Cybersecurity Frequently Asked Questions

Published, December 8, 2017

Thank you for visiting the website of the Department of the Navy Chief Information Officer. The DON CIO provides policy and guidance on information management and information technology/cybersecurity to the Department of the Navy.

Please review the below frequently asked questions before submitting questions via "Contact Us." We have included answers to the most common cybersecurity questions.

After review, if you still have an unanswered question, please feel free to submit it via Contact Us. (Submissions are limited to 1,500 characters. Please allow 3-5 business days for response from the DON CIO team.)

What is DON policy regarding disposal of electronic media (e.g., Solid State Drives (SSD) and Hard Disk Drives (HDD)) no longer needed?

All DON-owned, leased, or purchased electronic storage media and information systems shall remain in DON custody and control until physically destroyed in compliance with NIST Special Publication 800-88, "Guidelines For Media Sanitization" and CNSSI 4004.1, "Destruction and Emergency Protection Procedures for COMSEC And Classified Material" – unless shipped to the National Security Agency (NSA) for destruction.

The National and DON policy guidance below applies to this line of inquiry. (Note: Check with your local Command Information Assurance Managers as additional implementation procedures may apply).

How do I become a Navy Qualified Validator?

To become a Navy Qualified Validator (NQV), candidates must submit an application and supporting documentation to the SPAWAR Information Assurance Technical Authority (IA TA). To receive the NQV designation, which is required to perform validator duties within the RMF process, candidates are now required to meet the qualification criteria developed and enforced by the Navy Security Control Assessor (SCA).

The qualification standards are broken up into four main categories: Certifications, Education, General Experience, and Navy Experience. In addition to the qualification standards, the Navy recognizes three qualification levels of NQVs (Level I, II and III), with Level I being the most basic level and Level III considered expert level.

In addition, the SPAWAR IA TA has also developed computer-based training courses, as well as instructor-led training courses, to ensure validators receive the proper training prior to assessing RMF packages. Successful completion of these courses will be a requirement to receive the NQV designation.

NQV information can be found on the CAC-enabled Navy Portal (select Navy CA Documentation/Navy Validator Information).

Are NMCI NIPR laptops with an active Wi-Fi capability authorized within the SCIF?

For command specific response, please contact SSO Navy at: ONI_ALTN.SSO_Navy@navy.mil

Are there any approved Data at Rest solutions for use on Navy networks?

Review DON policies for Data at Rest (DAR).

For Navy-specific DAR policy and implementation guidance, we recommend contacting OPNAV, via chain of command. The OPNAV cybersecurity point of contact is OPNAV N2N6/DDCIO Navy, ddcio-n@navy.mil.

What is the guidance/policy on Smart TVs for conference rooms that are classified?

The DON CIO has not issued specific policy for Smart televisions. In general, we recommend you work with your Information System Security Manager (ISSM), command security manager, and/or applicable chain of command to identify guidance, requirements, and prohibitions for your environment (i.e., environment type, classification, etc.).

Policies to consider include:

  • DON CIO memo, Acceptable Use of Department of the Navy Information Technology states, "Users must protect DoD/DON information and IT to prevent unauthorized access, compromise, tampering, exploitation, unauthorized or inadvertent modification, disclosure, destruction, or misuse."
  • NTD 06-14, Navy Network Discipline states, "Smart devices are not authorized in classified environments, as they have the capability for information processing, and storage...See your IAM [now ISSM], CSM, or special security officer (SSO) for further guidance."
  • NAVADMIN 290/15, Use of Unclassified Navy and Marine Corps Intranet Laptops with Embedded Wireless refers to NMCI laptops with embedded wireless, but users can apply the same guidelines to smart TVs.
  • DoD Directive 8100.02, para 4.2 states "...other RF or Infrared (IR) wireless devices shall not be allowed into an area where classified information is discussed or processed without written approval from the Authorizing Official in consultation with the Cognizant Security Authority (CSA) Certified TEMPEST Technical Authority (CTTA)." If you believe there is a mission requirement to maintain RF or IR wireless devices in the space, you will need to get approval. The approval process is outlined in DoDD 8100.02.

The following resources may also be helpful:

  • COMNAVNETWARCOM Battle Watch Captain (BWC.NNWC.FCT@navy.mil, 757-203-0110). The Battle Watch Captain assists with inquiries regarding the direction, operation, maintenance, and security of Navy communications and network systems for Department of Defense Information Networks.
  • DDCIO (Navy)/OPNAV (N2N6) (DDCIO-N@navy.mil). DDCIO (Navy) provides Navy-specific cybersecurity policy and implementation guidance.
  • DUSN (Policy) Security Directorate (SD) (M_SECNAV_DUSN_SECURITY_GS@navy.mil). DUSN (Policy) SD is the DON office of responsibility for information and physical security in classified spaces. Contact DUSN (Policy) SD for clarification of information and physical security policy.
  • Chain of command. Your upper echelon commands may have addressed similar questions in the past.

What guidance/policy requires FOUO information to be encrypted when sent via email?

