Naval INFOSEC Universe Description Report

(IUDR)

Space and Naval Warfare Systems Command
Information Systems Security Office (SPAWAR PD 51)

18 January 1994

1.0 INTRODUCTION

1.1 Background

As demonstrated in Operations Desert Shield and Desert Storm, information is an essential ingredient of modern Naval operations for both war fighting and peacetime situations. The security of that information and the associated information processing resources is critical to the success of military missions. However, the unprecedented development of information system technology and the proliferation of wide area networks have exposed new vulnerabilities of the Navy's information systems. The mission criticality of information coupled with these new vulnerabilities introduces special requirements for the security of information systems that drive the need for an Information Systems Security (INFOSEC) program. Although security tools and products are available to address some of the new vulnerabilities, there is a need to focus security resources within the Department of the Navy (DoN) and to implement a top-down systems engineering approach to the development and fielding of INFOSEC, both to achieve economies and timeliness in system acquisition and to achieve the effectiveness required of fielded secure information systems.

On 27 December 1992, the SPAWAR Information Systems Security Office (initially SPAWAR 00I, recently renamed SPAWAR PD 51) was established as the focal point for implementing DoN INFOSEC policy. SPAWAR PD 51 is organized into three primary divisions: PD 51E, Chief Engineer; PD 51C, Customer Service; and PD 51M, Program Manager. PD 51 is supported by PD 50L, Integrated Logistics Support; PD 50I, Foreign Military Sales; and PD 50P4, Financial Management.

PD 51E is responsible for developing Naval INFOSEC architectures, standards, and tools; for developing INFOSEC investment strategies; for focusing the Naval INFOSEC technology base; for developing and promoting INFOSEC interoperability strategies; and for identifying and coordinating resource requirements to support the Operational Users and program managers of Naval INFOSEC systems. PD 51C is responsible for identifying Operational User requirements for INFOSEC products, technologies, systems, and services and for providing INFOSEC engineering services to the PMs and Operational Users. PD 51M is responsible for managing the development and implementation of INFOSEC products and systems for operational use in Naval information systems, and potentially Joint Service or Allied information systems for which the Navy is the lead Service for all or at least the INFOSEC portions of the system. The Appendix provides a summary of the interactions among these primary divisions of SPAWAR PD 51 and the interactions of each with the remainder of the INFOSEC Universe. These are derived from the interactions developed later in this report from the most recent organization statements for PD 51.

1.2 Purpose

The Naval INFOSEC Universe (NIU) is that portion of the total universe of systems with INFOSEC requirements and organizations with INFOSEC responsibilities (i.e., the total INFOSEC Universe) that is subject to Naval INFOSEC policy. The purpose of this document, the Naval INFOSEC Universe Description Report (IUDR), is the following:

1.3 Scope

This document concentrates on the role of SPAWAR PD 51 as the Navy's INFOSEC focal point for information systems that are subject to Naval INFOSEC policy. This INFOSEC role is accomplished through systems engineering, customer support, program management, and mutual interactions among the following major participants in the INFOSEC Universe:

Also important to the INFOSEC role are the essential INFOSEC-related interactions between these three participants and the remaining government organizations in the INFOSEC Universe. (It is assumed that contractor organizations will support and occasionally act for their government organization principals.) Discussion of the interaction among these remaining organizations is outside the scope of this document.

The information systems that are subject to Naval INFOSEC policy, and are thus members of the INFOSEC Universe, have the following uses:

These systems are employed during peacetime, wartime, training exercises, or test evaluations. They are used by organizations that are part of the DoN, by organizations that are provided INFOSEC support by the DoN, and by organizations for which the Navy is the lead service for development of the information system. These user organizations are the following:


2.0 DERIVATION OF NAVAL INFOSEC ATTRIBUTES

INFOSEC is defined in National Security Telecommunications and Information Systems Security Instruction (NSTISSI) 4009 as "the protection of information systems against unauthorized access to, or modification of information, whether in storage, processing, or transit and against the denial of service to authorized users, or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats."

Previously, separate security policies and doctrines addressed protection of computer systems (COMPUSEC), information transfer systems (COMSEC), and emanations (TEMPEST). With today's proliferation of information processing networks, the separate implementation of these related disciplines for information protection is no longer technically or fiscally feasible. Information systems security (INFOSEC) is the modern discipline that provides an integrated and systematic approach to the security of all aspects of information systems. The term "secure information system" is used throughout this document to mean any information storage, processing, or transfer system that requires or uses INFOSEC features and/or components.

