Section 1 presents fundamental computer security requirements and Section 5 presents the control objectives for Trusted Computer Systems. They are general requirements, useful and necessary, for the development of all secure systems. However, when designing systems that will be used to process classified or other sensitive information, functional requirements for meeting the Control Objectives become more specific. There is a large body of policy laid down in the form of Regulations, Directives, Presidential Executive Orders, and OMB Circulars that form the basis of the procedures for the handling and processing of Federal information in general and classified information specifically. This section presents pertinent excerpts from these policy statements and discusses their relationship to the Control Objectives. These excerpts are examples to illustrate the relationship of the policies to criteria and may not be complete.
A significant number of computer security policies and associated requirements have been promulgated by Federal government elements. The interested reader is referred to reference [ 36] which analyzes the need for trusted systems in the civilian agencies of the Federal government, as well as in state and local governments and in the private sector. This reference also details a number of relevant Federal statutes, policies and requirements not treated further below.
Security guidance for Federal automated information systems is provided by the Office of Management and Budget. Two specifically applicable Circulars have been issued. OMB Circular No. A-71, Transmittal Memorandum No. 1, Security of Federal Automated Information Systems, [ 30] directs each executive agency to establish and maintain a computer security program. It makes the head of each executive branch, department and agency responsible "for assuring an adequate level of security for all agency data whether processed in-house or commercially. This includes responsibility for the establishment of physical, administrative and technical safeguards required to adequately protect personal, proprietary or other sensitive data not subject to national security regulations, as well as national security data." [ 30, para. 4 p. 2]
OMB Circular No. A-123, Internal Control Systems, [ 31] issued to help eliminate fraud, waste, and abuse in government programs requires: (a) agency heads to issue internal control directives and assign responsibility, (b) managers to review programs for vulnerability, and (c) managers to perform periodic reviews to evaluate strengths and update controls. Soon after promulgation of OMB Circular A-123, the relationship of its internal control requirements to building secure computer systems was recognized. [ 4] While not stipulating computer controls specifically, the definition of Internal Controls in A-123 makes it clear that computer systems are to be included: [ 31, sec. 4.C]
Internal Controls
-- The plan of organization and all of the methods and
measures adopted within an agency to safeguard its resources, assure the
accuracy and reliability of its information, assure adherence to
applicable laws, regulations and policies, and promote operational
economy and efficiency.
The matter of classified national security information processed by ADP systems was one of the first areas given serious and extensive concern in computer security. The computer security policy documents promulgated as a result contain generally more specific and structured requirements than most, keyed in turn to an authoritative basis that itself provides a rather clearly articulated and structured information security policy. This basis, Executive Order 12356, National Security Information, sets forth requirements for the classification, declassification and safeguarding of "national security information" per se. [ 18]
Within the Department of Defense, these broad requirements are implemented and further specified primarily through two vehicles: 1) DoD Regulation 5200.1-R [ 10], which applies to all components of the DoD as such, and 2) DoD 5220.22-M, Industrial Security Manual for Safeguarding Classified Information [ 14] , which applies to contractors included within the Defense Industrial Security Program. Note that the latter transcends DoD as such, since it applies not only to any contractors handling classified information for any DoD component, but also to the contractors of eighteen other Federal organizations for whom the Secretary of Defense is authorized to act in rendering industrial security services. (See footnote (*) below.)
For ADP systems, these information security requirements are further amplified and specified in: 1) DoD Directive 5200.28 [ 11] and DoD Manual 5200.28-M [ 12], for DoD components; and 2) Section XIII of DoD 5220.22-M [ 14] for contractors. DoD Directive 5200.28, Security Requirements for Automatic Data Processing (ADP) Systems, stipulates: "Classified material contained in an ADP system shall be safeguarded by the continuous employment of protective features in the system's hardware and software design and configuration . . . ." [ 11, sec. IV] Furthermore, it is required that ADP systems that "process, store, or use classified data and produce classified information will, with reasonable dependability, prevent:
a. Deliberate or inadvertent access to classified material by unauthorized persons, and
b. Unauthorized manipulation of the computer and its associated peripheral devices." [ 11, sec. I B.3]
Requirements equivalent to these appear within DoD 5200.28-M [ 12] and in DoD 5220.22-M [ 14].
DoD Directive 5200.28 provides the security requirements for ADP systems. For some types of information, such as Sensitive Compartmented Information (SCI), DoD Directive 5200.28 states that other minimum security requirements also apply. These minima are found in DCID 1/16 (new reference number 5) which is implemented in DIAM 50-4 (new reference number 6) for DoD and DoD contractor ADP systems.
From requirements imposed by these regulations, directives and circulars, the three components of the Security Policy Control Objective, i.e., Mandatory and Discretionary Security and Marking, as well as the Accountability and Assurance Control Objectives, can be functionally defined for DoD applications. The following discussion provides further specificity in Policy for these Control Objectives.
(*) i.e., NASA, Commerce Department, GSA, State Department, Small Business Administration, National Science Foundation, Treasury Department, Transportation Department, Interior Department, Agriculture Department, U.S. Information Agency, Labor Department, Environmental Protection Agency, Justice Department, U.S. Arms Control and Disarmament Agency, Federal Emergency Management Agency, Federal Reserve System, and U.S. General Accounting Office.
The control objective for marking is: Systems that are designed to enforce a mandatory security policy must store and preserve the integrity of classification or other sensitivity labels for all information. Labels exported from the system must be accurate representations of the corresponding internal sensitivity labels being exported.
DoD 5220.22-M, Industrial Security Manual for Safeguarding Classified Information, explains in paragraph 11 the reasons for marking information: [ 14]
"a. General. Classification designation by physical
marking, notation or other means serves to warn and to
inform the holder what degree of protection against
unauthorized disclosure is required for that information
or material."
Marking requirements are given in a number of policy statements.
Executive Order 12356 (Sections 1.5.a and 1.5.a.1) requires that classification markings "shall be shown on the face of all classified documents, or clearly associated with other forms of classified information in a manner appropriate to the medium involved." [ 18]
DoD Regulation 5200.1-R (Section 1-500) requires that: ". . . information or material that requires protection against unauthorized disclosure in the interest of national security shall be classified in one of three designations, namely: 'Top Secret,' 'Secret' or 'Confidential.'" [ 10] (By extension, for use in computer processing, the unofficial designation "Unclassified" is used to indicate information that does not fall under one of the other three designations of classified information.)
DoD Regulation 5200.1-R (Section 4-304b) requires that: "ADP systems and word processing systems employing such media shall provide for internal classification marking to assure that classified information contained therein that is reproduced or generated, will bear applicable classification and associated markings." (This regulation provides for the exemption of certain existing systems where "internal classification and applicable associated markings cannot be implemented without extensive system modifications." [ 10] However, it is clear that future DoD ADP systems must be able to provide applicable and accurate labels for classified and other sensitive information.)
DoD Manual 5200.28-M (Section IV, 4-305d) requires the following: "Security Labels - All classified material accessible by or within the ADP system shall be identified as to its security classification and access or dissemination limitations, and all output of the ADP system shall be appropriately marked." [ 12]
The control objective for mandatory security is: Security policies defined for systems that are used to process classified or other specifically categorized sensitive information must include provisions for the enforcement of mandatory access control rules. That is, they must include a set of rules for controlling access based directly on a comparison of the individual's clearance or authorization for the information and the classification or sensitivity designation of the information being sought, and indirectly on considerations of physical and other environmental factors of control. The mandatory access control rules must accurately reflect the laws, regulations, and general policies from which they are derived.
There are a number of policy statements that are related to mandatory security.
Executive Order 12356 (Section 4.1.a) states that "a person is eligible for access to classified information provided that a determination of trustworthiness has been made by agency heads or designated officials and provided that such access is essential to the accomplishment of lawful and authorized Government purposes." [ 18]
DoD Regulation 5200.1-R (Chapter I, Section 3) defines a Special Access Program as "any program imposing 'need-to-know' or access controls beyond those normally provided for access to Confidential, Secret, or Top Secret information. Such a program includes, but is not limited to, special clearance, adjudication, or investigative requirements, special designation of officials authorized to determine 'need-to-know', or special lists of persons determined to have a 'need-to-know.'" [ 10, para. 1-328] This passage distinguishes between a 'discretionary' determination of need-to-know and formal need-to-know which is implemented through Special Access Programs. DoD Regulation 5200.1-R, paragraph 7-100 describes general requirements for trustworthiness (clearance) and need-to-know, and states that the individual with possession, knowledge or control of classified information has final responsibility for determining if conditions for access have been met. This regulation further stipulates that "no one has a right to have access to classified information solely by virtue of rank or position." [ 10, para. 7-100]
DoD Manual 5200.28-M (Section II 2-100) states that, "Personnel who develop, test (debug), maintain, or use programs which are classified or which will be used to access or develop classified material shall have a personnel security clearance and an access authorization (need-to-know), as appropriate for the highest classified and most restrictive category of classified material which they will access under system constraints." [ 12]
DoD 5220.22-M (Paragraph 3a) defines access as "the ability and opportunity to obtain knowledge of classified information. An individual, in fact, may have access to classified information by being in a place where such information is kept, if the security measures which are in force do not prevent him from gaining knowledge of the classified information." [ 14]
The above mentioned Executive Order, Manual, Directives and Regulations clearly imply that a trusted computer system must assure that the classification labels associated with sensitive data cannot be arbitrarily changed, since this could permit individuals who lack the appropriate clearance to access classified information. Also implied is the requirement that a trusted computer system must control the flow of information so that data from a higher classification cannot be placed in a storage object of lower classification unless its "downgrading" has been authorized.
The term discretionary security refers to a computer system's ability to control information on an individual basis. It stems from the fact that even though an individual has all the formal clearances for access to specific classified information, each individual's access to information must be based on a demonstrated need-to-know. Because of this, it must be made clear that this requirement is not discretionary in a "take it or leave it" sense. The directives and regulations are explicit in stating that the need-to-know test must be satisfied before access can be granted to the classified information. The control objective for discretionary security is: Security policies defined for systems that are used to process classified or other sensitive information must include provisions for the enforcement of discretionary access control rules. That is, they must include a consistent set of rules for controlling and limiting access based on identified individuals who have been determined to have a need-to-know for the information.
DoD Regulation 5200.1-R (Paragraph 7-100), in addition to the excerpts already provided that touch on need-to-know, stresses the need-to-know principle when it states "no person may have access to classified information unless . . . access is necessary for the performance of official duties." [ 10]
DoD 5220.22-M (Section III 20.a) states that "an individual shall be permitted to have access to classified information only . . . when the contractor determines that access is necessary in the performance of tasks or services essential to the fulfillment of a contract or program, i.e., the individual has a need-to-know." [ 14]
The control objective for accountability is: "Systems that are used to process or handle classified or other sensitive information must assure individual accountability whenever either a mandatory or discretionary security policy is invoked. Furthermore, to assure accountability the capability must exist for an authorized and competent agent to access and evaluate accountability information by a secure means, within a reasonable amount of time, and without undue difficulty."
This control objective is supported by the following citations:
DoD Directive 5200.28 (Section VI.A.1) states: "Each user's identity shall be positively established, and his access to the system, and his activity in the system (including material accessed and actions taken) controlled and open to scrutiny." [ 11]
DoD Manual 5200.28-M (Paragraph 5-100) states: "An audit log or file (manual, machine, or a combination of both) shall be maintained as a history of the use of the ADP System to permit a regular security review of system activity. (e.g., The log should record security related transactions, including each access to a classified file and the nature of the access, e.g., logins, production of accountable classified outputs, and creation of new classified files. Each classified file successfully accessed (regardless of the number of individual references) during each 'job' or 'interactive session' should also be recorded in the audit log. Much of the material in this log may also be required to assure that the system preserves information entrusted to it.)" [ 12]
DoD Manual 5200.28-M (Paragraph IV 4-305f) states: "Where needed to assure control of access and individual accountability, each user or specific group of users shall be identified to the ADP System by appropriate administrative or hardware/software measures. Such identification measures must be in sufficient detail to enable the ADP System to provide the user only that material which he is authorized." [ 12]
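The marking, mandatory, discretionary and accountability requirements quoted above, combined into a toy reference monitor as an added example (not code from the criteria or from any of the cited directives); the level ordering, the sample users, objects, need-to-know lists and the audit record layout are this example's own assumptions:

```python
"""Toy reference monitor for the control objectives quoted above.
Constructed example: the level ordering, the sample users, objects and the
audit record format are this example's own assumptions, not any directive's."""
from dataclasses import dataclass, field

# The three designations of DoD 5200.1-R (Section 1-500) plus the unofficial
# "Unclassified" used in computer processing, ordered from lowest to highest.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = field(default_factory=frozenset)  # SAP compartments

    def dominates(self, other):
        """Mandatory rule: at least as high a level and a superset of categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


@dataclass
class Obj:
    name: str
    label: Label             # internal sensitivity label, never changed by users
    need_to_know: frozenset  # discretionary list of identified individuals


audit_log = []  # history of use: one record per access attempt, granted or not


def check_access(user, clearance, obj, mode):
    """Mandatory check, then need-to-know check; every decision is audited."""
    if mode == "read":
        mandatory_ok = clearance.dominates(obj.label)  # clearance vs. classification
    elif mode == "write":
        mandatory_ok = obj.label.dominates(clearance)  # no "downgrading" by write-down
    else:
        raise ValueError(f"unknown access mode: {mode}")
    granted = mandatory_ok and user in obj.need_to_know
    audit_log.append({"user": user, "object": obj.name, "mode": mode,
                      "label": marking(obj), "granted": granted})
    return granted


def marking(obj):
    """Exported label that accurately reflects the internal one (constructed format)."""
    cats = "/".join(sorted(obj.label.categories))
    return obj.label.level + ("/" + cats if cats else "")


def denied_attempts():
    """What a regular security review of the audit log would start from."""
    return [r for r in audit_log if not r["granted"]]


# Constructed sample data: clearances, objects and need-to-know lists.
alice = Label("Top Secret", frozenset({"PROGRAM-X"}))
bob = Label("Secret")
carol = Label("Confidential")
secret_plan = Obj("plan.txt", Label("Secret"), frozenset({"alice", "bob"}))
sap_report = Obj("sap.txt", Label("Secret", frozenset({"PROGRAM-X"})), frozenset({"alice"}))
notes = Obj("notes.txt", Label("Unclassified"), frozenset({"alice", "bob", "carol"}))


def demo():
    return {
        "bob reads plan": check_access("bob", bob, secret_plan, "read"),           # True
        "carol reads plan": check_access("carol", carol, secret_plan, "read"),     # False: clearance too low
        "bob reads sap": check_access("bob", bob, sap_report, "read"),             # False: lacks the SAP category
        "dave reads plan": check_access("dave", Label("Secret"), secret_plan, "read"),  # False: cleared, no need-to-know
        "alice writes notes": check_access("alice", alice, notes, "write"),        # False: would write TS data down
        "bob writes plan": check_access("bob", bob, secret_plan, "write"),         # True: same level, has need-to-know
    }
```

The "dave" case shows the point made in paragraph 7-100 above: a clearance alone never grants access, the discretionary need-to-know test must also pass, and every attempt, granted or denied, leaves an audit record.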
DoD Manual 5200.28-M (Section I 1-102b) states: [ 12]
Component's Designated Approving Authorities, or their designees
for this purpose . . . will assure:
. . . . . . . . . . . . . . . . .
(4) Maintenance of documentation on operating systems (O/S)
and all modifications thereto, and its retention for a
sufficient period of time to enable tracing of security-
related defects to their point of origin or inclusion in the
system.
. . . . . . . . . . . . . . . . .
(6) Establishment of procedures to discover, recover,
handle, and dispose of classified material improperly
disclosed through system malfunction or personnel action.
(7) Proper disposition and correction of security
deficiencies in all approved ADP Systems, and the effective
use and disposition of system housekeeping or audit records,
records of security violations or security-related system
malfunctions, and records of tests of the security features
of an ADP System."
DoD 5220.22-M (Paragraph 111) on Audit Trails states:
"a. The general security requirement for any ADP system audit trail is that it provide a documented history of the use of the system. An approved audit trail will permit review of classified system activity and will provide a detailed activity record to facilitate reconstruction of events to determine the magnitude of compromise (if any) should a security malfunction occur. To fulfill this basic requirement, audit trail systems, manual, automated or a combination of both must document significant events occurring in the following areas of concern: (i) preparation of input data and dissemination of output data (i.e., reportable interactivity between users and system support personnel), (ii) activity involved within an ADP environment (e.g., ADP support personnel modification of security and related controls), and (iii) internal machine activity.
b. The audit trail for an ADP system approved to process classified information must be based on the above three areas and may be stylized to the particular system. All systems approved for classified processing should contain most if not all of the audit trail records listed below. The contractor's SPP documentation must identify and describe those applicable:
c. The ADP system security supervisor or designee shall review the audit trail logs at least weekly to assure that all pertinent activity is properly recorded and that appropriate action has been taken to correct any anomaly. The majority of ADP systems in use today can develop audit trail systems in accord with the above; however, special systems such as weapons, communications, communications security, and tactical data exchange and display systems, may not be able to comply with all aspects of the above and may require individualized consideration by the cognizant security office.
d. Audit trail records shall be retained for a period of one inspection cycle." [ 14]
The control objective for assurance is: "Systems that are used to process or handle classified or other sensitive information must be designed to guarantee correct and accurate interpretation of the security policy and must not distort the intent of that policy. Assurance must be provided that correct implementation and operation of the policy exists throughout the system's life-cycle."
A basis for this objective can be found in the following sections of DoD Directive 5200.28:
(IV.B.1) stipulates: "Generally, security of an ADP system is most effective and economical if the system is designed originally to provide it. Each Department of Defense Component undertaking design of an ADP system which is expected to process, store, use, or produce classified material shall: From the beginning of the design process, consider the security policies, concepts, and measures prescribed in this Directive." [ 11]
(IV.C.5.a) states: "Provision may be made to permit adjustment of ADP system area controls to the level of protection required for the classification category and type(s) of material actually being handled by the system, provided change procedures are developed and implemented which will prevent both the unauthorized access to classified material handled by the system and the unauthorized manipulation of the system and its components. Particular attention shall be given to the continuous protection of automated system security measures, techniques and procedures when the personnel security clearance level of users having access to the system changes." [ 11]
(VI.A.2) states: "Environmental Control. The ADP System shall be externally protected to minimize the likelihood of unauthorized access to system entry points, access to classified information in the system, or damage to the system." [ 11]
DoD Manual 5200.28-M (Section I 1-102b) states [ 12]:
Component's Designated Approving Authorities, or their
designees for this purpose . . . will assure:
. . . . . . . . . . . . .
(5) Supervision, monitoring, and testing, as
appropriate, of changes in an approved ADP System
which could affect the security features of the
system, so that a secure system is maintained.
. . . . . . . . . . . . .
(7) Proper disposition and correction of security
deficiencies in all approved ADP Systems, and the
effective use and disposition of system housekeeping
or audit records, records of security violations or
security-related system malfunctions, and records of
tests of the security features of an ADP System.
(8) Conduct of competent system ST&E, timely
review of system ST&E reports, and correction of
deficiencies needed to support conditional or final
approval or disapproval of an ADP System for the
processing of classified information.
(9) Establishment, where appropriate, of a
central ST&E coordination point for the
maintenance of records of selected techniques,
procedures, standards, and tests used in the testing
and evaluation of security features of ADP Systems
which may be suitable for validation and use by other
Department of Defense Components.
DoD 5220.22-M (Section XIII 103a) requires: "the initial approval, in writing, of the cognizant security office prior to processing any classified information in an ADP system. This section requires reapproval by the cognizant security office for major system modifications made subsequent to initial approval. Reapprovals will be required because of (i) major changes in personnel access requirements, (ii) relocation or structural modification of the central computer facility, (iii) additions, deletions or changes to main frame, storage or input/output devices, (iv) system software changes impacting security protection features, (v) any change in clearance, declassification, audit trail or hardware/software maintenance procedures, and (vi) other system changes as determined by the cognizant security office." [ 14]
A major component of assurance, life-cycle assurance, as described in DoD Directive 7920.1, is concerned with testing ADP systems both in the development phase as well as during operation [ 17]. DoD Directive 5215.1 (Section F.2.C.(2)) requires "evaluations of selected industry and government-developed trusted computer systems against these criteria." [ 13]