COMPUTER SECURITY MANUAL

Document Type: 
Collection: 
Document Number (FOIA) /ESDN (CREST): 
CIA-RDP87B01034R000600010063-0
Release Decision: 
RIPPUB
Original Classification: 
C
Document Page Count: 
13
Document Creation Date: 
December 19, 2016
Document Release Date: 
November 30, 2005
Sequence Number: 
63
Case Number: 
Publication Date: 
January 4, 1983
Content Type: 
REPORT
File: CIA-RDP87B01034R000600010063-0.pdf (488.96 KB)
Body: 
Approved For Release 2006/01/03 : CIA-RDP87B01034R000600010063-0

Confidential

COMPUTER SECURITY MANUAL

Prepared for The Director of Central Intelligence by the Security Committee

Confidential
4 January 1983

COMPUTER SECURITY MANUAL
(Attachment to "Security Policy on Intelligence Information in Automated Systems and Networks")

CL BY DCI
DECL OADR

CONTENTS

CHAPTER I. Introduction (page 1)
CHAPTER II. Modes of Operation and Minimum Security Requirements for Processing and/or Storing Intelligence Information in ADP Systems (page 3)
  II.1 General Security Requirements for ADP Systems Processing and/or Storing Intelligence Information (page 3)
  II.2 Modes of Operation and Minimum Security Requirements (page 3)
CHAPTER III. ADP Networks (page 9)
  III.1 Definition (page 9)
  III.2 Responsibilities for ADP Network Security Administration (page 10)
  III.3 Accreditation Process (page 12)
  III.4 Minimum ADP Network Security Requirements (page 12)
GLOSSARY (page 15)

CHAPTER I
Introduction

I.1. Director of Central Intelligence security policy requires Intelligence Community agencies and all other United States Government departments and agencies processing and/or storing intelligence information in ADP systems and networks to establish and maintain a formal ADP security program to ensure adequate protection of intelligence information. This Manual is promulgated to establish the minimum security requirements for the allowed operating modes of an ADP system or network as defined in Chapters II and III. ADP security programs shall be based on these requirements.

I.2. All ADP systems and networks not otherwise exempted pursuant to DCI Security Policy on Intelligence Information in Automated Systems and Networks, which process and/or store intelligence information, must meet the requirements prescribed in Chapters II and III of this Manual. Accreditation, as prescribed herein, is required for the operation of each ADP system and network. The accreditation is contingent upon the results of a recurring review, testing, and favorable evaluation of employed security features. These security features shall include hardware/software features, operating procedures, accountability procedures, access controls, management constraints, physical structures, and appropriate communications security (COMSEC) measures to provide minimum security protection for intelligence information processed and/or stored by the ADP system or network.

I.3. An Information System Security Officer (ISSO) shall be appointed for each ADP system processing and/or storing intelligence information. An ISSO may serve for more than one system. Duties and responsibilities of the ISSO are specified in Chapters II and III.

I.4. The SOIC or his designee responsible for the management of an ADP network shall appoint a Network Security Officer (NSO). Duties and responsibilities of the NSO are specified in Chapter III of this Manual.
CHAPTER II
Modes of Operation and Minimum Security Requirements for Processing and/or Storing Intelligence Information in ADP Systems

Three modes of operation of an ADP system are allowed for the processing and/or storing of intelligence information. They are: (a) Dedicated Mode; (b) System High Mode; and (c) Compartmented Mode. The minimum security requirements for each mode of operation are contained in this Chapter. Chapter III identifies the requirements for ADP networks which are formed by the interconnection of ADP systems operating in any of these allowed modes.

II.1. General security requirements for ADP systems processing and/or storing intelligence information.

II.1.a. Information System Security Officer (ISSO). The ISSO is specifically responsible for ensuring continued compliance with the requirements set forth in this Manual, providing system accreditation statements, reporting major security deficiencies in system operation to the SOIC or his designee, and monitoring any changes in system operation that may affect the security status of the total system.

II.1.b. Communications Links. The communications links between all components of the ADP system shall be secured in accordance with appropriate directives for the highest classification of information designated for transmission.

II.1.c. Emanations Security Aspects. The vulnerability of system operations to exploitation through compromising emanations shall be determined in the process of system accreditation. Evaluation of the risks associated with the central computer facility and the remote terminal areas and application of control measures shall be in accordance with appropriate directives.

II.1.d. Individual Security Responsibilities. All users of the system shall be briefed on the need for exercising sound security practices in protecting the information processed and/or stored in the system, including all input and output. Users shall be informed of the security mode in which the system is operating and that the receipt of any information not specifically requested shall be reported immediately to the ISSO, or his designee.

II.1.e. Administrative Approvals. Administrative approvals (not requiring substantive briefings) may be used to grant persons access to the central computer facility and remote terminal areas when such persons do not require access to the intelligence information processed and/or stored in the system.

II.2. Modes of Operation and Minimum Security Requirements.

II.2.a. Dedicated Mode.

