FAS Homepage | Government Secrecy | Gov Docs ||| Index | Search |

For Official Use Only

An Inventory of Standards Affecting Security (U)

Compiled by the



Modified for




Caveat: This edition of the Annotated Inventory of Security Standards represents a compendium of standards available as of this date. Readers are urged to advise of any additional relevant documents not addressed herein.

Editor's Note:

This Annotated Inventory of Security Standards has been compiled by the DCI Center for Security Evaluation (CSE) Standards Group, to assist analysts and staff members to understand better the requirements of laws, executive orders, and other national level standards, in applying existing and developing new departmental and agency security standards.

Because requirements of many relevant authority documents tire constantly changing, CSE will annually update this Annotated Inventory to keep it current.

15 September 1995



National Security Act of 1947 (50 USC 401)
P.L. 81--733 (1950), (5 USC 7501) Security of Government Employees
P.L. 86-36, The National Security Agency Act of 1959 (50 USC 402)
P.L. 88-290, National Security Agency - Personnel Security Procedures
P.L. 99-145, Defense Authorization Act, FY 88 and 89
P.L. 99-399, Omnibus Diplomatic Security and Antiterrorism Act of 1986, as amended.
P.L. 100-204, Foreign Relations Authorization Act for FY 88 and 89
P.L. 101-246, Foreign Relations Authorization Act for FY 90 91
P.L. 102-238, Foreign Relations Authorization Act for FY 92- 93
Intelligence Authorization Act for FY 89, H.R. 4387, and Senate Bill 1324, Section 603, amending the jurisdiction of the FBI to investigate allegations of espionage by persons employed by or assigned to United States Diplomatic missions abroad.
P.L. 100-235, The Computer Security Act of 1987


E.O. 10450, (1953) "Security Requirements For Government Employees"
E.O. 10865, (1960) "Safeguarding Classified Information Within Industry"
E.O. 12333, (1982) "United States Intelligence Activities"
E.O. 12356, (1982) "National Security Information"
E 0. 12829, (1993) "National Industrial Security Program."
E.O. 12958, (1995) "Classified National Security Information"
E.O. 12968, (1995) 'Access to Classified Information"


NSD 1, 30 Jan 1989, "Organization of the National Security Council System" [by the incoming Bush Administration.]
NSD 42, 5 Jul 1990, "National Policy for the Security of National Security Telecommunications and Information Systems (U)"
NSD 47, 5 Oct 1990, "Counterintelligence and Security Countermeasures."
NSD 63, 21 Oct 1991, "Single Scope Background Investigation Standards."
NSDD 38, 2 Jun 1982, "Staffing at Diplomatic Missions and Their Constituent Posts."
NSDD 84, Mar 1983, "Safeguarding National Security Information."
NSDD 145, IV Sep 1984, "National Policy on Telecommunications and Automated Information Systems Security." (replaced by NSD 42, supra)
NSDD 196, Nov 1985, "Counterintelligence/Countermeasure Implementation Task Force."
NSDD 197, 1 Nov 1985, "Reporting Foreign Contacts and Security Awareness." (rescinded by PDD/NSC 12)
NSDD 298, 22 Jan 1988, "National Operations Security Program."
PDD/NSC-12, 5 August 1993, "Security Awareness and Reporting of Foreign Contacts."
PDD/NSC-24, 3 May 1994, "U.S. Counterintelligence Effectiveness."
PDD/NSC-29, 16 Sep 1994, "Security Policy Coordination."


Office of Management and Budget

OMB Bulletin No. 85-11, 28 Mar 1985, "Data on Security of Automated Information Systems that Process Information Related to the National Security Interest." (Earliest implementation of NSDD 145.)
OMB Circular No. A-130, 12 Dec 1985, "Management of Federal Information Resources."
OMB Bulletin No. 88-16, 1 Jul 1988, "Guidance for Preparation and Submission of Security Plans for Federal Computer Systems Containing Sensitive Information."

Attorney General of the United States

National Security Threat List (NSTL), 9 January 1994.
Department of Justice legal memorandum dated May 10, 1990, "Legal Authority Underlying Communications Security Monitoring."
Attorney General "Guidelines for FBI Supervision or Conduct of Espionage Investigations of U.S. Diplomatic Missions Personnel Abroad," dated 17 April 1990.

