NATIONAL POLICY ON TELECOMMUNICATIONS AND AUTOMATED INFORMATION SYSTEMS SECURITY
Document Type:
Collection:
Document Number (FOIA) /ESDN (CREST):
CIA-RDP87B01034R000700080010-0
Release Decision:
RIFPUB
Original Classification:
C
Document Page Count:
10
Document Creation Date:
December 20, 2016
Document Release Date:
November 1, 2007
Sequence Number:
10
Case Number:
Content Type:
REGULATION
File:
Attachment | Size |
---|---|
CIA-RDP87B01034R000700080010-0.pdf | 706.59 KB |
Body:
Approved For Release 2007/11/01 : CIA-RDP87BO1034R000700080010-0
CONFIDENTIAL
THE WHITE HOUSE 90078
WASHINGTON
Na.t.Loizat SecatLty Veci4 ion
Di. Lective Number.
NSA review completed
NATIONAL POLICY ON TELECOMMUNICATIONS
AND AUTOMATED INFORMATIOr1 SYSTEMS SECURITY (U)
Recent advances in microelectronics technology have stimulated
an unprecedented growth in the demand for telecommunications
and information processing services within the government and
throughout the private sector. As new technologies have been
applied, traditional distinctions between telecommunications
and automated information systems have begun to disappear.
Although this trend promises greatly improved efficiency and
effectiveness, it also poses significant security challenges.
Telecommunications and automated information processing systems-
are highly susceptible to interception, electronic penetration,-
and related forms of technical exploitation, as well as other
dimensions of the hostile intelligence threat. The technology
to exploit electronic systems is widespread and is used exten-
sively by foreign nations and can be employed, as well, by
terrorist groups and criminal elements. (C)
These systems process and communicate classified national
security information, other sensitive information concerning
vital interests of the United States, and the private or
proprietary information of US persons and businesses. Such
information, even if unclassified in isolation, often can
reveal highly classified and other sensitive information when
taken in aggregate. The compromise of this information,
especially to hostile intelligence services, does serious
damage to the United States and its interests. A comprehensive
and coordinated approach must be taken to protect the Nation's
telecommunications and automated information systems against
current and projected threats. This approach must include
mechanisms for formulating policy, for overseeing systems
security resourcet programs, and for coordinating and executing
technical activities. (C)
This Directive provides initial objectives, policies, and an
organizational structure to guide the conduct of national
activities directed towards safeguarding systems which process
or communicate sensitive information, establishes a mechanism
for policy development and assigns responsibilities for imple-
mentation. The structure proposed in this draft?.,seeks to
assure full participation and cooperation among the various
6-1
~':i' ~S
~Qt Y
- ~
.
CONFIDENTIAL
i
nn~ IF-1 nri iri 1r
nPr1 A c Approved For Release 2007/11/01 : CIA-RDP87BO1034R000700080010-0
OSD Review completed
t-UNZ it)LNTZAL - _, .. 2 . .
Approved For Release 2007/11/01: CIA-RDP87B01034R000700080010-0
existing centers of technical expertise throughout the Executive
Branch, to promote a coherent and coordinated defense against
the hostile intelligence threat, and to foster an appropriate
partnership between government and the private sector in
attaining these goals. It specifically recognizes the special
requirement for protection of intelligence sources and methods..
It is intended that the machinery established by this NSDD will
initially focus on those automated systems which are connected
to telecommunications transmission systems. (C)
1 Objectives. Security is a vital element of the
operational effectiveness of the national security activities
of the government and of military combat readiness. Assuring
the security of telecommunications and automated information
systems which process and communicate classified national
security information, other sensitive government information,
and certain private sector information is a key national
responsibility. i, therefore, direct that the Nation's capabili-
ties for securing telecommunications and automated information
systems against technical exploitation threats be maintained or
improved to provide for:
a. A reliable and continuing capability to assess'
threats and vulnerabilities, and to implement appropriate,
effective countermeasures.
