
Joint DoDIIS/Cryptologic SCI Information Systems Security Standards
31 March 2001
Revision 2
EXECUTIVE SUMMARY
(U) The policy of the U.S. Government is that all classified information must be appropriately safeguarded to assure the confidentiality, integrity, and availability of that information. This document provides procedural guidance for the protection, use, management, and dissemination of Sensitive Compartmented Information (SCI), and applies to the Department of Defense (DoD), including DoD components and Government contractors who process SCI. The combination of security safeguards and procedures used for Information Systems (IS) shall assure compliance with DCID 6/3, NSA/CSS Manual 130-1, and DIAM 50-4. This document, the Joint DoDIIS/Cryptologic SCI Information Systems Security Standards (JDCSISSS), is a technical supplement to both NSA/CSS Manual 130-1 and DIAM 50-4.
(U) The prime purpose of this document is to provide IS security implementation guidance relative to the management of SCI and the automated infrastructure used to process this information at the organizational level.
(U) Nothing in this document shall be construed to countermand or waive provisions of any Executive Order, National Policy, Department of Defense (DoD) Directive, or other provisions of regulatory policies or laws which are beyond the scope of authority of the Directors of the Defense Intelligence Agency (DIA) and the National Security Agency/Central Security Service (NSA/CSS).
TABLE OF CONTENTS
Paragraph
Executive Summary
Chapter 1--General Information
1.1 BACKGROUND
1.2 POLICY
1.3 SCOPE AND APPLICABILITY
1.4 REFERENCES, ACRONYMS, AND DEFINITIONS
1.5 ROLES AND RESPONSIBILITIES
  1.5.1 Principal Accrediting Authority (PAA)
  1.5.2 Data Owner
  1.5.3 Designated Approving Authority (DAA)
  1.5.4 DAA Representative (Rep)/Service Certifying Organization (SCO)
  1.5.5 NSA/CSS Senior Information Systems Security Program Manager (SISSPM)
  1.5.6 Service Cryptologic Element (SCE) Information Systems Security Program Manager (ISSPM)
  1.5.7 Commander/Commanding Officer Responsibility
  1.5.8 Information Systems Security Manager (ISSM)
  1.5.9 Information Systems Security Officer (ISSO)
  1.5.10 Program Management Office (PMO)/Program Manager (PM)
  1.5.11 Privileged Users (e.g., System Administrator (SA))
  1.5.12 General Users
  1.5.13 Prohibited Activities
1.6 CONFIGURATION CONTROL BOARD (CCB) OVERSIGHT
1.7 OTHER DOCUMENTATION SUPERSESSION

Chapter 2--Life Cycle Security
2.1 PURPOSE
2.2 SCOPE
2.3 PROCEDURES
  2.3.1 Concepts Development Phase
    2.3.1.1 IS Security Design
    2.3.1.2 Statement of Work (SOW) Requirements
    2.3.1.3 Additional Documentation
  2.3.2 Design Phase
    2.3.2.1 Levels-of-Concern
    2.3.2.2 Protection Levels
  2.3.3 Development Phase
  2.3.4 Test, Certification and Accreditation Phase
    2.3.4.1 Time Line for Certification Activities
  2.3.5 Deployment and Operations Phase
  2.3.6 Recertification Phase
  2.3.7 Disposal Phase

Chapter 3--Signals Intelligence (SIGINT) Systems Accreditation Process and Procedures
3.1 PURPOSE
3.2 SCOPE
3.3 DISCUSSION
  3.3.1 Accreditation
  3.3.2 Configuration Management
3.4 ACCREDITATION IN GENERAL
  3.4.1 Formal Accreditation
  3.4.2 Issuing Accreditation
  3.4.3 Reaccreditation
  3.4.4 Rescinding Accreditation
  3.4.5 Accreditation 3-Year Anniversary Review
  3.4.6 Authorized Exemptions From Accreditation
  3.4.7 IS Approval-To-Operate
  3.4.8 TEMPEST
3.5 ACCREDITATION PROCEDURES
  3.5.1 Accreditation Requests
    3.5.1.1 Accreditation Requests Initiated at the Unit Level
    3.5.1.2 Accreditation Initiated Through Downward-Directed Programs
    3.5.1.3 Accreditation at a Single-Service Site Including the Regional SIGINT Operation Centers
    3.5.1.4 Accreditation at a Multi-Service Site
      3.5.1.4.1 Operational Systems Under Control of the Commander/Commanding Officer
      3.5.1.4.2 SCE Unique Systems Not Directly Supporting The Primary Mission
      3.5.1.4.3 Assignment of a HSO at a Multi-Service Site
    3.5.1.5 Accreditation by SCE Tenants Located at Non-SCE Interservice or Intercommand Sites
  3.5.2 Submitting The System Security Plan (SSP)
    3.5.2.1 Single Accreditation
    3.5.2.2 Type Accreditation
    3.5.2.3 Format and Content
  3.5.3 SSP and Database Classification
    3.5.3.1 Database Classification
    3.5.3.2 SSP Classification

Chapter 4--Department of Defense Intelligence Information Systems (DoDIIS) Site-Based Accreditation
4.1 PURPOSE
4.2 SCOPE
4.3 SYSTEM CERTIFICATION AND ACCREDITATION PROCEDURES
  4.3.1 System Certification and Accreditation Compliance
  4.3.2 The System Certification and Accreditation Process
    4.3.2.1 Phase 1
    4.3.2.2 Phase 2
    4.3.2.3 Phase 3
    4.3.2.4 Phase 4
4.4 SITE-BASED ACCREDITATION METHODOLOGY
  4.4.1 Site-Based Accreditation Methodology Compliance
  4.4.2 The Site-Based Accreditation Process
    4.4.2.1 (Site Initial Visit) Initial Site Certification Visit
    4.4.2.2 (Site Evaluation Visit) Site Security and Engineering Certification Testing and Evaluation and Site Accreditation
    4.4.2.3 (Site Compliance Visit) Vulnerability Assessment and Compliance Verification
4.5 CONTRACTOR ACCREDITATION
4.6 ACCREDITATION REVIEW
4.7 MINIMUM SECURITY REQUIREMENTS

Chapter 5--TEMPEST
5.1 PURPOSE
5.2 SCOPE
5.3 DEFINITIONS
5.4 TEMPEST COMPLIANCE
5.5 ACCREDITATION
  5.5.1 TEMPEST Countermeasures Review
  5.5.2 General Documentation
  5.5.3 TEMPEST/ISD Accreditation
5.6 INSTALLATION REQUIREMENTS

Chapter 6--Security Requirements for Users
6.1 PURPOSE
6.2 SCOPE
6.3 MINIMUM SECURITY REQUIREMENTS
  6.3.1 Identification and Authentication Requirements
  6.3.2 Password Requirements
  6.3.3 IS Warning Banner
  6.3.4 Configuration Requirements
  6.3.5 Malicious Code Detection
  6.3.6 Virus Scanning Requirements
  6.3.7 Information Storage Media
    6.3.7.1 Label Placement
    6.3.7.2 Data Descriptor Label
    6.3.7.3 Classification Markings
    6.3.7.4 Control and Accounting of Media
      6.3.7.4.1 Information Storage Media Control
      6.3.7.4.2 Inspections
      6.3.7.4.3 Control Procedures
      6.3.7.4.4 Other Categories of Storage Media
  6.3.8 Hardware Labeling Requirements
  6.3.9 Security Training Requirements
    6.3.9.1 Security Awareness and Training Program
      6.3.9.1.1 Awareness Level
      6.3.9.1.2 Performance Level
  6.3.10 Destruction of Media
  6.3.11 Information Transfer and Accounting Procedures

Chapter 7--Security Guidelines for the Privileged User and General User (GU)
7.1 PURPOSE
7.2 SCOPE
7.3 SECURITY TRAINING
  7.3.1 General Users Training
  7.3.2 Privileged Users Training
  7.3.3 Security Awareness Training Program
    7.3.3.1 Awareness Level
    7.3.3.2 Performance Level
7.4 PROCEDURES
  7.4.1 Identification and Authentication Requirements
    7.4.1.1 Documenting USERIDs and Passwords
    7.4.1.2 USERID and Password Issuing Authority and Accountability
    7.4.1.3 Supervisor Authorization
    7.4.1.4 Access Requirements Validation
  7.4.2 Control Guidelines
  7.4.3 System Access Removal Procedures
  7.4.4 Audit Trail Requirements
    7.4.4.1 Automated Audit Trail Information Requirements
    7.4.4.2 Manual Audit Trail Implementation
    7.4.4.3 Products of Audit Trail Information
    7.4.4.4 Audit Trail Checks and Reviews
    7.4.4.5 Audit Trail Records Retention
  7.4.5 Automatic Logout Requirements
  7.4.6 Limited Access Attempts
  7.4.7 Use of Windows Screen Locks
  7.4.8 Testing, Straining, and Hacking
  7.4.9 Warning Banners
  7.4.10 Network Monitoring
    7.4.10.1 Maintenance Monitoring
    7.4.10.2 Targeted Monitoring

Chapter 8--Information Systems (IS) Incident Reporting
8.1 PURPOSE
8.2 SCOPE
8.3 PROCEDURES
  8.3.1 Reporting Decision
  8.3.2 Types of IS Incidents and Reports
  8.3.3 Reporting Incidents
  8.3.4 Report Format and Content
  8.3.5 Follow-On Action

Chapter 9--Information System (IS) Monitoring Activities
9.1 PURPOSE
9.2 SCOPE
9.3 PROCEDURES
  9.3.1 IS Warning Banner
  9.3.2 Warning Labels
  9.3.3 Action To Be Taken In A Monitoring Incident
  9.3.4 Review System Specific Security Features

Chapter 10--Malicious Code Prevention
10.1 PURPOSE
10.2 SCOPE
10.3 DEFINITIONS
  10.3.1 Malicious Code
  10.3.2 Mobile Code
  10.3.3 Malicious Mobile Code
  10.3.4 Mobile Code Technologies
  10.3.5 Trusted Source
  10.3.6 Screening
10.4 PROCEDURES
  10.4.1 Preventive Procedures
  10.4.2 Malicious Code Detection
10.5 MALICIOUS CODE SECURITY REQUIREMENTS
  10.5.1 Prevention Steps to be Taken

Chapter 11--Software
11.1 PURPOSE
11.2 SCOPE
11.3 PROCEDURES
11.4 LOW RISK SOFTWARE
11.5 HIGH RISK SOFTWARE
  11.5.1 Public Domain Software
  11.5.2 Unauthorized Software
11.6 EMBEDDED SOFTWARE
11.7 POLICY EXCEPTIONS

Chapter 12--Information Storage Media Control and Accounting Procedures
12.1 PURPOSE
12.2 SCOPE
12.3 PROCEDURES
  12.3.1 Information Storage Media Control
Inspections................................................................................................................................................................. 12.3.1.1
Control Procedures.................................................................................................................................................... 12.3.1.2
Other Categories of Storage Media........................................................................................................................ 12.3.1.3
Audits and Reports...................................................................................................................................................... 12.3.2
Destruction of Media................................................................................................................................................... 12.3.3
Chapter 13--Information Storage Media Labeling and Product Marking Requirements
PURPOSE.......................................................................................................................................................................... 13.1
SCOPE............................................................................................................................................................................... 13.2
PROCEDURES.................................................................................................................................................................. 13.3
Information Storage Media......................................................................................................................................... 13.3.1
Label Placement......................................................................................................................................................... 13.3.1.1
Data Descriptor Label............................................................................................................................................... 13.3.1.2
Classification Markings............................................................................................................................................... 13.3.2
Chapter 14--Information Systems (IS) Maintenance Procedures
PURPOSE.......................................................................................................................................................................... 14.1
SCOPE............................................................................................................................................................................... 14.2
PROCEDURES.................................................................................................................................................................. 14.3
Maintenance Personnel............................................................................................................................................... 14.3.1
Maintenance by Cleared Personnel........................................................................................................................ 14.3.1.1
Maintenance by Uncleared (or Lower-Cleared) Personnel................................................................................. 14.3.1.2
General Maintenance Requirements.......................................................................................................................... 14.3.2
Maintenance Log....................................................................................................................................................... 14.3.2.1
Location of Maintenance......................................................................................................................................... 14.3.2.2
Removal of Systems/Components.......................................................................................................................... 14.3.2.3
Use of Network Analyzers....................................................................................................................................... 14.3.2.4
Use of Diagnostics.................................................................................................................................................... 14.3.2.5
Introduction of Maintenance Equipment Into a Sensitive Compartmented Information Facility (SCIF)..... 14.3.2.6
Maintenance and System Security............................................................................................................................ 14.3.3
Remote Maintenance................................................................................................................................................... 14.3.4
Maintenance Performed With The Same Level of Security................................................................................ 14.3.4.1
Maintenance Performed With a Different Level of Security............................................................................... 14.3.4.2
Initiating and Terminating Remote Access........................................................................................................... 14.3.4.3
Keystroke Monitoring Requirements..................................................................................................................... 14.3.4.4
Other Requirements/Considerations...................................................................................................................... 14.3.4.5
Life Cycle Maintenance............................................................................................................................................... 14.3.5
Chapter 15--Portable Electronic Devices
PURPOSE.......................................................................................................................................................................... 15.1
SCOPE............................................................................................................................................................................... 15.2
PROCEDURES.................................................................................................................................................................. 15.3
Approval Requirements............................................................................................................................................... 15.3.1
Handling Procedures.................................................................................................................................................... 15.3.2
Standard Operating Procedure (SOP) Development............................................................................................ 15.3.2.1
Classified Processing................................................................................................................................................ 15.3.2.2
Standard Operating Procedures (SOP) Approval.................................................................................................... 15.3.3
Chapter 16--Security Procedures for Information Systems (IS) and Facsimile (FAX) use of the Public Telephone Network
PURPOSE.......................................................................................................................................................................... 16.1
SCOPE............................................................................................................................................................................... 16.2
PROCEDURES.................................................................................................................................................................. 16.3
DAA Rep/SCO Validation and Approval................................................................................................................. 16.3.1
UNCLASSIFIED CONNECTIVITY................................................................................................................................ 16.4
Unclassified Facsimile Guidelines.............................................................................................................................. 16.4.1
Unclassified Facsimile Approval............................................................................................................................. 16.4.1.1
Request for Unclassified Fax Approval.............................................................................................................. 16.4.1.1.1
Physical Disconnect of Unclassified Fax Equipment........................................................................................... 16.4.1.2
Fax Header Information............................................................................................................................................. 16.4.1.3
