CSC-STD-003-85








                             COMPUTER SECURITY REQUIREMENTS

                   GUIDANCE FOR APPLYING THE DEPARTMENT OF DEFENSE
                     TRUSTED COMPUTER SYSTEM EVALUATION CRITERIA
                               IN SPECIFIC ENVIRONMENTS
































Approved for public release;
 distribution unlimited.





      25 June 1985
						CSC-STD-003-85
					   Library No. S-226,727


                                          FOREWORD 

This publication, Computer Security Requirements--Guidance for Applying the
Department of Defense Trusted Computer System Evaluation Criteria in Specific
Environments, is being issued by the DoD Computer Security Center (DoDCSC)
under the authority of and in accordance with DoD Directive 5215.1, "Computer
Security Evaluation Center." It provides guidance for specifying computer
security requirements for the Department of Defense (DoD) by identifying the
minimum class of system required for a given risk index.  System classes are
those defined by CSC-STD-001-83, Department of Defense Trusted Computer System
Evaluation Criteria, 15 August 1983.  Risk index is defined as the disparity
between the minimum clearance or authorization of system users and the maximum
sensitivity of data processed by the system.  This guidance is intended to be
used in establishing minimum computer security requirements for the processing
and/or storage and retrieval of sensitive or classified information by the
Department of Defense whenever automatic data processing systems are employed.
Point of contact concerning this publication is the Office of Standards and
Products, Attention: Chief, Computer Security Standards.



                                         25 June 1985

Robert L. Brotzman
Director
DoD Computer Security Center


				i

		              ACKNOWLEDGMENTS

Acknowledgment is given to the following for formulating the computer security
requirements and the supporting technical and procedural rationale behind
these requirements: Col Roger R.  Schell, formerly DoDCSC, George F.  Jelen,
formerly DoDCSC, Daniel J.  Edwards, Sheila L.  Brand, and Stephen F.
Barnett, DoDCSC.

Acknowledgment is also given to the following for giving generously of their
time and expertise in the review and critique of these computer security
requirements: CDR Robert Emery, OJCS, Dan Mechelke, 902nd MI Gp, Mary Taylor,
DAMI-CIC, Maj.  Freeman, DAMI-CIC, Ralph Neeper, DAMI-CIC, Duane Fagg, NAVDAC,
H.  O.  Lubbes, HAVE LEX, Sue Berg, OPNAV, Susan Tominack, NAVDAC, Lt.  Linda
Fischer, OPNAV, Eugene Epperly, ODUSD(P), Maj.  Grace Culver, USAF- SITT, Capt
Mike Weidner, ASPO, and James P.  Anderson, James P.  Anderson & Co.

And finally, special recognition is extended to H.  William Neugent and Ingrid
M.  Olson of the MITRE Corporation and to Alfred W.  Arsenault of the DoDCSC
for preparation of this document.













				ii

		             TABLE OF CONTENTS
                                                                       Page
FOREWORD..............................................................   i
ACKNOWLEDGMENTS.......................................................  ii
LIST OF TABLES........................................................  iv
1.0 INTRODUCTION......................................................   1
2.0 DEFINITIONS.......................................................   3
3.0 RISK INDEX COMPUTATION............................................   7
4.0 COMPUTER SECURITY REQUIREMENTS....................................  11
REFERENCES............................................................  13












				iii

		              LIST OF TABLES


TABLE  1: Rating Scale for Minimum User Clearance.....................   8
TABLE  2: Rating Scale for Maximum Data Sensitivity...................   9
TABLE  3: Computer Security Requirements..............................  12











                                    iv


							1
 1.0 INTRODUCTION

This document establishes computer security requirements for
the Department of Defense (DoD) by identifying the minimum class of system
required for a given risk index.  The classes are those defined by
CSC-STD-001-83, Department of Defense Trusted Computer System Evaluation
Criteria (henceforth referred to as the Criteria).(1) A system's risk index is
defined as the disparity between the minimum clearance or authorization of
system users and the maximum sensitivity of data processed by the system. [1]

The recommendations in this document are those that the DoD Computer Security
Center (DoDCSC) believes to be the minimum adequate to provide an acceptable
level of security.  These recommendations are made in part due to the fact
that there is no comprehensive policy in effect today which covers this area
of computer security.  Where current policy does exist, however, this document
shall not be taken to supersede or override that policy, nor shall it be taken
to provide exemption from any policy covering areas of security not addressed
in this document.

Section 2 of this document provides definitions of terms used.  Risk index
computation is described in Section 3, while Section 4 presents the computer
security requirements.










----------------------------------
[1] Since a clearance implicitly encompasses lower clearance levels (e.g., a
Secret- cleared user has an implicit Confidential clearance), the phrase
"minimum clearance of the system users" is more accurately stated as "maximum
clearance of the least cleared system user." For simplicity, this document
uses the former phrase.
	    

