IWS - The Information Warfare Site
News Watch Make a  donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled

13 May 1992

DRAFT

IDA DOCUMENT D-967

INTEGRITY-ORIENTED CONTROL
OBJECTIVES: PROPOSED REVISIONS
TO THE TRUSTED COMPUTER SYSTEM
EVALUATION CRITERIA (TCSEC), DoD
5200.28-STD

Terry Mayfield

John M. Boone

Steven R. Welke

August 1991

This document is still subject to modification or withdrawal and therefore may not be
referenced in any publication. It also should not be duplicated.

Prepared for

National Security Agency

INSTITUTE FOR DEFENSE ANALYSES

1801 N. Beauregard Street, Alexandria, Virginia 22311

DRAFT

1. INTRODUCTION

1.1 PURPOSE

This document proposes new and revised versions of the control objectives contained in
the Trusted Computer System Evaluation Criteria (TCSEC), DoD 5200.28-STD [TCSEC
1985, pp. 57-63]. These modifications extend the existing control objective statements to
encompass the promotion and preservation of data and systems integrity. They are
intended to be used as a strawman to foster further research and debate aimed at
developing a new or revised set of product evaluation criteria that addresses integrity as
well as confidentiality.

1.2 BACKGROUND

Control objectives are the fundamental computer security requirements as they apply to
general purpose automated information systems (AISs). As such, they serve as guidance
to the development of more specific evaluation criteria. Evaluation criteria, in turn, are
intended to ``... (a) provide users with a yardstick with which to assess the degree of
trust that can be placed in computer systems for processing classified or other sensitive
information; (b) provide guidance to manufacturers as to what to build into their new
widely-available trusted commercial products in order to satisfy trust requirements for
sensitive applications; and (c) provide a basis for specifying security requirements in
acquisition specifications'' [TCSEC 1985, p. v].

Given the rather far reaching implications of evaluation criteria, it is vital that such
criteria be built upon a clear and complete foundation. The modified control objectives
presented in this document represent only one step towards that foundation. This step,
directed towards enhancing the set of control objectives to address the needs of integrity,
begins the enabling for the development of new criteria. However, the proposed control
objectives are not intended to be adopted without further research and debate to derive
the best possible foundation for further development work.

1.3 SCOPE

This document extends the integrity framework developed in [Mayfield 1991] and takes
another step in developing and evolving product criteria that include integrity. The
document only addresses control objectives; specific criteria addressing integrity
concerns remain as future work. The document is complementary to other ongoing
research work in the topic of integrity, e.g., the electronic forum for the development of
new formal models of integrity in preparation for The Computer Security Foundations
Workshop IV which was held in Franconia, New Hampshire, 18-20 June 1991. The
document assumes that the control objectives for confidentiality, as contained in the
TCSEC, are adequate for that purpose. Through the study of relevant policies, we have
come to believe that the control objectives need to extend to applications running on a
vendor's system product in order to adequately address boundaries of responsibility
and criteria for implementing protection controls. However, this study concentrates
primarily on control objectives from a systems perspective-the issues involved with
extending the control objectives to applications cannot be explored in depth until a
systems perspective has been established. We do not make use of a particular formal
model of integrity, but rather use some of the concepts developed and modeled by
various model authors to arrive at our specific version of each control objective.

We have purposefully tried to not depart radically from the TCSEC. Our thinking was
that it would be much more beneficial to show minimal changes while increasing
support to various integrity policies than to try and "reinvent the wheel." To some, these
changes may still seem too radical, to others they will be insufficient. We hope that in
both cases our proposals serve to enhance the debate.

The major policy documents, with respect to integrity in AISs, are listed in Table 1.1.
These documents are addressed individually in separate sections in Appendix A. Each
individual section devoted to a particular document contains (a) a brief overview of the
document, (b) a listing of selected source text from the document, (c) a cross-reference
from the source text to affected integrity control objectives, and (d) a commentary
section. The commentary section is, in essence, a set of interpretive notes about control
aspects of the source text. We developed them to partially confirm, from a policy point of
view, what we had discovered in [Mayfield 1991] through an analysis of various
integrity-supporting mechanisms about possible objectives for control.

These government documents provide policy and guidance for controlling and
protecting information. Their contents can be interpreted in at least three distinct ways:
(1) having direct applicability to the certification of an Agency's system as part of the
process of obtaining an accreditation for system operations, (2) having direct
applicability to general application subsystems as evaluated subsystem products, and
(3) having applicability across a wide range of applications wherein the protection
mechanisms might generally provided by the underlying computer system (i.e.,
hardware, operating system, and communications subsystems). While our control
objectives are directed at the third interpretation, the reader will find that we did not
similarly confine our commentary notes on the selected policy text contained in
Appendix A. Our intention in the latter was to take a much broader system perspective
and then selectively use the material in supporting the specific wording of our control
objective proposals.

TABLE 1.1. List of Policy Documents

POLICY DOCUMENT

TITLE

FEDERAL LAWS

Public Law 92-579

The Privacy Act of 1974

Public Law 101-508

Computer Matching and Privacy Protection Amendments of 1990

Public Law 96-511

The Paperwork Reduction Act of 1980

Public Law 97-255

Federal Manager's Financial Integrity Act of 1982

Public Law 97-86

DoD Authorization Act of 1982

Public Law 100-235

Computer Security Act of 1987

EXECUTIVE/LEGISLATIVE

OMB Circular No. A-127

Financial Management Systems

OMB Circular No. A-130

Management of Federal Information Resources

OMB Circular No. A-123

Internal Control Systems

OMB Bulletin No. 90-08

Guidance for Preparation of Security Plans for Federal Computer
Systems that Contain Sensitive Information

OMB IC Guidelines

Internal Control Guidelines

GAO Title II

GAO Policy and Procedures Manual for Guidance of Federal
Agencies-Title 2 - Accounting

DEPARTMENT OF DEFENSE

DoD Directive 5010.38

Internal Management Control Program

DoD Directive 5200.28

Security Requirements for Automated Information Systems

DoD Directive 7740.1

DoD Information Resource Management Program

DoD Guideline 7740.1-G

ADP Internal Control Guideline

DoD Directive 7750.5

Management and Control of Information Requirements

2. PROPOSED CONTROL OBJECTIVES

The proposed control objective revisions contain the following major elements: (1) an
introduction to the control objective, (2) the original and revised control objectives, and
(3) a discussion of issues and rationale for revising the control objective. The discussion
and supporting rationale are intended to be useful whether the original control
objectives are to be modified as we propose, or entirely new control objectives are to be
developed.

When broadening the scope of the TCSEC to include integrity, we must consider the
effect upon the existing control objectives. There are two basic considerations: (1)
whether integrity policies call for additional technical features to be included in the
control statements, and (2) whether the existing abstractions currently associated with
the statements of control are adequate, given the increased scope of protection. Each
factor could have a subsequent effect on the control objective. The requirement for
additional technical features would compel a modification to the control objective itself
and is reflected in the proposed revisions. Generalizing control abstractions would
require a change in the interpretation of the statements of control. These interpretation
changes are noted in the discussion section of each affected revision.

As stated in the TCSEC [1985, p. 71], ``There is a large body of policy laid down in the
form of Regulations, Directives, Office of Management and Budget (OMB) Circulars,

Presidential Executive Orders, and Laws that form the basis for the handling and
processing of Federal information in general and classified information specifically.'' We
follow the TCSEC's example and illustrate the relationship of pertinent integrity policy
to product evaluation criteria using excerpts from Federal laws and Executive,
Legislative, and Department of Defense (DoD) policy documents.

The set of policy statements and guidance that are related to integrity in automated
information systems (AISs) are discussed in Appendix A. The security policy to be
specified for a given system should be derivable from this set of policies in conjunction
with those already cited in the TCSEC. The policy statements of interest originate from
one of three sources: the Federal or Executive branches of government, or the DoD.

Federal law addressing issues of integrity in information processing is best interpreted
not only by examining the Acts of Congress but also their legislative histories, which
aids one in understanding the establishment or modification of law.

The Executive branch of government, in implementing the laws passed by Congress,
issues directives and broad guidance to departments and agencies. The most significant
of these OMB (policy) Circulars are summarized with respect to their effect on integrity.
The General Accounting Office (GAO) is tasked by Congress to provide auditing and
accountability services to the Legislative Branch of Government. In providing such
services GAO issues related guidelines and standards for the Federal government. These
guidelines and standards are cited as references in various policy statements included in
our study, and hence are relevant to those policies of interest.

The DoD has the responsibility for interpreting and implementing the policy issuances
from higher authority. This is done via DoD Directives, regulations, manuals and other
guidance formats. Each of these DoD policy issuances must be interpreted and
implemented by the DoD Components and Agencies.

2.1 SECURITY POLICY

In general, a security policy states what protection controls should be provided in the
administration or operational management of a set of valued resources. A security
policy may define the protection requirements in terms of perceived threats, risks, and/
or goals of an organization. Security policy from the highest levels of Government (e.g.,
Laws and Executive Orders) is put into force through its promulgation in subordinate
Agency or Component implementation directives. Each subsequent level refines the
implementation detail for protection. When these implementation details are carried out,
the policy is enforced. As the general policy statements are refined, the resulting
statements of specific requirements serve to drive product specifications for the design
and operation of policy enforcement mechanisms. Thus, ``a given system can only be
said to be secure with respect to its enforcement of some specific policy'' [TCSEC 1985, p.
59].

2.1.1 Original and Revised Security Policy Control Objectives

Original

A statement of intent with regard to control over access to and dissemination of
information, to be known as the security policy, must be precisely defined and
implemented for each system that is used to process sensitive information. The security
policy must accurately reflect the laws, regulations, and general policies from which it is
derived [TCSEC 1985, p. 59].

Revised

A set of statements of intent with regard to controls over computing resources and
information processing including origination, acquisition, access, use, maintenance,
dissemination, and disposal of information within computer systems, to be known
collectively as the security policy, must be precisely defined and implemented for each
system that is used to process classified and sensitive information. The security policy
must accurately reflect the laws, regulations, and general policies from which it is
derived.

2.1.2 Discussion

Automated information system security policy is a set of statements indicating the
protection controls that should be focused on computing resources and on how
information within computer systems is originated, acquired, accessed, used,
maintained, disseminated, or disposed. The current Security Policy control objective is
limited by the breadth and scope of the laws, regulations, and general policies from
which it is drawn, i.e., non-disclosure of classified and other sensitive information. To
extend the breadth and scope of the TCSEC Security Policy control objective to integrity,
one must first examine the regulations, policies, and/or laws that might be applicable.

Although existing policy [DoD 5200.28-D] states that safeguards for the preservation of
systems and data integrity shall be in place in DoD computers, implementing
regulations and manuals do not precisely define the means for providing these
safeguards. This is in contrast to the uniform system for safeguarding national security
information as prescribed by Executive Order 12356 [EO 12356], which specifically
assigns responsibility to promulgate implementing regulations for confidentiality
protection. This assignment of responsibility has led to well-defined regulations for
protection against unauthorized disclosure, (e.g., [DoD 5200.1-R]). There appear to be no
Executive Orders of equivalent weight and specificity for the direct establishment of
regulations for integrity, and thus regulations applicable to system or data integrity are
not as specific and well-defined.

There are Federal laws and policies which both directly and indirectly address integrity
issues. We assert both as being applicable to integrity protection. They address, in an
overlapping fashion, requirements for automated information security, information and
internal management, and internal controls. These laws and policies are individually
summarized in Appendix A. In addition to current TCSEC policy guidance on
confidentiality, the integrity requirements and guidelines provided by these laws and
policies should be used to shape the detailed security policy into a clear specification of
what must be done to preserve and promote both confidentiality and integrity.

The essence of these laws and policies with respect to information security pertains to
the definitions of sensitive government information and sensitive applications, and the
protection of sensitive information from loss, misuse, unauthorized access, or
modification. Specific to integrity, these laws and policies require that information must
be protected from unauthorized, unanticipated or unintentional modification including
the detection of such activities. Personnel, life support, safety critical and financial
transaction systems are cited as sensitivity examples. The laws and policies define
restrictions on the collection, use, and maintenance of information in Federal AISs,
including timeliness, accuracy, and completeness, and relevance to the agencies needs.
They require appropriate safeguards and individual accountability. The essence of the
laws and policies with respect to information and internal management pertains to the
definition of information and computer resources as assets that must be managed, and to
the establishment of management controls. These management controls include internal
management control procedures, general supervision, input/output and procedural
controls for information processing operations, system administration, information
resource management, training, responsibility assignments, resource allocation, and
vulnerability assessments.

The essence of laws and policies with respect to internal controls pertains to individual
competence, authorization, and accountability; data and application validation; data
completeness, accuracy, and timeliness; and auditability and other procedures to
maintain and to periodically determine the extent of conformance with legal and ethical
standards.

Several Federal laws, along with their implementing policies, mandate action to
preserve and promote data and systems integrity and considerably broaden the scope of
protection requirements over those requirements for confidentiality. The proposed
revision reflects these broader protection requirements by modifying the original TCSEC
version to allow a comprehensive coverage of controls. This modification preserves the
intent of the original objective with respect to control for confidentiality and allows for
the incorporation of additional controls for integrity.

The modification pluralizes the ``statement of intent'' and the term ``control'' to
recognize a wider variety of protection intents and controls and then collectively terms
them ``the security policy.'' Further, it removes the more narrowly focused words
``access to and dissemination of information'' from the original objective statement and
replaces those words with the phrase ``information processing including origination,
acquisition, access, use, maintenance, dissemination, and disposition of information
within computer systems.'' Each of these elements should have a precise statement of
enforcement requirements with the collective statement resulting in a consistent and
complete security policy.

2.2 MANDATORY CONTROL

Mandatory security is based on laws or regulations which establish the rules that must
be enforced and the designations of attributes to be used by these rules. Thus, it is often
referred to as ``rule-based'' security. In the TCSEC, mandatory security refers to the
enforcement of a set of access control rules that constrains an individual's access to
information on the basis of a comparison of attributes that designate an individual's
clearance and/or authorization to the information, the classification and/or sensitivity
designation of the information, and the form of access being mediated. In general,
system enforcement of mandatory policies either requires or can be satisfied by systems
that implement a partial ordering or mathematical lattice of such designations [TCSEC
1985, p. 60].

2.2.1 Original and Revised Mandatory Security Control Objectives

Original

Security policies defined for systems that are used to process classified or other
specifically categorized sensitive information must include provisions for the
enforcement of mandatory access control rules. That is, they must include a set of rules
for controlling access based directly on a comparison of the individual's clearance or
authorization for the information and the classification or sensitivity designation of the
information being sought and indirectly on considerations of physical and other
environmental factors of control. The mandatory access control rules must accurately
reflect the laws, regulations, and general policies from which they are derived.

Revised

Security policies defined for systems that are used to process classified or other
specifically categorized sensitive information must include provisions for the
enforcement of mandatory access control rules. That is, they must include a set of rules
for controlling access based directly on (1) a comparison of the individual`s clearance or
authorization for the information and the classification or sensitivity designation of the
information being sought, and/or (2) a comparison of the duty to be performed with the
duties mapped in the individual's current role, and indirectly on (3) considerations of
physical and other environmental factors of control. The mandatory access control rules
must accurately reflect the laws, regulations, and general policies from which they are
derived.

2.2.2 Discussion

Integrity protection requires that user actions be constrained by mandatory controls
beyond the traditional specification of a sensitivity label and a formal authorization that
form a ``confidentiality'' lattice. These additional constraints will be described in this
discussion.

It is Federal law that any information which could adversely affect the national interest
must be protected from loss, misuse, unauthorized access, and unauthorized
modification [CSA 1987]. It is also Federal law that ``internal accounting and
administrative controls... shall provide reasonable assurances that [resources] are
safeguarded against waste, loss, unauthorized use, or misappropriation'' [FMFIA 1982].
Federal and DoD policy reflect these protection requirements in their implementing
directives. For example, it is Federal policy that resources must be ``protected against
fraud, waste, mismanagement or misappropriation'' [OMB A-123, p. 1].

Separation of duties is a mandatory policy that has been implemented, particularly in
the commercial sector, to address fraud, misuse, etc. Separation of duties also is cited
explicitly as an internal control standard [GAO 1983] and is required in several Federal
and DoD policies. DoD's directive on its internal management control program, [DoD
5010.38-D], in discussing dependencies for internal control, provides rationale for this
mandatory policy. ``Internal control depends largely on the elimination of opportunities
to conceal errors or irregularities. This, in turn, depends on the assignment of work in
such a fashion that no one individual controls all phases of an activity or transaction''
[DoD 5010.38-D, Encl.3]. From this requirement to separate duties or phases of an
activity, we derive the need for implementing the concept of roles. To separate duties,
attributes must be identified that will allow duties to be categorized into different sets.
We define a duty to be an operation on an object, class of objects, or defined system
resource; it provides the binding for objects and operations. Each set of duties is mapped
to a role. Thus, a role is an encapsulation that defines which duties (i.e., manual or
automated operations on particular objects, classes of objects, or system resources) a user
possessing the designation of that role is allowed to perform (invoke). In essence, a role
conveys a ``privilege'' to perform a set of duties; it provides the binding for users,
operation, and objects. Roles aggregate users, duties aggregate objects and their
operations.

Where separation is required, two roles may have partially but not totally overlapping
duties; no single role can encompass all of the duties required to complete a sensitive
activity or transaction. Roles may be assigned as expressly permitted or denied, or they
may be enabled by a sequence of events performed by another role. Once the duties are
divided between different roles, the system or role administrator must ensure that a
single individual is not given multiple roles that would effectively allow that individual
to perform all duties required to process a sensitive transaction. For example, if duties A,
B, and C are required to perform a particular transaction, the system might assign duties
A and B to role 1 and duty C to role 2 to achieve separation of duties. But, in order to
maintain the separation, the system or role administrator must ensure that the same
individual is not assigned to both role 1 and role 2.

Roles must be registered in the system for all operations on objects, classes of objects,
and system resources. Newly created operations cannot be invoked without the
intervention of a system or human administrator to register the operation's associated
roles. Roles assigned to individuals must relate to roles assigned to operations according
to mandatory rules, (e.g., separation of duties must be enforced). These role designations
can provide partial ordering and dominance relations necessary for the mechanics of a
lattice.

DoD policy constrains the concept of separation of duties even further by requiring
``authorized [resource] access and [transaction] execution'' [DoD 5010.38-D, Encl.3].
From this mandatory policy requirement, we derive the joining together of the
(authorized) individual, in a specific role, executing a specified duty (i.e., operation), on
a specific resource (i.e., data object). By combining access to data with separation of
duties, the computer system must implement user-program-data bindings to control
which users can invoke which programs on particular data items. A model for achieving
user-program-data bindings is given in [Clark 1987, 1989]. Our approach is to use roles
and duties as the bindings. Lee [1988] discusses an alternative approach using roles in a
lattice to implement the Clark and Wilson model.

Mandatory controls address more than access control, they also address information
flow. Where the integrity issue of ``contamination'' of high quality information with low
quality information from low quality sources is a mandatory concern, the ability to
attribute subjects and objects with a designated quality grade will be required. Biba
[1977], in his integrity model, introduced the term integrity grade to designate
gradations of quality for subjects and objects. In essence, an integrity grade is a
determination of a subject or object's quality with respect to a defined standard. In this
respect, such a grade can be thought of as analogous to a classification or a sensitivity
label in the DoD scheme. These integrity designations also would provide partial
ordering and dominance relations necessary for the mechanics of a lattice structure.

DoD requirements for integrity grades for subjects are derivable from the statement that
``managers and employees shall have personal and professional integrity and shall
maintain a level of competence that allows them to accomplish their assigned duties...''
[DoD 5010.38-D, Encl.3]. This ``competency'' requirement implies some specific standard
of quality associated with an individual (e.g., a level of professional maturity). It further
implies that individuals not meeting a certain level of quality should not be allowed to
perform certain duties, because they may lack competence to successfully accomplish
such duties. Thus, we derive a mandatory requirement to characterize individuals, in
conjunction with their role specification, with a level of quality that reflects their ability
to carry out specified duties (e.g., apprentice, journeyman, master, supervisor).

Integrity grades for objects are not always directly derivable from formal standards or
policy, but often can be derived from experience. Here, we are concerned with attributes
of information that indicate the information's ``maturity'' (e.g., initial, preliminary, and
final versions) that convey a degree of effort placed into developing the information and
the results of that effort to a subjective or objective standard. In this case, the idea of
maturity recognizes that earlier versions of information may not have as high a
``quality'' as later versions. Similar attributes, some with specific standards such as
precision, accuracy, etc., can be addressed under the rubric of information quality.

Where contamination is an issue, a specific set of information flow rules must be
established. For example, a rule based on the competency of individuals might state that
information entered by an expert cannot be modified by a novice. A rule based on the
maturity of information (e.g., unedited version vs. final product version) might state that
the ``quality'' of the information increases only by progressing the information through
specific events (e.g., editing and formal review). It is through this event progression that
the effort put into the information's development is seen to produce measurable results
(e.g., edited and approved versions). As a further requirement, the information maturity
rule might state that a proper sequence of such events must be followed. To be
enforceable, these potential mandatory quality rules will require some form of integrity
grade designation implementation. The standards for such integrity designation
requirements have not been developed for widespread use, and attributing subjects and
objects with gradation designations may not be as straightforward for integrity policies
as was the case for confidentiality policies.

The additional comparisons added to the mandatory controls are seen to be vital in
preserving the integrity of systems and data. With these comparisons, we recognize that
there are at least two levels of mandatory control. The first level provides a reference
monitor which is invoked to meet the requirements of preventing disclosures of
classified information and/or preventing contamination of high quality information
with low quality information. Notice that although the same wording used in the
original control objective has been used in (1), it is interpreted to imply the extension of
integrity grades to prevent contamination. The second level provides mandatory
indirection between a user and system resources to enforce separation of duty as well as
control of object execution, modification, or manipulation. This second level of
mandatory control extends the notion of a reference monitor provided by the first level,
and provides more discrete control by binding the user authorization to a particular
action upon a particular object.

2.3 DISCRETIONARY CONTROL

The concept of discretionary control extends from the principle of ownership, providing
for user-controlled sharing that promotes the maximum efficiency of system data and
resource administration while retaining protection effectiveness. Efficiency is gained by
reducing central system administration and effectiveness is maintained by bounding an
individual's discretion. Thus, discretionary control is the administration of data and
resources by individuals who are provided with a set of explicit and/or implicit
privileges to operate on sets of those data and resources, and with the ability to grant or
deny (at their discretion) privileges for the data and resources under their control to
other individuals. Because it is related to explicitly identifying individuals, this form of
control often is termed identity-based control. The original Discretionary Security
control objective was derived from DoD confidentiality policy requiring each individual,
in addition to being cleared for access, to also have been determined by a competent
authority to have a need-to-know for particular items of information for the
performance of that individual's job. The concepts and mechanisms developed
originally to implement controlled sharing were employed to enforce need-to-know.

2.3.1 Original and Revised Discretionary Security Control Objectives

Original

Security policies defined for systems that are used to process classified or other sensitive
information must include provisions for the enforcement of discretionary access control
rules. That is, they must include a consistent set of rules for controlling and limiting
access based on identified individuals who have been determined to have a need-to-
know for the information [TCSEC 1985, p. 61].

Revised

Security policies defined for systems that are used to process classified or other sensitive
information must include provisions for the enforcement of discretionary control rules.
That is, they must include a consistent set of rules for controlling and limiting (1) access
based on identified individuals who have been determined to have a need-to-know for
the information, and (2) execution of duties based on identified roles and individuals
who have been determined to have a need-to-perform those duties.

2.3.2 Discussion

The wording of the existing control objective reflects its original focus. The term ``need-
to-know'' is relevant only to confidentiality, and has no essential bearing in terms of
integrity policies. It can be argued that beyond this single instance, the wording of the
existing control objective is general enough to apply to integrity protection. However,
although the term ``access'' is currently interpreted in the general sense for AIS security
[NCSC 1988, p. 3], in many regulations its meaning is strictly limited to confidentiality.
Examples of more narrow usage can be found in [DoD 5200.1-R] and the Privacy Act of
1974 [PA 1974]. Still, if the over-specificity of its terms were its only deficiency, the
existing control objective could serve the purposes of integrity with relatively minor
changes.

The restricted scope of the existing control objective also results in a more fundamental
flaw when considering integrity protection at a purely functional level. Because integrity
protection is concerned with the flow of information into an object, ``proper''
modifications can only be defined in terms of the particular code segment (e.g.,
program) which performs a modification. In particular, the code which manipulates an
object must do so by adhering to the object's format, at a minimum. Because functional
concerns require the binding of particular code to a particular object or class of objects
for integrity protection, it follows that ``privileges'' should not allow a less restrictive
binding. The generality implied by ``controlling and limiting access to... information,'' is
simply insufficient to convey the required degree of protection. This concept is
expressed through the definition of a duty, as discussed in Section 2.2.2, under
Mandatory Control.

One needs to consider the differences between the basic concerns of confidentiality and
integrity to understand why this additional degree of control is required. Confidentiality
protection is concerned with preventing the unauthorized flow of information from one
object to another. This flow is characterized essentially by one class of operation
performed by a system (i.e., ``read''). In terms of information flow, each and every
``read'' operation can be considered equivalent. Such a simplification is not possible for
integrity protection. The inward-directed information flow is, similar to confidentiality,
characterized by a single class of operation (i.e., ``write''). However, in contrast to the
apparent equivalence of all read operations, write operations are distinguished by the
context in which they are performed. For example, two programs, each performing a
series of write operations upon an object, may produce entirely different effects in terms
of the object's integrity. In this regard a ``write'' privilege, in giving a user the right to
modify an object in a very general manner, does not provide the correct level of
abstraction in specifying privileges in terms of integrity protection.

A relationship between mandatory and discretionary controls has been assumed in the
preceding discussion: the rules specifying what is allowable under mandatory controls
are expressed at the same level of abstraction at which discretionary controls are
applied. For instance, the Bell-La Padula model definition of allowable operations for
both mandatory and discretionary controls are equivalent sets (i.e., read, write, and
execute operations) [Bell 1975]. It should not be assumed that this equivalence relation
must always be present. It is possible for discretionary controls to exist in the absence of
mandatory controls. In such a case, an equivalence relation is neither possible nor
necessary. The converse case, where mandatory controls exist in the absence of
discretionary controls, is not explicitly excluded by the original TCSEC control
objectives, although it is excluded in the actual Criteria. However, it is likely that this
converse case may be more acceptable in practice for integrity protection than for
confidentiality protection, and subsequent evaluation criteria should address such a
possibility. In addition, we assert that whenever both mandatory and discretionary
protection is provided by a system, there must be an equivalence relation between
mandatory and discretionary control abstractions.

A consequence of this relationship is the complementary role in which mandatory and
discretionary controls provide comprehensive protection. If ``privileges'' are expressed
using identical abstractions, mandatory controls can enforce the context in which a
privilege is valid, while discretionary controls imply the permission to exercise the
privilege, given a valid context. One way of looking at this relationship is that
mandatory controls specify what is potentially allowed, while discretionary controls
specify what is intentionally allowed. The two sets of controls are complementary in that
access is dependent upon passing both mandatory and discretionary tests. This
complementing property can only exist if the operational classes at both the mandatory
and discretionary levels are equivalent, as discussed above. We assume that such a
complementing property between mandatory and discretionary controls for integrity
protection would be desirable, as has been the case for confidentiality protection. We
have discussed under the Mandatory Control (Section 2.2.2) the basic abstractions,
defined as roles and duties, which capture the necessary elements for integrity
protection.

