The Deputy Chief of Naval Operations for Information Warfare, OPNAV N2N6, Vice Adm. Matthew J. Kohler, updated guidance to ensure cyber-secure expanded telework in a joint message with Fleet Cyber Command/10th Fleet April 28.
The new NAVADMIN 123-20 cancels the previous NAVADMIN/OPNAV/172159ZMAR20 issued in March, and provides updated remote working guidance.
OPNAV N2N6 and FCC/C10F continue to refine remote work capabilities and capacity to meet mission requirements. They remind users of Department of the Navy information technology assets to stay cyber-safe and vigilant.
DoD Commercial Virtual Environment
As of April 20, more than 680,000 Navy users (see illustration at top right) have been sent invitations to leverage the DoD Commercial Virtual Environment (CVR) introduced in NAVADMIN/OPNAV/022018ZAPR20. DON users who have not received an invitation via email, should perform the following steps:
- Go to: https://milconnect.dmdc.osd.mil/milconnect/
- Click Update work contact info (GAL)
- Select CAC tab and log in
- Select MIL, CIV, or CTR tab, as applicable
- Under Personnel Status, edit BOTH of the following drop down menus: Duty Organization and Duty Sub Organization
Note there are more than 2,000 Navy organizations listed in MilConnect. You will need to find and select your specific organization in the list. Under Personnel Email Addresses, ensure it is the correct .mil email address. Then click the Submit button.
Updating this information will make remaining Navy users eligible to receive a CVR invitation within 48 hours. The invitation will come from email@example.com, with subject line (TEAMS GENERATED) Welcome to DODs Commercial Virtual Remote Environment. Be sure to check this email message Junk Mail folder as well.
Instructions for activating CVR accounts are in DoD Commercial Virtual Remote (CVR) Collaboration EnvironmenT (CORRECTED COPY),50 NAVADMIN/OPNAV/022018ZAPR20//.
Remote Work Best Practices
Security remains paramount; OPNAV N2N6 and FCC/10F urge all DON IT users to continue to follow all security guidelines. Do not allow an adversary to exploit DON systems and collect information that could be used against DON operations or personnel.
Be vigilant in considering whether the information you are preparing to transmit is Controlled Unclassified Information (CUI). CUI is unclassified information that requires safeguarding or dissemination controls required by law, Federal regulation, and government-wide policy.
The CUI Program replaces existing agency markings like For Official Use Only (FOUO) and Sensitive But Unclassified (SBU). Controlled Technical Information (CTI), includes Personally Identifiable Information (PII), or information protected by the Health Insurance Portability and Accountability Act (HIPAA).
Do not save sensitive information including CUI, PII, and HIPAA to your personal device. More information on CUI can be found on the Deputy Department of Navy Chief Information Officer, Navy (DDCIO(N)) Corona Virus Disease (COVID)-19 page:
Do not stream video while connected remotely or onsite; bandwidth is limited and must be used efficiently. Continue to read Navy/Marine Corps Intranet (NMCI) or OCONUS Navy Enterprise Network (ONE-Net) bulletins as they contain critical information.
The Joint Force Headquarters for Department of Defense Information Networks (JFHQ-DODIN) and Commander, TENTH Fleet (C10F) continue to block most streaming media websites to maximize operational bandwidth available for COVID-19 response remote work.
Echelon II commands should consolidate any exception requests and submit in accordance with reference (c), EXORD/FCC/201950ZMAR20. Submit exemption requests here.
Remote Access Guidance
Utilize remote work options in the following prioritized order to facilitate maximum access for all users.
- Mobikey and Enhanced Virtual Desktop (EVD)
- Mobile devices with Blackberry Unified Endpoint Management (UEM)
- Outlook Web Access (OWA)
- Users with government laptops should access email via OWA vice Remote Access Server (RAS), whenever possible, to reduce the RAS connection load. Users can download/upload files from OWA when using Internet Explorer (IE).
