Intrusion Detection System (IDS ) Monitoring Over Data Networks

This document identifies minimum acceptance criteria for the utilization of data networks for IDS alarm monitoring for the protection of classified material under the National Industrial Security Program Operating Manual (DoD 5220.22-M) (NISPOM). These data networks may include private data networks (intranets or virtual private networks/VPN’s))or public data networks(“the internet”). This guidance establishes baseline security policies and requirements for sensitive, national security related applications and systems used for such alarm monitoring.
A. The NISPOM and the DoD Arms, Ammunitions & Explosives (AA&E) Manual (DoD 5100.76-M),specifies requirements regarding the use of IDS for the protection of classified material and certain risk categories of classified and unclassified AA&E. IDS utilized as supplemental protection for classified material as well as AA&E must comply with the Underwriters Laboratories standard for National Industrial Security Systems (UL 2050) for installation, testing, operations and maintenance.UL 2050 also identifies physical security measures for IDS when utilized for protection of DoD AA&E.
B. UL 2050 provides the option of utilizing a data network2for alarm signal monitoring. While UL2050 allows monitoring over data networks and specifies technical performance specifications,3itdoes not address security requirements, policies and procedures for IDSs that utilize information systems (IS) for alarm signal monitoring over public or private communication lines. As NISPOM requirements apply only to classified information systems, additional guidance is needed to establish baseline security policies and requirements for sensitive, national security related applications and systems used for alarms.
C.IDS’ using data networks may range from the relatively simple (i.e. a contractor protected area connected directly through a static internet protocol (IP) network address to a Central Station Monitoring Service (CSMS), to the significantly complex [for example, hundreds of installations being remotely monitored over a corporate network at a Government Contractor Monitoring Station(GCMS).]
A.IDS’ utilizing data network transmission shall be installed in conformance with appropriate UL 2050requirements. All IDS equipment that is used to communicate with the data network shall be listed by
2 UL 2050 describes data network transmission as “switching that sends packets of information from the alarm control/transmission panel in an alarmed area to a monitoring station by way of private data networks (intranets or virtual private networks/VPN’s)) or public data networks(“the internet”). A private data network is also known as a local area network (LAN) or a wide area network (WAN). “For the purpose of the standard, public data networks may also include WAN and/or Internet Protocol (IP) networks.
3 Installation criteria, power, signal transmission, system operation, response personnel and procedures, time frames, records,etc.
10 UL for use with a data network, and the installation must result in the issuance of an appropriate UL2050 certificate.
B.Prior to installing an IDS [utilizing data networks for alarm system monitoring] for supplemental protection under the NISPOM, contractors will submit a request for approval to the CSA including the following information:
(1)UL Alarm System Description for National Industrial Security Alarm System Certificate(Form No. CS-ASD-NISS);
(2)Proposed IDS hardware configuration and connectivity diagram (e.g. LAN/WAN schematic diagram) detailing the components (e.g. control panel, network interface cards, and method of data transfer (e.g. encryption implementation in hardware/firmware/software, etc.) between the protected area(s) and monitoring station locations. Hardware components and software will be identified by product name and release version.
C.Depending on the type of installation (e.g. subscriber or monitoring station) and complexity of the IDS (as reflected in the hardware configuration and connectivity diagram,) the request must also address and certify compliance with the following requirements, as applicable:
(1)Government Contractor Monitoring Station (GCMS) or Central Station Monitoring Service (CSMS) IDS IS Server(s)/Host Computer:
The IDS IS Server(s) that receive and convert alarm signals to human readable form for appropriate assessment and response shall meet applicable UL requirements. The IS Server(s)running the IDS alarm signal processing software will be dedicated to the security system and staffed by monitoring personnel cleared to the Secret level. When monitoring personnel are not in attendance, the IDS IS[running IDS application
software] will be secured within a locked room
4with UL certified Extent 3 IDS protection.
(2)Remote Terminals:
Networked terminals that allow privileged access to the IDS IS host computer (i.e. can program or modify system operating parameters or user accesses, etc.)shall be continuously staffed by authorized personnel or protected within a locked room with UL certified Extent 3 IDS protection.  There shall be no capability for changing the mode of operation or status of the protected area(s) IDS from locations outside the authorized IDS staffed terminals or protected area(s).
Workstations are terminals that only provide for acknowledgement of alarm signals. Unattended workstations will be secured within a locked room with UL certified Extent 3 IDS protection.
(4)User ID’s and Passwords:
A unique user ID (UID) and password is required for each individual granted access to the IDS IS Server, remote terminal and workstation.Passwords shall be a minimum of eight characters; consist of alpha, numeric, and special characters; and shall be changed a minimum of every six months.
4  Rooms securing unattended IDS monitoring servers/host computers, remote terminals and/or workstations shall be comprised of walls, floors and ceilings that are fixed in place and constitute a solid physical boundary.
5 “Extent of Protection” is defined in paragraph 5.18 and Table 23.1, UL 2050.
(5)Personnel Security Clearance (PCL) 6Requirements:
a.Authorized Alarm Service Company (ASC) Representatives: No clearance required.
