Department of Defense


NUMBER 5200.28

March 21, 1988


SUBJECT:  Security Requirements for Automated Information
Systems (AISs) 

References:  (a)  DoD Directive 5200.28, "Security Requirements
for Automatic Data Processing (ADP) Systems," December
18, 1972 (hereby canceled)

(b)  DoD 5200.1-R, "Information Security Program Regulation,"
June 1986, authorized by DoD Directive 5200.1, June
7, 1982

(c)  DoD Directive C-5200.5, "Communications Security
(COMSEC) (U)," October 6, 1981

(d)  DoD Directive S-5200.19, "Control of Compromising
Emanations (U)," February 10, 1968

(e)  through (v), see enclosure E1.


This Directive:

1.1.  Reissues and revises reference (a) to update uniform
policy in addition to the policy set forth in reference
(b) for the safeguarding of classified, sensitive unclassified,
and unclassified information processed in AISs.

1.2.  Updates the DoD-wide program for Automated Information
System (AIS) security.

1.3.  Provides mandatory, minimum AIS security requirements.
  More stringent requirements may be necessary for selected
systems based on an assessment of acceptable levels
of risk.

1.4.  Promotes the use of cost-effective, computer-based
(e.g., hardware, software, and firmware controls) security
features for AISs.   However, it is emphasized that
system users have a personal responsibility to protect
classified information under subparagraph 10-101.a.
of reference (b).

1.5.  Requires a more accurate specification of overall
DoD security requirements for AISs that process classified
or sensitive unclassified information.

1.6.  Stresses the importance of a life-cycle management
approach to implementing computer security requirements.


2.1.  This Directive applies to the Office of the Secretary
of Defense (OSD), the Military Departments and the Military
Services within those Departments, the Joint Chiefs
of Staff (JCS), the Joint Staff, the Unified and Specified
Commands, the Defense Agencies, the DoD Field Activities,
and such other offices, Agencies, activities, and commands
as may be established or designated by law, by the President,
or by the Secretary of Defense (hereafter referred to
collectively as "DoD Components").

2.2.  This Directive applies to the following classes
of information:

2.2.1.  Classified information.   Thereby, supplementing
DoD 5200.l-R (reference (b)) for such information when
contained in the AISs.

2.2.2.  Sensitive unclassified information.

2.2.3.  Unclassified information.

2.3.  This Directive applies to all AISs including stand-alone
systems, communications systems, and computer network
systems of all sizes, whether digital, analog, or hybrid;
associated peripheral devices and software; process
control computers; embedded computer systems; communications
switching computers; personal computers; intelligent
terminals; word processors; office automation systems;
application and operating system software; firmware;
and other AIS technologies, as may be developed.

2.4.  This Directive, reference (b), and DoD Directive
C-5200.5 (reference (c)) apply to transmission and communications
media connecting components of or to an AIS.

2.5.  This Directive, DoD Directive S-5200.19 (reference
(d)), NACSI 5004 (reference (e)), and NACSI 5005 (reference
(f)) apply to the emanations security requirements of

2.6.  This Directive and DCID No. 1/16 (reference (g))
apply to AISs processing foreign intelligence and/or
counterintelligence information.

2.7.  This Directive and SM-313-83 (reference (h)) apply
to AISs processing Single Integrated Operational Plan-Extremely
Sensitive Information (SIOP-ESI).

2.8.  This Directive and DoD Instruction 5215.2 (reference
(i)) apply to the reporting and dissemination of AIS
technical vulnerabilities and corrective measures.

2.9.  All AISs that handle classified, sensitive unclassified,
or unclassified information shall comply with the pertinent
requirements of this Directive.   Unless otherwise required
by the Designated Approving Authority (DAA), AISs that
meet any of the following conditions shall be excluded
from meeting policy subsections 4.5. through 4.7., below,
of this Directive:

2.9.1.  AISs that are operated only in the dedicated
security mode.

2.9.2.  Personal computers, word processors, and similar
stand-alone AISs in which it technically is not feasible
to configure the equipment to support internal security
controls.   Such AISs may be characterized as being
single-state machines without a privileged instruction
set or memory lock features, and shall be operated only
in the dedicated mode.

2.9.3.  An AIS that is embedded in a larger system and
is not removed easily, is without users, and normally
receives input from, or gives output only to, other
parts of the system.

2.10.  AIS networks must be examined on a case-by-case
basis for application of policy in this Directive. 
 The DAA for the network should obtain guidance through
established command channels, from the National Security
Agency.   (NSA), or where applicable, from the Defense
Intelligence Agency (DIA) on evaluation and accreditation
(see enclosure E5.).


Terms used in this Directive are defined in enclosure


It is DoD policy that:

4.1.  Classified information and sensitive unclassified
information shall be safeguarded at all times while
in AISs.   Safeguards shall be applied so that such
information is accessed only by authorized persons,
is used only for its intended purpose, retains its content
integrity, and is marked properly as required.   When
classified information is involved, the information
security requirements in DoD 5200.1-R (reference (b))
shall be met.

4.2.  Unclassified information while in AISs shall be
safeguarded against tampering, loss, and destruction
and shall be available when needed.   This is necessary
to protect the DoD investment in obtaining and using
information and to prevent fraud, waste, and abuse.
  Suggested safeguards for unclassified information
are in OMB Circular No. A-130 (reference (j)), and include
applicable personnel, physical, administrative, and
technical controls.

4.3.  The safeguarding of information and AIS resources
(against sabotage, tampering, denial of service, espionage,
fraud, misappropriation, misuse, or release to unauthorized
persons) shall be accomplished through the continuous
employment of safeguards consisting of administrative,
procedural, physical and/or environmental, personnel,
communications security, emanations security, and computer
security (i.e., hardware, firmware, and software), as
required.   The mix of safeguards selected shall achieve
the requisite level of security or protection.

