Slashdot Mirror

This already exists and is managed by the Defense Security Service (DSS) and is mandated by an Executive Order:

https://www.dss.mil/isp/index....
https://www.archives.gov/isoo/...

Sure, it's all spelled out in the NISPOM:
https://en.wikipedia.org/wiki/...

The most relevant section is Chapter 5:
http://www.dss.mil/documents/o...

Nobody can take classified material home, ever. Nobody can put classified material onto an unapproved computer, ever. These are not things that change from contract to contract.

Please take your shilling elsewhere, or even better, don't. I have way too much experience with security at the National level for this trash to fly, and several others on this site have similar backgrounds.

Details: It is against the law to store classified documents on non-classified servers. Every politician working with classified data swears an oath to follow the law or be in violation of US Laws up to the crime of Treason. A red rubber stamp is not required for a message to be considered classified, a person entrusted with an office knows that questionable data is treated as classified until the appropriate intelligence agency determines otherwise and provides instruction. An elected official claiming "i did not know" is bullshit, because if they did not know the classification they must treat the document as the highest level of classification available to them.

Those rules were in place _before_ email was being used by political offices and have never been revoked, removed, or changed. Simply put, Hillary is a Liar just like you are a Liar.

References: NISP, DSS, and NISPOM, for starters. All standards are available from http://www.dss.mil/ for free. Further reading and standards can be found at NSA.GOV, US DOJ, FBI, and CIA. Also see DISA, and JF/AN which contains information for elected officials, NATO members, foreign nationals, etc...

Anyone holding a security clearance is subject to periodic reinvestigation.

so, clapper was investigated and found to be guilty of lying to congress? when does his sentence in prison start?

look, if you want to be taken seriously here on slash, you have to stop YOUR lying.

Let's review what I wrote:

Anyone holding a security clearance is subject to periodic reinvestigation. Things are stricter at actual intelligence agencies, including the use of polygraphs. (Spare me the discussion on them.)

And here is evidence:

Periodic Reinvestigations

The whole thing about Clapper is you trying to put words in my mouth, and falsely claiming that I'm a liar. You seem to be providing evidence that you have an integrity problem.

Tell you what, I'll throw you a bone on the Clapper thing since you can't be bothered to come to a deeper undersanding of Wyden's underhanded dealing on your own.

Clapper and Wyden: Scenes from a Sandbagging
Wyden’s Stunt Was Congress at its Worst

`

DSS are already our cyber detectives and can bring a great deal of wealth into what to expect with these types of attacks.

This is their report from last year on what kind of defense contractors are being targeted and why. (PDF Warning 2011-unclassified-trends.) Social engineering has generally always been the weakest link in a good secure system, but can still be deterred with strict security policies. It's not really a matter of if you'll get infected, but a matter of when. I've heard of incidents where companies have been infected for months without realization before the FBI stepped in to stop the further transmission of gigabytes of sensitive information.

If you think you or your company has been infected by foreign or domestic threats, go ahead and contact your local FBI office. They'll work with you in a cooperative investigation and guide you to prevent a similar incident from reoccurring. Despite what the movies show, the FBI does not come in and just take control of your network. You're still in charge and nothing happens without your consent.

DSS are already our cyber detectives and can bring a great deal of wealth into what to expect with these types of attacks.

This is their report from last year on what kind of defense contractors are being targeted and why. (PDF Warning 2011-unclassified-trends.) Social engineering has generally always been the weakest link in a good secure system, but can still be deterred with strict security policies. It's not really a matter of if you'll get infected, but a matter of when. I've heard of incidents where companies have been infected for months without realization before the FBI stepped in to stop the further transmission of gigabytes of sensitive information.

If you think you or your company has been infected by foreign or domestic threats, go ahead and contact your local FBI office. They'll work with you in a cooperative investigation and guide you to prevent a similar incident from reoccurring. Despite what the movies show, the FBI does not come in and just take control of your network. You're still in charge and nothing happens without your consent.

1. There are carefully controlled labs, and your competitor/enemy has them.

2. Depending on his situation, it may not be legal to reuse the disks without doing all the writes. If you're involved in defense work and these guys find out you've got one known improperly securitized system and may have more, every box in your company can be carted off, generally to be returned to you with hard drives and flash memory (including any soldered to the motherboard) removed.

