DIRECTOR OF CENTRAL INTELLIGENCE SECURITY COMMITTEE COMPUTER SECURITY SUBCOMMITTEE

Document Type:
Collection:
Document Number (FOIA) /ESDN (CREST): CIA-RDP89B01354R000400500002-1
Release Decision: RIPPUB
Original Classification: K
Document Page Count: 5
Document Creation Date: December 27, 2016
Document Release Date: July 29, 2013
Sequence Number: 2
Case Number:
Publication Date: December 1, 1981
Content Type: MEMO
Body: 
Declassified in Part - Sanitized Copy Approved for Release 2013/07/30: CIA-RDP89B01354R000400500002-1

DIRECTOR OF CENTRAL INTELLIGENCE
SECURITY COMMITTEE
COMPUTER SECURITY SUBCOMMITTEE

December 1981
DCISEC-CSS-M141

1. The One Hundred and Forty-First meeting of the Computer Security Subcommittee was held on 17 November 1981. The meeting was convened at 0930 and in attendance were:

Mr. Robert Graytock, Department of Justice
Mr. Carl Martz, Navy
Mr. Lynn McNulty, Department of State
Mr. Robert Storck, FBI
Mr. James Studer, Army
Mr. James Schenken, U.S. Secret Service
Mr. Lynn Culkowski, Air Force

2. The minutes from the previous meeting were reviewed; there were no changes or comments, and thus the minutes were accepted as written.

3. The discussions on the rewrite of DCID 1/16 were continued from the last meeting, at which the NSA member presented a proposed policy statement of, and approach to, the DCID. For this meeting the CIA, Army, and Department of State members were requested to be prepared to present their views/proposals. These are summarized below:

a. Department of State - Mr. McNulty stated that, after giving the problem considerable thought, he was essentially in agreement with the approach proposed by the NSA member at the previous meeting. However, he felt that it was important that the document also include:

- a statement of scope; since the scope of the document clearly has resource implications, he felt that a "bottom limit" should be defined so that it was clear as to which system types/ADP applications the document applied.

- a tie-in with other pertinent policy; the DCID should recognize other efforts within DoD, DCI, and the civil sector of the government (e.g., TM-1 of the OMB circular).

- an accountability mechanism; he felt that the present document allows individual agencies to effectively ignore the DCI's policy, and thus that it is important to incorporate a mechanism, such as periodic reporting of compliance status, accreditation actions, etc., which would provide sufficient visibility at the DCI level.

In the discussions which followed, there was general agreement on the desirability of an accounting/visibility mechanism. However, on the question of scope, some of the membership voiced the opinion that the applicability of the document should not be artificially and unnecessarily limited. They felt that the resource problem could, and should be, managed locally.

b. CIA - [name redacted] provided copies of a proposed document (copies attached), and discussed his approach. Basically, the draft provides a succinct statement of policy, to which is added sections dealing with the following topics:

- allowable modes of operation and minimum requirements;
- procurement/acquisition;
- accountability on compliance;
- memoranda of agreements for joint operations;
- reaccreditation and review of threats/vulnerabilities;
- temporary exemptions for unusual and/or emergency situations.

Comments on the proposed rewrite centered on the details of the exemption mechanism, and on the section dealing with allowable modes; basically, some of the members felt that the definition of allowable modes/minimum requirements was overly restrictive and did not allow sufficient flexibility to take into account technological innovation or environmental factors. There was additional discussion concerning what to do about word processors and stand-alone systems, with no consensus being reached.

c. Army - Mr. Studer reiterated his support for the approach proposed at the previous meeting by [name redacted]. He also discussed the specifics that needed to be appended to such a document, primarily:

- technical guidelines which allow the NFIR member to choose the combination of system features and security countermeasures required to engineer a system which satisfies, at least a minimum, and hopefully an optimum, security system, consonant with operational requirements.

- the capability to incorporate technological innovation.

In the discussion which followed, there was general agreement on the need for the DCID to be sufficiently flexible to allow case-by-case systems engineering, where warranted, to incorporate new technology and consideration for environmental factors.

d. The Chairman emphasized that the proposed rewrites and the opinions being voiced on the subject at this time were intended to be the views of the individual member only, and therefore need not have been staffed throughout the parent organization. Thus, he cautioned the membership against representing the comments/opinions expressed on this subject by any of the participants as anything but personal contributions which are intended to lead to a Subcommittee proposal for a rewrite of the DCID.

4. The Chairman thanked the Army, CIA, and Department of State members for their contributions, and asked for volunteers for presentation of further views at the next meeting. These will be the Navy, FBI, Department of Justice and the Secret Service members.

5. The next meeting was set for 0930 on Tuesday, 15 December 1981 at the [location redacted].

[name redacted]
Executive Secretary

DRAFT OF NEW DCID 1/16

- CONTENTS SIMPLIFIED: 1ST SECTION DEALING WITH POLICY AND RESPONSIBILITIES AND EXEMPTIONS; FOLLOWED BY REQUIREMENTS (CHAPTER II).

- "REQUIREMENTS" SECTION (CHAPTER II) COVERS NEW MODES TO REFLECT EXISTING ENVIRONMENT WITH MATRIX TO MAKE IT UNDERSTANDABLE.

- EXEMPTIONS FOR "OPERATIONAL" TACTICAL/STRATEGIC ELEMENTS

- NEW SECTION(S) DEALING WITH:
  - ACQUISITIONS/PROCUREMENT STD'S
  - UNCLASSIFIED PROGRAM PROCESSING RELATED TO SOFTWARE DEVELOPMENT ACTIVITY
  - MOA'S BY MEMBER AGENCIES
  - "OVER THE COUNTER" ACCESS CONTROLS
  - AREA OF MAINTENANCE/SERVICE OF EQUIPMENT
  - WORD PROCESSING EQUIPMENT
  - PROVIDING DCI "FEEDBACK" ON STATE OF ACCREDITATIONS, EXEMPTIONS

Next 15 Page(s) In Document Denied