DEPUTY SECRETARY OF DEFENSE
1010 DEFENSE PENTAGON
WASHINGTON, DC

JUN 16 2000

MEMORANDUM FOR: SECRETARIES OF THE MILITARY DEPARTMENTS
CHAIRMAN OF THE JOINT CHIEFS OF STAFF
UNDER SECRETARIES OF DEFENSE
DIRECTOR, DEFENSE RESEARCH AND ENGINEERING
ASSISTANT SECRETARIES OF DEFENSE
GENERAL COUNSEL OF THE DEPARTMENT OF DEFENSE
INSPECTOR GENERAL OF THE DEPARTMENT OF DEFENSE
DIRECTOR, OPERATIONAL TEST AND EVALUATION
COMMANDERS OF THE COMBATANT COMMANDS
ASSISTANTS TO THE SECRETARY OF DEFENSE
DIRECTOR, ADMINISTRATION AND MANAGEMENT
DIRECTORS OF THE DEFENSE AGENCIES
DIRECTOR, NATIONAL RECONNAISSANCE OFFICE
DIRECTORS OF DOD FIELD ACTIVITIES
CHIEF INFORMATION OFFICERS OF THE MILITARY DEPARTMENTS
DIRECTOR, COMMAND, CONTROL, COMMUNICATIONS AND COMPUTER SYSTEMS, JOINT STAFF
CHIEF INFORMATION OFFICERS OF THE DEFENSE AGENCIES
DIRECTOR, INTELLIGENCE COMMUNITY MANAGEMENT STAFF
INTELLIGENCE COMMUNITY CHIEF INFORMATION OFFICER

SUBJECT: Department of Defense Chief Information Officer Guidance and Policy Memorandum No. 6-8510, "Department of Defense Global Information Grid Information Assurance"

In a memorandum, "Global Information Grid," dated September 22, 1999, the Department of Defense (DoD) Chief Information Officer (CIO) issued guidance on the definition and scope of the Global Information Grid (GIG). In essence, the GIG is a globally interconnected, end-to-end set of information capabilities, associated processes, and personnel for collecting, processing, storing, disseminating, and managing information on demand to warfighters, policy makers, and support personnel. The DoD CIO's memorandum represented the first formal output of an initiative that began in December 1998 to develop policies on several aspects of information management, including information technology management, for the Department. The initial thrust has been on the development of GIG policies and procedures for governance, resources, information assurance, information dissemination management, interoperability, network management, network operations, and enterprise computing.
The attached Guidance and Policy for GIG Information Assurance (IA) provides direction and assigns responsibilities for secure, interoperable information capabilities that meet both warfighting and business needs. It provides the framework for achieving IA by ensuring the availability of systems, the integrity and confidentiality of information, and the authentication and non-repudiation of electronic transactions. The accompanying GIG IA Implementation Guidance provides details on the selection of appropriate security countermeasures required to secure the GIG architecture.

Some of the measures called for in the attached guidance and policy cannot be fully implemented immediately; however, the cyber threats and vulnerabilities to information technology are such that implementation should begin immediately where possible. Subsequent guidance will establish final dates for the completion of specific measures. These dates will take into account the urgency and priority of the IA need and the projected availability of adequate IA solutions.

Improved and timely GIG policies are the cornerstone to enabling change, eliminating outdated ways of doing business, implementing the spirit and intent of the Clinger-Cohen Act and other reform legislation, and achieving our Information Superiority goals. While the attached policy and guidance is effective immediately, the CIO, in coordination with the Director, Administration and Management, will incorporate it into the Directive System within 180 days.

Please direct any questions to Mr. Donald L. Jones in the Office of the Director for Infrastructure and Information Assurance. He can be reached at (703) 614-6640 or by e-mail.

Rudy de Leon

Attachments

6-8510

Guidance and Policy for Department of Defense Global Information Grid Information Assurance

References:
Chief Information Officer (CIO) Guidance and Policy Memorandum No. 8-8001, "Global Information Grid," March 31, 2000
DoD Directive 5200.28, "Security Requirements for Automated Information Systems," March 21, 1988
DoD 5200.28-M, "Security Manual," January 1973, and Change 1, June 24, 1979
DoD Directive C-5200.5, "Communications Security (COMSEC)," April 21, 1990
DCID 6/3, "Protecting Sensitive Compartmented Information Within Information Systems," June 5, 1999
Additional references: see Enclosure 1

1. PURPOSE

This guidance and policy establishes Department of Defense Global Information Grid (GIG) information assurance (IA) policy under the GIG Guidance and Policy Memorandum referenced above, assigns responsibilities, and authorizes publication of implementation guidance to enable the secure exchange and use of information necessary to the execution of the mission. This issuance specifically establishes information system mission categories; defines levels of concern and corresponding levels of robustness and specifies requirements for their use; and defines and directs implementation of a defense-in-depth strategy for applying integrated, layered protection of the DoD's information systems and networks. It supplements DoD Directive 5200.28, DoD 5200.28-M, and DoD Directive C-5200.5.

2. APPLICABILITY AND SCOPE

2.1 This guidance and policy applies to:
2.1.1 The Office of the Secretary of Defense, the Military Departments, the Chairman of the Joint Chiefs of Staff, the Combatant Commands, the Inspector General of the Department of Defense, the Defense Agencies, and DoD field activities (hereafter referred to collectively as "the DoD Components").
2.1.2 Information technology and its operation by DoD Intelligence Agencies, Service intelligence elements, and other intelligence activities engaged in direct support of Defense missions. Global Information Grid implementation must comply with policy and responsibilities established herein and, whenever applicable, separate and coordinated Director of Central Intelligence (DCI) directives and Intelligence Community (IC) policy.
2.1.3 All information technologies that are used to process, store, display, or transmit DoD information, regardless of classification or sensitivity.

2.2 Additional measures may be required for the protection of foreign intelligence or counterintelligence information, Single Integrated Operational Plan - Extremely Sensitive Information (SIOP-ESI), and Special Access Program (SAP) information on DoD information systems and networks.

2.3 This policy does not apply to information systems to which DCID 6/3 applies (Sensitive Compartmented Information and Special Access Programs for intelligence under the purview of the DCI). Policies and procedures for the protection of IC information contained in DoD information systems not covered by DCID 6/3 shall be established through a process jointly determined between the DoD CIO and the IC CIO.

3. DEFINITIONS

Terms used in this issuance are defined in National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 4009 or at Enclosure 2.

4. POLICY

It is DoD policy that:

4.1 The DoD shall follow an enterprise-wide IA architectural overlay that is consistent with the overall Global Information Grid (GIG) Architecture and implements a defense-in-depth strategy to establish and maintain an overall acceptable IA posture across the GIG. Protection mechanisms shall be applied such that information and information systems maintain the appropriate level of confidentiality, integrity, availability, authentication, and non-repudiation based on mission category, classification or sensitivity of information handled (processed, stored, displayed, or transmitted) by the system, and need-to-know, while maintaining required levels of interoperability. A companion issuance, "Information Assurance Implementation Guidance," provides details on the selection and implementation of protection mechanisms.

4.2 All GIG information systems shall be assigned to a mission category (mission critical, mission support, or administrative) that reflects the type of information handled by the system relative to requirements for integrity (including authentication and non-repudiation) and availability services. Mission categories will be determined by the functional domain owner or the responsible Component
Head, in consultation with the information producer. The mission category of systems that handle information from multiple domains shall default to the highest category supported. System mission categories, functional domain, and information producer are defined in Enclosure 2, Definitions.

4.3 All GIG information systems shall employ protection mechanisms in accordance with the level of concern (high, medium, or basic) that satisfy corresponding criteria for high, medium, or basic levels of robustness. Paragraph 5 of the Information Assurance Implementation Guidance provides an in-depth discussion of levels of robustness and detailed guidance on their application to IA solutions, within the following guidelines:

4.3.1 GIG information systems processing classified information, as defined by DoD Regulation 5200.1-R, are assigned a high level of concern. Such systems shall employ only National Security Agency (NSA) certified high-robustness IA products when the information transits public networks or the system or network handling the information is accessible by individuals who are not cleared for the classified information on the system.

4.3.2 GIG information systems that meet the criteria of national security systems, as delineated by Title 10, United States Code, Section 2315, and process only unclassified information are assigned a medium level of concern and shall employ IA products that satisfy the requirements for at least medium robustness when the information transits public networks or the system or network handling the information is accessible by individuals who are not authorized to access the information on the system.

4.3.3 GIG information systems processing sensitive information, as defined in section 20 of the National Institute of Standards and Technology Act (Title 15, United States Code, Section 278g-3), are assigned a basic level of concern and shall employ IA products that satisfy the requirements for at least basic robustness when the information transits public networks or the system or network handling the information is accessible by individuals who are not authorized to access the information on the system.

4.3.4 GIG information systems that allow open, uncontrolled access to information (through publicly accessible web servers) or unregulated access to and from the Internet shall employ mechanisms to ensure availability and protect the information from malicious tampering or destruction. Such systems shall also be isolated from all other GIG systems. The isolation may be physical or may be implemented by technical means, such as an approved boundary protection product.

4.4 The defense-in-depth strategy shall be implemented, using technical solutions where possible, in order to:
4.4.1 Ensure network and infrastructure services provide appropriate confidentiality (link encryption, one-time passwords, virtual private networks) and defenses against denial-of-service attacks (diversity, routing table protection, and planned degraded operation).
4.4.2 Defend the perimeters of well-defined information enclaves (firewalls, intrusion detection, and a uniform policy on protocols allowed across perimeter boundaries).
4.4.3 Provide appropriate degrees of protection to all computing environments (internal hosts and applications).
4.4.4 Make appropriate use of supporting IA infrastructures (key management, public key certificates, and directories).

