DOJ 2640.2E


INFORMATION TECHNOLOGY SECURITY

Approval Date: Nov. 28, 2003

Approved By:

PAUL R. CORTS
Assistant Attorney General
for Administration
Distribution: BUR/H-1; OBD/H-1
Initiated By: Department Chief Information Officer

FOREWORD

  1. PURPOSE. This order establishes uniform policy, responsibilities, and authorities for the implementation and protection of Department of Justice (Department) information technology (IT) systems that store, process or transmit classified and unclassified information. Unclassified IT systems shall be designated as sensitive but unclassified (SBU).

  2. SCOPE. The provisions of this order apply to all Department components, personnel, IT systems (including hardware, software, and media), facilities, and contractors acting on behalf of the Department. This policy also applies to any outside organizations, or their representatives, that are granted access to the Department's IT resources, such as other Federal agencies.

  3. CANCELLATION. Order DOJ 2640.2D is cancelled.
  4. AUTHORITIES. The Department Chief Information Officer (CIO) is responsible for providing policy, guidance, implementation and oversight for IT systems.
  5. REFERENCES. References to various regulations and laws applicable to the responsibilities of IT security are located in Appendix 1.
  6. DEFINITION OF TERMS. The National Information Systems Security (INFOSEC) Glossary provides definitions applicable to Department IT policy.
/ s / PAUL R. CORTS
Assistant Attorney General
for Administration

TABLE OF CONTENTS

CHAPTER 1. SECURITY PROGRAM MANAGEMENT.

  1. Component Information Technology Security Program.
  2. Information Technology Security Reporting Requirements.
  3. Repercussions for Component Non-Compliance.
  4. Computer Education, Training and Awareness.
  5. Computer Emergency Response.
  6. Information Technology Security Life Cycle.
  7. Certification and Accreditation.
  8. Security Assurances.
  9. Contingency Planning/Business Resumption Planning.
  10. Software Licenses and Use.
  11. Configuration Management.
  12. - 14. Reserved.

CHAPTER 2. SECURITY REQUIREMENTS.

  1. System Sensitivity Designation and Mode of Operation.
  2. Access Control.
  3. Identification and Authentication.
  4. Password Management.
  5. Accountability and Audit Trails.
  6. Warning Banner.
  7. Sensitive Compartmented Information.
  8. Tempest.
  9. Assignment and Segregation of System Responsibilities/Permissions.
  10. Personnel Security.
  11. Physical and Environmental Security.
  12. Storage and Marking.
  13. - 29. Reserved.

CHAPTER 3. NETWORK SECURITY CONTROLS

  1. Network and Computer Connections to Non-Department Entities.
  2. Automatic Forwarding.
  3. Security Architecture. (Reserved)
  4. Laptop Security and Mobile Computing.
  5. Boundary Protection Devices.
  6. Virus Control.
  7. Intrusion Detection Systems (IDS).
  8. Encryption.
  9. Mobile Code.
  10. Wireless Networks.
  11. Private Branch Exchange (PBX) Security.
  12. Facsimile.
  13. - 44. Reserved.

CHAPTER 4. MEDIA DISPOSAL AND REUSE.

  1. Media Disposal.
  2. Media Reuse.
  3. - 49. Reserved.

CHAPTER 5. ROLES AND RESPONSIBILITIES.

  1. Department Chief Information Officer (CIO).
  2. Department Security Officer (DSO).
  3. Component Heads or Their Designee.

APPENDIX 1. REFERENCES.

 

CHAPTER 1. SECURITY PROGRAM MANAGEMENT.

  1. COMPONENT INFORMATION TECHNOLOGY SECURITY PROGRAMS. Each component shall have the responsibility for establishing and maintaining an IT security program to secure the component's computer systems, networks, and data in accordance with Department policies, procedures and guidance.
  2. INFORMATION TECHNOLOGY SECURITY REPORTING REQUIREMENTS. Each component shall have the responsibility for reporting on the status of its IT security program to the Department Chief Information Officer (CIO). Components shall report annually in accordance with guidance issued by JMD or the Department CIO. To the extent possible, this reporting will be included within the Information Technology Investment Management (ITIM) process.
    1. Certification and Accreditation (C&A). Each component shall provide an up-to-date inventory of systems (both developmental and operational), the anticipated dates for the C&A of developmental systems, the dates of the latest C&A for each operational system, and the projected dates for the next C&A of operational systems. The component shall also report on the reasons for any changes to the C&A of any operational system.
    2. External Network Connections and Wireless Local Area Networks (LANs). Each component shall report to the Department CIO on its current inventory of external network connections and wireless data networks (excluding any services provided by the Justice Wireless Network).
    3. Annual IT Security Assessment. Each component shall evaluate its IT security program and system protection mechanisms and report deficiencies to the Department CIO. Components shall report quarterly on their actions and milestones for addressing any deficiencies.

  3. REPERCUSSIONS FOR COMPONENT NON-COMPLIANCE. The Department CIO may take appropriate action in the event a component is found to be non-compliant with Department IT security policies. The Department Security Officer (DSO) shall be notified in cases of such non-compliance in order to take appropriate action.
  4. COMPUTER EDUCATION, TRAINING, AND AWARENESS. Each component shall implement an IT security awareness, training, and education program.
  5. COMPUTER EMERGENCY RESPONSE. Each component shall develop an IT security incident response plan and exercise that plan at least annually. Security incidents that meet the criteria established by the DOJ Computer Emergency Response Team (DOJCERT) shall be reported by the component to DOJCERT within time frames established by DOJCERT. Security violations involving systems that process classified information shall be reported to the DSO. Incidents that result in the loss or compromise of information shall be reported to the DSO and Department CIO.
  6. INFORMATION TECHNOLOGY SECURITY LIFE CYCLE. Components shall develop and implement a risk-based security process to provide security throughout the life cycle of all systems supporting their operations and assets.
    1. All Department systems must include IT security as part of their life cycle management process.
    2. System data sensitivity, system security requirements, system boundaries, and system interconnections must be identified before starting formal development of a new system and shall be consistent with the time frame outlined in the Department's Business Case Analysis Investment Proposal Development, Information Technology Investment Management (ITIM) Guide.
    3. A configuration management process shall be in place to maintain control of changes to any system.
    4. A risk management process shall be implemented to assess the risks to component IT systems, as part of a risk-based approach used to determine adequate security for the system by analyzing threats and vulnerabilities and selecting appropriate cost-effective controls to achieve and maintain an acceptable level of risk.
  7. CERTIFICATION AND ACCREDITATION. Components shall ensure the certification and accreditation of all systems under their operational control.
    1. All systems shall be certified and accredited prior to being placed into operation. Therefore, until an IT system is certified and accredited, no operational data may be used for any purpose; this includes testing in pilot systems when live data is used or when the pilot system is connected to a Department network.
    2. Each component shall designate appropriate certification and accreditation officials for each system.
    3. The Component Head shall appoint a senior management official as the Designated Approving Authority (DAA) who shall assume responsibility for operating a system in a particular security mode using a prescribed set of safeguards to an acceptable level of risk. The Component Head may appoint one or more DAAs based upon ownership and responsibility of the system resources.
    4. The DAA shall:
      (1) Evaluate the certification findings and assess vulnerabilities and residual risks.
      (2) Approve corrective action and ensure its implementation.
      (3) Accept the statement of residual risks.
      (4) Determine which action to follow:
        (a) Accredit the system;
        (b) Terminate system operation if currently operational; or
        (c) Not place the system into production.
      (5) If accredited, sign the accreditation memorandum recording the decision on the adequacy of system safeguards and provide the authorization to operate.
      (6) Determine the period of accreditation, not to exceed three years.
      (7) Oversee compliance with the security life cycle and risk management process.

    5. When operational needs or mission criticality require a system to become operational and the system does not provide adequate safeguards, the DAA may grant an accreditation with conditions. Such an accreditation is limited in time (it shall not exceed 180 days without DAA approval and reaccreditation) and shall specify when the conditions must be corrected.
    6. The DAA may grant an accreditation with conditions based on the following:
      (1) Acceptability of system safeguards and risks of operating in conditional status.
      (2) Approval of proposed corrective action.
      (3) Approval of the schedule to accomplish proposed corrective action.

    7. Accreditations with conditions shall not be granted if system or application vulnerabilities permit the following:
      (1) Breaches of the confidentiality and integrity functions of the system or application and its data.
      (2) Breaches in system security over the network that extend to more than one component and/or accrediting official.

    8. If there is a major change to the system or operating environment, or a breach of security, the component shall immediately re-certify and re-accredit the system or application before it is placed back into operation.

  8. SECURITY ASSURANCES. Component IT systems shall be examined for security prior to being placed into operation. All IT systems shall have safeguards in place to detect and minimize inadvertent or malicious modifications or destruction of the IT system.
    1. Components shall examine all hardware and software procured and/or developed to ensure that the hardware or software component contains no features that might be detrimental to the security of a Department system.
    2. Components are encouraged to use products that have been evaluated using the International Standard 15408, Common Criteria for Information Technology Security Evaluation.
    3. Components shall develop and implement a Security Test and Evaluation (ST&E) of each IT system to validate security requirements are satisfied.
  9. CONTINGENCY PLANNING/BUSINESS RESUMPTION PLANNING. Components shall plan for how they will perform their missions in the event their IT systems are unavailable and how they will recover these IT systems in the event of loss or failure. Components shall:
    1. Develop a contingency plan for each general support system and major application. Contingency plans shall:
      (1) Identify the priorities of the system for restoration, taking into consideration the system's role in fulfilling Department mission and interdependency requirements.
      (2) Determine the maximum amount of elapsed time permissible between an adverse event and putting the system's contingency plan into operation.
      (3) Determine the maximum amount of data and system settings that can be lost between the service interruption event and the last back-up (this measure shall determine system back-up policies).
      (4) Identify interdependencies with other systems (i.e., those of other components or of Federal, State or local agencies) that could affect contingency operations.
      (5) Identify system owners, roles, and responsibilities.

    2. Develop and maintain site plans that detail responses to emergencies for IT facilities.
    3. Test contingency/business resumption plans annually, or as soon as possible after a significant change to the environment that would alter the in-place assessed risk.

  10. SOFTWARE LICENSES AND USE. Components shall establish procedures to ensure that software installed on component IT systems is in compliance with applicable copyright laws and is incorporated into the system's life cycle management process.
  11. CONFIGURATION MANAGEMENT. Components shall:
    1. Establish and document a change control process for each system.
    2. Document and test all changes before modifying the accredited system and/or application so that new vulnerabilities are not introduced into the operational environment.
    3. Update system configuration information included in the certification and accreditation package, to include the system security plan, risk analysis, and contingency plan.

  12. - 14. RESERVED.

CHAPTER 2. SECURITY REQUIREMENTS.

  1. SYSTEM SENSITIVITY DESIGNATION AND MODE OF OPERATION. All classified and SBU IT systems shall be categorized with a system sensitivity designation and mode of operation.
    1. All IT systems that process unclassified information shall be designated as SBU.
    2. All IT systems that process classified information shall be designated by the highest classification, handling code, and category of information processed.
    3. Dedicated Security Mode and System High Security Mode are the only modes of operation authorized. Exceptions to allow the operations of classified IT systems in the compartmented and multilevel security modes shall be requested in writing to the Department CIO and DSO.
  2. ACCESS CONTROL. Access controls shall be in place and operational for all Department IT systems to:
    1. Enable the use of resources such as data and programs necessary to fulfill job responsibilities and no more.
    2. Prevent multiple concurrent active sessions for one user identification, unless the DAA grants authority based upon operational business needs. If the DAA permits more than one active session, the system must provide a user notification to identify that the user session is active in another location.
    3. Disable inactive sessions so that authentication is required to re-establish the session after 20 minutes or less of inactivity. Screen saver or workstation lockouts that require users to re-enter their passwords, such as those available in Windows, are acceptable.
    4. Ensure that only authorized personnel can add, change, or remove component devices, dial-up connections, network addresses and protocols, or remove or alter programs.
    5. Enforce separation of duties based on roles and responsibilities.
    6. Protect the system, its data and applications, from unauthorized disclosure, modification, or erasure.
    7. For systems operating in the system high mode of operation, the system security features must have the technical ability to restrict the user's access to only that information which is necessary for operations and for which the user has a need-to-know.
  3. IDENTIFICATION AND AUTHENTICATION. Department IT systems shall:
    1. Identify every individual user as unique.
    2. Authenticate a user before enabling access to system resources.
    3. Comply with the Department password management policy.
    4. Store passwords, algorithms, keys, certificates, codes, or other schemes that are used, maintained, or managed by the system for authentication purposes in a manner that prevents unauthorized individuals from gaining access to them.
  4. PASSWORD MANAGEMENT. Department IT systems that use passwords as the means for authentication shall implement at least the following minimum features:
    1. Require the system administrator to issue initial passwords.
    2. Require technical implementation to support the following:
      (1) An eight-character password composed of at least three of the following: English uppercase letters, English lowercase letters, numerics, and special characters.
      (2) Prevent the use of the previous six passwords.
      (3) Prevent the display of a clear text password.
      (4) Limit password lifetime to a maximum of 90 days.
      (5) Expire an initial-use password at the time of its first use in a manner that requires the password owner to supply a new password.

    3. Prevent the capture and viewing of passwords through operating or application system features that may allow an individual access to a clear text password, or to a password in any form that can be replayed, unless the feature is used solely for monitoring user compliance with password policy and is approved by the DAA.
    4. Disable system default passwords as soon as possible after system installation and before the system becomes operational.
    5. Store passwords in an encrypted form.
    6. Disable user accounts after no more than four consecutive invalid attempts are made to supply a password, and require the reinstatement of a disabled user account by an administrator.
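
The password rules of this section, enforced in code. This is an added illustration, not part of the order or of any Department system; it assumes salted PBKDF2 hashing as the "encrypted form", treats the current password and the six before it as unusable, and uses the order's approval date as a fixed clock for a constructed scenario.

```python
# Added illustration of the password rules in this section, not code from the order. Assumptions:
# salted PBKDF2 hashes stand in for the order's "encrypted form", the history check treats the
# current password and the six before it as unusable, and POLICY_DATE is a fixed clock.
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN_LENGTH = 8                        # eight-character password
MIN_CLASSES = 3                       # at least three of the four character classes
HISTORY_DEPTH = 6                     # the previous six passwords may not be reused
MAX_LIFETIME = timedelta(days=90)     # 90-day maximum password lifetime
MAX_FAILED_ATTEMPTS = 4               # disable after four consecutive invalid attempts
POLICY_DATE = datetime(2003, 11, 28)  # approval date of the order, used as a fixed clock

def complexity_errors(password: str) -> list[str]:
    """Length and character-class violations for a candidate password; empty when it complies."""
    classes = sum(any(c in cls for c in password) for cls in (
        string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation))
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if classes < MIN_CLASSES:
        errors.append(f"uses fewer than {MIN_CLASSES} of the 4 character classes")
    return errors

def _derive(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: the stored form never yields the clear-text password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

@dataclass
class Account:
    username: str
    history: list[tuple[bytes, bytes]]  # (salt, digest) pairs, newest last
    changed_at: datetime
    must_change: bool = True            # an initial password expires at its first use
    failed_attempts: int = 0
    disabled: bool = False

def create_account(username: str, initial_password: str, now: datetime) -> Account:
    """The administrator issues the initial password, which must itself comply."""
    if complexity_errors(initial_password):
        raise ValueError("initial password violates policy")
    salt = os.urandom(16)
    return Account(username, [(salt, _derive(initial_password, salt))], now)

def change_password(account: Account, new_password: str, now: datetime) -> list[str]:
    """Apply the complexity and history rules; returns the violations, or [] once changed."""
    errors = complexity_errors(new_password)
    for salt, digest in account.history:  # current password plus the six before it
        if hmac.compare_digest(_derive(new_password, salt), digest):
            errors.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
            break
    if errors:
        return errors
    salt = os.urandom(16)
    account.history.append((salt, _derive(new_password, salt)))
    del account.history[:-(HISTORY_DEPTH + 1)]  # keep the current plus HISTORY_DEPTH older
    account.changed_at = now
    account.must_change = False
    return []

def authenticate(account: Account, password: str, now: datetime) -> str:
    """Returns 'disabled', 'invalid', 'change_required' or 'ok'."""
    if account.disabled:
        return "disabled"
    salt, digest = account.history[-1]
    if not hmac.compare_digest(_derive(password, salt), digest):
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:  # lock the account
            account.disabled = True
            return "disabled"
        return "invalid"
    account.failed_attempts = 0  # only consecutive failures count toward the lockout
    # A first use of the initial password and a lifetime over 90 days both force a change.
    if account.must_change or now - account.changed_at > MAX_LIFETIME:
        return "change_required"
    return "ok"

def reinstate(account: Account) -> None:
    """Only an administrator re-enables a disabled account."""
    account.disabled = False
    account.failed_attempts = 0

def run_scenario() -> list[str]:
    """Walk one constructed account through the rules and return each outcome in order."""
    outcome = lambda errs: errs[0] if errs else "changed"  # noqa: E731
    acct = create_account("analyst", "Tmp-Pass1", POLICY_DATE)
    out = [authenticate(acct, "Tmp-Pass1", POLICY_DATE)]                  # change_required
    out.append(outcome(change_password(acct, "password", POLICY_DATE)))   # too few classes
    out.append(outcome(change_password(acct, "Tmp-Pass1", POLICY_DATE)))  # reuse rejected
    out.append(outcome(change_password(acct, "Blue-Sky42", POLICY_DATE))) # changed
    out.append(authenticate(acct, "Blue-Sky42", POLICY_DATE))             # ok
    for _ in range(MAX_FAILED_ATTEMPTS):
        out.append(authenticate(acct, "nope", POLICY_DATE))               # invalid x3, disabled
    reinstate(acct)
    out.append(authenticate(acct, "Blue-Sky42", POLICY_DATE + timedelta(days=91)))  # expired
    return out
```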

  5. ACCOUNTABILITY AND AUDIT TRAILS.
    1. Department IT systems shall:
      (1) Maintain an audit trail of activity sufficient to reconstruct security-relevant events.
      (2) Include in the audit trail the identity of each entity accessing the system, the time and date of the access, the time and date the entity terminated access, activities performed using an administrator's identification, and activities that could modify, bypass, or negate the system's security safeguards.
      (3) Protect the audit trail from actions, such as unauthorized access, modification, and destruction, that would negate its forensic value.
      (4) Retain the audit trail for 90 days, the minimum record retention period specified by the component, or the period specified in the system security plan, whichever is longer.

    2. Audit trails shall be reviewed in compliance with the review period specified for the audit trail in the system's security plan.
    3. IT systems operating in the Dedicated Mode of Operation or in a stand-alone environment that do not implement an audit trail must be justified and documented in the risk analysis and certification process.
  6. WARNING BANNER. All Department IT systems shall implement a system banner that provides warning to employees that the Department may monitor any activity on the system and search and retrieve any information stored within the system; that accessing the system constitutes consent to such monitoring and information retrieval for law enforcement and other purposes; and that users should have no expectation of privacy as to any communication on or information stored within the system, including information stored on the network and stored locally on the hard drive or other media in use with the unit.
  7. SENSITIVE COMPARTMENTED INFORMATION (SCI). All IT systems that process, store, or transmit SCI must follow the requirements delineated in the Director of Central Intelligence Directive (DCID) 6/3, Protecting Sensitive Compartmented Information within Information Systems. In addition, SCI IT systems shall operate only in SCI facilities subject to the provisions of DCID 6/9, Sensitive Compartmented Information Facilities.
  8. NATIONAL TELECOMMUNICATIONS AND INFORMATION SYSTEMS SECURITY INSTRUCTION (NTISSI) NO. 7000, TEMPEST COUNTERMEASURES FOR FACILITIES. NTISSI No. 7000 shall be used to determine applicable TEMPEST countermeasures for computer systems processing classified information.
  9. ASSIGNMENT AND SEGREGATION OF SYSTEM RESPONSIBILITIES/PERMISSIONS. Department IT systems shall have assignment and segregation of system responsibilities defined and documented.
    1. At a minimum, there shall be a clearly defined role for a security administrator and a system administrator. The security administrator may be responsible for adding, changing, and deleting users and their system access privileges and shall be responsible for viewing and archiving security logs and audit trails. System administrators may view security logs and may add, change, or delete users and their system access privileges.
    2. Controls shall be in place to ensure that the user has access to only the resources required to accomplish their duties and no more.
    3. Controls used to implement and enforce roles shall be compliant with Department access control policies.

  10. PERSONNEL SECURITY.
    1. Department personnel and non-Department personnel, including but not limited to contractors, shall have personnel security clearances commensurate with the highest level of information processed by the system pursuant to the provisions of Department orders.
    2. For all Department IT systems the component shall:
      (1) Review and classify each assignment of system responsibility as a position in terms of its sensitivity, in accordance with Department policies.
      (2) Ensure that an appropriate background investigation has been completed on individuals who fill each position, in accordance with Department policies.

    3. Non-U.S. citizens shall not be authorized to access or assist in the development, operation, management or maintenance of Department IT systems, unless a waiver has been granted by the Head of the Component, with the concurrence of the DSO and the CIO.
      (1) All waiver requests must be submitted to the DSO and the CIO for concurrence prior to the Head of the Component's approval or disapproval of the request.
      (2) All requests for waivers must include:
        (a) Name and citizenship of the individual. (The country of citizenship must be on the Allied Nations List.)
        (b) Dates of residence in the United States. (The individual must meet the Department's residency requirement, i.e., he/she must have lived in the United States for three of the last five years.)
        (c) The compelling reason for using this individual as opposed to a U.S. citizen.
        (d) The duration of the waiver (not to exceed one year without review).
        (e) Identification of the unique benefits or contributions to the Department that can be attributed to the non-U.S. citizen.
        (f) Explanation of the security features/controls that the component program manager has in place to prevent this individual from gaining access to other systems in the Department.

    4. Access to SBU Systems in Foreign Locations/Embassies. Requirements for access to SBU systems by non-U.S. citizens working in Department offices outside the United States have been established by the Overseas Security Policy Board (OSPB) and may be found in the Foreign Affairs Handbook. These requirements are implemented by the Department of State's (DOS') Resident Security Officer at each U.S. embassy. Any inquiries may be directed to the DOS Systems Standards Branch (for Computer Security).

  11. PHYSICAL AND ENVIRONMENTAL SECURITY.
    1. Department IT systems shall be physically protected commensurate with the highest classification or sensitivity of the information.
    2. Department IT systems shall be environmentally protected, and the means for providing this protection shall be documented.
    3. Facilities supporting large scale IT operations, such as enterprise servers and telecommunication facilities, require consideration of additional environmental and physical controls as determined by a risk analysis.
  12. STORAGE AND MARKING. IT systems and electronic media shall be protected and marked in accordance with the data sensitivity and to the highest classification level authorized.
    1. Users shall not store data on electronic media that cannot be adequately secured against unauthorized access.
    2. IT systems shall contain an external classification marking authorizing the level of information that can be processed.

  13. - 29. RESERVED.

CHAPTER 3. NETWORK SECURITY CONTROLS.

  1. NETWORK AND COMPUTER CONNECTIONS TO NON-DEPARTMENT ENTITIES.
    1. Connections to external networks (such as the Internet), dial-in and dial-out facilities and services, and dedicated connections to other government, public, or private entities shall be obtained through resources provided by JMD or approved by the Department CIO.
    2. All connections to networks and systems that are outside Department security administration boundaries shall be managed in accordance with the following requirements:
      (1) Boundary protection devices (firewalls and guards), anti-viral software, and intrusion detection systems shall be implemented on Department networks and networked systems that connect to networks outside the Department security administration boundary.
      (2) Permitted services shall be documented in the system security plan. All other services shall be disabled and/or removed.
      (3) Modems shall not be attached or installed on workstations or other devices connected to a Department network except:
        (a) Devices that require remote access to facilities for maintenance and diagnostic purposes, when a waiver has been granted by the Department's CIO.
        (b) Mobile computing devices that require a modem to connect to the network.
        (c) Devices that provide for managed remote access services (e.g., modem pools).
      (4) A non-networked computer that connects to external networks or systems (via modem) shall not store Department data unless the data can be protected from unauthorized access, modification, or destruction.
      (5) External network connections shall be managed in accordance with a Service Interface Agreement (SIA) that is agreed to by the cognizant Department organization and the non-Department entity and is included in the accreditation package. An SIA shall include:
        (a) Purpose and duration of the connection as stated in the memorandum of understanding/agreement, lease, or contract.
        (b) Points-of-contact and cognizant officials for both the Department and non-Department organizations.
        (c) Roles and responsibilities of points-of-contact and cognizant officials for both Department and non-Department organizations.
        (d) Security measures to be implemented by the non-Department organization to protect the Department's IT assets against unauthorized use or exploitation of the external network connection.
        (e) Requirements for notifying a specified Department official within four hours of a security incident on the network.
        (f) An agreement allowing the Department to periodically test the ability to penetrate the Department's network through the external network connection or system.
    3. Dial-in and dial-out connections shall be managed as follows:
      (1) Session activity shall be recorded in an audit trail.
      (2) Identification and authentication mechanisms shall be used to establish a dial-in connection in compliance with Department identification and authentication policy. However, if the purpose of the dial-in connection is to conduct system diagnostics or maintenance, the password for that session shall expire at the conclusion of the session and be verified unusable.
      (3) Encryption technology used for sessions across non-Department networks, including public switched networks and the Internet, shall comply with Department encryption policy.
      (4) Computing devices used to access Department systems from a remote location (e.g., an employee's residence) must be documented in the system security plan, approved by the DAA, and configured to comply with the policies and procedures established for the system.
      (5) Computing devices used to remotely access a Department system shall not be connected to any other network during networked sessions with a Department system unless security can be afforded to the data and the Department system and the system security plan identifies this type of functionality.
      (6) Department networks and systems allowing for dial-in or dial-out sessions shall be certified and accredited for this purpose. Certification and accreditation documentation shall identify the devices that are permitted to access Department networks and systems and the circumstances and reasons for their connection.

    4. External network connections shall be reviewed annually by component personnel and documented in the annual IT security assessment transmitted to the Department CIO.
  2. AUTOMATIC FORWARDING. Automatic forwarding (via rule or macro) of e-mail received in a Department e-mail system to or through a non-Department e-mail system is prohibited, unless the DAA of the system grants a waiver based upon risk and operational needs.
  3. SECURITY ARCHITECTURE. RESERVED.
  4. LAPTOP SECURITY AND MOBILE COMPUTING.
    1. Laptops and mobile computing devices (including personal digital assistants) approved for processing SBU information shall:
      (1) Not be connected to Department networks or systems unless the network or system is certified and accredited for that functionality. In such cases the system security plan shall identify the devices that can be used to access the network or system, the purposes for the access, and the security controls for the connection.
      (2) Employ virus protection software on laptop devices.
      (3) Employ encryption technology on laptop devices.

    2. Components that issue or otherwise allow the use of mobile computing devices for Department business purposes shall publish and enforce Rules of Behavior that address the unique operating environment presented by mobile computing devices. The Rules of Behavior shall address at a minimum: authorized and official use; prohibitions against unauthorized users; and prohibitions against changes to system configurations unless the changes are made by an authorized system administrator.
    3. Laptops and mobile computing devices are not authorized to process or store classified information unless approved in writing by the DSO and the Department CIO. The Department CIO will issue standards for devices authorized for such use and coordinate those standards with the DSO.
  5. BOUNDARY PROTECTION DEVICES. Department networks shall be protected by boundary protection devices (firewalls and trusted guards) at identified points of interface. These security devices and configurations shall be designed and implemented employing a system security engineering/risk management process.
    1. Firewalls shall not be used to protect connections between classified and unclassified systems. Only trusted guards should be specified for use in security configurations that bridge and protect networks at different classification levels, and such guards shall be approved by the Department CIO.
    2. Department firewalls shall:
      (1) Define and implement a network security policy based on an engineering/risk management process.
      (2) Block all services not required and disable unused ports.
      (3) Hide Department trusted network addresses from untrusted networks and prevent direct access to them.
      (4) Maintain comprehensive audit trails.
      (5) Fail in a closed state.
      (6) Operate on a dedicated platform (device).

  6. VIRUS CONTROL. All Department IT systems shall employ virus protection software. Anti-virus software shall:
    1. Detect and eliminate viruses on computer workstations, laptops, servers, and simple mail transfer protocol gateways.
    2. Be enabled on workstations and servers at start-up and employ resident scanning.
    3. On servers, update virus signature files immediately, or as soon as possible, with each new release.

  7. INTRUSION DETECTION SYSTEMS (IDS). Department IT systems and networks that employ routable protocol devices shall contain intrusion detection systems. Intrusion detection systems shall be:
    1. Installed with boundary protection devices (e.g., firewalls) and/or routers to detect network intrusions and potential breaches in progress at all points external to the Department network, and on internal networks where a risk analysis dictates an IDS.
    2. Installed on multiuser systems to detect intrusions on hosts, including servers located on wireless local area network segments and servers directly accessible from a network outside Department security administration boundaries.
    3. Operated in a manner that complies with Title 18, Section 2511 of the United States Code (18 U.S.C. 2511), the Electronic Communications Privacy Act.

  8. ENCRYPTION.
    1. Encryption technology shall be applied to the following during transmission:
      (1) Passwords and symmetric or private asymmetric keys, from their point of origin to their destination.
      (2) Activities of a system administrator or for system maintenance that could affect the security of another networked system.
      (3) Packets transmitted on wireless network segments.
      (4) Classified information, using equipment and keying material approved by the National Security Agency (NSA) (Type 1 products).

    2. Encryption technology shall be applied to the following while they are electronically stored:
      (1) Passwords. (This requirement allows automatic waivers of FIPS 140-1 requirements until standards-compliant encryption of passwords becomes available in COTS operating systems.)
      (2) Symmetric or private asymmetric keys.
      (3) Information stored on laptop computers.

    3. SBU IT systems employing encryption shall comply with applicable Federal Information Processing Standards (FIPS) publications and guidelines for encryption, except in those situations where encryption products or technologies are prohibited from exportation or deployment in a foreign country, across a national boundary, or in cooperation with a foreign country. In those cases, other compatible encryption technology may be considered upon a favorable determination by the Department CIO that it provides adequate protection.
    4. Waivers for use of noncompliant encryption must be approved in writing by the Department CIO.
    5. Communications security (COMSEC) shall be implemented commensurate with the highest classification or sensitivity level of the information being transmitted and in accordance with national security standards. When classified information transits an area not under access controls as stringent as required for that classification, it shall be protected by encryption or a protected distribution system (PDS).
      (1) A PDS may be used for the local unencrypted transmission of classified information with the approval of the DSO.
      (2) Secure telephone units shall be used for the transmission of classified voice. In addition, these devices can be used for data/fax transmission.

  9. MOBILE CODE. Until reliable executable content scanning technology is available to address security concerns with regard to mobile code or executables obtained via the Web, the following shall apply:
    1. All mobile code or executable content employed within a Department intranet shall be documented in the system security plan and approved by the DAA.
    2. As feasible, components shall implement a code review and quality control process for deployed mobile code or executable content.
    3. For those instances where there is no operational need to download mobile code or executable content, the IT system shall be configured to prevent the downloading of mobile code or executable content.
    4. Downloading of mobile code and executable content across a controlled interface between interconnected systems shall be permitted only when a boundary protection device, appropriately configured to handle such a download, is in place and approved by the DAA.
  10. WIRELESS NETWORKS.
    1. Wireless local area networks that employ routable protocols shall:
      (1) Establish their own addressable network segment.
      (2) Employ boundary protection devices at the precise and definable entry point to other Department network segments.
      (3) Employ encryption technology for wireless transmissions (from origin to termination).
      (4) Provide a virtual private network for those transmissions that traverse between the wireless local area network and Department trusted network segments.
      (5) Authenticate network users by processes that are stronger than those that rely only on a password for establishing the validity of a claimed identity.
      (6) Discriminate access to the network by media access control address.
    2. Wireless transmission technology that does not employ routable protocols shall encrypt transmissions from the wireless source device of the transmission to the destination wireless device.
  11. PRIVATE BRANCH EXCHANGE (PBX) SECURITY.
    1. PBX processors that require remote vendor maintenance via a dial-in telephone line must have a single dedicated telephone line and shall comply with the following:
      (1) Access to the public-switched telephone network shall be disabled at all times except during an authorized and supervised maintenance session.
      (2) An audit trail containing date, time, identity of users, and activities performed is required.
      (3) Encryption is required for transmissions.
      (4) Identification and authentication is required. If authentication is provided through a password mechanism, the password's lifetime shall be limited to that remote session only. Stronger authentication mechanisms are recommended.

    2. Administrative or maintenance activities performed using a routable network shall comply with the Department encryption policy.
    3. Technical and administrative controls shall be in place, operational, and compliant with the applicable sections of this policy.
    4. End-user applications, such as voice mail, shall be secured at a minimum by an eight-digit static password. This supersedes Department password policy and is applicable only in this case.
  12. FACSIMILE.
    1. All classified and SBU facsimile transmissions shall be preceded by a cover sheet. The cover sheet shall contain the following:
      (1) The classification and sensitivity of the information.
      (2) The name, office, and voice/fax telephone numbers for the recipient(s) and sender.
      (3) A warning banner with instructions to the recipient if the facsimile was received in error.

    2. Classified information shall be transmitted only with equipment operating with NSA approved encryption.

  13. - 44. RESERVED.

CHAPTER 4. MEDIA DISPOSAL AND REUSE.

  1. MEDIA DISPOSAL.
    1. When no longer usable, diskettes, tape cartridges, ribbons, and other similar items used to process SBU and classified information shall be destroyed by shredding, incineration, or degaussing, whichever method is available, appropriate, and cost effective. Classified media shall be disposed of in accordance with measures established by NSA.
    2. IT systems that have processed, stored, or transmitted SBU and/or classified information shall not be released from a component's control until the equipment is sanitized and all stored information has been cleared. For SBU information, the sanitization method shall be approved by the component. For classified systems, NSA-approved measures shall be used. This requirement includes equipment transferred to schools.
    3. Department IT equipment under maintenance warranty contracts shall include stipulations that equipment removed from the Department's physically protected offices shall be sanitized before its removal.
  2. MEDIA REUSE. When no longer required for mission or project completion, IT storage media that will be re-utilized by another person within the component shall be overwritten with software and protected consistent with the data sensitivity and/or at the highest classification level at which they were previously used. The procedures shall be documented in the system security plan.
  3. - 49. RESERVED.

CHAPTER 5. ROLES AND RESPONSIBILITIES.

  1. DEPARTMENT CHIEF INFORMATION OFFICER. The Department Chief Information Officer (CIO) is responsible for:
    1. Providing integrated IT security policy.
    2. Approving encryption technologies that are not FIPS-compliant in those situations where FIPS-compliant products are not available.
    3. Ensuring the Department's IT security program is established and implemented in compliance with Federal laws and regulations.
    4. Approving and monitoring waivers to IT security requirements (other than waivers relating to non-U.S. citizens accessing or assisting the development, operation, management, or maintenance of Department IT systems).
    5. Concurring with or disapproving requests for waivers relating to non-U.S. citizens accessing or assisting in the development, operation, management, or maintenance of Department IT systems.
    6. Reporting to the Attorney General and Office of Management and Budget on the status of the Department's IT security program.
    7. Enforcing Department security policy, including levying sanctions on components for non-compliance.
    8. Serving as the Department's Critical Infrastructure Assurance Officer in support of Presidential Decision Directive (PDD) 63, Critical Infrastructure Protection, as it relates to IT.

  2. DSO. The Department Security Officer (DSO) is responsible for:
    1. Providing advice to the Department CIO on security program areas affecting information technology.
    2. Conducting security compliance reviews to assess the overall effectiveness of security program implementation across the Department, including IT security. IT security reviews which require system testing shall be coordinated with the Department CIO. All IT security-related findings shall be reported to the Department CIO.
    3. Providing advice and recommendations to the Department CIO on waiver requests.
    4. Concurring with or disapproving requests for waivers relating to non-U.S. citizens accessing or assisting in the development, operation, management, or maintenance of Department IT systems.
    5. Ensuring the development and implementation of Department-wide policies and procedures to govern TEMPEST (¶ 22); Personnel Security (¶ 24); Physical and Environmental Security (¶ 25); Storage and Marking (¶ 26); Communications Security (COMSEC) materials (¶ 37e); Facsimile Security (¶ 41); Media Disposal (¶ 45); Media Reuse (¶ 46); copier security; Technical Surveillance Countermeasures (TSCM); and those aspects of the DSO's responsibilities for Personnel Security, Document Security, Physical Security, COMSEC, and Emergency Planning described in Order DOJ 2600.2C.
  3. COMPONENT HEADS OR THEIR DESIGNEE. Component heads, or their designee, are responsible for:
    1. Ensuring component policies and procedures are consistent with Department policy.
    2. Enforcing compliance with component and/or Department security policies, including the identification of sanctions and penalties for user non-compliance.
    3. Performing annual internal IT security program reviews.
    4. Approving, with the concurrence of the DSO and the CIO, waivers relating to non-U.S. citizens accessing or assisting in the development, operation, management, or maintenance of Department IT systems, and monitoring those waivers.
    5. Implementing a risk management process throughout each system life cycle.
    6. Performing certification and accreditation activities throughout the system life cycle.
    7. Ensuring best security practices (i.e., requirements) are implemented and maintained throughout the system life cycle:
      (1) Implementing configuration/change management.
      (2) Implementing an effective security education, training, and awareness program.
      (3) Administering a virus prevention and incident reporting program that coordinates with the Department's Computer Emergency Response Team (DOJCERT).
      (4) Ensuring separation of duties and assigning appropriate system permissions and responsibilities for component system users.
      (5) Managing user accounts and passwords.
      (6) Ensuring continuity of operations (system back-ups, redundancy, disaster recovery).

APPENDIX 1. REFERENCES.

The following references are applicable to the Department's IT security policy:

  1. CONGRESSIONAL MANDATES.
    1. Federal Information Systems Management Act of 2002 (FISMA), Pub. L. 107-347, Dec. 17, 2002, 116 Stat. 2899.
    2. Clinger Cohen Act of 1996, Pub. L. 104-106, Feb. 10, 1996, 110 Stat. 186; and Pub. L. 104-208, Sept. 30, 1996, 110 Stat. 3009.
    3. Computer Fraud and Abuse Act of 1986, 18 U.S.C. § 1030 (1996).
    4. Computer Security Act of 1987, 15 U.S.C. §§ 272, 278h, 278g-3, 278g-4.
    5. Electronic Communications Privacy Act of 1986, 18 U.S.C. § 2511.
    6. Federal Managers Financial Integrity Act of 1982 (FMFIA), Pub. L. 97-255, Sept. 8, 1982, 96 Stat. 814.
    7. Freedom of Information Act (FOIA), 5 U.S.C. § 552.
    8. Paperwork Reduction Act of 1995 (PRA), Pub. L. 104-13, May 22, 1995, 109 Stat. 163; 44 U.S.C. §§ 3501-3520.
    9. Privacy Act of 1974, 5 U.S.C. § 552a.

  2. FEDERAL/DEPARTMENTAL REGULATIONS/GUIDANCE.
    1. 28 C.F.R. § 45.4, Personal Use of Government Property.
    2. 36 C.F.R. Part 1194, Electronic and Information Technology Accessibility Standards (65 FR 80500, Dec. 21, 2000).
    3. 41 C.F.R. Part 101-35, Telecommunications Management Policy.
    4. Order DOJ 2610.2A, Employment Security Regulations.
    5. Government Paperwork Elimination Act, 44 U.S.C. § 3504.
    6. Order DOJ 2880.1A, Information Resources Management.

  3. PRESIDENTIAL AND OFFICE OF MANAGEMENT AND BUDGET (OMB) GUIDANCE.
    1. Executive Order 12958, Classified National Security Information, dated 20 April 1995.
    2. Executive Order 12968, Access to Classified Information, dated 4 August 1995.
    3. National Security Directive 42, National Policy for the Security of National Security and Telecommunications and Information Systems, dated 5 July 1990.
    4. Presidential Decision Directive 63, Protecting America's Critical Infrastructures.
    5. Presidential Decision Directive 67, Enduring Constitutional Government and Continuity of Government Operations.
    6. OMB Circular A-130, Management of Federal Information Resources (with Appendices and periodic revisions).
    7. OMB Memorandum M-99-18, Privacy Policy on Federal Web Sites.
    8. OMB Memorandum M-00-13, Privacy Policies and Data Collection on Federal Web Sites.
    9. General Accounting Office Federal Information System Control Audit Manual (FISCAM).
    10. OMB Memorandum M-01-05, Guidance on Inter-Agency Sharing of Personal Data - Protecting Personal Privacy.
    11. NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems.
    12. NIST Special Publication 800-16, Information Technology Security Training Requirements.
    13. NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems.
    14. Federal Information Processing Standards.
    15. International Standard 15408, Common Criteria for Information Technology Security Evaluation.
    16. DCID 6/3, Protecting Sensitive Compartmented Information within Information Systems.
    17. DCID 6/9, Manual for Physical Security Standards for Sensitive Compartmented Information Facilities.
    18. NSTISSI No. 7000, Tempest Countermeasures for Facilities.