NATIONAL POLICY ON TELECOMMUNICATIONS/AUTOMATED INFORMATION SYSTEMS SECURITY

NSA review completed NATIONAL SECURITY DECISION DIRECTIVE NO. Al.$ rg ,DO2 Acr NATIONAL POLICY ON TELECOMMUNICATIONS/AUTOMATED INFORMATION SYSTEMS SECURITY it is the responsibility of the ExecUtive Branch to properly safeguard information which concerns the national security and other vital interests of the United States, including government-held information which bears on the r ? individual rights or privacy of U.S. persons. Telecommunications and other information systems which handle such information in electronic form are inherently vulnerable to interception, unauthorized electronic access, and related means of technical exploitation. Assuring their security integrity is therefore a national responsibility. 1. Objectives. To fulfill these responsibilities, I. direct that the nation's capabilities for securing telecommunication and automated information systems against technical exploitation threats be developed, improved, and maintained as necessary to: a. Assure availability of an adequate technical base within both government and industry. b. Provide for reliable and continuing assessm'e'nt, of threats and vulnerabilities. national Approved For Release 2007/11/06: CIA-RDP87BO1034R000700070046-2 it %i L r J~ dj c. Support other existing policy objectives fora telecommunications and automated information resources. d. Ensure effective use of protection resources. rn P"! Approved For Release 2007/11/06: CIA-RDP87B01034R000700070046-2  Approved For Release 2007/11/06: CIA-RDP87BO1034R000700070046-2 :.A. ~ 2. Policy Elements. National policy for the protection of telecommunications and automated information systems shall.encompass the following elements: a. Systems which generate, store, process or transmit classified information in electrical form shall be sec-:-ed against exploitation. b. Systems similarly handling other government- derived information, the loss of which could adversely affect the national interest or the rights of U.S. persons, shall be protected commensurate with the risk of exploitation. c. Systems which handle non-government information of similar nature should be protected commensurate with the threat of exploitation. The Government shall take necessary steps to identify such systems. and information and formulate strategies and measures for. providing protection. The private sector shall be encouraged to undertake the application of such measures in the national interest. 3. Implementation.' a. A Systems Security Steering Group is hereby established to ensure a coordinated and effective national effort, and shall consist of the following: (1) The Assistant to the President for National Security Affairs, or his representative. (Chairman) (2) The Executive Agent for Communications Security/Executive Agent of the National Communications System:.; (NCS). Approved For Release 2007/11/06: CIA-RDP87BO1034R000700070046-2  Approved For Release 2007/11/06: CIA-RDP87B01034R000700070046-2 (3) The Director of Central Intelligence. (4) The Associate Director of the Office of Management and Budget (OMB) for National Security and International Affairs. b. The Director, National 'Security Agency (NSA) shall act as Executive Secretary to the Steering Group and shall be entitled to attend all meetings. c. The Steering Group shall: (1) Oversee the implementation of and provide guidance to the National Telecommunications and Information Systems Security Committee with respect to the objectives and policy elements stated herein. (2) Establish broad national objectives and priorities as may be required to implement this Directive. (3) Review and approve consolidated resources program and budget proposals, and other matters referred to it by the Executive Agent in fulfillment of responsibilities outlined in subparagraph (4) ,below. (4) Annually review, evaluate, and report to me the security status of national telecommunications and automated information systems with respect to established objectives and priorities. (5) Interact with the Steering Group on National Security Telecommunications and, through that Group, with the National Security Telecommunications Advisory Committee (NSTAC), to ensure that the objectives and policy elements of this Directive are addressed. Approved For Release 2007/11/06: CIA-RDP87B01034R000700070046-2  Approved For Release 2007/11/06: CIA-RDP87B01034R000700070046-2 (6) Designate the Chairman of the National Telecommunications and Information Systems Security Committee. (7) Recommend for Presidential approval additions or revisions to this Directive as national interests require. 4.' The National Telecommunications and Information Systems Security Committee. a. The National Telecommunications and Information Systems Security Committee (NTISSC) is hereby established and will operate under the direction of the Systems Security Steering Group to consider technical matters and develop operating policies as necessary to implement the provisions of this Directive. The Committee shall be composed of a representative of'each of the following: The Secretary of State The Secretary of The Treasury The Secretary of Energy .. 