-
- CSC-STD-004-85
-
-
-
-
-
-
-
- TECHNICAL RATIONALE BEHIND CSC-STD-003-85:
- COMPUTER SECURITY REQUIREMENTS
-
-
- GUIDANCE FOR APPLYING THE DEPARTMENT OF DEFENSE
- TRUSTED COMPUTER SYSTEM EVALUATION CRITERIA
- IN SPECIFIC ENVIRONMENTS
-
-
-
-
-
-
-
-
- Approved for public release;
- distribution unlimited.
-
-
- 25 June 1985
-
-
-
-
-
- CSC-STD-004-85
- Library No. S-226,728
-
-
- FOREWORD
-
- This publication, Technical Rationale Behind CSC-STD-003-85: Computer Security
- Requirements--Guidance for Applying the Department of Defense Trusted Computer
- System Evaluation Criteria in Specific Environments, is being issued by the DoD
- Computer Security Center (DoDCSC) under the authority of and in accordance with
- DoD Directive 5215.1, "Computer Security Evaluation Center." This document
- presents background discussion and rationale for CSC-STD-003-85, Computer
- Security Requirements--Guidance for Applying the Department of Defense Trusted
- Computer System Evaluation Criteria in Specific Environments. The computer
- security requirements identify the minimum class of system required for a given
- risk index. System classes are those defined by CSC-STD-001-83, Department of
- Defense Trusted Computer System Evaluation Criteria, 15 August 1983. Risk index
- is defined as the disparity between the minimum clearance or authorization of
- system users and the maximum sensitivity of data processed by the system. This
- guidance is intended to be used in establishing minimum computer security
- requirements for the processing and/or storage and retrieval of sensitive or
- classified information by the Department of Defense whenever automatic data
- processing systems are employed. Point of contact concerning this publication is
- the Office of Standards and Products, Attention: Chief, Computer Security
- Standards.
-
-
- 25 June 1985
- Robert L. Brotzman
- Director
- DoD Computer Security Center
-
-
-
- ACKNOWLEDGMENTS
-
- Special recognition is extended to H. William Neugent and Ingrid M. Olson of
- the MITRE Corporation for performing in-depth analysis of DoD policies and
- procedures and for preparation of this document.
-
- Acknowledgment is given to the following for formulating the computer security
- requirements and the supporting technical and procedural rationale behind these
- requirements: Col Roger R. Schell, formerly DoDCSC, George F. Jelen, formerly
- DoDCSC, Daniel J. Edwards, Sheila L. Brand, and Stephen F. Barnett, DoDCSC.
-
- Acknowledgment is also given to the following for giving generously of their
- time and expertise in the review and critique of this document: CDR Robert
- Emery, OJCS, Dan Mechelke, 902nd Ml Gp, Mary Taylor, DAMI-CIC, Maj. Freeman,
- DAMI- CIC, Ralph Neeper, DAMI-CIC, Duane Fagg, NAVDAC, H. O. Lubbes, NAVELEX,
- Sue Berg, OPNAV, Susan Tominack, NAVDAC, Lt Linda Fischer, OPNAV, Eugene
- Epperly, ODUSD(P), Maj Grace Culver, USAF-SITT, Capt Mike Weidner, ASPO, Alfred
- W. Arsenault, DoDCSC, James P. Anderson, James P. Anderson & Co., and Dr.
- John Vasak, MITRE Corporation.
-
-
- TABLE OF CONTENTS
- FOREWORD............................................................. i
- ACKNOWLEDGMENTS...................................................... ii
- LIST OF TABLES....................................................... iv
- 1.0 INTRODUCTION..................................................... 1
- 2.0 RISK INDEX....................................................... 5
- 3.0 COMPUTER SECURITY REQUIREMENTS FOR OPEN
- SECURITY ENVIRONMENTS............................................ 11
- 4.0 COMPUTER SECURITY REQUIREMENTS FOR CLOSED
- SECURITY ENVIRONMENTS............................................ 19
- APPENDIX A: SUMMARY OF CRITERIA...................................... 23
- APPENDIX B: DETAILED DESCRIPTION OF CLEARANCES
- AND DATA SENSITIVITIES.......................................... 27
- APPENDIX C: ENVIRONMENTAL TYPES...................................... 31
- GLOSSARY............................................................. 33
- ACRONYMS............................................................. 37
- REFERENCES........................................................... 39
-
-
- LIST OF TABLES
- Table
- 1: Rating Scale for Minimum User Clearance......................... 6
- 2: Rating Scale for Maximum Data Sensitivity....................... 7
- 3: Security Risk Index Matrix...................................... 8
- 4: Computer Security Requirements for Open Security Environments... 12
- 5: Security Index Matrix for Open Security Environments............ 13
- 6: Computer Security Requirements for Closed Security Environments. 20
- 7: Security Index Matrix for Closed Security Environments.......... 21
-
- 1.0 INTRODUCTION
- The purpose of this technical report is to present background discussion and
- rationale for Computer Security Requirements--Guidance for Applying the DoD
- Trusted Computer System Evaluation Criteria in Specific Environments(1)
- (henceforth referred to as the Computer Security Requirements). The
- requirements were prepared in compliance with responsibilities assigned to the
- Department of Defense (DoD) Computer Security Center (DoDCSC) under DoD
- Directive 5215.1, which tasks the DoDCSC to "establish and maintain technical
- standards and criteria for the evaluation of trusted computer systems."(2)
-
- DoD computer systems have stringent requirements for security. In the past,
- these requirements have been satisfied primarily through physical, personnel,
- and information security safeguards.(3) Recent advances in technology make it
- possible to place increasing trust in the computer system itself, thereby
- increasing security effectiveness and efficiency. In turn, the need has arisen
- for guidance on how this new technology should be used. There are two facets to
- this required guidance:
-
- a. Establishment of a metric for categorizing systems according to the
- security protection they provide.
-
- b. Identification of the minimum security protection required in
- different environments.
-
- The DoD Trusted Computer System Evaluation Criteria (henceforth referred to
- as the Criteria), developed by the DoDCSC, satisfy the first of these two
- requirements by categorizing computer systems into hierarchical security
- classes.(4) The Computer Security Requirements satisfy the second requirement
- by identifying the minimum classes appropriate for systems in different risk
- environments. They are to be used by system managers in applying the Criteria
- and thereby in selecting and specifying systems that have sufficient security
- protection for specific operational environments.
-
- Section 2 of this document discusses the risk index. Section 3 presents a
- discussion of the Computer Security Requirements for open security
- environments. Section 4 presents a discussion of the Computer Security
- Requirements for closed security environments. A summary of the Criteria is
- contained in Appendix A. Appendix B contains a detailed description of
- clearances and data sensitivities, and Appendix C describes the environmental
- types. A glossary provides definitions of many of the terms used in this
- document.
-
- 1.1 Scope and Applicability
-
- This section describes the scope and applicability for both this report and the
- Computer Security Requirements. The primary focus of both documents is on the
- technical aspects (e.g., hardware, software, configuration control) of computer
- security, although the two documents also address the relationship between
- computer security and physical, personnel, and information security. While
- communications and emanations security are important elements of system
- security, they are outside the scope of the two documents.
-
- Both documents apply to DoD computer systems that are entrusted with the
- protection of information, regardless of whether or not that information is
- classified, sensitive, national security-related, or any combination thereof.
- Furthermore, both documents can be applied throughout the DoD.(5,6,7,8,9)
-
- The two documents are concerned with protection against both disclosure and
- integrity violations. Integrity violations are of particular concern for
- sensitive unclassified information (e.g., financial data) as well as for some
- classified applications (e.g., missile guidance data).
-
- The recommendations of both this report and the Computer Security
- Requirements are stated in terms of classes from the Criteria. Embodied in each
- class and therefore encompassed within the scope of both documents are two
- types of requirements: assurance and feature requirements. Assurance
- requirements are those that contribute to confidence that the required features
- are present and that the system is functioning as intended. Examples of
- assurance requirements include modular design, penetration testing, formal
- verification, and trusted configuration management. Feature requirements
- encompass capabilities such as labeling, authentication, and auditing.
-
- 1.2 Security Operating Modes
-
- DoD computer security policy identifies several security operating modes, for
- which the following definitions are adapted:(10,11,12,13)
-
- a. Dedicated Security Mode--The mode of operation in which the system is
- specifically and exclusively dedicated to and controlled for the
- processing of one particular type or classification of information,
- either for fulltime operation or for a specified period of time.
-
- b. System High Security Mode--The mode of operation in which system
- hardware/software is only trusted to provide need-to-know protection
- between users. In this mode, the entire system, to include all
- components electrically and/or physically connected, must operate with
- security measures commensurate with the highest classification and
- sensitivity of the information being processed and/or stored. All
- system users in this environment must possess clearances and
- authorizations for all information contained in the system, and all
- system output must be clearly marked with the highest classification
- and all system caveats, until the information has been reviewed
- manually by an authorized individual to ensure appropriate
- classifications and caveats have been affixed.
-
- c. Multilevel Security Mode--The mode of operation which allows two or
- more classification levels of information to be processed
- simultaneously within the same system when some users are not cleared
- for all levels of information present.
-
- d. Controlled Mode--The mode of operation that is a type of multilevel
- security in which a more limited amount of trust is placed in the
- hardware/software base of the system, with resultant restrictions on
- the classification levels and clearance levels that may be supported.
-
- e. Compartmented Security Mode--The mode of operation which allows
- the system to process two or more types of compartmented information
- (information requiring a special authorization) or any one type of
- compartmented information with other than compartmented information.
- In this mode, system access is secured to at least the Top Secret (TS)
- level, but all system users need not necessarily be formally
- authorized access to all types of compartmented information being
- processed and/or stored in the system.
-
- In addition to these security operating modes, Service policies may define
- other modes of operation. For example, Office of the Chief of Naval Operations
- (OPNAV) Instruction 5239.1A defines Limited Access Mode for those systems in
- which the minimum user clearance is uncleared and the maximum data sensitivity
- is not classified but sensitive.(6)
-
-
- 2.0 RISK INDEX
-
- The evaluation class appropriate for a system is dependent on the level of
- security risk inherent to that system. This inherent risk is referred to as
- that system's risk index. Risk index is defined as follows (see footnote 1):
-
- The disparity between the minimum clearance or authorization of system
- users and the maximum sensitivity of data processed by a system.
-
- The Computer Security Requirements are based upon this risk index. Although
- there are other factors that can influence security risk, such as mission
- criticality, required denial of service protection, and threat severity, only
- the risk index is used to determine the minimum class of trusted systems to be
- employed, since it can be uniformly applied in the determination of security
- risk. The risk index for a system depends on the rating associated with the
- system's minimum user clearance (Rmin) taken from Table 1 and the rating
- associated with the system's maximum data sensitivity (Rmax) taken from Table
- 2. The risk index is computed as follows:
-
- Case a. If Rmin is less than Rmax, then the risk index is determined by
- subtracting Rmin from Rmax (see footnote 2):
-
- Risk Index = Rmax - Rmin
-
- Case b. If Rmin is greater than or equal to Rmax, then
-
- Risk Index = 1, if there are categories on the system to which some users
- are not authorized access;
- Risk Index = 0, otherwise (i.e., if there are no categories on the system or
- if all users are authorized access to all categories).
-
- Example: For a system with a minimum user clearance of Confidential and
- maximum data sensitivity of Secret (without categories), Rmin = 2 and
- Rmax = 3.
-
-
- 1 Since a clearance implicitly encompasses lower clearance levels (e.g., a
- Secret- cleared user has an implicit Confidential clearance), the phrase
- "minimum clearance...of system users" is more accurately stated as "maximum
- clearance of the least cleared system user." For simplicity, this document uses
- the former phrase.
-
- 2 There is one anomalous case in which this formula gives an incorrect result.
- This is the case where the minimum clearance is Top Secret/Background
- Investigation and the maximum data sensitivity is Top Secret. According to
- the formula, this gives a risk index of 1. In actuality, the risk index in this
- case is zero. The anomaly results because there are two "levels" of Top Secret
- clearance and only one level of Top Secret data.
-
-
- TABLE 1
-
- RATING SCALE FOR MINIMUM USER CLEARANCE^1
-
- MINIMUM USER CLEARANCE                                           RATING
-
- Uncleared (U)                                                         0
- Not Cleared but Authorized Access to Sensitive Unclassified
- Information (N)                                                       1
- Confidential (C)                                                      2
- Secret (S)                                                            3
- Top Secret (TS)/Current Background Investigation (BI)                 4
- Top Secret (TS)/Current Special Background Investigation (SBI)        5
- One Category (1C)                                                     6
- Multiple Categories (MC)                                              7
-
- 1 See Appendix B for a detailed description of the terms listed.
-
-
- TABLE 2
-
- RATING SCALE FOR MAXIMUM DATA SENSITIVITY
-
- MAXIMUM DATA SENSITIVITY   RATING   MAXIMUM DATA SENSITIVITY              RATING^2
- WITHOUT CATEGORIES         (Rmax)   WITH CATEGORIES^1                     (Rmax)
-
- Unclassified (U)             0      Not Applicable^3                        -
- Not Classified but           1      N With One or More Categories           2
- Sensitive (N)^4
- Confidential (C)             2      C With One or More Categories           3
- Secret (S)                   3      S With One or More Categories With      4
-                                     No More Than One Category
-                                     Containing Secret Data
-                                     S With Two or More Categories           5
-                                     Containing Secret Data
- Top Secret (TS)              5^5    TS With One or More Categories With     6
-                                     No More Than One Category Containing
-                                     Secret or Top Secret Data
-                                     TS With Two or More Categories          7
-                                     Containing Secret or Top Secret Data
-
-
- 1 The only categories of concern are those for which some users are not
- authorized access to the category. When counting the number of categories,
- count all categories regardless of the sensitivity level associated with the
- data. If a category is associated with more than one sensitivity level, it is
- only counted at the highest level.
-
- 2 Where the number of categories is large or where a highly sensitive category
- is involved, a higher rating might be warranted.
-
- 3 Since categories imply sensitivity of data and unclassified data is not
- sensitive, unclassified data by definition cannot contain categories.
-
- 4 N data includes financial, proprietary, privacy, and mission sensitive data.
- Some situations (e.g., those involving extremely large financial sums or
- critical mission sensitive data) may warrant a higher rating. The table
- prescribes minimum ratings.
-
- 5 The rating increment between the Secret and Top Secret data sensitivity
- levels is greater than the increment between other adjacent levels. This
- difference derives from the fact that the loss of Top Secret data causes
- exceptionally grave damage to the national security, whereas the loss of Secret
- data causes only serious damage. (4)
-
-
- TABLE 3
-
- SECURITY RISK INDEX MATRIX
-
-                                     Maximum Data Sensitivity
-
-                               U    N    C    S    TS   1C   MC
-
-                    U          0    1    2    3    4    5    6
-                    N          0    0    1    2    4    5    6
- Minimum            C          0    0    0    1    3    4    5
- Clearance          S          0    0    0    0    2    3    4
- or
- Authorization      TS(BI)     0    0    0    0    0    2    3
- of
- System Users       TS(SBI)    0    0    0    0    0    1    2
-                    1C         0    0    0    0    0    0    1
-                    MC         0    0    0    0    0    0    0
-
- U = Uncleared or Unclassified
- N = Not Cleared but Authorized Access to Sensitive Unclassified Information or
- Not Classified but Sensitive
- C = Confidential
- S = Secret
- TS = Top Secret
- TS(BI) = Top Secret (Background Investigation)
- TS(SBI) = Top Secret (Special Background Investigation)
- 1C = One Category
- MC = Multiple Categories
-
-
- In situations where the local environment indicates that additional risk
- factors are present, a larger risk index may be warranted. Table 2 and the
- above discussion show how the presence of nonhierarchical sensitivity
- categories such as NOFORN (Not Releasable to Foreign Nationals) and PROPIN
- (Caution-Proprietary Information Involved) influences the ratings.(14)
- Compartmented information is also encompassed by the term sensitivity
- categories, as is information revealing sensitive intelligence sources and
- methods. A subcategory (and a subcompartment) is considered to be independent
- from the category to which it is subsidiary.
-
- Table 3 presents a matrix summarizing the risk indices corresponding to the
- various clearance/sensitivity pairings. For simplicity no categories are
- associated with the maximum data sensitivity levels below Top Secret.
-
-
- 3.0 COMPUTER SECURITY REQUIREMENTS FOR OPEN
- SECURITY ENVIRONMENTS
-
-
- This section discusses the application of the Computer Security Requirements to
- systems in open security environments. An open security environment is one in
- which system applications are not adequately protected against the insertion of
- malicious logic. Appendix C describes malicious logic and the open security
- environment in more detail.
-
- 3.1 Recommended Classes
-
- Table 4 presents the minimum evaluation class identified in the Computer
- Security Requirements for different risk indices in an open security
- environment. Table 5 illustrates the impact of the requirements on individual
- minimum clearance/maximum data sensitivity pairings, where no categories are
- associated with maximum data sensitivity below Top Secret. The minimum
- evaluation class is determined by finding the matrix entry corresponding to the
- minimum clearance or authorization of system users and the maximum sensitivity
- of data processed by the system.
-
- Example: If the minimum clearance of system users is Secret and the
- maximum sensitivity of data processed is Top Secret (with no categories),
- then the risk index is 2 and a class B2 system is required.
-
- The classes identified are minimum values. Environmental characteristics must
- be examined to determine whether a higher class is warranted. Factors that
- might argue for a higher evaluation class include the following:
-
- a. High volume of information at the maximum data sensitivity.
-
- b. Large number of users with minimum clearance.
-
- Both of these factors are often present in networks.
-
- The guidance embodied in the Computer Security Requirements is best used during
- system requirements definition to determine which class of trusted system is
- required given the risk index envisioned for a specific environment. They are
- also of use in determining which choices are feasible given either the maximum
- sensitivity of data to be processed or minimum user clearance or authorization
- requirements. The Computer Security Requirements can also be used in a security
- evaluation to determine whether system safeguards are sufficient.
-
- 3.2 Risk Index and Operational Modes
-
- Situations with a risk index of zero encompass systems operating in system high
- or dedicated mode. Systems operating in dedicated mode--in which all users
- have both the clearance and the need-to-know for all information in the
- system--do not need to rely on hardware and software protection measures for
- security.(10) Therefore, no minimum level of trust is prescribed. However,
- because of the integrity and denial of service requirements of many systems,
- additional protective features may be warranted.
-
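- The Section 2 risk index (Tables 1 and 2, including the footnote 2 anomaly) and the open security environment class lookup of Table 4 with its footnotes, as an added worked example that is not part of CSC-STD-004-85; it also recomputes Table 5 so the two can be checked against each other. The function and parameter names (risk_index, minimum_class_open, open_environment_matrix, some_unauthorized) are this example's own assumptions, as is reducing categories to a count of those containing data at the maximum level.

```python
"""Added worked example (not part of CSC-STD-004-85): Section 2 risk index
from Tables 1 and 2, minimum open-environment class from Table 4 and its
footnotes, and a recomputation of Table 5.  Names are the editor's own."""

# Table 1: rating of the minimum user clearance (Rmin).
CLEARANCE_RATING = {
    "U": 0, "N": 1, "C": 2, "S": 3,
    "TS(BI)": 4, "TS(SBI)": 5, "1C": 6, "MC": 7,
}

# Table 2, left half: rating (Rmax) of the maximum data sensitivity when no
# categories are involved.  Note the larger S -> TS step (footnote 5).
SENSITIVITY_RATING = {"U": 0, "N": 1, "C": 2, "S": 3, "TS": 5}

# Table 4: minimum class by risk index for indices 1-4; 5-7 are "*".
CLASS_BY_RISK_INDEX = {1: "B1", 2: "B2", 3: "B3", 4: "A1"}


def rmax(level, categories=0):
    """Table 2 rating.  `categories` counts categories to which some users
    are not authorized (footnote 1); for S and TS it is taken here as the
    number of those categories that contain data at the maximum level."""
    base = SENSITIVITY_RATING[level]
    if categories == 0:
        return base
    if level == "U":                       # footnote 3
        raise ValueError("unclassified data cannot contain categories")
    if level in ("N", "C"):                # "with one or more categories"
        return base + 1
    return base + (1 if categories == 1 else 2)   # S: 4 or 5, TS: 6 or 7


def risk_index(min_clearance, max_level, categories=0, some_unauthorized=None):
    """Section 2 formula, including the footnote 2 anomaly.

    some_unauthorized: whether some users lack access to some category on
    the system (used only in case b).  Defaults to True when categories
    are present, since only such categories are counted."""
    rmin = CLEARANCE_RATING[min_clearance]
    rmx = rmax(max_level, categories)
    if some_unauthorized is None:
        some_unauthorized = categories > 0
    if rmin < rmx:                                          # case a
        # Footnote 2: two TS clearance levels but one TS data level, so
        # TS(BI) users with TS data (no categories) are actually index 0.
        if min_clearance == "TS(BI)" and max_level == "TS" and categories == 0:
            return 0
        return rmx - rmin
    return 1 if some_unauthorized else 0                    # case b


def minimum_class_open(min_clearance, max_level, categories=0,
                       mode="system high", some_unauthorized=None):
    """Minimum Criteria class for an open security environment (Table 4).

    Returns (risk_index, class); "*" means beyond current technology,
    "none" means no prescribed minimum (dedicated mode, footnote 2)."""
    ri = risk_index(min_clearance, max_level, categories, some_unauthorized)
    if ri == 0:
        if mode == "dedicated":
            return ri, "none"        # footnote 2: C1 is still advisable
        # Footnote 3: individual accountability (C2) once any sensitive or
        # classified data is present; C1 suffices for unclassified data.
        return ri, "C1" if max_level == "U" else "C2"
    if ri == 1:
        # Footnote 4: classified or compartmented data with users below
        # Confidential, or more than two compartments, raises B1 to B2.
        classified = max_level in ("C", "S", "TS")
        below_c = CLEARANCE_RATING[min_clearance] < CLEARANCE_RATING["C"]
        if ((classified or categories > 0) and below_c) or categories > 2:
            return ri, "B2"
        return ri, "B1"
    return ri, CLASS_BY_RISK_INDEX.get(ri, "*")


# Table 5 columns: categories only at the TS level (1C = one category,
# MC = two or more), as the discussion of Table 3 states.
TABLE5_COLUMNS = [("U", "U", 0), ("N", "N", 0), ("C", "C", 0), ("S", "S", 0),
                  ("TS", "TS", 0), ("1C", "TS", 1), ("MC", "TS", 2)]


def open_environment_matrix():
    """Recompute Table 5: system high mode where the index is 0, and (Table 5
    footnote 2) all users assumed authorized for every category present."""
    return {clr: [minimum_class_open(clr, lvl, cats, some_unauthorized=False)[1]
                  for _, lvl, cats in TABLE5_COLUMNS]
            for clr in CLEARANCE_RATING}


if __name__ == "__main__":
    # The Section 3.1 example: Secret users, Top Secret data, no categories.
    print("S/TS ->", minimum_class_open("S", "TS"))       # (2, 'B2')
    header = "".join(f"{c[0]:>6}" for c in TABLE5_COLUMNS)
    print(f"{'':>8}{header}")
    for clr, row in open_environment_matrix().items():
        print(f"{clr:>8}" + "".join(f"{c:>6}" for c in row))
```

- Because the block follows the formula and Table 2 rather than reading Table 3, it gives U/TS a risk index of 5 (the Rmax of Top Secret), which agrees with the asterisk in the U row of Table 5 although Table 3 as printed above shows 4 there.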
-
- TABLE 4
-
- COMPUTER SECURITY REQUIREMENTS FOR OPEN SECURITY ENVIRONMENTS
-
- RISK INDEX   SECURITY OPERATING MODE            MINIMUM CRITERIA CLASS^1
-
- 0            Dedicated                          No Prescribed Minimum^2
- 0            System High                        C2^3
- 1            Limited Access, Controlled,        B1^4
-              Compartmented, Multilevel
- 2            Limited Access, Controlled,        B2
-              Compartmented, Multilevel
- 3            Controlled, Multilevel             B3
- 4            Multilevel                         A1
- 5            Multilevel                         *
- 6            Multilevel                         *
- 7            Multilevel                         *
-
-
-
-
- 1 The asterisk (*) indicates that computer protection for environments with
- that risk index is considered to be beyond the state of current technology.
- Such environments must augment technical protection with personnel or
- administrative security safeguards.
-
- 2 Although there is no prescribed minimum, the integrity and denial of service
- requirements of many systems warrant at least class C1 protection.
-
- 3 If the system processes sensitive or classified data, at least a class C2
- system is required. If the system does not process sensitive or classified
- data, a class C1 system is sufficient.
-
- 4 Where a system processes classified or compartmented data and some users do
- not have at least a Confidential clearance, or when there are more than two
- types of compartmented information being processed, at least a class B2 system
- is required.
-
-
- TABLE 5
-
- SECURITY INDEX MATRIX FOR OPEN SECURITY ENVIRONMENTS^1
-
-                                     Maximum Data Sensitivity
-
-                               U    N    C    S    TS   1C    MC
-
-                    U          C1   B1   B2   B3   *    *     *
- Minimum            N          C1   C2   B2   B2   A1   *     *
- Clearance or       C          C1   C2   C2   B1   B3   A1    *
- Authorization      S          C1   C2   C2   C2   B2   B3    A1
- of System          TS(BI)     C1   C2   C2   C2   C2   B2    B3
- Users              TS(SBI)    C1   C2   C2   C2   C2   B1    B2
-                    1C         C1   C2   C2   C2   C2   C2^2  B1^3
-                    MC         C1   C2   C2   C2   C2   C2^2  C2^2
-
-
- 1 Environments for which either C1 or C2 is given are for systems that operate
- in system high mode. No minimum level of trust is prescribed for systems that
- operate in dedicated mode. Categories are ignored in the matrix, except for
- their inclusion at the TS level.
-
- 2 It is assumed that all users are authorized access to all categories present
- in the system. If some users are not authorized for all categories, then a
- class B1 system or higher is required.
-
- 3 Where there are more than two categories, at least a class B2 system is
- required.
-
- U = Uncleared or Unclassified
- N = Not Cleared but Authorized Access to Sensitive Unclassified Information or
- Not Classified but Sensitive
- C = Confidential
- S = Secret
- TS = Top Secret
- TS(BI) = Top Secret (Background Investigation)
- TS(SBI) = Top Secret (Special Background Investigation)
- 1C = One Category
- MC = Multiple Categories
-
-
- In system high mode, all users have sufficient security clearances and category
- authorizations for all data, but some users do not have a need-to-know for all
- information in the system.(10) Systems that operate in system high mode thus
- are relied on to protect information from users who do not have the appropriate
- need-to-know. Where classified or sensitive unclassified data is involved, no
- less than a class C2 system is allowable due to the need for individual
- accountability.
-
- In accordance with policy, individual accountability requires that individual
- system users be uniquely identified and an automated audit trail kept of their
- actions. Class C2 systems are the lowest in the hierarchy of trusted systems
- to provide individual accountability and are therefore required where sensitive
- or classified data is involved. The only case where no sensitive or classified
- data is involved is the case in which the maximum sensitivity of data is
- unclassified. In this case, hardware and software controls are still required
- to allow users to protect project or private information and to keep other
- users from accidentally reading or destroying their data. However, since there
- is no officially sensitive data involved, individual accountability is not
- required and a class C1 system suffices. In system high mode sensitivity
- labels are not required for making access control decisions. In this mode
- access is based on the need-to-know, which is based on permissions (e.g., group
- A has access to file A), not on sensitivity labels. The type of access control
- used to provide need-to-know protection is called discretionary access control.
- It is defined as a means of restricting access to objects based on the identity
- of subjects and/or groups to which the subjects belong. All systems above
- Division D provide discretionary access control mechanisms. These mechanisms
- are more finely grained in class C2 systems than in Class C1 systems in that
- they provide the capability of including or excluding access to the granularity
- of a single user. Division C systems (C1 and C2) do not possess the capability
- to provide trusted labels on output. Therefore, output from these systems must
- be labeled at the system high level and manually reviewed by a responsible
- individual to determine the correct sensitivity prior to release beyond the
- perimeter of the system high protections of the system.(10)
-
- Environments with a risk index of 1 or higher encompass systems operating in
- controlled, compartmented, and multilevel modes. These environments require
- mandatory access control, which is the type of access control used to provide
- protection based on sensitivity labels. It is defined as a means of
- restricting access to objects based on the sensitivity (as represented by a
- label) of the information contained in the objects and the formal clearance or
- authorization of subjects to access information of such sensitivity. Division
- B and A systems provide mandatory access control, and are therefore required
- for all environments with risk indices of 1 or greater.
-
- The need for internal labeling has a basis in policy, in that DoD Regulation
- 5200.1-R requires computer systems that process sensitive or classified data to
- provide internal classification markings.(3) Other requirements also exist.
-
- Example: The DCID entitled "Security Controls on the Dissemination of
- Intelligence Information" requires that security control markings be
- "associated (in full or abbreviated form) with data stored or processed in
- automatic data processing systems."(14)
-
- Sensitivity labeling is also required for sensitive unclassified data.(15,16)
-
- Example: Data protected by Freedom of Information (FOI) Act exemptions
- must be labeled as being "exempt from mandatory disclosure under the FOI
- Act."(15)
-
- This example illustrates not only the need for labeling but also the fact that
- the purpose of FOI Act exemptions is to provide access control protection for
- sensitive data. In summary, it is a required administrative security practice
- that classified and unclassified sensitive information be labeled and
- controlled based on the labels. It follows that prudent computer security
- practice requires similar labeling and mandatory access control.
-
- The minimum class recommended for environments requiring mandatory access
- control is class B1, since class B1 systems are the lowest in the hierarchy of
- trusted systems to provide mandatory access control.
-
- Example: Where no categories are involved, systems with minimum
- clearance/maximum data sensitivity pairings of U/N and C/S have a risk
- index of 1 and thus require at least a class B1 system.
-
- Some systems that operate in system high mode use mandatory access control for
- added protection within the system high environment, even though the controls
- are not relied upon to properly label and protect data passing out of the
- system high environment. There has also been a recommendation that mandatory
- access controls (i.e., class B1 or higher systems) be used whenever data at two
- or more sensitivity levels is being processed, even if everyone is fully
- cleared, in order to reduce the likelihood of mixing data from files of higher
- sensitivity with data of files of lower sensitivity and releasing the data at
- the lower sensitivity.(17) These points reaffirm the fact that the classes
- identified in the requirements are minimum values.
-
- This report emphasizes that output from a system operating in system high mode
- must be stamped with the sensitivity and category labels of the most sensitive
- data in the system until the data is examined by a responsible individual and
- its true sensitivity level and category are determined. If a system can only
- be trusted for system high operation, its labels cannot be assumed to
- accurately reflect data sensitivity. The use of division B or A systems does
- not necessarily solve this problem.
-
- Example: Take the case of a system in an open security environment that
- processes data classified up to Secret and supports some users who have
- only Confidential clearances. According to the requirements, such a
- situation represents a risk index of 1 and thus requires a class B1
- system. Some of the reports produced by the system might be unclassified.
- Nevertheless, such a report cannot be forwarded to uncleared people until
- the report is examined and its contents determined to be unclassified.
- Without the existence of such a review, the recipient becomes an indirect
- user and the risk index becomes 3. A class B1 system no longer provides
- adequate data protection. Therefore, even though the system is trusted to
- properly label and segregate Confidential and Secret data, it is not
- simultaneously trusted to properly label and segregate unclassified data.
-
- Systems with a risk index of 2 require more trust than can be placed in a class
- B1 system. Where no categories are involved, class B2 systems are the minimum
- required for minimum clearance/maximum data sensitivity pairings such as U/C,
- N/S and S/TS, all of which have a risk index of 2. Class B2 systems have
- several characteristics that justify this increased trust:
-
- a. The Trusted Computing Base (TCB) is carefully structured into
- protection-critical and nonprotection-critical elements. The TCB
- interface is well defined, and the TCB design and implementation
- enable it to be subjected to more thorough testing and more complete
- review.
-
- b. The TCB is based on a clearly defined and documented formal security
- policy model that requires the discretionary and mandatory access
- control enforcement found in class B1 systems to be extended to all
- subjects and objects in the system. That is, security rules are more
- rigorously defined and have a greater influence on system design.
-
- c. Authentication mechanisms are strengthened, making it more difficult
- for a malicious user or malicious software to improperly intervene in
- the login process.
-
- d. Stringent configuration management controls are imposed for life-cycle
- assurance.
-
- e. Covert channels are addressed to defend against their exploitation by
- malicious software.(18) A covert channel is a communication channel
- that violates the system's security policy.
-
- Because of these and other characteristics, class B2 systems are relatively
- resistant to penetration. A risk index of 3, however, requires greater
- resistance to penetration. Class B3 systems are highly resistant to
- penetration and are the minimum required for situations with a risk index of 3
- such as those with minimum clearance/maximum data sensitivity pairings of U/S,
- C/TS, S/TS with one category, and TS(BI)/TS with multiple categories.
- Characteristics that distinguish class B3 from class B2 systems include the
- following:
-
- a. The TCB must satisfy the reference monitor requirements that it
- mediate all accesses of subjects to objects, be tamperproof, and be
- small enough to be subjected to analysis and tests. Much effort is
- thus spent on minimizing TCB complexity.
-
- b. Enhancements are made to system audit mechanisms and system
- recovery procedures.
-
- c. Security management functions are performed by a security
- administrator rather than a system administrator.
-
- While several new features have been added to class B3 systems, the major
- distinction between class B2 and class B3 systems is the increased trust that
- can be placed in the TCB of a class B3 system. The most trustworthy systems
- defined by the Criteria are class A1 systems. Class A1 systems can be used for
- situations with a risk index of 4, such as the following minimum
- clearance/maximum data sensitivity pairings: N/TS, C/TS with one category, and
- S/TS with multiple categories. Class A1 systems are functionally equivalent to
- those in class B3 in that no additional architectural features or policy
- requirements are added. The distinguishing characteristic of systems in this
- class is the analysis derived from formal design specification and verification
- techniques and the resulting high degree of assurance that the TCB is correctly
- implemented. In addition, more stringent configuration management is required
- and procedures are established for securely distributing the system to sites.
-
- The capability to support systems in open security environments with a risk
- index of 5 or greater is considered to be beyond the state-of-the-art. For
- example, technology today does not provide adequate security protection for an
- open environment with uncleared users and Top Secret data. Such environments
- must rely on physical, personnel, or information security solutions or on such
- technical approaches as periods processing.
-
- 4.0 COMPUTER SECURITY REQUIREMENTS FOR CLOSED
- SECURITY ENVIRONMENTS
-
-
- This section discusses the application of the Computer Security Requirements to
- systems in closed security environments. A closed security environment is one
- in which system applications are adequately protected against the insertion of
- malicious logic. Appendix C describes the closed security environment in more
- detail. The main threat to the TCB from applications in this environment is
- not malicious logic, but logic containing unintentional errors that might be
- exploited for malicious purposes. As system quality reaches class B2, the
- threat from logic containing unintentional errors is substantially reduced.
- This reduction permits the placement of increased trust in class B2 systems due
- to (1) the increased attention that B2 systems give to the interface between
- the application programs and the operating system, (2) the formation of a more
- centralized TCB, and (3) the elimination of penetration flaws. Nevertheless,
- the evaluation class of B1 assigned for open security environments cannot be
- reduced to a class C1 or C2 in closed security environments because of the
- requirement for mandatory access controls.
-
- Table 6 presents the minimum evaluation class identified in the Computer
- Security Requirements for different risk indices in a closed security
- environment. The principal difference between the requirements for the open
- and closed environments is that in closed environments class B2 systems are
- trusted to provide sufficient protection for a greater risk index. As a
- result, environments are supportable that were not supportable in open
- situations (e.g., uncleared user on a system processing Top Secret data).
- Table 7 illustrates the requirements' impact on individual minimum
- clearance/maximum data sensitivity pairings.
-
- TABLE 6
-
- COMPUTER SECURITY REQUIREMENTS FOR CLOSED SECURITY ENVIRONMENTS
-
-   RISK INDEX   SECURITY OPERATING MODE            MINIMUM CRITERIA CLASS[1]
-
-       0        Dedicated                          No Prescribed Minimum[2]
-       0        System High                        C2[3]
-       1        Limited Access, Controlled,        B1[4]
-                Compartmented, Multilevel
-       2        Limited Access, Controlled,        B2
-                Compartmented, Multilevel
-       3        Controlled, Multilevel             B2
-       4        Multilevel                         B3
-       5        Multilevel                         A1
-       6        Multilevel                         *
-       7        Multilevel                         *
-
- [1] The asterisk (*) indicates that computer protection for environments with
- that risk index is considered to be beyond the state of current technology.
- Such environments must augment technical protection with physical, personnel,
- and/or administrative safeguards.
-
- [2] Although there is no prescribed minimum, the integrity and denial of service
- requirements of many systems warrant at least class C1 protection.
-
- [3] If the system processes sensitive or classified data, at least a class C2
- system is required. If the system does not process sensitive or classified
- data, a class C1 system is sufficient.
-
- [4] Where a system processes classified or compartmented data and some users do
- not have at least a Confidential clearance, at least a class B2 system is
- required.
-
- TABLE 7
-
- SECURITY INDEX MATRIX FOR CLOSED SECURITY ENVIRONMENTS[1]
-
-                                    Maximum Data Sensitivity
-
-                            U    N    C    S    TS   1C     MC
-
-                  U         C1   B1   B2   B2   A1   *      *
-   Minimum        N         C1   C2   B1   B2   B3   A1     *
-   Clearance or   C         C1   C2   C2   B1   B2   B3     A1
-   Authorization  S         C1   C2   C2   C2   B2   B2     B3
-   of System      TS(BI)    C1   C2   C2   C2   C2   B2     B2
-   Users          TS(SBI)   C1   C2   C2   C2   C2   B1     B2
-                  1C        C1   C2   C2   C2   C2   C2[2]  B1[3]
-                  MC        C1   C2   C2   C2   C2   C2[2]  C2[2]
-
- [1] Environments for which either C1 or C2 is given are for systems that operate
- in system high mode. There is no prescribed minimum level of trust for systems
- that operate in dedicated mode. Categories are ignored in the matrix, except
- for their inclusion at the TS level.
-
- [2] It is assumed that all users are authorized access to all categories on the
- system. If some users are not authorized for all categories, then a class B1
- system or higher is required.
-
- [3] Where there are more than two categories, at least a class B2 system is
- required.
-
- U = Uncleared or Unclassified
- N = Not Cleared but Authorized Access to Sensitive Unclassified Information or
- Not Classified but Sensitive
- C = Confidential
- S = Secret
- TS = Top Secret
- TS(BI) = Top Secret (Background Investigation)
- TS(SBI) = Top Secret (Special Background Investigation)
- 1C = One Category
- MC = Multiple Categories
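- The following is an added example, not part of this standard: it encodes Table 7 and its footnotes in Python, together with the "system users" rule from Appendix B.1 that an indirect recipient of output not reliably reviewed for classification counts as a user, so that the report-forwarding situation described in Section 3 can be re-evaluated under the closed-environment matrix. The names Person, effective_minimum_clearance, minimum_class_closed and meets_requirement are this example's own, and the scenario values are constructed.

```python
"""Minimum evaluation class for a closed security environment (Table 7).

Added example, not part of CSC-STD-004-85. It encodes Table 7 with its
footnotes plus the Appendix B.1 rule that indirect recipients of output
not reliably reviewed for classification count as system users, so the
lowest such clearance selects the row of the matrix.
"""
from dataclasses import dataclass

# Row and column order of Table 7, lowest to highest.
CLEARANCES = ["U", "N", "C", "S", "TS(BI)", "TS(SBI)", "1C", "MC"]
SENSITIVITIES = ["U", "N", "C", "S", "TS", "1C", "MC"]
# Evaluation classes from least to most trusted; "*" means beyond the
# state of current technology (Table 6, note 1).
CLASS_ORDER = ["C1", "C2", "B1", "B2", "B3", "A1", "*"]

# Table 7: rows are minimum clearance, columns are maximum data sensitivity.
TABLE_7 = {
    "U":       ["C1", "B1", "B2", "B2", "A1", "*",  "*"],
    "N":       ["C1", "C2", "B1", "B2", "B3", "A1", "*"],
    "C":       ["C1", "C2", "C2", "B1", "B2", "B3", "A1"],
    "S":       ["C1", "C2", "C2", "C2", "B2", "B2", "B3"],
    "TS(BI)":  ["C1", "C2", "C2", "C2", "C2", "B2", "B2"],
    "TS(SBI)": ["C1", "C2", "C2", "C2", "C2", "B1", "B2"],
    "1C":      ["C1", "C2", "C2", "C2", "C2", "C2", "B1"],
    "MC":      ["C1", "C2", "C2", "C2", "C2", "C2", "C2"],
}


@dataclass(frozen=True)
class Person:
    """Someone who touches the system (hypothetical type for this example).
    Indirect people receive output or supply input without a connection."""
    clearance: str
    direct: bool = True
    reviewed: bool = True  # output/input reliably reviewed for classification?


def effective_minimum_clearance(people):
    """Lowest clearance among direct users and indirect recipients whose
    output is not reliably reviewed: the Appendix B.1 'system users'."""
    users = [p for p in people if p.direct or not p.reviewed]
    if not users:
        raise ValueError("no system users identified")
    return min((p.clearance for p in users), key=CLEARANCES.index)


def minimum_class_closed(min_clearance, max_sensitivity,
                         all_users_authorized_all_categories=True,
                         category_count=1):
    """Minimum class from Table 7, applying footnotes 2 and 3."""
    required = TABLE_7[min_clearance][SENSITIVITIES.index(max_sensitivity)]
    # Footnote 2: the C2 entries in the 1C and MC columns assume every user
    # is authorized for every category; otherwise at least B1 is required.
    if (max_sensitivity in ("1C", "MC") and required == "C2"
            and not all_users_authorized_all_categories):
        required = "B1"
    # Footnote 3: the 1C/MC entry rises from B1 to B2 beyond two categories.
    if min_clearance == "1C" and max_sensitivity == "MC" and category_count > 2:
        required = "B2"
    return required


def meets_requirement(evaluated_class, required_class):
    """True if a system evaluated at evaluated_class meets the minimum.
    Nothing meets "*": such environments need non-technical safeguards."""
    if required_class == "*":
        return False
    return CLASS_ORDER.index(evaluated_class) >= CLASS_ORDER.index(required_class)


def required_class_for(people, max_sensitivity, **category_kwargs):
    """Combine the system-users rule with the Table 7 lookup."""
    return minimum_class_closed(effective_minimum_clearance(people),
                                max_sensitivity, **category_kwargs)


if __name__ == "__main__":
    # Constructed scenario mirroring the Section 3 report-forwarding example,
    # evaluated here in a closed environment: Secret data, direct users cleared
    # Confidential, and an uncleared recipient of printed reports.
    staff = [Person("C"), Person("S")]
    unreviewed = Person("U", direct=False, reviewed=False)
    reviewed = Person("U", direct=False, reviewed=True)
    print(required_class_for(staff, "S"))                 # B1
    print(required_class_for(staff + [unreviewed], "S"))  # B2: recipient is a user
    print(required_class_for(staff + [reviewed], "S"))    # B1: review removes them
    print(minimum_class_closed("U", "TS"))                # A1 (closed environment)
```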
-
- APPENDIX A
-
- SUMMARY OF CRITERIA
-
- The DoD Trusted Computer System Evaluation
- Criteria(4) provides a basis for specifying security requirements and a metric
- with which to evaluate the degree of trust that can be placed in a computer
- system. These criteria are hierarchically ordered into a series of evaluation
- classes where each class embodies an increasing amount of trust. A summary of
- each evaluation class is presented in this appendix. This summary should not
- be used in place of the Criteria. The evaluation criteria are based on six
- fundamental security requirements that deal with controlling access to
- information. These requirements can be summarized as follows:
-
- a. Security policy--There must be an explicit and well-defined security
- policy enforced by the system.
-
- b. Marking--Access control labels must be associated with objects.
-
- c. Identification--Individual subjects must be identified.
-
- d. Accountability--Audit information must be selectively kept and
- protected so that actions affecting security can be traced to the
- responsible party.
-
- e. Assurance--The computer system must contain hardware and software
- mechanisms that can be evaluated independently to provide sufficient
- assurance that the system enforces the security policy.
-
- f. Continuous protection--The trusted mechanisms that enforce the
- security policy must be protected continuously against tampering and
- unauthorized changes.
-
- The evaluation criteria are divided into four divisions--D, C, B, and A;
- divisions C, B, and A are further subdivided into classes. Division D
- represents minimal protection, and class A1 is the most trustworthy and
- desirable from a computer security point of view.
-
- The following overviews are excerpts from the Criteria:
-
- Division D: Minimal Protection. This division contains only one class. It is
- reserved for those systems that have been evaluated but fail to meet the
- requirements for a higher evaluation class.
-
- Division C: Discretionary Protection. Classes in this division provide for
- discretionary (need-to-know) protection and accountability of subjects and the
- actions they initiate, through inclusion of audit capabilities.
-
- Class C1: Discretionary Security Protection. The TCB of class C1 systems
- nominally satisfies the discretionary security requirements by providing
- separation of users and data. It incorporates some form of credible controls
- capable of enforcing access limitations on an individual basis, i.e.,
- ostensibly suitable for allowing users to be able to protect project or private
- information and to keep other users from accidentally reading or destroying
- their data. The class C1 environment is expected to be one of cooperating
- users processing data at the same level(s) of sensitivity.
-
- Class C2: Controlled Access Protection. Systems in this class enforce a
- more finely grained discretionary access control than class C1 systems, making
- users individually accountable for their actions through login procedures,
- auditing of security-relevant events, and resource encapsulation.
-
- Division B: Mandatory Protection. The notion of a TCB that preserves the
- integrity of sensitivity labels and uses them to enforce a set of mandatory
- access control rules is a major requirement in this division. Systems in this
- division must carry the sensitivity labels with major data structures in the
- system. The system developer also provides the security policy model on which
- the TCB is based and furnishes a specification of the TCB. Evidence must be
- provided to demonstrate that the reference monitor concept has been
- implemented.
-
- Class B1: Labeled Security Protection. Class B1 systems require all the
- features required for class C2. In addition, an informal statement of the
- security policy model, data labeling, and mandatory access control over named
- subjects and objects must be present. The capability must exist for accurately
- labeling exported information. Any flaws identified by testing must be removed.
-
- Class B2: Structured Protection. In class B2 systems, the TCB is based on
- a clearly defined and documented formal security policy model that requires the
- discretionary and mandatory access control enforcement found in B1 systems be
- extended to all subjects and objects in the system. In addition, covert
- channels are addressed. The TCB must be carefully structured into
- protection-critical and nonprotection-critical elements. The TCB interface is
- well defined and the TCB design and implementation enable it to be subjected to
- more thorough testing and more complete review. Authentication mechanisms are
- strengthened, trusted facility management is provided in the form of support
- for systems administrator and operator functions, and stringent configuration
- management controls are imposed. The system is relatively resistant to
- penetration.
-
- Class B3: Security Domains. The class B3 TCB must satisfy the reference
- monitor requirements that it mediate all accesses of subjects to objects, be
- tamperproof, and be small enough to be subjected to analysis and tests. To this
- end, the TCB is structured to exclude code not essential to security policy
- enforcement, with significant software engineering during TCB design and
- implementation directed toward minimizing its complexity. A security
- administrator is supported, audit mechanisms are expanded to signal security-
- relevant events, and system recovery procedures are required. The system is
- highly resistant to penetration.
-
- Division A: Verified Protection. This division is characterized by the use
- of formal security verification methods to assure that the mandatory and
- discretionary security controls employed in the system can effectively protect
- the classified and other sensitive information stored or processed by the
- system. Extensive documentation is required to demonstrate that the TCB meets
- the security requirements in all aspects of design, development, and
- implementation.
-
- Class A1: Verified Design. Systems in class A1 are functionally equivalent
- to those in class B3 in that no additional architectural features or policy
- requirements have been added. The distinguishing feature of systems in this
- class is the analysis derived from formal design specification and verification
- techniques and the resulting high degree of assurance that the TCB is correctly
- implemented. This assurance is developmental in nature starting with a formal
- model of security policy and a formal top-level specification (FTLS) of the
- design. In keeping with the extensive design and development analysis of the
- TCB required of systems in class A1, more stringent configuration management is
- required and procedures are established for securely distributing the system to
- sites. A system security administrator is supported.
-
- APPENDIX B
-
- DETAILED DESCRIPTION OF CLEARANCES AND DATA
- SENSITIVITIES
-
- This appendix describes in detail the clearances and data sensitivities (e.g.,
- classification) introduced in the body of the report.
-
- B.1 Clearances
-
- This section defines increasing levels of clearance or authorization of system
- users. System users include not only those users with direct connections to the
- system but also those users without direct connections who might receive output
- or generate input that is not reliably reviewed for classification by a
- responsible individual.
-
- a. Uncleared (U)--Personnel with no clearance or authorization.
- Permitted access to any information for which there are no specified
- controls, such as openly published information.
-
- b. Unclassified Information (N)--Personnel who are authorized access to
- sensitive unclassified (e.g., For Official Use Only (FOUO)) information,
- either by an explicit official authorization or by an implicit
- authorization derived from official assignments or responsibilities.(15)
-
- c. Confidential Clearance (C)--Requires U.S. citizenship and typically
- some limited records checking.(19) In some cases, a National Agency
- Check (NAC) is required (e.g., for U.S. citizens employed by colleges or
- universities).(20)
-
- d. Secret Clearance (S)--Typically requires a NAC, which consists of
- searching the Federal Bureau of Investigation fingerprint and
- investigative files and the Defense Central Index of Investigations.(19)
- In some cases, further investigation is required.
-
- e. Top Secret Clearance based on a current Background Investigation
- (TS(BI))--Requires an investigation that consists of a NAC, personal
- contacts, record searches, and written inquiries. A BI typically
- includes an investigation extending back 5 years, often with a spot
- check investigation extending back 15 years.(19)
-
- f. Top Secret Clearance based on a current Special Background
- Investigation (TS(SBI))--Requires an investigation that, in addition to
- the investigation for a BI, includes additional checks on the subject's
- immediate family (if foreign born) and spouse and neighborhood
- investigations to verify each of the subject's former residences in the
- United States where he resided six months or more. An SBI typically
- includes an investigation extending back 15 years.(19)
-
- g. One category (1C)[1]--In addition to a TS(SBI) clearance, written
- authorization for access to one category of information is required.
- Authorizations are the access rights granted to a user by a responsible
- individual (e.g., security officer).
-
- h. Multiple categories (MC)[1]--In addition to a TS(SBI) clearance, written
- authorization for access to multiple categories of information is
- required.
-
- The extent of investigation required for a particular clearance varies based
- both on the background of the individual under investigation and on derogatory
- or questionable information disclosed during the investigation. Identical
- clearances are assumed to be equivalent, however, despite differences in the
- amount of investigation performed.
-
- Individuals from non-DoD agencies might be issued DoD clearances if the
- clearance obtained in their agency can be equated to a DoD clearance. For
- example, the "Q" and "L" clearances granted by both the Department of Energy
- and the Nuclear Regulatory Commission are considered acceptable for issuance of
- a DoD industrial personnel security clearance.(20) The "Q" clearance is
- considered an authoritative basis for a DoD Top Secret clearance (based on a
- BI) and the "L" clearance is considered an authoritative basis for a DoD Secret
- clearance.(20)
-
- Foreign individuals might be granted access to classified U.S. information
- although they do not have a U.S. clearance. Access to classified information
- by foreign nationals, foreign governments, international organizations, and
- immigrant aliens is addressed by National Disclosure Policy, DoD Directive
- 5230.11, and DoD Regulation 5200.1-R.(3,21,22) The minimum user clearance
- rating table applies in such cases if the foreign clearance can be equated to
- one of the clearance or authorization levels in the table.
-
- B.2 Data Sensitivities
-
- Increasing levels of data sensitivity are defined as follows:
-
- a. Unclassified (U)--Data that is not sensitive or classified: publicly
- releasable information within a computer system. Note that such data
- might still require discretionary access controls to protect it from
- accidental destruction.
-
- b. Not Classified but Sensitive (N)--Unclassified but sensitive data. Much
- of this is FOUO data, which is that unclassified data that is exempt
- from release under the Freedom of Information Act.(15) This includes
- data such as the following:
-
- 1. Manuals for DoD investigators or auditors.
-
-
- [1] These are actually authorizations rather than clearance levels, but they are
- included here to emphasize their importance.
-
- 2. Examination questions and answers used in determination of the
- qualification of candidates for employment or promotion.
-
- 3. Data that a statute specifically exempts from disclosure, such as
- Patent Secrecy data.(23)
-
- 4. Data containing trade secrets or commercial or financial
- information.
-
- 5. Data containing internal advice or recommendations that reflect
- the decision-making process of an agency.(24)
-
- 6. Data in personnel, medical, or other files that, if disclosed, would
- result in an invasion of personal privacy.(25)
-
- 7. Investigative records.
-
- DoD Directive 5400.7 prohibits any material other than that cited in FOI Act
- exemptions from being considered or marked FOUO.(15) One other form of
- unclassified sensitive data is that pertaining to unclassified technology with
- military application.(16) This refers primarily to documents that are
- controlled under the Scientific and Technical Information Program or acquired
- under the Defense Technical Data Management Program.(26,27) In addition to
- specific requirements for protection of particular forms of unclassified
- sensitive data, there are two general mandates. The first is Title 18, U.S.
- Code 1905, which makes it unlawful for any officer or employee of the U.S.
- Government to disclose information of an official nature except as provided by
- law, including when such information is in the form of data handled by
- computer systems.(28) Official data is data that is owned by, produced by or
- for, or is under the control of the DoD. The second is Office of Management
- and Budget (OMB) Circular A-71, Transmittal Memorandum Number 1, which
- establishes requirements for Federal agencies to protect sensitive data.(30)
-
- c. Confidential (C)--Applied to information, the unauthorized disclosure of
- which reasonably could be expected to cause damage to the national
- security.(3)
-
- d. Secret (S)--Applied to information, the unauthorized disclosure of which
- reasonably could be expected to cause serious damage to the national
- security.(3)
-
- e. Top Secret (TS)--Applied to information, the unauthorized disclosure of
- which reasonably could be expected to cause exceptionally grave
- damage to the national security.(3)
-
- f. One Category (1C)[2]--Applied to Top Secret Special Intelligence
- information (e.g., Sensitive Compartmented Information (SCI)) or
- operational information (e.g., Single Integrated Operational
- Plan/Extremely Sensitive Information (SIOP/ESI)) that requires
- special controls for restrictive handling.(3) Access to such
- information requires authorization by the office responsible for the
- particular compartment. Compartments also exist at the C and S levels
- (see the discussion below).
-
- g. Multiple Categories (MC)[2]--Applied to Top Secret Special Intelligence
- or operational information that requires special controls for
- restrictive handling. This sensitivity level differs from the 1C level
- only in that there are multiple compartments involved. The number can
- vary from two to many, with corresponding increases in the risk
- involved.
-
- Data sensitivity groupings are not limited to the hierarchical levels discussed
- in Section B.2. Nonhierarchical sensitivity categories such as NOFORN and
- PROPIN are also used.(14) Compartmented information is also included under the
- term sensitivity categories, as is information revealing sensitive intelligence
- sources and methods. Other sources of sensitivity categories include (a) the
- Atomic Energy Act of 1954, (b) procedures based on International Treaty
- requirements, and (c) programs for the collection of foreign intelligence or
- under the jurisdiction of the National Foreign Intelligence Advisory Board or
- the National Communications Security Subcommittee.(11,32,33,34,35) Such
- nonhierarchical sensitivity categories can occur at each hierarchical
- sensitivity level.
-
- [2] These are actually categories rather than classification levels. They are
- included here to emphasize their importance.
-
- APPENDIX C
-
- ENVIRONMENTAL TYPES
-
- The amount of computer security required in a
- system depends not only on the risk index (Section 2) but also on the nature of
- the environment. The two environmental types of systems defined in this
- document are based on whether the applications that are processed by the TCB
- are adequately protected against the insertion of malicious logic. A system
- whose applications are not adequately protected is referred to as being in an
- open environment. If the applications are adequately protected, the system is
- in a closed environment. The presumption is that systems in open environments
- are more likely to have malicious applications than systems in closed
- environments. Most systems are in open environments.
-
- Before defining the two environmental categories in more detail, it is
- necessary to define several terms.
-
- a. Environment. The aggregate of external circumstances, conditions,
- and objects that affect the development, operation, and maintenance of
- a system.
-
- b. Application. Those portions of a system, including portions of the
- operating system, that are not responsible for enforcing the system's
- security policy.
-
- c. Malicious Logic. Hardware, software, or firmware that is intentionally
- included for the purpose of causing loss or harm (e.g., Trojan horses).
-
- d. Configuration Control. Management of changes made to a system's
- hardware, software, firmware, and documentation throughout the
- development and operational life of the system.
-
- C.1 Open Security Environment
-
- Based on these definitions, an open security environment includes those systems
- in which either of the following conditions holds true:
-
- a. Application developers (including maintainers) do not have sufficient
- clearance (or authorization) to provide an acceptable presumption that
- they have not introduced malicious logic. Sufficient clearance is
- defined as follows: where the maximum classification of data to be
- processed is Confidential or below, developers are cleared and
- authorized to the same level as the most sensitive data; where the
- maximum classification of data to be processed is Secret or above,
- developers have at least a Secret clearance.
-
- b. Configuration control does not provide sufficient assurance that
- applications are protected against the introduction of malicious logic
- prior to or during the operation of system applications.
-
- Configuration control, by the broad definition above, encompasses all factors
- associated with the management of changes to a system. For example, it
- includes the factor that the application's user interface might present a
- sufficiently extensive set of user capabilities such that the user cannot be
- prevented from entering malicious logic through the interface itself.
-
- In an open security environment, the malicious application logic that is
- assumed to be present can attack the TCB in two ways. First, it can attempt to
- thwart TCB controls and thereby "penetrate" the system. Secondly, it can
- exploit covert channels that might exist in the TCB. This distinction is
- important in understanding the threat and how it is addressed by the features
- and assurances in the Criteria.
-
- C.2 Closed Security Environment
-
- A closed security environment includes those systems in which both of the
- following conditions hold true:
-
- a. Applications developers (including maintainers) have sufficient
- clearances and authorizations to provide an acceptable presumption
- that they have not introduced malicious logic.
-
- b. Configuration control provides sufficient assurance that applications
- are protected against the introduction of malicious logic prior to and
- during the operation of system applications.
-
- Clearances are required for assurance against malicious applications logic
- because there are few other tools for assessing the security-relevant behavior
- of application hardware and software. On the other hand, several assurance
- requirements from the Criteria help to provide confidence that the TCB does not
- contain malicious logic. These assurance requirements include extensive
- functional testing, penetration testing, and correspondence mapping between a
- security model and the design. Application logic typically does not have such
- stringent assurance requirements. Indeed, typically it is not practical to
- build all application software to the same standards of quality required for
- security software.
-
- The configuration control condition implicitly includes the requirement that
- users be provided a sufficiently limited set of capabilities to pose an
- acceptably low risk of entering malicious logic. Examples of systems with such
- restricted interfaces might include those that offer no data sharing services
- and permit the user only to execute predefined processes that run on his
- behalf, such as message handlers, transaction processors, and security
- "filters" or "guards."
-
- GLOSSARY
-
- For additional definitions, refer to the Glossary in the DoD Trusted Computer
- System Evaluation Criteria.(4)
-
- Application
- Those portions of a system, including portions of the operating system, that
- are not responsible for enforcing the security policy.
-
- Category
- A grouping of classified or unclassified but sensitive information, to which
- an additional restrictive label is applied (e.g., proprietary, compartmented
- information).
-
- Classification
- A determination that information requires, in the interest of national
- security, a specific degree of protection against unauthorized disclosure
- together with a designation signifying that such a determination has been
- made. (Adapted from DoD Regulation 5200.1-R.)(3) Data classification is
- used along with categories in the calculation of risk index.
-
- Closed Security Environment
- An environment that includes those systems in which both of the following
- conditions hold true:
-
- a. Application developers (including maintainers) have sufficient
- clearances and authorizations to provide an acceptable presumption
- that they have not introduced malicious logic. Sufficient clearance is
- defined as follows: where the maximum classification of data to be
- processed is Confidential or below, developers are cleared and
- authorized to the same level as the most sensitive data; where the
- maximum classification of data to be processed is Secret or above,
- developers have at least a Secret clearance.
-
- b. Configuration control provides sufficient assurance that applications
- are protected against the introduction of malicious logic prior to and
- during operation of system applications.
-
- Compartmented Information
- Any information for which the responsible Office of Primary Interest (OPI)
- requires an individual needing access to that information to possess a
- special authorization.
-
- Configuration Control
- Management of changes made to a system's hardware, software, firmware,
- and documentation throughout the developmental and operational life of
- the system.
-
- Covert Channel
- A communications channel that allows a process to transfer information in
- a manner that violates the system's security policy.(4)
-
- Discretionary Access Control
- A means of restricting access to objects based on the identity of subjects
- and/or groups to which they belong. The controls are discretionary in the
- sense that a subject with a certain access permission is capable of passing
- that permission (perhaps indirectly) on to any other subject.(4)
-
- Environment
- The aggregate of external circumstances, conditions, and objects that affect
- the development, operation, and maintenance of a system. (See Open
- Security Environment and Closed Security Environment.)
-
- Label
- A piece of information that represents the security level of an object and
- that describes the sensitivity of the information in the object.
-
- Malicious Logic
- Hardware, software, or firmware that is intentionally included in a system
- for the purpose of causing loss or harm.
-
- Mandatory Access Control
- A means of restricting access to objects based on the sensitivity (as
- represented by a label) of the information contained in the objects and the
- formal authorization (i.e., clearance) of subjects to access information of
- such sensitivity.(4)
-
- Need-To-Know
- A determination made by the processor of sensitive information that a
- prospective recipient, in the interest of national security, has a
- requirement for access to, knowledge of, or possession of the sensitive
- information in order to perform official tasks or services. (Adapted from
- DoD Regulation 5220.22-R.)(20)
-
- Open Security Environment
- An environment that includes those systems in which one of the following
- conditions holds true:
-
- a. Application developers (including maintainers) do not have sufficient
- clearance or authorization to provide an acceptable presumption that
- they have not introduced malicious logic. (See the definition of Closed
- Security Environment for an explanation of sufficient clearance.)
- b. Configuration control does not provide sufficient assurance that
- applications are protected against the introduction of malicious logic
- prior to and during the operation of system applications.
-
- Risk Index
- The disparity between the minimum clearance or authorization of system
- users and the maximum classification of data processed by the system.
-
- Sensitive Information
- Information that, as determined by a competent authority, must be
- protected because its unauthorized disclosure, alteration, loss, or
- 35
-
-
- destruction will at least cause perceivable damage to someone or
- something.(4)
-
- System
- An assembly of computer hardware, software, and firmware configured for
- the purpose of classifying, sorting, calculating, computing, summarizing,
- transmitting and receiving, storing and retrieving data with a minimum of
- human intervention.
-
- System Users
- Users with direct connections to the system and also those individuals
- without direct connections who receive output or generate input that is
- not reliably reviewed for classification by a responsible individual. The
- clearance of system users is used in the calculation of the risk index.
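- The Risk Index and System Users entries together fix what goes into the index: the clearance floor is taken over system users only, and an indirect user whose input and output are reliably reviewed does not count. The following is an added example, not code from CSC-STD-004-85: a Python computation of the index. The numeric rating scales and the two-case rule are assumed from CSC-STD-003-85 (reference 1), which this glossary accompanies but which is not reproduced here; the user populations and the compartment names ALPHA, BRAVO and CHARLIE are constructed for illustration.

```python
"""Added example, not part of CSC-STD-004-85: computing a system's risk index
from the glossary definitions of Risk Index and System Users. The rating
scales and the two-case rule are assumed from CSC-STD-003-85 (reference 1);
the user populations below are constructed for illustration."""
from dataclasses import dataclass

# Rmin scale for the minimum user clearance (assumed from CSC-STD-003-85):
# TS rates 4 with a Background Investigation and 5 with a Special BI;
# 1C = TS/SBI plus one category, MC = TS/SBI plus multiple categories.
CLEARANCE_RATING = {"U": 0, "N": 1, "C": 2, "S": 3, "TS/BI": 4, "TS/SBI": 5,
                    "1C": 6, "MC": 7}
# Rmax scale for the maximum data sensitivity; note TS data rates 5, not 4.
DATA_RATING = {"U": 0, "N": 1, "C": 2, "S": 3, "TS": 5, "1C": 6, "MC": 7}


@dataclass(frozen=True)
class User:
    name: str
    clearance: str                       # key of CLEARANCE_RATING
    categories: frozenset = frozenset()  # compartments the user is authorized for
    direct: bool = True                  # directly connected to the system
    output_reviewed: bool = False        # indirect user's I/O reliably reviewed?

    def is_system_user(self) -> bool:
        # Glossary "System Users": direct connections always count; an indirect
        # user counts only when no responsible individual reliably reviews
        # the classification of what they send or receive.
        return self.direct or not self.output_reviewed


def risk_index(users, max_data: str, system_categories=frozenset()) -> int:
    """Risk index (rule assumed from CSC-STD-003-85).
    Case a: Rmin < Rmax  -> Rmax - Rmin.
    Case b: Rmin >= Rmax -> 1 if some system user lacks authorization for a
    category present on the system, else 0."""
    sys_users = [u for u in users if u.is_system_user()]
    if not sys_users:
        raise ValueError("no system users: the clearance floor is undefined")
    rmin = min(CLEARANCE_RATING[u.clearance] for u in sys_users)
    rmax = DATA_RATING[max_data]
    if rmin < rmax:
        return rmax - rmin
    lacks_category = any(not (u.categories >= system_categories) for u in sys_users)
    return 1 if lacks_category else 0


def demo() -> dict:
    """Constructed systems; returns the index computed for each."""
    cases = {}
    # All users Secret-cleared, Secret data, no compartments: no disparity.
    cases["uniform_secret"] = risk_index([User("ann", "S"), User("ben", "S")], "S")
    # A Confidential-cleared operator on a system holding TS data: 5 - 2.
    cases["confidential_user_ts_data"] = risk_index(
        [User("ann", "TS/SBI"), User("cal", "C")], "TS")
    # Users cleared above the data: case b with no categories gives 0.
    cases["overcleared"] = risk_index([User("ann", "TS/SBI")], "C")
    # Every user rated MC, data rated MC, but ben is not read into ALPHA:
    # Rmin == Rmax, yet a category gap exists, so the index is 1.
    cases["category_gap"] = risk_index(
        [User("ann", "MC", frozenset({"ALPHA", "BRAVO"})),
         User("ben", "MC", frozenset({"BRAVO", "CHARLIE"}))],
        "MC", system_categories=frozenset({"ALPHA", "BRAVO", "CHARLIE"}))
    # An uncleared recipient of reviewed printouts is not a system user...
    reviewed = User("dee", "U", direct=False, output_reviewed=True)
    cases["reviewed_indirect_user"] = risk_index([User("ann", "S"), reviewed], "S")
    # ...but remove the review and that same person drives the index to 3.
    unreviewed = User("dee", "U", direct=False, output_reviewed=False)
    cases["unreviewed_indirect_user"] = risk_index([User("ann", "S"), unreviewed], "S")
    return cases
```

- The last two cases are the practical check the System Users definition calls for: whether a remote recipient is counted depends entirely on whether a responsible individual reliably reviews the classification of what reaches them, and that one procedural control moves the index from 0 to 3.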
- 37
-
-
-
- ACRONYMS
- A1 An evaluation class requiring a verified design
- ADP Automated Data Processing
- ADPS Automated Data Processing System
- AFSC Air Force Systems Command
-
- B1 An evaluation class requiring labeled security protection
- B2 An evaluation class requiring structured protection
- B3 An evaluation class requiring security domains
- BI Background Investigation
-
- C Confidential
- C1 An evaluation class requiring discretionary access protection
- C2 An evaluation class requiring controlled access protection
- CI Compartmented Information
- CSC Computer Security Center
- COMINT Communications Intelligence
-
- DCI Director of Central Intelligence
- DCID Director of Central Intelligence Directive
- DIAM Defense Intelligence Agency Manual
- DIS Defense Investigative Service
- DoD Department of Defense
- DoDCSC Department of Defense Computer Security Center
-
- ESD Electronic Systems Division
-
- FOI Freedom of Information
- FOUO For Official Use Only
- FTLS Formal Top-Level Specification
-
- IEEE Institute of Electrical and Electronics Engineers
-
- L A personnel security clearance granted by the Department of Energy
- and the Nuclear Regulatory Commission
-
- MC Multiple Compartments
-
- N Not Cleared but Authorized Access to Sensitive Unclassified
- Information or Not Classified but Sensitive
- NAC National Agency Check
- NATO North Atlantic Treaty Organization
- NOFORN Not Releasable to Foreign Nationals
- NSA National Security Agency
- NSA/CSS National Security Agency/Central Security Service
- NTIS National Technical Information Service
-
- OMB Office of Management and Budget
- OPI Office of Primary Interest
- OPNAV Office of the Chief of Naval Operations
- OSD Office of the Secretary of Defense
-
- PROPIN Caution--Proprietary Information Involved
- 38
-
-
-
- Q A personnel security clearance granted by the Department of Energy
- and the Nuclear Regulatory Commission
-
- S Secret
- SBI Special Background Investigation
- SCI Sensitive Compartmented Information
- SIOP Single Integrated Operational Plan
- SIOP-ESI Single Integrated Operational Plan--Extremely Sensitive Information
- SM Staff Memorandum
- STD Standard
-
- TCB Trusted Computing Base
- TS Top Secret
-
- U Uncleared or Unclassified
- U.S. United States
-
- 1C One Compartment
- 39
-
-
-
- REFERENCES
- 1. DoD Computer Security Center, Computer Security Requirements --
- Guidance for Applying the Department of Defense Trusted Computer
- System Evaluation Criteria in Specific Environments, CSC-STD-003-85, 25
- June 1985.
-
- 2. DoD Directive 5215.1, "Computer Security Evaluation Center," 25 October
- 1982.
-
- 3. DoD Regulation 5200.1-R, Information Security Program Regulation,
- August 1982.
-
- 4. DoD Computer Security Center, DoD Trusted Computer System Evaluation
- Criteria, CSC-STD-001-83, 15 August 1983.
-
- 5. Army Regulation 380-380, Automated Systems Security, 15 June 1979.
-
- 6. Office of the Chief of Naval Operations (OPNAV) Instruction 5239.1A,
- "Department of the Navy Automatic Data Processing Security Program," 3
- August 1982.
-
- 7. Air Force Regulation 205-16, Automated Data Processing System (ADPS)
- Security Policy, Procedures, and Responsibilities, 1 August 1984.
-
- 8. Marine Corps Order P5510.14, Marine Corps Automatic Data Processing
- (ADP) Security Manual, 4 November 1982.
-
- 9. DoD Directive 5220.22, "DoD Industrial Security Program," 8 December
- 1980.
-
- 10. DoD Directive 5200.28, "Security Requirements for Automatic Data
- Processing Systems," 29 April 1978.
-
- 11. DoD Manual 5200.28-M, ADP Security Manual - Techniques and
- Procedures for Implementing, Deactivating, Testing, and Evaluating
- Secure Resource-Sharing ADP Systems, 25 June 1979.
-
- 12. Defense Intelligence Agency Manual (DIAM) 50-4, "Security of
- Compartmented Computer Operations (U)," 24 June 1980,
- CONFIDENTIAL.
-
- 13. National Security Agency/Central Security Service (NSA/CSS) Directive
- 10-27, "Security Requirements for Automatic Data Processing (ADP)
- Systems," 29 March 1984.
-
- 14. Director of Central Intelligence Directive (DCID), "Security Controls on
- the Dissemination of Intelligence Information (U)," 7 January 1984,
- CONFIDENTIAL.
- 40
-
-
- 15. DoD Directive 5400.7, "DoD Freedom of Information Act Program," 24
- April 1980.
-
- 16. Office of the Secretary of Defense (OSD) Memorandum, "Control of
- Unclassified Technology with Military Application," 18 October 1983.
-
- 17. Anderson, James P., "An Approach to Identification of Minimum TCB
- Requirements for Various Threat/Risk Environments," Proceedings of the
- 1983 IEEE Symposium on Security and Privacy, 24-27 April 1983.
-
- 18. Schell, Roger R., "Evaluating Security Properties of Systems," Proceedings
- of the IEEE Symposium on Security and Privacy, 24-27 April 1983.
-
- 19. Defense Investigative Service (DIS) Manual 20-1, Manual for Personnel
- Security Investigations, 30 January 1981.
-
- 20. DoD Regulation 5220.22-R, Industrial Security Regulation, January 1983.
-
- 21. National Disclosure Policy - I, 9 September 1981.
-
- 22. DoD Directive 5230.11, "Disclosure of Classified Military Information to
- Foreign Governments and International Organizations," 31 December
- 1976.
-
- 23. Title 35, United States Code, Section 181-188, "Patent Secrecy."
-
- 24. Title 5, United States Code, Section 551, "Administrative Procedures Act."
-
- 25. DoD Directive 5400.11, "Department of Defense Privacy Program," 9 June
- 1982.
-
- 26. DoD Directive 5100.36, "Defense Scientific and Technical Information
- Program," 2 October 1981.
-
- 27. DoD Directive 5010.12, "Management of Technical Data," 5 December
- 1968.
-
- 28. Title 18, United States Code, Section 1905, "Disclosure of Confidential
- Information Generally."
-
- 29. DoD Directive 5200.1, "DoD Information Security Program," 7 June 1982.
-
- 30. Office of Management and Budget (OMB) Circular No. A-71, Transmittal
- Memorandum No. 1, "Security of Federal Automated Information Systems,"
- 27 July 1978.
-
- 31. Joint Chiefs of Staff (JCS) Staff Memorandum (SM) 313-83, Safeguarding
- the Single Integrated Operational Plan (SIOP) (U), 10 May 1983, SECRET.
-
-
- 41
-
- 32. "Security Policy on Intelligence Information in Automated Systems and
- Networks (U)," Promulgated by the DCI, 4 January 1983, CONFIDENTIAL.
-
- 33. Director of Central Intelligence Computer Security Manual (U), Prepared
- for the DCI by the Security Committee, 4 January 1983, CONFIDENTIAL.
-
- 34. DoD Directive 5210.2, "Access to and Dissemination of Restricted Data," 12
- January 1978.
-
- 35. DoD Instruction C-5210.21, "Implementation of NATO Security Procedure
- (U)," 17 December 1973, CONFIDENTIAL.
-
-