Joint dodiis/cryptologic



Date: 03.08.2018

MULTI-POSITION SWITCHES



19.1 (U) PURPOSE. The purpose of this chapter is to provide the policy and procedures outlining the minimum requirements for the management of multi-position switches. This policy applies to all elements that use multi-position switches to share a common keyboard, mouse and monitor between different CPUs. These CPUs may process, store, produce, or transmit information of different classifications, compartments, sub-compartments, code words or releasability.
19.2. (U) SCOPE. This chapter states the policy for Key Board/Video/Mouse (KVM) or Key Board/Monitor/Mouse (KMM) Switches used to connect systems operating at different classification levels, compartments, sub-compartments, caveats, control markings or special handling marking under the cognizant security authority of DIA/NSA including those of contractors. This policy does not restrict the use of these types of devices based on the sensitivity of the information or levels of classification of the data processed on the CPUs that are shared. This policy applies to all individuals who have authorized access to these devices on the systems they use. Not all users are approved for this type of access, and this policy does not provide that approval or countermand in any way any restrictions already placed on the user for the use of these devices.
These procedures are effective in the following life cycle phases:

CONCEPTS DEVELOPMENT PHASE    YES
DESIGN PHASE                  YES
DEVELOPMENT PHASE             YES
DEPLOYMENT PHASE              YES
OPERATIONS PHASE              YES
RECERTIFICATION PHASE         YES
DISPOSAL PHASE                YES


19.3. (U) POLICY. Only KVM switches on the DIA Standard Products List for SCIFs accredited by DIA and KVM switches on the NSA Network Enterprise Solutions (NES) approved products list for SCIFs accredited by NSA shall be used within corresponding SCIFs when sharing a Key Board, Video Monitor or Mouse between CPUs at different classification levels. KVM switches currently in use that do not meet TEMPEST or AIS requirements must be replaced with DIA/NSA approved switches by 31 December 2001. Authorizations are required from the DAAs of the respective systems when using a KVM switch to share the Key Board, Video Monitor, or Mouse. The DAAs are DIA for JWICS, NSA for NSANET, and the Defense Information Systems Agency (DISA) for NIPRnet and SIPRnet. The use of switchboxes for print services between classification levels is prohibited. Switchboxes may be used between the same classification levels for print services.

19.4. (U) RESPONSIBILITIES.

19.4.1. (U) DAA Rep.

  • Ensure all authorizations from DAAs of respective systems are obtained.

19.4.2. (U) ISSM.

  • Maintain the KVM Switch User Agreements files.

  • The ISSM will verify that the user has the necessary training and complies with the requirements for the introduction and use of multi-position switches.

19.4.3. (U) ISSO/System Administrator.

  • Ensure that the systems are approved by the Configuration Management Board.

  • Ensure that the systems are installed correctly and meet all TEMPEST Standards.

  • Ensure the desktop banners, backgrounds, and screen locks have the proper classification banner.

19.4.4. (U) User.

  • Protect the Information System and KVM in your area.

  • Report any spillage of classified information in accordance with the JDCSISSS.

  • Safeguard and report any unexpected or unrecognized computer output, including both displayed and printed products, in accordance with JDCSISSS.

  • Use different passwords on each system connected through a KVM.

  • Ensure that the classification level is displayed by each system's screen lock and that the password is required to regain entry to the system.

  • Ensure that the system's screen lock is invoked if the system is left unattended or if there is a 15-minute period of inactivity for each system.

  • Responsible for marking/maintaining magnetic media IAW Chapter 13 of JDCSISSS.

19.5. (U) AIS REQUIREMENTS. The introduction and use of multi-position switches in a SCI environment presents a moderate degree of risk to classified or sensitive information and systems. Therefore, all users will be responsible for the management of these devices. To minimize the risk of inadvertently entering information onto the wrong network, the following requirements must be met.

19.5.1. (U) Labels. All information systems components must be labeled in accordance with DCID 6/3, Paragraph 8.B.2 (a and b). All switch positions, cables, and connectors must be clearly marked with the appropriate classification labels.

19.5.2. (U) Desktop Backgrounds. To avoid inadvertent compromises, systems joined by multi-position switches will utilize desktop backgrounds that display classification banners at the top or bottom. The classification banner will state the overall classification of the system in large bold type, and the banner background will be in a solid color that matches the classification (SCI - yellow, Top Secret - orange, Secret - red, Confidential - blue, Unclassified - green). When systems have a similar classification level, but require separation for releasability or other constraints, use of unique colors for the different systems is permissible.

19.5.3. (U) Screen Locks. Screen lock applications must display the maximum classification of the system the user is currently logged into and shall implement a lockout feature to re-authenticate the user.

19.5.4. (U) Smart Keys/Permanent Storage Medium. Systems using KVM switches must not employ “smart” or memory enhanced/data retaining keyboards, monitors or mice. These types of interfaces provide memory retention that creates a risk of data transfer between systems of different classifications.

