Information Type: Sample Format

INTEK-MC - Strawman Network Security Plan

1. General Information: 40 Fill in the blanks
2. Scope and Applicability: 2 Fill in the blanks
3. Objective: 1 Fill in the blank
4. Personnel Assignments: 8 Fill in the blanks
5. Protection Requirements: 50 Fill in the blanks
6. Risk Analysis Guidance: 4 Fill in the blanks
7. Security Test & Evaluation Guidance: 3-4 Fill in the blanks

1. General Information:

 

a. Facility Name/Address.

 

b. Contract Number.

 

c. Mission - Business.

 

d. Network environment and special considerations.

 

e. Criticality and Sensitivity.

 

(1) Applicable laws or regulations affecting the network.

 

(2) General description of information sensitivity.

 

(3) Classified data volume.

 

f. Network Identification:

 

(1) Responsible organization.

 

(2) Official network title.

 

(3) System category.

 

(a) Major application, or

 

(b) General support system.

 

(4) System operational status.

 

(a) Operational,

 

(b) Under development, or

 

(c) Major modification.

 

(5) Network inventory.

 

(a) Description of the network.

 

(b) Node interfaces.

 

(c) Interfaces to other networks.

 

(d) Identification of designated points of demarcation between networks.

 

(e) Hardware components.

 

1. Transmission media.

 

2. Network nodes.

 

3. User nodes.

 

4. Hardware protection mechanisms such as PDS or encryption devices.

 

5. Gateways, bridges, filters, repeaters, etc.

 

6. Identification of components of network nodes involved in:

 

a. Operation

 

b. Administration

 

c. Control.

 

7. Identification of the system security plans.

 

(f) Software components.

 

1. Protocols used.

 

2. Network monitor software.

 

3. Analysis software.

 

4. Security databases.

 

5. Applications software.

 

(6) Network configuration. This paragraph provides a network configuration description.

 

(7) Network purpose. This paragraph describes the purpose of the network and the advantages provided by networking.

 

(8) Physical location.

 

(a) Include the full name and address of all facilities interconnected by the network.

 

(b) Identify all areas in which the installation will take place, including building designations, floors, and room numbers. Where appropriate (e.g., for EMSEC considerations), a building schematic may be required. Identify the types of areas (exclusion, security, controlled, open) traversed by the network.

2. Scope and Applicability:

 

a. Who will use the network?

 

b. State if the plan will be used for life-cycle security procedures.

3. Objective: Explain the planned objectives. This should include the implementation of security measures to protect the facilities, hardware, software and information.

4. Personnel Assignments:

 

a. Designated Approving Authority.

 

b. Office of Primary Responsibility.

 

c. Computer Systems Manager.

 

d. Network Manager.

 

e. Network Security Officer.

 

f. TASOs for the network.

 

g. Functional OPR.

 

h. Any other assignments.

5. Protection Requirements:

 

a. Applicable Guidance.

 

b. Personnel Security.

 

(1) Describe the controls used to ensure that personnel accessing the network have proper clearance and need to know for the resources they may access via the network.

 

(2) Outline the various components of a network which a user may have access to while performing their normal duties.

 

c. Physical Security.

 

(1) Physical Protection Measures:

 

(a) Describe the physical security measures utilized to protect the general area(s) in which the network is installed and restrict access to the various components of the network including the transmission media.

 

(b) Describe the physical protection employed for storage media associated with network control nodes. Do not include media covered by the individual system security plans unless the node is also used to control, administer, or operate the network.

 

(2) Protection against civil disorder. Highlight physical security protection available to limit interference by civil disorders.

 

d. Telecommunication Security:

 

(1) Transmission security. Describe the methods used to meet the transmission security requirement. Also describe the type of transmission used: digital transmission, compared to analog, increases intercept difficulty because the perpetrator must determine the transmission rate and digital coding scheme used by the carrier or user equipment.

 

(2) EMSEC Security. Describe the signaling level of the network components and determine whether it conforms with INTEK-SSI 7000 requirements for low-level signaling. Non-EMSEC constrained networks should include a statement of non-applicability regarding EMSEC requirements.

