THE WHITE HOUSE
WASHINGTON

UNCLASSIFIED

September 17, 1984

National Security Decision Directive Number 145

NATIONAL POLICY ON TELECOMMUNICATIONS AND AUTOMATED INFORMATION SYSTEMS SECURITY (U)

Recent advances in microelectronics technology have stimulated an unprecedented growth in the supply of telecommunications and information processing services within the government and throughout the private sector. As new technologies have been applied, traditional distinctions between telecommunications and automated information systems have begun to disappear. Although this trend promises greatly improved efficiency and effectiveness, it also poses significant security challenges. Telecommunications and automated information processing systems are highly susceptible to interception, unauthorized electronic access, and related forms of technical exploitation, as well as other dimensions of the hostile intelligence threat. The technology to exploit these electronic systems is widespread and is used extensively by foreign nations and can be employed, as well, by terrorist groups and criminal elements. Government systems as well as those which process the private or proprietary information of US persons and businesses can become targets for foreign exploitation. (U)

Within the government these systems process and communicate classified national security information and other sensitive information concerning the vital interests of the United States. Such information, even if unclassified in isolation, often can reveal highly classified and other sensitive information when taken in aggregate. The compromise of this information, especially to hostile intelligence services, does serious damage to the United States and its national security interests. A comprehensive and coordinated approach must be taken to protect the government's telecommunications and automated information systems against current and projected threats. This approach must include mechanisms for formulating policy,
for overseeing systems security resources programs, and for coordinating and executing technical activities. (U)

This Directive: Provides initial objectives, policies, and an organizational structure to guide the conduct of national activities directed toward safeguarding systems which process or communicate sensitive information from hostile exploitation; establishes a mechanism for policy development; and assigns responsibilities for implementation. It is intended to assure full participation and cooperation among the various existing centers of technical expertise throughout the Executive Branch, to promote a coherent and coordinated defense against the hostile intelligence threat to these systems, and to foster an appropriate partnership between government and the private sector in attaining these goals. This Directive specifically recognizes the special requirements for protection of intelligence sources and methods. It is intended that the mechanisms established by this Directive will initially focus on those automated information systems which are connected to telecommunications transmission systems. (U)

1. Objectives. Security is a vital element of the operational effectiveness of the national security activities of the government and of military combat readiness. Assuring the security of telecommunications and automated information systems which process and communicate classified national security information, and other sensitive government national security information, and offering assistance in the protection of certain private sector information are key national responsibilities. I, therefore, direct that the government's capabilities for securing telecommunications and automated information systems against technical exploitation threats be maintained or improved to provide for:

a. A reliable and continuing capability to assess
threats and vulnerabilities, and to implement appropriate, effective countermeasures.

b. A superior technical base within the government to achieve this security, and support for a superior technical base within the private sector in areas which complement and enhance government capabilities.

c. A more effective application of government resources and encouragement of private sector security initiatives.

d. Support and enhancement of other policy objectives for national telecommunications and automated information systems. (U)

2. Policies. In support of these objectives, the following policies are established:

a. Systems which generate, store, process, transfer or communicate classified information in electrical form shall be secured by such means as are necessary to prevent compromise or exploitation.

b. Systems handling other sensitive, but unclassified, government or government-derived information, the loss of which could adversely affect the national security interest, shall be protected in proportion to the threat of exploitation and the associated potential damage to the national security.

c. The government shall encourage, advise, and, where appropriate, assist the private sector to: identify systems which handle sensitive non-government information, the loss of which could adversely affect the national security; determine the threat to, and vulnerability of, these systems; and formulate strategies and measures for providing protection in proportion to the threat of exploitation and the associated potential damage. Information and advice from the perspective of the private sector will be sought with respect to implementation of this policy. In cases where implementation of security measures to non-governmental systems would be in the national security interest, the private sector shall be encouraged, advised, and, where appropriate, assisted in undertaking the application of such measures.

d. Efforts and programs begun under PD-24 which support these
policies shall be continued. (U)

3. Implementation. This Directive establishes a senior level steering group; an interagency group at the operating level; an executive agent and a national manager to implement these objectives and policies. (U)

4. Systems Security Steering Group.

a. A Systems Security Steering Group consisting of the Secretary of State, the Secretary of the Treasury, the Secretary of Defense, the Attorney General, the Director of the Office of Management and Budget, the Director of Central Intelligence, and chaired by the Assistant to the President for National Security Affairs is established. The Steering Group shall:

(1) Oversee this Directive and ensure its implementation. It shall provide guidance to the Executive Agent and through him to the National Manager with respect to the activities undertaken to implement this Directive.