4.4.  The mix of safeguards selected for an AIS that
processes classified or sensitive unclassified information
shall ensure the AIS meets the minimum requirements
as set forth in enclosure E3.   These minimum requirements
shall be met through automated and manual means in a
cost-effective and integrated manner.   An analysis
shall be performed using enclosure E4. to identify any
additional requirements over and above the set of minimum

4.5.  Computer security features of commercially produced
products and Government-developed or -derived products
shall be evaluated (as requested) for designation as
trusted computer products for inclusion on the Evaluated
Products List (EPL).   Evaluated products shall be designated
as meeting security criteria maintained by the National
Computer Security Center (NCSC) at NSA defined by the
security division, class, and feature (e.g., B, B1,
access control) described in DoD 5200.28-STD (reference

4.6.  The following timetable shall be adhered to:

4.6.1.  All AISs that process or handle classified and/or
sensitive unclassified information and that require
at least controlled access protection (i.e., class C2
security), based on the risk assessment procedure described
in enclosure E4., shall implement required security
features by 1992.

4.6.2.  If security features above class C2 are required
for an AIS, based on the risk assessment procedure described
in enclosure E4., a timetable for meeting these more
stringent requirements shall be determined on an individual
system basis and submitted to the DAA for approval.
  These requirements shall be met either by implementing
trusted computer products listed on the EPL or by using
a product not on the EPL that has security features
that meet the level of trust required for the AIS. 
 In either case, to assess whether adequate security
measures have been taken to permit the AIS to be used
operationally, an accreditation must be accomplished
and approved by the cognizant DAA.

4.7.  There are cases where introduction of additional
computer-based security features, according to the schedule
given in subsection 4.6., above, for an existing AIS
or an AIS already under development, may be prohibitively
expensive, time-consuming, unsound technically, or adversely
may impact operational effectiveness to an unacceptable
degree.   In such cases, the following shall apply:

4.7.1.  Other safeguards (e.g., physical controls, administrative
controls, etc.) may be substituted as long as the requisite
level of system security or protection, as determined
by the DAA, is attained.

4.7.2.  Exceptions to subsection 4.6., above, may be
authorized only by the DoD Component Head, or a senior
DAA appointed by the DoD Component Head.   Such authorization
shall be based on a written determination that one or
more of the conditions of subsection 4.7., above, exists.
  Exceptions shall be reviewed at each reaccreditation.

4.8.  When AISs managed by different DAAs are interfaced
or networked, a memorandum of agreement (MOA) is required
that addresses the accreditation requirements for each
AIS involved.   The MOA should include description and
classification of the data; clearance levels of the
users; designation of the DAA who shall resolve conflicts
among the DAAs; and safeguards to be implemented before
interfacing the AISs.   MOAs are required when one DoD
Component's AIS interfaces with another AIS within the
same DoD Component or in another DoD Component and when
a contractor's AIS interfaces with a DoD Component's
AIS or to another contractor's AIS.

4.8.1.  For a multi-user telecommunications network
(e.g., the Defense Data Network or the World Wide Military
Command and Control System Intercomputer Network), a
DAA shall be designated as responsible for the overall
security of the network and shall determine the security
and protection requirements for connection of AISs to
the network.

4.8.2.  Necessary safeguards shall be agreed to and
implemented and the AISs accredited for interconnection
before they are connected to the network.

4.8.3.  The security of each AIS connected to the network
remains the responsibility of its DAA.

4.8.4.  The DAA responsible for the overall security
of the network shall have the authority and responsibility
to remove from the network any AIS not adhering to the
security requirements of the network.

4.8.5.  It is permissible to define network interfaces
and boundaries into manageable subnetworks based upon
physical or logical boundaries, when there is a need
to do so.   Cryptographic separation and/or equivalent
computer security measures, as defined by the NSA or
the DIA where applicable, shall be a basis for defining
such network and/or subnetwork interfaces or boundaries.

4.8.6.  Networks, including all connected subnetworks,
shall be accredited for the highest division and class
of security required based on the concepts and procedures
in enclosures E4. and E5.

4.9.  Security policy shall be considered throughout
the life cycle of an AIS from the beginning of concept
development, through design, development, operation,
and maintenance until replacement or disposal.   A DAA
shall be designated as responsible for the overall security
of the AIS.   The following conditions shall be met:

4.9.1.  The AIS developer is responsible for ensuring
the early and continuous involvement of the users, information
system security officers, data owners, and DAA(s) in
defining and implementing security requirements of the
AIS.   There shall be an evaluation plan for the AIS
showing progress towards meeting full compliance with
stated security requirements through the use of necessary
computer security safeguards.

4.9.2.  Mandatory statements of safeguard requirements
shall be included, as applicable in the acquisition
and procurement specifications for AISs.   The statements
shall be the result of an initial risk assessment, and
shall specify the level of trust required under DoD
5200.28-STD (reference (k)).

4.9.3.  No classified or sensitive unclassified data
shall be introduced into an AIS without designation
of the classification and sensitivity of the data. 
 Approval to enter the data shall be obtained from the
data owner where applicable.

4.9.4.  The accreditation of an AIS shall be supported
by a certification plan, a risk analysis of the AIS
in its operational environment, an evaluation of the
security safeguards, and a certification report, all
approved by the DAA.   Accreditation of computers embedded
in a system may be at the system level.

4.9.5.  A program for conducting periodic reviews of
the adequacy of the safeguards for operational, accredited
AISs shall be established.   To the extent possible,
reviews are to be conducted by persons who are independent
of the user organization and of the AIS operation or

4.9.6.  Where required, as specified in OMB Circular
No. A-130 (reference (j)), a program for developing
and testing contingency plans shall be established.
  The objective of contingency planning is to provide
reasonable continuity of AIS support if events occur
that prevent normal operations.   The plans should be
tested periodically under realistic operational conditions.

4.9.7.  Changes affecting the security of an AIS must
be anticipated.   Any changes to the AIS or associated
environment that affect the accredited safeguards or
result in changes to the prescribed security requirements
shall require reaccreditation.   Reaccreditation shall
take place before the revised system is declared operational.
  Minimally, an AIS shall be reaccredited every 3 years,
regardless of changes.

4.10.  Access by foreign nationals to a U.S. Government-owned
or U.S. Government-managed AIS may be authorized only
by the DoD Component Head, and shall be consistent with
the Department of Defense, the Department of State (DoS),
and the Director of Central Intelligence (DCI) policies.

4.11.  An AIS accredited to process and/or store Sensitive
Compartmented Information (SCI) may use automated means
(software, firmware, or hardware) to permit classified
non-SCI data to be extracted from the SCI system for
use at the non-SCI classified level.   This capability
is permissible only if it was considered and approved
as part of the security accreditation and the AIS is
operating at a minimum security class of B1.