Unclassified Computer FAX/modem - telephone guidelines................................................................................ 16.4.2
Unclassified Computer FAX/modem accreditation support............................................................................... 16.4.2.1
Physical Disconnect of Unclassified Computer Fax/Modem equipment.......................................................... 16.4.2.2
Fax/Modem header Information.............................................................................................................................. 16.4.2.3
Data Retrieval............................................................................................................................................................. 16.4.2.4
Importation of High Risk software.......................................................................................................................... 16.4.2.5
Publicly Accessible Unclassified Open Source Information Systems................................................................. 16.4.3
Open Source Information Systems Connectivity................................................................................................. 16.4.3.1
CLASSIFIED CONNECTIVITY...................................................................................................................................... 16.5
Secure Telephone Unit (STU)-III/Data Port Security Procedures......................................................................... 16.5.1
Identification and Authentication.............................................................................................................................. 16.5.2
Use of the Defense Switching Network (DSN) with a STU-III.............................................................................. 16.5.3
STU-III Data Port/Fax Connectivity........................................................................................................................... 16.5.4
Request for STU-III/Fax Connectivity.................................................................................................................... 16.5.4.1
STU-III Fax Audit Logs............................................................................................................................................ 16.5.4.2
STU-III Connectivity Restrictions.......................................................................................................................... 16.5.4.3
STU-III Data Port Connectivity within a SCIF......................................................................................................... 16.5.5
Connectivity Requirements...................................................................................................................................... 16.5.5.1
STU-III Data Port Audit Logs............................................................................................................................... 16.5.5.1.1
Connectivity Restrictions...................................................................................................................................... 16.5.5.1.2
Chapter 17--Interconnecting Information Systems
PURPOSE.......................................................................................................................................................................... 17.1
SCOPE............................................................................................................................................................................... 17.2
DISCUSSION.................................................................................................................................................................... 17.3
Interconnected Information Systems........................................................................................................................ 17.3.1
Inter-Domain Connections.......................................................................................................................................... 17.3.2
Controlled Interface...................................................................................................................................................... 17.3.3
One-Way Connections............................................................................................................................................. 17.3.3.1
Equal Classification Connection.......................................................................................................................... 17.3.3.1.1
Low to High Connections..................................................................................................................................... 17.3.3.1.2
High to Low Connections..................................................................................................................................... 17.3.3.1.3
Other Unequal Classification Level Connections.............................................................................................. 17.3.3.1.4
Dual-Direction Connections.................................................................................................................................... 17.3.3.2
Multi-Domain Connections...................................................................................................................................... 17.3.3.3
Review Procedures....................................................................................................................................................... 17.3.4
Reliable Human Review............................................................................................................................................ 17.3.4.1
Automated Review.................................................................................................................................................... 17.3.4.2
Chapter 18--Information Transfer and Accounting Procedures
PURPOSE.......................................................................................................................................................................... 18.1
SCOPE............................................................................................................................................................................... 18.2
PROCEDURES.................................................................................................................................................................. 18.3
Reliable Human Review of Data................................................................................................................................. 18.3.1
Media Transfers In/Out of an Organization............................................................................................................. 18.3.2
Disposition of Excess or Obsolete COTS Software................................................................................................. 18.3.3
High to Low Data Transfers by Media...................................................................................................................... 18.3.4
PL-3 and Below Functionality.................................................................................................................................. 18.3.4.1
PL-4 and Above Functionality................................................................................................................................ 18.3.4.2
Low to High Data Transfers by Media...................................................................................................................... 18.3.5
Demonstration Software.............................................................................................................................................. 18.3.6
Chapter 19--Multi-Position Switches
PURPOSE.......................................................................................................................................................................... 19.1
SCOPE............................................................................................................................................................................... 19.2
POLICY.............................................................................................................................................................................. 19.3
RESPONSIBILITIES........................................................................................................................................................ 19.4
DAA Rep....................................................................................................................................................................... 19.4.1
ISSM............................................................................................................................................................................... 19.4.2
ISSO/System Administrator........................................................................................................................................ 19.4.3
AIS Requirements............................................................................................................................................................ 19.5
Labels............................................................................................................................................................................. 19.5.1
Desktop Backgrounds................................................................................................................................................. 19.5.2
Screenlocks.................................................................................................................................................................... 19.5.3
Smart Keys/Permanent Storage Medium.................................................................................................................. 19.5.4
Hot Key Capability....................................................................................................................................................... 19.5.5
Scanning Capability..................................................................................................................................................... 19.5.6
Wireless or Infrared Technology............................................................................................................................... 19.5.7
Unique Password Requirement.................................................................................................................................. 19.5.8
Data Hierarchy.............................................................................................................................................................. 19.5.9
Security CONOPS....................................................................................................................................................... 19.5.10
Training........................................................................................................................................................................ 19.5.11
TEMPEST.................................................................................................................................................................... 19.5.12
Procedures for LOGON/Switching Between Systems........................................................................................... 19.5.13
KVM SWITCH USER AGREEMENT........................................................................................................................... 19.6
Chapter 20--Clearing, Sanitizing, and Releasing Computer Components
PURPOSE.......................................................................................................................................................................... 20.1
SCOPE............................................................................................................................................................................... 20.2
RESPONSIBILITIES........................................................................................................................................................ 20.3
PROCEDURES.................................................................................................................................................................. 20.4
Review of Terms........................................................................................................................................................... 20.4.1
Clearing....................................................................................................................................................................... 20.4.1.1
Sanitizing (Also Purging)......................................................................................................................................... 20.4.1.2
Destruction................................................................................................................................................................. 20.4.1.3
Declassification.......................................................................................................................................................... 20.4.1.4
Periods Processing.................................................................................................................................................... 20.4.1.5
Overwriting Media........................................................................................................................................................ 20.4.2
Overwriting Procedure.............................................................................................................................................. 20.4.2.1
Overwrite Verification............................................................................................................................................... 20.4.2.2
Degaussing Media....................................................................................................................................................... 20.4.3
Magnetic Media Coercivity..................................................................................................................................... 20.4.3.1
Types of Degausser.................................................................................................................................................. 20.4.3.2
Degausser Requirements.......................................................................................................................................... 20.4.3.3
Use of a Degausser................................................................................................................................................... 20.4.3.4
Sanitizing Media........................................................................................................................................................... 20.4.4
Destroying Media......................................................................................................................................................... 20.4.5
Expendable Item Destruction................................................................................................................................... 20.4.5.1
Destruction of Hard Disks and Disk Packs............................................................................................................ 20.4.5.2
Hard Disks............................................................................................................................................................... 20.4.5.2.1
Shipping Instructions............................................................................................................................................ 20.4.5.2.2
Disk Packs................................................................................................................................................................ 20.4.5.2.3
Optical Storage Media........................................................................................................................................... 20.4.5.2.4
Malfunctioning Media................................................................................................................................................. 20.4.6
Release of Memory Components and Boards.......................................................................................................... 20.4.7
Volatile Memory Components................................................................................................................................. 20.4.7.1
Nonvolatile Memory Components.......................................................................................................................... 20.4.7.2
Other Nonvolatile Media.......................................................................................................................................... 20.4.7.3
Visual Displays....................................................................................................................................................... 20.4.7.3.1
Printer Platens and Ribbons.................................................................................................................................. 20.4.7.3.2
Laser Printer Drums, Belts, and Cartridges......................................................................................................... 20.4.7.3.3
Clearing Systems for Periods Processing................................................................................................................. 20.4.8
