[National Security Directives - NSD]
************************************************************************
Document from the CPSR Internet Library
Ftp/Gopher/WAIS: cpsr.org    email: listserv@cpsr.org "help"
For more information contact: cpsr@csli.stanford.edu 415-322-3778
************************************************************************

F90-876 F90-933 NATIONAL SECURITY COUNCIL
F90-1159 F91-33C WASHINGTON, D.C., 20506

April 1, 1992

Dear Mr. Rotenberg:

This is in further response to your Freedom of Information Act (FOIA) request of September 13, 1990, for "a copy of the revised National Security Decision Directive 145, signed by the President on July 5, 1990." This letter also responds to referrals from the Department of Defense, dated September 28, 1990, and November 20, 1990 (DoD case number 90-FOI-1584/m), of your request to that agency for the same document.

The National Security Council (NSC) staff has completed its review of National Security Directive 42 and determined that a partial text version of the document may be released. The withheld portion of the document is properly classified under the provisions of Executive Order 12356 and, therefore, is exempt from disclosure under 5 U.S.C. 552 (b)(1).

Furthermore, the NSC staff has determined that the release of the format of NSD 42 could cause damage to the national security, and, therefore, the format of this document is properly classified under the provisions of Executive Order 12356. The format of this document is also denied under 5 U.S.C. 552 (b)(1).

A redacted copy of the partial text release is enclosed. You may appeal this denial by writing to the Executive Secretary, National Security Council, Washington, D.C. 20506, within sixty (60) days of the receipt of this letter.

We appreciate your patience while we processed your request.

Sincerely,

/sig/

Steven D. Tilly
Director Information Disclosure

Enclosure: a/s

Mr. Marc Rotenberg
Computer Professionals for Social Responsibility
1025 Connecticut Avenue, N.W.
Suite 1015
Washington, D.C. 20036

-----------------------------------------------------------------

UNCLASSIFIED

July 5, 1990

National Policy for the Security of National Security Telecommunications and Information Systems

Continuing advances in microelectronics technology have stimulated an unprecedented growth in the demand for and supply of telecommunications and information processing services within the government and throughout the private sector. As new technologies have been applied, traditional distinctions between telecommunications and information systems have begun to disappear. Although this trend promises greatly improved efficiency and effectiveness, it also poses significant security challenges. Telecommunications and information processing systems are highly susceptible to interception, unauthorized electronic access, and related forms of technical exploitation, as well as other dimensions of the foreign intelligence threat. The technology to exploit these electronic systems is widespread and is used extensively by foreign nations and can be employed, as well, by terrorist groups and criminal elements.

A comprehensive and coordinated approach must be taken to protect the government's national security telecommunications and information systems (national security systems) against current and projected threats. This approach must include mechanisms for formulating policy, overseeing systems security resources programs, and coordinating and executing technical activities.

This Directive establishes initial objectives of policies, and an organizational structure to guide the conduct of activities to secure national security systems from exploitation; establishes a mechanism for policy development and dissemination; and assigns responsibilities for implementation.
It is intended to ensure full participation and cooperation among the various existing centers of technical expertise throughout the Executive branch, and to promote a coherent and coordinated defense against the foreign intelligence threat to these systems. This Directive recognizes the special requirements for protection of intelligence sources and methods.

1. _Objectives_. Ensuring the security of national security systems is vitally important to the operational effectiveness of the national security activities of the government and to military combat readiness. I, therefore, direct that the government's capabilities for securing national security systems against technical exploitation threats be maintained or, if inadequate, improved to provide for:

a. Reliable and continuing assessment of threats and vulnerabilities, and implementation of appropriate effective countermeasures;

b. A technical base within the U.S. Government to achieve this security, and initiatives with the private sector to maintain, complement, or enhance that government technical base and to ensure information systems security products are available to secure national security systems; and

c. Effective and efficient application of U.S. Government resources.

