Telephone Security Equipment. Submission and Evaluation. Procedures COMMITTEE ON NATIONAL SECURITY SYSTEMS. CNSSI No.



Similar documents
POLICY ON WIRELESS SYSTEMS

POLICY ON THE USE OF COMMERCIAL SOLUTIONS TO PROTECT NATIONAL SECURITY SYSTEMS

GUIDELINES FOR VOICE OVER INTERNET PROTOCOL (VoIP) COMPUTER TELEPHONY

NATIONAL INFORMATION ASSURANCE (IA) INSTRUCTION FOR COMPUTERIZED TELEPHONE SYSTEMS

Policy on Information Assurance Risk Management for National Security Systems

NATIONAL DIRECTIVE FOR IDENTITY, CREDENTIAL, AND ACCESS MANAGEMENT CAPABILITIES (ICAM) ON THE UNITED STATES (US) FEDERAL SECRET FABRIC

Committee on National Security Systems

Enterprise Audit Management Instruction for National Security Systems (NSS)

Department of Defense INSTRUCTION

UNCLASSIFIED NATIONAL POLICY ON CERTIFICATION AND ACCREDITATION OF NATIONAL SECURITY SYSTEMS UNCLASSIFIED. CNSS Policy No.

TSG GUIDELINES FOR COMPUTERIZED TELEPHONE SYSTEMS TSG STANDARD 2

This directive applies to all DHS organizational elements with access to information designated Sensitive Compartmented Information.

PROCESSING CLASSIFIED INFORMATION ON PORTABLE COMPUTERS IN THE DEPARTMENT OF JUSTICE

How To Write A Contract For Software Quality Assurance

FSIS DIRECTIVE

(U) RED/BLACK Installation Guidance

CARMEL UNIFIED SCHOOL DISTRICT REQUEST FOR PROPOSALS - VOIP SYSTEMS

Baseline Cyber Security Program

Announcing Approval of Federal Information Processing Standard (FIPS) 197, Advanced. National Institute of Standards and Technology (NIST), Commerce.

U.S. Department of Energy

PROPOSALS REQUESTED THE TOWN OF OLD ORCHARD BEACH POLICE DEPARTMENT FOR IP-BASED VOICE COMMUNICATION SYSTEM

B1 Project Management 100

FAR Table Instructions for Submitting Cost/Price Proposals When Cost or Pricing Data Are Required

National Security Agency Perspective on Key Management

SECURITY CATEGORIZATION AND CONTROL SELECTION FOR NATIONAL SECURITY SYSTEMS

REQUEST FOR INFORMATION (RFI) RFI No FOR INFORMATION TECHNOLOGY DISASTER RECOVERY AND COLOCATION DATA CENTER SOLUTIONS

2. Electronic Health Record EHR : is a medical record in digital format.

PROTECTED DISTRIBUTION SYSTEMS (PDS)

Department of Defense INSTRUCTION

REVENUE REGULATIONS NO issued on December 29, 2009 defines the requirements, obligations and responsibilities imposed on taxpayers for the

User Authentication Guidance for IT Systems

Configuration Management Self Assessment Checklist

NTSWG GUIDELINES FOR COMPUTERIZED TELEPHONE SYSTEMS (CTS) Supplemental. NTSWG STANDARD 2(a)

Final FAR Rule For Implementing Section 508 of the Rehab Act Electronic and Information Technology Accessibility for Persons with Disabilities

ORDER National Policy. Effective Date 09/21/09. Voice Over Internet Protocol (VoIP) Security Policy SUBJ:

Medicaid Eligibility and Enrollment (EE) Implementation Advanced Planning Document (IAPD) Template. Name of State Medicaid Agency:

Department of Defense

U.S. Department of Energy Washington, D.C.

SECURITY CATEGORIZATION AND CONTROL SELECTION FOR NATIONAL SECURITY SYSTEMS

Scope: Communications and Electronic Systems addressed in this section include:

Department of Veterans Affairs VA DIRECTIVE 6510 VA IDENTITY AND ACCESS MANAGEMENT

Directives and Instructions Regarding Wireless LAN in Department of Defense (DoD) and other Federal Facilities

VILLAGE OF PALMETTO BAY PUBLIC RECORD REQUEST POLICY

FROM: «Contract_Start_Date» VENDOR ID NUMBER: TO: «Contract_End_Date» «Federal_Tax_ID_» FUNDING AMOUNT FOR INITIAL PERIOD: «Contract_Amount»