4.5 All GIG information systems and networks shall be certified and accredited in accordance with the DoD Information Technology Security Certification and Accreditation Process (DITSCAP), DoD Instruction 5200.40.

4.6 All interconnections of GIG information systems, both internal and external, shall be managed to continuously minimize community risk and ensure that the protection of one system is not undermined by vulnerabilities of other interconnected systems. Further:
4.6.1 Interconnection of systems at the same classification level shall be managed so that mutual risk is minimized.
4.6.2 Interconnections of
systems operating at different classification levels shall be accomplished consistent with the philosophy of the Secret and Below Interoperability (SABI) process, using criteria that have been approved by the DoD CIO and, where appropriate, formally coordinated with the IC CIO.
4.6.3 All connections to non-GIG information systems (including foreign nation and contractor systems) shall be accomplished in accordance with approved criteria and be coordinated with the IC CIO as appropriate.

4.7 Interconnections of IC systems and DoD systems shall be accomplished using a process jointly concurred in by the DoD CIO and the IC CIO.

4.8 Only COMSEC equipment acquired through NSA (the centralized COMSEC acquisition authority) or through NSA-designated agents shall be used to protect classified systems.

4.9 All security-related commercial-off-the-shelf (COTS) hardware, firmware, and software components (excluding cryptographic modules) required to protect GIG information systems, including those used to protect sensitive information, shall be acquired in accordance with the guidance and schedule specified in the "National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology (IT) Products," relevant portions of which are quoted at Enclosure 3. All government-off-the-shelf (GOTS) products of this nature shall be evaluated by NSA or in accordance with NSA-approved processes.

4.10 Public domain software products (freeware) shall not be used in GIG information systems unless an official requirement is established, the product is assessed for information assurance impacts, and it is approved for use by the responsible Designated Approving Authority (DAA).

4.11 Access to GIG information systems shall be granted to individuals based on need-to-know and in accordance with DoD Regulation 5200.2-R for clearance, special access, and ADP category designation requirements and qualifications.

4.12 Exchange of unclassified information between DoD and its vendors and contractors requiring IA services using public key techniques will be accomplished through External Certificate Authorities (ECAs). The ECAs will operate under a process which delivers a level of assurance that meets DoD business and legal requirements, as determined by the DoD CIO in coordination with the DoD Comptroller and the DoD General Counsel.

4.13 GIG information systems shall be monitored in order to detect, isolate, and react to intrusions, disruption of services, or other incidents that threaten the security of DoD operations or information technology resources, including internal misuse.

4.14 All GIG information systems are subject to active penetrations and other forms of testing used to complement monitoring activities, in accordance with DoD Directive 4640.6 and other applicable laws and regulations.

4.15 Component General Counsel-approved notice of privacy rights and security responsibilities shall be provided to all individuals attempting access to GIG information systems.

4.16 Use of public key certificates in GIG information systems shall be in accordance with the DoD public key infrastructure policy (see Enclosure 1) and associated guidance.

4.17 All DoD personnel and support contractors shall be trained and appropriately certified to perform the tasks associated with their designated responsibilities for safeguarding and operating GIG information systems, in accordance with joint USD(P&R) and ASD(C3I) guidance (see Enclosure 1).

4.18 Mobile code technologies shall be categorized and their use restricted in order to reduce the threat to GIG information systems posed by malicious code.

4.19 Management of networks and management of IA operations (Computer Network Defense) shall be fully coordinated and co-located to the extent possible.

5. RESPONSIBILITIES

5.1 The DoD Chief Information Officer shall:
5.1.1 Ensure that this policy is implemented in the context of the GIG Architecture.
5.1.2 Develop and promulgate additional DoD IA-related policy and guidance on specific topics in support of and consistent with this issuance (defense-in-depth, mobile code, web sites, monitoring and testing).
5.1.3 Ensure that all GIG information systems are assigned to a mission category.
5.1.4 Ensure the integration of IA initiatives with DoD critical infrastructure protection sector liaisons (see Enclosure 1).
5.1.5 Establish a formal coordination process with the IC CIO to ensure proper protection of IC information within the DoD.
5.1.6 Manage the Defense-wide IA Program (DIAP), which shall:
5.1.6.1 Provide for the planning, coordination, integration, and oversight of all DoD IA activities.
5.1.6.2 Establish and monitor IA readiness as an integral part of the DoD mission readiness criteria.
5.1.6.3 Maintain liaison with the office of the IC CIO to ensure continuous coordination of DoD and IC IA activities and programs.
5.1.7 Appoint Designated Approving Authorities (DAAs) for all new DoD Enterprise-wide information systems and confirm DAAs for existing DoD Enterprise-wide systems (Global Command and Control System, Defense Message System, Defense Travel System).

5.2 The Heads of DoD Components shall:
5.2.1 Develop and implement an IA program consistent with the GIG IA architectural overlay and the defense-in-depth strategy, focusing on protection of Component-specific information and systems (sustaining base, tactical, C4I interfaces to weapon systems).
5.2.2 Secure information systems and networks in accordance with the assigned level of concern by acquiring and employing IA solutions in accordance with NSTISSP No. 11 (see Enclosure 1) and the robustness policies described in the Information Assurance Implementation Guidance.
5.2.3 Appoint Designated Approving Authorities (DAAs) and ensure they accredit each information system under their jurisdiction and implement IA solutions indicated by the results of the risk assessment process outlined in the DITSCAP, to ensure proper IA risk management and sustainment.
5.2.4 Comply with established connection approval processes for all information systems connections and develop Memorandums of Agreement (MOA) with other Component Heads as appropriate for interconnection of information systems managed by multiple DAAs.
5.2.5 Assign mission categories to Component-specific systems.
5.2.6 Identify and include IA requirements in the design, acquisition, installation, operation, upgrade, or replacement of all DoD system technologies and supporting infrastructures, including sustaining base, tactical, and C4I interfaces to weapon systems.
5.2.7 Ensure that IA awareness, training, education, and professionalization are provided to all military and civilian personnel, including contractors, commensurate with their respective responsibilities for using, operating, administering, and maintaining GIG information systems, in accordance with the joint IA training and certification memorandum (see Enclosure 1).
5.2.8 Share techniques, technologies, and lessons learned relating to IA with other DoD Components.
5.2.9 Provide for an IA monitoring and testing capability, in accordance with DoD Directive 4640.6 and applicable laws and regulations.
5.2.10 Provide for vulnerability mitigation and an incident response and reporting capability in order to:
5.2.10.1 Take appropriate actions in response to IA vulnerability alert notifications issued through the Information Assurance Vulnerability Alert (IAVA) Process.
5.2.10.2 Report all systems security incidents in accordance with Chairman of the Joint Chiefs of Staff Instruction 6510.01B.
5.2.10.3 Take action in response to Information Operations Conditions (INFOCONs) as directed under the CJCS INFOCON memorandum (see Enclosure 1).
5.2.10.4 Take actions necessary to limit damage and restore effective service following a computer network attack (CNA) or computer network exploitation (CNE).
5.2.10.5 Collect and retain audit data to support forensics relating to misuse, penetration reconstruction, or other investigations.
5.2.11 Comply with COMSEC instructions and regulations.
5.2.12 Ensure that requirements to protect classified and sensitive unclassified information are placed in contracts and monitor contractors for compliance.
5.2.13 Ensure that all COTS and GOTS components required for security functions (excluding cryptographic modules) are acquired in accordance
with the guidance and schedule specified in the "National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Products."
5.2.14 Consult the IA Technical Framework (IATF) and published Common Criteria (CC) Protection Profiles for guidance regarding common classes of network and system attacks, interoperability and compatibility with the DoD strategy, and IA solutions that should be considered to counter attacks.
5.2.15 Ensure that access to GIG information systems and to specified types of information (intelligence, proprietary) under their jurisdiction is granted only on a need-to-know basis, and that all personnel having access are appropriately cleared or qualified under the provisions of DoD Regulation 5200.2-R.
5.2.16 Ensure that public key infrastructure implementations follow policy as stated in the DoD public key infrastructure policy (see Enclosure 1) and associated guidance.
5.2.17 Ensure that appropriate warnings are provided to all individuals accessing Component-owned or -controlled information systems.
5.2.18 Ensure coordination of management of IA operations (CND) with network management and co-locate the two functions when possible.

5.3 The OSD Principal Staff Assistants, in addition to the responsibilities specified in paragraph 5.2, shall ensure that IA requirements for information systems and functional applications developed under their cognizance are fully coordinated at the Component level.

5.4 The Chairman, Joint Chiefs of Staff, in addition to the responsibilities specified in paragraph 5.2, shall:
5.4.1 Ensure that Combatant Commanders incorporate appropriate IA elements in the generation of requirements for systems support to Joint and Combined operations.
5.4.2 Validate requirements for non-DoD (Department of State) and foreign nation access to DoD-wide elements of the GIG prior to their submission to the appropriate connection approval process.

5.5 The Commander, JTF-CND, under USSPACECOM, shall:
5.5.1 Coordinate and direct DoD-wide computer network defense operations, to include:
5.5.1.1 Actions necessary to the defense of computer systems and networks (network patches, firewall modifications).
5.5.1.2 Actions necessary to stop a computer network attack (CNA) or computer network exploitation (CNE), limit damage from such activities, and coordinate the restoration of effective computer network service following a CNA or CNE.
5.5.2 Declare changes in and issue INFOCONs in accordance with Chairman of the Joint Chiefs of Staff Memorandum, "Information Operations Condition."

