CHAPTER V
CLASSIFIED AIS SECURITY PLAN
1. OVERVIEW.
a. The Classified AIS Security Plans are prepared by the CSSO as the
basic classified AIS security document and as evidence that the
proposed classified AIS, or update to an existing classified AIS,
meets the appropriate Classified AIS Security Program requirements.
The Classified AIS Security Plan is used throughout the
certification and accreditation process and serves for the lifetime
of the classified AIS as the formal record of the AIS and its
environment as approved for operation. The Classified AIS Security
Plan also serves as the basis for inspections of the Classified
AIS. Each CSSO shall maintain the copy of record of the Classified
AIS Security Plan and associated documents for each classified AIS.
Each CSSM shall (at a minimum) maintain a current list of the
classified AIS on his/her site or facility. The designated DAA
shall maintain accreditation documentation for each of the
classified AIS he/she has accredited.
b. Each AIS, such as a standalone mainframe, minicomputer, personal
work station, Unified Network, or Interconnected Network that
processes classified information shall be covered by a Classified
AIS Security Plan. Two or more similar Classified AISs may be
combined under a Classified AIS Security Plan (see page II-2,
paragraph 2h).
Note: If a Classified AIS Security Plan is determined to contain
classified information, the plan shall be appropriately marked and
protected.
2. COMMON DOCUMENTS. Information common to several classified AISs at a
site or information contained in other documents may be attached to or
referenced in the Classified AIS Security Plan.
3. CLASSIFIED AIS SECURITY PLAN. The Classified AIS Security Plan formally
documents the operation of a Classified AIS and the measures that are
used to control access and protect the classified AIS and its
information. To make appropriate accreditation decisions, the DAA needs
to understand the complete classified AIS environment. Therefore, at a
minimum, each Classified AIS Security Plan (including Classified AIS
Security Plans covering two or more similar classified AISs) shall
contain the following information:
a. Introduction.
(1) The identification and location of the classified AIS.
(2) A brief narrative description of the classified AIS including
its mission or purpose.
b. Security Requirements Specification. The Security Requirements
Specification is a unique sub-set of the Classified AIS Security
Plan that defines the secure operating environment of the
classified AIS (see Figure V-1). The Security Requirements
Specification shall be developed as an attachment to the Classified
AIS Security Plan for use if the classified AIS is to become part
of an interconnected network. If at any time it is necessary or
desirable to link a classified AIS into a network, the information
in the Security Requirements Specification will be used to
determine any necessary changes in or additions to protections or
countermeasures.
(1) Security Personnel. The name, location, and phone number of
the responsible System Owner, DAA, CSSO, CSSM, and
Data/Application Owner (if appropriate).
(2) Secure Operating Environment. Brief description of the secure
operating environment of the classified AIS.
(3) Data Sensitivity. The determination of the data sensitivity
by analysis and documentation of the following:
(a) The classification levels (i.e., Top Secret, Secret,
Confidential) and categories (i.e., Restricted Data,
Formerly Restricted Data, National Security Information)
of the data, and the percentages of each, to be
processed, stored, transferred, or accessed;
(b) Any compartments (as defined in Director of Central
Intelligence Directive 1/16) or special access programs
for the data;
(c) Any special formal access approvals necessary for access
to the data (e.g., Access to Special Access Programs);
(d) Any special handling instructions or caveats (e.g., NO
CONTRACT, WNINTEL);
(e) The need-to-know restrictions on all users directly
connected to the classified AIS; and
(f) The presence of any sensitive unclassified data (e.g.,
Privacy, Proprietary, Unclassified Controlled Nuclear
Information).
(4) Personnel Security. State the range of security clearance
levels, the set of formal access approvals, and the
need-to-know of users of the classified AIS.
(5) Protection Index. Identify the mode of operation and the
protection index (as described in Chapters III and IV).
(6) Physical Protection. The documentation of any special
physical protection requirements that are unique to the
classified AIS.
(7) Security Contracts. A copy of any security contracts
(memoranda of understanding) with other Federal agencies or
entities and a list of all security contracts associated with
the classified AIS.
(8) Approved Waivers, Variances, or Exceptions. A descriptive
list and a copy of the approval documentation of any approved
waivers, variances, or exceptions.
(9) Special Security Countermeasures. The details of any special
security countermeasures in use in the classified AIS.
c. System Description. A brief description of the classified AIS,
including all hardware components, showing the organization,
interconnections, and interfaces of these components (block
diagrams may be used to satisfy this requirement).
d. Configuration Management Program. A brief description of, or
reference to, the Configuration Management Program associated with
the classified AIS.
e. Risks and Vulnerabilities.
(1) A statement about the risk assessment of any unique
vulnerabilities or threats to the classified AIS shall
document or reference threats unique to the site, the
information, or threats unique to the classified AIS itself.
If there are no unique threats or vulnerabilities, a statement
to that effect will be entered (see page I-2, paragraph 4d).
