SECNAVINST 5239.3
NISMC
14 JULY 1995

SECNAV INSTRUCTION 5239.3

From: Secretary of the Navy

Subj: DEPARTMENT OF THE NAVY INFORMATION SYSTEMS SECURITY (INFOSEC) PROGRAM

Ref:
(a) DODD TS3600.1 of 21 Dec 92, Information Warfare (NOTAL)
(b) P.L. 100-235 of 8 Jan 88, Computer Security Act of 1987
(c) OMB Circular A-130 of 15 Jul 94, Management of Federal Information Resources (NOTAL)
(d) NSTISSID No. 500 of 25 Feb 93, Telecommunications and Automated Systems Security Education, Training and Awareness
(e) NSTISSD No. 501 of 16 Nov 92, National Training Program for Information System Security (INFOSEC) Professionals
(f) NSTISSD No. 502 of 5 Feb 93, National Security Telecommunications and Automated Information Security
(g) NSTISSP No. 6 of 8 Apr 94, National Policy on Certification and Accreditation of National Security Telecommunications and Information Systems (NOTAL)
(h) DODD 5200.28 of 21 Mar 88, Security Requirements for Automated Information Systems (AISs) (NOTAL)
(i) DODD C-5200.5 of 21 Apr 90, Communication Security (COMSEC) (NOTAL)
(j) DODD C-5200.19 of 23 Feb 90, Control of Compromising Emanations (NOTAL)
(k) DODD 5000.2 of 23 Feb 91, Defense Acquisition Policies and Procedure (NOTAL)
(l) CJCSI 6510.01 of 1 Sep 93, Chairman of the Joint Chiefs of Staff Instruction, Joint and Combined Communications Security (NOTAL)
(m) NSTISSI 4009 of 5 Jun 92, National Information Systems Security (INFOSEC) Glossary (NOTAL)
(n) SECNAVINST 5000.2A of 9 Dec 92, Implementation of Defense Acquisition Management Policies, Procedures, Documentation, and Reports (NOTAL)
(o) SECNAVINST 5231.1C of 10 Jul 93, Life Cycle Management Policy and Approval Requirements for Information System Projects
(p) SECNAVINST 5200.32A of 3 May 93, Acquisition Management Policies and Procedures for Computer Resources

Encl:
(1) List of Acronyms
(2) Glossary of Terms

1. Purpose.
Emerging as an overarching strategy, the discipline of Information Warfare (IW), as promulgated by reference (a), encompasses not only actions that may be taken to potentially affect an adversary's information or information systems but also addresses those defensive aspects necessary to ensure that U.S. information or information systems are protected against attack. Under this defensive portion of IW, Information Systems Security (INFOSEC) is a subset of information assurance which addresses actions taken to protect U.S. information and information systems. The Department of the Navy (DON) INFOSEC policy and procedures, when properly applied, will be a major component of the efforts necessary to ensure the defense of DON information and information systems. The purpose of this instruction is:

a. To establish DON policy for the INFOSEC Program within the IW discipline and to define the organizational responsibilities for implementation of the security disciplines of Communications Security (COMSEC), Computer Security (COMPUSEC), and Emanations Security (TEMPEST) per references (a) through (l).

b. To provide the basic policy and guidelines necessary for consistent and effective application of resources in ensuring the security of national security systems as well as the security and privacy of DON systems/information under the Computer Security Act of 1987 (reference (b)).

2. Cancellation. SECNAVINST 5239.2.

3. Definitions. Reference (m) contains the official glossary of INFOSEC terms. Additional terms and acronyms relevant to this instruction are contained in enclosures (1) and (2).

4. Objectives

a. To establish a DON INFOSEC program that addresses the defensive aspects of IW as promulgated by reference (a).

b. To ensure that information processed, stored or transmitted by DON information systems is adequately protected with respect to confidentiality, integrity, availability and privacy.

c. To integrate the technical and management processes of the various security disciplines (COMSEC, COMPUSEC, and TEMPEST) into a cohesive INFOSEC program.

d. To establish and implement programs that mandate the certification and accreditation of information systems under DON control.

e. To require a life cycle management approach to implementing INFOSEC requirements.

f. To establish standardized INFOSEC training within the DON.

5. Scope

a. This instruction applies to:

(1) All DON activities.

(2) All DON-sponsored contractors who own, procure, use, operate, or maintain information systems at government or contractor facilities.

(3) All information systems and other system resources designed, developed, procured, or managed by DON activities; and by their contractors.

