AR 380-19 Information Systems Security


Section I

Administrative Assistant

automatic data processing

automated information system(s)

Automated Information System Security Assessment Program

Army Information Systems Security Program

Army Materiel Command

Assistant Secretary of the Army for Research, Development and Acquisition

Automatic Digital Network

battlefield automation systems

controlled cryptographic item

Commanding General

computer security

communications security

Counter-Signals Intelligence

CS (1,2,3)
Classified Sensitive (1,2,3)

Computer Security Center

Computer Security Technical Vulnerability Reporting Program

Certified TEMPEST Technical Authority

Department of the Army

Designated Accreditation Authority

Defense Communications Agency

Director, Central Intelligence Directive

Deputy Chief of Staff for Intelligence

Deputy Chief of Staff for Logistics

Deputy Chief of Staff for Operations and Plans

Defense Data Network

Data Encryption Standard

Defense Intelligence Agency

Defense Intelligence Agency Manual

Director of Information Systems for Command, Control, Communications, and Computers

Department of Defense

electronic security

Evaluated Products List

Endorsed for Unclassified Cryptographic Item

ferrous conduit distribution

Federal Information Processing Standards

for official use only

facility security profile

Facility TEMPEST Assessment/Risk Analysis

Hostile Intelligence Service

Headquarters, Department of the Army

Interconnected accredited AIS

Information mission area

United States Army Intelligence and Security Command

Intrusion-resistant cable

Information Systems Security

Information Systems Security Manager

Information Systems Security Officer

Information Systems Security Program Manager

Joint Chiefs of Staff

limited access authorization

Local National

major Army Command

Memorandum, Joint Chiefs of Staff

North Atlantic Treaty Organization

National Computer Security Center

National Information Security Assessment Center

National Institute of Standards and Technology

National Security Agency

network security officer

National Telecommunications and Information Systems Security Committee

operations security

protected distribution system

program executive officer

program manager/project manager/product manager

research, development, test and evaluation

special access program

sensitive compartmented information

sensitive compartmented information facility

standard form

Single Integrated Operational Plan-Extremely Sensitive Information

standing operating procedure

special security officer

single trusted system

telecommunications and automated information systems

terminal area security officer

TEMPEST control officer

Temporary Duty

U.S. Army Training and Doctrine Command

Top Secret

Unclassified Sensitive (1,2)

Information Systems Command

U.S. Army Information Systems Engineering Command

Warning Notice-Intelligence Sources or Methods Involved

Worldwide Military Command and Control System

Section II

For an AIS, a specific type of interaction between a subject and object that causes information to flow from one to the other. In COMSEC, the capability and opportunity to gain detailed knowledge or to alter information or material.

Access control
The process of limiting access to the resources of an automated information system only to authorized programs, processes, or other systems (in a network).

For an AIS, the property that enables activities on an automated information system to be traced to individuals who may then be held responsible for their actions. In COMSEC, the principle that an individual is responsible for the safety and security of COMSEC equipment, keying material, and information entrusted to his or her care, and is answerable to proper authority for the loss or misuse of that equipment or information.

A formal declaration by the DAA that the AIS is approved to operate in a particular security mode using a prescribed set of safeguards. Accreditation is the official management authorization by a designated accreditation authority for operation of an automated information system in a particular security mode, using a prescribed set of safeguards based on the certification process, as well as other management considerations. The accreditation statement affixes security responsibility with the DAA and shows that due care has been taken for security.

Accreditation authority
See Designated Accreditation Authority(DAA)

AIS security incident
An occurrence involving classified or unclassified-sensitive information being processed by an AIS where there may be a deviation from the requirements of the governing security regulations, or a compromise or unauthorized disclosure of the information occurred or was possible.

Approval to operate
A term which is synonymous with accreditation.

The independent review and examination of a system's records and activities to test for adequacy of the system's controls, to ensure compliance with established policy and operational procedures, or to recommend any needed changes in controls, policy, or procedures.

Audit trail
A chronological record of system activities sufficient to enable the reconstruction, reviewing, and examination of the sequence of environments and activities surrounding or leading to an operation, procedure, or event in a transaction from inception to final results.

To verify the identity of a user, device, or other entity in a computer system, or to verify the integrity of data that have been stored, transmitted, or otherwise exposed to possible unauthorized modification.

A security measure designed to protect a communications system against acceptance of fraudulent transmissions or simulation by establishing the validity of a transmission, message, or originator, or a means of verifying an individual's eligibility to receive specific categories of information.

Automanual system
Programmable, hand-held cryptographic equipment used to perform encoding and decoding functions.

Automated information systems
Any assembly of computer hardware, software, or firmware configured to collect, create, communicate, compute, disseminate, process, store, or control data or information in an electronic form. AIS include stand-alone computers, small computers, word processors, multi-user computers, terminals, and networks.

Automated information systems security
Measures and controls that protect an automated information system against denial of service and unauthorized (accidental or intentional) disclosure, modification, or destruction of automated information systems and data.

The state when data are in the place needed by the user, at the time user needs them, and in the form needed by the user.

