Introduction
This regulation establishes Department of the Army (DA) Information Systems Security (ISS) policy. It specifically addresses three of the four ISS subdisciplines: communications security (COMSEC), computer security (COMPUSEC), and electronic security (ELSEC). A confidential supplement, AR 380-19-1, governs the fourth subdiscipline, control of compromising emanations (commonly referred to as TEMPEST).
This regulation-
a. Prescribes security policy for the protection of classified and unclassified-sensitive information contained in or derived from telecommunications or automated information systems (TAIS) and noncommunications emitters.
b. Uses the term ISS when the policy applies across the four ISS subdisciplines to TAIS and noncommunications emitters, but also prescribes unique policy for the subdisciplines of-
(1) COMPUSEC, which applies to automated information systems (AIS). (See 3.)
(2) COMSEC, which applies to telecommunications systems (see chap 3), but which must be accomplished per separate NSA promulgations.
(2) Worldwide Military Command and Control Systems (WWMCCS) sites will also comply with JCS Publication 6-03.7 and other applicable WWMCCS publications.
(3) Systems processing Single Integrated Operational Plan-Extremely Sensitive Information (SIOP-ESI) will also comply with Memorandum, Joint Chiefs of Staff (MJCS) 75-87.
(4) The Automated Message Processing Exchange System sites in which sensitive compartmented information (SCI) is stored or processed in a consolidated Defense Special Security Communications System or General Service facility will also be guided by DOD Pub C-5030-58-M.
(5) Systems processing special access program (SAP) information will also comply with confidential AR 380-381.
d. Describes ISS policy as it applies to security in the areas of-
(1) Hardware.
(2) Software.
(3) Procedures.
(4) Communications.
(5) Personnel.
(6) Physical environment.
(7) Networks.
(8) Electronics.
(9) Control of compromising emanations (covered in a confidential supplement, AR 380-19-1).
e. Applies to-
(1) Classified information in an electronic form, thereby augmenting AR 380-5.
(2) Unclassified-sensitive information, which requires protection to ensure its confidentiality, integrity, or availability.
Required and related publications and referenced forms are listed in appendix A.
Abbreviations and special terms used in this regulation are explained in the glossary.
1-4. Responsibilities
a. The Deputy Chief of Staff for Intelligence (DCSINT) will-
(1) Review, develop, and coordinate Army input to DOD ISS policy documents.
(2) Establish and issue Army ISS policy and standards.
(3) Oversee the collection, analysis, and dissemination of information on the threat to Army TAIS and noncommunications emitters.
(4) Act as the accrediting authority for security accreditation of certain AIS which process intelligence information. (See chap 3.)
(17) Recommend systems for support under the AISSAP to the Commanding General, U.S. Army Intelligence and Security Command (CG, INSCOM).
(18) Recommend ISS doctrine to the Commanding General, U.S. Army Training and Doctrine Command (CG, TRADOC).
c. The Deputy Chief of Staff for Operations and Plans (DCSOPS) will-
(1) Monitor training activities to ensure that proper emphasis is given to ISS during training conducted at all levels.
(2) In matters involving Army combat developments-
(a) Approve ISS studies, concepts, and proposed doctrine.
(b) Approve operational and organizational plans and required operational capabilities for crypto equipment and noncommunications emitter equipment and systems. Establish priorities for the research, development, test, and evaluation (RDTE) effort.
(c) Include realistic and essential ISS requirements in materiel requirements documents for TAIS and noncommunications emitters.
(d) Monitor the allocation of manpower to accomplish essential ISS functions.
(e) Ensure that individual training programs at Army Service Schools include adequate ISS instruction.
(3) When establishing requirements for the use of Army forces-
(a) Integrate ISS into operations security (OPSEC) planning and practices.
(b) Set operational priorities, considering both operational and security requirements, for worldwide distribution of crypto equipment.
(4) Prescribe policy and procedure for physical security planning.
(5) Advise the DCSINT and DISC4 on crime and fraud prevention as they relate to TAIS.
(6) In coordination with DISC4, validate Army ISS requirements and establish priorities for procurement and fielding of ISS equipment and systems.
d. The Deputy Chief of Staff for Logistics (DCSLOG) will-
(1) Develop logistics policies (including integrated logistics support policy), concepts, procedures, and guidance for distribution, supply, maintenance, and transportation of ISS equipment used in support of all Army information management equipment and systems.
(2) Prescribe execution of NSA or DOD logistics management directives that apply to COMSEC material.
