INDEX
U.S. Department of Energy ORDER
Washington, D.C. DOE 5639.6A
7-15-94
SUBJECT: CLASSIFIED AUTOMATED INFORMATION SYSTEM SECURITY PROGRAM
1. PURPOSE. To establish uniform policy, responsibilities, and authorities
for the implementation of the Department of Energy (DOE) Classified
Automated Information System (AIS) Security Program which will ensure
the security of classified information entrusted to the Department in
classified AISs. To establish DOE M 5639.6A-1, MANUAL OF SECURITY
REQUIREMENTS FOR THE CLASSIFIED AIS SECURITY PROGRAM, which provides the
protection requirements and specifications that implement this Order.
2. CANCELLATION. DOE 5639.6, CLASSIFIED COMPUTER SECURITY PROGRAM, of
9-15-92.
3. APPLICABILITY/EXCLUSIONS/DEVIATIONS.
a. General. This Order applies to Departmental Elements responsible
for management and operation of the Classified Automated
Information System Security Program to ensure the protection of
classified information and classified automated resources.
b. Application to Contracts. The provisions of this Order are to be
applied to covered contractors and they will apply to the extent
implemented under a contract or other agreement. A covered
contractor (e.g., management and operating contractor, service
support contractor, onsite contractor) is a seller of supplies or
services that has been awarded a procurement contract or
subcontract to provide supplies or services on an AIS.
c. Exclusions. Departmental facilities and activities subject to
regulation by the Nuclear Regulatory Commission are exempt from the
requirements of this Order.
d. Deviations. Deviations from requirements shall be processed
according to DOE 5630.11A, SAFEGUARDS AND SECURITY PROGRAM.
4. REFERENCES AND DEFINITIONS. See Attachment 1.
5. POLICY. Classified information and unclassified information processed
on classified AISs shall be protected in accordance with this Order and
DOE M 5639.6A-1.
a. Systems requiring this protection include but are not limited to
the following examples:
(1) Mainframe Classified AISs, word processors, microprocessors,
personal computers, programmable controllers, Automated Office
Support Systems (AOSS), memory typewriters, and other
standalone or special systems that process, store, transfer,
or provide access to classified information, including those
classified AISs that also process, store, transfer, or provide
concurrent or simultaneous access to both classified and
unclassified information.
(2) Special purpose computers that perform classified functions
and/or contain classified data, such as numerically controlled
machines, smart switches, single-task preprogrammed
controllers, programmable facsimile devices, automated
testers, and digital to analog and analog to digital
converters.
(3) Networks wherein classified information is processed, stored,
transferred, or accessed in one or more components of the
network.
b. Unclassified information processed on the systems identified in
Paragraph 8. is subject to the requirements of this Order and DOE M
5639.6A-1, unless processed under period processing procedures. If
processing of only unclassified information takes place during
periods processing, the information processed will be subject to
the requirements of DOE 1360.2B, UNCLASSIFIED COMPUTER SECURITY
PROGRAM.
c. The following subparagraphs elaborate the Departmental classified
AIS security policy:
(1) Protection of Classified Information and Resources. The
Classified AIS Security Program shall be implemented to ensure
that:
(a) The integrity of the information on the classified AIS is
preserved;
(b) Information processed on a classified AIS is protected
from unauthorized access, alteration, modification,
disclosure, transmission, or destruction;
(c) The classified AISs resources provide an appropriate
level of protection against denial of service, subversion
of security measures, or improper use; and
(d) The classified AISs resources are protected from damage,
destruction, and unauthorized modification.
(2) Protection Measures. DOE and covered contractors shall use
all reasonable measures to protect AISs that process, store,
transfer, or provide access to classified information. These
measures include but are not limited to the following:
(a) Measures related to personnel security, physical
security, telecommunications security, administrative
security, technical security, and hardware and software
security shall be used to provide the necessary
protection for the information on the Classified AIS in a
manner that shall result in an acceptable level of risk
against loss, improper use, compromise, or unauthorized
alteration or modification of classified information.
(b) Acquisitions or other procurement actions to obtain AIS
equipment or related contractual services (as defined in
DOE 1360.1B, ACQUISITION AND MANAGEMENT OF COMPUTING
RESOURCES) that will be used to process, store, transfer,
or provide access to classified information shall be:
1 Evaluated by the Classified AIS Security Site
Manager (CSSM) to assure that appropriate security
technology is being specified; and
2 Integrated into the Information Resources Management
Long Range Plan in accordance with DOE 1360.1B.
(c) AISs used to process, store, transfer, or provide access
to classified information shall be:
1 Accredited by a Designated Accrediting Authority
(DAA) to be operated:
a In a particular mode of operation as defined in
DOE M 5639.6A-1;
b With a prescribed set of personnel,
administrative, operational, physical,
telecommunications, hardware, software, and
technical requirements;
c Under a stated operational concept; and
d With identified interconnections to other AISs.
2 Reaccredited by a DAA at least once every 3 years
except for classified AISs processing Sensitive
Compartmented Information.
3 Protected in accordance with the requirements of
this Order and DOE M 5639.6A-1.
4 Covered by a continuity of operations decision or a
plan (see Page I-6, paragraph 9, DOE M 5639.6A-1).
5 Operated under the oversight of a designated
Departmental or covered contractor manager or
supervisor.
6 Accessed only by personnel who have:
a Received training in their security
responsibilities;
b A proper level of security clearance and need-
to-know; and
c Acknowledged, in writing, their
responsibilities to protect classified
information on classified AISs.
7 Located in a Limited, Protected, or Exclusion Area
as required by DOE 5632.5, PHYSICAL PROTECTION OF
CLASSIFIED MATTER.
(3) AISs Containing Intelligence Information. The requirements of
this Order and DOE M 5639.6A-1 apply to Classified AISs that
process classified intelligence information within a Sensitive
Compartmented Information Facility. However, these
requirements may not fully represent the protection
requirements for processing intelligence information. Further
requirements may be established by directives of the
intelligence community or DOE Orders established by the
Director, Office of Intelligence, in coordination with the
Computer Security Program Manager (CSPM).