The focus of this section is the description of the security-relevant characteristics, termed "attributes," of information systems in the context of the NIU. These attributes will be used to define the interactions among the key players necessary to field and support secure information systems that will contribute to the successful prosecution of Naval missions. Naval INFOSEC attributes must, therefore, be derived from an understanding of Naval missions, information value, and threat scenarios. The platforms, information systems, and organizations that implement these attributes in the NIU, and their interactions among the key NIU organizations in support of these attributes, are described in Section 3.

2.1 Naval INFOSEC Threat Scenarios

Naval information systems store, process, and communicate large quantities of information. Much of this information is critical to satisfying the Naval war fighting and support missions. Recent advances in communications and information processing technology that increase the distribution and exposure of this information also increase the vulnerability of Naval systems to exploitation both by accidental and malicious threat agents. Modern information systems may be vulnerable to any or all of the following threats:

Threats can exploit system vulnerabilities when adversaries have the intent and adequate resources. Appropriate security mechanisms must be incorporated in Naval information systems to protect system vulnerabilities from exploitation.

2.2 INFOSEC Attributes of Naval Information Systems

This section summarizes the INFOSEC attributes of Naval information systems. These attributes were derived from a detailed analysis of Naval information systems based on Naval missions (spanning peacetime to wartime), information value, and threat scenarios. The criticality of information to these missions has raised its protection through INFOSEC engineering to the same level of importance in the systems engineering process as, for example, fault tolerance, real-time operation, and interoperability. Correct INFOSEC engineering to achieve the correct INFOSEC attributes demands strict adherence to security policy, formal validation and verification of security designs, absolute traceability of design to requirements, and acceptance (by signature and with legal implications) of residual security risks by the Operational Users and information owners. The INFOSEC attributes summarized in this section form the basis for the roles of and required interactions among the three primary participants in the NIU and their required interactions with the remaining INFOSEC Universe organizations.

2.2.1 Security Features

2.2.1.1 Confidentiality

The confidentiality attribute is defined by the extent of the protection afforded by the security service from disclosure of information to unauthorized entities (e.g., individuals, organizations, equipment, processes). Examples of protected information include user and operational information, administrative information, security parameters (e.g., cryptographic key material), and system characteristics (e.g., operational capabilities, location, or vulnerabilities). At a more detailed level, confidentiality may be divided into four subordinate services: information confidentiality, traffic flow confidentiality, emanations security, and signals security. Security mechanisms that implement the confidentiality attribute include access control, object reuse, encryption, TEMPEST techniques, physical isolation, and administrative procedures.

2.2.1.2 Integrity

The integrity attribute is defined by the extent of the protection afforded by the security service from information or resources being created, inserted, modified, or deleted by entities not authorized for these actions. Integrity protection includes the prevention or detection of these actions, and may also provide capabilities to recover from successful attacks on the integrity of a system. At the next lower level of detail, the integrity attribute may be divided into system integrity, equipment and software integrity, and information integrity. The integrity attribute also includes authenticity, the means for proving the identity of the source of an action taken on the system, and non-repudiation, the ability to protect against an entity's falsely denying sending information or falsely denying receipt of information. Security mechanisms that implement the integrity attribute include cryptographic checksums, error detection and correction techniques, message authentication codes, and digital signatures.

2.2.1.3 Availability

The availability attribute is defined by the extent to which the security services ensure that a system's capabilities are accessible and/or operational and information is obtainable by authorized entities. Availability services allow the system and/or individual components of the system to meet user-specified requirements for unobstructed operation and allow the system to make information accessible to users when needed. Failure of availability results in denial-of-service conditions. For the NIU, availability is limited to services that protect the system when threatened by malicious threat agents. Security mechanisms that implement the availability attribute include robust routing algorithms, duplication of critical system functions, security audit and alarm procedures, and system resource usage controls.

