Source:
http://www.isf.rl.af.mil:8001/IRD/isisjitf/isis/amhs/isad/amhs2.html
Information Systems Accreditation Document
Volume 2 of 4
System Security Requirements
for the
Department of Defense Intelligence Information System (DoDIIS)
Automated Message Handling System (AMHS) V2.x
Approved by:
S. Hersch, MDA AMHS Program Mgr
Approved by:
LtCol J. Schepley
Electronics Systems Center
AMHS Program Manager
Approved by:
H. Williams, MDA AMHS QA Mgr
Approved by:
G. Gies, MDA AMHS Chief Engineer
Prepared by:
J. Evans, AMHS Development Mgr.
Submitted by:
McDonnell Douglas Aerospace (MDA)
8201 Greensboro Drive, McLean, VA, 22102
Developed for:
Electronic Systems Center (ESC)
Air Force Materiel Command (AFMC)
Table of Contents
1. Executive Summary
2. Background
3. Purpose
4. Mode of Operation
5. Security Requirements
5.a Selection and Compliance to Administrative, Environmental, and Technical Security Requirements for an AIS Mode of Operation
5.b Selection and Compliance to Administrative, Environmental, and Technical Security Requirements for a Separately Accredited Network Mode of Operation
5.c Security Requirements Due to Other Network Connections
5.d Security Requirements Required by Data Originators
5.e Security Requirements From the Accrediting Authority
6. Exceptions to Security Requirements
1. Executive Summary
The DoDIIS AMHS provides automated message handling capabilities for the
military intelligence community. It includes four basic message handling
capabilities:
- Incoming Message Processing
- User Services
- Outgoing Message Processing
- System Administration.
The AMHS is intended as a hardware and software add-on to existing environments
that include user workstations and application servers connected via a LAN.
It is anticipated that these environments will have been previously accredited
at System High. The AMHS software resides on the AMHS server. Optionally,
it may also reside on the user workstations to improve performance.
The System Security Requirements is the second in a sequence of documents
supporting system accreditation of the (Increment 2) DoDIIS AMHS, namely:
- System Concept of Operations
- System Security Requirements
- System Security Analysis
- System Security Test Plan
- System Security Test Procedures.
Collectively, these documents satisfy the Director of Central Intelligence
requirements for a "Security Plan".
The System Security Requirements Document establishes the compliance of the
AMHS 2.x with technical and non-technical requirements for processing US
intelligence information in the System High Mode of operation.
2. Background
[A short paragraph describing the functional requirements
for the design of the subject system, and how the security requirements will
be fused with the functional requirements in the conceptual phase.]
The AMHS provides automated message handling capabilities
for the military intelligence community. It replaces the Modular Architecture
for the eXchange of Intelligence (MAXI), the current DoDIIS standard, and
other existing message handling systems within the community. The AMHS also
provides automated message handling for sites that do not currently have
an automated capability.
The AMHS provides four basic message handling capabilities: Incoming Message
Processing, User Services, Outgoing Message Processing, and System Administration.
Through these capabilities, the AMHS enhances the analysis
of intelligence data and development of related products at DoDIIS sites
by providing sophisticated information management tools for analysts and
system administrators. Site users will correlate message intelligence data
more efficiently and effectively using current communication sources
(automatically routed by the AMHS). Analysis will be comprehensive; documents
will be produced, coordinated, and distributed easily. The system user,
regardless of experience level, will be free to concentrate on product
development and not be encumbered by the mechanics of system operation.
The AMHS integrates Proven Non Developmental Item (PNDI) hardware
and software with contractor developed software. The principal PNDI software
products within the AMHS are DEC's OSF/1 Operating System, and Verity's TOPIC,
a text search and retrieval engine.
AMHS functional and security requirements are fused through
the OSF/1 C2 Enhanced Security protections, TOPIC system profiles, and contractor
developed security software.
3. Purpose
THIS SYSTEM SECURITY REQUIREMENTS DOCUMENT PROVIDES A VEHICLE
FOR LISTING, AND ESTABLISHING COMPLIANCE WITH, THE MINIMUM TECHNICAL AND
NON-TECHNICAL REQUIREMENTS FOR AISS OR NETWORKS PROCESSING US INTELLIGENCE
IN A SPECIFIED MODE OF OPERATION. THE DOCUMENT IS AN AMPLIFICATION OF
REQUIREMENTS SET FORTH IN THE DIA SUPPLEMENT TO DIA REGULATION 50-11/DIAR
50-23/DIA MANUAL 50-5, VOL II (REFERRED TO AS THE "SYSTEMS SECURITY HANDBOOK").
