DoD 5 2 2 0 . 2 2 - M - S u p 1

N A T I O N A L

I N D U S T R I A L

S E C U R I T YP R O G R A M

O P E R A T I N G

M A N U A L

S U P P L E M E N T

F e b r u a r y 1995

,

.

POLICY

THE UNDER SECRETARY OF DEFENSE

WASHINGTON, D.C. 20301-2000

December 29, 1994

FOREWORD

I am pleased to promulgate this inaugural edition of the Supplement to the National IndustrialSecurity Program Operating Manual (NISPOMSUP). It provides the enhanced security require-ments, procedures, and options to the National Industrial Security Program Operating Manual(NISPOM) for:

Critical Restricted Data (RD) classified at the Secret and Top Secret levels;

Special Access Programs (SAPS) and SAP-type compartmented efforts established andapproved by the Executive Branch;

Sensitive Compartmented Information (SCI) or other DCI SAP-type compartmented pro-grams under the Director of Central Intelligence which protect intelligence sources andmethods; and

Acquisition, Intelligence, and Operations and Support SAPS.

This Supplement is applicable to contractor facilities located within the United States, its TrustTerritories and Possessions. In cases of inconsistencies between the NISPOM (baseline) and thisSupplement as imposed by a Cognizant Security Agency (CSA), as defined herein, the Supple-ment wiH take precedence.

The NISPOM Supplement has been written as a menu of options. Throughout this NISPOMSUPit is understood that whenever a security option is specified for a SAP by the Government Pro-gram Security Officer (PSO), his or her authority is strictly based on the security menu of optionsoriginally approved in writing by the CSA, or designee. CSAS may delegate such responsibilityfor the implementation of SAP security policies and procedures. Since SAPS have varyingdegrees of security based on sensitivity and threat, all programs may not have the same require-ments. When a security option is selected as a contract requirement, it becomes a “shall” or “will”rather than a “may” in this document. Bold and italicized print denotes contractor securityrequirements, except in chapter titles and paragraphs.

The Director of Central Intelligence Directives (DCIDS), which prescribe procedures for the DCISensitive Compartmented Information (SCI) or other SAP-type DCI programs also set the upperstandard of security measures for programs covered by this Supplement. DCIDS may be used byany SAP program manager with approval from the CSA. Specific security measures that areabove the DCIDS (noted by asterisks) shall be approved by the CSA or designee.

The provisions of this NISPOMSUP apply to all contractors participating in the administration ofprograms covered by this Supplement. In cases of doubt over the specific provisions, the contrac-tor should consult the PSO prior to taking any action or expending program-related funds. Incases of extreme emergency requiring immediate attention, the action taken should protect theGovernment’s interest and the security of the program from compromise.

This NISPOMSUP is intended to be a living document. Users are encouraged to submit changesthrough their CSA to the Executive Agent’s designated representative at the following address:

Department of DefenseODTUSD(P)PSAm: Director Special ProgramsThe Pentagon, Room 3C285Washington, D.C. 20301-2200

This NISPOMSUP will be reviewed and updatedyear from the date of publication.

as necessary, but in any case no more than one

n

Waker B. SlocornbeUnder Secretary of Defense (Policy)

ii

TABLE OF CONTENTS

CHAPTER 1. GENERAL PROVISIONS AND REQUIREMENTS

Page

Section 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ................... 1-1-1Section 2. General Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ... 1-2-1Section 3. Reporting Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3-1

CHAPTER 2. SECURITY CLEARANCES

Section 1. Facility Clearances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ........2.l.lSection 2. Personnel Clearances and Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..2.2.l

CHAPTER 3. SECURITY TRAINING AND EtRIEFINGS

Section 1. Security Training and Briefings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..3.l.l

CHAPTER 4. CLASSIFICATION AND MARKING

Section 1. Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ................4l.lSection 2. Marking Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..4.2.l

CHAPTER 5. SAFEGUARDING CLASSIFIED INFORMATION

Section 1. General Safeguarding Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..5.l.lSection 2. Control and Accountability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..5.2.lSection 3. Storage and Storage Equipment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..5.3.lSection 4. Transmission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .................54.lSection 5. Disclosure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ......................5.5.lSection 6. Reproduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .................5.6.lSection 7. Disposition and Retention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..5.7.lSection 8. Construction Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..5.8.l

CHA~ER 6. VISITS and MEETINGS

Section 1. Vkits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..............................6.l.lSection 2. Meetings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ........................&2.1

CHAPTER 7. SUBCONTRACTING

Section 1. I%me Contractor Responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..7.l.l

. . .111

TABLE OF CONTENTS

.

.

Section 1.Section 2.Section 3.

Section 1.Section 2.

Section 1.

Section 1.Section 2.

Section 1.Section 2.Section 3.Section 4.Section 5.Section 6.Section 7.Section 8.

Section 1.Section 2.

Section I,

CHAPTER 1. GENERAL PROVISIONS AND REQUIREMENTS

Page

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ...................l.l.lGeneral Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-2-1

Reporting Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3-1

CHAPTER 2 SECURITY CLEARANCES

Facility Clearances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ........2.l.lPersonnel Clearances and Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..2.2.l

CHAPTER 3. SECURITY TRAINING AND BRIEFINGS

Security Training and Briefings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..3.l.l

CHAPTER 4. CLASSIFICATION AND MARKING

Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ....4-1-1

Marking Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..4.2.l

CHAPTER 5. SAFEGUARDING CLASSIFIED INFORMATION

General Safeguarding Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..5.l.lControl and Accountability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..5.2.lStorage and Storage Equipment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..5.3.lTransmission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..54.lDisclosure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ....... -.5-5-1

Reproduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..............5.6.lDisposition and Retention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-7-1

Construction Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..5.8.l

CHAPTER 6. VISITS and MEETINGS

Wits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ....... ....... 6-1-1

Meetings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

CHAPTER

Rime Contractor Responsibilities . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..&2.l

7. SUBCONTRACTING

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1-1

.Ill

1-1oo. Purpose.

Chapter 1General Provisions and Requirements

Section 1. Introduction

a.

b.

This Supplement provides special security measuresto ensure the integrity of SAPS, Critical SECRETRestricted Data (SRD), and TOP SECRET RestrictedData (TSRD) and imposes controls supplemental tosecurity measures prescribed in the NISPOM forclassified contracts. Supplemental measures fallunder the cognizance of the DoD, DCI, DOE, NRCor other CSA as appropriate. See page 1-1-2 for Fig-ure 1, SAP Government and Contractor Relation-ships. Additionally, specific contract provisionspertaining to these measures applicable to associatedunacknowledged activities will be separately pro-vided. Any Department, Agent y, or other organiza-tional stmcture amplifying instructions will beinserted imme&ately following the applicable sezu-rity options selected from the NISPOMSUP. This willfacilitate providing a contractor with a supplementthat is overprinted with the options selected.

Security Options. This Supplement contains secu-rity options from which specific security measuresmay be selected for individual programs. Theoptions selected shall be specifically addressed in theProgram Security Guide (PSG) and/or identified inthe Contract. The PSG shall be endorsed by the CSAor hislher designee, establishing the program,although, as a rule, the DCIDS sets the upper limits.In some cases, security or sensitive factors mayrequire security measures that exceed DCID stan-dards. In such cases, the higher standards shall belisted separately and specifically endorsed by theCSA creating the program and maybe reflected as anoverprint to this Supplement.

1-101. scope.

a. The policy and guidance contained herein andimposed by contract is binding upon all persons whoarc granted access to SAP information. Acceptanceof the contract security measures is a prerequisite toany negotiations leading to Program participationand accreditation of a Special Access Program Facil-ity (SAPF).

b. The following is restated from the baseline for clarity.If a contractor determines that implementation of anyprovision of this Supplement is more costly than pro-visions imposed under previous U.S. Governmentpolicies, standards, or requirements, the contractorshall notitj the Cognizant Security Agency. Con&ae-tors SW howeve~ itnpkment any such proviswnwithin three years from the date of this Suppkment,unkss a written exception is granted by the CSA.

c. The DCIDS apply to all SCI and DCI programs andany other SAP that selects them as the program secu-rity measures.

1-102. Agency Agreement SAP Program Areas. TheGovernment Agency establishing a SAP will designatea Program Executive Agent for the administration, seeu-nty, execution, and control of the SAP. The ProgramSecurity Officer (PSO), rather than the Facility CSA,will be responsible for security of the program and allprogram areas.

1-103. Security Cognizance. Those heads of Agenciesauthorized under E.O. 12356 or successor order to cre-ate SAPS may enter into agreements with the Secretaryof Defense that establish the terms of the Secretary ofDefense’s responsibilities for the SAP. When a Depart-ment or Agency of the Executive Branch retains cogni-zant security responsibilities for its SAP, the provisionsof this Supplement will apply.

1-104. Supplement Interpretations. AU contractorrequests for interpretation of this Suppkment will beforwarded to the PSO.

1-105. Supplement Changes. Users of this Supple-ment are encouraged to submit recommended changesand comments through their PSO in concurrence withthe baseline.

1-106. Waivers and Exceptions. The purpose of hav-ing a waiver and exception policy is to ensure that devi-ations from established SAP criteria are systematicallyand uniformly identified to the Government ProgramManager (GPM). Every effort will be made to avoid

1-1-1

, waivers to established SAP policies and proceduresunless they are in the best interest of the Government. Inthose cases where waivers are required, a request will besubmitted to the PSO. As appropriate, the PSO, and ifnecessary the GPM (if a different individual) will assessthe request for waiver and provide written approval. Ifdeemed necessary, other security measures whichaddress the specific vulnerability may be implemented.

1-107. Special Access Programs Categories andTypes.

a. There are four generic categories of SAPS: (1)Acquisition SAP (AQ-SAP); (2) Intelligence SAP(IN-SAP); (3) Operations and Support SAP (OS-SAP); and (4) SCI Programs (SCI - SAP) or otherDCI programs which protect intelligence sources andmethods.

b. There are two types of SAPS, acknowledged andunacknowledged. An acknowledged SAP is a pro-gram which may be openly recognized or known;however, specifics are classified within that SAP.The existence of an unacknowledged SAP or anunacknowledged portion of an acknowledged pro-gram, will not be made known to any person notauthorized for this information.

Government/Contractor Relationships

I Cognizant Security AgencyI

E Program Executive Agent - - -a)s

Government Program Manager

I

I

I Program Security Officer I

ContractingOfficer

r Contractor Program Manager

L ‘:’-6E$J Contractor Program Security OfficerF

~

Information SystemSecurity Representative’

‘ I SSR may WJ k for the CPSO, Or work a.. a peer to the CPSO for A IS purposes, depending on Program Requirements.

1-1-2

Section 2. General Requirements

1-200. Responsibilities A SAP Contractor programManager (CPM) and Contractor Program SecurityO@er (CPSO) wifl be designated by the contractor.These individuals are the primary focal points at thecontractor facility who execute the contract. They areresponsible for all Program matters. The initial nomina-tkn or appointment of the CPSO and any subsequentchanges wifl be provided to the PSO in writing. Thecriteria necessary for an individual to be nominated as

. the CPSO will be provided in the Request for Proposal(RFP). For the purposes of SAPS, the following respon-sibilities are assigned:

a. The CPM is (sometimes the same as, or in additionto a Contract Project Manager) the contractoremployee responsible fo~

(1) Overall Program management.

(2) Execution of the statement of work, contract,task orders and all other contractual obliga-tions.

b. The CPSO oversees compliance with SAP securityrequirements.

The CPSO will:

(1) Possess a personnel clearance and Programaccess at least equal to the highest level ofProgram cfassijied informatwn involved.

(2) Provide security administration and manage-ment for hidher organiwtwn.

(3) Ensure personnel processed for access to aSAP meet the prerequisite pemonnel clearanceand/or investig&”ve requirements specijied.

(4) Ensure adequate secure storage and workspaces.

(5) Ensure strkt adherence to the proviswns ofthe NISPOM and its Suppkment.

(6) When required, establish and oversee a classi-fied material control program for each SAE

(7) When required, conduct an annual inventoryof accountabk chrss&ied material

(8) When requ@ed, estiblirh a SAPE

(9) Estizb[i.rh and oversee visitor controlprogram

(10) Monitor reproduction andor duplication anddestruction capability of SAP information.

(11) Ensure adherence to special communicationscapabilities within the SAPl?

(12) Provide for initiul Progmm indoctrinatkn ofempikyees afler their access is approved;rebrief and debrief personnel as required

(13) Estlzblish and oversee spectied proceduresfor the transmission of SAP material to andfrom Program elements.

(14) When required ensure contractual spec#@esecurity requkements such as TEMPESZAutomated Information System (AIS), andOperations Security (OPSEC) are accom-plkhed.

(15) Estnblish security tmining and briefings spe-cifialfy tailored to the unique requirementsof the SAl?

1-201. *Standard Operating Procedures (SOP). TheCPSO maybe required to prepare a comprehensive SOPto implement the security policies and requirements foreach SAP. When required, SOPS will address and reflectthe contractor’s method of implementing the PSG. For-ward proposed SOPS to the PSO for approval. SOPSmay be a single plan or series of individual documentseach addressing a security function. Changes to the SOPwill be made in a timely fashion, and reported to thePSO as they occur.

1-202. Badging. Contractors performing on Programswhere all individuals cannot be personally identified,may be required to implement a PSO-approved badgingsystem.

1-203. Communications Security (COMSEC). Cfas-sifid SAP informatwn will be ekctronically transmit-ted only by approved secure communicating channelsauthorized by the PSO.

1-204. *Two-Pemon Integrity (TPI) RequirementThe TPI rule may be required and exercised only withthe Program CSA approval. This requirement does not

1-2-1

apply to those situations where one employee withaccess is left alone for brief periods of time, nor dictatethat those employees will be in view of one another.

1-205. Contractors Questioning Perceived ExcessiveSecurity Requirements. All personnel are highlyencouraged to identify excessive security measures thatthey believe have no added value or are cost excessiveand should report this information to their industry con-tracting officer for subsequent reporting through con-tracting channels to the appropriate GPM/PSO. TheGPXWPSO will respond through appropriate channels tothe contractor questioning the security requirements.

1-206. Security Reviews.

a. General. ‘I%e frequency of Industrial SecurityReviews (e.g., Reviews, evaluations, and securitysurveys) is determined by the NISPOM and will beconducted by personnel designated by the CSA.

b. Joint Efforts. In certain cases, an individual Pro-gram may be a joint effort of more than one compo-nent of the U.S. Government or more than oneelement of the same component. In such a case, oneelement will, by memorandum of agreement, takethe lead as the Cognizant Security Agency and may

have security review responsibility for the Programfacility. In order to ensure the most uniform andefficient application of security criteria, reviewactivities at contractor facilities will be consoli-dated to the greatest extent possible.

c. Prime Contractor Representative. A security representative from the prime contractor may bepresent and participate during reviews of subcon-tractors, but cannot be the individual appointed bythe CSA to conduct security reviews specified inparagraph 1-206a.

d. Review Reciprocity. In order to ensure the mostuniform and efficient application of security reviews,review rmiprocity at contractor facilities will be con-sidered whenever possible.

e. Contractor Reviews. When applicable, the U.S.Government may prescribe the intervals that the con-tractor will review their systems.

f. Team Reviews. Team Reviews maybe conducted bymore than one PSO based on mutual consent andcooperation of both the Government and the contrac-tor.

I -2-2

Section 3. Reporting Requirements

1-300. General. All reports required by the NISPOMwill be made through the PSO. In those instances wherethe report affects the baseline facility clearance or theincident is of a personnel security clearance nature, thereport will also be provided to the Facility CSA. In thoserare instances where classified program informationmust be included in the repo~ the report will be pro-vided only to the PSO, who will sanitize the re&xt andprovide the information to the CSA, if appropriate.

a. Adverse Information. Contractors will report tothe PSO any information which may adverselyrefict on the Program-briefed employee’s abii~ toproperly safeguard cLzss@ed Program infor&n.

b. SAP Non-Disclosure Agreement (NDA). A reportwiff be submitted to the PSO on an emphyee whorefuses to sign a SAP NDA.

c. Change in Employee Status. A written report of allchanges in the personal status of SAP indoctrin-ated personnel wiU be provided to the PSO. Inaddition to those changes identified in MSPOM sub-paragraph 1 -302c., include censure or probation aris-ing from an adverse personnel action, andrevocation, or suspension downgrading of a secunt yclearance or Program access for reasons other thansecurity administration purposes.

d. Employees Desiring Not to Perform on SAPClassified Work. A report will be made to thePSO upon notification by an accessed employeeor an employee for whom access has beenrequested that they no longer wish to perform onthe SAP Pending further instructions from thePSO, the report will be destroyed in 30 days.

e. *Foreign Travel. The PSO may require reports of alltravel outside the continental United States, Hawaii,Alaska and the U.S. possessions (i.e., Puerto Rico)except same-day travel to border areas (i.e., Canada,Mexico) for Program-accessed personnel. Suchtravel is to be reported to the CPSO, and retained forthe life of the Contract/Program travel. Travel byProgram-briefed individuals into or through coun-tries determined by the CSA as high-risk areas,should not be undertaken without prior notification.A supplement to the report outlining the type andextent of contact with foreign nationals, and anyattempts to solicit information or establish a continu-ing relationship by a foreign national may berequired upon completion of travel.

f. Arms Control Treaty Viiits. The GPM and PSOwdl be not@ed in advance of any Arms ControlTreaty Visits. Such reports permit the GPM and PSOto assess potential impact on the SAP activity andeffectively provide guidance and assistance.

g. LMgation. Litigation or public proceedings whichmay involve a SAP wiU be reported. These includelegal proceedings and/or administrative actions inwhich the prime contractor, subcontractors, or Gov-ernment organizations and their Program-briefedindividuals are a named party. The CPSO wiil reportto the PSO any litigation actions thut may pertainto the SAR to include the physical environments,fmilities or personnel or as otherwire duected bythe GPM.

1-301. Security Violations and Improper Handing ofClassified Information. Requirements of the NISPOMbaseline pertaining to security violation are applicable,except that all communications will be appropriatelymade through Program Security Channels within 24hours of discovery to the PSO. The PSO must promptlyadvise the Facility CSA in all instances where nationalsecurity concerns would impact on collateral securityprograms or clearances of individuals under the cogni-zant of the Facility CSA.

a. Security Violations and Infractions

(1) Security Violation. A security violation is anyincident that involves the loss, compromise, orsuspected compromise of classified information.Security violations will be immediatelyreported within 24 hours to the PSO.

(2) Security Infraction. A security infraction is anyother incident that is not in the best interest ofsecurity that does not involve the loss, compro-mise, or suspected compromise of classifiedinformation. Security infractions will be doc-umented and made available for review bythe PSO during visits.

b. Inadvertent Disclosure. An inadvertent disclosure isthe involuntary unauthorized access to classified SAPinformation by an individual without SAP accessauthorization. Personnel determined to have hadunauthorized or inadvertent access to classified SAPinformation (1) should be interviewed to determinethe extent of the exposing, and (2) maybe requested tocomplete an Inadvertent Dkclosure Oath.

1-3-1

(1) If during emergency response situations, guardpersonnel or local emergency authorities (e.g.,police, medical, fire, etc.) inadvertently gainaccess to Program material, they should be inter-viewed to determine the extent of the exposure.If circumstances warran~ a preliminary inquirywill be conducted. Men in doubt, contact thePSO for advice.

(2) Refisal to sign an inadvetient disclosure oathwill be reported by the CPSO to the PSO.

(3) Contractors shaU report ail unauthorized dk-closures involving RD or Formerly RestrictedData (FRD) to Department of Energy @OE)or Nuclear Regulatory Commisswn (NRC)through their CSA.

1-3-2

Chapter 2Security Clearances

Section 1. Facility Clearances

2-100. General. Contractors will possess a FacilitySecurity Clearance to receive, generate, use, and storeclassified information that is protected in SAPs.

a.

b.

c.

If a facility clearance has already been granted, theSAP Program Executive Agent may carve in theFacility CSA. The agreement entered into by theSecretary of Defense (SECDEF) with the otherCSA’S will determine the terms of responsibility forthe Facility CSA with regard to SAP programs. Dueto the sensitivity of some SAPS, the program may becarved out by the Executive Agent designated by theCSA.

The CPSO shall notify the PSO of any activity whichaffects the Facility Security Clearance, (FCL).

In certain instances, security and the sensitivity ofthe project may require the contract and the associa-tion of the contractor with the Program CSA berestricted and kept at a classified level. The existenceof any unacknowledged effort, to include its SAPF,will not be released without prior approval of thePso.

2-101. Co-Utilization of SAPF. If multiple SAPS arelocated within a SAPF, a Memorandum of Agreement(MOA) shall be written between government programoffices defining areas of authorities and responsibilities.The first SAP in an area shall be considered to be thesenior program and therefore the CSA for the zoneunless authority or responsibility is specifically dele-gated in the MOA. The MOA shall be executed prior tothe introduction of the second SAP into the SAPF.