II.2.a(1) Intelligence information may be processed and/or stored in an ADP system operating in the Dedicated Mode; that is, the system is specifically and exclusively dedicated to, and controlled for, the processing of that one particular type of intelligence information, either for full-time operation or for a specified period of time.

II.2.a(2) Accreditation Process. The SOIC or his designee can accredit an ADP system operating in the Dedicated Mode after receiving written assurance from the computer system manager and the responsible ISSO that the ADP system meets the minimum security requirements for this mode as outlined below.

II.2.a(3) Personnel Security. All unescorted personnel requiring access to the central computer facility or any remote terminal shall have a valid security clearance and formal access approval for the one particular type of intelligence information contained within the ADP system.

II.2.a(4) Physical Security.
The central computer facility and any remote terminals connected to it shall be secured in a manner commensurate with the classification and control caveats of the one type of intelligence information contained in the system.

II.2.a(5) System. All peripheral devices not dedicated for use in the processing of the specific type of intelligence information shall be disconnected from the system in an approved manner. A controlled copy of the operating system shall be used to initialize an ADP system for processing TOP SECRET intelligence information or Sensitive Compartmented Information (SCI).

II.2.a(6) Termination of Dedicated Mode Operation. On changing from Dedicated Mode operation, all intelligence information and the media used in its processing and/or storing shall be secured or sanitized in an approved manner. An ADP system which has operated in the Dedicated Mode may then be returned to its original or different mode, as appropriate.

II.2.b. System High Mode.

II.2.b(1) Intelligence information may be processed and/or stored in an ADP system operating in the System High Mode; that is, the system is operating with security measures commensurate with the highest classification and sensitivity of the information being processed and/or stored.

II.2.b(2) Accreditation Process. The SOIC or his designee can accredit an ADP system operating in the System High Mode after receiving written assurance from the computer system manager and the responsible ISSO that the ADP system meets the minimum security requirements for this mode as outlined below.

II.2.b(3) Personnel Security. All unescorted personnel requiring access to the central computer facility or any remote terminal shall have a valid security clearance and formal access approvals for all data processed and/or stored in the ADP system. Unescorted personnel do not automatically have authorization to see or use all of the data processed and/or stored in the system. Need-to-know criteria shall apply.

II.2.b(4) Physical Security. The central computer and remote terminal facilities shall be secured in a manner commensurate with the highest classification and sensitivity of information contained in the system.

II.2.b(5) System.

II.2.b(5)(a) All terminals and peripheral devices not designated for use in the current System High Mode of operation shall be disconnected from the system in an approved manner.

II.2.b(5)(b) Authentication of remote terminals and personnel shall be performed by the system. System controls shall be in conformity with those required for the protection of the most sensitive information being processed and/or stored in the system. System controls shall consist of software, hardware, and/or other appropriate measures designed to validate the identity and file access authority of the system users.

II.2.b(5)(c) Security classification and other required control caveats shall be identified with the information and programs in the system, and appropriate labeling of the output shall be ensured.

II.2.b(6) Audit Trails. Each system shall produce, in a secure manner, an audit trail containing sufficient information to permit the ISSO to perform a regular security review of the system activity.

II.2.b(7) Termination of System High Mode Operation. On changing from System High Mode operation, all intelligence information and the media used in its processing and/or storage shall be secured or sanitized in an approved manner. An ADP system which has operated in the System High Mode may then be returned to its original or different mode, as appropriate.

II.2.c. Compartmented Mode.
II.2.c(1) SCI may be processed and/or stored in an ADP system operating in the Compartmented Mode; that is, the system is processing two or more types of SCI, or any one type of SCI with other than SCI, and system access is secured to at least the TOP SECRET level, but all system users need not necessarily be formally authorized access to all types of SCI being processed and/or stored in the system.

II.2.c(2) Accreditation Process.

II.2.c(2)(a) Only the SOIC can accredit an ADP system for operation in the Compartmented Mode.

II.2.c(2)(b) The accreditation will be based upon the results of a security analysis, test, and evaluation to assure that the ADP system meets the minimum security requirements for this mode as outlined below. The ISSO will ensure that the security analysis, test, and evaluation is carried out and the results reported along with his recommendations to the SOIC.

II.2.c(3) Personnel Security.

II.2.c(3)(a) All unescorted personnel requiring access to the central computer facility shall have a valid TOP SECRET clearance [1] and formal access approvals for all data processed and/or stored in the ADP system. Need-to-know criteria shall apply.

II.2.c(3)(b) All unescorted personnel requiring access to any remote terminal facility shall have a valid TOP SECRET clearance [2] and formal access approvals for all data designated for input/output at that terminal facility. Need-to-know criteria shall apply.

[1] Such clearance must have been granted based on the provisions of DCID 1/14, "Minimum Personnel Security Standards and Procedures Governing Eligibility for Access to Sensitive Compartmented Information," or successor policy guidance.

II.2.c(4) Physical Security.

II.2.c(4)(a) The central computer facility shall be secured in a manner commensurate with the handling of TOP SECRET material and the most sensitive intelligence information contained in the facility.

II.2.c(4)(b) Each remote terminal area will be secured in a manner commensurate with the handling of TOP SECRET material and the most sensitive intelligence information designated for input/output at that terminal facility.

