National Industrial Program: Operating Manual Supplement


DoD 5220.22-M-Sup 1

NATIONAL INDUSTRIAL SECURITY PROGRAM
OPERATING MANUAL SUPPLEMENT

February 1995
REPORT DOCUMENTATION PAGE (Standard Form 298)

1. Agency Use Only: (leave blank)
2. Report Date: February 1995
3. Report Type & Dates Covered: (not stated)
4. Title & Subtitle: National Industrial Security Program (Operating Manual Supplement), DoD 5220.22-M-Sup 1
5. Funding Numbers: (none)
6. Author(s): J. Frields
7. Performing Organization Name(s) & Address(es): Assistant Secretary of Defense for Command, Control, Communications, and Intelligence, 6000 Defense Pentagon, Washington, DC 20301-6000
8. Performing Organization Report Numbers: (none)
9. Sponsoring/Monitoring Agency Name(s) & Address(es): (none)
10. Sponsoring/Monitoring Agency Report Numbers: (none)
11. Supplementary Notes: (none)
12a. Distribution/Availability Statement: Unclassified, Release unlimited.
12b. Distribution Code: (none)
13. Abstract (Maximum 200 Words): This Supplement to the National Industrial Security Program Operating Manual (NISPOMSUP) provides the enhanced security requirements, procedures, and options to the National Industrial Security Program Operating Manual (NISPOM) for critical restricted data (RD) classified at the Secret and Top Secret levels, special access programs (SAPs) and SAP-type compartmented efforts established and approved by the Executive Branch, sensitive compartmented information (SCI) or other DCI SAP-type compartmented programs under the Director of Central Intelligence which protect intelligence sources and methods, and acquisition, intelligence, and operations and support SAPs.
14. Subject Terms: (none)
15. Number of Pages: 89 Pages
16. Price Code: (none)
17. Security Classification of Report: Unclassified
18. Security Classification of This Page: Unclassified
19. Security Classification of Abstract: Unclassified
20. Limitation of Abstract: (none)

NSN 7540-01-280-5500

THE UNDER SECRETARY OF DEFENSE

WASHINGTON, D.C. 20301-2000

POLICY

December 29, 1994

FOREWORD

I am pleased to promulgate this inaugural edition of the Supplement to the National Industrial Security Program Operating Manual (NISPOMSUP). It provides the enhanced security requirements, procedures, and options to the National Industrial Security Program Operating Manual (NISPOM) for:

Critical Restricted Data (RD) classified at the Secret and Top Secret levels;

Special Access Programs (SAPs) and SAP-type compartmented efforts established and approved by the Executive Branch;

Sensitive Compartmented Information (SCI) or other DCI SAP-type compartmented programs under the Director of Central Intelligence which protect intelligence sources and methods; and

Acquisition, Intelligence, and Operations and Support SAPs.

This Supplement is applicable to contractor facilities located within the United States, its Trust Territories and Possessions. In cases of inconsistencies between the NISPOM (baseline) and this Supplement as imposed by a Cognizant Security Agency (CSA), as defined herein, the Supplement will take precedence.

The NISPOM Supplement has been written as a menu of options. Throughout this NISPOMSUP it is understood that whenever a security option is specified for a SAP by the Government Program Security Officer (PSO), his or her authority is strictly based on the security menu of options originally approved in writing by the CSA, or designee. CSAs may delegate such responsibility for the implementation of SAP security policies and procedures. Since SAPs have varying degrees of security based on sensitivity and threat, all programs may not have the same requirements. When a security option is selected as a contract requirement, it becomes a "shall" or "will" rather than a "may" in this document. Bold and italicized print denotes contractor security requirements, except in chapter titles and paragraphs.

The Director of Central Intelligence Directives (DCIDs), which prescribe procedures for the DCI Sensitive Compartmented Information (SCI) or other SAP-type DCI programs, also set the upper standard of security measures for programs covered by this Supplement. DCIDs may be used by any SAP program manager with approval from the CSA. Specific security measures that are above the DCIDs (noted by asterisks) shall be approved by the CSA or designee.

The provisions of this NISPOMSUP apply to all contractors participating in the administration of programs covered by this Supplement. In cases of doubt over the specific provisions, the contractor should consult the PSO prior to taking any action or expending program-related funds. In cases of extreme emergency requiring immediate attention, the action taken should protect the Government's interest and the security of the program from compromise.
TABLE OF CONTENTS

CHAPTER 1. GENERAL PROVISIONS AND REQUIREMENTS
Section 1. Introduction ... 1-1-1
Section 2. General Requirements ... 1-2-1
Section 3. Reporting Requirements ... 1-3-1

CHAPTER 2. SECURITY CLEARANCES
Section 1. Facility Clearances ... 2-1-1
Section 2. Personnel Clearances and Access ... 2-2-1

CHAPTER 3. SECURITY TRAINING AND BRIEFINGS
Section 1. Security Training and Briefings ... 3-1-1

CHAPTER 4. CLASSIFICATION AND MARKING
Section 1. Classification ... 4-1-1
Section 2. Marking Requirements ... 4-2-1

CHAPTER 5. SAFEGUARDING CLASSIFIED INFORMATION
Section 1. General Safeguarding Requirements ... 5-1-1
Section 2. Control and Accountability ... 5-2-1
Section 3. Storage and Storage Equipment ... 5-3-1
Section 4. Transmission ... 5-4-1
Section 5. Disclosure ... 5-5-1
Section 6. Reproduction ... 5-6-1
Section 7. Disposition and Retention ... 5-7-1
Section 8. Construction Requirements ... 5-8-1

CHAPTER 6. VISITS AND MEETINGS
Section 1. Visits ... 6-1-1
Section 2. Meetings ... 6-2-1

CHAPTER 7. SUBCONTRACTING
Section 1. Prime Contractor Responsibilities ... 7-1-1

CHAPTER 8. AUTOMATED INFORMATION SYSTEM SECURITY
Section 1. Responsibilities ... 8-1-1
Section 2. Security Modes ... 8-2-1
Section 3. System Access and Operation ... 8-3-1
Section 4. Networks ... 8-4-1
Section 5. Software and Data Files ... 8-5-1
Section 6. AIS Acquisition, Maintenance, and Release ... 8-6-1
Section 7. Documentation and Training ... 8-7-1

CHAPTER 9. RESTRICTED DATA
Section 1. Introduction ... 9-1-1
Section 2. Secure Working Areas ... 9-2-1
Section 3. Storage Requirements ... 9-3-1

CHAPTER 10. INTERNATIONAL SECURITY REQUIREMENTS

CHAPTER 11. MISCELLANEOUS
Section 1. TEMPEST ... 11-1-1
Section 2. Government Technical Libraries ... 11-2-1
Section 3. Independent Research and Development ... 11-3-1
Section 4. Operations Security ... 11-4-1
Section 5. Counterintelligence (CI) Support ... 11-5-1
Section 6. Decompartmentation, Disposition, and Technology Transfer ... 11-6-1
Section 7. Other Topics ... 11-7-1

APPENDICES
Appendix A. Definitions ... A-1
Appendix B. AIS Acronyms ... B-1
Appendix C. AISSP Outline ... C-1
Appendix D. AIS Certification and Accreditation ... D-1
Appendix E. References ... E-1

FIGURES
Figure 1. SAP Government and Contractor Relationships ... 1-1-2

TABLES
Table 1. Clearing and Sanitization Data Storage ... 8-5-4
Table 2. Sanitizing AIS Components ... 8-5-5
Chapter 1
General Provisions and Requirements
Section 1. Introduction

1-100. Purpose

a. This Supplement provides special security measures to ensure the integrity of SAPs, Critical SECRET Restricted Data (SRD), and TOP SECRET Restricted Data (TSRD) and imposes controls supplemental to security measures prescribed in the NISPOM for classified contracts. Supplemental measures fall under the cognizance of the DoD, DCI, DOE, NRC or other CSA as appropriate. See page 1-1-2 for Figure 1, SAP Government and Contractor Relationships. Additionally, specific contract provisions pertaining to these measures applicable to associated unacknowledged activities will be separately provided. Any Department, Agency, or other organizational structure amplifying instructions will be inserted immediately following the applicable security options selected from the NISPOMSUP. This will facilitate providing a contractor with a supplement that is overprinted with the options selected.

b. Security Options. This Supplement contains security options from which specific security measures may be selected for individual programs. The options selected shall be specifically addressed in the Program Security Guide (PSG) and/or identified in the Contract. The PSG shall be endorsed by the CSA or his/her designee, establishing the program, although, as a rule, the DCIDs set the upper limits. In some cases, security or sensitive factors may require security measures that exceed DCID standards. In such cases, the higher standards shall be listed separately and specifically endorsed by the CSA creating the program and may be reflected as an overprint to this Supplement.

1-101. Scope.

a. The policy and guidance contained herein and imposed by contract is binding upon all persons who are granted access to SAP information. Acceptance of the contract security measures is a prerequisite to any negotiations leading to Program participation and accreditation of a Special Access Program Facility (SAPF).

b. The following is restated from the baseline for clarity. If a contractor determines that implementation of any provision of this Supplement is more costly than provisions imposed under previous U.S. Government policies, standards, or requirements, the contractor shall notify the Cognizant Security Agency. Contractors shall, however, implement any such provision within three years from the date of this Supplement, unless a written exception is granted by the CSA.

c. The DCIDs apply to all SCI and DCI programs and any other SAP that selects them as the program security measures.

1-102. Agency Agreement SAP Program Areas. The Government Agency establishing a SAP will designate a Program Executive Agent for the administration, security, execution, and control of the SAP. The Program Security Officer (PSO), rather than the Facility CSA, will be responsible for security of the program and all program areas.

1-103. Security Cognizance. Those heads of Agencies authorized under E.O. 12356 or successor order to create SAPs may enter into agreements with the Secretary of Defense that establish the terms of the Secretary of Defense's responsibilities for the SAP. When a Department or Agency of the Executive Branch retains cognizant security responsibilities for its SAP, the provisions of this Supplement will apply.

1-104. Supplement Interpretations. All contractor requests for interpretation of this Supplement will be forwarded to the PSO.

1-105. Supplement Changes. Users of this Supplement are encouraged to submit recommended changes and comments through their PSO in concurrence with the baseline.

1-106. Waivers and Exceptions. The purpose of having a waiver and exception policy is to ensure that deviations from established SAP criteria are systematically and uniformly identified to the Government Program Manager (GPM). Every effort will be made to avoid waivers to established SAP policies and procedures unless they are in the best interest of the Government. In those cases where waivers are required, a request will be submitted to the PSO. As appropriate, the PSO, and if necessary the GPM (if a different individual), will assess the request for waiver and provide written approval. If deemed necessary, other security measures which address the specific vulnerability may be implemented.

1-1-1

1-107. Special Access Programs Categories and Types.

a. There are four generic categories of SAPs: (1) Acquisition SAP (AQ-SAP); (2) Intelligence SAP (IN-SAP); (3) Operations and Support SAP (OS-SAP); and (4) SCI Programs (SCI-SAP) or other DCI programs which protect intelligence sources and methods.

b. There are two types of SAPs, acknowledged and unacknowledged. An acknowledged SAP is a program which may be openly recognized or known; however, specifics are classified within that SAP. The existence of an unacknowledged SAP or an unacknowledged portion of an acknowledged program will not be made known to any person not authorized for this information.

Figure 1. SAP Government/Contractor Relationships

[Figure: organization chart. Government side: Cognizant Security Agency; Contracting Officer; Program Executive Agent; Government Program Manager; Program Security Officer. Contractor side: Contractor Program Manager; Contractor Program Security Officer; Information System Security Representative (1).]

(1) ISSR may work for the CPSO, or work as a peer to the CPSO for AIS purposes, depending on Program Requirements.

1-1-2
Section 2. General Requirements

1-200. Responsibilities. A SAP Contractor Program Manager (CPM) and Contractor Program Security Officer (CPSO) will be designated by the contractor. These individuals are the primary focal points at the contractor facility who execute the contract. They are responsible for all Program matters. The initial nomination or appointment of the CPSO and any subsequent changes will be provided to the PSO in writing. The criteria necessary for an individual to be nominated as the CPSO will be provided in the Request for Proposal (RFP). For the purposes of SAPs, the following responsibilities are assigned:

a. The CPM is (sometimes the same as, or in addition to, a Contract Project Manager) the contractor employee responsible for:

(1) Overall Program management.

(2) Execution of the statement of work, contract, task orders and all other contractual obligations.

b. The CPSO oversees compliance with SAP security requirements. The CPSO will:

(1) Possess a personnel clearance and Program access at least equal to the highest level of Program classified information involved.

(2) Provide security administration and management for his/her organization.

(3) Ensure personnel processed for access to a SAP meet the prerequisite personnel clearance and/or investigative requirements specified.

(4) Ensure adequate secure storage and work spaces.

(5) Ensure strict adherence to the provisions of the NISPOM and its Supplement.

(6) When required, establish and oversee a classified material control program for each SAP.

(7) When required, conduct an annual inventory of accountable classified material.

(8) When required, establish a SAPF.

(9) Establish and oversee a visitor control program.

(10) Monitor reproduction and/or duplication and destruction capability of SAP information.

(11) Ensure adherence to special communications capabilities within the SAPF.

(12) Provide for initial Program indoctrination of employees after their access is approved; rebrief and debrief personnel as required.

(13) Establish and oversee specialized procedures for the transmission of SAP material to and from Program elements.

(14) When required, ensure contractual specific security requirements such as TEMPEST, Automated Information System (AIS), and Operations Security (OPSEC) are accomplished.

(15) Establish security training and briefings specifically tailored to the unique requirements of the SAP.

1-201. *Standard Operating Procedures (SOP). The CPSO may be required to prepare a comprehensive SOP to implement the security policies and requirements for each SAP. When required, SOPs will address and reflect the contractor's method of implementing the PSG. Forward proposed SOPs to the PSO for approval. SOPs may be a single plan or a series of individual documents each addressing a security function. Changes to the SOP will be made in a timely fashion, and reported to the PSO as they occur.

1-202. Badging. Contractors performing on Programs where all individuals cannot be personally identified may be required to implement a PSO-approved badging system.

1-203. Communications Security (COMSEC). Classified SAP information will be electronically transmitted only by approved secure communications channels authorized by the PSO.

1-204. *Two-Person Integrity (TPI) Requirement. The TPI rule may be required and exercised only with Program CSA approval. This requirement does not apply to those situations where one employee with access is left alone for brief periods of time, nor dictate that those employees will be in view of one another.

1-2-1

1-205. Contractors Questioning Perceived Excessive Security Requirements. All personnel are highly encouraged to identify excessive security measures that they believe have no added value or are cost excessive and should report this information to their industry contracting officer for subsequent reporting through contracting channels to the appropriate GPM/PSO. The GPM/PSO will respond through appropriate channels to the contractor questioning the security requirements.

1-206. Security Reviews.

a. General. The frequency of Industrial Security Reviews (e.g., reviews, evaluations, and security surveys) is determined by the NISPOM and will be conducted by personnel designated by the CSA.

b. Joint Efforts. In certain cases, an individual Program may be a joint effort of more than one component of the U.S. Government or more than one element of the same component. In such a case, one element will, by memorandum of agreement, take the lead as the Cognizant Security Agency and may have security review responsibility for the Program facility. In order to ensure the most uniform and efficient application of security criteria, review activities at contractor facilities will be consolidated to the greatest extent possible.

c. Prime Contractor Representative. A security representative from the prime contractor may be present and participate during reviews of subcontractors, but cannot be the individual appointed by the CSA to conduct security reviews specified in paragraph 1-206a.

d. Review Reciprocity. In order to ensure the most uniform and efficient application of security reviews, review reciprocity at contractor facilities will be considered whenever possible.

e. Contractor Reviews. When applicable, the U.S. Government may prescribe the intervals at which the contractor will review their systems.

f. Team Reviews. Team Reviews may be conducted by more than one PSO based on mutual consent and cooperation of both the Government and the contractor.

1-2-2
Section 3. Reporting Requirements

1-300. General. All reports required by the NISPOM will be made through the PSO. In those instances where the report affects the baseline facility clearance or the incident is of a personnel security clearance nature, the report will also be provided to the Facility CSA. In those rare instances where classified program information must be included in the report, the report will be provided only to the PSO, who will sanitize the report and provide the information to the CSA, if appropriate.

a. Adverse Information. Contractors will report to the PSO any information which may adversely reflect on the Program-briefed employee's ability to properly safeguard classified Program information.

b. SAP Non-Disclosure Agreement (NDA). A report will be submitted to the PSO on an employee who refuses to sign a SAP NDA.

c. Change in Employee Status. A written report of all changes in the personal status of SAP indoctrinated personnel will be provided to the PSO. In addition to those changes identified in NISPOM subparagraph 1-302c., include censure or probation arising from an adverse personnel action, and revocation, suspension, or downgrading of a security clearance or Program access for reasons other than security administration purposes.

d. Employees Desiring Not to Perform on SAP Classified Work. A report will be made to the PSO upon notification by an accessed employee, or an employee for whom access has been requested, that they no longer wish to perform on the SAP. Pending further instructions from the PSO, the report will be destroyed in 30 days.

e. *Foreign Travel. The PSO may require reports of all travel outside the continental United States, Hawaii, Alaska and the U.S. possessions (i.e., Puerto Rico), except same-day travel to border areas (i.e., Canada, Mexico), for Program-accessed personnel. Such travel is to be reported to the CPSO, and the report retained for the life of the Contract/Program. Travel by Program-briefed individuals into or through countries determined by the CSA as high-risk areas should not be undertaken without prior notification. A supplement to the report outlining the type and extent of contact with foreign nationals, and any attempts to solicit information or establish a continuing relationship by a foreign national, may be required upon completion of travel.

f. Arms Control Treaty Visits. The GPM and PSO will be notified in advance of any Arms Control Treaty Visits. Such reports permit the GPM and PSO to assess potential impact on the SAP activity and effectively provide guidance and assistance.

g. Litigation. Litigation or public proceedings which may involve a SAP will be reported. These include legal proceedings and/or administrative actions in which the prime contractor, subcontractors, or Government organizations and their Program-briefed individuals are a named party. The CPSO will report to the PSO any litigation actions that may pertain to the SAP, to include the physical environments, facilities or personnel, or as otherwise directed by the GPM.

1-301. Security Violations and Improper Handling of Classified Information. Requirements of the NISPOM baseline pertaining to security violations are applicable, except that all communications will be appropriately made through Program Security Channels within 24 hours of discovery to the PSO. The PSO must promptly advise the Facility CSA in all instances where national security concerns would impact on collateral security programs or clearances of individuals under the cognizance of the Facility CSA.

a. Security Violations and Infractions

(1) Security Violation. A security violation is any incident that involves the loss, compromise, or suspected compromise of classified information. Security violations will be immediately reported within 24 hours to the PSO.

(2) Security Infraction. A security infraction is any other incident that is not in the best interest of security that does not involve the loss, compromise, or suspected compromise of classified information. Security infractions will be documented and made available for review by the PSO during visits.

b. Inadvertent Disclosure. An inadvertent disclosure is the involuntary unauthorized access to classified SAP information by an individual without SAP access authorization. Personnel determined to have had unauthorized or inadvertent access to classified SAP information (1) should be interviewed to determine the extent of the exposure, and (2) may be requested to complete an Inadvertent Disclosure Oath.

1-3-1

(1) If during emergency response situations, guard personnel or local emergency authorities (e.g., police, medical, fire, etc.) inadvertently gain access to Program material, they should be interviewed to determine the extent of the exposure. If circumstances warrant, a preliminary inquiry will be conducted. When in doubt, contact the PSO for advice.

(2) Refusal to sign an inadvertent disclosure oath will be reported by the CPSO to the PSO.

(3) Contractors shall report all unauthorized disclosures involving RD or Formerly Restricted Data (FRD) to the Department of Energy (DOE) or Nuclear Regulatory Commission (NRC) through their CSA.

1-3-2
Chapter 2
Security Clearances
Section 1. Facility Clearances

2-100. General. Contractors will possess a Facility Security Clearance to receive, generate, use, and store classified information that is protected in SAPs.

a. If a facility clearance has already been granted, the SAP Program Executive Agent may carve in the Facility CSA. The agreement entered into by the Secretary of Defense (SECDEF) with the other CSAs will determine the terms of responsibility for the Facility CSA with regard to SAP programs. Due to the sensitivity of some SAPs, the program may be carved out by the Executive Agent designated by the CSA.

b. The CPSO shall notify the PSO of any activity which affects the Facility Security Clearance (FCL).

c. In certain instances, security and the sensitivity of the project may require that the contract and the association of the contractor with the Program CSA be restricted and kept at a classified level. The existence of any unacknowledged effort, to include its SAPF, will not be released without prior approval of the PSO.

2-101. Co-Utilization of SAPF. If multiple SAPs are located within a SAPF, a Memorandum of Agreement (MOA) shall be written between government program offices defining areas of authorities and responsibilities. The first SAP in an area shall be considered to be the senior program and therefore the CSA for the zone unless authority or responsibility is specifically delegated in the MOA. The MOA shall be executed prior to the introduction of the second SAP into the SAPF.

2-102. Access of Senior Management Officials. Only those Senior Management Officials requiring information pertaining to the SAP shall be processed for SAP access.

2-103. Facility Clearances for Multifacility Organizations.

a. When cleared employees are located at uncleared locations, the CPSO may designate a cleared management official at the uncleared location who shall:

(1) Process classified visit requests, conduct initial or recurring briefings for cleared employees, and provide written confirmation of the briefing to the CPSO.

(2) Implement the reporting requirements of the NISPOM and this Supplement for all cleared employees and furnish reports to the CPSO for further submittal to the CSA.

(3) Ensure compliance with all applicable measures of the NISPOM and this Supplement by all cleared employees at that location.

b. If a cleared management official is not available at the uncleared location, the CPSO (or designee) shall conduct the required briefing during visits to the uncleared location or during employee visits to the location, or establish an alternative procedure with CSA approval.

2-1-1
Section 2. Personnel Clearances and Access

2-200. General. This section establishes the requirements for the selection, processing, briefing, and debriefing of contractor personnel for SAPs.

2-201. Program Accessing Requirements and Procedures.

a. The individual will have a valid need-to-know (NTK) and will materially and directly contribute to the Program.

b. The individual will possess a minimum of a current, final SECRET security clearance or meet the investigative criteria required for the level of access. If a person's periodic reinvestigation (PR) is outside the five-year scope and all other access processing is current and valid, the PSO may authorize access. However, the individual will be immediately processed for either a Single Scope Background Investigation (SSBI) or National Agency Check with Credit (NACC) as required by the level of clearance or as otherwise required by the contract.

c. The contractor will nominate the individual and provide a description of the NTK justification. The CPM will concur with the nomination and verify Program contribution by signature on the Program Access Request (PAR). The CPSO will complete the PAR and review it for accuracy, ensuring all required signatures are present. The CPSO signature verifies that the security clearance and investigative criteria are accurate, and that these criteria satisfy the requirements of the Program. Information regarding the PAR may be electronically submitted. While basic information shall remain the same, signatures may not be required. The receipt of the PAR package via a preapproved channel shall be considered sufficient authentication that the required approvals have been authenticated by the CPSO and contractor program manager.

d. Access Criteria and Evaluation Process. In order to eliminate those candidates who clearly will not meet the scope for access and to complete the Personnel Security Questionnaire (PSQ), access evaluation may be required. In the absence of written instructions from the contracting activity, the evaluation process will conform to the following guidelines:

(1) Evaluation criteria will not be initiated at the contractor level unless both the employee and contractor agree.

(2) Contractors will not perform access evaluation for other contractors.

(3) Access evaluation criteria will be specific and will not require any analysis or interpretation by the contractor. Access evaluation criteria will be provided by the government as required.

(4) Those candidates eliminated during this process will be advised that access processing has terminated.

e. Submit a Letter of Compelling Need or other documentation when requested by the PSO.

f. Formats required for the processing of a SAP access fall into two categories: those required for the conduct of the investigation and review of the individual's eligibility, and those that explain or validate the individual's NTK. These constitute the PAR package. The PAR package used for the access approval and NTK verification will contain the following: the PAR and a recent (within 90 days) PSQ reflecting pen and ink changes, if any, signed and dated by the nominee.

g. Once the PAR package has been completed, the CPSO will forward the candidate's nomination package to the PSO for review:

(1) The PSO will review the PAR package and determine access eligibility.

(2) Access approval or denial will be determined by the GPM and/or access approval authority.

(3) The PSO will notify the contractor of access approval or denial.

(4) Subcontractors may submit the PAR package to the prime. The prime will review and concur on the PAR and forward the PAR and the unopened PSQ package to the PSO.

2-2-1

h. SCI access will follow guidelines established in DCID 1/14.

2-202. Supplementary Measures and Polygraph.

a. Due to the sensitivity of a Program or criticality of information or emerging technology, a polygraph may be required. The polygraph examination will be conducted by a properly trained, certified, U.S. Government Polygraph Specialist. If a PR is outside the 5-year investigative scope, a polygraph may be used as an interim basis to grant access until completion of the PR.

b. There are three categories of polygraph: Counterintelligence (CI), Full Scope (CI and life style), and Special Issues Polygraph (SIP). The type of polygraph conducted will be determined by the CSA.

2-203. Suspension and Revocation. All PSO direction to contractors involving the suspension or revocation of an employee's access will be provided in writing and, if appropriate, through the contracting officer.

2-204. Appeal Process. The CSA will establish an appeal process.

2-205. Agent of the Government. The Government may designate a contractor-nominated employee as an Agent of the Government on a case-by-case basis. Applicable training and requirements will be provided by the Government to contractors designated as Agents of the Government.

2-206. Access Roster or List. Current access rosters of Program-briefed individuals are required at each contractor location. They should be properly protected and maintained in accordance with the PSG. The access roster should be continually reviewed and reconciled for any discrepancies. The data base or listing may contain the name of the individual, organization, position, billet number (if applicable), level of access, social security number, military rank/grade or comparable civilian rating scheme, and security clearance information. Security personnel required for adequate security oversight will not count against the billet structure.

2-2-2
Chapter 3
Security Training and Briefings
Section 1. Security Training and Briefings

3-100. General. Every Special Access Program (SAP) will have a Security Training and Briefing Program. As a minimum, SAP-indoctrinated personnel will be provided the same or similar training and briefings as outlined in the baseline NISPOM. In addition, CPSOs responsible for SAPs at contractor facilities will establish a Security Education Program to meet any specific or unique requirements of individual special access programs. Topics which will be addressed, if appropriate to the facility or the SAP(s), include:

a. Security requirements unique to SAPs;

b. Protection of classified relationships;

c. Operations Security (OPSEC);

d. Use of nicknames and code words;

e. Use of special transmission methods;

f. Special test-range security procedures;

g. Procedures for unacknowledged SAP security. An unacknowledged SAP will require additional security training and briefings, beyond that required in the baseline. Additional requirements will be specified in the Contract Security Classification Specification and will address steps necessary to protect sensitive relationships, locations, and activities.

h. Specific procedures to report fraud, waste, and abuse.

i. Computer security education that is to include operational procedures, threats, and vulnerabilities.

j. Writing unclassified personnel appraisals and reviews.

k. Third-Party Introductions. The purpose of the Third-Party Introduction is to provide a clearance and/or access verification to other cleared personnel. The introduction is accomplished by a briefed third party who has knowledge of both individuals' access.

3-101. Security Training. The CPSO will ensure that the following security training measures are implemented:

a. Initial Program Security Indoctrination. Every individual accessed to a SAP will be given an initial indoctrination. The briefing will clearly identify the information to be protected, the reasons why this information requires protection, and the need to execute a NDA. The individual will be properly briefed concerning the security requirements for the Program, understand their particular security responsibilities, and will sign a NDA. This indoctrination is in addition to any other briefing required for access to collateral classified or company proprietary information. It will be the responsibility of the PSO to provide to the contractor information as to what will be included in the initial indoctrination, to include fraud, waste, and abuse reporting procedures.

b. Professionalized AIS training may be required of all contractor Information Systems Security Representatives (ISSRs) to ensure that these individuals have the appropriate skills to perform their job functions in a competent and cost-effective manner. This training will be made available by the CSA. The training should consist of, but not be limited to, the following criteria:

(1) Working knowledge of all applicable and national CSA regulations and policies, including those contained in this Supplement;

(2) Use of common Information Security (INFOSEC) practices and technologies;

(3) AIS certification testing procedures;

(4) Use of a risk management methodology;

(5) Use of configuration management methodology.

3-102. Unacknowledged Special Access Programs (SAP). Unacknowledged SAPs require a significantly greater degree of protection than acknowledged SAPs. Special emphasis should be placed on:

a. Why the SAP is unacknowledged;

b. Classification of the SAP;

c. Approved communications system;

d. Approved transmission systems;

e. Visit procedures;

f. Specific program guidance.

3-103. Refresher Briefings. Every accessed individual will receive an annual refresher briefing from the CPSO to include the following, as a minimum:

a. Review of Program-unique security directives or guidance;

b. Review of those elements contained in the original NDA.

Note. The PSO may require a record to be maintained of this training.

3-104. Debriefing and/or Access Termination. Persons briefed to SAPs will be debriefed by the CPSO or his designee. The debriefing will include as a minimum a reminder of each individual's responsibilities according to the NDA, which states that the individual has no Program or Program-related material in his/her possession, and that he/she understands his/her responsibilities regarding the disclosure of classified Program information.

a. Debriefings should be conducted in a SAPF, Sensitive Compartmented Information Facility (SCIF), or other secure area when possible, or as authorized by the PSO.

b. Procedures for debriefing will be arranged to allow each individual the opportunity to ask questions and receive substantive answers from the debriefer.

c. Debriefing Acknowledgments will be used and executed at the time of the debriefing and include the following:

(1) Remind the individual of his/her continuing obligations agreed to in the SAP NDA.

(2) Remind the individual that the NDA is a legal contract between the individual and the U.S. Government.

(3) Advise that all classified information, to include Program information, is now and forever the property of the U.S. Government.

(4) Remind the individual of the penalties for espionage and unauthorized disclosure as contained in Titles 18 and 50 of the U.S. Code. The briefer should have these documents available for handout upon request. Require the individual to sign and agree that questions about the NDA have been answered and that Titles 18 and 50 (U.S. Codes) were made available and understood.

(5) Remind the individual of his/her obligation not to discuss, publish, or otherwise reveal information about the Program. The appearance of Program information in the public domain does not constitute a de facto release from the continuing secrecy agreement.

(6) Advise that any future questions or concerns regarding the Program (e.g., solicitations for information, approval to publish material based on Program knowledge and/or experience) will be directed to the CPSO. The individual will be provided a telephone number for the CPSO or PSO.

(7) Advise that each provision of the agreement is severable, i.e., if one provision is declared unenforceable, all others remain in force.

(8) Emphasize that even though an individual signs a Debriefing Acknowledgment Statement, he/she is never released from the original NDA/secrecy agreement unless specifically notified in writing.

d. Verify the return of any and all SAP classified material and unclassified Program-sensitive material and identify all security containers to which the individual had access.

e. When debriefed for cause, include a brief statement as to the reason for termination of access and notify the PSO. In addition, the CPSO will notify all agencies holding interest in that person's clearance/accesses.

f. The debriefer will advise persons who refuse to sign a debriefing acknowledgment that such refusal could affect future access to special access programs and/or continued clearance eligibility. It could be cause for administrative sanctions and it will be reported to the appropriate Government Clearance Agency.

g. Provide a point of contact for debriefed employees to report any incident in the future which might affect the security of the Program.

3-105. Administrative Debriefings. Efforts to have all Program-briefed personnel sign a Debriefing Acknowledgment Statement may prove difficult. If attempts to locate an individual either by telephone or mail are not successful, the CPSO should prepare a Debriefing Acknowledgment Statement reflecting that the individual was administratively debriefed. The Debriefing Acknowledgment Statement will be forwarded to the PSO. The CPSO will check to ensure that no Program material is charged out to, or in the possession of, these persons.

3-106. Recognition and Award Program. Recognition and award programs could be established to single out those employees making significant contributions to Program contractor security. If used, CPSOs will review award write-ups to ensure recommendations do not contain classified information.

Chapter 4
Classification and Markings
Section 1. Classification

Challenges to Classification. All challenges to SAP classified information and/or material shall be forwarded through the CPSO to the PSO to the appropriate Government contracting activity. All such challenges shall remain in Program channels.

Section 2. Marking Requirements

4-200. General. Classified material that is developed under a SAP will be marked and controlled in accordance with the NISPOM, this Supplement, the Program Security Classification Guide, and other Program guidance as directed by the PSO.

4-201. Additional Provisions and Controls. The PSO may specify additional markings to be applied to SAP working papers based on the sensitivity and criticality of the Program, when approved by the CSA.

4-202. Engineer's Notebook. An engineer's notebook is a working record of continually changing Program technical data. It should NOT include drafts of correspondence, reports, or other materials. The outer cover and first page will be marked with the highest classification level contained in the notebook. Portion marking or numbering is not required. Other requirements pertaining to these notebooks may be imposed by the PSO.

4-203. Cover Sheets. Cover sheets will be applied to SAP documents when the documents are created or distributed. NOTE: CODE WORDS WILL NOT BE PRINTED ON THE COVER SHEETS. The unclassified nickname, digraph, or trigraph may be used.

4-204. Warning Notices. Generally, Program classified marking and transmission requirements will follow this Supplement. Transmission of Program or Program-related material will be determined by the PSO. Besides the classification markings, inner containers will be marked:

"TO BE OPENED ONLY BY:" followed by the name of the individual to whom the material is sent. A receipt may be required. Apply the following markings on the bottom center of the front of the inner container:

WARNING

THIS PACKAGE CONTAINS CLASSIFIED U.S. GOVERNMENT INFORMATION. TRANSMISSION OR REVELATION OF THIS INFORMATION IN ANY MANNER TO AN UNAUTHORIZED PERSON IS PROHIBITED BY TITLE 18, U.S. CODE, SECTION 798 (OR TITLE 42, SECTION XX FOR RD OR FRD MATERIAL). IF FOUND, PLEASE DO NOT OPEN. "CALL COLLECT" THE FOLLOWING NUMBERS, (area code) (number) (PSO/CPSO work number) DURING WORKING HOURS OR (area code) (number) (PSO/CPSO) AFTER WORKING HOURS.

Chapter 5
Safeguarding Classified Information
Section 1. General Safeguarding Requirements

5-100. General. Classified and unclassified sensitive SAP material must be stored in SAP CSA approved facilities only. Any deviations must have prior approval of the SAP CSA or designee.

Section 2. Control and Accountability

5-200. General. Contractors shall develop and maintain a system that enables control of SAP classified information and unclassified Program sensitive information for which the contractor is responsible.

5-201. Accountability. Accountability of classified SAP material shall be determined and approved in writing by the CSA or designee at the time the SAP is approved. A separate accountability control system may be required for each SAP.

5-202. Annual Inventory. An annual inventory of accountable SAP classified material may be required. The results of the inventory and any discrepancies may be required to be reported in writing to the PSO.

5-203. Collateral classified material required to support a SAP contract may be transferred within SAP controls. Transfer will be accomplished in a manner that will not compromise the SAP or any classified information. The PSO will provide oversight for collateral classified material maintained in the SAP. Collateral classified material generated during the performance of a SAP contract may be transferred from the SAP to the contractor's collateral classified system. The precautions required to prevent compromise will be approved by the PSO.

Section 3. Storage and Storage Equipment

(not further supplemented)

Section 4. Transmission

5-400. General. SAP classified material shall be transmitted outside the contractor's facility in a manner that prevents loss or unauthorized access.

5-401. Preparation. All classified SAP material will be prepared, reproduced, and packaged by Program-briefed personnel in approved Program facilities.

5-402. Couriers. The PSO, through the CPSO, will provide detailed courier instructions to couriers when hand-carrying SAP material. The CPSO will provide the courier with an authorization letter. Report any travel anomalies to the CPSO as soon as practical. The CPSO will notify the PSO.

5-403. Secure Facsimile and/or Electronic Transmission. Secure facsimile and/or electronic transmission encrypted communications equipment may be used for the transmission of Program classified information. When secure facsimile and/or electronic transmission is permitted, the PSO or other Government cognizant security reviewing activity will approve the system in writing. Transmission of classified Program material by this means may be receipted for by an automated system-generated message that transmission and receipt have been accomplished. For TOP SECRET documents a receipt on the secure facsimile may be required by the PSO.

5-404. U.S. Postal Mailing. A U.S. Postal mailing channel, when approved by the PSO, may be established to ensure mail is received only by appropriately cleared and accessed personnel.

5-405. TOP SECRET Transmission. TOP SECRET (TS) SAP will be transmitted via secure data transmission or via Defense Courier Service unless other means have been authorized by the PSO.

Section 5. Disclosure

5-500. Release of Information. Public release of SAP information is not authorized without written authority from the Government as provided for in U.S. Code, Titles 10 and 42. Any attempt by unauthorized personnel to obtain Program information and sensitive data will be reported immediately to the Government Program Manager (GPM) through the PSO using approved secure communication channels.

Section 6. Reproduction

5-600. General. Program material will be reproduced on equipment specifically designated by the CPSO and may require approval by the PSO. The CPMs and CPSOs may be required to prepare written reproduction procedures.

5-601. The PSO or designee may approve reproduction of TS material.

Section 7. Disposition and Retention

5-700. Disposition. CPSOs may be required to inventory, dispose of, request retention, or return for disposition all classified SAP-related material (including AIS media) at contract completion and/or close-out. Request for proposal (RFP), solicitation, or bid and proposal collateral classified and unclassified material contained in Program files will be reviewed and screened to determine appropriate disposition (i.e., destruction, request for retention). Disposition recommendations by categories of information or by document control number, when required, will be submitted to the PSO for concurrence. Requests for retention of classified information (SAP and non-SAP) will be submitted to the Contracting Officer, through the PSO, for review and approval. Requirements for storage and control of materials approved for retention will be approved by the PSO.

5-701. Retention of SAP Material. The contractor may be required to submit a request to the Contracting Officer (CO), via the PSO, for authority to retain classified material beyond the end of the contract performance period. The request will also include any retention of Program-related material. The contractor will not retain any Program information unless specifically authorized in writing by the Contracting Officer. Storage and control requirements of SAP materials will be approved by the PSO.

5-702. Destruction. Appropriately indoctrinated personnel shall ensure the destruction of classified SAP data. The CSA or designee may determine that two persons are required for destruction. Nonaccountable waste and unclassified SAP material may be destroyed by a single Program-briefed employee.

Section 8. Construction Requirements

5-800. General. Establishing a Special Access Program Facility (SAPF). Prior to commencing work on a SAP, the contractor may be required to establish an approved SAPF to afford protection for Program classified information and material. Memorandums of Agreement (MOA) are required prior to allowing SAPs with different CSAs to share a SAPF.

5-801. Special Access Program Facility.

a. A SAPF is a program area, room, group of rooms, building, or an enclosed facility accredited by the PSO where classified SAP Program business is conducted. SAPFs will be afforded personnel access control to preclude entry by unauthorized personnel. Non-accessed persons entering a SAPF will be escorted by an indoctrinated person.

b. A Sensitive Compartmented Information Facility (SCIF) is an area, room, building, or installation that is accredited to store, use, discuss, or electronically process SCI. The standards and procedures for a SCIF are stated in DCIDs 1/19 and 1/21.

c. SAPFs accredited prior to implementation of this Supplement will retain accreditation until no longer required or until recertification is required due to major modification of the external perimeter, or changes to the Intrusion Detection System (IDS), which affects the physical safeguarding capability of the facility.

d. Physical security standards will be stated in the Government's RFP, RFQ, contract, or other pre-contract or contractual document.

e. The need-to-know (NTK) of the SAP effort may warrant establishment of multi-compartments within the same SAPF.

f. *There may be other extraordinary or unique circumstances where existing physical security standards are inconsistent with facility operating requirements, for example, but not limited to, research and test facilities or production lines. Physical security requirements under these circumstances will be established on a case-by-case basis and approved by the PSO/Contracting Officer, as appropriate. (Note: as approved by the CSA at establishment of the SAP.)

g. The PSO will determine the appropriate security countermeasures for discussion areas.

5-802. Physical Security Criteria Standards.

a. DCID 1/21 standards may apply to a SAPF when one or more of the following criteria are applicable:

(1) State-of-the-art technology as determined by CSAs to warrant enhanced protection.

(2) Contractor facility is known to be working on specific critical technology.

(3) Contractor facility is one of a few (3 or less) known facilities to have the capability to work on specific critical technology.

(4) TOP SECRET or SECRET material is maintained in open storage.

(5) A SAPF is located within a commercial building, and the contractor does not control all adjacent spaces.

(6) SCI or Intelligence Sources and methods are involved.

(7) Contractors or technologies known to be a target of foreign intelligence services (FIS).

b. The NISPOM baseline closed area construction requirements, with Sound Transmission Class (STC) in accordance with DCID 1/21, Annex E, and intrusion alarms in accordance with Annex B, DCID 1/21, may apply to a SAPF when one of the following criteria is applicable.

(1) Not state-of-the-art technology and the technology is known to exist outside U.S. Government control.

(2) The SAP is a large-scale weapon system production program.

(3) No open storage of Confidential SAP material in a secure working area unless permitted by the PSO on a case-by-case basis.

(4) A SAPF located within a controlled access area.

(5) Intelligence related activities.

c. The PSO may approve baseline closed area construction requirements as an additional option for some SAP program areas.

5-803. SAP Secure Working Area. The PSO may approve any facility as a SAP Secure Working Area. Visual and sound protection may be provided by a mix of physical construction, perimeter control, guards, and/or indoctrinated workers.

5-804. Temporary SAPF. The PSO may accredit a temporary SAPF.

5-805. Guard Response.

a. Response to alarms will be in accordance with DCID 1/21, or

b. The NISPOM.

c. Response personnel will remain at the scene until released by the CPSO or designated representative.

NOTE: The CPSO will immediately provide notification to the PSO if there is evidence of forced entry, with a written report to follow within 72 hours.

5-806. Facility Accreditation.

a. Once a facility has been accredited to a stated level by a Government Agency, that accreditation should be accepted by any subsequent agency.

b. For purposes of co-utilization, costs associated with any security enhancements in a SCIF or SAPF above preexisting measures may be negotiated for reimbursement by the contractor's contracting officer or designated representative. Agreements will be negotiated between affected organizations.

c. If a previously accredited SAPF becomes inactive for a period not to exceed one year, the SAP accreditation will be reinstated by the gaining accrediting agency provided the following is true:

(1) The threat in the environment surrounding the SAPF has not changed;

(2) No modifications have been made to the SAPF which affect the level of safeguarding;

(3) The level of safeguarding for the new Program is comparable to the previous Program;

(4) The SAPF has not lost its SAP accreditation integrity and the contractor has maintained continuous control of the facility.

(5) A technical surveillance countermeasures (TSCM) survey may be required.

NOTE: Previously granted waivers are subject to negotiation.

5-807. Prohibited Items. Items that constitute a threat to the security integrity of the SAPF (e.g., cameras or recording devices) are prohibited unless authorized by the PSO. All categories of storage media entering and leaving the SAPFs may require the approval of the PSO or his/her designated representative.

Chapter 6
Visits and Meetings
Section 1. Visits

6-100. General. A visit certification request for all Program visits will be made prior to a visit to a Program facility. When telephone requests are made, a secure telephone should be used whenever possible. Visit requests will be handled exclusively by the cognizant CPSO or designated representative. The GPM or PSO or his/her designated representative will approve all visits between Program activities. However, visits between a prime contractor and the prime's subcontractors and approved associates will be approved by the CPSO. Twelve-month visit requests are not authorized unless approved by the PSO.

6-101. Visit Request Procedures. All visit requests will be sent only via approved channels. In addition to the NISPOM, the following additional information for visits to a SAPF will include:

a. Name and telephone number of individual (not organization) to be visited;

b. Designation of person as a Program courier when applicable; and

c. Verification (e.g., signature) of the CPSO or designated representative that the visit request information is correct.

6-102. Termination and/or Cancellation of a Visit Request. If a person is debriefed from the Program prior to expiration of a visit certification, or if cancellation of a current visit certification is otherwise appropriate, the CPSO/FSO or his/her designated representative will immediately notify all recipients of the cancellation or termination of the visit request.

6-103. Visit Procedures.

a. Identification of Visitors. An official photographic identification such as a valid driver's license is required.

b. Extension. When a visit extends past the date on the visit certification, a new visit request is not required if the purpose remains the same as that stated on the current visit request to a specific SAPF.

c. Rescheduling. When a rescheduled visit occurs after a visit request has been received, the visit certification will automatically apply if the visit is rescheduled within thirty days and the purpose remains the same.

d. Hand-carrying. It is the responsibility of the host CPSO to contact the visitor's CPSO should the visitor plan to hand-carry classified material. CPSOs will use secure means for notification. In emergency situations where secure communications are not available, contact the PSO for instructions. When persons return to their facility with SAP material, they will relinquish custody of the material to the CPSO or designated representative. Arrangements will be made to ensure appropriate overnight storage and protection for material returned after close of business.

6-104. Collateral Clearances and Special Access Program Visit Requests. Collateral clearances and SAP accesses may be required in conjunction with the SAP visit. If access to collateral classified information is required outside the SAPF, then the CPSO can certify clearances and accesses as required within the facility. Certification will be based on the SAP visit request received by the CPSO. The CPSO will maintain the record copy of the visit certification. SCI visit certification will be forwarded through appropriate SCI channels.

6-105. Non-Program-Briefed Visitors. In instances where entry to a SAPF by non-Program-briefed personnel is required (e.g., maintenance, repair), they will complete and sign a visitor's record and will be escorted by a Program-briefed person at all times. Sanitization procedures will be implemented in advance to ensure that personnel terminate classified discussions and other actions and protect SAP information whenever a non-briefed visitor is in the area. If maintenance is required of a classified device, the uncleared maintenance person shall be escorted by a Program-briefed, technically knowledgeable individual. Every effort should be made to have a technically knowledgeable Program-briefed person as an escort.

6-106. Visitor Record. *The PSO may require the CPSO to establish a Program visitor's record. This record will be maintained inside the SAPF, and retention may be required.

Section 2. Meetings

(not further supplemented)

Chapter 7
Subcontracting
Section 1. Prime Contracting Responsibilities

7-100. General. This section addresses the responsibilities and authorities of prime contractors concerning the release of classified SAP information to subcontractors. Prior to any release of classified information to a prospective subcontractor, the prime contractor will determine the scope of the bid and procurement effort. Prime contractors will use extreme caution when conducting business with non-Program-briefed subcontractors to preclude the release of information that would divulge Program-related (classified or unclassified Program sensitive) information.

7-101. Determining Clearance Status of Prospective Subcontractors. All prospective subcontractor personnel will have the appropriate security clearance and meet the investigative criteria as specified in this Supplement prior to being briefed into a SAP. The eligibility criteria will be determined in accordance with the NISPOM and this Supplement. For acknowledged Programs, in the event a prospective subcontractor does not have the appropriate security clearances, the prime contractor will request that the cognizant PSO initiate the appropriate security clearance action. A determination will be made in coordination with the PSO as to the levels of facility clearance a prospective subcontractor facility has for access to classified information and the storage capability level.

7-102. Security Agreements and Briefings. In the pre-contract phase, the prime contractor will fully advise the prospective subcontractor (prior to any release of SAP information) of the procurement's enhanced special security requirements. Arrangements for subcontractor Program access will be pre-coordinated with the PSO. When approved by the PSO, the prime contractor CPSO will provide Program indoctrinations and obtain NDAs from the subcontractors. A security requirements agreement will be prepared that specifically addresses those enhanced security requirements that apply to the subcontractor. The security requirements agreement may include the following elements, when applicable:

a. General Security Requirements.

b. Reporting Requirements.

c. Physical and/or Technical Security Requirements.

d. Release of Information.

e. Program Classified Control or Accountability.

f. Personnel Access Controls.

g. Security Classification Guidance.

h. Automated Information System.

i. Security Audits and Reviews.

j. Program Access Criteria.

k. Subcontracting.

l. Transmittal of Program Material.

m. Storage.

n. Testing and/or Manufacturing.

o. Program Travel.

p. Finances.

q. Sanitization of Classified Material.

r. Security Costs and Charging Policy.

s. Fraud, Waste, and Abuse Reporting.

t. Test Planning.

u. OPSEC.

v. TEMPEST.

7-103. Transmitting Security Requirements. Contract Security Classification Specifications prepared by the prime contractor will be coordinated with the GPM/PSO and contracting officer prior to transmitting to the subcontractor. Contract Security Classification Specifications prepared by the prime contractor will be forwarded to the GPM/PSO and contracting officer for coordination and signature.

Chapter 8
Automated Information Systems (AIS)
Section 1. Responsibilities

8-100. Introduction.

a. Purpose and Scope. This chapter addresses the protection and control of information processed on AIS. This entire chapter is contractor required and is not an option. The type is not bold or italicized, because it would include the complete chapter. AISs typically consist of computer hardware, software, and/or firmware configured to collect, create, communicate, compute, disseminate, process, store, or control data or information. This chapter specifies requirements and assurances for the implementation, operation, maintenance, and management of secure AIS used in support of SAP activities. Prior to using an AIS or AIS network for processing U.S. Government, Customer, or Program information, the Contractor/Provider will develop an AIS Security Plan (AISSP) as described herein and receive written Customer authorization to process Customer information. Such authorization to process requires approval by the Customer. The Provider will also assign an Information System Security Representative (ISSR) to support the preparation of these documents and to subsequently manage AIS security on-site for the Customer's program. After the AISSP is approved by the Customer, the Provider will thereafter conform to the plan for all actions related to the Customer's program information. This information includes the selection, installation, test, operation, maintenance, and modification of AIS facilities, hardware, software, media, and output.

b. Requirements. The AISSP selected menu upgrades to the NISPOM baseline will be tailored to the Provider's individual AIS configuration and processing operations. Alternatives to the protective measures in this Supplement may be approved by the Customer after the Provider demonstrates that the alternatives are reasonable and necessary to accommodate the Customer's needs. Prior to implementation, the Provider will coordinate any envisioned changes or enhancements with the Customer. Approved changes will be included in the AISSP. Any verbal approvals will subsequently be documented in writing. The information and guidance needed to prepare and obtain approval for the AISSP is described herein.

c. Restrictions. No personally owned AISs will be used to process classified information.

8-101. Responsibilities.

The Customer is the Government organization responsible for sponsoring and approving the classified and/or unclassified processing. The Provider is the Contractor who is responsible for accomplishing the processing for the Customer. The Information System Security Representative (ISSR) is the Provider-assigned individual responsible for on-site AIS processing for the Customer in a secure manner.

a. Provider Responsibilities. The Provider will take those actions necessary to meet the policies and requirements outlined in this document. The Provider will:

(1) Publish and promulgate a corporate AIS Security Policy that addresses the classified processing environment.

(2) Designate an individual to act as the ISSR.

(3) Incorporate AISs processing Customer information as part of a configuration management program.

(4) Enforce the AIS Security Policy.

b. ISSR Responsibilities. The Provider-designated ISSR has the following responsibilities:

(1) AIS Security Policy. Implement the AIS Security Policy.

(2) AIS Security Program. Coordinate the establishment and maintenance of a formal AIS Security Program to ensure compliance with this document:

(a) AIS Security Plan (AISSP). Coordinate the preparation of an AISSP in accordance with the outline and instructions provided in this document. After Customer

8-1-1
approval, the AISSP becomes the controlling security document for AIS processing Customer information. Changes affecting the security of the AIS must be approved by the Customer prior to implementation and documented in the AISSP.

         (b) AIS Technical Evaluation Test Plans. For systems operating in the compartmented or multi-level modes, prepare an AIS Technical Evaluation Test Plan in coordination with the Customer and applicable security documents.

         (c) Certification. Conduct a certification test in accordance with 8-102, c., and provide a certification report.

         (d) Continuity of Operations Plan (COOP). When contractually required, coordinate the development and maintenance of an AIS COOP to ensure the continuation of information processing capability in the event of an AIS-related disaster resulting from fire, flood, malicious act, human error, or any other occurrence that might adversely impact or threaten to impact the capability of the AIS to process information. This plan will be referenced in the AISSP.

         (e) Documentation. Ensure that all AIS security-related documentation as required by this chapter is current and is accessible to properly authorized individuals.

         (f) Customer Coordination. Coordinate all reviews, tests, and AIS security actions.

         (g) Auditing. Ensure that the required audit trails are being collected and reviewed as stated in 8-303.

         (h) Memorandum of Agreement. As applicable, ensure that Memoranda of Agreement are in place for AISs supporting multiple Customers.

         (i) Compliance Monitoring. Ensure that the system is operating in compliance with the AISSP.

         (j) AIS Security Education and Awareness. Develop an on-going AIS Security Education and Awareness Program.

         (k) Abnormal Occurrence. Advise Customer in a timely manner of any abnormal event that affects the security of an approved AIS.

         (l) Virus and malicious code. Advise Customer in a timely manner of any virus and malicious code on an approved AIS.

      (3) Configuration Management. Participate in the configuration management process.

      (4) Designation of Alternates. The ISSR may designate alternates to assist in meeting the requirements outlined in the chapter.

   c. Special Approval Authority. In addition to the above responsibilities, the Customer may authorize in writing an ISSR to approve specific AIS security actions including:

      (1) Equipment Movement. Approve and document the movement of AIS equipment.

      (2) Component Release. Approve the release of sanitized components and equipment in accordance with Tables 1 and 2 in 8-501.

      (3) Stand-alone Workstation and Portable AIS Approval. Approve and document new workstations in accordance with an approved AIS security plan and the procedures defined in this document for workstations with identical functionality. Approve and document portable AIS.

      (4) Dedicated and System High Network Workstation Approval. Approve and document additional workstations identical in functionality to existing workstations on an approved Local Area Network (LAN) provided the workstations are not located outside of the previously defined boundary of the LAN.

      (5) Other AIS Component Approval. Approve and document other AIS components identical in functionality to existing components on an approved LAN provided the components are not located outside of the previously defined boundary of the LAN.

8-102. Approval To Process.

Prior to using any AIS to process Customer information, approval will be obtained from the Customer. The following requirements will be met prior to approval.

8-1-2
   a. AIS Security Program. The Provider will have an AIS security program that includes:

      (1) An AIS security policy and a formal AIS security structure to ensure compliance with the guidelines specified in this document;

      (2) An individual whose reporting functionalities are within the Provider's security organization formally named to act as the ISSR;

      (3) The incorporation of AISs processing Customer information into the Provider's configuration management program. The Provider's configuration management program shall manage changes to an AIS throughout its life cycle. As a minimum the program will manage changes in an AIS's:

         (a) Hardware components (data retentive only)

         (b) Connectivity (external and internal)

         (c) Firmware

         (d) Software

         (e) Security features and assurances

         (f) AISSP

         (g) Test Plan

      (4) Control. Each AIS will be assigned to a designated custodian (and alternate custodian) who is responsible for monitoring the AIS on a continuing basis. The custodian will ensure that the hardware, installation, and maintenance as applicable conform to appropriate requirements. The custodian will also monitor access to each AIS. Before giving users access to any such AIS, the custodian will have them sign a statement indicating their awareness of the restrictions for using the AIS. These statements will be maintained on file and available for review by the ISSR.

   b. AIS Security Plan (AISSP). The Provider will prepare and submit an AISSP covering AISs processing information in a Customer's Special Access Program Facility (SAPF), following the format in Appendix C. For RD, the Customer may modify the AISSP format.

   c. AIS Certification and Accreditation.

      (1) Certification. Certification is the comprehensive evaluation of technical and non-technical security features to establish the extent to which an AIS has met the security requirements necessary for it to process the Customer information. Certification precedes the accreditation. The certification is based upon an inspection and test to verify that the AISSP accurately describes the AIS configuration and operation (See Appendix C and D). A Certification Report summarizing the following will be provided to the Customer:

         (a) For the dedicated mode of operation, the provider must verify that access controls, configuration management, and other AISSP procedures are functional.

         (b) In addition, for System High AIS the ISSR will verify that discretionary controls are implemented.

         (c) For compartmented and multilevel AIS, certification also involves testing to verify that technical security features required for the mode of operation are functional. Compartmented and multi-level AIS must have a Technical Evaluation Test Plan that includes a detailed description of how the implementation of the operating system software, data management system software, firmware, and related security software packages will enable the AIS to meet the Compartmented or Multilevel Mode requirements. The plan outlines the inspection and test procedures to be used to demonstrate this compliance.

      (2) Accreditation. Accreditation is the formal declaration by the Customer that a classified AIS or network is approved to operate in a particular security mode; with a prescribed set of technical and non-technical security features; against a defined threat; in a given operational environment; under a stated operational concept; with stated interconnections to other AIS; and at an acceptable level of risk. The accreditation decision is subject to the certification process. Any changes to the accreditation criteria described above may require a new accreditation.

   d. Interim Approval. The Customer may grant an interim approval to operate.

8-1-3
   e. Withdrawal of Accreditation. The Customer may withdraw accreditation if:

      (1) The security measures and controls established and approved for the AIS do not remain effective.

      (2) The AIS is no longer required to process Customer information.

   f. Memorandum of Agreement. A Memorandum of Agreement (MOA) is required whenever an accredited AIS is co-utilized, interfaced, or networked between two or more Customers. This document will be included, as required, by the Customer.

   g. Procedures for Delegated Approvals. For AISs operating in the dedicated or system high modes, the Customer may delegate special approval authority to the ISSR for additional AISs that are identical in design and operation. That is: two or more AIS are identical in design and operate in the same security environment (same mode of operation, process information with the same sensitivities, and require the same accesses and clearances, etc.). Under these conditions the AISSP, in addition to containing the information required by Appendix C, shall also include the certification requirements (inspection and tests) and procedures that will be used to accredit all AISs. The CSA will validate that the certification requirements are functional by accrediting the first AIS using these certification requirements and procedures. The ISSR may allow identical AIS to operate under that accreditation if the certification procedures are followed and the AIS meets all the certification requirements outlined in the AISSP. The AISSP will be updated with the identification of the newly accredited AIS and a copy of each certification report will be kept on file.

8-103. Security Reviews.

   a. Purpose. Customer AIS Security Reviews are conducted to verify that the Provider's AIS is operated in accordance with the approved AISSP.

   b. Scheduling. Customer AIS Reviews are normally scheduled at least once every 24 months for Provider systems processing Customer program information. The Customer will establish specific review schedules.

   c. Review Responsibilities. During the scheduled Customer AIS Security Review, the Provider will furnish the Customer representative conducting the Review with all requested AIS or network documentation. Appropriate Provider security, operations, and management representatives will be made available to answer questions that arise during the Customer AIS Review process.

   d. Review Reporting. At the conclusion of the Customer AIS Review visit, the Customer will brief the Provider's appropriate security, operations, and management representatives on the results of the Review and of any discrepancies discovered and the recommended measures for correcting the security deficiencies. A formal report of the Customer AIS Review is provided to the Provider's security organization no later than 30 days after the Review.

   e. Corrective Measures. The Provider will respond to the Customer in writing within 30 days of receipt of the formal report of deficiencies found in the Customer AIS Review process. The response will describe the actions taken to correct the deficiencies outlined in the formal report of Customer AIS Review findings. If proposed actions will require an expenditure in funds, approval will be obtained from the Contracting Officer prior to implementation.

8-1-4
Section 3 follows Section 2 below.

Section 2. Security Modes

8-200. Security Modes-General.

   a. AISs that process classified information must operate in the dedicated, system high, compartmented, or multilevel mode. Security modes are authorized variations in security environments, requirements, and methods of operating. In all modes, the integration of automated and conventional security measures shall, with reasonable dependability, prevent unauthorized access to classified information during, or resulting from, the processing, storage, or transmission of such information, and prevent unauthorized manipulation of the AIS that could result in the compromise or loss of classified information.

   b. In determining the mode of operation of an AIS, three elements must be addressed: the boundary and perimeter of the AIS, the nature of the data to be processed, and the level and diversity of access privileges of intended users. Specifically:

      (1) The boundary of an AIS includes all users that are directly or indirectly connected and who can receive data from the AIS without a reliable human review by an appropriately cleared authority. The perimeter is the extent of the AIS that is to be accredited as a single entity.

      (2) The nature of data is defined in terms of its classification levels, compartments, subcompartments, and sensitivity levels.

      (3) The level and diversity of access privileges of its users are defined as their clearance levels, need-to-know, and formal access approvals.

8-201. Dedicated Security Mode.

   a. An AIS is operating in the dedicated mode (processing either full time or for a specified period) when each user with direct or indirect access to the AIS, its peripherals, remote terminals, or remote hosts has all of the following:

      (1) A valid personnel clearance for all information stored or processed on the AIS.

      (2) Formal access approvals and has executed all appropriate non-disclosure agreements for all the information stored and/or processed (including all compartments, subcompartments, and/or SAPs).

      (3) A valid need to know for all information stored on or processed within the AIS.

   b. The following security requirements are established for AISs operating in the dedicated mode:

      (1) Be located in a SAPF.

      (2) Implement and enforce access procedures to the AIS.

      (3) All hard copy output will be handled at the level for which the system is accredited until reviewed by a knowledgeable individual.

      (4) All media removed from the system will be protected at the highest classification level of information stored or processed on the system until reviewed and properly marked according to procedures in the AIS security plan.

   c. Security Features for Dedicated Security Mode.

      (1) Since the system is not required to provide technical security features, it is up to the user to protect the information on the system. For networks operating in the dedicated mode, automated identification and authentication controls are required.

      (2) For DoD, the Customer may require audit records of user access to the system. Such records will include: user ID, start date and time, and stop date and time. Logs will be maintained IAW 8-303.

   d. Security Assurances for Dedicated Security Mode.

      (1) AIS security assurances must include an approach for specifying, documenting, controlling, and maintaining the integrity of all appropriate AIS hardware, firmware, software, communications interfaces, operating procedures, installation structures, security documentation, and changes thereto.

      (2) Examination of Hardware and Software. Classified AIS hardware and software shall be examined when received from the vendor and before being placed into use.

8-2-1
         (a) Classified AIS Hardware. An examination shall result in assurance that the equipment appears to be in good working order and have no parts that might be detrimental to the secure operation of the resource. Subsequent changes and developments which affect security may require additional examination.

         (b) Classified AIS Software.

            1. Commercially procured software shall be examined to assure that the software contains no features which might be detrimental to the security of the classified AIS.

            2. Security-related software shall be examined to assure that the security features function as specified.

         (c) Custom Software or Hardware Systems. New or significantly changed security relevant software and hardware developed specifically for the system shall be subject to testing and review at appropriate stages of development.

8-202. System High Security Mode.

   a. An AIS is operating in the system high mode (processing either full time or for a specified period) when each user with direct or indirect access to the AIS, its peripherals, remote terminals, or remote hosts has all of the following:

      (1) A valid personnel clearance for all information on the AIS.

      (2) Formal access approval and has signed non-disclosure agreements for all the information stored and/or processed (including all compartments and subcompartments).

      (3) A valid need-to-know for some of the information contained within the system.

   b. AISs operating in the system high mode, in addition to meeting all of the security requirements, features, and assurances established for the dedicated mode, will meet the following:

      (1) Security Features for System High Mode

         (a) Define and control access between system users and named objects (e.g., files and programs) in the AIS. The enforcement mechanism must allow system users to specify and control the sharing of those objects by named individuals and/or explicitly defined groups of individuals. The access control mechanism must, either by explicit user action or by default, provide that all objects are protected from unauthorized access (discretionary access control). Access permission to an object by users not already possessing access permission must only be assigned by authorized users of the object.

         (b) Time Lockout. Where technically feasible, the AIS shall time lockout an interactive session after an interval of user inactivity. The time interval and restart requirements shall be specified in the AIS Security Plan.

         (c) Audit Trail. Provide an audit trail capability that records time, date, user ID, terminal ID (if applicable), and file name for the following events:

            1. Introduction of objects into a user's address space (e.g., file open and program initiation as determined by the Customer and ISSR).

            2. Deletion of objects (e.g., as determined by the Customer and ISSR).

            3. System log-on and log-off.

            4. Unsuccessful access attempts.

         (d) Require that memory and storage contain no residual data from the previously contained object before being assigned, allocated, or reallocated to another subject.

         (e) Identification Controls. Each person having access to a classified AIS shall have the proper security clearances and authorizations and be uniquely identified and authenticated before access to the classified AIS is permitted. The identification and authentication methods used shall be specified and approved in the AIS Security Plan. User access controls in classified AISs shall include authorization, user

8-2-2
identification, and authentication. Administrative controls for assigning these shall be covered in the AISSP.

            1. User Authorizations. The manager or supervisor of each user of a classified AIS shall determine the required authorizations, such as need-to-know, for that user.

            2. User Identification. Each system user shall have a unique user identifier and authenticator.

               a. User ID Removal. The ISSR shall ensure the development and implementation of procedures for the prompt removal of access from the classified AIS when the need for access no longer exists.

               b. User ID Revalidation. The AIS ISSR shall ensure that all user IDs are revalidated at least annually, and information such as sponsor and means of off-line contact (e.g., phone number, mailing address) are updated as necessary.

         (f) Authentication. Each user of a classified AIS shall be authenticated before access is permitted. This authentication can be based on any one of three types of information: something the person knows (e.g., a password); something the person possesses (e.g., a card or key); something about the person (e.g., fingerprints or voiceprints); or some combination of these three. Authenticators that are passwords shall be changed at least every six months.

            1. Requirements.

               a. Log-on. Users shall be required to authenticate their identities at "log-on" time by supplying their authenticator (e.g., password, smart card, or fingerprints) in conjunction with their user ID.

               b. Protection of Authenticator. An Authenticator that is in the form of knowledge or possession (password, smart card, keys) shall not be shared with anyone. Authenticators shall be protected at a level commensurate with the accreditation level of the Classified AIS.

            2. Additional Authentication Countermeasures. Where the operating system provides the capability, the following features shall be implemented:

               a. Log-on Attempt Rate. Successive log-on attempts shall be controlled by denying access after multiple (maximum of five) unsuccessful attempts on the same user ID; by limiting the number of access attempts in a specified time period; by the use of a time delay control system; or other such methods, subject to approval by the Customer.

               b. Notification to the User. The user shall be notified upon successful log-on of: the date and time of the user's last log-on; the ID of the terminal used at last log-on; and the number of unsuccessful log-on attempts using this user ID since the last successful log-on. This notice shall require positive action by the user to remove the notice from the screen.

         (g) The audit, identification, and authentication mechanisms must be protected from unauthorized access, modification, or deletion.

   c. Security Assurances for System High Mode. The system security features for need-to-know controls will be tested and verified. Identified flaws will be corrected.

8-203. Compartmented Security Mode.

   a. An AIS is operating in the compartmented mode when users with direct or indirect access to the AIS,

8-2-3
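The log-on attempt limit, the last-log-on notice and the audit records required by 8-202 b.(1)(c), (f)2.a and (f)2.b, together with the five-try limit of 8-300 a, as working code. This is an added example and not code from the Supplement; the class and event names, the PBKDF2 parameters and the sample account are assumptions made for the demonstration.

```python
"""Log-on attempt limit, last-log-on notice and audit records: added example
for 8-202 b.(1)(c), (f)2.a, (f)2.b and 8-300 a, not part of the Supplement.
Names, PBKDF2 parameters and the sample account are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional
import hashlib
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 5  # "maximum of five" unsuccessful attempts on one user ID


@dataclass
class AuditRecord:
    """Time/date, user ID and terminal ID for each log-on event, per (c)3 and (c)4."""
    time: datetime
    user_id: str
    terminal_id: str
    event: str  # LOGON, LOGON_FAIL, LOCKOUT or REACTIVATE


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    failed_since_last_logon: int = 0  # reported in the notice, (f)2.b
    consecutive_failures: int = 0     # drives the lockout, (f)2.a
    locked: bool = False              # cleared only by reactivation, 8-300 a
    last_logon: Optional[datetime] = None
    last_terminal: Optional[str] = None


class LogonController:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.audit: List[AuditRecord] = []

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def add_account(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user_id] = Account(user_id, salt, self._hash(salt, password))

    def _log(self, now: datetime, user_id: str, terminal_id: str, event: str) -> None:
        self.audit.append(AuditRecord(now, user_id, terminal_id, event))

    def logon(self, user_id: str, password: str, terminal_id: str,
              now: datetime) -> Optional[Dict[str, object]]:
        """Return the (f)2.b notice on success, None on denial."""
        acct = self.accounts.get(user_id)
        # Unknown, locked and wrong-password IDs all get the same answer, so the
        # response does not reveal which user IDs exist.
        if acct is None or acct.locked:
            self._log(now, user_id, terminal_id, "LOGON_FAIL")
            return None
        if not hmac.compare_digest(self._hash(acct.salt, password), acct.pw_hash):
            acct.failed_since_last_logon += 1
            acct.consecutive_failures += 1
            self._log(now, user_id, terminal_id, "LOGON_FAIL")
            if acct.consecutive_failures >= MAX_FAILED_ATTEMPTS:
                acct.locked = True
                self._log(now, user_id, terminal_id, "LOCKOUT")
            return None
        notice = {"last_logon": acct.last_logon, "last_terminal": acct.last_terminal,
                  "failed_attempts_since_last_logon": acct.failed_since_last_logon,
                  "acknowledged": False}  # stays on screen until the user acts
        acct.failed_since_last_logon = acct.consecutive_failures = 0
        acct.last_logon, acct.last_terminal = now, terminal_id
        self._log(now, user_id, terminal_id, "LOGON")
        return notice

    def reactivate(self, user_id: str, now: datetime) -> None:
        """ISSR action re-enabling a user ID locked by too many failures (8-300 a)."""
        acct = self.accounts[user_id]
        acct.locked, acct.consecutive_failures = False, 0
        self._log(now, user_id, "ISSR", "REACTIVATE")


def demo() -> Dict[str, object]:
    """Run a constructed scenario and return what a reviewer could observe."""
    ctl = LogonController()
    ctl.add_account("jdoe", "Tr0ub4dor&3")  # constructed sample credential
    t = datetime(2024, 3, 1, 9, 0, 0)
    out: Dict[str, object] = {}
    for i in range(2):                         # two bad guesses, then success
        ctl.logon("jdoe", "guess", "T1", t + timedelta(seconds=i))
    out["first_notice"] = ctl.logon("jdoe", "Tr0ub4dor&3", "T1", t + timedelta(minutes=1))
    for i in range(MAX_FAILED_ATTEMPTS):       # five straight failures lock the ID
        ctl.logon("jdoe", "guess", "T2", t + timedelta(minutes=2, seconds=i))
    out["locked"] = ctl.accounts["jdoe"].locked
    out["refused_while_locked"] = ctl.logon("jdoe", "Tr0ub4dor&3", "T2",
                                            t + timedelta(minutes=3)) is None
    ctl.reactivate("jdoe", t + timedelta(minutes=10))
    out["second_notice"] = ctl.logon("jdoe", "Tr0ub4dor&3", "T2", t + timedelta(minutes=11))
    out["audit_events"] = [r.event for r in ctl.audit]
    return out
```

The counter used for the notice is separate from the one that drives the lockout, because the text asks for the number of failures "since the last successful log-on" in the notice but an ISSR reactivation must be able to clear the lockout without hiding those failures from the user. The audit records carry the fields (c) lists for log-on events; file names apply only to the object events in (c)1 and (c)2 and are omitted here.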
its peripherals, or remote terminals have all of the following:

      (1) A valid personnel clearance for access to the most restricted information processed in the AIS.

      (2) Formal access approval and have signed nondisclosure agreements for that information to which he/she is to have access (some users do not have formal access approval for all compartments or subcompartments processed by the AIS).

      (3) A valid need-to-know for that information for which he/she is to have access.

   b. Security Features for Compartmented Mode. In addition to all Security Features and Security Assurances required for the System High Mode of Operation, Classified AIS operating in the Compartmented Mode of Operation shall also include:

      (1) Resource Access Controls.

         (a) Security Labels. The Classified AIS shall place security labels on all entities (e.g., files) reflecting the sensitivity (classification level, classification category, and handling caveats) of the information for resources and the authorizations (security clearances, need-to-know, formal access approvals) for users. These labels shall be an integral part of the electronic data or media. These security labels shall be compared and validated before a user is granted access to a resource.

         (b) Export of Security Labels. Security labels exported from the Classified AIS shall be accurate representations of the corresponding security labels on the information in the originating Classified AIS.

      (2) Mandatory Access Controls. Mandatory access controls shall be provided. These controls shall provide a means of restricting access to files based on the sensitivity (as represented by the label) of the information contained in the files and the formal authorization (i.e., security clearance) of users to access information of such sensitivity.

      (3) No information shall be accessed whose compartment is inconsistent with the session log-on.

      (4) Support a trusted communications path between itself and each user for initial log-on and verification.

      (5) Enforce, under system control, a system-generated, printed, and human-readable security classification level banner at the top and bottom of each physical page of system hard-copy output.

      (6) Audit these additional events: the routing of all system jobs and output, and changes to security labels.

      (7) Security Level Changes. The system shall immediately notify a terminal user of each change in the security level associated with that user during an interactive session. A user shall be able to query the system as desired for a display of the user's complete sensitivity label.

   c. Security Assurances for Compartmented Mode.

      (1) Confidence in Software Source. In acquiring resources to be used as part of a Classified AIS, consideration shall be given to the level of confidence placed in the vendor to provide a quality product, to support the security features of the product, and to assist in the correction of any flaws.

      (2) Flaw Discovery. The Provider shall ensure the vendor has implemented a method for the discovery of flaws in the system (hardware, firmware, or software) that may have an effect on the security of the AIS.

      (3) No Read Up, No Write Down. Enforce an upgrade or downgrade principle where all users processing have a system-maintained classification; no data is read that is classified higher than the processing session authorized; and no data is written unless its security classification level is equal to or lower than the user's authorized processing security classification and all non-hierarchical categories are the same.

      (4) Description of the Security Support Structure (often referred to as the Trusted Computing Base). The protections and provisions of the security support structure shall be documented in such a manner to show the underlying planning for the security of a Classified AIS. The security enforcement mechanisms shall be isolated and protected from any user or unauthorized process interference or modification.

8-2-4
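The label comparison of 8-203 b.(1)(a), the compartment check of b.(3), the hard-copy banner of b.(5) and the read/write rule of c.(3), as an added example that is not part of the Supplement. The level ordering, the category names, the banner layout and the sample labels are assumptions; the read and write checks follow the wording of b.(3) and c.(3) as given, including the condition that all non-hierarchical categories be the same for a write.

```python
"""Security labels, compartment consistency, the c.(3) read/write rule and
the b.(5) hard-copy banner. Added example, not part of the Supplement;
level ordering, category names and sample labels are assumptions."""
from dataclasses import dataclass
from typing import FrozenSet, List

# Hierarchical levels, lowest to highest (assumed ordering; the Supplement
# names CONFIDENTIAL, SECRET and TOP SECRET in 8-204 a.(1)).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Sensitivity label: classification level plus non-hierarchical categories."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.level not in LEVELS:
            raise ValueError(f"unknown classification level: {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        """Level at least other's, and every category of other is held here."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)

    def banner(self) -> str:
        """Human-readable marking, e.g. 'SECRET//ALPHA/BRAVO'."""
        cats = "/".join(sorted(self.categories))
        return self.level + ("//" + cats if cats else "")


def session_permitted(clearance: Label, session_label: Label) -> bool:
    """A session label may not exceed the clearance and access approvals held."""
    return clearance.dominates(session_label)


class ProcessingSession:
    """A user's session with its system-maintained classification, c.(3)."""

    def __init__(self, clearance: Label, session_label: Label) -> None:
        if not session_permitted(clearance, session_label):
            raise PermissionError("session label exceeds the user's authorizations")
        self.label = session_label

    def may_read(self, obj: Label) -> bool:
        # No read up: the object is not classified higher than the session, and
        # (b.(3)) its compartments are consistent with the session log-on.
        return self.label.dominates(obj)

    def may_write(self, obj: Label) -> bool:
        # As c.(3) words it: the written object's level is equal to or lower
        # than the session's, and all non-hierarchical categories are the same.
        return (LEVELS[obj.level] <= LEVELS[self.label.level]
                and obj.categories == self.label.categories)


def mark_hard_copy(pages: List[str], label: Label) -> List[str]:
    """b.(5): system-generated banner at the top and bottom of every page."""
    line = label.banner()
    return [f"{line}\n{body}\n{line}" for body in pages]
```

Keeping `Label` frozen makes the label an immutable part of the data it travels with, which is what b.(1)(a) asks for; an export routine (b.(1)(b)) would serialize `banner()` alongside the object rather than recomputing it at the receiving end.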
Hardware and software features shall be provided that can be used to periodically validate the correct operation of the elements of the security enforcement mechanisms.

      (5) Independent Validation and Verification. An Independent Validation and Verification team shall assist in the technical evaluation testing of a classified AIS and shall perform validation and verification testing of the system as required by the Customer.

      (6) Security Label Integrity. The methodology shall ensure the following:

         (a) Integrity of the security labels;

         (b) The association of a security label with the transmitted data; and

         (c) Enforcement of the control features of the security labels.

      (7) Detailed Design of security enforcement mechanisms. An informal description of the security policy model enforced by the system shall be available.

8-204. Multilevel Security Mode. NOTE: Multilevel Security Mode is not routinely authorized for SCI or SAP applications. Exceptions for SCI may be made by the heads of CIA, DIA, or NSA on a case-by-case basis. Exceptions for SAP may be made by the Customer.

   a. An AIS is operating in the multilevel mode when all of the following statements are satisfied concerning the users with direct or indirect access to the AIS, its peripherals, remote terminals, or remote hosts:

      (1) Some users do not have a valid personnel clearance for all of the information processed in the AIS. (Users must possess a valid CONFIDENTIAL, SECRET, or TOP SECRET clearance.)

      (2) All users have the proper clearance and have the appropriate access approval (i.e., signed nondisclosure agreements) for that information to which they are intended to have access.

      (3) All have a valid need-to-know for that information to which they are intended to have access.

   b. Security Features for Multilevel Mode. In addition to all security features and security assurances required for the compartmented mode of operation, classified AIS operating in the multilevel mode of operation shall also include:

      (1) Audit. Contain a mechanism that is able to monitor the occurrence or accumulation of security auditable events that may indicate an imminent violation of security policy. This mechanism shall be able to immediately notify the security administrator when thresholds are exceeded and, if the occurrence or accumulation of these security relevant events continues, the system shall take the least disruptive action to terminate the event.

      (2) Trusted Path. Support a trusted communication path between the AIS and users for use when a positive AIS-to-user connection is required (i.e., log-on, change subject security level). Communications via this trusted path shall be activated exclusively by a user or the AIS and shall be logically isolated and unmistakably distinguishable from other paths. For Restricted Data, this requirement is only applicable to multilevel AIS that have at least one uncleared user on the AIS.

      (3) Support separate operator and administrator functions. The functions performed in the role of a security administrator shall be identified. The AIS system administrative personnel shall only be able to perform security administrator functions after taking a distinct auditable action to assume the security administrative role on the AIS system. Non-security functions that can be performed in the security administrative role shall be limited strictly to those essential to performing the security role effectively.

      (4) Security Isolation. The AIS security enforcement mechanisms shall maintain a domain for its own execution that protects it from external interference and tampering (e.g., by reading or modification of its code and data structures). The protection of the security enforcement mechanisms shall provide isolation and noncircumvention of isolation functions. For Restricted Data, this requirement is only applicable to multilevel AIS that have at least one uncleared user on the AIS.

      (5) Protection of Authenticator. Authenticators shall be protected at the same level as the information they access.

8-2-5
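The accumulation monitor described in 8-204 b.(1), notifying the security administrator when a threshold is exceeded and taking the least disruptive terminating action if the events continue, as an added example that is not part of the Supplement. The audit line format, the set of security-relevant events, the thresholds, the five-minute window and the sample audit trail are all constructed for the demonstration.

```python
"""Threshold monitor over an audit trail: added example for 8-204 b.(1),
not part of the Supplement. Line format, event names, thresholds and the
window length are assumptions; the sample trail is constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample audit trail: "<ISO time> <user ID> <terminal ID> <event>".
SAMPLE_AUDIT = """\
2024-03-01T09:00:01 alice T1 LOGON
2024-03-01T09:00:30 bob T2 LOGON_FAIL
2024-03-01T09:00:35 bob T2 LOGON_FAIL
2024-03-01T09:00:40 bob T2 LOGON_FAIL
2024-03-01T09:00:45 bob T2 ACCESS_DENIED
2024-03-01T09:00:50 bob T2 ACCESS_DENIED
2024-03-01T09:00:55 bob T2 ACCESS_DENIED
2024-03-01T09:01:00 alice T1 FILE_OPEN
2024-03-01T09:01:05 bob T2 LABEL_CHANGE_DENIED
"""

# Events that "may indicate an imminent violation of security policy" (assumed set).
SECURITY_RELEVANT = {"LOGON_FAIL", "ACCESS_DENIED", "LABEL_CHANGE_DENIED"}
NOTIFY_THRESHOLD = 3     # notify the security administrator
TERMINATE_THRESHOLD = 6  # least disruptive action: end that user's session only
WINDOW = timedelta(minutes=5)


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    ts, user, terminal, event = line.split()
    return datetime.fromisoformat(ts), user, terminal, event


class AccumulationMonitor:
    def __init__(self) -> None:
        # Per user ID, the timestamps of security-relevant events inside WINDOW.
        self.recent: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.notified: set = set()
        self.actions: List[Tuple[datetime, str, str]] = []

    def observe(self, ts: datetime, user: str, terminal: str, event: str) -> Optional[str]:
        if event not in SECURITY_RELEVANT:
            return None
        q = self.recent[user]
        q.append(ts)
        while q and ts - q[0] > WINDOW:   # forget events older than the window
            q.popleft()
        if len(q) >= TERMINATE_THRESHOLD:
            self.actions.append((ts, user, "TERMINATE_SESSION"))
            q.clear()                      # accumulation restarts after the action
            self.notified.discard(user)
            return "TERMINATE_SESSION"
        if len(q) >= NOTIFY_THRESHOLD and user not in self.notified:
            self.notified.add(user)        # notify once per accumulation
            self.actions.append((ts, user, "NOTIFY_SECURITY_ADMIN"))
            return "NOTIFY_SECURITY_ADMIN"
        return None


def run_monitor(audit_text: str) -> List[Tuple[datetime, str, str]]:
    """Feed an audit trail through the monitor and return the actions taken."""
    mon = AccumulationMonitor()
    for line in audit_text.splitlines():
        if line.strip():
            mon.observe(*parse_line(line))
    return mon.actions
```

Terminating only the offending user's session, rather than halting the AIS, is the "least disruptive action" reading of the paragraph; in a real system the notification and the termination would themselves be written to the audit trail, which b.(1) of 8-203 already requires for label changes.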
   c. Security Assurances for Multilevel Mode.

      (1) Flaw Tracking and Remediation. The Provider shall ensure the vendor provides evidence that all discovered flaws have been tracked and remedied.

      (2) Life-Cycle Assurance. The development of the Classified AIS hardware, firmware, and software shall be under life-cycle control and management (i.e., control of the Classified AIS from the earliest design stage through decommissioning).

      (3) Separation of Functions. The functions of the AIS ISSR and the Classified AIS manager shall not be performed by the same person.

      (4) Device Labels. The methodology shall ensure that the originating and destination device labels are a part of each message header and enforce the control features of the data flow between originator and destination.

      (5) Security Penetration Testing. In addition to testing the performance of the classified AIS for certification and for ongoing testing, there shall be testing to attempt to penetrate the security countermeasures of the system. The test procedures shall be documented in the test plan for certification and for ongoing testing.

      (6) Trusted Recovery. Provide procedures and/or mechanisms to assure that, after an AIS system failure or other discontinuity, recovery without a protection compromise is obtained.

      (7) Covert Channels. A covert channel analysis shall be performed.

8-2-6
Section 3. System Access and Operation

8-300. System Access. Access to the system will be limited to authorized personnel. Assignment of AIS access and privileges will be coordinated with the ISSR. Authentication techniques must be used to provide control for information on the system. Examples of authentication techniques include, but are not limited to: passwords, tokens, biometrics, and smart cards. User authentication techniques and procedures will be described in the AISSP.

a. User IDs. User IDs identify users in the system and are used in conjunction with other authentication techniques to gain access to the system. User IDs will be disabled whenever a user no longer has a need-to-know. The user ID will be deleted from the system only after review of programs and data associated with the ID. Disabled accounts will be removed from the system as soon as practical. Whenever possible, access attempts will be limited to five tries. Users who fail to access the system within the established limits will be denied access until the user ID is reactivated.

b. Access Authentication.

(1) Password. When used, system log-on passwords will be randomly selected and will be at least six characters in length. The system log-on password generation routine must be approved by the Customer.

(2) Validation. Authenticators must be validated by the system each time the user accesses the AIS.

(3) Display. System log-on passwords must not be displayed on any terminal or contained in the audit trail. When the AIS cannot prevent a password from being displayed (e.g., in a half-duplex connection), an overprint mask shall be printed before the password is entered to conceal the typed password.

(4) Sharing. Individual user authenticators (e.g., passwords) will not be shared by any user.

(5) Password Life. Passwords must be changed at least every six months.

(6) Compromise. Immediately following a suspected or known compromise of a password or Personal Identification Number (PIN) the ISSR will be notified and a new password or PIN issued.

(7) Group Log-on Passwords. Use of group log-on passwords must be justified and approved by the Customer. After log-on, group passwords may be used for file access.

c. Protection of Authenticators. Master data files containing the user population system log-on authenticators will be encrypted when practical. Access to the files will be limited to the ISSR and designated alternate(s), who will be identified in writing.

d. Modems. Modems require Customer approval prior to connection to an AIS located in a Customer SAPF.

e. User Warning Notice. The Customer may require log-on warning banners be installed.

8-301. System Operation.

a. Processing initialization is the act of changing the AIS from unclassified to classified, from one classified processing level to another, or from one compartment to another or from one Customer to another. To begin processing classified information on an approved AIS the following procedures must be implemented:

(1) Verify that prior mode termination was properly performed.

(2) Adjust the area security controls to the level of information to be processed.

(3) Configure the AIS as described in the approved AISSP. The use of logical disconnects requires Customer approval.

(4) Initialize the system for processing at the approved level of operation with a dedicated copy of the operating system. This copy of the operating system must be labeled and controlled commensurate with the security classification and access levels of the information to be processed during the period.

b. Unattended Processing. Unattended processing will have open storage approval and concurrence from the Customer. Prior to unattended processing,
all remote input and/or output (I/O) not in approved open storage areas will be physically or electrically disconnected from the host CPU. The disconnect will be made in an area approved for the open storage. Exceptions are on a case-by-case basis and will require Customer approval.

c. Processing Termination. Processing termination of any AIS will be accomplished according to the following requirements.

(1) Peripheral Device Clearing. Power down all connected peripheral devices to sanitize all volatile buffer memories. Overwriting of these buffer areas will be considered by the Customer on a case-by-case basis.

(2) Removable Storage Media. Remove and properly store removable storage media.

(3) Non-removable (Fixed) Storage Media. Disconnect (physically or electrically) all storage devices with nonremovable storage media not designated for use during the next processing period.

(4) CPU Memory. Clear or sanitize as appropriate all internal memory including buffer storage and other reusable storage devices (which are not disabled, disconnected, or removed) in accordance with 8-501, Table 2.

(5) Laser Printers. Unless laser printers operating in SAPFs will operate at the same classification level with the same access approval levels during the subsequent processing period, they will be cleared by running three pages of unclassified randomly generated text. For SCI, five pages of unclassified pages will be run to clear the printer. These pages will not include any blank spaces or solid black areas. Otherwise, no pages need be run through the printer at mode termination.

(6) Thermal Printers. Thermal printers have a thermal film on a spool and take-up reel. Areas in which these types of laser printers are located will be either approved for open storage, or the spools and take-up reels will be removed and placed in secure storage. The printer must be sanitized prior to use at a different classification level.

(7) Impact-type Printers. Impact-type printers (e.g., dot-matrix) in areas not approved for open storage will be secured as follows: Remove and secure all printer ribbons or dispose of them as classified trash. Inspect all printer platens. If any indication of printing is detected on the platen, then the platen will be either cleaned to remove such printing or removed and secured in an approved classified container.

(8) Adjust area security controls.

8-302. Collocation of Classified and Unclassified AIS.

a. Customer permission is required before a Provider may collocate unclassified AIS and classified AIS. This applies when:

(1) The unclassified information is to be processed on an AIS located in a SAPF, or

(2) The unclassified information is resident in a database located outside of a SAPF but accessed from terminals located within the SAPF.

b. AIS approved for processing unclassified information will be clearly marked for UNCLASSIFIED USE ONLY when located within a SAPF. In addition the following requirements apply:

(1) Must be physically separated from any classified AIS.

(2) Cannot be connected to the classified AIS.

(3) Users shall be provided a special awareness briefing.

(4) ISSR must document the procedures to ensure the protection of classified information.

(5) All unmarked media is assumed to be classified until reviewed and verified.

c. Unclassified portable AIS devices are prohibited in a SAPF unless Customer policy specifically permits their use. If permitted, the following procedures must be understood and followed by the owner and user:

(1) Connection of unclassified portable AIS to classified AIS is prohibited.

(2) Connection to other unclassified AISs may be allowed provided Customer approval is obtained.

(3) Use of an internal or external modem with the AIS device is prohibited within the SAPF.

(4) The Provider will incorporate these procedures in the owner's initial and annual security briefing.

(5) Procedures for monitoring portable AIS devices within the SAPF shall be outlined in either the AISSP or the Facility Security Plan. These devices and the data contained therein are subject to security inspection by the ISSR and the Customer. Procedures will include provisions for random reviews of such devices to ensure that no classified program-specific or program-sensitive data is allowed to leave the secure area. Use of such a device to store or process classified information may, at the discretion of the Customer, result in confiscation of the device. All persons using such devices within the secure area will be advised of this policy during security awareness briefings.

(6) Additionally, where Customer policy permits, personally owned portable AIS devices may be used for unclassified processing only and must follow the previous guidelines.

8-303. System Auditing.

a. Audit Trails. Audit trails provide a chronological record of AIS usage and system support activities related to classified or sensitive processing. In addition to the audit trails normally required for the operation of a stand-alone AIS, audit trails of network activities will also be maintained. Audit trails will provide records of significant events occurring in the AIS in sufficient detail to facilitate reconstruction, review, and examination of events involving possible compromise. Audit trails will be protected from unauthorized access, modification, and deletion. Audit trail requirements are described under mode of operation.

b. Additional Records and Logs. The following additional records or logs will be maintained by the Provider regardless of the mode of operation. These will include:

(1) Maintenance and repair of AIS hardware, including installation or removal of equipment, devices, or components.

(2) Transaction receipts, such as equipment sanitization, release records, etc.

(3) Significant AIS changes (e.g., disconnecting or connecting remote terminals or devices, AIS upgrading or downgrading actions, and applying seals to or removing them from equipment or device covers).

c. Audit Reviews. The audit trails, records, and logs created during the above activities will be reviewed and annotated by the ISSR (or designee) to be sure that all pertinent activity is properly recorded and appropriate action has been taken to correct anomalies. The Customer will be notified of all anomalies that have a direct impact on the security posture of the system. The review will be conducted at least weekly.

d. Record Retention. The Provider will retain the most current 6 to 12 months (Customer Option) of records derived from audits at all times. The Customer may approve the periodic use of data reduction techniques to record security exception conditions as a means of reducing the volume of audit data retained. Such reduction will not result in the loss of any significant audit trail data.

Section 4. Networks

8-400. Networks. This section addresses network-specific requirements that are in addition to the previously stated AIS requirements. Network operations must preserve the security requirements associated with the AIS's mode of operation.

a. Types of Networks.

(1) A unified network is a collection of AIS's or network systems that are accredited as a single entity by a single CSA. A unified network may be as simple as a small LAN operating in dedicated mode, following a single security policy, accredited as a single entity, and administered by a single ISSR. The perimeter of such a network encompasses all its hardware, software, and attached devices. Its boundary extends to all its users. A unified network has a single mode of operation. This mode of operation will be mapped to the level of trust required and will address the risk of the least trusted user obtaining the most sensitive information processed or stored on the network.

(2) An interconnected network is comprised of separately accredited AISs and/or unified networks. Each self-contained AIS maintains its own intra-AIS services and controls, protects its own resources, and retains its individual accreditation. Each participating AIS or unified network has its own ISSR. The interconnected network must have a security support structure capable of adjudicating the different security policy (implementations) of the participating AISs or unified networks. An interconnected network requires accreditation, which may be as simple as an addendum to a Memorandum of Agreement (MOA) between the accrediting authorities.

b. Methods of Interconnection.

(1) Security Support Structure (SSS) is the hardware, software, and firmware required to adjudicate security policy and implementation differences between and among connecting unified networks and/or AISs. The SSS must be accredited. The following requirements must be satisfied as part of the SSS accreditation:

(a) Document the security policy enforced by the SSS.

(b) Identify a single mode of operation.

(c) Document the network security architecture and design.

(d) Document minimum contents of MOA's required for connection to the SSS.

(2) The interconnection of previously accredited systems into an accredited network may require a reexamination of the security features and assurances of the contributing systems to ensure their accreditations remain valid.

(a) Once an interconnected network is defined and accredited, additional networks or separate AISs (separately accredited) may only be connected through the accredited SSS.

(b) The addition of components to contributing unified networks which are members of an accredited interconnected network are allowed provided these additions do not change the accreditation of the contributing system.

c. Network Security Management. The Provider will designate an ISSR for each Provider network. The ISSR may designate a Network Security Manager (NSM) to oversee the security of the Provider's network(s), or may assume that responsibility. The ISSR is responsible for coordinating the establishment and maintenance of a formal network security program based on an understanding of the overall security-relevant policies, objectives, and requirements of the Customer. The NSM is responsible for ensuring day-to-day compliance with the network security requirements as described in the AISSP (as covered below) and this Supplement.

d. Network Security Coordination. When different accrediting authorities are involved, a Memorandum of Agreement is required to define the cognizant authority and the security arrangements that will govern the operation of the overall network. When
two or more ISSRs are designated for a network, a lead ISSR will be named by the Provider(s) to ensure a comprehensive approach to enforce the Customer's overall security policy.

e. Network Security. The AISSP must address:

(1) A description of the network services and mechanisms that implement the network security policy.

(2) Consistent implementation of security features across the network components.

(a) Identification and Authentication Forwarding. Reliable forwarding of the identification shall be used between AISs when users are connecting through a network. When identification forwarding cannot be verified, a request for access from a remote AIS shall require authentication before permitting access to the system.

(b) Protection of Authenticator Data. In forwarding the authenticator information and any tables (e.g., password tables) associated with it, the data shall be protected from access by unauthorized users (e.g., encryption), and its integrity shall be ensured.

(c) Description of the network and any external connections.

(d) The network security policy including mode of operation, information sensitivities, and user clearances.

(e) Must address the internode transfer of information (e.g., sensitivity level, compartmentation, and any special access requirements), and how the information is protected.

(f) Communications protocols and their security features.

(g) Audit Trails and Monitoring.

1. If required by the mode of operation, the network shall be able to create, maintain, and protect from modification or unauthorized access or destruction an audit trail of successful and unsuccessful accesses to the AIS network components within the perimeter of the accredited network. The audit data shall be protected so that access is limited to the ISSR or his/her designee.

2. For Restricted Data, methods of continuous on-line monitoring of network activities may be included in each network operating in the Compartmented Security Mode or higher. This monitoring may also include realtime notification to the ISSR of any system anomalies.

3. For Restricted Data networks operating in the Compartmented Mode or higher, the Customer may require the audit trail to include the changing of the configuration of the network (e.g., a component leaving the network or rejoining).

4. The audit trail records will allow association of the network activities with corresponding user audit trails and records.

5. Provisions shall be made and the procedures documented to control the loss of audit data due to unavailability of resources.

6. For Restricted Data, the Customer may require alarm features that automatically terminate the data flow in case of a malfunction and then promptly notify the ISSR of the anomalous conditions.

(h) Secure Message Traffic. The communications methodology for the network shall ensure the detection of errors in traffic across the network links.

f. Transmission Security. Protected Distribution Systems or National Security Agency approved encryption methodologies shall be used to protect classified information on communication lines that leave the SAPF. Protected distribution systems shall be either constructed in accordance with the national standards or utilize National Security Agency approved protected distribution systems.

g. Records. The Customer may require records be maintained of electronic transfers of data between automated information systems when those systems are not components of the same unified network. Such records may include the identity of the sender, identity and location of the receiver, date/time of the transfer, and description of the data sent. Records are retained according to 8-303.d.

Section 5. Software and Data Files

8-500. Software and Data Files.

a. Acquisition and Evaluation. ISSR approval will be obtained before software or data files may be brought into the SAPF. All software must be acquired from reputable and/or authorized sources as determined by the ISSR. The Provider will check all newly-acquired software or data files, using the most current available version of virus checking software and procedures identified in the AISSP, to improve assurance that the software or data files are free from malicious code.

b. Protection. Media that may be written to (e.g., magnetic media) must be safeguarded commensurate with the level of accreditation of the dedicated or system high AIS. Media on compartmented or multilevel AISs will be protected commensurate with the level of the operating session. If a physical write-protect mechanism is utilized, media may be introduced to the AIS and subsequently removed without changing the original classification. The integrity of the write-protection mechanism must be verified at a minimum of once per day by attempting to write to the media. Media which cannot be changed (e.g., CD read-only media) may be loaded onto the classified system without labeling or classifying it provided it is immediately removed from the secure area. If this media is to be retained in the secure area, it must be labeled, controlled, and stored as unclassified media as required by the Customer.

(1) System Software. Provider personnel who are responsible for implementing modifications to system or security-related software or data files on classified AISs inside the SAPF will be appropriately cleared. Software that contains security related functions (e.g., sanitization, access control, auditing) will be validated to confirm that security-related features are fully functional, protected from modification, and effective.

(2) Application Software. Application software or data files (e.g., general business software), that will be used by a Provider during classified processing, may be developed/modified by personnel outside the security area without the requisite security clearance with the concurrence of the Customer.

(3) Releasing Software. Software that has not been used on an AIS processing classified information may be returned to a vendor. If media containing software (e.g., applications) are used on a classified system and found to be defective, such media may not be removed from a SAPF for return to a vendor. When possible, software will be tested prior to its introduction into the secure facility.

c. Targetability. For SCI and SAP the software, whether obtained from sources outside the facility or developed by Provider personnel, must be safeguarded to protect its integrity from the time of acquisition or development through its life cycle at the Provider's facility (i.e., design, development, operational, and maintenance phases). Uncleared personnel will not have any knowledge that the software or data files will be used in a classified area, although this may not be possible in all cases. Before software or data files that are developed or modified by uncleared personnel can be used in a classified processing period, it must be reviewed by appropriately cleared and knowledgeable personnel to ensure that no security vulnerabilities or malicious code exists. Configuration management must be in place to ensure that the integrity of the software or data files is maintained.

d. Maintenance Software. Software used for maintenance or diagnostics will be maintained within the secure computing facility and, even though unclassified, will be separately controlled. The AISSP will detail the procedures to be used.

e. Remote Diagnostics. Customer approval will be obtained prior to using vendor-supplied remote diagnostic links for on-line use of diagnostic software. The AISSP will detail the procedures to be used.

8-501. Data Storage Media. Data storage media will be controlled and labeled at the appropriate classification level and access controls of the AIS unless write-protected in accordance with 8-500.b. Open storage approval will be required for non-removable media.

a. Labeling Media. All data storage media will be labeled in human-readable form to indicate its classification level, access controls (if applicable), and other identifying information. Data storage media that is to be used solely for unclassified processing
and collocated with classified media will be marked as UNCLASSIFIED. Color coding (i.e., media, labels) is recommended. If required by the Customer, all removable media will be labeled with a classification label immediately after removing it from its factory-sealed container.

b. Reclassification. When the classification of the media increases to a higher level, replace the classification label with a higher classification-level label. The label will reflect the highest classification level, and access controls (if applicable) of any information ever stored or processed on the AIS unless the media is write-protected by a Customer-approved mechanism. Media may never be downgraded in classification without the Customer's written approval.

c. Copying Unclassified Information from a Classified AIS.

(1) The unclassified data will be written to factory-fresh or verified unclassified media using approved copying routines and/or utilities and/or procedures as stated in the AISSP. For SCI and SAP, media to be released will be verified by reviewing all data on the media including embedded text (e.g., headers and footers). Data on media that is not in human readable form (e.g., imbedded graphs, sound, video) will be examined for content with the appropriate software applications. Data that cannot be reasonably observed in its entirety will be inspected by reviewing random samples of the data on the media.

(2) Moving Classified Data Storage Media Between Approved Areas. The ISSR will establish procedures to ensure that data will be written to factory-fresh or sanitized media. The media will be reviewed to ensure that only the data intended was actually written and that it is appropriately classified and labeled. Alternatives for special circumstances may be approved by the Customer. All procedures will be documented in the AISSP.

d. Overwriting, Degaussing, Sanitizing, and Destroying Media. Cleared and sanitized media may be reused within the same classification level (i.e., TS-TS) or to a higher level (i.e., SECRET-TS). Sanitized media may be downgraded or declassified with the Customer's approval. Only approved equipment and software may be used to overwrite and degauss magnetic media containing classified information. Each action or procedure taken to overwrite or degauss such media will be verified. Magnetic storage media that malfunctions or contains features that inhibit overwriting or degaussing will be reported to the ISSR, who will coordinate repair or destruction with the Customer. (See Table 1.)

Caution: Overwriting, degaussing, and sanitizing are not synonymous with declassification. Declassification is a separate administrative function. Procedures for declassifying media require Customer approval.

(1) Overwriting Media. Overwriting is a software procedure that replaces the data previously stored on magnetic storage media with a predefined set of meaningless data. Overwriting is an acceptable method for clearing. Only approved overwriting software that is compatible with the specific hardware intended for overwriting will be used. Use of such software will be coordinated in advance with the Customer. The success of the overwrite procedure will be verified through random sampling of the overwritten media. The effectiveness of the overwrite procedure may be reduced by several factors: ineffectiveness of the overwrite procedures, equipment failure (e.g., misalignment of read/write heads), or inability to overwrite bad sectors or tracks or information in inter-record gaps. To clear magnetic disks, overwrite all locations three (3) times (first time with a character, second time with its complement, and the third time with a random character). Items which have been cleared must remain at the previous level of classification and remain in a secure, controlled environment.

(2) Degaussing Media. Degaussing (i.e., demagnetizing) is a procedure that reduces the magnetic flux to virtual zero by applying a reverse magnetizing field. Properly applied, degaussing renders any previously stored data on magnetic media unreadable and may be used in the sanitization process. Degaussing is more reliable than overwriting magnetic media. Magnetic media are divided into three types. Type I degaussers are used to degauss Type I magnetic media (i.e., media whose coercivity is no greater than 350 Oersteds (Oe)). Type II degaussers are used to degauss Type II magnetic media (i.e., media whose coercivity is no greater than 750 Oe). Currently there are no degaussers that can effectively degauss all
Type III magnetic media (i.e., media whose coercivity is over 750 Oe). Some degaussers are rated above 750 Oersteds and their specific approved rating will be determined prior to use. Coercivity of magnetic media defines the magnetic field necessary to reduce a magnetically-saturated material's magnetization to zero. The correct use of degaussing products improves assurance that classified data is no longer retrievable and that inadvertent disclosure will not occur. Refer to the current issue of NSA's Information Systems Security Products and Services Catalogue (Degausser Products List Section) for the identification of degaussers acceptable for the procedures specified herein. These products will be periodically tested to ensure continued compliance with the specification NSA CSS Media Declassification and Destruction Manual NSA 130-2.

(3) Sanitizing Media. Sanitization removes information from media such that data recovery using any known technique or analysis is prevented. Sanitizing is a two-step process that includes removing data from the media in accordance with Table 1 and removing all classified labels, markings, and activity logs.

(4) Destroying Media. Data storage media will be destroyed in accordance with Customer-approved methods.

(5) Releasing Media. Releasing sensitive or classified Customer data storage media is a three-step process. First, the Provider will sanitize the media and verify the sanitization in accordance with procedures in this chapter. Second, the media will be administratively downgraded or declassified either by the CSA or the ISSR, if such authority has been granted to the ISSR. Third, the sanitization process, downgrading or declassification, and the approval to release the media will be documented.

Table 1
Clearing and Sanitization Data Storage

Type Media                          Clear           Sanitize

(a) Magnetic Tape
    Type I                          a or b          a, b, or destroy
    Type II                         a or b          b or destroy
    Type III                        a or b          Destroy

(b) Magnetic Disk Packs
    Type I                                          a, b, or c
    Type II                                         b or c
    Type III                                        Destroy

(c) Magnetic Disk Packs
    Floppies                        a, b, or c      Destroy
    Bernoulli's                     a, b, or c      Destroy
    Removable Hard Disks            a, b, or c      a, b, c, or destroy
    Non-Removable Hard Disks        c               a, b, c, or destroy

(d) Optical Disk
    Read Only                                       Destroy
    Write Once, Read Many (WORM)                    Destroy
    Read Many, Write Many                           Destroy

These procedures will be performed by or as directed by the ISSR.

a. Degauss with a Type I degausser

b. Degauss with a Type II degausser

c. Overwrite all locations with a character, its complement, then with a random character. Verify that all sectors have
been overwritten and that no new bad sectors have occurred. If new bad sectors have occurred during classified pro-
cessing, this disk must be sanitized by method a or b described above. Use of the overwrite for sanitization must be
approved by the Customer.

Note: For hand-held devices (e.g., calculators or personal directories), sanitization is dependent upon the type and
model of the device. If there is any question about the correct sanitization procedure, contact the manufacturer or the
Customer. In general, sanitization is accomplished as follows: Depress the "CLEAR ENTRY" and the "CLEAR
MEMORY" buttons, remove the battery for several hours, and remove all associated magnetic media and retain it in
the SAPF or destroy. In some models there are special-purpose memories and key-numbered memories, as well as
"register stacks." Caution will be taken to clear all such memories and registers. This may take several key-strokes
and may require the use of the operator's manual. Test the hand held device to ensure that all data has been removed.
If there is any question, the device will remain in the SAPF or be destroyed.
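The clearing overwrite of 8-501.d(1) and Table 1 footnote c (a character, its complement, then a random character, each pass verified, and a disk with new bad sectors handed off to degaussing) as an added illustration; this is not software from the manual, and the Media class, SECTOR_SIZE and the sample disks are constructed models, not a real device interface.

```python
"""
Three-pass clearing overwrite with verification, following 8-501.d(1) and
Table 1 footnote c.  Added illustration, not software from the manual: the
Media class is a constructed model of a disk (a list of fixed-size sectors
plus a set of unwritable ones), not a driver for real hardware.
"""
import random
from dataclasses import dataclass, field

SECTOR_SIZE = 16  # constructed: tiny sectors keep the simulation readable


@dataclass
class Media:
    """Constructed disk model.  Access to a bad sector raises OSError,
    as a failing drive would report an I/O error."""
    sectors: list
    bad: set = field(default_factory=set)

    def write(self, index, data):
        if index in self.bad:
            raise OSError(f"sector {index} is unwritable")
        if len(data) != SECTOR_SIZE:
            raise ValueError("a write must cover exactly one sector")
        self.sectors[index] = bytes(data)

    def read(self, index):
        if index in self.bad:
            raise OSError(f"sector {index} is unreadable")
        return self.sectors[index]


def make_media(count, payload, bad=()):
    """Constructed sample: `count` sectors all holding `payload` (padded),
    with the given sector numbers marked bad."""
    block = payload.ljust(SECTOR_SIZE, b"\0")[:SECTOR_SIZE]
    return Media(sectors=[block] * count, bad=set(bad))


def overwrite_pass(media, pattern):
    """Write one byte value to every location; return the sectors that failed."""
    failed = set()
    fill = bytes([pattern]) * SECTOR_SIZE
    for i in range(len(media.sectors)):
        try:
            media.write(i, fill)
        except OSError:
            failed.add(i)
    return failed


def verify_pass(media, pattern, sample=None, rng=random):
    """Read sectors back and confirm each holds `pattern`.  sample=None checks
    every sector (footnote c); an integer checks that many sectors chosen at
    random (the random-sampling verification of 8-501.d(1))."""
    indexes = list(range(len(media.sectors)))
    if sample is not None:
        indexes = rng.sample(indexes, min(sample, len(indexes)))
    expected = bytes([pattern]) * SECTOR_SIZE
    failed = set()
    for i in indexes:
        try:
            if media.read(i) != expected:
                failed.add(i)
        except OSError:
            failed.add(i)
    return failed


def clear_by_overwrite(media, known_bad, char=0x55, rng=None):
    """Three passes: a character, its complement, then a random character,
    each verified before the next.  `known_bad` is the bad-sector list recorded
    before classified processing; any other failing sector is a *new* bad
    sector, and per footnote c the disk must then be sanitized by degaussing
    (method a or b) instead of being cleared by overwrite."""
    rng = rng or random.SystemRandom()
    patterns = [char & 0xFF, (char ^ 0xFF) & 0xFF, rng.randrange(256)]
    failed = set()
    for p in patterns:
        failed |= overwrite_pass(media, p)
        failed |= verify_pass(media, p)
    new_bad = failed - set(known_bad)
    return {
        "cleared": not failed,
        "patterns": patterns,
        "failed_sectors": sorted(failed),
        "new_bad_sectors": sorted(new_bad),
        "requires_degauss": bool(new_bad),
        # Clearing never changes the label: the media keeps its previous
        # classification and stays in the controlled area (8-501.d(1)).
        "classification_changed": False,
    }


if __name__ == "__main__":
    print(clear_by_overwrite(make_media(8, b"SECRET payload"), known_bad=[]))
    flaky = make_media(8, b"SECRET payload", bad={3, 5})
    print(clear_by_overwrite(flaky, known_bad=[3]))
```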

Table 2
Sanitizing AIS Components

TYPE                                          PROCEDURE

Magnetic Bubble Memory                        a, b, or c
Magnetic Core Memory                          a, b, or d
Magnetic Plated Wire                          d or e
Magnetic-Resistive Memory                     Destroy

Solid State Memory Components
Random Access Memory (RAM) (Volatile)         f, then j
Nonvolatile RAM (NOVRAM)                      l
Read Only Memory (ROM)                        Destroy (see k)
Programmable ROM (PROM)                       Destroy (see k)
Erasable Programmable ROM (EPROM)             g, then d and j
Electronically Alterable PROM (EAPROM)        h, then d and j
Electronically Erasable PROM (EEPROM)         i, then d and j
Flash EPROM (FEPROM)                          i, then d and j

These procedures will be performed by or as directed by the ISSR.

a. Degauss with a Type I degausser.
b. Degauss with a Type II degausser.
c. Overwrite all locations with any character.
d. Overwrite all locations with a character, its complement, then with a random character.
e. Each overwrite will reside in memory for a period longer than the classified data resided.
f. Remove all power, including batteries and capacitor power supplies, from RAM circuit board.
g. Perform an ultraviolet erase according to manufacturer's recommendation, but increase time requirements by a factor of 3.
h. Pulse all gates.
i. Perform a full chip erase. (See Manufacturer's data sheet.)
j. Check with Customer to see if additional procedures are required.
k. Destruction required only if ROM contained a classified algorithm or classified data.
l. Some NOVRAM are backed up by a battery or capacitor power source; removal of this source is sufficient for release following item f procedures. Other NOVRAM are backed up by EEPROM which requires application of the procedures for EEPROM (i.e., i, then d and j).

Section 6. AIS Acquisition, Maintenance, and Release

8-600. AIS Acquisition, Maintenance, and Release.

a. Acquisition. AISs and AIS components that will process classified information will be protected during the procurement process from direct association with the Customer's program. When required by the Customer, protective packaging methods and procedures will be used while such equipment is in transit to protect against disclosure of classified relationships that may exist between the Customer and the Provider.

b. Maintenance Policy. The Provider will discuss maintenance requirements with the vendor before signing a maintenance contract. The Customer may require that AISs and AIS components used for processing Customer information will be protected during maintenance from direct association with the Customer's program.

(1) Cleared maintenance personnel are those who have a valid security clearance and access approvals commensurate with the information being processed. Complete sanitization of the AIS is not required during maintenance by cleared personnel, but need-to-know will be enforced. However, an appropriately cleared Provider individual will be present within the SAPF while a vendor performs maintenance to ensure that proper security procedures are being followed. Maintenance personnel without the proper access authorization and security clearance will always be accompanied by an individual with proper security clearance and access authorization and never left alone in a SAPF. The escort shall be approved by the ISSR and be technically knowledgeable of the AIS to be repaired.

(2) Prior to maintenance by a person requiring escort, either the device under maintenance shall be physically disconnected from the classified AIS (and sanitized before and after maintenance) or the entire AIS shall be sanitized before and after maintenance. When a system failure prevents clearing of the system prior to maintenance by escorted maintenance personnel, Customer-approved procedures will be enforced to deny the escorted maintenance personnel visual and electronic access to any classified data that may be contained on the system.

(3) All maintenance and diagnostics should be performed in the Provider's secure facility. Any AIS component or equipment released from secure control for any reason may not be returned to the SAPF without the approval of the ISSR. The Customer may require that a permanent set of procedures be in place for the release and return of components. These procedures will be incorporated into the AISSP.

c. Maintenance Materials and Methods.

(1) Unclassified Copy of Operating System. A separate, unclassified, dedicated for maintenance copy of the operating system (i.e., a specific copy other than the copy(s) used in processing Customer information), including any microcoded floppy disks or cassettes that are integral to the operating system, will be used whenever maintenance is done by uncleared personnel. This copy will be labeled "UNCLASSIFIED-FOR MAINTENANCE USE ONLY." Procedures for an AIS using a nonremovable storage device on which the operating system is resident will be considered by the Customer on a case-by-case basis.

(2) Vendor-supplied Software and/or Firmware. Vendor-supplied software and/or firmware used for maintenance or diagnostics will be maintained within the secure computing facility and stored and controlled as though classified. If permitted by the Customer, the ISSR may allow, on a case-by-case basis, the release of certain types of costly magnetic media for maintenance such as disk head-alignment packs.

(3) Maintenance Equipment and Components. All tools, diagnostic equipment, and other devices carried by the vendor to the Provider's facility will be controlled as follows:

(a) Tool boxes and materials belonging to a vendor representative will be inspected by the assigned escort before the vendor representative is permitted to enter the secure area.

(b) The ISSR will inspect any maintenance hardware (such as a data scope) and make a best technical assessment that the hardware cannot access classified data. The equipment will not be allowed in the secure area without the approval of the ISSR.

(c) Maintenance personnel may bring kits containing component boards into the secure facility for the purpose of swapping out component boards that may be faulty. Any component board placed into an unsanitized AIS will remain in the security facility until proper release procedures are completed. Any component board that remains in the kit and is not placed in the AIS may be released from the secure facility.

(d) Any communication devices with transmit capability belonging to the vendor representative or any data storage media not required for the maintenance visit will be retained outside the SAPF for return to the vendor representative upon departure from the secure area.

(4) Remote Diagnostic Links. Remote diagnostic links require Customer approval. Permission for the installation and use of remote diagnostic links will be requested in advance and in writing. The detailed procedures for controlling the use of such a link or links will have the written approval of the Customer prior to implementation.

d. Release of Memory Components and Boards. Prior to the release of any component from an area used to process or store Customer information, the following requirements will be met in respect to coordination, documentation, and written approval. This section applies only to components identified by the vendor or other technically knowledgeable individual as having the capability of retaining user addressable data and does not apply to other items (e.g., cabinets, covers, electrical components not associated with data), which may be released without reservation. For the purposes of this document, a memory component is considered to be the Lowest Replaceable Unit (LRU) in a hardware device. Memory components reside on boards, modules, and sub-assemblies. A board can be a module or may consist of several modules and subassemblies. Unlike media sanitization, clearing may be an acceptable method of sanitizing components for release (see 8-501, Table 2). Memory components are specifically handled as either volatile or nonvolatile as described below.

(1) Volatile Memory Components. Memory components that do not retain data after removal of all electrical power sources, and when reinserted into a similarly configured AIS do not contain residual data, are considered volatile memory components. Volatile components may be released only after accomplishing the following steps:

(a) Maintain a record of the equipment release indicating that all component memory is volatile and that no data remains in/on the component when power is removed.

(b) Equipment release procedures shall be developed by the ISSR and stated in the AISSP.

(2) Nonvolatile Memory Components. Memory components that do retain data when all power sources are disconnected are nonvolatile memory components. Nonvolatile memory components defined as read only memory (ROM), programmable ROM (PROM), or erasable PROM (EPROM) that have been programmed at the vendor's commercial manufacturing facility are considered to be unalterable in the field and may be released. Customized components of this nature that have been programmed with a classified algorithm or classified data will be destroyed. All other nonvolatile components may be released after successful completion of the procedures outlined in 8-501, Table 2. Failure to accomplish these procedures will require the ISSR to coordinate with the Customer for a determination of releasability. Nonvolatile components shall be released only after accomplishing the following steps:

(a) Maintain a record of the equipment release indicating the procedure used for sanitizing the component, who performed the sanitization, and who it was released to.

(b) Equipment release procedures must be developed by the ISSR and stated in the AISSP. The record will be retained for 12 months.

(3) Inspecting AIS Equipment. All AIS equipment designated for release will be inspected by the ISSR. This review will ensure that all media including internal disks have been removed.

8-601. Test Equipment. The Provider will determine the capability of individual test instruments to collect and process information. If necessary, the manufacturer will be asked to provide this information. A description of the capabilities of individual test equipment will be provided to the Customer. Security requirements are based on concerns about the capability of the equipment to retain sensitive or classified data. Test equipment with nonvolatile fixed or removable storage media will comply with the requirements of this Supplement and be approved by the Customer for introduction and use in the SAPF. Test equipment with no data retention and no secondary storage does not require Customer approval.

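As an added example that is not part of the Supplement, the following Python simulates Table 2 procedure d (a character, its complement, then a random character) with a read-back check of every location after each pass, and builds the release record that 8-600.d(2) requires for a nonvolatile component; the memory model, the stuck-cell fault, and the record fields are assumptions of this example, not anything the Supplement specifies.

```python
import os
from datetime import date


class SimulatedMemory:
    """Byte-addressable stand-in for a memory component. `stuck` maps an
    address to a value the cell always returns regardless of writes: a
    constructed fault that the read-back check below must catch."""

    def __init__(self, size, stuck=None):
        self.cells = bytearray(os.urandom(size))  # residue to be sanitized
        self.stuck = dict(stuck or {})
        for addr, value in self.stuck.items():
            self.cells[addr] = value

    def write(self, addr, value):
        if addr not in self.stuck:      # a stuck cell ignores the write
            self.cells[addr] = value

    def read(self, addr):
        return self.cells[addr]

    def __len__(self):
        return len(self.cells)


def overwrite_pass(mem, pattern):
    """Write pattern(addr) to every location, then read every location back.
    Returns the addresses whose read-back differs from what was written.
    The read-back runs after the whole pass so that a later write to the
    same address cannot mask a cell that silently failed."""
    expected = [pattern(addr) for addr in range(len(mem))]
    for addr, value in enumerate(expected):
        mem.write(addr, value)
    return [addr for addr, value in enumerate(expected) if mem.read(addr) != value]


def procedure_c(mem, char=0x00):
    """Table 2 procedure c: overwrite all locations with any character."""
    return overwrite_pass(mem, lambda _addr: char)


def procedure_d(mem, char=0x55):
    """Table 2 procedure d: a character, its complement, then a random
    character. This example draws a fresh random byte for each location,
    which still satisfies "a random character" and leaves no single
    pattern on the component. Returns every address that failed any pass."""
    random_bytes = os.urandom(len(mem))
    passes = (
        lambda _addr: char,
        lambda _addr: char ^ 0xFF,
        lambda addr: random_bytes[addr],
    )
    failed = set()
    for pattern in passes:
        failed.update(overwrite_pass(mem, pattern))
    return sorted(failed)


def retain_until(today):
    """8-600.d(2)(b): the release record is retained for 12 months."""
    try:
        return today.replace(year=today.year + 1)
    except ValueError:                  # 29 February has no anniversary
        return today.replace(year=today.year + 1, day=28)


def release_record(component, mem, performed_by, released_to, today):
    """Sanitize a nonvolatile component with procedure d and build the
    8-600.d(2)(a) record: the procedure used, who performed it and who it
    was released to. A component with any failed location is not released;
    the ISSR must instead coordinate with the Customer on releasability."""
    failed = procedure_d(mem)
    return {
        "component": component,
        "procedure": "Table 2 procedure d (3-pass overwrite, read-back verified)",
        "performed_by": performed_by,
        "releasable": not failed,
        "released_to": released_to if not failed else None,
        "failed_locations": failed,
        "retain_until": retain_until(today),
    }


if __name__ == "__main__":
    # Constructed sample run: a healthy 64-byte part and one with a stuck cell.
    good = release_record("EEPROM (constructed)", SimulatedMemory(64),
                          "ISSR (constructed name)", "vendor", date.today())
    bad = release_record("EEPROM (constructed)", SimulatedMemory(64, {17: 0xAA}),
                         "ISSR (constructed name)", "vendor", date.today())
    print(good["releasable"], good["failed_locations"])   # True []
    print(bad["releasable"], bad["failed_locations"])     # False [17]
```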
Section 7. Documentation and Training

8-700. Documentation and Training.

a. Provider Documentation. The Provider will develop, publish, and promulgate a corporate AIS security policy, which will be maintained on file by the ISSR.

b. Security Documentation. The Provider will develop and maintain security-related documentation, which is subject to review by the Customer as follows:

(1) AISSP. Prepare and submit to the Customer for approval an AISSP in accordance with Customer guidance that covers each AIS which will process information for the Customer. This plan will appropriately reference all other applicable Provider security documentation. In many cases, an AISSP will include information that should not be provided to the general user population. In these cases, a separate user security guide will be prepared to include only the security procedures required by the users.

(2) Physical Security Accreditation. Maintain on file the physical security accreditation documentation that identifies the date(s) of accreditation, and classification level(s) for the system device locations identified in the AISSP, and any open storage approvals.

(3) Processing Approval. Maintain on file the Customer's processing approval (i.e., interim approval or accreditation) that specifies the date of approval, system, system location, mode of operation, and classification level for which the AIS is approved.

(4) Memorandum of Agreement. Maintain on file a formal memorandum of agreement signed by all Customers having data concurrently processed by an AIS or attached to the network.

(5) AIS Technical Evaluation Test Plan. As a prerequisite to processing in the compartmented or multilevel mode, develop and submit a technical evaluation test plan to the Customer for approval. The technical evaluation test plan will provide a detailed description of how the implementation of the operating system software, data management system software, and related security software packages will enable the AIS to meet the compartmented or multilevel mode requirements stated herein. The test plan will also outline the test procedures proposed to demonstrate this compliance. The results of the test will be maintained for the life of the system.

(6) Certification Report. The Certification Report will be maintained for the life of the system.

c. System User Training and Awareness. All AIS users, custodians, maintenance personnel, and others whose work is associated with the Customer will be briefed on their security responsibilities. These briefings will be conducted by the Provider. Each individual receiving the briefing will sign an agreement to abide by the security requirements specified in the AISSP and any additional requirements initiated by the Customer. This security awareness training will be provided prior to the individual being granted access to the classified AIS and at least annually thereafter. The awareness training will cover the following items and others as applicable:

(1) The security classifications and compartments accessible to the user and the protection responsibilities for each. If the user is a privileged user, discuss additional responsibilities commensurate with those privileges;

(2) Requirements for controlling access to AISs (e.g., user IDs, passwords and password security, the need-to-know principle, and protecting terminal screens and printer output from unauthorized access);

(3) Methods of securing unattended AISs such as checking print routes, logging off the host system or network, and turning the AIS off;

(4) Techniques for securing printers such as removing latent images from laser drums, cleaning platens, and locking up ribbons;

(5) Caution against the use of government-sponsored computer resources for unauthorized applications;

(6) The method of reporting security-related incidents such as misuse, violations of system security, unprotected media, improper labeling, network data spillage, etc.;

(7) Media labeling, including classification labels, data-descriptor labels, placement of labels on media, and maintenance of label integrity;

(8) Secure methods of copying and verifying media;

(9) Methods of safeguarding media, including write protection, removal from unattended AISs, and storage;

(10) Methods of safeguarding hard-copy output, including marking, protection during printing, and storage;

(11) Policy on the removal of media;

(12) Methods of clearing and sanitizing media;

(13) Procedures for destroying and disposing of media, printer ribbons, and AIS circuit boards and security aspects of disposing of AISs;

(14) Methods of avoiding viruses and other malicious code including authorized methods of acquiring software, examining systems regularly, controlling software and media, and planning for emergencies. Discuss the use of recommended software to protect against viruses and steps to be taken when a virus is suspected;

(15) AIS maintenance procedures including the steps to be taken prior to AIS maintenance and the user's point-of-contact for AIS maintenance matters;

(16) Any special security requirements with respect to the user's AIS environment including connections to other AIS equipment or networks;

(17) The use of personally owned electronic devices within the SAPF;

(18) Any other items needed to be covered for the specific Customer's program.

Chapter 9
Restricted Data
Section 1. Introduction

9-100. General. This chapter of the NISPOMSUP addresses those supplemental security requirements for SECRET Restricted Data (SRD) and TOP SECRET Restricted Data (TSRD) information which have been identified as being sufficiently sensitive to necessitate security standards above and beyond those mandated by the NISPOM baseline document. Hereafter these are referred to as Critical SRD or TSRD. CONFIDENTIAL RD and all classification levels of Formerly Restricted Data shall be protected in accordance with the requirements in the NISPOM baseline document. In addition to those requirements in Chapter 9 of the NISPOM, this chapter prescribes the supplemental requirements for the protection of Critical SRD and TSRD information. Neither the NISPOM nor the NISPOMSUP are to be construed to apply to the safeguarding requirements for Special Nuclear Material, Nuclear Explosive Like Assemblies, or Nuclear Weapons.

9-101. Requirements. Under the authority of the Atomic Energy Act of 1954, the Secretary of Energy, using his/her authority over Restricted Data, may issue orders, guides, and manuals concerning protection of Restricted Data. These issuances serve as the basis for government-wide implementation procedures. However, these procedures of other agencies have not been endorsed by DOE. As a result of changes in the world situation, these policy issuances are currently under review by the Joint DOE/DOD Nuclear Weapons Information Access Authorization Review Group. Until the Review Group's recommendations are approved as policy by the Secretary of Energy, DOD contractors will continue to protect Critical SRD and TSRD in accordance with established contractual provisions. A revision of this chapter will be developed and promulgated following the results of the Joint DOE/DOD Nuclear Weapons Information Access Authorization Review Group. Nothing in this paragraph alters or abridges the authority of the Secretary of Energy under the Atomic Energy Act of 1954, as amended. DOD contracts awarded in the interim period dealing with the physics of nuclear weapons design, as specified in 9-101.a through 9-101.i, will be reviewed by technically qualified representatives to determine if the contract involves the above specified Critical SRD or TSRD information. If so, this chapter's requirements will be included in the contractual document. DOE technical experts will be available to provide advice and assistance upon request by contracting agency representative. Should the results of the Joint DOE/DOD Nuclear Weapons Information Access Authorization Review Group modify the information specified in 9-101.a through 9-101.i, the affected contracts may be amended. For DOE contractors, Restricted Data will continue to be protected in accordance with the Department of Energy's 5600 series Safeguards and Security orders until the Review Group's recommendations are approved as policy by the Secretary of Energy and this chapter is revised to conform to the new policy.

a. Theory of operation (hydrodynamic and nuclear) or completed design of thermonuclear weapons or their unique components. This definition includes specific information about the relative placement of components and their functions with regard to initiating and sustaining the thermonuclear reaction.

b. Theory of operation or complete design of fission weapons or their unique components. This definition includes the high explosive system with its detonators and firing unit, pit system, and nuclear initiating system as they pertain to weapon design and theory.

c. Manufacturing and utilization information which reveals the theory of operation or design of the physics package.

d. Information concerning inertial confinement fusion which reveals or is indicative of weapon data.

e. Complete theory of operation, complete or partial design information revealing sensitive design features or information on energy conversion of a nuclear directed energy weapon. Sensitive information includes but is not limited to the nuclear energy converter, energy director, or other nuclear directed energy system or components outside the envelope of the nuclear source but within the envelope of the nuclear directed energy weapon.

f. Manufacturing and utilization information and output characteristics for nuclear energy converters, directors, or other nuclear directed energy weapon systems or components outside the envelope of the nuclear source and which do not comprehensively reveal the theory of operation, sensitive design features of the nuclear directed energy weapon or how the energy conversion takes place.

g. Nuclear weapon vulnerability assessment information concerning use control systems that reveals an exploitable design feature, or an exploitable system weakness or deficiency, which could be expected to permit the unauthorized use or detonation of a nuclear weapon.

h. Detailed design and functioning information of nuclear weapon use control systems and their components. Includes actual hardware and drawings that reveal design or theory of operation. This also includes use control information for passive and active systems as well as for disablement systems.

i. Access to specific categories of noise and quieting information, fuel manufacturing technology and broad policy or program direction associated with Naval Nuclear Propulsion Plants as approved by the Naval Nuclear Propulsion Program CSA.

9-102.

a. Contractors shall establish protective measures for the safeguarding of Critical SRD and TSRD in accordance with the requirements of this chapter. Where these requirements are not appropriate for protecting specific types or forms of material, compensatory provisions shall be developed and approved by the CSA, with the concurrence of DOE, as appropriate. Nothing in this NISPOMSUP shall be construed to contradict or inhibit compliance with the law or building codes.

b. Access to Restricted Data shall be limited to persons who possess appropriate access authorization, or PCL, and who require such access (need-to-know) in the performance of official duties (i.e., have a verifiable need-to-know). For access to TOP SECRET Restricted Data, an individual must possess an active Q access authorization, or a final TOP SECRET PCL, based on a SSBI. For access to Critical SECRET Restricted Data, as defined in 9-101.a through 9-101.i, an individual must possess an active Q access authorization, or final TOP SECRET or SECRET PCL, based on a SSBI. Controls shall be established to detect and deter unauthorized access to Restricted Data.

Section 2. Secure Working Areas

9-200. Secure Working Areas.

a. General. When not placed in approved storage, Critical SRD and TSRD must be maintained in approved Secure Working Areas, and be constantly attended to by, or under the control of, a person or persons having the proper access authorization, or PCL, and a need-to-know, who are responsible for its protection.

b. Requirements. Secure Working Area boundaries shall be defined by physical barriers (e.g., fences, walls, doors). Protective personnel or other measures shall be used to control authorized access through designated entry portals and to deter unauthorized access to the area. A personnel identification system (e.g., security badge) shall be used as a control measure when there are more than 30 persons per shift. Entrance/Exit inspections for prohibited articles and/or Government property may be conducted by protective personnel. When access to a Secure Working Area is authorized for a person without appropriate access authorization or need-to-know, measures shall be taken to prevent compromise of classified matter. Access to safeguards and security interests within a Secure Working Area, when not in approved storage, is controlled by the custodian(s) or authorized user(s). Means shall be used to detect unauthorized intrusion appropriate to the classified matter under protection.

9-201. Barriers. Physical barriers shall be used to demarcate the boundaries of a Secure Working Area. Permanent barriers shall be used to enclose the area, except during construction or transient activities, when temporary barriers may be erected. Temporary barriers may be of any height and material that effectively impede access to the area.

a. Walls. Building materials shall offer penetration resistance to, and evidence of, unauthorized entry into the area. Construction shall meet local building codes. Walls that constitute exterior barriers of Security Areas shall extend from the floor to the structural ceiling, unless equivalent means are used.

(1) When transparent glazing material is used, visual access to the classified material shall be prevented by the use of drapes, blinds, or other means.

(2) Insert-type panels (if used) shall be such that they cannot be removed from outside the area being protected without showing visual evidence of tampering.

b. Ceilings and Floors. Ceilings and floors shall be constructed of building materials that offer penetration resistance to, and evidence of, unauthorized entry into the area. Construction shall meet local building codes.

c. Doors. Doors and door jambs shall provide the necessary barrier delay rating required by the applicable procedure. As a minimum, requirements shall include the following:

(1) Doors with transparent glazing material may be used if visual access is not a security concern; however, they shall offer penetration resistance to, and evidence of, unauthorized entry into the area.

(2) A sight baffle shall be used if visual access is a factor.

(3) An astragal shall be used where doors used in pairs meet.

(4) Door louvers, baffle plates, or astragals, when used, shall be reinforced and immovable from outside the area being protected.

d. Windows. The following requirements shall be applicable to windows:

(1) When primary reliance is placed on windows as physical barriers, they shall offer penetration resistance to, and evidence of, unauthorized entry into the area.

(2) Frames shall be securely anchored in the walls, and windows shall be locked from the inside or installed in fixed (nonoperable) frames so the panes are not removable from outside the area being protected.

(3) Visual barriers shall be used if visual access is a factor.

e. Unattended Openings.

(1) Physical protection features shall be implemented at all locations where storm sewers, drainage swales, and site utilities intersect the fence perimeter.

(2) Unattended openings in security barriers, which meet the following criteria, must incorporate compensatory measures such as security bars: greater than 96 square inches (619.20 square centimeters) in area and greater than 6 inches (15.24 centimeters) in the smallest dimension; and located within 18 feet (5.48 meters) of the ground, roof, or ledge of a lower Security Area; or located 14 feet (4.26 m) diagonally or directly opposite windows, fire escapes, roofs, or other openings in uncontrolled adjacent buildings; or located 6 feet (1.83 m) from uncontrolled openings in the same barrier.

Section 3. Storage Requirements

9-300. General. Custodians and authorized users of Critical SRD and TSRD are responsible for the protection and control of such matter.

9-301. TSRD Storage. TOP SECRET Restricted Data that is not under the personal control of an authorized person shall be stored within a security repository located within a Secure Working Area with CSA approved supplementary protection consistent with Chapter 5-307.a and 5-307.b of the NISPOM baseline. Authorized repositories are as follows:

a. In a locked, General Services Administration-approved security container.

b. In a vault or vault-type room.

9-302. Critical SRD Storage. Critical SRD shall be stored in a manner authorized for Top Secret Restricted Data matter or in one of the following ways:

a. In a locked General Services Administration-approved security container located within a Secure Working Area.

b. In a General Services Administration-approved security container, not located within a Secure Working Area, under supplemental protection (i.e., intrusion detection system protection or protective patrol).

c. In a steel filing cabinet, not meeting General Services Administration requirements, but approved for use prior to the date of this NISPOMSUP, which may continue to be used until there is a need for replacement. It shall be equipped with a minimum of either an Underwriters Laboratories Group 1, built-in, changeable combination lock or a lock that meets Federal Specification FF-P-110 "Padlock, Changeable Combination." Steel filing cabinets located within a Secure Working Area shall be under approved supplemental protection (i.e., intrusion detection system protection or protective patrol). If the steel filing cabinet is not located within a Secure Working Area, it shall be under intrusion detection system protection.

Chapter 10
International Security Requirements

International security information that is required by a SAP or is SAP-related will conform to the NISPOM as directed by the PSO.

Chapter 11
Miscellaneous
Section 1: TEMPEST

TEMPEST Requirements. When compliance with TEMPEST standards is required for a contract, the GPM/PSO will issue specific guidance in accordance with current national directives that afford consideration to realistic, validated, local threats, cost effectiveness, and zoning.

Section 2. Government Technical Libraries

SAP information will not be sent to the National Defense Technical Information Center or the U.S. Department of Energy Office of Scientific and Technical Information.

Section 3. Independent Research and Development

11-300. General. The use of SAP information for a contractor Independent Research and Development (IR&D) effort will occur only with the specific written permission of the Contracting Officer. Procedures and requirements necessary for safeguarding SAP classified information when it is incorporated in a contractor's IR&D effort will be coordinated with the PSO.

11-301. Retention of SAP Classified Documents Generated Under IR&D Efforts. With the permission of the Contracting Officer, the contractor may be allowed to retain the classified material generated in connection with a classified IR&D effort. The classified documents may be required to be sanitized. If necessary, the Government agency will provide the contractor assistance in sanitizing the material to a collateral or unclassified level (i.e., by reviewing and approving the material for release).

11-302. Review of Classified IR&D Efforts. IR&D operations and documentation that contain SAP classified information will be subject to review in the same manner as other SAP classified information in the possession of the contractor.

Section 4. Operations Security

Special Access Programs may require unique Operations Security (OPSEC) plans, surveys, and activities to be conducted as a method to identify, define, and provide countermeasures to vulnerabilities. These requirements may be made part of the contractual provisions.

Section 5. Counterintelligence (CI) Support

11-500. Counterintelligence (CI) Support. Analysis of foreign intelligence threats and risks to Program information, material, personnel, and activities may be undertaken by the Government Agency. Resulting information that may have a bearing on the security of a SAP will be provided by the Government to the contractor when circumstances permit. Contractors may use CI support to enhance or assist security planning and safeguarding in pursuit of satisfying contractual obligations. Requests should be made to the PSO.

11-501. Countermeasures. Security countermeasures may be required for SAPs to protect critical information, assets, and activities. When OPSEC countermeasures are necessary, they will be made a part of the contract provisions and cost implementation may be subject to negotiation. Countermeasures may be active or passive techniques, measures, systems, or procedures implemented to prevent or reduce the timely effective collection and/or analysis of information which would reveal intentions or capabilities (e.g., traditional security program measures, electronic countermeasures, signature modification, operational and/or procedural changes, direct attack against and neutralization of threat agents and/or platforms, etc.).

Section 6. Decompartmentation, Disposition, and
Technology Transfer

11-600. Every scientific paper, journal article, book, briefing, etc., pertaining to a SAP and prepared by personnel currently or previously briefed on the SAP that is proposed for publication or presentation outside of the SAP will be reviewed by the PSO and a Program-briefed Public Affairs Officer (PAO) if available. Any release will be by the GPM. Often SAP-unique "tools" such as models, software, technology, and facilities may be valuable to other SAPs. Some information, material, technology, or components may not be individually sensitive. If information or materials can be segregated and disassociated from the SAP aspects of the Program, decompartmentation and release of the information and/or materials may be approved to support U.S. Government activities. The information and materials proposed for release will remain within the Program Security Channels until authorized for release.

11-601. Procedures. The following procedures apply to the partial or full decompartmentation, transfer (either to another SAP or collateral Program), and disposition of any classified information, data, material(s), and hardware or software developed under a SAP contract or subcontract (SCI information will be handled within SCI channels).

a. Decompartmentation. Prior to decompartmenting any classified SAP information or other material(s) developed within the Program, the CPSO will obtain the written approval of the GPM. Decompartmentation initiatives at a Program activity will include completion of a Decompartmentation or Transfer Review Format. Supporting documentation will be submitted through the PSO to the GPM. Changes, conditions and stipulations directed by the GPM will be adhered to. Approval of Program decompartmentation and all subsequent transfers will be in writing.

b. Technology Transfer. Technologies may be transferred through established and approved channels in cases where there would be a net benefit to the U.S. Government and Program information is not exposed or compromised. The Contracting Officer is the approval authority for technology transfers.

(1) Contractor Responsibilities. CPSOs will ensure that technologies proposed for transfer receive a thorough security review. The review will include a written certification that all classified items and unclassified Program-sensitive information have been redacted from the material in accordance with sanitization procedures authorized by the GPM. A description of the sanitization method used and identification of the official who accomplished the redaction will accompany the information or material(s) forwarded to the GPM for review and approval.

(2) Government Responsibilities. The contracting officer's representative (COR), PSO, and GPM will make every attempt to review requests expeditiously. Requests will be submitted at least thirty (30) working days prior to the requested release date. This is particularly important when requesting approval for Program-briefed personnel to make non-Program related presentations at conferences, symposia, etc.
Section 7. Other Topics

11-700. Close-out of a SAP. At the initiation of a contract close-out, termination or completion of the contract effort, the CPSO will consider actions for disposition of residual hardware, software, documentation, facilities, and personnel accesses. Security actions to close-out Program activities will prevent compromise of classified Program elements or other SAP security objectives. The contractor may be required to submit a termination plan to the Government. The master classified material accountability record (log or register) normally will be transferred to the PSO at Program close-out.

11-701. Special Access Program Secure Communications Network. SAPs may use a SAP secure communications and/or data network linking the GPM and/or contractors with associated technical, operational, and logistic support activities for secure communications.

11-702. Patents. Patents involving SAP information will be forwarded to the GPM/PSO for submission to the Patents Office. The PSO will coordinate with Government attorneys and the Patent Office for submission of the patent.

11-703. Telephone Security. The PSO will determine the controls, active or inactive, to be placed on telecommunication lines. SAPFs accredited for discussion or electronic processing will comply with DCID 1/21 and Telephone Security Group (TSG) standards as determined by the PSO.
Appendix A
Definitions

Access Approval Authority. Individual responsible for final access approval and/or denial determination.

Access Roster. A database or listing of individuals briefed to a special access program.

Access Termination. The removal of an individual from access to SAP or other Program information.

Accrediting Authority. A Customer official who has the authority to decide on accepting the security safeguards prescribed or who is responsible for issuing an accreditation statement that records the decision to accept those safeguards.

Acknowledged Special Access Program. A SAP whose existence is publicly acknowledged.

Acquisition Special Access Program (AQ-SAP). A special access program established primarily to protect sensitive research, development, testing, and evaluation (RDT&E) or procurement activities in support of sensitive military and intelligence requirements.

Agent of the Government. A contractor employee designated in writing by the Government Contracting Officer who is authorized to act on behalf of the Government.

Authentication. a. To establish the validity of a claimed identity. b. To provide protection against fraudulent transactions by establishing the validity of message, station, individual, or originator.

Automated Information System (AIS). A generic term applied to all electronic computing systems. AISs are composed of computer hardware (i.e., automated data processing (ADP) equipment and associated devices that may include communication equipment), firmware, operating systems, and other applicable software. AISs collect, store, process, create, disseminate, communicate, or control data or information.

Billets. A determination that in order to meet need-to-know criteria, certain SAPs may elect to limit access to a predetermined number of properly cleared employees. Security personnel do not count against the billet system.

Boundary. The boundary of an AIS or network includes all users that are directly or indirectly connected and who can receive data from the system without a reliable human review by an appropriately cleared authority.

Certification. A statement to an accrediting authority of the extent to which an AIS or network meets its security criteria. This statement is made as part of and in support of the accreditation process.

Clearing. The removal of information from the media to facilitate continued use and to prevent the AIS system from recovering previously stored data. However, the data may be recovered using laboratory techniques. Overwriting and degaussing are acceptable methods of clearing media.

Codeword. A single classified word assigned to represent a specific SAP or portions thereof.

Collateral Information. Collateral information is National Security Information created in parallel with Special Access Information under the Provisions of E.O. 12356 (et al) but which is not subject to the added formal security protection required for Special Access Information (stricter access controls, need-to-know, compartmentation, stricter physical security standards, etc.).

Compelling Need. A requirement for immediate access to special program information to prevent failure of the mission or operation or other cogent reasons.

Contractor Program Security Officer (CPSO). An individual appointed by the contractor who performs the security duties and functions for Special Access Programs.

Contractor Program Manager (CPM). A contractor-designated individual who has overall responsibility for all aspects of a Program.

Counterintelligence Awareness. A state of being aware of the sensitivity of classified information one possesses, collaterally aware of the many modes of operation of hostile intelligence persons and others whose interests are inimical to the United States while
being able to recognize attempts to compromise one's information, and the actions one should take, when one suspects he has been approached, to impart the necessary facts to trained counterintelligence personnel.

Customer. The Government organization that sponsors the processing.

Data Integrity. a. The state that exists when computerized data is the same as that in the source documents and has not been exposed to accidental or malicious alteration or destruction. b. The property that data has not been exposed to accidental or malicious alteration or destruction.

Debriefing. The process of informing a person his need-to-know for access is terminated.

Declassification (Media). An administrative step that the owner of the media takes when the classification is lowered to UNCLASSIFIED. The media must be properly sanitized before it can be downgraded to UNCLASSIFIED.

Degauss. a. To reduce the magnetization to zero by applying a reverse (coercive) magnetizing force, commonly referred to as demagnetizing, or b. To reduce the correlation between previous and present data to a point that there is no known technique for recovery of the previous data.

Degausser. An electrical device or hand-held permanent magnet assembly that generates a coercive magnetic force for degaussing magnetic storage media or other magnetic material.

Degaussing (Demagnetizing). Procedure using an approved device to reduce the magnetization of a magnetic storage media to zero by applying a reverse (coercive) magnetizing force rendering any previously stored data unreadable and unintelligible.

Digraph and/or Trigraph. A two and/or three-letter acronym for the assigned Codeword or nickname.

Disclosure Record. A record of names and dates of initial access to any Program information.

e.g. For example (exempli gratia).

Eligibility. A determination that a person meets personnel security standards for access to Program material.

EPROM. A field-programmable read-only memory that can have the data content of each memory cell altered more than once. An EPROM is bulk-erased by exposure to a high-intensity ultraviolet light. Sometimes referred to as a reprogrammable read-only memory.

EEPROM. Abbreviation for electrically erasable programmable read-only memory. These devices are fabricated in much the same way as EPROMs and, therefore, benefit from the industry's accumulated quality and reliability experience. As the name implies, erasure is accomplished by introducing electrical signals in the form of pulses to the device, rather than by exposing the device to ultraviolet light. Similar products using a nitride NMOS process are termed EAROMS (for electrically alterable read-only memory).

Government Program Manager (GPM). The senior Government Program official who has ultimate responsibility for all aspects of the Program.

i.e. That is (id est).

Inadvertent Disclosure. A set of circumstances or a security incident in which a person has had involuntary access to classified information to which the individual was or is not normally authorized.

Indoctrination. An initial indoctrination and/or instruction provided each individual approved to a SAP prior to his exposure concerning the unique nature of Program information and the policies, procedures, and practices for its handling.

Information Systems Security Representative (ISSR). The Provider-assigned individual responsible for the on-site security of the AIS(s) processing information for the Customer.

Joint Use Agreement. A written agreement signed by two or more accrediting authorities whose responsibility includes information processed on a common AIS or network. Such an agreement defines a cognizant security authority and the security arrangements that will govern the operation of the network.

Memorandum of Agreement (MOA). An agreement, the terms of which are delineated and attested to by the signatories thereto. MOA & MOU (Memorandum of Understanding) are used interchangeably.
Network. A computing environment with more than one independent processor interconnected to permit communications and sharing of resources.

Nicknames. A combination of two separate unclassified words assigned to represent a specific SAP or portion thereof.

Nonvolatile Memory Components. Memory components that do retain data when all power sources are disconnected.

Object Reuse. The reassignment to some subject of a medium (e.g., page frame, disk sector, magnetic tape) that contained one or more objects. To be securely reassigned, such media will contain no residual data from the previously contained object(s).

Office Information System (OIS). An OIS is a special purpose AIS oriented to word processing, electronic mail, and other similar office functions. An OIS is normally comprised of one or more central processing units, control units, storage devices, user terminals, and interfaces to connect these components.

Overwrite (Re-recording) Verification. a. An approved procedure to review, display, or check the success of an overwrite procedure, or b. The successful testing and documentation through hardware and random hard-copy readout of the actual overwritten memory sectors.

Perimeter. The perimeter of an AIS or network is the extent of the system that is to be accredited as a single system.

Peripheral Devices. Any device attached to the network that can store, print, display, or enhance data (e.g., disk and/or tape, printer and/or plotter, an optical scanner, a video camera, a punched-card reader, a monitor, or card punch).

Personal Computer System (PC). A PC is a system based on a microprocessor and comprised of internal memory (ROMs and RAMs), input and/or output, and associated circuitry. It typically includes one or more read/write device(s) for removable magnetic storage media (e.g., floppy diskettes, tape cassettes, hard disk cartridges), a keyboard, CRT or plasma display, and a printer. It is easily transported and is primarily used on desk tops for word processing, database management, or engineering analysis applications.

Program Access Request (PAR). A formal request used to nominate an individual for Program access.

Program Channels or Program Security Channels. A method or means expressly authorized for the handling or transmission of classified or unclassified SAP information whereby the information is provided to indoctrinated persons.

Program Executive Agent. The highest ranking military or civilian individual charged with direct responsibility for the Program and usually appoints the Government Program Manager.

Program Material. Program material and information describing the service(s) provided, the capabilities developed, or the item(s) produced under the SAP.

Program Security Officer (PSO). The Government official who administers the security policies for the SAP.

Program Sensitive Information. Unclassified information that is associated with the Program. Material or information that, while not directly describing the Program or aspects of the Program, could indirectly disclose the actual nature of the Program to a non-Program-briefed individual.

Provider. The Contractor or Government-support organization (or both) that provides the process on behalf of the Customer.

Sanitizing. The removal of information from the media or equipment such that data recovery using any known technique or analysis is prevented. Sanitizing shall include the removal of data from the media, as well as the removal of all classified labels, markings, and activity logs. Properly sanitized media may be subsequently declassified upon observing the organization's respective verification and review procedures.

Secure Working Area. An accredited facility or area that is used for handling, discussing and/or processing, but not storage of SAP information.

Security level. A clearance or classification and a set of designators of special access approvals; i.e., a clearance and a set of designators of special access approval or a classification and a set of such designators, the former applying to a user, the latter applying, for example, to a computer object.

Security Policy. The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information. A complete security policy will necessarily address many concerns beyond the scope of computers and communications.
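The Clearing, Object Reuse, Overwrite Verification and Sanitizing entries describe overwriting media and then confirming, by reading the media back, that the overwrite actually took. The following is an added example, not part of the Supplement, that runs a multi-pass overwrite over a constructed in-memory media image and verifies each sector; the `MediaImage` classes, the 512-byte sector size, the pattern sequence and the simulated stuck sector are assumptions for illustration, not values from the document.

```python
"""Overwrite a media image and verify the result sector by sector.

Added illustration of the Clearing and Overwrite Verification definitions;
not the Supplement's own procedure. The media is a constructed in-memory
image so the example runs offline; sector size, pattern sequence and the
simulated stuck sector are assumptions, not values from the document.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SECTOR_SIZE = 512  # assumed sector size for the constructed image


def _fill(pattern: bytes, size: int) -> bytes:
    """Repeat `pattern` to exactly `size` bytes."""
    return (pattern * (size // len(pattern) + 1))[:size]


class MediaImage:
    """Constructed stand-in for a block device: a bytearray with sector access."""

    def __init__(self, data: bytes, sector_size: int = SECTOR_SIZE) -> None:
        self.data = bytearray(data)
        self.sector_size = sector_size

    @property
    def sector_count(self) -> int:
        return (len(self.data) + self.sector_size - 1) // self.sector_size

    def read_sector(self, index: int) -> bytes:
        start = index * self.sector_size
        return bytes(self.data[start:start + self.sector_size])

    def write_sector(self, index: int, payload: bytes) -> None:
        start = index * self.sector_size
        end = min(start + self.sector_size, len(self.data))
        self.data[start:end] = payload[:end - start]


class FlakyMediaImage(MediaImage):
    """Simulates a sector that reports success but never takes the write.

    This is the failure mode that makes read-back verification necessary: a
    worn or remapped sector still holding its previous content after an
    overwrite pass that appeared to succeed.
    """

    def __init__(self, data: bytes, stuck_sector: int, sector_size: int = SECTOR_SIZE) -> None:
        super().__init__(data, sector_size)
        self.stuck_sector = stuck_sector

    def write_sector(self, index: int, payload: bytes) -> None:
        if index != self.stuck_sector:  # the stuck sector silently ignores writes
            super().write_sector(index, payload)


@dataclass
class OverwriteReport:
    """What was done and what the read-back found, for the sanitization record."""
    passes: int
    sectors_checked: list[int] = field(default_factory=list)
    sectors_failed: list[int] = field(default_factory=list)

    @property
    def success(self) -> bool:
        return bool(self.sectors_checked) and not self.sectors_failed


def overwrite_pass(image: MediaImage, pattern: bytes) -> None:
    """One full pass writing `pattern` over every sector of the image."""
    block = _fill(pattern, image.sector_size)
    for idx in range(image.sector_count):
        image.write_sector(idx, block)


def verify_pass(image: MediaImage, pattern: bytes, every: int = 1) -> tuple[list[int], list[int]]:
    """Read sectors back and confirm each holds only the final pattern.

    `every` > 1 samples sectors, like the definition's random hard-copy readout.
    """
    block = _fill(pattern, image.sector_size)
    checked, failed = [], []
    for idx in range(0, image.sector_count, every):
        sector = image.read_sector(idx)
        checked.append(idx)
        if sector != block[:len(sector)]:
            failed.append(idx)
    return checked, failed


def clear_and_verify(image: MediaImage, patterns=(b"\x00", b"\xff", b"\x55"), every: int = 1) -> OverwriteReport:
    """Apply each overwrite pass, then verify by reading the media back (not by trusting the writes)."""
    for pattern in patterns:
        overwrite_pass(image, pattern)
    checked, failed = verify_pass(image, patterns[-1], every)
    return OverwriteReport(len(patterns), checked, failed)


def demo() -> tuple[OverwriteReport, OverwriteReport]:
    """Constructed sample: 8 sectors of placeholder text, on healthy and on flaky media."""
    original = _fill(b"SAMPLE RECORD (constructed placeholder) ", 8 * SECTOR_SIZE)
    good = clear_and_verify(MediaImage(original))
    bad = clear_and_verify(FlakyMediaImage(original, stuck_sector=5))
    return good, bad
```

On the flaky image the report lists sector 5 as failed even though every write call returned normally, which is why the definition ties verification to a readout of the actual sectors rather than to the overwrite procedure's own status.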
Security Profile. The approved aggregate of hardware/software and administrative controls used to protect the system.

Security Testing. A process used to determine that the security features of a system are implemented as designed and that they are adequate for a proposed application environment. This process includes hands-on functional testing, penetration testing, and verification. See also: Functional Testing, Penetration Testing, Verification.

Sensitivity Label. A collection of information that represents the security level of an object and that describes the sensitivity of the data in the object. A sensitivity label consists of a sensitivity level (classification and compartments) and other required security markings (e.g., Codewords, handling caveats) to be used for labeling data.

Sensitive Activities. Sensitive activities are special access or Codeword programs, critical research and development efforts, operations or intelligence activities, special plans, special activities, or sensitive support to the customer or customer contractors or clients.

Sensitive Compartmented Information (SCI). SCI is classified information concerning or derived from intelligence sources and methods or analytical processes that is required to be handled within a formal control system established by Director of Central Intelligence.

Sensitive Compartmented Information Facility (SCIF). SCIF is an area, room(s), building installation that is accredited to store, use, discuss, or electronically process Sensitive Compartmented Information (SCI). The standards and procedures for a SCIF are stated in DCIDs 1/19 and 1/21.

Special Access Program Facility (SAPF). A specific physical space that has been formally accredited in writing by the cognizant PSO which satisfies the criteria for generating, safeguarding, handling, discussing, and storing CLASSIFIED and/or UNCLASSIFIED Program information, hardware, and materials.

Special Program Document Control Center. The component's activity assigned responsibility by the ISSR for the management, control, and accounting of all documents and magnetic media received or generated as a result of the special program activity.

Stand-Alone AIS. A stand-alone AIS may include desktop, laptop, and notebook personal computers, and any other hand-held electronic device containing classified information. Stand-alone AISs by definition are not connected to any LAN or other type of network.

System. An assembly of computer and/or communications hardware, software, and firmware configured for the purpose of classifying, sorting, calculating, computing, summarizing, transmitting and receiving, storing, and retrieving data with a minimum of human intervention.

Trigraph. (See Digraph and/or Trigraph.)

Trojan Horse. A computer program with an apparently or actually useful function that contains additional (hidden) functions that surreptitiously exploit the legitimate authorizations of the invoking process to the detriment of security (for example, making a "blind copy" of a sensitive file for the creator of the Trojan horse).

Trusted Computer System. A system that employs sufficient hardware and software integrity measures to allow its use for processing simultaneously a range of sensitive or classified information.

Trusted Path. A mechanism by which a person at a terminal can communicate directly with the trusted computing base. This mechanism can only be activated by the person or the trusted computing base and cannot be imitated by untrusted software.

Two-Person Integrity. A provision that prohibits one person from working alone.

Unacknowledged Special Access Program. A SAP with protective controls that ensures the existence of the Program is not acknowledged, affirmed, or made known to any person not authorized for such information. All aspects (e.g., technical, operational, logistical, etc.) are handled in an unacknowledged manner.

Users. Any person who interacts directly with an AIS or a network system. This includes both those persons who are authorized to interact with the system and those people who interact without authorization (e.g., active or passive wiretappers).

Vendor. The manufacturer or sellers of the AIS equipment and/or software used on the special program.

Virus. Malicious software. A form of Trojan horse that reproduces itself in other executable code.

Volatile Memory Components. Memory components that do not retain data after removal of all electrical power sources and when reinserted into a similarly configured AIS do not contain residual data.

Workstation. A high-performance, microprocessor-based platform that uses specialized software applicable to the work environment.
Appendix B
AIS Acronyms
Many computer security-related acronyms are used in this Supplement. These acronyms, after first being
defined, are used throughout this document to reduce its length. The acronyms used in this document are defined
below:

AIS Automated Information System
AISSP AIS Security Plan
CM Configuration Management
CCB Configuration Control Board
CPU Central Processing Unit
CRT Cathode Ray Tube (Monitor Screen Tube)
CSA Cognizant Security Agency (Customer)
DAC Discretionary Access Control
DCID Director of Central Intelligence Directive
DoD Department of Defense
E.O. Executive Order
EPROM Erasable Programmable Read-Only Memory
EAPROM Electrically Alterable Programmable Read-Only Memory
EEPROM Electrically Erasable Programmable Read-Only Memory
I/O Input and/or Output
ISSR Information System Security Representative
K Thousand (kilo)
LAN Local Area Network
LOGON Log On
MAC Mandatory Access Control
MODEM Modulator and/or Demodulator
NCSC National Computer Security Center
NSA National Security Agency
OMB Office of Management and Budget
PC Personal Computer (i.e., desktop, laptop, notebook, or hand-held computer)
PL Public Law
PROM Programmable Read-Only Memory
RAM Random Access Memory
ROM Read Only Memory
SAN Separately Accredited Network
SAP Special Access Program
SAPF Special Access Program Facility
SCI Sensitive Compartmented Information
STD Standard
TS Top Secret
USER ID User Identification
Appendix C
AISSP Outline
This outline provides the basis for preparing an AIS Security Plan (AISSP). The annotated outline, with prompts and instructions, will assist ISSRs in preparing a plan that includes necessary overviews, descriptions, listings, and procedures. It will also assist in covering the requirements contained in this NISPOM Supplement. In preparing the AISSP, any information that does not appropriately fit under a subtitle may be placed under a main title. For example, a hardware list or references to a hardware list will be placed under the 4.0 AIS HARDWARE heading. For changes to an existing plan that do not require revision of the entire plan, provide name and date of the plan to be modified, date of changes on each page, and cross reference to the plan's applicable paragraph numbers. (For changes, only the change pages with the applicable plan name and date need to be sent to the CSA.)

Table Of Contents

1.0 INTRODUCTION
1.1 Administration
1.2 Purpose and Scope
2.0 SAPF DESCRIPTION
2.1 Physical Environment
2.2 Floor Layout
2.3 SAPF Access
3.0 AIS DESCRIPTION
3.1 General Information
3.2 Configuration and Connectivity
3.3 User Access and Operation
3.4 Audit Trail
4.0 AIS HARDWARE
4.1 Labeling Hardware
4.2 Maintenance Procedures
4.3 Hardware Sanitization and Destruction
4.4 Hardware Transport and Release
4.5 Hardware Control and Audit Trails
5.0 AIS SOFTWARE
5.1 Authorized Software
5.2 Software Procedures
6.0 DATA STORAGE MEDIA
6.1 Labeling and Storing Media
6.2 Media Sanitization and Destruction
6.3 Media Transport and Release
6.4 Media Control
7.0 AIS SECURITY AWARENESS
8.0 GLOSSARY OF TERMS
1.0 INTRODUCTION

This section will describe the purpose and scope of the AISSP. It may include any topic intended to help
the reader understand and appreciate the purpose of the AISSP. Pertinent background information may
also be presented to provide clarity.

1.1 Security Administration.

Provide the name and date of this plan and indicate whether it is an original or revised plan.

Specify the cognizant Customer Program Office whose activity the AIS will support and the contract
number(s), if applicable.

Specify the Provider's name and address. Identify the location of the AIS equipment (including the building and room number(s)).

Provide the names of the Provider's program manager, ISSR, alternate(s). Also provide their secure and
unsecure telephone numbers and their normal office hours.

Provide an organizational structure showing the name and title of all security management levels above
the ISSR.

Provide joint-use information if applicable.

1.2 Purpose and Scope.

The plan will describe how the Provider will manage the security of the system. Describe the purpose
and scope of this AIS.

2.0 SAPF DESCRIPTION.

This section will provide a physical overview of the AIS SAPF (including its surroundings) that is used
to secure the Customer's program activities. It will include information about the secure environment
required to protect the AIS equipment, software, media, and output.

2.1 Physical Environment.

State whether the SAPF is accredited or approved to process and store classified information, who
accredited or approved it, the security level, and when approved. State whether the SAPF is approved for
open or closed storage.

Specify whether the storage approval is for hard disk drives, diskettes, tapes, printouts, or other items.

State whether the approval includes unattended processing.

2.2 Floor Layout

Provide a floor plan showing the location of AIS equipment and any protected wire lines. (This may be included in a referenced appendix.) The building and room number(s) will match the information provided in the hardware listing (see 4.0).
2.3 SAPF Access.

Describe procedures for controlling access to the AIS(s) to include: after hours access, personnel access
controls, and procedures for providing access to uncleared visitors (e.g., admitting, sanitizing area,
escorting).

2.4 TEMPEST.

If applicable, describe TEMPEST countermeasures.

3.0 AIS DESCRIPTION

This section will provide a detailed description of the system and describe its security features and
assurances.

Describe variances and exceptions.

3.1 General Information

Provide a system overview and description.

Specify clearance level, formal access (if appropriate), and need-to-know requirements that are being
supported.

Identify the data to be processed including classification levels, compartments, and special handling
restrictions that are relevant.

State the mode of operations.

Indicate the AIS's usage (in percent) that will be dedicated to the Customer's activity (e.g., periods processing).

3.2 Configuration and Connectivity.

Specify whether the AIS is to operate as a stand-alone system, as a terminal connected to a mainframe,
or as a network.

Describe how the AIS or network is configured. If a network, specify whether it is a unified network or
interconnected network. Describe the security support structure and identify any specialized security
components and their role.

Identify and describe procedures for any connectivity to the AIS(s). Indicate whether the connections
are to be classified or unclassified systems.

Provide a simplified block diagram that shows the logical connectivity of the major components (this
may be shown on the floor layout if necessary-see 2.2). For AISs operating in the compartmented or
multilevel modes an information flow diagram will be provided.

If applicable, discuss the separations of classified and unclassified AISs within the SAPF.

Indicate whether the AIS is configured with removable or nonremovable hard disk drives.
Describe the configuration management program. Describe the procedures to ensure changes to the AIS
require prior coordination with the ISSR.

3.3 User Access and Operation.

Describe the AIS operation start-up and shut-down (mode termination). Provide any unique equipment
clearing procedures.

Discuss all AIS user access control (e.g., log-on ID, passwords, file protection, etc.).

Identify the number of system users and the criteria used to determine privileged access.

If the mode is other than dedicated, discuss those mechanisms that implement DAC and MAC controls.

Discuss procedures for the assignment and distribution of passwords, their frequency of change, and the
granting of access to information and/or files.

Indicate whether AIS operation is required 24 hours per day.

Discuss procedures for after hours processing. State whether the AIS(s) are approved for unattended
processing.

Discuss procedures for marking and controlling AIS printouts.

Discuss remote access and operations requiring specific approval by the CSA.

Discuss procedures for incident reporting.

3.4 Audit Trails.

If applicable, discuss the audit trails used to monitor user access and operation of the AIS and the information that is recorded in the audit trail. State whether user access audit trails are manual or automatic.

Identify the individual who will review audit trails and how often.

Describe procedures for handling discrepancies found during audit trails reviews.

4.0 AIS HARDWARE

This section will describe the AIS hardware that supports the Customer's program. This section will provide a listing of the AIS hardware and procedures for its secure control, operation, and maintenance.

Provide a complete listing of the major hardware used to support the Customer's program activities. This list may be in tabular form located either in this section or a referenced appendix. The following information is required for all major AIS hardware: nomenclature, model, location (i.e., building/room number), and manufacturer.

Provide a description of any custom-built AIS hardware.

Indicate whether the AIS hardware has volatile or nonvolatile memory components. Specifically, identify components that are nonvolatile.
If authorized, describe procedures for using portable devices for unclassified processing.

Identify the custodian(s) for AISs.

4.1 Labeling Hardware.

Describe how the AIS hardware will be labeled to identify its classification level (e.g., classified and
unclassified AISs collocated in the same secure area).

4.2 Maintenance Procedures.

Describe the maintenance and sanitization procedures to be used for maintenance or repair of defective
AIS hardware by inappropriately cleared personnel.

4.3 Hardware Sanitization and Destruction.

Describe the procedures or methods used to sanitize and/or destroy AIS hardware (volatile or nonvolatile components).

4.4 Hardware Movement.

Describe the procedures or receipting methods used to release and transport the AIS hardware from the
SAPF.

Describe the procedures or receipting methods for temporarily or permanently relocating the AIS hardware within the SAPF.

Describe the procedures for introducing hardware into the SAPF.

4.5 Hardware Control and Audit Trails.

Describe all AIS hardware maintenance logs, the information recorded on them, who is responsible for
reviewing them, and how often.

5.0 AIS SOFTWARE

This section will provide a listing of all the software that supports the Customer's program. It will also
provide procedures for protecting and using this software.

5.1 Authorized Software.

Provide a complete listing of all software used to support the Customer's program activities. This list may be in tabular form and may be located either in this section or in a referenced appendix. The listing will also include security software (e.g., audit software, anti-virus software), special-purpose software (e.g., in-house, custom, commercial utilities), and operating system software. The following information is required for AIS software: software name, version, manufacturer, and intended use or function.
5.2 Software Procedures.

Indicate whether a separate unclassified version of the operating system software will be used for maintenance.

Describe the procedures for procuring and introducing new AIS software to support program activities.

Describe the procedures for evaluating AIS software for security impacts.

Describe procedures for protecting software from computer viruses and malicious code and for reporting
incidents.
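The listing section 5.1 asks for is only useful if something is checked against it. The following is an added example, not text or code from the Supplement or from any Provider's AISSP, of one of the section 5.2 procedures: comparing what is actually installed on an AIS with the authorized software table. The table, the product names, manufacturers and the observed inventory are all constructed sample data; the field names follow section 5.1 (name, version, manufacturer, intended use) with a category column matching the three kinds of software 5.1 lists.

```python
"""Added example (not part of the NISPOM Supplement): check an observed
software inventory against the AISSP section 5.1 authorized software listing.

Findings are what an ISSR would act on under section 5.2: software present but
never evaluated and listed, listed software whose version has drifted, and
required security software (audit, anti-virus) that is not installed at all.
All names below are constructed sample data."""

import csv
import io
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of the section 5.1 listing in tabular (CSV) form.
AUTHORIZED_TABLE = """\
name,version,manufacturer,function,category
TrustedOS,4.1,Acme Systems,operating system,operating-system
AuditWatch,2.0,Acme Systems,audit trail review,security
ViralGuard,7.3,Example Software,anti-virus scanning,security
ProgAnalyzer,1.2,In-house,program data reduction,special-purpose
"""


@dataclass(frozen=True)
class Authorized:
    name: str
    version: str
    manufacturer: str
    function: str      # intended use or function, per 5.1
    category: str      # operating-system, security, or special-purpose


def load_authorized(table: str = AUTHORIZED_TABLE) -> Dict[str, Authorized]:
    """Parse the tabular listing into a dict keyed by lower-cased name."""
    out: Dict[str, Authorized] = {}
    for row in csv.DictReader(io.StringIO(table)):
        entry = Authorized(**{k: v.strip() for k, v in row.items()})
        out[entry.name.lower()] = entry
    return out


def check_inventory(observed: Dict[str, str],
                    authorized: Dict[str, Authorized]) -> Dict[str, list]:
    """observed maps software name -> version as actually found on the AIS.

    Returns three sorted finding lists:
      unauthorized     - present on the AIS but absent from the listing
      version_mismatch - (name, listed version, observed version) tuples
      missing_security - listed security software not found on the AIS
    """
    findings: Dict[str, list] = {"unauthorized": [], "version_mismatch": [],
                                 "missing_security": []}
    seen = set()
    for name, version in observed.items():
        key = name.lower()
        seen.add(key)
        entry = authorized.get(key)
        if entry is None:
            findings["unauthorized"].append(name)
        elif entry.version != version:
            findings["version_mismatch"].append((entry.name, entry.version, version))
    # Security software is required, so its absence is a finding too.
    for key, entry in authorized.items():
        if entry.category == "security" and key not in seen:
            findings["missing_security"].append(entry.name)
    for items in findings.values():
        items.sort()
    return findings


# Constructed observed inventory: anti-virus absent, audit tool updated without
# evaluation, and an unlisted utility someone introduced.
OBSERVED_INVENTORY = {
    "TrustedOS": "4.1",
    "AuditWatch": "2.1",
    "ProgAnalyzer": "1.2",
    "NetSniff": "0.9",
}

if __name__ == "__main__":
    for kind, items in check_inventory(OBSERVED_INVENTORY, load_authorized()).items():
        print(f"{kind}: {items or 'none'}")
```

Each finding maps to a 5.2 procedure: an unauthorized entry goes through the introduction and security-impact evaluation before it is added to the table, a version mismatch is re-evaluated, and missing security software is reinstalled before the AIS is used for program processing.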

6.0 DATA STORAGE MEDIA

This section provides a description of the types of data storage media to be used in the Customer's pro-
gram and their control.

6.1 Labeling and Storing Media.

Describe how the data storage media will be labeled (identify the classification level and contents).

Discuss how classified and unclassified data storage media is handled and secured in the SAPF (e.g.,
safes, vaults, locked desk).

6.2 Media Clearing, Sanitization, and Destruction.

Describe the procedures or methods used to clear, sanitize, and destroy the data storage media.
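The Supplement leaves the clearing method to the procedure the Provider describes and the Customer approves. As an added example, not code from the Supplement or from any approved procedure, the routine below shows the overwrite-and-verify shape such a clearing procedure for magnetic media usually takes: a fixed byte, its complement, then a keyed pseudo-random stream, with every addressable location read back and compared after the last pass. The sample file content, the pass patterns and the use of a SHAKE256 stream (chosen so the random pass can be regenerated for verification) are this example's own assumptions. The caveat a practitioner needs: this reaches only locations the host can address, and flash or SSD media remap and over-provision blocks, so on such media this is at best clearing, never sanitization; the Customer-approved method (degaussing, firmware sanitize or physical destruction) governs what may leave the SAPF.

```python
"""Added example, not from the NISPOM Supplement: an overwrite-and-verify
clearing routine of the kind a section 6.2 procedure might describe, run
against a file path or a block-device path.

Passes: a fixed byte, its complement, then a pseudo-random stream derived from
a per-run key, so the verify step can regenerate the same bytes and compare
every addressable location.  Constructed sample content is used so the example
runs offline.  Caveat: only host-addressable locations are reached; flash/SSD
media remap and over-provision blocks, so this is not sanitization there."""

import hashlib
import os
import secrets
import tempfile
from typing import Iterator, Optional

BLOCK = 1 << 16  # bytes written or read per I/O

# Constructed sample content standing in for a classified file.
SAMPLE_CONTENT = b"SECRET//SAR sample record 0001 " * 4


def make_sample_file() -> str:
    """Create a temporary file holding SAMPLE_CONTENT and return its path."""
    fd, path = tempfile.mkstemp(prefix="clear-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_CONTENT)
    return path


def _size_of(path: str) -> int:
    # os.path.getsize reports 0 for block devices; seek to the end instead.
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        return f.tell()


def _stream(key: bytes, size: int, pattern: Optional[int]) -> Iterator[bytes]:
    """Bytes for one pass: a fixed byte, or a SHAKE256 stream keyed by
    (key, block index) so verification can regenerate exactly the same bytes."""
    idx, remaining = 0, size
    while remaining > 0:
        n = min(BLOCK, remaining)
        if pattern is None:
            yield hashlib.shake_256(key + idx.to_bytes(8, "big")).digest(n)
        else:
            yield bytes([pattern]) * n
        idx += 1
        remaining -= n


def _read_exact(f, n: int) -> bytes:
    buf = bytearray()
    while len(buf) < n:
        piece = f.read(n - len(buf))
        if not piece:
            break
        buf += piece
    return bytes(buf)


def _write_all(f, chunk: bytes) -> None:
    view = memoryview(chunk)
    while view:
        view = view[f.write(view):]  # raw I/O may write only part of a chunk


def _overwrite(path: str, size: int, key: bytes, pattern: Optional[int]) -> None:
    with open(path, "r+b", buffering=0) as f:
        for chunk in _stream(key, size, pattern):
            _write_all(f, chunk)
        os.fsync(f.fileno())  # push this pass to the medium before the next


def _verify(path: str, size: int, key: bytes, pattern: Optional[int]) -> bool:
    """Read back the whole extent and compare with what the pass should have
    written; any mismatch means the clearing cannot be certified."""
    with open(path, "rb", buffering=0) as f:
        for expected in _stream(key, size, pattern):
            if _read_exact(f, len(expected)) != expected:
                return False
    return True


def clear_media(path: str, fixed: int = 0x00) -> bool:
    """Three passes over every addressable byte of `path`, then full read-back
    verification of the last pass.  True only if the read-back matched everywhere."""
    size = _size_of(path)
    key = secrets.token_bytes(32)  # per-run key for the random pass
    for pattern in (fixed & 0xFF, (~fixed) & 0xFF, None):
        _overwrite(path, size, key, pattern)
    return _verify(path, size, key, None)


if __name__ == "__main__":
    p = make_sample_file()
    print("cleared and verified:", clear_media(p))
    os.remove(p)
```

The verification result, not the fact that the passes were run, is what the media log under section 6.4 should record; a False return means the medium stays under classified control until it is cleared again or destroyed.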

6.3 Media Movement.

Describe the procedures (or receipting methods) for moving data storage media into and out of the
SAPF.

Describe the procedures for copying, reviewing, and releasing information on data storage media.

6.4 Media Control.

Describe the method of controlling data storage media.

7.0 AIS SECURITY AWARENESS PROGRAM

Discuss the Provider's security awareness program.

Indicate that the AIS users are required to sign a statement acknowledging that they have been briefed
on the AIS security requirements and their responsibilities.

8.0 GLOSSARY OF TERMS

Appendix D
AIS Certification and Accreditation
A. CERTIFICATION

The ISSR, working jointly with the Customer, is responsible for coordinating and supporting the certification process.
The ISSR is responsible for certifying, or coordinating the certification of, the AIS or network. Certification, which is
a prerequisite for accreditation, is accomplished as follows:

1. Identify operational requirements, define the Mode of Operation, and identify applicable security requirements,
in accordance with this document and applicable documents referenced herein.

2. Conduct a Risk Management Review to identify risks and needed countermeasures and specify additional secu-
rity requirements (countermeasures) based on the review.

3. Prepare an AISSP. Refine the plan throughout the certification process.

4. Conduct a test and inspection to establish the extent to which the AIS performs the security functions needed to
support the mode of operation and security policy for the system as outlined in the AISSP. The Customer will
require a written certification report.

5. Operating in the compartmented or multilevel mode requires the development of an AIS Technical Evaluation
Plan. After Customer concurrence, accomplish testing as described herein. AIS security testing provides assur-
ance to the Customer that the subject AIS(s) or network(s) meets the security requirements for operating in the
compartmented or multilevel mode. Such testing is a prerequisite for Customer accreditation.

a. Coordination, Scheduling, and Testing. The security test may be jointly conducted by the Provider and the Cus-
tomer.

b. Testing Prerequisite. The Provider-developed AIS Technical Evaluation Test Plan will be coordinated and/or
approved by the Customer.

B. ACCREDITATION

Accreditation is the Customer's authorization and approval for an AIS or network to process sensitive data in an oper-
ational environment. The Customer bases the accreditation on the results of the certification process. Following certi-
fication, the Customer reviews the risk assessment, employed safeguards, vulnerabilities, and statement of level of
risk and makes the accreditation decision: accept the risk and grant approval to operate; grant interim approval to oper-
ate (IATO) and fix deficiencies; or shut down, fix deficiencies, and recertify.

Appendix E
References
1. U.S. Government Publications

OMB Circular A-130 Management of Federal Information Resources; Appendix III, Security of Federal AISs

PL-99-474 Computer Fraud and Abuse Act of 1986

PL-100-235 Computer Security Act of 1987

EO 12333 United States Intelligence Activities

EO 12356 National Security Information

EO 12829 National Industrial Security Program

2. National Telecommunications & Information Systems Security (NTISS) Publications

NTISSAM COMPUSEC/1-87 Advisory Memorandum on Office Automation Security Guideline

NTISSI 300 National Policy on Control of Compromising Emanations

NTISSI 7000 TEMPEST Countermeasures for Facilities

NTISSIC 4009 National Information Systems Security (INFOSEC) Glossary

NACSIM 5000 TEMPEST Fundamentals

NACSIM 5201 TEMPEST Guidelines for Equipment/System Design Standard

NACSIM 5203 Guidelines for Facility Design and Red/Black Installation

NACSIM 7002 COMSEC Guidance for ADP Systems

3. National Computer Security Center (NCSC) Publications (The Rainbow Series)

NCSC-WA-002-85 Personal Computer Security Considerations

NCSC-TG-001 A Guide to Understanding Audit in Trusted Systems [Tan Book]

NCSC-TG-002 Trusted Product Evaluation - A Guide for Vendors [Bright Blue Book]

NCSC-TG-003 A Guide to Understanding Discretionary Access Control in Trusted Systems [Neon Orange Book]

NCSC-TG-004 Glossary of Computer Security Terms [Aqua Book]

NCSC-TG-005 Trusted Network Interpretation [Red Book]

NCSC-TG-006 A Guide to Understanding Configuration Management in Trusted Systems [Amber Book]

NCSC-TG-007 A Guide to Understanding Design Documentation in Trusted Systems [Burgundy Book]

NCSC-TG-008 A Guide to Understanding Trusted Distribution in Trusted Systems [Lavender Book]

NCSC-TG-009 Computer Security Subsystem Interpretation of the Trusted Computer System Evaluation Criteria
[Venice Blue Book]

NCSC-TG-011 Trusted Network Interpretation Environments Guideline: Guidance for Applying the Trusted
Network Interpretation [Red Book]

NCSC-TG-013 Rating Maintenance Phase Program Document [Pink Book]

NCSC-TG-014 Guidelines for Formal Verification Systems [Purple Book]

NCSC-TG-015 A Guide to Understanding Trusted Facility Management [Brown Book]

NCSC-TG-017 A Guide to Understanding Identification and Authentication in Trusted Systems [Lt. Blue Book]

NCSC-TG-018 A Guide to Understanding Object Reuse in Trusted Systems [Lt. Blue Book]

NCSC-TG-019 Trusted Product Evaluation Questionnaire [Blue Book]

NCSC-TG-020A Trusted UNIX Working Group (TRUSIX) Rationale for Selecting Access Control
List Features for the UNIX System [Gray Book]

NCSC-TG-021 Trusted Database Management System Interpretation [Lavender Book]

NCSC-TG-022 A Guide to Understanding Trusted Recovery [Yellow Book]

NCSC-TG-025 A Guide to Understanding Data Remanence in Automated Information Systems [Green Book]

NCSC-TG-026 A Guide to Writing the Security Features User's Guide for Trusted Systems [Peach Book]

NCSC-TG-027 A Guide to Understanding Information System Security Officer Responsibilities for Automated
Information Systems [Turquoise Book]

NCSC-TG-028 Assessing Controlled Access Protection [Violet Book]

NCSC C-Technical Report-001 Computer Viruses: Prevention, Detection, and Treatment

NCSC C-Technical Report 79-91 Integrity in Automated Information Systems (Sept. 91)

NCSC C-Technical Report 32-92 The Design and Evaluation of INFOSEC Systems: The Computer Security
Contribution to the Composition Discussion

4. Department of Defense Publications

NSA/CSS Manual 130-2 Media Declassification and Destruction Manual

Contractor Guidelines for AIS Processing of NSA SCI

DoD 5200.28-M Automated Information System Security Manual

DoD 5200.28-STD DoD Trusted Computer System Evaluation Criteria [Orange Book]

DoD 5220.22-M National Industrial Security Program Operating Manual

CSC-STD-002-85 DoD Password Management Guidelines [Green Book]

CSC-STD-003-85 Guidance for Applying the DoD Trusted Computer System Evaluation Criteria in
Specific Environments [Yellow Book]

CSC-STD-004-85 Technical Rationale Behind CSC-STD-003-85: Computer Security Requirements [Yellow Book]

CSC-STD-005-85 DoD Magnetic Remanence Security Guideline

NSA Information Systems Security Products and Services Catalogue

NSA/CSS Spec. L14-4-A55 Section 5, Degaussing Level Performance Test Procedures

5. Director of Central Intelligence Directives

DCID 1/7 Security Controls on the Dissemination of Intelligence Information, [For Official
Use Only]

DCID 1/14 Minimum Personnel Security Standards and Procedures Governing Eligibility for
Access to Sensitive Compartmented Information [Unclassified]

DCID 1/16 Security Policy for Uniform Protection of Intelligence Processed in Automated
Information Systems and Networks [SECRET]

DCID 1/16 Supplement Security Manual for Uniform Protection of Intelligence Processed in Automated
Information Systems and Networks [SECRET] (Supplement to DCID 1/16)

DCID 1/19 DCI Security Policy Manual for SCI Control Systems [UNCLASSIFIED]

DCID 1/20 Security Policy Concerning Travel and Assignment of Personnel With Access to
Sensitive Compartmented Information (SCI) [UNCLASSIFIED]

DCID 1/21 Manual for Physical Security Standards for Sensitive Compartmented Information
Facilities (SCIFs) [For Official Use Only]

DCID 1/22 Technical Surveillance Countermeasures [CONFIDENTIAL]

DCID 3/14-1 Information Handling Committee [Unclassified]

DCID 3/14-5 Annex B, Intelligence Community Standards for Security Labeling of Removable
ADP Storage Media [Unclassified]

6. Legislation, Directives, and Standards

Atomic Energy Act of 1954, as amended

National Security Act of 1947

National Security Decision Directive 298, "Operations Security"

Telephone Security Group standards
