Review network diagrams, enterprise sensor reports, and network scans submitted to the Connection Approval Office. Determine that only global IP addresses assigned by the NIC are in use within the organization's SIPRNet enclave.
NOTE: This requirement also applies to IPv6 ULA addresses. The IPv6 ULA is unauthorized on SIPR without approval.
Determine whether NAT and unauthorized IP address space are in use in the organization's SIPRNet enclave.
Exceptions to this requirement are listed below:
1. Closed classified networks logically transiting SIPRNet for enclave-to-enclave VPN transport only.
2. Out-of-Band management networks, where the NAT'd nodes do not access SIPRNet base enterprise services.
3. Thin client deployments where the hosting thin client server serves as the SIPRNet access point for its thin clients and the organization maintains detailed thin client service usage audit logs.
4. Valid operational mission need or implementation constraints.
All exceptions must have approval by the SIPRNet DISN accreditation official, DISA AO.
If NAT and unauthorized IP address space are in use on the organization's SIPRNet infrastructure, this is a finding.
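
One way to support the scan review described above is to extract every address from scan output and flag anything outside the assigned allocations, labelling RFC 1918 and IPv6 ULA space separately. This is an added example, not part of the original check text; the AUTHORIZED blocks are constructed placeholders (documentation ranges) and the scan line format and function names are assumptions.

```python
import ipaddress
import re

# Constructed placeholders (documentation ranges) standing in for the enclave's
# NIC-assigned blocks, which the page does not list.
AUTHORIZED = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:100::/48")]

# Ranges that are never NIC-assigned global space.
NON_GLOBAL = {
    "RFC 1918 private": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "IPv6 ULA": ("fc00::/7",),
}
NON_GLOBAL = {k: [ipaddress.ip_network(n) for n in v] for k, v in NON_GLOBAL.items()}

TOKEN = re.compile(r"[0-9A-Fa-f:.]{3,}")  # candidate IPv4/IPv6 literals


def in_any(addr, nets):
    return any(addr.version == n.version and addr in n for n in nets)


def classify(addr):
    if in_any(addr, AUTHORIZED):
        return "authorized"
    for label, nets in NON_GLOBAL.items():
        if in_any(addr, nets):
            return label
    return "outside assigned space"


def audit(lines):
    """Return {address: reason} for every address that is not authorized."""
    findings = {}
    for line in lines:
        for tok in TOKEN.findall(line):
            try:
                addr = ipaddress.ip_address(tok.rstrip("."))
            except ValueError:
                continue  # port numbers, counters, hex fragments
            verdict = classify(addr)
            if verdict != "authorized":
                findings[str(addr)] = verdict
    return findings


# Constructed scan output, not taken from any real enclave.
SAMPLE_SCAN = [
    "host 198.51.100.17 up, 22/tcp open",
    "host 192.168.10.5 up, 443/tcp open",
    "host fd12:3456:789a::20 up, 22/tcp open",
    "host 2001:db8:100::5 up, 80/tcp open",
    "host 203.0.113.9 up, 25/tcp open",
]
```

Each flagged address still has to be checked against the approved exceptions before it is recorded as a finding.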