(2) Monitor the activities of the operating level National Telecommunications and Information Systems Security Committee and provide guidance for its activities in accordance with the objectives and policies contained in this Directive.

(3) Review and evaluate the security status of those telecommunications and automated information systems that handle classified or sensitive government or government-derived information with respect to established objectives and priorities, and report findings and recommendations through the National Security Council to the President.

(4) Review consolidated resources program and budget proposals for telecommunications systems security, including the COMSEC Resources Program, for the US Government and provide recommendations to OMB for the normal budget review process.

(5) Review in aggregate the program and budget proposals for the security of automated information systems of the departments and agencies of the government.

(6) Review and approve matters referred to it by the Executive Agent in fulfilling the responsibilities outlined in paragraph 6. below.

(7) On matters
pertaining to the protection of intelligence sources and methods, be guided by the policies of the Director of Central Intelligence.

(8) Interact with the Steering Group on National Security Telecommunications to ensure that the objectives and policies of this Directive and NSDD-97, National Security Telecommunications Policy, are addressed in a coordinated manner.

(9) Recommend for Presidential approval additions or revisions to this Directive as national interests may require.

(10) Identify categories of sensitive non-government information, the loss of which could adversely affect the national security interest, and recommend steps to protect such information. (U)

b. The National Manager for Telecommunications and Information Systems Security shall function as executive secretary to the Steering Group. (U)

5. The National Telecommunications and Information Systems Security Committee.

a. The National Telecommunications and Information Systems Security Committee (NTISSC) is established to operate under the direction of the Steering Group to consider technical matters and develop operating policies as necessary to implement the provisions of this Directive. The Committee shall be chaired by the Assistant Secretary of Defense (Command, Control, Communications and Intelligence) and shall be composed of a voting representative of each member of the Steering Group and of each of the following:

The Secretary of Commerce
The Secretary of Transportation
The Secretary of Energy
Chairman, Joint Chiefs of Staff
Administrator, General Services Administration
Director, Federal Bureau of Investigation
Director, Federal Emergency Management Agency
The Chief of Staff, United States Army
The Chief of Naval Operations
The Chief of Staff, United States Air Force
Commandant, United States Marine Corps
Director, Defense Intelligence Agency
Director, National Security Agency
Manager, National Communications System (U)

b. The Committee shall:

(1) Develop such specific
operating policies, objectives, and priorities as may be required to implement this Directive.

(2) Provide telecommunication and automated information systems security guidance to the departments and agencies of the government.

(3) Submit annually to the Steering Group an evaluation of the status of national telecommunications and automated information systems security with respect to established objectives and priorities.

(4) Identify systems which handle sensitive, non-government information, the loss and exploitation of which could adversely affect the national security interest, for the purpose of encouraging, advising and, where appropriate, assisting the private sector in applying security measures.

(5) Approve the release of sensitive systems technical security material, information, and techniques to foreign governments or international organizations with the concurrence of the Director of Central Intelligence for those activities which he manages.

(6) Establish and maintain a national system for promulgating the operating policies, directives, and guidance which may be issued pursuant to this Directive.

(7) Establish permanent and temporary subcommittees as necessary to discharge its responsibilities.

(8) Make recommendations to the Steering Group on Committee membership and establish criteria and procedures for permanent observers from other departments or agencies affected by specific matters under deliberation, who may attend meetings upon invitation of the Chairman.

