DEPARTMENT OF THE NAVY
COMMANDER NAVAL RESERVE FORCE
NEW ORLEANS, LOUISIANA 70146-5000
COMNAVRESFORINST 5239.1A
16 JUL 1993
COMNAVRESFOR INSTRUCTION 5239.1A
Subj: NAVAL RESERVE FORCE AUTOMATED INFORMATION SYSTEMS SECURITY PROGRAM
Ref:
(a) DODDIR 5200.28, Security Requirements for Automated
Information Systems (NOTAL)
(b) OPNAVINST 5510.1H, DON Information and Personnel
Security Program
(c) OMB Circular A-130 Management of Federal Information
Resources (NOTAL)
(d) DODINST 5215.2, Computer Security Technical
Vulnerability Reporting Program (CSTVRP) (NOTAL)
(e) P.L. 100-235, Computer Security Act of 1987
(f) SECNAVINST 5239.2, DON Automated Information Systems
(AIS) Security Program
(g) OPNAVINST 5239.1A, DON Automatic Data Processing (ADP)
Security Program
(h) DOD 5200.28-STD, Trusted Computer System Evaluation
Criteria (NOTAL)
(i) OPNAVINST C5510.93E, Navy Implementation of National
Policy on Control of Compromising Emanations
(j) COMNAVRESFORINST 5500.3, Naval Reserve Force Security
Manual
(k) CNO Washington 241959Z Jan 86 (NAVOP 006/86)
(canceled 24 Apr 86)
(l) CSP-1, Communications Security Policy Manual
(m) OPNAVINST 5530.14B, DON Physical Security and Loss
Prevention
Encl:
(1) Definition of Terms
(2) Minimum Program Requirements
(3) Related Documents
(4) Incident and Vulnerability Report Format
1. Purpose
a. To establish the Naval Reserve Force Automated
Information Systems (AIS) Security Program.
b. To define the organizational structure to execute the
Naval Reserve Force AIS Security Program.
c. To issue policies and guidelines necessary for
consistent and effective implementation throughout the Naval
Reserve.
d. To apply basic policy and principles of security as
they relate to computer-based systems which handle classified,
sensitive unclassified, and unclassified information.
e. To implement references (a) through (g).
2. Cancellation. COMNAVRESFORINST 5239.1, COMNAVRESFORNOTE
5239 of 9 JUL 1990 and reports COMNAVRESFOR 5239-1 and 5239-2.
3. Objective. To ensure the availability of reliable information and automated support required to meet the Commander,
Naval Reserve Force (COMNAVRESFOR) mission by adequately protecting all AISs, networks and computer resources against accidental
or intentional destruction, unauthorized disclosure, denial of
service and unauthorized modification. This objective will be
met by ensuring that countermeasures provided by physical, administrative and operational procedures, personnel, communications,
emanations, hardware, software, and data security elements are
collectively adequate to protect against such events as material
hazards, fire, misuse, espionage, sabotage, or malicious acts.
4. Scope. This instruction applies to:
a. All COMNAVRESFOR activities.
b. All contractors who operate, own or control AIS, networks or computer resources on COMNAVRESFOR premises, or those
command-owned systems at government-owned, contractor-operated
facilities or those command-owned systems at contractor facilities.
c. All AISs, networks, and computer resources designed,
developed or procured by COMNAVRESFOR activities.
d. Joint service or other AIS, networks, or computer resources
operated by, but not owned by COMNAVRESFOR, when security requirements have not been specified.
e. Printing and imaging equipment or systems which are part
of an AIS, connected to a network, or driven by process control
or embedded computers.
5. Definitions. Accreditation is an essential program concept.
Accreditation is a decision by the responsible Designated Approving Authority (DAA) resulting in formal declaration that appropriate countermeasures have been properly implemented for the
computer activity or network, so that activity or network is
operating at an acceptable level of risk. Enclosure (1) contains
additional definitions.
6. Minimum Program Requirements. Enclosure (2) outlines
minimum requirements essential to the accomplishments of the
objectives of this instruction. DAAs will ensure that these
minimum requirements are satisfied to meet the needs of their
area of responsibility.
7. Related Material. Enclosure (3) lists related directives
and instructions used in management of the Department of Navy AIS
Security Program.
8. Policy. All AIS, networks and computer resources will be
protected by continuous employment of appropriate protective
measures. The following policies apply:
a. Accreditation. AIS, networks and computer resources
will be accredited by the appropriate DAA based on a risk
management process.
(1) AIS not accredited may operate if the appropriate
DAA has issued an Interim Authority To Operate (IATO) for a
period not to exceed one year.
(2) An accreditation or IATO may be issued for an
entire system or group of systems in those instances where the
DAA has determined that such a "blanket" IATO or accreditation
represents the most efficient means of maintaining system
operability while ensuring security.
