MINIMUM SECURITY REQUIREMENTS FOR MULTI- LEVEL COMPUTER SYSTEMS
Document Type:
Collection:
Document Number (FOIA) /ESDN (CREST):
CIA-RDP78B05703A000200040002-8
Release Decision:
RIPPUB
Original Classification:
S
Document Page Count:
19
Document Creation Date:
December 28, 2016
Document Release Date:
December 19, 2003
Sequence Number:
2
Case Number:
Publication Date:
April 27, 1970
Content Type:
MF
File:
Attachment | Size |
---|---|
![]() | 641.52 KB |
Body:
ROUTING AND RECORD SHEET
SUBJECT: (Optional)
Minimum Security Requirements for
Multi-Level Computer Sys tem
FROM:
EXTENSION
NO.
CIA Member y,~, 4'~= 3
U SI
DATE
27 Apr 25
il 1970
TO: (Officer designation, room number, and
building)
DATE
OFFICER'S
COMMENTS (Number each comment to show from whom
RECEIVED
FORWARDED
INITIALS
to whom. Draw a line across column after each comment.)
D~NPIC thru C/DDI Planning
Staff 2F-24 Hq.
DEADLINE:: 6 May 1970
2.
3.
5.
6.
7.
8.
10.
11.
12.
13.
Declass Review by NIMA/DOD
14.
15.
'
FORM
3-62
'UN#LASSIFIED ~j - CONFIDE IAL SECRET
PW
61 a USE
x
U SECRET CONFIDENTIAL TERNAL UNCLASSIFIED
T ^ USE ONLY [:1
pf'. ii i4,
1
Approved For-Release 2004/02/11: CIA- b A 15703e 000200040002-8
27 April 1970
MEMORANDUM FOR: D/GCS
D/CRS
nbt9C
D/ORD
.DIP, Operational Services Systems Group
D/MIIG Thru C/DDI P-laming Staff
WELT )Finirrun Security R.tquireer eats for
MM.ulti*Level Computer systenks
1. The Computer Security Subcommittee has been tasked by
11 Security Committee to develop n i i?x un security require..
n;euts for multi-level operation of resource-sharing compu
systems. In order to obtain optirrun, input fron= all possible
sources, the attached first draft of these requirements is being
widely distributed throughout the CIA and the other U S Member
enciees.
Z. It is requested that the appropriate -r-embers of your
staff be asked to renew and s ibr .it written comv.tnts on this
draft. For example Section IV, Definitions, nay generate ques-
tions, regarding the correctness of the definitions or the cor?plete-
neess of the list itself. There also nay be son.* feeling that a
section should be added to include additional or optional features
to enhance system security. Specific comments on these aspects
would be appreciated.
oaoor 1
Approved For Release 2004/02/11: CIA-RDP78BO5703A0002000 Gy2d$rom automatic
SECRET owner atio
dec;aas i!icatan
nom.
'ET
Approved For Release 2004/02/11: CIA-RDP78BO5703A000200040002-8
3. Since the Intelligence Board Security +Cozx?wtttee has placed
a short deadline date for completion of this project, it is therefore
necessary that replies be forwarded to the undersigned no later than
6 May 1970.
3 red
25X1
USIB Can puter Security bcon n ittee
Approved For Release 2004/02/11: CIA-RDP18 03A000200040002-8
[SECRFr
Approved For R ? DP78BO5703AIM200040002-8
MINIMUM SECURITY REQUIREMENTS FOR MULTI-LEVEL
OPERATION OF RESOURCE-SHARING COMPUTER SYSTEMS
1. Purpose:
This paper defines basic USIB policy concerning the security
aspects of utilizing remotely-accessed resource-sharing computer
systems for the concurrent processing and/or storage of classified
information of different security levels and/or certain special
access control categories. It specifies the conditions under which,
such systems may be operated in a multi-security level mode and
prescribes minimum security requirements for the operation of
such systems. Further, it assigns the responsibility for the security
testing and accreditation of such systems to individual USIB members.
Approved For Release 20
NoWfulamatla
doli,gn ing 2aii
hrMuswrm1 r.
25X1
i'tl ^C^ j
Approved For Release 2d f JTCIA-RDP78B05703A000200040002-8
25X1
II. Background:
A. In view of the high cost of modern computing hardware and
of developing the accompanying system software, and because of the
trend toward the centralization of computing capabilities, sound
management of ADP resources dictates their use in as cost-effective
manner as possible within the constraints of good security practices.