5.6 The Director, National Security Agency (NSA), in addition to responsibilities specified in paragraph 5.2, shall:
5.6.1 Implement an IA intelligence capability responsive to requirements for the DoD, less DIA responsibilities.
5.6.2 Assess the risk to IA technologies based on the threat to and vulnerability of such technologies.
5.6.3 Serve as the DoD focal point for INFOSEC in support of IA requirements, to include protection mechanisms, detection and monitoring, response and recovery, and IA assessment tools and techniques.
5.6.4 Lead the development of the IA technical framework in support of the defense-in-depth strategy and provide engineering support and other technical assistance for its implementation within DoD.
5.6.5 Establish and manage a program for the evaluation and validation testing of commercially developed IA products in categories directed by the DoD CIO.
5.6.6 Certify cryptographic modules that are used to protect classified information and approve cryptographic modules that are used to protect unclassified information processed by national security systems, as delineated by Title 10, United States Code, Section 2315.
5.6.7 Serve as the DoD focal point for the National Information Assurance Partnership (NIAP). Through the NIAP, establish criteria and processes for evaluating and validating all security-related COTS firmware and software components (excluding cryptographic modules) required to protect GIG information systems.
5.6.8 Coordinate activities of the National Security Incident Response Center (NSIRC) with other DoD Components to integrate efforts into protection of the
DoD enterprise.
5.6.9 Act as the centralized COMSEC acquisition authority.

5.7 The Director, Defense Intelligence Agency (DIA), in addition to the responsibilities specified in paragraph 5.2, shall:
5.7.1 Provide finished intelligence on IA, including threat assessments, to DoD Components.
5.7.2 Develop, implement, and oversee an IA program for layered protection of the DoD Intelligence Information System.
5.7.3 Manage the connection approval process for Joint Worldwide Intelligence Communications System (JWICS) elements of the DISN in accordance with the process determined under paragraph 4.7 above.

5.8 The Director, Defense Information Systems Agency (DISA), in addition to the responsibilities specified in paragraph 5.2, shall:
5.8.1 Lead the development and implementation of a single IA strategy for defense-in-depth of the DoD-wide elements of the GIG, based on the IATF.
5.8.2 Establish connection requirements and manage connection approval processes for the long-haul elements of the DISN: the Secret Internet Protocol Router Network (SIPRNET), the Unclassified But Sensitive Internet Protocol Router Network (NIPRNET), and the DISN Video Services Global.
5.8.3 Operate and maintain, in coordination with the other DoD Components, a DoD-wide information system monitoring and incident response center.
5.8.4 Coordinate with and support the JTF-CND through USSPACECOM.
5.8.5 In coordination with the Joint Staff, NSA, and DIA as required, maintain security accreditation of the DoD-wide elements of the information infrastructure.
5.8.6 Coordinate the Information Assurance Vulnerability Alert (IAVA) Process.
5.8.7 Maintain the DITSCAP for security certification and accreditation of DoD component and contractor information technology systems.
5.8.8 In coordination with other DoD Components as required, develop and provide baseline DoD-level IA training and awareness products.
5.8.9 Perform the connection approval process for contractors requiring access to the Defense Information Systems Network (DISN).

5.9 The Director, Defense Security Service (DSS), in addition to the responsibilities specified in paragraph 5.2, shall:
5.9.1 Monitor information system security practices of contractors processing classified information in accordance with DoD 5220.22-M.
5.9.2 Inspect COMSEC accounts as a part of regular industrial security inspections at contractor facilities.

5.10 Each Designated Approving Authority (DAA) shall:
5.10.1 Establish and maintain the security of all systems under their jurisdiction.
5.10.2 Review and approve security safeguards and issue accreditation statements for each system under their jurisdiction, based on the acceptability of the safeguards and compliance with the DITSCAP.
5.10.3 Ensure that all required safeguards, as specified in accreditation documentation, are implemented and maintained.
5.10.4 Identify security deficiencies and initiate appropriate action to achieve an acceptable security level, as required.
5.10.5 Ensure that Information Systems Security Managers (ISSMs), Information Systems Security Officers (ISSOs), and Systems Administrators (SAs) are designated for all systems under their jurisdiction, and that they receive the level of training necessary and appropriate certification to perform the tasks associated with their assigned responsibilities.
5.10.6 Verify that data ownership is established for each system under their jurisdiction and that the system has been assigned to a mission category.
5.10.7 Ensure that systems provide mechanisms for controlling access to specific information (intelligence, proprietary) based on mission and need-to-know determinations made by information producers.
5.10.8 Ensure that a process for reporting security incidents and lessons learned is established.
5.10.9 Be an employee of the U.S. Government.

5.11 Each Information Systems Security Manager (ISSM) shall:
5.11.1 Serve as the focal point for policy and guidance on IA matters within their activity.
5.11.2 Provide policy and program guidance to subordinate activities.

5.12 Each Information
Systems Security Officer (ISSO) shall:
5.12.1 Ensure that systems for which they have cognizance are operated, used, maintained, and disposed of in accordance with the system accreditation package, security policies, and practices.
5.12.2 Within ISSO lines of authority, enforce IA policies and safeguards on all personnel having access to the system for which the ISSO has cognizance.
5.12.3 Ensure that users have the required security clearances, authorization, and need-to-know, have been indoctrinated, and are familiar with required security practices prior to being granted access to the system.
5.12.4 Ensure that audit trails are reviewed periodically.
5.12.5 Report all security incidents.
5.12.6 Report on the IA posture of the information system as required by the DAA.

5.13 Each System Administrator (SA) shall:
5.13.1 Work closely with the ISSO to ensure the system is used properly.
5.13.2 Assist the ISSO in maintaining system configuration controls and need-to-know information protection mechanisms.
5.13.3 Advise the ISSO of security anomalies or integrity deficiencies.
5.13.4 Administer, when applicable, user identification or authentication mechanisms of the system.
5.13.5 Perform system backups, software upgrades, and system recovery, including the secure storage and distribution of backups and upgrades.

5.14 Each System User shall:
5.14.1 Observe regulations and guidance governing the secure operation, protection of passwords, and authorized use of an information system.
5.14.2 Immediately report all security incidents, potential threats, and suspected vulnerabilities to the appropriate ISSO or ISSM.

6. EFFECTIVE DATE

This policy is effective immediately. In the event of conflicts between this policy and other DoD IA-related policy and guidance, this issuance takes precedence.

Enclosures - 3
1. References
2. Definitions
3. Policy Excerpt

ENCLOSURE 1
REFERENCES

SM-313-83, "Safeguarding the Single Integrated Operational Plan," May 10, 1983
DoD Directive O-5205, "Special Access Program (SAP) Policy," January 13, 1997
National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 4009, rev. 1, "National Information Systems Security Glossary," January 1999
DoD Regulation 5200.1-R, "Information Security Program," January 1997
Title 10, United States Code, Section 2315
Title 15, United States Code, Section 278g-3
DoD Instruction 5200.40, "Information Technology Security Certification and Accreditation Process," December 30, 1997
Assistant Secretary of Defense for Command, Control, Communications and Intelligence Memorandum, "Secret and Below Interoperability," March 20
National Security Telecommunications and Information Systems Security Policy (NSTISSP) No. 11, "National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology Products," January 2000
DoD Regulation 5200.2-R, "Personnel Security Program," May 6, 1992
DoD Directive 4640.6, "Communications Security (COMSEC) Monitoring and Recording," June 26, 1981
Deputy Secretary of Defense Memorandum, "Department of Defense Public Key Infrastructure," May 6, 1999
Under Secretary of Defense (Personnel and Readiness) and Assistant Secretary of Defense for Command, Control, Communications and Intelligence Joint Memorandum, "Information Assurance (IA) Training and Certification," June 29, 1998
Presidential Decision Directive (PDD) 63, Subject: Critical Infrastructure Protection, May 22, 1998
Deputy Secretary of Defense Memorandum, "Department of Defense Information Assurance Vulnerability Alert (IAVA)," December 30, 1999
Chairman of the Joint Chiefs of Staff Instruction 6510.01B, "Defensive Information Operations Implementation," 22 August 1997, with Change 1, 26 August 1998
Chairman of the Joint Chiefs of Staff Memorandum CM-510-99, "Information Operations Condition," 10 March 1999
National Security Telecommunications and Information Systems Security Directive (NSTISSD) No. 503, "Incident Response and Vulnerability Reporting for National Security Systems," August 30, 1993
DoD 5220.22-M, "National Industrial Security Program Operating
Manual, January 1995, and supplement, February 1995.
DCID 1/7, Security Controls on the Dissemination of Intelligence Information, June 30, 1998.

6-8510, Encl 2

ENCLOSURE 2

E2.1. Common Operating Environment (COE). The collection of standards, specifications and guidelines, architecture definitions, software infrastructures, reusable components, application programming interfaces (APIs), runtime environment definitions, reference implementations, and methodology that establishes an environment on which a system can be built. The COE is the vehicle that assures interoperability through a reference implementation that provides identical implementation of common functions. It is important to realize that the COE is both a standard and an actual product. (DII COE)

E2.2. Community Risk. A combination of (1) the likelihood that a threat will occur within an interacting population; (2) the likelihood that a threat occurrence will result in an adverse impact to some or all members of that populace; and (3) the severity of the resulting impact. (SABI Terms of Reference (TOR))

E2.3. Connection Approval. Authorization to link or join a system with an existing network. (SABI TOR)

E2.4. Criticality. A measure of how important the correct and uninterrupted functioning of the system is to national security, human life, safety, or the mission of the using organization; the degree to which the system performs critical processing. (SABI Handbook)

E2.5. Defense-in-Depth. The security approach whereby layers of IA solutions are used to establish an adequate IA posture. Implementation of this strategy also recognizes that, due to the highly interactive nature of the various systems and networks, IA solutions must be considered within the context of the shared risk environment, and that any single system cannot be adequately secured unless all interconnected systems are adequately secured.

