DEPARTMENT OF THE ARMY
HEADQUARTERS, UNITED STATES ARMY MATERIEL COMMAND
5001 EISENHOWER AVENUE, ALEXANDRIA, VA 22333-0001

*AMC Suppl 1 to AR 380-19-1

AMC Supplement 1 to AR 380-19-1
4 January 1991

Security
CONTROL OF COMPROMISING EMANATIONS

Further supplements to this regulation are prohibited without prior written approval by the Commander, AMC, ATTN: AMCMI.

AR 380-19-1, 4 September 1990, is supplemented as follows:

Page 4, paragraph 2-7a. Add the following at the end: The Office of the Deputy Chief of Staff for Development, Engineering, and Acquisition (AMCDE-PA) is the AMC focal point for ensuring staff review of these documents. Primary responsibility for reviewing the adequacy of TEMPEST considerations rests with the Office of the Deputy Chief of Staff for Intelligence (AMCMI-CS).

Page 4, paragraph 2-7b. Add subparagraphs (1) and (2) after subparagraph b.
(1) This responsibility will be fulfilled by AMC program managers (PM) duly established per AR 70-17, System/Program/Project/Product Management.
(2) The PM is specifically responsible for --
(a) Designating a TEMPEST Coordination Officer (TCO) for the program immediately upon determination that classified information will be processed. Ideally, that person will be an electrical or electronics engineer (EE) with a background in TEMPEST or electromagnetic compatibility/electromagnetic interference (EMC/EMI). If no engineer is available, an individual must still be appointed to coordinate the TEMPEST requirements of the program. The designated TCO should be assigned to the PM's Information Systems Security staff to ensure TEMPEST requirements are fully integrated into the security considerations for the system.
(b) Specifying appropriate compromising emanations (CEM) limits for the system/component under development. Final determination of system or component CEM limits requires the participation of an engineer.
(c) Ensuring that the equipment or system meets the stated specification. The engineer who sets the CEM limits should also write the TEMPEST test requirement.

*This supplement supersedes AMC Supplement 1 to AR 530-4, 31 August 1987.

Page 4, paragraph 2-7c. Add the following at the end: The Commander, U.S. Army Communications-Electronics Command (CECOM), is designated to fulfill this responsibility.

Page 4, paragraph 2-7d(1). Add the following at the end: Such tests will be accomplished by either CECOM, the U.S. Army Test and Evaluation Command (TECOM), or a specified contractor as determined by the appropriate Test Integration Working Group (TIWG) and documented in the Test and Evaluation Master Plan. The TIWG will also recommend to the PM the source for fulfilling test requirements of paragraph 2-7d.

Page 4, paragraph 2-7d(2). Add the following at the end: Field testing is normally the responsibility of TECOM. The TIWG will recommend to the PM the source for such tests.

Page 4, paragraph 2-7d(3). Add the following at the end: Product assurance testing will be accomplished by either CECOM, TECOM, or a specified contractor as determined by the TIWG. The TIWG will recommend to the PM the source for such tests.

Page 4, paragraph 2-7e. Add the following at the end: The Commander, CECOM, is designated to fulfill this responsibility. Coordination should be effected with the Commander, U.S. Army Laboratory Command (LABCOM), to exchange technologies which may be of use in CEM control, such as electromagnetic pulse, interference/compatibility, or microcircuit design.

Page 4, paragraph 2-7f. Add the following at the end: All AMC elements involved in TEMPEST testing will provide the required reports and will review and forward test reports from contractors.

Page 4, paragraph 2-7g. Add the following at the end: The Office of the Deputy Chief of Staff for Development, Engineering, and Acquisition (AMCDE-PB) will consolidate the TEMPEST portion of the AMC research, development, test, and evaluation (RDT&E) program submission.

Page 4, paragraph 2-7h. Add the following at the end: The Commander, CECOM, is designated to fulfill this responsibility.

Page 4, paragraph 2-7i. Add the following at the end: This is a responsibility of contracting agencies at all levels within AMC. Determination of required controls will be made for contractor activities only under provisions of paragraph 3-7 below.

Page 4, paragraph 2-10b. Add the following at the end: The Facility TEMPEST Assessment/Risk Analysis (FTA/RA) will be forwarded through the installation/activity ISSM or designated TCO. Table 3-5 provides a sample forwarding letter.

Page 5, paragraph 2-10c. Add the following at the end: The Deputy Chief of Staff for Intelligence (AMCMI) exercises overall staff management and proponency for the AMC TEMPEST program. The AMC Signal Security Officer (AMCMI-CS) also serves as the command TCO.

Page 5, paragraph 2-10d. Add the following at the end: See paragraph 3-6c below for identification of waiver authorities.