Bacic [1989], in addressing integrity as set forth in the Clark and Wilson Model [Clark
1987], suggests that discretionary controls for integrity are user-defined execution
controls. Bacic notes that these discretionary controls operate at the user level, provide
access only to executable objects, and are confined to a set of duties (i.e., the role) for an
individual as prescribed by mandatory controls. Bacic's discretionary execution controls
(DECs) complement his mandatory execution controls (MECs) and can be viewed as a
logical extension of discretionary access controls. They relate a user to a set of processes
(e.g., a program) that fulfills a set of duties which can only execute on particular sets of
data objects. We find that integrity protection can be provided only by addressing
discretionary concerns at these (more complex) levels of specification and abstraction.
However implemented, execution controls essentially define roles. As such, the
proposed control objective addresses the appropriate relationship between roles and
duties for discretionary integrity protection with the term ``need-to-perform.''

In addition to proposing changes to the existing control objective, we need to examine
the traditional abstractions associated with discretionary controls, in order to interpret
the subject in the context of integrity protection. The distinguishing feature of existing
discretionary controls is the capability they provide to allow an individual to control
access to resources, based on a ``principle of ownership.'' An ``owner'' (often the creator)
of a resource possesses a set of privileges over that resource, of which each may be
granted explicitly to other users. In some implementations, the ``grant'' privilege itself
may be conveyed to other users, either for singular privileges or for the entire set of
privileges inherent to the owner.

The principle of ownership must be generalized for integrity protection to embody role
administration. The administrator of a set of resources should not have the privileges
that the analogous ``owner'' of property has; rather, ownership should be considered a
special case of administration. The definitions for sensitive data and sensitive
application found in [OMB A-130, p. 52742] imply that an individual creating, using, or
maintaining sensitive resources should have strictly limited administrative rights to
those resources. For example, a user creating an object associated with sensitive
information or a sensitive application should not necessarily have the ability to destroy
that object at the user's discretion. Therefore, an AIS should support the ability to restrict
the set of default privileges associated with the administration of resources, on a per-
application basis. Additionally, an AIS should support the ability to designate
individuals (other than the creator) as having discretionary administrative control over a
particular resource or set of resources.

Similarly, an administrator of a set of resources should not, in general, be able to grant
privileges to other entities simply because he possesses such privileges. In other cases, it
may be appropriate for an administrative user to grant certain privileges to other users
which are unavailable to the administrator. This issue is related to a broader area of
concern: the control over propagation of privileges. A user receiving access to a resource
via discretionary controls should not, in general, be able to arbitrarily pass that privilege
on to other entities, nor to amplify the privilege in any way. Therefore, an AIS should
support measures to arbitrarily define which discretionary privileges are ``grantable''
and provide a means to prevent the (undesired) propagation of privileges, on a case-by-
case basis (i.e., per application).

These discretionary issues must be addressed through use of the same abstraction(s) in
which mandatory controls are expressed (i.e., roles). The role-implementing features of a
system must therefore address three different areas of functionality. The first area is the
definition of roles with respect to a set of processing resources. This set of resources can
be described as the domain to which the defined roles are applicable. The definition of
roles within a domain is an administrative function associated with mandatory policies.
Also, this definition must include the specification of which users are authorized to
operate within the defined domain. The second area which must be addressed is the
discretionary administration of the system-defined roles. Conceptually, this area
implements the ``ownership'' of roles, under which domain-specific roles can be
allocated or assigned. The third area which must be provided by the system is the
binding of a subject (i.e., a user-process pair) to only those actions defined by its
operational role.

Note that together these three areas of functionality provide an equivalence set between
mandatory and discretionary controls to provide complementary protection
mechanisms. The mandatory specification defines which resources, roles, and
individuals are available, and who has discretionary control over the assignment of
roles. The ``owner'' or role administrator of the domain assigns roles and resources to
individuals. For a user to operate within a role, that user must be specified through the
mandatory definition as being allowed to operate within that domain, and be assigned a
role and resources by the ``owner'' of the domain.

Clark and Wilson [Clark 1987, 1989] provide a set of extended access controls which
address some of the deficiencies associated with the traditional notion of discretionary
controls in providing integrity protection. In their model, access control is specified (via
``triples'') in terms of controlling accesses by identifiable segments of code (i.e., the
``transformation procedure'' or TP) to specified objects. This additional restriction is
similar to the type enforcement mechanisms of certain programming languages,
although it is applied at the system level. Thus, this feature of the model can be
considered to involve a finer specificity of control than contained in traditional DAC.
However, the notion of ``discretion'' in [Clark 1989] is distinct in that there is no explicit
mechanism by which (non-administrative) users can transfer privileges to others.
Although the concept of ``triples'' is identity based, triples are not discretionary but are,
in fact, mandatory.

This is not to say that extensions to the Clark and Wilson model could not address
discretion access controls, however. The set of all triples which apply to particular user-
object pairs is conceptually similar to our notion of a role definition.1 One can
hypothesize a privilege-granting TP in which the object acted upon is the specification of
privileges (i.e., a set of triples) for some other object. The triple specifying such a
privilege-granting TP would give the specified user the ability to control access to
particular objects under that user's administration, similar to the ability of owners to
alter an access control list in

----------------------------

1. Roles, for different implementations, might also be interpreted as either the set of
triples associated with a single object or those associated with a single user.

----------------------------

more traditional models. Thus, any particular subject may be an ``administrator'' with
respect to an arbitrary set of objects. This administrative user need not be privileged
with respect to the system, nor to other resources outside a particular administrative
domain. It may also be possible to construct arbitrary, discretionary control domains
(e.g., hierarchical, independent, or overlapping), while retaining the beneficial
extensions offered in the original Clark and Wilson model.

The proposed control objective revision recognizes that discretionary controls in support
of data and systems integrity require extensions to traditional access control.
Specifically, they require the ability of the user to specify-and the system to test for-the
identity and authorization of an individual and that individual's role, as well as specific
duties within the role that specify the functionality associated with the access. In essence,
the integrity revision constrains discretionary control to user operations on executable
objects. The term ``need-to-perform'' is intended to capture this essence of discretionary
control with respect to integrity, as discussed in the previous review of [Bacic 1989].
Such controls necessarily would be further constrained by mandatory controls.

2.4 MARKING CONTROL

Marking is the concept of designating or providing information attributes, (e.g.,
classification or sensitivity), each having a specified range of values, that can be used in
rule-based mechanisms to implement mandatory security policies. A clear implication of
mandatory controls is that the system must assure that the mandatory security
designations cannot be arbitrarily changed since such changes could permit individuals
to access information in unauthorized ways.

Marking control is necessary to ensure accurate and consistent internal rule-based
decision making and also necessary to ensure that, when the information is transformed
to an external representation, the marking conveys how the information is to be handled
in the external world. Since these attribute values, or labels, are key to decision making,
it is important that they remain essentially stable. Labels should be created and
maintained by the system, or installed and maintained by specified systems
administrators, and only changed in a well-defined manner so that a label continues to
be consistent with the sensitivity of the information that the label represents.

2.4.1 Original and Revised Marking Control Objectives

Original

Systems that are designed to enforce mandatory security policy must store and preserve
the integrity of classification or other sensitivity labels for all information. Labels
exported from the system must be accurate representations of the corresponding
internal sensitivity labels being exported [TCSEC 1985, p. 61].

Revised

Systems that are designed to enforce mandatory security policy must store and preserve
the integrity of classification, other sensitivity, or integrity labels for all information. The
labeling must be sufficient to implement rule-based checking of mandatory linkages
between subjects, data, and operations upon the data as required by the mandatory
control objective. Labels exported from the system must be accurate representations of
the corresponding internal labels being exported.

2.4.2 Discussion

Identification of attributes used in mandatory rule-based decisions are key to marking
requirements. Many of these attributes may be developed in the context of an
application rather than at the operating system level. It is important that the overall
protection system maintain the integrity of any labels required by the marking policy
even if the labels are developed at the application level.

The marking policy and specific marking requirements for handling classified
information to prevent unauthorized disclosure are well covered in the TCSEC.
Numerous policy documents are cited in the TCSEC with clear confidentiality marking
requirements. There are no similar ``clear'' statements in policy to convey the marking
requirements for integrity.

Given the integrity constraints described under the proposed mandatory control
objective, we can now derive marking requirements for integrity. From the mandatory
requirement for separation of duties, we derived the need to identify within the system a
set of roles, each with a unique set of duties. Roles themselves can be used as marking
designations, as can the duties they encapsulate. Each duty is mapped to specific system
operations on objects and resources. At some level of abstraction, separated duties may
be identified as either ``enabling'' or ``completing'' functions [Guttman 1991], and the
same individual should not have the ability to perform both in the same role. This
constraint may imply the requirement that certain objects carry an ``enabled'' label.

From the mandatory requirement to join together an individual, in a specific role,
executing a specified program on a specific data set, we derived the need to effectively
implement user-program-data bindings. Here, the options may be to use some variation
of Clark and Wilson ``triples'' [Clark 1987]. Variations could include labeling each
system operation with the set of roles established for manipulating the specified data set
(e.g., use of abstract data types (ADTs)), with each individual user or process being
linked to a specified set of ADTs. This set of rules acts as an access control list (ACL)
such that each individual user or process gains access only to specified operations. For
finer granularity, the set of roles also could be used as labels on individual data items
with the user or process gaining access to a specified operation on the specified date item
only if the user or process role matched a role on the data item's list of roles.

To prevent the contamination of high quality information with low quality information,
we derive a requirement to mark subjects (in conjunction with the use of roles) and
objects with a level of quality, or integrity grade. For subjects, the integrity grade should
reflect an individual's ability to carry out specified duties (e.g., apprentice, journeyman,
master, supervisor). For objects, the integrity grade should reflect the data's quality (e.g.,
initial draft, preliminary strawman, final prototype, final finished product). Such terms
again indicate a level of quality, maturity, or competence against some objective or
subjective standard.

The marking changes extend labeling to integrity attributes of information and require
labels to support the mandatory integrity linkages (i.e., separation of duties, user
program data bindings, and integrity grades) made in the mandatory control objective.

2.5 ACCOUNTABILITY CONTROL

The concept of holding an individual accountable for his actions is fundamental to
policy enforcement. Accountability can be defined, traditionally, as ``the property that
enables activities on a system to be traced to individuals who may then be held
responsible for their actions'' [NCSC 1988, p. 4]. The concept requires the ability to
continuously identify individuals with their actions and with those of their surrogates
within the system. To be effective, mandatory and discretionary security policies are
dependent upon a system's ability to adequately identify, authenticate, maintain
individuation, and account for those individuals to which access controls are applied.
The ability to record and review the (system-related) actions of individuals provides (1)
a deterrent to malicious actions, (2) a means to detect malicious actions or attempts, and
(3) the ability to undertake preventive measures when attacks are detected. Thus, the
concept further requires that a history of an individual's actions and the system's
reactions be continuously maintained and protected from unauthorized manipulation
for real-time or subsequent use in auditing analyses.

2.5.1 Original and Revised Accountability Control Objectives

Original

Systems that are used to process or handle classified or other sensitive information must
assure individual accountability whenever either a mandatory or discretionary security
policy is invoked. Furthermore, to assure accountability, the capability must exist for an
authorized and competent agent to access and evaluate accountability information by a
secure means, within a reasonable amount of time, and without undue difficulty
[TCSEC 1985, p. 62].

Revised

Systems that are used to process or handle classified or other sensitive information must
assure individual accountability whenever either a mandatory or discretionary security
policy is invoked. Systems must assure that the accountability for individual
performance of duties can be determined through an independent consistency check
between internal representations of information within the system and the external
information being represented. Systems must maintain the required degree of logical
consistency for duplicate, identically derived, and/or corresponding internal instances
of the same information throughout the existence of such information on the system.
Furthermore, to assure individual accountability, the capability must exist for an
authorized and competent agent to access and evaluate accountability information by a
secure means, within a reasonable amount of time, and without undue difficulty.

2.5.2 Discussion

It is the policy of the U.S. Government that agencies ``shall establish and maintain a cost-
effective system of internal controls to provide reasonable assurance that Government
resources are protected against fraud, waste, mismanagement, or misappropriation...''
[OMB A-123, p. 1].

DoD policy requires that each DoD component maintain accountability over their assets
and that they implement a comprehensive system for internal management control that
provides reasonable assurance: obligations and costs comply with applicable law; assets
are safeguarded against waste, loss, unauthorized use, and misappropriation; revenues
and expenditures applicable to DoD operations are recorded and accounted for properly
[DoD 5010.38-D, pp. 1-2].

AIS internal control is defined within DoD guidelines as ``the steps taken... and all the
methods and techniques used to safeguard AIS resources and provide reasonable
assurance of the accuracy and reliability of computer-based input, processing and
output; ensure the adherence to applicable laws, regulations and policies; and promote
the effectiveness, efficiency and economy of AIS operations and systems'' [DoD 7740.1-
G, p. 1-4]. The DoD guidelines include the following specific forms of application
control: authorized transactions, valid transactions, complete information, accurate
information, timely information, secure system and data, and auditable system.

Accountability is fundamental to internal control and, as such, is a vital aspect of
promoting and preserving systems and data integrity. Internal control adds another
dimension to accountability, the application dimension.

The TCSEC's original control objective appears sufficiently general to include the
specific requirements for integrity with respect to user activity on a system. However,
there is no stipulation for the assignment of responsibility for actions which need to be
performed and yet are not properly carried out. This ``deficiency'' of action may affect,
most characteristically, the internal and external consistency of the information
maintained by a system. In many applications, the concept of accountability may require
the synchronized comparison of internal information states with the external world the
information represents.

As a result of this increase in scope for accountability, additional functionality will be
required of systems conforming to this new control requirement. It would no longer be
enough for a system to passively monitor and record user access activity, and provide
the means to adequately review user access activity information. Instead, a system
would need to be able to enforce authorized actions with respect to ``valid'' objects,
where an object's validity is determined through some measure of its internal and
external consistency. This implies that a system would need to (1) define, specify, and
enforce valid state transitions for objects, or (2) dynamically validate an object's state.

Both of these notions are presented by Clark and Wilson in [Clark 1987]. In their
notation, an Integrity Verification Procedure (IVP) performs a dynamic check to
determine whether objects controlled under the system's integrity policy conform to its
specification, and a TP guarantees valid state-to-state transitions for controlled objects.
Thus, an IVP may verify that an object accurately reflects the current status of an
inventory item (external consistency), and a TP may guarantee that all copies of a
particular object are updated concurrently (internal consistency). Individuals are
directly linked to the execution of a TP or an IVP on a specific set of data.

The proposed changes to this control objective reflect an extension to traditional scope of
accountability. This revision is driven by internal management control policy
requirements which outline the need for application controls including the proper
correspondence between external information and the representation of that information
on a system (i.e., data). In essence, this correspondence cannot occur without the proper
recording of this external information and adequate reviewing procedures to verify that
system data is accurate. These procedures are at least partially external to the system,
and thus are best described as ``accountability'' control. Additionally, the individual's or
system's initiation, use, and maintenance of duplicate or redundant data raise integrity
issues with respect to accuracy, timeliness, and the effect of those attributes on the
internal (logical) representations of information. The procedures to properly constrain
these actions are policy driven and are, therefore, subject to accountability controls.

2.6 ASSURANCE CONTROL OBJECTIVE

The concept of assurance is concerned with the measures taken to guarantee that the
implementation of protection features is correct and that it properly enforces security
policies. A consideration for ``proper enforcement'' is whether the protection features
accomplish what they are designed to do, but nothing else (i.e., there are no unspecified
features implemented). The TCSEC defines two types of required assurance: life cycle
and operational. Life-cycle assurance deals with the management of system design,
development, and maintenance. In essence, lifecycle assurance provides confidence that
a system's protection features are themselves protected from attack throughout the
lifetime of the system. Life-cycle assurance includes the control of design changes and
the effect changes may have in enforcement of the defined security policies. Operational
assurance ``focuses on features and system architecture used to ensure that the security
policy is uncircumventably enforced during system operation'' [TCSEC 1985, p. 63].

2.6.1 Original and Revised Assurance Control Objectives

Original

Systems that are used to process or handle classified or other sensitive information must
be designed to guarantee correct and accurate interpretation of the security policy and
must not distort the intent of that policy. Assurance must be provided that correct
implementation and operation of the policy exists throughout the system's life-cycle
[TCSEC 1985, p. 63].

Revised

Systems that are used to pro cess or handle classified or other sensitive information must
be designed to guarantee correct and accurate interpretation of the security policies and
must not distort the intent of those policies. Assurance must be provided that correct
implementation and operation of the policy exists throughout the system's life-cycle.
Application subsystems used to process or handle classified or other sensitive
information must be designed, implemented, controlled, and operated in a manner
which provides assurance that the goals of both application-specific security policies and
system-wide security policies are met without circumvention.

2.6.2 Discussion

Although this control objective is sufficiently general to include the specific
requirements for integrity, it should be noted that integrity requirements may have a
different emphasis than confidentiality requirements. Because integrity dependencies
are more likely to be domain specific as opposed to system wide, the development and
introduction of any new application dealing with a particular (sensitive) data set will
need to be tightly controlled. The ``correct implementation and operation'' concerns
most likely will be interpretable primarily in the domain of the application. Thus,
assurance control needs to be extended from the current systems domain to each specific
application domain resident on the system.

The proposed assurance control objective recognizes that there exists the possibility of
multiple, application-specific security policies which may apply only to particular
subsets of resources within the system. Software residing within a particular application
domain should only extend the degree of control over resources, and should in no
manner nullify the degree of control required for all system resources or for resources
within a different application domain. Assurance must be provided that application and
system software meets the security policy objectives for both the system and the
application. The ``adequacy'' of this assurance must be determined strictly in terms of
the sensitivity of the application and resources within that domain.

2.7 FAULT TOLERANCE CONTROL

The concept of fault tolerance extends from the need to continue operations in the
presence of faults. As there are no guarantees of the absence of some form of fault, risk
reduction becomes the focus of this control. Tolerance is established through a robust
ability to detect and correct faults, and through a risk analysis that enables the setting of
thresholds to maintain an acceptable degree of processing robustness in degraded
operational modes.

Increasing complexity of systems yields an increase in the number of potential failure
points and places a greater demand for fault tolerant system implementations. Electronic
parts fail, waveforms get scrambled, magnetic properties of media deteriorate, etc. With
more complex computers being incorporated into more complex commercial and
military aircraft flight control systems, industrial controllers, space applications,
banking systems, etc., erroneous computer performance can be devastating to financial
records, environmental safety, national security, and even human life. Therefore, when
faced with potential failures in complex systems, fault tolerance plays an important part
in maintaining data and systems integrity.

2.7.1 Original and Revised Fault Tolerance Control Objectives

Original

[There is no original control objective for fault tolerance contained in the TCSEC.]

Revised

Systems that support safety or mission-critical applications must provide measures to
promote continued safe or correct operation, within defined tolerances, in the presence
of integrity failures. Systems must include provisions for detecting integrity failures,
even if those failures cannot be corrected, and provisions for correcting integrity failures
when possible. System designs must include provisions for identifying and classifying
potential integrity failures, determining the likelihood of such failures, and possible
outcomes of such failures.

2.7.2 Discussion

Fault tolerance essentially involves two parts. The first part is the detection of errors.
Detection is necessary for a system to determine when a failure has occurred. Detecting
errors that are corrected by the system is as essential as detecting failures that cannot be
corrected, since such failures may indicate a potential degradation of system
performance, or may indicate that the system is approaching a threshold at which errors
are no longer correctable.

The second part of fault tolerance is the attempted correction of errors. In addition to
simply detecting incorrect data, it is possible to use methods to correct errors in the data.
The simplest approach to error detection would be to provide a certain number of
redundant copies of the data, possibly by different channels, and then to compare these
when determining whether the data integrity has been violated. This approach can be
extended to error correction if it is possible to tell which of the redundant copies of the
data has not been altered. Various error correction methods give varying probabilities of
retrieving the original, unaltered data.

Applying the concept of fault tolerance is commonly associated with redundant
processing. Redundancy in computer systems is a risk-reducing concept that involves
the duplication of hardware, software, information, time, or other resources to detect the
failure of a single duplicate component and to continue to obtain correct results despite
the failure [Johnson 1989]. The same processing is performed by more than one process,
and the results are compared to ensure that they match. The need for redundancy varies
depending on the application. Redundant processing is commonly used in the
implementation of critical systems in which a need for high reliability exists.

In some situations, it is sufficient to shut down a system when a failure occurs and is
detected. This solution is not very efficient, but it may be the safest solution and at least
it eliminates incorrect operations by the system. In many other situations, however, it is
more important that the system continue to operate, even if the performance is
degraded. For example, it may be more important for communications to continue
during a time of war, even if many of the transmissions have to be ignored due to static,
jamming, etc. In addition, it is important to ensure that safety or mission-critical
applications that are time sensitive are guaranteed to execute within their time
limitations. For example, an order to ``attack at dawn'' is not useful if it is not delivered
until the next afternoon.

Systems that support safety or mission-critical applications must not only preserve
integrity to the extent possible, but also must continue to operate in a safe or correct
manner in the presence of integrity failures that result from unavoidable situations, such
as physical failures of equipment or media. Fault tolerance requirements define what is
meant by safe or correct operation, and the level of redundancy will vary depending on
these requirements. The system must detect when a failure has occurred before it can
take any action. Once a failure is detected, there may be enough redundancy for correct
operation to continue or it may be necessary to take action to correct the failure.

REFERENCE LIST

[1] Bacic 1989 - Bacic, E.M. 1989. Process Execution Controls as a Method for Ensuring
Integrity. In Report of the Invitational Workshop on Data Integrity, January 25-27,
1989, Gaithersburg, Maryland, B.2-1B.2-8. Gaithersburg, MD: National Institute of Stan-
dards and Technology. NIST Special Publication 500-168.

[2] Bell 1975 - Bell, D. and L. La Padula. 1975. Secure Computer System: Unified Exposi-
tion and Multics Interpretation. Bedford, MA: MITRE Corporation. MITRE Technical
Report 2997.

[3] Biba 1977 - Biba, K.J. 1977. Integrity Considerations for Secure Computer Systems.
Bedford, MA: MITRE Corporation. MITRE Technical Report 3135.

[4] Clark 1987 - Clark, D.D. and D.R. Wilson. 1987. A Comparison of Commercial and
Military Computer Security Policies. Proceedings of the IEEE Symposium on Security
and Privacy, April 27-29, Oakland, California, 184-194. Washington, D.C.: IEEE Com-
puter Society Press.

[5] Clark 1989 - Clark, D.D. and D.R. Wilson. 1989. Evolution of a Model for Computer In-
tegrity. In Report of the Invitational Workshop on Data Integrity, January 25-27, 1989,
Gaithersburg, Maryland, A.2-1A.2-13. Gaithersburg, MD: National Institute of Stan-
dards and Technology.

[6] CMPPA 1990 - U.S. Congress. Computer Matching and Privacy Protection Amend-
ments of 1990. Public Law 101-508. November 5, 1990. Washington, D.C.: U.S. Gov-
ernment Printing Service.

[7] CSA 1987 - U.S. Congress. House. Computer Security Act of 1987. Public Law 100-
235. January 8, 1988. H. R. 145. Washington, D.C.: U.S. Government Printing Service.

[8] DoD 5200.1-R - Department of Defense. 1986. Information Security Program Regula-
tion. DoD Regulation 5200.1-R. Washington, D.C.: U.S. Government Printing Office.

[9] DoD 5200.28-D - Department of Defense. 1988. Security Requirements for Automated
Information Systems (AISs). DoD Directive 5200.28-D. Washington, D.C.: U.S. Govern-
ment Printing Office.

[10] DoD 5200.28-M - Department of Defense. 1973. ADP Security Manual. DoD Manual
5200.28-M. Washington, D.C.: U.S. Government Printing Office.

[11] DoD 5010.38-D - Department of Defense. 14 April 1987. Internal Management Control
Program. DoD Directive 5010.38-D. Washington, D.C.: U.S. Government Printing Of-
fice.

[12] DoD 7740.1-D - Department of Defense. 20 June 1983. DoD Information Resources
Management Program. DoD Directive 7740.1-D. Washington, D.C.: U.S. Government
Printing Office.

[13] DoD 7740.1-G - Department of Defense. Office of the Assistant Secretary of Defense
(Comptroller). July 1988. ADP Internal Control Guideline. DoD Guideline 7740.1-G.
Washington, D.C.: U.S. Government Printing Office.

[14] DoD 7750.5-D - Department of Defense. 7 August 1986. Management and Control of In-
formation Requirements. DoD Directive 7750.1-D. Washington, D.C.: U.S. Government
Printing Office.

[15] DoDAA 1982 - U.S. Congress. Senate. Department of Defense Authorization Act, 1982.
Public Law 97-86. December 1, 1981. S. 815. Washington, D.C.: U.S. Government
Printing Service.

[16] EO 12356 - The White House. 2 April 1982. National Security Information. Executive
Order 12356. Washington, D.C.: U.S. Government Printing Office.

[17] FMFIA 1982 - U.S. Congress. House. Federal Managers' Financial Integrity Act of
1982. Public Law 97-255. September 8, 1982. H. R. 1526. Washington, D.C.: U.S. Gov-
ernment Printing Service.

[18] GAO 1983 - Government Accounting Office. 1 June 1983. Office of the Comptroller.
Standards for Internal Control in the Federal Government. Washington, D.C.: U.S. Gov-
ernment Printing Office.

[19] GAO Title 2 - Government Accounting Office. August 1987 (Revised May 1988). Of-
fice of Policy. GAO Policy and Procedures Manual for Guidance of Federal Agencies-
Title 2, Accounting. Washington, D.C.: U.S. Government Printing Office.

[20] Guttman 1991 - Guttman, Joshua. 4 March 1991. Private communication with authors.

[21] H. Rept. 100-153(I) - U.S. Congress. House. Committee on Science, Space, and Technol-
ogy. Legislative History of the Computer Security Act of 1987. June 11, 1987. House
Report No. 100-153(I). Washington, D.C.: U.S. Government Printing Service.

[22] Johnson 1989 - Johnson, Barry W. 1989. Design and Analysis of Fault-Tolerant Digital
Systems. Reading, MA: Addison-Wesley.

[23] Lee 1988 - Lee, Theodore M.P. 1988. Using Mandatory Integrity to Enforce ``Commer-
cial'' Security. In Proceedings of the IEEE Symposium on Security and Privacy, April
18-21, 1988, Oakland, California, 140-146. Washington, D.C.: IEEE Computer Society
Press.

[24] Mayfield 1991 - Mayfield, Terry, J. Eric Roskos, John M. Boone, Stephen R. Welke,
and Catherine W. McDonald. 1991. Integrity in Automated Information Systems. Alex-
andria, VA: Institute for Defense Analyses. IDA Paper P-2316.

[25] NCSC 1988 - National Computer Security Center (NCSC). 1988. Glossary of Computer
Security Terms. Washington, D.C.: U.S. Government Printing Office.

[26] OMB 1991 - Office of Management and Budget. 4 March 1991. ``Advance Notice of
Plans for Revision of OMB Circular A-130,'' in the Federal Register, Vol. 56, No. 42.,
pp. 9026-9028. Washington D.C.: U.S. Government Printing Office.

[27] OMB ICG - Office of Management and Budget. December 1982. Internal Control Guide-
lines: Guidelines for the Evaluation and Improvement of and Reporting on Internal Con-
trol Systems in the Federal Government. Washington, D.C.: U.S. Government Printing
Office.

