SIPR vs NIPR: Understanding DoD Network Access with CAC
SIPR and NIPR are the two primary networks DoD personnel use daily, but understanding the differences – what each network is for, who can access them, how CAC authentication works on each, and what you can and cannot do on each network – is essential for operational security and productivity. Misunderstanding these networks can lead to security violations, classification spillage, or inability to access critical systems when needed.
This comprehensive guide explains what SIPR and NIPR are, key differences between them, how your CAC enables access to each, security requirements, common misconceptions, and best practices for working across both networks.
Understanding DoD Network Classifications
NIPR: Non-Classified Internet Protocol Router Network
Official name: Non-Classified Internet Protocol Router Network (NIPRNet)
Classification level: Unclassified (may include CUI – Controlled Unclassified Information)
Purpose: DoD’s primary unclassified network for day-to-day operations, email, administration, and internet access.
What you do on NIPR:
- Send/receive unclassified email (.mil addresses)
- Access unclassified websites and portals (MyPay, DTS, milConnect, etc.)
- Process unclassified administrative documents
- Conduct unclassified training
- Access limited controlled internet (filtered)
- Use office productivity software (Word, Excel, PowerPoint)
- Unclassified collaboration and file sharing
SIPR: Secret Internet Protocol Router Network
Official name: Secret Internet Protocol Router Network (SIPRNet)
Classification level: Secret (handles Secret and below)
Purpose: DoD’s classified network for sensitive operations, intelligence, mission planning, and classified communications.
What you do on SIPR:
- Send/receive classified email (up to Secret level)
- Access classified intelligence systems
- View classified operational plans and orders
- Conduct classified mission planning
- Access classified databases and reports
- Classified video conferences (VTC)
- Classified collaboration with other DoD organizations
Key Differences at a Glance
| Aspect | NIPR (Unclassified) | SIPR (Secret) |
|---|---|---|
| Classification | Unclassified, CUI | Secret and below |
| Access Requirement | CAC card only | CAC + Secret clearance |
| Internet Access | Filtered public internet | No internet (closed network) |
| Email Domain | @mail.mil, @us.af.mil, etc. | @mail.smil.mil |
| Physical Security | Standard office environment | Secured spaces, locked when unattended |
| Remote Access | VPN available for telework | No remote access (facility access only) |
| Removable Media | Restricted but sometimes allowed | Strictly prohibited (except approved devices) |
| Mobile Devices | Approved devices (CAC-me, Purebred) | No mobile device access |
How CAC Enables Network Access
CAC Authentication on NIPR
Your CAC provides two-factor authentication for NIPR systems:
- Something you have: Physical CAC card
- Something you know: CAC PIN
NIPR login process:
- Insert CAC into reader at NIPR workstation
- Windows prompts for credential selection
- Select your CAC certificate
- Enter CAC PIN (typically 6-8 digits)
- Windows validates certificate and PIN
- User profile loads, NIPR access granted
NIPR access requirements:
- Valid CAC card (not expired)
- CAC PIN (set during RAPIDS issuance)
- No security clearance required (CAC investigation sufficient)
- Active duty, DoD civilian, or contractor with CAC eligibility
CAC Authentication on SIPR
SIPR uses same CAC authentication method but with additional security:
- Insert CAC into reader at SIPR workstation
- Windows prompts for credential selection
- Select your CAC certificate
- Enter CAC PIN
- Additional check: SIPR validates your security clearance status
- If clearance active and favorable, access granted
SIPR access requirements:
- Valid CAC card
- Active Secret (or higher) security clearance
- Clearance adjudicated favorably
- Need-to-know for specific SIPR information
- Proper SIPR training completed
- Physical access to SIPR-capable facility
Same CAC, Different Networks
Important: Your single CAC card works on both NIPR and SIPR. The difference isn’t the card – it’s the clearance associated with your profile in DEERS (Defense Enrollment Eligibility Reporting System).
- CAC without clearance: NIPR access only
- CAC with Secret clearance: NIPR and SIPR access
- CAC with TS clearance: NIPR, SIPR, and higher networks (JWICS)
Physical Network Separation
Air-Gapped Networks
NIPR and SIPR are physically separate networks – no connection between them.
