Welcome to NYCU CSIT Mirror site

Orange Book Parts I and II: THE CRITERIA and RATIONALE AND GUIDELINES: THE RELATIONSHIP BETWEEN POLICY AND THE CRITERIA Previous Next Table of Contents

7. THE RELATIONSHIP BETWEEN POLICY AND THE CRITERIA

Section 1 presents fundamental computer security requirements and Section 5 presents the control objectives for Trusted Computer Systems. They are general requirements, useful and necessary, for the development of all secure systems. However, when designing systems that will be used to process classified or other sensitive information, functional requirements for meeting the Control Objectives become more specific. There is a large body of policy laid down in the form of Regulations, Directives, Presidential Executive Orders, and OMB Circulars that form the basis of the procedures for the handling and processing of Federal information in general and classified information specifically. This section presents pertinent excerpts from these policy statements and discusses their relationship to the Control Objectives. These excerpts are examples to illustrate the relationship of the policies to criteria and may not be complete.

7.1 ESTABLISHED FEDERAL POLICIES

A significant number of computer security policies and associated requirements have been promulgated by Federal government elements. The interested reader is referred to reference [ 36] which analyzes the need for trusted systems in the civilian agencies of the Federal government, as well as in state and local governments and in the private sector. This reference also details a number of relevant Federal statutes, policies and requirements not treated further below.

Security guidance for Federal automated information systems is provided by the Office of Management and Budget. Two specifically applicable Circulars have been issued. OMB Circular No. A-71, Transmittal Memorandum No. 1, Security of Federal Automated Information Systems, [ 30] directs each executive agency to establish and maintain a computer security program. It makes the head of each executive branch, department and agency responsible "for assuring an adequate level of security for all agency data whether processed in-house or commercially. This includes responsibility for the establishment of physical, administrative and technical safeguards required to adequately protect personal, proprietary or other sensitive data not subject to national security regulations, as well as national security data." [ 30, para. 4 p. 2]

OMB Circular No. A-123, Internal Control Systems, [ 31] issued to help eliminate fraud, waste, and abuse in government programs requires: (a) agency heads to issue internal control directives and assign responsibility, (b) managers to review programs for vulnerability, and (c) managers to perform periodic reviews to evaluate strengths and update controls. Soon after promulgation of OMB Circular A-123, the relationship of its internal control requirements to building secure computer systems was recognized. [ 4] While not stipulating computer controls specifically, the definition of Internal Controls in A-123 makes it clear that computer systems are to be included: [ 31, sec. 4.C]

Internal Controls -- The plan of organization and all of the methods and measures adopted within an agency to safeguard its resources, assure the accuracy and reliability of its information, assure adherence to applicable laws, regulations and policies, and promote operational economy and efficiency.

The matter of classified national security information processed by ADP systems was one of the first areas given serious and extensive concern in computer security. The computer security policy documents promulgated as a result contain generally more specific and structured requirements than most, keyed in turn to an authoritative basis that itself provides a rather clearly articulated and structured information security policy. This basis, Executive Order 12356, National Security Information, sets forth requirements for the classification, declassification and safeguarding of "national security information" per se. [ 18]

7.2 DOD POLICIES

Within the Department of Defense, these broad requirements are implemented and further specified primarily through two vehicles: 1) DoD Regulation 5200.1-R [ 10], which applies to all components of the DoD as such, and 2) DoD 5220.22-M, Industrial Security Manual for Safeguarding Classified Information [ 14] , which applies to contractors included within the Defense Industrial Security Program. Note that the latter transcends DoD as such, since it applies not only to any contractors handling classified information for any DoD component, but also to the contractors of eighteen other Federal organizations for whom the Secretary of Defense is authorized to act in rendering industrial security services. (See footnote (*) below.)