  • DON CIO memo, Acceptable Use of DON Information Technology, states "Users must follow the specific guidance provided in [SECNAV messages DTG 192027Z Aug 10 and DTG 192031Z Aug 10] to properly safeguard controlled unclassified information (CUI), including PII and for official use only (FOUO)" and "Users must encrypt CUI contained in email in accordance with [DoDM 5200.01-V4]."
  • DoDM 5200.01-V4, DoD Information Security Program: Controlled Unclassified Information, states "Whenever practical, electronic transmission of FOUO information (e.g., data, website, or e-mail) shall be by approved secure communications systems or systems utilizing other protective measures such as Public Key Infrastructure (PKI) or transport layer security (e.g., https)."
  • DUSN (Policy) Security Directorate is responsible for the DON Information Security Program. Further questions regarding protecting FOUO, CUI, or similar information can be sent via email to: DON_SECURITY_INFO@navy.mil.

Who would I contact with questions about the Navy Marine Corps Intranet (NMCI) environment, processes, requirements, policy, etc.?

Contact the NMCI Help Desk:
Phone: (866) THE-NMCI or (866) 843-6624
Defense Switched Network (DSN): 577-HELP or 278-0367
Remote Access Service (RAS) DSN: 524-7009 or 278-0368
Email: servicedesk_navy@nmci-isf.com
Portal: https://www.homeport.navy.mil/home/ (CAC-enabled)

Is there a DON instruction/regulation/policy that will allow us to confiscate personal electronic equipment that has been plugged into our ship's network without authorization?

The DON CIO memo, Acceptable Use of Department of the Navy Information Technology, indicates: "Users must not introduce or use unauthorized software, firmware, or hardware on any DON IT resource. Users must not use personally owned hardware, software, shareware, or public domain software for official DON business without written authorization from the local CS authority. Users must protect DoD/DON information and IT to prevent unauthorized access, compromise, tampering, exploitation, unauthorized or inadvertent modification, disclosure, destruction, or misuse."

Who do I contact about my NAVY.MIL domain?

NAVY.MIL is managed by NMCI. Contact the NMCI Help Desk:
Phone: (866) THE-NMCI or (866) 843-6624
Defense Switched Network (DSN): 577-HELP or 278-0367
Remote Access Service (RAS) DSN: 524-7009 or 278-0368
Email: servicedesk_navy@nmci-isf.com
Portal: https://www.homeport.navy.mil/home/

What policy/guidance outside of DoDI 8510.01 mandates the use of the Navy eMASS system for accrediting systems with the NAO?

We recommend visiting the CAC-enabled DDCIO (Navy)'s RMF portal. The portal includes Navy-specific policy and points of contact.

Who do I contact if I have a question about my Certification & Accreditation (C & A)/Assessment & Authorization (A&A)?

  • USN: The USN coordinates all of their authorization activities through their Echelon II Command Information Officer (CIO) staff. The Echelon II CIO can help with your questions and any coordination you need with the Certifying Authority (CA)/Security Control Assessor (SCA) or Operational Designated Accrediting Authority (ODAA)/Navy Authorizing Official (NAO) staff. You can also visit the CAC-enabled NAO Portal.
  • USMC: The USMC coordinates authorization questions via phone number or email: Email: mcnoscwo@mcnosc.usmc.mil Phone: (703) 784-5300

How do I contact NCDOC for incidents?

How do I contact the Certifying Authority (CA)/Security Control Assessor (SCA) or Designated Accrediting Authority (DAA)/Navy Authorizing Official (NAO)/Marine Corps Authorizing Official (USMC AO) staff?

Where do I find USCYBER/DOD/DON Policy and Information?

Some of the main policy sites:

Where do I find Cybersecurity Tips for Civilians?

What is the instruction with duties, responsibilities, and requirements for a Removable Media Representative (RMR)?

USCYBERCOM CTO 10-133 (along with 133A, CH 1, 2, & 3), as amplified for Navy by NETWARCOM CTO 10-25 (along with 25A & B, CH 1 & 2), establishes the procedures for the proper handling and transferring of classified data using all forms of removable media on (to/from) SIPRNet networks. USCYBERCOM CTO 10-133 requires designation of authorized personnel responsible for conducting all “write/download” data transfers on SIPRNet. NETWARCOM CTO 10-25A outlines the functions/responsibilities of Echelon II and Naval Component Command Removable Media Representatives (RMR). CTO 10-25B provides clarification of RMR authority and CTO 10-25B CH1 provides additional RMR requirements.

All CAC-enabled:

Additionally, USCYBERCOM CTO 10-084 of 20 OCT 2010 (which supersedes CTO 10-004A, CTO 10-004 and INFOSPOT 194-08), as amplified for Navy by NETWARCOM CTO 10-04, establishes the policy and restrictions for Removable Flash Media Device Implementation. This policy pertains solely to Flash Media Devices (i.e., sticks, thumb drives and camera memory cards).

COMNAVNETWARCOM Battle Watch Captain (BWC.NNWC.FCT@navy.mil, 757-203-0110). The Battle Watch Captain assists with inquiries regarding the direction, operation, maintenance, and security of Navy communications and network systems for Department of Defense Information Networks.
