DIRECTOR OF CENTRAL INTELLIGENCE SECURITY COMMITTEE COMPUTER SECURITY SUBCOMMITTEE

Document Type: 
Collection: 
Document Number (FOIA) /ESDN (CREST): 
CIA-RDP87T00623R000200070015-3
Release Decision: 
RIPPUB
Original Classification: 
K
Document Page Count: 
3
Document Creation Date: 
December 22, 2016
Document Release Date: 
November 17, 2010
Sequence Number: 
15
Case Number: 
Publication Date: 
October 1, 1984
Content Type: 
MISC
Body: 
Sanitized Copy Approved for Release 2010/11/17: CIA-RDP87T00623R000200070015-3

DIRECTOR OF CENTRAL INTELLIGENCE SECURITY COMMITTEE COMPUTER SECURITY SUBCOMMITTEE

October 1984
DCISEC-CSS-M167

1. The one hundred and sixty-seventh meeting of the Computer Security Subcommittee was held on 23 October at the McLean, VA. In attendance were:

- Mr. Mr. Ms IA, Chairman
- NSA, Executive Secretary
- Karen Deneroff, Dept of State
- NSA
- Robert Graytock, Dept. of Justice
- CIA
- James Schenken, U.S. Secret Service
- David Jones, Dept of Energy
- Martha Tnfferi, USAF
- SECOM
- Eugene Epperly, OSD

2. The first item discussed was the recently released NSDD-145, which established a National Telecommunications and Information Systems Security Committee (NTISSC) at the National level, responsible for both telecommunications/COMSEC and computer security. It further establishes the Director, NSA as the National Manager for Telecommunications and Information Systems Security, responsible to the Secretary of Defense as the Executive Agent. The Chairman reported that the implementing document was now in review, and felt that some of the issues that would be raised were:

- the meaning and impact of the apparent requirement for the National Manager to provide legal guidance to the heads of Federal Departments and Agencies.
- pre-ordination of chairmen on the various committees.
- lack of provision for alternates.

It was noted that the first meeting of the NTISSC is scheduled for 8 Nov 1984 (a copy of NSDD-145 is included with these minutes).

3. The next topic discussed was that of security requirements for personal computers. The Chairman reported that he has received tasking from the Chairman, SECOM, to develop a proposed policy statement on the subject of personal computers. The NSA member indicated that NSA was working toward an internal directive on this subject, to cover items such as handling of magnetic disks, labeling, and attachment to hosts. During the discussion on this topic, it was agreed that the types of problems that needed to be addressed were:

- passwords
- audit trails
- physical protection (ribbons, floppy disks, etc.)
- attachment to hosts, networks
- TEMPEST

It was noted that NBS has been giving this area considerable attention over the last year or two, and the suggestion was made that we solicit their support. The State member agreed to contact NBS. The agreement reached was that the approach would be to produce guidelines on the use of PC's dealing with the types of issues listed above. The subcommittee agreed that this was a more useful (and achievable) end-product than a policy or directive document.

4. The activity under the contract was reviewed. It was reported that the safeguards paper is ready for publication, apparently via a "quick and dirty" coordination (i.e., it is likely the CSS will not have the opportunity to review and comment). It was not clear what the purpose of the paper is, although it was conjectured that the intent may be to have it appended to DCID 1/16. This resulted in a discussion of the scope of the safeguards paper, noting that it is a single slice from the Criteria, and was developed to apply to the "critical systems." Thus, it is not clear what meaning it would have as an appendix to the DCID. Further, and more significantly, it was pointed out that the CSS is responsible for DCID 1/16. Thus, the Subcommittee should review, and have the opportunity to comment upon, anything which is proposed as an addition or change to that document. The Chairman will send a letter to the Chairman, SECOM, emphasizing the policy issuance responsibility of the SECOM CSS, and pointing out that the independent issuance of the safeguards paper is in conflict with, and can be construed as a usurpation of, that authority.

5. The above discussion led to the topic of DCID 1/16. The Chairman stated that the SECOM desires to have work on the revision re-initiated. reviewed the discussion on this subject at a recent SECOM meeting, emphasizing the SECOM decision to reassert its policy issuance charter via publication of a revised DCID 1/16. As a first step in re-initiating the DCID 1/16 re-write it was agreed that the Executive Secretary would re-issue the last version of the draft proposed by the subcommittee. This is included as an enclosure to these minutes. Additionally, the Executive Secretary stated that he would review the minutes and report back to the Subcommittee on the agreements which had been reached about the goals and structure of the revision.

6. The next meeting was scheduled for 20 November at 0930 at the Chairman expressed his desire to include a luncheon at the December meeting. Thus, that meeting was tentatively scheduled for Thursday, 20 December.

Executive Secretary