[28] OMB 90-08 - Office of Management and Budget. 9 July 1990. Guidance for Preparation
of Security Plans for Federal Computer Systems That Contain Sensitive Information.
OMB Bulletin No. 90-08. Washington, D.C.: U.S. Government Printing Service.

[29] OMB A-123 - Office of Management and Budget. 4 August 1986. OMB Circular No. A-
123, Revised. Internal Control Systems. Washington, D.C.: U.S. Government Printing
Service.

[30] OMB A-127 - Office of Management and Budget. 19 December 1984. OMB Circular
No. A-127. Financial Management Systems. Washington, D.C.: U.S. Government Print-
ing Service.

[31] OMB A-130 - Office of Management and Budget. 12 December 1985. OMB Circular
No. A-130. Management of Federal Information, in the Federal Register, Vol. 50, No.
247. Washington D.C.: U.S. Government Printing Office.

[32] PA 1974 - U.S. Congress. Senate. Privacy Act of 1974. Public Law 92-579. S. 3418.
Washington, D.C.: U.S. Government Printing Service.

[33] PRA 1980 - U.S. Congress. House. Paperwork Reduction Act of 1980. Public Law 96-
511. December 11, 1980. H. R. 6410. Washington, D.C.: U.S. Government Printing Ser-
vice.

[34] Russell 1991 - Russell, Deborah and G. T. Gangemi Sr. 1991. Computer Security Ba-
sics. Sebastopol, CA: O'Reilly & Associates, Inc.

[35] TCSEC 1985 - Department of Defense. 1985. DoD Trusted Computer System Evalua-
tion Criteria. DoD Standard 5200.28-STD. Washington, D.C.: U.S. Government Printing
Office.

ACRONYMS

ADP Automated Data Processing

ADT Abstract Data Type

AIS Automated Information System

DAA Designated Approval Authority

DAC Discretionary Access Control

DBMS Data Base Management System

DEC Discretionary Execution Control

DoD Department of Defense

EFT Electronic Funds Transfer

EPL Evaluated Products List

FIPS Federal Information Processing Standard

FMS Financial Management System

GAO General Accounting Office

IC Internal Control

IDA Institute for Defense Analyses

IG Inspector General

IMC Internal Management Control

IRM Information Retrieval Management (Program)

IVP Integrity Verification Procedure

MCP Management Control Plan

MEC Mandatory Execution Control

OMB Office of Management of Budget

NCSC National Computer Security Center

NIST National Institute of Standards and Technology

NSA National Security Agency

TCSEC Trusted Computer System Evaluation Criteria

TP Transformation Procedure

USC United States Code

APPENDIX A

A. SOURCE TEXT AND CROSS-REFERENCES

This Appendix contains a subsection for each policy document used in our formulation
of integrity-related control objectives. Each subsection is arranged in identical fashion.
First, a brief overview of the policy document is provided. This overview concentrates
on the AIS-integrity relevant aspects of the document rather than providing a
comprehensive summary. The overview is followed by a listing of ``Selected Source
Text'' (i.e., material quoted directly from the original document). Following the Selected
Source Text is a ``Cross-Reference'' section. The Cross-Reference section contains a table
indicating which statements from the Selected Source Text have affected our
formulation of (proposed) changes to the current TCSEC control objectives. In the table,
statement numbers from the Selected Source Text material are cross-referenced to each
current control objective by marking an ``X'' in the appropriate row-column intersection.
Each row is associated with a single section or statement from the Selected Source Text
while each column is associated with a single control objective.

The meaning associated for each ``X'' in the table (indicating a cross-reference) is that the
associated statement from the Source Text either (a) has implications for modifying the
original control objective, or (b) has implications for interpreting the proposed control
objective. Specific implications considered include the following:

· a new topic;

· a new viewpoint;

· suggests specific mechanisms, policies, or controls;

· demands interpretation;

· demands modification; and

· touches, influences, or constrains control.

Following the table is a list of comments (one for each ``X'' in the table) which provides
details for the implications of particular policy statements upon each control objective.
These comments represent notes made in analyzing the policy documents, and in
determining the adequacy of the original control objectives in light of the increased
scope of AIS security policy. The comments in this section are ``informal'' in the sense
that they were not written to stand independently, outside the context of the included
source text and related comments. In general, the comments do not attempt to address
each issue comprehensively, and some issues may not receive equal treatment in
different comments.

Some entries cross-referenced under the Security Policy heading are not further
specified under MAC, DAC, or Marking headings. These additional headings are left
blank whenever the security policy implications might be considered organization or
application specific and do not clearly indicate specific MAC, DAC, or Marking
ramifications, or particular technical implementations.

We have found that the topic of accountability should be generalized from its current
focus on ``user accountability'' as stated in the existing control objective. From the policy
documents we have studied, an expansion of the concept of accountability to include
user, organization, and general accountability concepts with respect to both applications
and systems would be useful. Our comments under specific Accountability cross-
references indicate such an expanded approach. Such an approach represents the
concept of a ``total sense'' of accountability (i.e., its most general meaning). As such,
some accountability features may in fact be external to a system. The exact placement
and nature of mechanisms is neither predetermined nor explicitly considered in our
comments.

In addition, we have assumed a similar generalization in addressing the topic of
assurance. In particular, we have found policy statements which address assurance (i.e.,
the ``trustedness'') of controls extending to (a) entities external to the traditional bounds
of AISs, and/or (b) to areas outside the traditional scope of protection mechanisms (e.g.,
application sub-systems).

Some material provided in the ``Selected Source Text'' does not have a cross-reference.
Such material was included if it provided valuable background, context, or general
information which might aid in understanding either the source text itself or related
comments. Additionally, in some instances the selected source text is formatted and/or
numbered slightly differently from the original; this was intended to clarify the
presentation of this material-care was taken not to misrepresent the intent or meaning of
the original material.

A.1 Privacy Act of 1974-Public Law 93-579

Public Law 93-579 requires the U.S. government to safeguard personal data processed
by federal agency computer systems. This Act also requires the government to provide
ways for individuals to find out what personal information is being recorded and to
correct inaccurate information. The Act spells out physical security procedures,
information management practices, and computer and network controls. This act also
mandated the creation of the Privacy Protection Study Commission [Russell 1991, p.
287].

This Act extends the responsibility for management and protection of information
resources to the area of privacy. The Act notes that the increasing use of computer and
information technology has greatly magnified the potential harm to individuals that can
occur from any collection, maintenance, use, or dissemination of personal information.
The Act requires the Federal agencies to issue appropriate administrative orders,
provide personnel sanctions, and establish appropriate technical and physical
safeguards to ensure the security of the information system and the confidentiality of the
data. The Act further requires that the information is as timely, complete, accurate, and
relevant to its intended use as possible, and that ``adequate safeguards'' to prevent
misuse are provided. Also required are administrative actions to keep account of the
employees, other individuals and organizations having access to the system or file, and
the disclosures and uses made of the information.

The Act requires that Federal agencies establish rules of conduct with regard to the
ethical and legal obligations in developing and operating a computerized data system
and in handling personal data, and take action to instruct all employees of such
obligations. As ``privacy'' is used in the Act, information management responsibility
includes the proper collection, maintenance, use, and dissemination of any information
which can be associated with a particular individual. The Act specifies that punitive
actions can be levied against the Government for failure to uphold these responsibilities.
We conclude that other factors which must be considered include (1) the moral
obligation of government officials to maintain the constitutional rights of its citizens, (2)
the adverse affect on government functioning in the absence of accurate information,
and (3) the penalties associated with adverse public opinion which are likely to result
from any breach of privacy as defined in the Act.

The following table contains selected sections of Public Law 93-579. The cross-reference
table and comments appear in the next section.

TABLE A-2. Privacy Act of 1974-Selected Source Text

Sec. 2(a) The Congress finds that-

(1) the privacy of an individual is directly affected by the collection, maintenance, use,
and dissemination of personal information by Federal agencies;

(2) the increasing use of computers and sophisticated information technology, while es-
sential to the efficient operations of the Government, has greatly magnified the harm to
individual privacy that can occur from any collection, maintenance, use, or dissemina-
tion of personal information;

(3) the opportunities for an individual to secure employment, insurance, and credit, and
his right to due process, and other legal protections are endangered by the misuse of cer-
tain information systems;

(4) the right to privacy is a personal and fundamental right protected by the Constitution
of the United States; and

(5) in order to protect the privacy of individuals identified in information systems main-
tained by Federal agencies, it is necessary and proper for the Congress to regulate the
collection, maintenance, use, and dissemination of information by such agencies.

Sec. 2(b) The purpose of this Act is to provide certain safeguards for an individual
against an invasion of personal privacy by requiring Federal agencies, except as
otherwise provided by law, to-

(1) permit an individual to determine what records pertaining to him are collected, main-
tained, used, or disseminated by such agencies;

(2) permit an individual to prevent records pertaining to him obtained by such agencies
for a particular purpose from being used or made available for another purpose without
his consent;

(3) permit an individual to gain access to information pertaining to him in Federal agen-
cy records, to have a copy made of all or any portion thereof, and to correct or amend
such records;

(4) collect, maintain, use, or disseminate any record of identifiable personal information
in a manner that assures that such action is for a necessary and lawful purpose, that the
information is current and accurate for its intended use, and that adequate safeguards are
provided to prevent misuse of such information;

(5) permit exemptions from the requirements with respect to records provided in this
Act only in those cases where there is an important public policy need for such exemp-
tion as has been determined by specific statutory authority; and

(6) be subject to civil suit for any damages which occur as a result of willful or inten-
tional action which violates any individual's rights under this Act.

A.1.1 Cross-References and Comments

TABLE A-3. Privacy Act of 1974-Cross-References

Section

Security Policy

MAC

DAC

Marking

Accountability

Assurance

Fault Tolerance

Sec.2(b)(1)

X

X

Sec.2(b)(2)

X

X

Sec.2(b)(3)

X

X

X

Sec.2(b)(4)

X

X

X

X

X

X

Sec.2(b)(5)

X

X

Sec.2(b)(6)

X

Sec.2(b)(1)

[Security Policy] The type(s) of information about a particular individual, represented as
records which are stored and processed by an agency, must be releasable to that individ-
ual. [Accountability] An agency is accountable for the accurate and timely response to
individuals requesting the types of privacy information collected, maintained, used, or
disseminated by that agency.

Sec.2(b)(2)

[Security Policy] The capability for an individual to restrict subsequent, additional uses
of personal information which was collected for a particular use is implied. [Accountabil-
ity] An appropriate history of the actual uses of personal information must be main-
tained.

Sec.2(b)(3)

[Security Policy] Individuals have to right to obtain copies of personal information held
by an agency. A process to correct or amend personal information must exist. [Accounta-
bility] All corrections and amendments of individual records should be auditable. [Assur-
ance] Appropriate controls on the correction and amendments process should exist.
These controls should include the validation of source data used in modifying a record.

Sec.2(b)(4)

[Security Policy] Safeguards must exist to prevent misuse of information. Federal agen-
cies are constrained to necessary and lawful purposes in collecting, maintaining, using,
or disseminating personal information. In addition to disclosure, privacy concerns in-
clude the acquisition, storage, and manipulation of information relating to individuals.
[MAC, DAC] Collection, maintenance, use, and dissemination of personal information
are subject to mandatory controls. [Marking] Information associated with a particular in-
dividual must be appropriately marked. [Accountability] The actual use of information
must be audited whenever such use does not comply with standing policies. [Assurance]
Information must be current and accurate with respect to its intended use.

Sec.2(b)(5)

[Security Policy] The capability to permit exemptions via override of normal controls is
required. Such exemptions may remain subject to other mandatory controls. For in-
stance, certain records about individuals held by the Internal Revenue Service may not,
under normal operating procedures, be accessed by the Federal Bureau of Investigation
(FBI); these records may become releasable to the FBI during the course of an investiga-
tion, but only after a valid warrant has been issued. [Accountability] Exemptions to nor-
mal operating policies may require auditing. The exemption categories listed by this Act
may each have unique auditing requirements.

Sec.2(b)(6)

[Accountability] An agency is held accountable for all its uses of personal information.
Individuals having administrative control over personal information must be held ac-
countable for their actions with respect to uses of that information.

A.2 Computer Matching and Privacy Protection Amendments of 1990-
Public Law 101-508

Public Law 101-508 provides protection against privacy violations due to information
matching policies of the Federal government [Russell 1991, p. 288]. This Act amends 5
USC 552a, the codified version of the Privacy Act of 1974. It sets forth requirements for
the independent verification of information about individuals produced by ``matching
programs,'' i.e., through automated techniques. The Act requires that such information
be verified before any adverse action-such as the denial of payment under a Federal
benefit program-is carried out. The essence of this law with respect to integrity-related
control objectives is to impose procedural controls on the modification of data. Also
specified in this Act are the notification requirements of an agency to an individual who
is subject to adverse action.

The following table contains selected sections of Public Law 101-508. The cross-reference
table and comments appear in the next section.

TABLE A-4. Computer Matching and Privacy Protection Amendments of 1990-Selected
Source Text

Sec. 7201. Computer Matching of Federal Benefits Information and Privacy Protection.

(b) Verification Requirements Amendment.-- (1) Subsection (p) of section 552a of title
5, United States Code, is amended to read as follows:

(p) Verification and Opportunity to Contest Findings.--

(1) In order to protect any individual whose records are used in a matching pro-
gram, no recipient agency, non-Federal agency, or source agency may suspend, ter-
minate, reduce, or make a final denial of any financial assistance or payment un-
der a Federal benefit program to such individual, or take other adverse action
against such individual, as a result of information produced by such matching pro-
gram, until--

(A) (i) the agency has independently verified the information; or (ii) the
Data Integrity Board of the agency, or in the case of a non-Federal agency
the Data Integrity Board of the source agency, determines in accordance
with guidance issued by the Director of the Office of Management and Budg-
et that-- (I) the information is limited to identification and amount of bene-
fits paid by the source agency under a Federal benefit program; and (II)
there is a high degree of confidence that the information provided to the re-
cipient agency is accurate;

(B) the individual receives a notice from the agency containing a statement
of its findings and informing the individual of the opportunity to contest
such findings; and

(C) (i) the expiration of any time period established for the program by stat-
ute or regulation for the individual to respond to that notice; or...

(2) Independent verification referred to in paragraph (1) requires investigation and
confirmation of specific information relating to an individual that is used as a ba-
sis for an adverse action against the individual, including where applicable investi-
gation and confirmation of--

(A) the amount of any asset or income involved;

(B) whether such individual actually has or had access to such asset or in-
come for such individual's own use; and

(C) the period or periods when the individual actually had such asset or in-
come.

(3) Notwithstanding paragraph (1), an agency may take any appropriate action oth-
erwise prohibited by such paragraph if the agency determines that the public
health or public safety may be adversely affected or significantly threatened during
any notice period required by such paragraph.

A.2.1 Cross-References and Comments

TABLE A-5. Computer Matching and Privacy Protection Amendments of 1990-Cross-
References

Section

Security Policy

MAC

DAC

Marking

Accountability

Assurance

Fault Tolerance

(p)(1)

X

(p)(1)(A)

X

(p)(1)(B-C)

X

X

(p)(2)(A-C)

X

(p)(3)

X

(p)(1)

[Security Policy] One may not directly modify data based on the results of automated
``matching programs.'' Procedural controls and control information are required to verify
information which forms the basis of an adverse action throughout the process of carry-
ing out the adverse action against an individual. May apply to application-specific securi-
ty policies, with some applications having unique requirements.

(p)(1)(A)

[Assurance] The information which forms the basis of an adverse action must either (i)
be independently verified or (ii) be limited in scope, with a high degree of confidence in
its accuracy.

(p)(1)(B-C)

[Marking] The capability to enable or disable transactions conferring benefits is implied.
Transaction of adverse action requires marking to indicate expiration of a grace period
and/or an individual's possible response (i.e., a pending challenge to decision). Transac-
tion of adverse action requires marking that individual has received notice. [Accountabil-
ity] Procedural controls must exist to ensure that no adverse action proceeds without
first meeting verification and/or control information requirements. The system must be
able to record and collate appropriate historical information related to benefits transac-
tions. The system must keep account of the initiation, length, and expiration of the grace
period.

(p)(2)(A-C)

[Assurance] Independent verification requires investigation and confirmation of specific
information which forms the basis of an adverse action.

(p)(3)

[Security Policy] Stated requirements are subject to exemption when considering addi-
tional policies (i.e., public health and public safety policies).

A.3 Paperwork Reduction Act of 1980-Public Law 96-511

Public Law 96-511 promotes the use of efficient office systems (e.g., electronic mail,
document storage, and electronic imaging systems) under the management of OMB
[Russell 1991, p. 279]. This Act simultaneously encourages the automation of
information services and adds responsibilities for the use of automation. Under this Act,
automation must be used to improve both services provided by, and management of,
Federal Agencies. Additionally, such automation must be cost effective (maximizing
usefulness of information while minimizing costs to collect, maintain, use, and
disseminate information) and supportive of ``uniform'' Federal information policies.

The following table contains selected sections of Public Law 96-511. The cross-reference
table and comments appear in the next section.

TABLE A-6. Paperwork Reduction Act of 1980-Selected Source Text

Sec.2.(a) Chapter 35 of title 44, United States Code, is amended to read as follows:

3501. Purpose The purpose of this chapter is-

(1) to minimize the Federal paperwork burden for individuals, small business,
State and local governments, and other persons;

(2) to minimize the cost to the Federal Government of collecting, maintaining, us-
ing, and disseminating information;

(3) to maximize the usefulness of information collected by the Federal Govern-
ment;

(4) to coordinate, integrate and, to the extent practicable and appropriate, make uni-
form Federal information policies and practices;

(5) to ensure that automatic data processing and telecommunications technologies
are acquired and used by the Federal Government in a manner which improves
service delivery and program management, increases productivity, reduces waste
and fraud, and, wherever practicable and appropriate, reduces the information
processing burden for the Federal Government and for persons who provide infor-
mation to the Federal Government; and

(6) to ensure that the collection, maintenance, use and dissemination of informa-
tion by the Federal Government is consistent with applicable laws relating to confi-
dentiality, including section 552a of title 5, United States Code, known as the Pri-
vacy Act.

3506. Federal agency responsibilities

(a) Each agency shall be responsible for carrying out its information management
activities in an efficient, effective, and economical manner, and for complying
with the information policies, principles, standards, and guidelines prescribed by
the Director.

A.3.1 Cross-References and Comments

TABLE A-7. Paperwork Reduction Act of 1980-Cross-References

Section

Security Policy

MAC

DAC

Marking

Accountability

Assurance

Fault Tolerance

3501(4)

X

3506(a)

X

X

3501(4)

[Security Policy] The essence of this law affects Security Policy in that its purpose is to
coordinate, integrate, and make uniform Federal information policies and practices. One
integration framework might include the information life cycle (e.g., origin or acquisi-
tion through final disposition). Factors to consider include cost effectiveness and risk re-
duction relating to information processing activities. Cost effectiveness is a function of
the cost of controls versus the degree of acceptable risk.

3506(a)

[Security Policy] Information management must be efficient, effective, and economical.
Minimizing the paperwork burden and associated costs of collecting, maintain, using,
and disseminating information are required. Automated systems are required to improve
service delivery, program management, productivity, and to reduce waste, fraud, and in-
formation processing burden. Confidentiality policies must also be enforced. Information
which is not useful should not be collected. Maximizing the usefulness of collected in-
formation is required. Information that is no longer useful should not be maintained. Sys-
tems are required to enforce integrated policies. This implies a significant effort must be
undertaken to address the overall system security policy, and in particular the issue
where different component policies might produce conflicts. [Accountability] Compli-
ance with multiple policies, standards, and guidelines is required.

A.4 Department of Defense Authorization Act of 1982-Public Law 97-86

The Warner Amendment to Public Law 97-86 exempts certain types of DoD
procurements from the Automatic Data Processing Equipment Act (Public Law 89-306,
also know as the Brooks Act). The exempted procurements includes those in which the
function, operation, or use of a particular piece of equipment or a service involves one or
more categories related to national security or military interests [Russell 1991, p. 280].

The following table contains selected sections of Public Law 97-86. The cross-reference
table and comments appear in the next section.

TABLE A-8. DoD Authorization Act of 1982-Selected Source Text

Sec. 908.(a)(1) Chapter 137 of title 10, United States Code, is amended by adding at the
end thereof the following new section:

2315. Law inapplicable to the procurement of automatic data processing equipment and
services for certain defense purposes

(a) Section 111 of the Federal Property and Administrative Services Act of 1949 (40
U.S.C. 795) is not applicable to the procurement by the Department of Defense of auto-
matic data processing equipment or services if the function, operation, or use of the
equipment or services-

(1) involves intelligence activities;

(2) involves cryptologic activities related to national security;

(3) involves the command and control of military forces;

(4) involves equipment that is an integral part of a weapon or weapons system; or

(5) subject to subsection (b), is critical to the direct fulfillment of military or intel-
ligence missions.

(b) Subsection (a)(5) does not include procurement of automatic data processing equip-
ment or services to be used for routine administrative and business applications (includ-
ing payroll, finance, logistics, and personnel management applications)...

A.4.1 Cross-References and Comments

TABLE A-9. DoD Authorization Act of 1982-Cross-References

Section

Security Policy

MAC

DAC

Marking

Accountability

Assurance

Fault Tolerance

2315(a)(1-5)

X

2315(b)

X

2315(a)(1-5)

[Security Policy] This Act excludes certain systems, during acquisition, from the applica-
tion of specific aspects of Federal law. The exclusions named in this Act, relating to the
procurement of automatic data processing (ADP) equipment or services, extend to most
of all the other Acts applying to Federal systems. Most of these exclusion categories re-
late to systems requiring secrecy and integrity protection. Simply having authorization to
be exempt does not make it a good practice to avoid a thorough analysis of a system's
protection needs. Each acquisition should address its protection needs through the formu-
lation and analysis of a systems security policy that will enable a more informed deci-
sion regarding invocation of this Act.

2315(b)

[Security Policy] Explicitly precludes from ``mission critical'' exemption many DoD
auto mated systems relating to routine administrative and business applications. There-
fore, many systems used within the DoD are subject to Federal laws.

A.5 Federal Managers' Financial Integrity Act of 1982-Public Law 97-255

This Act extends security policies into the realm of internal controls. Systems of internal
control are of interest when considering integrity in AISs because (a) primary
applications, which are the focus of traditional internal controls, are being automated to
greater degrees, and (b) internal control systems themselves are being automated to
greater degrees. Internal controls are usually associated with assets having ``value.''
Information within Federal AISs is readily termed a valuable asset according to [OMB
A-130]. This Act requires adherence to the Comptroller General's (GAO) Standards for
Internal Control in the Federal Government [GAO 1983], which are incorporated into
[GAO Title 2, App.II].

The following table contains selected sections of Public Law 97-255. The cross-reference
table and comments appear in the next section.

TABLE A-10. Federal Managers' Financial Integrity Act of 1982-Selected Source Text

Sec. 2. Section 113 of the Accounting and Auditing Act of 1950 (31 U.S.C. 66a) is
amended by adding at the end thereof the following new subsection:

(d)(1)(A) To ensure compliance with the requirements of subsection (a)(3) of this
section, internal accounting and administrative controls of each executive agency
shall be established in accordance with standards prescribed by the Comptroller
General, and shall provide reasonable assurance that-

(i) obligations and costs are in compliance with applicable law;

(ii) funds, property, and other assets are safeguarded against waste, loss, un-
authorized use, or misappropriation; and

(iii) revenues and expenditures applicable to agency operations are properly
recorded and accounted for to permit the preparation of accounts and reliable
financial and statistical reports and to maintain accountability over the assets.

(B) The standards prescribed by the Comptroller General under this paragraph
shall include standards to ensure the prompt resolution of all audit findings....

(3)... the head of each executive agency shall... prepare a statement-

(A) that the agency's systems of internal accounting and administrative con-
trol fully comply with the requirements of paragraph (1); or

(B) that such systems do not fully comply with such requirements.

(5) The statements and reports required by this subsection... shall also be made
available to the public, except that, in the case of any such statement or report con-
taining information which is-

(A) specifically prohibited from disclosure by any provision of law; or

(B) specifically required by Executive order to be kept secret in the interest
of national defense or the conduct of foreign affairs, such information shall
be deleted prior to the report or statement being made available to the public.

A.5.1 Cross-References and Comments

TABLE A-11. Federal Managers' Financial Integrity Act of 1982-Cross-References

Section

Security Policy

MAC

DAC

Marking

Accountability

Assurance

Fault Tolerance

(d)(1)(A)(i-iii)

X

X

X

X

X

X

(d)(1)(B)

X

(d)(3)

X

(d)(5)

X

X

X

X

X

(d)(1)(A)(i-iii)

[Security Policy] Legal compliance related to organizational obligations and costs (e.g.,
contracts, logistics, funds transfer, services, etc.) must be considered in the formulation
of Security Policy. Security policy must address waste, loss, unauthorized use, and mis-
appropriation in terms of both AIS assets as well as other assets, whenever these non-
AIS assets are either represented within or controlled via AISs. [MAC, DAC, Marking]
Because the control of ``unauthorized use'' is explicitly called for, authorization features
are required. [Accountability] Costs and obligations must be internally accounted for
within an organization to the level of a responsible individual acting within the scope of
his authority. [Assurance] Reasonable assurance is required.

(d)(1)(B)

[Accountability] Prompt resolution of audit findings requires specific features for AIS
systems. These may include audit reduction tools, real-time alerts, etc.

(d)(3)

[Assurance] The head of each executive agency is required to produce a report on the
state of that agency's internal control system.

(d)(5)

[Security Policy] Mandated disclosure of information is also subject to restrictions of na-
tional security and other (confidentiality) policies. [MAC, DAC, Marking] The overlap-
ping of confidentiality and integrity policy coverage has implications for MAC policy
with regard to information sanitation and downgrading of classified or sensitive informa-
tion. There are also implications for DAC policy with regard to the designated individu-
als performing these types of operations. [Accountability] Auditing of all downgrading
and sanitation activity shall be performed.

A.6 Computer Security Act of 1987-Public Law 100-235

Public Law 100-235 expands the definition of computer security protection and clarifies
the role of the (NBS now the National Institute of Standards and Technology) [Russell
1991, p. 283]. A primary function of this Act is to prescribe authority and assign
responsibilities for developing security standards and guidelines for Federal computer
systems. This Act has broadens the scope of applicability for security policies in three
areas: the range of resources, the type(s) of information, and the types of systems.

Significantly, this Act also increases types of computers under consideration as well as
the scope of information which must be protected. The Act defines computer systems
broadly and includes support services as an area which must be considered. This can be
interpreted to mean that effective controls must exist over AIS support systems and
personnel, as well as those individuals who operate the primary applications. The
traditional scope of information protection was increased as well. Previously, explicit
protection policy applied only to ``classified'' and ``specifically categorized sensitive''
information. This Act applies to a more encompassing term, ``sensitive information,''
which is defined in detail below.

The following table contains selected sections of Public Law 100-235. The cross-reference
table and comments appear in the next section.

TABLE A-12. Computer Security Act of 1987-Selected Source Text

Sec.2. Purpose.

(a) In General.-The Congress declares that improving the security and privacy of sensi-
tive information in Federal computer systems is in the public interest, and hereby creates
a means for establishing minimum acceptable security practices for such systems, with-
out limiting the scope of security measures already planned or in use.

(b) Specific Purposes.-The purposes of this Act are-

(1) by amending the Act of March 3, 1901, to assign to the National Bureau of
Standards responsibility for developing standards and guidelines for Federal com-
puter systems, including responsibility for developing standards and guidelines
needed to assure the cost-effective security and privacy of sensitive information in
Federal computer systems, drawing on the technical advice and assistance (includ-
ing work products) of the National Security Agency, where appropriate;

(2) to provide for promulgation of such standards and guidelines by amending sec-
tion 111(d) of the Federal Property and Administrative Services Act of 1949;

(3) to require establishment of security plans by all operators of Federal computer

(4) to require mandatory periodic training for all persons involved in management,
use, or operation of Federal computer systems that contain sensitive information.

Sec.3. Establishment of Computer Standards Program.

The Act of March 3, 1901 (15 U.S.C. 271-278h), is amended-

(2)... by inserting... ``Sec.20''

(d) As used in this section-

(1) the term ``computer system''-

(A) means any equipment or interconnected system or subsystems of
equipment that is used in the automatic acquisition, storage, manipula-
tion, management, movement, control, display, switching, interchange,
transmission, or reception, of data or information; and

(B) includes-

(i) computers;

(ii) ancillary equipment;

(iii) software, firmware, and similar procedures;

(iv) services, including support services; and

(iv) related resources as defined by regulations issued by the Ad-
ministrator for General Services . . .

(4) the term `sensitive information' means any information, the loss, misuse,
or unauthorized access to or modification of which could adversely affect the
national interest or the conduct of Federal programs, or the privacy to which
individuals are entitled . . . , but which has not been specifically authorized
under criteria established by an Executive Order or an Act of Congress to be
kept secret in the interest of national defense or foreign policy;

Legislative History [The Legislative History of the Computer Security Act of 1987 [H.
Rept. 100-153(I), p. 24] gives examples of that which should be considered ``sensitive
information:''

. . . information which if modified, destroyed or disclosed in an unauthorized
manner could cause:

Loss of life;

Loss of property or funds by unlawful means;

Violation of personal privacy or civil rights;

Gaining of an unfair commercial advantage;

Loss of advanced technology, useful to a competitor; or

Disclosure of proprietary information entrusted to the government.]

Sec.5. Amendment to Brooks Act.

Section 111(d) of the Federal Property and Administrative Services Act of 1949 (40
U.S.C. 759(d)) is amended to read as follows:

(d)(1) The Secretary of Commerce shall, on the basis of standards and guidelines
developed by the [National Institute of Standards and Technology] . . . promulgate
standards and guidelines pertaining to Federal computer systems, making such
standards compulsory and binding to the extent to which the Secretary determines
necessary to improve the efficiency of operation or security and privacy of Federal
computer systems. . . .

(d)(2) The head of a Federal agency may employ standards for the cost-effective
security and privacy of sensitive information in a Federal computer system within
or under the supervision of that agency that are more stringent than the standards
promulgated by the Secretary of Commerce, if such standards contain, at a mini-
mum, the provisions of those applicable standards made compulsory and binding
by the Secretary of Commerce.

(d)(4) The Administrator shall revise the Federal information resources manage-
ment regulations . . . to be consistent with the standards and guidelines promulgat-
ed by the Secretary of Commerce.

Sec.6. Additional Responsibilities for Computer Systems Security and Privacy.

(a) Identification of Systems That Contain Sensitive Information.- . . . each Feder-
al agency shall identify each Federal computer system, and system under develop-
ment, which is within or under the supervision of that agency and which contains
sensitive information.

(b) Security Plan.- . . . each agency shall, consistent with the standards, guidelines,
policies, and regulations prescribed pursuant to section 111(d) of the Federal Prop-
erty and Administrative Services Act of 1949, establish a plan for the security and
privacy of each Federal computer system identified by that agency pursuant to sub-
section (a) that is commensurate with the risk and magnitude of the harm resulting
from the loss, misuse, or unauthorized access to or modification of the information
contained in such system. . . .

A.6.1 Cross-References and Comments

TABLE A-13. Computer Security Act of 1987-Cross-References

Section

Security Policy

MAC

DAC

Marking

Accountability

Assurance

Fault Tolerance

Sec.3(2)(d)(1)

X

Sec.3(2)(d)(4)

X

X

X

X

Sec.3(Leg.His.)

X

X

X

Sec.5(d)(1,2,4)

X

Sec.6(a-b)

X

Sec.3(2)(d)(1)

[Security Policy] This Act applies to ``computer systems,'' a range of resources includ-
ing equipment, software, services, and related resources. This implies an increased scope
of system Security Policies with regard to the range of applicable resources.

Sec.3(2)(d)(4)

[Security Policy] By defining the type of applicable information, this Act explicitly in-
creases the scope of the Security Policy-in particular, the systems containing ``sensitive
information'' must provide protection for that information. [MAC, DAC, Marking] Be-
cause the control of ``unauthorized use'' is explicitly called for, authorization features
are required.

Sec.3(Leg.His.)

[Security Policy, Assurance, Fault Tolerance] The considerations for ``loss of life'' great-
ly increases the scope of systems which are applicable under this Act. The inclusion of
computer systems which control machinery or processes also has important implications
for the scope of the Security Policy. In particular, the inclusion of safety-critical systems
is implied, although there is currently a lack of explicit policy statements in this area.

Sec.5(d)(1,2,4)

[Security Policy] The Act contains details relevant to the formulation of individual (agen-
cy) Security Policies. These show that the agencies involved might have to prescribe
and integrate different security policies and standards to meet their unique needs.

Sec.6(a-b)

[Security Policy] All systems identified as containing sensitive information are subject
to Security Policy requirements. An organization (agency) must develop individual secu-
rity plans for computer systems containing ``sensitive information.'' These plans may
provide greater insight into Security Policy needs.

A.7 OMB Circular No. A-127-Financial Management Systems

OMB Circular No. A-127 establishes a program to assure the integrity of Federal
financial management systems (FMSs) by prescribing policies and procedures for
executive departments and agencies. Financial management systems are of interest
primarily because the control of revenue, expenditure, funds, property, and other assets
are often-either partially or totally-implemented via AISs. Therefore, policy related to
FMSs must be effectively enforced on these related AISs.

There are five particular control areas for FMSs called for under this Circular [OMB A-
127, p. 4]: FMS operations, FMS integrity, support for budgets, support for management,
and full financial disclosure. Each of these areas has specific implications for integrity
when considering (possible) automated features of an FMS.

The most demanding and significant implications for AIS integrity fall under the area of
FMS operations. Specific objectives for FMS operations address the areas of usefulness,
timeliness, reliability and completeness, comparability and consistency, and efficiency
and economy. The use of automated systems to help achieve these objectives is explicitly
called for [OMB A-127, p. 4].

Any particular executive department or agency may have unique requirements for one
or more of the preceding control areas or FMS control objectives. The importance of this
Circular is not in calling out specific, detailed requirements, but in recognizing specific
areas in which controls must exist to enforce financial management policies. These areas
must be addressed by AIS integrity policies on automated implementations of FMSs.
This Circular has implications for both system and application-oriented security policies.

The following table contains selected sections of OMB Circular No. A-127. The cross-
reference table and comments appear in the next section.

TABLE A-14. OMB Circular No. A-127-Selected Source Text

1. Purpose. This Circular prescribes policies and procedures to be followed by executive
departments and agencies in developing, operating, evaluating, and reporting on finan-
cial management systems.

2. Background. The Budget and Accounting Procedures Act of 1950, the Federal Manag-
ers' Financial Integrity Act, and related legislation . . . provide that:

-- Establishing and maintaining systems of accounting and reporting is the respon-
sibility of the executive branch.

-- Agency systems shall provide for:

· complete disclosure of the financial results of the activities of the agency,

· adequate financial information for agency management and for formulation
and execution of the budget,

· effective control over revenue, expenditure, funds, property, and other assets.

3. Policy. The financial management system of each agency shall meet the objectives set
forth in Section 6 of this Circular. These objectives are intended to establish a frame-
work for complying with applicable law, appropriate budget and accounting principles
and standards, Treasury reporting requirements, and the best contemporary financial
practice. Systems developed and operated under this Circular shall be the source for fi-
nancial information used in the budget, Treasury financial statements, financial reports
to the Congress, and other financial reports.

Agencies shall establish and maintain a single, integrated financial management system,
which may be supplemented by subsidiary systems. Data needed in this system and oth-
er agency systems shall be entered only once and transferred automatically to appropri-
ate accounts or other parts of the system or systems. New or substantially revised sys-
tems shall be developed on an inter-agency basis and designed to meet the needs of all
participating agencies. Funds shall be expended only for systems that meet the require-
ments of this Circular.

6. Financial Management System Objectives. The following objectives shall be met by
the agency financial management system in complying with applicable law and appropri-
ate guidance of GAO, Treasury, and OMB. . . .

a. Systems operations -- the agency financial management system shall use the
best of acceptably priced, contemporary technology -- including automated data en-
try and edit, data management, data base dictionaries, electronic communications
between systems, flexible report formats, and controlled access to data bases by
personal computers and other means -- to achieve the following objectives.

(1) Usefulness -- financial management data shall be gathered and processed
only where necessary to meet specific internal management needs or external
requirements. Reports shall be tailored to specific user needs and if report us-
ages does not justify cost, reports shall be terminated. Usefulness shall be de-
termined in part through consultation with users as part of the reviews re-
quired by Section 7b of this Circular. (2) Timeliness -- financial manage-
ment data shall be recorded as soon as practicable after the occurrence of the
event, and relevant preliminary data shall be made available to managers by
the fifth working day following the end of the reporting period. Other stand-
ards of timeliness may be established where the agency has inventoried re-
ports and set specific standards, with user participation. Final, corrected data
shall be available in time to meet external reporting requirements.

(3) Reliability and completeness -- financial management information shall
be reasonably complete and accurate, shall be verifiable and ordinarily be
drawn from the official records and systems, and shall be no more detailed
than necessary to meet the needs of management and external requirements.

(4) Comparability and consistency -- financial management data shall be re-
corded and reported in the same manner throughout the agency, using uni-
form definitions. Accounting shall be synchronized with budgeting. Consist-
ency over time shall be maintained. New and revised systems shall adopt
common, existing definitions and classifications.

(5) Efficiency and economy -- the agency financial management system shall
be designed and operated with reasonable total costs and transaction costs, in
accordance with OMB guidelines. Financial systems which are excessively
costly shall be identified and phased out. This shall be accomplished through
installation of effective systems of planning and evaluation, sharing of data,
elimination of overlap and duplication, and use of the best contemporary
technology, including commercially available packages with proven success
in other agencies or the private sector.

b. Systems integrity -- the agency financial management system shall feature rea-
sonable controls designed, operated, and evaluated in accordance with OMB Circu-
lar A-123, Internal Control Systems, and A-71 [rescinded by A-130], Responsibili-
ties for the Administration and Management of Automatic Data Processing Facili-
ties.

c. Support for budgets -- financial management data shall be recorded, stored, and
reported to facilitate budget preparation, analysis, and execution. Data shall be clas-
sified uniformly and that classification, at a minimum, shall be at a level of detail
that directly supports execution of enacted budgets and formulation of proposed
budgets, without excessive aggregation or disaggregation. . . .

d. Support for management -- data shall be recorded and reported in a manner to
facilitate carrying out the responsibilities of both program and administrative man-
agers. The agency financial management system shall provide for a coherent, time-
ly, and accurate financial management data base. It should be supplemented as nec-
essary to meet agency management and Executive Office requirements for adminis-
trative data, such as the Financial and Administrative Management Information
System 1. . . .

e. Full financial disclosure -- financial management data shall be recorded, and re-
ported as specifically required by OMB or Treasury, to provide for full financial
disclosure and accountability in accordance with appropriate budget and account-
ing principles and standards. . . .

A.7.1 Cross-References and Comments

TABLE A-15. OMB Circular No. A-127-Cross-References

Section

Security Policy

MAC

DAC

Marking

Accountability

Assurance

Fault Tolerance

3

X

X

X

X

6(a)

X

X

X

X

X

X

6(a)(1)

X

X

6(a)(2)

X

X

X

6(a)(3)

X

X

X

6(a)(4)

X

6(a)(5)

X

X

6(b)

X

X

6(c)

X

6(d)

X

X

X

6(e)

X

X

X

3

[Security Policy, Accountability] AIS portions of financial management systems must
comply with applicable law, budget and accounting principles and standards, Treasury
reporting requirements, and the best contemporary financial practice. A specific adminis-
trative policy is cited in regard to data handling and security controls. [Assurance, Fault
Tolerance] The single point-of-entry requirement for input of data to the system, specify-
ing automatic transfer of data to required locations, implies rigorous administrative and
reliability features.

6(a)

[Security Policy] The use of AISs to implement financial management systems is explic-
itly called for. Controlled access to data bases is required. [MAC, DAC, Marking] Pro-
viding controlled access implies that these control objectives will be affected. [Accounta-
bility] This is implied when access control is required. [Assurance] Particular automated
features called for implies the need for assurance measures with rigor defined by accept-
able risk and reasonable cost as well as the need for a thorough risk analysis.

6(a)(1)

[Security Policy] Financial management data shall be gathered and processed only
where necessary to meet specific internal management needs or external requirements.
[Accountability] Reports are tailored to specific user needs.

6(a)(2)

[Security Policy, Accountability] Financial management data shall be recorded as soon
as possible and made available in a timely manner. Specific standards of timeliness may
be established. This implies the need for internal timing attributes and control policies re-
lated to timing. [Assurance] Corrected data shall be available in time to meet external re-
porting requirements.

6(a)(3)

[Security Policy] Financial management information shall be reasonably complete and
accurate. This implies specifications for completeness and accuracy that can be moni-
tored and reacted to when the specified attributes or attribute values do not meet speci-
fied thresholds. [Accountability] Further, it implies identified responsibility for all ac-
tions taken on the specified information. Accountability is also implied by the verifica-
tion requirement. [Assurance] That information should be verifiable implies reconciling
transactions with starting and ending totals, dual-entry accounting, or external ``safety
paper'' (e.g., checks, withdrawal slips, and/or deposit slips).

6(a)(4)

[Security Policy] Uniform system definitions (process and data) for related systems are
required. Consistency of financial management data over time is required. Synchronized
functions (e.g., accounting and budgeting) are required.

6(a)(5)

[Security Policy, Assurance] Operational costs must be reasonable and in accordance
with OMB guidelines. Effective planning and evaluation, sharing of data, elimination of
duplication, and the use of the best contemporary technology is required. This implies
that a thorough risk analysis must be performed to ascertain protection requirements.

6(b)

[Security Policy, Assurance] AIS portions of financial management systems must feature
reasonable controls designed, operated, and evaluated in accordance with OMB policy.
Again, the implication for a thorough risk analysis for protection controls is established
by the use of the term ``reasonable.''

6(c)

[Security Policy] Uniform system of data categorization is required. The budget process
shall be supported. Excessive aggregation or disaggregation is not acceptable. This is an
application-specific security policy issue.

6(d)

[Security Policy, Accountability, Assurance] Data shall be recorded and reported in a
manner to facilitate carrying out the responsibilities of managers. The financial manage-
ment system shall be coherent, timely, and accurate.

6(e)

[Security Policy, Accountability] Financial management data shall be recorded. Reports
shall provide full financial disclosure and accountability in accordance with appropriate
budget and accounting principles and standards. [Assurance] Accuracy and completeness
of data being disclosed has implications for assurance.

A.8 OMB Circular No. A-130-Management of Federal Information Re-
sources

OMB Circular No. A-130 establishes requirements for effective and efficient
management of federal information resources. This Circular requires all agency
information systems to provide a level of security commensurate with the sensitivity of
the information, the risk of its unauthorized access, and the harm that could result from
improper access. It also requires all agencies to establish security programs to safeguard
the sensitive information that they process [Russell 1991, p. 282]. As such, it sets forth
policy regarding information management within Federal agencies that bear directly on
the protection issues of confidentiality, integrity, and availability. That these issues are
intended to be within the scope of this Circular is explicitly stated in Appendix IV [p.
52749]:

Security of information systems means both the protection of information while it is
within the systems and also the assurance that the systems do exactly what they are sup-
posed to do and nothing more. Information system security entails management controls
to ensure the integrity of operations including such matters as proper access to the infor-
mation in the systems and proper handling of input and output. In this sense, security of
information is first and foremost a management issue and only secondly a technical prob-
lem of computer security. . . . Protecting personal, proprietary, and other sensitive data
from unauthorized access or misuse; detecting and preventing computer related fraud
and abuse; and assuring continuity of operations of major information systems in the
event of emergency related disruptions are increasingly serious policy issues. . . .

The Paperwork Reduction Act of 1980 establishes a broad mandate for efficient,
effective, and economical performance of information activities by agencies. Circular
No. A-130 implements OMB authority under the 1980 Act with respect to general
information policy, records management, privacy, and Federal automatic data
processing and telecommunications. In addition, it also implements sections of the
Privacy Act of 1974 as well as other Federal Laws and Executive policy statements.

Circular No. A-130 revises and consolidates policy and procedures in five previous OMB
directives, which were rescinded through this Circular. One reason for issuing this
Circular was OMB's determination that it was important to distinguish the statement of
policies from the procedures for implementing those policies. As a result, the main body
of the Circular is a statement of basic considerations and assumptions, policies, and
responsibility assignments. Appendices I, II, and III to the Circular consist of procedures
for implementing various policies. These Appendices have the same prescriptive force
as the Circular itself, and hence, were included in the extraction of Selected Source Text,
below. Appendix IV to the Circular is an explanatory document, and was used in our
analysis of the Source Text.

Appendix III of this Circular, together with OMB Circular No. A-123 (Internal Control
Systems), provide the evaluation and reporting requirements for the systems integrity
objective contained in OMB Circular No. A-127 (Financial Management Systems).

Due to a similar treatment of the subject, this Circular [App.III, Sec.(2)(c)] appears to be
the source of the definition of ``sensitive information'' used in The Computer Security
Act of 1987. Significantly, the Circular [App.III, manner which has particular
significance for policy related to safety-critical systems.

This Circular is undergoing revision with a version available for public comment
expected in the near future. Although the exact changes to be incorporated in revision
have not been determined, the available information indicates that the major focus of
change will be on policy regarding public access to agency information holdings and the
dissemination of electronic information products to Federal depository libraries. Also
incorporated will be changes called for by legislation passed since the 1985 publication
of this Circular. OMB plans call for work on the revised Circular to continue through
1992 [OMB 1991, p. 9026].

The following table contains selected sections of OMB Circular No. A-130. The cross-
reference table and comments appear in the next section.

TABLE A-16. OMB Circular No. A-130-Selected Source Text

7. Basic Considerations and Assumptions:

b. Government information is a valuable national resource. It provides citizens
with knowledge of their government, society, and economy-past, present, and fu-
ture; is a means to ensure the accountability of government; is vital to the healthy
performance of the economy; is an essential tool for managing the government's
operations; and is itself a commodity often with economic value in the market-
place.

c. The free flow of information from the government to its citizens and vice versa
is essential to a democratic society. It is also essential that the government mini-
mize the Federal paperwork burden on the public, minimize the cost of its informa-
tion activities, and maximize the usefulness of government information.

d. In order to minimize the cost and maximize the usefulness of government infor-
mation activities, the expected public and private benefits derived from govern-
ment information, insofar as they are calculable, should exceed the public and pri-
vate costs of the information.

f. The use of up-to-date information technology offers opportunities to improve the
management of government programs, and access to, and dissemination of, govern-
ment information. . . .

8. Policies

a. Information Management. Agencies shall:

(1) Create or collect only that information necessary for the proper performance of
agency functions and that has practical utility, and only after planning for its
processing, transmission, dissemination, use, storage, and disposition; (2) Seek to
satisfy new information needs through legally authorized inter-agency or intergov-
ernmental sharing of information, or through commercial sources, where appropri-
ate, before creating or collecting new information;

(3) Limit the collection of individually identifiable information and proprietary in-
formation to that which is legally authorized and necessary for the proper perform-
ance of agency functions;

(4) Maintain and protect individually identifiable information and proprietary infor-
mation in a manner that precludes:

(a) Unwarranted intrusion upon personal privacy (see Appendix I); and

(b) Violation of confidentiality;

(5) Provide individuals with access to, and the ability to amend errors in, systems
of records, consistent with the Privacy Act;

(6) Provide public access to government information, consistent with the Freedom
of Information Act.

(7) Ensure that agency personnel are trained to safeguard information resources.

(8) Disseminate information, as required by law, describing agency organization,
activities, programs, meetings, systems of records, and other information holdings,
and how the public may gain access to agency information resources;

(9) Disseminate such information products and services as are:

(a) Specifically required by law; or

(b) Necessary for the proper performance of agency functions, . . .

(10) Disseminate significant new, or terminate significant existing, information
products and services only after providing adequate notice to the public;

(11) Disseminate such government information products and services:

(a) In a manner that ensures . . . the public . . . have a reasonable ability to
acquire the information;

(b) In a manner most cost effective for the government, . . .

(c) So as to recover costs of disseminating the products or services . . .

(12) Establish procedures for:

(a) Reviewing periodically the continued need for and manner of dissemina-
tion of the agency's information products or services; and

(b) Ensuring that government publications are made available to depository
libraries as required by law.

b. Information Systems and Information Technology Management. Agencies shall:

(1) Establish multi-year strategic planning processes for acquiring and operating in-
formation technology that meet program and mission needs, reflect budget con-
straints, and form the bases for their budget requests;

(2) Establish systems of management control that document the requirements that
each major information system is intended to serve; and provide for periodic re-
view of those requirements over the life of the system . . .

(3) Make the official whose program an information system supports responsible
and accountable for the products of that system;

(4) Meet information processing needs through inter-agency sharing and from com-
mercial sources, when it is cost effective, before acquiring new information
processing capacity;

(5) Share available information processing capacity with other agencies to the ex-
tent practicable and legally permissible;

(6) Acquire information technology in a competitive manner that minimizes total
life cycle costs;

(7) Ensure that existing and planned major information systems do not unnecessari-
ly duplicate information systems . . .

(8) Acquire off-the-shelf software . . . unless the cost effectiveness of developing
custom software is clear and has been documented;

(9) Acquire or develop information systems in a manner that facilitates necessary
compatibility;

(10) Assure that information systems operate effectively and accurately;

(11) Establish a level of security for all agency information systems commensurate
with the sensitivity of the information and the risk and magnitude of loss or harm
that could result from improper operation of the information systems (See Appen-
dix III);

(12) Assure that only authorized personnel have access to information systems;

(13) Plan to provide information systems with reasonable continuity of support
should their normal operations be disrupted in an emergency;

(14) Use Federal Information Processing and Telecommunications Standards ex-
cept where it can be demonstrated that the costs of using a standard exceed the
benefits or the standard will impede the agency in accomplishing its mission;

(15) Not require program managers to use specific information technology facili-
ties or services unless it is clear and convincingly documented, subject to periodic
review, that such use is the most cost effective method for meeting program re-
quirements.

(16) Account for the full costs of operating information technology facilities and
recover such costs from government users . . .

(17) Not prescribe Federal information system requirements that unduly restrict the
prerogatives of heads of State and local government units;

(18) Seek opportunities to improve the operation of government programs or to re-
alize savings for the government and the public through the application of up-to-
date information technology to government information activities.

Appendix I to OMB Circular No. A-130-Federal Agency Responsibilities for Maintain-
ing Records About Individuals

4. Reporting Requirements.

b. New and Altered System Reports. . . .

(1) Altered System of Records. . . . The following changes are those for which a
report is required:

(b) A change that expands the types or categories of information maintained.
For example, a personnel file that has been expanded to include medical
records would require a report.

(c) A change that alters the purpose for which the information is used.

Appendix II to OMB Circular No. A-130-Cost Accounting, Cost Recovery, and Inter-
agency Sharing of Information Technology Facilities)

Supplemental Information.

Several commentators believed that requiring full costs to be recovered from all users
within an agency would not be cost effective. OMB disagreed with this viewpoint and
retained the draft Circular's formulation. Viable management of a large information tech-
nological facility requires that managers know the amount of resources devoted to each
user when providing services. Furthermore, effective management of the use of informa-
tion technology requires that the user have responsibility for and control over the re-
sources consumed by use of the facility. . . .

Appendix III to OMB Circular No. A-130-Security of Federal

Automated Information Systems

1. Purpose. This Appendix establishes a minimum set of controls to be included in Fed-
eral automated information systems security programs; assigns responsibilities for the se-
curity of agency automated information systems; and clarifies the relationship between
such agency security programs and internal control systems established in accordance
with OMB Circular A-123, Internal Control Systems. The Appendix revises procedures
formerly contained in Transmittal Memorandum No. 1 to OMB Circular No. A-71, now
rescinded, and incorporates responsibilities from applicable national security directives.

2. Definitions.

c. The term ``sensitive data'' means data that require protection due to the risk and
magnitude of loss or harm that could result from inadvertent or deliberate disclo-
sure, alteration, or destruction of the data. The term includes data whose improper
use or disclosure could adversely affect the ability of an agency to accomplish its
mission, proprietary data, records about individuals requiring protection under the
Privacy Act, and data not releasable under the Freedom of Information Act.

d. The term ``sensitive application'' means an application of information technolo-
gy that requires protection because it processes sensitive data, or because of the
risk and magnitude of loss or harm that could result from improper operation or de-
liberate manipulation of the application.

3. Automated Information Systems Security Programs. Agencies

shall assure an adequate level of security for all agency automated information systems,
whether maintained in-house or commercially. Specifically, agencies shall:

- Assure that automated information systems operate effectively and accurately;

- Assure that there are appropriate technical, personnel, administrative, environ-
mental, and telecommunications safeguards in automated information systems; and

- Assure the continuity of operation of automated information systems that support
critical agency functions.

Agencies shall implement and maintain an automated information systems security
program, including the preparation of policies, standards, and procedures. This pro-
gram will be consistent with government-wide policies, procedures, and standards
issued by the Office of Management and Budget, the Department of Commerce,
the Department of Defense, the General Services Administration, and the Office of
Personnel Management. Agency programs shall incorporate additional require-
ments for securing national security information in accordance with appropriate na-
tional security directives. Agency programs shall, at a minimum, include four pri-
mary elements: applications security, personnel security, information technology in-
stallation security, and security awareness and training.

a. Applications Security.

(1) Management Control Process and Sensitivity Evaluation. Agencies shall
establish a management control process to assure that appropriate administra-
tive, physical, and technical safeguards are incorporated into all new applica-
tions, and into significant modifications to existing applications. Manage-
ment officials who are the primary users of applications should evaluate the
sensitivity of new or existing applications being substantially modified. For
those applications considered sensitive, the management control process
shall, at a minimum, include security specifications and design reviews and
systems tests. . . .

(2) Periodic Review and Re-certification. . . . Audits or reviews shall evalu-
ate the adequacy of implemented safeguards, assure they are functioning
properly, identify vulnerabilities that could heighten threats to sensitive data
or valuable resources, and assist with the implementation of new safeguards
where required. . . .

A.8.1 Cross-References and Comments

TABLE A-17. OMB Circular No. A-130-Cross-References

Section

Security Policy

MAC

DAC

Marking

Accountability

Assurance

Fault Tolerance

8(a)(1)

X

X

X

8(a)(2)

X

X

X

X

X

8(a)(3)

X

8(a)(4)

X

8(a)(5)

X

X

X

8(a)(6)

X

8(a)(7)

X

X

8(a)(8-11)

X

8(a)(12)

X

X

8(b)(1)

X

8(b)(2)

X

8(b)(3)

X

8(b)(4-5)

X

8(b)(6)

X

8(b)(8)

X

X

8(b)(9)

X

8(b)(11)

X

X

8(b)(12)

X

X

X

X

X

X

8(b)(13)

X

X

X

8(b)(15)

X

X

App.I(4)

X

App.II(Sup.Info.)