For ADP systems, these information security requirements are further amplified and specified in: 1) DoD Directive 5200.28 [ 11] and DoD Manual 5200.28-M [ 12], for DoD components; and 2) Section XIII of DoD 5220.22-M [ 14] for contractors. DoD Directive 5200.28, Security Requirements for Automatic Data Processing (ADP) Systems, stipulates: "Classified material contained in an ADP system shall be safeguarded by the continuous employment of protective features in the system's hardware and software design and configuration . . . ." [ 11, sec. IV] Furthermore, it is required that ADP systems that "process, store, or use classified data and produce classified information will, with reasonable dependability, prevent:

a. Deliberate or inadvertent access to classified material by unauthorized persons, and

b. Unauthorized manipulation of the computer and its associated peripheral devices." [ 11, sec. I B.3]

Requirements equivalent to these appear within DoD 5200.28-M [ 12] and in DoD 5220.22-M [ 14].

DoD Directove 5200.28 provides the security requirements for ADP systems. For some types of information, such as Sensitive Compartmented Information (SCI), DoD Directive 5200.28 states that other minimum security requirements also apply. These minima are found in DCID l/l6 (new reference number 5) which is implemented in DIAM 50-4 (new reference number 6) for DoD and DoD contractor ADP systems.

From requirements imposed by these regulations, directives and circulars, the three components of the Security Policy Control Objective, i.e., Mandatory and Discretionary Security and Marking, as well as the Accountability and Assurance Control Objectives, can be functionally defined for DoD applications. The following discussion provides further specificity in Policy for these Control Objectives.

Federal agencies footnote

(*) i.e., NASA, Commerce Department, GSA, State Department, Small Business Administration, National Science Foundation, Treasury Department, Transportation Department, Interior Department, Agriculture Department, U.S. Information Agency, Labor Department, Environmental Protection Agency, Justice Department, U.S. Arms Control and Disarmament Agency, Federal Emergency Management Agency, Federal Reserve System, and U.S. General Accounting Office.

7.3 CRITERIA CONTROL OBJECTIVE FOR SECURITY POLICY

Marking

The control objective for marking is: Systems that are designed to enforce a mandatory security policy must store and preserve the integrity of classification or other sensitivity labels for all information. Labels exported from the system must be accurate representations of the corresonding internal sensitivity labels being exported.

DoD 5220.22-M, Industrial Security Manual for Safeguarding Classified Information, explains in paragraph 11 the reasons for marking information: [ 14]

"a. General. Classification designation by physical marking, notation or other means serves to warn and to inform the holder what degree of protection against unauthorized disclosure is reqired for that information or material."

Marking requirements are given in a number of policy statements.

Executive Order 12356

(Sections 1.5.a and 1.5.a.1) requires that classification markings "shall be shown on the face of all classified documents, or clearly associated with other forms of classified information in a manner appropriate to the medium involved." [ 18]

DoD Regulation 5200.1-R

(Section 1-500) requires that: ". . . information or material that requires protection against unauthorized disclosure in the interest of national security shall be classified in one of three designations, namely: 'Top Secret,' 'Secret' or 'Confidential.'" [ 10] (By extension, for use in computer processing, the unofficial designation "Unclassified" is used to indicate information that does not fall under one of the other three designations of classified information.)

DoD Regulation 5200.1-R

(Section 4-304b) requires that: "ADP systems and word processing systems employing such media shall provide for internal classification marking to assure that classified information contained therein that is reproduced or generated, will bear applicable classification and associated markings." (This regulation provides for the exemption of certain existing systems where "internal classification and applicable associated markings cannot be implemented without extensive system modifications." [ 10] However, it is clear that future DoD ADP systems must be able to provide applicable and accurate labels for classified and other sensitive information.)

DoD Manual 5200.28-M

(Section IV, 4-305d) requires the following: "Security Labels - All classified material accessible by or within the ADP system shall be identified as to its security classification and access or dissemination limitations, and all output of the ADP system shall be appropriately marked." [ 12]

Mandatory Security

The control objective for mandatory security is: Security policies defined for systems that are used to process classified or other specifically categorized sensitive information must include provisions for the enforcement of mandatory access control rules. That is, they must include a set of rules for controlling access based directly on a comparison of the individual's clearance or authorization for the information and the classification or sensitivity designation of the information being sought, and indirectly on considerations of physical and other environmental factors of control. The mandatory access control rules must accurately reflect the laws, regulations, and general policies from which they are derived.