OFFICE OF INSURANCE REGULATION Company Admissions

CITY OF MILTON REQUEST FOR PROPOSAL # ITS

DRAWING NUMBER REVISION TITLE PAGE C Planning of Product Realization 1 of 5

Request for Proposal for Telephone System Hosted VoIP System On Premise VoIP System Hybrid IP System #RFP PHONE SYSTEM 1

Directives and Instructions Regarding Security and Installation of Wireless LAN in DoD Federal Facilities

-1- PSEG-LI Update of LIPA SGIP Full Docw-NYISO reqmts above 10 MW

Department of Defense INSTRUCTION

E X E C U T I V E O F F I CE O F T H E P R E S I D EN T

Minimum Security Requirements for Federal Information and Information Systems

REQUEST FOR PROPOSAL to provide ON-CALL ENVIRONMENTAL CONSULTING SERVICES for the RIVERSIDE COUNTY TRANSPORTATION DEPARTMENT

LCD SOLUTIONS and CLICKTATE.COM BUSINESS ASSOCIATE AGREEMENT and DISCLOSURE of RIGHTS to COVERED ENTITIES

Introduction The Role of Pharmacy Within a NHS Trust Pharmacy Staff Pharmacy Facilities Pharmacy and Resources 6

Department of Defense DIRECTIVE

FedRAMP Standard Contract Language

INDEPENDENT CONTRACTOR CONSULTING AGREEMENT INSTRUCTIONS, ROUTING AND APPROVAL COVER SHEET

City of Kenmore, Washington

UCLA Information Technology Services/ Medical Center Information Technology Services Ronald Reagan UCLA Medical Center

This is the Annexure A to Positive Covenant between and Woollahra Municipal Council

CMS Policy for Configuration Management

Joyce Plummer, Procurement Agent

Department of Defense INSTRUCTION. SUBJECT: Public Key Infrastructure (PKI) and Public Key (PK) Enabling

ALS Configuration Management Plan. Nuclear Safety Related

8. Master Test Plan (MTP)

HAWAI I RULES GOVERNING TRUST ACCOUNTING

QUALITY MANAGEMENT SYSTEM REVIEW AND APPROVAL TEMPLATE (DOE G A, Appendix A, )

DATA ITEM DESCRIPTION

Draft Information Technology Policy

Electronic Medical Record (EMR) Request for Proposal (RFP)

CHARTER OF THE AUDIT AND RISK MANAGEMENT COMMITTEE OF THE BOARD OF DIRECTORS OF BLACKBERRY LIMITED AS ADOPTED BY THE BOARD ON MARCH 27, 2014

Department of Defense INSTRUCTION

Legislative Language

National Information Assurance Certification and Accreditation Process (NIACAP)

WHITEPAPER: SOFTWARE APPS AS MEDICAL DEVICES THE REGULATORY LANDSCAPE

Avaya DECT R4 Telephones Models 3720, 3725, 3740, 3745 and 3749

IT Security Handbook. Incident Response and Management: Targeted Collection of Electronic Data

Business Associate Agreement

Old Phase Description New Phase Description

NOAA HSPD-12 PIV-II Implementation October 23, Who is responsible for implementation of HSPD-12 PIV-II?

MATERIALS: The Contractor shall provide the latest version of Primavera SureTrak software.

CYBER SECURITY PROCESS REQUIREMENTS MANUAL

Project Completion Report (PCR) User Guide

UNCLASSIFIED UNCLASSIFIED UNCLASSIFIED UNCLASSIFIED 1

MS 893: Freedom of Information Act Administration

Promulgation Details for 1 RCNY This rule became effective on August, 04, 2014.

FIRE ALARM SYSTEM SUBMITTAL CHECKLIST AND APPLICATION

FLORIDA STATE COLLEGE AT JACKSONVILLE COLLEGE CREDIT COURSE OUTLINE. CTS 2655 and CNT 2102 with grade of C or higher in both courses

Transcription:

COMMITTEE ON NATIONAL SECURITY SYSTEMS April 2013 Telephone Security Equipment Submission and Evaluation Procedures THIS DOCUMENT PRESCRIBES MINIMUM STANDARDS YOUR DEPARTMENT OR AGENCY MAY REQUIRE FURTHER IMPLEMENTATION