5.1.  The Assistant Secretary of Defense (Command, Control,
Communications, and Intelligence) (ASD(C3I)) shall:

5.1.1.  Oversee and review implementation of this Directive.

5.1.2.  Develop overall AIS security policies and procedures
in accordance with U.S. national policies and Directives
in coordination with the Under Secretary of Defense
(Policy) (USD(P)), and consistent with DoD policies
under DoD 5200.1-R (reference (b)), DoD Directive 7920.1
(reference (l)), DCID No. 1/16 (reference (g)), and
DoD Instruction 5210.74 (reference (m)).

5.1.3.  Promulgate Instructions, Standards, Manuals,
and other issuances, as required, in accordance with
this Directive.

5.1.4.  Represent the Department of Defense on interagency
committees engaged in development of security policy,
standards, and criteria for AISs.

5.2.  The Deputy Under Secretary of Defense (Policy)
(DUSD(P)) shall continue to review, oversee, and formulate
overall policies that govern DoD security practices
and programs, to include developing, coordinating, and
presenting DoD positions on the following:

5.2.1.  Information Security.

5.2.2.  Physical Security.

5.2.3.  Personnel Security.

5.2.4.  Industrial Security.

5.3.  The Director, Defense Investigative Service (DIS),
shall implement an AIS security program for DoD contractor
AISs in accordance with DoD Directive 5220.22 (reference
(n)) and DoD 5220.22-R (reference (o)).

5.4.  The Director, Defense Communications Agency (DCA),
shall implement an AIS security program for long-haul
communication systems that do not handle SCI and shall
certify devices that perform secured or protected telecommunications
switching functions.

5.5.  The Director, Defense Intelligence Agency (DIA),
shall implement a program for the security of DoD Component
and DoD contractor AISs and networks (e.g., the DoD
Intelligence Information System network) that handle
SCI.   The program shall not apply to AISs and networks
under the cognizance of the National Security Agency
and/or the Central Security Service (NSA/CSS).

5.6.  The National Security Agency and/or the Central
Security Service (NSA/CSS) shall:

5.6.1.  Implement an AIS security program for all AISs
under NSA/CSS jurisdiction, including those of NSA/CSS

5.6.2.  As requested, provide DoD Components with communications
and computer security assistance and advice in support
of effective AIS security measures.

5.6.3.  Establish and maintain technical standards and
criteria for evaluating and certifying trusted computer
products.   Review, at least yearly, DoD 5200.28-STD
(reference (k)) and provide recommendations for revision
to the ASD(C3I).

5.6.4.  Provide training for DoD Components in evaluation
techniques and procedures as applicable to reference
(k), and certify such DoD Components to conduct evaluations.

5.6.5.  Evaluate computer products intended for use
by DoD Components or contractors as trusted computer
products.   These evaluations may be conducted on computer
products developed or derived by either industry or
Government sources.   Also, perform quality assurance
and certify evaluations performed by DoD Components.

5.6.6.  Maintain and publish the EPL of evaluated industry
and Government-developed or -derived trusted computer

5.6.7.  Conduct, approve, and sponsor research and development
of techniques and equipment for trusted computer products
and for computer security evaluation and verification
methods and techniques.

5.6.8.  Serve as the focal point for technical matters
on using trusted computer products and systems and,
with DoD Component computer security testing and evaluation
activities, provide technical advice to the DoD Components
on using trusted products and systems.

5.6.9.  Ensure that AIS security posture assessments,
made in accordance with the DoD computer security program,
are incorporated into NCSC goals and objectives.

5.6.10.  Annually assess the overall AISs security posture
and disseminate information on hostile threats against

5.6.11.  Operate a central technical center to provide,
as requested, technical assistance to evaluate and certify
the computer-based security features of AISs used in
operational environments.

5.6.12.  Prescribe the minimum security standards, methods,
and procedures for safeguarding an AISs classified and
sensitive technical security material, techniques, and

5.6.13.  Review and approve standards, techniques, systems,
and equipment for telecommunications and automated information
systems security.

5.7.  The Joint Chiefs of Staff (JCS) shall:

5.7.1.  Implement an AIS security program under this
Directive and SM-313-83 (reference (h)) for AISs of
DoD Components and their contractors that handle SIOP-ESI.

5.7.2.  Provide a source of education and training for
managers in AIS security through the Department of Defense
Computer Institute (DoDCI) of the National Defense University
(NDU) (DoD Directive 5200.2 (reference (p))).

5.8.  The Heads of DoD Components shall:

5.8.1.  Implement and maintain an overall AIS security
program designed to ensure compliance with this Directive.

5.8.2.  Ensure that contractual requirements to protect
classified and sensitive unclassified information are
provided to their contractors.

5.8.3.  Ensure that funding and resources are programmed
for staffing, training, and supporting for this AIS
security program and for implementation of AISs safeguards,
as required, within the DoD Component.

5.8.4.  Assign official(s) as the DAA (e.g., senior
AIS policy official) responsible for accrediting each
AIS under his or her jurisdiction and for ensuring compliance
with AIS security requirements.

5.8.5.  Establish and maintain an AIS security training
and awareness program for all DoD military, civilian,
and contractor personnel requiring access to AISs.

5.8.6.  Ensure that periodic independent reviews of
the security and protection of their AISs are done to
ensure compliance with stated AIS security goals.  
Such reviews may be done using the procedures in DoD
Directive 5010.38 (reference (q)).

5.8.7.  Support the Computer Security Technical Vulnerability
Reporting Program in accordance with DoD Instruction
5215.2 (reference (i)).

5.9.  Each Designated Approving Authority (DAA) shall:

5.9.1.  Review and approve security safeguards of AISs
and issue accreditation statements for each AIS under
the DAA's jurisdiction based on the acceptability of
the security safeguards for the AIS.

5.9.2.  Ensure that all the safeguards required, as
stated in the accreditation documentation for each AIS,
are implemented and maintained.

5.9.3.  Identify security deficiencies and, where the
deficiencies are serious enough to preclude accreditation,
take action (e.g., allocate additional resources) to
achieve an acceptable security level.

