STATUS OF ACTIVITIES -- OVERSEAS COMPUTER SECURITY POLICY COMMITTEE
Document Type:
Collection:
Document Number (FOIA) /ESDN (CREST):
CIA-RDP89B00297R000400960007-1
Release Decision:
RIFPUB
Original Classification:
K
Document Page Count:
6
Document Creation Date:
December 23, 2016
Document Release Date:
April 23, 2013
Sequence Number:
7
Case Number:
Publication Date:
August 6, 1986
Content Type:
MEMO
File:
Attachment | Size |
---|---|
CIA-RDP89B00297R000400960007-1.pdf | 228.15 KB |
Body:
Declassified and Approved For Release 2013/04/23: CIA-RDP89B00297R000400960007-1
OS REGISTRY- I
United States Department of State
Washington, U.C. :.'O:i10
August 6, 1986
MEMORANDUM
T0: Members of the Overseas Secnurity Policy Group (OSPG)
FROM: DS/ST/ISS - Lynn McNulty ~(.~
SUBJECT: Status of Activities -- Overseas Computer Security
Policy Committee
The Overseas Computer Security Policy Committee was
established within the OSPG last January to develop and
coordinate uniform policies and standards for overseas
automated information systems.
Membership on the Committee is comprised of the following
departments and agencies:
U.S. Department of State
Central Intelligence Agency
Defense Intelligence Agency
United States Information Agency
U.S. Agency for International Development
U.S. Department of Agriculture
U.S. Department of Commerce
U.S. Department of Justice
The first priority of the Committee was to develop a
uniform policy on information systems security for inclusion in
the Department of State's Foreign Affairs Manual (5 FAM 800).
This policy (a copy of which is attached) will require all
federal agencies operating under the authority of the Chief of
Mission to a foreign country to comply with systems security
regulations jointly issued by the Department of State and other
foreign affairs agencies.
Declassified and Approved For Release 2013/04/23: CIA-RDP89B00297R000400960007-1
Declassified and Approved For Release 2013/04/23: CIA-RDP89B00297R000400960007-1
This policy was sent for clearance to all members of the
Committee from the Director for Diplomatic Security, Mr. Robert
E. Lamb. Each of the departments and agencies has now
responded and we will soon issue uniform system security
regulations. The Committee is now considering standards
drafted by the Department of State for networking automated
information systems.
cc: DS/ST - Mr. Daniel S. Carlin
Attachment:
As Stated.
Declassified and Approved For Release 2013/04/23: CIA-RDP89B00297R000400960007-1
Declassified and Approved For Release 2013/04/23: CIA-RDP89B00297R000400960007-1
DRAFT
FOREIGN AFFAIRS MANUAL, VOLUME 5, CHAPTER 800
AUTOMATED INFORMATION SYSTEMS SECURITY
810 AUTOMATED INFORMATION SYSTEMS POLICY (attached)
820 SECURITY POLICY FOR FEDERAL AGENCIES USING
AUTOMATED INFORMATION SYSTEMS AT FOREIGN POSTS
This policy establishes the requirement that all
agencies operating under the authority of the Chief of
Mission to a foreign country comply with all applicable
automated information system security directives and
standards jointly promulgated by the U.S. Department of
State and other foreign affairs agencies.
The legal basis for this policy includes:
a. Public Law 96-465, the "Foreign Service Act of 1980."
Section 207 of the Foreign Service Act states that "Under
the direction of the President, the Chief of Mission to a
foreign country (1) shall have full responsibility for the
direction, coordination, and supervision of all Government
employees in that country (except for employees under the
command of a United States area military commander); and
(2) shall keep fully and currently informed with respect
to all activities and operations of the Government within
that country, and shall insure that all Government
employees in that country (except for employees under the
command of a United States area military commander) fully
comply with all applicable directives of the chief of
mission."
a. This policy has been adopted by the following federal
agencies:
United States Department of State
United States Information Agency
United States Agency for International Development
United States Department of Agriculture
United States Department of Commerce
Declassified and Approved For Release 2013/04/23: CIA-RDP89B00297R000400960007-1
Declassified and Approved For Release 2013/04/23: CIA-RDP89B00297R000400960007-1
DRAFT
United States Department of Transportation
United States Department of the Treasury
United States Department of Justice
Defense Intelligence Agency
Central Intelligence Agency
As such it is applicable to all employees of these and
any other agencies under the authority of the Chief of
Mission to a foreign country (excluding personnel under
the command of a United States area military commander).
