CHAPTER XI
CLASSIFIED AIS NETWORK SECURITY REQUIREMENTS
1. OVERVIEW. The characteristics and capabilities of classified AISs
implemented as networks require special security considerations. This
chapter imposes additional requirements on a network or expands on
previously stated security requirements as they apply to a network.
a. Scope. A Classified AIS implemented as a network may be small (two
or three personal workstations) or very large (several
supercomputers and supporting equipment with thousands of connected
terminals). Networks may be internal to a site or location, local
to a municipal area, or global in nature. Networks may be internal
to a contractor (including a global network) or external with
connections from various contractors or agencies.
b. Security Protections. As with other classified AISs, the
Protection Index of the network determines the security protections
and countermeasures required for the network.
c. Classified AIS Networks. For the purposes of this Manual, there
are two types of networks, a Unified Network and an Interconnected
Network. A Unified Network is a network operating under a single
Protection Index (Security Requirements Specification). An
Interconnected Network is composed of two or more networks or
separately accredited AISs separated by a Security Support
Structure that adjudicates the differences in security requirements
between the networks or AISs. At its simplest, the Security
Support Structure adjudicates only need-to-know differences between
networks or AISs that share the same Protection Index; at its most
complex, it adjudicates the security differences of networks or
AISs that have different Protection Indices.
d. Security Plans and Security Requirements Specification. Each
Unified Network shall have a Classified AIS Security Plan (see
Chapter V). The Classified AIS Security Plan for the
Interconnected Network consists of the Security Requirements
Specification from each connected network or AIS plus the Security
Requirements Specification for the Interconnected Network and any
additional paperwork needed to describe and secure the
Interconnected Security Support Structure adjudicating the security
differences of the Interconnected networks or AISs (See page XI-4,
paragraph 4a.)
e. Accreditation.
(1) Unified Network. Unified Networks are accredited by a single
DAA to operate under a single Protection Index.
(2) Interconnected Networks. Interconnected Networks are also
accredited by a single DAA to operate under a single
Protection Index. This Protection Index may be different than
the Protection Indices of each attached network or AIS.
Interconnected Networks are composed of networks or AISs that
were each separately accredited before they were
interconnected. These networks or AISs do not need to be
reaccredited; they are now part of an Interconnected Network
and can continue to operate as separate, independently
accredited networks. The DAA for the Interconnected Network
shall authorize these networks or AISs to operate together and
accredits only the Interconnected Network Security Support
Structure as capable of adjudicating the security differences
of the networks or AISs that now make up the Interconnected
Network.
2. SECURITY SUPPORT STRUCTURE. The Security Support Structure includes all
the resources (hardware, software, firmware, and communications) of a
Classified AIS that perform security functions directly related to the
transfer of information over communications lines, such as Controlled
Interfaces, Network Security Controllers, and Secure File Servers. The
secure operation of the classified AIS depends on the reliable operation
of the Security Support Structure. No reliance for secure operation
will be placed on resources that are not part of the Security Support
Structure.
a. Secure Operation. All the trust for the secure operation of the
classified AIS is placed in the components of the Security Support
Structure.
b. Secure Transmission. The network Security Support Structure shall
ensure that the security parameters are delivered to the correct
component without change or loss.
c. Certification Testing. For a Classified AIS implemented as a
network with a Protection Index of two or greater, the secure
operation of the Security Support Structure shall be validated and
verified by an Independent Verification and Validation team
appointed by the CSPM.
3. UNIFIED NETWORK. A Unified Network is composed of network components or
AISs and has a well-defined network architecture and design. It is
generally administered by a single organizational authority (e.g.,
contractor, Operations Office). A Unified Network operates under one
Classified AIS Security Plan, under one DAA, and with one set of
Security Requirements Specifications.
Note: A Unified Network may be as simple as two Personal Computers
connected together or a single host and collection of terminals or it
may be as complex as an interconnection of local area networks that
provide computing services for an entire facility.
a. Forming a Unified Network. Before linking two classified AISs
together to form a Unified Network, the Security Requirements
Specification of each Classified AIS to be linked into the network
shall be compared to determine the Protection Index of the
resulting network. This comparison of the Security Requirements
Specifications shall be used to determine any conflicts created by
linking the Classified AISs together and what additional
countermeasures shall be required to provide the necessary level of
security. The Security Requirements Specifications shall be
compared and any conflicts resolved whether the classified AISs
consist of standalone AISs, Personal Computers, or personal
workstations.
b. Adding a Classified AIS to a Unified Network. When adding a
Classified AIS to a Unified Network, the CSSM responsible for the
network shall compare the Security Requirements Specification for
the classified AIS being added with the Security Requirements
Specification for the currently accredited network.
(1) No Difference. If there is no difference between the Security
Requirements Specifications, the classified AIS may be added
to the network without reaccreditation of the network. The
CSSO is responsible for ensuring that the Classified AIS
Security Plan is current.
(2) Difference. If there is a difference between the Security
Requirements Specifications, the classified AIS shall not be
added until the differences have been resolved and the network
CSSM has certified that there are no differences. If the
differences cannot be resolved, the Security Requirements
Specification for the network shall be revised and the network
reaccredited.
c. Security Support Structure. The Security Support Structure of a
Unified Network consists of any and all portions of the Unified
Network that are relied upon to provide security for the network.
d. Classified AIS Security Plan. A Classified AIS Security Plan shall
be developed showing how the network complies with requirements for
secure operation as described in DOE 5639.6A and Chapter V of this
Manual. An abbreviated copy of the Classified AIS Security Plan
may be distributed to each CSSO.
4. INTERCONNECTED NETWORK. An Interconnected Network consists of two or
more networks or AISs interconnected with a DAA approved network
Security Support Structure. The networks or AISs that make up the
Interconnected Network may belong to different Federal agencies,
different Operations Offices, different DOE Programs, or simply
different Divisions of the same organization. A Partitioned Classified
Network, as described in Attachment XI-1, is a method of implementing an
Interconnected Network using controlled interfaces. An Interconnected
Network operating at a Protection Index of 3 or greater must utilize a
Controlled Interface as the Network Security Support Structure.
a. Interconnected Security Support Structure. The software, hardware,
firmware, and equipment that mediate the differences in security
and need-to-know between the attached networks or AISs that make up
the Interconnected Network are called the Network Security Support
Structure. This structure is used to limit the information shared
or transmitted between attached networks or AISs. The Security
Support Structure of the Interconnected Network may overlap with
its associated networks or AISs. Where such an overlap occurs, it
shall be the responsibility of both DAAs and shall be so documented
in the Interconnected Classified AIS Security Plan.
b. Controlled Interface Implementation. Each Controlled Interface
shall be implemented to monitor and enforce the security
protections and requirements of the network and adjudicate the
differences in security attributes between the separately
accredited networks or AISs to ensure compliance and security.
Controlled Interfaces are described in paragraph 8 of this Chapter.
c. Security Contract. An Interconnected Network shall have a security
contract (memorandum of understanding) between the administrative
entities (Agencies, contractors, etc.) involved which describes the
management of the network, the sensitivity of the data to be
transmitted, any special security considerations, and the
requirement that all parties to the security contract shall not
change the Security Requirements Specification of their network or
AIS without renegotiating the security contract. Each security
contract shall be reviewed annually for currency. A copy of each
network or AIS Security Requirements Specification shall be
attached to each security contract.
d. Certification Testing. The operation and security of the
Interconnected Security Support Structure shall be tested and
approved before accreditation of the Interconnected Network.
e. Interconnected Classified AIS Security Plan. A network operating
as an Interconnected Network shall have an Interconnected
Classified AIS Security Plan that meets the requirements of DOE
5639.6A and Chapter V of this Manual. Copies of the Interconnected
Classified AIS Security Plan will be furnished to the CSOM and the
CSSM for each network or AIS.
f. Interconnection. A network or AIS connected as a component of an
Interconnected network shall not connect to another network or AIS.
The only method of adding networks or AISs to an existing
Interconnected network is through the Interconnected Security
Support Structure and the revision of the Interconnected Classified
AIS Security Plan.
g. Adding to an Interconnected Network. A network or AIS must be
separately accredited before adding it to an Interconnected
Network.
h. Perimeter of a Network. For the purpose of determining the
security responsibilities of the DAA who accredits an
Interconnected Network, the perimeter of an Interconnected Network
is the network Security Support Structure. This perimeter does not
include the separately accredited networks or AISs, unless the
network Security Support Structure has components or parts in those
networks or AISs or other attached separately accredited networks
or AISs. The perimeter of the network does include any interface
component(s) (hardware or software) that may be installed in the
separately accredited classified AIS, terminal, or workstation
(i.e., any portion of the separately accredited AIS that is a
component of the network Security Support Structure).
5. NETWORK MODE OF OPERATION AND PROTECTION INDICES. See Chapters III and
IV.
6. CLASSIFIED AIS NETWORK MANAGEMENT. A Classified AIS Network shall
comply with all the management requirements specified for a Classified
AIS in Chapter I of this Manual. In addition, a Classified AIS network
(Unified or Interconnected) shall comply with the following
requirements:
a. Designated Accrediting Authority. The selection of a DAA for a
Classified AIS Network is based on the requirements of DOE 5639.6A
and Chapter II of this Manual. The DAA shall ensure the designation
of security officials (such as CSSO, CSSM) responsible for the
secure operation of the network.
b. Configuration Management Program. Since network configurations
change frequently, the Classified AIS Security Plan shall specify
procedures for configuration management and the methods for
ensuring continuing security as changes are implemented through the
Configuration Management Program. The CSSO who is responsible for
the network shall advise the cognizant CSSM of any proposed or
planned alterations to the network design or operation which impact
upon network security. The CSSM shall, in turn, advise the DAA for
the network of these proposed changes.
c. Software Implementation. If any component of the interconnected
Security Support Structure or Controlled Interface resides partly
in the software or firmware of a connecting Classified AIS, its
installation in the classified AIS shall be subjected to review in
the certification process conducted in support of that network's
accreditation.
d. Certification Testing.
(1) Network certification testing shall be conducted to
demonstrate that the implementation of the network meets the
requirements specified in the classified AIS Security Plan.
The tests to be performed shall be specified in writing. Each
feature shall be tested to ensure that it does not adversely
impact any of the other network security features.
(2) For classified AIS networks with a Protection Index of two or
greater, an Independent Verification and Validation team shall
assist in the certification testing.
e. Certification. The CSSM responsible for the network shall perform
the certification. The CSSM is responsible for ensuring
compatibility between the overall Classified AIS Security Plan and
the individual Classified AIS Security Plan of each network
component. The CSSM shall evaluate the implementation of the
classified AIS and the results of the certification tests to verify
that the network has been implemented as described in the
Classified AIS Security Plan and that the specified security
controls are in place and operating properly.
(1) Certification Statement. The CSSM shall issue a written
certification statement that assures the DAA that all
requirements have been met and that the classified AIS network
is ready for accreditation.
(2) Certification Report. The CSSM shall compile a certification
report as supporting evidence for the certification statement.
This report shall be forwarded through the accreditation
chain. The report shall, at a minimum, be composed of the
test plan, an analysis of the certification test results, and
the certification statement.
f. Accreditation. A network shall be accredited prior to its
operational use. Accreditation shall be accomplished or refused
within 30 days of receipt of certification documentation by the
office of the DAA.
g. Reaccreditation. Each classified AIS implemented as a network
shall be reaccredited by the DAA, at a minimum, every 3 years.
Reaccreditation shall also occur if there are modifications to a
classified AIS that impact its security; if the security aspects of
its environment change; or if the applicable security requirements
change.
7. CLASSIFIED NETWORK SECURITY REQUIREMENTS. The security requirements for
a Classified AIS network (Unified or Interconnected) follow the same
topical areas as those for a Classified AIS. In a network, the failure
of a security function may impact the security of not only a single
Classified AIS but also of the entire network and its individual
components. The following requirements are in addition to those
specified in Chapter X and shall be addressed and documented when
applied to a Classified AIS implemented as a network.
a. Access Control.
(1) Identification and Authentication Forwarding. Reliable
forwarding of the identification shall be used between
classified AISs when users are connecting through a network.
When identification forwarding cannot be verified, a request
for access from a remote classified AIS shall require
authentication before permitting access to the system.
(2) Protection of Authenticator Data. In forwarding the
authenticator information and any tables (e.g., password
tables) associated with it, the data shall be protected from
access by unauthorized users (e.g., by encryption), and its
integrity shall be ensured.
b. Audit Trails and Monitoring.
(1) The classified AIS implemented as a network shall be able to
create, maintain, and protect from modification or
unauthorized access or destruction an audit trail of
successful and unsuccessful accesses to the classified AIS
network components within the perimeter of the accredited
network. The audit data shall be protected so that access is
limited to the CSSO or his/her designee.
(2) As Protection Index levels increase, monitoring of network
activity becomes more crucial to the security posture of the
network. Methods of continuous, online monitoring of network
activities shall be included in each network with a Protection
Index of three or greater. This monitoring shall also include
real-time notification to the CSSO of any system anomalies.
(3) The network audit trail shall contain the following types of
information.
(a) Identification of the user accessing any component of the
network.
(b) Starting and ending times of each access to any component
(including file access) of the network.
(c) For networks operating with a Protection Index of two or
greater, the changing of the configuration of the network
(e.g., a component leaving the network or rejoining).
(4) For each recorded event, the audit record shall contain, at a
minimum: date and time of the event; the user ID; type of
event; and success or failure of the event.
(5) Identification shall be included in the audit trail records to
allow association of all related (e.g., involving the same
network event) audit trail records (e.g., at different hosts)
with each other.
(6) Provisions shall be made and the procedures documented to
control the loss of audit data due to unavailability of
resources.
(7) The CSSO responsible for the Classified network shall be able
to selectively audit the actions of any one or more users
based on individual identity.
(8) The network shall record audit trail information sufficient
to allow reconstruction of possible information leakages or
misrouted information in the event of a malfunction.
(9) The network shall provide alarm features that automatically
terminate the data flow in case of a malfunction and then
promptly notify the CSSO of the anomalous condition.
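The audit requirements in paragraph 7b above can be read as a concrete record format: every event carries date and time, user ID, event type, and success or failure (7b(4)); related records at different hosts share an identifier so they can be associated (7b(5)); the trail is protected from modification (7b(1)); the CSSO can select the actions of one or more named users (7b(7)); and the records are sufficient to reconstruct a misrouted transfer (7b(8)). The following is an added example written for this chapter, not code from the Manual or from any DOE system. It assumes a per-network integrity key held only by the CSSO (a fixed byte string here so the example runs offline), a hash-chained HMAC over JSON records, and a small constructed set of records from three hypothetical hosts (hostA, hostB, hostC) including a configuration-change event of the kind required at Protection Index two or greater.

```python
"""Hash-chained network audit trail with cross-host correlation (added example)."""
import hashlib
import hmac
import json

# Assumption: this key is held only by the CSSO or designee. A fixed value is used
# here so the example runs offline; a real deployment would load it from protected storage.
AUDIT_KEY = b"csso-only-example-key-not-for-operational-use"

# Minimum content of every record (7b(4)) plus host and correlation id (7b(5)).
REQUIRED = ("time", "user", "event", "success", "host", "corr_id")


def canonical(record):
    """Deterministic serialisation so every host computes the MAC over identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class AuditTrail:
    """Append-only trail. Each MAC covers the record and the previous MAC, so editing,
    deleting, or reordering any record invalidates every later MAC (7b(1))."""

    def __init__(self, key=AUDIT_KEY):
        self.key = key
        self.records = []
        self.macs = []

    def append(self, **fields):
        missing = [f for f in REQUIRED if f not in fields]
        if missing:
            raise ValueError("audit record missing required fields: %s" % missing)
        prev = self.macs[-1] if self.macs else ""
        mac = hmac.new(self.key, prev.encode() + canonical(fields), hashlib.sha256).hexdigest()
        self.records.append(fields)
        self.macs.append(mac)
        return fields

    def verify(self):
        """Recompute the whole chain; False means the trail was altered."""
        prev = ""
        for rec, mac in zip(self.records, self.macs):
            expect = hmac.new(self.key, prev.encode() + canonical(rec), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expect, mac):
                return False
            prev = mac
        return len(self.records) == len(self.macs)

    def by_user(self, *users):
        """Selective audit by individual identity (7b(7))."""
        return [r for r in self.records if r["user"] in users]

    def by_correlation(self, corr_id):
        """All records of one network event, across hosts, in time order (7b(5))."""
        return sorted((r for r in self.records if r["corr_id"] == corr_id),
                      key=lambda r: r["time"])


def misrouted(trail, corr_id):
    """Reconstruct a transfer from its correlated records (7b(8)) and return the
    hosts that logged a delivery other than the destination named at send time."""
    recs = trail.by_correlation(corr_id)
    send = next((r for r in recs if r["event"] == "send"), None)
    if send is None:
        return []
    return [r["host"] for r in recs if r["event"] == "deliver" and r["host"] != send.get("dest")]


def build_sample_trail():
    """Constructed sample data: a failed then successful login, one correctly routed
    transfer, one misrouted transfer, and a network configuration change (7b(3)(c))."""
    t = AuditTrail()
    ts = lambda s: "1995-03-01T%sZ" % s  # constructed timestamps
    t.append(time=ts("08:00:00"), user="jdoe", event="login", success=False, host="hostA", corr_id="sess-17")
    t.append(time=ts("08:00:09"), user="jdoe", event="login", success=True, host="hostA", corr_id="sess-17")
    t.append(time=ts("08:01:00"), user="jdoe", event="send", success=True, host="hostA", corr_id="xfer-0001", dest="hostB")
    t.append(time=ts("08:01:02"), user="jdoe", event="deliver", success=True, host="hostB", corr_id="xfer-0001")
    t.append(time=ts("08:02:00"), user="asmith", event="send", success=True, host="hostA", corr_id="xfer-0002", dest="hostB")
    t.append(time=ts("08:02:03"), user="asmith", event="deliver", success=True, host="hostC", corr_id="xfer-0002")
    t.append(time=ts("08:05:00"), user="cssadmin", event="config_change", success=True, host="hostC", corr_id="cfg-3",
             detail="hostC left the network")
    return t


if __name__ == "__main__":
    trail = build_sample_trail()
    print("chain intact:", trail.verify())
    print("jdoe events:", [r["event"] for r in trail.by_user("jdoe")])
    print("xfer-0002 misrouted to:", misrouted(trail, "xfer-0002"))
    trail.records[0]["success"] = True  # simulate an after-the-fact edit
    print("chain intact after edit:", trail.verify())
```

The chain only detects tampering; it does not prevent it, and the key itself is the trust anchor, which is why paragraph 7b(1) limits access to the CSSO. Copying the last MAC to a separate host at intervals gives an independent point of comparison if the whole trail and its MACs are rewritten together.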
c. Secure Message Traffic. The communications methodology for the
network shall ensure the detection of errors in traffic across the
network links and the retransmission of erroneous traffic.
d. Communications Security For Classified AIS Networks. See Chapter
VIII.
8. CONTROLLED INTERFACES. Controlled Interfaces are a special class of
Security Support Structure components. They are unique in that no user
code runs on these components. This means that more trust can be placed
in Controlled Interfaces and fewer resources may be needed for
certification. In many cases, products that can be utilized as
Controlled Interfaces are available from the Evaluated Products List.
a. Controlled Interface Implementation. All separately accredited
networks or AISs that make up the Interconnected Network shall be
attached to the Controlled Interface, and the Controlled Interface
shall have the following properties:
(1) The Controlled Interface shall be implemented to monitor and
enforce the security requirements of the network and
adjudicate the differences in security attributes between the
attached networks or AISs.
(2) The Controlled Interface shall base its routing decisions on
information that is not supplied by the user.
(3) The Controlled Interface shall support the security
requirements of the most restrictive attached networks or
AISs.
(4) The Controlled Interface shall not run any user code.
b. Controlled Interface Functions. The Controlled Interface function
of a Classified AIS is composed of a combination of gateway and
guard functions. These two elements of the Controlled Interface
have significantly different functions, although the functions are
often interrelated and interdependent.
(1) Gateway Functions. Gateways provide a secure point of
interconnection between networks, connected peripheral
devices, remote terminals, or remote hosts and provide a
reliable exchange of security information to allow secure
interconnections between components.
(2) Guard Functions. Automated guard processes (or processors) and
security filters (hereafter referred to as guards) are software or
hardware/software techniques or specialized equipment that
filter information in a data stream based on associated
security labels and/or data content. For example, a guard
might accept an input data stream of information of mixed
classifications up to Secret but permit only data classified
up to Confidential to pass.
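The properties listed in paragraph 8a and the guard function in 8b(2) fit together in one small mediation routine: the identity of the sending network comes from the port the attachment is bound to rather than from anything in the message (8a(2)), the destination comes from the interface's own route table rather than from a user-supplied address, the release threshold on every path is the lower of the two attached accreditations (8a(3)), and content is filtered on its portion markings so that a Secret network can pass only Confidential-and-below material to a Confidential network (8b(2)). The example below is added for this chapter and is not code from the Manual, from an Evaluated Products List product, or from any DOE guard. It assumes four classification levels, portion markings of the form (U), (C), (S), (TS) optionally followed by //COMPARTMENT names, three constructed attached networks, and that unmarked content is treated as if marked at the source network's accredited maximum. The interface itself never executes anything from the message (8a(4)); it only inspects it.

```python
"""Controlled Interface guard: label- and content-based release between
accredited networks (added example)."""
import re
from dataclasses import dataclass

LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}  # UNCLASSIFIED .. TOP SECRET
# Portion marking such as "(S)" or "(S//ALPHA,BRAVO)"; assumption about marking syntax.
MARK = re.compile(r"\((U|C|S|TS)(?://([A-Z][A-Z,]*))?\)")


@dataclass(frozen=True)
class Attachment:
    name: str
    port: int          # physical port the separately accredited network is wired to
    max_level: int     # accredited maximum classification
    compartments: frozenset  # need-to-know compartments the network is cleared for


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    egress: str        # name of the network the message would be released to


class ControlledInterface:
    def __init__(self):
        self.by_port = {}   # port -> Attachment (identity is bound to the port, 8a(2))
        self.routes = {}    # ingress port -> egress network name, set by the CSSO
        self.log = []       # every adjudication, for the network audit trail

    def attach(self, name, port, level, compartments=()):
        self.by_port[port] = Attachment(name, port, LEVELS[level], frozenset(compartments))

    def route(self, ingress_port, egress_name):
        self.routes[ingress_port] = egress_name

    def _by_name(self, name):
        return next((a for a in self.by_port.values() if a.name == name), None)

    @staticmethod
    def classify(text):
        """Highest level and union of compartments among the portion markings.
        Returns (None, empty) for unmarked content."""
        marks = MARK.findall(text)
        if not marks:
            return None, frozenset()
        level = max(LEVELS[lvl] for lvl, _ in marks)
        comps = frozenset(c for _, cs in marks if cs for c in cs.split(","))
        return level, comps

    def _decide(self, allowed, reason, egress, ingress_port):
        d = Decision(allowed, reason, egress)
        self.log.append((ingress_port, d))
        return d

    def adjudicate(self, ingress_port, message):
        """Decide whether message, received on ingress_port, may be released.
        Any 'To:' line or claimed classification inside the message is ignored."""
        src = self.by_port.get(ingress_port)
        if src is None:
            return self._decide(False, "unregistered ingress port", "", ingress_port)
        dst = self._by_name(self.routes.get(ingress_port))
        if dst is None:
            return self._decide(False, "no egress configured for port", "", ingress_port)
        level, comps = self.classify(message)
        if level is None:
            level = src.max_level  # unmarked: assume the source's accredited maximum
        if level > src.max_level:
            # Marking above what the source is accredited to hold: treat as a spill,
            # not as a routing problem, and release nothing.
            return self._decide(False, "content marked above source accreditation", dst.name, ingress_port)
        if level > dst.max_level:
            return self._decide(False, "content exceeds destination accreditation", dst.name, ingress_port)
        if not comps <= dst.compartments:
            return self._decide(False, "destination lacks need-to-know for %s" %
                                ",".join(sorted(comps - dst.compartments)), dst.name, ingress_port)
        return self._decide(True, "released", dst.name, ingress_port)


def build_sample_interface():
    """Constructed topology: a Secret LAN feeding a Confidential LAN, and a second
    Secret network (cleared for two compartments) feeding the first Secret LAN."""
    ci = ControlledInterface()
    ci.attach("SECRET-LAN", port=1, level="S", compartments={"ALPHA"})
    ci.attach("CONF-LAN", port=2, level="C")
    ci.attach("SECRET-B", port=3, level="S", compartments={"ALPHA", "BRAVO"})
    ci.route(1, "CONF-LAN")
    ci.route(2, "SECRET-LAN")
    ci.route(3, "SECRET-LAN")
    return ci


if __name__ == "__main__":
    ci = build_sample_interface()
    for port, msg in [(1, "(U) weather\n(C) unit movement"),
                      (1, "(C) schedule\n(S) sortie plan"),
                      (1, "To: SECRET-B\n(U) hello"),
                      (3, "(S//BRAVO) source report"),
                      (2, "(TS) leaked paragraph")]:
        print(port, ci.adjudicate(port, msg))
```

Two design points carry the weight here. Trusting the port rather than the message for the sender's identity is what makes property 8a(2) hold; if the user-supplied "To:" line were honoured, the guard would become a user-controlled router. And treating an over-classified marking on an ingress port as a spill rather than silently clamping it gives the CSSO the anomaly signal that paragraph 7b(2) asks for.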