Introduction to Networking (DoD Version)
═══════════════════════════════════════════════════════════════════
RESTRICTED DISTRIBUTION — DICDP PROGRAM PARTICIPANTS ONLY
═══════════════════════════════════════════════════════════════════
RED IRISH GLOBAL SERVICES
Defense Information Capacity Development Program (DICDP)
Communications and Information Systems (CIS) Track — Foundation Level
Foundation Networking Course | Day 01 Morning Lecture Notes
Document ID: DICDP-CIS-FNC-D01-LN-AM-v4
Issued: [date of determination]
Controlled by: Program Director, DICDP, Red Irish Global Services
Redirect requests: ops@redirish.global
Distribution: RESTRICTED — Program participants only
═══════════════════════════════════════════════════════════════════
Restricted Distribution Statement
This material is the intellectual property of Red Irish Global Services. Distribution is authorized only to participants enrolled in the Defense Information Capacity Development Program (DICDP). Reproduction, transmission, posting to public networks or social media, sharing with non-participants, or use as the basis for derivative training materials, in whole or in part, requires prior written authorization from Red Irish Global Services. Other requests shall be referred to: ops@redirish.global
Program Notice — Read Before Continuing
This document and the materials accompanying it are part of the Defense Information Capacity Development Program (DICDP), a foreign-military capability development program operated by Red Irish Global Services.
Program authority. The Defense Information Capacity Development Program is developed and delivered by Red Irish Global Services (RIGS), a Defense Cyber and Information Systems Contractor established in 2018 and serving ministries of defense, military commands, national police forces, and government institutions across EMEA and APAC. DICDP curricula are developed and delivered by personnel with operational backgrounds in defense networking, military communications, and government information systems. Doctrinal references throughout the materials cite publicly available standards and publications; the program is operated under RIGS's own authority and not on behalf of any government.
Intellectual property. All content — text, structure, diagrams, scenarios, instructional methodology, and curriculum design — is the property of RIGS. No license, transfer, or assignment of rights is granted by access to this material beyond the specific use authorized in the DICDP Program Participation Agreement.
Restricted distribution. This material is provided to authorized program participants for personal study and use during the course of instruction. It may not be reproduced, transmitted, posted to public networks or social media, shared with non-participants, or used as a basis for derivative training materials, in whole or in part, without prior written authorization from RIGS. Other requests shall be referred to: ops@redirish.global
Unclassified material. This material is unclassified. It does not contain US classified national security information and is not marked with US Government distribution statements under DoDI 5230.24. Participants are expected to apply professional handling discretion consistent with the sensitivity of the subject matter.
Export control awareness. This material discusses defense networking architecture and security doctrine. Participants are responsible for compliance with applicable export-control laws and regulations in their own jurisdictions when handling, transmitting, or further-disseminating this material.
Authorized use. Program participants may retain this material for personal professional reference after the course concludes, subject to the restrictions above and to the Participation Agreement.
Acceptance. Continued use of this material constitutes acknowledgment of and agreement to these terms.
Day 1 — Introduction to Networking (DoD Version)
MORNING SESSION — Foundations
Document ID: DICDP-CIS-FNC-D01-LN-AM-v4 Version: v4.0
Opening
Welcome to Day 1.
The civilian lecture you just attended explained what a network is at the level of universal concepts — hosts, clients, servers, protocols, network types. Every one of those concepts is true on a DoD network. None of them is enough on a DoD network.
This document fills the gap between the civilian frame and the operational reality you will work in.
The morning session covers the foundations: what a network actually means in a DoD context, what makes a "host" a DoD host (it is not just an IP address), why the DoD architecture is almost always client/server, and what NIPRNet / SIPRNet / JWICS really are.
The afternoon session will take this foundation and build the doctrine frame — the DoDIN, the Four Rules that govern every DoD network, and the RMF process behind every authorization.
By the end of Day 1 you will not just know what a network is. You will know how a network becomes a DoD network — and that distinction is what the rest of the course is built on.
Part 1 — What a Network Is, in DoD Terms
The civilian definition (recap)
The civilian lecture defined a network as: devices + connections + protocols. All three are required. Missing any one and communication fails. This is correct, and it is the universal foundation.
What DoD adds
In DoD, that three-part definition is necessary but not sufficient. A working network — one where packets flow and pings succeed — is not yet a DoD network. A DoD network requires four additional elements on top of the civilian three:
Element | What it means |
|---|---|
Authorization | Every device sits inside a system boundary covered by an ATO (Authorization to Operate) signed by the designated Authorizing Official before the device ever connects. |
Compliance | Every device matches a STIG (Security Technical Implementation Guide) configuration baseline before it goes live. |
Documentation | The connection is recorded in DoD asset and connection tracking systems. Unrecorded connections are unauthorized connections. |
Classification | Every network operates at one specific classification level. Crossing levels requires special engineered gateways — there is no "just connect them" option. |
So the DoD definition is:
DoD Network =
Devices + Connections + Protocols (the civilian foundation)
+ ATO (legal authorization)
+ STIG compliance (configuration baseline)
+ Documentation (asset and connection records)
+ Classification level (the security boundary)
If you walk into a DoD facility, find an empty switch port, plug in your laptop, and successfully ping another machine — you have created a working network. You have not created a DoD network. You have created an unauthorized connection — and the consequences are serious. Your laptop will be confiscated. An incident will be opened. Depending on the network you touched, you may lose your clearance.
The civilian three parts make the packets flow. The four DoD additions make the connection lawful and trusted.
The point: a DoD network is not just technically a network. It is also legally and administratively a network. Both must be true.
Why this matters from minute one
Every concept in this course — every protocol, every device, every architecture — sits inside this expanded definition. When you learn what a switch does on Day 4, you are learning about a switch that has an ATO, has a STIG configuration, is documented in the asset inventory, and operates at one classification level. The civilian switch is the same hardware; the DoD switch is that same hardware plus all four wrappers.
Part 2 — Hosts, Clients, and Servers in DoD
The civilian concepts (recap)
The civilian lecture defined:
Host = any device on the network with an IP address (PC, phone, IP camera, printer, server).
Client = a host that requests data or services.
Server = a host that provides data or services in response to requests.
These definitions hold in DoD without change. What changes is everything around them.
What makes a host a DoD host
In the civilian world, you connect a laptop to a network by plugging it in and accepting the DHCP lease. The laptop is now a host on that network.
In DoD, the same laptop is not yet a DoD host. To become one, it must satisfy the following — before connecting:
Requirement | What it means |
|---|---|
Government Furnished Equipment (GFE) | The hardware is government-procured, government-owned, or specifically authorized. Personal laptops are not DoD hosts and cannot become DoD hosts. |
STIG-compliant operating system and applications | The OS and the major applications have been hardened against the applicable DISA STIG. Default Windows or default Linux installations do not qualify. |
HBSS / ESS agent installed and reporting | The DoD's endpoint security suite is installed, active, and reporting to the central ePO console (or its successor — see Day 8). |
Enrolled in the asset inventory | The device is listed in the DoD asset tracking system. Serial number, hardware configuration, software baseline, and assigned user are all recorded. |
Authorized user with valid credentials | Only personnel with the appropriate clearance, need-to-know, and CAC certificates can log in. |
Covered by an ATO | The device is included in the system boundary covered by an active Authorization to Operate. |
A host that is missing any one of these is not a DoD host. It is a foreign device, and if it appears on the network it triggers a security incident (the "rogue system detection" you will hear about in Day 8).
The CAC — what a DoD user looks like
Civilian users authenticate with a username and password. DoD users authenticate with a Common Access Card (CAC) plus a PIN.
What the CAC physically is: a smart card the size of a credit card. On the front: a photo, name, rank/affiliation, barcodes, and the ICC (Integrated Circuit Chip), the gold contact pad. On the back: a magnetic stripe and further identifying data. Inside the chip is a tamper-resistant processor that holds the cryptographic keys and certificates. There is also a contactless antenna for limited use cases.
What the CAC actually contains (this is what makes it powerful):
Stored on the CAC | What it is for |
|---|---|
Identity (PIV Authentication) certificate | Proves who you are when you log in to a workstation or a network service. This is the certificate that authenticates you to Active Directory. |
Encryption certificate | Allows others to encrypt email to you so that only you can decrypt it. Anyone in the DoD can find your public key in the Global Address List and encrypt to it. |
Digital signature certificate | Lets you sign emails and documents. Your signature is cryptographically tied to your identity: it cannot be produced without the private key on your card, and you cannot credibly deny having made it. This is the basis of non-repudiation (covered in Day 8). |
Fingerprint biometric template | Stored on the chip. Used primarily during card issuance and re-issuance to confirm you are the same person, and in some physical access systems. Not used for routine workstation logon. |
Photograph and personal data | For visual identification by guards and for badge functions. |
How the CAC is actually used for logon:
You insert the card into a contact reader (the slot in your keyboard or a USB reader).
The workstation prompts you for your PIN.
You enter the PIN. The workstation's smart-card middleware passes it to the chip on the card, which checks it on-card. The PIN is never sent to the authentication server or across the network.
If the PIN is correct, the chip "unlocks" and is willing to perform cryptographic operations using the private keys stored inside it.
The workstation sends a challenge (a random number, fresh for every logon attempt) to the chip; the chip signs it with the private key that belongs to the PIV Authentication certificate.
The signed challenge plus the certificate are sent to the authentication server (typically Active Directory, using Kerberos PKINIT smart-card logon). The server verifies the signature against the public key in the certificate, checks that the certificate chains up to a trusted DoD Certificate Authority, and checks that the certificate has not been revoked.
You are logged in.
Two crucial properties of this process:
The private key never leaves the card. It cannot be copied by malware on the workstation, recovered from a disk image of the workstation, or exported by the user. The card must be physically present at the reader whenever the key is used. The caveat a defender has to remember: malware on the workstation cannot steal the key, but it can ask the card to sign while the card is inserted and the PIN has been entered. That is why endpoint hardening, and removing the card when you step away, still matter.
The PIN is verified on the card, not on the workstation or the server, and it is never transmitted over the network. Stealing the PIN alone is useless without the physical card; stealing the card is useless without the PIN, and after three wrong entries the card locks itself. That is what makes this genuine two-factor authentication.
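The logon sequence above, as an added example that is not part of the original lecture notes: a toy model of the card, the workstation, and the authentication server. It uses textbook RSA over fixed Mersenne primes so that it runs offline with no dependencies; the key sizes, the certificate encoding, the CA name, the subject name, and the PIN lockout count of three are all illustrative stand-ins, not real DoD PKI parameters, and a real CAC is driven through PIV/ISO 7816 commands rather than Python method calls. What it demonstrates is the shape of the protocol: the PIN stops at the card, the nonce is fresh per attempt so a captured signature cannot be replayed, the server never sees the PIN, and a certificate from an untrusted issuer fails the chain check.

```python
"""Toy model of CAC logon: PIN checked on-card, fresh nonce signed on-card with a key the
card never exports, server checks signature and chain. Textbook RSA; not FIPS crypto."""
import hashlib
import secrets
from dataclasses import dataclass

E = 65537
MERSENNE = {k: (1 << k) - 1 for k in (31, 61, 89, 107, 127)}  # known primes


def keypair(k1, k2):
    """((n, e), d) for p = 2^k1 - 1, q = 2^k2 - 1; deterministic on purpose."""
    p, q = MERSENNE[k1], MERSENNE[k2]
    return (p * q, E), pow(E, -1, (p - 1) * (q - 1))


def _h(msg: bytes, n: int) -> int:
    # 128-bit truncated SHA-256 keeps the message representative below n.
    return int.from_bytes(hashlib.sha256(msg).digest()[:16], "big") % n


def sign(msg: bytes, d: int, pub: tuple) -> int:
    return pow(_h(msg, pub[0]), d, pub[0])


def verify(msg: bytes, sig: int, pub: tuple) -> bool:
    n, e = pub
    return pow(sig, e, n) == _h(msg, n)


@dataclass(frozen=True)
class Cert:
    subject: str
    pub: tuple
    issuer: str
    sig: int  # issuer's signature over tbs()

    def tbs(self) -> bytes:  # stand-in for a DER TBSCertificate
        return f"{self.subject}|{self.pub[0]}|{self.pub[1]}|{self.issuer}".encode()


def issue_cert(subject, pub, issuer, issuer_d, issuer_pub):
    tbs = Cert(subject, pub, issuer, 0).tbs()
    return Cert(subject, pub, issuer, sign(tbs, issuer_d, issuer_pub))


class SmartCard:
    """Only the card holds _pin and _d; no method returns either."""
    PIN_TRIES = 3  # illustrative lockout count

    def __init__(self, pin, cert, d):
        self._pin, self._d, self.cert = pin, d, cert
        self._tries, self._unlocked = self.PIN_TRIES, False

    def verify_pin(self, pin) -> bool:  # the card-side VERIFY step
        if self._tries == 0:
            return False  # blocked: needs an unblock at an issuance site
        if secrets.compare_digest(pin, self._pin):
            self._tries, self._unlocked = self.PIN_TRIES, True
            return True
        self._tries, self._unlocked = self._tries - 1, False
        return False

    def sign_challenge(self, nonce: bytes) -> int:
        if not self._unlocked:
            raise PermissionError("PIN not verified")
        return sign(nonce, self._d, self.cert.pub)


def workstation_logon(card, pin):
    """Workstation side: hands the typed PIN to the card, then has a fresh nonce signed.
    The PIN stops here; server_verify never receives it."""
    if not card.verify_pin(pin):
        return None
    nonce = secrets.token_bytes(32)  # fresh per attempt, so an old signature cannot be replayed
    return card.cert, nonce, card.sign_challenge(nonce)


def server_verify(cert, nonce, sig, trust_anchors):
    """Server side: signature over the nonce, then the chain to a trusted CA."""
    if not verify(nonce, sig, cert.pub):
        return False, "bad signature"
    ca_pub = trust_anchors.get(cert.issuer)
    if ca_pub is None or not verify(cert.tbs(), cert.sig, ca_pub):
        return False, "untrusted issuer"
    return True, cert.subject


def demo():
    ca_pub, ca_d = keypair(89, 107)
    card_pub, card_d = keypair(61, 127)
    cert = issue_cert("CN=DOE.JANE.1234567890", card_pub, "DoD ID CA-TOY", ca_d, ca_pub)
    anchors = {"DoD ID CA-TOY": ca_pub}
    card = SmartCard("123456", cert, card_d)
    out = {"good": server_verify(*workstation_logon(card, "123456"), anchors)}
    out["wrong_pin"] = workstation_logon(card, "000000")  # card refuses; nothing is signed
    _, nonce, sig = workstation_logon(card, "123456")
    out["replay"] = server_verify(cert, secrets.token_bytes(32), sig, anchors)  # old sig, new nonce
    rogue_pub, rogue_d = keypair(31, 107)  # a CA the server does not trust
    rogue_cert = issue_cert("CN=EVIL", card_pub, "Rogue CA", rogue_d, rogue_pub)
    out["rogue"] = server_verify(rogue_cert, nonce, sig, anchors)
    blocked = SmartCard("123456", cert, card_d)
    for _ in range(SmartCard.PIN_TRIES):
        blocked.verify_pin("999999")
    out["blocked"] = blocked.verify_pin("123456")  # right PIN, but the card is now locked
    return out
```

Run `demo()` and look at the five outcomes: only the first succeeds. Note what the model does not protect against: `workstation_logon` can call `sign_challenge` as often as it likes while the card is unlocked, which is exactly the window malware on a compromised workstation has.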
Why this is two-factor authentication:
Factor | What it is | In the CAC |
|---|---|---|
Something you have | A physical object that must be in your possession | The CAC itself — the card must be physically inserted |
Something you know | A secret only the user knows | The PIN |
A username and password is only one factor: the username is an identifier, not a secret, so the password is the only "something you know." A CAC + PIN is genuinely two distinct factors. Stealing one does not give the attacker the other.
The same CAC is used everywhere: workstation logon, encrypted email, document signing, VPN client authentication, SharePoint and internal portal logon, and many physical access systems on installations. One physical token, used universally.
Beyond the CAC — Other Authentication Methods in DoD
A common student question is: "In the civilian world we have fingerprint readers, face recognition, NFC tap-to-unlock. Does DoD use any of these?"
The honest answer is: the CAC plus PIN is the authoritative DoD authentication method, mandated by HSPD-12 (Homeland Security Presidential Directive 12) and implemented through FIPS 201 for PIV/CAC credentials. But DoD does use other methods in specific, limited contexts. Here is the realistic picture:
Methods used in DoD today:
Method | How it is used in DoD |
|---|---|
CAC + PIN (smart card + PIN) | The standard. The default. The mandated method for almost all DoD workstation and network logon. |
Fingerprint biometric (on the CAC) | Stored on the CAC chip and used during card issuance, card re-keying, and some physical-access systems. Not used for routine workstation logon — the PIN remains the second factor for daily use. |
Derived PIV Credentials (DPC) | A "CAC-equivalent" credential placed on a mobile device (phone or tablet), governed by NIST SP 800-157. The mobile device replaces the physical card; the second factor is a PIN or a biometric on the device (fingerprint or face). Used for authorized mobile access to DoD resources without carrying a card reader. |
SIPR token | A separate smart card specific to SIPRNet, with its own certificates. The SIPR token is to SIPRNet what the CAC is to NIPRNet. Same model, different card, different issuing authority. |
Password (for some accounts) | Legacy or specific service accounts may still use passwords, but for human user logon to DoD networks, passwords alone are not compliant with current policy. |
Methods that are NOT authorized for DoD network logon:
Method | Why not |
|---|---|
Fingerprint as primary logon factor (no card) | Biometrics alone are "something you are" — they cannot be revoked if compromised, they can be lifted from surfaces, and they are not interoperable across systems. PIV/CAC remains the authoritative federal credential per HSPD-12. |
Face recognition as logon | Same reasons. Useful as a factor on a mobile device (with DPC), not as the sole authentication. |
NFC tap-to-unlock for network logon | The CAC has a contactless (NFC) interface, but it is used for limited physical-access cases — not for cryptographic logon to a workstation. Cryptographic logon uses the contact interface. |
SMS-based one-time codes | Phone-based SMS is not phishing-resistant and is not authorized for DoD authentication. |
Username/password alone | Not compliant with HSPD-12 / FIPS 201 for federal personnel logon to information systems. |
Where DoD is heading:
DoD has actively explored multi-modal biometrics (fingerprint + iris + facial) as a future augmentation to the CAC, not a replacement. The 2018 Pentagon Force Protection Agency (PFPA) RFI made the position clear: HSPD-12 keeps the PIV/CAC as the authoritative credential, but biometrics may augment it in the future for higher-assurance physical access and contingency scenarios.
For now and the foreseeable future: CAC + PIN is the answer for workstation logon. Derived PIV is the answer for authorized mobile access. SIPR token is the answer for SIPRNet workstation logon. Biometrics support these, but do not replace them.
Reference: HSPD-12 — Homeland Security Presidential Directive 12. FIPS 201 — Personal Identity Verification (PIV) of Federal Employees and Contractors. NIST SP 800-157 — Guidelines for Derived PIV Credentials. DoDI 8520.02 — Public Key Infrastructure (PKI) and Public Key Enabling.
Server roles in DoD — same idea, different stakes
Every server role from the civilian lecture exists in DoD: web servers, file servers, mail servers, DNS servers, DHCP servers, database servers. The functions are the same.
What differs is the operational rigor:
DNS in DoD uses DoD-authorized DNS servers, never public ones (no 8.8.8.8, no 1.1.1.1). DNSSEC validation is required for NIPRNet.
What DNSSEC is: DNS Security Extensions. Standard DNS has no way to prove that a DNS response actually came from the legitimate owner of a domain. An attacker who can intercept or poison DNS responses can redirect users to a server of their choosing. HTTPS does not remove the problem: the name is resolved before the TLS connection is made, so a poisoned answer sends the connection to the attacker's server, and the only remaining protection is certificate validation (which does not help for plain HTTP, for non-browser clients that skip it, or for users who click through a warning). DNSSEC fixes the resolution step by adding cryptographic signatures to DNS records. A DNSSEC-validating resolver can verify that a response was signed by the authoritative nameserver and has not been tampered with. DoD requires DNSSEC validation per OMB Memorandum M-08-23 so that DoD users do not get silently redirected to fake or malicious sites through poisoned DNS. Pointing a DoD workstation at a non-DoD resolver bypasses this protection and is a STIG finding.
NTP (time servers) must point to USNO (the US Naval Observatory) or DoD-authorized stratum servers, never to pool.ntp.org.
File servers enforce access controls based on clearance and need-to-know — not just role.
Mail servers on NIPRNet and SIPRNet are separate systems. A NIPRNet mail server has no path to a SIPRNet mail server.
Each of these comes up in detail later in the course. For Day 1 it is enough to know: the function is identical, the governance is what changes.
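As an added example, not part of the original lecture notes: a small audit that checks a workstation's resolver and NTP configuration for the two findings named above (public resolvers such as 8.8.8.8, public pools such as pool.ntp.org) and reads the header of a `dig +dnssec` answer for the AD flag, which is how you confirm that a resolver actually validated. The sample `resolv.conf`, `ntp.conf` and `dig` output are constructed for this example, and the `AUTHORIZED_DNS` and `AUTHORIZED_NTP` allowlists are placeholders, not DISA's authorized-server lists; only the USNO hostnames are real, and the enclave's approved baseline is what belongs there.

```python
"""Audit constructed resolver/NTP configuration for unauthorized sources and check
a dig header for the AD flag that shows DNSSEC validation happened."""
import ipaddress
import re

AUTHORIZED_DNS = {"10.0.53.1", "10.0.53.2"}  # placeholder enclave resolvers
AUTHORIZED_NTP = {"tick.usno.navy.mil", "tock.usno.navy.mil", "10.0.123.1"}  # placeholder
KNOWN_PUBLIC_DNS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}


def _strip(line: str) -> str:
    return line.split("#", 1)[0].strip()


def audit_resolv_conf(text: str) -> list:
    """Return (address, reason) for every nameserver that is not an authorized resolver."""
    findings = []
    for raw in text.splitlines():
        parts = _strip(raw).split()
        if len(parts) < 2 or parts[0] != "nameserver":
            continue
        addr = parts[1]
        if addr in AUTHORIZED_DNS:
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((addr, "unparseable nameserver"))
            continue
        if addr in KNOWN_PUBLIC_DNS:
            findings.append((addr, "well-known public resolver"))
        elif ip.is_loopback:
            findings.append((addr, "local stub; audit its upstream (systemd-resolved, dnsmasq) too"))
        elif ip.is_private:
            findings.append((addr, "private address not on the authorized list"))
        else:
            findings.append((addr, "non-DoD resolver"))
    return findings


def audit_ntp_conf(text: str) -> list:
    """Return (host, reason) for every server/pool/peer line that is not an authorized source."""
    findings = []
    for raw in text.splitlines():
        m = re.match(r"^(server|pool|peer)\s+(\S+)", _strip(raw))
        if not m:
            continue
        kind, host = m.groups()
        if host in AUTHORIZED_NTP:
            continue
        if kind == "pool" or host.endswith("pool.ntp.org"):
            findings.append((host, "public NTP pool"))
        else:
            findings.append((host, "time source not on the authorized list"))
    return findings


def dnssec_validated(dig_output: str) -> bool:
    """True only if the resolver set the AD (authenticated data) flag in the header."""
    m = re.search(r"^;; flags: ([a-z ]+);", dig_output, re.MULTILINE)
    return bool(m) and "ad" in m.group(1).split()


# Constructed sample inputs for this example.
RESOLV_CONF = """\
# /etc/resolv.conf on a workstation someone "fixed" after slow DNS
nameserver 10.0.53.1
nameserver 8.8.8.8
nameserver 127.0.0.53
"""
NTP_CONF = """\
server tick.usno.navy.mil iburst
pool 2.pool.ntp.org iburst
server 192.168.1.5
"""
DIG_VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
DIG_UNVALIDATED = DIG_VALIDATED.replace(" ad;", ";")

if __name__ == "__main__":
    print(audit_resolv_conf(RESOLV_CONF))
    print(audit_ntp_conf(NTP_CONF))
    print(dnssec_validated(DIG_VALIDATED), dnssec_validated(DIG_UNVALIDATED))
```

Two caveats the code encodes. The AD bit is the resolver's assertion, not the stub's own validation; a workstation that trusts it is trusting the last hop, which is why the resolver itself must be the authorized one. And a loopback nameserver (127.0.0.53 here) is not a finding by itself but hides the real upstream, so the audit flags it for follow-up rather than passing it.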
Part 3 — Architecture: Why DoD Is Almost Always Client/Server
The civilian comparison (recap)
The civilian lecture introduced two architectures:
Peer-to-peer (P2P) — every device is equal, requests and provides at the same time. Simple, scattered, hard to manage.
Client/server — dedicated roles, centralized servers, scalable, secure, requires administration.
The civilian guidance: client/server dominates organizational networks; P2P is for home use and small workgroups.
Why DoD is even more committed to client/server
In DoD the imbalance is much sharper. Almost every operational DoD network is client/server, and the reasons go beyond convenience:
Centralized authentication is mandatory. DoD users authenticate via CAC against Active Directory — a centralized identity system. Peer-to-peer has no central authentication authority. Without one, there is no way to enforce clearance levels or need-to-know consistently. P2P is structurally incompatible with how DoD identifies users.
Centralized logging is mandatory. Every access, every command, every login on a DoD system must be logged and forwarded to a central system (the SIEM). Logs feed the CNDSP and the cyber defense apparatus. P2P has no central log destination. An isolated P2P share generates no traceable audit record — which on a DoD network is itself a finding.
Centralized policy enforcement is mandatory. STIG configurations, HBSS policies, software updates, security patches — these are all pushed centrally to every endpoint. The whole HBSS/ESS architecture you will see in Day 8 (ePO pushing policy to thousands of endpoints) is fundamentally client/server. P2P cannot enforce uniform policy.
Data centralization is required for backup, recovery, and access control. Classified data scattered across peer devices is uncontrollable. Centralized storage with enforced ACLs is how classified data is actually protected.
The narrow exceptions
P2P-style or mesh architectures do exist in DoD, but only in tightly scoped contexts:
Tactical mesh radios in austere environments (forward-deployed units operating without infrastructure) sometimes form peer-to-peer mesh networks. These are purpose-built systems with their own security architecture, not general-purpose P2P.
Some specialized intelligence and SOF systems use peer-to-peer-style architectures for resilience. These are exceptions, accredited individually, not the rule.
Pure direct-share P2P between two DoD laptops (the civilian "two laptops sharing a folder" example) is generally prohibited on classified networks because it bypasses centralized logging and access control.
The point: on the networks you will operate — installation NIPRNet and SIPRNet enclaves — the answer to "P2P or client/server?" is essentially always client/server. The architecture is not a preference. It is a structural requirement of how DoD does identity, logging, and policy.
Part 4 — DoD Network Types: NIPRNet, SIPRNet, JWICS
The civilian map (recap)
The civilian lecture introduced four network types based on geography:
PAN ............ ~10 meters ........ personal devices
LAN ............ one building/campus . office, school
MAN ............ one city ............ ISP, university with multiple campuses
WAN ............ countries/continents the Internet, corporate WANs
Classification: geographic. Size and reach determine the category.
The DoD map is different — classification drives everything
DoD networks are categorized first by classification level, not geography. Each DoD network exists as a global system at one specific classification level, and the levels are physically separate.
JWICS ........ Top Secret / SCI .......... intelligence community
SIPRNet ........ SECRET .................... operational planning, C2, intel sharing
NIPRNet ........ Unclassified (often CUI) .. routine work, email, admin
Some of the terms in that simple map need to be defined before we go any further:
Term in the map | What it means |
|---|---|
Top Secret / SCI | The highest US classification level — "Top Secret" — plus an additional access layer called SCI (Sensitive Compartmented Information). SCI means that even with a Top Secret clearance, you also need to be formally "read on" to a specific compartment to access that compartment's information. Most TS/SCI material is intelligence-derived (signals intelligence, human intelligence, imagery, etc.). |
SECRET | The middle US classification level. Unauthorized disclosure would cause "serious damage" to national security (per Executive Order 13526). Used for operational plans, intelligence at the Secret level, foreign liaison material, and many categories of military capability information. |
Unclassified | Information not designated as classified. Does not mean "public" — most unclassified DoD information is still controlled. |
CUI (Controlled Unclassified Information) | A formal category of unclassified-but-protected information requiring safeguards in handling, storage, and dissemination. Personal information, contract data, certain operational details. CUI replaced the older "For Official Use Only (FOUO)" marking. CUI is the typical content of routine NIPRNet traffic. |
Intelligence community | The 18 US government agencies and organizations that conduct intelligence activities — including DIA, NSA, CIA, NGA, NRO, the service intelligence components, and others. JWICS is their shared classified network. |
Operational planning | The work of designing, coordinating, and executing military operations. The "what we will do, with whom, when, and how" of a military mission. Often at SECRET level. |
C2 (Command and Control) | The authority and direction commanders exercise over assigned forces. C2 messages carry orders, status, and decisions. Much C2 happens on SIPRNet. |
Intel sharing | Distribution of intelligence products and reporting among authorized organizations. Routinely happens at SECRET (SIPRNet) and TS/SCI (JWICS) levels. |
Routine work, email, admin | The day-to-day unclassified business of the DoD: HR systems, payroll, training records, logistics tracking, vendor management, normal email and web. |
Notice what this means: a SIPRNet workstation in a forward base in one country, a SIPRNet workstation at the Pentagon, and a SIPRNet workstation at a sea-borne command share one network — globally — because they are all at the same classification level. From a civilian-mapping perspective, SIPRNet is a global WAN. But it is not categorized by being a WAN. It is categorized by being SECRET.
The classification axis is primary. Geography is secondary.
Global Reach — Why "DoD network" Means Worldwide
A natural civilian assumption is that a "military network" lives at one military base. That is incorrect for DoD. NIPRNet, SIPRNet, and JWICS are global networks — they reach every US military installation worldwide and beyond. Specifically:
Continental US installations: Every major military base, command headquarters, and DoD facility in the United States has NIPRNet and SIPRNet connectivity. Most have JWICS access in their intelligence facilities.
Overseas US bases: US bases in Germany, Japan, South Korea, Italy, the United Kingdom, Guam, Bahrain, Djibouti, and elsewhere are full NIPRNet and SIPRNet nodes. A user at Ramstein Air Base in Germany works on the same SIPRNet that a user at Fort Bragg in North Carolina works on — the network is one logical SECRET network spanning continents.
US embassies and diplomatic posts: The Department of State operates both NIPRNet and SIPRNet at embassies and consulates around the world, in coordination with DoD. This is how military attachés, defense liaison officers, and embassy staff share classified information with home commands.
Naval vessels at sea: Warships extend NIPRNet and SIPRNet to their crews via satellite communications links. A SECRET intelligence brief composed at the Pentagon can be read by a watch officer on a destroyer in the Mediterranean within seconds.
Forward deployed and tactical users: Forward operating bases, expeditionary commands, and tactical units extend NIPRNet and SIPRNet to the edge through satellite links such as TROJAN SPIRIT and TROJAN SPIRIT LITE — transportable SATCOM terminals that can ride in a transit case, on a trailer, or in a shelter. This is how a SECRET network reaches a unit in the field with no fixed infrastructure.
Coalition partners: Specific approved coalition partners may receive bounded access to SIPRNet or to releasable-coalition networks like CMNT (Common Mission Network Transport) through formal mission-partner agreements and Mission Partner Gateways (MPGW).
What this means in practice: when you operate FCN-7 — the fictional installation used throughout this course — you are connecting an installation to a global network that already spans dozens of countries and hundreds of installations. Your installation is not the network. Your installation is one node on the network.
Reference: DoDI 8010.01 — Department of Defense Information Network (DoDIN) Transport. The DISN architecture documentation confirms global reach. SIPRNet currently has on the order of half a million users; NIPRNet considerably more. Both connect installations on six continents.
The three major DoD networks
NIPRNet — Non-classified Internet Protocol Router Network
The DoD's unclassified network. The network most personnel use daily for routine work: email, web browsing, administrative systems, payroll, training records, logistics tracking.
Property | Detail |
|---|---|
Classification level | Unclassified — often handles Controlled Unclassified Information (CUI) |
Connectivity | Connected to the public internet through controlled DISA-operated Internet Access Points (IAPs) |
Operator | DISA operates the backbone; each installation operates its own enclave |
Boundary defense | DISA's Joint Regional Security Stacks (JRSS) sit at the boundary — see Day 8 |
Authentication | CAC + PIN |
NIPRNet handles a great deal of sensitive material even though it is "unclassified." CUI is unclassified-but-protected: personal information, contract data, certain operational details, anything marked FOUO (For Official Use Only) in older documents. NIPRNet is not a "public" network just because it touches the internet — it is a controlled network that has a connection to the internet through controlled gateways.
SIPRNet — SECRET Internet Protocol Router Network
The DoD's SECRET-level classified network. Used for operational planning, command and control, intelligence sharing at SECRET, classified messaging, classified VTC, anything carrying SECRET data.
Property | Detail |
|---|---|
Classification level | Up to and including SECRET |
Connectivity | Completely isolated from the public internet — no IAP exists for SIPRNet |
Operator | DISA operates the backbone (the DISN SECRET transport); each installation operates its own SIPRNet enclave |
Access | Only from a SIPRNet-authorized terminal inside a SIPRNet-authorized facility (a SCIF or accredited Controlled Access Area) |
Authentication | SIPR token + PIN — a separate smart card issued for SIPRNet with its own certificates (see "Beyond the CAC" above), used only on a SIPRNet-authorized workstation |
Restrictions | No USB drives without strict approved process; no personal electronics in the room; no photography of screens; TEMPEST controls may apply |
SIPRNet does the same kind of work NIPRNet does — email, web, file sharing, VTC — but at SECRET level. The technical functions are the same. The physical security, facility accreditation, and operational rigor are entirely different.
JWICS — Joint Worldwide Intelligence Communications System
The intelligence community's Top Secret / SCI network. Used for sensitive intelligence, special access programs, and the most compartmented operations.
Property | Detail |
|---|---|
Classification level | Up to Top Secret / SCI |
Operator | Operated by DIA in coordination with the IC and DoD |
Access | SCIF-only, TS/SCI cleared personnel, with read-on (formal need-to-know) for specific compartments |
Restrictions | Even stricter than SIPRNet — emanations security, physical isolation, compartmented access |
JWICS exists at the top of the classification ladder. Most personnel on this course will not directly operate JWICS, but everyone should know it exists and what it carries.
Other networks you will hear about
Network | Purpose | Classification |
|---|---|---|
DREN | Defense Research and Engineering Network | Mixed, R&D focus |
CMNT | Common Mission Network Transport | SECRET releasable to coalitions |
MPE | Mission Partner Environment | Allied / coalition information sharing |
DoDIN-A, -N, -AF, -MC | Service-specific portions of the DoDIN (Army, Navy, Air Force, Marine Corps) | Various |
These are extensions and specializations within the overall DoDIN architecture. The afternoon session will explain how they all fit together.
The Absolute Rule — Classification Networks Do Not Connect
═══════════════════════════════════════════════════════════════════
NIPRNet, SIPRNet, and JWICS are PHYSICALLY AND LOGICALLY SEPARATE.
There is no cable, no router, no firewall, no exception that
bridges them in the normal course of operations.
The ONLY authorized mechanism to move information between
classification levels is a Cross-Domain Solution (CDS) —
a specially engineered, NSA-accredited, monitored device
governed by its own policy (DoDI 8540.01).
A device that has touched NIPRNet may NEVER touch SIPRNet.
A USB drive from NIPRNet may NEVER enter a SIPRNet workstation.
═══════════════════════════════════════════════════════════════════
This is the single most important rule in DoD networking, and it was the rule that was violated in Operation Buckshot Yankee in 2008 — the USB-drive incident that introduced malware into SIPRNet and led to the creation of USCYBERCOM. Day 8 covers Buckshot Yankee in detail. For Day 1 it is enough to know: this rule is absolute, and it is the foundation of how DoD information security works.
Mapping civilian categories onto DoD networks
Students sometimes ask: "Is NIPRNet a LAN, a MAN, or a WAN?" The honest answer is: it is all three, simultaneously.
Inside an installation, NIPRNet has LAN segments (the network in your building).
Across an installation or campus, NIPRNet may have a MAN structure.
Between installations and across continents, NIPRNet is a global WAN.
All of these are unified under one classification level (Unclassified) and one operational structure (the DoDIN). The civilian PAN/LAN/MAN/WAN distinction describes the geography. The DoD network name describes the classification level. Both are real, but in DoD work the classification axis dominates the conversation.
End of Morning Session
By lunch you should be comfortable with:
✓ Why a DoD network is more than the civilian three-part definition (devices + connections + protocols + ATO + STIG + documentation + classification)
✓ What makes a host a DoD host (GFE + STIG + HBSS + asset inventory + authorized user + ATO)
✓ How users are authenticated in DoD (CAC + PIN, two-factor by default)
✓ Why DoD architecture is almost always client/server (centralized authentication, logging, policy enforcement)
✓ The three primary DoD networks (NIPRNet / SIPRNet / JWICS) and the fact that they are categorized by classification, not geography
✓ The Absolute Rule — classification networks do not connect except through Cross-Domain Solutions
The afternoon session will take this foundation and build the doctrine frame on top of it: the DoDIN as the overarching military "internet," DISN as its transport, DISA as its operator, DoD data centers and cloud, the Four Rules that govern every DoD network, and the RMF process that authorizes them.
Morning Glossary
| Term | Meaning |
|---|---|
| ATO | Authorization to Operate. The signed permission for a system or device to operate on a DoD network. Without it, a connection is unauthorized. |
| STIG | Security Technical Implementation Guide. The DISA-published configuration baseline a device must match before it goes live on a DoD network. |
| CUI | Controlled Unclassified Information. Sensitive-but-not-classified information requiring safeguards. Replaced the older "FOUO" marking. Travels on NIPRNet. |
| GFE | Government Furnished Equipment. Hardware procured and owned by the government. Personal equipment is not GFE. |
| CAC | Common Access Card. The DoD smart card containing three PKI certificates (identity, encryption, signature). Used with a PIN for two-factor authentication. |
| PKI | Public Key Infrastructure. The DoD's certificate authority system that issues the certificates on the CAC. |
| HBSS / ESS | Host-Based Security System (renamed Endpoint Security Solutions in 2024). The DoD's mandatory endpoint security suite. Covered in detail in Day 8. |
| NIPRNet | Non-classified Internet Protocol Router Network. The DoD's unclassified network. Connected to the public internet via DISA-controlled IAPs. |
| SIPRNet | SECRET Internet Protocol Router Network. The DoD's SECRET-level classified network. Physically isolated from the public internet. |
| JWICS | Joint Worldwide Intelligence Communications System. The intelligence community's Top Secret / SCI network. |
| IAP | Internet Access Point. A DISA-operated controlled gateway connecting NIPRNet to the public internet. |
| SCIF | Sensitive Compartmented Information Facility. An accredited facility for processing classified information at certain levels. SIPRNet workstations live in accredited facilities. |
| CDS | Cross-Domain Solution. An NSA-accredited engineered device allowing information transfer between classification networks under strict policy. The only authorized bridge between classification levels. |
| CNDSP | Cybersecurity Service Provider. The accredited organization providing cyber defense services to a DoD installation. Covered in Day 8. |
| JRSS | Joint Regional Security Stacks. DISA's regional NIPRNet boundary defense stacks. Covered in Day 8. |
| USCYBERCOM | United States Cyber Command. The combatant command responsible for DoD cyberspace operations. Created in 2009 in response to Operation Buckshot Yankee. |
| HSPD-12 | Homeland Security Presidential Directive 12. Mandates a common identification standard for federal employees and contractors. The legal basis for PIV/CAC. |
| FIPS 201 | Federal Information Processing Standard 201. The technical standard for PIV/CAC implementation. |
| PIV | Personal Identity Verification. The federal smart card standard. The CAC is the DoD's implementation of PIV. |
| Derived PIV Credential (DPC) | A CAC-equivalent credential placed on a mobile device, governed by NIST SP 800-157. Allows authorized mobile access without a card reader. |
| SIPR token | A separate smart card specific to SIPRNet logon. Same model as the CAC but with SIPRNet certificates. |
| DNSSEC | DNS Security Extensions. Adds cryptographic signatures to DNS records so a validating resolver can detect tampered or spoofed responses. Required on DoD networks. |
| SCI | Sensitive Compartmented Information. An additional access layer above Top Secret — requires formal "read on" to a specific compartment. |
| C2 | Command and Control. The authority and direction commanders exercise over assigned forces. C2 messages frequently travel SIPRNet. |
| CMNT | Common Mission Network Transport. A SECRET-releasable network for sharing with coalition partners through formal mission-partner agreements. |
| MPGW | Mission Partner Gateway. The accredited interface allowing approved coalition partners bounded access to DoD classified networks. |
| TROJAN SPIRIT / TROJAN SPIRIT LITE | DoD transportable satellite communications systems that extend SIPRNet and JWICS to tactical units at the edge — packed in transit cases, trailers, or shelters. |
| Intelligence Community (IC) | The 18 US government agencies and organizations that conduct intelligence activities (DIA, NSA, CIA, NGA, NRO, service intel components, and others). |
Document History
| Version | Date | Changes |
|---|---|---|
| v1.0 | Current | Initial creation. Morning session of Day 1 DoD lecture notes. Four parts: (1) DoD definition of a network (devices + connections + protocols + ATO + STIG + documentation + classification); (2) DoD hosts, the CAC, server roles in DoD; (3) why DoD architecture is structurally client/server; (4) NIPRNet / SIPRNet / JWICS — categorization by classification not geography, the Absolute Rule prohibiting cross-classification connection. Sets foundation for afternoon session covering DoDIN, Four Rules, and RMF. |
| v2.0 | Current | Expansions and clarifications: (1) CAC section greatly expanded — physical description, full contents table (now including fingerprint biometric template), step-by-step logon mechanics (private key never leaves card, PIN never leaves card), explicit two-factor explanation. (2) New subsection on biometrics and alternatives — fingerprint usage on the CAC, Derived PIV Credentials (NIST SP 800-157) for mobile, SIPR token, plus an explicit list of authentication methods NOT authorized for DoD network logon (fingerprint alone, face recognition alone, NFC tap, SMS codes). (3) DNSSEC explained inline with the DNS bullet — what it is, what attack it stops, OMB M-08-23 mandate. (4) Classification map terms now defined — TS/SCI, SECRET, Unclassified, CUI, intelligence community, operational planning, C2, intel sharing each have a glossary line under the map. (5) New "Global Reach" subsection — confirms NIPRNet and SIPRNet are worldwide networks, listing CONUS bases, overseas bases (Germany, Japan, Korea, Italy, UK, Guam, Bahrain, Djibouti), embassies, ships at sea, forward deployed units via TROJAN SPIRIT SATCOM, and coalition partners via CMNT/MPGW. (6) Glossary expanded with HSPD-12, FIPS 201, PIV, DPC, SIPR token, DNSSEC, CUI, SCI, C2, CMNT, MPGW, TROJAN SPIRIT, IC. All facts validated against DoDI 8010.01, NIST SP 800-157, HSPD-12, and DoD/DISA documentation. |
| v3.0 | Current | Branding integration. Applied the DICDP Program Style Guide v2.0 branding to this document as the program prototype. Added: (1) Top page banner — "RESTRICTED DISTRIBUTION — DICDP PROGRAM PARTICIPANTS ONLY" in ALL CAPS; (2) Full nine-line cover panel with Document ID DICDP-CIS-FNC-D01-LN-AM-v3, Issued date, Controlled by (Program Director role), Redirect requests (ops@redirish.global), and Distribution line; (3) Restricted Distribution Statement block with the "Other requests shall be referred to" federal-convention line; (4) Full Program Notice — six paragraphs including intellectual property assertion, controlled distribution, not-for-redistribution, not classified information, not a US Government publication (explicit clarification that DICDP is a private firm program, not affiliated with or endorsed by the US Government), authorized use, and acceptance through continued use; (5) Symmetric bottom footer plus closing banner so any excerpt carries the marking. Content of the lecture itself unchanged from v2.0 — this version updates only the branding wrapper. All other Day 1+ documents in the package will be updated to the same branding pattern. |
| v4.0 | Current | Firm positioning enhancement aligned with Style Guide v3.0. Replaced the v3 Program Notice with a confident, defense-contractor-positioned version. Specific changes: (1) New "Program authority" paragraph introduces RIGS for the first time as "Red Irish Global Services (RIGS), a Defense Cyber and Information Systems Contractor established in 2018 and serving ministries of defense, military commands, national police forces, and government institutions across EMEA and APAC." Establishes the firm category clearly and confidently. Names operational credentials of curriculum personnel. Handles the government-affiliation precision in one declarative sentence rather than an apologetic paragraph. (2) "Not a US Government publication" paragraph removed entirely. Its legal work is now done by the single closing sentence of the Program Authority paragraph: "the program is operated under RIGS's own authority and not on behalf of any government." Confident defense contractors do not apologize for not being the government. (3) Throughout the notice, subsequent mentions of the firm use the acronym RIGS rather than the full name — per the new acronym convention in Style Guide Section 13. (4) Added "Export control awareness" paragraph acknowledging participant responsibility for export-control compliance in their own jurisdictions — matches real defense contractor practice. (5) "Intellectual property" and "Restricted distribution" paragraphs tightened — firmer commercial language, references to the DICDP Program Participation Agreement as the master agreement that governs use (the pattern serious defense contractors actually use). Content of the lecture itself unchanged from v3.0 — this version updates only the Program Notice and branding wrapper. |
═══════════════════════════════════════════════════════════════════ Red Irish Global Services | DICDP | CIS Track | FNC DICDP-CIS-FNC-D01-LN-AM-v4 | Issued: [date] ═══════════════════════════════════════════════════════════════════
═══════════════════════════════════════════════════════════════════ RESTRICTED DISTRIBUTION — DICDP PROGRAM PARTICIPANTS ONLY ═══════════════════════════════════════════════════════════════════