You are on page 1of 20

Headquarters USAAC Regulation 25-2

United States Army Accessions Command


90 Ingalls Road
Effective 30 April 2005
Fort Monroe, Virginia 23651-1065
8 April 2005

Information Management: Management of Subdisciplines

Information Assurance
For the Commander: States Army Accessions Command and its sub- are consistent with controlling law and regula-
ordinates automated information systems, to in- tion. Proponent may delegate the approval au-
ROBERT P. LENNOX clude contractors who operate Government- thority, in writing, to a division chief within the
Brigadier General, US Army owned or contractor-owned automated infor- proponent agency in the grade of GS-14.
Deputy Commanding General/Chief of Staff mation systems that process or store Acces-
sions Command information. Contractors who Army management control process. This
Official: process sensitive but unclassified information regulation contains management control provi-
on contractor-owned automated information sions in accordance with AR 11-2 but does not
ROGER H. BALABAN systems are governed by this regulation and identify key management controls that must be
Chief Information Officer the requirements in AR 25-2 if they connect to evaluated.
an Accessions Command automated informa-
History. This UPDATE publishes a new USAAC tion system and/or network system. All of the Supplementation. Supplementation of this
Reg 25-2, which is effective 30 April 2005. above must comply with all Department of De- regulation is prohibited.
fense and Department of the Army regulations
Summary. This regulation provides procedural, and Accessions Command requirements for ac- Suggested improvements. Users are in-
technical, administrative, and supplemental guid- cessing or utilizing Accessions Command au- vited to send comments and suggested im-
ance for all information systems, whether busi- tomated information systems. During mobiliza- provements on DA Form 2028 (Recommended
ness or tactical, used in the automatic acquisi- tion, deployment, or national emergency, this Changes to Publications and Blank Forms) di-
tion, storage, manipulation, management, move- regulation remains in effect without change. rectly to HQ USAAC, ATTN: ATAL-IS, 1307 3rd
ment, control, display, switching, interchange, Avenue, Fort Knox, KY 40121-2725.
transmission, or receipt of data. Proponent and exception authority. The
proponent of this regulation is the Chief Infor- Distribution. This regulation is available in elec-
Applicability. This regulation applies to any mation Officer. The proponent has the author- tronic media only and is available on the USAAC
agency and all personnel accessing the United ity to approve exceptions to this regulation that Homepage at http://www.usaac.army.mil.

Contents (Listed by paragraph number) Five phases of C&A • 5-2 ships.


Certification levels of effort • 5-3
Chapter 1 INFOSEC certification assistance • 5-4 1-2. References
Introduction For required and related publications and pre-
Purpose • 1-1 Chapter 6 scribed form see appendix A.
References • 1-2 Roles and Responsibilities
Explanation of abbreviations and terms • 1-3 Organizational responsibilities • 6-1 1-3. Explanation of abbreviations and
IA Program • 1-4 Individual responsibilities • 6-2 terms
Abbreviations and special terms used in this
Chapter 2 Appendix A. References regulation are explained in the glossary.
Policy
Properties of IA • 2-1 Glossary 1-4. IA Program
Information sensitivity categories • 2-2 a. The USAAC IA Program is designed to
Mission critical system categories • 2-3 Chapter 1 comply with the National, Department of De-
IA requirements • 2-4 Introduction fense (DOD), and Department of the Army (DA)
IA policies. These policies stipulate that secu-
Chapter 3 1-1. Purpose rity must be considered throughout the life cycle
Risk Management Approach This regulation introduces and summarizes the of ISs. Requirements derived from these poli-
General • 3-1 United States Army Accessions Command’s cies guide the development of products, tech-
Identification of assets • 3-2 (USAAC’s) approach to information assurance niques, and capabilities to satisfy USAAC IA
Threat assessment • 3-3 (IA). It applies to information systems (ISs) objectives and to promote the implementation of
Vulnerability assessment • 3-4 processing unclassified, sensitive but unclassi- innovative ISs technology. The USAAC IA Pro-
Measurement of risk • 3-5
fied (SBU), and classified information. By using gram has the following objectives:
this information, system planners and organi- (1) Employ efficient procedures and cost-
Chapter 4
zational managers (e.g., designated approving effective, information-based security features
Countermeasures to Risk
authority (DAA), information assurance program on all information technology (IT) resources pro-
General • 4-1
IA disciplines • 4-2 manager (IAPM), information assurance net- cured, developed, operated, maintained, or
Risk mitigation activities • 4-3 work manager (IANM), information assurance managed by USAAC organizational elements to
network officer, information assurance manag- protect the information on those resources.
Chapter 5 ers (IAMs), information assurance security of- (2) Protect the confidentiality, integrity, avail-
Certification and Accreditation Require- ficers (IASOs), system administrators (SAs), ability, authenticity, and nonrepudiation of infor-
ments and end users will have a common understand- mation and resources to the degree commen-
General • 5-1 ing of IA principles, concepts, and interrelation- surate with their value, as determined by the

UPDATE • USAAC Reg 25-2 1


required level of IA, classification or sensitivity Policy word file should be hidden from general users.
level, and the consequences of their exploita- Confidentiality is typically implemented using
tion or loss for a period required by the mission 2-1. Properties of IA several types of protection, including cryptog-
supported. a. Information and ISs must be properly man- raphy and access controls.
(3) Conduct an assessment of threats, iden- aged and protected as required by law, regula- e. Integrity.
tify the appropriate combination of safeguards tion, or directive. IA is a composite of the prop- (1) Integrity is the quality of an IS reflecting
from the IA disciplines, and apply an appropri- erties addressed in this chapter and the ser- the logical correctness and reliability of the op-
ate Department of Defense Information Tech- vices derived from them. When these proper- erating system, the logical completeness of the
nology Security Certification and Accreditation ties are associated with other criteria, specific hardware and software implementing the pro-
Process (DITSCAP) for each specific IS devel- information security services (or functions) are tection mechanisms.
oped by a program office and for each local site provided. For example, ensuring the integrity of (2) Integrity supports the assurance that in-
employing networks and deployed ISs. the information, which distinguishes one user formation collected, processed, stored, trans-
(4) Adopt a risk-based life cycle manage- from another, provides identification. Protec- ferred, displayed, and/or disseminated within a
ment approach in applying basic minimum uni- tion shall be achieved through the cost-effec- system will not be accidentally or maliciously
form standards for the protection of USAAC IT tive, risk-balanced use of the IA disciplines, manipulated, altered, and/or corrupted, usually
resources that produce, process, store, or based on the level of IA required. Facilitating via an access control mechanism.
transmit information. the management and protection of resources (3) Integrity functionality supports the ability
(5) Establish standardized IA training within requires the appropriate implementation of se- to detect information that has been altered, ei-
USAAC. curity measures to ensure adequate system ther unintentionally or maliciously. Integrity has
b. DA policy is that all information and ISs protection to support the IA properties identified traditionally focused in two areas, data integrity
shall be protected by the continuous employ- in this section. and system integrity.
ment of appropriate safeguards. This means b. All USAAC information and resources shall (a) Data integrity is the condition existing
that all USAAC ISs must provide some combi- be appropriately safeguarded at all times to sup- when data is unchanged from its source and
nation of confidentiality, integrity, availability, port its missions. Safeguards shall be applied has not been accidentally or maliciously modi-
authenticity, and nonrepudiation protection such that information and resources maintain fied, altered, or destroyed.
mechanisms or procedures. Therefore, ISs the appropriate level of confidentiality, integrity, (b) System integrity is the quality of an IS
must employ features to ensure that only au- availability, authenticity, and nonrepudiation when it performs its intended function in an un-
thorized users who require access may ac- based upon mission criticality, level of required impaired manner, free from deliberate or inad-
cess the information and/or resources when IA, and classification or sensitivity level of infor- vertent unauthorized manipulation of the sys-
required. mation entered, processed, stored, and/or trans- tem.
c. Army ISs process, store, and transfer large mitted. The safeguarding of information and ISs (c) Software integrity security functions may
quantities of information critical to its warfighting shall be accomplished through the employment also be used to protect software from undetec-
and support missions. Internetworking of of defensive layers that include the IA disci- ted and unauthorized modification, manipulation,
ISs has expanded rapidly in the last decade plines. and/or destruction. As with data, the software
and has resulted in newly integrated distributed c. To ensure its safeguards and systems may also have check sums or other integrity
networks with multiple worldwide uses. The compliance with all DOD and DA regulations the validation methods instituted to verify its integ-
information flow among these systems will con- following actions are required for contractors rity.
tinue to expand rapidly as systems are further operating, accessing, or utilizing automated in- f. Availability. Availability supports the as-
integrated under the Global Command and Con- formation systems (AISs) connected to a USAAC surance of timely, reliable access to data and
trol System architecture and connected via the AIS and/or network system. ISs for authorized users, and precludes denial
National Information Infrastructure and the De- (1) USAAC shall provide AISs and services of service or access. Accessibility and reliabil-
fense Information Infrastructure (DII) back- and/or IT necessary to perform the contract. ity of the system contribute to availability and
bones. (2) All statements of work (SOWs) shall provide assurance of continuity of operations.
d. The expected outcome of these IS ad- stipulate that USAAC provide the required AISs Availability-focused countermeasures protect
vances is universal access to any information and services for performance of the contract. against malicious logic and code, degraded ca-
as permitted by security access controls. These (3) All SOWs shall stipulate that contractors pabilities, and denial of service conditions.
advances in IS capabilities and information flow who operate Government-owned or contrac-
have also increased the vulnerability of DOD tor-owned AISs that process or store Army in- 2-2. Information sensitivity categories
ISs to exploitation by both accidental exposure formation on contractor-owned AISs are gov- a. Information is categorized by its sensitiv-
and malicious threat agents. erned by and must comply with DOD, DA, and ity to unauthorized disclosure, based on the ef-
e. The IA challenge, to protect information in USAAC IA regulations and requirements (to spe- fect on national security interests or other pub-
this new environment, has required a reorienta- cifically include personnel background surety lic interest concerns. To aid in the understand-
tion from stand-alone security approaches. The investigations). ing of its need for protection this regulation will
traditional, stand-alone, component-oriented (4) Should other requirements prohibit or only define two categories of sensitivity, classi-
approaches are being replaced with a fully inte- make it impractical for USAAC to provide re- fied and SBU. All USAAC ISs, regardless of
grated system security approach (i.e., a lay- quirements, as above, the SOW shall stipulate classification or sensitivity, shall implement ap-
ered defense strategy) that combines all IA dis- that the contractor must comply with all DOD propriate security mechanisms and procedures
ciplines, as well as user awareness and knowl- and DA regulations and USAAC requirements to ensure IA.
edge to handle information and operate ISs in a for accessing or utilizing Government AISs (to b. Classified. Classified to the appropriate
manner which supports IA. The focus of the specifically include personnel background surety level to protect against unauthorized disclosure
Army IA Program is to provide sufficient secu- investigations and system accreditations). in the interests of national security, depending
rity to reduce the risk to IS assets to acceptable d. Confidentiality. Confidentiality is assurance on the degree of damage to national security
levels. Therefore, the USAAC goal is to employ that information is not disclosed to unauthorized that the unauthorized disclosure would cause.
the necessary safeguards to reduce and main- persons, processes, or devices. It is not limited Levels of classification are Unclassified, Confi-
tain the risk to its IS assets to acceptable levels. to the protection of sensitive user information, dential, Secret, and Top Secret.
but includes protection of security-relevant sys- c. SBU information. Sensitive information is
Chapter 2 tem information. For example, a system’s pass- any information which the loss, misuse, unau-