(3) Accreditations will be reviewed at least once every
three years, or when changes to the functionality, architectural
data processed, user population, or environment may result in
increased exposure of the AIS, network, or computer resource to
harm. If no such change has taken place, the accreditation may
be reissued based upon a thorough review of the previous accreditation documentation.
b. Life Cycle Management. Action shall be taken throughout
the life cycle of an AIS, network, or other automated information
resource to ensure compliance with security policies.
(1) The developing command or activity is responsible
for ensuring the early and continuous involvement of the users,
security staff, data owners and DAAs in defining and implementing
security requirements of the system.
(2) Acquisition and procurement documents for all
COMNAVRESFOR AIS, networks, or other computer resources must
require compliance with this and related computer security
directives.
(3) To the maximum extent possible, computer security
will be built into systems such that system users are relieved
of the details of assessing, testing, and developing security
for those systems.
c. Risk Management. DAAs will ensure that a continuing
risk management process is in effect to minimize the potential
for unauthorized disclosure of sensitive information,
modification, or destruction of assets or denial of service.
Risk management shall be applied throughout the life cycle.
d. Contingency Planning. Contingency plans shall be
developed and, to the maximum extent feasible, tested to ensure
that they function in a reliable manner and that adequate backup
functions are in place to ensure that critical service is maintained.
(1) DAAs are responsible for determining contingency
plan requirements for systems under their purview.
(2) Plans shall be tested prior to accreditation or
reaccreditation under realistic operational conditions to the
maximum extent feasible.
(3) If contingency plans cannot be tested realistically
prior to accreditation, the DAA may issue an IATO pending testing
within one year.
e. DAA. The DAA is responsible for formally granting
authority to operate systems based upon an acceptable level of
risk.
(1) DAA responsibility is vested in the commanding
officer with the exceptions of: Systems processing Sensitive
Compartmented Information (SCI)/Intelligence Data, National
Cryptologic data, or Single Integrated Operational Plan - Extremely Sensitive Information (SIOP-ESI). References (f)
and (g) designate DAA for above excepted systems.
(2) COMNAVRESFOR program managers for embedded systems
will ensure identification of the DAA for those systems.
In such circumstances, the DAAs need not have direct control over
their systems’ users.
(3) The senior COMNAVRESFOR officer using a Joint Service
or non-Department of the Navy AIS, network or computer resource
shall be the DAA for the Naval Reserve Force.
f. User Access. An AIS, network or other computer
resource will follow the “least privilege” principle (as defined
in reference (a)) so that each user is granted access to only the
information to which the user is entitled by virtue of security
clearance or formal access approval, and only the resources
necessary to perform assigned functions. In absence of a specific positive access grant, user access defaults to no access.
g. Security Implementation. All computer resources that
process or handle classified or sensitive unclassified information shall implement Controlled Access Protection (Class C2)
functionality as defined in reference (h).
(1) Class C2 protection provides for discretionary
access control, clearing of storage objects before reuse,
individual accountability and audit trails. Implementation of
Class C2 security for all appropriate systems may not be
feasible if the required security technology is not available.
(2) Personal computers will be protected by hardware,
software, and security operating procedures to provide
reasonable security until such time as effective Class C2 protection becomes available for personal computers.
(3) Personal computers processing classified information
will use strictly removable data storage systems with the following exceptions:
(a) Systems located in an area certified for open
storage of information classified at an equal or higher level
as processed on the system.
(b) Systems for which written procedures are
developed and implemented that allow classified data only on
removable media components of the system. Fixed storage media
components of the system will be examined for classified data
on a routine basis. Systems operating under this exception
will be upgraded to use strictly removable storage media as
soon as possible.
h. Emanations Security (TEMPEST). Per reference (i), a
TEMPEST Vulnerability Assessment Request (TVAR) will be forwarded, via the Chain of Command, to Commander, Naval
Investigative Service Command for all AISs processing data
classified Secret and above. A TVAR must be submitted prior
to processing of any Secret and higher data. TEMPEST certified
equipment is not required for CONUS commands, including Alaska
and Hawaii, processing GENSER Secret or below and SPECAT Confidential and below.
i. Interoperability. Security measures for systems that
are connected to other systems via networks or long-haul
communications will employ those technological security solutions which provide for interoperability to the maximum extent
feasible.
j. The echelon II command Automated Information System(s)
Security Officer (AISSO) functions as the AIS Security Program
Manager and will have direct access to COMNAVRESFOR, the Chief
of Staff, and the Inspector General. AISSOs at lower echelons
should have direct access to their activity commanding officer
or officer in charge on matters relating to AIS security.