What “air-gapped” means:
- Separate physical network cables
- Separate servers and routers
- Separate workstations (or dual-boot/dual-monitor setups)
- No data transfer capability between networks
- Physically impossible for NIPR data to reach SIPR (or vice versa) electronically
Workstation Configurations
Separate workstations:
- One computer for NIPR, separate computer for SIPR
- Common in offices with frequent SIPR use
- Clearest separation, easiest security compliance
Dual-boot systems:
- Single computer with two operating systems
- Boot into NIPR OS or SIPR OS (not both simultaneously)
- Requires shutdown and reboot to switch networks
KVM switches (dual-monitor setups):
- Two computers (one NIPR, one SIPR)
- Single keyboard, mouse, monitor shared via KVM switch
- Toggle between networks with button press
- Common in space-constrained environments
Visual Security Markers
SIPR systems have clear visual indicators:
- Monitor banners: Red “SECRET” banner at top and bottom of screen
- Desktop wallpaper: Often red or with classification markings
- Physical labels: “SECRET” stickers on computer, keyboard, mouse
- Network cable colors: Sometimes color-coded (red = SIPR, blue/green = NIPR)
Purpose: Prevent accidental spillage by making it visually obvious which network you’re using.
Security Requirements and Restrictions
NIPR Security Requirements
- Physical security: Standard office environment, lock computer when away (Ctrl+Alt+Delete → Lock)
- Screen privacy: Position monitor away from public view
- Visitor awareness: Don’t display CUI when visitors present without need-to-know
- Removable media: Use only approved government-provided USB drives
- Printing: Properly mark and control CUI printouts
- Email: Don’t email classified information (even if you think it’s “just a little bit classified”)
SIPR Security Requirements
- Physical security: Access only in secured spaces (SCIF, vault, secure office)
- Lock when unattended: Immediately lock screen when leaving desk (no exceptions)
- End of day: Log out completely, ensure SIPR systems locked in secure container if required
- No removable media: USB drives, CDs, external drives strictly prohibited (exceptions require security approval)
- No personal devices: No phones, smartwatches, fitness trackers in SIPR spaces
- No photography: No cameras, no taking pictures of screens
- Visitor control: Visitors must have clearance and need-to-know, must be escorted
- Printing: All printouts marked SECRET, controlled destruction required
Data Transfer Between Networks
NIPR to SIPR: Allowed via approved methods
- Guard systems: Automated systems that scan and transfer unclassified files to SIPR
- Removable media: Approved cross-domain USB drives (require security office authorization)
- Manual retyping: View unclassified info on NIPR, manually type into SIPR (inefficient but always allowed)
SIPR to NIPR: Prohibited without formal declassification
- Cannot move classified data to unclassified network
- Doing so is “spillage” – serious security incident
- Exceptions require formal declassification by Original Classification Authority
- Penalty: Loss of clearance, administrative action, potential criminal charges
Network Capabilities and Limitations
What You Can Do on NIPR
Internet access (filtered):
- Access .mil, .gov websites freely
- Access commercial websites (most, but filtered for security)
- Social media blocked on most DoD NIPR networks
- Streaming video often blocked (YouTube, Netflix, etc.)
- File sharing sites blocked (Dropbox, Google Drive personal accounts)
Email capabilities:
- Send/receive unclassified email to military and civilians
- Email external addresses (.com, .net, etc.) – usually allowed with restrictions
- Attachment size limits (typically 10-25MB)
- Automatic scanning for malware and sensitive content
Collaboration tools:
- Microsoft Teams (unclassified)
- SharePoint (unclassified)
- Video conferencing (unclassified)
- Shared network drives
What You Can Do on SIPR
No internet access:
- SIPR is completely isolated – no public internet
- Can only access .smil.mil domain sites
- Cannot access .com, .net, .org, etc.
- Cannot Google search or access Wikipedia
Email capabilities:
- Send/receive classified email (up to Secret) to .smil.mil addresses only
- Cannot email external/unclassified addresses
- Must properly mark subject lines and content with classification
- Automatic security scanning for spillage indicators
Specialized systems:
- Intelligence databases (JWICS cross-links for some users)
- Classified operational planning tools
- Classified collaboration platforms
- Classified video conferencing
- Mission-specific classified applications
Remote Access
NIPR Remote Access (Telework)
VPN access available:
- DoD organizations provide VPN clients for remote NIPR access
- Requires CAC reader on home computer
- Must use approved government laptop or personally owned device with security software
- Connect to VPN, authenticate with CAC, access NIPR resources
Typical remote NIPR capabilities:
- Access NIPR email (Outlook Web Access)
- Access SharePoint and collaboration tools
- Use office applications
- Some administrative systems (DTS, MyPay, etc.)
SIPR Remote Access (Not Allowed)
SIPR requires physical presence at approved facility.
