STATUS OF ACTIVITIES -- OVERSEAS COMPUTER SECURITY POLICY COMMITTEE

Document Number (FOIA) /ESDN (CREST): CIA-RDP89B00297R000400960007-1
Release Decision: RIFPUB
Original Classification: K
Document Page Count: 6
Document Creation Date: December 23, 2016
Document Release Date: April 23, 2013
Sequence Number: 7
Publication Date: August 6, 1986
Content Type: MEMO
Body: 
Declassified and Approved For Release 2013/04/23: CIA-RDP89B00297R000400960007-1

OS REGISTRY- I

United States Department of State
Washington, D.C. 20520

August 6, 1986

MEMORANDUM

TO: Members of the Overseas Security Policy Group (OSPG)
FROM: DS/ST/ISS - Lynn McNulty
SUBJECT: Status of Activities -- Overseas Computer Security Policy Committee

The Overseas Computer Security Policy Committee was established within the OSPG last January to develop and coordinate uniform policies and standards for overseas automated information systems. Membership on the Committee is comprised of the following departments and agencies:

U.S. Department of State
Central Intelligence Agency
Defense Intelligence Agency
United States Information Agency
U.S. Agency for International Development
U.S. Department of Agriculture
U.S. Department of Commerce
U.S. Department of Justice

The first priority of the Committee was to develop a uniform policy on information systems security for inclusion in the Department of State's Foreign Affairs Manual (5 FAM 800). This policy (a copy of which is attached) will require all federal agencies operating under the authority of the Chief of Mission to a foreign country to comply with systems security regulations jointly issued by the Department of State and other foreign affairs agencies.

This policy was sent for clearance to all members of the Committee from the Director for Diplomatic Security, Mr. Robert E. Lamb. Each of the departments and agencies has now responded and we will soon issue uniform system security regulations.

The Committee is now considering standards drafted by the Department of State for networking automated information systems.

cc: DS/ST - Mr. Daniel S. Carlin

Attachment: As Stated.

DRAFT

FOREIGN AFFAIRS MANUAL, VOLUME 5, CHAPTER 800
AUTOMATED INFORMATION SYSTEMS SECURITY

810 AUTOMATED INFORMATION SYSTEMS POLICY (attached)

820 SECURITY POLICY FOR FEDERAL AGENCIES USING AUTOMATED INFORMATION SYSTEMS AT FOREIGN POSTS

This policy establishes the requirement that all agencies operating under the authority of the Chief of Mission to a foreign country comply with all applicable automated information system security directives and standards jointly promulgated by the U.S. Department of State and other foreign affairs agencies.

The legal basis for this policy includes:

a. Public Law 96-465, the "Foreign Service Act of 1980." Section 207 of the Foreign Service Act states that "Under the direction of the President, the Chief of Mission to a foreign country (1) shall have full responsibility for the direction, coordination, and supervision of all Government employees in that country (except for employees under the command of a United States area military commander); and (2) shall keep fully and currently informed with respect to all activities and operations of the Government within that country, and shall insure that all Government employees in that country (except for employees under the command of a United States area military commander) fully comply with all applicable directives of the chief of mission."

a. This policy has been adopted by the following federal agencies:

United States Department of State
United States Information Agency
United States Agency for International Development
United States Department of Agriculture
United States Department of Commerce
United States Department of Transportation
United States Department of the Treasury
United States Department of Justice
Defense Intelligence Agency
Central Intelligence Agency

As such it is applicable to all employees of these and any other agencies under the authority of the Chief of Mission to a foreign country (excluding personnel under the command of a United States area military commander). It applies to all foreign posts which (a) originate, process, or store classified or unclassified information, or (b) have classified or unclassified automated information systems. This includes data processing systems, word processing systems, and supporting telecommunications networks.

b. This policy has been issued by the Interagency Committee for Computer Security which is composed of representatives from all agencies issuing this as a joint regulation. The Interagency Committee for Computer Security reports to the Overseas Security Policy Group (OSPG) chaired by the Deputy Assistant Secretary and Director, Diplomatic Security Service, U.S. Department of State. All system security standards applicable to foreign posts will be coordinated with the Committee.

a. The Department of State, in coordination with other foreign affairs agencies, has issued minimum security standards for classified and unclassified automated information systems at foreign posts. These include:

System Security Standard Number 2 - Security Standards for Classified Automated Information Systems at Foreign Service Posts.
System Security Standard Number 3 - Security Standards for Unclassified Automated Information Systems at Foreign Service Posts.
System Security Standard Number 3 (Addendum) - Security Standards for Unclassified Automated Information Systems at High Technical Threat Foreign Service Posts (classified).
Security Standards for Portable Tempest-Approved Microcomputers.

Unless specifically stated in supplemental guidance, all agencies shall comply with these minimum security standards. All new minimum security standards will be issued by the Department of State in coordination with the Interagency Committee on Computer Security.

b. Questions on interpretations and exemption requests to the minimum system security standards shall be sent to the operating agency originating the request. The agency response shall be cleared by the Department of State (DS/ST/ISS).

a. Each agency reserves the right to issue supplemental guidance regarding the security of automated information systems purchased and operated exclusively by that agency. All supplemental security guidance applicable to systems operating at foreign posts shall be cleared with the Office of Information Systems Security, Bureau of Diplomatic Security, U.S. Department of State (DS/ST/ISS). The issuance of supplemental guidance does not preclude compliance with minimum system security standards.

b. Questions on interpretations and exemption requests to supplemental agency policy shall be sent to the agency involved who issued the policy.

Resource requirements resulting from the implementation of system security requirements applicable to foreign posts will be justified and requested in accordance with each federal agency's existing budgetary procedures.

Administrative costs associated with issuing, publishing, distributing, and maintaining minimum systems security policies applicable to foreign posts will be borne by the U.S. Department of State.

a. In an automated systems environment at a foreign post, security is a shared responsibility. In descending order, these responsibilities belong to the Chief of Mission, the Administrative Officer, the Regional Security Officer, the Information Systems Security Officer, supervisors, and system users.

b. Each foreign post with an automated information system shall ensure that responsibility for the security of that system is assigned to an American citizen identified as the Information Systems Security Officer (ISSO). Specific responsibilities of the ISSO are outlined in minimum system security standards.

c. The ISSO will be a Department of State employee when the automated information system is owned by the Department of State and/or the system is located on Department of State controlled premises. Agencies that own and operate automated information systems located off Department of State controlled premises and independent of any Department of State system will designate their own ISSO to be fully responsible for all automation equipment at that site.

d. Each ISSO at each post will prepare an annual review of post automated information systems under their jurisdiction. The report will be sent to the appropriate federal agency, with a copy to DS/ST/ISS. The reporting format will be issued as supplemental guidance.