CNSSP 8 Clean Copy September 20211


UNCLASSIFIED//FOR OFFICIAL USE ONLY

Committee on National Security Systems

CNSSP 8
September 23, 2021

PROCESS FOR THE RELEASE AND TRANSFER
OF U.S. GOVERNMENT CRYPTOLOGIC
NATIONAL SECURITY SYSTEMS TECHNICAL
SECURITY MATERIAL, CROSS DOMAIN
SOLUTIONS, INFORMATION, AND
TECHNIQUES TO FOREIGN GOVERNMENTS
AND INTERNATIONAL ORGANIZATIONS

THIS DOCUMENT PROVIDES MINIMUM
STANDARDS. FURTHER INFORMATION MAY BE
REQUIRED BY YOUR DEPARTMENT OR AGENCY


CHAIR

FOREWORD

1. (U) This Committee on National Security Systems (CNSS) Policy (CNSSP)
CNSSP 8, Process Governing the Release and Transfer of U.S. Government (USG)
Cryptologic National Security Systems Technical Security Material, Cross Domain
Solutions, Information, and Techniques to Foreign Governments and International
Organizations, defines the process and responsibilities to support the release of
cryptographic materials including approved Cross Domain Solutions (CDSs) as per
the authority of the National Security Directive (NSD) 42, National Policy for the
Security of National Security Telecommunications and Information Systems (5 July
1990).

2. (U) This policy supersedes the National Security Telecommunications and
Information Systems Security Policy (NSTISSP) 8, “National Policy Governing the
Release of INFOSEC Products or Associated INFOSEC Information to Foreign
Governments,” (13 February 1997).

3. (U) This policy is available from the CNSS Secretariat, www.cnss.gov,
or the following SIPRNet website: http://www.iad.nsa.smil.mil.

/s/
TERESA M. TAKAI

CNSS Secretariat (C074) National Security Agency. 9800 Savage Road, STE 6165. Ft Meade, MD 20755-6716
Office Phone Number: (410) 854-6805

Process Governing the Release and Transfer of U.S. Government
Cryptologic National Security Systems Technical Security Material, Cross Domain
Solutions, Information, and Techniques to Foreign Governments and International
Organizations

SECTION I – PURPOSE

1. (U) This policy implements the CNSS’ responsibility to approve the release of
US Government (USG) cryptologic national security systems technical security material,
Cross Domain Solutions (CDS), information, and techniques and assists the National
Manager for U.S. national security systems1 in implementing his responsibility under
paragraph 7.e. of NSD 42 to conduct foreign computer security and communications
security liaison, including entering into agreements with foreign governments and with
international organizations, except for those foreign intelligence relationships conducted
for intelligence purposes by the Director of Central Intelligence. Any such agreements
shall be coordinated with affected departments and agencies. Such agreements govern
the release of USG cryptologic national security systems technical security material,
information, Cross Domain Solutions, and techniques, classified and unclassified, the
export of which is controlled by the International Traffic in Arms Regulations (ITAR), 22
C.F.R. Parts 120-130 2 (Ref. b.). Cybersecurity information that, pursuant to an official
written decision by the cognizant U.S. Government department or agency, is released
within the public domain, as defined by the ITAR, 22 C.F.R. § 120.11, shall be deemed
to have satisfied all requirements in this Policy and is releasable without restriction.

1 U.S. “national security systems” means any information system (including any telecommunications system) used or
operated by an agency or by a contractor of an agency, or other organization on behalf of an agency -
(1) the function, operation, or use of which –
(I) involves intelligence activities;
(II) involves cryptographic activities related to national security;
(III) involves command and control of military forces;
(IV) involves equipment that is an integral part of a weapon or weapons system; or
(V) is critical to the direct fulfillment of military or intelligence missions (except for systems used for routine
administrative and business applications); or
(2) is protected at all times by procedures established for information that has been specifically authorized under criteria
established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or
foreign policy. 44 U.S.C. § 3542(b)(2). Cryptologic includes but is not limited to encryption devices, cross domain
solutions (CDS), and multi-level security (MLS) systems. For CDS/MLS systems, this policy only covers CDS/MLS
devices that fall under ITAR 121 Category XIII(b)(4). If the CDS/MLS device is not used to protect USG NSS then
CNSSP 8 does not apply. The CDS being sold must comply with NSA security requirement (e.g. Raise The Bar
(RTB)).