(3) Act as proponent of the Army COMSEC Commodity Logistics Accounting Information Management System.
(4) Prescribe and supervise the implementation of procedures for property control and the accounting of COMSEC material during distribution, storage, maintenance, use, and disposal. All guidance will conform with the security standards developed by the DCSINT for safeguarding COMSEC material.
(5) Supervise logistics support planning to ensure the availability of materiel and publications needed for repair, test measurement, and diagnosis of ISS equipment and systems.
e. The Assistant Secretary of the Army for Research, Development, and Acquisition (ASA(RDA)) will-
(1) Develop, coordinate, and allocate RDTE and procurement resources in support of program requirements for ISS. Supervise the execution of RDTE and procurement.
(2) Justify and defend program and budget requirements for ISS RDTE and procurement.
(3) Serve as the Other Procurement, Army appropriations director for COMSEC material.
(4) Forward to NSA the Headquarters, Department of the Army (HQDA)-approved materiel requirements documents for crypto equipment, along with requests for RDTE efforts to fulfill those needs. Designate an Army materiel developer to monitor development and to satisfy Army materiel life cycle management milestones.
(5) Monitor NSA or other service COMSEC or ISS RDTE projects which are of interest to the Army, but are conducted by NSA or another military department. Designate an Army developing agency as defined in AR 70-1 for each project having potential application for Army use. Require the designated agency to maintain liaison with the developer and inform interested Army agencies of the progress of such projects.
(6) Establish, in coordination with NSA, concurrent life cycle management milestones for the development of crypto equipment and any companion information system.
(7) Provide the primary Army member for the NSA COMSEC research and engineering coordination group.
f. Commanders of major Army commands (MACOMs) and the Administrative Assistant (AA) to the Secretary of the Army (acting as the MACOM for all HQDA staff agencies) will-
(1) Administer all aspects of ISS for TAIS and noncommunications emitters developed or operated by command personnel or contractors under their jurisdiction, including field operating agencies.
(2) Appoint an ISS Program Manager (ISSPM) to implement the ISS program within their commands. Provide the ISSPM with sufficient staff to effectively manage the COMPUSEC, COMSEC, Control of Compromising Emanations (see AR 380-19-1 for TEMPEST control officer requirements), and ELSEC subdisciplines of ISS.
(3) Establish an ISS personnel structure in which ISS responsibilities are delineated at all echelons of the MACOM as required by paragraph 1-6.
(4) Ensure proper accreditation of those AIS that fall under their authority to accredit as specified in chapter 3.
g. The Commanding General, U.S. Army Intelligence and Security Command (CG, INSCOM), in addition to the MACOM responsibilities above, will-
(1) Provide Army-wide technical advice and assistance in matters related to INSCOM support of the Army Information Systems Security Program (AISSP).
(2) Provide for counterintelligence support to Army elements on ISS matters, including advising accreditation authorities on the hostile intelligence threat.
(3) Implement the DA AISSAP.
(4) Act as the Army executive agent for the Computer Security Technical Vulnerability Reporting Program.
(5) Recommend TEMPEST technical authorities for certification per confidential AR 380-19-1.
(6) Act as the Army point of contact for AIS under the purview of NSA, providing implementing guidance to NSA promulgations as required.
(7) Review, analyze, and correlate reports of AIS security incidents to detect trends indicating significant weaknesses or threat agent attacks.
h. The Commanding General, U.S. Army Information Systems Command (CG, USAISC), in addition to the MACOM responsibilities above, will-
(1) Establish procedures for accrediting those networks operated by USAISC in support of all Army users. The procedures will establish the specifications a user must meet to connect to a particular network, and will support the overall architecture, integrity, and security of the sustaining base network.
(2) Assist TAIS functional proponents and PMs in identifying security requirements for proposed or existing systems.
i. The Commanding General, U.S. Army Training and Doctrine Command (CG, TRADOC), in addition to the MACOM responsibilities above, will-
(1) Integrate approved ISS doctrine, procedures, and techniques into applicable programs of instruction for TRADOC schools.
(2) Develop Army-wide training literature and training aids in support of the ISS training and awareness program.
(3) Integrate ISS procedures and techniques into the formal evaluations of both individual soldiers and units.
(4) Develop, test, and recommend operational and organizational concepts and doctrine to achieve ISS goals.
