2.1. This Directive applies to the Office
of the Secretary of Defense (OSD), the Military Departments and the Military
Services within those Departments, the Joint Chiefs of Staff (JCS), the
Joint Staff, the Unified and Specified Commands, the Defense Agencies, the
DoD Field Activities, and such other offices, Agencies, activities, and
commands as may be established or designated by law, by the President, or by
the Secretary of Defense (hereafter referred to collectively as "DoD
2.2. This Directive applies to the following classes of
2.2.1. Classified information. Thereby,
supplementing DoD 5200.l-R (reference (b)) for such
information when contained in the AISs.
2.2.2. Sensitive unclassified information.
2.2.3. Unclassified information.
2.3. This Directive applies to all AISs including
stand-alone systems, communications systems, and computer network systems of
all sizes, whether digital, analog, or hybrid; associated peripheral devices
and software; process control computers; embedded computer systems;
communications switching computers; personal computers; intelligent
terminals; word processors; office automation systems; application and
operating system software; firmware; and other AIS technologies, as may be
2.4. This Directive, reference (b), and DoD Directive C-5200.5 (reference (c)) apply to transmission and communications media connecting components of
or to an AIS.
2.5. This Directive, DoD Directive S-5200.19 (reference (d)) , NACSI 5004 (reference (e)), and NACSI
5005 (reference (f)) apply
to the emanations security requirements of AISs.
2.6. This Directive and DCID No.1/16 (reference (g)) apply
to AISs processing foreign intelligence and/or counterintelligence
2.7. This Directive and SM-313-83 (reference (h)) apply
to AISs processing Single Integrated Operational Plan-Extremely Sensitive
2.8. This Directive and DoD Instruction 5215.2 (reference (i)) apply
to the reporting and dissemination of AIS technical vulnerabilities and
2.9. All AISs that handle classified, sensitive
unclassified, or unclassified information shall comply with the pertinent
requirements of this Directive. Unless otherwise required by the Designated
Approving Authority (DAA), AISs that meet any of the following conditions
shall be excluded from meeting policy subsections 4.5. through 4.7., below,
of this Directive:
2.9.1. AISs that are operated only in the dedicated
2.9.2. Personal computers, word processors, and
similar stand-alone AISs in which it technically is not feasible to
configure the equipment to support internal security controls. Such AISs
may be characterized as being single-state machines without a privileged
instruction set or memory lock features, and shall be operated only in the
2.9.3. An AIS that is embedded in a larger system
and is not removed easily, is without users, and normally receives input
from, or gives output only to, other parts of the system.
2.10. AIS networks must be examined on a
case-by-case basis for application of policy in this Directive. The DAA for the
network should obtain guidance through established command channels, from the
National Security Agency. (NSA), or where applicable, from the Defense
Intelligence Agency (DIA) on evaluation and accreditation (see enclosure E5).