US Space Command

DEPARTMENT OF DEFENSE
Headquarters United States Space Command
Peterson Air Force Base, Colorado 80914-5003

USSPACECOM HOI 700-1
10 January 1991

Communications-Computer Systems

COMPUTER SECURITY

This headquarters operating instruction (HOI) provides policy and procedures for
reporting computer security-related incidents for investigation, resolution, and
dissemination to other commands. These procedures supplement existing computer
guidelines contained in AFR 205-16, Computer Security Policy. It applies to HQ
United States Space Command (USSPACECOM).

1. General:

a. Specific policies contained in this HOI are intended to supplement the
references listed in paragraph 2 with respect to computer security. In the
event of a conflict, the procedures prescribed in the respective references take
precedence.

b. This HOI and the procedures identified affect all communications-computer
systems regardless of size (such as mainframes, minicomputers, and
microcomputers); type (such as personal computers or dedicated word processors); or use
(such as administrative and embedded systems). All incidents of computer
security violations or attempts at violations are reported through the HQ
USSPACECOM computer security officer (CSO) to HQ AFSPC Director of Systems
Security as outlined in paragraph 5.

2. References:

a. DOD Instruction 5215.2, Computer Security Technical Vulnerability
Reporting Program (CSTVRP).

b. AFR 205-16/N/S Sup 1 (Cl), Computer Security Policy.

c. USSPACE-AFSPC Interservice Support Agreement FB2500-86297-001.

d. USSPACECOMR 700-1, Communications-Computer Systems Requirements Document
Processing.

e. AFR 700-3, Communications-Computer Systems Requirements Processing.

f. AFR 700-26, Communication-Computer Systems Management of Small Computers.

g. HQ USAF/SCT Letter, 27 Mar 90, Incident Reporting Procedures.

No. of Printed Pages: 9
OPR: SPJ4-J6P (Lt Col Lawrence A. Tomei)
Approved by: Maj Gen Carl G. O'Berry
Editor: Pamela K. Gatson
Distribution: F

3. Terms. The following terms are used:

a. Access. A specific interaction between a subject (such as a person,
process, or input device) and an object (such as an automated record, file,
program, or output device) that results in the flow of information.

b. Computer Hacker. A person who gains or attempts to gain unauthorized
access to a computer system.

c. Incident. The detection of unauthorized access to, tampering with, or
destruction of an automated file or system.

d. Malicious Logic. Hardware, software, or firmware that is intentionally
included or introduced into a system for any unauthorized purpose.

4. Responsibilities:

a. HQ USSPACECOM Director of Command Systems Control and Logistics.
Appoints, in writing, a communications-computer security officer (CSO) as point of
contact to HQ AFSPC Director of Systems Security for all matters and issues
pertaining to computer security within HQ USSPACECOM. The CSO:

(1) Maintains this HOI.

(2) Assists in the identification, resolution, and reporting of computer
security incidents to HQ AFSPC Director of Systems Security. All
incidents and resulting reports are coordinated by the CSO before sending to HQ
AFSPC/LKX.

(3) Disseminates pertinent information within HQ USSPACECOM regarding
published incidents on a valid "need-to-know" basis to avert similar detrimental
actions.

b. HQ USSPACECOM J-Staff directorates, Joint Strategic Defense Planning
Staff, Inspector General, and Center for Aerospace Analysis. Assign a terminal
area security officer (TASO) to administer the incident reporting procedure
(IRP) as outlined in this HOI. The TASO:

(1) Identifies incidents and reports them to the CSO.

(2) Provides the required minimum information and prepares the incident
report. The required information for reporting an incident is outlined in
attachment 1. The incident report is disseminated and handled on a strict
"need-to-know" basis within the established time constraints.

(3) Ensures compliance with this HOI does not preclude the responsibility
to take necessary and prudent actions to protect HQ USSPACECOM
information at all times.

