CHAPTER X
TECHNICAL SECURITY REQUIREMENTS
1. BASELINE REQUIREMENTS. A combination of technical security features and
assurances shall be implemented (in addition to other measures, such as
physical and personnel security) to provide the required protection for
classified data processed, stored, transferred, or accessed via the
classified AIS. This chapter delineates those technical security
features and assurances that shall be activated and certified as
operational prior to accreditation. Tabular forms of the specification
of these requirements are in Figures X-2 and X-3. The determination of
the particular measures to be used is a function of the Protection
Index of the Classified AIS.
2. SECURITY FEATURES. The following features shall be implemented as
required by the Protection Index of the classified AIS.
a. Identification Controls. Multiuser classified AISs shall control
and limit user access based on identification and authentication of
the user. The requirements for user authorization and use of user
IDs are found on page IX-2, paragraphs 3a and b.
b. Authentication. Multiuser classified AISs shall ensure that each
user of the classified AIS is authenticated before access is
permitted.
(1) Requirements. Requirements for authentication controls and
the use of authenticators are found on page IX-2, paragraph
3c.
(2) Additional Authentication Countermeasures. Where the
operating system provides the capability, the following
features shall be implemented:
(a) Logon Attempt Rate. Successive logon attempts shall be
controlled by denying access after multiple (maximum of
five) unsuccessful attempts on the same user ID; by
limiting the number of access attempts in a specified
time period; by the use of a time delay control system;
or by other such methods, subject to approval by the DAA.
(b) Notification to the User. The user shall be notified
upon successful logon of: the date and time of the
user's last logon; the location of the user (as can best
be determined) at last logon; and the number of
unsuccessful logon attempts using this user ID since the
last successful logon. This notice shall require
positive action by the user to remove the notice from the
screen.
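The following is an added illustration of the countermeasures in paragraph 2b(2); it is not text or code from this Order. It denies access after five consecutive unsuccessful attempts on a user ID (the maximum permitted by 2b(2)(a)), limits the number of attempts in a time window, and on a successful logon returns the notice required by 2b(2)(b), which remains until the user acknowledges it. The window size, the per-window limit, the credential store and all names are assumptions made for the illustration.

```python
"""Logon-attempt control and last-logon notice (paragraph 2b(2)).

Added example; not text or code from the Order.  The five-attempt maximum
comes from 2b(2)(a); the window size, the per-window limit, the credential
store and all names are assumptions made for the illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_FAILURES = 5       # 2b(2)(a): deny access after at most five unsuccessful attempts
WINDOW_SECONDS = 60    # assumed: attempts are counted within a 60-second window
MAX_PER_WINDOW = 10    # assumed: at most ten attempts per user ID per window


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures_since_success: int = 0
    blocked: bool = False
    last_success: Optional[Tuple[float, str]] = None   # (time, location) of last logon
    attempt_times: List[float] = field(default_factory=list)


@dataclass
class LogonNotice:
    """2b(2)(b): shown after a successful logon; stays on screen until acknowledged."""
    last_logon_time: Optional[float]
    last_logon_location: Optional[str]
    failures_since_last_logon: int
    acknowledged: bool = False

    def acknowledge(self) -> None:
        """The positive action that removes the notice from the screen."""
        self.acknowledged = True


def _digest(salt: bytes, password: str) -> bytes:
    # Salted, iterated hash so the stored authenticator is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class Authenticator:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.audit: List[Tuple[str, str, float, str]] = []   # (event, user ID, time, detail)

    def enroll(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user_id] = Account(salt=salt, digest=_digest(salt, password))

    def logon(self, user_id: str, password: str, now: float, location: str) -> Optional[LogonNotice]:
        """Return a LogonNotice on success, None when access is denied."""
        acct = self.accounts.get(user_id)
        if acct is None:
            self.audit.append(("LOGON_FAIL", user_id, now, "unknown user ID"))
            return None
        if acct.blocked:
            self.audit.append(("LOGON_DENIED", user_id, now, "user ID blocked"))
            return None
        # Rate limit: drop attempts older than the window, then count the rest.
        acct.attempt_times = [t for t in acct.attempt_times if now - t < WINDOW_SECONDS]
        if len(acct.attempt_times) >= MAX_PER_WINDOW:
            self.audit.append(("LOGON_DENIED", user_id, now, "attempt rate exceeded"))
            return None
        acct.attempt_times.append(now)

        if hmac.compare_digest(acct.digest, _digest(acct.salt, password)):
            prev = acct.last_success
            notice = LogonNotice(
                last_logon_time=prev[0] if prev else None,
                last_logon_location=prev[1] if prev else None,
                failures_since_last_logon=acct.failures_since_success,
            )
            acct.last_success = (now, location)
            acct.failures_since_success = 0
            self.audit.append(("LOGON_OK", user_id, now, location))
            return notice

        acct.failures_since_success += 1
        self.audit.append(("LOGON_FAIL", user_id, now, location))
        if acct.failures_since_success >= MAX_FAILURES:
            acct.blocked = True   # the block and its reason are audited (see 2c(5)(a)1c)
            self.audit.append(("USER_ID_BLOCKED", user_id, now, "five unsuccessful attempts"))
        return None
```

The failure counter is reset only by a successful logon, so the count reported in the notice is exactly the number of unsuccessful attempts since the user's last successful logon; a blocked user ID stays blocked until an administrator clears it, which this illustration deliberately leaves outside the logon path.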
c. Audit Capability. A record of each logon and logoff to any
multiuser classified AIS shall be maintained. Where there are
multiple users of the classified AIS and where an automated
capability does not exist, a manual log shall be maintained at the
discretion of the DAA.
(1) Audit Capability Failure. The Classified AIS Security Plan
shall provide procedures to be followed in the event of a
failure in the audit record capability. These procedures
shall include shutdown criteria for the classified AIS.
(2) Accountability for Electronic Information. Accountability for
information that is accessed electronically shall be via the
classified AIS accountability records (audit trail).
(3) User Accountability. The classified AIS shall ensure
individual accountability. This shall be accomplished by
identifying the user, authenticating the user, and maintaining
audit trails.
(4) Audit Trail Generation and Protection. Where the classified
AIS provides the capability, audit records shall be generated
automatically. To ensure user accountability, the
accountability records shall be protected from access by
unauthorized users (i.e., only the CSSO or other authorized
person shall have access to these records).
(5) Audit Trail Requirements. For classified AISs that implement
automated access controls, the classified AIS shall create an
audit trail of user IDs, authentication records, and
subsequent changes to these as an accountability record.
Audit trails shall provide the capability to reconstruct a
security incident.
(a) Recording Anomalies. The events causing an entry in the
audit trail shall include at least the following:
1 For all classified AISs:
a Use of authentication changing procedures.
b Unsuccessful logon attempts.
c The blocking of a user ID and the reason for
the blocking (e.g., due to its password
reaching the end of its lifetime).
2 For classified AISs to be operated at a Protection
Index of one or greater:
a Actions to open, close, create, and destroy
files.
b Unauthorized system file access attempts.
3 For classified AISs to be operated at a Protection
Index of two or greater, changes to security labels
that lower the classification levels or reduce the
restrictions of a classification category.
(b) Additional Events. Other events that may be included for
the purpose of reconstructing security incidents are:
1 Start and stop of classified periods processing.
2 Initiation and termination of pertinent system
security related events.
(c) The DAA may decide to supplement or reduce the recorded
events, described in subparagraph (b) above, in order to
meet operational requirements.
(6) Audit Trail Monitoring. All audit trails created by multiuser
classified AIS shall be monitored by the CSSO for unauthorized
access, attempted access, or other anomalies on a scheduled
basis but at least weekly. These reviews shall be documented.
Large AISs and AISs with a high level of activity shall
require more frequent monitoring. The frequency of the review
shall be stated in the Classified AIS Security Plan. Other
audit trail monitoring capabilities shall be implemented as
follows:
(a) Automated Extraction of Audit Data. For classified AIS
operating with a Protection Index of two or greater, the
AIS shall provide tools for the automated extraction of
audit data.
(b) Automated Analysis of Audit Data. For classified AIS
operating with a Protection Index of three or greater,
the AIS shall provide tools for the automated analysis of
audit data.
(c) Continuous, Online Automated Monitoring and Real Time
Warning. For classified AISs operating with a Protection
Index of three or greater, the AIS shall provide for
continuous, online monitoring (audit) of use and real
time warning to the CSSO of suspected misuse.
(7) Audit Records Retention. Audit records shall be retained for
a minimum of 6 months.
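The following is an added illustration of the automated extraction and analysis of audit data called for in paragraph 2c(6); it is not code from this Order. The record format, the sample records and the three-failure review threshold are constructed for the illustration; the event names follow the events listed in 2c(5)(a). A record the tool cannot read is counted separately, since an unreadable audit trail bears on the audit capability failure procedures of 2c(1).

```python
"""Audit trail extraction and review (paragraph 2c(6)).

Added example; not code from the Order.  The record format, the sample
records and the review threshold are constructed for the illustration.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Assumed record format: ISO time, event name, then key=value fields.
RECORD = re.compile(r'^(?P<time>\S+)\s+(?P<event>[A-Z_]+)\s*(?P<rest>.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample audit trail (user IDs, terminals and paths are invented).
SAMPLE_AUDIT = """\
2024-03-04T08:01:12Z LOGON_FAIL user=u1001 term=T07
2024-03-04T08:01:30Z LOGON_FAIL user=u1001 term=T07
2024-03-04T08:01:52Z LOGON_FAIL user=u1001 term=T07
2024-03-04T08:02:10Z LOGON_OK user=u1001 term=T07
2024-03-04T08:30:00Z AUTH_CHANGE user=u1002 term=T02
2024-03-04T09:15:44Z LOGON_FAIL user=u1003 term=T11
2024-03-04T09:40:00Z USER_ID_BLOCKED user=u1004 reason="password reached end of lifetime"
2024-03-04T10:00:00Z FILE_OPEN user=u1002 file=/project/report.txt
2024-03-04T10:05:00Z SYSFILE_ACCESS_DENIED user=u1002 file=/system/audit.cfg
2024-03-04T11:00:00Z LABEL_DOWNGRADE user=u1005 file=/project/plan.txt old=SECRET new=CONFIDENTIAL
this line is not a well-formed record
"""


def parse_records(lines: Iterable[str]) -> Tuple[List[Dict[str, str]], int]:
    """Extract structured records; return (records, count of unreadable lines)."""
    records: List[Dict[str, str]] = []
    malformed = 0
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = RECORD.match(line)
        if m is None:
            malformed += 1
            continue
        rec = {"time": m.group("time"), "event": m.group("event")}
        rec.update((k, v.strip('"')) for k, v in FIELD.findall(m.group("rest")))
        records.append(rec)
    return records, malformed


def analyze(lines: Iterable[str], failure_threshold: int = 3) -> Dict[str, object]:
    """Summarize the trail and list the items a CSSO review should look at."""
    records, malformed = parse_records(lines)
    failed = Counter(r.get("user", "?") for r in records if r["event"] == "LOGON_FAIL")
    blocked = [(r.get("user", "?"), r.get("reason", ""))
               for r in records if r["event"] == "USER_ID_BLOCKED"]
    denied = [(r.get("user", "?"), r.get("file", ""))
              for r in records if r["event"] == "SYSFILE_ACCESS_DENIED"]
    downgrades = [(r.get("user", "?"), r.get("file", ""), r.get("old", ""), r.get("new", ""))
                  for r in records if r["event"] == "LABEL_DOWNGRADE"]

    findings: List[str] = []
    for user, n in sorted(failed.items()):
        if n >= failure_threshold:
            findings.append(f"{n} unsuccessful logon attempts on user ID {user}")
    findings += [f"user ID {u} blocked: {why}" for u, why in blocked]
    findings += [f"unauthorized system file access attempt by {u} on {f}" for u, f in denied]
    findings += [f"label lowered by {u} on {f}: {o} -> {n}" for u, f, o, n in downgrades]
    if malformed:
        findings.append(f"{malformed} unreadable audit record(s); check the audit capability")

    return {
        "event_counts": Counter(r["event"] for r in records),
        "failed_logons": failed,
        "blocked": blocked,
        "sysfile_denied": denied,
        "downgrades": downgrades,
        "malformed": malformed,
        "findings": findings,
    }


if __name__ == "__main__":
    for item in analyze(SAMPLE_AUDIT.splitlines())["findings"]:
        print("-", item)
```

On the sample trail the review surfaces five items: the run of failures on one user ID, the blocked user ID with its reason, the denied system file access, the label downgrade, and the unreadable line. The documented weekly review of 2c(6) can then be a dated record of this output together with the CSSO's disposition of each item.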
d. Resource Reallocation and Allocation.
(1) Resource Reallocation. Classified AISs with a Protection
Index of one or greater shall clear memory and storage before
reallocation to a different user (see page IX-6, paragraph
10a).
(2) Resource Allocation. For classified AISs operating with a
Protection Index of two or greater, the Security Support
Structure shall provide the capability to control a defined
set of system resources (e.g., memory, disk space) such that
no one user can deny access to the resources of another user.
e. File Access Controls. For classified AISs operating with a
Protection Index of one or greater, classified files shall be
protected by a secondary access control measure. This may be
implemented by measures such as file passwords, access control
lists, or other techniques, as approved by the DAA.
f. File Access Authorization. For classified AISs operating with a
Protection Index of one or greater, the operating system shall
provide a file access control measure that allows the data owner to
specify which other users can access each file that he or she owns
and the specific type of access granted (such as read, write, or
execute).
g. Time Lockout. For classified AISs operating with a Protection
Index of one or greater, the AIS shall time lockout an interactive
session after an interval of user inactivity. The time interval
and restart requirements shall be specified in the Classified AIS
Security Plan.
h. Resource Access Controls. Classified AISs operating with a
Protection Index of two or greater shall store and preserve the
integrity of the classification and other sensitivity of all
information internal to the classified AIS.
(1) Security Labels. The classified AIS shall place security
labels on all entities.
(a) Resource security labels reflect the sensitivity
(classification level, classification category, and
handling caveats) of the information on the resource
(e.g., files). Resource labels shall be an integral part
of the electronic data or media.
(b) User security labels reflect the authorizations (security
clearances, need-to-know, formal access approvals) of
users.
(c) Resource and user security labels shall be compared and
validated before a user is granted access to a resource.
(2) Export of Security Labels. Security labels exported from the
classified AIS shall be accurate representations of the
corresponding security labels on the information in the
originating classified AIS.
i. Nondiscretionary Access Controls. For classified AISs operating
with a Protection Index of two or greater, nondiscretionary access
controls shall be provided. These controls shall provide a means
of restricting access to objects based on the sensitivity (as
represented by the label) of the information contained in the
objects and the formal authorization (i.e., security clearance) of
subjects to access information of such sensitivity.
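The following is an added illustration of the label comparison required by paragraphs 2h(1)(c) and 2i, together with the audit entry for label changes that lower a classification required by 2c(5)(a)3; it is not code from this Order. A label is a classification level plus a set of classification categories; a user is granted read access only when the user's authorization label dominates the resource label, and write access only when the resource label dominates the user's label, so that information cannot be moved to a less restricted resource. The level ordering, the category names and the read/write rule are assumptions made for the illustration.

```python
"""Security labels and nondiscretionary access control (paragraphs 2h and 2i),
with the downgrade audit entry from 2c(5)(a)3.

Added example; not code from the Order.  The level ordering, category names
and the read/write rule are assumptions made for the illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Assumed ordering of classification levels, lowest to highest.
LEVELS: Dict[str, int] = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Classification level plus a set of classification categories."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True when this label is at least as high and covers all of other's categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

    def __str__(self) -> str:
        cats = "/" + ",".join(sorted(self.categories)) if self.categories else ""
        return self.level + cats


def access_permitted(user: Label, resource: Label, mode: str) -> bool:
    """2h(1)(c)/2i: compare the user's authorization label with the resource label.

    Read is permitted when the user label dominates the resource label.
    Write is permitted when the resource label dominates the user label, so
    a user cannot copy information to a less restricted resource.
    """
    if mode == "read":
        return user.dominates(resource)
    if mode == "write":
        return resource.dominates(user)
    raise ValueError("unknown access mode: " + mode)


class LabeledStore:
    """Resources whose labels are kept alongside the data (2h(1)(a))."""

    def __init__(self) -> None:
        self.labels: Dict[str, Label] = {}
        # (event, actor, resource, old label, new label)
        self.audit: List[Tuple[str, str, str, str, str]] = []

    def create(self, name: str, label: Label) -> None:
        self.labels[name] = label

    def relabel(self, name: str, new: Label, actor: str) -> None:
        """Change a resource label.  Lowering the level or dropping a category
        reduces the restrictions on the information and is recorded (2c(5)(a)3)."""
        old = self.labels[name]
        lowered = LEVELS[new.level] < LEVELS[old.level] or not new.categories >= old.categories
        if lowered:
            self.audit.append(("LABEL_DOWNGRADE", actor, name, str(old), str(new)))
        self.labels[name] = new
```

The comparison is a single function so that every access path goes through the same check, which is the property paragraph 2l later asks the Security Support Structure to protect: a check that can be bypassed by some access path provides no assurance at all.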
j. Security Level Changes. For classified AISs operating with a
Protection Index of three or greater, the system shall immediately
notify a terminal user of each change in the security level
associated with that user during an interactive session. A user
shall be able to query the system as desired for a display of the
user's complete sensitivity label.
k. Trusted Path. For classified AISs operating with a Protection
Index of five or greater, the AIS shall support a trusted path
between itself and the classified AIS user for initial
identification and authentication.
l. Security Isolation. For classified AISs operating with a
Protection Index of five or greater, the AIS Security Support
Structure shall maintain a domain for its own execution that
protects it from external interference and tampering (e.g., by
reading or modification of its code and data structures). The
protection of the Security Support Structure shall provide
isolation and noncircumventability of isolation functions.
3. SECURITY ASSURANCES. Security assurances provide the confidence that
the classified AIS is operating as expected and in accordance with the
Classified AIS Security Plan.
a. Examination of Hardware and Software. Classified AIS hardware and
software shall be examined when received from the vendor and before
being placed into use.
(1) Classified AIS Hardware. Commercially procured hardware shall
be examined to assure that the hardware contains no features
which might be detrimental to the security of the classified
AIS. Subsequent changes and developments which affect
security may require additional examination.
(2) Classified AIS Software. Commercially procured software shall
be examined to assure that the software contains no features
which might be detrimental to the security of the classified
AIS. Security related software shall be examined to assure
that the security features function as specified.
(3) Custom Software or Hardware Systems. New or significantly
changed software and hardware developed by or specifically for
the Department shall be subject to testing and review at all
stages of development. Security requirements shall be defined
by the data owner. Security reviews shall occur at the Design
Review, System Testing, and Operational Review stages.
b. Security Performance Testing. Security performance testing
includes both certification testing that is performed before the
classified AIS is accredited and ongoing performance testing that
is performed on a regular basis. Requirements for certification
testing are found on page II-3, paragraph 4, and requirements for
ongoing security testing are found on page I-5, paragraph 5c.
c. Configuration Management. The requirements for configuration
management are specified on page I-3, paragraph 5.
d. Confidence in Software Source. In acquiring resources to be used
as part of a classified AIS operating with a Protection Index of
two or greater, consideration shall be given to the level of
confidence placed in the vendor to provide a quality product, to
support the security features of the product, and to assist in the
correction of any flaws.
e. Flaw Discovery. For classified AIS with a Protection Index of two
or greater, the vendor shall provide a method for ensuring the
discovery of flaws in the system (hardware, firmware, or software)
that may have an effect on the security of the AIS.
f. Security Penetration Testing. In addition to testing the
performance of the classified AIS with a Protection Index of two or
greater for certification and for ongoing testing, there shall be
testing to attempt to penetrate the security countermeasures of the
system. The test procedures shall be documented in the test plan
for certification and also in the test plan for ongoing testing.
g. Description of Security Support Structure Protections. The
protections and provisions of the Security Support Structure shall
be documented in such a manner as to show the underlying planning for
the security of a Classified AIS with a Protection Index of two or
greater. Hardware and software features shall be provided that can
be used to periodically validate the correct operation of the
elements of the Security Support Structure.
h. Independent Validation. An Independent Validation and Verification
team shall assist in the certification testing of a Classified AIS
with a Protection Index of two or greater and shall perform
validation of the system as required by the CSPM.
i. Independent Verification. An Independent Validation and
Verification team shall assist in the certification testing of
classified AIS with a Protection Index of two or greater and shall
perform verification testing of the system as required by the CSPM.
j. Security Label Integrity. For a classified AIS accredited to
operate with a Protection Index of two or greater, the methodology
shall ensure the following:
(1) Integrity of the security labels;
(2) The association of a security label with the transmitted data;
and
(3) Enforcement of the control features of the security labels.
k. Detailed Design of Security Support Structure.
(1) For classified AISs operating with a Protection Index of two
or greater, an informal description of the security policy
model enforced by the system shall be available.
(2) For classified AISs operating with a Protection Index of five
or greater, a formal description of the security policy model
enforced by the AIS shall be available and an explanation
provided to show that it is sufficient to enforce the security
policy. All interfaces to the Security Support Structure
shall be included in the design documentation.
l. Flaw Tracking and Remediation. For classified AISs operating with
a Protection Index of three or greater, the vendor shall provide
evidence that all discovered flaws have been tracked and remedied.
m. Life-Cycle Assurance. The development of the classified AIS
hardware, firmware, and software shall be under life-cycle control
and management (i.e., control of the classified AIS from the
earliest design stage through decommissioning) for a Classified AIS
with a Protection Index of three or greater. (This assurance shall
be contractually imposed upon the vendor.)
n. Separation of Functions. For classified AISs with a Protection
Index of three or greater, the functions of the CSSO and the
classified AIS manager shall not be performed by the same person.
o. Device Labels. For classified AISs accredited to operate with a
Protection Index of three or greater, the methodology shall ensure
that the originating and destination device labels are a part of
each message header and enforce the control features of the data
flow between originator and destination.
4. USE OF EVALUATED PRODUCTS LIST. The Department endorses the use of
products from the Evaluated Products List. When determined to be
properly implemented, these products shall be accepted as meeting the
security requirements for the portion of the classified AIS where they
are used.
Note: Caution should be used in combining Evaluated Products List
products either with other products from the Evaluated Products List or
with products that are not on the Evaluated Products List to assure that
they are being used in the same configuration that they were tested; to
assure that all the protection features are properly used; and to assure
that the integration of these products with other products (Evaluated
Products List listed or not) provides the necessary protection for the
classified AIS. (Figure X-1 is provided for comparison to Evaluated
Products List values.)
============================================================================
| Mode of Operation      | Protection Index |Evaluated Products List Rating|
|========================|==================|==============================|
| Single-user, Standalone|        0         |              D               |
|------------------------|------------------|------------------------------|
| Dedicated (Multiuser)  |        0         |              C1              |
|------------------------|------------------|------------------------------|
| System High            |        1         |              C2              |
|------------------------|------------------|------------------------------|
| Compartmented          |        2         |              B1              |
|------------------------|------------------|------------------------------|
| Multilevel A *         |        3         |            B1+ ***           |
|------------------------|------------------|------------------------------|
| Multilevel B **        |        5         |              B3              |
|________________________|__________________|______________________________|

  *   Multilevel A is the Mode of Operation if the AIS has only one
      security clearance level difference (minimum Confidential), and it
      is located in a controlled (secure areas only) facility.

  **  Multilevel B is the Mode of Operation if the AIS has at least one
      security clearance level difference (minimum unclassified), and it
      is located in a controlled (secure and property protection areas)
      facility.

  *** The B1+ level of protection can be achieved by attaining the
      functionality of a National Computer Security Center, Evaluated
      Products List rating of B1 (same as compartmented mode) plus the
      following B2 security criteria:

      1. Security Level Changes.
      2. Device Labels.
      3. Flaw Tracking and Remediation.
      4. Separation of Functions (System Manager/Security Officer).
      5. Life-Cycle Assurance.
      6. Informal Model. More detailed than B1 but less than the
         formal model required at B2.
Figure X-1
Equivalence Table
**** DATABASE NOTE:
ATTACHMENT OF FIGURE X-2 - SECURITY FEATURES (SUMMARY) (PAGE X-9
AND X-10) IS NOT INCLUDED IN DATABASE, DUE TO ITS FORMAT.