Building Secure Computers?

maotx asks: "Growing into the job of a system administrator, I've been tasked with something I'm not quite prepared for: purchase or build a computer that meets DoD compliance for classified 'Secret' information. Several vendors, including Dell our primary supplier, offers computers that will work, but being new to the criteria I want to make sure the right computer is purchased. The computer will be used to create secure CAD drawings (Solidworks, OrCAD, etc) and must have, from what I can tell, a removable hard drive and security stickers to prevent tampering. What is you're experience in setting up a secure computer and is it better to have a vendor do it, or yourself?"

Not rocket science, but pay attention to detail.

[jinx90277]

Most of what you need to know is contained on the Defense Security Services (DSS) Information Assurance website: http://www.dss.mil/infoas/ The guiding document for DoD contractors is the National Industrial Security Program Operating Manual (NISPOM). Classified systems have to go through a formal certification and accreditation process before they will be approved for classified processing. Since your ultimate goal is to satisfy the accreditor, you should contact him/her as soon as possible to have them explain what will be required and to hear their particular areas of concern so that you can address them early in your design. Security paperwork requires considerable time to fill out, and mistake can result in long delays in accreditation, or even the rejection of your system.

However, it isn't enough to just build a system with the proper hardware and software configuration -- you also have to make sure that the physical environment and users will meet the requirements of the NISPOM. If you don't already have a facility clearance, then you have a significant issue to tackle before you can even build your system. I'm hoping that you are simply building a new computer to add to an existing classified network or house in an existing DoD closed area -- if not, you may find this to be a very daunting task.

Re:Don't ask Slashdot

OK... here's the basics... Excuse the AC post, but the fewer people that know you have a security clearance, the better.

Yes, you can order from Dell, Gateway, HP, etc. The removable hard drive is employed so that when the computer is not in use the hard drive can be locked in a DoD approved container (a pretty heavy duty safe or filing cabinet, normally) that only authorized users can access. If you didn't have a removable hard drive, then the entire room the computer was housed in would need to be classified as a DoD secure space. As it is, while the computer is in use it will need to be out of sight of anyone not cleared to use it. Sometimes something as simple as a curtain is used, while others might keep the computer in a separate room or closet.

The stickers are not for tamper proofing. Rather, they are used to remind you that you are dealing with a classified system and should treat it as such. You can use them across seals, but they aren't required. At the least, they will need to be put on the hard drive, hard drive caddy, computer case, and monitor.

For the drives, it's probably a good idea to disable anything that you won't be using. You can leave floppy drives intact if you want, just be aware that as soon as a non-write-protected floppy goes in the drive, it is required to immediately be labeled as a classified disk and logged. You can take material from unclassified to classified systems, but not vice versa (duh, I know, but it needs to be said). Since this system will be stand-alone, you might consider disabling all the USB ports via the BIOS and just using PS2 for the mouse/keyboard. That will help prevent USB thumb drives from being used. Remember, if the system can write to it, then it has just become classified material. CDs are safe, but floppies, thumb drives, etc. are not unless they are in write-protect mode.

Hope that helps!

You won't like to hear this...

[Eil]

As a US Air Force member who handles information and uses computers classified as Secret, I can tell you that there's no physical difference between a Secret machine and an ordinary one. If vendors are telling you that they can build a DoD Secret classified computer, then they are simply blowing smoke up your ass.

DoD classifications are all about policy, paperwork, and regulations. Not fancy computers. Most people, when they hear of DoD classifications and security clearances, are quick to imagine black vans, polygraph tests, and high-tech datacenters protected better than Fort Knox. Honestly, that's all a bunch of nonsense. All of the classified systems that I've used were just ordinary computers from ordinary manufacturers.

In my current workplace, we have a standard Gateway PC with a removable hard disk and a few Panasonic Toughbooks. Nothing special at all. The only visible difference between these and the regular office PCs is that they have red stickers all over them that say "Secret" and the fact that we are not to process Secret data on the unclassified PCs and vice versa. The Gateway machine can only be connected to SIPRNET (google it) and the Toughbooks are never connected to any network. That's it. No crazy combination case locks, no biometric devices, no odd software. They all run Windows for crying out loud.

If it is your job to configure a computer to the equivalent of DoD's Secret classification (I know you don't work for DoD or you'd already have people showing you how), I'd recommend getting whatever kind of computer will fit your needs.

Then start looking at writing mountains of policies. The first thing you have to do is restrict physical access. This can be done by putting the machine in a locked room with no windows. A laptop would be even easier... just get a GSA-approved safe and keep it in there when it's not in use. Obviously, you would never, ever, ever connect it to any network, period. All the data going in and out should be on CDRs or USB keys and should be accountable somehow. Figure out who needs to have access to it and if they can be trusted. Be sure to emphasize that failure to follow proper security procedures is grounds for immediate termination, whether any information was compromised or not. Ensure that whenever the machine is used, there are never less than two people present. Create an emergency checklist of what to do if the building catches fire, for instance.

That's all I can think of off the top of my head, you'll probably be able to envision a lot more with some careful thought. Good luck.

Re:Don't ask Slashdot

[CyberSp00k]

You cannot use the machine in both a classified and a non-classified environment. You will get the machine certified for a specific level of classified processing and lock it into a room that is effectively a people-sized safe. Access to the room will be controlled and only cleared and authorized people will be permitted in. They will log their entrances and exits. Each project hard drive and associated backup media will be stored in a separate, individually lockable and differently keyed drawer of a safe certified for classified processing. Users will log every item in each safe drawer and will log every time they open or close any drawer of the safe. EVERY scrap of out put from the system (optical media, magnetic media, or hardcopy) will have to be logged and controlled at both creation and destruction - destruction requires special handling and facilities.

Issues of bootable CD-ROMS, USB data sticks, and product licensing are trivial housekeeping compared to the work you are going to have to undertake to create and maintain a secure processing facility. By the way, printers have memory and printer ribbons retain images - you have to address those items, too. Certified print required.

If you already have a secure processing facility, you also have a certified site security officer (SSO) who has been trained in the use and requirements of the NISPOM. You should be talking to this person, not us.

ATTN: Mods, this guy is a dimwit please mod down

[CHESTER+COPPERPOT]

Any of you /.'ers ever study art history? Here is a little lesson about fraud.

In the Art world when a piece of Art has a past where the time record has some glitches in it (Read: unaccountable) it is automatically considered a fraud. When things don't have a timeline, like this guys posting record here and the fact that his myspace profile says he is 19, you gotta know something is up.

Congratulations though /. mods. You just got social engineered.