The property that allows auditing of information system activities to be traced to persons or processes that may then be held responsible for their actions.

The official management decision to permit operation of an IS in a specified environment at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards.

The management constraints, operational, administrative, and accountability procedures and supporting control established to provide an acceptable level of protection for data.

Attempt to gain unauthorized access to an IS’s services, resources, or information, or the attempt to compromise an IS’s integrity, availability, or confidentiality.

Means used to confirm the identity of a station, originator, or individual. For example, a password is often used to authenticate the individual using a particular user identifier.

Identification or recognition of a person based on distinguishing characteristics or traits (e.g., fingerprint, retinal pattern).

Blacklisting is the process of the system invalidating a user ID based on the user’s inappropriate actions. A blacklisted user ID cannot be used to logon to the system, even with the "correct" authenticator. Blacklisting can be permanent (i.e., until lifted by administrative action), or temporary (i.e., until lifted by the system, without administrative action, usually after a time has elapsed). Blacklisting and lifting of a blacklisting are both security-relevant events.

For purposes of identifying the Protection Level for confidentiality of a system to be accredited, the system has a conceptual boundary that extends to all intended users of the system, both directly and indirectly connected, who receive output from the system without a reliable human review by an appropriate authority. The location of such a review is commonly referred to as an "air gap."

The comprehensive evaluation of the technical and non-technical security features of an IS and other safeguards, made as part of and in support of the accreditation process, to establish the extent to which a particular design and implementation meet a specified set of security requirements.

Formal certification of authorization to have access to classified information other than that protected in a special access program (including SCI). Clearances are of three types: confidential, secret, and top secret. A top secret clearance permits access to top secret, secret, and confidential material; a secret clearance, to secret and confidential material; and a confidential clearance, to confidential material.

Removal of data from an information system, its storage devices, and other peripheral devices with storage capacity, in such a way that the data may not be reconstructed using common system capabilities (i.e., through the keyboard); however, the data may be reconstructed using laboratory methods.

An individual or a process acting on behalf of an individual who makes requests of a guard or dedicated server. The client’s requests to the guard or dedicated server can involve data transfer to, from, or through the guard or dedicated server

The applications and technology (e.g., whiteboarding, group conferencing) that allow two or more individuals to share information in an inter- or intra-enterprise environment enabling them to work together toward a common goal.

A mechanism that facilitates the adjudication of different interconnected system security policies (e.g., controlling the flow of information into or out of an interconnected system).

Operations performed in converting encrypted messages to plain text without initial knowledge of the cryptoalgorithm and/or key employed in the encryption.

All information significantly descriptive of cryptographic techniques and processes or of cryptographic systems and equipment, or their functions and capabilities, and all cryptomaterial.

The documents, devices, equipment, and associated techniques that are used as a unit to provide a means of encryption (enciphering or encoding).

Art or science concerning the principles, means, and methods for rendering plain information unintelligible and for restoring encrypted information to intelligible form.

The organization that has final statutory and operational authority for specified information.

An administrative action following sanitization of the IS or the storage media that the owner of the IS or media takes when the classification is lowered to unclassified. Declassification allows release of the media from the controlled environment if approved by the appropriate authorities.

A specialized IS in which there is no user code present, which can only be accessed by IS administrators and maintainers, and which provides non-interactive services to clients (e.g., packet routing or messaging services).

(1) To reduce the magnetization to zero by applying a reverse (coercive) magnetizing force, commonly referred to as demagnetizing, or (2) to reduce the correlation between previous and present data to a point that there is no known technique for recovery of the previous data.

An electrical device or hand-held permanent magnet assembly that generates a coercive magnetic force for the purpose of degaussing magnetic storage media or other magnetic material.

A procedure that reduces the magnetic flux to virtual zero by applying a reverse magnetizing field.

The official with the authority to formally assume responsibility for operating a system at an acceptable level of risk.

A plan that provides for the continuity of system operations after a disaster that makes normal system operation infeasible.

A means of restricting access to objects (e.g., files, data entities) based on the identity and need-to-know of subjects (e.g., users, processes) and/or groups to which the object belongs. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control).

Security level S1 is said to dominate security level S2 if the hierarchical classification (confidential, secret, or top secret) of S1 is greater than or equal to that of S2 and the non-hierarchical categories (e.g., specific SCI or SAP controls) of S1 include all of those of S2 as a subset.