- Users without government laptops accessing OWA utilizing a personal device with a CAC reader will ensure it is in accordance with security measures. Do not use any CAC readers or CAC-enabled devices with government furnished equipment if they are personally procured OR have been plugged into personal devices.
RAS on Government Laptops
Connect to RAS through one of the available gateways (Norfolk, San Diego, Hawaii, Jacksonville, and Bremerton). If accessing the network via RAS: reboot your computer prior to each session, access NMCI or ONE-Net as appropriate, complete required activities, and then terminate your RAS session.
If your RAS connection hangs up and never gets past the securing connection, the Virtual Adapter may not be properly loading. Contact the NMCI Help Desk for assistance.
Per reference (d), unauthorized cloud and collaboration capabilities place DoD information at risk and are not authorized to conduct internal DoD business. Navy users shall use only approved collaboration tools, as outlined below.
- DoD CVR is the Navy preferred unclassified collaboration tool during this period. After the crisis, the CVR environment will be shut down nd all data in it will be permanently deleted. Reference (b) provides further details about CVR capabilities, onboarding, restrictions, and support.
- Defense Collaboration Service provides virtual meetings at https://conference.apps.mil and real-time chat at https://chat.apps.mil/client
- Defense Information Systems Agency (DISA) Global Video Services (fee for some services)
- Secure Access File Exchange at https://safe.apps.mil for secure and /or large file transfers.
- Intelink offers collaborative capabilities including file storage and web-based collaboration at https://www.intelink.gov.
- DoD and Navy SharePoint portals may be used for collaboration and file sharing, including Milsuite at https://www.milsuite.mil.
Further, per NAVADMIN 123-20, all Navy organizations are prohibited from establishing vendor agreements or contracts for the use of new collaboration tools during the COVID-19 crisis. Government personnel may not task a contractor to procure any collaboration tools or services on behalf of the government. If an industry partner hosts a meeting using commercial collaboration tools, government personnel may participate using those tools.
Contractors are authorized to use commercially procured collaboration tools on contractor networks. Do not process or store sensitive information, including but not limited to Controlled Technical Information (CTI), Personally Identifiable Information (PII), or Health Insurance Portability and Accountability Act (HIPAA), unless contractually required to do so.
Collaborative tools on contractor networks are not to be used as a work around to facilitate remote work for government personnel.
The Naval Postgraduate School, Naval War College, and United States Naval Academy may continue to use existing commercially procured collaboration tools on Navy Higher Education Networks (NHENs).
When using non-DoD approved collaboration tools with external entities, such as industry partners, do not discuss, process, or transmit sensitive information, including, but not limited to: CTI, PII, or HIPAA.
When working remotely, it is important to maintain physical, information, and cyber security to prevent our adversaries from being able to exploit our systems and collect information that could be used against us.
Steps that you should take to protect information and reduce the risk of exploitation while teleworking are outlined below.
- Do not use any CAC readers or CAC-enabled devices with government furnished equipment if they are personally procured OR have been plugged into personal devices.
- While not prohibited by policy, it is prudent to avoid connecting government furnished peripheral devices to personal devices. Individual commands may determine if government issued peripherals connected to personal devices will be dedicated to supporting teleworking requirements or may return to government only use.
- Do not attach any personal device to a government issued device.
- Do not leave your CAC in the reader when you are away from your device.
- Use a strong, secure, private password on your personal device and have PIN, fingerprint, or facial recognition enabled to further protect your devices from unwanted physical access.
- Shield your screen from anyone who does not have a need to know the information.
- Do not connect thumb drives to government-issued computers.
- Digitally sign emails requiring message integrity, verification of sender identity (non-repudiation), or attachments.
- Digitally encrypt emails and data-at-rest that contain CUI, PII, IPAA, or all other sensitive information that should be protected against unauthorized access.