X

X

App.III(2)(c)

X

X

X

X

X

App.III(2)(d)

X

X

X

X

X

App.III(3)

X

App.III(3)(a)(1-2)

X

8(a)(1)

[Security Policy] Each phase of the information life cycle (e.g., origin or acquisition
through final disposition). should be considered in formulating the Security Policy. Only
information necessary for proper performance of agency functions, and that has practical
utility shall be created or collected. Practical utility includes characteristics ``pertaining
to the quality of information such as accuracy, adequacy, and reliability.'' In the case of
general purpose statistics or record keeping, practical utility means that ``actual uses can
be demonstrated . . .'' [OMB A-130, p. 52746]. Execution authority is derived from the
required, approved plans for the processing, transmission, dissemination, use, storage,
and disposition of necessary information. The delegation of authority and allocation of
resource responsibilities shall be performed for each aspect of the information life cycle.
[Accountability] This implies that individuals should be held accountable to performing
within the scope of their authority. [Assurance] The documentation of required planning
may be used as an assurance measure.

8(a)(2)

[Security Policy] This implies that the Security Policy must address the protection of
shared information. Sharing should be done under the concept of ``due care'' (i.e., protec-
tion commensurate with the risk and magnitude of loss). [MAC, DAC, Marking] The es-
tablishment of information sharing agreements must include confirmation that the receiv-
ing Agency can mark and protect the shared information as required by the providing
Agency. If such protection is not possible, then the providing Agency must determine
the need to desensitize the information to the degree commensurate with the maximum
protection capabilities of the receiving Agency prior to actual sharing. [Accountability]
The receiving Agency should be accountable for the protection of any shared informa-
tion it receives. The providing Agency is accountable for the sharing of sensitive infor-
mation for which the receiving Agency does not have the capabilities to protect.

8(a)(3)

[Security Policy] The collection of individually identifiable and proprietary information
must be limited to that which is legally authorized and necessary for agency functions.

8(a)(4)

[Security Policy] Confidentiality requirements must be addressed in the Security Policy.

8(a)(5)

[Security Policy] Providing a process for individuals to gain access to personal informa-
tion is required. [Accountability, Assurance] An amendment and error correcting process
for private information must exist.

8(a)(6)

[Security Policy] Providing a process for public access may be required. This process
shall be consistent with Freedom of Information Act requirements and exemptions.

8(a)(7)

[Accountability] This implies that individuals shall be held accountable for adhering to
doctrine and procedures in which they have been trained. [Assurance] Security training
and documentation in support of security training is required. Such documentation
should cover the information life cycle processes, safeguards employed, and individual
responsibilities.

8(a)(8-11)

[Security Policy] Dissemination of information on Agency information life cycle process-
es is required, as required under applicable laws or other relevant policies.

8(a)(12)

[Accountability] Procedures for periodic reviews of information life cycle processes are
required. [Assurance] Assurance of compliance to laws for dissemination is required.

8(b)(1)

[Accountability] Technical protection of information as a part of program and mission
needs must be planned for, taking into account budget constraints. The Paperwork Re-
duction Act requires that OMB: ``promote the use of the technology to improve govern-
mental efficiency and effectiveness. . . .''

8(b)(2)

[Assurance] Information systems requirements documentation is necessary. Periodic re-
views are required.

8(b)(3)

[Accountability] Overall information product accountability is user based. Specific ac-
countability for information products is established at the supported program official.

8(b)(4-5)

[Security Policy] Requirements for the sharing of information are outlined. Specific
Agency policies regarding information sharing should be established.

8(b)(6)

[Assurance] Total life cycle costs must be considered in protection technology acquisi-
tion. This should be coupled to the Agency risk assessment.

8(b)(8)

[Security Policy] The use (in terms of trustedness) of commercial, off-the-shelf software
must be reflected in the Security Policy. [Assurance] ``Trustedness'' implies that process
for evaluation of the vulnerabilities of commercial, off-the-shelf software should be es-
tablished. The evaluated software must be placed under configuration management once
it is accepted.

8(b)(9)

[Assurance] Necessary compatibility is considered because ``compatibility among infor-
mation systems has . . . emerged as a significant information resources management
problem . . .'' [OMB A-130, p. 52749]. Necessary compatibility for integrity protection
is required.

8(b)(11)

[Security Policy, Assurance] Security features must be adequate for protection with re-
gards to the sensitivity of the information and/or application as determined by the Agen-
cy risk assessment.

8(b)(12)

[Security Policy, MAC, DAC, Marking, Accountability, Assurance] Authorized access
to information systems must be assured. This implies an extension of authorized access
to specific information.

8(b)(13)

[Security Policy, Fault Tolerance] Reasonable continuity of support shall be provided
for information systems. [Assurance] Contingencies should not only be planned for but
also routinely exercised whenever practicable.

8(b)(15)

[Security Policy] This implies a thorough risk assessment has been conducted and that
specific protection policy enforcement needs have been identified as being both required
and cost effective. [Assurance] Periodic reviews are required.

App.I(4)

[Accountability] Changes to types or categories of information being maintained, or the
purposes to which information is being put to use, must be reported.

App.II Sup.Info.

[Security Policy] A user has control over assigned resources. [Accountability] A manag-
er must know the amount of resources consumed by each user. A user is responsible for
assigned resources.

App.III(2)(c)

[Security Policy] Defines the type of information applicable under this Circular. Indi-
cates an increased scope of Security Policy-in particular, the systems containing ``sensi-
tive information'' must be protected. [MAC, DAC] Because the control of ``unauthorized
use'' is explicitly called for, authorization features are required. [Marking] ``Sensitive in-
formation'' must be identifiable. [Accountability] Authorization implies the requirement
for accountability for acting within the scope of authority.

App.III(2)(d)

[Security Policy] Defines the type of application applicable under this Circular. The as-
sessment of risk, loss, or harm resulting from improper operation or deliberate manipula-
tion of an application should be applied to all applications, including embedded applica-
tion or control systems, in order to determine their ``sensitivity.'' [MAC, DAC] Because
the control of ``improper operation'' or ``deliberate manipulation'' is explicitly called for,
authorization features are required. [Marking] ``Sensitive applications'' must be identifia-
ble. [Accountability] Authorization implies the requirement for accountability for acting
within the scope of authority.

App.III(3)

[Security Policy] Requires the preparation and maintenance of security policies, stand-
ards, and procedures. Outlines basic considerations and the sources of policy for security
programs.

App.III (3)(a)(1-2)

[Assurance] Agencies shall assure that appropriate safeguards are incorporated into all
new or modified applications. The adequacy of implemented safeguards shall be evaluat-
ed and vulnerabilities identified. Periodic reviews are required.

A.9 OMB Circular No. A-123-Internal Control Systems

OMB Circular No. A-123 directs agency heads and managers to set up management
plans and to take responsibility for eliminating fraud, waste, and abuse in government
programs. The aim of this program is to establish confidence and accountability in the
protection of Federal operations [Russell 1991, p. 279].

Internal controls are of significance primarily because of the increasing use of
automation for both the major applications and the internal control systems of
government programs. The Budget and Accounting Act of 1950 sets forth the
requirement for each department and agency to establish and maintain adequate
systems of internal control. The Federal Managers' Financial Integrity Act amended this
earlier Act, adding requirements for (a) the development of internal accounting and
administrative control standards by the General Accounting Office, (b) annual
evaluations of internal accounting and administrative control systems in accordance
with guidelines established by OMB, and (c) annual statements on the status of the
agency's system of internal controls. AISs which are integral to internal control systems
must adhere to the standards and guidelines prescribed in this Circular.

The following table contains selected sections of OMB Circular No. A-123. The cross-
reference table and comments appear in the next section.

TABLE A-18. OMB Circular No. A-123-Selected Source Text

1. Purpose. This circular prescribes policies and procedures to be followed by executive
departments and agencies in establishing, maintaining, evaluating, improving, and report-
ing on internal controls in their program and administrative activities.

4. Policy. Agencies shall establish and maintain a cost effective system of internal con-
trols to provide reasonable assurance that Government resources are protected against
fraud, waste, mismanagement or misappropriation and that both existing and new pro-
gram and administrative activities are effectively and efficiently managed to achieve the
goals of the agency. The system shall comply with the Integrity Act and the internal con-
trol standards developed by the General Accounting Office and implemented by this cir-
cular. All levels of management shall be involved in ensuring the adequacy of controls.
Internal control does not encompass such matters as statutory development or interpreta-
tion, determination of program need, resource allocation, rule-making, or other discre-
tionary policy-making processes in an agency.

7. Objectives of Internal Control. The objectives of internal control apply to all program
and administrative activities. Internal control systems are to provide management with
reasonable assurance that:

a. Obligations and costs comply with applicable law.

b. Assets are safeguarded against waste, loss, unauthorized use, and misappropria-
tion.

c. Revenues and expenditures applicable to agency operations are recorded and ac-
counted for properly so that accounts and reliable financial and statistical reports
may be prepared and accountability of the assets may be maintained.

d. Programs are efficiently and effectively carried out in accordance with applica-
ble law and management policy.

8. Required Agency Actions. Each agency shall meet the following requirements in a
cost-effective manner.

a. Maintain a current internal control directive assigning management responsibili-
ty for internal controls in accordance with this circular and the [OMB] Internal
Control Guidelines with the following provisions. Provide for coordination on in-
ternal control matters among the designated internal control official, heads of agen-
cy components, program managers and staffs, and the IG [Inspector General] of-
fice or its equivalent. Establish administrative procedures to enforce the intended
functioning of internal controls. . . .

b. Develop a Management Control Plan (MCP) or plans to be updated annually.
The primary purpose of an MCP is to identify component inventory, to show risk
rating of component (high, medium, low), and to provide for necessary evaluations
over a five-year period. Material weaknesses and other areas of management con-
cern may also be monitored through the plan. High risk components and material
weaknesses must be acted upon during the first year of the plan. The plan should
be based upon the schedule of actions in each major component, and identify the
senior managers responsible. Management should utilize the plan for monitoring
progress and ensuring that planned actions are in fact taken. MCP's are intended to
be part of each agency's overall planning process and at a minimum should be
linked to activities under [OMB Circulars] A-127 and A-130. . . .

c. Make risk assessments to identify potential risks in agency operations which re-
quire corrective action or further investigation through internal control evaluations
or other actions. These may follow the vulnerability assessment procedures in the
[OMB] Internal Control Guidelines or may be based on a systematic review build-
ing on management's knowledge, information obtained from management report-
ing systems, previous risk assessments, audits, etc. . . . Risk assessment on new or
substantially revised programs should occur as part of planning for implementation
and the results reflected in the MCP. Risk assessments are to be considered as part
of developing the MCP.

d. Make internal control evaluations using the procedures in the [OMB] Internal
Control Guidelines or alternative reviews to determine whether the internal control
system is effective and is operating in compliance with the Integrity Act and this
circular. These reviews should identify internal controls that need to be strength-
ened or streamlined. The composite of all information that management relies
upon to judge their systems effectiveness must include information on the results
of tests of their operating internal control systems

e. Implement corrective actions identified by agency internal control evaluation ef-
forts on a timely basis. A formal follow-up system should be established that
records and tracks recommendations and projected action dates, and monitors
whether the changes are made as scheduled. The tracking systems should be made
part of broader agency management reporting systems whenever feasible.

A.9.1 Cross-References and Comments

TABLE A-19. OMB Circular No. A-123-Cross-References

Section

Security Policy

MAC

DAC

Marking

Accountability

Assurance

Fault Tolerance

4

X

X

X

X

X

X

7(a)

X

X

7(b)

X

7(c)

X

8(a)

X

X

X

8(b)

X

X

X

8(c)

X

X

8(d)

X

X

8(e)

X

X

4

[Security Policy, MAC, DAC, Marking] An internal control system shall protect against
fraud, waste, mismanagement, and misappropriation. Implementation of internal control
systems must be in accordance with GAO standards. Efficient and effective management
of program activities implies the implementation of abstractions to bind users with ac-
tions (roles) and actions with appropriate object types (duties). This implies both sys-
tems and application-specific security policies. [Accountability, Assurance] Program and
administrative activities must be effective and efficient. Reasonable assurance is required.

7(a)

[Security Policy] Applicable laws related to obligations and costs must be addressed.
[Accountability] Obligations and costs must be adequately recorded and reported.

7(b)

[Security Policy] AIS resources which represent program assets must be safeguarded
against waste, loss, unauthorized use, and misappropriation.

7(c)

[Accountability] Operational revenue and expenditures must be recorded and reported.

8(a)

[Security Policy] Each agency shall maintain a current directive which implements inter-
nal control policy in accordance with this Circular and OMB guidelines. [Accountabili-
ty] Coordination with other entities is required. [Assurance] Administrative procedures
to enforce internal controls must be established. The implication that some of these pro-
cedures may be implemented (either partially or totally) within AISs requires that all pro-
cedures should be well-documented and that agency personnel must be trained properly
to carry them out.

8(b)

[Security Policy, Accountability] Development and maintenance of a Management Con-
trol Plan is required. Component inventories must be established. Monitoring of weak-
nesses implies features for tracking and reporting. [Assurance] Evaluation and risk rat-
ing of internal controls is required.

8(c)

[Accountability, Assurance] Risk assessments for agency operations is required. Risk as-
sessments may require follow-on, corrective actions.

8(d)

[Accountability] This implies that responsibilities for internal control systems have been
established and that the responsible individuals shall be held accountable for the proper
functioning of those systems. [Assurance] Internal control evaluations are required. Iden-
tification of weaknesses is required. Results of tests must be relied upon for manage-
ment to judge systems' effectiveness.

8(e)

[Accountability, Assurance] Corrective actions must be implemented on a timely basis.
Recording and monitoring of identified corrective actions is required.

A.10 OMB Bulletin No. 90-08-Guidance for Preparation of Security Plans
for Federal Computer Systems that Contain Sensitive Information

This Bulletin provides guidance for computer security planning activities required
under the Computer Security Act of 1987. The Bulletin does not apply to systems that
contain classified information, systems involving intelligence activities, cryptologic
activities related to national security, or direct command and control of military forces.
The Bulletin also does not apply to equipment that (a) is integral to a weapons system,
(b) is used in the direct fulfillment of military or intelligence missions, or (c) to mixed
classified and unclassified systems, if such systems are always operated under rules for
protecting classified information.

Computer security planning is intended to improve protection of information and other
information processing resources. In order to be adequate for the protection of resources,
computer security plans must address the areas of loss, misuse, unauthorized access or
modification, unavailability, and undetected activities. The controls to be addressed by
computer security planning described in this Bulletin address both major applications
and general support systems. These controls are derived from requirements and
guidance in the Computer Security Act of 1987, OMB Circular No. A-130, and applicable
Federal Information Processing Standards (FIPS) and Special Publications produced by
NIST.

The following table contains selected sections of OMB Bulletin No. 90-08. The cross-
reference table and comments appear in the next section.

TABLE A-20. OMB Bulletin No. 90-08-Selected Source Text

1. Purpose. The purpose of this Bulletin is to provide guidance to Federal agencies on
computer security planning activities required by the Computer Security Act of 1987.
This Bulletin supersedes OMB Bulletin No. 88-18, Guidance for Preparation and Sub-
mission of Security Plans for Federal Computer Systems Containing Sensitive Informa-
tion (July 6, 1988).

3. Objectives of the Security Planning Process. The security planning process is de-
signed to reduce the risk and magnitude of harm that could result from the loss, misuses
or unauthorized access to or modification of information in Federal computer systems. .
. .

6. Action Required.

a. Every agency must implement security plans for systems which contain sensi-
tive information, incorporating appropriate advice and comment from NIST/NSA.

b. Every agency must prepare a new computer security plan for each system that
contains sensitive information, if:

(1) the system is new or significantly modified; or

(2) a plan for the system was not previously sent to NIST/NSA for advice
and comment (particular emphasis should be on contractor, State, and local
systems operated on behalf of the agency to perform a Federal function); or

(3) staff members of NIST/NSA advised the agency they were unable to pro-
vide advice and comment on the previous plan for the system.

c. Every agency must establish a process to ensure that independent advice and
comment on each plan developed in accordance with Section 6.b, above, is provid-
ed. Such advice and comment should be provided prior to developing a new sys-
tem or significantly modifying an existing system.

d. Every agency must ensure that security plans incorporate appropriate internal
control corrective actions identified pursuant to OMB Circular No. A-123.

e. Every agency must prepare materials as described in Section 8, meet with
OMB, NIST, and NSA staff as described in Section 7, and work with NIST and
NSA to improve agency computer security.

7. Assistance Visits.

a. Agencies will be scheduled for visits by OMB, NIST, and NSA staff.

b. Among the items to be discussed will be:

(1) The completeness of identification of sensitive computer systems;

(2) The quality, scope, and thoroughness of security plans;

(3) Any internal control weaknesses identified pursuant to OMB Circular
No. A-123 related to computer systems, and plans for addressing those weak-
nesses;

(4) For agencies subject to OMB Bulletin No. 89-17, ``Federal Information
Systems and Technology Planning'' their response to that Bulletin;

(5) Material available in accordance with Section 8, below.

c. Agencies should also be prepared to discuss the approach that is being taken to
ensure that computer security plans for new or modified computer systems are pre-
pared and reviewed.

8. Material for Meetings. Agencies should, at a minimum, have the following informa-
tion available:

a. agency-wide computer security policies and a summary of agency computer se-
curity procedures, standards, and requirements;

b. agency assignment of responsibilities for implementation and operation of the
security program;

c. the agency management plan for ensuring implementation of system computer
security plans that includes a description of:

(1) the involvement of agency management,

(2) how computer security plans are being integrated into information re-
sources management plans,

(3) the approach for ensuring that funds, personnel and equipment are
planned for and budgeted, and

(4) the implementation schedule;

d. the method used to identify the agency's sensitive systems;

e. any know agency needs for guidance or assistance.

Appendix A-Instructions for Preparing System Security Plans

I. System Identification

This section of the plan contains basic identifying information about the system.

C. System Category - Categorize each system as either a major application, or as a
general support system, in line with the primary management responsibility for the
system.

Major application. These are systems that perform clearly defined functions
for which there are readily identifiable security considerations and needs.
Such a system might actually comprise many individual application pro-
grams and hardware, software, and telecommunications components.

General support system. These consist of hardware and software that provide
general ADP or network support for a variety of users and applications. Indi-
vidual applications may be less easily distinguishable than in the previous
category, but such applications may contain sensitive information. Even if
none of the individual applications are sensitive, however, the support sys-
tem itself may be considered sensitive if overall, the aggregate of applica-
tions and support provided are critical to the mission of the agency.

II. Sensitivity of Information Handled

This section should provide a description of the types of information handled by the sys-
tem and thus provide the basis for the system's security requirements. It should contain
the following information:

A. Applicable Laws or Regulations Affecting the System . . .

B. General Description of Information Sensitivity - The purpose of this section is
to indicate the type and relative importance of protection needed for the identified
system. A system may need protection for one or more of the following reasons:

Confidentiality - The system contains information that requires protection
from unauthorized disclosure. Examples: timed dissemination (e.g., crop re-
port data), personal data (covered by Privacy Act), proprietary business infor-
mation.

Integrity - The system contains information which must be protected from au-
thorized, unanticipated or unintentional modification, including the detection
of such activities. Examples: systems critical to safety or life support, finan-
cial transaction systems.

Availability - The system contains information or provides services which
must be available on a timely basis to meet mission requirements or to avoid
substantial losses. Examples: air traffic control, economic indicators, or hurri-
cane forecasting.

III. System Security Measures

C. Security Control Measures - Two sets of controls are discussed on subsequent
pages - one for Major Applications and the other for General Support Systems . . .

E. Security Controls Measures for Major Applications

1. Management Controls - overall management controls of the application
system.

a. Assignment of Security Responsibility - Responsibility for the securi-
ty of the application should be assigned.

b. Personnel Screening - Personnel security policies and procedures
should be in place and working to limit access to and processing with-
in the application system to those with a need for such access. Where
appropriate, the duties of those with access should be separated. Addi-
tionally, requirements such as screening individuals with access to the
application as well as those participating in the design, development,
operation, or maintenance of it may be used.

2. Development/Implementation Controls - procedures to assure protection is
built into the system, especially during system development.

a. Security Specification - Appropriate technical, administrative, physi-
cal, and personnel security requirements should be specified for the ap-
plication. . . .

b. Design Review and Testing . . .

c. Certification - Prior to the application being put into operation, and
agency official should certify that the application meets all applicable
Federal policies, regulations, and standards, and that the protection
measures appear adequate. . . .

3. Operational Controls - day-to-day procedures and mechanisms to protect
operational application systems (or planned applications when they become
operational). . . .

a. Physical & Environmental Protection . . .

b. Production, I/O Controls - Controls over the proper handling,
processing, storage, and disposal of input and output data and media,
as well as access controls (such as labeling and distribution proce-
dures) on the data and media. . . .

c. Emergency, Backup, and Contingency Planning . . .

d. Audit and Variance Detection - Controls which allow management
to conduct an independent review or records and activities to test the
adequacy of controls, and to detect and react to departures from estab-
lished policies, rules, and procedures. Variance detection for an applica-
tion checks for anomalies in such things as the numbers and types of
transactions, volume and dollar thresholds, and other deviations from
standard activity profiles.

e. Application Software Maintenance Controls - Controls used to moni-
tor the installation of the updates to application software to ensure that
the software functions as expected and that an historical record is main-
tained of application system changes. Such controls also help to ensure
that only authorized software is allowed on the systems. These controls
may include software configuration policy that grants managerial ap-
proval to modifications, then documents the changes. They may also in-
clude some products used for ``virus'' protection.

f. Documentation . . .

4. Security Awareness and Training . . .

5. Technical Controls - hardware and software controls used to provide auto-
mated and/or facilitate manual protection. Normally these types of controls
are coordinated with the network and/or data center manager.

a. User Identification and Authentication - Controls used to identify or
verify the eligibility of a station, originator, or individual to access spe-
cific categories of information, to perform an activity, or to verify the
integrity of data that have been stored, transmitted, or otherwise ex-
posed to possible unauthorized modification. Such controls include the
use of passwords, tokens, biometrics or other personal mechanisms to
authenticate identity.

b. Authorization/Access Controls - Hardware or software features that
are designed to permit only authorized access to or within the applica-
tion, to restrict users to authorized transactions and functions, and/or to
detect unauthorized activities (e.g., access control lists).

c. Data Integrity/Validation Controls - Controls used to protect data
from accidental or malicious alteration or destruction, and provide as-
surance to the user that the data meets an expectation about its quality
(e.g., [electronic funds transfer] EFT message authentication). Valida-
tion controls refer to tests and evaluations used to determine compli-
ance with security specification and requirements.

d. Audit Trails and Journaling - Controls that provide a transaction
monitoring capability with a chronological record of application activi-
ties. This enables reconstruction of a transaction from its inception to
final results-including any modification of files.

F. Security Controls Measures for General Support Systems

1. Management Controls - overall management controls of the general sup-
port system.

a. Assignment of Security Responsibility . . .

b. Risk analysis . . .

c. Personnel Screening - Personnel security policies and procedures
should be in place and working to control access to and within the sup-
port system to assure that only those with a need for access have it.
Such policies and procedures may include requirements for screening
individuals involved in the operation, management, security, design,
programming, or maintenance of the system.

2. Acquisition/Development/Installation Controls - procedures to assure that
protection is built into the system.

a. Acquisition Specifications - Appropriate technical, administrative,
physical, and personnel security requirements are to be included in
specifications for the acquisition or operation of information technolo-
gy installations, equipment, software, and related services.

b. Accreditation/Certification . . .

3. Operational Controls - day-to-day procedures and mechanisms to protect
operational systems.

a. Physical & Environmental Protection . . .

b. Production, I/O Controls - Controls over the handling, processing,
storage, and disposal of input and output from the support system (e.g.,
controlled or locked output boxes, tape or data screening, etc.).

c. Emergency, Backup, and Contingency Planning . . .

d. Audit and Variance Detection . . .

e. Hardware and System Software Maintenance Controls . . .

f. Documentation . . .

4. Security Awareness and Training . . .

5. Technical Controls - hardware and software controls to protect the general
support systems from unauthorized access or misuse, to facilitate detection
of security violations, and to support security requirements for associated ap-
plications.

a. User Identification and Authentication - Controls used to verify the
identity of a station, originator, or individual prior to allowing access
to the system, or specific categories of information within the system. .
. .

b. Authorization/Access Controls - Hardware or software features used
to detect and/or permit only authorized access to or within the system
(e.g., the use of access lists). Includes controls to restrict access to the
operating system, limits on access to programming resources, and con-
trols to support security policies of associated applications.

c. Integrity Controls - Controls used to protect the operating system, ap-
plications and information in the system from accidental or malicious
alteration or destruction, and provide assurance to users that data has
not been altered (e.g., message authentication). . . .

d. Audit Trail Mechanisms . . .

e. Confidentiality Controls . . .

A.10.1 Cross-References and Comments

TABLE A-21. OMB Bulletin No. 90-08-Cross-References

Section

Security Policy

MAC

DAC

Marking

Accountability

Assurance

Fault Tolerance

App.A(I)(C)

X

App.A(II)(A-B)

X

App.A(III)(E)(1-5)

X

X

X

X

X

X

X

App.A(III)(F)(1-5)

X

X

X

X

X

X

X

App.A(I)(C)

[Security Policy] In general, any particular AIS may provide (partial or total) automa-
tion of a major application while at the same time serving as a general support system.
For example, a logistics DBMS [data base management system] might be considered to
be a major application, and hence represents the automation of a major service provided
by a component. At the same time, the AIS(s) on which the DBMS resides may provide
various applications which support the functioning of that component itself, such as a
payroll or other management system. At a minimum, the operation system of AIS can
be considered as providing general support. Thus, such an AIS would be called upon to
support (possibly) diverse protection policies. The Security Policy must represent an inte-
gration of protection policies associated with both the major applications and the general
support systems provided by the AIS.

App.A

(II)(A-B)

[Security Policy] The general scope of the type of information to be protected under sys-
tem security policies is defined. The availability are explicitly included. Other control ob-
jectives are affected by these concerns. Notably, fault tolerance and assurance for safety-
critical systems are implied.

App.A

(III)(E)(1-5)

[Security Policy, MAC, DAC, Marking, Accountability, Assurance, Fault Tolerance]
This section outlines a variety of computer security controls (e.g., management, develop-
ment, operational, and technical) which apply to major application subsystems. In gener-
al, control systems extend beyond the boundaries of automated systems. However, in
many cases, support for or enforcement of necessary controls can be generalized and in-
tegrated into an AIS via automated mechanisms. Significantly, these controls are analo-
gous to those traditionally associated with, and provided by, operating systems-yet con-
trol requirements may be unique on an application-by-application basis. This may imply
an increased functionality over current AIS security kernel designs to allow for the en-
forcement of multiple, independent security policies. All control objectives are affected.

App.A

(III)(F)(1-5)

[Security Policy, MAC, DAC, Marking, Accountability, Assurance, Fault Tolerance]
This section outlines a variety of computer security controls which are associated with
the traditional notion of a system. These controls essentially apply to the enforcement of
a system-wide security policy. However, under the Computer Security Act of 1987, sen-
sitive information must now be taken into account. Also, the requirements associated
with major applications must also be incorporated. Hence, all control objectives are af-
fected.

