MINIMUM REQUIREMENTS FOR SYSTEM SECURITY

Document Number (FOIA) /ESDN (CREST): CIA-RDP87T00623R000200070014-4
Release Decision: RIPPUB
Original Classification: K
Document Page Count: 5
Document Creation Date: December 22, 2016
Document Release Date: November 17, 2010
Sequence Number: 14
Content Type: REPORT
File: CIA-RDP87T00623R000200070014-4.pdf (168.88 KB)
Body: 
Sanitized Copy Approved for Release 2010/11/17: CIA-RDP87T00623R000200070014-4

Chapter II
Minimum Requirements for System Security

As established in this chapter, the general standards, the system security requirements for automated data processing systems (hereinafter referred to as the system), and the criteria for evaluating a system's ability to protect intelligence information will be uniformly applied throughout the NFIB Community.

II.1. General Security Standards

II.1.a. Information System Security Officer - An Information System Security Officer (ISSO) will be appointed for each ADP system processing intelligence information. The ISSO is responsible for ensuring compliance with the security standards established in this Regulation as well as the implementing directives promulgated by the responsible authority. The ISSO will monitor any changes in system operation that may affect the security status of the total system, report major security deficiencies in system operation, and provide system accreditation statements and recommendations to the responsible authority.

II.2.a. When a system is approved to process collateral information up to but excluding Top Secret, all personnel requiring unescorted access to either the central computing facility or the magnetic [media storage facility must have a valid security clearance for the highest] security classification level of the collateral information being processed by the system. All personnel requiring unescorted access to a remote terminal/terminal area must have a valid security clearance for the highest security classification of the information designated for input/output at the assigned terminal.

II.2.b. When a system is approved to process Top Secret collateral intelligence information, all personnel requiring unescorted access to either the central computing facility or magnetic storage facility must have a valid Top Secret clearance, and all personnel requiring unescorted access to a remote terminal/terminal area must have a valid security clearance for the highest security classification of the information accessible through the assigned terminal.

II.2.c. When a system is approved to process Sensitive Compartmented Information (SCI), all personnel requiring unescorted access to the central computing facility or magnetic media storage facility must be security approved in accordance with DCID 1/14 and have formal access approval for each SCI program being processed by the system, and all personnel requiring unescorted access to a terminal/terminal area must be security approved for the highest security classification of information accessible through the assigned terminal.

II.3.a. All system users must be briefed on the need for exercising sound security practices to protect the intelligence information processed by the system. Users will be informed of the security classification level at which the system is operating and the security requirements for that level.

II.3.a. The processing of intelligence information at any level requires that the Need-to-Know criteria be rigidly enforced. That is, even though all personnel are appropriately cleared, not all personnel shall automatically have authorization to see or use all of the data being processed.

II.3.b. Approval for unescorted visits to a system approved to process intelligence information will be requested in advance via appropriate command channels. In all cases, the request must indicate that the person to make the visit possesses a valid security clearance, is access approvable for any SCI data being processed, and has an established need-to-know.

II.3.c. Administrative approvals (i.e., those not requiring substantive briefings) may be used to grant persons escorted access to the central computing facility and remote terminal areas when, and only when, such persons do not require access to the intelligence information being processed.

II.4. Physical Security

II.4.a. When used for the processing of collateral intelligence information, the central computing facility and any remote terminal areas must be secured in a manner commensurate with the classification of the information being processed by the system.

II.4.b. When used for the processing of Top Secret and/or SCI intelligence information, the central computing facility and any remote terminal areas must be secured in accordance with the provisions of [illegible] Physical Security Standards for SCIFs, NFIB/NFIC-9.1/47.

II.5. Communications Security - Communications links used to transmit intelligence information between system components or systems must be secured in accordance with appropriate communications security directives for the security level and SCI control channel(s) of the information designated for transmission.

II.6. Emanations Security - The vulnerability of a specific system's operation to exploitation of compromising emanations must be determined during system configuration. For new procurements, guidance on equipment TEMPEST characteristics should be obtained from the appropriate communications security office, and equipment known to have acceptable TEMPEST profiles should be selected. During the system accreditation process, appropriate communications security directives will be implemented for all security elements.

II.7. System Acquisition - Secure system criteria required to meet the general security standards and system security requirements set forth in this Regulation, or system features/capabilities available from advanced state-of-the-art technology, will be included as mandatory in procurement requests for all new systems which will process or handle intelligence information. Vendor submissions for either the development of integrated systems or the delivery of hardware systems must include a review of how the system satisfies the security-related specifications included.

II.8. Systems Maintenance

II.8.a. All vendor maintenance personnel who service automated systems used for the processing of intelligence information shall possess a security clearance commensurate with the highest classification level of the information being processed and be access approvable for all SCI being processed.

II.8.b. All uncleared vendor maintenance personnel will be monitored at all times by a system-knowledgeable individual possessing a valid security clearance and access approvals for the highest security classification and SCI control channel(s) of the information being processed.

II.8.c. As a rule, the use of remote diagnostic links for the maintenance of systems processing classified intelligence information is prohibited. The NFIB member may, however, grant exceptions on a case-by-case basis provided all channels to data storage devices are disabled, internal memory and memory buffers are cleared (both before and after the use of the diagnostic capability), and a separate operating system is used during the diagnostic procedure.
Next 10 Page(s) In Document Denied