b. A superior technical base within the government
to achieve this security, and a superior technical base within
the private sector in areas which complement and enhance
government capabilities.
c. ..A more effective application of government and
private resources.
d. Support and enhancement of other policy objec-
tives for national telecommunications and automated information
systems. (U)
2. Policies.' In support of these objectives, the
following policies are established:
a. Systems which generate, store, process, transfer
or communicate classified information in electrical form shall
be secure or -protected by such means as are necessary to
prevent compromise and exploitation.
b. Systems handling other sensitive, but unclassi-
fied, government or government-derived information, the loss of
which could-adversely affect the national interest or the
rights of us persons, shall be protected in proportion to the
threat of exploitation and the associated potential damage to
the national interest.
0FY_2_
_____ Or_IES
CONFIDENTIAL /4 / 4
Approved For Release 2007/11/01: CIA-RDP87B01034R000700080010-0
CONFIDE ?'TT AT LUH ir~LJ~. R t 1HI ht ~
Approved For Release 2007/11/01 : CIA-RDP87B01034R000700080010-0
c. The government shall work with the private
sector to identify systems which handle sensitive non-government
information, the loss of which could adversely affect the
national interest or the rights of US persons; determine the
threat-to, and vulnerability of, these systems; and formulate
strategies and measures for providing protection in proportion
to the threat of exploitation and the associated potential
damage. Information and advice from the perspective of the
private sector will be sought with respect to implementation of
this policy. in cases where implementation of security measures
to non-governmental systems would be in the national interest,
the private sector shall be encouraged and assisted in under-
taking the application of such measures.
d. Efforts and programs begun under PI)-24 which
support these policies shall continue. (U)
3. implementation. This Directive establishes a senior
level steering group; an interagency group at the operating
level; an executive agent and a national manager to implement
these objectives and policies. (U)
4. 'Systems Security Steering Group,
a. A Systems Security Steering Group consisting of-
the Secretary of State, the Secretary of the Treasury, the
Secretary of Defense, the Director of the Office of Management
and Budget, the Director of Central Intelligence, and chaired
by the Assistant to the President for National Security Affairs
is established. The Steering Group shall:
(1) Oversee this Directive and ensure its
implementation. it shall provide guidance to the Executive
Agent and National Manager with respect to the activities
undertaken by them in implementing this Directive.
(2) Monitor the activities of the operating
level National Telecommunications and Information Systems
Security Committee and provide guidance for its activities in.
accordance with the objectives and policies contained in this
Directive.
- (3)- Review and evaluate the security status of
those national telecommunications and automated information
systems that handle classified or sensitive information with
respect to established objectives and priorities, and report
findings and recommendations through the National Security
Council to the President.
(4) Review and approve consolidated resources
program and budget proposals, and other matters referred to it
by the Executive Agent in fulfilling the responsibilities
outlined in paragraph 6. below.
CONFII: -__ _ _
Approved For Release 2007/11/01: CIA-RDP87BO1034R000700080010-0
CONFIDENTIAL I I InL )
Approved For Release 2007/11/01 CIA-RDP87B01034R000700080010-0
(5) On matters pertaining to the protection of
intelligence sources and methods be guided by the policies of
the Director of Central Intelligence.
(6) Interact with the Steering Group on National
Security Telecommunications to ensure that the objectives and
policies of this Directive and NSDD-97, National Security
Telecommunications Policy, are addressed in a coordinated
manner.
(7) Recommend for Presidential approval addi-
tions or revisions to this Directive as national interests may
require. (U)
b. The National Manager for Telecommunications and
Information Systems Security shall function as executive
secretary to the Steering Group. (U)
5. The National Telecommunications and Information
Systems Security Committee.
a. The National Telecommunications and Information
Systems Security Committee (NTISSC) is established to operate
under the direction of the Steering Group to consider technical-
matters and develop operating policies as necessary to imple-
ment the provisions of this Directive. The Committee shall be
chaired by a representative of the Secretary of Defense and.