National Manager FOREWORD 1. The Committee on National Security Systems Instruction (CNSSI) No. 5007, Telephone Security Equipment Submission and Evaluation Procedures, provides guidance to U.S. Government Departments or Agencies, U.S. Government sponsors, and vendors for submission and evaluation of telephone equipment or devices. 2. The National Telephone Security Working Group (NTSWG), formerly known as the Telephone Security Group (TSG), is the primary technical and policy resource of the U.S. Government for all aspects of the technical security program involving telephone systems located in areas where National Security Information (NSI), ( regardless of classification level) or other sensitive government information is discussed. The TSG was originally chartered to develop and promulgate telephone security standards. 3. This instruction also supports compliance with Intelligence Community Directive No. 705, Sensitive Compartmented Information Facilities (SCIF), 26 May 2010, which delineate SCIF compliance for the protection of sensitive information and unclassified telecommunications information processing systems and equipment. 4. Existing TSG standards will be replaced and issued as CNSS Instructions. 5. CNSS Instruction No. 5007 is effective on the date of signature. 6. Copies of this instruction may be obtained by contacting the Secretariat as cited below or at www.cnss.gov. 7. U.S. Government contractors and vendors shall contact their appropriate government agency or Contracting Officer Representative regarding distribution of this document. FOR THE NATIONAL MANAGER /s/ DEBORA A. PLUNKETT CNSS Secretariat (IE32) / National Security Agency * 9800 Savage Road - Suite 6716 - Ft Meade MD 20755-6716 Office: (410) 854-6805 / Fax: (410) 854-6814 cnss@nsa.gov

TABLE OF CONTENTS SECTION PAGE SECTION I PURPOSE 1 SECTION II AUTHORITY 1 SECTION III - SCOPE 1 SECTION IV RESPONSIBILITIES 2 SECTION V DEFINITIONS 2 SECTION VI REFERENCES 2 SECTION VII - SUBMISSION PROCEDURES 2 ANNEX ANNEX A REFERENCES A-1 ANNEX B SUBMITTAL REQUIREMENTS B-1 ANNEX C PRODUCT PRE-TESTING/LAB CHECKLIST C-1 SECTION I PURPOSE 1. This instruction provides guidance to U.S. Government Departments or Agencies, U.S. Government Sponsors, and vendors for submission and evaluation of telephone equipment or devices by the Interagency Telephony Lab (ITL). SECTION II AUTHORITY 2. The authority to issue this instruction derives from National Security Directive 42, (reference a.) which outlines the roles and responsibilities for securing National Security Systems (NSS), consistent with applicable law, E.O. 12333, as amended, and other Presidential directives. 3. Nothing in this Instruction shall alter or supersede the authorities of the Director of National Intelligence. SECTION III SCOPE 4. The provisions of this instruction apply to all U.S. Government Departments or Agencies or U.S. Government contractors who install and use telephony and related systems in spaces that National Security Information (NSI), regardless of classification 1

level, or other sensitive government information is discussed, or when used as a point of isolation in accordance with Intelligence Community Directive Number 705, Sensitive Compartmented Information Facilities, 26 May 2010 (reference b). 5. This instruction shall be referenced and included in U.S. Government-sponsored procurement specifications to define NTSWG type accepted telephones. 6. This instruction shall be made available to telephony manufacturers who are supporting U.S. Government requirements for the NTSWG. SECTION IV RESPONSIBILITIES 7. Heads of Federal Departments and Agencies shall: a. Develop, fund, implement, and manage programs to ensure that the goals of this policy are achieved and that plans, programs, and policy issuances that implement this instruction are fully supported. b. Incorporate the content of this instruction into annual user education, training, and awareness programs to include procurement training programs. SECTION V DEFINTIONS 8. The definitions contained in CNSS Instruction No. 4009, National IA Glossary (reference c) apply to this Instruction. SECTION VI REFERENCES 9. Future updates to referenced documents, unless they are in direct contradiction to the requirements of the effective edition of this policy, shall be considered applicable to this policy. SECTION VII SUBMISSION PROCEDURES 10. Telephone security equipment or device submission procedures are separated by the roles/responsibilities of the U.S. Government Sponsor, vendor, and ITL. References d through q provide specific guidance that should be reviewed and considered prior to submission of any telephone security equipment, device, or system. a. U.S. Government Sponsors must: 2

