[Federal Register Volume 60, Number 124 (Wednesday, June 28, 1995)]
[Proposed Rules]
[Pages 33376-33383]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 95-15707]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
Office of the Secretary
32 CFR Part 159a
Information Security Program Regulation
AGENCY: Department of Defense.
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: The Department of Defense proposes to issue this amendment to
accommodate Congressional language incorporated into the Fiscal Year
1994 Appropriations Act which specifies that new purchases of
combination locks for GSA-approved security containers, vault doors,
and secure rooms shall conform to Federal Specifications FF-L-2740 as
well as the findings and recommendations of a senior panel established
by the Deputy Secretary of Defense regarding physical security measures
required to adequately safeguard classified information in the
possession of DoD activities.
DATES: Comments must be received by August 28, 1995.
ADDRESSES: Forward comments to the Office of the Assistant Secretary of
Defense for Command, Control, Communications, and Intelligence, 6000
Defense Pentagon, Washington, DC 20301-6000.
FOR FURTHER INFORMATION CONTACT: Mr. W. Bell, OUSD(P), 703-695-2289.
SUPPLEMENTARY INFORMATION: It has been determined that this amendment
is not a significant regulatory action. It has also been determined
that this amendment is not subject to the Regulatory Flexibility Act
and does not impose any reporting or recordkeeping requirements under
the Paperwork Reduction Act of 1980.
List of Subjects in 32 CFR Part 159a
Classified information.
Accordingly, 32 CFR part 159a is proposed to be amended to read as
follows:
PART 159a--INFORMATION SECURITY PROGRAM REGULATION
1. The authority citation for part 159a continues to read as
follows:
Authority: E.O. 12356, 5 U.S.C. 301.
Sec. 159a.9 [Amended]
2. In Sec. 159a.9, paragraph(s), DoD Component, is amended by
removing ``Organization'' and adding in its place ``Chairman'', by
removing ``(OJCS)'' and by removing ``and Specified'' and adding in its
place ``Combatant''.
Sec. 159a.12 [Amended]
3. Section 159a.12 is amended in paragraph (c)(1)(i)(A) by removing
``Office of the Deputy Under Secretary of Defense (Policy),
(ODUSD(P)),'' and adding in its place ``Office of the Assistant
Secretary of Defense for Command, Control, Communications, and
Intelligence, (OASD(C3I))'', paragraph (c)(1)(i)(B) and (c)(1)(ii)(B)
by removing ``including Specified Commands'', paragraph (c)(1)(i)(B) by
removing ``wo'' and adding in its place ``who'', and paragraphs
(c)(1)(ii)(C) by removing ``OJCS'' and adding in its place ``Chairman
of the Joint Chiefs of Staff''.
Sec. 159a.26 [Amended]
4. Section 159a.26(e)(7) is amended by removing ``ASD(PA)'' and
adding in its place ``ATSD(PA)'' and removing ``OJCS'' and adding in
its place ``the Chairman of the Joint Chiefs of Staff''.
Sec. 159a.33 [Amended]
5. Section 159a.33(e)(2) is amended by removing ``7920.1'' and
adding in its place ``8120.1''.
Sec. 159a.35 [Amended]
6. Section 159a.35(g) is amended by adding ``O-'' before
``5230.22''.
7. Subpart F is revised to read as follows:
Subpart F--Safekeeping and Storage
Sec.
159a.37 Storage and storage equipment.
159a.38 Custodial precautions.
159a.39 Installation entry and exit inspection program.
Subpart F--Safekeeping and Storage
Sec. 159a.37 Storage and storage equipment.
(a) General policy. Classified information shall be secured under
conditions adequate to prevent access by unauthorized persons. The
requirements specified in this part represent acceptable security
standards. Exceptions to these requirements should be approved by the
responsible DoD Component Senior Information Security Authority. This
approval authority may be delegated to major commanders. Supplemental
or compensatory security measures must be implemented to compensate for
the inability to meet the baseline standard. DoD policy concerning the
use of force for the protection of classified information is specified
in DoD Directive 5210.56.\17\ Weapons or sensitive items such as funds,
jewels, precious metals or drugs shall not be stored in the same
container used to safeguard classified information. Security
requirements for Sensitive Compartmented Information Facilities (SCIFs)
are established by the Director of Central Intelligence. Current
holdings of classified material shall be reduced to the minimum
required for mission accomplishment.
\17\ See footnote 2 to Sec. 159a.3.
---------------------------------------------------------------------------
(b) Standards for storage equipment. The GSA establishes and
publishes minimum standards, specifications, and supply schedules for
containers, vault doors, alarm systems, and associated security devices
suitable for the storage and protection of classified information. DoD
Directive 3224.3 \18\ describes acquisition requirements for physical
[[Page 33377]] security equipment used within the Department of
Defense.
\18\ See footnote 2 to Sec. 159a.3.
---------------------------------------------------------------------------
(c) Storage of classified information. Classified information is to
be guarded or stored in a locked security container, vault, room, or
area, as follows:
(1) Top Secret. Top Secret information shall be stored in the
following:
(i) A GSA-approved security container or modular vault, in a vault;
or in the U.S., in a secure room if under U.S. Government control (see
appendix F to this part). Other rooms that were approved for the
storage of Top Secret in the U.S. may continue to be used. When located
in areas not under U.S. Government control, the storage container,
vault, or secure room must be protected by an intrusion detection
system or guarded when unoccupied. U.S. Government control means access
to the classified material is controlled by an appropriately cleared
U.S. Government civilian, military, or contractor employee. An
intrusion detection system (IDS) used for this purpose shall meet the
requirements of appendix G to this part. Security forces shall respond
to the alarmed location within 15 minutes from time of notification.