Page 5, paragraph 3-1c. Add the following at the end: The requisition, purchase, lease, or use of TEMPEST approved/compliant equipment is not authorized solely because classified information is being processed or is planned to be processed. The FTA/RA will provide the necessary determination of TEMPEST countermeasures. Only by that process will the need for TEMPEST approved/compliant equipment be clearly indicated. Contracting officers will review the results of the FTA/RA to support requests by user activities/staffs for TEMPEST approved/compliant products and will ensure that a baseline FTA/RA is submitted with the automated information system (AIS) accreditation document, except for levels V and VI, which do not require completion of an FTA/RA per paragraph 3-5d, basic regulation.

Page 5, paragraph 3-1d. Add the following at the end: Additional guidance on tactical systems is contained in SECRET document, subject: TEMPEST Guidelines for Program Managers (U), 22 August 1986, prepared by HQDA (DAIM-AD/DAMI-CIC).

Page 5, paragraph 3-1. Add subparagraph g after subparagraph f.
g. Nontactical, mobile, transportable or semifixed facilities.
(1) Mobile and transportable vans or units, such as data collection test vans and computer facilities, not designed or intended for tactical employment, present a special situation.
(a) Many such systems were either uniquely designed for a specific application or produced in very limited quantities. Classified processing in these facilities may have been intended to be extensive or occasional. Configurations vary from use of existing military signal shelters, with some built-in shielding, to commercial recreation vehicles and semitractor trailers. Such facilities have been moved among numerous locations on one installation and transported to various locations worldwide. In many ways, these facilities are operated the same as tactical systems when used in garrison environments.
(b) FTA/RAs will be prepared according to paragraph 3-1 for all facilities described above. Two methods may be used. First, a single or baseline FTA/RA may be prepared based upon worst case factors (such as high volume; smallest limited or exclusion area boundary; or limited controls on accessibility) likely to be encountered. Second, multiple FTA/RAs may be prepared to cover a variety of environments in which the facility will be operating. In this manner, appropriate control measures can be implemented based upon those specific locations. This could prove more cost efficient than overall system changes.
(c) For facilities housing systems requiring accreditation under AR 380-19, activities will submit a baseline FTA/RA with their accreditation documentation.
(2) Semifixed facilities are those facilities which could be transported, if necessary, but have been built to remain in one place as if they were fixed facilities. Such facilities are often established to reduce construction costs associated with permanent buildings. They often are not operated on a daily basis. Sometimes, they are used as temporary buildings. These facilities will be treated as fixed facilities requiring compliance with paragraph 3-1.

Page 6, paragraph 3-6c. Add the following at the end: Waiver authorities in AMC are the same as the accreditation authorities described in AMC Supplement 1 to AR 380-19 for critically sensitive 2 (CS2) and critically sensitive 3 (CS3) automated information systems. These waiver authorities remain the same for equipment/systems/facilities not under the provisions of AR 380-19. These waivers will be approved for the same duration as the accreditation. Extensions, if required, will be accomplished during the reaccreditation process.

Page 6, paragraph 3-6. Add subparagraph e after subparagraph d.
e. AMC requests and approvals. Facilities commanders, directors or chiefs will sign requests for an exception to operate. All requests will be forwarded through command channels to the TCO supporting the waiver authority. The TCO will review the request and prepare the necessary documentation to support the decision of the waiver authority. All requests will comply with paragraph 3-6b above. Additionally, one copy of the approval and request will be forwarded to the AMC TCO (AMCMI-CS) when granted by subordinate waiver authorities. To avoid duplication of effort for those systems/facilities requiring accreditation under AR 380-19, requests may be attached as part of the accreditation documentation. Approval of the TEMPEST waiver by the accreditation authority will be indicated as a separate paragraph in the accreditation statement. Such processing requires coordination of accreditation packages with the appropriate TCOs.

Page 6, paragraph 3-7b(2). Add the following at the end: More than one FTA/RA may be required. An FTA/RA is necessary for each separate classified information processing facility belonging to the contractor which supports the contract.

Page 7, paragraph 3-7. Add subparagraph c after subparagraph b.
c. Contracting officer responsibilities. Contracting officers will ensure cleared U.S. contractors comply with a and b above by inclusion of necessary provisions in the contract. The contents of paragraph 3-4 and tables 3-1 through 3-3 will be provided to these contractors. The completed FTA/RA and records on amounts of classified information processed will be submitted to the contracting agency for review by the supporting security office.
NOTE: This regulation (AR 380-19-1) is not releasable to foreign nations. In order to ensure compliance, it may be necessary for the PM or contracting agency to fund travel by the supporting security office personnel or the appropriate TCO.