The short name referring to investigation, study, and control of compromising emanations from IS equipment.

The acronym for Erasable, Programmable, Read-Only Memory—a field-programmable read-only memory that can have the data content of each memory cell altered more than once. Sometimes referred to as a re-programmable read-only memory.

A private network that uses Web technology, permitting the sharing of part of an enterprise’s information or operations with suppliers, vendors, partners, customers, or other enterprises.

A formalization of a security determination that an individual is authorized access, on a need-to-know basis, to a specific type of classified information, such as Sensitive compartmented Information (SCI), that imposes safeguarding and access requirements that exceed those normally required for information at the same classification level.

The intelligence derived from the data on or about a system, or the intelligence obtained from the structure or organization of that data.

Information Operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing restoration of information systems by incorporating protection, detection, and reaction capabilities.

Action taken to affect adversary information and information systems while defending one’s own information and information systems.

Any telecommunications and/or computer related equipment or interconnected system or subsystems of equipment that is used in the acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of voice and/or data (digital or analog); includes software, firmware, and hardware.

The manager responsible for an organization’s information system security program.

The person responsible to the ISSM for ensuring that operational security is maintained for a specific IS, sometimes referred to as a Network Security Officer.

A cryptographic checksum designed and implemented so that the order of difficulty in undetectably modifying the item checksummed (e.g., file, message) is comparable to the order of difficulty in breaking the cryptographic algorithm used.

For purposes of this manual, intelligence information refers to Sensitive Compartmented Information and special access programs for intelligence under the purview of the DCI.

A set of separately-accredited systems that are connected together.

A private network using Web technology that is employed within the confines of a given enterprise (e.g., internal to a business or agency).

An accreditation process that is required when an IS is not under the sole jurisdiction of a single accrediting authority.

The principle requiring that each subject is granted the most restrictive set of privileges or accesses needed for the performance of authorized tasks.

The Level-of-Concern is a rating assigned to an IS by the DAA. A separate Level-of-Concern is assigned to each IS for confidentiality, integrity, and availability. The Level-of-Concern for confidentiality, integrity, and availability can be Basic, Medium, or High. The Level-of-Concern assigned to an IS for confidentiality is based on the sensitivity of the information it maintains, processes, and transmits. The Level-of-Concern assigned to an IS for integrity is based on the degree of resistance to unauthorized modifications. The Level-of-Concern assigned to an IS for availability is based on the needed availability of the information maintained, processed and transmitted by the system for mission accomplishment, and how much tolerance for delay is allowed.

Software or firmware that is designed with the intent of having some adverse impact on the confidentiality, integrity, or availability of an IS.

A means of restricting access to objects based on the sensitivity of the information contained in the objects and the formal authorization (i.e., clearance, formal access approvals, and need-to-know) of subjects to access information of such sensitivity.

An identification of common security information for "similar systems" at a given site or facility. The MSSP, which is required for all site-based accreditations, contains the site CONOPS and architecture and includes a listing of all systems covered under the site based accreditation, a description of how the site complies with the requirements of this manual, and a "wiring diagram" showing external connections.

A written agreement among the DAAs responsible for the information processed and maintained by an IS (or collection of ISs). The MOA stipulates all of the terms and conditions of the security arrangements that will govern the operation of the IS(s). The MOA shall include at least: (1) a general description of the information to be offered by each participating DAA; and (2) a discussion of all of the security details pertinent to the exchange of information between the DAAs. In addition, where the MOA is to cover an interconnected network of ISs of under the purview of different DAAs, then the MOA shall also include a description of the types of information services each participating IS will provide, and identify a lead DAA. If no lead DAA is named, then both parties share responsibility.

Any information processed, transmitted, stored, or displayed within or over an intelligence information system that is determined to be essential to the operational readiness or mission effectiveness of the intelligence community or its components, where essential refers to information related to any function, the loss of which would slow, impede, or stop the basic operations of the intelligence community.

Any information system (or components thereof) that is used to process, store, or display mission-critical information.

The code obtained from remote systems, transmitted across a network, and then downloaded onto and executed on a local system.

A system that under normal operation has more than one user accessing it simultaneously. Systems that are accessed by more than one user sequentially (i.e., by one user at a time) without clearing or sanitization between users, are also considered to be multi-user systems; but the DAA can explicitly choose to protect such systems as if they were single-user systems.