(ii) New purchases of combination locks for GSA-approved security
containers, vault doors and secure rooms shall conform to Federal
Specification FF-L-2740. Existing mechanical combination locks will not
be repaired. If they should fail, they will be replaced with locks
meeting FF-L-2740.
(iii) Under field conditions during military operations, the
commander may prescribe the measures deemed adequate to meet the
storage standard contained in paragraphs (a) and (b) of this section.
(iv) Protection of Top Secret outside the United States requires
application of one or more supplementary controls, i.e., continuous
guard or duty personnel, inspections of locked containers/vaults or an
alarm system.
(2) Secret and Confidential. Secret and Confidential information
shall be stored in the manner prescribed for Top Secret; or in secure
rooms that were approved for the storage of Secret or Confidential
material by the DoD Components prior to October 1, 1995. Until October
1, 2002, Secret and Confidential information may also be stored in
unapproved or obsolete steel filing cabinets having a built-in
combination lock or secured with a lockbar and approved combination
padlock in areas under U.S. Government control, or in areas not under
U.S. Government control provided the area is protected by an IDS or is
guarded when unoccupied. Where IDS is used to protect such information
it should meet the requirements of appendix G to this part. Security
forces shall respond to the alarmed location within 45 minutes from
time of notification.
(3) Specialized security equipment--(i) Military platforms or
classified munition items. The Heads of the DoD Components shall,
consistent with this part, delineate the appropriate security measures
required to protect classified information stored in containers on
military platforms or for classified minution items.
(ii) Special purpose containers. GSA-approved field safes and
special purpose one and two drawer light-weight security containers
approved by the GSA are used primarily for storage of classified
information in the field and in military platforms. Such containers
shall be securely fastened to the structure or under constant
surveillance to prevent their theft. Use of these containers in
ordinary office environmentas, or their procurement for this purpose,
must be approved by major commands or equivalents.
(iii) Map and plan files. GSA-approved map and plan files are
available for storage of odd-sized items such as computer media, maps,
charts, and classified equipment.
(iv) Modular vaults. GSA-approved modular vaults meeting Federal
Specification AA-V-2737 may be used to store classified information as
an alternative to vault requirements described in Appendix F to this
part.
(4) Replacement of combination locks. The mission and location of
the activity, the classification level and sensitivity of the
information, and the overall security posture of the activity
determines the priority for replacement of existing combination locks.
All system components and supplemental security measures including
electronic security systems (e.g., intrusion detection systems,
automated entry control subsystems, and video assessment subsystems),
and level of operations must be evaluated by the commander when
determining the priority for replacement of security equipemnt.
Appendix H to this part provides a matrix illustrating a prioritization
scheme for the replacement of existing combination locks on GSA-
approved security containers and vault doors. Priority 1 requires
immediate replacement.
(5) Storage of bulky material. Storage areas for bulky material
containing classified information may have access openings secured by
GSA-approved changeable combination padlocks (Federal Specification FF-
P-110 series) or high security key-operated padlocks (Military
Specification MIL-P-43607). Other security measures are required, in
accordance with paragraph (c)(1) of this section.
(i) The Heads of the DoD Components shall establish administrative
procedures for the control and accountability of keys and locks
whenever key-operated, high-security padlocks are utilized. The level
of protection provided such keys shall be equivalent to that afforded
the classified information being protected by the padlock.
(ii) 10 U.S.C. 1386 makes unauthorized possession of keys, key-
blanks, keyways or locks adopted by any part of the Department of
Defense for use in the protection of conventional arms, ammunition, or
explosives, special weapons, and classified equipment, a criminal
offense punishable by fine or imprisonment for up to 10 years, or both.
(d) Procurement of new storage equipment.--(1) New security storage
equipment shall be procured from those items listed on the GSA Federal
Supply Schedule. Exceptions may be made by the heads of the DoD
Components, with notification to the ASD(C31). Components should retain
and apply serviceable storage equipment made available as consequence
of draw downs, contractor turn-in of government furnished equipment, or
other events; promptly report excess containers to property disposal;
and fulfill requirements for added equipment through property disposal
when that is cost beneficial.
(2) Current holdings of classified material shall be reduced to the
minimum required for mission accomplishment.
(3) Nothing in this subpart shall be construed to modify existing
Federal supply class management assignments made under DoD Directive
5030.47 \19\
\19\ See footnote 2 to Sec. 159a.3.
---------------------------------------------------------------------------
(e) Equipment designations and combinations--(1) Numbering and
designating storage facilities. There will be no external mark
revealing the level of classified information authorized to be or
actually stored in a given contianer or vault. Priorities for emergency
evacuation and destruction will not be marked or posted on the exterior
of storage containers or vaults.
(2) Combinations to containers and vaults. (i) Changing.
Combinations to security containers, vaults and secure rooms shall be
changed only by individuals having that responsibility and an
appropriate security clearance. Combinations shall be
changed: [[Page 33378]]
(A) When placed in use;
(B) Whenever an individual knowing the combination no longer
requires access;
(C) When the combination has been subject to possible compromise;
(D) At least once every two years; or
(E) When taken out of service. Built-in combination locks shall be
reset to the standard combination 50-25-50; combination padlocks shall
be reset to the standard combination 10-20-30.
