9 March 1997
Source: http://www.hr.doe.gov/compsec/compsec.htm
DEPARTMENT OF ENERGY
HEADQUARTERS
September 1, 1996
Revision #2 01/15/97
Classified Automated Information System Security Site Manager Approval:
______________________________________________
Classified Information System Security Operations Manager Approval:
______________________________________________
Assistant Secretary for Human Resources and Administration
Office of the Chief Information Officer
Operations Group
For the purpose of this security plan, AIS and System are synonymous and include all of the following:
a. single-user systems (used by only one person at a time) being used in a stand-alone mode, such as Personal Computers (PCs), Laptop Computers or Notebook Computers (hereafter referred to as Portable Personal Computers (PPCs)), and dedicated word processors;
b. such systems used as remote terminals connected via Secure Telephone Unit-III (STU-III) Secure Data Devices (SDDs) to the HQ IBM ES/9000 accredited host computer; and
c. such systems used as terminals connected to STU-III Secure Voice/Data Set (SV/DS) equipment for limited, nonscheduled transmittal of data.
Memory typewriters are not used at the HQ to process classified data, and
are, therefore, omitted from this Master AIS Security Plan. Should the need
arise to process classified information on memory typewriters, the Classified
AIS Security Site Manager must first be contacted for guidance.
The Master AIS Security Plan has been approved for general use; however,
it alone does not fully meet the requirements for an approved security plan
and cannot be used as the sole basis to gain accreditation to process classified
information.
Individual AIS operated under the authority of this plan will each be identified
in an Attachment 5, Individual Security Plan, which details the specific
system characteristics not covered in one of the subsections of this plan.
All of the requirements in the plan must be met.
Any additions to or deviations from the requirements in this Master AIS Security
Plan will be documented in sections V and VI of Attachment 5.
Each Individual Security Plan must be separately approved by the
Classified Information System Security Officer (CSSO) and forwarded to the
Classified Automated Information System Security Site Manager (CSSM) with
certification that it meets the requirements of the Master AIS Security
Plan. The CSSM will review the Individual Security Plan, verify
the CSSO's certification, and accredit the system under the authority delegated
by the Classified Information System Security Operations Manager (CSOM).
All reorganizations which result in changes of users and/or CSSO responsibilities
must immediately be brought to the attention of the CSSM so that resulting
actions necessary to update the Individual Security Plans can be developed.
The Master AIS Security Plan and Individual Security Plans specifically do
not apply to mainframe host systems, local area network servers/controllers,
or other multi-user AIS (they do, however, apply to local area network nodes).
The following items are available for viewing and/or downloading from the HR Home Page on the World Wide Web at: http://www.hr.doe.gov/compsec/compsec.htm
DOE O 471.2, Information Security Program, dated 9/26/95.
DOE M 471.2-1, Manual for Classified Matter Protection and Control, dated 9/26/95.
DOE 1360.2B, Unclassified Computer Security Program, dated 5/18/92.
DOE 5300.2D, Telecommunications: Emission Security (TEMPEST), dated 5/18/92.
DOE 5300.3D, Telecommunications: Communications Security, dated 8/30/93.
DOE 5632.1C, Protection and Control of Safeguards and Security Interests, dated 7/15/94.
DOE M 5632.1C-1, Manual for Protection and Control of Safeguards and Security Interests, dated 7/15/94.
DOE M 5639.6A-1, Manual of Security Requirements for the Classified Automated Information System Security Program, dated 7/15/94.
DOE/MA-0427, Computer Security Guide for Users, dated September 1990.
DOE Headquarters Classified Computer Security Program CSSO Guidelines, dated 3/31/92.
Headquarters Security Officer's STU-III Procedural Guide.
DOE HQ Facilities Master Security Plan, dated January 1995 with changes 1, 2, & 3.
SA-123 (NN-512.3) Memorandum, dated May 3, 1993, Subject: Protection of Combinations or Passwords.
NN-514 Memorandum, dated 10/11/95, Subject: Security Requirements for New and Emerging Office Technologies.
NN-514.2 Memorandum, dated 2/26/96, Subject: Deviation from the Headquarters Master Automated ISS Systems Security Plan for Automated Office Support Systems.
TITLE PAGE WITH APPROVAL SIGNATURES
INTRODUCTION
REFERENCES
TABLE OF CONTENTS
1. IDENTIFICATION AND LOCATION OF THE SYSTEM
1.1 Facility/Organization Name and Address
1.2 System Location
1.3 Accreditation Information
2. NAME, ORGANIZATION, MAIL STOP, AND PHONE NUMBER OF THE RESPONSIBLE SECURITY PERSONNEL
2.1 Classified Information System Security Operations Manager (CSOM)
2.2 Classified Information System Security Site Manager (CSSM)
2.3 Classified Information System Security Officer (CSSO)
2.4 User/Security Officer (U/SO)
3. NARRATIVE DESCRIPTION OF THE SYSTEM AND ACCESS RESTRICTIONS
3.1 Purpose of the System
3.2 Rules for Permitting/Denying Access to the AIS
5.1 Protection Rating
5.2 Methods Used
5.3 Individual System Description
5.4 Modification Controls
5.5 Periods Processing
5.5.1 Classified PC Connected to an Unclassified LAN
5.5.2 Classified PC Connected to both a Classified LAN and an Unclassified LAN
5.6 Maintenance Swap Controls
5.7 Approved Mechanical Switch Boxes
6.1 Clearance Verification
6.2 U/SOs' Responsibilities
7.1 Building Access
7.2 Additional AIS Security Procedures
7.3 Security Areas for PCs and PPCs
7.3.1 Vaults
7.3.2 Limited Areas/Exclusion Areas
7.4 Transporting Classified PPCs Outside Headquarters
7.5 AIS Placement and Control
7.5.1 PCs
7.5.2 PPCs
7.6 Peripheral Sharing
8.1 Commercial Non-encrypting Modems
8.2 STU-III Secure Voice/Data Set (SV/DS)
8.3 STU-III Secure Data Device (SDD) Model 1900/1910
8.4 Emission Security
8.5 Wireless Communications (Infrared) Ports
9.1 Access Control
9.2 Prohibited Software
9.3 Software Vulnerabilities
9.4 Trusted Copy Program (TRCOPY)
10.1 Configuration Management
10.1.1 AIS Configuration Identification
10.1.2 AIS Configuration Control
10.1.3 AIS Configuration Status Accounting
10.1.4 AIS Configuration Auditing
10.2 Access Controls
10.3 Installation Control Procedures
10.4 Media Security
10.4.1 Marking of Removable Magnetic Media
10.4.1.1 Marking During Classified Sessions
10.4.1.2 Marking During Unclassified Sessions
10.4.2 Marking of Fixed Magnetic Media
10.4.3 Storage Containers (Disk Holders)
10.4.4 Personal Computer Monitors
10.4.5 Printouts
10.4.6 Printer Ribbons
10.4.6.1 Dot Matrix Printer Ribbons
10.4.6.2 All Other (Non-Dot Matrix) Printer Ribbons
10.4.7 Toner Cartridges
10.4.8 Color Printer-Color Transfer Rolls
10.4.9 Media Storage
10.4.10 Classified Software Protection
10.4.11 Magnetic Media Sanitization Procedures
10.4.12 Magnetic Media Clearing Procedures
10.4.13 Destruction Procedures
10.4.14 Document (or Media) Accountability
10.5 System Sanitization
10.5.1 All AIS
10.5.2 PPCs
10.5.3 Laser Printer Toner Cartridges
10.5.4 Color Printer-Color Transfer Rolls
10.6 Host Computer Access Controls
10.6.1 User Identification Code and Password Controls
10.6.1.1 HQ IBM Host
10.6.1.2 Other Accredited Hosts
10.6.2 Password Maintenance
10.6.3 IBM ES/9000 Host Computer Access Control Mechanisms (Implemented in Software)
10.6.4 IBM ES/9000 Host Computer Access Control Mechanism (Implemented in Hardware Via STU-III Encryption Devices)
10.7 Property Removal Authorization
10.7.1 Removal of Accredited PPCs
10.7.2 Removal for Repair
10.8 Analog Or Digital Audio Recording Capabilities Of AIS
10.9 New and Emerging Office Technology
11.1 Definition and Reporting
11.2 Review of System Files by the CSSO
11.3 Unannounced Reviews by the CSSM
11.4 Recognition of Copyright and Licensing Agreements
11.5 Software Scan Program (SW-SCAN)
12.1 Threat Identification
12.2 Asset Identification
12.3 Summary of Qualitative Risk Assessment
13.1 CSSOs
13.2 AIS U/SOs
13.3 Computer Security-Trained Escorts
14.1 Incident Recognition by U/SO
14.2 Notification Procedures
14.3 Documentation and Review
15.1 Critical Resources
15.2 Non-Critical Resources
17. INTERIM OPERATING PROCEDURES
18. REMOTE DIAGNOSTIC SERVICES
20. ACQUISITION SPECIFICATIONS
Attachment 1 -- ANNUAL AIS USER/SECURITY OFFICER ACKNOWLEDGEMENT OF COMPLIANCE RESPONSIBILITIES
Attachment 2 -- STU-III USER LOG FOR CLASSIFIED DATA PROCESSING
Attachment 3 -- WASTE, FRAUD, AND ABUSE REVIEW CHECKLIST FOR ACCREDITED DOS BASED PERSONAL COMPUTERS
Attachment 4 -- SECURITY REVIEW CHECKLIST FOR PERSONAL COMPUTER CERTIFICATION
Attachment 5 -- INDIVIDUAL PERSONAL COMPUTER SECURITY PLAN
Attachment 6 -- LABELING DISKETTES, REMOVABLE HARD DISKS, AND COMPACT DISCS (CDs)
Attachment 7 -- ACCREDITED PORTABLE PERSONAL COMPUTER VALIDATION CARD
Attachment 8 -- STATEMENT OF SECURITY RISK
1.1 Facility/Organization Name and Address
Headquarters

Germantown:
United States Department of Energy
19901 Germantown Road
Germantown, Maryland 20874-1290

Forrestal:
U.S. Department of Energy
1000 Independence Avenue, S.W.
Washington, D.C. 20585
1.2 System Location
The specific location (where the system is installed) of each system is
identified in the applicable Individual Security Plan (Attachment 5). The
location specified for Portable Personal Computers (PPCs) is the room number
where the PPC is stored when not being used.
1.3 Accreditation Information
AIS at the HQ are individually accredited to process classified information
up to, and including, the highest classification level and most restrictive
category identified in Paragraph VI-3 of the applicable Individual Security
Plan (Attachment 5). Accreditation of the system referred to in the Individual
Security Plan is effective upon completion of the signature of the CSSM in
Paragraph VI-3.
2.1 Classified Information System Security Operations Manager (CSOM)
Jack L. Cowden, NN-514.2, GTN, (301) 903-9992
2.2 Classified Information System Security Site Manager (CSSM)
John E. Staley, HR-441, GTN, (301) 903-4566
2.3 Classified Information System Security Officer (CSSO)
The name, organization, mail stop, and phone number of the assigned CSSO
is provided in the applicable Individual Security Plan.
2.4 User/Security Officer (U/SO)
The U/SOs are the primary, responsible users of their assigned accredited
system. As such, they are responsible for complying with all AIS security
requirements that pertain to their assigned system. They are also responsible
for remaining aware of and knowledgeable about their responsibilities in
regard to classified AIS security. Further, they are accountable for their
actions on accredited AIS, including their assigned system.
The name, organization, mail stop, and phone number of the U/SO is provided
in the applicable Individual Security Plan.
3.1 Purpose of the System
The DOE is composed of organizations that encompass many diverse programmatic
missions. These include, but are not limited to: design, development, and
production of nuclear weapons; energy research and development; nuclear research
and development; uranium enrichment; management of radioactive wastes; and
marketing of hydroelectric power. AIS equipment provides the facility for
the required work to be processed in a timely, cost-effective manner. PCs
and PPCs are used for word processing, data bases, spreadsheets, graphics,
and communications in an office environment to enhance DOE program management
activities.
3.2 Rules for Permitting/Denying Access to the AIS
U/SOs are responsible for granting access privileges to their assigned AIS.
All personnel that process classified information on AIS equipment will be
cleared for the highest level and most restrictive category of classified
information processed on the system.
During each given period of operation, a stand-alone AIS may be operated by a single U/SO who has the required "need-to-know" for all information contained on the system and controls all system resources at that specific time.
The specific administrative security controls implemented to deny access
to uncleared personnel within the facility are listed in paragraph 10,
Administrative Security.
No threats unique to this system exist that were not considered and are not
mitigated by the requirements and countermeasures delineated in both DOE
Order 471.2 and DOE Manual 5639.6A-1.
5.1 Protection Rating
A Protection Index rating of 0 (zero) has been established for all systems
(PCs and PPCs) operating in a single-user/stand-alone capacity with no connection
to another computer. This is based on the fact that only one U/SO with the
appropriate clearance level and required "need-to-know" is allowed access
to an individual system at any given time in accordance with DOE O 471.2
and DOE M 5639.6A-1.
When connected to another computer (Host, LAN or another PC) (connection
with a host or LAN is identified in Section III of the Individual Security
Plan), the protection index of the system changes from an index of 0 (zero)
to an index of 1 (one). This is because the U/SO of one connected system
may not have a "need-to-know" for all information contained on the host or
other connected system.
Any system (PC or PPC) with a protection index greater than 1 (one)
must be accredited under a separate security plan.
5.2 Methods Used
The methods used to meet the above requirements are described in paragraphs
6 through 10 of this Plan. All security measures identified in this
Plan must be implemented. All deviations must be identified in Section VI
of Attachment 5, and any security measures implemented in addition to those
mentioned in this Plan must be identified in Section V of Attachment 5.
5.3 Individual System Description
Individual Security Plans describe each AIS and identify the level and amount of classified data to be processed. AIS equipment is included in each HQ organization's property accounting inventory. A risk review was conducted on the methods of assigning, distributing, installing, and supporting AIS software and hardware at the HQ. This risk review has shown that sufficient controls have been placed on each element of the procurement, storage, installation planning, installation, maintenance, and software support to minimize the risk of unauthorized targeting of specific hardware and software packages to classified areas. Since the risk of targeting specific systems to classified use has been determined to be low, an additional inventory of hardware and software in the AIS Security Plan is unnecessary. Each Individual Security Plan will, however, list the following information:
a. System Identification Number, as assigned by the CSSM.
b. Location (* see below)
Building, Room
Responsible organization, official
c. Hardware
Manufacturer of CPU
Model number of CPU
DOE Property Tag Number of CPU
d. Security Related Software and Communications Software
Developer
Product Name
Version Number
* For PPCs, the location will be the storage location: the building and number of the room where the equipment is stored when not being used.
5.4 Modification Controls
The U/SO is responsible for bringing all planned system modifications to
the attention of the CSSO at the earliest opportunity. All modifications
planned for accredited AIS will be discussed with the CSSO prior to
implementation. The CSSO will analyze the proposed modification to determine
the expected impact on security caused by the changes and, if applicable,
gain any approval required of the TEMPEST Coordinator, HR-433/GTN, or other
security official. In addition, the Individual Security Plan must be updated
to reflect the modification, and forwarded with appropriate attachments for
certification and reaccreditation (see also Paragraph 17 for applicability).
5.5 Periods Processing
The term "periods processing" denotes the method of operation used at DOE
HQ to allow accredited AIS to operate securely within sequential processing
sessions of distinctly differing levels of information sensitivity (from
NON-SENSITIVE UNCLASSIFIED up to, and including, the highest
processing level (based on classification and category) of information the
system is accredited to process).
Periods processing provides the capability to either:
a. sequentially have more than one user on a single-user accredited AIS with different levels of information or need-to-know; and/or
b. sequentially use an accredited AIS at more than one processing level;
c. transmit or receive different levels of information or need-to-know.
Only accredited PCs and PPCs with removable hard disks can perform
periods processing. Accredited PCs with permanently fixed hard disk drives
may not perform periods processing. PPCs will
not be accredited to process classified information if they contain internal
fixed hard disks. They must be equipped with removable hard
disks.
Accredited PCs and PPCs employed in periods processing shall have separate
sets of media, one for each level of classified and unclassified processing,
including operating systems, utilities, and applications software. Classified
removable hard disks may be shared only between U/SOs with common security
clearances and need-to-know.
Accredited systems are sanitized in accordance with Paragraph 10.5
before making the transition from a processing session with higher
classification/category to a processing session of lower classification/category.
They are also sanitized between processing sessions when all U/SOs who have
had access to the system since the last sanitization process have differing
need-to-know restrictions than those U/SOs who are to be given subsequent
access to the system.
Accredited PCs and PPCs with removable hard disks may be used to process
data in a strictly unclassified environment only after the system has been
sanitized to the unclassified level in accordance with procedures stated
in Paragraph 10.5 of this Plan. During periods of processing in an unclassified
mode, all data processed will be handled in accordance with the policy stated
in DOE 1360.2B, Unclassified Computer Security Program, with the exception
that all input and output magnetic media must be individually marked
"UNCLASSIFIED" in accordance with procedures detailed in Paragraph 10.4 of
this Plan. All other security controls (Physical, Administrative,
Hardware/Software, Telecommunications, and Personnel) must comply with this
Plan.
5.5.1 Classified PC Connected to an Unclassified LAN
Accredited PCs (approved to process classified information) may be connected
to an unclassified LAN only when all of the conditions specified in this
paragraph are met:
a. The PC must not be configured with fixed hard disk drives.
b. The PC must be configured to use removable hard disk drives.
c. The user must have at a minimum two separate removable hard disk drives (one classified and one unclassified). The hard drives will be marked and stored as required in paragraph 10.4 of this plan.
d. The PC must be configured to boot (load the operating system) from the removable hard drives.
e. No LAN operating system software (e.g., lsl.com, ipx.odi, etc.) will be installed on the classified hard disk drive. Communication software (e.g., DOECOMM) may only be installed on the classified hard disk drive when the PC is approved to communicate with other classified computer systems via SDD.
f. An approved mechanical switching device (e.g., an A/B switch box) will be used as an interface and positive disconnect between the PC and the unclassified LAN connection. See paragraph 5.7 for a list of approved mechanical switch boxes. The A/B selector switch will be marked with an "Approved for Classified" sticker on the top or side where it can be easily seen. Additionally, the switch will be marked to indicate "A" as "Unclassified" and "B" as "Classified". The A/B switch box will be configured in a manner that connects the unclassified LAN cable to the "A" connector port. The "B" port will not be connected.
Before processing CLASSIFIED information, the user must perform the
following:
a. If an unclassified LAN session was/is in progress, the user must log off of the LAN, the unclassified hard disk drive must be removed, and the entire system, including peripherals, powered down.
b. The A/B selector switch must be repositioned to the "B" position.
c. The classified removable hard disk drive will be placed in the hard drive receptacle (in the computer) and the computer will be powered on.
After completing classified processing, remove the classified hard disk drive, perform all required sanitization routines as specified in paragraph 10.5 of this plan, including turning off the power to the entire system and repositioning the selector switch to the "A" position. The user may now proceed to process unclassified information.
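The ordering rules in this paragraph can be checked mechanically. The following Python model is added here as an illustration and is not part of the DOE plan: it encodes the 5.5.1 configuration (unclassified LAN on port "A", port "B" unconnected, boot only from a removable drive) and the steps above as a small state machine. The action names, the PcState fields, and the sample action sequences are constructed for the example; first_violation walks an operator's sequence of actions and reports the first one the rules forbid, such as inserting the classified drive with the selector still at "A", or inserting the unclassified drive after classified processing without the paragraph 10.5 sanitization in between.

```python
from dataclasses import dataclass
from enum import Enum


class Drive(Enum):
    NONE = "none"
    UNCLASSIFIED = "U"
    CLASSIFIED = "C"


@dataclass
class PcState:
    """Observable state of one accredited PC and its A/B switch box (constructed model)."""
    power_on: bool = False
    switch: str = "A"          # "A" = unclassified LAN port, "B" = not connected (para 5.5.1)
    drive: Drive = Drive.NONE  # removable hard disk currently in the bay
    lan_session: bool = False  # logged on to the unclassified LAN
    sanitized: bool = True     # no classified residue since the last para 10.5 sanitization


class ProcedureViolation(Exception):
    pass


def apply_action(state: PcState, action: str) -> PcState:
    """Apply one operator action in place; raise ProcedureViolation if the plan forbids it."""
    def require(cond, why):
        if not cond:
            raise ProcedureViolation(f"{action}: {why}")

    if action.startswith("insert_drive:"):
        drive = Drive(action.split(":", 1)[1])
        require(not state.power_on, "drives are changed only with the system powered down")
        require(state.drive is Drive.NONE, "the bay already holds a drive")
        if drive is Drive.CLASSIFIED:
            require(state.switch == "B", "the selector must be at B (disconnected) first")
        else:
            require(state.sanitized, "the system must be sanitized before an unclassified session")
        state.drive = drive
    elif action == "remove_drive":
        require(state.drive is not Drive.NONE, "no drive installed")
        require(not state.lan_session, "log off the LAN before removing the drive")
        state.drive = Drive.NONE
    elif action == "power_on":
        require(state.drive is not Drive.NONE, "the PC boots only from a removable drive")
        if state.drive is Drive.CLASSIFIED:
            require(state.switch == "B", "classified drive with the LAN port still selected")
        state.power_on = True
    elif action == "power_off":
        require(not state.lan_session, "log off the LAN before powering down")
        state.power_on = False
    elif action in ("switch:A", "switch:B"):
        require(not state.power_on, "reposition the selector only while powered down")
        state.switch = action[-1]
    elif action == "lan_login":
        require(state.power_on and state.drive is Drive.UNCLASSIFIED and state.switch == "A",
                "LAN access only from the unclassified drive with the selector at A")
        state.lan_session = True
    elif action == "lan_logoff":
        require(state.lan_session, "no LAN session in progress")
        state.lan_session = False
    elif action == "process_classified":
        require(state.power_on and state.drive is Drive.CLASSIFIED,
                "classified processing needs the classified drive booted")
        require(state.switch == "B" and not state.lan_session,
                "a positive disconnect from the LAN is required")
        state.sanitized = False   # the system now carries classified residue
    elif action == "process_unclassified":
        require(state.power_on and state.drive is Drive.UNCLASSIFIED,
                "unclassified processing needs the unclassified drive booted")
        require(state.sanitized, "sanitize after classified processing before an unclassified session")
    elif action == "sanitize":
        require(state.drive is Drive.NONE, "remove the classified drive before sanitizing")
        state.power_on = False    # para 10.5 sanitization includes powering the whole system down
        state.sanitized = True
    else:
        raise ValueError(f"unknown action {action!r}")
    return state


def first_violation(actions):
    """Return (index, reason) of the first forbidden action, or None if the sequence complies."""
    state = PcState()
    for i, action in enumerate(actions):
        try:
            apply_action(state, action)
        except ProcedureViolation as exc:
            return i, str(exc)
    return None


# Constructed sample sequences (not from the plan). The first follows para 5.5.1 in order.
COMPLIANT_DAY = [
    "insert_drive:U", "power_on", "lan_login", "process_unclassified", "lan_logoff",
    "power_off", "remove_drive", "switch:B", "insert_drive:C", "power_on",
    "process_classified", "power_off", "remove_drive", "sanitize", "switch:A",
    "insert_drive:U", "power_on", "lan_login",
]
SKIPPED_SANITIZATION = COMPLIANT_DAY[:12] + ["remove_drive", "switch:A", "insert_drive:U"]
SWITCH_LEFT_AT_A = ["insert_drive:C"]

if __name__ == "__main__":
    for name, seq in [("compliant", COMPLIANT_DAY), ("skipped sanitization", SKIPPED_SANITIZATION),
                      ("switch left at A", SWITCH_LEFT_AT_A)]:
        print(name, "->", first_violation(seq))
```

Treating the sanitize action as the only way to clear the sanitized flag is what makes the second sample sequence fail: the selector was repositioned correctly, but the paragraph 10.5 step between the classified and the unclassified session was skipped.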
5.5.2 Classified PC Connected to both a Classified LAN and an Unclassified LAN
Accredited PCs (approved to process classified information) may be connected
to both an unclassified LAN and a classified LAN only when all of the
conditions specified in this paragraph are met:
a. The PC must not be configured with fixed hard disk drives.
b. The PC must be configured to use removable hard disk drives.
c. The user must have at a minimum two separate removable hard disk drives, one to access the classified LAN and to use for stand-alone classified processing, and one to access the unclassified LAN and to use for stand-alone unclassified processing. The hard drives will be marked and stored as required in paragraph 10.4 of this plan.
d. The PC must be configured to boot (load the operating system) from the removable hard drives, and the PC's operating system must not allow "hot swapping" (the removal of one drive and inserting another drive without interrupting LAN connectivity). This will (initially) be accomplished by signature packet selection. The hard drive signature packets (established by the LAN configuration file during boot-up) will be set at a value of "3" for the classified hard drive and a value of "0" for the unclassified hard drive.
e. An approved mechanical switching device will be used as an interface and positive disconnect between the PC and the LAN connections. See paragraph 5.7 for a list of approved mechanical switch boxes. The A/B selector switch will be marked with an "Approved for Classified" sticker on the top or side where it can be easily seen. Additionally, the switch will be marked to indicate "A" as "Unclassified" and "B" as "Classified". The A/B switch box will be configured in a manner that connects the unclassified LAN cable to the "A" connector port, and the classified LAN cable to the "B" port.
Before processing CLASSIFIED information, the user must perform the
following:
After completing classified processing, the user will remove the classified
hard disk drive, perform all required sanitization routines as specified
in paragraph 10.5 of this plan, including turning off the power to the
entire system and repositioning the selector switch to the "A" position.
The user may now proceed to process unclassified
information.
5.6 Maintenance Swap Controls
Hardware and software systems occasionally suffer failure due to old age,
manufacturing defects, and other, normally unforeseen, reasons. When failures
occur, maintenance personnel normally replace the affected hardware or software
items with like (same manufacturer, model, and version numbers) items in
good repair, and the affected items are turned in for repair or replacement
and returned to the supply stock. If like items in good repair are not available
as "loaners" or replacements, then compatible items are sometimes used. If
the item being replaced is the CPU, and the replacement is identical, the
system does not have to be reaccredited; however, the Individual Security
Plan (Attachment 5) must be updated to show the DOE property number of the
replacement CPU and a copy of the updated Attachment 5 submitted to the CSSM
with a note that the CPU has been replaced. If the affected item cannot be
replaced with a like item, the U/SO must notify the CSSO, who must then gain
reaccreditation of the "new" or "changed" system (Paragraph 17 may also be
applicable).
5.7 Approved Mechanical Switch Boxes
The following mechanical switch boxes are currently approved for use with
classified PCs: SW045A, QVSCA284-2, and SW046A-FFMFF.
6.1 Clearance Verification
The security clearance level and "need-to-know" of any potential U/SO will
be verified by the CSSO prior to granting the U/SO access to an accredited
AIS. The CSSO will verify each U/SO's clearance level by checking his or
her DOE Identification Badge.
Temporary use of an accredited stand-alone AIS by a person other than the
assigned U/SO may be granted, only after the temporary user's clearance and
AIS security-related training is verified by the assigned U/SO or CSSO. The
U/SO or CSSO granting temporary access must ensure the temporary user is
aware of the contents of the documents listed at paragraph 13.1 and has signed
the Annual User/Security Officer Acknowledgement of Compliance Responsibilities
Form (Attachment 1) cited in paragraph 13.2. Temporary use of an accredited
AIS that is connected to a STU-III device may also be permitted, but only
within the additional limitations and procedures documented in Section 2.0
of the Headquarters Security Officer's STU-III Procedural Guide.
Organizations must ensure that appropriately cleared and security-trained
personnel are assigned to repair or support AIS in the classified environment,
or that non-cleared maintenance personnel are escorted. The Office of Information
Management, HR-4, provides only cleared personnel (cleared for the highest
classification level and most restrictive category of information for which
the AIS are accredited to process) to service and maintain accredited AIS
without the need to be escorted. If an accredited AIS is maintained by an
organization other than HR-4, the U/SO must include procedures in the Individual
Security Plan for ensuring that maintenance and support personnel are
appropriately trained and cleared - or describe the alternative methods employed
to ensure the security of the system during maintenance or support activities.
6.2 U/SOs' Responsibilities
U/SOs will verify with the Data Owner (if someone other than the U/SO) and
the CSSO that any personnel requesting access to their accredited AIS or
information possess the proper security clearance and "need-to-know" commensurate
with the highest classification level and most restrictive category of
information processed on the AIS prior to granting access.
When a PPC is being used in a location within the Germantown or Forrestal
buildings other than the primary or storage location, the U/SO will ensure
that the security clearance and need-to-know of individuals in the immediate
area where the processing is taking place is consistent with the classification
level of the information being processed. Additionally, if the area where
the PPC is being used is under the jurisdiction of another CSSO, approval
to process must be obtained from that CSSO before processing can begin. The
"Accredited Portable Computer Validation Card" (Attachment 7), carried by the
U/SO of a PPC, will be used to provide evidence that the PPC is accredited
for processing classified information.
Paragraph 7.4 provides guidance for U/SOs who need to transport and
use an accredited PPC to process classified information at a location other
than the Germantown or Forrestal buildings.
The classified removable hard disk drive must be transported separately from
the PPC in accordance with the requirements stated in the DOE Headquarters
Facilities Master Security Plan, Chapter XI Classified Matter Protection
and Control.
7.1 Building Access
See the DOE HQ Facilities Master Security Plan, Chapter IV, Physical Protection Program, for details on building access controls.
7.2 Additional AIS Security Procedures
The following are additional security guidelines which are meant to supplement
DOE Headquarters Facilities Master Security Plan, Chapter XI, Classified
Matter Protection and Control (CMPC). This chapter contains exacting procedures
to protect classified information. Individuals processing classified information
must comply with Chapter XI:
(Note: Chapter XI outlines requirements for: Classifying, reviewing and releasing classified documents; storage of classified matter; protection of classified matter while in use; accountability; top secret accounts; reproduction; transmission of material; and destruction.)
Individuals accessing the classified media/system must be cleared to the level and category of information and have a verified need-to-know.
The AIS shall be sanitized in accordance with Paragraph 10.5, HQ Master AIS
Security Plan.
Classified media must be stored in accordance with Para 3, Chapter XI, DOE
Headquarters Facilities Master Security Plan.
A placard (DOE F DP/0018/1 or its multi-color, unnumbered replacement) depicting
the processing classification level will be posted.
The video display and printed matter containing classified information will
be oriented so that it cannot be seen from outside the security area, (i.e.
door to the area will be closed, blinds closed if display screen can be seen
from the windows). Limited or Exclusion areas sign will be posted on the
outside of the door.
All personnel without a clearance and need-to-know commensurate to the system
accreditation will be excluded from the immediate area where classified
processing is taking place.
7.3 Security Areas for PCs and PPCs
PCs and PPCs accredited to process classified information within the HQ complex
(Germantown and Forrestal buildings) must be physically located within:
a. A vault or vault-type room authorized for the open storage and the processing of classified information; or
b. A limited area: a security area which is established for protection of classified matter where security officers or other internal controls can prevent access to classified matter by unauthorized persons; or
c. An exclusion area: a security area which is established for protection of classified matter where mere presence in the area would normally result in access to classified information.
7.3.1 Vaults
Vaults or vault-type rooms are well defined in DOE 5632.1C and DOE
M 5632.1C-1. Stand-alone PCs and PPCs located in these areas do not have
to be attended when processing classified information. However, when
PCs/terminals are connected to a classified network or other classified
computers, they must be attended by personnel authorized to access the
information on the network or the computer/terminal must be logged off the
network.
7.3.2 Limited Areas/Exclusion Areas
The following procedures will be used to secure accredited PCs and PPCs within
limited areas/exclusion areas:
When they are not attended by a person cleared to the level and category
of system accreditation:
The AIS shall be sanitized as described in paragraph 10.5 and have all classified
information (media) removed and stored in an approved security container
as defined by DOE 5632.1C and DOE M 5632.1C-1.
The color transfer rolls shall be removed from color printers that use that
technology and placed in an approved security container.
Crypto ignition keys shall be removed from STU-III SV/DSs and SDDs and stored
on the terminal user's person or in an approved security container.
If multiple systems are located in a common area, and all the U/SOs assigned
to these systems do not have a common need-to-know, then each U/SO is responsible
for controlling physical and visual access to their system and sanitizing
and securing his or her assigned system before leaving it unattended.
For exclusion areas the last U/SO to leave the area must lock the door and,
if at the end of the work day, annotate the Security Container Check Sheet.
When the AIS located within those offices are being used to process classified
information:
They must be attended by a U/SO with a clearance commensurate to the level
of system accreditation and with a need-to-know for all of the information
contained on the system.
A placard (DOE F DP/0018/1 or its multi-color, unnumbered replacement) depicting
the classification level of the information being processed will be posted.
The video display and printed matter containing classified information will
be oriented so that it cannot be seen from outside the exclusion area or
the door to the area will be closed. An "EXCLUSION AREA" or "SECURITY AREA"
sign will be posted on the outside of the door. Blinds will be closed if
display screens can be seen from a window.
All personnel without a clearance and need-to-know commensurate to the system
accreditation will be excluded from the immediate area where classified
processing is taking place.
When there is a need to transport and use an accredited PPC to process
classified information at a location other than the Germantown or Forrestal
buildings, the U/SO must have the PPC accredited by the cognizant CSOM, i.e.,
the Rocky Flats CSOM must accredit a HQ PPC when that PPC is to be used to
process classified information at Rocky Flats. The cognizant HSO must be
consulted for specific requirements and guidance.
Once installed, accredited AIS equipment may not be moved from the room in
which it was installed by anyone without the express permission of the
CSSO. It must remain in the room where it was installed until its movement
or reinstallation elsewhere is approved by the CSSO. The CSSM will provide
the CSSO an "Approved For Classified" label that must be affixed to each
peripheral and the main system cabinet of the accredited AIS prior to
commencement of classified processing.
An accredited PPC may be assigned to an individual U/SO or may be assigned
to a pool of portable computers for temporary assignment to users. Data files
are to be encrypted using the DES or other approved encryption when they
are stored to provide need-to-know protection. When PPCs are accredited an
"Accredited Portable Computer Validation Card (Attachment 7)" is assigned
to the individual unit. This card must be carried by the U/SO whenever the
computer is in his/her possession. The "Approved for Classified" stickers
are not used on PPCs.
Peripheral sharing between accredited systems and non-accredited systems
constitutes a risk of unauthorized disclosure. Due to this risk, U/SOs must
exercise extreme caution at all times to ensure that output from a shared
device receives the proper security considerations.
Accredited systems may only share peripheral devices with non-accredited
systems under the following circumstances:
a. All elements of the systems must be located in the same room and within the view of the U/SO of the accredited system.
b. Only printers, plotters, and scanners may be shared.
c. Only mechanically switched connection devices (e.g., A/B or X switch boxes) or temporary direct connect/disconnect cable may be used. Electronically switched devices (e.g., Logical Connection) are prohibited.
d. Before attaching an accredited system to a peripheral shared by a non-accredited system, the CSSO must ensure:
(1) that the Individual Security Plan for the accredited system identifies the intention to share peripherals with a non-accredited system;
(2) that Sections V and VI of the Individual Security Plan be updated to specify the conditions under which the two systems can share a peripheral without causing undue risk of disclosure; and,
(3) that the CSSM has approved the updated Individual Security Plan.
Each communications link used to support an accredited AIS is protected
commensurate with the level of classification and category of the information
for which the system is accredited. The protection features of each link
are implemented in accordance with DOE 5300.3D, Telecommunications:
Communications Security, and DOE 5300.2D, Telecommunications: Emission Security
(TEMPEST).
The only dial-up, point-to-point communications authorized for use with
classified information among accredited PCs, PPCs, and other automated
information resources (e.g., host computers) are those provided by National
Security Agency-approved encryption devices (e.g., KG-84s and the STU-III
family of devices).
The use of any internal or external modem, FAX/modem, or dial-up capable
datapath unit to process unclassified information with an accredited
PC or PPC represents a very high risk and is therefore prohibited except
under the following circumstances.
If the U/SO of an accredited PC or PPC needs unclassified communications
capability to perform their official duties and that service is either not
available, is impractical, or otherwise cannot be accomplished through an
unclassified LAN, then a Statement of Security Risk (Attachment 8) must be
executed. Additionally, section VI (Deviations from DOE HQ Master AIS Security
Plan) of the Individual Personal Computer Security Plan (Attachment 5) must
be completed and the system must be reaccredited.
Once accredited, PCs and PPCs operating under the provisions above must adhere
to the following procedures:
The modem and/or FAX/modem must only be used to process
unclassified information;
Data communications software may only be installed on the unclassified
removable hard disk drive, unless the system has an authorized connection
to a STU-III device or an accredited classified LAN;
The modem or FAX/modem must be connected to the telephone line through an
approved mechanical switching device (A/B switch) that provides a positive
disconnect from the phone line when processing in the classified mode. The
unclassified telephone line must be connected to the "A" side of the switch
and nothing connected to the "B" side of the switch;
When processing unclassified information, all classified media must be removed from the PC or PPC and stored in an approved security container. The entire PC or PPC configuration must be sanitized by turning off power including removal of PPC batteries prior to turning the A/B switch to the position for unclassified processing;
The unclassified removable hard disk drive must then be inserted into the PC
or PPC and the system rebooted.
The following protection considerations apply in all cases of accredited
AIS classified communications at the DOE HQ.
These procedures outline the minimum requirements for use by an AIS of a
STU-III SV/DS (the variety of models supporting both voice and data) as an
encryption device for the limited, nonscheduled, point-to-point transmission
of ad hoc data. Use of a STU-III SV/DS for the scheduled transmission of
classified information is not covered by this plan. In such cases, the
requirements of DOE M 5639.6A-1, relating to the accreditation of networks,
must be met.
Section IV of Attachment 5 will be appropriately annotated and the system
accredited by the CSSM prior to use. An "Approved for Classified" label must
be affixed to the STU-III SV/DS prior to any classified data transmission.
To initiate secure data transmission, a valid Cryptographic Ignition Key
must be locked into the STU-III SV/DS and confirmation of the secure mode
must be received and indicated.
Properly cleared personnel with the proper "need-to-know" must be present
at both terminals, during the entire period of interconnection. This ensures
by visual verification that the proper classification level and identification
information of the STU-III SV/DS display matches the classification of the
data being transmitted and the recipient's need-to-know.
It is the responsibility of both sender and receiver to ensure that no data
is transmitted that is of a higher classification level or more restrictive
category than their highest common clearance/access level.
Removable hard disks in the AIS must be the same level of classification
and category as the data to be processed. To prevent a higher classification
of data being sent than is authorized, visual inspection of the data before
transmission by the sender is mandatory.
A log (a blank example may be found at Attachment 2) will be used to show
the use of the STU-III SV/DS with the AIS. The log will identify the distant
end, time of use, level of classification, and the type of data transmitted
and/or received.
These procedures outline the minimum requirements for using SDDs as the primary
means for protecting point-to-point communications between accredited AIS
and the accredited HQ IBM ES/9000 host computer within the DOE HQ or in point
to point operation with other devices external or internal to the HQ.
Installation, operation, maintenance, and removal of each SDD terminal will
be in accordance with procedures presented in the STU-III Procedural Guide.
The Secure Access Control System (SACS) is implemented at each host-end SDD, providing a "good guy" list that ensures only authorized access from calling SDDs.
To initiate secure data transmission, a valid Cryptographic-Ignition Key
must be properly inserted into the SDD and confirmation of the secure mode
must be received and indicated before communications can proceed.
The U/SO may not leave the SDD unattended while it is in the secure mode
of operation.
When not in use, the crypto-ignition key must be removed from the SDD and
either carried on the user or stored in a repository authorized for the
classification level of the SDD.
The CSSO ensures a pre-installation site survey is performed to ensure that
the site is suitable for accredited system placement. Aperiodic checks are
also performed by the CSSO and the CSSM to ensure continued compliance.
Classified AIS (the entire system, including peripheral devices) must
be at least 6 inches from any part of an unclassified AIS (entire
system, including peripheral devices) and at least 2 inches from unclassified
transmission media (e.g., telephone lines, data lines, alarm lines, etc.).
In the situation where a classified PC shares a peripheral device (such as
a printer) with an unclassified PC, both PCs must be separated from the shared
device and each other by at least 6 inches.
The separation requirements specified above do not apply to AIS located in
the Forrestal building rooms GA-301, the Emergency Operations Center, and
the Communications Center. Separation requirements for these facilities are
specified in the applicable TEMPEST Plan, maintained by the Headquarters
TEMPEST Coordinator, HR-433. Consultation with the TEMPEST Coordinator should
be effected for those systems planned for these areas.
The use of wireless communications (infrared) ports found on most PPCs to interface with printers and other peripheral devices is strictly forbidden when processing classified information. These ports must be disabled on all accredited PPCs and peripherals by covering the window with a numbered security seal or physically removing the infrared transmitter.
AIS that do not have DOE-approved hardware and/or software security programs
(i.e., the Watchdog or similar programs) installed rely exclusively on the
administrative and physical security access controls contained in this plan.
Unauthorized software is prohibited on DOE AIS that are accredited to process
classified information. Unauthorized software consists of:
any personal, commercial, shareware, or public domain software application, operating system, or utility software package that has not been introduced into the DOE HQ environment through procurement and distribution channels approved by HR-4, and that has not been approved for use on a specific accredited AIS by the assigned CSSO after testing.
any software that was not developed within a secure environment and that was not properly tested and approved for use on a specific accredited AIS by the assigned CSSO after testing.
The Windows terminal function must be disabled by deleting
the program "TERMINAL.EXE" (in the accessory group) on all accredited personal
computers (the classified removable hard disk).
E-mail software (including the mail feature in WordPerfect) is
prohibited (and must be removed if installed) on the classified
removable hard disk for all accredited personal computers, except those connected
to a classified LAN.
Commercial off the shelf software (COTS) packages often contain features that are designed to save the user time and make their job easier. Occasionally, features designed to make a job easier may actually create vulnerabilities, especially when classified or sensitive unclassified information is involved. The following are software features that present potential vulnerabilities and the safeguards that will mitigate those vulnerabilities.
The WordPerfect for Windows version 6.1 "Undo/Redo History" function is a
potential security vulnerability. This function allows users to recall and
undo changes or deletions made to a document during its creation. The number
of sequential changes retained that can be undone is selectable by the document's
author - the default being 10, but the author/editor may set it to as high
as 300 retentions. WordPerfect makes this capability possible by storing
the changes within the document. This is not readily apparent to the user.
Therefore, a change that has been previously performed can then be recovered
any time in the future by the author or any subsequent person who has been
given the document. While this may be a very desirable feature during document
creation and editing, there is the potential for unauthorized release of
classified or sensitive unclassified information.
The Undo/Redo History function can be turned on and off. When turned off,
deleted and changed text is not saved with the document. It is recommended
that this option be disabled or set at the minimum level to minimize the
threat of information compromise. The option must be disabled and
the document saved prior to executing TRCOPY to migrate unclassified data
from classified media. It should be kept in mind that this capability
also exists in other versions of WordPerfect and other user friendly software.
The Trusted Copy Program (TRCOPY) is designed for use in classified areas
when the need exists to migrate an unclassified file from the classified
environment of an accredited system to an unclassified environment.
TRCOPY provides safeguards to ensure that only the designated information
is actually copied and that the target diskette contains only the intended
information.
The diskette containing TRCOPY is not classified and will not become classified
by using it to move unclassified files. If it is used to move classified
files, the diskette will become classified and must be protected at the
appropriate level.
TRCOPY operates under DOS, version 3.2 or later, on the IBM PC or compatible
microcomputer.
It is the responsibility of the U/SO to ensure that the files being copied
to the TRCOPY diskette do not contain any classified information. If this
should occur, then the diskette must be marked, processed, protected, and
destroyed according to the highest level and most restrictive category of
the information it contains.
Copies of the Trusted Copy program and documentation may be acquired from the CSSM computer security support team 903-2106 or 903-0611 in Germantown or 586-5346 at the Forrestal building.
The following procedures have been established to ensure that all AIS within
HQ facilities have adequate administrative controls to restrict access to
the appropriate U/SOs and to ensure the protection of classified AIS assets.
Configuration management procedures are used to ensure that development and
changes to an AIS take place in an identifiable and controlled manner.
The following four specific aspects of configuration management are used
to provide assurance that modifications in the environment of the AIS do
not adversely affect the security of that system.
Configuration identification employs the identification of system components
and documentation that supports security control procedures. In the Master
AIS Security Plan, requirements stipulate the necessary controls that will
be used. Attachment 5, Individual Security Plan, provides the necessary support
documentation. The following criteria are either in the Master AIS Security
Plan or will be identified in the Attachment 5, thereby establishing a system
baseline to be used as a reference.
Security control procedures, e.g., Personnel, Physical, Telecommunications, Software, Administrative.
Modification control procedures.
System-specific design documentation.
Major Equipment Component Identification, Attachment 5.
Equipment Configuration, Attachment 5.
CSSO Certification date, Attachment 5.
CSSM Accreditation date, Attachment 5.
The task of configuration control is performed by subjecting system components
and documentation to a review and approval process within the computer security
organization. Configuration control is implemented by the Modification Controls,
paragraph 5.4. Modification controls identify the procedures used to evaluate,
coordinate, and submit for approval requests for AIS modifications.
Status accounting is possible through both manual and online systems. The
U/SO and CSSO account for the requirements defined in paragraph 10.1.1 by
means of the documentation required by this plan. The CSSM monitors the
accreditation process and maintains accreditation files.
Configuration auditing is accomplished via the review processes embodied
in the Classified AIS Security Program life cycle. Initially, the CSSO conducts
an assurance review before recommending the system for certification. The
CSSO also has the authority to exercise security oversight, at any time, over
AIS within his/her responsibility to ensure that all control procedures
identified in the Master AIS Security Plan are used. The CSSM provides oversight
on security control procedures by providing the initial certification review
and through periodic program compliance reviews. This continual auditing
program assures that criteria stated in AIS configuration identification
are met.
10.2 Access Controls
Physical access control procedures are identified in paragraph 7, Physical
Security.
Most, if not all 386/486 based personal computers have the ability to set
"Power On" and "Keyboard" passwords. These features are easily defeated by
knowledgeable operators. These specific types of "password" should only be
relied upon to provide a minimal added layer of security for the AIS and
should only be used in conjunction with other approved physical security
safeguards when the AIS is not attended.
PPCs may be used in any limited area, however they cannot be left unattended. When unattended, PPCs must have the removable classified hard disks removed and stored in an approved security container, and the PPC must be sanitized by not only turning off the power switch, but the battery must also be removed.
Because PPCs are not permanently installed, special care must be exercised
when processing classified information. The following precautions must be
taken:
Orient the computer where the screen and any printed material cannot be viewed by uncleared individuals.
Maintain proper separation from other electronic devices, telephones, and electrical equipment.
Post a "Classified Processing Do Not Enter" sign on the door to the room and close it.
Control is applied at various checkpoints prior to the installation of an
AIS earmarked for classified processing. AIS equipment received at DOE from
the manufacturers is immediately controlled and securely stored. Those items
of equipment to be used for classified processing are selected at random
from the store of existing stocks immediately prior to installation. This
practice precludes the equipment from being targeted specifically for a
classified installation until the last possible moment before the installation
process.
Access to AIS storage media (i.e., magnetic disks or tapes, compact disks
(CD ROM), paper, or printer ribbons) containing classified data will be
restricted to individuals possessing the appropriate DOE clearance and approved
need-to-know.
10.4.1.1 Marking During Classified Sessions
The following marking and handling requirements do not apply to unclassified compact discs used in systems with read only CD drives. Unclassified CDs used in read only CD drives remain unclassified even after being used during a classified processing session.
Prior to beginning a classified processing session on an accredited AIS, all removable magnetic media to be used during the session will be appropriately labeled for protection. Standard Form SF 709 ("CLASSIFIED" label) is no longer allowed per DOE M 5639.6A-1. Any storage medium currently labeled with SF 709 must be immediately reviewed and marked with the appropriate classification level and category. The appropriate classification label (examples are shown at Attachment 6, Labeling Diskettes) will be placed in the top right corner of 5 1/4-inch diskettes. If known, the highest classification and most restrictive category of data stored on the magnetic media may be identified on the first line of Standard Form (SF) 711, Data Descriptor Label (optional), or if SF-711 is not used, the category must be entered on the classification label. Standard Form (SF) 711, Data Descriptor Label, may either be placed in the top-left corner, or on the left side under the manufacturer's label. All classified 3 1/2-inch diskettes may have SF 711 or equivalent placed in the center of the diskette label area with the appropriate classification label directly below (the excess is folded around the edge).
The marking and handling requirements for removable magnetic media do apply to systems with recordable CD drives.
Removable hard disks will be labeled in the same manner as 3 1/2-inch diskettes. Diskette folders and removable hard disk containers will be marked at the top and bottom, front and back, with the appropriate classification of data stored on the enclosed magnetic media. Most restrictive category markings will be placed in the lower left corner of the folder. Only properly labeled removable hard disks and diskettes are used to store or process classified data files. If a label is placed on the disk or folder to identify the individual documents contained on the disk, the appropriate portion marking designator will be placed parenthetically after the title of the document it governs.
All Classified Compact Disc (CD) must be physically marked on both sides with the appropriate classification and category. These markings are placed on the hub of the CD, which is a narrow blank space adjacent to the center hole. See illustration in attachment 6. One technique is to use a silk screening method that permanently marks the disk, another option is to use a classification stamp with permanent indelible ink that won't rub off.
Warning: do NOT put any markings on the recording surface portion of the disc.
Also, certain types of ink may cause damage to the surface of a CD. Users may want to test mark a blank CD before using an untried marking device on a CD containing information.
10.4.1.2 Marking During Unclassified Sessions
Prior to being inserted into a sanitized, accredited AIS during unclassified processing sessions, unclassified magnetic media will be labeled with SF 710 ("UNCLASSIFIED" label). In addition, unclassified magnetic media known to contain sensitive information will be appropriately marked.
PCs with fixed internal hard disk drives (which must be permanently located
in a vault approved for the open storage of classified information) will have
marked on the front of each system the highest classification level and most
restrictive category of data for which the system is accredited to process.
PPCs with fixed internal hard disk drives may NOT be used to process
classified information.
Disk file folders or boxes, including those for compact disc will be marked
in accordance with paragraph 10.4.1, above, similar to files or folders
containing classified information.
During classified processing sessions, colored classification marking signs
or DOE/DP-0018/1, Department of Energy Computer/Terminal Sensitive Data Warning
Signs (sometimes referred to as a security flip-chart or tent sign) identifying
the highest classification level and most restrictive category of information
the AIS is accredited to process will be prominently displayed.
Specific guidance for reviewing, handling, storing and marking can be found
in Chapter XI, paragraphs 2 through 6 of the DOE HQ Facilities Master Security
Plan.
10.4.6.1 Dot Matrix Printer Ribbons
Multiple-strike printer ribbons used in dot matrix printers during classified processing are exempted from security labeling. Multiple-strike dot matrix printer ribbons may remain in the printer (do not have to be stored in a safe) at all times, as long as the printer remains in a limited area within the Germantown or Forrestal buildings of the HQ.
Single-strike ribbons used in dot matrix printers during classified processing are not exempted from security labeling--they must be labeled with the highest classification and most restrictive category of the data they are used to process. Single-strike (e.g., carbon film) ribbons must be removed from the printer and stored in a safe when not in use or when the system is unattended or being used in an unclassified mode.
All dot matrix printer ribbons must, however, be destroyed as classified scrap in the manner described in paragraph 10.4.13, below.
10.4.6.2 All Other (Non-Dot Matrix) Printer Ribbons
Non-dot matrix printer ribbons used in classified processing sessions will be marked with the highest classification level and most restrictive category of information for which the AIS is accredited to process. Non-dot matrix printer ribbons used during unclassified processing sessions (on sanitized AIS that have been accredited for classified processing) will be marked with "UNCLASSIFIED" or "SENSITIVE UNCLASSIFIED," as the case may be.
(Sanitized) toner cartridges may be left in laser printers until they are
depleted without being marked with a classification label. Depleted toner
cartridges that have been sanitized in accordance with the procedures stated
in Paragraph 10.5.3 need not be marked as long as they have been sanitized
and will be returned to non-cleared sources for reloading.
Some color printers use a color transfer roll in place of a ribbon or toner
cartridge. Once used the information that has been printed can be read on
the roll. For this reason separate rolls must be used during classified and
unclassified operations. The roll used for classified information must be
marked and protected as specified for single strike (carbon film) ribbons
(see paragraph 10.4.6.1, above). When the classified roll is depleted and
replaced it must be destroyed appropriately (see paragraph 10.4.13, below).
All classified removable media, when not being used by the system (i.e.,
diskette/removable hard disk, CDs, ribbon(s), hard copy reports, etc.), will
be stored in a security container that is approved for the highest classification
level and most restrictive category of data stored on the media.
Media containing the operating and software systems used for classified
processing sessions will be labeled and protected as appropriate for the
highest level of classification and most restrictive category of information
for which the AIS is accredited to process. When the accredited AIS is used
for periods processing (for alternating classified and unclassified sessions),
separate software systems must be maintained on separate media (removable
hard drive, diskette, etc.); a classified version for use during classified
sessions and an unclassified version for use during unclassified sessions.
Sanitization refers to the elimination of classified information from
(declassification of) magnetic media to permit the reuse of the media at
a lower classification level or to permit the release to uncleared personnel
or personnel who do not possess the proper information access authorizations.
There is currently no acceptable method for sanitizing magnetic media.
Magnetic media that is unusable or no longer needed must be destroyed using
the destruction procedures cited in paragraph 10.4.13. Magnetic
media should be "cleared" before being released to the destruction process.
Clearing procedures follow in the next paragraph.
"Clearing" magnetic media refers to a procedure by which classified information
recorded on the media is removed, but the totality of declassification is
lacking. Clearing is a procedure used when the magnetic media will continue
to be safe-guarded within the controlled environment. Magnetic media will
be cleared by overwriting the media a minimum of one time with any one character.
Verification of the overwrite process may be accomplished by random reread
of the overwritten information to determine that only the overwrite character
can be recovered.
Cleared magnetic media may be reused or released for destruction; however,
it will be marked and controlled at the level of the highest classification
of data ever recorded.
The programs "CLRDSK.EXE," "CLRDSKC.EXE," and "CLRDISK.COM," previously used
to clear magnetic media are no longer approved for use at DOE Headquarters.
The approved method to accomplish magnetic media clearing now uses Norton
utilities for DOS (version 5.0 or higher) "WIPEINFO". This utility program
offers much more flexibility than the CLRDSK programs. Options are available
that allow either the entire disk to be cleared, specific files on the disk,
the unused portions of disks, or the slack area of a disk. Another option
is "Wipe Methods". There are two choices. FAST WIPE and GOVERNMENT WIPE.
FAST WIPE satisfies the minimum DOE HQ requirements. Government wipe provides
additional assurance by writing 0s (zeros) followed by 1s (ones) 3 times,
then writing the character with the decimal value 246 one time. For more
information on the WIPEINFO utility consult your technical support personnel,
or the computer security support team 903-2106 or 903-0611 in Germantown
or 586-5346 at the Forrestal building.
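The clearing procedure above (overwrite, then verify by random reread) and the two WIPEINFO wipe methods, shown as an added simulation on an in-memory byte buffer; this is illustrative code written for this page, not the WIPEINFO utility or any DOE program, and the sample "classified" content is constructed.

```python
"""Simulation of FAST WIPE, GOVERNMENT WIPE and overwrite verification on a byte buffer."""
import random
from typing import List, Optional, Sequence, Tuple

GOVERNMENT_WIPE_FINAL = 246  # the character with decimal value 246 (0xF6), per the plan


def fast_wipe(media: bytearray, fill: int = 0x00) -> int:
    """Overwrite every location once with a single character (the DOE HQ minimum).

    Returns the character written so the caller can verify against it.
    """
    if not 0 <= fill <= 0xFF:
        raise ValueError("fill must be a single byte value")
    media[:] = bytes([fill]) * len(media)
    return fill


def government_wipe(media: bytearray, repetitions: int = 3) -> List[int]:
    """Write all 0s followed by all 1s, three times, then 0xF6 once.

    Returns the sequence of characters written; the last entry is what a
    verification reread must find at every location.
    """
    written: List[int] = []
    for _ in range(repetitions):
        for fill in (0x00, 0xFF):  # 0s, then 1s (every bit set)
            media[:] = bytes([fill]) * len(media)
            written.append(fill)
    media[:] = bytes([GOVERNMENT_WIPE_FINAL]) * len(media)
    written.append(GOVERNMENT_WIPE_FINAL)
    return written


def verify_by_random_reread(media: Sequence[int], expected: int, samples: int = 64,
                            rng: Optional[random.Random] = None) -> bool:
    """Random reread: sample locations and require that only the overwrite character reads back."""
    if len(media) == 0:
        return True
    rng = rng or random.Random()
    return all(media[rng.randrange(len(media))] == expected for _ in range(samples))


def verify_full_read(media: Sequence[int], expected: int) -> bool:
    """Complete read of the medium: stronger than sampling, catches any location left untouched."""
    return all(b == expected for b in media)


def clear_media(media: bytearray, method: str = "fast",
                rng: Optional[random.Random] = None) -> Tuple[int, bool]:
    """Clear the medium with the named method; return (final character, verification passed)."""
    if method == "fast":
        final = fast_wipe(media)
    elif method == "government":
        final = government_wipe(media)[-1]
    else:
        raise ValueError("unknown wipe method: " + method)
    ok = verify_by_random_reread(media, final, rng=rng) and verify_full_read(media, final)
    return final, ok


if __name__ == "__main__":
    # Constructed stand-in for a classified medium (not real data).
    medium = bytearray(b"CONSTRUCTED SECRET SAMPLE " * 40)
    print("government wipe passes:", government_wipe(medium))
    print("verified:", verify_full_read(medium, GOVERNMENT_WIPE_FINAL))
    # A location the overwrite missed (e.g. a sector the tool skipped) is found by a full
    # read, while a small random sample may not land on it.
    medium[500] = 0x41
    print("full read still clean:", verify_full_read(medium, GOVERNMENT_WIPE_FINAL))
```

Cleared media in the plan stays marked at the highest classification ever recorded; the simulation only models the overwrite and its verification, not that marking.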
Specific destruction procedures can be found in chapter XI of the DOE
Headquarters Facilities Master Security Plan.
The definition for "documents" includes "AIS input and contents of equipment
and/or media, including memory, punch cards, tapes, diskettes, removable
hard disk drives, CD ROM, and visual displays."
Magnetic media which is used in a sanitized, accredited computer when it
is operating in the unclassified mode (the removable hard disk drive marked
Unclassified is in the system) does not have to be placed in an accountability
system.
Removable magnetic media will be appropriately labeled as described in Paragraph
10.4.1, above. The space marked "Control:" on the optional SF 711, Data
Descriptor Label, will contain the accountability control number for the
diskette, if applicable. If SF 711 is not used, the control number will be
written on the Standard Form classification label. Once magnetic media is
appropriately marked with Secret labels, it will be entered into the accountable
document inventory file, if applicable, maintained by the CSSO or classified
document custodian.
Accountable documents/media that are to be destroyed in accordance with
procedures stated in Paragraph 10.4.13, will be annotated on DOE F 5635.9,
"Record of Destruction."
The accredited AIS including all peripheral devices must be sanitized:
before being left unattended, see paragraph 12.3
during periods processing:
when ramping down from a session of higher level classification/category to a session of lower level classification/category.
before being used by another U/SO who doesn't possess the same need-to-know.
Before being repaired or sent off-site for repair by uncleared hardware technicians.
To sanitize the system, all media will be removed and stored in accordance
with classified media storing specifications. System memory (to include the
printer buffer and the buffers of any other peripheral devices) will be sanitized
or purged of classified information (This is accomplished by turning off
the power for the entire system including all connected peripheral devices
and battery backup (if present on anything but clock-function chips or other
printed circuit boards) for at least one minute). The system must then be
rebooted with a separate copy of the software system that has been reserved
for use during unclassified processing sessions only.
In addition to turning off external power (see 10.5.1 above), PPCs also must
have the battery or power pack removed in order to sanitize memory.
For AIS connected to a Laser printer at least five pages of unclassified
information will be printed to sanitize and clear classified residual information
associated with the toner cartridge. The program LASERSAN.EXE, written and
distributed by the CSSM to U/SOs through their CSSO, should be run to sanitize
classified laser printers connected to MS-DOS-based computer systems.
LASERSAN.EXE, when executed, generates five pages of printed, unclassified
information to sanitize any residual data in the laser printer toner cartridge
and provides on-screen instructions to the U/SO for completing the sanitization
of the printer and computer system by turning off power for at least one
minute. Because LASERSAN generates a set series of characters (starting with
a random character and excluding spaces and solid black), a distinct pattern
of unclassified characters is printed on each of the five pages. These pages
are then visually reviewed by the U/SO to verify the absence of classified
residual data on each of the five printed pages. If they contain classified
information, they will be destroyed in accordance with the highest classification
level and most restrictive category of data for which the AIS is accredited
to process and the process will be repeated.
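The five-page pattern described above, as an added illustration written here (it is not LASERSAN.EXE or any DOE code): the stream cycles through printable, non-blank, non-solid characters from a random start so that every page differs, and a checker describes what a correctly printed page looks like. The 60-line by 80-column page size is an assumption.

```python
import random
import string

# Added illustration of the five-page pattern described for LASERSAN; this is
# not the DOE program. Page geometry (60 lines of 80 columns) is an assumption.
PAGES = 5
PAGE_LINES = 60
LINE_WIDTH = 80

# Characters that leave a visible but not solid mark: printable ASCII with
# every whitespace character removed (a blank cell would not overprint
# whatever residual image the drum or cartridge still carries).
PATTERN_CHARS = "".join(c for c in string.printable if c not in string.whitespace)

# "Solid black" is the full-block glyph (0xDB in the IBM PC code page,
# U+2588 in Unicode). It is not in PATTERN_CHARS; the checker rejects it.
SOLID_BLACK = "\u2588"


def render_job(seed=None, pages=PAGES, lines=PAGE_LINES, width=LINE_WIDTH):
    """Return one string per page of a sanitization print job.

    The stream starts at a random offset into PATTERN_CHARS and runs on
    continuously across pages, so each page shows a different alignment of
    the same cycle and the five pages are never identical.
    """
    rng = random.Random(seed)          # seed only to make a job reproducible
    n = len(PATTERN_CHARS)
    pos = rng.randrange(n)
    job = []
    for _ in range(pages):
        rows = []
        for _ in range(lines):
            row = PATTERN_CHARS[pos:pos + width]
            while len(row) < width:    # wrap around the end of the cycle
                row += PATTERN_CHARS[:width - len(row)]
            rows.append(row)
            pos = (pos + width) % n
        job.append("\n".join(rows))
    return job


def page_matches_pattern(page, width=LINE_WIDTH):
    """True when every line is an unbroken run of the cycle with no blank or
    solid-black cell. It is the software counterpart of the U/SO's visual
    review: anything on the sheet that is not pattern is residual data, and
    the sheet must then be handled at the AIS's accredited level."""
    if width > len(PATTERN_CHARS):
        raise ValueError("width must not exceed the cycle length")
    # Every cyclic window of at most len(PATTERN_CHARS) characters occurs in
    # the cycle written out twice, which is what makes the substring test valid.
    doubled = PATTERN_CHARS * 2
    for line in page.split("\n"):
        if len(line) != width:
            return False
        if " " in line or SOLID_BLACK in line:
            return False
        if line not in doubled:
            return False
    return True
```

The printed sheets are still reviewed by eye; the checker only states the pattern the reviewer should expect to see.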
In the event LASERSAN.EXE is not appropriate, the "TEST/FONT"
function key on the main control panel of the laser printer can be used to
produce these five pages (To print a "test" page, first press the "ON LINE"
button once to switch the printer off line, then press the TEST/FONT button
five times, once for each page of output. Finally, turn the printer off for
at least one minute to clear any residual memory). These five pages will
be reviewed to verify that they do not contain classified information before
being destroyed as unclassified trash. If they contain classified information,
they will be destroyed in accordance with the highest classification level
and most restrictive category of data for which the AIS is accredited to
process and the process will be repeated.
Once sanitized, the laser printer toner cartridge may be released to unclassified
channels for replenishment.
Copies of the LASERSAN program may be acquired from the computer security
support team 903-2106 or 903-0611 in Germantown or 586-5346 at the Forrestal
building. The LASERSAN program and documentation may also be downloaded from
the HR Home Page, whose URL is
http://www.hr.doe.gov/compsec/compsec.htm.
To sanitize color printers that use the color transfer rolls, in addition
to turning off the power to the printer, the transfer roll must be removed,
marked with the proper security classification level, and stored in an approved
security container.
U/SOs of AIS must use a valid user identification code (Userid) and password
to authenticate their privilege to access an accredited host.
U/SOs that require access to the HQ mainframe applications must first apply
for issuance of userid and passwords by submitting DOE-F-1450.5, Request
for Timesharing Services and LOGON ID and DOE-F-1450.5A, Certification of
Timesharing LOGON ID Owner Responsibilities, through their office management,
and through the application system owner (Data Owner), to the Team Leader,
Germantown Integrated Services Team, HR-441.
U/SOs that require access to LANs or other hosts must follow the application
procedures for those computer resources.
10.6.1.1 HQ IBM Host
AIS connected to the IBM ES/9000 host computer must be identified and authenticated
through the use of userids and passwords. Security on the host mainframe is highly
dependent on the proper protection of the passwords used to access it. Password
management is the responsibility of the mainframe CSSO. Password protection is
the responsibility of the U/SO. Procedures for protecting passwords are described
below.
Initial passwords are machine-generated and issued to the new U/SO with the approval
of the organizational CSSO, the mainframe CSSO, and the CSSM. The first time the
U/SO logs on to the host system with the issued password, the U/SO is forced by
the system to generate a new machine-generated password. This new password is
known to no one other than the receiving U/SO. Under no circumstances may U/SOs
create their own password. Passwords recorded by the U/SO shall be protected and
marked in accordance with the procedures stated in the SA-123 (NN-512.3)
Memorandum of May 3, 1993, regarding Protection of Combinations or Passwords.
Under no circumstances may a password be shared with or disclosed to any other individual. No U/SO should be knowledgeable of another U/SO's password. If a password is compromised, or a compromise is suspected, notify the CSSO or the CSSM immediately.
The System Administrator, HR-441, monitors password usage on a daily basis to reconcile access violation attempts and suspended or canceled userid and passwords.
If reinstatement is required (e.g., forgotten password), notify the System Administrator, HR-441.
10.6.1.2 Other Accredited Hosts
For reinstatement on other accredited hosts, follow procedures approved for that particular system.
U/SOs are to notify the application owner and the System Administrator, HR-441,
when the U/SO no longer requires the need for access to the HQ IBM host (i.e.,
when changing jobs, organizations, etc.) so that userid and password will
be suspended. For other accredited hosts, follow their notification procedures.
Use of passwords will conform to the guidance in DOE M 5639.6A-1, Attachment
IX-2, Password Management.
U/SOs will change their passwords in accordance with the host procedures.
The add-on software security package, Access Control Facility 2 (ACF2), controls
access to the accredited IBM ES/9000 host computer applications through the
use of user identification codes and passwords. Before a U/SO can access
this mainframe, the application system owner (Data Owner) must attest to
the appropriateness of this U/SO's access and need to know in a request to
the ACF2 system administrator. Through ACF2, the system administrator defines
access levels down to the mini-disk level. ACF2 provides object protection
and all passwords are stored in a one-way encrypted password file. Through
ACF2, the system administrator controls access by terminal and/or port
identification. Terminals and ports are logically disconnected based on
terminal/port ID number, date, and time.
Hardware-oriented access control devices have been installed at the HQ in
the form of National Security Agency-approved encryption devices (STU-III
SDD Model 1900/1910) at each end of the communications lines that connect
accredited AIS to the accredited host computer. Each SDD is placed into a
secure mode by the insertion and turning of a pre-approved and programmed
crypto-ignition key device into the SDD terminal. In reverse, sanitization
is performed by turning the crypto-ignition key in the opposite direction
and removing it from the SDD terminal.
The crypto-ignition key must be physically removed from the SDD before the
accredited AIS can be sanitized/declassified and may not be inserted into
the SDD during an unclassified session.
The responsible user of the crypto-ignition key, who is also the U/SO of
the AIS, is required to be cognizant of the location and status of the
crypto-ignition key at all times. This may be accomplished by the user carrying
the crypto-ignition key on his or her person when the crypto-ignition key
is not physically inserted in the terminal during a classified session or
placing it in an approved security container.
All host-end SDDs used at DOE will utilize the Secure Access Control System
(SACS), otherwise known as a "Good Guy" list. This system ensures that only
the holders of authorized crypto-ignition keys and SDD terminals can access
the SDDs physically connected to the accredited mainframe host computer.
It further assures (since only host-end SDDs have the AUTO-ANSWER feature
turned on) that terminal-end SDDs prevent access of the terminal AIS by other
remote devices.
A properly completed and approved DOE Property Pass must be presented to
the security guard before exiting a HQ complex building with any Government/DOE
piece of AIS equipment, diskettes, magnetic cartridges, or removable hard
drive cartridges, unless specifically exempted from the requirement by written
authority. Classified magnetic media can only be removed from the HQ complex
by a person who has specific authority to hand-carry classified matter in
accordance with Chapter XI, Paragraph 10 of the DOE HQ Facilities Master
Security Plan.
Before an accredited PPC can be removed from the Headquarters complex for
use to process classified information, the cognizant HSO must be consulted
for requirements in addition to the ones specified in paragraph 10.7 above.
Also see paragraph 7.1.5.
Before removing an accredited PC, PPC, or peripheral device from the room
where it is installed for off-site repair all "Approved for Classified" stickers
or other markings that indicate use to process classified information must
be removed.
Microphones/Video Cameras in computers used in areas designated for classified
or sensitive unclassified discussion must be disabled. Any exceptions to
this policy that are needed to support extenuating conditions (e.g., physically
challenged users), and then only with the employment of additional safeguards
(e.g., soundproofing), will be granted only after the user first obtains a
deviation in accordance with Paragraph 4.f of DOE 470.1, Safeguards and Security
Program, dated 9/28/95, and then approval by the Classified AIS Security Site
Manager prior to enabling.
Some recently developed peripheral devices used with personal computers, such
as multi-function printers (i.e., printers that can operate as FAX machines and
optical scanners as well as printers) and internal and external modems that
have voice capability, present a significant vulnerability in equipment to be
used to process classified information. Many of these devices are equipped
with internal secondary memory that is used to store information for diagnostic
purposes to allow service technicians to quickly resolve problems. Another
technology in wide use with PPCs is the wireless or infrared communications
port used to interface with printers and other peripheral devices equipped
with that technology. Wireless technology cannot be used when processing
classified information. Before any equipment with these types of features can
be used with an accredited AIS, a deviation must be acquired in accordance with
Paragraph 4.f of DOE 470.1. See Attachment 8.
Incidents of waste, fraud, and abuse are to be reported in accordance with
paragraph 14. The definitions are as follows:
Waste - Misuse of computer time (i.e., games, private use, use of unauthorized software), or resources, whether intentional or not.
Fraud - Illegal activities, including misrepresentation, personal gain, copyright violations.
Abuse - Intentional alteration or destruction of software, hardware, or information.
A random sampling of files (100 percent of the files found on 10 percent
of the systems assigned to the CSSO is required) is to be reviewed and documented
at least semiannually by the CSSO. Attachment 3A, Waste, Fraud and Abuse Review
Checklist for Accredited DOS Based Systems (applies only to Microsoft/IBM
Disk Operating System-based systems), and Attachment 3B (applies to Macintosh
systems) are provided for the CSSO's use in this purpose. This documentation is required
to list the files reviewed, identify any corrective and follow-up action
found to be necessary, and certify that the AIS contain only legitimate
government information, programs, and proprietary software (authorized and
licensed to the specific AIS). This documentation is to be retained by the
CSSO for one year.
Given the condition of a single system with the CSSO as the user, no Waste,
Fraud, and Abuse or Compliance Reviews are required of the CSSO--random reviews
conducted by the CSSM will suffice.
During program compliance reviews, the CSSM reviews all evidence of the waste, fraud, and abuse checks that have been performed by the CSSO during the period prior to the review. Random, aperiodic reviews of program and data files on selected systems are also performed and documented by the CSSM. These reviews are unannounced.
Each HQ Element shall ensure compliance with licensing agreements for software
packages used on accredited AIS within their respective organization.
Documentation of this compliance shall be maintained within the HQ Element
and will be reviewed by the CSSM during (re)accreditation and other Classified
Computer Security Program reviews.
U/SOs must recognize and respect the copyright protection and licensing
agreements applicable to commercially available software packages, and use
the software accordingly. Copyright and licensing infringements are violations
of Federal law.
SW-SCAN is a software program developed by Battelle Memorial Institute, which
operates the Pacific Northwest Laboratory for the DOE. The program was developed
for the purpose of monitoring compliance with commercial software licensing
agreement requirements. SW-SCAN is itself copyrighted by Battelle. DOE
Headquarters has been granted use of the program to monitor software licensing
compliance. Copies of SW-SCAN may be obtained from the CSSM computer security
support team 903-2106 or 903-0611 in Germantown or 586-5346 at the Forrestal
building.
A qualitative risk assessment has been performed for AIS at the Germantown
and Forrestal facilities. This assessment is general in nature because it
encompasses all AIS within these facilities. The level of protection provided
each AIS is based on the U/SOs' knowledge of the security procedures detailed
in this plan.
The following table (continued on next page) identifies some specific threats
to accredited AIS, their probability of occurrence rating (i.e., Low, Moderate,
High), the impact of an occurrence, and implemented countermeasures.
THREAT | PROB | IMPACT | COUNTERMEASURE |
Fire | Low | High | Fire extinguishers, some areas protected by fire suppression systems. |
Power Disturbances | Low | Low | Systems protected by surge protection devices |
Power Outages | High | Low | U/SOs are required to backup data on a regular basis. |
Water Damage | Low | Low | Construction of building and placement of AIS negates water damage. |
Malicious Authorized U/SOs | Low | Low | All U/SOs processing classified have security clearances and have been trained in the protection of classified information and the systems that process classified information. |
Covert Action | Low | Low | Building guards, visitor controls, and use of approved safes for document, removable magnetic media, and ribbon storage. Limited Security Areas with electronic and combination locks control access. Hardware and software procurement, installation, and support cannot be targeted to accredited AIS. |
Casual Visitors | Low | Low | Posted signs for classified processing, room divider around accredited systems in some rooms, visitor controls, magnetic media removed during non-use periods, 3-way combination locks and limited security areas control access. |
Emanation | Low | Low | Use of TEMPEST-protected or other DOE-approved low-emanation equipment. |
Natural Hazards | Low | Low | Inherently secure/safe building. |
System Abuse | Low | Low | Monitoring by supervisor and the CSSO. Personnel security briefings. Regular Waste, Fraud, and Abuse surveys. |
Physical Damage to Portable PCs | High | Low | Portability of laptop computers makes them vulnerable to damage from being dropped. Padded carrying cases and removable hard disks reduce the risks substantially. |
Theft of Portable PCs | Moderate | High | Portable PCs are vulnerable to theft. This threat is reduced by encrypting the files on the removable hard disks and diskettes, storing PPCs and removable magnetic media in approved security containers, and user vigilance. |
All items of AIS equipment and operating systems software are considered
low value assets. Each equipment and operating system asset will be identified
in the Individual Security Plan. The information files (to include such files
as data, query routines, or application software) processed on these systems
may be of higher value; therefore, U/SOs have been cautioned to protect their
information investment by performing regular backups and storing them at
a prudently safe distance from their primary working copy.
The qualitative threat identification chart, paragraph 12.1, depicts the
risk management technique used to identify and counter all known and potential
threats. Based on the analyses of these threats and the fact that all classified
processing is performed within DOE Security Areas, the protection mechanisms
implemented for these areas are deemed sufficient for the low value assets
covered by this plan. Except for AIS located in vaults approved for open
storage of classified information, see Chapter II of DOE M 471.2-1 Manual
for Classified Matter Protection and Control for specific guidance on the
control of all classified media. All classified media must be controlled
(if necessary) by document-accountability procedures. The protection mechanisms
implemented within the Security Areas for the protection of documents have
been evaluated by the CSSM and deemed sufficient for the protection of the
information processed. A risk assessment conducted of the AIS procurement,
installation, support functions, processes, and procedures indicated a low
risk associated with the threat of targeting specific hardware or software
for covert action.
All CSSOs are required to attend the CSSO Training Class provided by the
CSSM. As a minimum, the CSSOs will provide the following instructional material
to each U/SO.
Master AIS Security Plan. The CSSO and U/SO must retain a copy of the currently
approved Master AIS Security Plan for AIS at their respective systems. These
copies may be maintained in an electronic format (as a data file), in lieu
of maintaining a printed copy. Electronic copies of the Plan and its attachments
(blank forms) may be obtained by calling the CSSM.
DOE/MA-0427, "Computer Security Guide For Users."
Personal Computer Security Quick Reference Guide.
All classified AIS U/SOs are responsible for reading the documents cited
above. Personnel who receive a userid for the mainframe will receive training
through the automated security briefing resident on the system. A PC-DOS
based version of the automated security briefing is installed on the individual
AIS as a part of the initial software loading by the Microsystems Support
personnel. This PC version steps the U/SO through standard security procedures
for the protection of their systems.
Each responsible U/SO will read the Master AIS Security Plan for AIS annually.
The responsible U/SO will, also annually, sign Attachment 1, Annual AIS
User/Security Officer Acknowledgment of Compliance Responsibilities, accepting
responsibility for the security of their assigned AIS.
Every DOE and DOE Contractor Employee at the HQ has been issued a copy of
DOE/MA-0427, Computer Security Guide for Users. This guide discusses personnel,
software, physical, telecommunications, and administrative security for HQ
AIS.
To qualify as a computer security-trained escort, the candidate must have
received all the training listed in the previous paragraph for U/SOs and
must have attended a viewing of the DOE-produced video "The Outsider."
In order to thwart deliberate and/or malicious acts (i.e., equipment tampering,
Trojan horses, virus programs) directed at AIS, all personnel utilizing DOE
AIS resources will observe the following procedures for reporting any perceived
attacks. Also, any occurrence of a security infraction or of waste, fraud,
and abuse, as defined in paragraph 11 above, will be reported using the
procedures below. These procedures will permit each U/SO to properly report
potentially damaging incidents. By initiating the following actions in a
timely manner, U/SOs may assist in controlling and limiting the damage that
may be caused by an incident.
Upon noticing or suspecting unusual or uncharacteristic performance from
your system, suspend processing on the affected system. Attempts to determine
the cause through use of the system may distort or destroy any evidence
investigators might need to identify and/or correct the situation.
U/SOs are to immediately notify, through secure means (e.g., face-to-face,
encrypted voice), the responsible CSSO (and/or Alternate CSSO) of the affected
system concerning the possibility of a successful threat occurrence. This
will allow the CSSO to immediately begin a preliminary inquiry and notify
other potential targets, thereby limiting further potential damage. If the
CSSO or Alternate is not readily available, call the CSSM. During non-business
hours, if the incident involves the HQ mainframe the U/SO should call the
CSSO on duty at the Computer Center in Germantown (3-4437). Minor incidents
associated with the use of AIS (generally those whose adverse impact can
be contained within the authority and responsibility of the CSSO) need not
be reported to the CSSM, but are to be documented, investigated, and resolved
by the CSSO.
Incidents whose scope and adverse impact extend beyond the authority and
responsibility of the CSSO (e.g., LAN or mainframe connectivity is involved)
are to be communicated to the CSSM as soon as practical. The intent is to
coordinate efforts to limit the potential damage which could be incurred.
After incident notification, the U/SO will annotate the following information,
if known, for use by security personnel.
a. Time of Occurrence
b. Source of Problem (e.g., imported software, diskette/hard disk drive, etc.)
c. Nature of the Incident - explain what happened prior to and during the occurrence.
d. The U/SO should review Chapter VI, Headquarters Incident Reporting Procedures, in the CSSO Guidelines for more guidance.
In general, AIS equipment assets are low cost, easily replaceable items.
However, contingency planning is addressed for all systems that process
classified information, as follows.
It is the responsibility of the U/SO to identify any hardware configuration or software system that is considered critical for the successful completion of the DOE mission. If a system is designated as critical, backup procedures and matching system configurations must be identified in writing to ensure continuity of operations. Additional procedures, specific to the critical system, will be identified in the Individual Security Plan for the critical system. These procedures must be tested annually. All AIS identified as critical will be backed up by the U/SO once a week, at a minimum, and the backup media will be stored at an alternate location that is reasonably distant from the primary processing and information storage site.
All non-critical systems will be backed up by the U/SO on a regular basis
to assure a continuity of the operations that support the conduct of the
DOE mission.
Visitors (cleared, but without a need-to-know, or uncleared) to office areas
where accredited AIS are present must be escorted in accordance with DOE
Headquarters Facilities Master Security Plan and may not be permitted physical
access to accredited AIS or to view classified information. In addition,
escorts for visitors who are going to have access to the inside of an accredited
computer (uncleared repair technician) must be computer security-trained
in accordance with paragraph 13.3 of this plan.
The following procedures govern the operations of accredited AIS in the interim
periods during updates or changes to their environment. The environment of
an accredited AIS encompasses those items of hardware and software listed
in Attachment 5; the location of the AIS; the assigned U/SO; and, the approved
security controls in place at the time of the current accreditation.
Interim reaccreditation is granted for a period of 15 work days only for
those systems previously accredited and only under the following conditions:
U/SO changes,
Hardware replacement with similar equipment,
Software changes, or
System relocations.
Interim accreditation begins when the change is effected (e.g., hardware
has been reinstalled at the new location).
If not reaccredited in these 15 work days, the system will be considered
unaccredited and will only be authorized to process unclassified
information.
Remote diagnostic services are not permitted on accredited systems.
Each AIS installation is separately accredited and, as a part of the
accreditation process, is reviewed for compliance with this Master AIS Security
Plan and its associated Individual Security Plan. Attachment 4 presents a
brief security compliance checklist that is used as an aid in the compliance
review process. The accrediting official has determined that compliance reviews
adequately test the security implemented for each.
DOE and DOE Contractor organizations shall ensure that appropriate technical,
administrative, physical, and personnel security requirements are included
in specifications for the acquisition of hardware, software, or related services
to be utilized in a classified environment. The CSSM will be included in
the planning process for any new hardware or software procurement or developments
that apply to classified in the DOE HQ environment.
U/SO's Initials
1. _____ I have read the Master AIS Security Plan and am familiar with its
contents. I have also read DOE/MA-0427, Computer Security Guide for Users,
and the Personal Computer Security Quick Reference Guide.
2. _____ I am aware of my responsibility for knowing what constitutes a security
infraction and the procedures for responding to an infraction.
3. _____ I am aware of my responsibility for reporting any incidents of data
intrusion or other security-related events to the Classified Computer System
Security Officer (CSSO) in accordance with current DOE and local policy.
4. _____ I am aware that, when the system is to be left unattended, accredited
systems must be sanitized, and that classified computer media, such as removable
hard drives, diskettes, compact disc (CD ROM), cassettes, single-strike printer
ribbons, and printed output must be locked in a DOE approved security container.
5. _____ I am aware that individual userids and passwords must be unique,
are intended only for the assigned user, and may not be shared with anyone
else. I am responsible for protecting passwords and records of passwords
used with classified AIS at the highest level and most restrictive category
approved for the AIS.
6. _____ I am aware that users of classified systems are to prevent (to the
extent possible) unauthorized persons from entering the work area during
classified processing and that the AIS must be positioned so that it cannot
be viewed from outside the processing area (i.e., in view from open doors
or uncovered windows). I am further aware that users must logoff of classified
AIS and remove and properly store all media prior to leaving the system
unattended.
7. _____ I am aware that all data should be backed up periodically to preclude
the need for extensive reconstruction of files following a system failure
or emergency. I am also aware that, ideally, these files should be stored
in a separate remote location.
8. _____ I am aware that classified media and printed output and their covers
or containers must bear appropriate classification markings that indicate
the highest level of data contained therein. I am further aware of my
responsibility to follow Document (or Media) Accountability Procedures located
in Paragraph 10.4.14 of the Master AIS Security Plan.
9. _____ I am aware that removable hard drives, diskettes, CD ROM, cassettes,
tapes, toner cartridges, printed output, and printer ribbons used for classified
processing must be sanitized, declassified, and/or destroyed according to
the policies, practices, and procedures listed in Paragraph 10.4 of the Master
AIS Security Plan.
10. _____ I am aware of and will comply with the procedures specified in
the Master AIS Security Plan sections 5.5.1 & 5.5.2 regarding system
sanitization and proper transition between LAN connections and stand-alone
processing.
11. _____ I am aware of my responsibility to continually improve security.
Through my daily interaction with a system, I am able to detect weaknesses
and vulnerabilities within the system. I will make a conscientious effort
to express ideas on enhancing security to the designated Classified AIS Security
Officer.
12. _____ I am aware that, as a U/SO of Department of Energy systems, I must
ensure that the equipment is used only for job related processing and that
all other uses are prohibited. I am aware that I am subject to periodic review
for compliance and audit for waste, fraud, and abuse by the CSSO, CSSM, and
other internal and external auditing agencies (i.e., IG, GAO, etc.).
13. _____ I am aware that electronic equipment, antennas, etc., may not be
placed in the immediate proximity of the classified AIS without being listed
and approved by the CSSM in the Individual AIS Security Plan. I am also aware
that any modifications to the AIS, either in addition to or deletion of hardware
or software, may not be performed without the prior approval of the CSSO.
14. _____ I am aware that only DOE-authorized software may be used on an
accredited AIS. I will abide by any licensing agreements applicable and am
aware that any software copyright and licensing infringements are violations
of Federal law.
* In addition to the statements above, users of portable personal computers
must attest to statements 15 through 22.
15. _____ I am aware that before I can use a PPC to process classified
information in an area at the Germantown or Forrestal buildings, but outside
the jurisdiction of my CSSO, I must have the approval of the CSSO who has
jurisdiction over the area.
16. _____ I am aware that before I can use a PPC at a facility other than
the Germantown or Forrestal buildings, the PPC must be accredited by the
Designated Accrediting Authority (DAA) for the facility I am visiting.
17. _____ I am aware that classified removable hard disk must be transported
separately from the portable computer in accordance with the requirements
stated in the DOE Headquarters Facilities Master Security Plan, Chapter XI
Classified Matter Protection and Control.
18. _____ I am aware that portable computers may not be used to process
classified information except in (1) an approved vault or vault-type room,
(2) a limited area, or (3) an exclusion area.
19. _____ I am aware that classified documents must be encrypted when stored
on magnetic media to provide need-to-know protection.
20. _____ I am aware that I must carry the Computer Validation Card for the
PPC assigned to me whenever the PPC is in my possession.
21. _____ I am aware that I must turn off all electrical power sources including
physical removal of the battery in order to sanitize the PPC.
22. _____ I am aware that PPCs are highly vulnerable to theft and must be
given appropriate protection when in my possession, especially in public
places.
I have read the above statements and understand my responsibilities for
protecting classified systems and information as indicated by my initials.
I am aware that I am required to review, initial, and re-sign this form annually
no later than the anniversary date as indicated next to my signature below.
U/SO: ____________________________________________ __________________________________________ ____/____/____
Printed Name Signature Date
The purpose of this form is to provide a documented means of ensuring that
each U/SO is aware of his/her responsibilities for processing classified
information on an AIS.
This form contains a series of statements, for which the U/SO will initial
each to indicate that he/she understands and acknowledges his/her
responsibilities. This will be done annually (not later than 1 year from
the date signed on the previous form) by each U/SO to provide a refresher
to the U/SO of his/her responsibilities. After the U/SO has completed this
form (all the statements are initialed) and the CSSO is confident that the
U/SO understands his/her responsibilities, then the CSSO may allow the U/SO
to perform classified processing on an accredited AIS. This form is not required
to be submitted with the accreditation/reaccreditation package to the CSSM,
but will be reviewed by the CSSM representative when a site or compliance
review is held. The CSSO will retain the original of this form until replaced
by the next annual form completion and provide a copy of same to the U/SO
for reference purposes.
Location: __________ Room No.: __________ STU-III Serial No.: __________
(GTN, FORS)
(STU-III user log; surviving column headings) ... | CLASSIFICATION LEVEL | CATEGORY | TRANSMITTED/RECEIVED | ...
This attachment demonstrates the form used to log users utilizing a STU-III SV/DS to transmit classified data processing. This form records the room and building location of the STU-III as well as the serial number of the STU-III. Each user must record the date and time of use, the name and location of the distant end, the level of classification, category, whether it was transmitted or received, and the user signature.
SYSTEM ID: HQ-_______(Assigned by CSSM)
DATE:______/______/______
ORGANIZATION:____________________________ EQUIP:_______________________
LOCATION: BUILDING______________________ ROOM NO. ____________________
U/SO: NAME:________________________________________
SIGNATURE:______________________________________
CSSO: NAME:_______________________________________
SIGNATURE:______________________________________
Reviewed BY: _____________________________________
SIGNATURE:______________________________________
ORG:_______________________________ DATE:_____/_______/______
PROCEDURES: Perform the following on both CLASSIFIED and UNCLASSIFIED removable hard disk or fixed hard disk assigned to systems that are accredited to process CLASSIFIED information:
1. Prior to reviewing each hard drive, perform the Disk Operating System
change drive function at the Disk Operating System prompt ["C:" press Enter];
["D:" press Enter]; ["E:" press Enter]; ["F:" press ENTER]; etc. until "invalid
drive specification" is displayed. This will determine the logical drives
assigned to each physical drive. Annotate the assigned logical drives by
circling the appropriate selections below. Prior to performing the following
functions, change to the specified drive that you wish to review by entering
["C:"; "D:"; etc. then press Enter key].
Drive Type: Removable / Fixed / Other:_______________________________
Security System: None / Package Name:__________________________________________
UNCLASSIFIED Drives assigned: C: D: E: F: None Other_________
CLASSIFIED Drives assigned: C: D: E: F: None Other_________
2. On each logical drive run the Disk Operating System Utility program CHKDSK or SCANDISK.
[ "CHKDSK or SCANDISK /V |MORE" press ENTER ]*
*note ('|' is the pipe character, typed as shifted backslash, not the ':' colon)
(should the program not execute, press Ctrl/C to invoke).
The CHKDSK or SCANDISK utility will list all file names (including hidden
files) by screen page. Press "Enter" after reviewing each page. Validate
that there are no unauthorized software packages, games, or personal files
on the system, and that the system appears used for performing only DOE related
functions. If a "suspicious" file name is discovered, review the file by
either executing (if an executable file with .EXE, .COM, .SYS extension [Key
the entire filename and press Enter]) or by performing the Disk Operating
System Utility TYPE command on text files. ["TYPE filename" press Enter].
Document the findings in the FINDINGS Section of this form.
3. (Optional or as required at the reviewer's discretion) Using the DOS UNDELETE
command or a current copy of NORTON UTILITIES program software, run
the utility "UNERASE" (["UNERASE" press ENTER] and follow the menu-driven
instructions) to validate any previously erased software. Document the findings
in the FINDINGS Section of this form. (If this function is performed in
classified mode, the diskette must be appropriately labeled and treated
accordingly. It may not then be used in UNCLASSIFIED mode. If the NORTON
diskette copy is left with the CSSO because it is classified for destruction
purposes, then the programs on the diskette must first be erased for protection
against licensing infringement).
FINDINGS:
UNCLASSIFIED
ASSIGNED DRIVE: C: D: E: F: Other:______
Total Files: ___________ ___________ ___________ ___________ ___________
Total Hidden Files: ___________ ___________ ___________ ___________ ___________
Evidence of waste, fraud, or abuse (Y/N) (Y requires remarks):
___________ ___________ ___________ ___________ ___________
CLASSIFIED
ASSIGNED DRIVE: C: D: E: F: Other:______
Total Files: ___________ ___________ ___________ ___________ ___________
Total Hidden Files: ___________ ___________ ___________ ___________ ___________
Evidence of waste, fraud, or abuse (Y/N) (Y requires remarks):
___________ ___________ ___________ ___________ ___________
Further action required: (Y/N) ____________
REMARKS:
SYSTEM ID: ___________ (Assigned by CSSM)
DATE:_____/_____/_____
ORGANIZATION:_________________________________
EQUIP:___________________________________
LOCATION: BUILDING___________________________ ROOM NO.________________________________
U/SO: NAME:________________________________
SIGNATURE:__________________________________________
CSSO: NAME:______________________________________
SIGNATURE:__________________________________________
Reviewed BY: NAME:_________________________
SIGNATURE:__________________________________________
ORG:________________________ DATE:______/______/______
GENERAL INSTRUCTIONS:
1. To open a drive, folder, or file, double click on it at the desktop.
2. To close files, quit the program (Quit from the File menu).
3. To close windows to folders and drives, either click once in the close
box on the left corner of its title bar, or select the window and then select
Close (Command-W) from the File menu.
4. Anything that is not a drive or a folder is either a file or a program. Check all files by looking through all of the folders (sub-folders, etc.): open each file and review it, then close it without saving changes if prompted.
DRIVE TYPE: REMOVABLE / FIXED DRIVE /
OTHER:________________
SECURITY SYSTEM: _________________________ NONE
FINDINGS:
UNCLASSIFIED: Total Files:________ CLASSIFIED: Total Files:________
Is there any evidence of waste, fraud, or abuse? Enter Y or N in the appropriate box(s) below.
(Y requires remarks):
UNCLASSIFIED: [ ] CLASSIFIED: [ ] FURTHER ACTION REQUIRED: [ ]
REMARKS:
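As an added example (not part of the DOE plan, and not a DOE tool), the following Python script performs the counting part of the two review procedures above, the DOS CHKDSK/SCANDISK listing and the Macintosh folder walk, on any directory tree: for one logical drive it counts total files and hidden files, flags .EXE/.COM/.SYS files that are not on an approved software list, and prints the rows of the FINDINGS block. The approved list (which in practice would come from the system's Attachment 5, Section II-5) and the sample drive contents are constructed for the demonstration. Unlike step 2 of the DOS procedure, the script only lists and stats files; it never opens or executes them.

```python
"""
Added example (not part of the DOE plan): an offline file-inventory pass
that produces the figures the FINDINGS block asks for (total files, total
hidden files) and flags executables that are not on the approved software
list, so the reviewer knows which names to examine by hand.
"""
import os
import stat
import tempfile
from dataclasses import dataclass, field

# Extensions the plan's procedure singles out as executable content.
EXECUTABLE_EXTS = {".exe", ".com", ".sys"}

# Assumption: in practice this list is taken from the system's Attachment 5,
# Section II-5 (software identification); these names are constructed.
APPROVED_SOFTWARE = {"WP.EXE", "COMMAND.COM", "CONFIG.SYS"}


@dataclass
class DriveFindings:
    root: str
    total_files: int = 0
    hidden_files: int = 0
    hidden: list = field(default_factory=list)       # hidden file paths
    executables: list = field(default_factory=list)  # every .EXE/.COM/.SYS
    unapproved: list = field(default_factory=list)   # executables not on list

    def evidence_of_abuse(self) -> str:
        """The Y/N answer for the 'waste, fraud, or abuse' row."""
        return "Y" if self.unapproved else "N"


def is_hidden(path: str) -> bool:
    """Hidden by Unix convention (leading dot) or by the DOS/Windows hidden
    attribute, which os.stat exposes as st_file_attributes only on Windows."""
    if os.path.basename(path).startswith("."):
        return True
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def inventory(root: str, approved: set) -> DriveFindings:
    """Walk one logical drive (or directory) and fill in a findings record.
    Files are only stat'ed and named, never opened or executed."""
    f = DriveFindings(root)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            f.total_files += 1
            if is_hidden(path):
                f.hidden_files += 1
                f.hidden.append(rel)
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
                f.executables.append(rel)
                if name.upper() not in approved:
                    f.unapproved.append(rel)
    for lst in (f.hidden, f.executables, f.unapproved):
        lst.sort()  # deterministic order regardless of filesystem
    return f


def findings_report(f: DriveFindings) -> str:
    """Render the findings in the layout of the form's FINDINGS block."""
    lines = [
        f"ASSIGNED DRIVE: {f.root}",
        f"Total Files: {f.total_files}",
        f"Total Hidden Files: {f.hidden_files}",
        f"Evidence of waste, fraud, or abuse (Y/N): {f.evidence_of_abuse()}",
    ]
    if f.unapproved:
        lines.append("REMARKS: unapproved executables: " + ", ".join(f.unapproved))
    return "\n".join(lines)


def build_sample_tree() -> str:
    """Constructed sample drive contents so the script runs stand-alone."""
    root = tempfile.mkdtemp(prefix="drive_c_")
    sample = {
        "WP/WP.EXE": b"MZ",              # approved word processor
        "WP/REPORT.DOC": b"quarterly",   # ordinary data file
        "CONFIG.SYS": b"FILES=20",       # approved system file
        "GAMES/TETRIS.EXE": b"MZ",       # not on the approved list
        ".notes.txt": b"personal",       # hidden by leading dot
    }
    for rel, data in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    print(findings_report(inventory(build_sample_tree(), APPROVED_SOFTWARE)))
```

Run the script once per logical drive (C:, D:, ...) identified in step 1 and copy the printed figures into the matching column of the FINDINGS block; the unapproved list is the set of names the reviewer still examines by hand under step 2.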
SYSTEM ID: HQ-________(CSSM WILL ASSIGN)
ORGANIZATION:______________________
LOCATION: BUILDING:__________________________ ROOM NUMBER:__________________
U/SO | | | |
CSSO | | | |
CSSM STAFF | | | |
CSSM | | | |
NUMBER OF "APPROVED FOR CLASSIFIED" STICKERS REQUIRED:_________
| YES | |
1. IS THE CERTIFICATION DOCUMENTATION COMPLETE AND ACCURATE? | | |
2. IS THE SYSTEM LOCATED (OR STORED AND USED IF PORTABLE) IN A LIMITED AREA (WITHIN SECURITY ISLANDS OR IN OFFICES LOCKED WITH A DOE-APPROVED LOCK)? | | |
3. ARE LIMITED AREA WARNING SIGNS AVAILABLE FOR THE DOORS LEADING TO THE ROOMS WHERE CLASSIFIED SYSTEMS ARE LOCATED? | | |
4. ARE DOE/DP-00181/1, DOE COMPUTER/TERMINAL SENSITIVE DATA WARNING SIGNS (CLASSIFICATION LEVEL FLIP CHART SIGNS) AVAILABLE FOR THE SYSTEM? | | |
5. IS THE U/SO AWARE OF THE CLASSIFIED DOCUMENT/MEDIA MARKING/LABELLING PROCEDURES, AND IS THERE EVIDENCE OF ADEQUATE SUPPLIES OF LABELLING STOCK? IF THIS IS A REACCREDITATION REVIEW, IS THERE EVIDENCE OF PREVIOUS COMPLIANCE WITH MARKING/LABELLING PROCEDURES? | | |
6. IS THE U/SO AWARE OF THE PROPER PROCEDURES FOR COMPLYING WITH CLASSIFIED DOCUMENT/MEDIA ACCOUNTABILITY REQUIREMENTS? IF THIS IS A REACCREDITATION REVIEW, IS THERE EVIDENCE OF PREVIOUS COMPLIANCE WITH ACCOUNTABILITY REQUIREMENTS? | | |
7. HAS THE U/SO READ DOE/MA-0427, COMPUTER SECURITY GUIDE FOR USERS? | | |
8. IS RED/BLACK SEPARATION IN COMPLIANCE, OR, IF THE SYSTEM IS A PORTABLE, IS THE U/SO AWARE OF AND IN COMPLIANCE WITH RED/BLACK SEPARATION REQUIREMENTS WHEN USING THE SYSTEM? | | |
9. IS THE U/SO KNOWLEDGEABLE OF BACK-UP PROCEDURES, AND, IF THIS IS A REACCREDITATION REVIEW AND APPLICABLE, ARE SYSTEM DATA AND PROGRAMS ADEQUATELY BACKED UP? | | |
10. IS THE SYSTEM MAINTAINED AND SUPPORTED BY HR-4 (OR, IF THE SYSTEM IS NOT MAINTAINED AND SUPPORTED BY HR-4, HAVE MAINTENANCE PROCEDURES BEEN APPROVED BY THE CSSM AND INCLUDED IN THE INDIVIDUAL PERSONAL COMPUTER SECURITY PLAN)? | | |
11. ARE WRITTEN PROCEDURES IN PLACE TO MONITOR AND DOCUMENT COMPLIANCE WITH LICENSING AGREEMENTS FOR EACH SOFTWARE PACKAGE USED ON THE SYSTEM? IF THIS IS A REACCREDITATION REVIEW, IS THERE EVIDENCE THAT PROCEDURES ARE BEING FOLLOWED? | | |
12. IF THE SYSTEM CONTAINS AN INTERNAL OR EXTERNAL NON-ENCRYPTING MODEM OR FAX/MODEM TO PROCESS UNCLASSIFIED INFORMATION, DOES THE U/SO HAVE A SIGNED STATEMENT OF SECURITY RISK? | | |
13. IF THE SYSTEM IS EQUIPPED WITH AN INFRARED PORT, HAS IT BEEN DISABLED? | | |
14. IF THE SYSTEM IS NOT LOCATED IN A VAULT THAT IS APPROVED FOR OPEN STORAGE OF CLASSIFIED MATTER, HAS THE INTERNAL FIXED HARD DISK BEEN REMOVED? | | |
15. IF THE SYSTEM IS EQUIPPED WITH A MICROPHONE, HAS IT BEEN REMOVED OR OTHERWISE DISABLED? | | |
16. IS THE SYSTEM CONNECTED TO A CLASSIFIED AND/OR UNCLASSIFIED LAN, AND IF SO, IS THE CONNECTION THROUGH AN APPROVED MECHANICAL SWITCH? | | |
17. IF THE SYSTEM IS NOT CONNECTED TO A CLASSIFIED LAN AND/OR AUTHORIZED FOR TRANSMITTING CLASSIFIED INFORMATION USING A STU-III TYPE DEVICE, HAS ALL COMMUNICATION SOFTWARE, INCLUDING ALL MAIL COMMUNICATION SOFTWARE, BEEN ELIMINATED FROM THE CLASSIFIED REMOVABLE HARD DRIVE? | | |
NOTE: THE FOLLOWING QUESTIONS MAY NOT BE APPLICABLE TO THE SYSTEM BEING REVIEWED. IF NON-APPLICABLE, ENTER N/A IN THE "YES" COLUMN. | | |
18. IS THE U/SO AWARE OF THE APPROVED METHOD AND FREQUENCY FOR SANITIZING LASER PRINTER TONER CARTRIDGES? | | |
19. IF APPLICABLE, IS THE U/SO AWARE THAT THE COLOR TRANSFER ROLLS USED IN SOME COLOR PRINTERS MUST BE REMOVED, MARKED AS CLASSIFIED, AND STORED IN AN APPROVED SECURITY CONTAINER WHEN THOSE PRINTERS ARE UNATTENDED? | | |
20. IF APPLICABLE, AND IF THIS IS AN INITIAL CERTIFICATION REVIEW, IS THE U/SO AWARE OF PROCEDURES FOR USING A STU-III SV/DS OR SDD FOR DATA COMMUNICATIONS? IF APPLICABLE, AND THIS IS A REACCREDITATION REVIEW, IS THERE EVIDENCE OF COMPLIANCE WITH THE PROCEDURES? | | |
21. IF THE AIS USES FIXED MAGNETIC STORAGE MEDIA (DESKTOP PCs ONLY), OR IF THE AIS IS LOCATED, STORED, AND/OR USED IN AN APPROVED VAULT, IS THERE EVIDENCE OF CERTIFICATION FROM THE HEADQUARTERS OPERATIONS DIVISION (NN-514) DOCUMENTING THEIR APPROVAL FOR OPEN STORAGE OF CLASSIFIED INFORMATION? | | |
22. IF THE COMPACT DISC DRIVE HAS THE CAPABILITY TO RECORD, IS THE U/SO AWARE OF THE MARKING POLICIES FOR CDs? | | |
23. IF THIS IS A REACCREDITATION REVIEW, AND IF THEY ARE USED ON THIS SYSTEM, ARE NON-DOT MATRIX PRINTER RIBBONS MARKED WITH THE HIGHEST CLASSIFICATION LEVEL AND MOST RESTRICTIVE CATEGORY OF INFORMATION THAT IS PRINTED? | | |
24. IF THIS IS A REACCREDITATION REVIEW, IS DOCUMENTATION OF WASTE, FRAUD, AND ABUSE CHECKS ON FILE WITH THE CSSO? | | |
THIS FORM IS PROVIDED TO AID THE U/SO IN DOCUMENTING HIS OR HER ASSURANCE
THAT THE AIS BEING REVIEWED IS CERTIFIABLE AS MEETING ALL THE APPLICABLE
AIS SECURITY REQUIREMENTS NECESSARY TO PROCESS CLASSIFIED INFORMATION IN
A SECURE ENVIRONMENT.
THE CHECKLIST CONTAINS A SERIES OF QUESTIONS, FOR WHICH YES OR NO
ANSWERS WILL SUFFICE. ALL OF THE QUESTIONS APPLY, AND EACH MUST BE ANSWERED
IN THE AFFIRMATIVE BEFORE THE SECURITY OF THE AIS CAN BE CERTIFIED BY THE
CSSO TO THE CSSM.
WHEN ALL OF THE QUESTIONS HAVE BEEN ANSWERED IN THE AFFIRMATIVE,
AND THE U/SO AND THE CSSO ARE SATISFIED THAT ADEQUATE PROTECTION HAS BEEN
PROVIDED FOR THE SECURITY OF THE SYSTEM, THE SIGNED AND DATED FORM MUST BE
FORWARDED IN A PACKAGE, ALONG WITH THE INDIVIDUAL PERSONAL COMPUTER SECURITY
PLAN AND OTHER APPLICABLE DOCUMENTATION TO THE CSSM, HR-441/GTN. REGARDING
QUESTION 1, APPLICABLE DOCUMENTATION INCLUDES THE CURRENT, APPROVED DOE HQ
MASTER AIS SECURITY PLAN AND COPIES, SIGNED WHERE NECESSARY, OF THE FOLLOWING
ATTACHMENTS:
ATTACHMENT 1 - ANNUAL AIS U/SO ACKNOWLEDGEMENT OF COMPLIANCE
RESPONSIBILITIES.
ATTACHMENT 4 - THIS SECURITY REVIEW CHECKLIST FOR PERSONAL COMPUTER
CERTIFICATION.
ATTACHMENT 5 - INDIVIDUAL PERSONAL COMPUTER SECURITY PLAN.
ATTACHMENTS 2 AND 3 ARE NOT REQUIRED TO DOCUMENT THE INITIAL CERTIFICATION OF THE AIS, APART FROM THE FACT THAT THEY ARE PRESENT AS ATTACHMENTS IN THE MASTER AIS SECURITY PLAN.
SYSTEM ID: HQ-________ (ASSIGNED BY CSSM) DATE OF PLAN:_____/_____/_____
"I"NITIAL ACCREDITATION:______
"D"ECOMMISSIONED______
Effective Date:____/____/____ CSSO's Signature_____________________________________
SECTION I. PERSONAL INFORMATION
| NAME | ORGANIZATION | MAIL STOP | TELEPHONE NUMBER |
I-1. CSSO | | | | |
I-2. ALTERNATE CSSO | | | | |
I-3. USER/SECURITY OFFICER | | | | |
I-4. LOCATION, BUILDING: | ROOM NUMBER: |
SECTION II. SYSTEM IDENTIFICATION
II-1. TYPE OF PERSONAL COMPUTER: DESKTOP (PC):______ PORTABLE (PPC):______
II-2. CLASSIFICATION LEVELS AND AMOUNTS
UNCLASSIFIED % | S/RD % | S/FRD % | S/NSI % | C/RD % | C/FRD % | C/NSI % |
II-3. EQUIPMENT CONFIGURATION IDENTIFICATION: DOE PROPERTY TAG NUMBER (CPU
ONLY):_______________
| COMPLETE MODEL NUMBER | | COMPLETE MODEL NUMBER |
CPU: | | PRINTER: | |
PLOTTER: | | SCANNER: | |
OTHER: | | OTHER: | |
II-4. EQUIPMENT CONFIGURATION (YES, IF PRESENT. NO, IF NOT)
FIXED HARD DRIVES: | REMOVABLE HARD DRIVES: | READ ONLY COMPACT DISC DRIVE: |
PCMCIA CARDS (ATTACH LIST): | MULTIMEDIA: | RECORDABLE COMPACT DISC DRIVE: |
THE FOLLOWING ARE TO BE USED FOR UNCLASSIFIED PROCESSING ONLY
INTERNAL FAX/MODEM: | EXTERNAL MODEM: | A/B SWITCH: (SHOW MODEL NUMBER) |
II-5. SOFTWARE IDENTIFICATION:
TYPE OF SOFTWARE | | |
OPERATING SYSTEM | | |
SECURITY SYSTEM | | |
COMMUNICATIONS | | |
SECTION III. INTERCONNECTION INFORMATION
III-1. IS THE AIS CONNECTED TO ANY OF THE FOLLOWING? | | |
(A) HQ IBM ES/9000 CLASSIFIED HOST VIA SDD? | | |
(B) LIMITED NONSCHEDULED CLASSIFIED DATA TRANSMISSIONS VIA STU-III SV/DS? (IF YES, STU-III MANUFACTURER IS:____________________________ HIGHEST CLASSIFICATION LEVEL AUTHORIZED IS:____________________________) | | |
(C) CLASSIFIED LAN? IF YES, WHICH ONE(S)? | | |
(D) OTHER CLASSIFIED SYSTEM? IF YES, IDENTIFY THE SYSTEM AND ITS SECURITY PLAN | | |
(E) UNCLASSIFIED LAN? IF YES, WHICH ONE(S)? | | |
(F) OTHER UNCLASSIFIED CONNECTIVITY? IF YES, IDENTIFY | | |
NOTE: IF EITHER (E) OR (F) ABOVE IS "YES", SYSTEM
CONFIGURATION MUST INCLUDE AN A/B SWITCH FOR A POSITIVE DISCONNECT WHEN
PROCESSING CLASSIFIED INFORMATION.
SECTION IV. ADDITIONS TO THE DOE HQ MASTER AIS SECURITY PLAN
IV-1. STATEMENT OF THREAT | |
IV-2. RISK ASSESSMENT | |
IV-3. CONTINGENCY PLAN | |
IV-4. COMMENTS |
SECTION V. DEVIATIONS FROM THE DOE HQ MASTER AIS SECURITY PLAN
V-1. MASTER PLAN REFERENCE(S) | |
V-2. ALTERNATE PROCEDURE(S) |
SECTION VI. CERTIFICATION/ACCREDITATION SIGNATURES
BY SIGNING BELOW, THE FOLLOWING OFFICIALS ASSURE A FULL UNDERSTANDING OF
THEIR RESPONSIBILITIES AS PRESCRIBED IN THE MASTER AIS SECURITY PLAN, AND
THAT THE ABOVE INFORMATION IS CORRECT.
VI-1. U/SO ASSURANCE | | |
VI-2. CSSO CERTIFICATION | | |
THE SYSTEM REPRESENTED BY THIS PLAN IS ACCREDITED TO PROCESS CLASSIFIED INFORMATION UP TO AND INCLUDING THE LEVEL OF: | |
VI-3. CSSM ACCREDITATION | | |
THE INDIVIDUAL PERSONAL COMPUTER SECURITY PLAN DETAILS SPECIFIC SYSTEM
CHARACTERISTICS, WHICH INCLUDE THE UNIQUE SYSTEM ID THAT IS ASSIGNED BY
THE CSSM. THIS FORM ASSURES THAT THE ASSIGNED AIS COMPLIES WITH THE STANDARD
CLASSIFIED GUIDELINES AND RECORDS PERSONNEL, SYSTEM, AND INTERCONNECTION
INFORMATION, AS WELL AS ANY INTERCONNECTION BETWEEN THE AIS AND A STU-III
SV/DS. FINALLY, THIS FORM RECORDS ADDITIONS TO, AND DEVIATIONS FROM, THE
DOE HQ MASTER AIS SECURITY PLAN, ALONG WITH SIGNATURES FOR CERTIFICATION AND
ACCREDITATION. IT SHOULD BE NOTED THAT THE INDIVIDUAL PERSONAL COMPUTER SECURITY
PLAN IS USED WITH THE MASTER AIS SECURITY PLAN AND IS NOT USED TO GAIN
ACCREDITATION TO PROCESS CLASSIFIED INFORMATION IN AND OF ITSELF.
THIS FORM IS DIVIDED INTO SIX SECTIONS.
SECTION I - PERSONAL INFORMATION: THIS FIRST SECTION, PERSONAL
INFORMATION, IS SELF-EXPLANATORY AND INCLUDES THE NAME, ORGANIZATION, MAIL
STOP, AND TELEPHONE NUMBER OF THE U/SO, CSSO, AND THE ALTERNATE CSSO.
SECTION II - SYSTEM IDENTIFICATION: THE SECOND SECTION, SYSTEM
IDENTIFICATION, INCLUDES THE CLASSIFICATION LEVELS AND AMOUNTS, A DESCRIPTION
OF THE CPU CONFIGURATION, AND A LIST OF OPERATING SYSTEM, SECURITY, AND
COMMUNICATIONS SOFTWARE PACKAGES.
SECTION III - INTERCONNECTION INFORMATION: THIS BRIEF SECTION REQUESTS
INFORMATION ON THE SYSTEM INTERCONNECTION AND STU-III CONNECTION AND TRANSMISSION
CAPABILITIES.
SECTION IV - ADDITIONS TO THE MASTER PLAN: THIS SECTION IS DEVOTED
TO THE COMPLIANCE OF THE SYSTEM WITH THE DOE HQ MASTER AIS SECURITY PLAN. THIS
SECTION SHOULD DESCRIBE ANY ADDITIONAL SAFEGUARDS IMPLEMENTED IN THE AIS
THAT DO NOT APPEAR IN THE MASTER AIS SECURITY PLAN.
SECTION V - DEVIATIONS FROM THE MASTER PLAN: THIS SECTION IS DEVOTED
TO ANY WAYS IN WHICH THE SAFEGUARDS IMPLEMENTED IN THE INDIVIDUAL AIS DEVIATE
FROM THOSE DESCRIBED IN THE MASTER AIS SECURITY PLAN. ANY DEVIATIONS MUST
BE LISTED AND ALTERNATIVE METHODS OF PROTECTION DESCRIBED.
SECTION VI - CERTIFICATION/ACCREDITATION SIGNATURES: THIS SECTION PROVIDES A PLACE FOR EACH SECURITY OFFICIAL TO CERTIFY COMPLIANCE WITH THE DOE CLASSIFIED COMPUTER SECURITY PROGRAM AND THAT SAFEGUARDS ARE IMPLEMENTED TO PROTECT CLASSIFIED PROCESSING ON THE AIS.
This attachment demonstrates the types of classification labels used for
labeling diskettes and their location on those 3.5-inch and 5.25-inch diskettes,
and Mercury and Passport removable hard disk cartridges/drives. These labels
identify the highest classification and most restrictive category of data
for which the AIS has been accredited to process.
The illustration below shows the proper location for the classification markings
on a classified Compact Disc (CD). The markings must appear on both sides of
the disc. Additionally, the plastic storage container must also be marked
using the appropriate classification label (SF-707, SF-708, SF-710). Use
of SF-711 (Data Descriptor Label) is optional. If SF-711 is not used, then
the most restrictive category of information must be hand-written on the
classification label.
MARKING REQUIREMENTS FOR CLASSIFIED
RECORDABLE COMPACT DISC (CD)
AND CD STORAGE CONTAINER
The Portable Personal Computer identified below by make/model and DOE Property Tag Number is accredited to process classified information up to and including:_______________________________________ in
accordance with the DOE Headquarters Master AIS Security Plan.
SYSTEM MAKE/MODEL:________________________ DOE PROPERTY TAG NUMBER:__________________________
CSSO:_______________________________ __________________________ ____/____/____
Printed Name Signature Date
CSSM:_______________________________ __________________________ ____/____/____
Printed Name Signature Date
DOE SYSTEM No. HQ-______ ACCREDITATION EXPIRATION DATE: ____/____/____ |
This System is accredited to process classified information within the limits
of authorized security areas of the Department of Energy Headquarters Only.
Permission must be obtained from other cognizant area CSSOs prior to processing classified information or temporarily connecting to any peripheral device within the boundaries of their
areas of responsibility. |
The following user has a requirement involving a computer which has or will
be accredited to process classified information that cannot be met without
a deviation from the DOE HQ Master AIS Security Plan. (Attach a completed
copy of Attachment 5, Individual Personal Computer Security Plan.)
U/SO:_____________________________________________________
Printed Name
Mission Requirement: The user has a need to ...[insert description of requirement
and its justification].
Deviation: [Describe the engineered procedure/technique which addresses the
mission requirement. Explain how the procedure/technique is the most effective
way of providing the necessary functionality.]
Security Risk: I understand that the security risks are inherently greater
when the above is effected. Appropriate security countermeasures have been
developed to negate this potential risk of compromise. However, I understand
a residual risk of compromise still remains.
User's Acknowledgement: I understand my responsibilities as prescribed in
[supplemental security procedures, and] the Master AIS Security Plan. I will
take the necessary countermeasures to safeguard classified information. Further,
I understand that failure to adhere to these policies may result in a security
infraction.
U/SO Assurance:___________________________________________________________/___/___
Printed Name Signature Date
Office Director's or Program Manager's Risk Acceptance: I certify that the
above requirements cannot be provided utilizing the prior approved
methods/techniques associated with a currently accredited system and that
the deviation from present policy as cited above is necessary. I understand
the potential risk involved with the above procedure/technique. I assume
management responsibility for the security risks involved. Further, I understand
that revocation of classified accreditation may occur if the user does not
comply with established procedures.
Manager's Assurance:________________________________________________________/___/___
Printed Name Signature Date
"clearing" magnetic media (10-7)
"D"ecommissioned (ATTACHMENT 5-1)
access (intro-vii-intro-ix, 5-3, 5-5, 7-1-7-3, 8-2, 8-3, 10-2, 10-3, 10-7, 10-10-10-12, 16-1)
accountability (intro-ix, 7-1, 10-8, 12-2, ATTACHMENT 4-1)
accredit (intro-iv, 7-3)
accreditation (intro-iii, intro-vii, 7-2, 7-3, 8-2, 10-1-ATTACHMENT 1-2, ATTACHMENT 5-1, ATTACHMENT 5-3, ATTACHMENT 5-4)
accredited portable computer validation card (6-2, 7-4)
acquisition specifications (intro-x)
administrative security (intro-viii, 13-1)
ais (intro-iii, intro-iv, intro-vii-intro-x, 5-1-5-3, 7-1-7-4, 8-1-8-4, 10-1-10-6, 10-8-10-10, 10-12-10-14, 11-1, 11-2, 12-1, 12-2, ATTACHMENT 1-1-ATTACHMENT 5-4, ATTACHMENT 8-1)
ais placement and control (intro-viii, 7-4)
building access (intro-viii, 7-1)
cd rom (10-3, 10-8, ATTACHMENT 1-1)
certification (intro-iii, intro-iv, intro-x, 5-2, 10-1, 10-2, 10-10, ATTACHMENT 4-1-ATTACHMENT 5-4)
certify (11-1, ATTACHMENT 8-1)
clearance verification (intro-vii, 6-1)
color transfer rolls (intro-ix, 7-2, 10-6, 10-10, ATTACHMENT 4-2)
compliance review (19-1, ATTACHMENT 1-2)
computer security-trained escorts (intro-x, 13-1)
configuration auditing (intro-viii, 10-2)
configuration control (intro-viii, 10-1, 10-2)
configuration identification (intro-viii, 10-1, 10-2, ATTACHMENT 5-1)
configuration management (intro-viii, 10-1)
configuration status accounting (intro-viii, 10-2)
contingency (intro-x, 15-1, ATTACHMENT 5-3)
copyrights (11-1)
cryptographic ignition key (8-2)
crypto-ignition key (8-3, 10-12)
csom (intro-iv, intro-vii, 2-1, 7-3)
cssm (intro-iii, intro-iv, intro-vii, intro-ix, 5-1, 7-4, 7-5, 8-2-9-3, 10-1, 10-2, 10-9, 10-11, 11-1-12-2, ATTACHMENT 1-1, ATTACHMENT 1-2, ATTACHMENT 4-1, ATTACHMENT 4-2, ATTACHMENT 5-1, ATTACHMENT 5-3, ATTACHMENT 5-4, ATTACHMENT 7-1)
csso (intro-iii-intro-v, intro-vii, intro-ix, 2-1, 5-2, 5-6, 6-1, 6-2, 7-4, 7-5, 8-3, 10-2, 10-8, 10-9, 10-11, 11-1, 12-2, 14-1, 14-2, ATTACHMENT 1-1, ATTACHMENT 1-2, ATTACHMENT 3-1-ATTACHMENT 4-2, ATTACHMENT 5-1, ATTACHMENT 5-3, ATTACHMENT 5-4, ATTACHMENT 7-1)
datapath unit (8-1)
destruction (intro-ix, 7-1, 10-7, 10-8, 11-1, ATTACHMENT 3-2)
disk holders (intro-viii, 10-5)
diskettes (intro-xi, 10-3, 10-4, 10-8, 10-13, 12-2, ATTACHMENT 6-1)
documentation and review (intro-x, 14-1)
dot matrix (intro-viii, intro-ix, 10-5, 10-6, ATTACHMENT 4-2)
emission security (intro-v, intro-viii, 8-1, 8-3)
escort (intro-x)
escorts (intro-x)
exclusion area (7-2, 7-3, ATTACHMENT 1-2)
fax/modem (8-1-ATTACHMENT 5-1)
fixed magnetic media (intro-viii, 10-4)
flip chart (ATTACHMENT 4-1)
individual ais security plan (ATTACHMENT 1-2)
individual personal computer security plan (8-1, ATTACHMENT 4-1, ATTACHMENT 4-2, ATTACHMENT 5-1, ATTACHMENT 5-4, ATTACHMENT 8-1)
individual system description (intro-vii, 5-1)
installation (intro-viii, 5-1, 10-3, 12-1, 12-2, 19-1)
installation control procedures (intro-viii, 10-3)
interim accreditation (17-1)
interim operating procedures (intro-x, 17-1)
labeling (intro-xi, 10-3, 10-5, ATTACHMENT 6-1)
lan (intro-vii, 5-1, 5-4, 5-5, ATTACHMENT 4-2, ATTACHMENT 5-3)
licensing (intro-ix, 11-1-ATTACHMENT 3-2, ATTACHMENT 4-1)
limited area (7-2, 10-2, 10-5, ATTACHMENT 1-2, ATTACHMENT 4-1)
magnetic media (intro-viii, intro-ix, 10-3, 10-4, 10-7, 10-8, 10-13, 12-1-ATTACHMENT 1-2)
maintenance swap controls (intro-vii, 5-5)
marking during classified sessions (intro-viii, 10-3)
marking during unclassified sessions (intro-viii, 10-4)
marking of fixed magnetic media (intro-viii, 10-4)
marking of removable magnetic media (intro-viii, 10-3)
mechanical switching device (5-4, 5-5, 8-1)
media security (intro-viii, 10-3)
media storage (intro-ix, 10-6)
modem (8-1-ATTACHMENT 5-1)
modification controls (intro-vii, 10-2)
monitors (intro-viii, 10-2, 10-5, 10-11)
multi-function printers (10-13)
need-to-know (5-1, 5-3, 7-1, 7-3, 7-4, 8-2, 10-8, 16-1, ATTACHMENT 1-2)
optical scanners (10-13)
organization (intro-vii, 2-1, 5-2, 6-1-11-2, ATTACHMENT 5-4)
password controls (intro-ix, 10-10)
password maintenance (intro-ix, 10-11)
pc (intro-vii, 5-1, 5-4, 5-5, 8-1-8-3, 9-2, 10-13)
periods processing (intro-vii, 5-2, 5-3, 10-6, 10-8)
peripheral sharing (intro-viii, 7-4)
personnel security (intro-vii, 6-1, 12-2, 20-1)
physical security (intro-viii, 10-2)
plotter (ATTACHMENT 5-1)
portable (intro-iii, intro-xi, 1-1, 6-2, 7-4, ATTACHMENT 1-2, ATTACHMENT 7-1)
ppc (1-1-7-4, 8-1-10-2, 10-13, ATTACHMENT 1-2, ATTACHMENT 5-1)
printer (intro-viii, intro-ix, 10-5, 10-6, 10-9, 10-10, ATTACHMENT 1-1, ATTACHMENT 4-2, ATTACHMENT 5-1)
printer ribbons (intro-viii, intro-ix, 10-3, 10-5, 10-6, ATTACHMENT 1-1, ATTACHMENT 4-2)
printouts (intro-viii, 10-5)
prohibited software (intro-viii, 9-1)
property removal authorization (intro-ix, 10-12)
protection index (5-1)
protection rating (intro-vii, 5-1)
qualitative risk assessment (intro-ix, 12-1, 12-2)
reaccreditation (5-2, 5-6, 17-1, ATTACHMENT 1-2, ATTACHMENT 4-1, ATTACHMENT 4-2)
remote diagnostic (intro-x, 18-1)
removable hard disks (intro-xi, 5-3, 8-2, 10-4, 12-2, ATTACHMENT 6-1)
risk assessment (intro-ix, 12-1-ATTACHMENT 5-3)
rules for permitting/denying access (intro-vii, 3-1)
sanitization (intro-ix, 5-3-5-5, 10-7-10-9, 10-12, ATTACHMENT 1-1)
sanitize (10-9, 10-10, ATTACHMENT 1-2)
sdd (intro-viii, 5-4, 8-3, 10-12, ATTACHMENT 4-2, ATTACHMENT 5-3)
security areas (intro-viii, 7-2, 12-1, 12-2, ATTACHMENT 7-1)
security environment (intro-vii, 5-1)
security review checklist (intro-x, ATTACHMENT 4-1, ATTACHMENT 4-2)
security testing (intro-x, 19-1)
software protection (intro-ix, 10-6)
software security (intro-viii, 9-1, 10-12)
stand-alone (3-1, 5-1, 5-5, 6-1, 7-2)
statement of threat (intro-vii, 4-1, ATTACHMENT 5-3)
storage containers (intro-viii, 10-5)
stu-iii secure data device (intro-viii, 8-3)
stu-iii secure voice/data set (intro-iii, intro-viii)
stu-iii user log (intro-x)
telecommunications security (intro-viii, 8-1)
tent sign (10-5)
testing (intro-x)
threat identification (intro-ix, 12-1, 12-2)
toner cartridges (intro-ix, 10-6, 10-9, ATTACHMENT 1-1, ATTACHMENT 4-2)
training (intro-x, 13-1)
trcopy (intro-viii, 9-2)
trusted copy program (intro-viii, 9-2, 9-3)
u/so (intro-vii, intro-x, 5-1, 5-2, 5-6, 6-1-7-4, 8-1, 8-3, 10-8, 10-9, 10-11, 10-12, 14-1-ATTACHMENT 1-2, ATTACHMENT 4-1-ATTACHMENT 5-4, ATTACHMENT 8-1)
undo/redo history (9-2)
user identification code (intro-ix, 10-10)
vault-type room (7-2, ATTACHMENT 1-2)
waste, fraud, and abuse (intro-ix, intro-x, 11-1-ATTACHMENT 4-2)
[End]
Conversion from original WordPerfect format to hypertext by JYA/Urban Deadline.