It really depends on the terms of the contract. That's what controls. You can theorize and speculate and pontificate all you want, that contract is what they agreed to, and what the government agreed to pay for.

Now, the phrases "sent to an appropriately recognized facility" and "data remanence" make me suspect this is classified information, which would mean the contract is under NISP (National Industrial Security Program) jurisdiction. There are four possible CSAs (Cognizant Security Authorities) -- DoD, DoE, CIA, and NRC. I'm really only familiar with DoD, but I believe the rest follow suit on this. To wit:

Since Oct 2007, when ISL 2007-01 (Industrial Security Letter) was issued, overwrite methods are not acceptable for fixed disks. Degaussing or physical destruction are the only acceptable methods.

Degaussing has to be done using a deguasser which is on the NSA EPL (Evaluated Products List). This generally renders the hard disk inoperable. (Modern hard disks have their servo tracks encoded at the factory, and generally don't have field low-level format capability.)

Physical destruction has to cover the entire recording media. (e.g., "target practice" isn't acceptable.) They generally want the entire recording surface ground off, melted down, shredded to dust, and/or raised above the curie point. You can't just toss it in any old shredder.

You have to provide a certificate of destruction, saying you've done this. Failure to do so results in loss of Security Clearance, loss of contract, loss of future contract opportunities, fines, and/or jail. I wouldn't recommend it.

Now, submitter mentions they're going on to a new contract. If this is DoD, they should check the DD254 to see if it's the same classification derivation. If it is, they should be able to get approval to continue using the old systems. They should have a formal ATO (Approval To Operate) that identifies who to contact.

Now, if I'm way off base, and this isn't classified, then it's still up to what the contract says. There are various government standards that might be called out. NIST 800-88 is one; it allows for sanitization by overwrite, IIRC.

This was the warning I received:

http://www.dss.mil/documents/NISP-Contractors-Protecting-Class-Info-%20coordinated-final-7-Feb.pdf

It seemed pretty clear to me: intentionally access wikileaks, lose your clearance lose your job. Inadvertently access wikilieaks, immediately file an security report to avoid losing your clearance and job.

Actually, it's not a DSS video, although it is made available on their website. The DSS's own security videos indicate the Defense Security Service's name: http://dssa.dss.mil/seta/training_videos.html You'll notice that the NSA video includes no mention of the agency that produced it. But the polygraph examiners shown on the video are NSA personnel.

http://dssa.dss.mil/seta/broadcast_news/video_resources/polygraph_videos/

"Taken from DoD 5220.22-M Wipe Standard:"

GAH!! Not this again. DoD 5220.22-M, full title "National Industrial Security Program Operating Manual", more commonly called NISPOM, is not and never was a wipe standard. It is a 150 page document that covers all aspects of the National Industrial Security Program (NISP). NISP is the jurisdiction for most commercial contractors doing classified work. Sanitization is about two paragraphs in this document. In every edition published within the past 15 years or so, I've never seen seen it get into specifics about methods -- it just says the CSA (Cognizant Security Authority) gets to set them. I've seen one document of uncertain origin, dated 1995, which did provide a list of methods, but there were several options depending on the nature of the medium and the data.

You can download the NISPOM from the official source here: https://www.dss.mil/GW/ShowBinary/DSS/isp/fac_clear/download_nispom.html Sanitization is Section 8-301(b) on page 8-3-1 (ordinal page 75).

Most NISP jurisdictions have to follow the DSS Clearing and Sanitization Matrix. As of ISL 2007-01 (Oct 2007), the C&SM does not permit overwriting for destruction. Only degaussing or physical destruction is acceptable.

Further, the degaussing standards require one to remove and degauss each individual platter. As someone else noted, degaussing a modern hard drive erases the factory formatting and renders it unusable.

For physical destruction, it's not enough to drill a hole through the platter, either. Every bit (pardon the pun) of surface area must be obliterated. Grinding, sandblasting, incineration, liquidation, vaporization, pulverization, etc.

The DSS (Defense Security Service), the guys that came up with the wipe standard, updated this June 28, 2007.

Section 54 of this document details the update.

Basically, the deal is that wiping a drive is no longer an option for sensitive or classified material. The media HAS to be physically destroyed.