(5) Conduct or participate in operational tests of ISS implementations as part of system-wide operational tests, as directed.
j. The Commanding General, U.S. Army Materiel Command (CG, AMC), in addition to MACOM responsibilities above, will-
(1) Provide ISS technical advice and assistance in matters related to architecture, hardware, software, and systems engineering on those systems for which AMC is the materiel developer.
(2) Provide ISS materiel developer support Army-wide (both in RDTE and in production).
(3) Assist TAIS functional proponents and PMs in identifying security requirements for proposed or existing tactical battlefield systems.
(4) Perform integrated materiel management of the COMSEC commodity.
k. Program executive officers (PEOs) and PMs will-
(1) Ensure that the requirements of this regulation are applied in the project development of TAIS and noncommunications emitters.
(2) Act as the accrediting authority for generic accreditation of systems as indicated in paragraph 3-8.
a. TAIS and noncommunications emitters exhibit inherent security vulnerabilities and are known to be targeted by foreign intelligence services. Cost-effective ISS measures are established and enforced in recognition of these vulnerabilities and threats.
(1) Measures taken to attain ISS objectives will be commensurate with the importance of the operation to mission attainment, the sensitivity and criticality of the material being processed, and the relative risks (threats and vulnerabilities) to the system. Cost-effective ISS measures will be applied to counter identified risks.
(2) Statements of security-related requirements will be part of the original design of the TAIS or noncommunications emitter.
(3) TAIS or noncommunications emitter procurement packages will include security-related specifications that are based on stated needs and a cost-benefit analysis.
(4) Costly or elaborate security countermeasures should be applied only when the risk analysis indicates that administrative, personnel, physical, and other less costly measures do not achieve an acceptable level of assurance.
(5) TAIS and noncommunications emitters will not be procured unless they comply with this regulation.
b. Classified and unclassified-sensitive defense information in Army TAIS must be safeguarded against unauthorized disclosure, modification, access, use, destruction, and denial of use. ISS measures are designed to ensure data confidentiality, data integrity, and data availability. The specific mix of ISS measures chosen will depend on the relative importance of each of these factors. Data confidentiality is normally the greatest concern for classified information, although data integrity and availability will frequently be a significant secondary concern. For certain unclassified-sensitive information, data confidentiality may be the greatest concern, while for other such information, data integrity or availability may be paramount.
c. For the purposes of this regulation, unclassified-sensitive information is divided into two categories. These categories are used in establishing ISS measures based on the relative importance of the protection requirements (data confidentiality, data integrity, and data availability). They are also used to describe requirements in this regulation (such as the need for encryption of data, para 1-5c(1)).
(b) May require no protection to ensure data confidentiality. Examples include certain categories of financial data, routine administrative applications, and other data readily available through other sources.
d. Information will be safeguarded by continuous protective measures. These safeguards consist of-
(1) Hardware security.
(2) Software security.
(3) Procedural security.
(4) Communications security.
(5) Personnel security.
(6) Physical security.
(7) Network security.
(8) Electronic security.
(9) Control of compromising emanations (covered in a confidential supplement, AR 380-19-1).
e. Each TAIS handling classified or unclassified-sensitive information will be subject to a formal risk management program according to chapter 3.
g. Measures designed to protect noncommunications emitters will include both-
(1) Operational measures such as site placement, operation, and maintenance considerations for noncommunications emitters.
(2) Inherent measures which incorporate ELSEC design features in noncommunications equipment.
h. Compliance with ISS requirements is an integral part of the information mission area, the Army information architecture, and life cycle management of information systems defined in AR 25-1.
i. The application of ISS measures must include interoperability and compatibility considerations.
j. Training in ISS principles and techniques will be integrated into unit operations at all levels of command.
a. The AISSP is established to consolidate and focus Army efforts in securing information. It is a unified approach to protecting classified and unclassified-sensitive information while in TAIS or noncommunications emitters. The AISSP encompasses security of TAIS and noncommunications emitters during development, acquisition, training, deployment, operations, maintenance, and disposition. The AISSP has been created in recognition of the Army's widespread use of TAIS and noncommunications emitters, and the unique problems associated with their security. As the information they handle and the functions they perform become more sensitive, risk potential of these systems increases. This regulation and its confidential supplement, AR 380-19-1, establish the framework for the AISSP.
b. The AISSP is designed to achieve the most effective and economical security possible for all TAIS and noncommunications emitters, and to develop policy and guidance, identify problems and requirements, and adequately plan for required resources.
c. Commanders and managers implement the AISSP in their command or activity to ensure that-
(1) Systems within their command or activity are operated within the requirements of this regulation.