2-102 Access of Senior Management Officials. Onlythose Senwr Management O~ials requiring informu-twn perkzining to the SAP shall be processed SAPaccess.

2-103. Facility Clearances for Multifacility Organi-zations.

a.

b.

When cleared employees are located at unclearedlocations, the CPSO may designate a cleared mana-gement official at the uncleared location who shall:

(1)

(2)

(3)

Process classified visit requests, conduct initialor recurring briefings for cleared employees, andprovide written confirmation of the briefing tothe CPSO.

Implement the reporting requirements of theNISPOM and this Supplement for all clearedemployees and furnish reports to the CPSO forfurther submittal to the CSA.

Ensure compliance with all applicable measuresof the NISPOM and this Supplement by allcleared employees at that location.

If a cleared management official is not available atthe uncleared location, the CPSO (or designee) shallconduct the required briefing during visits to theuncleared location or during employee visits to thelocation or establish an alternative procedure withCSA approval.

2-1-1

Section 2. Personnel Clearances and Access

2-200. General. This section establishes the require-ments for the selection, processing, briefing, anddebriefing of contractor personnel for SAPS.

2-201. Program Accessing Requirements and Proc-edures.

a. The individual wiU have a valid need-to-know(NTK) and will materially and directly con~”bute hthe Program,

b. The individual will possess a minimum of a cur-rent, jinal SECRET security ckaranee or meet theinvestigative criteria required for the kvel ofaccess. If a person’s periodic reinvestigation (PR) isoutside the five-year scope and all other access pro-cessing is current and valid, the PSO may authorizeaccess. However, the individual will be immediatelyprocessed for either a Single Scope BackgroundInvestigation (SSBI) or National Agency Check withCredit (NACC) as required by the level of clearanceor as otherwise required by the contract.

c. The contractor will nominate the individucd andprovide a description of the NTK just@xtion. TheCPM will concur with the nomination and verifiProgram contribution by signature on the ProgramAccess Request (PAR). The CPSO wilI complete thePAR and review it for accuracy ensuring aUrequired signatures are present. The CPSO signa-ture verifies that the security clearance and investiga-tive criteria are accurate, and that these criteriasatisfy the requirements of the Program. Informationregarding the PAR may be electronically submitted.While basic information shall remain the same, sig-natures may not be required. The receipt of the PARpackage via a preapproved channel shall be consid-ered sufficient authentication that the requiredapprovals have been authenticated by the CPSO andcontractor program manager.

d. Access Criteria and Evaluation Process. In orderto eliminate those candidates who clearly will notmeet the scope for access and to complete the Per-sonnel Security Questionnaire (PSQ), access evalua-tion may be required. In the absence of writteninstructions from the contracting activity, the evalua-tion process will conform to the following guide-lines:

(1) Evaluation criteria will not be initiated at thecontractor level unless both the employee andcontractor agree.

(2) Contractors will not perform access evaluationfor other contractors.

(3) Access evaluation criteria will be specific andwill not require any analysis or interpretation bythe contractor. Access evaluation criteria will beprovided by the government as required.

(4) Those candidates eliminated during this processwill be advised that access processing has termi-nated.

e. Submit a Letter of Compelling Need or other docu-mentation when requested by the PSO.

f. Formats required for the processing of a SAP accessfall into two categories: those required for the con-duct of the investigation and review of the individ-ual’s eligibility, and those that explain or validate thei ndividual’s NTK. These constitute the PAR package.The PAR package used for the access approval andNTK verification will contain the following: the PARand a recent (within 90 days) PSQ reflecting pen andink changes, if any, signed and dated by the nominee.

g. Once the PAR package has been completed, theCPSO will forward the candidate’s nomination pack-age to the PSO for review:

(I) The PSO will review the PAR package anddetermine access eligibility.

(2) Access approval or denial will be determined bythe GPM and/or access approval authority.

(3) The PSO will notify the contractor of accessapproval or denial.

(4) Subcontractors may submit the PAR package tothe prime. The prime will review and concur onthe PAR and forward the PAR and the unopenedPSQ package to the PSO.

2-2- I

h. SCI access will follow guidelines established inDCID 1/14.

2-202. Supplementary Measures and Polygraph.

a. Due to the sensitivity of a Program or criticality ofinformation or emerging technology, a polygraphmay be required. The polygraph examination will beconducted by a properly trained, certified, U.S. Gov-ernment Polygraph Specialist. If a PR is outside the5-year investigative scope, a polygraph maybe usedas an interim basis to grant access until completionof the PR.

b. There are three categories of gmlygraph: Counterin-telligence (CI), Full Scope (CI and life style), andSpecial Issues Polygraph (SIP). The type of poly-graph conducted will be determined by the CSA.

2-203. Suspension and Revocation. All PSO directionto contractors invoIving the suspension or revocation ofan employee’s access will be provided in writing and ifappropriate, thru the contracting officer.

2-204. Appeal Process. The CSA will establish ana p p e a l p r o c e s s .

2-205. Agent of the Government- The Government maydesignate a contractor-nominated employee as an Agentof the Government on a case-by-case basis. Applicabletraining and requirements will be provided by the Gov-ernment to contractor designated as Agents of the Gov-ernment.

2-206 Access Rwter or Lwt Current access rostersof Program-briefed individuals are required at eachcontractor location. They should be properly protectedand maintained in accordance with the PSG. The accessroster should be continually reviewed and reconciled forany discrepancies. The data base or listing may containthe name of the individual organization, position, billetnumber (if applicable), level of access, social securitynumber, military rarddgrade or comparable civilian rat-ing scheme, and security clearance information. Secu-rity personnel required for adequate securdy oversightwill not count against the billet structure.

2-2-2

Chapter 3Security Training and Briefings

Section 1. Security ‘Ihining and Briefings

3-100. General. Every Special Access Program (SAP)wiU have u Security Training and Brkfing Progmm.As a minimum, SAP-indoetrinated personnel will beprovided the same or similar training and briefings asoutlined in the baseline NISPOM. In addition, CPSOSresponsibk for SAPS at contractor fuilhies wiU estab-lish a Security ZMucation Progmm to meet any spectficor unique requirements of individual speciirl accessprograms. Topics which will be addressed, if appropr-iate to the facility or the SAP(s), include:

a. Security requirements unique to SAPS;

b. Protection of classified relationships;

c. Oprations Security (OPSEC);

d. Use of nicknames and code words;

e. Use of special transmission methods;

f. Special test-range security procedures;

g. Procedures for unacknowledged SAP security. Anunacknowledged SAP will require additional secu-rity training and briefings, beyond that required inthe baseline. Additional requirements will be speci-fied in the Contract Security Classification Specifica-tion and will address steps necessary to protectsensitive relationships, locations, and activities.

h. Specific procedures to report fraud, waste, andabuse.

i. Computer security education that is to include opera-tional procedures, threats, and vulnerabil ities.

j. Writing unclassified personnel appraisals andreviews.

k. Third-Party Introductions. The purpose of the Third-Party Introduction is to provide a clearance. and/oraccess verification to other cleared personnel. Theintroduction is accomplished by a briefed third party,who has knowledge of both individual’s access.

3-101. Security ‘lhiiing. The CPSO wifl ensure thatthe foUowing security training meosures are imple-mented:

a. Initial Program Security Indoctrinatwn. Everyindividual accessed to a SAP wiU be given an initialindoctrination. The briefing wiU ckarly tientrfi theinformation to be protected, the reasons why thisinformatkn requires protection, and the need toexecute a NDA. The individual will be properlybriefed concerning the security requirements forthe Program, understand their particular secu-rity responsibilities, and will sign a NDA. TMindoctrination is in addition to any other briefingrequired for access to collateral classified or com-pany proprietary information. It will be the responsi-bility of the PSO to provide to the contractorinformation as to what will be included in the initialindoctrination to include fraud, waste, and abusereporting procedures.

b. Professionalized AIS training maybe required of allcontractor Information Systems Security Representa-tives (ISSRS) to ensure that these individuals havethe appropriate skills to perform their job functionsin a competent and cost-effective manner. This train-ing will be made available by the CSA. The trainingshould consist of, but not be limited to, the followingcriteria:

(1) Working knowledge of all applicable andnational CSA regulations and policies includingthose contained in this supplement;

(2) Use of common Information Security(INFOSEC) practices and technologies;

(3) AIS certification testing procedures;

(4) Use of a risk management methodology;

(5) Use of configuration management methodology.

3-1-1

3-102. Unacknowledged Special Access Programs(SAP). Unacknowledged SAPS require a significantlygreater degree of protection than acknowledged SAPS.Special emphasis should be placed on:

a. My the SAP is unacknowledged;

b. Classification of the SAl+

c. Approved communications system;

d. Approved transmission systems;

e. V]sit procedures;

f. Specific program guidance.

3-103. Refresher Briefings. Every accessed inalvidudwiU receive an annual refresher bn-efig from theCPSO to include the folbwing, as a minimum:

a. Review of Program-unique security directives orguidance;

b. Review of those elements contained in the originalNDA.

Note. The PSO may require a record to be maintained ofthis training.

3-104. Debriefing and/or Access Termination. Per-sons briefed to SAPS will be debriefed by the CPSO orhis designee. The debrie~ng will include as a mini-mum a reminder of each individual’s responsibili-ties according to the NDA which states that theindividual has no Program or Program-relatedmaterhd in his/her possession, and that helsheunderstands his/her responsibilities regarding thedisclosure of classi~ed Program information.

a. Debriefings should be conducted in a SAPF, Sensi-tive Compartmented Information Facility (SCIF), orother secure area when possible, or as authorized bythe PSO.

b. Procedures for debriefing will be amanged to alloweach individual the opportunity to ask questions andreceive substantive answers from the debriefer.

c. Debriefing Ackno wledgments will be used and exe-cuted at the b-me of the debriefing and include thefollowing:

(1) Remind the individual of hi.dher continuingobligations a~eed to in the SAP NDA.

(2) Remind the individual that the NDA is a legalcontract between the individual and the U.S.Government.

(3) Advise that aU classified informatiim to includeProgram information is now and forever theproperty of the U.S. Government.

(4) Remind the individual of the penalties for espi-onage and unauthorized disclosure as con-ku”ned in Tides 18 and 50 of the U.S. Code. Thebriefer should have these documents avaikzblefor handout upon request Require the individ-ual to sign and agree that questions about theiVDA have been answered and that Tides 18and 50 (U.S. Codes) were made avaihzble andunderstood.

(5) Remind the individual of his/her obligation notto discuss, publish, or otherwise reveal infor-mation about the Program. The appearance ofProgram information in the public domaindoes not constitute a de facto ret%ase from thecontinuing secrecy agreement.

(6) Advtie thut any future questwns or concernsregarding the Program (e.g., soltiitations forinformatwn, approval to publish materialbased on Program knowledge and/or experi-ence) wiU be directed to the CPSO. The indi-vidual will be provided a telephone number forthe CPSO or PSO.

(7) Advise that each provision of the agreement isseverable, i.e., if one proviswn is declaredunenforceable, all others remain in force.

(8) Emphasize that even though an individualsigns a Debriejlng Ackno wledgment Statement,he/she is never released from the originalNDA/secrecy agreement unless specificallynotijied in writing.

d. Verify the return of any and all SAP classified mate-rial and unclassified Program-sensitive material andidentify all security containers to which the individ-ual had access.

3-1-2

e. When debriefed for cause, include a brief statementas to the reason for termination of access and notifythe PSO. In addition the CPSO will notify all agen-cies holding interest in that person’s clearance/accesses.

f. The debriefer will advise persons who refuse to signa debriefing acknowledgment that such refusal couldaffect future access to special access programs and/or continued clearance eligibility. It could be causefor administrative sanctions and it will be reported tothe appropriate” Government Clearance Agency.

g. Provide a point of contact for debriefed employees toreport any incident in the future which might affectthe security of the Program.

3-105. Administrative Debriefings. Efforts to have allProgram-briefed personnel sign a Debriefing Acknowl-edgment Statement may prove ditlicult. If attempts tolocate an individual either by telephone or mail are notsuccessful, the CPSO should prepare a DebriefingAcknowledgment Statement reflecting the individualwas administratively debriefed. The DebriefingAcknowledgment Statement will be forwarded to thePSO. The CPSO will check to ensure that no Programmaterial is charged out to, or in the possession of thesepersons.

3-106. Recognition and Award Program. Recognitionand award programs could be established to single outthose employees making significant contributions toProgram contractor security. If used, CPSOS will reviewaward write-ups to ensure recommendations do not con-tain classified information.

3- I -3

Chapter 4Classification and Markings

Section 1. Classification

Challenges to Classification. AU challenges to SAPdassijied information andor material shall be for-warded Uwwugh the ,CPSO to the PSO to the appropri-@? Government contracting activity. AU suchchallenges shaU remain in I%ogram channelk

4-1-1

Section 2. Marking Requirements

4-200. General. Ckmsijied material that is developedunder a SAP will be marked and controlled inaccordance with the NISPOM, this Supplement, theProgram Security Classification Guide, and otherProgram guidance as directed by the PSO.

4-201. Additional Provisions and Controls. The PSOmay specify additional markings to be applied to SAPworkkg papers based on the sensitivity and criticality ofthe Program, when approved by the CSA.

4-202. Engineer’s Notebook. An engineer’s notebookis a working record of continually changing Programtechnical data. It should NOT include drafts of corre-spondence, reports, or other materials. The outer coverand first page will be marked with the highest chmsi-jication level contained in the notebook. Portionmarking or numbering is not required. Other require-ments pertaining to these notebooks may be imposed bythe PSO.

4-203. Cover Sheets. Cover sheets will be applied toSAP documents when the documents are created ordistributed. NOTE: CODE WORDS WILL NOT BEPR{NTED ON THE COVER SHEETS. The unclassi-fied nickname, digraph, or trigraph may be used.

4-204. Warning Notices. Generally, Program classi-fied marking and transmission requirements willfollow this Supplement. Transmission of Program orProgram-related material will be determined by thePSO. Besides the cfassijications markings, innercontainers will be marked:

“TO BE OPENED ONLY BYS’ followed by thename of the individual to whom the material is sent.A receipt may be required. Apply the following mark-ings on the bottom center of the front of the inner con-tainec

. .

WARNING

THIS PACKAGE CONTAINS CLASSIFIED U.S.GOVERNMENT INFORMATION. TRANSMISSIONOR REVELATION OF THIS INFORMATION INANY MANNER TO AN UNAUTHORIZED PERSONIS PROHIBITED BY TITLE 18, U.S. CODE, SEC-TION 798 (OR TITLE 42, SECTION XX FOR RD ORFRD MATERIAL). IF FOUND, PLEASE DO NOTOPEN. “CALL COLLECT” THE FOLLOWING NUM-BERS, (area code) (number) (PSO/CPSO work number)DURING WORKLNG HOURS OR (area code) (num-ber) (PSO/CPSO) AFTER WORKING HOURS.

4-2- I

Chapter 5Safeguarding Classified Information

Section 1. General Safeguarding Requirements

5-100. General. Classified and unclassified sensitiveSAP material must be stored in SAP CSA approvedfacilities only. Any deviations must have prior approvalof the SAP CSA or designee.

5-1-1

Section 2. Control and Accountability

5-200. General. Contractors shall develop and main-kizin a system that enabkks control of SAP classifiedinformation and unckwified Program sensitive infor-matiim for whikh the contractor is responsible.

5-24)1. Accountability. Accountability of ckssijied SAPmaterial shaU be determined and approved in writingby the CSA or designee at the time the SAP is approved.A separate accountability control system may berequired for each SAP.

5-203. Collateral classified material required to supporta SAP contract may be transferred withk SAP controls.Transfer will be accomplished in a manner that willnot compromise the SAP or any classified information.The PSO wh’lprovide oversight for cokteral classifidmaterial maintained in the SAP Collateral classifiedmaterial generated during the performance of a SAPcontract may be transferred from the SAP to the con-tractor’s collateral classified system. The precautionsrequired to prevent compromise will be approved by thePso.

5-202. Annual Inventory. An annual inventory of ac-countable SAP classified material may be required. Theresults of the inventory and any discrepancies may berequired to be reported in writing to the PSO.

5-2-1

Section 3. Storage and Storage Equipment

(not further supplemented)

5-3-1

Section 4. Transmission

5-400. General. SAP clhssijied material shall be tmns-mitted outside the contractor’s fmility in a mannerthat prevents /0ss or unauthorized access.

5-401. Preparation. AU cfassifwd SAP material will beprepared, reproduced and packaged by Progmm-briefed personnel in approved Program fmilities.

5-402. Couriers. The PSO through the CPSO will pro-vide detaikd courier instructions to couriers whenhand-carrying SAP material The CPSO will provtiethe courier with an authorization letter. Report anytravel anomalies to the CPSO as soon as practical. TheCPSO will notify the PSO.

5-403. Secure Facsimile an#or Electronic Transmis-sion. Secure facsimile and/or electronic transmissionencrypted communications equipment may be used forthe transmission of Program classified information.

When secure facsimile andor ekctronic transmissionis permitted the PSO or other Government cognizantsecurity reviewing activity will approve the system inwriting. Transmission of classified Program material bythis means may be reeeiptcd for by an automated systemgenerated message that transmission and receipt hasbeen accomplished. For TOP SECRET documents areceipt on the secure facsimile may be required by thePso.

5-404. U.S. Postal Mailing. A U.S. Postal mailing chan-nel, when approved by the PSO, may be established toensure mail is receiwxi only by appropriately cleared andaccessed peisonnel.

5-405. TOP SECRET Transmisdon. TOP SECRET(TS) SAP will be transmitted via secure &ti transmis-sion or via Defense Courkr Service unless othermeans have been authorized by the PSO.

5-4-1

Section 5. Disclosure

5-500. Release of Information. Public rehmse of SAPinfor&n is not authorized without written authorityporn the Government as provided for in U.S. Code,Titles 10 and 42. Any attempt by unauthorized person-nel to obtain Program information and sensitive datawill be reported immediately to the Government Pro-gram Manager (GPM) through the PSO using approvedsecure communication channels.

5-5-1

Section 6. Reproduction

5-600. General. Program material will be repro-duced on equipment specifically designated by theCPSO and may require approval by the PSO. TheCPMS and CPSOS may be required to prepare writtenreproduction procedures.

5-601. The PSO or designee may approve reproductionof TS material.

5-6-1

Section 7. Disposition and Retention

5-700. Deposition. CPSOS may be required to inven-tory, dispose of, request retention, or return for disposi-tion all classified SAP-related material (including AISmedia) at contract completion and/or close-out. Requestfor proposal (RFP), solichiztion, or bid and proposalcolkteral classified and unchass#ied material con-tm”ned in Programfiks will be reviewed and screenedto determine appropriate disposition (Le., destruction,request for retention). Disposition recommenddionsby categories of information or by document controlnumbeq when required, will be submitted to the PSOfor concurrence. Requests for retention of ck.@edinformation (SAP and non-SAP) will be submitted tothe Contracting O@ceq through the PSO for reviewand approval. Requirements for storage and control ofmaterkls approved for retention will be approved bythe Pso.

5-701. Retention of SAP Material. The contractor maybe required to submit a request to the ContractingOfficer (CO), via the PSO, for authority to retain classi-fied material beyond the end of the contract perfor-mance period. The request will also include anyretention of Program-related material. The contractorwill not retuin any Program information unless spec$ically authorized in writing by the Contracting Ojjicer.Storage and control requirements of SAP materi.n?swill be approved by the PSO.

5-702. Destruction. Appropriately indoctrinated per-sonnel shall ensure the destruction of cfass~ed SAP&zkz. The CSA or designee may determine that two per-sons are required for destruction. Nonaccountable wasteand unclassified SAP material may be destroyed by asingle Program-briefed employee.

5-7-1

Section 8. Construction Requirements

5-800. General. Establishing a Special Access Pro-gram Facility (SAPF). Prior to commencing work on aSAP, the contractor may be required to establish anapproved SAPF to afford protection for Program classi-fied information and material. Memorandums of Agree-ment (MOA) are required prwr to allowing SAPS withdiflerent CSAS to share a SAPl?

5-801. Special Access Program Facility.

a. A SAPF is a program area, room, group of rooms,building, or an enclosed facility accredited by thePSO where classified SAP Program business is con-ducted. SAPFS will be afforded personnel accesscontrol to preclude entry by unauthom”zed person-nel Non-accessed persons entering a SAPF will beescorted by an indoctn”nated person.

b. A Sensitive Compartmented Information Facility(SCIF) is an area, room, building, or installation thatis accredited to store, use, discuss, or electronicallyprocess SCI. The standard and procedures for a SCIFare stated in DCIDS 1/19 and 1/21.

c. SAPFS accredited prior to implemen~”on of thisSupplement will retain accreditatwn until nolonger required or recertl>cation is required due tomajor modification of the external perimeteq orchanges to the Intruswn Detectwn System (IDS),which affects the physical safeguarding capabilityof the facility.

d. Physical security stindards will be stated in theGovernment’s RF~ RFQ, contract, or other pre-contract or contractual document.

e. The need-to-know (NTK) of the SAP effort maywarrant establishment of multi-compartments withinthe same SAPF.

f. *There may be other extraordinary or unique circum-stances where existing physical security standardsare inconsistent with facility operating requirements,for example, but not limited to, research and testfacilities or production lines. Physical securityrequirements under these circumstances will beestablished on a case-by-case basis and approvedby the PSO/Contracting O@cer, as appropriate.(Note: as approved by the CSA at establishment ofthe SAR)

g. The PSO will determine the appropriate securitycountermeasures for discussion areas.