"Effective immediately, DSS will no longer approve overwriting procedures for the sanitization or downgrading (e.g. release to lower level classified information controls) of IS storage devices (e.g., hard drives) used for classified processing."

even the DoD is fine with 7 passes.

Funny that, I know SIGINT (Australian signals intelligence) don't trust ANY form of drive erasure, with the cost of drives, they just burn them.

Considering the amount of budget these departments, why would they take the risk?

I'm not so sure the original poster is correct that the DoD is fine with 7 passes. Consider ISL 2007-01. It says that "Sanitization of memory and media is required when the memory or media is no longer needed to store classified information. Clearing is required before and after periods of processing as a method of ensuring need-to-know protection, and prior to maintenance."

And if you look at the matrix on page 19, overwriting is not acceptable for sanitization. Only degaussing or destruction are acceptable. It sounds like whoever disposed of this hard drive just did not follow guidelines, or that the drive was disposed of before ISL 2007-01 was released.

In that light, you should have no problems recommending we follow the DSS Clearing and Sanitization Matrix (page 19) and degauss our drives thoroughly before overwriting all addressable locations with a single character, or physically destroying them. Unless, of course, you mean to say that the NSA is full of wild-eyes conspiracy theorists, too...

Part of that is correct and part isn't. It depends on the type of media and the level of classification, but the DoD specs do say that you can sanitize a hard disk ("rigid disk" in their terminology) containing classified data by overwriting. You cannot do this for top secret data, but you can for secret and down.

Here's the exact wording of what you have to do, from the DoD guidelines: "Overwrite all addressable locations with a character, its complement, then a random character and veryify. THIS METHOD IS NOT APPROVED FOR SANITIZING MEDIA THAT CONTAINS TOP SECRET INFORMATION." (If you want to see the original, from a .mil site, check this out: http://www.dss.mil/files/pdf/clearing_and_sanitiza tion_matrix.pdf)

Incidentally, with hard disks being so cheap these days, I wouldn't do this - I'd toast that disk if it contained any classified info.

DragonHawk: "If somebody in a government position is doing something illegal, they probably just won't tell anybody about it. "

theLOUDroom: "That statement is based on the ridiculously flawed assumption that these actions involve only a single person."

Um, no. You'll notice it reads just as well if you assume a group instead of a single person.

The intent of my statement, which you and others seem oblivious to, is that classifying information creates accountability. There's all sorts of rules and regulations regarding classified information. There's classification guides, original agency tracking, regular inventories, all sorts of crap. (Go read the NISPOM if you don't believe me.) The point of calling something classified is not to keep something hidden, but to let the information be distributed. That distribution is done in an accountable manner, to trusted parties only, but the whole point is to provide a framework where that distribution can happen.

If an entity (be it an individual or a group) wishes to just keep the public from knowing something, it's much better to just not tell anyone else. And that's the other side of the coin which you seem to be missing: A conspiracy can exist easier if it operates outside of the rules. You don't need to call something "classified" to keep it a secret (lower case "S"). Any threats we face from within are going to be far more dangerous in that type of manifestation then under any official banner.

theLOUDroom: "Watergate would be a great example of how totally full of shit this statement is."

Exactly what classified material did the Watergate scandal involve? I'm no expert, but my understanding is that Nixon and his cronies broke into a DNC office in order to steal campaign info. Indeed, I had thought it was explicitly an "off-the-record" sort of program, in order to keep it from being widely known. Which was my point (I guess I need to point that out).

theLOUDroom: "The NSA wiretapping program would be another."

Which NSA wiretapping program? More than one has come to light over the years, ECHELON and TSP just being the most well-known. Speaking of just TSP, you'll remember that there's a not insignificant amount of support from people in all three branches of the government for the "legality" of at least some of it. You and I may not agree, of course, and the debate and controversy over them continues as we speak. Personally, I suspect it goes too far. But that's getting off the real point; read on.

I think the "illegal" part is mostly semantics. So I think you do raise a valid point, but I think the semantic argument obscures the real problem. I think it would be better to address the real problem head on: Even working "within the system", programs can exist, and activities can occur, which a large majority of the US citizenry would object to.

theLOUDroom: "The whole point of doing illegal things in government is that you have the resources of the gov't at your disposal."

