ML20050A637
| ML20050A637 | |
| Person / Time | |
|---|---|
| Issue date: | 01/10/1980 |
| From: | Brady R NRC OFFICE OF ADMINISTRATION (ADM) |
| To: | |
| Shared Package | |
| ML20050A634 | List: |
| References | |
| FOIA-81-409 NUDOCS 8204010523 | |
Text
Form NRC 33 (1-75)
Published in advance of incorporation in Appendix 2101, XV: I NRC Manual. File and retain in Manual until superseded.
UNITED STATES NUCLEAR REGULATORY COMMISSION
NRC MANUAL BULLETIN
NO. 2101-15
DATE: January 10, 1980
SUBJECT: AUTOMATED INFORMATION SYSTEMS SECURITY PROGRAM FOR SENSITIVE DATA
1. Introduction
Office of Management and Budget (OMB) Circular No. A-71, Transmittal Memorandum No. 1, "Security of Federal Automated Information Systems," dated July 27, 1978, promulgated policy and responsibilities for the development and implementation of computer security programs by departments and agencies.
The General Accounting Office (GAO) issued a report entitled "Automated Systems Security--Federal Agencies Should Strengthen Safeguards Over Personal and Other Sensitive Data," dated January 23, 1979, which indicated that security procedures for systems processing personal and other sensitive data generally were inadequate.
The following procedures will be used by the NRC to minimize the risks of disclosure of personal, proprietary, or other unclassified sensitive data (hereinafter referred to as sensitive data) processed by NRC or NRC contractor automated information systems. These risks lie in improper use, alteration, manipulation or unauthorized disclosure as a result of criminal, fraudulent, other improper actions, inadequate administrative practices, or misuse of computer or communications technology.
It must be noted that while much of this Bulletin relates to the automated systems aspects of security, a program to provide security for data must provide adequate safeguards for all forms in which data resides in a system, from its collection to its dissemination to the user.
This means that the security program must provide for the security of source documents, on line and off line computer media storage, the data during processing and transmission, and the data output on user media.
Guidance on the non-computer aspects of automated system security has been incorporated by reference in paragraph 12 below.
8204010523 811204 PDR FOIA SHEARER 81-409 PDR
2. Definitions
The following definitions apply to the protection of certain unclassified sensitive data processing by automated information systems:
a. "Administrative Security" - the management constraints, operational procedures, and supplemental controls established to provide an acceptable level of protection for sensitive data;
b. "Automated System Security Proposal" - a proposal which outlines an automated system and the security measures to protect sensitive data processed or produced by the system. Once approved, the proposal becomes a plan;
c. "Automated Systems Security Integrity Study" - an analysis, test, and evaluation of the automated systems security measures including its administrative, automated, and physical security measures to determine the adequacy of its measures to protect sensitive data;
d. "Automated Information Systems" - also referred to herein as "automated systems," include all computer, word processor, micrographic, optical, digital, or video systems; all related equipment; all related operating system software (including utility software) and application software used to process, store, or retrieve data; as well as all related input and output;
e. "Automated Decision Making Systems" - are computer applications which issue checks, requisition supplies, or perform similar functions based on programmed criteria, with little human intervention;
f. "Contingency Plans" - are plans for emergency response, back-up operations and post-disaster recovery;
g. "Physical Security":
(1) the use of locks, guards, badges, and similar administrative measures to control access to the computer and related equipment;
(2) the measures required for the protection of the structures housing the computer, related equipment, and their contents from damage by accident, intentional action, fire, environmental hazards, etc.
h. "Risk Analysis" - is an analysis of system assets and vulnerabilities to establish estimated expected losses based on the occurrence of adverse events (e.g., fire, power loss or theft) and the probability of the occurrence of these events;
i. "Sensitive Application" - is an automated systems application which requires a degree of protection because it processes sensitive data;
j. "Sensitive Data" - is certain unclassified information which requires a degree of protection due to the risk and magnitude of loss or harm which could result from inadvertent or deliberate disclosure, alteration, or destruction of the data (e.g., personal data, proprietary data, or data that has a high potential for financial loss).