This is especially true of contemporary systems with large storage
capacity, multitasking capabilities, and accessibility not only in the
computer center but also from terminals remotely located from the
computer itself.
B. While technological advances in the state-of-the-art as well
as cost anct other operational factors have contributed to the trend
toward centralized computer installations with large on-line data
bases and a diversified spectrum of users, this centralization when
applied to a classified environment has compounded already complex
security problems identified in the use of modern information processing
equipment and techniques.
C. Fundamental to the exercise of sound security practices in
the USIB community has been the concept of "need-to-know" and its
accompanying control procedures for the dissemination of classified
25X1 Approved For Relea a 2004/02/11: CIA-R P78B05703A000200040002-8
Approved For R'ease 200]P T CIA-RDP78BO5703A760200040002-8
25X1
information. This concept has been carried out by compartmenting
the distribution of official data in a manner commensurate with its
sensitivity. Such compartmentation when applied to the more sensitive
materials is more rigidly and usually more formally required by
appropriate directives.
D. The traditional "Need-to-Know" concept can become especially
vulnerable in the processing of classified data by modern resource-
sharing computer systems with their remote accessibility to large numbers
of users, unless appropriate measures are taken to provide adequate
control of the data resident in these systems. The compartmentation
problem in this environment is created by operational requirements to process
different groups or levels of data in the system concurrently and by
security demands to maintain separation of the levels at output stations.
E. In the case of formally compartmented data this separation is
a problem of matching the clearance and access approval level of a given
user and terminal with the classification and dissemination restrictions
of the data. More broadly, the security problem is one of preventing a
user from intentionally accessing groups of data for which he is not
authorized and of ensuring against the unintentional spillage from the
system of data to a user or terminal not approved to receive such data.
Approved For Release - 05703A000200040002-8 25X1
Approved For Re%ase
I: CIA-RDP781305703A'0200040002-8
. potentially, the spectrum of clearance levels can cover the range from
none to Top Secret to several special access approvals; the corresponding
data classifications and dissemination restrictions can run from unclassi-
fied through the hierarchical national levels (Confidential, Secret, Top
Secret) to several special access categories.
25X1
Approved For Release 2 04/02/11: CIA_-RDP7 05703A000200040002-8
25X1
25X.1
25X1
Approved For_RdWase 2004/02/11: CIA-RDP78B05703A0200040002-8
~I I;~ 1 !~ ll.I ,iE IIINNI
_ nor LLllnd W
III. Scopes
A. The provisions of this paper are applicable to the utilization
within the USIB community of resource-sharing remotely-accessed
computer ,systems for the concurrent processing and/or storage of
classified information of different security levels including SI, TKH,
II
.w.
compartmented intelligence 'data. Its provisions are equally
applicable to contractor and non-USIB government systems handling
intelligence data. in a multi-security level mode of operation.
B. Since the paper prescribes minimum security requirements
for multi-level operation of resource-sharing computer systems,' it
does not inhibit an individual agency from requiring additional protection
features or procedures in the multi-level operation of its own systems.
Approved For Release - P78B05703A000200040002-8
Approved For Reeease, E J : CIA-RDP78BO5703A0 0200040002-8
IV. Definitions:
A. Resource-Sharing Remotely Accessed Computer Systems:
Modern information processing computer systems having a capability
for multi-processing, i. e. , concurrently handling more than one job
utilizing time-slicing or other techniques, which are accessible for
input or output purposes not only in the immediate area of the computer
center but also from terminals located at a distance from the central
processing unit which may vary from several feet to several thousand
miles.
B. Multi-Security Level Mode of Operation: Utilization of
resource-sharing computer systems for the concurrent processing of
two or more tasks whose security classification or access control
levels are different and where system access from local or remote
terminals is afforded personnel holding different levels of security
clearances or access approvals.
C. Benign Environment: A resource-sharing computer system
which is secured and controlled from a physical, technical, and personnel
security standpoint at the minimum requirements for the processing and
handling of Top Secret material; in such an environment all personnel
accessing the system holding a minimum of a final Top Secret clearance;
all communications links are protected and approved for the transmission
Approved For Release 2
25X1
Approved For Release
CIA-RDP78B05703A0200040002-8
of Top Secret data; the computer center and the areas housing all
remote terminals on the system are afforded physical security protection
as required for Top Secret material.