I rather suspect that illegal -- and/or (to follow on the above) immoral and objectionable -- things happen in government the same way they happen outside of government: Someone thinks they know better than the rest of us, and/or that "the rules" do not apply to them. The end justifying the means, and all that. I have certainly seen enough of that in private enterprise -- as well as in the ordinary, day-to-day activities of ordinary people -- to believe that there's nothing different there. I do wonder if we perhaps have a better chance of doing something about the corruption in public government, though.

Here is a source for my information, Executive Order 12958, Classified National Security Information, April 17, 1995: http://www.dss.mil/seclib/eo12958.htm

DoD grade is complete destruction by an NSA-approved procedure. They remove and shred the platters.

Please don't perpetuate that myth.

Actually there are several different levels of DOD grade in handling of hard drives depending on the grade of the information on them (unclassified, secret, top secret, etc).

I refer you to the Clearing and Sanitization Matrix.

Approved ways to 'Sanatize' (as opposed to 'Clear') hard drives include:

"d. Overwrite all addressable locations with a character, its complement, then a random character and verify. THIS METHOD IS NOT APPROVED FOR SANITIZING MEDIA THAT CONTAINS TOP SECRET INFORMATION."

So overwriting is indeed DOD approved, just not for "top Secret" information.

Top Secret data may be 'Sanatized' by:

"a. Degauss with a Type I degausser"
"b. Degauss with a Type II degausser."

As well as

"m. Destroy - Disintegrate, incinerate, pulverize, shred, or melt."

-- which seems to be the only one you are familiar with.

Please do your research before accusing someone of perpetuating myths.

and it's been an issue for a very long time. Some light reading http://www.pnl.gov/isrc/foci.stm and http://www.dss.mil/isec/focifaqs.htm

Not exactly... 1 pass is good enough if you pass over it every night. 6 is good, 8 is good for immediate secure delete... 7 is just standard for the government.

DoD 5220.22-M

Forgive the late response, but I just came across this and wanted to post something.

Since this took place in Athens, let's use an example from there. Perhaps you are unfamilar with the case of William Kampiles. In 1978, Kampiles, the son of Greek immigrants to the US, stole the manual for a then Top Secret and unknown (to the USSR)KH-11 reconnaissance satellite from the CIA. He sold the information to the Soviets for a mere $3,000 (he certainly wasn't the brightest kid on the block - the information in that book was worth millions) and hoped to get back in the CIA's good graces by selling himself as a double agent. Instead, he was given a 40-year prison sentence, which he is presently serving.

So, there you have it - in the same city even. It's not just the monitoring country one has to be concerned with. Walk-ins will travel half-way across the world to make a drop.

As far as wiretapping the embassy's switchboard/operator's line, the FBI did the same thing to the Soviets in the US for years during the Cold War. Many "phone-ins" thought they could evade the 24/7 surveillence of the building by FBI counter-intelligence by calling up the Soviets and arranging a meeting elsewhere. The FBI frequently intercepted the calls and acted as the operator, transferring the caller to an FBI agent who would give the caller bogus information and later apprehend him/her.

You must understand, you don't literally "walk in" to an embassy. As someone who has worked in an Embassy overseas, I can tell you that security is extremely tight and it's not just a matter of literally walking in for anyone. You must make an appointment, and you will probably not get by the guards with a smile on your face and by simply saying, "I have some information for you." Anyone with half a brain would also assume the embassy is also under surveillence and would rather not have their photo snapped as they walk through the door. Keeping the main operator's phone line under surveillence helps you know who's walking in. It's not just common sense - it's an established MO.

FYI, the "government standard" for removing classified information on an old hard drive is to shred the drive physically. There isn't a standard for sanitizing it electronically, at least that I've ever heard of. Once a system has been used for classified data storage, if it's going to be gotten rid of, the drives are destroyed.

This is, I believe, the document which sets out the standards, and it makes no mention of any way to destroy classified information through electronic means. It's very physical: shredding, mutilating, burning, chemical composition. Although there is an exception for "other methods" as allowed by the CSA, so perhaps something has changed recently.

http://www.dss.mil/isec/nispom_0195.htm

As many here have mentioned, you need to follow the DoD standards (http://www.dss.mil./

You need inspection and approval of your location and systems.

Your systems need to be audited (see the standards) on a regular basis.

Your systems need to be physically secured. This especially applies to any rewritable media.