(4) Protection Level Requirements. This Order and DOE M 5639.6A-1
are the DOE implementation of National Telecommunications and
Information System Security Publication 200, National Policy
on Controlled Access Protection (C2).
6. CONCEPT OF OPERATIONS.
a. Terminology. The terms "information," "data," and "documents" are
considered synonymous and used interchangeably in this Order and
DOE M 5639.6A-1. They refer to all data regardless of its physical
form (e.g., data on paper printouts, on tapes, on disks or disk
packs, in memory chips, in Random Access Memory, in Read Only
Memory, on microfilm or microfiche, on communication lines, and on
display terminals).
b. Baseline for Protection. This Order and DOE M 5639.6A-1 provide a
uniform baseline for the protection of classified AISs. Each DAA,
as described in this Order and DOE M 5639.6A-1, is responsible for
ensuring that the security requirements of this Order and DOE M
5639.6A-1 are met for each classified AIS that he/she accredits.
c. DOE Directives. This Order and DOE M 5639.6A-1 shall be used in
conjunction with the DOE directives identified in Attachment 1 to
provide a comprehensive protection program for classified AISs.
These directives establish minimum requirements for the design,
procurement, and implementation of AISs which process, store,
transfer, or provide access to classified information.
d. Risk Assessment. The security requirements established by this
Order and DOE M 5639.6A-1 provide countermeasures to the threats
defined in the "Annual DOE Classified AIS Security Program Risk
Assessment," (see DOE M 5639.6A-1, Chapter I, paragraph 4c.).
Sites and facilities shall only conduct additional documented
classified AIS risk assessments when:
(1) A unique local threat has been identified and the provisions
of this Order and DOE M 5639.6A-1 do not provide mitigation of
that threat; or
(2) The DAA has so directed.
e. Software Requirements. Security relevant software developed for
use on classified AISs shall be developed using software
engineering techniques as prescribed in DOE 1330.1D, COMPUTER
SOFTWARE MANAGEMENT, of 5-18-92. The use of personally owned
software and/or hardware is strictly prohibited. The CSSM shall
control the use of public domain software on classified AISs.
Vendor supplied software shall be appropriately licensed before it
is installed on a classified AIS.
f. Security Labeling Requirement. All classified AISs operating in
the Compartmented or Multilevel Mode of Operation shall, at a
minimum, implement security labeling (see Chapter 3, DOE M 5639.6A-
1).
7. RESPONSIBILITIES AND AUTHORITIES.
a. The Secretary, through the Director of Nonproliferation and
National Security, and the Director of Naval Nuclear Propulsion
Program shall provide overall management of the Classified AIS
Security Program.
b. Heads of Headquarters Elements.
(1) Responsible for a Sensitive Compartmented Information Facility
may appoint the Sensitive Compartmented Information Facility
Security Officer as the CSSM for classified AISs processing
intelligence information within that Sensitive Compartmented
Information Facility.
(2) Shall ensure that:
(a) This Order and other related directives are followed
within their respective programs and facilities.
(b) All managers and supervisors are aware of and fulfill
their responsibilities for the security of classified
AISs.
(c) AIS acquisitions intended for classified use meet the
requirements for the protection of classified
information.
(d) This Order and DOE M 5639.6A-1 are implemented.
(e) Through each manager or supervisor responsible for one or
more Classified AISs, ensure:
1 A Classified AIS Security Officer (CSSO), either a
DOE or covered contractor employee, is appointed for
each classified AIS under his/her direction or
control, and is identified in the Classified AIS
Security Plan. An individual may serve as the CSSO
for one or more classified AISs.
2 That CSSOs are aware of and fulfill their duties as
described in this Order and DOE M 5639.6A-1.
3 The implementation of a Configuration Management
Program for each AIS processing classified
information under his/her cognizance.
4 That appropriate authorizations are provided to an
employee who needs to become a user of a classified
AIS.
5 Participation in or review of the unique threat
identification for the classified AIS under his/her
direction or supervision.
6 The identification and funding of Independent
Validation and Verification testing for classified
AISs, under their cognizance, with a Protection
Index of two or greater (as described in Chapter IV,
DOE M 5639.6A-1).
c. Assistant Secretary for Human Resources and Administration, in
addition to the responsibilities in paragraph 7b, shall through the
Director of Information Technology Services and Operations:
(1) Ensure:
(a) The implementation of the Classified AIS Security Program
for the Headquarters facilities.
(b) That the resource requirements contained in the
Information Resources Management Long Range Plan for each
year include classified AIS security requirements.
(c) That managers and supervisors are aware of and fulfill
their responsibilities for the security of classified
AISs.
(d) That the CSSM under his/her jurisdiction undergoes
security qualification training within 1 year of
appointment.
(e) The implementation of a Configuration Management Program
for each AIS processing classified information on the
site as described on Page I-3, paragraph 5, DOE M
5639.6A-1.
(2) Appoint, in writing, a CSSM to implement the Classified AIS
Security Program in the Headquarters as described in this
Order and DOE M 5639.6A-1.
(3) Through each manager or supervisor responsible for a
classified AIS, ensure the:
(a) Appointment of a Classified AIS Security Officer (CSSO),
either a DOE or covered contractor employee, for each
classified AIS at a facility and the identification of
the individual in the Classified AIS Security Plan. An
individual may serve as the CSSO for one or more
classified AISs.
(b) CSSO for each classified AIS is aware of and fulfills
his/her duties as described in this Order and
DOE M 5639.6A-1.
(c) Proper authorization of any employee having a need to
become a user of a classified AIS.
(d) Participation in or review of the unique threat
identification for the classified AIS under his/her
direction or supervision.
d. Director of Nonproliferation and National Security, in addition to
the responsibilities in Paragraph 7b, shall:
(1) Authorize specific DOE organizations and covered contractors
to create and retain information designated as Protect as
Restricted Data.
