NATIONAL INDUSTRIAL SECURITY PROGRAM OPERATING MANUAL SUPPLEMENT
THE UNDER SECRETARY OF DEFENSE
WASHINGTON, D.C. 20301-2000
FOREWORD
December 29, 1994 I am pleased to promulgate this inaugural edition of
the Supplement to the National Industrial Security Program Operating Manual
(NISPOMSUP). It provides the enhanced security requirements, procedures, and
options to the National Industrial Security Program Operating Manual (NISPOM)
for: Critical Restricted Data (RD) classified at the Secret and Top Secret
levels; Special Access Programs (SAPs) and SAP-type compartmented efforts
established and approved by the Executive Branch;
Sensitive Compartmented Information (SCI) or other DCI SAP-type compartmented
programs under the Director of Central Intelligence which protect intelligence
sources and methods; and Acquisition, Intelligence, and Operations and Support
SAPs.
This Supplement is applicable to contractor facilities located within the United
States, its Trust Territories and Possessions. In cases of inconsistencies
between the NISPOM (baseline) and this Supplement as imposed by a Cognizant
Security Agency (CSA), as defined herein, the Supplement will take precedence.
The NISPOM Supplement has been written as a menu of options. Throughout this
NISPOMSUP it is understood that whenever a security option is specified for a SAP
by the Government Program Security Officer (PSO), his or her authority is
strictly based on the security menu of options originally approved in writing by
the CSA, or designee. CSAs may delegate such responsibility for the
implementation of SAP security policies and procedures. Since SAPs have varying
degrees of security based on sensitivity and threat, all programs may not have
the same requirements. When a security option is selected as a contract
requirement, it becomes a "shall" or "will" rather than a "may" in this document.
Bold and italicized print denotes contractor security requirements, except in
chapter titles and paragraphs. The Director of Central Intelligence Directives
(DCIDs), which prescribe procedures for the DCI Sensitive Compartmented
Information (SCI) or other SAP-type DCI programs also set the upper standard of
security measures for programs covered by this Supplement. DCIDs may be used by
any SAP program manager with approval from the CSA. Specific security measures
that are above the DCIDs (noted by asterisks) shall be approved by the CSA or
designee.
The provisions of this NISPOMSUP apply to all contractors participating in the
administration of programs covered by this Supplement. In cases of doubt over the
specific provisions, the contractor should consult the PSO prior to taking any
action or expending program related funds. In cases of extreme emergency
requiring immediate attention, the action taken should protect the Government's
interest and the security of the program from compromise. This NISPOMSUP is
intended to be a living document. Users are encouraged to submit changes through
their CSA to the Executive Agent's designated representative at the following
address:
Department of Defense
ODTUSD(P)PS
ATTN: Director Special Programs
The Pentagon, Room 3C285
Washington, D.C. 203012200
This NISPOMSUP will be reviewed and updated as necessary, but in any case no more
than one year from the date of publication.
Walter B. Slocombe
Under Secretary of Defense (Policy)
TABLE OF CONTENTS
CHAPTER 1. GENERAL PROVISIONS AND REQUIREMENTS
Page
Section I . Introduction 11 I
Section 2. General Requirements 121
Section 3. Reporting Requirements 131
CHAPTER 2. SECURITY CLEARANCES
Section 1. Facility Clearances 21 I
Section 2. Personnel Clearances and Access 221
CHAPTER 3. SECURITY TRAINING AND BRIEFINGS
Section 1. Security Training and Briefings 311
CHAPTER 4. CLASSIFICATION AND MARKING
Section I . Classification 411
Section 2. Marking Requirements 421
CHAPTER 5. SAFEGUARDING CLASSIFIED INFORMATION
Section 1. General Safeguarding Requirements .51l
Section 2. Control and Accountability 521
Section 3. Storage and Storage Equipment 531
Section 4. Transmission 541 Section 5. Disclosure 551
Section 6. Reproduction 561 Section 7. Disposition and Retention 571
Section 8. Construction Requirements 581
CHAPTER 6. VISITS and MEETINGS
Section I . Visits 611
Section 2. Meetings 621
CHAPTER 7. SUBCONTRACTING
Section 1. Prime Contractor Responsibilities 711
CHAPTER 8. AUTOMATED INFORMATION SYSTEM SECURITY
Section 1. Responsibilities 811
Section 2. Security Modes 821
Section 3. System Access and Operation 831
Section 4. Networks 841
Section 5. Software and Data Files 851
Section 6. AIS Acquisition, Maintenance, and Release 861
Section 7. Documentation and Training 871
CHAPTER 9. RESTRICTED DATA
Section I . Introduction 9l 1
Section 2. Secure Working Areas921
Section 3. Storage Requirements 931
CHAPTER 10. INTERNATIONAL SECURITY REQUIREMENTS
CHAPTER 11. MISCELLANEOUS
Section 1. TEMPEST 111 1
Section 2. Government Technical Libraries1121
Section 3. Independent Research and Development 1131
Section 4. Operations Security1141
Section 5. Counterintelligence (Cl) Support 1151
Section 6. Decompartmentations Disposition, and Technology Transfer 1161
Section 7. Other Topics 1171
APPENDICES
Appendix A. Definitions Al
Appendix B. AIS AcronymsBI
Appendix C. AISSP Outline .CI
Appendix D. AIS Certification and Accreditation D I
Appendix E. References .E I
FIGURES
Figure I . SAP Government and Contractor Relationships l 12
TABLES
Table 1. Clearing and Santization Data Storage..........854
Table 2. Sanitizing AIS Components......................855
Chapter 1 General Provisions and Requirements
Section 1. Introduction 1100.
Purpose.
a. This Supplement provides special security measures to ensure the integrity of
SAPs, Critical SECRET Restricted Data (SRD), and TOP SECRET Restricted Data
(TSRD) and imposes controls supplemental to security measures prescribed in the
NISPOM for classified contracts. Supplemental measures fall under the cognizance
of the DoD, DCI, DOE, NRC or other CSA as appropriate. See page 112 for Figure 1,
SAP Government and Contractor Relationships. Additionally, specific contract
provisions pertaining to these measures applicable to associated unacknowledged
activities will be separately provided. Any Department, Agency, or other
organizational structure amplifying instructions will be inserted immediately
following the applicable security options selected from the NISPOMSUP. This will
facilitate providing a contractor with a supplement that is overprinted with the
options selected.
b. Security Options. This Supplement contains security options from which
specific security measures may be selected for individual programs. The options
selected shall be specifically addressed in the Program Security Guide (PSG)
and/or identified in the Contract. The PSG shall be endorsed by the CSA or
his/her designee, establishing the program, although, as a rule, the DCIDs sets
the upper limits. In some cases, security or sensitive factors may require
security measures that exceed DCID standards. In such cases, the higher standards
shall be listed separately and specifically endorsed by the CSA creating the
program and may be reflected as an overprint to this Supplement.
1101. Scope.
a. The policy and guidance contained herein and imposed by contract is binding
upon all persons who are granted access to SAP information. Acceptance of the
contract security measures is a prerequisite to any negotiations leading to
Program participation and accreditation of a Special Access Program Facility
(SAPF).
b. The following is restated from the baseline for clarity. If a contractor
determines that implementation of any provision of this Supplement is more costly
than provisions imposed under previous U.S. Government policies, standards, or
requirements, the contractor shall notify the Cognizant Security Agency.
Contractors shad, however, implement any such provision within three years from
the date of this Supplement, unless a written exception is granted by the CSA.
The DCIDs apply to all SCI and DCI programs and any other SAP that selects them
as the program security measures.
1102. Agency Agreement SAP Program Areas. The Government Agency establishing a
SAP will designate a Program Executive Agent for the administration, security,
execution, and control of the SAP. The Program Security Officer (PSO), rather
than the Facility CSA, will be responsible for security of the program and all
program areas.
1103. Security Cognizance. Those heads of Agencies authorized under E.O. 12356 or
successor order to create SAPs may enter into agreements with the Secretary of
Defense that establish the terms of the Secretary of Defense's responsibilities
for the SAP. When a Department or Agency of the Executive Branch retains
cognizant security responsibilities for its SAP, the provisions of this
Supplement will apply.
1104. Supplement Interpretations AU contractor requests for interpretation of
this Supplement will be forwarded to the PSO.
1105. Supplement Changes Users of this Supplement are encouraged to submit
recommended changes and comments through their PSO in concurrence with the
baseline.
1106. Waivers and Exceptions The purpose of having a waiver and exception policy
is to ensure that deviations from established SAP criteria are systematically and
uniformly identified to the Government Program Manager (GPM). Every effort will
be made to avoid waivers to established SAP policies and procedures unless they
are in the best interest of the Government. In those cases where waivers are
required, a request will be submitted to the PSO. As appropriate, the PSO, and if
necessary the GPM (if a different individual) will assess the request for waiver
and provide written approval. If deemed necessary, other security measures which
address the specific vulnerability may be implemented.
1107. Special Access Programs Categories and Types.
a. There are four generic categories of SAPs:
(1) Acquisition SAP (AQSAP);
(2) Intelligence SAP (INSAP);
(3) Operations and Support SAP (OSSAP); and
(4) SCI Programs (SCI SAP) or other DCI programs which protect intelligence
sources and methods.
b. There are two types of SAPs, acknowledged and unacknowledged. An acknowledged
SAP is a program which may be openly recognized or known; however, specifics are
classified within that SAP. The existence of an unacknowledged SAP or an
unacknowledged portion of an acknowledged program, will not be made known to any
person not authorized for this information.
SAP Government/Contractor Relationships
Cognizant Security Agency
Program Executive Agent
GovernmentGovernment Program Manager
Program Security Officer
Contractor Program Manager
ContractorContractor Program Security Officer
Information System Security Representative
Section 2. General Requirements
1200. Responsibilities.
A SAP Contractor Program Manager (CPM) and Contractor Program Security Officer
(CPSO) will be designated by the contractor. These individuals are the primary
focal points at the contractor facility who execute the contract. They are
responsible for all Program matters. The initial nomination or appointment of the
CPSO and any subsequent changes will be provided to the PSO in writing. The
criteria necessary for an individual to be nominated as the CPSO will be provided
in the Request for Proposal (RFP). For the purposes of SAPs, the following
responsibilities are assigned:
a. The CPM is (sometimes the same as, or in addition to a Contract Project
Manager) the contractor employee responsible for:
(1) Overall Program management.
(2) Execution of the statement of work, contract, task orders and all other
contractual obligations.
b. The CPSO oversees compliance with SAP security requirements.
The CPSO will:
(1) Possess a personnel Clearance and Program access at least equal to the
highest level of Program classified information involved.
(2) Provide security administration and management for his/her organization.
(3) Ensure personnel processed for access to a SAP meet the prerequisite
personnel clearance and/or investigative requirements specified.
(4) Ensure adequate secure storage and work spaces.
(5) Ensure strict adherence to the provisions of the NISPOM and its Supplement.
(6) When required, establish and oversee a classified material control program
for each SAP.
(7) When required, conduct an annual inventory of accountable classified material.
(8) When required, establish a SAPPY
(9) Establish and oversee visitor control Program
(10) Monitor reproduction and/or dedication and destruction capability of SAP
information.
(11) Ensure adherence to special communications capabilities within the SAPS.
(12) Provide for initial Program indoctrination of employees after their access
is approved; rebrief and debrief personnel as required
(13) Establish and oversee specialized procedures for the transmission of SAP
material to and from Program element
(14) When required, ensure contractual specific security requirement such as
TEMPEST, Automated Information System (ADS), and Operations Security (OPSEC) arc
accomplished
(15) Establish security training and briefings specifically tailored to the
unique requirements of the SAP.
1201. *Standard Operating Procedures (SOP).
The CPSO may be required to prepare a comprehensive SOP to implement the security
policies and requirements for each SAP. When required, SOPs will address and
reflect the contractor's method of implementing the PSG. Forward proposed SOPs to
the PSO for approval. SOPs may be a single plan or series of individual documents
each addressing a security function. Changes to the SOP will be made in a timely
fashion, and reported to the PSO as they occur.
1202. Badging.
Contractors performing on Programs where all individuals cannot be personally
identified, may be required to implement a PSO approved badging system.
1203. Communications Security (COMSEC).
Classified SAP information will be electronically transmitted only by approved
secure communications channels authorized by the PSR
1204. *Two Person Integrity (TPI) Requirement.
The TPI rule may be required and exercised only with the Program CSA approval.
This requirement does not apply to those situations where one employee with
access is left alone for brief periods of time, nor dictate that those employees
will be in view of one another.
1205. Contractors Questioning Perceived Excessive Security Requirements.
All personnel are highly encouraged to identify excessive security measures that
c. they believe have no added value or are cost excessive and should report this
information to their industry contracting officer for subsequent reporting
through contracting channels to the appropriate GPM/PSO. The GPM/PSO will respond
through appropriate channels to the contractor questioning the security
requirements.
