National Security Agency Endorsed TEMPEST Test Services Procedures (ETTSP) Package

19 November 1999
Source: Hardcopy from the National Security Agency TEMPEST Endorsement Programs, received November 17, 1999. Three packages, listed in the cover letter below, were provided by NSA in response to a telephone request. None of the material is classified.

This is the Endorsed TEMPEST Test Services Procedures (ETTSP) Package, 56 pages total.

See the other two packages, Endorsed TEMPEST Products Program (ETPP) Procedures Package, (96 pages) and the Zoned Equipment Program (ZEP) Procedures Package (16 pages).

The material was requested as follow-up to other TEMPEST-related documents obtained by FOIA.

NATIONAL SECURITY AGENCY
FORT GEORGE G. MEADE, MARYLAND 20755-6000

Serial: V14-263-99
10 November 1999

John Young
251 West 89th Street
Suite 6E
New York, NY 10024

Dear Mr. Young:

As requested, enclosed is the National Security Agency's Endorsed TEMPEST Test Services Program (ETTSP) Procedures Package, the Endorsed Products Program (ETPP) Procedures Package and the Zoned Equipment Program (ZEP) Procedures Package. Please note that TEMPEST Export Controls can be found on page 18 of the Endorsed Products Program (ETPP) Procedures Package.

If you have any questions in regards to the NSA TEMPEST Programs, please give me a call at (410) 854-6091.

Sincerely,

[Name omitted by request]
Program Manager
for
NSA TEMPEST Endorsement Programs

[1 page.]

TEMPEST ENDORSEMENT PROGRAM
(TEP)
TEST SERVICES PROCEDURE PACKAGE
DATED: 10/05/93

Enclosures:
1. Endorsed TEMPEST Test Services Program Procedures
2. Technical and Security Requirements Document (TSRD)
3. Memorandum of Agreement (MOA)
4. Endorsed TEMPEST Test Services Program Objective
5. Endorsed TEMPEST Test Services Program Process Assessment

POINT OF CONTACT FOR THE
TEMPEST ENDORSEMENT PROGRAM

ISSO BUSINESS AFFAIRS OFFICE
Attn: V14
NATIONAL SECURITY AGENCY
9800 SAVAGE ROAD
FORT GEORGE G. MEADE, MD. 20755-6740
(410) 854-6091

[10 pages.]

ENDORSED TEMPEST TEST SERVICES PROGRAM PROCEDURES

PART ONE: ELIGIBILITY REQUIREMENT8 AND PROGRAM OVERVIEW

The Endorsed TEMPEST Test Services Program (the Program) was established to foster the availability of endorsed TEMPEST test services facilities for use by U.S. Government departments and agencies, U.S. Government contractors and eligible U.S. TEMPEST product manufacturers in the development and production of TEMPEST products. The objective of the Program is to ensure that TEMPEST test and product configuration services required in the development and production of endorsed TEMPEST products are provided by facilities meeting the personnel, equipment, and facility requirements of this Program. This Program is an adjunct to the U.S. Government TEMPEST Certification Program (TCP) which is responsible for the certification of TEMPEST professionals.

Initial and continued eligibility to participate in the Program to provide TEMPEST test services is conditioned on a company meeting minimum requirements:

1) The company must not be under disqualifying foreign ownership, control, or influence (FOCI).
2) The company must have or obtain a secret facility security clearance and storage capability to handle classified TEMPEST information necessary to the design, development and testing of a TEMPEST product.
3) The company must demonstrate through its Process Assessment (PA) document that it can or will be able to satisfy the technical, security, personnel, and equipment requirements associated with becoming an endorsed TEMPEST test services facility.
4) The Company must neither be debarred or suspended from contracting with the U.S. Government.

The information which follows is intended to provide the potential TEMPEST test services facility with an overview of the six sequential events in the process of this Program. The steps are:

1. Pre-Proposal Memorandum of Understanding (MOU)
2. Company submission of a TEMPEST test services PA
3. Agency evaluation of the company PA
4. Negotiation of a Service Management Plan (SMP)
5. Memorandum of Agreement (MOA) between the Agency and the company
6. Agency evaluation and endorsement of the TEMPEST test services facility, which will include an on-site PA audit

A description of each sequential event is provided below:

1. Pre-ProPosal Memorandum of Understanding (MOU):

The pre-proposal MOU is designed to enable companies who otherwise do not have access to the classified technical standard for the Program (i.e., National TEMPEST Standard) to review the classified technical standard before making a decision to submit a test services PA in this Program. The MOU is only available to companies who are not under disqualifying foreign ownership, control, or influence (FOCI) and who have a secret facility clearance and storage capability. Companies meeting these requirements should send a letter to the Agency Point of Contact for this program, stating their interest in becoming an endorsed TEMPEST test services facility and to obtain the classified technical standard in order to determine the feasibility of submitting a TEMPEST test services PA to the Agency under the auspices of the Endorsed TEMPEST Test Services Program. The letter must include a DD Form "Department of Defense Security Agreement" and DD Form 441s "Certificate Pertaining To Foreign Interests", evidencing the Company has a secret security facility clearance and storage capability.