1) Be a CNSS Organizational Member or Observer; 2) Identify the requirement for submitting the equipment or device; 3) Confirm that the required evaluation, as delineated in ANNEX B, is completed prior to submission of equipment or device; 4) Notify the NTSWG Chair of the intent to present telephone equipment or device to working group members; 5) Follow applicable instructions in Product Pre-testing/Lab Checklist as delineated in ANNEX C. b. Vendors must: 1) Obtain U.S. Government sponsorship from a CNSS Member/Observer organization; Sponsor; 2) Complete an evaluation and present the results to their U.S. Government 3) Follow instructions in the Product Pre-testing/Lab Checklist and submit telephone equipment or device to the ITL for evaluation, which may include additional components as necessary; 4) Any additional components needed to make the equipment operational for testing is a sponsor/vendor responsibility. c. Interagency Telephony Lab must: 1) Prior to testing, review the Product Pre-testing/Lab Checklist, as delineated in ANNEX C. The Product Pre-testing/Lab Checklist shall be provided to the ITL by the U.S. Government Sponsor and/or vendor; 2) Prior to testing, notify the NTSWG Chair of receipt of the checklist; 3) Prior to testing, provide the vendor/sponsor a cost estimate based upon the number and kinds of tests that are to be performed; 4) Review pre-test evaluation results as presented by the vendor during a presentation session to the NTSWG; 5) Conduct evaluations of telephone equipment or devices to ensure specifications are met by the vendor; 3

6) Notify the NTSWG of pass or fail evaluation results and brief the NTSWG members of the status; 7) Provide a monthly status report of equipment currently under evaluation, as well as the prioritization of those in the evaluation queue. Encl: ANNEX A ANNEX B ANNEX C REFERENCES SUBMITTAL REQUIREMENTS PRODUCT PRE-TESTING/LAB CHECKLIST 4

ANNEX A REFERENCES a. National Security Directive (NSD) 42, National Policy for the Security of National Security Telecommunications and Information Systems, July 5, 1990. b. Intelligence Community Directive Number 705, Sensitive Compartmented Information Facilities, 26 May 2010 with associate technical specifications. c. Committee on National Security Systems Instruction (CNSSI) No. 4009, National Information Assurance (IA) Glossary, Revised April 2010. d. Code of Federal Regulations, Title 32 National Defense, Volume 6, Part 2004 Directive on Safeguarding Classified National Security Information, Revised July 2003. e. Intelligence Community Directive (ICD) Number 702, Technical Surveillance Countermeasures, February 18, 2008. f. National Institute for Standards and Technology (NIST), Federal Information Processing Standards (FIPS) Publication 140-2, Security Requirements for Cryptographic Modules, 25 May 2001. g. Telephone Security Group (TSG) Standard 1, Introduction to Telephone Security, March 1990. h. Telephone Security Group (TSG) Standard 5, On-Hook Telephone Audio Security Performance Specifications, March 1990. i. Committee on National Security Systems Instruction (CNSSI) No. 5000, Guidelines for Voice over Internet Protocol (VoIP) Computer Telephony, April 2007. j. Committee on National Security Systems Instruction (CNSSI) No. 5001, Type- Acceptance Program for Voice over Internet Protocol (VoIP) Telephones, December 2007. k. CNSSI No. 5002 (formerly known as TSG 2), National Information Assurance (IA) Instruction for Computerized Telephone Systems, Revised September 1993. l. CNSSI No. 5006 (formerly known as TSG 6), Telephone Security Group Approved Equipment, Revised September 2011. A-1 ANNEX A to

m. IEEE 802.1.Q, IEEE Standard for Local and metropolitan area networks Virtual Bridged Local Area Networks, 2005. n. CNSS Policy No. 17, Policy on Wireless Communications; Protecting National Security Information, May 2010. o. Telephone Security Group (TSG) Standard 2a, NTSWG Guidelines for Computerized Telephone Systems Supplemental, dated March 2001. p. Telephone Security Group (TSG) Standard 3, Type-Acceptance Program for Telephones used with the Conventional Central Office Interface, March 1990. q. Telephone Security Group (TSG) Standard 4, Type-Acceptance Program for Electronic Telephones used in Computerized Telephone Systems, dated March 1990. A-2 ANNEX A to

ANNEX B SUBMITTAL REQUIREMENTS 1. The Evaluation process enumerates the documentation package s components and contents that vendors must submit to their sponsor for the NTSWG to consider for use of the product in spaces where NSI or other sensitive government information is discussed, and to recommend approval by the National Manager for National Security Telecommunications and Information Systems Security. 2. The documentation package must be comprised of the following: a. Application Letter b. Product Summary c. Product Functional Description d. Electrical Schematics e. Criterion Citation f. Field Test Guide g. Completed Entry Data Sheet (reference CNSSI No. 5006) 3. The documentation package components and contents are as follows: a. The Application Letter must contain: i. Product identification to include manufacturer, product line, model, serial number, and additional descriptive information, as necessary, to eliminate all possibility of ambiguity or confusion with any other product. ii. Device type and class for which application is being made. iii. Certification that the product meets the criteria for that type and class, if applicable, and that it may be opened for visual and electrical inspection at any time without invalidating the normal product warranties, except Type 1 Encryption Devices that are exempt from this requirement. iv. Point of contact for inquiries to include name, title, address, telephone number, and e-mail address. B-1 ANNEX B to