1206. Security Reviews.
a. General. The frequency of Industrial Security Reviews (e.g., Reviews,
evaluations, and security surveys) is determined by the NISPOM and will be
conducted by personnel designated by the CSA.
b. Joint Efforts. In certain cases, an individual Program may be a joint effort
of more than one component of the U.S. Government or more than one element of the
same component. In such a case, one element will, by memorandum of agreement,
take the lead as the Cognizant Security Agency and may have security review
responsibility for the Program facility. In order to ensure the most uniform and
efficient application of security criteria, review activities at contractor
facilities will be consolidated to the greatest extent possible.
Prime Contractor Representative. A security representative from the prime
contractor may be present and participate during reviews of subcontractors, but
cannot be the individual appointed by the CSA to conduct security reviews
specified in paragraph 1206a.
d. Review Reciprocity. In order to ensure the most uniform and efficient
application of security reviews, review reciprocity at contractor facilities will
be considered whenever possible.
e. Contractor Reviews.
When applicable, the U.S. Government may prescribe the intervals that the
contractor will review their systems.
f. Team Reviews.
Team Reviews may be conducted by more than one PSO based on mutual consent and
cooperation of both the Government and the contractor.
Section 3. Reporting Requirements
1300. General.
All reports required by the NISPOM will be made through the PSO. In those
instances where the report affects the baseline facility clearance or the
incident is of a personnel security clearance nature, the report will also be
provided to the Facility CSA. In those rare instances where classified program
information must be included in the report, the report will be provided only to
the PSO, who will sanitize the report and provide the information to the CSA, if
appropriate.
a Adverse Information. Contractors will report to the PSO any information which
may adversely reflect on the Program briefed employee's ability to properly
safeguard classified Program information.
b. SAP Non Disclosure Agreement (NDA).
A report will be submitted to the PSO on an employee who refuses to sign a SAP
NDA.
c. Change in Employee Status.
A written report of all changes in the personal status of SAP indoctrinated
personnel Will be provided to the PSO. In addition to those changes identified in
NISPOM sub paragraph l302c., include censure or probation arising from an adverse
personnel action, and revocation, or suspension downgrading of a security
clearance or Program access for reasons other than security administration
purposes.
d. Employees Desiring Not to Perform on SAP Classified Work.
A report will be made to the PSO upon notification by an accessed employee or an
employee for whom access has been requested that they no longer wish to perform
on the SAP. Pending further instructions from the PSO, the report will be
destroyed in 30 days.
e. *Foreign Travel.
The PSO may require reports of all travel outside the continental United States,
Hawaii, Alaska and the U.S. possessions (i.e., Puerto Rico) except some day
travel to border areas (i.e., Canada, Mexico) for Program accessed personnel.
Such travel is to be reported to the CPSO, and retained for he life of the
Contract/Program travel. Travel by Program briefed individuals into or through
countries determined by the CSA as high risk areas, should not be undertaken
without prior notification. A supplement to the report outlining the type and
extent of contact with foreign nationals, and any attempts to solicit information
or establish a continuing relationship by a foreign national may be required upon
completion of travel.
F. Arms Control Thread Visits.
The CPM and PSO will be notified in advance of any Arms Control Treaty V site
Such reports permit the GPM and PSO to assess potential impact on the SAP
activity and effectively provide guidance and assistance.
g. Litigation.
Litigation or pubic proceedings which may involve a SAP will be reported. These
include legal proceedings and/or administrative actions in which the prime
contractor, subcontractors, or Government organizations and their Program briefed
individuals are a named party. The CPSO will report to the PSO any litigation
actions that may pertain to the SAP, to include the physical environments,
facilities or personnel or as otherwise directed by the GPM.
1301. Security Violations and Improper Handing of Classified Information.
Requirements of the NISPOM baseline pertaining to security violation are
applicable, except that ad communications will be appropriately made through
Program Security Channels within 24 hours of discovery to the PSA The PSO must
promptly advise the Facility CSA in all instances where national security
concerns would impact on collateral security programs or clearances of
individuals under the cognizant of the Facility CSA.
a. Security Violations and Infractions
(l) Security Violation.
A security violation is any incident that involves the loss, compromise, or
suspected compromise of classified information. Security violations will be
immediately reported within 24 hours to the PSO.
(2) Security Infraction.
A security infraction is any other incident that is not in the best interest of
security that does not involve the loss, compromise, or suspected compromise of
classified information. Security infractions will be documented and mate
available for review by the PSO during visits.
Inadvertent Disclosure.
An inadvertent disclosure is the involuntary unauthorized access to classified
SAP information by an individual without SAP access authorization. Personnel
determined to have had unauthorized or inadvertent access to classified SAP
information (l) should be interviewed to determine the extent of the exposing,
and (2) may be requested to complete an Inadvertent Disclosure Oath.
(1) If during emergency response situations, guard personnel or local emergency
authorities (e.g., police, medical, fire, etc.) inadvertently gain access to
Program material, they should be interviewed to determine the extent of the
exposure. If circumstances warrant, a preliminary inquiry will be conducted. When
in doubt, contact the PSO for advice.
(2) Refusal to sign an inadvertent disclosure oath will be reported by the CPSO
to the PSO.
(3) Contractors shall report ad unauthorized disclosures involving RD or Formerly
Restricted Data (FRD) to Department of Energy (DOE) or Nuclear Regulatory
Commission (NRC) through their CSA.
Chapter 2 Security Clearances
Section 1. Facility Clearances
2100. General.
Contractors will possess a Facility Security Clearance to receive, generate, use,
and store classified information that is protected in SAPs.
a. If a facility clearance has already been granted, the SAP Program Executive
Agent may carve in the Facility CSA. The agreement entered into by the Secretary
of Defense (SECDEF) with the other CSA's will determine the terms of
responsibility for the Facility CSA with regard to SAP programs. Due to the
sensitivity of some SAPs, the program may be carved out by the Executive Agent
designated by the CSA.
b. The CPSO shall notify the PSO of any activity which affects the Facility
Security Clearance, (FCL).
c. In certain instances, security and the sensitivity of the project may require
the contract and the association of the contractor with the Program CSA be
restricted and kept at a classified level. The existence of any unacknowledged
effort, to include its SAPF, will not be released without prior approval of the
PSO.
2101. CoUtilization of SAPF.
If multiple SAPs are located within a SAPF, a Memorandum of Agreement (MOA) shall
be written between government program offices defining areas of authorities and
responsibilities. The first SAP in an area shall be considered to be the senior
program and therefore the CSA for the zone unless authority or responsibility is
specifically delegated in the MOA. The MOA shall be executed prior to the
introduction of the second SAP into the SAPF.
2102. Access of Senior Management of finials.
Only those Senior Management of finials requiring information pertaining to the
SAP shall be processed SAP access.
2103. Facility Clearances for Multi-facility Organizations
a. When cleared employees are located at uncleared locations, the CPSO may
designate a cleared management official at the uncleared location who shall:
(1) Process classified visit requests, conduct initial or recurring briefings for
cleared employees, and provide written confirmation of the briefing to the CPSO.
(2) Implement the reporting requirements of the NISPOM and this Supplement for
all cleared employees and furnish reports to the CPSO for further submittal to
the CSA.
(3) Ensure compliance with all applicable measures of the NISPOM and this
Supplement by all cleared employees at that location.
b. If a cleared management official is not available at the uncleared location,
the CPSO (or designee) shall conduct the required briefing during visits to the
uncleared location or during employee visits to the location or establish an
alternative procedure with CSA approval.
Section 2. Personnel Clearances and Access
2200. General.
This section establishes the requirements for the selection, processing,
briefing, and debriefing of contractor personnel for SAPs.
2201. Program Accessing Requirements and Procedure
a. The individual will have a valid need-to-know (NTK) and will Materially and
directly contribute to the Program.
b. The individual will possess a minimum of a current, final SECRET security
clearance or meet the investigative criteria required for the level of access. If
a person's periodic reinvestigation (PR) is outside the five-year scope and all
other access processing is current and valid, the PSO may authorize e access.
However, the individual will be immediately processed for either a Single Scope
Background Investigation (SSBI) or National Agency Check with Credit (NACC) as
required by the level of clearance or as otherwise required by the contract.
c. The contractor will nominate the individual and provide a description of the
NTK justification. The CPM will concur with the nomination and verify Program
contribution by signature on the Program Access Request (PAR). The CPSO will
complete the PAR and review it for accuracy ensuring a required signatures are
present. The CPSO signature verifies that the security clearance and
investigative criteria are accurate, and that these criteria satisfy the
requirements of the Program. Information regarding the PAR may be electronically
submitted. While basic information shall remain the same, signatures may not be
required. The receipt of the PAR package via a pre- approved channel shall be
considered sufficient authentication that the required approvals have been
authenticated by the CPSO and contractor program manager.
d. Access Criteria and Evaluation recess In order to eliminate those candidates
who clearly will not meet the scope for access and to complete the Personnel
Security Questionnaire (PSQ), access evaluation may be required. In the absence
of written instructions from the contracting activity, the evaluation process
will conform to the following guidelines:
(1) Evaluation criteria will not be initiated at the contractor level unless both
the employee and contractor agree.
(2) Contractors will not perform access evaluation for other contractors.
(3) Access evaluation criteria will be specific and will not require any analysis
or interpretation by the contractor. Access evaluation criteria will be provided
by the government as required.
(4) Those candidates eliminated during this process will be advised that access
processing has terminated.
e. Submit a Letter of Compelling Need or other documentation when requested by
the PSO.
f. Formats required for the processing of a SAP access fall into two categories:
those required for the conduct of the investigation and review of the
individual's eligibility, and those that explain or validate the individual's
NTK. These constitute the PAR package. The PAR package used for the access
approval and NTK verification will contain the following: the PAR and a recent
(within 90 days) PSQ reflecting pen and ink changes, if any, signed and dated by
the nominee.
g. Once the PAR package has been completed, the CPSO will forward the candidate's
nomination package to the PSO for review:
(1) The PSO will review the PAR package and determine access eligibility.
(2) Access approval or denial will be determined by the GPM and/or access
approval authority.
(3) The PSO will notify the contractor of access approval or denial.
(4) Subcontractors may submit the PAR package to the prime. The prime will review
and concur on the PAR and forward the PAR and the unopened PSQ package to the
PSO.
h. SCI access will follow guidelines established in DCID 1/14.
2202. Supplementary Measures and Polygraph.
a Due to the sensitivity of a Program or criticality of information or emerging
technology, a polygraph may be required. The polygraph examination will be
conducted by a properly trained, certified, U.S. Government Polygraph Specialist.
If a PR is outside the 5 year investigative scope, a polygraph may be used as an
interim basis to grant access until completion of the PR.
b. There are three categories of polygraph: Counterintelligence (CI), Full Scope
(CI and life style), and Special Issues Polygraph (SIP). The type of polygraph
conducted will be determined by the CSA.
2203. Suspension and Revocation. All PSO direction to contractors involving the
suspension or revocation of an employee's access will be provided in writing and
if appropriate, through the contracting officer.
2204. Appeal Process. The CSA will establish an appeal process.
2205. Agent of the Government. The Government may designate a contractor
nominated employee as an Agent of the Government on a case-by-case basis.
Applicable training and requirements will be provided by the Government to
contractors designated as Agents of the Government.
2206 Access Roster or List. Current access rosters of Program briefed individuals
are required at each contractor location. They should be properly protected and
maintained in accordance with the PSG. The access roster should be continually
reviewed and reconciled for any discrepancies. The data base or listing may
contain the name of the individual organization, position, billet number (if
applicable), level of access, social security number, military rank/grade or
comparable civilian rating scheme, and security clearance information. Security
perssonel required for adequate security oversight will not count against the
billet structure.
Chapter 3 Security Training and Briefings
Section 1. Security Training and Briefings
3100. General.
Every Special Access Program (SAP) will have a Security Training and Briefing
Program. As a minimum, SAP indoctrinated personnel will be provided the same or
similar training and briefings as outlined in the baseline NISPOM. In addition,
CPSOs responsible for SAPs at contractor facilities will establish a Security
Education Program to meet any specific or unique requirements of individual
special access programs Topics which will be addressed, if appropriate to the
facility or the SAP(s), include:
a. Security requirements unique to SAPs;
b. Protection of classified relationships;
c. Operations Security (OPSEC);
d. use of nicknames and code words;
e. use of special transmission methods;
f. Special test range security procedures;
g. Procedures for unacknowledged SAP security. An unacknowledged SAP will require
additional security training and briefings, beyond that required in the baseline.