If something needs to be removed from the secure area, you need to ensure any classified data is no longer on it. This includes CRTs, eprom, ram, disks, floppies, CDs. For example, a CRT must be powered off for 24 hours before it's judged safe to be removed from the secured areas. You can't connect to external networks once it's classified.

People must be cleared and briefed on a need to know basis to access.

Everything must be documented and reviewed. This means all hardware, OS, all software (including patches) must be inventoried. Updates and patches may need approval before being installed.

As far as computer security,

telnet is allowed, rsh is allowed. sniffers are disallowed. Only the sysadmin (ISSO/M, gotta read my docs) is allowed to use sniffers if it's needed. SSH is not required, etc, etc. All software brought into the secure environment must be installed by the sysadmin.

Remember, there's no connection to other networks. Users are not supposed to be installing software.

It's up to the manager of the secured area to ensure that procedures are followed. I've heard of them being fired when inspections were failed.

The NISPOM reference is all the rules you need. Google it or just use http://www.dss.mil/isec/nispom.pdf . Don't try to over think this. Thinking something is secure won't cut it. You have to be able to prove it to an inspector who is NOT a security researcher. They are government inspectors, think like TSA at the airport, and your cool ideas won't help them fit you into the "followed the rules" box.

With respect to the computer specifically, really it's a lot simpler than you think. What you need is to get it certified for classified processing. What this means is finding the person who will be doing the certification and ask them what they are going to check for. Then impliment that. As a contractor facility it should be DSS who does this. A good place to start is getting your hands on a copy of the DISA Gold Disk and a copy of the Minimal Security Activity Checklists (MSACs). I also recommend patching the computer as completely as possible. Also read up on the DoD 8500 series and DIACAP.

right now. And take the NISPOM Chapter 9 course.

It's scary to see how bad these answers are. I've been securing computers for the DoD and other angenies for 5 years. The short answer is that you don't need to do much. It depends on how many people need access, is it just for one project, how is the equipment secured when not in use, etc.

If you're doing CAD work, get a Dell Precision. If you buy the laptop version just stick the whole thing in a GSA secret approved safe when you're not using it. Otherwise with the desktop you'll need a removable hard drive. All the comments about turning off floppies and USB are stupid. You can have all of that stuff enabled...IF YOU NEED IT. When you fill in your security and IS plans you need to be able to justify what you've done.

As a starting point to securing the OS...wipe the drive, do a clean install NOT using those Dell restore disks (they put on a 32 MB FAT partition at the begining of the HD that is unsecure), format using NTFS, install drivers, apply SP2 plus all patches, install anti-virus, disable the NIC, turn off all unneeded services, install the DoD banner (you're gov't rep should give this to you). Document EVERYTHING. Anytime you even login...keep track of who, when, and that all security precautions were taken. Logging needs to be enabled on the OS.

Also, I hope you have a clearance, otherwise you'r enever going to use this computer again.

Here are some links that will get you started.

Defense Security Service (DSS)
http://www.dss.mil/infoas/index.htm

National Institute of Standards and Technology
http://csrc.nist.gov/

If you need more...email me (god help me for putting this on /. ...)
rjhedgehog@gmail.com

Good Luck!

The general specifications for DoD computer systems are freely available to all. NATIONAL INDUSTRIAL SECURITY PROGRAM OPERATING MANUAL OPERATING MANUAL. Specifically, see chapter CHAPTER 8. AUTOMATED INFORMATION SYSTEM SECURITY.

The actual computer system is pretty trivial, the only difference may be, just as you identified, the removable hard drive. Just get any of the IDE or even SATA removable hard drive kits and you are set. This is definitely something you can do yourself.

You see the security is in the whole system DoD will be looking for security in layers, many layers. How is the building secured, who has access to the building, the same floor, the floor above & below, the room, etc. What kind of security patrol, alarms, alarms response? What kind of physical security? What kind of walls, ceiling, floor, doors? What kind of electrical service, telecommunication service? The last layer will be the actual computer. What will be attached to the computer, a small LAN, a printer? Don't even think about wireless!

