Classified Computing (S-9)

Standard: S-9
Responsible Executive: Vice President for Information Technology and Chief Information Officer
Responsible Office: Office of the Vice President for Information Technology
Date Issued: March 1, 2018
Date Last Revised: September 1, 2025

Contacts
Individuals and Entities Affected
Statement of Standard
Responsibilities
Definitions
Related Documents, Forms and Tools
History and Updates

Contacts

Clarification of Standard

Purdue Systems Security
765-494-4000 | itpolicyanswers@purdue.edu

Clarification of Legal Requirements

Facility Security Officer
765-357-6937 | fso@purdue.edu

Individuals and Entities Affected

All persons, departments, units, and campuses that currently, or seek to, process, utilize, obtain, or otherwise deal with Classified Information in an Information System.

Statement of Standard

Purdue University is required to adhere to federal requirements for the safeguarding of Classified Information. The responsibilities outlined in this standard reflect how the University complies with applicable laws, regulations, and agency requirements as they relate to the processing of Classified Information on University Information Systems. These requirements apply to all University Information Systems processing Classified Information and to all users of these systems.

Any user who fails to comply with this standard or any applicable System Security Plans (SSPs) will be subject to disciplinary action, up to and including termination of employment.

Responsibilities

Chief Information Security Officer

Oversee compliance with this standard.
Establish related technical standards and monitor compliance with them.
Coordinate technical oversight to ensure new implementations of and changes to existing applications and their related hardware are compliant with the current standards.
Keep abreast of changes in industry and standards.
In consultation with the Facility Security Officer, appoint an Information System Security Manager who is technically able to perform the responsibilities detailed below and who can be cleared to the level of the Facility Security Clearance.

Facility Security Officer

Make determinations on which individual users may be tasked with classified computing and, prior to that individual being granted access, process the necessary Personal Clearance for individual access to Classified Information.

Information System Security Manager

Ensure the development, documentation, and presentation of Information System security education, awareness, and training activities for facility management, Information System personnel, IS Users, and others, as it relates to federal requirements for classified computing.
Establish, document, implement, and monitor procedures and guidelines to ensure compliance with the University’s Information Security and Privacy Program and federal requirements for IS.
Identify and document unique local threats/vulnerabilities to Information Systems.
Ensure that periodic self-inspections of the University’s Information Systems are conducted as part of the overall facility self-inspection and that corrective action is taken for all identified findings and vulnerabilities. Self-inspections are to ensure that each approved Information System is operating as accredited and that accreditation conditions have not changed.
Ensure the development of facility procedures to:
- Govern marking, handling, controlling, removing, transporting, sanitizing, reusing, and destroying media and equipment containing Classified Information.
- Properly implement vendor supplied authentication (password, account names) features or security-relevant features.
- Report IS security incidents to the Cognizant Security Agency (CSA). Ensure proper protection or corrective measures have been taken when an incident/vulnerability has been discovered.
- Require that each IS User signs an acknowledgment of responsibility for the security of the Information System.
- Implement security features for the detection of malicious code, viruses, and intruders (hackers), as appropriate.
Certify to the CSA, in writing, that each System Security Plan (SSP) has been implemented, that the specified security controls are in place and properly tested, and that the IS functions as described in the SSP.
Ensure notification to the CSA when an IS no longer processes Classified Information or when changes occur that might affect accreditation.
Ensure that personnel are trained on the Information System’s prescribed security restrictions and safeguards before they are initially allowed to access a system.
Develop and implement general and remote maintenance procedures based on requirements provided by the CSA.
Appoint an Information System Security Officer(s) (ISSO) as necessary to assist in implementing and monitoring the security program.

IS Users

Comply with the University’s Information Security and Privacy Program, this standard, and any applicable SSPs.
Be aware of and knowledgeable about their responsibilities in regard to IS security.
Ensure that any authentication mechanisms (including passwords) issued for the control of their access to an IS are not shared and are protected at the highest classification level and most restrictive classification category of information to which they permit access.
Acknowledge, in writing, their responsibilities for the protection of the Information System and Classified Information.
Understand that access to Classified Information and Classified Information Systems is a privilege.

Definitions

All terms defined in this section are capitalized throughout the document. Additional defined terms may be found in the central Policy Glossary.

Classified Information
See definition in the policy on Classified Information (I.A.7).

Cognizant Security Agency (CSA)
Agencies of the executive branch of the U.S government that have been authorized to establish an industrial security program to safeguard Classified Information under the jurisdiction of those agencies when disclosed or released to U.S. industry.

Facility Security Clearance (FCL)
See definition in the policy on Classified Information (I.A.7).

Facility Security Officer
See definition in the policy on Classified Information (I.A.7).

Information System Security Manager
Primary point of contact for all matters regarding the processing of Classified Information on an Information System.

IS (Information System)
An integrated set of components for collecting, storing, and processing data and for delivering information, knowledge and digital products.

IS (Information System) User
Any person accessing or using Information Systems or information available through these systems. In the context of this standard, any person accessing or using Information Systems components that collect, store, process, or transmit Classified Information.

Personal Clearance
Authorization granted by a CSA to an individual for access to Classified Information at the same or lower classification category as the clearance being granted (e.g., confidential, secret, top secret).

SSP (System Security Plan)
The formal document used by the contractor (Purdue University) to identify the protection measures to safeguard information being processed in a classified environment.

History and Updates

September 1, 2025: Standard reviewed and updated to reflect changes in federal requirements and the establishment of an overarching university policy on Classified Information. Contacts section updated.

March 1, 2018: This is the first standard to address this issue. It details the University’s responsibilities relative to (1) the resolution by the Board of Trustees approved July 18, 2014, that updated duties and responsibilities concerning access to and management, handling, and protection of federally classified information and (2) the Department of Defense Security Agreement that grants a Facility Security Clearance to Purdue University.