COMNAVRESINTCOMINST 5239.1B

15 May 1994

COMNAVRESINTCOM INSTRUCTION 5239.1B

Subj: NAVAL RESERVE INTELLIGENCE PROGRAM AUTOMATIC DATA PROCESSING/INFORMATION SYSTEMS (ADP/IS) SECURITY PROGRAM



Ref: (a) SECNAVINST 5239.2

(b) COMNAVDAC AUTOMATED INFORMATION SYSTEMS SECURITY GUIDELINES

(c) OPNAVINST C5510.93

Encl: (1) Media Security Controls

(2) COMNAVRESINTCOM 5239/1, Release and Hold Harmless

1. Purpose. Provide guidance to Reserve Intelligence Area Commanders (RIACs) and Selected Reserve unit commanding officers to meet Department of the Navy requirements regarding AIS security and the use of privately owned microcomputers and software for processing data related to Department of the Navy (DON) matters.

2. Cancellation. COMNAVRESINTCOMINST 5239.1A.

2. Background. ADP/IS security policies for the Navy were established by reference (a), which directed commanding officers to implement a comprehensive program of ADP/IS security. Enclosure (1) provides procedures for controlling and safeguarding classified AIS storage media and classified AIS system products in a manner similar to hard copy classified material of similar classification.

3. Scope. This instruction applies to all Automated Data Processing (ADP) and Office Information Systems (OIS) users and personnel in the NRIP. Each member has a personal responsibility to ensure the continued protection of classified AIS information, material, hardware and software. Consult your unit AIS Security Officer (AISSO) or Terminal Area Security Officer (TASO) for assistance with any AIS security related questions or problems. In the event items in this instruction are in conflict with directives of higher authority, the directives of higher authority will take precedence. In such instances notify the COMNAVRESINTCOM AISSO as soon as possible.

4. Definitions. The following definitions, as defined in references (a) and (b), apply throughout this instruction.

a. AADPSP - Activity ADP Security Plan

b. ADP - Automated Data Processing

c. ADPSO - ADP/IS Security Officer

d. ADPSSO - ADP System Security Officer

e. AIS - Automated Information System

f. DAA - Designated Approving Authority

g. IS - Information Systems

h. Level I Data - All classified data (CONFIDENTIAL AND HIGHER)

i. Level II Data - All UNCLASSIFIED SENSITIVE data (For Official Use Only, Privacy Act, Financial, etc.)

j. Level III Data - All UNCLASSIFIED data

k. OIS - Office Information Systems

l. OISSO - OIS Security Officer

m. TASO - Terminal Area Security Officer

5. Responsibilities

a. Commander, Naval Reserve Intelligence Command. The Commander is responsible for:

(1) Accrediting all ADP and OIS for which he/she is the Designated Approving Authority (DAA). The DAA is the official with authority to approve ADP elements, activities and networks under his/her jurisdiction/command. The Commander is authorized to approve all AIS processing up to GENSER top secret. For all other classifications refer to reference (b) paragraphs 3.2.2.1 through 3.2.2.7. Activities processing classified information are required to comply with reference (c).

(2) Developing an Activity Automated Data Processing Security Plan (AADPSP) to provide adequate security to protect all ADP and OIS, including the integrity of the data being handled.

(3) Authorizing by position for the headquarters staff, in writing, the use of privately owned computer equipment for official government business. Privately owned computer equipment may be used for level II and III data only.

(4) Ensuring personnel filling billets authorized to use privately owned computer equipment complete COMNAVRESINTCOM form 5239/1 enclosure (2) and return it to a designated member of the COMNAVRESINTCOM Active Duty Staff.

(5) Ensuring a designated member of the COMNAVRESINTCOM Active Duty Staff maintains a current listing of all positions authorized to use personal computers, including the name and Social Security Number of the personnel filling those positions, and ensures a completed COMNAVRESINTCOM form 5239/1 is on file for the individual filling each authorized position.

(6) Appointing an ADP/IS Security Officer (ADPSO) in writing to act as the focal point for all ADP Security matters. The ADPSO will:

(a) Coordinate with the command security manager on matters concerning ADP/IS security to comply with references (a) and (b).