(4) Information systems operated, but not owned, by DON (e.g., Joint Staff, Department of Defense (DoD)).

b. This instruction applies to the protection of all elements of the information systems. Of all the elements, COMSEC, COMPUSEC, and TEMPEST are managed per this instruction. The other Information Security activities, such as protection of information against accidents, disasters, human error, physical, personnel, and operational security are managed under separate instructions.

6. Background. The DON has recognized the urgent need to integrate all available security capabilities into a unified system-oriented engineering approach to provide responsive, cost effective security measures for our information systems. The DON also recognizes that a thorough and consistent approach to INFOSEC for the protection of our information systems is key to the accomplishment of our defense mission and to the protection of lives, property and technology. Mission and organizational realignments have occurred at multiple levels to ensure a unified approach to DON INFOSEC requirements:

a. INFOSEC Program Implementation: The Chief of Naval Operations (CNO) and the Commandant of the Marine Corps (CMC) have established centralized program development and implementation of the DON INFOSEC Program at their levels.

b. INFOSEC Program Execution: Commander, Space and Naval Warfare Systems Command (COMSPAWARSYSCOM) has created a Program Management organization with DON-wide responsibilities for establishing and executing a unified system-oriented engineering approach to INFOSEC.

7. Policy

a. Precedence. Policy and requirements set forth by higher authority take precedence over the policy established in this instruction.

b. Fundamental INFOSEC Policy

(1) Data processed, stored and transmitted by information systems shall be adequately protected with respect to requirements for confidentiality, integrity, availability and privacy.

(2) The nature of the DON mission, accompanied by connectivity and data aggregation issues, has led to the determination that all unclassified information processed by DON information systems is sensitive. Therefore, all DON information systems shall be protected by the continuous employment of appropriate safeguards.

(3) Classified information processed or stored by DON information systems shall be safeguarded as required by that level of classification.

c. Certification and Accreditation. The appropriate Designated Approving Authority (DAA) shall accredit every DON information system before operation. The accreditation statement shall identify the required confidentiality, integrity, and availability services and constraints under which the system can operate including data sensitivity, user authorization, physical and system configuration. For those information systems supporting cryptologic functions, Sensitive Compartmented Information (SCI)/Intelligence data, or Single Integrated Operations Plan (SIOP) data, accreditation requests shall be forwarded to the appropriate authority.
(1) Certification of DON information systems shall be performed and documented by competent personnel in accordance with specified criteria, standards and guidelines.

(2) Accreditation of DON information systems shall be performed by competent management personnel in a position to balance operational mission requirements and the residual risk of system operation. All accreditation decisions shall be documented and contain a statement of residual risk.

(3) Accreditation of DON information systems shall be performed when information systems are interconnected to other previously accredited information systems and networks. The DAA shall ensure that operation of the resultant system does not incur any additional unacceptable risk.

d. Life Cycle Management. This instruction shall be reviewed for applicability to all DON information systems being acquired in accordance with references (b), (n), (o), and (p). The INFOSEC policy and requirements are applicable throughout the life cycles of all DON systems.

(1) A System Security Plan (SSP) should be developed and maintained for all computer systems (reference (b)). This plan includes the protection strategy planned, including the certification and accreditation processes.

(2) At each milestone decision point, INFOSEC requirements shall be discussed in sufficient detail and tailored to the milestone under review and the complexity of the project. The discussion shall specifically address the issues of confidentiality, integrity and availability.

e. Training. The ability to provide comprehensive assurance that DON information is adequately protected is directly related to the qualifications of the individuals operating DON information systems. In accordance with references (b), (d) and (e) all individuals operating DON information systems will be afforded appropriate training and awareness information commensurate with their duties, responsibilities and the level of information protection required.

8. Responsibilities

a. The Assistant Secretary of the Navy (ASN) for Research, Development, and Acquisition (RD&A) shall:

(1) Issue the appropriate DON policies and guidance providing implementation details and procedures for the INFOSEC program.

(2) Oversee the DON acquisition process as it relates to the INFOSEC program.

b. The Deputy Assistant Secretary of the Navy (DASN) for Command and Control, Communications, Computers, and Intelligence/Electronic Warfare/Space (C4I/EW/Space) shall review resource requirements necessary to implement and execute the DON INFOSEC program.

c. The Commander, Naval Information Systems Management Center (NISMC) shall:

(1) Serve as the coordinator for DON INFOSEC Policy.

(2) Ensure that INFOSEC activities, with respect to the scope of programs covered by reference (p), are integrated into the overall DON major system acquisition process.

(3) Ensure that INFOSEC is integrated into the DON Life Cycle Management process.

