1. Purpose. The purpose of this instruction is to:
a. Implement references (a) and (b).
b. Set forth the policy and guidelines for the AIS security program which applies the policy and principles of AIS security related to computerbased systems.
2. Cancellation. NAVTELCOMINST 5239.1.
3. Scope. This instruction applies to:
a. Naval Computer and Telecommunications Command (NAVCOMTELCOM) headquarters, organizational components, and claimant activities. All AISs, personal computers (PCs), networks, and other computer resources that process and/or connect to long-haul telecommunications that process information up to and including Top Secret.
b. Government sponsored contractors who process government data on contractor owned or Government owned/controlled AISs, networks or computer resources on or off the NAVCOMTELCOM claimant premises.
c. All AISs, networks and computer resources designed, developed or procured by NAVCOMTELCOM and claimant activities.
a. Activities that operate AISs and networks which process classified data may do so only if accredited or granted Interim Authority to Operate (IATO) by the appropriate Designated Approving Authority (DAA) or Office of Primary Responsibility (OPR).
b. Commanding officers shall place emphasis on and ensure security requirements are implemented for AISs, networks and computer resources which are under their operational, developmental, or access control.
c. The use of AIS software acquired from private (non-government or noncontracted) or public domain sources is prohibited unless approved by the Automated Data Processing Security Officer (ADPSO) who has security responsibility for the cognizant system.
d. The use of AISs, networks, and computer resources is restricted to official business only.
e. The introduction and use of privatelyowned AIS devices to process official data/information is prohibited unless approved by the activity ADPSO.
f. The reproduction and application of copyrighted software must be accomplished under existing copyright laws.
5. Responsibilities. To ensure the requirements of reference (a) and NAVCOMTELCOM AIS security programs are developed, implemented and maintained, the following responsibilities and authority are assigned as indicated:
a. NAVCOMTELCOM Headquarters
(1) NAVCOMTELCOM is designated as the primary agent for the management, execution, and oversight of the NAVCOMTELCOM AIS security program.
(2) The ADPSO is appointed as the single focal point for operational AIS security program implementation matters and is assigned the following responsibilities:
(a) General management, administration, coordination, implementation, and monitoring of the AIS security program, including security analysis, risk management, security test and evaluation (ST&E), inspection, and security accreditation.
(b) Ensuring the policies and requirements of Department of Navy (DON) and this instruction are implemented, and that security operating procedures are prepared, issued, and maintained for NAVCOMTELCOM operated systems and networks.
(c) Ensuring the minimum AIS program requirements in Appendix A are implemented.
(d) Monitoring implementation of directives, procedures. Directing actions to remedy security deficiencies and/or enhance the AIS security posture.
(e) Taking action to ensure ADP Systems Security Officers (ADPSSOs), Network Security Officers (NSO), or other AIS security officers are identified and appointed for the headquarters and claimant activities. NAVCOMTELCOM ADPSO is authorized to communicate directly with the applicable DAAs regarding the application of the AIS security program and related matters, and is authorized to request activities to provide support as required for the accomplishment of the NAVCOMTELCOM AIS security program objectives.
(3) The Assistant Chiefs of Staff (ACOS) within NAVCOMTELCOM headquarters are responsible for ensuring compliance with AIS security concepts of this instruction, and other applicable security directives which apply to AISs, networks, and computer resources which are under their management. Included within this responsibility are:
(a) Identifying and appointing, in writing, an individual ADPSSO to act as a focal point for AIS security matters within their directorate.
(b) Ensuring the AIS security policies of this instruction and higher level authority AIS security policies are executed for AISs, networks, and computer resources under their operational, developmental, and acquisition control.
b. NAVCOMTELCOM Claimant Activities
(1) The commanding officer is normally the DAA for computer systems and networks operated by his/her facility. The commanding officer grants security accreditation of computer systems, personal computer (PCs), local area networks (LANs), and communications equipment, in addition to granting interim authority to operate such systems. Systems which process SIOP/ESI will be accredited by CNO. See Appendix A.