 

(3) Circuit Routing. Alternative routing, compared with dedicated routing, will increase intercept difficulty because the targeted transmission will not be limited to the same circuit.

 

e. Administrative Security.

 

(1) Individual Node Security. A statement assuring that all nodes on the network are covered by an active accredited System Security Plan.

 

(2) Network Operating Procedures. Verify the existence of network operating procedures available to maintenance and operations personnel.

 

(3) Configuration Management Procedures. Describe the procedures for maintaining configuration control.

 

(4) Physical Access Procedures. Describe the procedures for controlling physical access to network components.

 

(5) User Authorization Procedures. Describe the rules and restrictions for determination of user identification, authentication, and authorization.

 

(6) Audit Procedures. Describe the procedures for gathering, examining, and archiving audit information.

 

(7) Procedures for reporting security incidents. Describe the procedures for reporting observed network violations to the proper authorities.

 

(8) User responsibilities. Describe training available to the users of the network to increase their network security awareness.

 

(9) Information Security. Describe procedures for handling classified information and for the destruction of classified data.

 

(10) Node responsibilities. Describe the minimum security a node must meet before it will be allowed connection to the network.

 

f. Hardware and Software Security.

 

(1) User access control.

Describe the procedures used to uniquely identify and authenticate both users and nodes. 

Describe how the log in information is protected during transmission on the network and on the individual nodes processing or storing that information. 

Describe how requests for connections are authorized. 

Describe the methods used to authorize/verify the usage of network services. Include descriptions of those controls to be provided by the network and those to be provided by the nodes.

 

(2) Need-to-know protection. Describe the method used to provide need-to-know protection.

 

(3) Discretionary/mandatory access controls. 

Describe the security aspects inherent to the protocol(s) used, including information such as how data are labeled during transmission and how connections are initiated, controlled, and terminated. 

Describe the error recovery/processing techniques used by the protocol and why information cannot be misrouted as a result of transmission errors. 

Describe how discretionary/mandatory access controls are fulfilled. Identify the network components that are labeled. 

Identify the classification level of all interconnected subnetworks. 

Describe the features provided by any security filters (if applicable). Include descriptions of those controls to be provided by the network and those to be provided by the nodes.

 

(4) Audit and monitoring function. 

Describe the methods and hardware/software components used to support the audit requirements. Include information about what data are to be gathered, how the data are to be obtained, how the audit information is protected from unauthorized access, and types of analyses to be performed on the audit information. 

Describe mechanisms in place to monitor the network including usage statistics, performance, and node identification. Include descriptions of those controls to be provided by the network and those to be provided by the nodes.

 

g. Operational Controls. Describe the operational controls used to provide the following:

 

(1) Physical and environmental protection.

 

(2) Production, I/O controls.

 

(3) Emergency, backup, and contingency planning.

 

(4) Audit and variance detection.

 

(5) Application software maintenance controls.

 

(6) Documentation.

 

h. Security Control Measures for Major Applications.

 

(1) Development/implementation controls.

 

(a) Security specifications.

 

(b) Design review and testing.

 

(c) Certification.

 

(2) Technical Controls.

 

(a) User identification and authentication.

 

(b) Authorization/access controls.

 

(c) Integrity controls.

 

(d) Audit trail mechanisms.

 

(e) Confidentiality controls.

 

(3) Controls over the security of applications.

 

i. Security Awareness and Training.

6. Risk Analysis Guidance: Include guidelines for performing the risk analysis; for example, the scope of the risk analysis, any assumptions or constraints, and the criteria each system or user must meet to connect to the network.

7. Security Test & Evaluation Guidance: Include guidelines for performing the ST&E; for example, the scope for the ST&E requirements to test against.

8. Additional Comments:

 

File Owner: Jim Tracy
Organization: INTEK
Phone: (314) 596-8750
E-mail: jimt@intek.net
Date Last Reviewed: May 2001
