19 November 1999
Source: Hardcopy from the National Security Agency TEMPEST Endorsement Programs, received November 17, 1999. Three packages, listed in the cover letter below, were provided by NSA in response to a telephone request. None of the material is classified.
This is the Zoned Equipment Program (ZEP) Procedures Package, 16 pages total.
See the other two packages, Endorsed TEMPEST Products Program (ETPP) Procedures Package, (96 pages) and Endorsed TEMPEST Test Services Procedures (ETTSP) Package (56 pages).
The material was requested as follow-up to other TEMPEST-related documents obtained by FOIA.
NATIONAL SECURITY AGENCY
FORT GEORGE G. MEADE, MARYLAND 20755-6000
10 November 1999
251 West 89th Street
New York, NY 10024
Dear Mr. Young:
As requested, enclosed is the National Security Agency's Endorsed TEMPEST Test Services Program (ETTSP) Procedures Package, the Endorsed Products Program (ETPP) Procedures Package and the Zoned Equipment Program (ZEP) Procedures Package. Please note that TEMPEST Export Controls can be found on page 18 of the Endorsed Products Program (ETPP) Procedures Package.
If you have any questions in regards to the NSA TEMPEST Programs, please give me a call at (410) 854-6091.
[Name omitted by request]
NSA TEMPEST Endorsement Programs
NATIONAL SECURITY AGENCY
FORT GEORGE G. MEADE, MARYLAND 20755-6000
18 November 1993
MEMORANDUM TO ALL CURRENT AND PROSPECTIVE COMPANIES PARTICIPATING
IN THE TEMPEST ENDORSEMENT PROGRAM (TEP)
SUBJECT: ZONED EQUIPMENT PROGRAM (ZEP) PROCEDURES PACKAGE
In keeping with changes to the National TEMPEST Policy the TEMPEST Endorsement Program (TEP) Office has introduced a new subprogram which will be known as the Zoned Equipment Program (ZEP). This program will involve Industry in the zoning process and allow non-TEP companies to participate.
The ZEP will allow equipment to be zone tested and available for purchase much earlier in a product's life than has been the case with the present Endorsed TEMPEST Products Program (ETPP). Therefore, the latest technology will be available in TEMPEST zoned products. The ZEP products will be listed in the INFOSEC Products and Services Catalogue.
The attached ZEP procedures package is provided as guidance in entering this
program. Any questions pertaining to this procedures package should be addressed
to the TEMPEST Endorsement Program staff using the address and telephone
number listed on the cover page to this procedures package.
[Name omitted by request]
Manager, TEMPEST Endorsement Programs
Office of Programs and Acquisition
1. Zoned Equipment Products Program Procedures
2. Memorandum of Agreement (MOA)
POINT OF CONTACT FOR THE
ZONED EQUIPMENT PROGRAM
ISSO BUSINESS AFFAIRS OFFICE
NATIONAL SECURITY AGENCY
9800 SAVAGE ROAD
FORT GEORGE G. MEADE, MD. 20755-6740
STANDARD OPERATING PROCEDURES FOR THE EVALUATION AND LISTING
ZONED EQUIPMENT PROGRAM
The Zoned Equipment Program (ZEP) is an unclassified program established
to facilitate industry's testing of Commercial Off-The-Shelf (COTs) products
which are not designed to meet the National standard promulgated by NSTISSAM
TEMPEST/1-92, but have been tested against a portion of that standard and
assigned a Zone rating.
2.0 PROGRAM OBJECTIVES
The ZEP is intended to involve industry in the U.S. Government TEMPEST Zoning
Program and to encourage companies to test and market Zoned products with
full understanding of how the Government uses the Zoning Program. The ZEP
will result in more commercial products having a Zone assignment. The streamlined
procedures of the ZEP will allow products to be Zoned and available for purchase
early in a product's life.