A determination made by an authorized holder of classified information that a prospective recipient of information requires access to specific classified information in order to perform or assist in a lawful and authorized governmental function.

Assurance the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the data.

A passive entity that contains or receives information. Access to an object potentially implies access to the information that it contains.

An object that is sharable between users.

An object that supports both read and write accesses.

Encompasses all those components of the system that are to be accredited by the DAA, and excludes separately accredited systems to which the system is connected.

The processing of various levels of classified and unclassified information at distinctly different times. Under the concept of periods processing, the system must be purged of all information from one processing period before transitioning to the next.

The senior official having the authority and responsibility for all intelligence systems within an agency. Within the Intelligence Community, the PAAs are the DCI, EXDIR/CIA, AS/DOS (Intelligence & Research), DIRNSA, DIRDIA, ADIC/FBI (National Security Div), D/Office of Intelligence/DOE, SAS/Treasury (National Security), D/NIMA, and the D/NRO.

The management constraints, operational, administrative, and accountability procedures, and supplemental controls established to provide protection for sensitive information.

The state that exists when information is being accessed or acted upon by one or more steps proceeding in a predetermined sequence or method.

The means by which data is presented to a user without a specific action initiated by that user. In client-server terminology, the server initiates, or "pushes," the data to the client, usually in accordance with a pre-established user profile. This interest profile typically contains information categories of interests, e.g., weather forecasts, stock quotes.

A combination of technologies for information dissemination and retrieval. Traditionally, data is retrieved by a user request, such as by a Web user. In this case, the user "pulls" information. Alternatively, an information server may "push" information to the client without client intervention, usually by applying a predefined profile that filters information.

The policy for the tagging of information for records keeping requirements as mandated in the Federal Records Act and the National Archival and Records Requirements.

Any communication over a non-direct data link, including internets, intranets, client-server LANs, telephone lines, etc.

The operational procedure that involves connection of a system to an external (i.e., outside of the facility securing the system) remote service for analysis or maintenance.

An attack that involves the capture of transmitted authentication or access control information and its subsequent retransmission with the intent of producing an unauthorized effect or gaining unauthorized access.

The individual—approved in writing by the Data Owner—who has final statutory or operational responsibility for establishing protection requirements for a given piece of information within the responsible official’s agency. Operationally, the responsible official makes decisions regarding protection of the Data Owner’s information within the responsible official’s agency.

All data concerning the following, but not including data declassified or removed from the RD category pursuant to section 142 of the Atomic Energy Act:

The expected loss from a given attack or incident. For an attack/defense scenario, risk is assessed as a combination of threat (expressed as the probability that a given action, attack or incident will occur, but may also be expressed as frequency of occurrence), vulnerability (expressed as the probability that the given action, attack, or incident will succeed, given that the action, attack or incident occurs) and consequence (expressed as some measure of loss, such as dollar cost, resources cost, programmatic impact, etc.). The total risk of operating a system is assessed as a combination of the risks associated with all possible threat scenarios. Risk is reduced by countermeasures.

The discipline of identifying and measuring security risks associated with an IS, and controlling and reducing those risks to an acceptable level.

The removal of information from media or equipment such that data recovery using any known technique or analysis is prevented, as well as the removal of all classified labels and markings.

The guidance provided to those associated with a system concerning the standard operating procedures relating to security protection.

A piece of information that represents the hierarchical classification (confidential, secret, or top secret) and non-hierarchical compartments (e.g., specific SCI or SAP controls) of a subject or object and that thus describes the sensitivity of the data in the subject or object. Security labels are used as the basis for mandatory access control.

Indicators applied to a document, storage media, or hardware component to designate categorization and handling restrictions applicable to the information in the document. For intelligence information, these could include compartment and sub-compartment indicators and handling restrictions. For DOE information, these could include indicators of information type (such as Restricted Data), and Sigma categories.

The highest classification and all appropriate associated security markings of the information processed.

System testing designed to evaluate the relative vulnerability of the system to hostile attacks. Penetration testers often try to obtain unauthorized privileges (especially attempts to obtain "root" or "superuser" privileges) by exploiting flaws in system design or implementation.