Release of Systems and Components....................................................................................................................... 20.4.9
Documenting IS Release or Disposal..................................................................................................................... 20.4.9.1
Chapter 21--Other Security Requirements
PURPOSE.......................................................................................................................................................................... 21.1
SCOPE............................................................................................................................................................................... 21.2
REQUIREMENTS............................................................................................................................................................ 21.3
Contingency Planning................................................................................................................................................. 21.3.1
Backup......................................................................................................................................................................... 21.3.1.1
Responsibilities.......................................................................................................................................................... 21.3.1.2
Foreign National Access to Systems Processing Classified Information............................................................ 21.3.2
Tactical/Deployable Systems..................................................................................................................................... 21.3.3
Resolving Conflicting Requirements...................................................................................................................... 21.3.3.1
Specific Conflicting Requirements.......................................................................................................................... 21.3.3.2
Guest Systems in a SCIF.............................................................................................................................................. 21.3.4
SCI Systems With Certification............................................................................................................................... 21.3.4.1
SCI Systems Without Certification......................................................................................................................... 21.3.4.2
Unclassified or Collateral Systems.......................................................................................................................... 21.3.4.3
Other Requirements...................................................................................................................................................... 21.3.5
Chapter 22--Information Systems (IS) and Network Security Self-Inspection Aid
PURPOSE.......................................................................................................................................................................... 22.1
SCOPE............................................................................................................................................................................... 22.2
APPLICABILITY............................................................................................................................................................. 22.3
PROCEDURES.................................................................................................................................................................. 22.4
Figures Page
3.1 General Accreditation Review and Approval Cycle....................................................................................................... 14
3.2 Multi-Service Accreditation Flow..................................................................................................................................... 17
7.1 Sample NSA/CSS Form G6521............................................................................................................................................ 30
8.1 Sample Incident Report Message...................................................................................................................................... 36
9.1 Information System Warning Banner............................................................................................................................... 38
9.2 Warning Label...................................................................................................................................................................... 38
19.1 KVM Switch User Agreement Form................................................................................................................................ 65
20.1 Sample NSA/CSS Form G6522.......................................................................................................................................... 72
Tables
9.1. Recommended Incident Response Actions.................................................................................................................... 39
9.2. Sample Monitoring Investigation Questions................................................................................................................. 39
20.1. Sanitizing Data Storage Media........................................................................................................................................ 67
20.2. Sanitizing System Components...................................................................................................................................... 68
22.1. IS and Network Security Self-Inspection Checklist..................................................................................................... 78
Appendices
Appendix A--References......................................................................................................................................................... A-1
Appendix B--Glossary of Acronyms, Abbreviations, and Terms..................................................................................... B-1
Appendix C--Summary of Revisions...................................................................................................................................... C-1
CHAPTER 1
GENERAL INFORMATION
1.1. (U) BACKGROUND. The DIA DoDIIS Information Assurance (IA) Program (Air Force, Army, and Navy Service Certification Organizations -- SCO -- and NIMA Certification Authority) and the NSA/CSS Information Assurance (IA) Program (Air Force, Army, and Navy Service Cryptologic Elements -- SCE) identified a requirement to standardize the security procedures used in the management of Sensitive Compartmented Information (SCI) systems and the information they process. SCI is defined as information and materials requiring special community controls indicating restricted handling within present and future community intelligence collection programs and their end products. These special community controls are formal systems of restricted access established to protect the sensitive aspects of sources, methods, and analytical procedures of foreign intelligence programs. It was also determined that standardizing procedural guidelines would significantly improve support to the increasingly interconnected customer base of the Joint Services. This document describes the protection philosophy and functional procedures essential to the implementation of an effective Information Assurance (IA) Program. Further, it provides implementation guidelines and procedures applicable to the protection, use, management, and dissemination of SCI; assigns responsibilities; and establishes procedures for the development, management, and operation of systems and networks used for processing SCI. The primary purpose of this supplemental guidance is to address day-to-day IS security issues and to support those responsible for managing SCI and the automated infrastructure used to process this information at the organizational level.
1.2. (U) POLICY. U.S. Government policy requires all classified information be appropriately safeguarded to ensure the confidentiality, integrity, and availability of the information. Safeguards will be applied such that information is accessed only by authorized persons and processes, is used only for its authorized purpose, retains its content integrity, is available to satisfy mission requirements, and is marked and labeled as required. SCI created, stored, processed, or transmitted in or over Information Systems (ISs) covered by DCI policy and supplementing directives shall be properly managed and protected throughout all phases of a system's life cycle. The combination of security safeguards and procedures shall assure that the system and users are in compliance with DCID 6/3, NSA/CSS Manual 130-1, DIAM 50-4, and the JDCSISSS supplement to NSA/CSS Manual 130-1 and DIAM 50-4. This document shall not be construed to countermand or waive provisions of any Executive Order, National Policy, Department of Defense (DoD) Directive, or other provisions of regulatory policies or laws which are beyond the scope of authority of the Directors of the Defense Intelligence Agency (DIA) and the National Security Agency/Central Security Service (NSA/CSS). Any perceived contradictions with higher-level policy should be forwarded to the appropriate Designated Approving Authority (DAA) Representative (Rep)/Service Certifying Organization (SCO) for resolution.
1.3. (U) SCOPE AND APPLICABILITY. This document contains procedures and identifies requirements that shall be applied to all systems processing Sensitive Compartmented Information (SCI) under the cognizance of the Department of Defense (DoD), to include: Office of the Secretary of Defense (OSD), the Chairman of the Joint Chiefs of Staff and the Joint Staff, the Unified and Joint Commands, the Defense Agencies and Field Activities, the Military Departments (including their National Guard and Reserve components), National Security Agency (NSA)/Central Security Service (CSS) and Service Cryptologic Elements, National Imagery and Mapping Agency (NIMA), the Inspector General of the DoD, and Government contractors supporting DoD who process SCI. This includes systems that are: airborne, mobile, afloat, in-garrison, tactical, mission, administrative, embedded, portable, Government purchased, Government leased, or on loan from other Government sources. This document also contains a collective set of procedures and protection mechanisms for Information Systems (ISs) and networks used in SCI processing that must be enforced throughout all phases of the IS life-cycle, to include:
· Concept Development
· Design
· Development
· Deployment
· Operations
· Recertification
· Disposal
1.4. (U) REFERENCES, ACRONYMS, AND DEFINITIONS. Appendix A provides a comprehensive list of the national, department, and agency publications that are used in conjunction with this document and that this document augments. The acronyms used in this document are contained in part 1 of Appendix B. The terminology extracted from various IS-related documents is included as part 2 of Appendix B.
1.5. (U) ROLES AND RESPONSIBILITIES. The roles and responsibilities of the personnel involved with IS security are summarized in the paragraphs below. Personnel in the roles defined below must attend training and certification as directed by DoD and meet DCID 6/3 prerequisites.
1.5.1. (U) Principal Accrediting Authority (PAA). The PAA has ultimate security responsibility for his/her organization. This responsibility includes IA program oversight, development, and implementation. In general, much of this person's operational authority is delegated to DAAs. Responsibilities of the PAA shall include:
· Establishing a department or agency IA Security Program.
· Appointing DAAs.
· Approving or disapproving further delegation of the DAA's authority.
· Ensuring that the DAA is supported by individuals knowledgeable in all areas of security such that a technically correct assessment of the security characteristics of new ISs can be formalized.
· Ensuring the implementation of the requirements set forth in U.S. Government IS security policy.
· Ensuring accountability for the protection of the information under his/her purview.
· Ensuring availability of security education, training, and awareness, to ensure consistency and reciprocity.
· Establishing a joint compliance and oversight mechanism to validate the consistent implementation of IS security policy.
· Approving the operation of system(s) that do not meet the requirements specified in DoD and Intelligence Community (IC) IS security documents. However, such approval shall be in writing, and the PAA granting such approval shall also document, in writing, his/her responsibility for the resulting residual risk(s) and inform other PAAs responsible for systems interconnected to this system.
· Overseeing the management of new IS development and implementation.
· Ensuring that security is incorporated as an element of the IS life-cycle process.
1.5.2. (U) Data Owner. Responsibilities of the Data Owner shall include, but are not limited to:
· Providing guidance to the PAA/DAA concerning:
· the sensitivity of information under the Data Owner's purview;
· the PAA/DAA's decision regarding the Levels-of-Concern for confidentiality, integrity, and availability; and
· specific requirements for managing the owner's data (e.g., incident response, information contamination to other systems/media, and unique audit requirements).
· Determining whether foreign nationals may access information systems accredited under this manual. Access must be consistent with DCID 1/7 and DCID 5/6.
1.5.3. (U) Designated Approving Authority (DAA). The DAA shall:
· Be a U.S. citizen;
· Be an employee of the United States Government; and
· Hold U.S. Government security clearance/access approvals commensurate with the level of information processed by the system.
Responsibilities of the DAA shall include, but are not limited to:
· Ensuring each system is properly accredited/certified based on system environment, sensitivity levels and security safeguards.
· Issuing written accreditation/certification statements.
· Ensuring records are maintained for all IS accreditations/certifications under his/her purview to include use of automated information assurance tools.
· Ensuring all of the appropriate roles and responsibilities outlined in this directive are accomplished for each IS.
· Ensuring that operational information systems security policies are in place for each system, project, program, and organization or site for which the DAA has approval authority.
· Ensuring that a security education, training, and awareness program is in place.
· Ensuring that security is incorporated as an element of the life-cycle process.
· Ensuring that the DAA Representatives (Rep)/Service Certifying Organization (SCO) members are trained and certified to properly perform their responsibilities.
· Providing written notification to the cognizant PAA and Data Owner prior to granting any foreign national access to the system.
· Ensuring that organizations plan, budget, allocate, and spend adequate resources in support of IS security.
· Ensuring consideration and acknowledgement of Counter-Intelligence activities during the C&A process.
· Reporting security-related events to affected parties (i.e., interconnected systems), data owners, and all involved PAAs.
1.5.4. (U) DAA Representative (Rep)/Service Certifying Organization (SCO)
· The DAA Rep/SCO member shall be a U.S. citizen and
· Hold U.S. Government security clearance/access approvals commensurate with the level of information processed by the system.
Responsibilities of the DAA Rep/SCO, under the direction of the DAA, shall include:
· Developing and overseeing operational information systems security implementation policy and guidelines.
· Ensuring that security testing and evaluation is completed and documented.
· Advising the DAA on the use of specific security mechanisms.
· Maintaining appropriate system accreditation documentation.
· Overseeing and periodically reviewing system security to accommodate possible changes that may have taken place.
· Advising the Information Systems Security Managers (ISSMs) and Information System Security Officers (ISSOs) concerning the levels of concern for confidentiality, integrity, and availability for the data on a system.
· Evaluating threats and vulnerabilities to ascertain the need for additional safeguards.
· Ensuring that a record is maintained of all security-related vulnerabilities and ensuring serious or unresolved violations are reported to the DAA.
· Ensuring that certification is accomplished for each IS.
· Evaluating certification documentation and providing written recommendations for accreditation to the DAA.
· Ensuring all ISSMs and ISSOs receive technical and security training to carry out their duties.
· Assessing changes in the system, its environment, and operational need that could affect the accreditation.
1.5.5. (U) NSA/CSS Senior Information Systems Security Program Manager (SISSPM)
· The SISSPM shall be a U.S. citizen and
· Hold U.S. Government security clearance/access approvals commensurate with the level of information processed by the system.
The SISSPM responsibilities shall include but are not limited to the following:
· Developing metrics, measuring and reporting progress on improving ISS in operational systems and networks.