(4) Monitor the implementation of this instruction.

d. The Chief of Naval Operations (CNO) shall:

(1) Serve as the Program/Resource Sponsor for the DON INFOSEC Program.

(2) Manage the Navy INFOSEC Program including DON program development, implementation, planning, programming, and budgeting.

(3) Establish and validate Navy INFOSEC requirements; coordinate INFOSEC requirements of joint military department concern with the Joint Staff in accordance with reference (k).

(4) Establish senior INFOSEC advisory boards with CMC representation to advise on DON INFOSEC policy and guidance as required.

(5) Coordinate the development and implementation of appropriate guidance documents.

(6) Provide Navy representative to the National Security Telecommunications and Information System Security Committee (NSTISSC), Subcommittee for Telecommunications Security (STS), and Subcommittee for Information System Security (SISS).
(7) Serve as the DAA for Navy-wide and joint service information systems (where Navy is the assigned lead) and ensure that DAAs are identified for other Navy information systems.

(8) Advise NISMC of INFOSEC issues that may have a DON or DoD-wide impact.

(9) Develop a DON INFOSEC training program.

(10) Develop and maintain the DON INFOSEC Master Plan in coordination with CMC and Systems Commands.

(11) Coordinate DON INFOSEC requirements for the DON Service Cryptologic Element (SCE) security program with the National Security Agency (NSA).

(12) Coordinate DON INFOSEC requirements for the DON Sensitive Compartmented Information (SCI)/Intelligence program, and the DON portion of the DoD Intelligence Information System (DODIIS) with the Defense Intelligence Agency (DIA).

(13) Provide recommendations to NISMC for the revision of other DoD and DON documents to standardize DON INFOSEC across all activities.

e. The Commandant of the Marine Corps (CMC) shall:

(1) Advise NISMC of Marine Corps INFOSEC issues that may have a DON or DoD-wide impact.

(2) Ensure that DAAs are identified and security services provided for Marine Corps information systems.

(3) Endorse and forward Marine Corps validated INFOSEC software and equipment procurement requirements to CNO for equal consideration during the development of the DON Program Objective Memorandum (POM).

(4) Submit validated Marine Corps INFOSEC requirements to CNO for inclusion in the DON INFOSEC Master Plan.

(5) Establish senior INFOSEC advisory boards with CNO to advise on DON INFOSEC policy and guidance as required.

(6) Provide recommendations to NISMC for the revision of other DoD and DON documents to institutionalize INFOSEC.

(7) Provide CMC representation to the NSTISSC, STS, and SISS.

f. The Chief of Naval Research (CNR) shall:

(1) Manage the DON INFOSEC Program within the Office of Naval Research (ONR).

(2) Advise NISMC of ONR INFOSEC issues that may have a DON or DoD-wide impact.
(3) Provide appropriate representation to INFOSEC advisory boards.

(4) Ensure that a DAA and security support are provided for each ONR information system.

(5) Consolidate and forward the ONR COMSEC equipment requirements to CNO for validation and consideration during development of the POM.

(6) Provide the technical base for the DON INFOSEC Research and Development (R&D) Program within ONR.

(7) Designate a DON Center for Computer High Assurance Systems (CCHAS). As part of the DON INFOSEC Program, the CCHAS shall:

(a) Maintain liaison with NSA regarding INFOSEC R&D.

(b) Conduct R&D in evaluation methodologies for application systems.

(c) Provide INFOSEC research support to other DON activities.

g. The Commanders, Naval Systems Commands (SYSCOMs) shall:

(1) Submit INFOSEC POM recommendations to CNO for validation and consolidation in the DON INFOSEC Master Plan. Marine Corps recommendations shall be submitted via CMC.

(2) Coordinate INFOSEC integration into information systems with COMSPAWARSYSCOM.

(3) Ensure that each information system acquisition or deployment under the command's purview adheres to the DON life cycle management policy.

h. Commander, Space and Naval Warfare Systems Command (COMSPAWARSYSCOM). In addition to the responsibilities set forth for SYSCOMs, COMSPAWARSYSCOM shall:

(1) As the technical lead for DON INFOSEC, provide systems engineering and integration support to the systems commands for all DON information systems with INFOSEC requirements.

(2) Budget for DON INFOSEC programs as defined in the INFOSEC Master Plan.

(3) Integrate INFOSEC engineering and integration into the Warfare Systems Engineering Process.

(4) Develop and manage the DON INFOSEC R&D Program.