19.5.5. (U) Hot Key Capability. Switches that support "Hot-Key" capability to switch, toggle or otherwise affect the switching between CPUs are prohibited.

19.5.6. (U) Scanning Capability. Switches with the ability to automatically scan and switch to different CPUs are prohibited.

19.5.7. (U) Wireless or Infrared Technology. Systems using KVM switches must not use keyboards or mice with wireless or infrared technology.

19.5.8. (U) Unique Password Requirement. At a minimum, users must ensure that they use different/unique passwords for each system connected through a multi-position switch. Whenever possible, system administrators should employ different logon USERIDs to help users further distinguish between the systems.

19.5.9. (U) Data Hierarchy. Data of a higher classification must not be introduced to a system of a lower classification.

19.5.10. (U) Security CONOPS. A site with a requirement for multi-position switches must include the KVM procedures within the site's Security Concept of Operations (SECONOPS). The approval authority will be the Site ISSM.

19.5.11. (U) Training. ISSMs/ISSOs/Supervisors will ensure user training and compliance with the requirements associated with the introduction and use of multi-position switches.

19.5.12. (U) TEMPEST. Blanket approval to install keyboard, video, mouse (KVM) switches is granted within DIA accredited Sensitive Compartmented Information Facilities (SCIFs) located within the US and meeting NSTISSAM TEMPEST/2-95A, 3 Feb 00, recommendation “I” (having 100 meters of inspectable space) as defined by the SCIF’s TEMPEST accreditation document from DIA/DAC-2A. Blanket approval to install keyboard, video, mouse (KVM) switches is granted within NSA accredited Sensitive Compartmented Information Facilities (SCIFs) located within the US and meeting NSTISSAM TEMPEST/2-95A, 3 Feb 00, Zones C and D having more than 100 meters of inspectable space. Prior approval is required for overseas facilities and all other recommendations.

19.5.13. (U) Procedures for LOGON/Switching Between Systems.

Logging on to systems.

  • Identify the classification of the system currently selected.

  • Use the login and password appropriate to that system.

  • Verify the classification of the present system by checking the classification label.

  • Begin processing.

Switching between systems.

  • Select desired system with the multi-position switch.

  • Verify the classification of the present system by checking the classification label.

  • Begin processing at the new classification level.

EXCEPTIONS. Any exception to this policy requires approval of the DAA Rep responsible for the Certification/accreditation of systems in your SCIF.

19.6. (U) KVM SWITCH USER AGREEMENT. The user agreement (Figure 19-1) documents training and certification for personnel using the KVM switch.

KVM USER AGREEMENT FORM

1. (U) KVM SWITCH USER AGREEMENT. The user agreement documents training and certification for personnel using the KVM switch.

1.1. (U) Procedures for LOGIN and Switching Between Systems. This process must be performed for each switch between systems. When the DoDIIS system is not selected, it is required to be screenlocked.

1.1.1. (U) Logging Onto a System.

  • Identify the classification of the system currently selected

  • Use the login and password(s) appropriate to that system

  • Verify the classification of the present system by checking the classification label

  • Begin Processing

1.1.2. (U) Switching Between Systems.

  • For DoDIIS systems, screenlock the system you are currently working on. For NSA systems, ensure that each system's screenlock is invoked if there is a 15 minute period of inactivity.

  • Select desired system with the KVM switch.

  • Enter your user id and password to deactivate the screen lock.

  • Verify the classification of the present system by checking the classification label.

1.1.3. (U) Logging Off of a System.

  • Close all applications processing on the active system

  • Logout of the system when processing is no longer required on the system

  • Logout of system at the end of duty day

1.2. (U) A weekly inspection of tamper seals (if any) will be performed by the user.

1.3. (U) Any suspected tampering and/or mishandling of KVM will be reported to your site ISSM.

Printed Name of User


__________________________________________________
Signature ____________________________ Date __________________
The above individual has received the necessary training and has complied with the requirements for application and use of KVM switches.
Printed Name of ISSM
__________________________________________________
Signature ____________________________ Date __________________

FIGURE 19.1 (U) KVM SWITCH USER AGREEMENT FORM.

CHAPTER 20

CLEARING, SANITIZING, AND RELEASING COMPUTER COMPONENTS

20.1. (U) PURPOSE. The purpose of this chapter is to provide guidance and procedures to clear and sanitize magnetic storage media that is no longer useable, requires transfer, or should be released from control. These procedures apply to all Information Systems (IS) containing electronic, electromagnetic, electrostatic, or magnetic storage media. For clarification, magnetic storage media is considered to be any component of a system which, by design, is capable of retaining information without power.

20.2. (U) SCOPE. These procedures are effective in the following life cycle phases:

CONCEPTS DEVELOPMENT PHASE    NO
DESIGN PHASE                  NO
DEVELOPMENT PHASE             YES
DEPLOYMENT PHASE              YES
OPERATIONS PHASE              YES
RECERTIFICATION PHASE         YES
DISPOSAL PHASE                YES
