COMNAVRESINTCOMINST 5239.1B
15 May 1994
COMNAVRESINTCOM INSTRUCTION 5239.1B
Subj: NAVAL RESERVE INTELLIGENCE PROGRAM AUTOMATIC DATA
PROCESSING/INFORMATION SYSTEMS (ADP/IS) SECURITY PROGRAM
Ref: (a) SECNAVINST 5239.2
(b) COMNAVDAC AUTOMATED INFORMATION SYSTEMS SECURITY GUIDELINES
(c) OPNAVINST C5510.93
Encl: (1) Media Security Controls
(2) COMNAVRESINTCOM 5239/1, Release and Hold Harmless
1. Purpose. Provide guidance to Reserve Intelligence Area
Commanders (RIACs) and Selected Reserve unit commanding officers to
meet Department of the Navy requirements regarding AIS security and
the use of privately owned microcomputers and software for processing
data related to Department of the Navy (DON) matters.
2. Cancellation. COMNAVRESINTCOMINST 5239.1A.
2. Background. ADP/IS security policies for the Navy were
established by reference (a) which directed commanding officers to
implement a comprehensive program of ADP/IS security. Enclosure (1)
provides procedures for the control and safeguarding of classified
AIS storage media and classified AIS system products similar to hard
copy classified material of similar classification.
3. Scope. This instruction applies to all Automated Data
Processing (ADP) and Office Information Systems (OIS) users and
personnel in the NRIP. Each member has a personal responsibility to
ensure the continued protection of classified AIS information,
material, hardware and software. Consult your unit AIS Security
Officer (AISSO) or Terminal Area Security Officer (TASO) for
assistance with any AIS security related questions or problems. In
the event items in this instruction are in conflict with directives
of higher authority, the directives of higher authority will take
precedence. In such instances notify the COMNAVRESINTCOM AISSO as
soon as possible.
4. Definitions. The following definitions, as defined in
references (a) and (b), apply throughout this
instruction.
a. AADPSP - Activity ADP Security Plan
b. ADP - Automated Data Processing
c. ADPSO - ADP/IS Security Officer
d. ADPSSO - ADP System Security Officer
e. AIS - Automated Information System
f. DAA - Designated Approving Authority
g. IS - Information Systems
h. Level I Data - All classified data (CONFIDENTIAL AND
HIGHER)
i. Level II Data - All UNCLASSIFIED SENSITIVE data (For
Official Use Only, Privacy Act, Financial, etc.)
j. Level III Data - All UNCLASSIFIED data
k. OIS - Office Information Systems
l. OISSO - OIS Security Officer
m. TASO - Terminal Area Security Officer
5. Responsibilities
a. Commander, Naval Reserve Intelligence Command. The
Commander is responsible for:
(1) Accrediting all ADP and OIS for which he/she is the Designated
Approving Authority (DAA). The DAA is the official with authority to
approve ADP elements, activities and networks under his/her
jurisdiction/command. The Commander is authorized to approve all AIS
processing up to GENSER top secret. For all other classifications
refer to reference (b) paragraphs 3.2.2.1 through 3.2.2.7. Activities
processing classified information are required to comply with
reference (c).
(2) Developing an Activity Automated Data Processing Security Plan
(AADPSP) to provide adequate security to protect all ADP and OIS,
including the integrity of the data being handled.
(3) Authorizing by position for the
headquarters staff, in writing, the use of privately owned computer
equipment for official government business. Privately owned computer
equipment may be used for level II and III data only.
(4) Ensuring personnel filling billets authorized to use privately
owned computer equipment complete COMNAVRESINTCOM form 5239/1
enclosure (2) and return it to a designated member of the
COMNAVRESINTCOM Active Duty Staff.
(5) Ensuring a designated member of the COMNAVRESINTCOM Active
Duty Staff maintains a current listing of all positions, including
the name and Social Security Number of the personnel filling
authorized positions, authorized to use personal computers and ensures
a completed COMNAVRESINTCOM form 5239/1 is on file for the individual
filling each authorized position.
(6) Appointing an ADP/IS Security Officer (ADPSO) in writing to
act as the focal point for all ADP Security matters. The ADPSO
will:
(a) Coordinate with the command security manager on matters
concerning ADP/IS security to comply with references (a) and
(b).