(3) Appoint, in writing, an individual to be the activity's ADPSO for AIS security program matters. The activity's ADPSO should have direct access to the commanding officer and/or the commander of the activity. The activity ADPSO duties are defined in Appendix C.
6. AIS Security Program Elements. NAVCOMTELCOM DAAs and managers of AISs, networks, and computer resources must support and place an emphasis on the following elements:
a. Information Security. Ensure policies and procedures are implemented to identify, control, and protect information from unauthorized disclosure of data.
b. AIS/Computer Security. Responsible for ensuring technical and procedural methods are implemented to ensure an acceptable level of protection for AISs, networks, or other computer resources. Emphasis will be placed on the following:
(1) AIS Security Training and Awareness. All hands, civilian, military, and contractors should receive appropriate training and awareness information commensurate with their duties and responsibilities.
(2) Access Control. Technical controls, physical and procedural, must be put into place to ensure only authorized personnel with a needtoknow are allowed to gain access to and manipulate data.
(3) Security Features. Incorporate AIS security features in research and development projects.
(4) Audit. Newly developed systems must have appropriate audit features, both financial and security, built-in and protected from tampering throughout their life cycles.
(5) Vulnerability Reporting. DAAs must take the appropriate measures to prevent exploitation of vulnerabilities which have been identified in existing systems.
(6) Risk Assessment. Risk assessments should provide decision makers with the appropriate management tools to aid in securing systems with out undue administrative burden. Selecting an automated risk assessment method should be used to reduce the burden whenever feasible.
(7) Security Test and Evaluation (ST&E). All AISs shall be subject to a site and system specific ST&E. This is to ensure that the environmental and operational security requirements have been met. ST&E should be conducted when feasible by a third party approved by the DAA.
(8) Contingency Plans. Contingency plans must be developed for all systems essential to the performance of the mission. Contingency plans must be tested annually under realistic operational conditions.
(9) Analysis and Correction of Security Breaches and Service Failures. AIS centers should provide a method of feedback for actual operational problems to the system managers ensuring actions are taken promptly that will result in permanent improvements to the system.
c. Life Cycle Management (LCM). To ensure compliance with security policies, action shall be taken throughout the life cycle of AISs, networks, and other computer resources.
(1) Ensuring the early and continuous involvement of the OPRs, DAAs, security staff, and all users/data owners in defining and implementing security requirements of the system.
(2) Mandatory statements of security requirements will be included in the acquisition and procurement specifications for all AISs.
(3) Security will be built into the system whenever possible, to relieve the users of assessing and developing security for that system.
d. Communications Security. Preventive measures shall be taken to deny unauthorized persons access and/or information from telecommunications of AISs. Additionally, ensure the authenticity of such communications.
e. Personnel Security. All individuals shall be screened to ensure a level of trustworthiness commensurate with their duties.
f. Physical Security. Measures will be taken to safeguard personnel, prevent unauthorized access to equipment, installations, material, computer media, and documents. In addition, provide safeguards against espionage, sabotage, damage, and theft.
g. Emanations Security. All AISs must be in compliance with TEMPEST guidance provided in OPNAVINST C5510.93.
7. Terms. Glossary of terms are provided in Appendix D.
/s/K. L. LAUGHTON
Distribution: SNDL FG2 Naval Computer and Telecommunications Stations and NAVCOMMSTA Stockton FG4 Naval Computer and Telecommunications Activity, San Diego FG5 Radio Station (Jim Creek only) FG6 Naval Computer and Telecommunications Area Master Stations FG9 Chief, Navy-Marine Corps MARS FG13 Navy Resale Activities FL4 NARDAC (San Francisco only) FE4 Security Group Activity (ADAK only) FE6 DCMS C46A Naval Telecommunication Centers C46B NAVCOMM Detachments C46C Navy Radio transmitting Facility C46D Navy Radio Receiver Facility C46E Navy Link Station C46F NCTAMS LANT Detachments C46G CNCTC Resale Activity Detachments HQ Reserve Unit NAVTELSYSIC NAVEMSCEN
1. Program Foundation. In the development of an AIS security program the following are the basic rules to apply:
a. Each AIS, network or computer resource will be accredited to operate within the DAA approved set of security requirements. Standalone microcomputers may be grouped for accreditation purposes provided the physical security, personnel security, and environment are alike.
