SPB 168-96
At the second meeting of the Security Policy Advisory Board (SPAB) on 8 November 1996, the Board was advised by industry representatives of independent, uncoordinated information assurance policy efforts, ongoing simultaneously with the Security Policy Board's (SPB) Information Assurance Document (IAD) effort. Industry indicated they would like "just one collective effort that addresses a single policy and procedure for government and industry that does not exceed the current NISPOM standards and achieves compatibility." The SPAB requested a report on these efforts.
The SPB Staff is aware of at least three such ongoing efforts:
AISSIM-300:
While the NRO fully supports the IAD effort and participates on the Drafting and Review Groups, the organization currently follows the DCID 1/16 and the Automated Information Systems Security Implementation Manual (AISSIM)-200 for its policy and guidance for processing classified information on its information systems. The NRO has participated in the IAD in the hope that it may be offered as an update for the current DCID 1/16 and provide the government with a single document that will give a more consistent, cost-effective approach to protecting NRO information systems.
NRO has just begun an effort to update their current AISSIM-200 due to a critical need to provide their user community with more current guidance. This effort by the NRO is coordinated with NSA and CIA. It in no way detracts from the NRO commitment to the IAD, but rather, it is proceeding with the intent to merge whatever is created into the IAD and the associated annex. Some of the members of this effort are the very same individuals involved in the IAD Drafting and Review Groups, which further ensures that what is created will be in consonance with the IAD.
The rewrite and update of AISSIM-300 is only in its initial stage of producing a strawman draft document, with the intent to create a stand-alone document. This exercise is taking place because of technological and environmental changes affecting information security and the present uncertainty of exactly when the IAD will be approved and ready for publication. The NRO plan is that, once the IAD is approved, all segments covered in the IAD will be removed from the AISSIM, and the remaining items will be offered for inclusion in the associated IAD annex that addresses NRO-specific issues.
The OSD-Directed Defense Investigative Service (DIS) - Industry NISPOM Chapter 8 Rewrite Effort
In September 1996, after the decision was made by government representatives, including the SPB Staff and the IAD Drafting Group, to reject the industry "performance-based" draft of NISPOM Chapter 8, John Frields, of the DoD/C3I staff office responsible for NISPOM matters, asked DIS to attend a meeting with Roger Callahan and Doug Perritt to discuss some options for DoD. Because all Washington-based DIS AIS specialists were unavailable, John Edmiston attended the meeting. Mr. Edmiston is a GS-13 AIS Specialist stationed in Melbourne, Florida, and responsible for DIS contractors in the southeast region. At that meeting, OSD/C3I directed DIS to find some cooperative contractors to work with in order to revisit and rewrite the NISPOM Chapter 8, incorporating any and all DoD policy decisions regarding AIS which were currently operative, as well as Industry Security Letter (ISL) 95L3 which addressed AIS security issues. Mr. Edmiston was specifically told not to attempt to include policies reflected in the IAD.
Mr. Edmiston enlisted assistance from three Florida contractor AIS security specialists: John Petzl, Pratt & Whitney, West Palm Beach; Sandy Patton, Lockheed-Martin Information Systems, Orlando; and Juana Williams-Ginski, Northrop Grumman, Melbourne. A draft was completed November 13, 1996, and forwarded to DIS HQ in Washington for evaluation. At the moment, DIS is attempting to set up a briefing for Messrs. Callahan, Perritt, and Frields by Messrs. Edmiston and Petzl, probably sometime in December. The SPB Staff has not seen this paper.
DoD Directive 5200.28, "Security Requirements for Automated Information Systems," Rewrite Effort
A Defense Community effort is underway to reframe the Department's direction to ensure the soundness of the Defense Information Infrastructure. The Assistant Secretary of Defense, Command, Control, Communications, and Intelligence chartered a Department-wide Information Assurance Group to address such policy issues. Directive 5200.28 is a late-1980s approach needing revamping to provide comprehensive direction in the global network environment that ASDC3I envisions will serve the Department into the next century. In statements during House Hearings this past summer and in response to GAO recommendations, ASDC3I committed to completing the revision by the end of FY 1997.
The SPB is not a part of this process because it is considered an internal DoD concern.