Army issues SIPRGuard biometric desktop access control RFI
A Sources Sought/Request for Information (RFI) was issued this past week “for potential vendors that can provide … a SIPRGuard Biometric Controller System, three year Trusted Care Maintenance Service Warranty, Installation and Training on the SIPRGuard System.” The RFI was issued by the Army Contracting Command-Redstone Arsenal, on behalf of the US Army Test, Measurement, and Diagnostic Equipment Activity (USATA).
SIPRGuard is the endpoint physical protection for SIPRNet biometric desktop access controls. SIPRNet is the Secret Internet Protocol Router Network, the Department of Defense’s (DOD) classified version of the civilian Internet, managed by the Defense Information Systems Agency’s (DISA) Defense Information Systems Network. It is a system of interconnected computer networks used by DOD as well as the Department of State to transmit only classified information up to and including the Secret level, by packet switching over TCP/IP protocols, in a “completely secure” environment. It also provides services such as hypertext documents and electronic mail.
According to a Defense Security Service document, SIPRNet is “virtually indistinguishable from the Internet to the user. Its chief visible difference is the domain name system, with almost all sites being under .smil.mil or .sgov.gov. It also provides services such as hypertext document access and electronic mail.”
To protect the integrity of the network, all SIPRNet circuits require Type 1 encryption. The customer is required to provide for the appropriate encryption device and associated Fixed Plant Adapter (FPA) for both ends of the SIPRNet access circuit.
“SIPRGuard streamlines network access from the desktop without compromising security, convenience or performance,” according to a SIPRGuard explanation document. “It uses two factor (PIN & Fingerprint) authentication to connect the desktop KVM and Ethernet devices to the network equipment mounted inside a Trusted Systems IPS Container (CAA equivalent). This precedes, and is in addition to, the normal SIPR token login without the need to open the IPS Container.”
SIPRGuard consists of three modules: a Desktop Module, Control Module and Gateway Module, with the latter two secured inside the IPS Container. Users are enrolled using the Desktop Module. Once the user is validated in the Control Module, signals are transmitted through the Gateway Module to the desktop peripherals.
“Then,” according to the document, “normal SIPRNet token login commences. To disconnect, the user simply removes their SIPR token, presses the off button on the Desktop Module, and walks away. If the user leaves the desktop without pressing the off button, a time-delayed motion sensor kills the circuit automatically. The Control Module supplies power to all other modules, backup manual on/off control and motion sensor management.”
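The access flow described above (enrolment at the Desktop Module, PIN-plus-fingerprint validation in the Control Module, hand-off to the normal SIPR token login, and the disconnect paths via the off button or the motion-sensor time-out) can be written down as a small state machine. The following is an added illustration, not the vendor's firmware or any code from the RFI; the class and method names, the time-out value and the user records are constructed, and fingerprint matching is reduced to an exact template-hash comparison (real biometric matchers are fuzzy and score-based):

```python
"""Constructed model of the SIPRGuard desktop access flow (added example, not vendor code)."""
import hashlib
import hmac
import secrets
from enum import Enum, auto


class State(Enum):
    OFF = auto()                    # circuit to the desktop peripherals is dead
    PERIPHERALS_CONNECTED = auto()  # PIN + fingerprint passed; awaiting SIPR token login
    SESSION_ACTIVE = auto()         # normal SIPRNet token login has commenced


class SIPRGuardController:
    """Hypothetical Control Module: enrolment records, two-factor validation, motion-sensor timer."""

    def __init__(self, inactivity_timeout_s: int = 300):  # 300 s is an assumed delay
        self.timeout = inactivity_timeout_s
        self.users = {}          # user_id -> (salt, pin_hash, fingerprint_hash)
        self.state = State.OFF
        self.current_user = None
        self.idle_s = 0
        self.audit = []          # event log a defender would ship to a SIEM

    # Enrolment is performed from the Desktop Module in the article's description.
    def enroll(self, user_id: str, pin: str, fingerprint_template: bytes) -> None:
        salt = secrets.token_bytes(16)
        pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
        fp_hash = hashlib.sha256(fingerprint_template).digest()
        self.users[user_id] = (salt, pin_hash, fp_hash)
        self.audit.append(f"enrolled {user_id}")

    # Both factors are checked before the Gateway Module connects KVM and Ethernet.
    def authenticate(self, user_id: str, pin: str, fingerprint_template: bytes) -> bool:
        record = self.users.get(user_id)
        if record is None:
            self.audit.append(f"deny unknown user {user_id}")
            return False
        salt, pin_hash, fp_hash = record
        pin_ok = hmac.compare_digest(
            hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000), pin_hash)
        fp_ok = hmac.compare_digest(hashlib.sha256(fingerprint_template).digest(), fp_hash)
        # Evaluate both factors, then decide, so a denial does not reveal which one failed.
        if not (pin_ok and fp_ok):
            self.audit.append(f"deny {user_id}: two-factor check failed")
            return False
        self.state = State.PERIPHERALS_CONNECTED
        self.current_user = user_id
        self.idle_s = 0
        self.audit.append(f"connect peripherals for {user_id}")
        return True

    def token_inserted(self) -> None:
        # Token validation itself is the normal SIPRNet login and is outside this model.
        if self.state is State.PERIPHERALS_CONNECTED:
            self.state = State.SESSION_ACTIVE
            self.audit.append(f"token login commenced for {self.current_user}")

    def token_removed(self) -> None:
        if self.state is State.SESSION_ACTIVE:
            self.state = State.PERIPHERALS_CONNECTED
            self.audit.append("token removed")

    def press_off(self) -> None:
        self._kill("off button")

    def tick(self, elapsed_s: int, motion: bool) -> None:
        """Motion-sensor management: motion resets the idle timer; idling past the delay kills the circuit."""
        if self.state is State.OFF:
            return
        self.idle_s = 0 if motion else self.idle_s + elapsed_s
        if self.idle_s >= self.timeout:
            self._kill("motion sensor time-out")

    def _kill(self, reason: str) -> None:
        if self.state is not State.OFF:
            self.audit.append(f"circuit killed ({reason}) for {self.current_user}")
        self.state = State.OFF
        self.current_user = None
        self.idle_s = 0
```

The point worth noticing for a defender is that the peripherals are only ever connected from the OFF state by a successful two-factor check, and every path back to OFF (off button, time-out) is logged with the user it closed, which is exactly the record an access-point audit like the IG's would want to see.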
The RFI was issued under NAICS Category, “Computer Terminal and Other Computer Peripheral Equipment Manufacturing,” which involves biometrics system input devices (e.g., retinal scan, iris pattern recognition, hand geometry), as well as optical readers and scanners.
USATA has the primary organizational responsibility of performing the test, measurement, and diagnostic equipment (TMDE) calibration and repair support (C&RS) mission for the Army, as well as providing “support to other Department of Defense and federal agencies,” and thousands of industrial-based customers. USATA ensures measurements made with TMDE are traceable to national, international, or intrinsic standards of measurement. USATA’s TMDE C&RS mission is the keystone of the Army diagnostic, calibration, maintenance and repair support program during peacetime and war, supporting every soldier and every weapon system currently in the Army inventory.
The RFI “to ascertain the level of interest of potential vendors desiring to contract for commercial services based on commercial catalog industry pricing” came not quite a year after a damning follow-up audit by the Department of Defense (DOD) Inspector General on the “Military Departments’ Security Safeguards Over SIPRNet Access Points,” conducted “to determine whether the actions Army, Navy, and Air Force officials took to correct the problems identified in prior DOD Office of Inspector General reports improved logical and physical security safeguards that protect SIPRNet access points.”
The IG specifically reviewed the security safeguards protecting SIPRNet access points at Fort Huachuca, Arizona; Fort Hood, Texas; Naval Station Norfolk, Virginia; Naval Air Station North Island, California; Joint Base Langley-Eustis, Virginia; and Offutt Air Force Base, Nebraska.
The IG found that “Army, Navy, and Air Force officials did not correct problems identified in prior DOD Office of Inspector General reports related to the improvement of logical or physical security safeguards that protect SIPRNet access points.” Specifically, among the unclassified findings the IG released, Army, Navy, and Air Force officials “did not ensure that approving officials maintained completed and approved user access forms because officials did not have a process to verify the accuracy and completeness of SIPRNet access forms,” and “did not ensure users had the required security training because officials did not have a process to verify users completed the required annual security training.”
The IG’s report stated that, “Because the SIPRNet supports classified war-fighting and planning applications, the problems we identified with the Army, Navy, and Air Force logical or physical security safeguards could pose a risk to the life and safety of DOD personnel, impact Military programs and operations, and lead to accidental or negligent exposure of classified information on the SIPRNet.”
Among “other recommendations, we recommend that the Army, Navy, and Air Force Chief Information Officers ensure that SIPRNet access request forms are properly completed, reviewed, and approved; and ensure that SIPRNet users complete all required security training,” the DOD IG determined.
Training issues were again addressed in the DOD IG audit report on DOD’s Implementation of the Joint Regional Security Stacks (JRSS).
In April 2018, Alice F. Carey, Assistant Inspector General, Readiness, Operations, and Support, had notified the Department of the Navy of the DOD IG’s “Audit of the Security Controls Over Navy’s Secret Internet Protocol Router Network Access Points,” which it planned to begin that same month.
“This is the first in a series of audits to review the controls implemented by the Military Departments for protecting the Secret Internet Protocol Router Network,” Carey wrote, noting, “We plan to audit each of the military departments separately. Our objective is to determine whether the Navy is effectively protecting SIPRNet access points. We will review the logical and physical controls protecting the SIPRNet access points at selected locations” and “will consider suggestions from management on additional or revised objectives.”
“SIPRNet access points are logical or physical connections where users can access the network. Logical safeguards are system-based mechanisms, such as firewalls, permission settings, and SIPRNet tokens, used to designate who or what has access to a specific system or function. Physical safeguards include locks, guards, and security containers to deter or delay access to the network.”
“Access to the SIPRNet requires a Secret-level clearance and a need to know the classified information [that’s] transmitted on the network,” the IG report stated, noting that “the SIPRNet is an obvious target for cyber attacks and other adverse actions because it contains high-value information. Therefore, the DOD requires that components employ logical and physical security safeguards to protect access to the SIPRNet.”
In September 2014, the DOD Chief Information Officer (CIO), who is responsible for establishing policy and guidance to support DOD Information Network (DoDIN) operations and defensive measures, proposed to the Joint Information Environment (JIE) Executive Committee that DOD should implement the JRSS to address the JIE capability objective of implementing regional security, according to the June IG audit report. “Implementing regional security refers to using the JRSS to provide protected communications between installations and combatant command, military service, and DOD agency networks.”
The IG reported that, “According to the DOD CIO, achieving this capability objective will result in timely access to cyber situational awareness, reduced footprint and enemy attack vectors, and an improved security posture for DoDIN operations,” noting that “an enterprise’s security posture relies on people, hardware, software, policies, and capabilities to protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non‑repudiation.”
In November 2015, the Secretary of Defense directed the DOD CIO to designate the JRSS as an enterprise service and for the DOD to migrate to the JRSS by the end of fiscal year 2019.
The JRSS represents a shift from protecting service‑specific networks and systems to securing the DOD enterprise in a unified manner. JRSS centralizes DOD’s network security into regional architectures instead of local architectures at each military base, post, camp, or station.
In theory, the JRSS provides “situational awareness by collecting data that allows operators to analyze cyber information from DoDIN [so] they can troubleshoot issues occurring on the network and detect threats. For example, sensor data within the JRSS provides operators with information about suspicious network activity, such as adversaries gaining unauthorized access to the network, leading to more successful mitigation efforts and reduced impact to the mission readiness of DOD components.”
According to the June IG audit, “The DOD CIO plans to replace more than 1,000 local security stacks with 23 Non‑Secure Internet Protocol Router Network JRSS and 25 Secret Internet Protocol Router Network JRSS at locations around the world.” As of March 2019, DISA, which serves as the JRSS program management office (PMO), had deployed 13 of the 23 planned NIPRNET JRSS, and planned to deploy the remaining 10 by last October.
“As of March 2019, none of the Secret Internet Protocol Router Network JRSS were deployed,” the IG found, adding that DOD’s Office of the CIO “is still working to address the recommendations related to logical and physical security safeguards.”
As a matter of context, it was SIPRNet which Army Private First Class Chelsea Manning — an intelligence analyst — accessed while deployed to Iraq in 2007 with the 2nd Brigade Combat Team of the Army’s 10th Mountain Division to download and provide to WikiLeaks nearly 750,000 secret or unclassified-but-sensitive military and diplomatic documents. Manning was convicted by court-martial in July 2013 of violations of the Espionage Act and other offenses.
Manning’s apparent job was to make sure fellow intelligence analysts and operators in the field hunting Al Qaeda and the Taliban received everything from the intelligence streams that they were cleared to receive pertinent to their missions. This included information that had been input into JWICS and SIPRNet.
Basically, any intelligence analyst at the time with the knowledge and skill could have accessed pretty much any classified cable, document, report, or other material that he or she wanted at the secret and confidential classification levels, and downloaded it, even onto a portable storage device, because there were no biometric protocols in place to prevent what was later disclosed to be an overlooked security risk.
In fact, it was determined that the secret-level information housed in SIPRNet’s databases could be conveyed to unclassified networks — even portable hard drives and universal serial bus (USB) memory sticks — from battlefields and remote locations using an Annapolis, Md.-based TeleCommunication Systems, Inc. SIPR/NIPR Access Point (SNAP), a portable, interoperable tactical satellite communications terminal. About 1,500 SNAPs were deployed in Iraq and Afghanistan, according to the company.
As a result, DOD began conducting security oversight inspections in forward-deployed areas and vulnerability assessments of military networks, and improved awareness of and compliance with information protection procedures, including new policies on portable, external storage devices, download capabilities, and biometric-enabled monitored network access activity.