D. System Certification: Endorsement of a given computer system
that it meets all security requirements and established standards for
its utilization in processing classified information of a specific level.
E. System Accreditation: Approval by responsible authority
for a given computer system to be utilized for the processing of classi-
fied material of a given level or levels, e. g. , to permit its use in a
multi-security mode of operation covering classified material through
Top Secret including certain groups of compartmented data.
F. System Security Officer: The individual assigned responsi-
bility to monitor the security aspects of the utilization of a given
computer system.
Approved For Release ~
25X1
Approved For R4Tea -9-M4, arm- CIA- DP78B05703A00200040002-8
V. Policy:
A. The current state-of-the-art in computing technology does
not provide to resource-sharing multi-level systems having on-line
remote access capabilities any guarantee against deliberate unauthorized
intrusion into system files from and against unintentional spillage of
system data to remotely located ancillary devices. Further, the state-
of-the-art cannot even afford sufficient safeguards against intrusion and
spillage to permit on a calculated risk basis the operation of such a
system in a multi-security level mode covering, the full spectrum of
clearance /classification levels existing in the USIB environment.
B. However, when cogent cost and operational factors deem it
necessary, a sufficient degree of security can be achieved to allow
the operation of remotely accessed resource-sharing systems on a
multi-security level basis if such systems are limited to a benign
environment as defined above and provided that at least the minimum
protection features and procedures of this paper are made a part of
system operation. The features outlined represent basic require-
ments; the use of additional system security procedures and techniques
are to be encouraged.
C. Judicious implementation of the basic requirements out-
lined in this paper suggests a need to test and evaluate their effective-
ness when a plied to a specific s stem as a basis for multi-level
"Approved For Rele - DP78BO5703A000200040002-8
25X1
Approved For e?ese UA-KL)f
78 B05703AM200040002-8
certification or accreditation of that system. The Senior Intelligence
Officer in each USIB organization has the responsibility for conducting
such testing and evaluation and has the authority to certify that specific
systems meet the requirements specified by this paper as a means
for initial multi-level accreditation. This accreditation should be
subject to periodic review of the security of system operation and on
the occasion of major hardware and/or software modification to
retesting, reevaluation, and recertification procedures as deemed
appropriate.
Approved For Release 2004/02/11: CIA-R P78B05703A000200040002-8
Approved For Re'Pear= :' 1'Tm4-RDP78BO5703A 200040002-8
VI. Minimum Requirements:
A. Personnel Security and System Access Control:
1. Computer Center: Access to the area housing the
computer center must be limited to personnel holding Top Secret
clearances and approved for access to all compartmented data
being processed by the system. Where deemed necessary by
cognizant authority area access logs should be maintained as
a record of who enters computer center area and when.
2. Remote Terminal Sites:' Access to the immediate
area of a remote terminal should be limited to personnel holding
a Top Secret clearance and access approved for compartmented
data designed for input and output at that terminal. Direct use
of remote terminals should be controlled by a monitor assigned
responsibility for the security of that remote device.
B. Physical Security Protection:
1. Computer Center: Physical security requirements for
the temporary or permanent storage of classified material will
be followed in determining the degree of protection needed for
the computer center. Since the system will probably be processing
information classified through Top Secret and including compartmented
data, it is envisioned that secure area or vault construction require-
ments will be necessary. It must be remembered that such
Approved For Rel IA-R
Approved For Re ase - DP78B05703A0110200040002-8
requirements must be defined in terms of the highest classifi-
cation level or most demanding compartmented information
standards involved in system operations.
2. Remote Terminal Areas: Physical security protection
of a given remote terminal area must be in accordance with the
requirements specified for the level(s) of data designed for
input or output at that terminal. In the case of compartmented
data this means approval of the site at least as a working area
for the compartmented data involved.
C. Communications Security: The communications links between
remote terminals and the computer will be secured in a manner appropriate
for the transmission of Top Secret codeword material. Regardless of
any limitation on the classification level of material being transmitted
on a given link. Protection of these links may be provided by encryption
or special physical security isolation of cleart.ext distribution lines
within controlled areas.
D. Emanations Security Aspects: The vulnerability of system
operations through electromagnetic radiation will be considered in
the process of system certification for multi-level operations. Evaluation
of the on-site risks at the computer center and in the remote terminal
areas will be accomplished by cognizant authority within the appropriate
Approved For Release 2004/02/11: CIA-RD RET703A000200040002-8
Approved For Re -RDP78B05703A0200040002-8
agency. Cleartext distribution lines to terminals should be afforded
at least the protection of conduit installation.