9. Program Elements. There are several interdependent
elements in any security program. Of these elements, only AIS
security is managed per this instruction. The remaining elements
are managed under other directives which will be used as required
to support the AIS Security Program. The major elements are:
a. Information Security. A system of policies and
procedures for identifying, controlling and protecting from
unauthorized disclosure, information whose protection is
authorized by statute or executive order. Managed by the Chief
of Naval Operations (CNO) under reference (b) and COMNAVRESFOR
under reference (j).
b. AIS/Computer Security. Technical and procedural measures
to provide an acceptable level of protection for AISs, networks
or other computer resources. Managed by the Deputy Assistant
Secretary of the Navy for Information Resources Management following references (a) and (c) through (g). Special emphasis placed
on:
(1) Computer security training and awareness. All hands,
civilian, military and contractor, should receive appropriate
training and awareness information, commensurate with their
duties and responsibilities.
(2) Access Control. Physical, procedural and technical
controls must be put in place to ensure that only authorized
personnel with need-to-know are allowed to manipulate data. In
the absence of positive grants of access, systems should default
to no access (least privilege).
(3) Risk Assessment. Per reference (g) a risk assessment should be performed to provide decision makers with management tools to aid in securing systems. Automation of risk
assessment should be used to reduce the administrative burden
wherever feasible. Risk assessment methods should be commensurate with complexity and quantity of AIS resources. The
reporting requirements for risk assessment documentation as
outlined in reference (g) have been canceled by reference (k).
Accreditation documentation should be retained at the activity
as a special interest item.
(4) Contingency Planning. Contingency plans are
necessary for all systems essential to the performance of an
activity’s mission. A contingency plan is not complete until
it has been tested under realistic operational conditions.
Complexity of the contingency plan is dependent upon the system
configuration and its need for mission performance.
(5) Analysis and Correction of Security Incidents and
Vulnerabilities. Per references (d), (f), and (g), AIS security
incidents and vulnerabilities will be reported, via the Chain
of Command, to the COMNAVRESFOR AISSO. Enclosure (3) provides
the reporting format. AIS security incidents and vulnerabilities in the following categories will be reported:
(a) Virus infection or occurrence of other malicious programs such as Trojan Horses, Logic Bombs, or Worms.
(b) Disclosure or loss of classified or sensitive
unclassified data.
(c) Unauthorized, intentional destruction or loss
of software or hardware.
(d) Accidental destruction or loss of software or
hardware resulting in losses of $1000 or greater.
c. Communications Security. Protective measures taken to
deny unauthorized persons information derived from telecommunications and to ensure the authenticity of such communications.
Managed by CNO (N6) under reference (l).
d. Personnel Security. Procedures for screening all
individuals to ensure a level of trustworthiness which is
commensurate with the duties of the individual. Managed by
CNO (N09N1) under reference (b) and COMNAVRESFOR under
reference (j).
e. Physical Security. Physical measures designed to safeguard personnel, prevent unauthorized access to equipment,
installations, material, computer media and documents, and to
safeguard against espionage, sabotage, damage and theft.
Managed by CNO (N09N2) under reference (m) and COMNAVRESFOR
under reference (j).
f. Emanations Security (TEMPEST). TEMPEST is the study and
control of spurious signals emitted by electrical equipment.
Managed under reference (i). The COMNAVRESFOR AISSO will also
function as the TEMPEST Control Officer.
g. Network Security. COMNAVRESFOR network security
management and control will be accomplished by the designated
echelon II and/or III Network Security Officer (NSO) under
guidance of the COMNAVRESFOR AISSO.
10. Responsibilities
a. COMNAVRESFOR is responsible for the claimancy-wide AIS
Security Program.
b. The commanders or directors of all echelon III Naval
Reserve Force commands are responsible for their respective AIS
Security Programs which will be in concert with the intent and
spirit of references (f) and (g).
c. Subordinate commanding officers are equally responsible
for AIS security at their respective levels.
d. The echelon II command AISSO is a full-time program
management billet in which the incumbent, serving under a
COMNAVRESFOR warrant, performs the below duties:
(1) Provide policy, coordination, and management oversight
of the overall COMNAVRESFOR AIS Security program including
unclassified data, program development, implementation, control,
and planning, programming and budgeting consistent with national
goals and policies established at the Department of Defense (DoD)
and Department of the Navy (DoN) level.
(2) Serve as the COMNAVRESFOR focal point in all matters
relating to the DoN AIS Security Program.
(a) Coordinate, consolidate, present, and defend
Program Objective Memoranda inputs.
(b) Provide for COMNAVRESFOR’s compliance with the
DoD Computer Security Technical Vulnerability Reporting Program.
(c) Represent COMNAVRESFOR in National Computer
Security Center policy actions and requests for assistance.