Now, I've said that setting up the computer is trivial, but the administration is NOT. The NISPOM specifies a lot of documentation. Something like writing down the serial number of every component, maybe keeping logs of certain types of activities (loging in, loging out, installing software, updating software, etc.). Checking the logs weekly for suspicious acitivity, etc. If you've heard the old adage that good system administrators write everything down, double it ... twice ... then you are on the right track.

maotx you need to check with your Facility Security Officer and/or ISSM/ISSO if you have one. If you don't have one, then you'll need to contact you DSS representative for guidance. You can't just buy a system that is ready to go. There is a lot of documentation and policies/procedures that you need to prepare AND get approved before you can do any classified work on a system. I would also suggest that you visit the DSS web site at www.dss.mil and try and take the NISPOM Chapter 8 course before anything as it'll give you some background on your task. (I think it's available as an online course now) Consequently, you should NOT be asking these questions in a public forum as you draw attention to yourself and your line of work... which is not a good thing.

Take a look at this "very readable" document: http://www.dss.mil/isec/nispom.htm Also look at: http://iase.disa.mil/stigs/stig/ Get some help! The DSS is the approving authority if I am reading your needs right (a computer used by a civilian contractor). If you didn't know about the DSS, you really need to find someone who knows the processes. Talk to your facility security officer -- they should be able to point you to the right folks in your company.

Most of what you need to know is contained on the Defense Security Services (DSS) Information Assurance website: http://www.dss.mil/infoas/ The guiding document for DoD contractors is the National Industrial Security Program Operating Manual (NISPOM). Classified systems have to go through a formal certification and accreditation process before they will be approved for classified processing. Since your ultimate goal is to satisfy the accreditor, you should contact him/her as soon as possible to have them explain what will be required and to hear their particular areas of concern so that you can address them early in your design. Security paperwork requires considerable time to fill out, and mistake can result in long delays in accreditation, or even the rejection of your system.

However, it isn't enough to just build a system with the proper hardware and software configuration -- you also have to make sure that the physical environment and users will meet the requirements of the NISPOM. If you don't already have a facility clearance, then you have a significant issue to tackle before you can even build your system. I'm hoping that you are simply building a new computer to add to an existing classified network or house in an existing DoD closed area -- if not, you may find this to be a very daunting task.

This policy stipulated that passwords were only to be changed by the MIS department, and that all password requests must go through them.


Under most circumstances that is actually a very wise policy. Many products, MS Windows Terminal Services among others, do not allow the admin to access the user account without his password.

Requiring the admins to know the user password is NOT a wise policy. That policy mixes authentication and authorization. If two people need to know the password to an account to do something, you weaken security because you cannot be sure who used the system to do something and because you have doubled (or multiplied if more than two people know) the chance that the password might be disclosed (accidentally or maliciously).

If you do not share the keys (and needing the keys to do some administrative task is sharing), you can be sure who did what on the system, with the added benefit of being able to change the policy easily (revoking rights, for example).

A good way of dealing with passwords can be found in military manuals (don't remember which manual exactly, but I think it's in the NISPOM). To set a password, the user has to go see the security officer and request a change. Then the system chooses a random password and shows it to the user (but not the security officer). By doing this, the security officer knows all the necesary details, but does not know the password (so he cannot pretend to be the user).

Of course that does not prevent the user from writing a copy of it under the keyboard, only education helps with that.

By the way, I use MS terminal services also. I have my own account so it is known that it's me using the system (authentication) but my powers come from the fact that I belong to the administrators' group (authorization). Of course I cannot log in directly as another user, but that need is not very common either.

Fortunately he was an honest man and didn't sell the list, rather he contacted the DoJ and DoJ contacted DISCO to help get their shit together. The instructor was making the point that when you surplus equipment that you really need to make sure that you wipe the drives and any other storage media. His bias was that the easiest way to do this was to physically remove and destroy the media because you could never really be sure if a wipe program had worked (well you could go over the drive to make sure that it had been erased, but who's going to do this?).

When I don't want to physically destroy a drive but want to make sure that it's gone I either wipe it with a low-level hardware format utility such as the one built into Adaptec SCSI cards, or I use a program such as autoclave by Josh Larios (which he isn't supporting any more outside of the University of Washington community) although now I guess I'll have to try the recommended replacement Darik's Boot and Nuke. A side benefit of programs such as this one is that they really exercise the Hell out of your disks, which is great to smoke out any potential failures.

So you were in from "Feb. 1996 to Dec. 1998".