Additional requirements will be specified in the Contract Security Classification
Specification and will address steps necessary to protect sensitive
relationships, locations, and activities.
h. Specific procedures to report fraud, waste, and abuse.
i. Computer security education that is to include operational procedures,
threats, and vulnerabilities.
j. Writing unclassified personnel appraisals and reviews.
k. Third Party Introductions.
The purpose of the Third Party Introduction is to provide a clearance and/or
access verification to other cleared personnel. The introduction is accomplished
by a briefed third party, who has knowledge of both individual's access.
3101. Security Straining.
The CPSO will ensure that the following security training measures arc
implemented:
a. Initial Program Security Indoctrination. Every individual accessed to a SAP
will be given an initial indoctrination. The briefing will clearly identify the
information to be protected, the reasons why this information requires
protection, and the need to execute a ADA. The individual will he Property
briefed concerning the security requirements for the Program, understand their
particular security responsibilities, and will sign a ADA. This indoctrination is
in addition to any other briefing required for access to collateral classified or
company proprietary information. It will be the responsibility of the PSO to
provide to the contractor information as to what will be included in the initial
indoctrination to include fraud, waste, and abuse reporting procedures.
b. Professionalized AIS training may be required of all contractor Information
Systems Security Representatives (ISSRs) to ensure that these individuals have
the appropriate skills to perform their job functions in a competent and
cost-effective manner. This training will be made available by the CSA. The
training should consist of, but not be limited to, the following criteria:
(1) Working knowledge of all applicable and national CSA regulations and
policies including those contained in this supplement;
(2) Use of common Information Security (INFOSEC) practices and technologies;
(3) AIS certification testing procedures;
(4) Use of a risk management methodology;
(5) Use of configuration management methodology.
3102. Unacknowledged Special Access Programs (SAP).
Unacknowledged SAPs require a significantly greater degree of protection than
acknowledged SAPs. Special emphasis should be placed on:
a. why the SAP is unacknowledged;
b. Classification of the SAP;
c. Approved communications system;
d. Approved transmission systems;
e. Visit procedures;
f. Specific program guidance.
3103. Refresher Briefings.
Every accessed individual will receive an annual refresher briefing from the CPSO
to include the following, as a minimum:
a. Review of Program unique security directives or guidance;
b. Review of those elements contained in the original NDA.
Note. The PSO may require a record to be maintained of this training.
3104. Debriefing and/or Access Termination.
Persons briefed to SAPs Will be debriefed by the CPSO or his designee. The
debriefing will include as a minimum a reminder of each individual's
responsibilities according to the ADA which states that the individual has no
Program or Program related material in his/her possession, and that he/she
understands his/her responsibilities regarding the disclosure of classified
Program information.
a. Debriefings should be conducted in a SAPF, Sensitive Compartmented Information
Facility (SCIF), or other secure area when possible, or as authorized by the PSO.
b. Procedures for debriefing will be arranged to allow each individual the
opportunity to ask questions and d. receive substantive answers from the
debriefer.
c. Debriefing Acknowledgments will be used and executed at the time of the
debriefing and include the following:
(1) Remind the individual of his/her continuing obligations agreed to in the SAP
ADA.
(2) Remind the individual that the NDA is a legal contract between the individual
and the U.S. Government.
(3) Advise that all classified information to include Program information is now
and forever the property of the U.S. Government.
(4) Remind the individual of the penalties for espionage and unauthorized
disclosure as contained in Sties. 18 and 50 of the U.S. Code. The briefer should
have these documents available for handout upon request. Require the individual
to sign and agree that questions about the ADA have been answered and that Sties
18 and 50 (U.S. Codes) were made available and understood.
(5) Remind the individual of his/her obligation not to discuss, publish, or
otherwise reveal information about the Program. The appearance of Program
information in the public domain does not constitute a de facto release from the
continuing secrecy agreement.
(6) Advise that any future questions or concerns regarding the Program (e.g.,
solicitations for information, approval to publish material based on Program
knowledge and/or experience) will be directed to the CPSO. The individual will be
provided a telephone number for the CPSO or PSO.
(7) Advise that each provision of the agreement is severable ie, if one provision
is declared unenforceable, all others remain in force.
(8) Emphasize that even though an individual signs a Debriefing Acknowledgment
Statement, he/she is never released from the original NDA/secrecy agreement
unless specifically notified in writing.
Verify the return of any and all SAP classified material and unclassified Program
sensitive material and identify all security containers to which the individual
had access.
e. When debriefed for cause, include a brief statement as to the reason for
termination of access and notify the PSO. In addition the CPSO will notify all
agencies holding interest in that person's clearance/ accesses.
f. The debriefer will advise persons who refuse to sign a debriefing
acknowledgment that such refusal could affect future access to special access
programs and/ or continued clearance eligibility. It could be cause for
administrative sanctions and it will be reported to the appropriate Government
Clearance Agency.
g. Provide a point of contact for debriefed employees to report any incident in
the future which might affect the security of the Program.
3105. Administrative Debriefings.
Efforts to have all Program briefed personnel sign a Debriefing Acknowledgment
Statement may prove difficult. If attempts to locate an individual either by
telephone or mail are not successful, the CPSO should prepare a Debriefing
Acknowledgment Statement reflecting the individual was administratively
debriefed. The Debriefing Acknowledgment Statement will be forwarded to the PSO.
The CPSO will check to ensure that no Program material is charged out to, or in
the possession of these persons.
3106 . Recognition and Award Program.
Recognition and award programs could be established to single out those employees
making significant contributions to Program contractor security. If used, CPSOs
will review award write- ups to ensure recommendations do not contain classified
information.
Chapter 4 Classification and Markings
Section 1. Classification
Challenges to Classification All challenges to SAP classified information and/or
material shall be forwarded through the CPSO to the PSO to the appropriate
Government contracting activity. All such challenges shall remain in Program
channels.
Section 2. Marking Requirements
4200. General.
Classified material that is developed under a SAP will be market and controlled
in accordance with the NISPOM, this Supplement, the Program Security
Classification Guide, and other Program guidance as directed by the PSO.
4201. Additional Provisions and Controls.
The PSO may specify additional markings to be applied to SAP working papers based
on the sensitivity and criticality of the Program, when approved by the CSA.
4202. Engineer's Notebook
An engineer's notebook is a working record of continually changing Program
technical data. It should NOT include drafts of correspondence, reports, or other
materials. The outer cover and first page will be marked with the highest
classification level contained in the notebook. Portion marking or numbering is
not required. Other requirements pertaining to these notebooks may be imposed by
the PSO.
4203. Cover Sheets
Cover sheets will be applied to SAP documents when the documents are created or
distributed NOTE: CODE WORDS WILL NOT BE PRINTED ON THE COVER SHEETS. The
unclassified nickname, digraph, or trigraph may be used.
42W. Warning Notices.
Generally, Program classified marking and transmission requirements will follow
this Supplement. Transmission of Program or Program related material will be
determined by the PSO. Besides the classifications markings, inner containers
will be marked:
"TO BE OPENED ONLY BY:" followed by the name of the individual to whom the
material is sent. A receipt may be required. Apply the following markings on the
bottom center of the front of the inner container:
WARNING
THIS PACKAGE CONTAINS CLASSIFIED U.S. GOVERNMENT INFORMATION. TRANSMISSION OR
REVELATION OF THIS INFORMATION IN ANY MANNER TO AN UNAUTHORIZED PERSON IS
PROHIBITED BY TITLE 18, U.S. CODE, SECTION 798 (OR TITLE 42, SECTION XX FOR RD OR
FRD MATERIAL). IF FOUND, PLEASE DO NOT OPEN. "CALL COLLECT" THE FOLLOWING
NUMBERS, (area code) (number) (PSO/CPSO work number) DURING WORKING HOURS OR
(area code) (number) (PSO/CPSO) AFTER WORKING HOURS.
Chapter 5
Safeguarding Classified Information
Section 1. General Safeguarding Requirements
5100. General.
Classified and unclassified sensitive SAP material must be stored in SAP CSA
approved facilities only. Any deviations must have prior approval of the SAP CSA
or designee.
Section 2. Control and Accountability
5.200. General Contractors shall develop and maintain a system that enables
control of SAP classified information and unclassified Program sensitive
information for which the contractor is responsible.
5201. Accountability.
Accountability of classified SAP material shall be determined and approved in
writing by the CSA or designee at the time the SAP is approved A separate
accountability control system may be required for each SAP.
5202. Annual Inventory.
An annual inventory of accountable SAP classified material may be required. The
results of the inventory and any discrepancies may be required to be reported in
writing to the PSO.
5203. Collateral classified material required to support a SAP contract may be
transferred within SAP controls. Transfer will be accomplished in a manner that
will not compromise the SAP or any classified information. The PSO will provide
oversight for collateral classified material maintained in the SAP Collateral
classified material generated during the performance of a SAP contract may be
transferred from the SAP to the contractor's collateral classified system. The
precautions required to prevent compromise will be approved by the PSO.
Section 3. Storage and Storage Equipment
(not further supplemented)
Section 4. Transmission
5400. General.
SAP classified material shall be transmitted outside the contractor's facility in
a manner that prevents loss or unauthorized access.
5401. Preparation.
AU classified SAP material will be prepared, reproduced, and packaged by Program
briefed personnel in approved Program facilities.
5402. Couriers The PSO through the CPSO will provide tailed courier instructions
to couriers when hand carrying SAP material. The CPSO will provide the courier
with an authorization letter. Report any travel anomalies to the CPSO as soon as
practical. The CPSO will notify the PSO.
5403. Secure Facsimile and/or Electronic Transmission. Secure facsimile and/or
electronic transmission encrypted communications equipment may be used for the
transmission of Program classified information.
When secure facsimile and/or electronic transmission is permitted, the PSO or
other Government cognizant security reviewing activity will approve the system in
writing. Transmission of classified Program material by this means may be
receipted for by an automated system generated message that transmission and
receipt has been accomplished. For TOP SECRET documents a receipt on the secure
facsimile may be required by the PSO.
5404. U.S. Postal Mailing.
A U.S. Postal mailing channel, when approved by the PSO, may be established to
ensure mail is received only by appropriately cleared and accessed personnel.
5405. TOP SECRET Transmission.
TOP SECRET (TS) SAP was be transmitted via secure data transmission or via
Defense Courier Service unless other means have been authorized by the PSO.
Section 5. Disclosure
5500. Release of Information.
Public release of SAP information is not authorized without written authority
from the Government as provided for in U.S. Code, Titles 10 and 42. Any attempt
by unauthorized personnel to obtain Program information and sensitive data will
be reported immediately to the Government Program Manager (GPM) through the PSO
using approved secure communication channels.
Section 6. Reproduction
5. General.
Program material will be reproduced on equipment specifically designated by the
CPSO and may require approval by the PSO. The CPMs and CPSOs may be required to
prepare written reproduction procedures.
5C01. The PSO or designee may approve reproduction of TS material.
Section 7. Disposition and Retention
5700. Disposition.
CPSOs may be required to inventory, dispose of, request retention, or return for
disposition all classified SAP related material (including AIS media) at contract
completion and/or close-out. Request for proposal (RFP), solicitation, or bid and
proposal collateral classified and unclassified material contained in Program
files will be reviewed and screened to determine appropriate disposition (ie.,
destruction, request for retention). Disposition recommendations by categories of
information or by document control number, when required, Will be submitted to
the PSO for concurrence. Requests for retention of classified information (SAP
and non SAP) will be submitted to the Contracting of peer, through the PSO for
review and approval. Requirements for storage and control of materials approved
for retention will be approved by the PSO.
5701. Retention of SAP Material.
The contractor may be required to submit a request to the Contracting Officer
(CO), via the PSO, for authority to retain classified material beyond the end of
the contract performance period. The request will also include any retention of
Program related material. The contractor will not retain any Program information
unless specifically authorized in writing by the Contracting Officer. Storage and
control requirements of SAP materials will be approved by the PSO.
5702. Destruction Appropriately indoctrinated personnel shall ensure the
destruction of classified SAP data. The CSA or designee may determine that two
persons are required for destruction. Non-accountable waste and unclassified SAP
material may be destroyed by a single Program briefed employee.
Section 8. Construction Requirements
5800. General. Establishing a Special Access Pro g. gram Facility (SAPF). Prior
to commencing work on a SAP, the contractor may be required to establish an
approved SAPF to afford protection for Program classified information and
material. Memorandums of Agreement (MOA) are required prior to allowing SAPs with
a. different CSAs to share a SAPS.