An event that an experienced ISSO would consider to require noting, investigation, or prevention (e.g., the discovery of malicious code in an IS, the discovery of an attempt to introduce malicious code into an IS). Security-relevant events include any event that would cause a deleterious change in the system or its environment.

Those components of a system (hardware, firmware, software, data, interfaces, storage media, and communications media) that are essential to the enforcement of the system’s security policies.

Classified information concerning or derived from intelligence sources, methods, or analytical processes, which is required to be handled within formal access control systems established by the Director of Central Intelligence (DCID 1/19).

An accredited area, room, group of rooms, buildings, or installation where SCI may be stored, used, discussed, and/or processed (DCID 1/19).

A program established for a specific class of classified information that imposes safeguarding and access requirements that exceed those normally required for information at the same classification level (EO 12958).

A facility formally accredited by an appropriate agency in accordance with DCID 1/21 in which SAP information may be processed.

The state that exists when information is being held for use until needed for processing.

A form of authentication whereby it is very difficult or impossible for a hostile user to successfully intercept and employ a transmitted authenticator (i.e., highly resistant to replay attack).

An active entity, generally in the form of a person, process, or device, that causes information to flow among objects or that changes the system state.

The description of the necessary protections to allow the system to operate securely. A sample SSP is described in Appendix C.

Any circumstance or event with the potential to cause harm to an information system in the form of destruction, disclosure, adverse modification of data, and/or denial of service.

The state that exists when information is being sent from one location to one or more other locations.

The document containing the operational requirements; security environment; hardware and software configurations and interfaces; and all security procedures, measures, and contingency plans.

A mechanism by which a person at a terminal can communicate directly with the Security Support Structure. This mechanism can be activated only by the person or the Security Support Structure and cannot be imitated by untrusted software, hardware, and firmware.

An individual who can receive information from, input information to, or modify information on, a system without a reliable human review. In a processing context, this also includes a process acting on behalf of a user. It is often convenient to refer to a user who is NOT a privileged user as a General User.

A user who is electronically connected to an IS typically via an interactive link and whose access is automatically limited in real-time by the IS on some basis (e.g., security clearance, authorization, need-to-know).

In contrast to a direct user, indirect users receive system output produced outside their control, either: (a) by an automated mechanism within the IS, or (b) from a process initiated by a direct user. An indirect user is precluded from initiating a process on the IS and receiving the output therefrom.

An indirect user is one who is electronically connected to an IS by other than a direct, interactive link. An IS supporting indirect users does not have to withstand direct attacks against the system’s security controls because an intervening processor(s) between the user and the IS affords some protection and control. The processing capabilities of the IS must protect the data being processed from inadvertent control. The processing capabilities of the IS must protect the data being processed from inadvertent system spillage and misroutes; generally, the IS provides control over indirectly connected users who may attempt to gain unauthorized access to its protection facilities. While a wide range of security risks associated with this type of user exists, such risks are not considered to be as significant as those associated with directly connected users. There are no geographic restrictions on how far an indirectly connected user may be from an IS.

A user who has access to system control, monitoring, or administration functions (e.g., system administrator, system ISSO, maintainers, system programmers, etc.). See also Client.

Executable software or firmware selected, controlled, or generated by a general user and not under the explicit control of a privileged user.

A weakness in an IS, or cryptographic system, or component (e.g., system security procedures, hardware design, internal controls) that could be exploited.

1.1 Security Administration

1.2 Mission

2.1 Physical Environment

2.2 Floor Layout

2.3 Secure Facility Access

2.4 TEMPEST

3.1 General Information

3.2 Interconnection Interface Description

7.1 System-Specific Threats

7.2 User Access and Operation

7.3 Protection of the Security Support Structure

7.4 Security Features

7.5 Marking and Labeling

7.6 Maintenance Procedures

7.7 Sanitization and Destruction

7.8 Software Procedures

7.9 Media Movement

Describe the purpose and scope of the SSP, provide an overview of its contents, and explain its format. The Introduction may include any topic intended to help the reader understand and appreciate the purpose of the SSP. Pertinent background information may also be presented to provide clarity.

Provide the name of the system and the date of the plan, and indicate whether it is an original or revised plan.

Identify the system owner whose activity it will support and any applicable contract numbers.

Provide the system owner’s name and address. Identify the location of the system equipment (including the building and room number [s]).

Provide the names, telephone numbers (including secure numbers, if appropriate), and normal office hours of the ISSM, ISSO, and their alternates, if any.