Upon receipt of the letter and the DD Form 441 and 441s, the Agency, in conjunction with the Defense Investigative Service (DIS), will review the company's FOCI status to determine its eligibility for access to TEMPEST information. Upon a favorable finding that the Company is not unacceptably FOCI, the Agency will forward the Pre-proposal Memorandum of Understanding (MOU) to the company for execution. The purpose and function of the MOU is to establish a formal relationship between the Company and the Agency, under which the Company is authorized access to the Program's classified technical standard for the purpose of determining whether it will develop a test services PA for submission to the Agency in accordance with the requirements of this document.

The Company agrees to protect the information in accordance with Government regulations and to only use the information for the purposes specified above. The Company is provided 120 days from receipt of the classified information to make a decision and submit a written test services PA. At the end of the 120 days, the Company must either submit a written test services PA or return the classified information. Companies electing to submit a PA will be permitted to retain the information through Agency review of the document.

Companies who are interested in obtaining the classified technical standard, but who do not possess a secret facility security clearance and secret information storage capability should send a letter to the Agency Point of Contact for this program stating the company's interest to become an endorsed TEMPEST test services facility and to obtain the classified technical standard for purposes of determining whether it will develop a TEMPEST test services PA. The company's letter should request the Agency to sponsor the company to DIS for the requisite clearances and storage capability certification. The letter should include a completed "Certificate Pertaining to Foreign Interests." The Agency will then sponsor the company to DIS. Upon Company submission to the Agency of the DD Form 441 and 441s, evidencing that the company now possesses a secret facility security clearance and storage capability, and Agency evaluation that the company is not unacceptably FOCI, the Agency will forward the company a pre-proposal MOU.

Companies who do not execute the pre-proposal MOU, are required to submit a DD Form 441 and 441s, for Agency review and approval, prior to submission of a test services PA. The DD Form 441 and 441s, are reviewed by the Agency in conjunction with the DIS, to determine whether the company is unacceptably FOCI, and thus, ineligible to participate in the Program. The Agency will notify the Company in writing of the results of its DD Form 441 and 441s review. It is recommended that the company not prepare or submit the test services PA until it has received a favorable review of its DD Form 441 and 441s.

2. Company submission of a TEMPEST test services Process Assessment:

The intent of the PA is to outline the company's processes for TEMPEST testing documentation preparation, quality assurance, training, maintenance, and management.

A. The written test services PA assists NSA to establish the existence of capabilities and qualifications within the Company which should be present for successful provision of TEMPEST test services. This PA is designed to provide preliminary information as a prelude to a visit by an NSA survey team to evaluate the Company's test services facility. Companies are encouraged to submit as much detailed documentation as necessary to establish their identity, capability, and suitability for the Program. Some of the information required to be included in the PA may be duplicative of information requested in the data deliverables required for endorsement. The Company may, as appropriate, reference the pertinent part of its PA to satisfy data deliverable requirements (See Section VI of the Technical and Security Requirements Document). For guidance on preparing the PA refer to the enclosed National Security Agency TEMPEST Endorsement Program Process Assessment document and the NSA TEMPEST Endorsement Program Objective Standards.

(Five) copies of the complete PA package should be mailed to the Point of Contact for the TEMPEST Endorsement Program (TEP). The address and telephone number are noted on the cover letter to this procedures package.

Questions regarding the Endorsed TEMPEST Test Services Program PA process can be answered by writing to the Point of Contact for the TEP or by calling the TEP Office.

3. Agency Evaluation of company Process Assessment:

Upon receipt of the Company's PA, NSA will make a general assessment as to whether the Company possesses the technical capability to successfully generate TEMPEST Test Plans and Reports as well as test a TEMPEST product. The Agency will notify the company in writing of the results of its evaluation. Under normal circumstances, the Agency will endeavor to evaluate the PA within 30 working days. During this time the Agency will also visit the company to conduct an on-site survey to ensure the accuracy of the PA

4. Service Management Plan (SMP) negotiated between the parties:

After the company's receipt of a favorable evaluation notice, but prior to a formal acceptance of the company's PA through execution of a Memorandum of Agreement (MOA), the Agency and the company will negotiate a Service Management Plan which delineates a mutually agreed upon schedule of supportable milestones and events as well as delivery of data and reports required of each party to accomplish test services facility evaluation and endorsement under the Program. Failure to negotiate and conclude a SMP within 120 days of the company's receipt of the Agency's notice, constitutes grounds not to accept the company's PA. The Company may withdraw its PA at any time should it determine it does not wish to Pursue test services facility endorsement.

In developing a proposed SMP, a company should assume, under normal circumstances, that the Agency will require 30 working days to review and approve a data deliverable. The Agency will maintain a master service management plan of all approved SMPs in order to control the workload and ensure proper resource allocation. It is therefore critical that a company proposes delivery dates for deliverable submissions that are realistic and consistent with known obligations. Given that the master plan will be predicated on the negotiated SMP schedule, companies failing to submit deliverables, for which Agency review is required, on the date scheduled in the SMP may forfeit that timeframe for review. The Agency will reschedule the review date in accordance with its first available time period. If the Company realizes that it will not be able to meet the negotiated SMP delivery date, it must notify the Agency immediately upon making this realization in order to renegotiate a new delivery date and potentially a new SMP.

