Classified Computing (S-9)

Standard: S-9
Responsible Executive: Vice President for Information Technology and System Chief Information Officer
Responsible Office: Office of the System Chief Information Officer, Information Technology Security and Policy
Date Issued: March 1, 2018
Date Last Revised: N/A 

TABLE OF CONTENTS

Individuals and Entities Affected by this Standard
Contacts
Statement of Standard
Responsibilities

• Chief Information Security Officer
• Facility Security Officer
• Information System Security Manager
• Information System (IS) Users

Definitions
Related Documents, Forms and Tools
History and Updates

INDIVIDUALS AND ENTITIES AFFECTED BY THIS STANDARD

All persons, departments, units, and campuses that currently, or seek to, process, utilize, obtain, or otherwise deal with Classified Information in an Information System.

CONTACTS

STATEMENT OF STANDARD

Purdue University is required to adhere to the Classified Information National Industrial Security Program Operating Manual (NISPOM), which outlines specific requirements for the safeguarding of Classified Information. The responsibilities outlined in this standard reflect how the University will comply with the NISPOM as it relates to the processing of Classified Information on University Information Systems. These requirements apply to all University Information Systems processing Classified Information and to all users of said systems.

Any user who fails to comply with the policy on Information Security and Privacy (VII.B.8), this standard, any applicable System Security Plans (SSPs), and/or the NISPOM will be subject to disciplinary action, up to and including termination of employment.

RESPONSIBILITIES

Chief Information Security Officer

• Ensure compliance with this standard.
• Establish related technical standards and monitor compliance with them.
• Coordinate technical oversight to ensure new implementations of and changes to existing applications and their related hardware are compliant with the current standards.
• Keep abreast of changes in industry and standards.
• In consultation with the Facility Security Officer, appoint an Information System Security Manager who is technically able to perform the responsibilities detailed below and who can be cleared to the level of the Facility Security Clearance.

Facility Security Officer

• Supervise and direct security measures necessary for the implementation of applicable requirements of the NISPOM and related federal requirements for Classified Information.
• Oversee and approve any physical security requirements necessary to secure Information Systems in accordance with the NISPOM.
• Make determinations on which individual users may be tasked with classified computing and, prior to that individual being granted access, process the necessary Personal Clearance for individual access to Classified Information.

Information System Security Manager

• Ensure the development, documentation, and presentation of Information System security education, awareness, and training activities for facility management, Information System personnel, users, and others, as it relates to the NISPOM requirements.
• Establish, document, implement, and monitor procedures and guidelines to ensure compliance with the University’s Information Security and Privacy Program and NISPOM requirements for IS.
• Identify and document unique local threats/vulnerabilities to Information Systems.
• Coordinate the Purdue University Information Security and Privacy Program with other University security programs.
• Ensure that periodic self-inspections of the University’s Information Systems are conducted as part of the overall facility self-inspection and that corrective action is taken for all identified findings and vulnerabilities. Self-inspections are to ensure that each approved Information System is operating as accredited and that accreditation conditions have not changed.
• Ensure the development of facility procedures to:
  • Govern marking, handling, controlling, removing, transporting, sanitizing, reusing, and destroying media and equipment containing Classified Information.
  • Properly implement vendor supplied authentication (password, account names) features or security-relevant features.
  • Report IS security incidents to the Cognizant Security Agency (CSA). Ensure proper protection or corrective measures have been taken when an incident/vulnerability has been discovered.
  • Require that each IS User signs an acknowledgment of responsibility for the security of the Information System.
  • Implement security features for the detection of malicious code, viruses, and intruders (hackers), as appropriate.
• Certify to the CSA, in writing, that each System Security Plan (SSP) has been implemented, that the specified security controls are in place and properly tested, and that the IS is functioning as described in the SSP.
• Ensure notification to the CSA when an IS no longer processes Classified Information or when changes occur that might affect accreditation.
• Ensure that personnel are trained on the Information System’s prescribed security restrictions and safeguards before they are initially allowed to access a system.
• Develop and implement general and remote maintenance procedures based on requirements provided by the CSA.

IS Users

• Comply with the NISPOM, the University’s Information Security and Privacy Program, this standard, and any applicable SSPs. 
• Be aware of and knowledgeable about their responsibilities in regard to IS security.
• Ensure that any authentication mechanisms (including passwords) issued for the control of their access to an IS are not shared and are protected at the highest classified level and most restrictive classification category of information to which they permit access.
• Acknowledge, in writing, their responsibilities for the protection of the Information System and Classified Information
• Understand that access to Classified Information and classified Information Systems is a privilege.

DEFINITIONS

All terms defined in this section are capitalized throughout the document. Additional defined terms may be found in the central Policy Glossary.

Classified Information
As defined in the Classified Information Procedures Act 1980, any information or material that has been determined by the U.S. government, pursuant to an executive order, statute, or regulation, to require protection against unauthorized disclosure for reasons of national security and any restricted data, as defined in paragraph r. of section 11 of the Atomic Energy Act of 1954 (42 U.S.C. 2014(y)). 

Cognizant Security Agency (CSA)
Agencies of the executive branch of the U.S government that have been authorized to establish an industrial security program to safeguard Classified Information under the jurisdiction of those agencies when disclosed or released to U.S. industry. 

Facility Security Clearance (FCL)
An administrative determination made by the Department of Defense that, from a national security standpoint, a facility (in this case, Purdue University) is eligible for access to Classified Information at the same or lower classification category as the clearance being granted (e.g., confidential, secret, or top secret). The FCL includes the execution of a Department of Defense Security Agreement. Under the terms of the agreement, the federal government agrees to issue the FCL and inform the contractor as to the security classification of information to which the contractor will have access. The contractor (Purdue University), in turn, agrees to abide by the security requirements set forth in the NISPOM. 

Facility Security Officer
A U.S. citizen employee of the University, who is cleared and appointed as part of the FCL, responsible for supervising and directing security measures necessary for implementing applicable  NISPOM measures and related federal requirements for the protection of classified systems.

Information System Security Manager
Primary point of contact for all matters regarding the processing of Classified Information on an Information System. 

IS (Information System)
An integrated set of components for collecting, storing, and processing data and for delivering information, knowledge and digital products. 

IS (Information System) User
Any person accessing or using Information Systems or information available through these systems. In the context of this standard, any person accessing or using Information Systems components that collect, store, process, or transmit Classified Information.

NISPOM
The National Industrial Security Program Operating Manual, DoD 5220.22-M, which establishes the standard procedures and requirements for all government contractors with regards to Classified Information. 

Personal Clearance
Authorization granted by a CSA to an individual for access to Classified Information at the same or lower classification category as the clearance being granted (e.g., confidential, secret, top secret). 

SSP (System Security Plan)
The formal document used by the contractor (Purdue University) to identify the protection measures to safeguard information being processed in a classified environment. 

RELATED DOCUMENTS, FORMS AND TOOLS

This standard is issued in support of the policies on Information Security and Privacy (VII.B.8) and Acceptable Use of IT Resources and Information Assets (VII.A.4), as amended or superseded.

• IT Security policies, standards and guidelines
• National Industrial Security Program Library (includes links to the NISPOM and Industrial Security Letters)

HISTORY AND UPDATES

March 1, 2018: This is the first standard to address this issue. It details the University’s responsibilities relative to (1) the resolution by the Board of Trustees approved July 18, 2014, that updated duties and responsibilities concerning access to and management, handling, and protection of federally classified information and (2) the Department of Defense Security Agreement that grants a Facility Security Clearance to Purdue University.