There are a number of policy statements that are related to mandatory security.

Executive Order 12356

(Section 4.1.a) states that "a person is eligible for access to classified information provided that a determination of trustworthiness has been made by agency heads or designated officials and provided that such access is essential to the accomplishment of lawful and authorized Government purposes." [ 18]

DoD Regulation 5200.1-R

(Chapter I, Section 3) defines a Special Access Program as "any program imposing 'need-to-know' or access controls beyond those normally provided for access to Confidential, Secret, or Top Secret information. Such a program includes, but is not limited to, special clearance, adjudication, or investigative requirements, special designation of officials authorized to determine 'need-to-know', or special lists of persons determined to have a 'need-to- know.'" [ 10, para. 1-328] This passage distinguishes between a 'discretionary' determination of need-to-know and formal need-to-know which is implemented through Special Access Programs. DoD Regulation 5200.1-R, paragraph 7-100 describes general requirements for trustworthiness (clearance) and need-to-know, and states that the individual with possession, knowledge or control of classified information has final responsibility for determining if conditions for access have been met. This regulation further stipulates that "no one has a right to have access to classified information solely by virtue of rank or position." [ 10, para. 7-100] )

DoD Manual 5200.28-M

(Section II 2-100) states that, "Personnel who develop, test (debug), maintain, or use programs which are classified or which will be used to access or develop classified material shall have a personnel security clearance and an access authorization (need-to-know), as appropriate for the highest classified and most restrictive category of classified material which they will access under system constraints." [ 12]

DoD Manual 5220.22-M

(Paragaph 3a) defines access as "the ability and opportunity to obtain knowledge of classified information. An individual, in fact, may have access to classified information by being in a place where such information is kept, if the security measures which are in force do not prevent him from gaining knowledge of the classified information." [ 14]

The above mentioned Executive Order, Manual, Directives and Regulations clearly imply that a trusted computer system must assure that the classification labels associated with sensitive data cannot be arbitrarily changed, since this could permit individuals who lack the appropriate clearance to access classified information. Also implied is the requirement that a trusted computer system must control the flow of information so that data from a higher classification cannot be placed in a storage object of lower classification unless its "downgrading" has been authorized.

Discretionary Security

The term discretionary security refers to a computer system's ability to control information on an individual basis. It stems from the fact that even though an individual has all the formal clearances for access to specific classified information, each individual's access to information must be based on a demonstrated need-to-know. Because of this, it must be made clear that this requirement is not discretionary in a "take it or leave it" sense. The directives and regulations are explicit in stating that the need-to-know test must be satisfied before access can be granted to the classified information. The control objective for discretionary security is: Security policies defined for systems that are used to process classified or other sensitive information must include provisions for the enforcement of discretionary access control rules. That is, they must include a consistent set of rules for controlling and limiting access based on identified individuals who have been determined to have a need-to-know for the information.

DoD Regulation 5200.1-R

(Paragraph 7-100) In addition to excerpts already provided that touch on need-to- know, this section of the regulation stresses the need- to-know principle when it states "no person may have access to classified information unless . . . access is necessary for the performance of official duties." [ 10]

Also, DoD Manual 5220.22-M

(Section III 20.a) states that "an individual shall be permitted to have access to classified information only . . . when the contractor determines that access is necessary in the performance of tasks or services essential to the fulfillment of a contract or program, i.e., the individual has a need-to-know." [ 14]

7.4 CRITERIA CONTROL OBJECTIVE FOR ACCOUNTABILITY

The control objective for accountability is: "Systems that are used to process or handle classified or other sensitive information must assure individual accountability whenever either a mandatory or discretionary security policy is invoked. Furthermore, to assure accountability the capability must exist for an authorized and competent agent to access and evaluate accountability information by a secure means, within a reasonable amount of time, and without undue difficulty.