2 UPDATE • USAAC Reg 25-2


thorized access to, or modification of could ad- vulnerability, and system interconnectivity. mable read-only memory.
versely affect the national interest, the conduct (3) Transfer. Information in the transmis-
of Federal programs, or the privacy of DOD Chapter 3 sion state is being sent from one component to
personnel, but that has not been specifically Risk Management Approach another. These components could be proces-
authorized to be kept classified. Unclassified sors, networks, or auxiliary devices such as
national security information, Privacy Act data, 3-1. General transducers, printers, and storage devices.
personal information (such as medical records, a. Protection of IT resources requires a bal- c. The goal of the USAAC IA Program to pro-
fitness reports, and performance evaluations), anced, risk-based approach, managing the re- tect information applies regardless of its state.
proprietary data, source selection data, and op- quirements of the system or resources with a d. Hardware. To protect the information that
erational or mission information is considered cost-effective application of technical and non- is collected, processed, stored, transferred, dis-
sensitive information. technical security disciplines and technologies played, and/or disseminated by an IS, it is nec-
to identify, measure, control, and minimize se- essary to protect the hardware performing these
2-3. Mission critical system categories curity risks to a level commensurate with the functions. If unauthorized persons are able to
a. Assessing the security requirements of value of the assets protected. gain access to the hardware, such as the cen-
any IS for IA properties requires a determina- b. Formal risk assessments for USAAC ISs tral processing unit or disk drives (internal or
tion of the criticality of the system to the and resources may be tailored, at the direction floppy disks), they could make unauthorized
organization’s mission, particularly the of the DAA, to the criticality and level of the IA changes that might cause the hardware to:
warfighter’s combat mission. Two categories threat. The Army IA Program is a fully inte- (1) Allow unauthorized disclosure of the in-
of criticality are defined, although an IS may grated system security approach that helps re- formation by writing the information to another
have components that fit in both categories. duce security risk in ISs. The integrated IA file that could later be retrieved.
b. Administrative. Systems handling infor- approach includes: (2) Allow unauthorized modification of the in-
mation that is necessary for the conduct of the (1) Identification of all resources that sup- formation that would send incorrect information
day-to-day business, but does not materially port a system’s ability to collect, process, store, to a recipient.
affect support to the USAAC mission to, “field transmit, display, and/or disseminate informa- (3) Create a denial-of-service situation that
the force - from first handshake to first unit as- tion. would prevent authorized users from gaining
signed.” (2) The identification of threats that may ex- access to the information required to perform
c. Mission support. Systems handling infor- ploit a system security weakness or threat that their duties.
mation that is important to the support of the make a system vulnerable, need to assessed e. Software. A system’s software (including
USAAC mission to, “field the force - from first to determine how IA can reduce risks to USAAC firmware) must be protected to ensure the in-
handshake to first unit assigned.” Information information and resources. tegrity of the designed security mechanisms
determined to be vital to mission effectiveness (3) Measurement of risk, a combination of and the information being collected, processed,
in terms of content and timeliness. (Information the likelihood and the cost associated with ex- stored, transferred, disseminated, and/or dis-
must be accurate, but can sustain minimal de- ploitation. The likelihood of exploitation increases played. Software needs to be protected during
lay without seriously affecting mission effective- as the motivation, knowledge, skills, and abili- development, while it is being distributed to the
ness.) Mission support may include systems in ties of a potential threat agent increase. The system, and during operational:
direct support of systems that, if not functional, cost of exploitation increases based on the as- (1) Development. Ensure that unintentional
would preclude USAAC from conducting the full sessed value of the information, impact on mis- errors or malicious software are not introduced
spectrum of its missions. sion, and the loss of resources or access to during software development and ensure ad-
data systems associated with unauthorized dis- equate protective features are engineered into
2-4. IA requirements closure, destruction, or modification of data. the design to protect system software and data
a. The types of IA protective measures, tech- during product operations.
niques, and procedures needed for a system 3-2. Identification of assets (2) Distribution. Ensure that software sent
shall be determined based on both information a. Achieving IA Program objectives requires from a facility, agency, or manufacturer to
sensitivity and mission criticality. In general, identification of system resources and their vul- USAAC or from USAAC to any of its systems
higher levels of assurance are required for nerabilities to specific threats. In reviewing a arrives at the system unchanged.
higher levels of system criticality and informa- system’s IA posture, information, hardware, soft- (3) Operational use. Ensure that uninten-
tion sensitivity. The specific combination of ware, communications, and personnel docu- tional errors or malicious software are not intro-
measures to reduce risk shall be based on the mentation resources should be considered. duced into the system.
analysis of threats and vulnerabilities, including These resources provide the capabilities for a (4) Software that needs to be protected in-
system interconnectivity, and specific assur- system to collect, process, store, transfer, dis- cludes operating systems, system utilities, and
ance needs as determined by the appropriate play, and disseminate information. Each re- application programs. Essentially, any software
DAA, who will apply the principles of risk man- source should be considered in relation to the that has the ability to access the information
agement. This requires a systematic process system’s operation mission and threats. must be protected to ensure that it performs
that identifies assets, threats, vulnerabilities, and b. Information. The value of information to only authorized actions on the information. Any
risks to the system and selects risk mitigation direct and indirect users is measured by its im- unauthorized changes to the software could
approaches and countermeasures appropriate pact and/or use in terms of life, safety, mission, have the same results as those caused by
to the level of criticality and sensitivity of the money, etc. The application of IA, based upon changes to the hardware described in d above.
system. its value, ensures that information is protected f. Communications. For an IS to be of value,
b. The purpose of the certification and ac- from unauthorized disclosure or modification and users need to be able to communicate with the
creditation (C&A) process is to determine is available when needed. Information in a sys- system and transfer information to other users
whether the safeguards selected and imple- tem exists in one of three states: and other systems. The communication path
mented for an IS are adequate to protect the (1) Processing. Information in the process- itself must prevent unauthorized access to the
information and the system. This process fol- ing state is being manipulated by the IS. protected information and resources. The
lows the guidance provided in DODI 5200.40. (2) Storage. Information in the storage state user’s workstation may connect directly to a
DITSCAP activities are tailored to the specific is being maintained by the IS on storage de- system through a modem or via a network (ei-
requirements of the DAA and the consider- vices such as a register, memory, disk, tape, ther local area network or wide area network
ations of mission criticality, sensitivity, risks, threats, compact disk-read only memory, or program- (WAN)). Regardless of the specific mecha-