(2) Through the Director Security Affairs and the Director of
Safeguards and Security:
(a) Develop and propose policy and establish the Classified
AIS Security Program to assure an adequate level of
security for all classified AIS hardware and software and
for the classified information and unclassified,
sensitive information that is processed, stored,
transferred, or accessed on classified AISs.
(b) Appoint, in writing, the Classified AIS Security Program
Manager (CSPM) to manage the Classified AIS Security
Program and ensure that he/she is knowledgeable and
formally trained in classified AIS security.
(c) Ensure the establishment of an Independent Validation and
Verification capability to be made available to DOE site
and facility managers.
(d) Ensure that classified AIS security qualification
training programs for CSOMs and CSSMs are developed,
presented, and maintained.
(e) Appoint the Director of Headquarters Operations Division,
Office of Safeguards and Security, to be responsible for
the Headquarters Classified AIS Security Program and:
1 Ensure the implementation of this Order and DOE M
5639.6A-1 for classified AISs under his/her
cognizance including those of covered contractors.
2 For classified AISs operated by Heads of
Headquarters Elements, Headquarters contractor
organizations, and Field Organizations reporting to
Headquarters:
a Serve as the DAA as defined in this Order and
DOE M 5639.6A-1, in coordination with the CSPM,
for Classified AISs operated at a Protection
Index of five. This authority may not be
redelegated.
b Appoint, in writing (see Sample Appointment
Letter, Attachment 3), a senior level
Headquarters Security Operations Division
employee knowledgeable in AIS Security as the
DAA to serve as the accrediting authority, in
coordination with the CSPM, for classified AISs
operated at a Protection Index of three.
c Appoint, in writing (see Sample Appointment
Letter, Attachment 3), a DOE employee
knowledgeable in AIS security as the Classified
AIS Security Operations Manager (CSOM) and as
the DAA to serve as the accrediting authority
for classified AISs operated at a Protection
Index of zero, one, or two.
3 Appoint, in writing, a Classified AIS Security Site
Manager (CSSM) to implement the site Classified AIS
Security Program for the covered contractor
organizations under contract to the Secretarial
Offices.
4 Ensure that technical classified AIS security staff
members are trained to support the requirements of
the Classified AIS Security Program.
5 Ensure that the CSOM and CSSM under his/her
jurisdiction undergo security qualification training
within 1 year of appointment.
6 Designate an individual(s) to be responsible for
bringing to the attention of the contracting officer
each procurement falling within the scope of this
Order. Unless another individual is designated, the
responsibility is that of the procurement request
originator (the individual responsible for
initiating a requirement on DOE F 4200.33,
"Procurement Request Authorization").
(3) Authorize the Director of Intelligence (DOE Senior
Intelligence Officer) to:
1 Be the DAA for classified AISs that process
intelligence information and are located in
Sensitive Compartmented Information Facilities.
2 Establish, as necessary, policy and procedures,
beyond those described in this Order and DOE M
5639.6A-1, for the processing of classified
intelligence information in Sensitive Compartmented
Information Facilities in coordination with the
CSPM.
e. Director, Naval Nuclear Propulsion Program shall, in accordance
with the responsibilities and authorities assigned by Executive
Order 12344 (statutorily prescribed by Public Law 98-525 (42 U.S.C.
7158, note)) and to ensure consistency throughout the joint
Navy/DOE organization of the Naval Nuclear Propulsion Program,
implement and oversee all policy and practices pertaining to this
Order for activities under the Director's cognizance.
f. The Manager of Each Operations Office (including the Manager of the
Rocky Flats Office) that use AISs to process classified information
shall:
(1) Serve as the DAA as defined in this Order and DOE M 5639.6A-1,
in coordination with the CSPM, for classified AISs under the
cognizance of the Operations Office or Rocky Flats Office to
be operated at a Protection Index of five. This authority may
not be redelegated.
(2) Appoint, in writing (see Sample Appointment Letter, Attachment
3), a senior level DOE employee knowledgeable in AIS security
as the DAA, to serve as the accrediting authority, in
coordination with the CSPM, for classified AISs under the
cognizance of the Operations Office or Rocky Flats Office to
be operated at a Protection Index of three.
(3) Appoint, in writing (see Sample Appointment Letter, Attachment
3), a DOE employee knowledgeable in AIS security as the CSOM
and as the DAA to serve as the accrediting authority for
classified AISs under the cognizance of the Operations Office
or Rocky Flats Office to be operated at a Protection Index of
zero, one, or two.
(4) Ensure:
(a) The implementation of this Order and DOE M 5639.6A-1 for
classified AISs under their management and control
including those of covered contractors.
(b) That the resource requirements contained in the
Information Resources Management Long Range Site Plan for
each year include classified AIS security requirements.
(c) That technical classified AIS security staff members are
trained to support the requirements of the Classified AIS
Security Program.
(d) That the CSOM and all CSSMs under their jurisdiction
undergo security qualification training within 1 year of
appointment.
(e) The implementation of a Configuration Management Program
for each AIS processing classified information at each
site under their jurisdiction.
(5) Designate an individual(s) to be responsible for bringing to
the attention of the contracting officer each procurement
falling within the scope of this Order. Unless another
individual is designated, the responsibility is that of the
procurement request originator (the individual responsible for
initiating a requirement on DOE F 4200.33).
g. Manager, Oak Ridge Operations Office, in addition to the
responsibilities in paragraph 10h, shall ensure the implementation
of the DOE Classified AIS Security Program in the Office of
Scientific and Technical Information.
h. Designated Accrediting Authority shall:
(1) Serve as accrediting authority for each DOE and covered
contractor classified AIS for which he/she is the DAA and
shall:
(a) Ensure that each classified AIS under his/her
jurisdiction is accredited or reaccredited at least every
3 years (except for classified AISs processing Sensitive
Compartmented Information) and that the accreditation or
reaccreditation is documented.