(5) Develop and acquire DON standard and specified INFOSEC products in accordance with the DON INFOSEC Master Plan, ensuring that a Certification Authority and an In-Service Engineering Activity (ISEA) and/or Software Support Activity (SSA) are assigned.
(6) Budget for operations and maintenance funding for fielded DON centrally procured INFOSEC products and systems throughout their life-cycle.

(7) Establish Memorandum of Agreement (MOA) with NSA, as necessary, to facilitate the embedding and/or development of INFOSEC equipment/models.

(8) Provide direct liaison with NISMC on INFOSEC acquisition issues.

i. The Director, Naval Criminal Investigative Service (NCIS) shall:

(1) Investigate fraud, waste, abuse and other criminal violations involving DON information systems.

(2) Maintain a staff skilled in the investigation of computer crime. This staff may be augmented, when necessary, by personnel provided by other DON activities.

(3) Collect threat information and disseminate as appropriate.

9. Action. All action addressees shall implement this guidance within their organizations. All developing and operating activities shall budget for, fund and execute the actions necessary to comply with this instruction and the implementing documents that support it.

W. C. Bowes
Principal Deputy Assistant Secretary of the Navy (Research, Development and Acquisition)

Distribution:
SNDL
A1 (Immediate Office of the Secretary) (AAUSN, ASN(RDA) and DASN (C4I/EW/Space) only)
A2A (Department of the Navy Staff Offices) (CNR and NAVCOMPT only)
A3 (Chief of Naval Operations) (N6 and N09 only) (25)
A6 (CMC) (75)
D30 (NAVINFOSYSMGTCEN) (50)
FKA1 (Syscoms Commands)
MARCORPS PCN 71000000000 and 71000000100

Copy to:
SNDL
22A (Fleet Commanders)
24 (Type Commanders) (less 24E)
26H (Fleet Training Group and Detachment)
A2A (Department of the Navy Staff Offices) (less CNR and NAVCOMPT)
B1B (Offices of the Secretary of Defense)
B3 (College and University)
B5 (U. S. Coast Guard)
C25A (OPNAV Support Activity Detachment (Ft. Ritchie, only))
C4L (Navy Laboratories)
C4EE (Center for Naval Analyses)
FKP14 (FCDSSA)
FKP16 (NAVSSES)
FKP18 (NAVSEAADSA)
FKP20 (AEGIS TRACEN)
FL4 (Regional Data Automation Center, Data Automation Facility)
FT74 (NROTCU)
W (Department of the Navy Echelon 2 Activities) (less Syscoms) (5)

SECNAV/OPNAV Directives Control Office
Washington Navy Yard Building 200
901 M Street SE
Washington DC 20374-5074 (20 copies)

Order from:
Naval Inventory Control Point
Cog "I" Material
700 Robbins Avenue
Philadelphia, PA 19111-5098

Stocked: 50 copies

LIST OF ACRONYMS

AIS                   Automated Information Systems
ASN                   Assistant Secretary of the Navy
CCHAS                 Center for Computer High Assurance Systems
CMC                   Commandant of the Marine Corps
COMPUSEC              Computer Security
COMSEC                Communications Security
CNO                   Chief of Naval Operations
CNR                   Chief of Naval Research
DAA                   Designated Approving Authority
DASN (C4I/EW/Space)   Deputy Assistant Secretary of the Navy (Command, Control, Communications, Computers and Intelligence/Electronic Warfare/Space)
DIA                   Defense Intelligence Agency
DoD                   Department of Defense
DODIIS                Department of Defense Intelligence Information System
DON                   Department of the Navy
INFOSEC               Information Systems Security
IS                    Information System
ISEA                  In-Service Engineering Activity
IW                    Information Warfare
LCM                   Life Cycle Management
MARCORSYSCOM          Marine Corps Systems Command
MOA                   Memorandum of Agreement
NCIS                  Naval Criminal Investigative Service
NISMC                 Naval Information Systems Management Center
NSA                   National Security Agency
NSTISSC               National Security Telecommunications and Information System Security Committee
ONR                   Office of Naval Research
POM                   Program Objective Memorandum
RD&A                  Research, Development and Acquisition
R&D                   Research and Development
SCI                   Sensitive Compartmented Information
SECNAV                Secretary of the Navy
SIOP                  Single Integrated Operations Plan
SISS                  Subcommittee on Information Systems Security
SPAWAR                Space and Naval Warfare Systems Command
SSA                   Software Support Activity
SSP                   System Security Plan
STS                   Subcommittee on Telecommunications Security
SYSCOM                Systems Command

Enclosure (1)