UNCLASSIFIED
APPENDICES
APPENDIX A - CONTENTS OF AN INTERCONNECTION SECURITY AGREEMENT (ISA)
A.A Policy Basis. An Interconnection Security Agreement (ISA) is required whenever a system accredited by one DAA is connected to another system accredited by a different DAA. It documents and formalizes the interconnection arrangement and stipulates specific requirements for it. This appendix provides general guidance regarding the ISA's contents, but individual ISAs may be tailored by mutual consent.
A.B Contents of an ISA
A.B.1 An ISA shall include the following items:
A.B.1.a A general description of the information to be offered to the interconnected system by each participating system.
A.B.1.b A description of the kinds of information services to be offered to the interconnected system by each participating system.
A.B.1.c A discussion of all security details pertinent to the exchange of information between the systems in question.
A.B.1.d A summary discussion of the aspects of trusted behavior expected by and from each system in the interconnected system.
A.B.1.e The detailed discussion of new or additional security awareness and training requirements, including assignment of responsibility for providing the training to all users of the interconnected system and, if appropriate, for developing new awareness and training materials.
A.B.2 The ISA shall address the following aspects of security:
A.B.2.a The security policies that each system's Security Support Structure is designed to enforce along with the security policies of the resultant interconnected system.
A.B.2.b The classifications, categories, and sensitivities of the information to be exchanged, in particular, the highest classification and sensitivity and the most restrictive protection requirements for information to be handled through the interconnection.
A.B.2.c The nature of the services (e.g., individual user, consumer, file query, general computational services) that each system is to provide.
A.B.2.d A careful and thorough description of the user community and/or information recipients to be served by the interconnected systems. The description must specify all formal access approvals required.
A.B.2.e The clearance circumstances and nationalities of the defined user communities, including the lowest clearance of any individual who will have access to the interconnected system.
A.B.2.f The Confidentiality Protection Level, Integrity and Availability Levels-of-Concern, and levels of technical requirements for all participating systems; a description of any revised or new restrictions to be placed on terminals, including their usage, location, and physical accessibility.
A.B.2.g Any special considerations for dial-up connections to any system in the proposed interconnection, including the security threats that such arrangements imply and the safeguards to protect against them.
A.B.2.h A specification of the security parameters to be transmitted by each system to others with which it wishes to exchange information or from which it solicits information or other services.
A.B.2.h(1) The nature of the security parameters may depend on, and be different for, various classes of service.
A.B.2.h(2) The security parameters to be exchanged between systems shall be sufficient for each system involved to ascertain the following information:
A.B.2.h(2)(a) Whether the requesting system is a legitimate requester.
A.B.2.h(2)(b) Whether the class of service requested falls within that prescribed by the ISA.
A.B.2.h(3) Transmission of user identification and its associated authentication could satisfy the requirement for these security parameters.
A.B.2.i Any required security parameters that are to be exchanged and that go beyond the established requirements of this document.
A.B.2.i(1) For example, sufficient security parameters may be required under some circumstances (e.g., personal accountability) to allow the respondent system to determine the following information:
A.B.2.i(1)(a) Whether a requesting individual user is authorized to receive the information and/or system services requested.
A.B.2.i(1)(b) Whether all details of the transaction fall within the individual-user services described in the ISA.
A.B.2.i(2) Transmission of some additional identifying parameter such as employee identification number or secondary authenticator could satisfy such an additional requirement.
A.B.2.j A description of the security protections in the data communications arrangements, both local to each participating system as well as the long-haul connections between them.
A.B.2.k A description of how participating systems will share the audit trail responsibilities and what events each will log. The information collected in the several audit trails, when taken together, constitutes the audit trail for the interconnected system; it must be adequate to meet the general purposes intended for audit trails.
A.B.2.l The details of an overall security plan for the interconnected system and assignment of responsibilities for producing and accepting the plan. This plan shall be an addendum to the security plans of each participating system.
A.B.2.m A description of the agreements made concerning the reporting of and responses to information security incidents.
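The security-parameter exchange in A.B.2.h and A.B.2.i amounts to a two-stage decision on the respondent side: first, is the requesting system a legitimate party to the ISA and is the requested class of service one the ISA prescribes; second, for services that carry personal accountability, is the individual user authorized. The following is an added example, not text or code from the ISA guidance itself, showing how a respondent system could encode those checks as a small policy object and, as A.B.2.k requires, record every decision for the shared audit trail. The partner names, secrets, service names and user identifiers are constructed for the example; the system-level authenticator is modelled as a shared secret purely for illustration.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class IsaPartner:
    """What the ISA prescribes for one participating system (all values constructed)."""
    system_id: str
    system_secret: str                    # stand-in for the system-level authenticator (A.B.2.h(3))
    allowed_services: FrozenSet[str]      # classes of service prescribed by the ISA (A.B.2.h(2)(b))
    accountable_services: FrozenSet[str]  # services needing the extra individual-user parameters (A.B.2.i)
    user_authenticators: Dict[str, str] = field(default_factory=dict)  # user id -> secondary authenticator


@dataclass(frozen=True)
class ServiceRequest:
    """Security parameters a requesting system transmits along with its request."""
    system_id: str
    system_authenticator: str
    service: str
    user_id: Optional[str] = None
    user_authenticator: Optional[str] = None


class IsaPolicy:
    """Evaluates requests against the ISA and records each decision for the shared audit trail."""

    def __init__(self, partners: List[IsaPartner]) -> None:
        self.partners: Dict[str, IsaPartner] = {p.system_id: p for p in partners}
        self.audit_trail: List[str] = []  # the respondent's contribution to the joint audit trail (A.B.2.k)

    def _decide(self, allowed: bool, reason: str, req: ServiceRequest) -> Tuple[bool, str]:
        outcome = "PERMIT" if allowed else "DENY"
        self.audit_trail.append(
            f"{outcome} system={req.system_id} service={req.service} user={req.user_id} reason={reason}")
        return allowed, reason

    def evaluate(self, req: ServiceRequest) -> Tuple[bool, str]:
        partner = self.partners.get(req.system_id)
        # A.B.2.h(2)(a): is the requesting system a legitimate requester?
        if partner is None or not hmac.compare_digest(partner.system_secret, req.system_authenticator):
            return self._decide(False, "requesting system is not a legitimate requester", req)
        # A.B.2.h(2)(b): does the class of service fall within what the ISA prescribes?
        if req.service not in partner.allowed_services:
            return self._decide(False, "class of service not prescribed by the ISA", req)
        # A.B.2.i: for personally accountable services, is the individual user authorized?
        if req.service in partner.accountable_services:
            expected = partner.user_authenticators.get(req.user_id or "")
            if (expected is None or req.user_authenticator is None
                    or not hmac.compare_digest(expected, req.user_authenticator)):
                return self._decide(False, "individual user not authorized for this service", req)
        return self._decide(True, "request within the ISA", req)


def build_sample_policy() -> IsaPolicy:
    """A constructed ISA with one partner system; file queries carry personal accountability."""
    return IsaPolicy([IsaPartner(
        system_id="SYSTEM-B",
        system_secret="b-system-key",
        allowed_services=frozenset({"file-query", "messaging"}),
        accountable_services=frozenset({"file-query"}),
        user_authenticators={"emp-1001": "secondary-1001"},
    )])


if __name__ == "__main__":
    policy = build_sample_policy()
    print(policy.evaluate(ServiceRequest("SYSTEM-B", "b-system-key", "messaging")))
    print(policy.evaluate(ServiceRequest("SYSTEM-B", "b-system-key", "file-query")))
    print(policy.evaluate(ServiceRequest("SYSTEM-B", "b-system-key", "file-query", "emp-1001", "secondary-1001")))
    print("\n".join(policy.audit_trail))
```

The order of the checks matters: a request from an unknown or unauthenticated system is refused before any service or user parameter is examined, so the respondent never reveals which services or users the ISA covers to a party that is not a legitimate requester. Every decision, permitted or denied, lands in the audit trail so that the two systems' logs can be combined as A.B.2.k requires.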
APPENDIX B - GLOSSARY OF TERMS
The property that allows auditing of information system activities to be traced to persons or processes that may then be held responsible for their actions.
The official management decision to permit operation of an IS in a specified environment at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards.
The management constraints, operational, administrative, and accountability procedures and supporting control established to provide an acceptable level of protection for data.
Attempt to gain unauthorized access to an IS's services, resources, or information, or the attempt to compromise an IS's integrity, availability, or confidentiality.
Means used to confirm the identity of a station, originator, or individual. For example, a password is often used to authenticate the individual using a particular user identifier.
An authenticator that is used (sometimes in addition to a sign-on authenticator) to allow access to specific data or functions by members of a particular group, and that may be shared among all members of a group.
Timely, reliable access to data and information services for authorized users.
Identification or recognition of a person based on distinguishing characteristics or traits (e.g., fingerprint, retinal pattern).
Blacklisting is the process of the system invalidating a user ID based on the user's inappropriate actions. A blacklisted user ID cannot be used to log on to the system, even with the "correct" authenticator. Blacklisting can be permanent (i.e., until lifted by administrative action), or temporary (i.e., until lifted by the system, without administrative action, usually after a time has elapsed). Blacklisting and lifting of a blacklisting are both security-relevant events.
For purposes of identifying the Protection Level for confidentiality of a system to be accredited, the system has a conceptual boundary that extends to all intended users of the system, both directly and indirectly connected, who receive output from the system without a reliable human review by an appropriate authority. The location of such a review is commonly referred to as an "air gap."
The comprehensive evaluation of the technical and non-technical security features of an IS and other safeguards, made as part of and in support of the accreditation process, to establish the extent to which a particular design and implementation meet a specified set of security requirements.
Formal certification of authorization to have access to classified information other than that protected in a special access program (including SCI). Clearances are of three types: confidential, secret, and top secret. A top secret clearance permits access to top secret, secret, and confidential material; a secret clearance, to secret and confidential material; and a confidential clearance, to confidential material.
Removal of data from an information system, its storage devices, and other peripheral devices with storage capacity, in such a way that the data may not be reconstructed using common system capabilities (i.e., through the keyboard); however, the data may be reconstructed using laboratory methods.
An individual or a process acting on behalf of an individual who makes requests of a guard or dedicated server. The client's requests to the guard or dedicated server can involve data transfer to, from, or through the guard or dedicated server.
The applications and technology (e.g., whiteboarding, group conferencing) that allow two or more individuals to share information in an inter- or intra-enterprise environment enabling them to work together toward a common goal.
Assurance that information is not disclosed to unauthorized entities or processes.
A mechanism that facilitates the adjudication of different interconnected system security policies (e.g., controlling the flow of information into or out of an interconnected system).
That phase of intelligence covering all activity devoted to neutralizing the effectiveness of hostile foreign intelligence collection activities.
Operations performed in converting encrypted messages to plain text without initial knowledge of the cryptoalgorithm and/or key employed in the encryption.
All information significantly descriptive of cryptographic techniques and processes or of cryptographic systems and equipment, or their functions and capabilities, and all cryptomaterial.
The documents, devices, equipment, and associated techniques that are used as a unit to provide a means of encryption (enciphering or encoding).
Art or science concerning the principles, means, and methods for rendering plain information unintelligible and for restoring encrypted information to intelligible form.
Information relating to cryptography and cryptanalysis.
The organization that has final statutory and operational authority for specified information.
An administrative action following sanitization of the IS or the storage media that the owner of the IS or media takes when the classification is lowered to unclassified. Declassification allows release of the media from the controlled environment if approved by the appropriate authorities.
A specialized IS in which there is no user code present, which can only be accessed by IS administrators and maintainers, and which provides non-interactive services to clients (e.g., packet routing or messaging services).
(1) To reduce the magnetization to zero by applying a reverse (coercive) magnetizing force, commonly referred to as demagnetizing, or (2) to reduce the correlation between previous and present data to a point that there is no known technique for recovery of the previous data.
An electrical device or hand-held permanent magnet assembly that generates a coercive magnetic force for the purpose of degaussing magnetic storage media or other magnetic material.
A procedure that reduces the magnetic flux to virtual zero by applying a reverse magnetizing field.
Designated Accrediting Authority (DAA)
The official with the authority to formally assume responsibility for operating a system at an acceptable level of risk.
A plan that provides for the continuity of system operations after a disaster that makes normal system operation infeasible.
Discretionary Access Control (DAC)
A means of restricting access to objects (e.g., files, data entities) based on the identity and need-to-know of subjects (e.g., users, processes) and/or groups to which the object belongs. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control).
Security level S1 is said to dominate security level S2 if the hierarchical classification (confidential, secret, or top secret) of S1 is greater than or equal to that of S2 and the non-hierarchical categories (e.g., specific SCI or SAP controls) of S1 include all of those of S2 as a subset.
The short name referring to investigation, study, and control of compromising emanations from IS equipment.
The acronym for Erasable, Programmable, Read-Only Memory, a field-programmable read-only memory that can have the data content of each memory cell altered more than once. Sometimes referred to as a re-programmable read-only memory.
A private network that uses Web technology, permitting the sharing of part of an enterprise's information or operations with suppliers, vendors, partners, customers, or other enterprises.
A formalization of a security determination that an individual is authorized access, on a need-to-know basis, to a specific type of classified information, such as Sensitive Compartmented Information (SCI), that imposes safeguarding and access requirements that exceed those normally required for information at the same classification level.
See Authenticator.
The intelligence derived from the data on or about a system, or the intelligence obtained from the structure or organization of that data.
Information Operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing restoration of information systems by incorporating protection, detection, and reaction capabilities.
Action taken to affect adversary information and information systems while defending one's own information and information systems.
Information System (IS)
Any telecommunications and/or computer related equipment or interconnected system or subsystems of equipment that is used in the acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of voice and/or data (digital or analog); includes software, firmware, and hardware.
Information System Security Manager (ISSM)
The manager responsible for an organization's information system security program.
Information System Security Officer (ISSO)
The person responsible to the ISSM for ensuring that operational security is maintained for a specific IS, sometimes referred to as a Network Security Officer.
Protection against unauthorized modification or destruction of information.
A cryptographic checksum designed and implemented so that the order of difficulty in undetectably modifying the item checksummed (e.g., file, message) is comparable to the order of difficulty in breaking the cryptographic algorithm used.
A set of separately-accredited systems that are connected together.
A private network using Web technology that is employed within the confines of a given enterprise (e.g., internal to a business or agency).
An accreditation process that is required when an IS is not under the sole jurisdiction of a single accrediting authority.
The principle requiring that each subject is granted the most restrictive set of privileges or accesses needed for the performance of authorized tasks.
The Level-of-Concern is a rating assigned to an IS by the DAA. A separate Level-of-Concern is assigned to each IS for confidentiality, integrity, and availability. The Level-of-Concern for confidentiality, integrity, and availability can be Basic, Medium, or High. The Level-of-Concern assigned to an IS for confidentiality is based on the sensitivity of the information it maintains, processes, and transmits. The Level-of-Concern assigned to an IS for integrity is based on the degree of resistance to unauthorized modifications. The Level-of-Concern assigned to an IS for availability is based on the needed availability of the information maintained, processed and transmitted by the system for mission accomplishment, and how much tolerance for delay is allowed.
Software or firmware that is designed with the intent of having some adverse impact on the confidentiality, integrity, or availability of an IS.
Mandatory Access Control (MAC)
A means of restricting access to objects based on the sensitivity of the information contained in the objects and the formal authorization (i.e., clearance, formal access approvals, and need-to-know) of subjects to access information of such sensitivity.
Master System Security Plan (MSSP)
An identification of common security information for "similar systems" at a given site or facility. The MSSP, which is required for all site-based accreditations, contains the site CONOPS and architecture and includes a listing of all systems covered under the site-based accreditation, a description of how the site complies with the requirements of this manual, and a "wiring diagram" showing external connections.
All forms of storage (e.g., disks, memory, or paper output).
A written agreement among the DAAs responsible for the information processed and maintained by an IS (or collection of ISs). The MOA stipulates all of the terms and conditions of the security arrangements that will govern the operation of the IS(s). The MOA shall include at least: (1) a general description of the information to be offered by each participating DAA; and (2) a discussion of all of the security details pertinent to the exchange of information between the DAAs. In addition, where the MOA is to cover an interconnected network of ISs under the purview of different DAAs, the MOA shall also include a description of the types of information services each participating IS will provide, and identify a lead DAA. If no lead DAA is named, then both parties share responsibility.
Mission-Critical [Information]
Any information processed, transmitted, stored, or displayed within or over an intelligence information system that is determined to be essential to the operational readiness or mission effectiveness of the intelligence community or its components, where essential refers to information related to any function, the loss of which would slow, impede, or stop the basic operations of the intelligence community.
Mission-Critical Information System
Any information system (or components thereof) that is used to process, store, or display mission-critical information.
The code obtained from remote systems, transmitted across a network, and then downloaded onto and executed on a local system.
A system that under normal operation has more than one user accessing it simultaneously. Systems that are accessed by more than one user sequentially (i.e., by one user at a time) without clearing or sanitization between users, are also considered to be multi-user systems; but the DAA can explicitly choose to protect such systems as if they were single-user systems.
A determination made by an authorized holder of classified information that a prospective recipient of information requires access to specific classified information in order to perform or assist in a lawful and authorized governmental function.
Assurance that the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the data.
A passive entity that contains or receives information. Access to an object potentially implies access to the information that it contains.
An object that is sharable between users.
An object that supports both read and write accesses.
Encompasses all those components of the system that are to be accredited by the DAA, and excludes separately accredited systems to which the system is connected.
The processing of various levels of classified and unclassified information at distinctly different times. Under the concept of periods processing, the system must be purged of all information from one processing period before transitioning to the next.
Principal Accrediting Authority (PAA)
The senior official having the authority and responsibility for all intelligence systems within an agency. Within the Intelligence Community, the PAAs are the DCI, EXDIR/CIA, AS/DOS (Intelligence & Research), DIRNSA, DIRDIA, ADIC/FBI (National Security Div), D/Office of Intelligence/DOE, SAS/Treasury (National Security), D/NIMA, and the D/NRO.
The management constraints, operational, administrative, and accountability procedures, and supplemental controls established to provide protection for sensitive information.
The state that exists when information is being accessed or acted upon by one or more steps proceeding in a predetermined sequence or method.
Protected Distribution System (PDS)
A wire line or fiber optic distribution system used to transmit unencrypted classified national security information through an area of lesser classification or control.
An indication of the implicit level of trust that is placed in a system's technical capabilities. A Protection Level is based on the classification and sensitivity of information processed on the system relative to the clearance(s), formal access approval(s), and need-to-know of all direct and indirect users that receive information from the IS without manual intervention and reliable human review.
See Sanitizing.
The means by which data is presented to a user without a specific action initiated by that user. In client-server terminology, the server initiates, or "pushes," the data to the client, usually in accordance with a pre-established user profile. This interest profile typically contains information categories of interests, e.g., weather forecasts, stock quotes.
A combination of technologies for information dissemination and retrieval. Traditionally, data is retrieved by a user request, such as by a Web user. In this case, the user "pulls" information. Alternatively, an information server may "push" information to the client without client intervention, usually by applying a predefined profile that filters information.
The policy for the tagging of information for records keeping requirements as mandated in the Federal Records Act and the National Archival and Records Requirements.
Any communication over a non-direct data link, including internets, intranets, client-server LANs, telephone lines, etc.
Remote Diagnostics/Maintenance
The operational procedure that involves connection of a system to an external (i.e., outside of the facility securing the system) remote service for analysis or maintenance.
An attack that involves the capture of transmitted authentication or access control information and its subsequent retransmission with the intent of producing an unauthorized effect or gaining unauthorized access.
The individual, approved in writing by the Data Owner, who has final statutory or operational responsibility for establishing protection requirements for a given piece of information within the responsible official's agency. Operationally, the responsible official makes decisions regarding protection of the Data Owner's information within the responsible official's agency.
All data concerning the following, but not including data declassified or removed from the RD category pursuant to section 142 of the Atomic Energy Act:
Design, manufacture, or utilization of atomic weapons;
Production of special nuclear material; or
Use of special nuclear material in the production of energy.
The expected loss from a given attack or incident. For an attack/defense scenario, risk is assessed as a combination of threat (expressed as the probability that a given action, attack or incident will occur, but may also be expressed as frequency of occurrence), vulnerability (expressed as the probability that the given action, attack, or incident will succeed, given that the action, attack or incident occurs) and consequence (expressed as some measure of loss, such as dollar cost, resources cost, programmatic impact, etc.). The total risk of operating a system is assessed as a combination of the risks associated with all possible threat scenarios. Risk is reduced by countermeasures.
Synonymous with risk assessment.
The process of analyzing the threats to and vulnerabilities of an information system, analyzing the potential impact that the loss of information or capabilities of a system would have on national security, and, based upon these analyses, identifying appropriate and cost-effective counter-measures.
The discipline of identifying and measuring security risks associated with an IS, and controlling and reducing those risks to an acceptable level.
Portion of risk that remains after security measures have been applied.
The removal of information from media or equipment such that data recovery using any known technique or analysis is prevented, as well as the removal of all classified labels and markings.
Security Concept of Operations (Security CONOPS)
The guidance provided to those associated with a system concerning the standard operating procedures relating to security protection.
An act or circumstance in which there is a deviation from the requirements of the governing security regulations. Compromise, inadvertent disclosure, need-to-know violation, and administrative deviation are examples of security incidents.
A piece of information that represents the hierarchical classification (confidential, secret, or top secret) and non-hierarchical compartments (e.g., specific SCI or SAP controls) of a subject or object and that thus describes the sensitivity of the data in the subject or object. Security labels are used as the basis for mandatory access control.
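The glossary entries for Dominate, Mandatory Access Control (MAC), and Security Label together describe a lattice: a label is a hierarchical classification plus a set of non-hierarchical categories, S1 dominates S2 when its classification is at least as high and its categories include all of S2's, and MAC decisions are made by comparing labels. The following is an added example, not part of the glossary or of any system it describes, that implements the dominance relation as the glossary states it and applies it as a read rule. It also adds a write rule, the Bell-LaPadula "no write down" property, which the glossary does not mention but which is the standard companion of the read rule; and it places UNCLASSIFIED below the three classifications the glossary names so that unclassified objects can be labelled. The category names ALPHA and BRAVO are constructed, and need-to-know, which the MAC entry also requires, is deliberately not modelled.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Hierarchical classifications in dominance order. The glossary names only
# CONFIDENTIAL, SECRET and TOP SECRET; UNCLASSIFIED is added below them by assumption.
HIERARCHY = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class SecurityLabel:
    """Hierarchical classification plus non-hierarchical categories (e.g. compartments)."""
    classification: str
    categories: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.classification not in HIERARCHY:
            raise ValueError(f"unknown classification: {self.classification!r}")


def dominates(s1: SecurityLabel, s2: SecurityLabel) -> bool:
    """S1 dominates S2 iff its classification is >= S2's and S2's categories are a subset of S1's."""
    return (HIERARCHY[s1.classification] >= HIERARCHY[s2.classification]
            and s2.categories <= s1.categories)


def relation(s1: SecurityLabel, s2: SecurityLabel) -> str:
    """Dominance is a partial order: two labels can also be equal or incomparable."""
    up, down = dominates(s1, s2), dominates(s2, s1)
    if up and down:
        return "equal"
    if up:
        return "dominates"
    if down:
        return "dominated by"
    return "incomparable"


def mac_read_allowed(subject: SecurityLabel, obj: SecurityLabel) -> bool:
    """Read rule: the subject's label must dominate the object's label.
    Need-to-know is a separate determination and is not modelled here."""
    return dominates(subject, obj)


def mac_write_allowed(subject: SecurityLabel, obj: SecurityLabel) -> bool:
    """Write rule (Bell-LaPadula *-property, not from the glossary): the object's label must
    dominate the subject's, so information never flows down to a less restrictive label."""
    return dominates(obj, subject)


if __name__ == "__main__":
    # Constructed labels: category names are placeholders, not real compartments.
    ts_alpha = SecurityLabel("TOP SECRET", frozenset({"ALPHA"}))
    s_alpha = SecurityLabel("SECRET", frozenset({"ALPHA"}))
    s_bravo = SecurityLabel("SECRET", frozenset({"BRAVO"}))
    for a, b in [(ts_alpha, s_alpha), (s_alpha, s_bravo), (s_alpha, s_alpha)]:
        print(f"{a.classification} {sorted(a.categories)} {relation(a, b)} "
              f"{b.classification} {sorted(b.categories)}")
    print("SECRET/ALPHA subject may read TOP SECRET/ALPHA object:", mac_read_allowed(s_alpha, ts_alpha))
    print("SECRET/ALPHA subject may write TOP SECRET/ALPHA object:", mac_write_allowed(s_alpha, ts_alpha))
```

The point the `relation` helper makes is that dominance is not a total order: two SECRET labels with different categories are incomparable, so neither subject may read the other's objects even though their classifications are identical. That is exactly the behaviour the non-hierarchical categories (SCI or SAP controls) are meant to produce.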
Indicators applied to a document, storage media, or hardware component to designate categorization and handling restrictions applicable to the information in the document. For intelligence information, these could include compartment and sub-compartment indicators and handling restrictions. For DOE information, these could include indicators of information type (such as Restricted Data), and Sigma categories.
The highest classification and all appropriate associated security markings of the information processed.
System testing designed to evaluate the relative vulnerability of the system to hostile attacks. Penetration testers often try to obtain unauthorized privileges (especially attempts to obtain "root" or "superuser" privileges) by exploiting flaws in system design or implementation.
An event that an experienced ISSO would consider to require noting, investigation, or prevention (e.g., the discovery of malicious code in an IS, the discovery of an attempt to introduce malicious code into an IS). Security-relevant events include any event that would cause a deleterious change in the system or its environment.
Those components of a system (hardware, firmware, software, data, interfaces, storage media, and communications media) that are essential to the enforcement of the system's security policies.
Sensitive Compartmented Information
Classified information concerning or derived from intelligence sources, methods, or analytical processes, which is required to be handled within formal access control systems established by the Director of Central Intelligence (DCID 1/19).
Sensitive Compartmented Information Facility (SCIF)
An accredited area, room, group of rooms, buildings, or installation where SCI may be stored, used, discussed, and/or processed (DCID 1/19).
A program established for a specific class of classified information that imposes safeguarding and access requirements that exceed those normally required for information at the same classification level (EO 12958).
Special Access Program Facility (SAPF)
A facility formally accredited by an appropriate agency in accordance with DCID 1/21 in which SAP information may be processed.
The state that exists when information is being held for use until needed for processing.
A form of authentication whereby it is very difficult or impossible for a hostile user to successfully intercept and employ a transmitted authenticator (i.e., highly resistant to replay attack).
An active entity, generally in the form of a person, process, or device, that causes information to flow among objects or that changes the system state.
An Information System (IS).
The description of the necessary protections to allow the system to operate securely. A sample SSP is described in Appendix C.
See EMSEC.
Any circumstance or event with the potential to cause harm to an information system in the form of destruction, disclosure, adverse modification of data, and/or denial of service.
The state that exists when information is being sent from one location to one or more other locations.
The document containing the operational requirements; security environment; hardware and software configurations and interfaces; and all security procedures, measures, and contingency plans.
A mechanism by which a person at a terminal can communicate directly with the Security Support Structure. This mechanism can be activated only by the person or the Security Support Structure and cannot be imitated by untrusted software, hardware, and firmware.
An individual who can receive information from, input information to, or modify information on, a system without a reliable human review. In a processing context, this also includes a process acting on behalf of a user. It is often convenient to refer to a user who is NOT a privileged user as a General User.
A user who is electronically connected to an IS typically via an interactive link and whose access is automatically limited in real-time by the IS on some basis (e.g., security clearance, authorization, need-to-know).
In contrast to a direct user, indirect users receive system output produced outside their control, either: (a) by an automated mechanism within the IS, or (b) from a process initiated by a direct user. An indirect user is precluded from initiating a process on the IS and receiving the output therefrom.
An indirect user is one who is electronically connected to an IS by other than a direct, interactive link. An IS supporting indirect users does not have to withstand direct attacks against the system's security controls because an intervening processor(s) between the user and the IS affords some protection and control. The processing capabilities of the IS must protect the data being processed from inadvertent system spillage and misroutes; generally, the IS provides control over indirectly connected users who may attempt to gain unauthorized access to its protection facilities. While a wide range of security risks associated with this type of user exists, such risks are not considered to be as significant as those associated with directly connected users. There are no geographic restrictions on how far an indirectly connected user may be from an IS.
A user who has access to system control, monitoring, or administration functions (e.g., system administrator, system ISSO, maintainers, system programmers, etc.). See also Client.
Executable software or firmware selected, controlled, or generated by a general user and not under the explicit control of a privileged user.
A weakness in an IS, or cryptographic system, or component (e.g., system security procedures, hardware design, internal controls) that could be exploited.
APPENDIX C - SAMPLE SYSTEM SECURITY PLAN
C.A This appendix provides ISSOs an annotated outline for preparing System Security Plans (SSP) that include the necessary overviews, descriptions, listings, and procedures and that help meet the requirements contained in this document. ISSOs may modify the outline as necessary to address the unique characteristics of specific systems, including creating additional subtitles to accommodate any information that does not appropriately fit under one of those provided. This outline is not directive in nature; the contents and format of the SSP are at the discretion of the DAA.
C.B Where the information exists in another document, it need not be included in the SSP, but can be referenced and provided as required.
C.C To amend an existing plan when there is no need to revise it in its entirety, an ISSO may issue revisions as either a separate document with instructions to make pen-and-ink changes in the original plan or as amended pages. In either case, the revisions will clearly indicate the name and date of the plan being modified and the date of the revision. When issuing amended pages, the changed material must be clearly marked as such.
OVERVIEW
1.0 INTRODUCTION
1.1 Security Administration
1.2 Mission
2.0 SECURE FACILITY DESCRIPTION
2.1 Physical Environment
2.2 Floor Layout
2.3 Secure Facility Access
2.4 TEMPEST
3.0 SYSTEM DESCRIPTION
3.1 General Information
3.2 Interconnection Interface Description
3.3 Residual Risk
4.0 SYSTEM HARDWARE
5.0 SYSTEM SOFTWARE
6.0 DATA STORAGE MEDIA
7.0 SECURITY REQUIREMENTS
7.1 System-Specific Threats
7.2 User Access and Operation
7.3 Protection of the Security Support Structure
7.4 Security Features
7.5 Marking and Labeling
7.6 Maintenance Procedures
7.7 Sanitization and Destruction
7.8 Software Procedures
7.9 Media Movement
8.0 SECURITY AWARENESS PROGRAM
9.0 INTERCONNECTION SECURITY AGREEMENT
10.0 MEMORANDUM OF AGREEMENT/UNDERSTANDING
11.0 EXCEPTIONS
12.0 GLOSSARY OF TERMS
ANNOTATED OUTLINE
1.0 INTRODUCTION
Describe the purpose and scope of the SSP, provide an overview of its contents, and explain its format. The Introduction may include any topic intended to help the reader understand and appreciate the purpose of the SSP. Pertinent background information may also be presented to provide clarity.
1.1 Security Administration
Provide the name of the system and the date of the plan, and indicate whether it is an original or revised plan.
Identify the system owner whose activity it will support and any applicable contract numbers.
Provide the system owner's name and address. Identify the location of the system equipment (including the building and room number(s)).
Provide the names, telephone numbers (including secure numbers, if appropriate), and normal office hours of the ISSM, ISSO, and their alternates, if any.
If there are multiple DAAs for the system, provide the agreements under which the system will operate.
Provide an organizational structure showing the name and title of all security management levels above the ISSO.
Provide joint-use information, if applicable.
1.2 Mission
Describe how the security of the system will be managed. State the purpose or mission and scope of the system. Identify the projects the system supports.
2.0 SECURE FACILITY DESCRIPTION
Provide a physical overview of the facility (including its surroundings) housing the system. Include information about the secure environment required to protect the system equipment, software, hardware, and firmware, media, and output.
2.1 Physical Environment
State whether the secure facility is accredited or approved to process and store information at the level covered by the SSP, who accredited or approved it, the maximum level of information allowed, and when approved. State whether the secure facility is approved for open or closed storage.
State whether the approval includes unattended processing.
Specify whether the storage approval is for systems, hard disk drives, diskettes, tapes, printouts, or other items.
2.2 Floor Layout
Provide a floor plan showing the location of system equipment and any protected distribution systems. (This may be included in a referenced appendix.) The building and room number(s) must match the information provided in the hardware listing (see 4.0).
2.3 Secure Facility Access
Describe procedures for controlling access to the system, including personnel access controls, after-hours access, and procedures for providing access to uncleared visitors (e.g., admitting, area sanitizing, escorting).
2.4 TEMPEST
If applicable, describe TEMPEST requirements.
3.0 SYSTEM DESCRIPTION
Provide a detailed description of the system.
3.1 General Information
Provide a system overview and description.
Specify clearance level, any formal access requirements, and need-to-know requirements that are being supported.
Identify the data to be processed, including classification levels and any relevant compartments and special handling restrictions.
State the Protection Level for confidentiality.
State the Levels-of-Concern for confidentiality, integrity, and availability for all information on the system.
Indicate the percentage of the system's usage that will be dedicated to the Government's activity (e.g., periods processing).
Identify any system users who are not US citizens.
3.2 Interconnection Interface Description
Describe how the system is configured. Describe the security support structure and identify any specialized security components and their role.
Identify and describe procedures for any connectivity to the system. Indicate whether the connections are to be classified or unclassified systems.
Provide a simplified block diagram that shows the logical connectivity of the major components. (This may be shown on the floor layout if necessary [see 2.2].) For systems operating at Protection Levels 3, 4, or 5, provide an information flow diagram.
If applicable, discuss the separations of classified and unclassified systems within the secure facility.
3.3 Residual Risk
Provide a description of the residual risk of operating the system after the security requirements specified in this document have been implemented.
4.0 SYSTEM HARDWARE
Provide a complete listing of the major hardware. This list may be in tabular form located either in this section or a referenced appendix. The following information is required for all major system hardware: nomenclature, model, location (i.e., building/room number), and manufacturer.
Provide a description of any custom-built system hardware.
Indicate whether the system hardware has volatile or nonvolatile memory components. Identify the nonvolatile components.
Describe the procedures for the secure control, operation, and maintenance of the hardware. If they have been authorized, describe the procedures for using readily transportable systems for unclassified processing in the secure facility.
5.0 SYSTEM SOFTWARE
Provide a complete listing of system software, including security software (e.g., audit software, anti-virus software), special-purpose software (e.g., in-house, custom, commercial utilities), and operating system software. This list may be in tabular form and may be located either in the section or in a referenced appendix. The following information is required for security-relevant software: software name, version, manufacturer, and intended use or function.
6.0 DATA STORAGE MEDIA
Provide a description of the types of data storage media. Discuss their controls.
Indicate whether the system is configured with removable or non-removable hard disk drives.
7.0 SECURITY REQUIREMENTS
7.1 System-Specific Threats
Discuss any system-specific threats to the security of the information on the system.
7.2 User Access and Operation
Describe the system operation start-up and shut-down (mode termination). Provide any unique equipment clearing procedures.
Discuss all system user access controls (e.g., log-on ID, authenticators, file protections).
Identify the number of privileged users and the criteria used to determine privileged access.
If DAC or MAC is required, discuss those mechanisms that implement the DAC and MAC controls.
Discuss procedures for the assignment and distribution of authenticators, their frequency of change, and the granting of access to information and/or files.
Indicate whether system operation is required 24 hours per day.
Discuss procedures for after-hours processing.
7.3 Protection of the Security Support Structure
Discuss the protections provided to the Security Support Structure.
7.4 Security Features and Assurances
Discuss procedures for incident reporting.
Discuss remote access and operations requiring specific approval by the Government security authority.
Describe the configuration management program. Describe the procedures to ensure that changes to the system are coordinated with the ISSO before being implemented.
Discuss any security features unique to the system.
Discuss the auditing procedures used to monitor user access and operation of the system and the information that is to be recorded in the audit trail. State whether user access audit trails are manual or automatic.
Identify the individual responsible for ensuring the review of audit trails and how often the reviews must be performed.
Describe procedures for handling discrepancies found during audit trail reviews.
Describe all system hardware maintenance logs, the information recorded on them, the individual responsible for reviewing them, and how often they are reviewed.
7.5 Marking and Labeling
Describe how the system hardware will be labeled to identify its classification level, if applicable, for example, when classified and unclassified systems are co-located in the same secure area.
Describe how the data storage media will be labeled (identify the classification level and contents).
Discuss how classified and unclassified data storage media are handled and secured in the secure facility (e.g., safes, vaults, locked desk).
Discuss procedures for marking and controlling system printouts.
7.6 Maintenance Procedures
Describe the procedures to be used for maintenance or repair of defective systems.
7.7 Sanitization and Destruction
Describe the procedures or methods used to sanitize and/or destroy software and hardware (volatile or nonvolatile components).
Describe the procedures or methods used to clear, sanitize, and destroy the data storage media.
7.8 Software Procedures
Indicate whether a separate version of the operating system software will be used for maintenance.
Describe the procedures for procuring and introducing new system software to support program activities.
Describe the procedures for evaluating system software for security impacts.
Describe procedures for protecting software from computer viruses and malicious code and for reporting incidents.
7.9 Media Movement
Describe the procedures or receipting methods for moving data storage media into and out of the secure facility.
Describe the procedures for copying, reviewing, and releasing information on data storage media.
Describe the procedures or receipting methods used to release and transport the system hardware from the secure facility.
Describe the procedures or receipting methods for temporarily or permanently relocating the system hardware within the secure facility.
Describe the procedures for introducing hardware into the secure facility.
8.0 SECURITY AWARENESS PROGRAM
Discuss the security awareness program.
9.0 INTERCONNECTION SECURITY AGREEMENT
Discuss any Interconnection Security Agreements or other agreements that are in place.
10.0 MEMORANDUM OF AGREEMENT/UNDERSTANDING (MOA/MOU)
Identify the MOA/MOU for those jointly accredited systems which require an MOA/MOU; include a copy of the document in an appendix.
11.0 EXCEPTIONS
Discuss any exceptions granted to the system operation.
12.0 GLOSSARY OF TERMS
List all special terms used in the SSP, including acronyms, with their meaning.
APPENDIX D - REQUIRED SYSTEM SECURITY FEATURES AND ASSURANCES (IN TABULAR FORM)
REQUIREMENTS TABLES
The following pages restate in tabular form the requirements established in Chapters 4, 5, and 6. It is also necessary to implement the requirements from Chapter 7 ("Requirements for ISs and Advanced Technology") and Chapter 8 ("Administrative Security Requirements").
To use these tables, find the column representing the Protection Level for confidentiality or, for the integrity and availability tables, the Level-of-Concern. An "X" in the column indicates the requirement is mandatory, and an "A/R" indicates the requirement is optional (i.e., as required by the DAA).
The requirements themselves are spelled out following the tables, beginning on page D-6.
TABLE D.1 Confidentiality Protection Level (PL) Table

Confidentiality | PL 1 | PL 2 | PL 3 | PL 4 | PL 5
Access1 Access2 Access3 Access4 Access5 | X | X X | X X X | X X X X | X X X X
AcctMan | A/R | X | X | X | X
Audit1 Audit2 Audit3 Audit4 Audit5 Audit6 Audit7 Audit8 Audit9 | A/R | X X A/R | X X X X | X X X X X | X X X X X
CCA | A/R | X | | |
Doc1 Doc2 Doc3 Doc4 | X | X X A/R | X X X | X X X | X X X
I&A1 I&A2 I&A3 I&A4 I&A5 I&A6 | X A/R A/R | X X X | X X X | X X X X | X X X X
Label1 Label2 | X X | X X | | |
LeastPrv | X | X | X | X |
Marking | X | | | |
ParamTrans | X | X | X | X | X
Recovery | X | X | X | X | X
ResrcCtrl | X | X | X | X |
ScrnLck | X | X | X | X | X
Separation | X | X | X | |
SessCtrl1 SessCtrl2 | X | X X | X X | X X | X X
Storage | X | X | X | X | X
SysAssur1 SysAssur2 SysAssur3 SysAssur4 | X | X X | X X X | X X X X | X X X