2.2.2 Strength of Security Features

The strength of security is defined by the extent to which a hostile entity must expend resources to defeat the security feature. The items listed in Section 2.3.1 are the primary security features to be provided. These features may be implemented by a number of security mechanisms. In addition to the "what" that is to be implemented to provide the security services, the question of "how much" security is adequate must also be described. For example, longer key lengths generally provide additional protection of encrypted information from threats of eavesdropping and cryptanalysis. The known threat environment for a system in the context of its mission and operational environment should drive the required strength of security features. Generally, stronger security features involve additional costs; therefore, a goal of the security engineering process is to provide "enough" security, as described in 3.3, but not more than can be afforded.

2.2.3 Assurance of Security Features

The assurance attribute is the level of confidence that a system's security approach is suitable for countering identified threats (effectiveness) and that security components used within the system are capable of performing their security functions correctly (correctness). Assurance is provided through top-down policy-driven security design and implementation, through analyses of the implemented security mechanisms, and validation through the formal Certification and Accreditation processes that requirements are met. In addition, assurance is provided for operational systems by on-line monitoring of the security status of the system and feedback of this status to the system operator or to the system or security administrator. For fielded systems, reaccreditation is invoked frequently for increased assurance, especially when system security features are modified.

2.2.4 Operability

Operability is the extent to which the integration of INFOSEC into an information system affects system performance. Factors that influence operability include security-relevant information overhead (e.g., security management information exchanges, cryptographic synchronization preambles) and security interoperability of the information systems.

2.2.5 Useability

Useability defines the extent to which integration of INFOSEC features into the information system affects the system operators. Important mechanisms for useability include end-user transparency, menu-driven operator interface, built-in training, support of user and device mobility, support of single logon, ease of maintenance, on-line accountability, and visible security/risk indicators.

2.2.6 Affordability

The affordability attribute is the extent to which INFOSEC features are cost effective (for both recurring and non-recurring costs). Affordability of INFOSEC features can be supported by incorporation of commercial off-the-shelf (COTS) and/or government off-the-shelf (GOTS) products where possible; modularity of INFOSEC design; life cycle logistics supportability (e.g., vendor support for upgrades); reuse of software, components, and certification documentation and evidence; and conservative use of security mechanisms to avoid over-design.

2.2.7 Timeliness

The timeliness attribute for INFOSEC system development and fielding is the extent to which the information system's schedule is met for implementation of the system's INFOSEC features. Mechanisms for achieving timeliness include rapid prototyping; reuse of relevant designs, security documentation, and certification evidence; advance planning for INFOSEC products to ensure time for certification/evaluation; use of open systems standards; and use of COTS and/or GOTS products.

2.2.8 Criticality

The criticality attribute is the degree of importance associated with an information system's mission, operational scenario, threat environment, and consequences of system failure or subversion. The criticality attribute supports prioritization of INFOSEC system engineering activities. The operational scenario includes peacetime, wartime, training, and test and evaluation (T&E). The consequences of system failure or subversion include mission failure, loss of physical resources, loss of national economic status, loss of national security, and loss of life.

3.0 THE NAVAL INFOSEC UNIVERSE

3.1 Definition and Boundaries

The NIU is defined as the set of all organizations and secure information systems that are subject to Naval INFOSEC policy and the platforms on which they reside. The NIU is a subset of the larger INFOSEC Universe that encompasses all systems, activities, and organizations with INFOSEC content. In the characterization adopted in the IUDR, systems and organizations that may affect Naval INFOSEC but which are not subject to Naval INFOSEC policy occupy positions outside the NIU boundary. There are some systems (e.g., Joint C4I systems) that are partially subject to Naval INFOSEC policy and partially outside its influence. These occupy positions on the NIU boundary.

3.2 Platforms in the NIU

The platforms in the NIU provide the environment for personnel and systems to implement their assigned missions. Platforms in the NIU include:

Each of these platforms has specific INFOSEC implications, particularly with respect to physical, personnel, and procedural security characteristics.

3.3 NIU and Interfacing Information Systems

Figure 1 summarizes the systems of the INFOSEC Universe. The portion of the INFOSEC Universe subject to Naval policy (i.e., the NIU) includes the information storage, processing, and transfer systems resident on NIU platforms that allow personnel to implement assigned missions. These systems are divided into the following categories:

Figure 1. Systems of the INFOSEC Universe
External to the NIU (but maintaining important interfaces to it) are the following:

On the boundary (i.e., subject in part to Naval policy) are the following:

3.4 Organizations of the INFOSEC Universe

Figure 2 summarizes the organizational structure of the NIU and depicts its relationship with the larger INFOSEC Universe. As with the systems of the INFOSEC Universe, organizations subject to Naval policy are shown inside the NIU boundary, and organizations that have important INFOSEC roles but are not subject to Naval policy are shown outside the boundary.