4. Mode of Operation
System High.
5. Security Requirements
5.a Selection and Compliance to Administrative, Environmental, and Technical Security Requirements for an AIS Mode of Operation
| No. | Security Requirement | Short Description | Acknowledgement |
|---|---|---|---|
| 1a. | Conceptual Design | A systems engineering approach will be used to develop AISs. | Will Comply |
| b. | Mode of Operation | System High | Will Comply |
| c. | ID of Accrediting Authority(ies) | Identify all accreditation authorities in column to right. | [Site Specific: Will Comply] |
| 2. | System Security Plan | The overall planning document of which this Sec. Req'ts document is a part. | [Site Specific: Will Comply] |
| 3. | Appt. of ISSO | An ISSO has been/will be appointed for this AIS and will perform the documented duties (An ISSO is required throughout the life cycle). | [Site Specific: Will Comply] |
| 4. | Access by Foreign Nationals | Foreign nationals may not access a system except under strict conditions known to this facility. | [Site Specific: Will Comply] |
| 5. | Accreditation/Reaccreditation | Accreditation docs must list specific modes of operation and satisfy other requirements. | Will Comply |
| 6. | Joint Accreditations | This applies when an AIS involves more than one accreditation authority. | [Site Specific: Will Comply] |
| 7. | Interim Approval to Operate | Three conditions must be met if an interim approval is requested. | [Site Specific: Will Comply] |
| 8. | Security Briefings | All users, managers, operators will be briefed on the need for sound security practices. | [Site Specific: Will Comply] |
| 9. | Automated Guard Processors and Filters | Automated guards or filters must satisfy certain criteria for proper filtering of data streams. They are interim measures and must meet specific accreditation assurances. | [Site Specific: Will Comply] |
| 10. | Protection of High Density/Transportable Storage Devices | Media containers will be marked with the highest sensitivity label until approved destruction or sanitization. | [Site Specific: Will Comply] |
| 11. | Memory Remanence | Memory will be safeguarded for highest sensitivity of data ever recorded unless sanitized or destroyed. | [Site Specific: Will Comply] |
| 12. | Protected Software and Hardware | All hardware, software, firmware, etc. shall be protected to prevent disclosure, destruction, modification. | [Site Specific: Will Comply] |
| 13. | Shipment of Equip. to High-Risk Area | System for use in these areas must be protected from time of assembly until it is installed and operational. Areas are defined in "Dept of State Composite Threat List" (issued quarterly). | Will Comply |
| 14. | Marking Storage Media | All removable media will bear external labels with proper sensitivity labels and markings. | [Site Specific: Will Comply] |
| 15. | Marking Printed Output | Comply with appropriate paragraphs of the detailed description in the Handbook for each of the four modes of operation. | Will Comply |
| 16. | Manual Review of Human Readable Output | When markings cannot be trusted, a properly cleared and authorized person provides reliable human review of output media. | [Site Specific: Will Comply] |
| 17. | System Disposal Plan | A Plan will be maintained for the secure disposal of the AIS, including release, reutilization, or destruction of AIS components. | [Site Specific: Will Comply] |
| 18. | COMSEC | Comm links, data comm, and networks of AIS will be protected with COMSEC policies to sensitivity level of data. | [Site Specific: Will Comply] |
| 19. | Use of Dial-Up Lines | Dial-up use shall not be allowed for access to sensitive intelligence unless protections are certified, or authorized by DIA. | [Site Specific: Will Comply] |
| 20. | TEMPEST | Processing facilities must be in compliance with the appropriate national policy on compromising emanations. | [Site Specific: Will Comply] |
| 21. | Physical Security | For sensitive intelligence DIAM 50-3 standards shall apply. For SAPs and SAPIs, other appropriate standards apply. | [Site Specific: Will Comply] |
| 22. | Personnel Security | For each mode, specific clearance, access approvals, and need-to-know requirements must be met. | [Site Specific: Will Comply] |
| 23. | Commercial Vendor Maintenance | Maintenance personnel must be cleared and approved for access at the highest level of info on the system. Access will be given to only info/processes required to perform tasks. Uncleared personnel must be escorted by technically competent site personnel. | [Site Specific: Will Comply] |
