E3.1.1. MINIMUM SECURITY REQUIREMENTS. The following minimum requirements
shall be met through automated or manual means in a cost-effective manner
and integrated fashion:
E3.1.1.1. Accountability. There shall be in place safeguards to
ensure each person having access to an AIS may be held accountable for his
or her actions on the AIS. There shall be an audit trail providing a
documented history of AIS use. The audit trail shall be of sufficient
detail to reconstruct events in determining the cause or magnitude of
compromise should a security violation or malfunction occur. To fulfill this
requirement, the manual and/or automated audit trail shall document the
following:
E3.1.1.1.1. The identity of each person and device having access to the
AIS.
E3.1.1.1.2. The time of the access.
E3.1.1.1.3. User activity sufficient to ensure user actions are
controlled and open to scrutiny.
E3.1.1.1.4. Activities that might modify, bypass, or negate safeguards
controlled by the AIS.
E3.1.1.1.5. Security-relevant actions associated with periods
processing or the changing of security levels or categories of
information.
DAAs shall cause a review to be made of audit trails associated
with the AIS(s) over which the DAAs have cognizance to determine an adequate
retention period for the audit information. The decision to require an audit
trail of user access to a stand-alone, single-user AIS (e.g., personal
computer (PC), memory typewriter, drafting machine) should be left to the
discretion of the DAA.
E3.1.1.2. Access. There shall be in place an access
control policy for each AIS. It shall include features and/or procedures to
enforce the access control policy of the information within the AIS. The
identity of each user authorized access to the AIS shall be established
positively before authorizing access.
E3.1.1.3. Security Training and Awareness. There shall be
in place a security training and awareness program with training for the
security needs of all persons accessing the AIS. The program shall ensure
that all persons responsible for the AIS and/or the information therein, and
all persons who access the AIS, are aware of proper operational and
security-related procedures and risks.
E3.1.1.4. Physical Controls. AIS hardware, software, and
documentation, and all classified and sensitive unclassified data handled by
the AIS shall be protected to prevent unauthorized (intentional or
unintentional) disclosure, destruction, or modification (i.e., data
integrity shall be maintained). The level of control and protection shall be
commensurate with the maximum sensitivity of the information and shall
provide the most restrictive control measures required by the data to be
handled. This includes having personnel, physical, administrative, and
configuration controls. Additionally, protection against denial of service
of AIS resources (e.g., hardware, software, firmware, and information) shall
be consistent with the sensitivity of the information handled by the AIS.
Unclassified hardware, software, or documentation of an AIS shall be
protected if access to such hardware, software, or documentation reveals
classified information, or access provides information that may be used to
eliminate, circumvent, or otherwise render ineffective the security
safeguards for classified information. Software development and related
activities (e.g., systems analysis) shall be controlled by physical controls
(e.g., two-person control) and protected when it is determined that the
software shall be used for handling classified or sensitive unclassified
data.
E3.1.1.5. Marking. Classified and sensitive unclassified output shall be marked to accurately
reflect the sensitivity of the information. Requirements for security
classification and applicable markings for classified information are set forth
in DoD 5200.1-R (reference (b)). The marking
may be automated (i.e., the AIS has a feature that produces the markings) or may
be done manually. Automated markings on output must not be relied on to be
accurate, unless the security features and assurances of the AIS meet the
requirements for a minimum security class B1 as specified in DoD 5200.28-STD (reference (k)). If B1 is not met,
but automated controls are used, all output shall be protected at the highest
classification level of the information handled by the AIS until manually
reviewed by an authorized person to ensure that the output was marked accurately
with the classification and caveats. All media (and containers) shall be marked
and protected commensurate with the requirements for the highest security
classification level and most restrictive category of the information ever
stored until the media are declassified (e.g., degaussed or erased) using a
DoD-approved methodology set forth in the DoD AIS Security Manual, DoD 5200.28-M
(reference (t)), or unless the
information is declassified or downgraded in accordance with reference (b).
E3.1.1.6. Least Privilege. The AIS shall function so that
each user has access to all of the information to which the user is entitled
(by virtue of clearance, formal access approval), but to no more. In the
case of "need-to-know" for classified information, access must be essential
for accomplishment of lawful and authorized Government purposes.
E3.1.1.7. Data Continuity. Each file or data collection in
the AIS shall have an identifiable source throughout its life cycle. Its
accessibility, maintenance, movement, and disposition shall be governed by
security clearance, formal access approval, and need-to-know.
E3.1.1.8. Data Integrity. There shall be safeguards in
place to detect and minimize inadvertent modification or destruction of
data, and detect and prevent malicious destruction or modification of
data.
E3.1.1.9. Contingency Planning. Contingency plans shall be developed and
tested in accordance with OMB Circular No. A-130 (reference (j)) to
ensure that AIS security controls function reliably and, if not, that
adequate backup functions are in place to ensure that security functions are
maintained continuously during interrupted service. If data is modified or
destroyed, procedures must be in place to recover.
E3.1.1.10. Accreditation. Each AIS shall be accredited to
operate in accordance with a DAA-approved set of security safeguards.
E3.1.1.11. Risk Management. There should be in place a
risk management program to determine how much protection is required, how
much exists, and the most economical way of providing the needed
protection.