II.2.c(5) System. The ADP system, through a combination of hardware and software capabilities, shall provide the requisite protection for intelligence information processed and/or stored by it. Systems not presently equipped with the required hardware/software security capabilities prescribed below must compensate for the lack thereof by the implementation of other security measures and procedures which afford the same degree of protection.

II.2.c(5)(a) All terminal and peripheral devices not designated for use in the current Compartmented Mode of operation shall be disconnected from the system in an approved manner.

II.2.c(5)(b) Authentication of remote terminals and personnel shall be performed by the system. System controls shall be in conformity with those required for the protection of the most sensitive information being processed and/or stored in the system. System controls shall consist of software, hardware, and/or other appropriate measures designed to validate the identity and file access authority of the system users.

II.2.c(5)(c) Security classification and other required control caveats shall be identified with the information and programs in the system, and appropriate labeling of the output shall be ensured.

II.2.c(5)(d) Memory Access. System hardware/software features shall exercise control over the memory locations to which a user program has access.

II.2.c(5)(e) Privileged Instructions. The system shall utilize a special class or subset of instructions to perform and control all input/output operations and changes to memory boundaries, execution state variables, data elements or tables, and files of the operating system. The operating system alone shall execute these instructions or provide access to them.

II.2.c(5)(f) Verified Response. Machine instructions/operation codes, both privileged and user, with all possible tags or modifiers, whether legal or not, shall be designed and tested to produce results in a predefined set of responses by the computer hardware/firmware.

II.2.c(5)(g) Read, Write, and Execute Privileges. The system shall enforce the read, write, and execute privileges of a user with respect to any given file.

II.2.c(5)(h) Separation of User/Privileged Modes of Operation. The user and privileged modes of system operation shall be separated so that a program operating in user mode is prevented from unauthorized utilization of privileged functions. Controls shall be implemented to maintain continued separation of these modes.

II.2.c(5)(i) Residue Clear-Out. Measures shall be implemented to ensure that residue from terminated user programs is cleared before memory and on-line storage device locations are released by the system for use by another user program.

II.2.c(5)(j) Over-the-Counter Access Control. Effective controls shall be implemented to limit over-the-counter (batch) users to authorized access to information and programs, as well as to control read and/or write access authorizations.

II.2.c(6) Audit Trails. Each system shall produce, in a secure manner, an audit trail containing sufficient information to permit the ISSO to perform a regular security review of system activity.

II.2.c(7) Termination of Compartmented Mode Operation. On changing from Compartmented Mode operation, all intelligence information and the media used in its processing and/or storing shall be secured or sanitized in an approved manner. An ADP system which has operated in the Compartmented Mode may then be returned to its original or different mode, as appropriate.

Next 4 page(s) in document exempt (25X1).

GLOSSARY

The following definitions apply to the terms used in the Computer Security Manual.

Access. The ability and the means to approach, communicate with (input to or receive output from), or otherwise make use of any material or component in an ADP system or network.

Accreditation. A formal declaration by the responsible SOIC, or his designee, as appropriate, that the ADP system or network provides an acceptable level of protection for processing and/or storing intelligence information. An accreditation should state the operating mode and other parameters peculiar to the ADP system or network being accredited.

ADP System. The central computer facility and any remote processors, terminals, or other input/output/storage devices connected to it by communications links. Generally, all of the components of an ADP system will be under the authority of one SOIC or his designee.

Authentication. A positive identification, with a degree of certainty sufficient for permitting certain rights or privileges to the person or thing positively identified.

Central Computer Facility. One or more computers with their peripherals and storage units, central processing units, and communications equipment in a single controlled area.
This does not include remote computer facilities, peripheral devices, or terminals which are located outside the single controlled area even though they are connected to the central computer facility by approved communication links.

Escort. Duly designated personnel who have appropriate clearances and access approvals for the material contained in the ADP system and are sufficiently knowledgeable to understand the security implications and to control the activities and access of the individual being escorted.

Front-end Processor. A computer associated with a host computer that performs preprocessing functions. It may perform line control, message handling, code conversion, error control, data control, data management, terminal handling, etc. (See Manual, Chapter III, Figure 1.)

Operating System (O/S). An integrated collection of service routines for supervising the sequencing and processing of programs by a computer. Operating systems control the allocation of resources to users and their programs and play a central role in assuring the secure operation of a computer system. Operating systems may perform input/output, accounting, resource allocation, compilation, storage assignment tasks, and other system-related functions.

Processing and/or Storing. All-inclusive term used to include, in addition to processing and storing, such functions as manipulating, deleting, modifying, editing, outputting, etc.

Sensitive Compartmented Information (SCI). All information and materials requiring special Community controls indicating restricted handling within present and future Community intelligence collection programs and their end products. These special Community controls are formal systems of restricted access established to protect the sensitive aspects of sources and methods and analytical procedures of foreign intelligence programs. The term does not include Restricted Data as defined in Section 11, Public Law 585, Atomic Energy Act of 1954, as amended.