cfISAC.org     Central Florida Industrial Security Awareness Council   
         

Industrial Security Letters  

 
ISL 95L-3
December 5, 1995

This issue of the Industrial Security Letter (ISL) is in response to questions received regarding Chapter 8 of the NISPOM,"Automated Information System (AIS) Security"

  1. Question: ISL 95L-1 and paragraph 1-102c of the NISPOM both state that if any provision of the NISPOM costs more to implement than the 1991 ISM, a notification to my Field Office (FO) explaining the ISM policy, along with an explanation of the additional cost, could result in an extension of up to three years. It is my understanding that I had until July 31, 1995 to do so. Although it is well past the deadline, I have not identified the more costly requirements to my FO nor have I implemented certain new requirements of Chapter 8. What guidance can you provide?

    2. Answer: DIS understood that the July 31st deadline established for implementation would be difficult for some contractors, impossible for others.

    Therefore, contractors that have not yet implemented NISPOM requirements, should develop an implementation schedule consistent with the guidance provided in ISL 95L-1 or ask for a waiver pursuant to paragraph 1-102c of the NISPOM. Your IS Rep and/or AIS Specialist will assist you in developing a timetable for conversion.
     

  2. Question: Is it necessary to convert AISSPs for systems approved under previous policy, merely to make them consistent with the format in paragraph 8-202 of the NISPOM?

    3. Answer: AISSPs for previously accredited systems must be updated to incorporate substantive policy and procedural changes contained in the NISPOM.

    However, it is not necessary to update or convert AISSPs simply to conform to the format at paragraph 8-202 of the NISPOM. The format of AISSPs is not of any particular significance to the Department of Defense. The arrangement of information within AISSPs should be determined by each Information Systems Security Representative (ISSR) based upon company needs.
     

  3. Question: Can I process classified information associated with a contract awarded after July 31, 1995, on an AIS approved under ISM standards?

    4. Answer: Yes. Systems accredited (approved) under previous policy (the Industrial Security Manual) remain accredited and may continue to be used for processing classified information. There are no plans to summarily withdraw accreditations or to prohibit classified processing for AISs accredited under the ISM. However, it is important that contractors implement the requirements of the NISPOM in a timely manner. Systems being used for new contracts should be scheduled for conversion to the NI SPOM requirements as soon as possible.
     

  4. Question: All of my ISM approved SPPS were updated to include the NISPOM requirements and forwarded to my field office for accreditation. When can I begin to follow the new AISSPs?

    5. Answer: As soon as you receive interim or final approval from DIS. Until you receive such approval, you should continue to use the previously approved procedures.
     

  5. Question: Paragraphs 8-100b, 8-102(12), and 8-403c(1) discuss the "threat" as it relates to the accredited AIS. How do contractors obtain threat data?

    6. Answer: The standards and requirements of the NISPOM are designed in response to the general threat. When specific threat information known to the DoD exists, it will be conveyed to the facility FSO (usually by DIS) who will advise the ISSR as necessary.
     

  6. Question: Paragraph 8-101 states that Chapter 8 describes the minimum security requirements for an AIS "processing" classified information. Taken literally, does this mean that Chapter 8 would not apply when the AIS is "not processing" classified information?

    7. Answer: No, the requirements of Chapter 8, specifically paragraph 8-300 (Physical Security) and paragraph 8-301 (Software Controls) apply throughout all phases of accreditation. "Processing" as discussed in paragraph 8-101 should be interpreted as "accredited to process."
     

  7. Question: Paragraph 8-102b states that the contractor shall appoint an ISSR and identifies 18 responsibilities. Can multiple ISSR's be appointed or can designated security custodians (8-102b(10)) act in behalf of the ISSR?

    8. Answer: Only one ISSR can be appointed by the contractor (each cleared facility). However, security custodians can be designated by the ISSR in facilities with multiple AISs or multiple classified shifts to act on behalf of the ISSR.
     

  8. Question: Paragraph 8-102b(9) and paragraph 8-303b differ in the interval for audit reviews. Paragraph 8-102b(9) says "at least weekly"; paragraph 8- 303b says "at intervals specified in the AISSP." When should the ISSR and/or custodian perform the audit reviews?

