15 February 1998
Source: http://isd.redstone.army.mil/ar38019/ar38019ch2.html

See balance of AR 380-19 (Department of the Army Information Security Program):

Chapter 2 Computer Security

Section I General Policy

2-1. Overview

a. This chapter provides guidance to implement ISS requirements defined in national level security directives and policies and establishes the Army security policies which apply uniquely to AIS.

b. Security policy for AIS will be defined at concept development. Security requirements based on this policy will be considered throughout the life cycle. There will be a security plan for AIS processing classified and SBU information showing the steps planned to comply fully with stated security requirements.

c. A DAA will be responsible for the overall security of each AIS.

d. The AIS developer must ensure the early and continuous involvement of the PEO, PM, the functional proponent, users, ISSM, ISSO data owners, certification authority, and DAAs in defining and implementing security requirements of the AIS. e. Statements of security requirements will be included, as applicable, in the acquisition and procurement specifications for AIS. The statements will reflect an initial risk assessment and will specify the required level of trust per DOD 5200.28-STD. PEOs/PMs or functional proponents will not field, and Commanders will not accept, the following systems:

(1) Systems which do not meet minimum standards stated in the acquisition and procurement specifications.

(2) Systems which do not provide complete documentation supporting certification and accreditation.

(3) Systems which have not been fully certified or generically accredited.

f. Classified or SBU data will not be introduced into an AIS until the data classification and sensitivity of the AIS has been determined. The appropriate AIS protection mechanisms will be in place and DAA approval to operate will be obtained. The data owner will approve entering the data, where applicable. Data will not exceed security classification level for which the AIS is approved to process.

g. Commanders are responsible for ensuring that AIS under their purview are operated in a manner consistent with the system accreditation and this regulation.

h. Organizations must strive to ensure that new AIS development and modification to existing AIS are performed in a manner that makes security an integral part of the development, acquisition, fielding and operational processes. i. There will be a security plan for AIS processing classified and SBU information showing the steps to comply fully with stated security requirements. The security plan evolves through system life cycle and security requirements into the Security Plan/Accreditation Document (see Appendix C).

2-2. System Sensitivity Designation and Mode of Operation

a. AIS will be categorized based on the sensitivity of information for which the system is authorized to process or store.

(1) AIS processing classified information will be designated by the highest classification, handling code, and category of information processed (e.g., CONFIDENTIAL, SECRET, TS/SCI, SIOP-ESI).

(2) AIS processing unclassified information will be designated as SBU.

b. The security processing modes of operation are based on DOD 5200.28 and DCID 1/16 for systems processing intelligence information. Determination of the security processing mode of an AIS is based on the classification or sensitivity and formal categories of data processed and the clearance, formal access approval, and need-to-know of users of the system. Formal categories of data are those for which a written approval must be issued before access; e.g., SCI compartments, North Atlantic Treaty Organization (NATO) information, or SAPs. The available or proposed security features of the system are not relevant in determining the actual security mode. All AIS will be accredited to operate in one of the following security processing modes:

(1) Dedicated security mode. A mode of operation wherein all users accessing the system directly or indirectly possess the required personnel security clearance or authorization, formal access approval, and need-to-know for all information the system is accredited to process.

(2) Systems high security mode. A mode of operation wherein all users accessing the system directly or indirectly possess the required personnel security clearance or authorization, formal access approval, but not necessarily a need-to-know, for all information the system is accredited to process.

(3) Compartmented security mode. A mode of operation wherein all users accessing the system directly or indirectly possess the required personnel security clearance or authorization, but not necessarily formal access approval or a need-to-know, for all information the system is accredited to process.

(4) Multilevel security mode. A mode of operation wherein not all users accessing the system directly or indirectly possess the required personnel security clearance or authorization, formal access approval, or a need-to-know for all information the system is accredited to process.

2-3. Minimum Requirements

a. All AIS processing classified or SBU information will achieve the minimum requirements of this paragraph through automated or manual means. Commanders and accreditation authorities may impose more stringent requirements based on a risk analysis. All risk analyses will evaluate the possible vulnerabilities and the security impact on associated AIS and networks within their area of responsibility. Although manual procedures are acceptable when an automated safeguard is not feasible, security safeguards should be embedded into design of AIS to ensure a secure infrastructure.

(1) Accountability. Safeguards will be in place to ensure that each person having access to an AIS may be held accountable for his or her actions on the AIS. For all AIS except small computers (see glossary - Workstations, laptops), a security audit trail will provide a documented history of AIS use. In a Client Server Environment (CSE), audits will not be collected at the workstation level but will be maintained at the server level. The audit trail will be of sufficient detail to reconstruct events in determining the cause or magnitude of compromise or damage should a security violation or malfunction occur. Audit trails should be reviewed for security implications daily, but as a minimum, will be reviewed once per week. DAAs will determine how long to retain the audit information. The manual or automated audit trail will document the following:
(a) The identity of each person and devices accessing the AIS.

(b) The date and time of the access.

(c) User activity sufficient to ensure user actions are controlled and open to scrutiny.

(d) Activities that might modify, bypass, or negate safeguards controlled by the AIS.

(e) Security-relevant actions associated with periods of processing or the changing of security levels or categories of information.

(f) Other security relevant events. The list of events will be provided as part of the accreditation request for approval by the DAA.

(2) Access. Each AIS will have an associated access control policy which will include features or procedures to enforce the access control measures required for the information within the AIS. The identity of each authorized user will be established positively before granting access.

(3) Security Training and Awareness. All persons accessing an AIS will be a part of the security training and awareness program. The program will ensure that all persons responsible for managing AIS resources or who access AIS are aware of proper operational and security-related procedures and risks. As a minimum, items detailed in paragraph 2-16 below will be covered.