DCI Directives (DCIDS)

DCID 1/7, 12 April 1995, "Security Controls on the Dissemination of Intelligence Information."
DCID 1/14, 22 Jan 1992, "Personnel Security Standards and Procedures Governing Eligibility for Access to Sensitive Compartmented Information (SCI)," together with Annex A effective 12 Auq 1994 and Annex B effective 14 April 1994 (reprint of 12 April 1995).
DCID 1/16, Jul 1988, "Security Policy for Uniform Protection of Intelligence Processed in Automated Information Systems and Networks."
DCID 1/19, 1 March 1995, "Security Policy for Sensitive Compartmented Information" and "Security Policy Manual."
DCID 1/20, Dec 1991, "Security Policy Concerning Travel and AssigrLment of Personnel with Access to Sensitive Compartmented Information." (Annex A rescinded Dec 1994)
DCTD 1/21, 30 Jan 1994, "Physical Security Standards for Sensitive Compartmented Information Facilities (SCIFs)."
DCID 1/22, Jul 1985, "Technical Surveillance Countermeasures."
DCID 3/1, 15 Jun 1995, "National Foreign intelligence Board. "
DCID 3/3, 12 June 1995, "Community Management Staff."
DCID 3/28, 13 December 1994, "Committee on International Organized Crime Intelligence Issues."
DCI Procedural Guides 1, 2 and 3, August 1984, Technical Surveillance Countermeasures (TSCM) (contained in one booklet). Revised and reissued DCI Procedural Guides I and II, dated 15 April 1993, same subject, are contained in separate booklets.
NAG/CI&SCM, 9 Jan 1991, "National Advisory Group/Counterintelligence and Security Countermeasures Advisory 1: January 1991."

National Security Telecommunications and Information Systems Security Committee (NSTISSC) and predecessor committees