3.0 TEMPEST ZONING PROGRAM
The U.S. Government TEMPEST Zoning Program offers a low cost alternative TEMPEST countermeasure to government organizations which require TEMPEST protection. TEMPEST Zoning consists of three distinct processes: facility Zone assignment, equipment Zone assignment and matching Zoned equipment to appropriate facility Zones. Facility Zones are determined by measuring the combined attenuation provided by both the free space distance to the control boundary and the physical building structure. Equipment Zones are obtained by comparing laboratory NSTISSAM TEMPEST/1-92 test results to specified equipment Zone criteria. The resulting equipment and facility Zones are matched (e.g., Zone C equipment is placed in a Zone C facility) to ensure that the radiation from the equipment operating within the facility is reduced to an acceptable level at the nearest control boundary.
Government organizations have Zoned many of their facilities. Facility Zoning
is a relatively low cost activity. The Zoned Equipment Program creates a
mechanism for producers to arrange for Zone testing of their products and
for a Zone Products List to inform users of the the Zone rating of products.
4.0 TEMPEST ENDORSEMENT PROGRAM AND THE ZONED EQUIPMENT PROGRAM
The TEMPEST Endorsement Program (TEP) exists to encourage industry to develop
products which satisfy Level I of NSTISSAM TEMPEST/1-92, the National TEMPEST
Standard. Satisfying Level I requirements involves rigorous design and testing
which requires a classified relationship between the producer, tester and
the government. The TEP provides the mechanism for a no cost, classified,
contractual relationship between companies and the National Security Agency
to produce Level I TEMPEST products which are endorsed by the Government.
The TEP also includes a process for endorsing TEMPEST Test Services. These
same endorsed TEMPEST Test Services will be conducting all Zone testing within
5.0 SUMMARY OF ZONED EQUIPMENT PROGRAM FEATURES
A company may wish to have one or more of its products Zone tested by an
NSA endorsed TEMPEST Test Service. Test plan and test report documentation
will be in accordance with the abbreviated requirements for documentation
in NSTISSAM TEMPEST/1-92 NSA will review and validate the product Zone test
plan and test report before notifying the company of the results and listing
the product on the Zoned Products List (ZPL). Products which satisfy Zones
B or C (corresponding to NSTISSAM TEMPEST/1-92 levels II and III, respectively)
will be listed. Producing companies will be required to arrange for an annual
Zone test of the product to confirm its Zone rating and to demonstrate that
the company wishes to keep the product on the ZPL. A producing company will
only obtain a Zone rating, not the classified test results A Memorandum of
Agreement between the producing company and NSA is required to establish
a formal mechanism by which the parties agree to assume certain responsibilities
and obligations associated with the ZEP. Zoned products will be listed in
the ZPL in the NSA Information Systems Security Organization's Products and
6.0 MARKET AND EXPORT FEATURES
ZEP products may be marketed as any other Commercial Off-The-Shelf equipment.
They will not be subject to export control restrictions based on the TEMPEST
zone rating, unless the ZEP product has been specifically designed to meet
any level of NSTISSAM TEMPEST/1-92. Export control procedures levied by the
State Department or Commerce Department because of non-TEMPEST reasons (e.g.,
high technology, cryptographic, etc.) must still be met. Products which do
not currently require a State Department export license will not require
a State Department export license as a result of a ZEP test. Products submitted
for a ZEP zone rating will not have been designed or modified to incorporate
TEMPEST features. These products are commercial off-the-shelf products which
the manufacturer will submit for a zone test to improve the products'
7.0 ZONED EQUIPMENT PROGRAM REQUIREMENTS
7.1 Eligibility Requirements
Participation via submission of an equipment to an NSA endorsed TEMPEST test facility under the terms of the MOA is open to both U.S. and foreign companies in accordance with the following eligibility requirements:
A) The company, at time of application, must not be presently debarred or suspended from contracting with the U.S. Government.
B) If a company is participating in the TEP at time of application, the company must be in good standing in the TEP, meaning the Agency has not taken action within the last year to exclude the company from participating pursuant to its Operating Procedures for the TEP.
C) The company signs a Memorandum of Agreement (MOA) with NSA (see Section 7.2).