(ii) Selecting combinations. Combinations for each lock shall be
unique to that lock and shall have no systematic relationship to other
combinations used within a specific office. Combination numbers shall
not be derived from numbers otherwise associated with the specific
office or its personnel. The number within a combination shall be
selected on a random basis without deliberate relationship of one to
the other except to provide appropriate variance to operate the lock
properly.
(iii) Classifying combinations. The combination of a container,
vault or secure room used for the storage of classified information
shall be assigned a security classification equal to the highest
category of the classified information stored therein. Any written
record of the combination shall be marked with the classification.
Declassification of combinations occurs at the time they are changed.
(iv) Recording storage facility data. A record shall be maintained
for each vault or secure room door, or container used for storage of
classified information, showing location of the door or container, and
the names, home addresses, and home telephone numbers of the
individuals having knowledge of the combination. Standard Form 700,
``Security Container Information,'' shall be used for this purpose.
(A) Part 1 of the SF 700, when completed, shall be placed in an
interior location in security cabinets and on vault or secure room
doors. To the extent practical, Part 1 shall be on the inside face of
the locking drawer of file cabinets, and on the inside surface of map
and plan cabinet and vault doors.
(B) SF 700, Parts 2 and 2A, shall be marked conspicuously on their
front with the highest level of classification and any special access
notice applicable to the information authorized for storage in the
container and will be stored in a security container other than the one
to which they apply.
(C) Internal security procedures shall provide for prompt
notification to the official responsible for the area if a container is
found unsecured and unattended or show evidence of unauthorized entry
attempt or SF 700 is inaccessible or not available.
(D) Listings of persons having knowledge of the combination shall
be continued as necessary on an attachment to Part 2.
(E) Dissemination. Access to the combination of a vault or
container used for the storage of classified information shall be
granted only to those individuals who are authorized access to the
classified information to be stored therein.
(3) Access controls. Entrances to secure rooms or areas should be
under visual control at all times during duty hours to preclude entry
by unauthorized personnel or equipped with electric, mechanical or
electromechanical access control devices to limit access during duty
hours. Appendix I to this part provides standards for these access
control devices; the use of automated systems described therein is
encouraged.
(f) Repair of damaged security containers. Neutralization of lock-
outs or repair of any damage that affects the integrity of a security
container approved for storage of classified information shall be
accomplished only by authorized persons who have been the subject of a
trustworthiness determination in accordance with 32 CFR part 154 and
are continuously escorted while so engaged.
(1) With the exception of frames bent through application of
extraordinary stress, a GSA-approved security container manufactured
prior to October 1991 (identified by a silver GSA label with black
lettering affixed to the exterior of the container) is considered to
have been restored to its original state of security integrity as
follows:
(i) All damaged or altered parts, for example, the locking drawer,
drawer head, or lock, are replaced; or
(ii) Has been drilled immediately adjacent to or through the dial
ring to neutralize a lockout, a replacement lock meeting FF-L-2740 is
used, and the drilled hole is repaired with a tapered, hardened tool-
steel pin, or a steel dowel, drill bit, or bearing with a diameter
slightly larger than the hole and of such length that when driven into
the hole there shall remain at each end of the rod a shallow recess not
less than \1/8\ inch nor more than \3/16\ inch deep to permit the
acceptance of substantial welds, and the rod is welded both on the
inside and outside surfaces. The outside of the drawer head must then
be puttied, sanded, and repainted in such a way that no visible
evidence of the hole or its repair remains on the outer surface.
(2) In the interests of cost efficiency, the procedures identified
in paragraph (f)(2)(1)(i) of this section should not be used for GSA-
approved security containers purchased after October 1991
(distinguished by a silver GSA label with red lettering affixed to the
outside of the container control drawer) until it is first determined
whether warranty protection still applies. To make this determination,
it will be necessary to contact the manufacturer and provide the serial
number and date of manufacture of the container. If the container is
under warranty, a lock-out will be neutralized using the procedures
described in the Naval Facilities Engineering Service Center (NFESC)
Technical Data Sheet (TDS) 2000-SHR.
(3) Unapproved modification or repair of security containers and
vault doors is considered a violation of the container's or door's
integrity and the GSA label shall be removed. Thereafter, they may not
be used to protect classified information except as otherwise
authorized in this part.
(g) Maintenance and operating inspections--(1) Maintenance. The
Heads of the DoD Components shall establish procedures concerning
maintenance of classified material security containers and vaults to
accomplish the following:
(i) Permit only those persons who have been the subject of a
trustworthiness determination in accordance with 32 CFR part 154 to
perform maintenance which affects the protective features of the
container or vault.
(ii) Require a record of all maintenance performed on a container
or vault be maintained by the using activity and retained with the
container or vault. The record shall reflect the operating problem
requiring maintenance, the date maintenance was performed, the name and
organization of the maintenance technician, the work accomplished, and
the activity official certifying the subsequent proper operation of the
container or vault. These records shall be retained for the service
life of the container or vault.
(iii) Refer any discovery of unauthorized tampering or modification
of a container or vault to the supporting counterintelligence
organization for investigation.
(iv) Provide a preventive maintenance program for containers and
vaults to detect and correct operating problems affecting their
security.
(2) Operating inspections. Containers and vaults shall be inspected
before being used, and periodically thereafter, and whoever discovered
open and unattended or evidence of actual or [[Page 33379]] attempted
unauthorized forced or covert entry is present to assure the presence
and proper operation of their protective security features before they
may continue in use to store classified material.
Sec. 159a.38 Custodial precautions.
(a) Responsibilities of custodians. Anyone who has been duly
authorized/appointed to maintain classified information is responsible
for its safekeeping, to include storing the material in approved
storage containers or facilities when it is not in use or under the
supervision of an authorized person.