(b) Determine the protection requirements from the
requirements of this Order and DOE M 5639.6A-1 to be
applied to special purpose computers that perform
classified functions and/or contain classified data as
specified in Paragraph 5a(2).
(c) Ensure that the accreditation and documentation files
exist for accredited classified AISs.
(2) Serve as the approving official of the Classified AIS Security
Plan for classified AISs under the cognizance of the
organization for which he/she is the DAA.
(3) Ensure that the Risk Management process described on Page I-1,
paragraph 4, DOE M 5639.6A-1, is used to determine Classified
AIS protection requirements.
(4) Be authorized to assume the acceptable level of risk following
the application of those countermeasures as described in the
Classified AIS Security Plan.
(5) Concur with the identification of unique threats for sites
under his/her jurisdiction and, as required, direct that a
risk assessment be performed.
i. Site Directors and Management & Operating Contractor/Facility
Managers who operate AISs processing classified information shall:
(1) Ensure:
(a) The implementation of the Classified AIS Security Program
for their site or facility.
(b) That managers and supervisors are aware of and fulfill
their responsibilities for the security of classified
AISs.
(c) That classified AIS security requirements are included in
all Information Resources Management site long range
planning.
(d) The implementation of a Configuration Management Program
for each AIS processing classified information on the
site as described on Page I-3, paragraph 5, DOE M
5639.6A-1.
(e) The identification and funding of an Independent
Validation and Verification capability for classified
AISs with a Protection Index of two or greater (as
defined in DOE M 5639.6A-1) under their cognizance.
(f) That the CSSM under his/her jurisdiction undergoes
security qualification training within 1 year of
appointment.
(2) Appoint, in writing, an employee as the CSSM to implement the
site Classified AIS Security Program described in this Order
and DOE M 5639.6A-1.
(3) With Sensitive Compartmented Information Facilities, appoint
the Sensitive Compartmented Information Facility Security
Officer as the CSSM for Classified AISs processing
intelligence information within that Sensitive Compartmented
Information Facility.
(4) Through each manager or supervisor responsible for a
classified AIS, ensure the:
(a) Appointment of a Classified AIS Security Officer (CSSO),
either a DOE or covered contractor employee, for each
classified AIS at a site and the identification of the
individual in the Classified AIS Security Plan. An
individual may serve as the CSSO for one or more
classified AISs.
(b) CSSO for each classified AIS is aware of and fulfills
his/her duties as described in this Order and DOE M
5639.6A-1.
(c) Proper authorization of any employee having a need to
become a user of a classified AIS.
(d) Participation in or review of the unique threat
identification for the classified AISs under his/her
direction or supervision.
j. Procurement Request Originators (the individuals responsible for
initiating a requirement on DOE F 4200.33 or such other
individual(s) as designated by the cognizant Head of a Departmental
Element) shall bring to the attention of the cognizant contracting
officer the following:
(1) Each procurement or agreement requiring the application of
this Order.
(2) Requirements for flowdown of provisions of this Order to any
subcontract or subaward.
(3) Identification of the paragraphs or other portions of this
Order with which the awardee or, if different, a subawardee is
to comply.
k. Contracting Officers shall, based on advice received from the
procurement request originator or other designated individual,
apply applicable provisions of this Order to awards falling within
its scope. For awards, other than management and operating
contracts, this shall be by incorporation or reference using
explicit language in a contractual action, usually bilateral.
l. The Classified AIS Security Program Manager shall:
(1) Develop and recommend DOE policies, standards, and procedures
for the protection of AISs that process, store, transfer, or
provide access to classified information.
(2) Maintain a continuing review of DOE M 5639.6A-1 to assure that
current technology is being applied to the protection of
classified AISs that process, store, transfer, or provide
access to classified information and to eliminate those
practices that are no longer needed or effective.
(3) Approve secure remote diagnostic and maintenance facilities
proposed for use with classified AISs.
(4) Prepare and perform an annual review of the "Annual DOE
Classified AIS Security Program Risk Assessment."
(5) Designate the DAA for classified AIS where the DAA cannot be
determined or for those classified AISs that are to be
operated under the jurisdiction of more than one DAA.
(6) Coordinate the establishment of an Independent Validation and
Verification capability to be made available to DOE site and
facility managers.
(7) Represent the Department before Federal, private, and public
organizations concerned with the protection of classified
AISs.
(8) Coordinate:
(a) With DAAs on the accreditation of classified AISs to be
operated with a Protection Index of three or greater.
(b) The Classified AIS Security Program with the Unclassified
Computer Security Program.
(c) The protection of Sensitive Compartmented Information in
classified AISs with the Office of Intelligence.
(d) The implementation of the Classified AIS Security Program
with the Classified Material Protection and Control,
Personnel Security, Physical Security, Communications
Security, Protected Distribution Systems, TEMPEST,
Materials Control and Accountability, and other
applicable programs, as appropriate.
(9) Develop, publish, and distribute technical AIS guidelines for
the security of classified AISs.
(10) Coordinate, through the Central Training Academy, the
development, presentation, and maintenance of classified AIS
security qualification training programs for CSOMs and CSSMs.
(11) Provide:
(a) Overall guidance and direction for field assistance and
research and development for classified AIS security in
coordination with the Field Operation Division, Office of
Safeguards and Security.
(b) Guidance and direction for an education and awareness
program for the Classified AIS Security Program.
(c) Comanagement and direction, with the Office of
Information Resources Management Policy, Plans and
Oversight, of the DOE Computer Incident Advisory
Capability.
(d) For the collection and dissemination of information
relevant to the Classified AIS Security Program.
(12) Monitor the Classified AIS Security Program findings and
deficiencies resulting from surveys, inspections, and reviews.