National Security Teiecommunications and Information Systems Security advisory Memorandum (NSTISSAM) COMPUSEC/1-90, "Protection of Information Systems Outside the Continental United States (OCONUS)," dated 14 Sep 1990.
National Communications Security Committee "TEMPEST GLOSSARY" (S), dated 30 Mar 1981.
NCSC-1, 16 Jan 1981, "National Policy for Safeguarding and Control of Communications Material."
NCSC-5, 16 Jan 1981, "National Policy on Use of Cryptomaterial by Activities Operating in High Risk Environments" with Appendices I and II.
NCSC-9, 1 Sep 1982, "National Communications Security (COMSEC) Glossary" (FOUO).
NCSC-11, 3 May 1982, "National Policy for Protection of Telecommunications Systems Handling Unclassified National Security-Related Information."
NTISSP No. 3, 19 Dec 1988, "National Policy for Granting Access to U.S. Classified Cryptographic Information."
NTISSD No. 500, 8 Jun 1987, "Telecommunications and Automated Information Systems Security Education, Training and Awareness.
NTISSD No. 600, 10 Apr 1990, "Communications Security (COMSEC) Monitoring."
NSTISSD No. 900, 20 Mar 1991, "Governing Procedures of the National Security Telecommunications and information Systems Security Committee (NSTISSC)."
NSTISS Directive No. 901, 28 Sep 1992, "National Security Telecommunications and Information Systems Security (NSTISS) Issuance System."
NACSI No. 4005, 12 Oct 1979, National COMSEC Instruction, "Safeguarding and Control of Communications Security Material."
NACSI No. 4008, 4 Mar 1982, National COMSEC Tnstruction, "Safeguarding COMSEC Facilities."
NTISSI No. 3013, 8 Feb 1990, "Operational Security Doctrine I for the Secure Telephone Unit III (STU-111), Type I Terminal."
ANNEX E, 22 Feb 1991, "System Security Guidance for the Motorola Vehicular-Mounted STU-III Cellular Telephone (Type 1)"
ANNEX F, 22 Feb 1991, " Supplemental Operational Security Doctrine for the STU-III/A Terminal (Type 1)."
ANNEX G, 22 Feb 1991, "System Security Guidance for the AT&T STU-III Access Control System (SACS) (Type 1)."
ANNEX H, 27 Nov 1991, "STU-III Data Port Guidance."
NSTISSI No. 3017, 11 Sep 1991, "Operational Security Doctrine for Stand-Alone KG-84, KG-84A, and KG-84C."
NSTTSST No. 4000, 1 Feb 1991, "Communications Security Equipment Maintenance and Maintenance Training."
NTISSI No. 4001, 14 Mar 1985, "Controlled Cryptographic Items."
NTTSST No. 4002, 5 Jun 1986, "Classification Guide for COMSEC Information."
NSTISSI No. 4003, 2 Dec 1991, "Reporting and Evaluating COMSFC Incidents." (Supersedes NTISSI 4003, 3 Nov 86)
NTISSI No. 4004, 11 Mar 198-7, "Routine Destruction and Emergency Protection of COMSEC Material."
NTISSI No. 4005, 17 Jul 1987, "Control of TOP SECRET Keying Material."
NSTISSI No. 4006, 2 Dec 1991, "Controlling Authorities for COMSEC Material." (Supersedes NTISSI No. 4006, 2 May 89)
NSTISSI No. 4009, 5 June 1992, "National Information Systems Security (INFOSEC) Glossary."
NSTISSI No. 7000, 29 Nov 1993, "TEMPEST Countermeasures for Facilities."
NTISSP No. 200, 15 Jul 198-7, "National Policy on Controlled Access Protection (for automated information systems]."
NTISSP No. 300, 3 Oct 1988, "National Policy on Control of Compromising Emanations."
NTISSAM COMSEC/1-85, 19 Oct 1985, "Advisory Memorandum on Release of Communications Security Equipment, Material or Information to Foreign Enterprises."
NTISSAM COMPUSEC/1-87, 16 Jan 1987, "Advisory Memorandum on Office Automation Security Guideline."
NSTISSAM COMPUSEC/1-90, 14 Sep 1990, "Protection of Information Systems (IS) outside the Continental United States (OCONUS)."
NACSI 4000A, 9 Feb 1984, "Guidelines for the Conduct of Communications Security (COMSEC) Monitoring Activities."
NACSIM 4004, 3 Jul 1980, "Communications Security Survey Guide."
NACSIM 5000, 1 Feb 1982, "TEMPEST Fundamentals."
NACSIM 5203, 30 Jun 1982, "Guideiines for Facility Design and Red/Black Installation."
NSTISSAM TEMPEST/1-92, 15 Dec 1992, "Compromising Emanations Laboratory Test Requirements, Electromagnetics." [Note: Supersedes NSTISSAM TEMPEST 1-91 of 21 Mar 1991; NSTISSAM TEMPEST 1-91 superseded NACSIM 5100A of 1981.]
NSTISSAM TEMPEST/1-93, 30 Aug 1993, "Compromising Emanations Field Test Requirements Electromagnetics." (Supersedes NACSEM 5110 of July 1973.) (U)
NSTISSAM TEMPEST 2-91, 20 Dec 1991, "Compromising Emanations Analysis Handbook." (Supersedes NACSEM No. 5106)
NSTISSAM TEMPEST 3-91, 20 Dec 1991, "Maintenance and Disposition of TEMPEST Equipment."
NSTISSAM TEMPEST 2-92, 30 Dec 1992, "Procedures for TEMPEST Zoning."
NACSEM 5109, Mar 1973, "TEMPEST Testing Fundamentals."
NACSEM 5201, Sep 1978, "TEMPEST Guidelines for Equipment/ System Design."
NACSEM 5204, "Shielded Enclosures," promulgated May 1978, together with Appendix A, Specification NSA 65-5, 30 Oct 1964, "RF Shielded Acoustical Enclosures for Communications Equipment: General Specification;" Appendix B, Specification NSA No. 65-6, 30 October 1964, "RF Shielded Enclosures for Communications Equipment: General Specification;" land Appendix C, Specification NSA No. 73-2A, "National Security Agency Specification for Foil RF Shielded Enclosure."
NSA draft Specification NSA No. 89-01 dated 31 May 1989, entitled "NSA Specification for a High Performance Shielded Enclosure."
NACAM-84/1, 11 May 1984, "Advisory Memorandum on Protection of Unclassified National Security-Related Telecommunications."

Telephone Security Group Issuances

Telephone Security Group (TSG), a subcommittee of the IG-Countermeasures, has issued six (6) standards for telephone security, as follows:

Interagency Advisory Committee on Security Equipment

Subcommittee on Containers, Vaults and Locking Devices TEST REPORT, Jan 1987, "Manipulation Resistance of Underwriters Laboratories Listed Group 1 and 1R Combination Locks."


