DIRECTOR OF CENTRAL INTELLIGENCE SECURITY COMMITTEE COMPUTER SECURITY SUBCOMMITTEE

Document Type: 
Collection: 
Document Number (FOIA) /ESDN (CREST): CIA-RDP87T00623R000200070009-0
Release Decision: RIPPUB
Original Classification: K
Document Page Count: 3
Document Creation Date: December 22, 2016
Document Release Date: November 17, 2010
Sequence Number: 9
Case Number: 
Publication Date: January 28, 1985
Content Type: MISC
File: CIA-RDP87T00623R000200070009-0.pdf (151.41 KB)
Body: 
Sanitized Copy Approved for Release 2010/11/17: CIA-RDP87T00623R000200070009-0

Director of Central Intelligence
Security Committee
Computer Security Subcommittee

28 January 1985
DCISEC-CSS-M170

The one hundred and seventieth meeting of the DCI SECOM Computer Security Subcommittee was held on 15 January 1985 at the McLean, VA. Present at the meeting were:

- Executive Secretary
- NSA
- Ms. Karen Deneroff, Department of State
- Mr. Robert Graytock, Department of Justice
- Mr. James Schenken, U.S. Secret Service
- Mr. David Jones, Department of Energy
- Mr. Lynn Culkowski, Air Force
- Ms. Sue Berg, Navy
- Mr. Robert B., ISSG
- Mr. Pat S., ISSG
- Mr. Edwar 9-- SSG SECOM
- Mr. ugene pperly, OSD

1. In the absence of the Chairman, the meeting was presided over by the Executive Secretary. The minutes of the previous meeting were reviewed, and some factual errors were pointed out. These will be corrected and the minutes redistributed.

2. The first topic discussed was that of the subcommittee's budget allocation from the SECOM. summarized the priorities, as derived from discussions at the previous meeting. These were: support to the Navy project on collection requirements ($40K), definition of guidelines on the use of personal computers ($30K), and security awareness programs ($30K). (It was noted that this is in excess of the $70K guidance originally received from the SECOM.) The State member reported that, in response to the Chairman's request at the last meeting, she had spoken to Mr. Steinauer (NBS) about the possibility of his drafting a guideline on PC usage. She reported that Mr. Steinauer is available and is interested in such an effort. NBS is apparently already planning to do further work in this area, and such a task would fit in nicely with their current plans. Ms. Deneroff asked the Executive Secretary to contact Mr. Steinauer to discuss his proposal in NSA spaces (as a convenience to Mr. Steinauer). Several of the members present asked to be included in those discussions.

3. The next item discussed was the tasking from SECOM to the CSS to "justify its existence". provided some further illumination on the somewhat cryptic missive, explaining that the tasking was motivated by recent events, such as the issuance of NSDD-145, and the Ruth Davis project, which seem to have confused traditionally understood areas of responsibility. He noted that at the recent SECOM meeting (14 Jan 85), as well as at the first NTISSC meeting, some of these questions have already begun to be resolved; specifically, the responsi DCI for protection of SCI and foreign intelligence. explained that the tasking resulted from a perceived controversy between the IHC and the SECOM. However, he felt that the confusion factors have been resolved. He stated that the IHC and the SECOM have agreed that the SECOM has the policy issuance responsibility for the DCI. felt, however, that the CSS should still respond to the tasking, indicating that we have reviewed the matter, and that the CSS still feels that its charter is sound.

4. A second tasking from the SECOM asked for a report on computer security activities which apply to the intelligence community. explained that the intent was to highlight those efforts which uniquely contribute to the DCI's role. He stated that the efforts reported should include internally-oriented projects, as well as those which had application across Agency and community boundaries. Each member was asked to summarize his/her organization's ongoing computer security efforts which are applicable to the protection of Intel information. These need not be community-wide efforts, although they may have wider applicability than just the local organization. These should be forwarded to by 8 February 1985.

5. The last item discussed was the re-write of DCID 1/16. The Executive Secretary reviewed the discussion of the previous meeting, noting that the consensus was that the document reflect consistency with existing guidance (e.g., the Trusted Computer System Evaluation Criteria). He reported that he and the NSA member had met to review the current draft DCID, with a view to eliminating recognized shortcomings, as well as to provide for the desired consistency. He provided a brief sketch of a proposed revised format for the document, as follows:

- a policy statement, essentially unchanged from the current draft.
- a regulatory section, which would include minimum standards (basically generic physical and procedural requirements), a definition of the five allowable modes (Dedicated through Multilevel), and the set of hardware/software, physical, and procedural requirements for each.
- a Guidelines section, which would act as non-binding "hints to the Accreditor" as an aid in determining reasonable trade-offs, etc. in designing and developing systems.

Such an approach, it was claimed, would provide system developers and accreditation authorities the flexibility of applying the modes without artificial restrictions, while providing sufficient guidance to allow them to make informed choices on sound technical and security grounds. Thus, we could eliminate the need to define functional distinctions (as in the current draft), with the unavoidable ambiguity. The NSA member reported that she has begun to re-draft the document along these lines, and agreed to provide a finished draft for review.

6. The next meeting was set for 0930 on 19 February at the McLean, VA.

Executive Secretary