· Establishing and maintaining career development and training for ISS personnel under their purview.
· Serving as the operational representative to the NSA/CSS Information System Security Incident Board (NISSIB).
· Representing the operational ISS view to the Operational Information Systems Security Steering Group.
· Directing Field, SCE and regional ISSPMs in actions related to the NSA/CSS Operational IS Security Program.
· Assisting the NISIRT in managing ISS incidents and in implementing fixes to identified vulnerabilities in operational ISs.
· Promoting general operational information systems security awareness.
· Providing technical and policy guidance to ISS Security personnel.
· Providing a forum for information exchange on computer security issues with the Information Systems Security Managers.
1.5.6. (U) Service Cryptologic Element (SCE) Information Systems Security Program Manager (ISSPM).
· The SCE ISSPM shall be a U.S. citizen and
· Hold U.S. Government security clearance/access approvals commensurate with the level of information processed by the system.
The SCE ISSPM responsibilities include:
· Acting as liaison on matters concerning IS and Network security to the NSA/CSS Senior Information Systems Security Program Manager (SISSPM) and to the appropriate military headquarters.
· Ensuring the accreditation of all SCE ISs.
· Reviewing all certification/accreditation support documentation for proof of adequate IS and Network security procedures and, based upon the review, recommending approval or disapproval to the appropriate DAA.
· Forwarding reviewed certification/System Security Plan (SSP) for ISs to the NSA/CSS SISSPM, as required.
· Granting interim approval-to-operate and formal accreditation of ISs as authorized by NSA/CSS DAA.
· Reviewing requests to bypass, strain, or test security mechanisms, or to conduct network monitoring or keystroke monitoring; obtaining approval or disapproval from the NSA/CSS SISSPM for requests involving SCI systems; and approving or disapproving requests for unclassified and collateral systems.
· Ensuring life-cycle security integrity of all SCE ISs.
· Developing procedures necessary to implement higher level regulations and directives.
· Providing guidance and policy to all subordinate SCE organizations.
· Promoting the nomination of SCE personnel for NSA/CSS Security Achievement Awards.
· Managing the SCE IS and Network Security Training Program to include:
· Ensuring all SCE ISSMs and ISSOs attend the National Cryptologic School ND-225 course, “Operational IS Security” or equivalent.
· Coordinating the training of nominees with the National Cryptologic School.
· Publishing SCE annual training schedules for the ND-225 course, which is published in October-November for the following calendar year.
· Reporting name, organization, and address of all students to the National Cryptologic School for certificates of completion.
· Developing unique SCE courses and materials for training, as necessary.
· Maintaining a level of expertise by attending IS and Network security conferences, symposiums, and training courses sponsored by other agencies.
· Augmenting SCE inspections, both Inspector General (IG) and others, upon request.
· Reviewing requirements for approving public-domain software before its use on any SCE IS.
1.5.7. (U) Commander/Commanding Officer (CO)/Senior Intelligence Officer (SIO) Responsibility. Commanders/COs/SIOs, in conjunction with their ISSMs/ISSOs/System Administrators (SAs), will work together to present a cohesive training program, both for users and for IS and network security personnel. If well developed and effectively implemented, the security program can help neutralize IS security threats, prevent the compromise or loss of classified information, and produce users who act effectively to secure system resources. The responsibilities of the Commander/CO/SIO include:
· Appointing an ISSM in writing and, where applicable, ensuring a copy of orders are forwarded to the SCE organization's ISSPM or the DIA DAA Rep/SCO.
· Ensuring the establishment and funding of an effective and responsive IS Security (ISS) Program.
· Participating as an active member of the organization's CCB, or appointing a representative to act in his/her absence.
· Ensuring that users and ISS personnel receive DoD-mandated certification training IAW their responsibilities as part of an approved ISS training program.
· Ensuring ISS policies are enforced and implemented.
1.5.8. (U) Information Systems Security Manager (ISSM). The ISSM is appointed in writing by the authority at a site responsible for information system security. ISSM responsibilities should not be assigned as collateral duties, if at all possible. The ISSM shall:
· Be a U.S. citizen;
· Hold U.S. Government security clearance/access approvals commensurate with the level of information processed by the system; and
· Attend ND-225 training or equivalent.
The ISSM responsibilities include:
· Forwarding a copy of his/her appointment letter to the DAA Rep/SCO.
· Developing and maintaining a formal IS security program.
· Implementing and enforcing IS security policies.
· Reviewing and endorsing all IS accreditation/certification support documentation packages.
· Overseeing all ISSOs to ensure they follow established IS policies and procedures.
· Ensuring that the ISSM/ISSOs review weekly bulletins and advisories that impact the security of site information systems, to include AFCERT, ACERT, NAVCIRT, IAVA, and DISA ASSIST bulletins.
· Ensuring that periodic testing (monthly for PL-5 systems) is conducted to evaluate the security posture of the ISs by employing various intrusion/attack detection and monitoring tools (shared responsibility with ISSOs).
· Ensuring that all ISSOs receive the necessary technical (e.g., operating system, networking, security management, SysAdmin) and security training (e.g., ND-225 or equivalent) to carry out their duties.
· Assisting ISSOs to ensure proper decisions are made concerning the levels of concern for confidentiality, integrity, and availability of the data, and the protection levels for confidentiality for the system.
· Ensuring the development of system accreditation/certification documentation by reviewing and endorsing such documentation and recommending action to the DAA Rep/SCO.
· Ensuring approved procedures are in place for clearing, purging, declassifying, and releasing system memory, media, and output.
· Maintaining, as required by the DAA Rep/SCO, a repository for all system accreditation/certification documentation and modifications.
· Coordinating IS security inspections, tests, and reviews.
· Investigating and reporting (to the DAA/DAA Rep/SCO and local management) security violations and incidents, as appropriate.
· Ensuring proper protection and corrective measures have been taken when an IS incident or vulnerability has been discovered.
· Ensuring data ownership and responsibilities are established for each IS, to include accountability, access and special handling requirements.
· Ensuring development and implementation of an effective IS security education, training, and awareness program.
· Ensuring development and implementation of procedures in accordance with configuration management (CM) policies and practices for authorizing the use of hardware/software on an IS. Any changes or modifications to hardware, software, or firmware of a system must be coordinated with the ISSM/ISSO and appropriate approving authority prior to the change.
· Developing procedures for responding to security incidents, and for investigating and reporting (to the DAA Rep/SCO and to local management) security violations and incidents, as appropriate.
· Serving as a member of the configuration management board, where one exists (however, the ISSM may elect to delegate this responsibility to the ISSO.)
· Maintaining a working knowledge of system functions, security policies, technical security safeguards, and operational security measures.
· Accessing only that data, control information, software, hardware, and firmware for which they are authorized access and have a need-to-know, and assuming only those roles and privileges for which they are authorized.
1.5.9. (U) Information Systems Security Officer (ISSO). The ISSO shall:
· Be a U.S. citizen and
· Hold U.S. Government security clearance/access approvals commensurate with the level of information processed by the system.
Responsibilities of the ISSO shall include:
· Ensuring systems are operated, maintained, and disposed of in accordance with internal security policies and practices as outlined in the accreditation/certification support documentation package.
· Attending required technical (e.g., operating system, networking, security management, SysAdmin) and security (e.g., ND-225 or equivalent) training relative to assigned duties.
· Ensuring all users have the requisite security clearances, authorization, need-to-know, and are aware of their security responsibilities before granting access to the IS.
· Ensuring that proper decisions are made concerning levels of concern for confidentiality, integrity, and availability of the data, and the protection level for confidentiality for the system.
· Reporting all security-related incidents to the ISSM.
· Initiating protective and corrective measures when a security incident or vulnerability is discovered, with the approval of the ISSM.
· Developing and maintaining an accreditation/certification support documentation package for system(s) for which they are responsible.
· Conducting periodic reviews to ensure compliance with the accreditation/certification support documentation package.
· Ensuring Configuration Management (CM) for IS software and hardware, to include IS warning banners, is maintained and documented.
· Serving as member of the Configuration Management Board if so designated by the ISSM.
· Ensuring warning banners are placed on all monitors and appear when a user accesses a system.
· Ensuring system recovery processes are monitored and that security features and procedures are properly restored.
· Ensuring all IS security-related documentation is current and accessible to properly authorized individuals.
· Formally notifying the ISSM and the DAA Rep/SCO when a system no longer processes classified information.
· Formally notifying the ISSM and the DAA Rep/SCO when changes occur that might affect accreditation/certification.
· Ensuring system security requirements are addressed during all phases of the system life cycle.
· Following procedures developed by the ISSM, in accordance with configuration management (CM) policies and practices, for authorizing software use prior to its implementation on a system. Any changes or modifications to hardware, software, or firmware of a system must be coordinated with the ISSM and appropriate approving authority prior to the change.
· Establishing audit trails and ensuring their review.
· Administering user identification (USERID) and authentication mechanisms of the IS or network.
· Ensuring the most feasible security safeguards and features are implemented for the IS or network.
· Ensuring no attempt is made to strain or test security mechanisms, or perform network line monitoring, or keystroke monitoring without appropriate authorization.
· Performing network monitoring for the purpose of identifying deficiencies, but only with approved software, and after notifying the ISSM and other appropriate authority.
· Accessing only that data, control information, software, hardware, and firmware for which they are authorized access and have a need-to-know, and assuming only those roles and privileges for which they are authorized.
1.5.10. (U) The Program Management Office (PMO)/Program Manager (PM).
· The PM/PMO shall be a U.S. citizen and
· Hold U.S. Government security clearance/access approvals commensurate with the level of information processed by the system.
The responsibilities of the PMO/PM will include:
· Ensuring compliance with current IA policies, concepts, and measures when designing, procuring, adopting, and developing new ISs. This includes systems that are developed under contracts with vendors or computer services organizations and includes those systems that store, process, and/or transmit intelligence information.
· Ensuring that the Configuration Management process is addressed and used when new SCI ISs are under development, being procured, or delivered for operation. An integral part of configuration management is the System Accreditation process. Therefore, it is imperative that accreditation authorities be advised of configuration management decisions. This will ensure systems are fielded or modified within acceptable risk parameters and the latest security technology is being incorporated into system designs. This participation is most important at the Preliminary Design Review (PDR) and the Critical Design Review (CDR).
· Performing a risk assessment on the IS while it is under development and keeping the risk assessment current throughout the acquisition and development portion of the life cycle.
· Enforcing security controls that protect the IS during development.
· Ensuring all steps involved in the acquisition and delivery of a certifiable IS are followed. These include:
· Evaluating interoperability with other systems.
· Describing the IS mission so that it is clearly understood.
· Determining the protection level of the new IS.
· Fully defining the security requirements for the IS. This must include any measures that have to be implemented to ensure the confidentiality, integrity, and availability of the information being processed.
· Formulating an approach for meeting the security requirements.
· Incorporating security requirements during system development.
· Developing accreditation support documentation to be fielded with the IS.
· Ensuring the IS undergoes Certification and/or Accreditation (C&A) Testing and Evaluation (T&E) prior to operation.