UPDATE • USAAC Reg 25-2 3


nism used to communicate with the IS, it is es- A threat agent can range from an individual to a adverse impact and assesses the severity of
sential that the user be assured that information nation state seeking to disclose, modify, and/or the adverse impact. Determining that the mea-
can be transmitted when required, with confi- deny information and/or resources. Recent sured risk for an IS is acceptable is the final
dentiality and data integrity ensured. trends in identifying threats have indicated the factor in determining if a system may be used
g. Personnel. Personnel are critical to the greatest threat to DOD ISs is from an autho- operationally. A risk determination is required
correct operation of ISs. System and security rized source (i.e., the insider). The motivation because it is nearly impossible to completely
administrators ensure that the system is con- of the threat agent can range from pure curios- correct all vulnerabilities associated with an IS.
figured and working properly and establish and ity (i.e., “Can I get away with this?”) to a nation c. The risk assessment will indicate what the
define ISs operational and security policy and state attempting to produce an unauthorized vulnerabilities are, determine the likelihood that
procedures. Supervisors and managers en- transfer of classified information and/or tech- threats will exploit a given vulnerability based on
sure that the user has the appropriate system nology. knowledge, technologies, resources, probabil-
access to perform his or her duties and to moni- c. In the measurement of risk, the USAAC IA ity of detection, and the payoff, and predict the
tor user compliance with operational and secu- Program is focused on those threats that result potential impact to the system if the vulnerability
rity policy and procedures. Users both receive from human agency, whether intentional or in- is exploited. Given all the factors in the risk
the system information and use the system to advertent. Unless availability is a highly critical equation and the cost of implementing counter-
perform their duties. User error, improper use, assurance property of the IS, protection against measures, a determination may be made that
and/or intentional misuse of the system by any normal service interruptions and preparation for the risk potential of a given vulnerability is not
of the personnel may result in disclosure, unau- natural disasters is the purview of continuity of worth the cost of correcting or implementing a
thorized modification, and/or denial of service operations planning and disaster recovery plan- countermeasure.
through degradation of the information or the ning.
system itself. All of the personnel working with Chapter 4
the system must be trained in system opera- 3-4. Vulnerability assessment Countermeasures to Risk
tions and be aware of general security threats a. NSTISSI 4009 defines vulnerability as a
to ensure effective and secure use of the sys- weakness in an IS, cryptographic system, or 4-1. General
tem and its information. All personnel working components (e.g., system security procedures, To mitigate the risks associated with operating
with the system must receive an initial IA secu- hardware design, and internal controls) that an IS and to ensure the confidentiality, integrity,
rity briefing, have the appropriate completed could be exploited. Vulnerabilities of an IS are availability, authenticity, and nonrepudiation of
background surety investigation, least privilege identified through demonstration, inspection, and/ the information and/or resources, IA counter-
access, job and mission requirement, and the or analysis. Demonstration, inspection, and measures and sound security engineering need
need to know to process, store, and/or transfer analysis activities occur throughout the life cycle to be implemented. The information below intro-
the information. of the IS. These activities begin early in the IS’s duces the IA disciplines and activities that can
h. Documentation. Documentation that de- development cycle through analysis of the sys- be used to implement appropriate countermea-
scribes the hardware and software of the IS is tem description documents to aid in the identifi- sures to the identified measurement of risk.
critical to its proper operation and maintenance. cation of appropriate countermeasures. Vul-
Documentation supporting the hardware and nerability assessment occurs throughout the 4-2. IA disciplines
software is necessary to: design and development. Vulnerability assess- a. Required levels of IA shall be achieved via
(1) Describe the system’s security features. ment also occurs during the operational life of a layered defense strategy, incorporating ap-
(2) Maintain the system in its current opera- the IS to determine the current security pos- propriate safeguards. Both technical and non-
tional state. ture. The weakness of an IS can be conve- technical security measures can assist in miti-
(3) Recreate the system if critical assets are niently categorized as either technical or non- gating risk, and as such, shall be integrated into
destroyed and an alternate measure must be technical in nature. a cohesive program with the objective of pro-
used. b. Technical vulnerability. Technical attacks tecting information and ISs. Appropriate coun-
(4) Describe the risk associated with oper- are those that can be perpetrated by circum- termeasures provided by these disciplines shall
ating the system and plan improvements to the venting or nullifying hardware and/or software be applied to each USAAC IS and site security
system, including security improvements, as protection mechanisms, rather than by subvert- policy, through an assessment of the capability,
technology permits. ing system personnel or other users. The weak- probability, and motivation of a threat agent and
ness in the hardware and/or software protec- the risk resulting from unauthorized disclosure,
3-3. Threat assessment tion mechanism is the technical vulnerability that alteration, or nonavailability of information or re-
a. NSTISSI 4009 defines threats as any cir- can be exploited by a threat. sources to the mission. Information entered,
cumstances or events with the potential to cause c. Nontechnical vulnerability. Nontechnical processed, stored, or transmitted shall not ex-
harm to an IS in the form of disclosure, adverse vulnerabilities are those weaknesses in policy, ceed the approved classification or sensitivity
modification of data, and/or denial of services. procedures, personnel, and physical security level for the system or network. Use of the IA
Threats are those circumstances with the po- that can be exploited to gain access to pro- disciplines shall be carefully managed, regu-
tential to disrupt a system’s confidentiality, in- tected information and/or resources. larly reviewed, and continuously monitored
tegrity, availability, authenticity, and/or throughout the life cycle of IT resources.
nonrepudiation properties. The following are 3-5. Measurement of risk b. Technology can be implemented in hard-
examples of prominent systemic threats: a. Risk is the probability that a particular threat ware or software components. A technical IA
(1) Browsing. will exploit a particular vulnerability of the IS. discipline could be as simple as a user identifi-
(2) Misuse. Risk probability is a measurement of the sys- cation and password used by the operating sys-
(3) Penetration. tem vulnerabilities and motivation to exploit the tem or as complex as a smart card used for
(4) System flaws. vulnerability. Motivation is based upon the threat identification and authentication of a user. Typi-
(5) Component failure. agent’s capabilities to exploit the vulnerability cally, technology measures are thought of as
(6) Tampering. through current knowledge, skills, or abilities, supporting information security (INFOSEC),
(7) Eavesdropping. likelihood of being detected, and the value of the (communications security (COMSEC) and com-
(8) Message stream modification. information and/or resource to be acquired. puter security (COMPUSEC)).
(9) Denial of telecommunications. b. Risk also includes an analysis of the like- c. Policy and procedures are vital IA mea-
b. A threat agent must initiate these threats. lihood that a threat occurrence will result in an sures. A strong, enforced security policy pro-

4 UPDATE • USAAC Reg 25-2


vides the basis for all system security. Like- and/or software solutions, shall be employed as their assigned duties. Initial IA awareness in-
wise, strong procedures that are followed, and appropriate. doctrination and annual IA security awareness
thorough security education, training, and aware- (3) Emanations security. updates shall be provided to all military, civilian,
ness complement the technical disciplines. Pro- (a) Electronic communications can produce and contractor personnel who access, man-
cedures and training help ensure that technol- unintentional, intelligence-bearing emanations age, or use USAAC IT resources in any system
ogy is used correctly. Procedures and training that, if intercepted and analyzed, may disclose life-cycle phase. In addition, all individuals as-
can also ensure that security mechanisms not information transmitted, received, handled, or signed, performing, or designated as INFOSEC
addressed by technology are addressed otherwise processed. professionals shall receive basic and system
through other measures. For example, proce- (b) Any USAAC requirements for TEMPEST specific training commensurate with assigned
dures may be in place to ensure that only au- countermeasures shall be employed in propor- duties and responsibilities and recurring, re-
thorized personnel have physical access to a tion to the threat of exploitation and the associ- fresher or follow-on training annually to maintain
workstation connected to an IS. Other proce- ated potential damage to national security, as their skills and proficiencies.
dural measures may include a requirement for recommended by a DA certified TEMPEST tech-
alphanumeric passwords of a minimum size and nical authority which provides specific objec- 4-3. Risk mitigation activities
frequent password changes. tives for reducing or eliminating unintentional a. IA encompasses more than INFOSEC,
d. Policy and procedure measures are not emanations. but INFOSEC is at the heart of protecting USAAC
likely to be effective if involved personnel do not (4) Personnel security. Personnel security information assets. INFOSEC includes active,
know they exist or how they are used. Training provides a level of assurance that an individual’s passive, and reactive measures to prevent,
and awareness measures must be in place so access to USAAC information and resources is deter, limit, and detect internal and external se-
that all IS users know the technology measures based on the person’s loyalty, reliability, and curity violations and reduce vulnerabilities. The
in place and the policies and procedures that trustworthiness, such that the person can be activities listed here include both procedural and
must be followed. Effective training and aware- entrusted to perform their duties. Based on technical safeguards; encompass multiple di-
ness measures will ensure that all personnel assigned duties and need to know, personnel mensions of IA disciplines listed above; and
associated with the use, maintenance, and op- accessing USAAC AIS shall undergo an appro- should be considered essential components of
eration of an IS are aware of the technical and priate background check as directed by AR 25- any INFOSEC posture.
procedural security measures that are in place 2. Individuals shall not be granted a clearance b. System security authorization agreement
to protect the information. System administra- for access to information classified higher than (SSAA). The approach to the C&A process is
tors need to be trained to configure the system needed to accomplish their assigned duties. documented in the SSAA, a formal agreement
and options correctly so that the information Access by non-US citizens, foreign nationals, between the DAA, Certification Authority (CA),
and system resources are provided the neces- or representatives of foreign entities shall be user or site representative, and program man-
sary protection. Users need to be trained in the governed and provided in accordance with AR ager (PM). Used throughout the C&A life-cycle
correct use of the security measures. 380-67. phases, the SSAA documents decisions, speci-
e. Additionally, an awareness program helps (5) Physical security. Physical security is fies IA requirements, documents required level
ensure that all personnel associated with the the action taken to protect USAAC IT resources of C&A, identifies possible solutions, and docu-
use, maintenance, and operation of an IS are (e.g., equipment, electronic media, and docu- ments operational system security. The SSAA
aware of the general threats that are applicable ments) from damage, loss, theft, or unautho- consolidates security-related documentation
to the system and the measures required to rized physical access. Commanders, direc- into one document and may be tailored as ap-
mitigate the threats. An awareness program tors, and/or supervisors and managers are re- propriate. An SSAA shall be developed for each
can be one method to ensure that all personnel sponsible for ensuring the physical security site or system being accredited.
who work with the IS understand INFOSEC posture is accurately assessed and security c. Policy, standards, and procedures.
policy and procedures. resources are appropriate to protect USAAC (1) As part of the C&A process, an informa-
f. An active training and awareness program information and resources. tion system security policy shall be developed
shall be incorporated at USAAC that includes all (6) Procedural security. Procedural secu- and maintained for each IS. The information
levels of system interaction (i.e., SAs, IA per- rity, including operations security measures, can system security policy shall identify the secu-
sonnel, IT users, etc.,) for its various IT sys- provide an alternative to technical security means rity requirements, objectives, and policies imple-
tems. when risk analysis indicates the use of proce- mented to safeguard the site or system in a
g. IA disciplines emcompass: dures does not increase the overall risk to a prescribed operational configuration.
(1) COMSEC. COMSEC provides protec- system or network. Procedural security pro- (2) Failure to implement sound security pro-
tion through measures designed to deny unau- vides the necessary actions, controls, pro- cedures during system design may compro-
thorized individuals information that might be de- cesses, and plans to ensure operation of a sys- mise the effectiveness of other security mecha-
rived from the possession and study of com- tem or network within an accredited security nisms, such as packet filtering routers and
munications. National Security Agency (NSA) posture, and is site and task dependent. Site firewalls. Although it may appear that appropri-
approved COMSEC products, techniques, and security procedures shall be developed to ate security features have been incorporated at
protected services shall be used, as required, supplement the security features of the hard- the individual system level, unanticipated vul-
to secure USAAC communications. Products ware, software, and firmware of IT resources, nerabilities may surface when operating with
validated by the National Institute of Standards to include such standardized processes as user other systems over shared communication links.
Technology or NSA shall protect sensitive in- access control, media labeling, and material The DAA must consider the inherent risk of op-
formation. Virtual private networking techniques, marking and handling. erating less secure systems inside a secure
incorporating commercial-off-the-shelf or Gov- (7) Security Education, Training, and Aware- enclave. To the extent possible, legacy sys-
ernment-off-the-shelf products are also avail- ness Program (SETAP). The goal of SETAP is tems shall employ system security standards
able, and shall be incorporated as appropriate. to develop fundamental habits of security such that support appropriate security protocols within
(2) COMPUSEC. COMPUSEC provides IA that proper discretion is ingrained in the secu- a secure enclave. Modifications to legacy sys-
through measures designed to obstruct delib- rity and conduct of duties for USAAC IT re- tems should prioritize incorporation of common
erate or inadvertent disclosure, modification, un- sources. Commanders, directors, and/or su- security procedures and products to improve
authorized use, loss of information, or denial of pervisors and managers shall ensure every in- their overall security postures. Those legacy
service to users. COMPUSEC technical mea- dividual under their cognizance receives the ap- systems with unsecured security implementa-
sures, applied via a combination of hardware propriate level of SETAP commensurate with tions should be placed outside the secure en-