5. Memorandum of Agreement (MOA) between the Agency and the company:

Upon establishment of a SMP, NSA will forward the MOA to the company for execution. The purpose and function of the MOA is to establish a formal relationship between the company and NSA under which the Company obtains necessary TEMPEST information, agrees to protect the Agency provided information in accordance with Government regulations, and agrees to market, sell, and provide TEMPEST test services at its own risk and expense. Attached to the MOA is the Technical and Security Requirements Document (TSRD), Agreement Data Requirements List (ADRL) and the SMP which specify the requirements and time schedule for test services facility evaluation and endorsement. For its part under the MOA, the Agency agrees to protect Company proprietary information and to evaluate, and, if appropriate, endorse the Company's test services facility. The MOA also formally establishes the responsibilities and obligations of the parties with respect to the Company's marketing and sales of TEMPEST test services subsequent to endorsement as well as the terms and conditions for continued endorsement.

6. Agency evaluation and endorsement of the TEMPEST test services facility:

Once the MOA is executed, the company and the Agency perform the tasks necessary to satisfy the requirements of the MOA for test services facility evaluation and endorsement. Upon its determination that the company's test services facility is in compliance with the TSRD and ADRL, the Agency will notify the company in writing that the test services facility is endorsed. Agency endorsement is a statement of the Agency's findings that the test services facility satisfies the technical and security requirements set forth in the TSRD. Upon test services facility endorsement, the Company's name, facility location, and point of contact will then be placed on the Endorsed TEMPEST Test Services List published quarterly as part of the Information Systems Security Products and Services Catalogue. The List is available to assist U.S. Government departments and agencies, U.S. Government contractors, and TEMPEST product manufacturers to identify endorsed TEMPEST test services facilities. Initial and continued endorsement is contingent upon the Company's continued adherence to the technical, security and procedural terms and conditions of the MOA and its attachments.

PART TWO:

PROCESS FOR AGENCY TERMINATION OF MEMORANDUM OF AGREEMENT (MOA)
PRIOR TO ENDORSEMENT-STANDARDS AND PROCEDURES

Participation in the Program after MOA execution is permitted only if the Company continues to satisfy the eligibility requirements for the Program and pursues test services facility endorsement in accordance with the schedule in the Service Management Plan (SMP). The Agency may initiate processes to terminate the MOA if it finds:

a. The Company's facility security clearance and storage capability have been or will be revoked;
b. The Company becomes unacceptably foreign owned, controlled, or influenced;
c. The Company is suspended or debarred from contracting with the U.S. Government;
d. The Company refuses or demonstrates failure (two incidents) to adhere to the schedule agreed to in the SMP;
e. The Company fails to satisfy the requirements for endorsement in the time allotted in the SMP.

The Agency shall not terminate the MOA for an additional 14 days following Company receipt of the termination letter, to allow the Company an opportunity to appeal the decision to the Agency's Deputy Director for Information Security (DDI). The Company must submit its appeal in writing. The appeal notice must specify the Company's grounds for appeal and include all pertinent evidence. Termination of the MOA will be stayed until receipt of the DDI decision. DDI decision will be based solely on the written evidence submitted and there will be no opportunity for oral argument. The DDI will be the final arbiter of the dispute and his decision is final.

PART THREE:

AGENCY SERVICE ENDORSEMENT TERMINATION PROCESS
STANDARDS AND PROCEDURES

Continued TEMPEST test services facility endorsement is permitted only if the Company continues to satisfy the eligibility requirements for the Program and comply with the terms and conditions of the Memorandum of Agreement (MOA) and its attachments. The Agency may initiate processes to terminate the TEMPEST test services facility's endorsement if it finds:

a. The Company's facility security clearance and storage capability have been or will be revoked:
b. The Company becomes unacceptably foreign owned, controlled or influenced;
c. The Company is suspended or debarred from contracting with the U.S. Government.
d. Failure or refusal by the Company to satisfy staffing requirements as specified in the TSRD;
e. The Company refuses or demonstrates failure to adhere to the processes delineated in the TSRD and incorporated references.
f. Failure or refusal by the Company to satisfy facility or equipment requirements as specified in the TSRD;
g. The Company refuses or demonstrates failure to ensure that TEMPEST test services or Product Configuration services are only performed by Certified TEMPEST professionals as specified in the TSRD;
h. The Company refuses or demonstrates failure to adhere to the security requirements delineated in the MOA and incorporated references;
i. Company failure or refusal to allow access to the Agency designated representative to inspect Company facilities and records to ensure continued compliance with the requirements specified in the TSRD.

The Agency will notify the Company in writing, certified mail, return receipt requested, of its intent to terminate, inform the Company of the grounds upon which such termination is founded and afford the Company a reasonable opportunity (at least 14 days) to show cause why such test services facility endorsement should not be terminated. Service endorsement shall be suspended effective immediately upon Company receipt of the letter. Once endorsement is suspended, the Company cannot continue to advertise its facility as NSA endorsed or take any new orders from U.S. Government department or agencies or TEMPEST product manufacturers requiring NSA endorsed services. Facilities with suspended endorsement are listed in Section II (Blue pages- facilities with suspended endorsement, pending facility endorsement termination and appeal. After reviewing the Company's response, if any, to the termination notification, the Agency will determine whether the endorsement should be terminated. The Agency will notify the Company, in writing, of its decision. The letter, which shall be mailed certified mail, return receipt requested, will state the effective date of termination, request the Company to immediately return all information, materials, parts, components, assemblies, and equipment provided pursuant to performance under the MOA. The letter will also provide any special instructions pertaining to completion of existing purchase orders for TEMPEST test services and include instructions on how to appeal the Agency's decision should the Company elect to do so.