5801. Special Access Program Facility.
a. A SAPF is a program area, room, group of rooms, building, or an enclosed
facility accredited by the PSO where classified SAP Program business is
conducted. SAPFs will be afforded personnel access control to preclude entry by
unauthorized personnel. Non-accessed persons entering a SAPF will be escorted by
an indoctrinated person.
b. A Sensitive Compartmented Information Facility (SCIF) is an area, room,
building, or installation that is accredited to store, use, discuss, or
electronically process SCI. The standard and procedures for a SCIF are stated in
DCIDs 1/19 and l/21.
c. SAPFs accredited prior to implementation of this Supplement will retain
accreditation until no longer required or re-certification is required due to
major modification of the external perimeter, or changes to the Intrusion
Detection System (IDS), which affects the physical safeguarding capability of the
facility
d. Physical security standards will be stated in the Government's RFP RFQ,
contract, or other pre-contract or contractual document.
e. The need-to-know (NTK) of the SAP effort may warrant establishment of
multicompartments within the same SAPF.
f. *There may be other extraordinary or unique circumstances where existing
physical security standards are inconsistent with facility operating
requirements, for example, but not limited to, research and test facilities or
production lines. Physical security requirements under these circumstances will
be established on a case-by-case basis and approved by the PSO/Contracting
Officer, as appropriate. (Note: as approved by the CSA at establishment of the
SAP.)
The PSO will determine the appropriate security countermeasures for discussion
areas.
5802. Physical Security Criteria Standards
DCID 1/21 standards may apply to a SAPF when one or more of the following
criteria are applicable:
(1) State-of-the-art technology as determined by CSAs to warrant enhanced
protection.
(2) Contractor facility is known to be working on specific critical technology.
(3) Contractor facility is one of a few (3 or less) known facilities to have the
capability to work on specific critical technology.
(4) TOP SECRET or SECRET material is maintained in open storage.
(5) A SAPF is located within a commercial building, and the contractor does not
control all adjacent spaces.
(6) SCI or Intelligence Sources and methods are involved.
(7) Contractors or technologies known to be a target of foreign intelligence
services (E7IS).
b. The NISPOM baseline closed area construction requirements with Sound
Transmission Class (STC) in accordance with DCID l/21, Annex E and intrusion
alarms in accordance with Annex B. DCID 1/21 may apply to a SAPF when one of the
following criteria are applicable.
( l ) Not state-of-the-art technology and the technology is known to exist
outside U.S. Government control.
(2) The SAP is a large-scale weapon system production program.
(3) No open storage of Confidential SAP material in a secure working area unless
permitted by the PSO on a case- by-case basis.
(4) A SAPF located within a controlled access area.
(5) Intelligence related activities.
c. The PSO may approve baseline closed area construction requirements as an
additional option for some SAP program areas.
5803. SAP Secure Working Area The PSO may approve any facility as a SAP Secure
Working Area. Visual and sound protection may be provided by a mix of physical
construction, perimeter control, guards, and/or indoctrinated workers.
5804. Temporary SAPF. The PSO may accredit a temporary SAPF.
5805. Guard Response.
a. Response to alarms will be in accordance with DCID 1/21, or
b. The NISPOM
c. Response personnel will remain at the scene until released by the CPSO or
designated representative.
NOTE: The CPSO will immediately provide notification to the PSO if there is
evidence of forced entry, with a written report to the following within 72 hours.
5806. Facility Accreditation.
a. Once a facility has been accredited to a stated level by a Government Agency,
that accreditation should be accepted by any subsequent agency.
b. For purposes of Co-Utilization, costs associated with any security
enhancements in a SCIF or SAPF above preexisting measures may be negotiated for
reimbursement by the contractor's contracting officer or designated
representative. Agreements will be negotiated between affected organizations.
c. If a previously accredited SAPF becomes inactive for a period not to exceed
one year the SAP accreditation will be reinstated by the gaining accrediting
agency provided the following is true:
(l) The threat in the environment surrounding the SAPF has not changed;
(2) No modifications have been made to the SAPF which affect the level of
safeguarding;
(3) The level of safeguarding for the new Program is comparable to the previous
Program;
(4) The SAPF has not lost its SAP accreditation integrity and the contractor has
maintained continuous control of the facility.
(5) A technical surveillance countermeasure survey (TSCM) may be required.
NOTE: Previously granted waivers are subject to negotiation.
5807. Prohibited Items. Items that constitute a threat to the security integrity
of the SAPF (e.g., cameras or recording devices) are prohibited unless authorized
by the PSO. All categories of storage media entering and leaving the SAPFs may
require the PSO or his/her designated representative approval.
Chapter 6 Visits and Meetings
Section 1. Visits
6100. General. A visit certification request for ad r Program visits wag be made
prior to a visit to a Program facility. When telephone requests are made, a
secure telephone should be used whenever possible. Visit requests will be handled
exclusively by the cognizant CPSO or designated representative. The GPM or PSO or
his/her designated representative will approve all visits between Program
activities. However, visits between a prime contractor ant the prime's
subcontractors ant approved associates will be approved by the CPSO. Twelvemonth
visit requests are not authorized unless approved by the PSO.
6101. Visit Request Procedures. All visit requests was be sent only via approved
channels. In addition to the NISPOM, the following additional information for
visits to a SAPF wall include:
a. Name and telephone number of individual (not organization) to be visited;
b. Designation of person as a Program courier when applicable; ant
c. Verification (e.g., signature) of the CPSO or designate representative that
the visit request information is correct.
6102. Termination and/or Cancellation of a Visit Request. If a person is
debriefed from the Program prior to expiration of a visit certification, or if
cancellation of a current visit certification is otherwise appropriate, the
CPSO/FSO or his/her designated representative will immediately notify all
recipients of the cancellation or termination of the visit request.
6103. Visit Procedures.
a. Identification of Visitors. An official photograph if identification such as a
valid driver's license is required.
b. Extension. When a visit extends past the date on the visit certification, a
new visit request is not required if the purpose remains the same as that stated
on the current visit request to a specific SAPF.
c. Rescheduling. When a rescheduled visit occurs after a visit request has been
received, the visit certification will automatically apply if the visit is
rescheduled within thirty days and the purpose remains the same.
d. Hand carrying. It is the responsibility of the host CPSO to contact the
visitor's CPSO should the visitor plan to hand-carry classified material. CPSOs
will use secure means for notification. In emergency situations where secure
communications are not available, contact the PSO for instructions. When persons
return to their facility with SAP material, they will relinquish custody of the
material to the CPSO or designated representative. Arrangement will be made to
ensure appropriate overnight storage and protection for material returned after
close of business.
6104. Collateral Clearances and Special Access rap gram Visit Requests.
Collateral clearances and SAP accesses may be required in conjunction with the
SAP visit. If access to collateral classified information is required outside the
SAPF, then the CPSO can certify clearances and accesses as required within the
facility. Certification will be based on the SAP visit request received by the
CPSO. The CPSO will maintain the record copy of the visit certification. SCI
visit certification will be forwarded through appropriate SCI channels.
6105. Non Program Briefed Visitors. In instances where entry to a SAPF by
non-Program briefed personnel is required (e.g., maintenance, repair), they will
complete and sign a visitor's record and will be escorted by a Program briefed
person at all times. Sanitization procedures will be implemented in advance to
ensure that personnel terminate classified discussions and other actions and
protect SAP information whenever a non-briefed visitor is in the area. If
maintenance is required of a classified device, the uncleared maintenance person
shall be escorted by a Program briefed, technically knowledgeable individual.
Every effort should be made to have a technically knowledgeable Program briefed
person as an escort.
6106. Visitor Recorder *The PSO may require the CPSO to establish a Program
visitor's record. This record will be maintained inside the SAPS, and retention
may be required.
Section 2. Meetings
(not further supplemented)
Chapter 7 Subcontracting
Section 1. Prime Contracting Responsibilities
7100. General. This section addresses the responsibilities and authorities of
prime contractors concerning the release of classified SAP information to
subcontractors. Prior to any release of classified information to a prospective
subcontractor, the prime contractor will determine the scope of the bid and
procurement effort. Prime contractors will use extreme caution when conducting
business with non-Program briefed subcontractors to preclude the release of
information that would divulge Program related (classified or unclassified
Program sensitive) information.
7101. Determining Clearance Status of Prospective Subcontractors All prospective
subcontractor personnel will have the appropriate security clearance and meet the
investigative criteria as specified in this Supplement prior to being briefed
into a SAS! The eligibility criteria will be determined in accordance with the
NISPOM and this Supplement. For acknowledged Programs, in the event a prospective
subcontractor does not have the appropriate security clearances, the prime
contractor will request that the cognizant PSO initiate the appropriate security
clearance action. A determination will be made in coordination with the PSO as to
the levels of facility clearance a prospective subcontractor facility has for
access to classified information and the storage capability level.
7102. Security Agreements and Briefings. In the pre-contract phase, the prime
contractor will fully advise the prospective subcontractor (prior to any release
of SAP information) of the procurement's enhanced special security requirements.
Arrangements for subcontractor Program access will be pre-coordinated with the
PSO. When approved by the PSO, the prime contractor CPSO will provide Program
indoctrinations and obtain NDAs from the subcontractors. A security requirements
agreement will be prepared that specifically addresses those enhanced security
requirements that apply to the subcontractor. The security requirements agreement
may include the following elements, when applicable:
a. General Security Requirements.
b. Reporting Requirements. c. Physical and/or Technical Security Requirements.
d. Release of Information. e. Program Classified Control or Accountability. f.
Personnel Access Controls. g. Security Classification Guidance. h. Automated
Information System. i. Security Audits and Reviews. j. Program Access Criteria.
k. Subcontracting. ,. l. Transmittal of Program Material. m. Storage. n.
Testing and/or Manufacturing. o. Program Travel. p. Finances. q. Sanitization
of Classified Material. r. Security Costs and Charging Policy. s. Fraud, Waste,
and Abuse Reporting t. Test Planning. u. OPSEC. v. TEMPEST.
7103. Transmitting Security Requirements Contract Security Classification
Specifications prepared by the Prime contractor will be coordinated with the
GPM/PSO and contracting of dicer prior to transmitting to the shone Contract
Security Classification Specifications prepared by the prime contractor will be
forwarded to the GPM/PSO and contracting officer for coordinator and signature.
Chapter 8 Automated Information Systems (AIS)
Section 1. Responsibilities
8100. Introduction
a. Purpose and Scope. This chapter addresses the protection and control of
information processed on AIS. This entire chapter is contractor required and is
not an option. The type is not bold or italicized, because it would include the
complete chapter. AISs typically consist of computer hardware, software, and/or
firmware configured to collect, create, communicate, compute, disseminate,
process, store, or control data or information. This chapter specifies
requirements and assurances for the implementation, operation, maintenance, and
management of secure AIS used in support of SAP activities. Prior to using an AIS
or AIS network for processing U.S. Government, Customer, or Program information,
the Contractor/ Provider will develop an AIS Security Plan (AISSP) as described
herein and receive written Customer authorization to process Customer
information. Such authorization to process requires approval by the Customer. The
Provider will also assign an Information System Security Representative (ISSR) to
support the preparation of these documents and to subsequently manage AIS
security on-site for the Customer's program. After the AISSP is approved by the
Customer, the Provider will thereafter conform to the plan for all actions
related to the Customer's program information. This information includes the
selection, installation, test, operation, maintenance, and modification of AIS
facilities, hardware, software, media, and output. D. b. Requirements. The AISSP
selected menu upgrades to the NISPOM baseline will be tailored to the Provider's
individual AIS configuration and processing operations. Alternatives to the
protective measures in this Supplement may be approved by the Customer after the
Provider demonstrates that the alternatives are reasonable and necessary to
accommodate the Customer's needs. Prior to implementation, the Provider will
coordinate any envisioned changes or enhancements with the Customer. Approved
changes will be included in the AISSP. Any verbal approvals will subsequently be
documented in writing. The information and guidance needed to prepare and obtain
approval for the AISSP is described herein.
c. Restrictions. No personally owned AISs will be used to process classified
information.
8101. Responsibilities.
The Customer is the Government organization responsible for sponsoring and
approving the classified and/or unclassified processing. The Provider is the
Contractor who is responsible for accomplishing the processing for the Customer.
The Information System Security Representative (ISSR) is the Provider assigned
individual responsible for on-site AIS processing for the Customer in a secure
manner.
Provider Responsibilities. The Provider will take those actions necessary to meet
with the policies and requirements outlined in this document. The provider will:
(l) Publish and promulgate a corporate AIS Security Policy that addresses the
classified processing environment.
(2) Designate an individual to act as the ISSR.
(3) Incorporate AISs processing Customer information as part of a configuration
management program.
(4) Enforce the AIS Security Policy.
' ISSR Responsibilities. The Provider designated ISSR has the following
responsibilities:
(l) AIS Security Policy. Implement the AIS Security Policy.
(2) AIS Security Program. Coordinate the establishment and maintenance of a
formal AIS Security Program to ensure compliance with this document:
(a)AIS Security Plan (AISSP). Coordinate the preparation of an AISSP in
accordance with the outline and instructions provided in this document. After
Customer approval, the AISSP becomes the controlling security document for AIS
processing Customer information. Changes affecting the security of the AIS must
be approved by the Customer prior to implementation and documented in the AISSP.