shall be composed of a non-voting representative of each member
of the Steering Group and a voting representative of each of
the following:
The Secretary of State
The Secretary of the Treasury
The Attorney General
The Secretary of Commerce
The Secretary of Transportation
The Secretary of Energy
The Director of Central Intelligence
Chairman, Joint Chiefs of Staff
Administrator, General Services Administration
Director, Federal Bureau of Investigation
Director, Federal Emergency Management Agency
The Chief of Staff, United States Army
The Chief of Naval Operations
The Chief of Staff, United States Air Force
Commandant, United States Marine Corps
Director, National Security Agency
Manager, National Communications System (U)
b. The Committee shall:
(1) Develop such specific operating policies,
objectives, and priorities as may be required to implement this
Directive.
Co ri%Y.OF c!
CONFIDENTTAl. "
Approved For Release 2007/11/01: CIA-RDP87BO1034R000700080010-0
1Iif\U-IIII-tlI(AI
CONFIG Approved For Release 2007/11/01 CIA-RDP87BO1034R000700080010-0
,A I kq r..A vmT
(2) Submit annually to the Steering Group an
evaluation of the status of national telecommunications and
automated information systems security with respect to estab-
lished objectives and priorities.
(3) Approve the release of sensitive systems
security information, techniques and materials to foreign
goverr..rnents or international organizations (except in intelli-
gence activities managed by the Director of Central Intelligence).
(4) Establish and maintain a national system
for promulgating the operating policies, directives, and
guidance which may be issued. pursuant to this Directive.
(5) Establish permanent and temporary subcom-
mittees as necessary to discharge its responsibilities.
(6) Make recommendations to the Steering Group
on Committee membership and establish criteria and procedures
for permanent observers from other departments or agencies
affected by specific matters under deliberation, who may attend
meetings upon invitation of the Chairman. (U)
co The Committee shall have two subcommittees, one
focusing on telecommunications security and one focusing on
automated information systems security.. The two subcommittees
shall interact closely and any recommendations concerning
implementation of protective measures shall combine and coordi-
nate both areas where appropriate while considering any differences
in the level of maturity of the technologies to support such
implementations. However, the level of maturity of one tech-
nology shall not impede implementation in other areas which are
deemed feasible and important. (U)
d. The Committee shall have a permanent secretariat
composed of personnel of the National Security Agency and such
other personnel from departments and agencies represented on
the Committee as are requested by the Chairman. The National
Security Agency shall provide facilities and support as required.
Other departments and agencies shall provide facilities and
support as requested by the Chairman. (U)
6. The Executive Agent of the Government for
Telecommunications and Information Systems Securitj. The
Secretary of Defense is the Executive Agent of the Government
for Communications Security under authority of Executive
Order 12333. By authority of this Directive he shall serve an
expanded role as Executive Agent of the Government for Telecommuni-
cations and Information Systems Security and shall be responsible
for implementing, under his signature, the policies developed
by the NTISSC. In this capacity he shall act in accordance
with policies and procedures established by the Steering Group
and the NTISSC to:
;r0- Y-2 -0F / c
Approved For Release 2007/11/01 : CIA-RDP87BO1034R000700080010-0
n ! rte:! # y F z
Approved For Release 2007/11/01 : CIA-RDP87B01034R000700080010-0 `'t6
a. Ensure the development, in conjunction with the
National Manager and with NTISSC member departments and agencies,
of plans and programs to fulfill the- objectives of this Directive,
including the formulation of necessary security architectures.
b. Fulfill requirements of the government for
technical security material and related services.
c. Approve and provide minimum security standards
and doctrine.
d. Conduct, approve, or endorse research and
development of security techniques and equipment.
e. Operate, or coordinate the efforts of, govern-
ment technical centers related to telecommunications and
automated information systems security.
f. Procure for and provide to government agencies,
and, where appropriate, to private institutions (including
government contractors) and foreign governments, equipment and
other materials as required to accomplish the objectives of
this Directive.
g. Develop and submit to the Steering Group a
proposed National Telecommunications.and Information Systems---
Security Program budget for each fiscal year, including funds
for the procurement and provision of'equipment and materials.
