AR 380-19 Information Systems Security

                             SUMMARY of CHANGE

AR 380-19
Information Systems Security

This new regulation--

    - Consolidates AR 380-380, AR 530-2, and AR 530-3.

    - Introduces the discipline of Information Systems Security (ISS) as an
umbrella term covering the subdisciplines of computer security,
communications security, electronic security, and control of compromising
emanations (para 1-1).

    - Is used in conjunction with its confidential supplement, AR 380-19-1,
Control of Compromising Emanations (U) (para 1-1).

    - Establishes the Deputy Chief of Staff for Intelligence (DCSINT) as the
proponent for ISS policy and the Director of Information Systems for
Command, Control, Communications, and Computers (DISC4) as the focal point
for managing and implementing an ISS program in support of that policy
(paras 1-4a and 1-4b).

    - Requires the use of cost-effective ISS measures to respond to the
specific threats and vulnerabilities associated with each information
system (para 1-5a).

    - Emphasizes the requirement to address security needs in the early
stages of system development and throughout the system life cycle (para

    - Establishes the Army Information Systems Security Program and defines
an ISS hierarchy to execute this program in the Army (para 1-6).

    - Establishes responsibilities of U.S. Army Information Systems Command
to assist developers in identifying security requirements and U.S. Army
Intelligence and Security Command to support operational systems under the
U.S. Army Automated Information Systems Security Assessment Program (para

    - Categorizes automated information systems (AIS) based on the
sensitivity of the data processed (para 2-2a).

    - Defines the four authorized security modes of operation for all AIS:
dedicated, systems high, partitioned, and multilevel (para 2-2b).

    - Details minimum security requirements for all AIS that process
classified or unclassified-sensitive information (para 2-3a).

    - Requires all AIS that operate in the systems high security mode to
achieve a C2 minimum level of trust as defined in DOD 5200.28-STD by 31 Dec
1992. Requires accreditation authorities of systems that operate in the
partitioned or multilevel mode to establish a timetable for meeting the
level of trust required by DOD 5200.28-STD (para 2-3b).

    - Provides minimum standards for generating and using passwords to
control access to AIS (para 2-15).

    - Deletes the automated data processing Personnel Security and Surety
Program and establishes personnel security measures founded on the security
investigations required by AR 380-67 as well as a training and awareness
program (paras 2-16 and 2-17).

    - Provides requirements for foreign national access to United States
telecommunications and AIS (para 2-18).

    - Contains updated standards on clearing, purging, and declassifying AIS
media (para 2-21).

    - Provides minimum security requirements for networks (para 2-23).

    - Provides security criteria for use of employee-owned computers and
computers at off-site locations (para 2-25).

    - Establishes security requirements for laptop computers (para 2-27).

    - Updates reporting requirements for AIS security incidents and
technical vulnerabilities (paras 2-28 and 2-29).

    - Contains revised policy direction for the U.S. Army Automated
Information Systems Security Assessment Program, and documents the
mission of the AIS Security Testing, Analysis, and Support Center (para

    - Defines accreditation requirements for AIS (chap 3).

    - Establishes generic accreditation as a new concept authorized for use
in accrediting systems within the Army (paras 3-1 and 3-2).

    - Introduces "operational accreditation" and emphasizes the grouping of
AIS as a part of operational accreditation (paras 3-1 and 3-3).

    - Sets new accreditation authority levels (para 3-8).

    - Prescribes minimum security standards for classified and
unclassified-sensitive information in telecommunications systems (chap 4).

    - Sets standards for approval of a protected distribution system for
transmittal of classified information (para 4-6).

    - Contains policy on risk management methodology and provides steps
necessary for a commander or manager to determine cost-effective
countermeasures to apply against validated risks (chap 5).

    - Provides a format for accreditation packets for AIS (app C).

Headquarters                                      Army Regulation 380-19
Department of the Army
Washington, DC
1 August 1990                                     Effective 4 September 1990


                       Information Systems Security

This UPDATE printing publishes a new regulation that consolidates AR
380-380, AR 530-2, and AR 530-3.

By Order of the Secretary of the Army:

General, United States Army
Chief of Staff


Administrative Assistant to the
Secretary of the Army

Summary. This regulation is a consolidation of several regulations that
cover the separate areas of communications security (COMSEC), computer
security (COMPUSEC), and electronic security (ELSEC). It implements national
and Department of Defense (DOD) guidance contained in DOD directives
governing security for information in an electronic form, including DOD
Directives 5200.28, 5200.5, and 5200.19 (when used in conjunction with a
separately distributed classified supplement, AR 380-19-1). It also provides
the Army's implementation of sections 1 through 8, Act of 8 January 1988,
Public Law 100-235, U.S. Statute at Large 101, pp. 1724-1730, cited as
Computer Security Act of 1987. This regulation introduces Information
Systems Security (ISS) as a discipline which encompasses the subareas of
COMSEC, COMPUSEC, control of compromising emanations (TEMPEST), and ELSEC.
It defines the Army Information Systems Security Program and prescribes a
structure for implementing that program. This regulation provides specific
policy on accreditation of automated information systems and prescribes a
timetable for these systems to meet a minimum trusted computer class per DOD
5200.28-STD. It also provides minimum security standards for transmitting
classified and sensitive unclassified information.

Applicability. This regulation applies to the Active Army, the Army National
Guard, and the U.S. Army Reserve. It applies to contractors who operate
Government-owned or -leased telecommunications and automated information
systems (TAIS). Contractors who process unclassified-sensitive information
on contractor-owned TAIS are not governed by this regulation, but must
comply with sections 1 through 8, Act of 8 Jan 88, PL 100-235, 101 Stat

Internal control systems. This regulation is subject to the requirements of
AR 11-2. It contains internal control provisions but does not contain
checklists for conducting internal control reviews. These checklists appear
in DA Circular 11-87-1.

Supplementation. Supplementation of this regulation and establishment of
command and local forms are prohibited without prior approval from HQDA
(DAMI-CIC), WASH DC 20310-1055.

Interim changes. Interim changes to this regulation are not official unless
they are authenticated by the Administrative Assistant to the Secretary of
the Army. Users will destroy interim changes on their expiration dates
unless sooner superseded or rescinded.

Suggested improvements. The proponent agency of this regulation is the
Office of the Deputy Chief of Staff for Intelligence. Users are invited to
send comments and suggested improvements on DA Form 2028 (Recommended
Changes to Publications and Blank Forms) directly to HQDA (DAMI-CIC),
WASH DC 20310-1055.

Mobilization status. During mobilization or national emergency, this
regulation remains in effect without change.

Distribution. Distribution of this publication is made in accordance with
the requirements on DA Form 12-09-E, block number 2180, intended for command
levels B, C, D, and E for Active Army, Army National Guard, and U.S. Army