(d) Advise Naval Computer and Telecommunications
Command, Naval Electronics Systems Security Center, and others
of computer security and/or TEMPEST matters of general DoN
interest for publication, as appropriate. Emphasis should be
placed on reporting significant security difficulties and
their correction.
(3) Draft instructions relating to AIS security.
(4) Coordinate procedures for physical protection of
AIS resources throughout the command and prepare instructions
and manuals relating to these procedures.
(5) Provide guidance to AIS security staff at echelon
II command headquarters, echelon III, IV, and V commands, and
other field activities in formulating and implementing adequate security plans, procedures, risk assessments and contingency plans.
(6) Review and forward all TEMPEST Vulnerability
Assessment Requests to Commander, Naval Investigative Service
Command.
(7) Review and forward accreditation requests for
activities and networks processing National Cryptologic, Sensitive Compartmented Information (SCI)/Intelligence and Single
Integrated Operational Plan - Extremely Sensitive Information
(SIOP-ESI) to the appropriate DAA.
(8) Develop and conduct command AIS security awareness
and training courses.
(9) Make necessary reports to CNO, DoD, and other AIS
security managers.
(10) Serve as a senior advisor to contracting officers’
technical representative(s) and/or as a designated contract
task monitor.
(11) Design and coordinate security procedures for new
systems.
(12) Review current and planned automated systems and
procedures to ensure that effective security integrity is
included and maintained.
e. The NSO, appointed by the Deputy Chief of Staff for
Information Systems, will:
(1) Oversee, manage, control, and report to the AISSO
on AIS security matters relative to COMNAVRESFOR Wide Area Networks (WAN).
(2) Conduct periodic AIS security surveys of COMNAVRESFOR
WANs.
(3) Coordinate with AISSO in performing risk assessments
for COMNAVRESFOR WANs.
(4) Maintain a registry of authorized WAN users.
f. A Terminal Area Security Officer (TASO) will be
appointed by each Flag Special Assistant and Deputy Chief of
Staff. Each TASO will:
(1) Maintain a complete AIS equipment and software
inventory consistent with standards and procedures established
by the AISSO.
(2) Conduct and report on periodic (minimum annually)
audits of AIS devices to ensure that only authorized software
is being used and that there is no unauthorized software duplication, distribution, or use (piracy) occurring within the area
of responsibility.
(3) Conduct and/or assist the AISSO in conducting
periodic AIS Security Surveys and Risk Assessments.
(4) Assist the AISSO in preparing TVARs as necessary.
(5) Enforce all security requirements implemented by the
AISSO for remote terminal areas and stand-alone devices.
(6) Ensure that all countermeasures required to protect
the areas, data, devices, and information are in place.
(7) Provide AIS Security Incident and Vulnerability
Reports to the AISSO.
g. Each echelon III, IV, and V command will:
(1) Develop and manage a program to implement Secretary
of the Navy, CNO and COMNAVRESFOR policy.
(2) Coordinate with echelon II and other echelon III,
IV, and V commands, as appropriate.
(3) Appoint, in writing, in the command Collateral Duty
Notice a command AISSO to act as the focal point for all AIS
security matters. Appoint additional AIS security staff as NSO
and TASOs as appropriate. Provide a copy of the notice to
COMNAVRESFOR (Code 10).
(4) Provide program management recommendations to the
command AISSO, as appropriate.
(5) Provide support to COMNAVRESFOR teams performing
computer security inspections and audits, as requested.
(6) Tailor accreditation guidelines to meet their
unique requirements.
(7) Provide life cycle management technical support.
(8) Make Program Objective Memoranda recommendations
to the COMNAVRESFOR AISSO, as appropriate.
(9) Provide security training expertise or assistance,
as necessary.
(10) Provide AIS Security Incident and Vulnerability
reports to the COMNAVRESFOR AISSO.
(11) Ensure that accreditation requests for systems and
networks processing National Cryptologic, SCI/Intelligence and
SIOP-ESI data are forwarded via the chain of command to
Commander, Naval Security Group or Commander, Naval Intelligence Command, as appropriate, for forwarding to higher authority DAA.
(12) Ensure that TVARs are forwarded via the chain of
command to Commander, Naval Investigative Service Command.
(13) Conduct periodic (minimum annually) audits of AIS
devices to ensure that only authorized software is being used and
that there is no unauthorized software duplication, distribution,
or use occurring within their area of responsibility.
11. Action. Echelon II and subordinate commands will implement
this guidance within their commands.
12. Report. The AIS Security Incident and Vulnerability Report
cited in subparagraph 9b(5) above has been assigned Report Control
Symbol NSA/CSS-1057 per reference (d).
