221 of 234
First Highlight
Graphics, exponents, and equations will not display within the text file. A link to the PDF version of this section will be in this spot in the future.
CHAPTER IV
PROTECTION INDICES
1. PROTECTION INDICES. To provide a graded method for categorizing the
risk level involved in the different Modes of Operation, the following
Protection Indices have been developed. The particular protection
measures (security features and assurances) to be used are a function of
the operating environment and Mode of Operation for the classified AIS.
The description of the implementation of security features and security
assurances assumes that physical, personnel, telecommunication, and
administrative controls appropriate to the classification level of the
data are in place. A general description of each requirement is
contained in this Chapter. A detailed description of each requirement
is contained in Chapter X.
a. Protection Index 0. This applies to classified AIS operating in
the Dedicated Mode of Operation. Protection measures include:
(1) Security Features. For multiuser classified AIS, the security
features shall provide for identification, authentication, and
audit capability.
(2) Security Assurances. The security measures shall provide for
configuration management, examination of hardware and
software, and security performance testing.
b. Protection Index 1. This applies to classified AIS operating in
the System High Mode of Operation. Protection measures include:
(1) Security Features. The security program shall provide for
resource reallocation, file access controls, file access
authorizations, time lockout, and the security features of
subparagraph a(1) above.
(2) Security Assurances. The security program shall provide the
assurances of subparagraph a(2) above.
c. Protection Index 2. This applies to classified AIS operating in
the Compartmented Mode of Operation.
(1) Security Features. The security program shall provide
resource access controls, non-discretionary access controls,
continuous on-line monitoring, and the security features of
subparagraphs a(1) and b(1) above.
(2) Security Assurances. The security program shall provide for
confidence in source, flaw discovery, security penetration
testing, description of Security Support Structure
protections, independent validation, independent verification,
security label integrity, detail design of Security Support
Structure, and the security assurances of subparagraphs a(2)
and b(2) above. (The Security Support Structure is described
in Chapter X).
d. Protection Index 3. This applies to classified AISs operating in
the Multilevel Mode of Operation where personnel with two adjacent
clearance levels are allowed access to the classified AIS (i.e.,
the information on the AIS is a maximum of Secret-Restricted Data
and personnel with "L" and "Q" clearance levels are allowed
access), and is located in a secure facility.
(1) Security Features. The security program shall provide for
continuous online, automated monitoring, security level
changes, and the security features of subparagraphs a(1),
b(1), and c(1) above.
(2) Security Assurances. The security program shall provide for
flaw tracking and remediation, life-cycle assurance,
separation of function, device labels, and the security
assurances of subparagraphs a(2), b(2), and c(2) above.
e. Protection Index 4. Reserved.
f. Protection Index 5. Multilevel Mode of Operation (if at least one
terminal is located in a Property Protection Area and no terminal
is located outside a Property Protection Area, and is processing
unclassified information). The "user security clearance" meets or
exceeds the classification level for all of the data for which the
user has access.
(1) Security Features. The security program shall provide for
trusted path, security isolation, and all the security
features of subparagraphs a(1), b(1), c(1), and d(1) above.
(2) Security Assurances. The security program shall provide for
detailed design of the Security Support Structure and the
security assurances of subparagraphs a(2), b(2), c(2), and
d(2) above.
g. Protection Index 6. Reserved.
h. Protection Index 7. Reserved.
i. Protection Index 8. Reserved.
2. DETERMINATION OF THE PROTECTION INDEX. Tabular forms of the
specification of these requirements are in Figures X-2 and X-3. (See
Chapter X for detailed descriptions of Security Features and Security
Assurances). The applicability of the specific security features and
assurances is specified in these tables; e.g., the appropriate row of
Figure X-2 is chosen based on the Protection Index and the required
security features for that Protection Index are marked.
a. Example 1.
(1) A Classified AIS processing Confidential and Secret Restricted
Data, but which has at least one user with an L access
authorization (i.e., Protection Index 3), would require
identification; authentication; audit capability; resource
reallocation; file access controls; file access
authorizations; time lockout; resource access controls;
non-discretionary access controls; continuous on-line
automated monitoring; security level changes; and physical,
personnel, telecommunication, and administrative controls
appropriate to the sensitivity of the data.
(2) The security assurances necessary for this Protection Index
include: examination of hardware and software; security
performance testing; configuration management; confidence in
the software source; flaw discovery; security penetration
testing; description and detailed design of the Security
Support Structure; independent validation; independent
verification; security label integrity; flaw tracking and
remediation; life-cycle assurance; separation of function; and
device labels.
b. Example 2.
(1) If all users of the Classified AIS had, at a minimum, a Q
access authorization and the need-to-know all data on the
classified AIS (i.e., Protection Index 0), the classified AIS
would require identification; authentication; audit
capability, and the physical, personnel, telecommunications,
and administrative security controls appropriate for the
sensitivity of the data.
(2) The security assurances necessary for this Protection Index
include: examination of hardware and software; security
performance testing; and configuration management.
3. INDETERMINATE PROTECTION INDEX. When it is not clear what the
Protection Index should be for a Classified AIS, the CSPM shall make the
determination of the required Protection Index.
Top of Document