
Joint DoDIIS/Cryptologic SCI Information Systems Security Standards
31 March 2001
Revision 2
EXECUTIVE SUMMARY
(U) The policy of the U.S. Government is that all classified information must be appropriately safeguarded to assure the confidentiality, integrity, and availability of that information. This document provides procedural guidance for the protection, use, management, and dissemination of Sensitive Compartmented Information (SCI), and is applicable to the Department of Defense (DoD) to include DoD components and Government contractors who process SCI. The combination of security safeguards and procedures used for Information Systems (IS) shall assure compliance with DCID 6/3, NSA/CSS Manual 130-1 and DIAM 50-4. The JDCSISSS is a technical supplement to both the NSA/CSS Manual 130-1 and DIAM 50-4.
(U) The prime purpose of this document is to provide IS security implementation guidance relative to the management of SCI and the automated infrastructure used to process this information at the organizational level.
(U) Nothing in this document shall be construed to countermand or waive provisions of any Executive Order, National Policy, Department of Defense (DoD) Directive, or other provisions of regulatory policies or laws which are beyond the scope of authority of the Directors of the Defense Intelligence Agency (DIA) and the National Security Agency/Central Security Service (NSA/CSS).
TABLE OF CONTENTS
Executive Summary
Chapter 1--General Information
1.1 BACKGROUND
1.2 POLICY
1.3 SCOPE AND APPLICABILITY
1.4 REFERENCES, ACRONYMS, AND DEFINITIONS
1.5 ROLES AND RESPONSIBILITIES
1.5.1 Principal Accrediting Authority (PAA)
1.5.2 Data Owner
1.5.3 Designated Approving Authority (DAA)
1.5.4 DAA Representative (Rep)/Service Certifying Organization (SCO)
1.5.5 NSA/CSS Senior Information Systems Security Program Manager (SISSPM)
1.5.6 Service Cryptologic Element (SCE) Information Systems Security Program Manager (ISSPM)
1.5.7 Commander/Commanding Officer Responsibility
1.5.8 Information Systems Security Manager (ISSM)
1.5.9 Information Systems Security Officer (ISSO)
1.5.10 Program Management Office (PMO)/Program Manager (PM)
1.5.11 Privileged Users (e.g., System Administrator (SA))
1.5.12 General Users
1.5.13 Prohibited Activities
1.6 CONFIGURATION CONTROL BOARD (CCB) OVERSIGHT
1.7 OTHER DOCUMENTATION SUPERSESSION
Chapter 2--Life Cycle Security
2.1 PURPOSE
2.2 SCOPE
2.3 PROCEDURES
2.3.1 Concepts Development Phase
2.3.1.1 IS Security Design
2.3.1.2 Statement of Work (SOW) Requirements
2.3.1.3 Additional Documentation
2.3.2 Design Phase
2.3.2.1 Levels-of-Concern
2.3.2.2 Protection Levels
2.3.3 Development Phase
2.3.4 Test, Certification and Accreditation Phase
2.3.4.1 Time Line for Certification Activities
2.3.5 Deployment and Operations Phase
2.3.6 Recertification Phase
2.3.7 Disposal Phase
Chapter 3--Signals Intelligence (SIGINT) Systems Accreditation Process and Procedures
3.1 PURPOSE
3.2 SCOPE
3.3 DISCUSSION
3.3.1 Accreditation
3.3.2 Configuration Management
3.4 ACCREDITATION IN GENERAL
3.4.1 Formal Accreditation
3.4.2 Issuing Accreditation
3.4.3 Reaccreditation
3.4.4 Rescinding Accreditation
3.4.5 Accreditation 3-Year Anniversary Review
3.4.6 Authorized Exemptions From Accreditation
3.4.7 IS Approval-To-Operate
3.4.8 TEMPEST
3.5 ACCREDITATION PROCEDURES
3.5.1 Accreditation Requests
3.5.1.1 Accreditation Requests Initiated at the Unit Level
3.5.1.2 Accreditation Initiated Through Downward-Directed Programs
3.5.1.3 Accreditation at a Single-Service Site Including the Regional SIGINT Operation Centers
3.5.1.4 Accreditation at a Multi-Service Site
3.5.1.4.1 Operational Systems Under Control of the Commander/Commanding Officer
3.5.1.4.2 SCE Unique Systems Not Directly Supporting The Primary Mission
3.5.1.4.3 Assignment of a HSO at a Multi-Service Site
3.5.1.5 Accreditation by SCE Tenants Located at Non-SCE Interservice or Intercommand Sites
3.5.2 Submitting The System Security Plan (SSP)
3.5.2.1 Single Accreditation
3.5.2.2 Type Accreditation
3.5.2.3 Format and Content
3.5.3 SSP and Database Classification
3.5.3.1 Database Classification
3.5.3.2 SSP Classification
Chapter 4--Department of Defense Intelligence Information Systems (DoDIIS) Site-Based Accreditation
4.1 PURPOSE
4.2 SCOPE
4.3 SYSTEM CERTIFICATION AND ACCREDITATION PROCEDURES
4.3.1 System Certification and Accreditation Compliance