If there are multiple DAAs for the system, provide the agreements under which the system will operate.

Provide an organizational structure showing the name and title of all security management levels above the ISSO.

Provide joint-use information, if applicable.

Describe how the security of the system will be managed. State the purpose or mission and scope of the system. Identify the projects the system supports.

Provide a physical overview of the facility (including its surroundings) housing the system. Include information about the secure environment required to protect the system equipment, software, hardware, and firmware, media, and output.

State whether the secure facility is accredited or approved to process and store information at the level covered by the SSP, who accredited or approved it, the maximum level of information allowed, and when approved. State whether the secure facility is approved for open or closed storage.

State whether the approval includes unattended processing.

Specify whether the storage approval is for systems, hard disk drives, diskettes, tapes, printouts, or other items.

Provide a floor plan showing the location of system equipment and any protected distribution systems. (This may be included in a referenced appendix.) The building and room number(s) must match the information provided in the hardware listing (see 4.0).

Describe procedures for controlling access to the system, including personnel access controls, after-hours access, and procedures for providing access to uncleared visitors (e.g., admitting, area sanitizing, escorting).

If applicable, describe TEMPEST requirements.

Provide a detailed description of the system.

Provide a system overview and description.

Specify clearance level, any formal access requirements, and need-to-know requirements that are being supported.

Identify the data to be processed, including classification levels and any relevant compartments and special handling restrictions.

State the Protection Level for confidentiality.

State the Levels-of-Concern for confidentiality, integrity, and availability for all information on the system.

Indicate the percentage of the system’s usage that will be dedicated to the Government’s activity (e.g., periods processing).

Identify any system users who are not US citizens.

Provide a description of the residual risk of operating the system after the security requirements specified in this document have been implemented.

Provide a complete listing of the major hardware. This list may be in tabular form located either in this section or a referenced appendix. The following information is required for all major system hardware: nomenclature, model, location (i.e., building/room number), and manufacturer.

Provide a description of any custom-built system hardware.

Indicate whether the system hardware has volatile or nonvolatile memory components. Identify the nonvolatile components.

Describe the procedures for the secure control, operation, and maintenance of the hardware. If they have been authorized, describe the procedures for using readily transportable systems for unclassified processing in the secure facility.

Provide a complete listing of system software, including security software (e.g., audit software, anti-virus software), special-purpose software (e.g., in-house, custom, commercial utilities), and operating system software. This list may be in tabular form and may be located either in the section or in a referenced appendix. The following information is required for security-relevant software: software name, version, manufacturer, and intended use or function.

Provide a description of the types of data storage media. Discuss their controls.

Indicate whether the system is configured with removable or non-removable hard disk drives.

Discuss any system-specific threats to the security of the information on the system.

Describe the system operation start-up and shut-down (mode termination). Provide any unique equipment clearing procedures.

Discuss all system user access controls (e.g., log-on ID, authenticators, file protections).

Identify the number of privileged users and the criteria used to determine privileged access.

If DAC or MAC is required, discuss those mechanisms that implement the DAC and MAC controls.

Discuss procedures for the assignment and distribution of authenticators, their frequency of change, and the granting of access to information and/or files.

Indicate whether system operation is required 24 hours per day.

Discuss procedures for after-hours processing.

Discuss the protections provided to the Security Support Structure.

Discuss procedures for incident reporting.

Discuss remote access and operations requiring specific approval by the Government security authority.

Describe the configuration management program. Describe the procedures to ensure that changes to the system are coordinated with the ISSO before being implemented.

Discuss any security features unique to the system.

Discuss the auditing procedures used to monitor user access and operation of the system and the information that is to be recorded in the audit trail. State whether user access audit trails are manual or automatic.

Identify the individual responsible for ensuring the review of audit trails and how often the reviews must be performed.

Describe procedures for handling discrepancies found during audit trail reviews.

Describe all system hardware maintenance logs, the information recorded on them, the individual responsible for reviewing them, and how often they are reviewed.

Describe how the system hardware will be labeled to identify its classification level, if applicable, for example, when classified and unclassified systems are co-located in the same secure area.

Describe how the data storage media will be labeled (identify the classification level and contents).

Discuss how classified and unclassified data storage media is handled and secured in the secure facility (e.g., safes, vaults, locked desk).