| 24. | Tech. Req'ts for Dedicated Mode | CY 2000 goal = C1 products based on Orange Book req'ts (see Figure 1 for Summary) | Not Applicable |
| a. | (2.1.1.1) Discretionary Access Control | | Not Applicable |
| b. | (2.1.2.1) Identification and Authentication | | Not Applicable |
| c. | (2.1.3.1.1) System Architecture | | Not Applicable |
| d. | (2.1.3.1.2) System Integrity | | Not Applicable |
| e. | (2.1.3.2.1) Security Testing | | Not Applicable |
| f. | (2.1.4.1) Security Features User's Guide | | Not Applicable |
| g. | (2.1.4.2) Trusted Facility Manual | | Not Applicable |
| h. | (2.1.4.3) Test Documentation | | Not Applicable |
| i. | (2.1.4.4) Design Documentation | | Not Applicable |
| 25. | Tech. Req'ts for System High Mode | CY 2000 goal = C2 products based on Orange Book req'ts | Will Comply |
| | | CY 1992 objective = automated controlled access protection for AISs at system high and above. | Will Comply |
| a. | (2.2.1.1) Discretionary Access Control | | Will Comply |
| b. | (2.2.1.2) Object Reuse | | Will Comply |
| c. | (2.2.2.1) Identification and Authentication | | Will Comply |
| d. | (2.2.2.2) Audit | | Will Comply |
| e. | (2.2.3.1.1) System Architecture | | Will Comply |
| f. | (2.2.3.1.2) System Integrity | | Will Comply |
| g. | (2.2.3.2.1) Security Testing | | Will Comply |
| h. | (2.2.4.1) Security Features User's Guide | | Will Comply |
| i. | (2.2.4.2) Trusted Facility Manual | | Will Comply |
| j. | (2.2.4.3) Test Documentation | | Will Comply |
| k. | (2.2.4.4) Design Documentation | | Will Comply |
| | The following are additional requirements mandated by DCID 1/16, and described in the Handbook: | | |
| l. | Identification of User Terminals | | Will Comply |
| m. | Configuration Management | | [Site Specific: Will Comply] |
| n. | Trusted Distribution | | Will Comply |
| | The following are additional requirements mandated by the DoDIIS AMHS System Specification and described there: | | |
| o. | System Profiles | | Will Comply |
| 26. | Tech. Req'ts for Compartmented Mode | CY 2000 goal = B1+ to B2 products based on DIA CMW Evaluation Criteria Ver 1 (DDS-2600-6243-90) and Orange Book requirements. | Not Applicable |
| | | CY 1992 objective = automated controlled access protection for AISs at system high and above. | Not Applicable |
| a. | (CMR1) Discretionary Access Control | | Not Applicable |
| b. | (CMR2) Object Reuse | | Not Applicable |
| c. | (CMR3) Mandatory Access Control (MAC) | | Not Applicable |
| d. | (CMR4) Sensitivity Labels | | Not Applicable |
| e. | (CMR5) Information Labels | | Not Applicable |
| f. | (CMR6) User Identification and Authentication | | Not Applicable |
| g. | (CMR7) Trusted Path | | Not Applicable |
| h. | (CMR8) Audit | | Not Applicable |
| i. | (CMR9) System Architecture | | Not Applicable |
| j. | (CMR10) System Integrity | | Not Applicable |
| k. | (CMR11) Trusted Facility Management | | Not Applicable |
| l. | (CMR12) Trusted Recovery | | Not Applicable |
| m. | (CMR13) Security Testing | | Not Applicable |
| n. | (CMR14) Design Specification and Verification | | Not Applicable |
| o. | (CMR15) Configuration Management | | Not Applicable |
| p. | (CMR16) Trusted Distribution | | Not Applicable |
| q. | (CMR17) Security Features User's Guide | | Not Applicable |
| r. | (CMR18) Trusted Facility Manual | | Not Applicable |
| s. | (CMR19) Test Documentation | | Not Applicable |
| t. | (CMR20) Design Documentation | | Not Applicable |
| | The following is an additional requirement mandated by DCID 1/16, and described in the Handbook: | | |
| u. | Identification of User Terminals | | Not Applicable |
| 27. | Tech. Req'ts for Multilevel Mode | CY 2000 goal = B2 to A1 products based on DIA CMW Evaluation Criteria Ver 1 (DDS-2600-6243-90) and Orange Book. | Not Applicable |
| | | CY 1992 objective = automated controlled access protection for AISs at system high and above. | Not Applicable |
| a. | (CMR1) ++ Discretionary Access Control | | Not Applicable |
| b. | (CMR2) Object Reuse | | Not Applicable |
| c. | (CMR3) ++ Mandatory Access Control (MAC) | | Not Applicable |
| d. | (CMR4) ++ Sensitivity Labels | | Not Applicable |
| e. | (CMR5) Information Labels | | Not Applicable |
| f. | (CMR6) User Identification & Authentication | | Not Applicable |
| g. | (CMR7) ++ Trusted Path | | Not Applicable |
| h. | (CMR8) ++ Audit | | Not Applicable |
| i. | (CMR9) ++ System Architecture | | Not Applicable |
| j. | (CMR10) System Integrity | | Not Applicable |
