Source:
http://www.isf.rl.af.mil:8001/IRD/isisjitf/isis/amhs/isad/amhs1.html
Information Systems Accreditation Document
Volume 1 of 4
System Security Requirements
for the
Department of Defense Intelligence Information System (DoDIIS)
Automated Message Handling System (AMHS) V2.x
Approved by:
S. Hersch, MDA AMHS Program Mgr
Approved by:
LtCol J. Schepley
Electronics Systems Center
AMHS Program Manager
Approved by:
H. Williams, MDA AMHS QA Mgr
Approved by:
G. Gies, MDA AMHS Chief Engineer
Prepared by:
J. Evans, AMHS Development Mgr.
Submitted by:
McDonnell Douglas Aerospace (MDA)
8201 Greensboro Drive, McLean, VA, 22102
Developed for:
Electronic Systems Center (ESC)
Air Force Materiel Command (AFMC)
TABLE OF CONTENTS
1. BACKGROUND
2. EXECUTIVE SUMMARY
3. PURPOSE OF SYSTEM
3a. Mission Supported
3b. Requirement for the System
4. SYSTEM DESCRIPTION
4a. System Name and Location
4b. AMHS System Architecture
4b (1) Hardware
4b (2) Software
4b (3) Firmware
4b (4) Communications
4c. Systems Operations
4c (1) System/Subsystem Functions
4c (2) Functions performed jointly with other system(s)
4c (3) Information Flow
5. MODE OF OPERATION
5a. Sensitivity of Data Processed - [Site Specific]
5b. Clearance Levels/Formal Access Approvals/Need-to-Know
5b (1) Of Direct Users - [Site Specific]
5b (2) Of Indirect Users - [Site Specific]
5c. Mode of Operation - System High Mode
5d. Accrediting Authority - [Site Specific: DIA is the Designated
Approving Authority (DAA) for the DoDIIS AMHS. For Increment 2,
DIA at its discretion may elect to delegate accreditation
authority to the cognizant service(s) for Army, Navy, and/or
Air Force DoDIIS AMHS installations which are under
CUBIC management.]
5e. ISSOs - [Site Specific: Include names and phone numbers when known.]
5f. Configuration Management
6. SYSTEM ACCREDITATION SCHEDULE
7. SYSTEM SCOPE
FIGURES
Figure 4-1. Generic Site Architecture
Figure 4-2. AMHS Hardware Architecture and External Interfaces
TABLES
Table 4-1 Summary of AMHS Architecture Components
Table 4-2 AMHS Information Flow.
Table 6-1 AMHS Accreditation Schedule
Table 7-1 AMHS Scope of Responsibility
1. BACKGROUND
This document has been developed generically. It must be tailored for the
individual site. Specifically, only the version of figure 4-2 that corresponds
to the site's size should be retained.
2. EXECUTIVE SUMMARY
The System/Network Security Concept of Operations (SECONOPS) is the first
of the required ADP accreditation documentation, and all remaining documentation
flows from and is based upon the documentation it provides. The SECONOPS
identifies all of the intended users of the AIS or network, their clearance
levels, access approvals, and need-to-know authorizations. This, plus the
knowledge of the sensitivity of the information to be processed on the
AIS/network, leads to the early identification of the expected mode of operation.
This in turn results in the establishment of the preliminary minimum security
requirements that must be achieved. Inputs to this document include the system
purpose, the system description, mode of operation, and system accreditation
schedule.
3. PURPOSE OF SYSTEM
3a. Mission Supported
[Site Specific: Describe the site's general mission.]
The mission of the DoDIIS AMHS is to provide:
- Secure, timely, and accurate receipt and delivery of messages;
- The tools and capabilities to display, review, and assimilate the message
  data into an analyst's area of responsibility;
- Storage of message data and the capability to retrieve and display the queried
  message;
- The capability to compose and transmit messages.
3b. Requirement for the System
The AMHS improves automated message handling capabilities in the military
intelligence community. It replaces the Modular Architecture for the eXchange
of Intelligence (MAXI), the current DoDIIS standard, and other existing message
handling systems within the community. The AMHS also provides automated message
handling for sites that do not currently have an automated capability.
The AMHS enhances the process of intelligence data analysis and related product
development at DoDIIS sites by providing sophisticated information management
tools for analysts and system administrators. Site users will correlate message
intelligence data more efficiently and effectively using current communication
sources (automatically routed by the AMHS), and stored message data. Analysis
will be comprehensive; documents will be produced, coordinated, and distributed
easily. The system user, regardless of experience level, will be free to
concentrate on product development and not be encumbered by the mechanics
of system operation.
4. SYSTEM DESCRIPTION
4a. System Name and Location
[Site Specific: Provide as known the base address,
building, room(s) for the system and any subsystems.]
4b. AMHS System Architecture
The generic architecture for an AMHS site is shown in Figure
4-1. The site LAN interconnects a number of intelligence applications and
user workstations. The architecture is based on the client/server model.