    9. Answer: The interval for audit reviews is dependent upon the security mode and amount of classified information processed. The frequency of audit reviews should be mutually determined between the ISSR and DIS representatives, but as a general rule, these reviews should be weekly.
     

  9. Question: Paragraph 8-102b(13) states that a Memorandum of Agreement (MOA) is required when the AIS supports multiple CSAs and paragraph 8-401b states that an MOA is required when there are multiple accrediting authorities. When is an MOA required?

    10. Answer: An MOA is required when there is an interconnection of 2 or more AISs having different accrediting authorities in order to stipulate the terms and conditions for the overall security of the network. The resulting network must be separately accredited by the Cognizant Security Agency (CSA), that is, the Department of Defense (DoD), the Department of Energy, the Central Intelligence Agency, or the Nuclear Regulatory Commission. If the DoD is the accrediting agency for all AISs proposed for the interconnected network, the DoD would be responsible for accrediting the resulting network of systems.

    The DoD accrediting authority, normally the Defense Investigative Service, is responsible for the accreditation of the network jointly wit h all DoD components and non-DoD agencies that have separately accredited AISs proposed for the network.
     

  10. Question: Paragraph 8-200d states that accreditation can be withdrawn by the CSA when there is an unacceptable change in the system or its security configuration. Please explain.

    11. Answer: The CSA is obligated to withdraw accreditation when a change is made to the AIS that could reasonably result in the compromise of classified information.
     

  11. Question: Paragraph 8-200e does not appear to limit the contractor's self-approval authority to only the dedicated mode as does paragraph 8-102b(16). Can self-approval authority be authorized for the system high, compartmented and/or multilevel mode?

    12. Answer: Self approval authority is only authorized for the dedicated mode. The ISSR may also approve changes to dedicated and system high mode AISs pursuant to paragraph 8-102b(17).
     

  12. Question: Paragraph 8-200f states that an AIS may be reaccredited after review, analysis and approval of an updated AISSP. What events require reaccreditation?

    13. Answer: Any hardware, software or procedural change that the ISSR and/or the CSA determines will affect accredited security controls of the AIS.
     

  13. Question: Is an inventory listing required as part of the configuration management procedures described in paragraph 8-202b?

    14. Answer: As a practical matter, all major hardware/firmware configured for classified processing must be identified by nomenclature, model and manufacturer. All resident software used for classified and unclassified processing must be identified by software name, version, manufacturer, and intended use or function. The ISSR or designee is responsible for maintaining and keeping such information current.
     

  14. Question: Paragraph 8-202b refers to "installation structures" as being part of the CM procedures. What are they?

    15. Answer: The procedures or process used to install hardware or software.
     

  15. Question: Paragraph 8-202c(3) refers to "transaction receipts" as part of the accredited AIS audit features and controls. What are they?

    16. Answer: Any receipts associated with the AIS, such as maintenance, from accreditation to final declassification.
     

  16. Question: Paragraph 8-202g states that individuals receiving AIS training "may" be required to sign an agreement to abide by the security requirements specified in the AISSP. When should this agreement be required?

    17. Answer: The decision to require execution of an agreement is made by the ISSR.
     

  17. Question: If a contractor is processing only collateral classified information on an AIS, would there ever be a requirement to process in the compartmented mode?

    18. Answer: No.
     

  18. Question: Paragraph 8-204b(1) states that security requirements for the dedicated mode will "enforce system access procedures." Are the access procedures physical, logical, and/or administrative?

    19. Answer: Contractors may use physical, technical and/or administrative measures to control access to dedicated mode AISs; however, technical security controls are not required for dedicated mode AISs.
     

  19. Question: What are the audit requirements for the dedicated mode?

    20. Answer: The audit logs identified in paragraph 8-303 are the only audit requirements for the dedicated mode.
     

  20. Question: Paragraph 8-208b discusses the use of a "time lockout" during interactive sessions in the system high mode. Are "time lockouts" required beginning in the system high mode?

    21. Answer: No. Time lockouts were included in the NISPOM as a means of assisting the AIS user in protecting classified information. Under normal circumstances, AIS users should never leave their terminal unattended during classified processing. However, if necessary, time lockouts are available as part of the access control policy as long as their use is described in the AISSP.
     