For NRC purposes, data will be considered sensitive if it falls within the criteria of 10 CFR Part 9, subpart A, paragraph 9.5, subparagraphs (2) - (9).
Further detail concerning certain subparagraphs may be found in 10 CFR Part 2, subpart G, paragraph 2.790 and 10 CFR Part 9, subpart B, paragraph 9.51, subparagraph (c).
3. Policy
It is NRC policy that:
a. an adequate level of security be afforded to NRC sensitive data whether processed in-house, in another government agency's facilities, or in commercial facilities under contract to NRC or another government agency;
b. security measures, including physical and administrative measures, be established to adequately protect sensitive data not subject to national security regulations.
4. Scope
This Bulletin is applicable to those automated systems operated by NRC and NRC contractors, regardless of location, or for NRC by other government agencies or their contractors that process sensitive data.
NRC Manual Chapter and Appendix 2101, Part XII, "Security of Automatic Data Processing Systems," cover the security program involving automatic data processing (ADP) systems processing classified data.
5. Responsibilities and Authorities
a. The Director, Division of Security
(1) develops and implements the overall NRC automated systems security program which involves administrative and physical security measures for the protection of sensitive data;
(2) assures that appropriate security requirements are included in contracts, interagency agreements, and in-house systems designs for sensitive systems and applications;
(3) approves automated systems security proposals for systems processing sensitive data prior to the programming of such systems or prior to others making substantial changes affecting the security of an existing automated system processing sensitive data;
(4) assures that automated systems security integrity studies for systems processing sensitive data are conducted and evaluated, assists in the development and conduct of such studies, and assures that any security deficiencies are rectified;
(5) conducts annual security surveys to certify or recertify the adequacy of any automated system processing sensitive data;
(6) assures that all individuals who participate in the design, operation or maintenance of NRC automated systems processing sensitive data or who have access to data in automated systems processing sensitive data possess appropriate authorization;
(7) assures that necessary action is taken concerning security deficiencies involving automated systems processing sensitive data;
(8) participates in automated system design reviews, application system design reviews and application systems tests, prior to NRC use of the systems operationally, when the system processes sensitive data, to verify that the planned operational requirements meet security requirements;
(9) certifies, upon completion of the systems tests, that the system meets the documented and approved system security specifications, applicable policies, regulations and standards, and that the results of the tests demonstrate that the security provisions are adequate for processing sensitive data;
(10) assures that appropriate contingency plans are developed and maintained for each automated system processing sensitive data;
(11) assures that NRC and NRC contractor automated systems processing sensitive data comply with and follow security policies and procedures as established herein;
(12) assures that other government agencies or their contractors processing sensitive data on behalf of NRC have an automated system security program for the systems which provides a level of protection which is at least equal to that required by NRC approved security requirements prior to programming.
b. The Director, Division of Automatic Data Processing Support
(1) prepares or assists in the preparation of automated systems security proposals for each automated system processing sensitive data operated by NRC, NRC contractors, or other government agencies or their contractors regardless of location on behalf of the NRC. Develops specific technical (hardware and software) protective measures for proposed systems, performs risk analyses for such systems and prepares the automated systems security proposal in coordination with the user office, other government agency, or contractor, as applicable.
(2) prepares or assists in the preparation of automated systems integrity studies for systems processing sensitive data and assures that they are forwarded to the Division of Security for approval;
(3) prepares or assists in the preparation of solicitations and the resultant contracts for sensitive systems to assure that the solicitations and contracts require the contractor to provide all information necessary to prepare an automated systems security proposal or, if appropriate, to provide the proposal itself;
(4) assists users in the implementation of technical protective measures specified in the automated systems security plan.