3.4.1 Roles of Organizations Inside the NIU

The security-relevant roles of the organizations inside the NIU are the following:


Figure 2. Organizations of the NIU.

3.4.2 Roles of Organizations Outside the NIU

The roles of the organizations that play a role in Naval INFOSEC but are outside the NIU boundary are the following:

3.5 Interactions in the NIU

The interactions described in this section are those required to ensure that the INFOSEC attributes set out in Section 2 are an integral part of Naval information systems in the future. Figure 3 summarizes the principal interactions of the Operational Users in the NIU; these interactions are described in more detail in Section 3.5.1. The interactions of the Program Managers of information systems with INFOSEC requirements are summarized in Figure 4 and described in more detail in Section 3.5.2. Section 3.5.3 describes the interactions of SPAWAR PD 51 in the INFOSEC Universe more fully. In each figure, the information flows for two-way interactions are grouped so that the information items closest to an arrowhead flow in the direction of the arrowhead.

3.5.1 Operational Users

One of SPAWAR PD 51's important roles is to reduce the burden on Operational Users for interpreting security policies, obtaining and operating secure information systems, and acquiring life cycle support for security capabilities. Figure 3 illustrates (using dotted lines) how SPAWAR PD 51 fulfills this role in the NIU through coordination of the interactions between the Operational Users and the other INFOSEC-related organizations so that the Operational User has available one central point of contact for all security-relevant issues and activities. The Operational User need interact directly only with OPNAV, SPAWAR PD 51, and the information system.

The direct and indirect interactions (via SPAWAR PD 51) of Naval Operational Users with other organizations in the INFOSEC Universe (summarized in Figure 3) are the following:


Figure 3. Principal Interactions of the Operational User in the INFOSEC Universe

3.5.2 Program Managers

Another of SPAWAR PD 51's roles is to assist Program Managers responsible for developing new information systems with security requirements to effectively integrate INFOSEC into their systems. Figure 4 illustrates that PD 51, as an integral member of the PM's system engineering/integration team, interprets and applies INFOSEC policies and doctrine, acquires and develops standard and supportable products, integrates INFOSEC throughout the system's life cycle, and interacts with DISA, NSA, and the Joint Service Community. This allows the PM to focus on working with the Operational User and the DAA to develop a secure, operational information system. SPAWAR PD 51 uses its knowledge base, on-going NIU interactions (described in Section 3.5.3), and lessons learned from related efforts to accomplish the security engineering objectives. Program Managers of information systems with INFOSEC requirements have the following direct and indirect (via PD 51) interactions with the other organizations in the INFOSEC Universe:


Figure 4. Principal Interactions of the Program Manager in the INFOSEC Universe

3.5.3 SPAWAR PD 51

This section describes the interactions of SPAWAR PD 51 with the NIU and the broader INFOSEC Universe that support its roles described in the previous sections and its long term role as the focal point for Naval INFOSEC. In this latter role, SPAWAR PD 51 uses lessons learned from the operational community and other PMs to coordinate and influence security policies, architectures, standards, protocols, secure products and applications, technology R&D and insertion efforts to ensure that Naval information systems possess the INFOSEC attributes identified in Section 2.3. Figure 5 summarizes these interactions.


