The following document is the third revised version of the DoD Cryptologic Sensitive Compartmented Information (SCI) Information Systems Security Standards published in April 2003. A fourth revision from January 1, 2006 has also been released, though it is not yet publicly available. The second revision published March 31, 2001 was originally made available by the Federation of American Scientists.

(U) The policy of the U.S. Government is that all classified information must be appropriately safeguarded to assure the confidentiality, integrity, and availability of that information. This document provides procedural guidance for the protection, use, management, and dissemination of Sensitive Compartmented Information (SCI), and is applicable to the Department of Defense (DoD) to include DoD components and Government contractors who process SCI. The combination of security safeguards and procedures used for Information Systems (IS) shall assure compliance with DoD 5105.21-M-1, Director, Central Intelligence Directive 6/3 (DCID 6/3), National Security Agency/Central Security Service (NSA/CSS) Manual 130-1 and the Defense Intelligence Agency Manual (DIAM 50-4). The Joint DoDIIS/Cryptologic SCI Information Systems Security Standards (JDCSISSS) is a technical supplement to both the NSA/CSS Manual 130-1 and DIAM 50-4.

(U) The prime purpose of this document is to provide IS security implementation guidance relative to the management of SCI and the automated infrastructure used to process this information at the organizational level.

…

1.1 (U) BACKGROUND

The DIA DoDIIS Information Assurance (IA) Program includes the Air Force, Army, Navy, and National Imagery and Mapping Agency (NIMA) Service Certification Organizations (SCO). The NSA/CSS Cryptologic Information Assurance (IA) Program includes the Air Force, Army, and Navy Service Cryptologic Elements (SCE). Together, they identified a requirement to standardize security procedures used in the management of Sensitive Compartmented Information (SCI) systems and the information they process. SCI is defined as information and materials requiring special community controls indicating restricted handling within present and future community intelligence collection programs and their end products. These special community controls are formal systems of restricted access established to protect the sensitive aspects of sources, methods, and analytical procedures of foreign intelligence programs. It was also determined that standardizing procedural guidelines would significantly improve support to the increasingly interconnected customer base of the Joint Services. This document describes the protection philosophy and functional procedures essential in the implementation of an effective IA Program. Further, it provides implementation guidelines and procedures applicable to the protection, use, management, and dissemination of SCI; assigns responsibilities; and establishes procedures for the development, management, and operations of systems and networks used for processing SCI. The primary purpose of this supplemental guidance is to address day-to-day IS security (ISS) issues and provide support to those responsible for managing SCI and the automated infrastructure used to process this information at the organizational level.

…

1.5.12 (U) General Users

General users must hold U.S. Government security clearance/access approvals commensurate with the highest level of information processed by the system. The responsibilities of a general user shall include:

· Use the system for official use only. Appropriate personal use of IS must be approved first by the individual’s supervisor.

· Participate, at a minimum, in annual computer security awareness briefings/training.

· Provide appropriate caveat and safeguard statements on all IS files, output products, and storage media.

· Protect ISs and IS peripherals located in his/her respective areas.

· Secure unattended ISs by invoking screen lock or logging off.

· Safeguard and report any unexpected or unrecognizable output products to the ISSO/SA as appropriate. This includes both display and printed products.

· Safeguard and report the receipt of any media received through any channel to the appropriate ISSO/SA for subsequent virus inspection and inclusion into the media control procedures.

· Report all security incidents to the ISSO/SA or ISSM.

· Protect passwords at the same level as the highest classification of material which the system is accredited to process.

· Protect passwords by never writing them down, and destroy the original password documentation following initial review.

· Protect passwords from inadvertent disclosure.

· Protect all files containing classified data.

· Notify the system ISSO/SA if he or she suspects that a possible IS and/or network security problem exists.

· Ensure access doors, covers, plates and TEMPEST seals are properly installed on ISs to eliminate security hazards.

· Protect their authenticators and report any compromise or suspected compromise of an authenticator to the appropriate ISSO.

1.5.13 (U) Prohibited Activities

In general, there are activities that all users shall not perform on Government systems:

· Use ISs for personal gain, personal profit or illegal activities.

· Release, disclose, or alter information without the consent of the data owner or the disclosure officer’s approval. Violations may result in prosecution of military members under the Uniform Code of Military Justice, Article 92 or appropriate disciplinary action for civilian employees.

· Attempt to strain or test security mechanisms, or perform network line monitoring or keystroke monitoring without proper authorization.

· Attempt to bypass or circumvent computer security features or mechanisms.

· Modify the system equipment or software or use it in any manner other than its intended purpose.

· Relocate or change IS equipment or the network connectivity of IS equipment without proper security authorization.

· Introduce malicious code into any IS or network. Users will comply with rules and regulations for scanning all magnetic media that he/she introduces, mails, or transports into or out of the organization.

…

21.5.4.2.1 (U) Shipping Instructions

Below are the shipping instructions for destruction of magnetic media, including cassette tapes, videotapes, hard disks, optical disks (including CDs) and magnetic tapes on reels. Paperwork required is either a DD1149 (shipping document) or 1295A (transmittal of classified material document). POC is at NSA LL24, (301) 688-6136 DSN 644-6136 (NSTS 977-7248).

· CLASSIFIED UP TO AND INCLUDING SECRET, send by regular mail to:

National Security Agency

9800 Savage Road

Fort George Meade, MD 20755-6875

SAB-3, Suite 6875

Attn: CMC, Degaussing

· CLASSIFIED HIGHER THAN COLLATERAL SECRET, send via Defense Courier Service (DCS) to:

449276-BA21

DIRNSA, FT MEADE

Degaussing

· CLASSIFIED EQUIPMENT UP TO AND INCLUDING SECRET, send by regular mail:

National Security Agency

9800 Savage Road

Fort George Meade, MD 20755-6632

SAB-4, Suite 6632

Attn: LL23 Cleansweep

· CLASSIFIED EQUIPMENT HIGHER THAN COLLATERAL SECRET, send via Defense Courier Service (DCS) to:

449276-BA21

DIRNSA, FT MEADE

CLEANSWEEP

Note: Phone POC for equipment questions, (301) 688-6776 or (NSTS) 977-7183.