24 March 2001
Source:
http://www.nstissc.gov/Assets/pdf/nstissam_tempest_1-00.pdf
[5 pages; all marked "UNCLASSIFIED."]
National Security Telecommunications and Information Systems Security
Committee
NSTISSAM/TEMPEST 1-00
December 2000
National Security Telecommunications and Information Systems Security Committee
1. National Security Telecommunications and Information Systems Security Advisory Memorandum (NSTISSAM) TEMPEST/1-00, "Maintenance and Disposition of TEMPEST Equipment," supersedes NSTISSAM TEMPEST/3-91. This NSTISSAM provides guidance to personnel responsible for the maintenance and disposition of TEMPEST equipment. It is applicable to all departments and agencies of the U.S. Government that use, maintain, or make disposition of TEMPEST equipment.
2. Representatives of the NSTISSC may obtain additional copies of this
instruction at the address below. U.S. Government contractors may contact
their appropriate government agency or Contracting Officer Representative
regarding distribution of this document. It may also be found on the NSTISSC
Home Page located at www.nstissc.gov.
MICHAEL V. HAYDEN
Lieutenant General, USAF
NSTISSC Secretariat (142) National Security Agency. 9800 Savage Road
STE 6716 . Ft Meade MD 20755-6716
(410) 854-6805 . UFAX: (410) 854-6814
nstissc@radium.ncsc.mil
MAINTENANCE AND DISPOSITION OF TEMPEST EQUIPMENT
SECTION I - BACKGROUND
SECTION II - PURPOSE AND SCOPE
SECTION III - REFERENCES
SECTION IV - DEFINITIONS
SECTION V - PROCEDURES
SECTION VI - USER RESPONSIBILITY
SECTION VII - DISPOSITION PROCEDURES
SECTION I - BACKGROUND
1. All electronic and electromechanical information processing equipment can produce unintentional data-related or intelligence-bearing emanations which, if intercepted and analyzed, disclose the information transmitted, received, handled, or otherwise processed.
2. It is the policy of the U.S. Government that federal departments and agencies
and their designated agents apply TEMPEST countermeasures in proportion to
the threat of exploitation. In order to ensure the continuous application
of TEMPEST countermeasures, maintenance and disposition procedures should
be implemented for TEMPEST equipment.
SECTION II - PURPOSE AND SCOPE
3. This advisory memorandum provides guidelines for the maintenance and
disposition of TEMPEST equipment. Such equipment may contain specialized
suppression circuitry that must be maintained by knowledgeable persons to
ensure proper TEMPEST performance throughout its life cycle. Also, the
suppression technology used in such equipment must be protected from general
distribution and, therefore, disposition of TEMPEST equipment should be
controlled to prevent technology transfer. This document will be made available
to U.S. Government personnel who are responsible for maintenance and disposition
of TEMPEST equipment.
SECTION III - REFERENCES
4. Reference is made within this advisory memorandum to the following documents:
a. TEMPEST NSTISSAM/1-92, "Compromising Emanations Laboratory Test Requirements, Electromagnetic," dated 15 December 1992.b. Technical Security Requirements Document (TSRD) No. 88-913, dated 8 March 1991.
SECTION IV - DEFINITIONS
5. For the purpose of this document, the following definition applies:
TEMPEST equipment is defined as equipment listed on the
Endorsed TEMPEST Products
List (ETPL), the Preferred Products List (PPL), the NATO Recommended
Products List (NRPL), and equipment that complies with either Level I or
II of NSTISSAM TEMPEST/ 1-92 as certified by a department or agency.
SECTION V - PROCEDURES
6. Currently, the government has in place a
TEMPEST Endorsement program
(TEP) that establishes guidelines for vendors to manufacture, produce, and
maintain their TEMPEST endorsed equipment. In order for a product to remain
on the ETPL, the vendor must provide adequate maintenance and life cycle
support for its customers to ensure the continued TEMPEST integrity of the
product. This support is detailed in the TEP's TSRD No. 88-9B, dated 8 March
1991. Copies of this document may be obtained from the National Security
Agency Corporate Customer/Business Relations Office. However, to ensure the
continued protection of TEMPEST equipment and to control technology transfer,
only citizens of the U.S., Australia, New Zealand, and NATO countries may
perform maintenance on TEMPEST equipment. Clearances for maintenance personnel
will be based on the requirements of the supported environment.
SECTION VI - USER RESPONSIBILITY
7. The following are guidelines for the development of a maintenance and disposition program:
a. Consider the additional cost of the program for life cycle maintenance and disposition.b. Ensure that data resident on the equipment is not compromised during the maintenance/disposition process.
c. Keep a log of maintenance action for all TEMPEST equipment to include date of maintenance, action taken, technician name, and equipment model and serial number.
d. Test and recertify the equipment as deemed necessary by the department or agency.
e. Disposition/resale should be consistent with the established export control/technology transfer policy. Questions regarding export policy should be directed to the National Security Agency INFOSEC International Relations Office. Lateral transfers to other U.S. Government departments/agencies, or return to stock when deemed necessary, is highly recommended.
SECTION VII - DISPOSITION PROCEDURES
8. If TEMPEST equipment is to be disposed of in lieu of reuse, the following procedures should be followed:
a. Use approved purging software to overwrite hard drives (if possible). Remove the hard drive from the TEMPEST equipment and deliver to the local information systems security officer/information systems security manager or security officer for return to an appropriate department/agency organization for degaussing disposition.b. Maintain a log of the model and serial number of all equipment disposed/destroyed (e.g., central processing units, monitors, printers, keyboards, etc.).
c. Provide equipment only to citizens of U.S., Australia, New Zealand, or NATO countries.
d. Destruction of TEMPEST equipment no longer required is recommended if transfer to another U.S. Government department/ agency is impractical.
(1) Serial numbers and any classified markings will be removed from the equipment.(2) The equipment will be broken into pieces of such a nature as to preclude restoration. Such destruction will be witnessed by an individual cleared to the level of information that the equipment was used to process.
(3) A destruction certificate will be prepared and signed by the witnessing individual. The certificate will include a statement from the witness that all hard drives were removed prior to destruction.
(4) All residue will be returned as scrap metal to the Defense Reutilization Management Office, on DD Form 1348-1 or on an Optional Form 132. A copy of the log required by paragraph 8.b and the destruction certificate will be attached.
(5) Copies of all documents will be forwarded to the local property custodian so the items can be removed from the originator's property records.
Transcription and HTML by Cryptome.