(b)AIS Technical Evaluation Test Plans. For systems operating in the
compartmented or multilevel modes, prepare an AIS Technical Evaluation Test Plan
in coordination with the Customer and applicable security documents.
(c)Certification. Conduct a certification test in accordance with 8102, c. and
provide a certification report.c.
(d)Continuity of Operations Plan (COOP). When contractually required, coordinate
the development and maintenance of an AIS COOP to ensure the continuation of
information processing capability in the event of an AIS related disaster
resulting from fire, flood, malicious act, human error, or any other occurrence
that might adversely impact or threaten to impact the capability of the AIS to
process information. This plan will be referenced in the AISSP.
(e)Documentation. Ensure that all AIS security related documentation as required
by this chapter is current and is accessible to properly authorized individuals.
(f) Customer Coordination. Coordinate all reviews, tests, and AIS security
actions.
(g)Auditing. Ensure that the required audit trails are being collected and
reviewed as stated in 8303.
(h)Memorandum of Agreement. As applicable, ensure that Memoranda of Agreement are
in place for AISs supporting multiple Customers.
(1) Compliance Monitoring. Ensure that the system is operating in compliance with
the AISSP.
(j) AIS Security Education and Awareness. Develop an ongoing AIS Security
Education and Awareness Program.
(k)Abnormal Occurrence. Advise Customer in a timely manner of any abnormal event
that affects the security of an approved AIS.
(l) Virus and malicious code. Advise Customer in a timely manner of any virus and
malicious code on an approved AIS.
(3) Configuration Management. Participate in the configuration management
process.
(4) Designation of Alternates. The ISSR may designate alternates to assist in
meeting the requirements outlined in the chapter.
Special Approval Authority. In addition to the above responsibilities, the
Customer may authorize in writing an ISSR to approve specific AIS security
actions including:
(l) Equipment Movement. Approve and document the movement of AIS equipment.
(2) Component Release. Approve the release of sanitized components and equipment
in accordance with Tables I and 2 in 850l.
(3) Standalone Workstation and Portable AIS Approval. Approve and document new
workstations in accordance with an approved AIS security plan and the procedures
defined in this document for workstations with identical functionality. Approve
and document portable AIS.
(4) Dedicated and System High Network Workstation Approval. Approve and document
additional workstations identical in functionality to existing workstations on an
approved Local Area Network (LAN) provided the workstations are not located
outside of the previously defined boundary of the LAN.
(5) Other AIS Component Approval. Approve and document other AIS components
identical in functionality to existing components on an approved LAN provided the
components are not located outside of the previously defined boundary of the LAN.
8102. Approval To Process. Prior to using any AIS to process Customer
information, approval will be obtained from the Customer. The following
requirements will be met prior to approval.
a. AIS Security Program. The Provider will have an AIS security program that
includes:
(1) An AIS security policy and a formal AIS security structure to ensure
compliance with the guidelines specified in this document;
(2) An individual whose reporting functionalities are within the Provider's
security organization formally named to act as the ISSR;
(3) The incorporation of AISs processing Customer information into the Provider's
configuration management program. The Provider's configuration management program
shall manage changes to an AIS throughout its life cycle. As a minimum the
program will manage changes in an AIS's:
(a) Hardware components (data retentive only)
(b)Connectivity (external and internal)
(c) Firmware
(d) Software
(e) Security features and assurances
(f) AISSP
(g)Test Plan
(4) Control. Each AIS will be assigned to a designated custodian (and alternate
custodian) who is responsible for monitoring the AIS on a continuing basis. The
custodian will ensure that the hardware, installation, and maintenance as
applicable conform to appropriate requirements. The custodian will also monitor
access to each AIS. Before giving users access to any such AIS, the custodian
will have them sign a statement indicating their awareness of the restrictions
for using the AIS. These statements will be maintained on file and available for
review by the ISSR.
b. AIS Security Plan (AISSP). The Provider will prepare and submit an AISSP
covering AISs processing information in a Customer's Special Access Program
Facility (SAPF), following the format in Appendix C. For RD, the Customer may
modify the AISSP format.
c. AIS Certification and Accreditation.
(1) Certification. Certification is the comprehensive evaluation of technical and
non-technical security features to establish the extent to which an AIS has met
the security requirements necessary for it to process the Customer information.
Certification precedes the accreditation. The certification is based upon an
inspection and test to verify that the AISSP accurately describes the AIS
configuration and operation (See Appendix C and D). A Certification Report
summarizing the following will be provided to the Customer:
(a)For the dedicated mode of operation, the provider must verify that access
controls, configuration management, and other AISSP procedures are functional.
(b)In addition, for System High AIS the ISSR will verify that discretionary
controls are implemented.
(c) For compartmented and multilevel AIS, certification also involves testing to
verify that technical security features required for the mode of operation are
functional. Compartmented and multilevel AIS must have a Technical Evaluation
Test Plan that includes a detailed description of how the implementation of the
operating system software, data management system software, firmware, and related
security software packages will enable the AIS to meet the Compartmented or
Multilevel Mode requirements. The plan outlines the inspection and test
procedures to be used to demonstrate this compliance.
(2) Accreditation. Accreditation is the formal declaration by the Customer that a
classified AIS or network is approved to operate in a particular security mode;
with a prescribed set of technical and non-technical security features; against a
defined threat; in a given operational environment; under a stated operational
concept; with stated interconnections to other AIS; and at an acceptable level of
risk. The accreditation decision is subject to the certification process. Any
changes to the accreditation criteria described above may require a new
accreditation.
d. Interim Approval. The Customer may grant an interim approval to operate.
e. Withdrawal of Accreditation. The Customer may withdraw accreditation if:
(l) The security measures and controls established and approved for the AIS do
not remain effective.
(2) The AIS is no longer required to process Customer information.
f. Memorandum of Agreement. A Memorandum of Agreement (MOA) is required whenever
an accredited AIS is co- utilized, interfaced, or networked between two or more
Customers. This document will be included, as required, by the Customer.
g. Procedures for Delegated Approvals. For AISs operating in the dedicated or
system high modes, the Customer may delegate special approval authority to the
ISSR for additional AISs that are identical in design and operation. That is: two
or more AIS are identical in design and operate in the same security environment
(same mode of operation, process information with the same sensitivities, and
require the same accesses and clearances, etc). Under these conditions the AISSP
in addition to containing the information required by Appendix C shall also
include the certification requirements (inspection and tests) and procedures that
will be used to accredit all AlSs. The CSA will validate that the certification
requirements are functional by accrediting the first AIS using these
certification requirements and procedures. The ISSR may allow identical AIS to
operate under that accreditation if the certification procedures are followed and
the AIS meets all the certification requirements outline in the AISSP. The AISSP
will be updated with the identification of the newly accredited AIS and a copy of
each certification report will be kept on file.
8103. Security Reviews.
a. Purpose. Customer AIS Security Reviews are conducted to verify that the
Provider's AIS is operated in accordance with the approved AISSP.
b. Scheduling. Customer AIS Reviews are normally scheduled at least once every 24
months for Provider systems processing Customer program information. The Customer
will establish specific review schedules.
c. Review Responsibilities. During the scheduled Customer AIS Security Review,
the Provider will furnish the Customer representative conducting the Review with
all requested AIS or network documentation. Appropriate Provider security,
operations, and management representatives will be made available to answer
questions that arise during the Customer AIS Review process.
Review Reporting. At the conclusion of the Customer AIS Review visit, the
Customer will brief the Provider's appropriate security, operations, and
management representatives on the results of the Review and of any discrepancies
discovered and the recommend measures for correcting the security deficiencies. A
formal report of the Customer AIS Review is provided to the Provider's security
organization no later than 30 days after the Review.
Corrective Measures. The Provider will respond to the Customer in writing within
30 days of receipt of the formal report of deficiencies found in the Customer AIS
Review process. The response will describe the actions taken to correct the
deficiencies outlined in the formal report of Customer AIS Review findings. If
proposed actions will require an expenditure in funds, approval will be obtained
from the Contracting Officer prior to implementation.
Section 2. Security Modes
8200. Security Modes-GeneraL
a. AISs that process classified information must operate in the dedicated, system
high, compartmented, or b. multilevel mode. Security modes are authorized
variations in security environments, requirements, and methods of operating. In
all modes, the integration of automated and conventional security measures shall,
with reasonable dependability, prevent unauthorized access to classified
information during, or resulting from, the processing, storage, or transmission
of such information, and prevent unauthorized manipulation of the AIS that could
result in the compromise or loss of classified information.
b. In determining the mode of operation of an AIS, three elements must be
addressed: the boundary and perimeter of the AIS, the nature of the data to be
processed, and the level and diversity of access privileges of intended users.
Specifically:
(1) The boundary of an AIS includes all users that c. are directly or indirectly
connected and who can receive data from the AIS without a reliable human review
by an appropriately cleared authority. The perimeter is the extent of the AIS
that is to be accredited as a single entity.
(2) The nature of data is defined in terms of its classification levels,
compartments, subcompartments, and sensitivity levels.
(3) The level and diversity of access privileges of its users are defined as
their clearance levels, need-to-know, and formal access approvals.
8Z201. Dedicated Security Mode.
a An AIS is operating in the dedicated mode (processing either full time or for a
specified period) when each user with direct or indirect access to the AIS, its
peripherals, remote terminals, or remote hosts has all of the following:
(1) A valid personnel clearance for all information stored or processed on the
AIS.
(2) Formal access approvals and has executed all appropriate nondisclosure
agreements for all the information stored and/or processed (including all
compartments, subcompartments, and/or SAPs).
(3) A valid need to know for all information stored on or processed within the
AIS.
The following security requirements are established for AISs operating in the
dedicated mode:
(1) Be located in a SAPF.
(2) Implement and enforce access procedures to the AIS.
(3) All hard copy output will be handled at the level for which the system is
accredited until reviewed by a knowledgeable individual.
(4) All media removed from the system will be protected at the highest
classification level of information stored or processed on the system until
reviewed and properly marked according to procedures in the AIS security plan.
Security Features for Dedicated Security Mode.
b Since the system is not required to provide technical security features, it is
up to the user to protect the information on the system. For networks operating
in the dedicated mode, automated identification and authentication controls are
required.
(2) For DoD, the Customer may require audit records of user access to the system.
Such records will include: user ID, start date and time, and stop date and time.
Logs will be maintained IAW 8303.
d. Security Assurances for Dedicated Security Mode.
(l) AIS security assurances must include an approach for specifying, documenting,
controlling, and maintaining the integrity of all appropriate AIS hardware,
firmware, software, communications interfaces, operating procedures, installation
structures, security documentation, and changes thereto.
(2) Examination of Hardware and Software. Classified AIS hardware and software
shall be examined when received from the vendor and before being placed into use.
(a)Classified AIS Hardware. An examination shall result in assurance that the
equipment appears to be in good working order and have no parts that might be
detrimental to the secure operation of the resource. Subsequent changes and
developments which affect security may require additional examination.
(b)Classified AIS Software.
l. Commercially procured software shall be examined to assure that the software
contains no features which might be detrimental to the security of the classified
AIS.
2. Security related software shall be examined to assure that the security
features function as specified.
(c) Custom Software or Hardware Systems. New or significantly changed security
relevant software and hardware developed specifically for the system shall be
subject to testing and review at appropriate stages of development.
8202. System High Security Mode.
a. An AIS is operating in the system high mode (processing either full time or
for a specified period) when each user with direct or indirect access to the AIS,
its peripherals, remote terminals, or remote hosts has all of the following:
(1) A valid personnel clearance for all information on the AIS.
(2) Formal access approval and has signed nondisclosure agreements for all the
information stored and/or processed (including all compartments and
subcompartments).
(3) A valid need-to-know for some of the information contained within the system.
b. AISs operating in the system high mode, in addition to meeting all of the
security requirements, features, and assurances established for the dedicated
mode, will meet the following:
(1) Security Features for System High Mode
(a)Define and control access between system users and named objects (e.g., files
and programs) in the AIS. The enforcement mechanism must allow system users to
specify and control the sharing of those objects by named individuals and/or
explicitly defined groups of individuals. The access control mechanism must,
either by explicit user action or by default, provide that all objects are
protected from unauthorized access (discretionary access control). Access
permission to an object by users not already possessing access permission must
only be assigned by authorized users of the object.
(b)Time Lockout. Where technically feasible, the AIS shall time lockout an
interactive session after an interval of user inactivity. The time interval and
restart requirements shall be specified in the AIS Security Plan.
(c)Audit Trail. Provide an audit trail capability that records time, date user
ID, terminal ID (if applicable), and file name for the following events:
1. Introduction of objects into a user's address space (e.g., file open and
program initiation as determined by the Customer and ISSR).