5.9.4.  Ensure that an Information System Security Officer
(ISSO) is named for each AIS, and that he or she receives
applicable training to carry out the duties of this
function.   It is recommended that the ISSO not report
to operational elements of the AIS over which security
requirements of this Directive must be enforced.

5.9.5.  Require that an AIS security education and training
program be in place.

5.9.6.  Ensure that data ownership is established for
each AIS, to include accountability, access rights,
and special handling requirements.

5.10.  Each Information System Security Officer (ISSO)

5.10.1.  Ensure that the AIS is operated, used, maintained,
and disposed of in accordance with internal security
policies and practices.

5.10.2.  Have the authority to enforce security policies
and safeguards on all personnel having access to the
AIS for which the ISSO has cognizance.

5.10.3.  Ensure that users have the required personnel
security clearances, authorization and need-to-know,
have been indoctrinated, and are familiar with internal
security practices before access to the AIS.

5.10.4.  Ensure that audit trails are reviewed periodically.

5.10.5.  Begin protective or corrective measures if
a security problem exists.

5.10.6.  Report security incidents in accordance with
DoD 5200.1-R (reference (b)) and to the DAA when an
AIS is involved.

5.10.7.  Report the security status of the AIS, as required
by the DAA.

5.10.8.  Evaluate known vulnerabilities to ascertain
if additional safeguards are needed.

5.10.9.  Maintain a plan for system security improvements
and progress towards meeting the accreditation.


6.1.  This Directive is effective immediately.

6.2.  Accreditations made using the requirements of
the previous version of this Directive remain valid,
but shall be updated within 3 years from the date of
this Directive.

6.3.  AISs that have started the design phase of the
life-cycle process before the date of this Directive
shall be accredited within 3 years of that date or before
initial operational capability.

6.4.  Each DoD Component Head shall forward an implementation
plan for compliance with this Directive to the Assistant
Secretary of Defense for Command, Control, Communications
and Intelligence (ASD(C3I)) within 180 days of the date
of this Directive.   This Directive shall be implemented
without new DoD Component issuances.

Enclosures - 5 

1.  References, continued

2.  Definitions

3.  Minimum Security Requirements

4.  Procedure for Determining Minimum AIS Computer-Based
Security Requirements

5.  Network Considerations


REFERENCES, continued

(e)  National Communication Security Instruction 5004,
"TEMPEST Countermeasures for Facilities Within the United
States," January 1, 1984

(f)  National Communication Security Instruction 5005,
"TEMPEST Countermeasures for Facilities Outside the
United States," January 1, 1984

(g)  Director of Central Intelligence Directive Number
1/16, "Security Policy on Intelligence Information in
Automated Systems and Networks (U)," January 4, 1983

(h)  SM-313-83, "Safeguarding the Single Integrated
Operational Plan (U)," May 10, 1983

(i)  DoD Instruction 5215.2, "Computer Security Technical
Vulnerability Reporting Program," September 2, 1986

(j)  Office of Management and Budget Circular No. A-130,
"Management of Federal Information Resources," December
12, 1985

(k)  DoD 5200.28-STD, "Department of Defense Trusted
Computer System Evaluation Criteria," December 1985,
authorized by DoD Directive 5200.28, December 18, 1972

(l)  DoD Directive 7920.1, "Life-Cycle Management of
Automated Information Systems (AIS)," October 17, 1978

(m)  DoD Instruction 5210.74, "Security of DoD Contractor
Telecommunications," June 26, 1985

(n)  DoD Directive 5220.22, "Industrial Security Program,"
November 1, 1986

(o)  DoD Regulation 5220.22-R, "Industrial Security
Regulation," December 1985, authorized by DoD Directive
5220.22, December 8, 1980

(p)  DoD Directive 5200.2, "DoD Personnel Security Program,"
December 20, 1979

(q)  DoD Directive 5010.38, "Internal Management Control
Program," July 16, 1984 

(r)  Executive Order 12356, "National Security Information,"
April 6, 1982

(s)  DoD Directive 5230.24, "Distribution Statement
on Technical Documents," March 18, 1987

(t)  DoD 5200.28-M, "ADP Security Manual," January 1973,
authorized by DoD Directive 5200.28, December 18, 1972

(u)  CSC-STD-003-85, "Computer Security Requirements,"
June 25, 1985

(v)  NSC-TG-005, Version 1, "Trusted Network Interpretations,"
July 31, 1987



E2.1.1.  Access.   A specific type of interaction between
a subject (i.e., person, process, or input device) and
an object (i.e., an AIS resource such as a record, file,
program, output device) that results in the flow of
information from one to the other.   Also, the ability
and opportunity to obtain knowledge of classified, sensitive
unclassified, or unclassified information.

E2.1.2.  Accountability.    The property that enables
activities on an AIS to be traced to individuals who
may then be held responsible for their actions.

E2.1.3.  Accreditation.    A formal declaration by the
DAA that the AIS is approved to operate in a particular
security mode using a prescribed set of safeguards.
  Accreditation is the official management authorization
for operation of an AIS and is based on the certification
process as well as other management considerations.
  The accreditation statement affixes security responsibility
with the DAA and shows that due care has been taken
for security.

E2.1.4.  AIS Security.    Measures and controls that
safeguard or protect an AIS against unauthorized (accidental
or intentional) disclosure, modification, or destruction
of AISs and data, and denial of service.   AIS security
includes consideration of all hardware and/or software
functions, characteristics, and/or features; operational
procedures, accountability procedures, and access controls
at the central computer facility, remote computer, and
terminal facilities; management constraints; physical
structures and devices; and personnel and communication
controls needed to provide an acceptable level of risk
for the AIS and for the data and information contained
in the AIS.   It includes the totality of security safeguards
needed to provide an acceptable protection level for
an AIS and for data handled by an AIS.

E2.1.5.  Assurance.    A measure of confidence that
the security features and architecture of an AIS accurately
mediate and enforce the security policy.   If the security
features of an AIS are relied on to protect classified
or sensitive unclassified information and restrict user
access, the features must be tested to ensure that the
security policy is enforced and may not be circumvented
during AIS operation.

E2.1.6.  Audit.    An independent review and examination
of system records and activities to test for adequacy
of system controls, to ensure compliance with established
policy and operational procedures, and to recommend
any indicated changes in controls, policy, or procedures.