- No SIPR VPN exists (by design – too high risk)
- Cannot access SIPR from home, hotel, or remote location
- Must physically go to SCIF, secure facility, or on-site SIPR terminal
- Exceptions: Deployed environments with mobile SIPR capability (controlled by unit)
Common Misconceptions
Myth: “SIPR is just classified NIPR”
Reality: SIPR is a completely separate network with different infrastructure, servers, email system, and websites. They share no components.
Myth: “I need a special CAC for SIPR”
Reality: Same CAC works on both networks. SIPR access is controlled by clearance in DEERS, not different CAC.
Myth: “Everything on SIPR is Top Secret”
Reality: SIPR handles information up to Secret level. Unclassified information can exist on SIPR (often does). Top Secret requires JWICS (Joint Worldwide Intelligence Communications System).
Myth: “I can just email myself info from SIPR to NIPR”
Reality: Impossible – SIPR and NIPR email systems don’t interconnect. Attempting this is a spillage violation.
Myth: “If I have a CAC, I can access SIPR”
Reality: CAC alone isn’t enough. Must also have active Secret clearance adjudicated favorably in DEERS.
Myth: “I can use my phone in SIPR spaces if I don’t turn it on”
Reality: No personal electronic devices allowed in SIPR spaces, even powered off. Facility security policies prohibit this.
Best Practices for Working Across Networks
Avoid Spillage
- When in doubt, keep it on SIPR: If you’re unsure if information is classified, don’t move it to NIPR
- Never summarize classified info in unclassified email: Even paraphrasing can be spillage
- Check screen before speaking: Make sure you’re looking at correct network before discussing information
- Use guards properly: Follow procedures for cross-domain transfer devices
- Report spillage immediately: If you accidentally receive classified on NIPR, report to security immediately
Maintain Operational Security
- Don’t discuss work specifics on NIPR: Use SIPR for operational discussions
- Be aware of aggregation: Multiple unclassified facts together can be classified
- Follow classification guides: Your organization’s guide specifies what’s classified
- Attend annual training: Security refreshers update policies
Workflow Efficiency
- Know which network you need: Plan work to minimize network switching
- Use NIPR for admin: Timecards, leave requests, training – all unclassified
- Use SIPR for operations: Mission planning, intel review, classified coordination
- Don’t recreate work: If info exists on both networks legitimately, use appropriate version
Troubleshooting Network Access Issues
Problem: CAC Works on NIPR But Not SIPR
Likely causes:
- Clearance not in DEERS or not current
- Clearance suspended or under investigation
- Never granted SIPR access (need request submitted)
- Clearance expired or reinvestigation overdue
Solution: Contact security office to verify clearance status in JPAS/DISS.
Problem: “Access Denied” on SIPR Despite Having Clearance
Likely causes:
- SIPR account not created (IT must provision)
- Account disabled due to inactivity
- Group policy restrictions for your role
- Need-to-know not established for this system
Solution: Contact SIPR help desk and supervisor to establish access.
Problem: Can’t Transfer File from NIPR to SIPR
Solution:
- Locate approved guard system in your facility
- Submit file through guard (scans for malware, inappropriate content)
- Retrieve on SIPR side after scan completes (10 min – 2 hours)
- If no guard available, manually retype (inefficient but always allowed)
Higher Classification Networks
Beyond NIPR and SIPR:
JWICS (Joint Worldwide Intelligence Communications System)
- Classification: Top Secret and TS/SCI
- Access requirement: TS/SCI clearance
- Purpose: Intelligence operations, most sensitive information
- Availability: Limited locations, primarily intelligence organizations
NSANet
- Classification: TS/SCI with special access
- Access requirement: NSA clearance and authorization
- Purpose: NSA-specific operations
- Availability: NSA facilities only
Conclusion
NIPR and SIPR serve fundamentally different purposes in DoD operations. NIPR handles unclassified day-to-day work, email, administration, and filtered internet access. SIPR handles classified operations, intelligence, and mission planning up to Secret level. Both networks use your CAC for authentication, but SIPR additionally requires active Secret clearance.
The networks are physically separated (air-gapped) with strict controls on data transfer between them. NIPR-to-SIPR transfer is allowed via approved methods; SIPR-to-NIPR requires formal declassification. Understanding these boundaries and following security protocols prevents spillage incidents that can result in clearance loss and criminal charges.
Your single CAC provides access to both networks based on your clearance level. The key is knowing which network to use for which purpose, following security requirements for each, and never mixing classified and unclassified data inappropriately.
Related Guides:
