MIL-HDBK-59A APPENDIX E

APPENDIX E
DATA PROTECTION AND INTEGRITY, DATA RIGHTS, AND RELATED ISSUES

10 SCOPE

10.1 Applicability. This appendix provides guidance on data protection and integrity, data rights, change control, and related issues to government activities acquiring technical data in digital form or establishing CITIS functional requirements. It is applicable to all Department of Defense (DoD) components responsible for acquisition of weapon systems or related major equipment items.

10.2 Purpose. This appendix identifies issues that should be addressed by the acquisition manager, and suggests the best methods for tailoring the wording of standard DoD Requests for Proposal (RFP's) and Contract Data Requirement Lists (CDRL's) to allow and encourage the integrated preparation, government access to, and digital submission of deliverable data.

20 REFERENCED DOCUMENTS

See list of references appearing in Appendix A.

30 DEFINITIONS

See list of terms appearing in Appendix A.

40 GENERAL GUIDANCE

40.1 Contracting for digital data. A major thrust of the Computer-aided Acquisition and Logistic Support (CALS) program is the delivery of weapon system data in digital form. A second thrust is integration of the data bases which produce that data and make it available for use. Implementation of these objectives must be accomplished in a manner that protects from unauthorized access, use, or change: (1) information that is classified as having national security implications, (2) information that is contractor proprietary or competition sensitive, (3) information that is subject to export control as technologically sensitive, and (4) the systems that create, store, and distribute that information. Additional issues to be considered in contracts include data rights, privacy, and legal liability.

50 DETAILED GUIDANCE

50.1 Data protection and integrity.
The goal of CALS data protection and integrity policy is to ensure the integrity and confidentiality of all CALS assets to the extent possible within existing regulations, procedures, etc. Inherent in the attainment of this goal is the requirement for adequate risk and data protection planning and implementation throughout the life cycle of weapon system technical data. The purpose of this section of the handbook is to aid acquisition managers in accomplishing system and data protection and integrity planning to ensure proper development, implementation, and administration for CALS programs and activities. This section of the handbook supports implementation of DoDD 5200.28, Security Requirements for Automated Information Systems. It is not intended as a substitute for the extensive specialized functional and technical guidance available on this subject.

50.1.1 Background discussion. The emergence of digital media has resulted in a new series of methods and techniques for unauthorized use and dissemination of information. The acquisition manager, other government users of technical data, and the contractor have a shared responsibility to provide an adequate level of protection in all CALS-related delivery and access modes. The level of protection must be commensurate with the level of information sensitivity. Providers and users of technical data should recognize that evolving technology and standards for system and data protection are being matched by evolving technology for protection infringement. The acquisition manager should address system and data protection and integrity requirements early and continuously throughout the life cycle of the weapon system. The program office security officer should be thoroughly familiar with CALS concepts for delivery of data in digital form, and for interactive access by government users to contractor data bases and by contractor users to government data bases.
Using this knowledge, the program office security officer should play an active role in selection of the appropriate delivery or access modes. The contractor should be advised as early as possible of the security-related requirements for technical data to be delivered or accessed in accordance with CALS standards and statement of work provisions. The contractor should be required to thoroughly describe the procedures to be implemented at each level of sensitivity to protect technical data, and the systems and networks hosting that data, from unauthorized use or abuse.

50.1.2 Systems approach to data protection and integrity. Data protection and integrity requirements for CALS are divided into the following six interrelated security disciplines. These disciplines must be integrated into an overall systems approach in response to a formal risk assessment of a specific CALS situation.

a. Communications Security (COMSEC). The protection resulting from the application of transmission security, crypto security and emission security measures to telecommunications and from the application of physical security measures to COMSEC information. COMSEC activities consider administrative procedures, functional checks, inspections, and analysis of data links including secure voice systems. TEMPEST, a part of COMSEC, refers to investigations and studies of "compromising emanations" and is often used synonymously with this phase. TEMPEST testing of communications systems, computer systems, and other electronic systems is considered an appropriate measure applied on a case-by-case basis considering the threat and consequent risk.

b. Computer Security (COMPUSEC). The totality of security safeguards needed to provide an acceptable level of protection for automated data processing (ADP) systems and the sensitive data processed. Includes all hardware/software functions, characteristics and features; operational, accountable, and access control procedures at the computer and remote terminal facilities; and the management constraints, physical structures, and devices needed to provide an acceptable level of protection for sensitive information in any state of storage, processing, display or communication within the ADP system.

c. Physical Security. Those physical measures which are designed to prevent unauthorized access to equipment, facilities, material and documents, and to safeguard against espionage, sabotage, damage and theft. Such measures provide for the control of acoustical, visual and physical access through use of barriers, electronic security aids/equipment, security forces, and integrated operational procedures. These techniques may be used singularly or in combination to ensure an effective application of physical security.

d. Personnel Security. Those measures whereby the trustworthiness and suitability of personnel are verified for positions of trust (i.e., positions requiring access to sensitive information, equipment or areas) based on information regarding their loyalty, character, emotional stability and reliability.

e. Information Security. Those measures and administrative procedures for identifying, controlling, and protecting against unauthorized disclosure of classified information or sensitive unclassified information. Such measures and procedures are concerned with data protection and security education and training, assignment of proper classifications, downgrading and declassification, safeguarding, and monitoring.

f. Operations Security (OPSEC). The protection of operations resulting from the identification and subsequent elimination or control of intelligence indicators susceptible to compromise. OPSEC efforts must prevent the disclosure of information containing indicators that can be used to degrade operational effectiveness. COMSEC, COMPUSEC, Physical Security, Personnel Security, Information Security, and OPSEC are interacting and mutually supporting disciplines. OPSEC is designed to protect the unclassified and highly visible aspects of an operation as well as the sensitive aspects.

50.1.3 Government data protection and integrity issues. As defined by Public Law 100-235, The Computer Security Act of 1987, the term "sensitive information" means any information, the loss, misuse or unauthorized access to or modification of which could adversely affect the national interest, the conduct of Federal programs, or the privacy to which individuals are entitled under the Privacy Act, but which has not been specifically authorized under criteria established by Executive Order or Act of Congress, to be kept secret in the interest of national defense or foreign policy. Technical information generated in support of a weapon system acquisition program will include non-sensitive information; sensitive information such as For Official Use Only (FOUO), subject to export control, and corporate proprietary/source selection sensitive; and information classified from a national security standpoint (e.g., confidential, secret, top secret). Although the bulk of this information will usually be unclassified from a national defense perspective, the inferences which can be drawn from the accumulation of unclassified information (a so-called data aggregation) may dictate a higher level of classification for the data elements which constitute the aggregate data. Moreover, the delivery mode(s) selected for transmission of technical information to the government must reflect a level of protection commensurate with the information's designated level of sensitivity. Multiple delivery modes may be required. For example, a classified or otherwise sensitive portion of a technical document may be delivered in hard copy, while the non-sensitive main portion of the document could be delivered as a set of processable data files. In the case of interactive access to weapon system information, provisions for access control and telecommunications security must be addressed in accordance with DoD and National Security Agency regulations and instructions, as well as the requirements of the Computer Security Act of 1987. Each procurement must clearly state the applicable data sensitivity determinations, and what degree and levels of access will be required.

50.1.4 Industry data protection and integrity issues. Industry must adequately protect weapon system technical information commensurate with designated levels of sensitivity and related access requirements. Additionally, industry must deal with company proprietary, competition sensitive, or liability sensitivities of data. This is the responsibility of the contractor's facility even if government personnel have interactive access capability.

50.1.5 Telecommunications. The interrelationship and interdependency between telecommunications and computer systems are defined by the Computer Security Act of 1987. Government agencies and systems security steering groups, including the National Security Agency and the National Institute of Standards and Technology, have been given the responsibility to establish policies, standards, products, and technical/research centers. Encryption of classified or sensitive military data should be in accordance with procedures established by the National Security Agency. Encryption of other sensitive data should be by commercial practice commensurate with the level of sensitivity.

50.1.6 Computer security levels.
Information processing products are evaluated to determine the level of their capability to protect information from unauthorized access. This evaluation is performed in accordance with the requirements set forth in DoD 5200.28-STD, The DoD Trusted Computer System Evaluation Criteria. One of the levels of information security is broadly categorized as system high. An information system that is operating at system high requires that all users with physical access to that system have a current security clearance equivalent to, or greater than, the highest classification level of any data resident on that system. A second level of information security is categorized as multilevel security. Multilevel security offers more advantages than system high to users who must deal with technical data whose elements are at different levels of classification or sensitivity. However, implementing an approved multilevel security system may pose major problems. An information system that incorporates multilevel security allows system access to users who have security clearances that are at a lower level than some of the data resident on the system. A multilevel security system must therefore protect information from unauthorized disclosure to individuals who have a lower security clearance, but who are authorized to access the system. All options and alternatives to multilevel security, including multiple physically isolated data bases, must be considered.

50.1.7 Data protection and integrity requirements. Technical data generated, processed, and disseminated in a computer-aided and telecommunications environment must be protected in accordance with applicable statutes, regulations, and guidelines. Some data will be classified, and its protection is defined by law, executive order, and directive. Most data will be unclassified, but its protection is still necessary for the suppliers and users of the data.
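The system-high and multilevel access rules of 50.1.6, together with the data-aggregation point made in 50.1.3, worked as an added Python illustration that is not part of MIL-HDBK-59A. The label model (a classification level plus FOUO and export-control categories), the function names and the sample data base are assumptions made for the example.

```python
"""Access decisions for the two operating modes in 50.1.6 (system high and
multilevel security) and the data-aggregation rule in 50.1.3.
Added illustration, not part of MIL-HDBK-59A; the label model, the function
names and the sample data base are assumptions."""
from dataclasses import dataclass

# Hierarchical classification levels from 50.1.3. Treating FOUO and export
# control as non-hierarchical categories on a label is a modelling assumption.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other) -> bool:
        """A subject holding this label may see data labelled `other` only if its
        level is at least as high and it holds every category the data carries."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

    def join(self, other):
        """Least upper bound: the label that two pieces of data carry together."""
        top = self if LEVELS[self.level] >= LEVELS[other.level] else other
        return Label(top.level, self.categories | other.categories)


def read_allowed(user: Label, data: Label) -> bool:
    """No read up: the user's clearance must dominate the data label."""
    return user.dominates(data)


def system_high_admissible(users: dict, data_items: dict) -> bool:
    """System high (50.1.6): every user with access to the system must be cleared
    for the highest label resident on it, i.e. the join of all data labels."""
    highest = Label("UNCLASSIFIED")
    for lbl in data_items.values():
        highest = highest.join(lbl)
    return all(u.dominates(highest) for u in users.values())


def mls_denials(users: dict, data_items: dict) -> list:
    """Multilevel security (50.1.6): users cleared below some of the data are
    admitted, so the system itself must refuse every (user, item) read up."""
    return sorted((u, d) for u, ul in users.items()
                  for d, dl in data_items.items() if not read_allowed(ul, dl))


def aggregate_label(selected, data_items: dict, aggregation_rules) -> Label:
    """Label of a set of items released together (the 'data aggregation' of
    50.1.3): the join of their labels, raised further when the selection covers
    an element set that a rule marks as sensitive in combination."""
    label = Label("UNCLASSIFIED")
    for name in selected:
        label = label.join(data_items[name])
    for elements, rule_label in aggregation_rules:
        if elements <= set(selected):
            label = label.join(rule_label)
    return label


# Constructed sample: a program data base and its users.
DATA = {
    "tm_main_body": Label("UNCLASSIFIED"),
    "tm_appendix_b": Label("SECRET"),
    "drawing_wing_box": Label("UNCLASSIFIED", frozenset({"EXPORT CONTROL"})),
    "drawing_radar_mount": Label("UNCLASSIFIED", frozenset({"EXPORT CONTROL"})),
    "cost_summary": Label("UNCLASSIFIED", frozenset({"FOUO"})),
}
USERS = {
    "gov_engineer": Label("SECRET", frozenset({"EXPORT CONTROL", "FOUO"})),
    "contractor_tech": Label("UNCLASSIFIED", frozenset({"EXPORT CONTROL"})),
    "foreign_liaison": Label("CONFIDENTIAL"),
}
# Constructed rule: the two drawings together reveal the radar installation geometry.
AGG_RULES = [({"drawing_wing_box", "drawing_radar_mount"}, Label("CONFIDENTIAL"))]

if __name__ == "__main__":
    print("system high admissible:", system_high_admissible(USERS, DATA))
    print("MLS must deny:", mls_denials(USERS, DATA))
    both = ["drawing_wing_box", "drawing_radar_mount"]
    print("aggregate label:", aggregate_label(both, DATA, AGG_RULES))
```

With this data base the system-high mode is not admissible because two users are cleared below the highest resident label, while in multilevel mode the system must enforce six individual denials; the contractor technician may read either drawing alone but not the pair, whose aggregate label is raised to CONFIDENTIAL.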
System and data administrators must also plan for disaster recovery; although this issue is unrelated to system/data compromise, the problems associated with restoration of data of known integrity are comparable. Survivability of both technical data and the weapon systems supported by that data will require the application of data protection and integrity measures for information, hardware, software and operating systems, and weapon system components. Life cycle data protection and integrity modeling will be used as:

a. A framework for analyzing all aspects of CALS data protection and integrity.

b. A basis for establishing data protection policies, plans, and procedures.

50.1.7.1 Industry. Appropriate data protection measures and standards are required when proprietary or technologically sensitive acquisition and logistics data are created, changed, transmitted, received, and stored in digital form. Effective industry application depends in part on the degree of control needed to meet data protection requirements, and the quality of the implementation and enforcement of those controls. To obtain early visibility and management of data protection and integrity issues, a risk assessment and security plan should be developed in response to anticipated weapon system program requirements as part of the offeror's proposal in response to an acquisition RFP. This plan should address levels of data protection for each access mode, and procedures for protection of classified data, with particular attention to interactive data base access and telecommunications.

50.1.7.2 Government. Since CALS technologies allow dissemination and use of industry-developed data beyond the control of the owner of the data, government access and control of this contractor information must be managed through the use of DoD-wide uniform standards.
Data protection and integrity requirements will increase significantly as CALS encompasses more classified and sensitive information, and employs more automated systems to originate, communicate, and receive data. It is the responsibility of the program office to conduct a security risk analysis to identify anticipated data protection requirements as described in Table VIII.

50.1.7.3 Risk assessment procedures. Over the last several years, quantitative risk assessment has evolved into an important computer and telecommunication system security analysis technique. Quantitative risk assessment procedures employ a structured and generally accepted methodology, and can serve as a framework within which analysis can justify data protection and integrity expenditures, determine the magnitude of system security risks, and evaluate characteristics of control options.

In overall terms, quantitative risk assessment involves the estimation of losses stemming from the occurrence of various threats and vulnerabilities, and the related analysis of the effectiveness of countermeasures that mitigate such losses. The analysis of countermeasures involves a review of whether current and proposed controls meet data protection objectives, and whether they are cost effective. In addition to being used as a security review technique, risk assessment procedures can be employed as valuable tools for use in the following efforts:

a. Systems designs to ensure that appropriate controls are built in;

b. Systems upgrades to make certain that retrofitted controls are appropriate;

c. Systems security standards definition efforts to make sure that standards are justified;

d. Prioritization of countermeasure budget expenditures; and

e. Auditing efforts to ensure effective allocation of staff resources.
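The loss estimation, countermeasure cost-effectiveness review and budget prioritization described in 50.1.7.3, carried through in Python as an added illustration that is not part of MIL-HDBK-59A. It assumes the annualized loss expectancy method (single loss times expected annual rate of occurrence) as the "generally accepted methodology"; every threat, control and dollar figure is constructed.

```python
"""Quantitative risk assessment as outlined in 50.1.7.3: estimate annual losses per
threat, test countermeasures for cost effectiveness, and prioritise budget spending.
Added illustration, not part of MIL-HDBK-59A. The annualised loss expectancy (ALE)
method and every threat, control and dollar figure below are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    single_loss: float   # estimated loss per occurrence, dollars
    annual_rate: float   # expected occurrences per year

    def ale(self) -> float:
        """Annualised loss expectancy with no additional controls."""
        return self.single_loss * self.annual_rate


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    # threat name -> fraction by which the control cuts that threat's annual rate
    rate_reductions: dict


def residual_ale(threats, controls) -> float:
    """Total ALE after the given controls; reductions on one threat compound."""
    total = 0.0
    for t in threats:
        rate = t.annual_rate
        for c in controls:
            rate *= 1.0 - c.rate_reductions.get(t.name, 0.0)
        total += t.single_loss * rate
    return total


def net_benefit(threats, in_place, candidate) -> float:
    """Loss avoided by adding `candidate` to the controls already in place, minus
    its cost. Negative means the control is not cost effective in that context."""
    before = residual_ale(threats, in_place)
    after = residual_ale(threats, list(in_place) + [candidate])
    return (before - after) - candidate.annual_cost


def prioritise(threats, candidates, budget):
    """Item d of 50.1.7.3: pick controls greedily by net benefit until the budget
    is exhausted or no affordable control still pays for itself."""
    chosen, pool, remaining = [], list(candidates), budget
    while True:
        best, best_gain = None, 0.0
        for c in pool:
            if c.annual_cost <= remaining:
                gain = net_benefit(threats, chosen, c)
                if gain > best_gain:
                    best, best_gain = c, gain
        if best is None:
            return chosen
        chosen.append(best)
        pool.remove(best)
        remaining -= best.annual_cost


def meets_objective(threats, controls, acceptable_ale) -> bool:
    """Data protection objective expressed as a ceiling on residual annual loss."""
    return residual_ale(threats, controls) <= acceptable_ale


# Constructed sample for a CALS data base holding export-controlled drawings and
# classified technical manual supplements (figures are illustrative only).
THREATS = [
    Threat("disclosure over telecommunications link", 500_000, 0.2),
    Threat("loss of delivery media in transit", 50_000, 1.0),
    Threat("corruption of technical data master files", 200_000, 0.5),
]
CANDIDATES = [
    Countermeasure("link_encryption", 30_000,
                   {"disclosure over telecommunications link": 0.9}),
    Countermeasure("courier_procedures", 10_000,
                   {"loss of delivery media in transit": 0.5}),
    Countermeasure("integrity_checks", 40_000,
                   {"corruption of technical data master files": 0.8}),
    Countermeasure("guard_force_expansion", 120_000,
                   {"loss of delivery media in transit": 0.9}),
]

if __name__ == "__main__":
    plan = prioritise(THREATS, CANDIDATES, budget=75_000)
    print("baseline ALE:", residual_ale(THREATS, []))
    print("selected:", [c.name for c in plan])
    print("residual ALE:", residual_ale(THREATS, plan))
    print("meets 100k objective:", meets_objective(THREATS, plan, 100_000))
```

On the constructed figures the baseline annual loss is 250,000; a 75,000 budget buys link encryption and integrity checks, leaving a residual of 80,000, while the guard force expansion is rejected because it costs more than the loss it avoids.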
50.1.7.4 Risk approval procedures. Risk approval procedures should be established to ensure that the acquisition manager is provided with an adequate review of the results of the risk assessment. Such a review will provide the manager with information on consequent risks, tradeoffs, and cost/benefit analyses, and thus will support an informed decision concerning optimal data protection and integrity controls. Risk approval procedures are based on the recognition that achieving perfect data protection and integrity (i.e., the total elimination of all vulnerabilities) is not usually feasible. The goal of the risk approval process, therefore, is to provide the weapon system program with the best data protection, at acceptable cost, consistent with other critical program parameters.

50.1.8 Considerations for implementation of data protection and integrity. System security engineering principles, as outlined in MIL-STD-1785, should be utilized to integrate data protection and integrity disciplines in an effective and efficient manner to achieve assured service, integrity, and confidentiality. Data protection and integrity programs will be developed on the basis of formal risk versus vulnerability assessment procedures.

TABLE VIII. Identification of security by data item.
  SECURITY CLASSIFICATIONS               LEVELS OF SECURITY CONTROL

  * DoD REQUIREMENTS
    TOP SECRET                           System level currently for
    SECRET                                 classified information
    CONFIDENTIAL                         Transaction level currently for
    FOR OFFICIAL USE ONLY (FOUO)           sensitive unclassified data
    MOSAIC AGGREGATION                   Data element level in future
    EXPORT CONTROL                         CALS systems

  * INDUSTRY REQUIREMENTS                USER PROFILES
    COMPETITION SENSITIVE                Access & Control (for example)
    COPYRIGHTED                            by domestic company
    TECHNOLOGICALLY SENSITIVE              by foreign company
    COST SENSITIVE                         by department
    MOSAIC (applies to industry            by project
      as well as DoD data)                 by group

  Procedures and software rules for access control user profiles together form a matrix matching the data security level with the user profiles.

50.1.8.1 Industry. In the transition from hard copy to CALS data interfacing and data integration technologies, the requirements for the protection of proprietary information will increase in sophistication and cost in proportion to the increased level of access control required. Access control issues exist at contractor/government sending and receiving sites, and in the telecommunication links connecting them. Data protection and integrity standards should be established and enforced early in the program in accordance with a CALS technical data security plan approved by the government program office. Access controls should be established in accordance with this plan.

50.1.8.2 Government.
Information and communication-computer data protection and integrity management for CALS technical data must be addressed in accordance with the Computer Security Act of 1987, DoD 5200.1-R, Information Security Program Regulation, DoDD 5200.28, Security Requirements for Automated Data Processing Systems, and DoD 5200.22-M, Industrial Security Manual for Safeguarding Classified Information. The process for establishing data protection and integrity requirements should be based on a comprehensive data sensitivity analysis and risk assessment which includes the following procedures:

a. Establish data protection and integrity requirements using CSC-STD-004-85, Guidance for Applying the Department of Defense Trusted Computer System Evaluation Criteria in Specific Environments. For a given maximum data sensitivity and minimum clearance or authorization of a system user, a computer security category, ranging from C1 to A1, is required.

b. Use DoD 5200.28-STD, the DoD Trusted Computer System Evaluation Criteria, as a source for information processing product evaluation. The Evaluated Products for Trusted Computer Systems (called the Evaluated Products List) is contained in the Products and Services list that is prepared and published quarterly by the National Computer Security Center.

c. After definition of information and communication-computer data protection and integrity requirements by DoD weapon system and data system acquisition managers and by security managers, requirements should be passed to contractors using DD Form 254, DoD Contract Security Classification Specification.

50.1.9 Implementation guidance. The acquisition manager should develop a program plan that incorporates a multi-disciplinary systems approach to meeting the data protection and integrity requirements of the program. This plan will identify responsible personnel and resources, and require government or contractor performance of:

a. Data protection and integrity threat and vulnerability analyses.

b. Data protection and integrity risk assessments and trade-off analyses.

c. Data protection and integrity test and evaluation.

d. Configuration control for security systems and trusted system components.

e. Identification of vulnerabilities that remain after implementing all reasonable security measures.

f. Periodic inspections to ensure compliance.

50.1.9.1 Program Office Security Officer. Information and communication-computer data protection and integrity requirements must be addressed early and continuously throughout the life of the weapon system. Oftentimes, the most easily compromised information is that which is considered too fluid, too preliminary, and too incomplete to warrant serious data protection. The program office security officer should completely familiarize himself with CALS digital information access and delivery objectives and related data protection and integrity issues, as described in this appendix and in other DoD instructions relating to protection of classified and otherwise sensitive data. The program office security officer should fully participate in all decisions concerning access or delivery modes and media for technical data in digital form. These decisions should be made in a manner which is consistent with the CALS objective for the program, and which provides an appropriate level of protection at reasonable cost. In conjunction with other program office personnel involved in setting requirements for delivery of technical data, the program office security officer should determine the anticipated data protection and integrity requirements for the program, including the volume of data anticipated to be delivered or accessed at each level.
The security plans proposed by the various offerors, and the security plans and facilities available at government activities which will receive and process technical information, should be reviewed and taken into account in recommending the appropriate method of delivery or access.

50.1.9.2 Contract implementation. Determination of data protection and integrity requirements for technical information to be delivered or accessed, such as anticipated classification levels for technical manuals, engineering drawings, and other technical data, should be accomplished early in the program. Early dissemination of this information to potential contractors should be accomplished prior to award of contract, either as part of the bidder's briefing or in the RFP. This description should go beyond the scope of the DD Form 254, and should provide the contractor with a sufficient level of detail to develop a contractor data protection and integrity plan. The RFP should request a description of the offeror's proposed method for implementing data protection and integrity procedures for the protection of both classified information and information that the offeror anticipates being proprietary or sensitive from an export standpoint. The plan should be used by the government to plan and acquire the resources needed to receive, store, and process sensitive technical data at government facilities involved in the life cycle support of the weapon system.

50.1.9.3 Suggested instructions to offeror language. The following language is suggested for inclusion in instructions to offerors:

    The offeror shall develop an approach which addresses intended data protection and integrity provisions for technical data to be developed and maintained by the contractor, and delivered to the government or accessed by government personnel. This approach shall be derived from the anticipated program data protection and integrity requirements provided by the government. It shall address levels and methods of data protection for all levels of technical data from the viewpoints of economy, impact on other program contract activities and schedule, and government plans for interactive access. It shall describe requirements (such as number and type of data encoding devices) to accomplish the data protection and integrity provisions contained therein. It shall be complete enough that the government can assess an offeror's potential for compliance with data protection and integrity requirements while meeting the CALS objectives.

50.1.9.4 Suggested statement of work (SOW) language. The following language is suggested for incorporation in SOW's for classified data:

    The contractor shall minimize the volume of information requiring specialized handling for purposes of data protection and integrity, and shall provide information at the lowest classification level practicable. For example, unclassified technical manuals are preferred over classified manuals, provided they contain adequate information to perform the function described therein. Largely unclassified technical manuals with a classified appendix or supplement are preferred over largely classified technical manuals. In organizing technical information in this manner, the contractor shall pay particular attention to items of information which by themselves are unclassified, but when taken in aggregation, allow classified information to be inferred. The government shall retain the right to conduct announced and unannounced inspections by security specialists at any time to review, audit, and account for classified materials.

50.2 Data rights, privacy, and legal liability. (CALS related work in the area of data rights, privacy, and legal liability is being performed by the CALS Acquisition Task Group. Supplemental guidance will appear in a future update to this handbook.)

50.2.1 Application of CALS standards.
Application of CALS standards must be analyzed to ensure that adequate management procedures are implemented to control access to data that may require controlled distribution for reasons other than the data's security classification. Access and distribution may be controlled because of any of the following:

a. Sensitive technology as indicated by documents or computer files marked or annotated in accordance with DoD 5230.24, Distribution Statements on Technical Documents, and controlled in accordance with DoD 5230.25, Withholding of Unclassified Technical Data from Public Disclosure. Refer to the relevant Service, Agency, or Command office, or, in accordance with Service or Command procedures, to the Office of the Deputy Undersecretary of Defense for Research and Technology.

b. Rights in technical data. Refer to Defense FAR Supplement Part 27.4 and the basic data rights clause at 52.227-7013.

50.2.2 Liability and warranty. Liability and warranty issues must also be addressed. Liability is often confused with ownership, but is a more precise concept. It is possible to own a computer program, such as a word processing application, without having the right to copy it, and without responsibility or liability for its proper use. Adequate control of changes and determination of change authority is also a critical legal issue. These issues are conceptually the same in a CALS environment as in the current paper-based environment. However, the application of CALS technologies provides both an opportunity to better address these issues, and the potential for additional abuse. It is the responsibility of the acquisition manager, in coordination with supporting DoD legal counsel, to establish, implement, and enforce procedures and safeguards to preclude the opportunity for such abuse. The contractor shares a responsibility to develop, implement, and enforce corresponding procedures and safeguards.

50.2.3 Information change management and configuration control. The selection of digital standards also requires review of manual and automated procedures for controlling and tracking data changes. Generally, the more functional utility provided by a data interchange or access standard, the more sophisticated and extensive must be the procedures for configuration management of the technical data. The ability to manage, control, and identify changes and change authority is absolutely necessary to proper assignment of liability and responsibility.

CONCLUDING MATERIAL

Custodians:                      Preparing Activity:
  Army - CR                        OSD-CL
  Navy - SH                        (PROJECT ILSS-0013)
  Air Force - 24
  DLA - DH

Review activities:
  Army - AM
  Air Force - 01, 02
  NSA - NS
  DCA - DC
  NSA - NA
  Other - NIST, DOE, GPO, NCS

User activities:
  OSD - IR
  Army - AL, AT, AV, CR, EA, ER, GL, ME, MI, MR, SM, TE, TM
  Navy - AS, EC, OS, SA, YD
  Air Force - 11, 13, 14, 17, 18, 19, 68, 79, 99