On December 5, 1995 the Office of the Assistant Secretary of Defense approved this ISL for publication.
This issue of the Industrial Security Letter (ISL) is in response to questions received regarding Chapter 8 of the NISPOM, "Automated Information System (AIS) Security."
Answer: DIS understood that the July 31st deadline established for implementation would be difficult for some contractors, impossible for others.
Therefore, contractors that have not yet implemented NISPOM requirements should develop an implementation schedule consistent with the guidance provided in ISL 95L-1 or ask for a waiver pursuant to paragraph 1-102c of the NISPOM. Your IS Rep and/or AIS Specialist will assist you in developing a timetable for conversion.
Answer: AISSPs for previously accredited systems must be updated to incorporate substantive policy and procedural changes contained in the NISPOM.
However, it is not necessary to update or convert AISSPs simply to conform to the format at paragraph 8-202 of the NISPOM. The format of AISSPs is not of any particular significance to the Department of Defense. The arrangement of information within AISSPs should be determined by each Information Systems Security Representative (ISSR) based upon company needs.
Answer: Yes. Systems accredited (approved) under previous policy (the Industrial Security Manual) remain accredited and may continue to be used for processing classified information. There are no plans to summarily withdraw accreditations or to prohibit classified processing for AISs accredited under the ISM. However, it is important that contractors implement the requirements of the NISPOM in a timely manner. Systems being used for new contracts should be scheduled for conversion to the NISPOM requirements as soon as possible.
Answer: As soon as you receive interim or final approval from DIS. Until you receive such approval, you should continue to use the previously approved procedures.
Answer: The standards and requirements of the NISPOM are designed in response to the general threat. When specific threat information known to the DoD exists, it will be conveyed to the facility FSO (usually by DIS) who will advise the ISSR as necessary.
Answer: No, the requirements of Chapter 8, specifically paragraph 8-300 (Physical Security) and paragraph 8-301 (Software Controls) apply throughout all phases of accreditation. "Processing" as discussed in paragraph 8-101 should be interpreted as "accredited to process."
Answer: Only one ISSR can be appointed by the contractor (each cleared facility). However, security custodians can be designated by the ISSR in facilities with multiple AISs or multiple classified shifts to act on behalf of the ISSR.
Answer: The interval for audit reviews is dependent upon the security mode and amount of classified information processed. The frequency of audit reviews should be mutually determined between the ISSR and DIS representatives, but as a general rule, these reviews should be weekly.
Answer: An MOA is required when there is an interconnection of 2 or more AISs having different accrediting authorities in order to stipulate the terms and conditions for the overall security of the network. The resulting network must be separately accredited by the Cognizant Security Agency (CSA), that is, the Department of Defense (DoD), the Department of Energy, the Central Intelligence Agency, or the Nuclear Regulatory Commission. If the DoD is the accrediting agency for all AISs proposed for the interconnected network, the DoD would be responsible for accrediting the resulting network of systems.
The DoD accrediting authority, normally the Defense Investigative Service, is responsible for the accreditation of the network jointly with all DoD components and non-DoD agencies that have separately accredited AISs proposed for the network.
Answer: The CSA is obligated to withdraw accreditation when a change is made to the AIS that could reasonably result in the compromise of classified information.
Answer: Self approval authority is only authorized for the dedicated mode. The ISSR may also approve changes to dedicated and system high mode AISs pursuant to paragraph 8-102b(17).
Answer: Any hardware, software or procedural change that the ISSR and/or the CSA determines will affect accredited security controls of the AIS.
Answer: As a practical matter, all major hardware/firmware configured for classified processing must be identified by nomenclature, model and manufacturer. All resident software used for classified and unclassified processing must be identified by software name, version, manufacturer, and intended use or function. The ISSR or designee is responsible for maintaining and keeping such information current.
Answer: The procedures or process used to install hardware or software.
Answer: Any receipts associated with the AIS, such as maintenance, from accreditation to final declassification.
Answer: The decision to require execution of an agreement is made by the ISSR.
Answer: Contractors may use physical, technical and/or administrative measures to control access to dedicated mode AISs; however, technical security controls are not required for dedicated mode AISs.
Answer: The audit logs identified in paragraph 8-303 are the only audit requirements for the dedicated mode.
Answer: No. Time lockouts were included in the NISPOM as a means of assisting the AIS user in protecting classified information. Under normal circumstances, AIS users should never leave their terminal unattended during classified processing. However, if necessary, time lockouts are available as part of the access control policy as long as their use is described in the AISSP.
Answer: No. Beginning at the system high mode, automated audit trails are required.
Answer: The methods discussed in the NISPOM are common practices; however, other methods meeting the intent of the requirements of user authentication are also acceptable.
Answer: All hardware and software must be examined before being used, regardless of the source.
Answer: As a general rule, yes. The ISSR should consult with appropriate contract and accreditation officials.
Answer: Uncleared contractor personnel are not allowed to be users or to access an AIS accredited to process classified information. Accordingly, the possibility of a policy exception would have to be considered by the CSA in coordination with the customer.