5-802. Physical Security Criteria Standar&

a. DCID 1/21 standasds may apply to a SAPF whenone or more of the following criteria are applicable:

(1) State-of-the-art technology as determined byCSAS to warrant enhanced protection.

(2) Contractor facility is known to be working onspecific critical technology.

(3) Contractor facility is one of a few (3 or less)known facilities to have the capability to workon specific critical technology.

(4) TOP SECRET or SECRET material is main-tained in open storage.

(5) A SAPF is located within a commercial build-ing, and the contractor does not control all adja-cent spaces.

(6) SCI or Intelligence Sources and methods areinvolved.

(7) Contractors or technologies known to be a targetof foreign intelligence services (FIS).

b. The NISPOM baseline closed area constructionrequirements with Sound Transmission Class (STC)in accordance with DCID 1/21, Annex E and intru-sion alarms in accordance with Annex B, DCID 1/21may apply to a SAPF when one of the following cri-teria are applicable.

(1) Not state-of-the-art technology and the technol-ogy is known to exist outside U.S. Governmentcontrol.

(2) The SAP is a large-scale weapon system pro-duction program.

(3) No open storage of Confidential SAP material ina secure working area unless permitted by thePSO on a case-by-case basis.

5-8-1

(4) A SAPF located within a controlled access area.

(5) Intelligence related activities.

c. The PSO may approve baseline closed area construc-tion requirements as an additional option for someSAP program areas.

5-803. SAP Secure Working Area. The PSO may ap-prove any facility as a SAP Secure Workhg Area. Vkmaland sound protection may be provided by a mix of phys-ical construction, perimeter control, guards, and/or in-doctrinated workers.

5-804. Temporary SAPF. The PSO may accredit a tem-porary SAPF.

5-S05. Guard Response.

a.

b.

c.

Response to ahums will be in accordance withDCID 1/21, or

The AVSPOM

Response personnel will remain at the scene untilrekased by the CPSO or designated representative.

NOTE: The CPSO will immediately provide no@ica-tion to the PSO if there is evidence of forced entry,with a wrilten report to follow within 72 hours.

5-806. Facility Accreditation.

a Once a facility has been accredited to a stated levelby a Government Agency, that accreditation shouldbe accepted by any subsequent agency.

b.

c.

For purposes of co-utilization, costs associated withany security enhancements in a SCIF or SAPF abovepreexisting measures may be negotiated for reim-bursement by the contractor’s contracting officer ordesignated representative. Agreements will be nego-tiated between affected organizations.

If a rwevwuslv accredited SAPF becomes inactive~or a-period n;t to exceed one year, the SAPaccred-itation will be reinwlzted by the gaining accreditingagency provided the following is true:

(1)

(2)

(3)

(4)

The threat in the environment sumounding theSAPF has not changed;

No modifications have been made to the SAPFwhich affect the level of safeguarding;

The level of safeguarding for the new Programis comparable to the previous Program;

The SAPF has not lost its SAP accreditationintegrity and the contractor has maintained con-tinuous control of the facility.

A technical surveillance countermeasure survey(TSCM) maybe required.

(5)

NOTE: Previously granted waivers are subject to nego-tiation.

5-807. Prohibited Items. Items that constitute a threatto the security integrity of the SAPF (e.g., cameras orrecording devices) are prohibited unless authorized bythe PSO. All categories of storage media entering andleaving the SAPFS may require the PSO or his/her des-ignated representative approval.

5-8-2

Chapter 6Visits and Meetings

Section 1. Vkits

6-100. General. A visit certzfiation request for aUProgram vi..wls will he made prior to a visit to a Pro-gram f(dity. W%en telephone requests are made, asecure telephone should be used whenever possible.Visit requests will be handled exclusively by the cogni-zant CPSO or designated represen~”ve. The GPM orPSO or his/her designated representative will approveall visits between Program activities. However, visitsbetween a pn”me contractor and the prime’s subcon-tractors and approved associates wti be approved bythe CPSO. Twelve-month visit requests are not autho-rized unless approved by the PSO.

6-101. V&t Request Procedures. All visit requests wdlbe sent only via approved channels. In addition to theNISPOM, the follo wing a&tional information for vis-its to a SAPF will include:

a. Name and tekphone number of individual (notorganizatwn) to be visited;

b. Designatwn of person as a Program courier whenapp[icab[e; and

c. Verijlcation (e.g., signature) of the CPSO or desig-nated representative that the visit request informa-twn is correct.

6-102. Terminatwn ana70r Cancellation of a VisitRequest. If a person is debriefed @om the Programprior to expiration of a visit cert@tion, or if cancel-latwn of a current visit certijicatwn is otherwiseappropriate, the CPSO/FSO or hidher designated rep-resentative will immediately notifi all recipients of thecancellation or terrninadon of the visit request.

6-103. Viiit Procedures.

a. Identification of Visitors. An oj&al photographif iakntijication such as a valid driver’s license isrequired

b. Extension. When a visit extends past the date on thevisit certification, a new visit request is not requiredif the purpose remains the same as that stated on thecurrent visit request to a specific SAPF.

c. Rescheduling. When a rescheduled visit occurs aftera visit request has been received, the visit certificationwill automatically apply if the visit is rescheduledwithin thirty days and the purpose remains the same.

d. Hand-carrying. It is the responsibility of the hostCPSO to contact the visitor’s CPSO should the visi-tor plan to hand-cany classified material. CPSOSwill use secure means for no@ication. In emer-gency situations where secure communications arenot available, contact the PSO for instructions.When persons return to their facility with SAPmaterial, they will relinquish custody of the mate-rial to the CPSO .or designated represenkzti.ve.Arrangements will be made to ensure appropriateovernight storage and protection for materialreturned ajler close of business.

6-104. Collateral Clearances and Special Access Pro-gram Vkit Requests. Collateral clearances and SAPaccesses may be required in conjunction with the SAPvisit. If access to collateral classified information isrequired outside the SAPF, then the CPSO can certifyclearances and accesses as required within the facility.Certification will be based on the SAP visit request -received by the CPSO. The CPSO will maintain therecord copy of the visit certification. SCI visit certifica-tion will be forwarded through appropriate SCI channels.

6-105. Non-Program-Briefed Visitors. Zn instanceswhere entry to a SAPF by non-Program-briefed per-sonnel is requued (e.g., maintenance, repair), they willcomplete and sign a visitor’s record and will beescorted by a Program-briefed person at all times. San-itizdon procedures will be implemented in advance toensure that personnel terminate ciassijied discussionsand other actwns and protect SAP information when-ever a non-briefed wkitor is in the area. If mainte-nance is required of a classified device, the unclearedmaintenance person shall be escorted by a Program-briefed, technically knowledgeable individual Everyeffort shouhi be made to have a technically knowledge-able Program-briefed person as an escort.

6-1-1

6-106. Viiitor Record. *The PSO may require theCPSO to establish a Program visitor’s reeord. Thisrecord wilf be maimizined inside the SAPF, and reten-tion may be required.

6-1-2

Section 2. Meetings

(not further supplemented)

6-2-1

Chapter 7Subcontracting

Section 1. Prime Contracting Responsibilities

7-100. General. This section addresses the responsibili-ties and authorities of prime contractors concerning therelease of classified SAP information to subcontractors.Prior to any release of classified information to a pro-spective subcontractor, the prime contractor will deter-mine the scope of the bid and procurement effort. Primecontractors will use extreme caution ,when conductingbusiness with non-l%ogram-bnefed subcontractors topreclude the release of information that would divulgeProgram-related (classified or unclassified Program sen-sitive) information.

7-101. Determinhg Clearance Status of ProspectiveSubcontractors. AU prospective subcontractor person-nel wiZl have the appropriate secun”ty clearance andmeet the investigative criteria as speczjied in this Sup-plement prior to being briefed into a SAP The eligibil-ity criteria will be determined in accordance with theNISPOM and thk Supplement. For acknowledged Pro-grams, in the event a prospective subcontractor does nothave the appropriate security clearances, the prime con-tractor will request that the cognizant PSO initiate theappropriate security clearance action. A determinationwill be made in coordination with the PSO as to the lev-els of facility clearance a prospective subcontractorfacility has for access to classified information and thestorage capability level.

7-102. Security Agreements and Briefings. In the pre-contract phase, the prime contractor wil I fully advise theprospective subcontractor (prior to any release of SAP

? information) of the procurement’s enhanced specialsecurity requirements. Arrangements for subcontractorProgram access will be pre-coordinated with the PSO.When approved by the PSO, the prime contractor CPSOwill provide Program indoctrinations and obtain NDAsfrom the subcontractors. A security requirements agree-ment will be prepared that specifically addresses thoseenhanced security requirements that apply to the sub-contractor. The security requirements agreement mayinclude the fol!owing elements, when applicable:

a. General Security Requirements.

b.

c.

d.

e.

f.

g.

h.

i.

j.

k.

1.

m.

Reporting Requirements.

Physical andlor Technical Security Requirements.

Release of Information.

Program Classified Control or Accountability.

Personnel Access Controls.

Security Classification Guidance.

Automated Information System.

Security Audits and Reviews.

Program Access Criteria.

Subcontracting.

Transmittal of Program Material.

Storage.

n. Testing and/or Manufacturing.

o. Program Travel.

p. Finances.

q. Sanitization of Classified Material.

r. Security Costs and Charging Policy.

s. Fraud, Waste, and Abuse Reporting.

t. Test Planning.

u. OPSEC.

v. TEMPEST.

7-1-1

7-103. Transmitting Security Requirements.Contract Security Classi@ation Spect&ztions pre-pared by the prime contractor wikl be coordinated withthe GPM/PSO and contracting ofierprior to transmit-ting to the subcontractor. tintract Security Classi@a-tion Speci@tions prepared by h prime contractor willbe forwaded to the GPMLPSO and contracdng o~erfor cooniination and signature.

7-1-2

8-100. Introduction

a.

b.

AutomatedChapter 8

Information Systems (AIS)

Section 1. Responsibilities

Purpose and Scope. This chapter addresses the pro-tection and control of information processed on AIS.This entire chapter is contractor required and is notan option. The type is not bohi or iti-dicued, becauseit would include the conrpkte chapter. AISS typi-cally consist of computer hardware, software, and/orfirmware configured to collect, create, communicate,compute, disseminate, process, store, or control dataor information. This chapter specifies requirementsand assurances for the implementation, operation,maintenance, and management of seeure AIS used insupport of SAP activities. Prior to using an AIS orAIS network for processing U.S. Government, Cus-tomer, or Program information, the Contractor/ Pro-vider will develop an AIS Security Plan (AISSP) asdescribed herein and receive written Customerauthorization to process Customer information. Suchauthorization to process requires approval by theCustomer. The Provider will also assign an Informa-tion System Security Representative (ISSR) to sup-port the preparation of these documents and tosubsequently manage AIS security on-site for theCustomer’s program. After the AISSP is approved bythe Customer, the Provider will thereafter conform tothe plan for all actions related to the Customer’s pro-gram information. This information includes theselection, installation, test, operation, maintenance,and modification of AIS facilities, hardware, soft-ware, media, and output.

Requirements. The AISSP selected menu upgradesto the NISPOM baseline will be tailored to the Pro-vider’s individual AIS configuration and processingoperations. Alternatives to the protective measures inthis Supplement may be approved by the Customerafter the Provider demonstrates that the alternativesare reasonable and necessary to accommodate theCustomer’s needs. Prior to implementation, the Pro-vider will coordinate any envisioned changes orenhancements with the Customer. Approved changeswill be included in the AISSP. Any verbal approvalswill subsequently be documented in writing. Theinformation and guidance needed to prepare andobtain approval for the AISSP is described herein.

c. Restrictions. No personally owned AISS will be usedto process classified information.

8-101. Responsibilities.

The Customer is the Government organization responsi-ble for sponsoring and approving the classified and/orunclassified processing. The Provider is the Contractorwho is responsible for accomplishing the processing forthe Customer. The Information System Security Repre-sentative (ISSR) is the Provider-assigned individualresponsible for on-site AIS processing for the Customerin a secure manner.

a.

b.

Provider Responsibilities. The Provider will takethose actions necessary to meet with the policies andrequirements outlined in this document. The pro-vider will:

(1)

(2)

(3)

(4)

Publish and promulgate a corporate AIS Secu-rity Policy that addresses the classified process-ing environment.

Designate an individual to act as the ISSR.

Incorporate AISS processing Customer informa-tion as part of a configuration management pro-gram.

Enforce the AIS Security Policy.

ISSR Responsibilities. The Provider-designatedISSR has the following responsibilities:

(1) AIS Security Policy. Implement the AIS Secu-rity Policy.

(2) AIS Security Program. Coordinate the establish-ment and maintenance of a formal AIS SeeurityProgram to ensure compliance with this docu-ment:

(a) AIS Security Plan (AISSP). Coordinate thepreparation of an AISSP in accordancewith the outline and instructions providedin this document. After Customer

8-1-1

approval, the AISSP becomes the control-ling security document for AIS processingCustomer information. Changes affectingthe security of the AIS must be approvedby the Customer prior to implementationand documented in the AISSP.

(b)AIS Technical Evaluation Test Plans. Forsystems operating in the compartmented ormulti-level modes, prepare an AIS Techni-cal Evaluation Test Plan in coordinationwith the Customer and applicable securitydocuments.

(c) Certification. Conduct a certification testin accordance with 8-102, c. and provide acertification report.

(d) Continuity of Operations Plan (COOP).When contractually required, coordinatethe development and maintenance of anAIS COOP to ensure the continuation ofinformation processing capability in theevent of an AIS-related disaster resultingfrom fire, flood, malicious act, humanerror, or any other occurrence that mightadversely impact or threaten to impact thecapability of the AIS to process informa-tion. This plan will be referenced in theAISSP.

(e) Documentation. Ensure that all AIS secu-rity-related documentation as required bythis chapter is current and is accessible toproperly authorized individuals.

(f) Customer Coordination. Coordinate allreviews, tests, and AIS security actions.

(g) Auditing. Ensure that the required audittrails are being collected and reviewed asstated in 8-303.

(h) Memorandum of Agreement. As applica-ble, ensure that Memoranda of Agreementare in place for AISS supporting multipleCustomers.

(i) Compliance Monitoring. Ensure that thesystem is operating in compliance with theAISSP.

(j) AIS Security Education and Awareness.Develop an on-going AIS Security Educa-tion and Awareness Program.

(k) Abnormal Occurrence. Advise Customerin a timely manner of any abnormal eventthat affects the security of an approvedAIS.

(1) Virus and malicious code. Advise Cus-tomer in a timely manner of any virus andmalicious code on an approved AIS.

(3) Configuration Management. Participate in theconfiguration management process.

(4) Designation of Alternates. The ISSR may desig-nate alternates to assist in meeting the require-ments outlined in the chapter.

c. Special Approval Authority. In addition to theabove responsibilities, the Customer may authorizein writing an ISSR to approve specific AIS securityactions including:

(1) Equipment Movement. Approve and documentthe movement of AIS equipment.

(2) Component Release. Approve the release of san-itized components and equipment in accordancewith Tables 1 and 2 in 8-501.

(3) Stand-alone Workstation and Portable AISApproval. Approve and document new worksta-tions in accordance with an approved AIS secu-rity plan and the procedures defined in thisdocument for workstations with identical func-tionality. Approve and document portable AIS.

(4) Dedicated and System High Network Worksta-tion Approval. Approve and document addi-tional workstations identical in functionality toexisting workstations on an approved LocalArea Network (LAN) provided the workstationsare not located outside of the previously definedboundary of the LAN.

(5) Other AIS Component Approval. Approve anddocument other AIS components identical infunctionality to existing components on anapproved LAN provided the components are notlocated outside of the previously defined bound-ary of the LAN.

8-102. Approval To Process.Prior to using any AIS to process Customer information,approval will be obtained from the Customer. The fol-lowing requirements will be met prior to approval.

8-1-2

a. AIS Security Program. The Provider will have anAIS security program that includes:

c. AIS Certification and AccreWation.

(1) An AIS security policy and a formal AIS secu-rity structure to ensure compliance with theguidelines specified in this document;

(2) An individual whose reporting functionalitiesare within the Provider’s security organizationformally named to act as the ISSR,

(3) The incorporation of AISs processing Customerinformation into the Provider’s configurationmanagement program. The Provider’s configura-tion management program shall managechanges to an AIS throughout its life cycle. As aminimum the program will manage changes inan AIS’s:

(4)

(a) Hardware components (data retentiveonly)

(b) Connectivity (external and internal)

(c) Firmware

(d) Software

(e) Security features and assurances

(f) AISSP

(g)Test Plan

Control. Each AIS will be assigned to a desig-nated custodian (and alternate custodian) who isresponsible for monitoring the AIS on a continu-ing basis. The custodian will ensure that thehardware, installation, and maintenance asapplicable conform to appropriate requirements.The custodian will also monitor access to eachAIS. Before giving users access to any suchAIS, the custodian will have them sign a state-ment indicating their awareness of the restric-tions for using the AIS. These statements will bemaintained on file and available for review bythe ISSR.

b. AIS Security Plan (AESP). The Provider will pre-pare and submit an AISSP covering AISS processinginformation in a Customer’s Special Access ProgramFacility (SAPF), following the format in AppendixC. For RD, the Customer may modify the AISSP for-mat.

(1) Certification. Certification is the comprehensiveevaluation of technical and non-technical secu-rity features to establish the extent to which anAIS has met the security requirements necessaryfor it to process the Customer information. Cer-tification precedes the accreditation. The certifi-cation is based upon an inspwtion and test toverify that the AISSP accurately describes theAIS configuration and operation (See AppendixC and D). A Certification Report summarizingthe following will be provided to the Customer:

(a) For the dedicated mode of operation, theprovider must verify that access controls,configuration management, and otherAISSP procedures are functional.

(b)In addition, for System High AIS the LSSRwill verify that discretionary controls areimplemented.

(c) For compartmented and multilevel AIS,certification also involves testing to verifythat technical security features required forthe mode of operation are functional. Com-partmented and multi-level AIS must havea Technical Evaluation Test Plan thatincludes a detailed description of how theimplementation of the operating systemsoftware, data management system soft-ware, firmware, and related security soft-ware packages will enable the AIS to meetthe Compartmented or Multilevel Moderequirements. The plan outlines the inspec-tion and test procedures to be used to dem-onstrate this compliance.

(2) Accreditation. Accreditation is the formal decla-ration by the Customer that a classified AIS ornetwork is approved to operate in a particularsecurity mode; with a prescribed set of technicaland non-technical security features; against adefined threat; in a given operational environ-ment; u rider a stated operational concept; withstated interconnections to other AIS; and at anacceptable level of risk. The accreditation deci-sion is subject to the certification process. Anychanges to the accreditation criteria describedabove may require a new accreditation.

d. Interim Approval. The Customer may grant aninterim approval to operate.

8-1-3

e. Withdrawal of Accreditation. The Customer maywithdraw accreditation ifi

(1) The security measures and controls establishedand approved for the AIS do not remain effec-tive.

(2) The AIS is no longer required to process Cus-tomer information.

f. Memorandum of AgreemenL A Memorandum ofAgreement (MOA) is required whenever an accred-ited AIS is co-utilized, interfaced, or networkedbetween two or more Customers. This document willbe included, as required, by the Customer.

g. Procedures for Delegated Approvals. For AISSoperating in the dedicated or system high modes, theCustomer may delegate special approval authority tothe ISSR for additional AISS that are identical indesign and operation. That is: two or more AIS areidentical in design and operate in the same securityenvironment (same mode of operation, process infor-mation with the same sensitivities, and require thesame accesses and clearances, etc). Under these con-ditions the AISSP in addition to containing the infor-mation required by Appendix C shall also includethe certification requirements (inspection and tests)and procedures that will be used to accredit all AISS.The CSA will validate that the certification require-ments are functional by accrediting the first AISusing these certification requirements and proce-dures. The ISSR may allow identical AIS to operateunder that accreditation if the certification proce-dures are followed and the AIS meets all the certifi-cation requirements outline in the AISSP. The AISSPwill be updated with the identification of the newlyaccredited AIS and a copy of each certificationreport will be kept on file.

