CHAPTER IX
ADMINISTRATIVE SECURITY REQUIREMENTS
1. BASELINE REQUIREMENTS. Procedures shall be established to ensure that
all classified AIS and classified AIS Facilities have adequate
administrative controls for access to the facility and appropriate
handling of classified information. These procedures shall be
documented in each classified AIS Security Plan. The CSSO is
responsible for ensuring that these security procedures are enforced.
DOE 5635.1A, CONTROL OF CLASSIFIED DOCUMENTS AND INFORMATION, applies to
all classified matter removed from the boundary of the classified AIS.
2. USER WARNING NOTICE.
a. Notice to All Users. All users of classified AISs shall be
notified prior to gaining access to a Classified AIS that system
usage is monitored, recorded, and subject to audit. The user must
also be advised that using the system grants the consent of the
user to such monitoring and recording and that unauthorized use is
prohibited and subject to criminal and civil penalties.
(1) Initial Screen Notice. Where the operating system of the
classified AIS permits, each initial screen (displayed before
user logon) shall contain a warning text to the user. The
following is a suggested warning text to the user. The user
must take positive action to remove the notice from the
screen.
"WARNING: To protect the system from unauthorized use and to
ensure that the system is functioning properly, activities on
this system are monitored and recorded and subject to audit.
Use of this system is expressed consent to such monitoring and
recording. Any unauthorized access or use of this Automated
Information System is prohibited and could be subject to
criminal and civil penalties."
(2) Other Methods of Notification. Where it is not possible to
provide an "initial screen" Warning Notice, other methods of
notification shall be developed by the CSSM for approval of
the DAA.
b. Monitoring and Recording. Monitoring and recording is a
requirement of this Manual.
3. USER ACCESS CONTROLS. Each person having access to a multiuser
classified AIS shall have the proper security clearances and
authorizations and be uniquely identified and authenticated before
access to the classified AIS is permitted. The identification and
authentication methods used shall be specified and approved in the
Classified AIS Security Plan. User access controls in multiuser
classified AISs shall be assigned by the CSSO and shall include
authorization, user identification, and authentication.
a. User Authorizations. The manager or supervisor of each user of a
Classified AIS shall determine the required authorizations, such as
need-to-know, for that user.
b. User Identification (User IDs). Each user ID shall be assigned to
only one person at any one time. No person shall share the same
user ID with another person. A record of the user ID assignment
shall be kept available for a minimum of 12 months after the user
access has been terminated.
Note: Alternate forms for identifying users (e.g., group IDs,
functional titles) may be used for nonidentification purposes
(e.g., data base access control, mail).
(1) User ID Reuse. Prior to reuse of a user ID, all previous
access authorizations (including file accesses for that user
ID) shall be removed from the classified AIS.
(2) User ID Removal. The CSSM shall ensure the development and
implementation of a procedure whereby prompt notification is
given to the CSSO when a user ID and its authentication shall
be removed from the classified AIS (e.g., when an employee
leaves the sponsoring organization, when notified of the need
to remove access for cause).
(3) User ID Revalidation. The CSSO shall ensure that all user IDs
are revalidated at least annually, and information such as
sponsor and means of offline contact (e.g., phone number,
mailing address) are updated as necessary.
c. Authentication. Each user of a multiuser Classified AIS shall be
authenticated before access is permitted. This authentication can
be based on any one of three types of information: something the
person knows (e.g., a password); something the person possesses
(e.g., a card or key); something about the person (e.g.,
fingerprints or voiceprints); or some combination of these three.
Authenticators that are passwords shall be developed in accordance
with Attachment IX-2 and shall be changed at least every 6 months.
(For classified AISs operated at a Protection Index of zero or one
that only process information at the Confidential level, the DAA
may approve the changing of passwords every 12 months.)
(1) Logon. Users shall be required to authenticate their
identities at "logon" time by supplying their authenticator
(e.g., password, smart card, or fingerprints) in conjunction
with their user ID.
(2) Protection of Authenticator. An authenticator that is in the
form of knowledge or possession (password, smart card, keys)
shall not be shared with anyone.
(a) Protection Index of Zero, One, or Two. When passwords
are used as authenticators, they shall be protected at a
level commensurate with the accreditation level of the
classified AIS.
(b) Protection Index of Three or Greater. When passwords are
used as authenticators, they shall be protected at a
level commensurate with the classification level and
classification category of the information to which it
allows access.
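The time-based rules in paragraph 3 (one person per user ID, annual revalidation, the 6- or 12-month password change interval, and 12-month retention of assignment records) can be checked mechanically against an account register. The following is an added example, not part of the Manual; the record layout, function names, and sample data are assumptions constructed for illustration.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from itertools import combinations
from typing import Optional

@dataclass
class Assignment:               # hypothetical record layout, not from the Manual
    user_id: str
    person: str
    assigned: date
    terminated: Optional[date]  # None while access is active
    revalidated: date           # last revalidation, paragraph 3.b(3)
    password_changed: date      # last password change, paragraph 3.c

def add_months(d, months):
    """Add calendar months, clamping to the last day of the target month."""
    years, month0 = divmod(d.month - 1 + months, 12)
    y, m = d.year + years, month0 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))

def password_limit_months(protection_index, confidential_only, daa_approved):
    """6 months, or 12 for PI 0/1 Confidential-only systems with DAA approval."""
    return 12 if protection_index in (0, 1) and confidential_only and daa_approved else 6

def audit(records, today, pw_months):
    """Return (user_id, paragraph, detail) findings for the register."""
    findings, by_id = [], {}
    for r in records:
        by_id.setdefault(r.user_id, []).append(r)
    for uid, rs in by_id.items():
        # 3.b: a user ID is assigned to only one person at any one time
        for a, b in combinations(sorted(rs, key=lambda r: r.assigned), 2):
            if a.person != b.person and (a.terminated is None or b.assigned < a.terminated):
                findings.append((uid, "3.b", f"held by {a.person} and {b.person} at once"))
    for r in records:
        if r.terminated is not None:
            continue                      # only active access is time-checked
        if add_months(r.revalidated, 12) < today:
            findings.append((r.user_id, "3.b(3)", "annual revalidation overdue"))
        if add_months(r.password_changed, pw_months) < today:
            findings.append((r.user_id, "3.c", "password change overdue"))
    return findings

def purgeable(records, today):
    """Records past the 12-month minimum retention after termination (3.b)."""
    return [r for r in records if r.terminated and add_months(r.terminated, 12) <= today]

TODAY = date(2024, 7, 1)                  # constructed audit date
SAMPLE = [                                # constructed register entries
    Assignment("jdoe", "J. Doe", date(2023, 1, 10), None, date(2024, 1, 15), date(2024, 3, 1)),
    Assignment("asmith", "A. Smith", date(2022, 5, 1), None, date(2023, 5, 1), date(2023, 11, 30)),
    Assignment("ops1", "B. Lee", date(2021, 2, 1), date(2024, 2, 1), date(2023, 2, 1), date(2023, 9, 1)),
    Assignment("ops1", "C. Kim", date(2024, 1, 15), None, date(2024, 1, 15), date(2024, 2, 15)),
    Assignment("old", "D. Roe", date(2019, 3, 1), date(2023, 6, 30), date(2022, 3, 1), date(2023, 1, 1)),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, TODAY, password_limit_months(2, False, False)):
        print(finding)
```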
4. USER ACCOUNTABILITY. The classified AIS shall ensure individual
accountability. This shall be accomplished by identifying the user,
authenticating the user, and maintaining audit trails.
5. MARKING OF CLASSIFIED AIS COMPONENTS. The CSSM shall develop procedures
to ensure that all components of a Classified AIS, including
input/output devices, terminals, standalone microprocessors, or word
processors used as terminals, shall bear a conspicuous, external label
which states the highest classification level and most restrictive
classification category of the information accessible to the component
in the classified AIS. This labeling may be accomplished using
permanent markings on the component; a sign placed on the terminal
(e.g., DOE Computer/Terminal Processing Warning Signs); or labels
generated by the classified AIS and displayed on the screen.
6. MARKING OF CLASSIFIED AIS MEDIA. The CSSM shall ensure the development
and implementation of procedures to ensure that the security
classification levels and categories of information are clearly
identified as outlined below.
a. Hardcopy Output. Hardcopy output includes paper, fiche, film, and
other printed media. The CSSO shall ensure that personnel handling
classified information or Protect as Restricted Data information
(see Attachment IX-1) apply the appropriate markings to hardcopy
output. Security measures appropriate to the classification level,
classification category, and other controls shall be utilized to
protect the information, such as the use of an approved secure
storage container or vault for storage of classified information.
(1) Protection Index Zero, One, or Two. The accreditation level
of the accredited classified AIS shall be marked on all
hardcopy output that is retained in, or distributed from, the
Classified AIS Facility unless an appropriate classification
review has been conducted or the information has been output
by a tested program verified to produce consistent results and
approved by the DAA. Such programs will be tested on a
statistical basis to assure continuing performance.
(2) Protection Index Three or Greater. The highest classification
level and classification category of the information recorded
on the hardcopy shall be marked on all hardcopy output that is
retained in, or distributed from, the Classified AIS Facility.
b. Removable Media. The CSSO shall ensure that personnel handling
removable media apply visible, human-readable, external markings to
the media.
(1) Protection Index of Zero, One, or Two. Removable media shall
be marked with the accreditation level of the classified AIS
unless an appropriate classification review has been conducted
or the information on the media has been output by a tested
program or methodology verified to produce consistent results
and approved by the DAA.
(2) Protection Index of Three or Greater. Removable media shall
be marked with the highest classification level and most
restrictive classification category of the information ever
recorded on the media since it was last sanitized.
(3) Classified AIS Facilities. In Classified AIS Facilities where
some of the AISs are operated as classified and some are
dedicated to unclassified operation, the removable
unclassified media shall be uniquely marked to protect from
the mixing of the media.
(4) Additional Requirements. The following additional external
labeling requirements apply:
(a) Information Security Oversight Office standard labels
denoting the classification level of the media shall be
used where it is practical to apply the label without
impeding the operation of the removable media.
(Information Security Oversight Office labels denoting
only "Classified" shall not be used.)
(b) If the label can impede the operation of the removable
media (e.g., not allowing the media to properly seat),
then alternate marking methods are required. The
classification markings shall be visible and
human-readable, and shall easily communicate the
classification level and category of the information.
Marking procedures that differ from this shall be
submitted in the Classified AIS Security Plan for
approval by the DAA.
(c) If Information Security Oversight Office labels are used,
then either:
1 The category shall be overprinted or written in; or
2 An additional label shall be utilized to display the
classification category information.
(d) If other labels are to be used, their use shall follow
CSSM established procedures to display the classification
level and classification category.
(e) Classifier or classification source documentation is not
required to be applied to the removable media unless the
media is to be transferred beyond the boundary of the
classified AIS.
(f) In accordance with Director Central Intelligence
Directive 1/16 or other programmatic requirements,
additional markings and accountability controls shall be
applied to all removable media, as required.
(5) Security Labels. Procedures shall be implemented internal to
classified AISs processing at Protection Index of two or
greater to ensure that output media (magnetic tape, magnetic
disks) that are to be reused by the classified AIS or
transferred beyond the boundary of the classified AIS have
both security labels and external markings indicating
classification level, classification category, and handling
instructions.
7. TRANSFER OF REMOVABLE MEDIA. Removable media being transferred beyond
the boundary of the classified AIS that contain classified information
shall be marked as described above and protected and controlled in
accordance with DOE 5635.1A.
8. PROTECTION OF MEDIA CONTAINING SYSTEM SOFTWARE.
a. Protection Index Zero, One, or Two. All media containing program
software including operating systems, security systems, utilities,
and vendor-supplied diagnostics, application programs, and data
that have been used on a Classified AIS shall be protected at the
accreditation level for the classified AIS, unless the media has
been subjected to a process, approved by the DAA, which proves that
the media has not been contaminated with classified information.
b. Protection Index Three or Greater. All media containing program
software including operating systems, security systems, utilities,
and vendor-supplied diagnostics, application programs, and data
that have been used on the Classified AIS shall be protected at the
highest level of classification and most restrictive category of
information authorized in the component using the media.
9. PROTECTION OF PRINTER MEDIA. Specific methods for protecting printer
media shall be described in the Classified AIS Security Plan and
approved by the DAA.
a. Protection and Destruction of Multistrike Printer Ribbons.
Multi-strike printer ribbons used in a Classified AIS or in the
classified component of a Classified AIS need not be labeled for
classification or sensitivity if they remain in the printer. They
may remain in the printer if the printer is located in at least a
DOE Limited Security Area. When these media are removed and
replaced, they shall be destroyed in a manner approved for the
disposal of classified waste. If a ribbon is removed for purposes
other than destruction, it must be appropriately marked, handled,
and stored at the highest level and category of the classified
information that it printed.
b. Laser Toner Cartridges. Laser printer toner cartridges that have
been used in a Classified AIS must be protected as classified until
they have been sanitized.
(1) Sanitization of Laser Printer Toner Cartridges. Laser printer
toner cartridges shall be sanitized by running five "full"
pages of randomly-generated characters through the printer.
The pages of text must contain no blanks or solid black areas
and shall be treated as unclassified. Once the cartridge is
sanitized, the cartridge may either be recycled, released for
destruction as unclassified waste, or used on an unclassified
AIS.
(2) Maintenance of Laser Printer Toner Cartridges. Laser toner
cartridges used in a Classified AIS must be sanitized before
sending them out for maintenance. If the cartridge cannot be
sanitized, it must be treated as classified waste when
replaced.
10. CLEARING AND SANITIZATION. When a Classified AIS resource has been used
to process classified information, all residual data shall be removed
before reallocation of the resource. More detailed information on the
procedures required can be found in guidance issued periodically by the
CSPM.
a. Clearing. Clearing permits the reuse of the resource within the
same environment (i.e., the same Protection Index and operating
environment). Clearing does not lower the classification level or
the classification category of the resource.
(1) Clearing of Storage Media. Storage media, such as magnetic
tape or disks, on which classified information has been
recorded may be cleared by overwriting the media once with
unclassified information. Detailed instructions on the
clearing of storage media shall be issued periodically by the
CSPM.
(2) Clearing of Memory. All internal memory, buffer, or other
reusable memory shall be cleared to effectively deny access to
the higher classification level or more restrictive
classification category of information. Detailed instructions
on the clearing of memory shall be issued periodically by the
CSPM.
b. Sanitization. Sanitization permits the reuse of the media on a
classified AIS operating at another classification level and/or
classification category or at an unclassified level. Sanitization
of a classified AIS resource shall be accomplished before it may be
released from classified information controls or released for use
at a lower classification level. To sanitize storage media,
memory, and hardware, the following requirements shall be met:
(1) Sanitization of Storage Media. The media shall be degaussed
with an approved degausser for that specific type of media or
destroyed before it can be considered sanitized. Clearing is
not an approved method for sanitization. Detailed
instructions issued periodically by the CSPM detail the
sanitization and destruction procedures for different storage
technologies.
(2) Sanitization of Memory. Volatile semiconductor memory
normally can be sanitized by the removal of main and auxiliary
or backup power. Nonvolatile memory shall be sanitized using
the procedures outlined in guidance periodically issued by the
CSPM.
(3) Sanitization of Hardware Components. Hardware that has been
used to process classified information shall be sanitized in
accordance with the guidance issued periodically by the CSPM.
(4) Visual Examination of Hardware Components. To complete
sanitization of a Classified AIS, any classified media such as
diskettes, disk cartridges, disks, tapes, printer ribbons, and
hardcopy output shall be physically removed. An examination
of the display device for evidence of residual information
shall be conducted.
11. DESTRUCTION PROCEDURES.
a. Destruction of Media. Procedures shall be established by the CSSM
to ensure the sanitization of media such that the media can be
released for destruction without classification or other
sensitivity labels. The CSSO shall ensure that the established
procedures are followed for the destruction of media. Destruction
procedures for storage media, memory, and hardware are provided in
guidance issued periodically by the CSPM.
b. Destruction of Output. Classified printed data shall be destroyed
in accordance with procedures in DOE 5635.1A.
12. MOVEMENT OF CLASSIFIED EQUIPMENT AND SOFTWARE. When the hardware or
software resources of a Classified AIS are used or marked for use in a
classified environment, they shall not be removed from the security area
except in the custody of trained classified AIS escort (see Page I-10,
paragraph 14.e) unless properly sanitized.
13. RELEASE OF CLASSIFIED AIS EQUIPMENT. The CSSM shall establish
procedures to assure that classified AIS equipment contains no
classified information before it is released to uncleared personnel or
to personnel without the proper access authorizations. Where practical,
markings and labels which indicate previous use or classification shall
be removed before release. The CSSO shall ensure compliance with
procedures to eliminate classified information from classified AIS
equipment.
14. RELEASE OF MEDIA. If information is to be released from a classified
environment to an environment at a lower classification level, it shall
be produced on new or sanitized media and subjected to a review by a
properly authorized, cleared individual (e.g., the data owner) or it
shall have been produced by a verified program approved by the DAA.
15. WASTE, FRAUD, AND ABUSE REVIEW. The files contained on all classified
AISs shall be randomly reviewed by the CSSO to identify any cases of use
of the equipment or AISs in a way that would constitute waste, fraud, or
abuse. At a minimum, one-third of all classified AISs shall be reviewed
annually (see Page I-10, paragraph 15). These reviews shall be
nonperiodic and unannounced. The reviews shall be documented and the
results reported to the CSSM. As an alternative, for facilities with a
large number of similar classified AISs, a statistical sampling method
of reviewing may be approved by the DAA.
16. REMOTE DIAGNOSTIC OR MAINTENANCE SERVICES FOR CLASSIFIED AISs. If
remote diagnostic or maintenance services are required, the classified
AIS shall be sanitized and disconnected from any communication links to
a network prior to the connection of any nonsecured communication line.
a. Site Procedures. The CSSM shall establish site procedures for the
use of the remote diagnostic or maintenance service. The use of a
remote diagnostic or maintenance service in a Classified AIS shall
be specified in the Classified AIS Security Plan. During normal
operation of the Classified AIS, this communication line shall be
physically disconnected from the Classified AIS by means of some
positive control measure such as a lockbox with a controlled key.
b. Secure Remote Classified Diagnostic Facility. If a secure remote
classified diagnostic facility can be established, and approved by
the CSPM, the DAA may approve the connection of the communication
line without previous sanitization of the classified AIS.