Discuss procedures for marking and controlling system printouts.

Describe the procedures to be used for maintenance or repair of defective systems.

Describe the procedures or methods used to sanitize and or destroy software and hardware (volatile or nonvolatile components).

Describe the procedures or methods used to clear, sanitize, and destroy the data storage media.

Indicate whether a separate version of the operating system software will be used for maintenance.

Describe the procedures for procuring and introducing new system software to support program activities.

Describe the procedures for evaluating system software for security impacts.

Describe procedures for protecting software from computer viruses and malicious code and for reporting incidents.

Describe the procedures or receipting methods for moving data storage media into and out of the secure facility.

Describe the procedures for copying, reviewing, and releasing information on data storage media.

Describe the procedures or receipting methods used to release and transport the system hardware from the secure facility.

Describe the procedures or receipting methods for temporarily or permanently relocating the system hardware within the secure facility.

Describe the procedures for introducing hardware into the secure facility.

Discuss the security awareness program.

Denial of physical access by unauthorized individuals unless under constant supervision of technically qualified, authorized personnel.

Procedures controlling access by users and maintainers to IS resources, including those that are at remote locations.

Some process or mechanism(s) that allows users (or processes acting on their behalf) to determine the formal access approvals (e.g., compartments into which users are briefed) granted to another user. This process or mechanism is intended to aid the user in determining the appropriateness of information exchange.

Some process or mechanism(s) that allow users for (or processes acting on their behalf) to determine the sensitivity level (i.e., classification level, classification category, and handling caveats) of data. This process or mechanism is intended to aid the user in determining the appropriateness of information exchange.

The Security Support Structure to enforce a mandatory access control policy over all subjects and storage objects under its control (e.g., processes, files, segments, devices).

These subjects and objects to be assigned sensitivity labels that combine hierarchical classification levels and non-hierarchical categories; the labels shall be used as the basis for mandatory access control decisions.

The Security Support Structure to be able to support two or more such security levels.

Identification and authentication data to be used by the Security Support Structure to authenticate the user’s identity and to assure that the security level and authorization of subjects external to the Security Support Structure that may be created to act on behalf of the individual user are dominated by the clearance and authorization of that user.

Application of the following restrictions to all accesses between subjects and objects controlled by the Security Support Structure:

Identifying types of accounts (individual and group, conditions for group membership, associated privileges).

Establishing an account (i.e., required paperwork and processes).

Activating an account.

Modifying an account (e.g., disabling an account, changing privilege level, group memberships, authenticators).

Terminating an account (i.e., processes and assurances).

Providing the capability to ensure that all audit records include enough information to allow the ISSO to determine the date and time of action (e.g., common network time), the system locale of the action, the system entity that initiated or completed the action, the resources involved, and the action involved.

Protecting the contents of audit trails against unauthorized access, modification, or deletion.

Maintaining collected audit data at least 5 years and reviewing at least weekly.

The system’s creating and maintaining an audit trail that includes selected records of:

Successful and unsuccessful logons and logoffs.

Individual accountability (i.e., unique identification of each user and association of that identity with all auditable actions taken by that individual) shall be enforced.

Periodic testing by the ISSO or ISSM of the security posture of the IS by employing various intrusion/attack detection and monitoring tools. The ISSO/M shall not invoke such attack software without approval from the appropriate authorities and concurrence of legal counsel. The output of such tools shall be protected against unauthorized access, modification, or detection.

Individual accountability (i.e., unique identification of each user and association of that identity with all auditable actions taken by that individual).

Periodic testing by the ISSO or ISSM of the security posture of the IS by employing various intrusion/attack detection and monitoring tools. The ISSO/M shall not invoke such attack software without approval from the appropriate authorities and concurrence of legal counsel. The output of such tools shall be protected against unauthorized access, modification, or deletion. These tools shall build upon audit reduction and analysis tools to aid the ISSO or ISSM in the monitoring and detection of suspicious, intrusive, or attack-like behavior patterns.

Enforcement of the capability to audit changes in security labels.

Enforcement of the capability to audit accesses or attempted accesses to objects or data whose labels are inconsistent with user privileges.

Enforcement of the capability to audit all program initiations, information downgrades and overrides, and all other security-relevant events (specifically including identified events that may be used in the exploitation of covert channels).