E2.1.7.  Audit Trail.    A chronological record of system
activities that is sufficient to enable the reconstruction,
reviewing, and examination of the sequence of environments
and activities surrounding or leading to an operation,
a procedure, or an event in a transaction from its inception
to final results.

E2.1.8.  Automated Information Systems (AISs).    An
assembly of computer hardware, software, and/or firmware
configured to collect, create, communicate, compute,
disseminate, process, store, and/or control data or

E2.1.9.  Category.    A grouping of classified or sensitive
unclassified information to which an additional restrictive
label is applied for signifying that personnel are granted
access to the information only if they have formal access
approval or other applicable authorization (e.g., proprietary
information, for official use only, compartmented information).

E2.1.10.  Certification.    The technical evaluation
of an AISs security features and other safeguards, made
in support of the accreditation process, which establishes
the extent that a particular AIS design and implementation
meet a set of specified security requirements.

E2.1.11.  Classified Information.    Information or
material that is (a) owned by, produced for or by, or
under the control of the U.S. Government; and (b) determined
under E.O. 12356 (reference (r)), or prior orders, DoD
5200.1-R (reference (b)), to require protection against
unauthorized disclosure; and so designated.

E2.1.12.  Computer.   A machine capable of accepting,
performing calculations on, or otherwise manipulating
or storing data.   It usually consists of arithmetic
and logical unit, and a control unit, and may have input
and output devices and storage devices.

E2.1.13.  Data.    A representation of facts, concepts,
information, or instructions suitable for communication,
interpretation, or processing by humans or by an AIS.

E2.1.14.  Data Integrity.    The state that exists when
data is unchanged from its source and accidentally or
maliciously has not been modified, altered, or destroyed.

E2.1.15.  Data Owner.    The authority, individual,
or organization who has original responsibility for
the data by statute, Executive order, or Directive.

E2.1.16.  Dedicated Security Mode.    A mode of operation
wherein all users have the clearance or authorization
and need-to-know for all data handled by the AIS.  
If the AIS processes special access information, all
users require formal access approval.   In the dedicated
mode, an AIS may handle a single classification level
and/or category of information or a range of classification
levels and/or categories.

E2.1.17.  Denial of Service.    Action or actions that
result in the inability of an AIS or any essential part
to perform its designated mission, either by loss or
degradation of operational capability.

E2.1.18.  Designated Approving Authority (DAA).    The
official who has the authority to decide on accepting
the security safeguards prescribed for an AIS or the
official who may be responsible for issuing an accreditation
statement that records the decision to accept those
safeguards.   The DAA must be at an organizational level,
have authority to evaluate the overall mission requirements
of the AIS, and to provide definitive directions to
AIS developers or owners relative to the risk in the
security posture of the AIS.

E2.1.19.  Embedded System.    An embedded system is
one that performs or controls a function, either in
whole or in part, as an integral element of a larger
system or subsystem (e.g., ground support equipment,
flight simulators, engine test stands, or fire control

E2.1.20.  Evaluated Products List (EPL).    A documented
inventory of equipments, hardware, software, and/or
firmware that have been evaluated against the evaluation
criteria found in DoD 5200.28-STD (reference (k)).

E2.1.21.  Features.    (See Security Features, definition
E2.1.40., below.)

E2.1.22.  Formal Access Approval.    Documented approval
by a data owner to allow access to a particular category
of information.

E2.1.23.  Handled By.    The term "handled by" denotes
the activities performed on data in an AIS, such as
collecting, processing, transferring, storing, retrieving,
sorting, transmitting, disseminating, and controlling.

E2.1.24.  Information.    Knowledge such as facts, data,
or opinions, including numerical, graphic, or narrative
forms, whether oral or maintained in any medium.

E2.1.25.  Information System.    The organized collection,
processing, transmission, and dissemination of information
in accordance with defined procedures, whether automated
or manual.

E2.1.26.  Information System Security Officer (ISSO).
   The person responsible to the DAA for ensuring that
security is provided for and implemented throughout
the life cycle of an AIS from the beginning of the concept
development phase through its design, development, operation,
maintenance, and secure disposal.

E2.1.27.  Intelligent Terminal.    A terminal that is
programmable, able to accept peripheral devices, able
to connect with other terminals or computers, able to
accept additional memory, or which may be modified to
have these characteristics.

E2.1.28.  Multilevel Security Mode.    A mode of operation
that allows two or more classification levels of information
to be processed simultaneously within the same system
when not all users have a clearance or formal access
approval for all data handled by the AIS.

E2.1.29.  Need-to-Know.    A determination made in the
interest of U.S. national security by the custodian
of classified or sensitive unclassified information,
which a prospective recipient has a requirement for
access to, knowledge of, or possession of the information
to perform official tasks or services.

E2.1.30.  Network.    A network is composed of a communications
medium and all components attached to that medium whose
responsibility is the transference of information. 
 Such components may include AISs, packet switches,
telecommunications controllers, key distribution centers,
and technical control devices.

E2.1.31.  Orange Book Terminology.    Reference (k),
also called the Orange Book, classifies AISs into four
broad hierarchical divisions of security protection.
  Within divisions C and B there are further subdivisions
called classes.   These classes also are ordered in
a hierarchical manner characterized by the set of computer
security features they possess (see Security Features,
definition E2.1.40., below).

E2.1.32.  Partitioned Security Mode.    A mode of operation
wherein all personnel have the clearance, but not necessarily
formal access approval and need-to-know, for all information
handled by the AIS.   This security mode encompasses
the compartmented mode defined in DCID No. 1/16, reference

E2.1.33.  Periods Processing.    A manner of operating
an AIS in which the security mode of operation and/or
maximum classification of data handled by the AIS is
established for an interval of time (or period) and
then changed for the following interval of time.   A
period extends from any secure initialization of the
AIS to the completion of any purging of sensitive data
handled by the AIS during the period.

E2.1.34.  Purge.    Removal of sensitive data from an
AIS at the end of a period of processing, including
from AIS storage devices and other peripheral devices
with storage capacity, in such a way that there is ensurance
proportional to the sensitivity of the data that the
data may not be reconstructed.   An AIS must be disconnected
from any external network before a purge.