8-103. Security Reviews.

a. Purpose. Customer AIS Security Reviews are con-ducted to verify that the Provider’s AIS is operated inaccordance with the approved AISSP.

b. Scheduling. Customer AIS Reviews are normallyscheduled at least once every 24 months for Providersystems processing Customer program information.The Customer will establish specific review sched-ules.

c. Review Responsibilities. During the scheduledCustomer AIS Security Review, the Provider willfurnish the Customer representative conducting theReview with all requested AIS or network documen-tation. Appropriate Provider security, operations, andmanagement representatives will be made availableto answer questions that arise during the CustomerAIS Review process.

d. Review Reporting. At the conclusion of the Cus-tomer AIS Review visit, the Customer will brief theProvider’s appropriate security, operations, and man-agement representatives on the results of the Reviewand of any discrepancies discovered and the reeom-mend measures for correcting the security deficien-cies. A formal report of the Customer AIS Review isprovided to the Provider’s security organization nolater than 30 days after the Review.

e. Corrective Measures. The Provider will respond tothe Customer in writing within 30 days of receipt ofthe formal report of deficiencies found in the Cus-tomer AIS Review process. The response willdescribe the actions taken to correct the deficienciesoutlined in the formal report of Customer AISReview findings. If proposed actions will require anexpenditure in funds, approval will be obtained fromthe Contracting Officer prior to implementation.

8-1-4

Section 2. Security Modes

8-200. Security Modes-General.

a. AISs that process classified information must oper-ate in the ddlcated, system high, compartmentcd, ormultilevel mode. Stmrity modes are authorized vari-ations in security environments, re@ements, andmethods of operating. In all modes, the integration ofautomated and conventional security measures shall,with reasonable dependability, prevent unauthorizedaccess to classified information during, or resultingfrom, the processing, storage, or transmission ofsuch information, and prevent unauthorized manipu-lation of the AIS that could result in the compromiseor loss of classified information.

b. In determining the mode of operation of an AIS,three elements must be addressed: the boundary andperimeter of the AIS, the nature of the data to be pro-cessed, and the level and diversity of access privi-leges of intended users. Specifically:

(1) The boundary of an AIS includes all users thatare directly or indirectly connected and who canreceive data from the AIS without a reliablehuman review by an appropriately clearedauthority. The perimeter is the extent of the AISthat is to be accredkd as a single entity.

(2) The nature of data is defined in terms of its chl.s-sification Ievels, compartments, subcompart-ments, and sensitivity levels.

(3) The level and diversity of access privileges of itsusers are defined as their clearance levels, need-to-know, and formal access approvals.

8-201. D@cated Security Modcz

a. An AIS is operating in the dedicated mode (process-ing either full time or for a specified period) wheneach user with direct or indirect access to the AIS, itsperipherals, remote terminals, or remote hosts has allof the following:

(1) A valid personnel clearance for all informationstored or processed on the AIS.

(2) Formal access approvals and has executed allappropriate non-disclosure agreements for all theinformation stored and/or processed (including allcompartments, subcompartments, and/or SAPS).

(3) A valid need to know for all information storedon or processed within the AIS.

b. The following security requirements are establishedfor AISS operating in the de&catcd mode:

(1) Be loeatcd in a SAPF.

(2) Implement and enforee access procedures to the

c.

d.

AIs.

(3) All hard copy output will be handled at the levelfor which the system is accredited untilreviewed by a knowledgeable individual.

(4) All media removed from the system will be pro-tected at the highest classification level of infor-mation stored or processed on the system untilreviewed and properly marked according to pro-cedures in the AIS sceurity plan.

Security Features for Dedicated Security Mode.

(1) Since the system is not required to provide tech-nical security features, it is up to the user to pro-teet the information on the system. For networksoperating in the dedicated mode, automatedidentification and authentication controls arerequired.

(2) For DoD, the Customer may require auditrecords of user access to the system. Suchrecords will include: user ID, start date andtime, and stop date and time. Logs will be main-tained IAW 8-303.

Seeurity Assurances for Dedicated SecurityMode.

(1) AIS seeurity assurances must inciude anapproach for specifying, documenting, control-ling, and maintaining the integrity of all appro-priate AIS hardware, firmware, software,communicant ions interfaces, operating proce-dures, installation structures, security documen-tation, and changes thereto.

(2) Examination of Hardware and Software. Classi-fied AIS hardware and software shall be exam-ined when received from the vendor and beforebeing placed into use.

8-2-1

(a) Classified AIS Hardware. An examinationshall result in assurance that the equipmentappears to be in good working order andhave no parts that might be detrimental tothe secure operation of the resource. Sub-sequent changes and developments whichaffect security may require additionalexamination.

(b) Classified AIS Software.

1. Commercially procured software shall beexamined to assure that the software con-tains no features which might be detri-mental to the security of the classifiedAIS.

2. Security-related software shall be exam-ined to assure that the security featuresfunction as specified.

(c)Custom Software or Hardware Systems.New or significantly changed security rele-vant software and hardware developed spe-cifically for the system shall be subject totesting and review at appropriate stages ofdevelopment.

8-202. System High Security Mode.

a. An AIS is operating in the system high mode (pro-cessing either full time or for a specified period)when each user with direct or indirect access to theAIS, its peripherals, remote terminals, or remotehosts has all of the following:

(1) A valid personnel clearance for ail informationon the AIS.

(2) Formal access approval and has signed non-dis-closure agreements for all the information storedand/or processed (including all compartmentsand subcompartments).

(3) A valid need-to-know for some of the informa-tion contained within the system.

b. AISS operating in the system high mode, in additionto meeting all of the security requirements, features,and assurances established for the dedicated mode,will meet the following:

(1) Security Features for System High Mode

(a) Define and control access between systemusers and named objects (e.g., files andprograms) ‘in the AIS. The enforcementmechanism must allow system users tospecify and control the sharing of thoseobjects by named individuals and/orexplicitly defined groups of individuals.The access control mechanism must, eitherby explicit user action or by default, pro-vide that all objects are protected fromunauthorized access (discretionary accesscontrol). Access permission to an object byusers not already possessing access per-mission must only be assigned by autho-rized users of the object.

(b)Time Lockout. Where technically feasible,the AIS shall time lockout an interactivesession after an interval of user inactivity.The time interval and restart requirementsshall be specified in the AIS Security Plan.

(c) Audit Trail. Provide an audit trail capabil-ity that records time, date user ID, terminalID (if applicable), and file name for thefollowing events:

1. Introduction of objects into a user’saddress space (e.g., file open and pro-gram initiation as determined by the Cus-tomer and ISSR).

2. Deletion of objects (e.g., as determinedby the Customer and ISSR).

3. System log-on and log-off

4. Unsuccessful access attempts.

(d) Require that memory and storage containno residual data from the previously con-tained object before being assigned, allo-cated, or reallocated to another subject.

(e) Identification Controls. Each person havingaccess to a classified AIS shall have the propersecurity clearances and authorizations and beuniquely identified and authenticated beforeaccess to the classified AIS is permitted. Theidentification and authentication methods usedshall be specified and approved in the AISSecurity Plan. User access controls in classi-fied AISS shall include authorization, user

8-2-2

in the AIS Security Plan. User access controlsin classified AISS shall include authorization,user identification, and authentication admin-istrative controls for assigning these shall becovered in the AISSP.

1. User Authorizations. The manager orsupervisor of each user of a classifiedAIS shall determine the required authori-zations, such as need-to-know, for thatuser.

2. User Identification. Each system usershall have a unique user identifier andauthenticator.

a. User ID Removal. The ISSR shallensure the development and imple-mentation of procedures for theprompt removal of access from theclassified AIS when the need foraccess no longer exists.

b. User ID Revalidation. The AISISSR shall ensure that all user IDsare revalidated at least annually, andinformation such as sponsor andmeans of ‘off-line contact (e.g.,phone number, mailing address) areupdated as necessary.

(f) Authentication. Each user of a classifiedAIS shall be authenticated before access ispermitted. This authentication can bebased on any one of three types of infor-mation: something the person knows (e.g.,a password); something the person pos-sesses (e.g., a card or key); somethingabout the person (e.g., fingerprints orvoiceprints); or some combination of thesethree. Authenticators that are passwordsshall be changed at least every six months.

1. Requirements.

a. Log-on. Users shall be required toauthenticate their identities at “log-on” time by supplying their authen-ticator (e.g., password, smart card,or fingerprints) in conjunction withtheir user ID.

b. Protection of Authenticator. AnAuthenticator that is in the form ofknowledge or possession (password,smart card, keys) shall not be sharedwith anyone. Authenticators shall beprotected at a level commensuratewith the accreditation level of theClassified AIS.

2. Additional Authentication Countermea-sures. Where the operating system pro-vides the capability, the followingfeatures shall be implemented:

a. Log-on Attempt Rate. Successivelog-on attempts shall be controlledby denying access after multiple(maximum of five) unsuccessfulattempts on the same user ID; bylimiting the number of accessattempts in a specified time period;by the use of a time delay controlsystem; or other such methods, sub-ject to approval by the Customer.

b. Notification to the User. The usershall be notified upon successfullog-on of: the date and time of theuser’s last log-on; the ID of the ter-minal used at last log-on; and thenumber of unsuccessful log-onattempts using this user ID since thelast successful log-on. This noticeshall require positive action by theuser to remove the notice from thescreen.

(g) The audit, identification, and authentica-tion mechanisms must be protected fromunauthorized access, modification, or dele-tion.

c. Security Assurances for SystemHigh Mode. The system securityfeatures for need-to-know controlswill be tested and verified. Identi-fied flaws will be corrected.

8-203. Compartmented Security Mode.

a. An AIS is operating in the compmtmented modewhen users with direct or indirect access to the AIS,

8-2-3

its peripherals, or remote termina[s have all of thefollowing:

(1) A valid personnel clearance for access to themost restricted information processed in theAIs.

(2) Formal access approval and have signed nondis-closure agreements for that information to whichhe/she is to have access (some users do not haveformal access approval for all compartments orsubcompartments processed by the AIS.)

(3) A valid need-to-know for that information forwhich he/she is to have access.

b. Security Features for Compartmented Mode. Inaddition to all Security Features and Security Assur-ances required for the System High Mode of Opera-tion, Classified AIS operating in the CompartmentedMode of Operation shall also include:

(1) Resource Access Controls,

(a) Security Labels. The Classified AIS shallplace security labels on all entities (e.g.,files) reflecting the sensitivity (classifica-tion level, classification category, and han-dling caveats) of the information forresources and the authorizations (securityclearances, need-to-know, formal accessapprovals) for users. These labels shall bean integral part of the electronic data ormedia. These security labels shall be com-pared and validated before a user isgranted access to a resource.

(4) Support a trusted communications path betweenitself and each user for initial log-on and verif-ication.

(5) Enforce, under system control, a system-gener-ated, printed, and human-readable security clas-sification level banner at the top and bottom ofeach physical page of system hard-copy output.

(6) Audit these additional events: the routing of allsystem jobs and output, and changes to securitylabels.

(7) Security Level Changes. The system shallimmediately notify a terminal user of eachchange in the security level associated with thatuser during an interactive session. A user shallbe able to query the system as desired for a dis-play of the user’s complete sensitivity label.

c. Security Assurances for Cornpartmented Mode.

(3)(b) Export of Security Labels. Security labels

exported from the Classified AIS shall beaccurate representations of the correspond-ing security labels on the information inthe originating Classified AIS.

(I) Confidence in Software Source. In acquiringresources to be used as part of a Classified AIS,consideration shall be given to the level of confi-dence placed in the vendor to provide a qualityproduct, to support the security features of theproduct, and to assist in the correction of anyflaws.

(2) Flaw Discovery. The Provider shall ensure thevendor has implemented a method for the dis-covery of flaws in the system (hardware, firm-ware, or software) that may have an effect on thesecurity of the AIS.

(2) Mandatory Access Controls. Mandatory accesscontrols shall be provided. These controls shallprovide a means of restricting access to filesbased on the sensitivity (as represented by thelabel) of the information contained in the filesand the formal authorization (i.e., security clear-ance) of users to access information of such sen-sitivity.

(3) No information shall be accessed whose com-partment is inconsistent with the session log-on.

No Read Up, No Write Down. Enforce anupgrade or downgrade principle where ail usersprocessing have a system-maintained classifica-tion; no data is read that is classified higher thanthe processing session authorized; and no data iswritten unless its security classification level isequal to or lower than the user’s authorized pro-cessing security classification and all non-hier-archical categories are the same.

(4) Description of the Security Support Structure(often referred to as the Trusted ComputingBase). The protections and provisions of thesecurity support structure shall be documentedin such a manner to show the underlying plan-ning for the security of a Classified AIS. Thesecurity enforcement mechanisms shall be iso-lated and protected from any user or unautho-rized process interference or modification.

8-2-4

Hardware and software features shall k pro-vided that can be used to periodically validatethe correct operation of the elements of the secu-rity enforcement mechanisms.

required for the compartmented mode of operation,classified AIS operating in the multilevel mode ofoperation shall also include:

(1)(5) Independent Validation and Verification. An

Independent Validation and Verification teamshall assist in the technical evaluation testing ofa classified AIS and shall perform validation andverification testing of the system as required bythe Customer.

(6) Security Label Integrity. The methodology shallensure the following:

(a) Integrity of the security labels;

(b) The association of a security label with thetransmitted data; and

(c) Enforcement of the control features of thesecurity labels.

(7) Detailed Design of security enforcement mecha-nisms. An informal description of the securitypolicy model enforced by the system shall beavailable.

8-204. Multilevel Security Mode. NOTE: MultilevelSecurity Mode is not routinely -authorized for SCI orSAP applications. Exceptions for SCI may be made bythe heads of CIA, DIA, or NSA on a case-by-case basis.Exceptions for SAP may be made by the Customer.

a. An AIS is operating in the multilevel mode when allof the following statements are satisfied concerningthe users with direct or indirect access to the AIS, itsperipherals, remote terminals, or remote hosts:

Audit. Contain a mechanism that is able to mon-itor the occurrence or accumulation of securityaudhable events that may indicate an imminentviolation of security policy. This mechanismshall be able to immediately notify the securityadministrator when thresholds are exceeded and,if the occurrence or accumulation of these secu-rity relevant events continues, the system shalltake the least disruptive action to terminate theevent.

(2) Trusted Path. Support a trusted communicationpath between the AIS and users for use when apositive AIS-to-user connection is required (i.e.,log-on, change subject security level). Commu-nications via this trusted path shall be activatedexclusively by a user or the AH and shall belogically isolated and unmistakably distinguish-able from other paths. For Restricted Data, thisrequirement is only applicable to multilevel AISthat have at least one uncleared user on the AIS.

(3)

(4)(1) Some users do not have a valid personnel clear-

ance for all of the information processed in theAIS. (Users must possess a valid CONFIDEN-TIAL, SECRET, or TOP SECRET clearance.)

(2) All users have the proper clearance and have theappropriate access approval (i.e., signed nondis-closure agreements) for that information towhich they are intended to have access.

(3) All have a valid need-to-know for that informa-tion to which they are intended to have access.

b. Security Features for Multilevel Mode. In addi-tion to all security features and security assurances

Support separate operator and administratorfunctions. The functions performed in the role ofa security administrator shall be identified. TheAIS system administrative personnel shall onlybe able to perform security administrator func-tions after taking a distinct auditable action toassume the security administrative role on theAIS system. Non-security functions that can beperformed in the security administrative roleshall be limited strictly to those essential to per-forming the security role effectively.

Security Isolation. The AIS security enforce-ment mechanisms shall maintain a domain forits own execution that protects it from externalinterference and tampering (e.g., by reading ormodification of its code and data structures).The protection of the security enforcementmechanisms shall provide isolation and noncir-cumvention of isolation functions. ForRestricted Data, this requirement is only appli-cable to multilevel AIS that have at least oneuncleared user on the AIS.

(5) Protection of Authenticator. Authenticators shallbe protected at the same level as the informationthey access.

8-2-5

c. Security Assurances for Multilevel Mode.

(1) Flaw Tracking and Remediation. The Providershall ensure the vendor provides evidence thatall discovered flaws have been tracked and rem-edied.

(2) Life-Cycle Assurance. The development of theClassified AIS hardware, firmware, and soft-ware shall be under life-cycle control and man-agement (i.e., control of the Classified AIS fromthe earliest design stage through decommission-ing).

(3) Separation of Functions. The functions of theAIS ISSR and the Classified AIS manager shallnot be performed by the same person.

the control features of the data flow betweenoriginator and destination.

(5) Seeurity Penetration Testing. In addition to test-ing the performance of the classified AIS forcertification and for ongoing testing, there shallbe testing to attempt to penetrate the securitycountermeasures of the system. The test proce-dures shall be documented in the test plan forcertification and for ongoing testing.

(6) Trusted Recovery. Provide procedures and/ormechanisms to assure that, after an AIS systemfailure or other discontinuity, recovery without aprotection compromise is obtained.

(7) Covert Channels. A covert channel analysisshall be performed.

(4) Device Labels. The methodology shall ensurethat the originating and destination device labelsare a part of each message header and enforce

8-2-6

Section 3. System Access and Operation

8-300 System Access. Access to the system will be lim-ited to authorized personnel. Assignment of AIS accessand privileges will be coordinated with the ISSR.Authentication techniques must be used to provide con-trol for information on the system. Examples of authen-tication techniques include, but are not limited to:passwords, tokens, biometrics, and smart cards. Userauthentication techniques and procedures will bedescribed in the AISSI?

a. User IDs. User IDs identify users in the system andare used in conjunction with other authenticationtechniques to gain access to the system. User IDswill be disabled whenever a user no longer has aneed-t-know. The user ID will be deleted from thesystem only after review of programs and data asso-ciated with the ID. Disabled accounts will beremoved from the system as soon as practical.Whenever possible, access attempts will be limitedto five tries. Users who fail to access the systemwithin the established limits will be denied accessuntil the user ID is reactivated.

b. Access Authentication.

(1) Password. When used, system log-on passwordswill be randomly selected and will be at least sixcharacters in length. The system log-on pass-word generation routine must be approved bythe Customer.

(2) Validation. Authenticators must be validated bythe system each time the user accesses the AIS.

(3) Display. System log-on passwords must not bedisplayed on any terminal or contained in theaudit trail. When the AIS cannot prevent a pass-word from being displayed (e.g., in a half-duplex connection), an overprint mask shall beprinted before the password is entered to con-ceal the typed password.

(4) Sharing. Individual user authenticators (e.g.,passwords) will not be shared by any user.

(5) Password Life. Passwords must be changed atleast every six months.

will be notified and a new password or PINissued.

(7) Group Log-on Passwords. Use of group log-onpasswords must be justified and approved by theCustomer. After log-on, group passwords maybe used for file access.

c. Protection of Authenticators. Master data filescontaining the user population system log-on authen-ticators will be encrypted when practical. Access tothe files will be limited to the ISSR and designatedalternate(s), who will be identified in writing.

d. Modems. Modems require Customer approval priorto connection to an AIS located in a Customer SAPF.

e. User Warning Notice. The Customer may requirelog-on warning banners be installed.

8-301. System Operation.

a. Processing initialization is the act of changing theAIS from unclassified to classified, from one classi-fied processing level to another, or from one com-partment to another or from one Customer toanother. To begin processing classified informationon an approved AIS the following procedures mustbe implemented:

(1) Verify that prior mode termination was properlyperformed.

(2) Adjust the area security controls to the level ofinformation to be processed.

(3) Configure the AIS as described in the approvedAISSP. The use of logical disconnects requiresCustomer approval.

(4) Initialize the system for processing at theapproved level of operation with a dedicatedcopy of the operating system. This copy of theoperating system must be labeled and controlledcommensurate with the security classificationand access levels of the information to be pro-cessed during the period.

(6) Compromise. Immediately following a sus- b. Unattended Processing. Unattended processingpetted or known compromise of a password or will have open storage approval and concurrencePersonal Identification Numbq (PIN) the ISSR from the customer. Prior to unattended processing,

8-3-1

all remote input and/or output (1/0) not in approvedopen storage areas will be physically or electricallydisconnected from the host CPU. The disconnectwill be made in an area approved for the open stor-age. Exceptions are on a case-by-case basis and willrequire Customer approval.

c. Processing Termination. Processing terminationof any AIS will be accomplished according to thefollowing requirements.

(1) Peripheral Device Clearing. Power down allconnected peripheral devices to sanitize all vola-tile buffer memories. Overwriting of thesebuffer areas will be considered by the Customeron a case-by-case basis.

(2) Removable Storage Media. Remove and prop-erly store removable storage media.

(3) Non-removable (Fixed) Storage Media. Discon-nect (physically or electrical] y) all storagedevices with nonremovable storage media notdesignated for use during the next processingperiod.

(4) CPU Memory. Clear or sanitize as appropriateall internal memory including buffer storage andother reusable storage devices (which are notdisabled, disconnected, or removed) in accor-dance with 8-501, Table 2.