(b) Ensure that an AADPSP and accreditation schedule is developed and maintained.

(c) Ensure that an ADP System Security Officer (ADPSSO)/Office Information System Security Officer (OISSO) is appointed in writing, where applicable. If not applicable, the ADPSO assumes the responsibilities. An ADPSSO/OISSO will be appointed by the Commander for each system on board, but two or more systems may have the same ADPSSO/OISSO. The ADPSSO/OISSO will:

1 Execute the COMNAVRESINTCOM ADP/IS security program as it applies to the systems under their cognizance, including preparation and submission of the accreditation support documentation.

2 Be the focal point for all security matters for the systems assigned.

3 Maintain an inventory of all ADP/OIS hardware and software.

4 Maintain physical security of the ADP/OIS facility as necessary, depending on the classification of the system.

5 Report all security incidents to the ADPSO.

6 Monitor system activity, including the levels and types of data handled by the system, assignment of passwords, and review of outputs to ensure compliance with security procedures.

7 Maintain liaison with remote facilities served by the system to ensure compliance with all applicable security requirements.

8 Conduct periodic checks to ensure the security requirements of the system are met.

9 Monitor ADP procurement for security impact to ensure compliance with security requirements.

10 Develop and test annually all contingency plans.

11 Supervise, test and monitor changes in the system affecting the ADP security posture.

12 Provide guidance and direction to the Terminal Area Security Officer (TASO) in remote terminal and ADP security.

13 Provide local procedures as necessary to ensure adequate security.

14 Periodically scan for viruses all computer systems under his/her cognizance. Upon detection of a virus take necessary steps to "clean" the infected system(s).

(d) Appoint TASOs where applicable for each remote terminal or cluster of terminals. If not applicable, the ADPSSO/OISSO or ADPSO assumes these responsibilities. The TASO is responsible for the security of each remote terminal or cluster of terminals for which he/she is assigned. In maintaining an acceptable level of terminal security, the TASO will:

1 Ensure that personnel authorized remote terminal access have a security clearance comparable to data available for processing.

2 Establish and maintain a listing of all authorized remote terminal users.

3 Provide the ADPSO with a copy of the above list of authorized personnel, designating them as users at the following times:

a upon initial installation of a remote terminal;

b upon accession of a new operator; and

c when an operator is disqualified due to transfer, termination, job change or other cause.

4 Store and secure password assignments as applicable.

5 Notify operators verbally, on an individual basis, of their assigned passwords.

6 Enforce all security requirements set forth by the host command of the network to which the remote terminal is connected.

7 Ensure all removable storage media is labeled in accordance with enclosure (1).

(e) Implement an activity risk management program in accordance with chapter 5 of reference (a).

(f) Ensure all security incidents or violations are investigated, documented and reported to proper authority (i.e., command security manager, commander, type commander, COMNAVDAC, etc.).

(g) Conduct periodic checks to ensure COMNAVRESINTCOM ADP/IS security requirements are met. At a minimum, checks will be performed annually or when the command's security posture changes.

(h) Ensure the development and testing of all contingency plans, if applicable.

(i) Ensure accreditation support documentation is developed and maintained.

(j) Ensure system test evaluations are conducted in accordance with chapter 10 of reference (b) and the NAVDAC Advisory Bulletins (ST&E Handbook).

(k) Ensure applicable personnel/procedures security guidelines are established for all departments and divisions.

(l) Provide guidance and direction to RIAs in ADP Security.

(m) Ensure all provisions of enclosure (1) are followed.

(4) Ensuring that contract specification for ADP equipment, software, maintenance and professional service satisfy the COMNAVRESINTCOM ADP security requirements.

(5) Ensuring that security requirements are included in Life Cycle Management (LCM) documentation as required in reference (a).

(6) Review RIA Accreditation Support Documentation prior to final approval by the DAA.

b. Reserve Intelligence Area Commanders. RIACs are responsible for:

(1) Accrediting all ADP and OIS for which he/she is the Designated Approving Authority (DAA). The DAA is the official with authority to approve ADP elements, activities and networks under his/her jurisdiction/command. The RIAC is authorized to approve all AIS processing up to GENSER top secret. For all other classifications refer to reference (b) paragraphs 3.2.2.1 through 3.2.2.7. Activities processing classified information are required to comply with reference (c).

