NAVCOMTELCOMINST 5239.1

NCTC-N24 - 7 Jul 93

Subj: AUTOMATED INFORMATION SYSTEM (AIS) SECURITY PROGRAM

Ref: (a) SECNAVINST 5239.2
     (b) DODDIR 5200.28

1. Purpose. The purpose of this instruction is to:

2. Cancellation. NAVTELCOMINST 5239.1.

3. Scope. This instruction applies to:

4. Policy

5. Responsibilities. To ensure the requirements of reference (a) and NAVCOMTELCOM AIS security programs are developed, implemented and maintained, the following responsibilities and authority are assigned as indicated:

6. AIS Security Program Elements. NAVCOMTELCOM DAAs and managers of AISs, networks, and computer resources must support and place an emphasis on the following elements:

7. Terms. A glossary of terms is provided in Appendix D.


/s/K. L. LAUGHTON



Distribution:

SNDL FG2  Naval Computer and Telecommunications Stations and NAVCOMMSTA Stockton

     FG4  Naval Computer and Telecommunications Activity, San Diego

     FG5  Radio Station (Jim Creek only)

     FG6  Naval Computer and Telecommunications Area Master Stations

     FG9  Chief, Navy-Marine Corps MARS

     FG13 Navy Resale Activities 

     FL4  NARDAC (San Francisco only)

     FE4  Security Group Activity (ADAK only)

     FE6  DCMS

     C46A Naval Telecommunication Centers

     C46B NAVCOMM Detachments

     C46C Navy Radio Transmitting Facility

     C46D Navy Radio Receiver Facility

     C46E Navy Link Station

     C46F NCTAMS LANT Detachments

     C46G CNCTC Resale Activity Detachments

     HQ Reserve Unit 

     NAVTELSYSIC 

     NAVEMSCEN 



APPENDIX A
AIS SECURITY IMPLEMENTATION

1. Program Foundation. In the development of an AIS security program the following are the basic rules to apply:

2. Security Implementation. As specified by SECNAV, all computer resources that process or handle classified or sensitive unclassified information shall implement Class C2 (Controlled Access Protection) functionality, as defined in DODDIR 5200.28-STD, by the end of the 1992 calendar year.

3. Program Requirements. The DON AIS Security Guidelines of December 1990 can be used for guidance in preparing documentation.



APPENDIX B
ADDITIONAL CONSIDERATIONS

1. Data Classification. Classification of data is divided into three categories: Classified, Sensitive Unclassified, and Unclassified.

2. Security Mode. Security mode is useful for categorizing AISs into groups based on the classification of information being processed and the clearance level of employees using the AIS.

3. Physical Control

4. User Access. An AIS, network or other computer resource must function in accordance with the "least privilege" principle (as defined in DODDIR 5200.28-STD "Orange Book") so that each user is granted access to only the information to which the user is entitled by virtue of security clearance, of formal access approval, and only the resources necessary to perform assigned functions. In the absence of a specific positive grant of access, user access defaults to no access.

5. Individual Accountability

6. Data Integrity. Assurances must be in place to protect the data being processed, such as:

7. Marking/Handling

8. Operational Data. All data must be identified by its classification or sensitivity before being stored onto an AIS or network. Approval must be obtained from the data owner where appropriate.

9. Internal Security Mechanisms. When an AIS system becomes operational, software and files which provide internal security controls, passwords, and audit trails shall be safeguarded at the highest level data contained in the AIS. Access to internal security mechanisms will be controlled on a strict need-to-know basis.

10. Access Warning. An unauthorized access warning shall be displayed on all visual display devices (i.e., Cathode Ray Tubes (CRTs)) upon system startup, log on, or connection of all computer systems (local or remote). AISs and components which operate in dedicated or system high security mode should use printed labels to identify the highest level processed.

11. Public Disclosure. Prior to public disclosures of limitation, vulnerabilities, or capabilities, AISs must be in compliance with SECNAVINST 5720.44A and OPNAVINST 5510.1H.

12. Malicious Code. Procedures shall be in place to prevent malicious code.

13. Privately Owned Resources. Use of privately owned or leased personal computers, microcomputers or public data networks to conduct official business is allowed only with prior written authorization of the cognizant DAA. Privately owned computers will not be used to process classified data.

14. Encryption. Type 1 encryption must be used when processing classified information. Encryption methods, standards and devices used to protect classified data being processed on AISs and networks must be in accordance with NSA guidance.

15. Interoperability. Security measures for systems connected to other systems via networks or long-haul communications will employ those security solutions/technology which will provide the optimum amount of integrity to satisfy the security requirements. This will be accomplished to the maximum extent feasible.

16. Communications Security. Cryptographic techniques and measures taken to deny unauthorized persons information derived from telecommunications of U.S. Government related to national security and to ensure the authenticity of any such communication.

17. Network/Communications Links. Communication circuits will be secure per the communications security program. AISs handling plain text classified will be installed in an approved Protected Distribution System (PDS). For accreditation purposes, a network shall be treated as: (1) an interconnection of an accredited AIS (which may be a network) or (2) a single distributed system.

18. Emanation Security. AISs and networks will comply with the emanations security (TEMPEST) requirements in OPNAVINST C5510.93.