(b) Ensure that an AADPSP and accreditation schedule is developed
and maintained.
(c) Ensure that an ADP System Security Officer (ADPSSO)/Office
Information System Security Officer (OISSO) is appointed in writing,
where applicable. If not applicable, the ADPSO assumes the
responsibilities. An ADPSSO/OISSO will be appointed by the Commander
for each system on board, but two or more systems may have the same
ADPSSO/OISSO. The ADPSSO/OISSO will:
1 Execute the COMNAVRESINTCOM ADP/IS security program as it
applies to the systems under their cognizance, including preparation
and submission of the accreditation support
documentation.
2 Be the focal point for all security matters for the
systems assigned.
3 Maintain an inventory of all ADP/OIS hardware and
software.
4 Maintain physical security of the ADP/OIS facility as
necessary, depending on the classification of the
system.
5 Report all security incidents to the ADPSO.
6 Monitor system activity, including the levels and types
of data handled by the system, assignment of passwords, and review of
outputs to ensure compliance with security procedures.
7 Maintain liaison with remote facilities served by the
system to ensure compliance with all applicable security
requirements.
8 Conduct periodic checks to ensure the security
requirements of the system are met.
9 Monitor ADP procurement for security impact to ensure
compliance with security requirements.
10 Develop and test annually all contingency
plans.
11 Supervise, test and monitor changes in the system
affecting the ADP security posture.
12 Provide guidance and direction to the Terminal Area Security Officer (TASO) in remote terminal and ADP security.
13 Provide local procedures as necessary to ensure adequate
security.
14 Periodically scan for viruses all computer systems under
his/her cognizance. Upon detection of a virus take necessary steps to
"clean" the infected system(s).
(d) Appoint TASOs where applicable for each remote terminal or
cluster of terminals. If not applicable, the ADPSSO/OISSO or ADPSO
assumes these responsibilities. The TASO is responsible for the
security of each remote terminal or cluster of terminals for which
he/she is assigned. In maintaining an acceptable level of terminal
security, the TASO will:
1 Ensure that personnel authorized remote terminal access
have a security clearance comparable to data available for
processing.
2 Establish and maintain a listing of all authorized remote
terminal users.
3 Provide the ADPSO with a copy of the above list of
authorized personnel, designating them as users at the following
times:
a upon initial installation of a remote
terminal;
b upon accession of a new operator; and
c when an operator is disqualified due to transfer,
termination, job change or other cause.
4 Store and secure password assignments as
applicable.
5 Notify operators verbally, on an individual basis, of
their assigned passwords.
6 Enforce all security requirements set forth by the host
command of the network to which the remote terminal is
connected.
7 Ensure all removable storage media is labeled in
accordance with enclosure (1).
(e) Implement an activity risk management program in accordance
with chapter 5 of reference (a).
(f) Ensure all security incidents or violations are investigated,
documented and reported to proper authority (i.e., command security
manager, commander, type commander, COMNAVDAC, etc.).
(g) Conduct periodic checks to ensure COMNAVRESINTCOM ADP/IS
security requirements are met. At a minimum, checks will be performed
annually or when the command's security posture changes.
(h) Ensure the development and testing of all contingency plans,
if applicable.
(i) Ensure accreditation support documentation is developed and
maintained.
(j) Ensure system test evaluations are conducted in accordance
with chapter 10 of reference (b) and the NAVDAC Advisory Bulletins
(ST&E Handbook).
(k) Ensure applicable personnel/procedures security guidelines are
established for all departments and divisions.
(l) Provide guidance and direction to RIAs in ADP
Security.
(m) Ensure all provisions of enclosure (1) are
followed.
(4) Ensuring that contract specifications for ADP equipment,
software, maintenance and professional service satisfy the
COMNAVRESINTCOM ADP security requirements.
(5) Ensuring that security requirements are included in Life Cycle
Management (LCM) documentation as required in reference
(a).
(6) Reviewing RIA Accreditation Support Documentation prior to final
approval by the DAA.
b. Reserve Intelligence Area Commanders. RIACs are
responsible for:
(1) Accrediting all ADP and OIS for which he/she is the Designated
Approving Authority (DAA). The DAA is the official with authority to
approve ADP elements, activities and networks under his/her
jurisdiction/command. The RIAC is authorized to approve all AIS
processing up to GENSER top secret. For all other classifications
refer to reference (b) paragraphs 3.2.2.1 through 3.2.2.7. Activities
processing classified information are required to comply with
reference (c).