(COMNAVRESFORINST 5216.1H)
Distribution:
List B1
B2 (Less RPAAT PAC/LANT, 21A3, FT24)
C
D
F (PSD, NAS, NSA New Orleans only)
copy to:
List A (A3 (CNO N095 only))
Stocked:
COMNAVRESFOR (Code 01A)
DEFINITION OF TERMS
ASSET: Any software, data or hardware resource within an AIS
or network.
AUTOMATED INFORMATION SYSTEM (AIS): An assembly of computer
hardware, software, and/or firmware configured to collect,
create, communicate, compute, disseminate, process, store and/
or control data or information.
CERTIFICATION: The technical evaluation made as part of and in
support of the accreditation process, that establishes the
extent to which a particular computer system or network design
and implementation meets a pre-specified set of security
requirements.
COMPROMISING EMANATIONS: Unintentional relay of intelligence-bearing signals which, if intercepted and analyzed, disclose the
classified information transmitted, received, handled or otherwise processed by any information processing equipment.
TEMPEST is an unclassified short name referring to investigations and studies of compromising emanations.
COMPUTER SECURITY: Measures required to protect against
unauthorized (accidental or intentional) disclosure,
modification, or destruction of AISs, networks and computer
resources or denial of service to process data. It includes
consideration of all hardware and software functions,
characteristics, and/or features; operational procedures,
accountability procedures, and access controls at the central
computer facility, remote computer and terminal facilities;
management constraints; physical structures and devices; and
personnel and communication controls needed to provide an
acceptable level of risk for the AIS or network and for the data
or information contained therein.
COMPUTER VIRUS: See “VIRUS.”
CONTINGENCY PLAN: A plan for emergency response, backup operations, and post-disaster recovery, maintained by an activity as
a part of its AIS security program. A comprehensive statement
of all the planned actions to be taken before, during and after
a disaster or emergency condition including documented, tested
procedures which will ensure the availability of critical
computer resources and which will facilitate maintaining the
continuity of AIS operations in an emergency situation.
COUNTERMEASURE: Any action, device, procedure, technique or
other measure that reduces the vulnerability of a system.
DATA INTEGRITY: The state that exists when data is unchanged
from its source and has not been subjected to accidental or
malicious modification, unauthorized disclosure, or destruction.
DENIAL OF SERVICE: Action or actions that result in the inability
of an AIS or any essential part to perform its designated mission,
either by loss or degradation of operational capability.
EMBEDDED SYSTEM: A system that performs or controls a function,
either in whole or in part, as an integral element of a larger
system or subsystem.
INTELLIGENCE: Intelligence refers to foreign intelligence and
counter intelligence involving sensitive sources or methods.
Intelligence also includes SCI and all information that is (or
should be) marked WARNING NOTICE - INTELLIGENCE SOURCES AND
METHODS INVOLVED.
NEED-TO-KNOW: A determination made in the interest of United
States national security by the custodian of classified or
sensitive unclassified information, that a prospective recipient
has a requirement for access to, knowledge of, or possession of
the information to perform official tasks or services.
NETWORK: The interconnection of two or more independent AIS
components that provides for the transfer or sharing of computer
system assets. It is composed of a communications medium and all
components attached to that medium whose responsibility is the
transfer of information. Such components may include AISs,
packet switches, telecommunications controllers, key distribution
centers and technical control devices.
RESEARCH, DEVELOPMENT AND ACQUISITION PROCESS ACQUIRED - MISSION
CRITICAL COMPUTER RESOURCES: Includes computer resources
acquired under research, development, and acquisition procedures
for use as integral parts of weapons; command and control;
communications; intelligence; and other tactical or strategic
systems aboard ships, aircraft and shore facilities and their
support systems.
RISK: A combination of the likelihood that a threat shall occur,
the likelihood that a threat occurrence shall result in an
adverse impact, and the severity of the resulting adverse impact.
RISK ASSESSMENT: An analysis of computer system and network
assets, vulnerabilities, and threats to determine the security
requirements which must be satisfied to ensure that the system
can be operated at an acceptable level of risk.
RISK MANAGEMENT: A process through which undesirable events can
be identified, measured, controlled and prevented so as to
effectively minimize their impact or frequency of occurrence.
The fundamental element of risk management is the identification
of the security posture; i.e., the characteristics of the
functional environment from a security perspective. Risk
management identifies impact of events on the security posture
and determines whether or not such impact is acceptable and, if
not acceptable, provides for corrective action. Risk assessment,
Security Test and Evaluation (ST&E) and contingency planning
are parts of the risk management process.
SAFEGUARDS: Protective measures and controls that are prescribed
to meet the security requirements specified for an AIS, network,
or computer resource. Those safeguards may include, but are not
necessarily limited to, hardware and software security features,
operational procedures, accountability procedures, access and
distribution controls, management constraints, personnel security and physical structures, areas and devices.