2. _Policies_. In support of these objectives the following policies are established:

a. U.S. Government national security systems shall be secured by such means as are necessary to prevent compromise, denial, or exploitation;

b. Federal agencies shall require that national security systems operated and maintained by U.S. Government contractors likewise be secured.

3. _Implementation_. This Directive establishes an NSC Policy Coordinating Committee for National Security Telecommunications and Information Systems, an interagency group at the operating level, an executive agent and a national manager to implement these objectives and policies.

4.
_National Security Council/Policy Coordinating Committee for National Security Telecommunications and Information Systems_. The National Security Council/Policy Coordinating Committee (PCC) for National Security Telecommunications, chaired by the Department of Defense, under the authority of National Security Directives 1 and 10, assumed the responsibility for the National Security Telecommunications NSDD 97 Steering Group. By authority of this Directive, the PCC for National Security Telecommunications is renamed the PCC for National Security Telecommunications and Information Systems, and shall expand its authority to include the responsibilities to protect the government's national security telecommunications and information systems. When addressing issues concerning the security of national security telecommunications and information systems, the membership of the PCC shall be expanded to include representatives of the Secretary of State, the Secretary of the Treasury, the Attorney General, the Secretary of Energy, the Secretary of Commerce, and the Director of Central Intelligence. The National Manager for National Security Telecommunications and Information Systems Security shall be invited as an observer. The Policy Coordinating Committee shall:

a. Oversee the implementation of this Directive;

b. Develop policy recommendations and provide guidance to the operating level National Security Telecommunications and Information Systems Security Committee (NSTISSC);

c. Review and resolve matters referred to it by the NSTISSC in fulfilling the responsibilities outlined in paragraph 5, below;

d. Be subject to the policies of the Director of Central Intelligence on matters pertaining to the protection of intelligence sources and methods; and,

e. Recommend for Presidential approval additions or revisions to this Directive as national interests may require.

5. _The National Security Telecommunications and Information Systems Security Committee._

a.
The NSTISSC is established to consider technical matters and develop operating policies, procedures, guidelines, instructions, and standards as necessary to implement provisions of this Directive. The Committee shall be chaired by the Assistant Secretary of Defense (Command, Control, Communications and Intelligence) and shall be composed of a voting representative of each of the following:

The Secretary of State
The Secretary of the Treasury
The Secretary of Defense
The Attorney General
The Secretary of Commerce
The Secretary of Transportation
The Secretary of Energy
Director, Office of Management and Budget
Assistant to the President for National Security Affairs
Director of Central Intelligence
Chairman of the Joint Chiefs of Staff
Director, Federal Bureau of Investigation
Director, Federal Emergency Management Agency
Administrator, General Services Administration
The Chief of Staff, United States Army
The Chief of Naval Operations
The Chief of Staff, United States Air Force
Commandant, United States Marine Corps
Director, National Security Agency
Manager, National Communications System
Director, Defense Intelligence Agency

b. The NSTISSC shall:

(1) Develop such specific operating policies, procedures, guidelines, instructions, standards, objectives, and priorities as may be required to implement this Directive;

(2) Provide systems security guidance for national security systems to Executive departments and agencies;

(3) Submit annually to the Executive Agent an evaluation of the security status of national security systems with respect to established objectives and priorities;

(4) Approve the release of cryptologic national security systems technical security material, information, and techniques to foreign governments or international organizations.
The concurrence of the Director of Central Intelligence shall be obtained with respect to those activities which he manages;

(5) Establish and maintain a national system for promulgating the operating policies, instructions, directives, and guidance, which may be issued pursuant to this Directive;

(6) Establish permanent and temporary subcommittees as necessary to discharge its responsibilities;

(7) Make recommendations to the PCC for NSTISSC membership and establish criteria and procedures for permanent observers from other departments or agencies affected by specific matters under deliberation, who may attend meetings upon invitation of the Chairman; and,

(8) Interact, as necessary, with the National Communications System Committee of Principals established by Executive Order 12472 to ensure the coordinated execution of assigned responsibilities.

c. The Committee shall have two subcommittees, one focusing on telecommunications security and one focusing on information systems security. The two subcommittees shall coordinate their actions and recommendations concerning implementation of protective measures, which shall combine and coordinate both areas where appropriate.

d. The Committee shall have a permanent secretariat composed of personnel of the National Security Agency and such other personnel from Executive departments and agencies represented on the Committee as are requested by the Chairman. The National Security Agency shall provide facilities and support as required. Other Executive departments and agencies shall provide facilities and support as requested by the Chairman.