(13) For AISs located in Sensitive Compartmented Information
Facilities that process, store, transfer, or provide access to
intelligence information, review the Classified AIS Security
Plan and the certification of the classified AIS received from
cognizant CSOMs and, if acceptable, send the plan and
certification to the Office of Intelligence CSSO with a
recommendation that the Classified AIS Security Plan be
forwarded for approval or accreditation by the Office of
Intelligence DAA.
m. Classified AIS Security Operations Managers shall:
(1) Ensure the implementation of this Order and DOE M 5639.6A-1
for the sites under the jurisdiction of the responsible
Operations Office, or Headquarters Operation Division, Office
of Safeguards and Security.
(2) Ensure the review of the classified AIS security program at
each site under the jurisdiction of the Operations Office or
Headquarters Operation Division, Office of Safeguards and
Security.
(3) Coordinate:
(a) The Classified AIS Security Program with the Unclassified
Computer Security Program Coordinator.
(b) The implementation of the Classified AIS Security Program
with the Classified Material Protection and Control,
Personnel Security, Physical Security, Communications
Security, Protected Distribution Systems, TEMPEST,
Materials Control and Accountability, and other
applicable programs, as appropriate.
(c) The reporting of occurrences under DOE 5000.3B,
OCCURRENCE REPORTING AND PROCESSING OF OPERATIONS
INFORMATION, involving classified AISs by the site(s)
under the jurisdiction of the Operations Office, the
Rocky Flats Office, or the Headquarters Operations
Division, Office of Safeguards and Security.
(4) Evaluate and recommend for accreditation by the appropriate
DAA for those classified AISs for which he/she is not the DAA.
(5) Monitor the responses to findings and other deficiencies
reported in surveys, inspections, and reviews of each site
Classified AIS Security Program to assure that any necessary
corrective or compensatory actions have been completed.
(6) Review site submissions of unique threats to classified AISs.
(7) Review and recommend approval of the appropriate DAA of those
Classified AIS Security Plans for which he/she is not the DAA.
n. Classified AIS Security Site Managers shall:
(1) Establish, document, implement, and monitor the Classified AIS
Security Program for the site and assure site compliance with
Departmental policies, standards, and procedures for
classified AISs.
(2) Identify and document the unique site threats for classified
AISs and forward to the DAA in coordination with the CSOM.
(3) Approve changes to site classified AISs that do not deviate
from the Classified AIS Security Requirements Specification
(see DOE M 5639.6A-1, Chapter V).
(4) Review any modifications to a classified AIS that deviate from
the Security Requirements Specification and forward to the DAA
in coordination with the CSOM for approval.
(5) Ensure:
(a) That each AIS processing classified information on the
site or facility is included in a Configuration
Management Program.
(b) Appointment of a Classified AIS Security Officer (CSSO),
either a DOE or covered contractor employee, for each
classified AIS at a site or facility and the
identification of the individual in the Classified AIS
Security Plan. An individual may serve as the CSSO for
one or more classified AISs.
(c) That site data owners are queried to identify any special
security requirements for classified AISs.
(d) The development of the security test plans for each
classified AIS.
(e) The implementation of a procedure for the periodic
validation/revalidation of user identification (user ID)
and for prompt cancellation when a user ID is no longer
needed.
(f) That the site classified AIS security program is
consistent with the Site Safeguards and Security Plan or
the Site Security Plan.
(g) That classified AIS security training and awareness
programs for CSSOs and users are developed, presented,
and documented.
(h) That a training program for classified AIS escorts is
developed, presented, and documented.
(6) Assist the CSSO in the development of a security test plan and
submit the security test plan for approval by the appropriate
DAA for each classified AIS that is proposed for
accreditation.
(7) Review and approve Classified AIS Security Plans prior to
transmittal to the CSOM for action.
(8) Certify, in writing, to the CSOM that a classified AIS that is
proposed for accreditation is protected as described in the
Classified AIS Security Plan and that the specified security
controls are in place and properly implemented.
(9) Certify, in compliance with DOE 1360.1B, that classified AIS
site procurements (hardware, software, and services) meet
security requirements.
(10) Assist the CSSO in the development of Classified AIS Security
Plans for each classified AIS.
(11) Maintain a list of all accredited classified AISs on the site
or facility.
(12) Establish site procedures:
(a) To detect and deter waste, fraud, or abuse.
(b) To govern marking, handling, control, transportation,
destruction, and removal of classified AIS media and
equipment containing classified information.
(c) For clearing and sanitizing classified AIS media (for
subsequent treatment as unclassified media) and for
ensuring the use of approved degaussing equipment.
(d) To ensure that vendor-supplied authentication (password,
account names) features or security-relevant features are
properly implemented.
(e) For the reporting of occurrences involving classified AIS
in compliance with DOE 5000.3B.
(f) For user acknowledgement of the Code of Conduct as
provided in DOE M 5639.6A-1.
(g) For protection of classified AISs from malicious code,
viruses, and intruders (hackers).
(h) To govern the use of public domain software and enforce
the prohibition against the use of personally owned
software and/or hardware on classified AIS.
(13) Coordinate:
(a) The implementation of the site classified AIS security
program with the classified material protection and
control, personnel security, physical security,
communications security, protected distribution systems,
TEMPEST, materials control and accountability, and other
site programs, as appropriate.
(b) The site classified AIS security program with the
Unclassified Computer Security Program Manager as defined
in DOE 1360.2B, UNCLASSIFIED COMPUTER SECURITY PROGRAM.
(14) Develop a site self-assessment program for the classified AIS
security program as defined in DOE 5639.1, INFORMATION
SECURITY PROGRAM.
(15) Perform an internal review (see page I-8, paragraph 11b,
DOE M 5639.6A-1) of the site classified AIS security program,
midway between surveys conducted as required by DOE 5634.1B,
FACILITY APPROVALS, SECURITY SURVEYS, AND NUCLEAR MATERIALS
SURVEYS. Upon completion of the review, prepare a summary,
including actions taken to correct identified findings or
vulnerabilities.
(16) Initiate requests (to the CSPM) for the Independent Validation
and Verification review and testing of classified AISs with a
Protection Index of two or greater.
o. Classified AIS Security Officers shall:
(1) Ensure the implementation of security measures for each
classified AIS for which he/she is responsible.