(9) Interact with the National Communications System Committee of Principals established by Executive Order 12472 to ensure the coordinated execution of assigned responsibilities. (U)

c. The Committee shall have two subcommittees, one focusing on telecommunications security and one focusing on automated information systems security. The two subcommittees shall interact closely and any recommendations concerning implementation
of protective measures shall combine and coordinate both areas where appropriate, while considering any differences in the level of maturity of the technologies to support such implementation. However, the level of maturity of one technology shall not impede implementation in other areas which are deemed feasible and important. (U)

d. The Committee shall have a permanent secretariat composed of personnel of the National Security Agency and such other personnel from departments and agencies represented on the Committee as are requested by the Chairman. The National Security Agency shall provide facilities and support as required. Other departments and agencies shall provide facilities and support as requested by the Chairman. (U)

6. The Executive Agent of the Government for Telecommunications and Information Systems Security.

The Secretary of Defense is the Executive Agent of the Government for Communications Security under authority of Executive Order 12333. By authority of this Directive he shall serve an expanded role as Executive Agent of the Government for Telecommunications and Automated Information Systems Security and shall be responsible for implementing, under his signature, the policies developed by the NTISSC. In this capacity he shall act in accordance with policies and procedures established by the Steering Group and the NTISSC to:

a. Ensure the development, in conjunction with NTISSC member departments and agencies, of plans and programs to fulfill the objectives of this Directive, including the development of necessary security architectures.

b. Procure for and provide to departments and agencies of the government and, where appropriate, to private institutions (including government contractors) and foreign governments, technical security material, other technical assistance, and other related services of common concern, as required to accomplish the objectives of this Directive.

c. Approve and provide minimum security standards and doctrine, consistent with provisions of the
Directive.

d. Conduct, approve, or endorse research and development of techniques and equipment for telecommunications and automated information systems security for national security information.

e. Operate, or coordinate the efforts of, government technical centers related to telecommunications and automated information systems security.

f. Review and assess for the Steering Group the proposed telecommunications systems security programs and budgets for the departments and agencies of the government for each fiscal year and recommend alternatives, where appropriate. The views of all affected departments and agencies shall be fully expressed to the Steering Group.

g. Review for the Steering Group the aggregated automated information systems security program and budget recommendations of the departments and agencies of the US Government for each fiscal year. (U)

7. The National Manager for Telecommunications Security and Automated Information Systems Security.

The Director, National Security Agency is designated the National Manager for Telecommunications and Automated Information Systems Security and is responsible to the Secretary of Defense as Executive Agent for carrying out the foregoing responsibilities. In fulfilling these responsibilities the National Manager shall have authority in the name of the Executive Agent to:

a. Examine government telecommunications systems and automated information systems and evaluate their vulnerability to hostile interception and exploitation. Any such activities, including those involving monitoring of official telecommunications, shall be conducted in strict compliance with law, Executive Orders and applicable Presidential Directives. No monitoring shall be performed without advising the heads of the agencies, departments, or services concerned.

b. Act as the government focal point for cryptography, telecommunications systems security, and automated information systems security.

c. Conduct, approve, or endorse research and development of
techniques and equipment for telecommunications and automated information systems security for national security information.

d. Review and approve all standards, techniques, systems and equipments for telecommunications and automated information systems security.

e. Conduct foreign communications security liaison, including agreements with foreign governments and with international and private organizations for telecommunications and automated information systems security, except for those foreign intelligence relationships conducted for intelligence purposes by the Director of Central Intelligence. Agreements shall be coordinated with affected departments and agencies.

f. Operate such printing and fabrication facilities as may be required to perform critical functions related to the provision of cryptographic and other technical security material or services.

g. Assess the overall security posture and disseminate information on hostile threats to telecommunications and automated information systems security.

h. Operate a central technical center to evaluate and certify the security of telecommunications systems and automated information systems.

i. Prescribe the minimum standards, methods and procedures for protecting cryptographic and other sensitive technical security material, techniques, and information.

j. Review and assess annually the telecommunications systems security programs and budgets of the departments and agencies of the government, and recommend alternatives, where appropriate, for the Executive Agent and the Steering Group.

k. Review annually the aggregated automated information systems security program and budget recommendations of the departments and agencies of the US Government for the Executive Agent and the Steering Group.

