October 25, 1982
NUMBER 5215.1

Department of Defense Directive

SUBJECT: Computer Security Evaluation Center

References:
3 Directive 5200.28, Security Requirements for Automatic Data Processing (ADP) Systems, December 18, 1972
Security Manual, January 1973, authorized by reference
OMB Circular No. A-71, Transmittal Memorandum No. 1, Security of Federal Automated Information Systems, July 27, 1978
through see enclosure 1

A. PURPOSE

This Directive establishes the Computer Security Evaluation Center (CSEC), provides policy, and assigns responsibilities for the technical evaluation of computer system and network security, and related technical research.

B. APPLICABILITY AND SCOPE

1. This Directive applies to the Office of the Secretary of Defense (OSD), the Military Departments, the Organization of the Joint Chiefs of Staff, the Unified and Specified Commands, and the Defense Agencies (hereafter referred to as "Components").

2. Its provisions govern the conduct of trusted computer system evaluation and technical research activities within the Department of Defense in support of overall computer system security evaluation and approval responsibilities assigned to the Components under references Directives 5220.22 and 5400.11 references and

C. DEFINITIONS

1. Sensitive Classified Information. Sensitive information as defined in reference and classified information as defined in 5200.1-R reference

2. A Trusted Computer System. Employs sufficient hardware and software integrity measures to allow its use for processing simultaneously a range of sensitive or classified information

governments, the North Atlantic Treaty Organization (NATO), and, to the extent permitted, industry in trusted computer system evaluation policy matters. Enter into agreements, if appropriate, consistent with National Disclosure Policy reference with other government agencies, foreign governments, and NATO.

d. Establish an information exchange forum on computer security matters among Components.

2. The Director, National Security Agency
(NSA), in cooperation with the shall:

a. Establish and operate the CSEC as a separate and unique entity within the NSA.

b. Program and budget for CCSP support resources under procedures prescribed for the planning, programing, and budgeting processes, but excluding National Foreign Intelligence Program funds controlled by the Director of Central Intelligence (DCI) under E.O. 12333 reference

c. Appoint a Director to manage the CSEC, who shall:

(1) Establish and maintain technical standards and criteria for the evaluation of trusted computer systems that can be incorporated readily into the Component life-cycle management process, Directives 7920.1, 5000.29, 5000.1, 5000.2 references. Provide assistance to the Components in the application of the technical standards and criteria.

(2) Conduct evaluations of selected industry and government-developed trusted computer systems against these criteria. Request for evaluation of government-developed computer systems will be from the Component responsible for the security of the system to be evaluated.

(3) Maintain and publish an EPL of the selected industry and government-developed trusted computer systems that is suitable for use by the Components.

(4) Conduct and sponsor for trusted computer systems and for computer security evaluation and verification methods and techniques.

(5) Provide assistance to the Components by conducting evaluations of selected and contractor trusted computer systems in response to requests from the Component responsible for the security of the computer system to be evaluated.

(6) Serve as the focal point for technical matters concerning the use of trusted computer systems for the protection of sensitive and classified information and, in conjunction with Component computer security test and evaluation activities, provide technical advice to the Components.

(7) Sponsor Component cooperative efforts, public seminars, and workshops for the purpose of technology transfer.

1 In

Encl 1

REFERENCES, continued

DoD Directive 5220.22, Industrial Security Program, December 8, 1980
DoD Directive 5400.11, Department of Defense Privacy Program, June 9, 1982
DoD 5200.1-R, Information Security Program Regulation, August 1982, authorized by DoD Directive 5200.1, Information Security Program, June 7, 1982
Instruction 5230.17, Procedures and Standards for Disclosure of Military Information to Foreign Activities, August 17, 1979
Executive Order 12333, United States Intelligence Activities, December 4, 1981
DoD Directive 7920.1, Life Cycle Management of Automated Information Systems, October 17, 1978
Directive 7200.1, Administrative Control of Appropriations, November 15, 1978
Directive 5000.29, Management of Computer Resources in Major Defense Systems, April 26, 1976
DoD Directive 5000.1, Major Systems Acquisition, March 9, 1982
Directive 5000.2, Major Systems Acquisition Process, March 19, 1980

Encl 2

PROCEDURES FOR CONSOLIDATED TECHNICAL RESEARCH

This establishes the procedures for developing the generic computer security portion of the CCSP as defined in subsection C.3. of this Directive. Portions of the CCSP relating solely to the operations of the CSEC are not included in this summary.

1. Under paragraph F.2.b. of this Directive, the Director, NSA, shall issue a data call for each fiscal year to the Components for the CCSP. The data call shall request identification of major tasks and milestones for that fiscal year.

2. Components shall submit to NSA their proposed projects for generic computer security in the format prescribed. This shall include a program-quality technical description, cost estimates, and recommendation for the execution responsibility, namely, the submitting Component, another Component, or the CSEC. The CSEC similarly shall prepare its own proposals.

3. The CSEC shall convene the technical review group (TRG), composed of an identified principal from each Component, with participation by the working level engineering, scientific, communications, and data processing personnel of Components and the CSEC. The purpose and
function of this group is to review the Component submissions for redundancies, completeness, and resource requirements and to determine initial priorities. The TRG deliberations are directed toward an understanding and agreement among all principals of the nature and scope of the proposed CCSP research and development projects.

4. The CSEC shall compile the TRG-reviewed projects and provide the Components a copy of the draft program for review and comment.

5. The Director, CSEC, shall chair the program working group (PWG), which is composed of a principal from each Component. The function of the PWG is to review and refine the priorities for the generic security portion of the CCSP under published OSD guidance. The PWG shall recommend the generic computer security program to the Director, NSA. The CSEC shall prepare the draft consolidated computer security program and provide the Components a copy for review and comment.

6. The Director, NSA, shall chair the program manager's review group (PMRG), consisting of representatives from Components, including the Deputy Assistant Secretary of Defense (Communications, Command, Control, and Intelligence) and the Deputy Assistant Secretary of Defense (Research and Advanced Technology) as members, with additional observers as appropriate. A formal briefing on the overall CCSP shall be presented to the Director and this group.

7. The Director, NSA, shall approve the CCSP after considering the changes or modifications suggested by this review group. This shall constitute the basis for the CCSP portion of the NSA Program Objectives Memorandum (POM) submission.