Each intelligence application is configured as a server that supports
(application specific) client software on the user workstations.
The DoDIIS AMHS is one of these intelligence applications.
Figure 4-1 shows that it receives and transmits formal message traffic via
the Communications Support Processor (CSP).
Figure 4-1. Generic Site Architecture
[Site Specific: Small/Medium/Large Site] The AMHS
Server Architecture is shown in Figure 4-2. The AMHS server is connected
to the site LAN. The synchronous and asynchronous communication ports, magnetic
disks and tape drives are shown as rectangles.
In the event that a redundant component fails or a spared
single point of failure component fails, the site will warmswap the redundant
component or replace the spared component and restart the system.
Figure 4-2. AMHS Hardware Architecture and External Interfaces
[Site Specific: miniAMHS site] The miniAMHS Server
Architecture is generally illustrated in Figure 4-2. For the miniAMHS, however,
the 20GB tape unit is replaced by a 6GB tape unit. All other system features
are as depicted.
In the event that a redundant component fails or a spared
single point of failure component fails, the site will warmswap the redundant
component or replace the spared component and restart the system.
The hardware, software, firmware, and communication components
of the AMHS are summarized in Table 4-1. Significant aspects of these components
are elaborated in the following paragraphs.
4b (1) Hardware
Server: For a small, medium, or large AMHS configuration,
the AMHS Server hardware is the DEC 2100, a RISC based processor running
OSF/1. The miniAMHS employs a DEC 2300 RISC computer, also running OSF/1.
Both computers are configured with a color terminal and LK401 keyboard. Each
supports an internal thick Ethernet port, two serial communications ports,
and a synchronous SCSI controller on the base system module.
Magnetic Disk Drive 2.1 GB: The 2.1 GB System is
comprised of a Digital RZ28-MY 5400 rpm, random access, fixed-media disk
drive arrangement. The drive is internally mounted and supports 2.1 GB formatted
disks. Access is via a standard SCSI interface.
System Storage Component: The storage component
consists of a BA350 mounted Digital 20 GByte Linear Tape drive (TZ87-VA).
Access to the tape drive is via the standard SCSI bus interface. A 6 GB tape
unit is included with the miniAMHS configuration.
RAID: The RAID provides fault tolerance and data
reliability by incorporating a Redundant Array of Inexpensive Disks (RAID)
level 5. With RAID 5, data and parity are "striped" across all disks in the
array. Parity provides the data redundancy. The sub-system will tolerate
the failure of a disk in the array. The AMHS RAID 5 is a controller based
subsystem. RAID firmware is contained in the redundant controllers. The RAID
controller is a SCSI device and attaches to the Fast SCSI controller in the
DEC 2100 processor and provides 10 MBps bandwidth. The RAID controller provides
seven fast SCSI-2 ports which support a maximum of four SCSI-2 drives per
port. Modular chassis, redundant power supplies, and disk drives comprise
the remainder of the subsystem. Access to the drives is via the SCSI bus
interface.
RAID storage is an option for the miniAMHS configuration.
Vertical Frame (Rack): The Vertical Frame (Rack)
is comprised of the AMCO FX 61 series heavy duty rack used to house and support
the various hardware components which comprise the small, medium, and large
AMHS configurations. The rack is equipped with a power controller, rear door,
top exhaust fan, casters and levelers. Equipment frames may be bolted together
to form multi-bay cabinets; however, small, medium, and large AMHS configurations
can all be housed within a single FX 61 cabinet.
No rack is necessary for the miniAMHS configuration.
ACC Communications Device: This device is the hardware
which supports the external communications requirements of the AMHS. It supports
message traffic in DDCMP I2 and Ver. 4 protocols as well as FBIS and the
ANPA protocol for wire services. The ACP 3020 supports four asynchronous
and four synchronous serial ports. Communication protocols and device drivers
for the external connections are supported in PROM.
4b (2) Software
The AMHS Server operating system is OSF/1.
TOPIC, a standard commercial product, is a text search engine.
TOPIC supports both profiling and retrospective search. TOPIC will be used
to enforce the Discretionary Access Control (DAC) requirements of the AMHS
via System Profiles.
The AMHS provides a user interface on the user workstation
to support message composition and word processing. The AMHS provides these
via Aster*x, a standard commercial product.
Contractor developed software integrates the various commercial
software products.
4b (3) Firmware
All firmware within the AMHS is part of standard commercial
products that are delivered as components of standard commercial hardware.
4b (4) Communications
AMHS Communications: The AMHS directly supports four
(4) external communication links: Communications Support Processor (CSP),
the AGT Gateguard, wire services (AP, UPI, Reuters), and Foreign Broadcast
Information System (FBIS). The AMHS also receives SMTP messages directly
from the site LAN.
The AMHS communicates to the CSP via Generic Gateway using
DDCMP and FDMP in accordance with the CSP ICD, CS-IC-11 88-01, Nov 1988.