| k. | (CMR11) ++ Trusted Facility Management | | Not Applicable |
| l. | (CMR12) Trusted Recovery | | Not Applicable |
| m. | (CMR13) ++ Security Testing | | Not Applicable |
| n. | (CMR14) ++ Design Specification and Verification | | Not Applicable |
| o. | (CMR15) ++ Configuration Management | | Not Applicable |
| p. | (CMR16) Trusted Distribution | | Not Applicable |
| q. | (CMR17) Security Features User's Guide | | Not Applicable |
| r. | (CMR18) ++ Trusted Facility Manual | | Not Applicable |
| s. | (CMR19) ++ Test Documentation | | Not Applicable |
| t. | (CMR20) ++ Design Documentation | | Not Applicable |
| | The following is an additional requirement mandated by DCID 1/16, and described in the Handbook: | | |
| u. | Identification of User Terminals | | Not Applicable |
| 28. | AUTODIN Connectivity | In addition to req'ts for each mode for an AIS processing intelligence information, other specific requirements must be met prior to authorizing an AUTODIN connection. | [Site Specific: Will Comply] |
| 29. | DODIIS Network Connectivity | AISs satisfying appropriate requirements for each of the four modes of operation, through the accreditation process, may be authorized connectivity to the DODIIS Network when full DNSIX capabilities are employed by the AIS, or its front end components. | [Site Specific: Will Comply] |
| 30. | Connectivity to Other AISs and Networks | For connection of AISs using other than separately accredited networks, specific requirements apply, including the need for both sensitivity markings and information markings for interconnections involving compartmented AISs. | [Site Specific: Will Comply] |
| 31. 32. | Personal Computer Security Requirements | Specific requirements apply for PCs in a network and PCs used as intelligent terminals to a host AIS. | [Site Specific: Will Comply] |
| 33. | System High and Compartmented Mode Workstation Req'ts | DIA Document DDS-2600-5502-87, Security Requirements for System High and Compartmented Mode Workstations (11/87), describes what must be met for workstations to act as hosts in these modes. | [Site Specific: Will Comply] |
5.b Selection and Compliance to Administrative, Environmental, and Technical Security Requirements for a Separately Accredited Network Mode of Operation
| No. | Security Requirement | Short Description | Acknowledgement |
|---|---|---|---|
| 40. | | | |
| a. | Conceptual Design | A systems engineering approach will be used to develop Networks. | Will Comply |
| b. | Mode of Operation | System High. | Will Comply |
| c. | ID of Accrediting Authority(ies) | Identify all accreditation authorities in column to right. | [Site Specific: Will Comply] |
| 41. | Network Security Plan | The overall planning document of which this Sec. Req'ts document is a part. | [Site Specific: Will Comply] |
| 42. | Appt. of Network Security Officer | An NSO has been/will be appointed for this network and will perform the documented duties (An NSO is required throughout the life cycle). | [Site Specific: Will Comply] |
| 43. | Appt. of Network Manager | A Network Manager has been/will be appointed for this network and will perform the documented duties. | [Site Specific: Will Comply] |
| 44. | Security Report | Routine security reports will be made of network or subscriber malfunctions that have security implications for the network. | [Site Specific: Will Comply] |
| 45. | Accreditation/Reaccreditation | Accreditation docs must list specific modes of operation and other required caveats. | [Site Specific: Will Comply] |
| 46. | Joint Accreditations | This applies when an AIS involves more than one accreditation authority. | No Requirement |
| 47. | Interim Approval to Operate | Four conditions must be met if an interim approval is requested: a. A security survey has been completed; b. The system security plan has been developed; c. A schedule describing steps to advance to accreditation exists; d. (Classified Handbook Guidance). | [Site Specific: Will Comply] |
| 48. | Security Briefings | All users, managers, operators will be briefed on the need for sound security practices. | [Site Specific: Will Comply] |
| 49. | Automated Guard Processors and Filters | Automated guards or filters must satisfy certain criteria for proper filtering of data streams. They are interim measures and must meet specific accreditation assurances. | No Requirement |
| 50. | Protected Software and Hardware | All hardware, software, firmware, etc., shall be protected to prevent disclosure, destruction, modification. | [Site Specific: Will Comply] |