1.5.11. (U) Privileged Users (e.g., System Administrator (SA)). The responsibilities inherent to IS administration are demanding, and require a thorough knowledge of the IS. These responsibilities include various administrative and communications processes that, when properly carried out, will result in effective IS utilization, adequate security parameters, and sound implementation of established IA policy and procedures. System administrators shall:
· Be U.S. citizens;
· Be IA trained and certified in compliance with DoD requirements; and
· Hold U.S. Government security clearance/access approvals commensurate with the level of information processed by the system.
In addition to the requirements for a general user, responsibilities of the system administration personnel shall include:
· Implementing the IS Security guidance and policies as provided by the ISSM/ISSO.
· Maintaining ISs and networks, to include all hardware and software (COTS/GOTS).
· Monitoring system performance and system recovery processes to ensure that security features and procedures are properly restored.
· Reporting all security-related incidents to the ISSM/ISSO.
· Ensuring that all users have the requisite security clearances, authorization, need-to-know, and are aware of their security responsibilities before granting access to the IS.
· Performing equipment custodian duties by providing other system unique requirements that may be necessary. Ensuring systems are operated, maintained, and disposed of in accordance with internal security policies and practices outlined in the accreditation/certification support documentation package.
· Maintaining software licenses and documentation.
· Notifying the ISSM/ISSO and the SCO formally when changes occur that might affect accreditation/certification.
· Ensuring Configuration Management (CM) for security-relevant IS software and hardware, to include IS warning banners, is maintained and documented.
· Monitoring hardware and software maintenance contracts.
· Establishing user identification (USERID) and authentication mechanisms of the IS or network and issuing user logon identifications and passwords.
· Ensuring adequate network connectivity by ensuring that proper decisions are made concerning levels of concern for confidentiality, integrity, and availability of the data, and the protection level for confidentiality for the system.
· Establishing audit trails and conducting reviews and archives as directed by the ISSM/ISSO.
· Providing backup of system operations.
· Assisting the ISSM/ISSO in developing and maintaining accreditation/certification support documentation package for system(s) for which they are responsible.
· Conducting periodic reviews to ensure compliance with the accreditation/certification support documentation package.
· Ensuring all IS security-related documentation is current and accessible to properly authorized individuals.
· Formally notifying the ISSM/ISSO and the SCO when a system no longer processes classified information.
· Following procedures developed by the ISSM/ISSO, authorizing software use before implementation on the system.
· Assisting the ISSM/ISSO in maintaining configuration control of the systems and applications software ensuring the most feasible security safeguards and features are implemented on the IS or network.
· Prohibiting attempts to strain or test security mechanisms, or perform network line monitoring or keystroke monitoring without appropriate authorization.
· Performing network monitoring for the purpose of rectifying deficiencies, but only with approved software, and after notifying the ISSM and other appropriate authority and advising the ISSM/ISSO of security anomalies or integrity loopholes.
· Participating in the Information Systems Security incident reporting program and, with the approval of the ISSM/ISSO, initiating protective or corrective measures when a security incident or vulnerability is discovered.
1.5.12. (U) General Users. General users must hold U.S. Government security clearance/access approvals commensurate with the level of information processed by the system. The responsibilities of a general user shall include:
· Using the system for official use only. Appropriate personal use of an IS must be approved first by the individual's supervisor.
· Participating, at a minimum, in annual computer security awareness briefings/training.
· Providing appropriate caveat and safeguard statements on all IS files, output products, and storage media.
· Protecting ISs and IS peripherals located in his/her respective areas.
· Safeguarding and reporting any unexpected or unrecognizable output products to the ISSO/SA as appropriate. This includes both display and printed products.
· Safeguarding and reporting the receipt of any media received through any channel to the appropriate ISSO/SA for subsequent virus inspection and inclusion into the media control procedures.
· Reporting all security incidents to the ISSO/SA or ISSM.
· Protecting passwords at the same level as the highest classification of material which the system is accredited to process.
· Protecting passwords by never writing passwords down and destroying the original password documentation following initial review.
· Protecting passwords from inadvertent disclosure.
· Protecting all files containing classified data.
· Notifying the system ISSO/SA if he or she suspects that a possible IS and/or network security problem exists.
· Ensuring access doors, covers, plates and TEMPEST seals are properly installed on ISs to eliminate security hazards.
· Protecting their authenticators and reporting any compromise or suspected compromise of an authenticator to the appropriate ISSO.
1.5.13. (U) Prohibited Activities. In general, there are activities which all users shall not perform on any Government systems:
· Use networked ISs for personal gain, personal profit or illegal activities.
· Release, disclose, or alter information without the consent of the data owner or the disclosure officer's approval. Violations may result in prosecution of military members under the Uniform Code of Military Justice, Article 92 or appropriate disciplinary action for civilian employees.
· Attempt to strain or test security mechanisms, or perform network line monitoring or keystroke monitoring without proper authorization.
· Attempt to bypass or circumvent computer security features or mechanisms. For example, when users leave their workstation unattended without using an appropriate screen lock, other users shall not use the system.
· Modify the system equipment or software or use it in any manner other than its intended purpose.
· Relocate or change IS equipment or the network connectivity of IS equipment without proper security authorization.
· Introduce malicious code into any IS or network. Users will comply with rules and regulations for scanning all magnetic media that they introduce, mail, or transport into or out of the organization.
1.6. (U) CONFIGURATION CONTROL BOARD (CCB) OVERSIGHT. This document is under the purview of a Joint Service CCB consisting of the Services' SCOs, SCEs, and a representative from DIA, NSA and NIMA. Any recommended changes to the document should be forwarded to the appropriate CCB member.
1.7. (U) OTHER DOCUMENTATION SUPERSESSION. This document supersedes Supplement 1 to NSA/CSS Manual 130-1, Information System and Network Security Procedures for Service Cryptologic Elements (SCEs), current edition, and Joint DoDIIS/Cryptologic SCI Information Systems Security Standards, all previous editions.
CHAPTER 2
LIFE CYCLE SECURITY
2.1. (U) PURPOSE. Director of Central Intelligence Directive (DCID) 6/3 provides the Intelligence Community with a system for evaluating the degree of trust needed for an Information System (IS) processing classified and sensitive information. It is the basis for specifying security requirements in acquisition specifications, both for existing and planned systems. The Program Manager (PM), during acquisition, will require that security be an integral part of any contract used for acquisition consistent with the security requirements of the system. The PM and IS developers involved in the acquisition process of new ISs must ensure these new systems operate as intended and are accredited. They must ensure that systems are designed to meet user requirements, are developed economically, and contain appropriate security controls and audit trails. Procedures must be implemented and precisely followed to ensure new ISs are created and can be readily approved for operation at an acceptable level of risk. Acquisition procedures must address all aspects of IS development, to include the security requirements that must be met, the IS security features required, the IS operating environment, and a plan that properly tracks the process by which IS definition, development, and security testing are to take place. The purpose of this chapter is to address acquisition security requirements and includes:
· National security policy requirements as they pertain to system development.
· The responsibilities involved in the accreditation process.
· Levels of Concern and Protection Levels.
· Guidance that appropriate security requirements are identified early in the acquisition process.
2.2. (U) SCOPE. The early and complete identification of security requirements for an IS is a major security objective in all phases of the IS life cycle. These guidelines apply to all security personnel who must consider, improve, or change security throughout the life cycle to ensure continued adequate protection. These procedures are effective in the following life cycle phases:
Life Cycle Phase                 Applicable
CONCEPTS DEVELOPMENT PHASE       YES
DESIGN PHASE                     YES
DEVELOPMENT PHASE                YES
DEPLOYMENT PHASE                 YES
OPERATIONS PHASE                 YES
RECERTIFICATION PHASE            YES
DISPOSAL PHASE                   YES
2.3. (U) PROCEDURES. Within each organization, life-cycle security requirements will be related to one of the seven life cycle phases, which apply to all systems: Government owned, leased, or on loan from other organizations. Designated Approving Authority (DAA) Representatives (Reps)/Service Certifying Organizations (SCOs) must review and approve detailed system or subsystem security specifications.
2.3.1. (U) Concepts Development Phase. During the conceptual phase, security personnel must determine the data sensitivity and criticality of the IS being planned. This is accomplished by conducting sensitivity, risk/threat, interoperability, and economic assessments. The results of these assessments provide the data necessary to perform the analysis and design of the next phase. These guidelines apply to all personnel performing acquisition of ISs with the objective of fielding ISs with the appropriate security requirements identified early in the acquisition process.
2.3.1.1. (U) IS Security Design. The PMO/PM should ensure all IS security requirements are incorporated in the Critical Design Review, the System Security Plan (SSP)/Systems Security Authorization Agreement (SSAA) and the Security Concept of Operations (SECONOPS) (see DCID 6/3, 4.B.1.c.(1)). In concert with the Systems Design Security Officer (SDSO)/ Information Systems Security Engineer (ISSE), the PMO/PM will ensure the IS security design meets the requirements of DCID 6/3.
2.3.1.2. (U) Statement of Work (SOW) Requirements. The SOW will include a DD Form 254 and address contractor related issues pertaining to contractor personnel security, physical security, contractor ISs in support of the contract, TEMPEST requirements, and applicable security regulations. A Government official, either the SDSO/ISSE or DAA Rep/SCO, will coordinate these specific requirements depending on the particular acquisition.
2.3.1.3. (U) Additional Documentation. Additional documentation based on the system's identified Protection Level to include guide(s) or manual(s) for the system's privileged users (test plans, procedures and results) and a general user's guide may be required.
2.3.2. (U) Design Phase. During this phase of the life-cycle, the certification and accreditation process should begin. The DAA first determines the Levels of Concern (LOC) for Confidentiality, Availability, and Integrity based on the information characteristics determined in the Concepts Development Phase. The DAA then determines the required Protection Level for confidentiality based on the need-to-know, formal access approval(s), and clearance level(s), if applicable, of system users as compared to the sensitivity, formal compartments, and classification of the data to be stored, processed, or transmitted on the system. The Levels of Concern and Protection Levels are:
Security Feature    Level of Concern                                   Protection Levels
Confidentiality     High (Basic/Medium not used in Intelligence ISs)   PL-1, PL-2, PL-3, PL-4, PL-5
Integrity           Basic, Medium, High                                --
Availability        Basic, Medium, High                                --
2.3.2.1. (U) Levels-of-Concern. Based on the characteristics of the information in the IS, a Level-of-Concern must be determined in each of three categories: confidentiality, integrity, and availability. The available Level-of-Concern ratings are Basic, Medium or High. The DAA determines the Level-of-Concern separately for each category based on the following:
· The Confidentiality Level-of-Concern rating for all ISs that process intelligence information is, by definition, High.
· The Integrity Level-of-Concern is determined by the necessary degree of resistance to unauthorized modification of the data in the IS. The greater the need for data integrity, the higher the Level of Concern.
· The Availability Level-of-Concern rating is based on the need of ready access to the system data. The greater the need for rapid data availability, the higher the Level-of-Concern.
· A detailed description of the determination and assignment of Levels-of-Concern can be found in DCID 6/3, section 3.B. and Table 3.1, with even greater detail of each category in Chapters 4 (Confidentiality), 5 (Integrity), and 6 (Availability).
