
DCID 63 Manual

By Mark Jackson, 2014-05-07 10:45

FOR OFFICIAL USE ONLY

PROTECTING SENSITIVE COMPARTMENTED INFORMATION WITHIN INFORMATION SYSTEMS (DCID 6/3) MANUAL

24 MAY 2000

TABLE OF CONTENTS

1 INTRODUCTION .... 1-1
1.A Purpose and Content .... 1-1
1.B Applicability .... 1-1
1.C Administration .... 1-2
1.D Background .... 1-2
1.E System Information Collection .... 1-3
1.F How To Use This Manual .... 1-3
1.G Use of Cryptography .... 1-5
1.H General Notes .... 1-5

2 ROLES AND RESPONSIBILITIES .... 2-1
2.A Overview .... 2-1
2.A.1 Separation of Roles .... 2-1
2.A.2 Applicability .... 2-1
2.B Roles and Responsibilities .... 2-1
2.B.1 Special Provision for Waivers of Citizenship Requirements .... 2-1
2.B.2 Principal Accrediting Authority .... 2-1
2.B.3 Data Owner .... 2-2
2.B.4 Designated Accrediting Authority .... 2-3
2.B.5 Designated Accrediting Authority Representative (DAA Rep) .... 2-5
2.B.6 Information System Security Manager (ISSM) .... 2-6
2.B.7 Information System Security Officer (ISSO) .... 2-7
2.B.8 Privileged Users .... 2-8
2.B.9 General Users .... 2-9

3 LEVELS-OF-CONCERN AND PROTECTION LEVELS .... 3-1
3.A Overview .... 3-1
3.A.1 Conformance with technical security requirements .... 3-1
3.A.2 Non-Multi-User Systems .... 3-1
3.B Description of Levels-of-Concern .... 3-1
3.B.1 Overview .... 3-1
3.B.2 Determining the Level-of-Concern .... 3-1
3.C Protection Levels .... 3-2
3.C.1 Protection Level Overview .... 3-2
3.C.2 Determining Protection Levels .... 3-2
3.D Determining Security Features and Assurances .... 3-3

4 CONFIDENTIALITY SYSTEM SECURITY FEATURES AND ASSURANCES .... 4-1
4.A Overview .... 4-1
4.B Confidentiality Requirements .... 4-1
4.B.1 Protection Level 1 .... 4-3
4.B.2 Protection Level 2 .... 4-8
4.B.3 Protection Level 3 .... 4-15
4.B.4 Protection Level 4 .... 4-23
4.B.5 Protection Level 5 .... 4-33

5 INTEGRITY SYSTEM SECURITY FEATURES AND ASSURANCES .... 5-1
5.A Overview .... 5-1
5.B Integrity Requirements .... 5-1
5.B.1 Integrity - Basic .... 5-3
5.B.2 Integrity - Medium .... 5-4
5.B.3 Integrity - High .... 5-6

6 AVAILABILITY SYSTEM SECURITY FEATURES AND ASSURANCES .... 6-1
6.A Overview .... 6-1
6.B Availability Requirements .... 6-1
6.B.1 Availability - Basic .... 6-3
6.B.2 Availability - Medium .... 6-4
6.B.3 Availability - High .... 6-6

7 REQUIREMENTS FOR INTERCONNECTED ISS AND ADVANCED TECH .... 7-1
7.A Overview .... 7-1
7.B Controlled Interface .... 7-1
7.C Web Security .... 7-6
7.D Securing Servers .... 7-7
7.E Mobile Code and Executable Content .... 7-9
7.F Electronic Mail (E-mail) .... 7-10
7.G Collaborative Computing .... 7-11
7.H Distributed Processing .... 7-12

8 ADMINISTRATIVE SECURITY REQUIREMENTS .... 8-1
8.A Overview .... 8-1
8.B Procedural Security .... 8-1
8.B.1 Security Training, Education, and Awareness .... 8-1
8.B.2 Marking and Labeling .... 8-3
8.B.3 Manual Review of Human-Readable Output .... 8-7
8.B.4 Media Accountability .... 8-8
8.B.5 Media Clearing and Sanitization .... 8-8
8.B.6 Co-Location .... 8-11
8.B.7 Incident Reporting and Response .... 8-12
8.B.8 Maintenance .... 8-13
8.B.9 Records Management .... 8-17
8.C Environmental Security .... 8-17
8.C.1 Communications Security .... 8-17
8.C.2 Protected Hardware, Software, and Firmware .... 8-17
8.C.3 EMSEC/TEMPEST .... 8-18
8.C.4 Technical Surveillance Countermeasures (TSCM) .... 8-18
8.D Physical Security .... 8-18
8.E Personnel Security .... 8-18
8.F Access by Foreign Nationals to Systems Processing Intelligence Information .... 8-18
8.G Handling Caveats and Handling Restrictions .... 8-19