Page 7, paragraph 3-7. Add paragraph 3-8 after paragraph 3-7.
3-8. AMC activities.
a. A TEMPEST coordination officer will be appointed by commanders of MSC/SRA/program managers for managing the implementation of and compliance with the basic regulation and this supplement.
(1) MSC. The TCO will be appointed from the security staff element, e.g., the command DCS for Intelligence or equivalent.
(2) SRA. The TCO will be the security manager for the activity so that all relevant security disciplines may properly interact.
(3) Direct reporting PMs. The TCO will be appointed as stated in paragraph 2-7b(2)(a), above.
b. MSC/SRA/direct reporting PM TCOs will coordinate TEMPEST matters directly with the AMC TCO (AMCMI-CS). These TCOs will fulfill the duties specified in paragraph 3-3, basic regulation, for their commands/activities. One copy of the appointment letter will be forwarded to the AMC TCO (AMCMI-CS).
c. TCOs should be appointed at additional subordinate organizations, down to installation/activity level. Further lower-level appointment may be made when deemed necessary by MSC/SRA/PM TCOs. When appointed, a copy of the appointment letter will be forwarded to the next higher level TCO.
d. TCOs are encouraged to apply for TEMPEST training courses commensurate with the level of their responsibilities. Coordinate with the appropriate supporting military or civilian personnel training offices for course availability and allocations.
e. TCOs should maintain close and continuing coordination with the command/local Directorate for Information Management. Communications-electronics personnel can contribute technical expertise, especially in the areas of TEMPEST installation and separation techniques.
f. TCOs should participate on command/local panels, working groups, boards or councils, such as the Information Systems Security Council, as required in basic regulation to ensure timely coordination and overall organizational involvement of TEMPEST-related issues.

Page 9, table 3-5 is added:

Table 3-5
Sample letter for forwarding Facility TEMPEST Assessment/Risk Analysis

DEPARTMENT OF THE ARMY
U.S. ARMY MISSILE MAINTENANCE AND SUPPORT ACTIVITY
FT. NOWHERE, PA 99999-0001

AMMMS-TE-QA (380-19-1)
5 July 1990

MEMORANDUM THRU Commander, U.S. Army Missile Maintenance and Support Activity, ATTN: AMMMS-IS-S (TCO), Fort Nowhere, PA 99999-0001

FOR Commander, TEMPEST Detachment MI BN (CI) (TECH), 902d MI Group, ATTN: IAGPA-A-VH, Vint Hill Farms Station, Warrenton, VA 22186-5126

SUBJECT: Facility TEMPEST Assessment/Risk Analysis

1. Reference CONFIDENTIAL AR 380-19-1, 24 Sep 90, Control of Compromising Emanations (U).
2. In accordance with paragraph 3-5c, above reference, enclosed for your review and comment is the completed Facility TEMPEST Assessment/Risk Analysis for a stand-alone IBM PC system. The system consists of a monitor and keyboard, central processing unit with a removable hard disk, and a laser printer. Request response by 1 December 1990.
3. Point of contact is Mrs. Ethel Mertz, DSN 555-5555.

FOR THE COMMANDER:

Encl
JOHN S. JONES
Lieutenant Colonel, ADA
Chief, Test and Evaluation Division

The proponent of this supplement is the United States Army Materiel Command. Users are invited to send comments and suggested improvements on DA Form 2028 (Recommended Changes to Publications and Blank Forms) to the Commander, HQ AMC (AMCM-C), 5001 Eisenhower Avenue, Alexandria, VA 22333-0001.

FOR THE COMMANDER:

WILLIAM B. McGRATH
Major General, USA
Chief of Staff

OFFICIAL:
THOMAS H. DOLAN
Chief, Operations and Systems Integration Division

DISTRIBUTION:
Initial Distr H (60) 1 ea HQ Acty/Staff Ofc
B LEAD (3,814)
AMXDO-SP stockroom (50)
AMCDE-P (5)
AMCDE-S (5)
AMCIM-ST-S (50)
AMCMI-CS (100)
AMCIS-RS (50)
AMCSM (10)
AMSAC (10)
AMCIG (10)
AMXLS-LM (100)
Commander:
AMCCOM (ATTN: AMSMC-SS) (20)
AVSCOM (ATTN: AMSAV-OC) (20)
CECOM (ATTN: AMSEL-SI-SD) (50)
DESCOM (ATTN: AMSDS-SI) (75)
LABCOM (ATTN: AMSLC-MI-SS) (20)
MICOM (ATTN: AMSMI-SI-SE) (100)
TACOM (ATTN: AMSTA-SC) (20)
TECOM (ATTN: AMSTE-IS-S) (50)
TROSCOM (ATTN: AMSTR-Y) (10)
HQDA (DAMI-CIC-AS)