(4) Controls. AIS hardware, software, documentation, and all data handled by the AIS will be protected to prevent unauthorized (intentional or unintentional) disclosure, destruction, or modification and will provide control measures. The level of control and protection will be commensurate with the maximum sensitivity of the information present in the system and will provide the most restrictive control measures required by the data to be handled. This includes personnel, physical, administrative, and configuration controls. Unclassified hardware, software, or documentation of an AIS will be protected if access to such AIS resources reveals classified information, or information that may be used to eliminate, circumvent, or otherwise render ineffective the security safeguards for classified information. Software development and related activities (e.g., systems analysis) will incorporate appropriate security measures.

(5) Marking. Markings on classified or SBU output will reflect the sensitivity of the information as required by existing directives. AR 380-5 contains requirements for security classification and applicable markings for classified information and AR 25-55 governs FOUO information. Appropriate markings will be applied manually or through an automated means (that is, the AIS has a feature that produces the markings). Automated markings on classified output must not be relied on for accuracy unless the security features and assurances of the AIS meet the requirements for a minimum trusted computing base class B1 as specified in DOD 5200.28-STD. If the B1 requirement is not met, but automated controls are used, all classified output will be protected at the highest level of classification level of the information handled by the AIS until an authorized person manually reviews it to ensure that it was marked accurately with the classification and special markings. All media will be marked and protected commensurate with the requirements for the highest security classification level and the most restrictive category of information ever stored on the media until the media is declassified or destroyed under this regulation, or until the information is declassified or downgraded under AR 380-5.

(6) Least privilege. The AIS will function so that each user has access to only the information to which he or she is entitled (by virtue of clearance and formal access approval). In the case of need-to-know for classified information, access must be deemed essential to accomplish lawful and authorized Government purposes. Users will also be restricted from having access to system privileges that allow operations on data and other system resources not required to perform their job.

(7) Data continuity. An owner or proponent will be identified for each file or data grouping on the AIS throughout its life cycle. The file or data grouping accessibility, maintenance, movement, and disposition will be governed by security clearance, formal access approval, need-to-know, and protective marking as appropriate. All files or data groupings will be labeled to ensure that the security classification and or special markings are maintained during storage, processing, and communication transfer.

(8) Data integrity. Appropriate safeguards will be in place to detect and minimize unauthorized access, inadvertent, malicious or non-malicious modification or destruction of data. There will be an appropriate safeguard to ensure that security classification labels remain with the data if it is transmitted via a network to some other AIS.

(9) Contingency planning. A contingency plan will be developed, per DA PAM 25-30, so that recovery procedures are available if data is modified or destroyed or if the integrity of the system is suspect. The contingency plan should include at a minimum a Continuity of Operation (COOP), an emergency destruction plan, and an emergency destruction plan. Deployable systems must have an emergency destruction plan The contingency planning process may include Memorandum of Agreement (MOA) back-up for critical support services with another Army Command or federal agency.

(10) Accreditation. Before operation, each AIS will be certified and accredited under a set of security requirements and safeguards approved by the DAA.

(11) Risk Management. A risk management program will be put in place to determine what level of protection is required, what currently exists, and the most economical way of providing the needed protection (See Chapter 5).

(12) Security Planning. An AIS security plan will be developed and maintained for the life of each AIS including prototype, test, and developmental systems. An AIS security plan will also be prepared and maintained for each prototype, test, or developmental system. The security plan evolves into the accreditation document and will be maintained to reflect system changes. (See Appendix C for suggested format).

(13) Copyright Laws. Personnel who violate copyright laws will be subject to disciplinary actions per USC 17 section 504 and 506 and appropriate Army regulations, which may result in civil or criminal penalties by judicial action.

b. In addition to the requirements above, AIS operating in other than the dedicated security mode must provide security features which meet the trusted computing base (TCB) from DOD 5200.28-STD as determined by the procedures in Appendix B of this document. The following instructions for implementation of these provisions apply:

(1) All AIS which process or handle classified or SBU information and require at least Controlled Access Protection (i.e., TCB class C2 security protection) will implement required security features based on the procedures described in Appendix B of this document.

(2) If the procedures in Appendix B require a Trusted Systems class above the trusted computing class of C2, a timetable for meeting this requirement will be determined individually for each system. This timetable will be part of the accreditation and it must be approved by the DAA.

(3) These requirements will be met either by using trusted computer products listed in the NSA Information System Security and Service Catalogue, using a product not in the Catalogue that has security features which meet the level of trust required for the AIS, or developing a product that has security features which meet the level of trust required. In any case, the cognizant DAA will determine whether or not all security requirements in DOD 5200.28-STD have been satisfied. (4) There are cases where introduction of additional computer-based security features according to the schedule given in subparagraphs 2-3 b(1) and (2), for an existing AIS, may be prohibitively expensive, time-consuming, technically unsound, or may adversely affect operational effectiveness to an unacceptable degree. In such cases, an exception to the requirement may be approved by the DAA with the written concurrence of the MACOM commander or the Administrative Assistant to the Secretary of the Army (acting as the MACOM commander for HQDA activities). Application for such exceptions will include a determination that one or more of the conditions in this paragraph exists. Exceptions should be reviewed during each reaccreditation.

Section II Software Security

2-4. Software controls

a. Controls will be implemented to protect system software from against compromise, subversion, or unauthorized manipulation.

b. All software used on Army AIS must be approved by the ISSM or ISSO prior to installation and operation.

c. Army activities which operate or propose to operate an approved database of executable software for other Army activities to use must have approval from each parent MACOM. Requests must include a description of countermeasures employed to reduce the risk of introducing malicious software. Public domain, shareware, or other privately purchased software, whether obtained from an approved database or from another source, will not be used on Army AIS unless approved locally under AR 25-1, paragraph 2-7.

d. Each Army AIS will include an identified set of executable software which is authorized to be run on that AIS. Such software will be protected from unauthorized modification to the maximum extent possible by the hardware and software mechanisms of the AIS. If the risk analysis reveals unacceptable risk from attacks by malicious software, additional measures; e.g. , commercial "anti-viral" programs, tamper-resistant holographic seals and non-technical security methods; will be employed to reduce this risk to an acceptable level.

e. Documentation which addresses the software design and capabilities will be maintained for use of programming, operations, and user personnel. Only personnel performing official duties should be allowed access to this software documentation.

f. Upon acceptance for operational use, whether developmental, GOTS, or COTS, software must be kept under close and continuous configuration management controls so that unauthorized changes are not made. A master copy of the software must be safeguarded and never used for actual production operations. Production copies of software should be generated from the master copy as required. System and application program libraries will be protected and backup copies maintained. Strict configuration management controls will be enforced to lessen the risk of introducing untested or malicious software.

g. Operational software may be modified and maintained only under rigorously controlled conditions requiring verification.

h. Personnel who violate computer software copyright laws will be subject to disciplinary actions per United States Code 17, section 504 and 506, and United States Code 18 - 2319, and appropriate Army Regulations, and (where applicable) the UCMJ. Such actions may result in civil and/or criminal penalties by the software manufactures and/or the Army.