6. _The Executive Agent of the Government for National Security Telecommunications and Information Systems Security._

a.
Consistent with the authority for communications security given the Secretary of Defense in Executive Order 12333, the Secretary of Defense shall serve as Executive Agent of the Government for National Security Telecommunications and Information Systems Security and shall be responsible for implementing, under his signature, policies and procedures to:

(1) Ensure the development, in conjunction with Committee member departments and agencies, of plans and programs to fulfill the objectives of this Directive, including the development of necessary security architectures;

(2) Procure for and provide to Executive departments and agencies and, where appropriate, to government contractors and foreign governments, consistent with the laws of the United States, such technical security material, other technical assistance, and other related services of common concern as required to accomplish the objectives of this Directive;

(3) Approve and provide minimum security standards and doctrine for systems subject to this Directive; (U)

(4) Conduct, approve, or endorse research and development of techniques and equipment to secure national security systems; and,

(5) Operate, or coordinate the efforts, of U.S. Government technical centers related to national security telecommunications and information systems security.

b. The Executive Agent shall review and assess the National Manager's recommendations on the proposed national security telecommunications and information systems security programs and budgets for the Executive departments and agencies. Where appropriate, alternative systems security recommendations will be provided to agency heads, to National Security Council Committees and to the OMB. In addition, the Executive Agent shall submit, annually, the security status of national security systems with respect to established objectives and priorities through the National Security Council to the President.

7.
_The National Manager for National Security Telecommunications and Information Systems Security_. The Director, National Security Agency, is designated the National Manager for National Security Telecommunications and Information Systems Security and is responsible to the Secretary of Defense as Executive Agent for carrying out the foregoing responsibilities. In fulfilling these responsibilities the National Manager shall:

a. Examine U.S. Government national security systems and evaluate their vulnerability to foreign interception and exploitation. Any such activities, including those involving monitoring of official telecommunications, shall be conducted in strict compliance with law, Executive Order and implementing procedures, and applicable Presidential directive. No monitoring shall be performed without advising the heads of the agencies, departments, or services concerned;

b. Act as the U.S. Government focal point for cryptography, telecommunications systems security, and information systems security for national security systems;

c. Conduct, approve, or endorse research and development of techniques and equipment to secure national security systems;

d. Review and approve all standards, techniques, systems, and equipment related to the security of national security systems;

e. Conduct foreign computer security and communications security liaison, including entering into agreements with foreign governments and with international and private organizations regarding national security systems, except for those foreign intelligence relationships conducted for intelligence purposes by the Director of Central Intelligence. Any such agreements shall be coordinated with affected departments and agencies;

f. Operate such printing and fabrication facilities as may be required to perform critical functions related to the provisions of cryptographic and other technical security material or services;

g.
Assess the overall security posture of and disseminate information on threats to and vulnerabilities of national security systems;

h. Operate a central technical center to evaluate and certify the security of national security telecommunications and information systems;

i. Prescribe the minimum standards, methods and procedures for protecting cryptographic and other technical security material, techniques, and information related to national security systems;

j. Review and assess annually the national security telecommunications systems security programs and budgets of Executive departments and agencies of the U.S. Government, and recommend alternatives, where appropriate, for the Executive Agent;

k. Review annually the aggregated national security information systems security program and budget recommendations of the Executive departments and agencies of the U.S. Government for the Executive Agent;

l. Request from the heads of Executive departments and agencies such information and technical support as may be needed to discharge the responsibilities assigned herein;

m. Coordinate with the National Institute for Standards and Technology in accordance with the provisions of the Computer Security Act of 1987 (P.L. 100-235); and

n. Enter into agreements for the procurement of technical-security material and other equipment, and their provision to Executive departments and agencies, where appropriate, to government contractors, and foreign governments.

