Headquarters, Department of the Army, Washington, DC, 1 August 1990
Army Regulation 380-19
Effective 4 September 1990
AR 380-19
Information
Chapter 1
Introduction
Purpose 1-1
References 1-2
Explanation of abbreviations and terms 1-3
Responsibilities 1-4
Policy 1-5
U.S. Army Information Systems Security Program (AISSP) 1-6
Information Systems Security Assistance 1-7
Section I
General Policy
Overview 2-1
Systems sensitivity designation and mode of operation 2-2
Minimum requirements 2-3
Section II
Software Security
Software controls 2-4
Database management systems 2-5
Software security packages 2-6
Software design and test 2-7
Section III
Hardware Security
Hardware-based security controls 2-8
Maintenance personnel 2-9
Section IV
Physical Security
Security objectives and safeguards 2-10
Location and construction standards of a central computer complex 2-11
Mainframe computer equipment room standards 2-12
Physical security standards for small computers and other automated information systems 2-13
Section V
Procedural Security
Reporting and accountability 2-14
Password control 2-15
Section VI
Personnel Security
Training and awareness program 2-16
Personnel security standards 2-17
Foreign national employees 2-18
Section VII
Automated Information System Media
Protection requirements 2-19
Labeling and marking media 2-20
Clearing, purging, declassifying, and destroying media 2-21
Nonremovable storage media 2-22
Section VIII
Network Security
Two views of a network 2-23
Section IX
Miscellaneous Provisions
Remote devices 2-24
Employee-owned computers and off-site processing 2-25
Tactical or battlefield automation systems (BAS) 2-26
Laptop or portable automated information systems 2-27
Automated information system security incidents 2-28
Technical vulnerability reporting (RCS: NSA/CSS 1057) 2-29
U.S. Army Automated Information Systems Security Assessment Program (AISSAP) 2-30
Chapter 3
Automated Information System Accreditation
Accreditation overview 3-1
Generic accreditation 3-2
Operational accreditation 3-3
Certification 3-4
The accreditation process 3-5
Reaccreditation 3-6
Accreditation records 3-7
Designated accreditation authorities 3-8
Special provisions for systems processing intelligence data (RCS: CIA 1003) 3-9
Interim approval to operate before accreditation 3-10
Chapter 4
Communications Security
Overview 4-1
Protection of classified information 4-2
Protection of unclassified-sensitive information 4-3
Radio systems 4-4
Protected distribution systems 4-5
Approval of protected distribution systems 4-6
Chapter 5
Risk Management
Risk management overview 5-1
Risk management methodology 5-2
Risk assessment 5-3
Management decision to implement countermeasures 5-4
Control implementation 5-5
Effectiveness review 5-6
Application of risk analysis 5-7
Appendixes
A. References
B. Determining Minimum Requirements from DOD 5200.28-STD
C. Security Plan/Accreditation Document Format
D. Army Internet Policy
E. Clearing, Sanitizing, and Releasing Computer Components
F. Management Control Evaluation Checklist