28 October 1997
Source:
http://www.hr.doe.gov/telcomsec/
|
U.S. Department of Energy's
|
|---|
Telecommunications Security, Engineering, and Services is an element of the Architecture, Standards and Engineering Group, (HR-43), Office of Information Management, (HR-4). The Telecommunications Security program is primarily responsible for developing, implementing, and issuing policy relating to Communications Security (COMSEC), Cryptographic/COMSEC Access, Emissions Security (TEMPEST), Protected Transmission Systems, Tamper Indicating Prismatic Seals, Public Key Cryptography and Deviations within the Department. Once policy has been issued to the appropriate field members throughout the Department, it is crucial for HR-43 to continuously review national policy to ensure compliance at the Department level. In addition, HR-43 conducts COMSEC audits and cryptofacility surveys, TEMPEST RED/BLACK inspections, TEMPEST advice and assistance visits, training workshops, and provides PDS oversight within the Department to ensure that these programs are maintained in accordance with national policy.
Visit the DOE Crypto Equipment and DOE Unclassified Encryption Equipment Guides that are provided online by our office! These guides support the Telecommunications Security Advisory.
The Information Management (IM) Program Order, 200.1, replaces many extremely detailed Orders with a single Order that takes a broad, high level view of the significance of information management within the Department of Energy community. This Order was developed with consideration for the following goals:
DOE O. 200.1 can be accessed at the DOE Directives website provided by the Los Alamos National Laboratory.
The DOE Telecommunications Security Manual became effective in March of 1997, following the implementation and distribution of the Information Management (IM) Program Order. This Manual supersedes any Telecommunications Security Program manuals or guides previously issued by HR-43. The Telecommunications Security Manual addresses Communications Security (COMSEC), Cryptographic/COMSEC Access Program, Emissions Security (TEMPEST), Protected Transmission Systems (Classified Distributive Information Network and Protected Distribution Systems), Tamper Indicating Prismatic Seals (TIPS), Tranmission Security, Public Key Infrastructure (PKI) and Deviations. It has been issued to a select group of DOE and DOE contractor personnel whose job responsibilities include these programs.
HR-43 is responsible for managing the operation and maintenance of the Department wide Communications Security (COMSEC) program. Communications Security is primarily related to Message Center Operation, but is equally applicable to all other forms of communications protection, such as encryption and decryption of voice communications, data facsimile, television, and control signals. HR-43 conducts biennial communications security audits and cryptofacility surveys of all Department of Energy COMSEC accounts.
To keep the field up to date with policy relating to COMSEC, it is also HR-43's responsibility to develop and conduct training and workshops for all COMSEC personnel. COMSEC account personnel should attend the COMSEC Workshop once every four years to ensure they have updated information and skills to perform their duties. These workshops are offered at different locations within the Department of Energy. They comprise three and a half days of intensive hands on work documenting the receipt, transfer and destruction of COMSEC material. This workshop also includes an up to date threat briefing from the Office of Counterintelligence and current briefings from the National Security Agency (NSA). This workshop is a classified workshop; therefore, it is attended by invitation only.
The DOE Cryptographic/COMSEC Accesss Program is based on and established in accordance with national policy. This national policy requires that a formal access program be maintained to control the access to certain cryptographic/COMSEC information. DOE's access program is explained in full detail in the Telecommunications Security Manual.
The DOE Emissions Security (TEMPEST) Program is based upon coordination and policy formulated by the National Security Agency (NSA). All DOE and DOE contractor facilities that process classified information are required to determine the TEMPEST vulnerability of the information and what countermeasures shall be applied based on the threat. One of HR-43's primary responsibilities is to serve as the Certified TEMPEST Technical Authority (CTTA) over the entire DOE TEMPEST program. HR-43 conducts TEMPEST inspections on a biennial basis of the most sensitive Department of Energy facilities to ensure adequate protection measures have been implemented and are maintained. HR-433 also develops and conducts training on an as needed basis and a workshop for all TEMPEST personnel to attend annually.
The Telecommunictaions Security Workshop that HR-43 provides to all TEMPEST personnel is a Department of Energy wide workshop. This workshop is intended for DOE TEMPEST coordinators and others whose duties require protection of classified or sensitive unclassified information during transmission. The first day of the three day workshop is dedicated to training TEMPEST Coordinators. The next two days are presentations ranging from discussions of PKI to threat briefings on signal intelligence. The workshop also includes a threat briefing from the Office of Counterintelligence (CI). This workshop is a classified workshop; therefore, it is attended by invitation only.
Within the Department of Energy, there are two approved methods for protecting classified information in transmission. The first is encryption, which is outlined in the COMSEC program, and the other is a protected transmission system. A protected transmission system is an approved wireline that has adequate physical and emanations security to allow the unencrypted transmission of classified information. The guidelines for a protected transmission system are disemminated by the National Security Agency (NSA) and are used as the basis for the DOE Protected Distribution System (PDS) and Classified Distributive Information Network (CDIN).
Within DOE, a PDS is only used when very sensitive information must be transmitted through an uncontrolled area. If the physical controls are adequate, the use of a PDS is not required. A CDIN may be used in those areas that have been evaluated as meeting certain criteria for physical, electromagnetic, and accoustical control. HR-43 conducts a program review of protected systems every three years. PDS and CDIN are explained in full detail in the DOE Telecommunications Security Manual.
The Tamper Indicating Prismatic Seals (TIPS) program entails the procurement, installation, and accountability of special seals used for securing protected transmission systems. These seals can be used in certain situations in lieu of welding and epoxy.
The Transmission Security program provides guidance in controlling compromising emanations in classified processors and wirelines not covered under the TEMPEST program. The implementation of this criteria will provide a low cost framework for the secure installation and continued control of classified wirelines to prevent inadvertent exposure to the information by uncleared personnel.
The use of public key cryptography for the protection of sensitive unclassified (SU) information is under the purview of the COMSEC program.
The implementation of public key cryptography will allow the Department to proceed on a path of greater reliance on digital signatures for electronic commerce, access control, and with encryption capabilities, secure message transmittals.
The infrastructure to support public key cryptography is being developed by working groups throughout the Department of Energy. These working groups will provide feedback to the DOE PKI Steering Committee with technical, legal, and policy recommendations. The DOE PKI must comply with all laws and federal requirements, be compatible with developing Federal PKI, and meet the needs of the diverse DOE complex that interacts with vendors, academia, and partners. Click here to see more about these working groups.
The DOE PKI chapter of the Telecommunications Security Manual will outline the roles, responsibilities and procedures for issuing, maintaining, protecting and revoking certificates.
Go to the, "Other Home Pages Section", to view other government and commercial PKI related home pages.
Deviations covers definitions and processes for the criteria covered in all of the programs mentioned. The use of deviations for the programs listed should be a last resort. HR-433 will assist in developing resolutions to noncompliance without the use of deviations, if possible. Waivers and Exceptions require HR-43 approval and are unlikely.
Please send any questions or comments to Sharon L. Shank of the Architecture, Standards and Engineering Group, Office of Information Management, at Sharon.Shank@hq.doe.gov or by telephone at (301) 903-3047.