2 Much of the cryptologic national security systems technical security material, information, and techniques governed
by this policy are described in Category XIII of the United States Munitions List, see 22 C.F.R. § 121.1, Category XIII
– Auxiliary Military Equipment, which includes “Military Information Security Assurance Systems and equipment,
cryptographic devices, software, and components specifically designed, developed, modified, adapted, or configured
for military applications” as well as technical data and defense services related to such items. For specific examples,
see the United States Munitions List, available at http://www.pmddtc.state.gov/docs/ITAR/2006/ITAR_Part_121.pdf.

SECTION II – AUTHORITY

2. (U) This policy implements the provisions of paragraph 5(b)(4) of NSD 42
(Ref a.), National Policy for the Security of National Security Telecommunications and
Information Systems, that directs the CNSS to “approve the release of cryptologic
national security systems technical security material, Cross Domain Solutions,
information, and techniques to foreign governments or international organizations. The
concurrence of the Director of Central Intelligence shall be obtained with respect to those
activities which he manages.”

3. (U) The authority to issue this policy derives from National Security
Directive 42, which outlines the roles and responsibilities for securing national security
systems, consistent with applicable law, E.O. 12333, as amended and other Presidential
directives.

4. (U) Nothing in this Policy shall alter or supersede the authorities of the Director
of National Intelligence or the Director, Central Intelligence Agency.

SECTION III - SCOPE/APPLICABILITY

5. (U) This policy focuses on the approval to release USG cryptologic national
security systems technical security material, Cross Domain Solutions, information and
techniques to foreign governments or international organizations. This policy only
applies to CDS/MLS devices that are used for Foreign Release only. There are two
separate and distinct categories of CDSs and associated processes/oversight management.

6. (U) This policy is applicable to the USG departments and agencies who provide
USG cryptologic national security systems technical security material, information, Cross
Domain Solutions, and techniques to foreign governments or international organizations.


SECTION IV – POLICY

7. (U) USG cryptologic national security systems technical security material, Cross
Domain Solutions, information, and techniques used to secure U.S. national security
systems are valuable national assets and shall be protected. Such material, information
and techniques will be released to foreign governments or international organizations
only when:

a. (U) There is a clearly defined benefit that is consistent with USG foreign
policy, military, intelligence, or economic objectives; and

b. (U) The release has been specifically authorized by the CNSS consistent with
U.S. law, regulations, Executive Orders, and applicable Presidential Directives in
accordance with the criteria, limitations, and procedures as specified in CNSS issuances.

8. (U) The CNSS or, when appropriate, the National Manager, shall consider
requests submitted by USG departments or agencies to release USG cryptologic national
security systems technical security material, Cross Domain Solutions, information, and
techniques to a foreign government or an international organization if the proposed
releases are clearly consistent with USG foreign policy and military, intelligence, or
economic objectives, and if the release will satisfy requirements to:

a. (U) Protect USG national security information to be provided to a foreign
government or international organization; or

b. (U) Provide a means to achieve secure communications interoperability that
is in the national security interests of the United States; or

c. (U) Satisfy any other purpose authorized by Federal law or regulation.

9. (U) All approved releases must meet the following criteria:

a. (U) Be consistent with USG foreign policy and military obligations or
economic objectives;

b. (U//FOUO) Have no unacceptable impact on USG Intelligence activities;

c. (U//FOUO) Prevent exposure of sources and methods; and

d. (U) Constitute an acceptable risk to the overall Cybersecurity posture of the
USG.

e. (U) CDSs being sold/used for Foreign Release must comply with NSA CDS
security requirements (i.e. Raise the Bar (RTB)).

SECTION V – RESPONSIBILITIES

10. (U) The CNSS shall review and approve initial requests for release to:

a. (U) All foreign governments except for Australia, Canada, New Zealand
and the United Kingdom; and

b. (U) All International organizations.

c. (U) The CDS being sold must comply with NSA security requirement
(e.g., RTB).

11. (U) CNSS Committee Members shall make a determination that the
proposed release satisfies the criteria of this policy.

12. (U) The CNSS Secretariat shall notify Committee Members and the National
Manager of the result of a vote on a proposed release request.

13. (U) The National Manager shall review and approve, as appropriate, all:

a. (U) Initial and subsequent requests for release to the governments of
Australia, Canada, New Zealand, and the United Kingdom; and

b. (U) Transfers to foreign governments based on previously approved releases
under paragraphs 9 and 14.a of this policy.

14. (U) The National Manager shall:

a. (U) Document all releases and transfers consistent with the requirements of
this policy; and


b. (U) Provide to the CNSS, on an annual basis, a report of such releases and
transfers.