(2) Prepare, maintain, and implement a Classified AIS Security
Plan that accurately reflects the installation and security
provisions for each classified AIS for which he/she is
responsible.
(3) Perform a risk assessment to determine if additional
countermeasures beyond those identified in this Order and DOE
M 5639.6A-1 are required, if so directed by the DAA and an
identified unique local threat exists.
(4) Identify and document any unique threats for the classified
AIS for which he/she is the CSSO and forward to the CSSM.
(5) Develop and implement a certification test plan for each
classified AIS for which he/she is the CSSO.
(6) Advise the CSSM, in writing, that the classified AIS security
program has been implemented as described in the Classified
AIS Security Plan and that the specified security controls are
in place and properly implemented.
(7) Maintain the record copy of the Classified AIS Security Plan
and related documentation for each classified AIS for which
he/she is the CSSO.
(8) Ensure:
(a) The development, documentation, and testing, if required,
of a continuity of operations plan based on guidance from
the responsible management official.
(b) That each classified AIS for which he/she is responsible
is covered by the site Configuration Management Program.
(c) That the proper sensitivity level of the information is
determined prior to use on the classified AIS and that
the proper security measures are implemented to protect
this information.
(d) That unauthorized personnel are not granted use of, or
access to, a classified AIS.
(e) The implementation of formal access controls for each
classified AIS, except personal computers and standalone
workstations.
(9) Document any special security requirement identified by the
data owners and the protection measures implemented to fulfill
these requirements for the information contained in the
classified AIS.
(10) Implement and document audit and review processes for each
classified AIS.
(11) Implement site procedures:
(a) To govern marking, handling, controlling, removing,
transporting, sanitizing, reuse, and destruction media
and equipment containing classified information.
(b) To detect and deter waste, fraud, or abuse.
(c) To ensure that vendor-supplied authentication (password,
account names) features or security-relevant features are
properly implemented.
(d) For the reporting of classified AIS security incidents.
(e) Requiring that each classified AIS user sign an
acknowledgement of responsibility (Code of Conduct) for
the security of classified AISs and classified
information.
(f) For the detection of malicious code, viruses and
intruders (hackers).
(12) Identify classified AIS security training (including
system-specific training) needs to ensure that system users
are properly trained and recommend personnel to attend
training programs.
(13) Conduct classified AIS ongoing security reviews and testing to
periodically verify that security features and operating
controls are functional and effective.
(14) Evaluate proposed changes or additions to the classified AIS
and advise the CSSM of their security relevance.
p. Classified AIS Application/Data Owners shall:
(1) Determine and declare the sensitivity level of information
prior to the information being processed, stored, transferred,
or accessed on the classified AIS.
(2) Advise the CSSO of any special security requirements for
information to be processed on the classified AIS.
(3) Determine and document the data and application(s) that are
essential to the fulfillment of the mission of the site and
ensure that requirements for contingencies are determined and
implemented.
q. Users of the Classified AIS shall:
(1) Comply with the Classified AIS Security Program requirements.
(2) Be aware of and knowledgeable about their responsibilities in
regard to classified AIS security.
(3) Be accountable for their actions on a classified AIS.
(4) Ensure that any authentication mechanisms (including
passwords) issued for the control of their access to
classified AISs are not shared and are protected at the
highest classification level and most restrictive
classification category of information to which they permit
access.
(5) Acknowledge, in writing, their responsibilities (Code of
Conduct) for the protection of classified AISs and classified
information.
8. IMPLEMENTATION. The security requirements contained in this Order and
DOE M 5639.6A-1 are to be implemented as follows:
a. Existing Accredited Classified AISs. Shall remain accredited until
such time as reaccreditation is required either because of
expiration of accreditation (3 years) or because of significant
changes in the security requirements of the AIS. Reaccreditation
shall be accomplished under the requirements of this Order and DOE
M 5639.6A-1.
b. Classified AISs in Process of Accreditation. May be accredited
under DOE 5639.6, however, the security requirements of this Order
and DOE M 5639.6A-1 must be met within eighteen months of issuance.
c. New Classified AISs in Development. Classified AISs that are under
development that have not begun certification and security
performance testing shall meet the security requirements of this
Order and DOE M 5639.6A-1 to be accredited.
9. SUPPLEMENTARY DIRECTIVES AND GUIDANCE. Supplementary directives to this
Order pertaining to requirements, standards and procedures shall be
published as DOE Manuals. These Manuals shall contain requirements,
standards, and procedures that are non-discretionary, mandatory
requirements for AIS that process, store, transfer, or provide
concurrent or simultaneous access to both classified and unclassified
information. Such Manuals will be coordinated and published through the
Departmental Directives System. Additional guidance may be issued
containing information pertaining to matters that are discretionary.
10. ASSISTANCE. Questions concerning this Order should be referred, through
the cognizant CSOM, to the CSPM, Information Security Policy Branch,
Office of Safeguards and Security, telephone (301) 903-3019.
BY ORDER OF THE SECRETARY OF ENERGY:
ARCHER L. DURHAM
Assistant Secretary for
Human Resources and Administration
REFERENCES
1. Atomic Energy Act of 1954, as amended, which provides the policy to
control the dissemination and declassification of Restricted Data and
Formerly Restricted Data in such a manner as to assure the common
defense and security.
2. Freedom of Information Act of 1974 (Public Law 93-502) (Title 5 U.S.C.
552) as amended, which establishes guidelines and regulations to
implement the Freedom of Information Act.
3. Privacy Act of 1974 (Public Law 93-579, 88 Stat. 1986 (Title 5 U.S.C.
552a) as amended, which establishes the guidelines and regulations to
implement the Privacy Act. NOTE: Information collected should be
maintained in accordance with the Privacy Act system of records for
maintenance of certain information. The originating office should
contact the Freedom of Information/Privacy Acts Branch, Office of
Administrative Services, for assistance.