2-5. Database management systems (DBMS)

a. Protecting shared databases is essential as they represent a significant asset and frequently reveal considerably more information taken as a whole than can be obtained from their individual parts. Commercial database management systems have different characteristics, such as those listed below, that affect their security stability and must be considered when acquiring a system for handling classified or unclassified information:

(1) Distributed database access and synchronization,

(2) Database integrity,

(3) Database availability (failover, recovery, and restart functions),

(4) Data and program protection mechanism which control read and write permission levels, and

(5) Audit mechanisms and utilities.

b. When database management systems containing classified defense information are used, the classified identifiable element (e.g., word, field, or record) within the database must be protected according to the highest security classification of any database element. If the database cannot provide field protection, then it should provide record protection to the highest security classification level of the fields within the record. Database systems which do not provide protection at the record or field level, will be restricted to operation in the dedicated or system high security mode. In all cases the DBMS must meet the minimum trust requirements identified in para 2-3 above.

c. Database systems that bypass the production of operating system audit trail data must produce their own audit trail data similar to those prescribed for the operating system. These audit trails must also be used in determining the confidentiality, integrity, and availability of the automated system and the data contained therein.

d. Designers and developers of database management systems, in coordination with security specialists and proponents for the data elements, must consider the effect that compilation of data will have on the final security classification of the database system. The degree to which a given user can be reliably denied access to portions of the database will influence the final classification decision. e. A Database Administrator (DBA) will be appointed for each database and appropriate duties assigned by the ISSM.

2-6. Software Security Packages

a. Software security packages are available from various commercial vendors. Products other than those evaluated by the NSA and included on the NSA Information System Security Products and Services Catalogue may be used; however, such products must be approved by the DAA and based on a valid justification.

b. The evaluation of software security packages must be included in the risk assessment so that the accreditation authority can document advantages and disadvantages.

c. The decision to use software security packages will be based upon cost and the level of security protection required.

d. HQDA (DISC4) must approve purchase or annual lease costs of products not listed in the NSA Information System Security and Services Catalogue which exceed $50,000.00.

2-7. Software Design and Test

a. Software security requirements must be considered in the future design, development, and acquisition of Army systems.

b. Examination of the control over the procedures used to develop computer programs is an integral part of the software certification and AIS accreditation process. The key to eventual certification is to develop systems that are easily understood and verifiable.

c. Programs must be completely tested before becoming operational. Both valid and invalid data must be used for testing. Testing is not complete until all security mechanisms have been examined and expected results are attained and attempts to circumvent or defeat these mechanism fail.

d. Upon completion of maintenance or modification of software, independent testing and verification will be required before returning software to operation.

Section III Hardware Security

2-8. Hardware-based Security Controls

a. Hardware-based security controls represent an important factor when evaluating the security environment of any Army system. The absence of hardware-embedded security features or the presence of known hardware vulnerabilities will require compensation in other elements of the security program.

b. Hardware security requirements must be considered in the future design, development, and acquisition of Army systems.

c. Procurement documentation for PCs and workstations must specify the capability to support at least two Personal Computer Memory Card International Association (PCMCIA) cards of the Type II height configuration (i.e., MISSI-FORTEZZA).

2-9. Maintenance Personnel

a. Maintenance personnel must be cleared to the highest level of data the AIS is accredited to process. b. Maintenance personnel who do not access classified data during their maintenance operation should, nevertheless, be cleared for the highest level of data processed on the system. However, if this is not feasible, maintenance personnel will be monitored at all times during their maintenance operation by individuals with the technical expertise to detect unauthorized modifications.

c. Non-U.S. citizens will not perform maintenance on TS/SCI and SIOP-ESI accredited AIS or on AIS which process SAP information. If non-U.S. citizens are employed to maintain other AIS, such use will be addressed as a system vulnerability in the risk assessment and appropriate countermeasures will be employed.

d. Any parts removed from an AIS operating in a sensitive compartmented information facility (SCIF) will be retained in the facility until approved for release by the local special security officer (SSO) in coordination with the ISSM or ISSO per AR 380-5, AR 380-28, and DCID 1/21.

Section IV Physical Security

2-10. Security Objectives and Safeguards

a. A balanced AIS security program must include a firm physical security foundation with the following objectives:

(1) Safeguard personnel.

(2) Prevent unauthorized access to equipment, facilities, material, media, and documents.

(3) Safeguard against espionage, sabotage, damage, and theft.

