NATIONAL POLICY ON TELECOMMUNICATIONS AND AUTOMATED INFORMATION SYSTEMS SECURITY - ACTION MEMORANDUM

Approved For Release 2008/03/17: CIA-RDP87B01034R000700080012-8 NSC REVIEW COMPLETE TAB DIA review(s) completed. Approved For Release 2008/03/17: CIA-RDP87B01034R000700080012-8  Approved For Release 2008/03/17: CIA-RDP87BO1034R000700080012-8 DEFENSE INTELLIGENCE AGENCY WASHINGTON. D.G. 20301 10 APR ]984 SUBJECT: National Policy on Telecommunications and Automated Information Systems Security - ACTION MEMORANDUM I am writing to you as your Senior Intelligence Advisor to assist in your review of the final draft National Security Decision Directive (NSDD) on a National Policy for Telecommunications and Automated Information Systems Security to replace the current PD/NSC-24, Telecommunications Protection Policy, dated 16 November 1977. The final draft NSDD contains important policy issues that will significantly impact the Intelligence Community and military operations in the decades ahead. Accordingly, the initial draft sparked considerable controversy and varied positions within DoD and the Intelligence Community. I have now learned that the final draft NSDD has been released to you for comment by 16 April 1984, and that it contains very little change from the initial draft. Given the importance of this directive, I urge your consideration of the various positions that have been developed on the matter. Briefly summarized they are: - Joint Chiefs of Staff: The Joint Chiefs of Staff strongly supported the conceptual approach of integrating Telecommunications and Automated Information Systems Security, but had strong reservations in some areas. To highlight the principal areas of concern, they proposed revision of the membership of the National Telecommunications and Information Systems Security Committee to include adding the Director, DIA and Commandant of the Marine Corps to this important policy body. They nonconcurred with national funding by NSA for consolidated telecommunications and computer,security programs. The JCS concurred with designating NSA as the national manager, but restricted the scope of its authority and responsibilities to require coordination with operating agencies in developing security standards, restricted NSA's authority to examine and monitor automated information systems in other Services and agencies without prior approval, and proposed that current directives pertaining to certification and accreditation of automated information systems remain in effect. Lastly, NSA authority to enter into agreement with foreign governments with regard to telecommunications and computer security was restricted to a technical liaison role.. With the exception of the addition of the Commandant of the Marine Corps to the National Committee, all other proposed revisions were excluded from the final draft. NSC review completed U-14,142/RSE-4 MEMORANDUM FOR THE SECRETARY OF DEFENSE - Deputy Under Secretary for Policy: General Stilwell has.taken the position that the pace and extent of centralization of management and policymaking proposed in the NSDD are premature. In brief', DUSD(P) has proposed a phased approach to gradual integration of Telecommunications and Automated Information Systems Security -- to include two-separate Approved For Release 2008/03/17: CIA-RDP87BOl034R000700080012-8  Approved For Release 2008/03/17: CIA-RDP87B01034R000700080012-8 committees under the Steering, Group; deferral for study of the need for the establishment of an executive agent and national manager for combined telecommunications and computer security programs; and deletion of the proposal in the NSDD for a consolidated national program/budget.- In addition, DUSD(P) proposed that the Director, DIA and Commandant of the Marine Corps be added as members of the two national committees,_but opposed combining the two committees pending further evaluation and completion of the internal DoD comprehensive computer security program review-that you initiated in January 1984. Again, essentially none of these concerns were addressed in the final draft. - Director of Central Intelligence : The DCI also nonconcurred in the draft N DD over concerns about the erosion of the DCI authorities for developing computer security policies and standards for systems processing compartmented intelligence information and establishing policy and accreditation for intelligence systems. These policies and accreditation authorities are further