(b) Residential storage arrangements. Only the Head of a DoD
Component, or single designee at the Component headquarters and major
command levels, may authorize removal of classified material from
designated working areas in off-duty hours, for work at home or
otherwise, provided that a GSA-approved security container is furnished
and appropriate regulations otherwise provide for the maximum
protection possible under the circumstances. Any such arrangements
approved before the effective date of this part shall be reevaluated
and, if continued approval is warranted, compliance with this paragraph
is necessary.
(c) Care during working hours. (1) Classified material removed from
storage shall be kept under constant surveillance by persons authorized
access and having a need to know thereto and, when not in use,
protected from unauthorized view of its classified contents until
returned to storage. Such protection shall be provided, as applicable,
by the material's unclassified cover or by an appropriate cover sheet.
Cover sheets shall be Standard Forms 703, 704 and 705 for,
respectively, Top Secret, Secret, and Confidential documents.
(2) Preliminary drafts, carbon sheets, plates, stencils,
stenographic notes, worksheets, computer and typewriter ribbons,
transfer medium and other items containing classified information shall
be safeguarded according to the level of classified information they
contain and shall be accordingly destroyed after they have served their
purpose. Transfer medium include drums, cartridges, belts, sheets,
memory, and other material in copiers, printers, facsimile and other
devices of items which receive or come in contact with classified
information.
(3) Destruction of personal computer printer or typewriter ribbons
from which classified information can be obtained shall be accomplished
in the manner prescribed for classified working papers of the same
classification. After the upper and lower sections have been cycled
through and overprinted five times in all ribbon or impact or typing
positions, fabric ribbons may be treated as unclassified regardless of
their previous classified use. Carbon and plastic ribbons and carbon
paper that have been used in the production of classified information
shall be destroyed in the manner prescribed for working papers of the
same classification after initial usage. However, any typewriter ribbon
that uses technology which enables the ribbon to be struck several
times in the same area before it moves to the next position may be
treated as unclassified.
(d) End-of-day security checks. The Heads of activities that
process or store classified information shall establish a system of
security checks at the close of each working day to ensure that the
area is secure. Standard Form 701, ``Activity Security Checklist,''
shall be used to record such checks. Standard Form 702. ``Security
Container Check Sheet,'' shall be used to record the use of all vaults,
secure rooms and containers used for the storage of classified
material.
(e) Emergency planning. (1) Plans shall be developed for the
protection, removal, or destruction of classified material in case of
fire, natural disaster, civil disturbance, terrorist activities, or
enemy action. Such plans shall establish detailed procedures and
responsibilities for the protection of classified material to ensure
that the material does not come into the possession of unauthorized
persons. These plans shall include the treatment of classified
information located in foreign countries. Emergency destruction
procedures are not needed for activities located inside the 50 states.
(2) These emergency planning procedures do not apply to material
related to COMSEC Planning for the emergency protection including
emergency destruction under no-notice conditions of classified COMSEC
material shall be developed in accordance with requirements of NACSI
4006.
(3) Emergency plans shall provide for the protection of classified
material in a manner that will minimize the risk of injury or loss of
life to personnel. In the case of fire or natural disaster, the
immediate placement of authorized personnel around the affected area,
preinstructed and trained to prevent the removal of classified material
by unauthorized personnel, is an acceptable means of protecting
classified material and reducing casualty risk. Such plans shall
provide for emergency destruction to preclude capture of classified
material when determined to be required in overseas locations.
(f) Telecommunications conversations. (1) Classifed information
shall not be discussed in telephone conversations except over approved
secure communications circuits, that is, cryptographically protected
circuits or protected distributions systems installed in accordance
with National COMSEC Instruction 4009.
(2) The Secure Telephone Unit-III (STU-III) is approved for
classified discussions within the limitations displayed by the STU-III.
The need-to-know must be established before discussing classified
information.
(3) Users of secure telephones shall assure that only persons with
appropriate clearance and need-to-know are within hearing range of
their conversation.
(g) Removal of classified storage and information processing
equipment. All classified storage containers and information processing
equipment shall be inspected by properly cleared personnel before
removal from protected areas or unauthorized persons are allowed access
to them. The inspection shall be accomplished to assure no classified
information remains within the equipment. Some examples of equipment
which shall be inspected are:
(1) Reproduction or facsimile machines and AIS components and other
office equipment used to process classified information.
(2) GSA-approved security containers, filing cabinets, or other
storage containers used for safeguarding classified information; and
(3) Other items of equipment that may inadvertently contain
classified information.
(h) Classified discussions, meetings and conferences. Security
requirements and procedures governing disclosure of classified
information at conferences, symposia, conventions, and similar
meetings, and those governing the sponsorship and attendance of U.S.
and foreign personnel at such meetings, are set forth in DoD Directive
5200.12,\20\ DoD Instruction 5230.20,\21\ DoD 5220.22-R,\22\ and DoD
5220.22-M.\23\
\20\ See footnote 2 to Sec. 159a.3.
\21\ See footnote 2 to Sec. 159a.3.
\22\ See footnote 2 to Sec. 159a.3.
\23\ See footnote 3 to Sec. 159a.3.
