DIRECTOR OF CENTRAL INTELLIGENCE SECURITY COMMITTEE COMPUTER SECURITY SUBCOMMITTEE

Document Type:
Collection:
Document Number (FOIA) /ESDN (CREST): CIA-RDP87T00623R000200070026-1
Release Decision: RIPPUB
Original Classification: K
Document Page Count: 26
Document Creation Date: December 22, 2016
Document Release Date: November 17, 2010
Sequence Number: 26
Case Number:
Publication Date: May 20, 1983
Content Type: MISC
File: CIA-RDP87T00623R000200070026-1.pdf (371.15 KB)
Body:
Sanitized Copy Approved for Release 2010/11/17: CIA-RDP87T00623R000200070026-1

DIRECTOR OF CENTRAL INTELLIGENCE SECURITY COMMITTEE
COMPUTER SECURITY SUBCOMMITTEE

20 May 1983
DCISEC-CSS-M154

1. The One Hundred and Fifty-Fourth meeting of the Computer Security Subcommittee was held on 17 May 1983 at the McLean, VA. The following people attended:

Chairman
Executive Secretary
IA
CIA
Mr. Robert Graytock, Dept. of Justice
Mr. David Jones, DoE
NSA
NSA
r. ar Martz, Navy
Mr. James Studer, Army
Mr. Lynn Culkowski, Air Force
Mr. Lynn McNulty, Dept. of State
Mr. David Schenken, U.S. Secret Service
Mr. Gene E r , OSD
aff Chairman, SECOM
SECOM
IC Staff
CIA (observer)

2. The meeting was visit Chairman of the DCI SECOM, and Inc., who has been contracted by the IC Staff to review the structure, policy, and standards of computer security across both the Intell and DoD who was introduced to the Subcommittee by described the project as it is presently envisioned. It will include five parallel efforts, as follows:

(a) Policy - this would encompass "hand-shaking" agreements, such as MOU's between DoD and Intell., the definition of a standards-making and enforcement process, and the revision of DCID 1/16.

(b) Process - this area would address the certification/accreditation process, how support is provided to the field, and the assignment of responsibilities.

(c) Vulnerability/Threat/Risk - to include both generic and specific (e.g., case studies) vulnerabilities; will also address the need to obtain support from the Executive and Legislative branches.

(d) R&D - this aspect of the project will highlight R&D now being supported, push for more support for technology projects currently underway (e.g., DoDIIS, BLACKER), and identify technology which needs development.

(e) Action Agenda - this portion of the task would result in the setting of priorities, identifying standards to be developed, and identifying a phased approach for coming into compliance with standards/policy documents.

stated that she expected the project to be completed in approximately one year. However, she also noted that it would leave behind a legacy of an infrastructure as well as a five-year program and budget.

3. At the resumption of the regular business meeting, the Chairman stated his intent to have the Subcommittee support Dr. fully. He noted, however, that, at the present time, the Subcommittee was only being asked to present briefings to Dr. on the threat and the requirement for collection, and on the status of the DCID 1/16 rewrite. These will be given by the Executive Secretary and the Chairman.

4. The Chairman pointed out that, as a result of project being initiated, the IC Staff has ordered that the rewrite of DCID 1/16 be put on hold. However, he has indicated to the SECOM his intention of completing the current efforts, at least insofar as capturing the results of the most recent discussions/work/agreements.

5. The next item of business was a discussion of the Subcommittee's R&D projects for FY83. The Chairman noted that we are funded at a level of $250K. The three tasks discussed in detail were:

(a) the Security Sign-On Device, installed at the Pentagon, with DIA as the COTR. The Chairman offered a briefing and demonstration to whoever was interested in the device, which employs fingerprint identification technology;

(b) the Wang Alliance study, being COTR'ed by both State and CIA. The CIA member indicated that the technical performance of the LANL contractors was good, but that he has been dissatisfied with the reports to date;

(c) the threat estimate effort, being pursued by the Navy. The Navy member reported that the IR's are currently being reviewed.

6. The Executive Secretary presented a briefing on the status of the DCID 1/16 rewrite. The briefing reviewed the issues and agreements which led up to the most recent draft, and briefly outlined the structure of that draft. The primary purpose of the briefing, however, was to propose a restructuring of the regulatory section to allow telecommunications systems to fit smoothly into an overall structure. The viewgraphs of the briefing, as well as the proposed rewrite, are enclosed. The views expressed by the membership were supportive of the ideas presented, although the observers from the CIA Telecommunications office expressed some concern with the applicability of the terminology to telecommunications systems.

7. The next meeting of the Computer Security Subcommittee was set for Tuesday, 21 June 1983 at 0930 at Members are asked to be prepared with specific comments on the proposed restructure of the regulatory section of DCID 1/16.