19. Security Levels. As specified by the SECNAVINST 5239.2 and NAVSO P-5239-15, all AISs, networks and computer resources must meet a minimum of C2 functionality as described by the DODDIR 5200.28-STD. Software and hardware security requirements should be determined in accordance with DODDIR 5200.28-STD.



APPENDIX C
RESPONSIBILITIES OF AIS SECURITY STAFF

1. ADP Security Officer (ADPSO). The activity ADPSO will perform the following duties:

2. Network Security Officer (NSO). The NSO will be appointed for major networks which cross Unit Identification Codes (UICs). This appointment will be in writing by the activity commanding officer. The NSO will:

3. ADP System Security Officer (ADPSSO). The ADPSSO will execute an AIS Security Program and be responsive to operational requirements. The ADPSSO will:

4. Terminal Area Security Officer (TASO). The TASO will enforce all security requirements designated by the ADPSSO for remote terminal areas. The TASO will:



APPENDIX D
GLOSSARY OF TERMS

ACCREDITATION: The formal management authorization for operation of a specific application of an AIS, network or computer resource, based on the results of a security certification and risk assessment. It is a formal decision by the Designated Approving Authority (DAA) that a system is approved to operate in a particular security environment meeting a prescribed set of security requirements.

ASSET: Any software, data, hardware, administrative, physical, communications, or personnel resource within an automated information system or network.

AUTOMATED INFORMATION SYSTEM (AIS): An assembly of computer hardware, software, and/or firmware configured to collect, create, communicate, compute, disseminate, process, store and/or control data or information.

CERTIFICATION: The formal statement made in support of the accreditation process, which establishes the extent that a specific application of an AIS, network or computer resource meets a set of specific technical security requirements.

COMPROMISING EMANATIONS: Unintentional relay of intelligence-bearing signals which, if intercepted and analyzed, disclose the classified information transmitted, received, handled or otherwise processed by any information processing equipment. TEMPEST is an unclassified name referring to investigations and studies of compromising emanations.

COMPUTER SECURITY: Measures required to protect against unauthorized (accidental or intentional) disclosure, modification, or destruction of AISs, networks, and computer resources or denial of service to process data. It includes consideration of all hardware and software functions, characteristics, and/or features; operational procedures, accountability procedures, and access controls at the central computer facility, remote devices; and personnel and communications controls needed to provide an acceptable level of risk for the AIS or network and for the data or information contained therein.

CONTINGENCY PLAN: A plan for emergency response, backup operations, and post-disaster recovery, maintained by an activity as a part of its security program. A comprehensive statement of all the planned actions to be taken before, during and after a disaster or emergency condition including documented, tested procedures which will ensure the availability of critical computer resources which will facilitate maintaining the continuity of operations in an emergency situation.

DATA INTEGRITY: The state that exists when data is unchanged from its source and has not been subjected to accidental or malicious modification, unauthorized disclosure or destruction.

DESIGNATED APPROVING AUTHORITY (DAA): The official who has the authority to decide that an AIS, network or computer resource may operate based on an acceptable level of risk considering the operational need for, and threats to, the system; and who is responsible for issuing an accreditation statement that records the decision.

DENIAL OF SERVICE: Action or actions that result in the inability of an AIS or any essential part to perform its designated mission, either by loss or degradation of operational capability.

LONG-HAUL TELECOMMUNICATIONS: Networks spanning long geographic distances usually connected by telephone lines or satellite radio bands. Specifically, leased and government-furnished circuits or facilities that comprise Defense Communications Systems (DCS) and leased private line circuits for which mileage cost is charged as full air mile increments or cross tariff boundaries. Also includes services that cross local access and transport area boundaries.

NETWORK: The interconnection of two or more independent AIS components that provide for the transfer or sharing of computer system assets. It is composed of the communications medium and all components attached to the medium whose responsibility is the transfer of information. Such components may include AISs, packet switches, telecommunications controllers, key distribution centers and technical control devices.

RISK MANAGEMENT: A process through which undesirable events can be identified, measured, controlled and prevented to effectively minimize their impact or frequency of occurrence. The fundamental element of risk management is the identification of the security posture, i.e., the characteristics of the functional environment from a security perspective. Risk management identifies the impact of events on the security posture and determines whether or not such impact is acceptable and, if not acceptable, provides for corrective action. Risk management, ST&E and contingency planning are parts of the risk management process.

SAFEGUARDS: Any action, device, procedure, technique or other measure that reduces the vulnerability of a system.

SENSITIVE UNCLASSIFIED INFORMATION: Any information which the loss, misuse or unauthorized access to or modification of could adversely affect the U.S. national interest, the conduct of Department of the Navy programs or the privacy of Department of the Navy personnel (e.g., Freedom of Information Act (FOIA), exempt information and information whose distribution is limited by OPNAVINST 5510.161, Withholding of Unclassified Technical Data from Public Disclosure); including any information so identified and marked by authority of the head of any U.S. Government department or agency.

VIRUS: Code that covertly replicates itself onto previously uncontaminated media without initiation by the operator or authorized users. Replication usually occurs during copying of files to magnetic media, or during computer to computer communications. The code usually contains malicious logic that is triggered by some predetermined event. When triggered, the code then takes a hostile action against host computer systems.