SIPRNet and NIPRNet Security Requirements

The Secret Internet Protocol Router Network (SIPRNet) and the Non-classified Internet Protocol Router Network (NIPRNet) are the two primary wide-area networks underpinning U.S. federal government and Department of Defense communications. This page describes the security architecture, classification boundaries, access requirements, and compliance obligations governing both networks. Understanding the structural differences between the two — and the regulatory frameworks that enforce their separation — is essential for any organization operating within or adjacent to federal information systems.


Definition and scope

SIPRNet is a classified network authorized to carry information up to and including the SECRET classification level under the U.S. government's classification system established by Executive Order 13526. NIPRNet carries Controlled Unclassified Information (CUI) and unclassified but sensitive data, and provides controlled access to the public internet through approved gateways. Both networks fall under the definition of National Security Systems (NSS) as codified in 44 U.S.C. § 3552(b)(6), which assigns oversight authority to the Committee on National Security Systems (CNSS) rather than solely to the civilian-facing frameworks administered by NIST.

The scope of SIPRNet spans the Department of Defense (DoD), the Intelligence Community, and cleared federal agencies. NIPRNet scope is broader, encompassing the entire DoD enterprise and interconnected federal entities operating at the unclassified level. Both networks are explicitly excluded from standard Federal Information Security Modernization Act (FISMA) frameworks in favor of NSS-specific policy instruments, most notably CNSSI No. 1253, which establishes security categorization and control selection for national security systems.

The networks are described in the security systems listings maintained across this reference directory, where classified and unclassified infrastructure types are catalogued by operational category.


How it works

SIPRNet and NIPRNet operate as physically and logically separated infrastructures. Physical separation — sometimes called "air-gapping" — is mandatory between the two, meaning no direct data path exists between a SIPRNet endpoint and a NIPRNet endpoint without a hardware-enforced Cross Domain Solution (CDS). Cross Domain Solutions approved for DoD use are evaluated and listed on the Unified Cross Domain Management Office (UCDMO) Baseline, which is administered under DoD authority.

Access to SIPRNet requires:

  1. Personnel Security Clearance — A minimum SECRET clearance granted through an authorized adjudicating facility under the National Industrial Security Program (NISP), governed by 32 C.F.R. Part 117 (NISPOM).
  2. Need-to-Know Determination — A verified operational requirement, documented by an authorized program or facility security officer.
  3. Approved Hardware and PKI Credentials — SIPRNet tokens issued by the Defense Information Systems Agency (DISA), which manages SIPRNet infrastructure and access policy.
  4. Endpoint Compliance — Systems must conform to DoD Security Technical Implementation Guides (STIGs) published by DISA at public.cyber.mil.
  5. Network Accreditation — The connecting system must hold an Authorization to Operate (ATO) under the Risk Management Framework (RMF) as described in NIST SP 800-37, adapted for NSS environments per CNSSI 1253.

NIPRNet access follows a parallel but lower-threshold pathway: personnel require background investigation commensurate with their role, endpoints must be STIG-compliant, and connections to the public internet are mediated exclusively through DoD-managed Boundary Control Points. The DoD Cyber Strategy, published by the Office of the Secretary of Defense, designates DISA as the network service provider responsible for both networks' transport infrastructure.


Common scenarios

Cross-agency information sharing — When a cleared contractor operating under a Facility Clearance (FCL) requires access to SIPRNet at a government site, the National Industrial Security Program Operating Manual (NISPOM, 32 C.F.R. Part 117) governs the physical, personnel, and technical controls required. The contractor's Information Systems Security Manager (ISSM) must coordinate an ATO with the sponsoring government Authorizing Official (AO).

Coalition and foreign partner access — Approved foreign partners may access compartmented segments of SIPRNet through Releasable (REL) network extensions, governed by bilateral agreements and the CNSS-issued policies for Controlled Interfaces. These arrangements require additional CNSS approvals beyond standard SIPRNet access.

Incident response on NIPRNet — Under DoD Directive 8570.01 (now transitioned to DoD 8140 series, DoD Instruction 8140.02), personnel performing cyber incident response on NIPRNet must hold qualifying certifications mapped to their workforce role category. Incident reporting flows through the DoD Cyber Crime Center (DC3) and U.S. Cyber Command.

Remote access via SIPRNet — Remote SIPRNet access requires hardware-based multi-factor authentication, and sessions must traverse DISA-approved Virtual Private Network (VPN) solutions that appear on the DoD Approved Products List (APL). The security-systems-directory-purpose-and-scope page contextualizes how infrastructure categories of this type are classified within the broader NSS landscape.


Decision boundaries

The central classification boundary separating SIPRNet from NIPRNet is the information classification level of the data processed, stored, or transmitted. No system authorized solely for NIPRNet may process SECRET or above data without a separate SIPRNet ATO. The reverse is equally enforced: SIPRNet systems must not route unclassified traffic to NIPRNet without hardware-enforced CDS intermediation.

A structured contrast of the two networks:

| Dimension | NIPRNet | SIPRNet |
|---|---|---|
| Max data classification | Unclassified / CUI | SECRET |
| Governing personnel standard | Background Investigation (T3 minimum) | SECRET clearance (T5 minimum) |
| Internet gateway | DISA Boundary Control Points | None — isolated |
| Primary regulatory instrument | CNSSI 1253, NIST SP 800-53 (NSS controls) | CNSSI 1253, NISPOM, STIG compliance |
| Oversight body | DISA, DoD CIO | DISA, CNSS, DoD CIO |

Organizations evaluating whether a given system requires SIPRNet accreditation apply the CNSSI 1253 categorization process: if any data element processed reaches the SECRET threshold under EO 13526, SIPRNet classification is mandatory. Systems handling only CUI categories defined in the National Archives CUI Registry operate on NIPRNet, not SIPRNet. The how-to-use-this-security-systems-resource page provides orientation for navigating the directory categories relevant to both network types.

Dual-use endpoints — systems that must interface with both networks — require a hardware CDS solution from the UCDMO Baseline and a separate ATO for each network boundary. No software-only solution satisfies the cross-domain separation requirement under current DoD policy.