7.2 ZONE TESTING REQUIREMENTS
Equipment zone testing consists of conducting tests in accordance with portions of the classified standard NSTISSAM TEMPEST/1-92. This will not be provided to companies under the ZEP These tests must be performed at an NSA Endorsed TEMPEST Test Services Facility and documentation must be signed by a Certified TEMPEST Professional, Level II (CTP II). The personnel at the Test Service Facility are aware of the necessary zone test requirements. A list of Endorsed TEMPEST Test Services is provided in Chapter Nine of the Information Systems Security Products and Services Catalogue.
7.3 ZONE TESTING DOCUMENTATION REQUIREMENTS
In order for NSA to consider a product for the Zoned Products List, the TEMPEST
Test Service company must complete and forward an abbreviated TEMPEST Test
plan, a TEMPEST test report and a TEMPEST test profile sheet to the TEP office
in accordance with NSTISSAM TEMPEST/1-92, Section 6.8 and Appendix M.
8.0 THE PROCESS FOR LISTING A ZONED PRODUCT
8.1 Written Application for Participation
The company shall submit a written request to the TEP Office including the complete name and address of the company, and the name and telephone number of the Point of Contact (POC) within the company who shall be responsible for answering any questions regarding the request. Subsequent requests to add more products to the ZPL shall reference the initial request and the MOA number assigned to the company. The company POC must be the same individual for all products included under the MOA.
8.2 Memorandum of Agreement (MOA) for the Zoned Equipment Program
The purpose of the MOA (APPENDIX A) is to establish a formal mechanism by which the parties agree to assume certain responsibilities and obligations associated with the ZEP.
8.2.1 Execution of the MOA
Following an assessment that a company meets the eligibility requirements, the Agency shall forward an MOA to the company for execution. Subsequent requests to add more products will not require the execution of another MOA, but will result in product modification to the MOA. The List of Active Products (LAP), which consists of products which have been zone tested, rated, and compiled as an attachment to the MOA, will be revised and dated by the TEP Office and forwarded to the company. The company will then attach the updated LAP to their MOA. A copy of the standard MOA used under this program is attached as Appendix A to these procedures. The MOA must be signed by a company official with the actual legal authority to bind the company to the legal obligations and responsibilities of the MOA.
8.2.2 Attachments to the MOA
The MOA will incorporate by reference these operating procedures and its appendices. These documents specify the administrative and technical requirements for Zoned Product Listing. In the event of a conflict between these procedures and MOA, the MOA shall control. All conflicts should be brought to the attention of the TEP Office.
8.3 Zoned Product Listing
Within 10 working days of the Agency's determination that the product has met the testing and documentation requirements for achieving a Zone assignment, the company shall be notified and the product shall be entered into the National TEMPEST Information Center Data Base, an on-line data base available to portions of the Government user community, and included on the Zoned Product Listing (ZPL) of the next quarterly publication of the Catalogue.
8.3.1 Product Descriptions for Listing
The following guidelines must be used in preparing product descriptions. These descriptions are intended to provide users of the ZEP listing with clear, concise, meaningful information that is not confusing or redundant. Currently, products listed in the ZEP fall into eight categories: computer, computer system, personal computer, portable computer, workstation, facsimile, printer, and scanner. A product may only be listed in one of the categories. In addition to the general category for the product, the product listing should contain the model number of the product and the model numbers of interchangeable units (options) tested with the product; i e., keyboards, monitors, etc. Options cannot be listed as separate products, but only as adjuncts to a product.
The Testing Service will assist the product manufacturer in complying with ZEP product description requirements. The product description must not exceed 5 lines, 80 characters per line. NSA must approve the product description prior to listing on the ZPL. An example of a ZEP listing is provided below
COMPUTER, PERSONALACME Computer, Model 486XTS
ACME Extended Keyboard; 5 MB Main Memory; 3.5 Internal Floppy Disk Drive; ACME Mouse.
((This line available if required)) Zone Rating-C; Testing Service - Realtime Measurement Systems
PRINTERHyperprint, Model Laser IV
1 MB Memory Controller, RS232 and Parallel Controller
((This line available if required.))