E2.1.35.  Risk.    A combination of the likelihood that
a threat shall occur, the likelihood that a threat occurrence
shall result in an adverse impact, and the severity
of the resulting adverse impact.

E2.1.36.  Risk Analysis.    An analysis of system assets
and vulnerabilities to establish an expected loss from
certain events based on estimated probabilities of occurrence.

E2.1.37.  Risk Index.    The disparity between the minimum
clearance or authorization of AIS users and the maximum
sensitivity (e.g., classification and categories) of
data handled by the AIS.

E2.1.38.  Risk Management.    The total process of identifying,
measuring, and minimizing uncertain events affecting
AIS resources.   It includes risk analysis, cost benefit
analysis, safeguard selection, security test and evaluation,
safeguard implementation, and systems review.

E2.1.39.  Safeguards.    (See Security Safeguards, definition
E2.1.42., below.)

E2.1.40.  Security Features.    The security-relevant
functions, mechanisms, and characteristics of AIS hardware
and software (e.g., identification, authentication,
audit trail, access control).

E2.1.41.  Security Mode.    A mode of operation in which
the DAA accredits an AIS to operate.   Inherent with
each of the four security modes (dedicated, system high,
multilevel, and partitioned) are restrictions on the
user clearance levels, formal access requirements, need-to-know
requirements, and the range of sensitive information
permitted on the AIS.

E2.1.42.  Security Safeguards.    The protective measures
and controls that are prescribed to meet the security
requirements specified for an AIS.   These safeguards
may include, but are not necessarily limited to, hardware
and software security features; operation procedures;
accountability procedures; access and distribution controls;
management constraints; personnel security; and physical
structures, areas, and devices.

E2.1.43.  Sensitive Compartmented Information (SCI).
   Classified information about or derived from intelligence
sources, methods, or analytical processes that is required
to be handled exclusively within formal access control
systems established by the Director, Central Intelligence.

E2.1.44.  Sensitive Unclassified Information.    Any
information the loss, misuse, or unauthorized access
to, or modification of which, adversely might affect
U.S. national interest, the conduct of DoD programs,
or the privacy of DoD personnel (e.g., FOIA exempt information
and information whose distribution is limited by DoD
Directive 5230.24 (reference (s))).

E2.1.45.  SIOP-ESI.    An acronym for Single Integrated
Operational Plan-Extremely Sensitive Information, a
DoD Special Access Program.

E2.1.46.  Special Access Program.    Any program imposing
need-to-know or access controls beyond those normally
required for access to Confidential, Secret, or Top
Secret information.   Such a program includes, but is
not limited to, special clearance of investigative requirements,
special designation of officials authorized to determine
need-to-know, or special lists of persons determined
to have a need-to-know.

E2.1.47.  System High Security Mode.    A mode of operation
wherein all users having access to the AIS possess a
security clearance or authorization, but not necessarily
a need-to-know, for all data handled by the AIS.   If
the AIS processes special access information, all users
must have formal access approval.

E2.1.48.  Telecommunications.    Under this Directive,
a general term expressing data transmission between
computing systems and remotely located devices via a
unit that performs the necessary format conversion and
controls the rate of transmission.

E2.1.49.  Trusted Products.    Products evaluated and
approved for inclusion on the Evaluated Products List

E2.1.50.  Unclassified Information.   Any information
that need not be safeguarded against disclosure, but
must be safeguarded against tampering, destruction,
or loss due to record value, utility, replacement cost
or susceptibility to fraud, waste, or abuse.

E2.1.51.  Users.    People or processes accessing an
AIS either by direct connections (i.e., via terminals)
or indirect connections (i.e., prepare input data or
receive output that is not reviewed for content or classification
by a responsible individual).



minimum requirements shall be met through automated
or manual means in a cost-effective manner and integrated

E3.1.1 1.  Accountability.    There shall be in place
safeguards to ensure each person having access to an
AIS may be held accountable for his or her actions on
the AIS.   There shall be an audit trail providing a
documented history of DAIS use.   The audit trail shall
be of sufficient detail to reconstruct events in determining
the cause or magnitude of compromise should a security
violation or malfunction occur.   To fulfill this requirement,
the manual and/or automated audit trail shall document
the following:

E3.  The identity of each person and device
having access to the AIS.

E3.  The time of the access.

E3.  User activity sufficient to ensure user
actions are controlled and open to scrutiny.

E3.  Activities that might modify, bypass, or
negate safeguards controlled by the AIS.

E3.  Security-relevant actions associated with
periods processing or the changing of security levels
or categories of information.


DAAs shall cause a review to be made of audit trails
associated with the AIS(s) over which the DAAs have
cognizance to determine an adequate retention period
for the audit information.   The decision to require
an audit trail of user access to a stand-alone, single-user
AIS (e.g., personal computer (PC), memory typewriter,
drafting machine) should be left to the discretion of
the DAA.

E3.1.1.2.  Access.    There shall be in place an access
control policy for each AIS.   It shall include features
and/or procedures to enforce the access control policy
of the information within the AIS.   The identify of
each user authorized access to the AIS shall be established
positively before authorizing access.

E3.1.1.3.  Security Training and Awareness.    There
shall be in place a security training and awareness
program with training for the security needs of all
persons accessing the AIS.   The program shall ensure
that all persons responsible for the AIS and/or information,
therein, and all persons who access the AIS are aware
of proper operational and security-related procedures
and risks.

E3.1.1.4.  Physical Controls.    AIS hardware, software,
and documentation, and all classified and sensitive
unclassified data handled by the AIS shall be protected
to prevent unauthorized (intentional or unintentional)
disclosure, destruction, or modification (i.e., data
integrity shall be maintained).   The level of control
and protection shall be commensurate with the maximum
sensitivity of the information and shall provide the
most restrictive control measures required by the data
to be handled.   This includes having personnel, physical,
administrative, and configuration controls. Additionally,
protection against denial of service of AIS resources
(e.g., hardware, software, firmware, and information)
shall be consistent with the sensitivity of the information
handled by the AIS.   Unclassified hardware, software,
or documentation of an AIS shall be protected if access
to such hardware, software, or documentation reveals
classified information, or access provides information
that may be used to eliminate, circumvent, or otherwise
render ineffective the security safeguards for classified
information.   Software development and related activities
(e.g., systems analysis) shall be controlled by physical
controls (e.g., two-person control) and protected when
it is determined that the software shall be used for
handling classified or sensitive unclassified data.