b. The Product Summary must contain: i. A brief description of the product, major features, common applications, and technical specifications that would be annotated in the manufacturer s sales and technical brochures c. The Product Functional Description must contain: i. Product operation theory ii. Appearance iii. Installation Requirements iv. Operations manual v. Identification of all systems with which the product is compatible vi. Features, options, and auxiliary units available with the product d. Electrical Schematics must: i. Contain high-level block diagram that show relationship between functions. ii. Identify all transducers, circuit components, circuit boards, and subassemblies that provide audio protection. iii. Identify all signal and power paths into and out of the device. iv. Identify manufacturer and model of all components used to implement and control positive security measures. v. Identify on-page and off-page connectors with clear and consistent labels, as required. vi. Clearly identify label test points where protection integrity can be electrically confirmed. e. Criterion Citation contains: i. A citation of each applicable type-acceptance criterion by paragraph number in the Design and Construction Specifications/Requirements part of the pertinent document and show how the proposed product complies with the criterion in the following sections: B-2 ANNEX B to

1) Introduction 2) Operational Limitations 3) Telephone Security Inspection Support Measures ii. Telephone type and pertinent document include References e, i, and j that are listed in ANNEX A and are posted on the CNSS website, www.cnss.gov. f. Field Test Guide, except for Type 1 Encryption Devices that are exempt from this requirement: i. Instructions on how to disassemble the device and gain access to the electrical test points from a field tester s perspective. ii. Explanation of testing to include instruments used, measurement values, and/or thresholds for passing and failing. iii. Instructions on how to assemble the device back to an operational state. g. The Completed Entry Data Sheet must document: i. Device Type ii. Manufacturer iii. Model iv. Trade Name v. Description and Use vi. Order Code vii. Point of Contact viii. Price ix. Comments B-3 ANNEX B to

ANNEX C PRODUCT PRE-TESTING/LAB CHECKLIST 1. The Interagency Telephony Lab (ITL) package enumerates the product pre-testing/lab checklist components and content. The sponsor shall ensure delivery of or request the vendor deliver these components and content to the ITL prior to the product testing. The ITL shall not conduct any testing until receipt of the package components and content are acknowledged by the NTSWG Chair. 2. Sponsor, vendor, and ITL personnel shall coordinate delivery of the package components and content. The ITL shall provide the mailing address to the Sponsor/vendor to expedite delivery of the package components and content. 3. The ITL package must be comprised of the following components: a. Product Identification b. Production Units (2 each) c. Ancillary Parts, which may include additional system components as necessary. d. Network Connection Instructions e. Product Functional Description f. Technical point of contact g. Sponsor contact information 4. The ITL package components must contain the following: a. Product Identification to include: i. Manufacturer, product line, model, serial number, and additional descriptive information, as necessary, to eliminate all possibility of ambiguity or confusion with any other product. b. Production Units i. Two fully functioning production units with all items that would be delivered C-1 ANNEX C to

during normal procurement must be received by the ITL. Production units are devices from a normal production run or are identical to units that would be manufactured during a normal production run. c. Ancillary Parts / Components Requested for Operation i. Items, such as expansion modules and headsets, that the vendor would like tested while connected to the product, must be received by the ITL. Parts that have not been submitted, while the product is under testing, will not be considered as CNSS approved. ii. Any additional components needed to make the equipment operational for testing is a sponsor/vendor responsibility. d. Network Connection Instructions i. The ITL must receive instructions on how to connect the product to the network(s) that it will use. Instructions shall include how to place the product into a mode that permits configuration; details on the settings that should be configured; and suggestions for setting values. Lastly, instructions shall identify the type, configuration, and required settings for the network(s) where the product is used. e. Product Functional Description: i. The description is available from the ITL package submitted by the sponsor or vendor and shall include the following: 1) Product operational theory 2) Appearance 3) Installation requirements 4) Operation manual 5) Identification of all systems with which the product is compatible 6) Features, options, and auxiliary units available with the product f. Technical Point of Contact i. The sponsor/vendor shall provide the name, telephone number, e-mail address, and organization of at least, one individual who will be available to provide technical guidance in the event that the ITL personnel require assistance in configuring C-2 ANNEX C to

and/or making the product operate properly. The technical point of contact shall be prepared to visit the ITL, as required. g. Sponsor Contact Information i. The sponsor shall provide their name, telephone number, e-mail address, agency, and organization to the ITL. C-3 ANNEX C to

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information