4. Executive Order 12356, "National Security Information," of 4-2-82, which
prescribes a uniform system for classifying, declassifying, and
safeguarding National Security Information.
5. Executive Order 12829, National Industrial Security Program, of 1-6-93,
which establishes a program to safeguard Federal Government classified
information that is released to contractors, licensees, and grantees of
the United States Government.
6. National Security Directive 42, "National Policy for the Security of
National Security Telecommunications and Information Systems," of
7-5-90, which provides objectives, policies, and an organizational
structure to guide the conduct of national activities directed toward
safeguarding systems which possess or communicate sensitive information
from hostile exploitation; establishes a measure for policy development;
and assigns responsibilities for implementation. (Replaces NSDD 145)
7. National Telecommunications and Information System Security Publication
(NTISSP) 200, National Policy on Controlled Access Protection, of 7-15-
87, which establishes the requirement that all multiuser classified AIS
systems without a common need-to-know be protected at the C2 level, as
defined in DoD 5200.28-STD, DoD Trusted Computer Systems Evaluation
Criteria, by July 1992.
8. OMB Circular A-130, "Management of Federal Information Resources," of
12-12-85, which promulgates policy and responsibilities for the
development and implementation of computer security programs by
Executive Branch departments and agencies.
9. DOE 1324.2A, RECORDS DISPOSITION, of 9-13-88, which assigns
responsibilities and authorities and prescribes policies, procedures,
standards, and guidelines for the orderly disposition of the records of
the Department.
10. DOE 1324.6, AUTOMATED OFFICE ELECTRONIC RECORDKEEPING, of 7-8-87, which
establishes requirements for managing electronic records: records
created, stored, or transmitted using personal computers, word
processors, and associated electronic office equipment.
11. DOE 1330.1D, COMPUTER SOFTWARE MANAGEMENT, of 5-18-92. which establishes
policies and responsibilities for computer software management.
12. DOE 1360.1B, ACQUISITION AND MANAGEMENT OF COMPUTING RESOURCES, of
1-7-93, which establishes DOE policies and procedures for the
acquisition and management of AIS systems.
13. DOE 1360.2B, UNCLASSIFIED COMPUTER SECURITY PROGRAM, of 5-18-92, which
establishes policy for protecting DOE AIS systems and, in particular,
DOE sensitive unclassified information.
14. DOE 1360.3C, INFORMATION TECHNOLOGY STANDARDS, of 10-19-92, which
establishes responsibilities and policies for the implementation of
Governmentwide information technology standards and for the development
and implementation of Departmentwide information technology standards.
15. DOE 5000.3B, OCCURRENCE REPORTING AND PROCESSING OF OPERATIONS
INFORMATION, of 1-19-93, which establishes a system for reporting of
operations information related to DOE-owned or operated facilities and
processing of that information to provide for appropriate corrective
action in accordance with the policy set forth in paragraph 6 of that
Order.
16. DOE 5300.1C, TELECOMMUNICATIONS, of 6-12-92, which establishes policy
and general guidance for the use, review, coordination, and provision of
telecommunications services for the Department.
17. DOE 5300.2D, TELECOMMUNICATIONS: EMISSION SECURITY (TEMPEST), of
8-30-93, which establishes the telecommunications program for emission
security.
18. DOE 5300.3D TELECOMMUNICATIONS: COMMUNICATIONS SECURITY, of 8-30-93,
which establishes policy, responsibilities, and guidance concerning the
communications security aspects of telecommunications services of the
Department and implements the national telecommunications protection
policy.
19. DOE 5300.4D, TELECOMMUNICATIONS: PROTECTED DISTRIBUTION SYSTEMS, of
3-4-94, which establishes policy for the Department concerning protected
distribution systems used for the transmission of unencrypted classified
or sensitive unclassified information related to national security.
20. DOE 5630.11A, SAFEGUARDS AND SECURITY PROGRAM, of 12-7-92, which
establishes the policy and responsibilities for the Safeguards and
Security Program.
21. DOE 5630.13A, MASTER SAFEGUARDS AND SECURITY AGREEMENTS, of 6-8-92,
which establishes the policy, requirements, responsibilities, and
authorities for the development and implementation of Master Safeguards
and Security Agreements.
22. DOE 5630.14A, SAFEGUARDS AND SECURITY PROGRAM PLANNING, of 6-9-92, which
establishes a standardized approach to protection program planning, and
to prescribe policy objectives, responsibilities, and authority for that
planning process.
23. DOE 5630.15, SAFEGUARDS AND SECURITY TRAINING PROGRAM, of 8-21-92, which
establishes procedures for standardizing and implementing the Safeguards
and Security Training Program for safeguards and security personnel, and
to prescribe the policy, responsibilities, and authority for that
training program.
24. DOE 5630.16A, SAFEGUARDS AND SECURITY ACCEPTANCE AND VALIDATION TESTING
PROGRAM, of 6-3-93, which establishes policy, requirements, and
responsibilities that encompasses systematic processes for demonstrating
the adequacy and functional reliability of critical system elements
and/or total systems employed to meet Safeguards and Security Program
protection needs.
25. DOE 5630.17, SAFEGUARDS AND SECURITY (S&S) STANDARDIZATION PROGRAM, of
9-29-92, which provides policies, procedures, responsibilities, and
authority for the Safeguards and Security Standardization Program to
ensure the most effective and efficient use and procurement of
safeguards and security equipment and systems.
26. DOE 5631.1B, SECURITY EDUCATION BRIEFING AND AWARENESS PROGRAM, of
12-31-91, which establishes policies, responsibilities, and requirements
for the implementation of a security education program for the
Department.
27. DOE 5631.2C, PERSONNEL SECURITY PROGRAM, of 9-15-92, which establishes
the policy, responsibilities, and authorities for implementing the
personnel security program.
28. DOE 5632.1B, PROTECTION PROGRAM OPERATIONS, of 9-8-92, which prescribes
policies for the physical protection of security interests and baseline
physical protection standards.