The AMHS communicates with LDMX circuits via the AGT Gateguard
accredited front end. The AGT Gateguard supports the kermit protocol for
file transfer and the AMHS interfaces with the Gateguard in a receive only
mode.
The AMHS receives wire service traffic from three wire services:
Associated Press (AP), United Press International (UPI), and Reuters. The
wire service communication links are read only and are received via an
asynchronous RS232 line using American Newspaper Publishers Association (ANPA)
message coding protocol.
The AMHS receives FBIS wire service messages. The FBIS
communication link is read only and complies with FBIS ICD MPD-900-203A.
Site Communications: Site computing resources are
interconnected via the site LAN. Through the CSP, the site supports an external
communication link to the Automated Digital Network (AUTODIN) network. Through
the AGT Gateguard, the site supports an external communication link to the
LDMX network.
[Site Specific: Describe Site LAN communications.
The site LAN interconnects the site's user workstations and application servers.
The LAN operates in the system high mode of operation.]
[Site Specific: Describe AUTODIN communications.
The sites communicate to the AUTODIN network via the CSP. The CSP system
is accredited and certified by USAF/INS and DCA, respectively, to handle
DSSCS and GENSER record message traffic in accordance with DOI-103 and JANAP
128. USAF/INXDX conducts security accreditation tests on behalf of USAF/INS.]
4c. Systems Operations
4c (1) System/Subsystem Functions
Incoming Message Processing: The AMHS receives message
traffic from the CSP, FBIS, LDMX via the AGT Gateguard, and the Wire Services,
stores it on disk, and then distributes it based on the address list and
special handling indicators appearing in the message headers.
The AMHS compares received traffic (formal message traffic,
FBIS, and wire services) against stored user and system profiles. The AMHS
disseminates messages to analysts' Message Queues (stored on AMHS Servers)
based on the results of these comparisons. The AMHS sends alarms for high
precedence messages directly to the active user workstations.
User Services: From their workstations, users can
select and display messages from an In-Box, perform profile creation and
refinement, formulate retrospective queries against the MDB and compose record
messages for transmission.
Outgoing Message Processing: The AMHS Servers and
the workstations cooperate during message coordination leading up to authorized
release. When a message is approved for release, the AMHS transmits it to
the CSP. After transmission, the AMHS compares the message with user and
system profiles to determine local distribution. The AMHS also distributes
released messages to local addresses supplied during message
composition/release.
System Administration: The AMHS supports System
Administrator operations for startup, shut down, AMHS user account management
only, system advisories, and system monitoring. The AMHS also supports ISSO
operations and profile administrator operations to manage and maintain user
and system profiles.
4c (2) Functions performed jointly with other system(s)
[Site Specific: Provide a description of those functions
and identify the systems with which these functions are performed jointly.
Identify which system performs which function and operation. Include high
level functional diagram(s).]
4c (3) Information Flow
The information flow within the AMHS is summarized within
Table 4c (3)-1.
5. MODE OF OPERATION
5a. Sensitivity of Data Processed - [Site Specific]
5b. Clearance Levels/Formal Access Approvals/Need-to-Know
5b (1) Of Direct Users - [Site Specific]
5b (2) Of Indirect Users - [Site Specific]
5c. Mode of Operation - System High Mode
5d. Accrediting Authority - [Site Specific:
DIA is the Designated Approving Authority (DAA) for the DoDIIS AMHS. For
Increment 2, DIA at its discretion may elect to delegate accreditation authority
to the cognizant service(s) for Army, Navy, and/or Air Force DoDIIS AMHS
installations which are under CUBIC management.]
5e. ISSOs - [Site Specific: Include names
and phone numbers when known.]
5f. Configuration Management
AMHS documentation and software development is controlled
in accordance with DOD-STD-2167A, as tailored, and the CUBIC Configuration
Management Plan.
[Site Specific: Indicate the organization(s) responsible
for the configuration management of the hardware, software, and firmware
of the system.]
6. SYSTEM ACCREDITATION SCHEDULE
The AMHS Accreditation Schedule is shown in Table 6-1.
7. SYSTEM SCOPE
This section explicitly delineates the division of
responsibility between the AMHS system and the Site LAN in which it operates.
This division of responsibility is significant since the AMHS is not being
developed as an independent and isolated system. Rather, the AMHS is intended
as a hardware and software add-on to existing environments that include user
workstations and application servers connected via a Site LAN. (Recall Figure
4b-1, Generic Site Architecture.)
It is anticipated that these environments will have been
previously accredited at System High. The AMHS does not attempt to override
or duplicate the security features that are or ought to be present in the
site environment (e.g. workstation login and deadman timeout mechanisms).
The AMHS does, however, build on these existing security features where
appropriate. Thus, AMHS identification and authentication relies on workstation
login.
Table 7-1 identifies the scope of responsibility for the
AMHS.