24 March 1998

From: stocknws15454764664@juno.com
by toad.com for jya@pipeline.com
Date: Tue, 24 Mar 98 11:50:49 EST
To: stocknws15454764664@juno.com
Subject: NSA planning "penetration study" of NASA computer security


Date: 23 Mar 98 10:07 -0800
TO:   Ames Resident Staff
FROM:   S. Scott Santiago, NASA-ARC CIO
SUBJECT:   Notification That Use of Computer System Constitutes Consent
           to Monitoring



The General Accounting Office (GAO) will soon initiate a Penetration
Study of NASA systems.  GAO intends to use the National Security Agency
(NSA) to conduct the penetration tests.  NASA and GAO are in the process
of developing a protocol for the test.  This test will affect computers
which are Government-owned or Government-funded.  Also, for users, there
can be no expectation of privacy, and that in using the system, they
consent to their keystrokes and data content being monitored.

The National Telecommunications and Information Systems Security,
Communications Security (COMSEC), monitoring guidelines state that users
of systems to be monitored must be properly notified in advance that
their use of these systems constitutes consent to monitoring for COMSEC
purposes.  NSA has told NASA and GAO that before they begin their test,
they need written verification that users have been notified consistent
with these guidelines.

A notification in the Centerwide Email will satisfy providing notice for
this penetration study.  NASA is required to provide a written
certification that this notification has been sent and that a valid
attempt was made to notify all employees and contractors affected by
this penetration testing.

If you would like to respond to this memo electronically, you may do so
by double-clicking the following: mailto:amescio@mail.arc.nasa.gov.