Documenting and Gaining Government Customer Approval for Processing, Storing, and Transmitting National Security Information

As mentioned earlier, many government customers require that they approve individual AIS or groups of similar AISs that will be used to process, store, display, and transmit national security information. However, this approval may be delegated to the corporate InfoSec leader, in this case, the IWC ISSO.

The approval is considered after reviewing the AIS InfoSec-related documentation in a format that they specify and which is usually stated in the contract. The documentation requirement can be very detailed or it can be general in nature, depending on the AIS and the government customer's requirements. The government customers using the government-approved document for that AIS written by the defense-industry-related corporation may then periodically inspect the AIS. Regardless of the format, what is of primary importance is that the InfoSec-related issues be addressed and documented. The following is an example describing the various InfoSec-related issues that may be addressed in documentation:

• Identification: Identify the specific AIS or AISs (if they are all identical, e.g. desktop computers, local area networks with workstations). This would include the make, model, serial number, physical location, and mode of operation of each AIS.

• Summary of System Usage: This section would include the level of national security information to be processed; any local and remote capabilities; hours of national security information processing; and the percentage of information on the AIS that is considered national security, classified information.

• AIS Hardware: The specific hardware must be identified and include a floor plan, schematic, disconnect methods if networked, and any switching devices for disabling the AIS.

• AIS Software: The name, type, and versions of the software and how they are safeguarded to ensure that they were not replaced with another version; this includes protection and defense software such as those used for access control or intrusion detection.

• Communications: This section would include the identification of the equipment and transmission lines, disconnect methods, configurations and interfaces, remote devices, protection procedures, and physical controls on the lines.

• Personnel: Their InfoSec responsibilities, controls to restrict access, visitor and maintenance personnel controls.

• Physical Controls: This section would include a description of the physical safeguards and characteristics, including any computer facilities and remote areas.

• General Access Controls: Described here would be how passwords were used, logon and logoff procedures, and how users with various national security clearances and NTK were segregated.

• AIS Operations: This section would describe how systems were started, used, and shut down, including how they were reconfigured if used at different times for different government programs.

• Information Storage, Protection Controls: This section would be used to describe how information was controlled, handled, marked, stored (using what type of accountability system), and declassified (e.g., the process used to downgrade information, such as from Secret to Restricted); and how the information will be destroyed when required. This section deals not only with the hard copies coming off the systems but also the electronic media used as storage devices.

• Audit Trails and Records: This section would be used to describe the various types of manual and automated audit trail programs and records that would be used. Included here would be samples of each, as well as their analysis processes.

• Emergency Plan: This section would describe the procedures to be used in the event of any emergency, including a security violation, system crash, or other emergencies that may be possible depending on the information environment.

Remember, the level of description and details documented would be based on the national security requirements as specified in the contract.