2.3.2.2. (U) Protection Levels. The Protection Level of an IS is the implicit level of trust placed in the system's technical capabilities, and applies only to confidentiality. After determining that the Level-of-Concern for confidentiality must be high (since the system processes intelligence data), the DAA must then determine the necessary Protection Level based on:
· Required clearances,
· Formal access approval, and
· Need-to-know of all IS users.
2.3.2.2.1. (U) The DAA must explicitly determine the Protection Level for each IS to be accredited. DCID 6/3, Section 3.C. and Table 4.1 differentiate between the five Protection Levels (PL1 - PL5). Chapter 4 details the security features required for each Protection Level.
2.3.2.2.2. (U) The LOCs for Availability and Integrity and the PL for Confidentiality are identified using DCID 6/3 Chapters 4-6. During the design phase, the Project Management Office (PMO) develops the System Security Plan (SSP)/System Security Authorization Agreement (SSAA). This is a living document and should be updated throughout the IS's life cycle. It incorporates security documentation requirements found in DCID 6/3 and includes the mission need, system and environment description, intended system users, system security requirements, and development schedule. A template for the SSAA can be found in the DoD Intelligence Information System (DoDIIS) Security Certification and Accreditation Guide, Appendix D. A template for the SSP can be found in the NSA/CSS Information System Certification and Accreditation Process (NISCAP). The initial draft of the SSP/SSAA must be approved by the DAA Rep/SCO prior to system development. Actions must be taken by the Program Managers (PM) and SDSO/ISSE to ensure compliance with directives according to DCID 6/3.
2.3.3. (U) Development Phase. Adequate implementation of the necessary security measures is ensured during the development phase. The Development Security Manager, appointed by the PMO, has the major responsibility during the development phase. He should ensure a test plan is prepared and participate in all project meetings including site surveys. Security support from the certifying organization and/or DIA is required based on the Protection Level of the IS. Hardware, software, telecommunications and the entire operational environment must comply with the System Security Authorization Agreement (SSAA). This extends beyond the system itself; the proposed or existing facility that will house the system must be considered to ensure that proper physical security is available. During the development phase, design reviews may identify security considerations which were overlooked in the initial system design. If so, the SSAA must be updated accordingly. If major security considerations are discovered, the development may return to a previous phase for rework.
2.3.4. (U) Test, Certification and Accreditation Phase. During the test phase, the entire system is critically reviewed to ensure compliance with all specified security measures. A Security Test and Evaluation (ST&E) is conducted to certify that the system's security and contingency operations are properly implemented. Any shortcomings and/or vulnerabilities are identified, and a risk analysis is conducted. Based upon the outcome of the risk analysis, a plan addressing the shortcomings (fixes, work-arounds, etc.) is developed. All this is detailed in the Security Certification Test Report, which is used by the DAA when making the approval decision. A template for the Security Certification Test Report is located in the DoDIIS Security Configuration and Accreditation Guide, Appendix G. Following the resolution of any shortcomings, the conclusion of security testing, and after the appropriate Designated Approval Authority (DAA) grants accreditation approval, the system is released for operational use.
2.3.4.1. (U) Time Line for Certification Activities. A 90-day period is the basis for providing enough time for certifiers to properly prepare for and conduct a system certification evaluation and recommendation to the DAA. The 90 day timetable begins with the submission of the Request for Certification from the Program Manager (PM/PMO) to the Service Cryptologic Element (SCE)/Service Certification Office (SCO).
Timeline columns: 90 days, 60 days, 30 days, 0 days. Milestones, each marked (X) at its due point on the timeline, in the following order:
· PM Request for Certification/Accreditation
· SSP/SSAA
· SCE/SCO approval of SSP/SSAA
· SRTM & Test Procedures (SFUG if necessary)
· SCE/SCO approval of Test Procedures
· SCE/SCO submits Test Report and Test Memo
2.3.5. (U) Deployment and Operations Phase. Once the system is operational, the site operations staff and ISSO/ISSM are responsible for monitoring its security. They do this by controlling changes to the system via strict Configuration Management. IS users are responsible for operating the system in compliance with the security guidelines found in the SSP/SSAA. As required by DCID 6/3, the DAA Rep/SCO periodically reviews the adequacy of system security as required by all applicable regulations for unclassified, sensitive-unclassified, collateral, and SCI material. This review will take into account any system modifications and changes, including both hardware and software, to ensure that security requirements are adequate to meet any identified risks, threats to, or vulnerabilities of the system. All changes are updated in the SSP/SSAA as they occur. If any changes significantly affect the system's security posture, the DAA is notified so that the need for recertification can be determined.
2.3.6. (U) Recertification Phase. As required by the DAA, a system must be recertified whenever security changes occur in the LOC and PL, technical or non-technical security safeguards, threats to the system, operational environment, operational concept, interconnections, or any other significant increases in the level of residual risk. The recertification process includes a review of existing security documentation to verify that these documents still accurately represent the system, a reevaluation of the system vulnerabilities, threat and risk, and a complete ST&E or a subset of the original ST&E. Even if no security-significant changes occur, recertification and accreditation of a system must be re-evaluated every three years after the issuance of an accreditation. Site Based accreditation provides for continued reevaluation.
2.3.7. (U) Disposal Phase. When an IS is no longer needed, disposition can occur in several ways: purging information residue from an IS or a component; releasing the IS or a component for reuse within the Intelligence Community; destroying an IS or a component through authorized channels; or shipping the IS or a component. All of the above actions must be approved by the DAA Rep/SCO. While emergency destruction of an IS is a possibility that occurs during the normal operational phase, it is considered a special case during the disposal phase.
CHAPTER 3
SIGNALS INTELLIGENCE (SIGINT) SYSTEMS
ACCREDITATION PROCESS AND PROCEDURES
3.1. (U) PURPOSE. This chapter provides the accreditation processing requirements and procedures that, when implemented, will ensure Information Systems (ISs) do not operate without proper authority and effective security controls. All SIGINT ISs must be formally accredited or granted an approval-to-operate before they legally may be used to process, store, transmit, or receive data of any classification, to include sensitive-but-unclassified (SBU). This is in accordance with the NSA/CSS Information Systems Certification and Accreditation Process (NISCAP). Note: This chapter does not apply to intelligence information systems under the cognizance of the Director, Defense Intelligence Agency (DIA).
3.2. (U) SCOPE. These procedures are effective in the following life cycle phases:
Life Cycle Phase                 Applicable
CONCEPTS DEVELOPMENT PHASE       NO
DESIGN PHASE                     YES
DEVELOPMENT PHASE                YES
DEPLOYMENT PHASE                 YES
OPERATIONS PHASE                 YES
RECERTIFICATION PHASE            YES
DISPOSAL PHASE                   YES
3.3. (U) DISCUSSION:
3.3.1. (U) Accreditation. Accreditation is the official authorization granted by the appropriate Designated Approving Authority (DAA), on a case-by-case basis, permitting the processing of information on an IS. Approval is based upon the DAA's review of the System Security Plan (SSP). Under certain conditions interim approval-to-operate (IATO) may be granted by the DAA/designee in accordance with section 9.D.4 of DCID 6/3.
3.3.2. (U) Configuration Management. The accreditation process and associated security concerns are integral to configuration management enforcement. Therefore, accreditation authorities will be included in configuration management decisions to ensure systems are fielded or modified within acceptable risk parameters and the latest security technology is incorporated into system designs. This participation is most important at the Preliminary Design Review (PDR) and the Critical Design Review (CDR). Where there is no formal configuration management process in an acquisition or system modification, the Program Manager (PM) will coordinate all relevant activities with the accreditation authority.
3.4. (U) ACCREDITATION IN GENERAL. Figure 3.1, General Accreditation Review and Approval Cycle, outlines the current cryptologic accreditation process. As the figure indicates, accreditation may be initiated from one of three different logical points: Unit, Service Cryptologic Element (SCE), and the National Security Agency (NSA)/Central Security Service (CSS).
3.4.1. (U) Formal Accreditation. Formal accreditation for any cryptologic IS can only be granted by the DAA, or DAA designee, after a site visit and only after a full test of the security controls of the entire system. This applies to ISs processing any classification level of information and those which may currently have an IATO.
3.4.2. (U) Issuing Accreditation. Once an SSP has been submitted and reviewed, the next step in the process is to issue accreditation/approval. The Information Systems Security Program Manager (ISSPM) and certain accrediting action officers have the authority to accredit all unclassified systems, collateral systems, and certain Sensitive Compartmented Information (SCI) systems within SCI Facilities (SCIFs). For certain systems, the ISSPM has the authority to issue accreditation on behalf of the NSA/CSS DAA.
FIGURE 3.1. (U) GENERAL ACCREDITATION REVIEW AND APPROVAL CYCLE.
3.4.3. (U) Reaccreditation. When certain operational changes are made to an accredited IS, it must be submitted for reaccreditation by the Information System Security Officer (ISSO)/System Administrator (SA). If this is not done, the DAA may rescind the current accreditation. Reaccreditation is required when:
· The type of Central Processing Unit (CPU) and/or IS operating system changes.
· The IS is relocated to another area or TEMPEST zone.
· The IS Protection Level (PL) changes.
· The classification of material processed by the IS is changed.
· The IS is being connected to another IS or a network not previously connected.
· When users with a lower security clearance are added to the system.
· Any change to the IS which impacts security.
3.4.4. (U) Rescinding Accreditation. The DAA may cancel the accreditation of an operational IS if violations are found in the operational status of the IS. However, there are acceptable reasons for operational changes that do not normally constitute rescinding accreditation. Accreditation is not rescinded for:
· The substitution of similar components while components are in maintenance. However, if the original CPU is not returned to the IS when repair is completed, then an update to the SSP must be accomplished to reflect the correct serial numbers of the replacement CPU.
· The addition of new terminals, peripheral devices, or relocation of an IS providing the SSP is updated within 90 days to reflect the system additions or relocation. These actions can only be done with appropriate coordination (TEMPEST, Physical Security Office, etc.) and with Information Systems Security Manager (ISSM) approval.
3.4.5. (U) Accreditation 3-Year Anniversary Review. Each IS accreditation will be reviewed every 3 years. The ISSM is responsible for ensuring that recertification of each accredited IS is completed upon its 3-year anniversary. The SSP will be updated to reflect any undocumented changes and will be coordinated and forwarded to the appropriate DAA for approval.
3.4.6. (U) Authorized Exemptions From Accreditation. As stated, all ISs must be accredited before they may legally process any information. However, certain computers are never exposed to, contain, or process national security information (NSI) and are exempted from accreditation. The current approved list for accreditation exemptions is as follows:
· Computerized test equipment.
· Computers used in driving drill presses and their operations.
· Computers used in engraving devices or machines.
3.4.7. (U) IS Approval-to-Operate. Once an SSP has been submitted, you may receive an IATO or formal accreditation (see paragraph 3.1), based on the circumstances involved. The IATO is typically the first step in the accreditation process. An IATO may be granted based upon a preliminary review of the SSP. Upon review, temporary waivers may be granted, on a case-by-case basis, for the operation of an IS which has security deficiencies if the waiver supports the time-critical, mission-essential processing requirements. An IATO may be issued with an expiration date for temporary projects. Upon approval of the IATO, approval letters or messages are sent by the DAA directly to the organizational-level ISSM with information copies as necessary to ensure proper notification. The issuing of any approval is based upon the DAA's willingness to accept the risk for the IS based upon the documented evidence that adequate security measures have been taken to safeguard NSI. An IATO should not exceed 180 days. If required, an additional 180-day extension may be granted by the DAA Rep, but may not exceed 360 days.