---------------------------------------------------------------------------
(i) Safeguarding of U.S. classified information located in foreign
countries. Except for classified information that has been authorized
for release to a foreign government or international
[[Page 33380]] organization pursuant to DoD Directive 5230.11 \24\ and
is under the security control of such government or organization, the
retention of U.S. classified material in foreign countries may be
authorized only when that material is necessary to satisfy specific
U.S. Government requirements. This includes classified material
temporarily transferred into a foreign country through U.S. Government
personnel authorized to escort or handcarry such material pursuant to
Sec. 159a.59, as applicable. Whether permanently or temporarily
retained, the classified materials shall be stored under U.S.
Government control, as follows. See Sec. 159a.37(c) additional guidance
on Top Secret information.
\24\ See footnote 2 to Sec. 159a.3.
---------------------------------------------------------------------------
(1) At a U.S. military installation, or a location where the United
States enjoys extraterritorial status, such as an embassy or consulate.
(2) At a U.S. Government activity located in a building used
exclusively by U.S. Government tenants, if the building is under 24-
hour control by U.S. Government personnel.
(3) At a U.S. Government activity located in a building not used
exclusively by U.S. Government tenants nor under host-government
control, provided the classified material is stored in security
containers approved by the GSA and is placed under 24-hour control by
U.S. Government personnel.
(4) At a U.S. Government activity located in a building not used
exclusively by U.S. Government tenants, but which is under host-
government control, provided the classified material is stored in GSA-
approved security containers that are further secured in a locked room
or area to which only U.S. personnel have access.
(5) When host government and U.S. personnel are collocated, U.S.
classified material that has not been authorized for release to the
host government under DoD Directive 5230.11, shall, be segregated from
releasable classified material to facilitate physical control and
prevent inadvertent compromise. U.S. classified material that is
releasable to the host country need not be subject to the 24-hour U.S.
control requirement provided the host government exercises its own
control measures over the pertinent areas or containers during nonduty
hours.
(6) Foreign nationals shall be escorted while in areas where
nonreleasable U.S. classified material is handled or stored. When
required by operational necessity, foreign nationals may be permitted,
during duty hours unescorted entry to such areas provided the
nonreleasable information is properly stored or is under the direct
personal supervision and control of cleared U.S. personnel who can
prevent unauthorized access.
(7) Under field conditions during military operations, the
commander may prescribe the measures deemed adequate to protect
classified material.
(j) Non-COMSEC classified information processing equipment. The
Department of Defense has a variety of non-COMSEC approved equipment to
process classified information. This includes copiers, fascimile
machines, printers, scanners, cameras, printers for AISs, AISs,
electronic typewriters, and other word processing systems among others.
Because much of this equipment has known security vulnerabilities, its
use can cause unauthorized disclosure.
(1) Activities must identify those features, parts, or functions of
equipment used to process classified information which may retain all
or part of the information. Activity security procedures must prescribe
safeguards to:
(i) Prevent unauthorized access to that information.
(ii) Replace and destroy equipment parts as classified material
when the information cannot be removed from them. Alternatively, the
equipment may be designated as ``classified'' and protected at least at
the retained information's classification level.
(2) Activities will select equipment that performs the needed
function and presents the lowest acceptable risk to the classified
information the equipment processes.
(3) Activities will comply with guidance on security
vulnerabilities issued by appropriate authority and must report
equipment problems and failures.
(k) Reporting equipment problems and vulnerabilities. (1) The
equipment that the Department of Defense uses to safeguard, destroy or
process classified information can fail to function properly or
otherwise perform in a way that threatens that information. When that
occurs, responsible individuals within the using activities must
promptly:
(i) Restore the protection to the information.
(ii) Report the incident to their Component security office. Such
report shall:
(A) Be classified or transmitted by secure means, as warranted by
the nature of the problem.
(B) Describe the problem; the equipment's type, manufacturer, and
any serial number; the number of equipment units involved; and any
means found to overcome the problem.
(C) Be in addition to those made to logistics, supply, or
contracting offices, or those made in reporting security violations.
(2) Component security offices receiving such reports shall assess
the impact on other Component activities and advise them accordingly.
They shall also promptly send a copy of the initial and any subsequent
reports to the Director, Counterintelligence and Security Programs,
ODASD(I&S), OASD(C3I). They shall include their assessment of the
impact and a summery of the related Component actions.
(3) Problems or vulnerabilities with COMSEC equipment and
controlled Cryptographic Items shall be reported as prescribed by the
controlling COMSEC authorities rather than under this paragraph. The
COMSEC authority shall promptly coordinate these reports and correcting
actions with the Director, Counterintelligence and Security Programs,
OASD(C3I), when the problems or vulnerabilities are common to all such
equipment.
Sec. 159a.39 Installation entry and exit inspection program.
(a) Policy. Commanders shall prescribe procedures for inspecting
persons, their property and vehicles at entry and exit points of
installations or at designated secure areas within an installation and
for search of persons and their possessions while on an installation.
(1) This shall include determination of whether inspections are
randomly conducted or mandatory for all, and shall prescribe procedures
to ensure the safeguarding of classified information.
(2) Examinations of individuals and their possessions while on the
installation for the primary purpose of obtaining evidence is
classified as a ``search'' under the fourth amendment and separate
guidance regarding the conduct of these searches shall be issued.
(3) All procedures shall be reviewed for legal sufficiency by the
general counsel or legal advisor before issuance. These procedures
shall require Commanders to consult with their servicing Judge Advocate
or other legal advisor before authorizing gate inspections.
