MORI DOCID 504374 APPROVED FOR RELEASE - DATE JAN 200l SE DCID 1 16-1 REI DIRECTOR OF CENTRAL INTELLIGENCE DIRECTIVE 1 16' I SECURITY POLICY FOR UNIFORM PROTECTION or INTELLIGENCE PROCESSED IN AUTOMATED INFORMATION SYSTEMS AND NETWORKS U Effective 19 iuly 1988 Pursuant to the statutory authority and responsibilities assigned to the Director of Central Intelligence for the protection of intelligence sources and methods in Section 102 of the National Security Act of 1947 Executive Orders 12333 and 12356 and National Security Decision Directive 145 policies and procedures are herewith established for the security of classi ed intelligence processed communicated or stored in automated information systems A155 and networks U This directive applies to all US Government organizations their commercial contractors and Allied governments that utilize A155 and networks to process store and transmit US for- eign intelligence and counterintelligence information hereafter referred to as intelligence that has been classified pursuant to Executive Order 12356 or successor order ' U I General Policy Guidance U a Policy Objectives The purpose of this directive is to establish long-term year 2000 goals and near-term year 1992 requirements intended to improve the security of US intelligence processed in A185 and networks with respect to its pos- sible compromise 1 due to penetration by hostile intelligence services 2 by otherwise legitimate users who gain access to data or processes for which they are not authorized or 3 as a result of inadequate security design implementation or operation The directive also assigns policy execution roles and responsibilities and establishes a procedural framework within which they are to be implemented Speci c guidance is in the Security Manual for Uniform Protection of Intelligence Processed in Automated Information Systems and Networks Security Manual a supplement to this directive Additional security measures may be established by the accrediting authority if deemed appropriate Such measures should also be in accordance with other DCIDs listed in references 9 to 13 in Annex A of the Security Manual The provisions contained in the Security Manual have the same force as this directive U b Trusted Systems The criteria for characterizing the technical level of trust standards of technical security protection to be met by AISS processing intelli- gence are those set forth in Department of Defense publication 5200 28-STD December 1985 Department of Defense Trusted Computer System Evaluation Criteria 3 These criteria for trusted systems establish levels of trust that represent a relative measure of an AIS's ability to protect sensitive information A level of trust is not based solely on the presence of protection mechanisms in an AIS This directive supencdes DCID 1 16 e 'ective 4 January 1983 U Foreign intelligence and counterintelligeoce have the meanings assigned to them in Executive Order 12332 or succesor order intelligence includes sensitive compartmenterl information special access programs for intelligence and other intelligence that involves sensitive sources or methods sometimes referred to as collateral Intelligence that Is or should be marked WNINTEL intelligence that identi es or would reasonably permit identi cation of a source or method susceptible to countermeasures that could nullily or reduce its e 'ectiveness U Modi cations to this standard by BOB shall be reviewed b the prior to inclusion in this directive U 55C 2m APPROVED FOR RELEASE - MORI DOCID 504374 DATE JAN 2001 SEC REL DCID The mode of Operation of a network is determined by the extent to which it must reliably separate intelligence transmitted through it by A155 or other attached networks This is determined by the classi cation s and type s of intelligence the network must keep separate during transmission U 3 Accreditation Authority and Responsibility U a De nition Accreditation is the of cial management authorization to operate an AIS or network 1 in a particular security mode 2 with a prescribed set of ad- ministrative environmental and technical security safeguards 3 against a de ned threat and with stated vulnerabilities and countermeasures 4 in a given operational environment 5 under a stated operational concept 6 with stated interconnections to other AISs or networks and 7 at an acceptable level of risk for which the accrediting authority has formally assumed responsibility The accredit- ing authority formally accepts security responsibility for the operation of an AIS or network and o cially declares that a speci ed AIS or network will adequately protect intelligence against compromise destruction or unauthorized alteration through the continuous employment of safeguards including administrative procedural physical personnel communications security emanations security and computer-based hardware rmware software controls The accredita- tion statement a xes security responsibility with the acerediting authority and shows that due care has been taken for security in accordance with references 9-13 in Annex A of the Security Manual U thill mun members with principal accrediting authority under this directive are The DDCI DIRNSA Intel Div SASITrensunr The DCI is also the head of CIA U SE ET MORI DOCID 504374 APPROVED FOR RELEASE - DATE JAN 2301 sec DCID 1 16-4 REL UK mum villi-i - c NFIB members shall establish and maintain within their agencies formal auto- mated information system and network security programs and require similar programs to be operated by agencies and components to which accrediting i authority is delegated The Director Defense Intelligence Agency shall be responsible for accreditation of the The Director National Security Agency shall be responsible for accreditation of the Community On-Line Intelligence System COINS U 1 - d Where an AIS or network substantially involves more than one principal accrediting authority one shall be designated the accrediting authority by mutual agreement or if necessary by the Director of Central Intelligence An AIS or network processing intelligence operated by an organization that is not part of the National Foreign Intelligence Program shall be jointly accredited by its sponsor and the most appropriate principal accrediting authority or an appropriately authorized designee For example the Worldwide Military Command and Control System AISs require joint accreditation if they process intelligence contained within the scope of this directive intelligence that j identi es or would reasonably permit identi cation of a source or method susceptible to countermeasures that could nullin or reduce its effectiveness U e Principal accrediting authorities shall provide for the maintenance of complete records concerning the accreditation status of A185 and networks within their purview and issue reports and noti cations as speci ed in Chapter of the Security Manual U mum g The Intelligence Community Staff shall act for the Director of Central Intelli- gence in matters pertaining to the administration of this directive U 4 Exclusions U a US national telecommunications systems eg AUTODIN DDN DTS including technical control centers related thereto which are accredited in accordance with national telecommunications policies are not within the scope of this directive U b 'The may authorize further delegation of accreditation authority for multilevel and compartmented mode systems in speci c cases upon application U ibid SE MORI DOCID 504374 APPROVED FOR RELEASE - DATE JAN 2001 seca' ocno REL Fll l ll c Nothing in these provisions or in the Security Manual supersedes requirements under the Atomic Energy Act of 1954 as amended Section Public Law 585 on the control use and dissemination of Restricted Data or Formerly Restricted Data or requirements regarding Communications Security COMSEC related material as established by or under existing statutes or successors directives or Presidential policy U Supplement Security Manual for Uniform Protection of Intelligence Processed in Automated Information Systems and Networks SEC