11 The Secretary of Transportation The Attorney General The Secretary of Commerce The Director, Office of Management and Budge The Chief of Staff, United States Army The Chief of Naval Operations The Chief of Staff, United States Air Force The Chairman, Joint Chiefs of Staff Approved For Release 2007/11/06: CIA-RDP87B01034R000700070046-2  Approved For Release 2007/11/06: CIA-RDP87BO1034R000700070046-2 ....a' i. ~.. "Y it ^ The Director, Central Intelligence Agency The Director, Federal Emergency Management ,agency The Administrator, General Services Administration The Manager, National Communications System The Director, National Security Agency b. The Committee shall: (1) Develop such specific operating policies, objectives, and priorities as may be required to implement thi:.. Directive. (2) Submit to the Systems Security Steering Group an annual evaluation of the status of national telecommunications and information resources security with respect to established objectives and priorities. (3) Administer matters pertaining to the release of sensitive security information, techniques, and materials to foreign governments or international organization;;. (4) Establish and maintain a national issuance system for promulgating the operating policies, directives and guidance which may be issued pursuant to this Directive. (5) .Establish permanent and temporary subcommittees as necessary to discharge its responsibilities. c. The Committee shall make recommendations to t'te Approved For Release 2007/11/06: CIA-RDP87BO1034R000700070046-2  Approved For Release 2007/11/06: CIA-RDP87B01034R000700070046-2 Steering Group on Committee membership, and may establish criteria and procedures for permanent observers. Representatives of other departments or agencies affected by specific matters under deliberation will attend upon invitation of the Chairman. d. The Committee shall have a permanent secretariat composed of personnel of the National Security Agency. The secretariat may be augmented as necessary by personnel provided by the Departments and Agencies represented on the Board in response to the Chairman's request. The National Security Agency shall provide facilities and support as required. 3. The Executive Agent of the Government for Communications Security. The Secretary of Defense is the Executive Agent of the Government for Communications Security. In this capacity ne shall serve an expanded role to act within policies and procedures established by the'Systems Security Steering Group. and the NISSC to: a. Ensure the development, in conjunction with WISSC member Departments and Agencies, of plans to fulfill the objectives of this Directive, including the formulation necessary security -architectures.. b. Fulfill requirements of the Federal GoVernment for technical security material and related services. Approved For Release 2007/11/06: CIA-RDP87B01034R000700070046-2  Approved For Release 2007/11/06: CIA-RDP87B01034R000700070046-2 c.. Provide or approve security standards and doctrine. d. Conduct or approve research and development of security techniques and equipment. e. Operate or coordinate the efforts of Government technical centers related to telecommunications and automated information systems security. f. Develop and submit to, the Steering Group and the Congress a proposed National Telcommunications and Information Systems Security Program budget for each fiscal 6. The Director, National Security Aciency. The Director, National Security Agency is responsible for executing the foregoing responsibilities of th!c Secretary of Defense as Executive Agent. In fulfilling these reponsiblities he shall have authority to: Empiri.cally_e.xamine federal.. telecommunications and associated electronic information handling systems and evaluate their vulnerability to hostile interception and exploitation. Any such activities, including those involving monitoring of official telecommunications; shall be conducted in strict compliance with the law and other .applicable directives. b. Act as the single government focal point for all matters related to cryptography to include; conducting Approved For Release 2007/11/06: CIA-RDP87B01034R000700070046-2  Approved For Release 2007/11/06: CIA-RDP87B01034R000700070046-2 research and development; prescribing or approving all standards, techniques, systems and equipments; and conducting liaison with foreign governments, international organizations, and private institutions. c. Operate such industrial facilities as may be required to perform critical functions related to the provision of cryptographic and other sensitive security materials or services. d. Operate a central technical center(s) to assess and disseminate information on hostile threats to national telecommunications and information systems security. e. Operate a central technical center(s) to evaluate the security of telecommunications systems, computer systems and data networks, and to conduct or sponsor research and development of security techniques. f. Prescribe the control systems and standards for protecting cryptographic and other sensitive security material, techniques, and information. Request from the heads of Federal departments and agencies such information as he may need to discharge responsibilities assigned herein, 7. The Director of Central Intelligence shall indentify to the 14ISSC and the Director, NSA, as appropriate, any unique handling requirements associated with the protection of sensitive compartmented intelligence. Approved For Release 2007/11/06: CIA-RDP87B01034R000700070046-2  Approved For Release 2007/11/06: CIA-RDP87BO1034R000700070046-2 8. The Secretary of Commerce, through the Director, National Bureau of Standards, shall issue such standards for the security of telecommunications and other electronic information resources as the Director, NSA may approve and authorize for public release in accordance with authorities assigned herein. 