The IT Law Wiki

Overview


Under Executive Order 13231, the President redesignated the National Security Telecommunications and Information Systems Security Committee (NSTISSC) as the Committee on National Security Systems (CNSS).

The Department of Defense chairs the Committee under the authorities established by National Security Directive 42 (NSD-42), as amended by Executive Orders (E.O.) 13284 and 13231.

The CNSS provides a forum for the discussion of policy issues, sets national policy, and promulgates direction, operational procedures, and guidance for the security of national security systems.

The Secretary of Defense and the Director of Central Intelligence are responsible for developing and overseeing the implementation of government-wide policies, principles, standards, and guidelines for the security of systems that handle national security information.

Activities

The committee has voting representatives from 21 departments and agencies.[1] In addition, nonvoting observers such as NIST participate in meetings, provide comments and suggestions, and participate in subcommittee and working group activities. The committee organizes its activities by developing an annual program of work and plan of action and milestones. NSA provides logistical and administrative support for the committee, including a Secretariat manager who organizes the day-to-day activities of the committee.

Since its inception, the committee has issued numerous policies, directives, and instructions that are binding upon all federal departments and agencies for national security systems.

Advisory memoranda

The following advisory or information memoranda address ad hoc issues of a general nature relating to national security systems issues. These advisories, as issued, are NOT binding upon U.S. Government departments and agencies.

  • NSTISSAM INFOSEC 1-99: The Insider Threat to U.S. Government Information Systems (July 1999).
  • NSTISSAM INFOSEC 1-00: Advisory Memorandum for the Use of the Federal Information Processing Standards (FIPS) 140-1 Validated Cryptographic Modules in Protecting Unclassified National Security Systems (Feb. 8, 2000).
  • NSTISSAM INFOSEC 2-00: Advisory Memorandum for the Strategy for Using the National Information Assurance Partnership (NIAP) for the Evaluation of Commercial Off-The-Shelf (COTS) Security Enabled Information Technology Products (Feb. 8, 2000).
  • NSTISSAM INFOSEC 3-00: Advisory Memorandum on Web Browser Security Vulnerabilities (Aug. 2000).
  • NSTISSAM COMSEC 1-85: Advisory Memorandum on Release of Communications Security Equipment, Material or Information to Foreign Enterprises (Oct. 29, 1985).
  • NSTISSAM COMPUSEC 1-87: Advisory Memorandum on Office Automation Security Guideline (Jan. 16, 1987).
  • NSTISSAM COMPUSEC 1-98: The Role of Firewalls and Guards in Enclave Boundary Protection (Dec. 1998).
  • NSTISSAM COMPUSEC 1-99: Advisory Memorandum on the Transition From the Trusted Computer System Evaluation Criteria to the International Common Criteria for Information Technology Security Evaluation (Mar. 11, 1999).
  • NSTISSAM TEMPEST 1-00: Maintenance and Disposition of TEMPEST Equipment (Dec. 2000).
  • CNSSAM IA 1-04: Advisory Memorandum for Information Assurance (IA)-Security Through Product Diversity (July 2004).
  • CNSSAM IA 2-04: Advisory Memorandum for Information Assurance (IA)-Retirement of Data Encryption Standard (DES) Based Cryptography to Protect National Security Systems (Nov. 2004; rev. Mar. 2005).
  • CNSSAM IA 1-10: Advisory Memorandum for Information Assurance (IA)-Reducing the Risk of Removable Media in National Security Systems (Dec. 2010).
  • CNSSAM IA 1-12: Advisory Memorandum for Information Assurance (IA)-NSA-Approved Commercial Solution Guidance (June 2012).

Directives

CNSS directives provide details for achieving CNSS policies and are binding upon all U.S. Government departments and agencies. Key directives include:

  • CNSSD-500: Information Assurance (IA) Education, Training, and Awareness (Aug. 2006) (supersedes NSTISSD-500 (Feb. 25, 1993)).
  • CNSSD-502: National Directive On Security of National Security Systems (Dec. 16, 2004) (supersedes NSTISSD-502 (Feb. 5, 1993)).
  • CNSSD-506: National Directive to Implement Public Key Infrastructure for the Protection of Systems Operating on Secret Level Networks (Oct. 9, 2012).
  • CNSSD-900: Governing Procedures of the Committee on National Security Systems (CNSS) (May 9, 2013) (supersedes CNSSD-900 (Sept. 2012)).
  • CNSSD-901: National Security Telecommunications and Information Systems Security (CNSS) Issuance System (Sept. 21, 2012) (supersedes CNSSD-901 (Dec. 2004)).