E2.6. DoD Information Technology Security Certification and Accreditation Process (DITSCAP). The standard approach for identifying information security requirements, providing security solutions, and managing information technology system security. (DoD 5200.40)

E2.7. Enclave. An environment that is under the control of a single authority and has a homogeneous security policy, including personnel and physical security. Local and remote elements that access resources within an enclave must satisfy the policy of the enclave. Enclaves can be specific to an organization or a mission and may also contain multiple networks. They may be logical, such as an operational area network (OAN), or be based on physical location and proximity. The enclave encompasses both the network layer and the host and applications layer.

E2.8. Encryption. A procedure to convert plain text into cipher text. Within DoD there are three reasons to encrypt:
a. Confidentiality: To ensure that information is not made available or disclosed to unauthorized individuals, entities, or processes.
b. Data Separation: To ensure that information of different classifications sharing the same transport (transmission media) is not co-mingled.
c. Privacy: To ensure that information at the same classification level is kept separate based on need-to-know.

E2.9. External Certificate Authority (ECA). An agent that is trusted and authorized to create, sign, and issue certificates to approved vendors and contractors for the purpose of enabling secure interoperability with DoD entities. Operating requirements for ECAs must be approved by the DoD CIO in coordination with the DoD Comptroller and the OSD General Counsel. (DoD PKI Policy)

E2.10. Freeware. Also known as free software. Software that is free from licensing fees and has no restrictions on use; it can be freely copied, redistributed, or modified.

E2.11. Functional Domain. An identifiable DoD functional mission area. For purposes of this policy, the functional domains are command and control, space, information operations, weapon systems, communications and broadcast, navigation, modeling and simulation, logistics, transportation, health affairs, personnel, financial services, public works, research and development, and intelligence,
surveillance and reconnaissance (ISR).

E2.12. Incident Detection and Response Capabilities. The establishment of mechanisms and procedures to monitor information systems and networks; detect, report, and document attempted or realized penetrations of those systems and networks; and institute appropriate countermeasures or corrective actions.

E2.13. Information Assurance (IA). Information Operations (IO) that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. (DoDD S-3600.1)

E2.14. Information Assurance Vulnerability Alert (IAVA). The comprehensive distribution process for notifying CINCs, Services, and Agencies (C/S/A) about vulnerability alerts and countermeasures information. The IAVA process requires C/S/A receipt acknowledgment and provides specific time parameters for implementing appropriate countermeasures, depending on the criticality of the vulnerability. (JTF-CND CONOP)

E2.15. Information Operations Condition (INFOCON). The INFOCON is a comprehensive defense posture and response based on the status of information systems, military operations, and intelligence assessments of adversary capabilities and intent. The system presents a structured, coordinated approach to defend against a computer network attack; INFOCON measures focus on computer network-based protective measures. Each level reflects a defensive posture based on the risk of impact to military operations through the intentional disruption of friendly information systems. INFOCON levels are: NORMAL (normal activity), ALPHA (increased risk of attack), BRAVO (specific risk of attack), CHARLIE (limited attack), and DELTA (general attack). Countermeasures at each level include preventive actions, actions taken during an attack, and damage control/mitigating actions. (CJCS Memo, 10 March 1999)

E2.16. Information Producer. A person, group, or organization that creates, updates, distributes, and retires information based on their authorized/assigned missions and functions.

E2.17. Information System. The entire infrastructure, organization, personnel, and components for the collection, processing, storage, transmission, display, dissemination, and disposition of information. (NSTISSI No. 4009)

E2.18. Intelligence Community Information. Sensitive Compartmented Information and any other intelligence information that is classified pursuant to section 1.5(c) of Executive Order 12958 and that also bears special intelligence information control markings as required by DCID 1/7, Security Controls on the Dissemination of Intelligence Information.

E2.19. Layered Defense. A combination of security services, software and hardware infrastructures, and processes which are implemented to achieve a required level of protection. These mechanisms are additive in nature, with the minimum protection being provided by the network and infrastructure layers.

E2.20. Level of Concern. A rating assigned to an information system that indicates the extent to which protective measures, techniques, and procedures must be applied. The DoD has three levels of concern:
a. High: Information systems that require the most stringent protection measures and rigorous countermeasures.
b. Medium: Information systems that require layering of additional safeguards above the minimum standard (Basic).
c. Basic: Information systems that require implementation of the minimum standard.

E2.21. Level of Robustness. The characterization of the strength of a security function, mechanism, service, or solution, and the assurance (or confidence) that it is implemented and functioning correctly to support the level of concern assigned to a particular information system. The DoD has three levels of robustness:
a. High: Security services and mechanisms that provide the most stringent available protection and rigorous security countermeasures.
b. Medium: Security services and mechanisms that provide for layering of additional safeguards above the minimum (Basic).
c. Basic: Security services and mechanisms that equate to good commercial practices.

E2.22. Mission Category. Applicable to information systems, the mission category reflects the importance of information relative to the achievement of goals and objectives, particularly the warfighter's combat mission. Mission categories are primarily used to determine requirements for availability and integrity services. The DoD will have three mission categories:
a. Mission Critical: Systems handling information which is determined to be vital to the operational readiness or mission effectiveness of deployed and contingency forces in terms of both content and timeliness. Information in these systems must be absolutely accurate and available on demand (may be classified information as well as sensitive and unclassified information).
b. Mission Support: Systems handling information that is important to the support of deployed and contingency forces. The information must be absolutely accurate but can sustain minimal delay without seriously affecting operational readiness or mission effectiveness (may be classified information but is more likely to be sensitive or unclassified information).
c. Administrative: Systems handling information which is necessary for the conduct of day-to-day business but does not materially affect support to deployed or contingency forces in the short term (may be classified information but is much more likely to be sensitive or unclassified information).

E2.23. Mobile Code. Software modules obtained from remote systems, transferred across a network, and then downloaded and executed on a local system without explicit installation or execution by the recipient. Malicious mobile code is designed, employed, distributed, or activated with the intention of compromising the performance or security of information systems and computers, increasing access to those systems, disclosing unauthorized information, corrupting information, denying service, or stealing resources.

E2.24. National Information Assurance
Partnership (NIAP). A collaboration between the National Institute of Standards and Technology (NIST) and NSA to meet the security testing needs of both information technology producers and users. The program is intended to foster the availability of objective measures and test methods for evaluating the quality of IT security products, and to provide a sound and reliable basis for the evaluation, comparison, and selection of security products.

Footnote (to the Mission Critical definition in E2.22): This definition of Mission Critical is operationally focused and differs from that in the Clinger-Cohen Act of 1996, as well as the one used for reporting to Congress under Section 8121 of the FY 2000 Defense Appropriations Act, both of which pertain to information technology procurement, not information or mission assurance support to deployed forces.

E2.25. National Security System. Any telecommunications or information system operated by the Department of Defense, the function, operation, or use of which (1) involves intelligence activities; (2) involves activities related to national security; (3) involves command and control of military forces; (4) involves equipment that is an integral part of a weapon or weapon system; or (5) is critical to the direct fulfillment of military or intelligence missions; but not including a system (and equipment and services of a system) that is to be used for routine administrative and business applications, including payroll, finance, logistics, and personnel management applications. (Title 10 U.S.C. Section 2315)

E2.26. Network Centric. A holistic view of interconnected information systems and resources that encourages a broader approach to security management than a component-based approach. (SABI TOR)

E2.27. Operating Environment. The total environment in which an information system operates. It includes the physical facility and controls, procedural and administrative controls, personnel controls, and the clearance level of the least cleared user.

E2.28. Public Key Infrastructure (PKI). An enterprise-wide service that supports digital signatures and other public key-based security mechanisms for functional domain programs, including generation, production, distribution, control, and accounting of public key certificates.

E2.29. Sensitive Information. Sensitive information is any information the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under section 552a of title 5, United States Code (The Privacy Act), but which has not been specifically authorized under criteria established by executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy. This includes information in routine payroll, finance, logistics, and personnel management systems. NOTE: Certain information, the disclosure of which would constitute an unwarranted invasion of personal privacy, is exempt from mandatory disclosure under the Freedom of Information Act of 1974.

E2.30. Sensitive Compartmented Information (SCI). Classified information concerning or derived from intelligence sources, methods, or analytical processes which is required to be handled within formal access control systems established by the Director of Central Intelligence. (DCID 1/19)

E2.31. Secret and Below Interoperability (SABI) Initiative. An ASD(C3I)-directed, JCS-sponsored and executed initiative to enhance Secret and Below Interoperability, measure community risk, and protect the GIG information systems infrastructure. (SABI Handbook)

ENCLOSURE 3

Excerpt from the National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled IT Products

SECTION I - POLICY

1. Information Assurance (IA) shall be considered as a requirement for all systems used to enter, process, store, display, or transmit national security information. IA shall be achieved through the acquisition and appropriate implementation of evaluated or validated Government Off-the-Shelf (GOTS) or Commercial Off-the-Shelf (COTS) IA and IA-enabled Information
Technology (IT) products. These products should provide for the availability of the systems, ensure the integrity and confidentiality of information, and provide the authentication and non-repudiation of parties in electronic transactions.