b. AISs, networks and computer resources will be accredited by the appropriate DAA. The commanding officer will be the DAA for AISs under their purview. CNO will be the DAA for all SIOP/ESI systems. SIOP/ESI accreditations will be forwarded to CNO via COMNAVCOMTELCOM.
c. Commands having AISs without accreditation may request an Interim Authority to Operation (IATO) from the appropriate DAA not to exceed 1 year.
d. Accreditation or IATO will be granted by system or group of systems. The DAA may determine the most efficient method of grouping systems while maintaining system operability and ensuring security.
e. Accreditation will be renewed at least once every 3 years, or when changes occur in configuration, level of data processed, network, etc.
2. Security Implementation. As specified by SECNAV all computer resources that process or handle classified or sensitive unclassified information shall implement Class C2 functionality by the end of the 1992 calendar year. (Controlled Access Protection) as defined in DODDIR 5200.28STD.
a. Class C2 protection provides for discretionary access control, memory clearing before reuse, individual accountability and audit trails. Implementation of Class C2 security for all appropriate systems by established time frames may not be feasible if the required software technology is not available. Activities may request waivers under these conditions.
b. Personal Computers (PCs) will be protected by hardware, software and Security Operating Procedures (SOPs) to provide reasonable security until such time as effective C2 class protection becomes available for Pcs.
c. AISs which must meet higher level of trust in accordance with DODDIR 5200.28 STD must meet system certification. Project/program managers shall certify to the users and the DAA that systems security requirements have been satisfied. Additionally, specify any constraints on the system or its environment necessary to maintain the certification.
3. Program Requirements. The DON AIS Security Guidelines of December 1990, can be used for guidance in preparing documentation.
a. Program Planning
(1) Appoint an AIS security staff. See Appendix C for specific duties of AIS security staff members.
(2) Perform AIS security surveys to determine the total number and the various kinds of AIS equipment which must be accredited.
(3) Develop Activity Accreditation Schedule for all AISs.
b. Risk Management. DAAs will ensure a continuing risk management process is in effect to minimize the potential for unauthorized disclosure of sensitive information, modification, and destruction of assets which may result in denial of service. This program will address emergency procedures for media, networks and resources. The risk management program provides a means of determining how much protection is in place, how much is required, and an economical way of providing the protection needed.
(1) Risk assessments are conducted prior to design approval and in support of accreditation. They are updated when a significant change has taken place in the system, or once every 3 years.
(2) SOP should be put into place to ensure the necessary procedures are followed to help the security posture of computer systems.
(3) A contingency plan will be developed, tested and maintained to sustain continued performance of the mission support and mission critical functions. The contingency plans must include disaster recovery as well as continued operation plans. Detail and complexity will be based on the value and criticality of the system.
(4) Security Test and Evaluation (ST&E). ST&E must be performed for every AIS. This is a method of testing the countermeasures which have been put into place to ensure they are affective. The appropriate DAA will be responsible for the ST&E and the final accreditation. Guidance on preparation of ST&E can be found in the DON AIS Security Guidelines of December 1990.
c. Accreditation. When requesting accreditation from the appropriate DAA the following information must be assembled:
(1) Letter of request for accreditation.
(2) AIS security survey.
(3) Activity AIS security schedule.
(4) Risk assessment.
(5) Contingency plan.
1. Data classification. Classification of data is divided into three categories; Classified, Sensitive Unclassified, and Unclassified.
a. Classified. Classified information includes Confidential, Secret, Top Secret, SIOPESI, SCI, etc.
b. Sensitive Unclassified. Any information which is determined to be:
(1) Sensitive/Sensitive Business. Information which is unclassified but requires special protection of limited distribution protection by Federal law or by nature of subject matter. (For Official Use Only (FOUO))
(2) Privacy Act. Information pertaining to an individual including, but not limited to, education, qualification, individual's name, identifying numbers, symbols, fingerprints, voice prints, or photographs.