(4) Reduce the exposure to threats which could cause a denial of service or unauthorized alteration of data.

b. Commanders and managers will protect AIS assets under their control through cost-effective physical security measures. c. Facilities housing systems, computer rooms, network components (e.g., routers or file servers), and related sensitive areas may be designated as restricted areas or mission essential vulnerable areas under AR 190-13. Facilities and systems so designated will be included in the installation physical security plan required by the same regulation. Periodic physical security inspection requirements are also contained in AR 190-13 and AR 190-51.

d. Facilities housing systems processing SCI material will be subject to the provisions in DCID 1/21.

e. Particular attention must be paid to the physical security of AIS which are not operated or otherwise attended continuously. AIS which process classified defense information must be properly declassified prior to being left unattended, unless secured in areas or containers approved for storage of classified material under AR 380-5.

f. The number and diversity of Army AIS (fixed and deployable systems) and installations make it impractical to establish universal, rigid physical security standards. However, adequate physical security at each installation is essential to achieving a secure data processing environment. Physical security standards must be based on an analysis of both wartime and peacetime mission criticality, sensitivity levels of the information processed, overall value of the information to the mission of the organization, local criminal and intelligence threat, and the value of the automated equipment.

g. Physical security will be provided through an in-depth application of barriers and procedures, which may include continuous monitoring (human or electronic) of the protected area. Barriers and procedures include structural standards, key control, lighting, lock application, and inventory and accountability.

h. Physical access controls commensurate with the level of processing will be established to deter unauthorized entry into the facility and other critical areas (such as input or output area, programming, data preparation, and storage) which support or affect the overall operation.

i. Facilities housing AIS equipment will be of sufficient structural integrity to provide effective physical security at a reasonable cost. Trained physical security specialists will be consulted in all phases of selection, design, and modification of such facilities to provide expertise in physical security requirements.

2-11. Physical Security Standards for Smaller Computers and Other Automated Information Systems

a. Many AIS, including some file servers, clearly do not warrant the physical protection detailed in paragraphs 2-11 and 2-12 above. These include personal computers, workstations, notebook computers, laptop computers as well as other AIS where the computing environment is fully integrated into the work environment. Application of the above standards will depend on AIS size, complexity, manufacturer specifications, number of terminals, sensitivity of data, and environmental requirements. If the mainframe physical security requirements do not apply, the provisions in this paragraph will be followed.

b. Physical security requirements must be considered and selected based on the sensitivity and classification of data being protected, as well assessed risk to the information and the risk of equipment theft. The physical security requirements must be examined to ensure protection of equipment is cost effective, the impact mission on objectives is negligible, and the level of risk is acceptable to local commander.

c. All AIS must be protected and physical security requirements must be carefully selected.

(1) AIS with nonremovable media which process classified information must be stored in an area or a container approved for safeguarding classified media per AR 380-5.

(2) AIS with SBU information on nonremovable media should be in a locked office or building during non-duty hours, or be otherwise secured to prevent loss or damage.

(3) All users will log-off or lock the keyboard and screen until reauthentication, when they leave their workstation or personal computer.

(4) Workstations and personal computers should include a local "idle lockout/screen saver" feature which automatically locks the screen and keyboard after a specified period of no activity (i.e., 3 - 5 minutes), requiring reauthentication before unlocking the system (e.g., password protected screen saver).

Section V Procedural Security

2-12. Reporting and Accountability

a. Procedural security measures can be cost-effective since they usually involve a minimum financial expenditure while producing a higher corresponding level of security.

b. The procedures and techniques described herein apply to AIS operations as well as to software development, maintenance activities, and other support operations. Control of software during the development process is as important as control over the AIS in operation.

c. The procedural measures listed below will be an integral part of each AIS security program.

(1) Key duties will be clearly delineated and separated to reduce the risk of one individual adversely affecting the entire system operation. Checks and balances will be established to detect deviations from assigned duties.

(2) The ISSO must report directly to the responsible manager of the AIS on security-related matters. The ISSM should be positioned organizationally to avoid having a vested interest in keeping the system operational at the expense of security.

(3) Proposed changes to the AIS configuration (to include changes to the software, facility, environmental support, or equipment interfaces) will be reported to the ISSO for a determination about the security implications of the change. If required by AR 381-14 (S), a TEMPEST Countermeasures Review will be conducted by or validated by a Certified TEMPEST Technical Authority (CTTA).

(4) AIS hardware, software, firmware, and documentation will be protected to prevent intentional or unintentional disclosure, destruction, or modification. This includes having appropriate physical, personnel, administrative, and configuration controls.

2-13. SCI Policy

a. All AIS equipment used for processing, handling, and storing of SCI will be operated and secured in compliance with Defense Intelligence Agency Manual (DIAM) 50-4, NSA Manual 130-1, DCID 1/16, this regulation and/or successor documents.

b. Prior to use, automated information systems located in a SCIF must be accredited under the provisions of this regulation, or DIAM 50-4 or NSAM 130-1.

c. All AIS processing SCI and classified collateral information will comply with the following requirements:

(1) Any removable magnetic media placed in an AIS with fixed media must be protected at the same classification level as the system. Fixed media includes systems having memory retention capabilities such as internal memory retention devices or non-removable hard disks.

(2) Any removable magnetic media placed in an AIS without fixed media (e.g., diskless workstation in a client server environment) must be protected at the highest classification level of any media used simultaneously in the AIS.

(3) If the classification of removable media is more restrictive than the level for which the AIS is accredited under this regulation, the Special Security Officer (SSO) must be notified of a security violation, and the AIS must be protected at the more restrictive level. Additionally, the AIS accreditation must be resubmitted to accommodate the more restrictive level, unless the system is completely sanitized and there is no intent to process at the more restrictive level in the future. (4) All fixed media systems processing SCI data must be stored in a GSA approved container or the SCIF must have authority for open storage of SCI material. If such authority is not granted in the facility accreditation, permission will be requested through command channels to HQDA (DCSINT).

d. Contractors utilizing AIS within a contractor SCIF which is intended to process or store SCI in support of Army SCI contractual efforts, will refer to DIAM 50-5, DIAM 50-4, AR 381-14, or successor documents, and separate guidance provided from the Contractor Support Element, 716th MI Battalion, Ft Meade, MD.

(1) Supporting Contractor Support Detachments (CSD) of the 902d MI Group may approve the entry of processing equipment into contractor SCIFs. This approval does not constitute processing approval.

(2) DD Form 254 (Contract Security Classification Specification) and other contractual documents will require appropriate TEMPEST countermeasures to be applied in the contract (see AR 381-14 (S) ).

e. All equipment used to transmit, handle or process SCI electronically (including communications, word processing and automated information systems equipment) must satisfy the requirements of AR 381-14 (S). Army activities processing SCI electronically will use AR 381-14 (S) for TEMPEST guidance. After consulting with the ISSM, SSO's may approve the entry of any processing equipment listed on the current Preferred Products List (PPL) or Endorsed Tempest Product List (ETPL) into a SCIF. Entry approval does not constitute processing approval.

f. Appendix E of this document contains guidance in declassifying, releasing, and shipping of media containing sensitive compartmented information.