(2) Requests for new systems, or changes to existing systems, include security requirements appropriate to the system's concept of operation and that, once validated, these security requirements are incorporated into the system's design.
(3) Production-based requirements do not render necessary security measures impractical or cause unacceptable degradation in security.
d. A clearly defined structure of ISS personnel will assist commanders and managers in implementing the AISSP. These personnel act as the focal point for ISS matters within their command or activity. They have the authority to enforce security policies and safeguards for systems within their purview, to include stopping system operation if warranted by the seriousness of a security violation. This hierarchical structure will be established as follows:
(1) Information Systems Security Program Manager (ISSPM). At each Army MACOM and within the office of the AA to the Secretary of the Army (acting as the HQDA MACOM), an ISSPM will be appointed to establish, manage, and assess the effectiveness of the ISS program within that command or activity. This individual will be assigned sufficient personnel assets to effectively manage the COMPUSEC, COMSEC, TEMPEST, and ELSEC subdisciplines of ISS. The ISSPMs appointed by MACOM commanders and the AA to the Secretary of the Army will-
(a) Establish and manage the command ISS program, to include defining the ISS personnel structure and directing the appointment of Information Systems Security Managers (ISSMs) at appropriate subordinate commands, installations, DA staff agencies, field operating activities, and so forth.
(b) Promulgate ISS guidance within each command, to include developing command-unique guidance as required.
(c) Establish a procedure within the command in which the status of all AIS accreditations, their sensitivity levels, and security modes of operation are documented and available.
(d) Act as liaison to INSCOM and nominate AIS for security support under the AISSAP. Establish a program for review and resolution of the findings noted during such support.
(e) Establish an ISS training and awareness program which meets the requirements of this regulation and reaches managers, operators, and users.
(2) Information Systems Security Manager (ISSM). At all appropriate levels of command below Army MACOM and at DA staff and field operating agencies, an ISSM will be appointed to establish and implement the ISS program for all TAIS and noncommunications emitters within that command or activity. This includes posts, installations, and installation equivalents, as well as units. In many cases, these appointments will result in a staff chain of command for ISSM which parallels the command structure. ISSM, for systems within their purview, will perform duties as follows:
(a) Oversee the execution of the MACOM's ISS training and awareness program.
(b) Ensure that an Information Systems Security Officer (ISSO) and network security officer (NSO), if appropriate, are appointed for each separate AIS, group of AIS, or network, and that a terminal area security officer (TASO) is appointed as necessary.
(c) Establish a program to protect telecommunications systems according to chapter 3 of this regulation.
(2) TEMPEST control officers (TCOs) will be appointed per confidential AR 380-19-1.
(3) COMSEC custodians and command COMSEC inspectors will be appointed per AR 380-40.
f. Implementing the AISSP in installation or installation-equivalent environments involving host and tenant units requires thorough coordination among assigned ISS personnel. Non-Army tenants comply with the ISS requirements of their parent agency, and this regulation does not apply. Army tenant units must comply with this regulation and the requirements of their parent MACOM. They must also comply with local installation ISS policy that does not conflict with parent command policy, and does not impede their operational mission.
(1) Host installation ISSM will-
(a) Ensure that adequate ISS support is provided to tenant activities.
(b) Ensure that tenant activities are included in the installation physical security plan, when appropriate.
(c) Ensure integration and coordination of installation level activities which affect security requirements of tenant activities.
(2) Army tenant activities will-
(a) Identify computer facilities to the host installation ISSM.
(b) Provide accreditation status (including date of accreditation and sensitivity level) to the host installation ISSM.
(c) Identify host installation security support requirements and provide technical assistance to the host installation ISSM.
(d) Identify a point of contact for ISS matters to the host installation ISSM.
a. Assistance in identifying TAIS security requirements is available from USAISC through the U.S. Army Information Systems Engineering Command (USAISEC). USAISEC assists functional proponents, systems developers, users, PMs, security personnel, and internal USAISC organizations in determining appropriate security requirements during TAIS design. The appropriate PM should request assistance from USAISEC directly from Commander, USAISEC, ATTN: ASQB-SEP-S, Ft. Huachuca, AZ 85613-5000. If there is no PM, requests should be addressed through the parent MACOM ISSPM to Commander, USAISC, ATTN: ASIS-A, Ft. Huachuca, AZ 85613-5000.
b. INSCOM provides support to Army activities operating AIS through the Automated Information Systems Security Assessment Program. Details are contained in paragraph 2-30 of this publication.