(b) [Reserved]
Appendix C to Part 159a [Amended]
7. Appendix C to Part 159a, paragraphs 1.a. and 2.a., paragraphs
2.b.(d)(4), introductory text, and 2.b.(d)(5)(b) paragraph c.(4)(b),
and paragraphs 4.a. and 4.c. are amended by [[Page 33381]] adding
``Chairman of the'' before ``Joint Chiefs of Staff''
8. Appendices F through I to part 159a are added as follows:
Appendix F to Part 159a--Vault and Secure Room Construction Standards
1. Vault
a. Floor and Walls. Eight inches of concrete reinforced to meet
current structural standards. Walls are to extend to the underside
of the roof slab above.
b. Roof. Monolithic reinforced concrete slab of thickness to be
determined by structural requirements, but not less than the floor
and walls.
c. Ceiling. The roof or ceiling must be reinforced concrete of a
thickness to be determined by structural requirements, but not less
than the floors and walls.
d. Vault door and frame unit should conform to Federal
Specification AA-D-2757 Class 8 vault door, or Federal Specification
AA-D-600 Class 5 vault door.
2. Secure Room
a. The walls, floor, and roof construction of secure rooms must
be of permanent construction materials; i.e., plaster, gypsum
wallboard, metal panels, hardboard, wood, plywood, or other
materials offering resistance to, and evidence of unauthorized entry
into the area. Walls shall be extended to the true ceiling and
attached with permanent construction materials, wire mesh or 18
gauge expanded steel screen.
b. Ceiling. The ceilings shall be constructed of plaster,
gypsum, wallboard material, hardwood, or any other acceptable
material.
c. Doors. The access door to the room shall be substantially
constructed of wood or metal. The hinge pins of outswing doors shall
be peened, brazed, or spot welded to prevent removal. Door should be
equipped with a built-in GSA-approved combination lock meeting
Federal Specification FF-L-2740.
d. Windows. Windows which are less than 18 feet above the ground
measured from the bottom of the window, or are easily accessible by
means of objects directly beneath the windows, shall be constructed
from or covered with materials which will provide protection from
forced entry. The protection provided to the windows need be no
stronger than the strength of the contiguous walls.
e. Openings. Utility openings such as ducts and vents should be
kept at less than man-passable (96 square inches) opening. Openings
larger than 96 square inches will be hardened in accordance with
Military Handbook 1013/1A.
Appendix G to Part 159a--IDS Standards
1. An IDS must detect an unauthorized penetration in the secured
area. An IDS complements other physical security measures and
consists of the following:
a. Intrusion Detection Equipment (IDE).
b. Security forces.
c. Operating procedures.
2. System functions.
a. IDS components operate as a system with the following four
distinct phases:
(1) Detection.
(2) Communications.
(3) Assessment.
(4) Response.
b. These elements are equally important, and none can be
eliminated if an IDS is to provide an acceptable degree of
protection.
(1) Detection: The detection phase begins as soon as a detector
or sensor reacts to stimuli it is designed to detect. The sensor
alarm condition is then transmitted over cabling located within the
protected area to the Premise Control Unit (PCU). The PCU may
service many sensors. The PCU and the sensors it serves comprise a
``zone'' at the monitor station. This shall be used as the
definition of an alarmed zone for purposes of this part.
(2) Reporting: The PCU receives signals from all sensors in a
protected area and incorporates these signals into a communication
scheme. Another signal is added to the communication for supervision
to prevent compromise of the communication scheme. This supervised
signal is intended to disguise the information and protect the IDS
against tampering or injection of false information by an intruder.
The supervised signal is sent by the PCU through the transmission
link to the monitor station. Inside the monitor station either a
dedicated panel or central processor monitors information from the
PCU signals. When an alarm occurs, an annunciator generates an
audible and visible alert to security personnel. Alarms result
normally from intrusion, tampering, component failure, or system
power failure.
(3) Assessment: The assessment period is the first phrase that
requires human interaction. When alarm conditions occur, the
operator assesses the situation and dispatches the response force.
(4) Response: The response phase begins as soon as the operator
assesses an alarm condition. A response force must immediately
respond to all alarms. The response phase must also determine the
precise nature of the alarm and take all measures necessary to
safeguard the secure area.
3. Use of IDS
a. As determined by the commander all areas that reasonably
afford access to the container, or where classified data is stored
should be protected by IDS unless continually occupied. Prior to the
installation of an IDS, commanders shall consider the threat,
vulnerabilities, in-depth security measures and shall perform a risk
analysis.
b. Acceptability of Equipment: All IDE must be UL-listed (or
equivalent) and approved by the DoD Component or government
contractor. Government installed, maintained, or furnished systems
are acceptable.
4. Equipment
a. Transmission Line Security: When the transmission line leaves
the facility and traverses an uncontrolled area, Class I or Class II
line supervision shall be used.
(1) Class I: Class I line security is achieved through the use
of DES or an algorithm based on the cypher feedback or cypher block
chaining mode of encryption. Certification by NIST or another
independent testing laboratory is required.
(2) Class II: Class II line supervision refers to systems in
which the transmission is based on pseudo random generated tones or
digital encoding using an interrogation and response scheme
throughout the entire communication, or UL Class AA line
supervision. The signal shall not repeat itself within a minimum 6
month period. Class II security shall be impervious to compromise
using resistance, voltage, current, or signal substitution
techniques.
b. Internal Cabling: The cabling between the sensors and the PCU
should be dedicated to IDE and must comply with national and local
code standards.
c. Entry Control Systems: If an entry control system is
integrated into an IDS, reports from the automated entry control
system should be subordinate in priority to reports from intrusion
alarms.
d. Maintenance Mode: When an alarm zone is placed in the
maintenance mode, this condition shall be signaled to the monitor
station. This signal must appear as an alarm or maintenance message
at the monitor station and the IDS shall not be securable while in
the maintenance mode. The alarm or message must be continually
visible at the monitor station throughout the period of maintenance.
