SECURITY OF FOREIGN INTELLIGENCE IN AUTOMATED SYSTEMS AND NETWORKS
Document Number (FOIA)/ESDN (CREST): CIA-RDP87B01034R000500150032-0
Release Decision: RIFPUB
Original Classification: K
Document Page Count: 19
Document Creation Date: December 16, 2016
Document Release Date: August 11, 2005
Sequence Number: 32
Content Type: DCID
Approved For Release 2005/08/24: CIA-RDP87B01034R000500150032-0
Security of Foreign Intelligence in Automated Systems and Networks (1)
( Effective )
Pursuant to section 102 of the National Security Act of 1947, Executive
Order 12356, and National Security Council (NSC) Directives, this Director
of Central Intelligence Directive (DCID) establishes policy and prescribes
authority and responsibilities for the protection of foreign intelligence
and counterintelligence (2) derived through sensitive sources and methods
and processed, stored, or communicated by automated systems or networks
(3).
This Directive applies to all United States government departments and
agencies which use automated systems to process, store, or communicate
intelligence information. It applies with equal force to automated systems
or networks owned or operated by the United States Government and those
owned or operated by contractors or consultants performing for the United
States Government.
The rapid proliferation of automated tools and methods for the electronic
processing of information reinforces the requirement for providing security
and surety for the intelligence information they contain and process equal
to that heretofore applied to the manual and printed world. Automated
systems and networks of the Intelligence Community (IC) will be managed and
protected in a manner which ensures that both the intelligence information
and the sensitive sources and methods through which it is derived are
effectively secured against successful attack by hostile intelligence
activities. The goal of this Directive and the accompanying Regulation is
to provide policy and broad technical guidance which will enforce the same
classification, compartmentation, and need-to-know standards now applied to
the manual handling of intelligence information.
1. Supersedes DCID 1/16, 6 June 1978.
2. Foreign intelligence and counterintelligence are used in this directive
as defined in Executive Order 12331 and as classified under the provisions
of Executive Order 12356. For the purposes of this Directive, the term
"intelligence information" shall include both foreign intelligence and
foreign counterintelligence.
3. Automated systems and networks are defined as collections of
computer-based equipment and software which are designed to process,
store, or communicate information as digital data. Automated systems and
networks include automated data processing (ADP), shared logic word
processing (WP), automated office (AO), and electronic mail (EM) systems.
The diversity and complexity of automated systems and networks now in
operation in the U.S. Intelligence Community and those already designed for
future installation may not provide for full compliance with the provisions
of the Directive and the attached Computer Security Regulation. Therefore,
the extent to which the exceptions to this Directive are applied to such
systems and networks is left to the determination of each National Foreign
Intelligence Board (NFIB) member in view of his ultimate responsibility for
the protection of classified intelligence information.
The NFIB member shall establish and maintain a formal security program to
ensure adequate protection is provided for classified intelligence
information processed in the community's automated systems and networks.
The use of automated systems requires that classified intelligence
information, when processed by computers, be afforded protection equivalent
to that dictated by Presidential Policy, NSC Directives, Director of
Central Intelligence (DCI) Directives, and other regulations concerning the
overall information security requirements, need-to-know controls, handling
caveats, personnel access requirements, and dissemination procedures.
The minimum security requirements for the authorized modes of operation and
the recommended criteria for determining whether the specific system or
network provides the required protection are contained in the attached
security regulation. The NFIB member(s) concerned may establish for
specific systems or networks additional security measures and capabilities
if deemed appropriate. Automated systems involving foreign governments
shall be addressed on a case-by-case basis by the NFIB member(s) involved.
This Directive does not supersede or augment the requirements on the
control, use, and dissemination of Restricted Data, Formerly Restricted
Data, or Communications Security (COMSEC) related material as established by
or under existing statutes, directives, or Presidential Policy.
The NFIB members are assigned the following authority concerning automated
systems/network accreditations:
Automated System/Network - When an automated system or network is
serving only a single NFIB member agency, the NFIB member who is the
single user of the automated system/network is designated the
Accreditation Authority for that system/network.
Multiple NFIB Members' System/Network - When an automated system or
network is serving two or more NFIB member agencies, one NFIB member,
selected by those NFIB members involved, will be designated as the
Principal Accreditation Authority for that system/network.
NFIB Members' Concatenated Systems/Networks - When two or more
systems/networks are interconnected or when a system is connected to
a network of systems, the NFIB members who are already designated as
the Accreditation or Principal Accreditation Authority of any of the
systems/networks involved will become members of the Joint
Accreditation Authority for the concatenated systems/networks. One of
the NFIB members of the Joint Accreditation Authority will be
designated, by joint agreement, Principal Joint Accreditation
Authority and all participating NFIB members shall act as a common
body for executing the responsibilities of the Joint Accreditation
Authority.
RESPONSIBILITIES - The NFIB member(s) serving as Accreditation Authorities
are responsible to:
a. Assure that compliance with stated DCI policy is accomplished in
the most economical and effective operational manner.
b. Identify the information security requirements for the specific
system/ network based on applicable intelligence information security
policies and regulations.
c. Define the complete set of security measures/mechanisms required
based on the functionality of the system/network, the user/operational
environment, the information characteristics, and applicable
information security criteria.
d. Perform the technical assessments, risk analyses, and security
tests upon which an accreditation of the system/network can be
granted.
e. Evaluate the system/network for compliance with this Directive and
the requirements established in the accompanying Regulation, and
certify such compliance.
f. Accredit or re-accredit the system/network and establish the
allowable operational environment based on the assessment and the
security tests of the system/network.
g. Coordinate all system security actions to ensure that all managers
and users of an automated system or network implement the established
security measures and capabilities.
EXEMPTIONS - The NFIB member or his designee may temporarily exempt
specific systems under his jurisdiction from complete compliance with this
Directive and the accompanying Regulation when such compliance would
significantly impair the execution of his mission. An exemption shall be
granted only when the NFIB member or his designee has assured himself that
additional temporary measures in place will adequately protect the
intelligence information being processed in the specific automated system
or network.
SUPERSESSION - This Directive supersedes Director of Central Intelligence
Directive No. 1/16, "Security of Foreign Intelligence in Automated Data
Processing Systems and Networks", effective _; and all existing
directives, regulations, and other documents referencing the superseded
Directive.
IMPLEMENTATION - Within one year of the effective date of this Directive
each NFIB member will develop and promulgate a formal automated systems
security program, implementing directives and regulations for systems and
networks under his jurisdiction.
ADMINISTRATIVE REPORTS - Each NFIB member or his designee will provide to
the DCI (attn. Chairman, Security Committee) an annual report as of 31
December detailing the accredited and exempted systems currently operating
under his jurisdiction.
REVIEW - This Directive and the accompanying Regulation will be reviewed
within three years from the effective date.
DCI Reg. xx-xx
Security Standards
for the
Protection of Intelligence Information
in Automated Systems and Networks
Chapter I
GENERAL
Introduction
I.1 Director of Central Intelligence Directive No. 1/16 (DCID 1/16)
requires that all United States Government departments and agencies which
store, process, or communicate classified intelligence information by means
of computer-based automated systems or networks establish and maintain
formal systems security programs for the protection of that information and
the sensitive sources and methods through which it was derived. DCID 1/16
assigns primary responsibility for the management of that protection to
the National Foreign Intelligence Board (NFIB) members involved.
I.1.a The purpose of this regulation is to:
(1) Define a set of generic security requirements which must be
satisfied by any system processing classified intelligence
information. These are intended to be used as criteria by which a
system can be engineered and evaluated.
(2) Prescribe certain minimum security requirements;
(3) Define the security modes under which automated systems and
networks of the Intelligence Community (IC) may be operated;
(4) Establish a set of security standards and criteria suitable for
use with various combinations of security modes, functions performed,
and operating environments;
(5) Describe an accreditation process through which individual NFIB
members, or groups of members, may manage the defense of automated
systems or networks against hostile intelligence attack.
Provided minimum security requirements are met, individual NFIB members, or
consortiums of members, are encouraged to exercise every initiative to
provide cost-effective security to their systems.
I.2 Generic Security Requirements
I.2.a The various policy statements concerning the protection to be
afforded to classified intelligence information allow one to derive several
fundamental requirements, which fall under the following headings:
(1) Information protection based upon classification and
compartmentation.
(2) Information protection based upon Need-to-Know
(3) Labelling
(4) Accountability
(5) Continuous Protection
I.2.b In this section it will be useful to define the concept of
"protection system", which will be defined as the totality of mechanisms
which enforce the identified security requirements. Thus, the protection
system for automated systems and networks includes hardware and software
features, personnel security, physical security, and administrative
procedures. The intent of this regulation is to define a uniform level of
protection to be afforded foreign intelligence and counterintelligence, and
to provide sufficient guidance to allow specific protection systems to be
engineered for specific operational environments which will provide the
requisite level of security in a cost-effective manner. Thus, it is
allowed, within the limits defined herein, to substitute security features
with others which provide an equivalent level of protection.
I.2.b(1) Protection based upon classification and compartmentation - The
protection system must enforce the formal system of information control
reflected in the security classification and compartmentation definitions
associated with classified intelligence information, together with the
clearance and special access authorizations associated with individuals who
may request access to the information.
I.2.b(2) Protection based upon Need-to-Know - The protection system must
enforce access limitations placed on information which are based on the
determination that identified individuals or groups of individuals have
valid operational Need-to-Know for the information.
I.2.b(3) Labelling - In order to be able to ensure that proper controls can
be afforded to foreign intelligence and counterintelligence, its
classification level and any compartmentation restrictions must be clearly
identified. Thus, the protection system must be able to reliably and
accurately associate security labels with all information for which it has
responsibility, which identify classification, compartmentation, and
special handling restrictions. The direct implication of this requirement
for an automated system is that information which is intended to be
exported from the system (e.g., tapes, line printer output) be labelled
either on the basis of internally maintained security markings, or on the
basis of unique characteristics of the installation.
I.2.b(4) Accountability - The protection system must be capable of
tracing actions affecting security to the party responsible for the action.
This requirement implies that the protection system be able to establish
the identity of individuals, determine and authenticate their clearance
level and access authorizations, and maintain accounting information of
sufficient detail and granularity to support tracing the auditable events
to a specific individual who has taken the actions in question, or in whose
behalf the action was taken.
I.2.b(5) Continuous Protection - The protection system must be able to
provide continuous protection to classified data under its control. The
implication of this requirement for that portion of the protection system
which is implemented in an automated system is that the security relevant
portions of the automated system be identified and maintained under
continuous control to assure that unauthorized changes have not been made
which could possibly subvert the system's ability to control classified
information.
Chapter II
Minimum Requirements
for
System Security
As established in this chapter, the general standards, the system security
requirements for automated data processing systems (hereinafter referred to
as the system), and the criteria for evaluating a system's ability to
protect intelligence information will be uniformly applied throughout the
NFIB Community.
II.1. General Security Standards
II.1.a. Information System Security Officer - An Information System
Security Officer (ISSO) will be appointed for each ADP system processing
intelligence information. The ISSO is responsible for ensuring compliance
with the security standards established in this Regulation as well as the
implementing directives promulgated by the responsible authority. The ISSO
will monitor any changes in system operation that may affect the security
status of the total system, report major security deficiencies in system
operation, and provide system accreditation statements and recommendations
to the responsible authority.
II.2. Personnel Security
II.2.a. When a system is approved to process collateral information up to
but excluding Top Secret, all personnel requiring unescorted access to
either the central computing facility or the magnetic media storage
facility must have a valid security clearance for the security
classification level of the collateral information being processed by the
system. All personnel requiring unescorted access to a remote
terminal/terminal area must have a valid security clearance for the highest
security classification of the information designated for input/output at
the assigned terminal.
II.2.b. When a system is approved to process Top Secret collateral
intelligence information, all personnel requiring unescorted access to
either the central computing facility or magnetic storage facility must
have a valid Top Secret clearance, and all personnel requiring unescorted
access to a remote terminal/terminal area must have a valid security
clearance for the highest security classification of the information
accessible through the assigned terminal.
II.2.c. When a system is approved to process Sensitive Compartmented
Information (SCI), all personnel requiring unescorted access to the central
computing facility or magnetic media storage facility must be security
approved in accordance with DCID 1/14 and have formal access approval for
each SCI program being processed by the system, and all personnel requiring
unescorted access to a terminal/terminal area must be security approved for
the highest security classification of information accessible through the
assigned terminal.
II.3.a. All system users must be briefed on the need for exercising sound
security practices to protect the intelligence information processed by the
system. Users will be informed of the security classification level at
which the system is operating and the security requirements for that level.
II.3.a. The processing of intelligence information at any level requires
that the Need-to-Know criteria be rigidly enforced. That is, even though
all personnel are appropriately cleared, not all personnel shall
automatically have authorization to see or use all of the data being
processed.
II.3.b. Approval for unescorted visits to a system approved to process
intelligence information will be requested in advance via appropriate
command channels. In all cases, the request must indicate that the person
to make the visit possesses a valid security clearance, is access
approvable for any SCI data being processed, and has an established need-
to-know.
II.3.c. Administrative approvals (i.e., those not requiring substantive
briefings) may be used to grant persons escorted access to the central
computing facility and remote terminal areas when, and only when, such
persons do not require access to the intelligence information being
processed.
II.4 Physical Security
II.4.a. When used for the processing of collateral intelligence information
the central computing facility and any remote terminal areas must be
secured in a manner commensurate with the classification of the information
being processed by the system.
II.4.b. When used for the processing of Top Secret and/or SCI intelligence
information, the central computing facility and any remote terminal areas
must be secured in accordance with the provisions of USIC Physical Security
Standards for SCIFs, NFIB/NFIC-9.1/47.
II.5. Communications Security - Communications links used to transmit
intelligence information between system components or systems must be
secured in accordance with appropriate communications security directives
for the security level and SCI control channel(s) of the information
designated for transmission.
II.6 Emanations Security - The vulnerability of a specific system's
operation to exploitation of compromising emanations must be determined
during system configuration. For new procurements, guidance on equipment
TEMPEST characteristics should be obtained from the appropriate
communications security office, and equipment known to have acceptable
TEMPEST profiles should be selected. During the system accreditation
process, appropriate communications security directives will be implemented
for all security elements.
II.7. System Acquisition - Secure system criteria required to meet the
general security standards and system security requirements set forth in
this Regulation, or system features/capabilities available from advanced
state-of-the-art technology, will be included as mandatory in procurement
requests for all new systems which will process or handle intelligence
information. Vendor submissions for either the development of integrated
systems or the delivery of hardware systems must include a review of how
the system satisfies the security-related specifications included.
II.8. Systems Maintenance
II.8.a. All vendor maintenance personnel who service automated systems used
for the processing of intelligence information should possess a security
clearance commensurate with the highest classification level of the
information being processed and access approvable for all SCI being
processed.
II.8.b. All uncleared vendor maintenance personnel will be monitored at all
times by a system knowledgeable individual possessing a valid security
clearance and access approvals for the highest security classification and
SCI control channel(s) of the information being processed.
II.8.c. As a rule, the use of remote diagnostic links for the maintenance of
systems processing classified intelligence information is prohibited. The
NFIB member may, however, grant exceptions on a case-by-case basis provided
all channels to data storage devices are disabled, internal memory and
memory buffers are cleared (both before and after the use of the diagnostic
capability), and a separate operating system is used during the diagnostic
procedure.
Chapter III
Security Modes of Operation
At this time there are four modes of operation defined for automated systems
which process classified intelligence information. They are (a) Dedicated
Mode, (b) System High Mode, (c) Compartmented Mode, and (d) Expanded
Compartmented Mode. In each of these, the combination of hardware/software
capability, personnel security, physical security, and administrative
procedures are intended to satisfy the set of generic security requirements
of Section I.2 (Generic Requirements). However, it is recognized that
operating environments will exist, with unique sets of requirements, for
which none of the modes defined herein provide the best cost-effective
solution to achieving the requisite level of security while still allowing
for operational requirements to be satisfied. Thus, some latitude is
authorized in engineering specific installations, insofar as the equivalent
level of protection is achieved. Deviations from the modes defined herein
may only be accredited by the NFIB member in accordance with the procedures
defined herein. However, no deviations are allowed to any of the modes
which result in either (a) access to an ADP system containing SCI by a user
cleared less than SECRET, or (b) granting of programming capability on a
system which processes and/or stores SCI, to any user not authorized access
to SCI.
III.1.a. Intelligence information may be processed and/or stored in an
automated system operating in the Dedicated Mode; that is, the system is
specifically and exclusively dedicated and controlled for the processing of
that one particular type of intelligence information, either for full-time
operation or for a specified period of time.
III.1.b. Hardware/Software. The automated system, at a minimum, must be
able to enforce Need-to-Know access control measures on a project, group,
or per-user basis.
III.1.c. Accreditation Process. The NFIB member or his designee can
accredit an automated system operating in the Dedicated Mode after
receiving written assurance from the computer system manager and the
responsible ISSO that the ADP system meets the minimum security
requirements for this mode as outlined herein.
III.1.d. Personnel Security. All unescorted personnel requiring access to
the central computer facility or any remote terminal shall have a valid
security clearance for the one particular type of intelligence information
contained within the system.
III.1.e. Physical Security. The central computer facility and any remote
terminals connected to it shall be secured in a manner commensurate with
the classification and control caveats of the one type of intelligence
information contained in the system.
III.1.f. Administrative. All peripheral devices not dedicated for use in
the processing of the specific type of intelligence information shall be
disconnected from the system in an approved manner. A controlled copy of
the operating system shall be used to initialize an automated system.
III.1.g. Termination of Dedicated Mode Operation. On changing from
Dedicated Mode of operation, all intelligence information and the media
used in its processing and/or storing shall be secured or cleared in an
approved manner. An automated system which has operated in the Dedicated
Mode may then be returned to its original or different mode, as
appropriate.
III.2 System High Mode
III.2.a. Intelligence information may be processed and/or stored in an
automated system operating in the System High Mode; that is, the system is
operating with security measures commensurate with the highest
classification and sensitivity of information being processed and/or
stored.
III.2.b. Hardware/Software. The automated system shall, at a minimum:
(1) enforce Need-to-Know access controls on a per-user basis.
(2) produce, selectively and securely, an audit trail of security
events, containing enough information to permit the ISSO to perform a
security review of system activity.
(3) reliably place security labels on removable output media.
III.2.c. Accreditation Process. The NFIB member or his designee can
accredit an automated system operating in the System High Mode after
receiving written assurance from the computer system manager and the
responsible ISSO that the system meets the minimum security requirements
for this mode as specified herein.
III.2.d. Personnel Security. All personnel requiring unescorted
access to the central computer facility or any remote terminal shall have a
valid security clearance and formal access approvals for all data processed
and/or stored in the system. Need-to-Know criteria shall apply.
III.2.e. Physical Security. The central computer and remote terminal
facilities shall be secured in a manner commensurate with the highest
classification and sensitivity of information contained in the system.
III.2.f. Administrative. All terminals and peripheral devices not
designated for use in the current System High Mode of operation shall be
disconnected from the system in an approved manner.
III.2.g. Termination of System High Mode of Operation. On changing from
System High Mode of Operation, all intelligence information and the media
used in its processing and/or storage shall be secured or cleared in an
approved manner. An automated system which has operated in the System High
Mode may then be returned to its original or different mode, as
appropriate.
III.3 Compartmented Mode
III.3.a. SCI may be processed and/or stored in an automated system
operating in the Compartmented Mode; that is, the system is processing two
or more types of SCI with any other type of SCI, or any one type of SCI
with other than SCI, and the system access is secured to at least the TOP
SECRET level, but all system users need not necessarily be formally
authorized access to all types of SCI being processed and/or stored in the
system.
III.3.b. Hardware/Software. The automated system shall, at a minimum:
(1) enforce classification/compartmentation access controls on all
system storage objects (e.g., files, segments, devices). That is, the
system must be able to support the identification of a number of
hierarchical classification levels and an appropriate number of non-
hierarchical categories at each level (to be labelled as desired by
the system administrator), and enforce the access control rules based
upon these attributes.
(2) enforce Need-to-Know access control on a per-user basis.
(3) produce, selectively and securely, an audit trail of security
events, containing enough information to permit the ISSO to perform a
security review of system activity.
(4) accurately maintain security labels internal to the system, and
reliably place security labels on removable output media.
(5) ensure that residue from terminated user programs is cleared
before memory and on-line storage devices' locations are released by
the system for use by another user program.
(6) authenticate remote terminals and personnel.
(7) the system must exhibit sufficient internal structure to allow the
identification of the security perimeter; that is, it should be
possible to clearly distinguish security-critical code from non
security-critical code. Evidence must be available to support the
assertion that programs operating in user mode are incapable of
directly executing instructions which fall within the security
perimeter. Additionally, the correct operation of the security-
critical code must not be dependent upon the correct operation of any
other code in the system.
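The Compartmented Mode requirements III.3.b(1) to (4) above, modelled as an added example that is not code from the directive or from any agency system: a small reference monitor whose labels carry one hierarchical level and a set of non-hierarchical categories, which applies the Chapter III floor that no user cleared below SECRET may access an SCI system, checks per-user Need-to-Know, records every decision in an audit trail, and binds the internally maintained label to exported output. The level names are the standard markings; the category names, users, objects and access requests are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

# Hierarchical classification levels, ordered low to high (standard markings).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """One hierarchical level plus non-hierarchical categories (III.3.b(1))."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice rule: level at least as high AND every category of `other` held."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

    def marking(self) -> str:
        """Human-readable marking placed on exported media (III.3.b(4))."""
        cats = "//".join(sorted(self.categories))
        return self.level + ("//" + cats if cats else "")


@dataclass(frozen=True)
class User:
    name: str
    clearance: Label               # clearance plus formal access approvals
    need_to_know: FrozenSet[str]   # names of objects this user may see


@dataclass(frozen=True)
class StorageObject:
    name: str
    label: Label
    content: str


@dataclass
class AuditRecord:
    user: str
    obj: str
    granted: bool
    reason: str


@dataclass
class ReferenceMonitor:
    """Mediates every access; each decision becomes an auditable event."""
    audit_trail: List[AuditRecord] = field(default_factory=list)

    def _decide(self, user: User, obj: StorageObject) -> Optional[str]:
        # Chapter III floor: no access to an SCI system below SECRET.
        if LEVELS[user.clearance.level] < LEVELS["SECRET"]:
            return "clearance below SECRET on an SCI system"
        # III.3.b(1): mandatory classification/compartmentation check.
        if not user.clearance.dominates(obj.label):
            return "clearance does not dominate object label"
        # III.3.b(2): per-user Need-to-Know, checked only after (1) passes.
        if obj.name not in user.need_to_know:
            return "no Need-to-Know for object"
        return None

    def read(self, user: User, obj: StorageObject) -> Optional[str]:
        """Content if granted, else None; both outcomes are logged (III.3.b(3))."""
        denial = self._decide(user, obj)
        self.audit_trail.append(
            AuditRecord(user.name, obj.name, denial is None, denial or "granted"))
        return obj.content if denial is None else None

    def export(self, user: User, obj: StorageObject) -> Optional[str]:
        """Removable output carries the internally maintained label (III.3.b(4))."""
        content = self.read(user, obj)
        if content is None:
            return None
        return f"[{obj.label.marking()}]\n{content}\n[{obj.label.marking()}]"


# Constructed sample data; category names are placeholders, since the
# regulation leaves category labelling to the system administrator.
REPORT = StorageObject("report-17", Label("TOP SECRET", frozenset({"CAT-A"})),
                       "sample compartmented text")
SUMMARY = StorageObject("summary-3", Label("SECRET"), "sample collateral text")
ANALYST = User("analyst", Label("TOP SECRET", frozenset({"CAT-A", "CAT-B"})),
               frozenset({"report-17", "summary-3"}))
OFFICER = User("officer", Label("TOP SECRET", frozenset({"CAT-B"})),
               frozenset({"report-17"}))
CLERK = User("clerk", Label("CONFIDENTIAL"), frozenset({"summary-3"}))


def run_demo() -> List[AuditRecord]:
    """Exercise the checks and hand back the audit trail for ISSO review."""
    rm = ReferenceMonitor()
    rm.read(ANALYST, REPORT)    # granted: dominates and has Need-to-Know
    rm.read(OFFICER, REPORT)    # denied: same level, but not read into CAT-A
    rm.read(OFFICER, SUMMARY)   # denied: dominates, but no Need-to-Know
    rm.read(CLERK, SUMMARY)     # denied: cleared below SECRET on an SCI system
    rm.export(ANALYST, REPORT)  # granted again; output carries the marking
    return rm.audit_trail
```

Note that the mandatory check runs before the Need-to-Know check, so a denial reason never reveals whether a Need-to-Know entry exists for an object the user is not cleared to see.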
III.3.c(1) Only the NFIB member can accredit an automated system operating
in the Compartmented Mode.
III.3.c(2) The accreditation will be based upon the results of a security
analysis, test, and evaluation to assure that the system meets the minimum
requirements for this mode as defined herein. The ISSO will ensure that the
security analysis, test, and evaluation is carried out and the results
reported along with his recommendations to the NFIB member.
III.3.d. Personnel Security
III.3.d(1) All unescorted personnel requiring access to the central
computer facility shall have a valid TOP SECRET clearance (2) and formal
access approvals for all data processed and/or stored in the ADP system.
Need-to-Know criteria shall apply.
III.3.d(2) All unescorted personnel requiring access to any remote terminal
facility shall have a valid TOP SECRET clearance and formal access
approvals for all data designated for input/output at that terminal
facility. Need-to-Know criteria shall apply.
III.3.e. Physical Security
III.3.e(1) The central computer facility shall be secured in a manner
commensurate with the handling of TOP SECRET material and the most
sensitive intelligence information contained in the facility.
III.3.e(2) Each remote terminal area will be secured in a manner
commensurate with the handling of TOP SECRET material and the most
sensitive intelligence information designated for input/output at that
terminal facility.
III.3.f(1) No user cleared for less than SCI access will be granted
programming capability on a system which processes and/or stores SCI.
Hardware/software mechanisms must be in place which are capable of
enforcing this restriction.
2. Such clearance must have been granted based on investigative
requirements of DCID 1/14.
III.3.f(2) All terminal and peripheral devices not designated for use in
the current Compartmented Mode of operation shall be disconnected from the
system in an approved manner.
III.3.f(3) Effective controls shall be implemented to limit over-the-counter
(batch) users to authorized access to information and programs, as
well as to control read and/or write access authorizations.
III.3.g. Termination of Compartmented Mode of Operation. On changing from
Compartmented Mode of Operation, all intelligence information and the media
used in its processing and/or storage shall be secured or cleared in an
approved manner. An automated system which has operated in the
Compartmented Mode may then be returned to its original or different mode,
as appropriate.
III.4 Expanded Compartmented Mode
III.4.a. SCI may be processed and/or stored in an automated system
operating in the Expanded Compartmented Mode; that is, the system is
processing one or more types of SCI along with collateral (non-SCI), and
system access is secured to at least the SECRET level, but all system users
need not necessarily be formally authorized access to SCI. This mode is
designed to accommodate unique instances (e.g., the tactical environment) in
which specific individuals have a valid operational need to access
collateral data which resides in a data base which also contains SCI data.
It assumes that such systems have well-defined functions (e.g., DBMS),
offering limited user interaction and, especially, do not support general
user programming. It is intended that systems that operate in the Expanded
Compartmented mode have been designed, engineered, and configured
specifically to operate in that mode. Thus, operational and security
requirements are documented and appropriate security mechanisms are
designed and engineered into the system. Additionally, the NFIB member is
involved in the decision to develop and implement a system operating in
this mode, and specifically approves any plans to operate a system in the
Expanded Compartmented Mode.
III.4.b Hardware/Software. The automated system shall, at a minimum:
(1) enforce classification/compartmentation access controls on all
system storage objects (e.g., files, segments, devices). That is, the
system must be able to support the identification of a number of
hierarchical classification levels and an appropriate number of
non-hierarchical categories at each level (to be labelled as desired by
the system administrator), and enforce the access control rules based
upon these attributes.
(2) enforce Need-to-Know access controls on a per-user basis. The
principle of least privilege shall pervade system operations.
(3) produce, selectively and securely, an audit trail of security
events, containing enough information to permit the ISSO to perform a
security review of system activity.
(4) accurately maintain security labels internal to the system, and
reliably place security labels on removable output media.
(5) ensure that residue from terminated user programs is cleared
before memory and on-line storage devices' locations are released by
the system for use by another user program.
(6) authenticate remote terminals and personnel.
(7) enforce, on a per-user/per-terminal basis, any limitations defined
for access to data and ability to exercise system capabilities.
(8) exhibit sufficient internal structure to allow the identification
of the security perimeter; that is, it should be possible to clearly
distinguish security-critical code from non security-critical code.
Evidence must be available to support the assertion that programs
operating in user mode are incapable of directly executing
instructions which fall within the security perimeter. Additionally,
the correct operation of the security-critical code must not be
dependent upon the correct operation of any other code in the system.
(9) exhibit strong technical evidence to substantiate the claim that
the original system security requirements defined as design goals are,
in fact, satisfied by the operational system.
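A constructed illustration of requirements (1), (2), (3) and (7) above, added here as an example and not part of the directive or any accredited system: a label is one hierarchical level plus a set of non-hierarchical categories, a reference monitor grants a read only when the user's approvals dominate the object's label, grants a write only when the object's label dominates the user's approvals (no write-down, an assumption the directive does not spell out), applies per-user Need-to-Know and per-terminal level limits, and records an audit trail of denials and SCI accesses. Level names, category names, user and project names are all constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, List

# Hierarchical classification levels, lowest to highest (constructed ordering).
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]


@dataclass(frozen=True)
class Label:
    """Security label: one hierarchical level plus non-hierarchical categories."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice dominance: level at least as high AND superset of categories.
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.categories >= other.categories)


@dataclass
class Subject:
    name: str
    clearance: Label              # formal access approvals held by the user
    need_to_know: FrozenSet[str]  # per-user Need-to-Know (constructed project tags)
    terminal_level: str           # highest level designated for the terminal in use


AUDIT: List[str] = []  # selective audit trail reviewed by the ISSO


def check_access(subj: Subject, obj_label: Label, obj_ntk: str, op: str) -> bool:
    """Reference-monitor decision for one read or write on a storage object."""
    if op == "read":
        mandatory_ok = subj.clearance.dominates(obj_label)   # no read-up
    elif op == "write":
        mandatory_ok = obj_label.dominates(subj.clearance)   # no write-down (assumed)
    else:
        raise ValueError(f"unknown operation: {op}")
    ntk_ok = obj_ntk in subj.need_to_know                    # per-user Need-to-Know
    terminal_ok = (LEVELS.index(subj.terminal_level)         # per-terminal limit
                   >= LEVELS.index(obj_label.level))
    decision = mandatory_ok and ntk_ok and terminal_ok
    # Audit every denial and every access touching a compartmented (SCI) object.
    if not decision or obj_label.categories:
        AUDIT.append(f"{subj.name} {op} {obj_label.level}/{sorted(obj_label.categories)}"
                     f" ntk={obj_ntk} -> {'GRANT' if decision else 'DENY'}")
    return decision
```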
III.4.c(1) Only the NFIB member can accredit an automated system operating
in the Expanded Compartmented Mode.
III.4.c(2) The accreditation will be based upon the results of a security
analysis, test, and evaluation to assure that the system meets the minimum
requirements for this mode as defined herein. The ISSO will ensure that the
security analysis, test, and evaluation is carried out and the results
reported along with his recommendations to the NFIB member.
III.4.d. Personnel Security
III.4.d(1) All unescorted personnel requiring access to the central
computer facility shall have a valid TOP SECRET clearance and formal access
approvals for all data processed and/or stored in the system. Need-to-Know
criteria shall apply.
III.4.d(2) All unescorted personnel requiring access to any remote terminal
facility shall be cleared to the level of the data designated for
input/output at that facility, or at the SECRET level, whichever is higher.
Need-to-Know criteria shall apply.
III.4.e. Physical Security
III.4.e(1) The central computer facility shall be secured in a manner
commensurate with the handling of TOP SECRET material and the most
sensitive intelligence information contained in the facility.
III.4.e(2) Each remote terminal area will be secured in a manner
commensurate with the handling of the most sensitive data designated for
output at that terminal facility, or at the SECRET level, whichever is
higher.
III.4.f(1) No user cleared for less than SCI access will be granted
programming capability on a system which processes and/or stores SCI.
Hardware/software mechanisms must be in place which are capable of
enforcing this restriction.
III.4.f(2) The capabilities granted to users who have access to an
automated system which processes and/or stores SCI, and who are cleared
less than TOP SECRET, must be clearly defined. Hardware/software mechanisms
must be in place which are capable of limiting access to only those
capabilities which have been defined.
III.4.f(3) All terminal and peripheral devices not designated for use in
the current Expanded Compartmented Mode of operation shall be disconnected
from the system in an approved manner.
III.4.f(4) Effective controls shall be implemented to limit over-the-counter
(batch) users to authorized access to information and programs, as
well as to control read and/or write access authorizations.
III.4.g. Termination of Expanded Compartmented Mode of Operation. On
changing from Expanded Compartmented Mode of Operation, all intelligence
information and the media used in its processing and/or storage shall be
secured or cleared in an approved manner. An automated system which has
operated in the Compartmented Mode may then be returned to its original or
different mode, as appropriate.
Memorandum of Agreement
When more than one NFIB member is involved in an automated system or
network, a Memorandum of Agreement must be executed. This memorandum must,
at minimum, identify the Principal Accreditation Authority, or, in
concatenated systems or networks, the Joint Accreditation Authority and the
Principal Joint Accreditation Authority. It must identify the level(s) of
classification of data being processed and any operational restrictions
which are placed on the system or network. This memorandum will be updated
whenever a significant change is made to any of these items.
All automated systems and networks which process classified foreign
intelligence or counterintelligence must be accredited. The accreditation
statement must be supported by complete documentation which fully describes
the technical assessments of the automated system or network, the
vulnerabilities, risks, and associated countermeasures, and the results of
the security tests and analyses which have been performed.