A restrictive label that has been applied to classified or unclassified data to increase the protection of the data by further restricting access to it. Individuals are granted access to special category information only after being granted formal access authorization.

Central computer facility
One or more computers with their peripheral and storage units, central processing units, and communications equipment in a single controlled area. Central computer facilities are those areas where computers, other than personal computers, are housed to provide necessary environmental, physical, or other controls.

The comprehensive evaluation of the technical and nontechnical security features of an automated information system, and other safeguards made in support of the accreditation process, that establish the extent to which a particular design and implementation meet a specified set of security requirements.

Classified defense information
Official information regarding the national security that has been designated "top secret," "secret," or "confidential" according to Executive Order 12356.

Clearing (magnetic media)
A procedure used to erase or overwrite classified or unclassified-sensitive information stored on magnetic medium. Clearing allows reuse of the medium at the same classification level, but does not produce declassified medium.

Commercial COMSEC Endorsement Program (CCEP)
A program in which cryptographic subsystems and telecommunications equipment using embedded cryptography are developed, produced, and marketed under formal agreements between individual commercial vendors and the National Security Agency.

Communications deception
Deliberate transmission, retransmission, or alteration of communications to mislead an adversary in interpretation of the communications.

Communications security (COMSEC)
Measures taken to deny unauthorized persons information derived from telecommunications of the U.S. Government concerning national security, and to ensure the authenticity of such telecommunications.

Compromising emanations
Unintentional intelligence-bearing signals that, if intercepted and analyzed, disclose the information transmission received, handled, or otherwise processed by any information processing equipment.

A machine capable of accepting data, performing calculations on, or otherwise manipulating that data, storing it, and producing new data.

Computer facility
Physical resources that include structures or parts of structures that support or house computer resources. The physical area where the equipment is located.

Computer security
See automated information systems security.

The concept of protecting data from unauthorized disclosure.

Configuration control
The process of controlling modifications to a system's hardware, firmware, software, and documentation that provides sufficient assurance that the system is protected against the introduction of improper modifications before, during, and after system implementation.

Controlled access protection
Access control through log-in procedures, audit of security-relevant events, and resource isolation. Controlled access protection is normally associated with class C2 systems.

Controlled cryptographic item
An unclassified but controlled secure telecommunications or automated information-handling equipment and associated crytographic assembly, component, or other hardware or firmware item that performs a critical COMSEC or COMSEC-ancillary function.

Equipment that embodies a cryptographic logic.

Pertaining to, or concerned with, cryptography.

The principles, means, and methods for rendering plain information unintelligible and for restoring such information to intelligible form.

The science and activities which deal with hidden, disguised, or encrypted communications.

The associated items of COMSEC material used as a unit to provide a single means of encryption or decryption.

Data security
The protection of data from unauthorized (accidental or intentional) modification, destruction, or disclosure.

Declassification (of magnetic storage media)
An administrative procedure resulting in a determination that classified information formerly stored on a magnetic medium has been removed or overwritten sufficiently to permit reuse in an unclassified environment.

Dedicated security mode
A mode of operation wherein all users of the AIS possess the required personnel security clearance or authorization, formal access approval (if required), and need-to-know for all data processed by the AIS. Processing in this mode may be full-time or for specific periods of time.

To reduce magnetic flux density to zero by applying a reverse magnetizing field.

Denial of service
Action or actions which prevent any part of a TAIS from functioning according to its intended purpose.

Designated accreditation authority
A senior management official who has the authority and responsibility to decide to accept or reject the security safeguards prescribed for an automated information system, and who may be responsible for issuing an accreditation statement or certificate that records the decision to accept those safeguards for his or her department, agency, or Service.

DOD trusted computer system evaluation criteria
A uniform set of basic requirements and evaluation classes for assessing the effectiveness of hardware and software security controls built into automated information systems (developed by the National Computer Security Center and published as DOD 5200.28-STD).

Electronic security
The protection afforded by all measures designed to deny unauthorized persons information of value that might be derived from the interception and analysis of noncommunications electromagnetic radiations, such as radar.

Embedded cryptography
Cryptography incorporated within an equipment or system whose basic function is not cryptographic.

Embedded system
A system that performs or controls a function, either in whole or in part, as an integral element of a larger system or subsystem.

Emission security
The protection resulting from all measures taken to deny unauthorized persons information of value that might be derived from intercept and analysis of compromising emanations from cryptoequipment, automated information systems, and telecommunications systems.

Evaluated Products List
A list of equipment, hardware, software, and firmware that has been evaluated against, and found to be in technical compliance at a particular level of trust, with the DOD Trusted Computer System Evaluation Criteria by the National Computer Security Center.

Software permanently stored in a hardware device that allows reading and executing the software, but not writing or modifying it.

Foreign national employees
Non-U.S. citizens who normally reside in the country where employed, though they may not be citizens of that country, and who are employed by the U.S. Government and the Department of the Army.

Formal access approval
Documented approval to allow access to a particular category of information.

Information systems security
A composite of means to protect telecommunications systems and automated information systems, and the information they process.