(2) Another statement shall document vulnerability identification
by the CSSO and the implemented countermeasures to mitigate
these vulnerabilities (see page I-2, paragraph 4e).
f. Security Measures. Using the topics in Chapters VI - XIII as a
reference, a description of how these requirements have been met
shall be provided. This description shall specifically address:
(1) Personnel Security. Describe, attach, or reference the
classified AIS escort procedures (see page I-10, paragraph
14e).
(2) Physical Security. Provide a brief description of the
physical security environment, e.g., type of Security Area,
minimum security clearance level allowed without escort
(reference Site Safeguards and Security Plan or Safeguards and
Security Plan, DOE 5630.13A, MASTER SAFEGUARDS AND SECURITY
AGREEMENTS, or DOE 5630.14A, SAFEGUARDS AND SECURITY PROGRAM
PLANNING).
(3) Telecommunications Security. Include or reference the
Protected Distribution System documentation and the provisions
for TEMPEST security.
(4) Administrative Security.
(a) If passwords are used for authentication of system access
control, describe or reference procedures for
administration of passwords (see page IX-2, paragraph 3c
and Attachment IX-2).
(b) Describe the protection requirements and procedures for
all authenticators including passwords.
(c) Describe or reference procedures to protect against
scavenging.
(d) Describe the methods and procedures used to sanitize the
classified AIS between users and/or classification levels
when periods processing is used.
(e) Describe or reference the site marking procedures if
different from the requirements described on page IX-3,
paragraphs 5 and 6.
(5) Technical Security.
(a) Describe or reference the auditing procedures to be
followed in the event of the failure of the auditing
capability. Classified AIS shutdown criteria shall be
included (see page X-2, paragraph 2c(1)).
(b) For AISs operating with a Protection Index of one or
greater, define the time lockout interval of inactivity
in interactive sessions and describe the restart
requirements.
(c) Describe the use of Evaluated Products List products or
justification for alternative methods, hardware, or
software.
(d) Describe the application software certification process.
(6) Waste, Fraud, and Abuse. Describe the management controls
established to deter and detect waste, fraud, and abuse.
g. Network Requirements. If the classified AIS is implemented as a
network, the Classified AIS Security Plan shall also address the
following items:
(1) Overview of the Network. Include descriptions of the
sub-networks, servers, and hosts.
(2) Communications Protocols. Briefly describe all protocols
used in the network.
(3) Security Support Structure. Briefly describe the Security
Support Structure including all controlled interfaces and
guards, their interconnection criteria, and their security
requirements. Also, describe any encryption methods used to
provide discretionary/nondiscretionary controls and the
communications security devices that protect intranetwork
communications.
(4) Security Policies. Describe or reference the network security
policies and procedures. If referenced, include a brief
synopsis of the referenced policies and procedures, including:
(a) Access control policies.
(b) Authorization and authentication policies.
(c) Audit policies.
h. Remote Maintenance/Diagnostics. If approved remote diagnostic or
maintenance services are to be used, specify the methods of
connection, disconnection, and security measures.
i. Ongoing Security Performance Test Plan. Describe the plan for
ongoing security performance testing and the frequency of such
testing.
j. Security Incidents. Attach or reference the procedures to be used
by the personnel associated with the classified AIS for reporting
any classified AIS security incidents to appropriate management and
DOE. These procedures shall include the actions to be taken to
secure the classified AIS during a security-related incident.
k. Continuity of Operations.
(1) State the continuity of operations decision. If the decision
was made to have a continuity of operations plan, reference
the plan, and include a short abstract of the plan. Include
the documentation of the frequency and cost to exercise the
plan, the DAA approval documentation, and provide or reference
a list of the applications on the classified AIS that require
a continuity of operations plan.
(2) If the decision was made not to require a Continuity of
Operations Plan, describe the process used to protect the
current backup copies of software, data, applications, and the
documentation judged to be essential to the continued
operation of the classified AIS.
4. INTERCONNECTED CLASSIFIED AIS SECURITY PLAN. A network operating as an
Interconnected Network shall have an Interconnected Classified AIS
Security Plan that:
a. Designates the individuals responsible for the secure operation
(e.g., CSOM, CSSM) of the Interconnected Network;
b. Describes the secure operating environment and protections of the
Network Security Support Structure including a description of the
operation of any Controlled Interfaces;
c. Identifies any special security responsibilities of the users of
the Interconnected Network;
d. Lists the networks (Interconnected or Unified) and AISs that
comprise the Interconnected Network; and
e. Includes a copy of the Security Contract for each separately
accredited network or AIS with a copy of its Security Requirements
Specification. Also includes copies of the Security Requirements
Specifications for each network as attachments, and provides a
Security Requirements Specification for the Interconnected Network
(see page XI-4, paragraph c).
DATABASE NOTE: The attachment Figure V-1, Development of Security
Requirements Specifications (pages V-7 and V-8), is not included in
the database due to its format.