29. DOE 5632.2A, PHYSICAL PROTECTION OF SPECIAL NUCLEAR MATERIAL AND VITAL
EQUIPMENT, of 2-9-88, which prescribes policy for the physical
protection of special nuclear material and vital equipment, including
nuclear reactors, and to establish baseline requirements and standards
for those security interests.
30. DOE 5632.5, PHYSICAL PROTECTION OF CLASSIFIED MATTER, of 2-3-88, which
establishes policy for the physical protection of classified matter.
31. DOE 5632.6, PHYSICAL PROTECTION OF DOE PROPERTY AND UNCLASSIFIED
FACILITIES, of 2-9-88, which establishes policy for the physical
protection of property and unclassified facilities.
32. DOE 5634.1B, FACILITY APPROVALS, SECURITY SURVEYS, AND NUCLEAR MATERIALS
SURVEYS, of 9-15-92, which establishes the requirements for granting
facility approvals prior to permitting safeguards and security interests
on the premises and for conducting onsite security and nuclear materials
surveys of facilities with safeguards and security interests.
33. DOE 5635.1A, CONTROL OF CLASSIFIED DOCUMENTS AND INFORMATION, of
2-12-88, which provides guidance for the safeguarding and control of
classified documents and information.
34. DOE 5639.1, INFORMATION SECURITY PROGRAM, of 10-19-92, which
establishes the Information Security Program and sets forth policies,
procedures and responsibilities for the protection and control of
classified and sensitive information. The Information Security Program
is a system of elements which serve to deter adversary collection
activities.
35. DOE 5639.3, VIOLATION OF LAWS, LOSSES, AND INCIDENTS OF SECURITY
CONCERNS, of 9-15-92, which assures timely and effective investigation
and other followup actions relating to violations of Federal laws and to
certain losses of security interests.
36. DOE 5639.5, TECHNICAL SURVEILLANCE COUNTERMEASURES PROGRAM, of 8-3-92,
which establishes the Technical Surveillance Countermeasures Program.
37. DOE M 5639.6A-1, MANUAL OF SECURITY REQUIREMENTS FOR THE CLASSIFIED
AUTOMATED INFORMATION SYSTEM (AIS) SECURITY PROGRAM, of xx-xx-xx, which
establishes requirements for the implementation of the DOE Classified
AIS Security Program.
38. DOE 5639.8A, SECURITY OF FOREIGN INTELLIGENCE INFORMATION AND SENSITIVE
COMPARTMENTED INFORMATION FACILITIES, of 7-23-93, which establishes
policy for the protection of Foreign Intelligence Information and
Sensitive Compartmented Information Facilities.
39. DOE 5650.2B, IDENTIFICATION OF CLASSIFIED INFORMATION, of 12-31-91,
which provides specific responsibilities, standards, policy, and
procedures for the management of the classification system.
40. DOE 5670.1A, MANAGEMENT AND CONTROL OF FOREIGN INTELLIGENCE, of 1-15-92,
which provides for the management of, and assigns responsibilities for,
the foreign intelligence activities of the Department.
41. DOE/AD-0028, SOFTWARE MANAGEMENT GUIDE, of 6-92, which assists sites
with developing a software management program to establish and to
maintain control of software integrity, manage software acquisitions,
developments, changes, maintenance, and disposition.
42. DOE/MA-0365, "DOE Risk Assessment Guideline," of 9-89, which provides a
structured approach to conducting risk assessments for DOE computer
systems and sites.
43. DCID 1/16 (Director of Central Intelligence Directive 1/16), "Security
Policy for Uniform Protection of Intelligence Processed in Automated
Information Systems and Networks," of 7-19-88, which establishes policy
for protecting intelligence information in Automated Information
Systems.
DEFINITIONS
1. AUTOMATED INFORMATION SYSTEM HARDWARE. Any equipment or device used in
the configuration and operation of an AIS. Includes general and special
purpose digital, analog and hybrid computers that perform logical,
arithmetic, or storage functions; and all such computers that are used
to process, create, compose, collect, store, edit, communicate, display,
or disseminate information.
2. AUTOMATED INFORMATION SYSTEM SECURITY. The protection resulting from
all measures designed to prevent deliberate or inadvertent unauthorized
disclosure, acquisition, manipulation, modification, or loss of
information contained in a computer system, as well as measures designed
to prevent denial of authorized use of the system.
3. AUTOMATED INFORMATION SYSTEM SECURITY INCIDENT. An adverse event
associated with an AIS; that is, a failure to comply with security
regulations or directives; that results in attempted, suspected, or
actual compromise of information; or that results in the waste, fraud,
abuse, loss, or damage of Government property or information.
4. AUTOMATED INFORMATION SYSTEM SOFTWARE. Programs, procedures, rules, and
any associated documentation developed or acquired for the operation of
a software product.
(Example)
APPOINTMENT DOCUMENT
FOR DESIGNATED ACCREDITING AUTHORITY
Appointment of the Designated Accrediting Authority for the Classified AIS
Security Program
John Doe , Classified AIS Security Operations
Manager,
Albuquerque Operations Office
Name Title, Organization
In accordance with DOE 5639.6A, CLASSIFIED AUTOMATED INFORMATION SYSTEMS
(AIS) SECURITY PROGRAM, dated xx-xx-xx, you are appointed as the Designated
Accrediting Authority for Automated Information Systems (AIS) as defined in
the Order and DOE M 5639.6A-1, MANUAL OF SECURITY REQUIREMENTS FOR THE
CLASSIFIED AIS SECURITY PROGRAM.
You are responsible for fulfilling all the duties and responsibilities
specified in the Order and Manual. You have the authority to assume
responsibility for accepting the remaining level of risk for Classified AIS
operating at a Protection Index of zero, one or two, when all protection
measures have been implemented as Classified AIS Security Plan.
James Jones
Name
Operations Office Manager
Title
cc:
Classified AIS Security Program Manager,
Office of Safeguards and Security