CHAPTER 8
Automated Information System Security
Section 1. Responsibilities
8-100. General.
a. Computer and networking systems (collectively referred to as
Automated Information Systems (AISs)) used to capture, create,
store, process or distribute classified information must be
operated so that the information is protected against unauthorized
disclosure or modification.
b. Protection requires a balanced approach that includes AIS
features as well as administrative, operational, physical, and
personnel controls. Protection is commensurate with the
classification level and category of the information, the threat,
and the operational requirements associated with the environment of
the AIS.
8-101. Scope.
This Chapter describes the minimum security requirements for an AIS
processing classified information.
8-102. Responsibilities.
a. The CSA shall establish a line of authority for oversight,
review, inspection, certification, and accreditation of AISs used
by its contractors.
b. The contractor shall publish and promulgate an AIS Security
Policy that addresses the classified processing environment. The
contractor shall appoint an Information Systems Security
Representative (ISSR) whose responsibilities are to:
(1) Maintain liaison with the CSA.
(2) Implement and administer the contractor's AIS Security
Policy.
(3) Ensure the preparation of an AIS Security Plan (AISSP).
(4) Ensure the establishment and maintenance of security
safeguards and access controls.
(5) Ensure that users have the security clearance, special
access authorizations, and need-to-know for the information
that they can access.
(6) Ensure that all AIS security related documentation is
current.
(7) Advise the CSA of any abnormal event that affects the
security of the AIS.
(8) Ensure that secure maintenance procedures are followed.
(9) Ensure that security audit records are maintained,
accessible, and reviewed and analyzed at least weekly.
(10) Designate Security Custodians in facilities with multiple
AIS or multiple shifts.
(11) Ensure the development and implementation of an ongoing
AIS security education program.
(12) Perform threat-based, aperiodic inspections pursuant to
the AISSP. The frequency of inspections may be adjusted for
sufficient cause.
(13) Ensure that Memoranda of Agreement are in place for AIS
supporting multiple CSAs.
(14) Approve and document the movement of AIS equipment.
(15) Approve the release of sanitized equipment and components
in accordance with the sanitization matrix.
(16) Approve and document additional AIS operated in dedicated
security mode that is substantially the same as described in
the AISSP. The classification level of the additional AIS must
be the same as that of the approved AIS.
(17) Approve and document additional or replacement components
of a dedicated or system high AIS that are identical in
functionality and do not affect the security of the AIS.
(18) Document in the security plan and administer any
procedures necessary to prevent classified information from
migrating to unclassified AISs and leaving the security area.
Section 2. Accreditation and Security Modes
8-200. AIS Accreditation.
a. The contractor shall obtain written accreditation from the CSA
prior to processing classified information on AISs. To obtain
accreditation, the contractor shall submit a formal request to the
CSA and an AISSP. Where similar AIS are located within the same
facility, a single security plan is permitted.
b. Accreditation is the CSA's approval for an AIS to process
classified information in an operational environment. The
accreditation is based on documentation, analysis, and evaluation
of AIS operations with respect to security risks and also on the
safeguards associated with operation of the AIS.
c. Interim accreditation may be granted in order for a contractor
to start processing classified information. This interim action
shall be for a specific period and shall specify the contractor
actions to be completed and the minimum security requirements to be
met during this period.
d. AIS accreditation may be withdrawn by the CSA should
procedures and controls established in the AISSP be assessed
ineffective by the CSA. Accreditation may also be withdrawn by the
CSA when there has been an unacceptable change in system or
security configuration.
e. The contractor can self-approve AISs that are similar to a
previously accredited AIS security profile and components, provided
the self-approval plan and procedures are included in the AISSP. In
the event of discrepancies, or determination by the CSA that the
self-approval plan is not administered effectively, the CSA may
withdraw the contractor's self-approval authority.
f. An AIS may be reaccredited or self-approval authority can be
reinstated by the CSA after review, analysis, and approval of an
updated AISSP. An accredited AIS may be reaccredited when
significant changes to the original accreditation or baseline
occur.
8-201. Equipment not Requiring Accreditation.
Some equipment or components, including test equipment, fit the
definition of an AIS, whereas others may not. The ISSR will
determine and document the capability of such equipment in the
context of the equipment's or component's ability to collect and
process information. As a general rule, equipment composed of
volatile memory with no other storage media would not require
accreditation.
AIS components that need not be included in the system
accreditation include but are not limited to:
a. Electronic typewriters, basic function calculators, and test
equipment.
b. Security requirements for AISs that are embedded as an
integral element of a larger system that is used to perform or
control a function, such as test stands, simulators, control
systems or weapons systems should be established concurrently with
the design and development of the system. If not provided, the
contractor shall request them from the appropriate GCA. In the
absence of such requirements, the security requirements and
procedures of this Manual will be applied to the extent appropriate
as determined by the CSA.
8-202. The AIS Security Plan.
a. User Operational Procedures. These procedures describe how
access to an AIS and classified information is authorized and
revoked; the protection mechanisms provided by the AIS, guidelines
on their use, and how they interact with one another, procedures
for screening and preventing the introduction of malicious code,
and the like.
b. System Configuration Management Procedures. These procedures
describe the documenting, controlling, changing, and maintaining of
the accountability of AIS hardware, firmware, software,
communications interfaces, operating procedures, and installation
structures.
c. Audit Features and Controls. These describe:
(1) A chronological record of AIS usage and system support
activities.
(2) Maintenance and repair of AIS hardware, including
installation or removal of equipment, devices or components.
(3) Transaction receipts, equipment sanitization,
declassification and release records.
d. Concept of Operations (CONOP). The CONOP describes what the
AIS will be used for and how it will operate.
e. Continuity of Operations Procedures (COOP). The COOP describes
procedures to ensure continuous operations of AISs in the event of
a disaster resulting from fire, flood, malicious act, human error,
or any other occurrence. When the GCA determines a COOP to be
necessary, the requirements will be contractually imposed. Costs
directly related to COOP requirements that are in addition to the
safeguards required by this Manual will be charged to the specific
contract for which the requirements are imposed. At a minimum, the
COOP must include:
(1) Identification of mission-essential resources, including
AIS components, key response and recovery personnel, and
alternate site processing requirements.
(2) Identification of mission-essential applications.
(3) The type of response necessary to continue the mission,
based on the projected recovery time.
(4) Frequency of performing backups to ensure, at a minimum,
that current back-up copies of mission essential software and
data exist.
(5) An estimate of the cost of exercising the plan, software,
or alternate site.
f. System Administration and Maintenance Procedures. These
describe maintenance and repair procedures, including adding,
changing, and removing components, and the use of maintenance
devices and utilities.
g. Training Procedures. Security awareness training must be
provided prior to assigning the individual access to the AIS and
updated as needed. An individual receiving the training may be
required to sign an agreement to abide by the security requirements
specified in the AISSP.
h. Startup and Shut-down Procedures. These include system
upgrading and downgrading, handling of user data and output, access
controls to the AIS and remote AIS areas during, between, and after
classified processing; and the declassification, release and
destruction of storage media and AIS.
i. Certification Test Plan. This plan outlines the inspection and
test procedures to demonstrate compliance with the security
requirements associated with the mode of operation. It must include
a detailed description of how the implementation of the operating
system software, data management software, firmware, and related
security software packages will enable the AIS to meet the
compartmented or multilevel mode requirements. Products,
subsystems, and systems that have been endorsed through formal
evaluation programs (e.g., the Evaluated Products List supporting
the TCSEC) must be evaluated as part of the AIS in the
certification and accreditation process. In lieu of a certification
test plan for the dedicated and system high mode, the ISSR will:
(1) Verify that system access controls and/or procedures are
functional for the dedicated mode.
(2) Provide test results that verify that need to know
controls are implemented for the system high mode.
8-203. Security Modes-General.
a. AISs that process classified information must operate in the
dedicated, system-high, compartmented, or multilevel mode. Security
modes are authorized variations in security environments,
requirements, and methods of operating. In all modes, the
integration of automated and conventional security measures shall,
with reasonable dependability, prevent unauthorized access to
classified information during, or resulting from the processing of
such information, and prevent unauthorized manipulation of the AIS
that could result in the compromise of classified information.
b. In determining the mode of operation, three elements must be
addressed:
(1) The boundary of an AIS includes all users that are
directly or indirectly connected, and who can receive data from the
system without a reliable human review by a cleared authority. The
perimeter is the extent of the system that is to be accredited as
a single system.
(2) The nature of data is defined in terms of its
classification levels, compartments, subcompartments, and
sensitivities.
(3) The level and diversity of access privileges of its users
are defined as their clearance levels, need-to-know, and formal
access approvals.
8-204. Dedicated Security Mode.
a. An AIS is operating in the dedicated mode when each user with
direct or indirect access to the AIS, its peripherals, remote
terminals, or remote hosts has all of the following:
(1) A PCL and need-to-know for all information stored or
processed.
(2) If applicable, has all formal access approvals and has
executed all appropriate nondisclosure agreements for all the
information stored and/or processed (including all
compartments and sub-compartments).
b. The following security requirements are established for AISs
operating in the dedicated mode:
(1) Enforce system access procedures.
(2) All hardcopy output and media removed will be handled at
the level for which the system is accredited until reviewed by
a knowledgeable individual.
8-205. Security Features for Dedicated Security Mode.
Since the system is not required to provide technical security
features, it is up to the user to protect the information on the
system.
8-206. Security Assurances for Dedicated Security Mode.
Configuration management procedures must be employed to maintain
the ability of the AIS to protect the customer's classified
information. Configuration management procedures must be conducted
in coordination with the ISSR. The system's configuration management
procedures shall include an approach for specifying, documenting,
controlling, and maintaining the visibility and accountability of
all appropriate AIS hardware, firmware, software, communications
interfaces, operating procedures, installation structures and
changes thereto.
8-207. System High Security Mode.
An AIS is operating in the system-high mode when each user with
direct or indirect access to the AIS, its peripherals, remote
terminals, or remote hosts has all of the following:
a. A PCL for all information on the AIS.
b. Access approval and has signed nondisclosure agreements for
all the information stored and/or processed.
c. A need-to-know for some of the information contained within
the system.
8-208. Security Features for System High Mode.
AISs operating in the system high mode, in addition to meeting all
of the security standards established for the dedicated mode, will:
a. Define and control access between system users and named
objects (e.g., files and programs). The enforcement mechanism must
allow system users to specify and control the sharing of those
objects by named individuals and/or explicitly defined groups of
individuals. The access control mechanism must either, by explicit
user action or by default, provide that all objects are protected
from unauthorized access (discretionary access control). Access
permission to an object by users not already possessing access
permission must only be assigned by authorized users of the object.
b. When feasible, as determined by the CSA, provide a time
lockout in an interactive session after an interval of user
inactivity. The time interval and restart requirements shall be
specified in the AISSP.
c. Provide an audit trail capability that records time, date, user
ID, terminal ID (if applicable), and file name for the following
events:
(1) System log on and log off.
(2) Unsuccessful access attempts.
d. Protect the audit, identification, and authentication
mechanisms from unauthorized access, modification, or deletion.
e. Require that storage contain no residual data from the
previously contained object before being assigned, allocated, or
reallocated to another subject.
f. Ensure that each person having access to a multi-user AIS has
the proper security clearances and authorizations and is uniquely
identified and authenticated before access to the AIS is permitted.
The identification and authentication methods used shall be
specified and approved in the AISSP. User access controls in
multi-user AISs shall include authorization, user identification,
and authentication; administrative controls for assigning these
shall be covered in the AISSP.
(1) User Authorizations. The manager or supervisor of each
user of an AIS shall determine the required authorizations,
such as need-to-know for that user.
(2) User Identification. Each system user shall have a unique
user identifier and authenticator.
(a) User ID Reuse. Prior to reuse of a user ID, all
previous access authorizations (including file accesses for
that user ID) shall be removed from the AIS.
(b) User ID Removal. The ISSR shall ensure the
development and implementation of procedures for the prompt
removal of access from the AIS when the need for access no
longer exists.
(c) User ID Revalidation. The ISSR shall ensure that all
user IDs are revalidated at least annually, and that information
such as sponsor and means of off-line contact (e.g., phone
number, mailing address) is updated as necessary.
g. Authentication. Each user of a multi-user AIS shall be
authenticated before access is permitted. This authentication can
be based on any one of three types of information: something the
person knows (e.g., a password); something the person possesses
(e.g., a card or key); something about the person (e.g.,
fingerprints or voiceprints); or some combination of these three.
Authenticators that are passwords shall be changed at least every
6 months. Multi-user AISs shall ensure that each user of the AIS is
authenticated before access is permitted.
(1) Logon. Users shall be required to authenticate their
identities at "logon" time by supplying their authenticator (e.g.,
password, smart card, or fingerprints) in conjunction with their
user ID.
(2) Protection of Authenticator. An authenticator that is in
the form of knowledge or possession (password, smart card, keys)
shall not be shared with anyone. Authenticators shall be protected
at a level commensurate with the accreditation level of the AIS.
(3) Additional Authentication Countermeasures. Where the
operating system provides the capability, the following features
shall be implemented:
(a) Logon Attempt Rate. Successive logon attempts shall
be controlled by denying access after multiple (maximum of
five) unsuccessful attempts on the same user ID, by limiting
the number of access attempts in a specified time period, by
the use of a time delay control system, or other such methods,
subject to approval by the CSA.
(b) Notification to the User. The user shall be notified
upon successful logon of the date and time of the user's last
logon; the ID of the terminal used at last logon, and the
number of unsuccessful logon attempts using this user ID since
the last successful logon. This notice shall require positive
action by the user to remove the notice from the screen.
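The logon controls of 8-208 c and g(3), modeled as an added example (not code from the Manual or any accredited system): an audit trail of logon, logoff and unsuccessful attempts with time, user ID and terminal ID; denial after five unsuccessful attempts on one user ID; and a last-logon notice that the user must acknowledge. The user names, authenticators and the `at()` clock are constructed for illustration.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_FAILED_ATTEMPTS = 5   # 8-208 g(3)(a): at most five unsuccessful attempts on one ID

# Constructed clock for the example: minutes after a fixed start time.
T0 = datetime(2024, 1, 8, 9, 0)


def at(minutes: int) -> datetime:
    return T0 + timedelta(minutes=minutes)


@dataclass
class AuditRecord:
    """One audit trail entry (8-208 c): time/date, event, user ID, terminal ID."""
    when: datetime
    event: str            # LOGON, LOGOFF, LOGON_FAILED, LOCKOUT, UNLOCK
    user_id: str
    terminal_id: str


@dataclass
class UserState:
    secret: str                        # constructed authenticator (a real system stores a hash)
    failed_since_success: int = 0      # counter reported in the last-logon notice
    locked: bool = False
    last_logon: Optional[datetime] = None
    last_terminal: Optional[str] = None


@dataclass
class LogonNotice:
    """8-208 g(3)(b): shown after a successful logon; the user must take a
    positive action (acknowledge) before the notice is removed."""
    last_logon: Optional[datetime]
    last_terminal: Optional[str]
    failed_since_last_logon: int
    acknowledged: bool = False

    def acknowledge(self) -> None:
        self.acknowledged = True


class LogonController:
    def __init__(self) -> None:
        self.users: dict = {}
        self.audit: list = []

    def add_user(self, user_id: str, secret: str) -> None:
        self.users[user_id] = UserState(secret)

    def _record(self, when: datetime, event: str, user_id: str, terminal_id: str) -> None:
        self.audit.append(AuditRecord(when, event, user_id, terminal_id))

    def logon(self, user_id: str, secret: str, terminal_id: str,
              now: datetime) -> Optional[LogonNotice]:
        """Returns a LogonNotice on success, None when access is denied."""
        user = self.users.get(user_id)
        ok = (user is not None and not user.locked
              and hmac.compare_digest(user.secret, secret))
        if not ok:
            # Unknown IDs and locked IDs are audited the same way as a bad
            # authenticator, so every unsuccessful attempt is in the trail.
            self._record(now, "LOGON_FAILED", user_id, terminal_id)
            if user is not None:
                user.failed_since_success += 1
                if not user.locked and user.failed_since_success >= MAX_FAILED_ATTEMPTS:
                    user.locked = True
                    self._record(now, "LOCKOUT", user_id, terminal_id)
            return None
        notice = LogonNotice(user.last_logon, user.last_terminal, user.failed_since_success)
        user.failed_since_success = 0
        user.last_logon, user.last_terminal = now, terminal_id
        self._record(now, "LOGON", user_id, terminal_id)
        return notice

    def logoff(self, user_id: str, terminal_id: str, now: datetime) -> None:
        self._record(now, "LOGOFF", user_id, terminal_id)

    def unlock(self, user_id: str, admin_id: str, terminal_id: str, now: datetime) -> None:
        """Reinstating a locked ID is an administrator action and is itself audited."""
        self.users[user_id].locked = False
        self._record(now, "UNLOCK", f"{user_id} by {admin_id}", terminal_id)

    def events(self, event: str, user_id: str) -> int:
        """Count entries of one kind for a user ID, as a weekly review (8-102 b(9)) would."""
        return sum(1 for r in self.audit if r.event == event and r.user_id == user_id)
```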
8-209. Security Assurances for System High Mode.
a. Examination of Hardware and Software. AIS hardware and
software shall be examined when received from the vendor and before
being placed into use.
(1) AIS Hardware. An examination shall result in assurance
that the equipment appears to be in good working order and has no
elements that might be detrimental to the secure operation of the
resource. Subsequent changes and developments which affect security
may require additional examination.
(2) AIS Software. Commercially procured software shall be
examined to assure that the software contains no features that
might be detrimental to the security of the AIS. Security-related
software shall be examined to assure that the security features
function as specified.
(3) Custom Software or Hardware Systems. New or significantly
changed security relevant software and hardware developed
specifically for the system shall be subject to testing and review
at appropriate stages of development.
b. Security Testing. The system security features for
need-to-know controls will be tested and verified. Identified flaws
will be corrected.
8-210. Compartmented Security Mode.
An AIS is operating in the compartmented mode when users with
direct or indirect access to the AIS, its peripherals, or remote
terminals have all of the following:
a. A PCL for the most restricted information processed.
b. Formal access approval and has signed nondisclosure agreements
for that information to which he or she is to have access (some
users do not have formal access approval for all compartments or
subcompartments processed by the AIS).
c. A valid need-to-know for the information to which he or she is
to have access.
8-211. Security Features for Compartmented Mode.
In addition to all security features and security assurances
required for the system high mode of operation, AIS operating in
the compartmented mode of operation shall also include:
a. Security Labels. The AIS shall place security labels on all
entities (e.g., files) reflecting the sensitivity (classification
level, classification category, and handling caveats) of the
information for resources and the authorizations (security
clearances, need-to-know, formal access approvals) for users. These
labels shall be an integral part of the electronic data or media.
These security labels shall be compared and validated before a user
is granted access to a resource.
b. Export of Security Labels. Security labels exported from the
AIS shall be accurate representations of the corresponding security
labels on the information in the originating AIS.
c. Mandatory Access Controls. Mandatory access controls shall
provide a means of restricting access to files based on the
sensitivity (as represented by the label) of the information
contained in the files and the formal authorization (i.e., security
clearance) of users to access information of such sensitivity.
d. No information shall be accessed whose compartment is
inconsistent with the session logon.
e. Support a trusted communications path between itself and each
user for initial logon and verification for AIS processing TOP
SECRET information.
f. Enforce, under system control, a system-generated, printed,
and human-readable security classification level banner at the top
and bottom of each physical page of system hard-copy output.
g. Audit these additional events: the routing of all system jobs
and output, and changes to security labels.
8-212. Security Assurances for Compartmented Mode.
a. Confidence in Software Source. In acquiring resources to be
used as part of an AIS, consideration shall be given to the level
of confidence placed in the vendor to provide a quality product, to
support the security features of the product, and to assist in the
correction of any flaws.
b. Flaw Discovery. The vendor shall have implemented a method for
ensuring the discovery of flaws in the system (hardware, firmware,
or software) that may have an effect on the security.
c. Description of Security Enforcement Mechanisms (often referred
to as the Trusted Computing Base). The protections and provisions
of the security enforcement mechanisms shall be documented in such
a manner to show the underlying planning for the security. The
security enforcement mechanisms shall be isolated and protected
from any user or unauthorized process interference or modification.
Hardware and software features shall be provided that can be used
to periodically validate the correct operation of the elements of
the security enforcement mechanisms.
d. Independent Validation and Verification. An independent
validation and verification team shall assist in the certification
testing of an AIS and shall perform validation and verification
testing of the system as required by the CSA.
e. Security Label Integrity. The methodology shall ensure: (1)
integrity of the security labels; (2) the association of a security
label with the transmitted data; and (3) enforcement of the control
features of the security labels.
f. Detailed Design of Security Enforcement Mechanisms. An
informal description of the security policy model enforced by the
system shall be available.
8-213. Multilevel Security Mode.
An AIS is operating in the multilevel mode when all of the
following statements are satisfied concerning the users with direct
or indirect access to the AIS, its peripherals, remote terminals,
or remote hosts:
a. All users of the multilevel system must have a PCL but some
users may not have a PCL for all levels of the classified
information residing on the system.
b. All users are cleared, have a need-to-know, and the
appropriate access approval (i.e., signed nondisclosure agreements)
for information to be accessed.
8-214. Security Features for Multilevel Mode.
In addition to all security features and security assurances
required for the compartmented mode of operation, AIS operating in
the multilevel mode shall also include:
a. A mechanism that is able to monitor the occurrence or
accumulation of security auditable events that may indicate an
imminent violation of security policy. This mechanism shall be able
to immediately notify the security administrator when thresholds
are exceeded and, if the occurrence or accumulation of these
security relevant events continues, the system shall take the least
disruptive action to terminate the event.
b. Access controls that are capable of specifying, for each named
object, a list of named individuals and a list of groups of named
individuals with their respective modes of access to that object.
It will be possible to specify for each named object a list of
named individuals and a list of groups of named individuals for
which no access to the object is to be given.
c. Support a trusted communication path between the AIS and users
for use when a positive AIS-to-user connection is required (i.e.,
logon, change subject security level). Communications via this
trusted path shall be activated exclusively by a user or the AIS
and shall be logically isolated and unmistakably distinguishable
from other paths.
d. Support separate operator and administrator functions. The
functions performed in the role of a security administrator shall
be identified. The AIS system administrative personnel shall only
be able to perform security administrator functions after taking a
distinct auditable action to assume the security administrative
role of the AIS system. Non-security functions that can be
performed in the security administrative role shall be limited
strictly to those essential to performing the security role
effectively.
e. Provide procedures and/or mechanisms to assure that, after an
AIS system failure or other discontinuity, recovery without a
protection compromise is obtained.
f. Immediately notify a terminal user of each change in the
security level associated with that user during an interactive
session. A user shall be able to query the system as desired for a
display of the user's complete sensitivity label.
g. Enforce an upgrade or downgrade principle where all users
processing have a system-maintained classification; no data is read
that is classified higher than the processing session authorized;
and no data is written unless its security classification level is
equal to the user's authorized processing security classification.
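An added example, not from the Manual, of the label comparison behind 8-211 a, c and d and the read/write principle of 8-214 g, with the mid-session level change and user notification of 8-214 f. The level ordering, compartment names and object names are constructed; the write rule here takes the strictest reading (whole label must match) as a stated assumption.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    # Classification levels ordered lowest to highest (constructed ordering)
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """Sensitivity of an entity, or authorization of a user (8-211 a)."""
    level: Level
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Access requires a clearance at least the information's level and
        # formal access approval for every compartment it carries (8-211 c).
        return self.level >= other.level and other.compartments <= self.compartments

    def __str__(self) -> str:
        # Human-readable form for notices and audit entries, e.g. SECRET//A//B
        caveats = "//".join(sorted(self.compartments))
        return self.level.name + (f"//{caveats}" if caveats else "")


@dataclass
class Session:
    user_id: str
    clearance: Label          # PCL plus formal access approvals (8-210 a, b)
    session_label: Label      # level and compartments selected at logon (8-211 d)
    need_to_know: frozenset   # named objects the supervisor authorized (8-208 f(1))
    audit: list = field(default_factory=list)   # label-change audit entries (8-211 g)


def open_session(user_id: str, clearance: Label, requested: Label,
                 need_to_know: frozenset) -> Session:
    """Start a session only at a label the user's clearance dominates."""
    if not clearance.dominates(requested):
        raise PermissionError(f"{user_id}: session label {requested} exceeds clearance")
    s = Session(user_id, clearance, requested, need_to_know)
    s.audit.append(("LOGON", user_id, str(requested)))
    return s


def can_read(session: Session, obj_name: str, obj_label: Label) -> bool:
    """Read rule: the session label must dominate the object's label (nothing
    read above the session level, 8-214 g; no compartment inconsistent with
    the session logon, 8-211 d), and the user must hold need-to-know for the
    named object (8-208 a, f(1))."""
    return session.session_label.dominates(obj_label) and obj_name in session.need_to_know


def can_write(session: Session, obj_label: Label) -> bool:
    """Write rule: 8-214 g permits writing only at a level equal to the session's
    authorized processing level. Assumption in this example: the whole label must
    match, so compartmented data in the session is never written to an object
    without that compartment."""
    return obj_label == session.session_label


def change_session_level(session: Session, new_label: Label) -> str:
    """Change the session label mid-session (8-214 c, f): only within the
    clearance, recorded as a label change, and the user is told immediately."""
    if not session.clearance.dominates(new_label):
        raise PermissionError(f"{session.user_id}: {new_label} exceeds clearance")
    old = session.session_label
    session.session_label = new_label
    session.audit.append(("LABEL_CHANGE", session.user_id, f"{old} -> {new_label}"))
    return f"NOTICE: your session sensitivity label changed from {old} to {new_label}"
```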
8-215. Security Assurances for Multilevel Mode.
a. Flaw Tracking and Remediation. The vendor shall provide
evidence that all discovered flaws have been tracked and remedied.
b. Life-Cycle Assurance. The development of the AIS hardware,
firmware, and software shall be under life-cycle control and
management (i.e., control of the AIS from the earliest design stage
through decommissioning).
c. Separation of Functions. The functions of the ISSR and the AIS
manager shall not be performed by the same person.
d. Device Labels. The methodology shall ensure that the
originating and destination device labels are a part of each
message header and enforce the control features of the data flow
between originator and destination.
e. Trusted Path. The system shall support a trusted communication
path between the user and system security mechanisms.
f. Security Isolation. The security enforcement mechanism shall
maintain a domain for its own execution that protects it from
external interference and tampering (e.g., by reading or
modification of its code and data structures). The protection of
the security enforcement mechanism shall provide isolation and
non-circumvention of isolation functions.
g. Security Penetration Testing. In addition to testing the
performance of the AIS for certification, there shall be testing to
attempt to penetrate the security countermeasures of the system.
The test procedures shall be documented in the test plan for
certification and also in the test plan for ongoing testing.
Section 3. Controls and Maintenance
8-300. Physical Security.
a. Physical security safeguards shall be established that prevent
or detect unauthorized access to accredited system entry points and
unauthorized modification of the AIS hardware and software.
Hardware integrity of the AIS, including remote equipment, shall be
maintained at all times, even when the AIS is not processing or
storing classified information.
b. Attended classified processing shall take place in an area,
normally a Restricted Area, where authorized persons can exercise
constant surveillance and control of the AIS. All unescorted
personnel to the area must have a government granted PCL and
controls must be in place to restrict visual and aural access to
classified information.
c. When the AIS is processing classified information unattended,
or when classified information remains on an unattended AIS, a
Closed Area is required.
d. When the AIS is not in use, all classified information has
been removed and properly secured, and the AIS has been downgraded,
continuous physical protection, to prevent or detect unauthorized
modification of the AIS hardware and software, shall be implemented
through one or more of the following methods:
(1) Continuous supervision by authorized personnel.
(2) Use of approved cabinets, enclosures, seals, locks or
Closed Areas.
(3) Use of area controls that prevent or detect tampering or
theft of the hardware and software. These controls will vary
depending on the overall physical security controls in effect
in the immediate secure area.
8-301. Software Controls.
a. Contractor personnel that design, develop, test, install, or
make modifications to systems, or use security software, shall be
cleared to the level of the AIS. Non-system or applications
software that will be used during classified processing periods can
be developed or modified by personnel without a clearance. However,
before software developed by uncleared persons is used in a
classified processing period, it must be reviewed or tested by
authorized and knowledgeable contractor personnel to provide
reasonable assurance that security vulnerabilities do not exist.
b. The AISSP must provide procedures for approval of installation
of any software on the AIS.
c. Software provided on media that may be written to (e.g.,
magnetic media) must be safeguarded commensurate with the
accreditation level unless a physical write-protect mechanism is
used. (Mechanisms shall be tested and verified by attempting to
write to the media.) The write protection mechanism must be
verified once during each session when it is used to process
classified information.
d. Unclassified software provided on media that cannot be changed
(e.g., CD read-only media) may be loaded onto the classified system
without being labeled or classified provided it is immediately
removed from the security area upon completion of the loading
procedure. If the media is to be retained in the security area, it
may be controlled and stored as unclassified media.
e. The contractor shall validate the functionality of
security-related software (e.g., access control, auditing, purge,
etc.) before the AIS is accredited. The software shall be
revalidated when changed.
f. Use of software of unknown or suspect origin is strongly
discouraged.
g. The contractor must verify that all software is free of
malicious code prior to installation.
h. Unclassified vendor-supplied software used for maintenance or
diagnostics must be controlled as though classified.
i. Incidents involving malicious software will be investigated by
the ISSR. If the incident affects the integrity of classified
information, the CSA will be notified immediately and a written
report detailing the findings of this investigation will be
submitted to the CSA in accordance with the AISSP.
8-302. Media Controls.
a. In general, media that contains classified information will be
handled in a manner consistent with the handling of classified
documents.
b. All storage media used for classified data on dedicated and
system high AIS must be labeled and controlled to the highest level
of the information on the AIS. However, information not at the
highest level may be written to appropriately
classified/unclassified media using authorized procedures and/or
methods.
c. All data storage media for compartmented and multilevel AIS
must be labeled and controlled to the highest level of the
information contained on the media.
d. When two or more AISs are collocated in the same security area
and processing at different levels or compartments, procedures
described in the system security plan will be used to distinguish
among them.
e. Authorized sanitization procedures for the most commonly used
memory and storage media are defined in the sanitization matrix.
f. Media must be sanitized and all markings and labels removed
before media can be declassified. Sanitization actions must be
verified and a record must be annotated to show the date, the
particular sanitization action taken, and the person taking the
action.
g. Media must be sanitized and declassified prior to release from
continuous protection.
h. All printed output from an AIS processing in the dedicated or
system high mode must be treated as though classified until
verified to be unclassified.
8-303. Security Audits.
a. In addition to the audits required under security modes, the
following logs are required regardless of mode of operation. The
logs must include the date, the event, and the person responsible.
(1) Maintenance, repair, installation, or removal of hardware
components. Log must include the component involved, and action
taken.
(2) Installation, testing, and modification of operating
system and security-related software. Log must include the software
involved and action taken.
(3) Upgrading and downgrading actions.
(4) Sanitization and declassifying media and devices.
(5) Application and reapplication of seals.
b. At intervals specified in the AISSP, the ISSR (or designee)
shall review, analyze, and annotate audit records created during
classified processing periods to ensure that all pertinent activity
is properly recorded and appropriate action has been taken to
correct anomalies.
c. Audit trail records shall be retained until reviewed and
released by the contractor or CSA but not more than 12 months.
8-304. AIS Operations.
a. Security Level Upgrading. To increase the level of processing
on an AIS the following procedures must be implemented:
(1) Adjust the area controls to the level of information to
be processed.
(2) Configure the AIS as described in the AISSP. The use of
logical disconnects is prohibited for AIS processing TOP SECRET
information.
(3) Remove and store removable data storage media not to be
used during the processing period.
(4) Clear all memory including buffer storage.
(5) Initialize the system for processing at the approved
level of operation with a dedicated copy of the operating system.
This copy of the operating system must be protected commensurate
with the security classification and access levels of the
information to be processed during the period.
b. Security Level Downgrading. To lower the level of processing,
the following procedures must be implemented:
(1) Remove and store removable data storage media not to be
used during the lower processing period.
(2) Clear the memory and buffer storage of the equipment to
be downgraded, for collateral SECRET and below; sanitize for TOP
SECRET.
(3) Sanitize printers.
(4) For classified processing, configure the AIS as described
in the AISSP.
(5) Adjust the area controls to the level of information to
be processed.
(6) Initialize the system for processing at the lower level
with a dedicated copy of the operating system. This copy of the
operating system must be protected commensurate with the security
classification and access levels of the information to be processed
during the period.
8-305. Identification and Authentication Techniques.
When the AIS is processing classified information, access to any
unattended hardware must conform to the requirements in this document
for the highest level of classified material processed on the AIS.
Specific user identification and authentication techniques and
procedures will be included in the AISSP. Examples of
identification and authentication techniques include, but are not
limited to: user IDs and passwords, tokens, biometrics and
smartcards.
a. User IDs identify users in the system and are used in
conjunction with authentication techniques to gain access to the
system. User IDs will be disabled whenever a user no longer has a
need-to-know or proper clearance. The user ID will be deleted from
the system only after review of programs and data associated with
the ID. Disabled accounts will be removed from the system as soon
as practical. Access attempts will be limited to five tries. Users
who fail to access the system within the established limits will be
denied access until the user's ID is reactivated.
b. When used, system logon passwords will be randomly selected
and will be at least six characters in length.
(1) Appropriate guidance must be provided by the ISSR or
contractor to users prior to their choosing their own logon
passwords. When an automated system logon-password generation
routine is used, it must be described in the AISSP.
(2) Passwords must be validated by the system each time the
user accesses the system.
(3) System logon passwords must not be displayed at any
terminal or printed on any printer.
(4) Passwords will not be shared by any user.
(5) Passwords will be classified and controlled at the
highest level of the information accessed.
(6) Passwords must be changed at least every 6 months.
(7) Immediately following a suspected or known compromise of
a password, the ISSR will be notified and a new password issued.
c. Master data files containing the user population system logon
passwords will be encrypted when practical. Access to the files
will be limited to the ISSR and a designee identified in the AISSP.
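The user ID and logon password rules in 8-305a through 8-305c, modelled as an added example (this is not NISPOM text and not any contractor's implementation): five tries before the ID is denied until reactivated, a six-character minimum, expiry after six months, and deletion only after the ID has been disabled and reviewed. The class and method names, the hashing choice and the 183-day reading of "6 months" are assumptions made here.

```python
# Added example, not NISPOM text; names and the 183-day figure are assumptions.
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 5                         # 8-305a: five tries, then denied
MIN_PASSWORD_LEN = 6                     # 8-305b: at least six characters
MAX_PASSWORD_AGE = timedelta(days=183)   # assumed reading of "every 6 months"

def _hash(password: str, salt: bytes) -> bytes:
    # Stored hashed so the master file holds no plaintext (cf. 8-305c)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    user_id: str
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pw_hash: bytes = b""
    pw_set_on: date = field(default_factory=date.today)
    failed: int = 0
    locked: bool = False    # denied until the ISSR reactivates the ID
    disabled: bool = False  # clearance or need-to-know no longer held
    reviewed: bool = False  # programs and data tied to the ID reviewed

    def set_password(self, password: str, today: date) -> None:
        if len(password) < MIN_PASSWORD_LEN:
            raise ValueError("8-305b: password shorter than six characters")
        self.pw_hash = _hash(password, self.salt)
        self.pw_set_on = today

    def password_expired(self, today: date) -> bool:
        return today - self.pw_set_on > MAX_PASSWORD_AGE

    def authenticate(self, password: str, today: date) -> bool:
        # 8-305b(2): the password is validated on every access
        if self.disabled or self.locked or self.password_expired(today):
            return False
        if hmac.compare_digest(_hash(password, self.salt), self.pw_hash):
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= MAX_ATTEMPTS:
            self.locked = True  # denied until reactivated (8-305a)
        return False

    def reactivate(self) -> None:
        # ISSR action that clears the lockout and its counter
        self.failed = 0
        self.locked = False

    def delete_allowed(self) -> bool:
        # 8-305a: disable first; delete only after review of programs/data
        return self.disabled and self.reviewed
```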
d. When classified and unclassified AIS are collocated the
following requirements apply:
(1) The ISSR must document procedures to ensure the
protection of classified information.
(2) The unclassified AIS cannot be connected to the
classified AIS.
(3) Users shall be provided a special awareness briefing.
e. When two or more AISs are collocated in the same security area
and processing at different levels or compartments, procedures
described in the AISSP will be used to distinguish among them.
8-306. Maintenance.
a. Cleared personnel who perform maintenance or diagnostics do
not normally require an escort. Need-to-know for access to
classified information must be enforced. Uncleared maintenance
personnel must always be escorted by a cleared and technically
knowledgeable individual. The ISSR must ensure that escorts of
uncleared maintenance personnel are trained and sufficiently
knowledgeable concerning the AISSP, established security policies
and practices, and escorting procedures.
b. If maintenance is being conducted by appropriately cleared
personnel, system sanitizing or component isolation is a local
option. If maintenance is being performed by uncleared personnel,
steps must be taken to effectively deny access to classified
information by the uncleared person and any maintenance equipment
or software used; these procedures should be documented in the
AISSP. A technically knowledgeable escort is preferred. If access
to classified data cannot be precluded by the escort, either the
component under maintenance must be physically disconnected from
the classified AIS (and sanitized before and after maintenance) or
the entire AIS must be sanitized before and after maintenance.
c. The dedicated copy of the system software with a direct
security function shall not be used for maintenance purposes by
uncleared personnel.
d. When a system failure prevents sanitization of the system
prior to maintenance by uncleared vendor personnel, AISSP
procedures must be enforced to deny the uncleared person visual and
electronic access to any classified data that may be contained on
the system.
e. When practical, all maintenance and diagnostics will be
performed in the contractor's facility. Any AIS components or
equipment released from secure control are no longer part of an
accredited system.
f. Vendor-supplied software/firmware used for maintenance or
diagnostics must be protected at the level of the accredited AIS.
The CSA may allow, on a case-by-case basis, the release of certain
types of costly magnetic media for maintenance, such as disk
head-alignment.
g. All maintenance tools, diagnostic equipment, and other devices
used to service an accredited AIS must be approved by the
contractor.
h. Any component board placed into an accredited AIS must remain
in the security area until proper release procedures are completed.
i. Remote diagnostic or maintenance services are strongly
discouraged. If remote diagnostic or maintenance services become
necessary, the AIS shall be sanitized and disconnected from any
communication links to the network prior to the connection of any
nonsecured communication line.
Clearing and Sanitization Matrix

Media                                        Clear         Sanitize
Magnetic Tape
  Type I                                     a or b        a, b, or m
  Type II                                    a or b        b or m
  Type III                                   a or b        m
Magnetic Disk
  Bernoullis                                 a, b, or c    m
  Floppies                                   a, b, or c    m
  Non-Removable Rigid Disk                   c             a, b, d, or m
  Removable Rigid Disk                       a, b, or c    a, b, d, or m
Optical Disk
  Read Many, Write Many                      c             m
  Read Only                                                m, n
  Write Once, Read Many (WORM)                             m, n
Memory
  Dynamic Random Access Memory (DRAM)        c or g        c, g, or m
  Electronically Alterable PROM (EAPROM)     i             j or m
  Electronically Erasable PROM (EEPROM)      i             h or m
  Erasable Programmable ROM (EPROM)          k             l then c, or m
  Flash EPROM (FEPROM)                       i             c then i, or m
  Programmable ROM (PROM)                    c             m
  Magnetic Bubble Memory                     c             a, b, c, or m
  Magnetic Core Memory                       c             a, b, e, or m
  Magnetic Plated Wire                       c             c and f, or m
  Magnetic Resistive Memory                  c             m
  Nonvolatile RAM (NOVRAM)                   c or g        c, g, or m
  Read Only Memory (ROM)                                   m
  Static Random Access Memory (SRAM)         c or g        c and f, g, or m
Equipment
  Cathode Ray Tube (CRT)                     g             q
Printers
  Impact                                     g             p then g
  Laser                                      g             o then g
a. Degauss with a Type I degausser.
b. Degauss with a Type II degausser.
c. Overwrite all addressable locations with a single character.
d. Overwrite all addressable locations with a character, its
complement, then a random character and verify. THIS METHOD IS NOT
APPROVED FOR SANITIZING MEDIA THAT CONTAINS TOP SECRET INFORMATION.
e. Overwrite all addressable locations with a character, its
complement, then a random character.
f. Each overwrite must reside in memory for a period longer than
the classified data resided.
g. Remove all power to include battery power.
h. Overwrite all locations with a random pattern, all locations
with binary zeros, all locations with binary ones.
i. Perform a full chip erase as per manufacturer's data sheets.
j. Perform i above, then c above, a total of three times.
k. Perform an ultraviolet erase according to manufacturer's
recommendation.
l. Perform k above, but increase time by a factor of three.
m. Destroy - Disintegrate, incinerate, pulverize, shred, or melt.
n. Destruction required only if classified information is
contained.
o. Run five pages of unclassified text (font test acceptable).
p. Ribbons must be destroyed. Platens must be cleaned.
q. Inspect and/or test screen surface for evidence of burned-in
information. If present, the cathode ray tube must be destroyed.
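The overwrite methods c, d, e and h from the legend, and the TOP SECRET restriction on method d, worked through as an added example (not NISPOM text, not any vendor's sanitization tool) against a constructed in-memory stand-in for addressable media. The stand-in can hold "stuck" locations that an overwrite cannot reach, which is the case the verification pass in method d exists to catch; the class and function names and the `stuck` model are assumptions made here.

```python
# Added example, not NISPOM text: legend methods c, d, e and h on a
# constructed stand-in for addressable media; names are assumptions.
import secrets

class Media:
    """Locations listed in `stuck` keep their old value, modelling a block
    an overwrite cannot reach; that is what the verify step in d catches."""
    def __init__(self, data: bytes, stuck=()):
        self.cells = bytearray(data)
        self.stuck = set(stuck)

    def write_all(self, byte: int) -> None:
        self.write_pattern(bytes([byte]) * len(self.cells))

    def write_pattern(self, pattern: bytes) -> None:
        for i, byte in enumerate(pattern):
            if i not in self.stuck:
                self.cells[i] = byte

    def read_all(self) -> bytes:
        return bytes(self.cells)

def method_c(media: Media, char: int = 0x00) -> None:
    """c. Overwrite all addressable locations with a single character."""
    media.write_all(char)

def method_e(media: Media, char: int = 0x55, rnd=None) -> int:
    """e. A character, its complement, then a random character; no verify.
    `rnd` may be fixed for reproducible tests; otherwise drawn at random."""
    rnd = secrets.randbelow(256) if rnd is None else rnd
    for byte in (char, char ^ 0xFF, rnd):
        media.write_all(byte)
    return rnd

def method_d(media: Media, char: int = 0x55, rnd=None) -> bool:
    """d. The passes of e, then verify every location reads back the final
    random character. Legend note: not approved for TOP SECRET media."""
    final = method_e(media, char, rnd)
    return all(byte == final for byte in media.read_all())

def method_h(media: Media) -> None:
    """h. Random pattern, then all binary zeros, then all binary ones."""
    media.write_pattern(secrets.token_bytes(len(media.cells)))
    media.write_all(0x00)
    media.write_all(0xFF)

def sanitize_rigid_disk(media: Media, classification: str) -> bool:
    """Matrix row 'Non-Removable Rigid Disk', sanitize column a, b, d, or m:
    d is the only software method, and the legend bars d for TOP SECRET,
    so TS media must go to degaussing (a, b) or destruction (m) instead."""
    if classification == "TOP SECRET":
        return False  # overwrite is not an approved option; no passes run
    return method_d(media)
```

A verification failure from method_d is the signal to fall back to the non-software columns of the matrix for that media rather than to repeat the overwrite.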
Section 4. Networks
8-400. Networks.
This Section identifies basic security requirements for protecting
classified information processed on accredited networks. Network
operations shall maintain the integrity of the security features
and assurances of its mode of operation. A "Reference Guide for
Security in Networks" can be obtained from the CSA.
8-401. Types of Networks.
a. A Unified Network is a collection of AISs or network systems
that are accredited as a single entity by a single CSA. A unified
network may be as simple as a small standalone LAN operating in
dedicated mode, following a single security policy, accredited as
a single entity, and administered by a single ISSR. The perimeter
of such a network encompasses all its hardware, software, and
attached devices. Its boundary extends to all its users. A unified
network has a single mode of operation based on the clearance
levels, access, and need-to-know. This mode of operation will be
mapped to the level of trust required and will address the risk of
the least trusted user obtaining the most sensitive information
processed or stored on the network.
b. An interconnected network is comprised of separately
accredited AISs and/or unified networks. Each self-contained AIS
maintains its own intra-AIS services and controls, protects its own
resources, and retains its individual accreditation. Each
participating AIS or unified network has its own ISSR. The
interconnected network must have a security support structure
capable of adjudicating the different security policy
(implementations) of the participating AISs or unified networks. An
interconnected network requires accreditation, which may be as
simple as an addendum to a Memorandum of Agreement (MOA) between
the accrediting authorities.
8-402. Methods of Interconnection.
a. Security support structure (SSS) is the hardware, software,
and firmware required to adjudicate security policy and
implementation differences between and among connecting unified
networks and/or AISs. The SSS must be accredited. The following
requirements must be satisfied as part of the SSS accreditation:
(1) Document the security policy enforced by the SSS.
(2) Identify a single mode of operation.
(3) Document the network security architecture and design.
(4) Document minimum contents of MOAs required for
connection to the SSS.
b. Separately accredited network (SAN) is a medium of
interconnection of convenience. Networks and/or AISs that are
interconnected through a SAN must meet the connection rules of the
SAN.
c. The interconnection of previously accredited systems into an
accredited network may require a re-examination of the security
features and assurances of the contributing systems to ensure their
accreditations remain valid.
(1) Once an interconnected network is defined and accredited,
additional networks or separate AISs (separately accredited) may
only be connected through the accredited SSS.
(2) The addition of components to contributing unified
networks that are members of an accredited interconnected network
is allowed provided these additions do not change the
accreditation of the contributing system.
8-403. Network Requirements.
a. Network Security Management. The contractor shall designate an
ISSR for each accredited network to oversee security. The ISSR is
responsible for ensuring compliance with the network security
requirements as described in the AISSP.
b. Network Security Coordination.
(1) Every network must have a security plan.
(2) When different CSAs are involved, a single network
security manager (NSM) may be named that will be responsible for
network security (including the network AISSP). The NSM will ensure
a comprehensive approach to enforce the overall security policy
required by the network security plan.
c. Specific network requirements must be determined on a
case-by-case basis by the CSAs involved; however, as a minimum, the
AISSP for the network must address the following additional
requirements:
(1) Description of security services and mechanisms
protecting against network specific threats. Consistent with its
mode of operation, the network must provide the following security
services:
(a) Access control.
(b) Data flow control.
(c) Data separation.
(d) Auditing.
(e) Communications integrity.
(2) Consistent implementation of security features across the
network components.
(3) Configuration control of network interconnections.
(4) Protection and control of data transfers.
(5) Security features incorporated in communications
protocols.
(6) Adequacy of any filtering bridge, secure gateway, or
other similar security device in controlling access and data flow.
(7) Compatibility of the entire combination of operating
modes when connecting a new system.
(8) Adequacy of the external system's features to support the
local security policy.
8-404. Transmission Security.
Protected Distribution Systems or National Security Agency approved
encryption methodologies and devices shall be used to protect
classified information when it is being transmitted between network
components.