(5) Laser Printers. Unless laser printers operating inSAPFS will operate at the same classificationlevel with the same access approval levels dur-ing the subsequent processing period, they willbe cleared by running three pages of unclassifiedrandomly generated text. For SCI, five pages ofunclassified pages will be run to clear theprinter. These pages will not include any blankspaces or solid black areas. Otherwise, no pagesneed be run through the printer at mode terminat-ion.

(6) Thermal printers. Thermal printers have a ther-mal film on a spool and take-up reel. Areas inwhich these types of laser printers are locatedwill be either approved for open storage, or thespools and take-up reels will be removed andplaced in secure storage. The printer must besanitized prior to use at a different classificationlevel.

(7) Impict-type Printers. Impact-type printers (e.g.,dot-matrix) in areas not approved for open stor-age will be secured as follows: Remove andsecure all printer ribbons or dispose of them ascklssified trash. Inspect all printer platens. If anyindication’ of printing is detected on the platen,then the platen will be either cleaned to removesuch printing or removed and secured in anapproved classified container.

(8) Adjust area security controls.

8-302. Collocation of Classified and Unclassified AIS.

a. Customer permission is required before a Providermay collocate unclassified AIS and classified AIS.This applies when:

(1) The unclassified information is to be processedon an AIS located in a SAPF, or

(2) The unclassified information is resident in adatabase located outside of a SAPF but accessedfrom terminals located within the SAPF.

b. AIS approved for processing unclassified informa-tion will be clearly marked for UNCLASSIFIEDUSE ONLY when located within a SAPF. In additionthe following requirements apply:

(I) Must be physically separated from any classifiedAIS.

(2) Cannot be connected to the classified AIS.

(3) Users shall be provided a special awarenessbriefing.

(4) ISSR must document the procedures to ensurethe protection of classified information.

(5) All unmarked media is assumed to be classifieduntil reviewed and verified.

c. Unclassified portable AIS devices are prohibited in aSAPF unless Customer policy specifically permitstheir use. If permitted, the following proceduresmust be understood and followed by the owner anduser

(1) Connection of unclassified portable AIS to clas-sified AIS is prohibited.

8-3-2

(2) Connection to other unclassified AISS may beallowed provided Customer approval isobtained.

(3) Use of an internal or external modem with theAIS device is prohibited within the SAPF.

(4) The Provider will incorporate these proceduresin the owner’s initial and annual security brief-ing.

(5) Procedures for monitoring portable AIS deviceswithin the SAPF shall be outlined in either theAISSP or the Facility Security Plan. Thesedevices and the data contained therein are sub-ject to security inspection by the ISSR and theCustomer. Procedures will include provisionsfor random reviews of such devices to ensurethat no classified program-specific or program-sensitive data is allowed to leave the secure area.Use of such a device to store or process classi-fied information may, at the discretion of theCustomer, result in confiscation of the device.All persons using such devices within the securearea will be advised of this policy during secu-rity awareness briefings.

(6) Additionally, where Customer policy permits,personally owned portable AIS devices may beused for unclassified processing only and mustfollow the previous guidelines.

8-303. System Auditing.

a. Audit Trails. Audit trails provide a chronologicalrecord of AIS usage and system support activitiesrelated to classified or sensitive processing. In addi-tion to the audit trails normally required for the oper-ation of a stand-alone AIS, audit trails of networkactivities will also be maintained. Audit trails willprovide records of significant events occurring in theAIS in sufficient detail to facilitate reconstruction,

review, and examination of events involving possiblecompromise. Audit trails will be protected fromunauthorized access, modification, and deletion.Audit trail requirements are described under mode ofoperation.

b. Additional Records and Logs. The followingaddhional records or logs will be maintained by theProvider regardless of the mode of operation. Thesewill include:

(1) Maintenance and repair of AIS hardware,including installation or removal of equipment,devices, or components.

(2) Transaction receipts, such as equipment saniti-zation, release records, etc.

(3) Significant AIS changes (e.g., disconnecting orconnecting remote terminals or devices, AISupgrading or downgrading actions, and applyingseals to or removing them from equipment ordevice covers).

c. Audit Reviews. The audit trails, records, and logscreated during the above activities will be reviewedand annotated by the ISSR (or designee) to be surethat all pertinent activity is proper] y recorded andappropriate action has been taken to correct anoma-lies. The Customer will be notified of all anomaliesthat have a direct impact on the security posture ofthe system. The review will be conducted at leastweek] y.

d. Record Retention. The Provider will retain themost current 6 to 12 months (Customer Option) ofrecords derived from audits at all times. The Cus-tomer may approve the periodic use of data reduc-tion techniques to record security exceptionconditions as a means of reducing the volume ofaudit data retained. Such reduction will not result inthe loss of any significant audit trail data.

8-3-3

Section 4. Networks

8-400 Networks. This section addresses network-spe-cific requirements that are in addition to the previouslystated AIS requirements. Network operations must pre-serve the security requirements associated with theAIS’s mode of operation.

a. Types of Networks.

(1) A unified network is a collection of AIS’S or net-work systems that are accredited as a singleentity by a single CSA, A unified network maybe as simple as a small LAN operating in dedi-cated mode, following a single security policy,accredited as a single entity, and administeredby a single ISSR. The perimeter of such a net-work encompasses all its hardware, software,and attached devices. Its boundary extends to allits users. A unified network has a single mode ofoperation. This mode of operation will bemapped to the level of trust required and willaddress the risk of the least trusted user obtain-ing the most sensitive information processed orstored on the network.

(2) An interconnected network is comprised of sep-arately accredited AISS andlor unified networks.Each self-contained AIS maintains its own intra-AIS services and controls, protects its ownresources, and retains its individual accredita-tion. Each participating AIS or unified networkhas its own ISSR. The interconnected networkmust have a security support structure capableof adjudicating the different security policy(implementations) of the participating AISS orunified net works. An interconnected networkrequires accreditation, which may be as simpleas an addendum to a Memorandum of Agree-ment (MOA) between the accrediting authori-ties.

b. Methods of Interconnection.

(1) Security Support Structure (SSS) is the hard-ware, software, and firmware required to adjudi-cate security policy and implementationdifferences between and among connecting uni-fied networks and/or AISS. The SSS must beaccredited. The following requirements must besatisfied as part of the SSS accreditation:

(a) Document the security policy enforced bythe SSS.

(b) Identify a single mode of operation.

(c) Document the network security architec-ture and design.

(d) Document minimum contents of MOA’Srequired for connection to the SSS.

(2) The interconnection of previously accreditedsystems into an accredited network may requirea reexamination of the security features andassurances of the contributing systems to ensuretheir accreditations remain valid.

(a) Once an interconnected network is definedand accredited, additional networks or sep-arate AISS (separately accredited) mayonly be connected through the accreditedSss.

(b) The addition of components to contribut-ing unified networks which are members ofan accredited interconnected network areallowed provided these additions do notchange the accreditation of the contribut-ing system.

c. Network Security Management. The Providerwill designate an ISSR for each Provider network.The ISSR may designate a Network Security Man-ager (NSM) to oversee the security of the Provider’snetwork(s), or may assume that responsibility. TheISSR is responsible for coordinating the establish-ment and maintenance of a formal network securityprogram based on an understanding of the overallsecurity-relevant policies, objectives, and require-ments of the Customer. The NSM is responsible forensuring day-to-day compliance with the networksecurity requirements as described in the AISSP (ascovered below) and this Supplement.

d. Network Security Coordination. When differentaccrediting authorities are involved, a Memorandumof Agreement is required to define the cognizantauthority and the security arrangements that willgovern the operation of the overall network. When

8-4-1

two or more ISSRS are designated for a network, alead ISSR will be named by the Provider(s) to ensurea comprehensive approach to enforce the Customer’soverall security policy.

e. Network Security.

The AISSP must address:

(1) A description of the network services and mecha-nisms that implement the network security policy.

(2) Consistent implementation of security featuresacross the network components.

(a) Identification and Authentication Forward-ing. Reliable forwarding of the identifica-tion shall be used between AISS whenusers are connecting through a network.When identification forwarding cannot beverified, a request for access from a remoteAIS shall require authentication beforepermitting access to the system.

(b) Protection of Authenticator Data. In for-warding the authenticator information andany tables (e.g., password tables) associatedwith it, the data shall be protected fromaccess by unauthorized users (e.g., encryp-tion), and its integrity shall be ensured.

(c) Description of the network and any exter-nal connections.

(d) The network security policy includingmode of operation, information sensitivi-ties, and user clearances.

(e) Must address the internode transfer ofinformation (e.g., sensitivity level, com-partmentation, and any special accessrequirements), and how the information isprotected.

f.(f) Communications protocols and their secu-

rity features.

(g) Audit Trails and Monitoring.

1. If required by the mode of operation, thenetwork shall be able to create, main-tain, and protect from modification or

unauthorized access or destruction anaudit trail of successful and unsuccessfulaccesses to the AIS network componentswithin the perimeter of the accreditednetwork. The audit data shall be pro-tected so that access is limited to theISSR or his/her designee.

2. For Restricted Data, methods of continu-ous on-line monitoring of network activi-ties may be included in each networkoperating in the Compartmented Secunt yMode or higher. This monitoring may alsoinclude realtime notification to the ISSRof any system anomalies.

3. For Restricted Data networks operating inthe Compartmented Mode or higher, theCustomer may require the audit trail toinclude the changing of the configurationof the network (e.g., a component leavingthe network or rejoining).

4. The audit trail records will allow associa-tion of the network activities with corre-sponding user audit trails and records.

5. Provisions shall be made and the proce-dures documented to control the loss ofaudit data due to unavailability ofresources.

6. For Restricted Data, the Customer mayrequire alarm features that automaticallyterminate the data flow in case of a mal-function and then promptly notify theISSR of the anomalous conditions.

(h) Secure Message Traffic. The communica-tions methodology for the network shallensure the detection of errors in trafficacross the network links.

Transmission Security. Protected DistributionSystems or National Security Agency approvedencryption methodologies shall be used to protectclassified information on communication linesthat leave the SAPF. Protected distribution sys-tems shall be either constructed in accordancewith the national standards or utilize NationalSecurity Agency approved protected distributionsystems.

8-4-2

g. Records. The Customer may require records bemaintained of electronic transfers of data betweenautomated information systems when those systemsare not components of the same unified network.Such records may include the identity of the sender,identity and location of the receiver, datehime of thetransfer, and description of the data sent. Records areretained according to 8-303.d.

8-4-3

Section 5. Software

8-500. Software and Data Fk.

a.

b.

Acquisition and Evaluation. ISSR approval willbe obtained before software or data files may bebrought into the SAPF. All software must beacquired from reputable and/or authorized sources asdetermined by the ISSR. The Provider will check allnewly-acquired software or data files, using the mostcurrent version and/or available of virus checkingsoftware and procedures identified in the AISSP toimprove assurance that the software or data files arefree from malicious code.

Protection. Media that may be written to (e.g., mag-netic mdla) must be safeguarded commensuratewith the level of accreditation of the dedicated orsystem high AIS. Media on compartmented or multi-level AISS will be protected commensurate with thelevel of the operating session. If a physical write-protect mechanism is utilized, media may be intro-duced to the AIS and subsequently removed withoutchanging the original classification. The integrity ofthe write-protection mechanism must be verified at aminimum of once per day by attempting to write tothe media. Media which cannot be changed (e.g., CDread-only media) may be loaded onto the classifiedsystem without labeling or classifying it provided itis immediately removed from the secure area. If thismedia is to be retained in the secure area, it must belabeled, controlled, and stored as unclassified mediaas required by the Customer.

(1)

(2)

System Software. Provider personnel who areresponsible for implementing modifications tosystem or security-related software or data fileson classified AISS inside the SAPF will beappropriately cleared. Soft ware that containssecurity related functions (e.g., sanitization,access control, auditing) will be validated toconfirm that security-related features are ful i yfunctional, protected from modification, andeffective.

Application Software. Application soflware ordata files (e.g., general business software), thatwill be used by a Provider during classified pro-cessing, may be developed/modified by person-nel outside the security area without therequisite security clearance with the concur-rence of the Customer.

c.

d

e.

and Data Files

(3) Releasing Software. Software that has not beenused on an AIS processing classified informationmay be returned to a vendor. If media containingsoftware (e.g., applications) are used on a classi-fied system and found to be defective, such mediamay not he removed from a SAPF for return to avendor. When possible, software will be testedprior to its introduction into the secure facility.

Targetability. For SCI and SAP the software,whether obtained from sources outside the facility ordeveloped by Provider personnel, must be safe-guarded to protect its integrity from the time ofacquisition or development through its life cycle atthe Provider’s facility (i.e., design, development,operational, and maintenance phases). Unclearedpersonnel will not have any knowledge that the soft-ware or data files will be used in a classified area,although this may not be possible in all cases. Beforesoftware or data files that are developed or modifiedby uncleared personnel can be used in a classifiedprocessing period, it must be reviewed by appropri-ately cleared and knowledgeable personnel to ensurethat no security vulnerabilities or malicious codeexists. Configuration management must be in placeto ensure that the integrity of the software or datafiles is maintained.

Maintenance Software. Software used for mainte-nance or diagnostics will be maintained within thesecure computing facility and, even though unclassi-fied, will be separately controlled. The AISSP willdetail the procedures to be used.

Remote Diagnostics. Customer approval will beobtained prior to using vendor-supplied remote diag-nostic links for on-line use of diagnostic software.The AISSP will detail the procedures to be used.

8-501. Data Storage Media. Data storage media will becontrol led and labeled at the appropriate classificationlevel and access controls of the AIS unless write-pro-tected in accordance with 8-500.b. Open storageapproval will be required for non-removable media.

a. Labeling Media. All data storage media will belabeled in hurnamreadable form to indicate its classi-fication level, access controls (if applicable), andother identifying information. Data storage mediathat is to be used solely for unclassified processing

8-5-1

and collocated with classified media will be markedas UNCLASSIFIED. Color coding (i e., media,labels) is recommended. If required by the Customer,all removable media will be labeled with a classifica-tion label immediately after removing it from its fac-tory-sealed container.

b. Reclassification. When the classification of themedia increases to a higher level, replace the classifi-cation label with a higher classification-level label.The label will reflect the highest classification level,and access controls (if applicable) of any informa-tion ever stored or processed on the AIS unless themedia is write-protected by a Customer-approvedmechanism. Media may never be downgraded inclassification without the Customer’s writtenapproval.

c. Copying Unclassified Information from a Clas-sified AIS.

(1) The unclassified data will be written to factory-fresh or verified unclassified media usingapproved copying routines and/or utilities and/or procedures as stated in the AISSP. For SCIand S.@ media to be released will be verifiedby reviewing all data on the media includingembedded text (e.g., headers and footers). Dataon media that is not in human readable form(e.g., imbedded graphs, sound, video) will beexamined for content with the appropriate soft-ware applications. Data that cannot be reason-ably observed in its entirety will be inspected byreviewing random samples of the data on themedia.

(2) Moving Classified Data Storage Media BetweenApproved Areas. The ISSR w il I establish proce-dures to ensure that data will be written to fac-tory-fresh or sanitized media. The media will bereviewed to ensure that only the data intendedwas actually written and that it is appropriatelyclassified and labeled. Alternatives for specialcircumstances may be approved by the Cus-tomer. All procedures will be documented in theAISSP.

d. Overwri t ing , Degaussing, Sanitizing, andDestroying Media. Cleared and sanitized mediamay be reused within the same classification level(i.e., TS-TS) or to a higher level (i.e., SECRET-TS).Sanitized media may be downgraded or declassifiedwith the Customer’s approval. Only approved equip-ment and software may be used to overwrite and

degauss magnetic media containing classified infor-mation. Each action or procedure taken to overwriteor degauss such media will be verified. Magneticstorage media that malfunctions or contains featuresthat inhibit overwriting or degaussing will bereported to the ISSR, who will coordinate repair ordestruction with the Customer. (See Table 1.)

Caution: Overwriting, degaussing, and sanitizing are notsynonymous with declassification. Declassification is aseparate administrative function. Procedures for declas-sifying media require Customer approval.

(1) Overwriting Media. Overwriting is a softwareprocedure that replaces the data previouslystored on magnetic storage media with a pre-define set of meaningless data. Overwriting isan acceptable method for clearing. Onlyapproved overwriting software that is compati-ble with the specific hardware intended for over-writing will be used. Use of such software willbe coordinated in advance with the Customer.The success of the overwrite procedure will beverified through random sampling of the over-written media. The effectiveness of the over-write procedure may be reduced by severalfactors: ineffectiveness of the overwrite proce-dures, equipment failure (e.g., misalignment ofread/write heads), or inability to overwrite badsectors or tracks or information in inter-recordgaps. To clear magnetic disks, overwrite alllocations three (3) times (first time with a char-acter, second time with its complement, and thethird time with a random character). Itemswhich have been cleared must remain at the pre-vious level of classification and remain in asecure, controlled environment.

(2) Degaussing Media. Degaussing (i.e., demagne-tizing) is a procedure that reduces the magneticflux to virtual zero by applying a reverse mag-netizing field. Properly applied, degaussingrenders any previously stored data on magneticmedia unreadable and may be used in the sani-tization process. Degaussing is more reliablethan overwriting magnetic media. Magneticmedia are divided into three types. Type Idegaussers are used to degauss Type I magneticmedia (i.e., media whose coercivity is nogreater than 350 Oersteds (Oe)). Type Hdegaussers are used to degauss Type 11 mag-netic media (i.e., media whose coercivity is nogreater than 750 Oe). Currently there are nodegaussers that can effectively degauss all

8-5-2

Type HI magnetic media (i.e., media whosecoercivity is over 750 Oe). Some degaussersare rated above 750 Oersteds and their specificapproved rating will be determined prior touse. Coercivity of magnetic media defines themagnetic field necessary to reduce a magneti-cally-saturated material’s magnetization tozero. The correct use of degaussing productsimproves assurance that classified data is nolonger retrievable and that inadvertent disclo-sure will not occur. Refer to the current issue ofNSAS Information Systems Security Productsand Services Catalogue (Degausser ProductsList Section) for the identification of degauss-ers acceptable for the procedures specifiedherein. These products will be periodicallytested to ensure continued compliance with thespecification NSA CSS Media Declassificationand Destruction Manual NSA 130-2.

Sanitizing is a two-step process that includesremoving data from the media in accordancewith Table 1 and removing all classified labels,markings, and activity logs.

(4) Destroying Media. Data storage media will bedestroyed in accordance with Customer-approved methods.

(5) Releasing Media. Releasing sensitive or classi-fied Customer data storage media is a three-stepprocess. First, the Provider will sanitize themedia and verify the sanitization in accordancewith procedures in this chapter. Second, themedia will be administratively downgraded ordeclassified either by the CSA or the ISSR, ifsuch authority has been granted to the ISSR.Third, the sanitization process, downgrading ordeclassification, and the approval to release themedia will be documented.

(3) Sanitizing Media. Sanitization removes informa-tion horn media such that data recovery usingany known technique or analysis is prevented.

8-5-3

~pe Media

(a) Magnetic T~eType IType IIType III

(b) Magnetic Disk PacksType IType IIType III

(c) Magnetic Disk PacksFloppiesBernoulli’sRemovable Hard DisksNon-Removable Hard Disks

(d) Optical DiskRead OnlyWrite Once, Read Many (Worm)Read Many, Write Many

Table 1Clearing and Sanitization Data Storage

Clear Sanitize

s o r b a, b, or destroya o r b b or destroya o r b Destroy

a, b, or ca, b, or ca, b, or cc

c

a, b,or cb o r eDestroy

DestroyDestroya, b, c, or destroya, b, c, or destroy

DestroyDestroyDestroy

These procedures will be performed by or as directed by the ISSR.

a. Degauss with a Type I degausser

b. Degauss with a Type LI degausser

c. Overwrite all locations with a character, its complement, then with a random character. Verify that all sectors havebeen overwritten and that no new bad sectors have occurred. If new bad sectors have occurred during classified pro-cessing, this disk must be sanitized by method a or b described above. Use of the overwrite for sanitization must beapproved by the Customer.

Note: For hand-held devices (e.g., calculators or personal directories), sanitization is dependent upon the type andmodel of the device. If there is any question about the correct sanitization procedure, contact the manufacturer or theCustomer. In general, sanitization is accomplished as follows: Depress the “CLEAR ENTRY” and the “CLEARMEMORY” buttons, remove the battery for several hours, and remove all associated magnetic media and retain it inthe SAPF or destroy. In some models there are special-purpose memories and key-numbered memories, as well as“register stacks.” Caution will be taken to clear all such memories and registers. This may take several key-strokesand may require the use of the operator’s manual. Test the hand held device to ensure that all data has been removed.If there is any question, the device will remain in the SAPF or be destroyed.