Answer: Use whatever procedures, processes, and/or physical or technical means necessary to effectively control access to the AIS during attended processing. Additional guidance regarding Restricted Areas is contained in Chapter 5, Section 3.
Answer: Individuals with contractor granted CONFIDENTIAL PCLs do not require escorts in an area where CONFIDENTIAL processing is taking place, provided the access limitations prescribed by paragraph 2-205 are not exceeded.
Answer: DoD strongly discourages the use of software derived from non-conventional sources because it is at greater risk for malicious code. However, the policy does not prohibit the use of such software, provided proper procedures to review the software prior to installation are documented in the AISSP and followed.
Answer: All software used for maintenance or diagnostics must be protected at the level of the accredited AIS. Exceptions for vendor supplied software on write-protected media may be permitted on a case-by-case basis by the CSA. When authorized, procedures for handling such software on write-protected media must be contained within the AISSP.
Answer: In general, the overall marking requirements of paragraph 4-200 apply. The media is marked as to its identification (4-202), its overall markings (4-203), and the classified by, downgraded to and/or declassified on lines (4-208).
Answer: For the dedicated and system high mode, it is the responsibility of the user to ensure that appropriate markings are affixed when classified information is reproduced or generated. For the compartmented and multilevel mode, security features of the AIS will automatically affix the appropriate markings.
Answer: As a general rule, only a random sampling would need to be verified when using an approved degausser. However, every sanitization action would require verification when using an approved overwrite utility.
Answer: Yes. The requirement to record the sanitization action is not classification dependent. It should be noted that paragraph 8-303a(4) requires sanitization records be maintained as part of the audit logs.
Answer: No. The contractor is responsible for retaining the latest 12 months of audit trail information for the CSA to review. This applies to both the security audit information (8-303) and the automated audit trail information identified under the security features for the system high (8-208c), compartmented (8-211g) and multilevel (8-214a) mode.
Answer: Yes. Non-removable storage media can continue to be used to process classified information. If used, certain upgrading requirements (8-304a(4)), downgrading requirements (8-304b(2)) and declassification/sanitization requirements (8-302g) must be identified in the AISSP.
Answer: Yes, unless administrative and procedural measures are taken that eliminate or reduce duplicate copies. Contact your IS Rep or AIS Specialist for additional guidance.
Answer: Option "d" of the "Clearing and Sanitization Matrix" is referring only to sanitization for declassifying purposes. When downgrading (8-304b), TOP SECRET media can be sanitized (i.e., three-time overwrite).
Answer: As a general rule, yes. Contact your IS Rep or AIS Specialist for additional guidance.
Answer: No. However, when the logon password file is not encrypted, the AIS will need a strong access control policy. This will permit only authorized system administrators (e.g., ISSR) access to the non-encrypted passwords.
Answer: This paragraph is discussing "general" connection requirements for collocated classified and unclassified AISs. One-way connection is allowed under specific conditions, when addressed in the AISSP. Contact your IS Rep or AIS Specialist for additional guidance.
Answer: The enforcement of need-to-know within the context of paragraph 8-306 means simply that the company has an obligation to ensure that personnel who perform maintenance and diagnostic actions are limited to data, information, hardware, firmware, and software for which they are authorized.
Answer: A technically knowledgeable escort is preferred; however, as a minimum, the escort must be sufficiently knowledgeable concerning the AISSP, established security policies and practices, and escorting procedures.
Answer: The dedicated copy of the system software shall never be used by uncleared personnel, maintenance or not. Even though system and/or maintenance software is not classified, both require control and protection at the level the AIS is accredited.
Answer: Maintenance and diagnostic functions performed within the contractor's facility are generally preferable because the possibility of greater control exists; however, those functions may be performed outside the facility at the discretion of the ISSR. The ISSR must decide what is most practical under a particular set of circumstances, and security is but one of many considerations which must be taken into account.
Answer: Yes, but in some cases the reintroduction of equipment must be approved by the ISSR while CSA approval is required in other cases. In addition, beginning at the system high mode, the equipment must be examined prior to reintroduction.
Answer: Only the ISSR and/or their security custodians can approve the use of maintenance equipment. This may be accomplished as part of the configuration management procedures, which include specific approval procedures and authorization requirements for the use of maintenance equipment and are described in the AISSP for each AIS.
Answer: The "Clearing and Sanitization Matrix" on page 8-3-5 discusses the technical requirements; the audit requirements are discussed in paragraph 8-303a(1).
Answer: Paragraph 8-306i provides guidance on their use.
Answer: The manner in which SRAM is used during a classified session is critical in determining the appropriate option identified on page 8-3-5. In certain cases, information remains stationary within the SRAM during processing. In those cases, options "c and f" might be appropriate. But in other cases, information "flows" through the SRAM and option "g" might be most appropriate. Importantly, procedures for effectively clearing and sanitizing units with residual memory need to be coordinated with DIS AIS Specialists.
Answer: As a general rule, no.
Answer: The absence of transmission control standards within Chapter 8 was an oversight. Pending coordination and publication of an AIS transmission control policy for inclusion in the NISPOM, contractors under DoD security cognizance are requested to follow the standards contained in paragraph 8-310 of the 1991 ISM.