AFMAN17-1301 12 FEBRUARY 2020 41
6.2.7. For time-sensitive operational interoperability in support of operations with limited
duration, Information System Owners and authorizing officials may request temporary use of
ports, protocols, and services not listed on the DoD Ports, Protocols, and Services Management
Category Assurance List according to DoDI 8551.01. Follow the Department of Defense
Ports, Protocols, and Services Management Exception Management Process and ports,
protocols, and services guidance on the Air Force Information Assurance Collaborative
Environment.
6.2.8. Records in the DoD Ports, Protocols, and Services Management Registry require review
on an annual basis, at a minimum, to validate that system information, points of contact, and all
communications interfaces remain accurate and up-to-date. Failure to keep records current
will result in removal from the DoD Ports, Protocols, and Services Management Registry,
which will impact connection authorizations. (T-2).
6.2.9. Boundary protection devices employ a “deny by default, permit by exception” policy
for both ingress and egress rules or policy objects. (T-0).
6.2.9.1. Changes to rules require supporting evidence of authorizing official approval for
the information system, connection authorization, and DoD ports, protocols, and services
registration. (T-0).
6.2.9.2. Changes to rules under the applicability of DoDI 8551.01 require the DoD Ports,
Protocols, and Services Registration Confirmation Details artifact as supporting evidence
for the change.
6.2.9.3. Changes to other network devices that enable Internet Protocol-based
communications follow the same requirements as for boundary protection devices. This
includes, but is not limited to, application whitelisting, Domain Name System records,
firewalls, next-generation firewalls, application-layer gateways, web application firewalls,
web content filtering, and web proxy services.
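As an added illustration of 6.2.9 through 6.2.9.2 (not text or code from AFMAN 17-1301 or any DoD tool), the following Python script audits a simplified firewall ruleset for the two properties a reviewer checks before approving a rule change: every chain in both directions falls back to deny when no rule matches, and every permit rule carries the supporting evidence for authorizing official approval and PPS registration. The Rule/Chain schema, the field names approval_ref and pps_ref, the finding messages and the sample rulesets are all assumptions constructed for this example; they do not correspond to a real vendor format or to real registry identifiers.

```python
# Added example, not from AFMAN 17-1301. Schema, field names and sample
# rulesets are constructed for illustration only.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    action: str                          # "permit" or "deny"
    proto: str                           # "tcp", "udp", or "any"
    port: Optional[int] = None           # None matches every port
    approval_ref: Optional[str] = None   # hypothetical AO approval ticket
    pps_ref: Optional[str] = None        # hypothetical PPS Registration Confirmation Details ID

    def matches(self, proto: str, port: int) -> bool:
        proto_ok = self.proto in ("any", proto)
        port_ok = self.port is None or self.port == port
        return proto_ok and port_ok


@dataclass
class Chain:
    name: str
    direction: str                       # "ingress" or "egress"
    policy: str                          # action taken when no rule matches
    rules: list = field(default_factory=list)


def decide(chain: Chain, proto: str, port: int) -> str:
    """First-match evaluation; the chain's default policy applies when nothing matches."""
    for rule in chain.rules:
        if rule.matches(proto, port):
            return rule.action
    return chain.policy


def audit(chains) -> list:
    """Return a list of findings; an empty list means the ruleset complies."""
    findings = []
    present = {c.direction for c in chains}
    for direction in ("ingress", "egress"):
        if direction not in present:
            findings.append(f"no {direction} chain: that direction is not governed")
    for chain in chains:
        if chain.policy != "deny":
            findings.append(f"{chain.name}: default policy is '{chain.policy}', not 'deny'")
        for i, rule in enumerate(chain.rules):
            if rule.action != "permit":
                continue
            if rule.proto == "any" and rule.port is None:
                findings.append(f"{chain.name} rule {i}: catch-all permit defeats deny-by-default")
            if not rule.approval_ref:
                findings.append(f"{chain.name} rule {i}: no authorizing official approval evidence")
            if not rule.pps_ref:
                findings.append(f"{chain.name} rule {i}: no PPS registration confirmation artifact")
    return findings


# Constructed samples: a weak ruleset (ingress permits by default and there is
# no egress chain at all) beside a compliant one whose permits carry evidence.
WEAK = [
    Chain("edge-in", "ingress", "permit", [Rule("deny", "tcp", 23)]),
]

COMPLIANT = [
    Chain("edge-in", "ingress", "deny", [
        Rule("permit", "tcp", 443, approval_ref="AO-2020-0117", pps_ref="PPS-U-0042"),
    ]),
    Chain("edge-out", "egress", "deny", [
        Rule("permit", "udp", 53, approval_ref="AO-2020-0117", pps_ref="PPS-U-0042"),
        Rule("permit", "tcp", 443, approval_ref="AO-2020-0117", pps_ref="PPS-U-0042"),
    ]),
]

if __name__ == "__main__":
    for label, ruleset in (("weak", WEAK), ("compliant", COMPLIANT)):
        print(label, audit(ruleset) or "OK")
        print("  unsolicited tcp/22 inbound ->", decide(ruleset[0], "tcp", 22))
```

The decide() function shows why the default policy matters: with the weak chain, an inbound connection to tcp/22 that matches no rule is permitted, while the compliant chain denies it. The audit flags the missing egress chain separately because 6.2.9 applies the policy to both directions, and an unreviewed egress path is the one most often left at permit-all.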
6.2.10. For cloud services ports, protocols, and services, follow the guidance in the Defense
Information Systems Agency Cloud Computing Security Requirements Guide and procedures
on the Air Force Information Assurance Collaborative Environment at
https://cs2.eis.af.mil/sites/10060/Wiki/AF%20PPS.aspx.
6.2.11. Information systems with a public component, a public-facing presence, or Internet-
facing applications require review and approval through the DoD demilitarized zone whitelist
process. Follow guidance on the AF Information Assurance Collaborative Environment at
https://cs2.eis.af.mil/sites/10060/Wiki/AF%20PPS.aspx.
6.3. Ports, Protocols, and Services Management Registry. The DoD Ports, Protocols, and
Services Management Registry consists of two databases, one for unclassified systems (Ports,
Protocols, and Services Management-U) and another for classified systems (Ports, Protocols, and
Services Management-C). Upon registration, each information system/enclave registered in the DoD
Ports, Protocols, and Services Management Registry receives a DoD Ports, Protocols, and Services
Management Tracking Identifier as proof of registration, retained throughout the lifecycle of the
system. Records in the DoD Ports, Protocols, and Services Management Registry remain valid
until the information system/enclave authorization termination date; system/enclave
registration records are removed from the DoD Ports, Protocols, and Services Management
Registry when the authorization termination date expires.