Beruflich Dokumente
Kultur Dokumente
Security
Information
Systems
Security
Headquarters
Department of the Army
Washington, DC
27 February 1998
UNCLASSIFIED
SUMMARY of CHANGE
AR 380–19
Information Systems Security
This regulation--
o Replaces the acronyms US1, US2, CS1, CS2, and CS3 with Unclassified
Nonsensitive, Sensitive But Unclassified, Confidential, Secret, Top Secret,
and Sensitive Compartmented Information Subsystem to comply with national
policies (para 2-2).
o Introduces the Land Information Warfare Activity as the Army focal point for
reporting system vulnerabilities (2-27).
o Introduces a warning banner for the monitoring of the Army system (para 4-1m).
o Reconstructs chapter 5, Risk Management, to meet the ISS environment
currently facing ISS managers.
Security
Contents (Listed by paragraph and page number) U.S. Army Information Systems Security Program • 1–6, page 4
Chapter 1 Chapter 2
Introduction, page 1 Computer Security, page 6
Purpose • 1–1, page 1
References • 1–2, page 1
Section I
Explanation of abbreviations and terms • 1–3, page 1
General Policy, page 6
Responsibilities • 1–4, page 1
Overview • 2–1, page 6
Security-related requirements • 1–5, page 4
UNCLASSIFIED
Contents—Continued
System sensitivity designation and mode of operation • 2–2, Interim approval to operate before accreditation • 3–10, page 18
page 6 Site-based accreditation • 3–11, page 18
Minimum requirements • 2–3, page 7
Chapter 4
Section II Communications Security, page 19
Software Security, page 8 Overview • 4–1, page 19
Software controls • 2–4, page 8 Protection of transmitted information • 4–2, page 19
Data base management systems • 2–5, page 8 Protection of Sensitive but Unclassified Information • 4–3,
Software security packages • 2–6, page 8 page 19
Software design and test • 2–7, page 8 Radio systems • 4–4, page 20
Protected distribution systems • 4–5, page 20
Section III Approval of protected distribution systems • 4–6, page 20
Hardware Security, page 8
Hardware-based security controls • 2–8, page 9 Chapter 5
Maintenance personnel • 2–9, page 9 Risk Management, page 21
Risk management overview • 5–1, page 21
Section IV Risk management program • 5–2, page 21
Physical Security, page 9 Risk analysis • 5–3, page 21
Security objectives and safeguards • 2–10, page 9 Management decision to implement countermeasures • 5–4,
Physical security standards for smaller computers and other page 22
automated information systems • 2–11, page 9 Implementation of safeguards • 5–5, page 22
Periodic review of the Risk Management Program • 5–6, page 22
Section V
Procedural Security, page 9 Appendixes
Reporting and accountability • 2–12, page 9
A. References, page 23
SCI policy • 2–13, page 10
Password control • 2–14, page 10 B. Army-Sponsored Use of the Internet Computer Systems,
page 24
Section VI
C. Management Control Evaluation Checklist, page 25
Personnel Security, page 10
Training and awareness programs • 2–15, page 10 D. Security Plan/Accreditation Document, page 26
Personnel security standards • 2–16, page 11
E. DOD 5200.28-STD Guidelines for Determining Minimum AIS
Foreign national employees • 2–17, page 11
Requirements, page 27
Section VII F. Clearing, Sanitizing, and Releasing Computer Components,
Automated Information System Media, page 11 page 28
Protection requirements • 2–18, page 11
G. Information Systems Security Monitoring Capabilities and
Labeling and marking media • 2–19, page 11
Restrictions, page 30
Clearing, purging, declassifying, and destroying media • 2–20,
page 12
Table List
Non-removable storage media • 2–21, page 12
Table E–1: Determining minimum evaluation class from DOD
Section VIII
5200.28-STD for multilevel operations, page 27
Network Security, page 12
Table F–1: Sanitizing data storage media, page 29
Two views of a network • 2–22, page 12
Table F–2: Sanitizing system components, page 29
Section IX
Figure List
Miscellaneous Provisions, page 13
Remote devices • 2–23, page 13
Figure 3–1: Example of the format of an accreditation approval
Employee-owned computers and off-site processing • 2–24,
statement, page 17
page 13
Figure G–1: Computer defense assistance program process,
Tactical or Battlefield Automation Systems • 2–25, page 13
page 33
Laptop, notebook, or portable automated information systems
• 2–26, page 13
Glossary
Automated information system security incidents • 2–27, page 14
Index
Chapter 3
Automated Information System Accreditation, page 14
Accreditation overview • 3–1, page 14
Generic accreditation • 3–2, page 15
Operational accreditation • 3–3, page 16
Certification • 3–4, page 16
The accreditation process • 3–5, page 16
Reaccreditation • 3–6, page 17
Accreditation records • 3–7, page 17
Designated approving authorities • 3–8, page 17
Accreditation of sensitive compartmented information (sci) systems
• 3–9, page 18
2. I have reviewed the security measures that have been planned and implemented in the areas of secu-
rity management (that is, software, hardware, procedures, communications, personnel, and physical
security) and operation of the (computer, room, building, and address) and its associated peripher-
als) is considered to be an acceptable risk.