l. Request from the heads of departments and agencies such information and technical support as may be needed to discharge the responsibilities assigned herein.

m. Enter into agreements for the
procurement of technical security material and other equipment, and their provision to government agencies and, where appropriate, to private organizations, including government contractors, and foreign governments. (U)

8. The Heads of Federal Departments and Agencies shall:

a. Be responsible for achieving and maintaining a secure posture for telecommunications and automated information systems within their departments or agencies.

b. Ensure that the policies, standards and doctrines issued pursuant to this Directive are implemented within their departments or agencies.

c. Provide to the Systems Security Steering Group, the NTISSC, Executive Agent, and the National Manager, as appropriate, such information as may be required to discharge responsibilities assigned herein, consistent with relevant law, Executive Order, and Presidential Directives. (U)

9. Additional Responsibilities.

a. The Secretary of Commerce, through the Director, National Bureau of Standards, shall issue for public use such Federal Information Processing Standards for the security of information in automated information systems as the Steering Group may approve. The Manager, National Communications System, through the Administrator, General Services Administration, shall develop and issue for public use such Federal Telecommunications Standards for the security of information in telecommunications systems as the National Manager may approve. Such standards, while legally applicable only to Federal Departments and Agencies, shall be structured to facilitate their adoption as voluntary American National Standards as a means of encouraging their use by the private sector.

b. The Director, Office of Management and Budget, shall:

(1) Specify data to be provided during the annual budget review by the departments and agencies on programs and budgets relating to telecommunications systems security and automated information systems security of the departments and agencies of the government.

(2) Consolidate and provide such data to the National Manager
via the Executive Agent.

(3) Review for consistency with this Directive, and amend as appropriate, OMB Circular A-71 (Transmittal Memorandum No. 1), OMB Circular A-76, as amended, and other OMB policies and regulations which may pertain to the subject matter herein. (U)

10. Nothing in this Directive:

a. Alters the existing authorities of the Director of Central Intelligence, including his responsibility to act as Executive Agent of the Government for technical security countermeasures (TSCM).

b. Provides the NTISSC, the Executive Agent, or the National Manager authority to examine the facilities of other departments and agencies without approval of the head of such department or agency, nor to request or collect information concerning their operation for any purpose not provided for herein.

c. Amends or contravenes the provisions of existing law, Executive Orders, or Presidential Directives which pertain to the privacy aspects or financial management of automated information systems or to the administrative requirements for safeguarding such resources against fraud, abuse, and waste.

d. Is intended to establish additional review processes for the procurement of automated information processing systems. (U)

11. For the purposes of this Directive, the following terms shall have the meanings indicated:

a. Telecommunications means the preparation, transmission, communication or related processing of information by electrical, electromagnetic, electromechanical, or electro-optical means.

b. Automated Information Systems means systems which create, prepare, or manipulate information in electronic form for purposes other than telecommunication, and includes computers, word processing systems, other electronic information handling systems, and associated equipment.

c. Telecommunications and Automated Information Systems Security means protection afforded to telecommunications and automated information systems
in order to prevent exploitation through interception, unauthorized electronic access, or related technical intelligence threats, and to ensure authenticity. Such protection results from the application of security measures (including cryptosecurity, transmission security, emission security, and computer security) to systems which generate, store, process, transfer, or communicate information of use to an adversary, and also includes the physical protection of sensitive technical security material and sensitive technical security information.

d. Technical security material means equipment, components, devices, and associated documentation or other media which pertain to cryptography, or to the securing of telecommunications and automated information systems. (U)

13. The functions of the Interagency Group for Telecommunications Protection and the National Communications Security Committee (NCSC) as established under PD-24 are subsumed by the Systems Security Steering Group and the NTISSC, respectively. The policies established under the authority of the Interagency Group or the NCSC, which have not been superseded by this Directive, shall remain in effect until modified or rescinded by the Steering Group or the NTISSC, respectively. (U)

14. Except for ongoing telecommunications protection activities mandated by and pursuant to PD/NSC-24, that Directive is hereby superseded and cancelled. (U)