E. Software Controls: Compartmented data of different security
levels being stored and/or processed in the system may be based on
the following factors and procedures. These factors are outlined as
minimum requirements and must be present in any system operating
in a multi-security level mode.
1. Security Flags: All data and programs stored or
processed by the system will be identified as to appropriate
security classification, special category controls and codewords,
dissemination caveats, and downgrading grouping. This identi-
fication must be insured not only internally for the data but also
upon output regardless of the output medium. The question of .
to what level data should be so identified should depend upon the
utilization of the file involved. It is foreseen that in many cases
these security flags will be carried at the file level only; but
in some case there may be a necessity to maintain such identi-
fication at the record or even field level.
The purpose of identifying data in this manner is notrnly
to provide the security level of the data to. a user who might
25X1
Approved For Release P004/02/11 ? ClA_RDF 78BO5703AO00200040002-8
Approved For Re~s 2004/' 11 : CIA-RDP78BO5703A 200040002-8
assimilate its content in the preparation of a new document,
but also to indicate to the user that upon receipt in hard copy
of such material he must implement required dissemination
control numbers. Further identification of compartmented
material may serve as an alert mechanism to personnel who
accidentally receives such data when they are not access
approved for it.
2. User Identification/Authentication: The system must
have a software (or software/hardware) based user-oriented
identification and/or authentication mechanism. This feature
should be a part of the log-on routine of the system whereby
a person attempting to access the system from a remote terminal
cannot gain access without identifying himself and providing
a unique authorized code recognizable by the system for the
purpose of insuring that he is the person so identified.
The purpose of this user/oriented identification/authenti-
cated mechanism is based on the need to assign security responsi-
bility to a specific individual when a given terminal is open to
the system. Terminal oriented identification mechanisms are
considered inadequate in that the security responsibility in a
sense is assigned to a portion of the hardware.
Approved For Release 20014/02/11: CIA-RDP78EP05703A000200040002-8
25X1
Approved For ReI se 2004/0)2/,11 : CIA-RDP78BO5703Ad200040002-8
t;.sx it
. ` J.
3. Access Control: Each system will have an access
control software feature to limit user entry to selected files,
groups of files, data, or programs, and if necessary to con-
trol read and/or write authority. This access control protection
may be exercised by the use of keywords or user access listing
techniques; however it should be recognized that keyword
utilization provides a significantly higher degree of security
to the system.
4. Audit Trail Capability: Each system will have a
capability of maintaining in as secure a fashion as possible an
audit trail which will serve as a log of system transactions
including a complete listing of personnel gaining access to the
system, the files they access, the date and time. In addition the
log should reflect a complete record of invalid log-on attempts
and:oeystem security violations.
The audit trail will be regularly reviewed by the system
security officer and appropriate portions thereof will be reviewed
by terminal monitors.
The audit trail serves not only as a check against individual
system use for security purposes and an inspection of invalid log-on
attempts or breeches of access limitations, but it also remains as
Approved For Relea
CIA-RDP78B05703A000200040002-8
a~~
Approved For ReEsd2'2OQ4/
11 : CIA-RDP78BO5703A0 200040002-8
a record for potential subsequent review in the event that security
flaws in system operations are later identified.
5. The above listed software features, viz. security
flagging, user authentication, access limitation, and audit trail
capabilities, will be contained in an appropriately determined
executive portion of the system software and should be modifiable
only under the.control of the system security officer. Such con-
trol is necessary for the protection of these features, such as
the tables utilized for authenticators and keywords.
F. Individual Security Responsibilities: All users of the system
must be advised of the need for exercising good security practices in
protecting the data stored and processed by the system. Users should
be informed of their responsibility to protect the authenticator assigned
to them and the keywords needed for system access to the security level
of the data to which these indicators provide access. Users are also
responsible for meeting the requirements in the handling of hard copy
output, including the assignment of control numbers and the maintenance
o= dissemination logs on such material as promulgated by appropriate
regulations. Users should also be informed of the tact that the system
Approved For Release 20
25X1
Approved For Ref se REIT1 : CIA-RDP78B05703AdV6200040002-8
D
is operating in a multi-security level mode and that any receipt
by them of data which they have not specifically requested
should be reported immediately to the system security officer.
Approved For Release 11 : CIA-RDP78BO5703A000200040002-8
,R M V T6