8-5-4

Table 2Sanitizing AIS Components

TYPE PROCEDURE

Magnetic Bubble MemoryMagnetic Core MemoryMagnetic Plated WireMagnetic-Resistive Memory

Solid State Memory Components

Random Access Memory (RAM) (Volatile)Nonvolatile RAM (NOVRAM)Read Only Memory (ROM)Programmable ROM (PROM)Erasable Programmable ROM (EPROM)Electronically Alterable PROM (EAPROM)Electronically Erasable PROM (EEPROM)Flash EPROM (FEPROM)

These procedures will be performed by or as directed by the ISSR.

a.

b.

c.

d.

e.

f.

g.

h.

i.

j.

k.

1.

a, b, or ca, b, ord

d o r eDestroy

f, then j1

Destroy (see k)Destroy (see k)

g, then d and jh, then d and ji, then d and ji, then d and j

Degauss with a Type I degausser.

Degauss with a Type II degausser.

Overwrite all locations with any character.

Overwrite all locations with a character, its complement, then with a random character.

Each overwrite will reside in memory for a period longer than the classified data resided.

Remove all power, including batteries and capacitor power supplies, from RAM circuit board.

Perform an ultraviolet erase according to manufacturer’s recommendation, but increase time requirements by afactor of 3.

Pulse all gates.

Perform a full chip erase. (See Manufacturer’s data sheet.)

Check with Customer to see if additional procedures are required.

Destruction required only if ROM contained a classified algorithm or classified data.

Some NOVRAM are backed up by a battery or capacitor power source; removal of this source is sufficient forrelease following item f procedures. Other NOVRAM are backed up by EEPROM which requires application ofthe procedures for EEPROM (i.e., i, then d and j).

8-5-5

Section 6. AIS Acquisition, Maintenance, and Release

S-600. AIS Acquisition, Maintenance, and Release.

a. Acquisition. AISS and AIS components that willprocess classified information will be protected dur-ing the procurement process from direct associationwith the Customer’s program, When required by theCustomer, protective packaging methods and proce-dures will be used while such equipment is in transitto proteet against disclosure of classified relation-ships that may exist between the Customer and theProvider.

b. Maintenance Policy. The Provider will discussmaintenance requirements with the vendor beforesigning a maintenance contract. The Customer mayrequire that AISS and AIS components used for pro-cessing Customer information will be protected dur-ing maintenance from direct association with theCustomer’s program.

(1) Cleared maintenance personnel are those whohave a valid security clearance and accessapprovals commensurate with the informationbeing processed. Complete sanitization of theAIS is not required during maintenance bycleared personnel, but need-to-know will beenforced. However, an appropriately clearedProvider individual will be present within theSAPF while a vendor performs maintenance toensure that proper security procedures are beingfollowed. Maintenance personnel without theproper access authorization and seeurity clear-ance will always be accompanied by an individ-ual with proper security clearance and accessauthorization and never left alone in a SAPF.The escort shall be approved by the ISSR and betechnically knowledgeable of the AIS to berepaired.

(2) Prior to maintenance by a person requiringescort, either the device under maintenance shallbe physically disconnected from the classifiedAIS (and sanitized before and after mainte-nance) or the entire AIS shall be sanitized beforeand after maintenance. When a system failureprevents clearing of the system prior to mainte-nance by escorted maintenance personnel, Cus-tomer-approved procedures will be enforced todeny the escorted maintenance personnel visualand electronic access to any classified data thatmay be contained on the system.

(3) All maintenance and diagnostics should be per-formed in the Provider’s secure facility. AnyAIS component or equipment released fromsecure control for any reason may not bereturned to the SAPF without the approval of theISSR. The Customer may require that a perma-nent set of procedures be in place for the releaseand return of components. These procedureswill be incorporated into the AISSP.

c. Maintenance Materials and Methods.

(1) Unclassified Copy of Operating System. A sepa-rate, unclassified, dedicated for maintenancecopy of the operating system (i.e., a specificcopy other than the copy(s) used in processingCustomer information), including any micro-code floppy disks or cassettes that are integralto the operating system, will be used whenevermaintenance is done by uncleared personnel.This copy will be labeled “UNCLASSIFIED-FOR MAINTENANCE USE ONLY.” Proce-dures for an AIS using a nonremovable storagedevice on which the operating system is residentwill be considered by the Customer on a case-by-case basis.

(2) Vendor-supplied Software and/or Firmware.Vendor-supplied software andfor firmware usedfor maintenance or diagnostics will be main-tained within the secure computing facility andstored and controlled as though classified. If per-mitted by the Customer, the ISSR may allow, ona case-by-case basis, the release of certain typesof costly magnetic media for maintenance suchas disk head-alignment packs.

(3) Maintenance Equipment and Components. Alltools, diagnostic equipment, and other devicescarried by the vendor to the Provider’s facilitywill be controlled as follows:

(a) Tool boxes and materials belonging to a vendor rep-resentative will be inspected by the assigned escortbefore the vendor representative is permitted to enterthe secure area.

(b) The ISSR will inspect any maintenance hardware(such as a data scope) and make a best technicalassessment that the hardware cannot access classifieddata. The equipment will not be allowed in the

8-6-1

secure area without the approval of the ISSR.

(c) Maintenance personnel may bring kits containingcomponent boards into the secure facility for the pur-pose of swapping out component boards that may befaulty. Any component board placed into an unsani-tized AIS will remain in the security facility untilproper release procedures are completed. Any com-ponent board that remains in the kit and is not placedin the AIS may be released from the seeure facility.

(d) Any communication devices with transmit capabilitybelonging to the vendor representative or any datastorage media not required for the maintenance visitwill be retained outside the SAPF for return to thevendor representative upon departure from thesecure area.

(4) Remote Diagnostic Links. Remote diagnosticlinks require Customer approval. Permission forthe installation and use of remote diagnosticlinks will be requested in advance and in wri-ting. The detailed procedures for controlling theuse of such a link or links will have the writtenapproval of the Customer prior to implementa-tion.

d. Release of Memory Components and Boards.Prior to the release of any component from an areaused to process or store Customer information, thefollowing requirements will be met in respect tocoordination, documentation, and written approval.This section applies only to components identifiedby the vendor or other technically knowledgeableindividual as having the capability of retaining useraddressable data and does not apply to other items(e.g., cabinets, covers, electrical components notassociated with data), which may be released withoutreservation. For the purposes of this document, amemory component is considered to be the LowestReplaceable Unit (LRU) in a hardware device.Memory components reside on boards, modules, andsub-assemblies. A board can be a module or mayconsist of several modules and subassemblies.Unlike media sanitization, clearing may be anacceptable method of sanitizing components forrelease (see 8-501, Table 2). Memory componentsare specifically handled as either volatile or nonvola-tile as described below.

(1) Volatile Memory Components. Memory compo-nents that do nor retain data after removal of allelectrical power sources, and when reinsertedinto a similarly configured AIS do nor contain

residual data, are considered volatile memorycomponents. Volatile components may bereleased only after accomplishing the followingStl

(a

x:

Maintain a record of the equipment releaseindicating that all component memory isvolatile and that no data remains in/on thecomponent when power is removed.

(b) Equipment release procedures shall bedeveloped by the ISSR and stated in theAISSP.

(2) Nonvolatile Memory Components. Memorycomponents that do retain data when all powersources are disconnected are nonvolatile mem-ory components. Nonvolatile memory compo-nents defined as read only memory (ROM),programmable ROM (PROM), or erasablePROM (EPROM)that have been programmed atthe vendor’s commercial manufacturing facilityare considered to be unalterable in the field andmay be released. Customized components ofthis nature that have been programmed with aclassified algorithm or classified data will bedestroyed. All other nonvolatile componentsmay be released after successful completion ofthe procedures outlined in 8-501, Table 2. Fail-ure to accomplish these procedures will requirethe ISSR to coordinate with the Customer for adetermination of releasability. Nonvolatile com-ponents shall be released only after accomplish-ing the following steps:

(a) Maintain a record of the equipment releaseindicating the procedure used for sanitiz-ing the component, who performed thesanitization, and who it was released to.

(b) Equipment release procedures must bedeveloped by the ISSR and stated in the

AISSP. The record will be retained for 12months.

(3) Inspecting AIS Equipment. All AIS equipmentdesignated for release will be inspected by theISSR. This review will ensure that all mediaincluding internal disks have been removed.

8-601. Test Equipment. The Provider will determinethe capability of individual test instruments to collectand process information. If necessary, the manufacturerwill be asked to provide this information. A description

8-6-2

of the capabilities of individual test equipment will lxprovided to the Customer. Security requirements arebased on concerns about the capability of the equipmentto retain sensitive or classified data. Test equipment withnonvolatile fixed or removable storage media will com-ply with the requirements of this Supplement and beapproved by the Customer for introduction and use inthe SAPF. Test equipment with no data retention and nosecondary storage does not require Customer approval.

8-6-3

Section 7. Documentation and Training

8-700. Documentation and Training.

a. Provider Documentation. The Provider willdevelop, publish, and promulgate a corporate AISsecurity policy, which will be maintained on file bythe ISSR.

b. Security Documentation. The Provider willdevelop and maintain security-related documentationwhich are subject to review by the Customer as fol-lows:

(1) AISSP. Prepare and submit to the Customer forapproval an AISSP in accordance with Cus-tomer guidance that covers each AIS which willprocess information for the Customer. This planwill appropriately reference all other applicableProvider security documentation. In many cases,an AISSP will include information that shouldnot be provided to the general user population.In these cases, a separate user security guide willbe prepared to include only the security proce-dures required by the users.

(2) Physical Security Accreditation. Maintain onfile the physical security accreditation documen-tation that identifies the date(s) of accreditation,and classification level(s) for the system devicelocations identified in the AISSP, and any openstorage approvals.

(3) Processing Approval. Maintain on file the Cus-tomer’s processing approval (i.e., interimapproval or accreditation) that specifies the dateof approval, system, system location, mode ofoperation, and classification level for which theAIS is approved.

(4) Memorandum of Agreement. Maintain on file aformal memorandum of agreement signed by allCustomers having data concurrently processedby an AIS or attached to the network.

(5) AIS Technical Evaluation Test Plan. As a pre-requisite to processing in the compartmented ormultilevel mode, develop and submit a technicalevaluation tes~ plan to the Customer forapproval. The technical evaluation test plan willprovide a detailed description of how the imple-mentation of the operating system software, data

management system software, and related secu-rity soflware packages will enable the AIS tomeet the compartmented or multilevel moderequirements stated herein. The test plan willalso outline the test procedures proposed todemonstrate this compliance. The results of thetest will be maintained for the life of the system.

(6) Certification Report. The Certification Reportwill be maintained for the life of the system.

c. System User Training and Awareness. All AISusers, custodians, maintenance personnel, and otherswhose work is associated with the Customer will bebriefed on their security responsibilities. These brief-ings will be conducted by the Provider. Each individ-ual receiving the briefing will sign an agreement toabide by the security requirements specified in theAISSP and any additional requirements initiated bythe Customer. This secunt y awareness training willbe provided prior to the individual being grantedaccess to the classified AIS and at least annuallythereafter. The awareness training will cover the fol-lowing items and others as applicable:

(1) The security classifications and compartmentsaccessible to the user and the protection respon-sibilities for each. If the user is a privileged user,discuss additional responsibilities commensu-rate with those privileges;

(2) Requirements for controlling access to AISS(e.g., user lDs, passwords and password secu-rity, the need-to-know principle, and protectingterminul screens and printer output from unau-thon”zed access);

(3) Methods of securing unattended AISS such aschecking print routes, logging off the host sys-tem or network, and turning the A IS off,

(4) Techniques for securing printers such as remov-ing latent images from laser drums, cleaningplatens, and locking up ribbons;

(5) Caution against the use of government-spon-sored computer resources for unauthorizedapplications;

8-7- i

(6) The method of reporting security-related inci-dents such as misuse, violations of system secu-rity, unprotected media, improper labeling,network data spillage, etc.;

(7) Me&a labeling, including classification labels,datadescriptor labels, placement of labels onmedia, and maintenance of label integrity;

(8) Secure methods of copying and verifying medi%

(9) Methods of safeguarding media, including writeprotection, removal from unattended AISS, andstorage;

(10) Methods of safeguarding hard-copy output,including marking, protection during printing,and storage;

(11) Policy on the removal of mediz

(12) Methods of clearing and sanitizing medim

(14) Methods of avoiding viruses and other mali-cious code includhg authorized methods ofacquiring software, examining systems regu-larly, controlling software and media, and plan-ning for emergencies. Dkcuss the use ofrecommended software to protect againstviruses and steps to be taken when a virus is sus-pected;

(15)AIS maintenance procedures including the stepsto be taken prior to AM maintenance and theuser’s point-of-contact for AIS maintenancematters;

(16)Any special security requirements with respectto the user’s AIS environment including connec-tions to other AIS equipment or networks;

( 17)The use of personally owned electronic deviceswithin the SAPF;

(18) Any other items needed to be covered for thespecific Customer’s program.

(13) Procedures for destroying and disposing ofmedia, printer ribbons, and AIS circuit boardsand security aspects of disposing of AISS;

8-7-2

Chapter 9Restricted Data

Section 1. Introduction

9-100. General. This chapter of the NISPOMSUPaddresses those supplemental security requirements forSECRET Restricted Data (SRD) and TOP SECRETRestricted Data (TSRD) information which have beenidentified as being sufficiently sensitive to necessitatesecurity standards above and beyond those mandated bythe NISPOM baseline document. Hereafter these arereferred to as Critical SRD or TSRD. CONFIDEN-TIAL RD and all classification kvels of FormerlyRestricted Data shall be protected in accordancewith the requirements in the NISPOM baseline doc-ument. In addition to those requirements in Chapter 9of the NISPOM, this chapter prescribes the supplemen-tal requirements for the protection of Critical SRD andTSRD information. Neither the NISPOM nor the NIS-POMSUP are to be construed to apply to the safeguard-ing requirements for Special Nuclear Material, NuclearExplosive Like Assemblies, or Nuclear Weapons.

9-101. Requirements. Under the authority of theAtomic Energy Act of 1954, the Secretary of Energy,using his/her authority over Restricted Data, may issueorders, guides, and manuals concerning protection ofRestricted Data. These issuances serve as the basis forgovernment-wide implementation procedures. How-ever, these procedures of other agencies have not beenendorsed by DOE. As a result of changes in the worldsituation, these policy issuances are currently underreview by the Joint DOE/DOD Nuclear Weapons Infor-mation Access Authorization Review Group. Until theReview Group’s recommendations are approved as pol-icy by the Secretary of Energy, DOD contractors willcontinue to protect Critical SRD and TSRD in accor-dance with established contractual provisions. A revi-sion of this chapter will be developed and promulgatedfollowing the results of the Joint DOE/DOD NuclearWeapons Information Access Authorization ReviewGroup. Nothing in this paragraph alters or abridges theauthority of the Secretary of Energy under the AtomicEnergy Act of 1954, as amended. DOD contractsawarded in the interim period dealing with the physicsof nuclear weapons design, as specified in 9-101 .athrough 9-101 .i, will be reviewed by technically quali-fied representatives to determine if the contract involvesthe above specified Critical SRD or TSRD information.

If so, this chapter’s requirements will be included inthe contractual document. DOE technical experts willbe available to provide advice and assistance uponrequest by contracting agency representative. Should theresults of the Joint DOWDOD Nuclear Weapons Infor-mation Access Authorization Review Group modfy theinformation specified in 9-101 .a through 9-101 .i, theaffected contracts may be amended. For DOE contrac-tors, Restricted Datla will continue to be protected inaccordance with the Department of Energy’s 5600series Safeguards and Secur@ orders until theReview Group’s recommendations are approved aspolicy by the Secretary of Energy and this chapter isrevised to conform to the new policy.

a.

b.

c.

d.

e.

Theory of operation (hydrodynamic and nuclear) orcompleted design of thermonuclear weapons or theirunique components. This definition includes specificinformation about the relative placement of compo-nents and their functions with regard to initiating andsustaining the thermonuclear reaction.

Theory of operation or complete design of fissionweapons or their unique components. This defini-tion includes the high explosive system with its det-onators and firing unit, pit system, and nuclearinitiating system as they pertain to weapon designand theory.

Manufacturing and utilization information whichreveals the theory of operation or design of the phys-ics package.

Information concerning inertial confinement fusionwhich reveals or is indicative of weapon data.

Complete theory of operation, complete or partialdesign information revealing sensitive design fea-tures or information on energy conversion of anuclear directed energy weapon. Sensitive informa-tion includes but is not limited to the nuclear energyconverter, energy director, or other nuclear directedenergy system or components outside the envelopeof the nuclear source but within the envelope of thenuclear directed energy weapon.

9- I-I

f. Manufacturing and utilization information and out-put characteristics for nuclear energy converters,directors, or other nuclear directed energy weaponsystems or components outside the envelope of thenuclear source and which do not comprehensivelyreveal the theory of operation, sensitive design fea-tures of the nuclear directed energy weapon or howthe energy conversion takes place.

g. Nuclear weapon vulnerability assessment informa-tion concerning use control systems that reveals anexploitable design feature, or an exploitable systemweakness or deficiency, which could be expected topermit the unauthorized use or detonation of anuclear weapon.

h. Detailed design and functioning information ofnuclear weapon use control systems and their com-ponents. Includes actual hardware and drawings thatreveal design or theory of operation. This alsoincludes use control information for passive andactive systems as well as for disablement systems.

i. Access to specific categories of noise and quietinginformation, fuel manufacturing technology andbroad policy or program direction associated withNaval Nuclear Propulsion Plants as approved by theNaval Nuclear Propulsion Program CSA.

9-102.

a. Contractors shall establish protective measures forthe safeguarding of Critical SRD and TSRD inaccordance with the requirements of this chapte~Where these requirements are not appropriate forprotecting specifi ~pes or forms of mateti~ com-pensatory proviswns shaU be developed andapproved by the CSAJ with the concurrence ofDOE, as appropriate. Nothing in this NLSPOMSUPshall be construed to contradict or inhibit compli-ance with the law or building codes.

b. Access to Restricted D& shall be limited to per-sons who possess appropriate access authorizatwn,or PC& and who require such access (need-to-know) in the performance of oficial duties (i.e.,have a verifiable need-to-know). For access to TOPSECRET Restricted Da@ an individual must pos-sess an active Q access authorization, or a jinalTOP SECRET PCG based on a SSBI. For accessto Critica[ SECRET Restricted Data, as defined in9-101.a through 9-101.i, an individual must pos-sess an active Q access authorization, orjinul TOPSECRET or SECRET PC~ based on a SSBI.Controls shall be established to detect and deterunauthorized access to Restricted Data.

9-1-2

Section 2. Secure Working Areas

9-200. Secure Working Areas.

a. General. When not placed in approved storage, Criti-cal SRI) and TSRD must be maintained in approvedSecured Working Areas, and be constantly attended toby, or under the control of, a person or persons havingthe proper access authorization, or PCL, and a need-to-know, who are responsible for its protection.

b. Requirements. Secure Working Area boundariesshall be defined by physical barriers (e.g., fences,walls, doors). Protective personnel or other measuresshall be used to control authorized access throughdesignated entry portals and to deter unauthorizedaccess to the area. A personnel identification system(e.g., security badge) shall be used as a control mea-sure when there are more than 30 persons per shift.Entrance/Exit inspections for prohibited articles and/or Government property may be conducted by protec-tive personnel. When access to a Secure WorkingArea is authorized for a person without appropriateaccess authorization or need-to-know, measures shallbe taken to prevent compromise of classified matter.Access to safeguards and security interests within aSecure Working Area, when not in approved storage,is controlled by the custodian(s) or authorized user(s).Means shall be used to detect unauthorized intrusionappropriate to the classified matter under protection.

9-201. Barriers. Physical barriers shall be used todemarcate the boundaries of a Secure WorkingArea. Permanent barriers sha!l be used to enclosethe area, except during construction or transientactivities, when temporary barriers may be erected.Temporm-y barriers may be of any height and materialthat effectively impede access to the area.

a. Walls. Building materials shall offer penetrationresistance to, and evidence of, unauthorizedentry into the area. Construction shall meet localbuilding codes. Walls that constitute exterior bar-riers of Security Areas shall extend from thejioor to the structural ceiling, unk?ss equivalentmeans are used.

(1) When transparent glazing material is used,visual access to the classified material shailbe prevented by the use of drapes, blinds, orother means.

(2) Insert-type panels (if used) shall be such thatthey cannot be removed from outside the areabeing protected without showing visual evi-dence of tampering.

b. Ceilings and Floors. Ceilings andjhmrs shall beconstructed of building materials that offer pene-tration resistance to, and evidence of, unautho-rized entry into the area. Construction shall meetlocal building codes.

c. Doors. Doors and doorjambs shall provide thenecessary barrier dehty rati”ng requii 3Y theapplicable procedure. As a minimum, require-ments shall include the following:

(1) Doors with transparent glazing material maybe used if visual access is not a security con-cern; however, they shall o~er penetrationresistance to, and evidence of, unauthorizedentry into the area.

(2) A sight bafle shall be used if visual access isa factor.

(3) An astraga[ shall be used where doors usedin pairs meet.