				                              3


2.0 DEFINITIONS
 
Application
     Those portions of a system, including portions of the operating system,
     that are not responsible for enforcing the system's security policy.
Category
     A grouping of classified or unclassified but sensitive information to
     which an additional restrictive label is applied to signify that
     personnel are granted access to the information only if they have
     appropriate authorization (e.g., proprietary information (PROPIN),
     information that is Not Releasable to Foreign Nationals (NOFORN),
     compartmented information, information revealing sensitive intelligence
     sources and methods (WNINTEL)).  Closed security environment
     An environment in which both of the following conditions hold true:

     1.  Application developers (including maintainers) have sufficient
         clearances and authorizations to provide acceptable presumption that
         they have not introduced malicious logic.  Sufficient clearance is
         defined as follows: where the maximum classification of the data to
         be processed is Confidential or less, developers are cleared and
         authorized to the same level as the most sensitive data; where the
         maximum classification of the data to be processed is Secret or
         above, developers have at least a Secret clearance.

     2.  Configuration control provides sufficient assurance that
         applications are protected against the introduction of malicious
         logic prior to and during the operation of system applications.

Compartmented security mode

         The mode of operation which allows the system to process two or more
         types of compartmented information (information requiring a special
         authorization)6565 or any one type of compartmented information with
         other than compartmented information.  In this mode, all system users
         need not be cleared for all types of compartmented information
         processed, but must be fully cleared for at least.  Top Secret
         information for unescorted access to the computer.
 
Configuration control
         
         Management of changes made to a system's hardware, software,
         firmware, and documentation throughout the development and
         operational life of the system.
 							

    4




Controlled security mode

         The mode of operation that is a type of multilevel security mode in
         which a more limited amount of trust is placed in the
         hardware/software requirement base of the system, with resultant
         restrictions on the classification levels and clearance levels that
         may be supported.

Dedicated security mode

         The mode of operation in which the system is specifically and
         exclusively dedicated to and controlled for the processing of one
         particular type or classification of information, either for
         full-time operation or for a specified period of time.

Environment

         The aggregate of external circumstances, conditions, and events that
         affect the development, operation, and maintenance of a system.

Malicious logic

          Hardware, software, or firmware that is intentionally included in a
          system for the purpose of causing loss or harm (e.g., Trojan
          horses).

Multilevel security mode

          The mode of operation which allows two or more classification
          levels of information to be processed simultaneously within the
          same system when some users are not cleared for all levels of
          information present.

Open security environment

     An environment in which either of the following conditions holds true:

     1. Application developers (including maintainers) do not have sufficient
        clearance (or authorization) to provide an acceptable presumption that
        they have not introduced malicious logic.  (See "Closed security
        environment" for definition of sufficient clearance.)

     2. Configuration control does not provide sufficient assurance that
        applications are protected against the introduction of malicious
        logic prior to and during the operation of system applications.

Risk index

     The disparity between the minimum clearance or authorization of system
     users and the maximum sensitivity (e.g., classification and categories)
     of data processed by a system.
                                                                           5

Sensitive information
     
     Information that, as determined by a competent authority, must be
     protected because its unauthorized disclosure, alteration, loss, or
     destruction will at least cause perceivable damage to someone or
     something.
       
     System
     
     An assembly of computer hardware, software, and firmware configured for
     the purpose of classifying, sorting, calculating, computing, summarizing,
     transmitting and receiving, storing, and retrieving data with a minimum
     of human intervention.

System high security mode
     
     The mode of operation in which system hardware/software is only trusted
     to provide need-to-know protection between users.  In this mode, the
     entire system, to include all components electrically and/or physically
     connected, must operate with security measures commensurate with the
     highest classification and sensitivity of the information being processed
     and/or stored.  All system users in this environment must possess
     clearances and authorizations for all information contained in the
     system.  All system output must be clearly marked with the highest
     classification and all system caveats, until the information has been
     reviewed manually by an authorized individual to ensure appropriate
     classifications and caveats have been affixed.  
     
System users
     
     Those individuals with direct connections to the system, and also those
     individuals without direct connections who receive output or generate
     input that is not reliably reviewed for classification by a responsible
     individual.  The clearance of system users is used in the calculation of
     risk index.  
     
For additional definitions, refer to the Glossary of TheCriteria.(1)
     
     
                                                                           7


3.0 RISK INDEX COMPUTATION
     
     
The initial step in determining the minimum evaluation class required for a
system is to determine the system's risk index.  The risk index for a system
depends on the rating associated with the system's minimum user clearance
(Rmin) taken from Table 1 and the rating associated with the system's maximum
data sensitivity (Rmax) taken from Table 2.  The risk index is computed as
follows:

     Case a.  If Rmin is less than Rmax, then the risk index is determined by
subtracting Rmin from Rmax.[1]

                           Risk Index =  Rmax - Rmin

Case b. If Rmin is greater than or equal to Rmax, then

            !---1, if there are categories on the system to which some users
            !      are not authorized access
            !
Risk Index =!
            !
            !--- 0, otherwise

















[1]There is one anomalous value that results because there are two "types" of
Top Secret clearance and only one "type" of Top Secret data.  When the minimum
user clearance is TS/BI and the maximum data sensitivity is Top Secret without
categories, then the risk index is 0 (rather than the value 1- which would
result from a straight application of the formula)


 8



                                   TABLE 1

                 RATING SCALE FOR MINIMUM USER CLEARANCE [1].