3. Accordingly, accreditation is granted to store and process (insert sensitivity level from para-
graph 2-2a) information in the (insert security mode from paragraph 2-2b) security mode.
(Signature)
Authentication by
Accreditation Authority
AR 15–6 CSC–STD–004–85
Procedures for Investigating Officers and Boards of Officers. Technical Rationale Behind CSC–STD–003-85: Computer Security
Requirements.
AR 25–1
The Army Information Resources Management Program. DA Pam 25–380–2
Security Procedures for Controlled Cryptographic Items (CII).
NCSC–TG–003 Appendix B
A Guide to Understanding Discretionary Access Control in Trusted Army-Sponsored Use of the Internet Computer
Systems. Systems
This policy covers Army-sponsored use of the Internet computer
NCSC–TG–006 systems. It provides the minimum guidelines for such use and does
A Guide to Understanding Configuration Management in Trusted not preclude MACOMs from imposing more stringent local proce-
Systems. dures. The MACOMs may further delegate responsibilities to the
appropriate designated approval authorities, as desired. However,
Table E–1
Determining minimum evaluation class from DOD 5200.28-STD for multilevel operations
Maximum data classification Minimum clearance level of users Case 1 Case 2 Case 3
TS S B2 B3 A1
C B3 A1 N/A
Unclas, Sen A1 N/A N/A
Uncleared N/A N/A N/A
S C B1 B2 B3
Unclas, Sen B2 B3 A1
Uncleared B3 A1 N/A
C Unclas, Sen B1 B2 B2
Uncleared B2 B3 A1
Table F–1
Sanitizing data storage media
Media type Procedure(s)
Magnetic tape
Type I a or b
Type II b
Type III Destroy
Magnetic disk packs
Type I a or b
Type II b
Type III Destroy
Magnetic disks
Floppies Destroy
Bernoullis Destroy
Removable hard disks a or b or c
Non-removable hard disks a or b or c
Optical disks
Read Only (including CD-ROMs) Destroy
Write Once, Read Many (WORM) Destroy
Read Many, Write Many Destroy
Procedures
These procedures will be performed or supervised by the ISSO.
a. Degauss with a Type I degausser.
b. Degauss with a Type II degausser.
c. Overwrite all locations three times (first time with a random character, second time with a specified character, third time with the complement of
the specified character).
Table F–2
Sanitizing system components
Type of component Procedure
C2 ISSRP SIO
command and control information systems security resources senior intelligence officer
program
C2W SIOP–ESI
command and control warfare IW Single Integrated Operational Plan–Extra
information warfare Sensitive Information
C4I
command, control, communications, com- SIPRNET
JWICS
puters, and intelligence secret internet protocol router network
Joint Worldwide Intelligence Communication
CAW System SSA
Certification Authority Workstation system security administrator
LIWA
CD Land Information Warfare Activity SSBI
compact disk Single Scope Background Investigation
MAN
CDAP metro area network TAP
Computer Defense Association Program tactics, techniques, and procedures
NACSIM
CERT National Communications Security (COM- TCB
computer emergency response team SEC) Information Memorandum trusted computing base
PIN: 049400–000
DATE: 06-15-98
TIME: 15:07:16
PAGES SET: 47