SENSITIVE COMPARTMENTED INFORMATION (SCI): Information and
material that requires special controls for restricted handling
within compartmented intelligence systems and for which compartmentation is established.
SENSITIVE INFORMATION: See Sensitive Unclassified Information.
SENSITIVE UNCLASSIFIED INFORMATION: Any information the loss,
misuse, or unauthorized access to or modification of which could
adversely affect the United States national interest, the conduct
of Department of the Navy programs or the privacy of Department
of the Navy personnel (e.g., Freedom of Information Act exempt
information).
SIOP-ESI: An acronym for Single Integrated Operational Plan -
Extremely Sensitive Information; a DoD Special Access program.
TELECOMMUNICATIONS: Any transmission, emission, or reception of
signs, signals, writing, images, sounds, or information of any
nature, by wire, radio, visual, or other electromagnetic systems.
VIRUS: Code that covertly replicates itself onto previously
uncontaminated media without initiation by the operator or
authorized users. Replication usually occurs during copying of
files to magnetic media, or during computer to computer
communications. The code usually contains malicious logic that
is triggered by some predetermined event. When triggered, the
code then takes a hostile action against host computer systems.
MINIMUM PROGRAM REQUIREMENTS
1. Designated Approving Authorities will take such action as
necessary to ensure that these minimum requirements are satisfied
in a cost effective manner to meet the unique needs of their
area of responsibility:
a. Individual Accountability. Access to AISs, networks,
and other computer resources will be controlled and monitored to
ensure each person having access can be identified and held
accountable for their actions.
b. Physical Control. AIS, networks, and other computer
resources will be physically protected against damage and
unauthorized access.
c. Data Integrity. Each data base or collection of data
elements in an AIS will have an identifiable origin and use.
Its use, backup, accessibility, maintenance, movement, and
disposition will be governed on the basis of classification,
sensitivity, type of data, need-to-know and other restrictions.
d. Marking. Permanent human-readable output shall be
marked to accurately reflect the sensitivity of the information.
The marking may be automated (i.e., the AIS has the capability
to produce the markings) or may be done manually. Automated
markings on output from systems which process or handle classified information must not be relied upon to be accurate unless
security features and assurances of the system meet the requirements for a minimum security Class B1 as defined in reference
(h).
e. Access. There shall be in place an access control policy
for each AIS. It shall include features and/or procedures to
enforce the access control policy of the information contained
within the AIS. The identity of each user authorized access to
AIS shall be positively established prior to authorizing access.
f. Network/Communication Links. All communications circuits
will be secured per the communications security program. Those
handling plain text classified will be installed in an approved
protected distribution system. For purposes of accreditation, a
network shall be treated as either an interconnection of
accredited AIS (which may, themselves, be networks) or as a
single distributed system.
g. Accreditation. Each AIS, network or computer resource
shall be accredited to operate per a DAA-approved set of security
requirements.
h. Risk Management. There shall be in place a risk
management program to determine how much protection is required,
how much exists and the most economical way of providing needed
protection. Risk assessments shall be conducted:
(1) Prior to design approval.
(2) To support accreditation.
(3) Whenever there is a significant change to the system.
(4) At least once every three years.
i. Certification. Systems developers shall certify to the
users and the DAA that the system's security requirements have
been met and specify any constraints on the system or its
environment necessary to maintain the certification.
j. Contingency Planning. Each Department of the Navy
activity will develop and test a contingency plan, addressing
both automated and manual backup systems, to provide for
continuation of its mission during abnormal operating conditions. The contingency plan will be developed, tested and
maintained to ensure continued performance of mission support
and mission critical functions. It must be consistent with
disaster recovery and continuity of operations plans. Detail
and complexity should be consistent with the value and criticality of the systems.
k. Internal Security Mechanisms. After the system becomes
operational, software and files providing internal security
controls, passwords or audit trails will be safeguarded at the
highest level of data contained in the AIS, network or computer
resource. Access to internal security mechanisms will be controlled on a strict need-to-know basis.
l. Encryption. Encryption methods, standards and devices
used to protect classified data processed by an AIS, network or
computer resource must be approved by National Security Agency.
m. Emanations Security. AISs, networks and computer
resources shall comply with the emanations security (TEMPEST)
requirements of reference (i).
n. Privately Owned Resources. Use of privately owned or
leased computers, software, or Public Data Networks to conduct
official COMNAVRESFOR Navy business in a government workplace or
connected to a Navy or Marine Corps network is allowed only with
the prior written authorization of the commanding officer or DAA.
Privately owned computers shall not be used to process classified data. Policy for use of privately owned computers in
government spaces and government-owned computers on travel or in
private locations (i.e., homes) shall be established following
Federal Information Resources Management Regulation Bulletin 30
and other appropriate guidance.
