SECURITY OF FEDERAL AUTOMATED INFORMATION SYSTEMS

Document Type: 
Collection: 
Document Number (FOIA) /ESDN (CREST): 
CIA-RDP86-00674R000300080023-4
Release Decision: 
RIPPUB
Original Classification: 
S
Document Page Count: 
20
Document Creation Date: 
December 19, 2016
Document Release Date: 
March 30, 2006
Sequence Number: 
23
Case Number: 
Publication Date: 
July 27, 1978
Content Type: 
MEMO
File: 
CIA-RDP86-00674R000300080023-4.pdf (1.35 MB)
Body: 
Approved For Release 2006/04/19 : CIA-RDP86-00674R000300080023-4

OFFICE OF MANAGEMENT AND BUDGET
WASHINGTON, D.C. 20503

CIRCULAR NO. A-71
Transmittal Memorandum No. 1

TO THE HEADS OF EXECUTIVE DEPARTMENTS AND ESTABLISHMENTS

SUBJECT: Security of Federal automated information systems

1. Purpose. This Transmittal Memorandum to OMB Circular No. A-71 dated March 6, 1965 promulgates policy and responsibilities for the development and implementation of computer security programs by executive branch departments and agencies. More specifically, it:

a. Defines the division of responsibility for computer security between line operating agencies and the Department of Commerce, the General Services Administration, and the Civil Service Commission.

b. Establishes requirements for the development of management controls to safeguard personal, proprietary and other sensitive data in automated systems.

c. Establishes a requirement for agencies to implement a computer security program, and defines a minimum set of controls to be incorporated into each agency computer security program.

d. Requires the Department of Commerce to develop and issue computer security standards and guidelines.

e. Requires the General Services Administration to issue policies and regulations for the physical security of computer rooms consistent with standards and guidelines issued by the Department of Commerce; assure that agency procurement requests for automated data processing equipment, software, and related services include security requirements; and assure that all procurements made by GSA meet the security requirements established by the user agency.

f. Requires the Civil Service Commission to establish personnel security policies for Federal personnel associated with the design, operation or maintenance of Federal computer systems, or having access to data in Federal computer systems.

2. Background. Increasing use of computer and communications technology to improve the effectiveness of governmental programs has introduced a variety of new management problems. Many public concerns have been raised in regard to the risks associated with automated processing of personal, proprietary or other sensitive data. Problems have been encountered in the misuse of computer and communications technology to perpetrate crime. In other cases, inadequate administrative practices along with poorly designed computer systems have resulted in improper payments, unnecessary purchases or other improper actions. The policies and responsibilities for computer security established by this Transmittal Memorandum supplement policies currently contained in OMB Circular No. A-71.

3. Definitions. The following definitions apply for the purposes of this memorandum:

a. "Automated decisionmaking systems" are computer applications which issue checks, requisition supplies or perform similar functions based on programmed criteria, with little human intervention.

b. "Contingency plans" are plans for emergency response, back-up operations and post-disaster recovery.

c. "Security specifications" are a detailed description of the safeguards required to protect a sensitive computer application.

d. "Sensitive application" is a computer application which requires a degree of protection because it processes sensitive data or because of the risk and magnitude of loss or harm that could result from improper operation or deliberate manipulation of the application (e.g., automated decisionmaking systems).

e. "Sensitive data" is data which requires a degree of protection due to the risk and magnitude of loss or harm which could result from inadvertent or deliberate disclosure, alteration, or destruction of the data (e.g., personal data, proprietary data).

4. Responsibility of the heads of executive agencies. The head of each executive branch department and agency is responsible for assuring an adequate level of security for all agency data whether processed in-house or commercially. This includes responsibility for the establishment of physical, administrative and technical safeguards required to adequately protect personal, proprietary or other sensitive data not subject to national security regulations, as well as national security data. It also includes responsibility for assuring that automated processes operate effectively and accurately. In fulfilling this responsibility each agency head shall establish policies and procedures and assign responsibility for the development, implementation, and operation of an agency computer security program. The agency's computer security program shall be consistent with all Federal policies, procedures and standards issued by the Office of Management and Budget, the Department of Commerce, the General Services Administration and the Civil Service Commission. In consideration of problems which have been identified in relation to existing practices, each agency's computer security program shall at a minimum:

a. Assign responsibility for the security of each computer installation operated by the agency, including installations operated directly by or on behalf of the agency (e.g., government-owned contractor operated facilities), to a management official knowledgeable in data processing and security matters.

b. Establish personnel security policies for screening all individuals participating in the design, operation or maintenance of Federal computer systems or having access to data in Federal computer systems. The level of screening required by these policies should vary from minimal checks to full background investigations commensurate with the sensitivity of the data to be handled and the risk and magnitude of loss or harm that could be caused by the individual. These policies should be established for government and contractor personnel. Personnel security policies for Federal employees shall be consistent with policies issued by the Civil Service Commission.

c. Establish a management control process to assure that appropriate administrative, physical and technical safeguards are incorporated into all new computer applications and significant modifications to existing computer applications. This control process should evaluate the sensitivity of each application. For sensitive applications, particularly those which will process sensitive data or which will have a high potential for loss, such as automated decisionmaking systems, specific controls should, at a minimum, include policies and responsibilities for:

(1) Defining and approving security specifications prior to programming the applications or changes. The views and recommendations of the computer user organization, the computer installation and the individual responsible for the security of the computer installation shall be sought and considered prior to the approval of the security specifications for the application.