c. The Director, Division of Contracts
(1) assures that requests for proposal actions for the acquisition (purchase or lease) of automated systems contain a statement that the system will/will not process or produce sensitive data;
(2) assures that solicitations for systems designated as sensitive systems and the resultant contract contain a statement which indicates that the system being acquired will process or produce sensitive data and that such solicitations also contain a requirement for the submission of those elements of the automated systems security proposal specified by the Director, Division of Automatic Data Processing Support, as necessary for him to fulfill his responsibilities;
(3) forwards to the Division of Security for review and action procurement documents for automated systems which involve sensitive or classified data.
d. The Director, Management Development and Training Staff
(1) provides for appropriate security training programs, such as automated system security, risk analysis and contingency planning, for NRC personnel working on NRC automated systems processing sensitive data, as identified and requested by office directors;
(2) reviews and provides the Director, Division of Security, on a request basis, copies of security training plans received from the offices for personnel associated with the security of systems within the scope of this Bulletin.
e. The Director, Division of Facilities and Operations Support
Reviews and concurs in those aspects of security proposals which involve physical construction, building modification, provision of utilities, telecommunications, etc., to ensure the proposal is feasible and practical (e.g., floor loading constraints are not violated).
f. The Director, Office of Inspector and Auditor
(1) receives reports of all alleged or suspected incidents of fraud, misconduct, unauthorized disclosure of sensitive data, misuse of automated systems, etc.;
(2) investigates incidents described in (1) above and, when appropriate, refers alleged or suspected criminal violations to the Department of Justice or other law enforcement agencies.
g. The Directors, Headquarters Offices and Divisions, and Directors of Regional Offices having systems processing sensitive data
(1) assure that such automated systems comply with and follow specified security policies and procedures;
(2) assure that the provisions of NRC Manual Chapter 0204, "Privacy Act," are complied with if the information contained in the system is subject to the Privacy Act of 1974;
(3) submit, in coordination with the Director, Division of Automatic Data Processing Support, for approval an automated system security proposal to the Director, Division of Security, for each automated system processing sensitive data presently in operation or planned;
(4) conduct, in coordination with the Director, Division of Automatic Data Processing Support, automated systems integrity studies for systems processing sensitive data and submit reports of the results with evaluation and recommendations to the Director, Division of Security, for approval;
(5) appoint an automated systems security officer and alternate(s) for each system who are familiar with computer and security concepts and principles established for their system and assure that they perform the duties assigned in this Bulletin;
(6) assure that NRC and NRC contractor personnel under their jurisdiction are aware of their responsibilities to report any hardware malfunctions, software error or other incidents that could reduce the protection afforded to sensitive data immediately to the Director, Division of Security;
(7) accomplish follow-up actions relative to such matters as requested by the Division of Security, or as otherwise pertinent;
(8) assure responsible office staff are provided with adequate training in computer security concepts;
(9) report immediately to the Director, Office of Inspector and Auditor, all alleged or suspected incidents of fraud, misconduct, unauthorized disclosure of sensitive data, misuse of automated systems, etc.
6. Personnel Security Requirements
The Office of Personnel Management in Federal Personnel Management (FPM) Letter 732-7, "Personnel Security Program for Positions Associated with Federal Computer Systems," establishes a level of investigation (e.g., background investigation or a National Agency Check with inquiries) which is to be conducted on federal employees who are associated with the operation of automated systems processing sensitive data.
Current NRC personnel security policies and procedures fulfill the requirements of this issuance. Those positions having the level of responsibility designated as "ADP-I" in the FPM letter fall within the criteria of NRC Appendix 2101, Part VI, "Personnel Security Program," Annex A, which requires a complete background investigation.
Since all NRC employees are processed for, as a minimum, an "L" clearance, the requirements for ADP-II and ADP-III positions are fulfilled.
For each automated system or application processing sensitive data, it is necessary for the Office or Division Director, in coordination with the systems security officer, to review the functions and sensitivity of each NRC position associated with the system against the criteria of NRC Appendix 2101, Part VI to insure the positions are properly designated. Should this review indicate a position or positions requires upgrading or downgrading, the procedures of Part VI should be followed.
