Title: AR 25-2

Release Date: 2014-03-20

Army Regulation 25-2
Information Management
Information Assurance
Rapid Action Revision (RAR) Issue Date: 23 March 2009
Headquarters, Department of the Army
Washington, DC
24 October 2007
UNCLASSIFIED

ManningB_00016230
PROSECUTION EXHIBIT 93 for identification
PAGE OFFERED: ___ PAGE ADMITTED: ___
PAGE ___ OF ___ PAGES

SUMMARY of CHANGE
AR 25-2
Information Assurance

This rapid action revision, dated 23 March 2009--

o Clarifies and corrects references to Department of Defense Directive 8750.1 and Army training requirements (para 4-3).

o Removes incorrect course reference to Information Assurance Manager Course and provides correct information on Certified Information Systems Security Professional modules (para 4-3).

o Removes incorrect information regarding Fort Gordon course topics (para 4-3).

o Removes references to the Asset and Vulnerability Tracking Resource compliance reporting database, which is no longer used, to correctly reference the Army Training and Certification Tracking System (para 4-3).

o Deletes incorrect reference to Skillport for required information assurance training (para 4-3).

o Changes Department of Defense Warning Banner verbiage to comply with Department of Defense directed mandatory guidance (para 4-5).

o Corrects references to the National Information Assurance Partnership (para 6-1).

o Adds mandatory Department of Defense Standardized Notice and Consent User Agreement language (app B-3).

o Updates office symbols and acronyms (throughout).

Army Regulation 25-2
Headquarters, Department of the Army
Washington, DC
24 October 2007
Effective 13 November 2007

Information Management
Information Assurance

By Order of the Secretary of the Army:
GEORGE W. CASEY, JR.
General, United States Army
Chief of Staff

Official:
JOYCE E. MORROW
Administrative Assistant to the Secretary of the Army

History. This publication is a rapid action revision (RAR). This RAR is effective 23 April 2009. The portions affected by this RAR are listed in the summary of change.

Summary. This regulation provides Information Assurance policy, mandates, roles, responsibilities, and procedures for implementing the Army Information Assurance Program, consistent with today's technological advancements for achieving acceptable levels of security in engineering, implementation, operation, and maintenance for information systems connecting to or crossing any U.S. Army managed network.

Applicability. This regulation applies to the Active Army, the Army National Guard/Army National Guard of the United States, and the U.S. Army Reserve, unless otherwise stated. Also, it applies to all users, information systems, and networks at all information classification levels; program executive officers; direct reporting program managers; strategic, tactical, and non-tactical environments or installations; internal or external organizations, services, tenants, or agencies (for example, DOD, sister Services, U.S. Army Corps of Engineers (USACE); contractors working on Army information systems pursuant to Army contracts; Army and Air Force Exchange Service (AAFES); morale, welfare, and recreation activities; educational institutions or departments (for example, DOD schools, the U.S. Military Academy at West Point); and Army affiliated or sponsored agencies (for example, Western Hemisphere Institute for Security Cooperation). During mobilization, the proponent may modify chapters and policies contained in this regulation.

Proponent and exception authority. The proponent of this regulation is the Chief Information Officer/G-6. The proponent has the authority to approve exceptions or waivers to this regulation that are consistent with controlling law and regulations. The proponent may delegate this approval authority, in writing, to a division chief within the proponent agency or its direct reporting unit or field operating agency, in the grade of colonel or the civilian equivalent. Activities may request a waiver to this regulation by providing justification that includes a full analysis of the expected benefits and must include a formal review by the activity's senior legal officer. All waiver requests will be endorsed by the commander or senior leader of the requesting activity and forwarded through their higher headquarters to the policy proponent. Refer to AR 25-30 for specific guidance.

Army management control process. This regulation contains management control provisions and identifies key management controls that must be evaluated (see appendix C).

Supplementation. Supplementation of this regulation and establishment of command and local forms are prohibited without prior approval from the Chief Information Officer, G-6 (SAIS-ZA), 107 Army Pentagon, Washington DC 20310-0107.

Suggested improvements. Users are invited to send comments and suggested improvements on DA Form 2028 (Recommended Changes to Publications and Blank Forms) directly to HQDA, CIO/G-6, 107 Army Pentagon, Washington DC 20310-0107.

Distribution. Distribution of this publication is available in electronic media only and is intended for command levels B, C, D, and E for the Active Army, the Army National Guard/Army National Guard of the United States, and the U.S. Army Reserve.

Contents (Listed by paragraph and page number)

Chapter 1
Introduction, page 1
Purpose • 1-1, page 1
References • 1-2, page 1
Explanation of abbreviations and terms • 1-3, page 1
Army Information Assurance Program • 1-4, page 1

*This publication supersedes AR 25-2, dated 3 August 2007.
This edition publishes a rapid action revision of AR 25-2.

AR 25-2 • 24 October 2007/RAR 23 March 2009
UNCLASSIFIED

Contents—Continued
Overview • 1-5, page 1

Chapter 2
Responsibilities, page 3
Chief Information Officer/G-6 • 2-1, page 3
Principal Headquarters, Department of the Army officials and staff • 2-2, page 4
Administrative Assistant to the Secretary of the Army • 2-3, page 4
Assistant Secretary of the Army for Acquisition, Logistics, and Technology • 2-4, page 4
The Deputy Chief of Staff, G-2 • 2-5, page 5
The Deputy Chief of Staff, G-3/5/7 • 2-6, page 5
The Deputy Chief of Staff, G-4 • 2-7, page 5
Commanders of Army Commands; Army Service Component Commands; Direct Reporting Units; U.S. Army Reserve; Army National Guard; program executive officers; direct reporting program managers; Regional Chief Information Officers; Functional Chief Information Officers; and the Administrative Assistant to the Secretary of the Army • 2-8, page 6
Commander, Information Operations Command • 2-9, page 6
Commanding General, Network Enterprise Technology Command/9th Signal Command (Army) • 2-10, page 7
Commanding General, U.S. Army Training and Doctrine Command • 2-11, page 7
Commanding General, U.S. Army Materiel Command • 2-12, page 7
Commanding General, U.S. Army Intelligence and Security Command • 2-13, page 8
Commanding General, U.S. Army Criminal Investigation Command • 2-14, page 8
Chief, Army National Guard • 2-15, page 8
Chief, Army Reserve • 2-16, page 8
U.S. Army Reserve Command Chief of Staff • 2-17, page 8
U.S. Army Corps of Engineers Chief of Engineers • 2-18, page 9
U.S. Army Corps of Engineers Chief Information Officer • 2-19, page 9
Commanding General, Eighth Army • 2-20, page 9
Commanding General, U.S. Army Europe • 2-21, page 9
Commanding General, U.S. Army Medical Command • 2-22, page 9
Program executive officers and direct reporting program/project managers • 2-23, page 9
Commanders, directors, and managers • 2-24, page 10
Garrison commanders • 2-25, page 10
U.S. Army Reserve major subordinate command • 2-26, page 11
Army National Guard state DOIM/J6/CIO • 2-27, page 11
Regional Chief Information Officer • 2-28, page 11
Army Reserve command/unit/activity G-6 • 2-29, page 11
Director of Information Management • 2-30, page 11

Chapter 3
Army Information Assurance Program Personnel Structure, page 12
Personnel structure overview • 3-1, page 12
Information assurance personnel structure • 3-2, page 12
Information assurance support personnel • 3-3, page 15

Chapter 4
Information Assurance Policy, page 18

Section I
General Policy, page 18
Policy overview • 4-1, page 18
Funding • 4-2, page 19
Information assurance training • 4-3, page 20
Mission assurance category, levels of confidentiality, and levels of robustness • 4-4, page 21
Minimum information assurance requirements • 4-5, page 22

Section II
Software Security, page 29
Controls • 4-6, page 29
Database management • 4-7, page 29
Design and test • 4-8, page 30

Section III
Hardware, Firmware, and Physical Security, page 30
Hardware-based security controls • 4-9, page 30
Maintenance personnel • 4-10, page 30
Security objectives and safeguards • 4-11, page 31

Section IV
Procedural Security, page 31
Password control • 4-12, page 31
Release of information regarding information system infrastructure architecture • 4-13, page 32

Section V
Personnel Security, page 32
Personnel security standards • 4-14, page 32
Foreign access to information systems • 4-15, page 35

Section VI
Information Systems Media, page 37
Protection requirements • 4-16, page 37
Labeling, marking, and controlling media • 4-17, page 37
Clearing, purging (sanitizing), destroying, or disposing of media • 4-18, page 38

Section VII
Network Security, page 38
Cross-domain security interoperability • 4-19, page 38
Network security • 4-20, page 38

Section VIII
Incident and Intrusion Reporting, page 43
Information system incident and intrusion reporting • 4-21, page 43
Reporting responsibilities • 4-22, page 43
Compromised information systems guidance • 4-23, page 43

Section IX
Information Assurance Vulnerability Management, page 44
Information assurance vulnerability management reporting process • 4-24, page 44
Compliance reporting • 4-25, page 44
Compliance verification • 4-26, page 45
Operating noncompliant information system • 4-27, page 45

Section X
Miscellaneous Provisions, page 45
Vulnerability and asset assessment programs • 4-28, page 45
Portable electronic devices • 4-29, page 46
Wireless local area networks • 4-30, page 47
Employee-owned information systems • 4-31, page 47
Miscellaneous processing equipment • 4-32, page 47

Chapter 5
Certification and Accreditation, page 48
Certification and accreditation overview • 5-1, page 48
Certification • 5-2, page 48
Tailoring • 5-3, page 49
Accreditation • 5-4, page 49
Recertification and re-accreditation • 5-5, page 49
Accreditation documentation • 5-6, page 50
Connection approval process • 5-7, page 50
Designated approving authority • 5-8, page 50
Lead agent of the certification authority • 5-9, page 51
System owner • 5-10, page 52

Chapter 6
Communications Security, page 52
Communications security overview • 6-1, page 52
Protected distribution systems • 6-2, page 53
Approval of protected distribution systems • 6-3, page 53
Radio systems • 6-4, page 54
Telecommunication devices • 6-5, page 54

Chapter 7
Risk Management, page 54
Risk management process • 7-1, page 54
Information operations condition • 7-2, page 55

Appendixes
A. References, page 56
B. Sample Acceptable Use Policy, page 61
C. Management Control Evaluation Checklist, page 67

Table List
Table 4-1: MDEP MS4X, Information Assurance Phased Funding Utilization Plan/Actual Execution Report (RCS: CSIM-62) For period ending 092009 (MMYYYY), page 19
Table 4-2: Investigative levels for users with privileged access (IT-I) to ISs, page 34
Table 4-3: Investigative levels for users with limited privileged access (IT-II) to ISs, page 34

Figure List
Figure B-1: Acceptable use policy, page 62
Figure B-1: Acceptable use policy—Continued, page 63
Figure B-1: Acceptable use policy—Continued, page 64
Figure B-2: Information system user agreements, page 66
Figure B-2: Information system user agreements—Continued, page 67

Glossary

Chapter 1
Introduction

1-1. Purpose
This regulation establishes information assurance (IA) policy, roles, and responsibilities. It assigns responsibilities for all Headquarters, Department of the Army (HQDA) staff, commanders, directors, IA personnel, users, and developers for achieving acceptable levels of IA in the engineering, implementation, operation, and maintenance (EIO&M) for all information systems (ISs) across the U.S. Army Enterprise Infostructure (AEI).

1-2. References
Required and related publications and prescribed and referenced forms are listed in appendix A.

1-3. Explanation of abbreviations and terms
Abbreviations and special terms used in this regulation are explained in the glossary.

1-4. Army Information Assurance Program
a. The Army Information Assurance Program (AIAP) is a unified approach to protect unclassified, sensitive, or classified information stored, processed, accessed, or transmitted by ISs, and is established to consolidate and focus Army efforts in securing that information, including its associated systems and resources, to increase the level of trust of this information and the originating source.
The AIAP will secure ISs through IA requirements, and does not extend access privileges to special access programs (SAPs), classified, or compartmentalized data; neither does it circumvent need-to-know requirements of the data or information transmitted.

b. The AIAP is designed to achieve the most effective and economical policy possible for all ISs using the risk management approach for implementing security safeguards. To attain an acceptable level of risk, a combination of staff and field actions is necessary to develop local policy and guidance, identify threats, problems and requirements, and adequately plan for the required resources.

c. Information systems exhibit inherent security vulnerabilities. Cost-effective, timely, and proactive IA measures and corrective actions will be established and implemented to mitigate risks before exploitation and to protect against vulnerabilities and threats once they have been identified.
(1) Measures taken to attain IA objectives will be commensurate with the importance of the operations to mission accomplishment, the sensitivity or criticality of the information being processed, and the relative risks (the combination of threats, vulnerabilities, countermeasures, and mission impact) to the system. Implementation of an IA operational baseline will be an incremental process of protecting critical assets or data first, and then building upon those levels of protection and trust across the enclave.
(2) Statements of security requirements will be included in the earliest phases (for example, mission needs statements, operational requirements document, capstone requirement document) of the system acquisition, contracting, and development life cycles.

d. An operationally focused IA program requires the implementation of innovative approaches. Through the use of IA best business practices (BBPs) the best ideas, concepts, and methodologies acquired from industry and Army resources will be used to define specific standards, measures, practices, or procedures necessary to meet rapidly changing technology or IA requirements in support of Army policy requirements. IA BBPs allow rapid transitional implementation of IA initiatives to integrate, use, improve, or modify technological or procedural changes as required by policy. BBPs are located at https://informationassurance.us.army.mil.

e. The elements of the Defense in Depth (DiD) strategy focus on three areas: people, operations, and defense of the environment (the latter of which encompasses the computing environment, the networks, the enclave boundaries, and the supporting infrastructure).

f. The AIAP is not a stand-alone program, but incorporates related functions from other standards or policies such as: operations security (OPSEC), communications security (COMSEC), transmission security (TRANSEC), information security (INFOSEC), personnel security, and physical security to achieve IA requirements.

g. Failure to implement proactive or corrective IA security measures, guidance, policy, or procedures may prevent system or enclave accreditation, installation, or operation and may increase system vulnerability to foreign and domestic computer network operation (CNO) activities designed to deny service, compromise information, or permit unauthorized access to sensitive information. IA or network personnel may block access to ISs that reflect poor IA security practices or fail to implement corrective measures.

1-5. Overview
a. The AIAP applies to ISs including, but not limited to, computers, processors, devices, or environments (operating in a prototype, test bed, standalone, integrated, embedded, or networked configuration) that store, process, access, or transmit data, including unclassified, sensitive (formerly known as sensitive but unclassified (SBU)), and classified data, with or without handling codes and caveats. ISs used for teleworking, telecommuting, or similar initiatives; contractor owned or operated ISs; ISs obtained with non-appropriated funds; automated tactical systems (ATSs); automated weapons systems (AWSs); distributed computing environments (DCEs); and systems processing intelligence information are required to adhere to the provisions of this regulation.

b. Commanders of activities requiring limited access by any local foreign national (FN) officials or personnel (including information technology (IT) positions) will follow the provisions of this regulation.

c. This regulation applies equally to the operation, safeguarding, and integrity of the infrastructures (for example, power, water, air conditioning), including the environment in which the IS operates.

d. While no regulation or policy on security measures can ever provide a 100 percent solution, implementation of the concepts, procedures, and recommendations in this regulation will drastically reduce the manageability requirements of assets, and minimize the effects of unauthorized access or loss. The cornerstone philosophy of IA is to design, implement, and secure access, data, ISs, and data repositories; increase trust and trusted relationships; employ technical and operational security mechanisms; deny all unauthorized accesses; and permit necessary exceptions to support Army, DOD, and Joint interagency and multinational (JIM) tactical and sustaining base operations.

e. Army information constitutes an asset vital to the effective performance of our national security roles.
While all communication systems are vulnerable to some degree, the ready availability of low cost IT, freely distributed attack tools, increased system connectivity and asset distribution, and attack-standoff capabilities make computer network attacks (CNAs) an attractive option to our adversaries. Information Assurance capabilities and actions protect and defend network availability, protect data integrity, and provide the ability to implement effective computer network defense (CND). Management of Army information is imperative so that its confidentiality, integrity, availability, and non-repudiation can be ensured, and that users of that data can be properly identified and authenticated.

f. The AEI architecture requires the establishment, verification, and maintenance of trusted enclaves, trusted connectivity, and trusted information and information sources along with the capability to access and distribute that information by leveraging technology and capabilities to amplify that trust.

g. To accomplish these foundational objectives, this regulation establishes requirements as follows:
(1) Provides administrative and systems security requirements, including those for interconnected systems.
(2) Defines and mandates the use of risk assessments.
(3) Defines and mandates the DiD strategy.
(4) Promotes the use of efficient procedures and cost-effective, computer-based security features and assurances.
(5) Describes the roles and responsibilities of the individuals who constitute the IA security community and its system users, and outlines training and certification requirements.
(6) Requires a life cycle management approach to implementing IA requirements.
(7) Introduces the concepts of mission assurance category, levels of confidentiality, and levels of robustness of information.
(8) Implements DODD 8500.1, DODI 8500.2, and Chairman of the Joint Chiefs of Staff Manual (CJCSM) 6510.01 to align IA goals and requirements to support the DOD Information Management Strategic Plan.
(9) Mandates procedures to document the status of accreditations for all ISs fielded by DOD organizations, Army chartered program managers (PMs), and HQDA staff proponents.
(10) Mandates that DOD and Army-level designated approving authorities (DAAs) meet the system accreditation requirements of this regulation before fielding or testing any system that requires connection to an Army network.
(11) Requires the implementation of a configuration management (CM) process.
(12) Describes the Continuity of Operations Plan (COOP).
(13) Provides the foundation for the Networthiness Certification Program in AR 25-1.

h. Other policies, procedures, or directives also govern certain systems. In the event of conflicts among these policies, procedures, or directives, the more stringent requirement will take precedence. When the most stringent policy cannot be determined, the affected Army component will submit a request for a policy decision through their supporting regional chief information officers/functional chief information officers (RCIOs/FCIOs) to the Chief Information Officer/G-6 (CIO/G-6).

i. The mention of commercial products in this regulation does not imply endorsement by either DOD or the Army.

j. Military and civilian personnel may be subject to administrative and/or judicial sanctions if they knowingly, willfully, or negligently compromise, damage, or place Army information systems at risk by not ensuring implementation of DOD and Army policies and procedures. Violations are identified in bolded text included in the following paragraphs 3-3, 4-5, 4-6, 4-12, 4-13, 4-16, 4-20, and 6-5.

k. These provisions may be punished as violations as follows:
(1) Sanctions for civilian personnel may include, but are not limited to, some or all of the following administrative actions: oral or written warning or reprimand; adverse performance evaluation; suspension with or without pay; loss or suspension of access to IS or networks, and classified material and programs; any other administrative sanctions authorized by contract or agreement; and/or dismissal from employment. Sanctions for civilians may also include prosecution in U.S. District Court or other courts and any sentences awarded pursuant to such prosecution. Sanctions may be awarded only by civilian managers or military officials who have authority to impose the specific sanction(s) proposed.
(2) Sanctions for military personnel may include, but are not limited to, some of the following administrative actions: oral or written warning or reprimand; adverse performance evaluation; and loss or suspension of access to IS or networks and classified material and programs. Sanctions for military personnel may also include any administrative measures authorized by service directives and any administrative measures or non-judicial or judicial punishments authorized by the Uniform Code of Military Justice (UCMJ).
(3) Defense contractors are responsible for ensuring employees perform under the terms of the contract and applicable directives, laws, and regulations and must maintain employee discipline. The contracting officer, or designee, is the liaison with the defense contractor for directing or controlling contractor performance. Outside the assertion of criminal jurisdiction for misconduct, the contractor is responsible for disciplining contractor personnel. Only the Department of Justice may prosecute misconduct under applicable Federal laws, absent a formal declaration of war by Congress (which would subject civilians accompanying the force to UCMJ jurisdiction).
For additionalinformation on contractor personnel authorized to accompany U.S. Armed Forces, see DODI 3020.41.0I^a^ter2Responsibilities2-1. Chief Information Officer^G^TheCIO/C^will^c^. Establish and issue IA policy and procedures and serve as tbe focal point for IA programs and funding.^. Develop, review, and coordinate DA input into DOD IA policy documents.c^. Establish and maintain Army standardized evaluations and test methodology certification procedures and securityrequirements as part of tbe accreditation process.c^. Document, develop, coordinate, present, prioritize, and defend IA resource requirements in the planning, programming, and budgeting process.^. CoordinatewiththeDeputyChiefofStaff,C2(DCS,G 2) for the policy,development, dissemination, support,tactics, techniques, and procedures for the design, implementation, and operation of the key management infrastructure(I^MI) and systems to support Army encryption requirements.^ Provide program oversight for Army implementation of the l^MI and funding aspects of the Electronic l^eyManagement System (El^S).^. Prepare the annual IA readiness report./i. ProvidetechnicalandoperationalassistanceandsupporttotbeU.S. Army Audit Agency (USAAA)inits auditsand reviews of ISs.1. Evaluate technological trends in IA and establish a methodology to integrate advancements.^. Provide IA guidance to Army elements in identifying and incorporating requirements consistent with the I^MIrequirements in project development.^. Actas the certificationandaccreditation(Cc^A) designated approvingauthority(DAA)for1Ss with theexceptions found in paragraph 5 8^.7 Provideapointofcontact (POC) withtheDefenselnformation Systems Agency/Center forlnformation SystemsSecurity (DISA/CISS) for advice and assistance and implementation of certification tests and programs for Armyoperated ISs.^. 
Serve as the Army member of the Committee on National Security Systems (CNSS) and the Subcommittees forTelecommunications Security (STS) and Information Systems Security (SISS).^. Provide an Army voting member to the I^ey Management Executive Committee (I^MEC) and .loint I^eyManagement Infrastructure Working Group (.II^MIWG).c^. Provide policy, guidance,andoversightontheemploymentof National Institute of Standards andTechnoIogy(NIST) approved cryptography for the protection of unclassified and sensitive information.^. Appoint the chairperson and altemate chairperson for theTierl System Management 8oard(TSM8),which hasoperations management responsibilities for the Tri-Service EI^MS Common Tier 1 System (CTIS).^. ParticipatewitbtheDCS,C2;U.S. Army Intelligence and Security Command (INSCOM); NetworkEnterpriseTechnology Command/9th Signal Command(Anny) (NETCOM/9* SC (A); 1^^ Information Operations(LAND)Command (1^^ 10 CMD (LAND)); and the U.S. Army Criminal Investigation Command (CID) in analyses and studiesconcemingforeign intelligence threats,criminal intelligence,oroperationalvulnerabilitiesagainst which IA countermeasures will be directed.1^. Appoint, formally,by nameandorganization theDAA forlSsthatprocess Army data,uponrequest, throughformalsignedmemoordigitally signed e-mail. This appointment willbe consistent withparagraph5 8^ throughly.Ensure the concepts of, and strategies within, this regulation are utilized as the basis for networthiness certification per AR 25 1.AR 2 5 - 2 ^ 2 4 October 2007i^anningB^000^^23^^. Provide technical and operational assistance and support to the Army Web Risk Assessment Cell (AWRAC).1^. Provideprogramoversigbtof Communications Security Logistics Activity (CSLA) foran Army cryptographicapplications certification process (when developed).^. 
Appoint tbeDirector,Office of Information Assurance and Compliance (OIAc^C), NETCOM/9* SC (A),as theArmy senior informationsecurity officer under the provisions of tbeFederal Information SystemsManagement Act(EISMA)11^. Coordinate with the DCS, G 2 on Cc^A issues of sensitive compartmented information (SCI) systems andINSCOM/G^ for SIGINT systems, as applicable.^. See additional responsibilities at paragraph 2 2, below.2^2. Principal ^eadc^uarters, Oepartmentof the Army officials and staffPrincipal HODA officials and staff will—c^. Implement IA requirements within their respective functional areas.^. Develop, coordinate, supervise, execute, and allocate the research, development, test, andevaluation(RDTc^E)procurement resources in support of IA program requirements as required in their functional area.c^. Participate collectively with other IA stakeholders in the enterprise planning, acquisition, and operation of IAstrategies.c7. Integrate approved IA tools, doctrine, procedures, and techniques into all ISs under their purview.^. Establish intemalproceduresfor reporting security incidents or violations and report incidents andevents totheservicing regional computer emergency response teams (RCERTs) in accordance with Section VIII, Incident andIntrusion Reporting, consistent with paragraphs 4^21 and 4-22, below.^ SupporttheArmy'sInformation Assurance Vulnerability Management (lAVM)Program notification and correction processes. lAVM notification and correction are DOD and Army operational requirements.Develop andimplementlocalacceptableuse policy (AUP)forallusers authorized accesstoH0DAISs(app8presents a sample AUP)./i. Ensure all systems, for which the principal HODA Army office is the system owner (SO)are accredited, annuallyrevalidated, and re-accredited in accordance with the interim DOD Information Assurance Certification and Accreditation Process (DIACAP).I. 
Ensure the Cc^A package is submitted to the Army certification authority (CA) in sufficient time forareview andoperational IA risk recommendation in support of DAA authorization decision priorto operations or tests on a livenetwork or with live Army data.^'. Request appointment as the DAA for information systems, as appropriate, from the CIO/G6through the OIAc^Cconsistent with paragraph 5 8.^. Appoint appropriate IA personnel per chapter3of this regulation and provide CIO/G6acopy of the appointmentorders./. Identify personnel and procedures at all organizational and subordinate levels, as required, to implement aConfiguration Management 8oard (CM8) or Configuration Control 8oard(CC8) toeffect control and managementmechanisms on all ISs, devices, configurations, and IA implementations. Include IA personnel as members of tbeboard.^. Incorporate related OPSEC, COMSEC, and INFOSEC policies and requirements into a comprehensive IAmanagement program.2-3. Administrative Assistant to the Secretary of the ArmyTbeAASAwill^c^. Serve as the commander for Pentagon Information Technology Services (ITS).^. Request appointment, from the CIO/G6through tbe OIAc^C,as the DAA for tbe Pentagon ITS and IS connectedto the Pentagon Common 1nformationTechnology(CIT)Enterprise, associated swing space, and altemate COOP sitesthrough the national capital region (NCR).c^. Appoint, once authorized, Ceneral Officer (GO), SeniorExecutiveService(SES) or equivalent within AASApurview as DAAs,when they are the SOs or have life cycle responsibility for the IS,as appropriate.Provideacopy ofthe appointments to tbe OIAc^C through iacora(^us.army.mil.1^, Coordinate connectivity requirements to the Department of Defense Intelligence Information System (DODIIS) ITSCI enterprise backbone within the Pentagon CIT enterprise.^. See additional responsibilities at paragraph 2-2 and paragraph 2 8.2-^. Assistant Secretary of the Army for Acguisition, Logistics, andTechnoIogyTbeASA(ALT)will^c^. 
Forward to National Security Agency (NSA) and HODA approved materiel requirements for IA tools andequipment (including cryptographic equipment), along with requests for RDTc^E efforts to fulfill those needs.4l^anningB^000^^23^AR 2 5 - 2 ^ 2 4 October 2007^. Designate an Army materiel developer to conduct and update threat analyses as outlinedby AR 381 11.c^. Monitor NSA, other Service COMSEC, and lARDTc^E projects that are of interest to the Army. Designate Armyprogram managers as defined in AR 70^1 for each project having potential application for Army use. Require thedesignated manages to maintainaliaison between the developing agency and interested Army agencies of the progressof such projects.^. Establish coordinationwithNSAconcurrent life cycle management milestones for development of cryptographicequipment in support of IA initiatives.^. Conduct research and acquire basic knowledge of the techniques and the circuitry required to provide an effectiveCND capability in appropriate types of Army equipment.^Ensure application of capabilities to perform IS risk analysis, reduction, and management^. Ensure that Army program executive officers (PEOs) and direct reporting PMs include IA in all systemsdevelopment activities./i. Ensure ArmyPEOs and direct-reporting PMs obtain Cc^A approval to operate prior to system operations on theArmy network or with Army data.1. See additional responsibilities at paragraph 2 2.2 5 . T h e O e p u t y Chief Of Staff, G-2TheDCS,C2will^c^. Coordinate the development and dissemination of DOD, national,theater, and DA-level lAthreatinformationtotbe Army.^. Coordinate with the CIO/G^ for the policy, development, dissemination, support, tactics, techniques, andprocedures for the design, implementation, and operation of the I^MI and systems to support Army encryptionrequirements.c^. Develop policy and approve procedures for safeguarding and controlling COMSEC and controlled cryptographicitem (CCI) material.(7. 
Ensure all intelligence systems, for which the DCS, G-2 is the Army proponent or sponsor, are accredited or reaccredited in accordance with Director, Central Intelligence Agency Directive (DCID) 6/3.
e. Ensure that the DODIIS Program is implemented and guidance is published.
f. Serve as the approval authority for external IS penetration and exploitation testing of operational networks.
g. Participate with the CIO/G-6, INSCOM, NETCOM/9th SC (A), 1st IO CMD (LAND), and CID in analyses and studies concerning foreign intelligence threats, criminal intelligence, or operational vulnerabilities against which IA countermeasures will be directed.
h. Act as the Service Certifying Organization and DAA for DODIIS processing SCI on the Joint World Wide Intelligence System (JWICS).
i. Act as the CA for SCI systems processing information at Protection Level (PL) 4.
j. Act as the DAA for SCI systems processing information up to PL 3.
k. See additional responsibilities at paragraph 2-2.

2-6. The Deputy Chief of Staff, G-3/5/7
The DCS, G-3/5/7 will—
a. Support the CIO/G-6 in the accomplishment of IA responsibilities.
b. Ensure IA training is integrated and conducted throughout the Army.
c. Support audits and reviews of ISs and networks through operational and technical assistance, as required.
d. Provide guidance, requirements, and oversight for information operations condition (INFOCON) alerting and implementation measures.
e. Provide guidance, requirements, and oversight for OPSEC measures to support an IA management policy.
f. See additional responsibilities at paragraph 2-2.

2-7. The Deputy Chief of Staff, G-4
The DCS, G-4 will—
a. Develop, as the Army independent logistician, logistics policies (including integrated logistics support policy), concepts, procedures, and guidance for logistics support of IA equipment used in support of all Army missions.
b. Prescribe execution of NSA or DOD logistics management directives that apply to classified COMSEC and CCI materiel.
c.
Prescribe and supervise the implementation of procedures for property control and the accounting of CCI materiel during distribution, storage, maintenance, use, and disposal. All guidance will conform to the security standards developed by the DCS, G-2 for safeguarding COMSEC and CCI materiel.
d. Supervise logistics support planning to ensure the availability of materials and publications needed for repair, test measurement, and diagnosis of IA equipment and systems.
e. Provide continuous logistical support for fielded IA material and test equipment.
f. See additional responsibilities at paragraph 2-2.

2-8. Commanders of Army Commands, Army Service Component Commands, Direct Reporting Units, U.S. Army Reserve, Army National Guard, program executive officers, direct reporting program managers, Regional Chief Information Officers, Functional Chief Information Officers, and the Administrative Assistant to the Secretary of the Army
Commanders of ACOMs; ASCCs; DRUs; U.S. Army Reserve; ARNG; Chief, CAR; PEOs; direct reporting PMs; RCIOs/FCIOs; and the AASA are responsible for ensuring that their units, activities, or installations will—
a. Develop and implement an IA program with the hardware, software, tools, personnel, and infrastructure necessary to fill the IA positions and execute the duties and responsibilities outlined in this regulation.
b. Oversee the maintenance, documentation, and updating of the C&A requirements required for the operation of all ISs as directed in this regulation.
c. Implement and manage IT system configurations, including performing IAVM processes as directed by this regulation.
d. Appoint IA and other personnel (for example, alternates) to perform the duties in chapter 3 of this regulation and provide information assurance program manager (IAPM) and/or POC information to the RCIOs, supporting RCERTs/Theater Network Operations and Security Centers (TNOSCs), and the Army Computer Emergency Response Team (ACERT).
The ACOMs/ASCCs IAPMs will also provide reports to the RCIO of the region in which the headquarters is physically located.
e. Appoint DAAs only as authorized in section II and paragraph 5-8.
f. Establish an oversight mechanism to validate the consistent implementation of IA security policy across their areas of responsibility.
g. Ensure annual security education, training, and awareness programs are developed and conducted that address, at a minimum, physical security, acceptable use policies, malicious content and logic, and non-standard threats such as social engineering.
h. Oversee the implementation of IA capabilities.
i. Incorporate IA and security as an element of the system life cycle process.
j. Develop and implement an acceptable use policy for privately owned equipment (for example, cell phones, personal digital assistants (PDAs), wireless devices, and removable media) and ISs prohibited during training exercises, deployments, and tactical operations. Incorporate, as a minimum, the prohibition of utilizing such devices or the limitations of acceptable use, as well as the threat of operational exposure represented by these devices in garrison, predeployment staging, tactical, and operational areas.
k. Develop procedures for immediate notification and recall of IA personnel as assigned.
l. Adhere to and implement the procedures of the networthiness certification process per AR 25-1.
m. Program, execute, and report management decision packages (MDEPs) MS4X and MX5T resource requirements.
n. See additional responsibilities at paragraph 2-2.

2-9. Commander, 1st Information Operations Command
The Commander, 1st IO CMD (LAND) will—
a. Exercise command and control of the ACERT and all of its components (including RCERTs).
b. Establish tactics, techniques, and procedures (TTPs) for the ACERT, RCERTs, and Local Computer Emergency Response Teams (LCERTs) (if established) as required.
c.
Integrate, in conjunction with NETCOM/9th SC (A), computer emergency response, IA, and CND service provider activities into network operations (NETOPS), network management, and information dissemination.
d. Integrate, in coordination with the DCS, G-3/5/7, CND, OPSEC, and INFOCON activities into information operations (IO).
e. Support the Army CND service provider as the focal point for security incidents and violations.
f. Develop and publish incident response guidelines, checklists, and procedures in coordination with law enforcement (LE) and counterintelligence (CI) agencies.
g. Provide status reports per directives on unusual activities occurring on Army networks worldwide.
h. Support the IA security tool repository and provide recommendations for including new tools.
i. Provide tools, methodologies, procedures, and oversight for the vulnerability assessment program and perform vulnerability assessments through approved programs.
j. Develop and maintain an Army CND vulnerability database for trend analysis.
k. Support and maintain Army IAVM message staffing, notification, distribution, and resolution.
l. Develop TTPs for a threat warning and notification process.
m. Develop procedures to issue CND lessons learned identified from incidents, intrusions, analyses, or other technical processes.
n. Maintain Army computer network situational intelligence awareness, including network threat analysis and Internet network intelligence.
o. Participate with the CIO/G-6, DCS, G-2, INSCOM, NETCOM/9th SC (A), and CID in analyses and studies concerning foreign intelligence threats, criminal intelligence, or operational vulnerabilities against which IA countermeasures will be directed.
p. See additional responsibilities at paragraph 2-2 and paragraph 2-8.

2-10. Commanding General, Network Enterprise Technology Command/9th Signal Command (Army)
The CG, NETCOM/9th SC (A) will—
a. Request appointment from the CIO/G-6 as the DAA for the Army enterprise.
b.
Appoint, once authorized, the Director, Enterprise Systems Technology Activity (ESTA) as the DAA for the Army enterprise.
c. Operate, manage, monitor, administer, and defend the Army portion of the global information grid.
d. Perform configuration and patch management for all Army network components and systems.
e. Execute Computer Network Defense Service Provider (CNDSP) and NETOPS missions and functions.
f. Review, coordinate, evaluate, and approve proposed policies, procedures, directives, standards, doctrinal publications, plans, materiel requirement documents, life cycle management documents, basis-of-issue plans, and system certification and accreditation documents for all systems fielded, or planned to be fielded, to Army installations as well as similar documents that have implications for adherence to policy.
g. Establish TTPs to integrate IA/CND service provider activities with system and network management and information dissemination.
h. Provide timely flows of NETOPS data to maintain an analysis view at all levels.
i. Ensure an operational assessment of IA products is conducted before incorporation into systems under NETCOM/9th SC (A) management.
j. Maintain a repository of the status and availability of Army critical systems and networks.
k. Manage the DiD security architecture environment, strategies, connections, and configurations against unauthorized access, manipulation, or destruction.
l. Manage the AEI Technical CCB responsible for the Army security architecture.
Establish baseline configuration management guidelines and technical and operational TTPs; and review, approve, prioritize, and manage change to the AEI.
m. Conduct quarterly vulnerability assessments of top level architecture (TLA) critical assets, devices, servers, and IA implemented devices.
n. Participate with the CIO/G-6, DCS, G-2, INSCOM, 1st IO CMD (LAND), and CID in analyses and studies concerning foreign intelligence threats, criminal intelligence, or operational vulnerabilities against which IA countermeasures will be directed.
o. See additional responsibilities at paragraph 2-2 and paragraph 2-8.

2-11. Commanding General, U.S. Army Training and Doctrine Command
The CG, TRADOC will—
a. Integrate approved IA tools, doctrine, procedures, legalities, and techniques into applicable programs of instruction for TRADOC schools.
b. Develop timely Armywide IA training literature and training aids, leveraging secure electronic distribution and remote access capabilities.
c. Develop, test, and recommend operational and organizational concepts and doctrine to achieve IA goals.
d. Develop and provide IA requirements to the materiel developers and ensure compliance with AR 381-11 and this regulation.
e. Conduct or participate in operational tests of IA implementations as part of system-wide operational tests, as directed.
f. Integrate IA practices into pre-milestone A activities and events as required.
g. See additional responsibilities at paragraph 2-2 and paragraph 2-8.

2-12. Commanding General, U.S. Army Materiel Command
The Commanding General, U.S. Army Materiel Command will—
a. Provide Armywide materiel developer IA support for RDT&E and production.
b. Assist IS functional proponents in identifying security requirements for proposed and existing sustaining base, tactical, and weapons systems.
c. Maintain a repository of tactical IA tools, and distribute tools to fielded tactical systems, as needed.
Coordinate with 1st IO CMD to integrate tactical and sustaining base toolboxes into a seamless repository for Army users.
d. Provide a DA authorized (that is, CSLA) cryptographic advisor to the certification authority (CA) throughout the DIACAP process.
e. See additional responsibilities at paragraph 2-2 and paragraph 2-8.

2-13. Commanding General, U.S. Army Intelligence and Security Command
The Commanding General, INSCOM will—
a. Serve as the Army Service Cryptologic Element (SCE) and point of contact for ISs under the purview of the NSA.
b. Provide support to Army elements on IA matters and advise accreditation authorities on the foreign intelligence threat.
c. Coordinate the C&A for all cryptographic systems and conduct C&A for all Army cryptographic systems at PL 2 (DCID 6/3) and below.
d. Participate with the CIO/G-6, DCS, G-2, 1st IO CMD (LAND), NETCOM/9th SC (A), and CID in analyses and studies concerning foreign intelligence threats, criminal intelligence, or operational vulnerabilities against which IA countermeasures will be directed.
e. See additional responsibilities at paragraph 2-2 and paragraph 2-8.

2-14. Commanding General, U.S. Army Criminal Investigation Command
The Commanding General, CID will—
a. Operate the Computer Crime Investigative Unit (CCIU).
b. Conduct criminal investigations involving intrusions into Army networks and computers.
c. Provide criminal and technical intelligence analyses of vulnerabilities, methodology, tools, techniques, or practices obtained from computer crimes or forensic intrusion analyses to support CND, C&A, and program developers or managers.
d. Participate in IAVA Compliance Verification Team (CVT) inspections.
e.
Conduct crime prevention surveys to identify crime conducive conditions involving Army networks and systems.
f. Serve as chief enforcer of Federal laws governing the investigation of criminal offenses involving networks and systems, serve as the sole entity for LE investigation determinations, and serve as the sole Army interface with Federal and civilian LE agencies.
g. Participate with the CIO/G-6, DCS, G-2, INSCOM, NETCOM/9th SC (A), and 1st IO CMD (LAND) in analyses and studies concerning foreign intelligence threats, criminal intelligence, or operational vulnerabilities against which IA countermeasures will be directed.
h. See additional responsibilities at paragraph 2-2 and paragraph 2-8.

2-15. Chief, Army National Guard
The Chief, ARNG will—
a. Request appointment as the DAA for the ARNG and GuardNet XXI from the CIO/G-6.
b. Appoint, once authorized, the ARNG state Director of Information Management (DOIM)/J6/CIO for individual states in accordance with paragraph 5-8. General officers within the ARNG are state employees, not Title 10 or Title 32 Soldiers; therefore, the state DOIM/J6/CIO will be appointed as DAAs. Provide a copy of these appointments to the CIO/G-6 through the OIA&C.
c. Set the ARNG IA priorities, provide oversight, and ensure the coordination and compliance of the ARNG IA program is accomplished with the CG, NETCOM to leverage Army technical authority standards and ensure compliance with this regulation.
d. See additional responsibilities at paragraph 2-2 and paragraph 2-8.

2-16. Chief, Army Reserve
The CAR will—
a. Request appointment as the DAA for the U.S. Army Reserve (USAR) from the CIO/G-6.
b. Appoint, once authorized, the Army Reserve Command (USARC) Chief of Staff (COS) as the Army Reserve Network (ARNET) DAA when the COS meets the requirements of paragraph 5-8. Provide a copy of this appointment to the CIO/G-6 through the OIA&C.
c.
Set the USAR IA priorities, provide oversight, and ensure the coordination and compliance of the USAR IA program with the CG, NETCOM to leverage Army technical authority standards and ensure compliance with this regulation.
d. See additional responsibilities at paragraph 2-2 and paragraph 2-8.

2-17. U.S. Army Reserve Command Chief of Staff
The USARC COS will—
a. Request appointment as the ARNET DAA, as applicable, from the CAR.
b. Appoint, once authorized, the major subordinate command (MSC) Commander as DAA for command/unit/activities non-ARNET system/network implementations when the MSC meets the requirements of paragraph 5-8. Provide a copy of this appointment to the CIO/G-6 through the OIA&C.
c. Ensure all AR commands/units/activities, to include but not limited to, all off installation Government and non-Government satellites, facilities, and buildings, meet the requirements for connecting physically, logically, and/or virtually to the ARNET backbone.
d. Ensure MSC Commanders implement the AR IA program in accordance with CAR priorities and the CG, NETCOM via the applicable Army technical authority standards and ensure compliance with this regulation.
e. See additional responsibilities at paragraph 2-2 and paragraph 2-8.

2-18. U.S. Army Corps of Engineers Chief of Engineers
The USACE Chief of Engineers (COE) will—
a. Set IA priorities, provide oversight, and ensure the coordination and compliance of the IA program throughout USACE.
b. Ensure the USACE CIO implements the USACE IA program in accordance with USACE priorities and the CG, NETCOM via the applicable Army technical authority standards and ensure compliance with this regulation.
c. See additional responsibilities at paragraph 2-2 and paragraph 2-8.

2-19. U.S. Army Corps of Engineers Chief Information Officer
The USACE Chief Information Officer (CIO) will—
a. Request appointment as the DAA for the USACE Wide Area Network (WAN) and all corporate IS.
b.
Appoint, once authorized, the USACE Division Commanders as DAA for USACE IS as applicable, when the Division Commander meets the requirements of paragraph 5-8. Provide a copy of this appointment to the CIO/G-6 through the OIA&C.
c. See additional responsibilities at paragraph 2-2 and paragraph 2-8.

2-20. Commanding General, Eighth Army
The CG, Eighth Army will—
a. Request appointment as the DAA for Eighth Army from the HQDA CIO/G-6.
b. Appoint, once authorized, the Eighth Army CIO/G-6 as the DAA when the Eighth Army CIO/G-6 meets the requirements of paragraph 5-8. Provide a copy of this appointment to the CIO/G-6 through the OIA&C.
c. Ensure MSC commanders implement the Eighth Army IA program in accordance with Eighth Army priorities and the CG, NETCOM via the applicable Army technical authority standards and ensure compliance with this regulation.
d. See additional responsibilities at paragraph 2-2 and paragraph 2-8.

2-21. Commanding General, U.S. Army Europe
The CG, USAREUR will—
a. Request appointment as the DAA for Army Europe from the CIO/G-6.
b. Appoint, once authorized, the DAAs for USAREUR backbone, tenant and MSC in accordance with the requirements of paragraph 5-8. Provide a copy of this appointment to the CIO/G-6 through the OIA&C.
c. Ensure tenant and MSC Commanders implement the USAREUR IA program in accordance with USAREUR priorities and the CG, NETCOM via the applicable Army technical authority standards and ensure compliance with this regulation.
d. See additional responsibilities at paragraph 2-2 and paragraph 2-8.

2-22. Commanding General, U.S. Army Medical Command
The CG, MEDCOM will—
a. Request appointment as the DAA for MEDCOM from the CIO/G-6.
b. Appoint, once authorized, the DAA for individual Regional Medical Commands (RMC) Commander and MSCs in accordance with paragraph 5-8. Provide a copy of this appointment to the CIO/G-6 through the OIA&C.
c.
Ensure RMC and MSC Commanders implement the MEDCOM IA program in accordance with MEDCOM priorities and the CG, NETCOM via the applicable Army technical authority standards and ensure compliance with this regulation.
d. See additional responsibilities at paragraph 2-2 and paragraph 2-8.

2-23. Program executive officers and direct reporting program/project managers
Program executive officers (PEOs) and program/project managers (including PMs outside the PEO structure responsible for fielding systems to multiple Army organizations) will—
a. Acquire, operate, and support systems within their command or activity per this regulation.
b. Embed IA engineering and capabilities in all system RDT&E activities.
c. Appoint an IAPM to perform those duties listed in paragraph 3-2b.
d. Ensure that designated predeployment information assurance security officers (IASOs) effect continuous coordination with the organizational IA personnel for which the systems are demonstrated, tested, or fielded.
e. Request appointment as the DAA for named acquisition systems developed under their charter from the CIO/G-6 through the OIA&C.
f. Provide the C&A package to the CA for an operational IA risk recommendation supporting the DAA approval to operate decision prior to operational use or testing on a live network or with live Army data.
g. Ensure that the SO makes the C&A package available to the ACOM/ASCC, RCIO IAPM, and NETCOM, 30 days before initial operational test and evaluation (IOT&E) and before deployment of the system.
h. Integrate IA, COMSEC, and TEMPEST into entire system life cycle design, development, and deployment.
i. Address and include the addition of any IT/IA personnel (such as system administrator (SA) or network security managers needed to operate the new or expanded system or network) or access requirements and responsibilities for patch management and system administration as part of the development cost of stated system or network.
j.
Integrate IA practices into pre-milestone A activities and events.
k. Perform acquisition and life cycle management of materiel in support of the IA strategy.
l. Report to HQDA CIO/G-6 the percentage of PEO/PM-programmed funding allocated to the AIAP. The report will include current and planned IA investments.
m. Accomplish all intelligence and threat support requirements outlined in AR 381-11 and this regulation.
n. Enforce IA standards and maintain/report an inventory of IS products, equipment, locations, and contact information.
o. Enforce IAVM compliance measures (for example, notifications, patch management) and incorporate them into life cycle management procedures.
p. Coordinate with CSLA to ensure cryptographic life cycle equipment management is a consideration during the system design phase.
q. See additional responsibilities at paragraph 2-2 and paragraph 2-8.

2-24. Commanders, directors, and managers
Commanders, directors, and managers will—
a. Be responsible for implementing the AIAP in their command or activity.
b. Acquire, operate, and maintain systems within their command or activity per this regulation.
c. Incorporate and define requests for new systems or changes to existing systems, including security requirements necessary for the system's concept of operation. Once validated, include these security requirements into the system design as defined in procurement contracts. Address the addition of IT/IA personnel (such as SAs or network security managers needed to operate the new or expanded system or network) as part of the development cost of stated system or network.
d. Include IO and IA requirements in submissions of commander's critical information requirements (CCIR) or priority intelligence requirements (PIR).
e. Ensure uses of market driven/industry-developed (MDID), commercial-off-the-shelf (COTS), or other products are consistent with IA requirements and do not introduce an unacceptable risk.
f. Appoint appropriate IA personnel per chapter 3 of this regulation.
g.
Ensure that designated pre-deployment IASOs effect continuous coordination with the organizational IA personnel for which the systems are demonstrated, tested, or fielded.
h. Ensure IA, COMSEC, and TEMPEST requirements are incorporated into life cycle planning.
i. Ensure implementation of this regulation is accomplished in compliance with all statutory and contractual labor relations obligations.
j. See additional responsibilities at paragraph 2-2 and paragraph 2-8.

2-25. Garrison commanders
Garrison commanders will—
a. Implement the installation level IA program in accordance with the installation commander priorities and the CG, NETCOM via the applicable continental United States (CONUS) RCIO Army technical authority standards and to ensure compliance with this regulation.
b. Obtain approval to operate the garrison information systems from the first general officer or SES in the chain of command that has obtained the appropriate DAA appointment from the CIO/G-6.
c. Ensure the installation DOIM develops the installation C&A package, and obtains and maintains approval to operate the installation campus area network (ICAN) and any DOIM controlled or managed consolidated service locations (server farms).
d. Ensure all installation tenants, to include but not limited to, all off installation Government and non-Government satellites, facilities, and buildings, meet the requirements for connecting physically and/or virtually to the ICAN (that is, the installation backbone).
e. Coordinate with the supporting NETCOM/9th SC (A) component, ACOM/ASCC, IMA, and tenant organizations for IA implementation and compliance.
f. Acquire, operate, and maintain systems within their installation or activity per this regulation.
g. Maintain the CM of the garrison network and ensure that the installation level CCB/CMB provides oversight support to the installation commander.
h.
Monitor and manage the connection, access, and IA standards for standalone and networked ISs down to the workstation level across all installation and tenant organizations.
i. Manage and oversee the operation of the installation infrastructure throughout the system life cycle.
j. Provide technical and functional IA guidance and assistance in support of network management.
k. Review, before adoption, proposed changes that could affect the operation of the installation infrastructure's network security and operation (confidentiality, integrity, and availability).
l. See additional responsibilities at paragraph 2-2 and paragraph 2-8.

2-26. U.S. Army Reserve major subordinate command
The USAR MSC will—
a. Request appointment as the non-ARNET system/network DAA, as applicable, from the USARC COS.
b. Implement a command/unit/activity level IA program in accordance with CAR priorities and ensure compliance with this regulation.
c. Ensure the command/unit/activity G-6 develops command/unit/activity level certification and accreditation for all non-ARNET system/network implementation.
d. See additional responsibilities at paragraph 2-2 and paragraph 2-8.

2-27. Army National Guard State DOIM/J6/CIO
The ARNG State DOIM/J6/CIO will—
a. Request appointment as the ARNG State DAA, as applicable, from the Chief ARNG. General officers within the ARNG are state employees, not Title 10 or Title 32 Soldiers; therefore, the state DOIM/J6/CIO will perform the state DAA duties once appointed.
b. Implement the ARNG IA program in the state, as applicable, in coordination with the ARNG Chief to ensure compliance with this regulation.
c. Ensure all ARNG State tenants, to include but not limited to, all ARNG state government and non-Government satellites, facilities, and buildings, meet the requirements for connecting physically and/or virtually to the ARNG state and ARNG backbone (that is, GuardNet XXI).
d.
See additional responsibilities at paragraph 2-2 and paragraph 2-8.

2-28. Regional Chief Information Officer
The RCIO, as CG, NETCOM representative will—
a. Be responsible for ensuring the technical authority enterprise standards are reflected in the installation IA priorities and implemented through coordination with the appropriate IC, garrison commander and DOIM.
b. See additional responsibilities at paragraph 2-2, paragraph 2-8, and paragraph 3-2.

2-29. Army Reserve command/unit/activity G-6
The USAR command/unit/activity G-6 will—
a. Implement an IA program as directed by the USAR MSC Commander that reflects the CAR priorities and ensure compliance with this regulation.
b. Ensure USAR standards for connections to the ARNET are met.
c. Develop non-ARNET system/network implementations certification and accreditation, and provide to the CA for an operational IA risk recommendation supporting the DAA approval to operate decision prior to operational use on a live network or with live Army data.
d. See additional responsibilities at paragraph 2-2 and paragraph 2-8.

2-30. Director of Information Management
The DOIMs will—
a. Implement an IA program as directed by the garrison commander that reflects the IC priorities and with the CG, NETCOM via the applicable Army technical authority standards and is compliant with this regulation.
b. Ensure Army standards for connection to the ICAN are met.
c. Develop the installation certification and accreditation package, and provide to the Army CA for an operational IA risk recommendation in support of a DAA approval to operate decision.
d. Obtain and maintain approval to operate for the installation ICAN and any DOIM controlled or managed consolidated service locations (server farms) from the appropriate DAA.
e. See additional responsibilities at paragraph 2-2 and paragraph 2-8.

Chapter 3
Army Information Assurance Program Personnel Structure

3-1.
Personnel structure overview
Commanders will establish an IA personnel structure to implement the AIAP. These personnel will be the focal points for IA matters within their commands or activities and will have the authority to enforce, with DAA concurrence, security policies and safeguards for their systems or networks. This authority includes recommending to the DAA suspension of system operations based on an identified security deficiency, poor security practice, or unacceptable risk. Position the IA staff in the organization to ensure operations do not negate system security, except as directed by the DAA. The IA staff will be involved in the acquisitioning and contracting for ISs or IS services.

3-2. Information assurance personnel structure
Commanders will position IA personnel organizationally to provide a balance between security and operational missions. The following is the AIAP personnel structure and activities to be performed.
a. RCIO. NETCOM/9th SC (A) RCIOs have the authority and responsibility to—
(1) Translate strategic plans and technical guidance provided into objectives, strategies, and architectural guidance.
(2) Exercise staff supervision and technical control for all IT organizations within their region and execute responsibilities for baseline services (communication and system support, visual information, documents management, IA, INFOCON, automation), either operationally or programmatically, as well as oversight of NETOPS.
(3) Provide all personnel operating on Army installations the IT baseline services in a manner consistent with policies and regulations.
(4) Provide administrative, financial, and managerial IT support to any Army installation located within their geographic region.
(5) Coordinate the management of outsourced IT services.
(6) Define the baseline and objectives, and establish specific service levels detailing contractual arrangements and satisfactory contractor performance.
(7) Lead enterprise level initiatives that assure users' training requirements are considered
and integrated into processes for developing, implementing, and maintaining capabilities and systems.
(8) Act as the focal point for command, control, communications, and computers for information management (C4IM) leadership and coordination of IT activities within the region.
(9) Execute the duties assigned under the NETCOM/9th SC (A) CONOPS for Service Level Agreements, Configuration Management, and Networthiness Certification Program.
(10) Ensure all ISs, networks, and devices are scanned quarterly as a minimum, including, but not limited to, scanning for vulnerabilities, poor security practices, noncompliance, backdoor connections, unauthorized modems, malicious logic, and unauthorized network connections; take actions to report all violations.
(11) Ensure implementation of AIAP policy and procedures within their region.
(12) Oversee the assignment of regional IA personnel and appoint a regional IAPM.
(13) Provide supported commands, organizations, and agencies with POC information, especially if geographically dispersed across several regions.
b. IAPM. The IAPM will be accountable for establishing, managing, and assessing the effectiveness of all aspects of the IA program within a region, command, or functional activity. A contractor will not fill the IAPM position. (Temporary assignment of contractor personnel for a specified time, as an exception, is authorized until the position can be properly filled.) The IAPM must be a U.S. citizen and hold a U.S. Government security clearance and access approval commensurate with the level of responsibility. Designate this position as information technology I (IT-I). The IAPM must be IA trained and certified, and maintain the certification.
The IAPM will—
(1) Develop, manage, and maintain a formal IA security program that includes defining the IA personnel structure and ensuring the appointment of an information assurance network manager (IANM), information assurance network officer (IANO), information assurance manager (IAM), and an IASO at subordinate levels.
(2) Enforce Army and regional IA policy, developing command unique procedures as needed.
(3) Ensure that IA personnel implement vulnerability remediation bulletins and advisories that affect the security of their ISs.
(4) Ensure that all IA personnel receive the necessary technical (for example, operating system, network, security management, and system administration) and security training to carry out their duties and maintain certifications.
(5) Serve as the primary point of contact for IA-related actions. This includes IAVM reporting, compliance, vulnerability assessments, and feedback to Army staff on current and upcoming IA policies.
(6) As applicable, Regional and Command IAPMs will provide their supporting RCERT or TNOSC with guidance and priorities regarding IA/CND support to their regions, command, and subordinates.
(7) Manage the DIACAP program to ensure compliance with requirements.
(8) Ensure the development of system C&A documentation by reviewing and endorsing such documentation and recommending action to the DAA.
(9) Enforce the use of Army approved procedures for clearing, purging, reusing, and releasing system memory, media, output, and devices.
(10) Ensure DAAs maintain a repository for all systems' C&A documentation and modifications.
(11) Ensure that security violations and incidents are reported to the servicing RCERT in accordance with Section VIII, Incident and Intrusion Reporting.
(12) Ensure that RCERT directed protective and corrective measures are implemented for vulnerabilities or incidents remediation.
(13) Identify data ownership (including accountability, access, and special handling requirements) for each IS or network within their
authority.(14) Conduct announced and unannounced IA assessments.(15) Regional lAPMs will maintain liaison with appropriate Army theater and DOD activities, at a minimumincluding C10/C^, RCIO, DISA, NSA, the Defenselntelligence Agency (DIA), HODA, 1st 10 CMD, ACERT,supporting RCERT/TNOSCCID, and INSCOM elements(16) Program, manage, execute, and report MDEPs MS4X and MX5T resource requirements.(17) Administer an IA management control evaluation programseparate from, or in support of, Force ProtectionAssessment Teams (FPATs).(18) Serve as a member of the configuration board where one exists.(19) IncoordinationwiththeDCS,C 3, DCS, C 2, and CIO/C 6, provide technical and non-technical informationto support a commander's INFOCON program.(20) Ensure that program controls are in place to confirm user access requirements.(21) The ACOM/ASCC/functional lAPMs will ensure that any ACOM/ASCC sponsored or developed uniquesystems are fully accredited and certified prior to connection to the network.Ensure that any proposed distribution willmeet Networthiness certification and tbe NETC0M/9th SC (A) connection approval process, and fulfill all requirements as a standard PM-developed fielding prior to distribution.c^. T^^^ic^i^di/7^/^^.The1ANM(if appointed) may serve as tbe altemate lAPM.Acontractor will not fill tbe lANMposition.(Temporary assignment of contractor personnel foraspecified period, as an exception, is authorized, until theposition can be properly filled.)Tbe1ANM must beaU.S.citizen and holdaU.S.Government security clearance andaccess approval commensurate with the level of responsibility. This position will be designated IT I . The lANM mustbe IA certified and maintain his or her certification. 
The IANM, under the purview of the IAPM, will—
(1) Provide direct support to the IAPM on matters of CND and the regional/command IA program.
(2) Develop and oversee operational (technical) IA implementation policy and guidelines.
(3) Advise the IAPM or DAA on the use of specific network security mechanisms.
(4) Evaluate threats and vulnerabilities to ascertain the need for additional safeguards.
(5) Assess changes in the network, its operational and support environments, and operational needs that could affect its accreditation.
(6) Ensure procurement actions, installations, and modifications to existing infrastructure comply with Army approved IA architectural guidance.
(7) Develop and staff IA technical policy and procedures for all networks.
(8) Ensure that all networks on the installation or activity for which they are responsible, including tenant networks accessing the host installation's infrastructure, are planned, installed, managed, accredited, maintained, and operated per the security requirements of this regulation and the standards required for connectivity and classification of the network concerned.
(9) Develop and issue network security policy, guidance, and countermeasure implementation instructions to assigned and tenant activities.
(10) Oversee periodic use of authorized scanning and assessment tools.
(11) Assist the IAPM in monitoring and enforcing the IAVM and INFOCON processes.
(12) Serve as a member of the CCB where one exists.
d. IAM. Appoint IAMs at all appropriate levels of command. This includes subordinate commands, posts, installations, and tactical units. Appoint an IAM as needed for those Army activities responsible for project development, deployment, and management of command-acquired software, operating systems, and networks.
A contractor will not fill the MSC, installation, or post IAM positions and the person filling the position will be a U.S. citizen. Commands, activities, or organizations with multiple IAMs will appoint a senior IAM for their command, activity, or organization. In installations with multiple IAMs, the Installation IAM is the Senior IAM. All IAMs will hold a U.S. Government security clearance and access approval commensurate with the level of information processed by the system. This position will be designated IT-I, IT-II, or IT-III. The IAM must be IA trained and certified, and must maintain his or her certification. The IAM will—
(1) Develop and enforce a formal IA security and training program.
(2) Enforce IAVM dissemination, reporting, compliance, and verification procedures as described in CJCSM 6510.01.
(3) Report security violations and incidents to the servicing RCERT in accordance with Section VIII, Incident and Intrusion Reporting.
(4) Conduct security inspections, assessments, tests, and reviews.
(5) Manage IASOs, as required, to establish the scope of responsibilities and the technical and security training requirements.
(6) Conduct semi-annual reviews of all ISs and networks to ensure no security changes have been made to invalidate the C&A.
(7) Negotiate C&A issues with the DAA, or his or her designated representative, for incoming systems and make recommendations to the commander on additional protection mechanisms necessary prior to operation of the incoming ISs.
(8) Maintain training and certification records for IA personnel and user IA awareness training records.
(9) Ensure the use of Army approved procedures for clearing, purging, reusing, and releasing system memory, media, output, and devices.
(10) Review all IA C&A support documentation packages and system fielding, operations, or upgrades requirements to ensure accuracy and completeness, and that they meet minimal risk acceptance standards.
(11) Maintain a repository for all systems C&A documentation and modifications, version control, and management of GOTS, COTS, and non-developmental items (NDIs) for his or her organization or site.
(12) Identify data ownership (including accountability, access, and special handling requirements) for each IS or network within their authority.
(13) Verify that all ISs within the scope of responsibility are properly certified and accredited in accordance with DIACAP and CM policies and practices before operating or authorizing the use of hardware and software on an IS or network.
(14) Serve as a member of an applicable CCB, where one exists.
(15) Ensure that IA personnel are maintaining and auditing access and log data.
(16) Assist the IAPM to identify and validate IA resource requirements.
(17) Provide input to the IAPM for management controls.
(18) The Installation IAM will provide policy and guidance to all IAMs on an installation.
(19) Tenant IAMs will assist and support Installation IAMs.
(20) Installation IAMs will provide reports to the RCIO IAPM.
e. IANM and IANO. The garrison commander or manager of the installation or activity responsible for the network will appoint an IANM for each installation or group of networks at all appropriate levels of command below ACOM and DA staff and field operating agencies, including subordinate commands, posts, installations, and tactical units. Appoint IANOs to assist IANMs as required. IANM and IANO positions will be designated IT-I or IT-II. A contractor will not fill the Installation IANM position. The IANM must be a U.S. citizen and hold a U.S. Government security clearance and access approval commensurate with the level of responsibility.
Each IANM and IANO must be IA and vulnerability assessment technician (VAT) certified and must maintain his or her certification. The IANM and IANO, in addition to providing direct support to the IAM, will—
(1) Implement the IA program to ensure the AEI is operational and secure.
(2) Comply with and implement policy received from the appropriate network security manager or the IAM.
(3) Conduct reviews of the network architecture for vulnerabilities.
(4) Ensure measures and procedures used at network nodes support the security integrity of the network and comply with applicable directives.
(5) Develop, issue, and implement security procedures and protocols governing network operations per this regulation.
(6) Prepare, disseminate, and maintain plans, instructions, and standing operating procedures (SOPs) concerning network security.
(7) Conduct reviews of network threats and vulnerabilities per this regulation and the IAVM process.
(8) Report security violations and incidents to the servicing RCERT in accordance with Section VIII, Incident and Intrusion Reporting.
(9) Review and evaluate the effects on security of changes to the network, including interfaces with other networks.
(10) Perform required monitoring of network resources per this regulation.
(11) Ensure the use of Army approved IA products from the IA Approved Products List.
(12) Implement IA and IAVM reporting and compliance procedures as set out in CJCSM 6510.01.
(13) Analyze and maintain network audit data.
(14) Ensure adequate network connectivity by making proper decisions concerning levels of confidentiality and robustness for the system.
f. IASO. The commander or manager/director of the activity responsible for the ISs will appoint an IASO for each IS or group of ISs. The same IASO may be appointed for multiple ISs.
The IASO position will be designated IT-I, IT-II, or IT-III. A contractor may not fill MSC, installation, or post IASO positions at IT-I, if created. The IASO must be IA certified and maintain his or her certification. Appoint pre-deployment or operational IASOs for developmental systems with the applicable responsibilities. DOD uses the term IAO for IASO responsibilities. All IASOs will—
(1) Enforce IA policy, guidance, and training requirements per this regulation and identified BBPs.
(2) Ensure implementation of IAVM dissemination, reporting, and compliance procedures.
(3) Ensure all users meet the requisite favorable security investigations, clearances, authorization, need-to-know, and security responsibilities before granting access to the IS.
(4) Ensure users receive initial and annual IA awareness training.
(5) Ensure log files and audits are maintained and reviewed for all systems and that authentication (for example, password) policies are audited for compliance.
(6) Prepare, distribute, and maintain plans, instructions, and SOPs concerning system security.
(7) Review and evaluate the effects on security of system changes, including interfaces with other ISs, and document all changes.
(8) Ensure that all ISs within their area of responsibility are certified, accredited, and reaccredited.
(9) Maintain and document CM for IS software (including IS warning banners) and hardware.
(10) Pre-deployment or operational IASOs will ensure system recovery processes are monitored and that security features and procedures are properly restored.
(11) Pre-deployment or operational IASOs will maintain current software licenses and ensure security related documentation is current and accessible to properly authorized individuals.
(12) Tenant IASOs will support and assist tenant IAMs (or the installation IAM if no tenant IAM exists).
(13) Report security violations and incidents to the servicing RCERT in accordance with Section VIII, Incident and Intrusion Reporting.

3-3. Information assurance support personnel
In addition to the above described IA structure, other personnel have crucial responsibilities.
a. System and network administrators. System administrators (SAs) and network administrators (NAs) must be designated IT-I, IT-II, or IT-III (see para 4-14). Each SA/NA must be trained, experienced, IA certified, and currently certified on the ISs that they are required to maintain. The SA/NA should be a U.S. citizen and must hold a U.S. Government security clearance and local access approvals commensurate with the level of information processed on the system or network. SA/NA responsibilities include, but are not limited to, implementing the AIAP within their command, installation, or activity. SA/NAs will be designated on appointment orders and will—
(1) Enforce the IS security guidance policies as provided by the IAM and perform IASO duties if an IASO has not been appointed.
(2) Enforce system access, operation, maintenance, and disposition requirements.
(3) Ensure that personnel meet required security investigation, clearance, authorization, mission requirement, and supervisory approval before granting access to the IS.
(4) Report security violations and incidents to the servicing RCERT in accordance with Section VIII, Incident and Intrusion Reporting.
(5) Conduct required IAVM scanning and vulnerability assessments with approved software as authorized by their IAM/IASO.
SAs/NAs are not limited to only IAVM scanning, but should be conducting comprehensive network assessments of their networks as authorized.
(6) Ensure CM includes all pertinent patches and fixes by routinely reviewing vendor sites, bulletins, and notifications and proactively updating systems with fixes, patches, definitions, and service packs with IAM or IAPM approval.
(7) Ensure any system changes resulting from updating or patching are reported to the IAM/IASO.
(8) Record IAVM compliance in the Asset and Vulnerability Tracking Resource (A&VTR) database.
(9) Maintain current anti-virus (AV) engines and definitions on all ISs.
(10) Review and verify currency of user accounts, accesses, and logins. Remove departing users' accounts before departure. Terminate inactive accounts verified as no longer required that exceed 45 days.
(11) Suspend user accounts for the following types of actions: actions that knowingly threaten, damage, or harm the IS, network, or communications security; revocation, suspension, or denial of security clearance or interim security clearance investigations; or unauthorized use of IS and networks per para 4-5s.
(12) Remove or disable all default, guest, and service accounts in ISs or network devices, and rename administrative accounts as applicable.
(13) Maintain and use at least 2 separate accounts for access to network resources, 1 for their privileged level access and a separate general user, non-privileged level account for routine procedures.
(14) Review IS and network audit logs and log files, and report anomalous or suspicious information in accordance with Section VIII, Incident and Intrusion Reporting.
(15) Monitor IS performance to ensure that recovery processes, security features, and procedures are properly restored after an IS has been rebooted.
(16) Monitor IS performance to ensure that processes, security features, and operating system configurations are unaltered.
(17) Perform equipment custodian duties as necessary.
(18) Notify the IAM or IAPM when a system no longer processes sensitive or classified information, or when changes occur that might affect C&A, to obtain disposition or resolution instructions.
(19) Ensure CM for security-relevant IS software (including IS warning banners) and hardware is maintained and documented.
(20) Implement and test IS and data backup procedures for integrity.
(21) Prohibit attempts to strain or test security mechanisms or to perform network line or keystroke monitoring without authorization.
(22) Establish audit trails, conduct reviews, and create archives as directed by the IAM.
(23) Will sign a Privileged-level Access Agreement (PAA) and a Non-Disclosure Agreement (NDA) as a prerequisite to maintaining their positions. Reference the IA BBP on PAA; AUP (https://informationassurance.us.army.mil).
b. Data owners. Data owners will, at a minimum, provide guidance or feedback to the System Owner (SO) concerning—
(1) The confidentiality of information under the data owner's purview.
(2) The DIACAP team's decision regarding the level of classification, confidentiality, integrity, availability, encryption, and protection requirements for the data at rest or in transit.
(3) Specific requirements for managing the owner's data (for example, incident response, information contamination to other system/media, and unique audit requirements).
(4) Whether FNs may access ISs accredited under this regulation. Access must be consistent with DOD, DA, and DIA governing directives (for example, AR 380-10 and DCIDs 1/7 and 5/6).
c. Users. Use of Government IS and access to Government networks is a revocable privilege, not a right. Users are the foundation of the DiD strategy and their actions affect the most vulnerable portion of the AEI. Users must have a favorable background investigation or hold a security clearance and access approvals commensurate with the level of information processed or available on the system.
Users will—
(1) Comply with the command's AUP for Government owned ISs and sign an AUP prior to or upon account activation.
(2) Complete initial and/or annual IA training as defined in the IA training BBP (https://informationassurance.us.army.mil).
(3) Mark and safeguard files, output products, and storage media per the classification level and disseminate them only to individuals authorized to receive them with a valid need to know.
(4) Protect ISs and IS peripherals located in their respective areas in accordance with physical security and data protection requirements.
(5) Practice safe network and Internet operating principles and take no actions that threaten the integrity of the system or network.
(6) Obtain prior approval for the use of any media (for example, USB, CD-ROM, floppy disk) from the SA/IAM.
(7) Scan all files, attachments, and media with an approved and installed AV product before opening a file or attachment or introducing media into the IS.
(8) Report all known or suspected spam, chain letters, and violations of acceptable use to the SA, IAM, or IASO.
(9) Immediately stop using an infected IS; and report suspicious, erratic, or anomalous IS operations, and missing or added files, services, or programs to the SA/IASO in accordance with local policy.
(10) Not disclose their individual account password or pass phrase authenticators.
(11) Invoke password-protected screen locks on your workstation after not more than 15 minutes of non-use or inactivity.
(12) Log off ISs at the end of each workday.
(13) Access only that data, control information, software, hardware, and firmware for which the user is authorized access.
(14) Access only that data that they are authorized or have a need to know.
(15) Assume only authorized roles and privileges as assigned.
(16) Users authorized Government-provided IA products (for example, AV or personal firewalls) will be encouraged to install and update these products on their personal systems and may be required to do so as directed by the DAA and documented in the C&A package for any approved remote access.
d. [title illegible in scan]. Execute responsibilities as required per this regulation and AR 380-[number illegible in scan].
e. [title illegible in scan]. Execute responsibilities as required in AR 381-14.
f. [title illegible in scan]. Senior intelligence officers (SIOs) or command intelligence officers (DCSINT/G2s/S2s) will—
(1) Ensure the command statement of intelligence interest (SII) (AR 381-10 and AR 381-20) registers requirements for the receipt of validated intelligence adversely affecting the integrity and reliability of ISs.
(2) Provide assistance in the identification of threat factors affecting the risk management approach for implementing security safeguards.
g. [title illegible in scan]. Execute responsibilities as required by AR 525-13.
h. [title illegible in scan]. Execute responsibilities as required by FM 3-13.
i. [title illegible in scan]. The primary OPSEC vulnerability is information made publicly accessible through Web sites and Web-enabled applications. Commanders and Directors will develop and implement an OPSEC review plan as part of their inspection programs. All content placed on a Web site will be reviewed for OPSEC sensitive information. Additionally, execute responsibilities as required per AR 530-1.
j. Public affairs officers (PAOs). Execute IA responsibilities as required per this and AR 25-1.
k. [title illegible in scan]. Include IA requirements in the acquisition phases and execute responsibilities as required by DOD 5000.2-R and NSTISSP No. 11.
l. [title illegible in scan]. Execute responsibilities per this regulation and AR 25-1.
m. DAAs (see para 5-[number illegible in scan]).
(1) The DAA will—
(a) Be a U.S. citizen.
(b) Hold a U.S. Government security clearance and access approvals commensurate with the level of information processed by the system under his or her jurisdiction.
(c) Be an employee of the U.S. Government and meet the grade requirements identified in paragraph 5-8.
(d) Complete the DAA Basics Computer Based Training prior to performing the duties of DAA.
(e) Request appointment from the CIO/G-6 for IS by name.
(f) Ensure the DAA position is designated as an IT-I based on the duties assigned and the expected effects on the Army mission.
(g) Meet training and certification requirements in accordance with NSTISSI No. 4012.
(h) The DAA will understand the operational need for the systems and the operational consequences of not operating the systems. The DAA will have an in-depth knowledge of DiD to drive state-of-the-art acquisition, focus a robust training program, and institute executable policy across the IA enterprise.
(2) The DAA will ensure the following as a minimum—
(a) Proper C&A based on systems environment, mission assurance category (MAC) level, confidentiality level, and security safeguards in accordance with this regulation and the Interim DIACAP.
(b) Issue written memo or digitally signed email IA C&A authorization statements (that is, interim approval to operate (IATO), interim authorization to test (IATT), approval to operate (ATO), denial of authorization to operate (DATO)), after receipt of CA recommendation.
(c) Maintain records (including use of IA tools) for all IS C&A activities under his or her purview.
(d) Accomplish roles and responsibilities as outlined in this regulation during each phase of the accreditation process and for each IS as required.
(e) Ensure operational IS security policies are in place for each system, project, program, and organization or site for which the DAA has approval authority.
(f) Incorporate security, C&A, and Networthiness as an element of the life cycle process.
(g) Ensure data owner requirements are met before granting any FN access to the system.
(h) Consider and acknowledge CI and criminal intelligence activities during the C&A process.
(i) Report security-related events to affected parties (for example, data owners, all involved DAAs).
DAAs must coordinate with investigative activities (for example, CCIU, RCERT) before making notifications.
(j) Assign written security responsibilities to the individuals reporting directly to the DAA (for example, IAM or an IASO if an IAM does not exist).
(k) Appoint a CA for each IS (or group of ISs) and network.
(l) Ensure CSLA certification of cryptographic applications occurs during the C&A process.
n. CA. Authority and responsibility for certification is vested in the Army FISMA Senior IA Officer (SIAO). The Director, OIA&C, NETC-EST-I, was appointed FISMA SIAO by the CIO/G-6 and will be the single Army certification authority (see para 5-2).
o. Agents of the certification authority (ACA). (See also para 5-9.) The Army CA will maintain a list of qualified Government organizations and labs, as Agents of the CA (ACA), to perform the certification activities. The ACAs, funded by the SOs, are available to provide SOs with certification capabilities. Organizations can request appointment as an ACA by following the process in the ACA BBP.
p. SO. A Government SO will be identified for each IS used by or in support of the Army. The SO is responsible for ensuring the security of the IS as long as it remains in Army inventory, or until transferred (temporarily or permanently) to another Government person or organization and such transfer is appropriately documented, and provided as an artifact to the accreditation package (see para 5-10).
q. [title illegible in scan]. Army tenant units or activities must comply with the IA requirements of their parent ACOM/ASCC and their supporting installation. Army and non-Army tenant operations must comply with the host installation's IA policy if they connect to the installation's information infrastructure. Army tenant units or activities and units based in or under operational control (OPCON) of an ACOM/ASCC other than their parent will comply with the IA requirements of both parent and host commands.
Address unresolved conflicts of IA policy per this regulation through local command channels and RCIOs to HQDA, CIO/G-6. Until CIO/G-6 resolves the conflict, the provisions of this regulation will apply, including those pertaining to the use of gateways or information management resources as pathways to connect their ISs. If the non-Army tenant uses any part of the host installation infrastructure, the installation IAM will require the use of CM controls consistent with the installation's information management and CM process. All tenant activities will—
(1) Identify and coordinate all system upgrades, fieldings, pilots, tests, and operations of new or upgraded systems with the installation IAM, DAA, and DOIM.
(2) Identify ISs and provide the approved C&A documentation to the installation IAM.
(3) Identify their security support requirements to the installation IAM and provide technical assistance, as required.
(4) Identify appropriate IA personnel to the installation IAM.
(5) Support installation IA efforts and requirements, and identify constraints in sufficient time to permit coordination and preparation of a viable IS security solution.
(6) Coordinate and conduct vulnerability assessments or compliance scanning, and report completion and results as required.

Chapter 4
Information Assurance Policy

Section I
General Policy

4-1. Policy overview
This chapter provides policy to implement IA requirements developed to respond to the IA challenge, as defined in Public Law, National Security, DOD, and Army directives, policies, and regulations.
a. Implement all security analyses, security engineering, and security countermeasures to protect ISs within the framework of risk management and adherence to public laws, DOD directives, and Army regulations.
b. Define a security policy and a protection profile for ISs during concept development. Consider security requirements based on these items throughout the IS life cycle.
c. The IS developer will ensure the early and continuous involvement of the functional proponent, threat and risk assessors, users, IA personnel, data owners, certification authorities, and DAAs in defining and implementing security requirements of the IS.
d. Statements of security requirements will be included in the acquisition and procurement specifications and contracts for ISs, products, and services. Purchases will be in accordance with Army contracting and acquisition guidelines, Blanket Purchase Agreements (BPAs), and IA-approved products. NIST Special Publication 800-64 Rev 1 may be referenced for specification, tasks, and clauses that are used in writing contracts. The statements will reflect an initial risk assessment and will specify the required protection level per DODD 8500.1 and DODI 8500.2.
e. The ACOMs, ASCCs, DRUs, direct reporting PMs, or functional proponents will not field, and commanders will not accept, systems—
(1) That do not meet minimum security standards stated in the acquisition and procurement specifications.
(2) For which a C&A authorization has not been obtained from the appropriate DAA.
f. Commanders are responsible for ensuring that ISs under their purview are operated in a manner consistent with the system C&A package and this regulation.
g. Development and modification to existing ISs will be performed in a manner that makes security an integral part of the development, acquisition, fielding, and operational processes.
h. All ISs will be subjected to the acquisition life cycle per AR 70-1.
i. AR 525-13 prescribes policies and procedures for the Army antiterrorism program and assigns responsibilities for including defensive information operations.

4-2. Funding
HQDA will manage and provide annual IA initiatives funding guidance and support required for Management Decision Packages (MDEPs) MS4X and MX5T, and others as appropriate. Funding guidance will change from year to year, and CIO/G-6 will publish annual guidance on the submission of IA requirements and the CIO/G-6 validation processes of those submitted requirements. This funding and budgeting process will continue under the Army Information System Security Program (AISSP) direction and guidance. This annual guidance provided to IAPMs and other appropriate personnel will identify valid IA submission requirements and the type of information required. CIO/G-6 will present validated IA requirements to the appropriate Program Evaluation Group (PEG).
a. MDEP MS4X funds. The RCIOs and ACOMs/ASCCs will provide the MDEP MS4X Report (illustrated in table 4-1) to the HQDA, CIO/G-6, as indicated below—
(1) Submit fiscal year (FY)-phased execution plans to the CIO/G-6 no later than 10 August of each year.
(2) Funded commands must provide a detailed midyear and yearend actual execution report.
(a) The midyear actual execution report is due to the CIO/G-6 not later than 10 May of each fiscal year.
(b) The yearend actual execution report is due to the CIO/G-6 not later than 10 October of each fiscal year.
(c) Both the midyear and yearend actual execution reports must be tied to phased execution plans and reconciled with the official Execution Database Summary (218) report.
(d) Review execution reports for unauthorized expenditures and unauthorized fund reprogramming.
(e) HQDA, CIO/G-6 will monitor program execution on a regular basis.
(f) Commands receiving MDEP MS4X funds will submit semi-annual reports.
(Reporting Requirements (RCS: CSIM-62))

Table 4-1
MDEP MS4X, Information Assurance Phased Funding Utilization Plan/Actual Execution Report (RCS: CSIM-62)
For period ending 092009 (MMYYYY)
Columns (one row per line item):
- Project execution Item (for example, training (what type and number of participants); specific equipment items)
- Phased Fund Utilization Plan ($000)
- Estimated cost ($000)
- Actual obligation ($000)
- Date obligated (09/08)
- Actual execution data (09/09)
- Remarks (for example, status of procurement action, explanation for nonexecution of funds in line with execution plan; explain what specific equipment items will be used for)

b. MDEP MX5T funds. MDEP MX5T funds are used in centralized procurement of COMSEC and IA equipment within the Army. The following guidance is provided:
(1) Commanders are responsible for developing their respective command and combatant command-level MX5T requirements. Inputs will be staffed through their local IA channels and provided to the RCIO and HQDA for all their sub-activities and subordinate commands.
(2) Garrison commanders and tenant activities will report INFOSEC, COMSEC, and IA requirements to their respective RCIOs.
(3) PEOs are responsible for developing, managing, and providing input to the HQDA for all their PMs.
(4) A PM that reports directly to HQDA is responsible for developing requirements and providing his or her input to HQDA.
(5) Forecast data over a 15-year period for the purpose of short-term, mid-term, and long-term funding projections. Provide this data to the CSLA database located at Fort Huachuca, Arizona.
Provide the following minimum data:(a) Name of INFOSEC, COMSEC, or IA system, equipment, or product needed.(b) Name of system requiring INFOSEC, COMSEC, or IA systems, equipment, or products.(c) Quantity of each type of INFOSEC, COMSEC, or IA equipment needed starting with the first year of theprogram objective memorandum (POM).(d) Name of the approving authority.AR 25-2 • 24 October 2007ManningB_0001625419(^^^(^(^(^^PointNameShortOtherof contact's name, mailing address, and e-mail and Defense Message System (DMS) addresses.o f operational requirements document (ORD) and date approved.description of system.information as directed b y H Q D A C I O / C ^ or D C S , G 3 .(6) Submission of un resourced requirements will be to CIO/C 6, Attention: NETC ESTA I.^ 3 . Information assurance trainingA l l individualsappointedas IA ornetworkoperationspersonnel must successfully completean IA securitytrainingcertification course of instruction equivalent to the duties assigned to them. Individuals must also be certified inaccordance with tbe DOD baseline requirements o f D O D D 8570.1. Personnel with privileged access must sign aprivileged level user agreement. Personnel in technical level positions w i l l complete the applicable computing environment certifications. Methods of training are web based at https://ia.gordon.army.mil, or other Service or Agencyequivalent.Cl. 
a. Training requirements.
(1) IAPM will—
(a) Complete the Army IASO course within 6 months of appointment.
(b) Complete the Army E-Learning training course for Certified Information Systems Security Professional (CISSP).
(c) Completion dates are automatically uploaded into the ATCTS.
(d) Complete applicable DOD baseline management certification.
(2) IANM will—
(a) Comply with paragraphs a(1)(a), a(1)(c), and a(1)(d), above.
(b) Complete the SA/NM security course (at Fort Gordon or a mirror site) within 6 months of appointment.
(3) IAM will comply with paragraphs a(1)(a), a(1)(c), and a(1)(d), above.
(4) IANO will comply with paragraphs a(1)(a), a(1)(c), and a(1)(d), above.
(5) IASO will—
(a) Complete an IASO Course within 6 months of appointment. Methods of training are Web based (http://ia.gordon.army.mil), DISA Information Assurance Policy and Technology (IAP&T) Web Based Training (http://iase.disa.mil/eta/index.html), Army E-Learning/CBT IA modules, or command (or other Service) courses.
(b) Comply with paragraphs a(1)(c) and a(1)(d), above.
(6) SAs will—
(a) Complete introductory training (Level I) within 6 months of assuming position. SAs will be certified to Level I as a minimum.
Methods of training are Web based (https://ia.gordon.army.mil), DISA Information Assurance Policy and Technology (IAP&T) Web Based Training (http://iase.disa.mil/eta/index.html), Army E-Learning/CBT IA modules, or command (or other Service) courses. RCIOs or command IA personnel (as applicable) will determine if limits on SA duties warrant certification to Level I only.
(b) Complete technical training (Level II) SA Security Course (schedules available at http://ia.gordon.army.mil) or a Command-equivalent course within 6 months of assuming position.
(c) Complete advanced training (Level III) at the National Guard Bureau (NGB) Computer Emergency Response Team Operational Training Experience (CERT OTE) or USAR Computer Network Defense Course (CNDC) courses, or other Service or agency equivalents as required.
(d) Complete applicable DOD technical and computing environment baseline certifications.
(e) Comply with paragraph a(1)(c), above.
(7) Contracting officer's representatives (CORs). Contracting officer's representatives will compare contractor qualifications to the statement of work/performance work statement requirements to ensure contractor-nominated IA and SA positions meet minimum requirements before acceptance for employment. If the personnel provided are noncompliant with the statement of work requirements, the COR will notify the Contracting Officer for implementation of contract remedies.
(8) IA user awareness training. IAMs, SAs, and IASOs will ensure that a user training program is in place for all users in the command. Online user training courses can be found at https://ia.gordon.army.mil.
(a) All users must receive IA awareness training tailored to the system and information accessible before issuance of a password for network access. The training will include the following:
1. Threats, vulnerabilities, and risks associated with the system.
This portion will include specific information regarding measures to reduce malicious logic threats, principles of shared risk, external and internal threat concerns, acceptable use, privacy issues, prohibitions on loading unauthorized software or hardware devices, and the requirement for frequent backups.
2. Information security objectives (that is, what needs to be protected).
3. Responsibilities and accountability associated with IA.
4. Information accessibility, handling, and storage considerations.
5. Physical and environmental considerations necessary to protect the system.
6. System data and access controls.
7. Emergency and disaster plans.
8. Authorized systems configuration and associated CM requirements.
9. Incident, intrusion, malicious logic, virus, abnormal program, or system response reporting requirements.
10. INFOCON requirements and definitions.
11. AUP requirements.
(b) Users will receive annual refresher training as a minimum or as conditions warrant.
(9) Vulnerability assessment certification. IA personnel conducting vulnerability assessments on ISs must achieve VAT certification through their supporting RCERT or TNOSC. (This is not equivalent to the IAVM program assessment procedures.) Additional guidance and procedures in accordance with the policy can be found on the IA BBP Web site.
b. Refresher training. Refresher training for IAPMs, IAMs, IANMs, IASOs, and SAs/NAs will be attendance at an IA workshop every 18-24 months, attendance at DOD sponsored IA workshops, completion of modules in the Army E-Learning IA learning path, or approved commercial courses. Baseline certifications will be maintained in accordance with the requirements of the certifying body.
c. Substitutions.
(1) IAPMs, IAMs, IASOs, and IANMs can substitute other Service or Agency courses to fulfill these requirements. Identify the substitute course, duration, and sponsor when tracking completion dates.
(2) SAs and IANMs can substitute courses to fulfill the technical training (Level II) requirement.

4-4. Mission assurance category, levels of confidentiality, and levels of robustness
a. Mission assurance category. All ISs will be assigned a mission assurance category that reflects the importance of the information relative to the achievement of DOD goals and objectives. The IS mission assurance category will be determined by the DOD or Army proponent and agreed upon by the DIACAP team. The MAC level is used to determine the IA Controls for integrity and availability in accordance with DODI 8500.2. Refer to DODI 8500.2 (http://iase.disa.mil/policy.html) for additional detailed guidance and procedures for defining or assigning mission assurance categories.
(1) MAC I is a high integrity, high availability category for DOD ISs handling information that is determined to be vital to the operational readiness or mission effectiveness of deployed and contingency forces in terms of both content and timeliness. The consequences of loss of integrity or availability are unacceptable and could include the immediate and sustained loss of mission effectiveness.
(2) MAC II is a high integrity, medium availability category for DOD ISs handling information that is important to the support of deployed and contingency forces. The consequence of loss of integrity is unacceptable. Loss of availability is difficult to deal with and can only be tolerated for a short time.
(3) MAC III is a basic integrity, basic availability category for DOD ISs handling information that is necessary for the conduct of day-to-day business, but does not materially affect support to deployed or contingency forces in the short term.
The consequences of loss of integrity or availability can be tolerated or overcome without significant impacts on mission effectiveness or operational readiness.
b. Confidentiality levels. All ISs will be assigned a confidentiality level based on the classification or sensitivity of the information processed. The confidentiality level is used to establish acceptable access factors and to determine the DODI 8500.2 IA Controls applicable to the information system. DOD has defined the following three confidentiality levels:
(1) Classified — Information designated top secret, secret, or confidential in accordance with Executive Order 12356.
(2) Sensitive — Information the loss, or unauthorized access to or modification of, could adversely affect the national interest or conduct of Federal programs, or Privacy Act information. Includes, but is not limited to, For Official Use Only (FOUO), Privacy data, unclassified controlled nuclear information, and unclassified technical data.
(3) Public — Information that has been reviewed and approved for public release.
c. Levels of robustness. All ISs will employ protection mechanisms that satisfy criteria for basic, medium, or high levels of robustness per DODI 8500.2 and Federal Information Processing Standard (FIPS) 140-2. Each IS will be managed and operated to achieve the appropriate level of protection for the applicable functional security requirements.
(1) High robustness. High robustness is the security services and mechanisms that provide the most stringent protection and rigorous security countermeasures. Generally, high robustness technical solutions require NSA-certified high robustness solutions for cryptography, access control and key management, and high assurance security design as specified in NSA-endorsed high robustness protection profiles, where available.
(2) Medium robustness.
Medium robustness is the security services and mechanisms that provide for layering of additional safeguards above good commercial practices. Medium robustness technical solutions require, at a minimum, strong (for example, crypto-based) authenticated access control, NSA-approved key management, NIST FIPS-validated cryptography, and the assurance properties as specified in NSA-endorsed medium robustness protection profiles or the Protection Profile Consistency Guidance for medium robustness.
(3) Basic robustness. Basic robustness is the security services and mechanisms that equate to best commercial practices. Basic robustness technical solutions require, at a minimum, authenticated access control, NIST-approved key management algorithms, NIST FIPS-validated cryptography, and the assurance properties specified in NSA-endorsed basic robustness protection profiles or the Protection Profile Consistency Guidance for Basic Robustness.
d. Level of total system exposure. The appropriate level of protection for each functional security requirement will be determined using a combination of the mission assurance category, level of confidentiality, and level of robustness.
(1) Each IS will be reviewed against the mission assurance category definitions provided in DODI 8500.2, Enclosure 2, and assigned to a mission assurance category.
(2) Each IS will be assigned a confidentiality level based on the classification or sensitivity of the information processed, stored, or transmitted.
(3) Determine the applicable IA controls from DODI 8500.2.
(4) The identified controls for the level of total system exposure serve as the baseline IA requirements for C&A or reaccreditation and will be reassessed and revalidated every 3 years as a minimum.

4-5. Minimum information assurance requirements
All required risk analyses will evaluate and identify possible vulnerabilities and adverse security effects on associated ISs and networks.
Although manual procedures are acceptable when an automated safeguard is not feasible, IA personnel will embed automated security safeguards into the design and acquisition of ISs to ensure a secure infrastructure.
a. Prohibited activities. In addition to the prohibited activities listed in AR 25-1, the following activities are specifically prohibited by any authorized user on a Government-provided IS or connection:
(1) Use of ISs for unlawful or unauthorized activities such as file sharing of media, data, or other content that is protected by federal or state law, including copyright or other intellectual property statutes.
(2) Installation of software, configuration of an IS, or connecting any IS to a distributed computer environment (DCE), for example the SETI project or the human genome research programs.
(3) Modification of the IS or software, use of it in any manner other than its intended purpose, or adding user-configurable or unauthorized software such as, but not limited to, commercial instant messaging, commercial Internet chat, collaborative environments, or peer-to-peer client applications. These applications create exploitable vulnerabilities and circumvent normal means of securing and monitoring network activity and provide a vector for the introduction of malicious code, remote access, network intrusions, or the exfiltration of protected data.
(4) Attempts to strain, test, circumvent, or bypass network or IS security mechanisms, or to perform network or keystroke monitoring. RCERTs, Red Team, or other official activities, operating in their official capacities only, may be exempted from this requirement.
(5) Physical relocation or changes to configuration or network connectivity of IS equipment.
(6) Installation of non-Government-owned computing systems or devices without prior authorization of the appointed DAA, including but not limited to USB devices, external media, personal or contractor-owned laptops, and PDAs.
(7) Release, disclose, transfer, possess, or alter information without the
consent of the data owner, the original classification authority (OCA) as defined by AR 380-5, the individual's supervisory chain of command, Freedom of Information Act (FOIA) official, Public Affairs Office, or disclosure officer's approval.
(8) Sharing personal accounts and authenticators (passwords or PINs) or permitting the use of remote access capabilities through Government-provided resources with any unauthorized individual.
(9) Disabling or removing security or protective software and other mechanisms and their associated logs from ISs.
b. Accreditation. ISs and networks will be accredited in accordance with interim DOD and Army DIACAP documentation and Army supplemental networthiness guidance.
c. Access control. IA personnel will implement system and device access controls using the principle of least privilege (POLP) via automated or manual means to actively protect the IS from compromise, unauthorized use or access, and manipulation. IA personnel will immediately report unauthorized accesses or attempts to their servicing RCERT in accordance with Section VIII, Incident and Intrusion reporting.
Commanders and DAAs will—
(1) Enforce users' suspensions and revocation for violations of access authorization or violation in accordance with paragraph 3-3c(13).
(2) Develop the approval processes for specific groups and users.
(3) Validate individual security investigation (or approve interim access) requirements before authorizing IS access by any user.
(4) Verify systems are configured to automatically generate an auditable record or log entry for each access granted or attempted.
(5) Validate that systems identify users through the user's use of unique user identifications (USERIDs).
(6) Validate that systems authenticate users through the use of the CAC as a two-factor authentication mechanism. The CAC has certificates on the integrated circuit chip (ICC), and will be used as the primary user identifier and access authenticator to systems.
(7) Validate system configurations to authenticate user access to all systems with a minimum of a USERID and an authenticator when the systems are incapable of CAC enablement, until these are replaced. An authenticator may be something the user knows (password), something the user possesses (token), or a physical characteristic (biometric). The most common authenticator is a password.
(8) Verify that system configurations use password-protected screen savers, screen locks, or other lockout features to protect against unauthorized access of ISs during periods of temporary non-use. Ensure such mechanisms automatically activate when a terminal is left unattended or unused.
The DOD activation standard is established at 15 minutes. Establish a shorter period when ISs are used in a multinational or coalition work area. In instances where the unattended lockout feature hinders operations (for example, standalone briefing presentation systems, medical triage devices, or operating room systems status), the DAA and SO can approve longer timeouts as an exception only when it imposes a minimum of risk, other control mechanisms are enabled to mitigate these risks, and the exception is documented in the C&A package. However, the timeout feature will never be disabled and the system will never remain unattended during this extended use period. Exceptions will never be granted for matters of convenience or ease of use.
(9) Validate that system configurations prohibit anonymous accesses or accounts (for example, Student1, Student2, Patron1, Patron2, anonymous).
(10) Prohibit the use of generic group accounts. Permit exceptions only on a case-by-case basis when supporting an operational or administrative requirement such as watch-standing or help desk accounts, or accounts that require continuity of operations, functions, or capabilities. IAMs will implement procedures to identify and audit users of group accounts through other operational mechanisms such as duty logs.
(11) Verify that system configurations limit the number of user failed log-on attempts to three before denying access to (locking) that account, when account locking is supported by the IS or device.
If IS-supported, the system will prevent rapid retries when an authenticator is incorrectly entered and gives no indications or error messages that either the authenticator or ID was incorrectly entered (for example, implement time delays between failed attempts).
(12) Verify that system configurations generate audit logs, and investigate security event violations when the maximum number of authentication attempts is exceeded, the maximum number of attempts from one IS is exceeded, or the maximum number of failed attempts over a set period is exceeded.
(13) Reinstate accesses only after the appropriate IA (for example, SA/NA) personnel have verified the reason for failed log-on attempts and have confirmed the access holder's identity. Permit automatic account unlocking, for example, after an established time period has elapsed, as documented in the C&A package and approved by the DAA, based on sensitivity of the data or access requirements.
(14) If documented in the C&A package and authorized by the DAA, time-based lockouts (that is, access is restricted based on time, or access controls based on IP address, terminal port, or combinations of these) and barriers that require some time to elapse to enable bypassing may be used.
In those instances the DAA will specify, as a compensatory measure, the following policies:
(a) Implement mandatory audit trails to record all successful and unsuccessful log-on attempts.
(b) Within 72 hours of any failed log-on and user lockout, IA personnel will verify the reason for failure and implement corrective actions or report the attempted unauthorized access.
(c) The SA will maintain a written record of all reasons for failure for 1 year.
(15) Enforce temporary disabling of all accounts for deployed forces on garrison networks unless the accounts are operationally required.
(16) Create and enforce procedures for suspending, changing, or deleting accounts and access privileges for deployed forces in the event of capture, loss, or death of personnel having network privilege level access.
(17) Create and enforce access auditing, and protect physical access control events (for example, card reader accesses) and audit event logs for physical security violations or access controls to support investigative efforts as required.
d. Remote access (RA).
(1) Systems being used for remote access must meet security configurations to include IAVM, certification and accreditation standards, and will employ host-based security, for example a firewall and IDS, with AV software before authorization to connect to any remote access server.
Security configurations will be reviewed quarterly.
(2) Encrypt log-in credentials as they traverse the network as required for the level of information being accessed or required for need-to-know separation.
(3) Encrypt all RA for network configuration or management activities regardless of classification level, device, or access method.
(4) Users will protect RA ISs and data consistent with the level of information retrieved during the session.
(5) Disable remote device password save-functions incorporated within software or applications to prevent storage of plain text passwords.
(6) Remote access users will read and sign security and end-user agreements for remote access annually as a condition for continued access.
e. Remote access servers (RASs).
(1) Secure remote terminal devices consistent with the mode of operation and sensitivity of the information and implement non-repudiation measures when necessary.
(2) Any IS that provides RAS capabilities will employ host-based firewalls and intrusion detection systems to detect unauthorized access and to prevent exploitation of network services.
(3) Any RAS being accessed remotely will employ a "Time-Out" protection feature that automatically disconnects the remote device after a predetermined period of inactivity has elapsed, dependent on classification level of the information, but no longer than 10 minutes.
(4) Remote access users will be required to authenticate all dial-in operations with a unique USERID and password, compliant with the remote authentication dial-in user system (RADIUS) standard.
(5) All RAs will terminate at a centrally managed access point located within a demilitarized zone (DMZ) that is configured to log user activities during a session.
(6) Prohibit all RA (that is, virtual private network (VPN), dial-in) to individual ISs within an enclave (that is, behind the DMZ firewall).
(7) DOIMs and IAMs must ensure all remote access servers (RASs)
undergo CM and C&A processes.
(8) Stand-alone dial-back modems and modem systems that authenticate using RADIUS are the only allowable dial-in modems.
(9) Physical security for the terminal will meet the requirements for storage of data at the highest classification level received at the terminal and must be implemented within a restricted access area.
(10) Data between the client and the RAS will be encrypted to provide confidentiality, identification, nonrepudiation, and authentication of the data. The CAC provides the user with an official certificate.
(11) Approved telework or telecommuting access will be in accordance with established DOIM, RCIO, and NETCOM/9th SC (A) C&A access procedures from a Government-provided system only. Ad hoc telework access (defined as one-time, informal, or on an infrequent basis) will be through existing and approved external access methods or portals such as Terminal Server Access Control System (TSACS) or the Army Knowledge Online (AKO) Web site.
(12) Outside the continental United States (OCONUS) telework procedures and authorization will be approved by the DAA and RCIO on a case-by-case basis and documented in the C&A package.
(13) Audit all RAS connections at a minimum weekly.
(14) Review RAS devices biweekly for security configuration, patches, updates, and IAVM compliance.
f. Configuration management requirements. The following policy will be the minimum used for the CM of all systems:
(1) All CM plans will include a maintenance and update strategy to proactively manage all ISs and networks with the latest security or application updates. While IAVM is part of a CM strategy, it is not all-inclusive for every IS in use in the Army.
All ISs will have a vulnerability management strategy for testing and maintaining patches, updates, and upgrades.
(2) Hardware and software changes to an accredited IS, with an established baseline, will be effected through the CM process.
(3) The CCB or the CMB for a site must approve modifying or reconfiguring the hardware of any computer system. Hardware will not be connected to any system or network without the express written consent of the IAM and the CMB or CCB. In the absence of a CCB or CMB, the appropriate commander or manager will provide the consent on the advice of the cognizant IA official.
(4) Modifying, installing, or downloading of any software on any computer system may affect system C&A and must be evaluated and approved by the IAM with the local CMB, CCB, and DAA.
(5) Configuration management controls, including version controls, will be maintained on all software development efforts; RDT&E activities; follow-on test and evaluation (FOT&E) activities; and other related tests by the software designer. A CM "baseline image" will be created, documented, kept current, and maintained by network and system administration personnel for all ISs within their span of control.
Exceptions to this baseline image will be documented in the C&A package and approved by the DAA.
(6) The minimum baseline configuration for ISs will be the published Security Technical Implementation Guide (STIG) requirements or the common criteria protection profiles for IA products, as available or supplemented and published by DOD and NETCOM/9th SC (A), with any changes documented. STIGs are located at http://iase.disa.mil/stigs/index.html.
(7) Prohibit default installations of "out of the box" configurations of COTS-purchased products. COTS-purchased products will require system CM and IAVM compliance as a minimum. Comprehensive vulnerability assessments of the test IS will be conducted and documented before and after installation of any COTS products under consideration for CM review or approval.
(8) Upon acceptance for operational use (whether developmental, GOTS, or COTS), keep software under close and continuous CM controls to prevent unauthorized changes.
(9) ISs must meet minimum levels of total system exposure. See paragraph 4-4 and DODI 8500.2 to establish IA baseline requirements.
g. Assessments. Commanders will verify that IA personnel conduct initial and continual assessments to detect IS and network vulnerabilities using approved tools, tactics, and techniques to facilitate the risk management process and to ensure compliance with network management, CM, IAVM requirements, and security policies and procedures. Commanders and IA personnel will ensure that all networks and networked ISs undergo a self-assessed vulnerability assessment scan quarterly. Prohibit the use of commercial scanning services or vendors without the CIO/G-6's chief information security officer's (CISO) approval.
h. Auditing. SAs will configure ISs to automatically log all access attempts. Audits of ISs will be by either automated or manual means.
SAs will implement audit mechanisms for those ISs that support multiple users.
(1) Use audit servers to consolidate system audit logs for centralized review to remove the potential for unauthorized editing or deletion of audit logs in the event of an incident or compromise.
(2) Commands, organizations, tenants, activities, and installations will support centralized audit server implementations in the enterprise.
(3) Centralized audit server logs will be maintained for a minimum of 1 year.
(4) Conduct self-inspections by the respective SA/NA or IA manager.
(5) Enable and refine default IS logging capabilities to identify abnormal or potentially suspicious local or network activity.
(a) Investigate all failed login attempts or account lockouts.
(b) Maintain audit trails in sufficient detail to reconstruct events in determining the causes of compromise and magnitude of damage should a malfunction or a security violation occur. Maintain system audit logs locally for no less than 90 days.
(c) Retain classified and sensitive IS audit files for 1 year (5 years for SCI systems, depending on storage capability).
(d) Provide audit logs to the ACERT, Army Global Network Operations and Security Center (A-GNOSC), LE, or CI personnel to support forensic, criminal, or counter-intelligence investigations as required.
(e) Review logs and audit trails at a minimum weekly, more frequently if required, and take appropriate actions.
i. Contingency planning. A contingency plan is a plan for emergency response, backup operations, transfer of operations, and post-disaster recovery procedures maintained by an activity as a part of its IA security program. Commanders will create and practice contingency plans for each IS (a single IS or local area network (LAN)) for critical assets as identified by the data owner or commander to support continuity of operations planning (COOP). See DA Pam 25-1-2 for additional guidance and procedures for developing contingency plans. Exercise contingency plans annually.
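Paragraphs 4-5c(11) through c(14) above specify a three-attempt lockout, delays between failed attempts, a single generic error message, automatic unlocking only after a documented period, and an audit trail of every attempt; c(12) and h(5)(a) then require the trail to be reviewed for exceeded maxima. The following is an added illustration of those controls in Python, not part of the regulation or of any Army system. The five-second retry delay, the thirty-minute unlock period, the per-source and per-period maxima, the USERIDs, the source address, and the audit line format are all assumptions constructed for the example.

```python
"""Added illustration, not part of AR 25-2: a log-on throttle following paragraphs
4-5c(11) through c(14) and an audit-trail review for the thresholds in c(12) and
h(5)(a). Names, delay values and the sample events are assumptions made for this example."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 3                    # c(11): deny access (lock) after three failed attempts
RETRY_DELAY = timedelta(seconds=5)         # c(11): delay between failed attempts (assumed value)
AUTO_UNLOCK_AFTER = timedelta(minutes=30)  # c(13): DAA-approved automatic unlock period (assumed value)
GENERIC_ERROR = "Log-on failed"            # c(11): same message whether the ID or the authenticator was wrong


@dataclass
class AccountState:
    failures: int = 0
    locked_at: Optional[datetime] = None
    last_failure: Optional[datetime] = None


class LogonThrottle:
    """Per-USERID lockout that records every successful and unsuccessful attempt (c(14)(a))."""

    def __init__(self, credentials: Dict[str, str]):
        self._creds = credentials  # USERID -> authenticator; demo store only, real systems keep salted hashes
        self._state: Dict[str, AccountState] = defaultdict(AccountState)
        self.audit: List[str] = []

    def _record(self, now: datetime, userid: str, src: str, result: str) -> None:
        self.audit.append(f"{now.isoformat()} userid={userid} src={src} result={result}")

    def attempt(self, userid: str, authenticator: str, src: str, now: datetime) -> Tuple[bool, str]:
        st = self._state[userid]
        if st.locked_at is not None and now - st.locked_at >= AUTO_UNLOCK_AFTER:
            st.locked_at, st.failures = None, 0  # c(13): unlock only after the documented period
        if st.locked_at is not None:
            self._record(now, userid, src, "DENIED-LOCKED")
            return False, GENERIC_ERROR
        if st.last_failure is not None and now - st.last_failure < RETRY_DELAY:
            self._record(now, userid, src, "DENIED-TOO-FAST")  # c(11): rapid retry refused, not evaluated
            return False, GENERIC_ERROR
        if self._creds.get(userid) == authenticator:
            st.failures, st.last_failure = 0, None
            self._record(now, userid, src, "SUCCESS")
            return True, "ok"
        st.failures, st.last_failure = st.failures + 1, now
        if st.failures >= MAX_FAILED_ATTEMPTS:
            st.locked_at = now
            self._record(now, userid, src, "LOCKED")
        else:
            self._record(now, userid, src, "FAILED")
        return False, GENERIC_ERROR  # unknown USERID and wrong authenticator look identical to the caller


def _max_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of events whose timestamps fall within any span of length `window`."""
    times, best, start = sorted(times), 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def review_audit(lines: List[str], per_account_max: int = MAX_FAILED_ATTEMPTS, per_source_max: int = 10,
                 window: timedelta = timedelta(minutes=15), window_max: int = 20) -> Dict[str, object]:
    """c(12) and h(5)(a): flag accounts, source ISs and periods whose unsuccessful attempts exceed the maxima.
    The per-source and per-period maxima are site-defined; the defaults here are assumed values."""
    by_account: Dict[str, int] = defaultdict(int)
    by_source: Dict[str, int] = defaultdict(int)
    times: List[datetime] = []
    for line in lines:
        stamp, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        if rec["result"] == "SUCCESS":
            continue
        by_account[rec["userid"]] += 1
        by_source[rec["src"]] += 1
        times.append(datetime.fromisoformat(stamp))
    peak = _max_in_window(times, window)
    return {
        "accounts": sorted((u, n) for u, n in by_account.items() if n > per_account_max),
        "sources": sorted((s, n) for s, n in by_source.items() if n > per_source_max),
        "peak_in_window": peak,
        "period_exceeded": peak > window_max,
    }


def simulate() -> Dict[str, object]:
    """Constructed scenario: guesses from one source, a correct log-on while locked, then automatic unlock."""
    t0 = datetime(2009, 3, 23, 8, 0, 0)
    throttle = LogonThrottle({"jdoe": "correct-horse", "asmith": "battery-staple"})  # demo credentials
    events = [
        ("jdoe", "wrong1", "10.1.2.3", t0),
        ("jdoe", "wrong2", "10.1.2.3", t0 + timedelta(seconds=1)),          # too fast: refused unevaluated
        ("jdoe", "wrong2", "10.1.2.3", t0 + timedelta(seconds=10)),
        ("jdoe", "wrong3", "10.1.2.3", t0 + timedelta(seconds=20)),         # third failure: account locked
        ("jdoe", "correct-horse", "10.1.2.3", t0 + timedelta(seconds=30)),  # right authenticator, still locked
        ("asmith", "guess", "10.1.2.3", t0 + timedelta(seconds=40)),
        ("jdoe", "correct-horse", "10.1.2.3", t0 + timedelta(minutes=31)),  # unlock period elapsed
    ]
    outcomes = [throttle.attempt(*e) for e in events]
    review = review_audit(throttle.audit, per_source_max=4, window=timedelta(minutes=1), window_max=4)
    return {"results": [ok for ok, _ in outcomes], "messages": [m for _, m in outcomes],
            "audit": throttle.audit, "review": review}
```

Calling simulate() returns the constructed audit trail and the review over it. A refused rapid retry is logged but never evaluated, so it neither advances the failure count nor reveals whether the authenticator was right; the review still counts it as an unsuccessful attempt, which is what c(14)(a)'s requirement to record every attempt implies. The review output gives the reviewing SA the three conditions in c(12) as separate findings: the account over its limit, the source IS over its limit, and the peak number of failures inside the configured period.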
j. Data integrity.
(1) Implement safeguards to detect and minimize unauthorized access and inadvertent, malicious, or non-malicious modification or destruction of data.
(2) Implement safeguards to ensure that security classification levels remain with the transmitted data.
(3) DAAs will identify data owners for each database on their networks. Only the original classification authority (OCA) is authorized to change the data classification.
(4) DAAs will develop and enforce policies and procedures to routinely or automatically back up, verify, and restore (as required) data, ISs, or devices at every level. These policies and procedures will be captured in the C&A package.
(5) Use data or data sources that have verifiable or trusted information. Examples of trusted sources include, but are not limited to, information published on DOD and Army sites and vendor sites that use verified source code or cryptographic hash values.
(6) Protect data at rest (for example, databases, files) to the classification level of the information with authorized encryption and strict access control measures implemented.
k. C&A package. The C&A package will be available to the site-assigned IASO for the life of each IS or LAN, including operational, prototype, test, or developmental systems. This C&A package will include at a minimum the System Identification Profile (SIP), Scorecard, and plan of action and milestones (POA&M).
l. IA product acquisition. All security-related COTS hardware, firmware, and software components (excluding cryptographic modules) required to protect ISs will be acquired in accordance with public law and will have been evaluated and validated in accordance with appropriate criteria, schemes, or protection profiles (http://www.niap.nist.gov/) and this regulation.
IA products listed on the IA Approved Products List (APL), available on the IA Web site, will be evaluated and selected first, and then procured through Army Computer Hardware, Enterprise Software and Solutions contract vehicles before other IA products are procured. For PEO/PMs, the CSLA BPA requirements only apply to the procurement of COMSEC devices. All COTS products will be evaluated by NSA or in accordance with NSA-approved processes. NETCOM/9th SC (A) and CIO/G-6 may approve exceptions to IA product evaluations when no criteria, protection profile, or schema exists or is under development, and the removal or prohibition of such an IA product would significantly degrade or reduce the ability of personnel to secure, manage, and protect the infrastructure.
m. Notice and consent procedures. Commanders will verify that all computers under their control independently, prominently, and completely display the Notice and Consent Banner immediately upon users' authentication to the system, including, but not limited to, web, ftp, telnet, or other services access.
(1) General Notification: Army users of DOD telecommunications systems or devices are advised that DOD provides such systems and devices for conducting authorized use.
Users are subject to telecommunications monitoring, including their personal communications and stored information.
(2) Using Government telecommunications systems and devices constitutes the user's consent to monitoring.
(3) Users will be advised that there is no expectation of privacy while using ISs or accessing Army resources.
(4) The user must take a positive action to accept the terms of the notice and consent warning banner before a successful logon is completed.
(5) Post appropriate warning banners and labels in accordance with this regulation.
(6) The following access warning banner replaces the warning banner in AR 380-53 and will not be modified further. The banner to be posted on Army networks, systems, and devices will state—
(7) "YOU ARE ACCESSING A U.S. GOVERNMENT (USG) INFORMATION SYSTEM (IS) THAT IS PROVIDED FOR USG-AUTHORIZED USE ONLY. By using this IS (which includes any device attached to this IS), you consent to the following conditions: The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. At any time, the USG may inspect and seize data stored on this IS. Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. This IS includes security measures (e.g., authentication and access controls) to protect USG interests—not for your personal benefit or privacy.
Notwithstanding the above, using this IS does not constitute consent to PM, LE, or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
(8) For those personal computing devices such as Blackberries and other PDAs that have technical limitations to the full banner, the only approved solution will be: "I've read & consent to terms in IS user agreem't."
(9) For media devices, services, protocols, and other limited text input requirements other than PDA devices requiring access, such as routers, firewalls, bannered access ports, and so forth, the banner will be "Subject to Army Warning banner in AR 25-2, 4-5b(7)."

c. Virus protection. Implement the virus protection guidance provided below on all ISs and networks, regardless of classification or purpose—
(1) Users and SAs will scan all files, removable media, and software, including new "shrink-wrapped" COTS software, with an installed and authorized AV product before introducing them onto an IS or network. Files, media and software found to be infected with a virus will be reported by users to the SA.
(2) To minimize the risks of viruses, implement the following countermeasures:
(a) SAs will configure all ISs with a current and supportable version of the AV software configured to provide real-time protection from the approved products list with automated updates and reporting enabled.
(b) IA personnel should take the multilevel approach to virus detection by installing one AV package on the workstations and a different AV package on the servers.
(c) SAs will update virus definitions at a minimum weekly, or as directed by the ACERT for immediate threat reduction. Virus definition availability is based on
vendors' capabilities. IA personnel will institute automated antivirus definition updates as published or available from authorized DOD or Army sites.
(3) IA personnel will train users to recognize and report virus symptoms immediately.
(4) IAMs will implement virus-reporting procedures to support DOD and Army reporting requirements.

d. Mobile code.
(1) Mobile code is executable software, transferred across a network, downloaded, and executed on a local system without notification to, or explicit installation and execution by, the recipient.
(2) Mobile code has the potential to severely degrade operations if improperly used or controlled. The objective of the mobile code security policy is to deny untrusted mobile code the ability to traverse the Army enterprise. As a minimum, the Army mobile code mitigation policy will be implemented to support the DOD mobile code policy. Untrusted mobile code will not be allowed to traverse the enterprise unless NETCOM/9th SC (A) CCB-approved mitigating actions have been emplaced.

e. Layering.
(1) Layering is a process of implementing similar security configurations or mechanisms at multiple points in an IS architecture. Doing so eliminates single points of failure, provides redundant capabilities, increases access granularity and auditing, and implements an effective computer or network attack detection and reaction capability.
(2) The Army enterprise IA security DiD structure requires a layering of security policies, procedures, and technology, including best practices such as redundant capabilities or use of alternative operating systems, to protect all network resources within the enterprise. Layered defenses at the boundaries, for example, include, but are not limited to, using inbound and outbound proxy services, firewalls, IDSs, IPSs, and DMZs.

f. Filtering.
Filtering policies will block ingress and egress services, content, sources, destinations, ports, and protocols not required or authorized across the enterprise boundary. Router and firewall access control lists (ACLs) provide a basic level of access control over network connections based on security or operational policy.
(1) Filtering at the enterprise boundary is the primary responsibility of the NETCOM/9th SC (A) TNOSCs using tools and techniques applied at the enterprise level.
(2) At all levels subordinate to NETCOM/9th SC (A), filtering policies and technology will be implemented and layered throughout the architecture and enforced at all capable devices. Audit and system or device generated event logs will be provided to NETCOM/9th SC (A). These policies should be complementary.
(3) Filtering products and techniques are intended to proactively reduce ingress and egress security threats to enterprise systems and information without targeting specific individuals. The most common threats are associated with malicious content, misuse, security policy violations, content policy violations, or criminal activity. Threat mitigation policies will be incorporated, configured, and monitored to reduce or identify these threats and include, but are not limited to, ACL configuration on routing devices to prevent access to unauthorized sites, AV installations, cache or proxy servers (to maintain connection state), firewalls, mail exchange configurations (for example, autodeletion of attachments), network monitoring software such as IDS or Intrusion Prevention System (IPS) configured to terminate suspicious traffic, content management, or web filtering applications.

g. Acceptable use policy (AUP).
(1) Commanders and Directors will implement an AUP for all user accesses under their control (see the sample AUP at appendix B).
(2) Users will review and sign an AUP prior to or upon account activation.
Digital signatures are authorized.
(3) IA personnel will maintain documented training records.
(4) DOD policy states that Federal Government communication systems and equipment (including Government owned telephones, facsimile machines, electronic mail, internet systems, and commercial systems), when use of such systems and equipment is paid for by the Federal Government, will be for official use and authorized purposes only.
(5) Official use includes emergency communications and communications necessary to carry out the business of the Federal Government. Official use can also include other use authorized by a theater commander for Soldiers and civilian employees deployed for extended periods away from home on official business.
(6) Authorized purposes include brief communications by employees while they are traveling on Government business to notify family members of official transportation or schedule changes. Authorized purposes can also include limited personal use established by appropriate authorities under the guidelines of the Joint Ethics Regulation (DOD 5500.7-R).
(7) Certain activities are never authorized on Army networks. AUPs will include the following minimums as prohibited. These activities include any personal use of Government resources involving: pornography or obscene material (adult or child); copyright infringement (such as the sharing of copyright material by means of peer-to-peer software); gambling; the transmission of chain letters; unofficial advertising, soliciting, or selling except on authorized bulletin boards established for such use; or the violation of any statute or regulation.

h. Network monitoring.
(1) Network monitoring includes any of a number of actions by IA personnel aimed at ensuring proper performance and management.
When any of these monitoring activities involve intercepting (capturing in real time) the contents of wire or electronic communications, they must fall within the limits of the service provider exception to the Federal wiretap statute. The service provider exception allows system and network administrators to intercept, use, and disclose intercepted communications as long as the actions are conducted in the normal course of employment and the SA/NA is engaged in an activity that is necessary to keep the service operational or to protect the rights or property of the service provider. Therefore, IA personnel must consult with legal counsel to ensure that their activities involving systems management and protection are properly authorized.
(2) IA personnel performing ingress and egress network monitoring or filtering activities are authorized to use CIO/G-6 approved automated monitoring tools maintained and configured by NETCOM/9th SC (A) as network devices to aid in the performance and management. It is important to recognize that the SA/NA does not have unlimited authority in the use of these network monitoring tools. The approved tool may contain technical capabilities beyond those tasks for which the tool was approved; as such, the IA personnel must ensure that approved tools are used only for their intended purpose.
(3) IA personnel will not use unapproved IA tools, use IA tools for unapproved purposes, or misuse automated IA tools. Violations will be reported through appropriate command channels to the CIO/G-6. Exceptions to the configuration of these devices will be approved on a case-by-case basis by NETCOM/9th SC (A).
(4) In general terms, IA personnel and SAs/NAs do not engage in blanket network monitoring of internal communications.
However, the Army reserves the right at any time to monitor, access, retrieve, read, or disclose internal communications when a legitimate need exists that cannot be satisfied by other means pursuant to paragraph 4-5i, below.
(5) As a matter of normal auditing, SAs/NAs may review web site logs, files downloaded, ingress and egress services and similar audited or related information exchanged over connected systems. Supervisors and managers may receive reports detailing the usage of these and other internal information systems, and are responsible for determining that such usage is both reasonable and authorized.
(6) As a matter of normal auditing, SAs/NAs may store all files and messages through routine backups to tape, disk, or other storage media. This means that information stored or processed, even if a user has specifically deleted it, is often recoverable and may be examined at a later date by SAs/NAs and others permitted by lawful authority.
(7) SA/NAs may provide assistance to Army supervisory and management personnel, under lawful authority, to examine archived electronic mail, personal computer file directories, hard disk drive files, and other information stored on ISs. This information may include personal data. Such examinations are typically performed to assure compliance with internal policies; support the performance of administrative investigations; and assist in the management and security of data and ISs.
(8) When IA personnel discover information during the course of their normal activity that indicates a violation of acceptable use or a possible criminal offense, they will immediately report the finding to their Commander. The commander will immediately report known or suspected criminal activity to LE and will consult with legal counsel concerning activities that appear merely to violate acceptable use.
IA personnel will retain and provide information related to the matter to LE when required.
(9) With the exceptions of the SA/NA as identified below, Army personnel and contractors are prohibited from browsing or accessing other users' e-mail accounts.
(10) The SA/NA may intercept, retrieve, or otherwise recover an e-mail message and any attachments thereto only under the following circumstances:
(a) With consent (expressed or implied) of a party to the communication involved.
(b) In response to a request for technical assistance from:
1. LE/CI personnel pursuant to a properly authorized LE/CI investigation.
2. A supervisor as part of a non-investigatory management search in accordance with paragraph 4-5i, below.
3. An investigating officer pursuant to a properly authorized administrative investigation (for example, a preliminary inquiry under Rule for Courts-Martial 303, an informal investigation under AR 15-6, or a preliminary inquiry under AR 380-5).
4. Information systems security monitoring personnel pursuant to properly authorized IS security monitoring activities.
5. Inspector General personnel pursuant to an authorized inspection, investigation, or inquiry.
(11) The SA/NA may remove any e-mail, file, or attachment that is interfering with the operation of an IS without consent of the originator or recipient. The SA/NA will notify the originator and recipient of such actions.
(12) The SA/NA is not authorized to use techniques or software to penetrate or bypass users' information protections (for example, content restrictions or read-only protections used to maintain or enforce document integrity, version control, or need-to-know enforcement).

i. Management search.
In the absence of the user (for example, TDY, extended hospital stay, incapacitation, emergency operational requirement), only the SA/NA is authorized limited access to the user's files to support administrative management searches to provide the requested information as required for official purposes. When such access is requested, the SA will—
(1) Brief the supervisor as to the limits of accessing the user's data files.
(2) Limit the scope of the authorized search to those files reasonably related to the objective of the search (that is, e-mail access would not be reasonable when searching for a word document file).
(3) Limit the search to the time necessary to locate the required data in the most relevant file location.
(4) Inform the individual of requested file access as soon as possible after such requests, and document this access in a memorandum.
(5) SAs/NAs will not grant unrestricted supervisory access to individual information, data files, or accounts.
(6) SA/NAs will not access individual information or data files unless conducting a management search, an authorized administrative search, or supporting a LE/CI authorized investigation.
(7) SA/NAs may conduct an authorized investigative or management search of assigned IS upon an individual's termination of employment, death, or other permanent departure from the organization to retrieve data and files associated with the organizational mission.

Section II
Software Security

4-6. Controls
a. IA personnel will implement controls to protect system software from compromise, unauthorized use, or manipulation.
b. The DAA, materiel developer, CIO, or IAM will document all software used for control purposes in the C&A package as a minimum.
c.
PEOs, PMs, and functional proponents will require vendors seeking to support the AEI to submit SF 328 (Certificate Pertaining to Foreign Interests).
d. All COTS software used on ISs will be fully licensed (under U.S. Copyright Law).
e. Incorporate IAVM compliance, patch management, IA, and AV software into contracts with software developers regardless of the software's purpose (for example, medical devices).
f. Program managers and DAA will restrict systems used or designated as "test platforms" from connecting to the operational network. PMs and DAAs can authorize temporary connections to conduct upgrades, download patches, or perform vulnerability scans when off-line support capabilities are insufficient and protections have been validated. Remove the "test platform" IS immediately upon completion of the action until it has been operationally accredited and is fully compliant.
g. Use of "shareware" or "freeware" is prohibited unless specifically approved through IA personnel and by the DAA for a specific operational mission requirement and length of time when no approved product exists. Notify RCIOs and the supporting RCERT/TNOSC of local software use approval.
h. Use of "open source" software (for example, Red Hat Linux) is permitted when the source code is available for examination of malicious content, applicable configuration implementation guidance is available and implemented, a protection profile is in existence, or a risk and vulnerability assessment has been conducted with mitigation strategies implemented with DAA and CCB approval and documentation in the C&A package. Notify RCIOs and the supporting RCERT/TNOSC of local software use approval.
i.
Use of data assurance and operating systems integrity products (for example, public key infrastructure (PKI), Tripwire, Internet protocol security (IPSec), transmission control protocol/Internet protocol (TCP/IP) wrappers) will be included in product development and integrated into end-state production systems.
j. IAMs and developers will transition high risk services such as, but not limited to, ftp or telnet to secure technologies and services such as secure ftp (sftp) and secure shell (ssh).
k. Army personnel, including contractors, will not introduce classified or sensitive information into an IS until the data confidentiality level and protection level of the IS has been certified, the appropriate IS protection mechanisms are operational, and the DAA approval or waiver has been obtained. The data owner will approve entering the data, where applicable. Data will not exceed the security classification level for which the IS has been approved.

4-7. Database management
a. Databases store information and will be managed to ensure that the data is accurate, protected, accessible, and verifiable so that commanders at all levels can rely on trusted information in the decision making process. Commanders will appoint a database administrator (DBA) for each operational database.
b. The DBA will be certified through either training or experience in the database being managed.
c. The DBA will develop and implement controls to protect database management systems from unauthorized schema modifications.
d. The DBA will develop and implement access and auditing controls to protect database management systems from unauthorized accesses, queries, input or activity.
e.
The DBA will conduct weekly backups of the database and schema, as a minimum, or more often as directed by the IAPM or IAM.
f. The SO will protect databases from direct Internet access using filtering and access control devices (for example, firewalls, routers, access control lists (ACLs)).
g. Data owners will identify the classification or confidentiality level of data residing in the database and special controls, access requirements, or restrictions required to be implemented by the DBA.
h. The SO will place databases on isolated and dedicated servers with restricted access controls. DBAs will not install other vulnerable servers or services (for example, web servers, ftp servers) that may compromise or permit unauthorized access of the database through another critical vulnerability identified in the additional servers or services.
i. Databases should be hosted on trusted military IS or networks. As part of the C&A process, the CA and DAA will review and approve a detailed risk management process as documented in the C&A package before operational implementation of databases located in contractor owned, operated, or managed networks.
j. Before the DAA grants an approval to operate (ATO), the following minimum requirements will be addressed in a security compliance plan:
(1) DBA certifications and experience in the proffered system(s) and application(s).
(2) Security background investigation(s) of the administrator(s) and verification procedures equivalent to the IT position held by the DBA and the classification of the system.
(3) Control measures for encrypted privileged-level, root, administrator, and user accesses in accordance with Army access standards.
(4) Control measures to protect database(s) and management systems from unauthorized queries, input, or activity (for example, data input validation and exception routines).
(5) Control measures for database(s) and server update,
management, backup, and recovery procedures.
(6) Control measures and procedures for audits, analysis, incident and intrusion response.
(7) Control measures to protect database(s) servers and interfaces from direct, unauthorized, or unauthenticated Internet access using filtering and access control devices or capabilities (for example, firewalls, routers, ACLs).
(8) Control measures to protect database(s) servers and interfaces from physical access threats.
(9) Control measures to protect database(s) servers and interfaces from logical threats.
(10) For contractor owned, operated, or managed databases, the contractor will conduct an initial comprehensive vulnerability assessment of the configuration, security, and network upon which the servers reside, and provide the complete results to authorized Army representatives.
(11) For contractor owned, operated, or managed databases, the contractor will conduct quarterly comprehensive vulnerability assessments and evaluations and furnish the results to authorized Army representatives.
k. Data owners and DBAs will implement and support DOD data/meta-data tagging requirements as initiatives, software, procedures, and methodologies are developed and implemented.

4-8. Design and test
a. All information systems will be designed to meet the IA controls as identified in DODI 8500.2 and be configured in compliance with the applicable DISA STIG or baselined system with identified changes documented as part of the accreditation process.
b. All information and information-based systems will incorporate embedded software security solutions throughout the system life cycle.
c. System developers will contact CSLA during initial design to determine COMSEC device requirements (if required) in system design.
d. Before fielding, all information and information-based systems will be tested per an approved Test and Evaluation Master Plan (TEMP) that contains current, validated threats to each IS.
The systems will demonstrate successful completion of all required test and evaluation events at each acquisition decision milestone.
e. Conduct vulnerability assessments on all systems before fielding or installing systems to identify residual vulnerabilities and provide risk mitigation strategies for those vulnerabilities that are operationally required.

Section III
Hardware, Firmware, and Physical Security

4-9. Hardware-based security controls
Consider hardware security, COMSEC, and IA requirements in the concept, design, development, acquisition, fielding, and support of ISs.
a. System developers will incorporate controls to protect hardware and firmware from compromise and unauthorized use, removal, access, or manipulation.
b. After initial fielding and installation of hardware or firmware, proposed additions must go through an Installation configuration management board for approval before installation and operation. The CCB Chair or responsible Information Management (IM) official will notify the DAA, Army CA, materiel developer, CIO, IAM, RCIO, DOIM, or authorized IM officer before installation and operation, as applicable. Proposed additions may require revalidation or re-accreditation of the system's security posture and accreditation approval.
c. The C&A will include an inventory of all identifiable hardware, firmware, and software that are parts of the system.
d. Maintain CM controls for all hardware and firmware test and evaluation, follow-on test and evaluation, and other related activities by the materiel developer.
e. IAPMs, IAMs, or system developers will contact CSLA to review applicable IA BPAs (both from DOD and the Army) before initiating requisition actions.

4-10. Maintenance personnel
The Commander will verify or validate the following:
a. Clearances.
Maintenance personnel will be cleared to the highest level of data handled by the IS. Clearance requirements will be included in maintenance contracts, statements of work, and specified on the DD Form 254 (Department of Defense (DOD) Contract Security Classification Specification), in accordance with AR 380-49, where applicable.
b. Restrictions. Escort and observe uncleared maintenance personnel at all times by a cleared and technically qualified individual. Non-U.S. citizens will not perform maintenance on ISs that process TOP SECRET (TS), Sensitive Compartmented Information (SCI), Special Intelligence (SI), Single Integrated Operational Plan-Extremely Sensitive Information (SIOP-ESI), or SAP information.
c. Non-U.S. citizens. When non-U.S. citizens are employed to maintain ISs, address such use as a vulnerability in the risk assessment and identify and employ appropriate countermeasures.
d. Maintenance by cleared personnel. Personnel who perform maintenance on classified systems will be cleared and indoctrinated to the highest classification level of information processed on the system. Appropriately cleared maintenance personnel do not require an escort. Need-to-know requirements may be inherent to adequately perform maintenance or take corrective actions. An appropriately cleared and technically knowledgeable employee will be present or review the system during maintenance to assure adherence to security procedures.
e. Maintenance by uncleared (or lower cleared) personnel. If cleared maintenance personnel are unavailable, individuals with the technical expertise to detect unauthorized modifications will monitor all uncleared maintenance personnel.
(1) Uncleared maintenance personnel will be U.S. citizens. Outside the U.S., where U.S.
citizens are not available to perform maintenance, use FNs as an exception, with DAA approval and documentation in the C&A package.
(2) Before maintenance by uncleared personnel, the IS will—
(a) Be completely cleared and all nonvolatile data storage media removed or physically disconnected and secured.
(b) When a system cannot be cleared, IAM-approved procedures will be enforced to deny the uncleared individual visual and electronic access to any classified or sensitive information that is contained on the system.
(3) A separate, unclassified copy of the operating system (for example, a specific copy other than the copies used in processing information), including any floppy disks or cassettes that are integral to the operating system, will be used for all maintenance operations performed by uncleared personnel. The copy will be labeled "UNCLASSIFIED FOR MAINTENANCE ONLY" and protected in accordance with procedures established in the SSAA/System Security Policy (SSP). Ensure that the media is write protected before use in classified systems.
(4) Maintenance procedures for an IS using a non-removable storage device on which the operating system resides will be considered and approved by the IAM on a case-by-case basis.
(5) The use of commercial data recovery services will be documented in the C&A package and approved by the DAA with approval from the data owner and notification to the CIO/G-6 CISO.

4-11. Security objectives and safeguards
The Commander will verify or validate the following:
a. Secure removable media that process and store classified information in an area or a container approved for safeguarding classified media per AR 380-5.
b. Establish checks and balances to reduce the risk of one individual adversely affecting system or network operations.
c. Implement physical security requirements for ISs to prevent loss, damage, or unauthorized access.
d.
Prohibit storage of portable ISs or personal electronic devices (PEDs) that contain classified information in personal residences. Exceptions will follow the guidance as prescribed in AR 380-5, paragraph 7-[?], and authorized as an exception only when an operational requirement exists.
e. Include facilities or spaces housing critical systems (for example, e-mail servers, web servers) as part of the physical security program and restrict access.

Section IV
Procedural Security

4-12. Password control
a. Implement two-factor authentication techniques as the access control mechanism in lieu of passwords. Use CAC as the primary access credential, or biometric or single sign-on access control devices when the IS does not support CAC.
b. The IAM or designee will manage the password generation, issuance, and control process. If used, generate passwords in accordance with the BBP for Army Password Standards.
c. The holder of a password is the only authorized user of that password.
d. The use of one-time passwords is acceptable, but organizations must transition to secure access capabilities such as SSH or secure sockets layer (SSL). See remote access requirements in para 4-5d.
e. SAs will configure ISs to prevent displaying passwords in the clear unless tactical operations (for example, heads-up displays while an aircraft is in flight) pose risks to life or limb.
f. IAMs will approve and manage procedures to audit password files and user accounts for weak passwords, inactivity, and change history. IAMs will conduct quarterly auditing of password files on a stand-alone or secured system with limited access.
g. Deployed and tactical systems with limited data input capabilities will incorporate password control measures to the extent possible.
h. IAMs and SAs will remove or change default, system, factory installed, function key embedded, or maintenance passwords.
i.
IAMs and SAs will prohibit automated scripts or linkage capabilities, including, but not limited to, Web site links that embed both account and authentication within the unencrypted link.
j. SAs/NAs, with DAA approval, will implement procedures for user authentication or verification before resetting passwords or unlocking accounts in accordance with the C&A package.
k. SAs/NAs will conduct weekly auditing of service accounts for indications of misuse.
l. The use of password generating software or devices is authorized as a memory aid when it randomly generates and enforces password length, configuration, and expiration requirements; protects from unauthorized disclosure through authentication or access controls; and presents a minimal or acceptable risk level in its use.

4-13. Release of information regarding information system infrastructure architecture
a. All Army personnel and contractors will protect and restrict access to all documentation (for example, maps, test and evaluation results, vulnerability assessments, audits, results, or findings) describing operational IS architectures, designs, configurations, vulnerabilities, address listings, or user information. This information is a minimum of FOUO and will not be made publicly accessible. Evaluate Freedom of Information Act (FOIA) requests for such documents in these categories on a case-by-case basis.
b. All information or IS responses that document or display specific vulnerabilities of a system or network that would aid attempts by an adversary to compromise those critical systems or networks are OPSEC sensitive and will be protected, controlled, marked, or stored at the appropriate classification level for the system concerned. This information will not be made publicly available.
c. Protect and restrict access to information that is a collection of interrelated processes, systems, and networks that provides information on IA services throughout the Army; the IAVM; or the incident detection and response infrastructure, capabilities, or configuration.
This information should be marked FOUO and may be exempt from mandatory release pursuant to the FOIA. Coordinate with your servicing FOIA or Privacy Act office and servicing judge advocate or legal advisor before releasing or deciding to withhold such information.

Section V
Personnel Security

4-14. Personnel security standards
The following standards designate positions requiring access to IT and for processing information within IT systems. These security designations are required to distinguish potential adverse effects on Army functions and operations and, therefore, the relative sensitivity of functions performed by individuals having certain privileges. These positions are referred to as IT and IT-related positions. The requirements of this section will be applied to all IT and IT-related positions, whether occupied by DA civilian employees, military personnel, consultants, contractor personnel, or others affiliated with the DOD (for example, volunteers). Additional guidance is available in DOD 5200.2-R.
a. Basic requirements.
(1) Personnel requiring access to ISs to fulfill their duties must possess the required favorable security investigation, security clearance, or formal access approvals, and fulfill any need-to-know requirements.
(2) IT-I is—
(a) Defined as personnel in IA positions (for example, SAs/NAs for infrastructure devices, IDSs, VPNs, routers; SAs/NAs for classified systems and devices) with privileged-level access to control, manage, or configure IA tools or devices, individual and networked IS and devices, and enclaves.
(b) Favorable completion of a National Agency Check (NAC) (current within 180 days).
(c) Initiation of a Single Scope Background Investigation (SSBI) and favorable review of SF 85P (Questionnaire for Public Trust Positions), SF 86 (Questionnaire for National Security Positions), and Supplemental Questionnaire.
(3) IT-II is—
(a) Defined as personnel in IA positions (for example, operating system administration of common network applications or enclaves, back-up operators) with limited
privileged-level access to control, manage, or configure ISs and devices, with very limited (single device) or no IA device access or management.
(b) A favorable review of local personnel, base/military, medical, and other security records as appropriate.
(c) Initiation of a National Agency Check with Credit Check and Written Inquiries (NACIC) (for civilians) or a National Agency Check with Local Agency and Credit Checks (NACLC) (for military and contractors), as appropriate, or favorable review of SF 85P and Supplemental Questionnaire.
(4) IT-III is—
(a) Defined as—
1. Personnel in IA positions, for example, power users or an SA on individual systems for configuration or management with limited privileged-level access to that IS(s) or device(s). This is a position of higher trust.
2. Personnel with roles, responsibilities, and access authorization of normal users with non-privileged level access to the IS or device.
3. Personnel with non-privileged level access authorization in the role of official or statutory volunteers. The provisions for statutory volunteers are covered in AR 608-1.
(b) A favorable review of local personnel, base and military, medical, and other security records, as appropriate.
(c) Initiation of a NACIC (for civilians) or national agency check (NAC) (for military and contractors), as appropriate, and favorable review of SF 85P and Supplemental Questionnaire.
(5) IT-IV is—
(a) Defined as personnel in non-IT positions that are temporary, intermittent, or seasonal, for example, unofficial volunteers or summer hire positions, requiring restricted user-level access to unclassified, non-sensitive ISs only.
(b) Individual completes SF 85P and supplemental questionnaire.
(c) A favorable review of local personnel, base/military, medical, and other security records as appropriate.
This investigation does not require submission to OPM.
(d) A favorable recommendation by the organization security manager, DAA, Commander, and installation commander, with notification to the RCIO/FCIO.
b. Personnel security controls.
(1) Personnel security controls, both technical and nontechnical (for example, separation of duties, least privilege access, identification and authentication (I&A), digital signatures, and audits), will be incorporated into the IS and IS procedures, as appropriate.
(2) Individuals assigned to IT-I, IT-II, or IT-III positions who lose their clearance, or have access to classified systems suspended pending the results of an investigation, will be barred access to the ISs until favorable adjudication of that investigation. Waivers for continued access to unclassified systems will be justified in a written request, with the Commander's concurrence, to the DAA for approval. Access will be granted only upon DAA authorization. This request and approval will become part of the C&A package. Users designated in IT-I positions will be removed from these positions, and this denial of access is non-waiverable.
(3) Waivers processed for IT-II and IT-III personnel only are valid for a period not to exceed 6 months. If a second waiver extension is required, one may be granted as long as a new request for waiver is submitted to the DAA and approved by the first general officer, or equivalent in position or civilian grade, in the chain of command.
(4) While the Commander and DAA have the discretion to process the waiver for IT-II and IT-III, it is important that this discretion is not without limits. The Commander and DAA are advised to proceed carefully and deliberately in making a determination on whether the individual constitutes a security risk. The IT-II/IT-III roles must be highly supervised.
Any access to protective devices (for example, firewalls, VPNs, intrusion detection systems (IDSs), IPSs, and so on) will be prohibited until favorable adjudication.
(5) The servicing legal office should be consulted for advice concerning personnel, security, contract, and labor relations issues that may impact the final determination. Recheck local records to identify any issues that may be a deciding factor in the waiver process.
(6) New, credible derogatory information revokes any standing waiver and results in immediate denial of access to IT systems (exceptions are for military only, based on immediate supervision of the individual while on the IS).
(7) Contractor, FN, or temporary individuals assigned to any IT positions who have their unclassified system or network accesses revoked or suspended for derogatory reasons will be barred access to the ISs until favorable adjudication of that investigation. The organization's IASO/IANO/IAM (as appropriate) will identify any other official systems/networks for which that individual has an account (for example, AKO) and have it temporarily disabled or suspended.
(8) The required investigation levels for an IT-I position are outlined below in table 4-2.

Table 4-2
Investigative levels for users with privileged access (IT-I) to ISs
Privileged access—IT-I (see note 1)

User roles | Foreign national | U.S. civilian | U.S. military | U.S. contractor | Conditions or examples
DAA or IAPM | Not allowed | SSBI | SSBI | Not allowed | None
IANM | Not allowed | SSBI | SSBI | Conditional SSBI | With CIO/G-6 written approval, contractors may continue as IA personnel until replaced
IAM | Not allowed | SSBI | SSBI | Conditional SSBI | Contractor may not fill MSC, installation, or post IAM position
IASO/IANO | Not allowed | SSBI | SSBI | Conditional SSBI | Contractor may not fill MSC, installation, or post IASO/IANO position (if created)
Monitoring or testing | Not allowed | SSBI | SSBI | SSBI | None
SA/NA or Administrator (with IA privileged access) or maintenance of IA devices | Conditionally allowed—SSBI (equivalent) (see note 2) | SSBI | SSBI | SSBI | Examples: administration of IA devices (for example, boundary devices, IDSs, routers, and switches)

Notes:
1. Investigative levels are defined in DOD 5200.2-R. The term "Foreign National" (FN) refers to all individuals who are non-U.S. citizens, including U.S. military personnel, DOD civilian employees, and contractors.
2. FN—under the immediate supervision of a U.S. citizen, with written approval of CIO/G-6.

(9) The required investigation levels for an IT-II position are outlined below in table 4-3.

Table 4-3
Investigative levels for users with limited privileged access (IT-II) to ISs
Limited privileged access—IT-II (see note 1)

User roles | FN (see note 2) | U.S. civilian | U.S. military | U.S. contractor | Conditions or examples
IAM/IANM | Not allowed | NACI | NACLC | NACLC | None
IANO/IASO | Conditionally allowed—NACLC equivalent | NACI | NACLC | NACLC | FN—with DAA written approval and documentation in the C&A package, direct or indirect hires may continue as IA personnel until they are replaced, provided they serve under the immediate supervision of a U.S. citizen IAM and have no supervisory duties
Supervisor of IT-I or IT-II positions | Not allowed | NACI | NACLC | NACLC | None
Administrator (with no IA privileged access) or maintenance of IA-enabled products | Conditionally allowed—NACLC equivalent (see note 2) | NACI | NACLC | NACLC | Examples: IS administration, OS administration, end-user administration, and administration of common applications (for example, e-mail, word processing)

Notes:
1. Investigative levels are defined in DOD 5200.2-R. FN refers to all individuals who are non-U.S. citizens, including U.S. military personnel, DOD civilian employees, and contractors.
2. FN—under the immediate supervision of a U.S. citizen.

c. Access by non-U.S. citizens.
(1) Minimize employment of non-U.S. citizens in IT positions. However, compelling reasons may exist to grant access to DOD IT resources in those circumstances in which a non-U.S. citizen possesses a unique or unusual skill or expertise that is urgently needed for a specific DOD requirement and for which a suitable U.S. citizen is not available. Written compelling reason justification, documentation in the C&A package, and DAA approval are required.
(2) Access to sensitive information by a non-U.S. citizen who is not a DOD employee will only be permitted in accordance with applicable disclosure policies (for example, National Disclosure Policy 1, DODD 5230.9, DODD 5230.25) and U.S. statutes (for example, the Arms Export Control Act, 22 USC 2551, et seq.).
(3) If information to which the incumbent will have access is authorized for foreign disclosure, non-U.S. citizens assigned to DOD IT positions are subject to the investigative requirements outlined below.
(4) Non-U.S. citizens may hold IT positions under the conditions described in the paragraphs below and if the DAA that accredited the system and the data owners approve the assignment requirements in writing. The written approval must be on file and provided as an artifact to the C&A package before requesting the required investigation. The required investigation must be completed and favorably adjudicated before authorizing access to DOD systems or networks. Interim access is prohibited.
(5) Assignment (including assignments due to accretion of duties) of current DOD employees, military personnel, consultants, and contractors to positions with different responsibilities or changed access privileges requires verification of the appropriate investigative basis and authority for holding a position of that level of sensitivity.
d. Interim assignments.
(1) Individuals, including temporary, intermittent, or seasonal personnel, may be assigned to unclassified IT-II and IT-III positions on an interim basis before favorable completion of the required personnel security investigation only after the conditions specified have been met.
(a) Individual completes SF 85P and supplemental questionnaire.
(b) A favorable recommendation by the organization security manager, Commander or Director, DAA, and Installation Commander, with RCIO/FCIO notification.
(c) Initiation of security investigation has been submitted or is pending adjudication.
(d) Interim access is not authorized for non-U.S. citizens.
(2) The security manager at the requesting activity will make interim assignment approvals for civilian and military personnel.
(3) The Government sponsor's security manager or official will make the approval for volunteer access.
(4) The interim assignment of contractor personnel fulfilling IT positions will be restricted and implemented only upon documentation in the C&A package and acceptance of the DAA and the Contracting Officer evaluations on a case-by-case basis.
e. Adjudication.
(1) The provisions of this section apply only to contractor personnel. (Civilian employees, military personnel, consultants, volunteers, and seasonal, part-time, and intermittent employees will be favorably adjudicated by the appropriate DOD central adjudication facility.)
(2) OPM will adjudicate investigations for a trustworthiness determination using the national adjudicative guidelines for access to classified information. If the adjudication is favorable, OPM will issue a letter of trustworthiness to the requesting activity.
(3) If a favorable trustworthiness determination is indeterminate, OPM will forward the case to the Defense Office of Hearings and Appeals (DOHA) in Columbus, OH, for further processing under DODD 5220.6. A final unfavorable decision precludes assignment to an IT-I, II, or III position.
(4) Enter all OPM IT trustworthiness determinations of DOD contractor personnel into the OPM Security/Suitability Investigative Index (SII).
f. Reinvestigation. Individuals occupying an IT position will be subject to a periodic reinvestigation according to existing contract, labor relations, or personnel security policy.

4-15. Foreign access to information systems
a. To ensure standardized and appropriate access to the Unclassified but Sensitive Internet Protocol Routing Network (NIPRNET) by foreign officials, IA personnel will meet the requirements delineated below.
Provide each authorized foreign official a .mil address on the unclassified network required for executing his or her foreign official duties as outlined in his or her respective certification. For each authorized foreign official, the local area network administrator will place a caveat or marker on the user account and all outgoing e-mails from that person identifying them as a foreign official from a specific country. In doing so, the local area network administrator will spell out the words "Foreign Official" and the country name of the foreign official and will not use an acronym for that country. In addition, the local area administrator will indicate the type of foreign official access that is granted. The required tags for each of the five categories of foreign officials would thus read as shown below (replace each hypothetical country name with the appropriate one).
(1) Foreign liaison officer (FLO): "Last Name, First Name Middle Initial-Foreign National-Germany-FLO." (Note: Local area network administrators will designate FLOs representing the United Kingdom, Canada, or Australia as STANREPs rather than as FLOs.)
(2) Cooperative Program personnel (CPP): "Last Name, First Name Middle Initial-Foreign National-Turkey-CPP".
(3) Engineer and Scientist Exchange Program (ESEP): "Last Name, First Name Middle Initial-Foreign National-Israel-ESEP".
(4) Standardization representative (STANREP): "Last Name, First Name Middle Initial-Foreign National-United Kingdom-STANREP".
(5) Military Personnel Exchange Program (MPEP): "Last Name, First Name Middle Initial-Foreign National-Italy-MPEP".
b. Limit access to foreign officials, exchange personnel, or representatives to computers that incorporate Army-mandated access and auditing controls.
Approval to access the NIPRNET does not equate to authority to exchange data or access systems located on that network. The appropriate system DAA will approve access to foreign officials on an as-needed basis and update the documentation in the C&A package. Similarly, the designated release or disclosure authority will grant access to the information on ISs to foreign officials on an as-needed basis.
c. E-mail signature blocks will be automatically generated for all foreign personnel and include the foreign individual's nationality and position.
d. If the organization where a foreign official is certified determines there is a need for the foreign official to have access to the NIPRNET beyond e-mail access (for example, an AKO account), submit an exception to policy through the DAA to the RCIO IAPM, to be forwarded to the CIO/G-6. The approval will become part of the C&A package for the IS. This includes individuals granted access prior to the publication of this regulation. Commands will immediately evaluate each case and forward their exception recommendation. The exception will be reviewed by the appropriate HQDA Program Manager and the NETCOM/9th SC (A) OIA&C prior to disposition. The exception must include the following information:
(1) Request from the Commander that states the need to know, tied to the foreign official's certification and Delegation of Disclosure Authority Letter (DDL).
(2) Statements from the installation and command's IAM stating proper security procedures are in place. The DCS, G-2, Foreign Disclosure and Security Directorate will also review the exception before final disposition.
e. Official access to information residing on an IS or network will be limited to that controlled but unclassified information required to fulfill the terms of the contract or agreement, provided minimum security requirements of this section are met.
f. Disclosure of classified military information to foreign governments and international organizations is limited and will be in accordance with AR 380-10, DODD 5230.11, and CJCSI 5221.01B.
g. International Military Students (IMS) who have been vetted and approved for U.S. Army training and Professional Military Education (PME) attending resident training or enrolled in the Army Distance Education Program (DEP) at U.S. Army and Army-managed schools/training activities will agree to comply with all U.S. MILDEP requirements. They are required to sign an AUP user agreement. There is no requirement for background investigations as described, since in-country U.S. officials perform a security screening of each student before selection approval. To prevent inadvertent disclosure of information, international military students will be identified as students in their e-mail address, display name, and automated signature block (for example, john.i.smith.uk.stu@xxx.army.mil).
h. NIPRNET access policy and procedures for FNs in non-official positions, as identified above, are as follows:
(1) Components or organizations will maintain records on access including the following information—
(a) Specific mission requirements for foreign access or connection.
(b) Justification for each individual FN.
(c) Confirmation that the minimum security requirements of this section are enacted, including the user agreement discussed below.
(2) Before authorizing FN access to a specific IS on the NIPRNET or the Secret Internet Protocol Routing Network (SIPRNET), Army components will—
(a) Ensure the information is properly processed for disclosure.
(b) Ensure DAAs and data owners concur with the access.
(c) Ensure the C&A documentation for the system is updated to reflect FN access.
(d) Ensure security measures employed adhere to this policy.
(e) Validate the identity of each FN authorized access to ISs to ensure accountability of all actions taken by the foreign user.
(f) Ensure the FN follows appropriate security policies and procedures and that the IASO possesses the authority to enforce these policies and procedures. Before accessing any system, an FN will sign an AUP agreement that includes—
1. Acknowledgment of appropriate information security policies, procedures, and responsibilities.
2. The consequences of not adhering to security procedures and responsibilities.
3. Identification requirements when dealing with others through oral, written, and electronic communications, such as e-mail.
i. Department of the Army employees or contractors who are FNs and are direct or indirect hires, currently appointed in IA positions, may continue in these positions provided they satisfy the provisions of paragraph 4-14, DODD 8500.1, DODI 8500.2, and DOD 5200.2-R; are under the supervision of an IAM who is a U.S. citizen; and are approved in writing by the DAA and captured in the C&A package.
j. FNs assigned into IT positions will be subject to the same (or equivalent) vetting as U.S. citizens.
k. FNs may hold or be authorized access to IT-II and IT-III positions provided the required background investigation has been completed or favorably adjudicated.
l. Additionally, an FN may be assigned to an IT-I position only after the DAA who owns the system and the data owner who owns the information sign a waiver and the assignment has been approved by the CIO/G-6. The approvals will become part of the C&A package. Sign and place the waiver in the individual's security file before requesting the required background investigation. The required background investigation must be completed and favorably adjudicated before authorizing IT-I access to DA systems/networks.
m. Do not assign FNs to IT-I, IT-II, or IT-III positions on an interim basis before a favorable adjudication of the required personnel security investigation.
n. Generally, an FN or official representative is not authorized access to the U.S.-controlled SIPRNET terminal workspace. If an authorized foreign official or national working at a U.S. Army site has a requirement for accessing the SIPRNET, the commander will submit an exception to policy through the DAA to the RCIO IAPM, to be forwarded to the HQDA CIO/G-6 and reviewed by the DCS, G-2 Foreign Disclosure Directorate prior to disposition. CIO/G-6 will coordinate the request with the Army staff and forward it to DISA.
These requests will be staffed with the presumption of denial. Apply the procedures of this section after DISA's approval and any additional guidance provided by DISA on the connection process for FNs. E-mail signature blocks will be automatically generated for all FNs and include the foreign individual's nationality and position. The approvals will become part of the C&A package.

Section VI
Information Systems Media

4-16. Protection requirements
a. All IS equipment and facilities used for processing, handling, and storing classified data will be operated and secured, where applicable, per DCID 6/3, AR 380-5, this regulation, or the Joint DODIIS Cryptologic SCI Information Systems Security Standards (JDCSISSS).
b. All Army personnel and contractors will mark, ship, store, process, and transmit classified or sensitive information in accordance with AR 380-5.
c. Control ISs containing non-removable, non-volatile media used for processing classified information.
d. Commanders, Directors, and IA personnel will verify procedures and train users, administrators, and security personnel in processes for spillage incidents of higher-level or classified information to a lower-level IS.
e. SAs will configure ISs to apply security or handling markings automatically when possible or available.
f. SAs will configure ISs to display the classification level on the desktop or login screen (for example, wallpaper, splash screen) when the device is locked, the user is logged off, or the IS is used to span multiple classification networks through the use of a KVM device.
g. All Army personnel and contractors will not transmit classified information over any communication system unless using approved security procedures and practices, including encryption, secure networks, secure workstations, and ISs accredited at the appropriate classification level.

4-17. Labeling, marking, and controlling media
a. Unless write-protected or read-only, all personnel will protect and classify media inserted into a system at the highest level the system is accredited to process until the data or media is reviewed and downgraded by the IASO.
b. All personnel will clear removable media before reusing it in ISs operating at the same or higher protection level.
c. All personnel will mark and control all media devices, peripherals, and ISs as follows:
(1) TS or SCI or intelligence data per DCID 6/3, DCID 1/7, and JDCSISSS, as applicable.
(2) Classified media per AR 380-5 requirements.
(3) FOUO media per AR 25-55 requirements.
(4) Privacy Act media per AR 340-21 requirements.
(5) NATO information per AR 380-5 requirements.
d. All personnel will mark and control the media or IS after determination of the classification level of the data placed on the media. Implement media accountability procedures based on the type of media and the classification of the data as required above.

4-18. Clearing, purging (sanitizing), destroying, or disposing of media
a. Procedures for disposition of unclassified hard drive media outside DOD custody will follow current guidelines addressed in the published BBP.
b. All personnel will purge media before reuse in a different environment than the one in which they were previously used (new users without a need-to-know for the original data) or with data at a different classification or sensitivity level, or when the drives have met the end of their life cycle. Ensure custodial equipment transfer requirements are accomplished. IA personnel will verify that personnel are trained on local procedures. Purging electronic media does not declassify the media, as declassification is an administrative process.
c. IA personnel will conduct random security inspections for violations of removable media physical security measures quarterly.
d. IA personnel will purge unclassified media before consideration for release outside DOD control.
e. IA personnel will destroy media that has ever contained NSA Type 1 cryptographic or COMSEC materiel at end of life cycle in accordance with approved destruction processes.
f. IA personnel will destroy SCI media at end of life cycle in accordance with DCID 6/3 for DODIIS systems and NSA 130-1 and 130-2 for NSA Cryptologic systems, in accordance with approved destruction processes.
g. IA personnel will destroy media that contained classified material or was involved in a classified spillage incident at end of life cycle in accordance with approved destruction processes.
h. When it is more cost effective, or to ensure absolute security, destroy media instead of purging or declassifying, in accordance with approved destruction processes.
i. The IAM will establish procedures to periodically verify the results of any purging and IS release processes.
j. Spillage recovery procedures for data from higher-classified information to lower-classified systems are addressed in a separately published BBP.

Section VII
Network Security

4-19. Cross domain security interoperability
The DOD Global Information Grid Interconnection Approval Process (GIAP) was created out of the need to provide a consistent way to simplify and consolidate the various connection approval processes. All DOD Services and agencies must comply with these processes when connecting networks of different classification levels. The Top Secret and Below Interoperability (TSABI) and the Secret and Below Interoperability (SABI) processes provide an integrated, comprehensive, and consistent approach to addressing the shared risk associated with the connection of networks of different classification levels.
a. Organizations requiring a cross domain solution must first complete the information on the GIAP Web site (https://giap.disa.smil.mil).
b. Organizations requiring a cross-domain solution will also contact the NETCOM/9th SC (A) Office of Information Assurance and Compliance, Cross-Domain Solutions Office to provide notification of the cross domain process initiation.
c. The cross-domain process follows the DIACAP and requires that networks be fully certified and accredited and that all associated security devices be certified, tested, and evaluated (CT&E) in accordance with the NSA compliance standards. Approved standardized cross domain solutions will be acquired through CSLA. Non-standard solutions will require an extensive engineering effort.
d. All Army organizations that maintain connections between networks of different classification levels must annually revalidate their connections in accordance with the SIPRNET DAA directives. Contact the SIPRNET Connection Approval Office for current guidance and requirements.
e. Manage all interconnections of DOD ISs to continuously minimize community risk by ensuring that one system is not undermined by vulnerabilities of other interconnected systems and that one system does not undermine other systems. All ISs within interconnected (or trusted) networks will meet networthiness certification.

4-20. Network security
a. Procedures. Commanders will establish procedures to manage and control access to all ISs, networks, and network equipment to ensure integrity, confidentiality, availability, non-repudiation, and authentication, regardless of classification level.
b. Requirements. Positive IA measures ensure all users satisfy the requirements specified before granting an individual access (including dial-up services and Internet access) to DOD and Army networks, systems, and stand-alone computers.
(1) Individual.
Commanders will verify, and IA personnel will deny, physical and logical access to individuals who cannot meet access requirements.
(2) Proponents. Proponents for programs that require network services for family members, retirees, and other individuals serviced at Army installations (for example, unofficial recreational activities; libraries; education centers; or Army-Air Force Exchange Service (AAFES) kiosks) should arrange for services through a commercial Internet service provider (ISP) or other isolated connection capability. Proponents will coordinate with the installation DOIM for service and the IAM for IA requirements. These connections are unofficial communications and will be isolated either logically or physically from official DOD and Army NIPRNET networks.
(3) MWR garrison activities. MWR garrison activities dependent upon the installation LAN for network connectivity, in accordance with DODI 1015.10 and AR 215-1, to provide Executive Control and Essential Command Supervision (ECECS) in support of the Commander's fiduciary responsibility are authorized the use of NIPRNET connectivity to support the Commander's MWR activities. Published BBPs describe the standards for acceptable connectivity and IA security requirements.
(4) JIM networks. JIM networks that have NETCOM/9th SC (A)-provided connectivity will implement the most restrictive and isolating configuration and implementation management principles (inclusive of, but not limited to, separate enclaves and identifications, and tunneled or dedicated connectivity), limited to those that are absolutely required for military or support operations, as necessary and in compliance with IA requirements in this and other applicable regulations.
In order to be entirely separate, JIM networks must not—
(a) Utilize Army IP numbering for their end users, servers, or network devices.
(b) Utilize army.mil as their logical extension.
(c) Connect to any local Army network on Army installations.
(d) Require Army network and systems management, systems administration, or maintenance and repair support as a standard level of service.
(e) Require the Army to provide security oversight, management, or services as a standard level of service.
(f) Report IAVM compliance through Army channels.
(g) Receive Army funding for implementation at the location.
c. Restrictions. Supervisors and managers will—
(1) Ensure transmission of classified or sensitive information via applicable secure means.
(2) Authorize commercial ISP accounts per chapter 6, AR 25-1.
(3) Ensure there are no cross-connections directly between the Internet and NIPRNET ISs. For example, do not permit a modem connection (for example, multi-functional devices such as copier/fax/printer combinations) to a commercial ISP or service while the IS is also connected to the NIPRNET. NIPRNET-connected systems will have this function disabled.
(4) Permit direct connections to the Internet to support electronic commerce when those systems will not connect to the NIPRNET or the SIPRNET.
d. Protection from external networks (that portion of the network outside the installation's or activity's controls). Commanders and IA personnel will utilize the following processes on routers, switches, firewalls, and other networking devices to provide protection from external networks.
(1) Firewalls. Configure firewalls with least-privilege access controls. Layer firewalls at the boundaries between border and external networks and as needed throughout the architecture to improve the level of assurance. NETCOM/9th SC (A) will approve firewall implementation guidance for use within the Army.
Every information system shouldbe protected by either an approved host-based or network-based (enclave) firewalL(2) Access control lists. Update and manage access control lists (ACLs) through secure mechanisms and incorporatea ^^deny all, permit by exception" (DAPE) policy enforcemenL(3) Networkconfigurations.lApersonnel will implement networkconfigurationstoremove or block any unnecessary or unauthorized services, software, protocols, and applications such as: LanMan, gaming software,Gnute11a, IRC,ICQ, Instant Messaging, peer-to peer.(4) Ports, Protocols, and Services Management (PPSM). Permit only ports, protocols, and services (PPS) asauthorized. Tbe Commander and network management personnel w i l l :(d^ Restrict enterprise andenclaveboundaryfirewallsandfirewalllikedevices to t h e u s a g e o f a p p r o v e d P P S inaccordance with the D O D I 8551.1 on PPSM DOD considers PPSs not listed on the D O D PPS T A G list as ^^deny bydefault."(^^ PPSs designated as ^^bigh risk" are unacceptable for routine use. Prohibit high-risk PPSs unless expresslyapproved for a specific implementation with defined conditions and risk mitigation strategies.(i^^ PPSs designatedas^^medium-risk"havean acceptable level o f r i s k f o r r o u t i n e u s e whenused with requiredmitigation strategies.(d^ PPSs designated as ^^low risk" are recommended as best security practices and advocated for use by Armydevelopers in future systems and applications. 
Not all low risk PPSs are acceptable under all implementations and mayrequire approvaL(^^^ T h e g o a l o f N E T C O M / 9 t b S C ( A ) i s t h e m i g r a t i o n s y s t e m s that u s e b i g h - a n d medium-risk PPSs t o l o w - r i s kPPSs as part of its life cycle management processes through system redesign while maintaining current standards-basedapplications and requirements (for example, port 21 for ftp, port 80 for Web).AR 2 5 - 2 ^ 2 4 October 2007^anningB^000^^27^^39(^ N E T C 0 M / 9 t h SC (A) isresponsibleforPPS management and will approveandpublisb Armywidemitigationstrategies for PPSs.(5) Domain name service (DNS). TNOSCs w i l l monitor DNS servers for compliance and adherence to DNSpolicies. Owning organizations w i l l provide bost based intrusion detection monitoring for these servers.(6) Virtual private networks (VPNs). Virtual private networks w i l l require approval to connect and operate from theR C I O u s i n g N E T C O M / 9 t h S C ( A ) C C 8 - a p p r o v e d a n d p u b l i s h e d i m p l e m e n t a t i o n p r o c e s s e s ( w b e n implemented)afterdocumentingawell-defined acceptable use policy,security concept ofoperations, an SSAA risk analysis and management plan, and Networthiness certification, before implementation.(7) Storage area configurations. As developing technologies (for example, storage area networks, collaborativeenvironments,data sharing technologies,webcasting,or real/near-realtime distribution capabilities) are implemented,they must incorporate secure IA principles. Minimum requirements include, but are not limited to tbe listed belowrequirements. 
Network management personnel w i l l —(d) Obtain approval for Cc^A, CAP, and Networthiness.(^^ Use approved NETC0M/9th SC (A) configuration-management implemented processes,(c:^ Secure the information at rest and in transit and ensure that tbe configuration does not introduce additional risksor vulnerabilities.(c^ Use secure communication and access protocols.(^2^ Implement security controls and validate all user supplied input(^ Implement extranet connections through a multi-tiered and layered approach requiring separate and distinctservers across the environment for each tier, and minimally include—7. User access tier, usually through a Web site that offers static pages and will be SSL enabled as a minimum.2. Application tier, authenticates authorized users, access, and interfaces between the user and the data.^. Protection of the database or data tier (for example, fiat files, e-mail), information that is accessed by theapplication on behalf of the user.( ^ Incorporate firewalls, filtering, protective, andmonitoring devices (forexample, IPSs, IDSs) at each enclavelayer.(Tl) Employ encryption, single-sign-on, tokens, or DOD authorized digital certificates equivalent to thelevel of dataaccessed or available and adequately passed through the application server to access the data requested.(i) Employ data separation and authentication ^^need to know" measures and requirements.^. T^B^d/^c^/ic^Bici^iBi^^B^Bid/ii^ri^cjB^^. (portion of tbe network that is directly controlled by the installation or activity).Network management personnel w i l l :(1) Establishtmsts in accordance with the installation Cc^A.There w i l l be no trusted relationships established withany other domains or networks until both are Networthiness certified and approved by tbe respective DAAs anddocumented in the Ci^A package.(d) The DAAs of tbe participating ISs and the D A A of the overall network ( i f designated) w i l l signaMemorandumof Understanding (MOU). 
Tbe M O U becomes an artifact to tbe Cc^A package.(^^ The D A A ' s approval w i l l i n c l u d e a d e s c r i p t i o n o f t h e c l a s s i f i c a t i o n a n d c a t e g o r i e s o f information that canbesent over the respective networks.(2) Connection between accredited ISs must be consistent with the confidentiality level andany other restrictionsimposed by the accredited ISs.Unless the I S i s accredited for multilevel operations and can reliably separate and labeldata, t h e l S i s a s s u m e d t o b e t r a n s m i t t i n g t b e h i g b e s t l e v e l o f d a t a p r e s e n t o n thesystemduringnetworkconnection.(3) Employ identification, authentication, and encryption technologies when accessing network devices.(4) Employ 1ayeredprotective,fi1tering,andmonitoringdevices (for example,firewa11s,IDSs)atenclaveboundaries, managed access points, and key connection points.(5) Scan all installationassetsanddevices, implementprotectivemeasures,andreport noncompliance to RCIOs/FCIOs as required (minimum is semi annual).(6) Proxy all Intemet accesses through centrally managed access points and isolate from other DOD or ISs byphysical or technical means.^ ^BBidi'/.^^c^icB^i'r^. 
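As an added illustration of the DAPE rule in d(2) together with the PPSM categories in d(4)(a) through (d), the following Python sketch evaluates requested boundary rules and emits an ordered ACL that always ends in an explicit deny. It is example code written for this page, not an Army or NETCOM tool; the PPS registry, the mitigation table, the approval reference, and the rule requests are constructed for illustration and are not the DOD PPS list or any published mitigation strategy.

```python
"""Deny-all, permit-by-exception (DAPE) boundary policy with PPSM risk
categories.  Added example illustrating AR 25-2 para 4-20d(2) and d(4); this
is not Army or NETCOM code.  The PPS registry, the mitigation table and the
rule requests are constructed for illustration and are not the DOD PPS list."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed registry: (protocol, port) -> PPSM risk category (hypothetical).
PPS_REGISTRY = {
    ("tcp", 443): "low",
    ("tcp", 80): "low",
    ("udp", 53): "low",
    ("tcp", 21): "medium",   # routine use only with required mitigations
    ("tcp", 23): "high",     # prohibited unless expressly approved
    ("tcp", 139): "high",
}
# Constructed: mitigations a medium-risk PPS must carry before it is permitted.
REQUIRED_MITIGATIONS = {("tcp", 21): {"tls", "boundary_logging"}}


@dataclass
class RuleRequest:
    proto: str
    port: int
    src: str
    dst: str
    mitigations: set = field(default_factory=set)
    approval: Optional[str] = None   # reference for a high-risk exception


def evaluate(req):
    """Return (verdict, reason) for one requested boundary rule."""
    key = (req.proto.lower(), req.port)
    risk = PPS_REGISTRY.get(key)
    if risk is None:
        # Not on the approved list at all: deny by default.
        return "deny", "PPS not on approved list (deny by default)"
    if risk == "high":
        if req.approval and req.mitigations:
            return "permit", f"high-risk PPS under approval {req.approval}"
        return "deny", "high-risk PPS needs specific approval and mitigations"
    if risk == "medium":
        missing = REQUIRED_MITIGATIONS.get(key, set()) - req.mitigations
        if missing:
            return "deny", f"medium-risk PPS missing mitigations {sorted(missing)}"
        return "permit", "medium-risk PPS with required mitigations"
    return "permit", "low-risk PPS"


def build_acl(requests):
    """Ordered ACL: one explicit permit per accepted request, then the
    catch-all deny that makes the policy DAPE.  Also returns what was refused."""
    acl, denied = [], []
    for r in requests:
        verdict, reason = evaluate(r)
        line = f"{r.proto} {r.src} -> {r.dst} port {r.port}"
        if verdict == "permit":
            acl.append(f"permit {line}  # {reason}")
        else:
            denied.append((line, reason))
    acl.append("deny ip any any  # DAPE: nothing else is permitted")
    return acl, denied


def is_dape(acl):
    """True when the ACL ends in an explicit deny-all and has no permit-all."""
    return acl[-1].startswith("deny ip any any") and not any(
        entry.startswith("permit ip any any") for entry in acl)


if __name__ == "__main__":
    # "DAA-EXC-01" is a hypothetical approval reference for the example.
    sample = [RuleRequest("tcp", 443, "any", "10.1.1.10"),
              RuleRequest("tcp", 21, "10.1.0.0/16", "10.1.1.20"),
              RuleRequest("tcp", 23, "10.1.5.0/24", "10.1.1.30",
                          mitigations={"jump_host"}, approval="DAA-EXC-01")]
    rules, refused = build_acl(sample)
    print("\n".join(rules))
    for line, why in refused:
        print("REFUSED", line, "-", why)
```

The order of checks matters: an unlisted port is refused before any category logic runs, so a typo in a request cannot fall through to a permit, and the trailing deny is appended by the builder rather than by the requester.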
f. E-mail security. All personnel will use e-mail systems for transmission of communications equivalent to or less than the classification level of the IS.
(1) IA personnel will—
(a) Promote security awareness. Train users to scan all attachments routinely before opening or downloading any file from e-mail.
(b) Configure ISs to use encryption when available or as part of the global enterprise to secure the content of the e-mail to meet the protection requirements of the data.
(c) Implement physical security measures for any information media and servers.
(d) Install and configure antiviral and protective software on e-mail servers and client workstations.
(e) Warn users to treat unusual e-mail messages the same way they treat unsolicited or unusual parcels: with caution.
(f) Use digital signatures to authenticate a message as needed (non-repudiation).
(g) Configure ISs to prevent opening attachments or executing active code directly from mail applications.
(2) Personnel will not share their personally assigned e-mail accounts.
(3) Commanders and directors may allow the limited use of organizational or group e-mail accounts where operationally warranted.
(4) E-mail passwords will differ from the network password when used, until a global PKI initiative is available.
(5) All personnel will employ Government-owned or -provided e-mail systems or devices for official communications. The use of commercial ISP or e-mail accounts for official purposes is prohibited.
(6) Auto-forwarding of official mail to non-official accounts or devices is prohibited.
(7) Permit communications to vendors or contractors for official business and implement encryption and control measures appropriate for the sensitivity of the information transmitted.
(8) IA personnel will configure systems so that authorized users who are contractors, DOD direct or indirect hires, FNs, foreign representatives, seasonal or temporary hires, and volunteers have their respective affiliations or positions displayed as part of their official accounts and e-mail addresses.
g. Internet, intranet, extranet, and WWW security.
(1) AR 25-1 outlines requirements and policy on the use of Government-owned or leased computers for access to the Internet.
(2) Users are authorized to download programs, graphics, and textual information to a Government-owned IS as long as doing so does not violate Federal and state law, regulations, acceptable use, and local policies (for example, CM, IA).
(3) Government-owned or leased ISs will not use commercial ISPs (for example, CompuServe, America Online, Prodigy) as service providers, unless a Government-acquired subscription to such services is in place and the access is for official business or meets the criteria for authorized personal use as indicated in AR 25-1, paragraph 6-1.
(4) Network management and IA personnel will implement appropriate access, filtering, and security controls (for example, firewalls, restriction by IP address).
(5) Network management and IA personnel will implement and enforce local area management access and security controls. Publicly accessible Web sites will not be installed or run under a privileged-level account on any Web server. Non-public Web servers will be similarly configured unless operationally required to run as a privileged account, and appropriate risk mitigation procedures have been implemented.
(6) Commercial ISP services are authorized to support those organizations identified in paragraph 4-20b(2), above, and no cross or direct connectivity to the NIPRNET will exist or be implemented.
(7) All personnel will protect information not authorized to be released for public disclosure.
(8) Extranet and intranet servers will provide adequate encryption and user authentication.
(9) Extranet servers and access will be approved through the installation IAM, documented in the C&A package, and approved by the appropriate DAA.
(10) Network managers and IA personnel will configure all servers (including Web servers) that are connected to publicly accessible computer networks such as the Internet, or protected networks such as the SIPRNET, to employ access and security controls (for example, firewalls, routers, host-based IDSs) to ensure the integrity, confidentiality, accessibility, and availability of DOD ISs and data.
(11) Commanders and supervisors will comply with Federal, DOD, and DA Web site administration policies and implement content-approval procedures that include OPSEC and PAO reviews before updating or posting information on all Web sites.
(12) Network managers and IA personnel will protect publicly accessible Army Web sites by placing them behind an Army reverse Web proxy server. The reverse proxy server acts as a proxy from the intranet to the protected server, brokering service requests on behalf of the external user or server. This use of a reverse proxy server provides a layer of protection against Web page defacements by preventing direct connections to Army Web servers.
(13) Publicly accessible Web sites not protected behind a reverse Web proxy (until moved) will be on a dedicated server in a DMZ, with all unnecessary services, processes, or protocols disabled or removed. Remove all sample or tutorial applications, or portions thereof, from the operational server. Supporting RCERTs and TNOSCs will conduct periodic vulnerability assessments on all public servers and may direct blocking of the site dependent on the inherent risk of identified vulnerabilities. Commanders or assigned IAMs will correct identified deficiencies.
(14) All private (non-public) Army Web sites that restrict access with password protection or specific address filtering will implement SSL protocols utilizing a Class 3 DOD PKI certificate as a minimum. NETCOM/9th SC (A) issues and manages these certificates.
(15) Commanders will conduct annual OPSEC reviews of all organizational Web sites and include these results in their annual OPSEC reports pursuant to AR 530-1.
(16) To verify compliance with Federal, DOD, and DA Web site administration policies, procedures, and best practices, the AWRAC will continuously review the content of publicly accessible U.S. Army Web sites to ensure compliance. (See also AR 25-1 for Web site administrative policies.) AWRAC will provide results from these assessments to commanders for corrective actions.
h. Keyboard, video, mouse (KVM) and keyboard, monitor, mouse (KMM) switches. These devices are primarily introduced to achieve a reduction of hardware on the desktop and do not provide any IA features.
(1) These devices are not authorized for use for cross-domain interoperability (NIPRNET-to-SIPRNET or SIPRNET-to-NIPRNET guarding solution) network connections. See BBP documentation on the CIO/G-6 IA Web site for approved items and implementation guidelines (https://informationassurance.us.army.mil).
(2) IA personnel will configure systems to utilize screen-saver lockout mechanisms for KVM/KMM switch environments approved by the DAA.
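Subparagraph f(1)(a) and (g) above require that attachments be scanned and that active content not be opened directly from the mail client. The following Python example, added here and not part of AR 25-2 or any Army system, shows the gateway-side half of that: it parses a message with the standard library, screens each attachment for a blocked extension, a double extension, executable magic bytes, and a declared type that does not match the bytes, and holds the message if anything is found. The sample message, the extension blocklist, and the magic-byte table are constructed for illustration.

```python
"""Attachment screening for inbound e-mail, added as an example for AR 25-2
para 4-20f(1)(a) and (g) (scan attachments; do not open active content from
the mail client).  Not Army code.  The sample message is constructed, and the
extension blocklist and magic-byte table are illustrative, not a standard."""
import email
from email import policy
from email.message import EmailMessage

# Active content / executable extensions a mail gateway should hold (illustrative).
BLOCKED_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "jse",
               "wsf", "hta", "ps1", "jar", "msi", "docm", "xlsm", "pptm"}
# Leading bytes that identify executables whatever the declared name or type.
MAGIC = {b"MZ": "pe-executable", b"\x7fELF": "elf-executable", b"#!": "script"}


def classify_bytes(data):
    """Identify executable content by magic bytes; 'other' when unrecognized."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "other"


def extensions(filename):
    """Every extension in order: 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    return filename.lower().split(".")[1:]


def screen_attachment(part):
    """Return the list of findings for one MIME part (empty means clean)."""
    findings = []
    name = part.get_filename() or ""
    data = part.get_payload(decode=True) or b""
    exts = extensions(name)
    if exts and exts[-1] in BLOCKED_EXT:
        findings.append(f"blocked extension .{exts[-1]}")
    if len(exts) > 1:
        findings.append("double extension")
    kind = classify_bytes(data)
    if kind != "other":
        findings.append(f"content is {kind}")
    # Declared type must match the bytes; a PE wearing a PDF label is hostile.
    if part.get_content_type() == "application/pdf" and not data.startswith(b"%PDF"):
        findings.append("declared PDF but content is not PDF")
    return findings


def screen_message(raw):
    """Map attachment filename -> findings for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {(p.get_filename() or "<unnamed>"): screen_attachment(p)
            for p in msg.iter_attachments()}


def decision(report):
    """Hold the whole message if any attachment produced a finding."""
    return "quarantine" if any(report.values()) else "deliver"


def build_sample():
    """Constructed message: one clean PDF, a PE disguised as a PDF, a VBScript."""
    msg = EmailMessage()
    msg["From"] = "sender@example.mil"          # constructed addresses
    msg["To"] = "user@example.mil"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4\n% constructed minimal body\n",
                       maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                       maintype="application", subtype="pdf", filename="invoice.pdf.exe")
    msg.add_attachment(b"WScript.Echo(\"hi\")\r\n",
                       maintype="application", subtype="octet-stream", filename="notes.vbs")
    return msg.as_bytes()


if __name__ == "__main__":
    rep = screen_message(build_sample())
    for fname, found in rep.items():
        print(fname, "->", found or "clean")
    print(decision(rep))
```

Each check is independent, so a renamed executable is still caught by its magic bytes when the filename lies, and a mislabelled MIME type is caught when the bytes are honest; a real gateway would add archive inspection and antivirus, which this sketch leaves out.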
i. Information assurance tools. All personnel will use only IA security software listed on the IA tools list on Army systems and networks. The list of Army-approved IA tools is available through the IA Web site. Requests for consideration and approval of additional security software packages to be added to the IA tools list must be submitted through NETCOM/9th SC (A) channels (ATTN: NETC-EST-I, ATTN: OIA&C) to CIO/G-6.
(1) Installation IAM-designated and Army-certified IA personnel may conduct tests under stringent conditions coordinated with the installation DOIM, IAM, TNOSC, and RCERT, at a minimum.
(2) RCIO IAPM approval, and advance notification of the servicing RCERT and TNOSC, is required before certified IA personnel may utilize public domain vulnerability assessment tools (for example, Nessus, Nmap, Saint, or Titan).
(3) Organizational IA personnel are prohibited from conducting penetration testing attempts on ISs utilizing unauthorized hacker tools or techniques. This restriction is applicable to operational networks and does not apply to those personnel or techniques used in a testing environment for C&A, vulnerability assessments of developmental systems, or used in a training environment for personnel certifications on isolated networks.
(4) Organizational IAMs can request penetration testing of their networks. Subordinate organizations may request penetration testing through their ACOM/ASCC IAM to the installation IAM.
(5) The use of keystroke monitoring software of any kind is prohibited, except by LE/CI personnel acting within proper legal authority.
j. Networking security tools. The following policies apply to networking security tools used on ISs:
(1) Establish a security and implementation policy for each protection tool before purchase and implementation.
(2) Implement security tools within the security perimeter defensive architecture with NETCOM/9th SC (A) approval.
(3) Limit login access to internetworking devices to those individuals who operate and maintain those devices.
(4) Review configuration and audit files of security internetworking tools weekly.
(5) NETCOM/9th SC (A), in coordination with CIO/G-6 and the ACERT, operates detection and protection devices for networks connected to the NIPRNET. Although NETCOM/9th SC (A) owns, operates, and maintains the enterprise devices, this does not preclude the command, DOIM, or activity IA personnel from managing and analyzing local networks or data. Local management of an IDS/IPS is recommended, with notification to the DOIM and/or TNOSC. The notification will document the operational requirement, the intent of monitoring, and the device utilized. Staff the notification to the RCIO IAPM and submit it to the supporting DOIM and RCERT/TNOSC. The requesting activity is responsible for providing the hardware and software necessary. All independent installations of IDS/IPS technologies will be configured to also support enterprise sensing and warning management activities. Coordinate the configuration and reporting requirements with the supporting RCERT/TNOSC.
k. Tactical systems.
(1) Tactical systems, including weapon systems and devices integral to weapon or weapon support systems, that include features normally associated with an IS will implement the requirements of this regulation, DODI 8500.2, and Interim DIACAP.
(2) When one or more of the minimum security requirements are impractical or adversely impose a risk to safety of use because of the function and design of the system, the situation will be addressed in the C&A package and considered by the CA and the DAA in determining the CA recommendation and the DAA authorization decision.
(3) Mechanisms must be available to render the IS inoperable in case of imminent capture by hostile forces.
(4) Tactical networks connecting to standard tactical entry point (STEP) sites, garrison, or other fixed networks must be compliant with all security requirements (for example, configurations, approved software, C&A) before connection. They will be protected by access controls and intrusion prevention and intrusion detection systems in the same manner as the garrison network defenses described earlier and will implement a defense-in-depth (DiD) strategy.

Section VIII
Incident and Intrusion Reporting

4-21. Information system incident and intrusion reporting
Incidents may result from accidental or deliberate actions on the part of a user or external influence. Evidence or suspicion of an incident, intrusion, or criminal activity will be treated with care, and the IS maintained without change, pending coordination with IA, ACERT/RCERT, and LE/CI personnel. Commanders and IA personnel will enforce the policies governing unauthorized use of computer resources.
All personnel will report all potential or malicious incidents. Time-sensitive actions are necessary to limit the amount of damage or access. Commanders and IA personnel will report IS incidents to external agencies to assist LE or investigative agencies, and will assist in compiling supporting evidence, impact assessments, associated costs, containment viability, and eradication and reconstruction measures to effectively manage the breach and provide evidentiary material for prosecution.
a. All personnel will protect IS incident reports as a minimum FOUO or to the level for which the system is accredited.
b. IA personnel will validate IS incident reporting procedures annually for all users.
c. All personnel will report IS incidents or events including, but not limited to—
(1) Known or suspected intrusion or access by an unauthorized individual.
(2) Authorized user attempting to circumvent security procedures or elevate access privileges.
(3) Unexplained modifications of files, software, or programs.
(4) Unexplained or erratic IS system responses.
(5) Presence of suspicious files, shortcuts, or programs.
(6) Malicious logic infection (for example, virus, worm, Trojan).
(7) Receipt of suspicious e-mail attachments, files, or links.
(8) Spillage incidents or violations of published BBP procedures.
d. A serious incident report (SIR) will be generated and reported per AR 190-45 under the following conditions—
(1) The incident poses grave danger to the Army's ability to conduct established information operations.
(2) Adverse effects on the Army's image, such as Web page defacements.
(3) Access or compromise of classified, sensitive, or protected information (for example, Soldier identification information (SSN), medical condition or status, doctor-patient, or attorney-client privilege).
(4) Compromise originating from a foreign source.
(5) Compromise of systems that may risk safety, life, or limb; that have the potential for catastrophic effects; or that contain information for which the Army is attributable (for example, publicly accessible waterways navigational safety information from the USACE).
(6) Loss of any IS or media containing protected or classified information.

4-22. Reporting responsibilities
a. An individual who suspects or observes an unusual or obvious incident or occurrence will cease all activities and will notify his or her SA/NA, IASO, or IAM immediately.
b. If the SA/NA, IASO, or IAM is not available, the individual will contact his or her supporting installation IAM and theater RCERT.
c. Any SA/NA, IASO, or IAM who observes or suspects an incident or intrusion, or receives information on an incident, will logically isolate the system, prohibit any additional activities on or to the system, and immediately notify his or her supporting RCERT/TNOSC. Take no additional actions to investigate the incident until directed by the RCERT.
d. Isolation includes physical isolation (unplugging the network connection), restricting any direct physical access, and logical isolation (blocking the IP at security routers or firewalls, both inbound and outbound) from the network to the system.
e. If the RCERT is not available, then the SA or IASO will contact the ACERT directly. In addition, report per local supervisory reporting policies in effect.
f. Each RCERT is responsible for collecting and recording all the required information, coordinating all incident response procedures between LE/CI personnel and the organization, and conducting all intrusion containment, eradication, and verification measures.
g. The IS incident reporting format and additional reporting requirements are available on the ACERT and supporting RCERT NIPRNET/SIPRNET Web sites.

4-23. Compromised information systems guidance
a. When directed by RCERT, all ISs determined to be compromised either through unauthorized access or malicious logic will be rebuilt from original media, patched, and scanned for compliance before reintroduction to the network.
b. IA personnel will scan all similar ISs or devices on the compromised network for configuration compliance or vulnerability identification and immediately correct vulnerable systems. If during the course of this assessment additional ISs are identified as compromised, IA personnel will report these systems as compromised and take no further action.
c. Networks may require re-accreditation, under the DIACAP, following any successful compromise.
d. Specific details and actions for a compromised system are available on the ACERT Web site.

Section IX
Information Assurance Vulnerability Management

4-24. Information assurance vulnerability management reporting process
a. General. The Information Assurance Vulnerability Management (IAVM) Program is the absolute minimum standard for all ISs, not the preferred end state, which is a proactive methodology of maintaining, patching, and updating systems before notification or exploitation. IAVM requires the completion of four distinct phases to ensure compliance. These phases are—
(1) Vulnerability identification, dissemination, and acknowledgement.
(2) Application of measures to affected systems to make them compliant.
(3) Compliance reporting.
(4) Compliance verification.
b. Responsibilities. The CIO/G-6 will be the POC to acknowledge receipt (within five days) of DOD CERT-issued IAVM messages, aggregate compliance and waiver data, and report (within 30 days or as directed) to DOD. Systems and processes for collecting detailed information and for implementing IAVM are the responsibility of every IA person.
c. Army implementation of IAVM. ACERT/A-GNOSC will serve as the Army's focal point for initiation of the IAVM process.
(1) Vulnerability identification, dissemination, and acknowledgement. ACERT/A-GNOSC will issue Army IAVM messages. There are three types of DOD IAVM messages: alert (IAVA), bulletin (IAVB), and Technical Advisory (TA). DOD has restricted the use of these terms to the IAVM program only.
(a) IAVAs will establish mandatory suspense dates for acknowledgement and compliance, corrective actions to negate vulnerabilities, and implementation of additional CND requirements.
(b) IAVBs will establish mandatory suspense dates for acknowledgement yet allow commanders and IA personnel flexibility for implementation of the corrective actions to negate vulnerabilities or implementation of CND requirements. Corrective actions are required to be completed, but not reported.
(c) Information Assurance Technical Tips (IATTs) (Army designation) allow commanders and IA personnel flexibility for acknowledgement and implementation to negate vulnerabilities or implement CND requirements. Acknowledgement and compliance are not reported. Corrective actions are required to be completed but not reported. All personnel responsible for implementing the IAVM process will join the Army IAVM Community Group on AKO to receive messages. Use only official e-mail accounts for this distribution list. IAVM messages are available on the Asset and Vulnerability Tracking Resource (A&VTR) Web site.
(2) IAVM compliance. Commanders, PEOs, PMs, and designated IA officers will disseminate implementation guidance and ensure compliance with IAVM requirements. Commanders or IA personnel will provide contractors, contracted support, or other personnel (as necessary) IAVM information as required to support compliance requirements.

4-25. Compliance reporting
a. The RCIOs, ACOM/ASCC/DRU commanders, PEOs, PMs (or their IA officers), and garrison commanders will ensure that messages are acknowledged, corrective actions are implemented, extensions are requested, compliance is verified, and reporting information is entered into A&VTR. Within 10 calendar days from the date of the IAVM message, SA/NAs will conduct a baseline assessment scan for affected assets and enter identified assets into A&VTR. RCIOs will oversee IAVM compliance reporting for their regions or commands.
b. PEOs and PMs will implement corrective actions for IAVM vulnerabilities that apply to systems under their control. Tactical systems will document compliance methodology in a classified Scorecard and POA&M as part of their C&A package. DAAs will resolve compliance issues where compliance may result in safety or performance issues of a combat system that are operationally unacceptable.
c. If corrective actions required by issued alerts adversely affect operations, IAMs or their designated representatives (for example, affected SAs or IANMs) will conduct a risk assessment for the commander and contact their supporting RCIO, IAPM, or IAM. The RCIO, IAPM, or IAM will contact the CIO/G-6 through ACERT/NETCOM/9th SC (A) to request an extension, not to exceed 180 days, and to develop and implement an acceptable alternative security solution. The alternative security solutions must be coordinated with the ACERT/NETCOM/9th SC (A) before approval by the appropriate DAA. This extension request will include risk mitigation steps taken to reduce or eliminate the IAVM-identified risks until an acceptable solution is implemented. The extension request will include a POA&M (get-well plan) to be considered in the CA risk determination.
d. IAVM compliance reporting will be accomplished through the Army's A&VTR. To meet DOD requirements, register specific system/asset owners and SAs, including applicable electronic addresses, in A&VTR.
e. All IAVM compliance reporting of classified, tactical, or operationally sensitive ISs will be through the A&VTR when located on the SIPRNET.

4-26. Compliance verification
IAVA Compliance Verification Teams (CVTs) will conduct short-notice inspections of randomly selected units to verify compliance with IAVM messages.
a. Membership in the CVT may include a CIO/G-6 team chief; a vulnerability scan technician; U.S. Army Audit Agency representatives, operating under AR 36-2 and AR 36-5; and U.S. Army Criminal Investigation Command representatives operating under AR 195-2.
b. In addition to reporting requirements under AR 36-2, AR 36-5, and AR 195-2, the CVT will report to the inspected unit, the CIO/G-6, and the senior Army leadership. The CIO/G-6 will provide a copy to the appropriate ACOM, ASCC, PEO, and PM CIOs.
c. Findings require a reply by endorsement on the corrective actions taken by the inspected command.

4-27. Operating noncompliant information systems
Commanders, organization directors, and responsible individuals (for example, DAAs, IAPMs, or IAMs) will operate noncompliant assets only with an approved Mitigation Action Plan (MAP) and POA&M. MAPs are temporary measures approved to permit additional time or develop solutions to bring noncompliant assets into compliance. The POA&M identifies the get-well plan, including the schedule. Noncompliant assets without an approved MAP will be disconnected, blocked, or otherwise have the vulnerability mitigated. Organizations and individuals operating noncompliant assets are accepting risks, accountability, and responsibility for internal and external impacts to the network in the event the system is compromised or the vulnerability is exploited.
a. Establish a capability to implement or effectively mitigate the risk posed by critical vulnerabilities as identified in IAVA notifications.
b. MAPs will address specific actions taken to mitigate risks identified in IAVA messages.
c. MAPs are tracked in the A&VTR database. Approvals and denials are granted at the appropriate DAA, DOIM, ACERT/A-GNOSC, and HQDA levels, and in some instances approvals are reserved only for the DCS, G-3/5/7.
d. MAPs focus on systems not able to comply within the period specified in the IAVA notification message. Organizations will first use all their available resources to ensure vulnerable systems are patched before requesting extensions. MAPs will reflect a detailed reason, an operational impact statement, efforts to bring the systems into compliance, and a mitigation strategy.
e. First MAP requests: The DAA for the ICAN may approve MAPs up to 30 days from the compliance date on the IAVA message; the request includes the number of impacted systems not able to comply within the period specified in the notification message. The first MAP begins the day after the original IAVA compliance suspense and is valid for up to 30 days. Approval will be based on a sound MAP that minimizes the risk of compromise to Army networks.
f. Second MAP requests: This MAP will be valid up to 60 days after the end date of the local DAA-approved 30 days and will reflect the number of remaining systems not able to comply after the 30-day approval from the local DAA. The Director, NETCOM Office of Information Assurance and Compliance (OIA&C), approves second MAPs with ACERT/A-GNOSC A2TAC recommendations.
g. Third MAP requests: The CIO/G-6 approves third MAPs. They are reserved for rare cases where circumstances have prevented compliance with an IAVA during the timelines for first or second MAPs, to include mission-required legacy systems. Third MAPs begin the day after the second MAP ends and run for a period directed by the approval authority, for a maximum of 2 years.
h. The A&VTR keeps a history file of all MAP actions. Open MAPs will be reviewed and revalidated within A&VTR.
i. If an IAVA message states "DCS, G-3/5/7 approval only," then the MAP can only be approved by the DCS, G-3/5/7, with recommendations accepted from the local DAA, the NETCOM OIA&C Director, and the CIO/G-6.

Section X
Miscellaneous Provisions

4-28. Vulnerability and asset assessment programs
Several vulnerability assessment programs and services are available throughout the Army. The ACERT/A-GNOSC provides comprehensive support in the areas of CND and IA vulnerability assessments; the U.S. Communications-Electronics Command (CECOM) provides assessments and support in the areas of platforms and IA architecture; the Army Research Laboratory (ARL) may provide support in the areas of survivability and lethality; and CID provides comprehensive crime prevention surveys.
All scans will be coordinated within AOR between the initiating or oversight component and the supportingRCERT/TNOSC^. Prohibit scans across network segments protected by a TNOSC security router or IDS, unless specificallycoordinated and approved b y N E T C 0 M / 9 t h S C ( A )c^. Only trained or product certified personnel will use assessment software.c^. 8efore conducting mapping or scanning ofanetwork,war dialing, or war driving, tbe lAM will notify the DOIMand the servicing RCERT/TNOSC with the purpose, start, type and duration of the scanning activity.^ Personnel will provide a copy of the assessment results to tbe servicing DOIM and RCERT/'TNOSC.^ Installations that donot have the expertise,requisitecertification1evel,orresourcestoscantheirownnetworksmay request an assessment scan through their supporting RCERT/TNOSC.^. Commanders,lApersonnel and network management personnel will treat unannounced or unauthorized scanningof networks as potential intrusions and report when detected. Persons conducting unauthorized scans of Army networksmay be subject to administrative actions or criminal prosecution./i. lAMs and lASOs will establish procedures to scan their networks quarterly to identify assets; application,network, and operating system vulnerabilities; configuration errors; and points of unauthorized access.1. Train all IA participantson approved scanning tools andassessors will sign an acknowledgment of completeunderstanding of the ^^mles of engagement" before conducting any scanning activity. For example—(1) No reading of personal data on networks while conducting a vulnerability assessment(2) No penetration testing.(3) No denial-of-service attacks or tests.(4) No scanning outside local network enclave borders.^. 
UtilizetheDoitYourselfVulnerability Assessment Program (D1TYVAP) to assess configurations,comp1iance,asset identification,unautborizedconnectivity,and security vulnerabilities within local network enclave borders.DITYVAP assessments prohibit the use of data cormption, data manipulation, data denial, examination of data content,denial of service, or ^^hacking" and penetration tools and techniques.^. Information Operations VulnerabilityAssessments Division (I0VAD)81ueTeam and RedTeam Programs.Tbe1^^ 10 CMD 10VAD offers assessment support in the areas of information management and security, in which focusedefforts assess IA through the elements of OPSEC, C00P,1NF0SEC, COMSEC, and CND In addition, 10VAD RedTeams are available to challenge and assess readiness.7 RCERTs andTNOSCsmay conduct nonotice remote scanning across enterprise boundaries, inc1uding,butnotlimited to, 1AVM support, threat or asset identification, or vulnerable systems and services identification, with orwithout coordination with commanders or lApersonnel.Assessment scanning from authorized extemal organizations isnormally conducted from documented and readily identified systems IA personnel will implement verification procedures to validate,but not binder or deny,these scanning activities.RCERTsand TNOSCs may block or deny access tovulnerable systems identified during these scans until corrections have been made.4-29. Portable electronic devicesPortable electronic devices (PEDs) are portable ISs or devices with or without the capability of wireless or LANconnectivity.These include, but are not limited to,cell phones, pagers, personal digital assistants (PDAs)(for example,PalmPilots, PocketPCs),1aptops,memory sticks, thumb drives,andtwo-way radios. Currenttechno1ogies(infrared,radio frequency, voice, video, microwave) allow tbe inclusion of numerous capabilities within a single device anddramatically increases the risks associated with IS and network access. 
Management of these devices will be as follows:
a. PEDs containing wireless communications or connectivity, audio, video, recording, or transmission capabilities will be prohibited from areas where classified information is discussed or electronically processed, unless specifically documented in the C&A package and permitted as an exception by the DAA and all classification, access, and encryption restrictions are enforced for the PED as they would be for a classified device.
b. Implement identification and authentication measures at both the device and network level if connectivity is approved. Voice does not require DOD PKI IA.
c. PEDs will support PKI digital certificates, FIPS, or NSA validated crypto modules or data encryption standards appropriate for the classification level of the information processed.
d. Provide all PED users with security awareness training regarding the physical and information security vulnerabilities and policies of the device.
e. Contractor provided or owned PEDs (if approved) will be stated as mission essential in contracts, will meet all C&A standards, and are subject to inspections and IA requirements as any other IS.
f. Employee owned PEDs are prohibited for use in official communications or connections to Army networks.

4-30. Wireless local area networks
Wireless LANs are extensions of wired networks and will implement IA policies and procedures in accordance with this and other applicable regulations. Non-compliant wireless LANs will have migration plans documented in POA&Ms that ensure the systems will meet the minimum requirements of this policy. The DAA will consider the POA&M in the authorization decision. All Army organizations and activities operating wireless local area networks (WLANs) will comply with the following and as supplemented in BBPs:
a. Pilot and fielded wireless LANs and PEDs with LAN connectivity will meet the same C&A and IA security requirements as wired LAN ISs in accordance with this regulation, AR 380-53, AR 25-1, and DODI 8500.2.
b. DOIMs and IAMs will verify the IA C&A authorization of WLANs that connect to the installation.
c. SOs will configure and install wireless solutions to preclude backdoors.
d. Where wireless LANs are implemented or proposed, thorough analysis, testing, and risk assessments must be done to determine the risks associated with potential information intercepts or monitoring, TEMPEST emanations, and network vulnerability.
e. The use of AV software on wireless-capable ISs and devices is required.
f. Users will be authenticated to the devices authorized for WLAN.
g. DOIMs and IAMs will control, monitor, and protect wireless access gateways with firewalls and IDS devices.
h. Certify all wireless devices procured with Army funds for spectrum supportability through the Military Communications Electronics Board (MCEB) per DODD 5000.1 and AR 5-12. Submit spectrum supportability requests to NETCOM/9th SC (A), ATTN: NETC-EST-V, Suite 1204, 2461 Eisenhower Avenue, Alexandria, VA 22331-0200.
i. DOIMs and IAMs will terminate wireless access points at a boundary device in the DMZ, not in the internal enclave.
j. Certify that WLAN frequencies meet any host nation or Government restrictions.

4-31. Employee-owned information systems
a. Prohibit the use of employee owned information systems (EOISs) for classified or sensitive information.
b. The use of an EOIS for ad-hoc (one time or infrequent) processing of unclassified information is restricted and only permitted with IAM, DAA, or commander approval. Requirements for use and approval are included in AR 25-1.
c. If approved for ad hoc use, EOISs processing official data will comply with all security provisions of this regulation. Computer owners will implement IA countermeasures required by this regulation, specifically AV and IA software and updates, or be prohibited from such activity. All processed data will be removed from the EOIS and personnel will sign compliance statements that the data was removed.
d. Include security requirements and authorized software availability for the use and safeguarding of EOISs in security training.
e. Contractor owned and operated ISs will meet all security requirements for Government-owned hardware and software when operating on the AEI, managing, storing, or processing Army or DOD data or information, or conducting official communications or business.
f. Scan all data processed from an EOIS before inclusion or introduction into the network.
g. Prohibit all remote access for remote management from any EOISs.

4-32. Miscellaneous processing equipment
There is a variety of non-COMSEC approved miscellaneous processing equipment (MPE) involved with classified or sensitive information. This includes copiers, facsimile machines, peripherals, electronic typewriters, word processing systems, and others. Activities must identify those features, parts, or functions used to process information that may retain all or part of the information. Security procedures must prescribe the appropriate safeguards, in accordance with AR 380-5, chapter 7, to prevent unauthorized access to either the information or equipment.
a. Digital copiers, printers, scanners, faxes, and similar IS devices employ embedded hard-drives or other media that may retain residual classified or sensitive information. Include these devices as part of the C&A process.
b. Destroy replaced equipment parts per classification level when removed.
c. Cleared and technically qualified personnel will inspect equipment before equipment removal from protected areas.
d. Peripheral devices (for example, printers, copiers) are subject to IAVM compliance and accreditation.
e. Peripheral devices (for example, printers, copiers) are subject to sanitizing, purging, or disposition restrictions as published.

Chapter 5
Certification and Accreditation

5-1. Certification and accreditation overview
a. This chapter outlines the policies governing the Information Assurance Certification and Accreditation (IA C&A) of ISs, which includes networks, in accordance with DODD 8500.1, DODI 8500.2, P.L. 100-235, OMB Circular A-130, DODD 5220.22, DOD 5220.22-M, DOD 5220.22-M-SUP, and 44 USC 3541 as it pertains to C&A. The goal of IA C&A is to understand the vulnerabilities, determine the risk introduced through operations or connections of the system, and provide appropriate information for the DAA to consider the IA risk in contemplating an approval to operate decision. This section streamlines some of the process to enable those risk determinations to be made consistently, economically and timely.
b. C&A policy is found in this regulation and is supported by the guidelines located in the C&A BBP—
(1) The IA C&A Process BBP.
(2) The IA C&A DAA BBP.
(3) The IA C&A Certification Authority (CA) BBP.
(4) The IA C&A Agents of the Certification Authority (ACA) BBP.
c. All ISs will be certified and accredited in accordance with the Interim DIACAP, documenting compliance, at a minimum, with this regulation and DODI 8500.2 IA controls associated with the specific MAC and confidentiality level. C&A will be performed according to the type accreditation process or by the site-based accreditation process. The IS being accredited may be considered as a single system, system of systems, enclave or network.
d. Army DODIIS systems will be certified and accredited by the DCS, G-2 for PL 1, 2 and 3 in accordance with DCID 6/3.
e. Information systems currently operating under an ATO will not need to redo the accreditation under this new process until such time as the approval expires or is otherwise revoked. This could be the result of 3 years expiration, annual revalidation results, caveat in the ATO, major change in the system, its environment or operations, or as required by the DITSCAP.
f. Tactical IS must address their tactical and garrison configuration and environment (if they intend to operate in garrison on a live network or with live data) during the C&A process.
g. Tactical IS that are subject to deployment must have a "fly away" package of IA information to provide to their network service provider as required. Refer to the C&A BBP for details on the composition of the fly away package.
h. A Government SO will be identified for each IS used by or in support of the Army. The SO is responsible for ensuring the security of the IS as long as it remains in Army inventory, or until transferred (temporarily or permanently) to another Government person or organization and such transfer is appropriately documented and provided as an artifact to the accreditation package.
i. If the SO cannot be identified, then the IS should be deemed unnecessary and removed from Army inventory.
j. When selecting software, priority should be given to software with vendor integrity statements (VISs) that verify that vendor software will not affect the integrity of operating systems when utilized.
k. When selecting software, priority should be given to corporations that develop, manufacture and manage software that are U.S. owned, controlled or influenced.
l. Foreign Ownership, Control, or Influence (FOCI) will be taken into account prior to software development, integration, or purchase and identified in the IS C&A package.
m. Published or established NETCOM/9TH SC (A) CCB and Networthiness certification requirements will be incorporated during the C&A process.

5-2. Certification
a. Authority and responsibility for certification is vested in the Army Federal Information Security Management Act (FISMA) Senior IA Officer (SIAO). The Director OIA&C, NETC-EST-I, was appointed as the FISMA SIAO by the DA CIO/G-6 and will be the single Army CA. The Army CA is the single authority for CA recommendations to all Army DAAs with the exception of IS completing C&A under the DODIIS Program.
b. The Army CA will maintain a list of qualified Government organizations and labs, as trusted Agents of the CA (ACA), to perform the certification activities. The reimbursable ACAs are available to provide SOs with certification capabilities. While the lead ACA will report the results of the certification activities to the CA, only the CA will make the operational IA risk recommendation to the DAA in support of an approval to operate decision.
c. Organizations can request appointment as an ACA by following the process in the IA C&A ACA BBP.
d. It is the responsibility of the SO to plan and budget for IS certification and accreditation efforts.
e. It is the responsibility of the SO to select from the approved ACA list an ACA organization that best supports the program requirements, such as those of cost and schedule.
f. IA certification considers—
(1) The IA posture of the IS itself, that is, the overall reliability and viability of the IS plus acceptability of the implementation and performance of IA mechanisms or safeguards that are inherent in the system itself.
(2) How the system behaves in the larger information environment (for example, does it introduce vulnerabilities to the environment, does it correctly and securely interact with the information environment management and control services).
g. The ACA certification determination is based on actual results of the validation and the risk introduced by noncompliance with stated requirements.
h. Certification represents proof of compliance with this regulation and the DODI 8500.2 IA controls for the appropriate MAC level and the Confidentiality level, at a minimum. Noncompliance will require the creation of a POA&M to bring the IS into compliance.
i. DCS, G-2 is the Service Certifying Organization for the Army DODIIS Program up to PL 4.

5-3. Tailoring
a. The time and labor expended in the C&A process must be proportional to the system mission assurance category (MAC) level, confidentiality level, and number of users.
b. The activities defined in the DIACAP are mandatory. However, implementation of these activities and their output should be tailored as appropriate and integrated with other acquisition activities and documentation where applicable.
c. Compliance with Information Assurance controls is not a tailorable factor. All applicable IA controls must be met either by incorporation, inheritance, waiver or exception.

5-4. Accreditation
a. Accreditation is the official management authorization to operate an IS or network and is based, in part, on the formal certification of the degree to which a system meets a prescribed set of security requirements. The C&A statement affixes security responsibility associated with operational IA risk with the accrediting authority.
b. Accreditation must address each operational environment of the IS for both fixed and deployable configurations. For example, an IS may operate at one confidentiality level in a standalone mode and connect to a global network at another confidentiality level. The C&A must clearly establish procedures for transition between the two environments. Multiple operational environments can result in multiple accreditations for a single IS if different DAAs are involved. However, in the concept of the operations document, a single accreditation that addresses all variations is sufficient. Refer to the C&A BBPs for further guidance and procedures on IS accreditation.
c. Site-based accreditations are appropriate for a single unit or for a LAN with appropriately accredited ISs generally performing similar functions with similar equipment.
d. Type accreditations are appropriate for IS fielded to multiple users under the PEO/direct reporting PM structure to multiple locations. Additionally, type accreditations are appropriate whenever a single office or agency is responsible for fielding an IS to multiple Army users at multiple locations. Type accreditations must indicate whether they are a generic accreditation of centrally fielded IS or an operational accreditation of IS that are procured or obtained locally, and whether a single identifiable system or group of similar systems is covered.

5-5. Recertification and re-accreditation
a. Information systems will be recertified and reaccredited once every three years. Each of the IA Controls assigned to the information system must be revalidated.
The results of validation tests of IA Controls conducted during an annual review may be used in the recertification and re-accreditation of the information system if performed within one year.
b. Not less than annually, the SO will provide a written statement or digitally signed e-mail to the CA that either confirms the effectiveness of assigned IA Controls and their implementation, or recommends changes or improvements to the implementation of assigned IA controls, the assignment of additional IA controls, or changes or improvements to the design of the IS itself.
c. This annual revalidation may be performed as a self assessment. However, a third party independent evaluator must perform the validation every 3rd year, at a minimum.
d. The CA will review the written statement and make a recommendation to the DAA.
e. The DAA will evaluate the recommendation, mission, and information environment indications, and determine a course of action.
f. The DAA may use any favorable annual review to re-authorize processing under the current authorization termination date (ATD) or adjust the ATD for an additional year.
g. The DAA may use any unfavorable annual review to downgrade the accreditation status to:
(1) An IATO and reset ATD to 180 days. The SO will prepare a POA&M executable within the 180 days.
(2) Denial of authorization to operate (DATO). Operation of the IS will be halted until the IS is brought into compliance.
h. The results of the annual reviews will be reported in the Army Portfolio Management Solution, as appropriate, and become part of the IS accreditation package until the IS is decommissioned.

5-6. Accreditation documentation
a. The SO will forward to the receiving ACOM/ASCC, installation, and/or activity DAA and applicable NETCOM RCIO a copy of the accreditation decision, supporting C&A documentation and Certificate of Networthiness (CON). The DAA or representative, together with the command functional user representative and NETCOM RCIO, will review the C&A package and either accept the accreditation decision as is or implement additional measures or procedures to meet the needs of their unique operating environment. Such additional measures will be appended to the system accreditation and provided to the CA for consideration in the operational IA risk recommendation to the gaining DAA for approval in that unique environment.
b. SCI systems will not obtain a CON, but will follow the DCID 6/3 requirements.
c. There are four potential DAA accreditation decisions: ATO, IATO, IATT, and DATO.
d. The ATO decision will specify an authorization termination date (ATD) that is within three years of the authorization date.
e. The IATO decision will specify an ATD that is within 180 days of authorization, limited to no more than one IATO extension. IATO requests must be accompanied by a POA&M, with corrective actions funded and achievable within the authorization period.
f. The IATT decision will specify an ATD that is consistent with the completion of the test. The IATT establishes the agreed upon test duration and any special considerations or constraints.
g. The DATO decision will specify an effective date. The DATO is effective until the DAA believes the IA posture of the IS has been raised to an acceptable level.

5-7. Connection approval process
a. Army organizations requiring network access to the Defense Information Systems Network (DISN) will prepare a CAP package requesting connection approval.
Army organizations requiring network access to the DISN will prepare a CAP for submission to the proper DISA IA office. The DISA IA office will review the CAP package and approve/disapprove the customer for access to the DISN. Approval will be granted with an interim authority to connect (IATC) or authority to connect (ATC) letter.
b. Interconnection of two or more enclaves requires DAA approval through MOUs or Memoranda of Agreement (MOAs) between all DAAs. MOUs/MOAs will address interconnection requirements as outlined in DODI 8500.2.
c. All IS must obtain a CON as approval to connect through the Networthiness process prior to becoming operational within the Army.
d. An enclave's MAC level and security domain remain fixed during interconnection to other enclaves; they do not inflate to match the MAC level or security domain of an interconnecting enclave. Enclaves with higher MAC levels connecting to enclaves with lower MAC levels are responsible for ensuring that the connection does not degrade the availability or integrity of the higher enclave.
e. Interconnections that include or impact the DISN or JWICS are subject to DISN or JWICS connection management requirements and processes.
f. Interconnections that cross security domains are subject to DOD policy and procedures for controlled interfaces and cross domain solutions (CDS) as appropriate.
g. Adjunct networks that rely on the installation network for NIPRNET and SIPRNET services will provide their C&A documentation to the installation DAA for approval prior to connecting to the ICAN.
h. Interconnections that include or impact the JWICS are subject to DIA connection approval process management requirements.

5-8. Designated approving authority
a. The DAA is vested with the authority to formally assume responsibility for operating an IS at an acceptable level of risk. The DAA must weigh the operational need for the system's capabilities, the protection of personal privacy, the protection of the information being processed, and the protection of the information environment, which includes protection of the other missions and business functions reliant on the shared information environment.
b. The DAA may rely on the Army CA operational IA risk recommendation and may authorize operation through the approval of an ATO, IATO, IATT, or deny operations through a DATO. Absent an accreditation decision an IS is considered unaccredited and will not be operated within or in support of the Army.
c. A DAA may downgrade or revoke their initial Accreditation Decision any time risk conditions or concerns so warrant.
d. A DAA will be identified for each information system operating within or on behalf of the DA, to include outsourced business processes supported by private sector IS and outsourced IT (for example, Government Owned, Contractor Operated (GOCO) and Contractor Owned, Contractor Operated (COCO)).
e. DAA responsibility must reside with the organization that maintains funding, management and operational control over the IS while in development, and once deployed, as applicable. In the instance of type accreditation these may be different organizations but will have documented MOUs when the transfer is made.
f. The CIO/G-6 will remain the DAA for Army information systems, with the exception of Army SCI systems.
g. The CIO/G-6 will appoint in writing, or by digitally signed e-mail, all Army DAAs with the exceptions noted below. Existing appointments or delegations will become invalid within 90 days of the approval date of this AR 25-2 C&A update.
Requests for appointment must be submitted to the OIA&C for processing during these three months. DAA responsibility can be assigned to a position in the organization; however, appointments will always be to named individuals. DAA appointment will be for specific named systems or networks. The OIA&C, NETC-EST-IC, will coordinate the DAA appointments on behalf of the CIO/G-6.
h. All DAAs will be at the General Officer, Senior Executive Service or equivalent level regardless of the confidentiality level at which the IS operates. This appointment will not be further delegated or appointed downward except as noted below or as approved by the CIO/G-6.
i. All DAAs will be U.S. citizens, DOD employees, hold a U.S. Government security clearance and formal access approvals commensurate with the level of information processed by the IS under their jurisdiction, or a Secret clearance, whichever is higher.
j. All DAAs will have a level of authority commensurate with accepting in writing the risk of operating DA IS under their purview.
k. All DAAs will complete IA training consistent with the Army Training BBP. A copy of the completion training certificate must be provided to CIO/G-6 through the OIA&C prior to assuming DAA duties.
l. DAA appointment must be requested of the CIO/G-6.
Requests for appointmentsshouldbeconsistent w i t h t h efollowing examples when compliant with 5 8/i through ^, above:(1) The Commanding C e n e r a l ( C G ) , N E T C O M f o r t h e Army enterprise with the authority to appoint tbeDirectorNETCOM ESTA for the Army enterprise.(2) PEOs or direct reporting PM for acquisition systems developed under their charter except as noted below.(3) Principal Army Staff officers for Army Staff unique systems that remain under that office's control andmanagement after deployment, except as noted below.(4) CAR for t h e U S A R , w i t h the authority to appoint t b e U S A R C O S f o r the ARNET.(5) Chief, A R N G for the A R N C and CuardNet X X L with tbe authority to appoint A R N G state D 0 I M / ^ 6 / C I 0 forindividual states, as appropriate.(6) The A A S A asthe A C O M / A S C C c o m m a n d e r f o r P e n t a g o n l T S , t o i n c l u d e l S c o n n e c t e d t o t h e P e n t a g o n C I Tenterprise, associated swing space, and altemate COOP sites through the national capital region (NCR) with theauthority to appoint those GO, SES or equivalent within A A S A purview that are tbe SOs or have life cycleresponsibility for tbe IS, as appropriate.(7) Tbe M E D C O M C o m m a n d e r , w i t b the authority to appoint the M E D C O M RMC/MSC Commanders for medical,dental and veterinary activities and treatment facilities, as appropriate.(8) Tbe USACE CIO for tbe U S A C E W A N and corporate 1S,with the authority to appoint the USACE DivisionCommanders for USACE IS, as applicable.(9) The Commander USAREUR, with the authority to appoint DAAs for tenant and MSC commanders withinUSAREUR, as appropriate.BBi. 
The following C&A DAA positions remain in place:
(1) The CIO/G-6 for Army Special Access Programs.
(2) The CIO/G-6 for classified systems developed by DA staff agencies.
(3) The DCS, G-2 for DODIIS processing SCI at Protection Level 1, 2, and 3.
(4) The Director, National Security Agency for cryptographic solutions used to protect classified information.
(5) The Director, Joint Staff is the DAA for systems that process SIOP-ESI data.
(6) Commander, INSCOM for signals intelligence (SIGINT) systems within the Army.
h. Questions concerning DAA requests or appointments should be directed to the OIA&C at iacora@us.army.mil.
i. DAAs may assign members of their staff to act as their representative during the C&A process. However, signature authority will remain with the individual appointed by the CIO/G-6. Following the chain of command, the DAA may authorize a member of his/her staff to "sign for" him/her, but the signature block and responsibility will remain with the CIO/G-6 appointed individual. A copy of the authorization memo will be submitted to the CIO/G-6 through iacora@us.army.mil.

5-9. Lead agent of the certification authority
a. Lead ACA and ACA organizations will be designated by the CA through the process documented in the IA C&A ACA BBP. The lead ACA will be, at a minimum, a Government employee, a U.S. citizen, at least a LTC, GS-14, or equivalent, and be appropriately cleared (Secret at a minimum). Refer to the ACA BBP for further details.
b. The lead ACA will be responsible for preparing, planning, and conducting the certification testing.
c. The reimbursable ACA will perform the following, at a minimum:
(1) Prepare IA Certification Event Test Plans.
(2) Conduct IA Certification Test Events and ST&E as appropriate.
(3) Prepare IA Certification Test Event Reports.
(4) Prepare IA Scorecards.
(5) Prepare IA Risk Assessments from the IA Certification Test Event findings, at a minimum.
(6) Provide the IA certification results and any supporting documentation to the Army CA for consideration in the IA operational risk recommendation.
d. ACA organizations may perform other functions as negotiated by the SO.
e. The ACA concept does not apply to DODIIS and SIGINT systems. Certification of these systems will be conducted in accordance with DCID 6/3.

5-10. System owner
a. A Government SO will be identified for each IS used by or in support of the Army. The SO is responsible for ensuring the security of the IS as long as it remains in Army inventory, or until it is transferred (temporarily or permanently) to another Government person, organization, or agency, and such transfer is appropriately documented and provided as an artifact to the accreditation package.
b. The SO is responsible for the certification and accreditation of the IS and will provide the C&A package to the Army CA in sufficient time for review and determination of the operational IA risk recommendation in support of the DAA's approval-to-operate decision, prior to operational use or testing on a live network or with live Army data.
c. The SO will ensure that the C&A package and the SSAA are provided to the ACOM/ASCC, RCIO, IAPM, and NETCOM prior to IOT&E and on or before deployment of the system.
d. If the SO cannot be identified, then the IS should be deemed unnecessary and removed from the Army inventory.
e. It is the responsibility of the SO to plan and budget for IS certification efforts.
f. It is the responsibility of the SO to select the ACA that best supports his requirements, such as those of cost and schedule.
g. Not less than annually, all SOs will provide a written statement or digitally signed e-mail to the Army CA that either confirms the effectiveness of assigned IA controls and their implementation, recommends changes or improvements to the implementation of assigned IA controls, or assigns additional IA controls, changes, or improvements to the design of the IS itself.
h. The system owner will forward to the receiving ACOM/ASCC, installation, and activity DAA a copy of the accreditation decision, supporting C&A documentation, and CON.

Chapter 6
Communications Security

6-1. Communications security overview
This chapter provides DA policy for the acquisition, implementation, and life cycle management of cryptographic systems, products, and services used to protect sensitive and classified national security information, systems, and networks. All tactical ISs are considered critical to the direct fulfillment of military or intelligence missions, and therefore are regarded as national security systems. With the exception of those systems approved by NSA and endorsed by HQDA CIO/G-6, at no time will U.S. classified national security information be protected by foreign cryptographic systems or products, or by a product evaluated only by a NIST/NIAP common criteria testing laboratory. Exceptions will be reapproved on an annual basis. Use of any unapproved product to protect classified national security information will be considered a reportable communications security incident under AR 380-40, paragraph 7-3.
a. Protection of classified national security information and national security systems. NSA-approved cryptographic systems will be used to protect classified national security information and national security systems.
(1) Classified national security information will be protected in transmission by NSA-approved cryptography.
(2) Tactical information systems will be protected by NSA-approved cryptography.
(3) Requirements for NSA-approved cryptographic systems will be identified and validated in the AIAP and managed by the Army OIA&C.
(4) NSA cryptographic systems will be centrally acquired and managed by the CSLA.
(5) Only keying material produced by NSA or generated by NSA-approved key generators will be used to key cryptographic systems that protect classified national security information.
(6) All cryptographic systems employed in the tactical force structure that protect classified national security information must be Army Electronic Key Management System/Key Management Infrastructure (EKMS/KMI) compliant. Each approved cryptographic system will have an NSA-approved key management plan.
b. Protection of unclassified sensitive information and systems. NIST/NIAP-approved cryptographic systems will only be used to protect unclassified or sensitive information. NIST/NIAP-approved cryptographic systems or foreign cryptographic systems to be employed in the tactical force structure will be approved on a case-by-case basis by the HQDA CIO/G-6. Company and below units may use NIST/NIAP-approved cryptographic systems for protecting non-mission/non-operational unclassified or sensitive information. Cryptographic systems or products intended for the protection of unclassified or sensitive information or systems will—
(1) Be evaluated by a NIAP/CCEVS-approved Common Criteria Test Lab (CCTL) against a U.S. Government Protection Profile for a medium robustness environment.
(2) Be validated under the NIST Cryptographic Module Validation Program (CMVP) and, at a minimum, meet the level 2 security requirements of Federal Information Processing Standard 140-2 (FIPS 140-2).
(3) Products that exceed the minimum FIPS 140-2 security requirements and common criteria evaluation assurance levels will be given preference when considered for procurement.
(4) NIST-approved cryptographic systems intended to protect unclassified sensitive information will be identified in the AIAP and managed by the Army OIA&C. Funding for these systems will be the responsibility of the organization or activity identifying the requirement.
(5) All NIST/NIAP-approved cryptographic systems will be centrally acquired and managed through CSLA.
(6) Each NIST/NIAP-approved cryptographic system will have a key management plan that describes in detail all activities involved in the handling of cryptographic keying material for the system, including other related security parameters (such as IDs and passwords). The plan will describe accountability over the keying material over the entire life cycle of the system's keys, from generation, storage, distribution, and entry into the system through use, deletion, and final destruction.
c. Data Encryption Standard (DES). All implementations of FIPS 46-2 DES are prohibited within the Army.
d. Advanced Encryption Standard (AES). The implementation of AES in products intended to protect classified national security information and systems must be reviewed and certified by NSA, and approved by HQDA CIO/G-6, prior to their acquisition through CSLA.
e. Public key technology. Systems that employ public key (asymmetric key) technology to protect unclassified sensitive or classified national security information and systems will be approved by the CIO/G-6. Asymmetric keys will be obtained through authorized DOD or Army certificate authorities operating under current DOD-approved Certificate Practice Statements.
f. Approved cryptographic systems and algorithms. The CSLA will maintain a list of approved cryptographic systems and algorithms for use in the Army. All cryptographic products must be procured through CSLA to be valid for use on an Army system. The CSLA-managed Army Approved Product List (APL) is available by calling the CSLA customer support help desk at 1-800-662-2123 or from the CSLA Web page (when established).

6-2. Protected distribution systems
a. A protected distribution system (PDS) will be used only if cost effective and sufficiently controlled to prevent covert penetration and interception.
b. Any IS that includes a PDS to transmit data will not be operationally accredited until the PDS has been approved.

6-3. Approval of protected distribution systems
a. PDSs must be constructed per the criteria contained in NSTISSI No. 7003 and supplemented with the IA procedures in this regulation.
b. Authority to approve a PDS for the clear text transmission of classified information within fixed plant and garrison installations is delegated as follows:
(1) Principal HQDA officials for activities under their staff supervision, direction, or control.
(2) Garrison commanders for their organic activities.
c. Requests for approval of a PDS to transmit TS information must include an evaluation by the appropriate support element. Approval authorities may request technical assistance from INSCOM, 902nd MI Group, Fort Meade, MD 20755, in applying security criteria and processing the approval action for other PDSs.
d. Commanders of battalion and higher echelons may approve circuits for clear text electrical transmission of SECRET and CONFIDENTIAL information in tactical environments. Under combat conditions, commanders may delegate this authority to the company level. Tactical PDSs will not be approved for clear text transmission of TS information.
e. Once a PDS has been approved, no changes in installation, additions, or use may be made until the approval authority has granted approval for such changes.
f. Requests to approve a PDS will be submitted through channels to the installation IAM and DAA. Requests will be classified at least CONFIDENTIAL and will contain the following information:
(1) Full identification and location of the requesting organization.
(2) A statement of the classification of information to be transmitted on the PDS.
(3) A copy of the building floor plan (or a diagram of the field area, as appropriate) designating the following:
(a) Proposed cable route and location of subscriber sets, distribution frames, junction boxes, and any other components associated with the circuit.
(b) Other wiring along the PDS route.
(4) Description of the cable installation (for example, 24 pairs of shielded cable in rigid steel conduit, 6 pairs of shielded cable in floor, or fiber optic cable). Indicate the cable length.
(5) Description and nomenclature of terminal and subscriber equipment to be used.
(6) Clearance of individuals having access to the circuit.
(7) Type of guards (for example, U.S. military, U.S. civilian, foreign civilian) and their security clearance or access authorization status.
(8) Description of access control and surveillance of uncleared personnel who may be allowed entry into the area housing any part of the PDS.
(9) Identification of the power source to be used for the PDS and a statement of the distance to the nearest point where undetected tampering would be possible.
(10) A justification for using the proposed PDS.
(11) A statement concerning any deviations from the established PDS criteria and an evaluation of their security implications.
(12) For PDSs to be used with TS information, a copy of the security evaluation.
(13) The request and approval must become part of the C&A package.

6-4. Radio systems
a. Protect all voice or data military radio systems and COTS-implemented cellular or wireless communications devices and services to the level of sensitivity of the information.
b. Use electronic, auto-manual, or manual crypto-systems to provide the needed security for existing radio systems that do not have embedded or electronic crypto-systems. However, all future procurements must comply with paragraph 6-1, above.
c. Prohibit the use of commercial non-encrypted radio systems in support of command and control functions.
d. Radios used for public safety communications with civil agencies or to communicate on civil aviation channels are excluded from the requirements of paragraphs a and b, above. This exclusion does not apply to communications dealing with aviation combat operations.

6-5. Telecommunication devices
a. All personnel are prohibited from using Government-owned receiving, transmitting, recording, and amplification telecommunications equipment in restricted areas, such as classified work areas, mission essential vulnerable areas (MEVAs), or staging areas before deployment, unless authorized in writing by the commander. The DAA remains the accreditation authority for telecommunication devices in restricted areas.
b. All personnel will use NSA or CIO/G-6 approved secure telephones to discuss classified information telephonically.
c. All personnel are prohibited from possessing or using any privately owned PEDs (for example, cell phones, PDAs) within the confines of classified, restricted, or open storage areas designated by the commander.

Chapter 7
Risk Management

7-1. Risk management process
a. Absolute confidence in the information accessed or available in the Army enterprise is unachievable; as such, the Army and DOD will approach increasing that level of trust through the implementation of a risk management process. With technological advances and capabilities, training, and IA-focused processes to reduce identifiable threats, the level of trust in information and ISs is significantly increased. Establish a risk management process containing the following phases, as a minimum, for all ISs. The process outlined in this chapter is based, in principle, on the risk management doctrine defined by FM 5-19—
(1) Identify threats, such as those posed by default designs or configurations, architecture deficiencies, insider access, and foreign or nation-state interests, ownership, and capabilities.
(2) Assess threats to determine risks.
(a) What information is accessible?
(b) What information will be stored electronically and secured (for example, self-generated, prototype, research and development, electronic forms and documents, calendars, operational logs)?
(c) What will be the stored format of the information and the naming or identification mechanism?
(d) Who has authorization to access and share the information?
(e) What is the potential adverse effect of loss, access, or manipulation of the data?
(f) What are the OPSEC issues of data availability? What are the data owner's requirements and length of required storage or access?
(g) What legacy operating systems or applications are required for stored information? What hardware is required to access and read the storage media?
(h) What are the backup and disaster recovery plans?
(i) What is the plan to migrate legacy data to current application capabilities?
(3) Develop controls and make risk management decisions. How do you protect the information, the access, and the infrastructure?
(4) Implement controls, countermeasures, or solutions. Choose the correct IA tools, controls, and countermeasures to defend against adversarial attacks on ISs and networks.
(5) Implement a capability to monitor for compliance and success.
(6) Supervise, evaluate, review, and refine as necessary.
b. Commanders, directors, combat developers, and materiel developers will integrate the risk management process in the planning, coordination, and development of ISs.
c. Reevaluate and reissue any risk analyses and mitigation plans if there is a successful compromise of an IS or device.
d. Telecommunications systems that do not include the features normally associated with an IS and that handle classified or sensitive information will be implemented and operated in conformance with the risk management process.

7-2. Information operations condition
The IAPM or the command's senior IA person is responsible for coordinating an INFOCON plan. The INFOCON is a Commander's Alert System that establishes a uniform DOD and Army process for posturing and defending against malicious activity targeting DOD ISs and networks. The countermeasures at each level will be available when published, or as directed by the combatant command when the command is an ACOM/ASCC. If there is a conflict between Army and combatant command directed measures, those of the combatant command take precedence. Typical countermeasures include preventative actions and actions taken during an attack, as well as damage control and mitigation actions.

Appendix A
References

Section I
Required Publications

AR 25-1
Army Knowledge Management and Information Technology Management. (Cited in paras 1-5, 2-3, 2-8, 3-3, 4-5, 4-20, 4-29, 4-30.)

AR 380-5
Department of the Army Information Security Program. (Cited in paras 4-5, 4-11, 4-16, 4-17, 4-32.)

AR 380-53
Information Systems Security Monitoring. (Cited in paras 4-5, 4-29.)

DA Pam 25-1-1
Information Technology Support and Services.
(Cited in para 4-5.)

Section II
Related Publications
A related publication is merely a source of additional information. The user does not have to read it to understand this regulation.

AR 5-12
Army Management of the Electromagnetic Spectrum

AR 15-6
Procedures for Investigating Officers and Boards of Officers

AR 25-55
The Department of the Army Freedom of Information Act Program

AR 36-2
Audit Services in the Department of the Army

AR 70-1
Army Acquisition Policy

AR 190-45
Law Enforcement Reporting

AR 190-51
Security of Unclassified Army Property (Sensitive and Nonsensitive)

AR 195-2
Criminal Investigation Activities

AR 215-1
Military Morale, Welfare, and Recreation Programs and Nonappropriated Fund Instrumentalities

AR 340-21
The Army Privacy Program

AR 380-10
Foreign Disclosure and Contacts with Foreign Representatives

AR 380-40
Policy for Safeguarding and Controlling Communications Security (COMSEC) Material

AR 380-49
Industrial Security Program

AR 380-67
The Department of the Army Personnel Security Program

AR 381-10
U.S. Army Intelligence Activities

AR 381-11
Intelligence Support to Capability Development

AR 381-14
Technical Counterintelligence (TCI)

AR 381-20
The Army Counterintelligence Program

AR 525-13
Antiterrorism

AR 530-1
Operations Security (OPSEC)

AR 608-1
Army Community Service Center

DA Pam 25-1-2
Information Technology Contingency Planning

Chairman of the Joint Chiefs of Staff Instruction 6221.01B
Delegation of Authority to Commanders of Combatant Commands to Disclose Classified Military Information to Foreign Governments and International Organizations. (Available at http://www.dtic.mil/cjcs_directives/.)

Chairman of the Joint Chiefs of Staff Manual 6510.01
Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND). (Available at http://www.dtic.mil/cjcs_directives/.)

Common Criteria Evaluation and Validation Scheme (CCEVS)
(http://niap.bahialab.com/cc-scheme/)

Committee on National Security Systems (CNSS) Instruction 4012
National Information Assurance Training Standard for Senior Systems Managers. (Available at http://www.cnss.gov/instructions.html.)

DOD 5200.2-R
Personnel Security Program. (Available at http://www.dtic.mil/whs/directives.)

DOD 5220.22-M
National Industrial Security Program Operating Manual. (Available at http://www.dtic.mil/whs/directives.)

DOD 5220.22-M-Sup
National Industrial Security Program Operating Manual Supplement. (Available at http://www.dtic.mil/whs/directives.)

DOD 5400.7-R
DOD Freedom of Information Act Program. (Available at http://www.dtic.mil/whs/directives.)

DOD 5500.7-R
Joint Ethics Regulation (JER). (Available at http://www.dtic.mil/whs/directives.)

DOD 8510.1-M
Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP) Application Manual. (Available at http://www.dtic.mil/whs/directives.)

DOD Directive 5000.1
The Defense Acquisition System. (Available at http://www.dtic.mil/whs/directives.)

DOD Directive 5220.6
Defense Industrial Personnel Security Clearance Review Program. (Available at http://www.dtic.mil/whs/directives.)

DOD Directive 5220.22
DOD Industrial Security Program. (Available at http://www.dtic.mil/whs/directives.)

DOD Directive 5230.9
Clearance of DOD Information for Public Release. (Available at http://www.dtic.mil/whs/directives.)

DOD Directive 5230.11
Disclosure of Classified Military Information to Foreign Governments and International Organizations. (Available at http://www.dtic.mil/whs/directives.)

DOD Directive 5230.25
Withholding of Unclassified Technical Data From Public Disclosure. (Available at http://www.dtic.mil/whs/directives.)

DOD Directive 8100.2
Use of Commercial Wireless Devices, Services, and Technologies in the Department of Defense (DOD) Global Information Grid (GIG). (Available at http://www.dtic.mil/whs/directives.)

DOD Directive 8500.01E
Information Assurance. (Available at http://www.dtic.mil/whs/directives.)

DOD Directive 8570.01
Information Assurance (IA) Training, Certification, and Workforce Management. (Available at http://www.dtic.mil/whs/directives.)

DOD Instruction 3020.41
Contractor Personnel Authorized to Accompany the U.S. Armed Forces. (Available at http://www.dtic.mil/whs/directives.)

DOD Instruction 5000.2
Operation of the Defense Acquisition System. (Available at http://www.dtic.mil/whs/directives.)

DOD Instruction 5200.40
DOD Information Technology Security Certification and Accreditation Process (DITSCAP). (Available at http://www.dtic.mil/whs/directives.)

DOD Instruction 8100.3
Department of Defense (DOD) Voice Networks. (Available at http://www.dtic.mil/whs/directives.)

DOD Instruction 8110.1
Multinational Information Sharing Networks Implementation. (Available at http://www.dtic.mil/whs/directives.)

DOD Instruction 8500.2
Information Assurance (IA) Implementation. (Available at http://www.dtic.mil/whs/directives.)

DOD Instruction 8551.1
Ports, Protocols, and Services Management (PPSM). (Available at http://www.dtic.mil/whs/directives.)

DOD Instruction 1015.10
Programs for Military Morale, Welfare, and Recreation. (Available at http://www.dtic.mil/whs/directives.)

Director, Central Intelligence Agency Directive 1/7
Security Controls on the Dissemination of Intelligence Information. (Available at http://www.cms.cia.sgov.gov/dci/policy/dcid/default.htm.)

Director, Central Intelligence Agency Directive 5/6
Intelligence Disclosure Policy. (Available at http://www.cms.cia.sgov.gov/dci/policy/dcid/default.htm.)

Defense Intelligence Agency Manual 50-4
Security of Compartmented Computer Operations. (Information may be obtained from the Defense Intelligence Agency, 200 MacDill Blvd, Bldg 6000, Bolling AFB, Washington, DC 20340.)

Director, Central Intelligence Agency Directive 6/3
Protecting Sensitive Compartmented Information within Information Systems. (Available at http://www.cms.cia.sgov.gov/dci/policy/dcid/default.htm.)

DOD Memo, July 06, 2006, Subject: Interim Department of Defense (DOD) Information Assurance (IA) Certification and Accreditation (C&A) Process Guidance
(Available at https://diacap.iaportal.navy.mil.)

Executive Order 12356
National Security Information

Federal Information Security Management Act of 2002
Section 3541 of title 44, United States Code. (Available at http://csrc.nist.gov/policies/HR2458-final.pdf.)

Federal Information Processing Standards Publication 46-2
Data Encryption Standard (DES). (http://www.itl.nist.gov/)

Federal Information Processing Standards Publication 140-2
Security Requirements for Cryptographic Modules. (Available at http://www.itl.nist.gov/.)

Field Manual 3-13
Information Operations: Doctrine, Tactics, Techniques, and Procedures

Field Manual 5-19 (100-14)
Composite Risk Management

Joint DODIIS/Cryptologic SCI Information Systems Security Standards
(Available at http://www.nmic.navy.smil.mil/onihome-s/security/sso_navy/policyNpubs/jdcsisss/jdcissi-r2.html.)

JP 1-02
Joint Publication, Department of Defense Dictionary of Military and Associated Terms

JTA-A
Joint Technical Architecture-Army. (Available via AKO at https://www.us.army.mil.)

NSA/CSS Manual 130-1
Operational Information Systems and Networks Security Policy

NSA/CSS Manual 130-2
Media Declassification and Destruction Manual

NIST Special Publication 800-64 Rev. 1
Security Considerations in the Information Systems Development Life Cycle. (http://csrc.nist.gov/publications/nistpubs/800-64/NIST-SP800-64.pdf)

NSTISSI No. 4012
National Training Standard for Designated Approving Authority (DAA). (Available at http://www.cnss.gov/instructions.html.)

NSTISSI No. 4015
National Training Standard for System Certifiers. (Available at http://www.cnss.gov/instructions.html.)

NSTISSI No. 7003
Protective Distribution Systems. (Available at http://www.cnss.gov/instructions.html.)

NSTISSP No. 11
National Information Assurance Acquisition Policy. (Available at http://www.cnss.gov/instructions.html.)

Office of Management and Budget Circular A-130
Management of Federal Information Resources

Public Law 100-235
Computer Security Act of 1987

Public Law 107-314
Bob Stump National Defense Authorization Act for Fiscal Year 2003

Rule for Courts-Martial 303
Preliminary inquiry

UCMJ
Uniform Code of Military Justice

5 USC 552a
The Privacy Act of 1974

22 USC 2551
Congressional statement of purpose

22 USC 2751, et seq.
Arms Export Control Act

44 USC 3541
Information security; Purposes

RCS CSIM-62
MDEP M54X Report

Section III
Prescribed Forms
This entry has no prescribed forms.

Section IV
Referenced Forms
DA Forms are available on the Army Publishing Directorate Web site (www.apd.army.mil); DD Forms are available from the OSD Web site (http://www.dtic.mil/whs/directives/infomgt/forms/formsprogram.htm).
SFs and OFs are available from the GSA Web site (http://www.gsa.gov).DA1^orm1121^Management Control Evaluation Certification StatementDA1^orm 202^Recommended Changes to Publications and 81ank FormsDD1^orm254DOD Contract Security Classification SpecificationS1^85PQuestionaire For Public Tmst Positions60^anningB^000^^295AR 25-2^24 October 2007S1^^6Questionaire For National Security PositionsS1^32^Certificate Pertaining to Foreign InterestsA^^en^ix 8Sample Acce^tal^ie l^se policy8 - 1 . PurposeThis appendixprovidesasample AUP that may be used byorganizationstoobtainexplicitacknowledgementsfromindividuals on tbeir responsibilities and limitations in using ISs.8-2. Explanation of conventions in sample acceptable use policyFigure8-1,below,illustratesarepresentative AUP.Inthis figure,text appearing initalicized font should be replacedwith the appropriate information pertinent to the specific AUP being executed. Army organizations may tailor theinformation in the sample AUP to meet their specific needs, as appropriate.AR 25-2^24 October 2007i^anningB^000^^29851Acceptable Use Policy1. Understanding. I understand that I have the primary responsibility to safeguard theinformation contained in classified network name (CNN) and/or unclassified network name (UNN)from unauthorized or inadvertent modification, disclosure, destruction, denial of service, and use.2. Accass. Access to this/these network(s) is for official use and authorized purposes and as setforth in DoD 5500.7-R, "Joint Etfiics Regulation" or as further limited by this policy.3. Revocabillty. Access to Army resources is a revocable privilege and is subject to contentmonitoring and security testing.4. Classified information processing. CNN is the primary classified IS for [insert yourorganization). CNN is a US-only system and approved to process (insert classification) collateralinformation as well as; (insert additional caveats or tiandling instructions). 
CNN is not authorizedlo process [insert classification or additional caveats or special tiandling instructions).a. CNN provides communication to external DoD (or specify ottier appropriate U.S,Government) organizations using Ihe SIPRNET. Primarily this is done via electronic mail andinternet networking protocols such as web, ftp, telnet (insert others as appropriate).b. The CNN is authorized for SECRET or lower-level processing In accordance withaccreditation package number, identification, etc.c. The classification boundary between CNN and UNN requires vigilance and attention by allusers. CNN is also a US-only system and not accredited tor transmission of NATO material.d. The ultimate responsibiity for ensuring the protection of information lies with the user. Therelease of TOP SECRET information through the CNN is a security violation and will beinvestigated and handled as a security violation or as a criminal offense.5. Unclassified Infomiation Processing. UNN is the primary unclassified automatedadministration tool for the [insert your c^anization), UNN is a US-only system.a. UNN provides unclassified communication to external DoD and other United StatesGovernment organizations. Primarily this is done via electronk; mail and internet networkingprotocols such as web, ftp, telnet (insert others as appropriate).b. UNN is approved to process UNCLASSIFIED, SENSITIVE information in accordance with(insert local regulation dealing witt) automated information system security managementprogram).c. The UNN and the Internet, as viewed by the [insert your organization), are synonymous. Email and attachments are vulnerable to interception as they traverse the NIPRNET and Internet.Figure B-1. Acceptable use policy62ManningB_00016297AR 25-2 • 24 October 20076. Minimum security rules and requirements. As a CNN and/or UNN system user, thefollowing minimum security rules and requirements apply:a. 
Personnel are not permitted access to CNN and UNN unless in complete compliance with the (insert your organization) personnel security requirement for operating in a TOP SECRET system-high environment.

b. I have completed the user security awareness-training module. I will participate in all training programs as required (inclusive of threat identification, physical security, acceptable use policies, malicious content and logic identification, and non-standard threats such as social engineering) before receiving system access.

c. I will generate, store, and protect passwords or pass-phrases. Passwords will consist of at least 10 characters with 2 each of uppercase and lowercase letters, numbers, and special characters. I am the only authorized user of this account. (I will not use user ID, common names, birthdays, phone numbers, military acronyms, call signs, or dictionary words as passwords or pass-phrases.)

d. I will use only authorized hardware and software. I will not install or use any personally owned hardware, software, shareware, or public domain software.

e. I will use virus-checking procedures before uploading or accessing information from any system, diskette, attachment, or compact disk.

f. I will not attempt to access or process data exceeding the authorized IS classification level.

g. I will not alter, change, configure, or use operating systems or programs, except as specifically authorized.

h. I will not introduce executable code (such as, but not limited to, exe, com, vbs, or .bat files) without authorization, nor will I write malicious code.

i. I will safeguard and mark with the appropriate classification level all information created, copied, stored, or disseminated from the IS and will not disseminate it to anyone without a specific need to know.

j. I will not utilize Army- or DoD-provided ISs for commercial financial gain or illegal activities.

k. Maintenance will be performed by the System Administrator (SA) only.

l. I will use screen locks and log off the workstation when departing the area.

m. I will immediately report any suspicious output, files, shortcuts, or system problems to the (insert your organization) SA and/or IASO and cease all activities on the system.

n. I will address any questions regarding policy, responsibilities, and duties to (insert your organization) SA and/or IASO.

Figure B-1. Acceptable use policy—Continued

AR 25-2 • 24 October 2007

o. I understand that each IS is the property of the Army and is provided to me for official and authorized uses. I further understand that each IS is subject to monitoring for security purposes and to ensure that use is authorized. I understand that I do not have a recognized expectation of privacy in official data on the IS and may have only a limited expectation of privacy in personal data on the IS. I realize that I should not store data on the IS that I do not want others to see.

p. I understand that monitoring of (CNN) (UNN) will be conducted for various purposes and information captured during monitoring may be used for administrative or disciplinary actions or for criminal prosecution. I understand that the following activities define unacceptable uses of an Army IS: (insert specific criteria)
• to show what is not acceptable use
• to show what is acceptable during duty/non-duty hours
• to show what is deemed proprietary or not releasable (key word or data identification)
• to show what is deemed unethical (e.g., spam, profanity, sexual content, gaming)
• to show unauthorized sites (e.g., pornography, streaming video, E-Bay)
• to show unauthorized services (e.g., peer-to-peer, distributed computing)
• to define proper email use and restrictions (e.g., mass mailing, hoaxes, autoforwarding)
• to explain expected results of policy violations (1st, 2nd, 3rd, etc.)
(Note: Activity in any criteria can lead to criminal offenses.)

q. The authority for soliciting a social security number (SSN) is EO 939. The information below will be used to identify you and may be disclosed to law enforcement authorities for investigating or prosecuting violations. Disclosure of information is voluntary; however, failure to disclose information could result in denial of access to (insert your organization) information systems.

r. Acknowledgement. I have read the above requirements regarding use of (insert your organization) access systems. I understand my responsibilities regarding these systems and the information contained in them.

insert name here                 Directorate/Division/Branch
insert date here                 Date
insert name here                 Last Name, First, MI
insert Rank/Grade and SSN here   Rank/Grade/SSN
insert name here                 Signature
insert phone number here         Phone Number

Figure B-1. Acceptable use policy—Continued

B-3. Standard mandatory notice and consent for all DOD information system user agreements
Figure B-2, below, is information from the standard mandatory notice and consent for all DOD information system user agreements.

While Army organizations may customize their AUP to their environments, the following text is mandated by DoD and will be included, amended, or issued as a standalone document as part of the AUP process.

By signing this document, you acknowledge and consent that when you access Department of Defense (DoD) information systems:

• You are accessing a U.S. Government (USG) information system (IS) (which includes any device attached to this information system) that is provided for U.S. Government authorized use only.

• You consent to the following conditions:

o The U.S. Government routinely intercepts and monitors communications on this information system for purposes including, but not limited to, penetration testing, communications security (COMSEC) monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

o At any time, the U.S.
Government may inspect and seize data stored on this information system.

o Communications using, or data stored on, this information system are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any U.S. Government authorized purpose.

o This information system includes security measures (e.g., authentication and access controls) to protect U.S. Government interests - not for your personal benefit or privacy.

o Notwithstanding the above, using an information system does not constitute consent to personnel misconduct, law enforcement, or counterintelligence investigative searching or monitoring of the content of privileged communications or data (including work product) that are related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Under these circumstances, such communications and work product are private and confidential, as further explained below:

- Nothing in this User Agreement shall be interpreted to limit the user's consent to, or in any other way restrict or affect, any U.S. Government actions for purposes of network administration, operation, protection, or defense, or for communications security. This includes all communications and data on an information system, regardless of any applicable privilege or confidentiality.

- Whether any particular communication or data qualifies for the protection of a privilege, or is covered by a duty of confidentiality, is determined in accordance with established legal standards and DoD policy. Users are strongly encouraged to seek personal legal counsel on such matters prior to using an information system if the user intends to rely on the protections of a privilege or confidentiality.

- Users should take reasonable steps to identify such communications or data that the user asserts are protected by any such privilege or confidentiality. However, the user's identification or assertion of a privilege or confidentiality is not sufficient to create such protection where none exists under established legal standards and DoD policy.

Figure B-2. Information system user agreements

- A user's failure to take reasonable steps to identify such communications or data as privileged or confidential does not waive the privilege or confidentiality if such protections otherwise exist under established legal standards and DoD policy. However, in such cases the U.S. Government is authorized to take reasonable actions to identify such communication or data as being subject to a privilege or confidentiality, and such actions do not negate any applicable privilege or confidentiality.

- These conditions preserve the confidentiality of the communication or data, and the legal protections regarding the use and disclosure of privileged information, and thus such communications and data are private and confidential. Further, the U.S. Government shall take all reasonable measures to protect the content of captured/seized privileged communications and data to ensure they are appropriately protected.

o In cases when the user has consented to content searching or monitoring of communications or data for personnel misconduct, law enforcement, or counterintelligence investigative searching (i.e., for all communications and data other than privileged communications or data that are related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants), the U.S. Government may, solely at its discretion and in accordance with DoD policy, elect to apply a privilege or other restriction on the U.S. Government's otherwise-authorized use or disclosure of such information.

o All of the above conditions apply regardless of whether the access or use of an information system includes the display of a Notice and Consent Banner ("banner"). When a banner is used, the banner functions to remind the user of the conditions that are set forth in this User Agreement, regardless of whether the banner describes these conditions in full detail or provides a summary of such conditions, and regardless of whether the banner expressly references this User Agreement.

Figure B-2. Information system user agreements—Continued

Appendix C
Management control evaluation checklist

C-1. Function
The function covered by this checklist is the administration of the Army Information Assurance Program.

C-2. Purpose
The purpose of this checklist is to assist assessable unit managers and management control administrators in evaluating the key management controls outlined below. It is not intended to cover all controls.

C-3. Instructions
Answers must be based on the actual testing of key management controls (for example, document analysis, direct observation, sampling, simulation, or others). Answers that indicate deficiencies must be explained and corrective action indicated in supporting documentation. These key management controls must be formally evaluated at least once every 5 years. Certification that this evaluation has been conducted must be accomplished on DA Form 11-2-R (Management Control Evaluation Certification Statement). DA Form 11-2-R is available on the APD Web site (http://www.apd.army.mil).

C-4. Test questions
a. Have appropriate security personnel (for example, IAPMs, IAMs, or IASOs) been appointed?
b. Have risk analyses and vulnerability assessments been performed for systems that process, access, transmit, or store Army information?
c.
Are the appropriate leadership and management personnel aware of the results of risk analyses and vulnerability assessments?
d. Have vulnerability assessments been performed as per standard Army methodologies as detailed in this regulation to ensure consistency?
e. Have countermeasures been identified based on the results of risk analyses and vulnerability assessments?
f. Are countermeasures in place commensurate with risks and vulnerabilities?
g. Is there a written security plan to document implementation of countermeasures?
h. Has leadership and management formally accepted the risk to process the information involved (or more precisely stated: "Are the systems accredited?")
i. Are countermeasures routinely tested (for example, user IDs, passwords, audit trails)?
j. Are Command and subordinate organizations implementing and reporting compliance to USSTRATCOM, JTF-CNO, DOD and Army directed solutions or actions such as Command Tasking Orders (CTOs), IAVM, or INFOCON measures?
k. Is Information Assurance training being performed?
l. Are ACOM, ASCC, DRU, installations, or activities identifying their IA requirements under the appropriate MDEP?
m. Are security incidents and violations (for example, viruses, unauthorized access, or attempts) reported?
n. Have plans been developed to ensure continued operation in the event of major disruption (for example, fire, natural disaster, bomb threat, or civil disorder)?
o. Has a configuration control board approved each network?
p. Is there an appropriate security official as a member of each board?
q. Is there a current SSAA on file for each IS?

C-5. Supersession
This checklist replaces the checklist previously published in AR 25-2, dated 14 November 2003.

C-6. Comments
Help to make this a better tool for evaluating management controls. Submit comments to: Chief Information Officer/G-6 (CIO/G-6), 107 Army Pentagon, Washington, DC 20310-0107.

Glossary

Section I
Abbreviations

A&VTR  Asset and Vulnerability Tracking Resource
AASA  Administrative Assistant to the Secretary of the Army
ACA  Agent of the Army Certification Authority (C&A)
ACERT  Army Computer Emergency Response Team
ACL  access control list
ACOM  Army Command
ADP (replaced by IT)  automated data processing
AEI  Army Enterprise Infostructure
AES  Advanced Encryption Standard
AGNOSC  Army - Global Network Operations and Security Center
AIAP  Army Information Assurance Program (replacement for AISSP, Army Information Systems Security Program)
AISSP  Army Information Systems Security Program (replaced by AIAP)
AKO  Army Knowledge Online
AMC  Army Materiel Command
APL  approval products list
AR  Army Regulation
ARL  Army Research Laboratory
ARNET  Army Reserve Network
ASA(ALT)  Assistant Secretary of the Army for Acquisition, Logistics, and Technology
ASC  Army Signal Command
ASCC  Army Service Component Command
ATD  Authorization Termination Date
ATS  Automated Tactical System
ATO  approval to operate
AUP  Acceptable Use Policy
AV  Anti Virus
AWRAC  Army Web Risk Assessment Cell
AWS  Automated Weapons System
BBP  Best Business Practices
BPA  black purchase agreement
C4IM  Command, Control, Communications, and Computers for Information Management
CA  Certification Authority
C&A  certification and accreditation
CAC  common access card
CAR  Certification Authority Representative
CBT  computer based training
CCB  Configuration Control Board
CCI  controlled cryptographic item
CCTL  common criteria test lab
CCIU  Computer Crime Investigative Unit
CERT  computer emergency response team
CI  counterintelligence
CID  Criminal Investigation Command
CIO/G-6  Chief Information Officer, G-6
CISO  chief information security officer
CISS  Center for Information
Systems Security
CISSP  Center for Information Systems Security Professional
CIT  common information technology
CM  configuration management
CMB  Configuration Management Board
CMVP  Cryptographic Module Validation Program
CND  computer network defense
CNDC  Computer Network Defense Course
CNDSP  Computer Network Defense Service Provider
CNO  computer network operations
CNSS  Committee on National Security Systems
COCO  contractor owned, contractor operated
COMSEC  communications security
CON  Certificate of Networthiness
CONUS  Continental United States
COR  contracting officer's representative
COS  Chief of staff
COTS  commercial off-the-shelf
COOP  Continuity of Operations Plan
CPP  Cooperative Program Personnel
CRD  compliance reporting database
CSLA  Communications Security Logistics Agency
CT1S  Common Tier 1 System
CT&E  certification, test and evaluation
CVT  Compliance Verification Team
DAA  designated approving authority
DAPE  Deny all, permit by exception
DATO  Denial of Authorization to Operate
DCE  distributed computing environment
DDL  Delegation of Disclosure Authority Letter
DES  data encryption standard
DIACAP  Department of Defense Information Assurance Certification and Accreditation Process
DiD  Defense in Depth
DISA/CISS  Defense Information Systems Agency/Center for Information System Security
DITYVAP  Do-it-Yourself Vulnerability Assessment Program
DMZ  demilitarized zone
DNS  Domain Name Service
DOD  Department of Defense
DODD  Department of Defense Directive
DODI  Department of Defense Instruction
DOIM  Director of Information Management
DRU  direct reporting unit
EIO&M  engineering, implementation, operation, and maintenance
EKMS  Electronic Key Management System
EOIS  Employee Owned Information System
ESEP  Engineer and Scientist Exchange Program
FIPS  Federal Information Processing Standard
FISMA  Federal Information Security Management Act
FLO  foreign liaison officer
FN  foreign national
FOCI  Foreign ownership, control, or influence
FOIA  Freedom of Information Act
FOT&E  follow-on test and evaluation
FPAT  Force Protection Assessment Team
FY  fiscal year
GOTS  government-off-the-shelf
HQDA  Headquarters, Department of the Army
I&A  identification and authentication
IA  Information Assurance
IAM  Information Assurance Manager
IANM  Information Assurance Network Manager
IANO  Information Assurance Network Officer
IAPM  Information Assurance Program Manager
IAP&T  information assurance policy & technology
IASO  Information Assurance Security Officer
IATC  interim authority to connect
IATO  interim approval to operate
IATT  Information Assurance Technical Tip
IATT  Interim Authorization to Test (C&A)
IAVA  Information Assurance Vulnerability Alert
IAVB  Information Assurance Vulnerability Bulletin
IAVM  Information Assurance Vulnerability Management
IC  integrated circuit chip
ICAN  Installation Campus Area Network (installation backbone)
IDS  Intrusion Detection System
IMA  Installation Management Agency
INFOCON  information operations condition
INFOSEC  information security
IO  information operations
IOT&E  initial operational test and evaluation
IOVAD  Information Operations Vulnerability Assessments Division
IP  Internet Protocol
IS  information system
ISS  Information Systems Security (replaced by Information Assurance)
IT  information technology
ITS  information technology services
JIM  Joint Interagency and Multinational
JDCSISSS  Joint DODIIS Cryptologic SCI Information Systems Security Standards
JKMIWG  Joint Key Management Infrastructure Working Group
KMEC  Key Management Executive Committee
KMI  key management infrastructure
KVM/KMM  keyboard, video, mouse/keyboard, monitor, mouse
LAN  local area network
LCERT  Local Computer Emergency Response Team
LE/CI  Law Enforcement/Counter Intelligence Center
LOC  level of confidentiality
MAC  mission assurance category
MAP  Mitigation Action Plan
MCD  mobile computer device
MCEB  Military Communications Electronics Board
MDEP  management decision package
MDID  market driven/industry developed
MEVA  mission essential vulnerable area
MOA  Memorandum of Agreement
MPE  miscellaneous processing equipment
MPEP  Military Personnel Exchange Program
MSC  major subordinate command
MWR  morale, welfare, and recreation
NA  network administrator
NAC  National Agency Check
NACIC  National Agency Check with Credit Check and written inquiries
NACLC  National Agency Check with Local Agency and Credit Checks
NCR  National Capital Region
NDI  non-developmental item
NETCOM  Network Enterprise Technology Command
NETOPS  network operations
NGB  National Guard Bureau
NIAP  National Information Assurance Partnership
NIST  National Institute of Standards and Technology
NM  network manager
NSA  National Security Agency
NSI  National Security Information
NSS  National Security System
OCA  original classification authority
OCONUS  outside continental United States
OIA&C  Office of Information Assurance and Compliance
OPCON  operational control
OPM  Office of Personnel Management
ORD  operation requirements document
OTE  operational training experience
PDA  personal digital assistant
PDS  Protected Distribution System
PED  personal electronic device or portable electronic device
PEG  program evaluation group
PEO  program executive officer
PIN  personal identification number
PL  public law or protection level
PM  program manager or project manager or product manager
POA&M  Plan of Action and Milestones
POLP  principle of least privilege
POM  program objective memorandum
PPS  ports, protocols, and services
RA  remote access
RADIUS  Remote Authentication Dial in User System
RAS  remote access server
RCERT  Regional Computer Emergency Response Team
RCIO  regional chief information officer
RDT&E  research, development, test, and evaluation
ROM  read only memory
SA  Systems Administrator
SABI  secret and below interoperability
SBU  Sensitive but Unclassified (obsolete term)
SCI  sensitive compartmented information
SETI  strategic electronic technology information
SIAO  Senior Information Assurance Officer
SII  Statement of Intelligence Interest or Security/Suitability Investigations Index
SIO  senior intelligence officer
SIOP-ESI  Single Integrated Operational Plan-Extremely Sensitive Information
SIR  serious incident report
SFTP  Secure File Transfer Protocol
SISS  Subcommittee for Information Systems Security
SOP  standard operating procedure
SSAA  System Security Authorization Agreement
SSBI  single-scope background investigation
SSH  secure shell
SSL  secure sockets layer
SSN  social security number
SSP  System Security Policy
STANREP  standardization representative
STEP  standard tactical entry point
STIG  Security Technical Implementation Guide
STS  Subcommittee for Telecommunications Security
SO  System Owner
TA  technical advisory
TAG  technical advisory group
TDY  temporary duty
TEMP  Test and Evaluation Master Plan
TLA  Top Layer Architecture
TNOSC  Theater Network Operations and Security Center
TS  Top Secret
TSACS  Terminal Server Access Control System
TS1MB  Tier 1 System Management Board
TS/SCI  Top Secret/Sensitive Compartmented Information
TTP  tactics, techniques, and procedures
URL  universal resource locator
USAAA  United States Army Audit Agency
USERID  user identification
VAT  vulnerability assessment technician
VIS  vendor integrity statement
VPN  virtual private network
WLAN  wireless local area network
WWW  World Wide Web

Section II
Terms

Access
(IS) Ability and means to communicate with (that is, provide input to or receive output from), or otherwise make use of any information, resource, or component in an IS. (COMSEC) Capability and opportunity to gain knowledge or to alter information or materiel.

Access control
The process of limiting access to the resources of an IS only to authorized users, programs, processes, or other systems.

Accountability
(IS) Property that enables auditing of activities on an IS to be traced to persons who
may then be held responsible for their actions. (COMSEC) Principle that an individual is responsible for safeguarding and controlling of COMSEC equipment, keying materiel, and information entrusted to his or her care and is answerable to proper authority for the loss or misuse of that equipment or information.

Accreditation Decision
An official designation from a DAA, in writing or digitally signed e-mail, made visible to the CIO/G-6, regarding acceptance of the risk associated with operating an IS. Expressed as ATO, IATO, IATT, or DATO.

Adjunct Network
For the purpose of C&A, those networks that depend on the connections to the common transport network and services of the ICAN. These networks rely on the ICAN for NIPRNET and SIPRNET connectivity. These may or may not be under DOIM management and usually connect to the ICAN below the security stack. They may be controlled by a tenant as small as an office or as large as an ACOM/ASCC headquarters.

Approval to operate
Synonymous with accreditation.

Army information
Information originated by or concerning the Army.

Audit
Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.

Audit trail
Chronological record of system activities to enable the construction and examination of the sequence of events or changes in an event (or both). An audit trail may apply to information in an IS, to message routing in a communications system, or to the transfer of COMSEC materiel.

Authenticate
To verify the identity of a user, user device, or other entity, or the integrity of data stored, transmitted, or otherwise exposed to possible unauthorized modification in an automated information system, or to establish the validity of a transmitted message.

Authentication
Security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's identity or eligibility to receive specific categories of information or perform specific actions.

Authorization to operate
Authorization granted by the DAA for an information system to process, store, or transmit information. Authorization is based on acceptability of the solution, the system architecture, implementation of assigned IA Controls, the operational IA risk level, and the mission need.

Auto-manual system
Programmable, hand held COMSEC equipment used to perform encoding and decoding functions.

Automated information system (obsolete term)
(See information system (IS))

Automated Information System Application
For IA purposes, the product or deliverable resulting from an acquisition program. An Automated Information System (AIS) application performs clearly defined functions for which there are readily identifiable security considerations and needs that are addressed as part of the acquisition. An AIS application may be a single software application (for example, integrated consumable items support); multiple software applications that are related to a single mission (for example, payroll or personnel); or a combination of software and hardware performing a specific support function across a range of missions (for example, Global Command and Control System, Defense Messaging System). AIS applications are deployed to enclaves for operations, and often have their operational security needs assumed by the enclave. Note that an AIS application is analogous to a "major application" as defined in OMB A-130; however, this term is not used in order to avoid confusion with the DOD acquisition category of major AIS.

Automated Tactical System
Any IS that is used for communications, operations, or as a weapon during mobilization, deployment, or a tactical exercise. An Automated Tactical System (ATS) may include, but is not limited to, data processors, firmware, hardware, peripherals, software or other interconnected components and devices (for example, radar equipment, global positioning devices, sensors, guidance systems for airborne platforms).

Automated weapon systems
Any weapons system that utilizes a combination of computer hardware and software to perform the functions of an information system (such as collecting, processing, transmitting, and displaying information) in its operation.

Availability
The state when data are in the place needed by the user, at the time the user needs them, and in the form needed by the user.

Category
Restrictive label that has been applied to both classified and unclassified data, thereby increasing the requirement for protection of, and restricting the access to, the data. Examples include sensitive compartmented information, proprietary information, and North Atlantic Treaty Organization information. Individuals are granted access to special category information only after being granted formal access authorization.

Central computer facility
One or more computers with their peripheral and storage units, central processing units, and communications equipment in a single controlled area. Central computer facilities are those areas where computer(s) (other than personal computer(s)) are housed to provide necessary environmental, physical, or other controls.

Certification
Comprehensive evaluation of the technical and non-technical security features of an IS and other safeguards, made in support of the accreditation process, to establish the extent to which a particular design and implementation meets a set of specified security requirements.

Certification and accreditation
The standard DOD approach for identifying information security requirements, providing security solutions, and managing the security of DOD information systems.

Certification authority
Government civilian or military official with the authority and responsibility for formal evaluation of the IA capabilities and services of an information system and risks associated with operation of the information system. The Army CA is the Army FISMA SIAO, the Director OIA&C, NETC-EST-I.

Certification support
Those activities associated with coordination of certification events such as preparation for certification test activities, conduct of the certification event(s), preparation of the Certification Report, preparation of the certification scorecard, and preparation of the ISs risk assessment. Certification support does not include those functions that are the responsibility of the system owner (for example, Information System Security Engineering, primary SSAA development, SSAA consolidation prior to submission for approval, or POA&M development).

Certification event
An evaluation of an information system to determine compliance with IA Controls. This may be in support of an IATO, IATT, ATO, or DATO.

Classified defense information
Official information regarding national security that has been designated top secret, secret, or confidential in accordance with Executive Order 12958, as amended by Executive Orders 12972, 13142, and 13292.

Clearing
Removal of data from an IS, its storage devices, and other peripheral devices with storage capacity in such a way that the data may not be reconstructed using normal system capabilities (for example, through the keyboard). An IS need not be disconnected from any external network before clearing takes place. Clearing enables a product to be reused within the same environment at the same classification and confidentiality level. It does not produce a declassified product by itself, but may be the first step in the declassification process (see Purge).

Commercial Communications Security Endorsement Program
Relationship between the National Security Agency and industry, in which the National Security Agency provides the COMSEC expertise (that is, standards, algorithms, evaluations, and guidance) and industry provides design, development, and production capabilities to produce a type 1 or type 2 product. Products developed under the Commercial COMSEC Endorsement Program may include modules, subsystems, equipment, systems, and ancillary devices.

Compartmented mode
IS security mode of operation wherein each user with direct or indirect access to the system, its peripherals, remote terminals, or remote hosts has all of the following: (1) Valid security clearance for the most restricted information processed in the system; (2) Formal access approval and signed non-disclosure agreements for that information to which a user is to have access; and (3) Valid need-to-know for information to which a user is to have access.

Compromising emanations
Unintentional
signals that, i f intercepted and analyzed,would disclose theinformationtransmitted, received, handled,or otherwise processed by telecommunications or automated information systems equipment (see TEMPEST).ComputerA m a c h i n e capable o f accepting data,performing calculations o n , o r otherwise manipulating that data, storing i t , a n dproducing new data.Computer facilityPhysical resources that include stmctures or parts o f stmctures that support or house computer resources. The physicalarea where tbe equipment is located.Computer securityMeasures and controls that ensure confidentiality,integrity,and availability of the information processed and stored bya computer.ConfidentialityAssurance that information is not disclosed to unauthorized entities or processes.Configuration controlProcess ofcontrolling modifications toatelecommunication or information system hardware,firmware, software, anddocumentation to ensure the system is protected against improper modifications prior to, during, and afier systemimplementation.Configuration managementTbe management of security features and assurances through control o f changes made to hardware, software, firmware,documentation,test,test fixtures,and test documentationofanlStbroughout the development and operationallife ofthe system.Contingency planA p i a n maintained foremergency response,backupoperations, andpost-disaster recovery f o r a n IS, a s a p a r t of itssecurity program,tbat will ensure the availability of critical resources and facilitate the continuity of operations in anemergency situation.Controlled access protectionLog-inprocedures, audit of security-relevant events,and resourceisolation as prescribed for class C 2 i n D O D 5200.28-STDAR 2 5 - 2 ^ 2 4 October 2007l^anningB^0001831883Controlled cryptographic itemSecure telecommunications or information handling equipment, or associated cryptographic component,that is unclassified but g o v e m e d b y a s p e c i a l set of control requirements Such 
items are marked CONTROLLED CRYPTOGRAPHIC I T E M or, where space is limited, controlled cryptographic item.'CountermeasureAn action, device, procedure, technique, or other measure that reduces the vulnerability o f an IS.CryptographicPertaining to, or concemed with, cryptography.Cryptographic equipmentEquipment that embodies a cryptographic logic.CryptographyPrinciples, means, and methods for rendering plain information unintelligible and for restoring encrypted information tointelligible form.Oata securityProtection of data from unauthorized (accidental or intentional) modification, destmction, or disclosure.Oeclassification (of magnetic storage media)A n administrative procedure resulting in a determination that classified information formerly stored on a magneticmedium has been removed or overwritten sufficiently to permit reuse in an unclassified environmenLOefense in OepthThe D i D encompasses a physical and logical stmcture that requires a layeringofsecurity policies, procedures, andtechnology mechanisms to protect network resources, from the desktop to the enterprise, within and across theenterprise architecture. 
Layered defenses include, but are not limited to, the installation o f IA policy protectionscomplementing the use of proxy services, firewalls, IDSs, implementation of D M ^ s , redundant filtering policies acrossdevices, and access control and accountability.OegaussDestroy infonnation contained in magnetic media by subjecting that media to high intensity alternating magnetic fields,following which the magnetic fields slowly decrease.Oemilitarized zoneA s m a l l network or computer host that serves asa^^neutral zone" between an intemal network and the public network.A D M ^ prevents users from obtaining direct access to an intemal server that may have business data on i L A D M ^ isanother approach to the use o f a firewall and can act as a proxy server i f desired.Oenial of serviceResult of any action or series o f actions that prevents any part of a telecommunications or IS from ftinctioning.Oesignated approving authorityA general officer (GO), S E S o r e q u i v a l e n t o f f i c i a l appointedby tbe Army C 1 0 / G ^ with theautbority to formallyassume responsibility for operatingasystem at an acceptable level of risk.This term is synonymous with DesignatedAuthorization Authority and Delegated Accrediting Authority.OATOD A A determination that an information system cannot operate because of an inadequate IA design or failure toimplement assigned IA controls. I f the system is already in use, operation o f the system is baited.Oigital signatureAn electronic rather t h a n a w r i t t e n signature used by someone to authenticate tbe identity o f a s e n d e r o f a m e s s a g e orsigner o f a documenL A digital signature ensures that tbe content of a message or document is unaltered. 
Digital signatures can be time-stamped, cannot be imitated by another person, cannot be easily repudiated, and are transportable.

Discretionary access control (DAC)
Means of restricting access to objects based on the identity and need-to-know of users or groups to which the object belongs. Controls are discretionary in the sense that a subject with certain access permission is capable of passing that permission (directly or indirectly) to any other subject.

Eavesdropping
Method used by an unauthorized individual to obtain sensitive information (for example, passwords, data) from a network. Eavesdropping techniques include wiretapping, eavesdropping by radio, eavesdropping via auxiliary ports on a terminal, and use of software that monitors packets sent over a network. Vulnerable network programs are telnet and ftp.

Embedded cryptography
Cryptography that is engineered into a piece of equipment or system the basic function of which is not cryptographic. Components comprising the cryptographic module are inside the equipment or system and share host-device power and housing. The cryptographic function may be dispersed if identifiable as a separate module within the host.

Embedded (computer) system
Computer system that is an integral part of a larger system or subsystem that performs or controls a function, either in whole or in part.

Emission security
Protection resulting from all measures taken to deny unauthorized persons information of value that might be derived from intercept and analysis of compromising emanations from cryptographic equipment, ISs, and telecommunications systems.

Enclave
The collection of computing environments connected by one or more internal networks, under the control of a single authority and security policy that includes personnel and physical security.
Enclaves always assume the highest mission assurance category and security classification of the AIS applications or outsourced IT-based processes they support, and derive their security needs from those systems. They provide standard IA capabilities such as boundary defense, incident detection and response, and key management, and also deliver common applications such as office automation and electronic mail. Enclaves may be specific to an organization or a mission, and the computing environments may be organized by physical proximity or by function independent of location. Examples of enclaves include local area networks and the applications they host, backbone networks, and data processing centers.

Extranet
A private network that uses Internet protocols and the public telecommunications system to securely share information among selected external users. An Extranet requires the use of firewalls, authentication, encryption, and VPNs that tunnel through the public network.

File server
Computer hardware used to provide storage for user data and software applications, processing capabilities for user workstations, and (normally) connection and control of workstations to a LAN.

Firewall
A system or group of systems that enforces an access control policy between two networks with the properties of allowing only authorized traffic to pass between the networks from inside and outside the controlled environment and is immune to penetration.

Firmware
Software that is permanently stored in a hardware device that allows reading and executing the software, but not writing or modifying it.

Fly Away C&A package (tactical deployed)
Tactical C&A package that supports tactical IS deployment and contains the minimum amount of C&A information necessary for secure operations and allow connection to a network in their deployed location.

Foreign exchange personnel
Military members or civilian officials of a foreign defense establishment (that is, a
DOD equivalent) who are assigned to a DOD component in accordance with the terms of an exchange agreement and who perform duties, prescribed by a position description, for the DOD component.

Foreign liaison officers
A foreign government military or civilian employee who is authorized by his or her government, and is certified by the DOD Component, to act as an official representative of that government in its dealing with the DOD component in connection with programs, projects, or agreements of interest to the governments. Three types of foreign liaison officers include security cooperation, operational, and national representatives.

Foreign national
Non-U.S. citizens who normally reside in the country where employed, though they may not be citizens of that country, and who are employed by the Government or the DA to perform services or duties and are not considered a foreign official or representative of that nation.

Foreign official
Non-U.S.
citizens who may or may not reside in the country where employed, who are employed by their respective nation as an official representative of that nation in their official capacity, and assigned to the Government or DA organizations or commands in the role of liaison, representative, engineer, scientist, or a member of the Military Personnel Exchange Program.

Formal access approval
Documented approval by a data owner to allow access to a particular category of information.

Foreign ownership, control, or influence
A company is considered to be under foreign ownership, control, or influence whenever a foreign interest has the direct or indirect power, either through the ownership of the company's securities, contractual arrangements, or other means, to direct or decide matters affecting the operations of that company. This influence may result in unauthorized access to classified or sensitive information, information systems, or information systems architectures.

Information assurance product
Product or technology whose primary purpose is to provide security services (for example, confidentiality, authentication, integrity, access control, or non-repudiation of data); correct known vulnerabilities; or provide layered defense against various categories of nonauthorized or malicious penetrations of information systems or networks. Examples include such products as data/network encryptors, firewalls, and intrusion detection devices.

Information assurance-enabled product
Product or technology whose primary role is not security, but which provides security services as an associated feature of its intended operating capabilities.
Examples include such products as security-enabled web browsers, screening routers, trusted operating systems, and security-enabled messaging systems.

IAA view
See interconnected accredited IS view.

Information owner
Government, civilian or military official with statutory or operational authority for specified information, and responsibility for establishing the controls for its generation, collection, processing, dissemination and disposal. Information owners will ensure that the DA information entrusted to their care is stored, processed, or transmitted only on information systems that have obtained IA approval to operate in accordance with Army processes for the confidentiality level of their information. This applies to all systems, to include services on COCO systems as well as COCO systems.

Interconnected accredited information system view
If a network consists of previously accredited ISs, a MOA is required between the DAA of each DOD component IS and the DAA responsible for the network. The network DAA must ensure that interface restrictions and limitations are observed for connections between DOD Component ISs. In particular, connections between accredited ISs must be consistent with the mode of operation of each IS as well as the specific sensitivity level or range of sensitivity levels for each IS. If a component that requires an external connection to perform a useful function is accredited, it must comply with any additional interface constraints associated with the particular interface device used for the connection as well as any other restrictions required by the MOA.

Information system
Set of information resources organized for the collection, storage, processing, maintenance, use, sharing, dissemination, disposition, display, or transmission of information.
Includes AIS applications, enclaves, outsourced IT-based processes, and platform IT interconnections.

Information assurance
The protection of systems and information in storage, processing, or transit from unauthorized access or modification; denial of service to unauthorized users; or the provision of service to authorized users. It also includes those measures necessary to detect, document, and counter such threats. Measures that protect and defend information and ISs by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of ISs by incorporating protection, detection, and reaction capabilities. This regulation designates IA as the security discipline that encompasses COMSEC, INFOSEC, and control of compromising emanations (TEMPEST).

Information Assurance Vulnerability Management (IAVM)
IAVM is the DOD program to identify and resolve identified vulnerabilities in operating systems. It requires the completion of four distinct phases to ensure compliance.

Information dissemination management
Activities to support the management of information and data confidentiality, integrity, and availability, including document management, records management, official mail, and work-flow management.

Information technology (IT)
The hardware, firmware, and software used as a part of an information system to perform DOD information functions. This definition includes computers, telecommunications, automated information systems, and automatic data processing equipment. IT includes any assembly of hardware, software, or firmware configured to collect, create, communicate, compute, disseminate, process, store, or control data or information.

Integrity
The degree of protection for data from intentional or unintentional alteration or misuse.

Intelligence information
Information collected and maintained in support of a U.S.
intelligence mission.

Interim authority to operate
Temporary authorization granted by the DAA to operate an information system under the conditions or constraints enumerated in the Accreditation Decision.

Interim authority to test (certification and accreditation)
Temporary authorization granted by the DAA to test an information system in a specified operational information environment (usually a live information environment or with live data) within the timeframe and under the conditions or constraints enumerated in the Accreditation Decision.

Incident
Assessed occurrence having actual or potentially adverse effects on an information system.

Internet
A global collaboration of data networks that are connected to each other, using common protocols (for example, TCP/IP) to provide instant access to an almost indescribable wealth of information from computers around the world.

Intranet
Similar to the Internet, but is accessible only by the organization's employees or others with authorization. Usually internal to a specific organization.

Installation Campus Area Network
The common transport network provided by the responsible DOIM on every Army post/camp/station and the associated common network services, including network management and IA services. The ICAN is often commonly referred to as the backbone network.

Information system security incident (security incident)
Any unexplained event that could result in the loss, corruption, or denial of access to data, as well as any event that cannot be easily dismissed or explained as normal operations of the system.
Also, an occurrence involving classified or sensitive information being processed by an IS where there may be: a deviation from the requirements of the governing security regulations; a suspected or confirmed compromise or unauthorized disclosure of the information; questionable data or information integrity (for example, unauthorized modification); unauthorized modification of data; or unavailable information for a period of time. An attempt to exploit any IS such that the actual or potential adverse effects may involve fraud, waste, or abuse; compromise of information; loss or damage of property or information; or denial of service. Security incidents include penetration of computer systems, exploitation of technical and administrative vulnerabilities, and introduction of computer viruses or other forms of malicious code. (A security incident may also involve a violation of law. If a violation of law is evident or suspected, the incident must also be reported to both security and law enforcement organizations for appropriate action.) (NSTISSD 503)

Information system serious incident
Any event that poses grave danger to the Army's ability to conduct established information operations.

Key
Information (usually a sequence of random or pseudo-random binary digits) used initially to set up and periodically to change the operations performed in crypto-equipment for the purpose of encrypting or decrypting electronic signals, for determining electronic counter-measures patterns (for example, frequency hopping or spread spectrum), or for producing another key.

Key management
Process by which a key is generated, stored, protected, transferred, loaded, used, and destroyed.

Least privilege
Principle that requires that each subject be granted the most restrictive set of privileges needed for the performance of authorized tasks.
This also applies to system privileges that might not be needed to perform their assigned job. NOTE: Application of this principle limits the damage that can result from errors, and accidental and unauthorized use of an IS.

Limited privileged access
Privileged access with limited scope (for example, authority to change user access to data or system resources for a single information system or physically isolated network).

Local area network
A system that allows microcomputers to share information and resources within a limited (local) area.

Machine cryptosystem
Cryptosystem in which the cryptographic processes are performed by crypto-equipment.

Mainframe
A computer system that is characterized by dedicated operators (beyond the system users); high capacity, distinct storage devices; special environmental considerations; and an identifiable computer room or complex.

Malicious code
Software or firmware capable of performing an unauthorized function on an IS.

Malicious software code
Any software code intentionally created or introduced into a computer system for the distinct purpose of causing harm or loss to the computer system, its data, or other resources. Many users equate malicious code with computer viruses, which can lie dormant for long periods of time until the computer system executes the trigger that invokes the virus to execute. Within the last several years, the Internet has been the conduit of various types of computer viruses. However, there are other types of malicious codes used to cause havoc that are not as well publicized as the virus.

Mission assurance category
Reflects the importance of information relative to the achievement of DOD goals and objectives, particularly the warfighters' combat mission.
Mission assurance categories are primarily used to determine the requirements for availability and integrity.

Manual cryptosystem
Cryptosystem in which the cryptographic processes are performed manually without the use of crypto-equipment or auto-manual devices.

Military information environment
The environment contained within the global information environment, consisting of information systems and organizations, friendly and adversary, military and non-military, that support, enable, or significantly influence a specific military operation.

Monitoring
Monitoring is the observation of a resource for the purpose of ascertaining its status or operational state. Monitoring includes the automated, real or near-real time interception of information transiting the system or network by a system or network administrator during the normal course of employment while engaged in activities necessary to keep the system or network operational and to protect the rights and property of the system or network owner. For example, automated monitoring or logging of system or network events (such as by IDS, IPS, firewalls, and so on) can provide valuable information related to malicious content of communications; unauthorized access, exceeding access or misuse of systems or networks; policy and criminal violations, etc. as well as the performance of the systems. Because most electronic communications do not involve "parties to the conversation," monitoring by system and network administrators is not "electronic surveillance" as defined in AR 381-10.

Multilevel (security) mode
IS security mode of operation wherein all the following statements are satisfied concerning the users who have direct or indirect access to the system, its peripherals, remote terminals, or remote hosts:
a.
Some users do not have a valid security clearance for all the information processed in the IS.
b. All users have the proper security clearance and appropriate formal access approval for that information to which they have access.
c. All users have a valid need-to-know only for information to which they have access.

Multilevel security
Concept of processing information with different classifications and categories that simultaneously permits access by users with different security clearances, but prevents users from obtaining access to information for which they lack authorization.

National Security System (44 USC 3542)
Any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency, (i) the function, operation, or use of which involves intelligence activities; involves cryptologic activities related to national security; involves command and control of military forces; involves equipment that is an integral part of a weapon or weapons system; or is critical to the direct fulfillment of military or intelligence missions (excluding a system that is to be used for routine administrative and business applications, for example, payroll, finance, logistics, and personnel management applications); or, (ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.

Need-to-know
Approved access to, or knowledge or possession of, specific information required to carry out official duties.

Net-centricity
A robust globally connected network environment (including infrastructure, systems, processes, and people) in which data is shared timely and seamlessly among users, applications, and platforms.
Net-centricity enables substantially improved military situational awareness and significantly shortened decision making cycles.

Network
Communications medium and all components attached to that medium whose function is the transfer of information. Components may include ISs, packet switches, telecommunications controllers, key distribution centers, and technical control devices.

Network management
Activities to support the management and support of the network, including the engineering of changes to the network, maintenance of the network and its components, and user support activities.

Network operations
The organizations and procedures required to monitor, manage, and control the global information grid. Network operations incorporate network management, IA, and information dissemination management.

Network security
Protection of networks and their services from unauthorized modification, destruction, or disclosure. It provides assurance the network performs its critical functions correctly and there are no harmful side effects.

Networthiness
The networthiness program manages the specific risks associated with the fielding of ISs and supporting efforts, requires formal certification throughout the life cycle of all ISs that use the infostructure, and sustains the health of the Army enterprise infostructure.

Networthiness certification
The Army's networthiness certification process incorporates and demonstrates the completeness of guidance, formats, and practices such as the Army knowledge enterprise; the Command, Control, Communications, Computers and Intelligence Support Plan (C4ISP); the DIACAP; and existing developmental and operational test requirements.

Non-communications emitter
Any device that radiates electromagnetic energy for purposes other than communicating (for example, radar, navigational aids, and laser range finders).
A non-communication emitter may include features normally associated with computers, in which case it must also meet the requirements for an IS.

Non-privileged access
User level access; normal access given to a typical user. Generally, all access to system resources is controlled in a way that does not permit those controls and rules to be changed or bypassed by a typical user.

Operations Security
For the DOD components, OPSEC is a process of identifying critical information and subsequently analyzing friendly actions attendant to defense acquisition, defense activities, military operations, and other activities to:
a. Identify those actions that may be observed by adversary intelligence systems.
b. Determine what indicators hostile intelligence systems may obtain that could be interpreted or pieced together to derive critical information in time to be useful to adversaries.
c. Select and execute measures that eliminate or reduce to an acceptable level the vulnerabilities of friendly actions to adversary exploitation.

Outsourced IT-based Process
For DOD IA purposes, an outsourced IT-based process is a general term used to refer to outsourced business processes supported by private sector information systems, outsourced information technologies, or outsourced information services. An outsourced IT-based process performs clearly defined functions for which there are readily identifiable security considerations and needs that are addressed in both acquisition and operations.

Password
Protected or private character string used to authenticate an identity or to authorize access to data.

Personal computer
See information system.

Personal digital assistant
A hand-held computer that allows an individual to store, access, and organize information. Most PDAs work on either a Windows-based or a Palm operating system.
PDAs can be screen-based or keyboard-based, or both.

Personal electronic devices
A generic title used to describe myriad available small electronic portable devices that employ the wireless application protocol and other "open standards".

Personal e-mail account
An e-mail account acquired by an individual for personal use. Also known as a private account.

Platform information technology interconnection
For DOD IA purposes, platform IT interconnection refers to network access to platform IT. Platform IT interconnection has readily identifiable security considerations and needs that must be addressed in both acquisition and operations. Platform IT refers to computer resources, both hardware and software, that are physically part of, dedicated to, or essential in real time to the mission performance of special purpose systems such as weapons, training simulators, diagnostic test and maintenance equipment, calibration equipment, equipment used in the research and development of weapons systems, medical technologies, transport vehicles, buildings, and utility distribution systems such as water and electric. Examples of platform IT interconnections that impose security considerations include communications interfaces for data exchanges with enclaves for mission planning or execution, remote administration, and remote upgrade or reconfiguration.

Principle of least privilege
The principle of least privilege requires that a user be given no more privilege than necessary to perform a job. Ensuring least privilege requires identifying what the user's job is, determining the minimum set of privileges required to perform that job, and restricting the user to a system or domain with those privileges and nothing more.

Private account
See personal e-mail account.

Privileged access
Authorized access that provides a capability to alter the properties, behavior, or control of the information system or network. It includes, but is not limited to, any of the following types of access:
a.
"Superuser," "root," or equivalent access, such as access to the control functions of the information system or network, administration of user accounts, and so forth.
b. Access to change control parameters (for example, routing tables, path priorities, addresses) of routers, multiplexers, and other key information system or network equipment or software.
c. Ability and authority to control and change program files, and other users' access to data.
d. Direct access (also called unmediated access) to functions at the operating-system level that would permit system controls to be bypassed or changed.
e. Access and authority for installing, configuring, monitoring, or troubleshooting the security monitoring functions of information systems or networks (for example, network or system analyzers; intrusion detection software; firewalls) or in performance of cyber or network defense operations.

Protected Distribution System
Wire-line or fiber-optic telecommunications system that includes terminals and adequate acoustic, electrical, electromagnetic, and physical safeguards to permit its use for the unencrypted transmission of classified information.

Proxy server
A server acting on behalf of another server or servers. Such an arrangement allows a single point of entry or exit into a TCP/IP network. A proxy server may also have built-in software that will allow it to be configured to act as a firewall, cache server, or logging server.

Purge
Removal of data from an IS, its storage devices, or other peripheral devices with storage capacity in such a way that the data may not be reconstructed.
An IS must be disconnected from any external network before a purge (see Clearing).

RADIUS
Remote Authentication Dial-In User Service is a protocol by which users can have access to secure networks through a centrally managed server. RADIUS provides authentication for a variety of services, such as login, dial-back, serial line Internet protocol (SLIP), and point to point protocol (PPP).

Remote access server
A server that is dedicated to handling users that are not on a LAN, but need remote access to it. The remote access server allows users to gain access to files and print services on the LAN from a remote location. For example, a user who dials into a network from home using an analog modem or an ISDN connection will dial into a remote access server. Once the user is authenticated he can access shared drives and printers as if he were physically connected to the office LAN.

Remote terminal
A terminal that is not in the immediate vicinity of the IS it accesses.
This is usually associated with a mainframe environment and the use of a terminal. Terminals usually cannot operate in a stand-alone mode.

Risk
The probability that a particular threat will exploit a particular vulnerability of an information system or telecommunications system.

Risk assessment
Process of analyzing threats to and vulnerabilities of an information system, and determining potential adverse effects that the loss of information or capabilities of a system would have on national security and using the analysis as a basis for identifying appropriate and cost-effective countermeasures.

Security guard/filter
IS trusted subsystem that enforces security policy on the data that passes through it.

Security test and evaluation
Examination and analysis of the safeguards required to protect an IS, as they have been applied in an operational environment, to determine the security posture of the system.

Sensitive but unclassified (obsolete term)
An obsolete term (in DOD) that has been replaced by sensitive information (see below).

Sensitive information
Any information the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under 5 USC 552a (The Privacy Act), but which has not been specifically authorized under criteria established by executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy. Sensitive information includes information in routine DOD payroll, finance, logistics, and personnel management systems. Examples of sensitive information include, but are not limited to, the following categories:
a. FOUO, in accordance with DOD 5400.7-R, is information that may be withheld from mandatory public disclosure under the FOIA.
b.
Unclassified technical data is data related to military or dual-use technology that is subject to approval, licenses, or authorization under the Arms Export Control Act and withheld from public disclosure in accordance with DOD 5230.25.
c. Department of State (DOS) sensitive but unclassified (SBU) is information originating from the DOS that has been determined to be SBU under appropriate DOS information security policies.
d. Foreign government information is information originating from a foreign government that is not classified CONFIDENTIAL or higher but must be protected in accordance with DOD 5200.1-R.
e. Privacy data is personal and private information (for example, individual medical information, home address and telephone number, social security number) as defined in the Privacy Act of 1974.

Social engineering
Term used among crackers and security professionals for cracking techniques that rely on weaknesses in process rather than software; the aim is to trick people into revealing passwords or other information that compromises a target system's security. Classic scams include phoning up a user or helpdesk who has the required information and posing as a field service tech or a fellow employee with an urgent access problem.

SPAM
Unsolicited e-mail received on or from a network, usually the Internet, in the form of bulk mail obtained from e-mail distribution lists or discussion group lists.

Stand-alone information system
An IS that is physically, electronically, and electrically isolated from all other IS.

Survivability
The ability of a computer communication system-based application to satisfy and to continue to satisfy certain critical requirements (for example, specific requirements for security, reliability, real-time responsiveness, and correctness) in the face of adverse conditions.

Susceptibility
Technical characteristics describing inherent limitations of a system that have potential for exploitation by the enemy.

System
The entire computer system, including input/output devices, the supervisor program or
operating system, and other included software.

System administrator
A system administrator (SA), or sysadmin, is a privileged-level individual employed or authorized to maintain and operate a computer system or network. Individual responsible for the installation and maintenance of an information system, providing effective information system utilization, adequate security parameters, and sound implementation of established information assurance policy and procedures. (CNSS Instruction No. 4009)

System audit
The process of auditing and spot checking to verify secure operation of a system and its support software. If irregularities are discovered, the audit process includes analysis and identification of the problem, performing corrective actions necessary to resolve the situation, tracking open items actively, and briefing management on identified security deficiencies.

System of systems
A total network made up of all the interconnected computer systems, communication systems, and network components within some logical boundary. (Replaced with the term enclave.)

System owner
The Government civilian or military person or organization responsible for introduction or operation of an IS used by or in support of the Army. The SO is responsible for ensuring the security of the IS as long as it remains in Army inventory, or until transferred (temporarily or permanently) to another Government person or organization and such transfer is appropriately documented and provided as an artifact to the accreditation package. If a contractor provides IA services to a system with the intent of meeting some or all of the SO's IA responsibilities, the IA responsibilities do not shift from the Government SO to the contractor. The Government SO remains responsible for ensuring that the IA services are provided. The Government SO may charge the IAM with authority to perform many of the SO IA duties, if appropriate; however, final responsibility will remain with the SO.
T h e S O could b e a p r o d u c t , p r o g r a m or projectm a n a g e r , a s t a f f o r command element that purchases or developslTequipment and s y s t e m s , a D O I M o r anyone elsewho is responsible for an IS. The SO is responsible for ensuring that all IA requirements are identified and included inthedesign,acquisition, installation,operation,maintenance,upgrade or replacement o f a l l D A I S inaccordance withD O D D 8500 1T e r m i n a l Access Controller Access SystemA system developed by tbe Defense DataNetwork community to control access to its terminal access controllers.Technical vulnerabilityA hardware, firmware, communication, or software weakness that leaves a computer processing system open forpotential exploitation or damage,either extemallyor internally,resulting in risk for tbe owner,user,or manager of thesystem.TelecommunicationsPreparation, transmission, communication, or related processing of information (writing, images, sounds, or other data)by electrical, electromagnetic, electromechanical, electro-optical, or electronic means.Telecommunications and information systems securityProtection afforded to telecommunications and information systems to prevent exploitation through interception,unauthorized electronic access, or related technical intelligence threats and to ensure authenticity. Note: Such protectionresults from t h e a p p l i c a t i o n o f security measures (includingcryptosecurity, transmission security, emission security,and computer security) to systems that generate, store,process, transfer, orcommunicate information of use to anadversary,andalsoincludesthephysicalprotectionoftecbnicalsecuritymaterielandtechnicalsecurity information.Telecommunications systemAny system that transmits, receives, or otherwise communicates information by electricaL electromagnetic, electromechanicaL or electro-optical means. 
A telecommunications system may include features normally associated withcomputers, in which case it must also meet the requirements for an IS.TelnetA t e r m i n a l emulation program forTCP/IP networks such as t h e l n t e m c L T e l n e t i s a c o m m o n w a y to remotely controlWeb servers.TerminalAny device that is used to access an IS,including^^dumb" terminals (which only functionto access an IS), as well aspersonal computers or other sophisticated ISs that may access other ISs as one of their functions.AR 2 5 - 2 ^ 2 4 October 2007l^anningB^0001^32893ThreatCapabilities,intentions,and attack methods ofadversariestoexploit,damage,or alter informationor an informationsystem. Also, any circumstance or event with the potential to cause harm to information or an information system. Anycircumstance or event with tbe potential to adversely impact an information system through unauthorized access,destmction, disclosure, modification o f data, and/or denial of service (see CNSS Instmction No. 4009).Threat agentA means or method used to exploit a vulnerability in a system, operation, or facility.Threat analystDesignated member of the intelligence staff of the supported command of tbe D A A w h o w i l l provide the interface onbehalf o f D A w i t h the DOD Intelligence C o m m u n i t y , t b e G 2 , N E T C O M / 9 t h S C (A), and tbe intelligence component ofthe 1st Information Operations Command (Land) to document foreign threats regarding computer network attack(CNA) and computer network exploitation (CNE) or other non-technical threats.Time bomb and logic bombMalicious code that can be triggered byaspecific event or recur a t a g i v e n t i m e . A l o g i c bomb is triggered by an eventinstead o f a specific time. 
One example o f a logic bomb would be a set of programmed instmctions to search acompany'spayroll files,checking for the presence of tbe programmer's name.Oncetbe programmer ceases employment, the logic bomb is triggered to cause damage to data or software.TrapdoorA bidden software program (potentially embedded into the hardware or firmware) mechanism that causes systemprotection mechanisms to bebypassed.The code canbe hidden i n t h e l o g o n sequence where users are asked toinputtheir user IDs and thenpasswords. I n n o r m a l circumstances, tbe inputpasswords arecbeckedagainst stored valuescorresponding to theuser I D ; i f thepasswordsare valid, logonproceeds. The trapdoor sofiware would check f o r aspecific user ID, and whenever that user ID is checked, it bypasses the password checking routine and authorizesimmediate logon. Trapdoors are sometimes built into development systems by programmers to avoid the lengthy logonprocedure.T r i v i a l file transfer protocolA simple form o f t h e File transfer protocol (FTP). TFTPuses the userdatagramprotocol (UDP), a connection-lessprotocol that, l i k e T C P , m n s on top of IP networks.It is used primarily for broadcasting messages overanetwork andprovides no security features. It is often used by servers to boot diskless workstations, X-terminals, and routers.T r o j a n horseAnon-replicating program that appears to be legitimate, but is designed to have destmctive effects on data residing intbe computerontowhich the program was1oaded.Theseprogramscanperformvariousmaliciousactivities,suchasdeleting files, changing system settings, allowing unauthorized remote access, and mnning malicious programs resulting in destmction or manipulation of data. 
Trojan horses require user intervention to propagate and install such asopening an e mail attachmenLUserPerson or process accessing an IS by direct connections (for example, via terminals) or indirect connections.User 10Unique symbol or character string that is used by an IS to uniquely identify a specific user.V i r t u a l private networkA p r i v a t e data network that makes use of the public telecommunication infrastmcture, maintaining privacy through tbeuse o f a tunneling protocol and security procedures,^VirusA s m a l l program written to alter the wayacomputer operates without tbe permission or knowledge o f the u s e r . A v i m sis self replicating with a potentially malicious program segment that attaches or injects itself into an applicationprogramor other executablesystemcomponentandleaves no extemalsigns of itspresence,andusual1y programmedto damage system programs, delete files, create a denial of service, or reformat the hard disk.94l^anningB^000^^329AR 2 5 - 2 ^ 2 4 October 2007VulnerabilityWeakness in an infonnation system, cryptographic system, or components o f either (for example, system securityprocedures, hardware design, intemal controls) that could be exploited.Vulnerability assessmentSystematic examination of an IS or product to determine the adequacy of security measures, identify securitydeficiencies, provide data from which to predict theeffectiveness of proposed security measures, and confirm theadequacy o f such measures after implementation.e a r n i n g bannerA waming banner is verbiage thatauser sees or is referred to at the point of a c c e s s t o a s y s t e m w h i c h sets the rightexpectations for users regarding acceptable use of a computer system and its resources, data, and network accesscapabilities. 
These expectations include noticeofauthorized m o n i t o r i n g o f users' activities while they are using thesystem, and wamings of legal sanctions should the authorized monitoring reveal evidence of illegal activities o r aviolation of security policy.^ i d e area networkA W A N coversawider geographic area t h a n a L A N , i s an integrated voice or data network, ofien uses common carrierl i n e s f o r t h e interconnectionofitsLANs,andconsistsofnodesconnectedoverpoint-to-pointchannels. Commercialexamples are Intemet and public data. Govemment examples are NIPRNET and SIPRNET.^orld^ide^ebThe universeof accessible information availableon many computers spreadthrougb tbe worldandattacbed to thatgigantic computer network called t h e l n t e m c L T h e W e b e n c o m p a s s e s a b o d y of sofiware,aset o f p r o t o c o l s , a n d a s e tofdefined conventionsfor accessing tbeinformation ontbe W e b . T h e W e b useshypertext and multimediatechniquesto make theWeb easy for anyone to roam,browse, and contribute t o . T h e W e b makes publishing information (that is,making that information public)as easy as creatinga^^homepage" and posting it onaserver somewhere in tbe IntemeLAlso called W E 8 or W3^ormA n independent program that replicatesitself by copying from one s y s t e m t o a n o t h e r , u s u a l l y o v e r a n e t w o r k withoutthe use o f a host file. 
Like a vims, a worm may damage data directly, or it may degrade system performance byconsuming system resources or even shutting a network down, but, in contrast to vimses, does not require thespreading of an infected host file.Usually tbe worm will releaseadocument that already has the^^worm"macro insidethe documenLS e c t i o n IIISpecial Abbreviations and TermsThis section contains no entries.AR 2 5 - 2 ^ 2 4 October 2007l^anningB^000^^33095ManningB_00016331UNCLASSIFIEDPIN 081066-000USAPDELECTRONIC PUBLISHING SYSTEMOneCol FORMATTER WIN32 Version 253PIN:DATE:TIME:PAGES SET:081066-00003-24-0911:21:0599DATA FILE:DOCUMENT:C:\wincomp\r25-2.filAR 25-2SECURITY:UNCLASSIFIEDDOC STATUS: REVISIONManningB_00016332