Upon termination of a Company's test services facility endorsement, the Company is listed in Section III (Red Pages-terminated endorsement) of the Endorsed TEMPEST Test Services List. Once a test services facility endorsement is terminated, the Company's facility cannot be re-endorsed for a period of three years at which time it must reapply to the Agency in accordance with the procedures delineated in Part One.

Notice of Endorsement termination will not be posted on the Endorsed TEMPEST Test Services List for an additional 14 days following Company receipt of the termination letter, to allow the Company an opportunity to appeal the decision to the Agency's Deputy Director for Information Security (DDI). The Company must submit its appeal in writing. The appeal must specify the Company's grounds for appeal and include all pertinent evidence. Service endorsement termination will be stayed until receipt of the DDI decision. DDI decision will be based solely on the written evidence submitted and there will be no opportunity for oral argument. The DDI will be the final arbiter of the dispute and his decision is final.

[2 pages.]

D R A F T

MEMORANDUM TO ALL CURRENT AND PROSPECTIVE COMPANIES
PARTICIPATING IN THE TEMPEST ENDORSEMENT PROGRAM (TEP)

SUBJECT: Revision of the Endorsed TEMPEST Test Services Program (ETTSP) Procedures Package

More than two years have passed since the start of the TEMPEST Endorsement Program (TEP) which consists of three subprograms: The Endorsed TEMPEST Products Program (ETPP), the Endorsed TEMPEST Test Services Program (ETTSP), and the Zoned Equipment Program (ZEP). The latter was recently added to the program.

During the past two years the national TEMPEST policy has been in flux and has changed dramatically in 1993. To maintain a viable program in light of the economic downturn the Government/Industry TEMPEST Advisory Panel (GITAP), a sub-group of the TEMPEST Advisory Panel (TAG), commissioned a working group to look at the current program with the prospect of improving the ETPP and shortening the endorsement period for products. This was accomplished in April 93 and presented to the GITAP in June 1993. Upon acceptance by the GITAP the program was coordinated throughout the Government TEMPEST community. At the same time the ETTSP was also reviewed and changed to correspond with the changes of the ETPP. The updated program resulted in a totally new concept which now emphasizes the manufacturing processes rather than the product. It has also accomplished and important task and that is shortening the endorsement process for products.

The attached revision to the ETTSP procedures package provides guidance to endorsing the company's test service process. With the revised program, manufacturers and test services will be required to develop a Process Assessment document as part of the endorsement process. A new feature of the program allows for products to be tested to both level I and II standards. Any questions pertaining to this revised procedures package should be addressed to the TEMPEST Endorsement Program Staff using the address and telephone number listed on the cover page to this procedures package.

Sincerely,

[Name omitted by request]
Manager, TEMPEST Endorsement Programs
Office of Acquisition and Business Development

Encl: a/s

D R A F T

[1 page.]

NSA T5RD No. 88-8B
DATED: 5 Oct 93
SUPERCEDING
NSA TSRD No. 88-8A
DATED: 10 FEB 89

NATIONAL SECURITY AGENCY

TECHNICAL AND SECURITY REQUIREMENTS DOCUMENT

FOR THE

ENDORSED TEMPEST TEST SERVICES PROGRAM

[1 page.]

NSA TSRD No. 88-8B
DATED: 5 Oct 93

TABLE OF CONTENTS

SECTION I - INTRODUCTION

SECTION II - TEMPEST TEST SERVICES

2.1 TEMPEST TEST PLAN
2.2 PERFORMANCE OF TEMPEST TEST(S)
2.3 TEMPEST TEST REPORT

SECTION III - PRODUCT CONFIGURATION SERVICES

3.1 PRODUCT CONFIGURATION SERVICES REQUIREMENTS
3.1.1 PRODUCT TEST PLAN REVIEW
3.1.2 CHANGE PROPOSAL REVIEW

SECTION IV - SHIELDED ENCLOSURE & EQUIPMENT PROCEDURES

4.1 COMPANY CRITERIA FOR INITIAL AND CONTINUED ENDORSEMENT
4.1.1 SHIELDED ENCLOSURES
4.1.2 MISCELLANEOUS EQUIPMENT
4.1.2.1 DETECTION SYSTEMS
4.1.2.2 ANTENNAS 5
4.1.2.3 PLISN
4.1.2.4 OSCILLOSCOPES
4.1.2.5 SIGNAL CALIBRATOR SOURCES
4.1.2.6 FACILITY CAPABILITY

SECTION V - PERSONNEL REQUIREMENTS

5.1 PERSONNEL CRITERIA
5.2 TEMPEST TEST SERVICES CRITERIA
5.2.1 TRAINING CRITERIA
5.2.2 SUPERVISORY RESPONSIBILITIES OF CTP I/II
5.3 USE OF UNCERTIFIED PERSONNEL
5.4 STAFFING REQUIREMENTS
5.5 FAILURE TO MEET MINIMUM STAFFING REQUIREMENTS

SECTION VI - DOCUMENTATION REQUIRED FOR INITIAL AND CONTINUED ENDORSEMENT

6.1 PROCESS ASSESSMENT DOCUMENTATION

SECTION VII - GENERAL REQUIREMENTS

7.1 SECURITY REQUIREMENTS FOR ACCESS AND CONTROL OF CLASSIFIED INFORMATION
7.2 EXPORT CONTROLS
7.3 EXPORT LICENSE REQUIREMENTS
7.4 EXPORT LICENSE APPLICATION INFORMATION
7.5 EXPORT LICENSE EXCEPTIONS

APPENDIX A
APPENDIX B

[14 pages and graph.]