The degree of protection for data from intentional or unintentional alteration or misuse.

Information (usually a sequence of random binary digits) used initially to set up (and periodically to change) the operations performed in a cryptoequipment for encrypting or decrypting electronic signals, for determining electronic countermeasure patterns (frequency hopping or spread spectrum), or for producing other keys.

Key management
The process by which a key is generated, stored, protected, transferred, loaded, used, and destroyed.

Machine cryptosystem
A cryptosystem in which the cryptographic processes are performed by cryptoequipment.

A computer system characterized by dedicated operators (beyond the system users); high capacity, distinct storage devices; special environmental considerations; and an identifiable computer room or complex.

Malicious software
Software that is intentionally introduced in a system to cause harm.

Manual cryptosystem
A cryptosystem in which the cryptographic processes are performed manually without the use of cryptoequipment or auto-manual devices.

Multilevel security mode
A mode of operation wherein not all users of the AIS possess the required personnel security clearance for all data being processed by the AIS.

The necessity for access to, knowledge of, or possession of specific information required to carry out official duties.

Communications medium and all components attached to that medium whose function is the transfer of information. Components may include AIS, packet switches, telecommunications controllers, key distribution centers, and technical control devices.

Noncommunications emitter
Any device which radiates electromagnetic energy for purposes other than communicating (for example, radars, navigational aids, and laser range finders). A noncommunication emitter may include features normally associated with computers, in which case it must also meet the requirements for an AIS.

Partitioned security mode
A mode of operation wherein all users of the AIS possess the required personnel security clearance or authorization, but not necessarily formal access approval and need-to-know for all information handled by the AIS. For systems processing CS1 data, this mode is equivalent to the compartmented mode defined in DCID 1/16.

A protected or private string of characters used to authenticate an identity.

Periods processing
The processing in an automated information system of various levels of sensitive information at distinctly different times, with the system being properly declassified between periods.

Protected distribution system (PDS)
A wireline or fiber-optics system which includes adequate acoustic, electrical, electromagnetic, and physical safeguards to permit its use for the unencrypted transmission of classified information.

Purging (magnetic media)
A procedure used to totally and unequivocally erase or overwrite all information stored on magnetic media. Purging is one prerequisite to declassification of magnetic media.

Remote terminal
A terminal which is not in the immediate vicinity of the AIS it accesses.

The probability that a particular threat will exploit a particular vulnerability of an automated information system or telecommunications system.

Risk assessment
The process of identifying security based on an analysis of threats to and vulnerabilities of systems, determining the magnitude of those risks, and incorporating measures needed to safeguard against them.

Risk management
The application of managerial techniques concerned with the identification, measurement, control, and minimization of uncertain events.

Small computer
A small general-purpose computer design to support a single user at a time. Disk drives, printers, and other equipment associated with the small computer are considered part of the small computer.

Stand alone computer
An automated information system that is physically and electrically isolated from all other automated information systems.

Systems high security mode
A mode of operation wherein all users of the AIS possess the required personnel security clearance of authorization, but not necessarily a need-to-know, for all data handled by the AIS. If the AIS processes formal categories of information, all users must have formal access approval.

Technical vulnerability
A hardware, firmware, communication, or software weakness which leaves a computer processing system open for potential exploitation or damage, either externally or internally, resulting in risk for the owner, user, or manager of the system.

The preparation, transmission, communication, or related processing of information (writing, images, sounds, or other data) by electrical, electromagnetic, electro-mechanical, electro-optical, or electronic means.

Telecommunications and automated information systems
This term in this regulation indicates that a statement applies to both AIS and telecommunications systems.

Telecommunications system
Any system which transmits, receives, or otherwise communicates information by electrical, electromagnetic, electro-mechanical, or electro-optical means. A telecommunications system may include features normally associated with computers, in which case it must also meet the requirements for an AIS.

The investigation, study, and control of compromising emanations from electrical and electronic equipment. TEMPEST is often used as a synonym for compromising emanations, as in "TEMPEST test" or "TEMPEST inspection."

Any device which is used to access an AIS, including "dumb" terminals, which only function to access another AIS, as well as personal computers or other sophisticated AIS which may access other AIS as one of their functions.

Any capability, circumstance, or event with the potential to cause harm to a TAIS in the form of destruction, unauthorized disclosure, modification of data, or denial of service.

Threat agent
A means or method used to exploit a vulnerability in a system, operation, or facility.

Transmission security
The component of COMSEC that consists of all measures designed to protect transmissions from interception and exploitation by means other than cryptoanalysis.

Unclassified-sensitive information
Any unclassified information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under the Privacy act.

Persons or processes accessing an automated information system either by direct connections (that is, via terminals) or indirect connections (that is, preparing input or receiving output from the system without a review for classification or content by a responsible individual). Also, an individual who is required to use COMSEC material in the performance of his or her duties and who is responsible for safeguarding that COMSEC material.

A weakness in a TAIS or cryptographic system (or system security procedures, hardware design, internal controls, and so forth) that could be exploited to gain unauthorized access to classified or sensitive information, impact system availability, or affect data integrity.