2. Deletion of objects (e.g., as determined by the Customer and ISSR).
3. System logon and logoff.
4. Unsuccessful access attempts.
(d)Require that memory and storage contain no residual data from the previously
contained object before being assigned, allocated, or reallocated to another
subject.
(e)identification Controls. Each person having access to a classified AIS shall
have the proper security clearances and authorizations and be uniquely identified
and authenticated before access to the classified AIS is permitted. The
identification and authentication methods used shall be specified and approved in
the AIS Security Plan. User access controls in classified AISs shall include
authorization, user in the AIS Security Plan. User access controls in classified
AISs shall include authorization, user identification, and authentication
administrative controls for assigning these shall be covered in the AISSP.
1. User Authorizations. The manager or supervisor of each user of a classified
AIS shall determine the required authorizations, such as need-to-know, for that
user.
2. User Identification. Each system user shall have a unique user identifier and
authenticator.
a. User ID Removal. The ISSR shall ensure the development and implementation of
procedures for the prompt removal of access from the classified AIS when the need
for access no longer exists.
b. User ID Revalidation. The AIS ISSR shall ensure that all user IDs are
revalidated at least annually, and information such as sponsor and means of
off-line contact (e.g., phone number, mailing address) are updated as necessary.
Authentication. Each user of a classified AIS shall be authenticated before
access is permitted. This authentication can be based on any one of three types
of information: something the person knows (e.g., a password); something the
person possesses (e.g., a card or key); something about the person (e.g.,
fingerprints or voiceprints; or some combination of these three. Authenticators
that are passwords shall be changed at least every six months.
l. Requirements.
a. Logon. Users shall be required to authenticate their identities at "logon"
time by supplying their authenticator (e.g., password, smart card, or
fingerprints) in conjunction with their user ID.
b. Protection of Authenticator. An Authenticator that is in the form of knowledge
or possession (password, smart card, keys) shall not be shared with anyone.
Authenticators shall be protected at a level commensurate with the accreditation
level of the Classified AIS.
2. Additional Authentication Countermeasures. Where the operating system provides
the capability, the following features shall be implemented:
a. Logon Attempt Rate. Successive logon attempts shall be controlled by denying
access after multiple (maximum of five) unsuccessful attempts on the same user
ID; by limiting the number of access attempts in a specified time period; by the
use of a time delay control system; or other such methods, subject to approval by
the Customer.
b. Notification to the User. The user shall be notified upon successful logon of:
the date and time of the user's last logon; the ID of the terminal used at last
logon; and the number of unsuccessful logon attempts using this user ID since the
last successful logon. This notice shall require positive action by the user to
remove the notice from the screen.
(g)The audit, identification, and authentication mechanisms must be protected
from unauthorized access, modification, or deletion.
c. Security Assurances for System High Mode. The system security features for
need-to-know controls will be tested and verified. Identified flaws will be
corrected.
8203. Compartmented Security Mode.
a. An AIS is operating in the compartmented mode when users with direct or
indirect access to the AIS, its peripherals, or remote terminals have all of the
following:
(1) A valid personnel clearance for access to the most restricted information
processed in the AIS.
(2) Formal access approval and have signed nondisclosure agreements for that
information to which he/she is to have access (some users do not have formal
access approval for all compartments or subcompartments processed by the AIS.)
(3) A valid need-to-know for that information for which he/she is to have access.
b. Security Features for Compartmented Mode. In addition to all Security Features
and Security Assurances required for the System High Mode of Operation,
Classified AIS operating in the Compartmented Mode of Operation shall also
include:
(1) Resource Access Controls.
(a)Security Labels. The Classified AIS shall place security labels on all
entities (e.g., files) reflecting the sensitivity (classification level,
classification category, and handling caveats) of the information for resources
and the authorizations (security clearances, need-to-know, formal access
approvals) for users. These labels shall be an integral part of the electronic
data or media. These security labels shall be compared and validated before a
user is granted access to a resource.
(b)Export of Security Labels. Security labels exported from the Classified AIS
shall be accurate representations of the corresponding security labels on the
information in the originating Classified AIS.
(2) Mandatory Access Controls. Mandatory access controls shall be provided. These
controls shall provide a means of restricting access to files based on the
sensitivity (as represented by the label) of the information contained in the
files and the formal authorization (i.e., security clearance) of users to access
information of such sensitivity.
(3) No information shall be accessed whose compartment is inconsistent with the
session logon.
(4) Support a trusted communications path between itself and each user for
initial logon and verification.
(5) Enforce, under system control, a system generated, printed, and human
readable security classification level banner at the top and bottom of each
physical page of system hard copy output.
(6) Audit these additional events: the routing of all system jobs and output, and
changes to security labels.
(7) Security Level Changes. The system shall immediately notify a terminal user
of each change in the security level associated with that user during an
interactive session. A user shall be able to query the system as desired for a
display of the user's complete sensitivity label.
c. Security Assurances for Compartmented Mode.
(1) Confidence in Software Source. In acquiring resources to be used as part of a
Classified AIS, consideration shall be given to the level of confidence placed in
the vendor to provide a quality product, to support the security features of the
product, and to assist in the correction of any flaws.
(2) Flaw Discovery. The Provider shall ensure the vendor has implemented a
method for the discovery of flaws in the system (hardware, firmware, or software)
that may have an effect on the security of the AIS.
(3) No Read up, No Write Down. Enforce an upgrade or downgrade principle where
all users processing have a system maintained classification; no data is read
that is classified higher than the processing session authorized; and no data is
written unless its security classification level is equal to or lower than the
user's authorized processing security classification and all non-hierarchical
categories are the same.
(4) Description of the Security Support Structure (often referred to as the
Trusted Computing Base). The protections and provisions of the security support
structure shall be documented in such a manner to show the underlying planning
for the security of a Classified AIS. The security enforcement mechanisms shall
be isolated and protected from any user or unauthorized process interference or
modification.
Hardware and software features shall bee provided that can be used to
periodically validate the correct operation of the elements of the security
enforcement mechanisms.
(5) Independent Validation and Verification. An Independent Validation and
Verification team shall assist in the technical evaluation testing of a
classified AIS and shall perform validation and verification testing of the
system as required by the Customer.
(6) Security Label Integrity. The methodology shall ensure the following:
(a)Integrity of the security labels;
(b)The association of a security label with the transmitted data; and
(c)Enforcement of the control features of the security labels.
(7) Detailed Design of security enforcement mechanisms. An informal description
of the security policy model enforced by the system shall be available.
8204. Multilevel Security Mode. NOTE: Multilevel Security Mode is not routinely
authorized for SCI or SAP applications. Exceptions for SCI may be made by the
heads of CIA, DIA, or NSA on a case-by-case basis. Exceptions for SAP may be made
by the Customer.
a An AIS is operating in the multilevel mode when all of the following statements
are satisfied concerning the users with direct or indirect access to the AIS, its
peripherals, remote terminals, or remote hosts:
(1) Some users do not have a valid personnel clearance for all of the information
processed in the AIS. (Users must possess a valid CONFIDENTIAL, SECRET, or TOP
SECRET clearance.)
(2) All users have the proper clearance and have the appropriate access approval
(i.e., signed nondisclosure agreements) for that information to which they are
intended to have access.
(3) All have a valid need-to-know for that information to which they are intended
to have access.
b. Security Features for Multilevel Mode. In addition to all security features
and security assurances required for the compartmented mode of operation,
classified AIS operating in the multilevel mode of operation shall also include:
(1) Audit. Contain a mechanism that is able to monitor the occurrence or
accumulation of security auditable events that may indicate an imminent violation
of security policy. This mechanism shall be able to immediately notify the
security administrator when thresholds are exceeded and, if the occurrence or
accumulation of these security relevant events continues, the system shall take
the least disruptive action to terminate the event.
(2) Trusted Path. Support a trusted communication path between the AIS and users
for use when a positive AIS-to- user connection is required (i.e.,logon, change
subject security level). Communications via this trusted path shall be activated
exclusively by a user or the AIS and shall be logically isolated and unmistakably
distinguishable from other paths. For Restricted Data, this requirement is only
applicable to multilevel AIS that have at least one uncleared user on the AIS.
(3) Support separate operator and administrator functions. The functions
performed in the role of a security administrator shall be identified. The AIS
system administrative personnel shall only be able to perform security
administrator functions after taking a distinct auditable action to assume the
security administrative role on the AIS system. Non-security functions that can
be performed in the security administrative role shall be limited strictly to
those essential to performing the security role effectively.
(4) Security Isolation. The AIS security enforcement mechanisms shall maintain a
domain for its own execution that protects it from external interference and
tampering (e.g., by reading or modification of its code and data structures). The
protection of the security enforcement mechanisms shall provide isolation and
non-circumvention of isolation functions. For Restricted Data, this requirement
is only applicable to multilevel AIS that have at least one uncleared user on the
AIS.
(5) Protection of Authenticator. Authenticators shall be protected at the same
level as the information they access.
c. Security Assurances for Multilevel Mode.
(1) Flaw Tracking and Remediation. The Provider shall ensure the vendor provides
evidence that all discovered flaws have been tracked and remedied.
(2) Life-Cycle Assurance. The development of the Classified AIS hardware,
firmware, and software shall be under life-cycle control and management (i.e.,
control of the Classified AIS from the control features of the data flow between
originator and destination.
(3) Separation of Functions. The functions of the AIS ISSR and the Classified AIS
manager shall not be performed by the same person.
(4) Device Labels. The methodology shall ensure that the originating and
destination device labels are a part of each message header and enforce the
control features of the data flow between originator and destination.
(5) Security Penetration Testing. In addition to testing the performance of the
classified AIS for certification and for ongoing testing, there shall be testing
to attempt to penetrate the security countermeasures of the system. The test
procedures shall be documented in the test plan for certification and for on
going testing.
(6) Trusted Recovery. Provide procedure and/or mechanisms to assure that, after
an AIS system failure or other discontinuity, recovery without a protection
compromise is obtained.
(7) Covert Channels. A covert channel analysis shall be performed.
Section 3. System Access and Operation
8300 System Access. Access to the system will be limited to authorized personnel.
Assignment of AIS access and privileges will be coordinated with the ISSR.
Authentication techniques must be used to provide control for information on the
system. Examples of authentication techniques include, but are not limited to:
passwords, tokens, biometrics, and smart cards. User authentication techniques
and procedures will be described in the AISSP.
a. User IDs. User IDs identify users in the system and are used in conjunction
with other authentication techniques to gain access to the system. User IDs will
be disabled whenever a user no longer has a need-to-know. The user ID will be
deleted from the d. system only after review of programs and data associated with
the ID. Disabled accounts will be removed from the system as soon as practical.
e. Whenever possible, access attempts will be limited to five tries. Users who
fail to access the system within the established limits will be denied access
until the user ID is reactivated.
b. Access Authentication.
(1) Password. When used, system logon passwords will be randomly selected and
will be at least six characters in length. The system logon password generation
routine must be approved by the Customer.
(2) Validation. Authenticators must be validated by the system each time the user
accesses the AIS.
(3) Display. System logon passwords must not be displayed on any terminal or
contained in the audit trail. When the AIS cannot prevent a password from being
displayed (e.g., in a half-duplex connection), an overprint mask shall be printed
before the password is entered to conceal the typed password.
(4) Sharing. Individual user authenticators (e.g., passwords) will not be shared
by any user.
(5) Password Life. Passwords must be changed at least every six months.
(6) Compromise. Immediately following a suspected or known compromise of a
password or Personal Identification Number (PIN) the ISSR will be notified and a
new password or PIN issued.
(7) Group Logon Passwords. Use of group logon passwords must be justified and
approved by the Customer. After logon, group passwords may be used for file
access.
c. Protection of Authenticators. Master data files containing the user population
system logon authenticators will be encrypted when practical. Access to the files
will be limited to the ISSR and designated alternate(s), who will be identified
in writing.
d. Modems. Modems require Customer approval prior to connection to an AIS located
in a Customer SAPF.
e. User Warning Notice. The Customer may require logon warning banners be
installed.
8301. System Operation.
a. Processing initialization is the act of changing the AIS from unclassified to
classified, from one classified processing level to another, or from one
compartment to another or from one Customer to another. To begin processing
classified information on an approved AIS the following procedures must be
implemented:
(1) Verify that prior mode termination was properly performed.
(2) Adjust the area security controls to the level of information to be
processed.
(3) Configure the AIS as described in the approved AISSP. The use of logical
disconnects requires Customer approval.