NSA TSRD No. 88-8B
DATED: 5 Oct 93

NATIONAL SECURITY AGENCY
TECHNICAL AND SECURITY REQUIREMENTS DOCUMENT (TSRD)

FOR THE

ENDORSED TEMPEST TEST SERVICES PROGRAM

SECTION I - INTRODUCTION

1.1 This document delineates the technical, security, and data requirements necessary for NSA endorsement of TEMPEST Test Services facilities under the auspices of the Endorsed TEMPEST Test Services Program (ETTSP). This Program was established to support NSA's Endorsed TEMPEST Products Program (ETPP), by fostering the availability of quality TEMPEST test services to U.S. Government departments and agencies, U.S. Government contractors, and manufacturers of TEMPEST products. The revision of the TSRD will bring the ETTSP in line with the revision of the ETTP. This Program is an adjunct to the U.S. Government TEMPEST Certification Program (TCP)*, responsible for certification of TEMPEST professionals, by requiring providers of endorsed TEMPEST test services to staff, equip, and operate their facilities in accordance with the requirements of this document.

____________________

*Note: The TEMPEST Certification Program (TCP) is administered by the TEMPEST Countermeasures Working Group (TCMWG) of the Countermeasures Advisory Panel of the National Security and Telecommunications Information Systems Security Committee (NSTISSC). There are two categories of certification under this program: Certified TEMPEST Professionals, Level II (CTP II) and Certified TEMPEST Professionals, Level I (CTP I). These categories were previously referred to as Certified TEMPEST Engineer (CTE) and Certified TEMPEST Tester (CTT), respectively. Information about the TCP can be obtained by calling (202) 282-2037 or writing:
Commanding Officer
Naval Electronic Systems Security Engineering Center
ATTN: Code 220 (TCMWG/TCP)
3801 Nebraska Avenue, NW
Washington, DC 20390-5270

1.2 TEMPEST test services consist of two elements: Preparation and execution of TEMPEST test plans. Preparation of TEMPEST test plans consists of an evaluation of the equipment and development of a test plan to test the equipment under test (EUT) to determine if it is in compliance with the requirements of the National TEMPEST Standard. Execution of the test plan consists of performing the TEMPEST test(s) and preparing a TEMPEST report of the test results.

1.3 NSA's Endorsed TEMPEST Products Program requires as a condition of product endorsement that execution of TEMPEST test plans be accomplished by an NSA endorsed TEMPEST test services facility. Preparation of TEMPEST test plans by an endorsed TEMPEST test services facility is desirable, but not mandatory, as long as the individual preparing the test plan has a valid TCP certification as a Certified TEMPEST Professional, Level II (CTP II). Manufacturers using in-house, endorsed facilities to prepare and execute TEMPEST test plans are responsible to take all reasonable steps to ensure that compliance with the requirements of the National TEMPEST Standard and this TSRD are the first priorities of the personnel performing TEMPEST test services. NSA endorsed TEMPEST Test Services facilities are also authorized to provide Product Configuration services to product manufacturers developing or producing products under the auspices of the Endorsed TEMPEST Products Program.

SECTION II - TEMPEST TEST SERVICES

2.1 TEMPEST Test Plan. The company shall submit to the Agency, for its review a TEMPEST Test Plan prior to the performance of tests as described in paragraph 2.2. Test plans detail the test methodology and test procedures to be used to verify the Equipment Under Test (EUT) compliance with the current National TEMPEST Standard. THE TEMPEST TEST PLAN MUST BE PREPARED BY A CURRENTLY CERTIFIED TEMPEST PROFESSIONAL LEVEL II (CTP II). Certification of CTP IIs is a function of the U.S. Government TEMPEST Certification Program (TCP).

The TEMPEST Test Plan must be prepared as specified in the current National TEMPEST Standard. In addition, the Test Plan must include a section on design methodology which will contain, as a minimum, details on construction techniques, interface techniques, and other TEMPEST design features. This section should provide sufficient detail to enable Agency evaluators to understand the Product's TEMPEST design in order to meaningfully evaluate the adequacy of the Test Plan. The Test Plan must be signed by the CTP II that prepared it and be reviewed and signed by a CTP II other than the author. In lieu of a second CTP II the company may request review and approval by the TEP Office (allow 30 days for TEP review). Indicate the name of the CTP II's employer, if other than the test service.

2.2 Performance of TEMPEST Test(s). Performance of the TEMPEST test(s) must be accomplished on a production unit, by a TEMPEST Test Services facility endorsed by the Agency under the auspices of the Agency's Endorsed TEMPEST Test Services Program. A production unit is a unit produced by individuals on the manufacturing line (vice in a laboratory by development engineers), using the production techniques, processes, and equipment by which all subsequent units are to be produced. The Agency reserves the right to witness performance of the test(s).