When working in IDS protected areas ASC representatives will be precluded from access to classified information and will be escorted/supervised by appropriately cleared personnel.
b.System Administrator (SA):
The SA responsible for ensuring IDS IS server configuration,IDS communications signal processing software installation and updates, user account administration and maintenance will be cleared to the Secret level. For less complex IDS installations where the SA’s duties are limited to the assignment of a network address/enabling of a network path for signal transmission between the protected area and monitoring station, a PCL will not be required. If the SA requires unescorted access to closed areas storing information above the Secret level, they will be cleared to the appropriate level consistent with the level of access and need-to-know.
c.Information Technology (IT) Personnel:
There is no PCL required unless they have privileged access to the IDS server. Privileged access requires a Secret PCL. If IT personnel require full unescorted access to closed areas storing information above the Secret level, they will be cleared to the appropriate level consistent with the level of access and need to know.
Personnel working in closed areas who arm/disarm the system will be cleared to the appropriate level of classified access
e.Monitoring Personnel:
Secret PCL required.
(6)Intrusion Detection Software:
IDS IS server(s) and remote terminals running IDS application and signal processing software will utilize intrusion detection software to monitor and log access attempts and all changes to IDS applications. The SA and facility security supervisor will be notified of unauthorized system access attempts and/or modifications for investigation or other appropriate action. Records will be retained for a period of 12 months (from the date of entry.)
(7)IDS Signal Transmissions:
All IDS signal transmissions between the protected area (closed area) and the monitoring station shall be:
a.Protected though firewalls or similar enhancements (e.g. routers, Virtual Private Networks/VPN’s, etc.) that are configured to allow only protective signaling data transfers between IDS components and addresses; and
b.Encrypted using a National Institute of Standards (NIST)Federal Information Processing Standards (FIPS)
7 approved algorithm with a key length of 128 bits(or greater); and,
6 A Personnel Security Clearance (PCL) is an administrative determination, based on an appropriate investigation, that an individual is eligible, from a security point of view, for access to classified information of the same or lower category as the level of the personnel clearance being granted.
7  UL 2050 also requires that the cryptographic modules must be certified in writing by the equipment manufacturer as complying with the NIST FIPS 140-2. The NIST validation list is available at
8 Both the three-key Triple Data Encryption Algorithm (TDEA) and the Advanced Encryption Standard (AES) algorithm (FIPS197) are acceptable.
12c. Polled at a minimum of six minutes regardless of protected area alarm system status, or closed.
(8) Service and Maintenance:
IDS IS testing, diagnostics, maintenance or programming will only be accomplished by the SA or ASC personnel,as appropriate. The ASC certifying alarm system installation and performing service,modifications or maintenance must be appropriately UL listed. While working in IDS protected areas, ASC personnel will be precluded from access to classified information and will be escorted by cleared and technically knowledgeable contractor employees. Unapproved use or substitution of non-UL listed IDS equipment or components can result in withdrawal of the UL certificate.
(9)Annual IDS Testing.  After initial testing and approval, the IDS shall be inspected and tested annually to provide assurances that the IDS is functioning properly in accordance with UL 2050and the NISPOM.
(10)IDS Failure / Emergency Procedures.  In the case of IDS failure, closed areas storing Secret or Top Secret material, GSA approved security containers storing Top Secret material, or substandard security containers storing no higher than Secret classified material will be periodically inspected by appropriately cleared personnel in accordance with NISPOM standards for providing supplemental controls. Areas storing DoD AA&E material will be continuously staffed. Emergency procedures will remain in effect until the system is restored to operational
D. The CSA will review the contractor’s request for approval. The CSA representative (IS Rep or in the case of AA&E, the designated Contracting Officer Representative) may consult with the appropriate UL POC regarding compliance with UL standards. If the IDS request and Alarm System Description form reflects compliance with these requirements,the designated CSA representative will sign [onpage 4 – Alarm Transmission for Data Networks] the Alarm System Description Form (CS-ASD-NISS) and maintain a copy of the form with the contractor documentation in the official facility file.The original will be provided to UL by the ASC or contractor, as appropriate. The CSA representative may then formally approve the proposed IDS as supplemental controls under the NISPOM.
E. The ASC will submit the signed Alarm Systems Description for National Industrial Security Alarm System Certificate (CS-ASD-NISS)along with the [ASC completed] Alarm System Certificate Request (CS-R2) to UL for issuance of the CRZH certificate for the protected space. Form CS-R2 is a multi-copy form. A completed copy will remain with the alarm customer as proof of [UL] submittal until the completed certificate arrives.
F. IDS currently approved in writing by a US Government cognizant security authority as meeting the requirements of DCID 6/9 for protection of SCImay be approved under the NISP provided the CSA approval was issued without waiving any requirements of the DCID 6/9 for Networked IDS. Alarm systems, procedures and related records approved for NISP use will be accessible for verification and review by DSS.
G. If an IDS approved under these procedures are subsequently determined not to be in compliance with UL and NISPOM requirements, the approval will be rescinded and the contractor will be required to implement an alternative procedures for supplemental protection of classified material.