delegated to the Director, DIA for all DoD non- cryptologic systems. We are not aware of the specific revisions proposed by the DCI, but are advised that the final draft NSDD further exacerbates the situation by deleting responsibilities for DCI coordination with the activities established under the NSDD concerning unique requirements pertaining to the protection of intelligence sources and methods. - Deputy Under Secretary of Defense (C31): Dr. Latham has supported the NSDD and recommended that the Director, NSA exercise independent national roles for COMSEC and computer security programs under SecDef executive agency. Under the current Secretary of Defense and DCI policy, the Director, DIA, is responsible for the dissemination of all-source intelligence, including the processing and dissemination of intelligence through computers, to all echelons of military command. -I am also responsible for implementing security policy for the handling and dissemination of military intelligence, including the processing of compartmented intelligence on non-cryptologic computer systems throughout DoD. Promulgation of the NSDD, in the final draft form,~would substantially alter this policy framework and create a new computer security management structure without an effective system of checks and balances to ensure the security risks are balanced with the requirements for military operations. Given the growing threat and potential vulnerabilities of our computer systems, I support development and implementation of strong security measures and major R&D initiatives, particularly those underway at NSA. While improvements in computer security must be afforded high priority, we must ensure that stringent computer standards are developed considering the requirements for dissemination of all-source intelligence to users at every echelon and consistent with available technology and our ability to implement computer security improvements. The technology and expertise in the computer security arena are not as advanced as in the communications security area. Approved For Release 2008/03/17: CIA-RDP87BOl034R000700080012-8  Approved For Release 2008/03/17: CIA-RDP87BO1034R000700080012-8 As the manager of the General Defense Intelligence Program (GDIP), one of the major components of the National Foreign Intelligence Program, I am further concerned about balancing the affordability of computer security initiatives with other improvements in overall DoD intelligence . capabilities. Based on estimates in the FY 1985 budget, we have learned that developing new computer security techniques and retrofittin} existing systems are extremely costly. It is important that the Director, DIA, as the GRIP program manager, the intelligence officer of the Joint-Staff, and your senior military intelligence advisor continue to participate in balancing these priorities rather than assigning an independent activity the authority to develop a consolidated communications and computer security budget without regard to overall military intelligence priorities. I strongly recommend that you not concur in the final draft NSDD until the OSD staff, the JCS, the DCI and other members of the National Security Community can collectively agree on its key policy provisions and implementation. Coordination within OSD is not required. JAMES A. WILLIAMS Lieutenant Geaer4 U. S. Army Director CJCS Prepared by Mr. L.T. Busic, x22000 Approved For Release 2008/03/17: CIA-RDP87BOl034R000700080012-8  Approved For Release 2008/03/17: CIA-RDP87BO1034R000700080012-8 2. s, Initials Date 44 A12AP I9 131: 4 a Ion File Note and Return roval For Clearance Per Conversation Requested s For Correction Prepare Reply clate ir, For Your Information See Me ment Investigate Signature Coordination Justify /-d-,-)'7 15~~ -- v---~ A-57~1`5e Ga D~f '5F~". cif /3 act DO NOT use this form as a RECORD of approvals, concurrences, disposals, clearances, and similar actions OPTIONAL FORM 41 (Rev. 7-76) rnseribed by GSA Approved For Release 2008/03/17: CIA-RDP87BO1034R000700080012-8  Approved For Release 2008/03/17: CIA-RDP87B01034R000700080012-8 OFFICE OF THE DIRECTOR l`Jfipk. lPd' f A--h I'd ,~ SUBJECT: ' ~7 p Office of Security 0,C 2: P~2;/ y ' 4w l ow c /T ,r,,o ~~c~~ mac. ~ ''~'~'~~r~ T ?~.~' .~,7'- ~:. L. , rr -- -"c r 4^L C" T-/tT ly 1/1/6 (r,)lC ' z rS ( .0-~r,01=l e i (' l o p ? , o'", y, $ r- / Jusr ~oN'T -v, /riyE 0 ,E Fv,Esrwpq,&Yr 7P Approved For Release 2008/03/17: CIA-RDP87B01034R000700080012-8