| 51. | Shipment of Equip. to High-Risk Area | System for use in these areas must be protected from time of assembly until it is installed and operational. Areas are defined in "Dept of State Composite Threat List" (issued quarterly). | [Site Specific: Will Comply] |
| 52. | COMSEC | Comm links, data comm, and networks will be protected with COMSEC policies to sensitivity level of data. | [Site Specific: Will Comply] |
| 53. | TEMPEST | Processing facilities must be in compliance with the appropriate national policy on compromising emanations. | [Site Specific: Will Comply] |
| 54. | Physical Security | For sensitive intelligence DIAM 50-3 standards shall apply. For SAPs and SAPIs, other appropriate standards apply. | [Site Specific: Will Comply] |
| 55. | Personnel Security | For each mode, specific clearance, access approvals, and need-to-know requirements must be met. | [Site Specific: Will Comply] |
| 56. | Commercial Vendor Maintenance | Maintenance personnel must be cleared and approved for access at the highest level of info on the system. Access will be given to only info/processes required to perform tasks. Uncleared personnel must be escorted by technically competent site personnel. | [Site Specific: Will Comply] |
| 57. | Integrity of Intelligence Data | The network interface components will assure the integrity of the intelligence they transmit, and other requirements for each of the four modes of operation. | [Site Specific: Will Comply] |
| 58. | Network Activity Audit Trails | Audit trails of network activities shall be maintained to permit regular or on-demand security reviews. They should include certain minimum information. | [Site Specific: Will Comply] |
| 59. | OPI for each Protected Resource | Each protected resource (e.g., file, data base) in each AIS will have an OPI with responsibilities for security and access to the resource. | [Site Specific: Will Comply] |
| 60. | Security Markings for Exported Intelligence | Every AIS will be able to provide, either explicitly or implicitly, security parameters for the intelligence it stores and processes. Such parameters will be reliably associated with intelligence exchanged with other AISs. | [Site Specific: Will Comply] |
| 61. | Session Security Parameters (ASPs) | A control feature, such as a session security parameter, will be provided for each exchange of intelligence by AISs, according to each of the four modes of operation. | [Site Specific: Will Comply] |
| 62. | Transmission of ASPs and Markings | For all intelligence information exchanged between AISs two kinds of security control information will be provided: sensitivity labels (ASPs) and information labels. | [Site Specific: Will Comply] |
| 63. | Maintenance of User Authentication Data | For each AIS connected to a network, authentication data will be maintained and protected for every user. | [Site Specific: Will Comply] |
| 64. | Protection of Network Control Facilities | The integrity of user identification and other security-related information provided to remote hosts will be assured by appropriate means. | [Site Specific: Will Comply] |
| 65. | Integrity of Security Parameters with Associated Data | The network interface component will assure the integrity of all security parameters provided to it by the subscriber and must assure that the data association is not disturbed. | [Site Specific: Will Comply] |
| 66. | Configuration Management | A system will be in place that maintains control of changes of any of the security-related hardware or source or object code. | [Site Specific: Will Comply] |
| 67. | Protected Distribution | A procedure will be provided for maintaining the integrity of the mapping between the hardware and master copy of the code for the current version. | [Site Specific: Will Comply] |
5.c Security Requirements Due to Other Network Connections
[Site Specific: e.g., Memoranda of Understanding (MOUs)
with other Agencies, gateway filtering requirements, etc. List the requirements
in the format of 5.a above.]
5.d Security Requirements Required by Data Originators
[Site Specific: e.g., Originator Controlled (ORCON).
List the requirements in the format of 5.a above.]
5.e Security Requirements From the Accrediting Authority
[Site Specific: List the requirements in the format
of 5.a above.]
6. Exceptions to Security Requirements
[SITE SPECIFIC: SEE HANDBOOK, SECTION 1, PAGE 9 FOR PROCEDURES; ALSO INCLUDE
REQUIREMENTS WHICH WILL BE ONLY PARTIALLY SATISFIED]