Source:
http://www.isf.rl.af.mil:8001/IRD/isisjitf/isis/amhs/isad/amhs3.html
Information Systems Accreditation Document
Volume 3 of 4
System Security Requirements
for the
Department of Defense Intelligence Information System (DoDIIS)
Automated Message Handling System (AMHS) V2.x
Approved by:
S. Hersch, MDA AMHS Program Mgr
Approved by:
LtCol J. Schepley
Electronics Systems Center
AMHS Program Manager
Approved by:
H. Williams, MDA AMHS QA Mgr
Approved by:
G. Gies, MDA AMHS Chief Engineer
Prepared by:
J. Evans, AMHS Development Mgr.
Submitted by:
McDonnell Douglas Aerospace (MDA)
8201 Greensboro Drive, McLean, VA, 22102
Developed for:
Electronic Systems Center (ESC)
Air Force Materiel Command (AFMC)
Table of Contents
1. EXECUTIVE SUMMARY
2. BACKGROUND
3. PURPOSE
4. SAFEGUARDS AND ANALYSIS
4.a Planned Safeguards to Fulfill the Administrative,
Environmental, and Technical Security Requirements for an AIS Mode of
Operation
4.b Planned Safeguards to Fulfill the Administrative,
Environmental, and Technical Security Requirements for a Separately Accredited
Network Mode of Operation
4.c Safeguards to Satisfy Security Requirements Due
to Other Network Connections
4.d Safeguards to Satisfy Security Requirements Required
by Data Originators
4.e Safeguards to Satisfy Security Requirements from
the Accrediting Authority
4.f Safeguards to Reduce the Risk Exposure for Significant
Risks Identified During a Threat Assessment
5. REVISED EXCEPTIONS TO SECURITY REQUIREMENTS
6. VULNERABILITIES AND LEVELS OF RISK
1. Executive Summary
[AN EXECUTIVE SUMMARY SHOULD BE PREPARED FOR THIS DOCUMENT
IN SUPPORT OF THE ACCREDITATION OF AN AIS OR NETWORK.]
The DoDIIS AMHS provides automated message handling capabilities
for the military intelligence community. It includes four basic message handling
capabilities:
The AMHS is intended as a hardware and software add-on to
existing environments that include user workstations and application servers
connected via a LAN. It is anticipated that these environments will have
been previously accredited at System High. The AMHS software is distributed,
residing on both AMHS servers and user workstations.
The System Security Analysis is the third in a sequence of
documents supporting system accreditation of AMHS 2.x, namely:
Collectively, these documents satisfy the Director of Central
Intelligence requirements for a "Security Plan".
The System Security Analysis Document provides the analysis
that shows how AMHS 2.x meets technical and non-technical requirements for
processing US intelligence information in the System High Mode of
operation.
This analysis shows that safeguards for the AMHS are provided
in large part by the OSF/1 C2 Enhanced Security technology on the AMHS servers.
2. Background
The AMHS design uses the features inherent in OSF/1 to provide
the necessary safeguards for the server side of the AMHS.
In addition, the AMHS includes software residing on user
workstations. Portions of this software will be trusted to provide necessary
AMHS safeguards.
TOPIC, a COTS product that provides the AMHS with a text search
capability, includes a system profiling mechanism. TOPIC system profiles
are applied as safeguards to enforce site discretionary access control policies
for both message distribution and retrospective search.
3. Purpose
This System Security Analysis document provides a vehicle
for recording the minimum technical and non-technical requirements for AISs
or networks processing US intelligence, and for recommending and analyzing
appropriate safeguards to fulfill the security requirements. The document
is an amplification of requirements set forth in the DIA supplement to DIA
regulation 50-11/DIAR 50-23/DIA manual 50-5, Vol II (referred to as the "Systems
Security Handbook").
4. Safeguards and Analysis
4.a Planned Safeguards to Fulfill the Administrative,
Environmental, and Technical Security Requirements for an AIS Mode of
Operation.
Security Req't | Safeguards, Vulnerabilities, and Analysis
4. Access by Foreign Nationals | Site Specific: [The site must describe the conditions under which foreign nationals will be granted access to the AMHS.]
5. Accreditation / Reaccreditation | The DoDIIS AMHS will operate in System High Mode of operation.
6. Joint Accreditations | Site Specific: [The AMHS System Specification does not specify any sharing of the AMHS by multiple government activities.]
7. Interim Approval to Operate | Site Specific: [Handbook Guidance: Pending accreditation, an Accrediting Authority may grant interim approval to operate provided 3 conditions are met: a. A security survey has been completed. b. The system security plan has been developed. c. A schedule describing steps to advance to accreditation exists. (Classified Handbook Guidance).]
8. Security Briefings | Site Specific: [All AMHS users will be briefed on the need for exercising sound security practices in protecting the intelligence information processed and/or stored in the AMHS, including marking and reviewing all input and output.]
9. Automated Guard Processors and Filters | Site Specific: [The AMHS System Specification does not specify any automated guard processes or security filters.]
10. Protection of High Density/Transportable Storage Devices | Site Specific: [Containers of all media will be marked with the highest classification level and handling procedures of the information which can be stored on the media until execution of approved destruction or sanitization procedures.] [The approved release procedure for the media of the AMHS will be stated in the System Security Plan.]
11. Memory Remanence | Site Specific: [Magnetic storage media will be physically controlled and safeguarded in the manner prescribed for the highest classification of data ever recorded thereon until approved destruction of the media or execution of approved sanitization procedures.] [The approved release procedure for the media of the AMHS will be stated in the System Security Plan.]
12. Protected Software and Hardware | Site Specific: [(Classified Handbook Guidance).]
13. Shipment of Equip. to High-Risk Area | Government transportation of major equipment will be utilized for OCONUS sites. Equipment will be shipped from a CONUS Aerial Port of Embarkation (APOE). Site Specific: [Currently, no sites are located in high-risk areas.]
14. Marking Storage Media | Site Specific: [Removable information storage media will bear external labels indicating the security classification of the information and applicable associated security markings.] [DCID 3/14, Annex B, specifies the use of standard labels for identifying the security classification of removable ADP media, including SCI labels.]
15. Marking Printed Output | The AMHS relies upon the Client Server Environment (CSE) to provide print services, including the proper bannering of printed output. The AMHS provides CSE with the target file, and CSE determines bannering and printer selection.
16. Manual Review of Human Readable Output | Site Specific: [(Classified Handbook Guidance).]
17. System Disposal Plan | Site Specific: [Handbook Guidance: The site must develop and maintain a plan for the disposal of hardware and software components of the AMHS. It must specify the release, reutilization, or destruction conditions for each AMHS component.]
18. COMSEC | Site Specific: [Handbook Guidance: The communications links connecting the components of the AMHS, associated data communications, and networks must be protected with COMSEC policies and procedures applicable to the sensitivity level of intelligence data being transmitted over such links.]
19. Use of Dial-Up Lines | Site Specific: [(Classified Handbook Guidance). The AMHS does not support dial-up lines for system connection.]
20. TEMPEST | Site Specific: [(Classified Handbook Guidance).]
21. Physical Security | Site Specific: [The AMHS and all central and remote equipment will reside in a Sensitive Compartmented Intelligence Facility (SCIF).] [Handbook Guidance: The AMHS and all central and remote facilities housing attached equipment must comply with DIAM 50-3, Physical Standards for Sensitive Compartmented Intelligence Facilities (SCIFs).]
22. Personnel Security | Site Specific: [Users will be granted access to the AMHS only after: a. Favorable adjudication of clearance for access to SCI; b. Favorable administrative determination of need-to-know; c. Verification of indoctrination by the SSO.]
23. Commercial Vendor Maintenance | Site Specific: [(Classified Handbook Guidance).]
24. Tech. Req'ts for Dedicated Mode | Not Applicable
    a. (2.1.1.1) Discretionary Access Control
    b. (2.1.2.1) Identification and Authentication
    c. (2.1.3.1.1) System Architecture
    d. (2.1.3.1.2) System Integrity
    e. (2.1.3.2.1) Security Testing
    f. (2.1.4.1) Security Features User's Guide
    g. (2.1.4.2) Trusted Facility Manual
    h. (2.1.4.3) Test Documentation
    i. (2.1.4.4) Design Documentation
25. Tech. Req'ts for System High Mode | The Technical Requirements for System High Mode operation are satisfied through a number of mechanisms. Principal among these are the AMHS server hardware (DEC 2100) and operating system (OSF/1).
    a. (2.2.1.1) Discretionary Access Control | OSF/1 has the usual self/group/public controls. These are used appropriately within the AMHS software to enforce discretionary controls. Additionally, the AMHS uses system profiles (internal to TOPIC) to enforce a profile-based discretionary access control policy for message distribution and retrospective searches.
    b. (2.2.1.2) Object Reuse | The AMHS does not store named objects locally on workstations. All AMHS named objects are stored on AMHS servers using OSF/1, which automatically provides for object reuse. (Objects [i.e., messages] stored to user-owned storage devices [non-AMHS] are not considered AMHS objects.)
    c. (2.2.2.1) Identification and Authentication | When logging the user on to the AMHS server, AMHS applications use the user identity that has been authenticated and provided by the workstation. Site Specific: [The AMHS System Specification explicitly assumes that the user workstations on which AMHS software must run will authenticate the user's identity and will be able to make that identity known to an AMHS application upon request.]
    d. (2.2.2.2) Audit | The AMHS servers, through OSF/1, provide audit information to the CSE that satisfies enhanced C2 requirements. Additionally, AMHS software collects application-level events and provides the audit information to the CSE. The storage, maintenance, reduction, reporting, and management of audit information is the responsibility of the CSE. The AMHS provides all necessary audit information to the CSE in support of the CSE's audit requirements.
    e. (2.2.3.1.1) System Architecture | OSF/1 provides a system architecture that: a. Protects AMHS servers from external interference or tampering, and b. Isolates AMHS resources to be protected so that they are subject to access control and auditing requirements. Key to meeting the system architecture requirement is the AMHS design approach, which uses storage objects (i.e., files) to individually store AMHS storage objects (i.e., messages) and to indirectly store AMHS storage objects through TOPIC (i.e., profiles and Message Queues). Site Specific: [The system architecture provisions for the user workstations must be described.]
    f. (2.2.3.1.2) System Integrity | OSF/1 provides hardware and software features that can be used periodically to validate the correct operation of the on-site hardware and firmware elements of the AMHS servers. Site Specific: [The system integrity provisions for the user workstations must be described.]
    g. (2.2.3.2.1) Security Testing | OSF/1 meets the enhanced C2 security testing requirement. This is supplemented by AMHS accreditation tests, which show that the AMHS security mechanisms work as claimed and that the OSF/1 security mechanisms have been correctly incorporated within the AMHS design. Site Specific: [The security testing provisions for the user workstations must be described.]
    h. (2.2.4.1) Security Features User's Guide | OSF/1 meets the C2 Security Features User's Guide requirement. Additionally, the various positional handbooks (System Administrator, ISSO, Profile Administrator, Generic User, Message Administrator) meet the Security Features User's Guide requirement for the individual positions.
    i. (2.2.4.2) Trusted Facility Manual | OSF/1 meets the C2 Trusted Facility Manual requirement. AMHS "User Positional Handbooks" for the system administrator, profile administrator, and ISSO address AMHS-level trusted facility manual requirements.
    j. (2.2.4.3) Test Documentation | OSF/1 meets the enhanced C2 test documentation requirement. This is supplemented by the AMHS accreditation test plans, test procedures, and test reports. Site Specific: [The test documentation provisions for the user workstations must be described.]
    k. (2.2.4.4) Design Documentation | OSF/1 meets the C2 design documentation requirement. The AMHS Informal Model of Security Policy describes the security policy enforced by the AMHS and shows how this approach is translated into OSF/1, TOPIC, and contractor-developed software. Site Specific: [The design documentation provisions for the user workstations must be described.]
    The following are additional requirements mandated by DCID 1/16 and described in the Handbook:
    l. Identification of User Terminals | Site Specific: [(Classified Handbook Guidance).]
    m. Configuration Management | OSF/1 meets the configuration management requirement. AMHS software and documentation development is controlled in accordance with DOD-STD-2167A, as tailored, and the CUBIC Configuration Management Plan. Site Specific: [(Classified Handbook Guidance).]
    n. Trusted Distribution | [(Classified Handbook Guidance).]
    The following are additional requirements mandated by the DoDIIS AMHS System Specification and described there:
    o. System Profiles | The AMHS provides an additional form of access control, known as AMHS DAC, through System Profiles. The profile administrator specifies an access control policy for each user or group of users and codifies this policy in a System Profile. The AMHS enforces the restrictions codified in the System Profiles for: (1) All profile-based distribution of incoming messages, locally distributed outgoing messages, and submitted text; and (2) All retrospective queries of the Message Data Base.
26. Tech. Req'ts for Compartmented Mode | Not Applicable.
27. Tech. Req'ts for Multilevel Mode | Not Applicable.
28. AUTODIN Connectivity | Site Specific: [The site connects to AUTODIN via the Communications Support Processor (CSP).]
29. DODIIS Network Connectivity | AMHS 2.x does not support DNSIX. Site Specific: [Site DNSIX requirements must be documented here.]
30. Connectivity to Other AISs and Networks | Site Specific: [(Classified Handbook Guidance).]
31 & 32. Personal Computer Security Requirements | Site Specific: [(Classified Handbook Guidance).]
33. System High and Compartmented Mode Workstation Req'ts | Site Specific: [Site requirements for system high workstations used to host AMHS applications must be documented here.]
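The profile-based AMHS DAC of rows 25.a and 25.o above (one policy, enforced both when an incoming message is distributed and when a user runs a retrospective query) is illustrated below. This is an added toy model, not AMHS or TOPIC code: the profile fields (members, permitted classification lines, permitted originators, required keywords), the message fields and the sample data are all constructed assumptions chosen to show the mechanism, not the actual TOPIC profile language.

```python
"""Toy model, added for illustration, of the profile-based discretionary access
control (AMHS DAC) described above. It is not AMHS or TOPIC code: the profile
fields, the message fields and the sample data below are constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    msg_id: str
    classification: str   # the message's classification line (assumed field)
    originator: str       # sending activity (assumed field)
    text: str


@dataclass(frozen=True)
class SystemProfile:
    """What a profile administrator codifies for one user or group (assumed shape)."""
    name: str
    members: frozenset          # users the profile applies to
    classifications: frozenset  # classification lines the members may receive
    originators: frozenset      # permitted originators; empty set means any
    keywords: frozenset         # at least one term must appear in the text; empty means any

    def permits(self, user: str, msg: Message) -> bool:
        if user not in self.members:
            return False
        if msg.classification not in self.classifications:
            return False
        if self.originators and msg.originator not in self.originators:
            return False
        text = msg.text.lower()
        if self.keywords and not any(k in text for k in self.keywords):
            return False
        return True


class ProfileDAC:
    """One policy decision point shared by distribution and retrospective search."""

    def __init__(self, profiles):
        self.profiles = tuple(profiles)

    def authorized(self, user: str, msg: Message) -> bool:
        # Deny by default: a user sees a message only if some profile covering
        # that user explicitly permits it.
        return any(p.permits(user, msg) for p in self.profiles)

    def distribute(self, msg: Message, users) -> list:
        """Profile-based distribution of an incoming message: the recipient list."""
        return sorted(u for u in users if self.authorized(u, msg))

    def retrospective_search(self, user: str, term: str, message_db) -> list:
        """Retrospective query: text match first, then the same DAC decision."""
        hits = (m for m in message_db if term.lower() in m.text.lower())
        return [m.msg_id for m in hits if self.authorized(user, m)]


def search_never_exceeds_distribution(dac: ProfileDAC, users, message_db) -> bool:
    """Property worth checking at accreditation time: anything a query returns to
    a user would also have been distributed to that user, for every message."""
    for m in message_db:
        recipients = set(dac.distribute(m, users))
        for u in users:
            if u not in recipients and m.msg_id in dac.retrospective_search(u, "", message_db):
                return False
    return True


# Constructed sample users, profiles and message data base.
USERS = ("alice", "bob", "carol")
PROFILES = (
    SystemProfile("analysts", frozenset({"alice", "bob"}),
                  frozenset({"UNCLASSIFIED", "SECRET"}), frozenset(), frozenset({"shipping"})),
    SystemProfile("watch", frozenset({"carol"}),
                  frozenset({"UNCLASSIFIED"}), frozenset({"SITE-A"}), frozenset()),
)
MESSAGE_DB = (
    Message("m1", "SECRET", "SITE-A", "Shipping movement observed at the port"),
    Message("m2", "UNCLASSIFIED", "SITE-B", "Shipping schedule update"),
    Message("m3", "UNCLASSIFIED", "SITE-A", "Weather summary for the region"),
    Message("m4", "TOP SECRET", "SITE-A", "Shipping alert"),
)
DAC = ProfileDAC(PROFILES)

if __name__ == "__main__":
    for m in MESSAGE_DB:
        print(m.msg_id, "->", DAC.distribute(m, USERS))
    print("carol search:", DAC.retrospective_search("carol", "shipping", MESSAGE_DB))
    print("alice search:", DAC.retrospective_search("alice", "shipping", MESSAGE_DB))
    print("consistent:", search_never_exceeds_distribution(DAC, USERS, MESSAGE_DB))
```

The design point is that `distribute` and `retrospective_search` share one `authorized` decision, so a query path cannot become a way around the distribution policy; `search_never_exceeds_distribution` is the kind of check an accreditation test would run over a sample message data base to confirm that.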
4.b Planned Safeguards to Fulfill the Administrative,
Environmental, and Technical Security Requirements for a Separately Accredited
Network Mode of Operation
[NOTE: The responses below should address the sufficiency
of the particular mechanisms or conventions chosen to implement the safeguards
and protective features for each requirement. Vulnerabilities should be
identified and countering mechanisms should be recommended, where possible.
In many cases, vulnerabilities can be countered by procedural mechanisms.
External dependencies should also be identified. This occurs when a security
aspect of the system is dependent on some external factor.
It will be useful in completing this document to have the
similar section of Volume 2 (System Security Requirements), Section 5.b,
side-by-side with this section for reference. The detailed descriptions of
the requirements are provided in the Handbook, Orange Book, or DIA CMW Evaluation
Criteria, Ver 1, respectively; "Security Req't" numbers below correspond
to paragraphs in the Handbook].
Security Req't | Safeguards, Vulnerabilities, and Analysis
43. Appt. of Network Manager | Site Specific: [Handbook Guidance: The network manager/administrator is responsible for overall operation and control of the network.]
44. Security Report | Site Specific: [Handbook Guidance: A routine security report will be made of a network or subscriber malfunction that has potential security implications for the overall security of the network and its subscribers. The ISSO will immediately notify the NSO of system abnormalities that provide reason to suspect any violation of the overall integrity of the network and its subscribers.]
45. Accreditation/Reaccreditation | Site Specific: [Handbook Guidance: The telecommunications equipment must be considered when accrediting a network. Each network must be formally reaccredited every five years or when significant changes occur in the operational environment, whichever occurs first.]
46. Joint Accreditations | Site Specific: [Handbook Guidance: For multiple government activities sharing the same network.]
47. Interim Approval to Operate | Site Specific: [Handbook Guidance: Pending accreditation, an Accrediting Authority may grant interim approval to operate provided 4 conditions are met: a. A security survey has been completed, b. The system security plan has been developed, c. A schedule describing steps to advance to accreditation exists, d. (Classified Handbook Guidance).]
48. Security Briefings | Site Specific: [Handbook Guidance: All AMHS users will be briefed on the need for exercising sound security practices in protecting the intelligence information processed and/or stored in the AMHS, including marking and reviewing all input and output.]
49. Automated Guard Processors and Filters | Site Specific: [Handbook Guidance: The site must document software, firmware, or hardware/software techniques or specialized equipment that filter information in a data stream based on associated data labels.]
50. Protected Software and Hardware | Site Specific: [(Classified Handbook Guidance).]
51. Shipment of Equip. to High-Risk Area | Site Specific: [(Classified Handbook Guidance).]
52. COMSEC | Site Specific: [Handbook Guidance: The communications links connecting the components of the AMHS, associated data communications, and networks must be protected with COMSEC policies and procedures applicable to the sensitivity level of intelligence data being transmitted over such links.]
53. TEMPEST | Site Specific: [(Classified Handbook Guidance).]
54. Physical Security | Site Specific: [The AMHS and all central and remote equipment will reside in a Sensitive Compartmented Intelligence Facility (SCIF).] [Handbook Guidance: The AMHS and all central and remote facilities housing attached equipment must comply with DIAM 50-3, Physical Standards for Sensitive Compartmented Intelligence Facilities (SCIFs).]
55. Personnel Security | Site Specific: [Users will be granted access to the network only after: a. Favorable adjudication of clearance for access to SCI, b. Favorable administrative determination of need-to-know, c. Verification of indoctrination by the SSO.]
56. Commercial Vendor Maintenance | Site Specific: [(Classified Handbook Guidance).]
57. Integrity of Intelligence Data | Site Specific: [Handbook Guidance: The network interface components of a system-high mode network will assure the integrity of the intelligence they transmit, and must provide or support a reliable mechanism for enforcing need-to-know separation of the data transmitted between AISs over the network. The network interface component, together with the security mechanisms of the network and its attached AISs, will assure that each subscriber (e.g., AIS or individual workstation) receives from and/or transmits to the network only that intelligence information to which the subscriber is authorized.]
58. Network Activity Audit Trails | Site Specific: [Handbook Guidance: Audit trails of network activities should be maintained and should include at minimum the following: (1) A record of each action together with appropriate identification parameters, (2) A record of the starting and ending times of each connection, (3) A record of any exceptional conditions detected during the transactions between two (or more) subscribers, (4) Such information as is necessary to allow association of the network activities with corresponding user audit trails and records. The network audit trail should additionally contain references to more detailed identification of exceptional conditions that are recorded in local AIS audit trails.]
59. OPI for each Protected Resource | Site Specific: [Handbook Guidance: Each protected resource (e.g., file, database) in each participating AIS will have an Office of Primary Interest (OPI) that functions as the cognizant authority responsible for establishing policies governing maintenance, classification, and other security parameters of the resource, such as granting access privileges to users or groups of users.]
60. Security Markings for Exported Intelligence | Site Specific: [The AMHS ensures a valid classification line is included within each message to be transmitted. Data exported by other means are not labeled.]
61. Session Security Parameters (ASPs) | Site Specific: [Handbook Guidance: If a network and all its connected AISs function at the system-high mode, means will be provided to establish a session security parameter at the beginning of each work session. Each AIS initiating a network connection with another AIS will be identified to the latter AIS host at least once per connection. Each user will be identified for each AIS to which the user establishes network access, at least once per connection. The session security parameter must be included in the Accredited Security Parameters (ASPs) for the network and the attached AISs that are accessible by the user.]
62. Transmission of ASPs and Markings | Site Specific: [Handbook Guidance: For all intelligence information exchanged between AISs, two kinds of security control information will be provided: (1) Information security of the intelligence, (2) (Classified Handbook Guidance).]
63. Maintenance of User Authentication Data | Site Specific: [(Classified Handbook Guidance).]
64. Protection of Network Control Facilities | Site Specific: [(Classified Handbook Guidance).]
65. Integrity of Security Parameters with Associated Data | Site Specific: [Handbook Guidance: The network interface component will assure the integrity of all security parameters provided to it by the subscriber (e.g., AIS, human user at a workstation or terminal) and must assure that the association between an element of data to be transmitted and the security parameters that pertain to it is not disturbed.]
66. Configuration Management | Site Specific: [(Classified Handbook Guidance).]
67. Protected Distribution | Site Specific: [(Classified Handbook Guidance).]
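Row 60 above states that the AMHS ensures a valid classification line is present in each message before it is transmitted, and that data exported by other means are not labeled. The following added check illustrates such a transmit-path gate; it is not AMHS code. The line format (the first non-blank line of the message body carries a base marking, optionally followed by "//"-separated caveats), the accepted marking list, and the sample messages are all assumptions constructed for the example.

```python
"""Illustrative check, added here and not AMHS code, for the safeguard above:
a message must carry a valid classification line before it is transmitted.
The line format (first non-blank line of the body: base marking, optional
'//'-separated caveats) and the marking list are assumptions."""
import re

# Base markings accepted on a classification line (assumed list).
BASE_MARKINGS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET")
# Caveat tokens: upper-case letters, digits, spaces, '/' or '-' (assumed syntax).
_CAVEAT = re.compile(r"^[A-Z0-9][A-Z0-9 /-]*$")


def classification_line(body: str):
    """Return the normalized classification line, or None if it is missing or
    malformed. Only the first non-blank line counts, so a marking buried later
    in the text does not satisfy the check. Case is normalized to upper."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue  # tolerate leading blank lines
        parts = [p.strip() for p in line.split("//")]
        base = parts[0].upper()
        if base not in BASE_MARKINGS:
            return None
        caveats = [c.upper() for c in parts[1:]]
        if any(not c or not _CAVEAT.match(c) for c in caveats):
            return None  # e.g. "SECRET//" with an empty caveat
        return "//".join([base] + caveats)
    return None  # body is empty or all blank


def prepare_for_transmission(msg_id: str, body: str) -> dict:
    """Gate for the transmit path: accept only messages with a valid classification
    line, and say why otherwise so the rejection can be recorded in the audit trail."""
    label = classification_line(body)
    if label is None:
        return {"msg_id": msg_id, "transmit": False,
                "reason": "missing or invalid classification line"}
    return {"msg_id": msg_id, "transmit": True, "classification": label}


# Constructed sample messages exercising the edge cases.
SAMPLES = {
    "ok":        "SECRET//NOFORN\nMovement report follows.\n",
    "blank_top": "\n\n  unclassified  \nWeather summary.\n",
    "missing":   "Movement report follows.\nSECRET\n",
    "typo":      "SEKRET\nMovement report follows.\n",
    "empty_cav": "SECRET//\nMovement report follows.\n",
    "empty":     "   \n\n",
}


def check_all() -> dict:
    """Run the gate over every sample and return the decisions by name."""
    return {name: prepare_for_transmission(name, body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in check_all().items():
        print(name, result)
```

Because the gate sits only on the transmit path, it says nothing about copies of a message that leave the system another way, which is exactly the gap row 60 records; site procedures (rows 14 and 15 in 4.a, for media and printed output) are what cover those paths.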
4.c Safeguards to Satisfy Security Requirements Due to Other
Network Connections
[Site Specific: List the safeguards and requirements
in the format of 4.a above.]
4.d Safeguards to Satisfy Security Requirements Required by
Data Originators
[Site Specific: List the safeguards and requirements
in the format of 4.a above.]
4.e Safeguards to Satisfy Security Requirements from the
Accrediting Authority
[Site Specific: List the safeguards and requirements
in the format of 4.a above.]
4.f Safeguards to Reduce the Risk Exposure for Significant
Risks Identified During a Threat Assessment
A Threat Assessment is not required for AMHS 2.x.
5. Revised Exceptions to Security Requirements
[SITE SPECIFIC: REFERENCE HANDBOOK, SECTION 1, P.9.]
6. Vulnerabilities and Levels of Risks
[SITE SPECIFIC: THIS CONCLUDING SECTION SHALL REITERATE
AND SUMMARIZE FROM SECTION 5 THE SPECIFIC VULNERABILITIES TO THIS AIS/NETWORK
BASED ON SECURITY REQUIREMENTS NOT FULLY SATISFIED OR THOSE NEEDING EXCEPTIONS.
FOR EACH OF THE VULNERABILITIES, A LEVEL OF RISK WILL BE DESIGNATED (LOW,
MEDIUM, HIGH). THE ACCREDITATION PROCESS WILL ULTIMATELY EVALUATE THE
VULNERABILITIES AND RISK LEVELS TO DETERMINE IF THE AIS/NETWORK CAN BE ALLOWED
TO OPERATE.]