2. Effective 1 January 2001, preference shall be given to the acquisition of COTS IA and IA-enabled IT products (to be used on systems entering, processing, storing, or transmitting national security information) which have been evaluated and validated, as appropriate, in accordance with:
a. The International Common Criteria for Information Security Technology Evaluation Mutual Recognition Arrangement;
b. The National Security Agency (NSA)/National Institute of Standards and Technology (NIST) National Information Assurance Partnership (NIAP) Evaluation and Validation Program; or
c. The NIST Federal Information Processing Standard (FIPS) validation program.
The evaluation/validation of COTS IA and IA-enabled IT products will be conducted by accredited commercial laboratories or the NIST.

3. By 1 July 2002, the acquisition of all COTS IA and IA-enabled products to be used on the systems specified in paragraph 2 above shall be limited only to those which have been evaluated and validated in accordance with the criteria, schemes, or programs specified in subparagraphs 2.a through 2.c.

4. The acquisition of all IA and IA-enabled products to be used on systems entering, processing, storing, displaying, or transmitting national security information shall be limited to products which have been evaluated by the NSA, or in accordance with NSA-approved processes.

5. Normally, a complementary combination of IA/IA-enabled products is needed to provide a complete security solution to a given environment. Thus, in addition to employing evaluated and validated IA/IA-enabled products, a solution security analysis should be conducted as part of the certification and accreditation process. In support of this, NSA shall provide guidance regarding the appropriate combinations and implementation of GOTS and COTS IA and IA-enabled products.

6. Subject to policy and guidance for non-national security systems, departments and agencies may wish to consider the acquisition and appropriate implementation of evaluated and validated COTS IA and IA-enabled IT products. The use of these products may be appropriate for systems which process, store, display, or transmit information that, although not classified, may be critical or essential to the conduct of organizational missions, or for information or systems which may be associated with the operation and/or maintenance of critical infrastructures as defined in Presidential Decision Directive No. 63, Critical Infrastructures Protection.

SECTION II - RESPONSIBILITIES

7. Heads of U.S. Departments and Agencies are responsible for ensuring compliance with the requirements of this policy.

SECTION III - EXEMPTIONS AND WAIVERS

8. COTS or GOTS IA and IA-enabled IT products acquired prior to the effective dates prescribed herein shall be exempt from the requirements of this policy. Information systems in which those products are integrated should be operated with care and discretion, and evaluated/validated IA products and solutions considered as replacement upgrades at the earliest opportunity.

9. Waivers to this policy may be granted by the NSTISSC on a case-by-case basis. Requests for waivers, including a justification and explanatory details, shall be forwarded through the DIRNSA, who shall provide appropriate recommendations for NSTISSC consideration. Where time and circumstances may not allow for the full review and approval of the NSTISSC membership, the Chairman of the NSTISSC is authorized to approve waivers to this policy which may be necessary to support U.S. Government operations which are time-sensitive or where U.S. lives may be at risk.

6-8510 IA Implementation

Global Information Grid Information Assurance Implementation Guidance

1. Purpose and Overview

This issuance provides guidance on implementing Global Information Grid (GIG) Policy 6-8510,
Department of Defense Information Assurance. It addresses the selection of appropriate security countermeasures required to secure the GIG architecture. It describes the defense-in-depth strategy, in which layers of defense are used to achieve the security objectives. It also points to the Information Assurance Technical Framework (IATF), which provides technical solutions and detailed implementation guidance for specific situations.

1.1. The guidance is divided into the following sections:
- Section 1 gives the purpose of the document, describes the sections, provides an overview of information assurance, and shows how IA relates to the overall GIG initiative.
- Section 2 describes the operational environment and defines and explains the purpose of mission categories.
- Section 3 addresses defense-in-depth, discusses target environments for the three major IT focus areas (networks, enclaves and boundaries, and the computing environment) and the security management infrastructure, and provides tables that describe high level objectives for securing each focus area.
- Section 4 discusses the threat and attack environment and provides a table of common threats and categories of attacks that may target various components of the IT environment (networks, enclaves, hosts, applications).
- Section 5 discusses levels of robustness for individual security services and mechanisms and how they relate to overall IA solutions.
- Section 6 addresses non-technical countermeasures, including personnel, physical, and procedural security; security training, education, and awareness; marking and labeling; incident reporting and response; assessments; and risk management.

1.2. Information Assurance (IA) services provide security by ensuring the availability of the information system, the integrity and confidentiality of information, and the accountability and non-repudiation of parties in electronic transactions. To the degree required, these IA services must be employed for all information and systems in the DoD, both classified and unclassified, and whether deemed mission critical, mission support, or administrative. Further, the majority of information systems are interconnected, so that a security risk assumed by one entity is a risk shared by all those who are a part of the interconnected systems. Security is needed not only for intra-CINC, Service, and Agency transactions, but also for transactions among the components and with other US government departments, allies, and trading partners. For these reasons, a comprehensive, common IA strategy becomes very important, and all components must cooperate in its development and implementation.

1.3. It is important to keep in mind that there are no cookbook solutions to appropriate IA. Any specific implementation is dependent upon an in-depth system security analysis and evaluation, which must take into consideration all of the factors (system mission category, level of concern, confidentiality requirements, threat, and operating environment) in order to tailor an appropriate defense-in-depth solution for the implementation. Additional detail on security technologies that can satisfy defense-in-depth requirements may be found in the Information Assurance Technical Framework.

1.4. The need for securing information and systems against the full spectrum of cyber threats dictates the use of multiple IA solutions that address people, technology, and operations. The fundamental strategy principle is that layers of IA solutions are needed to establish an adequate IA posture. Implementation of this strategy also recognizes that, due to the highly interactive nature of the various systems and networks, any single system cannot be adequately secured unless all interconnected systems are adequately secured. Thus, an IA solution for any system must be considered within the context of the shared risk environment. The defense-in-depth strategy is also predicated on a sound IA technical framework reflecting technical performance and best practice standards developed in conjunction with the IT industry. Thus, to the greatest extent possible, the recommendations of the IATF will leverage emerging commercial IA technology with available government IA technology. This guidance is structured in accordance with the defense-in-depth technical layers: the network and infrastructure, the enclave boundary, the computing environment, and the overarching security management infrastructure. Figure 1-2 below depicts defense-in-depth from technical, operational, and people-related perspectives. The primary focus of this guidance is the technical implementation; however, operational and personnel aspects are discussed in Section 6.

Figure 1-2. Defense-in-Depth. [Figure: the goal "Successful Mission Execution" supported by Information Assurance across three perspectives. Technology: IA Technology Layers, Security Criteria, IT/IA Acquisition, Risk Assessments, Certification & Accreditation. Operations: Assessments, Monitoring, Intrusion Detection, Warning, Response, Reconstitution. People: Training & Awareness, Physical Security, Personnel Security, System Security Administration.]

1.5. The document tree in Figure 1-3 below describes the overall GIG Information Assurance effort and shows the policy and guidance provided at different levels within the DoD. As the user goes down through the layers of the tree, the technical implementations more fully describe and support the capability to design security into systems during the development and acquisition processes.

Figure 1-3. GIG IA Document Tree. [Figure: GIG Policy; GIG IA Policy and Implementation Guidance; GIG Architecture (services, protocols, etc.); People, Technology, Operations; DITSCAP; supporting documents, including boundary and external connections guidance.]

2. Operational Environment and Mission Categories

2.1. Operational Environment. The DoD operates many systems that pass information on commercial network infrastructures between local enclaves. Enclaves typically contain multiple local area networks (LANs) with computing
assets such as workstations, users, printers, servers, and switching/routing components, which transmit, process, and store information and support necessary services such as intrusion detection and virus detection. The wide area network (WAN) contains components such as routers and switches, which direct the flow of information through the infrastructure. The infrastructure contains the transmission components (satellites, microwave, other RF spectrum, fiber, etc.), most of it commercially leased, to move information across the network. The DoD employs the Internet and public switched telephone network backbones, as well as the radio frequency spectrum, for voice and data transmission. Figure 2-1 represents today's operating environment from a high level networking perspective. Detailed defense-in-depth layers are defined in section 3.

Figure 2-1. Operational Environment. [Figure: a nominal enclave with directory, intrusion detection, boundary protection and remote access components; server, application servers and inter-connections to WANs (including SIPRNET); secure remote users; SBU and UNCLASSIFIED enclaves; and an Internet provider.]

2.2. Information transmitted, processed, or stored in the operational environment described above is currently hierarchically classified as Top Secret SCI, Top Secret, Secret, Confidential, Sensitive, or Unclassified. In addition, information can be further tagged with a number of handling caveats.

2.3. Mission Categories. While the long-standing hierarchical classification scheme is useful for identifying confidentiality needs, it is not very useful in identifying needs for other IA services such as system availability, integrity, and authentication and non-repudiation. Thus, in addition to classification, information and systems within this environment need to be categorized as Mission Critical, Mission Support, or Administrative. Mission categories provide the basis for determining the robustness requirements for availability and integrity services and are significant from both cost and operational perspectives. They provide a means for prioritizing IT support and allocating resources based on needs for system availability and integrity services. These categories are defined as follows:

2.3.1. Mission Critical. These systems handle information vital to the operational readiness or mission effectiveness of deployed and contingency forces in terms of both content and timeliness. Information in these systems must be absolutely accurate and available on demand (may be classified, sensitive, or unclassified information).

2.3.2. Mission Support. These systems handle information important to the support of deployed and contingency forces. Information on these systems must be accurate but can sustain minimal delays without seriously affecting operational readiness or mission effectiveness (may be classified information but is more likely to be sensitive or unclassified information).

2.3.3. Administrative. These systems handle information which is necessary for the conduct of day-to-day business but does not materially affect support to deployed or contingency forces in the short term (may be classified but is usually sensitive or unclassified). It is recognized that this information may be recreated if the need arises.

