Security Modes in CISSP D3

Security Modes

System High Mode

Information systems security mode of operation wherein each user, with direct or indirect access to the information system, its peripherals, remote terminals, or remote hosts, has all of the following:

  1. valid security clearance for all information within an information system;
  2. formal access approval and signed nondisclosure agreements for all the information stored and/or processed (including all compartments, sub-compartments and/or special access programs); and
  3. valid need-to-know for some of the information contained within the information system.

Source: CNSSI 4009-2015

Formal Access Approval

A formalization of the security determination for authorizing access to a specific type of classified or controlled unclassified information (CUI) categories or subcategories based on:

  1. specified access requirements,
  2. a determination of the individual’s security eligibility, and
  3. a determination that the individual’s official duties require the individual be provided access to the information.

Note: Providing access to, or transferring, CUI is based on Lawful Government Purpose unless such access is further restricted by law, regulation, or government-wide policy.

Source: CNSSI 4009-2015

Need-to-know

  1. A determination within the executive branch in accordance with directives issued pursuant to this order that a prospective recipient requires access to specific classified information in order to perform or assist in a lawful and authorized governmental function.
    Source: CNSSI 4009-2015 E.O. 13526
  2. Decision made by an authorized holder of official information that a prospective recipient requires access to specific official information to carry out official duties.
    Source: CNSSI 4009-2015 under need-to-know determination

Security Operating Modes

Dedicated Security Mode

The mode of operation in which the system is specifically and exclusively dedicated to and controlled for the processing of one particular type or classification of information, either for full-time operation or for a specified period of time.

System High Security Mode

The mode of operation in which system hardware/software is only trusted to provide need-to-know protection between users. In this mode, the entire system, to include all components electrically and/or physically connected, must operate with security measures commensurate with the highest classification and sensitivity of the information being processed and/or stored. All system users in this environment must possess clearances and authorizations for all information contained in the system, and all system output must be clearly marked with the highest classification and all system caveats, until the information has been reviewed manually by an authorized individual to ensure appropriate classifications and caveats have been affixed.

Multilevel Security Mode

The mode of operation which allows two or more classification levels of information to be processed simultaneously within the same system when some users are not cleared for all levels of information present.

Controlled Mode

The mode of operation that is a type of multilevel security in which a more limited amount of trust is placed in the hardware/software base of the system, with resultant restrictions on the classification levels and clearance levels that may be supported.

Compartmented Security Mode

The mode of operation which allows the system to process two or more types of compartmented information (information requiring a special authorization) or any one type of compartmented information with other than compartmented information. In this mode, system access is secured to at least the Top Secret (TS) level, but all system users need not necessarily be formally authorized access to all types of compartmented information being processed and/or stored in the system.

Source: CSC-STD-004-85
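The definitions above all turn on the same three per-user conditions (clearance, formal access approval with NDA, and need-to-know) and on whether each must hold for all or only some of the information on the system. The following added example, which is not part of the original post or of any cited standard, encodes that "all/some" table (the standard CISSP summary of the definitions quoted above, taken here as an assumption), evaluates whether a given user is eligible for a system in a given mode, derives the least-trusting mode a given user population can run under, and produces the "highest classification plus all caveats" marking that system high mode applies to output. The classification lattice, compartment name `ALPHA`, information items and users are constructed sample data.

```python
"""Model of the CISSP / CNSSI security modes of operation (added illustration).

Assumption: the (clearance, formal access approval, need-to-know) "all/some"
table below is the standard CISSP summary of the CNSSI 4009 / CSC-STD-004-85
definitions. Levels, compartments, items and users are constructed sample data.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List

# Ordered classification levels; higher number dominates lower (constructed).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


class Mode(Enum):
    # Definition order matters: least trust in hardware/software first.
    DEDICATED = "dedicated"
    SYSTEM_HIGH = "system high"
    COMPARTMENTED = "compartmented"
    MULTILEVEL = "multilevel"


# Per mode: must EVERY user hold (clearance, formal access, need-to-know)
# for ALL information on the system? False means "for some" of it.
MODE_RULES = {
    Mode.DEDICATED:     (True,  True,  True),
    Mode.SYSTEM_HIGH:   (True,  True,  False),
    Mode.COMPARTMENTED: (True,  False, False),
    Mode.MULTILEVEL:    (False, False, False),
}


@dataclass(frozen=True)
class Info:
    name: str
    level: str
    compartments: frozenset = frozenset()  # compartments / SAPs protecting it


@dataclass(frozen=True)
class User:
    name: str
    clearance: str
    formal_access: frozenset  # compartments with formal access approval + NDA
    need_to_know: frozenset   # item names with a need-to-know determination


def cleared(u: User, i: Info) -> bool:
    return LEVELS[u.clearance] >= LEVELS[i.level]


def approved(u: User, i: Info) -> bool:
    return i.compartments <= u.formal_access


def needs(u: User, i: Info) -> bool:
    return i.name in u.need_to_know


def may_access(u: User, i: Info) -> bool:
    """Per-item decision: all three conditions must hold for that item."""
    return cleared(u, i) and approved(u, i) and needs(u, i)


def mode_violations(u: User, items: Iterable[Info], mode: Mode) -> List[str]:
    """Reasons `u` may NOT be given access to a system running in `mode`.
    An empty list means the user is eligible for that mode."""
    items = list(items)
    checks = ((cleared, "clearance"), (approved, "formal access"), (needs, "need-to-know"))
    out = []
    for need_all, (check, label) in zip(MODE_RULES[mode], checks):
        missing = sorted(i.name for i in items if not check(u, i))
        if need_all and missing:
            out.append(f"{u.name}: lacks {label} for {', '.join(missing)}")
        elif not need_all and items and len(missing) == len(items):
            out.append(f"{u.name}: lacks {label} for any information on the system")
    return out


def required_mode(users: Iterable[User], items: Iterable[Info]) -> Mode:
    """Least-trusting mode under which every user is still eligible; each step
    down the list places more trust in the system's hardware/software base."""
    users, items = list(users), list(items)
    for mode in Mode:
        if all(not mode_violations(u, items, mode) for u in users):
            return mode
    raise ValueError("some user is not eligible under any mode")


def system_high_label(items: Iterable[Info]) -> str:
    """Marking for all output in system high mode until manually reviewed:
    the highest classification present plus every caveat present."""
    items = list(items)
    top = max(items, key=lambda i: LEVELS[i.level]).level
    caveats = sorted(set().union(*(i.compartments for i in items)))
    return top + ("//" + "/".join(caveats) if caveats else "")


# Constructed sample system and users.
PLANS = Info("plans", "SECRET")
SOURCES = Info("sources", "TOP SECRET", frozenset({"ALPHA"}))
BUDGET = Info("budget", "CONFIDENTIAL")
SYSTEM = [PLANS, SOURCES, BUDGET]
ANALYST = User("analyst", "TOP SECRET", frozenset({"ALPHA"}), frozenset({"plans", "sources"}))
OFFICER = User("officer", "TOP SECRET", frozenset(), frozenset({"plans"}))
CLERK = User("clerk", "SECRET", frozenset(), frozenset({"budget"}))

if __name__ == "__main__":
    for population in ([ANALYST], [ANALYST, OFFICER], [ANALYST, OFFICER, CLERK]):
        print([u.name for u in population], "->", required_mode(population, SYSTEM).value)
    print("clerk in system high:", mode_violations(CLERK, SYSTEM, Mode.SYSTEM_HIGH))
    print("system high output marking:", system_high_label(SYSTEM))
```

Adding the analyst alone forces system high (the analyst has no need-to-know for the budget, so dedicated mode is out); adding the officer, who lacks the ALPHA approval, forces compartmented mode; adding the clerk, who is not cleared for Top Secret, forces multilevel mode, where the system itself must enforce every per-item decision in `may_access`.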


A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.