3.4.8. (U) TEMPEST. Refer to Chapter 5 for applicable TEMPEST procedures involved with IS accreditation.
3.5. (U) ACCREDITATION PROCEDURES. It is imperative that all cryptologic ISs operate with appropriate approval and with the security controls necessary to protect the information they process. To ensure this is accomplished, well-defined and effective procedures must be established and followed.
3.5.1. (U) Accreditation Requests:
3.5.1.1. (U) Accreditation Requests Initiated at the Unit Level:
3.5.1.1.1. (U) The ISSO/SA obtains a new IS through channels such as supply, local purchase, or from the unit's Headquarters (HQ) through a planned program. The ISSO/SA completes an SSP for the new system and forwards it to the organization ISSM. The ISSM ensures proper organizational-level coordination with the SCIF manager for approval to use within the SCIF and with the TEMPEST officer for proper red/black installation. The ISSM coordinates with other local personnel as necessary to ensure that the SSP is properly coordinated. Once coordination is complete, and the package is approved at the unit level, the ISSM forwards the package to the DAA Rep for formal review.
3.5.1.1.2. (U) The DAA Rep reviews each SSP to ensure that adequate IS and network security measures have been implemented. The DAA Rep then coordinates with other personnel, as required, in the final approval process. Examples include, but are not limited to:
· A review by the TEMPEST Officer of each accreditation package to assess TEMPEST and technical security concerns.
· A review by the SCIF Manager or Physical Security Office to identify any facility security concerns.
· A review of the accreditation support documentation by the ISSM for proof of adequate network security measures and properly authorized connections.
3.5.1.1.3. (U) Following coordination, the SSP is then returned to the DAA Rep for final review and appropriate action. This is the critical point in the review process. If any non-concurrence exists, the SSP may be returned to the originator for correction. A non-concurrence can create an undesired delay in meeting a proposed operational capability. Therefore, it is important that the ISSM ensures the completeness and accuracy of each SSP before it leaves the organization.
3.5.1.2. (U) Accreditation Initiated Through Downward-Directed Programs. The other logical points from which an SSP may be generated and submitted relate to downward‑directed programs. Within the SCEs, the DAA has the responsibility to ensure that all IS acquisitions are reviewed for IS and Network security concerns. A Systems Design Security Officer (SDSO) should be appointed to ensure that adequate built-in security capabilities are developed, tested, and implemented. This ensures that the new system is accreditable prior to its deployment. Ideally, the formal accreditation or an approval-to-operate should be delivered with the system at the time of installation. However, on occasion, ISs are fielded to NSA field sites by outside installation teams and often delivered without an SSP. This directly impacts the Initial Operational Capability (IOC) of the IS being delivered. To prevent this type of situation, unit involvement in the downward-directed program is critical to successful installation and operation of the IS.
It is unrealistic for an organization Commander/Commanding Officer and the ISSM/ISSO/SA to generate an SSP for these systems before the installation team departs the organization. However, without accreditation the newly fielded system cannot legally operate. To assist in eliminating this problem, the organization Commander/Commanding Officer will ensure the following guidelines are followed:
· The organization fielding the new system will be notified 90 days prior to the planned installation if an SSP has not been received. Ensure that survey teams understand the requirements of this chapter and that they must submit an SSP to the ISSM prior to their arrival for installation. The SSP will identify all communications connections to be made at the unit and must be coordinated with the DAA.
NOTE: In implementing the provisions of NSA Directive 130-1 and its references, the organization Commander/Commanding Officer is authorized to deny access, or refuse country clearance, if overseas, to any team installing an IS being fielded without proper accreditation documentation.
· Coordination with the DAA and PM should be accomplished to determine the IS security impact of planned delivery of new ISs and/or changes to existing systems.
· Ensure that an ISSO/SA for the new system is assigned. The ISSM or ISSO/SA should be an active participant during all site survey team visits, upgrade meetings, etc.
3.5.1.3. (U) Accreditation at a Single-Service Site Including the Regional SIGINT Operation Centers. Processing of SSPs for ISs located at an organization controlled by only one military authority for SCIF management, TEMPEST, and IS and Network security will be handled by organization personnel through their chain of command. Accreditation of ISs belonging to a particular SCE can only be approved through the DAA/DAA Rep. At the RSOCs, a courtesy copy of the accreditation document will be provided to the parent service DAA.
3.5.1.4. (U) Accreditation at a Multi-Service Site. The processing of SSPs for ISs located at a SCE-site with two or more collocated SCE elements and controlled by one military authority (either an Air Intelligence Agency (AIA), Intelligence and Security Command (INSCOM), or Commander, Naval Security Group (COMNAVSECGRU) Commander/Commanding Officer), will follow the guidelines depicted in Figure 3.2. The following rules apply:
3.5.1.4.1. (U) Operational Systems Under Control of the Commander/Commanding Officer. All ISs directly supporting operations of the SCE-site, regardless of the functional user, are either under the ownership of, or the direct responsibility of the Commander/CO, regardless of his/her military affiliation. As such, all ISs supporting the direct mission of the site will be accredited by the DAA of the Commander/CO or the NSA/CSS SISSPM, as appropriate. This includes all ISs used for typical administrative support.
3.5.1.4.2. (U) SCE Unique Systems Not Directly Supporting The Primary Mission. The SSP on unique Mission ISs, belonging to a particular SCE, will be forwarded by the Host Security Office (HSO) to the SCE owning the IS. The owning SCE DAA will ensure the accreditation of the IS.
3.5.1.4.3. (U) Assignment of a HSO at a Multi-Service Site. Each multi-Service SCE site will assign a single office to perform the entire IS and Network security function for the site. All SSPs, regardless of the originating ISSO/SA, will be forwarded to the HSO for local review and coordination (See Figure 3.2). Once coordinated, the HSO will forward the SSP to the appropriate DAA to ensure proper approval. The HSO will maintain the complete database of all SSPs generated by the site.
3.5.1.5. (U) Accreditation by SCE Tenants Located at Non-SCE Interservice or Intercommand Sites. Accreditation of a cryptologic IS, functionally managed by any SCE, can only be approved by the appropriate DAA/DAA Rep, unless a separate written Memorandum of Understanding (MOU) provides different policy. The processing of SSPs for SCE ISs installed at interservice or intercommand sites will be handled according to the following procedures:
3.5.1.5.1. (U) The host Service is responsible for accreditation of the facility as a SCIF and facility TEMPEST certification. Therefore, the host Service facility manager and TEMPEST officer will be the coordinating authority on SSPs for cryptologic ISs located in facilities under their authority.
3.5.1.5.2. (U) The tenant organization functionally managing the cryptologic IS is responsible for obtaining accreditation through his/her chain of command. The HQ-level ISSPM will provide a copy of the IATO or final accreditation to the host Service facility manager and TEMPEST officer for their files.
3.5.2. (U) Submitting the SSP. Before full operation of the IS, and during the test phase, an SSP describing the IS must be prepared and submitted to the DAA/DAA Rep to document the IS use and the control mechanisms which are implemented to safeguard the system. The SSP should be submitted not later than 60-90 days prior to the desired IOC or as soon as the required information is known on specific components, configuration, and interfaces. On large ISs, where the purchase contract calls for a CDR, the SDSO should submit the package in the development phase immediately after the CDR. There are two ways of submitting SSPs; each is based upon organization requirements.
3.5.2.1. (U) Single Accreditation. This method of requesting accreditation is to submit only one IS accreditation per package. The reasons for submission vary, but range from the complexity of accrediting a large IS to the simplicity of managing accountability more easily by having only one IS accreditation per package. Under the Single Accreditation method there are no restrictions. For example, a system may be a standalone personal computer or any mainframe IS with personal computers being used as terminals or multiple personal computers connected on a local area network.
3.5.2.2. (U) Type Accreditation. This method permits the submission of one package requesting accreditation of multiple standalone ISs at one time. There are certain restrictions on a type accreditation submission. These restrictions are that all the ISs:
· Must be standalone and used for the same mission.
· Must be installed in the same general location.
· Are operating at the same protection level.
· Are processing the same data classification levels.
· Have the same basic hardware configuration.
· Are assigned to the same ISSO/SA.
3.5.2.3. (U) Format and Content. The acceptable format to present an SSP to the DAA/DAA Rep is the System Security Plan (SSP) Version 1.3, dated 11 October 2000.
3.5.3. (U) SSP and Database Classification. The classification of the accreditation database and an SSP, while directly related, are not necessarily the same. The following rules apply:
3.5.3.1. (U) Database Classification. The overall classification for the accreditation database is logically determined by the highest classification contained within any SSP in the database. The database may become classified SCI if the packages are independently classified at that level.
3.5.3.2. (FOUO) SSP Classification. An individual SSP may become classified for any of the following reasons:
· CONFIDENTIAL--If it contains a valid SIGINT Address (SIGAD).
· CONFIDENTIAL NOFORN--If it contains a valid TEMPEST zone in the building database.
· CONFIDENTIAL--If it pinpoints a particular building and room as being an SCI accredited area.
CHAPTER 4
DODIIS SITE-BASED ACCREDITATION AND SYSTEM CERTIFICATION
4.1. (U) PURPOSE. The DoDIIS Information Assurance Program has two components: The DoDIIS Systems Security Certification and Accreditation Process and the DoDIIS Site-Based Accreditation Methodology. This applies to all systems that process, store, or communicate intelligence information under the purview of the Director, DIA. Note: This chapter does not apply to intelligence information systems under the cognizance of the Director, National Security Agency/Chief, Central Security Service (NSA/CSS). The DoDIIS Systems Security Certification and Accreditation (C&A) Process addresses information systems being developed or undergoing modification that are evaluated prior to being fielded to DoDIIS sites. The DoDIIS Security Certification and Accreditation Guide describes the process for determining the appropriate security requirements that the new or modified system must meet, provides information on the requisite security documentation needed to support system security certification, and outlines the process for testing and fielding systems within the DoDIIS community. All Information Systems within DoDIIS will be tested and evaluated prior to achieving approval to operate or being granted formal certification and fielding to a DoDIIS site. The DoDIIS Site-Based Accreditation Methodology examines and establishes a baseline of all eligible information systems within a defined area, and designates this as a “Site”. An Information System Security Manager (ISSM) is appointed by the Command authority for the site, and that individual, in coordination with the cognizant Certification Organization, manages all security related issues impacting the site's accredited baseline. Details of the Site-Based Accreditation Process can be found in DIA Manual (DIAM) 50-4.