Figure 5. Principal Interactions of SPAWAR PD 51 in the INFOSEC Universe

GLOSSARY

AIS             automated information system
APC             armored personnel carrier
ASN             Assistant Secretary of the Navy
C&A             certification and accreditation
C3I             command, control, communication, and intelligence
C4I             command, control, communication, computers, and intelligence
CIA             Central Intelligence Agency
CMS             Cryptologic Materiel System
COMINT          communications intelligence
COMPUSEC        computer security
COMSEC          communications security
CONOPS          concept of operations
COTS            commercial-off-the-shelf
CT&E            certification test and evaluation
DAA             designated approval authority
DIA             Defense Intelligence Agency
DISA            Defense Information Systems Agency
DoD             Department of Defense
DoN             Department of the Navy
EMSEC           emissions security
GOTS            government-off-the-shelf
HMMWV           high mobility multi-terrain wheeled vehicle
IED             INFOSEC Engineering Division
IFF             identification friend or foe
IG              Inspector General
IU              INFOSEC Universe
ILS             integrated logistics support
INFOSEC         information systems security
ISEA            In-Service Engineering Activity
IUDR            INFOSEC Universe Description Report
MCCR            mission critical computer resources
MNS             Mission Need Statement
MOA             memorandum of agreement
MSC             Maritime Sealift Command
NATO            North Atlantic Treaty Organization
NAVCIRT         Naval Computer Incident Response Team
NAVSECGRU       Naval Security Group
NAVMIC          Naval Maritime Intelligence Command
NCCOSC          Naval Command, Control and Ocean Surveillance Center
NCTC            Naval Computer and Telecommunications Command
NESSEC          Naval Electronics System Security Engineering Center
NIC             Naval Intelligence Command
NIS             Naval Investigative Service Command
NISE            NCCOSC In-Service Engineering East
NISMC           Naval Information Systems Management Center
NIST            National Institute of Standards and Technology
NIU             Naval INFOSEC Universe
NKDS            Naval Key Distribution System
NRaD            Naval Research and Development
NRL             Naval Research Laboratory
NSA             National Security Agency
NSG             Naval Security Group
NSTISSI         National Security Telecommunications and Information Systems Security Instruction
NTC             Naval Training Center
ONI             Office of Naval Intelligence
OPNAV           Office of the Chief of Naval Operations
OPR             Office of Primary Responsibility
OPTEVFOR        Operational Test and Evaluation Forces
ORD             Operational Requirements Document
OSD             Office of the Secretary of Defense
PEO             Program Executive Officer
PM              program manager
POM             Program Objectives Memorandum
R&D             research and development
ROC             Required Operational Capability
SCI             special compartmented information
SECNAV          Secretary of the Navy
SFUG            Security Features Users Guide
SIGINT          signals intelligence
SPAWAR          Space and Naval Warfare Systems Command
SPAWAR 00I      SPAWAR Information Systems Security Office (original title)
SPAWAR PD 51    SPAWAR Information Systems Security Office (new title)
SPAWAR PD 51C   SPAWAR Information Systems Security Office, Customer Service Division
SPAWAR PD 51E   SPAWAR Information Systems Security Office, Systems Engineering Division
SPAWAR PD 51M   SPAWAR Information Systems Security Office, Program Management Division
SSA             software support activity
ST&E            security test and evaluation
T&E             test and evaluation
TEMP            test and evaluation master plan
TFM             Trusted Facilities Manual


APPENDIX


SUMMARIES OF THE INTERACTIONS OF SPAWAR PD 51C, PD 51E, PD 51M AMONG THEMSELVES AND WITH THE REST OF THE INFOSEC UNIVERSE

1. INFORMATION EXCHANGES AMONG 51E, 51C, AND 51M

The functions performed by each component of PD 51 complement the other components' functions in an overall integrated process. The information generated by each for use by the others is summarized in Table A-1 in the form of a 3x3 matrix, each row and column being titled by a component. The matrix diagonal in bold type contains the functions performed by each component. Each row presents the information passed from the component in bold type to each of the other components as identified in the title row. Each column, therefore, identifies the information passed from each of the components identified in the title column to the component in bold type.

2. INFORMATION EXCHANGES BETWEEN EACH OF 51E, 51C, 51M AND THE REST OF THE INFOSEC UNIVERSE

Each component of PD 51 collects information from and provides information to other organizations in the INFOSEC universe for use in performing its functions and preparing responses to its customers' requests. These exchanges are summarized in Table A-2, in which the first column identifies the external organization, the second column the direction in which information is being passed, the third column identifies the PD 51 component involved, and the last column defines the data being passed.

