SUMMARY of CHANGE
AR 380-19
Information Systems Security

This new regulation--

- Consolidates AR 380-380, AR 530-2, and AR 530-3.
- Introduces the discipline of Information Systems Security (ISS) as an umbrella term covering the subdisciplines of computer security, communications security, electronic security, and control of compromising emanations (para 1-1).
- Is used in conjunction with its confidential supplement, AR 380-19-1, Control of Compromising Emanations (U) (para 1-1).
- Establishes the Deputy Chief of Staff for Intelligence (DCSINT) as the proponent for ISS policy and the Director of Information Systems for Command, Control, Communications, and Computers (DISC4) as the focal point for managing and implementing an ISS program in support of that policy (paras 1-4a and 1-4b).
- Requires the use of cost-effective ISS measures to respond to the specific threats and vulnerabilities associated with each information system (para 1-5a).
- Emphasizes the requirement to address security needs in the early stages of system development and throughout the system life cycle (para 1-5a).
- Establishes the Army Information Systems Security Program and defines an ISS hierarchy to execute this program in the Army (para 1-6).
- Establishes responsibilities of U.S. Army Information Systems Command to assist developers in identifying security requirements and U.S. Army Intelligence and Security Command to support operational systems under the U.S. Army Automated Information Systems Security Assessment Program (para 1-7).
- Categorizes automated information systems (AIS) based on the sensitivity of the data processed (para 2-2a).
- Defines the four authorized security modes of operation for all AIS: dedicated, systems high, partitioned, and multilevel (para 2-2b).
- Details minimum security requirements for all AIS that process classified or unclassified-sensitive information (para 2-3a).
- Requires all AIS that operate in the systems high security mode to achieve a C2 minimum level of trust as defined in DOD 5200.28-STD by 31 Dec 1992. Requires accreditation authorities of systems that operate in the partitioned or multilevel mode to establish a timetable for meeting the level of trust required by DOD 5200.28-STD (para 2-3b).
- Provides minimum standards for generating and using passwords to control access to AIS (para 2-15).
- Deletes the automated data processing Personnel Security and Surety Program and establishes personnel security measures founded on security investigations required by AR 380-67 as well as a training and awareness program (paras 2-16 and 2-17).
- Provides requirements for foreign national access to United States telecommunications and AIS (para 2-18).
- Contains updated standards on clearing, purging, and declassifying AIS media (para 2-21).
- Provides minimum security requirements for networks (para 2-23).
- Provides security criteria for use of employee-owned computers and computers at off-site locations (para 2-25).
- Establishes security requirements for laptop computers (para 2-27).
- Updates reporting requirements for AIS security incidents and technical vulnerabilities (paras 2-28 and 2-29).
- Contains revised policy direction for the U.S. Army Automated Information Systems Security Assessment Program, and documents the mission of the AIS Security Testing, Analysis, and Support Center (para 2-30).
- Defines accreditation requirements for AIS (chap 3).
- Establishes generic accreditation as a new concept authorized for use in accrediting systems within the Army (paras 3-1 and 3-2).
- Introduces "operational accreditation" and emphasizes the grouping of AIS as a part of operational accreditation (paras 3-1 and 3-3).
- Sets new accreditation authority levels (para 3-8).
- Prescribes minimum security standards for classified and unclassified-sensitive information in telecommunications systems (chap 4).
- Sets standards for approval of a protected distribution system for transmittal of classified information (para 4-6).
- Contains policy on risk management methodology and provides steps necessary for a commander or manager to determine cost-effective countermeasures to apply against validated risks (chap 5).
- Provides a format for accreditation packets for AIS (app C).

Headquarters
Department of the Army
Washington, DC
1 August 1990
Effective 4 September 1990

Army Regulation 380-19

Security

Information Systems Security

This UPDATE printing publishes a new regulation that consolidates AR 380-380, AR 530-2, and AR 530-3.

By Order of the Secretary of the Army:

CARL E. VUONO
General, United States Army
Chief of Staff

Official:

MILTON H. HAMILTON
Administrative Assistant to the Secretary of the Army

Summary. This regulation is a consolidation of several regulations that cover the separate areas of communications security (COMSEC), computer security (COMPUSEC), and electronic security (ELSEC). It implements national and Department of Defense (DOD) guidance contained in DOD directives governing security for information in an electronic form, including DOD Directives 5200.28, 5200.5, and 5200.19 (when used in conjunction with a separately distributed classified supplement, AR 380-19-1). It also provides the Army's implementation of sections 1 through 8, Act of 8 January 1988, Public Law 100-235, U.S. Statute at Large 101, pp. 1724-1730, cited as Computer Security Act of 1987. This regulation introduces Information Systems Security (ISS) as a discipline which encompasses the subareas of COMSEC, COMPUSEC, control of compromising emanations (TEMPEST), and ELSEC. It defines the Army Information Systems Security Program and prescribes a structure for implementing that program. This regulation provides specific policy on accreditation of automated information systems and prescribes a timetable for these systems to meet a minimum trusted computer class per DOD 5200.28-STD.
It also provides minimum security standards for transmitting classified and sensitive unclassified information.

Applicability. This regulation applies to the Active Army, the Army National Guard, and the U.S. Army Reserve. It applies to contractors who operate Government-owned or -leased telecommunications and automated information systems (TAIS). Contractors who process unclassified-sensitive information on contractor-owned TAIS are not governed by this regulation, but must comply with sections 1 through 8, Act of 8 Jan 88, PL 100-235, 101 Stat 1724-1730.

Internal control systems. This regulation is subject to the requirements of AR 11-2. It contains internal control provisions but does not contain checklists for conducting internal control reviews. These checklists appear in DA Circular 11-87-1.

Supplementation. Supplementation of this regulation and establishment of command and local forms are prohibited without prior approval from HQDA (DAMI-CIC), WASH DC 20310-1055.

Interim changes. Interim changes to this regulation are not official unless they are authenticated by the Administrative Assistant to the Secretary of the Army. Users will destroy interim changes on their expiration dates unless sooner superseded or rescinded.

Suggested improvements. The proponent agency of this regulation is the Office of the Deputy Chief of Staff for Intelligence. Users are invited to send comments and suggested improvements on DA Form 2028 (Recommended Changes to Publications and Blank Forms) directly to HQDA (DAMI-CIC), WASH DC 20310-1055.

Mobilization status. During mobilization or national emergency, this regulation remains in effect without change.

Distribution. Distribution of this publication is made in accordance with the requirements on DA Form 12-09-E, block number 2180, intended for command levels B, C, D, and E for Active Army, Army National Guard, and U.S. Army Reserve.