E3.1.1. MINIMUM SECURITY REQUIREMENTS. The following minimum requirements
shall be met through automated or manual means in a cost-effective manner
and integrated fashion:
E126.96.36.199. Accountability. There shall be in place safeguards to
ensure each person having access to an AIS may be held accountable for his
or her actions on the AIS. There shall be an audit trail providing a
documented history of DAIS use. The audit trail shall be of sufficient
detail to reconstruct events in determining the cause or magnitude of
compromise should a security violation or malfunction occur. To fulfill this
requirement, the manual and/or automated audit trail shall document the
E188.8.131.52.1. The identity of each person and device having access to the
E184.108.40.206.2. The time of the access.
E220.127.116.11.3. User activity sufficient to ensure user actions are
controlled and open to scrutiny.
E18.104.22.168.4. Activities that might modify, bypass, or negate safeguards
controlled by the AIS.
E22.214.171.124.5. Security-relevant actions associated with periods
processing or the changing of security levels or categories of
DAAs shall cause a review to be made of audit trails associated
with the AIS(s) over which the DAAs have cognizance to determine an adequate
retention period for the audit information. The decision to require an audit
trail of user access to a stand-alone, single-user AIS (e.g., personal
computer (PC), memory typewriter, drafting machine) should be left to the
discretion of the DAA.
E126.96.36.199. Access. There shall be in place an access
control policy for each AIS. It shall include features and/or procedures to
enforce the access control policy of the information within the AIS. The
identify of each user authorized access to the AIS shall be established
positively before authorizing access.
E188.8.131.52. Security Training and Awareness. There shall be
in place a security training and awareness program with training for the
security needs of all persons accessing the AIS. The program shall ensure
that all persons responsible for the AIS and/or information, therein, and
all persons who access the AIS are aware of proper operational and
security-related procedures and risks.
E184.108.40.206. Physical Controls. AIS hardware, software, and
documentation, and all classified and sensitive unclassified data handled by
the AIS shall be protected to prevent unauthorized (intentional or
unintentional) disclosure, destruction, or modification (i.e., data
integrity shall be maintained). The level of control and protection shall be
commensurate with the maximum sensitivity of the information and shall
provide the most restrictive control measures required by the data to be
handled. This includes having personnel, physical, administrative, and
configuration controls. Additionally, protection against denial of service
of AIS resources (e.g., hardware, software, firmware, and information) shall
be consistent with the sensitivity of the information handled by the AIS.
Unclassified hardware, software, or documentation of an AIS shall be
protected if access to such hardware, software, or documentation reveals
classified information, or access provides information that may be used to
eliminate, circumvent, or otherwise render ineffective the security
safeguards for classified information. Software development and related
activities (e.g., systems analysis) shall be controlled by physical controls
(e.g., two-person control) and protected when it is determined that the
software shall be used for handling classified or sensitive unclassified
E220.127.116.11. Marking. Classified and sensitive unclassified output shall be marked to accurately
reflect the sensitivity of the information. Requirements for security
classification and applicable markings for classified information are set forth
in DoD 5200.1-R (reference (b)). The marking
may be automated (i.e., the AIS has a feature that produces the markings) or may
be done manually. Automated markings on output must not be relied on to be
accurate, unless the security features and assurances of the AIS meet the
requirements for a minimum security class B1 as specified in DoD 5200.28-STD (reference (k)). If B1 is not met,
but automated controls are used, all output shall be protected at the highest
classification level of the information handled by the AIS until manually
reviewed by an authorized person to ensure that the output was marked accurately
with the classification and caveats. All media (and containers) shall be marked
and protected commensurate with the requirements for the highest security
classification level and most restrictive category of the information ever
stored until the media are declassified (e.g., degaussed or erased) using a
DoD-approved methodology set forth in the DoD AIS Security Manual, DoD 5200.28-M
(reference (t)), or unless the
information is declassified or downgraded in accordance with reference (b).
E18.104.22.168. Least Privilege. The AIS shall function so that
each user has access to all of the information to which the user is entitled
(by virtue of clearance, formal access approval), but to no more. In the
case of "need-to-know" for classified information, access must be essential
for accomplishment of lawful and authorized Government purposes.
E22.214.171.124. Data Continuity. Each file or data collection in
the AIS shall have an identifiable source throughout its life cycle. Its
accessibility, maintenance, movement, and disposition shall be governed by
security clearance, formal access approval, and need-to-know.
E126.96.36.199. Data Integrity. There shall be safeguards in
place to detect and minimize inadvertent modification or destruction of
data, and detect and prevent malicious destruction or modification of
E188.8.131.52. Contingency Planning. Contingency plans shall be developed and tested in accordance with
OMB Circular No. A-130 (reference
ensure that AIS security controls function reliably and, if not, that
adequate backup functions are in place to ensure that security functions are
maintained continuously during interrupted service. If data is modified or
destroyed, procedures must be in place to recover.
E184.108.40.206. Accreditation. Each AIS shall be accredited to
operate in accordance with a DAA-approved set of security safeguards.
E220.127.116.11. Risk Management. There should be in place a
risk management program to determine how much protection is required, how
much exists, and the most economical way of providing the needed