(4) Disseminates pertinent information within their respective
directorates regarding published incidents on a valid "need-to-know" basis.

c. Others: AFR 205-16 outlines other pertinent responsibilities:

(1) The Air Force Cryptologic Support Center (AFCSC) establishes and
manages the IRP structure that HQ USSPACECOM follows (HQ USAF/SCT letter,
paragraph 5a). AFCSC:

(a) Reports incidents of computer security violations to the Air
Force Office of Special Investigation (AFOSI) and Headquarters Air Force
Communications Command (AFCC) for support and assistance to local units, including HQ
USSPACECOM, if required.

(b) Is the office of primary responsibility (OPR) for all incident
information including collection and dissemination to the National Information
Security Assessment Center, AFOSI, and participating commands.

(c) Establishes and maintains an automated data base of incident
information.

(2) AFOSI determines the need for a criminal investigation on incidents
and conducts an investigation, when applicable (HQ USAF/SCT letter, paragraph
5c).

5. Procedures:

a. Reporting Incidents:

(1) The following categories represent nominal gradients for
identifying computer security violations or incidents. The severity and timeliness
of the threat are factors to consider when determining which of the categories
to use. Report incidents as one of the three possible categories:

(a) Immediate. Malicious logic or computer hacker activity is
confirmed and in progress.

(b) Priority. Malicious logic or computer hacker activity has
been confirmed but is no longer in progress.

(c) Routine. Malicious logic or computer hacker activity is
suspected or threatening a computer system.

(2) The TASO documents and reports all incidents detected in HQ
USSPACECOM systems to the CSO immediately. After coordination with the CSO, send
the incident report to HQ AFSPC/LKX within the timeframes as follows:

(a) Upon detection, the respective TASO contacts the CSO for
Immediate incidents. Together with the user of the affected system, the CSO
seeks prompt assistance from HQ AFSPC Director of Systems Security or
AFCSC. The user of the affected system prepares a draft message for CSO
coordination and HQ AFSPC Director of Systems Security release. The
information is sent, via immediate message, to AFCSC KELLY AFB TX//SRV//.

(b) Report Priority incidents, via a priority message, by close of
business the next duty day to AFCSC. The TASO prepares the message and
coordinates with the CSO. HQ AFSPC Director of Systems Security releases the
message.

(c) Send Routine incident reports, via a routine message, within 3
duty days to AFCSC. Message preparation and coordination is as identified
above.

Note: The incident report should be in sufficient detail so the event can be
validated and resolved.

(3) To change the level of an incident, the user of the affected system
updates the existing report and its category and sends the revised report
through the CSO and HQ AFSPC Director of Systems Security for release.

b. Procedures for Requesting Incident Information. All requests initiated
by this Headquarters for information regarding incidents are directed to AFCSC
Security Incident Reporting Branch through HQ AFSPC Director of Systems
Security with an information copy of the request to the CSO.

(1) Organizations having a justified requirement for incident
information use the incident information request outlined in attachment 2.

(2) HQ AFSPC Director of Systems Security reviews the request for
technical accuracy and completeness. AFCSC validates the request and provides
the information within 15 work days, per HQ USAF/SCT letter, paragraph 2g.

c. Protection and Handling of Incident Information. Observe the following
procedures to ensure a secure mechanism for reporting incidents and
disseminating incident information.

(1) Review program and project security classification guides to assist
classification decisions. Release incident information to foreign nationals on
a case-by-case basis.

(2) Appropriately mark and strictly control all incident information
according to applicable directives.

(3) Details pertaining to incidents, when authorized for release to
vendors, are disseminated only by official government channels. Prior written
approval from AFCSC Security Incident Reporting Branch, through the designated
approval authority (DAA), HQ AFSPC DCS Systems Integration Logistics and
Support, is obtained before release of this information outside the US
Government. All such information is otherwise protected from public disclosure
according to applicable directives, statutes, executive orders, and references
as identified in paragraph 2 of this HOI.