(U)
7. The National Manager for Telecommunications security
and Information S stems Security. The Director, Nations
Security Agency is designated the National Manager for Telecommuni-
cations and Information Systems Security and is responsible for
carrying out the foregoing responsibilities of the Secretary of
Defenre as Executive Agent. in fulfilling these responsibilities
the Director, National Security Agency shall have authority to:
a. Examine government telecommunications systems
and automated information systems and evaluate their vulner-
ability to hostile interception and exploitation. Any such
activities, including those involving monitoring of official
telecommunications,, shall be conducted in,strict compliance
with law, Executive orders and applicable Presidential Directives.
b. Act as the government focal point for all
matters concerning cryptography, communications security, and
the security of automated information systems. Responsibili-
ties for protecting sensitive national security related government
or government-derived information shall include conducting,
approving, or endorsing all research and development of security
means; reviewing and approving all standards, techniques,
systems and equipments for security protection; and conducting
liaison, including agreements, with foreign governments,
CONFIDENTIAL
flNflflPJTI A I
-' 1.4
Approved For Release 2007/11/01 : CIA-RDP87B01034R000700080010-0
I Y FMM_ . @,M
Approved For Release 2007/11/01 : CIA-RDP87BO1034R000700080010-0 0
international and private organizations, for security protection
means.
c. Operate such printing and fabrication facilities
as may be required to perform critical functions; related to the
provision of cryptographic and other sensitive technical
security materials or services.'
d. Operate a central technical ceziter to assess and
disseminate information on hostile threats to national tele-
,communications and automated information systems security and
to assess the overall security, posture.
e. Operate a central technical center to evaluate
and certify the.security of telecommunications systems, and
automated information systems, and to conduct or sponsor
research and development of security techniques.
f. Prescribe the minimum standards, methods and
procedures for protecting cryptographic and other sensitive
technical security material, techniques, and information.
.g. Review annually the systems security program and
resources requirements of the departments and agencies of the
government, and prepare consolidated National Telecommunications
and Automated Information Systems security program budget
recommendations.
h. Request from the heads of departments and
agencies such information and technical support as he may need
to discharge the responsibilities assigned herein.
i. Enter into agreements for the procurement of
technical security material and other equipment, and their
provision to government agencies and, where appropriate, to
private organizations (including government contractors) and
foreign governments. (U)
8. The Heads of Federal Departments and Agencies shall:
a. Be responsible for achieving and maintaining an
acceptable security posture for telecommunications and automated
information systems within their departments or agencies.
b. Ensure that the policies, standards and doctrines
issued pursuant to this Directive are implemented within their
departments or agencies.
co Provide to the Systems Security Steering Group,
the NTISSC, the Secretary of Defense as Executive Agent, and
the Director, National Security Agency as National manager, as
appropriate, such-information as may be required to discharge
responsibilities assigned herein, consistent with relevant law,
Executive Order, and Presidential Directives. (U)
CONFIDENTIAL rn inri``ri A I r,'
Approved For Release 2007/11/01 : CIA-RDP87BO1034R000700080010-0
VJ' ham, IL
Approved For Release 2007/11/01 : CIA-RDP87BO1034R000700080010-0
9. Additional Res onsibilitie.s.
a. The Secretary of Commerce, through the Director,
National Bureau of Standards, shall issue for public use such
Federal Information Processing Standards for the security of
information in automated information systems as the Director,
National--Security Agency may approve. The Manager, National
Communications System, through the Administrator,, General
Services Administration, shall develop and issue for public use
such Federal Telecommunications Standards for the security of
information in telecommunications systems, as the Director,
National Security Agency may approve. Such standards, while
legally applicable only to Federal Departments and Agencies,
will be structured to facilitate their adoption as voluntary
American National Standards as a means of encouraging their use
by the private sector.
b. The Director, Office of Management and Budget
shall review for consistency with this Directive, and amend as
appropriate, OMB Circular A-71 (Transmittal Memorandum No. 1),
OMB Circular A-76, as amended, and other OMB policies and
regulations which may pertain to the subject matter herein.