A.11 [OMB] Internal Control Guidelines

The Federal Managers' Financial Integrity Act requires sets forth requirements for
internal accounting and administrative controls within Executive agencies, and requires
that OMB establish-in consultation with the Comptroller General of the United States-
guidelines for the evaluation of these controls. This document embodies the guidelines
required to be developed by OMB under this Act.

The following table contains selected sections of the Guidelines. The cross-reference
table and comments appear in the next section. Some of the numbering below does not
occur in the original source text-it is included to aid in the clarity of cross-referenced
comments. Because of the comprehensive nature of these guidelines, only brief examples
related to AIS security will be highlighted and commented upon. The Guidelines should
be consulted for required details.

TABLE A-22. [OMB] Internal Control Guidelines-Selected Source Text

Chapter IV - Vulnerability Assessments

Analysis of General Control Environment

Several factors determine the general control environment, including the following . . . :

· ADP [Automated Data Processing] Consideration - When utilized, an awareness of
the strengths and exposures inherent in a system that uses ADP and the existence
of appropriate controls. . . .

Chapter V - Internal Control Reviews

Identification of the Event Cycles

Event cycles are the processes used to initiate and perform related activities, create the
necessary documentation, and gather and report related data. In other words, an event cy-
cle is a series of steps taken to get something done. Each program and administrative
function performed within an agency or agency component contains one or more event
cycles. For example, an entitlement program could contain the following event cycles:
information gathering and verification, eligibility determination, information processing
and record keeping, payment, and monitoring. The event cycles for an administrative
function could include payroll, procurement of supplies and materials, correspondence
handling, etc. (Appendices B and B-1 present event cycles commonly found in Federal
Government agencies. The General Accounting Office, professional associations, and pri-
vate organizations also publish lists of common event cycles). . . .

Evaluation of the Internal Controls within the Event Cycle

. . . The manner in which this is done is to:

· Ascertain the control objective for the event cycle. . .

· Examine the documentation and ascertain whether appropriate internal control tech-
niques are in place to enable the control objective to be met in an efficient and ef-
fective manner. Internal control techniques are the processes or documents that en-
able the control objective to be achieved. . . .

· Identify whether there are any internal control techniques that are excessive, . . .

Glossary

Assessable Unit - A program or administrative function or subdivision thereof
which is to be the subject of a vulnerability assessment.

Control Objective - A desired goal or condition for a specific event cycle that re-
flects the application of the overall objectives of internal control to that specific cy-
cle.

Event Cycle - The processes used to initiate and perform related activities, create
the necessary documentation, and gather and report related data.

Inherent Risk - The inherent potential for waste, loss, unauthorized use, or misap-
propriation due to the nature of an activity itself.

Internal Control - The steps that an agency takes to provide reasonable assurance
that obligations and costs are in compliance with applicable law; funds, property,
and other assets are safeguarded against waste, loss, unauthorized use, or misappro-
priation; and revenues and expenditures applicable to agency operations are proper-
ly recorded and accounted for to permit the preparation of accounts and reliable fi-
nancial and statistical reports and to maintain accountability over the assets.

Internal Control System - The sum of the organization's methods and measures
used to achieve the objectives of internal control.

Internal Control Technique - A process or document that is being relied on to effi-
ciently and effectively accomplish a control objective and thus help safeguard an
activity from waste, loss, unauthorized use, or misappropriation.

Appendix B - Common Event Cycles and Suggested Control Objectives in Federal Agen-
cies

This appendix presents a list of event cycles commonly found in Federal agencies and
agency components. Also included are certain types of assets that are highly susceptible
to loss and for which controls are vital, e.g., cash, materials and supplies. Finally, the
list provides suggested control objectives for each event cycle/type of asset. . . .

[In addition to the AIS-specific event cycle examples listed below, other common event
cycles address such areas as Operations, Internal Management and Administration, and
Assets and Liabilities. We have included source text dealing with Information Process-
ing and Reporting because these event cycles are directly related to all aspects of auto-
mated processing. However, in general, many of the other common event cycles and sug-
gested control objectives cited in this section will need to be considered in formulating
AIS Security Policy.]

III. Information Processing and Reporting Cycles

A. Information Collection

The primary internal control objectives normally associated with information
collection are the following:

(1) Information collected is meaningful and useful.

(2) Information collected is reliable.

(3) Information is arranged in an orderly fashion.

(4) Information is maintained on a current basis.

B. Records Maintenance

The primary internal control objectives normally associated with records
maintenance are the following:

(1) Records are readily available.

(2) Records are adequately protected.

(3) Only necessary records are retained.

C. Automatic Data Processing

The primary internal control objectives normally associated with automatic
data processing are the following:

(1) Proper authorization of transaction inputs, adequate edit checks, and nec-
essary safeguards of sensitive input forms to insure accurate, proper, com-
plete and timely entry of information.

(2) Data is safeguarded to prevent unauthorized access, improper changes, or
loss.

(3) Appropriate controls exist to detect unauthorized use of the system.

(4) Outputs produced accurately, completely and timely.

A.11.1 Cross-References and Comments

TABLE A-23. [OMB] Internal Control Guidelines-Cross-References

Section

Security
Policy

MAC

DAC

Marking

Accountability

Assurance

Fault
Tolerance

Chapter V

X

App.B(III)(A)(1-4)

X

X

App.B(III)(B)(1-3)

X

X

X

App.B(III)(C)(1-4)

X

Chapter V

[Security Policy] The protection requirements of each event cycle in the internal control
environment shall be specified, and such specifications shall be generally reflected in
the overall Security Policy.

App.B

(III)(A)(1-4)

[Accountability] Collected information must be maintained on a current basis and ar-
ranged in an orderly fashion. [Assurance] Collected information must be meaningful,
useful, and reliable.

App.B

(III)(B)(1-3)

[Security Policy] Only necessary records can be retained. Records must be available and
adequately protected. [Accountability] Each Agency shall establish responsibilities for
record administration. The accountable individuals shall ensure that records acquisition,
maintenance, and disposition conform to applicable laws and policy. [Assurance] Period-
ic review of records administration shall be conducted.

App.B(III)(C)

[Security Policy] An outline of internal control objectives normally associated with auto-
mated systems is presented. These internal control objectives should be reflected in each
Agency and should be enforceable through Security Policy implementation mechanisms.

A.12 GAO Policy and Procedures Manual for Guidance of Federal Agen-
cies-Title 2 - Accounting

The Federal Managers' Financial Integrity Act requires sets forth requirements for
internal accounting and administrative controls within Executive agencies, and requires
that OMB establish-in consultation with the Comptroller General of the GAO-guidelines
for the evaluation of these controls. This document embodies the GAO guidelines and
standards required under this Act.

The following table contains selected sections of the Manual. The cross-reference table
and comments appear in the next section. Some of the numbering below does not occur
in the original source text-it is included to aid in the clarity of cross-referenced
comments. Because of the comprehensive nature of these guidelines, only brief examples
related to AIS security will be highlighted and commented upon. The Manual should be
consulted for required details.

TABLE A-24. GAO Policy and Procedures Manual, Title 2 - Accounting-Selected Source
Text

Appendix II-[Comptroller General's] Standards for Internal Control in the Federal Gov-
ernment

The internal control standards define the minimum level of quality acceptable for inter-
nal control systems in operation and constitute the criteria against which systems are to
be evaluated. These internal control standards apply to all operations and administrative
functions but are not intended to limit or interfere with duly granted authority related to
development of legislation, rule-making, or other discretionary policy-making in an agen-
cy.

A. General Standards

1. Reasonable Assurance. Internal control systems are to provide reasonable assur-
ance that the objectives of the systems will be accomplished.

2. Supportive Attitude. Managers and employees are to maintain and demonstrate
a positive and supportive attitude toward internal controls at all times.

3. Competent Personnel. Managers and employees are to have personal and profes-
sional integrity and are to maintain a level of competence that allows them to ac-
complish their assigned duties, as well as understand the importance of developing
and implementing good internal controls.

4. Control Objectives. Internal controls objectives are to be identified or developed
for each agency activity and are to be logical, applicable, and reasonably complete.

5. Control Techniques.

Internal control techniques are to be effective and efficient in accomplishing their
internal control objectives.

B. Specific Standards

1. Documentation. Internal control systems and all transactions and other signifi-
cant events are to be clearly documented, and the documentation is to be readily
available for examination.

2. Recording of Transactions and Events. Transactions and other significant events
are to be promptly recorded and properly classified.

3. Execution of Transactions and Events. Transactions and other significant events
are to be authorized and executed only by persons acting within the scope of their
authority.

4. Separation of Duties. Key duties and responsibilities in authorizing, processing,
recording, and reviewing transactions should be separated among individuals.

5. Supervision. Qualified and continuous supervision is to be provided to ensure
that internal control objectives are achieved.

6. Access to and Accountability for Resources. Access to resources and records is
to be limited to authorized individuals, and accountability for the custody and use
of resources is to be assigned and maintained. Periodic comparison shall be made
of the resources with the recorded accountability to determine whether the two
agree. The frequency of the comparison shall be a function of the vulnerability of
the asset.

C. Audit Resolution Standard

Prompt Resolution of Audit Findings.

Managers are to (1) promptly evaluate findings and recommendations reported by
auditors, (2) determine proper actions in response to audit findings and recommen-
dations, and (3) complete, within established time frames, all actions that correct
or otherwise resolve the matters brought to management's attention.

D. Explanation of General Standards

4. Control Objectives

This standard requires that objectives be tailored to an agency's operations.
All operations of an agency can generally be grouped into one or more cate-
gories called cycles. Cycles comprise all specific activities (such as identify-
ing, classifying, recording, and reporting information) required to process a
particular transaction or event. . . . Agency management cycles cover the
overall policy and planning, organization, data processing, and audit func-
tions. . . .

5. Control Techniques

Internal control techniques are the mechanisms by which control objectives
are achieved. Techniques include, but are not limited to, such things as spe-
cific policies, procedures, plans of organization (including separation of du-
ties), and physical arrangements (such as locks and fire alarms). This stand-
ard requires that internal control techniques continually provide a high de-
gree of assurance that the internal control objectives are being achieved. . . .

E. Explanation of Specific Standards

1. Documentation

This standard requires written evidence of (1) an agency's internal control ob-
jectives and techniques and accountability systems and (2) all pertinent as-
pects of transactions and other significant events of an agency. Also, the doc-
umentation must be available as well as easily accessible for examination. . .

2. Recording of Transactions and Events

Transactions must be promptly recorded if pertinent information is to main-
tain its relevance and value to management in controlling operations and
making decisions. This standard applies to (1) the entire process or life cycle
of a transaction or event and includes the initiation and authorization, (2) all
aspects of the transaction while in process, and (3) its final classification in
summary records. Proper classification of transactions and events is the or-
ganization and format of information on summary records from which re-
ports are statements are prepared.

3. Execution of Transactions and Events

This standard deals with management's decision to exchange, transfer, use,
or commit resources for specified purpose under specific conditions. It is the
principal means of assuring that only valid transactions and other events are
entered into. Authorization should be clearly communicated to managers and
employees and should include the specific conditions and terms under which
authorizations are to be made. Conforming to the terms of an authorization
means that employees are carrying out their assigned duties in accordance
with directives and within the limitations established by management.

4. Separation of Duties

To reduce the risk of error, waste, or wrongful acts or to reduce the risk of
them going undetected, no one individual should control all key aspects of a
transaction or event. Rather, duties and responsibilities should be assigned
systematically to a number of individuals to ensure that effective checks and
balances exits. Key duties include authorizing, approving, and recording
transactions; issuing and receiving assets; making payments; and reviewing
or auditing transactions. Collusion, however, can reduce or destroy the effec-
tiveness of this internal control standard.

5. Supervision

This standard requires supervisors to continuously review and approve the as-
signed work of their staff. . . .

6. Access To and Accountability For Resources The basic concept behind restrict-
ing access to resources is to help reduce the risk of unauthorized use, loss to the
Government, and to help achieve the directives of management. However, restrict-
ing access to resources depends upon the vulnerability of the resource and the per-
ceived risk of loss, both of which should be periodically assessed. . . .

Appendix III-Accounting System Standards

A. Introduction

. . . The standards contained in this appendix apply to all manual and/or automated
systems of accounting and related internal controls that are operating or are under
development or major revision, in all departments, agencies, or instrumentalities in
the executive branch . . .

B. Accounting System Structure and Operation

. . . Within each department or agency, the account structure (general ledger and
subsidiary accounts), definitions, and data elements must be standardized to ensure
consistency, uniformity, and efficiency in accounting treatment, classification, and
reporting. Furthermore, the procedures for capturing, classifying, communicating,
processing, and storing data and transactions must be uniform (or translatable
among the various subsystems or segments of the system, as necessary). . . . De-
partment or agency accounting systems must include reasonable safeguards and
controls to ensure data integrity and to protect against the loss of the system's abili-
ty to function. . . . Agencies must periodically review their accounting systems to
ensure that the system, along with its controls and security features, continues to
perform as intended, meet user needs, and conform to applicable laws and account-
ing standards. . . .

1. Structure of the Accounting System.

. . . the systems must be structured in a way that ensures the proper gather-
ing, recording, storing, processing, communicating, and consistent reporting
[of information] . . .

Accounting information is most useful when organized by project or pro-
gram, responsibility center, activity, object class of expenditure, organization-
al unit, appropriation, etc. Systems should be capable of responding to re-
quirements for information along these various dimensions. . . .

2. Accounting Processing and Procedures

a. Support for Transactions

A fundamental requirement for any viable accounting system is that
the financial transactions for which the system must account be ade-
quately supported with pertinent documents and source records. These
transactions, and any subsequent adjustments, should be authorized and
executed in accordance with management criteria by personnel acting
within the scope of their authority. . . . These transactions should be re-
corded in the accounts promptly and accurately . . . Thus, information
should be captured in the accounting records simultaneously with or
immediately following the event that gave rise to the transaction.

All transactions, including those which are computer-generated and
computer-processed, must be referenced to individual source records.
Referencing must be done in a manner that enables tracing or replicat-
ing a transaction from its source to the resulting record or report, and
from the resulting record or report to the source, or by tracing indirect-
ly . . .

In the case of computer-generated transactions, verification of amounts
recorded or reported requires (a) reviews of systems documentation,
such as edit routines and decision criteria in program listings, to gain
an understanding of the events which generate transactions, and (b) ref-
erence to master files, data base records, detailed listings of computer
media work files, or input transactions which trigger the computer-gen-
erated transactions.

b. Reconciliation

General ledger balances must be reconciled with subsidiary accounts
and records, either manually or by the computer, in a timely manner.
Regularly scheduled reconciliation . . . helps to substantiate and main-
tain the accuracy of account postings and balances . . .

c. Transaction Processing/Production Control

Agency accounting systems, whether automated or manual, must con-
tain internal controls which operate to prevent, detect, and correct er-
rors and irregularities which may occur anywhere in the chain of
events from transaction authorization to issuance of reports. The con-
trols can be generally thought of as covering the functions of transac-
tion authorization and approval, data preparation and validation, input,
communications, processing, storage, output, error resolution and re-en-
try of data, and file or data base quality maintenance. . . .

In automated systems, controls are usually classified as ``general'' or
``application-specific'' controls. General controls are those that affect
the agency's data processing operations across-the-board . . . Applica-
tion-specific controls are those related to a particular activity or subsys-
tem, such as requirements that payroll transactions can be entered only
at certain terminals. Typically, application controls are considered in
terms of input, processing, and output.

Input controls should detect unauthorized, incomplete, duplicate, or
otherwise erroneous transactions and ensure they are controlled until
corrected. Processing controls should provide reasonable assurance that
all transactions have been processed and that the application processing
was correct, using correct file data, operator procedures, and process-
ing logic. Output controls provide reasonable assurance that the output
is complete, correct, and distributed only to authorized users.

Closely related to controls over input, processing, and output are con-
trols over data communication and data storage and retrieval. Data com-
munication controls help ensure that the integrity and confidentiality of
messages (data) transmitted by communication lines . . . are main-
tained. In addition, data storage and retrieval controls help to ensure
that the files are protected from loss, destruction, and unauthorized
changes, and that only the correct and latest version of data and pro-
gram files are used during processing. . . .

While the particular procedures and records used to effect these con-
trols are left to each agency, agency systems (whether automated or
manual) should include internal controls, where appropriate, that pre-
vent or detect the following kinds of situation:

-- failure to record a transaction,

-- incorrect or incomplete recording of a transaction,

-- duplicate recording of a transaction,

-- loss of a transaction document in handling,

-- incorrect entry of data at a terminal,

-- processing of unauthorized or incorrect data,

-- directly changing account/master file/data base records without
an authorized transaction,

-- use of a superseded or test version of a program rather that the
current production version,

-- use of a wrong file or record in processing,

-- unauthorized file maintenance transactions (which have a finan-
cial impact),

-- use of an incorrect value in internal tables,

-- incorrect default value,

-- input of incorrect program parameters,

-- unauthorized use of programs which bypass normal program
controls and edits,

-- incorrect or incomplete processing logic,

-- abnormal interruption of the application processing run,

-- destruction of part or all of a file during processing,

-- data base errors,

-- out-of-balance conditions, and

-- data errors caused during data transfer between interfacing sys-
tems.

Since most transactions . . . can be heavily automated . . . initial and
periodic testing of the adequacy and accuracy of the transaction
processing software is necessary . . .

d. Error Handling

Systems must provide procedures for control over errors to ensure that,
once errors are detected, (1) corrections are made in a timely manner
and re-entered into the appropriate processing cycle, (2) corrections are
made only once, and (3) the correction itself is validated.

The disposition of erroneous transactions depends on the type of trans-
action, the data item in error, or other control considerations. The possi-
bilities include (1) the entire transaction is rejected and returned to its
originator for correction and re-submission, or (2) the transaction is
held in a suspense file . . . Procedures should be established for periodi-
cally analyzing reasons for errors and rejected transactions by type and
source so that management may ensure that appropriate corrective ac-
tion is taken.

e. Control Over Output

Output distribution should be controlled to ensure that only properly au-
thorized personnel receive reports or other output. Prior to distribution,
output should be checked for such things as completeness, agreement
of control totals, proper labeling, and appropriate number of copies. If
feasible, a cross-check with output from related programs should be
done. . . .

f. Verifying File Data

The correctness or integrity of file data depends on the quality of the
original file and the quality of subsequent processing affecting that file.
Since data quality can deteriorate over time, systems should provide
maintenance procedures to help ensure the continuing quality of files.
Methods for maintaining file quality include the scanning of file con-
tents by a computer program which reviews data items against criteria
similar to those used during validation of input data. . . .

g. System Security and Integrity

To help ensure continued and authorized processing and protection of
information, systems must include procedures and controls which pro-
tect hardware, software, data, and documentation from physical dam-
age . . . and from unauthorized access whether inadvertent or deliber-
ate. . . .

The integrity and confidentiality of the system's data and software
must also be protected from accidental or malicious modification, de-
struction, or unauthorized disclosure. . . . Therefore, controls over per-
sonnel selection, placement, job rotation, and vacation requirements for
critical or sensitive positions are important. In addition, the agency
must ensure continuing availability of information processing by pro-
viding backup, recovery, and retention procedures encompassing hard-
ware, personnel, supplies, software, data, and vital documentation. . . .

3. Accounting System Maintenance

Agency accounting systems are dynamic. They are subject to changing re-
quirements throughout their useful lives due to changes in related technolo-
gy, agency programs, funding, personnel, etc. Reaction to changing require-
ments as well as the activities which carry out day-to-day operations can be
termed system maintenance. Management should have sufficient involvement
to ensure that despite such changes, the system's stability is maintained. Sta-
bility of the system, in one context, exists when the computer software has
been debugged and performs as intended. In a second context, it is main-
tained when successful application of management policies and procedures
for control of changes in application software, improved compilers, changes
in hardware, and training . . . operate to protect against communication prob-
lems, data entry failures, and user negligence. . . .

Procedures for controlling changes should require rigorous analysis of re-
quested changes. Formally approved and documented change procedures
help to protect against fraudulent or otherwise unauthorized changes . . .

4. Accounting System Reviews and Evaluations

Another consequence of the dynamic nature of accounting systems is the
need for periodic reviews and tests of their operations. These are critical to
ensure that the system and its controls and security features continue to meet
user needs, perform as intended, and conform with applicable accounting
standards. . . .

Tests should be designed to disclose whether valid transactions are processed
properly and whether the system rejects invalid transactions. The tests should
cover the entire flow of transactions from initial authorization through
processing, posting to the accounts, and reporting. . . .

Agencies will need to exercise judgment in determining which tests would
be appropriate for their systems. Also, agencies may adopt evaluation poli-
cies which provide for more comprehensive evaluations on some cyclical ba-
sis. . . .

A.12.1 Cross-References and Comments

TABLE A-25. GAO Policy and Procedures Manual, Title 2 - Accounting-Cross-References

Section

Security Policy

MAC

DAC

Marking

Accountability

Assurance

Fault Tolerance

II-A(1-5)

X

X

X

X

X

II-B(1-6)

X

X

X

X

X

X

II-C

X

II-D(4-5)

X

X

X

X

X

II-E(1)

X

II-E(2)

X

II-E(3)

X

X

X

X

II-E(4)

X

X

X

X

II-E(5)

X

II-E(6)

X

X

X

X

X

X

III-B

X

X

X

X

X

III-B(1)

X

III-B(2)(a)

X

X

X

III-B(2)(b)

X

X

III-B(2)(c)

X

X

X

III-B(2)(d)

X

X

X

III-B(2)(e)

X

X

X

III-B(2)(f)

X

X

X

III-B(2)(g)

X

X

X

X

III-B(3)

X

III-B(4)

X

II-A(1-5)

[Security Policy] These general standards for internal control should be reflected in the
security policy. In particular, specific control objectives are to be identified and enforc-
ing control techniques are to be applied. Logical, applicable, and reasonably complete
control objectives must be identified or developed. Internal control techniques are to be
effective and efficient. [MAC, DAC, Marking] A key aspect of these standards is the re-
quirement for competence in performing assigned duties. Personnel should be identified
with levels of competence that reflect the expectations one has for their performance
and accountability. This implies that system support must exist to provide separation of
levels of competency. Implementation of the abstractions of ``roles'' and ``duties'' may
suffice in providing such support. [Assurance] Internal controls are designed to provide
assurance for the proper operations of the system. Reasonable assurance should be de-
fined in terms of cost effectiveness.

II-B(1-6)

[Security Policy] These specific standards for internal control should be reflected in the
security policy. In particular (a) the requirements for transaction or event-execution au-
thorization, (b) controls to ensure that individuals are only acting within the scope of
their authority, (c) separation of duties and responsibilities among individuals, and (d)
the requirement for qualified and continuous supervision-should be incorporated into the
security policy. [MAC, DAC, Marking] In order to separate the key duties and responsi-
bilities of individuals, those duties must be identified and bound to objects upon which
transactions can be authorized, processed, recorded, or reviewed. These identifying mark-
ings should be sufficient to ensure the intent of separation is enforced. The implementa-
tion of ``roles'' and ``duties'' via typing mechanisms may suffice in providing such sup-
port. [Accountability] The recording of specified actions for which individuals are to be
held accountable should be accomplished on a continuous basis. The recorded account
shall be periodically reconciled and shall be compared to the external entities that the ac-
count represents. The periodicity of such comparison shall be a function of the vulnera-
bility of the external entities. [Assurance] Documentation of sensitive events is required
to provide assurance that all such events have been identified, and to assure that proper
controls exist and can be properly applied before, during, and/or after the execution of
such events.

II-C

[Accountability] The need to evaluate audit data and act on the evaluation findings
promptly is specified and the requirement to set time bounds on resolving audit issues is
established.

II-D(4-5) [Security Policy, MAC, DAC, Marking] An agency must be able to (a) identi-
fy and group related activities into specific categories, and (b) specify control objectives
for the (event) cycles characterized by those categories. Control techniques must be im-
plemented to realize the control objectives. Implementation of the abstractions of
``roles'' and ``duties'' enable a system to group related activities and resources, and also
provide support for policy enforcement. [Assurance] A high degree of assurance that
control objectives are being met is required.

II-E(1)

[Assurance] The existence of sensitive information or sensitive applications must be de-
termined and documented. Documentation is to be readily available.

II-E(2)

[Accountability] Transactions and other significant events must be promptly recorded
and classified.

II-E(3)

[Security Policy, MAC, DAC, Marking] It is implied that system support must exist to
provide separation of areas of authority. Implementation of the abstractions of ``roles''
and ``duties'' provides such support.

II-E(4)

[Security Policy, MAC, DAC, Marking] Key duties and responsibilities must be separat-
ed among individuals. The systematic assignment of duties and responsibilities is re-
quired. The implementation of the abstractions of ``roles'' and ``duties'' provides support
for separating mechanisms for authorizing, processing, recording, and reviewing of trans-
actions in a systematic manner.

II-E(5)

[Assurance] Qualified and continuous supervision is to be provided.

II-E(6)

[Security Policy, MAC, DAC, Marking] Access to resources is to be limited to author-
ized individuals. Implementation of the abstractions of ``roles'' and ``duties'' provides
support for constraining authorization as well as constraining access. [Accountability]
Accountability for the custody and use of resources is to be assigned and maintained.
[Assurance] Periodic verification of recorded accountability with reality must be made.

III-B

[Security Policy, MAC, DAC, Marking] Standardization of definitions and data elements
is required. Implementation of the abstractions of ``roles'' and ``duties'' provides stand-
ardization capabilities. Control procedures must be uniform. [Assurance] Reasonable
safeguards and periodic reviews are required.

III-B(1)

[Assurance] Structure of the system must ensure proper and consistent controls are possi-
ble. Implementation of the abstractions of ``roles'' and ``duties'' provides one approach
to such structuring.

III-B(2)(a)

[Security Policy] Transactions should be authorized and executed in accordance with
management criteria. Transactions should be recorded promptly and accurately. [Ac-
countability, Assurance] Referencing and tracing requirements are outlined. These re-
quirements imply that where automated transactions replace the source documents or
``safety paper,'' concepts such as digital signatures, non-repudiation, assured service,
fault tolerance, error control, etc., must be considered. Verification of recorded values is
required.

III-B(2)(b)

[Accountability, Assurance] Balances must be reconciled with subsidiary accounts and
records. Accuracy must be substantiated and maintained.

III-B(2)(c)

[Security Policy] The requirement to address application-specific security policy con-
cerns is cited. A large number of representative situations in which controls are required
are cited. Preventive and/or detective controls are required for these situations. [Assur-
ance, Fault Tolerance] Controls to ensure fault detection and/or fault tolerant input,
processing, and output are required. Reasonable assurance that input, processing, and
output events are adequately controlled is required. Reliable communication and reliable
file storage are required.

III-B(2)(d)

[Security Policy] The security policy must address how transaction errors are to be han-
dled. In particular, it must address whether errors abort the transaction completely or
whether fault detective and/or fault tolerant mechanisms can or should be employed. Er-
rors should be detected as close as possible or practicable to their injection into the sys-
tem, and must be resolved in a timely manner. [Assurance, Fault Tolerance] Error correc-
tion must take place only once and the correction itself must be validated.

III-B(2)(e)

[Security Policy] Output should be distributed only to authorized personnel. [Marking]
Output media should be properly labeled to reflect sensitivity, distribution restrictions,
copy numbers, etc. [Assurance] Verification of output is required, if feasible.

