7.2 DOD POLICIES

Copyright(c) Management Analytics, 1995 - All Rights Reserved

Within the Department of Defense, these broad requirements are implemented and further specified primarily through two vehicles: 1) DoD Regulation 5200.1-R [Denning76], which applies to all components of the DoD as such, and 2) DoD 5220.22-M, "Industrial Security Manual for Safeguarding Classified Information" [DoD-5200.28], which applies to contractors included within the Defense Industrial Security Program. Note that the latter transcends DoD as such, since it applies not only to any contractors handling classified information for any DoD component, but also to the contractors of eighteen other Federal organizations for whom the Secretary of Defense is authorized to act in rendering industrial security services (i.e., NASA, Commerce Department, GSA, State Department, Small Business Administration, National Science Foundation, Treasury Department, Transportation Department, Interior Department, Agriculture Department, U.S. Information Agency, Labor Department, Environmental Protection Agency, Justice Department, U.S. Arms Control and Disarmament Agency, Federal Emergency Management Agency, Federal Reserve System, and U.S. General Accounting Office).

For ADP systems, these information security requirements are further amplified and specified in: 1) DoD Directive 5200.28 [Denning75] and DoD Manual 5200.28-M [DoD-5000.29], for DoD components; and 2) Section XIII of DoD 5220.22-M [DoD-5200.28] for contractors. DoD Directive 5200.28, "Security Requirements for Automatic Data Processing (ADP) Systems," stipulates: "Classified material contained in an ADP system shall be safeguarded by the continuous employment of protective features in the system's hardware and software design and configuration . . . ." [8, sec. IV] Furthermore, it is required that ADP systems that "process, store, or use classified data and produce classified information will, with reasonable dependability, prevent:

Requirements equivalent to these appear within DoD 5200.28-M [DoD-5000.29] and in DoD 5220.22-M [DoD-5200.28].

DoD Directive 5200.28 provides the security requirements for ADP systems. For some types of information, such as Sensitive Compartmented Information (SCI), DoD Directive 5200.28 states that other minimum security requirements also apply. These minima are found in DCID 1/16 (new reference number 5), which is implemented in DIAM 50-4 (new reference number 6) for DoD and DoD contractor ADP systems.

From requirements imposed by these regulations, directives and circulars, the three components of the Security Policy Control Objective, i.e., Mandatory and Discretionary Security and Marking, as well as the Accountability and Assurance Control Objectives, can be functionally defined for DoD applications. The following discussion provides further specificity in Policy for these Control Objectives.