Joint dodiis/cryptologic

APPENDIX A

(U) The following publications are the primary security regulations associated with, and affecting Information Systems (IS) Intelligence operations. This appendix is not an inclusive list of all security regulations.

Computer Fraud and Abuse Act, 18 U.S. Code section 1030, 1984.

Electronic Communications Privacy Act, 18 U.S. Code Section 2510, 1986.

Public Law 100-235, The Computer Security Act of 1987, 8 January 1988.

Executive Order 12333, United States Intelligence Activities, 4 December 1981.

Executive Order 12829, National Industrial Security Program, 6 January 1993.

Executive Order 12958, Classified National Security Information, 20 April 1995.

Common Criteria for Information Technology Security Evaluation, CCIB-98-026, Version 2.0, May 1998.

DCID 1/19, Security Policy Manual for Sensitive Compartmented Information and Security Policy Manual, 1 March 1995.

DCID 1/21, Physical Security Standards for SCIFs, 29 July 1994.

DCID 2/12, Community Open Source Program, 1 March 1994.

The Intelligence Community Open Source Strategic Plan, 21 April 1993.

NSTISSAM TEMPEST/2-95, National Security Telecommunications and Information Systems Security Advisory Memorandum (NSTISSAM) TEMPEST/2-95 (formerly NACSIM 5203), Red/Black Installation Guidelines, 12 December 1995.

NSTISSI 3013, National Security Telecommunication and Information Systems Security Instruction (NSTISSI) 3013, Operational Security Doctrine for the Secure Telephone Unit III (STU-III) Type 1 Terminal, 8 February 1990.

NSTISSI 4009, National Security Telecommunication and Information Systems Security Instruction (NSTISSI) 4009, National Information Systems Security (INFOSEC) Glossary, January 1999.

NSTISSI 7000, National Security Telecommunications and Information Systems Security Instruction (NSTISSI) 7000, TEMPEST Countermeasures For Facilities, 29 November 1993.

NSTISSI 7003, National Security Telecommunications and Information Systems Security Instruction (NSTISSI) 7003 (C/NF), Protected Distribution Systems, 13 December 1996.

NSTISSP 300, National Security Telecommunications and Information Systems Security Policy (NSTISSP) 300, National Policy on Control of Compromising Emanations, 29 November 1993.

OMB Circular A-130, Management of Federal Information Resources, 15 July 1994, and principally, Appendix III, Security of Federal Automated Information, February 1996.

DoD 5105.21-M-1, Sensitive Compartmented Information Administrative Security Manual (U), August 1998.

DoD Directive 5200.1-R, Information Security Program Regulation, January 1997.

DoD Directive 5200.2-R, Policy on Investigation and Clearance of DoD Personnel for Access to Classified Defense Information, 15 February 1986

DoD Directive C-5200.5, Communications Security (COMSEC), 21 April 1990.

DoD Directive C-5200.19, Control of Compromising Emanations, 16 May 1995.

DoD Directive 5200.28, Security Requirements for Automated Information Systems (AIS), 21 March 1988.

DoD Directive 5215.1, Computer Security Evaluation Center, 25 October 1982.

DoD Directive 5220.22, DoD Industrial Security Program, 8 December 1980.

DoD 5220.22-R, Industrial Security Regulation, December 1985.

DoD 5220.22-M, National Industrial Security Program Operating Manual (NISPOM), January 1995, and its Supplement, dated February 1995.

DoD Directive 5240.4, Reporting of Counterintelligence and Criminal Violations, 22 September 1992.

DoD Trusted Computer System Evaluation Criteria (Orange Book of the Rainbow Series), December 1985.

DEFENSE INTELLIGENCE AGENCY (DIA) PUBLICATIONS

DIA Manual 50-4, Department of Defense (DoD) Intelligence Information Systems (DoDIIS) Information Systems Security (INFOSEC) Program, 30 April 1997.

DIA Regulation 50-2, Information Security Program, 15 July 93

Defense Intelligence Management Document SC-2610-141-93, DoDIIS Site Information Systems Security Officer’s (ISSO) Handbook, November 1993.

Defense Intelligence Management Document DS-2610-142-00, DoD Intelligence Information System (DoDIIS) Security Certification and Accreditation Guide April 2000.

Defense Intelligence Management Document SC-2610-143-93, DoDIIS Site Certifier’s Guide, November 1993.

The Intelligence Community Open Source Strategic Plan, 21 April 1993.

NATIONAL SECURITY AGENCY (NSA)/CENTRAL SECURITY SERVICE (CSS) PUBLICATIONS

NSA/CSS Circular 25-5, Systems Acquisition Management, 3 April 1991.

NSA/CSS Circular 90-11, Protected Wireline Distribution System for COMINT Facilities, 7 June 1993.

NSA/CSS Classification Guide 75-98, 20 February 1998.

NSA/CSS Directive 21-1, DoD Computer Security Center Operations, 29 March 1984.

NSA/CSS Directive 130-1, Operational Information System & Network Security Policy, 17 October 1990.

NSA/CSS Manual 130-1, Operational Computer Security, October 1990.

NSA/CSS Manual 130-2, Media Declassification and Destruction Manual, November 2000.

NSA/CSS Regulation 110-2, The NSA/CSS ADP Program, 27 November 1981.

NSA/CSS Regulation 120-1, Reporting of Security Incidents and Criminal Violations, 16 March 1989.

NSA/CSS Regulation 120-24, STU-III Security Requirements, 20 February 1990.

NSA/CSS Regulation 130-2, Computer Virus Prevention Policy, 13 January 1993.

NSA/CSS Regulation 130-3, Security Testing of NSA/CSS Automated Information Systems (AIS) and Networks, 24 July 1992.

NSA/CSS Regulation 130-4, Computer Security for Connection of an Automated Information System (AIS) to the STU-III (type 1) Terminal Data Port, 27 July 1993.

NSA/CSS Regulation 130-5, Use of Unclassified Publicly Accessible Computer Networks and information Systems such as the INTERNET (U), 15 July 1996.

USSID 12, United States Signals Intelligence (SIGINT) Directive 12, Automatic Data Processing (ADP) Policy for SIGINT Operations, 20 October 1980.

NSA/CSS Information Systems Certification and Accreditation Process (NISCAP), 15 October 2000