E3.1.1.5.  Marking.    Classified and sensitive unclassified
output shall be marked to accurately reflect the sensitivity
of the information.   Requirements for security classification
and applicable markings for classified information are
set forth in DoD 5200.1-R (reference (b)).   The marking
may be automated (i.e., the AIS has a feature that produces
the markings) or may be done manually.   Automated markings
on output must not be relied on to be accurate, unless
the security features and assurances of the AIS meet
the requirements for a minimum security class B1 as
specified in DoD 5200.28-STD (reference (k)).   If B1
is not met, but automated controls are used, all output
shall be protected at the highest classification level
of the information handled by the AIS until manually
reviewed by an authorized person to ensure that the
output was marked accurately with the classification
and caveats.   All media (and containers) shall be marked
and protected commensurate with the requirements for
the highest security classification level and most restrictive
category of the information ever stored until the media
are declassified (e.g., degaussed or erased) using a
DoD-approved methodology set forth in the DoD AIS Security
Manual, DoD 5200.28-M (reference (t)), or unless the
information is declassified or downgraded in accordance
with reference (b).

E3.1.1.6.  Least Privilege.    The AIS shall function
so that each user has access to all of the information
to which the user is entitled (by virtue of clearance,
formal access approval), but to no more.   In the case
of "need-to-know" for classified information, access
must be essential for accomplishment of lawful and authorized
Government purposes.

E3.1.1.7.  Data Continuity.    Each file or data collection
in the AIS shall have an identifiable source throughout
its life cycle.   Its accessibility, maintenance, movement,
and disposition shall be governed by security clearance,
formal access approval, and need-to-know.

E3.1.1.8.  Data Integrity.    There shall be safeguards
in place to detect and minimize inadvertent modification
or destruction of data, and detect and prevent malicious
destruction or modification of data.

E3.1.1.9.  Contingency Planning.    Contingency plans
shall be developed and tested in accordance with OMB
Circular No. A-130 (reference (j)) to ensure that AIS
security controls function reliably and, if not, that
adequate backup functions are in place to ensure that
security functions are maintained continuously during
interrupted service.   If data is modified or destroyed,
procedures must be in place to recover.

E3.1.1.10.  Accreditation.    Each AIS shall be accredited
to operate in accordance with a DAA-approved set of
security safeguards.

E3.1.1.11.  Risk Management.    There should be in place
a risk management program to determine how much protection
is required, how much exists, and the most economical
way of providing the needed protection.



E4.1.1.  RISK ASSESSMENT PROCEDURE.    The following
risk assessment procedure is extracted from CSC-STD-003-85
(reference (u)).   The procedure is used to determine
the minimum evaluation class required for an AIS, based
on the sensitivity of the information present in the
AIS and on the clearances of its users.   Any DoD Component
desiring to use a different method to accomplish the
intent of this enclosure may do so, if prior approval
has been granted by the ASD(C3I).


 NOTE:   In the case of a network, the procedure is
applied individually to each of the AISs in the network.
  The resulting evaluation class should be taken as
a minimum partial requirement since connection of an
AIS to another AIS or to a network may result in additional
risks (see enclosure E5.).   The DAA for a network also
may decide to apply the procedure once for the network,
and determine the evaluation class by applying the requirements
in DoD 5200.28-STD (reference (k)) to the network as
a whole. 

E4.1.1.1.  Step 1.    Determine System Security Mode
of Operation.   The system security mode of operation
for an AIS is determined as follows:

E4.  An AIS is defined as operating in the dedicated
security mode if all users have the clearance or authorization,
documented formal access approval, if required, and
the need-to-know for all information handled by the
AIS.   The AIS may handle a single classification level
and/or category of information or a range of classification
levels and/or categories.   The AIS shall be isolated
electrically, logically, and physically from all personnel
and AISs not possessing the requisite clearance or authorization,
formal access approval, if required, and need-to-know
for all of the information handled by the AIS.

E4.  An AIS is defined as operating in the system
high security mode if all users have the clearance or
authorization and documented formal access approval,
if required, but not necessarily the need-to-know for
all information handled by the AIS.

E4.  An AIS is defined as operating in the multilevel
security mode if not all users have the clearance, authorization,
or formal access approval, if required, for all information
handled by the AIS.

E4.  An AIS is defined as operating in the partitioned
security mode if all users possess the clearance, but
not necessarily a formal access approval, for all information
handled by the AIS.

E4.1.1.2.  Step 2.    Determine Minimum User Clearance
or Authorization Rating.   The minimum user clearance
or authorization (Rmin) is defined as the maximum clearance
or authorization of the least cleared or authorized
user.   Rmin is determined from Table E4.T1.   The clearances
used in the following table are defined in DoD Directive
5200.2 (reference (p)).




Uncleared OR Not Authorized (U)


Not Cleared but Authorized Access to Sensitive Unclassified
Information (N)


Confidential (C) 


Secret (S)


Top Secret (TS) and/or Current Background Investigation


Top Secret (TS) and/or Current Special Background Investigation


One Category (1C)


Multiple Categories (MC)


E4.1.1.3.  Step 3.    Determine Maximum Data Sensitivity
Rating.   The maximum data sensitivity (Rmax) is determined
from the following table:





Sensitivity Ratings 2

Without Categories






Maximum Data Sensitivity With Categories 1







Unclassified (U)


Not Applicable 3

Not Classified but Sensitive 4


N   With One or More Categories


Confidential (C)


C   With One or More Categories


Secret (S)


S   With One or More Categories

      With No More Than One Category Containing

      Secret Data

S   With Two or More Categories Containing

      Secret Data





Top Secret (TS)

5 5

TS   With One or More Categories

        With No More Than One Category Containing

        Secret or Top Secret Data

TS   With Two or More Categories Containing

         Secret or Top Secret Data






1   The only categories of concern are those for which
some users are not authorized access.   When counting
the number of categories, count all categories regardless
of the sensitivity level associated with the data. 
 If a category is associated with more than one sensitivity
level, it is only counted at the highest level.   Systems
in which all data is in the same category are treated
as without categories.