  21. Question: Paragraph 8-208c requires that the security features at the system high mode provide an audit trail capability. Does this mean only the "capability" and the actual auditing of user events is not required?

    22. Answer: No. Beginning at the system high mode, automated audit trails are required.
     

  22. Question: Paragraph 8-208c identifies two audit events for the system high mode, where the 1991 ISM identified many. Are these the only two audit events that have to be recorded?

    23. Answer: Yes.
     

  23. Question: In discussing the logon attempt rate, paragraph 8-208g(3)(a) states that the CSA will approve other such methods besides those that are listed. What are they?

    24. Answer: The methods discussed in the NISPOM are common practices; however, other methods meeting the intent of the requirements of user authentication are also acceptable.
     

  24. Question: Paragraph 8-209a states that beginning at the system high mode, "hardware and software is examined when received from the vendor." Is the vendor the person or place where you buy or lease your AIS? What if the hardware and/or software is received not directly from the vendor but from a third party?

    25. Answer: All hardware and software must be examined before being used, regardless of the source.
     

  25. Question: If I have contracts that have compartments or subcompartments, and I have an accredited compartmented mode AIS, can I also process classified collateral information?

    26. Answer: As a general rule, yes. The ISSR should consult with appropriate contract and accreditation officials.
     

  26. Question: Paragraph 8-213 discusses the multilevel security mode. One of the conditions of this mode is that all users have a personnel security clearance (PCL). My customer runs a multilevel system and they allow uncleared users. What should I do if my customer wants to network my AIS to their multilevel system?

    27. Answer: Uncleared contractor personnel are not allowed to be users or to access an AIS accredited to process classified information. Accordingly, the possibility of a policy exception would have to be considered by the CSA in coordination with the customer.
     

  27. Question: Paragraph 8-300b requires that attended classified processing " shall take place in an area, normally a Restricted Area, where authorized persons can exercise constant surveillance and control of the AIS." What requirements should I use in establishing restricted areas?

    28. Answer: Use whatever procedures, processes, and/or physical or technical means necessary to effectively control access to the AIS during attended processing. Additional guidance regarding Restricted Areas is contained in Chapter 5, Section 3.
     

  28. Question: Paragraph 8-300b states that all unescorted personnel to the area where classified processing is taking place "must have a government granted PCL..." Is the requirement directed to the thousands of contractor granted CONFIDENTIAL clearances carried over from the ISM?

    29. Answer: Individuals with contractor granted CONFIDENTIAL PCLs do not require escorts in an area where CONFIDENTIAL processing is taking place, provided the access limitations prescribed by paragraph 2-205 are not exceeded.
     

  29. Question: Paragraph 8-301f states that use of software of unknown or suspect origin is "strongly discouraged." However, in various security forums around the country, DIS is saying that it can not be used to process classified information. What is the policy?

    30. Answer: DoD strongly discourages the use of software derived from non-conventional sources because it is at greater risk for malicious code. However, the policy does not prohibit the use of such software, provided proper procedures to review the software prior to installation are documented in the AISSP and followed.
     

  30. Question: Paragraph 8-301h requires "vendor-supplied software" used for maintenance or diagnostics be "controlled as though classified." Is this requirement restricted to software supplied only by a vendor or does it apply to all maintenance and diagnostics software?

    31. Answer: All software used for maintenance or diagnostics must be protected at the level of the accredited AIS. Exceptions for vendor supplied software on write-protected media may be permitted on a case-by-case basis by the CSA. When authorized, procedures for handling such software on write-protected media must be contained within the AISSP.
     

  31. Question: What are the marking requirements for AIS media?

    32. Answer: In general, the overall marking requirements of paragraph 4-200 apply. The media is marked as to its identification (4-202), its overall markings (4-203), and the classified by, downgraded to and/or declassified on lines (4-208).
     

  32. Question: Paragraph 4-311b of the 1991 ISM required that AISs provide for "internally recorded" security markings on AIS media. The NISPOM is silent on this requirement. Are internal markings required on AIS media?

