								MANUAL
								DOE M 205.1-4
								Approved: 3-8-07
	
			NATIONAL SECURITY SYSTEM MANUAL

1.	PURPOSE. This Department of Energy (DOE) Manual provides requirements for the 
	implementation of the following:

	a.	Committee on National Security Systems Policy No. 6, National Policy on 
		Certification and Accreditation of National Security Systems; 

	b.	National Security Telecommunications and Information System Security 
		Instruction No. 1000, National Information Assurance Certification and 
		Accreditation Process; 

	c.	National Industrial Security Program Operating Manual; and 

	d.	DOE cyber security program criteria for the implementation of management, 
		operational, and technical controls for DOE, including National Nuclear Security 
		Administration (NNSA), National Security Systems.  

2.	CANCELLATIONS. DOE M 471.2-2, Classified Information Systems Security Manual, 
	dated 8-3-99. Cancellation of a directive does not, by itself, modify or otherwise affect 
	any contractual obligation to comply with the directive. Contractor requirement 
	documents (CRDs) that have been incorporated into or attached to a contract remain in 
	effect until the contract is modified to either eliminate requirements that are no longer 
	applicable or substitute a new set of requirements. 

3.	APPLICABILITY.

	a.	All Departmental Elements. Except for the exclusions in paragraph 3c, this 
		Manual applies to Departmental elements that utilize National Security Systems 
		to collect, process, store, display, create, disseminate, or transmit information. 
		(Go to www.directives.doe.gov/pdfs/reftools/org-list.pdf for the current listing of 
		Departmental elements. This list automatically includes Departmental elements 
		created after the Manual is issued.) 

		The Administrator of the National Nuclear Security Administration (NNSA) will 
		assure that NNSA employees and contractors comply with their respective 
		responsibilities under this Manual. Nothing in this Manual will be construed to 
		interfere with the NNSA Administrator’s authority under section 3212(d) of 
		Public Law (P.L.) 106-65 to establish Administration specific policies, unless 
		disapproved by the Secretary.

	b.	DOE Contractors.

		(1)	Except for the exclusions in paragraph 3c, the Contractor Requirements 
			Document (CRD), Attachment 1, sets forth requirements of this Manual 
			that will apply to site/facility management contracts that include the CRD.

		(2)	This CRD must be included in all contracts that involve National Security 
			Systems that are used or operated by a contractor or other organization on 
			behalf of DOE, including NNSA, to collect, process, store, display, create, 
			disseminate, or transmit information.

		(3)	The heads of Departmental Elements are responsible for notifying 
			contracting officers of affected site/facility management contracts to 
			incorporate this directive into those contracts. Once notified, contracting 
			officers are responsible for incorporating the CRD into each affected 
			contract via the Laws, Regulations, and DOE Directives clause of the 
			contracts within 90 days.

		(4)	A violation of the provisions of the CRD relating to the safeguarding or 
			security of Restricted Data or other classified information may result in a 
			civil penalty pursuant to subsection a. of section 234B of the Atomic 
			Energy Act of 1954 (42 U.S.C. 228b.). The procedures for assessment of 
			civil penalties are set forth in Title 10, Code of Federal Regulations 
			(CFR), Part 824, Procedural Rules for the Assessment of Civil Penalties 
			for Classified Information Security Violations, (10 CFR 824).

		(5)	As stated in DEAR clause 970.5204-2, titled Laws, Regulations, and 
			DOE Directives, regardless of the performer of the work, site/facility 
			contractors with the CRD incorporated into their contracts are responsible 
			for compliance with the CRD. Affected site/facility management 
			contractors are responsible for flowing down the requirements of the CRD 
			to subcontracts at any tier to the extent necessary to ensure compliance 
			with the requirements. In doing so, contractors must not unnecessarily or 
			imprudently flow down requirements to subcontracts. That is, contractors 
			must both ensure that they and their subcontractors comply with the 
			requirements of this CRD and only incur costs that would be incurred by a 
			prudent person in the conduct of competitive business.

		(6)	This Manual does not automatically apply to other than site/facility 
			management contracts. Application of any of the requirements of this 
			Manual to other than site/facility management contracts will be 
			communicated as follows:

			(a)	Heads of Field Elements and Headquarters Departmental 
				Elements. Review procurement requests for new non-site/facility 
				management contracts that involve National Security Systems and 
				contain DEAR clause 952.204-2, Security Requirements. If 
				appropriate, ensure that the requirements of the CRD of this 
				Manual are included in the contract.

			(b)	Contracting Officers. Assist originators of procurement requests 
				who want to incorporate the requirements of the CRD of this 
				Manual in new non-site/facility management contracts, as 
				appropriate.

	c.	Exclusions. Consistent with the responsibilities identified in Executive Order 
		(E.O.) 12344, section 7, the Director, Naval Nuclear Propulsion Program will 
		ensure consistency throughout the joint Navy and DOE organization of the Naval 
		Nuclear Propulsion Program and will implement and oversee all requirements and 
		practices pertaining to this DOE Manual for activities under the Deputy 
		Administrator’s cognizance.

4.	OBJECTIVES.

	a.	To ensure that Senior DOE Management Program Cyber Security Plans (PCSPs) 
		are consistent with and achieve the objectives of Executive Orders, National 
		Security Directives, Federal regulations, and national level policy.

	b.	To establish baseline requirements and assign responsibilities for protecting 
		information on National Security Systems.

5.	IMPLEMENTATION. This Manual is effective 30 days after issuance. However, DOE 
	recognizes that this Manual cannot be implemented into Senior DOE Management 
	PCSPs overnight. DOE expects that Senior DOE Management shall implement the 
	criteria in this document within 90 days of its effective date. If Senior DOE Management 
	cannot implement all of the criteria by the scheduled milestone, Senior DOE 
	Management must establish a Plan of Actions and Milestones (POA&M) for 
	implementation of this Manual in their PCSP.

	a.	Senior DOE Management must develop, and issue to each operating unit, mission 
		oriented implementation policies for the criteria in this Manual. The Senior DOE 
		Management PCSPs must require their operating units to implement and maintain 
		at least the minimum requirements in this Manual for National Security Systems 
		within 120 days of the release of the PCSP.  If an operating unit cannot 
		implement the requirements of this Manual, as documented in the PCSP, by the 
		scheduled milestone, the operating unit must establish a POA&M for 
		implementation of the PCSP requirements. Information systems designated as 
		Intelligence Systems are subject to the requirements of the Director of National 
		Intelligence and are therefore excluded from the requirements of this Manual.

	b.	Existing accredited national security systems shall remain accredited until 
		reaccreditation is required, either because the systems have passed the 3-year 
		accreditation expiration date or because of significant changes in the security 
		requirements of the information system. After implementation of this Manual, 
		reaccreditation must be in accordance with this Manual. 

6.	SUMMARY. This Manual is composed of two chapters that provide direction for the 
	characterization of information, risk management, and security controls to be 
	implemented for National Security Systems and the responsibilities for managing cyber 
	security. These chapters address mandatory procedures and management processes. 

	Chapter I describes the requirements for the protection of National Security Systems 
	based on the information groups. Chapter II describes the management responsibilities 
	for implementing the requirements of Chapter I.

7.	DEFINITIONS. This section contains only those terms unique to this specific Manual. 
	Attachment 4 of DOE CIO Guidance CS-1, Management, Operations, and Technical 
	Controls Guidance includes definitions of terms in all DOE CIO Guides and Manuals.

	a.	Authenticated User. A user that has been properly identified and authenticated. 
		These are considered legitimate users of the information system.

	b.	Certifier. The Certification Agent and/or the Designated Approving Authority 
		responsible for conducting a comprehensive assessment of the technical, 
		operational, and assurance controls in the information system.

	c.	System Owner. The manager or other official responsible for the procurement, 
		development, integration, modification, or operation and maintenance of the 
		information system.

8.	REFERENCES.

	a.	Title XXXII of P.L. 106-65, National Nuclear Security Administration Act, as 
		amended, which established a separately organized agency within the Department 
		of Energy.

	b.	Title 44, United States Code, Chapter 35, Subchapter III, § 3547. National 
		security systems.

	c.	E.O. 13010, Critical Infrastructure Protection, as amended, dated July 15, 1996.

	d.	National Security Telecommunications and Information Systems Security 
		Committee Directive No. 500, Information Systems Security (INFOSEC) 
		Education, Training, and Awareness, dated 25 February 1993.

	e.	National Security Telecommunications and Information Systems Security 
		Committee Directive No. 501, National Training Program for Information 
		Systems Security (INFOSEC) Professionals, dated 16 November 1992.

	f.	National Security Telecommunications and Information Systems Security 
		Advisory Memorandum INFOSEC 1-99, The Insider Threat to U. S. Government 
		Information Systems, dated July 1999.

	g.	National Security Telecommunications and Information System Security 
		Instruction No. 1000, National Information Assurance Certification and 
		Accreditation Process, dated April 2000.

	h.	National Industrial Security Program Operating Manual, dated February 28, 2006.

9.	CONTACT. Questions concerning this Manual should be addressed to the Office of the 
	Chief Information Officer at 202-586-0166.

BY ORDER OF THE SECRETARY OF ENERGY:
	CLAY SELL
	Deputy Secretary

			CHAPTER I.  REQUIREMENTS

1.	INTRODUCTION. The DOE Under Secretaries (including the NNSA Administrator), 
	the Energy Information Administration (EIA), the Power Marketing Administrations 
	(PMAs), and DOE Chief Information Officer (CIO) (hereinafter referred to as Senior 
	DOE Management) may specify and implement supplemental requirements to address 
	specific risks, vulnerabilities, or threats not previously addressed or created in respect to 
	the DOE and alignment between their subordinate organizations and contractors 
	(hereafter called operating units), incorporating those requirements into their Program 
	Cyber Security Plan (PCSP), and ensuring that those requirements are incorporated into 
	contracts.

2.	PROGRAM CYBER SECURITY PLANS.

	a.	Senior DOE Management.

		PCSPs incorporating the requirements of this Manual must be developed as 
		required by DOE O 205.1A, Department of Energy Cyber Security Management 
		Program, dated 12-4-06, commensurate with the program-unique threats and risks 
		(in addition to those presented in the Departmental Cyber Security Threat 
		Statement and Risk Assessment).

	b.	Use of DOE CIO PCSP.

		Heads of Departmental elements, including the Energy Information 
		Administration (EIA), with subordinate elements outside DOE Headquarters 
		facilities and who are not required by Order 205.1A to prepare a PCSP, may 
		use the DOE CIO PCSP or an extension of the DOE CIO PCSP, or develop a 
		PCSP unique to the element for those subordinate elements outside DOE 
		Headquarters.

	c.	Supplemental Requirements. 

		Organizations responsible for preparing PCSPs may specify and implement 
		supplemental Senior DOE Management organizational requirements to address 
		specific risks, vulnerabilities, or threats not previously addressed or created in 
		respect to the DOE incorporating those requirements into their PCSP. PCSPs 
		must include processes that allow operating units to specify and implement 
		controls that address local or system specific risks, vulnerabilities, or threats not 
		addressed by the PCSP.

	d.	System Security Plans.

		(1)	Each National Security System must be covered by a System Security 
			Plan (SSP).

		(2)	The technical, operational, and assurance controls that comprise the 
			minimum set of security controls for the system must be documented in 
			the SSP, including any additional implementation information for the 
			control.  Any additional controls resulting from adjustments identified 
			during the risk management process must also be included in the SSP.

		(3)	The SSP must address how the system implements the minimum 
			technical, operational and assurance requirements identified in this 
			Manual. If the Consequence of Loss (CoL) for confidentiality, integrity 
			or availability has been increased by the Senior DOE Management or the 
			operating unit or there is a threat not identified in the DOE Cyber Threat 
			Statement, the SSP must describe the implementation of any additional 
			controls.

		(4)	Common security controls defined in the PCSP or operating unit cyber 
			security program can be technical (e.g., performed by a single system or 
			device in a network), operational (e.g. the same purging procedure 
			applies to all operating unit systems), or assurance (e.g. the same 
			configuration management process used for multiple systems).  Common 
			security controls must be documented in at least one approved SSP 
			associated with an accredited information system. The certification and 
			accreditation of that system will verify that the control has been correctly 
			implemented and is effective. Use of the control(s) in other information 
			systems requires DAA-approved testing to validate correct 
			implementation of the control(s) in the new information system.  Other 
			SSPs may reference that SSP for implementation documentation and 
			certification test results.

3.	INFORMATION CHARACTERIZATION.

	National security information is grouped (information group) based on sensitivity 
	(classification level, category, and need-to-know). The following paragraph describes 
	the information groups used by the DOE in increasing order of sensitivity (Top Secret 
	Restricted Data considered the most sensitive). National Security Systems must be 
	categorized based on the most sensitive information group they contain and the impact/ 
	CoL if the confidentiality, integrity and/or availability of the information is lost. The 
	impact is determined through a CoL concept that ranks the perceived value of each 
	information group in terms of confidentiality, integrity, and availability. A DOE 
	evaluation has determined a minimum DOE CoL value for each information group.

	a.	Information Groups.

		An information group contains all information types that require similar 
		protection or are similar in content or use. The DOE CIO has identified a 
		minimum set of national security information groups, not including SCI 
		information or information in special access programs. These information 
		groups have been used in assessing the risk to information and in defining the 
		minimum protection criteria for information systems containing each 
		information group. The information groups and sub-groups are:

		(1)	Confidential/Secret (C/S)—Information that is classified as Confidential 
			National Security Information, Confidential Formerly Restricted Data, 
			Confidential Restricted Data, Secret National Security Information, or 
			Secret Formerly Restricted Data and does not contain any nuclear 
			weapons data. 

		(2)	Secret Restricted Data (SRD)—Information that is classified Secret 
			Restricted Data and does not contain any nuclear weapons data.

		(3)	Confidential Restricted Data, Sigmas 1 through 13 (CRD1-13)—
			Information that is classified as Confidential and identified as Restricted 
			Data or Formerly Restricted Data, or is related to nuclear weapons, and 
			contains information that falls in at least one of the sigma categories 1 
			through 13 as described in DOE O 5610.2, Control of Weapon Data, and 
			successors.

		(4)	Secret Restricted Data, Sigmas 1 through 13, 15 and 20 (SRD1-13, 15, 
			20)—Information that is classified as Secret and identified as Restricted 
			Data and is related to nuclear weapons and contains information that falls 
			within at least one of the sigma categories 1 through 13, 15 and 20 as 
			described in DOE O 5610.2, Control of Weapon Data, and successors.

		(5)	Secret Restricted Data, Sigma 14 (SRD14)—Information that is 
			classified as Secret and identified as Restricted Data or is related to 
			nuclear weapons and contains information that falls within the Sigma 14 
			category, as described in DOE O 5610.2, Control of Weapon Data, DOE 
			M 452.4-1A, Protection of Use Control Vulnerabilities and Design, and 
			DOE O 457.1, Nuclear Counterterrorism, respectively and their 
			successors.

		(6)	Top Secret (TS)—Information that is classified as Top Secret National 
			Security Information or Top Secret Formerly Restricted Data and does 
			not contain any nuclear weapons data.

		(7)	Top Secret Restricted Data (TSRD)—Nuclear Weapons information that 
			is classified Top Secret.

	b.	Consequence of Loss. 

		Table 1, Table 2, and Table 3 describe the criteria used to determine the CoL to 
		confidentiality, integrity, and availability for all information groups.  Table 4 
		provides the results of the DOE evaluation of impact of loss for each national 
		security information group and represents the minimum CoL value for 
		confidentiality, integrity, and availability for each information group.

NOTE: Tables 1 through 4 are not reproduced in this text extraction; see the PDF.

Table 1. Consequence of Loss of Confidentiality

Table 2. Consequence of Loss of Integrity

Table 3. Consequence of Loss of Availability

Table 4. Consequence of Loss of Confidentiality, Integrity, and Availability

4.	RISK MANAGEMENT PROCESS.
	The DOE Cyber Threat Statement identifies the threats to DOE (including NNSA) 
	information and information systems and assesses the likelihood that a specified 
	perpetrator will initiate threat activities. The DOE Cyber Risk Assessment 
	evaluates the likelihood of threat activities against each information group and 
	identifies the uncompensated risk to the information group and the system on 
	which it resides. The risk management process must be accomplished throughout 
	the system lifecycle. 

	Each system must be categorized in order to identify the technical, operational, 
	and assurance controls that comprise the minimum set of security controls for the 
	system.  Additional controls may be added (control adjustments) to implement 
	supplemental requirements identified as a result of enterprise, operating unit, 
	system, or data owner risk management reviews. The operating unit risk 
	management process must include the following methods to characterize the 
	system and implement and adjust the controls.

	a.	System Categorization.

		The system categorization process consists of identifying the accreditation 
		boundary of the information system (hardware, firmware, software, and 
		connectivity), identifying each information group on information systems 
		within the boundary of the system and determining the highest CoL for 
		confidentiality for the system. The system can then be categorized using 
		the information group with the highest confidentiality CoL. The Protection 
		Index, see Table 4, is the index for selecting the technical, operational, and 
		assurance controls that comprise the minimum security criteria for the 
		system.

	b.	Controls Adjustment.

		The Senior DOE Management PCSP must describe the process for 
		adjusting the minimum controls described in this Manual. The controls are 
		analyzed in light of any decision by Senior DOE Management, the 
		operating unit, or information system owner to increase the CoL, 
		identification of a threat not identified in the DOE Threat Statement, 
		and/or identification of a standard practice not identified in the control set 
		for a protection index. Additional controls above the minimum controls 
		described for the protection index should be based on changes in the CoL, 
		Threats, or standard practices. 

5.	SINGLE USER, STAND-ALONE INFORMATION SYSTEMS.

	Extensive technical protection measures may be inappropriate and unnecessarily 
	expensive for single-user, stand-alone information systems.  Information systems 
	that have one user at a time, but have more than one user with no sanitization 
	between users, are multi-user information systems and are to fully comply with 
	the requirements in this Manual implemented in the Senior DOE Management 
	PCSP.  Senior DOE Management PCSPs are to establish the process for 
	determining which of the management, operational and technical controls 
	contained in this Manual are to be applied to stand-alone, single-user information 
	systems in the Senior DOE Management operating units.

6.	TECHNICAL CONTROLS.

	Technical controls rely on the information technology (IT) resource containing 
	the information. Technical controls are intended to be implemented within the 
	information system through means employing software, hardware, or firmware.

	NOTES: The control identifier appears in the following tables to indicate that the 
	control listed on the left must be implemented for the protection index 
	across the top. 

	The parenthetical numbers following a control identifier in the table 
	associate additional control enhancement(s) required for the protection 
	indices; control enhancements identify applicable protection indices and 
	are described with the corresponding control statement. The additional 
	controls must be implemented in addition to the primary control.  

	Where bolded and italicized items are in the control statement, the PCSP 
	or SSP developer must provide the information identified in the 
	bracketed, italicized clause to describe the implementation.

	a.	Security Audit.

		The PCSP must require each operating unit to implement the Security 
		Audit controls listed in Table 5 pertaining to the indicated Protection 
		Index for all national security systems under their responsibility. Security 
		auditing involves recognizing, recording, storing, and analyzing 
		information related to security-relevant activities. The audit records can 
		be used to determine which activities occurred and which user or process 
		was responsible for them. These controls address recognizing, 
		recording, storing, and analyzing information related to security-relevant 
		activities. 

Table 5. Security Audit Controls (table not reproduced in this text extraction; see the PDF)

	AU-1 SECURITY ALARMS

		The information system security controls shall include or exclude 
		auditable events from the set of audited events based on the user 
		identity and role and shall automatically alert the Information System 
		Security Officer (ISSO) and take [list of actions (e.g., automatically 
		lock out the system, isolate the system, no additional actions)] upon 
		detection of a potential security violation.

	AU-2 AUDITABLE EVENTS

		The information system shall provide the capability to compile audit 
		records from multiple components throughout the system into a system-
		wide (logical or physical), time-correlated audit trail.   The information 
		system shall provide the capability to manage the selection of events to 
		be audited by individual components of the system. 

		The information system security controls shall generate an audit record 
		of the following events:

		*	Start-up and shutdown of the audit functions

		*	Successful use of the user security attribute administration functions

		*	All attempted uses of the user security attribute administration 
			functions

		*	Identification of which user security attributes have been modified

		*	Successful and unsuccessful logons and logoffs

		*	Unsuccessful access to security relevant files including creating, 
			opening, closing, modifying, and deleting those files

		*	Changes in user authenticators

		*	Blocking or blacklisting user IDs, terminals, or access ports 

		*	Denial of access for excessive logon attempts

		*	System accesses by privileged users

		*	Privileged activities at the system console (either physical or logical 
			consoles) and other system-level accesses by privileged users

		*	Starting and ending times for each access to the system
		
		Control Enhancement (1):  For PI-5 through PI-7, the information 
		system security controls shall generate an audit record of the creation, 
		deletion, or change of a security label. The information system shall be 
		able to include or exclude auditable events from the set of audited 
		events based on the subject sensitivity label; object sensitivity label; 
		and source host identity.

	AU-3 AUDIT RECORD CONTENTS

		The audit record for each event shall contain at least the date and time 
		of the event, type of event, user/role, object acted upon, and the 
		outcome (success or failure) of the event.

		Control Enhancement (1):  For PI-5 through PI-7, the information 
		system security controls shall record within each audit record for each 
		audit event the sensitivity labels of subject, object, or information 
		involved; and source host identity.  

		Control Enhancement (2):  For PI-5 through PI-7, the information 
		system shall synchronize internal information system clocks at least 
		daily.

	AU-4 PROFILE BASED ANOMALY DETECTION

		The information system security controls shall be able to maintain profiles 
		of systems usage, where an individual profile represents the historical 
		patterns of usage performed by single users and/or members of group 
		accounts and/or [profile target group(s) (e.g. users who share a group ID 
		or group account, users who operate under an assigned role, users of an 
		entire system or network node)].

		Control Enhancement (1): For PI-5 through PI-7, the information system 
		shall employ automated mechanisms to integrate audit monitoring, 
		analysis, and reporting into an overall process for investigation and 
		response to suspicious activities. The information system shall employ  
		automated mechanisms to alert security personnel of  [list of additional 
		inappropriate or unusual activities that are to result in alerts (e.g., 
		Excessive login attempts across network; Access to privilege system files, 
		Exceeding data quotas/transfers, Creation of account; Privileged 
		account logged into multiple servers/ devices/applications; Attempts to 
		access unauthorized sites/computers/devices/objects; Unauthorized 
		shutdown/restart of system/device/application; Permission change for 
		user/file/application; Use of privileged commands; and Unauthorized 
		export from system to media)]. 

	AU-5 COMPLEX ATTACK HEURISTICS

		The information system security controls shall maintain an internal 
		representation of the event sequences of known intrusion scenarios and 
		signature events that may indicate a potential violation of information 
		system security; compare the signature events and event sequences 
		against a record of system activity; and alert security personnel and [list 
		of third parties (e.g., system owner, Alternate ISSO, network 
		administrator)] of a potential imminent violation of information system 
		security when system activity is found to match a signature event or 
		event sequence that indicates a potential violation of information 
		system security.

	AU-6 AUDIT REVIEW

		The information system security controls shall provide the ISSO and 
		authorized system administrators with the audit records and the capability 
		to read all audit information from the audit records in a manner suitable 
		for interpreting the information. Read access to the audit records shall be 
		prohibited to all other users. The information system security controls 
		shall provide the ability to perform searches, sorting, and ordering of audit 
		data based on user identity. Audit records shall be reviewed at least 
		weekly and retained for at least one year.

		Control Enhancement (1):  For PI-5 through PI-7, the information system 
		security controls shall provide the ability to perform searches, sorting, and 
		ordering of audit data based on subject sensitivity label, object sensitivity 
		label, and source host identity.

	AU-7 GUARANTEES OF AUDIT DATA AVAILABILITY

		The stored audit records shall be protected from unauthorized deletion, 
		prevent modification, and ensure that records already written (i.e. to 
		media) will be maintained when the audit storage is exhausted, the system 
		fails, or an attack occurs. An alarm (e.g. any clear indication that the pre-
		defined limit has been exceeded) shall be generated and provided to the 
		ISSO and the authorized system administrator if the audit trail storage 
		exceeds 80% of capacity. The information system shall prevent auditable 
		events from being lost (e.g., deleted, overwritten, not recorded), except 
		those taken by the ISSO or authorized system administrator if the audit 
		trail has reached storage capacity.  

		Control Enhancement (1):  For PI-5 through PI-7, the information system 
		shall cease operations if the audit trail has reached storage capacity.  The 
		ISSO is the only person authorized to restart operations once sufficient 
		audit capacity is available.
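An added example, not part of the Manual, showing how a defender might check an audit trail against AU-3 (required record contents, with the PI-5 through PI-7 enhancement), AU-6 (searching and ordering records by user identity) and AU-7 (the 80% storage alarm). The `key=value` record format, the field names, and the sample trail are all constructed for this illustration and are not DOE formats.

```python
"""Audit-trail checks modelled on AU-3, AU-6 and AU-7 (constructed example)."""
from typing import Dict, Iterable, List, Tuple

# Fields AU-3 requires in every audit record (field names are assumed).
AU3_BASE_FIELDS = ("timestamp", "event_type", "user", "object", "outcome")
# Fields AU-3 Control Enhancement (1) adds for PI-5 through PI-7.
AU3_PI5_FIELDS = ("subject_label", "object_label", "source_host")
# AU-3 fixes the outcome of an event to success or failure.
AU3_OUTCOMES = ("success", "failure")
# AU-7: alarm once the audit trail exceeds 80% of its storage capacity.
AU7_ALARM_PERCENT = 80

Record = Dict[str, str]
Finding = Tuple[int, str]


def parse_record(line: str) -> Record:
    """Parse one 'key=value key=value ...' audit line (constructed format)."""
    record: Record = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            record[key] = value
    return record


def missing_fields(record: Record, protection_index: int) -> List[str]:
    """Fields AU-3 requires at this Protection Index that the record lacks."""
    required = AU3_BASE_FIELDS
    if protection_index >= 5:
        required += AU3_PI5_FIELDS  # Control Enhancement (1) applies
    return [name for name in required if not record.get(name)]


def validate_trail(lines: Iterable[str], protection_index: int
                   ) -> Tuple[List[Record], List[Finding]]:
    """Parse a trail and return (records, findings).

    Each finding is (line_number, message) describing one AU-3 violation.
    """
    records: List[Record] = []
    findings: List[Finding] = []
    for number, line in enumerate(lines, start=1):
        record = parse_record(line)
        records.append(record)
        missing = missing_fields(record, protection_index)
        if missing:
            findings.append((number, "missing " + ", ".join(missing)))
        outcome = record.get("outcome")
        if outcome and outcome not in AU3_OUTCOMES:
            findings.append(
                (number, f"outcome must be success or failure, got {outcome!r}"))
    return records, findings


def records_for_user(records: Iterable[Record], user: str) -> List[Record]:
    """AU-6: select one user's records, ordered into a time-correlated sequence."""
    selected = [r for r in records if r.get("user") == user]
    return sorted(selected, key=lambda r: r.get("timestamp", ""))


def audit_storage_alarm(used_bytes: int, capacity_bytes: int) -> bool:
    """AU-7: True when the trail exceeds 80% of capacity (integer math, no rounding)."""
    if capacity_bytes <= 0:
        raise ValueError("capacity must be positive")
    return used_bytes * 100 > capacity_bytes * AU7_ALARM_PERCENT


# Constructed sample trail: record 3 lacks the PI-5 label fields, record 4 has
# an outcome AU-3 does not allow and lacks the label fields.
SAMPLE_TRAIL = [
    "timestamp=2007-03-08T08:00:00 event_type=logon user=alice object=ws-05 "
    "outcome=success subject_label=S object_label=S source_host=ws-05",
    "timestamp=2007-03-08T08:05:12 event_type=file_open user=bob "
    "object=/secure/plan.doc outcome=failure subject_label=C object_label=S "
    "source_host=ws-07",
    "timestamp=2007-03-08T07:59:30 event_type=audit_start user=system "
    "object=auditd outcome=success",
    "timestamp=2007-03-08T08:06:00 event_type=privileged_cmd user=alice "
    "object=/sbin/shutdown outcome=unknown source_host=ws-05",
]


if __name__ == "__main__":
    for pi in (4, 5):
        _, findings = validate_trail(SAMPLE_TRAIL, pi)
        print(f"PI-{pi}: {len(findings)} AU-3 finding(s)", findings)
    recs, _ = validate_trail(SAMPLE_TRAIL, 5)
    print("alice:", [r["event_type"] for r in records_for_user(recs, "alice")])
    print("AU-7 alarm at 81/100:", audit_storage_alarm(81, 100))
```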

	b.	Communication.

		The PCSP must require each operating unit to implement the Communication 
		controls listed in Table 6 pertaining to the indicated protection index for all 
		national security systems under their responsibility. These controls address 
		assuring the identity of the originator and recipient of transmitted information.

Table 6. Communication Controls (table not reproduced in this text extraction; see the PDF)

	CO-1 PROOF OF ORIGIN

		The information system security controls shall be able to generate 
		evidence of origin for transmitted [list of information types (e.g., 
		Confidential/Secret, Secret RD, Confidential RD, Secret RD 1-13, 
		etc.)] at the request of the originator, recipient, ISSO, or [list of third 
		parties (e.g., system owner, ISSM, project management, etc.)] and 
		provide a capability to verify the evidence of origin of information to 
		the originator, recipient, or [list of third parties (e.g., system owner, 
		project management, etc.)] given [limitations on the evidence of 
		origin (e.g., access authorization, formal access authorization, 
		need-to-know, etc.)]. The information system security controls shall 
		be able to relate the identity of user, level/category of information 
		and [list of attributes (e.g., user ID, authorized, labels authorized, 
		permission attributes)] of the originator of the information and the 
		[list of information fields (e.g., header information, IP addresses, 
		etc.)] of the information to which the evidence applies.

	CO-2 PROOF OF RECEIPT

		The information system security controls shall be able to generate 
		evidence of receipt for received [list of information types (e.g.,  
		Confidential/Secret, Secret RD, Confidential RD, Secret RD 1-13, 
		etc.)] at the request of the originator, recipient, ISSO, or [list of third 
		parties (e.g.,  system owner, ISSM, project management, etc.)] and 
		provide a capability to verify the evidence of origin of information to 
		the originator, recipient, or [list of third parties  (e.g., system owner, 
		project management, etc.)] given [limitations on the evidence of 
		origin (e.g., access authorization, formal access authorization, 
		need-to-know, etc.)]. The information system security controls shall 
		be able to relate the [list of attributes (e.g., user ID, authorized, 
		labels authorized, permission attributes)] of the recipient of the 
		information, and the [list of information fields (e.g., header 
		information, IP addresses, etc.)] of the information to which the 
		evidence applies. 

	c.	Cryptographic Support.

		The PCSP must require each operating unit to implement the Cryptographic 
		Support controls listed in Table 7 pertaining to the indicated protection index 
		for all national security systems under their responsibility. These controls 
		address the operational use and management of cryptographic keys when the 
		information system implements cryptographic functions.

Table 7. Cryptographic Support Controls
	SEE THE PDF

	CS-1 CRYPTOGRAPHIC KEY ESTABLISHMENT AND 
		MANAGEMENT

		When cryptography is required and used within the information system 
		for other than telecommunications, the information system security 
		controls shall establish and manage cryptographic keys using automated 
		mechanisms with supporting procedures or manual procedures. The 
		requirements in DOE Manual 205.1-3, Telecommunications Security 
		Manual, must be implemented for telecommunications systems.  If 
		cryptographic keys are not used, this should be stated in the SSP.

	CS-2 CRYPTOGRAPHIC OPERATION

		When cryptography is required and used within the information system 
		for other than telecommunications, the information system security 
		controls shall perform [list of cryptographic operations (e.g., password 
		encryption, e-mail encryption,  etc.)] in accordance with [specify the 
		cryptographic algorithms (e.g., AES, Triple-DES, etc.)] and [specify the 
		cryptographic key sizes] that meet [list of standards (e.g., FIPS 140-2, 
		etc.)]. The requirements in DOE M 205.1-3, Telecommunications 
		Security Manual, must be implemented for telecommunications 
		systems.  If cryptographic keys are not used this should be stated in the 
		SSP.

	d.	User Data Protection.

		The PCSP must require each operating unit to implement the User Data 
		Protection controls listed in Table 8 pertaining to the indicated protection index 
		for all national security systems under their responsibility. These controls 
		address user data within the information system, during import, export, and 
		storage as well as security attributes related to user data.

Table 8. User Data Protection Controls
	SEE THE PDF

	DP-1 COMPLETE ACCESS CONTROL

		The information system security controls shall enforce the Discretionary 
		Access Control (DAC) security policy based on access authorization and 
		need-to-know on all subjects acting on behalf of users, all named objects, 
		and all operations among subjects and objects covered by the DAC 
		security policy. The DAC security policy shall apply to all operations 
		between any object and subject within the information system. Any 
		named object that is not controlled by the DAC security policy must be 
		justified in the SSP.

	DP-2 SECURITY ATTRIBUTE BASED ACCESS CONTROL

		The information system security controls shall enforce the DAC security 
		policy to objects based on the user identity and group memberships 
		associated with a subject; and the following access control attributes 
		associated with an object: [list access control attributes (e.g., identity of 
		users, subjects, or objects; time restrictions; group membership)]. The 
		access control attributes must provide the ability to associate allowed or 
		denied operations with one or more user identities; the ability to 
		associate allowed or denied operations with one or more group identities; 
		and defaults for allowed or denied operations.

		In addition to the rules specified in DP-1, the information system security 
		controls shall enforce [a set of rules specifying the DAC policy] to 
		determine if an operation among controlled subjects and controlled 
		objects is allowed. For each operation, there shall be a DAC rule, or 
		rules, that use:

		*	The permission attributes where the user identity of the subject 
			matches a user identity specified in the access control attributes of 
			the object; 

		*	The permission attributes where the group membership of the subject 
			matches a group identity specified in the access control attributes of 
			the object; and

		*	The default permission attributes specified in the access control 
			attributes of the object when neither a user identity nor group identity 
			matches.

		The information system security controls shall explicitly authorize or 
		deny access of subjects to objects based on the [rules, based on security 
		attributes, which explicitly authorize or deny access of subjects to 
		objects (e.g., a specific privilege vector associated with a subject that 
		always grants or denies access to specific objects)].

		In completing the rules above, the resulting mechanism must be able to 
		specify access rules that apply to at least any single user. The mechanism 
		must also support specifying access to the membership of at least any 
		single group. Specification of these rules must be covered under DP-2 
		and DP-3. The PCSP or SSP must list the attributes that are used by the 
		DAC policy for access decisions.
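The three DP-2 rules form an ordered decision: a user entry on the object is consulted first, then any matching group entries, then the object's defaults, with the explicit authorize/deny rules of the last paragraph taking precedence over all three. The following is an added worked example of that ordering, not text or code from DOE M 205.1-4; the user, group and operation names, the dictionary layout of the access control attributes, and the choice that an explicit denial in any matching group wins are constructed assumptions (the Manual leaves how multiple group entries combine to the PCSP or SSP).

```python
from dataclasses import dataclass, field

# Added example, not part of DOE M 205.1-4. All identities and operation
# names used here are constructed placeholders.

@dataclass(frozen=True)
class Subject:
    user: str
    groups: frozenset          # group identities the subject carries


@dataclass
class AccessAttributes:
    """Access control attributes stored with a named object (DP-2)."""
    # identity -> {operation: True (allowed) / False (denied)}
    user_entries: dict = field(default_factory=dict)
    group_entries: dict = field(default_factory=dict)
    # defaults applied when neither a user nor a group identity matches
    default_entry: dict = field(default_factory=dict)


def dac_decision(subject, attrs, operation, privilege_vector=None):
    """Return 'permit' or 'deny' for `operation` by `subject` on an object
    carrying `attrs`. `privilege_vector` (assumed shape: {operation: bool})
    stands in for the Manual's "specific privilege vector" that explicitly
    authorizes or denies access and therefore wins over the attribute rules."""
    # Explicit authorize/deny rules take precedence over the three rules below.
    if privilege_vector is not None and operation in privilege_vector:
        return "permit" if privilege_vector[operation] else "deny"

    # Rule 1: the subject's user identity matches a user entry on the object.
    if subject.user in attrs.user_entries:
        allowed = attrs.user_entries[subject.user].get(operation, False)
        return "permit" if allowed else "deny"

    # Rule 2: the subject's group membership matches one or more group entries.
    matches = [attrs.group_entries[g] for g in subject.groups
               if g in attrs.group_entries]
    if matches:
        # Assumption (site-defined in the PCSP/SSP): explicit denial wins.
        if any(entry.get(operation) is False for entry in matches):
            return "deny"
        return "permit" if any(entry.get(operation) for entry in matches) else "deny"

    # Rule 3: neither identity matched, so the object's defaults apply.
    return "permit" if attrs.default_entry.get(operation, False) else "deny"
```

Because an unlisted operation is treated as denied at every rule, an object whose attributes are empty denies everything, which is the restrictive default MT-3 asks for.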

	DP-3 BASIC DATA AUTHENTICATION

		The information system security controls shall provide a capability to 
		generate evidence (e.g., cryptographic checksum, fingerprint, message 
		digest) that can be used as a guarantee of the validity of [list of objects or 
		information types (e.g., files, e-mail messages)] and shall provide user 
		or processes acting on behalf of users with the ability to verify evidence 
		of the validity of the indicated information.

	DP-4 EXPORT OF USER DATA WITHOUT SECURITY ATTRIBUTES

		The information system security controls shall enforce the Mandatory 
		Access Control (MAC) security policy when exporting unlabeled user data, 
		controlled under the MAC policy, outside the control of the information 
		system, and shall ensure that devices used to export data without 
		security attributes cannot be used to export data with security 
		attributes unless the change in device state is performed manually and 
		is auditable. Single-level Input/Output devices and single-level 
		communication channels are not required to maintain the sensitivity 
		labels of the information they process.

		When data is exported in human-readable or printable form, the 
		authorized administrator shall be able to specify the printable label that is 
		assigned to the sensitivity label associated with the data; each print job 
		shall be marked in accordance with DOE Classified Matter Protection 
		and Control (CMPC) requirements.

		When data is exported on removable media, the media must be marked in 
		accordance with DOE CMPC requirements.

	DP-5 EXPORT OF USER DATA WITH SECURITY ATTRIBUTES

		The information system security controls shall enforce the Mandatory 
		Access Control (MAC) security policy when exporting labeled user data, 
		controlled under the MAC security policy, outside the control of the 
		information system, by exporting the user data together with its 
		associated security attributes. The information system security 
		controls shall ensure that the security attributes, when exported outside 
		the control of the information system, are unambiguously associated with 
		the exported user data and shall enforce the following rules when user 
		data is exported from the control of the information system: 

		*	When data is exported in a human-readable or printable form the 
			authorized administrator shall be able to specify the printable label 
			that is assigned to the sensitivity label associated with the data; each 
			print job shall be marked in accordance with DOE CMPC 
			requirements.

		*	When data is exported on removable media, the media must be 
			marked and protected in accordance with DOE CMPC requirements.

		*	Devices used to export data with security attributes cannot be used to 
			export data without security attributes unless the change in device 
			state is performed manually and is auditable.

		*	Devices used to export data with security attributes shall completely 
			and unambiguously associate the security attributes with the 
			corresponding data.

	DP-6 SUBSET INFORMATION FLOW CONTROL

		The information system security controls shall enforce access control 
		policy based on protection index.

		Control Enhancement (1):  For PI-1 through PI-4, the DAC security 
		policy shall be enforced on [list of subjects (e.g., users, machines, 
		processes), information (e.g., email, files, specified network protocols), 
		and operations that cause controlled information to flow to and from 
		controlled subjects covered by DAC].

		Control Enhancement (2):  For PI-5 through PI-7, the MAC security 
		policy shall be enforced on [list of subjects (e.g., users, machines, 
		processes), information (e.g., email, files, specified network protocols), 
		and operations that cause controlled information to flow to and from 
		controlled subjects covered by MAC].

	DP-7 SIMPLE SECURITY ATTRIBUTES

		The information system security controls shall enforce the DAC security 
		policy based on the following types of subject and information security 
		attributes: [list the minimum number and type of security attributes 
		(e.g., user ID, group ID, file permission bits)]. The information system 
		security controls shall permit an information flow between a controlled 
		subject and controlled information via a controlled operation if the 
		security attribute-based relationship between the subject and object 
		holds. The information system security controls may explicitly authorize 
		or deny an information flow based on security attribute-based 
		relationship between the subject and the object.

	DP-8 HIERARCHICAL SECURITY ATTRIBUTES

		The information system security controls shall enforce MAC security 
		policy based on the sensitivity label of the subject and sensitivity label of 
		the object containing the information. The sensitivity label of subjects and 
		objects shall consist of a hierarchical level and a set of non-hierarchical 
		categories. The information system security controls may explicitly 
		authorize or deny an information flow based on [rules, based on security 
		attributes, which explicitly authorize or deny information flows].

		The information system security controls shall permit an information flow 
		between a controlled subject and controlled information via a controlled 
		operation, based on the ordering relationships between security attributes.

		*	If the sensitivity label of the subject (e.g., DOE Q clearance with 
			additional Sigma authorizations) is greater than or equal to the 
			sensitivity label of the object, then the flow of information from the 
			object to the subject is permitted (a read operation);

		*	If the sensitivity label of the object is greater than or equal to the 
			sensitivity label of the subject; then the flow of information from the 
			subject to the object is permitted (a write operation); or 

		*	If the sensitivity label of subject A is greater than or equal to the 
			sensitivity label of subject B; then the flow of information from 
			subject B to subject A is permitted. The information system security 
			controls may explicitly authorize or deny an information flow based 
			on [rules, based on security attributes, which explicitly authorize or 
			deny information flows].

		*	The information system security controls may explicitly authorize or 
			deny an information flow based on [rules, based on security 
			attributes, which explicitly authorize or deny information flows].
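The ordering relationship DP-8 relies on is a dominance relation: label A dominates label B when A's hierarchical level is at least B's and A's category set contains every category in B. Two labels can be incomparable (neither dominates), in which case neither a read nor a write between them is permitted. The following is an added worked example of that relation and of the three flow rules above; it is not code from DOE M 205.1-4. The level names, the category names "CAT-A" and "CAT-B", and the `explicit_rules` hook (standing in for the Manual's bracketed "[rules ... which explicitly authorize or deny information flows]") are constructed assumptions.

```python
from dataclasses import dataclass

# Added example, not part of DOE M 205.1-4. Level and category names are
# constructed placeholders, not DOE markings.

LEVEL_ORDER = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}  # hierarchical part


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset       # non-hierarchical part


def dominates(a, b):
    """a dominates b when a's level is at least b's and a's category set is a
    superset of b's. Labels with disjoint categories dominate in neither
    direction, so the relation is a partial order, not a total one."""
    return (LEVEL_ORDER[a.level] >= LEVEL_ORDER[b.level]
            and a.categories >= b.categories)


def mac_decision(subject, obj, operation, explicit_rules=None):
    """'permit' or 'deny' for a subject/object flow under DP-8.
    `explicit_rules` (assumed shape: callable returning True, False or None)
    represents the site's explicit authorize/deny rules; a non-None verdict
    overrides the ordering-based rule."""
    if explicit_rules is not None:
        verdict = explicit_rules(subject, obj, operation)
        if verdict is not None:
            return "permit" if verdict else "deny"
    if operation == "read":       # information flows object -> subject
        allowed = dominates(subject, obj)
    elif operation == "write":    # information flows subject -> object
        allowed = dominates(obj, subject)
    else:                         # unknown operation: nothing is permitted
        allowed = False
    return "permit" if allowed else "deny"


def subject_flow_permitted(src, dst):
    """Third DP-8 rule: subject B (src) may pass information to subject A (dst)
    only if A's label dominates B's."""
    return dominates(dst, src)
```

Note that a write from a subject to an object carrying the same label is permitted (the rule says "greater than or equal to"), while a write to a lower label, or to a label with a category the subject does not hold, is denied.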

	DP-9 IMPORT OF USER DATA WITHOUT SECURITY ATTRIBUTES

		When importing data from outside the control of the information system 
		(via authorized means, such as removable media or document scanner), 
		the information system security controls shall enforce the DAC security 
		policy regardless of the security attributes associated with the data.

		Control Enhancement (1):  For PI-5 through PI-7, the information system 
		security controls shall enforce the MAC security policy when importing 
		user data, controlled under the MAC security policy, from outside of the 
		control of the information system. Devices used to import user data, 
		controlled under MAC security policy, without security attributes cannot 
		be used to import data with security attributes unless the change in device 
		state is performed manually and is auditable.  Security attributes shall be 
		assigned to data upon import to the information system.

	DP-10 IMPORT OF USER DATA WITH SECURITY ATTRIBUTES

		The information system security controls shall enforce the MAC security 
		policy; wherein sensitivity labels consist of a hierarchical level and set of 
		non-hierarchical categories when importing labeled user data from outside 
		the control of the information system. The information system security 
		controls shall ensure that the protocol used provides for the unambiguous 
		association between security attributes and the labeled user data received 
		and that interpretation of the security attributes of the imported labeled 
		user data is as intended by the source of the user data. The information 
		system security controls shall use the security attributes associated with 
		the imported labeled user data and shall enforce the following rules when 
		user data is imported from outside the control of the information system: 

		*	Devices used to import data with security attributes cannot be used to 
			import data without security attributes unless the change in device 
			state is performed manually and is auditable.

		*	Devices used to import data with security attributes shall completely 
			and unambiguously associate the security attributes with the 
			corresponding data.

	DP-11 FULL RESIDUAL INFORMATION PROTECTION

		The information system security controls shall ensure that any previous 
		information content of a resource is made unavailable upon the allocation 
		of the resource. 

		Control Enhancement (1):  For PI-5 through PI-7, the information systems 
		security controls shall ensure that any previous information content of a 
		resource is made unavailable upon the allocation of the resource to all 
		subjects.

	DP-12 STORED DATA INTEGRITY MONITORING AND ACTION

		The information system security controls shall monitor user data stored 
		within the control of the information system for unauthorized modification 
		and unauthorized deletion on all objects, based on the following [user 
		data attributes]:

		*	When storing data to persistent storage, the information system shall 
			make use of the underlying error detection/correction mechanisms of the 
			media, and will detect and report failures on re-read.

		*	Where a particular persistent storage device does not innately provide an 
			effective correction facility, the information system shall store data in 
			such a way as to independently compute and validate an appropriate 
			error detection check.

		Upon detection of a data integrity error, the information system security 
		control shall enter a description of the error in the audit log and issue an 
		alarm.
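DP-3 asks for evidence (a cryptographic checksum or message digest) that a user or process can later verify, and the second DP-12 bullet asks the system to compute and validate its own error detection check where the media provides none, logging and alarming on failure. A keyed digest serves both, since a plain hash would detect media errors but not a deliberate modification that also rewrites the hash. The following is an added worked example covering both controls, not code from DOE M 205.1-4; the in-memory store, the object names, the HMAC-SHA256 construction and the `simulate_media_fault` helper are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Added example, not part of DOE M 205.1-4. The store, names and fault
# injection below are constructed for illustration.


class IntegrityError(Exception):
    """Raised when stored data no longer matches its evidence on re-read."""


class IntegrityStore:
    """Keeps each object with an HMAC-SHA256 tag computed under a key held by
    the security controls, so both silent media errors and unauthorized
    modification are detected when the object is read back."""

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)
        self._objects = {}     # name -> (data, tag)
        self.audit_log = []    # DP-12: description of each detected error
        self.alarms = []       # DP-12: one alarm per detected error

    def _tag(self, name, data):
        # The object name is bound into the tag so a valid tag cannot simply be
        # moved from one object to another.
        return hmac.new(self.key, name.encode() + b"\x00" + data,
                        hashlib.sha256).digest()

    def generate_evidence(self, name, data):
        """DP-3: store the object and return the evidence of its validity."""
        tag = self._tag(name, data)
        self._objects[name] = (bytes(data), tag)
        return tag

    def verify_evidence(self, name, data, tag):
        """DP-3: let a user or process check evidence for given data."""
        return hmac.compare_digest(self._tag(name, data), tag)

    def verify_stored(self, name):
        """DP-12: re-validate the stored copy; log and alarm on failure."""
        data, tag = self._objects[name]
        if self.verify_evidence(name, data, tag):
            return True
        self.audit_log.append(f"integrity error detected on re-read of {name!r}")
        self.alarms.append(name)
        return False

    def read(self, name):
        """Return the object's data, refusing to return data that fails the check."""
        if not self.verify_stored(name):
            raise IntegrityError(name)
        return self._objects[name][0]

    def simulate_media_fault(self, name, offset):
        """Flip one bit of the stored copy, standing in for a media error."""
        data, tag = self._objects[name]
        faulty = bytearray(data)
        faulty[offset] ^= 0x01
        self._objects[name] = (bytes(faulty), tag)
```

The key must be protected as information system security control data (see MT-4 and PT-2); if it is stored beside the objects with no access restriction, the evidence degrades to an ordinary checksum.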

	e.	Identification and Authentication.

		The PCSP must require each operating unit to implement the Identification and Authentication 
		controls listed in Table 9 pertaining to the indicated protection index for all national 
		security systems under their responsibility. These controls address the ability of the 
		information system to establish and verify a claimed user identity and its associated 
		security attributes.

Table 9. Identification and Authentication Controls
	SEE THE PDF

	IA-1 AUTHENTICATION FAILURE HANDLING

		The information system security controls shall detect when no more 
		than five (5) consecutive unsuccessful authentication attempts occur 
		related to the last successful session authentication for the indicated 
		user. When the defined number of unsuccessful authentication 
		attempts has been met or surpassed, the information system security 
		controls shall inform the system administrator and disable the user 
		account until it is unlocked by the administrator.
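IA-1 has three parts that are easy to get subtly wrong: the count is of consecutive failures since the last successful authentication (a success resets it), reaching the limit must both notify the administrator and disable the account, and once disabled, even a correct credential must not reopen the account until the administrator unlocks it. The following is an added worked example of that state machine, not code from DOE M 205.1-4; the class, the `notify_admin` callback and the user names are constructed assumptions.

```python
from dataclasses import dataclass

# Added example, not part of DOE M 205.1-4. The handler below is a
# constructed illustration of the IA-1 lockout rule.

MAX_CONSECUTIVE_FAILURES = 5   # the Manual's limit of five (5) attempts


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last success
    locked: bool = False


class AuthFailureHandler:
    def __init__(self, notify_admin):
        # notify_admin(user, failure_count) is called once when an account is disabled.
        self._accounts = {}
        self._notify_admin = notify_admin

    def _state(self, user):
        return self._accounts.setdefault(user, AccountState())

    def record_attempt(self, user, succeeded):
        """Record the outcome of one authentication attempt.
        Returns 'ok', 'failed' or 'locked'."""
        st = self._state(user)
        if st.locked:
            # A disabled account stays disabled regardless of the credential
            # presented; only admin_unlock() clears this state.
            return "locked"
        if succeeded:
            st.failures = 0    # count is relative to the last successful session
            return "ok"
        st.failures += 1
        if st.failures >= MAX_CONSECUTIVE_FAILURES:
            st.locked = True
            self._notify_admin(user, st.failures)
            return "locked"
        return "failed"

    def is_locked(self, user):
        return self._state(user).locked

    def failures(self, user):
        return self._state(user).failures

    def admin_unlock(self, user):
        """The administrator is the only party that re-enables the account."""
        st = self._state(user)
        st.locked = False
        st.failures = 0
```

The return value "locked" for a correct credential against a disabled account is deliberate: reporting "ok" there would leak that the credential was right, and reporting "failed" would keep the account disabled but mislead the audit trail.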

	IA-2 USER ATTRIBUTE DEFINITION 

		The information system security controls shall maintain the security 
		attributes of user identifier, group memberships, authentication data, 
		and security-relevant role for individual users.

		Control Enhancement (1):  For PI-5 through PI-7, the information 
		system security controls shall maintain the security attribute of 
		security clearances and formal access approvals for the individual 
		users.

	IA-3 VERIFICATION OF SECRETS

		The information system security controls shall provide a mechanism 
		to verify that secrets meet at least two-factor strong authentication 
		mechanisms prior to granting access to systems and the information 
		and resources managed by that system.

	IA-4 TIMING OF AUTHENTICATION

		The information system security controls shall allow [list of 
		information system security controls mediated actions (e.g., no 
		actions)] on behalf of the user to be performed before the user is 
		authenticated. However, each user shall be successfully authenticated 
		before allowing any other information system security controls 
		mediated actions.  

	IA-5 MULTIPLE AUTHENTICATION MECHANISMS

		The information system security controls may provide [list of 
		multiple authentication mechanisms (e.g., passwords; fingerprints; 
		or smart cards)] to support user authentication. Information system 
		security controls shall authenticate any user’s claimed identity 
		according to the [list the rules describing how the multiple 
		authentication mechanisms provide authentication (e.g., the user 
		must provide both a valid password and a fingerprint associated 
		with the user identifier; or the user must provide a password and a 
		smart card assigned to the user identifier)].

	IA-6 RE-AUTHENTICATION

		The information system security controls shall require re-authentication of 
		the user whenever a session that has been locked is unlocked.

	IA-7 PROTECTED AUTHENTICATION FEEDBACK

		The information system obscures feedback of authentication information 
		during the authentication process to protect the information from possible 
		exploitation/use by unauthorized individuals.

		Note: Obscured feedback implies the information system security control 
		does not produce a visible display of any authentication data entered 
		by a user, such as through a keyboard (e.g., echo the password on 
		the terminal). It is acceptable that some indication of progress be 
		returned instead, such as a “period or an asterisk” returned for each 
		character sent. 

	IA-8 TIMING OF IDENTIFICATION

		The information system security controls shall allow [list of information 
		system security controls mediated actions (e.g., no actions)] on behalf of 
		the user to be performed before the user is identified.

	IA-9 USER IDENTIFICATION BEFORE ANY ACTION

		The information system security controls shall require each user to 
		identify itself before allowing any other information system security 
		controls mediated actions on behalf of that user.

	IA-10 USER-SUBJECT DAC BINDING

		The information system security controls shall associate the following 
		user security attributes with subjects acting on behalf of that user: the user 
		identity that is associated with auditable events; the user identity or 
		identities that are used to enforce the DAC security policy; and the group 
		membership or memberships used to enforce the DAC security policy.

	IA-11 USER-SUBJECT MAC BINDING

		The information system security controls shall associate the user security 
		attribute of sensitivity label, consisting of a hierarchical level and a set of 
		non-hierarchical categories, used to enforce the MAC security policy, 
		with subjects acting on behalf of that user. The information system 
		security controls shall enforce the following additional rule on the initial 
		association of user security attributes with subjects acting on behalf of that 
		user: the sensitivity label associated with a subject shall be within the 
		clearance range, and the clearance level and formal access approvals of 
		the user.

	f.	Security Management.

		The PCSP must require each operating unit to implement the Security 
		Management controls listed in Table 10 pertaining to the indicated protection 
		index for all national security systems under their responsibility. These controls 
		address management of security attributes, information system security controls 
		data and functions, and different management roles and their interaction.
		
Table 10. Security Management Controls
	SEE THE PDF

	MT-1 MANAGEMENT OF SECURITY FUNCTIONS BEHAVIOR

		The information system security controls shall restrict the ability to 
		determine or modify the behavior of, disable, and enable the functions [list 
		of security functions (e.g., management functions that relate to access 
		control, accountability and authentication controls, controls over 
		availability)] to ISSOs and authorized system administrators.

	MT-2 MANAGEMENT OF SECURITY ATTRIBUTES

		The information system security controls shall enforce the DAC security 
		policy to restrict the ability to modify the security attributes [list of access 
		control attributes (e.g., the groups to which a user belongs and the 
		rights, such as read, write, and execute belonging to a role or user.)]. 
		The information system security controls shall ensure that only SSP-
		defined values are accepted for security attributes. The PCSP or SSP must 
		state the components of the access rights that may be modified, must state 
		any restrictions that may exist for a type of authorized user, and the 
		components of the access rights that the user is allowed to modify. The 
		ability to modify access rights must be restricted in that a user having 
		access rights to a named object does not have the ability to modify those 
		access rights unless granted the right to do so.

		Control Enhancement (1):  For PI-5 through PI-7, the information system 
		security controls shall enforce the MAC security policy to restrict the 
		ability to modify the security attributes sensitivity label associated with an 
		object to the ISSO and users authorized by the ISSO. The information 
		system must immediately notify the user of each change in the security 
		level or compartment associated with that user during an interactive 
		session.

	MT-3 STATIC ATTRIBUTE INITIALIZATION

		The information system security controls shall enforce the DAC security 
		policy to provide restrictive default values for security attributes that are 
		used to enforce the DAC security policy. 

		Control Enhancement (1):  For PI-5 through PI-7, the information system 
		security controls shall enforce the MAC security policy to provide 
		restrictive default values for security attributes that are used to enforce the 
		MAC security policy.

		The information system security controls shall allow the ISSO and users 
		authorized by the ISSO to specify alternative initial values to override the 
		default values when an object or information is created.

	MT-4 MANAGEMENT OF SECURITY DATA

		The information system security controls shall restrict the ability to create, 
		delete, and clear the audit trail and to modify and observe the set of 
		audited events to ISSOs and authorized system administrators. The 
		information system security controls shall restrict the ability to initialize 
		the authentication data and initialize and modify the user security 
		attributes, other than authentication data, to authorized system 
		administrators. The information system security controls shall restrict the 
		ability to modify the authentication data to authorized system 
		administrators and those users explicitly authorized to modify their own 
		authentication data (e.g., passwords). 

		Control Enhancement (1):  For PI-5 through PI-7, the information system 
		security controls shall restrict the ability to modify the information system 
		and object representation of time to ISSOs and authorized system 
		administrators.

	MT-5 REVOCATION

		The information system security controls shall restrict the ability to revoke 
		security attributes associated with the users within the information 
		system’s control to the ISSO and authorized system administrators. The 
		information system security controls shall enforce the immediate 
		revocation of security-relevant authorizations (e.g., next login, next 
		attempt to open the file, within a fixed time).  Upon revocation of security-
		relevant authorizations (e.g., disable subject) the system must [list of 
		authorized actions (e.g., reassign ownership of objects, disable access to 
		objects)] to ensure control of objects owned by subject. The information 
		system security controls shall restrict the ability to revoke the security 
		attributes associated with objects within the information system’s control 
		to users authorized to modify the security attributes by DAC or MAC 
		security policies. The information system security controls shall enforce 
		the access rights associated with an object when an access check is made.

		Control Enhancement (1):  For PI-5 through PI-7, the rules of the MAC 
		security policy (DP-6) are enforced on all future operations.

	MT-6 RESTRICTIONS ON SECURITY ROLES

		The information system security controls shall be able to associate users 
		with roles and shall maintain the roles of ISSO, authorized system 
		administrator, and users explicitly authorized by the DAC security policy 
		to modify object security attributes and their own authentication data (e.g., 
		passwords). The information system security controls shall ensure that the 
		conditions of [list conditions for the different roles (e.g., least privilege for 
		each user to perform the assigned role; a user assigned as an ISSO cannot 
		also be assigned the system administrator role and vice versa)] are 
		satisfied.

		Control Enhancement (1):  For PI-5 through PI-7, the information system 
		security controls shall also maintain the role of users authorized by the 
		MAC security policy to modify object security attributes.

	g.	Protection of the Information System Control Data.

		The PCSP must require each operating unit to implement the Protection of the 
		Information System Security Control Data listed in Table 11 pertaining to the 
		indicated protection index for all national security systems under their 
		responsibility. These controls ensure the mechanisms that provide the integrity 
		and security functions of the information system security controls operate as 
		designed. The focus is on information system control data protection rather than 
		user data protection.

Table 11. Protection of the Information System Security Controls
	SEE THE PDF

	PT-1 INFORMATION SYSTEM SECURITY CONTROL TESTING

		The information system controls shall run a suite of self-tests (e.g., 
		hardware page protection, sample communications across a network to 
		ensure receipt, and verifying the behavior of specific controls) during 
		initial start-up, periodically during normal operation, or at the request of 
		the authorized user and [list other conditions under which self test 
		should occur (e.g., recovery from failed condition/event)] to 
		demonstrate the correct operation of the information system security 
		controls.

	PT-2 INFORMATION SYSTEM SECURITY CONTROL DATA 
		TRANSMISSION

		The information system security controls shall protect all information 
		system security control data transmitted from the information system to a 
		remote trusted IT product from unauthorized disclosure during 
		transmission.

		Control Enhancement (1):  For PI-5 through PI-7, the information system 
		security controls shall protect information system security control data 
		from disclosure when it is transmitted between separate parts 
		(components) of the information system.

	PT-3 INFORMATION SYSTEM RECOVERY

		The organization employs manual or automated mechanisms with 
		supporting procedures to allow the information system to be recovered 
		and reconstituted to a known secure state after a disruption or failure. 

	PT-4 REPLAY DETECTION

		The information system security controls shall detect replay for [list of 
		identified entities (e.g., messages, service requests, service responses, 
		and user sessions)] and shall perform [list of specific actions (e.g., 
		ignoring the replayed entity, requesting confirmation of the entity from 
		the identified source, and terminating the subject from which the 
		re-played entity originated)] when replay is detected.
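A common way to meet PT-4 for messages that carry a monotonically increasing sequence number is a sliding-window detector: the receiver remembers the highest number seen from each source and a bitmap of which recent numbers have already arrived, accepts each number at most once, and treats anything older than the window as replayed. The following is an added worked example of that technique, not code from DOE M 205.1-4; the window size of 64, the per-sender keying, the `on_replay` callback (through which the site's chosen action, such as ignoring the entity or terminating the originating subject, would be taken) and the sender names are constructed assumptions.

```python
# Added example, not part of DOE M 205.1-4. A constructed sliding-window
# replay detector for sequence-numbered entities (messages, requests).

WINDOW = 64   # assumption: how many recent sequence numbers are remembered


class ReplayDetector:
    def __init__(self, on_replay):
        # on_replay(sender, seq) receives the site's chosen response action.
        self._state = {}          # sender -> (highest_seq, seen_bitmap)
        self._on_replay = on_replay

    def accept(self, sender, seq):
        """Return True if `seq` from `sender` is new, False if it is a replay.
        Bit 0 of the bitmap stands for highest_seq, bit k for highest_seq - k."""
        highest, seen = self._state.get(sender, (-1, 0))
        if seq > highest:
            # Newer than anything seen: slide the window forward.
            shift = seq - highest
            if shift >= WINDOW:
                seen = 1                       # everything old falls out
            else:
                seen = ((seen << shift) | 1) & ((1 << WINDOW) - 1)
            self._state[sender] = (seq, seen)
            return True
        offset = highest - seq
        if offset >= WINDOW or (seen >> offset) & 1:
            # Either older than the window (cannot be distinguished from a
            # replay, so rejected) or already accepted once.
            self._on_replay(sender, seq)
            return False
        # Late but not yet seen: accept and mark it.
        self._state[sender] = (highest, seen | (1 << offset))
        return True
```

Sequence numbers alone do not authenticate the sender; in practice the number is covered by the message's integrity protection (see PT-2), otherwise a forged number simply advances the window.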

	PT-5 NON-BYPASSABILITY OF THE SECURITY POLICY

		The information system security controls shall ensure that the 
		information system security policy enforcement functions are invoked 
		and succeed before each function within the information system’s control 
		is allowed to proceed.

	PT-6 DOMAIN SEPARATION

		The un-isolated portion of the information system security controls shall 
		maintain a security domain for its own execution that protects it from 
		interference and tampering by untrusted subjects and shall enforce 
		separation between the security domains of subjects under the control of 
		the information system.

		The information system security controls shall maintain the part of the 
		information system security controls related to the DAC security policy 
		in a security domain for their own execution that protects them from 
		interference and tampering by the remainder of the information system’s 
		controls and by subjects untrusted with respect to those DAC security 
		policy.

		Control Enhancement (1):  For PI-5 through PI-7, the information system 
		security controls shall maintain the part of the information system 
		security controls related to the DAC and MAC security policies in a 
		security domain for their own execution that protects them from 
		interference and tampering by the remainder of the information system 
		security controls and by subjects untrusted with respect to those DAC or 
		MAC security policies.

	PT-7 RELIABLE TIME STAMPS

		The information system security controls shall be able to provide reliable 
		time stamps for its own use.

	PT-8 FAIL SECURE

		The information system shall fail to a "secure" state, defined in the SSP, 
		in which the security functions of the data are consistent and the security 
		functions continue correct enforcement of the security policy.  The SSP 
		shall also specify those situations in which audit is desired and feasible 
		from the "secure" state.

		Failures in the security function may include "hard" failures, which 
		indicate an equipment malfunction and may require maintenance, service 
		or repair of the security function. Failures in the security function may 
		also include recoverable "soft" failures (e.g., failure of the integrity of 
		information system security control data, initialization or resetting of the 
		security function, etc.). 
 
	h.	Resource Utilization.

		The PCSP must require each operating unit to implement the Resource 
		Utilization controls listed in Table 12 pertaining to the indicated protection 
		index for all national security systems under their responsibility. These controls 
		support the availability of required resources.

Table 12. Resource Utilization Controls
	SEE THE PDF

	RU-1 QUOTAS

		The information system security controls shall enforce maximum quotas 
		of [list of controlled resources (e.g., file servers, disk drives, print 
		spoolers, etc.)] that an individual user, defined group of users, or subjects 
		can use simultaneously and/or over a specified period of time.

		Control Enhancement (1):  For PI-4 through PI-7, the information system 
		security controls shall enforce minimum quotas of [list of controlled 
		resources (e.g., file servers, disk drives, print spoolers, etc.)] that an 
		individual user, defined group of users, or subjects can use simultaneously 
		and/or over a specified period of time.
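		The two limits RU-1 names, a cap on simultaneous use and a cap on use over a specified period, can be enforced per principal with a small allocation tracker. The following is an added illustration, not DOE's code or a reference implementation; the resource name, quota values and the default-deny treatment of resources with no quota defined are constructed for the example. Minimum quotas (Control Enhancement 1) are not modelled.

```python
# Added example (not DOE's code): enforcing a maximum resource quota as RU-1
# states it, a cap on simultaneous use and a cap on use over a specified
# period, per principal (user, group or subject). Resource names, limits and
# the default-deny rule for unlisted resources are constructed assumptions.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Quota:
    max_concurrent: int      # simultaneous allocations allowed
    max_per_window: int      # allocations allowed within window_seconds
    window_seconds: float    # the "specified period of time"


class QuotaEnforcer:
    """Tracks allocations of a controlled resource per principal and refuses
    any request that would exceed either limit."""

    def __init__(self, quotas):
        # quotas: {(principal, resource): Quota}; a resource with no quota
        # entry is denied outright (assumed policy, not stated in RU-1).
        self.quotas = quotas
        self.active = defaultdict(int)       # (principal, resource) -> in-use count
        self.history = defaultdict(deque)    # (principal, resource) -> grant times

    def _prune(self, key, now):
        """Drop grants older than the window so the period limit slides."""
        window = self.quotas[key].window_seconds
        hist = self.history[key]
        while hist and now - hist[0] >= window:
            hist.popleft()

    def acquire(self, principal, resource, now):
        """Request one unit of the resource; returns (granted, reason)."""
        key = (principal, resource)
        if key not in self.quotas:
            return (False, "no quota defined; default deny")
        quota = self.quotas[key]
        self._prune(key, now)
        if self.active[key] >= quota.max_concurrent:
            return (False, "concurrent limit reached")
        if len(self.history[key]) >= quota.max_per_window:
            return (False, "period limit reached")
        self.active[key] += 1
        self.history[key].append(now)
        return (True, "granted")

    def release(self, principal, resource):
        """Return one unit; the grant still counts toward the period limit."""
        key = (principal, resource)
        if self.active[key] > 0:
            self.active[key] -= 1
            return True
        return False
```

		A release lowers the concurrent count but deliberately does not remove the grant from the period history, so a principal cannot evade the per-period cap by rapidly acquiring and releasing.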

	i.	Information System Access.

		The PCSP must require each operating unit to implement the Information System 
		Access Controls listed in Table 13 pertaining to the indicated protection index for 
		all national security systems under their responsibility. These controls are used to 
		control the establishment of a user’s session.

Table 13. Information System Access Controls
	SEE THE PDF

	SA-1 CONCURRENT SESSIONS LIMITATIONS

		The information system security controls shall limit the number of 
		concurrent sessions for any user to [Assignment: organization-defined 
		number of sessions].

	SA-2 SESSION LOCKING AND TERMINATION

		The information system security controls prevent further access to 
		the system by initiating a session lock after [Assignment: 
		organization-defined time period (e.g.,  15 minutes) of inactivity] 
		and the session lock remains in effect until the user reestablishes 
		access using appropriate identification and authentication procedures. 
		The information system automatically terminates a remote session 
		after [Assignment: organization-defined time period (e.g., 15 
		minutes after session lock period initiates)] of inactivity.

	SA-3 DEFAULT ACCESS BANNERS

		The information system displays an approved, system use notification 
		message before granting system access informing potential users: (i) 
		that the user is accessing a Department of Energy (DOE) computer 
		system. DOE computer systems are provided for the processing of 
		official U.S. Government information only. All data contained within 
		DOE computer systems is owned by the DOE, and (ii) that system 
		usage may be audited, intercepted, monitored, recorded, read, copied, 
		or captured in any manner and disclosed in any manner, by 
		authorized personnel. (See EN-12 for the sample warning text.) 
		The notification message remains on the screen until the user 
		takes explicit actions to log on to the information system.

	SA-4 INFORMATION SYSTEM ACCESS HISTORY

		The information system notifies the user, upon successful logon, of 
		the date and time of the last logon, and the number of unsuccessful 
		logon attempts since the last successful logon.

	SA-5 DENY SESSION ESTABLISHMENT

		The information system security controls shall be able to deny 
		session establishment based on [list attributes (e.g., user's identity, 
		clearance level, integrity level, membership in a role)].
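		SA-1, SA-2 and SA-4 together describe one piece of logon and session machinery: a concurrent-session cap, an inactivity lock that holds until re-authentication, termination of locked remote sessions, and a last-logon notice. The following session controller is an added example and not DOE's code; the session cap, the 15-minute timers and the notice format are constructed placeholders for the organization-defined assignments.

```python
# Added example (not DOE's code): a session controller implementing the
# SA-1, SA-2 and SA-4 requirements. MAX_CONCURRENT_SESSIONS and the two
# timers stand in for the organization-defined assignments; their values
# here are assumptions for illustration (SA-2 gives 15 minutes as an example).
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_CONCURRENT_SESSIONS = 2          # SA-1 assignment (assumed value)
LOCK_AFTER_SECONDS = 15 * 60         # SA-2 inactivity before session lock
TERMINATE_AFTER_SECONDS = 15 * 60    # SA-2 remote session ends this long after lock


@dataclass
class Session:
    user: str
    remote: bool
    last_activity: float
    locked: bool = False
    locked_at: Optional[float] = None
    terminated: bool = False


@dataclass
class UserRecord:
    last_successful_logon: Optional[float] = None
    failed_since_last_success: int = 0
    sessions: List[Session] = field(default_factory=list)


class SessionController:
    def __init__(self):
        self.users: Dict[str, UserRecord] = {}

    def _record(self, user: str) -> UserRecord:
        return self.users.setdefault(user, UserRecord())

    def active_sessions(self, user: str) -> List[Session]:
        return [s for s in self._record(user).sessions if not s.terminated]

    def logon(self, user: str, authenticated: bool, now: float, remote: bool = False):
        """Attempt a logon. On success returns the SA-4 notice (last logon time
        and failed attempts since then) alongside the new session."""
        rec = self._record(user)
        if not authenticated:
            rec.failed_since_last_success += 1       # counted for SA-4
            return {"granted": False, "reason": "authentication failed"}
        if len(self.active_sessions(user)) >= MAX_CONCURRENT_SESSIONS:
            return {"granted": False, "reason": "concurrent session limit"}  # SA-1
        notice = {"last_logon": rec.last_successful_logon,
                  "failed_attempts_since_last_logon": rec.failed_since_last_success}
        rec.last_successful_logon = now
        rec.failed_since_last_success = 0
        session = Session(user=user, remote=remote, last_activity=now)
        rec.sessions.append(session)
        return {"granted": True, "session": session, "notice": notice}

    def activity(self, session: Session, now: float) -> bool:
        """User input: refreshes the inactivity timer, but a locked or
        terminated session accepts nothing until unlocked (SA-2)."""
        if session.terminated or session.locked:
            return False
        session.last_activity = now
        return True

    def unlock(self, session: Session, reauthenticated: bool, now: float) -> bool:
        """The lock is lifted only by fresh identification and authentication."""
        if session.terminated or not session.locked or not reauthenticated:
            return False
        session.locked = False
        session.locked_at = None
        session.last_activity = now
        return True

    def tick(self, now: float) -> None:
        """Periodic sweep applying the SA-2 inactivity timers."""
        for rec in self.users.values():
            for s in rec.sessions:
                if s.terminated:
                    continue
                if not s.locked and now - s.last_activity >= LOCK_AFTER_SECONDS:
                    s.locked = True
                    s.locked_at = now
                if s.locked and s.remote and now - s.locked_at >= TERMINATE_AFTER_SECONDS:
                    s.terminated = True        # remote sessions do not stay locked forever
```

		Failed attempts are counted before the concurrent-session check so that the SA-4 notice reflects every failure, and a locked session ignores input rather than refreshing its timer, which is what keeps the lock in effect until the user re-authenticates.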

	j.	Trusted Path/Channels.

		The PCSP must require each operating unit to implement the Trusted 
		Path/Channels controls listed in Table 14 pertaining to the indicated 
		protection indices for all national security systems under their responsibility. 

		These controls are used to provide a secure communication path between users 
		and the information system security controls and a trusted channel between 
		the information system security controls and other trusted IT products.

Table 14. Trusted Path/Channels Controls
	SEE THE PDF

	TP-1 TRUSTED PATH

		The information system security controls shall provide a communication 
		path between itself and remote users that is logically distinct from other 
		communication paths and provides assured identification of its end points 
		and protection of the communicated data from modification or disclosure. 

		The information system security controls shall require the use of the 
		trusted path for initial user authentication and [other services for which 
		trusted path is required (e.g., transmission authorizations, 
		authentication to resources, etc.)] and shall permit the information system 
		security controls, local users, or remote users to initiate communication 
		via the trusted path.

7.	OPERATIONAL CONTROLS.

	The PCSP must require each operating unit to implement the Operational Controls listed 
	in Table 15 pertaining to the indicated protection index for all national security systems 
	under their responsibility. Operational controls are intended to be implemented within the 
	environment in which the information system resides through processes, procedures, or 
	other information systems. Operational controls were constructed for those objectives 
	that rely on physical protection and security processes and for those objectives that are 
	solely security operational issues.

	NOTE: The control identifier appears in the following tables to indicate that the control 
	listed on the left must be implemented for the protection index across the top. The 
	parenthetical numbers represent additional control enhancement described in the control 
	statement. Where bolded and italicized items are listed in the control statement, the PCSP 
	or SSP developer must provide the information identified in the italicized clause to 
	describe the implementation.

Table 15. Operational Controls
	SEE THE PDF

	EN-1 MALICIOUS ACCESS

		Information system security controls shall be implemented to detect, deter, 
		and respond to malicious actions by authenticated users.

	EN-2 MANAGEMENT OF USER IDENTIFIERS AND 
		AUTHENTICATORS

		Authentication credentials shall be protected from unauthorized access 
		during creation, use, and handling. Authenticated user information system 
		access shall be disabled when the user leaves the sponsoring organization, 
		Access Authorization is terminated, loses authorized access (for cause, 
		changes in organization, etc.), or upon information system detection of 
		attempts to bypass security. Prior to reuse of an authenticated user 
		identifier, all previous access rights and privileges (including file accesses 
		for that user identifier) shall be removed from the information system. 
		Authenticated user access, contact information, rights, and privileges, to 
		include sponsor, Access Authorization, need-to-know, means for off-line 
		contact, mailing address, shall be validated annually.

	EN-3 INFORMATION AVAILABILITY

		Capabilities and resources shall be provided to allow the information 
		system user to perform data backup at the user’s discretion. User and 
		information system data shall be available, or restorable, to meet mission 
		availability requirements. Periodic checking of backup inventory and 
		testing of the ability to restore information shall be accomplished to 
		validate mission availability requirements are met.  The organization shall 
		conduct backups of user-level and system-level information (including 
		system state information) contained in the information system 
		[Assignment: organization-defined frequency].

	EN-4 PURGING

		The information system components and removable media shall be purged 
		before the items can be reused in another system environment with the 
		same or different accreditation level as the original system components or 
		removable media. 

		All information system components and removable media shall be purged, 
		using Senior DOE Management approved procedures, prior to release for 
		use at a lower classification level, at a lower level of consequence, or 
		outside the information system boundary.

	EN-5 COVERT CHANNELS

		The information system must be reviewed to identify obvious covert 
		channels. 

	EN-6 HARDWARE AND SOFTWARE EXAMINATION

		Information system hardware and software components shall be examined 
		for security impacts to the information system before use.  

		Control Enhancement (1):  For PI-4 through PI-7, information system 
		hardware components shall be examined to validate the chip sets and 
		boards are from the manufacturer before use. Information system software 
		components shall be examined and tested to determine if the software 
		conforms to security relevant controls as documented by the system owner 
		and contains no malicious code before use. 

		Control Enhancement (2):  For PI-5 through PI-7, information system 
		hardware components shall be examined by manufacturer diagnostics to 
		confirm the information system chip sets and boards function as expected 
		before use. Information system software components shall be examined 
		and tested to determine if controls can be bypassed before use. 

	EN-7 FORENSICS

		Procedures shall be established and documented to ensure the 
		identification, collection, and preservation of data (at the system and 
		network level) needed to analyze and reconstruct events resulting from 
		penetration attempts, penetrations, and on-going cyber attacks and/or 
		failures.

	EN-8 INTRUSION DETECTION

		The site and network (when applicable) environment shall provide the 
		ability to detect (i.e., using methods readily available on the Internet to 
		attack known vulnerabilities) and sophisticated attacks on the network, 
		network components, and hosts from inside or outside the site, including 
		measures to detect and respond to unauthorized attempts to penetrate or 
		deny use.

	EN-9 INFORMATION SYSTEM INTERFACE

		The information system monitors and controls communications at the 
		external boundary of the information system and at key internal 
		boundaries within the system.  

		The organization implements a managed interface (boundary protection 
		devices in an effective security architecture) with any external connection, 
		implementing controls appropriate to the required protection of the 
		confidentiality and integrity of the information being transmitted.  The 
		information system denies information flow by default and allows 
		information flow by exception (i.e., deny all, permit by exception).  The 
		organization prevents the unauthorized release of information outside of 
		the information system boundary or any unauthorized communication 
		through the information system boundary when there is an operational 
		failure of the boundary protection mechanisms.
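		EN-9 states three properties of a managed interface: flows are denied by default and permitted only by explicit exception, the exceptions are a controlled policy, and an operational failure of the protection mechanism must not let information out. PT-8 (Fail Secure) asks for the same fail-closed behaviour of security functions generally. The following flow filter is an added example, not DOE's code or any product's configuration; the rule syntax, the networks and the sample flows are constructed for illustration.

```python
# Added example (not DOE's code): a deny-all, permit-by-exception flow filter
# for a managed boundary interface (EN-9) that fails closed when its policy
# cannot be loaded (PT-8). The rule syntax, addresses and sample policy are
# constructed assumptions for the example.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    direction: str   # "in" (entering the system) or "out" (leaving it)
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class PermitRule:
    direction: str
    proto: str
    src_net: ipaddress._BaseNetwork
    dst_net: ipaddress._BaseNetwork
    dport: int

    def matches(self, f: Flow) -> bool:
        return (f.direction == self.direction and f.proto == self.proto
                and f.dport == self.dport
                and ipaddress.ip_address(f.src) in self.src_net
                and ipaddress.ip_address(f.dst) in self.dst_net)


def load_rules(text: str) -> Optional[List[PermitRule]]:
    """Parse lines of the constructed form
        permit <in|out> <tcp|udp> <src_net> -> <dst_net> port <n>
    Returns None if any line is malformed: a damaged policy must never load
    partially, because a partial load could silently widen or drop exceptions."""
    rules: List[PermitRule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        p = line.split()
        try:
            if len(p) != 8 or p[0] != "permit" or p[4] != "->" or p[6] != "port":
                return None
            if p[1] not in ("in", "out") or p[2] not in ("tcp", "udp"):
                return None
            port = int(p[7])
            if not 0 <= port <= 65535:
                return None
            rules.append(PermitRule(p[1], p[2], ipaddress.ip_network(p[3]),
                                    ipaddress.ip_network(p[5]), port))
        except ValueError:                        # bad network or port literal
            return None
    return rules


class BoundaryFilter:
    def __init__(self, rules: Optional[List[PermitRule]]):
        # rules is None when the policy failed to load: the mechanism is in an
        # operational-failure state and must pass no traffic at all.
        self.rules = rules

    @property
    def healthy(self) -> bool:
        return self.rules is not None

    def decide(self, f: Flow) -> str:
        if not self.healthy:
            return "deny"                         # fail closed (PT-8, EN-9)
        try:
            if any(r.matches(f) for r in self.rules):
                return "permit"
        except ValueError:                        # unparsable address in the flow
            pass
        return "deny"                             # deny all, permit by exception


# Constructed sample policy for the managed interface (not a real site policy).
SAMPLE_POLICY = """
# outbound web access from the enclave to one approved external service
permit out tcp 10.20.0.0/16 -> 198.51.100.0/24 port 443
# inbound administration from that service's range to one management subnet
permit in  tcp 198.51.100.0/24 -> 10.20.5.0/24 port 22
"""
```

		Note the two places where the design chooses denial over convenience: any parse error discards the whole policy rather than the offending line, and a flow whose addresses cannot be parsed is dropped rather than matched loosely.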

	EN-10 MARKING

		Each information system, visual display, and output device shall be 
		marked in accordance with DOE Manual 470.4-4, Section 2.

	EN-11 INTERCONNECTED ENVIRONMENT

		The information system must provide the ability to specify and manage 
		user access rights to the information system and data resources (i.e., access 
		authorization through the network), supporting the organization’s security 
		policy for access control. 

	EN-12 USER NOTIFICATION

		All users shall be notified that they are subject to being monitored, 
		recorded, and audited through the use of the following approved 
		warning text.

			**WARNING**WARNING**WARNING**WARNING**

		This is a Department of Energy (DOE) computer system. DOE computer 
		systems are provided for the processing of official U.S. Government 
		information only. All data contained within DOE computer systems is 
		owned by the DOE, and may be audited, intercepted, recorded, read, 
		copied, or captured in any manner and disclosed in any manner, by 
		authorized personnel. THERE IS NO RIGHT OF PRIVACY IN THIS 
		SYSTEM. System personnel may disclose any potential evidence of crime 
		found on DOE computer systems to appropriate authorities. USE OF 
		THIS SYSTEM BY ANY USER, AUTHORIZED OR 
		UNAUTHORIZED, CONSTITUTES CONSENT TO THIS AUDITING, 
		INTERCEPTION, RECORDING, READING, COPYING, CAPTURING, 
		and DISCLOSURE OF COMPUTER ACTIVITY. 

			**WARNING**WARNING**WARNING**WARNING**

		Explicit acknowledgement of the warning by the user is required before 
		granting the user access to system resources.

	EN-13 NEED-TO-KNOW

		Prior to their first access to information, each user’s need-to-know shall be 
		formally authorized by management, the data owner, or the data-steward. 

	EN-14 PHYSICAL SECURITY

		Access controls shall ensure that personnel granted unescorted physical 
		access to the information, the information system, or human readable 
		media have the appropriate access authorization, formal access approval, 
		and need-to-know. Physical attack, which might compromise security, on 
		those parts of the information system critical to security shall be deterred 
		and detected.

	EN-15 PHYSICAL ACCESS PROTECTION

		The information system shall be protected by being constantly attended 
		and under the control of a person that possesses proper access 
		authorization, formal access approval, and need-to-know, or by physical 
		protection, as prescribed for the classification level and category of the 
		information, to restrict access to those with appropriate clearance, formal 
		access approvals, and need-to-know.

		The information system shall be protected by default setting of 
		disabled/closed, with all ports and/or devices capable of writing to 
		removable or external media being protected from unauthorized 
		modification or use by [describe software and/or hardware means used 
		to prevent unauthorized use or modification of all ports and/or devices 
		capable of writing to removable or external media (e.g., software such as 
		Sanctuary, etc.)]. When this protection is implemented by software, the 
		named object must be listed in DP-1 and access control rules described in 
		DP-2.

	EN-16 ENVIRONMENTAL PROTECTION

		The information system environment shall be capable of physically 
		protecting the information system and components stored in a remote 
		location by signaling the occurrence of fire, flood, power loss, and 
		environmental control failures that might adversely affect information 
		system operations.

	EN-17 INFORMATION PROTECTION

		Information protection shall be required whenever national security 
		information is to be transmitted through components or areas where 
		individuals not authorized to have access to the information may have 
		unescorted physical or uncontrolled electronic access to the information or 
		communications media. One or more of the following methods approved 
		through the Senior DOE Management PCSP for the level and category of 
		information must be used to protect the information in transit [i.e., 
		information distributed only within an area approved for open storage of 
		the information; National Security Agency (NSA) approved Type I 
		encryption mechanisms; DOE approved encryption mechanisms; or 
		DOE approved Protected Transmission Systems].

	EN-18 SYSTEM RECOVERY

		All remote terminal access must be monitored and controlled when used 
		for system recovery operations.

	EN-19 MEDIA AND COMPONENT REVIEW

		All media (paper, disks, zip drives, removable disk drives, etc.) shall be 
		reviewed by an authorized derivative classifier for sensitivity and properly 
		marked before release outside the system boundary.	
	
	EN-20 USER ACCESS RIGHTS AND PRIVILEGES

		Each user’s access rights and privileges shall be based on the least 
		privilege principle and authorized by the ISSO or user(s) authorized by the 
		ISSO prior to the user's first access to the information system.

	EN-21 SECURITY ROLES

		The same person must not perform the functions of the ISSO and the 
		system administrator. Other roles involved with security administration, 
		such as DBMS administration, must not be performed by the same people 
		performing the ISSO and system administrator roles.

	EN-22 TWO-PERSON RULE

		The ISSO and system administrator shall be present when audit 
		parameters or audit file contents are modified.

	EN-23 USER TRAINING

		All authenticated users shall be trained to understand applicable 
		information system use policies, the approved use of the information 
		system, the vulnerabilities inherent in the operation of the information 
		system, and their cyber security responsibilities.

	EN-24 USER CLEARANCE

		All users (including privileged users) shall possess a current Access 
		Authorization prior to their first access to the information system.

		Control Enhancement (1):  For PI-1 and PI-3, all users shall, at a 
		minimum, possess a current "L" Access Authorization.

		Control Enhancement (2):  For PI-2 and PI-4 through PI-7, all users shall, 
		at a minimum, possess a current "Q" Access Authorization.

	EN-25 NATIONAL SECURITY SYSTEM WORKSTATIONS

		Workstations shall be prohibited from reading from, or writing to, 
		removable media without appropriate security controls, including system-
		level intervention to permit unique read/write events.  The security 
		controls and unique read/write events shall be documented in the security 
		plan.  Additionally, diskless workstations not located within an area 
		approved for “open storage” of classified information shall not contain 
		non-volatile memory (other than simple BIOS).

8.	ASSURANCE CONTROLS.

	Assurance controls are intended to be implemented through: (1) actions taken by system 
	owners (developers and implementers) of security controls to use state-of-the-practice 
	design, development, and implementation techniques and methods; and (2) actions taken 
	by security control certifiers during the Certification and Accreditation (C&A) process to 
	determine the extent to which the controls are implemented correctly, operating as 
	intended, and producing the desired outcome with respect to meeting the security 
	requirements for the system. Assurance considerations related to developers and 
	implementers of security controls are addressed in this Manual. The assurance 
	philosophy is to provide assurance based upon an evaluation (active investigation) of the 
	information system by checking the validity of the documentation and the resulting 
	information system by certifiers with increasing emphasis on scope, depth, and rigor. 

	NOTE: The control identifier appears in the following tables to indicate that the control 
	listed on the left must be implemented for the protection index across the top. The 
	parenthetical numbers represent additional control enhancement described in the control 
	statements.

	a.	Configuration Management. 

		The PCSP must require each operating unit to implement the Configuration 
		Management assurance controls listed in Table 16 pertaining to the indicated 
		protection index for all national security systems under their responsibility. These 
		controls are used to ensure the integrity of the information system is preserved by 
		requiring discipline and control in the process of refinement and modification of 
		the information system and other related information. Configuration Management 
		provides assurance that the information system and documentation used to 
		evaluate the information system reflect the same requirements.

Table 16. Configuration Management Controls
	SEE THE PDF

	CM-1 CONFIGURATION MANAGEMENT SYSTEM

		The system owner shall provide a reference identifier for the 
		information system, use a Configuration Management (CM) system, 
		and provide CM documentation.

		The reference identifier for the information system shall be unique to each 
		version of the information system and the information system shall be 
		labeled with its reference. The CM system shall uniquely identify all 
		configuration items. The CM documentation shall include a configuration 
		list that describes the configuration items that comprise the information 
		system and the method used to uniquely identify the configuration items.
		The certifier, during the C&A process, shall confirm that the 
		documentation provided meets all the requirements for content.

		The CM documentation shall include a CM plan that describes how the 
		CM system is used. The CM system shall provide measures such that only 
		authorized changes are made to configuration items. The C&A process 
		shall demonstrate that the CM system is operating in accordance with the 
		plan and documentation shows that all configuration items have been and 
		are being effectively maintained under the CM system.

		Control Enhancement (1):  For PI-4 through PI-7, the CM documentation 
		shall include an acceptance plan that describes the procedures used to 
		accept modified or newly created configuration items. The CM system 
		shall support the generation of the information system, provide an 
		automated means by which only authorized changes are made to the 
		information system and CM implementation representation, and describe 
		the automated tools used in the CM system.

	CM-2 CONFIGURATION MANAGEMENT DOCUMENTATION

		The system owner shall provide CM documentation. The CM 
		documentation shall show that the CM system, as a minimum, tracks the 
		following: The information system implementation representation, design 
		documentation, functional and security test documentation, user 
		documentation, administrator documentation, and CM documentation 
		(e.g., version and change log). The CM documentation shall describe how 
		the configuration items are tracked by the CM system.

		The certifier, during the C&A process, shall confirm that the 
		documentation provided meets all the requirements for the content.

		Control Enhancement (1):  For PI-4 through PI-7, the CM documentation 
		shall show that the CM system tracks security flaws.

	b.	Delivery and Operations.

		The PCSP must require each operating unit to implement the Delivery and 
		Operations assurance controls listed in Table 17 pertaining to the indicated 
		protection index for all national security systems under their responsibility. 
		These controls are used to define the measures, procedures, and standards 
		concerned with secure delivery, installation, and operational use of the 
		information system ensuring that the security protection offered by the 
		information system is not compromised during transfer, installation, start-up, 
		and operation.

Table 17. Delivery and Operations Controls
	SEE THE PDF

	DO-1 DELIVERY PROCEDURES

		The system owner shall document procedures for delivery of the 
		information system or parts of it to the user and shall use the delivery 
		procedures. The delivery documentation shall describe all procedures 
		that are necessary to maintain security when distributing versions of 
		the information system or updates to the user’s site.

		The certifier, during the C&A process, shall confirm that the 
		documentation provided meets all the requirements for the content.

	DO-2 INSTALLATION, GENERATION, AND STARTUP 
		PROCEDURES

		The system owner shall document procedures necessary for the secure 
		installation, generation, and startup of the information system. The 
		documentation shall describe the steps necessary for secure 
		installation, generation, and start-up of the information system. The 
		documentation shall confirm that the information provided meets all 
		requirements for content.

		The certifier, during the C&A process, shall determine that the 
		installation, generation and startup procedures result in a secure 
		configuration.

		Note: The required documentation depends on the way that the 
		information system is generated and installed. For example, the 
		generation of the information system from source code may be done at 
		the development site, in which case the required documentation would 
		be considered part of the design documentation. If some part of the 
		information system generation is done by the system administrator, it 
		would be part of the administrative guidance. Similar circumstances 
		would apply to both installation and startup procedures.

	c.	Development.

		The PCSP must require each operating unit to implement the Development 
		assurance controls listed in Table 18 pertaining to the indicated protection 
		index for all national security systems under their responsibility. These 
		controls are used to define the information system security controls at various 
		levels of detail and provide information to help the certifier determine 
		whether the controls have been properly implemented.

Table 18. Development Controls
	SEE THE PDF

	DV-1 CORRESPONDENCE DEMONSTRATION

		The system owner shall provide a functional specification for systems 
		other than Commercial Off-the-Shelf (COTS) software. The functional 
		specification shall provide the high-level design. The system owner 
		shall provide the high-level design (HLD) of the information system 
		security controls. The HLD shall be internally consistent; shall describe 
		the structure of the information system security controls in terms of 
		subsystems; shall describe the security functionality provided by each 
		subsystem of the information system security controls; shall identify 
		any underlying hardware, firmware, and / or software required by the 
		information system security controls with a presentation of the 
		functions provided by the supporting protection mechanisms 
		implemented in that hardware, firmware, or software; shall identify all 
		interfaces to the subsystems of the information system security controls; 
		and shall identify which of the interfaces to the subsystems of the 
		information system security controls are externally visible.

		The certifier, during the C&A process, shall confirm that the 
		documentation provided meets all the requirements for content, shall 
		determine that the functional specification is an accurate and complete 
		representation of the information system security functional 
		requirements, and determine that the high-level design is an accurate 
		and complete description of the information system security functional 
		requirements.

		Control Enhancement (1):  For PI-3 through PI-7, the HLD shall 
		describe the purpose and method of use of all interfaces to the 
		subsystems of the information system security controls, providing 
		details of effects, exceptions, and error messages, as appropriate and 
		shall describe the separation of the information system into security 
		control-enforcing components and other subsystems.

	DV-2 IMPLEMENTATION OF THE INFORMATION SYSTEM 
		CONTROLS

		The system owner shall provide the implementation representation for a 
		selected subset of the information system security controls. The 
		implementation representation shall unambiguously define the 
		information system security controls to a level of detail such that the 
		information system security controls can be generated without further 
		design decisions. The implementation representation shall be internally 
		consistent.

		The certifier, during the C&A process, shall confirm that the 
		documentation provided meets all requirements for the content and 
		presentation of evidence and determine that the least abstract 
		information system security controls representation provided is an 
		accurate and complete instantiation of the information system security 
		functional requirements.

	DV-3 INFORMATION SYSTEM SECURITY POLICY MODEL

		The system owner shall provide an information system security policy 
		model. The system owner shall demonstrate correspondence between 
		the functional specification and the information system security policy 
		model. The information system security policy model shall describe the 
		rules and characteristics of all policies of the information system 
		security policy that can be modeled and include a rationale that 
		demonstrates that it is consistent and complete with respect to all 
		policies of the information system security policy that can be modeled. 

		The demonstration of correspondence between the information system 
		security policy model and the functional specification shall show that 
		all of the security functions in the functional specification are consistent 
		and complete with respect to the information system security policy 
		model.

		The certifier, during the C&A process, shall confirm that the 
		documentation provided meets all requirements for the content.

	d.	Guidance Documents.

		The PCSP must require each operating unit to implement the Guidance 
		Documents assurance controls listed in Table 19 pertaining to the indicated 
		protection index for all national security systems under their responsibility. 

		These controls are used to provide guidance to the system administrator and 
		user for the secure operation of the information system that is understandable 
		and complete.

Table 19. Guidance Documents Controls
	SEE THE PDF

	GD-1 ADMINISTRATOR GUIDANCE

		The system owner shall provide administrator guidance to system 
		administrative personnel. The administrator guidance shall describe the 
		administrative functions and interfaces available to the administrator of 
		the information system; shall describe how to administer the 
		information system in a secure manner; shall contain warnings about 
		functions and privileges that should be controlled in a secure processing 
		environment; shall describe all assumptions regarding user behavior 
		that are relevant to secure operation of the information system; shall 
		describe all security parameters under the control of the administrator, 
		indicating secure values as appropriate; shall describe each type of 
		security relevant event relative to the administrative function that needs 
		to be performed, including changing the security characteristics of 
		entities under the control of the information system security controls; 
		shall describe and be consistent with all other documentation supplied 
		for evaluation; and shall describe all security requirements for the IT 
		environment that are relevant to the administrator.

		The certifier, during the C&A process, shall confirm that the 
		documentation provided meets all requirements for the content.

	GD-2 USER GUIDANCE  

		The system owner shall provide user guidance. The user guidance shall 
		describe the functions and interfaces available to the non-administrative 
		users of the information system; shall describe the use of user-
		accessible security functions provided by the information system; shall 
		contain warnings about user accessible functions and privileges that 
		should be controlled in a secure processing environment; shall clearly 
		present all user responsibilities necessary for the secure operation of the 
		information system, including those related to assumptions regarding 
		user behavior found in the statement of the information system security 
		environment; shall be consistent with all other documentation supplied 
		for evaluation; and shall describe all security requirements for the IT 
		environment that are relevant to the user.

		The certifier, during the C&A process, shall confirm that the 
		documentation provided meets all requirements for the content. 

	e.	Life Cycle Support.

		The PCSP must require each operating unit to implement the Life Cycle 
		Support assurance controls listed in Table 20 pertaining to the indicated 
		protection index for all national security systems under their responsibility. 
		These controls are used to provide a well defined life-cycle model for the steps 
		of the information system development, including flaw remediation procedures 
		and policies, correct use of tools and techniques and the security measures used 
		to protect the development environment.

Table 20. Life Cycle Support Controls

	LC-1 IDENTIFICATION OF SECURITY MEASURES

		The system owner shall produce development security documentation. 
		The development security documentation shall describe all physical, 
		procedural, personnel, and other security measures that are necessary 
		to protect the confidentiality and integrity of the information system 
		design and implementation in its development environment and shall 
		provide evidence that these security measures are followed during the 
		development and maintenance of the information system.

		The certifier, during the C&A process, shall confirm that the 
		documentation provided meets all requirements for the content and 
		shall confirm that the security measures are being applied.

	LC-2 FLAW REMEDIATION

		Flaws in hardware or software may adversely affect the 
		confidentiality, availability, or integrity of national security 
		information.  Flaws may be identified through a variety of means, such 
		as vendor notifications, vulnerability analysis, or certification testing.  
		The system owner shall document the flaw remediation procedures. 

		The flaw remediation procedures documentation shall describe the 
		procedures used to track all reported security flaws in each release of 
		the information system and shall describe the methods used to provide 
		flaw information, corrections, and guidance on corrective actions to 
		information system users. The flaw remediation procedures shall 
		require that a description of the nature and effect of each security flaw 
		be provided as well as the status of finding a correction to the flaw and 
		shall require that corrective actions be identified for each of the 
		security flaws.

		The certifier, during the C&A process, shall confirm that the 
		documentation provided meets all requirements for the content.

		The system owner shall establish a procedure for accepting and acting 
		upon user reports of security flaws and requests for correction of those 
		flaws and shall provide flaw remediation guidance addressed to 
		information system users. The flaw remediation procedures 
		documentation shall describe a means by which the system owner 
		receives reports and inquiries from information system users about 
		suspected security flaws in the information system. The procedures for 
		processing reported security flaws shall ensure that any reported flaws 
		are corrected and the correction issued to information system users and 
		shall provide safeguards that any corrections to these security flaws do 
		not introduce any new flaws. The flaw remediation guidance shall 
		describe a means by which information system users report to the 
		system owner any suspected security flaws in the information system 
		and a means for verification that suspected security flaws are 
		addressed.

		Control Enhancement (1):  For PI-4 through PI-7, the system owner 
		shall designate one or more specific points of contact for user reports 
		and inquiries about security issues involving the information system. 
		The flaw remediation procedures shall include a procedure requiring 
		timely responses for the automatic distribution of security flaw reports 
		and the associated corrections to registered users who might be 
		affected by the security flaw. The flaw remediation guidance shall 
		describe a means by which information system users may register with 
		the system owner, to be eligible to receive security flaw reports and 
		corrections. The flaw remediation guidance shall identify the specific 
		points of contact for all reports and inquiries about security issues 
		involving the information system.

	LC-3 DEFINED LIFE CYCLE MODEL

		The system owner shall establish a life-cycle model to be used in the 
		development and maintenance of the information system and shall 
		provide life-cycle definition documentation. The life-cycle definition 
		documentation shall describe the model used to develop and maintain 
		the information system and the life-cycle model shall provide for the 
		necessary control over the development and maintenance of the 
		information system.

		The certifier, during the C&A process, shall confirm that the 
		documentation provided meets all requirements for the content.

	f.	Tests.

		The PCSP must require each operating unit to implement the Tests assurance 
		controls listed in Table 21 pertaining to the indicated protection index for all 
		national security systems under their responsibility. These controls are used to 
		demonstrate that the information system security controls satisfy the 
		information system security functional requirements. 

Table 21. Tests Controls

	TE-1 TEST COVERAGE

		The system owner shall provide evidence of the test coverage. The 
		evidence of test coverage shall show the correspondence between the 
		test identified in the test documentation and the information system 
		security controls as described in the functional specification.

		The certifier, during the C&A process, shall confirm that the 
		documentation provided meets all requirements for the content.

		Control Enhancement (1):  For PI-3 through PI-7, the system owner 
		shall provide an analysis of test coverage. The analysis of test 
		coverage shall demonstrate that the correspondence between the tests 
		identified in the test documentation and the information system 
		security controls as described in the functional specification is 
		complete in both directions: from each test to the security controls it 
		exercises, and from each security control as described in the functional 
		specification to the tests that exercise it.

	TE-2 TESTING

		The system owner shall test the information system security controls 
		and document the results. The system owner shall provide test 
		documentation that consists of test plans, test procedure descriptions, 
		expected test results, and the actual test results. The test plans shall 
		identify the security controls to be tested and describe the goal of the 
		tests to be performed. The test procedures shall identify the test to be 
		performed and describe the scenarios for testing each security 
		function. The scenarios shall include any ordering dependencies on the 
		results of other tests. The expected test results shall show the 
		anticipated outputs from a successful execution of the tests. 

		The test results from the system owner execution of the tests shall 
		demonstrate that each tested security control behaved as specified. The 
		system owner shall provide a suitable information system for testing and 
		shall provide an equivalent set of resources to those that were used in the 
		system owner’s functional testing of the information system security 
		controls.

		The certifier, during the C&A process, shall confirm that the 
		documentation provided meets all requirements for the content, shall 
		select and test a subset of the information system security controls as 
		appropriate to confirm that the information system operates as 
		specified, and shall execute a sample of tests in the test documentation 
		to verify the system owner test results.

		Control Enhancement (1):  For PI-3 through PI-7, the system owner 
		shall provide an analysis of the depth of testing. The depth analysis 
		shall demonstrate that the tests identified in the test documentation are 
		sufficient to demonstrate that the information system security controls 
		operate in accordance with the high-level design.

	g.	Vulnerability Assessment.

		The PCSP must require each operating unit to implement the Vulnerability 
		Assessment assurance controls listed in Table 22 pertaining to the indicated 
		protection index for all national security systems under their responsibility. 

		These controls are used to identify exploitable vulnerabilities introduced in 
		development, operation, misuse, or incorrect configuration of the information 
		system.

Table 22. Vulnerability Assessment Controls

	VA-1 VULNERABILITY ANALYSIS

		The system owner shall perform and document an analysis of the 
		information system deliverables searching for obvious ways in which a 
		user can violate the information system security policy. The system owner 
		shall document the disposition of the obvious vulnerabilities and the 
		documentation shall show, for all identified vulnerabilities, that the 
		vulnerability cannot be exploited in the intended environment for the 
		information system.

		The certifier, during the C&A process, shall confirm that the 
		documentation provided meets all requirements for the content and shall 
		conduct penetration testing, building on the system owner vulnerability 
		analysis, to ensure obvious vulnerabilities have been addressed.

		For PI-4 through PI-7, the system owner shall document the disposition of 
		identified vulnerabilities. The documentation shall justify that the 
		information system, with the identified vulnerabilities, is resistant to 
		obvious penetration attacks.

		Control Enhancement (1):  The certifier, during the C&A process, shall 
		perform an independent vulnerability analysis; shall perform 
		independent penetration testing based on the independent vulnerability 
		analysis to determine the exploitability of additional identified 
		vulnerabilities in the intended environment; and shall determine that the 
		information system is resistant to penetration attacks performed by an 
		attacker possessing a low attack potential.

		Note: The certifier should consider the following with respect to the 
		search for obvious flaws:

		*	Dependencies among functional components and potential 
			inconsistencies in the strength of function among independent 
			functions.

		*	Potential inconsistencies between the information system security 
			policy and the functional specification.

		*	Potential gaps or inconsistencies in the HLD and potentially invalid 
			assumptions about supporting hardware, software, or firmware 
			required by the information system security controls.

		*	Potential gaps in the administrator guidance that could cause the 
			administrator to fail: a) to make effective use of information system 
			security controls, b) to understand or take actions that need to be 
			performed, c) to install and/or configure the information system 
			correctly, and d) to avoid unintended interactions among security 
			functions. In particular, a failure to describe all security parameters 
			under the administrator’s control and the effects of the settings of 
			those parameters.

		*	Potential gaps in the user guidance that could cause the user to fail to 
			control functions and privileges as required to maintain a secure 
			processing environment. Potential presence in the user guidance of 
			information that facilitates exploitation of vulnerabilities.

		*	Open literature (e.g., CERT advisories, Bugtraq mailing lists, etc.) 
			that contains information on vulnerabilities in the information 
			system security controls should be consulted.

	VA-2 EXAMINATION OF GUIDANCE

		The system owner shall provide guidance documentation. The guidance 
		documentation shall identify all possible modes of operation of the 
		information system (including operation following failure or operational 
		error) and their consequences and implications for maintaining secure 
		operations. The guidance documentation shall be complete, clear, 
		consistent, and reasonable; shall list all assumptions about the intended 
		environment; and shall list all requirements for external security measures 
		(including external procedural, physical, and personnel controls).

		The certifier, during the C&A process, shall confirm that the 
		documentation provided meets all requirements for content, shall repeat 
		all configuration and installation procedures to confirm that the 
		information system can be configured and used securely using only the 
		supplied guidance documentation, and shall determine that the use of the 
		guidance documentation allows all insecure states to be detected.

		Control Enhancement (1):  For PI-4 through PI-7, the system owner shall 
		document an analysis of the guidance documentation that demonstrates the 
		guidance documentation is complete.

		The certifier, during the C&A process, shall confirm that the analysis 
		documentation shows that guidance is provided for secure operation in all 
		modes of operation of the information system. 

		CHAPTER II.  RESPONSIBILITIES

Senior DOE Management is responsible for ensuring the implementation of the DOE Cyber 
Security Program, this Manual, and the respective PCSPs under their purview.

1.	DOE UNDER SECRETARIES, INCLUDING THE NNSA ADMINISTRATOR. 

	a.	Develop PCSPs that incorporate FISMA security and reporting requirements, the 
		requirements of this Manual and comply with the requirements in DOE CIO 
		Cyber Security Technical and Management Requirement documents as they apply 
		to national security data and information systems within DOE, including NNSA; 
		and ensure that the operating units implement PCSPs on National Security 
		Systems. 

	b.	Determine, assess, and document program-unique threats and risks (in addition to 
		those presented in the Departmental Cyber Security Threat Statement and Risk 
		Assessment).

	c.	Notify the Contracting Officers to incorporate the CRD into affected contracts.

2.	HEADS OF DEPARTMENTAL ELEMENTS (OTHER THAN UNDER 
	SECRETARIES, INCLUDING THE NNSA ADMINISTRATOR).

	a.	Develop PCSPs that incorporate FISMA security and reporting requirements, the 
		requirements of this Manual and comply with the requirements in DOE CIO 
		Cyber Security Technical and Management Requirement documents as they apply 
		to national security data and information systems within DOE, including NNSA, 
		or are incorporated into an extension of the DOE OCIO PCSP; and ensure that the 
		operating units implement those requirements on National Security Systems. 

	b.	Determine, assess, and document program-unique threats and risks 
		(in addition to those presented in the Departmental Cyber Security Threat  
		Statement and Risk Assessment).

	c.	Notify the Contracting Officers to incorporate the CRD into affected contracts. 

3.	OFFICE OF THE CHIEF INFORMATION OFFICER.

	a.	Review this Manual, at least annually, and update as necessary.

	b.	Develop a PCSP that incorporates FISMA security and reporting requirements, 
		the requirements of this Manual and comply with the requirements in DOE CIO 
		Cyber Security Technical and Management Requirement documents as they apply 
		to national security data and information systems within DOE, including NNSA; 
		and ensure that the operating units implement the PCSPs on National Security 
		Systems. 

	c.	Determine, assess, and document program-unique threats and risks (in addition to 
		those presented in the Departmental Cyber Security Threat Statement and Risk 
		Assessment).

	d.	Notify the Contracting Officers to incorporate the CRD into affected contracts.

4.	CONTRACTING OFFICER.

	a.	Once notified of contractor applicability, incorporate the CRD into affected 
		contracts.

	b.	Assist in incorporating the CRD in new contracts when notified of the 
		applicability.



		ATTACHMENT 1

		CONTRACTOR REQUIREMENTS DOCUMENT
		DOE M 205.1-4, National Security System Manual

This Contractor Requirements Document (CRD) establishes the requirements for Department of 
Energy (DOE) contractors whose contracts involve National Security Systems that collect, 
process, store, display, create, disseminate, or transmit information.

Regardless of the performer of the work, the contractor is responsible for complying with the 
requirements of this CRD. The contractor is responsible for flowing down the requirements of 
this CRD to subcontractors at any tier to the extent necessary to ensure the contractor’s 
compliance with the requirements.

The contractor must implement and comply with the applicable Program Cyber Security Plan 
(PCSP), as provided by Senior DOE Management, for all cyber security activities involving 
National Security Systems; compliance with the PCSP is monitored by Senior DOE 
Management.