In the event of an audit failure, system shutdown unless an alternative audit capacity exists.

The capability of the system to monitor occurrences of, or accumulation of, auditable events that may indicate an imminent violation of security policies.

The capability of the system to notify the ISSO of suspicious events and taking the least-disruptive action to terminate the suspicious events.

Individual accountability (i.e., unique identification of each user and association of that identity with all auditable actions taken by that individual).

At least monthly testing by the ISSO or ISSM of the security posture of the IS by employing various intrusion/attack detection and monitoring tools. The ISSO/M shall not invoke such attack software without approval from the appropriate authorities and concurrence of legal counsel. The output of such tools shall be protected against unauthorized access, modification, or deletion. These tools shall build upon audit reduction and analysis tools to aid the ISSO or ISSM in the monitoring and detection of suspicious, intrusive, or attack-like behavior patterns.

The capability of the system to monitor, in real-time, occurrences of, or accumulation of, auditable events that may indicate an imminent violation of security policies.

The capability of the system to notify the ISSO of suspicious events and taking the least-disruptive action to terminate the suspicious event.

A capability to conduct backup storage and restoration of data and access controls.

Frequent backups of data.*

At least annual restoration of backup data.

Backup storage that is located to allow the immediate restoration of data. There shall additionally be off-site backup storage of the data, as per approved SSP; such storage is intended to enable recovery if a single event eliminates both the original data and the on-site backup data. If regular off-site backup is not feasible, such as on a ship at sea, alternative procedures, such as secure transmission of the data to an appropriate off-site location, should be considered.

Frequent backups of data.

To the extent deemed necessary by the DAA, assurance that system state after the restore will reflect the security-relevant changes to the system between the backup and the restore.

Assurance that the availability of information in storage is adequate for all operational situations, and that catastrophic damage to any single storage entity will not result in system-wide loss of information. These policies shall include, among others, procedures for ensuring the physical protection of operational and backup media and equipment, and for ensuring the continued functionality of the operational and backup media and equipment.

Restoration of any security-relevant segment of the system state (e.g., access control lists, cryptologic keys, deleted system status information) without requiring destruction of other system data.

Assurance that the system state after the restore will reflect security-relevant changes to the system between the backup and the restore.

Consideration to the use of technical features that enhance data integrity and availability including, among others, remote journaling, Redundant Array of Inexpensive Disks (RAID) 1 and above, and similar techniques.

Mechanisms that notify users of the time and date of the last change in data content.

Procedures and technical system features to assure that changes to the data or to security-related items are:

A secure, unchangeable audit trail that will facilitate the correction of improper data changes.

Transaction-based systems (e.g., database management systems, transaction processing systems) shall implement transaction roll-back and transaction journaling, or technical equivalents.

Policies that assure the effectiveness of storage integrity.

Procedures to assure the appropriate physical and technical protection of the backup and restoration hardware, firmware, and software, such as router tables, compilers, and other security-related system software.

A CM Plan, including:

A CM process to implement the CM Plan.

A CM process to test, and verify the CM Plan periodically.

A CM control board, which includes the ISSM/ISSO as a member.

A verification process that assures it is neither technically nor procedurally feasible to make changes to the Security Support Structure outside of the CM process.

Adequate hardware, firmware, software, power, and cooling to accomplish the mission when the operational equipment is unavailable. Consideration shall be given to fault-tolerant or "hot-backup" operations. The decision whether or not to use these techniques must be explicit.

Regular exercising and testing of the contingency plans. The plans for the tests shall be documented in the Contingency/Disaster Recovery Plan.

A System Security Plan (see Appendix C).

A Security Concept of Operations (CONOPS) (the Security CONOPS may be included in the System Security Plan). The CONOPS shall at a minimum include a description of the purpose of the system, a description of the system architecture, the system’s accreditation schedule, the system’s Protection Level, integrity Level-of-Concern, availability Level-of-Concern, and a description of the factors that determine the system’s Protection Level, integrity Level-of-Concern, and availability Level-of-Concern.

Certification test plans and procedures detailing the implementation of the features and assurances for the required Protection Level.

Reports of test results.

A general user’s guide that describes the protection mechanisms provided, and that supplies guidelines on how the mechanisms are to be used, and how they interact.

Initial authenticator content and administrative procedures for initial authenticator distribution.

