CHAPTER I
CLASSIFIED AUTOMATED INFORMATION SYSTEMS SECURITY PROGRAM MANAGEMENT
1. OVERVIEW. Managers and users are responsible for ensuring the
implementation of the Classified Automated Information Systems (AIS)
Security Program. This responsibility also applies to all personnel who
interact with a Classified AIS.
2. PROTECTION REQUIREMENTS AND COUNTERMEASURES. Protection requirements
and countermeasures for DOE classified AISs are designed to provide for
the protection of the resources and the information therein from
compromise or loss. The protection is to be commensurate with the
classification level and classification category of the information, the
threats, and the operational requirements associated with the
environment of the classified AIS.
3. PROTECTION METHODOLOGY. The Classified AIS Security Program promotes
the use of a combination of management, personnel security, physical
security, telecommunications security, administrative security, and
technical security requirements to provide protection for classified
information processed, stored, transferred, or accessed by the
classified AIS and protection of the classified AIS itself. When used
appropriately, these protection requirements and countermeasures provide
protection for hardware, software, firmware, and classified information
against destruction, disclosure, or modification. The following
provisions are intended to satisfy the basic requirements for the
protection of information stored or processed in classified AISs. The
requirements include assurance that access to the classified information
is granted only to properly cleared and authorized individuals. The
classified AIS shall be accredited before processing classified
information.
4. RISK MANAGEMENT CONCEPT OF OPERATION.
a. Risk Management. Risk management is the integrated process of
assessing the threat, the vulnerabilities, and the value of the asset,
and applying cost-effective countermeasures. The purpose of risk
management is to balance the risk of loss, damage, or disclosure of
an asset against the costs of countermeasures and to select a mix
that provides adequate protection without excessive cost in dollars
or in the efficient flow of information to those who require ready
access to it. The use of the risk management process provides a
rational, cost-effective framework as the underlying basis for
security decision making. Risk management consists of the
following five-step process:
(1) Asset valuation and judgment about the consequence of loss. The
determination of what is to be protected and its value.
Note: Assets may have a value to an adversary that differs
from their value to the owner.
(2) Identification and characterization of the threats to specific
assets. Intelligence assessments must address threats to the
asset in as much detail as possible based on the needs of the
customer.
(3) Identification and characterization of the vulnerability of
specific assets. Vulnerability assessments help identify
weaknesses in the asset that could be exploited.
(4) Identification of countermeasures, costs, and tradeoffs.
There may be a number of different countermeasures available,
each with varying costs and effectiveness.
(5) Risk Assessment. The consideration of asset valuation, threat
analysis, and vulnerability assessments, along with the
acceptable level of risk and any uncertainties, to make a
judgment of what countermeasures to apply.
b. Residual Risk. The most successful design and implementation of
the requirements and countermeasures detailed in DOE 5639.6A and
this Manual cannot eliminate all risks associated with the use of a
classified AIS. Therefore, the goal of these requirements and
countermeasures is to reduce the risk remaining (residual risk),
after implementation of the protections and countermeasures, to a
range that is acceptable to DOE management. Independent Validation
and Verification teams will be used to identify risks and
vulnerabilities in high-risk classified AISs and networks. In
accrediting the classified AIS, the Designated Accrediting
Authority (DAA) accepts the residual risk of operating the
classified AIS.
c. Site and Facility Risk Assessments. The security requirements
established by DOE 5639.6A and this Manual provide countermeasures
to the Revised DOE Design Basis Threat, as well as threats and
risks defined in the Annual DOE Classified AIS Security Program
Risk Assessment (Annual Risk Assessment). Sites and facilities do
not need to conduct additional documented risk assessments unless a
unique local threat has been identified and the provisions of
DOE 5639.6A and this Manual do not provide mitigation of that threat;
or unless directed by the DAA.
d. Annual DOE Classified AIS Security Program Risk Assessment. The
Classified AIS Security Program Manager (CSPM) shall perform and
document the Annual Risk Assessment. This assessment shall
determine if the countermeasures identified in DOE 5639.6A and this
Manual are adequate to minimize the risk accepted against the
nationally recognized threat.
e. Threat Identification. The Annual Risk Assessment shall be
considered in assessing the threat to DOE classified AISs.
(1) The Classified AIS System Security Officer (CSSO), in
coordination with the managers of the Classified AIS and the
data owners, shall identify and document any threats unique to
the classified AIS or the information contained therein.
(2) The Classified AIS Security Site Manager (CSSM) shall identify
and document any threats unique to the site; for instance:
natural phenomena such as earthquakes, tornadoes, etc.; unique
emissions suppression (TEMPEST) requirements; proximity to
potential adversaries (e.g., foreign nationals with access to
resources). These threats shall be documented in the Site
Safeguards and Security Plan or the Site Security Plan and
referenced in the Classified AIS Security Plan.
(3) If there are threats to the information, classified AIS, or
site, the DAA shall determine whether the implementation of this
Manual's requirements mitigates those threats or whether an
additional documented risk assessment is necessary.
(4) The Classified AIS Security Plan shall either state that there
are no unique or different threats; or identify by reference
those threats to the information, Classified AIS, or site that
are unique or different and describe how they are to be
mitigated.
f. Vulnerability Identification. The CSSO shall identify any known
hardware/software vulnerabilities and determine if the
countermeasures required by DOE 5639.6A and this Manual are
satisfactory to mitigate the vulnerabilities and meet the security
requirements. The results of this vulnerability identification
shall be documented in the Classified AIS Security Plan and shall
include any unique countermeasures that shall be implemented as a
result.
g. Risk Acceptance. A DAA accredits the classified AIS to operate
within certain parameters: within a particular security Mode of
Operation; with a prescribed set of technical and nontechnical
security countermeasures; against a defined threat; in a given
operating environment; under a stated operational concept; with
stated interconnections to other classified AISs; under a stated
configuration; and at a level of risk for which the DAA has been
formally authorized to assume responsibility.
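Paragraphs 4a and 4b describe the five-step process and the goal of bringing residual risk into a range the DAA can accept. The Python example below is added here and is not part of the Manual: it walks the five steps for a constructed asset and selects the cheapest countermeasure mix whose residual risk falls within the acceptable range. The Manual prescribes no scoring formula; the expected-annual-loss model and every number used are assumptions.

```python
from dataclasses import dataclass
from itertools import combinations

# Constructed illustration of paragraphs 4a (five steps) and 4b (residual risk).
# The Manual prescribes no formula; the model here (asset value x threat
# likelihood x exploitability, with each countermeasure independently scaling
# exploitability down) is an assumption, as are all the sample numbers.

@dataclass(frozen=True)
class Asset:              # Step 1: what is protected and what its loss costs
    name: str
    value: float          # consequence of loss, dollars

@dataclass(frozen=True)
class Threat:             # Step 2: who or what acts against the asset, how often
    name: str
    likelihood: float     # expected attempts per year

@dataclass(frozen=True)
class Vulnerability:      # Step 3: weakness an attempt could exploit
    name: str
    exploitability: float # probability an attempt succeeds with no countermeasures

@dataclass(frozen=True)
class Countermeasure:     # Step 4: an option with its cost and effectiveness
    name: str
    cost: float           # annual cost, dollars
    reduces: float        # fraction of remaining exploitability removed, 0..1

def inherent_risk(asset: Asset, threat: Threat, vuln: Vulnerability) -> float:
    """Expected annual loss with no countermeasures applied."""
    return asset.value * threat.likelihood * vuln.exploitability

def residual_risk(asset, threat, vuln, chosen) -> float:
    """Expected annual loss remaining after the chosen countermeasures (4b)."""
    remaining = vuln.exploitability
    for cm in chosen:
        remaining *= 1.0 - cm.reduces   # assumed independent effects
    return asset.value * threat.likelihood * remaining

def select_countermeasures(asset, threat, vuln, candidates, acceptable_risk):
    """Step 5: cheapest mix whose residual risk is within the acceptable range.
    Exhaustive search over subsets; fine for the handful of options a plan lists.
    Returns (cost, residual_risk, names), or None when no mix reaches the
    acceptable range, the situation paragraph 12 (deviations) addresses."""
    best = None
    for k in range(len(candidates) + 1):
        for combo in combinations(candidates, k):
            risk = residual_risk(asset, threat, vuln, combo)
            if risk > acceptable_risk:
                continue
            cost = sum(cm.cost for cm in combo)
            if best is None or (cost, risk) < (best[0], best[1]):
                best = (cost, risk, tuple(cm.name for cm in combo))
    return best

# Constructed sample data (not from the Manual).
ASSET = Asset("design database", value=5_000_000)
THREAT = Threat("insider misuse", likelihood=0.2)
VULN = Vulnerability("unaudited privileged access", exploitability=0.5)
CANDIDATES = [
    Countermeasure("audit logging", cost=20_000, reduces=0.5),
    Countermeasure("two-person rule", cost=60_000, reduces=0.8),
    Countermeasure("media accountability", cost=10_000, reduces=0.3),
]

def run_example(acceptable_risk: float = 60_000):
    """Apply the five steps to the sample data for a given acceptable risk."""
    return select_countermeasures(ASSET, THREAT, VULN, CANDIDATES, acceptable_risk)

if __name__ == "__main__":
    print(f"inherent risk: ${inherent_risk(ASSET, THREAT, VULN):,.0f}/yr")
    choice = run_example()
    if choice is None:
        print("no mix reaches the acceptable range; a deviation would be needed")
    else:
        cost, risk, names = choice
        print(f"select {', '.join(names)}: cost ${cost:,.0f}, residual ${risk:,.0f}/yr")
```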
5. CONFIGURATION MANAGEMENT PROGRAM.
a. Baseline Requirements. The AIS security baseline for AIS
configuration management shall encompass the Hardware/Software
Descriptions outlined below, the test plans, the Classified AIS
Security Plans, and the procedures for making changes to these
descriptions and plans.
Note: This Configuration Management Program does not include the
life cycle assurance requirements for vendor supplied security
products supporting classified AISs operating with a Protection
Index of three or greater.
b. Hardware/Software Description. The description requirements are
defined as follows:
(1) Hardware Type Description. A Hardware Type Description is
defined as containing the major components of the classified
AIS. It shall identify the type of each AIS component
(workstations/personal computers, hosts, servers, multiplexers,
routers, gateways, etc., but not connected support equipment
such as printers and hard drives), its connectivity (to what the
component is connected), its physical location, and the
communication media that support the AIS (Ethernet, broadband,
modems, etc.).
(2) Detailed Hardware/Software Description. A Detailed Hardware/
Software Description shall include the hardware model numbers
and the software product names and release numbers.
(3) Hardware/Software Description Implementation.
(a) For Single-user, Standalone Classified AISs. A Hardware
Type Description is required.
(b) For Classified AISs Operating With a Protection Index of
Zero, One, or Two. A Hardware Type Description is
required plus the Detailed Hardware/Software Description
for the Security Support Structure.
(c) For Classified AISs Operating With a Protection Index of
Three or Greater. The description shall include the same
requirements as detailed in paragraph b above, plus the
identification of the sensitivity level
(Secret-Restricted Data, Confidential-Restricted Data,
Secret-National Security Information,
Confidential-National Security Information) and, where
applicable, the unclassified sensitivity level
(Proprietary, Privacy Act, Unclassified Controlled
Nuclear Information, Unclassified Sensitive) of each
connection (Port) to the Security Support Structure.
(d) Controlled Interfaces. For AISs functioning as
Controlled Interfaces supporting Interconnected Networks,
the Hardware/Software Descriptions will include the
requirements described in paragraph (b) above, plus the
identification of the sensitivity level of each
connection (Port) to the Controlled Interface.
c. Ongoing Security Performance Test Plans. The Configuration
Management Program shall include procedures for ensuring that the
ongoing security performance test plan for the classified AIS is
updated and maintained.
d. Classified AIS Security Plans. The Configuration Management
Program shall include procedures for ensuring that the classified
AIS Security Plan is updated and maintained.
e. Media Resources. Media containing classified information shall be
controlled in accordance with approved site accountability
requirements, DOE 5635.1A, and Information Resources Management
practices.
6. SOFTWARE PROTECTION. Software resident on any classified AIS shall be
limited to only the software authorized for that classified AIS.
Authorized software shall be determined by the responsible manager or
supervisor.
a. Malicious Activities. Policies and procedures shall be established
and documented by the CSSM to detect and deter incidents caused by
malicious logic or unauthorized modification to software.
b. Public Domain Software. The use of public domain software on a
classified AIS is strongly discouraged. Policies regarding the
installation of public domain software shall be established,
documented, and implemented by the CSSM. If such software is
required or is desired to enhance the operation of the classified
AIS, each use of such software shall be approved by the CSSM. This
software shall be examined carefully and determined to contain no
subversive or malicious code before it is introduced into the
operating environment of the classified AIS.
c. Personally Owned Software. The use of personally owned software on
a Classified AIS is prohibited.
d. Proprietary Software. Any software that is owned and licensed by a
commercial vendor is considered proprietary and shall only be
introduced into the operating environment of the classified AIS
after the proper license to use the software has been acquired.
e. Custom Software Developed by DOE or Covered Contractors. DOE or
covered contractor organizations developing security-relevant,
custom software specifically for use in classified AIS facilities
shall use software engineering techniques as described in DOE
1330.1D, COMPUTER SOFTWARE MANAGEMENT, of 5-18-92, and the SOFTWARE
MANAGEMENT GUIDE, DOE/AD-0028, of June 1992. Such software shall
be tested for correct operation and for the presence of any
malicious or subversive code before being used on a Classified AIS.
Problems that are identified in custom software that has been
developed by other DOE sites or organizations shall be reported to
the developing organization.
7. SECURITY-RELEVANT SOFTWARE MODIFICATIONS. All modifications to
security-relevant resources (software, firmware, hardware, or interfaces
and interconnections to networks) shall be reviewed and approved by the
responsible manager (or designee) and the CSSO for the classified AIS
prior to implementation. All security-relevant modifications shall be
subject to the provisions of the Configuration Management Program.
a. Those modifications which could have an effect upon the security of
the Classified AIS shall be reviewed by the CSSM.
b. All security-relevant software that is resident in a Classified AIS
is included in these requirements, including operating systems,
utilities, and security-relevant application programs.
(1) The responsible manager (or designee) and the CSSO may review
and approve nonsecurity-related changes or additions (e.g.,
adding or deleting applications software) to existing
classified AISs that do not deviate from the requirements of
the approved Classified AIS Security Plan.
(2) Requests for changes to resources for accredited classified
AISs that deviate from the requirements of the approved
Classified AIS Security Plan shall be forwarded in writing to
the CSSM for approval. Examples include: adding, deleting,
or changing security-relevant software or hardware; or
modifications to software (including the operating system)
that represent a security impact.
(3) The CSSM shall notify the CSOM and the DAA of requests for
changes to the resources for the classified AIS that deviate
from the requirements of the approved Classified AIS Security
Plan. The DAA shall consider the classified AIS for
reaccreditation.
8. CLASSIFIED AIS ACQUISITION SPECIFICATIONS. DOE and covered contractor
organizations shall ensure that appropriate technical, administrative,
physical, and personnel security requirements are considered in
specifications for the acquisition of classified AIS equipment,
software, or related services to be utilized in the classified AIS
environment. These security requirements shall reflect the requirements
of the Protection Index for the classified AIS. The acquisition
specifications shall be reviewed and approved by the CSSM. This
approval shall be documented prior to issuance of the procurement and
included in the classified AIS procurement documents.
9. CONTINUITY OF OPERATIONS PLANNING. A decision concerning the need for a
continuity of operations plan (including contingency planning and
disaster recovery planning) for each classified AIS shall be made by the
manager or supervisor directly responsible for the classified AIS. This
decision shall be documented and signed by the manager or supervisor. A
statement of the decision and the basis for that decision shall be
documented in the Classified AIS Security Plan. If a continuity of
operations plan is not needed, a statement to that effect shall be
included in the Classified AIS Security Plan. If a continuity of
operations plan is needed, it shall be developed by site management and
designed to ensure that users can continue to perform essential
functions in the event the classified AIS cannot continue to perform its
functions. The plan will be signed by the manager or supervisor and, at
a minimum, the following topics shall be addressed:
a. Mission Essential Applications. Mission essential applications
shall be identified.
b. Mission Essential Resources. Mission essential hardware and
software resources related to a Classified AIS, key response and
recovery personnel, and alternate site processing requirements
shall be identified.
c. Response. The type of response (e.g., hot site, cold site,
exchange agreements, etc.) necessary to continue the mission shall
be determined based on the projected recovery time and response
requirements.
d. Responsible Personnel. Site management is responsible for ensuring
that the continuity of operations plan is properly implemented.
e. Backup Frequency and Location. Frequency of performing backups
shall be established to ensure, at a minimum, that current backup
copies of mission essential software and data exist (i.e., software
or data essential to the operation of the classified AIS, and
software or data necessary to support any mission essential
application). The location of the backups shall be identified.
f. Documentation. Procedures shall be established to assure that all
necessary documentation is maintained and available for continuity
of operations and for disaster recovery. The location of
documentation for continuity of operations or disaster recovery
operations shall be identified.
g. Exercise of Continuity of Operations Plans. Continuity of
operations plans shall be exercised (tested) and the results
documented. The frequency of the testing shall be commensurate
with the magnitude of loss or harm that could result from
disruption of service and as approved by the DAA in the classified
AIS Security Plan.
h. Cost to Exercise Plan. The documentation for the procedures shall
include an estimate of the cost of exercising the plan.
10. DATA AND OPERATING SYSTEM BACKUP PROCEDURES. The CSSO is responsible
for ensuring that procedures are established, documented, and
implemented to back up all essential data, utility, and operating system
files (including network interface software) on a regular basis. Media
containing such backups shall be stored at a remote location.
11. CLASSIFIED AIS SECURITY PROGRAM EVALUATIONS. Program evaluations ensure
that the Classified AIS Security Program management process continues to
meet the requirements of the policies and procedures of the Department.
a. CSOM Review. Each CSOM shall ensure the review of the Classified
AIS security program implemented by each CSSM. These reviews shall
be conducted in compliance with DOE 5634.1B, FACILITY APPROVALS,
SECURITY SURVEYS AND NUCLEAR MATERIALS SURVEYS, and they shall be
documented.
b. CSSM Review. Each CSSM shall perform a self-assessment of the site
Classified AIS Security Program as defined in DOE 5639.1,
INFORMATION SECURITY PROGRAM, including compliance by each CSSO
with the site Classified AIS Security Program, midway between the
surveys conducted as defined in DOE 5634.1B, FACILITY APPROVALS,
SECURITY SURVEYS AND NUCLEAR MATERIALS SURVEYS. The CSSM shall
prepare a summary of this review, including actions taken to
correct identified findings or vulnerabilities, and transmit it to
the site senior management official and notify the CSOM of this
action. For sites that have many small Classified AISs (e.g.,
personal workstations, process control AISs) or have many similar
systems such as distributed processors, this review may be
performed on a selected basis so that each such classified AIS is
reviewed by the CSSM at least once every 3 years.
12. ALTERNATIVE PROTECTION MEANS AND DEVIATIONS. Where it is impossible or
impracticable to implement the protection requirements and
countermeasures described in DOE 5639.6A and this Manual in the
classified AIS, alternative protection means and deviations (variances,
waivers, or exceptions) shall be approved under the procedures described
in DOE 5630.11A.
13. USER AWARENESS AND RESPONSIBILITIES.
a. User Guidelines. Each site shall have a site-specific Classified
AIS Security Guideline available to all users. The purpose of this
guideline is to provide all users with a basic understanding of
their responsibilities for protecting classified information
contained in classified AIS and of the local security procedures
for the use of classified AISs. The information in this guideline
shall be included in user training. Additionally, the guideline
shall include at least the following site-specific items:
(1) Physical security procedures;
(2) Systems and data backup policy and procedures;
(3) Locked door policies; and
(4) Protection procedures for special purpose computers and
equipment (e.g., facsimile machines) processing classified
information.
b. Code of Conduct. Each user of a Classified AIS shall be required
to read and sign a Code of Conduct statement before initially
accessing a Classified AIS. These statements shall be maintained
for the period that the user requires access. Included in this
statement shall be acknowledgement of at least the following
responsibilities:
(1) To protect his/her unique authenticator (password);
(2) To protect information accessed or controlled by the user;
(3) Not to use the classified AIS resources to defraud, cause
waste, or abuse resources;
(4) Not to introduce unauthorized software into the processing
environment;
(5) To use his/her access authorization appropriately; and
(6) To respect the operating rules of the classified AIS Security
Program.
c. Nondisclosure Agreements. Specific requirements may also exist for
users to sign a nondisclosure agreement before initial access to
information with special access or disclosure requirements, such as
Special Access Programs. Where these requirements exist, no user
shall access such data before signing the required agreement. Such
agreements shall be maintained.
14. AIS SECURITY TRAINING AND AWARENESS PROGRAM. A training program shall
be established, documented, and periodically reviewed for updating. The
program shall ensure that all personnel who have access to the
Classified AIS are aware of and familiar with the Classified AIS
Security Program, the security aspects of the classified AIS, and the
contents of associated DOE directives.
a. Training Responsibilities. Each DOE or covered contractor manager
or supervisor shall ensure that all personnel under his/her
direction or supervision who are authorized to use or have access
to a Classified AIS have received the required training in the use
of the classified AIS, and that users are familiar with their
responsibilities for the protection of classified information.
b. Qualification Training. The CSPM shall ensure that qualification
training programs for CSOMs and CSSMs are developed, periodically
presented, and documented. This training program shall be a
preparation for the role of managing the Classified AIS Security
Program. Personnel occupying either position shall complete the
prescribed training programs within 1 year of appointment.
c. Participation. DOE Site Directors, Contractor and Management and
Operating Facility Managers, Director, Office of Information
Technology Services and Operations, Assistant Secretary for Human
Resources and Administration, and the Director of Headquarters
Operations Division, Office of Security Affairs, shall ensure that
CSSMs under their cognizance participate in the qualification
training specified in paragraph 14b.
d. Classified AIS Security Awareness Training. Each CSSM shall ensure
that classified AIS security awareness training programs for CSSOs,
data owners, and users under his/her cognizance are developed,
presented, and documented. Each CSSO, data owner, and user shall
participate in this training annually. This participation shall be
documented.
e. Classified AIS Escort Training. Each CSSM shall ensure the
development, documentation, and presentation of a site training
program to train classified AIS escorts in their responsibilities
and in the proper techniques for monitoring the actions of
visitors, the work of maintenance personnel, and the transport of
classified AIS equipment. Completion of this training shall be
documented. Each classified AIS escort shall participate in the
training at least annually.
15. WASTE, FRAUD, AND ABUSE PROTECTION. The Classified AIS Security Plan
shall address the frequency of the review and document the management
controls established to detect and deter waste, fraud, and abuse of
Government property and resources.
16. CLASSIFIED AIS SECURITY INCIDENT HANDLING. Procedures for
recording, reporting, investigating, documenting, and responding to AIS
security incidents shall be established by the CSSM and approved by the
cognizant CSOM for all classified AISs that process, store, transfer, or
provide access to classified information. These procedures shall be
defined in such a way that they provide a vehicle for reporting,
documenting, and investigating violations of laws and infractions of
procedures as described in DOE 5000.3B, OCCURRENCE REPORTING AND
PROCESSING OF OPERATIONS INFORMATION, of 1-19-93.
a. System-Specific Vulnerabilities. The CSSM shall ensure that any
discovery of a hardware or software system-specific security
vulnerability is also reported to the Department Computer Incident
Advisory Capability. This will facilitate communication to the
community of a newly discovered vulnerability. The Computer
Incident Advisory Capability shall provide assistance in resolving
software vulnerabilities.
b. Special Attention for Malicious Logic, Viruses, and Intruders.
(1) All incidents involving malicious logic, active viruses or
intruders, proven or suspected, shall be reported to the CSSM
immediately and measures shall be taken to prevent the spread
of the virus or the continuing activity of the intruder.
(2) Any discovery of malicious logic, an active virus or an
intruder shall be reported as an incident in accordance with
DOE 5000.3B.
(3) The DOE Computer Incident Advisory Capability shall provide
assistance in categorizing, preventing infection by, and
handling of malicious logic, viruses and intruders.