No, I said I was at 10th Mountain Division during that time, which is exactly what the post you referenced says. Learn to read and actually understand what you're reading. You are proof that the American education system has been failing for a long time.

Hmmm, revision 1-00.

Note that it says "Previous edition unusable" which implies that there was a previous edition.

Guess what the revision date on *my* SF 312 is? 1-91.

Proof that that version exists? here: "The new Standard Form (SF) 312, "Classified Information Nondisclosure Agreement," is now available through the government supply system and should be used in place of the previous 1991 version. The form, actually approved in January 2000, was prevented from a timely release due to administrative delays. The General Services Administration (GSA) will make the new form available by early April, both in electronic and hard copy format. In the meantime, copies can be made from the pdf version of the SF 312, attached to this announcement." (Bold text placed to facilitate your reading comprehension.)

Note that you found the current one approved in January 2000.

Here is proof that an even earlier version exists: "(a) SF 312, SF 189, and SF 189-A are nondisclosure agreements between the United States and an individual. The prior execution of at least one of these agreements, as appropriate, by an individual is necessary before the United States Government may grant that individual access to classified information. From the effective date of this rule, September 29, 1988, the SF 312 shall be used in lieu of both the SF 189 and the SF 189-A for this purpose."

So, we have that the SF312 was in use from September 29, 1988.

Make all the claims you want to. It doesn't matter to me. I did 7 years and got out in 1990.

You mean, got kicked out in 1990 because someone figured out you don't have any reading comprehension, and you jump to conclusions before you've put even an ounce of thought in.

I don't have to play games with words like you claiming to be a "veteran" (no combat time and only 34 months in service) to boost my self-esteem. Nor do I have to spin lies about forms I was required to sign before they were even printed.

I never claimed to be a combat veteran (as in, earned a combat patch), and you know it. The government still defines me as a "veteran", the dictionary definition agrees, and I put in my required time, all 8 years split up between active duty, reserves, and IRR (during which I was called up twice, so it's not like I sat twiddling my thumbs for a few years). I may not have been stationed in a combat zone, but I did more for my country than the average person has. I also got the chance to make sure some people didn't shoot each other up. I was even able to help save some lives in a disaster area, too. You want to criticize me for not having seen *actual* combat (mostly due to timing), go ahead, I'm sure you are someone's hero.

Anyway, I have proved the existence of the SF312 as early as 1988, which is well before I left the service, and before you claim to have left. You might not have signed one because you got your clearance revoked, in which case they give you a different form, if the same procedures in AR 380-5 were in effect in 1990.

You made the claim "Enlisteds don't sign NDAs with the Army"
* I have told you I retain a photocopy of it. (I even dug through all my paperwork to make sure, and found it.)
* Once I found my copy, I gave you the form number, SF 312, revision 1-91.
* I have told you when and where I last signed one, and what office administered it to me.
* I have shown the regulation that required me to have signed at least a portion of it at the time. An

36. Issue: Paragraphs 8-306b and 8-310b discuss the "trusted download" process where electronic files and/or media can be created at a classification level lower than the accreditation level of the IS without going into sufficient detail of the review process or program. Because of the many different vendor platforms and applications (e.g., word processing, database, electronic mail, spreadsheets) additional guidance is needed.

Answer: Every vendor's platform and application are unique and each requires a thorough review by the ISSM and DSS before they can be used to create classified or unclassified files and/or media. DSS has developed a "standard" for the trusted download process that can be found at http://www.dss.mil/infoas/index.htm. If the ISSM is unable to implement the DSS "standard," the SSP must include a description of how and why the contractor has deviated from the standard under the vulnerability-reporting requirement of paragraph 8-610a(1)(c). If the ISSM is unable to provide any acceptable countermeasure to mitigate this vulnerability, the ISSM must notify and get acceptance from the GCA/data owner of the additional risk.

36. Issue: Paragraphs 8-306b and 8-310b discuss the "trusted download" process where electronic files and/or media can be created at a classification level lower than the accreditation level of the IS without going into sufficient detail of the review process or program. Because of the many different vendor platforms and applications (e.g., word processing, database, electronic mail, spreadsheets) additional guidance is needed.