(2) Developing an AADPSP to provide adequate security to protect all ADP and OIS including the integrity of the data being handled.

(3) Authorizing by position for all RIA staff and unit members, in writing, the use of privately owned computer equipment for official government business. Privately owned computer equipment may be used for level II and III data only.

(4) Ensuring RIA staff and unit members filling billets authorized to use privately owned computer equipment complete enclosure (2) and return it to a designated member of the RIA Active Duty Staff.

(5) Ensuring a designated member of the RIA Active Duty Staff maintains a current listing by unit of all positions authorized to use personal computers, including the name and Social Security Number of the personnel filling those positions, and ensures a completed COMNAVRESINTCOM form 5239/1 is on file for the individual filling each authorized position.

(6) Appointing an ADPSO in writing to act as the focal point for all ADP Security matters. The ADPSO will:

(a) Coordinate with the command security manager on matters concerning ADP/IS security to comply with references (a) and (b).

(b) Ensure that an AADPSP and accreditation schedule is developed and maintained.

(c) Ensure that an ADPSSO/OISSO is appointed in writing where applicable. If not applicable, the ADPSO will assume the responsibilities. An ADPSSO/OISSO will be appointed by the Commander for each system on board. Two or more systems may have the same ADPSSO/OISSO. The ADPSSO/OISSO will:

1 Execute the RIA ADP/IS security program as it applies to the systems under their cognizance including preparation and submission, via COMNAVRESINTCOM, of the accreditation support documentation.

2 Be the focal point for all security matters for the systems assigned.

3 Maintain an inventory of all ADP/OIS hardware and software.

4 Maintain physical security of the ADP/OIS facility as necessary, depending on the classification of the system.

5 Report all security incidents to the ADPSO.

6 Monitor system activity, including the levels and types of data handled by the system, assignment of passwords, and review of outputs to ensure compliance with security procedures.

7 Maintain liaison with remote facilities served by the system to ensure compliance with applicable security requirements.

8 Conduct periodic checks to ensure the security requirements of the system are met.

9 Develop and test annually all contingency plans.

10 Supervise, test and monitor changes in the system affecting the ADP security posture.

11 Provide guidance and direction to the TASO in remote terminal and ADP security.

12 Provide local procedures as necessary to ensure adequate security.

(d) Appoint a TASO where applicable for each remote terminal or cluster of terminals. If not applicable, the ADPSSO/OISSO or ADPSO assumes these responsibilities. The TASO is responsible for the security of each remote terminal or cluster of terminals for which he/she is assigned. In maintaining an acceptable level of terminal security, the TASO will:

1 Ensure that personnel authorized remote terminal access have a security clearance comparable to data available for processing.

2 Establish and maintain a listing of all authorized remote terminal users.

3 Provide the ADPSO with a copy of the above list of authorized personnel, designating them as users at the following times:

a upon initial installation of a remote terminal;

b upon accession of a new operator; and

c when an operator is disqualified due to transfer, termination, job change or other cause.

4 Store and secure password assignments as applicable.

5 Notify operators verbally, on an individual basis, of their assigned passwords.

6 Enforce all security requirements set forth by the host command of the network to which the remote terminal is connected.

7 Periodically scan for viruses all computer systems under his/her cognizance. Upon detection of a virus, notify the ADPSO immediately.

8 Ensure all removable storage media is labeled in accordance with enclosure (1).

(e) Implement an activity risk management program in accordance with chapter 5 of reference (a).

(f) Ensure all security incidents or violations are investigated, documented and reported to the COMNAVRESINTCOM ADPSO.

(g) Conduct periodic checks to ensure RIA ADP/IS security requirements are met. At a minimum, checks will be performed annually, or when the command's security posture changes.

(h) Ensure the development and testing of all contingency plans, as applicable.

(i) Ensure accreditation support documentation is developed and maintained.