UPDATE • USAAC Reg 25-2 5


clave or in a separate “safe” zone if they pose of unsecured solutions and the improper imple- (2) Incident reporting. USAAC shall promptly
significant security risks to other information mentation of secure solutions can introduce report incidents that threaten DOD information
resources protected within the enclave. vulnerabilities that require mitigation. and resources to the ACERT. This reporting
(3) Consistent, clearly documented operat- (2) Requirements for secret and below mul- requirement does not preclude commanders
ing procedures for both system configuration tilevel interoperability shall be validated in ac- from establishing parallel reporting requirements
and operational use are key to ensuring IA. cordance with Assistant Secretary of Defense within their assigned area of operations nor does
Procedures should define deployment of the Memo, Secret and Below Interoperability, and it alleviate or replace any additional reporting
system, system configuration, day-to-day op- acceptable solutions, employing approved prod- requirements established by the chain of com-
erations for both the SA and user, as well as ucts, shall be engineered. mand. The following types of incidents shall be
how to respond to real or perceived attempts to (3) All systems that share information be- reported:
violate system security. All USAAC ISs and tween different classification or security levels (a) Computer intrusions. Unauthorized ac-
networks shall include written standing operat- shall be specifically documented in the SSAA cess to data or to an IS.
ing procedures, which are routinely updated and and accredited by the appropriate DAA prior to (b) Attempted intrusions. Unauthorized, un-
tailored to reflect changes in the operational en- operation. successful attempts to access data or an AIS.
vironment. g. Contingency planning. Given the de- (c) Denial of service attacks. Actions which
d. Configuration management. pendencies of today’s operations on IT re- prevent any part of an AIS from functioning in
(1) Configuration management identifies, sources, all USAAC systems must be pre- accordance with its intended purpose, to include
controls, accounts for, and audits all changes pared for worst-case contingencies in the event any action which causes the unauthorized de-
made to a site or IS during its design, develop- of the nonavailability of ISs and resources or struction, modification, or delay of service.
ment, and operational life cycle. Proper con- denial of service conditions. System and net- (d) Malicious logic. Hardware, software, or
figuration management can substantially reduce work design should incorporate redundancy and firmware that is intentionally included in an IS for
and sometimes eliminate the need for costly data backup in accordance with the level of IA an unauthorized purpose, such as a virus or
complete reaccreditation. Appropriate levels of required. Contingency plans shall be developed Trojan horse.
configuration management shall be established and tested to prepare for emergency response, (e) Probes. Any unauthorized attempt to
to maintain the accredited security posture. Each backup operations, and post-disaster recov- gather information about an AIS or its users
change or modification to an IS or site configu- ery. At a minimum, contingency planning shall online.
ration shall assess the security impact of such address reconstitution for the loss of process- (3) ACERT advisories. ACERT issues peri-
a change against the security requirements and ing, storage, or transmitting of information. odic advisories summarizing and highlighting
the accreditation conditions issued by the DAA. h. Security incident procedures. In addition computer incidents. USAAC system, site, and
(2) Official business shall normally be con- to protective measures designed into ISs and IT PMs shall review all ACERT advisories and
ducted using Government-owned resources. architectures, sites should have a structured ensure appropriate action to implement IA pro-
Policies and procedures shall be established ability to audit, detect, isolate, and react to intru- tections against vulnerabilities reported in the
controlling the use of personal hardware and sions, service disruptions, and incidents that advisories.
software, to include the use of antivirus soft- threaten the security of USAAC operations. (4) COMSEC material incident response. In-
ware. Processing of classified information us- i. Consent to monitoring. All individuals at- cidents involving the compromise or the sus-
ing personally-owned hardware and software is tempting access to USAAC ISs shall be pro- pected compromise of COMSEC material or in-
specifically prohibited. USAAC personnel shall vided sufficient notice that use of official DOD cidents that warrant further investigation shall
not use personally-owned IT resources to con- ISs or networks constitutes consent to monitor- be reported in accordance with procedures es-
duct official business without specific, case by ing. Adequate warning shall be provided by tablished in DOD and DA IA publications.
case, prior written authorization of the DAA, who clearly displaying the legally-approved DOD l. Vulnerability assessments. Assistance is
shall ensure appropriate security procedures warning banner. At a minimum, the DOD warn- available to assess and improve the IA posture,
against viruses and for protection of sensitive ing banner shall be displayed to the user upon by identifying vulnerabilities in an operational
information. The appropriate security proce- initial entry or login to system, network, local, environment and validating a particular site’s
dures shall be identified within the contract for and remote resources. Acceptance of the ban- overall security posture and degree of system
handling and disposal of information and IT re- ner-warning screen shall constitute consent to integration. Requests for IA assistance visits
sources. Software that is personally procured, monitoring. The approved warning banner is should be forwarded to the DAA or IAPM.
developed, or obtained as “public domain” or available in AR 380-53 and AR 25-2, which also m. IA assistance visits. USAAC will provide
“shareware,” shall not be installed on Govern- provides additional information and guidance on for the availability of IA assistance visits de-
ment-owned systems without the IAM’s, IASO’s, monitoring. signed to provide assistance in the identification
and/or SA’s evaluation for compatibility, correct j. Network management tools. Network man- and subsequent safeguarding of IS vulnerabili-
operation, and absence of viruses. agement tools that detect, isolate, and react to ties.
e. Acquisition management. USAAC shall intrusions, disruption of services, or incidents n. ISs infrastructure interconnections. Net-
apply appropriate resources to ensure cost- that threaten the security of USAAC IT resources worked ISs may incur additional risks because
effective IA measures are incorporated in each shall be used. of the exposure of their data and resources to a
acquisition program. Army PMs are respon- k. Army computer emergency response. larger community of users. Assessing benefits
sible for the accomplishment of all activities and (1) The Army Computer Emergency Re- and risks of internetworking, as compared with
tasks associated with security certification lead- sponse Team (ACERT) serves as the Army’s the costs to mitigate and control risks, is re-
ing to accreditation of the system under their primary computer incident response capability quired as part of the overall vulnerability analy-
developmental responsibility. The security test to provide assistance in identifying, assessing, sis. Decisions to maintain connections to other
and evaluation plan shall also specifically ad- containing, and countering incidents that networks should be made with awareness of
dress system security certification testing plans threaten ISs and networks. USAAC will col- the lack of control over the security safeguards
and requirements. laborate and coordinate ACERT efforts and with in use by other network infrastructures. Use of
f. Multilevel security, multiple security levels, other Government and commercial activities to products that have been certified under FIPS
and interoperability. identify, assess, contain, and counter the im- Pub 140-2 is encouraged, both to reduce the
(1) USAAC operational missions may require pact of computer incidents on national security burden of additional certification and to provide
interoperability between ISs operating at differ- communications and ISs, and to minimize or incentive for industry to provide products that
ent classification or security levels. Application eliminate identified vulnerabilities. comply with the standards.