(4) Door 10U vers, baffle plates, or astragals,when used, shall be reinforced and immov-able from outside the area being protected.

d. Windows. The following requirements shall beapplicable to windows:

(1) When primary reliance is placed on windowsas physical barriers, they shall offer penetra-tion resistance to, and evidence o~ unautho-rized entry into the area.

(2) Frames shall be securely anchored in thewalls, and windows shall be locked from theinside or installed in jixed (nonoperable)frames so the panes are not removable fromoutside the area being protected.

(3) Visual barriers shall be used if visual accessis a factor.

9-2- I

e. Unattended Openings.

(1) Physical protection features shall be imple-mented at all locations where storm sewers,drainage swells, and site utilities intersectthe fence perimeten

(2) Unattended openings in security barriers,which meet the following criteria, mustincorporate compensatory measures such assecurity bars: greater than 96 inches square

(619.20 square centimeters) in area andgreater than 6 inches (15.24 centimeters) inthe smallest dimension; and located within18 feet (5.48 meters) of the ground, roo~ orledge of a lower Security Area; or located 14feet (4.26 m) diagonally or directly oppositewindows, jire escapes, roofs, or other open-ings in uncontrolled adjacent buildings; orlocated 6 feet (1.83 m) from uncontrolledopenings in the same barrier.

9-2-2

Section 3. Storage Requirements

9-300. General. Custodians and authorized users ofCritical SRD and TSRD are responsible for the pro-tection and control of such matter.

9-301. TSRD Storage. TOP SECRET Restricted Datathat is not under the personal control of an authorizedperson shall be stored within a security repositorylocated within a Secure Working Area with CSAapproved supplementary protectz”on consistent withChapter 5-307.a and 5-307.b of the NISPOM baseline.Authorized repositories are as follows:

a. In a locked, General Services Administration -approved security container.

b. In a vault or vault-type room.

9-302. Critical SRD Storage. Critical SRD shall bestored in a manner authon”zed for Top SecretRestricted Data matter or in one of the following ways:

b. Zn a General Services Administration-approvedsecurity container, not located within a SecureWorking Area, under supplemental protection (Le.,intrusion detection system protection or protectt”vepatrol).

c. In a steeljiling cabinet, not meeting General Ser-vices Administration requirements, but approvedfor use prior to the date of this NISPOMSU4which may continue to be used until there is aneed for replacement. It shall be equipped with aminimum of either an Underwriter LaboratoriesGroup 1, built-in, changeable combination lock ora lock that meets Federal Spec@cation FF-P-11O“Padlock, Changeabk Combination. ” Steel jilingcabinets located within a Secure Working Areashall be under approved supplemental protection(Le., intrusion detection system protection or pro-tective patrol). If the steel fding cabinet is notlocated within a Secure Working Are4 it shall beunder intruswn detection system protection.

a. In a locked General Services Administration-approved secun”ty container located within aSecure Working Area.

9-3-1

Chapter 10International Security Requirements

International security information that is required by aSAP or is SAP-related will conform to the NISPOM asdirected by the PSO.

10-1-1

Chapter 11Miscellaneous

Section 1:

TEMPEST Requirements. When compliance withTEMPEST standards is required for a contract, theGPNVPSO will issue specific guidance in accordancewith current national directives that afford considerationto realistic, validated, local threats, cost effectiveness,and zoning.

TEMPEST

11- I-I

Section 2. Government Technical Libraries

SAP information will not be sent to the NationalDefense Technical Information Center or the U.S.Department of Energy Ofice of Scientific and Tech-nical Information.

11-2- I

Section 3. Independent Research and Development

11-300. General. The use of SAP information for acontractor Independent Research and Development(IR&D) effort will occur only with the spec@c writtenpermisswn of the Contracting O@ez Procedures andrequirements necessary for safeguarding SAP classi-fied information when d is incorporated in a contrac-tor’s IR&D effort will be coordinated with the PSO.

11-301. Retention of SAP Classified Documents Gen-erated Under IR&D Efforts. With the permission ofthe Contracting Officer, the contractor may be allowedto retain the classified material generated in connection

with a classified IR&D effort. The classified documentsmay be required to be sanitized. If necessary, the Gov-ernment agency will provide the contractor assistance insanitizing the material to a collateral or unclassifiedlevel (i.e., by reviewing and approving the material forrelease).

11-302. Review of Classified IR&D Efforts. ZR&Doper~”ons and documenWion that contain SAP ckzs-sijied information will be subject to review in thesame manner as other SAP classified information inthe possession of the contractor. .,

11-3-1

Section 4. Operations Security

Special Access Programs may require unique Opera-tions Security (OPSEC) plans, surveys, and activities tobe conducted as a method to identify, define, and pro-vide countermeasures to vulnerabilities. These require-ments may be made part of the contractual provisions.

.

II-4- I

Section 5. Counterintelligence (CI) Support

11-500. Counterintelligence (CI) Support. Analysis offoreign intelligence threats and risks to Program infor-mation, material, personnel, and activities may beundertaken by the Government Agency. Resulting infor-mation that may have a bearing on the security of a SAPwill be provided by the Government to the contractorwhen circumstances permit. Contractors may use CIsupport to enhance or assist security planning and safe-guarding in pursuit of satisfying contractual obligations.Requests should be made to the PSO.

11-501. Countermeasures. Security countermeasuresmay be required for SAPS to protect critical information,assets, and activities. When OPSEC countermeasures

are neeessary, they will be made a part of the contractprovisions and cost implementation may be subject tonegotiation. Countermeasures may be active or passivetechniques, measures, systems, or procedures imple-mented to prevent or reduce the timely effective collec-tion and/or analysis of information which would revealintentions or capabilities (e.g., traditional seeurity pro-gram measures, electronic countermeasures, signaturemodification, operational and/or procedural changes,direct attack against and neutralization of threat agentsand/or platforms, etc.).

II-5-1

Section 6. Decompartmentation, Disposition, andTechnology Transfer

11-600. Every scientific pape~ journal article, book,brie$ng, etc., pertaining to a SAP and prepared bypersonnel currently or previously briefed on the SAPthat is proposed for pubficti”on or presentatwn out-side of the SAP will be reviewed by the PSO and a Pro-gram-briefed Public A~airs O@er (PAO) ifavaifable.Any release will be by the GPM. Often SAP-unique“tools” such as models, software, technology, and facil-ities may be valuable to other SAPS. Some information,material, technology, or components may not be indi-vidual y sensitive. If information or materials can besegregated and disassociated from the SAP aspects ofthe Program, decompartmentation and release of theinformation and/or materials may be approved to sup-port U.S. Government activities. The information andtiriak proposed for release will remain within theProgram Security Channels until authorized forrekase.

11-601. Procedures. The following procedures apply tothe partial or full decompartmentation, transfer (either toanother SAP or collateral Program), and disposition ofany classified information, data, material(s), and hard-ware or software developed under a SAP contract orsubcontract (SCI information will be handled withinSCI channels).

a. Deeompartmentation. Prior to decornpartmentingany classljied SAP inform~”on or other mderial(s)developed within the Program, the CPSO willobtain the written approval of the CPM. Decorn -partmentation initiatives at a Program activity willinclude compkti”on of a Decompartmentation orTransfer Review Format Include supportt”ng docu-mentatwn that will be submitted through the PSO

to the GPM. Changes, conditions and stipuhtionsdirected by the GPM will be adhered to. Approval ofProgram decompartmentin and all subsequenttransfers will be in writing.

b. Technology Transfer. Technologies may be trans-ferred through established and approved channels incases where there would be a net benefit to the U.S.Government and Program information is notexposed or compromised. The Contracting Officer isthe approval authority for technology transfers.

(1) Contractor Responsibilities. CPSOS will ensurethat technologies proposed for transfer receivea thorough security review. The review wiflinclude a written certification that all chzssifieditems and uncfassl#ied Program-sensitiveinformation have been redactedfiom the mate-rial in accordance with sanitizatwn proceduresauthorized by the GPM. A description of thesanitization method used and identific~ion ofthe ofiial who accomplished the reaktionwill accompany the information or material(s)forwarded to the GPMfor review and approval

(2) Government Responsibilities. The contractingofficer’s representative (COR), PSO, and GPMwill make every attempt to review requestsexpeditiously. Requests will be submitted atleast thirty (30) working days prior to therequested release date. This is particularlyimportant when requesting approval for Pro-gram-briefed personnel to make non-Programrelated presentations at conferences, symposia,etc.

11-6-1

Section 7. Other Topics

11-700. Close-out of a SAP. At the initiation of a con-tract close-out, terrninati”on or compkticm of the con-tract eflo~ the CPSO will consider actions fordisposition of residual hardware, sojlwwre, documen-tation, facilities, and personnel accesses. Securityactions to dose.out Program activities wiU preventcompromise of class@ed Program ekments or otherSAP secunly objectives. The contractor may berequired to submit a termination plan to the Gover-nment. The master classified material accountabilityrecord (log or register) normally will be transferred tothe PSO at Program close-out.

11- 70Z Patents. Patents involving SAP informationwill be forwarded to the GPMIPSO for submisswnto the Patents Oflce. The PSO wiU coordinate withGovernment attorneys and the Patent Ofice for sub-mission of the patent.

11-703. Telephone Security. The PSO will determinethe controls, active or inactive, to be placed on tekcom-munication lines. SAPFS accredited for discusswn orelectronic processing will comply with DCID 1/21and Telephone Security Group (TSG) standards asdetermined by the PSO.

11-701. Special Access Program Secure Communi-cations Network. SAPS may use a SAP secure commu-nications and/or data network linking the GPM and/orcontractors with associated technical, operational, andlogistic support activities for secure communications.

11-7- I

Appendix ADefinitions

Access Approval Authority. Individual responsiblefor final access approval and/or denial determination.

Access Roster. A database or listing of individualsbriefed to a special access program.

Access Termination. The removal of an individualfrom access to SAP or other Program information.

Accrediting Authority. A Customer official who hasthe authority to decide on accepting the security safe-guards prescribed or who is responsible for issuing anaccreditation statement that records the decision toacccept those safegumds.

Acknowledged Special Access Program. A SAPwhose existence is publicly acknowledged.

Acquisition Special Access Program (AQ-SAP). Aspecial access program established primarily to protectsensitive research, development, testing, and evaluation(RDT&E) or procurement activities in support of sensi-tive military and intelligence requirements.

Agent of the Government. A contractor employeedesignated in writing by the Government ContractingOfficer who is authorized to act on behalf of the Gov-ernment.

Authentication. a. To establish the validity of aclaimed identity. b. To provide protection against fraud-ulent transactions by establishing the validity of mes-sage, station, individual, or originator.

Automated Information System (AIS). A genericterm applied to all electronic computing systems. AISSare composed of computer hardware (i.e., automateddata processing (ADP) equipment and associateddevices that may include communication equipment),firmware, operating systems, and other applicable soft-ware. AISS collect, store, process, create, disseminate,communicate, or control data or information.

Billets. A determination that in order to meet need-to-know criteria, certain SAPS may elect to limit access toa predetermined number of properly cleared employees.Security personnel do not count against the billet sys-tem.

Boundary. The boundary of an AIS or networkincludes all users that are directly or indirectly con-nected and who can receive data from the system with-out a reliable human review by an appropriately clearedauthority.

Certification. A statement to an accrediting authorityof the extent to which an AIS or network meets its secu-rity criteria. This statement is made as pm of and insupport of the accreditation process.

Clearing. The removal of information from the mediato facilitate continued use and to prevent the AIS systemfrom recovering previously stored data. However, thedata may be recovered using laboratory techniques.Overwriting and degaussing are acceptable methods ofclearing media.

Codeword. A single classified word assigned to repre-sent a specific SAP or portions thereof.

Collateral Information. Collateral information isNational Security Information created in parallel withSpecial Access Information under the Provisions ofE.O. 12356 (et al) but which is not subject to the addedformal security protection required for Special AccessInformation (stricter access controls, need-to-know,compartmentation, stricter physical security standards,etc).

Compelling Need. A requirement for immediateaccess to special program information to prevent failureof the mission or operation or other cogent reasons.

Contractor Program Security Officer (CPSO). Anindividual appointed by the contractor who performs thesecurity duties and functions for Special Access Pro-grams.

Contractor Program Manager (CPM). A contrac-tor-designated individual who has overall responsibilityfor all aspects of a Program.

Counterintelligence Awareness. A state of beingaware of the sensitivity of classified information onepossesses, collaterally aware of the many modes ofoperation of hostile intelligence persons and otherswhose interests are inimical to the United States while

A-1

being able to recognize attempts to compromise one’sinformation, and the actions one should take, when onesuspects he has been approached, to impart the neces-sary facts to trained counterintelligence personnel.

Customer. The Government organization that sponsorsthe processing.

Data Integrity. a. The state that exists when computer-ized data is the same as that in the source documents andhas not been exposed to accidental or malicious alter-ation or destruction. b. The property that data has notbeen exposed to accidental or malicious alteration ordestruction.

Debriefing. The process of informing a person hisneed-to-know for access is terminated.

Declassification {Media). An administrative step thatthe owner of the media takes when the classification islowered to UNCLASSIFIED. The media must be prop-erly sanitized before it can be downgraded to UNCLAS-SIFIED.

Degauss. a. To reduce the magnetization to zero byapplying a reverse (coercive) magnetizing force, com-monly referred to as demagnetizing, or b. To reduce thecorrelation between previous and present data to a pointthat there is no known technique for recovery of the pre-vious data.

Degausser. An electrical device or hand-held perma-nent magnet assembly that generates a coercive mag-netic force for degaussing magnetic storage media orother magnetic material.

Degaussing (Demagnetizing). Procedure using anapproved device to reduce the magnetization of a mag-netic storage media to zero by applying a reverse (coer-cive) magnetizing force rendering any previously storeddata unreadable and unintelligible.

Digraph and/or Trigraph. A two and/or three-letteracronym for the assigned Codeword or nickname.

Disclosure Record. A record of names and dates ofinitial access to any Program information.

e.g. For example (exempli gratia).

EPROM. A field-programmable read-only memorythat can have the data content of each memory cellaltered more than once. An EPROM is bulk-erased byexposure to a high-intensity ultraviolet light. Sometimesreferred to as a reprogrammable read-only memory.

EEPROM. Abbreviation for electrically erasable pro-grammable read-only memory. These devices are fabri-cated in much the same way as EPROMs and, therefore,benefit from the industry’s accumulated quality and reli-ability experience. As the name implies, erasure isaccomplished by introducing electrical signals in theform of pulses to the device, rather than by exposing thedevice to ultraviolet light. Similar products using anitride NMOS process are termed EAROMS (for elec-trically alterable read-only memory).

Government Program Manager (GPM). The seniorGovernment Program official who has ultimate respon-sibility for all aspects of the Program.

i.e. That is (id est).

Inadvertent Disclosure. A set of circumstances or asecurity incident in which a person has had involuntaryaccess to classified information to which the individualwas or is not normally authorized.

Indoctrination. An initial indoctrination andforinstruction provided each individual approved to a SAPprior to his exposure concerning the unique nature ofProgram information and the policies, procedures, andpractices for its handling.

Information Systems Security Representative(ISSR). The Provider-assigned individual responsiblefor the on-site security of the AIS(S) processing infor-mation for the Customer.

Joint Use Agreement. A written agreement signed bytwo or more accrediting authorities whose responsibilityincludes information processed on a common AIS ornetwork. Such an agreement defines a cognizant secu-rity authority and the security arrangements that willgovern the operation of the network.

Memorandum of Agreement (MOA). An agreement,the terms of which are delineated and attested to by thesignatories thereto. MOA & MOU (Memorandum ofUnderstanding) are used interchangeably.

Eligibility. A determination that a person meets person-nel security standards for access to Program material.

A-2

Network. A computing environment with more thanone independent processor interconnected to permitcommunications and sharing of resources.

Nicknames. A combination of two separate unclassi-fied words assigned to represent a specific SAP or por-tion thereof.

Nonvolatile Memory Components. Memory compo-nents that do retain data when all power sources are dis-connected.

Object Reuse. The reassignment to some subject of amedium (e.g., page frame, disk sector, magnetic tape)that contained one or more objects. To be securely reas-signed, such media will contain no residual data fromthe previously contained object(s).

Office Information System (01S). An 01S is a spe-cial purpose AIS oriented to word processing, electronicmail, and other similar office functions. An 01S is nor-mally comprised of one or more central processingunits, control units, storage devices, user terminals, andinterfaces to connect these components.

Overwrite (Re-recording) Verification. An approvedprocedure to review, display, or check the success ofan overwrite procedure, or b. The successful testingand documentation through hardware and randomhard-copy readout of the actual overwritten memorysectors.

Perimeter. The perimeter of an AIS or network is theextent of the system that is to be accredited as a singlesystem.

Peripheral Devices. Any device attached to the net-work that can store, print, display, or enhance data (e.g.,disk and/or tape, printer and/or plotter, an optical scan-ner, a video camera, a punched-card reader, a monitor,or card punch).

Personal Computer System (PC). A PC is a systembased on a microprocessor and comprised of internalmemory (ROMs and RAMs), input and/or output, andassociated circui~. It typically includes one or moreread/write device(s) for removable magnetic storagemedia (e.g., floppy diskettes, tape cassettes, hard diskcartridges), a keyboard, CRT or plasma display, and aprinter. It is easily transported and is primarily used ondesk tops for word processing, database management, orengineering analysis applications.

Program Access Request (PAR). A formal requestused to nominate an individual for Program access.

Program Channels or Program Security Channels.A method or means expressly authorized for the han-dling or transmission of classified or unclassified SAPinformation whereby the information is provided toindoctrinated persons.

Program Executive Agent. The highest ranking mili-tary or civilian individual charged with direct respons-ibility for the Program and usually appoints theGovernment Program Manager.

Program Material. Program m~tenal and informationdescribing the service(s) provided, the capabilitiesdeveloped, or the item(s) produced under the SAP.

Program Security Officer (PSO). The Governmentofficial who administers the security policies for theSAP

Program Sensitive Information. Unclassified infor-mation that is associated with the Program. Material orinformation that, while not directly describing the Pro-gram or aspects of the Program, couId indirectly dis-close the actual nature of the Program to a non-Program-briefed individual.

Provider. The Contractor or Government-support orga-nization (or both) that provides the process on behalf ofthe Customer.

Sanitizing. The removal of information from the mediaor equipment such that data recovery using any knowntechnique or analysis is prevented. Sanitizing shallinclude the removal of data from the media, as well asthe removal of all classified labels, markings, and activ-ity logs. Properly sanitized media may be subsequentlydeclassified upon observing the organization’s respec-tive verification and review procedures.

Secure Working Area. An accredited facility or areathat is used for handling, dkcussing andlor processing,but not storage of SAP information.

Security level. A clearance or classification and a set ofdesignators of special access approvals; i.e., a clearanceand a set of designators of special access approval or aclassification and a set of such designators, the formerapplying to a user, the latter applying, for example, to acomputer object.

Security Policy. The set of laws, rules, and practicesthat regulate how an organization manages, protects,and distributes sensitive information. A complete secu-rity policy will necessarily address many concernsbeyond the scope of computers and communications.

A-3

Security Profile. The approved aggregate of hardwarclsoftware and administrative controls used to protect thesystem.

Security Testing. A process used to determine that thesecurity features of a system are implemented asdesigned and that they are adequate for a proposedapplication environment. This process includes hands-on functional testing, penetration testing, and venfica-tiort. See also: Functional Testing, Penetration Testing,Verification.

Sensitivity Label. A collection of information that rep-resents the security level of an object and that describesthe sensitivity of the data in the object. A sensitivity labelconsists of a sensitivity level (classification and compart-ments) and other required security markings (e.g., Code-words, handling caveats) to be used for labeling data.

Sensitive Activities. Sensitive activities are specialaccess or Codeword programs, critical research anddevelopment efforts, operations or intelligence activi-ties, special plans, special activities, or sensitive supportto the customer or customer contractors or clients.

Sensitive Compartmented Information (SCI). SCIis classified information concerning or derived fromintelligence sources and methods or analytical processesthat is required to be handled within a formal controlsystem established by Director of Central Intelligence.

Sensitive Compartmented Information Facility(SCIF). SCIF is an area, room(s), building installationthat is accredited to store, use, discuss, or electronicallyprocess Sensitive Compartmented Information (SCI).The standards and procedures for a SCIF are stated inDCIDS 1/19 and 1/21.

Special Access Program Facility (SAPF). A specificphysical space that has been formally accredited in writ-ing by the cognizant PSO which satisfies the criteria forgenerating, safeguarding, handling, discussing, and stor-ing CLASSIFIED and/or UNCLASSIFIED Programinformation, hardware, and materials.

Special Program Document Control Center. Thecomponent’s activity assigned responsibility by theISSR for the management, control, and accounting of alldocuments and magnetic media received or generated asa result of the special program activity.