9 RISK MANAGEMENT, CERTIFICATION, AND ACCREDITATION .... 9-1
9.A Overview .... 9-1
9.B Risk Management .... 9-1
9.C Certification .... 9-3
9.D Accreditation .... 9-4
9.D.1 Overview .... 9-4
9.D.2 Accreditation Authority .... 9-5
9.D.3 Accreditation Process .... 9-6
9.D.4 Accreditation Decision .... 9-8
9.D.5 Invalidation of an Accreditation .... 9-9
9.D.6 Withdrawal of Accreditation .... 9-9
9.D.7 Re-evaluation of an Accreditation .... 9-9
9.E The Certification and Accreditation (C&A) Process .... 9-9
9.F C&A Process: Exceptions .... 9-12
9.G Special Categories of ISs .... 9-13
9.G.1 General .... 9-13
9.G.2 Dedicated Servers .... 9-14
9.G.3 Embedded and Special-Purpose ISs .... 9-15
9.G.4 Tactical or Deployable Systems .... 9-15
9.G.5 ISs With Group Authenticators .... 9-15
9.G.6 Information Systems Using Periods Processing .... 9-15
9.G.7 Single-User, Standalone ISs .... 9-16

APPENDICES

A CONTENTS OF AN INTERCONNECTION SECURITY AGREEMENT .... A-1
B GLOSSARY OF TERMS .... B-1
C SAMPLE SYSTEM SECURITY PLAN .... C-1
D REQUIRED SYSTEM SECURITY FEATURES AND ASSURANCES .... D-1
E BIBLIOGRAPHY .... E-1
F ACRONYMS .... F-1


1 INTRODUCTION

1.A Purpose and Content

1.A.1 This manual provides uniform policy guidance and requirements for ensuring adequate protection of certain categories of intelligence information (hereinafter intelligence information) that is stored or processed on an information system (IS). For purposes of this manual, intelligence information refers to Sensitive Compartmented Information and special access programs for intelligence under the purview of the DCI. An information system is defined as any telecommunications and/or computer related equipment or interconnected system or subsystems of equipment that is used in the acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of voice and/or data (digital or analog); it includes software, firmware, and hardware. The Director of Central Intelligence requires all United States Government departments and agencies, their contractors, and Allied governments processing intelligence information to establish, implement, maintain, and abide by the protection measures identified in this manual.

1.A.2 This manual includes:

1.A.2.a Requirements for an Information System Security Program;
1.A.2.b Guidance on an approach to risk management for systems;
1.A.2.c Technical and administrative security requirements for a system in a given environment; and
1.A.2.d Examples of appropriate documentation.

1.A.3 This manual provides guidance to assist a Designated Accrediting Authority (DAA) or DAA Representative (described in Chapter 2) in determining the appropriate set of technical and non-technical safeguards for protecting the information in a given system.

1.A.4 This manual provides guidance to assist an Information System Security Manager (ISSM) or Information System Security Officer/Network Security Officer (ISSO/NSO) in structuring and implementing the security protections for a system.

1.B Applicability

1.B.1 This manual applies to all entities that process, store, or communicate intelligence information, including United States government organizations, their commercial contractors, and Allied governments.

1.B.2 The term "information system," as defined in this manual, makes the distinction between traditional systems (e.g., computers, hosts) and networks irrelevant to the selection of protection requirements. Unless noted otherwise, the terms "system," "information system," and "IS" are used interchangeably throughout this manual.

1.B.3 Traditionally, providing security for a system has meant protecting the confidentiality of the information on it, although for some systems protecting data integrity and system and data availability has always been a concern. While the traditional operational concern over confidentiality of classified information has not diminished, integrity and availability have become critical parts of security for all systems. The requirements in this manual reflect that understanding.

1.B.4 The operational elements of a government organization have, in the past, been concerned with and fiscally responsible for ensuring the integrity and availability of the information on the system. While this manual describes requirements for ensuring the integrity and availability of the system and of the information on it, nothing in this manual shall be construed to state or imply that there has been a transfer of fiscal responsibility to the security element(s) from the operational element(s).