(4) Initialize the system for processing at the approved level of operation with
a dedicated copy of the operating system. This copy of the operating system must
be labeled and controlled commensurate with the security classification and
access levels of the information to be processed during the period.
b. Unattended Processing. Unattended processing will have open storage approval
and concurrence from the customer. Prior to unattended processing, all remote
input and/or output (I/O) not in approved open storage areas will be physically
or electrically disconnected from the host CPU. The disconnect will be made in an
area approved for the open storage. Exceptions are on a case-by-case basis and
will require Customer approval.
c. Processing Termination. Processing termination of any AIS will be accomplished
according to the following requirements.
(1) Peripheral Device Clearing. Power down all connected peripheral devices to
sanitize all volatile buffer memories. Overwriting of these buffer areas will be
considered by the Customer on a case-by-case basis.
(2) Removable Storage Media. Remove and properly store removable storage media.
(3) Non-removable (Fixed) Storage Media. Disconnect (physically or electrically)
all storage devices with non- removable storage media not designated for use
during the next processing period.
(4) CPU Memory. Clear or sanitize as appropriate all internal memory including
buffer storage and other reusable storage devices (which are not disabled,
disconnected, or removed) in accordance with 8501, Table 2.
(5) Laser Printers. Unless laser printers operating in SAPFs will operate at the
same classification level with the same access approval levels during the
subsequent processing period, they will be cleared by running three pages of
unclassified randomly generated text. For SCI, five pages of unclassified pages
will be run to clear the printer. These pages will not include any blank spaces
or solid black areas. Otherwise, no pages need be run through the printer at mode
termination.
(6) Thermal printers. Thermal printers have a thermal film on a spool and take-up
reel. Areas in which these types of laser printers are located will be either
approved for open storage, or the spools and take-up reels will be removed and
placed in secure storage. The printer must be sanitized prior to use at a
different classification level.
(7) Impact-type Printers. Impact-type printers (e.g., dot-matrix) in areas not
approved for open storage will be secured as follows: Remove and secure all
printer ribbons or dispose of them as classified trash. Inspect all printer
platens. If any indication of printing is detected on the platen, then the platen
will be either cleaned to remove such printing or removed and secured in an
approved classified container.
(8) Adjust area security controls.
8302. Collocation of Classified and Unclassified AIS.
a. Customer permission is required before a Provider may collocate unclassified
AIS and classified AIS. This applies when:
(1) The unclassified information is to be processed on an AIS located in a SAPF,
or
(2) The unclassified information is resident in a database located outside of a
SAPF but accessed from terminals located within the SAPF.
b. AIS approved for processing unclassified information will be clearly marked
for UNCLASSIFIED USE ONLY when located within a SAPF. In addition the following
requirements apply:
(1) Must be physically separated from any classified AIS.
(2) Cannot be connected to the classified AIS.
(3) Users shall be provided a special awareness briefing.
(4) ISSR must document the procedures to ensure the protection of classified
information.
(5) All unmarked media is assumed to be classified until reviewed and verified.
c. Unclassified portable AIS devices are prohibited in a SAPF unless Customer
policy specifically permits their use. If permitted, the following procedures
must be understood and followed by the owner and user:
(1) Connection of unclassified portable AIS to classified AIS is prohibited.
(2) Connection to other unclassified AISS may be allowed provided Customer
approval is obtained.
(3) Use of an internal or external modem with the AIS device is prohibited within
the SAPF.
(4) The Provider will incorporate these procedures in the owner's initial and
annual security briefing.
(5) Procedures for monitoring portable AIS devices within the SAPF shall be
outlined in either the AISSP or the Facility Security Plan. These devices and the
data contained therein are subject to security inspection by the ISSR and the
Customer. Procedures will include provisions for random reviews of such devices
to ensure that no classified program specific or program sensitive data is
allowed to leave the secure area. Use of such a device to store or process
classified information may, at the discretion of the Customer, result in
confiscation of the device. All persons using such devices within the secure area
will be advised of this policy during security awareness briefings.
(6) Additionally, where Customer policy permits, personally owned portable AIS
devices may be used for unclassified processing only and must follow the previous
guidelines.
8303. System Auditing.
a. Audit Trails. Audit trails provide a chronological record of AIS usage and
system support activities related to classified or sensitive processing. In
addition to the audit trails normally required for the operation of a standalone
AIS, audit trails of network activities will also be maintained. Audit trails
will provide records of significant events occurring in the AIS in sufficient
detail to facilitate reconstruction, review, and examination of events involving
possible compromise. Audit trails will be protected from unauthorized access,
modification, and deletion. Audit trail requirements are described under mode of
operation.
b. Additional Records and Logs. The following additional records or logs will be
maintained by the Provider regardless of the mode of operation. These will
include:
(1) Maintenance and repair of AIS hardware, including installation or removal of
equipment, devices, or components.
(2) Transaction receipts, such as equipment sanitization, release records, etc.
(3) Significant AIS changes (e.g., disconnecting or connecting remote terminals
or devices, AIS upgrading or downgrading actions, and applying seals to or
removing them from equipment or device covers).
Audit Reviews. The audit trails, records, and logs created during the above
activities will be reviewed and annotated by the ISSR (or designee) to be sure
that all pertinent activity is properly recorded and appropriate action has been
taken to correct anomalies. The Customer will be notified of all anomalies that
have a direct impact on the security posture of the system. The review will be
conducted at least weekly.
Record Retention. The Provider will retain the most current 6 to 12 months
(Customer Option) of records derived from audits at all times. The Customer may
approve the periodic use of data reduction techniques to record security
exception conditions as a means of reducing the volume of audit data retained.
Such reduction will not result in the loss of any significant audit trail data.
Section 4. Networks
8400 Networks. This section addresses network specific requirements that are in
addition to the previously stated AIS requirements. Network operations must
preserve the security requirements associated with the AIS's mode of operation.
a. Types of Networks.
(1 ) A unified network is a collection of AIS's or network systems that are
accredited as a single entity by a single CSA. A unified network may be as simple
as a small LAN operating in dedicated mode, following a single security policy,
accredited as a single entity, and administered by a single ISSR. The perimeter
of such a network encompasses all its hardware, software, and attached devices.
Its boundary extends to all its users. A unified network has a single mode of
operation. This mode of operation will be mapped to the level of trust required
and will address the risk of the least trusted user obtaining the most sensitive
information processed or stored on the network.
(2) An interconnected network is comprised of separately accredited AISs and/or
unified networks. Each self- contained AIS maintains its own intra AIS services
and controls, protects its own resources, and retains its individual
accreditation. Each participating AIS or unified network has its own ISSR. The
interconnected network c must have a security support structure capable of
adjudicating the different security policy (implementations) of the participating
AISs or unified networks. An interconnected network requires accreditation, which
may be as simple as an addendum to a Memorandum of Agreement (MOA) between the
accrediting authorities.
b. Methods of Interconnection.
(1) Security Support Structure (SSS) is the hardware, software, and firmware
required to adjudicate security policy and implementation d differences between
and among connecting unified networks and/or AISs. The SSS must be accredited.
The following requirements must be satisfied as part of the SSS accreditation:
(a)Document the security policy enforced by the SSS.
(b)Identify a single mode of operation.
(c)Document the network security architecture and design.
(d)Document minimum contents of MOA's required for connection to the SSS.
(2) The interconnection of previously accredited systems into an accredited
network may require a reexamination of the security features and assurances of
the contributing systems to ensure their accreditations remain valid.
(a)Once an interconnected network is defined and accredited, additional networks
or separate AISs (separately accredited) may only be connected through the
accredited SSS.
(b)The addition of components to contributing unified networks which are members
of an accredited interconnected network are allowed provided these additions do
not change the accreditation of the contributing system.
c. Network Security Management. The Provider will designate an ISSR for each
Provider network. The ISSR may designate a Network Security Manager (NSM) to
oversee the security of the Provider's network(s), or may assume that
responsibility. The ISSR is responsible for coordinating the establishment and
maintenance of a formal network security program based on an understanding of the
overall security relevant policies, objectives, and requirements of the Customer.
The NSM is responsible for ensuring day to day compliance with the network
security requirements as described in the AISSP (as covered below) and this
Supplement.
d. Network Security Coordination. When different accrediting authorities are
involved, a Memorandum of Agreement is required to define the cognizant authority
and the security arrangements that will govern the operation of the overall
network. When two or more ISSRs are designated for a network, a lead ISSR will be
named by the Provider(s) to ensure a comprehensive approach to enforce the
Customer's overall security policy.
e. Network Security
The AISSP must address:
(1) A description of the network services and mechanisms that implement the
network security policy.
(2) Consistent implementation of security features across the network components.
(a) Identification and Authentication Forwarding. Reliable forwarding of the
identification shall be used between AISs when users are connecting through a
network. When identification forwarding cannot be verified, a request for access
from a remote AIS shall require authentication before permitting access to the
system.
(b)Protection of Authenticator Data. In forwarding the authenticator information
and any tables (e.g., password tables) associated with it, the data shall be
protected from access by unauthorized users (e.g., encryption), and its integrity
shall be ensured.
(c)Description of the network and any external connections.
(d)The network security policy including mode of operation, information
sensitivities, and user clearances.
(e) Must address the internode transfer of information (e.g., sensitivity level,
compartmentation, and any special access requirements), and how the information
is protected.
(f) Communications protocols and their security features.
(g)Audit Trails and Monitoring.
1. If required by the mode of operation, the network shall be able to create,
maintain, and protect from modification or unauthorized access or destruction an
audit trail of successful and unsuccessful accesses to the AIS network components
within the perimeter of the accredited network. The audit data shall be protected
so that access is limited to the ISSR or his/her designee.
2. For Restricted Data, methods of continuous on-line monitoring of network
activities may be included in each network operating in the Compartmented
Security Mode or higher. This monitoring may also include real-time notification
to the ISSR of any system anomalies.
3. For Restricted Data networks operating in the Compartmented Mode or higher,
the Customer may require the audit trail to include the changing of the
configuration of the network (e.g., a component leaving the network or
rejoining).
4. The audit trail records will allow association of the network activities with
corresponding user audit trails and records.
5. Provisions shall be made and the procedures documented to control the loss of
audit data due to unavailability of resources.
6. For Restricted Data, the Customer may require alarm features that
automatically terminate the data flow in case of a malfunction and then promptly
notify the ISSR of the anomalous conditions.
(h)Secure Message Traffic. The communications methodology for the network shall
ensure the detection of errors in traffic across the network links.
f. Transmission Security. Protected Distribution Systems or National Security
Agency approved encryption methodologies shall be used to protect classified
information on communication lines that leave the SAPF. Protected distribution
systems shall be either constructed in accordance with the national standards or
utilize National Security Agency approved protected distribution systems.
g. Records. The Customer may require records be maintained of electronic
transfers of data between automated information systems when those systems are
not components of the same unified network. Such records may include the identity
of the sender, identity and location of the receiver, date/time of the transfer,
and description of the data sent. Records are retained according to 8303.d.
Section 5. Software and Data Files
8500. Software and Data Files.
a. Acquisition and Evaluation. ISSR approval will be obtained before software or
data files may be brought into the SAPF. All software must be acquired from
reputable and/or authorized sources as determined by the ISSR. The Provider will
check all newly acquired software or data files, using the most current version
and/or available of virus checking software and procedures identified in the
AISSP to c. improve assurance that the software or data files are free from
malicious code.
b. Protection. Media that may be written to (e.g., magnetic media) must be
safeguarded commensurate with the level of accreditation of the dedicated or
system high AIS. Media on compartmented or multilevel AISs will be protected
commensurate with the level of the operating session. If a physical write protect
mechanism is utilized, media may be introduced to the AIS and subsequently
removed without changing the original classification. The integrity of the write
protection mechanism must be verified at a minimum of once per day by attempting
to write to the media. Media which cannot be changed (e.g., CD read-only media)
may be loaded onto the classified system without labeling or classifying it
provided it is immediately removed from the secure area. If this media is to be
retained in the secure area, it must be d. Labeled, controlled, and stored as
unclassified media as required by the Customer.
(1) System Software. Provider personnel who are responsible for implementing
modifications to system or security related software or data files e. on
classified AISs inside the SAPF will be appropriately cleared. Software that
contains security related functions (e.g., sanitization, access control,
auditing) will be validated to confirm that security related features are fully
functional, protected from modification, and effective.
(2) Application Software. Application software or data files (e.g., general
business software), that will be used by a Provider during classified processing,
may be developed/modified by personnel outside the security area without the
requisite security clearance with the concurrence of the Customer.