This control objective is supported by the following citations:

DoD Directive 5200.28

(Section VI.A.1) states: "Each user's identity shall be positively established, and his access to the system, and his activity in the system (including material accessed and actions taken) controlled and open to scrutiny." [ 11]

DoD Manual 5200.28-M

(Paragraph 5-100) states: "An audit log or file (manual, machine, or a combination of both) shall be maintained as a history of the use of the ADP System to permit a regular security review of system activity. (e.g., The log should record security related transactions, including each access to a classified file and the nature of the access, e.g., logins, production of accountable classified outputs, and creation of new classified files. Each classified file successfully accessed (regardless of the number of individual references) during each 'job' or 'interactive session' should also be recorded in the audit log. Much of the material in this log may also be required to assure that the system preserves information entrusted to it.)" [ 12]

DoD Manual 5200.28-M

(Paragraph IV 4-305f) states: "Where needed to assure control of access and individual accountability, each user or specific group of users shall be identified to the ADP System by appropriate administrative or hardware/software measures. Such identification measures must be in sufficient detail to enable the ADP System to provide the user only that material which he is authorized." [ 12]

DoD Manual 5200.28-M

(Section I 1-102b) states: [ 129]

Component's Designated Approving Authorities, or their designees
for this purpose .  .  .  will assure:

           .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .

     (4) Maintenance of documentation on operating systems (O/S)
     and all modifications thereto, and its retention for a
     sufficient period of time to enable tracing of security-
     related defects to their point of origin or inclusion in the
     system.

           .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .

     (6) Establishment of procedures to discover, recover,
     handle, and dispose of classified material improperly
     disclosed through system malfunction or personnel action.

     (7) Proper disposition and correction of security
     deficiencies in all approved ADP Systems, and the effective
     use and disposition of system housekeeping or audit records,
     records of security violations or security-related system
     malfunctions, and records of tests of the security features
     of an ADP System."

DoD Manual 5220.22-M

(Paragraph 111) on audit Trails states:

a. The general security requirement for any ADP system audit trail is that it provide a documented history of the use of the system. An approved audit trail will permit review of classified system activity and will provide a detailed activity record to facilitate reconstruction of events to determine the magnitude of compromise (if any) should a security malfunction occur. To fulfill this basic requirement, audit trail systems, manual, automated or a combination of both must document significant events occurring in the following areas of concern: (i) preparation of input data and dissemination of output data (i.e., reportable interactivity between users and system support personnel), (ii) activity involved within an ADP environment (e.g., ADP support personnel modification of security and related controls), and (iii) internal machine activity.

b. The audit trail for an ADP system approved to process classified information must be based on the above three areas and may be stylized to the particular system. All systems approved for classified processing should contain most if not all of the audit trail records listed below. The contractor's SPP documentation must identify and describe those applicable:

  • 1. Personnel access;
  • 2. Unauthorized and surreptitious entry into the central computer facility or remote terminal areas;
  • 3. Start/stop time of classified processing indicating pertinent systems security initiation and termination events (e.g., upgrading/downgrading actions pursuant to paragraph 107);
  • 4. All functions initiated by ADP system console operators;
  • 5. Disconnects of remote terminals and peripheral devices (paragraph 107c);
  • 6. Log-on and log-off user activity;
  • 7. Unauthorized attempts to access files or programs, as well as all open, close, create, and file destroy actions;
  • 8. Program aborts and anomalies including identification information (i.e., user/program name, time and location of incident, etc.);
  • 9. System hardware additions, deletions and maintenance actions;
  • 10. Generations and modifications affecting the security features of the system software.