6 UPDATE • USAAC Reg 25-2


(1) DII. USAAC’s connections to the DII (in- ing a Publicly Accessible Department of De- (7) Mobile computing. Mobile computing
cluding the Unclassified but Sensitive Internet fense Web Information Service. poses issues of physical security, as well as
Protocol Router Network (NIPRNET) and Se- (f) All files downloaded or received over a remote access. Appropriate physical security
cret Internet Protocol Router Network WAN shall be virus checked, using the com- measures shall be employed to protect the mo-
(SIPRNET)) shall be coordinated in accordance mand standard antivirus software with current bile hardware, software, and data contained
with established Defense Information Systems virus definition files, prior to placing on a local therein, or data accessible via the mobile hard-
Agency requirements. Appropriate protections workstation drive. Unless specifically autho- ware, commensurate with the classification or
shall be employed in a Defense in Depth ap- rized in the SSAA, files shall not normally be sensitivity level of the data and systems involved.
proach to protect the associated data and sys- downloaded directly to a network or shared drive. Specific safeguards, such as approved encryp-
tems. (g) Each Web index page shall have a des- tion mechanisms, should be employed to pro-
(2) National Information Infrastructure. ignated author or maintainer, responsible for the tect information in the event the mobile hard-
USAAC’s systems that connect directly to non- content and appearance of the page. That ware falls into unauthorized control.
DOD infrastructures, such as the Internet, shall individual’s name, organizational code, organi- (8) Encryption. Encryption, when used cor-
apply appropriate security technologies, to spe- zational telephone number, e-mail address, and rectly, can protect the security and classifica-
cifically include a firewall, to protect IT resources date of last revision shall be included in the source tion of data during transmission and storage.
from unauthorized external activities. code for that page. Encryption can be employed at either the net-
(3) Remote control and management. Re- (h) Web sites hosted by commercial Internet work level or the application level. There are
mote control or remote management software service providers shall not normally be used for numerous Government and commercial alter-
protocols that are used across these bound- official purposes due to the inability to identify natives for employing encryption techniques.
aries shall be discontinued except via approved and directly control any implemented security To ensure security and interoperability when
access assurance means, such as strong au- measures. This policy does not preclude using encryption, the USAAC IA Office shall be
thentication (e.g., one-time passwords or X.509 USAAC from contracting with a commercial or- contacted for guidance prior to system design
certificates). ganization to establish and host a Web site if and for approval prior to employment.
(4) Web site operations. USAAC’s informa- appropriate security measures are maintained (9) Certificate management. Properly em-
tion servers and services established and main- by the commercial organization contracted to ployed public key based security mechanisms
tained on WANs (such as the Internet, provide this service. Outsourcing web services provide a good means to protect USAAC ISs
NIPRNET, and SIPRNET), including World Wide does not relieve the command of the responsi- from unauthorized access and to provide ac-
Web sites, must support legitimate, mission-re- bility to accredit the system. cess control to system resources. Only ap-
lated activities and be consistent with prudent (5) Firewalls. Firewalls are security prod- proved workstations shall be used for certifi-
operational and security considerations. The goal ucts that control the flow of traffic between net- cate establishment and management services.
is to provide maximum availability at acceptable works and offer security protections such as Requirements for public key based digital sig-
levels of risk, with sufficient access and secu- packet filtering, application proxying, access nature and encryption services shall be imple-
rity controls. control, and stateful inspection. Firewall pro- mented to ensure compliance with the DOD
(a) Classified information shall not be posted tection may be achieved via a specifically de- public key infrastructure policy as mandated in
on publicly accessible web servers. Access to signed product, or through inherent capabilities Deputy Secretary of Defense memo U07287/
classified or SBU information via the SIPRNET within existing resources. Mere presence of a 99 dated 6 May 1999, the PKI Roadmap for the
or NIPRNET shall be controlled by strong au- firewall does not ensure protection. The firewall DOD, and supporting DA guidance.
thentication or encryption. must be configured correctly, based on the tech- (10) Virus and malicious code protection.
(b) Internet web servers shall be hosted nical architecture of the operating environment (a) The threat of attack from computer virus
within a separately protected demilitarized zone and the overall security architecture, with suffi- or other malicious code, both deliberate and in-
(DMZ). A DMZ is a dedicated network segment cient access and security controls, policies, and advertent, is significant. Successful virus pre-
used to separate public services (such as e- procedures to protect information from unau- vention incorporates technical, policy, and pro-
mail or web servers) from internal services. It thorized internal or external compromise. cedural elements. All USAAC’s ISs and net-
should be protected by a different firewall than Firewall selection, engineering, configuration, works shall use antivirus software to intercept
the internal network segment, or a separate in- and operation shall be in accordance with the viruses before they can establish themselves.
terface on the existing firewall. If neither option Command Chief Information Officer’s guidance. The command shall develop and implement lo-
is available, the DMZ should be outside the (6) Remote access. Uncontrolled and cal policy and procedures to support effective
firewall. USAAC shall only use Internet web- nonsecure remote access to USAAC ISs and employment of antivirus software.
hosting services provided by a centralized Net- networks may bypass other system security (b) As the nature of the threat from virus
work Operations Center. Intranet and Extranet measures. Sites with either dial-up or WAN software constantly changes, sites shall ensure
web services shall be protected with appropri- remote access capability shall have adequate that antivirus software profiles are updated fre-
ate access controls. access controls and authentication procedures, quently and on a routine basis. DOD licensed
(c) Web servers connected to a WAN shall commensurate with the classification or sensi- antivirus software is available free to all USAAC
be specifically included and addressed in the tivity level of the data and systems involved. activities, and may be downloaded from the IA
site SSAA. Authentication procedures should verify the iden- Web site (http://usarec.army.mil/im/SIO/IA/
(d) Prior to final accreditation, appropriate tity of the user, as well as control access to index.html). This software is also authorized
procedures and mechanisms shall be estab- specific systems and data. The NSA, Defense for, and should be installed on, personal com-
lished to ensure prompt detection of unautho- Information Systems Agency, and Chief Infor- puters, privately owned by DOD personnel, used
rized access or modification to web servers mation Officer provide guidance on the use of for official business.
and services, as well as contingency plans to sophisticated access control mechanisms be- (11) Data management. The increasing re-
ensure prompt restoration of capability as re- yond simple password access control, such as liance on distributed, interconnected ISs negates
quired. one-time passwords, X.509 certificates, or au- many of the data protection mechanisms built
(e) Each publicly accessible web informa- thentication tokens. The legally approved DOD into traditional contained “system high” networks
tion service shall provide a privacy and security warning banner, available on the USAAC IA Web and requires additional safeguards to protect
notice to users upon initial access to the Web site, shall be displayed at the network and sys- USAAC information from both unauthorized us-
site in accordance with Office of the Secretary tem level upon establishment of each remote ers and from authorized users without a need to
of Defense Policy for Establishing and Maintain- access session. know. Data processed, transmitted, and stored

UPDATE • USAAC Reg 25-2 7


on USAAC’s ISs shall be protected to the ap- Chapter 5 (b) Risk assessment. Process of analyzing
propriate level of classification or sensitivity and Certification and Accreditation Require- threats to and vulnerabilities of an IS and the
required level of IA. ments potential impact the loss of information or capa-
o. Data marking. Electronic data and files bilities of a system would have on national se-
shall be marked to reflect the appropriate clas- 5-1. General curity. The resulting analysis is used as a basis
sification or sensitivity. At a minimum, all elec- All USAAC’s ISs, as well as sites employing IT for identifying appropriate and cost-effective
tronic information in the form of documents, im- resources at the local level, shall be accredited countermeasures.
ages, or other human-viewable format, regard- for operation. Site accreditation should include (c) Certification test and evaluation. Soft-
less of location, shall include plain-text mark- the aggregate of all ISs, networks, and other ware and hardware security tests conducted
ings indicating classification or sensitivity, as resources used to support mission accomplish- during development of an IS. The purpose of
would be required if they were hard-copy prod- ment. ISs developed or procured by a program these tests is to verify the technical security
ucts. office shall be accredited at the system and site requirements have been correctly and com-
p. Data release. Data, both physical (e.g., level prior to deployment. Accreditation shall be pletely implemented into the system.
hard copy) and electronic (e.g., floppy disks, achieved through the DOD C&A process as (3) The second part, which assesses the
web pages), shall be released in accordance described in DODI 5200.40 and AR 25-2. Imple- nontechnical security features, establishes the
with established DA data release procedures. mentation of the C&A process may be tailored extent to which a particular implementation
q. Data access. Appropriate procedures for to fit the size and complexity of the system and meets a set of specified security requirements.
establishing and disestablishing access and the required level of IA. Key participants in the This assessment is against a product imple-
authentication shall be based on need to know C&A process include the IAPM, the DAA, the mented in an operational environment and is
and the classification or sensitivity level of the CA, and the system’s IA officer. called “Operational Site Certification.” This is a
information. Authentication and access control a. Certification. statement by the local authority certifying that
may be enforced by the operating system or (1) Certification is the comprehensive evalu- the system has been installed in an approved
through encryption techniques. ation of the technical and nontechnical security configuration and in an environment that satis-
r. Passwords. Passwords are one of the features of an IS and other safeguards, made in fies nontechnical INFOSEC measures. The
simplest, most effective security measures, but support of the accreditation process, to estab- operational site certification statement is made
are often the first target of intruders. Pass- lish the extent to which a particular design and based upon the results of security test and evalu-
words shall be managed in accordance with the implementation meets a set of specified secu- ation. It is the formal examination and analysis
below guidelines and tailored to the appropriate rity requirements. DOD has tailored the certifi- of the safeguards required to protect an IS, as
level of protection required. cation process that supports this definition of they have been applied in an operational envi-
(1) When passwords are the single authen- certification. Certification is a two-part process ronment, to determine the security posture of
tication credential, they shall be a minimum of covering the definition, verification, and valida- that system.
eight characters in length, consist of a mixture tion phases of the C&A process. b. Accreditation.
of alphanumeric characters (i.e., a-z, A-Z, and (a) A comprehensive evaluation of the tech- (1) Accreditation includes a formal declara-
0-9), and avoid the use of names and dictionary nical security features of an IS to establish the tion by a DAA that a site or an IS is approved to
words. Legacy systems constrained by sys- extent to which a particular design meets a set operate in a prescribed operational configura-
tem design may be exempt from the eight-char- of specified security requirements. tion using a defined set of safeguards and coun-
acter minimum password length requirement, (b) A comprehensive evaluation of the non- termeasures against stated threats and vulner-
with the approval of the DAA. technical security features of an IS to establish abilities. DAA responsibility for ISs developed
(2) SAs should use available tools to evalu- the extent to which a particular implementation or procured shall be assigned in accordance
ate the strength of passwords under their con- meets a set of specified security requirements. with AR 25-2.
trol. (2) The first part, which assesses the tech- (2) After the system has been certified, but
(3) Accounts shall not be issued with default nical security features, establishes the extent before it can be placed into operation, the risks
passwords (e.g., “password”). Default pass- to which the developed IS (the target of evalua- associated with operating the system must be
words at the system or network administrator tion) has applied the INFOSEC measures of assessed. The DAA participates in the devel-
level shall be changed to a site unique pass- COMPUSEC, COMSEC, and Emanations se- opment of and performs the final review of the
word upon system installation, and verified prior curity. This assessment is against a developed SSAA (as explained below) and accredits or
to final system accreditation. product. This effort can be performed once, denies accreditation for the operation of the sys-
(4) Access to password files shall be appro- independent of a specific implementation, and tem.
priately protected from unauthorized users. the results reused many times. The CA states (3) The set of safeguards discussed in the
(5) For systems with automated password that a comprehensive evaluation of the techni- definition of accreditation are those traced back
administration capability password change shall cal security features of an IS has been con- into the objectives of the IS security policy and
be system forced semiannually, at a minimum. ducted and establishes the extent to which a validated through certification.
All other systems shall incorporate user training particular design meets a set of specified secu- (4) The SSAA certifies the INFOSEC require-
to advise users to change passwords semian- rity requirements. This certification activity in- ments that are designed and implemented into
nually, at a minimum. AR 25-2 and CSC-STD- cludes reviewing design documentation, per- the IS and an assessment of the risk of operat-
002-85 provide additional information on pass- forming design level risk assessments (used to ing the IS after all of the INFOSEC measures
word usage. determine compliance with a stated IS security are put into place. The accreditation process is
s. Account management. SAs shall monitor policy), and conducting certification test and a risk management approach whose final ac-
user account inactivity and establish procedures evaluation. tion is to document the residual risk of operating
for investigating, deactivating, and eliminating (a) Design documentation. Set of docu- an IS. Residual risk is that portion of the risk
accounts that do not show activity over time. ments, required for the evaluation criteria for IT, remaining after security measures have been
For example, deactivate accounts with no ac- whose primary purpose is to define and de- applied.
tivity for over 30 days, and investigate and elimi- scribe the properties of a system. Design docu- (5) Upon completion of the accreditation pro-
nate accounts with no activity for over 90 days. mentation provides an explanation of how the cess, the DAA may take one of the following
Applicability and associated privileges of all de- security policy of a system is translated into a four actions:
fault accounts shall be validated and deactivated, technical solution via the security functions of (a) Accredit the system to process informa-
as appropriate, prior to system accreditation. the hardware, software, and/or firmware. tion in the given operational environment.