    33. Answer: For the dedicated and system high mode, it is the responsibility of the user to ensure that appropriate markings are affixed when classified information is reproduced or generated. For the compartmented and multilevel mode, security feature s of the AIS will automatically affix the appropriate markings.
     

  33. Question: Paragraph 8-302f requires that media sanitization actions be verified. If I have a significant number of classified media that need to be sanitized, would each sanitization action require verification?

    34. Answer: As a general rule, only a random sampling would need to be verified when using an approved degausser. However, every sanitization action would require verification when using an approved overwrite utility.
     

  34. Question: In addition to the verification of the sanitization action, paragraph 8-302f requires a record be annotated that "shows the date, the particular sanitization action taken, and the person taking the action." However, there isn't any mention of classification level of the media and since CONFIDENTIAL and SECRET do not require accountability, must the record be annotated?

    35. Answer: Yes. The requirement to record the sanitization action is not classification dependent. It should be noted that paragraph 8-303a(4) requires sanitization records be maintained as part of the audit logs.
     

  35. Question: Paragraph 8-303 states that the contractor will retain audit trail records until reviewed but not more than 12 months. Is it permissible for the ISSR to release audit trail records once they are reviewed?

    36. Answer: No. The contractor is responsible for retaining the latest 12 months of audit trail information for the CSA to review. This applies to both the security audit information (8-303) and the automated audit trail information identified under t he security features for the system high (8-208c), compartmented (8-211g) and multilevel (8-214a) mode.
     

  36. Question: Paragraph 8-304a does not mention non-removable storage media or any requirements for the use of non-removable storage media during security level upgrading. Can non-removable storage media be used to process classified information?

    37. Answer: Yes. Non-removable storage media can continue to be used to process classified information. If used, certain upgrading requirements (8-304a(4)), downgrading requirements (8-304b(2)) and declassification/sanitization requirements (8-302g) must be identified in the AISSP.
     

  37. Question: Paragraph 8-304a(5) requires that the AIS be initialized with a dedicated copy of the operating system protected commensurate to the classified level of the information to be processed. If I process CONFIDENTIAL, SECRET and TOP SECRET during different independent processing sessions, would I need three copies?

    38. Answer: Yes, unless administrative and procedural measures are taken that eliminate or reduce duplicate copies. Contact your IS Rep or AIS Specialist for additional guidance.
     

  38. Question: If I am downgrading from a TOP SECRET session and have used non-removable media, what procedures do I follow? Paragraph 8-304b(2) says sanitize but the "Clearing and Sanitization Matrix" says I can't use a three-time overwrite at the TOP SECRET level.

    39. Answer: Option "d" of the "Clearing and Sanitization Matrix" is referring only to sanitization for declassifying purposes. When downgrading (8-304b), TOP SECRET media can be sanitized (i.e., three-time overwrite).
     

  39. Question: Paragraph 8-305 limits access to unattended hardware only to personnel cleared for the highest level of classified information processed on the AIS. If I have an accredited multilevel mode system, can personnel cleared CONFIDENTIAL h ave access to unattended equipment (e.g., terminals, printers) that process only CONFIDENTIAL information?

    40. Answer: As a general rule, yes. Contact your IS Rep or AIS Specialist for additional guidance.
     

  40. Question: Paragraph 8-305c states that the logon password file should be encrypted when practical. Since authentication techniques, in this case passwords, are required beginning at the system high mode, should not the logon password file always be encrypted?

    41. Answer: No. However, when the logon password file is not encrypted, the AIS will need a strong access control policy. This will permit only authorized system administrators (e.g., ISSR) access to the non-encrypted passwords.
     

  41. Question: Paragraph 8-305d(2) does not address the "one-way" connection of an unclassified AIS to a classified AIS. Is this still permitted?

    42. Answer: This paragraph is discussing "general" connection requirements for collocated classified and unclassified AISs. One-way connection is allowed under specific conditions, when addressed in the AISSP. Contact your IS Rep or AIS Specialist for additional guidance.
     

  42. Question: Paragraph 8-306 states that cleared maintenance or diagnostics personnel do not normally require an escort but that need-to-know "must be enforced." This is a big change from previous policy. What advice do you have?