A standard operating procedure must be established to address
appropriate actions when maintenance access is indicated at the
panel. All maintenance periods shall be archived in the system. A
self-test feature shall be limited to one second per occurrence.
e. Annunciation of Shunting or Masking Condition: Shunting or
masking of any internal zone or sensor must be appropriately logged
or recorded in archive. A shunted or masked internal zone or sensor
must be displayed as such at the monitor station throughout the
period the condition exists whenever there is a survey of zones or
sensors.
f. Indications of alarm status shall be revealed at the
monitoring station and optionally within the confines of the secure
area.
g. Power Supplies: Primary power of all IDE shall be commercial
AC or DC power. In the event of commercial power failure at the
protected area or monitor station, the equipment shall change power
sources without causing an alarm indication.
(1). Emergency Power. Emergency power shall consist of a
protected independent backup power source that provides a minimum of
4 hours operating power battery and/or generator power. When
batteries are used for emergency power, they shall be maintained at
full charge by automatic charging circuits. The manufacturer's
periodic maintenance schedule shall be followed and results
documented.
(2) Power Source and Failure Indication: An illuminated
indication shall exist at the PCU of the power source in use (AC or
DC). Equipment at the monitor station shall indicate a failure in
power source, a change in power source, and the location of the
failure or change.
h. Component Tamper Protection: IDE components located inside or
outside the secure area should be evaluated for a tamper protection
requirement. If access to a [[Page 33382]] junction box or
controller will enable an unauthorized modification, tamper
protection should be provided.
5. System Requirements
a. Independent Equipment. When many alarmed areas are protected
by one monitor station, secure room zones must be clearly
distinguishable from the other zones to facilitate a priority
response. All sensors shall be installed within the protected area.
b. Access and/or Secure Switch and PCU: No capability should
exist to allow changing the access status of the IDS from a location
outside the protected area. All PCUs must be located inside the
secure area and should be located near the entrance. Assigned
personnel should initiate all changes in access and secure status.
Operation of the PCU may be restricted by use of a device or
procedure that verifies authorized use. In the secure mode, any
unauthorized entry into the space shall cause an alarm to be
transmitted to the monitor station.
c. Motion Detection Protection: Secure areas that reasonably
afford access to the container or where classified data is stored
should be protected with motion detection sensors; e.g., ultrasonic
and passive infrared. Use of dual technology is authorized when one
technology transmits an alarm condition independent from the other
technology. A failed detector shall cause an immediate and
continuous alarm condition.
d. Protection of Perimeter Doors: Each perimeter door shall be
protected by a balanced magnetic switch (BMS) that meets the
standards of UL 634.
e. Windows: All readily accessible windows (within 18 feet of
ground level) shall be protected by an IDS, either independently or
by the motion detection sensors in the space.
f. IDS Requirements for Continuous Operations Facilities: A
continuous operations facility may not require an IDS. This type of
secure area should be equipped with an alerting system if the
occupants cannot observe all potential entrances into the room.
Duress devices may also be required.
g. False and/or Nuisance Alarm: Any alarm signal transmitted in
the absence of detected intrusion or identified as a nuisance alarm
is a false alarm. A nuisance alarm is the activation of an alarm
sensor by some influence for which the sensor was designed but which
is not related to an intrusion attempt. All alarms shall be
investigated and the results documented. The maintenance program for
the IDS should ensure that incidents of false alarms should not
exceed 1 in a period of 30 days per zone.
6. Personnel
a. IDS Installation and Maintenance Personnel: Alarm
installation and maintenance should be accomplished by U.S. citizens
who have been subjected to a trustworthiness determination in
accordance with 32 CFR part 154.
b. Monitor Station Staffing: The monitor station should be
supervised continuously by U.S. citizens who have been subjected to
a trustworthiness determination in accordance with 32 CFR part 154.
Appendix H to Part 159a--Priority for Replacement
Priorities range from 1 to 4, with 1 being the highest and 4 the
lowest.
Lock Replacement Priorities in the United States and its Territories
------------------------------------------------------------------------
Item TS/SAP TS S/SAP S-C
------------------------------------------------------------------------
Vault Doors......... 1 1 3 4
Containers (A) \1\.. 3 4 4 4
Containers (B) \2\.. 1 1 1 2
Crypto.............. 1 1 2 2
------------------------------------------------------------------------
Lock Replacement Priorities Outside the United States and its
Territories
------------------------------------------------------------------------
Item TS/SAP TS S/SAP S-C
------------------------------------------------------------------------
Vault Doors......... 1 1 2 2
Containers (A) \1\.. 2 2 3 3
Containers (B) \2\.. 1 1 1 2
Crypto.............. 1 1 2 2
High Risk Areas..... 1 1 1 1
------------------------------------------------------------------------
\1\ A--Located in a controlled environment where the Department of
Defense has the authority to prevent unauthorized disclosure of
classified information. The Government may control or deny access to
the space, post guards, require identification, challenge presence,
inspect packages, program elevators, or take other reasonable measures
necessary to deny unauthorized access.
\2\ B--Located in an uncontrolled area without perimeter security
measures.
Appendix I to Part 159a--Access Controls
1. Access Controls: The perimeter entrance should be under
visual control at all times during working hours to preclude entry
by unauthorized personnel. This may be accomplished by several
methods (e.g., employee work station, guard, and CCTV). Regardless
of the method utilized, an access control system shall be used on
the entrance. Uncleared persons are to be escorted within the
facility by a cleared person who is familiar with the security
procedures at the facility.
a. Automated Entry Control Systems: An automated entry control
system may be used to control admittance during working hours
instead of visual control, if it meets the criteria stated below.