(3) Financial. Information consisting of payroll, supplies, minor property, or plant property which requires protection against waste, fraud, and abuse.
(4) Proprietary/Privileged. Information requiring protection which is not common knowledge to the public, i.e., a limited rights agreement, exclusive property of a civilian corporation, equipment being evaluated by the government, contract information (i.e., awarding of contracts).
c. Unclassified. Information which does not fall into categories mentioned in 1a. and 1b.
2. Security Mode. Security mode is useful for categorizing AISs into groups based on the classification of information being processed and the clearance level of employees using the AIS.
a. Dedicated Security Mode. A mode of operation wherein all users have the clearance or authorization and needtoknow for all data handled by the AIS. If the AIS processes special access information, all users require formal access approval. In this mode, an AIS may handle a single classification level and/or category of information or a range of classification level and/or categories.
b. Multilevel Security Mode. A mode of operation that allows two or more classification levels of information to be processed simultaneously within the same system when not all users have a clearance or formal access approval of all data handled by the AIS.
c. Partitioned Security Mode. A mode of operation wherein all personnel have the clearance, but not necessarily formal access approval and needtoknow, for all information handled by the AIS.
d. System High Security Mode. A mode of operation wherein all users having access to the AIS process have a security clearance or authorization, but not necessarily a needtoknow, for all data handled by the AIS. If the AIS processes special access information, all users must have formal access approval.
3. Physical Control
a. Positive physical access controls must be established in order to prevent entry by unauthorized personnel into the AIS facility.
b. Physical access to data files and media libraries should be restricted to individuals who require access in the performance of their official duties.
c. The effects of natural disasters, such as fire and floods, will be minimized to the extent economically feasible by the use of the detection equipment, extinguishing systems, and well conceived and tested emergency plans.
d. Building or facilities selected or designed to house computer equipment will have sufficient structural integrity to provide effective physical security at a reasonable cost.
4. User Access. An AIS, network or other computer resource must function in accordance with the "least privilege" principle (as defined in DODDIR 5200.28STD "Orange Book") so that each user is granted access to only the information to which the user is entitled by virtue of security clearance, of formal access approval, and only the resources necessary to perform assigned functions. In the absence of a specific positive grant of access, user access defaults to no access.
5. Individual Accountability
a. Access to data files and media should be restricted to personnel who require such access in the official performance of their duties.
b. Audit trails must be monitored within reasonable time frame (i.e., daily, biweekly, and weekly).
c. User access lists must be maintained for large application systems. Users who leave the command shall be removed from the access list within 3 working days.
d. Perform routine backups and maintain an inventory for recovery of AISs.
e. Systems which require passwords will comply with the requirements of CSCSTD00285.
6. Data Integrity. Assurances must be in place to protect the data being processed. Such as:
a. Audit Trails. Audit trails should be used whenever possible so the change content and authority can be tracked back to source documents. The audit trail must be reviewed on a timely basis by the appropriate authority.
b. Backups. The more frequently data is backed up, the greater reliability that data can be recovered. Backups should be stored offsite, when possible, for data recovery if a natural disaster should occur.
c. Data Access. Access must be limited to all AISs. Access allowed will depend on the sensitivity of the data involved and will be controlled by log on identification, data password, and access type allowed.
d. Password. Apply the following guidance:
(1) Passwords should be randomly selected, not obvious repetitive patterns, birth dates, etc., and no less than six different alphanumeric characters.
(2) Passwords should be controlled and changed so that all persons having passwords are authorized and known to the sponsor.
(3) Change passwords if it is known or suspected it was inadvertently disclosed during authorized activity.
(4) Do not change in the event of known or suspected misuse until the ADPSO is notified and directs the change.
a. Data. All humanreadable output must be marked to the highest classification. If the AIS does not have the capability of marking the output, then this must be accomplished manually. Automated markings are not considered reliable unless the AIS meets a B1 security class.
b. Magnetic Media
(1) Color coded labels and/or disks in accordance with OPNAV 5510.1H will be used to distinguish the classification of all media.