c. The ADP system security supervisor or designee shall review the audit trail logs at least weekly to assure that all pertinent activity is properly recorded and that appropriate action has been taken to correct any anomaly. The majority of ADP systems in use today can develop audit trail systems in accord with the above; however, special systems such as weapons, communications, communications security, and tactical data exchange and display systems, may not be able to comply with all aspects of the above and may require individualized consideration by the cognizant security office.

d. Audit trail records shall be retained for a period of one inspection cycle." [ 14]

7.5 CRITERIA CONTROL OBJECTIVE FOR ASSURANCE

The control objective for assurance is: "Systems that are used to process or handle classified or other sensitive information must be designed to guarantee correct and accurate interpretation of the security policy and must not distort the intent of that policy. Assurance must be provided that correct implementation and operation of the policy exists throughout the system's life-cycle."

A basis for this objective can be found in the following sections of DoD Directive 5200.28:

DoD Directive 5200.28

(IV.B.1) stipulates: "Generally, security of an ADP system is most effective and economical if the system is designed originally to provide it. Each Department of Defense Component undertaking design of an ADP system which is expected to process, store, use, or produce classified material shall: From the beginning of the design process, consider the security policies, concepts, and measures prescribed in this Directive." [ 11]

DoD Directive 5200.28

(IV.C.5.a) states: "Provision may be made to permit adjustment of ADP system area controls to the level of protection required for the classification category and type(s) of material actually being handled by the system, provided change procedures are developed and implemented which will prevent both the unauthorized access to classified material handled by the system and the unauthorized manipulation of the system and its components. Particular attention shall be given to the continuous protection of automated system security measures, techniques and procedures when the personnel security clearance level of users having access to the system changes." [ 118]

DoD Directive 5200.28

(VI.A.2) states: "Environmental Control. The ADP System shall be externally protected to minimize the likelihood of unauthorized access to system entry points, access to classified information in the system, or damage to the system." [ 11]

DoD Manual 5200.28-M

(Section I 1-102b) states [ 12]:

Component's Designated Approving Authorities, or their
designees for this purpose .  .  .  will assure:

             .  .  .  .  .  .  .  .  .  .  .  .  .

         (5) Supervision, monitoring, and testing, as
     appropriate, of changes in an approved ADP System
     which could affect the security features of the
     system, so that a secure system is maintained.

             .  .  .  .  .  .  .  .  .  .  .  .  .

         (7) Proper disposition and correction of security
     deficiencies in all approved ADP Systems, and the
     effective use and disposition of system housekeeping
     or audit records, records of security violations or
     security-related system malfunctions, and records of
     tests of the security features of an ADP System.

         (8) Conduct of competent system ST&E, timely
     review of system ST&E reports, and correction of
     deficiencies needed to support conditional or final
     approval or disapproval of an ADP System for the
     processing of classified information.

         (9) Establishment, where appropriate, of a
     central ST&E coordination point for the
     maintenance of records of selected techniques,
     procedures, standards, and tests used in the testing
     and evaluation of security features of ADP Systems
     which may be suitable for validation and use by other
     Department of Defense Components.

DoD Manual 5220.22-M

(Section XIII 103a) requires: "the initial approval, in writing, of the cognizant security office prior to processing any classified information in an ADP system. This section requires reapproval by the cognizant security office for major system modifications made subsequent to initial approval. Reapprovals will be required because of (i) major changes in personnel access requirements, (ii) relocation or structural modification of the central computer facility, (iii) additions, deletions or changes to main frame, storage or input/output devices, (iv) system software changes impacting security protection features, (v) any change in clearance, declassification, audit trail or hardware/software maintenance procedures, and (vi) other system changes as determined by the cognizant security office." [ 14]

A major component of assurance, life-cycle assurance, as described in DoD Directive 7920.1, is concerned with testing ADP systems both in the development phase as well as during operation [ 1710]. DoD Directive 5215.1 (Section F.2.C.(2)) requires "evaluations of selected industry and government-developed trusted computer systems against these criteria." [ 1310]


Previous Next Table of Contents