2.3 TEMPEST Test Report. The Company shall submit to the Agency an abbreviated TEMPEST Test Report which provides a description of the TEMPEST test (s) performed and the test results. Preparation of the Test Report must be accomplished by the Endorsed TEMPEST Test Services facility which performed the TEMPEST testing. The report must indicate the name of the endorsed TEMPEST Test Services facility that executed the TEMPEST Test Plan and be signed by the CTP Level I or II that performed the testing and prepared the report. The Test Report must be reviewed and signed by a CTP II other than the author. The report must be prepared in accordance with the abbreviated test report format in the current National TEMPEST Standard. The report must satisfy the Certification requirements for Facility, Detection System, and Test Setup Certification as detailed in the current National TEMPEST Standard. The TEMPEST Test Report must demonstrate whether the product tested is fully compliant with the requirements of current National TEMPEST Standard and include the originator/author's (CTP Level I or II) assessment to that effect.

SECTION III - PRODUCT CONFIGURATION SERVICES

3.1 Product Configuration Services Requirements. Endorsed TEMPEST Test Services facilities may perform Product Configuration Services on behalf of TEMPEST product manufacturers. The procedures and requirements for product configuration services are set out in detail in Section III, paragraph 3 of the Endorsed TEMPEST Products Program Technical and Security Requirements Document (TSRD), which is included in its entirety in Appendix A and the product manufacturers Process Assessment Report. In general, Product Configuration Services include the review of the product test plan and engineering changes, waivers, and deviations.

3.1.1 Product Test Plan Review. Review of the product's TEMPEST Test Plan, engineering drawings and associated lists of all components and ancillaries that perform product TEMPEST functions and preparation of a Critical Features List identifying the critical features (i.e., parts, materials, workmanship, assemblies, assembly procedures, and manufacturing processes, which are of paramount importance to the TEMPEST integrity of the Product.

3.1.2 Change Proposal Review. Review of all engineering changes, waivers, and deviations to the Product to determine whether the changes affect or potentially affect the TEMPEST integrity of the product and/or affect a critical feature of the product. A CTP II is responsible for preparing and providing to the Company for submission to the Agency, a technical assessment of the change proposal and supporting documentation. A CTP II shall prepare and execute test plan(s) as appropriate to substantiate the technical assessment.

SECTION IV - SHIELDED ENCLOSURE AND EQUIPMENT REQUIREMENTS

4.1 Company Criteria for Initial and Continued Endorsement. The Company must demonstrate, in accordance with the requirements set forth below, that it satisfies the following criteria for initial and continued endorsement as a TEMPEST Test Services Facility. The criteria are:

4.1.1 Shielded Enclosures: The Company must have a shielded enclosure that meets the required electromagnetic attenuation as specified in Appendix B. The size of the shielded enclosure must be suitable to configure the equipment under test (EUT) and maintain minimum separation distance of antennas from the EUT and shielded enclosure wall as specified in the National TEMPEST Standard. The shielded enclosure must meet the test environment requirement specified in the National TEMPEST Standard and be located in a facility cleared by DIS up to the SECRET level and eligible for access and storage of classified information and material.
4.1.2 Miscellaneous Equipment: Endorsed TEMPEST Test Services Facilities must, in accordance with paragraph 7.6 of the National TEMPEST Standard, have operational, calibrated equipment.
4.1.2.1 Detection Systems:
(a) A tunable detection system capable of being tuned over the frequency range of 200 Hz to 10 GHz. The sensitivity and bandwidths must meet the requirements specified in the National TEMPEST Standard. If this detection system is automated, and it is to be operated in the automated mode, it must also meet the requirements of Appendix E of the National TEMPEST Standard .
Note: The following guidance is provided by the TEMPEST Qualification Special Committee (TQSC):
If EUT ambient (EUTA) emanations, correlated emanations (CORRE), data related emanations (DRE), compromising emanations (CE), or undesired signal data emanations (USDE) are detected above 500 MHz, and their measured levels are higher than -6db in reference to the limit, you must test in the 1-10 GHz range for categories H and above.
(b) A non-tunable detection system capable of meeting the bandwidths and sensitivity requirements specified in the National TEMPEST Standard.

4.1.2.2 Antennas:
(a) Electric-Field Antenna. Each testing facility must have Electric-Field antenna(s) with the capability of covering the frequency range of 200 Hz to 10 GHz.
(b) Magnetic-Field Antenna. Each testing facility must have Magnetic-Field antenna(s) with the capability of covering the frequency range of 200 Hz to 30 MHz.
(c) When these antennas are used in conjunction with detection systems, the sensitivities must conform to the applicable requirements of the National TEMPEST Standard.

4.1.2.3 PLISN. Power Line Impedance Stabilization Network (PLISN). Each testing facility must have at least one set of PLISNs capable of performing the powerline tests specified in the National TEMPEST Standard.
4.1.2.4 Oscilloscopes. Each testing facility must have at least one dual-beam and/or dual trace oscilloscopes that meet the bandwidth requirements of the National TEMPEST Standard.
4.1.2.5 Signal Calibrator Sources (e.g., signal generators, synthesizers, impulse generators). Each testing facility must have precision calibration source(s) that meet the requirement of paragraph 7.5 of the National TEMPEST Standard.
4.1.2.6 Facility Capability. Each facility must have the demonstrated capability to sample and record detected emanations as required by the National TEMPEST Standard.
4.1.2.7 Ancillary Equipments. Each testing facility must have ancillary equipment:
Multi-meters, true RMS volt meters, attenuators, pre-amplifiers, coaxial cables, breakout boxes, terminators, cable adaptors, actuators, headphones, oscilloscope cameras.