15. (U) In the event of exigent circumstances, where U.S. lives are at risk and time
and circumstances do not allow for review by and approval of the full CNSS membership
and SIGCOM in accordance with paragraph 9 of this policy, the National Manager shall
review such requirements and approve the release of appropriate USG cryptologic
national security systems technical security material, Cross Domain Solutions,
information, and techniques. The National Manager can make a decision to expedite
when circumstances are deemed critical. As soon as practicable, the National Manager
shall provide the CNSS a complete summary of the circumstances as well as a listing of
the types of USG cryptologic national security systems technical security material, Cross
Domain Solutions, information, and techniques released.

SECTION VI – DEFINITIONS

16. (U) Terms defined in CNSS Instruction 4009: Committee on National Security
Systems (CNSS), Glossary, August 2021 (Ref. c) apply to this policy. For purposes of
this policy, the following additional definitions apply:

a. (U) Release: A deliberate review and decision process undertaken by the
CNSS and National Manager to authorize the provision, either on a temporary or
permanent basis, of USG cryptologic national security systems technical security
material, information, and techniques to foreign governments or international
organizations in furtherance of USG foreign policy and military, intelligence, or
economic objectives.

b. (U) Transfer: To provide USG cryptologic national security systems
technical security material, information, and techniques to a foreign government or
international organization, by means of sale, lease, loan, or other means, by physical or
electronic delivery.

c. (U) Technical Security Material: Equipment, components, devices, and
associated documentation or other media which pertain to cryptography, or to the security
of telecommunications and information systems.


SECTION VII – REFERENCES

17. (U) References throughout CNSSP 8 include:

a. (U) National Security Directive 42, National Policy for the Security of
National Security Telecommunications and Information Systems, July 5, 1990

b. (U) ITAR, 22 C.F.R. Parts 120-130, International Traffic in Arms
Regulations

c. (U) CNSSI 4009, Committee on National Security Systems, (CNSS)
Glossary, August 2021

d. (U) Chairman of the Joint Chiefs of Staff Instruction 6510.06 (current
version), Communication Security Release to Foreign Nations, March 31, 2011

e. (U) CNSSD 502, National Directive on Security of National Security
Systems, December 16, 2004

f. (U) E.O. 12333, United States Intelligence Activities, December 4, 1981


Enclosures:
ANNEX A – Procedures for Submitting and Processing Requests for the Release and
Transfer of U.S. Government (USG) Cryptologic National Security Systems Technical
Security Material, Cross Domain Solutions (CDS), Information, and Techniques to
Foreign Governments and International Organizations


ANNEX A

Procedures for Submitting and Processing Requests for
the Release and Transfer of U.S. Government Cryptologic National Security
Systems Technical Security Material, Cross Domain Solutions, Information, and
Techniques to Foreign Governments and International Organizations

1. (U) Requests for the Release of U.S. Government (USG) cryptologic national
security systems technical security material, Cross Domain Solutions, information, and
techniques to foreign governments and international organizations from CNSS Member
Organizations covered by Chairman of the Joint Chiefs of Staff Instruction CJCSI
6510.06B, dated 31 March 2011 (Communication Security Release to Foreign Nations)
(Ref. d) shall follow that instruction.

2. (U) Reference d, Chairman of the Joint Chiefs of Staff Instruction CJCSI
6510.06B, Communication Security Release to Foreign Nations, dated 31 March 2011
shall be processed as follows:

a. (U) Member departments or agencies desiring to release USG cryptologic
national security systems technical security material, Cross Domain Solutions,
information, and techniques shall make an initial determination that the proposed release
satisfies the criteria of policy CNSSP 8, Process Governing the Release and Transfer of
USG cryptologic national security systems technical security material, Cross Domain
Solutions, information, and techniques to Foreign Governments and International
Organizations.

b. (U//FOUO) Requests determined to satisfy the criteria, Section IV, Paragraph
9 of CNSSP 8, shall be submitted to the National Manager for purposes of determining
how the requirement can best be satisfied.

c. (U) In those cases (initial and subsequent requests for release to the
governments of Australia, Canada, New Zealand, and the United Kingdom and transfers
to foreign governments based on previously approved releases) where a decision to
release falls within the purview of the responsibilities listed by CNSSP 8, the National
Manager may recommend and/or approve the release of USG cryptologic
national security systems technical security material, information, Cross Domain
Solutions, and techniques that will satisfy the stated requirement.

