Part C: The four security processing modes
Dedicated security mode: A mode in which all users have the required security clearance, formal
access approval, and a need-to-know for all information processed by the system.
EXAMPLE : A computer is used to process classified (up to SECRET) information, including
NATO SECRET. In this mode all users must have at least a SECRET clearance, all users must have
formal access approval for NATO SECRET, and all users must have a need-to-know for all information
processed.
Systems high security mode: A mode n which all users have the required security clearance and
formal access approval, but do not have a need-to-know for all information processed.
EXAMPLE: A computer is used to process classified (up to SECRET) information, including
NATO SECRET. In this mode all users must have at least a SECRET clearance and all users must
have formal access approval for NATO SECRET. However, not all users have a need-to-know for all
information processed.
Partitioned security mode: A mode in which all users have the required security clearance. However,
not all users have formal access approval and a need-to-know for all information processed by the
system.
Multilevel security mode: A mode in which not all users have the required security clearance for
all information processed by the computer.
Part D: The Accreditation Document/Security Plan
Accreditation is authorization for a computer to process information at one of the sensitivity levels, in
a particular security processing mode, using a prescribed set of security safeguards.
Appendix C, AR 380-19, provides the sample format for the Security Plan/Accreditation Document"
which describes that prescribed set of security safeguards. The document/plan is a detailed
description of the system (make, model, location, and use; sensitivity level; information to be
processed; and the security processing mode) and the security safeguards which will protect both
the computer and the information processed.
The document/plan is normally prepared by the ISSO and is forwarded to the DAA along with the
commanders request for accreditation. The DAA will review the document/plan to determine if
security is adequate and if the computer will be accredited. If the DAA decides that security is NOT
adequate, he will not accredit the system, and will return the document/plan with guidance on what
must be done to improve security.
Among the security safeguards which must be described in the document/plan, is how classified and
unclassified- sensitive information will be protected from unauthorized exploitation. Before the DAA
will accredit the system, safeguards and procedures must be developed to protect this information
from unauthorized disclosure, manipulation, and destruction by an unauthorized person, like a foreign
intelligence agent.
IT0772
3-2
Previous Page
