STATUS REPORT ON PLANNED SECURITY ENHANCEMENTS FOR THE INR INFORMATION HANDLING SYSTEM

Sanitized Copy Approved for Release 2011/03/03: CIA-RDP89B01354R000100170041-8 Next 1 Page(s) In Document Denied Q0' Sanitized Copy Approved for Release 2011/03/03: CIA-RDP89B01354R000100170041-8  Sanitized Copy Approved for Release 2011/03/03: CIA-RDP89B01354R000100170041-8 ? I _ u nitea States uepartment oz otate ,ol Washington, D. C. 20520 September 26, 1985 TO: Vice Admiral E.R. Burkhalter Jr. Director Intelligence Community Staff FROM: Lynn McNu Director Information Systems Security Office SUBJECT: Status Report on Planned Security Enhancements for the INR Information Handling System This memorandum is in response to the IC staff request for information on the Department's planned used of FY-86 COMPUSEC funds to correct security deficiencies identified during the review of the INR Information Handling System. By the end of Fiscal Year 1986, I am confident that the Department of State will be in substantial compliance with the DCI's security requirements for Critical Systems. This will be directly attributable to the infusion of COMPUSEC resources that will be applied to correct identified security deficiencies; as well as providing the ability to accomplish security planning for INR's long term information system requirements. The Department's plan for implementing the COMPUSEC requirements are discussed in the following paragraphs. The attachment to this memorandum contains an enumeration of how the COMPUSEC funds will be allocated to correct security deficiencies for the INR system. You will note that the priority for the utilization of COMPUSEC resources has been allocated to correcting security deficiencies for the existing INR system. 1. Termination of the link between the INR System and the IBM system. Agreement between all elements of the Department, as well as with the IC Staff, has been reached on how to effect the disconnect. A project staff is being assembled. To begin writing the software required to index CIA and NSA intelligence reports on the existing INR system. The FY-85 funds provided by the IC Staff will permit the completion of this phase of the disconnect project. It is anticipated that this project will be accomplished not later than March 31, 1986. LOGGED 27SEP1985. Sanitized Copy Approved for Release 2011/03/03: CIA-RDP89B01354R000100170041-8 MEMORANDUM  Sanitized Copy Approved for Release 2011/03/03: CIA-RDP89B01354R000100170041-8 SECRET 2,.. ,:,Security Upgrade of the Central Processing Units. The implementation of the approved ? disconnect solution will result in a temporary reduction of functionality available to INR analysts. To correct this loss of capability it will be necessary to upgrade the INR computer systems. The ISS re-accreditation study, currently underway, indicates that the INR system is operating in a Compartmented mode, not a System High mode. The Compartmented mode more closely reflects the true INR operating environment. Therefore, the next INR computer system must possess the security capabilities to support this mode of operation. COMPUSEC funds will be spent to enable INR to utilize DEC VAX 11/785 systems. The VAX operating system, VMS, is being enhanced to meet the Trusted Computer System Criteria. The conversion from PDP 11/70 to VAX 11/785 systems will enable the Department to utilize an operating system with greater security controls. It will also permit the Department to take advantage of all future enhancements made to the VMS operating system as a result of DEC's continuing relationship with the DOD Computer Security Center. The figures provided in the attachment for this element include VAX specific training for Departmental personnel. 3. Security Re-accreditation of the Existing INR System. The Department's computer security element, the Information Systems Security Office (ISS) is currently conducting a re-accreditation study of the existing INR system. This effort will also include a security test, analysis, and evaluation of the reconfigured INR system. The lack of a currently valid accreditation, as required by the DCI's computer security directive, was one of the major deficiencies cited by the COMPUSEC reports. We plan to obtain the necessary consultant support to finish the project early in the second quarter of FY-86 (using FY-86 COMPUSEC resources). The results of this study will be submitted to the Director of INR for accreditation action to bring the Department into compliance with the annual accreditation requirement specified in the Critical System Supplement to DCID 