8 UPDATE • USAAC Reg 25-2


(b) Issue an interim authority to operate acceptable level of risk. The validation phase of information required to make an informed
(IATO). An IATO is issued when the DAA de- ends with an approval to operate in an accred- accreditation decision. The certification level of
termines that changes must be made to the ited security posture (i.e., accreditation). effort provides a uniform baseline for applica-
system or its environment, but the system will d. IATO. When it is necessary for a site or tion of the INFOSEC C&A process on ISs with
be allowed to operate in the interim. An IATO an IS to become operational before the residual similar characteristics.
may not exceed 1 year. risk can be fully determined, an IATO may be b. The specific level of effort and documen-
(c) Reject accreditation and recommend en- issued by the DAA, for a period not to exceed 1 tation for certifying a system is at the discretion
hancements that will lead to accreditation. year. All available certification evidence nor- of the DAA, based on specific factors that may
(d) Reject accreditation because of inherent mally considered for full accreditation shall be increase or decrease the degree of certification
security deficiencies and provide rationale. provided to assist in determination of the IATO. testing, analysis, and documentation required.
(6) Accreditation must be reviewed when The IATO shall stipulate the remaining require- These factors include the degree of intercon-
changes are made to system functionality, ar- ments to achieve accreditation. nection with other systems, the life expectancy
chitecture, interfaces, information processed, e. Postaccreditation. The postaccreditation of the system, and the cost of achieving the full
environment, and user communities because phase monitors the operational site or IS to en- level of effort associated with the certification.
these changes may increase the risk to the sure the accepted level of risk is maintained For example, a system with no system inter-
system. throughout the life cycle, to include changes in connections, limited life expectancy, and high
threat conditions, the application of new require- cost to certify should not require the same level
5-2. Five phases of C&A ments, or changes to system configuration. of effort as one with multiple interconnections,
The C&A process is divided into five life-cycle Accredited sites and ISs shall be subject to pe- longer life expectancy, or lower cost to certify.
phases: riodic compliance reviews, as required by the Table 5-1 is provided as general guidance to aid
a. Definition. During the definition phase, DAA and specified in the SSAA. Specific timing the determination of the level of effort that should
system mission and architecture are docu- and activities required for reaccreditation shall be applied to conducting the certification pro-
mented, potential threats and security require- depend on the degree of change to the security cess.
ments are identified, the DAA and CA are iden- posture of the site or system. A system must c. Administrative checklist level of effort. This
tified, and an overall approach to the certifica- be reaccredited when significant changes have level of effort requires documenting the status
tion process is developed. occurred or every 3 years, whichever comes of IA requirements and the technical, physical,
b. Verification. During the verification phase, first. and administrative safeguards as implemented.
security activities are developed to verify com- USAAC Form 106 (Security Requirements
pliance with the identified security requirements. 5-3. Certification levels of effort Checklist) should be used (see sample at fig 5-
c. Validation. During the validation phase, a. The certification level of effort indirectly 1) (for relatively simple IT systems, many items
the integrated system or site is validated in the determines the amount of resources that will be in the checklist may not be applicable).
designated operating environment against an expended on providing the DAA with the amount d. Basic certification level of effort. Basic

Table 5-1
Certification levels

Level Explanation

Administrative Checklist The administrative checklist certification is the simplest certification to conduct. It involves completion of a
minimum security checklist, which includes verification that procedures for proper operation are established,
documented, approved, and followed. Minimal evidence is required for this type of certification.

Basic Assurance The basic assurance certification is more extensive than Level A, and begins with completing the Level A
checklist. The amount of documentation required and the resources devoted should be low. The focus of this type
of certification is INFOSEC functionality (auditing, access control, identification, and authentication). Some docu-
mentary and test evidence is required for this type of certification.

Medium Assurance The medium assurance certification is more detailed and complex and requires more resources. This type of
certification is generally used for systems that require a higher degree of assurance, have a greater level of risk,
and/or are more complex. The focus of this type of certification is also on INFOSEC functionality. However, more
extensive documentary and test evidence is required to show that the system meets the security requirements.

The high assurance certification is the most detailed and complex and generally requires a great deal of re-
High Assurance sources. This type of certification is used for systems that require the highest degree of assurance and may have
a high level of threats and/or vulnerabilities. The focus of this type of certification is INFOSEC functionality and
assurance. Extensive evidence, generally found in the system design and test documentation, is required for this
type of certification.

certification level of effort includes development from the basic IA level of effort and any addi- f. High certification level of effort. High certi-
of an SSAA, concept of operations, IS security tional documents negotiated with the DAA. fication level of effort includes addressing all of
policy, network topology map, and residual risk These would normally include a more detailed the task activities and documentation require-
assessment. evaluation of the system’s development and life- ments addressed in DITSCAP. This level of
e. Medium certification level of effort. Me- cycle maintenance process and the safeguards effort adds a more exhaustive evaluation of the
dium certification level of effort includes those to the integrity of system content throughout the internal functionality of elements of the system,
task activities and documentation requirements life cycle. such as the operating system, applications, utili-

UPDATE • USAAC Reg 25-2 9


ties, and system interfaces. The ISs that are are responsible for specific terminal, office, or
characteristic of this level of effort are those work areas that are connected to the system.
that are centrally procured and involve separa-
tion and protection of information at different clas-
sification levels or compartments.

5-4. INFOSEC certification assistance


Anyone can conduct the C&A process. These
certification agents primarily focus on medium
and high IA level certification efforts, whereas
basic IA level of effort can be conducted by the
INFOSEC personnel at the local site with guid-
ance from the identified certification agents. The
certification agents can and will assist the local
sites in achieving their basic IA level C&A.

Chapter 6
Roles and Responsibilities

6-1. Organizational responsibilities


a. IA responsibilities are assigned to organi-
zations and individuals within USAAC.
b. The Information Support Activity is respon-
sible for ensuring the Army IA Program is imple-
mented within USAAC in full compliance with
DOD and DA regulations.

6-2. Individual responsibilities


The individual roles and associated responsi-
bilities are located in AR 25-2. Roles and abbre-
viated responsibilities are:
a. DAA. The DAA is the management official
who determines whether an IS can be operated
with the known level of risk by accepting re-
sponsibility for that risk. The accreditation deci-
sion of the DAA is based on the operational
need for and the threats to the system. The
DAA must make an accreditation decision based
on a trade-off between the operational need and
the criticality of the system (and its information)
against the risks posed by the known threats.
b. IAPM. The IAPM establishes and main-
tains the command’s IA Program.
c. IANM. The IANM serves as the alternate
IAPM and provides direct support to the IAPM
on matters of Computer Network Defense and
the command’s IA Program.
d. IAM. The IAM is the IAPM’s technical se-
curity advisor. The IAPM will rely on this indi-
vidual in establishing and maintaining the
command’s IA Program. The IAM is respon-
sible for a specific grouping of systems or sites.
e. IASO. The IASO is the IAM’s technical
security advisor. An IASO is appointed for indi-
vidual systems or for a specific area or site
managed by the IAM. IASOs are responsible
for ensuring that appropriate technical and pro-
cedural measures are established for their sys-
tems or areas. These measures include a train-
ing and awareness program; access control to
the hardware, software, and data; auditing user
actions; system accreditation, a risk manage-
ment program; and an adequate contingency
plan.
f. Local information assurance security of-
ficer (LIASO). The LIASO assists the IASOs in
performing their duties. Typically, the LIASOs

10 UPDATE • USAAC Reg 25-2


SECURITY REQUIREMENTS CHECKLIST
(For use of this form see USAAC Reg 25-2)

COMPLIANCE
SECURITY REQUIREMENT GUIDANCE
MET NOT MET NA
Rules of behavior for system and application use shall be established. The rules
should clearly delineate responsibilities of and expectations for all individuals with
access to the system.
An information assurance security officer shall be assigned for each system with
responsibility for security in writing, and be trained in the technology used in the
system and in providing security for such technology.

The information assurance security officer shall obtain and maintain certification.

CONFIGURATION MANAGEMENT MET NOT MET NA

A system configuration management plan shall be developed for all system


components.

Users are prohibited from installing freeware, shareware, or public software on the
system without appropriate administrative oversight.

Software acquired through other than the appropriate procurement channels must
be scanned for malicious code.

Procedures shall be established to ensure the correct versions of the hardware,


software, firmware, and documentation are installed and available.

The distribution of security-related software, hardware, and firmware is properly


controlled.

Users are prohibited from installing freeware, shareware, or public software on the
system without appropriate administrative oversight.

Security software (e.g., firewalls, guards) and security-related software patches


are not made operational until successful testing by the appropriate organization is
conducted.

All security-related alert recommendations (e.g., from the Army Computer


Emergency Response Team) are followed as soon as possible.

MEDIA CONTROL MET NOT MET NA


Backup media shall be properly labeled with sufficient information (e.g., type of
data, date of creation).

When equipment or media are reused by a new user group, the storage media and
nonvolatile memory devices must be cleared.