3. Defense-in-Depth

The concept of defense-in-depth was presented in the overview section of this document. This section describes the four focus areas of defense-in-depth, discusses target environments, and proposes objectives for assurance of each focus area.

3.1. Defend the Network. Networks and their supporting infrastructures include large transport networks and other transmission and switching capabilities. They include operational area networks (OANs), metropolitan area networks (MANs), campus area networks (CANs), and local area networks (LANs), extending coverage from broad communities to local bases. Figure 3-1 depicts a high level view of defense of the network, with suggested placement for information assurance components and mechanisms. Table 3-1 lists high level objectives for defending the network and infrastructure and should be used to define solution sets in the architecture framework. The target environment for network defense includes data, voice, wireless, cellular, paging, and tactical networks that support both the operational and strategic missions. These networks can be DoD owned and operated (both service and transport) or leased services (transport layer).

Figure 3-1. Defend the Network. [Figure: DoD unclassified networks, wireless data, voice and tactical networks; domain name server and directory; in-line network devices; boundary protection (e.g., firewalls, IDS).]

Objectives for Networks:
- Ensure that systems and networks follow a consistent architecture.
- Ensure that all data within the Enterprise is protected in accordance with its classification and mission criticality.
- Ensure that mission critical and mission support networks are protected against denial of service.
- Ensure that networks are visible for IA management and monitoring purposes.
- Provide the ability to protect from, react to, and restore operations after an intrusion or other catastrophic event.
- Ensure that the infrastructure does not conflict with other DoD and enterprise networks or systems.
Table 3-1. Objectives for Network Defense

3.2. Defend the Enclave Boundary. An enclave boundary exists at the point of connection for a LAN or similar network to the service layer. Figure 3-2 depicts a high level view of defend the enclave boundary, with suggested placement of IA components and mechanisms (firewalls and guards). Table 3-2 lists the high level objectives for enclave boundary protection and should be used when designing, implementing, or integrating an information technology solution that provides enclave boundary protection. Enclave boundary target environments include service layer networks (including modem connections), classified LANs
within classified WANs (e.g., tunneling information within the DoD use of virtual private networks on service layer providers), remote enclaves including remote LANs or systems (laptops) that may be connected remotely to different service networks (e.g., Joint Task Force deployments), and high-to-low transfer and low-to-high transfer.

Figure 3-2. Defend the Enclave Boundary. [Figure: enclave boundary protection (firewall, guard, IDS) between the enclave and tactical and wide area networks; remote client.]

Objectives for the Enclave Boundary:
- Ensure that physical and logical enclaves are adequately protected.
- Enable dynamic throttling of services due to change in risk posture resulting from changing
- Ensure that systems and networks within protected enclaves maintain acceptable availability and are adequately defended against denial of service intrusions.
- Defend against the unauthorized modification or disclosure of data sent outside enclave boundaries.
- Provide boundary defenses for those systems within the enclave that cannot defend themselves due to technical or configuration problems.
- Provide a risk-managed means of selectively allowing essential information to flow across the enclave boundary.
- Provide protection against systems and data within the protected enclave being undermined by external systems or forces.
- Provide strong authentication of users sending or receiving information from outside their enclave.
Table 3-2. Objectives for Enclave Boundary Defense

3.3. Defend the Computing Environment. Defense of the computing environment is focused on servers and workstations, to include the applications installed on them and the supporting services (such as intrusion detection) which are necessary for the operations of the network. An application is any software written to run on a host and may include portions of the operating system. Figure 3-3 depicts a high level view of defend the computing environment. Each computing environment (user workstation, server) within the enclave requires a minimum of basic protection. Table 3-3 lists high level objectives for computing environment protection. The computing environment includes the end user workstation (both desktop and laptop, including peripheral devices), servers (including web, application, and file servers), applications (such as intrusion detection, e-mail, web, and access control), and the operating system.

Figure 3-3. Defend the Computing Environment. [Figure: hosts and applications inside the enclave, behind the enclave boundary protection.]

Objectives for Computing Environment:
- Ensure that hosts and applications are adequately defended against denial of service, unauthorized disclosure, and modification of data.
- Ensure the confidentiality and integrity of data processed by the host or application, whether internal or external to the enclave.
- Defend against the unauthorized use of a host or application.
- Ensure that hosts follow secure configuration guidelines and have all appropriate patches applied.
- Maintain configuration management of all hosts to track patches and system configuration changes.
- Ensure that a variety of applications can be readily integrated with no reduction in security to meet the needs of a Joint Task Force.
- Ensure adequate defenses against subversive acts of trusted people and systems, both internal and external.
Table 3-3. Objectives for Defense of the Computing Environment

3.4. Establish Supporting Infrastructures. Supporting infrastructures provide the foundation upon which IA mechanisms are used in the network, enclave, and computing environments for securely managing the system and providing security enabled services. The two primary supporting infrastructures are (1) key management and (2) detect and respond. Table 3-4 lists objectives for supporting infrastructures. Supporting infrastructures provide security services for networks, weapons (identify friend or foe), nuclear command and control systems, end-user workstations, servers (for web applications and files), and single-use infrastructure machines (e.g., higher level DNS servers, higher-level directory servers). These services apply to both classified and unclassified enclaves.

Objectives for Supporting Infrastructures:
- Provide a DoD infrastructure that supports key, privilege, and certificate management and that enables positive identification of individuals utilizing network services.
- Provide an intrusion detection, reporting, analysis, assessment, and response infrastructure that enables rapid detection and reaction to intrusions and other anomalous events, and that enables operational situation awareness.
- Plan execution and reporting requirements for contingencies and reconstitution.
Table 3-4. Objectives for Supporting Infrastructure Capabilities

3.4.1. Key Management Infrastructure. The key management infrastructure provides a common, unified process for the secure creation, distribution, and management of the products (such as asymmetric keys (PKI) and traditional symmetric keys (EKMS)) that enable security services for the network, enclave, and computing environment. Figures 3-4 and 3-5 depict high level views of the future key management infrastructure architecture and services. KMI-enabled security services such as identification and authentication, access control, integrity, non-repudiation, and confidentiality become increasingly critical as the Department incorporates IA into its electronic systems. Key management provides the common roles and interface processes required to support IA. See documentation.

Figure 3-4. Key Management Infrastructure (Unified KMI Services). [Figure: generation service, management services, delivery service; policy/doctrine; evaluation; worldwide, redundant, highly automated servers; thin client workstations.]

Figure 3-5. Key Management Roles and Processes. [Figure: key management roles and processes for Type 1 and public key material and equipment.]

