placed on the system by the designated approving
CONTROLLED SECURITY MODE. A
computer system is operating in the controlled security
mode when at least some personnel (users) with access
to the system have neither a security clearance nor a
need-to-know for all classified material then contained
in the computer system. However, the separation and
control of users and classified material on the basis,
respectively, of security clearance and security
classification are not essentially under operating system
control as in the multilevel security mode.
Sensitive Unclassified Data
Sensitive unclassified data is unclassified data that
requires special protection. Examples are data For
Official Use Only and data covered by the Privacy Act
The Privacy Act of 1974 imposes numerous
requirements upon federal agencies to prevent the
misuse of data about individuals, respect its
confidentiality, and preserve its integrity. We can meet
these requirements by applying selected managerial,
administrative, and technical procedures which, in
combination, achieve the objectives of the Act.
The major provisions of the Privacy Act that most
directly involve computer security are as follows:
Limiting disclosure of personal information to
authorized persons and agencies;
Requiring accuracy, relevance, timeliness, and
completeness of records; and
Requiring the use of safeguards to ensure the
confidentiality and security of records.
To assure protection for AIS processing of sensitive
unclassified data, the Navy has established the limited
AIS access security mode.
A computer system or network is operating in the
limited access security mode when the type of data
being processed is categorized as unclassified and
requires the implementation of special access controls
to restrict the access to the data only to individuals who
by their job function have a need to access the data.
Although unclassified data does not require the
safeguards of classified and sensitive unclassified data,
it does have value. Therefore, it requires proper
handling to assure that it is not intentionally or
unintentionally lost or destroyed.
AIS MEDIA PROTECTION MEASURES
AIS media protection is important because that is
where we store data, information, and programs. All
data and information, whether classified or not, require
some degree of protection. Software also requires
protection. You would not want to lose the only copy
of a program you had worked 4 months to write, test,
and debug. The amount of protection depends on the
classification of data, the type of AIS storage media
used, the value of the material on it, and the ease with
which the material can be replaced or regenerated. AIS
media includes magnetic tapes, disks, diskettes, disk
packs, drums, cathode-ray tube (CRT) displays, hard
copy (paper), core storage, mass memory storage,
printer ribbons, carbon paper, and computer output
microfilm and microfiche.
You are responsible for controlling and
safeguarding (protecting) the AIS media at all times.
For purposes of control, AIS media can be divided into
two types or categories: working copy media and
finished media. You will be working with both.
Working copy media is temporary in nature. It is
retained for 180 days or less and stays within the
confines and control of your activity. Examples of
working copy media are tapes and disk packs that are
used and updated at frequent intervals and coding forms
that are returned immediately to the user after
Finished media is permanent in nature. It includes
tapes and disk packs, hard-copy output, or any other
AIS media containing data or information to be retained
for more than 180 days. Finished media can be released
to another activity. For example, a magnetic tape can
be sent to another activity as a finished media.
However, the receiving activity may treat it as working
copy media if it is kept 180 days or less. Of course, AIS
media, whether working copy or finished copy, requires
the use of security controls.
The security controls we discuss are general in
nature and are considered the minimum essential
controls for protecting AIS media. Your activitys
standard operating procedures (SOPS) are designed to
ensure that an adequate level of protection is provided.
Classified working copy media must be dated when
created, marked, and protected in accordance with the