OFFICIAL

DONALD J. KUTYNA
General, USAF
Commander in Chief

WAYNE R. HEINKE
Colonel, USAF
Director of Information Management

2 Attachments
1. Sample Format for Incident Reporting
2. Sample Format for Requesting Incident Information

USSPACECOM HOI 700-1 Attachment 1 10 January 1991

SAMPLE FORMAT FOR INCIDENT REPORTING

1. Required information:

a. Report date:

b. Contact:

(1) Incident report originator and originating office.

(2) Organization.

(3) Mailing and message address.

(4) Telephone number. Defense Switch Network (DSN) preferred.

(5) Position or Title.

c. Description of the incident:

(1) Describe the incident completely to include a full description of
the specific conditions surrounding the incident. The description should be in
sufficient detail to ensure it is clearly understood. Attach source or object
code and system error messages, if available. Attach system level diagrams, if
applicable.

(2) Describe the specific impact or effect of the incident in terms of
the following categories (cite specific examples as appropriate):

(a) Denial of service. Did the incident result in loss of time,
availability of the system, or loss of software?

(b) Integrity. Did the incident result in a loss of the
"trustworthiness" of the system to process classified information?

(c) Compromise. Did the incident result in a security violation
attributable to the incident itself?

(d) Other.

(3) Indicate who has been notified of the incident. Note: This
statement should include, as a minimum, the CSO and HQ AFSPC Director of Systems
Security.

d. System specifics:

(1) Location.

(2) Owner of the system affected.

(3) Designated approval authority (DAA) as follows:

HQ AFSPC/ALK/DSN 692-3934

(4) Major command communications-computer systems security manager
(MCSSM) as follows:

HQ AFSPC/LKX/DSN 692-3228

(5) Network connection, phone dial-up, or modem, if applicable.

(6) Security mode of operation.

(7) System use and highest classification of data on system.

(8) Software description:

(a) Operating system (such as MSDOS), including release and
version number.

(b) Application software (such as WordStar, dBASE III, etcetera).

(c) Source of application software (such as military or
commercial).

(9) List hardware and system configuration.

(10) Describe any unique characteristics of the system or software that
could be attributable to the incident, such as local modification of the
software. Include names, dates, etcetera, of the modification, if available.

e. Log of events. HQ USSPACECOM requirement only. DO NOT send this
information outside Command channels unless specifically requested. The TASO
maintains a log of events regarding the incident, including:

(1) Individuals contacted since the incident began.

(2) Time of the contact.

(3) Actions taken and completed.

2. Executive summary of the incident. Describe the nature and effect of the
incident in general terms.

3. Suggested solution. Provide description of any solutions you may have
discovered which, when implemented, reduced the impact of the defined incident
(such as rebooting the system, reloading previous versions of the software,
etcetera).

USSPACECOM HOI 700-1 Attachment 2 10 January 1991

SAMPLE FORMAT FOR REQUESTING INCIDENT INFORMATION

1. Point of Contact:

a. Name of requester and requesting organization.

b. Organization.

c. Mailing address and message routing indicator.

d. Telephone number (DSN preferred) of requester.

e. Position or title of requester.

f. Communications-computer security officer's name and address, as follows:

HQ USSPACECOM/J4-J6P, Stop 35, DSN 629-5915.

2. System Specifics (to the level of detail known):

a. List hardware and system configuration desired.

b. Software description:

(1) Operating systems, including release and version numbers.

(2) Application software.

(3) Special security software.

(4) Other software.

3. Justification:

a. Identify the activity which is supported by the information (such as new
processing needs, current use of the system, etcetera).

b. Date required.

4. HQ AFSPC Director of Systems Security Validation. Include:

a. Name, message address, and telephone number of MCSSM, as follows:

HQ AFSPC/LYX//Peterson AFB CO//DSN 692-3228

b. Verification of requester's security clearance and need-to-know.

c. Signature block of the MCSSM.