Instructions

The instructions presented under this topic provide guidance and establish technical criteria for specific national security systems issues. These instructions include technical or implementation guidelines, restrictions, doctrines, and procedures applicable to information assurance. All instructions are binding upon all U.S. Government departments and agencies. Key instructions include:

  • CNSSI-1001: National Instruction On Classified Information Spillage (Feb. 2008).
  • CNSSI-1300: National Instruction On Public Key Infrastructure X.509 Certificate Policy, Under CNSS Policy No. 25 (June 2011).
  • CNSSI-1253: Security Categorization and Control Selection for National Security Systems (Mar. 27, 2014).
  • NSTISSI-3028: Operational Security Doctrine for the FORTEZZA User PCMCIA Card (Dec. 2001).
  • CNSSI-4007: Communications Security (COMSEC) Utility Program (Nov. 2007).
  • CNSSI-4008: Program for the Management and Use of National Reserve Information Assurance Security Equipment (Mar. 2007).
  • CNSSI-4009: National Information Assurance Glossary (May 2003) (rev. Apr. 2010).
  • CNSSI-4031: Cryptographic High Value Products (CHVP) (Feb. 2012).
  • CNSSI-4033: Nomenclature for Communications Security Material (Nov. 2012) (supersedes NSTISSAM/COMSEC 1-93 (Nov. 1, 2012)).
  • CNSSI-5000: Guidelines for Voice Over Internet Protocol (VoIP) Computer Telephony (Apr. 2007).
  • CNSSI-5001: Type-Acceptance Program for Voice Over Internet Protocol (VoIP) Telephones (Dec. 2007).
  • CNSSI-5002: National Information Assurance (IA) Instruction for Computerized Telephone Systems (Feb. 1, 2012).
  • CNSSI-5006: National Instruction for Approved Telephone Equipment (Sept. 1, 2011).
  • CNSSI-5007: Telephone and Security Equipment Submission and Evaluation Procedures (Apr. 1, 2013).
  • NACSI-6002: National COMSEC Instruction (June 14, 1984).
  • NSTISSI-7003: Protective Distribution Systems (PDS) (Dec. 13, 1996).

Policies

The following policies address national security systems issues from a broad perspective. They establish national-level goals and objectives, all of which are binding upon all U.S. Government departments and agencies.

  • CNSSP-1: National Policy for Safeguarding and Control of Communications Security Material (Sept. 2004).
  • CNSSP-3: National Policy for Granting Access to U.S. Classified Cryptographic Information (Oct. 2007).
  • NCSC-5: National Policy on Use of Cryptomaterial by Activities Operating in High Risk Environments (Jan. 6, 1981).
  • CNSSP-6: National Policy on Certification and Accreditation of National Security Telecommunications & Information Systems
  • CNSSP-11: National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology (IT) Products (June 2013).
  • CNSSP-12: National Information Assurance Policy for Space Systems Used to Support National Security Missions (Nov. 28, 2012).
  • CNSSP-14: National Policy Governing the Release of Information Assurance (IA) Products and Services to Authorized U.S. Persons or Activities that are Not a Part of the Federal Government (Nov. 2002).
  • CNSSP-15: National Information Assurance Policy on the Use of Public Standards for the Secure Sharing of Information Among National Security Systems (Oct. 1, 2012).
  • CNSSP-17: Policy on Wireless Communications: Protecting National Security Information (May 2010).
  • CNSSP-18: National Policy on Classified Information Spillage (June 2006).
  • CNSSP-19: National Policy Governing the Use of High Assurance Internet Protocol Encryptor (HAIPE) Products (June 2013).
  • CNSSP-21: National Information Assurance Policy on Enterprise Architectures for National Security Systems (Mar. 2007).
  • CNSSP-22: Information Assurance Risk Management Policy for National Security Systems (Jan. 2012).
  • CNSS-021-13: Amendment 1 for CNSSP-22 (June 2013).
  • CNSSP-24: Policy on Assured Information Sharing (AIS) for National Security Systems (NSS) (May 2010).
  • CNSSP-25: National Policy For Public Key Infrastructure in National Security Systems (Mar. 2009).
  • CNSSP-29: National Secret Enclave Connection Policy (May 2013).
  • NSTISSP-101: National Policy on Securing Voice Communications (Sept. 14, 1999).
  • NSTISSP-200: National Policy on Controlled Access Protection (July 15, 1987).

Reports

These reports identify the key issues and challenges on which the CNSS and the rest of the national security community are focused, the progress being made to address those issues within the national security community, and the additional challenges and priorities that the national security community should consider addressing in the next year.

  • FY2012 Annual Report (Feb. 2013).
  • Progress Against 2008 Priorities (Apr. 2009).
  • An Agenda for Safeguarding National Security Systems (Mar. 2008).

References