III-B(2)(f)

[Security Policy] Appropriate standards of quality must be specified against which quali-
ty attributes of data can be assessed. Timing aspects with respect to data quality must be
addressed in the security policy. For example, the frequency of updates, allowable lag
time from input to processing, and the serialization of data and events must be ad-
dressed. [Marking] Time sensitivities must be represented in the system as an attribute
of data objects. [Assurance] Maintenance procedures to help ensure the continuing quali-
ty of files is required. Conformance to quality standards must be ensured. This implies
verification of internal values and attributes with external facts via periodic reviews and
reconciliation.

III-B(2)(g)

[Security Policy, MAC, DAC, Marking] A system's data and software must be protected
from accidental or malicious modification, destruction, and unauthorized disclosure. Con-
trols over personnel and job assignment are required. Issues such as rotation of duties,
authorization overrides, and temporary authorization must be considered. Implementa-
tion of the abstractions of ``roles'' and ``duties'' provides support for such features.

III-B(3)

[Assurance] A well-disciplined configuration management and version control system is
required. Procedures for controlling changes to systems require rigorous analysis and
documented and formally-approved change procedures.

III-B(4)

[Assurance] Periodic reviews are required. These reviews are directed towards determin-
ing whether a system and its controls and security features meet user needs, perform as
intended, and conforms to standards. Functional testing of control features must extend
to application subsystems. Control objective testability is implied.

A.13 DoD Directive 5010.38-Internal Management Control Program

This directive establishes the DoD program for Internal Management Control (IMC),
incorporating guidance under 31 U.S.C. 3512 (also referred to as PL 97-255, Federal
Managers' Financial Integrity Act of 1982); OMB Circular A-123 (Internal Control
System); OMB Guidelines for the Evaluation and Improvement of and Reporting on
Internal Control Systems in the Federal Government; and GAO Standards for Internal
Control in the Federal Government. This Directive provides policy, prescribes
procedures, and assigns responsibilities.

DoD internal management control (IMC) is ``the plan of organization, methods, and
procedures adopted by management to provide reasonable assurance that the objectives
of [FMFIA 1982] are met'' [DoD 5010.38-D, Encl.2(7)]. IMC is intended to safeguard
resources, assure the accuracy and reliability of information, assure adherence to
applicable laws, regulations, and policies, and promote operational economy and
efficiency. IMC systems are not separate from, but are integral to, systems used to
operate programs and functions. As such, IMC within the DoD is equivalent to the more
prevalent term ``internal controls.''

The following table contains selected sections of DoD Directive 5010.38. The cross-
reference table and comments appear in the next section.

TABLE A-26. DoD Directive 5010.38-Selected Source Text

A. Re-issuance and Purpose

1. This Directive reissues [DoD 5010.38-D of July 16, 1984] to:

a. Establish the DoD program for Internal Management Control (IMC).

b. Incorporate guidance under references [FMFIA 1982], [OMB A-123], . . .
, and [GAO 1983].

c. Provide policy, prescribe procedures, and assign responsibilities.

D. Policy

1. Each DoD Component shall implement a comprehensive system for IMC that
provides reasonable assurance that:

a. Obligations and costs comply with applicable law.

b. Assets are safeguarded against waste, loss, unauthorized use, and misap-
propriation.

c. Revenues and expenditures applicable to DoD operations are recorded and
accounted for properly to permit the preparation of accounts and reliable fi-
nancial and statistical reports, and to maintain accountability over the assets.

d. Programs and administrative functions are efficiently and effectively car-
ried out in accordance with applicable law and management policy.

e. IMC systems emphasize prevention of waste, fraud mismanagement, and
timely correction of specific weakness.

Enclosure 2. Definitions

5. Event Cycle. A series of steps taken to get something done. Any program or
function performed within an organization contains such processes used to start
and perform related activities, create necessary documentation, and gather and re-
port related data.

15. Material Weakness. Specific instances of noncompliance with the FMFIA of
sufficient importance to be reported to the next higher level of management. Such
weakness significantly impairs the fulfillment of a DoD Component's mission; de-
prives the public of needed services; violates statutory of regulatory requirements;
significantly weakens safeguards against fraud, waste, or mismanagement of funds,
property. or other assets; or results in a conflict or interest. (See enclosure 4 for
further information.)

Enclosure 4. Guidance in Applying the Definition of Material Weakness

B. Discussion of Material Weakness Definition . . .

1. A material weakness in DoD's system of internal management controls
may be due to lack of an applicable control, or more frequently, inadequate
compliance with existing controls. These controls deal with all program and
administrative functions; they are not limited to financial or accounting mat-
ters. . . .

2. In addition to the basic characteristics of a material weakness described in
sections A. and B., above, the final determination to categorize an internal
control weakness as material results from management judgment about the
relative impact of the weakness. For example, scoring each of the following
considerations as ``significant'' or ``insignificant'' might help a manager in de-
termining whether the absence of or noncompliance with a control is a mate-
rial weakness.

a. Actual or potential loss or resources.

b. Sensitivity of the resources involved.

c. Magnitude of funds, property, or other resources involved.

d. Frequency of actual and/or potential loss.

e. Current or probable media interest (adverse publicity).

f. Current or probable Congressional interest (adverse publicity).

g. Unreliable information causing unsound management decisions.

h. Diminished credibility or reputation of management.

i. Impaired fulfillment of essential mission.

j. Violation of statutory or regulatory requirements.

k. Impact on information security.

l. Deprived the public of needed Government services.

A.13.1 Cross-References and Comments

TABLE A-27. DoD Directive 5010.38-Cross-References

Section

Security Policy

MAC

DAC

Marking

Accountability

Assurance

Fault Tolerance

D(1)(a-e)

X

Encl.4(B)(1)

X

Encl.4(B)(2)(a-l)

X

D(1)(a-e)

[Security Policy] Policies and guidance stipulated under [FMFIA 1982], [OMB A-123],
and [GAO 1983, GAO Title 2, App.II] are promulgated to DoD components.

Encl.4(B)(1)

[Security Policy] This broadens the scope of controls to include all programs and admin-
istrative functions.

Encl.4(B)(2)(a-l)

[Security Policy] All of these categories have some effect on the degree of integrity
which needs to be provided by information systems which are directly involved with pri-
mary functions, or support those functions. Some of these include ways in which the
``value'' of information can be determined in non-monetary ways. Material weakness,
such as those cited, provide specific effects of system failure or non-compliance with
policy. The controls implementing a policy should be examined for specific weaknesses
that might be presented should a control failure occur in an event cycle. ``Material weak-
ness'' was previously defined in Encl.2(15) of the Selected Source Text.

A.14 DoD Directive 5200.28-Security Requirements for Automated Informa-
tion Systems

This Directive establishes uniform policy for protecting classified data that is stored,
processed, used, communicated, displayed, or disseminated via AISs. In addition, this
Directive provides for the application of access and distribution controls for classified
data beyond those required by security classification. A stated objective of this Directive
is to establish that the reliability, integrity, and operation of AISs are enhanced by the
imposition of controls which satisfy classification requirements. Significantly, this
Directive states that increased AIS reliability and integrity features are necessary for (a)
the dependable enforcement of confidentiality policy for classified information, and (b)
the prevention of unauthorized manipulation of computers and peripherals.

The following table contains selected sections of DoD Directive 5200.28. The cross-
reference table and comments appear in the next section.

TABLE A-28. DoD Directive 5200.28-Selected Source Text

D. Policy

It is DoD policy that:

1. Classified information and sensitive unclassified information shall be safeguard-
ed at all times while in AISs. Safeguards shall be applied so that such information
is accessed only by authorized persons, is used only for its intended purpose, re-
tains its content integrity, and is marked properly as required. When classified in-
formation is involved, the information security requirements in [DoD 5200.1-R]
shall be met.

2. Unclassified information while in AISs shall be safeguarded against tampering,
loss, and destruction and shall be available when needed. . . . Suggested safe-
guards for unclassified information are in OMB Circular No. A-130, and include
applicable . . . controls.

3. The safeguarding of information and AIS resources (against sabotage, tamper-
ing, denial of service, espionage, fraud, misappropriation, misuse, or release to un-
authorized persons) shall be accomplished through the continuous employment of
safeguards . . . .

4. The mix of safeguards selected . . . shall ensure the AIS meets the minimum re-
quirements as set forth in enclosure 3 [see below]. . . .

5. Computer security features of commercially produced products and Government-
developed or -derived products shall be evaluated (as requested) for designation as
trusted computer products for inclusion on the Evaluated Products List (EPL).
Evaluated products shall be designated as meeting security criteria maintained by
the National Computer Security Center (NCSC) . . . described in DoD 5200.28-
STD [TCSEC 1985].

Enclosure 3. Minimum Security Requirements

A. Minimum Security Requirements. The following minimum requirements shall be met
through automated or manual means in a cost-effective manner and integrated fashion:

1. Accountability.There shall be in place safeguards to ensure each person having
access to an AIS may be held accountable for his or her actions on the AIS. There
shall be an audit trail providing a documented history of AIS use. The audit trail
shall be of sufficient detail to reconstruct events in determining the cause or magni-
tude of compromise should a security violation or malfunction occur. To fulfill
this requirement, the manual and/or automated audit trail shall document the fol-
lowing:

a. The identity of each person and device having access to the AIS.

b. The time of the access.

c. User activity sufficient to ensure user actions are controlled and open to
scrutiny.

d. Activities that might modify, bypass, or negate safeguards controlled by
the AIS.

e. Security relevant actions associated with periods processing or the chang-
ing of security levels or categories of information.

DAAs [Designated Approval Authorities] shall cause a review to be made of
audit trails associated with the AIS(s) over which the DAAs have cognizance
to determine an adequate retention period for the audit information. The deci-
sion to require an audit trail of user access to a stand-alone, single-user AIS
(e.g., personal computer (PC), memory typewriter, drafting machine) should
be left to the discretion of the DAA.

2. Access. There shall be in place and access control policy for each AIS. It shall
include features and/or procedures to enforce the access control policy of the infor-
mation within the AIS. The identity of each user authorized access to the AIS
shall be established positively before authorizing access.

3. Security Awareness and Training. There shall be in place a security training and
awareness program with training for the security needs of all persons accessing the
AIS. The program shall ensure that all persons responsible for the AIS and/or in-
formation, therein, and all persons who access the AIS are aware of proper opera-
tional and security-related procedures and risks.

4. Physical Controls. AIS hardware, software, and documentation, and all classi-
fied and sensitive unclassified data handled by the AIS shall be protected to pre-
vent unauthorized (intentional or unintentional) disclosure, destruction, or modifica-
tion (i.e., data integrity shall be maintained). The level of control and protection
shall be commensurate with the maximum sensitivity of the information and shall
provide the most restrictive control measures required by the data to be handled.
This includes having personnel, physical, administrative, and configuration con-
trols. Additionally, protection against denial of service of AIS resources (e.g., hard-
ware, software, firmware, and information) shall be consistent with the sensitivity
of the information handled by the AIS. Unclassified hardware, software, or docu-
mentation of an AIS shall be protected if access to such hardware, software, or
documentation reveals classified information, or access provides information that
may be used to eliminate, circumvent, or otherwise render ineffective the security
safeguards for classified information. Software development and related activities
(e.g., systems analysis) shall be controlled by physical controls (e.g., two-person
control) and protected when it is determined that the software shall be used for
handling classified or sensitive unclassified data.

5. Marking. Classified and sensitive unclassified output shall be marked to accu-
rately reflect the sensitivity of the information. Requirements for security classifica-
tion and applicable marking for classified information are set forth in [DoD 5200.1-
R]. The marking may be automated (i.e., the AIS has a feature that produces the
markings) or may be done manually. Automated markings on output must not be
relied on to be accurate, unless the security features and assurances of the AIS
meet the requirements for a minimum security class B1 as specified in DoD
5200.28-STD [TCSEC 1985]. If B1 is not met, but automated controls are used,
all output shall be protected at the highest classification level of the information
handled by the AIS until manually reviewed by an authorized person to ensure
that the output was marked accurately with the classification and caveats. All me-
dia (and containers) shall be marked and protected commensurate with the require-
ments for the highest security classification level and most restrictive category of
the information ever stored until the media are declassified (e.g., degaussed or
erased) using a DoD-approved methodology set forth in the DoD AIS Security
Manual [DoD 5200.28-M], on unless the information is declassified or downgrad-
ed in accordance with [DoD 5200.1-R].

6. Least Privilege. The AIS shall function so that each user has access to all of the
information to which the user is entitled (by virtue of clearance, formal access ap-
proval), but to no more. In the case of ``need-to-know'' for classified information,
access must be essential for accomplishment of lawful and authorized Government
purposes.

7. Data Continuity. Each file or data collection in the AIS shall have an identifia-
ble source throughout its life cycle. Its accessibility, maintenance, movement, and
disposition shall be governed by security clearance, formal access approval, and
need-to-know.

8. Data Integrity. There shall be safeguards in place to detect and minimize inad-
vertent modification or destruction of data, and detect and prevent malicious de-
struction or modification of data.

9. Contingency Planning. Contingency plans shall be developed and tested in ac-
cordance with OMB Circular No. A-130 [OMB A-130] to ensure that AIS security
controls function reliably and, if not, that adequate backup functions are in place
to ensure that security functions are maintained continuously during interrupted
service. If data is modified or destroyed, procedures must be in place to recover.

10. Accreditation. Each AIS shall be accredited to operate in accordance with a
DAA-approved set of security safeguards.

11. Risk Management. There should be in place a risk management program to de-
termine how much protection is required, how much exists, and the most economi-
cal way of providing the needed protection.

A.14.1 Cross-References and Comments

TABLE A-29. DoD Directive 5200.28-Cross-References

Section

Security Policy

MAC

DAC

Marking

Accountability

Assurance

Fault Tolerance

D(1)

X

X

D(2)

X

X

X

D(3)

X

X

X

D(4)

X

X

X

X

X

D(5)

X

Encl.3(A)(1-11)

X

D(1)

[Security Policy] Classified information must only be used for its intended purpose and
must retain its content integrity. Hence, arbitrary operations outside the scope of an indi-
vidual's authority on instances of classified data should not be allowed. [Marking] This
further implies that the information must be identified in terms of state attributes which
allow judgement to be made as to the retention of content integrity.

D(2)

[Security Policy] In general, unclassified information is to be considered an asset and
should be protected from tampering, loss, and destruction. [Assurance, Fault Tolerance]
Information shall be available when needed.

D(3)

[Security Policy] AIS resources, including classified and unclassified systems and infor-
mation, must be protected from unauthorized modifications. The prevention of fraud im-
plies that controls shall exist to limit actions of authorized users. [Assurance, Fault Toler-
ance] Protection of systems and information must be continuous.

D(4)

[Security Policy] The minimum requirements for data integrity includes safeguards to de-
tect and minimize erroneous modifications, and to detect and prevent malicious modifica-
tions. A risk reduction policy is called for in minimizing possible damage. [MAC, DAC,
Marking] Prevention of malicious modifications implies controls on authorization. [Ac-
countability] The detection of erroneous and malicious modifications is called for.

D(5)

[Assurance] Trusted systems shall be used in the protection of information.

Encl.3(A)(1-11)

[Security Policy] The minimum security requirements for AISs are specified.

A.15 DoD Directive 7740.1-DoD Information Resources Management Pro-
gram

This Directive implements the policies stated in Public Law 96-511, Paperwork
Reduction Act of 1980 and establishes the DoD Information Resources Management
(IRM) Program. IRM is defined as ``the policy, action, or procedure concerning
information (both automated and non-automated) that management establishes to serve
the overall current and future needs of the organization. IRM policy and procedures
address such areas as availability, timeliness, accuracy, integrity, privacy, security,
auditability, ownership, use, and cost-effectiveness of information'' [DoD 7740.1-D,
Encl.2(3)]. A list of DoD policy issuances related to these functions is included in DoD
Directive 7740.1 [Encl.1]. However, because this Directive was issued in 1983, some of
these policy issuances are either dated or have been superseded. This Directive applies
to DoD information management activities including such areas as information
technology, data elements, information collection, privacy of records, information
security, statistical activities, forms, reports, and records.

The following table contains selected sections of DoD Directive 7740.1, used for cross-
referencing the source material and the affected control objectives. The cross-reference
table and comments appear in the next section.

TABLE A-30. DoD Directive 7740.1-Selected Source Text

A. Purpose

This Directive:

1. Establishes the DoD Information Resources Management (IRM) Program to pro-
mote coordinated and integrated information management functions and imple-
ments [PRA 1980].

B. Applicability and Scope

2. Its provisions cover the information management activities of information tech-
nology, data elements, information collection, privacy of records, information secu-
rity, statistical activities, forms, reports, and records. . . .

3. Its provisions cover the management of information within the Department of
Defense, as well as information provided to and received from government agen-
cies and information received from the public.

D. Policy

It is the policy of the Department of Defense to implement IRM aggressively in
ways that enhance mission performance through the effective, economic acquisi-
tion and use of information.

E. Procedures

In achieving the above policy, it is necessary that efforts be directed toward proce-
dures that are designed to:

1. Support DoD operations and decision making with information that sufficiently
meets the need in terms of availability, accuracy, timeliness, and general quality.

2. Provide for the economic and effective acquisition of information resources em-
phasizing maximum practicable competition and lowest total overall cost consist-
ent with mission requirements.

3. Structure information systems in ways that encourage horizontal, as well as ver-
tical, sharing of information within the Department of Defense, with other govern-
ment agencies, and with allied nations, consistent with security and privacy require-
ments.

4. Ensure that information planning becomes an integral part of the management
process at all levels.

5. Require user responsibility and accountability in the development of effective in-
formation systems.

6. Manage information, information technology, and information systems using a
disciplined approach from inception through acquisition and use until discontinu-
ance.

7. Use regular reviews and evaluations to identify opportunities for improvement,
to increase the usefulness of information, to reduce the cost of information activi-
ties, and, in general, to further DoD IRM Program goals and objectives.

8. Create a broad awareness of IRM concepts and practices and provide necessary
training.

9. Organize and integrate information management functions to accomplish mis-
sion goals.

10. Collect information that is non-duplicative and that supports essential needs in
a cost-effective manner.

11. Establish and maintain effective working relationships within the Department
of Defense and with Congress and the federal central management agencies, such
as the Office of Management and Budget (OMB), the General Services Administra-
tion (GSA), and the General Accounting Office, with respect to IRM matters.

12. Encourage users and information managers to plan effectively for the sustaina-
bility and readiness of information resources in both peacetime and wartime condi-
tions.

A.15.1 Cross-References and Comments

TABLE A-31. DoD Directive 7740.1-Cross-References

Section

Security Policy

MAC

DAC

Marking

Accountability

Assurance

Fault Tolerance

D

X

E(1)

X

X

X

X

E(3)

X

X

X

X

X

E(5)

X

X

E(6)

X

X

E(7)

X

X

E(8)

X

X

E(10)

X

X

E(12)

X

X

D

[Security Policy] Information acquisition and use must be effective, economic, and must
serve to enhance mission performance.

E(1)

[Security Policy] Operations and decision making must be supported by information sys-
tems. Requirements for information accuracy, timeliness, and quality imply the need to
implement system features that control these attributes in accordance with specified poli-
cy. [Marking] The control of these attributes may require marking of data objects to sup-
port implementation. [Assurance] The effectiveness of the control features in maintain-
ing these attributes within specifications shall be assessed. [Fault Tolerance] The require-
ment for information availability implies fault tolerant features.

E(3)

[Security Policy] The Security Policy must address the horizontal and vertical sharing of
information. [MAC, DAC] The requirement for both vertical and horizontal sharing of
information implies the need for access control features. The simultaneous sharing of in-
formation between vertical and horizontal DoD components may require a more rigor-
ous specification of authorization, as is represented by the abstractions of ``roles'' and
``duties.'' [Marking] The establishment of information sharing agreements must include
confirmation that the receiving DoD component can mark and protect the shared infor-
mation as required by the providing component. If such protection is not possible, then
the providing component must determine the need to desensitize the information to the
degree commensurate with the maximum protection capabilities of the receiving compo-
nent prior to actual sharing. [Accountability] The receiving component should be ac-
countable for the protection of any shared information it receives. The providing compo-
nent is accountable for the sharing of sensitive information for which the receiving com-
ponent does not have the capabilities to protect.

E(5)

[Security Policy] Information systems which are developed by DoD components must
be effective relative to specific mission requirements. [Accountability] Individuals in-
volved in the development (and maintenance) of information systems are to be held ac-
countable for the effectiveness of those systems.

E(6)

[Security Policy] Systems, information technology, and information must be managed
with discipline throughout their respective life cycles. [Assurance] Measures must be im-
plemented to assure that proper controls exist throughout the life cycle of all informa-
tion resources.

E(7)

[Security Policy, Assurance] Continuous improvement in information life cycle manage-
ment is required. Review and evaluation processes must be integrated into life cycle
management to enable the identification of improvement opportunities. Review and eval-
uation processes are essential to ensure that overall goals and objectives associated with
information systems are being met.

E(8)

[Security Policy] Security training must be integrated into information life cycle manage-
ment. [Assurance] Training is an essential assurance measure.

E(10)

[Security Policy] Specific component policies regarding information sharing and elimina-
tion of duplication should be established. [Assurance] Cost effectiveness can only be de-
termined by weighing the benefits of sharing data against the associated risks and the
costs incurred in countering those risks. This implies that a thorough risk analysis must
be performed.

E(12)

[Security Policy] Plans for the sustainability and readiness of information resources are
required. [Assurance] Contingencies should not only be planned for but also routinely
exercised whenever practicable.

A.16 DoD 7740.1-G-DoD ADP Internal Control Guideline

This Guideline incorporates the provisions of the Federal Managers' Financial Integrity
Act and OMB Circulars A-123, A-127, and A-130, and provides guidance on
implementing DoD Directives 5010.38, 7740.1, and 5200.28. It incorporates the ``Model
Framework for Management Control over Automated Information Systems,'' developed
by the President's Council on Management Improvement and the President's Council on
Integrity and Efficiency. This document provides guidance for implementing an AIS
internal control program and is issued under the authority of DoD Directive 7740.1, DoD
Information Resources Management Program. The Guideline [DoD 7740.1-G, p. 1-4]
provides the following definition of AIS internal control for the Department of Defense:

The steps taken within each DoD program and administrative function consisting of the
plan of organization and all of the methods and techniques used to safeguard AIS re-
sources and provide reasonable assurance of the accuracy and reliability of computer-
based input, processing and output; ensure the adherence to applicable laws, regulations
and policies; and promote the effectiveness, efficiency and economy of AIS operations
and systems.

The Guideline provides general guidance which can be tailored to meet the specific
requirements under the Internal Management Control Program, a mandatory program
for all DoD Components. However, compliance to the program under this Guideline
must be comprehensive, addressing all relevant sections. This document is intended to
(1) assist managers, users, and developers in conducting risk assessments, (2) provide a
framework for management control efforts, and (3) serve as a reference for AIS control
techniques. Table 3.1 of the Guideline contains a set of 55 system control requirements
cross-referenced with the most important of the policy documents. This table is
reproduced in Appendix B of this document.

The following table contains selected sections of the Guideline. Because of its
comprehensive nature, only a small portion of the Guideline is included. The Guideline
should be consulted for required details. The cross-reference table and comments appear
in the next section.

TABLE A-32. DoD Guideline 7740.1-G-Selected Source Text

Chapter 1 Introduction

A. Background

1. The Department of Defense (DoD) depends increasingly on automated informa-
tion systems (AISs). . . . These systems are vulnerable to fraud, waste, and abuse.
A few examples include:

· unauthorized access and disclosure of classified, privacy, and proprietary
records and/or data,

· diversion of payments to unauthorized parties,

· use of computers for personal matters, and

· disruption and loss of computerized records and/or transactions.

D. Objectives of the Guideline

There are six (6) basic objectives:

1. Assist AIS managers and users in understanding their responsibilities and re-
quirements to develop AIS internal management controls as required by OMB Cir-
cular A-123 and by the current DoD Directive 5010.38, DoD Directive 7740.1,
and DoD Directive 5200.28 . . .

2. Provide a vehicle for the education and training of managers so they may have
a working understanding of AIS internal management controls.

3. Notify components of a requirement for a 5-year Management Control Plan
(MCP) to be developed annually.

4. Delineate responsibilities for managers in either monitoring large AIS systems
and assets or conducting internal control reviews and alternative review, such as in-
ternal audits, inspections, investigations, studies, and computer security reviews.

5. Help to ensure that internal controls receive appropriate attention, emphasis, and
resources in the automated information system life cycle, to include development,
modification, operation and records management concerns.

6. Show managers how to protect their operations by providing AIS internal con-
trol techniques and procedures for conducting risk assessments.

Chapter 2 - System Controls Conceptual Framework

A. Introduction

1. This chapter presents a conceptual framework for instituting and maintaining in-
formation system controls. The control framework consists of three elements:

a. Control requirements - the terms used to explain why controls are needed
and/or what their implementation is expected to achieve.

b. Selection and use of control techniques - the definition, selection, and use
of control techniques to satisfy the requirements specified.

c. Areas of control - the terms used to describe how and where control tech-
niques are applied to satisfy basic control requirements.

3. Most control-related activities have traditionally centered on internal control re-
views, risk assessments, and audits of existing automated systems and processes.
While these types of review are needed, they do not necessarily ensure that ade-
quate management controls are built into current and future systems. . . .

4. Fundamentally, automated information systems are developed to support manag-
ers to effectively fulfill their responsibilities. In the Federal Government, automat-
ed information systems perform a wide range of functions that include: making
benefit payments; collecting receivables; and recording and accounting for obliga-
tions, costs, revenues, and expenses. In many cases, these kinds of functions are al-
most completely dependent on automated information systems, thereby creating
many new concerns and risks for management. . . .

5. To address these concerns, managers who operate or use ADP systems should
take actions to eliminate or at least reduce the risks to acceptable levels. All such
actions taken to reduce risks are referred to as ``control techniques'' or, more com-
monly, ``controls.'' The underlying requirement of control over an automated infor-
mation system is to provide reasonable assurance that the information processed
by the system is reliable and properly safeguarded.

6. Management oversees and effects the development, implementation, and use of
automated information systems through a variety of mechanisms, including stand-
ards, budget and procurement review and authorization, and personnel hiring prac-
tices. While existing mechanisms have worked with varying success to ensure that
systems support an organization's mission, they have not always provided reasona-
ble assurance that a system is safe. Systems may improve accuracy, increase pro-
ductivity, or speed service but at the same time be subject to fraud, waste, and
abuse.

B. System Control Requirements

1. Control requirements are established to address a known vulnerability or pro-
mote reliability or security of a system. They can be based on management experi-
ence, vulnerability assessments, other reviews, and/or common sense. Regardless
of why established, control requirements should be as specific as possible and stat-
ed in clear, understandable terms.

2. Four categories of control requirements surfaced in an analysis of the provisions
of the system control directives . . . These are application controls, general con-
trols, administrative controls, and required system functions. While the ongoing
discussion deals with these four categories of control requirements, it should be
recognized here that the operational implementation of a controls program will in-
volve a refining of these requirements into sub-requirements or control objectives.
[See Appendix B of this document].

3. The first category, application controls, are those that help assure that informa-
tion processed is authorized, valid, complete, accurate, and timely. It also contains
requirements that ensure that the system is secure and that an audit trail exists.

4. Compliance with the requirements for application controls has proved the most
elusive for management to meet. Requirement terminology varies among the many
directives, but the intent is the same in all.

5. Three principles are important to note:

a. How information should be handled, once its sensitivity and/or classifica-
tion has been determined, is fairly well established by the regulating agency.

b. The determination of the classification levels for systems and data is a
management responsibility of the sponsoring agency.

c. Once the classification levels are determined by management, the determi-
nations should be systematically applied, and management should be aware
of any exceptions.