SECTION V - PERSONNEL REQUIREMENTS

5.1 Personnel Criteria. Individuals employed to perform TEMPEST test or Product Configuration services must have a valid certification from the U.S. Government TEMPEST Certification Program (TCP), as either a Certified TEMPEST Professional, Level II (CTP II) or a Certified TEMPEST Professional, Level I (CTP I).

A CTP II is authorized to prepare, execute, and review TEMPEST test plans and test reports and perform product configuration services. A CTP I is only authorized to execute TEMPEST test plans and write TEMPEST test reports.

5.2 TEMPEST Test Services Criteria. To obtain and maintain endorsement, the TEMPEST Test Services facility must ensure all services are performed by a CTP II/CTP I with the allowable exception that:

5.2.1 Training Criteria. A CTP I training to be a CTP II will be permitted to assist in the preparation of TEMPEST test plans as long as the CTP I is under the direct supervision of a CTP II, who is responsible to ensure the contents of the test plan conform to the requirements of the National TEMPEST Standard. Each test plan must be signed by the CTP II and reflect the name of the CTP II trainee who assisted in the preparation of the test plan.
5.2.2 Supervisory Responsibilities of CTP I/II. Uncertified technicians may participate in the execution of test plans as long as they are under the direct supervision of a CTP I or CTP II. The CTP I or CTP II must be physically present and monitor performance of the entire test. The fact that a trainee participated in performing the test must be noted in the test report. The CTP I or CTP II signing the report is responsible for the test performed and to certify to the accuracy of the reported test results.

5.3 Use of Uncertified Personnel. Use of uncertified personnel to perform TEMPEST test services or use of a CTP I to prepare TEMPEST test plans, except under the training circumstances stated above, constitutes grounds for termination of a TEMPEST Test Services facility's endorsement in accordance with the Endorsed TEMPEST Test Services Program Procedures.

5.4 Staffing Requirements. Staffing of each TEMPEST Test Services facility with sufficient certified TEMPEST personnel to ensure that TEMPEST test services or product configuration services are only performed by certified personnel, is a condition of initial and continued endorsement of a TEMPEST Test Services facility. Thus, the minimum staffing requirement for a TEMPEST Test Services facility is one CTP II. Companies shall immediately report any changes in staffing to the Agency and failure to do so is grounds to process the Company for services endorsement termination.

5.5 Failure to Meet Minimum Staffing Requirements. Failure to maintain the minimal staffing level is grounds for endorsement suspension. Upon Company notification of a staffing deficiency, the Agency will notify the Company, in writing, certified mail, return receipt requested, that its services endorsement is suspended. If a TEMPEST Test Services facility's endorsement is suspended, the Company that operates the facility may not advertise its services as NSA endorsed, take any new orders for TEMPEST test services, or perform TEMPEST test services until the staffing deficiency has been corrected. If the Company fails to correct staffing deficiencies within 90 days from the date the Company receives notification of endorsement suspension, the Agency will initiate proceedings to terminate the services facility's endorsement.

SECTION VI - REQUIREMENTS FOR INITIAL AND CONTINUED ENDORSEMENT

6.1 Service Management Plan. In accordance with the schedule established in the Service Management Plan (SMP), an Agency site survey team will visit the TEMPEST Test Services facility to verify the company's compliance with requirements delineated in this document. Prior to the Agency's visit, and in accordance with the schedule delineated in the SMP, the Company shall develop and provide the Agency for its review and approval:

a. A list of Certified TEMPEST Personnel employed by the Company, providing names, titles, certification levels, and certification dates for each certified person.
b. An Equipment Report which indicated the number of each required equipment and describes how the Company has satisfied the equipment related requirements delineated in this TSRD and paragraph 7.6 of the National TEMPEST Standard. The Company's equipment calibration and maintenance program shall be also described. This report should be typewritten and be provided in duplicate on 8.5" by 11" paper.
c. A Facility Certification Report prepared in accordance with the requirements of paragraph 6.4 of the National TEMPEST Standard. This report should be typewritten and produced in duplicate on 8.5" by 11" paper. Upon endorsement and in accordance with the requirements of the National TEMPEST Standard, Company submission of this report will be required on a tri-annual basis
Note: The Agency has not standardized the amp load to which each Endorsed TEMPEST Test Services Facility should test in preparing its Facility Certification Report. This will be left to the discretion of the testing facility so long as justification for selecting that amp load is included in the report. If however, the amperage load of the product being tested exceeds by 25%, the amp load used in the original Facility Certification Report submitted for endorsement of the facility, the facility must amend its certification report to address the higher amp load.
d. A Test Instrumentation Certification Report prepared in accordance with the requirements of paragraph 6.3 of the National TEMPEST Standard, and if appropriate, Appendix E. This report should be typewritten and produced in duplicate on 8.5" by 11" paper. Upon endorsement, submission of the Test Instrumentation Certification Reports prepared in accordance with the above requirements will be required on a tri-annual basis. Companies using automated detection systems are however required to run tests that meet the requirements of Appendix E at least once a year and retain the data for Agency site inspection reviews for the duration of the test services facility endorsement.
e. A documented process for the generation and review of Test Plans and Test Reports. (Refer to the TEP Process Assessment documentation enclosed).
Note: Subsequent to endorsement, periodic visits by the Agency site survey team will be accomplished to ensure continued compliance with these requirements.