(j) Ensure system test evaluations are conducted in accordance with chapter 10 of reference (b) and NAVDAC Advisory Bulletins (ST&E Handbook).

(k) Ensure applicable personnel/procedures security guidelines are established for all departments and divisions.

(l) Provide guidance and direction to unit commanding officers in ADP Security.

(m) Ensure unit ADPSOs are on board whenever ADP assets are utilized by Selected Reserve personnel.

(n) Ensure all provisions of enclosure (1) are followed.

(o) Periodically scan for viruses all computer systems under his/her cognizance. Upon detection of a virus take necessary steps to "clean" the infected system and notify the COMNAVRESINTCOM ADPSO immediately.

c. NRIP Unit Commanding Officers. Each Commanding Officer is responsible for:

(1) Appointing an ADPSO in writing to act as the focal point for all ADP Security matters. The ADPSO will:

(a) Coordinate with the command security manager on matters concerning ADP/IS security to comply with references (a) and (b).

(b) Execute the RIA ADP/IS security program as it applies to the systems under their cognizance.

(c) Be the focal point for all security matters for the systems assigned.

(d) Maintain physical security of the ADP/OIS facility as necessary depending on the classification of the system.

(e) Provide local procedures as necessary to ensure adequate security.

(f) Be responsible for the security of each remote terminal or cluster of terminals.

(g) Ensure that personnel authorized remote terminal access have a security clearance comparable to data available for processing.

(h) Establish and maintain a listing of all authorized remote terminal users.

(i) Provide the RIA ADPSO with a copy of the above list of authorized personnel, designating them as users at the following times:

1 upon initial installation of a remote terminal;

2 upon accession of a new operator; and

3 when an operator is disqualified due to transfer, termination, job change or other cause.

(j) Store and secure password assignments as applicable.

(k) Notify operators verbally, on an individual basis, of their assigned passwords.

(l) Enforce all security requirements set forth by the host command of the network to which the remote terminal is connected.

(m) Ensure all security incidents or violations are investigated, documented and reported to the RIAC staff ADPSO.

(n) Ensure applicable personnel/procedures security guidelines are established for all departments and divisions.

(o) Ensure all provisions of enclosure (1) are followed.

d. Users. All ADP and OIS users and their responsible supervisors will familiarize themselves with the contents of reference (a) and all directives set forth by the host command of the network or system utilized. All users will ensure the following procedures are strictly adhered to:

(1) No user will leave a terminal for an extended period of time without signing off.

(2) No user will gain access to a terminal by other than his/her own log-on and assigned password when applicable.

(3) All users are responsible for guarding their password and ensuring it is not divulged to anyone, including other authorized terminal users.

(4) No user will attempt to perform any function for which he/she is not authorized or trained to perform.

(5) No user will alter or attempt to alter any hardware or software configuration on any system or terminal without express written permission from COMNAVRESINTCOM as requested via the chain-of-command.

(6) In the event of compromise or password failure, the ADPSO/TASO will be notified immediately in order that appropriate and timely action may be taken.

(7) No user will introduce media that has been brought into command spaces into a computer system without first having the media scanned for viruses by the ADPSO.

(8) Supervisors will notify the ADPSO/TASO when subordinates are disqualified as authorized users due to transfer, termination, job change or other cause.

6. Action.

(a) This instruction will be effective immediately. Deviation from the procedures prescribed herein is prohibited without written approval.

(b) All RIAs will implement the accountability and labeling procedures identified within enclosure (1) and associated annexes.

(c) The use of privately owned personal computers and software is not authorized in any area where Level I data is processed. Under no circumstances shall Level I data be processed on non-DOD equipment. This policy extends to hand-held calculators which contain non-volatile memory and electronic devices used for storing appointments, phone numbers, etc.

(d) Only software provided/authorized by competent authority may be installed on DOD computers.

(e) Authorized individuals using privately owned computer equipment shall assume full responsibility for its use and will hold the Navy harmless from any and all circumstances relating to the use of such equipment. They shall also assume full responsibility for any effect on Navy systems caused by use of privately owned equipment other than Navy standard supported connections such as bulletin boards.