(2) Developing an AADPSP to provide adequate security to protect
all ADP and OIS including the integrity of the data being
handled.
(3) Authorizing by position for all RIA
staff and unit members, in writing, the use of privately owned
computer equipment for official government business. Privately owned
computer equipment may be used for level II and III data
only.
(4) Ensuring RIA staff and unit members filling billets authorized
to use privately owned computer equipment complete enclosure (2) and
return it to a designated member of the RIA Active Duty
Staff.
(5) Ensuring a designated member of the RIA Active Duty Staff
maintains a current listing by unit of all positions, including the
name and Social Security Number of the personnel filling authorized
positions, authorized to use personal computers and ensures a
completed COMNAVRESINTCOM form 5239/1 is on file for the individual
filling each authorized position.
(6) Appointing an ADPSO in writing to act as the focal point for
all ADP Security matters. The ADPSO will:
(a) Coordinate with the command security manager on matters
concerning ADP/IS security to comply with references (a) and
(b).
(b) Ensure that an AADPSP and accreditation schedule is developed
and maintained.
(c) Ensure that an ADPSSO/OISSO is appointed in writing where
applicable. If not applicable, the ADPSO will assume the
responsibilities. An ADPSSO/OISSO will be appointed by the Commander
for each system on board. Two or more systems may have the same
ADPSSO/OISSO. The ADPSSO/OISSO will:
1 Execute the RIA ADP/IS security program as it applies to
the systems under their cognizance including preparation and
submission, via COMNAVRESINTCOM, of the accreditation support
documentation.
2 Be the focal point for all security matters for the
systems assigned.
3 Maintain an inventory of all ADP/OIS hardware and
software.
4 Maintain physical security of the ADP/OIS facility as
necessary, depending on the classification of the
system.
5 Report all security incidents to the ADPSO.
6 Monitor system activity, including the levels and types
of data handled by the system, assignment of passwords, and review of
outputs to ensure compliance with security procedures.
7 Maintain liaison with remote facilities served by the
system to ensure compliance with applicable security
requirements.
8 Conduct periodic checks to ensure the security
requirements of the system are met.
9 Develop and test annually all contingency
plans.
10 Supervise, test and monitor changes in the system
affecting the ADP security posture.
11 Provide guidance and direction to the TASO in remote
terminal and ADP security.
12 Provide local procedures as necessary to ensure adequate
security.
(d) Appoint a TASO where applicable for each remote terminal or
cluster of terminals. If not applicable, the ADPSSO/OISSO or ADPSO
assumes these responsibilities. The TASO is responsible for the
security of each remote terminal or cluster of terminals for which
he/she is assigned. In maintaining an acceptable level of terminal
security, the TASO will:
1 Ensure that personnel authorized remote terminal access
have a security clearance comparable to data available for
processing.
2 Establish and maintain a listing of all authorized remote
terminal users.
3 Provide the ADPSO with a copy of the above list of
authorized personnel, designating them as users at the following
times:
a upon initial installation of a remote terminal;
b upon accession of a new operator; and
c when an operator is disqualified due to transfer,
termination, job change or other cause.
4 Store and secure password assignments as
applicable.
5 Notify operators verbally, on an individual basis, of
their assigned passwords.
6 Enforce all security requirements set forth by the host
command of the network to which the remote terminal is
connected.
7 Periodically scan for viruses all computer systems under
his/her cognizance. Upon detection of a virus, notify the ADPSO
immediately.
8 Ensure all removable storage media is labeled in
accordance with enclosure (1).
(e) Implement an activity risk management program in accordance
with chapter 5 of reference (a).
(f) Ensure all security incidents or violations are investigated,
documented and reported to the COMNAVRESINTCOM ADPSO.
(g) Conduct periodic checks to ensure RIA ADP/IS security
requirements are met. At a minimum, checks will be performed
annually, or when the command's security posture
changes.
(h) Ensure the development and testing of all contingency plans,
as applicable.
(i) Ensure accreditation support documentation is developed and
maintained.
