Maintenance and Disposition of TEMPEST Equipment

24 March 2001
Source: http://www.nstissc.gov/Assets/pdf/nstissam_tempest_1-00.pdf

[5 pages; all marked "UNCLASSIFIED."]

National Security Telecommunications and Information Systems Security Committee

NSTISSAM/TEMPEST 1-00
December 2000

MAINTENANCE AND DISPOSITION
OF
TEMPEST EQUIPMENT

National Security Telecommunications and Information Systems Security Committee

National Manager

1. National Security Telecommunications and Information Systems Security Advisory Memorandum (NSTISSAM) TEMPEST/1-00, "Maintenance and Disposition of TEMPEST Equipment," supersedes NSTISSAM TEMPEST/3-91. This NSTISSAM provides guidance to personnel responsible for the maintenance and disposition of TEMPEST equipment. It is applicable to all departments and agencies of the U.S. Government that use, maintain, or make disposition of TEMPEST equipment.

2. Representatives of the NSTISSC may obtain additional copies of this instruction at the address below. U.S. Government contractors may contact their appropriate government agency or Contracting Officer Representative regarding distribution of this document. It may also be found on the NSTISSC Home Page located at www.nstissc.gov.

MICHAEL V. HAYDEN
Lieutenant General, USAF

NSTISSC Secretariat (142) National Security Agency. 9800 Savage Road STE 6716 . Ft Meade MD 20755-6716
(410) 854-6805 . UFAX: (410) 854-6814
nstissc@radium.ncsc.mil

MAINTENANCE AND DISPOSITION OF TEMPEST EQUIPMENT

SECTION I - BACKGROUND
SECTION II - PURPOSE AND SCOPE
SECTION III - REFERENCES
SECTION IV - DEFINITIONS
SECTION V - PROCEDURES
SECTION VI - USER RESPONSIBILITY
SECTION VII - DISPOSITION PROCEDURES

SECTION I - BACKGROUND

1. All electronic and electromechanical information processing equipment can produce unintentional data-related or intelligence-bearing emanations which, if intercepted and analyzed, disclose the information transmitted, received, handled, or otherwise processed.

2. It is the policy of the U.S. Government that federal departments and agencies and their designated agents apply TEMPEST countermeasures in proportion to the threat of exploitation. In order to ensure the continuous application of TEMPEST countermeasures, maintenance and disposition procedures should be implemented for TEMPEST equipment.

SECTION II - PURPOSE AND SCOPE

3. This advisory memorandum provides guidelines for the maintenance and disposition of TEMPEST equipment. Such equipment may contain specialized suppression circuitry that must be maintained by knowledgeable persons to ensure proper TEMPEST performance throughout its life cycle. Also, the suppression technology used in such equipment must be protected from general distribution and, therefore, disposition of TEMPEST equipment should be controlled to prevent technology transfer. This document will be made available to U.S. Government personnel who are responsible for maintenance and disposition of TEMPEST equipment.

SECTION III - REFERENCES

4. Reference is made within this advisory memorandum to the following documents:

a. TEMPEST NSTISSAM/1-92, "Compromising Emanations Laboratory Test Requirements, Electromagnetic," dated 15 December 1992.
b. Technical Security Requirements Document (TSRD) No. 88-913, dated 8 March 1991.

SECTION IV - DEFINITIONS

5. For the purpose of this document, the following definition applies:

TEMPEST equipment is defined as equipment listed on the Endorsed TEMPEST Products List (ETPL), the Preferred Products List (PPL), the NATO Recommended Products List (NRPL), and equipment that complies with either Level I or II of NSTISSAM TEMPEST/ 1-92 as certified by a department or agency.

SECTION V - PROCEDURES

6. Currently, the government has in place a TEMPEST Endorsement program (TEP) that establishes guidelines for vendors to manufacture, produce, and maintain their TEMPEST endorsed equipment. In order for a product to remain on the ETPL, the vendor must provide adequate maintenance and life cycle support for its customers to ensure the continued TEMPEST integrity of the product. This support is detailed in the TEP's TSRD No. 88-9B, dated 8 March 1991. Copies of this document may be obtained from the National Security Agency Corporate Customer/Business Relations Office. However, to ensure the continued protection of TEMPEST equipment and to control technology transfer, only citizens of the U.S., Australia, New Zealand, and NATO countries may perform maintenance on TEMPEST equipment. Clearances for maintenance personnel will be based on the requirements of the supported environment.

SECTION VI - USER RESPONSIBILITY

7. The following are guidelines for the development of a maintenance and disposition program:

a. Consider the additional cost of the program for life cycle maintenance and disposition.
b. Ensure that data resident on the equipment is not compromised during the maintenance/disposition process.
c. Keep a log of maintenance action for all TEMPEST equipment to include date of maintenance, action taken, technician name, and equipment model and serial number.
d. Test and recertify the equipment as deemed necessary by the department or agency.
e. Disposition/resale should be consistent with the established export control/technology transfer policy. Questions regarding export policy should be directed to the National Security Agency INFOSEC International Relations Office. Lateral transfers to other U.S. Government departments/agencies, or return to stock when deemed necessary, is highly recommended.

SECTION VII - DISPOSITION PROCEDURES

8. If TEMPEST equipment is to be disposed of in lieu of reuse, the following procedures should be followed:

a. Use approved purging software to overwrite hard drives (if possible). Remove the hard drive from the TEMPEST equipment and deliver to the local information systems security officer/information systems security manager or security officer for return to an appropriate department/agency organization for degaussing disposition.
b. Maintain a log of the model and serial number of all equipment disposed/destroyed (e.g., central processing units, monitors, printers, keyboards, etc.).
c. Provide equipment only to citizens of U.S., Australia, New Zealand, or NATO countries.
d. Destruction of TEMPEST equipment no longer required is recommended if transfer to another U.S. Government department/ agency is impractical.
(1) Serial numbers and any classified markings will be removed from the equipment.
(2) The equipment will be broken into pieces of such a nature as to preclude restoration. Such destruction will be witnessed by an individual cleared to the level of information that the equipment was used to process.
(3) A destruction certificate will be prepared and signed by the witnessing individual. The certificate will include a statement from the witness that all hard drives were removed prior to destruction.
(4) All residue will be returned as scrap metal to the Defense Reutilization Management Office, on DD Form 1348-1 or on an Optional Form 132. A copy of the log required by paragraph 8.b and the destruction certificate will be attached.
(5) Copies of all documents will be forwarded to the local property custodian so the items can be removed from the originator's property records.

Transcription and HTML by Cryptome.