- CNSSP No. 17
- For Official Use Only
- May 2010
The Committee on National Security Systems (CNSS) is issuing this policy to help agencies better safeguard National Security Information (NSI) during wireless transmission and delivery, while stored on mobile systems, and while stored on fixed systems that can be accessed by wireless media. It addresses the use of wireless technologies in areas where NSI is discussed or processed. It also assigns responsibilities for improving the security posture of the Executive Departments and Agencies (D/A), and provides references for a minimum set of security measures required for the use of wireless technologies in a national security environment.
SECTION IV – POLICY
5. The following security controls shall be incorporated into D/A NSS programs where NSI is transmitted, received, processed, or stored using wireless technologies or where wireless technologies are used in the proximity of NSI. In those instances where a D/A NSS program does not exist, the D/A shall establish a wireless NSS program. Wireless controls shall address the complete lifecycle of information technologies consistent with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-64 Revision 2: Security Considerations in the System Development Life Cycle (Reference D). These include the planning, design, development, acquisition, implementation, use, operation and control, maintenance, and disposition of existing and future wireless capabilities.
a. At a minimum, D/As shall issue policies that include the following management controls:
i. When implementing standalone wireless capabilities for the transmission of NSI, or integrating wireless devices, services, and technologies into existing NSS, D/As shall implement a risk management process that adheres to the guidelines found in CNSS Policy No. 22: Information Assurance Risk Management Policy for National Security Systems (Reference E) and the principles set forth in National Security Decision Directive 298: National Operations Security Program (Reference F).
ii. The procurement of wireless technologies for the transmission of NSI shall be prohibited unless a risk assessment is completed and accepted (this includes the procurement of wireless technologies for tests, pilots, prototypes, and feasibility studies).
iii. Wireless risk assessments shall address the protection of NSI from the point of origin; during transmission; when received; while processed using wireless hardware and software; while stored on wireless media; and when using a wireless system as the sole or principal system for meeting critical or primary mission essential functions.
iv. A configuration baseline shall be established that defines the organization’s minimum requirements for compliance with this policy, and ensures that wireless hardware, firmware, software, and documentation are adequate to protect NSI. In those instances where a D/A has an existing Information Technology Configuration Control Board (ITCCB) for NSS, the ITCCB shall incorporate the wireless requirements referenced above.
v. All information systems that employ wireless technologies used for the transmission, receipt, processing, and storage of NSI shall complete a security control assessment and be granted authorization to operate by the D/A Authorizing Official (AO).
vi. A TEMPEST countermeasure requirements review for the implementation of wireless technologies in the facilities under consideration shall be completed by a Certified TEMPEST Technical Authority (CTTA) in accordance with CNSS Policy No. 300: National Policy on Control of Compromising Emanations (Reference G) and CNSS Instruction No. 7000: Tempest Countermeasures for Facilities (Reference H):
1. Prior to acquiring wireless NSS solutions; and
2. On wireless technologies in proximity to where NSI is discussed or processed.
vii. Periodic inspections shall be performed to identify deviations from the D/A-approved configuration baseline of wireless devices located in areas where NSI is discussed or processed, regardless of whether wireless devices are powered on or off, and all deviations shall be reported to the AO.
viii. Where practicable, wireless technologies shall support interoperability through the adoption of commercially available, standards-based wireless products certified to transmit, receive, process, or store NSI in accordance with the requirements of this policy.
ix. A current inventory of wireless equipment, software, and services used for transmission of NSI shall be maintained.
x. Restrictions for the use of wireless technologies that transmit NSI shall be promulgated throughout the organization.
xi. Basic education, training, and awareness regarding the use of wireless technologies to transmit NSI shall be administered to all D/A managers, technical support personnel, and users of wireless technologies before they can be authorized to operate on wireless NSS. The content of this policy and procedures for its implementation shall be incorporated into training and awareness materials.
xii. The AO or Cognizant Authority can terminate wireless network operations in the event of an emergency or security breach.