2-14. Password Control

a. User identification and password systems support the minimum requirements of accountability, access control, least privilege, and data integrity contained in paragraph 2-3a above. These mechanisms, while not always appropriate for stand-alone small systems or for other systems operating in the dedicated mode, are often the most cost-effective and efficient method of achieving these minimum security requirements. Other techniques (e.g., biometrics access control devices or smart cards) provide practical alternatives for use in conjunction with, or in place, of password systems.

b. The ISSO or designated representative is responsible for managing generation, issuance, and control of all passwords.

c. After creation, passwords will be handled and stored at the level of the most sensitive data contained in the system. In the case of multilevel security mode operations, passwords will be classified according to the level of system-access to which the user is authorized. Knowledge of individual passwords will be limited to a minimum number of persons, and passwords will not be shared. Passwords will be issued if the user has a confirmed authorization to access the system.

d. Method of password distribution will be appropriate to the level of the data which they protect.

e. At the time of password issuance, individual users will be briefed on the following:

(1) Password classification and exclusiveness;

(2) Measures to safeguard classified and unclassified passwords;

(3) Prohibitions against disclosure to unauthorized personnel, even though they may be assigned to the same project and hold identical clearances; and

(4) The requirement to inform an ISSO or designated representative immediately of password disclosure, misuse or other potentially dangerous practices.

f. A password will be issued only once and will be retired when the time limit has expired or the user has been transferred to other duties, reassigned, retired, discharged, or otherwise separated from the duties or the function for which the password was required. The holder of a password is the only authorized user of that password. Personnel may not use, without proper authority, another person's password or allow another person, who does not have proper authority, to use his or her password.

g. Passwords on classified systems will be changed at least quarterly. Passwords on nonsensitive and SBU will be changed semi-annually.

h. Passwords will be inhibited, overprinted, or otherwise protected from unauthorized observation on terminals and video displays.

i. Passwords for AIS processing SCI/SIOP-ESI must be randomly generated with, as a minimum, eight character strings using the 36 alphabetic-numeric characters. Passwords for systems processing other classified or SBU information must be at least a eight character string using the 36 alphabetic-numeric characters and do not need to be randomly generated. At least two of the characters should be numeric.

Section VI Personnel Security

2-15. Training and Awareness Program

All individuals who are appointed as ISSPM, ISSMs, ISSOs, and systems administrators must complete an AIS security course of instruction equal to the duties assigned to them. All other personnel who manage, design, develop, maintain, or operate AIS will undergo a training and awareness program consisting of the following topics:

a. An initial security training and awareness briefing for AIS managers and users. This briefing can consist of training material governing ISS in general; but, must be tailored to the system the employee will be managing or using. The briefing will include the following:

(1) Threats, vulnerabilities, and risks associated with the system. Under this portion, specific information regarding measures to reduce the threat from malicious software will be provided, including prohibitions on loading unauthorized software, the need for frequent backup, and the requirement to report abnormal program behavior immediately.

(2) Information security objectives (i.e., what is it that needs to be protected?)

(3) Responsibilities and accountability associated with system security.

(4) Information accessibility, handling, and storage considerations.

(5) Physical and environmental considerations which are necessary to protect the system.

(6) System data and access controls.

(7) Emergency and disaster plans.

(8) Authorized system configuration and associated configuration management requirements.

b. Periodic security training and awareness which may include various combinations of the following:

(1) Self-paced or formal instruction.

(2) Security education bulletins.

(3) Security posters.

(4) Training films and tapes.

(5) Computer-aided instruction.

2-16. Personnel Security Standards

a. Personnel who require access to AIS processing classified defense information to fulfill their duties will possess a security clearance based on the appropriate personnel security investigation as delineated in AR 380-67.

b. Civilian, military, consultant, and contractor personnel meeting the requirements of an ADP I, II, or III position (see AR 380-67) will, successfully complete a security investigation as listed below. The investigation must be completed before the individual is permitted access to an AIS and is placed in an ADP position.

(1) ADP-I. Single Scope Background Investigation (SSBI).

(2) ADP-II. National Agency Check or National Agency Check with Inquiries.

(3) ADP-III. National Agency Check, Entrance National Agency Check, or National Agency Check with Inquiries.

c. Before users are granted access to any system, the system owner must determine if access requires a background check and the type of background check required per the level of ADP sensitivity and the ADP position requirements defined in paragraph b above.

d. All positions will be designated as Critical-Sensitive for ADP-I, Non-Critical Sensitive for ADP II, and Non-Sensitive for ADP III per AR 380-67, Paragraph 3-101.

e. Criteria for occupying an ADP I, II, or III position are contained in AR 380-67, Paragraph 2-200. Commanders or supervisors who become aware of adverse information, either through the formal security investigation or through other official sources, will follow the procedures in chapter 8 of AR 380-67, which may include suspension from duties. Suspensions or other more adverse actions will be based on the normal security clearance determination process contained in AR 380-67. The investigation must be successfully completed prior to assigning an individual to any ADP I or II duties.

f. Additional responsibilities for personnel managing, supervising, and performing ADP I, II, and III duties are found in AR 380-67, Chapter 9.