8. We note here the retirement of Mr. James Studer, who has served the Army, the Community, and the Subcommittee loyally for many years. Those who count him as a friend are legion, and they will miss his participation, while wishing him well in his retirement.
Executive Secretary

DCID 1/16 Yesterday, Today and Tomorrow

Current Document
"Security of Foreign Intelligence in Automated Systems and Networks"

Salient Characteristics
- Policy Statement - excluded telecommunications systems
- Regulation - defined three allowed modes of operation

Allowed Modes of Operation

A. Dedicated
- System exclusively dedicated to, and controlled for, the processing of one particular type of intelligence information.
- All users cleared to the level of the information being processed.

B. System High
- System operating with security measures commensurate with the highest classification and sensitivity of information being processed.
- All users cleared/access approved for all data in the system.

Allowed Modes of Operation (Con't)

C. Compartmented
- System processes two or more types of SCI, or, one type of SCI with other than SCI.
- System access secured to at least TOP SECRET, but all users not necessarily formally authorized access to all types of SCI on the system.
- All users cleared at least TOP SECRET.

Deficiencies of Current DCID
- Authorities/responsibilities not clear
- Overly rigid
  - 3 and only 3 modes of operation
  - underlying assumption too narrow
  - No allowance for new technology
  - No allowance for special environments
- Telecommunications exception
  - Confusing
  - Apparently inconsistent

Goals of Re-Write
- Better delineate responsibilities and authority
- Address shared systems
- Incorporate more flexibility
  - allow for variety of applications and environments
  - allow for engineering trade-offs
  - allow for technical innovation
  - allow for new modes
- Incorporate telecommunications

ISSUES
- foreign intelligence vs. SCI
- mandatory vs. recommendations

Agreements 20 April 1982 mtg
- Scope is all foreign intelligence
- Modes should not be mandatory; identify minimum requirements for commonly encountered environments, but allow for engineering trade-offs
- Include an "expanded compartmented mode"
- Identified an approach for dealing with telecommunications

Current Draft

Policy
- Define protection goals
- Define accreditation authority
  - single agency system
  - shared system
  - "concatenated" system
- Define responsibilities
- Administrative reports
- No telecommunications exception

Regulation
- Define generic security requirements
  - mandatory controls
  - discretionary controls
  - labelling
  - accountability
  - continuous protection
- Prescribe minimum security requirements
  - physical
  - personnel
  - administrative
  - COMSEC
  - TEMPEST

Regulation (Con't)
- Define a set of security modes
  - dedicated
  - system high
  - compartmented
  - expanded compartmented

Remaining Issue: Telecommunications
- Problem is political
- Not excluded, Not included

Current Status
- Draft to SECOM in Feb 1983
- SECOM decisions
  - add telecommunications section
  - scope limited to SCI only
- further development

A proposed re-structuring to solve the telecommunications problem

Define Five Modes of Operation
- Dedicated
- System High
- Compartmented
- Expanded Compartmented
- Unlimited (i.e., full multi-level)

Distributed Among Three General Classes of ADP Environments
- User Class
- Data Sharing Class
- Process Sharing Class

Mode of Operation - Defines a set of protection measures (hardware/software, physical, personnel, administrative)

Environment Class - Defines the functionality afforded to the users of the ADP system

For each Environment Class, an allowable set of modes of operation

User Class
The ADP System provides general programming capability.
Allowable Modes
- Dedicated Mode
- System High Mode
- Compartmented Mode

Data Sharing Class
Does not provide software development facilities to the user; Does provide data sharing and data management services. Users allowed to read from, write to, alter, and manipulate globally-shared, system-maintained data.
Allowable Modes
- Dedicated Mode
- System High Mode
- Compartmented Mode
- Expanded Compartmented Mode

Process Sharing Class
ADP system provides the capability to execute pre-defined processes which run in user's behalf; Does not support general programming; Data not shareable at user's discretion. (e.g. Pure Comm. Processors, Transaction Processors, Terminal Concentrator, security "filter")
Allowable Modes
- Dedicated Mode
- System High Mode
- Compartmented Mode
- Expanded Compartmented Mode
- Unlimited Mode

Unlimited Mode
- One or more types of SCI along with collateral (non-SCI)
- System access is provided to users of arbitrary clearance (incl. uncleared)
- System designed, engineered, and configured specifically to operate in Unlimited Mode.
- NFIB member involved in the decision to develop and implement system operation in the Unlimited Mode.
- All system software developed in controlled environment by cleared programmers.

ADVANTAGES
- Telecommunications fits smoothly into an overall, consistent framework
- No need to allow nebulously-defined "engineering latitude"

DISADVANTAGES
- Definitions not clear enough; need to