REPORT ON COMPUTER SECURITY RESOURCES

Sanitized Copy Approved for Release 2010/11/17: CIA-RDP87T00623R000200070022-5 GMC File: -estroy: Return to~/:II~~ Remarks: GGC' " S ro),4 - Sanitized Copy Approved for Release 2010/11/17: CIA-RDP87T00623R000200070022-5  Sanitized Copy Approved for Release 2010/11/17: CIA-RDP87T00623R000200070022-5 mvvrn -vci . T_!Zt NS,L-A-711, Sanitized Copy Approved for Release 2010/11/17: CIA-RDP87T00623R000200070022-5  Sanitized Copy Approved for Release 2010/11/17: CIA-RDP87T00623R000200070022-5 n e Arl i. Sanitized Copy Approved for Release 2010/11/17: CIA-RDP87T00623R000200070022-5  Sanitized Copy Approved for Release 2010/11/17: CIA-RDP87T00623R000200070022-5 DIRECTOR OF CENTRAL INTELLIGENCE SECURITY COMMITTEE COMPUTER SECURITY SUBCOMMITTEE 5 Nov. 1983 DCISEC-CSS-M158 1. The One Hundred and Fifty-Eighth meeting of the Computer Security Subcommittee was held on 18 October 1983 at McLean, VA., and was attended by the following persons: Exe Mr. Carl Martz, Navy Ms. Sue Berg, Navy Mr. Robert Graytock, Dept. of Justice Mr. Gene Epperly, OSD SECOM Staff , SECOM staff CIA (observer) cutive Secretary CIA CIA NSA r. Ralph Neeper, Army 2. provided a summary of the SECOM Seminar held in Va during t e week of 10 October 1983. Considerable time was spent discussing computer security, with the discussions primarily focused on. the activities initiated by Dr. Linder her contract. The safeguards for critical systems effort was also a topic of discussion at the seminar. The point of this activity is to engineer and apply, to "critical systems", a set of fixes. Each Intelligence Community agency was requested to nominate a set of its critical systems. A determination will be made as to whether any of the systems have deficiencies and, if so, what the retrofit costs will be. The list of "critical systems" is presently before the Deputy DCI, Mr. McMahon. via the Consolidated Computer Security Program (CCSP), had been very thorough. Since the R&D submission to the SECOM was intended to reflect desired but unfunded programs, the submission was not extensive. It was later noted that there is no intelligence analysis activity funded as a community activity. This will be presented to Dr. Davis as a proposed fy 85 item. $350k will be added to the R&D program to support the production of threat data. noted that the DoD planning and budgeting for computer security, reflect R&D which is desired, but currently unfunded. The SECOM received a briefing, as requested byl Ion required computer security R&D. This submission was intended to Also discussed were the individual subcommittee budgets, the point Sanitized Copy Approved for Release 2010/11/17: CIA-RDP87T00623R000200070022-5  Sanitized Copy Approved for Release 2010/11/17: CIA-RDP87T00623R000200070022-5 being made to the SECOM that these funds represented critical seed money which is used to initiate programs which might otherwise never see the light of day. It was noted during the discussions that several programs which have benefitted from such seed money have subsequently been picked up, supported, and augmented by the sponsoring Department or Agency (e.g., the IR review program being run by the Navy member). 3. As a result of the above discussions, I I reviewed the currently proposed DoD R&D program. Enclosure 1 shows those R&D programs (CCSP + individual Agencies) already funded. She pointed out that no money was being requested for these programs, but that support for them was needed during the budget cycle. Enclosure 2 shows those programs which are currently unfunded, and thus could be supported with funds. She also pointed out that DoD had proposed $9.4M over guidance, which is being strongly supported by the SECDEF. 4. The Navy member reported on the IR review project, indicating that the $70K of Navy fy 83 funds that were being sought were lost. He is currently requesting $40K of fy 84 funds from both the Navy and the SECOM. He reported that he was also offerred support and funding from the NSA COMSEC organization. 5. of the SECOM staff, distributed a new proposal for the rewrite of DCID 1/16. The paper represents the policy section, and will ultimately be accompanied by a regulation. pointed out that the new document is not organized along the "modes of operation" of the current DCID. Rather, it is structured such that decisions are made based upon where a system falls along each of the three axes of user clearance range, data classification range, and need-to-know range. Since this document had not been previously seen by the Subcommittee, there was little discussion of the contents. The membership was asked to have reviewed it and have comments prepared by the next meeting. also claimed that, by direction, all DCID's will be classified SECRET, which is contrary to the Subcommittee's previous guidance. 6. I lannounced his retirement from government service; he will be replaced on the Subcommitte by next meeting was set for 0930 on November 22 at Sanitized Copy Approved for Release 2010/11/17: CIA-RDP87T00623R000200070022-5  Sanitized Copy Approved for Release 2010/11/17: CIA-RDP87T00623R000200070022-5 REPORT ON COMPUTER SECURITY RESOURCES 1. Reference SECOM-D-16S, Subject FY 85 Computer Security Program, dated 8 August 1983. 2. Responses to the Reference were sorted according to the six general areas identified by the Chairman, (SECOM-D-161, dated 1 August 19S3). A summary of the major funded efforts is contained in Enclosure I. The submissions fall into two categories: by DoD Components (Army, Navy, Air Force, DIA, NSA) and by the other Intelligence Agencies (CIA, State, FBI, DOE). 3. It should be noted that almost all of the DoD Components' submissions are part of the Consolidated Computer Security Program (CCSP). At present the CCSP is funded at the FYDP level for FY1985. An overguidance of $9.4M has been requested and is being favorably considered by the Secretary of Defense. This increase will support almost all of the "unfunded" tasks identified by the DoD Components. Enclosure 2 identifies the remaining tasks for which additional funds could be sought and the rationale for this recommendation. 4. The unfunded submissions from the other Intelligence 'Agencies were examined in light of the CCSP. Those tasks for which additional funds could be sought and the rationale for this recommendation are contained in Enclosure 2, also. 5. While the Reference did not limit the resources requirements to R&D tasks, there were no additional funds requested specifically for O&M or Procurements. There is consensus that more resources, both qualified people and dollars, are required to adequately administer the computer security programs of the member agencies. Sanitized Copy Approved for Release 2010/11/17: CIA-RDP87T00623R000200070022-5  Sanitized Copy Approved for Release 2010/11/17: CIA-RDP87T00623R000200070022-5 The totals for six subject areas are listed as an example of the magnitude and apportionment of the budget. Individual project descriptions are available if you are interested. 1. POLICY AND STANDARDS DEVELOPMENT 2. THREAT INTELLIGENCE COLLECTION AND ANALYSIS .4. DATA AND MEDIA CON=?-! TROL R&D 6. TRAINING AND PERSONNEL DEVELOPMENT *Budget for these years not known. Sanitized Copy Approved for Release 2010/11/17: CIA-RDP87T00623R000200070022-5  STAT Sanitized Copy Approved for Release 2010/11/17: CIA-RDP87T00623R000200070022-5 Next 6 Page(s) In Document Denied Iq Sanitized Copy Approved for Release 2010/11/17: CIA-RDP87T00623R000200070022-5