2-17. Foreign National Employees

a. Use of foreign national employees in positions which allow access to AIS is discouraged. However, when circumstances necessitate this practice, the requirements in this paragraph apply.

b. AR 380-67, paragraph 3-608, requires pre-employment checks of prospective foreign nationals who will not require access to classified information to perform their duties. Before employment, each foreign national must have a favorable National Agency Check or host country equivalent. If the foreign national is hired prior to the completion of the security check, the employment contract will state that retention in the position is contingent upon completion of a favorable security screening.

c. Foreign nationals will not be employed in positions which meet the definition of ADP I or II, unless specifically approved by officials listed in AR 380-67, Appendix F, paragraph F-2.

d. Foreign nationals will not be employed in AIS positions which will afford access to classified defense information except when the foreign national meets the provisions for a limited access authorization (LAA) due to other special expertise. An LAA may be granted only under the provisions of AR 380-67 and only if there are no qualified U.S. personnel available. Access must be limited to that described in the approved LAA, and the foreign national must be supervised at all times by appropriately cleared U.S. personnel. The LAA must be reviewed annually to verify that it is still required as approved and has not evolved into a need for greater access. LAAs will always be kept to the minimum, consistent with mission requirements, and will be terminated when no longer required. Section VII Automated Information System Media

2-18. Protection Requirements

a. AIS media consist of any substance or material on which information is represented or stored, used for either input or output to an AIS, or is an integral part of the AIS.

b. Users of classified media must protect the media in accordance with the procedures of AR 380-5 unless media is properly declassified or destroyed pursuant to this regulation ot the NSA.

c. All toner cartridge assemblies used in laser printers which are connected to a collateral classified AIS will be considered to be unclassified after three blank pages have been printed. Cartridge assemblies used in printers connected to an AIS which processes SAP or SCI must be controlled per NSA policies as defined in NSTISSAM COMPUSEC/2-90 and or DCI policies as defined in DCID 1/21.

2-19. Labeling and Marking Media

a. Personnel will mark and label all media, which are not integral parts of the AIS, according to the highest accrediation level o fhte system in which they were operated in accordance with AR 380-5. Personnel must label components with memory capabilities according to the highest accredited classofication of the system when they remove the component for repair or exchange. Personnel will use SF 706 (Top Secret), SF 707 (Secret), or SF 708 (Confidential) to mark non-paper collateral cllassified media. Personnel will affix two tables to SCI media; SF 712 (Classified SCI) and a completed SF 711 (Date Descriptor). The SF 711 will indicate the security classification of the date.

b. Personnel will use the label SF 710 (Unclassified) to label unclasified media which contain dat representtiives that cannot be read by the human eye when media are stored, transmitted, or otherwise intermingled with classified media.

c. Personnel will mark paper printouts from AIS in accordance with AR 380-5, Chapter 4.

d. General requirements for accountability, receipting, transmission, and all other measures for classified material prescribed in AR 380-5 will apply to AIS media as appropriate to its classification.

e. Personnel will mark and label all compact disc (CD) for AIS according to the highest classification level of the system in which they were operqted. Personnel will mark the non-readable side of the CD with permanent ink to the case and the accreditation level of the system in which it was operated.

2-20. Clearing, Purging, Declassifying, and Destroying media

a. Clearing of media means erasing or overwriting all information on the media without the totality and finality of purging. The clearing procedure is adequate when the media will remain within the facility; however, removable media must continue to be controlled at their prior classification or sensitivity level. Purging or sanitizing of media means to erase or overwrite, totally and unequivocally, all information stored on the media. Declassifying of media refers to the administrative action taken after it has been purged. Declassifying is required when the media must leave the facility under the control of uncleared personnel; for example, for maintenance operations.

b. The decision to declassify media will be made only after comparing the inherent risks (in the Magnetic Media Remanence Guide - Rainbow Series) with the financial or operational benefit of media declassification. For example, destruction of media is normally more appropriate than declassification and reuse, given the low cost of the media.

c. Media can be declassified only after purging. The appropriate ISSO must verify that the technique chosen for purging (or sanitizing) meets applicable requirements. Additionally, the ISSO must establish a method to periodically verify the results of the purging. As a minimum, a random sampling will be taken to verify each purge.

d. Degaussing must be accomplished using NSA approved equipment from the Degausser Products List of the Information Systems Security Products and Services Catalogue. Information on degaussers is available through the information systems security management structure. Some listed products may be used only to degauss magnetic media that has coercivity no greater than 350 oersteds (also known as Type I media), while others are approved for media with coercivity no greater than 750 oersteds (also known as Type II media). Certain tape media have a coercivity greater than 750 oersteds (also known as Type III media) and cannot, at this time, be completely degaussed. (See Appendix E for more information.)

e. AR 380-5 governs destruction of most AIS media. Appendix E (of this document) and DCID 1/21 provides guidance on destruction of laser printer cartridges. A CD-ROM will be destroyed by scratching both surfaces with some abrasive substance to render the CD unreadable prior to breaking the CD into numerous pieces with some type of impact devices.

f. Storage media containing Sensitive Compartmented Information (SCI) will be handled as stated in Appendix E of this document.

2-21. Non-Removable Storage Media

a. Using an AIS with non-removable, non-volatile media for processing classified information is discouraged. Classified information may not be stored on such media except under one of the following conditions:

(1) The AIS is housed in an area approved under AR 380-5, for open storage at the highest classification level processed.

(2) The AIS can be secured when unattended in a storage container approved for the highest classification level of information processed.

(3) The AIS is continually controlled by individuals cleared for the highest level of material stored.

(4) The media are declassified according to Paragraph 2-21 during all periods when not attended by properly cleared individuals.

b. If the conditions of a (above) are not met and the DAA elects to approve the use of non-removable, nonvolatile media on AIS processing classified information, specific countermeasures must be implemented to ensure that classified information is not written on such media. These countermeasures must be identified in the accreditation documentation. Administrative techniques, such as an SOP requiring users to write classified information only to removable media, are not sufficient to meet the requirements of this paragraph, due to the high possibility of user error and the possibility of systems or application software using the non-removable media for its files.

c. Appendix E of this document provides additional information concerning fixed storage media containing sensitive compartmented information.

Section VIII Network Security

2-22. Two views of a network

a. The provisions of this regulation apply to networks, which are included in the definition of an AIS. However, for the purpose of applying these standards and identifying responsible officials, the following views of a network must be considered:

(1) The interconnected accredited AIS (IAA) view is one in which the network is treated as an interconnection of separately created, managed, and accredited AIS. IAA consist of multiple systems that have been accredited to operate within a range of values and may include systems which do not fall under DOD directives.