The automated entry control system must identify an individual
authenticate that person's authority to enter the area through the
use of an identification (ID) badge or card, and number or by
personal identity verification. Exist should also be recorded.
(1) ID Badges or Key Cards. The ID badge or key card must use
embedded sensors, integrated circuits, magnetic stripes or other
means of encoding data that identifies the facility and the
individual to whom the card is issued.
(2) Personal Identity Verification. Personel identity
verification (biometrics device) identifies the individual
requesting access by some unique personal characteristic, such as:
(a) Fingerprinting
(b) Hand Geometry
(c) Handwriting
(d) Retina
(e) Voice recognition. A biometrics device may be required for
access to most sensitive information.
2. In conjunction with subparagraph 1.a(2)(a), above, a personal
identification number (PIN) may be required. The PIN must be
separately entered into the system by each individual using a keypad
device and shall consist of four or more digits, randomly selected,
with no known or logical association with the individual. The PIN
must be changed when it is believed to have been compromised or
subjected to compromise.
3. Authentication of the individual's authorization to enter the
area must be accomplished within the system by the inputs from the
ID badge and/or card or the personal identity verification device or
the keypad with an electronic data base of individuals authorized
into the area. A procedure must be established for removal of the
individual's authorization to enter the area upon reassignment,
transfer or termination, or when the individual's access is
suspended, revoked, or downgraded to a level lower than required.
4. Protection must be established and continuously maintained
for all devices and/ [[Page 33383]] or equipment that constitute the
system. The level of protection may vary depending on the type of
devices and/or equipment being protected with the basic intent of
utilizing the security controls already in effect within the
facility.
a. Location where authorization data, card encoded data, and
personal identification or verification data is input, stored, or
recorded must be protected.
b. Card readers, keypads, communication, or interface devices
located outside the entrance to a controlled area shall have tamper
resistant enclosures, and be securely fastened to a wall or other
structure. Control panels located within a controlled area shall
require only a minimal degree of physical security protection
sufficient to preclude unauthorized access to the mechanism.
c. Keypad devices shall be designed or installed in such a
manner that an unauthorized person in the immediate vicinity cannot
observe the selection of input numbers.
d. Systems that utilize transmission lines to carry access
authorizations, personal identification, or verification data
between devices/equipment located outside the controlled area shall
have line supervision.
e. Electric strikes used in access control systems shall be
heavy duty industrial grade.
5. Access to records and information concerning encoded ID data
and PINs shall be restricted. Access to identification or
authorization data, operating system software or any identifying
data associated with the access control system shall be limited to
the fewest number personnel as possible. Such data or software shall
be kept secure when unattended.
6. Records shall be maintained reflecting active assignment of
ID badge and/or card, PIN, level of access, access, and similar
system-related records. Records concerning personnel removed form
the system shall be retained for 90 days. Records of entries shall
be retained for at least 90 days or until investigations of system
violations and incidents have been successfully resolved and
recorded.
7. Personnel entering or leaving an area shall be require to
immediately secure the entrance or exit point. Authorized personnel
who permit another individual to enter the area are responsible for
confirming the individual's access and need-to-know. The Heads of
the DOD components may approve the use of standardized AECS, which
meet the following criteria:
a. For a Level 1 key card system, the AECS must provide a 0.95
probability of granting access to an authorized user providing the
proper identifying information within three attempts. Additionally,
the system must ensure an unauthorized user is granted access with
less than 0.05 probability after three attempts to gain entry have
been made.
b. For a Level 2 key card and PIN system, the AECS must provide
a 0.97 probability of granting access to an authorized user
providing the proper identifying information within three attempts.
Additionally, the system must ensure an unauthorized user is granted
access with less than 0.010 probability after three attempts to gain
entry have bee made.
c. For a Level 3 key card and PIN and biometrics identifier
system, the AECS must provide a 0.99 probability of granting access
to an authorized user providing the proper identifying information
within three attempts. Additionally, the system must ensure an
unauthorized user is granted access with less than 0.005 probability
after three attempts to gain entry have been made.
1. Electric, Mechanical, or Electromechanical Access Control
Devices. Electric, mechanical, or electromechanical devices which
meet the criteria stated in subparagraphs 7.c.2. and 3, below, may
be used to control admittance to secure areas during duty hours if
the entrance is under visual control. These devices are also
acceptable to control access to compartmented areas within a secure
area. Access control devices must be installed in the following
manner:
2. The electronic control panel containing the mechanical
mechanism by which the combination is set is to be located inside
the area. The control (located within the area) shall require only
minimal degree of physical security designated to preclude
unauthorized access to the mechanism.
3. The control panel shall be installed in such a manner, or
have a shielding device mounted, so that an unauthorized person in
the immediate vicinity cannot observe the setting or changing of the
combination.
4. The selection and setting of the combination shall be
accomplished by an individual cleared at the same level as the
highest classified information controlled within.
5. Electrical components, wiring included, or mechanical links
(cables, rods, etc.) should be accessible only from inside the area,
or if they traverse an uncontrolled area they should be secured
within protecting covering to preclude surreptitious manipulation of
components.
Dated: June 22, 1995.
L.M. Bynum,
Alternate OSD Federal Register Liaison Officer, Department of Defense.
[FR Doc. 95-15707 Filed 6-27-95; 8:45 am]
BILLING CODE 5000-04-M