7. Review Responsibility. COMNAVRESINTCOM will review this instruction annually or when there is a change to the security posture.

8. Forms. COMNAVRESINTCOM 5239/1 is available through Commander, Naval Reserve Intelligence Command. An electronic version of this form can be downloaded from the COMNAVRESINTCOM electronic bulletin board.


B. A. BLACK

Distribution: (refer to COMNAVRESINTCOMINST 5216.1F)

Lists I, II, III, IV, V, VIII

MEDIA SECURITY CONTROLS


Ref: (a) OPNAVINST 5510.1H

1. The objectives of COMNAVRESINTCOM media security controls are:

a. Prevent the introduction of unauthorized software onto information systems used by NRIP personnel.

b. Prevent the unauthorized removal of sensitive unclassified information, classified information, and licensed software from NRIP information systems.

c. Enforce Intelligence Community security standards by having all information system storage media properly labeled; see reference (a).

2. Those objectives are to be satisfied by enacting more rigid controls upon the entry and removal of information system media to and from command environments, and by having all information system media labeled in accordance with Intelligence Community Standards.

3. Control objective 1.a. is accomplished by requiring a property pass signed by competent authority for all information system media entering and leaving the command. All media transfers must be approved by the ADPSO. The ADPSO is responsible for proper labeling of outgoing media and for supplying proper labeling for incoming media.

4. When a storage medium is initially assigned to an individual, the ADPSO will ensure that the medium contains no data for which the user is not authorized.

5. When a storage medium is accepted from an external source, it must be properly labeled and controlled in accordance with approved procedures. Prior to any incoming media being used by an end-user, the ADPSO will use appropriate software to check for the presence of computer viruses. Any discovery of a virus requires notification of the supplier via the chain of command.

6. Control objective 1.b. is accomplished by ensuring that each information system media user is responsible for the labeling of that media. Removable storage media will contain appropriate security classification markings, compartmentalization markings, dissemination controls, and handling caveats as per reference (a).

7. All storage media will be controlled through user-prepared, DAA-approved procedures for classification labeling, storage, and final disposition of storage media. Examples of media include magnetic tape reels, cartridges, and cassettes; removable disks, disk packs and diskettes; paper tape reels; and magnetic and punched cards.

8. Security labels shall be human readable and non-removable. They shall be conspicuously placed on media in a manner that would not adversely affect operation of the equipment in which the media is used. If possible, separate media should be used to store data of different security classifications.

9. All media will be classified at the level of the highest classified data element on the media.

10. Each medium (classified and unclassified) within SCI environments must be brought under control and be individually accounted for. A continuous trail of accountability for each controlled medium will exist from time of introduction until removal. The ADPSO is responsible for maintaining control over each medium. Inventory may be kept manually or in an automated manner.

11. For those units that drill in SCI spaces where desktop workstations are accredited in the "System High" security mode of operation, all media will be controlled as SCI material. The actual sensitivity of data on the media is often unclassified; however, the memory residue problems of common workstations allow SCI data to find its way onto the media. Users will only introduce media marked with the same sensitivity level as the workstation or terminal.


RELEASE AND HOLD HARMLESS

1. KNOW ALL MEN BY THESE PRESENTS: I, , having permission to use my personal computer and associated peripheral equipment and software, hereinafter "My Computer Equipment", do so entirely of my own initiative, risk, and responsibility. I fully understand that the United States Government, its officers, agents, and employees will not be responsible for damage, loss, theft, or malfunction of My Computer Equipment. I do hereby, for myself, my heirs, executors, administrators, and assigns, remise, release, and forever discharge and agree to hold harmless the Government of the United States and all its officers, agents, and employees, acting officially or otherwise, from any and all claims, demands, actions or causes of actions, on account of any damage, loss, theft, or malfunction of My Computer Equipment which may, at any time, occur or be attributable to the use of My Computer Equipment for Government-related tasks.

2. Signature / Date:

Unit:

Position:

3. Witness Signature / Date:

Unit:

Position:



COMNAVRESINTCOM 5239/1 (4-94)

Enclosure (2)