3.4.2. Detect and Respond. The cyber battlespace is highly fluid, with operational agility critical to effective defense. The detection, reporting, and response infrastructure enables
rapid detection and reaction to intrusions and enables operational situation awareness and response in support of missions Local infrastructures support local operations and feed regional and DoD-wide infrastructures so that can react quickly regardless of the scale of the intrusion Figure 3-6 depicts a high level view of the Detect and Respond process Diagnosis and Resolution and Figure 3-6 Detect and Respond Process 4 Threats and Attacks Threat is de ned as any circumstance or event with the potential to cause harm to an information system in the form of destruction disclosure modi cation of data or denial of service Threats may vary based on the motivations and capabilities of adversaries Threat should be considered from a mission viewpoint as well as from an information processing perspective Threats must be de ned in terms of the threat environment in which the mission will be accomplished Attack is generally de ned as an attempt to gain unauthorized access to an information system s services resources or information or the attempt to compromise an information system s integrity availability or con dentiality Factors to consider when determining the threat to a particular solution include types of attacks level of access risk tolerance expertise and resources available to the adversary Attacks can also take many forms They can include malicious attacks virus worm Trojan horse masquerading unintentional attacks malfunction human error and physical attacks re water battle damage 15 IA 6-8510 - Implementation power loss Analysis of potential threats and the countermeasures required to maintain the appropriate con dentiality integrity and availability of the information is required to de ne the best practices to mitigate risk and support defense-in-depth Table 4-1 provides common threat considerations and Table 4 2 provides categories of attacks All these factors should be considered when designing a system Common Threat Considerations Insider intrusions - both 
human error and malicious Network based attacks both systematic and random Jamming of networks both malicious and inadvertent Flooding Theft of service Disruption of network management communications and services Unauthorized access to network operations and management Unauthorized intrusions by remote operators Malicious software developers and software Malicious hardware developers and hardware I#Gvenan--by-adversaries Unauthorized access by others with physical access Table 4-1 Common Threat Considerations - Passive Intercept Attacks include traf c analysis monitoring of unprotected communications weakly traf c and capturing identi cation numbers and passwords Passive intercept of network operations can give adversaries indications and warnings of impending actions I Network-Based Attacks include attempts to circumvent or break security features introduce malicious code or to steal or modify information These include attacks mounted against a network backbone exploitation of information in transit electronic penetrations into an enclave or attacks on an authorized remote user when she attempts to connect to an enclave - Close-in Network-Based Attacks attempt to execute network-based attacks to penetrate an enclave's protection where the adversary gains access at a point inside the network and infrastructure protection boundary an Insider Attacks are performed by individuals who are authorized physical access to the system or network or have authorized electronic access to that system or network Malicious insiders have the intent to eavesdrop steal or damage information or to deny access to other authorized users Non-malicious attacks typically resulting from carelessness or lack of knowledge are also considered threats since their actions may have security consequences - HardwareISol tware Distribution Attacks focus on the malicious modi cation of hardware or software at the factory or modi cation or substitution during distribution Table 4-2 Categories of 
Attacks 16 IA 6-8510 - Implementation 5 Levels of Robustness 5 1 Robustness describes the strength of mechanism the strength of a algorithm and design assurance con dence measures taken to ensure proper mechanism implementation for a technical IA solution Technical IA solutions in the defense-in depth strategy will be at one of three de ned levels of robustness high medium or basic corresponding to the level of concern assigned to the system Designating levels indicates a degree of robustness of the solution Evaluation Assurance Level EAL levels de ned in the International Common Criteria and classes of certi cates de ned in the Certi cate Policy indicate a degree of con dence in the security attributes of the products they reiate to As security mechanisms improve over the years the robustness of security products should also improve and more robust products can be incorporated in security solutions The more robust a particular security attribute is the greater the level of protection it provides to the security services it supports Assigning levels of robustness for integrity availability and con dentiality for all information systems is another means for ensuring the most cost effective and best use of IA solutions including COTS solutions When implementing IA solutions they will be at a designated robustness level commensurate with the level of concern except where noted It is also possible to use non-technical measures to achieve protection and protection of a network can be used to provide con dentiality In these cases the technical solution requirement may be reduced or eliminated The three levels of robustness discussed below are based on the robustness strategy presented in the IATF It should be noted that today s technology could support development of more stringent protection and rigorous security countermeasures however development costs would far exceed acceptable budget limits Therefore the term high robustness used here is relative to the other 
levels of robustness including those of the IATF robustness strategy and does not indicate the be5t that could be developed in an unrestrained environment The three levels of technical robustness solutions are described in the following sub- paragraphs 5 1 1 High robustness security services and mechanisms provide the most stringent protection and rigorous security countermeasures High robustness solutions require all of the following - NSA-certi ed Type 1 algorithms and implementation for key exchange digital signature and hash - NSA Type 1 authenticated access control digital signature public key based challengelresponse identi cation and authentication I Key Management - For symmetric key NSA-approved key management production control and distribution - For asymmetric key Class 5 PKI certi cates and hardware security tokens that protect the user s private key and implementation 17 IA 6-8510 - Implementation 0 High assurance security design such as speci ed by NSA or the International Common Criteria CC at a minimum an Evaluated Assurance Level EAL greater than 4 I Products evaluated and certi ed by NSA 5 1 2 Medium robustness security services and mechanisms provide for additional safeguards above the minimum Medium robustness solutions require at a minimum all of the following I NIST FIPS validated algorithms and implementation for key exchange digital signature and hash see algorithms at Table 5-4 I NIST authenticated access control digital signature - public key based challengefresponse identi cation and authentication I Key Management - For symmetric key NSA-approved key management production control and distribution - For asymmetric key Class 4 PKI certi cates and hardware security tokens that'protect' re'users private key Good assurance security design such as speci ed in CC as EAL3 or greater Solutions evaluated and validated under the Common Criteria Evaluation validation scheme or NSA Solutions for National Security Systems approved by NSA 5 1 3 Basic 
robustness solutions are equivalent to good commercial practice Basic robustness require at a minimum all of the following NIST FIPS validated algorithms and implementation for key exchange digital signature and hash see algorithms at Table 5-4 I Authenticated access control digital signature public key based challengefresponse identification and authentication or pre-placed keying material 0 Key Management - For symmetric key NIST approved key management production control and distribution - For asymmetric key Class 3 PKI certi cates or pro-placed keying material See reference for policy on migration to Class 4 certi cates and software tokens private keys held in software on the user's workstation CC EAL 1 or greater assurance Solutions evaluated and validated under the NIAP Common Criteria Evaluation Validation Scheme or NSA 18 IA 6-8510 - Implementation 5 2 While paragraph focuses on the robustness of individual security services and mechanisms the robustness of a network solution must be considered in the context of defense-in-depth see section 3 and the threat environment in which the system operates For instance a system operating on a protected backbone between secure enclaves may not require additional mechanisms for authentication and access control In addition if conununity of interest separation is provided through it will require less robust solutions 5 3 The tables below are tools for use in a disciplined system security engineering approach for building or replacing systems They cover the major defense in depth areas but are not all-inclusive for every system requirement and should not be used as a substitute for good systems security engineering The robustness indicated is the minimum that should be considered for the defense in depth application in the environment listed However more robust solutions should always be considered during the in-depth security analysis of system requirements In addition as information assurance technology improves and 
systems are replaced or upgraded higher robustness solutions should always be considered 5 3 1 Availability ensures that the resources and data are in place at the time and in the-form needed-by the user Availability can be enhanced by access control which limits access to authorized users only Integrity ensures that data has not been altered or destroyed and is achieved through the use of digital signatures or keyed hash schemes Non-repudiation provides the ability to prove to a third party that an entity did indeed participate in a communication Non-repudiation is provided by the authenticating characteristics of digital signatures Minimum robustness requirements for availability integrity and non-repudiation are shown in Table 5-1 Security Service Level of Conceranobustness Big I Medium Essie Availability Mission Critical over 1 Mission support and an Administrative over any network network 2 Mission Critical over an network Integrity Non- - - 1 Mission Critical 1 Mission Critical over an repudiation - over an network network 2 Mission support and 2 Network Administrative over any Management network commands over an 3 Network Management network commands over an network Table 5-1 security Services Robustness 19 IA 6-8510 - Implementation 5 3 2 Access Control is used to limit access to networked resources hardware and software and data stored and communicated The main elements of access control are identi cation and authentication 18m and authorization Passwords tokens and certi cates are used to achieve authenticated access control Table 5-2 gives examples of minimum robustness requirements for access control mechanisms in particular situations Defense in Depth Application Level of ConcerniRobustness examples for Access Control andl'or or not Physically Isolated Physically isolated I - Network Network Defend the Network Access to Network Basic Medium Management Centers and all Network commands to managed GIG components routers switches as well as inter element 
commands geg router table propagation I Defend the Enclave All interconnections between Medium The level Medium The level Enclaves or LANs operating at - of robustness for this of robustness for this different classi cation levels g case which is also case which is also TS to Secret Secret to Unclassi ed know as a high know as a high or between U S and foreign nation assurance guard is assurance guard is systems or networks will only be medium however medium however through a well-de ned and additional design additional design controlled gateway NOTE assurance is required assurance is required Connection between different and must have an and must have an EAL classi cation levels allow lower EAL greater than 4 greater than 4 classi ed or unclassi ed data from the higher classi ed system to be moved to the lower classi ed or unclassi ed system unclassi ed data on a secret system to an unclassi ed system In addition unclassi ed data from an unclassi ed system can be moved to a classi ed system with the use of a well-de ned and controlled gateway 20 IA 6-8510 - Itnplementation All boundaries between Enclaves at Basic Basic- for mission the same sensitivity level and the support and WAN will be protected - administrative information Medium- for Mission critical - NOTE All gateways at boundaries 7 between Enclaves and WAN will contain an intrusion detection 4 attack sensing and warning capability All interconnections between Enclaves or LANs operating at different classi cation levels should be designed and analyzed to reduce covert channels Defend the Computing andfor or not Environment Physically Isolated Physically isolated Network Network wIis_er_I ogon to a workstation to gain Basic sic access to network resources User access to servers Web Basic Medium servers database servers le servers or other components storing Special Compartmented Special Access or other Mission Critical information will use authenticated access User accesses to servers Web Basic Basic a 
