440.4 - National Security Information Automated Information Systems


Date: 12/15/1995

OPR: Admin/Security

1. Purpose. This chapter establishes policy for securing and protecting National Security Information (hereafter referred to as classified information) when processed, stored, or transmitted in computer and networking systems (collectively referred to as an automated information system (AIS)).

2. Scope. The policy set forth in this chapter applies to all U.S. Geological Survey (USGS) systems which store, process, or transmit classified information. A USGS system is an AIS which is owned, leased, or operated by a USGS office or by a contractor on behalf of the USGS.

3. Authority.

A. Executive Order 12958, Classified National Security Information, dated April 17, 1995.

B. Office of Management and Budget (OMB) Circular A-130, Appendix III, Security of Federal Automated Information Systems.

C. Computer Fraud and Abuse Act of 1986 (P.L. 99-474).

D. Computer Security Act of 1987 (P.L. 100-235).

4. Definitions. A glossary of terms and definitions which relates to AIS classified applications is at Appendix A.

5. Policy.

A. All AIS's that store, process, or transmit classified information shall be protected in a manner consistent with Federal policies, procedures, standards, and statutes cited in paragraph 3 above. Classified material contained in an AIS shall be safeguarded by the continuous employment of protective features in the system's hardware and software design and configuration. Furthermore, AIS's that process, store, or use classified data and produce classified information shall, with reasonable dependability, prevent deliberate or inadvertent access to classified material by unauthorized persons, and unauthorized manipulation of the computer and its associated peripheral devices.

B. Classified projects undertaken for another Government agency that require the use of a classified AIS may be carried out either under the security regulations of the sponsoring agency or this chapter. Security measures to apply will be prescribed when the agreement is made, and there will be no deviation from the agreement thereafter except with mutual consent of both the performing office and the sponsoring organization. When security measures are not prescribed in the agreement, the provisions of this chapter shall apply. A copy of any such agreement together with a copy of the sponsoring agency's security regulation, if applicable, will be provided by the AIS owner to the USGS Security Officer.

6. Responsibilities.

A. Division Chiefs. Division Chiefs are responsible for ensuring the security of their information and telecommunications systems by complying with Federal policies, procedures, standards, and statutes cited in paragraph 3 above and the procedures contained in this Chapter. Unless specifically delegated in writing, Division Chiefs also serve as the accreditation authority for all classified AIS's in their respective divisions.

B. Designated Accrediting Authorities (DAA). DAA's are responsible for reviewing certification results, threat assessment, employed safeguards, vulnerabilities, and risk levels and making an accreditation decision to either: (a) accept the risk; (b) grant interim approval to operate and fix deficiencies; or (c) shut down, fix deficiencies, and recertify.

C. AIS Owners. AIS owners are responsible for ensuring that the AIS is designed, developed, operated, used, maintained, and disposed of in accordance with the Federal policies, procedures, standards, and statutes cited in paragraph 3 above and the procedures contained in this chapter. Owners must also designate a Sensitive Applications Security Officer (SASO) and a Network Security Manager, if applicable; establish and maintain the system documentation described in paragraph 8 below; and ensure that the AIS has been properly accredited by an accreditation authority.

D. USGS Security Officer. The USGS Security Officer shall ensure that all AIS's that store, process, transfer, or communicate classified information are properly secured in compliance with Federal policies, procedures, standards, and statutes cited in paragraph 3 above and this chapter. Also the USGS Security Officer shall serve as the designated certification agent, coordinating the various activities of the certification team's review process and jointly certifying all classified AIS operations with the Bureau Automated Information Systems Security Administrator (BAISSA).

E. BAISSA. The BAISSA certifies, jointly with the USGS Security Officer, all classified AIS operations.

F. SASO. Designated SASO's are responsible for ensuring compliance with security requirements. This responsibility includes, but is not limited to the following:

(1) Ensure that the AIS is used, operated, and maintained in accordance with the applicable AIS Security Plan.

(2) Enforce the security policy and safeguards on all personnel who have access to the AIS.

(3) Ensure that users have the required clearances and authorizations, have been indoctrinated, and are familiar with documented security practices before gaining access to the AIS.

(4) Ensure that audit trails are reviewed and analyzed as prescribed in the AIS Security Plan.

(5) Initiate protective or corrective measures if a security problem develops.

(6) Report security incidents to the BAISSA, the accrediting authority, and, if involving the possible loss or compromise of classified information, to the USGS Security Officer.

(7) Evaluate known vulnerabilities to determine whether additional safeguards are needed.

(8) Approve and document the movement of AIS equipment.

(9) Approve the release of equipment and components in accordance with clearing and sanitizing standards.

(10) Administer the AIS Security Plan procedures to prevent classified information from migrating to unclassified AIS's and leaving the security area.

G. Network Security Manager. When designated, a Network Security Manager is responsible for ensuring compliance with the network security requirements as described in the AIS Security Plan.

H. Classified AIS Users. Each user must adhere strictly to the specific security measures and internal security controls that are established for safeguarding the integrity and validity of the classified AIS and the information it contains. Users must report immediately any violations or suspected violations of AIS security measures to the SASO.

7. Certification and Accreditation. The AIS owner shall obtain written accreditation from an accrediting authority prior to processing classified information on an AIS. To obtain accreditation, the AIS owner shall submit a formal request together with the system documentation described in paragraph 8 below through the certification agent to the accrediting authority.

A. Certification. Certification is the comprehensive evaluation of technical and nontechnical security features to establish the extent to which an AIS has met the security requirements necessary for it to process classified information. Certification is performed by a certification team composed of the USGS Security Officer (certification agent), BAISSA, and other technically qualified and appropriately cleared personnel as determined by the certification agent. Certification is based on the analysis and evaluation of the system documentation submitted by the AIS owner.

The certification, made as part of and in support of the accreditation process, shall identify risks in operating the system as specified and determine the extent to which a particular design and implementation meet a specified set of security requirements. Certification concludes with a written recommendation to the accrediting authority to accept, reject, or operate the system under conditions different from those specified in the system documentation.

B. Accreditation. Accreditation is the formal approval by the Director, an Associate Director, a Division Chief, or a DAA to use a system to process classified information. An official written declaration by the accreditation authority shall be issued for all certified AIS's to operate with specified security safeguards. Associate Directors and Division Chiefs have the authority to delegate accreditation authority to line managers who possess the authority to allocate resources to achieve acceptable security and to remedy security deficiencies.

(1) Reaccreditation. Reaccreditation includes those steps required for the initial accreditation except that existing documentation found to be valid and current may be used. All classified systems must be reaccredited every 3 years or after any of the following occurs:

(a) A change in criticality and/or sensitivity level that causes a change in the countermeasures required.

(b) A change in the security policy (e.g., access control policy).

(c) A change in the threat or system risk.

(d) A change in the activity that requires a different security mode of operation.

(e) Additions or a change to the operating system or to software providing security features.

(f) Except as provided in paragraph 21J, additions or a change to the hardware that requires a change in the approved security countermeasures.

(g) A breach of security, a breach of system integrity, or an unusual situation that appears to invalidate the accreditation by revealing a flaw in security design.

(h) A significant change to the physical structure of the facility or to the operating procedures.

(i) A significant change to the configuration of the system (e.g., a workstation is connected to the system outside the approved configuration).

(j) For networks, the inclusion of an addition (separately accredited system(s)) or the modification/replacement of a subscribing system that affects the security of that system, unless accredited inclusion procedures are approved in the AIS Security Plan.

(k) Results of an audit or external analysis.

(2) Deaccreditation. The accreditation authority and certifying agent must be notified in writing by the AIS owner when the requirement to process classified material on an AIS no longer exists. The notification shall include a statement regarding the location of all pertinent system records for the required retention period. When appropriate, a certification of sanitization/disposition of memory components and/or magnetic media shall be provided in the notification. Accreditation may also be withdrawn due to inactivity if the AIS has not processed classified data during the previous 6 months or failure to adhere to the security practices and procedures.

C. Equipment not Requiring Accreditation. Some equipment/components, to include test equipment, fit the definition of an AIS, whereas others may not. The AIS owner will determine and document the capability of such equipment in the context of the equipment/components' ability to collect and process information. As a general rule, equipment composed of volatile memory with no other storage media would not require accreditation and only requires approval by the USGS Security Officer to process classified information. AIS components that need not be included in the system accreditation include, but are not limited to, electronic typewriters, basic function calculators, and test equipment.

8. System Documentation. The AIS owner will develop and maintain the following system documentation, tailored to the processing requirements and system environment.

A. AIS Security Plan. A system security plan will be prepared and maintained. The document must identify all actions to be taken to implement or modify the security features of the system and bring together all applicable regulations and special procedures. It will describe the required degree of compliance to the requirements and provide for review and revision as appropriate whenever hardware, software, configuration, or usage changes are made that have an impact on security. The AIS Security Plan Outline, Appendix B, is provided to assist plan preparers and to ensure the submitted plan is in a recognizable format and complete. An AIS Security Plan Guide that provides an annotated outline, with prompts, questions, and instructions can be obtained from the certification agent.

B. Risk Management. A risk management review shall be conducted in accordance with SM 600.5.8B to identify risks and needed countermeasures and specify additional security requirements based on the review. The risk analysis produces the statement of the level of risk associated with operating the AIS. The risk analysis, as a minimum, shall include or calculate the potential risk to a classified AIS using the AIS Threat List, Appendix C. A risk assessment methodology and instructions for conducting a manual risk assessment can be obtained from the certification agent.

C. Contingency Plan. A contingency plan is required for each computer installation and classified AIS application to ensure that interruptions of service are kept at a minimum. The plan must provide procedures to ensure the continuation of information processing capability in the case of an AIS-related disaster resulting from fire, flood, malicious act, human error or any other occurrence that might adversely affect or threaten to affect the capability of the AIS or network to process information. The disaster recovery plan may be included as part of the AIS Security Plan and must, as a minimum, include the following elements:

(1) Backup. Backup copies of the data and software vital to the continued functions of the AIS must be made as specified in the AIS Security Plan. Backup copies must be stored and periodically updated at a secure site sufficiently distant from the primary AIS site to assure that backups will not be destroyed by the same local event.

(2) Documentation. Pre-planned disaster recovery action must be documented, including provisions for special security measures, damage assessment, repairing or obtaining computer hardware, and any other action required for restoration of AIS processing capabilities.

(3) Implementation and Testing. Appropriately cleared personnel must be designated to implement the contingency plan in the event of an actual or potential AIS-related disaster. A simulation or test of the contingency plan must be conducted at least annually in order to validate its adequacy for ensuring the continuation of information processing capability in response to a disaster.

D. Configuration Management.

(1) The AIS owner must implement and document a configuration management program for the security of AIS's processing classified information. The configuration management program must include an approach for specifying, documenting, controlling, and maintaining the visibility and accountability of all appropriate AIS hardware, firmware, software, communication interfaces, operating procedures, installation structures, and changes thereto. Except for those changes that require reaccreditation, all changes to the baseline documentation must be reported to the accreditation authority and certification agent.

(2) The configuration management plan will include the following as a minimum: procedures for identifying the trusted baseline (i.e., those portions of the documentation defining the hardware, firmware, and software communications, interfaces, operating procedures, and installation structures related to the security of the AIS); procedures and policies to be used for controlling the trusted baseline, including a configuration control board; and a configuration accounting system. (Note: for a small and simple AIS, the AIS owner may develop a configuration management system that is commensurate with the complexity of the system. For example, a configuration control board may not be practical for a small system.) The configuration management plan may be submitted as part of the AIS Security Plan.

9. Security Modes. All classified AIS's and networks must be accredited to operate in one of the following modes (described in subsequent paragraphs): Dedicated Security Mode, System-High Security Mode, Compartmented Security Mode, or Multilevel Security Mode. Accreditation requirements for classified AIS's vary with their mode of operation. In determining the mode of operation of an AIS, three elements must be addressed: the boundary and perimeter of the system, the classification level of the data to be processed, and the clearance level and access privileges of intended users. The boundary of a system includes all users that are directly or indirectly connected and who can receive data from the system. The perimeter is the extent of the system that is to be accredited as a single system.

10. Dedicated Security Mode. An AIS is operating in the dedicated mode when each user with direct or indirect access to the AIS, its peripherals, remote terminals, or remote hosts has:

- a personnel security clearance and need-to-know for all information stored or processed, and

- if applicable, has all formal access approvals and has executed all appropriate nondisclosure agreements for all the information stored and/or processed (including all compartments and sub-compartments).

A. Security Requirements for the Dedicated Mode. The following security requirements are established for AIS's operating in the dedicated mode:

(1) Enforce system access procedures.

(2) All hardcopy output and media removed will be handled at the level for which the system is accredited until reviewed by a knowledgeable individual.


B. Security Features for the Dedicated Mode. Since the system is not required to provide technical security features, it is up to the user to protect the information on the system.

C. Security Assurances for the Dedicated Mode. Configuration management procedures must be employed to maintain the ability of the AIS to protect classified information. The system configuration management procedures shall include an approach for specifying, documenting, controlling, and maintaining the visibility and accountability of all appropriate AIS hardware, firmware, software, communication interfaces, operating procedures, installation structures and changes thereto.

11. System-High Security Mode. An AIS is operating in the system high mode when each user with direct or indirect access to the AIS, its peripherals, remote terminals, or remote hosts has:

- a personnel security clearance for all information on the AIS;

- has access approval and has signed nondisclosure agreements for all the information stored and/or processed; and

- a need-to-know for some of the information contained within the system.

A. Security Features for System-High Mode. AIS's operating in the system high mode, in addition to meeting all the security standards established for the dedicated mode, will:

(1) Define and control access between system users and named objects (e.g., files and programs). The enforcement mechanism must allow system users to specify and control the sharing of those objects by named individuals and/or explicitly defined groups of individuals. The access control mechanism must either, by explicit user action or by default, provide that all objects are protected from unauthorized access (discretionary access control). Access permission to an object by users not already possessing access permission must only be assigned by authorized users of the object.

(2) Provide an audit trail capability that records time, date, user ID, terminal ID (if applicable), and file name for the following events:

(a) System log on and log off.

(b) Unsuccessful access attempts.

(3) Protect the audit, identification, and authentication mechanisms from unauthorized access, modification, or deletion.

(4) Require that storage contain no residual data from the previously contained object before being assigned, allocated, or reallocated to another object.

(5) Ensure that each person having access to a multi-user AIS has the proper security clearances and authorizations and is uniquely identified and authenticated before access to the AIS is permitted. The identification and authentication methods used shall be specified and approved in the AIS security plan. User access controls in multi-user AIS's shall include authorization, user identification, and authentication; administrative controls for assigning these shall be covered in the AIS security plan.

(a) User Authorizations. The AIS owner or designated manager or supervisor of each user of an AIS shall determine the required authorizations, such as need-to-know for that user.

(b) User Identification. Each system user shall have a unique user identifier and authenticator. Prior to reuse of a user ID, all previous access authorizations (including file accesses for that user ID) shall be removed from the AIS. The SASO shall ensure the development and implementation of procedures for the prompt removal of access from the AIS when the need for access no longer exists. The SASO shall ensure that all user ID's are revalidated at least annually, and information such as sponsor and means of off-line contact (e.g., phone number, mailing address) are updated as necessary.

(6) Authenticate each user of a multi-user AIS before access is permitted. This authentication can be based on any one of three types of information: something the person knows (e.g., a password); something the person possesses (e.g., a card or key); something about the person (e.g., fingerprints or voiceprints); or a combination of these three. Authenticators that are passwords shall be changed at least every 6 months. Multi-user AIS's shall ensure that each user of the AIS is authenticated before access is permitted.

(a) Logon. Users shall be required to authenticate their identities at "logon" time by supplying their authenticator (e.g., password, smart card or fingerprints) in conjunction with their user ID.

(b) Protection of Authenticator. An authenticator that is in the form of knowledge or possession (password, smart card, or keys) shall not be shared with anyone. Authenticators shall be protected at a level commensurate with the accreditation level of the AIS.

(c) Additional Authentication Countermeasures. Where the operating system provides the capability, the following features shall be implemented:

(7) Control successive logon attempts by denying access after multiple (maximum of five) unsuccessful attempts on the same user ID, by limiting the number of access attempts in a specified time period, by the use of a time delay control system, or other such methods accredited in the AIS security plan.

(8) Notify the user upon successful logon of the date and time of the user's last logon; the ID of the terminal used at last logon, and the number of unsuccessful logon attempts using this user ID since the last successful logon. This notice shall be displayed after each successful logon and require positive action by the user to remove the notice from the screen.
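The following is an added illustration of the controls in paragraphs 11.A(2), 11.A(7) and 11.A(8) together; it is not USGS code. It assumes passwords are stored as salted PBKDF2 hashes, that a locked user ID stays locked until the SASO re-enables it, and that `now` defaults to the current time so fixed timestamps can be injected.

```python
"""Model of the System-High mode logon controls in paragraphs 11.A(2), 11.A(7)
and 11.A(8). Added illustration, not USGS code; hashing scheme, lockout
handling and timestamp injection are assumptions."""
from dataclasses import dataclass
from datetime import datetime
import hashlib
import hmac
import os
from typing import Dict, List, Optional

MAX_FAILED_ATTEMPTS = 5  # 11.A(7): deny access after a maximum of five failures


@dataclass
class AuditRecord:
    """11.A(2): time/date, user ID, terminal ID and event for each logon event."""
    when: datetime
    user_id: str
    terminal_id: str
    event: str  # "LOGON", "LOGOFF" or "LOGON_FAILED"


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    failed_since_last_success: int = 0
    locked: bool = False
    last_logon: Optional[datetime] = None
    last_terminal: Optional[str] = None


class LogonController:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.audit_trail: List[AuditRecord] = []

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, salt, self._hash(password, salt))

    def unlock(self, user_id: str) -> None:
        """Assumed SASO action after a lockout is investigated; the failure
        count is kept so the user still sees it in the 11.A(8) notice."""
        self.accounts[user_id].locked = False

    def _audit(self, user_id: str, terminal_id: str, event: str, now: datetime) -> None:
        self.audit_trail.append(AuditRecord(now, user_id, terminal_id, event))

    def logon(self, user_id: str, password: str, terminal_id: str,
              now: Optional[datetime] = None) -> Optional[dict]:
        """Return the 11.A(8) notice on success, or None when access is denied."""
        now = now or datetime.now()
        acct = self.accounts.get(user_id)
        if acct is None or acct.locked:
            # Unknown and locked IDs are refused identically and still audited.
            self._audit(user_id, terminal_id, "LOGON_FAILED", now)
            return None
        if not hmac.compare_digest(acct.pw_hash, self._hash(password, acct.salt)):
            acct.failed_since_last_success += 1
            self._audit(user_id, terminal_id, "LOGON_FAILED", now)
            if acct.failed_since_last_success >= MAX_FAILED_ATTEMPTS:
                acct.locked = True  # 11.A(7): fifth failure on the same ID locks it
            return None
        # 11.A(8): notice the user must positively acknowledge before it clears.
        notice = {
            "last_logon": acct.last_logon,
            "last_terminal": acct.last_terminal,
            "failed_attempts_since_last_logon": acct.failed_since_last_success,
        }
        acct.failed_since_last_success = 0
        acct.last_logon, acct.last_terminal = now, terminal_id
        self._audit(user_id, terminal_id, "LOGON", now)
        return notice

    def logoff(self, user_id: str, terminal_id: str,
               now: Optional[datetime] = None) -> None:
        self._audit(user_id, terminal_id, "LOGOFF", now or datetime.now())
```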

B. Security Assurances for System-High Mode.

(1) Examination of Hardware and Software. AIS hardware and software shall be examined when received from the vendor and before being placed into use.

(a) AIS Hardware. An examination shall result in assurance that the equipment appears to be in good working order and has no elements that might be detrimental to the secure operation of the resource. Subsequent changes and developments which affect security may require additional examination.

(b) AIS Software. Commercially procured software shall be examined commensurate with the risk management review to assure that the software contains no features that might be detrimental to the security of the AIS. Security-related software shall be examined to assure that the security features function as specified.

(c) Custom Software or Hardware Systems. New or significantly changed security relevant software and hardware developed specifically for the system shall be subject to testing and review at appropriate stages of development.

(2) Security Testing. The system security features for need-to-know controls will be tested and verified. Identified flaws will be corrected.

12. Compartmented Security Mode. An AIS is operating in the compartmented mode when a user with direct or indirect access to the AIS, its peripherals, or remote terminals has:

- a personnel security clearance for the most restricted information processed;

- formal access approval but some users do not have formal access approval for all compartments or sub-compartments processed by the AIS;

- signed nondisclosure agreements for that information to which they are to have access; and

- a valid need-to-know for that information for which they are to have access.

A. Security Features for Compartmented Mode. In addition to all security features and security assurances required for the system high mode of operation, AIS's operating in the compartmented mode of operation shall also include:

(1) Security Labels. The AIS shall place security labels on all entities (e.g., files) reflecting the sensitivity (classification level, classification category, and handling caveats) of the information and the authorizations (security clearances, need-to-know, formal access approvals) for users. These labels shall be an integral part of the electronic data or media. These security labels shall be compared and validated before a user is granted access to a resource.

(2) Export of Security Labels. Security labels exported from the AIS shall be accurate representations of the corresponding security labels on the information in the originating AIS.

(3) Mandatory Access Controls. Mandatory access controls shall provide a means of restricting access to files based on the sensitivity (as represented by the label) of the information contained in the files and the formal authorization (i.e., security clearance) of users to access information of such sensitivity.

(4) Compartmented Access. No information shall be accessed whose compartment is inconsistent with the session log on.

(5) Trusted Communications Path. Support a trusted communications path between itself and each user for initial logon and verification for AIS's processing Top Secret information.

(6) Hard-Copy Marking. Enforce, under system control, a system-generated, printed, and human-readable security classification level banner at the top and bottom of each physical page of system hard-copy output.

(7) Audit. Audit these additional events: the routing of all system jobs and output, and changes to security labels.

B. Security Assurances for Compartmented Mode.

(1) Confidence in Software Source. In acquiring resources to be used as part of an AIS, consideration shall be given to the level of confidence placed in the vendor to provide a quality product, to support the security features of the product, and to assist in the correction of any flaws.

(2) Flaw Discovery. A vendor shall have implemented a method for ensuring the discovery of flaws in the system (hardware, firmware, or software) that may have an effect on the security.

(3) Description of Security Enforcement Mechanisms. The protections and provisions of the security enforcement mechanisms (often referred to as the Trusted Computing Base) shall be documented in such a manner to show the underlying planning for the security. The security enforcement mechanisms shall be isolated and protected from any user or unauthorized process interference or modification. Hardware and software features shall be provided that can be used to periodically validate the correct operation of the elements of the security enforcement mechanisms.

(4) Validation and Verification. The AIS owner shall perform validation and verification testing of the system. An AIS Test Plan shall be documented and approved by the Certification Team. The AIS Test Plan and the testing results shall be included in the AIS Security Plan.

(5) Security Label Integrity. The methodology shall ensure: integrity of the security labels, the association of security labels with the transmitted data, and enforcement of the control features of the security labels.

(6) Detailed Design of Security Enforcement Mechanisms. An informal description of the security policy model enforced by the system shall be available.

13. Multilevel Security Mode. An AIS is operating in the multilevel security mode when all the following states are satisfied concerning the users with direct or indirect access to the AIS, its peripherals, remote terminals, or remote hosts:

- all the users of the multilevel system must have a personnel security clearance but some users may not have a personnel security clearance for all levels of the classified information residing on the system; and

- all users are cleared, have a need-to-know, and the appropriate access approval (i.e., signed nondisclosure agreements) for information to be accessed.

A. Security Features for Multilevel Mode. In addition to all security features and security assurances required for the compartmented mode of operation, AIS's operating in the multilevel mode shall also include:

(1) A mechanism that is able to monitor the occurrence or accumulation of security relevant events that may indicate an imminent violation of security policy. This mechanism shall be able to immediately notify the SASO when thresholds are exceeded and, if the occurrence or accumulation of these security relevant events continues, the system shall take the least disruptive action to terminate the event.

(2) Access controls that are capable of specifying, for each named object, a list of named individuals and list of groups of named individuals with their respective modes of access to that object. It will be possible to specify for each named object a list of named individuals and a list of groups of named individuals for which no access to the object is to be given.

(3) Support a trusted communications path between the AIS and users for use when a positive AIS-to-user connection is required (i.e., logon, change subject security level). Communications via this trusted path shall be activated exclusively by a user or the AIS and shall be logically isolated and unmistakably distinguishable from other paths.

(4) Support separate operator and administrator functions. The functions performed in the role of a security administrator shall be identified. The AIS system administrative personnel shall only be able to perform security administrator functions after taking distinct auditable action to assume the security administrative role of the AIS system. Non-security functions that can be performed in the security administrative role shall be limited strictly to those essential to performing the security role effectively.

(5) Provide procedures and/or mechanisms to assure that, after an AIS system failure or other discontinuity, recovery without a protection compromise is obtained.

(6) Immediately notify a terminal user of each change in the security level associated with that user during an interactive session. A user shall be able to query the system as desired for a display of the user's complete sensitivity label.

(7) Enforce an upgrade or downgrade principle where all users processing have a system-maintained classification; no data is read that is classified higher than the processing session authorized; and no data is written unless its security classification level is equal to the user's authorized processing security classification.
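As an added illustration (not USGS code) of the label checks in paragraphs 12.A(1) through 12.A(4) and 12.A(6) together with the read/write rule of 13.A(7), the model below assumes four sample classification levels, named compartments as the "categories" of a label, and a session label chosen at logon; requiring compartment equality on write is an assumption, since 13.A(7) only states level equality.

```python
"""Model of label-based access decisions for compartmented and multilevel
mode (paragraphs 12.A(1)-(4), 12.A(6), 13.A(7)). Added illustration, not
USGS code; level names and compartments are constructed sample values."""
from dataclasses import dataclass
from typing import FrozenSet, List

# Ordered classification levels (constructed); the integer lets us compare them.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """12.A(1): classification level plus compartments (classification categories)."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """A clearance or session dominates data when its level is at least as
        high and its compartments include every compartment of the data."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass(frozen=True)
class Session:
    user_id: str
    clearance: Label               # clearance plus formal access approvals
    session_label: Label           # level/compartments selected at logon
    need_to_know: FrozenSet[str]   # object names the user is authorized for

    def __post_init__(self) -> None:
        # A session may never be labelled above what the user is cleared for.
        if not self.clearance.dominates(self.session_label):
            raise ValueError("session label exceeds user clearance")


def may_read(session: Session, obj_name: str, obj_label: Label) -> bool:
    """12.A(3): clearance must dominate the label; 12.A(4) and 13.A(7): the
    compartment and level must be consistent with the session logon (no
    read-up); need-to-know is the discretionary part from 11.A(1)."""
    return (session.clearance.dominates(obj_label)
            and session.session_label.dominates(obj_label)
            and obj_name in session.need_to_know)


def may_write(session: Session, obj_name: str, obj_label: Label) -> bool:
    """13.A(7): data is written only at exactly the session's classification
    (assumption: compartments must match as well), and only with need-to-know."""
    return (obj_label == session.session_label
            and obj_name in session.need_to_know)


def banner(label: Label) -> str:
    """12.A(2): exported label must faithfully represent the internal label.
    Format 'LEVEL//COMP1//COMP2' with compartments sorted is constructed."""
    return "//".join([label.level, *sorted(label.compartments)])


def mark_hardcopy(pages: List[str], label: Label) -> List[str]:
    """12.A(6): system-generated banner at the top and bottom of every page."""
    b = banner(label)
    return [f"{b}\n{page}\n{b}" for page in pages]
```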

B. Security Assurances of Multilevel Mode.


(1) Flaw Tracking and Remediation. The vendor shall provide evidence that all discovered flaws have been tracked and remedied.

(2) Life-Cycle Assurance. The development of the AIS hardware, firmware, and software shall be under life-cycle control and management (i.e., control of the AIS from the earliest design stage through decommissioning).

(3) Separation of Functions. The functions of the SASO and the AIS manager shall not be performed by the same person.

(4) Device Labels. The methodology shall ensure that the originating and destination device labels are part of each message header and enforce the control features of the data flow between originator and destination.

(5) Trusted Path. The system shall support a trusted communications path between the user and system security mechanisms.

(6) Security Isolation. The security enforcement mechanism shall maintain a domain for its own execution that protects it from external interference and tampering (e.g., by reading or modification of its code and data structures). The protection of the security enforcement mechanism shall provide isolation and noncircumvention of isolation functions.

(7) Security Penetration Testing. In addition to testing the performance of the AIS for certification, there shall be testing to attempt to penetrate the security measures of the system. The test procedures shall be documented in the test plan for certification and also in the test plan for ongoing testing.

14. Trusted Computing Base (TCB) Systems.

A. Criteria. The criteria for characterizing the technical level of trust (i.e., standards of technical security protection) to be met by systems processing classified information are those set forth in Department of Defense Standard 5200.28-STD, December 1985, "Department of Defense Trusted Computer System Evaluation Criteria." These criteria for trusted systems establish levels of trust that represent a relative measure of a system's ability to protect classified information. For each mode of operation, a higher level of TCB may be mandated for a particular AIS by the owner or the responsible accrediting authority.

B. Implementation. A trusted system with an appropriate level of trust may be implemented by: (1) using and correctly implementing products available on the National Computer Security Center's Evaluated Products List (EPL); (2) designing and implementing a new AIS to meet the specified level of trust; or (3) a combination of both. In any event, the resulting system shall be evaluated in its operational environment to ensure that all appropriate criteria are satisfied. When suitable products are available on the EPL, they should be incorporated into new systems and into the upgrade of existing systems when feasible. The national goal is for all classified AIS's to become trusted systems incorporating trusted products by the year 2000.

15. Physical Security.

A. Physical Security safeguards shall be established that prevent or detect unauthorized access to accredited system entry points and unauthorized modification of the AIS hardware and software. Hardware integrity of the AIS, including remote equipment, shall be maintained at all times, even when the AIS is not processing or storing classified information.

B. Attended classified processing shall take place in an area, normally a Controlled Area (see Paragraph 2, Chapter 5, Physical Security Handbook (440-2-H)), where authorized persons can exercise constant surveillance and control of the AIS. All unescorted personnel in the area must have a personnel security clearance at the appropriate level, and controls must be in place to restrict visual and aural access to classified information.

C. When the AIS is processing classified information unattended, or when classified information remains on an unattended AIS, the area shall be approved by the USGS Security Officer for open storage. An open storage area shall be confined to a Restricted Area (see Paragraph 2, Chapter 5, Physical Security Handbook (440-2-H)). The area shall meet the construction criteria for a strongroom (see Paragraph 5, Chapter 5, Physical Security Handbook (440-2-H)). Supplemental protection is also required. The supplemental protection shall consist of a USGS Security Officer approved intrusion detection system or patrols by appropriately cleared security guards every 2 hours for Top Secret open storage and every 4 hours for Secret open storage.

D. When the AIS is not in use, and has been downgraded to unclassified, physical security safeguards shall be implemented through one or more of the following methods:

(1) Continuous supervision by authorized personnel.

(2) Use of approved cabinets, enclosures, seals, locks or a Controlled Area that provides continuous area controls that prevent or detect tampering or theft of hardware and software.

16. Software Controls.

A. Employees and contractor personnel who design, develop, test, install, or make modifications to systems, or use security software, shall be cleared to the level of the AIS. Non-system or applications software that will be used during classified processing periods can be developed or modified by personnel without a clearance. However, before software developed by uncleared persons is used in a classified processing period, it must be reviewed or tested by authorized knowledgeable cleared employees to provide reasonable assurance that security vulnerabilities do not exist.

B. The AIS security plan must provide procedures for approval by the accrediting authority for the installation of any software on the AIS.

C. Software provided on media that may be written to (e.g., magnetic media) must be safeguarded commensurate with the accreditation level unless a physical write-protect mechanism is used. (Mechanisms shall be tested and verified by attempting to write to the media.) The write protection mechanism must be verified once during each session when it is used to process classified information.

D. Unclassified software provided on media that cannot be changed (e.g., CD read-only media) may be loaded into the classified system without being labeled or classified.

E. The AIS owner shall validate the functionality of the security-related software (e.g., access control, auditing, sanitizing, etc.) before the AIS is accredited. The software shall be revalidated when changed.

F. The AIS owner must verify that all software is free of malicious code prior to installation.

G. Unclassified vendor-supplied software used for maintenance or diagnostics must be controlled as though classified.

H. Incidents involving malicious software will be immediately reported to the BAISSA. If the incident affects the integrity of classified information, the USGS Security Officer will be notified immediately and a written report detailing the findings of this investigation will be submitted to the USGS Security Officer in accordance with SM 440.3.16B.

17. Media Controls.

A. In general, media that contains classified information will be handled in accordance with the procedures contained in National Security Information Handbook (440-3-H).

B. All storage media used for classified data on dedicated and system high AIS's must be labeled and controlled to the highest level of the information on the AIS. However, information not at the highest level may be written to appropriate classified/unclassified media using accredited AIS Security Plan procedures.

C. All data storage media for compartmented and multi-level AIS's must be labeled and controlled to the highest level of the information contained on the media.

D. When two or more AIS's are collocated in the same security area and processing at different levels or compartments, procedures described in the AIS Security Plan will be used to distinguish among them.

E. Authorized sanitization procedures for the most commonly used memory and storage media are defined in the Clearing and Sanitization Matrix, Appendix D.

F. Media must be sanitized and all classification markings and labels removed before media can be declassified. Sanitization actions must be verified and recorded to show the date, the particular sanitization action taken, and the person taking the action.

G. Media must be sanitized and declassified prior to release from continuous protection.

H. All printed output from an AIS processing in the dedicated or system high mode must be treated as though classified until verified to be unclassified.

18. Security Audits.

A. In addition to the audits required under security modes, the following logs are required regardless of mode of operation. The logs must include the date, the event, and the person responsible.

(1) Maintenance, repair, installation, or removal of hardware components. Log must include the component involved, and action taken.

(2) Installation, testing, and modification of operating system and security-related software. Log must include the software involved and action taken.

(3) Upgrading and downgrading actions.

(4) Sanitization and declassifying media and devices.

(5) Application and reapplication of seals, when used.

(6) Area Register. When property, or a portion thereof, is closed to the public (designated a Closed Area or Restricted Area), admission is restricted to authorized personnel who will register upon entry into the property as prescribed by Chapter 8, Identification and Admittance to Facilities, Physical Security Handbook (440-3-H).

B. At intervals specified in the AIS Security Plan, the SASO (or designee) shall review, analyze, and annotate audit records created during classified processing periods to ensure that all pertinent activity is properly recorded and appropriate action has been taken to correct anomalies.

C. Audit trail records shall be retained until reviewed and released by the SASO. In any case, they shall be reviewed and released before they are 12 months old.

19. AIS Operations.

A. Security Level Upgrading. To increase the level of processing on an AIS, the following procedures must be implemented:

(1) Adjust the area control to the level of information to be processed.

(2) Configure the AIS as described in the AIS Security Plan. The use of logical disconnects is prohibited for AIS processing Top Secret information.

(3) Remove and store removable data storage media not to be used during the processing period.

(4) Clear all memory including buffer storage.

(5) Initialize the system for processing at the approved level of operation with a dedicated copy of the operating system. This copy of the operating system must be protected commensurate with the highest security classification and access levels of the information to be processed.

B. Security Level Downgrading. To lower the level of processing, the following procedures must be implemented:

(1) Remove and store removable data storage media not to be used during the lower processing period.

(2) Clear the memory and buffer storage of the equipment to be downgraded, for collateral Secret and below; sanitize for Top Secret.

(3) Sanitize printers.

(4) For classified processing, configure the AIS as described in the AIS Security Plan.

(5) Adjust the area controls to the level of information to be processed.

(6) Initialize the system for processing at the lower level with a dedicated copy of the operating system. This copy of the operating system must be protected commensurate with the security classification and access levels of the information to be processed during the period.

20. Identification and Authentication Techniques. When the AIS is processing classified information, the controls on access to any unattended hardware must conform to those required for the highest level of classified material processed on the AIS. Specific user identification and authentication techniques and procedures will be included in the AIS Security Plan. Examples of identification and authentication techniques include, but are not limited to: user ID's and passwords, tokens, biometrics, and smartcards.

A. User ID's identify users in the system and are used in conjunction with authentication techniques to gain access to the system. User ID's will be disabled whenever a user no longer has a need-to-know or proper clearance. The user ID will be deleted from the system only after review of programs and data associated with the ID. Disabled accounts will be removed from the system as soon as practical. Access attempts will be limited to five tries. Users who fail to access the system within the established limits will be denied access until the user's ID is reactivated.

B. When used, system logon passwords will be randomly selected and will be at least six characters in length.

(1) Appropriate guidance must be provided by the SASO to users prior to their choosing their own logon passwords. When an automated system logon-password generation routine is used, it must be described in the AIS Security Plan.

(2) Passwords must be validated by the system each time the user accesses the system.

(3) System logon passwords must not be displayed at any terminal or printed on any printer.

(4) Passwords will not be shared by any user.

(5) Passwords will be classified and controlled at the highest level of the information accessed.

(6) Passwords must be changed at least every 6 months.

(7) Immediately following a suspected or known compromise of a password, the SASO will be notified and a new password issued.
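The account rules of paragraphs 20.A and 20.B, as an added Python example that is not the chapter's own code: five failed attempts lock the user ID until it is reactivated, passwords must be at least six characters, and a password older than six months must be changed. The salted PBKDF2 digest, the 180-day reading of "6 months", and refusing logon once a password has expired are choices made here for illustration.

```python
"""Account state machine for the identification and authentication rules in
paragraphs 20.A and 20.B. Added example, not the chapter's own code; the
hashing choice and the 180-day limit are assumptions made here."""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from datetime import date, timedelta

MAX_ATTEMPTS = 5                        # 20.A: access attempts limited to five tries
MIN_PASSWORD_LEN = 6                    # 20.B: at least six characters in length
MAX_PASSWORD_AGE = timedelta(days=180)  # 20.B(6): changed at least every 6 months (assumed 180 days)
_ALPHABET = string.ascii_letters + string.digits


@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    set_on: date            # date the current password was issued
    failures: int = 0       # consecutive failed attempts since the last success
    locked: bool = False    # 20.A: denied until the user ID is reactivated
    disabled: bool = False  # 20.A: user no longer has need-to-know or clearance


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 (chosen here); encrypting the master file
    itself, as 20.C asks when practical, is outside this example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def generate_password(length: int = 8) -> str:
    """20.B: a randomly selected logon password of at least six characters."""
    length = max(length, MIN_PASSWORD_LEN)
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def set_password(acct: Account, password: str, today: date) -> None:
    """Issues a new password, rejecting anything below the minimum length."""
    if len(password) < MIN_PASSWORD_LEN:
        raise ValueError("password must be at least six characters")
    acct.salt = secrets.token_bytes(16)
    acct.digest = _digest(password, acct.salt)
    acct.set_on = today


def create_account(user_id: str, password: str, today: date) -> Account:
    acct = Account(user_id, b"", b"", today)
    set_password(acct, password, today)
    return acct


def authenticate(acct: Account, password: str, today: date) -> tuple[bool, str]:
    """One logon attempt; returns (granted, reason) for the audit trail."""
    if acct.disabled:
        return False, "user ID disabled"
    if acct.locked:
        return False, "user ID locked; reactivation required"
    if not hmac.compare_digest(_digest(password, acct.salt), acct.digest):
        acct.failures += 1
        if acct.failures >= MAX_ATTEMPTS:
            acct.locked = True  # 20.A: denied until the ID is reactivated
            return False, "locked after five failed attempts"
        return False, f"authentication failed ({acct.failures} of {MAX_ATTEMPTS})"
    acct.failures = 0
    if today - acct.set_on > MAX_PASSWORD_AGE:
        return False, "password older than six months; change required"
    return True, "access granted"


def reactivate(acct: Account) -> None:
    """20.A: a locked user ID becomes usable again only after reactivation."""
    acct.locked = False
    acct.failures = 0


def disable(acct: Account) -> None:
    """20.A: disable the ID when need-to-know or clearance lapses."""
    acct.disabled = True


def handle_compromise(acct: Account, today: date) -> str:
    """20.B(7): on a suspected or known compromise, issue a new password at
    once. The returned value is handed to the user through the SASO."""
    new_password = generate_password()
    set_password(acct, new_password, today)
    return new_password
```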

C. Master data files containing the system logon passwords of the user population will be encrypted when practical. Access to the files will be limited to the SASO and a designee identified in the AIS Security Plan.

D. When classified and unclassified AIS are collocated, the following requirements apply:

(1) The AIS owner must document procedures in the AIS Security Plan to ensure the protection of classified information.

(2) The unclassified AIS cannot be connected to the classified AIS.

(3) Users shall be provided a special awareness briefing.

E. When two or more AIS's are collocated in the same security area and processing at different levels or compartments, procedures described in the AIS Security Plan will be used to distinguish among them.

21. Maintenance.

A. Cleared personnel who perform maintenance or diagnostics do not normally require an escort. Need-to-know for access to classified information must be enforced. Uncleared maintenance personnel must always be escorted by a cleared and technically knowledgeable individual. The SASO must ensure that escorts of uncleared maintenance personnel are trained and sufficiently knowledgeable concerning the AIS Security Plan, established security policies and practices, and escorting procedures.

B. If maintenance is being conducted by appropriately cleared personnel, system sanitizing or component isolation are a local option. If maintenance is being performed by uncleared personnel, steps must be taken to effectively deny access to classified information by the uncleared person and any maintenance equipment or software used; these procedures should be documented in the AIS Security Plan. A technically knowledgeable escort is preferred. If access to classified data cannot be precluded by the escort, either the component under maintenance must be physically disconnected from the classified AIS (and sanitized before and after maintenance) or the entire AIS must be sanitized before and after maintenance.

C. The dedicated copy of the system software with a direct security function shall not be used for maintenance purposes by uncleared personnel.

D. When a system failure prevents sanitization of the system prior to maintenance by uncleared vendor personnel, AIS Security Plan procedures must be enforced to deny the uncleared persons visual and electronic access to any classified data that may be contained in the system.

E. When practical, all maintenance and diagnostics will be performed in the AIS facility. Any AIS components or equipment released from secure control are no longer part of an accredited system.

F. Vendor-supplied software/firmware used for maintenance or diagnostics must be protected at the level of the accredited AIS. The AIS Security Plan may prescribe procedures, on a case-by-case basis, for the release of certain types of costly magnetic media for maintenance, such as disk head-alignment.

G. All maintenance tools, diagnostic equipment, and other devices used to service an accredited AIS must be approved by the SASO.


H. Any component board placed into an accredited AIS must remain in the security area until proper release procedures are completed.

I. Remote diagnostic or maintenance services are strongly discouraged. If remote diagnostic or maintenance services become necessary, the AIS shall be sanitized and disconnected from any communication links to a network, prior to the connection of any non-secured communication line.

J. The SASO may approve and document additional or replacement components of a dedicated or system high AIS that are identical in functionality and do not affect the security of the AIS.

22. Networks. Network operations shall maintain the integrity of the security features and assurances of its mode of operation.

A. Types of Networks.

(1) A unified network is a collection of AIS's or network systems that are accredited as a single entity by a single accrediting authority. A unified network may be as simple as a small standalone local area network (LAN) operating in a dedicated mode, following a single security policy, accredited as a single entity, and administered by a single SASO. The perimeter of such a network encompasses all its hardware, software, and attached devices. Its boundary extends to all its users. A unified network has a single mode of operation based on the clearance level, access, and need-to-know. This mode of operation will be commensurate with the level of trust required and will address the risk of the least trusted user obtaining the most sensitive information processed or stored on the network.

(2) An interconnected network comprises separately accredited AIS's and/or unified networks. Each self-contained AIS maintains its own intra-AIS services and controls, protects its own resources, and retains its individual accreditation. Each participating AIS or unified network has its own SASO. The interconnected network must have a security support structure capable of adjudicating the different security policies (implementations) of the participating AIS's or unified networks. An interconnected network requires accreditation, which may be as simple as an addendum to a Memorandum of Agreement (MOA) between the accrediting authorities.

B. Method of Interconnection.

(1) Security Support Structure (SSS) is the hardware, software, and firmware required to adjudicate security policy and implementation differences among connecting unified networks and/or AIS's. The SSS must be accredited. The following requirements must be satisfied as part of the SSS accreditation:

(a) Document the security policy enforced by the SSS.

(b) Identify a single mode of operation.

(c) Document minimum contents of MOA's required for connection to the SSS.

(2) Separately Accredited Network (SAN) is a medium of interconnection of convenience. Networks and/or AIS's that are interconnected through a SAN must meet the connection rules of the SAN.

(3) The interconnection of previously accredited systems into an accredited network may require a reexamination of the security features and assurances of the contributing system to ensure their accreditations remain valid.

(a) Once an interconnected network is defined and accredited, additional networks or separate AIS's (separately accredited) may only be connected through the accredited SSS.

(b) The addition of components to contributing unified networks that are members of an accredited interconnected network is allowed provided these additions do not change the accreditation of the contributing system.

C. Network Requirements.

(1) Network Security Management. The AIS owner shall designate a Network Security Manager (NSM) for each accredited network to oversee security. The NSM is responsible for ensuring compliance with the network security requirements as described in the AIS Security Plan.

(2) Network Security Coordination.

(a) Every network must have a security plan.

(b) When different accrediting authorities are involved, a single NSM may be named that will be responsible for network security (including the network AIS security Plan). The NSM will ensure a comprehensive approach to enforce the overall security policy required by the network security plan.

(3) Specific network requirements must be determined on a case-by-case basis; however, as a minimum, the AIS security plan for the network must address the following additional requirements:

(a) Description of security services and mechanisms protecting against network specific threats. Consistent with its mode of operation, the network must provide the following security services:

(i) Access control.

(ii) Data flow control.

(iii) Data separation.

(iv) Auditing.

(v) Communications integrity.

(b) Consistent implementation of security features across the network components.

(c) Configuration control of network interconnections.

(d) Protection of control of data transfers.

(e) Security features incorporated in communications protocols.

(f) Adequacy of any filtering bridge, secure gateway, or other similar security device in controlling access and data flow.

(g) Compatibility of the entire combination of operating modes when connecting a new system.

(h) Adequacy of the external system's features to support the local security policy.

23. Electronic Transmission. Protected distribution systems or National Security Agency approved encryption methodologies and devices shall be used to protect classified information when it is being transmitted between AIS or network components.

24. TEMPEST. TEMPEST is the unclassified short name used to refer to the general study of compromising emanations. These emanations are unintentional, intelligence-bearing electromagnetic signals that might disclose sensitive information transmitted, received, handled, or otherwise processed by an information-processing system. To prevent this, AIS's that process classified information must be protected in accordance with the National Policy on the Control of Compromising Emanations. For specific TEMPEST applications see National Telecommunications & Information Systems Security Instruction 7000, TEMPEST Countermeasures for Facilities (U).

25. Additional Awareness Training. Because personnel are an integral part of the security protection surrounding a classified AIS, they must particularly understand the vulnerabilities, threats, and risks inherent with classified AIS usage. All classified AIS users, custodians, maintenance personnel, and others whose work is associated with a classified AIS application must be briefed on their security responsibilities.

Appendix A

Part 440, Chapter 4

Glossary

Access. The ability and opportunity to obtain knowledge of classified information.

Accreditation. A formal declaration by an accrediting authority that the AIS is approved to operate in a particular security mode using a prescribed set of safeguards. Accreditation is the official management authorization for operation of an AIS and is based on the certification process as well as other management considerations. The accreditation statement affixes security responsibility with the accrediting authority and shows that due care has been taken for security.

Audit trail. A chronological record of system activities that is sufficient to enable the reconstruction, review, and examination of the sequence of environments and activities surrounding or leading to an operation, a procedure, or an event in a transaction from its inception to final results.

Authenticate. To establish the validity of a claimed identity.

Automated Information System (AIS). An assembly of computer hardware, software and/or firmware configured to collect, create, communicate, compute, disseminate, process, store, and/or control data or information.

Certification. The comprehensive evaluation of the technical and nontechnical security features of an AIS and other safeguards, made in support of the accreditation process, that establishes the extent to which a particular design and implementation meets a specified set of security requirements.

Classified information. Official information which has been identified and marked as Top Secret, Secret, or Confidential in the interests of national security.

Compromise. A violation of the security policy of a system such that unauthorized disclosure of classified information may have occurred.

Compromising emanation. Unintentional data-related or intelligence-bearing signals that, if intercepted and analyzed, disclose the information transmitted, received, handled, or otherwise processed by any information processing equipment.

Configuration management. The management of security features and assurances through control of changes made to a system's hardware, software, firmware, documentation, test, test fixtures, and test documentation throughout the development and operational life of the system.

Contingency plan. A plan for emergency response, backup operations, and post-disaster recovery maintained by an activity as part of its security program that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation.


Discretionary access control. A means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control).

Encryption. The protection of information passed in a telecommunications system by cryptographic means, from point of origin to point of destination.

Evaluated Products List (EPL). A list of equipment, hardware, software, and/or firmware that has been evaluated against, and found to be technically compliant, at a particular level of trust, with the DoD TCSEC by the National Computer Security Center. The EPL is included in the National Security Agency Information Systems Security Products and Services Catalogue, which is available at the Security Management Office.

Firmware. A method of organizing control of an AIS in a microprogrammed structure in addition to, or rather than, software or hardware. Microprograms are composed of microinstructions, normally resident in read-only memory, to control the sequencing of computer circuits directly at the detailed level of the single machine instruction.

Flaw. An error of commission, omission, or oversight in a system that allows protection mechanisms to be bypassed.

Internal security controls. Hardware, firmware, and software features within a system that restrict access to resources (hardware, software, and data) to authorized subjects only (persons, programs, or devices).

Mandatory access control. A means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity.

Need-to-know. In addition to a personnel security clearance, a person must have a need to have access to the particular classified information or material sought in connection with the performance of their official duties or by contractual obligations. The determination of that need will be made by the official(s) having responsibility for the classified information or material.

Network. A network is composed of a communications medium and all components attached to that medium whose responsibility is the transference of information. The term covers a broad spectrum of situations ranging from the ad hoc interconnection of a small number of geographically close, heterogeneous systems to the routine connection of an off-the-shelf system to a long-haul, larger scale packet-switched network.


Reference monitor. An access control concept that refers to an abstract machine that mediates all accesses to objects by subjects.

Risk. The probability that a particular threat will exploit a particular vulnerability of the system.

Risk analysis. The process of identifying security risks, determining their magnitude, and identifying areas needing safeguards. Risk analysis is a part of risk management.

Risk management. The total process of identifying, controlling, and eliminating or minimizing uncertain events that may affect system resources. It includes risk analysis, cost benefit analysis, selection, implementation and test, security evaluation of safeguards, and overall security review.

Security relevant event. Any event that attempts to change the security state of the system, (e.g., change discretionary access controls, change the security level of the subject, change user passwords, etc.).

Sensitive information. Any information the loss, misuse, or modification of, or unauthorized access to, which could affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under Section 552a of Title 5, U.S. Code, but that has not been specifically authorized under criteria established by an Executive order or an act of Congress to be kept classified in the interest of national defense or foreign policy.

TEMPEST. The study and control of spurious electronic signals emitted by electrical equipment.

Threat assessment. The examination of all actions and events that might adversely affect a system or operation.

Trusted computer system. A system that employs sufficient hardware and software assurance measures to allow its use for simultaneous processing of a range of sensitive or classified information.

Trusted Computing Base (TCB). The totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination of which is responsible for enforcing a security policy. A TCB consists of one or more components that together enforce a unified security policy over a product or system. The ability of a TCB to enforce correctly a unified security policy depends solely on the mechanisms within the TCB and on the correct input by system administrative personnel of parameters (e.g., a user's clearance level) related to the security policy.

Trusted Path. A mechanism by which a person at a terminal can communicate directly with the TCB. This mechanism can only be activated by the person or the TCB and cannot be imitated by untrusted software.


User. Person or process accessing an AIS either by direct connections (i.e., via terminals), or indirect connections (i.e., prepare input data or receive output that is not reviewed for content or classification by a responsible individual).

Vulnerability. A weakness in system security procedures, system design, implementation, internal security controls, etc., that could be exploited to violate system security policy.


Appendix B

Part 440, Chapter 4

SECURITY PLAN OUTLINE

1. INTRODUCTION

- Purpose and Scope

- AIS Name

- AIS Owner

- AIS Usage

- System Management

2. SECURITY POLICY

3. AIS OVERVIEW

- Facility Description

- Data Processed

- User Clearances, Formal Access, and Need-to-Know

- Mode of Operation

4. AIS DESCRIPTION

- AIS Configuration

- Software Description

- Connectivity

- Configuration Management

5. AIS ACCESS AND OPERATION

- AIS Access Controls

- Data Access Controls

- AIS Startup/Shutdown

- Mode Termination

- Backup Procedures

6. AIS AUDIT

- Manual Audit

- Automated Audit

7. SOFTWARE AND HARDWARE CONTROL

- Virus Protection

- Labeling

- Storage

- Media Transportation

- Equipment Release

8. MAINTENANCE

9. SANITIZATION AND DESTRUCTION

10. DOCUMENTATION

11. TRAINING


Appendix C

Part 440, Chapter 4

AIS THREAT LIST

Compromising Emanations. Compromising emanations are unintentional data-related or intelligence-bearing signals that, if intercepted and analyzed, may disclose the information transmitted, received, handled, or otherwise processed by any information processing equipment. Compromising emanations (emissions) can be picked up from AIS equipment and can reveal classified information.

Covert Channels. Two kinds of covert channels, timing and storage, can be threats to the AIS. Covert storage channels include all vehicles that would allow the direct or indirect writing of a storage location by one process and the direct or indirect reading of it by another. Covert timing channels include all vehicles that would allow one process to signal information to another process by modulating its own use of the system resources in such a way that the change in response time observed by the second process would provide information.

Compromise of Crypto Key. Crypto Key is the key used in the encryption/decryption of data traffic. These keys are highly sensitive and should be highly protected.

Data Corruption. Malicious modification of files, alteration of data due to hardware or software failure, and two or more users writing to a file or database at the same time are examples of data corruption. Data corruption can cause damage to an AIS's mission.

Data Loss. Data loss is defined as deletion of data, whether accidental or deliberate. Database files and user data files are included in data loss. This data does not include application programs or system software. Data can be lost through user activity or even computer programming commands. It is possible that a computer program could provide the wrong command to another program, causing data to be overwritten.

Denial of Service. During denial of service, users are not able to utilize the AIS. Denial of service can be caused accidentally or deliberately. Equipment failure may result in the denial of service to only a few users or the entire AIS.

Eavesdropping. Eavesdropping is generally regarded as tapping the communications lines of a computer system. Eavesdropping can be accomplished via telecommunications channels.

Equipment Damage. Equipment damage is any damage to equipment, whether accidental or deliberate. Equipment damage can be caused by humans or acts of God.


Hacker Penetration. A hacker penetration is defined as the act of any person who has gained unauthorized access to an AIS through illegal means. The person carrying out such a penetration does not always intend to cause harm to the AIS, yet the penetration can be very dangerous.

Hardware Implant. Hardware implants can be added to AIS hardware. These implants could impart damage to the AIS by causing it to behave in a way that is not consistent with its mission.

Hardware Theft. The act of stealing hardware is considered hardware theft. Disk packs, if stolen, may provide a perpetrator with classified information. A special hardware device, perhaps designed for a special or unique use, could prove beneficial to a perpetrator.

Knowledgeable Individuals. Knowledgeable individuals comprise the users of the AIS. They include not only the system management and operations personnel, but also the regular AIS user. The knowledge that could be exploited may concern a sensitive program or project, or how the AIS's security features are implemented.

Misdelivered Data. Misdelivered data includes any data received by a user or device that is not cleared for, does not have formal access to, or does not possess the need-to-know for the information received. It is possible that a user could receive output that does not belong to them, or for which they are not cleared. Misdelivered data can be a result of human error, system failure, or malicious activity.

Misuse of Network Connectivity. Network connectivity can be used for personal gain. An AIS may connect to another AIS for remote diagnostics. A user could utilize that AIS's hard disks for storage of personal data. A perpetrator could use illegally-gained network access as a gateway to other AIS's.

Misuse of Resources. Misuse of resources involves individuals using the AIS's resources (hard disks, etc.) to conduct personal business or for other unauthorized purposes.

Replay. Replay is defined as the unauthorized repetition of a process or transaction that permits the circumvention of system security measures. (An example is capturing other authorized users' user IDs and passwords in order to replay them and utilize their access rights.)

Software Corruption. The AIS's system software could be corrupted by an individual with system knowledge and system manager privileges. While the regular AIS user may not have access rights to the system software files, a knowledgeable user may have the ability to access and corrupt system software files, causing system downtime or possible data erasure.


Software Implant/Trojan Horse. Software implants or trojan horses can be embedded in software. Such anomalies can cause great harm to an AIS through data deletion or program malfunction.

Software Loss. Software loss is generally the deletion of software, whether intentional or accidental. It can happen through user error, software or hardware error, or malicious activity.

Software Theft. Software theft is the act of stealing software. This action can include an employee's "borrowing" a copy of the latest PC software for use on his home computer. It can violate licensing agreements between the software manufacturer and the USGS. It can also cause infringements of the U.S. Copyright Law.

Spoofing. "Spoofing" primarily threatens the security of the AIS's identification and authentication mechanism. As an example, a false AIS logon screen could be generated by a malicious program for the next user. The next user would input his user ID and password, and the malicious program would capture this input through the fake logon prompt. That user would receive an error message and would be logged off. The user would falsely believe that an incorrect user ID or password had been given, and simply try again.

Theft or Compromise of Classified Information. Theft or compromise of classified information is the act of deliberately stealing data, documents, etc., containing classified information. Compromise of classified information can be deliberate or accidental.

Unauthorized Access. Unauthorized access is defined as any unauthorized person, program, etc., receiving access to an AIS and its information through use of a pirated user ID or other means.

Unauthorized Software. Unauthorized software is any software installed on an AIS which is not authorized by the accrediting authority.

Viral Infection. A viral infection can attack an AIS through introduction of data diskettes or through network connections. Infection can cause data erasure, program malfunction, or just simple irritation. Viruses can be very dangerous through their ability to spread from AIS to AIS.


Appendix D

Part 440, Chapter 4

Clearing and Sanitization Matrix

The letters in the Clear and Sanitize columns refer to the methods a through q listed after the matrix.

Media                                          Clear          Sanitize
-----------------------------------------------------------------------
Magnetic Tape (see note 1)
  Type I                                       a or b         a, b, or m
  Type II                                      a or b         b or m
  Type III                                     a or b         m
Magnetic Disk
  Bernoullis                                   a, b, or c     m
  Floppies                                     a, b, or c     m
  Non-Removable Rigid Disk                     c              a, b, d, or m
  Removable Rigid Disk                         a, b, or c     a, b, d, or m
Optical Disk
  Read Many, Write Many                        c              m
  Read Only                                    --             m, n
  Write Once, Read Many (WORM)                 --             m, n
Memory
  Dynamic Random Access Memory (DRAM)          c or g         c, g, or m
  Electronically Alterable PROM (EAPROM)       i              j or m
  Electronically Erasable PROM (EEPROM)        i              h or m
  Erasable Programmable ROM (EPROM)            k              l then c, or m
  Flash EPROM (FEPROM)                         i              c then i, or m
  Programmable ROM (PROM)                      c              m
  Magnetic Bubble Memory                       c              a, b, c, or m
  Magnetic Core Memory                         c              a, b, e, or m
  Magnetic Plated Wire                         c              c and f, or m
  Magnetic Resistive Memory                    c              m
  Nonvolatile RAM (NOVRAM)                     c or g         c, g, or m
  Read Only Memory (ROM)                       --             m
  Static Random Access Memory (SRAM)           c or g         c and f, g, or m
Equipment
  Cathode Ray Tube (CRT)                       g              q
  Printers
    Impact                                     g              p then g
    Laser                                      g              o then g

Note 1. Type I and Type II magnetic tape can only be sanitized for reuse by using approved degaussing equipment. Type III tape cannot be sanitized by degaussing. Approved degaussing equipment is listed in the National Security Agency Information Systems Security Products and Services Catalogue. Type I magnetic tape has a coercivity of 350 oersteds or less; Type II has a coercivity between 351 and 750 oersteds; and Type III has a coercivity greater than 750 oersteds.


a. Degauss with a Type I degausser.

b. Degauss with a Type II degausser.

c. Overwrite all addressable locations with a single character.

d. Overwrite all addressable locations with a character, its complement, then a random character and verify. This method is not approved for sanitizing media that contains Top Secret information.

e. Overwrite all addressable locations with a character, its complement, then a random character.

f. Each overwrite must reside in memory for a period longer than the classified data resided.

g. Remove all power to include battery power.

h. Overwrite all locations with a random pattern, all locations with binary zeros, all locations with binary ones.

i. Perform a full chip erase as per manufacturer's data sheets.

j. Perform i above, then c above, a total of three times.

k. Perform an ultraviolet erase according to manufacturer's recommendations.

l. Perform k above, but increase time by a factor of three.

m. Destroy - Disintegrate, incinerate, pulverize, shred, or smelt.

n. Destruction required only if classified information is contained.

o. Run five pages of unclassified text (font test acceptable).

p. Ribbons must be destroyed. Platens must be cleaned.

q. Inspect and/or test screen surface for evidence of burned-in information. If present, the cathode ray tube must be destroyed.
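Methods c, d and e above are overwrite passes over every addressable location. The following added example, which is not part of this chapter, implements method d (a character, its complement, then a random character, followed by verification of the final pass) over an in-memory stand-in for the device; the BytesIO medium, the chunk size and the default fill character 0x55 are assumptions, and on real media the same passes must be applied at the device level so that every addressable location is covered.

```python
import io
import os
import secrets

CHUNK = 4096  # assumed transfer size per write; any size works


def overwrite_pass(dev, size, pattern_byte):
    """Write one byte value over every addressable location of dev."""
    dev.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        dev.write(bytes([pattern_byte]) * n)
        remaining -= n
    dev.flush()
    try:
        os.fsync(dev.fileno())  # push the pass to the device, not just the OS cache
    except OSError:
        pass  # in-memory objects such as BytesIO expose no file descriptor


def verify_pass(dev, size, pattern_byte):
    """Read every location back and confirm it holds pattern_byte."""
    dev.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        if dev.read(n) != bytes([pattern_byte]) * n:
            return False  # short read or a location that kept its old value
        remaining -= n
    return True


def overwrite_method_d(dev, size, char=0x55):
    """Appendix D method d: character, its complement, a random character,
    then verify that the final (random) pattern is what the medium holds."""
    complement = (~char) & 0xFF
    random_char = secrets.randbelow(256)
    for pattern in (char, complement, random_char):
        overwrite_pass(dev, size, pattern)
    return verify_pass(dev, size, random_char)


def sample_medium(payload=b"CONSTRUCTED SAMPLE " * 300):
    """Constructed in-memory stand-in for a device; not real media."""
    return io.BytesIO(payload)


if __name__ == "__main__":
    dev = sample_medium()
    print("verified:", overwrite_method_d(dev, len(dev.getvalue())))
```

The verify step is what distinguishes method d from method e; a location that does not read back as the final pattern (for example a defective sector) fails the procedure and the medium falls back to method m.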