                                                              RATING
                                                               (Rmin)

  Uncleared (U)                                                  0
  Not Cleared but Authorized Access to Sensitive Unclassified    1
  Information (N)
  Confidential (C)                                               2
  Secret                                                         3
  Top Secret (TS)/Current Background Investigation (BI)          4
  Top Secret (TS)/current Special Background Investigation (SBI) 5
  One Category (1C)                                              6
  Multiple Categories (MC)                                       7













---------------------------------------
[1] The following clearances are as defined in DIS Manual 20-1(2):
Confidential, Secret, Top Secret/Current Background Investigation, Top
Secret/Current Special Background Investigation.


                                                                           9


                                   TABLE 2

                 RATING SCALE FOR MAXIMUM DATA SENSITIVITY


   MAXIMUM DATA
    SENSITIVITY
     RATINGS [2]       RATING      MAXIMUM DATA SENSITIVITY WITH
     WITHOUT           (Rmax)             CATEGORIES [1]
    CATEGORIES
        (Rmax)

    Unclassified(U)      0                 Not Applicable [3]

    Not Classified but   1         N With One or More Categories            2
      Sensitives [4]

    Confidential(C)      2         C With One or More Categories            3

       Secret (S)        3         S With One or More Categories With No    4
                                     More Than One Category Containing
                                              Secret Data
                                   S With Two or More Categories Containing 5
                                                 Secret Data

    Top Secret (TS)     5 [5]       TS With One or More Categories With No   6
                                      More Than One Category Containing
                                           Secret or Top Secret Data
                                    TS With Two or More Categories           7
                                    Containing Secret or Top Secret Data

-------------------------------

[1] The only categories of concern are those for which some users are not
authorized access.  When counting the number of categories, count all
categories regardless of the sensitivity level associated with the data.  If a
category is associated with more than one sensitivity level, it is only
counted at the highest level.

[2] Where the number of categories is large or where a highly sensitive
category is involved, a higher rating might be warranted.

[3] Since categories are sensitive and unclassified data is not, unclassified
data by definition cannot contain categories.

[4] Examples of N data include financial, proprietary, privacy, and mission
sensitive data.  In some situations (e.g., those involving extremely large
financial sums or critical mission sensitive data), a higher rating may be
warranted.  The table prescribes minimum ratings.

[5] The rating increment between the Secret and Top Secret data sensitivity
levels is greater than the increment between other adjacent levels.  This
difference derives from the fact that the loss of Top Secret data causes
exceptionally grave damage to the national security, whereas the loss of
Secret data causes only serious damage.

                                                                           11




4.0 COMPUTER SECURITY REQUIREMENTS


Table 3 identifies the minimum evaluation class appropriate for systems based
on the risk index computed in Section 3.  The classes identified are those
from The Criteria.(1) A risk index of 0 encompasses those systems operating in
either system high or dedicated security mode.  Risk indices of 1 through 7
encompass those systems operating in multilevel, controlled, compartmented, or
the Navy's limited access security mode; that is, those systems in which not
all users are fully cleared or authorized access to all sensitive or
classified data being processed and/or stored in the system.  In situations
where the local environment indicates that additional risk factors are
present, a system of a higher evaluation class may be required.






 12


                                  TABLE 3

                       COMPUTER SECURITY REQUIREMENTS


                                           MINIMUM          MINIMUM
 RISK INDEX     SECURITY OPERATING MODE  CRITERIA CLASS  CRITERIA CLASS
                                          FOR OPEN         FOR CLOSED
                                          ENVIRONMENTS [4]  ENVIRONMENTS [4]

  0                Dedicated           No Prescribed   No Prescribed
			    	Minimum [1]     Minimum [1]	     

  0               System High               C2[2]            C2[2]

  1       Limited Access, Controlled,       B1[3]            B1[3]
           Compartmented, Multilevel

  2       Limited Access, Controlled,       B2               B2
             Compartmented, Multilevel

  3          Controlled, Multilevel         B3               B2

  4               Multilevel                A1               B3

  5               Multilevel                *                *

  6               Multilevel                *                *

  7               Multilevel                *                *





--------------------

[1] Although there is no prescribed minimum class, the integrity and denial of
service requirements of many systems warrant at least class C1 protection.

[2] If the system processes sensitive or classified data, at least a class C2
system is required.  If the system does not process sensitive or classified
data, a class C1 system is sufficient.

[3] Where a system processes classified or compartmented data and some users
do not have at least a Confidential clearance, or when there are more than two
types of compartmented information being processed, at least a class B2 system
is required.

[4] The asterisk (*) indicates that computer protection for environments with
that risk index is considered to be beyond the state of current computer
security technology.  Such environments must augment technical protection with
physical, personnel, and/or administrative security solutions.


    
                                                                      13



                      REFERENCES

1.   DoD Computer Security Center, DoD Trusted Computer System Evaluation
     Criteria, CSC-STD-001-83, 15 August 1983.  

2.  Defense Investigative Service (DIS) Manual 20-1, Manual for Personnel
    Investigations, 30 January 1981 .