TABLE A-1. SPAWAR PD 51: INTERNAL INFORMATION EXCHANGE

ROW E

E (diagonal): SYSTEM ENGINEERING ACTIVITIES
    Architecture
    Tech Base
    System Engineering
      - Standards
      - Process/Methods
      - Tools

From E to C:
    Specific System Architectures
    Specific Security Standards
    Staff Guide, SE. Document Templates
    Design Guidance For Optimized Certification Process
    Engineering Methods (e.g., Risk Assessments, Requirements Analysis)
    Security Engineering Tools
    Awareness Materials
    Guidance for Improved System Engineering Processes

From E to M:
    Architecture Criteria For Product Or System Design
    Feasible, Mature Security Standards
    Acquisition Templates
    Security Engineering Processes and Methods
    Security Engineering Tools
    Evidence Required For Certification
    Technology For Insertion Into Products Or Systems
    Guidance for Improved Product Development Processes
    Guidance for Improved Products For Development or Acquisition

ROW C

From C to E:
    System Security CONOPS and Issues
    System Engineering Constraints, Analysis of Interdependencies
    Customer-Specific INFOSEC Product Or System Requirements
    C Feedback on System Engineering Methods, Tools, Processes
    Customer Feedback on Security Engineering Processes and Solutions
    Fleet and Customer Requirements via C
      - OPNAV
      - User Conferences
      - Customer-Defined/Derived
    Training for E

C (diagonal): LIAISON WITH CUSTOMER (Operational User, Information System PM, Sponsor)
    INFOSEC Engineering Support
    Requirements Analysis And Validation
    Certification And Recertification
    INFOSEC Awareness
      - Templates
      - Training
      - Conferences
      - Publications

From C to M:
    Customer-Specific System Architectures And Constraints (e.g., Cost, Schedule)
    INFOSEC Engineering Guidance and Support
    Fleet Training Materials for use by M
    Training for M (to Train Fleet)

ROW M

From M to E:
    M Feedback on Process, Methods, Tools
    Customer Feedback on Specific INFOSEC Products, Systems (Architecture, Standards, Technology Base, COTS, GOTS)

From M to C:
    INFOSEC Products, Systems
    Awareness Materials
    Life Cycle Support Materials, Documents

M (diagonal): PM FOR INFOSEC SYSTEMS/PRODUCTS
    System/Product Development
    System/Product Acquisition
    Life Cycle Support Materials And Documents
Academia                       E   R and D Results                                                                               
                                   Naval INFOSEC Requirements; Funding                                                           
Allies and Other               C   INFOSEC Products and Applications                                                             
Services                                                                                                                         
                                   Coordination of Communications; Scheduling of Keying Material                                 
DAA                            C   System Accreditation; Lessons Learned                                                         
                                   Accreditation Documentation; Certification Support                                            
                               M   (DAA Role when Assigned to PD51M)                                                             
                                                                                                                                 
DIA                            C   Vulnerability Assessment of Naval Information Systems                                         
                                   Documentation of System Characteristics and Operations                                        
                               E   Vulnerability Assessment of Naval Information Systems                                         
                                   Naval Information Systems Descriptions                                                        
DISA                           C   DOD Standards; Security Architectures; INFOSEC Awareness/Concepts Training; Approved Products
                                   Naval-unique Requirements                                                                     
                               E   Joint INFOSEC Architectures and Standards for Interoperability; Approved Products             
                                   Operational Users' Navy-unique INFOSEC Requirements                                           
INDUSTRY                       C   Systems Engineering; COTS Products and Applications for Systems Integration                   
                                   INFOSEC Requirements; System Engineering Concepts; Funding                                    
                               E   R and D Results                                                                               
                                   Naval INFOSEC Requirements; R and D Funding for Technology and Concepts                       
                               M   COTS Standalone Products and Systems; Development Plans and Budgets                           
                                   Naval INFOSEC Requirements; Funding for Development                                           
INFOSEC Products and Systems   C   Operational Feedback
                                   Developed, Tested, Verified, and Installed                                                   
                               E   Operational Feedback                                                                         
                                   Developed, Tested, Verified, and Installed                                                   
                               M   Operational Feedback                                                                         
                                   Developed, Tested, Verified, and Installed                                                   
Inspector General              C   Verification of Secure Operations of INFOSEC Systems and Products (when Integrated into Information Systems)
                                                                                                                                