7. Designation and Functions of Automated Systems Security Officer
Each Director of a Headquarters Office or Division and each Director of a Regional Office must assign responsibility, in writing, for the security of each automated system processing sensitive data to a primary and alternate professional level official.
The system manager, where designated, is the official responsible for day to day operation of the system and, therefore, is also responsible for the security of the system.
The system manager may be designated as the automated system security officer or those responsibilities may be delegated to a staff professional depending on what is most efficient under the circumstances. The official(s) shall be familiar with the established security principles and procedures for their system. This knowledge may be acquired by on-the-job training, attendance at seminars or workshops and other related training programs.
An information copy of this designation shall be furnished to the Director, Division of Security. The automated system security officer for each system processing sensitive data, shall:
a. determine the sensitivity of the system through application of the criteria of sensitivity;
b. develop and implement the administrative security procedures for the system;
c. assure the employment and enforcement of security procedures as specified in the automated systems security plan;
d. submit initial and amended automated systems security proposals developed in conjunction with the Division of Automatic Data Processing Support through the Office or Division Director to the Division of Security for review and approval;
e. review annually automated systems security plans covering systems processing sensitive data and update those requiring same.
8. Content and Processing of Automated Systems Security Proposal
The automated systems security proposal shall be prepared by the Division of Automatic Data Processing Support, in conjunction with the automated systems security officer, for existing systems, new systems, or for substantial changes affecting the security of existing systems processing or producing sensitive data, whether performed in-house, by contract, or by another federal agency.
For new acquisitions involving contracts or interagency agreements the offeror will be required to provide these portions of the automated systems security proposal specified in the solicitation by the Division of Automatic Data Processing Support.
The automated systems security proposal shall set forth the measures to be implemented for each system processing or producing sensitive data and be submitted to the Director, Division of Security, for approval.
The automated systems security proposal shall contain the following information:
(1) General description of the system; the location of input, processing, storing, and output equipment; equipment description by name and model number; the name and the title of the Automated Systems Security Officer; and a brief description of the sensitive data to be processed;
(2) Statement of the hardware and software security measures to protect sensitive data including the use and safeguarding of passwords and programmed lock-out features;
(3) Explanation of the administrative security measures used to protect sensitive data including the control of hard copy input and output media;
(4) Description of the physical security measures to protect sensitive data such as the use of guards, alarms, access controls, etc.;
(5) Discussion of the personnel security measures to protect sensitive data, including the use of personnel security clearances;
(6) A risk analysis of the automated system processing sensitive data, including estimating potential losses to the system and its users from loss or destruction of data and program files;
(7) A discussion of the automated systems contingency plans, including emergency response and backup planning.
Solicitations for automated systems processing or producing sensitive data will require the submission of specified portions of the automated systems security proposal.
In the case of a system or application to be operated at a non-NRC facility, it will require all of the items listed above except (6). To permit the preparation of an effective automated system security proposal, the solicitation shall provide the system security requirements which the offeror must meet.
In the case of a system or application operated at an NRC facility, the Division of Automatic Data Processing Support will require, in the solicitation, those elements of the automated systems security proposal necessary to assemble a completed proposal. Automated system security proposals submitted in response to an NRC solicitation shall be reviewed by a member of the Division of Security functioning as an advisor to the Source Evaluation Panel. Deficiencies in the proposal shall be treated in accordance with regulations governing the contracting process. A final determination of the automated systems security proposal's acceptability will be made by the Director, Division of Security, prior to the award of a contract.
FIPS PUB 31, "Guidelines for Automatic Data Processing Physical Security and Risk Management," and FIPS PUB 65, "Guidelines for Automatic Data Processing Risk Analysis," contain information on how to perform and prepare risk analysis and contingency plans.
For proposed automated systems processing sensitive data the proposal shall be submitted and approved prior to processing any sensitive data.
For existing systems processing sensitive data an implementation plan indicating completion dates shall be prepared by the Director, Division of Automatic Data Processing Support, and be submitted to the Division of Security within 90 days after publication of this Bulletin.