Encl (2)
o. Access Warning. A warning against unauthorized access
will be displayed (physically or electronically) on all visual
display devices, cathode ray tubes or other input/output devices
upon initial connection, log-on, or system start-up of all
computer systems (direct or remote access).
p. Security Levels. All COMNAVRESFOR AIS, networks or
other computer resources must implement at least C2 Level functionality as defined in reference (h), provided feasible security technology is available.
q. Security Training and Awareness. There shall be in place a security training and awareness program to provide
training for the security needs of all persons accessing an AIS,
network, or computer resource. The program shall ensure that
all persons responsible for an AIS, network, computer resource,
and/or the information contained therein and all persons who must
access them are aware of proper operational and security-related
procedures and risks. In addition, periodic security awareness
training will be provided to all personnel. At a minimum, the
program shall meet requirements of reference (e).
r. Operational Data. No classified or sensitive unclassified data shall be introduced into an AIS, network, or computer
resource without first identifying its classification or sensitivity. Approval shall be obtained from the data owner where
appropriate.
s. Communications Security. All COMNAVRESFOR activities
will establish measures designed to deny unauthorized persons
information of value which might be derived from the possession,
study or interpretation of telecommunications.
(1) Communication Links. Transmission and communication
lines and links which provide secure communication between components of a DoN AIS authorized to process classified data will be
secured in a manner appropriate to the highest classification of
the material transmitted through such lines or links.
(2) Interface with Communications Security. A Naval
Reserve activity that operates an AIS requiring communication
support from telecommunications networks will follow applicable
Navy communications directives for the handling of classified
material.
(a) The security measures will be agreed to and
implemented before connecting to the communication network.
(b) See subparagraph 9C of this instruction.
t. Removable Media. The use of removable, securable, data
storage systems is encouraged. Fixed internal hard disks are to
be avoided, especially in systems that may be used in classified
applications. See subparagraph 8g(3) of this instruction.
u. Emergency Destruction. The requirement to establish a
policy for the destruction of media, networks, and resources
in the event of an emergency shall be addressed in the overall
risk management and contingency planning programs.
v. Degaussing. Commands processing classified information
are encouraged to acquire and use degaussing equipment approved
by National Security Agency.
w. Malicious Code. Special care shall be taken to reduce
the risk of introduction of malicious code, such as logic bombs,
trojan horses, trapdoors and viruses, into computer systems.
x. Public Disclosure. Prior to public disclosure or discussion
of specific capabilities, limitations or vulnerabilities
of systems, comply with reference (b) and Chapter 5, SECNAVINST
5720.44A.
RELATED DOCUMENTS
1. The listing below is provided to assist in implementing and
managing the DoN AIS Security Program. It is unlikely that
any activity requires the entire list. All the documents are
“NOTAL.”
a. Non-Department of the Navy references may be obtained
from the following Department of the Navy sources:
(1) ACPs, CSPs and NTPs via Commander Naval Computer and
Telecommunication COMNAVCOMTELCOM’s OPR office.
(2) DCIDs, DIAMs, SMs and USSIDs via Commander Naval
Intelligence Command COMNAVINTCOM.
(4) NACSIs or NTISSIs via NESSEC Washington.
b. Documents are listed in alphanumeric order by short title.
Numbers are for convenience only.
(1) ACP 121, “Communications Instructions - General”
(2) ACP 122, “Communications Instructions - Security”
(3) CSC-STD-002-85, “Department of Defense Password Management Guideline”
(4) NCSC-TG-025, “A Guide to Understanding Data Remanence
in Automated Information Systems”
(5) CSP-1, “Communications Security Policy Manual”
(6) DCID No. 1/16, “Security Policy on Intelligence
Information in Automated Systems and Networks (U)”
(7) DIAM 50-3, Defense Intelligence Agency (DIA) Manual
No. 50-3, “Physical Security Standards for Sensitive Compartmented
Information Facilities (SCIFs)”
(8) DIAM 50-4, Defense Intelligence Agency (DIA) Manual No.