(j) Ensure system test evaluations are conducted in accordance
with chapter 10 of reference (b) and NAVDAC Advisory Bulletins
(ST&E Handbook).
(k) Ensure applicable personnel/procedures security guidelines are
established for all departments and divisions.
(l) Provide guidance and direction to unit commanding officers in
ADP Security.
(m) Ensure unit ADPSOs are on board whenever ADP assets are
utilized by Selected Reserve Personnel.
(n) Ensure all provisions of enclosure (1) are
followed.
(o) Periodically scan for viruses all computer systems under
his/her cognizance. Upon detection of a virus take necessary steps to
"clean" the infected system and notify the COMNAVRESINTCOM ADPSO
immediately.
c. NRIP Unit Commanding Officers. Each Commanding Officer
is responsible for:
(1) Appointing an ADPSO in writing to act as the focal point for
all ADP Security matters. The ADPSO will:
(a) Coordinate with the command security manager on matters
concerning ADP/IS security to comply with references (a) and
(b).
(b) Execute the RIA ADP/IS security program as it applies to the
systems under their cognizance.
(c) Be the focal point for all security matters for the systems
assigned.
(d) Maintain physical security of the ADP/OIS facility as
necessary depending on the classification of the system.
(e) Provide local procedures as necessary to ensure adequate
security.
(f) Be responsible for the security of each remote terminal or
cluster of terminals.
(g) Ensure that personnel authorized remote terminal access have a
security clearance comparable to data available for
processing.
(h) Establish and maintain a listing of all authorized remote
terminal users.
(i) Provide the RIA ADPSO with a copy of the above list of
authorized personnel, designating them as users at the following
times:
1 upon initial installation of a remote
terminal;
2 upon accession of a new operator; and
3 when an operator is disqualified due to transfer,
termination, job change or other cause.
(j) Store and secure password assignments as
applicable.
(k) Notify operators verbally, on an individual basis, of their
assigned passwords.
(l) Enforce all security requirements set forth by the host
command of the network to which the remote terminal is
connected.
(m) Ensure all security incidents or violations are investigated,
documented and reported to the RIAC staff ADPSO.
(n) Ensure applicable personnel/procedures security guidelines are
established for all departments and divisions.
(o) Ensure all provisions of enclosure (1) are
followed.
d. Users. All ADP and OIS users and their responsible
supervisors will familiarize themselves with the contents of
reference (a) and all directives set forth by the host command of the
network or system utilized. All users will ensure the following
procedures are strictly adhered to:
(1) No user will leave a terminal for an extended period of time
without signing off.
(2) No user will gain access to a terminal by other than his/her
own log-on and assigned password when applicable.
(3) All users are responsible for guarding their password and
ensuring it is not divulged to anyone, including other authorized
terminal users.
(4) No user will attempt to perform any function for which he/she
is not authorized or trained to perform.
(5) No user will alter or attempt to alter any hardware or
software configuration on any system or terminal without express
written permission from COMNAVRESINTCOM as requested via the
chain-of-command.
(6) In the event of compromise or password failure, the ADPSO/TASO
will be notified immediately in order that appropriate and timely
action may be taken.
(7) No user will introduce media that has been brought into
command spaces into a computer system without first having the media
scanned for viruses by the ADPSO.
(8) Supervisors will notify the ADPSO/TASO when subordinates are
disqualified as authorized users due to transfer, termination, job
change or other cause.
6. Action.
(a) This instruction will be effective immediately. Deviation from
the procedures prescribed herein is prohibited without written
approval.
(b) All RIAs will implement the accountability and labeling
procedures identified within enclosure (1) and associated
annexes.
(c) The use of privately owned personal computers and software is
not authorized in any area where Level I data is processed. In no
circumstances shall Level I data be processed on non-DOD equipment.
This policy extends to hand-held calculators which contain
non-volatile memory and electronic devices used for storing
appointments, phone numbers, etc.
(d) Only software provided/authorized by competent authority may
be installed on DOD computers.
(e) Authorized individuals using privately owned computer
equipment shall assume full responsibility for use and will hold the
Navy harmless from any and all circumstances relating to the use of
such equipment. They shall also assume full responsibility for any
effect on Navy systems caused by use of privately owned equipment
other than Navy standard supported connections such as bulletin
boards.