It applies to all foreign posts which (a) originate,
process, or store classified or unclassified information,
or (b) have classified or unclassified automated
information systems. This includes data processing
systems, word processing systems, and supporting
telecommunications networks.
b. This policy has been issued by the Interagency
Committee for Computer Security which is composed of
representatives from all agencies issuing this as a joint
regulation. The Interagency Committee for computer
security reports to the Overseas Security Policy Group
(OSPG) chaired by the Deputy Assistant Secretary and
Director, Diplomatic Security Service, U.S. Department of
State. All system security standards applicable to
foreign posts will be coordinated with the Committee.
a. The Department of State, in coordination with
other foreign affairs agencies, has issued minimum
security standards for classified and unclassified
automated information systems at foreign posts. These
include:
System Security Standard Number 2 - Security Standards
for Classified Automated Information Systems at
Foreign Service Posts.
System Security Standard Number 3 - Security Standards
for Unclassified Automated Information Systems at
Foreign Service Posts.
System Security Standard Number 3 (Addendum) -
Security Standards for Unclassified Automated
Information Systems at High Technical Threat Foreign
Service Posts (classified).
Security Standards for Portable Tempest-Approved
Microcomputers.
Declassified and Approved For Release 2013/04/23: CIA-RDP89B00297R000400960007-1
Declassified and Approved For Release 2013/04/23: CIA-RDP89B00297R000400960007-1
DRAFT
Unless specifically stated in supplemental guidance, all
agencies shall comply with these minimum security
standards. All new minimum security standards will be
issued by the Department of State in coordination with the
Interagency Committee on Computer Security.
b. Questions on interpretations and exemption
requests to the minimum system security standards shall be
sent to the operating agency originating the request. The
agency response shall be cleared by the Department of
State (DS/ST/ISS).
a. Each agency reserves the right to issue
supplemental guidance regarding the security of automated
information systems purchased and operated exclusively by
that agency. All supplemental security guidance
applicable to systems operating at foreign posts shall be
cleared with the Office of Information Systems Security,
Bureau of Diplomatic Security, U.S. Department of State
(DS/ST/ISS). The issuance of supplemental guidance does
not preclude compliance with minimum system security
standards.
b. Questions on interpretations and exemption
requests to supplemental agency policy shall be sent to
the agency involved who issued the policy.
Resource requirements resulting from the
implementation of system security requirements applicable
to foreign posts will be justified and requested in
accordance with each federal agency's existing budgetary
procedures. Administrative costs associated with issuing,
publishing, distributing, and maintaining minimum systems
security policies applicable to foreign posts will be
borne by the U.S. Department of State.
a. In an automated systems environment at a foreign post,
security is a shared responsibility. In descending order,
these responsibilities belong to the Chief of Mission, the
Administrative Officer, the Regional Security Officer, the
Information Systems Security Officer, supervisors, and
system users.
Declassified and Approved For Release 2013/04/23: CIA-RDP89B00297R000400960007-1
Declassified and Approved For Release 2013/04/23: CIA-RDP89B00297R000400960007-1
DRAFT
b. Each foreign post with an automated information system
shall ensure that responsibility for the security of that
system .is assigned to an American citizen identified as
the Information Systems Security Officer (ISSO). Specific
responsibilities of the ISSO are outlined in minimum
system security standards.
c. The ISSO will be a Department of State employee when
the automated information system is owned by the
Department of State and/or the system is located on
Department of State controlled premises. Agencies that
own and operate automated information systems located off
Department of State controlled premises and independent of
any Department of State system will designate their own
ISSO to be fully responsible for all automation equipment
at that site.
d. Each ISSO at each post will prepare an annual review
of post automated information systems under their
jurisdiction. The report will be sent to the appropriate
federal agency, with a copy to DS/ST/ISS. The reporting
format will be issued as supplemental guidance.
Declassified and Approved For Release 2013/04/23: CIA-RDP89B00297R000400960007-1