AR 380-19 Information Systems Security


Chapter 2

Computer Security

Section 1
General Policy

2-1. Overview

2-2. System sensitivity designation and mode of operation

2-3. Minimum requirements

Section II
Software Security

2-4. Software controls

2-5. Database management systems

2-6. Software security packages

2-7. Software design and test

Section III
Hardware Security

2-8. Hardware-based security controls

2-9. Maintenance personnel

Section IV
Physical Security

2-10. Security objectives and safeguards

2-11. Location and construction standards of a central computer complex

Site selection is a key factor in the establishment and maintenance of a secure operating environment. Ideally, any location selected to house an automated system would support an effective physical security system. Architectural design is an equally important aspect of the site selection and security relationship. Physical provisions for restricting access should be incorporated into the initial design. While it is not practical to establish firm Army-wide standards governing the location of such systems, the factors below will be considered and will be implemented in the site selection process when appropriate and feasible.

2-12. Mainframe computer equipment room standards

2-13. Physical security standards for small computers and other automated information systems

Section V
Procedural Security

2-14. Reporting and accountability

2-15. Password control

Section VI
Personnel Security

2-16. Training and awareness program

All personnel who manage, design, develop, maintain, or operate AIS will undergo a training and awareness program consisting of-

2-17. Personnel security standards

2-18. Foreign national employees

Section VII
Automated Information System Media

2-19. Protection requirements

2-20. Labeling and marking media

2-21. Clearing, purging, declassifying, and destroying media

2-22. Nonremovable storage media

Section VIII
Network Security

2-23. Two views of a network

Section IX
Miscellaneous Provisions

2-24. Remote devices

2-25. Employee-owned and off-site processing

2-26. Tactical or battlefield automation systems (BAS)

2-27. Laptop or portable automated information systems

2-28. Automated information system security incidents

2-29. Technical vulnerability reporting (RCS: NSA/CSS 1057)

The Computer Security Technical Vulnerability Reporting Program (CSTVRP) provides for the collection, consolidation, analysis, reporting, or notification of generic technical vulnerabilities and corrective measures in support of the DOD computer security requirements. The program focuses on technical vulnerabilities in commercially available hardware, firmware, and software products acquired by the DOD and those altered commercial products supporting standard military applications. Research prototypes, preproduction commercial products, and site-specific vulnerabilities are specifically excluded from this program.

2-30. U.S. Army Automated Information Systems Security Assessment Program (AISSAP)

INSCOM manages and implements the AISSAP. This program includes teams available to visit Army and selected DOD and contractor-operated facilities to provide technical advice and assistance on AIS security as well as an AIS Security Testing, Analysis, and Support Center.