9. Content and Processing of Automated Systems Security Integrity Studies
An automated systems security integrity study shall be prepared by the Division of Automatic Data Processing Support, in conjunction with the automated systems security officer, prior to the completion of acceptance testing for new systems or changes to systems which are acquired or performed under contractual or interagency agreements.
For completely in-house systems, the Automated System Integrity Study will be completed prior to full operational use of the system. The study will be concurred in by the Director, Division of Automatic Data Processing Support, and the Director of the Office or Division involved, and forwarded to the Division of Security for approval.
For existing systems processing sensitive data, the Automated Systems Integrity Study will be completed within 120 days after approval of the automated systems security proposal.
The Automated Systems Integrity Study will contain the following information:
(1) Name and location of the facility and system, hardware and software characteristics of the system, name and capacity of the persons who developed the system's security measures, name and capacity of the persons who conducted the systems integrity study, and a brief description of the sensitive data processed with an indication of whether the system operates in a static (e.g., transaction oriented) or dynamic (e.g., scientific computation oriented) environment;
(2) An assessment of whether or not the following such activities could affect the reliability and operational characteristics of the system's security measures:
a. deliberate attempts by personnel not authorized to make hardware and software security changes (e.g., those having access to only remote terminal equipment);
b. failure of system components;
c. the phasing in or out of equipment;
d. outages; or
e. other such accidental or deliberate incidents.
(3) An assumption that unauthorized personnel will attempt the following actions and an assessment of the probable results:
a. obtain sensitive data from sensitive files or records;
b. obtain information about the software security measures written by NRC or NRC contractor personnel which would reduce the effectiveness of these measures;
c. insert false or misleading information into sensitive files or records in order to cause confusion or render the files or records useless to authorized personnel;
d. destroy the operating system software;
e. subvert the system's security measures;
f. cause the system to operate for a purpose other than that for which it was intended.
(4) a discussion of any tests conducted to assess the security measures specified in the automated system security plan and the results obtained. This could include:
a. tests concerning the systems hardware and software security measures;
b. tests concerning the knowledge and ability of facility personnel to insure access to the sensitive data is limited to authorized individuals;
c. tests to insure that access to the facility and its equipment is sufficiently controlled to prevent unauthorized use of or tampering with hardware, software or data.
(5) a summary of the study including any deficiencies found and proposed corrective measures. If no corrective measures are practical or feasible, this should be clearly stated with supporting rationale.
The Automated Systems Security Integrity Study will be marked, handled, and protected in the same manner as the most sensitive data to be processed in the system (e.g., Official Use Only).
10. Security Measures for Automated Systems Containing Sensitive Data
The security measures to be applied to NRC sensitive data shall follow the guidelines below. (These guidelines are expected to be superseded by new ones from General Services Administration or the Department of Commerce per Office of Management and Budget Circular A-71, TM-1.)
a. Physical Safeguards
The physical protection of facilities containing sensitive data shall conform, at least, to the requirements set forth in NRC Appendix 2101, Part VIII, "Physical Protection of Unclassified NRC Facilities."
b. Control of Machine Readable Records and Their Related Documents Containing Sensitive Data
All machine readable records and their related documents that are determined to contain sensitive data shall be handled, as a minimum, as Official Use Only.
The policies and procedures for the dissemination, marking, protection, destruction and removal of controls for such documents shall, therefore, be governed by NRC Appendix 2101, Part IV, "Control of Official Use Only Information."
FPMR-101-11.4, "General Records Schedule 20," dated February 16, 1977, contains guidance regarding the disposition of machine readable records and their related documents.
c. Automated Systems Security
The systems security measures of automated systems processing sensitive data shall conform, at least, to the requirements of FIPS PUB 41, "Computer Security Guidelines for Implementing the Privacy Act of 1974," dated May 30, 1975.
R. J. Brady, Director
Division of Security
Office of Administration