7. Review Responsibility. COMNAVRESINTCOM will review this instruction annually or when there is a change to the security posture.
8. Forms. COMNAVRESINTCOM 5239/1 is available through
Commander, Naval Reserve Intelligence Command. An electronic version
of this form can be downloaded from the COMNAVRESINTCOM electronic
bulletin board.
B. A. BLACK
Distribution: (refer to COMNAVRESINTCOMINST 5216.1F)
Lists I, II, III, IV, V, VIII
MEDIA SECURITY CONTROLS
Ref: (a) OPNAVINST 5510.1H
1. The objectives of COMNAVRESINTCOM media security controls
are:
a. Prevent the introduction of unauthorized software onto
information systems used by NRIP personnel.
b. Prevent the unauthorized removal of sensitive unclassified
information, classified information, and licensed software from NRIP
information systems.
c. Enforce Intelligence Community security standards by having all
information system storage media properly labeled; see reference
(a).
2. Those objectives are to be satisfied by enacting more rigid
controls upon the entry and removal of information system media to
and from command environments; and having all information system
media labeled in accordance with Intelligence Community
Standards.
3. Control objective 1a. is accomplished by requiring a property
pass signed by competent authority for all information system media
entering and leaving the command. All media transfers must be
approved by the ADPSO. The ADPSO is responsible for proper labeling
of outgoing media and for supplying proper labeling for incoming
media.
4. When a storage medium is initially assigned to an individual the
ADPSO will ensure that the medium contains no data for which the user
is not authorized.
5. When a storage medium is accepted from an external source it
must be properly labeled and controlled in accordance with approved
procedures. Prior to any incoming media being used by an end-user the
ADPSO will use appropriate software to check for the presence of
computer viruses. Any discovery of a virus requires notification of
the supplier via the chain of command.
6. Control objective 1b. is accomplished by ensuring that each
information system media user is responsible for the labeling of that
media. Removable storage media will contain appropriate security
classification markings, compartmentalization markings, dissemination
controls, and handling caveats as per reference (a).
7. All storage media will be controlled through user-prepared,
DAA-approved procedures for classification labeling, storage, and final
disposition of storage media. Examples of media include magnetic tape
reels, cartridges, and cassettes; removable disks, disk packs and
diskettes, paper tape reels, and magnetic and punched
cards.
8. Security labels shall be human readable and non-removable. They
shall be conspicuously placed on media in a manner that would not
adversely affect operation of the equipment in which the media is
used. If possible, separate media should be used to store data of
different security classifications.
9. All media will be classified at the level of the highest
classified data element on the media.
10. Each medium (classified and unclassified) within SCI
environments must be brought under control and be individually
accounted for. A continuous trail of accountability for each
controlled medium will exist from time of introduction until removal.
The ADPSO is responsible for maintaining control over each medium.
Inventory may be kept manually or in an automated
manner.
11. For those units that drill in SCI spaces where desktop
workstations are accredited in the "System High" security mode of
operation, all media will be controlled as SCI material. The actual
sensitivity of data on the media is often unclassified; however, the
memory residue problems of common workstations allow SCI data to find
its way onto the media. Users will only introduce media marked with
the same sensitivity level as the workstation or
terminal.
RELEASE AND HOLD HARMLESS
1. KNOW ALL MEN BY THESE PRESENTS: I, ____________________, having permission to use my personal computer and associated peripheral equipment and software, hereinafter "My Computer Equipment", do so entirely of my own initiative, risk, and responsibility. I fully understand that the United States Government, its officers, agents, and employees will not be responsible for damage, loss, theft, or malfunction of My Computer Equipment. I do hereby, for myself, my heirs, executors, administrators, and assigns, remise, release, and forever discharge and agree to hold harmless the Government of the United States and all its officers, agents, and employees, acting officially or otherwise from any and all claims, demands, actions or causes of actions, on account of any damage, loss, theft, or malfunction of My Computer Equipment which may, at any time, occur or be attributable to the use of My Computer Equipment for Government-related tasks.
2. Signature / Date / Unit: Position:
3. Witness Signature / Date / Unit: Position:
COMNAVRESINTCOM 5239/1 (4-94)
Enclosure (2)