Processing Classified Information on Portable Computers in the Department of Justice

Audit Report 05-32
July 2005
Office of the Inspector General


Appendix III

Classified Laptop and Standalone Computers
Security Policy, Standard 1.6



Department of Justice
Information Technology Security Standard
Management Controls
1.6 Classified Laptop and
Standalone Computers Security Policy

Version 1.1
August 19, 2004




 Information Technology Security Staff
601 Pennsylvania Avenue NW Suite 230
Washington, DC 20530
202-353-3925



Table of Contents

  1 FOREWORD
    1.1    Feedback
    1.2    Waivers/Exceptions

  2 OVERVIEW
    2.1    CONTENT SCOPE
    2.2    POLICY
    2.3    APPLICABILITY
    2.4    REFERENCES

  3 REQUIREMENTS
    3.1    Administrative Security
    3.2    Physical Security
    3.3    Personnel Security
    3.4    Identification and Authentication
    3.5    Audit Trail & Review
    3.6    Logical Access Control
    3.7    Password Management
    3.8    Software Security
    3.9    Telecommunications Security
    3.10   Media Security
    3.11   Continuity of Operations
    3.12   Incident Response
    3.13   Encryption

    ATTACHMENT 1: SECURITY ACKNOWLEDGEMENT STATEMENT FOR AUTHORIZED END-USERS

    ATTACHMENT 2: SECURITY ACKNOWLEDGEMENT STATEMENT FOR SYSTEM ADMINISTRATORS

    ATTACHMENT 3: HARDWARE AND SOFTWARE CONFIGURATIONS OF CLASSIFIED LAPTOP AND STANDALONE COMPUTERS

    ATTACHMENT 4: LIST OF ACRONYMS

    ATTACHMENT 5: SAMPLE CLASSIFIED COMPUTER USAGE LOG

    ATTACHMENT 6: SAMPLE CLASSIFIED COMPUTER MAINTENANCE LOG

    ATTACHMENT 7: CLASSIFIED LAPTOP AND STANDALONE COMPUTER TECHNICAL CHECKLIST



1 FOREWORD

1. PURPOSE. This standard establishes uniform Information Technology Security Management Controls for laptop and standalone computers storing, processing, or transmitting National Security Information. This document contains directive materials to guide Department components in the development of appropriate controls and processes for these categories of systems.

2. SCOPE. The provisions of this standard apply to all Department Components, personnel, IT systems to include hardware, software, and media, facilities, and contractors acting on behalf of the Department. This standard also applies to any outside organizations, or their representatives, who are granted access to the Department’s IT resources, such as other Federal agencies.

3. CANCELLATION. N/A

4. AUTHORITIES. The Deputy Chief Information Officer, IT Security, is responsible for providing security policy, guidance, implementation and oversight for IT systems. Questions or comments regarding this standard can be directed to the IT Security Staff.


Signed on August 19, 2004 by:

VANCE E. HITCH
Chief Information Officer
Department of Justice

1.1 Feedback

Questions or comments concerning this document should be addressed to:

Deputy Director, Information Technology Security Staff
U.S. Department of Justice
601 Pennsylvania Avenue, NW
Suite 230
Washington, D.C. 20530
202-353-3925

1.2 Waivers/Exceptions

If the minimum requirements cannot be met, organizations shall request a waiver. Waivers or exceptions to individual Department standards shall be obtained by submitting, in writing to the Department of Justice Chief Information Officer (CIO), detailed information stating business, technical, or other issues associated with implementing the standards and the alternative countermeasures that will be put in place to ensure that this standard is being enforced. An action plan shall accompany the request which states how and when existing deficiencies or non-compliance will be mitigated or resolved.

Document History

Version #   Date              Description of Change                                       Author
0.1         March 17, 2004    Initial Draft.                                              John Wyatt
0.2         March 18, 2004    Minor corrections and additions.                            John Wyatt
0.3         March 26, 2004    Changes to address comments to date from ITSS               John Wyatt
0.4         March 30, 2004    Changes to address more comments from ITSS                  John Wyatt
0.5         March 31, 2004    Changes to address more comments from ITSS                  John Wyatt
0.7         April 20, 2004    Changes to address more comments from ITSS                  John Wyatt
1.0         July 30, 2004     Changes to address more comments from Components and ITSS   John Wyatt
1.1         August 19, 2004   Changes to address more comments from SEPS and ITSS         John Wyatt



2 OVERVIEW

2.1 Content Scope

This document assigns responsibilities and addresses the information security policies for ensuring the confidentiality, integrity, and availability of Classified Laptop Computers and Classified Standalone Computers in the Department of Justice.

2.2 Policy

Department policy in this area is provided by DOJ Order 2640.2E or its successors. This DOJ Order states: “Laptops and mobile computing devices are not authorized to process or store classified information unless approved in writing by the DSO and Department CIO. The Department CIO will issue standards for devices authorized for such use and will coordinate authorized standards with the DSO.” In support of this policy, this standard contains the requirements for laptop computers that process or store classified information. In addition, this standard contains requirements for standalone computers that process or store classified information.

Consistent with the definitions used in the National Information Assurance Glossary and the National Information Assurance Certification and Accreditation Process (NIACAP), the Information Security Policy for a system is defined as “The aggregate of directives, regulations, rules, and practices that regulate how an organization manages, protects, and distributes information.” This policy draws from and supplements requirements contained in DOJ Order 2640.2E, the other DOJ IT Security Standards, the DOJ Security Program Operating Manual (SPOM), and other applicable national policies, federal laws, directives, regulations, rules and practices. In the event of a conflict between requirements contained herein and those in the reference documents, such conflicts should be brought to the attention of the DOJ Information Technology Security Staff for resolution.

All Government employees and contractor personnel will adhere to the DOJ SPOM and other applicable information security policies and procedures during all activities associated with the processing of such information on classified laptop computers and classified standalone computers. All information technology system components and media that process, store, or otherwise handle classified information must also be protected in accordance with the SPOM.

2.3 Applicability

This document applies to the implementation, management, administrative, maintenance, and end user personnel and facilities throughout the life cycle of each classified laptop computer and classified stand-alone computer.

2.4 References

DOJ 2640.2E              DOJ Order Regarding Information Technology Security
DOJ 2620.7               Control and Protection of Limited Official Use Information
DOJ/SPOM                 Security Program Operating Manual
FIPS 197                 Advanced Encryption Standard (AES)
DCID 6/3                 Protecting Sensitive Compartmented Information Within Information Systems
NSTISSI No. 1000         National Information Assurance Certification and Accreditation Process (NIACAP)
NTISSAM COMPUSEC/1-87    Advisory Memorandum on Office Automation Security Guideline
OMB Circular A-130       Management of Federal Information Resources
5 CFR Part 930           Training Requirement for the Computer Security Act
18 U.S.C. 2510           Electronic Communications Privacy Act
95 U.S.C. 552a           Privacy Act of 1987
DOJ ITS Standards        ITS Standard 1.1 Risk Management
                         ITS Standard 1.2 Review Security Controls
                         ITS Standard 1.3 Security Planning
                         ITS Standard 1.4 Certification and Accreditation
                         ITS Standard 1.5 System Security Plan
                         ITS Standard 2.1 Personnel IT Security
                         ITS Standard 2.2 Physical & Environmental IT Security
                         ITS Standard 2.3 Production Input Output IT Security
                         ITS Standard 2.4 Contingency Planning
                         ITS Standard 2.5 System Maintenance
                         ITS Standard 2.6 Data Integrity
                         ITS Standard 2.7 Security Documentation
                         ITS Standard 2.8 Security Awareness Training Education
                         ITS Standard 2.9 Incident Response and Reporting
                         ITS Standard 3.1 Identification and Authentication
                         ITS Standard 3.2 Logical Access Control
                         ITS Standard 3.3 Accountability and Audit.



3 REQUIREMENTS

The security policies to which classified laptop and standalone computers are subject have been developed to ensure the safe and secure operation of those computers. They are based on the minimum DOJ requirements mandated by DOJ Order 2640.2E, the DOJ Security Program Operating Manual (SPOM), the Office of Management and Budget Circular A-130, Appendix III, Management of Federal Information Resources, the National Information Assurance Certification and Accreditation Process (NIACAP), and the Director of Central Intelligence Directive (DCID) 6/3, Protecting Sensitive Compartmented Information Within Information Systems. In addition, all policies that are identified in the DOJ IT Security Standards apply to the classified laptop and standalone computers. Additional specific requirements for classified laptop and standalone computers, discussed below, are in the following categories:

  • Administrative Security
  • Physical Security
  • Personnel Security
  • Identification and Authentication
  • Audit Trail & Review
  • Logical Access Control
  • Password Management
  • Software Security
  • Telecommunications Security
  • Media Security
  • Continuity of Operations
  • Incident Response
  • Encryption.

Specific technical requirements that apply to classified laptop and standalone computers are contained in Attachment 3, Hardware and Software Configurations of Classified Personal Computers.

In addition, each classified laptop and standalone computer must be certified and accredited prior to use and re-certified and re-accredited every three years or whenever a major system change occurs. To limit the unnecessary duplication of certification and accreditation activities, the Justice Management Division performed a “type accreditation” for classified laptop and standalone computers. Components are encouraged to implement computers consistent with the type accreditation. Information regarding the “type accreditation” for classified laptop and standalone computers can be obtained from the Certification and Accreditation Help Desk at 202-353-3925.

3.1 Administrative Security

Administrative security pertains to the implementation of a risk management program. The following policies apply to the management of classified laptop and standalone computers:

  • Each classified laptop and standalone computer will operate in either the Dedicated mode or the System High mode (as defined in the Security Program Operating Manual).
  • ISSOs and SAs should follow the recommended process in Attachment 7 or a similar, locally generated, process to configure classified computers.
  • No external systems, networks, or communications devices may be connected to classified laptop and standalone computers. (Classified computers that are intended to connect to classified computer networks are beyond the scope of this policy.)
  • Wireless peripherals and wireless communications capabilities shall NOT be used with the classified computers that are supported by this security policy.
  • The Certification Official will collect and maintain an inventory of all classified computers that are supported by this security policy.

3.2 Physical Security

Physical security encompasses the measures taken to protect classified laptop and standalone computers against threats associated with the physical environment. The following physical security policies apply:

  • Classified information SHALL ONLY be processed at approved U.S. Government facilities or approved contractor facilities.
  • When not in use, classified laptop computers must be stored in approved security containers or in office areas approved for open storage commensurate with the classification level of the computers.
  • Classified standalone computers with fixed hard disks can only be placed and used in office areas approved for open storage commensurate with the classification level of the computers.
  • When not in use, removable classified hard disks as well as all media must be stored commensurate with the classification level of the computers.
  • SCI computers can only be stored in a Sensitive Compartmented Information Facility (SCIF).
  • Classified non-SCI systems can only be stored in an approved security container or in an office area approved for the open storage of classified information.

3.3 Personnel Security

Personnel security pertains to staffing positions that interact with information systems and providing security awareness and training to the incumbents in these positions. The following policies apply to classified laptop and standalone computers:

  • All personnel with access to classified information will receive background checks commensurate with the sensitivity of their positions.
  • All persons with access to classified laptop and standalone computers will receive initial and annual security awareness training.
  • All personnel using classified laptop and standalone computers shall possess a security clearance equal to or higher than the classification level of the information stored on the computers.

3.4 Identification and Authentication

The purpose of authentication is to provide for the reliable and proven identification of the user of the classified laptop and standalone computer. The following additional requirement applies:

  • A separate and unique user identifier will be assigned to each person who has access to the classified laptop and standalone computer. This identifier will be authenticated using a password authentication mechanism.

3.5 Audit Trail & Review

An audit trail is a chronological record of system activities that is sufficient to enable the reconstruction, review, and examination of a sequence of activities performed on a computer by one or more End Users or System Administrators. The classified laptop and standalone computer will meet all audit requirements promulgated in the ITS Standard 3.3, Accountability and Audit.

3.6 Logical Access Control

Logical access controls provide a technical means to control user access to information and system resources. They control what information users can access, the programs they can run, and the modifications they can make. The requirements for logical access control for classified laptop and standalone computers are contained in ITS Standard 3.2, Logical Access Control.

3.7 Password Management

Password management includes the generation, issuance, and control of the passwords that support authentication. Specific password management requirements are contained in ITS Standard 3.1, Identification and Authentication.

3.8 Software Security

The following policies apply to the installation and configuration of operating system and application software on the classified computer systems:

  • Executable software will be identified in the system security plan and protected from unauthorized modification.
  • A process to evaluate, test, and apply vendor-supplied patches, program fixes, and updates must be available. The process shall include a provision to expedite the application of high risk/high impact security-related patches. (This process will be complicated by the lack of network connectivity for classified laptop and standalone computers.)

3.9 Telecommunications Security

Telecommunications security is concerned with the protection of data during transmission. As currently defined, there will be no telecommunications capability for the classified laptop and standalone computers.

3.10 Media Security

The following policies apply to the marking and disposition of tapes, diskettes, hard drives, printouts, or any other media containing classified information:

  • Any media containing classified information will be marked with its classification and other identifying information based on requirements contained in section 8-203 of the DOJ Security Program Operating Manual. (Media labels will be color-coded depending on the classification of the information contained on the media as specified in DCID 6/3.)
  • Prior to release or disposal, electronic media containing classified data must be sanitized in accordance with section 8-207 of the DOJ Security Program Operating Manual, Disposition of Computer Media.

3.11 Continuity of Operations

The continuation of critical missions and business functions in the event of disruptions is assured by preparing in advance for contingencies and disasters. The ISSO, ISSM, and SA for each classified laptop and standalone computer should establish a contingency plan for the computer. The contingency plans for classified laptop and standalone computers shall be consistent with ITS Standard 2.4, Contingency Planning. In addition, any off-site storage facility must be approved for the storage of classified information and media.

3.12 Incident Response

An information system incident is an unexpected, unplanned event that could have a negative impact on information technology resources. It requires immediate action to prevent further negative impacts. It may be an event that violates security policies or one that circumvents security mechanisms (e.g., intrusions, malicious software). Incident response for the classified laptop and standalone computers shall be consistent with ITS Standard 2.9, Incident Response and Reporting and the SPOM. The incident response plan for the classified laptop and standalone computers provides for the handling of incidents via each component’s standard incident reporting and response procedures.

3.13 Encryption

Encryption of the hard drive is performed on classified computer systems to protect against access by unauthorized persons (i.e., people without the requisite clearance and need-to-know). However, the software encryption technology currently employed on the DOJ classified laptop and standalone computers is not robust enough to protect classified information from exploitation by a well-funded and skilled adversary who has physical access to the computer or the data contained on the computer. Therefore, even though the information on the hard disks is encrypted, the computer must be protected as a classified item. The following requirements apply to the encryption process used to protect information on the hard disks of classified laptop and standalone computers:

  • All information shall be encrypted using an ITSS-approved encryption software package.
  • Passwords, access devices, and cryptographic keys associated with the encryption process must be handled as classified information.

When a classified computer system is provided to a defense attorney, at the discretion of the U.S. Attorney, it is acceptable to not implement the ITSS-approved encryption package.



ATTACHMENT 1: SECURITY ACKNOWLEDGEMENT STATEMENT FOR AUTHORIZED END-USERS

I understand that as an authorized user of a classified laptop and standalone computer, it is my responsibility to comply with all security measures necessary to prevent the unauthorized disclosure, modification, or destruction of information and the unauthorized modification or loss of control of a classified laptop and standalone computer.

I understand that the computer to which I will have access has been specially configured for classified processing based on guidelines from the DOJ Information Technology Security Staff (ITSS). I acknowledge that the configuration of this computer is subject to change and that upgrades to the configuration of this computer may occur to better satisfy requirements for classified processing. I agree to make this computer available upon reasonable notice to have the configuration altered by representatives of the DOJ ITSS. I agree to comply with the following Rules of Behavior that apply to authorized end-users of classified laptop and standalone computers:

  1. Protect and safeguard information in accordance with the applicable Department practices and procedures including the DOJ Security Program Operating Manual.
  2. Complete computer security awareness training annually.
  3. Operate the computer only in those areas approved for the classification level of the computer unless specific authorization has been received from the Information System Security Officer to operate the computer in other areas.
  4. Store the computer or the removable hard disk in an approved security container (or in a facility approved for open storage) when it is not in use.
  5. Never remove the computer from cleared DOJ facilities without specific approval of the Information System Security Officer and the Security Program Manager.
  6. Sign all logs, forms, and receipts as required.
  7. Properly mark the classification of each document and section in accordance with the applicable DOJ and program classification guides.
  8. Protect all media used on the computer by properly classifying, labeling, controlling, transmitting, and destroying it in accordance with security requirements.
  9. Protect all hard copy produced at the highest classification level of system approval until reviewed for proper classification and control.
  10. Notify the Information System Security Officer when access to the computer is no longer needed (e.g., transfer, termination, leave of absence, or for any period of extended non-use).
  11. Choose a password in compliance with DOJ password policies and change that password as required by the password policies. In addition, use a different password than is used on other DOJ systems.
  12. Protect the password as classified information at the level of classification authorized for the computer.
  13. Ensure compliance with software and copyright laws.
  14. Obtain permission from the Information System Security Officer before changing any of the configurations and settings of the operating system and security-related software.
  15. Never install any software without the explicit approval of the Information System Security Officer.
  16. Unless authorized by the Information System Security Officer, never add, modify, or remove hardware accessories to the computer.
  17. Unless authorized by the Information System Security Officer, never connect any peripherals (e.g., printers) or networks to the computer.
  18. Unless authorized by the Information System Security Officer, never access the internal components of the computer.
  19. Make the computer available at any time to the Information System Security Officer for inspection and review of audit logs.
  20. Make the computer available at any time to the System Administrator for the installation of patches and other system administration activities.
  21. Never circumvent the security mechanisms used on and by the computer.
  22. Unless authorized by the Information System Security Officer, never test the capabilities of the security control software that is installed on the computer.
  23. Unless authorized by the Information System Security Officer, never attempt to access any electronic audit trails that may exist on the computer.
  24. Immediately report, to the Information System Security Officer, any evidence of tampering with the computer.

I understand that these Rules of Behavior establish standards of actions in recognition of the fact that knowledgeable users are the foundation of a successful security program, and that non-compliance to these rules will be enforced through sanctions commensurate with the level of infraction. Administrative actions due to failure to follow these Rules of Behavior may range from a verbal or written warning, removal of system access for a specific period of time, reassignment to other duties, to termination, depending on the severity of the violation. In addition, activities that lead to or cause the disclosure of classified information may result in criminal prosecution under the U.S. Code, Title 18, Section 798, and other applicable statutes.

________________________________   ______________
Printed Name of User                            Date

_________________________________________
Signature



ATTACHMENT 2: SECURITY ACKNOWLEDGEMENT STATEMENT FOR SYSTEM ADMINISTRATORS

I understand that as an authorized system administrator of classified laptop and standalone computers, it is my responsibility to comply with all security measures necessary to prevent the unauthorized disclosure, modification, or destruction of information and the unauthorized modification or loss of control of a classified laptop and standalone computer.

I understand that the computers to which I will have access have been, or will be, specially configured for classified processing based on guidelines from the DOJ Information Technology Security Staff (ITSS). I agree to properly implement guidelines from the ITSS in a timely manner on classified computers. I acknowledge that the configuration of the computer(s) is subject to change and that upgrades to the configuration of the computer(s) may occur to better satisfy requirements for classified processing. I agree to make the computer(s) available upon reasonable notice to have the configuration altered by representatives of the DOJ ITSS; or, if so directed, to make changes to the computer(s) consistent with guidance from DOJ Order 2640.2E, the IT Security Standards and directives from the ITSS.

I agree to comply with the following Rules of Behavior that apply to authorized system administrators of classified laptop and standalone computers:

  1. Ensure that the Certification Agent (CA) or a CA appointed agent validates system security at least annually.
  2. Protect and safeguard information in accordance with the applicable Department practices and procedures including the DOJ Security Program Operating Manual.
  3. Make the computer(s) available for reviews of the security configuration by independent testers.
  4. Complete computer security awareness training annually.
  5. Operate the computer(s) only in those areas approved for the classification level of the computer(s) unless specific authorization has been received from the Information System Security Officer to operate the computer(s) in other areas.
  6. Store the computer or the removable hard disk in an approved security container (or in a facility approved for open storage) when it is not in use.
  7. Never remove the computer(s) from cleared DOJ facilities without specific approval of the Information System Security Officer and the Security Program Manager.
  8. Sign all logs, forms, and receipts as required.
  9. Protect all media used on the computer(s) by properly classifying, labeling, controlling, transmitting, and destroying it in accordance with security requirements.
  10. Protect all hard copy produced at the highest classification level of system approval until reviewed for proper classification and control.
  11. Notify the Information System Security Officer when access to the computer(s) is no longer needed (e.g., transfer, termination, leave of absence, or for any period of extended non-use).
  12. Choose a password in compliance with DOJ password policies and change that password as required by the password policies. In addition, use a different password than is used on other DOJ systems.
  13. Protect the password as classified information at the level of classification authorized for the computer(s).
  14. Ensure compliance with software and copyright laws.
  15. Obtain permission from the Information System Security Officer before changing any of the configurations and settings of the operating system and security-related software.
  16. Never install any software without the explicit approval of the Information System Security Officer.
  17. Unless authorized by the Information System Security Officer, never add, modify, or remove hardware accessories to the computer(s).
  18. Unless authorized by the Information System Security Officer, never connect any peripherals (e.g., printers) or networks to the computer(s).
  19. Unless authorized by the Information System Security Officer, never access the internal components of the computer(s).
  20. Make the computer(s) available at any time to the Information System Security Officer for inspection and review of audit logs.
  21. Never circumvent the security mechanisms used on and by the computer(s).
  22. Unless authorized by the Information System Security Officer, never test the capabilities of the security control software that is installed on the computer(s).
  23. Unless authorized by the Information System Security Officer, never attempt to access any electronic audit trails that may exist on the computer(s).
  24. Immediately report, to the Information System Security Officer, any evidence of tampering with the computer(s).

I understand that these Rules of Behavior establish standards of actions in recognition of the fact that knowledgeable users are the foundation of a successful security program, and that non-compliance to these rules will be enforced through sanctions commensurate with the level of infraction. Administrative actions due to failure to follow these Rules of Behavior may range from a verbal or written warning, removal of system access for a specific period of time, reassignment to other duties, to termination, depending on the severity of the violation. In addition, activities that lead to or cause the disclosure of classified information may result in criminal prosecution under the U.S. Code, Title 18, Section 798, and other applicable statutes.

________________________________   ______________
Printed Name of User                            Date

_________________________________________
Signature



ATTACHMENT 3: HARDWARE AND SOFTWARE CONFIGURATIONS OF CLASSIFIED LAPTOP AND STANDALONE COMPUTERS

Classified Laptop Computers

  • Recommended Hardware Configuration
    - A laptop computer with a currently available microprocessor.
    - 256 Mbytes of memory or more.
    - 40 Gbytes of hard disk space (or more) completely encrypted by ITSS-approved disk encryption software.
    - Floppy disk drive (Read/Write/Execute/Delete)
    - CD ROM drive (Read/Write/Execute)
    - Mouse connected through P2 port.
    - Printer connected through USB or parallel port.

  • Mandatory Hardware Features
    - Wired connections between all components (e.g., laptop screen, laptop base, printer, mouse)
    - All Ethernet and modem cards are disabled.
    - Docking station port physically disabled.
    - Infrared hardware physically disabled.
    - All wireless ports physically disabled.
    - All unused ports physically disabled.
    - Boot only from hard disk to properly start the hard disk encryption/decryption software.
    - No network connectivity permitted.

  • Software Configuration
    - Current DOJ-approved operating system with the ITSS-approved service pack.
    - DOJ-approved disk encryption software.
    - DOJ-approved office suite software including word processor, spreadsheet, and presentation graphics
    - DOJ-approved anti-virus software, with current virus signatures.
    - Software drivers for infrared and wireless ports must be removed or disabled.

Classified Stand-Alone Computers

  • Recommended Hardware Configuration
    - A desktop computer with a currently available microprocessor.
    - 256 Mbytes of memory or more.
    - 40 Gbytes of hard disk space (or more) completely encrypted by DOJ-approved disk encryption software.
    - Floppy disk drive (Read/Write/Execute/Delete)
    - CD ROM drive (Read/Write/Execute)
    - Mouse connected through P2 port.
    - Printer connected through USB or parallel port.

  • Mandatory Hardware Features
    - Wired connections between all components (e.g., monitor, system unit, printer, mouse)
    - All Ethernet and modem cards are disabled.
    - Infrared hardware physically disabled.
    - All wireless ports physically disabled.
    - All unused ports physically disabled.

  • Software Configuration
    - Current DOJ-approved operating system with the DOJ-approved service pack.
    - DOJ-approved disk encryption software.
    - DOJ-approved office suite software including word processor, spreadsheet, and presentation graphics
    - DOJ-approved anti-virus software, with current virus signatures.
    - Software drivers for infrared and wireless ports must be removed or disabled.

Computers with Removable Hard Drives

  • Recommended Hardware Configuration
    - An Intel-based laptop computer with a Pentium IV microprocessor.
    - 256 Mbytes of memory or more.
    - Removable hard disk with 40 Gbytes of hard disk space (or more) completely encrypted by the ITSS-approved encryption software.
    - Removable hard disk receptacle with a key lock.
    - Floppy disk drive (Read/Write/Execute/Delete)
    - CD ROM drive (Read/Write/Execute)
    - Mouse connected through P2 port.
    - Printer connected through USB or parallel port.

  • Mandatory Hardware Features
    - Wired connections between all components (e.g., monitor, system unit, printer, mouse)
    - All Ethernet and modem cards are disabled.
    - Infrared hardware physically disabled.
    - All wireless ports physically disabled.
    - All unused ports physically disabled.

  • Software Configuration
    - Current DOJ-approved operating system with the DOJ-approved service pack.
    - DOJ-approved disk encryption software.
    - DOJ-approved office suite software including word processor, spreadsheet, and presentation graphics
    - DOJ-approved anti-virus software, with current virus signatures.
    - Software drivers for infrared and wireless ports must be removed or disabled.
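
The Mandatory Hardware Features above differ by computer class: the docking station and boot-only-from-hard-disk items appear only in the laptop list. The following added example (not part of the DOJ standard) audits one inventory record against those items; every field name and state value in it is a hypothetical convention, and the sample record is constructed.

```python
# Added example: field names and state values are hypothetical, not from the standard.
NETWORK = {"ethernet", "modem"}   # "All Ethernet and modem cards are disabled."
RADIO = {"infrared", "wireless"}  # physically disabled, driver removed or disabled
OFF = {"disabled", "physically_disabled"}

def audit(machine):
    """Return a list of findings; an empty list means no deviation was found."""
    findings = []
    laptop = machine["kind"] == "laptop"
    for port in machine["ports"]:
        name, ptype = port["name"], port["type"]
        phys_off = port["state"] == "physically_disabled"
        if ptype in NETWORK:
            if port["state"] not in OFF:
                findings.append(f"{name}: Ethernet/modem card is not disabled")
        elif ptype in RADIO:
            if not phys_off:
                findings.append(f"{name}: {ptype} hardware is not physically disabled")
            if port.get("driver_loaded"):
                findings.append(f"{name}: {ptype} driver is not removed or disabled")
        elif ptype == "docking":  # listed only under Classified Laptop Computers
            if laptop and not phys_off:
                findings.append(f"{name}: docking station port is not physically disabled")
        elif not port.get("in_use") and not phys_off:
            findings.append(f"{name}: unused port is not physically disabled")
    for dev in machine.get("peripherals", []):
        if dev["link"] != "wired":
            findings.append(f"{dev['name']}: component is not connected by wire")
    # "Boot only from hard disk" appears only in the laptop list.
    if laptop and machine.get("boot_order") != ["hard_disk"]:
        findings.append("boot: must boot only from hard disk")
    return findings

# Constructed sample record (not real inventory data).
SAMPLE_LAPTOP = {
    "kind": "laptop",
    "boot_order": ["cdrom", "hard_disk"],
    "ports": [
        {"name": "eth0", "type": "ethernet", "state": "disabled"},
        {"name": "modem0", "type": "modem", "state": "enabled"},
        {"name": "irda0", "type": "infrared", "state": "disabled", "driver_loaded": True},
        {"name": "wlan0", "type": "wireless", "state": "physically_disabled"},
        {"name": "dock0", "type": "docking", "state": "physically_disabled"},
        {"name": "serial0", "type": "serial", "state": "enabled"},
        {"name": "usb0", "type": "usb", "state": "enabled", "in_use": True},
    ],
    "peripherals": [{"name": "printer", "link": "wired"}],
}
print("\n".join(audit(SAMPLE_LAPTOP)))
```

Each finding maps to an entry the SA would correct and record on the maintenance log before the computer is placed in service.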



ATTACHMENT 4: LIST OF ACRONYMS

AO          Authorizing Official
C&A         Certification and Accreditation
CA          Certification Agent
CIO         Chief Information Officer
DAA         Designated Approving Authority
DCID        Director of Central Intelligence Directive
DOJ         Department of Justice
DOJ CERT    DOJ Computer Emergency Response Team
DSO         Department Security Officer
FIPS        Federal Information Processing Standard
ISSM        Information System Security Manager
ISSO        Information System Security Officer
IT          Information Technology
ITSS        Information Technology and Security Staff
NIACAP      National Information Assurance Certification and Accreditation Process
PC          Personal Computer
SA          System Administrator
SEPS        Security and Emergency Planning Staff
SPM         Security Program Manager
ST&E        Security Test and Evaluation



ATTACHMENT 5: SAMPLE CLASSIFIED COMPUTER USAGE LOG

Date | User/Administrator Name | Function (e.g., Word Processing, Printing, Administration) | Document Name | Time Started | Time Stopped



ATTACHMENT 6: SAMPLE CLASSIFIED COMPUTER MAINTENANCE LOG

Date | Administrator Name | Action Performed | Time Started | Time Stopped



ATTACHMENT 7: CLASSIFIED LAPTOP AND STANDALONE COMPUTER TECHNICAL CHECKLIST

  1. Determine if a laptop or stand-alone (desktop) computer is more appropriate:
    a. Is a GSA-approved safe available for storage of a laptop computer or removable hard disk?
    b. Is the facility where the computer will be used approved for the open storage of classified material?
      If the answer to a is “yes”, a laptop computer or computer with removable hard disk is appropriate.
      If the answer to b is “yes”, a stand-alone computer may be used for classified processing.
      If the answer to both questions is “no”, classified processing cannot be performed until a safe is acquired or the facility is approved for open storage.
  2. Appoint an Information System Security Officer (ISSO) and System Administrator (SA) for the classified computer. Provide the name, address, telephone number, and e-mail address of the ISSO and SA to ITSS.
  3. Acquire the computer that is to be used for classified processing. Inspect the computer for completeness and verify that no tampering is evident before proceeding further. (If tampering is evident, do not use the computer for classified processing and seek guidance on appropriate steps from the Security Program Manager.)
  4. The ISSO will establish a Usage Log and Maintenance Log for the computer.
  5. The ISSO will attach security classification stickers. (From this point on, the computer must be treated as a classified item.)
  6. The SA will configure the hardware and software:

    a. Typically, new computers will be delivered with the operating system and certain applications already installed.

    b. Verify that the computers comply with the requirements in Attachment 3 of the Classified Laptop and Stand-Alone Computers Security Policy. In particular, ensure that there are no wireless (RF or Infrared) ports active and, if necessary, disable any such ports that are found. Disable any internal modems.

    c. Obtain a copy of the ITSS-approved disk encryption software from the JCON help desk.

    d. If possible, prior to the installation of the disk encryption software, make a complete backup of the hard disk to support restoration of the software in the event that the disk encryption software installation does not successfully complete.

    e. Install and configure the disk encryption software.

    f. Install any additional ISSO-approved application software.

    g. Record on the system maintenance log that the operating system, disk encryption software, and application software were successfully installed.

    h. Disable any unneeded hardware interfaces (e.g., serial ports) and record this appropriately on the system maintenance log.
  7. The ISSO will report the following about the newly-configured classified computer to the ITSS:

    • Computer Model and Serial Number
    • Classification Level (e.g., Top Secret)
    • Date Placed In Service
  8. The ISSM will arrange for an initial independent verification of the configuration and logs of the classified computer.
  9. The ISSM will work with the ISSO to schedule reviews of the configurations and logs of each classified computer.


