FMN Spiral 5 Procedural Instructions For CIS Security

The document outlines the Procedural Instructions for CIS Security as part of the Federated Mission Networking (FMN) Spiral 5 Specification, detailing actions for FMN Affiliates to establish interoperability in terms of People, Processes, and Technology. It emphasizes the governance under NATO's Military Committee and provides guidelines for capability planning, validation, and training. The document is non-commercial and allows for redistribution under the CC BY-NC 4.0 license.

Uploaded by

Stephane Branger

Daily version for specification development

FMN Spiral 5
Procedural Instructions for
CIS Security

11 September 2024 Page 1


Procedural Instructions for CIS Security Disclaimer

Disclaimer

This document is part of the Federated Mission Networking (FMN) Spiral 5 Specification. In the
FMN management structure it is the responsibility of the Capability Planning Working Group
(CPWG) to develop the FMN Spiral Specifications, in close cooperation with the Operational
Coordination Working Group (OCWG) and the Multinational CIS Security Management Authority
Working Group (MCSMAWG), in order to accomplish the scope from the FMN Spiral Specification
Roadmap and support Affiliates' long-term capabilities planning.

The FMN Spiral 5 Specification delivers a series of procedural and service instructions to describe
what actions FMN Affiliates should undertake to establish their interface with any federation of
mission participants in terms of People, Processes and Technology. These instructions are
completed with documents that provide an overview of the interoperability architecture,
requirements, standard profiles, terms and definitions and interface profiles.

The FMN Framework falls under the governance of NATO's Military Committee (MC) and as
such, the NATO Security Policy and the Policy on Handling Unclassified Information apply. The
information in this document defines general aspects as a result of FMN capability planning, using
data from unclassified and open sources, and nothing in it is specifically written to describe
classified material and/or sensitive operational aspects for any of the FMN Affiliates. Hence, this
FMN document does not have classification and releasability markings. No fees are charged for
this material at any stage, and it is not intended to be sold.

The specification documents and associated products are published at protected non-public
websites on the basis of the "Attribution-NonCommercial 4.0 International" (CC BY-NC 4.0)
license. Subject to the terms and conditions of this license, users are allowed to copy and
redistribute the material in any medium or format, and transform and build upon the material (for
non-commercial purposes), while giving appropriate credit to its source and indicating if changes
were made. It is up to users to determine if there is a legitimate reason to disseminate these
documents to individuals or organizations with an interest in FMN.

If you have any questions about Federated Mission Networking, about the Capability Planning
Working Group or about any of the documents of this FMN Spiral Specification, please contact the
CPWG custodians in the Federated Interoperability Branch at Headquarters, Supreme Allied
Commander Transformation in Norfolk, Virginia.

Table of Contents
1 Introduction
1.1 Audience
1.2 Aim
1.3 Scope
1.4 Provenance
2 Changes
3 References
4 Context
5 Interoperability Architecture
5.1 Processes
5.1.1 Federated CIS Security Information Sharing
5.1.2 Federated CIS Security Accreditation
5.1.3 Federated CIS Security Incident Coordination
5.1.4 Federated SPIF Management
5.2 Functional Roles
5.2.1 CISOA
5.2.2 MN CIS Sec WG
5.2.3 MNP SAA
5.2.4 MNP Security Assurance Coordinator
5.2.5 Mission Cyber Operation Centre (MCyOC)
5.2.6 Mission Network Information Management Authority
5.2.7 Mission Network Participant Security Operation Center (MNP SOC)
5.2.8 Mission Network Security Accreditation Board
5.2.9 Mission Network Service Management Authority
5.2.10 Mission Security Operations Centre (MSOC)
5.3 Information Products
5.4 Information Exchange Requirements
Annex A. Definitions
Annex B. Roadmap
Annex C. Information Exchange Requirements Details
C.1 Generic CIS Security Information Exchange
C.1.1 Initial MNP CIS Security Incident Report
C.1.2 Initial MNP CIS Security Report
C.1.3 Escalation MSOC-annotated CIS Security Report
C.1.4 Multinational CIS Security Incident Ticket
C.1.5 MSOC-annotated CIS Security Report
C.1.6 Multinational CIS Security Incident Ticket
C.1.7 Security Risk Management Report
C.1.8 MNP specific threat assessment
C.1.9 Share endorsed CSRS
C.1.10 Initial CSRS
C.1.11 Share residual risk
C.1.12 Consolidated threat assessment
C.1.13 Escalated CIS Security incident report
C.1.14 Provide I/ATO
C.1.15 SPIF Download
C.1.16 Submit SoC
Annex D. Information Products
D.1 CIS Security Informations
D.2 Community Security Requirements Statement
D.3 Escalated CIS Security incident report
D.4 Initial MNP CIS Security Incident Report
D.5 Initial MNP CIS Security Report
D.6 MSOC-annotated CIS Security Report
D.7 Multinational CIS Security Incident Ticket
D.8 SPIF
D.9 Security Accreditation Statement
D.10 Security Risk Management Report
D.11 Statement of Compliance
D.12 Threat Assessment

1 Introduction
1.1 Audience
Procedural Instructions (PIs) guide the design and implementation of military capabilities that can interoperate in any
combination of multi-national force structures from the very start of any future mission. Therefore, the PIs are intended for the
following audiences:

• Capability planners -- to provide the operational context, operational direction and prioritization for the development of
technical, doctrinal and training solutions.
• Capability validators -- to permit accurate testing and validation of the federated processes in an operational context with
real information systems.
• Trainers -- to design individual and collective federated business process training in the context of a federated mission
instantiation.

Whilst the primary use cases are within the FMN framework, this document is also useful for the development of (national)
capabilities. The intended audience therefore also includes comparable staff structures of every FMN Affiliate with
ambitions to implement the procedural instructions within.

1.2 Aim
These procedural instructions articulate the process, information products, roles and responsibilities required to conduct
federated activities in the context of a coalition of any combination of nations and/or organizations (e.g. NATO acting in a
coalition with nations external to NATO). The instruction supplements existing doctrine by describing how CIS Security
Operation is supported by standardized information services.

1.3 Scope
The Procedural Instructions for CIS Security fulfills Spiral Objectives for FMN Spiral 5 from the "Federated CIS Security"
enabling swimlane in the FMN Spiral Specification Roadmap. In overview, these instructions respond to the need of the
federation to react as a single entity in order to effectively respond to and recover from CIS Security incidents and events. The
federation must be able to monitor CIS activity, to detect malicious activity, react to incidents in order to stop or mitigate their
effect, and finally recover the CIS to a fully operational state. This can be achieved by establishing a common organizational
framework (structures and roles), establishing common processes and last but not least ensuring interoperability of
management tools (SMC, CIS Security).

1.4 Provenance
These procedural instructions were developed by the MCSMA WG, which comprised operational requirements managers
from FMN affiliates including NATO, capability developers, as well as experts in testing, validation and system
implementation. All affiliate members of FMN have been provided with an opportunity to comment and provide input to the
document. Consequently, this is the agreed FMN affiliate-wide concept of CIS Security Management.

Doctrinal Overview
Affiliates' mission networks are required to be in compliance with their national security policy. Therefore, the doctrine
governing federated CIS Security procedures must at least be compliant with the national policy of all affiliates contributing
to an xMN. Where NATO is involved as an affiliate, NATO doctrine must be adhered to. For non-federated CIS
Security processes, affiliate security policies will be followed by each affiliate.

For FMN security requirements, the ISO 27002 Information Security Standard is the doctrine in place to define these
requirements, identify the security controls and safeguards to implement the requirements and provide guidance in order to
ensure that they are functioning as designed.

2 Changes
The principle on which capability planning is based in the context of Federated Mission Networking is incremental
development. Time-boxed planning is used to produce FMN Spiral Specifications that inspire a gradual but steady
maturation of the FMN capabilities in two ways: either by the introduction of new Capability Enhancements (CPEs) on the
basis of Spiral Objectives (SPOs), or through a continuous effort to improve existing capabilities in the FMN Framework. In
other words, each FMN Spiral Specification invokes changes to increase federated interoperability.
This chapter provides an overview of the scale of change compared to the previous spiral specification with the following
details:

• Summary -- a text segment with a summary of the changes in these procedural instructions compared to the previous
spiral.
• Capability Enhancements -- a table listing all CPEs that are fulfilled with these procedural instructions, each with its own
summary.
• Backwards Compatibility -- a text segment describing the compatibility of the implemented changes in this specification in
relation to the previous spiral.
• Resolved Issues -- a bullet list of the issues that have been raised on these procedural instructions and that have been
resolved within, displayed with issue number and title. The problem statements, discussions and ultimate resolution of
these issues can be consulted in the Issue Tracker.

Summary
These procedural instructions have no substantial changes compared to the previous spiral.

Capability Enhancements

Capability Enhancement -- Summary

• Define procedures for sharing of newly discovered vulnerabilities (CPE-272) -- This enhancement defines procedures for
the sharing of newly discovered vulnerabilities. Disclosure of such vulnerabilities is critical to defending national and
coalition networks due to the very high possibility of exploitation until security patches are available.
• Define procedures for sharing of general cyber defence information (CPE-190) -- This enhancement defines procedures for
sharing of general enabling cyber defence information, including Points of Contact Information, cyber security reports and
statistics, to help build and mature the cyber defence community of interest.
• Define procedures for sharing of cyber mitigation information (CPE-294) -- This enhancement defines procedures for
sharing cyber mitigation information. These procedures apply at the national / federation level, the technical level, lessons
learned / best practices, and patching / remedial activities for bespoke software.
• Define procedures for sharing of cyber detection information (CPE-273) -- This enhancement defines procedures for the
sharing of cyber detection information including known malicious cyber assets, indicators of compromise, and malware
detection. Such information sharing distributes workload more evenly across the Community of Interest and avoids
duplication.
• Create and maintain SPIFs for Affiliates and other potential mission participants (CPE-561) -- This enhancement develops
and manages a process to analyze organization and national policies from which labelling policy information needs to be
derived, and produce SPIFs for all FMN Affiliates.
• Develop a SPIF implementation and equivalency mapping methodology for exploitation (CPE-560) -- This enhancement
defines a data format for equivalency mappings between Security Policy Information Files (SPIFs) and implementation
guidance. A methodology to develop, store, maintain and disseminate these SPIFs and SPIF equivalence mappings across
the federation is also in scope of this CPE.
• Develop a procedure for creating a security labelling policy for a federated Mission Network (CPE-562) -- This
enhancement develops a procedure for defining and agreeing a common security labelling policy for a mission, and the
dissemination of Security Policy Information Files (SPIFs).

Backwards Compatibility
There are no issues or concerns for backward compatibility from these procedural instructions.

Resolved Issues
• 5279: Update of process diagram (SecIncEvtMgmt) (normal)
• 5526: Align Security Policy Information Files with IM procedures (normal)
• 5917: Need for new product for Security Policy Mapping (normal)
• 7175: Define procedures for sharing of cyber defence Points of Contact information (normal)
• 7177: Define procedures for sharing of newly discovered vulnerabilities (normal)
• 7178: Define procedures for sharing of cyber detection information (normal)
• 7181: Define procedures for sharing of cyber mitigation information (normal)
• 7185: Define processes and procedures for exchanging cyber incidents between organizations responsible for CIS
Security (normal)
• 7186: Define federated dynamic risk assessment (normal)
• 7187: Develop a SPIF implementation and equivalency mapping methodology for exploitation (normal)
• 7188: Create and maintain SPIFs for Affiliates and other potential mission participants (normal)
• 7189: Develop a procedure for creating a security labeling policy for a federated Mission Network (normal)
• 8353: Usage of Mission Network Participant role (enhancement)
• 8354: Missing dependency on Technology Interaction (enhancement)
• 9003: Include 'procedural' Security Implementation Guidance items in the PI for CIS Security (enhancement)
• 9085: Create a guidance document for CIS Security (enhancement)

3 References
This chapter lists the source documentation that has been used as a reference in the development of these procedural
instructions. Typically, the list includes the identifiers and titles of related documents and files, as well as standard
specifications.
The metadata of all these references (including title, description, identifying code, publication date, classification and version)
is available on the spiral wiki, often accompanied by the original file and/or a link to the source of that reference.
The list below offers the references specifically for these procedural instructions. The complete set of references for the spiral
specification is listed in an annex to the main document.

• FMN Defensive Cyberspace Operations Concept - FMN Defensive Cyberspace Operations Concept in a Federated
Mission Environment
• IMSM-0222-2018 - High-level Taxonomy of Cyberspace Operations
• IMSM-0533-2018 - Cyberspace Operations Capability Breakdown
• ISO/IEC 27002:2013 - ISO/IEC 27002:2013 - Information technology

4 Context
The procedural instructions articulate how specific federated military capabilities (business services) shall be utilized in a
federation of mission networks by describing basic concepts, processes, roles, information products and their exchanges.
This chapter provides the context in which these services will be deployed, managed and exploited through the presentation
of a business architecture. The technical architecture is described further in dependent service instructions.

Comprehensible and traceable procedures are required to establish trust between mission network participants and to
achieve an agreed security level across the federated network. By accrediting their own mission network services based on an
agreed minimum level of security requirements, contained in the community security requirements statement (CSRS), and
providing proof of compliance by means of the statement of compliance (SoC) to the mission network security accreditation
board (MN SAB), participants can establish and maintain such a trust relationship over the life cycle of the mission network
instantiation.

Further, secure and trustworthy procedures are required to share any CIS security-relevant information in a federated
environment.

5 Interoperability Architecture
This chapter provides the interoperability architecture at the basis of these procedural instructions. It describes the associated
Business Processes (BPs) with their incorporated Business Activities (BAs), often accompanied by examples and illustrations.
Furthermore, it lists all of the involved organizational entities and business roles, and the exchanged information products.
Finally, it provides a table of all Information Exchange Requirements (IERs).

• Business Processes -- all processes and their sub-processes, and where business activities are available, accompanied
by an ArchiMate view. Under the view, a table is printed with the list of Business Activities (BAs) with their description, by
which Business Role (ROLE) they are performed, and the Information Exchange Requirements (IERs) used as input and
delivered as output.
• Organizational Entities -- all organizations and similar entities (ORGs) that are involved in the execution of the Business
Processes, providing their identifier (ID) and definition.
• Functional Roles -- all Business Roles (ROLE) with their identifier (ID) and definition, plus the list of Business Activities in
subsequent Business Processes in which they perform.
• Information Products -- all Information Products (IPs) that are created, exploited and disseminated in these procedural
instructions, with their identifier (ID), title and description.
• Information Exchange Requirements -- all Information Exchange Requirements (IERs) describing the Information Products
(IPs) being exchanged, with their description and the Organizational Entities (ORGs) that form the source and the
destination for the IP in that exchange. Additionally, for each of the IPs, the Technology Interactions (TINs) from the
associated Service Instructions that are used to execute the exchange, including a short description of the exchange.

5.1 Processes

5.1.1 Federated CIS Security Information Sharing


(BP-45) -- Each MNP is responsible for detecting and handling cyber security incidents and vulnerabilities, and for responding
to threats, on its own network. In addition, if an item of security information:

• is considered critical and there is a risk of it affecting other MNPs, and/or
• affects other MNPs directly or in the context of services provided,
• involves leaked relevant or sensitive data concerning an MNP,

it shall be reported to the central SOC capability so that it is handled in a coordinated manner with the whole MN community.

Figure 1. Federated CIS Security Information Sharing

MNP-level Security Operations Centre (P-SOC)
Each MNP operating as “Option A” is to establish a Security Operation Centre capability for its mission network. The SOC
capability may have “deployed” or “rear” elements, or both, with procedural instructions on how these elements function
towards incident detection and handling at the MNP level. The instructions shall also contain conditions for:

• MNP level incident escalation (e.g. CyOC);
• Incident sharing with, and / or coordination via the federation-level M-SOC.

An MNP operating as an “Option B” may establish a SOC capability for its mission network as described for “Option A”, or
may make an agreement with another MNP (acting as an “Option A”) to be covered by its SOC. For an MNP operating as an
“Option C”, a SOC is not required.

The P-SOC capability is responsible for detecting and reacting to all security events and incidents across its own network, and
for escalating and sharing issues where they may impact the wider federation.

Federation-level Centralized Mission Security Operations Centre capability (M-SOC)
In order to maintain an overall view of the cyber security posture and risk-level of the MN’s CIS across the whole federation,
the MN Commander is to establish and resource a federation-level Centralized Mission Security Operations Centre (M-SOC).

To inform the M-SOC of security events occurring in the individual MNPs’ mission networks, each of the MNPs in the mission
is to share incident / security event information with the M-SOC.

In turn, the incident / security event information collected by the M-SOC can be disseminated to all MNPs in the mission so
that each MNP can build its own near real-time picture of the cyber security posture of the overall mission.

Activities

Process Steps

BA-1376 -- Possible CIS Security Incident detected
Performed by: Mission Network Participant Security Operation Center (MNP SOC) (ROLE-343)
The WatchKeeper detected a possible CIS Security Incident. After initial evaluation based upon the Incident Severity Schema
for xMN he/she determined that it is an incident at federation level and therefore needs to share it with the Mission Security
Operations Centre (MSOC).

BA-1378 -- Inform MSOC of CIS Security Information of Interest
Performed by: Mission Network Participant Security Operation Center (MNP SOC) (ROLE-343)
Input/Output IER: Initial MNP CIS Security Report (IER-470)
Inform the MSOC about CIS Security information that meets criteria for sharing with the MSOC / other MNPs / the federation.
An information sharing template should be used for each kind of information (security incidents, vulnerabilities, threats and
leaked data), if possible in STIX format.

BA-1377 -- Receive initial CIS Security Report
Performed by: Mission Security Operations Centre (MSOC) (ROLE-296)
Input/Output IER: Initial MNP CIS Security Report (IER-470)
The Mission SOC on the federation level receives a CIS Security Report from one of the MNPs.

BA-1375 -- Inform relevant MNPs of CIS Security information of interest
Performed by: Mission Security Operations Centre (MSOC) (ROLE-296)
Input/Output IER: MSOC-annotated CIS Security Report (IER-472)
Provide CIS Security information to the MNPs for whom the information is of interest/relevance. An information sharing
template should be used for each kind of information (security incidents, vulnerabilities, threats and leaked data), if possible
in STIX format.

BA-1379 -- Receive CIS Security Report
Performed by: Mission Cyber Operation Centre (MCyOC) (ROLE-294)
Input/Output IER: Escalation MSOC-annotated CIS Security Report (IER-471)
Receive an MSOC-annotated CIS Security Report from the MSOC.

BA-1381 -- Receive CIS Security Report
Performed by: Mission Network Participant Security Operation Center (MNP SOC) (ROLE-343)
Input/Output IER: MSOC-annotated CIS Security Report (IER-472)
Receive an MSOC-annotated CIS Security Report from the MSOC.

BA-1380 -- Inform MCyOC of CIS Security information of interest
Performed by: Mission Security Operations Centre (MSOC) (ROLE-296)
Input/Output IER: Escalation MSOC-annotated CIS Security Report (IER-471)
Provide the MCyOC with an annotated version of the CIS Security Report.

BA-1374 -- Evaluate CIS security information
Performed by: Mission Security Operations Centre (MSOC) (ROLE-296)
The evaluation of CIS security information includes assessing the reliability of the reported information based upon the
federated CIS environment and estimating the potential impact on the federation.

5.1.2 Federated CIS Security Accreditation


(BP-349) -- CIS Security Accreditation/Re-accreditation is conducted at the federated level.
1. Each Federated Mission Networking (FMN) instantiation will follow a standardized security accreditation approach. To
achieve this requirement, an FMN focused Security Accreditation procedures has been developed by the FMN Multinational
CIS Security Management Authority Working Group (MCSMA WG).
2. As each FMN instantiation will support a different mission with different information exchange requirements (IERs), this
instruction is designed to provide general guidelines instead of specifically defined direction. The process is managed by an
Accreditation Board, composed of partner nations’ national accreditation authorities.
3. When a requirement to deploy an FMN Mission Network is identified, a CIS Security Working Group (CIS SWG) will be
stood up under the guidance and direction of the lead nation, organization or agency which will facilitate security focused
planning and the development of the following security deliverables:

• Produce a mission specific Threat Assessment (TA), based on threats identified by partner nations;
• Produce a mission specific Security Risk Assessment (SRA) based on the mission specific TA;
• Produce the xMN Community Security Requirements Statement (CSRS) that reflect the current mission incorporating the
mitigation measures identified in the Security Risk Assessment, and based on the FMN template CSRS, developed by the
MCSMA WG;
• Develop the mission specific Statement of Compliance (SoC) based on the template SoC contained as an appendix to the
template CSRS;
• Develop the mission specific System Interconnection Security Requirement Statement (SISRS).
• Produce the MN SAB ToRs, based on the template ToRs developed by the MCSMA WG;
• Establish a date and location of the first MN SAB;
• Develop the mission specific Security Accreditation Plan (SAP), based on the Template SAP produced by the MCSMA
WG; and
• Develop the mission specific Security Operating Procedures (SecOPs).
4. All partner nations joining the FMN instantiation are required to provide staff to participate in the CIS SWG and the MN
SAB.
5. Partner nations joining an FMN instantiation will be required to submit accreditation documents detailing evidence that
meets the terms of accreditation. The minimum documentation defining the terms of accreditation, contained in the Community
Security Requirements (CISR), is:

• Statement of Compliance (SOC); and
• Interconnection Security Requirements Statement (SISR) (if required).
6. Partner nations that interconnect with other networks are required to submit a SISIR as part of their accreditation
documents.
7. The accreditation of an FMN instantiation is based on the Accreditation documentation submitted by each partner nation,
the sum of which will allow the appointed chair to formally declare the state of the network and advise appointed network
authorities.
8. The mission level Accreditation process begins upon declaration that an FMN instantiation is required to support a mission.
9. Re-accreditation of partner nation instantiations is as directed by the MN SAB, who will determine the accreditation
frequency. In addition the following events could trigger an out of cycle Re-accreditation process:

• changes in the classification levels of information stored, processed or exchanged that cause a change in the security
measures;
• a change in the security requirement resulting from a change in National or NATO security policy or supporting Directives;


• a change in the threats to, or vulnerabilities of, the xMN or of a MNP that is interconnected;
• additions or a change to the underlying operating system or to security-relevant / security-enforcing software, or a
significant change to the configuration of an xMN element, or a significant change in the security status of the security
relevant/security enforcing software;
• additions or a change to the hardware that requires a change in the approved security measures;
• a significant change to the physical structure of the facility or to the SecOPs;
• a breach of security, a breach of integrity, or an unusual situation that appears to invalidate the accreditation by revealing a
flaw in the security design;
• as a result of an inspection / review, carried out by the SAA, that showed security flaws.
10. Accreditation is granted upon acceptance by each voting SAB partner nation accreditation authority. Silence procedures
are followed.
11. The CIS Operational Authority (CISOA) of each Partner network must ensure that the accreditation process is initiated
as per their national policies. This documentation and the MN SoC detailing the level of compliance achieved are then
presented to the Partner’s Security Accreditation Authorities (SAA) or National Accreditation Authority (NAA) for review and
formal signature. This document is then presented to the MN SAB for review and risk acceptance by the Mission Commander.
This provides transparency and ensures that the Partners follow the same procedures for security work.
12. When the operational tempo requires rapid deployment of a mission network, an abridged approach will be adopted.
Joining partner nations will be required to submit letters of accreditation signed by their national Security Accreditation
Authority to the mission lead. Once these are received, authority to connect will be granted. The standard processes detailed
above will continue to move forward as a concurrent process. Once all security deliverables are completed and a MN SAB is
established, the standard Accreditation process will be adopted.

Figure 2. Federated CIS Security Accreditation


All members of a MN SAB must have delegated authority from their parent organizations' Security Accreditation Authorities as
the MN SAB is responsible to:

• determine Security Requirements – based on a Security Risk Assessment and tailored to provide the acceptable level of
information assurance;
• review and approve the accreditation strategy and procedures for the federated MN instance;
• define the scope of the accreditation boundaries for the MN instance;
• define the requirements governing SISIR submissions;
• review and approve the conditions and standard for accreditation and re-accreditation of MN related CIS, review incidents
when notified and assess accreditation status;
• accredit MN network and services, sustaining the collective confidence in the federation of networks.
The Operational Commander is responsible to ensure that an individual is appointed as the chair of the MN SAB.


Activities

Process Steps

| ID | Activity | Performed by | Input IER | Output IER |
|---|---|---|---|---|
| BA-1157 | Determine the minimum level of security: determine – based on a Security Risk Assessment – the minimum level of security for the respective MN or its segments | Mission Network Security Accreditation Board (ROLE-21) | | |
| BA-1857 | Communicate decision and residual risks to CISOA | Mission Network Security Accreditation Board (ROLE-21) | | Share residual risk (IER-637) |
| BA-1851 | Receive and exploit MN Threat Assessment | MNP Security Assurance Coordinator (ROLE-443) | Consolidated threat assessment (IER-630) | |
| BA-1852 | Ratify and share MN Security Risk Assessment | Mission Network Security Accreditation Board (ROLE-21) | | Security Risk Management Report (IER-633) |
| BA-1850 | Endorse and share consolidated Mission Threat Assessment | Mission Network Security Accreditation Board (ROLE-21) | | Consolidated threat assessment (IER-630) |
| BA-1858 | Inform MNPs that network can be connected / (I)ATO | Mission Network Security Accreditation Board (ROLE-21) | | Provide I/ATO (IER-638) |
| BA-1849 | Provide MNP specific cyber security threat assessment: Provide the national / mission specific cyber security threat assessment. | MNP Security Assurance Coordinator (ROLE-443) | | MNP specific threat assessment (IER-629) |
| BA-1846 | Tailor MN CSRS and Annexes: Tailor the Spiral 5 CSRS template including its Annexes according to the mission specific requirements. | MN CIS Sec WG (ROLE-438) | | Initial CSRS (IER-628) |
| BA-1847 | Use approved MN CSRS to prepare capabilities: The MNP uses the approved xMN CSRS to secure its own CIS capabilities. | MNP Security Assurance Coordinator (ROLE-443) | Share endorsed CSRS (IER-634); Initial CSRS (IER-628) | |
| BA-1854 | Review and endorse MN CSRS and Annexes | Mission Network Security Accreditation Board (ROLE-21) | | Share endorsed CSRS (IER-634) |
| BA-1859 | Receive information about accreditation decision and residual risks | CISOA (ROLE-439) | Share residual risk (IER-637) | |
| BA-1853 | Receive and exploit MN Risk Assessment | MNP Security Assurance Coordinator (ROLE-443) | Security Risk Management Report (IER-633) | |
| BA-1860 | Receive (I)ATO notifications | MNP Security Assurance Coordinator (ROLE-443) | Provide I/ATO (IER-638) | |
| BA-1855 | Accredit MNP network: Accredit MNP network, sign SoC on behalf of MNP and provide SoC to MN SAB | MNP SAA (ROLE-441) | | Submit SoC (IER-636) |
| BA-1848 | Consolidate a Mission Threat Assessment: Consolidate the national Threat Assessments of the participating MNPs into the xMN Threat Assessment. | MN CIS Sec WG (ROLE-438) | MNP specific threat assessment (IER-629) | |
| BA-1856 | Review of SoCs and SISRS by all SAAs | Mission Network Security Accreditation Board (ROLE-21) | Submit SoC (IER-636) | |


5.1.3 Federated CIS Security Incident Coordination


(BP-471) -- This process enables federated participants to coordinate the handling of a CIS security incident in the mission
network.

Figure 3. Federated CIS Security Incident Coordination


Activities

Process Steps

| ID | Activity | Performed by | Input IER | Output IER |
|---|---|---|---|---|
| BA-1529 | Inform MSOC of CIS Security incident requiring coordination: Inform the MSOC about a discovered CIS Security Incident that needs coordination between MNPs. | Mission Network Participant Security Operation Center (MNP SOC) (ROLE-343) | | Initial MNP CIS Security Incident Report (IER-469) |
| BA-1532 | Receive CIS Security Incident Coordination Notice: The CIS Security Incident Coordination Notice is sent from the MNP SOC to the MSOC to initiate a coordinated CIS Security Incident Response. | Mission Security Operations Centre (MSOC) (ROLE-296) | Initial MNP CIS Security Incident Report (IER-469) | |
| BA-1533 | Coordinate CIS Security incident response activities: The MSOC coordinates federation-wide CIS Security incident response between relevant MNPs: identify relevant MNPs; notify; seek appropriate responses; seek appropriate reporting; share feedback between partners; seek timely resolution; else escalate | Mission Security Operations Centre (MSOC) (ROLE-296) | | Multinational CIS Security Incident Ticket (IER-501); Multinational CIS Security Incident Ticket (IER-503) |
| BA-1535 | Respond to CIS Security incident (in coordination): Each affected MNP responds to the CIS Security incident, as per national procedures, but including coordination with MSOC. | Mission Network Participant Security Operation Center (MNP SOC) (ROLE-343) | Multinational CIS Security Incident Ticket (IER-501) | |
| BA-1530 | Receive CIS Security incident escalation: Receive a CIS Security Incident Report from the MSOC. | Mission Cyber Operation Centre (MCyOC) (ROLE-294) | Escalated CIS Security incident report (IER-500) | |
| BA-1539 | Coordinate incident response activities with MSOC | Mission Network Service Management Authority (ROLE-22) | Multinational CIS Security Incident Ticket (IER-503) | |
| BA-1531 | Escalate CIS Security incident: Escalate the CIS security incident to the MCyOC for coordinated activities (beyond pure CIS security competences). | Mission Security Operations Centre (MSOC) (ROLE-296) | | Escalated CIS Security incident report (IER-500) |

5.1.4 Federated SPIF Management


(BP-484) -- The Federated SPIF Management Business Process enables a Federation of MNPs to develop, update and
disseminate the SPIF (Security Policy Information File) in the standardized XML format according to www.xmlspif.org and
STANAG 4774. The SPIF contains the security classification levels used by the MNPs and their mapping to the commonly agreed
classification levels for the mission. Furthermore, this Business Process manages the continuous update of the equivalency
table required for SPIF management.

Figure 4. Federated SPIF Management


Based on the SPIF template provided in the FMN framework and the required information from all participants in the mission
network, the Mission Network Information Management Authority creates the specific SPIF. The created SPIF is made available
for download on a web service (a proper web service shall be identified to facilitate the SPIF dissemination prior to a MN
instantiation). This process is triggered each time an affiliate joins or leaves the MN.
If a new participant who is not yet an affiliate is to join the MN, its security policies must first be analyzed and the
equivalency table updated before the information can be included in the SPIF.
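The equivalency check implied by this process, as an added example that is not part of the FMN specification: before a mission SPIF is published, confirm that every participant policy has an equivalent for every mission classification and that inbound markings translate unambiguously. The XML is a constructed, simplified fragment; its element and attribute names are assumptions for illustration and must be adapted to the schema published at www.xmlspif.org, and all policy names and classification values are invented.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of a mission SPIF (simplified, hypothetical element names).
SAMPLE_SPIF = """\
<SPIF>
  <securityPolicyId name="MISSION-X"/>
  <equivalentPolicies>
    <equivalentPolicy name="NATION-A"/>
    <equivalentPolicy name="NATION-B"/>
  </equivalentPolicies>
  <securityClassifications>
    <securityClassification name="MISSION UNCLASSIFIED" hierarchy="1">
      <equivalentClassification policyRef="NATION-A" name="A-OPEN"/>
      <equivalentClassification policyRef="NATION-B" name="B-PUBLIC"/>
    </securityClassification>
    <securityClassification name="MISSION RESTRICTED" hierarchy="2">
      <equivalentClassification policyRef="NATION-A" name="A-LIMITED"/>
    </securityClassification>
    <securityClassification name="MISSION SECRET" hierarchy="3">
      <equivalentClassification policyRef="NATION-A" name="A-SECRET"/>
      <equivalentClassification policyRef="NATION-B" name="B-SECRET"/>
      <equivalentClassification policyRef="NATION-C" name="C-SECRET"/>
    </securityClassification>
  </securityClassifications>
</SPIF>
"""


def load_equivalency(spif_xml):
    """Return (declared_policies, table); table[mission_level][policy] = national level."""
    # The SPIF is downloaded from a web service: refuse DTDs and entities before parsing.
    if "<!DOCTYPE" in spif_xml or "<!ENTITY" in spif_xml:
        raise ValueError("DTD or entity declarations are not accepted in a SPIF")
    root = ET.fromstring(spif_xml)
    declared = {p.get("name") for p in root.iter("equivalentPolicy")}
    table = {}
    for cls in root.iter("securityClassification"):
        table[cls.get("name")] = {
            eq.get("policyRef"): eq.get("name")
            for eq in cls.findall("equivalentClassification")
        }
    return declared, table


def audit_equivalency(spif_xml, participants):
    """List the gaps to close before the SPIF is made available to the MNPs."""
    declared, table = load_equivalency(spif_xml)
    findings = []
    for policy in sorted(participants):
        if policy not in declared:
            findings.append(("undeclared-participant", policy, None))
        for level, equivalents in table.items():
            if policy not in equivalents:
                findings.append(("missing-equivalent", policy, level))
    # Mappings that point at a policy the SPIF never declared.
    for level, equivalents in table.items():
        for policy in sorted(equivalents):
            if policy not in declared:
                findings.append(("unknown-policy-ref", policy, level))
    # One national marking mapped to two mission levels cannot be translated safely.
    seen = defaultdict(set)
    for level, equivalents in table.items():
        for policy, national in equivalents.items():
            seen[(policy, national)].add(level)
    for (policy, national), levels in sorted(seen.items()):
        if len(levels) > 1:
            findings.append(("ambiguous-mapping", policy, national))
    return findings


def to_mission_level(table, policy, national_level):
    """Translate an inbound national marking; fail closed when no unique mapping exists."""
    matches = [lvl for lvl, eq in table.items() if eq.get(policy) == national_level]
    if len(matches) != 1:
        raise LookupError(f"no unique mission equivalent for {policy}/{national_level}")
    return matches[0]


if __name__ == "__main__":
    for finding in audit_equivalency(SAMPLE_SPIF, {"NATION-A", "NATION-B"}):
        print(finding)
```

Running the audit each time an affiliate joins or leaves matches the trigger described above; an empty result means the equivalency table covers every listed participant.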
Activities

Process Steps

| ID | Activity | Performed by | Input IER | Output IER |
|---|---|---|---|---|
| BA-1558 | Create mission security labelling policy | Mission Network Information Management Authority (ROLE-359) | | |
| BA-1580 | Make the Mission SPIF available to all MNP: Share the mission specific SPIF with all the mission network participants via an appropriate collaboration platform (e.g. website). | Mission Network Information Management Authority (ROLE-359) | | SPIF Download (IER-594) |
| BA-1581 | Get MN SPIF from collaboration platform: Download the mission network specific SPIF from the mission network collaboration platform. | MNP Security Assurance Coordinator (ROLE-443) | SPIF Download (IER-594) | |


5.2 Functional Roles

5.2.1 CISOA
ID ROLE-439

Definition CIS Operational Authority

Activities Federated CIS Security Accreditation (BP-349)

• Receive information about accreditation decision and residual risks

5.2.2 MN CIS Sec WG


ID ROLE-438

Definition Mission Network CIS Security WG

Activities Federated CIS Security Accreditation (BP-349)

• Tailor MN CSRS and Annexes
• Consolidate a Mission Threat Assessment

5.2.3 MNP SAA


ID ROLE-441

Definition Mission Network Participant Security Accreditation Authority

Activities Federated CIS Security Accreditation (BP-349)

• Accredit MNP network

5.2.4 MNP Security Assurance Coordinator


ID ROLE-443

Definition Role within the MNP who coordinates on security activities, including engineering security solutions and preparing documentation for
accreditation / assurance processes.

Activities Federated SPIF Management (BP-484)

• Get MN SPIF from collaboration platform

Federated CIS Security Accreditation (BP-349)

• Receive and exploit MN Threat Assessment
• Provide MNP specific cyber security threat assessment
• Use approved MN CSRS to prepare capabilities
• Receive and exploit MN Risk Assessment
• Receive (I)ATO notifications

5.2.5 Mission Cyber Operation Centre (MCyOC)


ID ROLE-294

Definition The Mission Cyber Operation Centre (MCyOC) contains the advisors and staff of the Cyber Commander. The staff consists of C1 to C9
functions and the advisors include the legal advisors, political advisors and StratCom functions. However, it is likely that for most xMN
operations, these functions will be grouped or some functions might be taken over by the equivalent Joint functions.

Activities Federated CIS Security Incident Coordination (BP-471)

• Receive CIS Security incident escalation

Federated CIS Security Information Sharing (BP-45)

• Receive CIS Security Report


5.2.6 Mission Network Information Management Authority


ID ROLE-359

Definition The MN Information Management Authority (MN IMA) is the identified authoritative body that is responsible for implementing a
standardized approach to IM, assigning clear responsibilities across the coalition force and identifying ADS and TDS for the mission.
In particular the MN IMA is responsible:

• To develop and maintain an IM framework for a mission containing IM Plan, Standard Operating Procedures and guidelines
concerning all matters of IM;
• To ensure consistency of this framework with policies and directives of participating nations and organizations;
• To develop and maintain the Information Management Structure and Roles in the Mission;
• To establish the process to manage, maintain and distribute the permissible confidentiality and/or security metadata values that are
to be used on the Mission Network;
• To ensure compliance with the framework by implementing control processes;
• To categorize information assets and identify ADS and TDS for the mission; and
• To establish clear lines of authority, responsibility and accountability for IM that conform to the roles and responsibilities.

Activities Federated SPIF Management (BP-484)

• Create mission security labelling policy
• Make the Mission SPIF available to all MNP

5.2.7 Mission Network Participant Security Operation Center (MNP SOC)


ID ROLE-343

Definition The element established by each MNP for coordination of CIS Security within their deployed CIS assets.

Activities Federated CIS Security Incident Coordination (BP-471)

• Inform MSOC of CIS Security incident requiring coordination
• Respond to CIS Security incident (in coordination)

Federated CIS Security Information Sharing (BP-45)

• Possible CIS Security Incident detected
• Inform MSOC of CIS Security Information of Interest
• Receive CIS Security Report

5.2.8 Mission Network Security Accreditation Board


ID ROLE-21

Definition The MN Security Accreditation Board (MNSAB) is the board consisting of a member from each affiliate contributing to an MN which is
responsible for the security accreditation of the MN instantiation.
The Mission Network Security Accreditation Board (MN-SAB) is the collective security accreditation authority for the federated Mission
Network instance. The MN-SAB will remain in existence for the duration of the operation or of the MN, whichever lasts longer.
The MN-SAB will be responsible to:

• accredit MN capabilities, sustaining the collective confidence in the federation of networks;
• review and approve the accreditation process for the federated MN instance;
• review and approve the conditions for accreditation and re-accreditation of MN related CIS;
• provide advice and guidance on MN IA matters;
• define the minimum accreditation standards;
• define the requirements for security evaluation and certification;
• define the scope of the accreditation boundaries for the MN instance.

Activities Federated CIS Security Accreditation (BP-349)

• Determine the minimum level of security
• Communicate decision and residual risks to CISOA
• Ratify and share MN Security Risk Assessment
• Endorse and share consolidated Mission Threat Assessment
• Inform MNPs that network can be connected / (I)ATO
• Review and endorse MN CSRS and Annexes
• Review of SoCs and SISRS by all SAAs


5.2.9 Mission Network Service Management Authority


ID ROLE-22

Definition A Mission Network Service Management Authority (MNSMA) is a central role in a Mission Network assigned by the Lead Commander
based on delegated authority from all mission network participants, to define and govern the ICT services within a mission. This
includes the accountability for the design, provision, management, security, and provision of oversight and control of Information and
Communications Services in a coherent, effective and coordinated manner within its designated Area Of Responsibility (AOR), and the
assurance of the availability of ADS and TDS. The MNSMA establishes a standardized Service Management Framework (SMF) for the
MN to execute its functions and may delegate selected responsibilities to either internal or external organizations in order to provide the
desired end-to-end effect.

Activities Federated CIS Security Incident Coordination (BP-471)

• Coordinate incident response activities with MSOC

5.2.10 Mission Security Operations Centre (MSOC)


ID ROLE-296

Definition Mission Security Operations Centre (MSOC), responsible for overseeing the CIS Security Operations and handling Cyber Security
Incidents.

Activities Federated CIS Security Incident Coordination (BP-471)

• Receive CIS Security Incident Coordination Notice
• Coordinate CIS Security incident response activities
• Escalate CIS Security incident

Federated CIS Security Information Sharing (BP-45)

• Receive initial CIS Security Report
• Inform relevant MNPs of CIS Security information of interest
• Inform MCyOC of CIS Security information of interest
• Evaluate CIS security information


5.3 Information Products

| No | Information Product | Description |
|---|---|---|
| IP-38 | CIS Security Informations | CIS Security information is exchanged within the CIS security processes between mission partners. |
| IP-382 | Community Security Requirements Statement | A Community Security Requirements Statement (CSRS) is a Security Requirements Statement where the community of interest is comprised of a number of interconnected CIS; or where a large organization / HQs / civil or military body has a number of different CIS operating within the same global security environment. |
| IP-1787 | Escalated CIS Security incident report | All relevant details of incident and attempted resolutions, for which resolution has not been possible between MNPs and MSOC, for escalation to MCyOC. |
| IP-1785 | Initial MNP CIS Security Incident Report | Initial report describing key details about a CIS Security incident, identified by an MNP, which meets criteria for sharing with wider federation / other MNPs via the MSOC. (child of “Initial MNP CIS Security report”) This contains all relevant information that the MNP can share (permitted within its national policy), that it assesses as relevant / useful to the other partners to aid incident handling and resolution. |
| IP-1789 | Initial MNP CIS Security Report | Any CIS Security information object that meets criteria for sharing with the wider federation via the MSOC. |
| IP-1786 | MSOC-annotated CIS Security Report | CIS Security information evaluated by MSOC and considered relevant to share (with MNPs and / or MCyOC). |
| IP-1788 | Multinational CIS Security Incident Ticket | Multinational CIS Security Incident Ticket |
| IP-1831 | SPIF | The Security Policy Information File (SPIF) describes all of the allowable values within a security policy and the relationships between them. The SPIF can also include information that defines how the allowable values should be rendered as a security marking. The SPIF can include information for rendering in different languages. |
| IP-1377 | Security Accreditation Statement | A formal statement of the security accreditation decision. |
| IP-1388 | Security Risk Management Report | A report that includes the objective and scope of the related security risk assessment, the value of the assets, a threat and vulnerability summary, a description of the countermeasures to be implemented, a description of the residual risk, and the processes for ongoing security risk management. |
| IP-1421 | Statement of Compliance | *** THIS CELL SHOULD NOT BE EMPTY *** |
| IP-1531 | Threat Assessment | An assessment of the threat of deliberate physical or electromagnetic attacks, and of threats through "acts of God", for example fire, flood, lightning, storms or earthquakes. |


5.4 Information Exchange Requirements

Each information exchange is listed with its description, source and destination, followed by its service instructions
(obligation, service instruction, technology, description).

1. Generic CIS Security Information Exchange (IER-502)
Description: This IER is intended to cover / group all the specific CIS Security IER.

1.1. Initial MNP CIS Security Incident Report (IER-469)
Description: The MNP SOC has determined that an internal CIS Security Incident needs to be assessed and coordinated by the MSOC.
Source: Mission Network Participant Security Operation Center (MNP SOC)
Destination: Mission Security Operations Centre (MSOC)
• IDP-941: Primary; Service Instruction: Informal Messaging; Technology: Email routing (TIN-11); Description: As long as no
dedicated information exchange service with a standardized format is available, it is possible to use Email services to
exchange asynchronous information such as a CIS Security Incident Report.

1.2. Initial MNP CIS Security Report (IER-470)
Description: The MNP SOC has determined that a Mission Participant internal CIS Security Incident needs to be reported to the
Mission Security Operations Centre (MSOC).
Source: Mission Network Participant Security Operation Center (MNP SOC)
Destination: Mission Security Operations Centre (MSOC)
• IDP-942: Primary; Service Instruction: Informal Messaging; Technology: Email routing (TIN-11); Description: As long as no
dedicated information exchange service with a standardized format is available, it is possible to use Email services to
exchange asynchronous information such as a CIS Security Incident Report.

1.3. Escalation MSOC-annotated CIS Security Report (IER-471)
Description: The MSOC disseminates the CIS Security Incident Report to the MCyOC.
Source: Mission Security Operations Centre (MSOC)
Destination: Mission Cyber Operation Centre (MCyOC) Cyberspace Picture Manager
• IDP-944: Primary; Service Instruction: Informal Messaging; Technology: Email routing (TIN-11); Description: As long as no
dedicated information exchange service with a standardized format is available, it is possible to use Email services to
exchange asynchronous information such as a CIS Security Incident Report.

1.4. Multinational CIS Security Incident Ticket (IER-501)
Description: Coordination of cyber incident via exchange of incident “ticket” between affected MNPs.
Source: Mission Security Operations Centre (MSOC)
Destination: Mission Network Participant Security Operation Center (MNP SOC)
Conditionality: Ongoing incident involving/affecting multiple MNPs.
• IDP-940: Alternative; Service Instruction: Text-based Collaboration; Technology: Instant Messaging (TIN-138); Description:
As long as no dedicated information exchange service with a standardized format is available, it is possible to use Instant
Messaging services to exchange timely information or to coordinate incident response.
• IDP-946: Primary; Service Instruction: Informal Messaging; Technology: Email routing (TIN-11); Description: As long as no
dedicated information exchange service with a standardized format is available, it is possible to use Email services to
exchange asynchronous information such as a CIS Security Incident Report.

1.5. MSOC-annotated CIS Security Report (IER-472)
Description: The MSOC disseminates the Security Incident Report to the relevant MNP.
Source: Mission Security Operations Centre (MSOC)
Destination: Mission Network Participant Security Operation Center (MNP SOC)
• IDP-945: Primary; Service Instruction: Informal Messaging; Technology: Email routing (TIN-11); Description: As long as no
dedicated information exchange service with a standardized format is available, it is possible to use Email services to
exchange asynchronous information such as a CIS Security Incident Report.


1.6. Multinational CIS Security Incident Ticket (IER-503)
Description: Coordination of cyber incidents through the exchange of an incident ticket between the MSOC and the MNOC / the
entity responsible for network operations.
Source: Mission Security Operations Centre (MSOC)
Destination: Mission Network Service Management Authority
• IDP-1033: Primary; Service Instruction: Informal Messaging; Technology: Email routing (TIN-11); Description: The
Multinational CIS Security Incident Ticket could be exchanged using encrypted email service.

1.7. Security Risk Management Report (IER-633)
Description: Share the ratified MN Security Risk Assessment Report
Source: Mission Network Security Accreditation Board
Destination: MNP Security Assurance Coordinator
• IDP-1170: Primary; Service Instruction: Informal Messaging; Technology: Email routing (TIN-11); Description: Security risk
management reports are shared via email, in agreed format for the mission network.

1.8. MNP specific threat assessment (IER-629)
Description: Provide the MNP specific threat assessment to the MN CIS Sec WG.
Source: MNP Security Assurance Coordinator
Destination: MN CIS Sec WG
• IDP-1171: Primary; Service Instruction: Informal Messaging; Technology: Email routing (TIN-11); Description: MNPs will share
cyber threat assessments when available with the SAB via email.

1.9. Share endorsed CSRS (IER-634)
Description: Share the endorsed MN CSRS and Annexes with the MNPs
Source: Mission Network Security Accreditation Board
Destination: MNP Security Assurance Coordinator
• IDP-1166: Primary; Service Instruction: Informal Messaging; Technology: Email routing (TIN-11); Description: CSRS shall be
shared by xMN Security Accreditation Board (SAB) via email to all National SAAs
• IDP-1167: Alternative; Service Instruction: Web Hosting; Technology: Web-based Collaboration (TIN-9); Description: Endorsed
CSRS for mission network shall be shared by MN SAB to all MNPs potentially via portal

1.10. Initial CSRS (IER-628)
Description: Share initial CSRS with MNPs
Source: MN CIS Sec WG
Destination: MNP Security Assurance Coordinator
• IDP-1172: Primary; Service Instruction: Informal Messaging; Technology: Email routing (TIN-11); Description: Initial CSRS will
be shared to all MNPs via email

1.11. Share residual risk (IER-637)
Description: Communicate decision and residual risks to CISOA
Source: Mission Network Security Accreditation Board
Destination: CISOA
• IDP-1021: Primary; Service Instruction: Informal Messaging; Technology: Email routing (TIN-11); Description: The residual
risk should be exchanged using encrypted email service.

1.12. Consolidated threat assessment (IER-630)
Description: Share the consolidated threat assessment with MNPs
Source: Mission Network Security Accreditation Board
Destination: MNP Security Assurance Coordinator
• IDP-1168: Primary; Service Instruction: Web Hosting; Technology: Web-based Collaboration (TIN-9); Description: CIS Security
information is shared between partners via collaboration portal in agreed / structured format where possible.
• IDP-1169: Alternative; Service Instruction: Informal Messaging; Technology: Email routing (TIN-11); Description: CIS Security
information is shared between MNPs by email between dedicated Security Operations Centres / operators.

1.13. Escalated CIS Security incident report (IER-500)
Description: Due to the nature / severity of the CIS Security Incident, and an inability to resolve it between the MSOC and
MNPs, the MSOC escalates the incident to the MCyOC.
Source: Mission Security Operations Centre (MSOC)
Destination: Mission Cyber Operation Centre (MCyOC) Cyberspace Picture Manager
Conditionality: Cannot resolve incident amongst MNPs in a timely manner.
• IDP-943: Primary; Service Instruction: Informal Messaging; Technology: Email routing (TIN-11); Description: As long as no
dedicated information exchange service with a standardized format is available, it is possible to use Email services to
exchange asynchronous information such as a CIS Security Incident Report.


1.14. Provide I/ATO (IER-638)
Description: Inform MNPs by providing them the I/ATO that their network can be connected.
Source: Mission Network Security Accreditation Board
Destination: MNP Security Assurance Coordinator
• IDP-1022: Primary; Service Instruction: Informal Messaging; Technology: Email routing (TIN-11); Description: The I/ATO should
be exchanged using encrypted email service.

1.15. SPIF Download (IER-594)
Description: This IER is used to provide the SPIF to the Mission Network Participants.
Source: Mission Network Information Management Authority
Destination: MNP Security Assurance Coordinator
Conditionality: The mission specific SPIF needs to be provided by the MN IMA
• IDP-966: Primary; Service Instruction: Web Hosting; Technology: Web-based Collaboration (TIN-9); Description: The SPIF will
be provided by the MN IMA to the MNP via a web-based collaboration service.

1.16. Submit SoC (IER-636)
Description: Submit the signed Statement of Compliance
Source: MNP SAA
Destination: Mission Network Security Accreditation Board
• IDP-1020: Primary; Service Instruction: Informal Messaging; Technology: Email routing (TIN-11); Description: The Statement of
Compliance should be exchanged using the encrypted email service.


Annex A. Definitions
Term Definition

Accreditation An administrative action by which a designated authority declares that an information system is approved to operate in a
particular security configuration with a prescribed set of safeguards. ("Guideline for Computer Security Certification and
Accreditation", FIPS PUB 102, 27 September 1983.)

CIS Infrastructure Operations -- Actions taken to employ, secure, operate and maintain CIS in a way that creates and preserves data availability, integrity, and confidentiality, as well as user/entity authentication and non-repudiation. (Defensive Cyberspace Operations Concept in a Federated Mission Environment)

CIS Infrastructure Security -- Steady-state operations which ensure that security measures are applied for both the CIS and the data processed by the CIS. (FMN Defensive Cyberspace Operations Concept)

CIS Security Event -- CIS Security Events are security-related events with a negative consequence, such as system crashes, packet floods, unauthorized use of system privileges, unauthorized access to sensitive data, and execution of malware that destroys data. (Computer Security Incident Handling Guide, NIST Special Publication 800-61 Revision 2, August 2012)

CIS Security Incident -- A CIS Security Incident (a.k.a. Cyber Incident) is a violation or imminent threat of violation of CIS Security policies, acceptable use policies, or standard security practices such as attempts to gain unauthorized access to a system or its data, unexpected deliberate disruption or denial of service, unauthorized use of a system for the processing or storage of data, changes to system hardware, firmware, or software characteristics without the owner's knowledge, instruction, or consent (such as the introduction of malicious code). (U.S. National Institute of Standards and Technology)

Electronic Security Environment -- The Electronic Security Environment (ESE) represents the security provided by the CIS systems themselves. The security mechanisms and measures provided as separate systems or integrated into the systems (e.g. boundary protection devices, intrusion detection/protection systems, identification and authentication, audit, etc.) are distinct and separate from those measures provided outside of the CIS systems.

Global Security Environment -- The Global Security Environment (GSE) represents the physical areas which encompass the Theatre of Operations and all other external locations where service assets of a federated Mission Network are present (e.g. Data Centres, Antenna Sites, and Communication Satellites). As such the GSE covers all federated MN sections and extends to the Boundary Protection Systems (BPS) that might connect the federated MN with other domains or networks.

Local Security Environment -- The Local Security Environment (LSE) represents the physical security area over which the Site Security Officer (SSO), Security Administrator or System Administrator have control. Areas with different security standards (e.g. CLASS I, CLASS II or administrative zones) shall be identified as separate LSEs. All LSEs shall be contained within the Global Security Environment (GSE).

Network Interconnection Point -- An Interoperability Point between networks.

Permissible Action -- In a conceptual schema language, an action conforming to specified rules or constraints that changes a presumably consistent collection of sentences into a consistent one or makes known a consistent one present in the information base or conceptual schema. (NATOTerm)

Permissible Actions Protocol -- Classification of how received information can be used; used in Cyber Threat information.

Security Accreditation Statement -- A document produced by the xMNSAB based on review of all xMN Affiliate Statements of Compliance. It presents the overall risk of operation of the xMN to the Mission Comd for review, and authorization to operate.

Security Mode of Operation -- The security mode of operation of a federated Mission Network is normally SYSTEM HIGH. That is, ALL individuals with access to the system are cleared (personnel security) to the highest classification level of information stored, processed, or transmitted within the system, but NOT ALL individuals with access to the system have a common Need-To-Know for all the information stored, processed or transmitted within the system; approval to access information may be granted at an informal or individual level.

Security Risk Assessment -- A process of identifying system assets and how these assets can be compromised, assessing the level of risk that threats pose to assets, and recommending security measures to mitigate threats.

Situational Awareness -- The perception of the elements in the environment within a volume of time and space. (Endsley (1988, p97))

Threat Assessment -- A process of identifying any potential event or act (deliberate or accidental) or natural hazard that could compromise IT assets.

Vulnerability Assessment -- Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.


Annex B. Roadmap
This annex provides an overview of all Capability Enhancements (CPEs) that are fulfilled with these procedural instructions, bundled per corresponding Spiral
Objectives (SPOs). Where applicable, the associated operational requirements are listed.

The table below presents Spiral Objectives and Capability Enhancements which are driving changes in this document for FMN Spiral 5.

Spiral Objective: Provide initial cyber defence communication and collaboration by defining common procedures (SPO-74)

Problem
The sharing of cyber defence information, including background and reference information, cyber vulnerability, detection, and mitigation information, builds trust and aids partners in cyber protection,
detection, and mitigation across the mission network, building towards a federated cyber defence.
Change
This objective will define the types of information that fall into these categories, and will define procedures for sharing relevant information about them.
Benefit
Implementation of this objective will allow the creation of a community of interest for Cyber Defence, and will allow Mission Network Participants to collaborate and support each other on federation-level
CIS Security vulnerability, detection, and mitigation techniques via common defined procedures, building towards better shared situational awareness.

Capability Enhancement: Define procedures for sharing of newly discovered vulnerabilities (CPE-272)
Newly discovered vulnerabilities are critical components of most successful cyber attacks, as they provide a very high possibility of exploitation until a security patch can be available. Responsible disclosure of such vulnerabilities when discovered by coalition participants will speed up the overall mitigation for the coalition and therefore enhance the collective ability to defend the network.
Operational Requirements:
• Ability to collect and collate relevant cyberspace inputs (REQ-840)

Capability Enhancement: Define procedures for sharing of general cyber defence information (CPE-190)
Define procedures for sharing of general enabling cyber defence information, including Points of Contact Information, cyber security reports and statistics, to help build and mature the cyber defence community of interest.
Operational Requirements:
• Provide Cyber Defence monitoring and situational awareness of the transport and information layers (REQ-219)
• Provide agility, flexibility and scalability necessary to respond to emerging operational requirements during a mission (REQ-536)
• Provide governance and management to effectively accommodate the dynamic composition of a coalition during its life-cycle without harming the efficiency of the federation (REQ-537)

Capability Enhancement: Define procedures for sharing of cyber mitigation information (CPE-294)
Define procedures for sharing cyber mitigation information. This should include at the national / federation level, the technical level, lessons learned / best practices, and patching / remedial activities for bespoke software.
Operational Requirements:
• Ability to collect and collate relevant cyberspace inputs (REQ-840)

Capability Enhancement: Define procedures for sharing of cyber detection information (CPE-273)
Define procedures for sharing of cyber detection information including known malicious cyber assets, indicators of compromise, and malware detection. By sharing this type of information with the Cyber Defence Community of Interest the respective workload can be shared and duplication of effort can be avoided.
Operational Requirements:
• Ability to collect and collate relevant cyberspace inputs (REQ-840)


Spiral Objective: Provide a federated security labelling policy (SPO-264)

Problem
Security labels provide a way of indicating the sensitivity of a piece of information, for example an e-mail message, a document or directory information. They indicate to both the recipient and the associated
applications how the information should be handled.
A security labelling policy defines all of the security labels that may be used with that policy so that security labels can be consistently applied, consistently displayed and subjected to an access control
decision. The policy is often represented in a file, referred to as a SPIF (Security Policy Information File). It provides an electronic representation of the complete security labelling policy in one place that
can be shared and installed on systems that need to implement the security labelling policy. Unfortunately, there is no consensus on the standards used.
A common security labelling policy based on a specified standard can support the use of labels across the federation while allowing participants to configure and handle these labels in their own
(proprietary) mechanisms.
Change
This objective will ensure the use of a common standard (SPIF) for the representation of different national security labelling and classification policies and common security labelling policies for coalition
missions. In addition, various security labelling policies will be mapped to each other to enable common use of originator and alternative confidentiality labels in accordance with ADatP-4774. This provides security labelling
policies represented in a standardized format that can be used by systems relevant for cross-domain information exchange, such as email clients or cross-domain solutions/guards.
Benefit
Alliance and national security labelling and classification policies do not change frequently over time. Having these translated into a SPIF enables the federation to maintain a SPIF collection before
mission preparation and deployment. This enables Affiliates to implement federated security labelling in support of day zero interoperability.

Capability Enhancement: Create and maintain SPIFs for Affiliates and other potential mission participants (CPE-561)
Develop and manage a process to analyze organization and national policies from which labelling policy information needs to be derived, and produce SPIFs for all FMN Affiliates. Preferably, additional SPIFs should be made available from other organizations and nations that could participate in future missions.
Operational Requirements:
• Provide mission participants the ability to exchange information between their mission environment and their own national information sources (REQ-8)

Capability Enhancement: Develop a SPIF implementation and equivalency mapping methodology for exploitation (CPE-560)
Define a data format for equivalency mappings between Security Policy Information Files (SPIFs) and implementation guidance. Additionally, set up a methodology to develop, store, maintain and disseminate these SPIFs and SPIF equivalence mappings across the federation.
Operational Requirements:
• Provide mission participants the ability to exchange information between their mission environment and their own national information sources (REQ-8)

Capability Enhancement: Develop a procedure for creating a security labelling policy for a federated Mission Network (CPE-562)
Develop a procedure for defining and agreeing a common security labelling policy for a mission, and the dissemination of Security Policy Information Files (SPIFs).
Operational Requirements:
• Provide mission participants the ability to exchange information between their mission environment and their own national information sources (REQ-8)


Annex C. Information Exchange Requirements Details


This annex provides the details for the Information Exchange Requirements (IERs) that are defined in these procedural
instructions. For each IER, the following information is displayed:

• Description -- the description of the IER, complemented with an ArchiMate model.
• Conditionality -- only when available.
• Architecture Items -- a table of three columns for the Providers (expressed in Business Activities (BAs) and/or Organizational Entities (ORGs)), Information Product (IP) and Consumers (also as BAs and/or ORGs).
• Information Product -- the description of the associated Information Product (IP).
• Technology -- a table to show the Technology Dependencies (IDPs), grouped per dependent service instructions, each linked to the corresponding Technology Interactions (TINs) of those other instructions, and stating the obligation (Primary or Alternative) with a description and a conditionality statement if available.


C.1 Generic CIS Security Information Exchange


Description
(IER-502) -- This IER is intended to cover / group all the specific CIS Security IERs.

Figure 5. Generic CIS Security Information Exchange (ArchiMate model: IER-502 Generic CIS Security Information Exchange Process Context)


Architecture Items

Providers: (none listed)
Information Product:
• CIS Security Informations (IP-38)
Consumers: (none listed)

Information Product
(IP-38) -- CIS Security informations are exchanged within the CIS security processes between mission partners.


C.1.1 Initial MNP CIS Security Incident Report


Description
(IER-469) -- The MNP SOC has determined that an internal CIS Security Incident needs to be assessed and coordinated by
the MSOC.

Figure 6. Initial MNP CIS Security Incident Report (ArchiMate model: IER-469 Initial MNP CIS Security Incident Report Process Context)


Architecture Items

Providers:
• Inform MSOC of CIS Security incident requiring coordination (BA-1529)
• Mission Network Participant Security Operation Center (MNP SOC) (ROLE-343)
Information Product:
• Initial MNP CIS Security Incident Report (IP-1785)
Consumers:
• Receive CIS Security Incident Coordination Notice (BA-1532)
• Mission Security Operations Centre (MSOC) (ROLE-296)

Information Product
(IP-1785) -- Initial report describing key details about a CIS Security incident, identified by an MNP, which meets criteria for
sharing with wider federation / other MNPs via the MSOC. (child of “Initial MNP CIS Security report”) This contains all relevant
information that the MNP can share (permitted within his national policy), that he assesses as relevant / useful to the other
partners to aid incident handling and resolution.
Technology

Service Instructions for Informal Messaging
ID: IDP-941
Interaction: Email routing (TIN-11)
Obligation: Primary
Description / Conditionality: As long as no dedicated information exchange service with a standardized format is available, it is possible to use Email services to exchange asynchronous information such as a CIS Security Incident Report.


C.1.2 Initial MNP CIS Security Report


Description
(IER-470) -- The MNP SOC has determined that a Mission Participant internal CIS Security Incident needs to be reported to
the Mission Security Operations Centre (MSOC).

Figure 7. Initial MNP CIS Security Report (ArchiMate model: IER-470 Initial MNP CIS Security Report Process Context)


Architecture Items

Providers:
• Inform MSOC of CIS Security Information of Interest (BA-1378)
• Mission Network Participant Security Operation Center (MNP SOC) (ROLE-343)
Information Product:
• Initial MNP CIS Security Report (IP-1789)
Consumers:
• Receive initial CIS Security Report (BA-1377)
• Mission Security Operations Centre (MSOC) (ROLE-296)

Information Product
(IP-1789) -- Any CIS Security information object that meets criteria for sharing with the wider federation via the MSOC.
Technology

Service Instructions for Informal Messaging
ID: IDP-942
Interaction: Email routing (TIN-11)
Obligation: Primary
Description / Conditionality: As long as no dedicated information exchange service with a standardized format is available, it is possible to use Email services to exchange asynchronous information such as a CIS Security Incident Report.


C.1.3 Escalation MSOC-annotated CIS Security Report


Description
(IER-471) -- The MSOC disseminates the CIS Security Incident Report to the MCyOC.

Figure 8. Escalation MSOC-annotated CIS Security Report (ArchiMate model: IER-471 Escalation MSOC-annotated CIS Security Report Process Context)


Architecture Items

Providers:
• Inform MCyOC of CIS Security information of interest (BA-1380)
• Mission Security Operations Centre (MSOC) (ROLE-296)
Information Product:
• MSOC-annotated CIS Security Report (IP-1786)
Consumers:
• Check/Validate RCP Information Update (BA-1177)
• Receive CIS Security Report (BA-1379)
• Mission Cyber Operation Centre (MCyOC) (ROLE-294)
• Cyberspace Picture Manager (ROLE-313)

Information Product
(IP-1786) -- CIS Security information evaluated by MSOC and considered relevant to share (with MNPs and / or MCyOC).
Technology

Service Instructions for Informal Messaging
ID: IDP-944
Interaction: Email routing (TIN-11)
Obligation: Primary
Description / Conditionality: As long as no dedicated information exchange service with a standardized format is available, it is possible to use Email services to exchange asynchronous information such as a CIS Security Incident Report.


C.1.4 Multinational CIS Security Incident Ticket


Description
(IER-501) -- Coordination of cyber incident via exchange of incident “ticket” between affected MNPs.

Figure 9. Multinational CIS Security Incident Ticket (ArchiMate model: IER-501 Multinational CIS Security Incident Ticket Process Context)


Conditionality
Ongoing incident involving/affecting multiple MNPs.
Architecture Items

Providers:
• Coordinate CIS Security incident response activities (BA-1533)
• Mission Security Operations Centre (MSOC) (ROLE-296)
Information Product:
• Multinational CIS Security Incident Ticket (IP-1788)
Consumers:
• Respond to CIS Security incident (in coordination) (BA-1535)
• Mission Network Participant Security Operation Center (MNP SOC) (ROLE-343)

Information Product
(IP-1788) -- Multinational CIS Security Incident Ticket
Technology

Service Instructions for Informal Messaging
ID: IDP-946
Interaction: Email routing (TIN-11)
Obligation: Primary
Description / Conditionality: As long as no dedicated information exchange service with a standardized format is available, it is possible to use Email services to exchange asynchronous information such as a CIS Security Incident Report.

Service Instructions for Text-based Collaboration
ID: IDP-940
Interaction: Instant Messaging (TIN-138)
Obligation: Alternative
Description / Conditionality: As long as no dedicated information exchange service with a standardized format is available, it is possible to use Instant Messaging services to exchange timely information or to coordinate incident response.


C.1.5 MSOC-annotated CIS Security Report


Description
(IER-472) -- The MSOC disseminates the Security Incident Report to the relevant MNP.

Figure 10. MSOC-annotated CIS Security Report (ArchiMate model: IER-472 MSOC-annotated CIS Security Report Process Context)


Architecture Items

Providers:
• Inform relevant MNPs of CIS Security information of interest (BA-1375)
• Mission Security Operations Centre (MSOC) (ROLE-296)
Information Product:
• MSOC-annotated CIS Security Report (IP-1786)
Consumers:
• Receive CIS Security Report (BA-1381)
• Mission Network Participant Security Operation Center (MNP SOC) (ROLE-343)

Information Product
(IP-1786) -- CIS Security information evaluated by MSOC and considered relevant to share (with MNPs and / or MCyOC).
Technology

Service Instructions for Informal Messaging
ID: IDP-945
Interaction: Email routing (TIN-11)
Obligation: Primary
Description / Conditionality: As long as no dedicated information exchange service with a standardized format is available, it is possible to use Email services to exchange asynchronous information such as a CIS Security Incident Report.


C.1.6 Multinational CIS Security Incident Ticket


Description
(IER-503) -- Coordination of cyber incidents through the exchange of an incident ticket between the MSOC and the MNOC /
the entity responsible for network operations.

Figure 11. Multinational CIS Security Incident Ticket (ArchiMate model: IER-503 Multinational CIS Security Incident Ticket Process Context)


Architecture Items

Providers:
• Coordinate CIS Security incident response activities (BA-1533)
• Mission Security Operations Centre (MSOC) (ROLE-296)
Information Product:
• Multinational CIS Security Incident Ticket (IP-1788)
Consumers:
• Coordinate incident response activities with MSOC (BA-1539)
• Mission Network Service Management Authority (ROLE-22)

Information Product
(IP-1788) -- Multinational CIS Security Incident Ticket
Technology

Service Instructions for Informal Messaging
ID: IDP-1033
Interaction: Email routing (TIN-11)
Obligation: Primary
Description / Conditionality: The Multinational CIS Security Incident Ticket could be exchanged using encrypted email service.


C.1.7 Security Risk Management Report


Description
(IER-633) -- Share the ratified MN Security Risk Assessment Report

Figure 12. Security Risk Management Report (ArchiMate model: IER-633 Security Risk Management Report Process Context)


Architecture Items

Providers:
• Ratify and share MN Security Risk Assessment (BA-1852)
• Mission Network Security Accreditation Board (ROLE-21)
Information Product:
• Security Risk Management Report (IP-1388)
Consumers:
• Receive and exploit MN Risk Assessment (BA-1853)
• MNP Security Assurance Coordinator (ROLE-443)

Information Product
(IP-1388) -- A report that includes the objective and scope of the related security risk assessment, the value of the assets, a
threat and vulnerability summary, a description of the countermeasures to be implemented, a description of the residual risk,
and the processes for ongoing security risk management
Technology

Service Instructions for Informal Messaging
ID: IDP-1170
Interaction: Email routing (TIN-11)
Obligation: Primary
Description / Conditionality: Security risk management reports are shared via email, in agreed format for the mission network.


C.1.8 MNP specific threat assessment


Description
(IER-629) -- Provide the MNP specific threat assessment to the MN CIS Sec WG.

Figure 13. MNP specific threat assessment (ArchiMate model: IER-629 MNP specific threat assessment Process Context)


Architecture Items

Providers:
• Provide MNP specific cyber security threat assessment (BA-1849)
• MNP Security Assurance Coordinator (ROLE-443)
Information Product:
• Threat Assessment (IP-1531)
Consumers:
• Consolidate a Mission Threat Assessment (BA-1848)
• MN CIS Sec WG (ROLE-438)

Information Product
(IP-1531) -- An assessment of the threat of deliberate physical or electromagnetic attacks, and of threats through "acts of
God", for example fire, flood, lightning, storms or earthquakes.
Technology

Service Instructions for Informal Messaging
ID: IDP-1171
Interaction: Email routing (TIN-11)
Obligation: Primary
Description / Conditionality: MNPs will share cyber threat assessments when available with the SAB via email.


C.1.9 Share endorsed CSRS


Description
(IER-634) -- Share the endorsed MN CSRS and Annexes with the MNPs

Figure 14. Share endorsed CSRS (ArchiMate model: IER-634 Share endorsed CSRS Process Context)


Architecture Items

Providers:
• Review and endorse MN CSRS and Annexes (BA-1854)
• Mission Network Security Accreditation Board (ROLE-21)
Information Product:
• Community Security Requirements Statement (IP-382)
Consumers:
• Use approved MN CSRS to prepare capabilities (BA-1847)
• MNP Security Assurance Coordinator (ROLE-443)

Information Product
(IP-382) -- A Community Security Requirements Statement (CSRS) is a Security Requirements Statement where the
community of interest is comprised of a number of interconnected CIS; or where a large organization / HQs / civil or military
body has a number of different CIS operating within the same global security environment.
Technology

Service Instructions for Informal Messaging
ID: IDP-1166
Interaction: Email routing (TIN-11)
Obligation: Primary
Description / Conditionality: CSRS shall be shared by xMN Security Accreditation Board (SAB) via email to all National SAAs.

Service Instructions for Web Hosting
ID: IDP-1167
Interaction: Web-based Collaboration (TIN-9)
Obligation: Alternative
Description / Conditionality: Endorsed CSRS for mission network shall be shared by MN SAB to all MNPs potentially via portal.


C.1.10 Initial CSRS


Description
(IER-628) -- Share initial CSRS with MNPs

Figure 15. Initial CSRS (ArchiMate model: IER-628 Initial CSRS Process Context)


Architecture Items

Providers:
• Tailor MN CSRS and Annexes (BA-1846)
• MN CIS Sec WG (ROLE-438)
Information Product:
• Community Security Requirements Statement (IP-382)
Consumers:
• Use approved MN CSRS to prepare capabilities (BA-1847)
• MNP Security Assurance Coordinator (ROLE-443)

Information Product
(IP-382) -- A Community Security Requirements Statement (CSRS) is a Security Requirements Statement where the
community of interest is comprised of a number of interconnected CIS; or where a large organization / HQs / civil or military
body has a number of different CIS operating within the same global security environment.
Technology

Service Instructions for Informal Messaging
ID: IDP-1172
Interaction: Email routing (TIN-11)
Obligation: Primary
Description / Conditionality: Initial CSRS will be shared to all MNPs via email.


C.1.11 Share residual risk


Description
(IER-637) -- Communicate decision and residual risks to CISOA

Figure 16. Share residual risk (ArchiMate model: IER-637 Share residual risk Process Context)


Architecture Items

Providers:
• Communicate decision and residual risks to CISOA (BA-1857)
• Mission Network Security Accreditation Board (ROLE-21)
Information Product:
• Security Risk Management Report (IP-1388)
Consumers:
• Receive information about accreditation decision and residual risks (BA-1859)
• CISOA (ROLE-439)

Information Product
(IP-1388) -- A report that includes the objective and scope of the related security risk assessment, the value of the assets, a
threat and vulnerability summary, a description of the countermeasures to be implemented, a description of the residual risk,
and the processes for ongoing security risk management
Technology

Service Instructions for Informal Messaging
ID: IDP-1021
Interaction: Email routing (TIN-11)
Obligation: Primary
Description / Conditionality: The residual risk should be exchanged using encrypted email service.


C.1.12 Consolidated threat assessment


Description
(IER-630) -- Share the consolidated threat assessment with MNPs

Figure 17. Consolidated threat assessment (ArchiMate model: IER-630 Consolidated threat assessment Process Context)


Architecture Items

Providers:
• Endorse and share consolidated Mission Threat Assessment (BA-1850)
• Mission Network Security Accreditation Board (ROLE-21)
Information Product:
• Threat Assessment (IP-1531)
Consumers:
• Receive and exploit MN Threat Assessment (BA-1851)
• MNP Security Assurance Coordinator (ROLE-443)

Information Product
(IP-1531) -- An assessment of the threat of deliberate physical or electromagnetic attacks, and of threats through "acts of
God", for example fire, flood, lightning, storms or earthquakes.
Technology

Service Instructions for Informal Messaging
ID: IDP-1169
Interaction: Email routing (TIN-11)
Obligation: Alternative
Description / Conditionality: CIS Security information is shared between MNPs by email between dedicated Security Operations Centres / operators.

Service Instructions for Web Hosting
ID: IDP-1168
Interaction: Web-based Collaboration (TIN-9)
Obligation: Primary
Description / Conditionality: CIS Security information is shared between partners via collaboration portal in agreed / structured format where possible.


C.1.13 Escalated CIS Security incident report


Description
(IER-500) -- Due to the nature / severity of the CIS Security Incident, and an inability to resolve it between the MSOC and
MNPs, the MSOC escalates the incident to the MCyOC.

[Figure 18. Escalated CIS Security incident report: process context for IER-500, from the Mission Security Operations Centre (MSOC) (Escalate CIS Security incident) to the Mission Cyber Operation Centre (MCyOC) (Receive CIS Security incident escalation) and the Cyberspace Picture Manager (Check/Validate RCP Information Update), via Email routing.]


Conditionality
Cannot resolve incident amongst MNPs in a timely manner.
Architecture Items

Providers: Escalate CIS Security incident (BA-1531); Mission Security Operations Centre (MSOC) (ROLE-296)
Information Product: Escalated CIS Security incident report (IP-1787)
Consumers: Check/Validate RCP Information Update (BA-1177); Receive CIS Security incident escalation (BA-1530); Mission Cyber Operation Centre (MCyOC) (ROLE-294); Cyberspace Picture Manager (ROLE-313)

Information Product
(IP-1787) -- All relevant details of incident and attempted resolutions, for which resolution has not been possible between
MNPs and MSOC, for escalation to MCyOC.
Technology

Service Instructions for Informal Messaging
ID: IDP-943
Interaction: Email routing (TIN-11)
Obligation: Primary
Description / Conditionality: As long as no dedicated information exchange service with a standardized format is available, it is possible to use Email services to exchange asynchronous information such as a CIS Security Incident Report.


C.1.14 Provide I/ATO


Description
(IER-638) -- Inform MNPs by providing them the I/ATO that their network can be connected.

[Figure 19. Provide I/ATO: process context for IER-638, from the Mission Network Security Accreditation Board (Inform MNPs that network can be connected / (I)ATO) to the MNP Security Assurance Coordinator (Receive (I)ATO notifications), via Email routing.]


Architecture Items

Providers: Inform MNPs that network can be connected / (I)ATO (BA-1858); Mission Network Security Accreditation Board (ROLE-21)
Information Product: Security Accreditation Statement (IP-1377)
Consumers: Receive (I)ATO notifications (BA-1860); MNP Security Assurance Coordinator (ROLE-443)

Information Product
(IP-1377) -- A formal statement of the security accreditation decision.
Technology

Service Instructions for Informal Messaging
ID: IDP-1022
Interaction: Email routing (TIN-11)
Obligation: Primary
Description / Conditionality: The I/ATO should be exchanged using encrypted email service.


C.1.15 SPIF Download


Description
(IER-594) -- This IER is used to provide the SPIF to the Mission Network Participants.

[Figure 20. SPIF Download: process context for IER-594, from the Mission Network Information Management Authority (Make the Mission SPIF available to all MNP) to the MNP Security Assurance Coordinator (Get MN SPIF from collaboration platform), via Web-based Collaboration.]


Conditionality
The mission specific SPIF needs to be provided by the MN IMA
Architecture Items

Providers: Make the Mission SPIF available to all MNP (BA-1580); Mission Network Information Management Authority (ROLE-359)
Information Product: SPIF (IP-1831)
Consumers: Get MN SPIF from collaboration platform (BA-1581); MNP Security Assurance Coordinator (ROLE-443)

Information Product
(IP-1831) -- The Security Policy Information File (SPIF) describes all of the allowable values within a security policy and the
relationships between them. The SPIF can also include information that defines how the allowable values should be rendered
as a security marking. The SPIF can include information for rendering in different languages.
Technology

Service Instructions for Web Hosting
ID: IDP-966
Interaction: Web-based Collaboration (TIN-9)
Obligation: Primary
Description / Conditionality: The SPIF will be provided by the MN IMA to the MNP via a web-based collaboration service.


C.1.16 Submit SoC


Description
(IER-636) -- Submit the signed Statement of Compliance

[Figure 21. Submit SoC: process context for IER-636, from the MNP SAA (Accredit MNP network) to the Mission Network Security Accreditation Board (Review of SoCs and SISRS by all SAAs), via Email routing.]


Architecture Items

Providers: Accredit MNP network (BA-1855); MNP SAA (ROLE-441)
Information Product: Statement of Compliance (IP-1421)
Consumers: Review of SoCs and SISRS by all SAAs (BA-1856); Mission Network Security Accreditation Board (ROLE-21)

Information Product
(IP-1421) --
Technology

Service Instructions for Informal Messaging
ID: IDP-1020
Interaction: Email routing (TIN-11)
Obligation: Primary
Description / Conditionality: The Statement of Compliance should be exchanged using the encrypted email service.


Annex D. Information Products


This annex provides the details of the Information Products (IPs) that are created, exploited and disseminated in these
procedural instructions. The IPs are listed in alphabetical order by title. For each information product, it provides the
description and a table with the associated Information Exchange Requirements (IERs) and the corresponding Business
Activities (BAs) on the provider and consumer sides.

D.1 CIS Security Informations


CIS Security information is exchanged within the CIS security processes between mission partners.
IERs

IER: Generic CIS Security Information Exchange (IER-502)

D.2 Community Security Requirements Statement


A Community Security Requirements Statement (CSRS) is a Security Requirements Statement where the community of
interest is comprised of a number of interconnected CIS; or where a large organization / HQs / civil or military body has a
number of different CIS operating within the same global security environment.
IERs

IER: Share endorsed CSRS (IER-634)
Provider Activity: Review and endorse MN CSRS and Annexes (BA-1854)
Consumer Activity: Use approved MN CSRS to prepare capabilities (BA-1847)

IER: Initial CSRS (IER-628)
Provider Activity: Tailor MN CSRS and Annexes (BA-1846)
Consumer Activity: Use approved MN CSRS to prepare capabilities (BA-1847)

D.3 Escalated CIS Security incident report


All relevant details of incident and attempted resolutions, for which resolution has not been possible between MNPs and
MSOC, for escalation to MCyOC.
IERs

IER: Escalated CIS Security incident report (IER-500)
Provider Activity: Escalate CIS Security incident (BA-1531)
Consumer Activity: Check/Validate RCP Information Update (BA-1177); Receive CIS Security incident escalation (BA-1530)

D.4 Initial MNP CIS Security Incident Report


Initial report describing key details about a CIS Security incident, identified by an MNP, which meets the criteria for sharing
with the wider federation / other MNPs via the MSOC (child of “Initial MNP CIS Security report”). This contains all relevant
information that the MNP can share (as permitted within its national policy) and that it assesses as relevant / useful to the
other partners to aid incident handling and resolution.
IERs

IER: Initial MNP CIS Security Incident Report (IER-469)
Provider Activity: Inform MSOC of CIS Security incident requiring coordination (BA-1529)
Consumer Activity: Receive CIS Security Incident Coordination Notice (BA-1532)


D.5 Initial MNP CIS Security Report


Any CIS Security information object that meets criteria for sharing with the wider federation via the MSOC.
IERs

IER: Initial MNP CIS Security Report (IER-470)
Provider Activity: Inform MSOC of CIS Security Information of Interest (BA-1378)
Consumer Activity: Receive initial CIS Security Report (BA-1377)

D.6 MSOC-annotated CIS Security Report


CIS Security information evaluated by MSOC and considered relevant to share (with MNPs and / or MCyOC).
IERs

IER: Escalation MSOC-annotated CIS Security Report (IER-471)
Provider Activity: Inform MCyOC of CIS Security information of interest (BA-1380)
Consumer Activity: Check/Validate RCP Information Update (BA-1177); Receive CIS Security Report (BA-1379)

IER: MSOC-annotated CIS Security Report (IER-472)
Provider Activity: Inform relevant MNPs of CIS Security information of interest (BA-1375)
Consumer Activity: Receive CIS Security Report (BA-1381)

D.7 Multinational CIS Security Incident Ticket


Multinational CIS Security Incident Ticket
IERs

IER: Multinational CIS Security Incident Ticket (IER-501)
Provider Activity: Coordinate CIS Security incident response activities (BA-1533)
Consumer Activity: Respond to CIS Security incident (in coordination) (BA-1535)

IER: Multinational CIS Security Incident Ticket (IER-503)
Provider Activity: Coordinate CIS Security incident response activities (BA-1533)
Consumer Activity: Coordinate incident response activities with MSOC (BA-1539)

D.8 SPIF
The Security Policy Information File (SPIF) describes all of the allowable values within a security policy and the relationships
between them. The SPIF can also include information that defines how the allowable values should be rendered as a security
marking. The SPIF can include information for rendering in different languages.
IERs

IER: SPIF Download (IER-594)
Provider Activity: Make the Mission SPIF available to all MNP (BA-1580)
Consumer Activity: Get MN SPIF from collaboration platform (BA-1581)

D.9 Security Accreditation Statement


A formal statement of the security accreditation decision.
IERs

IER: Provide I/ATO (IER-638)
Provider Activity: Inform MNPs that network can be connected / (I)ATO (BA-1858)
Consumer Activity: Receive (I)ATO notifications (BA-1860)


D.10 Security Risk Management Report


A report that includes the objective and scope of the related security risk assessment, the value of the assets, a threat and
vulnerability summary, a description of the countermeasures to be implemented, a description of the residual risk, and the
processes for ongoing security risk management
IERs

IER: Security Risk Management Report (IER-633)
Provider Activity: Ratify and share MN Security Risk Assessment (BA-1852)
Consumer Activity: Receive and exploit MN Risk Assessment (BA-1853)

IER: Share residual risk (IER-637)
Provider Activity: Communicate decision and residual risks to CISOA (BA-1857)
Consumer Activity: Receive information about accreditation decision and residual risks (BA-1859)

D.11 Statement of Compliance


IERs

IER: Submit SoC (IER-636)
Provider Activity: Accredit MNP network (BA-1855)
Consumer Activity: Review of SoCs and SISRS by all SAAs (BA-1856)

D.12 Threat Assessment


An assessment of the threat of deliberate physical or electromagnetic attacks, and of threats through "acts of God", for
example fire, flood, lightning, storms or earthquakes.
IERs

IER: MNP specific threat assessment (IER-629)
Provider Activity: Provide MNP specific cyber security threat assessment (BA-1849)
Consumer Activity: Consolidate a Mission Threat Assessment (BA-1848)

IER: Consolidated threat assessment (IER-630)
Provider Activity: Endorse and share consolidated Mission Threat Assessment (BA-1850)
Consumer Activity: Receive and exploit MN Threat Assessment (BA-1851)