(2) Secret and above media must be assigned control numbers and controlled by the activity.
(3) Magnetic media will be stored each night and provided protection to prevent data loss.
(4) Removable media which can be secured is encouraged for classified systems. Fixed internal hard disks should be avoided for classified processing. However, if removable media cannot be used, ensure proper physical and personnel security guidelines are implemented to the level of data being processed.
(5) Releasing Media to Unsecured Area. The DAA is responsible for ensuring the proper procedures are in place for magnetic media removal. When multiple levels of classified materials are processed, the activity DAA is responsible for ensuring inadvertent disclosure does not occur. If classified media must be removed, then the proper procedures shall be followed in accordance with NSCSTG025 Version2. Repair contractors should be cleared, the activity must ensure that media being used by the contractor is copyrighted and that Government files are not downloaded and removed from facility.
(6) Degaussing/Clearing. The following are current procedures:
(a) Sensitive Unclassified. Media which has been used from sensitive unclassified information will be formatted/erased before released/ reused.
(b) Downgrading. Classified floppy disks and magnetic hard disks can be degaussed with an approved degausser. Approved degaussers appear on the evaluated products list in the Information Systems Security Products and Service Catalog. In addition, classified hard disks can be downgraded by the overwrite procedures outlined in NCSCTG025 Version-2.
(c) Unusable Disks. Disks which have been rendered unusable must be destroyed. When an approved degausser is not available; floppy disks may be cut in half and placed in a burn bag. To purge hard drives, a type 1 degausser and hand-held magnets are used. If hand-held magnets are used, the magnet must be placed almost in direct contact with the disk. (See NCSC-TG-025 Version-2).
8. Operational Data. All data must be identified by its classification or sensitivity before being stored onto an AIS or network. Approval must be obtained from the data owner where appropriate.
9. Internal Security Mechanisms. When an AIS system becomes operational, software and files which provide internal security controls, passwords, and audit trails shall be safeguarded at the highest level data contained in the AIS. Access to internal security mechanisms will be controlled on a strict needtoknow basis.
10. Access Warning. An unauthorized access warning shall be displayed on all visual display devices (i.e., Cathode Ray Tubes (CRTs)) upon system startup, log on, or connection of all computer systems (local or remote). AISs and components which operate in dedicated or system high security mode should use printed labels to identify the highest level processed.
11. Public Disclosure. Prior to public disclosures of limitation, vulnerabilities, or capabilities, AISs must be in compliance with SECNAVINST 5720.44A and OPNAVINST 5510.1H.
12. Malicious Code. Procedures shall be in place to prevent malicious code.
a. Use only copyrighted software purchased by your activity.
b. When possible use standalone systems for downloading software from networks, bulletin boards, etc.
c. Use of software from bulletin boards is discouraged. If this software is used, test the software downloaded from bulletin boards by using it in a standalone environment, using anti-viral software, or other utility programs to ensure the software is clean. A high risk is involved with this type of software.
d. Remove disgruntled employees from access list of AISs to eliminate damage they might impose.
e. Message centers are required to virus scan all incoming disks. All users are encouraged to perform virus scanning on all disk media.
13. Privately Owned Resources. Use of privately owned or leased personal computers, microcomputers or public data networks to conduct official business is allowed only with prior written authorization of the cognizant DAA. Privately owned computers will not be used to process classified data.
14. Encryption. Type 1 encryption must be used when processing classified information. Encryption methods, standards and devices used to protect classified data being processed on AISs and networks must be in accordance with NSA guidance.
15. Interoperability. Security measures for systems connected to other systems via networks or long-haul communications will employ those security solutions/technology which will provide the optimum amount of integrity to satisfy the security requirements. This will be accomplished to the maximum extent feasible.
16. Communications Security. Cryptographic techniques and measures taken to deny unauthorized persons information derived from telecommunications of U.S. Government related to national security and to ensure the authenticity of any such communication.