    43. Answer: The enforcement of need-to-know within the context of paragraph 8-306 means simply that the company has an obligation to ensure that personnel who perform maintenance and diagnostic actions are limited to data, information, hardware, firmware, and software for which they are authorized.
     

  43. Question: Must escorts for uncleared maintenance personnel be "technically knowledgeable" (8-306b)?

    44. Answer: A technically knowledgeable escort is preferred; however as a minimum, the escort must be sufficiently knowledgeable concerning the AISSP, established security policies and practices, and escorting procedures.
     

  44. Question: Paragraph 8-306c states that uncleared personnel doing maintenance shall not use the dedicated copy of the system software with a direct security function. Please explain.

    45. Answer: The dedicated copy of the system software shall never be used by uncleared personnel, maintenance or not. Even though system and/or maintenance software is not classified, both require control and protection at the level the AIS is accredited.
     

  45. Question: Paragraph 8-306e states that maintenance and diagnostics should be performed in the contractor facility when practical. What does this mean? The current practice in industry seems to be the opposite.

    46. Answer: Maintenance and diagnostics functions performed within the contractor's facility is generally preferable because the possibility of greater control exists; however, those functions may be performed outside the facility at the discretion of the ISSR. The ISSR must decide what is most practical under a particular set of circumstances, and security is but one of many considerations which must be taken into account.
     

  46. Question: Paragraph 8-306e states that any AIS component or equipment released from secure control for maintenance is no longer part of the accredited system. Once equipment is repaired and returned, can it again become part of the accredited system?

    47. Answer: Yes, but in some cases the reintroduction of equipment must be approved by the ISSR while CSA approval is required in other cases. In addition, beginning at the system high mode, the equipment must be examined prior to reintroduction.
     

  47. Question: Paragraph 8-306g requires the "contractor" to approve the use of certain maintenance tools. Does the "contractor" mean any employee, any user or just the ISSR?

    48. Answer: Only the ISSR and/or their security custodians can approve the use of maintenance equipment. This may be accomplished as part of the configuration management procedures, which include specific approval procedures and authorization requirements for the use of maintenance equipment and are described in the AISSP for each AIS.
     

  48. Question: Paragraph 8-306h discusses the "proper release procedures" that are completed before component boards are allowed to leave the security area. What are "proper release procedures?"

    49. Answer: The "Clearing and Sanitization Matrix" on page 8-3-5 discusses the technical requirements; the audit requirements are discussed in paragraph 8- 303a(1).
     

  49. Question: What procedures must be followed to utilize remote diagnostic or maintenance services?

    50. Answer: Paragraph 8-306i provides guidance on their use.
     

  50. Question: What procedures should be followed to sanitize static random access memory (SRAM)?

    51. Answer: The manner in which SRAM is used during a classified session is critical in determining the appropriate option identified on page 8-3-5. In certain cases, information remains stationary within the SRAM during processing. In those cases, op tions "c and f" might be appropriate. But in other cases, information "flows" through the SRAM and option "g" might be most appropriate. Importantly, procedures for effectively clearing and sanitizing units with residual memory need to be coordinat ed with DIS AIS Specialists.
     

  51. Question: The footnote on the bottom of the Clearing and Sanitization Matrix (page 8-3-5) states that all magnetic tapes "must be labeled" as to their "Type" if more than one type exists and the contractor has an approved degausser. If I have only Type I and II tapes and have an approved Type II degausser, should the tapes be labeled?

    52. Answer: As a general rule, no.
     

  52. Question: Sections 1, 2 and 3 of Chapter 8 do not include transmission control requirements. The 1991 ISM (paragraph 8-310) identified both Intra and Inter-Complex requirements. The NISPOM in Section 4 (Networks) does discuss "Protected Distr ibution Systems" (PDS) and National Security Agency approved encryption methodologies but only as they relate to transmitting classified information between network components. What requirements do I follow?

    53. Answer: The absence of transmission control standards within Chapter 8 was an oversight. Pending coordination and publication of an AIS transmission control policy for inclusion in the NISPOM, contractors under DoD security cognizance are requested to follow the standards contained in paragraph 8-310 of the 1991 ISM.