Stand-Alone AIS. A stand-alone AIS may includedesktop, laptop, and notebook personal computers, andany other hand-held electronic device containing classi-fied information. Stand-alone AISS by definition are notconnected to any LAN or other type of network.

System. An assembly of computer andlor communica-tions hardware, software, and firmware configured for thepurpose of classifying, sorting, calculating, computing,summarizing, transmitting and receiving, storing, andretrieving data with a minimum of human intervention.

Trigraph. (See Digraph ruder Trigraph.)

Trojan Horse. A computer program with an apparentlyor actually useful function that contains additional (hid-den) functions that surreptitiously exploit the legitimateauthorizations of the invoking process to the detrimentof security (for example, making a “blind copy” of asensitive file for the creator of the Trojan horse).

Trusted Computer System. A system that employssufficient hardware and software integrity measures toallow its use for processing simultaneously a range ofsensitive or classified information.

Trusted Path. A mechanism by which a person at a ter-minal can communicate directly with the trusted com-puting base. This mechanism can only be activated bythe person or the trusted computing base and cannot beimitated by untrusted software.

Two-Person Integrity. A provision that prohibits oneperson from working alone.

Unacknowledged Special Access Program. A SAPwith protective controls that ensures the existence of theProgram is not acknowledged, affirmed, or made knownto any person not authorized for such information. Allaspects (e.g., technical, operational, logistical, etc.) arehandled in an unacknowledged manner.

Users. Any person who interacts directly with an AISor a network system. This includes both those personswho are authorized to interact with the system and thosepeople who interact without authorization (e.g., activeor passive wiretappers).

Vendor. The manufacturer or sellers of the AIS equip-ment and/or software used on the special program.

Virus. Malicious software. A form of Trojan horse thatreproduces itself in other executable code.

Volatile Memory Components. Memory componentsthat do not retain data after removal of all electricalpower sources and when reinserted into a similarly con-figured AIS do not contain residual data.

Workstation. A high-performance, microprocessor-based platform that uses specialized software applicableto the work environment.

A-4

Appendix BAIS Acronyms

Many computer security-related acronyms are used in this Supplement. These acronyms, after first beingdefined, are used throughout this document to reduce its length. The acronyms used in this document are definedbelow:

AIs Automated Information SystemAISSP AIS SeJ urity Plan

CM Configuration ManagementCCB Configuration Control BoardCPU Central Processing UnitCRT Cathode Ray Tube (Monitor Screen Tube)CSA Cognizant Security Agency (Customer)

DAC Discretionary Access ControlDCID Director of Central Intelligence DirectiveDoD Department of Defense

E.O. Executive OrderEPROM Erasable Programmable Read-Only MemoryEAPROM Electrically Alterable Programmable Read-Only MemoryEEPROM Electrically Erasable Programmable Read-Only Memory

L/o Input and/or OutputISSR Information System Security Representative

K Thousand (kilo)

LAN Local Area NetworkLOOON Log On

MAC Mandatory Access ControlMODEM Modulator and/or Demodulator

NCSC National Computer Security CenterNSA National Security Agency

OMB Office of Management and Budget

IT Personal Computer (i.e., desktop, laptop, notebook, or hand-held computer)PL Public LawPROM Programmable Read-Only Memory

Random Access MemoryROM Read Only Memory

SAN Separately Accredited NetworkSAP Special Access ProgramSAPF Special Access Program Facility

B-1

SCISTD

TS

USER ID

Sensitive Compartmented InformationStandard

Top Secret

User Identification

B-2

Appendix CAISSP Outline

This outline provides the basis for preparing an AIS Security Plan (AISSP). The annotated outline, withprompts and instructions, will assist ISSRS in preparing a plan that includes necessary overviews, descriptions,listings, and procedures. It will also assist in covering the requirements contained in this NISPOM Supplement.In preparing the AISSP, any information that does not appropriately fit under a subtitle may be placed under amain title. For example, a hardware list or references to a hardware list will be placed under the 4.0 AIS HARD-WARE heading. For changes to an existing plan that do not require revision of the entire plan, provide name anddate of the plan to be modified, date of changes on each page, and cross reference to the plan’s applicable para-graph numbers. (For changes, only the change pages with the applicable plan name and date need to be sent tothe CSA.)

Table Of Contents

1.0 INTRODUCTION

1.1 Administration

1.2 Purpose and Scope

2.0 SAPF DESCRIPTION

2.1 Physical Environment

2.2 Floor Layout

2.3 SAPF Access

3.0 AIS DESCRIPTION

3.1 General Information

3.2 Configuration and Connectivity

3.3 User Access and Operation

3.4 Audit Trail

4.0 AIS HARDWARE

4.1 Labeling Hardware

4.2 Maintenance Procedures

4.3 Hardware Sanitization and Destruction

4.4 Hard ware Transport and Release

4.5 Hardware Control and Audit Trails

5.0 AIS SOFTWARE

5.1 Authorized Software

5.2 Software Procedures

6.0 DATA STORAGE MEDIA

6.1 Labeling and Storing Media

6.2 Media Sanitization and Destruction

6.3 Media Transport and Release

6.4 Media Control

7.0 AIS SECURITY AWARENESS

8.0 GLOSSARY OF TERMS

c-1

1.0

1.1

1.2

2.0

2.1

2.2

INTRODUCTION

This section will describe the purpose and scope of the AISSP. It may include any topic intended to helpthe reader understand and appreciate the purpose of the AISSP. Pertinent background information mayalso be presented to provide clarity.

Security Administration.

Provide the name and date of this plan and indicate whether it is an original or revised plan.

Specify the cognizant Customer Program Office whose activity the AIS will support and the contractnumber(s), if applicable.

Specify the Provider’s name and address. Identify the location of the AIS equipment (including thebuilding and room numbers(s)).

Provide the names of the Provider’s program manager, ISSR, alternate(s). Also provide their secure andunsecure telephone numbers and their normal office hours.

Provide an organizational structure showing the name and title of all security management levels abovethe ISSR.

Provide joint-use information if applicable.

Purpose and Scope.

The plan will describe how the Provider will manage the security of the system. Describe the purposeand scope of this AIS.

SAPF DESCRIPTION.

This section will provide a physical overview of the AIS SAPF (including its surroundings) that is usedto secure the Customer’s program activities. It will include information about the secure environmentrequired to protect the AIS equipment, software, media, and output.

Physical Environment.

State whether the SAPF is accredited or approved to process and store classified information, whoaccredited or approved it, the security level, and when approved. State whether the SAPF is approved foropen or closed storage.

Specify whether the storage approval is for hard disk drives, diskettes, tapes, printouts, or other items.

State whether the approval includes unattended processing.

Floor J.ayout.

Provide a floor plan showing the location of AIS equipment and any protected wire lines. (This may beincluded in a referenced appendix. ) The building and room number(s) will match the information pro-vided in the hardware listing (see 4.0).

P9L-L

2.3 SAPF Access.

Describe procedures for controlling access to the AIS(S) to include: after hours access, personnel accesscontrols, and procedures for providing access to uncleared visitors (e.g., admitting, sanitizing area,escorting).

2.4 TEMPEST.

If applicable, describe TEMPEST countermeasures.

3.0 AIS DESCRIPTION‘

This section will provide a detailed description of the system and describe its security features andassurances.

Describe variances and exceptions.

3.1 General Information

Provide a system overview and description.

Specify clearance level, formal access (if appropriate), and need-to-know requirements that are beingsupported.

Identify the data to be processed including classification levels, compartments, and special handlingrestrictions that are relevant.

State the mode of operations.

Indicate the AIS’s usage (in percent) that will be dedicated to the Customer’s activity (e.g, periods pro-cessing).

3.2 Configuration and Connectivity.

Specify whether the AIS is to operate as a stand-alone system, as a terminal connected to a mainframe,or as a network.

Describe how the AIS or network is configured. If a network, specify whether it is a unified network orinterconnected network. Describe the security support structure and identify any specialized securitycomponents and their role.

Identify and describe procedures for any connectivity to the AIS(S). Indicate whether the connectionsare to be classified or unclassified systems.

Provide a simplified block diagram that shows the logical connectivity of the major components (thismay be shown on the floor layout if necessary-see 2.2). For AISS operating in the compartmented ormultilevel modes an information flow diagram wili be provided.

If applicable, discuss the separations of classified and unclassified AISS within the SAPF.

Indicate whether the AIS is configured with removable or nonremovable hard disk drives.

c -3

Describe the configuration management program. Describe the procedures to ensure changes to the AISrequire prior coordination with the ISSR.

3.3 User Access and Operation.

Describe the AIS operation start-up and shut-down (mode termination). Provide any unique equipmentclearing procedures.

Discuss all AIS user access control (e.g., log-on ID, passwords, file protection, etc.).

Identify the number of system users and the criteria used to determine privileged access.

If the mode is other than dedicated, discuss those mechanisms that implement DAC and MAC controls.

Discuss procedures for the assignment and distribution of passwords, their frequency of change, and thegranting of access to information and/or files.

Indicate whether AIS operation is required 24 hours per day.

Discuss procedures for after hours processing. State whether the AIS(S) are approved for unattendedprocessing.

Discuss procedures for marking and controlling AIS printouts.

Discuss remote access and operations requiring specific approval by the CSA.

Discuss procedures for incident reporting.

3.4 Audit Trails.

If applicable, discuss the audit trails used to monitor user access and operation of the AIS and the infor-mation that is recorded in the audit (rail. State whether user access audit trails are manual or automatic.

Identify the individual who will review audit trails and how often.

Describe procedures for hand] ing discrepancies found during audit trails reviews.

4.0 AIS HARDWARE

This section will describe the AIS hardware that supports the Customer’s program. This section will pro-vide a listing of the AIS hardware and procedures for its secure control, operation, and maintenance.

Provide a complete listing of the major hardware used to support the Customer’s program activities. Thislist may be in tabular form located either in this section or a referenced appendix. The following infor-mation is required for all major AIS hardware: nomenclature, model, location (i.e., building/room num-ber), and manufacturer.

Provide a description of any custom-built AIS hardware,

Indicate whether the AIS hardware has volatile or nonvolatile memory components. Specifically, iden-tify components that are nonvolatile.

c - 4

.

If authorized, describe procedures for using portable devices for unclassified processing.

Identify the custodian(s) for AISS.

4.1 Labeling Hardware.

Describe how the AIS hardware will be labeled to identify its classification level (e.g., classified andunclassified AISS collocated in the same secure area).

4.2 Maintenance Procedures.

Describe the maintenance and sanitization procedures to be used for maintenance or repair of defectiveAIS hardware by inappropriately cleared personnel.

4.3 Hardware Sanitization and Destruction.

Describe the procedures or methods used to sanitize and or destroy AIS hardware (volatile or nonvola-tile components).

4.4 Hardware Movement.

Describe the procedures or receipting methods used to release and transport the AIS hardware from theSAPF.

Describe the procedures or receipting methods for temporarily or permanently relocating the AIS hard-ware within the SAPF.

Describe the procedures for introducing hardware into the SAPF.

4.5 Hardware Control and Audit Trails.

Describe all AIS hardware maintenance logs, the information recorded on them, who is responsible forreviewing them, and how often.

5.0 AIS SOFTWARE

This section will provide a listing of all the software that supports the Customer’s program. It will alsoprovide procedures for protecting and using this software.

5.1 Authorized Software.

Provide a complete listing of al I software used to support the Customer’s program activities. This listmay be in tabular form and may be located either in the section or in a referenced appendix. The listingwill also include security software (e. g., audits software, anti-virus software), special-purpose software(e.g., in-house, custom, commercial utilities), and operating system software. The following informationis required for AIS software: software name, version, manufacturer, and intended use or function.

c - 5

5.2 Software Procedures.

Indicate whether a separate unclassified version of the operating system software will be used for main-tenance.

Describe the procedures for procuring and introducing new AIS software to support program activities.

Describe the procedures for evaluating AIS software for security impacts.

Describe procedures for protecting software from computer viruses and malicious code and for reportingincidents.

6.0 DATA STORAGE MEDIA

This section provides a description of the types of data storage media to be used in the Customer’s pro-gram and their control.

6.1 Labeling and Storing Media.

Describe how the data storage media will be labeled (identify the classification level and contents).

Discuss how classified and unclassified data storage media is handled and secured in the SAPF (e.g.,,safes, vaults, locked desk).

6.2 Media Clearing, Sanitization, and Destruction.

Describe the procedures or methods used to clear, sanitize, and destroy the data storage media.

6.3 Media Movement.

Describe the procedures (or receipting methods) for moving data storage media into and out of theSAPF.

Describe the procedures for copying, reviewing, and releasing information on data storage media.

6.4 Media Control.

Describe the method of controlling data storage media.

7.0 AIS SECURITY AWARENESS PROGRAM

Discuss the Provider’s security awareness program.

Indicate that the AIS users are required to sign a statement acknowledging that they have been briefedon the AIS security requirements and their responsibilities.

8.0 GLOSSARY OF TERMS

C-6

Appendix DAIS Certification and Accreditation

A. CERTIFICATION

The ISSR, working jointly with the Customer, is responsible for coordinating and supporting the certification process.The ISSR is responsible for certifying, or coordinating the certification of, the AIS or network. Certification, which isa prerequisite for accreditation, is accomplished as follows:

1. Identi& operational requirements, define the Mode of Operation, and identify applicable security requirements,in accordance with this document and applicable documents referenced herein.

2. Conduct a Risk Management Review to identify risks and needed countermeasures and specify additional secu-rity requirements (countermeasures) based on the review.

3. Prepare an AISSP. Refine the plan throughout the certification process.

4. Conduct a test and inspection to establish the extent to which the AIS performs the stxurity functions needed tosupport the mode of operation and security policy for the system as outlined in the AISSP. The Customer willrequire a written certification report.

5. Operating in the compartmented or multilevel mode requires the development of an AIS Technical EvaluationPlan. After Customer concurrence, accomplish testing as described herein. AIS security testing provides assur-ance to the Customer that the subject AH(s) or network(s) meets the security requirements for operating in thecompartmented or multilevel mode. Such testing is a prerequisite for Customer accreditation.

a. Coordination Scheduling and Testing. The security test may be jointly conducted by the Provider and the CuS-tomer.

b. Testing Prerequisite. The Provider-developed A IS Technical Evaluation Test Plan will be coordinated andlorapproved by the customer.

B. ACCREDITATION

Accreditation is the Customer’s authorization and approval for an AIS or network to process sensitive data in an oper-ational environment. The Customer bases the accreditation on the results of the certification process. Following certi-fication, the Customer reviews the risk assessment, employed safeguards, vulnerabilities, and statement of level ofrisk and makes the accreditation decision to accept risk and grant approval to operate; grant interim approval to oper-ate (IATO) and fix deficiencies; or to shut-down, fix deficiencies, and recertify.

D- I

Appendix EReferences

1. U.S. Government Publications

OMB Circular Management of Federal Information Resources

A- 130 Appendix III, Security of Federal AISS

PL-99-474 Computer Fraud and Abuse Act of 1986

PL-I 00-235 Computer Security Act of 1987

EO 12333 United States Intelligence Activities

EO 12356 National Security Information

EO 12829 National Industrial Security Program

2. National Telecommunications & Information Systems Security (NTISS) Publications

COMPUSEC/1 -87 Security Guideline

NTISSAM Advisory Memorandum on Office Automation

NTISSI 300 National Policy on Control of Compromising Emanations

NTISSI 7000 TEMPEST Countermeasures for Facilities

NTISSIC 4009 National Information Systems Security (INFOSEC) Glossary

NACSIM 5000 TEMPEST Fundamentals

NACSIM 5201 TEMPEST Guidelines for Equipment/System Design Standard

NACSIM 5203 Guidelines for Facility Design and Red/Black Installation

NACSIM 7002 COMSEC Guidance for ADP Systems

3. National Computer Security Center (NCSC) Publications (The Rainbow Series)

NCSC-WA-002-85 Personal Computer Security Considerations

NCSC-TG-001 A Guide to Understanding Audit in Trusted Systems [Tan Book]

NCSC-TG-002 Trusted Product Evaluation - A Guide for Vendors [Bright Blue Book]

NCSC-TG-003 A Guide to Understanding Discretionary Access Control in Trusted Systems[Orange Book]

NCSC-TG-004 Glossary of Computer Security Terms [Aqua Book]

E-1

NCSC-TG-005

NCSC-TG-006

NCSC-TG-007

NCSC-TG-008

NCSC-TG-009

NCSC-TG-011

NCSC-TG-013

NCSC-TG-O 14

NCSC-TG-O 15

NCSC-TG-017

NCSC-TG-018

NCSC-TG-019

NCSC-TG-020A

NCSC-TG-02 I

NCSC-TG-022

NCSC-TG-025

NCSC-TG-026

NCSC-TG-027

NCSC-TG-028

NCSC C-Technical

NCSC C-Technical

NCSC C-Technical

Trusted Network Interpretation [Red Book]

A Guide to Understanding Configuration Management in Trusted Systems [OrangeBook]

A Guide to Understanding Design Documentation in Trusted Systems [BurgundyBook]

A Guide to Understanding Trusted Distribution in Trusted Systems [LavenderBook]

Computer Security Subsystem Interpretation of the Trusted Computer SystemEvaluation Criteria [Venice Blue Book]

Trusted Network Interpretation Environments Guideline-Guidance for Applyingthe Trusted Network Interpretation [Red Book]

Rating Maintenance Phase Program Document [Pink Book]

Guidelines for Formal Verification Systems [Purple Book]

A Guide to Understanding Trusted Facility Management [Brown Book]

A Guide to Understanding Identification and Authentication in Trusted Systems[Lt. Blue Book]

A Guide to Understanding Object Reuse in Trusted Systems [Lt. Blue Book]

Trusted Product Evaluation Questionnaire [Blue Book]

Trusted UNIX Working Group (TRUSIX) Rationale for Selecting Access ControlList Features for the UNIX System [Gray Book]

Trusted Database Management System Interpretation [Lavender Book]

A Guide to Understanding Trusted Recovery [Yellow Book]

A Guide to Understanding Data Remanence in Automated Information Systems[Green Book]

A Guide to Writi n: the Security Features User’s Guide for Trusted Systems [PeachBook]

A Guide to Understanding Information System Security Officer Responsibilitiesfor Automated Information Systems [Turquoise Book]

Assessing Controlled Access Protection [Violet Book]

Computer Viruses: Prevention, Detection, and Treatment Report-001

Integrity in Automated Information Systems (Sept. 91) Report 79-9 i

The Design and Evaluation of INFOSEC Systems: The Report 32-92 ComputerSecurity Contribution to the Composition Discussion

E-2

4. Department of Defense Publications

NSAICSS

DoD 5200.28-M

DoD 5200.28

DoD 5220.22-M

CSC-STD-002-85

CSC-STD-003-85

CSC-STD-004-85

CSC-STD-005-85

NSAICSS -

Media Declassification and Destruction Manual

Manual 130-2 Contractor Guidelines for AIS Processing of NSA SCI

Automated Information System Security Manual

DoD Trusted Computer System Evaluation Criteria

National Industrial Security Program Operating Manual

DoD Password Management Guidelines [Green Book]

Guidance for Applying the DoD Trusted Computer System Evaluation Criteria inSpecific Environments [Yellow Book]

Technical Rationale Behind CSC-STD-003-85: Computer Security Requirements[Yellow Book]

DoD Magnetic Remanence Security Guideline [NSA] Information SystemsSecurity Products and Services Catalogue

Section 5, Degaussing Level Performance Test Procedures Spec. L14-4-A55

5. Director of Central Intelligence Directives

DCID 1/7

DCID 1/14

DCID l/16

DCID 1/16

DCID l/19

DCID 1/20

DCID 1/21

DCID 1 /22

DCID 3/14-1

DCID 3/14-5

Security Controls on the Dissemination of Intelligence Information, [For OfficialUse Only]

Minimum Personnel Security Standards and Procedures Governing Eligibility forAccess to Sensitive Compartmented Information [Unclassified]

Security Policy for Uniform Protection of Intelligence Processed in AutomatedInformation Systems and Networks [SECRET]

Security Manual for Uniform Protection of Intelligence (Supplement) Processed inAutomated Information Systems and Networks [SECRET] (Supplement to DCID1/16)

DCI Security Policy Manual for SCI Control Systems [UNCLASSIFIED]

Security Policy Concerning Travel and Assignment of Personnel With Access toSensitive Compartmented Information (SCI) [UNCLASSIFIED]

Manual for Physical Security Standards for Sensitive Compartmented InformationFacilities (SCIFS) [For Official Use Only]

Technical Surveillance Countermeasures [CONFIDENTIAL]

Information Handling Committee [Unclassified]

Annex B, Intelligence Community Standards for Security Labeling of RemovableADP Storage Media [Unclassified]

E-3

6. Legislation, Directive, and Standards

Atomic Energy Act of 1954, as amended

National Security Act of 1947

National Security Decision Directive 298, “Operations Security”

Telephone Security Group standards

E-4