1.B.5 This manual establishes the security requirements for all applicable systems. Accrediting authorities may establish additional security measures, if deemed appropriate. Any such measures shall comply with the relevant references listed in this manual.

1.C Administration

CIA, NSA
Contractors should address all issues pertaining to the administration of this manual through their Government Security Representative (GSR).

DIA, NIMA, NRO
Contractors should address all issues pertaining to the administration of this manual through their DAA Rep.

1.C.1 The DDCI/CM has designated the Community Management Staff (CMS) to act in matters pertaining to the administration of this manual for intelligence related issues.

1.C.2 The DDCI/CM shall review any unresolved conflicts relating to this manual or its associated policy and will either attain agreed-to resolution of them by all affected parties or forward them with recommendations for resolution to the DCI.

1.C.3 CMS shall maintain a current directory of DAAs and a current directory of Data Owners.

1.C.4 This manual supersedes Director of Central Intelligence Directive (DCID) 1/16 Supplement dated July 1988.

1.D Background

1.D.1 United States intelligence information has three attributes that require protection: confidentiality, integrity, and availability. The degree of emphasis on each varies with the type of information processed and the mission of the organization responsible for the data.

1.D.2 This manual recognizes the contributions to security made by operating environments, and allows the technical safeguards of systems to be modified accordingly. For example, while encryption can be an effective way to protect the confidentiality of information during transmission, if the information passes only through areas that are approved for open storage of the information or across a protected distribution system within an inspectable space, then encryption of the information for that purpose may be unnecessary.

1.D.3 The requirements specified in this manual are based on the assumption that the system is otherwise protected at an appropriate level for the information processed on it. These other protections include appropriate levels of physical, personnel, communications, emanations, and technical surveillance countermeasures (TSCM) security, as required in other directives.

1.E System Information Collection. The following information must be collected to determine the requirements for operating a system:

1.E.1 The category, classification, and all applicable security markings for all of the information on, or to be put on, the system;

1.E.2 The need-to-know status of the users on the system, including their formal access approval(s), clearance(s), and nationality(ies);

1.E.3 The perimeter and boundary of the system;

1.E.4 The operating environment of the system and connecting systems, including the service provided (e.g., electronic mail, Internet access), and foreign access to the system, connecting systems, and the facilities housing these systems; and

1.E.5 The technical and administrative security requirements of the system.

1.F How To Use This Manual. Eleven steps are required to accredit an IS. The following summarizes those steps and in each case refers to the relevant chapter or chapters of this manual:

IC
Contractor roles and responsibilities under this policy differ from government. Contractors should reference Chapter 2 of this manual to determine their roles and responsibilities.

1.F.1 Determine Levels-of-Concern (Ch. 3). The DAA, using formal specifications from the Data Owner, examines the information* characteristics in light of the material in Table 3.1 and determines the appropriate Level-of-Concern ratings, one each for confidentiality, integrity, and availability. The Level-of-Concern ratings for integrity and availability are each Basic, Medium, or High. Because all of the ISs covered by this manual process intelligence information, the Level-of-Concern rating for confidentiality is always High.

[*In this context, information is expressed as human-recognizable data and machine-recognizable data, in hardware, software, firmware, and, especially, data that is used to control security functions, such as router table entries.]

1.F.2 Determine Protection Level (Ch. 3). Based on the guidance provided in Chapter 3, the DAA determines a Protection Level for confidentiality for the system and also determines any threats unique to the system or the information.

1.F.3 Determine Interconnected System Requirements (Ch. 7) and Administrative Requirements (Ch. 8). The DAA determines the appropriate security requirements for interconnected systems and for the use of advanced technology specified in Chapter 7 and the administrative requirements specified in Chapter 8.

1.F.4 Identify Technical Security and Assurance Requirements (Ch. 4, 5, and 6). The applicable technical security requirements and assurances are identified. Chapter 4 presents the technical security requirements and assurances for confidentiality organized by Protection Levels. Chapters 5 and 6 present the technical security requirements and assurances for integrity and availability, respectively, organized by Levels-of-Concern.

1.F.5 Determine Required Documentation and Testing Activities (Ch. 4, 5, and 6). The assurance requirements in Chapters 4, 5, and 6 are examined to determine the appropriate documentation and testing activities required for the system.