9. The Director, Office of Management and Budget shall review for consistency with this Directive, and amend as appropriate, OMB Ciyrculars A-71 (Transmittal Memorandum No. 1), 0MB Circular A-76 as amended, and other OMB policies and regulations which may pertain to the subject matter herein. 10. The Heads of Federal Departments and Agencies a. Conform with any policies, standards and doctrines issued by proper. authority pursuant to this Directiv.:. b. -Provide to the Systems Security Steering Grout,, the NISSC, ,the Secretary of Defense as Executive Agent, and th. Director, National Security Agency such information as they ma;,' require to discharge responsibilities assigned herein. 11. Nothing in this Directive shall: a. 'Alter the existing authorities of the Directo of Central Intelligence for the overall direction, coordination and supervision of intelligence matters, nor his responsibility to act as' Executive Ager}t of the. Government for technical security countermeasures (TSCM) against bugging, eavesdropping and related forms of surveillance. Approved For Release 2007/11/06: CIA-RDP87B01034R000700070046-2  Approved For Release 2007/11/06: CIA-RDP87B01034R000700070046-2 b. Give the the NISSC, the Secretary of Defense, or the Director, National Security Agency authority to inspect the personnel, facilities, or internal operations of other departments and agencies without their,'approval. This provision does not constrain the authority of the Director, NSA to monitor telecommunications or, the emissions of other electronic information systems consistent with paragraph ll.a., above. c. Amend or contravene the provisions of other, existing directives which may pertain to the financial management of automated information resources or to the administrative requirements for safeguarding such resources against fraud, abuse, and waste. 12. For the purposes of this Directive, the followin:j terms shall have the meanings indicated. a. Telecommunications means the creation, preparation, manipulation, transmission, communication or related processing of information by electrical, electromagnetic, electromechanical, or electro-optical means. b. Automated Information Systems means systems which create, prepare, manipulate or process information in electronic form for purposes other than. telecommunication, and includes computers, word processing systems and associated equipment. c. Telecommunications and Information Systems Security means protection afforded to telecommunications, 10 Approved For Release 2007/11/06: CIA-RDP87BO1034R000700070046-2  Approved For Release 2007/11/06: CIA-RDP87BO1034R000700070046-2 automated information systems, and other electronic information handling systems in order to prevent exploitation through interception, unauthorized.electronic access, or related technical intelligence threats, 6and to.ensure authenticity. Such protection results from the application of security measures (including cryptosecurity, transmission security, emission security, and computer security) to systems which generate, handle, or process information of'use to an adversary, and also includes physical protection of sensitive security resources and materials. 13. PD/NSC-24 is hereby superseded, fi-N C) Ali' Approved For Release 2007/11/06: CIA-RDP87B01034R000700070046-2  Approved For Release 2007/11/06: CIA-RDP87BO1034R000700070046-2 ROUTING AND RECORD SHEET SUBJECT, (Optional) Revision of PD/NSC-24 FROM: EXTENSION NO. D/ CO DATE 7 September 1983 TO: (Officer designation, room number, and Wildin ) DATE OFFICER'S COMMENTS (Number each comment to show from whom g INITIALS to whom. Draw a line across column after each comment.) RECEIVED FORWARDED 1. DDCI John, s. NSC staffer Ken de Graffenreid Convened a small it k e ing group to rewr wor 3. Presidential Directive/NSC-24 (Telecommunications Protection 16 b d d N , er ovem ate Policy, 4. 1977). The working group is made up of National Communi- i C ttee omm cations Security s. staffers from DoD, NSA, Office of Secretary of Defens d CIA Commerce, Treasury an . a. The Agency representative who was invited to.participate is from the Commun i - S 7. cations Security Division. The first meeting of the working group was held at the e. BOB on 29 August.. An NSA prepared draft was distribute to th.e members of the working 9. group for reiriew and comments A second meeting was held on a ttached 6 September when the 10. draft was distributed. This inclusion of Auto- 11. mated Information Systems in the proposed draft signifi- cantly changes the .scope of 12. th.e PD/NSDD, and the role of NSA vis-a-vis the original PD is controversial and .being 13. staffed within the Agency. ,~. I' wanted'-you to. be aware of this effort to avoid a repeat 14. of the promulgation of NSDD-9.7 National Security Telecommunications Policy 15. without adequate coordination by affected Departments/ Agencies. , T AT FOR 1-79M 610 USEEDITION/REVIOUSS Approved For Release 2007/11/06: CIA-RDP87B01034R000700070046-2