
2.A.  Comply-to-Connect (C2C) is a framework of tools and technologies operating throughout the network infrastructure to discover, identify, characterize, and report all devices connecting to the network.  The C2C capability will orchestrate multiple tools to prevent non-compliant and unauthorized devices and personnel from connecting to the network, thus maintaining the secure configuration of the network and protecting the information in accordance with established standards and configurations.
2.B.  C2C also enables the Marine Corps to conduct Defensive Cyber Operations in response to detected and prevailing threats by allowing segregation of devices by categorization, function, and data criticality, enabling emerging environment structures while maintaining identification of assets, verification control and creating a trusted environment.
3.  Guidance
3.A.  Device Authentication.  Every endpoint discovered by C2C will first be authenticated to validate the endpoint is authorized prior to connecting to the MCEN.  The default method for this authentication will be 802.1X, which requires the installation of a supplicant on the endpoint.  Endpoints with technical limitations that prevent the installation of a supplicant must be authenticated and authorized through an alternate means.  The following methods are approved:
3.A.1.  Media Access Control (MAC):  A static endpoint always using the same port in a secured area may use MAC authentication if all ports are locked to known hosts via their MAC address. All unused ports are to be disabled.  Devices attempting to connect via a port not associated with the specific MAC address will be denied access.  This is also known as “sticky MAC” and has been approved by the Marine Corps Authorizing Official (AO) as an alternative.  For sites using this mitigation control, network devices must be compliant with STIG IDs NET-NAC-031 (maximum MAC addresses) and NET-NAC-032 (port-security violation shutdown).  Alternatively, sites may use MAC Authentication Bypass (MAB).
3.A.2.  Systems that use an alternative method to meet authentication requirements must document the exception as an item on the Plan of Actions and Milestones (POA&M) for the affected endpoint in the appropriate Marine Corps Compliance and Authorization Support Tool (MCCAST) package, and require approval by the AO.  The POA&M cannot exceed 1 year.  When requirements drive the replacement of an endpoint, that replacement shall include 802.1X compatibility.
3.B.  Compliance:  All IP-enabled devices currently connected to the MCEN, to include Facility Related Control System (FRCS) Human Machine Interface (HMI) systems, will be scanned and patched in compliance with Information Assurance Vulnerability Alert (IAVA) directions.  All applicable security technical implementation guides (STIGs) will be automatically applied using the C2C tool suite prior to gaining access to network resources as directed in REF A and in accordance with steps outlined in REF B.
3.B.1.  Software agents necessary for the C2C tools to operate (SCCM, HBSS, McAfee, etc.) will be validated to ensure proper functionality prior to use in the production environment.  Subsequent release into production will be documented and approved by competent authority.  Connection to the MCEN can be wired or wireless, locally or remotely connected.
3.B.2.  Health of the agent installed (SCCM, HBSS, McAfee, etc.) will be validated and all current group policies confirmed.  C2C will attempt to auto-remediate the device twice.  After two attempts of auto-remediation, the affected device will immediately be placed in a quarantine status on the affected access switch using an access-control list.
3.B.3.  While in quarantine the device will only have network connectivity to the C2C tool suite.  Following failed auto-remediation, a Remedy ticket will be automatically generated and assigned to the local IT support responsible for the affected device.  Local IT support will troubleshoot the device to determine why auto-remediation failed.  Upon issue resolution, the device will be rechecked by C2C for compliance.  Once the device has passed the compliance checks established by C2C, it will be authorized to connect to the network.
3.C.  Continuous Monitoring:  C2C has the capability to perform compliance enforcement continuously.  On a production network the size and complexity of the MCEN, executing discovery and rescan actions continuously without prior evaluation and tool configurations could cause an unacceptable impact to the network. Marine Forces Cyberspace Command (MFCC) will direct the Marine Corps Cyberspace Operations Group (MCCOG) to develop a plan leveraging C2C to continuously validate the compliance of endpoints connected to the MCEN in a manner that will cause the least impact to the network, ensure a positive user experience, and still meet regulatory tasks, standards, and conditions directed from DOD and USCYBERCOM for cybersecurity protections.  This plan will be briefed to the Network Governance Board (NGB) for approval and will include the process to initially provide regular monthly reports to senior leadership on the number of endpoint devices monitored, the number of endpoint devices actively controlled, and the measures of overall compliance of the devices on the network.
3.D.  Non-traditional endpoints: Devices on the operational network for which C2C could cause an adverse impact will be identified and tracked.  MFCC and MCCOG will determine the best process to maintain and enforce the minimum compliance standards listed on these devices without causing impact to day-to-day operations until such time that these devices can be automatically managed by C2C for compliance.  This process will include how remediation will be achieved as well as reporting requirements to senior leadership.
3.E.  Exceptions:  Systems unable to enforce the compliance standards in this MARADMIN must submit an exception to the Marine Corps AO via MCCAST for approval.  Exceptions will be reviewed on a case-by-case basis and must include justification why C2C cannot be used, supported by detailed mitigations on how compliance will be maintained and reported.  Exceptions require approval by the AO.  Non-compliance will be documented on the affected system’s POA&M and managed within MCCAST.
3.F.  Future Requirements:  Deltas identified in the current C2C toolset will be identified and used to feed requirements for additional tools that may be needed to secure non-end user devices such as multi-function, network, and FRCS devices.  Use of C2C in other mission areas, such as cloud and tactical, will be addressed in future policy as the C2C process matures.
4.  Standards defined in this MARADMIN are the minimum baseline actions.  MFCC will build upon this baseline as necessary based on threat data received through other sources such as USCYBERCOM, Director Intelligence, and the Marine Corps cyber protection teams (CPTs).  Per REF A, information generated through automated and automation-assisted processes for continuous monitoring, asset management, and C2C policies and processes shall be accessible and usable in machine-readable form to appropriate CPTs and cyber security support providers.
5.  As the C2C project matures and policies are refined, details of the execution of these policies will be documented in the appropriate Enterprise Cybersecurity Manuals (ECSMs).
6.  Release authorized by BGen Lorna M. Mahlock, Director, Information, Command, Control, Communications and Computers (IC4) Deputy Commandant for Information (DC I).//