(2) The single trusted system (STS) view is one in which the network is accredited as a single entity by one DAA. The STS view is normally appropriate for local area networks, but can also be applicable to wide-area networks where a single agency or official has responsibility.

b. The following security provisions are applicable to the IAA view network:

(1) Even though there are multiple individually accredited AIS, there should still be a single identified network DAA, (e.g., DISA, has overall control and publishes security parameters for use of the Defense Data Network (DDN)). However, a central focal point cannot always be identified. In this latter case, each individual AIS DAA must establish procedures to protect the data contained in the AIS and to ensure that only authorized data is transmitted on the IAA network.

(2) The DAA of the individual AIS must specifically approve connection of the AIS to an IAA. This approval will be part of the AIS accreditation. It will be made only after assessing the additional risks involving the potential exposure of data within the larger community of AIS infrastructure.

(3) The DAA's approval will include a description of the classification and categories of information which can be sent over the IAA. Unless the AIS is accredited for multilevel operations and can reliably separate and label data, the AIS is assumed to be transmitting the highest level of data present on the system during network connection.

(4) The DAAs of the participating AIS and the DAA of the overall network (if one has been designated) will sign a Memorandum of Understanding (MOU). In those cases where standard procedures for connecting to the network have been defined by a DAA, those procedures, coupled with the approval of the DAA to connect, will serve as the MOU.

(5) Connections between accredited AIS must be consistent with the mode of operation, sensitivity level or range of levels, and any other restrictions imposed by the accredited AIS.

(6) Connections to unaccredited AIS (that is, from other agencies or non-governmental entities) are authorized, but only nonsensitive unclassified and SBU data may be transmitted to and from such AIS. SBU data must be afforded the proper protection requirements (data confidentiality, data integrity, and data availability) to ensure compliance to paragraph 1-5b of this regulation.

(7) National Computer Security Center - Technical Guidance (NCSC-TG)-005 contains additional restrictions that apply to connecting AIS to an IAA when the AIS is accredited in the multi-level or compartmented mode.

c. The following security provisions apply to the STS view network:

(1) The STS view provides the greatest probability that security will be adequately addressed in a network, and it will be used in lieu of the IAA view whenever possible.

(2) Sensitivity category and mode of operation of the STS network will be determined as described in Paragraph 2-2 above. Minimum requirements of Paragraph 2-3 are fully applicable, including the minimum trusted class requirement when the network operates in other than the dedicated mode. NCSC-TG-005, Part I, can be used to determine how to interpret DOD 5200.28-STD for an STS network. Additionally, Part II describes three other security services, each with three sub-elements, which must be addressed in the STS network accreditation:

(a) Communications Integrity, including authentication capability, field integrity, and ability of the network to enforce non-repudiation of a message;

(b) Denial of Service characteristics including continuity of operations, protocol-based protection against Denial of Service, and adequacy of network management; and,

(c) Compromise protection, including data confidentiality, traffic flow confidentiality, and the ability to route transmissions selectively in the network.

(3) The security services described in 2-23 c(2) above can be addressed only in a subjective manner and may not be applicable or desirable in all situations. Nevertheless, ISSOs and network DAAs must consider each of them in defining their network security requirements and develop countermeasures for those services which are required but not present.

Section IX Miscellaneous Provisions

2-23. Remote Devices

a. Remote terminal devices must be secured consistent with the mode of operation and information which the remote terminal is authorized to access.

b. Remotely accessed computer systems and file servers must possess features to positively identify users and authenticate their identification before processing.

c. Physical safeguards will be implemented to ensure that only authorized persons use remote terminal equipment and that only authorized persons receive and remove sensitive information from the remote access areas. During periods when effective monitoring cannot be maintained, the doors to these terminal areas will be locked, or the terminals otherwise secured, to prevent loss, damage, or unauthorized access.

d. An AIS with remote terminal access containing classified will have a "Time-Out" protection feature that automatically disconnects the remote terminal from the computer after a predetermined period has passed without communication between the terminal and the computer. The system should make periodic checks to verify that the disconnect is still valid. The automatic disconnect must be preceded by a clearing of the remote terminal's screen followed by the recording of an audit trail record for the System Administrator to use. The time period should not exceed 15 minutes, but may vary depending on the sensitivity of the data, the frequency of use and location of the terminal, the strength of the audit mechanism, and other physical or procedural controls in place. The "Time-Out" feature is not required if the accreditation authority determines the AIS must remain active because it is being used as a communications device. However, physical security for the terminal will meet the requirements for storage of data at the highest level which could be received at the terminal.

e. Systems which process classified or SBU information will limit the number of user log-on attempts to three before denying access to that user. Users will not be re-instated until the ISSO or his designee has verified the reason for failed log-on attempts.

2-24. Employee-Owned Computers and Off-Site Processing

a. AR 25-1, Chapter 5, contains policy on approval to use employee-owned computers. If approved for use, employee-owned computers must also comply with all provisions of this regulation, including accreditation. Classified information will not be processed on employee-owned computers. b. AR 25-1, Chapter 5, also contains policy on approval to use for off-site processing. Additional security policy is contained in Paragraph below.

2-25. Tactical or Battlefield Automation Systems (BAS)

a. The requirements of this regulation apply to BAS, to include all systems developed under the PEO/PM structure. When one or more of the minimum security requirements from Paragraph 2-3 are impractical because of the function or design of the BAS, (i.e., it is not intended for, nor can it be converted to a general purpose garrison environment), the generic accreditation will address this situation and will describe how that particular requirement is not applicable and does not present an unacceptable risk to the information.

b. Prior to deployment or fielding, BAS will be generically accredited in accordance with Chapter 3.

c. BAS which also function as peacetime systems must fully comply with this regulation. Their accreditation must address operation in both garrison and deployed modes.

d. The following additional items must be considered in the security planning for BAS:

(1) Physical security objectives and safeguards (paragraph 2-10) and physical security standards (paragraph 2-13) must be employed to enhance security during transportation of BAS.