Department of Defense

DoD 5200.2-R, Jan 1987, "Personnel Security Program."
DoD 5220.22-M, Jan 1995, "National Industrial Security Program" (NISP) Operating Manual (NISPOM).
DoD Dir 5210.48, 24 Dec 1984, "DoD Polygraph Program."
DepSecDef Memorandum (S), 20 Jun 1988, "Polygraph Examinations of DoD Personnel Assigned to Criteria Countries."
DoD Instruction 5210.84, 22 Jan 1992, "Security of DoD Personnel at U.S. Missions Abroad."
DoD Dir 5200.1, 7 June 1982, and DoD 5200.1-R, Jun 1986, "Information Security Program Regulation."
DoD Dir C-5200.5, 21 April 1990, "Communications Security (COMSEC) (U)"
DoD Dir 5200.28, 21 Mar 1988, "Security Requirements for Automated Information Systems (AISs)."
DoD Dir 5200.33, 7 Dec 1994, "Defense Courier Service (DCS) .
DoD 5200.33-R, 5 Jan 1995, "Defense Courier Service Regulation."
DoD Manual 5200.28-M, Jan 1973 [sic], "ADP Security Manual."
DoD 5200.28-STD, Dec 1985, "Department of Defense Trusted Computer Security Evaluation Criteria." (ORANGE BOOK)
DoD Dir 5205.2, 7 Jul 1983, "DoD Operations Security Program."
DoD Instruction 5240.5, 23 May 1984, "DoD Technical Surveillance Countermeasures (TSCM) Survey Program."
DoD Dir 2000.12, 27 Aug 1990, "DoD Combatting Terrorism Program."
DoD 2000.12-H, Apr 1983, Handbook, "Protection of DoD Personnel Against Terrorist Acts."

National Security Agency (NSA)

NSA/CSS Regulation No. 120-12, 20 Sep 1978, "Personnel Security Program for Continued Access."
NSA/CSS Regulation No. 120-18, 28 Jul 1988, "Association with Foreign Nationals."
NSA/CSS Regulation No. 122-2, 6 Apr 1987, "Special Personnel Security Program for Uncleared Maintenance Contractors."
NSA/CSS Requlation No. 10-10, 4 may 1988, "The NSA/CSS Industrial Security Program."
NSA/CSS Regulation No. 122-3, 6 Apr 1984, "Polygraph Examinations and Examiners."
NSA "Procedures for Security Processinq of Personnel and SOP for Permanent Change of Station." [undated]
NSA/CSS Directive No. 120-01, 14 Feb 1985, "NSA/CSS Operations Security Program."
NSA Memorandum, 8 Dec 1987, "Operational Doctrine for the STU-III Type 1 Terminal."
NSA Information Systems Security Bulletin No 87-009, "Information Guide for the STU-III Low Cost Terminal, Type I, 20 Sep 1987.
NSA Information Systems Security (INFOSEC) Manual 1993.
NSA Information Security Organization booklet, October 1988, "TEMPEST Alternatives Data Book (Including Maps of Zoned Facilities)."
NSA Communications Security Organization, January 1985, "Procedures for TEMPEST Zoning information-Processing Equipment, Systems and Facilities."
CSC-STD-002-85, 12 Apr 1985, "Department of Defense Password Management Guideline."
CSC-STD-003-85, 25 Jun 1985, "Computer Security Requirements: Guidance for Applying the Department of Defense Trusted Computer System Evaluation Criteria in Specific Environments."
CSC-STD-004-85, 25 Jun 1985, "Technical Rationale Behind CSC-STD-003-85: Computer Security Requirements."
NCSC-TG-001, I Jun 1988, "A Guide to Understanding AUDIT in Trusted Systems, Version 2."
NCSC-TG-003, 30 Sep 1987, "A Guide to Understandinq DISCRETIONARY ACCESS CONTROL in Trusted Systems, Version I."
NCSC-TG-004, 21 Oct 1988, "Glossary of Computer Security Terms, Version l."
NCSC-TG-005, 31 Jul 1987, "Trusted Network Interpretation, Version l."
NCSC-TG-006, 29 Mar 1988, "A Guide to Understanding CONFIGURATION MANAGEMENT in Trusted Systems, Version l."
NCSC-TG-007, 2 Oct 1988, "A Guide to Understanding DESIGN DOCUMENTATION in Trusted Systems, Version l."
NCSC-TG-008, 15 Dec 1988, "A Guide to Understanding TRUSTED DISTRIBUTION in Trusted Systems, Version I."
NCSC-TG-009, draft version, September 1988, "Computer Security Subsystem Interpretation of DoD Trusted Computer Evaluation Criteria DoD 5200.28-STD, Version l."
NCSC-TG-014, I Apr 1989, "Guidelines for FORMAL VERIFICATION SYSTEMS, Version l."
NCSC-TG-015, 18 Oct 1989, "A Guide to Understanding TRUSTED FACILITY MANAGEMENT, Version I"
NCSC-TG-020-A, 18 Aug 1989, "Trusted UNIX Working Group (TRUSIX), Rationale for Selecting Access Control List Features for the UNIX System, Version l."
NCSC-WA-002-85, Dec 1985, "Personal Computer Security Considerations."
NSA/CSS Directive No. 10-27, 29 Mar 1984, "Security Requirements for Automatic Data Processing (ADP) Systems."
NSA/CSS Regulation 130-4, 27 July 1993, "Computer Security Policy for Connection of an Automated Information System (AIS) to the STU-III (Type 1) Terminal Data Port."
NSA/CSS SCSC/129/88, 16 Jun 1988, "Computer Security Technical Vulnerability Reporting Program - INFORMATION MEMORANDUM."
NSA/CSS SCSC/169/88, 29 Jul 1988, "Guidance for the Declassification and Release of Automated Information System Storage Media - INFORMATION MEMORANDUM."
NSA/CSS DDT-425-88, 20 Oct 1988, "Operational Computer Security Policy Memorandum - Computer Viruses (FOUO) - INFORMATION MEMORANDUM."
NSA/CSS Regulation No. 90-5, 20 Aug 1980, "TEMPEST Security Program."
NSA/CSS Manual 90-5A, 1 Feb 1984 (S), "TEMPEST Security Requirements for NSA/CSS Contractors Processing Sensitive Compartmented Information."