17. Network/Communications Links. Communication circuits will be secure per the communications security program. AISs handling plain text classified will be installed in an approved Protected Distribution System (PDS). For accreditation purposes, a network shall be treated as: (1) an interconnection of an accredited AIS (which may be a network) or (2) a single distributed system.
18. Emanation Security. AISs and networks will comply with the emanations security (TEMPEST) requirements in OPNAVINST C5510.93.
19. Security Levels. As specified by the SECNAVINST 5239.2 and NAVSO P-5239-15 all AISs, networks and computer resources must meet a minimum of C2 functionality as described by the DODDIR 5200.28STD. Software and hardware security requirements should be determined in accordance with DODDIR 5200.28STD.
1. ADP Security Officer (ADPSO). The activity ADPSO will perform the following duties:
a. Develop and implement a Plan of Action and Milestones (POA&M) for accreditation of all AISs. Updates to the POA&M will be published at least semiannually.
b. Ensure the appropriate AIS security requirements are met by coordinating the command's Risk Management Program, Security Test and Evaluation (ST&E) process, and contingency planning process.
c. Coordinate with the activity Security Manager on matters concerning AIS security. Ensure all computer security incidents or violations are reported, documented, and investigated.
d. Review requests for accreditation and forward technical comments to the DAA.
e. Provide the staff with AIS security training on a yearly basis (minimal) or as needed.
f. Ensure an applicable number of ADPSSOs, NSOs, and other AIS security officials are appointed and trained. Specific duties and responsibilities of AIS security staff are outlined in Appendix C.
2. Network Security Officer (NSO). The NSO will be appointed for major networks which cross Unit Identification Codes (UICs). This appointment will be in writing by the activity commanding officer. The NSO will:
a. Ensure AIS security requirements are included in the network design and individual nodes also comply with the requirements prior to interfacing with the network. The security requirements will be agreed to in writing by the DAA and implemented before the node is connected to the network. Networks having multiple service members will be accredited jointly. Network accreditation will be based on the prior accreditation of each network node.
b. Promulgate the standard security procedures for network operations.
c. Ensure security measures and procedures used at network nodes fully support the security integrity of the network.
d. Serve as a liaison with all ADPSSOs in the network.
e. Ensure the network is protected at the level dictated by the highest level of data on the network.
f. Maintain a current inventory of all network hardware, software and systems for use in configuration management.
g. Report all security incidents to the ADPSO.
h. Assist the ADPSO in implementing a comprehensive AIS security program.
3. ADP System Security Officer (ADPSSO). The ADPSSO will execute an AIS Security Program and be responsive to operational requirements. The ADPSSO will:
a. Be the focal point for all security matters for the AISs assigned.
b. Execute the AIS security program as it applies to the assigned computer systems including preparing and submitting the accreditation support documentation.
c. Maintain an inventory of all AIS hardware, implemented system software releases, and major application software.
d. Monitor system activity, including identification of the levels and types of data handled by the computer systems, assignment of passwords, review of audit trails, outputs, etc., to ensure compliance with security directives and procedures.
e. Maintain liaison with remote facilities served by the computer system to ensure compliance with applicable security requirements including designation of a Terminal Areas Security Officer (TASO).
f. Conduct and document a risk assessment.
g. Implement appropriate safeguards required by directive or determined to be cost effective.
h. Assist the ADPSO in implementing a comprehensive AIS security program.
i. Develop and test annually the computer systems Contingency Plan.
4. Terminal Area Security Officer (TASO). The TASO will enforce all security requirements designated by the ADPSSO for remote terminal areas. The TASO will:
a. Be the focal point for all security matters for the assigned terminal(s).
b. Assist the ADPSSO in implementing a comprehensive computer security program.
c. Report computer security incidents to the ADPSSO.
ACCREDITATION: The formal management authorization for operation of a specific application of an AIS, network or computer resource, based on the results of a security certification and risk assessment. It is a formal decision by the Designated Approving Authority (DAA) that a system is approved to operate in a particular security environment meeting a prescribed set of security requirements.