                               M   Verification of Secure Operations of Installed INFOSEC Products                              
                                                                                                                                
NAVMIC                         C   Threat Assessments (for INFOSEC System/Product Evaluation, and Technology Planning to Counter Deficiencies)
                                   Anticipated Naval Environment (Natural, Induced, and Manmade) in which Threat can exist
                               E   Threat Assessments (for INFOSEC System/Product Evaluation, and Technology Planning to Counter Deficiencies)
                                   Anticipated Naval Environment (Natural, Induced, and Manmade) in which Threat can exist      
                               M   Threat Assessments as Guides for Specific Products                                           
                                   Naval Environment for Threat, Security CONOPS; Feedback on Operations                        
NAVSECGRU                      C   Naval INFOSEC Vulnerability                                                                  
                                   Documentation of System Characteristics and Options                                          
                               E   Naval INFOSEC Vulnerability                                                                  
                                                                                                                                
NCCOSC                         M   Fleet User Support; In-service S/EA and SSA PD51 Product Support; Installation Guides and Drawings; TEMPEST and Operational System Security Testing, Certification and Accreditation, NAVCIRT, all at NESSEC
                                   ISSEA and SSA Requests; Trouble Reports; Feedback on INFOSEC Effectiveness                    
NCTC                           C   Keying Material; Training                                                                     
                                                                                                                                 
                               M   Keying Material; Training                                                                     
                                                                                                                                 
NIS                            C   Security Policy for Operators                                                                 
                                                                                                                                 
                               M   Security Policy for Operators                                                                 
                                                                                                                                 
NIST                           C   INFOSEC Standards, GOTS Products, Applications                                                
                                                                                                                                 
                               E   INFOSEC Standards and Applications (for Product Technical Evaluation)                         
                                   Naval INFOSEC Requirements                                                                    
                               M   INFOSEC Products and Applications                                                             
                                   INFOSEC Product Requirements                                                                  
NRL                            E   INFOSEC Studies and Analyses, R and D, Prototypes                                             
                                   INFOSEC Research Goals and Plans; Tasking and Funding                                         
NSA                            C   INFOSEC Technology, Products, Standards, Policy, Doctrine; MOAs                               
                                   MOAs with Program Managers and PD51                                                           
                               E   INFOSEC Technology, Products, Profiles, Applications, C and A Strategies; MOAs                
                                   Operational Users' General INFOSEC Requirements; MOAs                                         
NTC                            C   Provides INFOSEC Product/Application Operation and Maintenance Training Curricula             
                                   Provides INFOSEC Product/Application Materials to Support Development of Curricula            
Operational Users              C   "1-800" PD51C Contact for INFOSEC Engineering Support, INFOSEC Requirements and Deficiencies; System Implementation; C and A
                                   Responses to "1-800" Requests; Reports, Bulletins, etc.
                               E   "1-800" PD51E Contact for INFOSEC Support, Technology and Systems Engineering Guidance, Conference Participation; Operational Comments
                                   Responses to "1-800" Requests; Reports, Bulletins, etc.
                               M   "1-800" PD51M Contact for INFOSEC Product and Systems, Life-cycle Support, Implementation; Feedback on INFOSEC Products and Systems
                                   Responses to "1-800" Requests; Reports, Bulletins, etc.; INFOSEC Standalone Products and Systems, Operational Documentation; In-Service Engineering Support; Security Policies for Operators; DAA Activities; Keying Materials
OPNAV                          C   Naval INFOSEC Requirements                                                                    
                                   Users' Requirements                                                                           
                               E   Naval INFOSEC Missions; Funding                                                               
                                   POM Requests for Funding; Operational Mission Feedback                                        
                               M                                                                                                 
                                   Users' Requirements                                                                           
OPTEVFOR                       C   OT&E Results                                                                                 
                                   Documentation of System and its Operation, Installation and Operator Training                
                               M   OT and E Results                                                                             
                                   Documentation of Product/Application and its Operation, Installation and Operator Training   
Program Managers               C   Review INFOSEC Needs for Acquired and Supported Information Systems with Defined System CONOPS; Request INFOSEC Support, Participation in System Design Process and Reviews
                                   Risk Assessments, Security CONOPS, T&E Requirements; INFOSEC Engineering Support, Product and Technology Insertion, Architectural Considerations, Standards, C&A Support; Embedded Product Guidance; Users' Security Requirements and Feedback
                               M   Identify Needs for Products and Systems
                                   Acquired and Supported Products, Systems, Associated Documentation; DAA Functions; Feedback on Information System INFOSEC Performance; Users' Security Requirements
SECNAV &/or NISMC              C   INFOSEC Policy                                                                               
                                   Operational Feedback and Lessons Learned