8. _The Heads of Executive Departments and Agencies shall_:

a. Be responsible for achieving and maintaining secure national security systems within their departments or agencies;

b. Ensure that policies, procedures, guidelines, instructions, and standards issued pursuant to this Directive are implemented within their departments or agencies; and

c.
Provide to the NSTISSC, the Executive Agent, and the National Manager, as appropriate, such information as may be required to discharge responsibilities assigned herein, consistent with relevant law, Executive Order, and Presidential directive.

9. _Additional Responsibilities_. The Director, Office of Management and Budget, shall:

a. Specify data to be provided during the annual budget review by Executive departments and agencies on program and budgets relating to security of their national security systems;

b. Consolidate and provide such data to the National Manager via the Executive Agent; and

c. Review for consistency with this Directive, and amend as appropriate, OMB policies and regulations which may pertain to the subject matter herein.

10. _Nothing in this Directive shall_:

a. Alter or supersede the existing authorities of the Director of Central Intelligence;

b. Authorize the Committee, the Executive Agent, or the National Manager authority to examine the facilities of other Executive departments and agencies without approval of the head of such department or agency, nor to request or collect information concerning their operation for any purpose not provided for herein;

c. Amend or contravene the provisions of existing law, Executive Order, or Presidential directive which pertain to the protection of sensitive information, to the protection of national security information, to the privacy aspects or financial management of information systems or to the administrative requirements for safeguarding such resources against fraud, waste, and abuse;

d. Provide authority to issue policies, procedures, guidelines, instructions, standards, or priorities or operate programs concerning security of systems other than national security systems;

e. Be intended to establish additional review processes for the procurement of information processing systems;

f.
Alter or rescind policies or programs begun under PD-24 or NSDD-145 that may be pertinent to national security systems. Policies or programs retained pursuant to this provision shall not be construed to apply to systems within the purview of the Computer Security Act of 1987 (PL100-235); or

[Approximately 2 paragraphs of material redacted]

11. For the purposes of this Directive the following terms shall have the meanings indicated:

a. _Telecommunications_ means the preparation, transmission, communications or related processing of information (writing, images, sounds or other data) by electrical, electromagnetic, electromechanical, electro-optical, or electronic means;

b. _Information Systems_ means any equipment or interconnected system or subsystems of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data and includes computer software, firmware, and hardware;

c. _Telecommunications and Information Systems Security_ means protection afforded to telecommunications and information systems in order to prevent exploitation through interception, unauthorized electronic access, or related technical intelligence threats, and to ensure authenticity. Such protection results from the application of security measures (including cryptosecurity, transmission security, emission security, and computer security) to systems which generate, store, process, transfer, or communicate information of use to an adversary, and also includes the physical protection of technical security material and technical security information;

d. _Technical security material_ means equipment, components, devices, and associated documentation or other media which pertain to cryptography or to the securing of telecommunications and information systems;

e. _National security systems_ are those telecommunications and information systems operated by the U.S.
Government, its contractors, or agents that contain classified information or, as set forth in 10 U.S.C. Section 2315, that involves intelligence activities, involves cryptologic activities related to national security, involves command and control of military forces, involves equipment that is an integral part of a weapon or weapon system, or involves equipment that is critical to the direct fulfillment of military or intelligence missions.

12. Except for ongoing telecommunications protection activities mandated by and pursuant to PD-24 and NSDD-145, NSDD-145 is hereby rescinded.

[Documents obtained by Computer Professionals for Social Responsibility under the Freedom of Information Act, April 1992. For more information on CPSR's work on cryptography and computer security, contact David Banisar (banisar@washofc.cpsr.org) or (202) 544-9240. For general information on CPSR, contact cpsr@csli.stanford.edu, Ph. (415) 322-3778.]