((This line available if required.))
Zone Rating-C; Testing Service - American Test Service
8.3.2 Continued Listing Requirements
In order to maintain listing on the ZPL, a yearly Zone retest must be completed on a current production model and the results forwarded to NSA from the Endorsed TEMPEST Test Service prior to the anniversary date of the initial listing on the ZPL. Failure to have the product retested will result in removal of the product from the Zoned Product List.
9.0 DEADLINES FOR PUBLICATION
The complete INFOSEC Products and Services Catalogue is published semiannually with the TEMPEST Supplement to the Catalogue updated on a quarterly basis. Therefore, ZEP products will be added four times per year. The quarterly deadlines for publication are set forth below. A company desiring a product listing for the quarter listed in Column I must ensure that the Endorsed TEMPEST Test Facility with whom it contracts delivers all required documentation to the Agency prior to the publication deadline listed in Column II:
10.0 THE PROCESS FOR AGENCY REMOVAL OF A PRODUCT FROM THE ZPL OR TERMINATION OF THE MOA
10.1 The Process for Agency Removal of a Product From the ZPL
The Agency may initiate the process to remove a single product or products from the ZPL if the company refuses or fails to adhere to the procedural and administrative requirements delineated in the MOA and in these operating procedures.
10.2 The Process for Agency Termination of the MOA
The Agency may initiate the process to terminate the company's MOA and exclude the company from future participation in the program if it finds that:
A) The company is suspended or debarred from contracting with the U.S. Government or,
B) The company refuses or fails to adhere to the procedural and administrative requirements as delineated in the MOA or,
C) The company has knowingly misrepresented the status of its product(s) with respect to compliance with the ZEP.
10.3 Show Cause Notice
The Agency shall notify the company in writing, certified mail, return receipt requested, of its intent to remove a product from the ZPL or to terminate the MOA; inform the company of the grounds upon which such action is founded; and will afford the company ten (10 ) working days to show why the product(s) should not be removed from the ZPL or the MOA should not be terminated.
10.4 Termination Decision
If the company does not respond within 10 days by certified mail, the product will be removed from the ZPL or the MOA will be terminated immediately. Once a product is terminated, the company is prohibited from advertising the product as listed on the ZPL. The Agency shall notify the company, in writing through certified mail, return receipt requested and provide the effective date of termination. If the Agency decides not to remove or terminate, the company shall be notified in writing through routine mail. In the event of an adverse decision, the company shall be advised of instructions on how to appeal the Agency's decision should the company elect to do so. In the case of an adverse decision, the Agency shall not remove the product from the ZPL or terminate the MOA for an additional 14 working days following company receipt of the termination letter, to allow the company an opportunity to appeal the decision to the Agency's Deputy Director for Information Systems Security (DDI). The appeal must be submitted in writing to the TEP Office. The appeal must specify the company's grounds for appeal and must include all pertinent evidence in support of the company's position. Agency termination of the product or MOA shall be based solely on the written evidence submitted, and there shall be no opportunity for oral argument. The DDI shall be the final arbiter of the dispute and his decision is final. Written notice of the DDI decision shall be sent to the company within 10 working days of receipt of an appeal.
10.5 Termination of the MOA and LAP
The MOA shall be terminated when the company no longer has any products on
the ZPL or is no longer pursuing listing on the ZPL.
11.0 THE PROCESS FOR A COMPANY WITHDRAWAL OF A PRODUCT
When a company determines that it no longer desires to maintain a product's listing on the ZPL, the company may submit a written request to the TEP Office to have the product removed from the program. The company's letter must state the reason for withdrawal of the product (e.g., the product is no longer in production).
Upon receipt of the company's letter, the Agency shall notify the company in writing that the product will be removed from the ZPL. It will not appear in the next issuance of the INFOSEC Products & Services Catalogue. The letter shall include, as an attachment, a revised List of Active Products (LAP) under the program.