Hard disks are cleared of sensitive information before being submitted for
servicing.

All magnetic media used to store sensitive unclassified information are cleared or
destroyed when no longer needed.

Purging and destruction methods for media must be approved in writing.

IDENTIFICATION AND AUTHENTICATION MET NOT MET NA


The system employs a method to identify uniquely all users of the system before
allowing the users to perform any actions on the system and to maintain their
identity throughout their active sessions on the system.
The system provides or incorporates a mechanism for authentication management
and the authentication data are protected to prevent unauthorized or inadvertent
access.

The system is able to provide hardware identification of remote terminals and


personal computers.

Logon identifications must be uniquely identifiable.

The automated information system shall lock out an interactive session after an
interval of user inactivity not to exceed 30 minutes.

USAAC Form 106, 1 Apr 2005 V1.00

Figure 5-1. Sample of a completed USAAC Form 106


UPDATE • USAAC Reg 25-2 11
User access shall be prohibited after a specific number of invalid login attempts
(i.e., three times).

Null passwords are not accepted.

Passwords are not reusable by the same individual for a period of six password
change iterations.

Protected system resources are only available to users after successful completion
of identification and authentication.

Each data object in the system has an identifiable source (i.e., owner) throughout
its life cycle.
All dial-up access to sensitive but unclassified automated information systems and
telecommunications networks shall be protected with security measures that
provide explicit user identification and authentication and audit trails.

Passwords are blotted out when entered.

ACCESS CONTROL MET NOT MET NA

The principle of least privilege is used in allowing access to the system services.

All personnel associated with the system have the appropriate personnel security
background investigation prior to being provided access to the system.

The system provides for the extraction of any data contained in its databases
about an individual, in response to a request by that individual or his or her
representative, when required by the Privacy Act.

The system provides a mechanism for user-initiated locking of interactive sessions.

The system provides a mechanism to limit the privilege a user may obtain based
on means of access or port of entry.

Before initiating the system logon procedure, the system displays an advisory
warning message to the user.

The system ensures that a user is not able to access the prior contents of a
resource that has been allocated to that user by the system.

Access to the audit data is strictly limited.

The system, if connected to other networks, provides insulation (e.g., firewalls) to


prevent unintended and/or unauthorized access from the Internet by "back-end"
users.

Procedures and mechanisms are in place to protect against threats from connected
networks operating at a lower security level than that of the local subscriber
environment.

The equipment's operating system has built-in protection to prevent bypassing of


security and the unauthorized access to data.

The system software restricts individual access to only the files and data for
which the user is authorized.

Approval to enter data is obtained from the data owner, where applicable, and is
authorized by management for entry.

When an individual who has been granted access to an automated information


system no longer requires access privileges, the individual's identification,
passwords, and other access controls shall be immediately removed from all
systems.

Only necessary network services shall be run on servers.

The system is configured to protect resources from unauthorized access.

AUDIT MET NOT MET NA


The system provides or incorporates an audit mechanism that maintains individual
accountability of a subject's access to the objects the system protects.
The system provides or incorporates a mechanism for audit analysis. Audit trails
are sufficient to identify individuals associated with security events.
USAAC Form 106, 1 Apr 2005 Page 2 of 8

Figure 5-1. Sample of a completed USAAC Form 106 (Continued)


12 UPDATE • USAAC Reg 25-2
The system provides other audit options for use when the standard audit
mechanism is unable to record events.

The duration of storage of audit data is adequate to ensure recognition of security


incidents and subsequent analysis of their occurrence, and will be a minimum of
30 days.

Auditable security events include, at a minimum:


Use of identification and authentication mechanisms.
Use of privilege mechanisms.
Introduction of "objects" into a user's address space.
Deletion of "objects."
Actions taken by security personnel and systems administrators.

For each recorded event, the audit trail includes the following information:
Date and time of the event.
Unique-user identification.
Type of event.
Success or failure of the event.
Terminal identification.

Auditing is enabled.

Critical system directories are audited.

INTEGRITY MET NOT MET NA


All parts of the system (hardware, software, firmware, processes, data, and
documentation) are protected in a verifiable manner against tampering, loss, or
destruction throughout their lifetime.

Virus prevention measures commensurate with the level of risk identified in the
risk analysis shall be employed to protect the integrity of the software and data.

GUIDANCE MET NOT MET NA


No data is introduced into a system without designation of the classification or
sensitivity of the data.

All critical or sensitive applications are properly identified.

AVAILABILITY OF SERVICE MET NOT MET NA

Information in the system is available when needed.

The system provides a mechanism for controlling and managing consumption of


disk space.

Preventative maintenance is performed on a schedule comparable to that


recommended by the equipment's manufacturer.

The system provides a mechanism to support software and data backup and
restoration. The mechanism incorporates synchronization points and allows
recovery after a system failure or other discontinuity without a security
compromise.
INCIDENT RESPONSE MET NOT MET NA
Agencies review the susceptibility of their programs and functions to waste, loss,
unauthorized use, and misappropriation. This review includes vulnerability
assessments and equivalent reviews, such as audits.
The system actively prevents infection of malicious code by only allowing the
installation and use of authorized software that is free of malicious code, and by
executing effective antiviral software on all software on the system upon
installation of any software and on the entire system at least on a quarterly basis.

The system has the capability to identify and record unauthorized attempts to gain
access.

Whenever a virus infection is detected, it should be reported to the information


assurance security officer.

Controls exist to detect and/or prevent covert penetration attempts.

FIREWALLS MET NOT MET NA


The firewall is configured to deny unauthorized access to all protected
components.
USAAC Form 106, 1 Apr 2005 Page 3 of 8

Figure 5-1. Sample of a completed USAAC Form 106 (Continued)


UPDATE • USAAC Reg 25-2 13
Administrative access to the firewall from other than the console only occurs after
successful strong authentication.

The firewall configuration explicitly states the host and network Internet protocol
addresses for which access is allowed.

The firewall is capable of being configured to dynamically deny access to Internet


protocol addresses based on anomalous behavior such as network flooding.

The firewall is capable of being configured to selectively manage traffic priority


based on host or network Internet protocol addresses during high-traffic periods.

Firewall proxies are configured to deny access unless explicitly configured


otherwise.

Specific proxy capabilities (e.g., a file transfer protocol pull) are explicitly defined
and include the appropriate access controls.

FACILITY ACCESS CONTROLS MET NOT MET NA


The facility housing computer equipment shall provide physical security
mechanisms to restrict access.

The facility shall maintain an access roster at each facility entry point.

The facility shall maintain a cleared visitor roster or file of current visitation request
forms.

Positive personnel identification measures (e.g., badge system, fingerprints) shall


be in place.
All uncleared personnel granted facility access must be properly escorted and
restricted to those areas necessary to complete their tasks. Sensitive information
must be protected from unauthorized disclosure to such persons.

The information assurance security officer shall ensure that network interfaces
(hardware connections) in the terminal area are physically protected as required to
achieve a level of protection adequate to prevent disruption resulting from
accidental causes.

Sensitive information must be processed, stored, or transmitted in spaces that are


under exclusive control while operational.

All terminal areas shall be physically secured at the end of the day.

Access to the computer center, server, cable closets, etc., shall be limited to
personnel who have a justifiable need for access.

When combination locks are used to control access to the computer resources,
those locks shall be changed periodically and after the termination or reassignment
of any employee.

When keys are used to control facility access, those keys shall be changed
periodically and after the termination and/or reassignment of any employees.

Keys shall be formally signed out.

ENVIRONMENTAL CONTROLS MET NOT MET NA


An uninterruptible power supply shall be provided to prevent loss of data during
power interruptions.

An emergency power switch shall be in place in the computer center and clearly
marked.

Security devices that limit the amount of damage caused by environmental


disasters (e.g., fire and flood) shall exist in the computer areas (e.g., smoke and
water detectors, fire extinguishers, sprinklers).

The fire detection system shall be tested periodically.

SOFTWARE AND DATA SECURITY MET NOT MET NA

Only necessary trust relationships exist with other domains.

Access to all shared folders is restricted.

USAAC Form 106, 1 Apr 2005 Page 4 of 8

Figure 5-1. Sample of a completed USAAC Form 106 (Continued)


14 UPDATE • USAAC Reg 25-2
Proprietary software is protected against compromise.

Software is scanned for viruses before being introduced to the system.

DESIGNATED APPROVING AUTHORITY MET NOT MET NA


A designated approving authority is designated as responsible for the overall
security of the connected systems.

CERTIFIER MET NOT MET NA


A certifier conducts a comprehensive evaluation of the technical and nontechnical
security features of the connected systems to establish the extent to which the
design and implementation meet the set of specified security requirements (e.g.,
the security policy).
ADMINISTRATOR MET NOT MET NA
Security and system administrators ensure that the system security policy, as
established by the designated approving authority, is implemented.

System administrators are certified.

REQUIREMENTS ANALYSIS MET NOT MET NA


An analysis is performed to identify all security requirements for the entire life
cycle of the system.

System boundaries and interfaces are defined to maximize the security of the
system and minimize the threat from external sources.

RISK MANAGEMENT MET NOT MET NA


A risk management program, approved by the designated approving authority,
determines the most economical way of providing a reasonable assurance of
information security protection.

A program exists to periodically identify, measure, control, and minimize uncertain


events affecting system resources.

SYSTEM DEVELOPMENT MET NOT MET NA


For any system that will handle sensitive unclassified or unclassified data, the
entire system development life cycle is controlled to ensure its integrity at all
levels, including the use of "best commercial practices."
TESTING MET NOT MET NA
Before a new or modified automated information system is placed into production,
its controls are tested to prove that they operate as intended and to ensure the
established minimum security requirements are met.
TRAINING AND AWARENESS MET NOT MET NA
If passwords are selected as the authentication mechanism for the system, users
must be briefed on the following at the time of password issuance:
Password classification and exclusiveness.
Measures to safeguard "sensitive" passwords.
Prohibitions against disclosing passwords to other personnel.
Responsibilities for notifying the information assurance security officer of
password misuse.
Password change procedures.

