Periods processing on DoD systems
I am a former federal employee who now works for a federal contractor. At the federal agency where I previously worked there was a policy against any "Periods Processing." Specifically, connecting a laptop to networks of different security classifications, simply by changing the hard drive and cycling power. I thought that the agency's policy was based on an overall federal government policy, but I have been unable to locate any reference to what policy this might be. The federal agency that I worked for implemented the change to "no periods processing" in January of 2001.
I ask the question because the federal contractor that I now work for has a
preliminary plan to use laptops on classified and unclassified DoD systems by
performing a cleansing process between usages. Swap the hard drive and power
the laptop off for a prescribed period of time. Any guidance that you might
offer on this subject would be greatly appreciated and would help us get our
planning off on the right foot.
You didn't mention what the unclassified systems were rated at (C1/C2/B1/B2) or whether the personnel involved were at different security clearances which may have a significant impact on what you do and how it is done. Overall, it sounds as though you are referring to either a multilevel secure or multilevel security mode issues. There are a couple of avenues you should probably look at such as Common Criteria, Rainbow Series documentation and industry specific criteria (i.e., HIPPA laws). Gary Meech (my work associate) suggests you review the Joint DODIIS Manual, the Trusted Network Interpretation NCSC-TG-005 RED Book (from the Rainbow Series), and because it could have been a local directive created by the federal agency/group, check with them.
This was first published in December 2001