ASSET: Any software, data, hardware, administrative, physical, communications, or personnel resource within an automated information system or network.
AUTOMATED INFORMATION SYSTEM (AIS): An assembly of computer hardware, software, and/or firmware configured to collect, create, communicate, compute, disseminate, process, store and/or control data or information.
CERTIFICATION: The formal statement made in support of the accreditation process, which establishes the extent that a specific application of an AIS, network or computer resource meets a set of specific technical security requirements.
COMPROMISING EMANATIONS: Unintentional relay of intelligence bearing signals which, if intercepted and analyzed, disclosed the classified information transmitted, received, handled or otherwise processed by any information processing equipment. TEMPEST is an unclassified name referring to investigations and studies of compromising emanations.
COMPUTER SECURITY: Measures required to protect against unauthorized (accidental or intentional) disclosure, modification, or destruction of AISs, networks, and computer resources or denial of service to process data. It includes consideration of all hardware and software functions, characteristics, and/or features; operational procedures, accountability procedures, and access controls at the central computer facility, remote devices; and personnel and communications controls needed to provide an acceptable level of risk for the AIS or network and for the data or information contained therein.
CONTINGENCY PLAN: A plan for emergency response, backup operations, and postdisaster recovery, maintained by an activity as a part of its security program. A comprehensive statement of all the planned actions to be taken before, during and after a disaster or emergency condition including documented, tested procedures which will ensure the availability of critical computer resources which will facilitate maintaining the continuity of operations in an emergency situation.
DATA INTEGRITY: The state that exists when data is unchanged from its source and has not been subjected to accidental or malicious modification, unauthorized disclosure or destruction.
DESIGNATED APPROVING AUTHORITY (DAA): The official who has the authority to decide that an AIS, network or computer resource may operate based on an acceptable level of risk considering the operational need for, and threats to, the system; and who is responsible for issuing an accreditation statement that records the decision.
DENIAL OF SERVICE: Action or actions that result in the inability of an AIS or any essential part to perform its designated mission, each by loss or degradation of operational capability.
LONGHAUL TELECOMMUNICATIONS: Networks spanning long geographic distances usually connected by telephone lines or satellite radio bands. Specifically, leased and governmentfurnished circuits or facilities that comprise Defense Communications Systems (DCS) and leased private line circuits for which mileage cost is charged as full air mile increments or cross tariff boundaries. Also includes services that cross local access and transport area boundaries.
NETWORK: The interconnection of two or more independent AIS components that provide for the transfer or sharing of computer system assets. It is composed of the communications medium and all components attached to the medium whose responsibility is the transfer of information. Such components may include AISs, packet switches, telecommunications controllers, key distribution centers and technical control devices.
RISK MANAGEMENT: A process through which undesirable events can be identified, measured, controlled and prevented to effectively minimize their impact or frequency of occurrence. The fundamental element of risk management is the identification of the security posture, i.e., the characteristics of the functional environment from a security perspective. Risk management identifies the impact of events on the security posture and determines whether or not such impact is acceptable and, if not acceptable, provides for corrective action. Risk management, ST&E and contingency planning are parts of the risk management process.
SAFEGUARDS: Any action, device, procedure, technique or other measure that reduces the vulnerability of a system.
SENSITIVE UNCLASSIFIED INFORMATION: Any information which the loss, misuse or unauthorized access to or modification of could adversely affect the U.S. national interest, the conduct of Department of the Navy programs or the privacy of Department of the Navy personnel (e.g., Freedom of Information Act (FOIA), exempt information and information whose distribution is limited by OPNAVINST 5510.161, Withholding of Unclassified Technical Data from Public Disclosure); including any information so identified and marked by authority of the head of any U.S. Government department or agency.
VIRUS: Code that covertly replicates itself onto previously uncontaminated
media without initiation by the operator or authorized users. Replication
usually occurs during copying of files to magnetic media, or during
computer to computer communications. The code usually contains malicious
logic that is triggered by some predetermined event. When triggered, the
code then takes a hostile action against host computer systems.