Individuals assigned primary responsibility for performing critical functions in


support of the automated information system (e.g., system administration,
security administration, system operations, programming) should have trained
alternates who can perform these functions in the event the individual assigned
primary responsibility is unavailable.
Agency's training practices shall be reviewed biennially to ensure that all agency
personnel are familiar with requirements of the Privacy Act, with the agency's
implementing regulation, and with special requirements of their specific jobs.

A security awareness training plan is in place and in use.

All information assurance and system administrator personnel have attended


training required for security certification.
CONTINGENCY PLANS MET NOT MET NA
The approved contingency plan shall be periodically tested.

USAAC Form 106, 1 Apr 2005 Page 5 of 8

Figure 5-1. Sample of a completed USAAC Form 106 (Continued)


UPDATE • USAAC Reg 25-2 15
The system has a tested contingency plan addressing full system restoration.

Another system can be used to avoid interruption of important processing if the


system were destroyed or in need of repair.

Backups are made of critical applications on a regular basis.

Backups are stored offsite and the security posture of the offsite location is
adequate for their storage.
Current contingency plans exist for the system that cover all anticipated
emergencies, backups, and disaster recovery.
A current, tested, system emergency action plan exists and assigns clear
responsibilities for actions to be taken during the emergency. These actions are
listed in priority order. The emergency action plan is tested frequently.

A system backup plan exists that:


Identifies critical and vital files that must be backed up, including how the
media containing those files are to be marked.
Identifies essential documentation that must be available in the event the
primary processing site is unavailable.
Establishes the frequency of backups and rotation schedule of the backup
media.
Provides for offsite storage of the backed up media and essential
documentation.
Contains information relating to security of the backed up media, including
its security while being transported to and from the offsite location.
Contains information regarding a backup computer facility.

A disaster recovery plan exists that:


Establishes evaluation criteria for determining the extent of disruption of
functions and operations.
Identifies backup processing sites.
Covers the safeguarding or destruction of sensitive unclassified information
in the event that the primary site must be evacuated.
Provides detailed plans for the movement of personnel and the backup media
and documentation to the backup processing site.
Provides guidance for testing the plan.

The contingency plan has been tested in the last year and has the following
characteristics:
Deals with less than catastrophic occurrences as well as major catastrophic
events.
Clearly and unambiguously assigns responsibilities.
Clearly outlines the amount of downtime that can be tolerated before disaster
is declared.
The system has adequate capability to recognize and contain incidental
releases of sensitive unclassified or unclassified information on to inappropriate
or incorrect network or system.

PERSONNEL SECURITY MET NOT MET NA


All personnel associated with the system are subject to a personnel security
background investigation and have appropriate clearance for the data and systems
accessed.

A list is maintained of all persons who have access to the areas where the
systems are located, and the list shows the level of access of each individual and
is kept current at all times.
All personnel having unescorted privileges to the systems areas possess a
clearance or access authorization equal to or higher than the highest classification
of all categories of information on the systems.

Maintenance and cleaning personnel are cleared, or if uncleared, are escorted.

All personnel receive appropriate security briefings upon arrival and before
beginning their assigned duties.
Passwords are changed or deleted for individuals when:
Their access is withdrawn for any reason.
There has been a compromise or suspected compromise of the password.
A maximum of 6 months has elapsed since the last change.

Corrective action has been taken for all security violations reported within the past
year.
Upon termination of job function, access is removed, personnel are debriefed,
required to return all material related to operations, and required to execute a
security termination statement.
USAAC Form 106, 1 Apr 2005 Page 6 of 8

Figure 5-1. Sample of a completed USAAC Form 106 (Continued)


16 UPDATE • USAAC Reg 25-2
PHYSICAL SECURITY MET NOT MET NA
All removable media are controlled at the highest classification level or sensitivity
and criticality category of information on the media.

Unencrypted sensitive unclassified lines do not exist, or if they do, continual


surveillance and protection are provided.

Access to the system patch panel is controlled.

Access to equipment locations is controlled during working hours and after


working hours.

An individual cannot gain access to the system's working areas during or after
working hours without detection.

A log is maintained of all personnel who enter or leave the building after normal
duty hours, and the log indicates the specific workspaces accessed.

The facility is equipped with a fire, smoke detection, suppression, and alarm
system that is tested periodically.

A media library exists and is protected against unauthorized access.

Positive security controls are maintained over all components of the system at all
times.
ADMINISTRATIVE (PROCEDURAL) SECURITY MET NOT MET NA
Power distribution panels and circuit breaker panels are clearly marked to indicate
which switches control each outlet or piece of equipment.

A log is maintained of all hardware servicing and modifications.

Access to programs and software applications are restricted on a need-to-know


basis.

All items of hardware are adequately identified and an inventory is kept.

Passwords are disclosed only to their intended users.

An inventory is maintained of all system software that also records the software's
location.

Procedures exist to recover a deleted data file.

Memorandums of understanding exist for all site installation communications.

Controls exist to ensure that data submitted for input originated from an approved
source.

All auto-answer modems used are specifically approved by the designated


approving authority.
EMANATIONS SECURITY MET NOT MET NA

A TEMPEST Countermeasure Review has been submitted, as applicable.

POLICY DOCUMENTATION MET NOT MET NA


An explicit and well-defined security policy is enforced by the system. The
security policy of the system establishes goals for safeguarding the confidentiality,
integrity, and availability of all components of and data handled by the system and
procedures for attaining those goals.
The personnel security policy of the system ensures that all personnel responsible
for the design, development, operation, maintenance, or administration are
qualified.

A security analysis is part of the system's documentation.

The security architecture is part of the system's documentation.

A risk assessment is part of the system's documentation.

USAAC Form 106, 1 Apr 2005 Page 7 of 8

Figure 5-1. Sample of a completed USAAC Form 106 (Continued)


UPDATE • USAAC Reg 25-2 17
System security standing operating procedures is part of the system's
documentation.

The system's interface specification describes the security required for both
internal and external interfaces of the system.

The system's security test and evaluation plan fully describes how the security
features of the system will be tested.
CERTIFICATION AND ACCREDITATION PACKAGE MET NOT MET NA

Documentation proves that the security specification, design, and implementation


of the system are sufficient to fulfill the security policies of the system.
Accreditation of the system under consideration includes a memorandum of
agreement involving all other systems under another designated approving
authority directly connected to the system under consideration.

The certification and accreditation package is updated at least every 3 years.

The accreditation of the system is supported by a certification plan, an evaluation


of security safeguards, a risk assessment of the system in its operational
environment, and a certification report.

REMARKS:

USAAC Form 106, 1 Apr 2005 Page 8 of 8


Figure 5-1. Sample of a completed USAAC Form 106 (Continued)
18 UPDATE • USAAC Reg 25-2
Appendix A Section III
References Prescribed Form

Section I USAAC Form 106


Required Publications Security Requirements Checklist. (Prescribed
in para 5-3c.)
AR 25-2
Information Assurance. (Cited in paras 4-2g(4),
4-3i, 4-3r(5), 5-1, 5-1b(1), and 6-2.) (www.usapa.
army.mil)

AR 380-53
Information Systems Security Monitoring. (Cited
in para 4-3i.) (www.usapa.army.mil)

AR 380-67
Department of the Army Personnel Security
Program (Cited in para 4-2g(4).) (www.usapa.
army.mil)

CSC-STD-002-85
Department of Defense Password Management
Guideline. (Cited in para 4-3r(5).) (www.radium.
ncsc.mil/tpep/library/rainbow/CSC-STD-002-
85.pdf)

DODI 5200.40
DOD Information Technology Security Certifi-
cation and Accreditation Process (DITSCAP).
(Cited in paras 2-4b and 5-1a.) (www.dtic.mil/
whs/directives)

FIPS Pub 140-2


Security Requirements for Crypographic Mod-
ules. (Cited in para 4-3n.) (www.itl.nist.gov/
fipspubs)

NSTISSI 4009
National Information Systems Security
(INFOSEC) Glossary. (Cited in paras 3-3a and
3-4a.) (www.dss.mil/infoas)

Section II
Related Publications

AR 25-1
Army Knowledge Management and Information
Technology Management. (www.usapa.army.
mil)

AR 25-55
The Department of the Army Freedom of Infor-
mation Act Program. (www.usapa.army.mil)

AR 380-5
Department of the Army Information Security
Program. (www.usapa.army.mil)

FM 3-13
Information Operations: Doctrine, Tactics,
Techniques, and Procedures. (www.tradoc.
army.mil)

JCS Pub 3-13


Joint Doctrine for Information Operations.
(www.dtic.mil/doctrine/s_index.html)

UPDATE • USAAC Reg 25-2 19


Glossary IT
information technology
Section I
Abbreviations LIASO
local information assurance security officer
ACERT
Army Computer Emergency Response Team NIPRNET
Unclassified but Sensitive Internet Protocol
AIS Router Network
automated information system
NSA
CA National Security Agency
Certification Authority
PM
C&A program manager
certification and accreditation
SA
COMPUSEC system administrator
computer security
SBU
COMSEC sensitive but unclassified
communications security
SETAP
DA Security Education, Training, and Awareness
Department of the Army Program

DAA SIPRNET
designated approving authority Secret Internet Protocol Router Network

DII SOW
Defense Information Infrastructure statement of work

DITSCAP SSAA
Department of Defense Information Technol- system security authorization agreement
ogy Security Certification and Accreditation Pro-
cess USAAC
United States Army Accessions Command
DMZ
demilitarized zone WAN
wide area network
DOD
Department of Defense Section II
Te r m s
IA NOTE: These terms are taken from JCS Pub
information assurance 3-13.

IAM information assurance


information assurance manager Information operations that protect and defend
information systems by ensuring their availabil-
IANM ity, integrity, authentication, confidentiality, and
information assurance network manager nonrepudiation. This includes providing for res-
toration of information systems by incorporat-
IAPM ing protection, detection, and reaction capabili-
information assurance program manager ties.

IASO information system


information assurance security officer The entire infrastructure, organization, person-
nel, and components that collect, process, store,
IATO transmit, display, disseminate, and act on infor-
interim authority to operate mation.

INFOSEC
information security

IS
information system

20 UPDATE • USAAC Reg 25-2