Individual and Group authenticators. (Group authenticators may only be used in conjunction with an individual/unique authenticator, that is, individuals must be authenticated with an individual authenticator prior to use of a group authenticator).

Length, composition, and generation of authenticators.

Change Processes (periodic and in case of compromise).

Aging of static authenticators (i.e., not one-time passwords or biometric patterns).

History of authenticator changes, with assurance of non-replication of individual authenticators, per direction in approved SSP.

Protection of authenticators to preserve confidentiality and integrity.

Implementation and support of a trusted communications path between the user and the Security Support Structure of the desktop for login and authentication. Communication via this path shall be initiated exclusively by the user and shall be unmistakably distinguishable from other paths.

In the case of communication between two or more systems (e.g. client server architecture), bi-directional authentication between the two systems.

Internal security labels that are an integral part of the electronic data or media.

Procedures for managing content, generation, attachment, and persistence of internal labels that are documented in the SSP.

Security labels that reflect the sensitivity (i.e., classification level, classification category, and handling caveats) of the information.

Maintenance by the Security Support Structure of a record of the kind(s) of data allowed on each communications channel.

A means for the system to ensure that labels that a user associates with information provided to the system are consistent with the sensitivity levels that the user is allowed to access.

On-call maintenance.

On-site diagnostics.

Control of Remote Diagnostics, where applicable.

Be enabled either by explicit user action or if the desktop/terminal/laptop is left idle for a specified period of time (e.g., 15 minutes or more).

Ensure that once the desktop/laptop/terminal security/screen-lock software is activated, access to the desktop/terminal/laptop requires knowledge of a unique authenticator.

Not be considered a substitute for logging out (unless a mechanism actually logs out the user when the user idle time is exceeded).

Notification to all users users prior to gaining access to a system that system usage may be monitored, recorded, and subject to audit. Electronic means shall be employed where technically feasible.

Notification to all users that use of the system indicates (1) the consent of the user to such monitoring and recording and (2) that unauthorized use is prohibited and subject to criminal and civil penalties. Electronic means shall be employed where technically feasible.

Procedures for controlling and auditing concurrent logons from different workstations.

Station or session time-outs, as applicable.

Limited retry on logon as technically feasible.

System actions on unsuccessful logons (e.g., blacklisting of the terminal or user identifier).

Information stored in an area approved for open storage* of the information.

Information stored in an area approved for continuous personnel access control (when continuous personnel access control is in effect), i.e., a 24-hour, 7-day-a-week operational area.

Information secured as appropriate for closed storage.

Information encrypted using NSA-approved encryption mechanisms appropriate (see paragraph 1.G.1) for the classification of the stored data.

Features and procedures to validate the integrity and the expected operation of the security-relevant software, hardware, and firmware.

Features or procedures for protection of the operating system from improper changes.

Control of access to the Security Support Structure (i.e., the hardware, software, and firmware that perform operating system or security functions).

Assurance of the integrity of the Security Support Structure.

Isolating the Security Support Structure, by means of partitions, domains, etc., including control of access to, and integrity of, hardware, software, and firmware that perform security functions.

Using up-to-date vulnerability assessment tools to validate the continued integrity of the Security Support Structure by ensuring that the system configuration does not contain any well-known security vulnerabilities.

Certification testing shall be conducted including verification that the features and assurances required for the Protection Level are functional.

A test plan and procedures shall be developed and shall include:

Security Penetration Testing shall be conducted to determine the level of difficulty in penetrating the security countermeasures of the system.

An Independent Validation and Verification team shall be formed to assist in the security testing and to perform validation and verification testing of the system.

Security Penetration Testing to determine the level of difficulty in penetrating the security countermeasures of the system.

Formation of an Independent Verification and Validation team that at least annually assists in security testing and performing validation and verification testing of the system.

Information distributed only within an area approved for open storage of the information.

Information distributed via a Protected Distribution System* (PDS).

[*A PDS provides physical protection or intrusion detection for communications lines. A PDS can also provide need-to-know isolation for communications lines.]

Information distributed using NSA-approved encryption mechanisms appropriate (see paragraph 1.G.1) for the classification of the information.

Information distributed using a trusted courier.

Integrity mechanisms adequate to assure the integrity of transmitted information (including labels and security parameters).

Mechanisms to detect or prevent the hijacking of a communication session (e.g., encrypted communication channels).