4.2. (U) SCOPE. These procedures are effective in the following life cycle phases:
Life Cycle Phase                 Effective
CONCEPTS DEVELOPMENT PHASE       NO
DESIGN PHASE                     NO
DEVELOPMENT PHASE                YES
DEPLOYMENT PHASE                 YES
OPERATIONS PHASE                 YES
RECERTIFICATION PHASE            YES
DISPOSAL PHASE                   YES
4.3. (U) SYSTEM CERTIFICATION AND ACCREDITATION PROCEDURES:
4.3.1. (U) System Certification and Accreditation Compliance: The DoDIIS Security Certification and Accreditation Guide requires that all ISs be certified and accredited to ensure the IS meets the documented security requirements and that the security of the IS, as accredited, is maintained throughout its life cycle. The certification process validates that appropriate Levels-of-Concern for Integrity and Availability and an appropriate Protection Level have been selected for the IS from the descriptions in DCID 6/3 and the required safeguards have been implemented on the IS as described in the associated security documentation. The DoDIIS security certification and accreditation process has been harmonized with the DoD Information Technology Security Certification and Accreditation Process (DITSCAP).
4.3.2. (U) The System Certification and Accreditation Process:
4.3.2.1. (U) Phase 1. Definition - Focuses on understanding the IS requirement, the environment in which the IS will operate, the users of the IS, the security requirements that apply to the IS, and the level of effort necessary to achieve accreditation. The objective of Phase 1 is to agree on the intended system mission, security requirements, C&A boundary, schedule, level of effort, and resources required for the certification effort. This information is captured in the SSP/SSAA which is developed by the Program Manager.
4.3.2.2. (U) Phase 2. Development and Verification - Focuses on the system development activity and ensures that the system complies with the security requirements and constraints previously agreed during the Definition phase. This includes Beta-I system testing.
4.3.2.3. (U) Phase 3. Validation and Testing - Confirms compliance of the IS with the security requirements stated in the SSP/SSAA. The objective of this phase is to produce the required evidence to support the DAA in making an informed decision whether or not to grant approval to operate the system with an acceptable level of residual security risk. This includes Beta-II system testing.
4.3.2.4. (U) Phase 4. Post Accreditation - This phase starts after the system has been certified and accredited for operation. The Post Accreditation phase includes several activities to ensure an acceptable level of residual security risk is preserved. These activities include security documentation, configuration management, compliance validation reviews, and monitoring any changes to the system environment and operations. Changes to the security configuration of the system will require security review by the DAA.
4.4. (U) SITE-BASED ACCREDITATION METHODOLOGY:
4.4.1. (U) Site-Based Accreditation Methodology Compliance: The DoDIIS Site-Based Accreditation Process uses management techniques to assess risk by establishing a security domain called a "DoDIIS Site". This concept incorporates Site Security Management as a function of the DoDIIS Site's Configuration Management (CM) process. A DoDIIS Site Security Baseline defining the systems infrastructure is required, and any changes to the baseline must be documented in a timely manner. Before a DoDIIS site can establish a Site Security Baseline and be accredited, all system(s) must go through the security C&A process. The Site Security Baseline begins with the evaluation and accreditation of all individual ISs at the site. All ISs are then consolidated into this single management entity and evaluated as part of the security environment in which they operate. Site-Based Accreditation examines the ability of the organization to maintain a secure site baseline and environment. The maturity of site security policies, procedures, configuration management, system integration management, and risk management determines the site's ability to successfully establish and control a secure baseline. The certification process has a number of steps which, once successfully completed, will result in a Site Accreditation by the Director, Defense Intelligence Agency (DIRDIA), the Principal Accreditation Authority (PAA) for all DoDIIS Sites. DIAM 50-4 describes the step-by-step process to perform the Site-Based Accreditation and identifies documentation required to be maintained at the Site. Under Site-Based accreditation, intelligence mission applications entering the site will have already been certified by the responsible DAA Rep/SCO. All other agency systems are considered “Guest” systems at the site and are approved to operate as long as the agency has provided the appropriate documentation (see Chapter 21).
4.4.2. (U) The Site-Based Accreditation Process. The Site-Based Accreditation process consists of the following:
4.4.2.1. (U) Initial Site Visit (Initial Site Certification Visit). During this visit each site will be officially notified by the SCO that it has been selected to undergo a Site-Based accreditation. A Certification Team will initiate the accreditation process by visiting the site. The purpose of this visit is to gather important baseline information. This function may be incorporated or combined in the Site Accreditation and Site Security and Engineering Certification Testing and Evaluation.
4.4.2.2. (U) Site Evaluation Visit (Site Security and Engineering Certification Testing and Evaluation and Site Accreditation). This visit will normally be conducted within 60-90 days following the Initial Site Certification Visit; however, if the site has its site documentation, baseline, and security posture in order, it may be performed during the initial visit. It will consist of system security certification testing and/or security documentation review on each system.
4.4.2.3. (U) Site Compliance Visit (Vulnerability Assessment and Compliance Verification). This visit includes a vulnerability assessment of the networks, ISs, and linked operational elements. Assessments may be performed remotely or onsite. In addition, this periodic visit by the DAA Rep/SCO ensures that the site properly maintains control of the site security baseline. Vulnerability Assessment and Compliance Verification are normally conducted simultaneously as required.
4.5. (U) CONTRACTOR ACCREDITATION. Contractor facilities will not be site-based. Contractors should submit accreditation documentation in accordance with the National Industrial Security Program (NISP) Operating Manual (NISPOM).
4.6. (U) ACCREDITATION REVIEW. The ISSM is responsible for ensuring that the certification/recertification of each accredited IS is kept current based on the DoDIIS Security Certification and Accreditation Guide. The accreditation security documentation package will be updated to reflect any undocumented changes and will be coordinated and forwarded to the appropriate SCO.
4.7. (U) MINIMUM SECURITY REQUIREMENTS. All DoDIIS systems and networks processing SCI shall be protected according to DCID 6/3 by the continuous employment of appropriate administrative, environmental, and technical security measures. These measures will provide individual accountability, access control, enforcement of least privilege, auditing, labeling, and data integrity.
CHAPTER 5
TEMPEST
5.1. (U) PURPOSE. Information Systems (ISs), peripherals, associated data communications, and networks which may be used to process national security or security-related information may need to meet certain procurement and installation specifications as required by national TEMPEST policies and procedures applicable to the sensitivity level of the data being processed. This applies to all systems installed or planned. The objective of this area of security control is to minimize the risk of Hostile Intelligence Services (HOIS) exploiting unintentional emanations from intelligence systems. TEMPEST is a short name referring to investigations and studies of compromising emanations.
5.2. (U) SCOPE. These procedures are effective in the following life cycle phases:
Life Cycle Phase                 Effective
CONCEPTS DEVELOPMENT PHASE       NO
DESIGN PHASE                     YES
DEVELOPMENT PHASE                YES
DEPLOYMENT PHASE                 YES
OPERATIONS PHASE                 YES
RECERTIFICATION PHASE            YES
DISPOSAL PHASE                   YES
5.3. (U) DEFINITIONS.
· Certified TEMPEST Technical Authority (CTTA). An experienced, technically qualified U.S. Government employee who has met established certification requirements in accordance with National Security Telecommunications Information Systems Security Committee (NSTISSC)-approved criteria and has been appointed by a U.S. Government Department or Agency to fulfill CTTA responsibilities.
· Compromising Emanations. Unintentional intelligence-bearing signals which if intercepted and analyzed disclose the national security information being transmitted, received, handled, or otherwise processed by any information processing equipment.
· Inspectable Space. The three-dimensional space surrounding equipment that processes classified and/or sensitive information within which TEMPEST exploitation is not considered practical or where legal authority to identify and/or remove a potential TEMPEST exploitation exists.
· Routine Changes. Changes which have a minimal effect on the overall TEMPEST security of the Sensitive Compartmented Information (SCI) Facility (SCIF). Adding a different type of electronic information processing equipment (unless the equipment added is known to have an unusually large TEMPEST profile), movement of the equipment within the facility, and minor installation changes are examples of routine changes.
· Security Environment Changes. Changes which have a detrimental effect on the facility. Changes to the inspectable space, addition of a radio transmitter or a modem for external communications, removal or reduction of an existing TEMPEST countermeasure (Radio Frequency Interference [RFI] Shielding, Filters, Control/Inspectable space, etc.) would be changes to the security environment.
5.4. (U) TEMPEST COMPLIANCE. All facilities processing SCI will be reviewed by a CTTA for initial TEMPEST accreditation and/or Inspectable Space according to National Security Telecommunications Information Systems Security Policy (NSTISSP) 300, National Policy on Control of Compromising Emanations, and National Security Telecommunications and Information Systems Instruction (NSTISSI) 7000, TEMPEST Countermeasures for Facilities. The CTTA is authorized to make acceptable risk determinations for specific facilities when justified.
5.5. (U) ACCREDITATION:
5.5.1. (U) TEMPEST Countermeasures Review. A CTTA must conduct or validate all TEMPEST countermeasure reviews. However, the requirement for a CTTA to conduct or validate such reviews does not imply the need to implement TEMPEST countermeasures. The recommended countermeasures will be threat driven and based on risk management principles. The inspectable space, as determined by a CTTA, will be the primary countermeasure.
5.5.2. (U) General Documentation. The local SCI security official will complete documentation in accordance with local TEMPEST Manager requirements. The local TEMPEST Manager will submit documentation in accordance with (IAW) service directives. A record of the TEMPEST security accreditation or inspectable space determination (ISD) will be retained within the SCIF.
5.5.3. (U) TEMPEST/ISD Accreditation. When an inspectable site houses multiple IS facilities and has a relatively protected and uniform TEMPEST security environment, the CTTA may grant a TEMPEST site accreditation or ISD for electronic processing of SCI. Each SCIF within the inspectable site must be evaluated separately on its own merits and cannot be approved automatically by being inside an inspectable space. The accreditation/ISD could range from a building to a base/post if all space is inspectable. Compliance is reported within the SCIF Fixed Facility Checklist.
5.6. (U) INSTALLATION REQUIREMENTS:
5.6.1. (U) All computer equipment and peripherals must meet the requirements of National Security Telecommunications Information Systems Security Advisory Memorandum (NSTISSAM) TEMPEST/1-92 and be installed IAW NSTISSAM TEMPEST/2-95, RED/BLACK separation criteria or as determined by a CTTA. The local TEMPEST Manager will oversee all such installations and coordinate on all accreditation documents resulting from the installation.
5.6.2. (U) Use all equipment as intended. All TEMPEST access doors, covers, and plates must be closed and fastened. Unauthorized modifications, even for testing purposes, are strictly forbidden.
5.6.3. (U) Additional TEMPEST requirements may exist if the equipment is not TEMPEST approved. In such a case, your local TEMPEST Manager should be contacted for further guidance.
5.6.4. (U) The local TEMPEST Manager must inspect all equipment installations.
5.6.5. (U) Special prohibitions and installation requirements exist for all transmitters, modems, and other networking and communications devices or equipment. Because of the broad range of this category, coordinate all requests for these devices with your local TEMPEST Manager.
5.6.6. (U) Do not connect a RED IS to any network which has any direct connection to a BLACK IS or other communications medium, such as administrative telephone lines, except through an approved cryptographic device.
5.6.7. (U) Do not use acoustically coupled modems and transmitters or locate them in any secure area without specific written approval from your Designated Approving Authority (DAA).
5.6.8. (U) You may use nonacoustic wireline modems with stand-alone, dedicated BLACK ISs provided that all appropriate telephone security requirements are met; consult with your local TEMPEST Manager.