1.F.6 Write the System Security Plan (Ch. 9 and Appendix C). The System Security Plan (SSP), described in Appendix C, is written to describe the planned operating conditions of the system and the expected residual risk of operating the system (Chapter 9). The DAA and/or ISSM approves the SSP, and the system is then implemented with the security requirements that have been determined for it (paragraphs 1.F.1 through 1.F.5). In the case of operational systems (with their security requirements already implemented), the SSP is written to describe the operating conditions of the system and the residual risk of operating the system.

1.F.7 Validate Security in Place. The ISSO ensures that the security requirements and procedures are in place for the system.

1.F.8 Testing against Security Requirements (Ch. 4, 5, and 6). The system is tested based on the security testing requirements in Chapters 4, 5, and 6.

1.F.9 Prepare Certification Package (Ch. 4, 5, 6, 9). The ISSO and ISSM prepare the certification package, based on the documentation requirements in Chapters 4, 5, and 6, and the certification package requirements specified in Chapter 9.

1.F.10 Forward Certification Package. The certification package is presented to the DAA for accreditation.

1.F.11 Accreditation Decision by the DAA. The DAA* determines whether the level of residual risk is acceptable and consistent with that indicated in the SSP, and if it is, accredits the system. Testing shall be performed to validate the extent of residual risk.

[*When this manual refers to the DAA, the DAA Representative is assumed to be included, at the discretion of the DAA.]

1.F.11.a If the DAA accredits the system, the system goes into operation (or continues to operate) according to the accreditation.

1.F.11.b If the DAA grants an interim approval to operate, the system may be operated for up to 180 days, and the interim approval to operate can be renewed once for an additional 180 days. The DAA must indicate, in the agreement granting interim approval to operate, the actions necessary to meet accreditation. By the end of the second 180-day period, the system shall either be accredited or cease operation.

1.F.11.c If the DAA neither accredits the system, nor grants an interim approval to operate, then the requester must modify the system or its safeguards, and the process repeats from paragraph 1.F.6, above, until the DAA accredits the system, grants an interim approval to operate, or decides to disallow system operation.

1.G Use of Cryptography

1.G.1 Cryptography is a critical tool used to protect confidentiality of data, to assure the authenticity of information, and to detect the alteration of information. National policy requires the National Security Agency (NSA) to review and approve all cryptography used to protect classified information from access by unauthorized persons (i.e., not cleared for the information).

1.G.2 Cryptography may also be used to separate compartments or protect "need-to-know" among cleared users on classified systems. For such uses the DAA may select the cryptographic mechanisms (including commercially available products) to be used after consulting with the Data Owner on requirements. DAAs should also consult with NSA for assistance and advice regarding the security of the proposed implementation. They should pay particular attention to key management, since appropriate secure key management is an important factor in overall system security.


1.H General Notes

1.H.1 In the following pages, the term "good engineering practice" refers to the state of the engineering art for commercial systems that have equivalent problems and solutions; a good engineering practice by definition meets commercial requirements. These practices are usually part of the normal installation and operating procedures for systems. When placing security reliance on items that implement good engineering practice (such as commercial off-the-shelf [COTS] software), the DAAs or their designees shall verify that the item(s) are set up properly and are operating as expected.

1.H.2 In this manual, the word "or" is used in its common English meaning that includes all three cases: a single element in a list, any combination of elements in a list, and all elements in the list.

1.H.3 Conventionally, information protection has been expressed as a combination of the following characteristics: confidentiality, integrity, and availability. Other expressions include other characteristics (such as utility, user accountability, authenticity, possession, currency, and non-repudiation), but most of these other characteristics are not independent of confidentiality, integrity, and availability. In other words, these additional characteristics can be expressed as some function of confidentiality, integrity, and availability. Thus, this manual will use the conventional characteristics (confidentiality, integrity, and availability) as the appropriate descriptive elements, while recognizing that some systems have additional operational requirements for services.

1.H.4 The Security Support Structure consists of those components (hardware, firmware, and software) that are essential to maintaining the security policies of the system. To prevent access by general users, the Security Support Structure is normally protected at a greater level than the rest of the system.

1.H.5 While this manual primarily discusses protection mechanisms for the information on systems, it explicitly assumes that the hardware, software, and firmware related to the system are given appropriate levels of protection.

1.H.6 The terms "department" and "agency" refer to the organization that is responsible for information systems security in a given situation. When stating requirements, the terms "department" or "agency" are not limiting, but rather are intended to include all subordinate organizations involved in a given information systems security situation.