MEMORANDUM OF AGREEMENT
THE NATIONAL SECURITY AGENCY
INFORMATION SYSTEMS SECURITY ORGANIZATION
THE ZONE EQUIPMENT PROGRAM
This memorandum of agreement (MOA) between the National Security Agency,
information Systems Security Organization (the Agency) and Company Name (the
company) is entered into for the purpose of describing the responsibilities
and obligations of the parties with respect to the Company's involvement
in the Agency's Zoned Equipment Program (ZEP). The Agency has established
the ZEP to facilitate Zone testing of commercial products which could be
included on the Zoned Products List (ZPL). The Zone testing requirements
are set forth in the national TEMPEST standard, NSTISSAM TEMPEST/1-92, entitled
(Compromising Emanations Laboratory Test Requirements, Electromagnetics,"
dated 15 December 1992. The enclosed List of Active Products shall determine
which products are covered by this MOA and which Zone is applicable to each
Therefore, in consideration of the foregoing, the parties agree:
1. The Company shall:
a. On a voluntary basis, at its own risk and expense, enter the program to arrange to Zone test products for consideration for listing under the Zoned Equipment Program. A test plan and test report, provided to NSA, is part of the expense incurred by the company for Zone testing its products.
b. Abide by all the terms and conditions of the following documents which are hereby incorporated into this MOA by reference:1. The Standard Operating Procedures for listing of Zoned products, as applicable. and all subsequent revisions thereto.
2. The List of Active Products (LAP - Attachment 1) for products accepted into the program, and all revisions thereto.
c. Not institute against the U.S. Government any suit or action at law or otherwise, nor in any way aid in the institution or prosecution of any claim, demand, action, or cause of action for damages, costs, loss of service, expenses or compensation arising out of the Company's performance under this MOA or in any way incident to the testing, marketing, or sale of Zoned products. Further, the Company shall hold harmless and indemnify the U.S. Government in any and all capacities for any loss occasioned by the contractors performance under this MOA.
2. The Agency will:
a. Evaluate the product in accordance with NSTISSAM TEMPEST/1-92 and list the Company's Zoned products on the Zoned Products List (ZPL) if the Agency determines from an examination of the test plan and test report that all test requirements of the applicable procedures have been satisfied and that the product satisfies the requirement for Zone B or Zone C. It is understood and agreed that the Agency's listing of the Company's product(s) is a statement of the Agency's findings that the product(s) satisfies the requirements set forth in the Procedures.
b. Include the product(s) that satisfies the requirements in the appropriate chapter of the Information Systems Security Products and Services Catalogue.
3. It is understood and agreed that execution of this MOA by the Agency shall not be construed as a commitment to the Company for the procurement of equipment, nor shall it preclude the U.S. Government from seeking full and open competition to meet its future requirement for such equipment.
4. It is mutually understood and agreed that no promise of payment is made herein and that this MOA constitutes the total obligation of the parties. No other promises, either expressed or implied, are made or are to be imputed between them. Changes to this MOA will not be effective unless reduced to writing and signed by both parties.
5 It is understood and agreed that the terms of this agreement apply to every product on the LAP. The LAP shall be revised every time a product is either accepted into or deleted from the program.
6. This MOA may be terminated by the Company for any reason upon written notice to the Agency. Such termination shall be effective immediately upon Agency receipt of the Company's termination notice, unless otherwise mutually agreed by the parties. Company termination of the MOA subsequent to any product listing will result in automatic revocation of the Agency's listing for every product associated with this MOA
7. The MOA and products may be terminated by the Government in accordance with the Standard Operating Procedures.
8. In the event of any disagreement arising out of, in connection with, or under this agreement, the parties shall, in good faith, reach a negotiated resolution by designating officers of appropriate authority to resolve the disagreement.
9. This agreement shall be governed by, and construed in accordance with Federal statutes and regulations, notwithstanding any State conflict of law statutes, practices or rules of construction.
10. This MOA will become effective as of the date of the latest signature.
|NATIONAL SECURITY AGENCY,
INFORMATION SYSTEMS SECURITY
SAMPLE LIST OF ACTIVE PRODUCTS (LAP)
[End ZEP package.]
Transcription and HTML by Cryptome.