2   Where the number of categories is large or where
a highly sensitive category is involved, a higher rating
might be warranted.

3   Unclassified data by definition may not contain

4   Examples of N data include financial, proprietary,
privacy, and mission-sensitive data.   In some situations
(e.g., those involving extremely large financial sums
or critical mission-sensitive data), a higher rating
may be warranted.   Table E4.T2. prescribes minimum

5   The rating increment between the Secret and Top
Secret data sensitivity levels is greater than the increment
between other adjacent levels.   This difference derives
from the fact that the loss of Top Secret data causes
EXCEPTIONALLY GRAVE damage to U.S. national security,
whereas the loss of Secret data causes SERIOUS damage.

E4.1.1.4.  Step 4.    Determine Risk Index.   The risk
index depends on the rating associated with the AIS
minimum user clearance (Rmin) and the rating associated
with the maximum classification of the information handled
by the AIS (Rmax).


The risk index is computed as follows:

E4.  Case a.    If Rmin is less than Rmax, then
the risk index is determined by subtracting Rmin from


Risk Index = Rmax - Rmin


NOTE:  There is one anomalous value that results because
there are two "types" of Top Secret clearance and only
one "type" of Top Secret data.   When the minimum user
clearance is TS/BI and the maximum data sensitivity
is Top Secret without categories, then the risk index
is 0 (rather than the value 1, which should result from
a straight application of the formula).

E4.  Case b.   If Rmin is greater than or equal
to Rmax, then:


Risk Index = 1, if there are categories to which some
users are not authorized access, or:


Risk Index = 0, in all other cases.

E4.1.1.5.  Step 5.    Determine Minimum Security Evaluation
Class For Computer-Based Controls.

E4.  The following table shall be used to determine
the minimum security class required for an AIS based
on the computed risk index in Step 4, above.   The levels
in the table are those described in DoD 5200.28-STD
(reference (k)).



Risk Index

Security Mode

Minimum Security Class 4


Dedicated 5

No minimum class 1,2


System High

C2  2



B1  3






















1   Although there is no prescribed minimum class, the
integrity and denial of service requirements of many
systems warrant at least class C1 protection.

2   Automated markings on output must not be relied
on to be accurate unless at least class B1 is used.
  (See requirements for marking in enclosure E3.)

3   Where an AIS handles classified or compartmented
data and some users do not have at least a Confidential
clearance, or when there are more than two types of
compartmented information being handled, at least a
class B2 is required.

4   The asterisk (*) indicates that computer protection
for environments with that risk index is considered
to be beyond the state of current computer security

5   Most embedded systems and desk top computers operate
in the dedicated mode.

E4.1.1.6.  Step 6.    Adjustments to Computed Security
Evaluation Class Required.   Additional requirements
or recommendations relevant to determining the minimum
evaluation class include the following:

E4.  Where an AIS is connected to a network
or to another AIS, care should be taken to ensure that
the requirements for accreditation of the AIS are not
violated due to the presence of the network technology.

E4.  In the dedicated mode where the AIS is
connected to a network or to another AIS, it is recommended
(although not required) that at least level CI be used.
  This recommendation is made because level C1 might
provide a measure of security sufficient to prevent
users from accidentally altering or deleting each other's

E4.  An AIS using periods processing (i.e.,
operating in one or more security modes and/or at one
or more security levels for certain periods of time
where acceptable sanitization procedures are implemented
between processing periods) may have more than one risk
index.   In such cases, the highest value of risk index
shall be used in determining the minimum security feature



E5.1.1.  For purposes of accreditation, a network shall
be treated as either an interconnection of accredited
AISs (which may be networks) or as a unified network.
  These two cases are discussed below:

E5.1.1.1.  Case I.    Interconnections of Accredited

E5.  If a network consists of previously accredited
AISs, an MOA is required between the DAA of each DoD
Component AIS and the DAA responsible for the network
(as provided in section 4. of this Directive).   The
network DAA must ensure that interface restrictions
and limitations are observed for connections between
DoD Component AISs.   The NCSC-TG-005 (reference (v))
provides interface restriction and limitation that may
be applicable.   In particular, connections between
accredited AISs must be consistent with the mode of
operation of each AIS, the specific sensitivity level
or range of sensitivity levels for which each AIS is
accredited, any additional interface constraints associated
with the particular interface device used for the connection,
and any other restrictions required by the MOA.

E5.  Each AIS shall be assigned an accreditation
range, consisting of the set of security levels that
may be associated with data it sends over the network
connection.   If the accreditation range is more than
a single level, the AIS reliably must segregate data
by level within its accreditation range, and label it
accurately for transmission over multilevel interfaces.

E5.  DAAs of DoD Component AISs should be aware
that connection to a network may involve additional
risks because of the potential exposure of data in their
own AIS to the larger community of all users of AISs
in the network.   In connections to adjacent AISs, the
operational modes and security mechanisms of those AISs
should be taken into consideration, beyond the simple
fact of their accreditation.

E5.  Untrusted, unaccredited AISs, either individual
computer systems or subnetworks, also may be components
of a network.   Connections between them and other component
AISs are permissible under the same conditions in paragraph
E5., above.   Only unclassified information,
which does not include sensitive unclassified information,
may be sent to and from the untrusted, unaccredited

E5.  Special AISs or support, such as packet
switching nodes and terminal access interfaces, also
must have received individual accreditation if they
carry classified or sensitive unclassified information.
  The network DAA serves as the DAA for all such AISs.

E5.1.1.2.  Case II.    Unified Networks

E5.  Some networks may be accredited as a whole
without prior accreditation of each of their component
AISs.   It is necessary to treat a network as unified
when some of its component AISs are so specialized or
dependent on other components of the network for security
support that individual accreditation of such components
is not possible or meaningful with respect to secure
network operation.   In order to be accredited, a unified
network shall possess a coherent network security architecture
and design, and it should be developed with an attention
to security requirements, mechanisms, and assurances
commensurate with the range of sensitivity of information
for which it is to be accredited.

E5.  The recommended approach for accrediting
a unified network is to apply enclosure E4. to the entire
network to derive an evaluation class.   Requirements
to meet that evaluation class then are obtained from
an applicable interpretation of DoD 5200.28-STD (reference
(k)), such as NCSC-TG-005 (reference (v)).