50-4, “Security of Compartmented Computer Operations”
(9) DODDIR C5105.21-M-1 of Jan 85, “Sensitive Compartmented Information (SCI) Security Manual, Administrative Security (U)”
(10) DODDIR 5000.29 of 26 Apr 76, “Management of Computer
Resources in Major Defense Systems”
(11) DODDIR 5010.38 of 14 Apr 87, “Internal Management
Control Program”
Encl (3)
(12) DODDIR C5030.58 of 16 May 77, “Consolidation of
Telecommunications Centers Involving Defense Special Security
Communications Systems and General Service Communications (U)”
(13) DODDIR 5200.1 of 7 Jun 82, “DOD Information Security
Program”
(14) DOD 5200.1-R of Jun 86, “Information Security
Program Regulation”
(15) DODDIR 5200.2 of 20 Dec 79, “DOD Personnel Security
Program”
(16) DODDIR C5200.5 of 6 Oct 81, “Communications Security
(COMSEC) (U)”
(17) DODDIR 5200.12 of 16 May 88, “Conduct of Classified
Meetings”
(18) DODDIR S5200.19 of 10 Feb 68, “Control of Compromising Emanations (U)”
(19) DODDIR 5200.28 of 21 Mar 88, “Security Requirements
for Automated Information Systems (AISs)”
(20) DOD 5200.28-M of 1 Jan 73, “ADP Security Manual”
(21) DOD 5200.28-STD of Dec 85, “Department of Defense
Trusted Computer System Evaluation Criteria”
(22) DODINST 5210.74 of 26 Jun 85, “Security of Defense
Contractor Telecommunications”
(23) DODDIR 5215.1 of 25 Oct 82, “Computer Security
Evaluation Center”
(24) DODINST 5215.2 of 2 Sep 86, “Computer Security
Technical Vulnerability Reporting Program (CSTVRP)”
(25) DODDIR 5220.22 of 8 Dec 80, “DOD Industrial
Security Program”
(26) DOD 5220.22-M of Mar 89, “Industrial Security
Manual for Safeguarding Classified Information”
(27) DODDIR 7740.1 of 20 Jun 83, “DOD Information
Resources Management Program”
(28) DODDIR 7920.1 of 20 Jun 88, “Life Cycle Management
of Automated Information Systems (AIS)”
(29) E.O. 12356, “National Security Information”
(30) FIRMR Bulletin 30, “Use of small Government-owned
computers off site and use of personally owned computers in
Federal offices”
(31) JCS Publication 6-03.7, “Security Policy for the
WWMCCS Intercomputer Network”
(32) NSDD-145, “National Policy on Telecommunications
and Automated Information Systems Security”
(33) NTISSI 7000 of 17 Oct 88, “National Telecommunications
and Information System Security Instruction (NTISSI) 7000,
‘TEMPEST Countermeasures for Facilities (U)’”
(34) NTP-4, “Naval Telecommunications Procedures - Fleet
Communications”
(35) OMB Bulletin 88-16, “Guidance for Preparation and
Submission of Security Plans for Federal Computer Systems
Containing Sensitive Information”
(36) OMB Circular A-130, “Management of Federal Information Resources”
(37) OPNAVINST 5510.1H, “Department of the Navy Information and Personnel Security Program Regulation”
(38) OPNAVINST C5510.93E, “Navy Implementation of
National Policy on Control of Compromising Emanations (U)”
(39) OPNAVINST 5530.14B, “Department of the Navy Physical Security and Loss Prevention”
(40) SECNAVINST 5720.44A, “Department of the Navy
Public Affairs Policy and Regulations”
(41) SM 313-83, “Safeguarding the Single Integrated
Operational Plan (U)”
(42) USSID 702, “Automatic Data Processing (ADP)
Systems Security (U)”
INCIDENT AND VULNERABILITY REPORT FORMAT
Classification Markings/Distribution Statement. (Computer
incident and vulnerability reports are normally UNCLASSIFIED.
However, they will be classified at least CONFIDENTIAL if
classified data was disclosed or the report describes a
vulnerability allowing unauthorized access to classified data.)
A. Required information.
1. Report Date.
2. Contact.
a. Name.
b. Organization.
c. Mailing Address.
d. Phone Number.
e. Position.
3. Hardware/Software.
a. List hardware and system configuration.
b. Software description.
(1) Operating system (include release/version number).
(2) Describe any unique attributes - i.e., locally
modified special security properties.
B. Summary of the security incident or vulnerability. A
description of the nature and effect of the incident or
vulnerability in as general terms as possible. (Penetration of
the AIS by an unauthorized user, i.e., exploitation of a technical
vulnerability, introduction of malicious code.)
C. Detailed description of the security incident or vulnerability.
1. A scenario that describes specific conditions to
demonstrate the weakness or design deficiency. The description
should sufficiently describe the conditions so that the
vulnerability can be repeated without further information.
2. Describe the specific impact or effect of the incident
or vulnerability in terms of the following:
- Denial of service or recovery time (work hours).
- Alteration of information.
- Compromise of data.
Encl (4)
Indicate the number of systems affected and work hours expended
in resolving the incident. Cite specific examples as appropriate.
3. For incidents or vulnerabilities involving commercial
products, indicate whether or not the affected vendor has been
notified.
D. Suggested fixes. Describe any procedures you have discovered
that will reduce the impact of the incident or vulnerability.
E. Additional Information.
1. Systems Specifics.
a. Location
b. Owner
c. Network Connections
d. Security Attributes
2. System use and highest classification of data on system.
3. Additional clarifying information