10. Nothing in this Directive:
a. Alters the existing authorities of the Director
of Central Intelligence, including his responsibility to act as
Executive Agent of the Government for technical security
countermeasures (TSCM).
b. Provides the NTISSC, the Secretary of Defense,
or the Director, National Security Agency authority to examine
the facilities of other departments and agencies without
approval of the head of such department or agency, nor to
request or collect information concerning their operation for
purposes not provided for herein.
c. Amends or contravenes the provisions of existing
law, Executive orders, or Presidential Directives which pertain
to the privacy- aspects or financial management of automated
information systems or to the administrative requirements for
safeguarding such resources against fraud,. abuse, and waste.
d. Is intended to establish additional review
processes for the procurement of automated information processing
systems. (U)
11. For the purposes of this Directive, the following
terms shall have the meanings indicated.
a. Telecommunications means the preparation,
transmission, communication or related processing of
CONFIDENTIAL
C~
col, `'-~-OF_C
nicincMTI Af
12 /1
Approved For Release 2007/11/01 CIA-RDP87BO1034R000700080010-0
CONFIDENTIAL - 9 _ r% , h
Approved For Release 2007/11/01: CIA-RDP87BO1034R000700080010-0
information by electrical, electromagnetic, electromechnical,
or electro-optical means.
b. Automated Information Systems means systems
which create, prepare, or manipulate n ormation in electronic
form for purposes other than- telecommunication, and includes
computers, word processing systems, other electronic informa-
tion handling systems, and associated equipment.
C., Telecommunications and Automated Information
S stems Security means protection afforded to telecommunica-
tions and automated information systems, in order to prevent
exploitation through .interception, unauthorized electronic
access, or related technical intelligence threats, and to
ensure authenticity. Such protection results from the applica-
tion of security measures (including cryptosecurity, transmission
security, emission security, and computer security) to systems
which generate, store, process, transfer, or communicate
information of use to an adversary, and also includes the
physical protection of sensitive technical security material
and the protection of sensitive technical security information.
d. Technical security material means equipment,
components, devices, and associated documentation or other
media which pertain to cryptography, or to the securing of
telecommunications and automates information processing systems.
12. The Interagency Committee on Foreign Real Estate
Acquisitions (ICREA) in the United States established under
PD-24 shall be reconstituted under the chairmanship of the
Director, Office of Foreign Missions, Department of State, with
representation from the Department of Defense, the Department
of Justice/Federal Bureau of Investigation, the Director of
Central Intelligence, the National Security Rgency, and the
Assistant to the President for National Security Affairs. The
ICREA, with advice from the Department of State's Reciprocity
Policy Committee, shall provide policy guidance for implementation
by the Office of Foreign Missions or other appropriate organi-
zations on proposals for foreign real estate acquisitions by
lease or purchase, that present a threat to US telecommunica-
tions and automated information systems security or are of-
counterintelligence interest. (U)
(U)
13. The functions of the PD-24 Interagency Group for
Telecommunications Protection and the National Communications
Security Committee (NCSC) are subsumed by the Systems Security
Steering Group and the NTISSC, respectively. The policies
established under the authority of the PD-24 Interagency Group
or the NCSC, which have not been superseded by this Directive,
shall remain in effect until modified or rescinded by the
Steering Group or -the NTISSC, respectively. (U)
~c? L
Approved For Release 2007/11/01: CIA-RDP87BO1034R000700080010-0
Approved For Release 2007/11/01 : CIA-RDP87BO1034R000700080010-0
14. Except for ongoing telecommunications protection
activities mandated by and begun under PD/NSC-24, that Direc-
tive is hereby superseded and cancelled. (U)
CONFIDENTIAL
61
.co v--1--oE CO iES
CONFIDENTIAL 6~~
Approved For Release 2007/11/01 : CIA-RDP87BO1034R000700080010-0