(2) Mechanisms must be available to render the BAS inoperable in case of imminent capture. Methods of purging (or sanitizing) classified AIS media (per paragraph 2-21) and methods of destroying hard copy and AIS media (per AR 380-5) must be developed.

(3) For systems processing SCI or SIOP-ESI, the system architecture, security classification level processed, security safeguards, and intended use of BAS, deployable AIS, and networks must be included in the System Security Plan and Security Concept of Operations documents. The DAA (both generic and operational, as appropriate) may accredit the BAS to operate In-Garrison, In-Transit, and while Deployed for exercises and operational missions.

2-26. Laptop, Notebook, or Portable Automated Information Systems

a. Laptop/notebook computers, or any other computers designed to allow periodic relocation, must be accredited in accordance with Chapter 3 of this regulation by the appropriate DAA. The DAA may accredit more than one computer on one document. The DAA will indicate on the accreditation document exactly where the computer may be taken and the kind of classified material that may be stored on the computer. Users of the portable computer must follow the accreditation instructions at al times and users must possess a copy of the accreditation documentat all times when the computer is removed from their regular place of work. Any media or other materail produced by the computer must be handled and stored by users of computers in accordance with AR 380-5. If a computer contains non-removable hard diskwhich store classified material, the entire computer must be storedin an approved storage area at all times that the computer is not in the possession of the user. Users of portable computers must not enter SCIFs with the computer without the approval of the local Special Security Officer.

b. If the accreditation document so provides, classified processing may be done on laptop/notebook computers if it occurs in normal work areas otherwise acceptable for the storage, preparation, or discussion of classified material. The accrediting authority may limit the classified processing to the user's regular place of work, or in cases of compelling operational need, may include approved areas while at a TDY location. In the latter case, the user will carry a copy of the accreditation statement while on TDY. Media or output products produced must be handled per this regulation and AR 380-5, including marking and storage standards.

c. If the computer configuration includes nonremovable hard disks which store classified material, the entire system must be stored in an area approved for storage of the highest classification of information the system is accredited to process when left unattended. The provisions of Paragraph 2-22 above also apply to configurations which include non-removable media.

d. Accreditation for laptop/notebook computers generally must address processing in the user's normal work location and in the official travel location. If classified processing is included in the accreditation, TEMPEST (inspectable space) requirements must be addressed for the normal work location. When approval has been granted to process classified information at a temporary location for more than 90 days, a TEMPEST Countermeasures Review must be performed for that location per AR 381-14 (S).

e. Personnel will not be allowed to enter and exit sensitive compartmented information facilities with laptop/notebook or other portable computers unless approval has been granted by the local Special Security Officer (SSO), after coordination with the Site ISSO.

2-27. Automated Information System Security Incidents

a. AIS security incidents will be investigated to determine their cause and the cost effective actions required to prevent reoccurrence. Suspected or actual incidents will be reported to the appropriate ISSO, who will notify the ISSM. Concurrently, the operator and ISSM will notify Army Computer Response Team/Coordination Center (ACERT) of the Land Information Warfare Activity (LIWA) and request immediate technical assistance. LIWA will notify HQ, CID, DISA/ASSIST, and ACCO INSCOM of actual penetrations of Army AIS. The ISSO or ISSM should also notify the supporting CID and INSCOM offices if an unauthorized person successfully penetrated the AIS. The two commands will coordinate to determine investigative jurisdiction with CID taking the lead if there are no indications of FIS involvement. If FIS involvement is suspected or known INSCOM will initiate a SEADA report per AR 381-12. INSCOM will notify the FBI if FIS involvement is known or strongly suspected. CID will investigate fraud, extortion, theft, and other criminal acts involving Army AIS. If CID, INSCOM and the FBI rule out FIS or criminal activity and decline investigative jurisdiction, the reporting command or agency is authorized to initiate a preliminary inquiry per AR 380-5 and/or AR 15-6 to determine and fix the security vulnerabilities contributing to the security incident. The LIWA ACERT may request assistance from the DISA/ASSIST. Examples of the types of incidents that will be reported include but not limited to the following :

(1) Known or suspected intrusions or attempted intrusions into classified and unclassified AIS by unauthorized users or by authorize users attempting unauthorized access.

(2) Unauthorized access to data, files or menus by otherwise authorized users.

(3) Indications of an unauthorized users attempting to access the AIS,including unexplained attempts to log-on unsuccessfully from a remote terminal.

(4) Indications of unexplained ,modifications of files or unrequested "writes" to media. (5) Unexplained output received at a terminal, such as receipt of unrequested information.

(6) Inconsistent or incomplete security marking on output with extraneous data included in the output or failure to protect the output properly.

(7) Abnormal system response.

(8) Malicious software.

(9) Alerts by Network Intrusion Detection (NID) systems installed to detect "hackers" and other unauthorized personnel attempting system penetration.

b. ISSOs will review all incident reports and related documentation and, in cooperation with other security and investigative personnel, advise the ISSM and commander or manager having jurisdiction over the possible system penetration or security violation. The ISSM will ensure that all available audit trail information is maintained until the incident is resolved.

c. In those cases where AIS security incidents affect the supported user community, the ISSM must formally advise all users of the problem and the action taken or expected. The centralized incident reporting activity for the Army will, through the ISSM or ISSO, as appropriate, the provide the user with guidance and instructions received from the CID or CI.

d. If the cause of the incident can be directly attributed to administrative error and be readily corrected then no further action is required. Otherwise the incident will be reported by the ISSO to the centralized incident reporting activity for the U S Army ACERT and to the appropriate ISSM. The initial notification will be within twenty-four (24) hours and will include a brief statement containing the location affected, system, a description of the suspected or confirmed incident, action taken, and point of contact. The centralized reporting activity will provide further guidance on any reporting requirements.

e. In cases where vulnerabilities have been revealed, support is available from ACERT and DISA.

f. When the incident is also reportable as a generic technical vulnerability as described below, required reports to Army's centralized reporting activity may be consolidated and will cite both applicable portions of this regulation.