The madness of it all ...
While surfing around I noticed that the D.O.E. had posted the following:
"The page you requested cannot be found on this server. Please check your URL for spelling errors. If you requested access to the maps of nuclear power reactor locations, these maps have been taken off-line temporarily pending the outcome of a policy review by the US Department of Energy and Argonne National Laboratory."
Yet, if you check the N.R.C. page on power reactor actions taken, you get a complete rundown ... with location maps!
I think they're doing a bit of running around in circles in D.C.
Captain Canada 11-09-01, 07:06 AM Chagur, why are you looking for maps of nuclear power reactor locations? You don't happen to be sporting a funny beard and clutching a copy of the Koran over there, do you? Hmmmm.
Isn't everyone interested in the locations of nuclear power plants?
Oh well, maybe not. Guess it comes with the territory if you are a "Seeker". ;)
Actually, it all came about when I was looking for some information on nuclear propulsion, rockets, and found out that I could no longer browse Argonne National Laboratory's archives ... and then got curious as to how many other government websites had been pulled, or access to blocked
Same in Britain, all our nuclear plants have had a 5 mile no fly zone enforced over them, I assume it's the same for America.
I don't think they were allowed to print the locations on O/S maps either, quite silly when you consider that on one of the propaganda programs on TV they give the location of one of America's biological arms dumps.
Ed Anger 11-10-01, 09:38 PM Damn good idea! Our government boys know that the turban heads will be lookin for a road map to our nuke plants! I think the feds ought to make sure that those road maps at the convenience stores don't have the directions to our nuclear plants either!
machaon 11-11-01, 12:54 AM Damn good idea! Our government boys know that the turban heads will be lookin for a road map to our nuke plants! I think the feds ought to make sure that those road maps at the convenience stores don't have the directions to our nuclear plants either!
Let's just hope that the "turban heads" do not have an eighth grade education. That is about the level of sophistication one would have to possess to locate US nuke plants.
Banshee 11-11-01, 01:48 PM Do you humans THINK so once in a while???
The nuclear powerplants have to be removed as quickly as possible, for it will be the final take down of Earth.
And I am not the only one who got this message. So don't be so stupid and think, you fools.
Only wanting to nuke others, oh what fun.
What are all the countries doing with this terrible weaponry nowadays.
Do not forget how much more powerful the nuclear bombs are now than before in WW2.
Come on people, think, don't be so foolish and arrogant with making threats to whoever you want about a nuclear bomb. (if it will be one)
One is enough to do the necessary damage and then we all go back to the Cosmos.
And yes, I know, maybe the Taliban have nukes. Perhaps, not certain. I doubt it. But I mean this to the whole world.
I can't reach the whole world and do not know how to contact the Taliban without being shot because I am a woman.
But I sure would tell them to stop with whatever they are doing, as the same to the rest of these pests with nuclear weaponry and bacterial weaponry or whatever.
When is all this insanity over???
Get rid of this weaponry all over the world, for Earth goes down because of it...:confused:
machaon 12-02-01, 09:21 AM Damn good idea! Our government boys know that the turban heads will be lookin for a road map to our nuke plants! I think the feds ought to make sure that those road maps at the convenience stores don't have the directions to our nuclear plants either!
Addresses
The following list provides plant addresses, plant owners, and operators in case you may wish to visit their visitor or training facilities.
Plant Company Address
Arkansas Nuclear One (ANO) 1 and 2 Entergy Nuclear 1448 SR 333; Russellville, AR 72801
Beaver Valley First Energy Corporation P.O. Box 4; Shippingport, PA 15077
Braidwood Exelon RR1, Box 84; Braceville, IL 60407
Browns Ferry Tennessee Valley Authority PO Box 2000; Decatur, AL 35602
Brunswick Progress Energy PO Box 10429; Southport, NC 28461
Byron Exelon 4450 North German Church Road; Byron, IL 61010
Callaway Ameren PO Box 620; Callaway, MO 65251
Calvert Cliffs Baltimore Gas & Electric 1650 Calvert Cliffs Parkway; Lusby, MD 20657
Catawba Duke Power Company 4800 Concord Road; York, SC 29745
Clinton Amergen PO Box 678; Clinton, IL 61727
Columbia Energy Northwest Richland, WA 99352-0968
Comanche Peak TU Electric PO Box 1002; Glen Rose, TX 76043
Cooper Nebraska Public Power District PO Box 98; Brownville, NE 68321
Crystal River Progress Energy 15760 West Power Line Street; Crystal River, FL 34428-6708
Davis Besse First Energy Corporation 5501 North State Route 2; Oak Harbor, OH 43449
DC Cook American Electric Power 1 Cook Place; Bridgman, MI 49106
Diablo Canyon Pacific Gas & Electric PO Box 56; Avila Beach, CA 93424
Dresden Exelon 6500 North Dresden Road; Morris, IL 60450
Duane Arnold Alliant Energy / NMC 3313 DAEC Road; Palo, IA 52324
Exelon Exelon Suite 400, 1400 Opus Place; Downers Grove, IL 60515
Farley Southern Nuclear PO Box 470; Ashford, AL 36312
Fermi 2 Detroit Edison 6400 North Dixie Highway; Newport, MI 48166
FitzPatrick Entergy Nuclear PO Box 41; Lycoming, NY 13093
Fort Calhoun Omaha Public Power District 444 South 16th Street Mall; Omaha, NE 68102-2247
Fort Calhoun Omaha Public Power District PO Box 399; Fort Calhoun, NE 68023-0399
General Electric General Electric Nuclear 171 Curtner Avenue; San Jose, CA 95125
Ginna Rochester Gas & Electric 1503 Lake Road; Ontario, NY 14519
Grand Gulf Entergy Nuclear PO Box 756; Port Gibson, MS 39150
Hatch Southern Nuclear Highway US1, Box 439; Baxley, GA 31513
Hope Creek Public Service Electric & Gas Company PO Box 236; Hancocks Bridge, NJ 08038
Indian Point 2, 3 Entergy Nuclear Broadway & Bleakley Ave.; Buchanan, NY 10511
Kewaunee Wisconsin Public Service Corporation / NMC N490 Highway 42; Kewaunee, WI 54216-9510
LaSalle Exelon 2601 North 21st Road; Marseilles, IL 61341
Limerick Exelon PO Box 2300; Saratoga, PA 19464-0920
Maine Yankee Maine Yankee Atomic Power Company 321 Old Ferry Road; Wiscasset, ME 04578
McGuire Duke Power Company 12700 Hagers Ferry Road; Huntersville, NC 28078-9340
Millstone 1,2,3 Dominion PO Box 128; Waterford, CT 06385
Monticello Xcel Energy / NMC 2807 West Highway 75; Monticello, MN 55362
NEI Nuclear Energy Institute 1776 Eye Street, Suite 300; Washington, DC
Nine Mile Point 1,2 Niagara Mohawk Power Company PO Box 32; Lycoming, NY 13093
North Anna Dominion PO Box 402; Mineral, VA 23117-0402
Northeast Utilities Northeast Utilities PO Box 128; Waterford, CT 06384
NPPD Nebraska Public Power District PO Box 98; Brownville, NE 68321
Oconee Duke Power Company PO Box 1439; Seneca, SC 29679
Oyster Creek Amergen PO Box 388; Forked River, NJ 08731
Palisades Consumers Energy / NMC 27780 Blue Star Memorial Highway; Covert, MI 49043
Palo Verde Arizona Public Service Company PO Box 52034; Phoenix,AZ 85072-2034
Peach Bottom Exelon 1848 Lay Road; Delta, PA 17314
Perry First Energy Corporation PO Box 97; Perry, OH 44081
Pilgrim Entergy Nuclear Rocky Hill Road; Plymouth, MA 02360
Point Beach Wisconsin Electric Power Company / NMC 6610 Nuclear Road; Two Rivers, WI 54241
Prairie Island Xcel Energy / NMC 1717 Wakonade Drive East; Welch, MN 55089
Quad Cities Exelon 22710 206th Avenue North; Cordova, IL 61242
River Bend Entergy Nuclear PO Box 220; St. Francisville, LA 70775
Robinson Progress Energy 3581 West Entrance Road; Hartsville, SC 29550
Salem Public Service Electric & Gas Company PO Box 236; Hancocks Bridge, NJ 08038
Seabrook North Atlantic Energy Service Corp. PO Box 300; Seabrook, NH 03874-0300
Sequoyah Tennessee Valley Authority PO Box 2000; Soddy-Daisy, TN 37379
Shearon Harris Progress Energy PO Box 165; New Hill, NC 27562
San Onofre (SONGS) 2 and 3 Southern California Edison PO Box 128; San Clemente, CA 92674
South Texas Project STP Nuclear Operating Company PO Box 289; Wadsworth, TX 77483
St Lucie FPL PO Box 128; Ft. Pierce, FL 34954-0128
VC Summer South Carolina Electric & Gas Company PO Box 88; Jenkinsville, SC 29065
Surry Dominion 5570 Hog Island Road; Surry, VA 23883
Susquehanna Pennsylvania Power & Light Company PO Box 467; Berwick, PA 18603
Three Mile Island Amergen PO Box 480; Middletown, PA 17057
Turkey Point FPL PO Box 4332; Princeton, FL 33032
TVA Tennessee Valley Authority 1101 Market Street; Chattanooga, TN 37402
USNRC US Nuclear Regulatory Commission 11555 Rockville Pike; Rockville, MD 20852
Vermont Yankee Vermont Yankee Nuclear Power Corporation PO Box 157, Governor Hunt Road; Vernon, VT 05354
Vogtle Southern Nuclear PO Box 1600; Waynesboro, GA 30830
Waterford Entergy Nuclear PO Box B; Killona, LA 70066
Watts Bar Tennessee Valley Authority PO Box 2000; Spring City, TN 37381
Wolf Creek Wolf Creek Nuclear Operating Company PO Box 411; Burlington, KS 66839-0411
Thanks :D
Most of those addresses will work if you're only looking to deliver jet-fuel heavy, airplane-loaded, anthrax-laden letters into those nuke plants' P.O. Boxes. :D
machaon 12-03-01, 02:29 AM My whole point is that nuclear power plant locations are not state secrets. In fact, I own Flight Simulator 2000 for the PC and can fly by just about every one of them in great detail. Here are some map pics and a neat link: Blast mapper (http://www.pbs.org/wgbh/amex/bomb/sfeature/blastmap.html)
Banshee 12-03-01, 01:47 PM As Chagur said: 'The madness of it all...'
I don't go into this no more. I really get sick of you humans talking crazy stuff like this.
What about making the world a better place instead of nuking'em all.:confused:
Don't need a list of powerplants, there is one not far away from me, that is more than enough...
Just knowing that it's there gives me the creeps...
machaon 12-04-01, 08:00 AM The Dept. of Energy does a good job keeping classified info secret. If you do not believe me, check it out yourself. (LOL)
DEPARTMENT OF ENERGY
HEADQUARTERS
MASTER AUTOMATED INFORMATION
SYSTEMS SECURITY PLAN
September 1, 1996
Revision #2 01/15/97
Classified Automated Information System Security Site Manager Approval:
______________________________________________
Classified Information System Security Operations Manager Approval:
______________________________________________
Assistant Secretary for Human Resources and Administration
Office of the Chief Information Officer
Operations Group
This plan implements the requirements of DOE O 471.2, Information Security Program dated 9/26/95, and DOE M 5639.6A-1, Manual of Security Requirements for the Classified Automated Information System Security Program dated 7/15/94, augments HQ Facilities Master Security Plan dated January 1995 with changes 1, 2, and 3 for the protection of classified information processed, stored, or produced on automated information systems (AIS) of the Department of Energy (DOE) Headquarters (HQ).
For the purpose of this security plan, AIS and System are synonymous and include all of the following: single-user systems (used by only one person at a time) operated in a stand-alone mode, such as Personal Computers (PCs) and Laptop or Notebook Computers (hereafter referred to as Portable Personal Computers, or PPCs), and dedicated word processors; remote terminals connected via Secure Telephone Unit-III (STU-III) Secure Data Devices (SDDs) to the HQ IBM ES/9000 accredited host computer; and terminals connected to STU-III Secure Voice/Data Set (SV/DS) equipment for limited, nonscheduled transmittal of data.
Memory typewriters are not used at the HQ to process classified data, and are, therefore, omitted from this Master AIS Security Plan. Should the need arise to process classified information on memory typewriters, the Classified AIS Security Site Manager must first be contacted for guidance.
The Master AIS Security Plan has been approved for general use; however, it alone does not fully meet the requirements for an approved security plan and cannot be used as the sole basis to gain accreditation to process classified information.
Individual AIS operated under the authority of this plan will each be identified in an Attachment 5, Individual Security Plan, which details specific system characteristics not covered in one of the subsections of this plan. All of the requirements in the plan must be met. Any additions to or deviations from the requirements in this Master AIS Security Plan will be documented in sections V and VI of Attachment 5.
Each Individual Security Plan must be separately approved by the Classified Information System Security Officer (CSSO) and forwarded to the Classified Automated Information System Security Site Manager (CSSM) with certification that it meets the requirements of the Master AIS Security Plan. The CSSM will review the Individual Security Plan, verify the CSSO's certification, and accredit the system under the authority delegated by the Classified Information System Security Operations Manager (CSOM).
All reorganizations which result in changes of users and/or CSSO responsibilities must immediately be brought to the attention of the CSSM so that resulting actions necessary to update the Individual Security Plans can be developed.
The Master AIS Security Plan and Individual Security Plans specifically do not apply to mainframe host systems, local area network servers/controllers (they do, however, apply to local area network nodes), or other multi-user AIS.
The following items are available for viewing and/or downloading from the HR Home Page on the World Wide Web at: < .hr .htm>
HQ DOE Master AIS Security Plan, with attachments.
Individual Attachments.
Software and Documentation for LASERSAN
ADP Security Plan for Dial-up Off-Site Remote Terminals connected to the DOE Headquarters Classified Mainframe Computer.
Connecting to the DOE Headquarters Classified Mainframe Instructions.
REFERENCES
DOE O 471.2, Information Security Program, dated 9/26/95.
DOE M 471.2-1, Manual for Classified Matter Protection and Control, dated 9/26/95.
DOE 1360.2B, Unclassified Computer Security Program, dated 5/18/92.
DOE 5300.2D, Telecommunications: Emission Security (TEMPEST), dated 5/18/92.
DOE 5300.3D, Telecommunications: Communications Security, dated 8/30/93.
DOE 5632.1C, Protection and Control of Safeguards and Security Interests, dated 7/15/94
DOE M 5632.1C-1, Manual for Protection and Control of Safeguards and Security Interests, dated 7/15/94.
DOE M 5639.6A-1, Manual of Security Requirements for the Classified Automated Information System Security Program, dated 7/15/94.
DOE/MA-0427, Computer Security Guide for Users, dated September 1990.
DOE Headquarters Classified Computer Security Program CSSO Guidelines, dated 3/31/92.
Headquarters Security Officer's STU-III Procedural Guide.
DOE HQ Facilities Master Security Plan, dated January 1995 with changes 1, 2, & 3.
SA-123 (NN-512.3) Memorandum, dated May 3, 1993, Subject: Protection of Combinations or Passwords.
NN-514 Memorandum, dated 10/11/95, Subject: Security Requirements for New and Emerging Office Technologies.
NN-514.2 Memorandum, dated 2/26/96, Subject: Deviation from the Headquarters Master Automated ISS Systems Security Plan for Automated Office Support Systems.
TABLE OF CONTENTS
TITLE PAGE WITH APPROVAL SIGNATURES
INTRODUCTION
REFERENCES
TABLE OF CONTENTS
1. IDENTIFICATION AND LOCATION OF THE SYSTEM
1.1 Facility/Organization Name and Address
1.2 System Location
1.3 Accreditation Information
2. NAME, ORGANIZATION, MAIL STOP, AND PHONE NUMBER OF THE RESPONSIBLE SECURITY PERSONNEL
2.1 Classified Information System Security Operations Manager (CSOM)
2.2 Classified Information System Security Site Manager (CSSM)
2.3 Classified Information System Security Officer (CSSO)
2.4 User/Security Officer (U/SO)
3. NARRATIVE DESCRIPTION OF THE SYSTEM AND ACCESS RESTRICTIONS
3.1 Purpose of the System
3.2 Rules for Permitting/Denying Access to the AIS
4. STATEMENT OF THREAT
5. AIS SECURITY ENVIRONMENT
5.1 Protection Rating
5.2 Methods Used
5.3 Individual System Description
5.4 Modification Controls
5.5 Periods Processing
5.5.1 Classified PC Connected to an Unclassified LAN
5.5.2 Classified PC Connected to both a Classified LAN and an Unclassified LAN
5.6 Maintenance Swap Controls
5.7 Approved Mechanical Switch Boxes
6. PERSONNEL SECURITY
6.1 Clearance Verification
6.2 U/SOs' Responsibilities
7. PHYSICAL SECURITY
7.1 Building Access
7.2 Additional AIS Security Procedures
7.3 Security Areas for PCs, and PPCs
7.3.1 Vaults
7.3.2 Limited Areas/Exclusion Areas
7.4 Transporting Classified PPCs Outside Headquarters
7.5 AIS Placement and Control
7.5.1 PCs
7.5.2 PPCs
7.6 Peripheral Sharing
8 TELECOMMUNICATIONS SECURITY
8.1 Commercial Non-encrypting Modems
8.2 STU-III Secure Voice/Data Set (SV/DS)
8.3 STU-III Secure Data Device (SDD) Model 1900/1910
8.4 Emission Security
8.5 Wireless Communications (Infrared) Ports
9. SOFTWARE SECURITY
9.1 Access Control
9.2 Prohibited Software
9.3 Software Vulnerabilities
9.4 Trusted Copy Program (TRCOPY)
10. ADMINISTRATIVE SECURITY
10.1 Configuration Management
10.1.1 AIS Configuration Identification
10.1.2 AIS Configuration Control
10.1.3 AIS Configuration Status Accounting
10.1.4 AIS Configuration Auditing
10.2 Access Controls
10.3 Installation Control Procedures
10.4 Media Security
10.4.1 Marking of Removable Magnetic Media
10.4.1.1 Marking During Classified Sessions
10.4.1.2 Marking During Unclassified Sessions
10.4.2 Marking of Fixed Magnetic Media
10.4.3 Storage Containers (Disk Holders)
10.4.4 Personal Computer Monitors
10.4.5 Printouts
10.4.6 Printer Ribbons
10.4.6.1 Dot Matrix Printer Ribbons
10.4.6.2 All Other (Non-Dot Matrix) Printer Ribbons
10.4.7 Toner Cartridges
10.4.8 Color Printer-Color Transfer Rolls
10.4.9 Media Storage
10.4.10 Classified Software Protection
10.4.11 Magnetic Media Sanitization Procedures
10.4.12 Magnetic Media Clearing Procedures
10.4.13 Destruction Procedures
10.4.14 Document (or Media) Accountability
10.5 System Sanitization
10.5.1 All AIS
10.5.2 PPCs
10.5.3 Laser Printer Toner Cartridges
10.5.4 Color Printer-Color Transfer Rolls
10.6 Host Computer Access Controls
10.6.1 User Identification Code and Password Controls
10.6.1.1 HQ IBM Host
10.6.1.2 Other Accredited Hosts
10.6.2 Password Maintenance
10.6.3 IBM ES/9000 Host Computer Access Control Mechanisms (Implemented in Software)
10.6.4 IBM ES/9000 Host Computer Access Control Mechanism (Implemented in Hardware Via STU-III Encryption Devices)
10.7 Property Removal Authorization
10.7.1 Removal of Accredited PPCs
10.7.2 Removal for Repair
10.8 Analog Or Digital Audio Recording Capabilities Of AIS
10.9 New and Emerging Office Technology
11. WASTE, FRAUD, AND ABUSE
11.1 Definition and Reporting
11.2 Review of System Files by the CSSO
11.3 Unannounced Reviews by the CSSM
11.4 Recognition of Copyright and Licensing Agreements
11.5 Software Scan Program (SW-SCAN)
12. RISK ASSESSMENT
12.1 Threat Identification
12.2 Asset Identification
12.3 Summary of Qualitative Risk Assessment
13. TRAINING
13.1 CSSOs
13.2 AIS U/SOs
13.3 Computer Security-Trained Escorts
14. INCIDENT REPORTING
14.1 Incident Recognition by U/SO
14.2 Notification Procedures
14.3 Documentation and Review
15. CONTINGENCY PLANNING
15.1 Critical Resources
15.2 Non-Critical Resources
16. ESCORT PROCEDURES
17. INTERIM OPERATING PROCEDURES
18. REMOTE DIAGNOSTIC SERVICES
19. SYSTEM SECURITY TESTING
20. ACQUISITION SPECIFICATIONS
Attachment 1 -- ANNUAL AIS USER/SECURITY OFFICER ACKNOWLEDGEMENT OF COMPLIANCE RESPONSIBILITIES
Attachment 2 -- STU-III USER LOG FOR CLASSIFIED DATA PROCESSING
Attachment 3 -- WASTE, FRAUD, AND ABUSE REVIEW CHECKLIST FOR ACCREDITED DOS BASED PERSONAL COMPUTERS
Attachment 3M -- WASTE, FRAUD, AND ABUSE REVIEW CHECKLIST FOR ACCREDITED MACINTOSH PERSONAL COMPUTERS
Attachment 4 -- SECURITY REVIEW CHECKLIST FOR PERSONAL COMPUTER CERTIFICATION
Attachment 5 -- INDIVIDUAL PERSONAL COMPUTER SECURITY PLAN
Attachment 6 -- LABELING DISKETTES, REMOVABLE HARD DISKS, AND COMPACT DISC (CDs)
Attachment 7 -- ACCREDITED PORTABLE PERSONAL COMPUTER VALIDATION CARD
Attachment 8 -- STATEMENT OF SECURITY RISK
KEYWORD INDEX
1. IDENTIFICATION AND LOCATION OF THE SYSTEM
1.1 Facility/Organization Name and Address
Headquarters
Germantown:
United States Department of Energy
19901 Germantown Road
Germantown, Maryland 20874-1290
and
Forrestal:
U.S. Department of Energy
1000 Independence Avenue, S.W.
Washington, D.C. 20585
1.2 System Location
The specific location (where the system is installed) of each system is identified in the applicable Individual Security Plan (Attachment 5). The location specified for Portable Personal Computers (PPCs) is the room number where the PPC is stored when not being used.
1.3 Accreditation Information
AIS at the HQ are individually accredited to process classified information up to, and including, the highest classification level and most restrictive category identified in Paragraph VI-3 of the applicable Individual Security Plan (Attachment 5). Accreditation of the system referred to in the Individual Security Plan is effective upon completion of the signature of the CSSM in Paragraph VI-3.
2. NAME, ORGANIZATION, MAIL STOP, AND PHONE NUMBER OF THE RESPONSIBLE SECURITY PERSONNEL
2.1 Classified Information System Security Operations Manager (CSOM):
Jack L. Cowden, NN-514.2, GTN, (301) 903-9992
2.2 Classified Automated Information System Security Site Manager (CSSM):
John E. Staley, HR-441, GTN, (301) 903-4566
2.3 Classified Information System Security Officer (CSSO):
The name, organization, mail stop, and phone number of the assigned CSSO is provided in the applicable Individual Security Plan.
2.4 User/Security Officer (U/SO)
The U/SOs are the primary, responsible users of their assigned accredited system. As such, they are responsible for complying with all AIS security requirements that pertain to their assigned system. They are also responsible for remaining aware of and knowledgeable about their responsibilities in regard to classified AIS security. Further, they are accountable for their actions on accredited AIS, including their assigned system.
The name, organization, mail stop, and phone number of the U/SO is provided in the applicable Individual Security Plan.
3. NARRATIVE DESCRIPTION OF THE AIS AND ACCESS RESTRICTIONS
3.1 Purpose of the System
The DOE is composed of organizations that encompass many diverse programmatic missions. These include, but are not limited to: design, development, and production of nuclear weapons; energy research and development; nuclear research and development; uranium enrichment; management of radioactive wastes; and marketing of hydroelectric power. AIS equipment provides the facility for the required work to be processed in a timely, cost-effective manner. PCs and PPCs are used for word processing, data bases, spreadsheets, graphics, and communications in an office environment to enhance DOE program management activities.
3.2 Rules for Permitting/Denying Access to the AIS
U/SOs are responsible for granting access privileges to their assigned AIS. All personnel that process classified information on AIS equipment will be cleared for the highest level and most restrictive category of classified information processed on the system.
During each given period of operation, a stand-alone AIS may be operated by a single U/SO who has the required "need-to-know" for all information contained on the system and controls all system resources at that specific time.
The specific administrative security controls implemented to deny access to uncleared personnel within the facility are listed in paragraph 10 Administrative Security.
4. STATEMENT OF THREAT
No threats unique to this system exist that were not considered and are not mitigated by the requirements and countermeasures delineated in both DOE Order 471.2 and DOE Manual 5639.6A-1.
5. AIS SECURITY ENVIRONMENT
5.1 Protection Rating
A Protection Index rating of 0 (zero) has been established for all systems (PCs and PPCs) operating in a single-user/stand-alone capacity with no connection to another computer. This is based on the fact that only one U/SO with the appropriate clearance level and required "need-to-know" is allowed access to an individual system at any given time in accordance with DOE O 471.2 and DOE M 5639.6A-1.
When connected to another computer (Host, LAN or another PC) (connection with a host or LAN is identified in Section III of the Individual Security Plan), the protection index of the system changes from an index of 0 (zero) to an index of 1 (one). This is because the U/SO of one connected system may not have a "need-to-know" for all information contained on the host or other connected system.
Any system (PC or PPC) with a protection index greater than 1 (one) must be accredited under a separate security plan.
5.2 Methods Used
The methods used to meet the above requirements will be described in paragraphs 6 through 10 of this Plan. All security measures identified in this Plan must be implemented. (All deviations must be identified in Section VI of Attachment 5. Any security measures implemented in addition to those mentioned in this plan must be identified in Section V of Attachment 5).
5.3 Individual System Description
Individual Security Plans describe each AIS and identify the level and amount of classified data to be processed. AIS equipment is included in each HQ organization's property accounting inventory. A risk review was conducted on the methods of assigning, distributing, installing, and supporting AIS software and hardware at the HQ. This risk review has shown that sufficient controls have been placed on each element of the procurement, storage, installation planning, installation, maintenance, and software support to minimize the risk of unauthorized targeting of specific hardware and software packages to classified areas. Since the risk of targeting specific systems to classified use has been determined to be low, an additional inventory of hardware and software in the AIS Security Plan is unnecessary. Each Individual Security Plan will, however, list the following information:
a. System Identification Number, as assigned by the CSSM.
b. Location (* see below)
Building, Room
Responsible organization, official
c. Hardware
Manufacturer of CPU
Model number of CPU
DOE Property Tag Number of CPU
* For PPCs, location will be the storage location. The building and number of the room where the equipment is stored when not being used.
d. Security Related Software and Communications Software
Developer
Product Name
Version Number
5.4 Modification Controls
The U/SO is responsible for bringing all planned system modifications to the attention of the CSSO at the earliest opportunity. All modifications planned for accredited AIS will be discussed with the CSSO prior to implementation. The CSSO will analyze the proposed modification to determine the expected impact on security caused by the changes and, if applicable, gain any approval required of the TEMPEST Coordinator, HR-433/GTN, or other security official. In addition, the Individual Security Plan must be updated to reflect the modification, and forwarded with appropriate attachments for certification and reaccreditation (See also, Paragraph 17 for applicability.)
5.5 Periods Processing
The term "periods processing" denotes the method of operation used at DOE HQ to allow accredited AIS to operate securely within sequential processing sessions of distinctly differing levels of information sensitivity (From NON-SENSITIVE UNCLASSIFIED up to, and including the highest processing level (based on classification and category) of information the system is accredited to process).
Periods processing provides the capability to:
a. sequentially have more than one user on a single-user accredited AIS with different levels of information or need-to-know;
b. sequentially use an accredited AIS at more than one processing level; and/or
c. transmit or receive different levels of information or need-to-know.
Only accredited PCs and PPCs with removable hard disks can perform periods processing. Accredited PCs with permanently fixed hard disk drives may not perform periods processing. PPCs will not be accredited to process classified information if they contain internal fixed hard disks. They must be equipped with removable hard disks.
Accredited PCs and PPCs employed in periods processing shall have separate sets of media, one for each level of classified and unclassified processing, including operating systems, utilities, and applications software. Classified removable hard disks may be shared only between U/SOs with common security clearances and need-to-know.
Accredited systems are sanitized in accordance with Paragraph 10.5 before making the transition from a processing session with higher classification/category to a processing session of lower classification/category. They are also sanitized between processing sessions when all U/SOs who have had access to the system since the last sanitization process have differing need-to-know restrictions than those U/SOs who are to be given subsequent access to the system.
Accredited PCs and PPCs with removable hard disks may be used to process data in a strictly unclassified environment only after the system has been sanitized to the unclassified level in accordance with procedures stated in Paragraph 10.5 of this Plan. During periods of processing in an unclassified mode, all data processed will be handled in accordance with the policy stated in DOE 1360.2B, Unclassified Computer Security Program, with the exception that all input and output magnetic media must be individually marked "UNCLASSIFIED" in accordance with procedures detailed in Paragraph 10.4 of this Plan. All other security controls (Physical, Administrative, Hardware/Software, Telecommunications, and Personnel) must comply with this Plan.
5.5.1 Classified PC Connected to an Unclassified LAN
Accredited PCs (approved to process classified information) may be connected to an unclassified LAN only when all of the conditions specified in this paragraph are met: The PC must not be configured with fixed hard disk drives. The PC must be configured to use removable hard disk drives. The user must have at a minimum two separate removable hard disk drives (one classified and one unclassified). The hard drives will be marked and stored as required in paragraph 10.4 of this plan. The PC must be configured to boot (load the operating system) from the removable hard drives. No LAN operating system software (i.e., lsl.com, ipx.odi, etc.) will be installed on the classified hard disk drive. Communication software (e.g., DOECOMM) may only be installed on the classified hard disk drive when the PC is approved to communicate with other classified computer systems via SDD.
An approved mechanical switching device, e.g. A/B Switch Box will be used as an interface and positive disconnect between the PC and the unclassified LAN connection. See paragraph 5.7 for a list of approved mechanical switch boxes. The A/B selector switch will be marked with an "Approved for Classified" sticker on the top or side where it can be easily seen. Additionally the switch will be marked to indicate "A" as "Unclassified" and "B" as "Classified". The A/B switch box will be configured in a manner that connects the unclassified LAN cable to the "A" connector port. The "B" port will not be connected.
Before processing CLASSIFIED information, the user must perform the following:
If an unclassified LAN session was/is in progress, the user must log off of the LAN, the unclassified hard disk drive must be removed, and the entire system, including peripherals powered down.
The A/B selector switch must be repositioned to the "B" position.
The classified removable hard disk drive will be placed in the hard drive receptacle (in the computer) and the computer will be powered on.
After completing classified processing, remove the classified hard disk drive, perform all required sanitization routines as specified in paragraph 10.5 of this plan, including turning off the power to the entire system and repositioning the selector switch to the "A" position. The user may now proceed to process unclassified information.
5.5.2 Classified PC Connected to both a Classified LAN and an Unclassified LAN
Accredited PCs (approved to process classified information) may be connected to both an unclassified LAN and a classified LAN only when all of the conditions specified in this paragraph are met:
The PC must not be configured with fixed hard disk drives.
The PC must be configured to use removable hard disk drives.
The user must have at a minimum two separate removable hard disk drives: one to access the classified LAN and to use for stand-alone classified processing, and one to access the unclassified LAN and to use for stand-alone unclassified processing. The hard drives will be marked and stored as required in paragraph 10.4 of this plan.
The PC must be configured to boot (load the operating system) from the removable hard drives, and the PC's operating system must not allow "hot swapping" (the removal of one drive and insertion of another without interrupting LAN connectivity). This will (initially) be accomplished by signature packet selection: the hard drive signature packets (established by the LAN configuration file during boot-up) will be set at a value of "3" for the classified hard drive and a value of "0" for the unclassified hard drive, so that a drive swapped in without a reboot does not match the session that was established at boot.
An approved mechanical switching device will be used as an interface and positive disconnect between the PC and the LAN connections. See paragraph 5.7 for a list of approved mechanical switch boxes. The A/B selector switch will be marked with an "Approved for Classified" sticker on the top or side where it can be easily seen. Additionally the switch will be marked to indicate "A" as "Unclassified" and "B" as "Classified". The A/B switch box will be configured in a manner that connects the unclassified LAN cable to the "A" connector port, and the classified LAN cable to the "B" port.
Before processing CLASSIFIED information, the user must perform the following:
If an unclassified LAN session was/is in progress, the user must log off of the LAN, the unclassified hard disk drive must be removed, and the system powered down.
The A/B selector switch must be repositioned to the "B" position.
The classified removable hard disk drive will be placed in the hard drive receptacle (in the computer) and the computer will be powered on.
The user will follow established login procedures to access the classified LAN.
After completing classified processing, the user will remove the classified hard disk drive, perform all required sanitization routines as specified in paragraph 10.5 of this plan, including turning off the power to the entire system and repositioning the selector switch to the "A" position. The user may now proceed to process unclassified information.
5.6 Maintenance Swap Controls
Hardware and software systems occasionally suffer failure due to old age, manufacturing defects, and other, normally unforeseen, reasons. When failures occur, maintenance personnel normally replace the affected hardware or software items with like (same manufacturer, model, and version numbers) items in good repair, and the affected items are turned in for repair or replacement and returned to the supply stock. If like items in good repair are not available as "loaners" or replacements, then compatible items are sometimes used. If the item being replaced is the CPU and the replacement is identical, the system does not have to be reaccredited; however, the individual security plan (Attachment 5) must be updated to show the DOE property number of the replacement CPU, and a copy of the updated Attachment 5 submitted to the CSSM with a note that the CPU has been replaced. If the affected item cannot be replaced with a like item, the U/SO must notify the CSSO, who must then gain reaccreditation of the "new" or "changed" system (Paragraph 17 may also be applicable).
5.7 Approved Mechanical Switch Boxes
The following mechanical switch boxes are currently approved for use with classified PCs: SW045A, QVSCA284-2, and SW046A-FFMFF.
6. PERSONNEL SECURITY
6.1 Clearance Verification
The security clearance level and "need-to-know" of any potential U/SO will be verified by the CSSO prior to granting the U/SO access to an accredited AIS. The CSSO will verify each U/SO's clearance level by checking his or her DOE Identification Badge.
Temporary use of an accredited stand-alone AIS by a person other than the assigned U/SO may be granted, only after the temporary user's clearance and AIS security-related training is verified by the assigned U/SO or CSSO. The U/SO or CSSO granting temporary access must ensure the temporary user is aware of the contents of the documents listed at paragraph 13.1 and has signed the Annual User/Security Officer Acknowledgement of Compliance Responsibilities Form (Attachment 1) cited in paragraph 13.2. Temporary use of an accredited AIS that is connected to a STU-III device may also be permitted, but only within the additional limitations and procedures documented in Section 2.0 of the Headquarters Security Officer's STU-III Procedural Guide.
Organizations must ensure that appropriately cleared and security-trained personnel are assigned to repair or support AIS in the classified environment, or that non-cleared maintenance personnel are escorted. The Office of Information Management, HR-4, provides only cleared personnel (cleared for the highest classification level and most restrictive category of information for which the AIS are accredited to process) to service and maintain accredited AIS without the need to be escorted. If an accredited AIS is maintained by an organization other than HR-4, the U/SO must include procedures in the Individual Security Plan for ensuring that maintenance and support personnel are appropriately trained and cleared - or describe the alternative methods employed to ensure the security of the system during maintenance or support activities.
6.2 U/SOs' Responsibilities
U/SOs will verify with the Data Owner (if someone other than the U/SO) and the CSSO that any personnel requesting access to their accredited AIS or information possess the proper security clearance and "need-to-know" commensurate with the highest classification level and most restrictive category of information processed on the AIS prior to granting access.
When a PPC is being used in a location within the Germantown or Forrestal buildings other than the primary or storage location, the U/SO will ensure that the security clearance and need-to-know of individuals in the immediate area where the processing is taking place is consistent with the classification level of the information being processed. Additionally, if the area where the PPC is being used is under the jurisdiction of another CSSO, approval to process must be obtained from that CSSO before processing can begin. The "Accredited Portable Computer Validation Card" (Attachment 7), carried by the U/SO of a PPC, will be used to provide evidence that the PPC is accredited for processing classified information.
Paragraph 7.4 provides guidance for U/SOs who need to transport and use an accredited PPC to process classified information at a location other than the Germantown or Forrestal buildings.
The classified removable hard disk drive must be transported separately from the PPC in accordance with the requirements stated in the DOE Headquarters Facilities Master Security Plan, Chapter XI Classified Matter Protection and Control.
7. PHYSICAL SECURITY
7.1 Building Access
See the DOE HQ Facilities Master Security Plan, Chapter IV, Physical Protection Program, for details on building access controls.
7.2 Additional AIS Security Procedures
The following are additional security guidelines which are meant to supplement DOE Headquarters Facilities Master Security Plan, Chapter XI, Classified Matter Protection and Control (CMPC). This chapter contains exacting procedures to protect classified information. Individuals processing classified information must comply with Chapter XI:
(Note: Chapter XI outlines requirements for: Classifying, reviewing and releasing classified documents; storage of classified matter; protection of classified matter while in use; accountability; top secret accounts; reproduction; transmission of material; and destruction.)
Individuals accessing the classified media/system must be cleared to the level and category of information and have a verified need-to-know.
The AIS shall be sanitized in accordance with Paragraph 10.5, HQ Master AIS Security Plan.
Classified media must be stored in accordance with Para 3, Chapter XI, DOE Headquarters Facilities Master Security Plan.
A placard (DOE F DP/0018/1 or its multi-color, unnumbered replacement) depicting the processing classification level will be posted.
The video display and printed matter containing classified information will be oriented so that they cannot be seen from outside the security area (i.e., the door to the area will be closed, and blinds closed if the display screen can be seen from the windows). A "Limited Area" or "Exclusion Area" sign will be posted on the outside of the door.
All personnel without a clearance and need-to-know commensurate to the system accreditation will be excluded from the immediate area where classified processing is taking place.
7.3 Security Areas for PCs and PPCs.
PCs and PPCs accredited to process classified information within the HQ complex (Germantown and Forrestal buildings) must be physically located within:
A vault or vault-type room authorized for the open storage and the processing of classified information; or,
Limited area: A security area which is established for protection of classified matter where security officers or other internal controls can prevent access to classified matter by unauthorized persons; or,
Exclusion area: A security area which is established for protection of classified matter where mere presence in the area would normally result in access to classified information.
7.3.1 Vaults
Vaults or vault-type rooms are well defined in DOE 5632.1C and DOE M 5632.1C-1. Stand-alone PCs and PPCs located in these areas do not have to be attended when processing classified information. However, when PCs/terminals are connected to a classified network or other classified computers, they must be attended by personnel authorized to access the information on the network or the computer/terminal must be logged off the network.
7.3.2 Limited Areas/Exclusion Areas
The following procedures will be used to secure accredited PCs and PPCs within limited areas and exclusion areas:
When they are not attended by a person cleared to the level and category of system accreditation:
The AIS shall be sanitized as described in paragraph 10.5 and have all classified information (media) removed and stored in an approved security container as defined by DOE 5632.1C and DOE M 5632.1C-1.
The color transfer rolls shall be removed from color printers that use that technology and placed in an approved security container.
Crypto ignition keys shall be removed from STU-III SV/DSs and SDDs and stored on the terminal user's person or in an approved security container.
If multiple systems are located in a common area, and all the U/SOs assigned to these systems do not have a common need-to-know, then each U/SO is responsible for controlling physical and visual access to their system and sanitizing and securing his or her assigned system before leaving it unattended.
For exclusion areas the last U/SO to leave the area must lock the door and, if at the end of the work day, annotate the Security Container Check Sheet.
When the AIS located within these areas are being used to process classified information:
They must be attended by a U/SO with a clearance commensurate to the level of system accreditation and with a need-to-know for all of the information contained on the system.
A placard (DOE F DP/0018/1 or its multi-color, unnumbered replacement) depicting the classification level of the information being processed will be posted.
The video display and printed matter containing classified information will be oriented so that it cannot be seen from outside the exclusion area or the door to the area will be closed. An "EXCLUSION AREA" or "SECURITY AREA" sign will be posted on the outside of the door. Blinds will be closed if display screens can be seen from a window.
All personnel without a clearance and need-to-know commensurate to the system accreditation will be excluded from the immediate area where classified processing is taking place.
7.4 Transporting Classified PPCs Outside Headquarters
When there is a need to transport and use an accredited PPC to process classified information at a location other than the Germantown or Forrestal buildings, the U/SO must have the PPC accredited by the cognizant CSOM; i.e., the Rocky Flats CSOM must accredit a HQ PPC when that PPC is to be used to process classified information at Rocky Flats. The cognizant HSO must be consulted for specific requirements and guidance.
7.5 AIS Placement and Control
7.5.1 PCs
Once installed, accredited AIS equipment may not be moved from the room in which it was installed by anyone without the express permission of the CSSO. It must remain in the room where it was installed until its movement or reinstallation elsewhere is approved by the CSSO. The CSSM will provide the CSSO an "Approved For Classified" label that must be affixed to each peripheral and the main system cabinet of the accredited AIS prior to commencement of classified processing.
7.5.2 PPCs
An accredited PPC may be assigned to an individual U/SO or may be assigned to a pool of portable computers for temporary assignment to users. Data files are to be encrypted using the DES or other approved encryption when they are stored to provide need-to-know protection. When PPCs are accredited an "Accredited Portable Computer Validation Card (Attachment 7)" is assigned to the individual unit. This card must be carried by the U/SO whenever the computer is in his/her possession. The "Approved for Classified" stickers are not used on PPCs.
7.6 Peripheral Sharing
Peripheral sharing between accredited systems and non-accredited systems constitutes a risk of unauthorized disclosure. Due to this risk, U/SOs must exercise extreme caution at all times to ensure that output from a shared device receives the proper security considerations.
Accredited systems may only share peripheral devices with non-accredited systems under the following circumstances:
a. All elements of the systems must be located in the same room and within the view of the U/SO of the accredited system.
b. Only printers, plotters, and scanners may be shared.
c. Only mechanically switched connection devices (e.g., A/B or X switch boxes) or temporary direct connect/disconnect cable may be used. Electronically switched devices (e.g., Logical Connection) are prohibited.
d. Before attaching an accredited system to a peripheral shared by a non-accredited system, the CSSO must ensure:
(1) that the Individual Security Plan for the accredited system identifies the intention to share peripherals with a non-accredited system;
(2) that Sections V and VI of the Individual Security Plan be updated to specify the conditions under which the two systems can share a peripheral without causing undue risk of disclosure; and,
(3) that the CSSM has approved the updated Individual Security Plan.
8. TELECOMMUNICATIONS SECURITY
Each communications link used to support an accredited AIS is protected commensurate with the level of classification and category of the information for which the system is accredited. The protection features of each link are implemented in accordance with DOE 5300.3D, Telecommunications: Communications Security, and DOE 5300.2D, Telecommunications: Emission Security (TEMPEST).
The only dial-up, point-to-point communications authorized for use with classified information among accredited PCs, PPCs, and other automated information resources (e.g., host computers) are those provided by National Security Agency-approved encryption devices (e.g., KG-84s and the STU-III family of devices).
8.1 Commercial Non-encrypting Modems
The use of any internal or external modem, FAX/modem, or dial-up capable datapath unit to process unclassified information with an accredited PC or PPC represents a very high risk and is therefore prohibited except under the following circumstances.
If the U/SO of an accredited PC or PPC needs unclassified communications capability to perform their official duties, and that service is either not available, impractical, or otherwise cannot be accomplished through an unclassified LAN, then a Statement of Security Risk (Attachment 8) must be executed. Additionally, Section VI (Deviations from DOE HQ Master AIS Security Plan) of the Individual Personal Computer Security Plan (Attachment 5) must be completed and the system must be reaccredited.
Once Accredited, PCs and PPCs operating under the provisions above must adhere to the following procedures:
The modem and/or FAX/modem must only be used to process unclassified information;
Data communications software may only be installed on the unclassified removable hard disk drive, unless the system has an authorized connection to a STU-III device or an accredited classified LAN;
The modem or FAX/modem must be connected to the telephone line through an approved mechanical switching device (A/B switch) that provides a positive disconnect from the phone line when processing in the classified mode. The unclassified telephone line must be connected to the "A" side of the switch and nothing connected to the "B" side of the switch;
When processing unclassified information, all classified media must be removed from the PC or PPC and stored in an approved security container. The entire PC or PPC configuration must be sanitized by turning off power including removal of PPC batteries prior to turning the A/B switch to the position for unclassified processing;
The unclassified removable hard disk drive is then inserted into the PC or PPC and the system rebooted.
The following protection considerations apply in all cases of accredited AIS classified communications at the DOE HQ.
8.2 STU-III Secure Voice/Data Set (SV/DS)
These procedures outline the minimum requirements for use by an AIS of a STU-III SV/DS (the variety of models supporting both voice and data) as an encryption device for the limited, nonscheduled, point-to-point transmission of ad hoc data. Use of a STU-III SV/DS for the scheduled transmission of classified information is not covered by this plan. In such cases, the requirements of DOE M 5639.6A-1, relating to the accreditation of networks, must be met.
Section IV of Attachment 5 will be appropriately annotated and the system accredited by the CSSM prior to use. An "Approved for Classified" label must be affixed to the STU-III SV/DS prior to any classified data transmission.
To initiate secure data transmission, a valid Cryptographic Ignition Key must be locked into the STU-III SV/DS and confirmation of the secure mode must be received and indicated.
Properly cleared personnel with the proper "need-to-know" must be present at both terminals, during the entire period of interconnection. This ensures by visual verification that the proper classification level and identification information of the STU-III SV/DS display matches the classification of the data being transmitted and the recipient's need-to-know.
It is the responsibility of both sender and receiver to ensure that no data is transmitted that is of a higher classification level or more restrictive category than their highest common clearance/access level.
Removable hard disks in the AIS must be the same level of classification and category as the data to be processed. To prevent a higher classification of data being sent than is authorized, visual inspection of the data before transmission by the sender is mandatory.
A log (a blank example may be found at Attachment 2) will be used to show the use of the STU-III SV/DS with the AIS. The log will identify the distant end, time of use, level of classification, and the type of data transmitted and/or received.
8.3 STU-III Secure Data Device (SDD) Model 1900/1910
These procedures outline the minimum requirements for using SDDs as the primary means for protecting point-to-point communications between accredited AIS and the accredited HQ IBM ES/9000 host computer within the DOE HQ or in point to point operation with other devices external or internal to the HQ.
Installation, operation, maintenance, and removal of each SDD terminal will be in accordance with procedures presented in the STU-III Procedural Guide.
The Secure Access Control System (SACS) is implemented at each host-end SDD, providing a "good guy" list that ensures only authorized access from calling SDDs.
To initiate secure data transmission, a valid Cryptographic-Ignition Key must be properly inserted into the SDD and confirmation of the secure mode must be received and indicated before communications can proceed.
The U/SO may not leave the SDD unattended while it is in the secure mode of operation.
When not in use, the crypto-ignition key must be removed from the SDD and either carried on the user or stored in a repository authorized for the classification level of the SDD.
8.4 Emission Security
The CSSO ensures a pre-installation site survey is performed to ensure that the site is suitable for accredited system placement. Aperiodic checks are also performed by the CSSO and the CSSM to ensure continued compliance.
Classified AIS (the entire system, including peripheral devices) must be at least 6 inches from any part of an unclassified AIS (entire system, including peripheral devices) and at least 2 inches from unclassified transmission media (e.g., telephone lines, data lines, alarm lines, etc.)
In the situation where a classified PC shares a peripheral device (such as a printer) with an unclassified PC, both PCs must be separated from the shared device and from each other by at least 6 inches.
The separation requirements specified above do not apply to AIS located in the Forrestal building room GA-301, the Emergency Operations Center, and the Communications Center. Separation requirements for these facilities are specified in the applicable TEMPEST Plan, maintained by the Headquarters TEMPEST Coordinator, HR-433. The TEMPEST Coordinator should be consulted for those systems planned for these areas.
8.5 Wireless Communications (Infrared Ports)
The use of wireless communications (infrared) ports found on most PPCs to interface with printers and other peripheral devices is strictly forbidden when processing classified information. These ports must be disabled on all accredited PPCs and peripherals by covering the window with a numbered security seal or physically removing the infrared transmitter.
9. SOFTWARE SECURITY
9.1 Access Control
AIS that do not have DOE-approved hardware and/or software security programs (e.g., the Watchdog or similar programs) installed rely exclusively on the administrative and physical security access controls contained in this plan.
9.2 Prohibited Software
Unauthorized software is prohibited on DOE AIS that are accredited to process classified information. Unauthorized software consists of:
any personal, commercial, shareware, or public domain software application, operating system, or utility software package that has not been introduced into the DOE HQ environment through procurement and distribution channels approved by HR-4, and that has not been approved for use on a specific accredited AIS by the assigned CSSO after testing.
any software that was not developed within a secure environment and that was not properly tested and approved for use on a specific accredited AIS by the assigned CSSO after testing.
The Windows terminal function must be disabled by deleting the program "TERMINAL.EXE" (in the accessory group) on all accredited personal computers (the classified removable hard disk).
E - Mail software (including the mail feature in WordPerfect) is prohibited (and must be removed if installed) on the classified removable hard disk for all accredited personal computers, except those connected to a classified LAN.
9.3 Software Vulnerabilities
Commercial off-the-shelf (COTS) software packages often contain features that are designed to save the user time and make their job easier. Occasionally, features designed to make a job easier may actually create vulnerabilities, especially when classified or sensitive unclassified information is involved. The following are software features that present potential vulnerabilities, and the safeguards that will mitigate those vulnerabilities.
The WordPerfect for Windows version 6.1 "Undo/Redo History" function is a potential security vulnerability. This function allows users to recall and undo changes or deletions made to a document during its creation. The number of sequential changes retained that can be undone is selectable by the document's author - the default being 10, but the author/editor may set it to as high as 300 retentions. WordPerfect makes this capability possible by storing the changes within the document. This is not readily apparent to the user. Therefore, a change that has been previously performed can then be recovered any time in the future by the author or any subsequent person who has been given the document. While this may be a very desirable feature during document creation and editing, there is the potential for unauthorized release of classified or sensitive unclassified information.
The Undo/Redo History function can be turned on and off. When turned off, deleted and changed text is not saved with the document. It is recommended that this option be disabled or set at the minimum level to minimize the threat of information compromise. The option must be disabled and the document saved prior to executing TRCOPY to migrate unclassified data from classified media; saving with the history still enabled leaves earlier (possibly classified) revisions embedded in the file that is copied. It should be kept in mind that this capability also exists in other versions of WordPerfect and in other user-friendly software.
9.4 Trusted Copy Program (TRCOPY)
The Trusted Copy Program (TRCOPY) is designed for use in classified areas when the need exists to migrate an unclassified file from the classified environment of an accredited system to an unclassified environment.
TRCOPY provides safeguards to ensure that only the designated information is actually copied and that the target diskette contains only the intended information.
The diskette containing TRCOPY is not classified and will not become classified by using it to move unclassified files. If it is used to move classified files, the diskette will become classified and must be protected at the appropriate level.
TRCOPY operates under DOS, version 3.2 or later, on the IBM PC or compatible microcomputer.
It is the responsibility of the U/SO to ensure that the files being copied to the TRCOPY diskette do not contain any classified information. If this should occur, then the diskette must be marked, processed, protected, and destroyed according to the highest level and most restrictive category of the information it contains.
Copies of the Trusted Copy program and documentation may be acquired from the CSSM computer security support team 903-2106 or 903-0611 in Germantown or 586-5346 at the Forrestal building.
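The plan describes what TRCOPY must guarantee (only the designated files are copied, and the target diskette contains only the intended information) but not how it is built. The following Python script is an added example of the checks a trusted-copy tool of this kind has to make; it is not the DOE TRCOPY program. The function names (trusted_copy, verify_target), the hash algorithm, the "diskette" directory standing in for the target medium, and the sample files are all constructed for illustration.

```python
# Added example: a minimal trusted-copy check in the spirit of TRCOPY.
# This is NOT the DOE TRCOPY program; the plan does not describe its internals.
# Function names, the sample files and the "diskette" directory are
# assumptions constructed for illustration.
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def trusted_copy(sources, target_dir) -> dict:
    """Copy exactly the named files to target_dir and return a manifest
    {name: sha256} of what the target is supposed to contain.

    The target must be empty: a medium that already holds anything cannot
    be shown to contain only the intended information."""
    target = Path(target_dir)
    target.mkdir(parents=True, exist_ok=True)
    if any(target.iterdir()):
        raise ValueError(f"target {target} is not empty; refusing to copy")
    manifest = {}
    for src in map(Path, sources):
        if not src.is_file():
            raise FileNotFoundError(f"{src} is not a regular file")
        if src.name in manifest:
            raise ValueError(f"duplicate target name {src.name}")
        shutil.copyfile(src, target / src.name)
        manifest[src.name] = sha256_file(src)
    return manifest


def verify_target(target_dir, manifest) -> list:
    """Re-read the target and return a list of discrepancies. An empty list
    means the target holds exactly the manifest's files with matching hashes."""
    problems = []
    found = {}
    for p in Path(target_dir).rglob("*"):
        if p.is_file():
            found[p.name] = p
        else:
            # A sub-directory is also "something other than the intended information".
            problems.append(f"unexpected directory on target: {p.name}")
    for name in sorted(found):
        if name not in manifest:
            problems.append(f"unexpected file on target: {name}")
    for name, digest in manifest.items():
        if name not in found:
            problems.append(f"missing from target: {name}")
        elif sha256_file(found[name]) != digest:
            problems.append(f"content mismatch on target: {name}")
    return problems


def demo() -> dict:
    """Constructed scenario: classified media holding two unclassified files
    and one classified file; only the unclassified pair is migrated."""
    with tempfile.TemporaryDirectory() as tmp:
        media = Path(tmp) / "classified_media"
        media.mkdir()
        (media / "memo.txt").write_text("Unclassified meeting notes\n")
        (media / "budget.csv").write_text("item,cost\npens,12\n")
        (media / "SECRET_plan.txt").write_text("[constructed classified text]\n")

        diskette = Path(tmp) / "diskette"
        manifest = trusted_copy([media / "memo.txt", media / "budget.csv"], diskette)
        clean = verify_target(diskette, manifest)

        # Simulate a stray file reaching the diskette after the copy.
        (diskette / "SECRET_plan.txt").write_text("[constructed classified text]\n")
        dirty = verify_target(diskette, manifest)

        # A further copy onto a diskette that is no longer empty must be refused.
        try:
            trusted_copy([media / "memo.txt"], diskette)
            refused = False
        except ValueError:
            refused = True
        return {"copied": sorted(manifest), "clean": clean,
                "dirty": dirty, "refused": refused}


if __name__ == "__main__":
    print(demo())
```

The verification step re-reads the medium rather than trusting the copy loop's own bookkeeping, which is the point of the "target contains only the intended information" requirement: a stray file, a leftover sub-directory, or a file that no longer hashes to what was copied are all reported. What the script cannot do is decide whether the copied files are in fact unclassified; per paragraph 9.4 that remains the U/SO's responsibility.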
10. ADMINISTRATIVE SECURITY
The following procedures have been established to ensure that all AIS within HQ facilities have adequate administrative controls to restrict access to the appropriate U/SOs and to ensure the protection of classified AIS assets.
10.1 Configuration Management
Configuration management procedures are used to ensure that development and changes to an AIS take place in an identifiable and controlled manner.
The following four specific aspects of configuration management are used to provide assurance that modifications in the environment of the AIS do not adversely affect the security of that system.
10.1.1 AIS Configuration Identification
Configuration identification employs the identification of system components and documentation that supports security control procedures. In the Master AIS Security Plan, requirements stipulate the necessary controls that will be used. Attachment 5, Individual Security Plan, provides the necessary support documentation. The following criteria are either in the Master AIS Security Plan or will be identified in Attachment 5, thereby establishing a system baseline to be used as a reference.
Security control procedures, e.g., Personnel, Physical, Telecommunications, Software, Administrative.
Modification control procedures.
System-specific design documentation.
Major Equipment Component Identification, Attachment 5.
Equipment Configuration, Attachment 5.
CSSO Certification date, Attachment 5.
CSSM Accreditation date, Attachment 5.
10.1.2 AIS Configuration Control
The task of configuration control is performed by subjecting system components and documentation to a review and approval process within the computer security organization. Configuration control is implemented by the Modification Controls, paragraph 5.4. Modification controls identify the procedures used to evaluate, coordinate, and submit for approval requests for AIS modifications.
10.1.3 AIS Configuration Status Accounting
Status accounting is possible through both manual and online systems. The U/SO and CSSO account for the requirements defined in paragraph 10.1.1 by means of the documentation required by this plan. The CSSM monitors the accreditation process and maintains accreditation files.
10.1.4 AIS Configuration Auditing
Configuration auditing is accomplished via the review processes embodied in the Classified AIS Security Program life cycle. Initially, the CSSO conducts an assurance review before recommending the system for certification. The CSSO also has the authority to exercise security oversight, at any time, over AIS within his/her responsibility to ensure that all control procedures identified in the Master AIS Security Plan are used. The CSSM provides oversight on security control procedures by providing the initial certification review and through periodic program compliance reviews. This continual auditing program assures that the criteria stated in AIS configuration identification are met.
10.2 Access Controls
Physical access control procedures are identified in paragraph 7, Physical Security.
Most, if not all, 386/486-based personal computers have the ability to set "Power On" and "Keyboard" passwords. These features are easily defeated by knowledgeable operators (for example, by clearing the setup memory that stores them). These specific types of "password" should only be relied upon to provide a minimal added layer of security for the AIS, and should only be used in conjunction with other approved physical security safeguards when the AIS is not attended.
PPCs may be used in any limited area, however they cannot be left unattended. When unattended, PPCs must have the removable classified hard disks removed and stored in an approved security container, and the PPC must be sanitized by not only turning off the power switch, but the battery must also be removed.
Because PPCs are not permanently installed, special care must be exercised when processing classified information. The following precautions must be taken:
Orient the computer where the screen and any printed material cannot be viewed by uncleared individuals.
Maintain proper separation from other electronic devices, telephones, and electrical equipment.
Post a "Classified Processing Do Not Enter" sign on the door to the room and close it.
10.3 Installation Control Procedures
Control is applied at various checkpoints prior to the installation of an AIS earmarked for classified processing. AIS equipment received at DOE from the manufacturers is immediately controlled and securely stored. Those items of equipment to be used for classified processing are selected at random from the store of existing stocks immediately prior to installation. This practice precludes the equipment from being targeted specifically for a classified installation until the last possible moment before the installation process.
10.4 Media Security
Access to AIS storage media (i.e., magnetic disks or tapes, compact disks (CD ROM), paper, or printer ribbons) containing classified data will be restricted to individuals possessing the appropriate DOE clearance and approved need-to-know.
10.4.1 Marking of Removable Magnetic Media
10.4.1.1 Marking During Classified Sessions
The following marking and handling requirements do not apply to unclassified compact discs used in systems with read only CD drives. Unclassified CDs used in read only CD drives remain unclassified even after being used during a classified processing session.
Prior to beginning a classified processing session on an accredited AIS, all removable magnetic media to be used during the session will be appropriately labeled for protection. Standard Form SF 709 ("CLASSIFIED" label) is no longer allowed per DOE M 5639.6A-1. Any storage medium currently labeled with SF 709 must be immediately reviewed and marked with the appropriate classification level and category. The appropriate classification label (examples are shown at Attachment 6, Labeling Diskettes) will be placed in the top right corner of 5 1/4-inch diskettes. If known, the highest classification and most restrictive category of data stored on the magnetic media may be identified on the first line of Standard Form (SF) 711, Data Descriptor Label (optional), or if SF-711 is not used, the category must be entered on the classification label. Standard Form (SF) 711, Data Descriptor Label, may either be placed in the top-left corner, or on the left side under the manufacturer's label. All classified 3 1/2-inch diskettes may have SF 711 or equivalent placed in the center of the diskette label area with the appropriate classification label directly below (the excess is folded around the edge).
The marking and handling requirements for removable magnetic media do apply to systems with recordable CD drives.
Removable hard disks will be labeled in the same manner as 3 1/2-inch diskettes. Diskette folders and removable hard disk containers will be marked at the top and bottom, front and back, with the appropriate classification of data stored on the enclosed magnetic media. Most restrictive category markings will be placed in the lower left corner of the folder. Only properly labeled removable hard disks and diskettes are used to store or process classified data files. If a label is placed on the disk or folder to identify the individual documents contained on the disk, the appropriate portion marking designator will be placed parenthetically after the title of the document it governs.
All classified compact discs (CDs) must be physically marked on both sides with the appropriate classification and category. These markings are placed on the hub of the CD, which is the narrow blank space adjacent to the center hole. See the illustration in Attachment 6. One technique is to use a silk-screening method that permanently marks the disc; another option is to use a classification stamp with permanent indelible ink that won't rub off.
Warning: do NOT put any markings on the recording surface portion of the disc.
Also, certain types of ink may cause damage to the surface of a CD. Users may want to test mark a blank CD before using an untried marking device on a CD containing information.
10.4.1.2 Marking During Unclassified Sessions
Prior to being inserted into a sanitized, accredited AIS during unclassified processing sessions, unclassified magnetic media will be labeled with SF 710 ("UNCLASSIFIED" label). In addition, unclassified magnetic media known to contain sensitive information will be appropriately marked.
10.4.2 Marking of Fixed Magnetic Media
PCs with fixed internal hard disk drives (which must be permanently located in a vault approved for the open storage of classified information) will have marked on the front of each system the highest classification level and most restrictive category of data for which the system is accredited to process. PPCs with fixed internal hard disk drives may NOT be used to process classified information.
10.4.3 Storage Containers (Disk Holders)
Disk file folders or boxes, including those for compact discs, will be marked in accordance with paragraph 10.4.1, above, in the same manner as files or folders containing classified information.
10.4.4 Personal Computer Monitors
During classified processing sessions, colored classification marking signs or DOE/DP-0018/1, Department of Energy Computer/Terminal Sensitive Data Warning Signs (sometimes referred to as a security flip-chart or tent sign) identifying the highest classification level and most restrictive category of information the AIS is accredited to process will be prominently displayed.
10.4.5 Printouts
Specific guidance for reviewing, handling, storing and marking can be found in Chapter XI, paragraphs 2 through 6 of the DOE HQ Facilities Master Security Plan.
10.4.6 Printer Ribbons
10.4.6.1 Dot Matrix Printer Ribbons
All dot matrix printer ribbons must, however, be destroyed as classified scrap in the manner described in paragraph 10.4.13, below.
Multiple-strike printer ribbons used in dot matrix printers during classified processing are exempted from security labeling. Multiple-strike dot matrix printer ribbons may remain in the printer (do not have to be stored in a safe) at all times, as long as the printer remains in a limited area within the Germantown or Forrestal buildings of the HQ.
Single-strike ribbons used in dot matrix printers during classified processing are not exempted from security labeling--they must be labeled with the highest classification and most restrictive category of the data they are used to process. Single-strike (e.g., carbon film) ribbons must be removed from the printer and stored in a safe when not in use or when the system is unattended or being used in an unclassified mode.
10.4.6.2 All Other (Non-Dot Matrix) Printer Ribbons
Non-dot matrix printer ribbons used in classified processing sessions will be marked with the highest classification level and most restrictive category of information for which the AIS is accredited to process. Non-dot matrix printer ribbons used during unclassified processing sessions (on sanitized AIS that have been accredited for classified processing) will be marked with "UNCLASSIFIED" or "SENSITIVE UNCLASSIFIED," as the case may be.
10.4.7 Toner Cartridges
(Sanitized) toner cartridges may be left in laser printers until they are depleted without being marked with a classification label. Depleted toner cartridges that have been sanitized in accordance with the procedures stated in Paragraph 10.5.3 need not be marked as long as they have been sanitized and will be returned to non-cleared sources for reloading.
10.4.8 Color Printer - Color Transfer Rolls
Some color printers use a color transfer roll in place of a ribbon or toner cartridge. Once used, the information that has been printed can be read on the roll. For this reason separate rolls must be used during classified and unclassified operations. The roll used for classified information must be marked and protected as specified for single-strike (carbon film) ribbons (see paragraph 10.4.6.1, above). When the classified roll is depleted and replaced it must be destroyed appropriately (see paragraph 10.4.13, below).
10.4.9 Media Storage
All classified removable media, when not being used by the system (i.e., diskette/removable hard disk, CDs, ribbon(s), hard copy reports, etc.), will be stored in a security container that is approved for the highest classification level and most restrictive category of data stored on the media.
10.4.10 Classified Software Protection
Media containing the operating and software systems used for classified processing sessions will be labeled and protected as appropriate for the highest level of classification and most restrictive category of information for which the AIS is accredited to process. When the accredited AIS is used for periods processing (for alternating classified and unclassified sessions), separate software systems must be maintained on separate media (removable hard drive, diskette, etc.); a classified version for use during classified sessions and an unclassified version for use during unclassified sessions.
10.4.11 Magnetic Media Sanitization Procedures
Sanitization refers to the elimination of classified information from (declassification of) magnetic media to permit the reuse of the media at a lower classification level or to permit the release to uncleared personnel or personnel who do not possess the proper information access authorizations.
There is currently no acceptable method for sanitizing magnetic media. Magnetic media that is unusable or no longer needed must be destroyed using the destruction procedures cited in paragraph 10.4.13. Magnetic media should be "cleared" before being released to the destruction process. Clearing procedures follow in the next paragraph.
10.4.12 Magnetic Media Clearing Procedures
"Clearing" magnetic media refers to a procedure by which classified information recorded on the media is removed, but the totality of declassification is lacking. Clearing is a procedure used when the magnetic media will continue to be safe-guarded within the controlled environment. Magnetic media will be cleared by overwriting the media a minimum of one time with any one character. Verification of the overwrite process may be accomplished by random reread of the overwritten information to determine that only the overwrite character can be recovered.
Cleared magnetic media may be reused or released for destruction; however, it will be marked and controlled at the level of the highest classification of data ever recorded.
The programs "CLRDSK.EXE," "CLRDSKC.EXE," and "CLRDISK.COM," previously used to clear magnetic media are no longer approved for use at DOE Headquarters.
The approved method to accomplish magnetic media clearing now uses the Norton Utilities for DOS (version 5.0 or higher) "WIPEINFO" program. This utility offers much more flexibility than the CLRDSK programs. Options are available that allow the entire disk, specific files on the disk, the unused portions of the disk, or the slack area of the disk to be cleared. Another option is "Wipe Methods", which offers two choices: FAST WIPE and GOVERNMENT WIPE. FAST WIPE satisfies the minimum DOE HQ requirements. GOVERNMENT WIPE provides additional assurance by writing 0s (zeros) followed by 1s (ones) 3 times, then writing the character with the decimal value 246 one time. For more information on the WIPEINFO utility consult your technical support personnel, or the computer security support team 903-2106 or 903-0611 in Germantown or 586-5346 at the Forrestal building.
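The clearing procedure described in paragraph 10.4.12 (at least one overwrite pass with a single character, the GOVERNMENT WIPE pattern of 0s and 1s three times followed by decimal 246, and verification by random reread) carried out over a file, as an added Python example. This is not the WIPEINFO or CLRDSK code; the pattern constants, the function names, and the temporary sample file are constructed for illustration.

```python
import os
import random
import tempfile

# Overwrite patterns mirroring the text of paragraph 10.4.12.  These constants
# are constructed for this example; they are not the WIPEINFO or CLRDSK code.
FAST_WIPE = [b"\x00"]                                        # one pass with any single character
GOVERNMENT_WIPE = [b"\x00", b"\xff"] * 3 + [bytes([246])]    # 0s then 1s, three times, then decimal 246

CHUNK = 64 * 1024  # bytes written per write() call


def overwrite_passes(path, passes):
    """Overwrite every byte of the file at `path` in place, once per pattern.

    Each element of `passes` is a one-byte pattern.  The file length is not
    changed.  Returns the number of passes performed.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for pattern in passes:
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(pattern * n)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # make sure each pass reaches the device
    return len(passes)


def verify_by_random_reread(path, expected_byte, samples=256, seed=None):
    """Random reread check from paragraph 10.4.12: sample offsets and confirm
    that only the final overwrite character can be recovered.

    Returns the sorted list of sampled offsets whose contents differ from
    `expected_byte`; an empty list means the overwrite verified.
    """
    rng = random.Random(seed)
    size = os.path.getsize(path)
    if size == 0:
        return []
    bad = set()
    with open(path, "rb") as fh:
        for _ in range(samples):
            off = rng.randrange(size)
            fh.seek(off)
            if fh.read(1) != expected_byte:
                bad.add(off)
    return sorted(bad)


def clear_file(path, method="GOVERNMENT"):
    """Clear (not declassify) a file: overwrite with the chosen method and verify.

    Returns True when the random reread finds only the final pattern.  Cleared
    media is still marked and controlled at the highest classification ever
    recorded on it (paragraph 10.4.12).
    """
    passes = GOVERNMENT_WIPE if method.upper() == "GOVERNMENT" else FAST_WIPE
    overwrite_passes(path, passes)
    return verify_by_random_reread(path, passes[-1], seed=0) == []


def demo(method="GOVERNMENT"):
    """Run the procedure on a constructed temporary file of made-up text.

    Returns (mismatches_found_before, verified_after, whole_file_is_pattern).
    """
    passes = GOVERNMENT_WIPE if method.upper() == "GOVERNMENT" else FAST_WIPE
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"SAMPLE TEXT - constructed, not classified\n" * 2000)
        path = tmp.name
    try:
        # Before clearing, the reread must find bytes other than the final pattern.
        before = verify_by_random_reread(path, passes[-1], seed=0)
        verified = clear_file(path, method)
        with open(path, "rb") as fh:
            data = fh.read()
        return (len(before) > 0, verified, data == passes[-1] * len(data))
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("GOVERNMENT wipe:", demo("GOVERNMENT"))
    print("FAST wipe:", demo("FAST"))
```

Overwriting a file this way clears only the blocks the file system currently maps to that file; the slack and unused areas that WIPEINFO offers as separate options are not touched.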
10.4.13 Destruction Procedures
Specific destruction procedures can be found in chapter XI of the DOE Headquarters Facilities Master Security Plan.
10.4.14 Document (or Media) Accountability
The definition for "documents" includes "AIS input and contents of equipment and/or media, including memory, punch cards, tapes, diskettes, removable hard disk drives, CD ROM, and visual displays."
Magnetic media which is used in a sanitized, accredited computer when it is operating in the unclassified mode (the removable hard disk drive marked Unclassified is in the system) does not have to be placed in an accountability system.
Removable magnetic media will be appropriately labeled as described in Paragraph 10.4.1, above. The space marked "Control:" on the optional SF 711, Data Descriptor Label, will contain the accountability control number for the diskette, if applicable. If SF 711 is not used, the control number will be written on the Standard Form classification label. Once magnetic media is appropriately marked with Secret labels, it will be entered into the accountable document inventory file, if applicable, maintained by the CSSO or classified document custodian.
Accountable documents/media that are to be destroyed in accordance with procedures stated in Paragraph 10.4.13, will be annotated on DOE F 5635.9, "Record of Destruction."
10.5 System Sanitization
The accredited AIS including all peripheral devices must be sanitized:
before being left unattended, see paragraph 12.3
during periods processing:
when ramping down from a session of higher level classification/category to a session of lower level classification/category.
before being used by another U/SO who doesn't possess the same need-to-know.
Before being repaired or sent off-site for repair by uncleared hardware technicians.
10.5.1 All AIS
To sanitize the system, all media will be removed and stored in accordance with classified media storing specifications. System memory (to include the printer buffer and the buffers of any other peripheral devices) will be sanitized or purged of classified information (This is accomplished by turning off the power for the entire system including all connected peripheral devices and battery backup (if present on anything but clock-function chips or other printed circuit boards) for at least one minute). The system must then be rebooted with a separate copy of the software system that has been reserved for use during unclassified processing sessions only.
10.5.2 PPCs
In addition to turning off external power (see 10.5.1 above), PPCs also must have the battery or power pack removed in order to sanitize memory.
10.5.3 Laser Printer Toner Cartridges
For AIS connected to a Laser printer at least five pages of unclassified information will be printed to sanitize and clear classified residual information associated with the toner cartridge. The program LASERSAN.EXE, written and distributed by the CSSM to U/SOs through their CSSO, should be run to sanitize classified laser printers connected to MS-DOS-based computer systems. LASERSAN.EXE, when executed, generates five pages of printed, unclassified information to sanitize any residual data in the laser printer toner cartridge and provides on-screen instructions to the U/SO for completing the sanitization of the printer and computer system by turning off power for at least one minute. Because LASERSAN generates a set series of characters (starting with a random character and excluding spaces and solid black), a distinct pattern of unclassified characters is printed on each of the five pages. These pages are then visually reviewed by the U/SO to verify the absence of classified residual data on each of the five printed pages. If they contain classified information, they will be destroyed in accordance with the highest classification level and most restrictive category of data for which the AIS is accredited to process and the process will be repeated.
In the event LASERSAN.EXE is not appropriate, the "TEST/FONT" function key on the main control panel of the laser printer can be used to produce these five pages (To print a "test" page, first press the "ON LINE" button once to switch the printer off line, then press the TEST/FONT button five times, once for each page of output. Finally, turn the printer off for at least one minute to clear any residual memory). These five pages will be reviewed to verify that they do not contain classified information before being destroyed as unclassified trash. If they contain classified information, they will be destroyed in accordance with the highest classification level and most restrictive category of data for which the AIS is accredited to process and the process will be repeated.
Once sanitized, the laser printer toner cartridge may be released to unclassified channels for replenishment.
Copies of the LASERSAN program may be acquired from the computer security support team 903-2106 or 903-0611 in Germantown or 586-5346 at the Forrestal building. The LASERSAN program and documentation may also be downloaded from the HR Home Page, whose URL is <http://www.hr.doe.gov/compsec/compsec.htm>.
10.5.4 Color Printer - Color Transfer Rolls
To sanitize color printers that use the color transfer rolls, in addition to turning off the power to the printer, the transfer roll must be removed, marked with the proper security classification level, and stored in an approved security container.
10.6 Host Computer Access Controls
U/SOs of AIS must use a valid user identification code (Userid) and password to authenticate their privilege to access an accredited host.
U/SOs that require access to the HQ mainframe applications must first apply for issuance of userid and passwords by submitting DOE-F-1450.5, Request for Timesharing Services and LOGON ID and DOE-F-1450.5A, Certification of Timesharing LOGON ID Owner Responsibilities, through their office management, and through the application system owner (Data Owner), to the Team Leader, Germantown Integrated Services Team, HR-441.
U/SOs that require access to LANs or other hosts must follow the application procedures for those computer resources.
10.6.1 User Identification Code and Password Controls.
10.6.1.1 HQ IBM Host
AIS connected to the IBM ES/9000 host computer must be identified and authenticated through the use of userids and passwords. Security on the host mainframe is highly dependent on the proper protection of the passwords used to access them. Password management is the responsibility of the mainframe CSSO. Password protection is the responsibility of the U/SO. Procedures for protecting passwords are described below. Initial passwords are machine-generated and issued to the new U/SO with the approval of the organizational CSSO, the mainframe CSSO, and the CSSM. The first time the U/SO logs on to the host system with the issued password, the U/SO is forced by the system to generate a new machine-generated password. This new password is known to no one other than the receiving U/SO. Under no circumstances may U/SOs create their own password. Passwords recorded by the U/SO shall be protected and marked in accordance with the procedures stated in the SA-123 (NN-512.3) Memorandum of May 3, 1993, regarding Protection of Combinations or Passwords.
Under no circumstances may a password be shared with or disclosed to any other individual. No U/SO should be knowledgeable of another U/SO's password. If a password is compromised, or a compromise is suspected, notify the CSSO or the CSSM immediately.
The System Administrator, HR-441, monitors password usage on a daily basis to reconcile access violation attempts and suspended or canceled userid and passwords.
If reinstatement is required (e.g., forgotten password), notify the System Administrator, HR-441.
10.6.1.2 Other Accredited Hosts
For reinstatement on other accredited hosts, follow procedures approved for that particular system.
10.6.2 Password Maintenance
U/SOs are to notify the application owner and the System Administrator, HR-441, when the U/SO no longer requires the need for access to the HQ IBM host (i.e., when changing jobs, organizations, etc.) so that userid and password will be suspended. For other accredited hosts, follow their notification procedures.
Use of passwords will conform to the guidance in DOE M 5639.6A-1, Attachment IX-2, Password Management.
U/SOs will change their passwords in accordance with the host procedures.
10.6.3 IBM ES/9000 Host Computer Access Control Mechanisms (Implemented in Software)
The add-on software security package, Access Control Facility 2 (ACF2), controls access to the accredited IBM ES/9000 host computer applications through the use of user identification codes and passwords. Before a U/SO can access this mainframe, the application system owner (Data Owner) must attest to the appropriateness of this U/SO's access and need to know in a request to the ACF2 system administrator. Through ACF2, the system administrator defines access levels down to the mini-disk level. ACF2 provides object protection and all passwords are stored in a one-way encrypted password file. Through ACF2, the system administrator controls access by terminal and/or port identification. Terminals and ports are logically disconnected based on terminal/port ID number, date, and time.
10.6.4 IBM ES/9000 Host Computer Access Control Mechanism (Implemented in Hardware Via STU-III Encryption Devices)
Hardware-oriented access control devices have been installed at the HQ in the form of National Security Agency-approved encryption devices (STU-III SDD Model 1900/1910) at each end of the communications lines that connect accredited AIS to the accredited host computer. Each SDD is placed into a secure mode by the insertion and turning of a pre-approved and programmed crypto-ignition key device into the SDD terminal. In reverse, sanitization is performed by turning the crypto-ignition key in the opposite direction and removing it from the SDD terminal.
The crypto-ignition key must be physically removed from the SDD before the accredited AIS can be sanitized/declassified and may not be inserted into the SDD during an unclassified session.
The responsible user of the crypto-ignition key, who is also the U/SO of the AIS, is required to be cognizant of the location and status of the crypto-ignition key at all times. This may be accomplished by the user carrying the crypto-ignition key on his or her person when the crypto-ignition key is not physically inserted in the terminal during a classified session or placing it in an approved security container.
All host-end SDDs used at DOE will utilize the Secure Access Control System (SACS), otherwise known as a "Good Guy" list. This system ensures that only the holders of authorized crypto-ignition keys and SDD terminals can access the SDDs physically connected to the accredited mainframe host computer. It further assures (since only host-end SDDs have the AUTO-ANSWER feature turned on) that terminal-end SDDs prevent access of the terminal AIS by other remote devices.
10.7 Property Removal Authorization
A properly completed and approved DOE Property Pass must be presented to the security guard before exiting a HQ complex building with any Government/DOE piece of AIS equipment, diskettes, magnetic cartridges, or removable hard drive cartridges, unless specifically exempted from the requirement by written authority. Classified magnetic media can only be removed from the HQ complex by a person who has specific authority to hand-carry classified matter in accordance with Chapter XI, Paragraph 10 of the DOE HQ Facilities Master Security Plan.
10.7.1 Removal of Accredited PPCs
Before an accredited PPC can be removed from the Headquarters complex for use to process classified information, the cognizant HSO must be consulted for requirements in addition to the ones specified in paragraph 10.7 above. Also see paragraph 7.1.5.
10.7.2 Removal for Repair
Before removing an accredited PC, PPC, or peripheral device from the room where it is installed for off-site repair all "Approved for Classified" stickers or other markings that indicate use to process classified information must be removed.
10.8 Analog or Digital Audio/Video Recording Capabilities of AIS
Microphones and video cameras in computers used in areas designated for classified or sensitive unclassified discussion must be disabled. Exceptions to this policy needed to support extenuating conditions (e.g., physically challenged users), and then only with the employment of additional safeguards (e.g., soundproofing), will be granted only after the user first obtains a deviation in accordance with Paragraph 4.f of DOE 470.1, Safeguards and Security Program, dated 9/28/95, and then approval by the Classified AIS Security Site Manager prior to enabling.
10.9 New and Emerging Office Technology
Some recently developed peripheral devices used with personal computers, such as multi-function printers (i.e., printers that can also operate as FAX machines and optical scanners) and internal and external modems that have voice capability, present a significant vulnerability in equipment to be used to process classified information. Many of these devices are equipped with internal secondary memory that is used to store information for diagnostic purposes to allow service technicians to quickly resolve problems. Another technology in wide use with PPCs is the wireless or infrared communications port used to interface with printers and other peripheral devices equipped with that technology. Wireless technology cannot be used when processing classified information. Before any equipment with these types of features can be used with an accredited AIS, a deviation must be acquired in accordance with Paragraph 4.f of DOE 470.1. See Attachment 8.
11. WASTE, FRAUD, AND ABUSE
11.1 Definition and Reporting
Incidents of waste, fraud, and abuse are to be reported in accordance with paragraph 14. The definitions are as follows:
Waste - Misuse of computer time (i.e., games, private use, use of unauthorized software), or resources, whether intentional or not.
Fraud - Illegal activities, including misrepresentation, personal gain, copyright violations.
Abuse - Intentional alteration or destruction of software, hardware, or information.
11.2 Review of System Files by the CSSO
A random sampling of files (100 percent of the files found on 10 percent of the systems assigned to the CSSO is required) is to be reviewed and documented at least semiannually by the CSSO. Attachment 3A, Waste, Fraud and Abuse Review Checklist for Accredited DOS Based Systems (which applies only to Microsoft/IBM Disk Operating System-based systems; Attachment 3B applies to Macintosh systems), is provided for the CSSO's use for this purpose. This documentation is required to list the files reviewed, identify any corrective and follow-up action found to be necessary, and certify that the AIS contain only legitimate government information, programs, and proprietary software (authorized and licensed to the specific AIS). This documentation is to be retained by the CSSO for one year.
Where the CSSO is the only user of a single system, no Waste, Fraud, and Abuse or Compliance Reviews are required of the CSSO--random reviews conducted by the CSSM will suffice.
11.3 Unannounced Reviews by the CSSM
During program compliance reviews, the CSSM reviews all evidence of the waste, fraud, and abuse checks that have been performed by the CSSO during the period prior to the review. Random, aperiodic reviews of program and data files on selected systems are also performed and documented by the CSSM. These reviews are unannounced.
11.4 Recognition of Copyrights and Licensing Agreements
Each HQ Element shall ensure compliance with licensing agreements for software packages used on accredited AIS within their respective organization. Documentation of this compliance shall be maintained within the HQ Element and will be reviewed by the CSSM during (re)accreditation and other Classified Computer Security Program reviews.
U/SOs must recognize and respect the copyright protection and licensing agreements applicable to commercially available software packages, and use the software accordingly. Copyright and licensing infringements are violations of Federal law.
11.5 Software Scan Program (SW-SCAN)
SW-SCAN is a software program developed by Battelle Memorial Institute, which operates the Pacific Northwest Laboratory for the DOE. The program was developed for the purpose of monitoring compliance with commercial software licensing agreement requirements. SW-SCAN is itself copyrighted by Battelle. DOE Headquarters has been granted use of the program to monitor software licensing compliance. Copies of SW-SCAN may be obtained from the CSSM computer security support team 903-2106 or 903-0611 in Germantown or 586-5346 at the Forrestal building.
12. RISK ASSESSMENT
A qualitative risk assessment has been performed for AIS at the Germantown and Forrestal facilities. This assessment is general in nature because it encompasses all AIS within these facilities. The level of protection provided each AIS is based on the U/SO's knowledge of the security procedures detailed in this plan.
12.1 Threat Identification
The following table identifies some specific threats to accredited AIS, their probability of occurrence rating (i.e., Low, Moderate, High), the impact of an occurrence, and implemented countermeasures.
THREAT | PROB | IMPACT | COUNTERMEASURE
Fire | Low | High | Fire extinguishers, some areas protected by fire suppression systems.
Power Disturbances | Low | Low | Systems protected by surge protection devices.
Power Outages | High | Low | U/SOs are required to backup data on a regular basis.
Water Damage | Low | Low | Construction of building and placement of AIS negates water damage.
Malicious Authorized U/SOs | Low | Low | All U/SOs processing classified have security clearances and have been trained in the protection of classified information and the systems that process classified information.
Covert Action | Low | Low | Building guards, visitor controls, and use of approved safes for document, removable magnetic media, and ribbon storage. Limited Security Areas with electronic and combination locks control access. Hardware and software procurement, installation, and support cannot be targeted to accredited AIS.
Casual Visitors | Low | Low | Posted signs for classified processing, room divider around accredited systems in some rooms, visitor controls, magnetic media removed during non-use periods, 3-way combination locks and limited security areas control access.
Emanation | Low | Low | Use of TEMPEST-protected or other DOE-approved low-emanation equipment.
Natural Hazards | Low | Low | Inherently secure/safe building.
System Abuse | Low | Low | Monitoring by supervisor and the CSSO. Personnel security briefings. Regular Waste, Fraud, and Abuse surveys.
Physical Damage to Portable PCs | High | Low | Portability of laptop computers makes them vulnerable to damage from being dropped. Padded carrying cases and removable hard disks reduce the risks substantially.
Theft of Portable PCs | Moderate | High | Portable PCs are vulnerable to theft. This threat is reduced by encrypting the files on the removable hard disks and diskettes, storing PPCs and removable magnetic media in approved security containers, and user vigilance.
12.2 Asset Identification
All items of AIS equipment and operating systems software are considered low value assets. Each equipment and operating system asset will be identified in the Individual Security Plan. The information files (to include such files as data, query routines, or application software) processed on these systems may be of higher value; therefore, U/SOs have been cautioned to protect their information investment by performing regular backups and storing them at a prudently safe distance from their primary working copy.
12.3 Summary of Qualitative Risk Assessment
The qualitative threat identification chart, paragraph 12.1, depicts the risk management technique used to identify and counter all known and potential threats. Based on the analyses of these threats and the fact that all classified processing is performed within DOE Security Areas, the protection mechanisms implemented for these areas are deemed sufficient for the low value assets covered by this plan. Except for AIS located in vaults approved for open storage of classified information, see Chapter II of DOE M 471.2-1 Manual for Classified Matter Protection and Control for specific guidance on the control of all classified media. All classified media must be controlled (if necessary) by document-accountability procedures. The protection mechanisms implemented within the Security Areas for the protection of documents have been evaluated by the CSSM and deemed sufficient for the protection of the information processed. A risk assessment conducted of the AIS procurement, installation, support functions, processes, and procedures indicated a low risk associated with the threat of targeting specific hardware or software for covert action.
13. TRAINING
13.1 CSSOs
All CSSOs are required to attend the CSSO Training Class provided by the CSSM. As a minimum, the CSSOs will provide the following instructional material to each U/SO.
Master AIS Security Plan. The CSSO and U/SO must retain a copy of the currently approved Master AIS Security Plan for AIS at their respective systems. These copies may be maintained in an electronic format (as a data file), in lieu of maintaining a printed copy. Electronic copies of the Plan and its attachments (blank forms) may be obtained by calling the CSSM.
DOE/MA-0427, "Computer Security Guide For Users."
Personal Computer Security Quick Reference Guide.
13.2 U/SOs
All classified AIS U/SOs are responsible for reading the documents cited above. Personnel who receive a userid for the mainframe will receive training through the automated security briefing resident on the system. A PC-DOS based version of the automated security briefing is installed on the individual AIS as a part of the initial software loading by the Microsystems Support personnel. This PC version steps the U/SO through standard security procedures for the protection of their systems.
Each responsible U/SO will read the Master AIS Security Plan for AIS annually. The responsible U/SO will, also annually, sign Attachment 1, Annual AIS User/Security Officer Acknowledgment of Compliance Responsibilities, accepting responsibility for the security of their assigned AIS.
Every DOE and DOE Contractor Employee at the HQ has been issued a copy of DOE/MA-0427, Computer Security Guide for Users. This guide discusses personnel, software, physical, telecommunications, and administrative security for HQ AIS.
13.3 Computer Security-Trained Escorts
To qualify as a computer security-trained escort, the candidate must have received all the training listed in the previous paragraph for U/SOs and must have attended a viewing of the DOE-produced video "The Outsider."
14. INCIDENT REPORTING
In order to thwart deliberate and/or malicious acts (i.e., equipment tampering, Trojan horses, virus programs) directed at AIS, all personnel utilizing DOE AIS resources will observe the following procedures for reporting any perceived attacks. Also, any occurrence of a security infraction or of waste, fraud, and abuse, as defined in paragraph 11 above, will be reported using the procedures below. These procedures will permit each U/SO to properly report potentially damaging incidents. By initiating the following actions in a timely manner, U/SOs may assist in controlling and limiting the damage that may be caused by an incident.
14.1 Incident Recognition by U/SO
Upon noticing or suspecting unusual or uncharacteristic performance from your system, suspend processing on the affected system. Attempts to determine the cause through use of the system may distort or destroy any evidence investigators might need to identify and/or correct the situation.
14.2 Notification Procedures
U/SOs are to immediately notify, through secure means (e.g., face-to-face, encrypted voice), the responsible CSSO (and/or Alternate CSSO) of the affected system concerning the possibility of a successful threat occurrence. This will allow the CSSO to immediately begin a preliminary inquiry and notify other potential targets, thereby limiting further potential damage. If the CSSO or Alternate is not readily available, call the CSSM. During non-business hours, if the incident involves the HQ mainframe the U/SO should call the CSSO on duty at the Computer Center in Germantown (3-4437). Minor incidents associated with the use of AIS (generally those whose adverse impact can be contained within the authority and responsibility of the CSSO) need not be reported to the CSSM, but are to be documented, investigated, and resolved by the CSSO.
Incidents whose scope and adverse impact extend beyond the authority and responsibility of the CSSO (e.g., LAN or mainframe connectivity is involved) are to be communicated to the CSSM as soon as practical. The intent is to coordinate efforts to limit the potential damage which could be incurred.
14.3 Documentation and Review
After incident notification, the U/SO will annotate the following information, if known, for use by security personnel.
a. Time of Occurrence
b. Source of Problem (e.g., imported software, diskette/hard disk drive, etc.)
c. Nature of the Incident - explain what happened prior to and during the occurrence.
d. The U/SO should review Chapter VI, Headquarters Incident Reporting Procedures, in the CSSO Guidelines for more guidance.
15. CONTINGENCY PLANNING
In general, AIS equipment assets are low cost, easily replaceable items. However, contingency planning is addressed for all systems that process classified information, as follows.
15.1 Critical Resources
It is the responsibility of the U/SO to identify any hardware configuration or software system that is considered critical for the successful completion of the DOE mission. If a system is designated as critical, backup procedures and matching system configurations must be identified in writing to ensure continuity of operations. Additional procedures, specific to the critical system, will be identified in the Individual Security Plan for the critical system. These procedures must be tested annually. All AIS identified as critical will be backed up by the U/SO once a week, at a minimum, and the backup media will be stored at an alternate location that is reasonably distant from the primary processing and information storage site.
15.2 Non-Critical Resources
All non-critical systems will be backed up by the U/SO on a regular basis to assure a continuity of the operations that support the conduct of the DOE mission.
16. ESCORT PROCEDURES
Visitors (cleared, but without a need-to-know, or uncleared) to office areas where accredited AIS are present must be escorted in accordance with DOE Headquarters Facilities Master Security Plan and may not be permitted physical access to accredited AIS or to view classified information. In addition, escorts for visitors who are going to have access to the inside of an accredited computer (uncleared repair technician) must be computer security-trained in accordance with paragraph 13.3 of this plan.
17. INTERIM OPERATING PROCEDURES
The following procedures govern the operations of accredited AIS in the interim periods during updates or changes to their environment. The environment of an accredited AIS encompasses those items of hardware and software listed in Attachment 5; the location of the AIS; the assigned U/SO; and, the approved security controls in place at the time of the current accreditation.
Interim reaccreditation is granted for a period of 15 work days only for those systems previously accredited and only under the following conditions:
U/SO Changes,
Hardware replacement with similar equipment,
Software changes, or
System relocations.
Interim accreditation begins when the change is effected (e.g., hardware has been reinstalled at the new location).
If not reaccredited in these 15 work days, the system will be considered unaccredited and will only be authorized to process unclassified information.
18. REMOTE DIAGNOSTIC SERVICES
Remote diagnostic services are not permitted on accredited systems.
19. SYSTEM SECURITY TESTING
Each AIS installation is separately accredited and, as a part of the accreditation process, is reviewed for compliance with this Master AIS Security Plan and its associated Individual Security Plan. Attachment 4 presents a brief security compliance checklist that is used as an aid in the compliance review process. The accrediting official has determined that compliance reviews adequately test the security implemented for each AIS installation.
20. ACQUISITION SPECIFICATION
DOE and DOE Contractor organizations shall ensure that appropriate technical, administrative, physical, and personnel security requirements are included in specifications for the acquisition of hardware, software, or related services to be utilized in a classified environment. The CSSM will be included in the planning process for any new hardware or software procurement or development that applies to classified processing in the DOE HQ environment.
Attachment 1
ANNUAL AIS USER/SECURITY OFFICER
ACKNOWLEDGEMENT OF COMPLIANCE RESPONSIBILITIES
U/SO's Initials
1. _____ I have read the Master AIS Security Plan and am familiar with its contents. I have also read DOE/MA-0427, Computer Security Guide for Users, and the Personal Computer Security Quick Reference Guide.
2. _____ I am aware of my responsibility for knowing what constitutes a security infraction and the procedures for responding to an infraction.
3. _____ I am aware of my responsibility for reporting any incidents of data intrusion or other security-related events to the Classified Computer System Security Officer (CSSO) in accordance with current DOE and local policy.
4. _____ I am aware that, when the system is to be left unattended, accredited systems must be sanitized, and that classified computer media, such as removable hard drives, diskettes, compact disc (CD ROM), cassettes, single-strike printer ribbons, and printed output must be locked in a DOE approved security container.
5. _____ I am aware that individual userids and passwords must be unique, are intended only for the assigned user, and may not be shared with anyone else. I am responsible for protecting passwords and records of passwords used with classified AIS at the highest level and most restrictive category approved for the AIS.
6. _____ I am aware that users of classified systems are to prevent (to the extent possible) unauthorized persons from entering the work area during classified processing and that the AIS must be positioned so that it cannot be viewed from outside the processing area (i.e., in view from open doors or uncovered windows). I am further aware that users must logoff of classified AIS and remove and properly store all media prior to leaving the system unattended.
7. _____ I am aware that all data should be backed up periodically to preclude the need for extensive reconstruction of files following a system failure or emergency. I am also aware that, ideally, these files should be stored in a separate remote location.
8. _____ I am aware that classified media and printed output and their covers or containers must bear appropriate classification markings that indicate the highest level of data contained therein. I am further aware of my responsibility to follow Document (or Media) Accountability Procedures located in Paragraph 10.4.14 of the Master AIS Security Plan.
9. _____ I am aware that removable hard drives, diskettes, CD ROM, cassettes, tapes, toner cartridges, printed output, and printer ribbons used for classified processing must be sanitized, declassified, and/or destroyed according to the policies, practices, and procedures listed in Paragraph 10.4 of the Master AIS Security Plan.
10. _____ I am aware of and will comply with the procedures specified in the Master AIS Security Plan sections 5.5.1 & 5.5.2 regarding system sanitization and proper transition between LAN connections and stand-alone processing.
11. _____ I am aware of my responsibility to continually improve security. Through my daily interaction with a system, I am able to detect weaknesses and vulnerabilities within the system. I will make a conscientious effort to express ideas on enhancing security to the designated Classified AIS Security Officer.
12. _____ I am aware that, as a U/SO of Department of Energy systems, I must ensure that the equipment is used only for job related processing and that all other uses are prohibited. I am aware that I am subject to periodic review for compliance and audit for waste, fraud, and abuse by the CSSO, CSSM, and other internal and external auditing agencies (i.e., IG, GAO, etc.).
13. _____ I am aware that electronic equipment, antennas, etc., may not be placed in the immediate proximity of the classified AIS without being listed and approved by the CSSM in the Individual AIS Security Plan. I am also aware that any modifications to the AIS, either in addition to or deletion of hardware or software, may not be performed without the prior approval of the CSSO.
14. _____ I am aware that only DOE-authorized software may be used on an accredited AIS. I will abide by any licensing agreements applicable and am aware that any software copyright and licensing infringements are violations of Federal law.
* In addition to the statements above, users of portable personal computers must attest to statements 15 through 22.
15. _____ I am aware that before I can use a PPC to process classified information in an area at the Germantown or Forrestal buildings, but outside the jurisdiction of my CSSO, I must have the approval of the CSSO who has jurisdiction over the area.
16. _____ I am aware that before I can use a PPC at a facility other than the Germantown or Forrestal buildings, the PPC must be accredited by the Designated Accrediting Authority (DAA) for the facility I am visiting.
17. _____ I am aware that classified removable hard disk must be transported separately from the portable computer in accordance with the requirements stated in the DOE Headquarters Facilities Master Security Plan, Chapter XI Classified Matter Protection and Control.
18. _____ I am aware that portable computers may not be used to process classified information except in (1) an approved vault or vault-type room, (2) a limited area, or (3) an exclusion area.
19. _____ I am aware that classified documents must be encrypted when stored on magnetic media to provide need-to-know protection.
20. _____ I am aware that I must carry the Computer Validation Card for the PPC assigned to me whenever the PPC is in my possession.
21. _____ I am aware that I must turn off all electrical power sources including physical removal of the battery in order to sanitize the PPC.
22. _____ I am aware that PPCs are highly vulnerable to theft and must be given appropriate protection when in my possession, especially in public places.
I have read the above statements and understand my responsibilities for protecting classified systems and information as indicated by my initials. I am aware that I am required to review, initial, and resign this form annually no later than the anniversary date as indicated next to my signature below.
U/SO: ____________________________________________ __________________________________________ ____/____/____
Printed Name Signature Date
Instructions
The purpose of this form is to provide a documented means of ensuring that each U/SO is aware of his/her responsibilities for processing classified information on an AIS.
This form contains a series of statements, for which the U/SO will initial each to indicate that he/she understands and acknowledges his/her responsibilities. This will be done annually (not later than 1 year from the date signed on the previous form) by each U/SO to provide a refresher to the U/SO of his/her responsibilities. After the U/SO has completed this form (all the statements are initialed) and the CSSO is confident that the U/SO understands his/her responsibilities, then the CSSO may allow the U/SO to perform classified processing on an accredited AIS. This form is not required to be submitted with the accreditation/reaccreditation package to the CSSM, but will be reviewed by the CSSM representative when a site or compliance review is held. The CSSO will retain the original of this form until replaced by the next annual form completion and provide a copy of same to the U/SO for reference purposes.
Attachment 2
STU-III SV/DS User Log for Classified Data Processing
Location (GTN, FORS): __________ Room No.: __________ STU-III Serial No.: __________
DATE | TIME OF USE | DISTANT END NAME AND LOCATION | CLASSIFICATION LEVEL | CATEGORY | TRANSMITTED/RECEIVED | USER SIGNATURE
STU-III SV/DS User Log for Classified Data Processing - Instructions
This attachment shows the form used to log each use of a STU-III SV/DS for transmitting or receiving classified data. The form records the building and room location of the STU-III as well as its serial number. Each user must record the date and time of use, the name and location of the distant end, the classification level, the category, whether the data was transmitted or received, and the user's signature.
Attachment 3
WASTE, FRAUD, AND ABUSE REVIEW
CHECKLIST FOR ACCREDITED
DOS BASED PERSONAL COMPUTERS
SYSTEM ID: HQ-_______(Assigned by CSSM)
DOE NO._______________
DATE:______/______/______
ORGANIZATION:____________________________ EQUIP:_______________________
LOCATION: BUILDING______________________ ROOM NO. ____________________
U/SO: NAME:________________________________________ SIGNATURE:______________________________________
CSSO: NAME:_______________________________________ SIGNATURE:______________________________________
REVIEWED BY: _____________________________________ SIGNATURE:______________________________________