Defense Intelligence Agency

DIA Regulation No. 50-8, 2 Oct 1975, "Personnel Security Program."
DIA Pegulation No. 50-17, 26 Sep 1989, "Foreign Contact."
DIA Regulation No. 50-11, 11 Jun 1990, "Reporting and Approval of Foreign Travel."
DIA Regulation No. 54-1, "Protection of DIA Personnel Abroad Against Terrorist Acts," 8 Mar 1993.

Department of Commerce

The following Department of Commerce standards relating to unclassified telecommunications and information systems are contained in a separate volume, marked "FIPS Publications":

FIPS Pub 31 Jun 1984, "Guidelines For ADP Physical Security and Risk Management."
FIPS Pub 39, Feb 1974, "Glossary for Computer Systems Security."
FIPS Pub 41, May 1975, "Computer Security Guidelines for implementing the Privacy Act of 1974."
FIPS Pub 46-1, Jan 1988, "Data Encryption Standard."
FIPS Pub 48, Apr 1977, "Guidelines on Evaluation of Techniques for Automated Personal identification."
FIPS Pub 65, Aug 1979, "Guidelines For Automatic Data Processing Risk Analysis."
FIPS Pub 73, Jun 1980, "Guidelines For Security of Computer Applications."
FIPS Pub 74, Apr 1981, "Guidelines For Implementing and Using the NBS Data Encryption Standard."
FIPS Pub 81, Dec 1980, "DES Modes of Operation."
FIPS Pub 83, Sep 1980, "Guidelines on User Authentication Techniques For Computer Network Access Control."
FIPS Pub 87, Mar 1981, "Guidelines For ADP Contingency Planning."
FIPS Pub 88, Aug 1981, "Guidelines On Integrity Assurance and Control in Database Applications."
FIPS Pub 94, Sep 1982, "Guidelines On Electrical Power For ADP Installations."
FIPS Pub 102, Sep 1983, "Guidelines For Computer Security Certification and Accreditation."
FTPS Pub 112, May 1985, "Standard on Password Usage."
FIPS Pub 113, May 1985, "Standard on Computer Data Authentication."
NBS Spec Pub 500-120, Jan 1985, "Security of Personal Computer Systems: A Management Guide."

Department of State

Foreign Affairs Manual:
3 FAM 170 - Personal Services Contracts for U.S. Citizens Abroad
3 FAM 4180 - Employee Marriage, Equivalent Bonds, and Cohabitation
3 FAM 900 Foreign Service National Employees, Consular Agents, and Special Categories, 1990.
12 FAM 100 - Courier Operations
12 FAM 230 - DOS Personnel Security
12 FAM 251 - Polygraph Policy
12 FAM 260 - Counterintelligence
12 FAM 314 - Collocation Policy and Waiver Procedures
12 FAM 320 - Local Guard Program
12 FAM 330 - Residential Security Program
12 FAM 340 - Marine Security Guard Program
12 FAM 540 - Sensitive But Unclassified (SBU)
12 FAM 551.3 - MOU between DOS and DoD on Overseas Security Support, 1990
12 FAM 562 - Interagency Coordination of Security Inspections
12 FAM 743 - Counterintelligence Working Groups
12 FAM 940 - Classified Automated Information Systems Abroad
12 FAM 1000 Information Security
12 FAM 1 - Emergency Planning Handbook

Department of State Security Standards Handbook, (the Red Book), classified SECRET, it being a compilation of all OSPG - approved security standards issued by the Department, published and disseminated to the foreign affairs community in June 1993.


FAS Homepage | Government Secrecy | Gov Docs ||| Index | Search |