(2) Conducting and approving design reviews and application systems tests prior to using the systems operationally. The objective of the design reviews should be to ascertain that the proposed design meets the approved security specifications. The objective of the system tests should be to verify that the planned administrative, physical and technical security requirements are operationally adequate prior to the use of the system. The results of the design review and system test shall be fully documented and maintained as a part of the official records of the agency. Upon completion of the system test, an official of the agency shall certify that the system meets the documented and approved system security specifications, meets all applicable Federal policies, regulations and standards, and that the results of the test demonstrate that the security provisions are adequate for the application.

d. Establish an agency program for conducting periodic audits or evaluations and recertifying the adequacy of the security safeguards of each operational sensitive application, including those which process personal, proprietary or other sensitive data, or which have a high potential for financial loss, such as automated decisionmaking applications. Audits or evaluations are to be conducted by an organization independent of the user organization and computer facility manager. Recertifications should be fully documented and maintained as a part of the official documents of the agency. Audits or evaluations and recertifications shall be performed at time intervals determined by the agency, commensurate with the sensitivity of information processed and the risk and magnitude of loss or harm that could result from the application operating improperly, but shall be conducted at least every three years.

e. Establish policies and responsibilities to assure that appropriate security requirements are included in specifications for the acquisition or operation of computer facilities, equipment, software packages, or related services, whether procured by the agency or by the General Services Administration. These requirements shall be reviewed and approved by the management official assigned responsibility for security of the computer installation to be used. This individual must certify that the security requirements specified are reasonably sufficient for the intended application and that they comply with current Federal computer security policies, procedures, standards and guidelines.

f. Assign responsibility for the conduct of periodic risk analyses for each computer installation operated by the agency, including installations operated directly by or on behalf of the agency. The objective of this risk analysis should be to provide a measure of the relative vulnerabilities at the installation so that security resources can effectively be distributed to minimize the potential loss. A risk analysis shall be performed:

(1) Prior to the approval of design specifications for new computer installations.

(2) Whenever there is a significant change to the physical facility, hardware or software at a computer installation. Agency criteria for defining significant changes shall be commensurate with the sensitivity of the information processed by the installation.

(3) At periodic intervals of time established by the agency, commensurate with the sensitivity of the information processed by the installation, but not to exceed five years, if no risk analysis has been performed during that time.

g. Establish policies and responsibilities to assure that appropriate contingency plans are developed and maintained. The objective of these plans should be to provide reasonable continuity of data processing support should events occur which prevent normal operations. These plans should be reviewed and tested at periodic intervals of time commensurate with the risk and magnitude of loss or harm which could result from disruption of data processing support.

5. Responsibility of the Department of Commerce. The Secretary of Commerce shall develop and issue standards and guidelines for assuring security of automated information. Each standard shall, at a minimum, identify:

a. Whether the standard is mandatory or voluntary.

b. Specific implementation actions which agencies are required to take.

c. The time at which implementation is required.

d. A process for monitoring implementation of each standard and evaluating its use.

e. The procedure for agencies to obtain a waiver to the standard and the conditions or criteria under which it may be granted.

6. Responsibility of the General Services Administration. The Administrator of General Services shall:

a. Issue policies and regulations for the physical security of computer rooms in Federal buildings consistent with standards and guidelines issued by the Department of Commerce.

b. Assure that agency procurement requests for computers, software packages, and related services include security requirements which have been certified by a responsible agency official. Delegations of procurement authority to agencies by the General Services Administration under mandatory programs, dollar threshold delegations, certification programs or other so-called blanket delegations shall include requirements for agency specifications and agency certification of security requirements as a part of the agency request for delegation of procurement authority. Other delegations of procurement authority shall require specific agency certification of security requirements.

c. Assure that specifications for computer hardware, software, related services or the construction of computer facilities are consistent with standards and guidelines established by the Secretary of Commerce.

d. Assure that computer equipment, software, computer room construction, guard or custodial services, telecommunications services, and any other related services procured by the General Services Administration meet the security requirements established by the user agency and are consistent with other applicable policies and standards issued by OMB, the Civil Service Commission and the Department of Commerce. Computer equipment, software, or related ADP services acquired by the General Services Administration in anticipation of future agency requirements shall include security safeguards which are consistent with mandatory standards established by the Secretary of Commerce.

7. Responsibility of the Civil Service Commission. The Chairman of the Civil Service Commission shall establish personnel security policies for Federal personnel associated with the design, operation or maintenance of Federal computer systems, or having access to data in Federal computer systems. These policies should emphasize personnel requirements to adequately protect personal, proprietary or other sensitive data as well as other sensitive applications not subject to national security regulations. Requirements for personnel checks imposed by these policies should vary commensurate with the sensitivity of the data to be handled and the risk and magnitude of loss or harm that could be caused by the individual. The checks may range from merely normal preemployment screening procedures to full background investigations.

8. Reports. Within 60 days of the issuance of this Transmittal Memorandum, the Department of Commerce, General Services Administration and Civil Service Commission shall submit to OMB plans and associated resource estimates for fulfilling the responsibilities specifically assigned in this memorandum. Within 120 days of the issuance of this Transmittal Memorandum, each executive branch department and agency shall submit to OMB plans and associated resource estimates for implementing a security program consistent with the policies specified herein.

9. Inquiries. Questions regarding this memorandum should be addressed to the Information Systems Policy Division (202) 395-4814.

James T. McIntyre, Jr.
Director

(No. A-71)

[Attachment: an excerpt from Title 44, U.S. Code (Public Printing and Documents), on the management of Federal records. The scanned text is illegible beyond its subsection headings: (c) Storage, processing, and servicing of records; (d) Certification of transferred records; (e) Safeguards against removal or loss of records; (f) Unlawful removal, destruction, etc.; (g) Authority of Comptroller General; (h) Acceptance of records for historical preservation.]