AR 380-19 Information Systems Security


Appendix C
Security Plan/Accreditation Document Format

The format in this appendix is to be used as an outline when preparing accreditation documentation. Each paragraph of the format must be addressed, except that accreditations for small computers may omit the sections marked by an "*". The degree of detail required in each paragraph can and should vary with the system's size, complexity, sensitivity designation, mode of operation, and number of users.

C-1. Basic systems information and identification

a. System name or title. (If the system does not have a name or title, use the manufacturer and model number for the main processing units.)

b. System category. (Indicate whether or not the system is a general AIS support system or has a specific application; for example, intelligence, personnel, financial, and so forth.)

c. Type accreditation. (Indicate whether or not this is a generic or operational accreditation. For operational accreditation, indicate whether or not a single identifiable system or a group of similar systems is covered.)

d. System status. (Indicate either "developmental" or "operational" as appropriate.)

e. System overview. (Provide a description of the function and purpose of the system.)

f. System environment and special considerations. (Describe physical, operational, or other factors external to the system which affect its security. Describe system interfaces to other systems or networks.)

g. Information contacts. (List, as a minimum, the name and telephone number of the appointed ISSO. Other personnel with technical knowledge of the system may be listed.)

h. System identification. (The systems must be identified in the accreditation in a manner sufficient to determine which systems are governed by that particular accreditation. For operational accreditations, this will be done through a serial number listing of the central processing units of the AIS accredited, or through another means that clearly defines the systems accredited. A separate enclosure may be used. For generic accreditations, use military nomenclature, a commonly accepted system acronym, or other method determined by the DAA.)

(*)i. Near- and long-term goals. (Describe near- and long-term goals of the system and the contribution of this accreditation to accomplishing these goals.)

C-2. Sensitivity, Protection Requirements, Security Mode, and Minimum Trusted Class

a. Sensitivity designation. (List the sensitivity designation from paragraph 2-2a. Further describe, in general terms, the nature of the information and the reason it requires protection. Cite appropriate laws requiring protection, such as the Privacy Act, if applicable.)

b. Protection requirements. (Indicate whether the system protection requirements are based on the need for confidentiality, integrity, or availability of the information. For each of these three categories, indicate whether they are of primary, secondary, or no concern. There may be more than one primary concern designated. For example, confidentiality and integrity may both be primary concerns, and availability of information of no concern.)

c. Security mode of operation. (Indicate the security mode of operation from para 2-2b.)

d. Minimum trusted class. (Enter the required minimum trusted system class as determined from appendix B. Indicate how the system meets the class, or include a timetable for meeting the required class according to paragraph 2-3b. Include any applicable information regarding use of products from the EPL.)

C-3. Risk management review (Include in this section a risk management review which includes an examination of threats, vulnerabilities, and the resulting risks according to chapter 5. After determining risks, indicate in the next paragraph the selected countermeasures that result in acceptable risk. For small computers, reference may be made to a single command-wide or installation-wide risk management review, if one exists.)

C-4. Implementation of controls and countermeasures (Include a description of measures taken in the areas of personnel, physical, environmental, procedural, hardware, software, TEMPEST and communications security. Specifically state whether or not a Facility TEMPEST Assessment/Risk Analysis (FTA/RA) is required by confidential AR 380-19-1, and if so the results of the INSCOM review. This section must *WORD* measures support the mode of operation *WORD* tingency planning information or *WORD* plan.)

(*)C-5. Certification (Describe the certification testing that was *WORD* port the accreditation. Attach the certification *WORD* creditations. For operational accreditations, *WORD* plan or describe the certification process in this *WORD*

C-6. Facility information (As with all the documentation associated with accreditation, *WORD* facility information should be tailored to the size, criticality, mode of operation, data sensitivity, and number of users for the AIS.) The following paragraphs will be addressed in compiling facility information:

a. Facility identification and location.

(*)b. Architectural drawings or building plans. (Plans of the building housing the facility should show the location of exits, guard posts, fire alarms and hoses, master utility panels, and facilities adjacent to, above, and below the facility.)

(*)c. Facility floor plan. (The floor plan will show placement of all equipment, fire extinguishers and sprinklers, smoke and motion detection devices, emergency lighting, and so forth.)

(*)d. System interface description. (Include a diagram or a description of interfaces for all major equipment, processing units, terminals, peripherals, communications modems, controllers, concentrators, encryption devices, and other connections.)

(*)e. Other diagrams. (If applicable, diagrams will show specialized displays of communication, electrical wiring, special communication switching, or patching panels.)

f. Operating system. (List the release or level number and date first put into operation on the system.)

g. Applications software. (List the major applications programs or systems.)

(*)C-7. Network considerations (For systems being accredited as a separate AIS in the Interconnected Accredited AIS (IAA) view (para 2-23), indicate the network DAA (if identifiable), and describe the conditions under which connection to the IAA has been approved. For Single Trusted System (STS) view networks, this section should address the network's capability to provide communications integrity, protection against denial of service, and compromise protection. (See para 2-23c.))

C-8. Attachments (This section is not applicable while the document is serving as the security plan; however, when used as an accreditation document and forwarded to the DAA, the below items should be attached as applicable.)

a. Users security manual/SOP. (This is a mandatory and extremely critical item for generic accreditations. It is recommended for operational accreditations, although such procedures may be incorporated in other documents.)

b. TEMPEST FTA/RA and INSCOM response if required by confidential AR 380-19-1.

c. Appointment orders for the ISSO or NSO, as applicable.

d. Approved waivers (for example, COMSEC waivers approved according to chap 4, TEMPEST waivers approved per confidential AR 380-19-1, trusted computer class waivers approved according to para 2-3b, and so forth).

(*)e. Certification plan.