servers database servers file servers or other components storing - mission support or administrative will use authenticated access All Network Management control Basic I Medium commands to managed GIG components routers switches as well as inter-element commands router table propagation in the Enclave will employ authentication All Mission Critical Mission Basic Basic for mission Support and Administrative support and transactions to include individual administrative non-organizational e-mail and e- information conuneree will be secured with a Medium- for Mission digital signature Critical information Table 5-2 Access Control Robustness Examples 21 IA 6-8510 - - implementation 5 3 3 is a procedure to convert plain text into cipher text Within DOD it is used for purposes of Qon dgnti itg To ensure that information is not made available or disclosed to unauthorized individuals entities or processes 5 3 3 2 Data Separa gg To ensure that information of different classi cations sharing the same transport transmission media are not co-mingled 5 3 3 3 Privacy To ensure that information at the same classi cation level is kept separate based on need-to-know 5 3 4 Table 53 provides robustness guidance for data robustness Note that when information is for the purposes of data separation or privacy it is always tunneled through a network that is also for con dentiality Minimum Robustness Purpose of Data classification 1' Network 'b tl'orithm Con dentiality TS through Secret I gh TS through Commercial High Secret throqu Commercial Unclassi ed Sensitive through Basic Commercial Data Separation Secret through TS Medium throqu TS Medium through Secret - Medium Privacy TS through TS Basic Secret through Secret - Basie Unclassi ed through Unclassi ed Basic Sensitive Table 5-3 Data Robustn 22 IA 6-3510 - Implementation 5 3 5 functions include hash signature and key exchange algorithms These algorithms are used to protect the con dentiality andior integrity of information Table 5-4 
lists currently available algorithms It includes algorithms that are often encountered in commercial products primarily for reference purposes The number of bits or the length of the key used in the algorithm and the design assurance of the algorithm are directly related to its robustness and will determine whether the NIST certi ed algorithms listed in Table 5-4 are basic or medium robustness Within the Department of Defense only NSA or NIST certi ed algorithms may be used unless otherwise authorized See Chapter 4 of the IATF for a detailed description of algorithm robustness NSA Certi ed High Robustness NIST Certi ed BasiclMediurn Robustness Algorithn'i Commercially Available Reference RC4 AEA Contact NSA Algorithm RC5 IDEA SKIPJACK Blow sh Hash Algorithm MDS SEA 1 Contact NSA New standards as New standards as available available Signature RSA DSA - Contact NSA Algorithm EDSA Key RSA KEA Contact NSA Algorithm DH AEA- Advanced Algorithm IDEA- International Data DES- Digital Standard Algorithm DH- Dif etHellman KEA- Key Algorithm DSA- Digital Signature Algorithm MDS- Message Digest 5 EDSA- Elliptic Digital Signature Algorithm RSA- Hash- One way mathematical gperation Secure Hash Algorithm - BDES is currently recognized as a de facto standard but has not been NIST Certi ed Table 5-4 Algorithm Robustness Examples IA 6-8510 - Implementation 6 Non Technical Countenneasures The defense in depth strategy relies on both technical and non-technical countermeasures as equal elements to establish and maintain an acceptable IA posture across the Non-technical countermeasures are discussed below 6 1 Personnel Security Personnel security is an integral part of the overall Information Assurance program Speci c requirements for personnel assigned to Information Assurance jobs can be found in Regulation 5200 2R Personnel Security Program 6 2 Physical Security Physical Security is the action taken to protect information technology resources g installations personnel equipment 
electronic media documents etc from damage loss theft or unauthorized physical access Speci c guidance can be found in Regulation 5200 8 Security of Military Installations and Resources 6 3 Procedural Security Procedural Security is an integral part of the overall Information Assurance environment and supports the concepts of defense-in-depth Procedural security measures both and-can provide alternatives to technical security means when risk analysis indicates the use of procedures does not increase the overall risk to a system or network Procedural Security provides the necessary actions controls processes and plans to ensure continuous operation of a system or network within an accredited security posture and is site and - task dependent Site security procedures shall be developed to supplement the security features of the hardware software and rmware of information technology resources to include such standardized processes as security training user access control media labeling and classi ed material handling 6 4 - Security Training Education and Certi cation Security education training and awareness are essential to a successful IA program Employees who are informed of applicable organizational policies and procedures can be expected to act effectively to ensure the security of system resources General users require different training than those employees with specialized-responsibilities Minimum IA training requirements to support defense-in-depth can be found in joint USD and ASD guidance 6 5 Marking and Labeling 6 5 1 Storage Media Information storage media used in a classi ed information system is classi ed at the level of that information system Information storage media will have external labels indicating the security classification of the information and applicable associated security markings such as handling caveats and dissemination control labels 1830 s and shall identify the removable storage media to be used with a system 1A 6-8510 - 
Implementation 6 5 1 1 Removable media shall be marked physically controlled and safeguarded in the manner prescribed for the highest classi cation level ever recorded on it until destroyed or sanitized using approved processes 6 5 1 2 Non-removable information storage media shall bear external labels indicating the security classi cation of the information and applicable associated security markings such as handling caveats and dissemination control labels Ifit is dif cult to mark the non-removable media itself the labels described below may be placed in a readily visible position on the cabinet enclosing the media 6 5 2 Marking Hardware Components Ptocedures shall be implemented to ensure that all components of an IS including inputloutput devices that retain information terminals standalone microprocessors and word processors used as terminals bear a conspicuous external label This label shall state the highest classi cation level and most restrictive classi cation category of the information accessible to the component in the IS This labeling may consist of permanent markings on the component or a sign placed on the terminal 6 5 3 Marking Human-Readable Output 6 5 3 1 l-lumamreadable output shall be marked appropriately on each human-readable page screen or equivalent the proper classi cation must appear on each classi ed micro che and on each page of text on the che 6 5 3 2 Warning Notices All individuals attempting access to information systems shall be provided suf cient notice that use of of cial DOD information systems or networks constitutes consent to monitoring Adequate warning shall be provided by clearly displaying a legally approved warning notice At a minimum the warning banners on computer systems shall be displayed to the user upon initial enuy ogin to system network local and remote resources Acceptance of the banner warning screen shall constitute consent to monitoring 6 6 Standard Operating Procedures Consistent clearly documented operating 
procedures for both system con guration and operational use are key to ensuring information assurance Procedures should de ne deployment of the system system con guration day to day operations for both the system administrator and user as well as how to respond to real or perceived attempts to violate system security All DOD information systems and networks shall include written standard operating procedures which are routinely updated and tailored to re ect changes in the operational environment 6 7 Incident Reporting and Response In addition to protective measures designed into information systems and architectures sites should have a structured ability to audit detect isolate and react to intrusions service disruptions and incidents that threaten the security of operations IA 6-8510 - Iniplementation 6 7 1 Incident Reporting All organizations shall report incidents via their appropriate chain of command Types of incidents that will be reported include 6 7 1 1 Intrusion Unauthorized access to an information system 6 7 1 2 Denial of Service Attacks Actions which prevent any part of an automated information system from functioning in accordance with its intended purpose to include any action which causes the unauthorized destruction modification or delay of service - 6 7 1 3 Malicious Logic Hardware software or rmware that is intentionally included in an information system for an unauthorized purpose such as a virus or Trojan horse 6 7 1 4 Probe In information operations any attempt to gather information about an automated information system or its users online 6 7 2 Computer Incident Response In accordance with Concept of Operations dated December 1998 the ITF CND serves as the primary computer incident response capability to provide assistance in identifying assessing containing and countering incidents that threaten information systems and networks The JTF CND will collaborate and coordinate efforts with other Government and commercial activities to identify 
assess contain and counter the impact of computer incidents on national security communications and information systems and to minimize or eliminate identi ed vulnerabilities 6 7 3 COMSEC Material Incident Reporting Incidents involving the compromise or the suspected compromise of COMSEC material or incidents that warrant further investigation shall be reported in accordance with NSTISSI 4005 Safeguarding - Communications Security COMSEC Facilities and Materials dated August 1997 6 8 Assessments 6 8 1 Vulnerability Assessments Vulnerability assessments identify vulnerabilities in an operational environment and validate a particular site s overall security posture and degree of system integration and usually provide recommendations on ways to address shortcomings Types of assessments include but are not limited to 6 8 1 1 Monitoring Monitoring is an on-line assessment to better understand the vulnerability of systems 6 3 1 2 On-Line Surveys On-line surveys conducted by Services and Defense agencies help commands identify vulnerabilities on assigned and joint systems IA 6-8510 - Implementation 6 8 2 Commands may request more detailed on-site assistance on- site assessments and ISSE surveys to better understand their vulnerabilities 6 8 3 Red Team Operations Red Team operations may be employed to validate existing IA protections and to exercise standard operating procedures and tactics to evaluate vulnerabilities 6 9 Risk Management Risk management is the discipline of identifying and measuring security risks associated with an information system and controlling and reducing those risks to an acceptable level The goal of risk management is to invest organizational resources to mitigate security risks in- a cost effective manner while enabling timely and effective mission accomplishment Risk management is an important aspect of information assurance and defense-in-depth 6 9 2 The risk management process identi es assets to be protectedI potential threats and 
vulnerabilities and countermeasures and safeguards that can eliminate vulnerabilities or reduce them to levels acceptable-for IS accreditation Risk management is based on careful identi cation and evaluation of the threats and - vulnerabilities that apply to a-given IS and its operational environment 6 9 3 Risk management is relevant to the entire life cycle of an IS During IS development security countermeasures are chosen During IS implementation and operation the effectiveness of inwplace countermeasures is recon rmed and the effect of current threat conditions on system security is assessed to determine if additional countermeasures are needed to sustain the accredited security In scheduling risk management activities and designating resources careful consideration should be given to Certi cation and Accreditation CM goals and milestones Associated risks can then be assessed and corrective action taken for unacceptable risks Risk management requires the routine tracking and evaluation of the security state of an IS The risk management process includes 6 9 3 1 Analysis of the threats to and vulnerabilities of an information system as well as of the potential impact that losing the system s information or capabilities would have on national security This analysis forms a basis for identifying appropriate and cost-effective countermeasures 6 9 3 2 Risk mitigation Analysis of trade-offs among alternative sets of possible safeguards 6 9 3 3 Residual risk determination Identi cation of the risk remaining after applying safeguards 27 IA 6-8510 - Implementation 6 9 3 4 Acceptable level of risk iudicious and carefully considered assessment by the appropriate DAA that the residual risk inherent in operating the IS after implementing all proposed security features is acceptable 6 9 3 5 A reactive or responsive risk management process To facilitate investigation of and response to incidents 6 9 4 The risk management process applies to all layers of the defense in- depth 
strategy and the transition points between defense in-depth layers Interconnected systems pose risks that must be mitigated in part by further management processes 6 9 4 1 Con guration Management Con guration management identi es controls accounts for and audits all changes made to a site or information system during its design development and operational life cycle Proper con guration management can substantially reduce and sometimes eliminate the need for costly complete re-accreditation Appropriate levels of con guration management shall be established to maintain the accredited security posture The security impact of each change or modi cation to an information system or site con guration shall be assessed against the security requirements and the accreditation conditions issued by the DAA 6 9 4 2 Data anagement The increasing reliance on distributed interconnected information systems negates many of the data protection mechanisms built in to traditional system high networks and requires additional safeguards to protect information from both unauthorized users and from authorized users without a need to know 6 9 4 3 Requirements Management For speci c systems security requirements for passwords marking guidance and implementation account - management and operating systems security requirements please refer to the Defense Information Infrastructure Common Operating Environment DII COE Software Requirements Speci cation for security version 4 0 dated 20 October 1998 6 10 System Security Policy An Information System Security Policy ISSP shall be developed and maintained for every organization employing information technology resources and for each information system used within the The ISSP shall identify the security requirements objectives and policies implemented to safeguard the site or system in a prescribed operational con guration to include requirements for system redundancy and data backup and risk management decisions Contingency plans will be developed 
and tested to prepare for emergency response backup operations and postsdisaster recovery This policy document will become part of the SSAA required by the DISTCAP 28