(3) Releasing Software. Software that has not been used on an AIS processing
classified information may be returned to a vendor. If media containing software
(e.g., applications) are used on a classified system and found to be defective,
such media may not be removed from a SAPF for return to a vendor. When possible,
software will be tested prior to its introduction into the secure facility.
c. Targetability. For SCI and SAP the software, whether obtained from sources
outside the facility or developed by Provider personnel, must be safeguarded to
protect its integrity from the time of acquisition or development through its
life cycle at the Provider's facility (i.e., design, development, operational,
and maintenance phases). Uncleared personnel will not have any knowledge that the
software or data files will be used in a classified area, although this may not
be possible in all cases. Before software or data files that are developed or
modified by uncleared personnel can be used in a classified processing period, it
must be reviewed by appropriately cleared and knowledgeable personnel to ensure
that no security vulnerabilities or malicious code exists. Configuration
management must be in place to ensure that the integrity of the software or data
files is maintained.
d. Maintenance Software. Software used for maintenance or diagnostics will be
maintained within the secure computing facility and, even though unclassified,
will be separately controlled. The AISSP will detail the procedures to be used.
e. Remote Diagnostics. Customer approval will be obtained prior to using vendor
supplied remote diagnostic links for on-line use of diagnostic software. The
AISSP will detail the procedures to be used.
8501. Data Storage Media Data storage media will be controlled and labeled at the
appropriate classification level and access controls of the AIS unless write
protected in accordance with 8500.b. Open storage approval will be required for
non-removable media.
Labeling Media. All data storage media will be labeled in human readable form to
indicate its classification level, access controls (if applicable), and other
identifying information. Data storage media that is to be used solely for
unclassified processing and collocated with classified media will be marked as
UNCLASSIFIED. Color coding (i.e., media, labels) is recommended. If required by
the Customer, all removable media will be labeled with a classification label
immediately after removing it from its factory sealed container.
b. Reclassification. When the classification of the media increases to a higher
level, replace the classification label with a higher classification level label.
The label will reflect the highest classification level, and access controls (if
applicable) of any information ever stored or processed on the AIS unless the
media is write protected by a Customer approved mechanism. Media may never be
downgraded in classification without the Customer's written approval.
c. Copying Unclassified Information from a Classified AIS.
(1) The unclassified data will be written to factory fresh or verified
unclassified media using approved copying routines and/or utilities and/ or
procedures as stated in the AISSP. For SCI and SAP, media to be released will be
verified by reviewing all data on the media including embedded text (e.g.,
headers and footers). Data on media that is not in human readable form (e.g.,
imbedded graphs, sound, video) will be examined for content with the appropriate
software applications. Data that cannot be reasonably observed in its entirety
will be inspected by reviewing random samples of the data on the media.
(2) Moving Classified Data Storage Media Between Approved Areas. The ISSR will
establish procedures to ensure that data will be written to factory fresh or
sanitized media. The media will be reviewed to ensure that only the data intended
was actually written and that it is appropriately classified and labeled.
Alternatives for special circumstances may be approved by the Customer. All
procedures will be documented in the AISSP.
d. Over writing, Degaussing, Sanitizing, and Destroying Media. Cleared and
sanitized media may be reused within the same classification level (i.e., TSTS)
or to a higher level (i.e., SECRETES). Sanitized media may be downgraded or
declassified with the Customer's approval. Only approved equipment and software
may be used to overwrite and degauss magnetic media containing classified
information. Each action or procedure taken to overwrite or degauss such media
will be verified. Magnetic storage media that malfunctions or contains features
that inhibit overwriting or degaussing will be reported to the ISSR, who will
coordinate repair or destruction with the Customer. (See Table 1.)
Caution: Overwriting, degaussing, and sanitizing are not synonymous with
declassification. Declassification is a separate administrative function.
Procedures for declassifying media require Customer approval.
(1) Overwriting Media. Overwriting is a software procedure that replaces the data
previously stored on magnetic storage media with a pre-defined set of meaningless
data. Overwriting is an acceptable method for clearing. Only approved overwriting
software that is compatible with the specific hardware intended for overwriting
will be used. use of such software will be coordinated in advance with the
Customer. The success of the overwrite procedure will be verified through random
sampling of the overwritten media. The effectiveness of the overwrite procedure
may be reduced by several factors: ineffectiveness of the overwrite procedures,
equipment failure (e.g., misalignment of read/write heads), or inability to
overwrite bad sectors or tracks or information in inter-record gaps. To clear
magnetic disks, overwrite all locations three (3) times (first time with a
character, second time with its complement, and the third time with a random
character). Items which have been cleared must remain at the previous level of
classification and remain in a secure, controlled environment.
(2) Degaussing Media. Degaussing (i.e., demagnetizing) is a procedure that
reduces the magnetic flux to virtual zero by applying a reverse magnetizing
field. Properly applied, degaussing renders any previously stored data on
magnetic media unreadable and may be used in the sanitization process. Degaussing
is more reliable than overwriting magnetic media. Magnetic media are divided into
three types. Type I degaussers are used to degauss Type I magnetic media (i.e.,
media whose coercivity is no greater than 350 Oersteds (Oe)). Type II degaussers
are used to degauss Type II magnetic media (i.e., media whose coercivity is no
greater than 750 Oe). Currently there are no degaussers that can effectively
degauss all Type III magnetic media (i.e., media whose coercivity is over 750
Oe). Some degaussers are rated above 750 Oersteds and their specific approved
rating will be determined prior to use. Coercivity of magnetic media defines the
magnetic field necessary to reduce a magnetically saturated material's
magnetization to zero. The correct use of degaussing products improves assurance
that classified data is no longer retrievable and that inadvertent disclosure
will not occur. Refer to the current issue of NSA's Information Systems Security
Products and Services Catalogue (Degausser Products List Section) for the
identification of degaussers acceptable for the procedures specified herein.
These products will be periodically tested to ensure continued compliance with
the specification NSA CSS Media Declassification and Destruction Manual NSA 1302.
(3) Sanitizing Media. Sanitization removes information from media such that data
recovery using any known technique or analysis is prevented.
Sanitizing is a two-step process that includes removing data from the media in
accordance with Table } and removing all classified labels, markings, and
activity logs.
(4) Destroying Media. Data storage media will be destroyed in accordance with
Customer approved methods.
(5) Releasing Media. Releasing sensitive or classified Customer data storage
media is a three step process. First, the Provider will sanitize the media and
verify the sanitization in accordance with procedures in this chapter. Second,
the media will be administratively downgraded or declassified either by the CSA
or the ISSR, if such authority has been granted to the ISSR. Third, the
sanitization process, downgrading or declassification, and the approval to
release the media will be documented.
Table 1 Clearing and Sanitization Data Storage
Type MediaClearSanitize
(a) Magnetic Tape Type Ia or ba, b, or destroy Type IIa or bb or destroy Type HIa
or bDestroy
(b) Magnetic Disk Packs Type Ia, b, or c Type IIb or c Type IIIDestroy
(c) Magnetic Disk Packs Floppiesa, b, or cDestroy Bernoulli'sa, b, or cDestroy
Removable Hard Disksa, b, or ca, b, c, or destroy Non Removable Hard Disksca, b,
c, or destroy
(d) Optical Disk Read OnlyDestroy Write Once, Read Many (Worm)Destroy Read Many,
Write ManycDestroy
These procedures will be performed by or as directed by the ISSR.
a. Degauss with a Type I degausser
b. Degauss with a Type II degausser
c. Overwrite all locations with a character, its complement, then with a random
character. Verify that all sectors have been overwritten and that no new bad
sectors have occurred. If new bad sectors have occurred during classified
processing, this disk must be sanitized by method a or b described above. Use of
the overwrite for sanitization must be approved by the Customer.
Note: For handheld devices (e.g., calculators or personal directories),
sanitization is dependent upon the type and model of the device. If there is any
question about the correct sanitization procedure, contact the manufacturer or
the Customer. In general, sanitization is accomplished as follows: Depress the
"CLEAR ENTRY" and the "CLEAR MEMORY" buttons, remove the battery for several
hours, and remove all associated magnetic media and retain it in the SAPF or
destroy. In some models there are specialpurpose memories and keynumbered
memories, as well as "register stacks." Caution will be taken to clear all such
memories and registers. This may take several keystrokes and may require the use
of the operator's manual. Test the hand held device to ensure that all data has
been removed. If there is any question, the device will remain in the SAPF or be
destroyed.
Table 2 Sanitizing AIS Components
TYPEPROCEDURE
Magnetic Bubble Memorya, b, or c Magnetic Core Memory a, b, or c Magnetic Plated
Wired or e Magnetic Resistive Memory Destroy
Solid State Memory Components
Random Access Memory (RAM) (Volatile)f then j Nonvolatile RAM (NOVRAM)l Read Only
Memory (ROM)Destroy (see k) Programmable ROM (PROM)Destroy (see k) Erasable
Programmable ROM (EPROM)g, then d and j Electronically Alterable PROM (EAPROM)h,
then d and j Electronically Erasable PROM (EEPROM)i, then d and j Flash EPROM
(FEPROM)i, then d and j
These procedures will be performed by or as directed by the ISSR.
a. Degauss with a Type I degausser.
b. Degauss with a Type II degausser.
c. Overwrite all locations with any character.
d. Overwrite all locations with a character, its complement, then with a random
character.
e. Each overwrite will reside in memory for a period longer than the classified
data resided.
f. Remove all power, including batteries and capacitor power supplies, from RAM
circuit board.
g. Perform an ultraviolet erase according to manufacturer's recommendation, but
increase time requirements by a factor of 3.
h. Pulse all gates.
i. Perform a full chip erase. (See Manufacturer's data sheet.)
j. Check with Customer to see if additional procedures are required.
k. Destruction required only if ROM contained a classified algorithm or
classified data.
1. Some NOVRAM are backed up by a battery or capacitor power source; removal of
this source is sufficient for release following item f procedures. Other NOVRAM
are backed up by EEPROM which requires application of the procedures for EEPROM
Section 6. AIS Acquisition, Maintenance, and Release
8600. AIS Acquisition, Maintenance, and Release.
a. Acquisition AISs and AIS components that will process classified information
will be protected during the procurement process from direct association with the
Customer's program. When required by the Customer, protective packaging methods
and procedures will be used while such equipment is in transit to protect against
disclosure of classified relationships that may exist between the Customer and
the Provider.
b. Maintenance Policy. The Provider will discuss maintenance requirements with
the vendor before signing a maintenance contract. The Customer may require that
AISs and AIS components used for processing Customer information will be
protected during maintenance from direct association with the Customer's program.
(1) Cleared maintenance personnel are those who have a valid security clearance
and access approvals commensurate with the information being processed. Complete
sanitization of the AIS is not required during maintenance by cleared personnel,
but need-to-know will be enforced. However, an appropriately cleared Provider
individual will be present within the SAPF while a vendor performs maintenance to
ensure that proper security procedures are being followed. Maintenance personnel
without the proper access authorization and security clearance will always be
accompanied by an individual with proper security clearance and access
authorization and never left alone in a SAPF. The escort shall be approved by the
ISSR and be technically knowledgeable of the AIS to be repaired.
(2) Prior to maintenance by a person requiring escort, either the device under
maintenance shall be physically disconnected from the classified AIS (and
sanitized before and after maintenance) or the entire AIS shall be sanitized
before and after maintenance. When a system failure prevents clearing of the
system prior to maintenance by escorted maintenance personnel, Customer approved
procedures will be enforced to (b deny the escorted maintenance personnel visual
and electronic access to any classified data that may be contained on the system.
(3) All maintenance and diagnostics should be performed in the Provider's secure
facility. Any AIS component or equipment released from secure control for any
reason may not be returned to the SAPF without the approval of the ISSR. The
Customer may require that a permanent set of procedures be in place for the
release and return of components. These procedures will be incorporated into the
AISSP.
c. Maintenance Materials and Methods
(1) Unclassified Copy of Operating System. A separate, unclassified, dedicated
for maintenance copy of the operating system (i.e., a specific copy other than
the copy(s) used in processing Customer information), including any microcoded
floppy disks or cassettes that are integral to the operating system, will be used
whenever maintenance is done by uncleared personnel. This copy will be labeled
"UNCLASSIFIED FOR MAINTENANCE USE ONLY." Procedures for an AIS using a
non-removable storage device on which the operating system is resident will be
considered by the Customer on a case-by-case basis.
(2) Vendor supplied Software and/or Firmware. Vendor supplied software and/or
firmware used for maintenance or diagnostics will be maintained within the secure
computing facility and stored and controlled as though classified. If permitted
by the Customer, the ISSR may allow, on a case-by-case basis, the release of
certain types of costly magnetic media for maintenance such as disk head
alignment packs.
(3) Maintenance Equipment and Components. All tools, diagnostic equipment, and
other devices carried by the vendor to the Provider's facility will be controlled
as follows:
(a) Tool boxes and materials belonging to a vendor representative will be
inspected by the assigned escort before the vendor representative is permitted to
enter the secure area.
(b)The ISSR will inspect any maintenance hardware (such as a data scope) and make
a best technical assessment that the hardware cannot access classified data. The
equipment will not be allowed in the secure area without the approval of the
ISSR.
(c)Maintenance personnel may bring kits containing component boards into the
secure facility for th