CHAPTER 7 – PART 1
USDA’s C2 LEVEL OF TRUST
1 BACKGROUND
USDA has traditionally depended upon diverse and rapidly
changing commercially available IT resources to support its business
practices and deliver services to the public. Often those resources
have been implemented without consideration or implementation
of minimum secure access controls, which leaves sensitive
information vulnerable to exploitation. USDA is establishing the
minimum secure access control settings by defining its
version of a Controlled Access Protection (C2) policy. This secure
access control will be utilized until such time as the Common
Criteria (CC) settings are available. Class C2, when implemented
according to this policy by USDA agencies/staff offices and
contractors, will meet the minimum security requirements necessary
to implement, maintain, and enforce the level of trust required for
sensitive data.
The Computer Security Act of 1987 (P.L. 100-235) was enacted to
create “a means for establishing minimum acceptable security
practices” for federal unclassified computer systems. The Act also
emphasizes that federal information requires protection against
unauthorized modification or destruction, as well as unauthorized
disclosure. To distinguish systems covered by P.L. 100-235 from
those used to process national security information, the law uses the
term “sensitive”. Confusion over this term may have led some
agencies to focus their limited computer security resources on
determining which systems would be labeled “sensitive”.
Information “owners” should use a risk-based approach to
determine what harm may result if a system is inadequately
protected. The intent of the Computer Security Act is to assure
adequate protection of all federal IT systems. NIST believes, as does
CS, that all unclassified agency information requires some degree of
protection to provide confidentiality, integrity or availability.
Therefore each agency must determine the appropriate level of
prot