- When you receive an alert that intended recipient(s) do not have a certificate for encryption, there are three corrective actions:
- Refresh the email address by deleting the identified addressee and use the Global Address List (GAL) to select the address of the intended recipient(s). If the alert is received a second time, remove the individual(s) from the distribution and send the email without them.
- Send the identified individual a signed, encrypted email and request a signed, encrypted response. This should provide you with the required certificates to include them in future encrypted email exchanges.
- Add the recipients certificates from the Global Directory
Service, https://dod411.gds.disa.mil/ (CAC required).
- For users on OWA, Transport Layer Security (TLS) 1.2 must be enabled to support encryption. The instructions to set this up are available on the NMCI Homeport at https://www.homeport.navy.mil/support/articles/ie-enable-tls/.
CUI is unclassified information that requires safeguarding or dissemination controls required by law, Federal regulation, and government-wide policy. The CUI Program replaces existing agency markings like For Official Use Only (FOUO) and Sensitive But Unclassified (SBU). These different categories of unclassified information require restrictions on handling and transmission.
- Do not save sensitive information including CUI, PII, and HIPAA to your personal device.
- Do not auto-forward official email to commercial or private
domains (e.g., Gmail, Yahoo, etc.).
- Do not auto forward your office phone to an off-site number
unless directed to do so by your command.
- Use only approved file sharing solutions. See the Effective
Use of Remote Work Option and DON CIO Telework Reference Guide links under the DON /Navy Policy heading on the home page of the second link in paragraph 8.a.(1).
- Install and use a DoD-recommended anti-virus solution on your personal devices. All DoD members have free access to a 1-year subscription to McAfee antivirus software. More information on the McAfee software can be found at https://patches.csd.disa.mil/Metadata.aspx?id=79775.
- Secure home Wi-Fi routers by using Wi-Fi Protected Access (WPA) 2 or WPA3 security, password protecting your router with a strong secure password, and enabling encryption.
- Do not click links or open file attachments from unknown accounts. If unsure of the legitimacy of an email, verify with the sender by phone before proceeding.
- Utilize private browsing when possible and delete browsing history, cookies, and cache after each session to avoid compromising credentials.
- Patching and updates. NMCI and ONE-Net assets being used for telework should be connected to the network on a regular basis to receive patches and updates to key software components using one of the following methods:
- Bring the asset back to regular place of work weekly, or at a minimum every two weeks, and plug directly into NMCI or ONE-Net. Reboot machine to ensure it looks for and applies all available patches and updates.
- If unable to return to regular place of work due to Health Protection Condition (HPCON) or other limiting factors, log into the NMCI RAS sites at Norfolk, San Diego, or Jacksonville (not Pearl Harbor) or applicable ONE-Net RAS site. For NMCI, click start, then software distribution, then patch connect to pull available patches and apply them to your asset. To see progress of patching, click on the small up arrow icon in the system tray near the clock, then right-click on the blue Radia icon and choose show console. This software update will run in the background until complete. If possible, leave the machine connected to the RAS for at least four hours to receive all applicable updates, and be sure to reboot once disconnected from the RAS. Please limit this to once per week, and to off hours (overnight) or weekends. Fleet Cyber Command may block access to RAS patching during normal working hours to minimize impact to remote work.
This NAVADMIN will remain in effect until canceled or superseded. The point of contact for further guidance is Capt. Eric McCartney (OPNAV N2N6G32) at firstname.lastname@example.org or phone: 571-256-8399/DSN 312-260-8399.
- NARR/REF A IS NAVADMIN 068/20, Effective Use of Remote Work Options.
- REF B IS NAVADMIN 093/20, DoD Commercial Virtual Remote Collaboration Environment (CORRECTED COPY).
- REF C IS FCC EXORD 20-021, Effective Use of Remote Work Options.
- REF D IS DoD Chief Information Officer Memo on Authorized Telework
Capabilities and Guidance.