6. What the third principle means is that sensitive data in a computer data base
should have the same classification as they are given in a hard copy publication.
Most processes (accounting or otherwise) consist of both manual and automated
portions. Reviews of the process should assess the totality of the process compo-
nents affected, not just a portion of the affected components. Further, management
must be aware that increases in security are almost always accompanied by increas-
es in cost, although some security measures can be implemented with little effort.
Management must be aware of situations when resources are insufficient to pro-
vide the level of protection required, because it is management that must accept
the risk of loss and/or disclosure. Because of the terminology and technical com-
plexities of automated processes, the evidence suggests that managers often dele-
gate these critical decisions to their program and/or technical staff. It is of para-
mount importance that managers fully understand the need for controls, the re-
source implications of controls, and the risks associated with inadequate controls.
These are management's responsibilities and cannot be delegated.

7. The second category, general controls such as cost-benefit analysis and certifica-
tion, are quantifiable and require a product to be created for management review
and/or acceptance. These tools are essential to good management in the develop-
ment and operation of systems by facility managers, users, systems analysts, and
computer programmers. Another essential tool which should be applied by all man-
agers and users is agency record and disposition schedules.

8. The third category, administrative controls such as supportive attitudes or com-
petent personnel, are generally difficult to quantify and have not resulted in the
past in tangible work products within automated information systems.

9. Many of the requirements have become standard operation procedures in some
Federal Agencies, with considerable guidance provided on how they should be met.

10. The last category of control requirements, required systems functions, consists
of mandated features that must be designed and built into a system, such as a par-
ticular access capability.

C. Selection and Use of Control Techniques

1. Control techniques are procedures used to meet control requirements. Control
techniques employed might be preventive, detective, corrective, or a combination
of the three . . .

2. The selection of a control technique should, in most cases, be a group decision
to ensure that it is feasible for the entire system, is understood by all affected, and
comprehensively meets the organization's control requirements. . . .

3. Further, the control selected must be cost-effective. . . . Controls that require
manpower, such as integrity reviews of transactions, can be costly and require a
cost-benefits analysis. This analysis becomes part of the controls documentation.
Decisions on some controls may also require detailed knowledge of controls al-
ready in place. This is especially true of routine controls, such as access controls.
The composition of current access controls may greatly affect the design of any ad-
ditional access controls being contemplated for a particular system.

4. The installation of controls must be accompanied by an effort to provide assur-
ance that the control operates as initially intended. Testing is needed before the
control is implemented, as well as later, to be sure it still fulfills the control re-
quirement. Ongoing reviews might be a part of a management initiative. . . .

5. The controls selected and implemented must have certain characteristics to en-
sure that they are effective. They must be:

a. Clear in purpose - If not understood, controls may not be used and if they
do not have a clear purpose or address a known vulnerability, they are of lit-
tle or no value.

b. Coordinated - Developed in partnership by personnel knowledgeable
about the application, process, computer systems, and control techniques. It
is unlikely that effective, feasible controls can be selected and implemented
unilaterally by, for example, a user, a system analyst, a programmer, or an
auditor.

c. Cost-effective - The cost of the control should not, in general, exceed the
expected benefits. Stated another way, there should be reasonable assurance
that the system is protected from a known risk. If total assurance of control
were possible, it would probably be prohibitively expensive. . . .

d. Documented - The documentation process should be simple, understanda-
ble, clearly link risks to controls, and provide management with assurance
that all reasonable controls are in place. Without some form of documenta-
tion, there is no assurance that all known vulnerabilities are addressed or that
controls are in place.

e. Tested and reviewed - There must be assurance that the controls function
as originally intended. This assurance is needed when the systems first be-
comes operational and also during ongoing operation. Initial controls testing
should normally be done when all other aspects of the system are tested. On-
going testing and review might be done as part of a general system review,
and internal control review, an audit, or other management initiative.

f. Manageable - Management must have the means to change, delete, evalu-
ate cost, upgrade, or review the system of controls under its purview.

D. Areas of Control

1. Automated information systems typically encompass data files, computer pro-
grams, and equipment, all of which may affect controls in some way. Part of the
problem in dealing with controls is the wide variability in how systems are de-
fined. If there was uniformity in definitions, then control techniques could be ap-
plied, evaluated, and cataloged more easily.

2. The five control areas listed below are the basic control requirements. . . .

a. Input - includes the records (also referred to as either manual data or trans-
actions) to be processed by the system, and the associated processes from
origination to the computer.

b. Output - includes the records and reports produced by the system, and the
associated manual processes from the computer to the user.

c. Processing - includes all computer processing to receive the input and
store and/or otherwise manipulate the input to produce output.

d. Storage - includes all computer program code and/or instructions and data
files.

e. Communications - includes the transmission of data and/or information ei-
ther between sites or between peripherals at a site.

3. Viewing a system in its pieces makes it easier to set specific control require-
ments and select control techniques. It is important to retain a system's perspec-
tive, to avoid over-control, and to deal with system-wide issues. The following sys-
tem-wide control issues need to be considered:

a. Control techniques in one control area may lessen the need for controls in
another control area; for instance, tight controls over data files may negate
the need for some communication controls.

b. Some aspects of a system may require special system-wide attention; e.g.,
a highly sensitive sub-file may require tight controls during inputting, stor-
age, or outputting.

4. This perspective should be the responsibility of individuals or a group that is in-
volved in all aspects of the system. A user group or a controls specialist assigned
to the project might be assigned controls responsibility.

5. In general, the framework proposes that control techniques be applied to de-
fined control areas to fulfill control requirements . . .

A.16.1 Cross-References and Comments

TABLE A-33. DoD Guideline 7740.1-G-Cross-References

Section

Security Policy

MAC

DAC

Marking

Accountability

Assurance

Fault Tolerance

Chap.2(B)(1)

X

Chap.2(B)(2)

X

Chap.2(B)(3)

X

X

X

X

X

Chap.2(B)(5)

X

X

Chap.2(B)(5)(c)

X

X

Chap.2(B)(6)

X

X

X

Chap.2(B)(8)

X

X

X

X

Chap.2(B)(9)

X

Chap.2(B)(10)

X

X

X

Chap.2(C)(1)

X

Chap.2(C)(2)

X

Chap.2(C)(3)

X

Chap.2(C)(4)

X

Chap.2(C)(5)(a-f)

X

Chap.2(D)(1)

X

Chap.2(D)(2)(a-e)

X

Chap.2(D)(3)(a-b)

X

Chap.2(D)(4)

X

Chap.2(B)(1)

[Security Policy] A security policy serves as the set of basic requirement statements
which must address vulnerabilities and promote security, reliability, and safety. Specific
control requirements must be developed for each appropriate facet (i.e., security, reliabil-
ity, safety, and known vulnerabilities) and must be clearly stated.

Chap.2(B)(2)

[Security Policy] Control requirements must address each of the four cited categories.
Of these, application controls and required systems functions are of paramount concern
in terms of (a) specification of intent, (b) specification of explicit constraints, and (c)
specification of control area.

Chap.2(B)(3) [Security Policy] Application-specific control requirements must address
the authorization, validity, completeness, accuracy, and timeliness of information
processing. [MAC, DAC, Marking] Requirements for authorization imply access control
features. [Accountability] Auditing of access controls for accountability is required by
authorization requirements.

Chap.2(B)(5)

[Security Policy] The protection of information may have mandatory control compo-
nents imposed by law, an external regulatory agency, and/or a higher authority within an
organization. The security policy must reflect this imposed requirement. [MAC] The ap-
plication of the security policy must ensure that the mandatory access control compo-
nent is consistent with the specification in the policy requirement.

Chap.2(B)(5)(c)

[Accountability] Audit and/or other accountability features are required to keep manage-
ment aware of exceptions to established policies. [Assurance] Systematic application of
controls implies that the totality of controls, including those resident in AISs, must be
considered in determining the scope of protection. Assurance techniques can be used to
make management aware of any exceptions in the systematic application of controls.

Chap.2(B)(6)

[Security Policy] Management must be aware of the cost-benefit tradeoffs in providing
protection and control features. This implies a thorough and comprehensive risk assess-
ment process. [Marking] Information within AISs must be marked with attributes which
reflect the same categorization (and implying the same controls) as those associated with
external hard copies of that information. [Assurance] Reviews must consider the totality
of process components.

Chap.2(B)(8)

[Security Policy] The issue of identifying competency of personnel, albeit difficult, is
one that is significant for integrity. In identifying competency levels, the initial proce-
dure should be to objectively separate specific duties into roles, to which individuals can
be assigned. Thus, role and duty specifications form an objective basis of competency,
while actual assignment of roles can be based on management's subjective opinion.
[MAC, DAC] The mandatory and discretionary aspects of the use of roles and duties,
coupled with data object attributes, serve as a basis for object access or process execu-
tion, enabling enforcement of competency-related policies. [Marking] Attributes of both
subjects and objects must be available either through system-enforced marking or as an
inherent part of a subject or object to enable such controls.

Chap.2(B)(9)

[Security Policy] Many standard operating procedures that contain acceptable controls in
manual environments will not necessarily be acceptable in an automated environment.
As more functionality becomes integrated into computer systems, new controls for stand-
ard automated operating procedures will be required. This will result in a much richer
set of security policy and ensuing controls the those conceived for confidentiality.

Chap.2(B)(10)

[Security Policy, Assurance, Fault Tolerance] Required systems functions must be con-
sidered in formulating the security policy. This implies assurance and fault tolerance fea-
tures for some applications. The mandatory aspects of a security policy which must be
enforced by system-provided mechanisms must be identified and determined to be a con-
sistent (i.e., non-conflicting) set of requirements. Where conflicts arise, alternatives to
system-provided mechanisms must be employed until the conflicts are resolved. In em-
ploying these alternative controls, the intent of the initial requirements set must be met.

Chap.2(C)(1)

[Security Policy] Prevention, detection, and correction are all valid techniques for ad-
dressing threats to protected resources. An appropriate choice of mechanisms employing
a particular type of technique, or a combination of techniques, must be made for protect-
ed resources.

Chap.2(C)(2)

[Assurance] The feasibility, understandability, and comprehensiveness of selected con-
trol techniques must be considered. This implies ``economy of mechanism'' to enforce
overlapping aspects of controls.

Chap.2(C)(3)

[Assurance] Risk assessments, the notion of ``due care,'' the notion of ``economy of
mechanism,'' and engineering trade-offs are implied by the requirement for cost-effective-
ness.

Chap.2(C)(4)

[Assurance] An effort (e.g., testing) must be made to ensure selected control techniques
operate as intended. The degree of effort should reflect the sensitivity of the information
or application in which the controls are intended to protect. Facility management proce-
dures for installing and maintaining controls will be required.

Chap.2

(C)(5)(a-f)

[Assurance] A variety of Assurance features are listed to ensure the effectiveness of se-
lected control techniques.

Chap.2(D)(1)

[Security Policy] The security policy must address, in clear and precise terms, the scope
of resources which are applicable. Uniform terms should be used where possible.

Chap.2

(D)(2)(a-e)

[Security Policy] The Security Policy must address each of the five control areas which
are applicable (input, output, processing, storage, and communications).

Chap.2

(D)(3)(a-b)

[Assurance] Assurance issues are raised by the integration of different controls and the
dependence of controls upon other controls. System design should address these issues.

Chap.2(D)(4)

[Assurance] Responsibility should be assigned to address system-wide controls.

A.17 DoD Directive 7750.5-Management and Control of Information Re-
quirements

This Directive implements the policies stated in DoD Directive 7740.1, DOD Information
Resources Management Program and Public Law 96-511, Paperwork Reduction Act of
1980. Specifically, this Directive specifies administrative policies related to information
requirements. This Directive applies to all internal, interagency, and public reporting
DoD information requirements. All information systems and techniques for collecting,
recording, maintaining, and disseminating information are included under its provision
unless exempted under Public Law 96-511.

The following table contains selected sections of DoD Directive 7750.5. The cross-
reference table and comments appear in the next section.

TABLE A-34. DoD Directive 7750.5-Selected Source Text

A. Purpose

1. This Directive prescribes policies for the management and control of informa-
tion requirements. It also implements those policies in [DoD 7740.1-D] and [PRA
1980] concerning the licensing of reporting requirements internal and external to
the Department of Defense and the development of an Information Collection
Budget. . . .

D. Policy

1. Ensuring that sufficient information is available to achieve military effective-
ness and management efficiency is a basic command and management responsibili-
ty. As a fundamental policy, however, the burden associated with the collection
and reporting of this information must be controlled and minimized. The manage-
ment of reports internally prescribed by the DoD component must include provi-
sions for setting annual goals, consistent with critical mission needs, to reduce the
number or frequency or reports.

2. The central ingredient in information management is the user's responsibility
and accountability for assuring that information requirements are valid, accurate,
and essential to the mission of the user's organization.

a. These requirements should be examined to avoid both duplication and un-
necessary generation of data. Because the creation or collection of informa-
tion requires the allocation of scarce resources, the user must first ascertain
that the required data are not already available from other sources.

b. Statistical sampling techniques and information technology should be em-
phasized as approaches for minimizing reporting workloads.

c. In the development and operational life cycle of an automated information
system, care shall be taken to assure that information needs are clearly identi-
fied and that reports to be generated by the automated system represent cost
effective use of resources, as required by DoD Directive 7920.1 [Life Cycle
Management of Automated Information Systems]

A.17.1 Cross-References and Comments

TABLE A-35. DoD Directive 7750.5-Cross-References

Section

Security Policy

MAC

DAC

Marking

Accountability

Assurance

Fault Tolerance

D(1)

X

D(2)

X

X

D(2)(a)

X

X

D(2)(b)

X

D(2)(c)

X

X

D(1)

[Security Policy] The sufficiency of information resources to achieve military effective-
ness and management efficiency must be addressed. In addition to the concept of suffi-
ciency, the burden associated with collecting and reporting information must be control-
led and minimized.

D(2)

[Security Policy, Accountability] This policy statement supports the position that individ-
uals are ultimately responsible for the information processing resources under their ad-
ministration. Information processing resources and activities must be valid, accurate, and
essential to the mission needs of the DoD component. This implies similar quality at-
tributes for the operational aspects (e.g., data and processing properties) of the informa-
tion resources which are used to fulfill component information requirements.

D(2)(a)

[Security Policy] The control of duplication and unnecessary generation of data is re-
quired. [Accountability] The user must ascertain that required information is not availa-
ble by other means.

D(2)(b)

[Accountability] The minimization of reporting workload is required. The use of infor-
mation technology to achieve this goal is explicitly mentioned.

D(2)(c)

[Security Policy, Accountability] The information needs of the DoD component must be
identified and supporting AISs must be capable of meeting those needs. Reports generat-
ed by AISs must be cost effective.

APPENDIX B

B. POLICY CROSS-REFERENCE

The table appearing in this Appendix is a reproduction of Table 3.1 from the Department
of Defense ADP Internal Control Guideline [DoD 7740.1-G]. This table ``provides a
listing of 55 control requirements cross-referenced to the major control objectives . . .''
[DoD 7740.1-G, p. 3-6]. Although this table does not provide cross-references for all of
the policy statements used in this document, it does include the following:

· OMB Circular No. A-123, Internal Control Systems [OMB A-123];

· Internal Control Guidelines [OMB ICG];

· OMB Circular No. A-127, Financial Management Systems [OMB A-127];

· OMB Circular No. A-130, Management of Federal Information Resources [OMB A-
130];

· GAO Policy and Procedures Manual for Guidance of Federal Agencies-Title 2 - Ac-
counting [GAO Title II];

· Privacy Act of 1974 [PA 1974];

· Federal Managers' Financial Integrity Act of 1982 [FMFIA 1982];

· DoD Directive 5010.38, Internal Management Control Program [DoD 5010.38-D];

· DoD Directive 7740.1, DoD Information Resources Management Program [DoD 7740.1-
D].

A set of 55 control requirements applying to the internal control of DoD components
were derived from these seven documents. The table cross-references each control
objective with the particular document(s) from which it was derived. The table contains
a brief statement of each control requirement, while the full wording appears in a list
following the table (also reproduced from [DoD 7740.1-G]). Four categories of
requirements are cited: Application Controls, General Controls, Administrative
Controls, and Required Systems Functions. Especially significant when considering
integrity in AISs are those requirements listed under Application Controls and Required
Systems Functions.

TABLE B-36. Summary of Control Requirements [DoD 7740.1-G]

Summary table of control objectives cross-referenced to the major control directives.

Line No.- Requirements

A-123

OMB IC

A-127

A-130

GAO Title II

FMFIA

Privacy Act

DoD IMCP

DoD IRMP

APPLICATION
CONTROLS

1. Transactions are
authorized

X

X

X

X

X

2. Transactions are valid

X

X

X

X

X

3. Information is complete

X

X

X

X

X

X

X

4. Information is accurate

X

X

X

X

X

X

X

X

5. Information is timely

X

X

X

X

X

X

X

6. System and data are
secure

X

X

X

X

7. System is auditable

X

X

GENERAL CONTROLS

8. System controls exist

X

X

9. 5-yr. system plan
developed

X

X

X

X

10. Contingency/disaster
plan

X

X

X

11. Vulnerability
assessment

X

X

X

X

12. Cost/benefit analysis

X

X

13. Reasonable assurance

X

X

X

X

X

X

X

14. Control objectives
defined

X

X

X

X

15. Control techniques
selected

X

X

X

X

16. Security reqs.
adequacy

X

17. Security specs. exist

X

X

X

18. Security specs.
adequacy

X

19. System design
approved

X

X

20. Controls documented

X

X

X

21. System
documentation exists

X

22. System contingency
plan

X

X

23. Controls tested

X

X

24. System test conducted

X

25. Test results
documented

X

X

26. System certified

X

27. Controls review
performed

X

X

X

X

X

28. Periodic reviews

X

X

X

X

X

29. Periodic risk
assessments

X

X

X

30. Corrective action/
audit

X

X

X

X

31. Internal controls
report

X

X

X

X

32. Accounting systems
report

X

X

X

33. Annual report to
President

X

X

X

X

X

X

ADMIN. CONTROLS

34. Org. responsibility
fixed

X

X

X

35. Separation of duty
exists

X

X

X

X

36. Supervision is
provided

X

X

X

X

37. Supportive attitude
exists

X

X

X

X

38. Personnel are
competent

X

X

X

X

39. Security training
program

X

X

40. Written policies/
procedures

X

X

X

X

X

41. Personnel security
policies

X

X

42. Ind. responsibilities
fixed

X

X

X

X

X

X

43. Accountability
assigned

X

X

X

X

X

X

X

44. Record retention
procedures

X

X

45. Release of information

X

X

X

REQ. SYSTEM
FUNCTIONS

46. System is efficient

X

X

X

47. System operation
economical

X

X

48. System is effective

X

X

X

49. System supports
management

X

X

X

50. System supports
budget

X

X

X

51. Comparability/
consistency

X

X

52. Information useful/
relevant

X

X

X

X

X

53. System provides
disclosure

X

X

X

54. Individual access
allowed

X

X

X

55. Network compatibility

X

B.1 Requirements List

The following list of requirements correspond with the summaries appearing in the first
column of the preceding table.

Application Controls

1. Transactions are authorized - the information entered into the system must be author-
ized by management for entry.

2. Transactions are valid - the information system must process only data that represent
legitimate events.

3. Information is complete - all valid data, and only those data, are to be processed by
the information system.

4. Information is accurate - data must be free from error during all phases of processing,
within defined levels of tolerance.

5. Information is timely - data must reflect the correct cycle, version, or period for the
processing being performed. Financial management data shall be recorded as soon as
practical after the occurrence of the event, and relevant preliminary data shall be made
available promptly to managers after the end of the reporting period.

6. System and data are secure - the data files, computer program, and equipment must
be secure from unauthorized and accidental changes, unauthorized disclosure and use,
and physical destruction. Detective and corrective controls may also apply depending on
the sensitivity and/or classification of the data.

7. System is auditable - an information trail must exist that establishes individual ac-
countability for transactions and permits an analysis of breakdowns in the system and
other anomalies.

General Controls

8. System controls exist - for each information system, the controls system should en-
sure that appropriate safeguards are incorporated into the systems, tested before imple-
mentation, and tested periodically after implementation.

9. Five-year system plan developed - a plan featuring specific milestones with obligation
and outlay estimates for every system of the agency (both current and under develop-
ment).

10. Contingency plan and/or disaster recovery plan exists - agencies shall develop, main-
tain, and test disaster recovery and continuity of operations plans for their data center(s).
The plan's objective is to provide reasonable continuity of data processing support if nor-
mal operations are prevented.

11. Vulnerability assessment conducted - a review of the susceptibility of a program or
function to waste, loss, unauthorized use, or misappropriation. Includes both vulnerabili-
ty assessments or their equivalents, such as an audit.

12. Cost-benefit analysis exists - a review to determine and compare the benefits of the
proposed system against the cost of developing and operating the current system. Only
those proposals where the expected benefits exceed the estimated costs by 10 percent
should be considered for development, unless otherwise specifically required by statute.

13. Reasonable assurance applied - reasonable assurance equates to a satisfactory level
of confidence, based on management's judgment of the cost-benefits of the controls ver-
sus the recognized risks. (Practically, it is recognized that it is not cost-effective to attain
100 percent assurance.)

14. Control objectives defined - goals established to address a known vulnerability or
promote reliability or security of a system.

15. Control techniques selected - methods to satisfy one or more control objectives by
preventing, detecting, and/or correcting undesired events. More commonly referred to as
"controls."

16. Adequacy of security requirements determined - agencies administrative, physical,
and personnel security requirements are included in specifications for the acquisition or
operation of facilities, equipment, or software.

17. Security specifications exist - internal control and security objectives must be stated
as design specifications and approved by management before development (program-
ming) of the application system can begin.

18. Adequacy of security specifications determined - proof that the design specifications
satisfy control objectives must be presented to management to authorize computer pro-
gram development and/or modification (programming).

19. System design approved - before development (programming) of the system is au-
thorized, management must be assured that the system design satisfies the user's require-
ments and incorporates the control requirements. The design review must be document-
ed and be available for examination.

20. Controls documented - internal control systems, including all transactions and signifi-
cant events, are to be clearly documented and be readily available for examination.

21. System documentation exists - documentation that must reflect the current state of
the system as it is being operated. The documentation must be sufficient to ensure effec-
tive operation by users and system maintenance by programmers.

22. System contingency plan exists - plans must be developed, documented, and tested
to ensure that users of the system can continue to perform essential functions in the
event their information technology support is interrupted. The plan should also be con-
sistent with the agency-wide disaster recovery plan.

23. Controls tested - before a new or modified system is placed into production status,
the controls should be tested to prove that the controls operate as intended. The test re-
sults should be documented and sent to management for approval to implement the sys-
tem.

24. System test conducted - before implementation of the system is authorized, evidence
that the system operates as intended must be presented to management. This evidence
must also include the results of controls testing. The test results must be documented
and available for examination.

25. Test results documented - the documentation should demonstrate that the control and
functionality requirements operate as intended.

26. System certified prior to implementation - before a system can be implemented, an
agency official shall certify that the system meets all applicable Federal policies, regula-
tions, and standards, as well as state that test results demonstrate that installed controls
are adequate for examination.

27. Controls review performed - periodically, the controls of each system must be tested
to determine if the controls still function as intended. The results of these tests must be
documented and available for examination.

28. Periodic reviews and re-certifications are conducted at least every 3 years, agencies
shall review applications and re-certify the adequacy of the safeguards. The re-certifica-
tions shall be documented and be available for review.

29. Periodic risk assessments are conducted - agencies shall conduct periodic risk assess-
ments at each data center to provide a measure of the relative vulnerabilities and threats
to the data center so that security resources can be effectively distributed to minimize po-
tential loss.

30. Corrective action taken; audit findings resolved promptly - managers are to promptly
evaluate audit findings and recommendations, determine proper corrective actions, and
complete those actions.

31. Annual report on internal controls prepared - yearly, each agency must determine
proper if its systems of internal controls are in compliance with the Comptroller Gener-
al's standards.

32. Annual report on accounting systems prepared - yearly, each agency must determine
if its accounting systems are in compliance with the Comptroller General's standards.

33. Annual reports to President sent - the head of each agency must sign both annual re-
ports and transmit them to both the President and Congress.

Administrative Controls

34. Organizational responsibility is affixed - the assignment of responsibilities for plan-
ning, directing and controlling the controls evaluation process for the agency and/or seg-
ment is specified. The programs and functions conducted in each of the components
have also been specified. The programs and functions conducted in each of the compo-
nents have also been specified.

35. Separation of duties exists - key duties and responsibilities in authorizing, process-
ing, recording, and reviewing transactions should be separated among individuals.

36. Supervision is provided - qualified and continuous supervision is to be provided to
ensure that control requirements are met.

37. Supportive attitudes exist - managers and employees are to maintain and demon-
strate a positive and supportive attitude toward controls at all times.

38. Personnel are competent - manager and employees are to have personnel and profes-
sional integrity and are to maintain a level of competence that allow them to accomplish
their assigned duties, as well as understand the importance of developing and implement-
ing good controls.

39. Security training program exists - agencies shall establish a security awareness and
training program so that agency and contractor personnel involved with information sys-
tems are aware of their security responsibilities and know how to fulfill them.

40. Written policies and procedures exist - each agency shall establish administrative
procedures to enforce the intended functioning of controls, including provisions that per-
formance appraisals reflect execution of control-related responsibilities.

41. Personnel security policies exist - each agency should establish and manage person-
nel security procedures, including requirements for screening agency and contractor per-
sonnel designing, developing, operating, maintaining, or using the system. The level of
screening depends on the sensitivity and/or classification of the system data.

42. Individual responsibilities are affixed - assignments or responsibility should be made
for internal controls, accounting systems, and data center security on an 43. Custody and/
or accountability assigned - the official whose function is supported by an information
system is responsible and accountable for the products of the information system is re-
sponsible and accountable for the products of the information system.

44. Record disposition procedures exist - each agency must establish approved records
disposition schedules which identify permanent data files and ensure their transfer to the
National Archives and Record Administration.

45. Release of information provided for - each agency must have procedures in place so
that information can be extracted from systems to meet requests made under the Privacy
Act and Freedom of Information Act.

Required System Functions

46. An analysis of the ratio of outputs to inputs evaluated against an acceptable standard.

47. System operation is economical - uneconomical systems must be identified and
phased out.

48. System is effective - periodically, each system should be reviewed to determine if
the system still meets organizational needs.

49. System supports management - data shall be recorded and reported in a manner to fa-
cilitate carrying out the responsibilities of both program and administrative managers.

50. System supports budget - financial management data shall be recorded, stored, and
reported to facilitate budget preparation, analysis, and execution.

51. Comparability and/or consistency provided for - financial management data shall be
recorded and reported in the same manner throughout the agency, using uniform defini-
tions that are synchronized with budgeting and used consistently for each reporting peri-
od.

52. Information is useful and/or relevant - data capture and reports shall be tailored to
specific user needs, and if usage does not justify costs, data or reports shall be terminat-
ed.

53. System provides full disclosure - data shall be recorded and reported to provide us-
ers of the data with complete information about the subject of the report per OMB,
Treasury, and Privacy Act standards.

54. Individual access allowed - systems must be able to extract any data contained in the
data base about individuals to meet requests to see the data by that individual or his/her
representative when required by the Privacy Act.

55. Network compatibility exists - any systems developed or acquired must be interoper-
able with any existing system that will be linked to the new system.