Answer: Every vendor's platform and application are unique and each requires a thorough review by the ISSM and DSS before they can be used to create classified or unclassified files and/or media. DSS has developed a "standard" for the trusted download process that can be found at http://www.dss.mil/infoas/index.htm. If the ISSM is unable to implement the DSS "standard," the SSP must include a description of how and why the contractor has deviated from the standard under the vulnerability-reporting requirement of paragraph 8-610a(1)(c). If the ISSM is unable to provide any acceptable countermeasure to mitigate this vulnerability, the ISSM must notify and get acceptance from the GCA/data owner of the additional risk.

If you meant "US Department of Defense 5220.22 M", try ( http://www.dss.mil/isec/nispom_0195.htm ). That's the home page for the National Industrial Security Program Operating Manual (NISPOM).

Also, as I understand it, the write head does not write PRECISELY right on top of the previous sector. Apparently, HD recovery/forensics experts can detect edges of partially written areas on the disk. In other words, if you bumped the hard drive and the head is shifted by some insignificant amount (for normal use), it doesn't completely write over the block it did previously. And if you have sensitive enough equipment, you can apparently detect portions of previous writes.

I think writing zeros makes it even easier to detect because it's the same thing over and over. OS X for example, has a secure erase trash function that writes random junk over the data seven times. This is apparently in accordance with US Department of Defense requirements.

W

Personal data need to be treated as government certification of Secret documents

First, I think you mean classification, not certification.

Second, there is a reason and a definition behind each classification. For example, the definition of SECRET according to the Defense Security Service (available here (scroll down)) is as follows:

SECRET. The designation that shall be applied only to information or material the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security that the original classification authority is able to identify or describe. (emphasis mine)

Nutshell: yes, personal information should be protected; no, it does not warrant the same protection as classified information.

or at least give it Collateral classification level treatment

Finally, Collateral is not a classification; it is a category of information classification. Our friends at DSS clarify the issue here:

The current classification system starts with three levels of classification (Confidential, Secret, and Top Secret), often referred to collectively as collateral.

Please do some research before providing erroneous information. (For many years I worked in positions where I was required to know these things.)

Personal data need to be treated as government certification of Secret documents

First, I think you mean classification, not certification.

Second, there is a reason and a definition behind each classification. For example, the definition of SECRET according to the Defense Security Service (available here (scroll down)) is as follows:

SECRET. The designation that shall be applied only to information or material the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security that the original classification authority is able to identify or describe. (emphasis mine)

Nutshell: yes, personal information should be protected; no, it does not warrant the same protection as classified information.

or at least give it Collateral classification level treatment

Finally, Collateral is not a classification; it is a category of information classification. Our friends at DSS clarify the issue here:

The current classification system starts with three levels of classification (Confidential, Secret, and Top Secret), often referred to collectively as collateral.

Please do some research before providing erroneous information. (For many years I worked in positions where I was required to know these things.)

Different levels of security are offered so unless you are aiming high, you can get a clearance suitable for most IT work without becoming a citizen. Read everything you ever wanted to know about government security clearance and the different levels/requirements here.

assuming your clearance is with the DOD (and given the breakdown on who has the most cleared people most people have one with them) then simply go to this site and they will explain what to do.

here
and here, a sublink
Heh, love the line right above the second link... We do not investigate unexplained phenomena

assuming your clearance is with the DOD (and given the breakdown on who has the most cleared people most people have one with them) then simply go to this site and they will explain what to do.

here
and here, a sublink
Heh, love the line right above the second link... We do not investigate unexplained phenomena

Here's the standards Eraser claims to satisfy. It uses US DoD 5220-22.M and Guttmann . The Guttmann method of erasing is only exceeded by using C4 as you decribed.

Yep, it costs 60k for a TS investigation. Your information that you provide is confidential, you will likely fill out an epsq questionaiire. Look at it and read more here.

-Lucas

Polygraphs have valid uses. Just ask anyone who's going through a background investigation starting with the EPSQ. I'm sure that some people have learned to "fool" the system, but a trained operator will detect most.

The deal also includes the cost of integration. The OS is probably Windows 2000, some will undoubtedly be server edition. Add the complexity of configuring a system for NISPOM (see particularly Chapter 8) and I can easily see such a cost as justifiable.

I am an intelligence analyst for the New Jersey Army National Guard. I use the EPSQ software to complete and submit each SF-86. You can check out the web site or go directly to the download page and check it out.