1/16. SECRET Sanitized Copy Approved for Release 2011/03/03: CIA-RDP89B01354R000100170041-8  Sanitized Copy Approved for Release 2011/03/03: CIA-RDP89B01354R000100170041-8 4. Security Upgrade of the Departmental Computer Facility Housing the INR computer system. Using FY-86 COMPUSEC resources various physical and procedural security enhancement will be implemented to meet the recommendations of the COMPUSEC Report and the ISS re-accreditation study. These improvements will strengthen access controls to the INR portion of the computer room. 5. Development of Short Term and Long Term Security Plans. Contractor assistance will be utilized to develop short term and long term INR ADP security plans. The short term plan will cover the 1985-87 INR computer environment. The long term plan will provide the security framework for the future INR major system upgrade tasks projected for 1988. 6. Enhanced Security Management for the INR System and the Department's Central Computer Facility. Using the additional staff resources provided by the COMPUSEC supplemental, the Information Systems Security Office will establish an aggressive security management program for the INR system and the Department's computer facility which houses the INR computer equipment. This will include a daily review of audit trail information, improved password management, and enhanced monitoring of personnel access controls to the INR computer complex. 7. Procurement of Microcomputer Security Enhancement Devices. INR will use TEMPEST approved microcomputers as attached workstations to their dedicated computer system. These microcomputers will be retrofitted with supplemental security devices, probably a board that incorporates a higher level encryption capability. These devices will enhance the protection of SCI material in the analyst areas of INR. 8. Development of a Security Education Module for Users and Operators of the INR System. The Department's Information Systems Security Office will undertake to develop innovative and state-of-the-art security education modules for all personnel involved in the operation and use of the INR system. We hope to take advantage of developments in computer assisted instruction and other technologies to assure that relevant and interesting materials are presented to INR employees. SECRET Sanitized Copy Approved for Release 2011/03/03: CIA-RDP89B01354R000100170041-8  Sanitized Copy Approved for Release 2011/03/03: CIA-RDP89B01354R000100170041-8 I believe that all of these projects can be accomplished for approximately one million dollars. The Department proposes to use the remaining to conduct a counterintelligence vulnerability analysis of the information contained in the data files of the Paris Regional Administrative Management Center. This facility provides payroll, disbursing and allotment accounting services to most civilian elements of the US Government located in 97 countries in Europe, the Middle East, and Africa. This facility is staffed by approximately 6 Americans and 150 Foreign Service Nationals (FSNs). These FSNs occupy all of the critical data processing positions - operations director, systems and application programmer, equipment operators, and media librarian. The basic question that this study would seek to address is whether or not there is any information processed at this facility which by itself or in the aggregate is of value to a hostile intelligence service. The automation of this basic information from 97 US embassies and consulates facilitates the task of analyzing this mass of This study project deserves your support as part of the COMPUSEC project. SECRET Sanitized Copy Approved for Release 2011/03/03: CIA-RDP89B01354R000100170041-8  Sanitized Copy Approved for Release 2011/03/03: CIA-RDP89B01354R000100170041-8 SECRET ALLOCATION OF FY-86 COMPUSEC RESOURCES 1. Disconnect of INR and IBM system-(will be accomplished with available FY-85 funds) 2. Security Upgrade of INR Central Processing Units 600,000 3. Contractor Assistance required to complete 1986 & 1987 Security Re-acreditations of the INR Computer System 100,000 4. Security Upgrades to the Computer Facility Housing the INR Systems 5. Development of Short and Long Term Security Plans 125,000 75,000 6. Enhanced Security Management of the INR Computer System and Computer Facility. (Will only require additional personal resources) 7. Microcomputer Security Enhancement Devices 8. Security Education Module 9. RAMC Analysis Project 25,000 75,000 300,000 Total 1,300,000 SECRET Sanitized Copy Approved for Release 2011/03/03: CIA-RDP89B01354R000100170041-8