d. (U) For other cases, the National Manager will provide feedback to the
requesting department or agency on a recommended solution and a way forward. Based
on that feedback, the requesting department or agency shall determine resource
availability, identify a proposed method of transfer (e.g., sale, lease, or loan) and
provide the legal framework for the transfer, accounting and safeguarding of any USG
cryptologic national security systems technical security material, Cross Domain
Solutions, information, and techniques. If resources are not available, the requesting
department or agency will work with the National Manager to address resource shortfalls.

e. (U) Requests other than those in c. above requiring a release determination by
the full CNSS membership and SIGCOM, will be referred by the National Manager to
the Chairman of the CNSS through the CNSS Secretariat. The National Manager shall
include the following in its referral:

(1) (U) Comments regarding the most appropriate solution;
(2) (U) A recommendation regarding the most acceptable means of transfer;
(3) (U) A SIGINT and Cybersecurity impact statement; and
(4) (U) A recommended CNSS action.

3. (U//FOUO) The CNSS Secretariat will prepare a Foreign Release staffing
package containing information regarding the Foreign Release case, concurrently to both
the SIGINT Committee (aka SIGCOM) and CNSS Representatives for consideration,
review of inquiries and concurrence/non-concurrence. A period of 30 working days each
will be allowed for both the CNSS and SIGCOM for approval for each assessment. In the
event that the CNSS or SIGINT Committee does not respond within the 30 day timeframe,
a non-response will be considered as a concur and the package will move forward.

f. (U//FOUO) In the event the SIGINT Committee determines that the proposed
release will impact adversely on national intelligence programs or objectives putting the
U.S. at risk, the CNSS Secretariat will so advise the CNSS members. The CNSS Chair
will then coordinate with the SIGINT Committee to work through the situation until the
national intelligence issue is resolved.

4. (U) In the event that either the CNSS or the SIGINT Committee cannot reach a
consensus within their own organization or group, the CNSS Secretariat will forward to the
CNSS Chairman supporting documentation for the Chairman’s decision or coordination
at the appropriate leadership level.


g. (U//FOUO) If the CNSS Members have reached a consensus, the Secretariat
will record the votes and inform the Chairman of the CNSS, the National Manager and
the CNSS Members of the outcome. In the event the CNSS Members cannot reach a
consensus, the Secretariat will forward to the CNSS Chairman, supporting documentation
for the Chairman’s decision or coordination at the appropriate leadership level. The
Secretariat will then inform the National Manager and the CNSS Members of the release
decision.

h. (U) The National Manager will inform the requesting department or agency
of the CNSS outcome.

i. (U) In implementing release decisions of the CNSS, the requesting
department or agency will coordinate the provision of the appropriate USG cryptologic
national security systems technical security material, Cross Domain Solutions,
information, and techniques with the National Manager and provide details within 30
working days of date of actual transfer, regarding the quantities of materials involved and
method of transfer.

5. (U) Requests for the release of USG cryptologic national security systems
technical security material, information, Cross Domain Solutions, and techniques to
Foreign Governments and International Organizations from non-CNSS Member
Organizations shall be sent to the National Manager. The National Manager will follow
the steps outlined in Paragraph 2 above.

6. (U) The National Manager shall maintain a record of all USG cryptologic
national security systems technical security material, information, Cross Domain
Solutions, and techniques released to foreign governments or international organizations
and provide the CNSS with an annual report which summarizes all release activities
during the previous 12-month period unless there has been a government wide shutdown
which would interrupt release activities.

7. (U) Departments or agencies may appeal CNSS Committee release decisions
directly to the Secretary of Defense in his/her role as the Executive Agent for National
Security Systems, and then, if necessary to the National Security Council through the
Executive Secretary of the CNSS who shall be advised of such appeal actions and keep
the Chairman of the CNSS apprised of their status.

8. (U) In accordance with this policy, participation in military services training
modules, joint exercises, and field training containing USG cryptologic national security
systems technical security material, information, Cross Domain Solutions, and techniques
demonstrations or discussion, must be limited to those foreign students and service
members from foreign nations that have been approved for release of the specific
equipment discussed or addressed in each module. However, many of the foreign
students scheduled to train at U.S. Military Service Training Courses for Officer and
Enlisted Personnel, and foreign participants in joint training exercises, may not be
eligible to receive training on the array of U.S. Type 1 encryption or Controlled
Cryptographic Item devices covered in those course modules or joint training programs.