6.2 Agency Audits.

6.2.1 Agency Scheduled Audits. Aperiodically, but not more frequently than once a year, the Agency may use its current TEMPEST test process assessment to perform an audit at the Company's facility. This is done to ensure that no unauthorized changes have been made to the endorsed testing process documentation that could affect the TEMPEST integrity of the TEMPEST product, and to verify the continuing accuracy and completeness of the Process Assessment. The Agency shall afford the ComPany two weeks advance notice of each audit.
6.2.2 Unannounced TEMPEST Endorsement Program (TEP) Audits. The Agency may, no more frequently than twice a year, conduct a TEP audit for the purpose of assessing the Company's compliance with the requirements of the MOA and this TSRD. The Agency shall afford the Company 24 hours advance notice of these audits. The documentation to facilitate the Agency's audit.

SECTION VII - GENERAL REQUIREMENTS

7.1 Security Requirements for Access and Control of Classified Information:

a. To acquire and retain classified information, a Company is required to comply with the requirements of DoD 5220.22M, "Industrial Security Manual for Safeguarding Classified Information", dated September, 1987 and all amendments thereto and the DoD 5220.22-S-1, "COMSEC Supplement of the Industrial Security Manuals for Safeguarding Classified Information", dated March, 1988, and all amendments thereto. Both documents are incorporated by reference into the Memorandum of Understanding (MOU) and Memorandum of Agreement (MOA). For purposes of classification and control, all TEMPEST information is considered to be communications security (COMSEC) information. However, TEMPEST information is not subject to the requirements of the NSA/CSS CSCM-1, "National Security Agency COMSEC Material Control Manual", dated February, 1985. The Company is not required, therefore, to establish a COMSEC account for TEMPEST information.
b. The Company is required to comply with the terms of the Contract Security Classification Specification, DD Form 254, which is incorporated by reference into each MOU and MOA. The DD Form 254 constitutes the vehicle by which the Government releases classified information to the Company and the vehicle the Company is required to use to release classified information to its subcontractors. The Company may use classified information for purposes other than those specifically provided in the MOU/MOA or DD Form 254 if the Company has requested and the Agency has approved, in writing, such use. Approval is contingent upon Agency determination that the proposed use is consistent with the stated policies and objectives of the Program and the national security interests of the U.S. Government.
c. The use of classified information related to TEMPEST products, instrumentation, or services, whether provided to or generated by a company, to institute or prosecute any suit, action at law, claim, or other action to resolve a dispute is NOT authorized. Companies shall notify the Agency Program Manager, as soon as possible, of any such actions in which the company is or may become involved and which, in anyway, relates to the Company's work with the Agency in respect to a TEMPEST product, instrumentation, or service. If necessary to ensure classified information is not disclosed in such actions, the Agency may request, and the company shall afford, reasonable opportunity (1) for the Agency to review all pleadings, motions, correspondence, or other documents prior to use of filing, and (2) to attend any depositions or interviews at which such TEMPEST information may discussed.

7.2 Export Controls.

a. TEMPEST products, TEMPEST test instrumentation and TEMPEST information may only be exported for sale to Government and military departments of NATO, NATO member governments or governments of Australia or New Zealand.

(i.e., exports to companies or non-military organizations in these countries or governments of countries other than those listed below are prohibited.

1. Canada
2. Australia
3. New Zealand
4. Great Britain
5. Germany
6. Italy
7. Norway
8. Denmark
9. France
10. Luxembourg
11. Netherlands
12. Belgium
13. Iceland
14. Portugal
15. Greece
16. Spain
17. Turkey
[Following handwritten]
18. Poland
19. Hungary
20. Czech Republic

7.3 Export License Requirements. An export license is required to export equipment manufactured or modified to meet the Nation[al] TEMPEST Standard or to be used as TEMPEST test instrumentation. Classified TEMPEST information as well as all unclassified TEMPEST information which is related to the design, engineering, development, production, processing, manufacture, use, operation, overhaul, repair, maintenance, modification, or reconstruction of TEMPEST products or TEMPEST test instrumentation is transferred to foreign governments through a government-to-government transfer. Classified materials to be forwarded to a foreign government on a government-to-government basis shall be provided to the Agency. Attn: INFOSEC International Relations, along with a cover letter which provides the name of the foreign government and the address to which the material is to be sent. Clearance information of company visitors to the foreign government or foreign government visitors to the Company should likewise be provided to the Agency for forwarding (reference paragraph 2.d.2 on page 4 of the MOA).

7.4 Export License Application Information. Application forms and information regarding report licenses can be obtained from the Center for Defense Trade, Department of State, Washington, DC 20520 or by calling the licensing division at (703) 875-6644. General information may be obtained by calling (703) 875-6652.

7.5 Export License Exceptions. Exports to the Canadian Government do not require an export license (requirements for a technical assistance agreement and/or warehousing agreement continue to apply). The company is, however, required to notify the Canadian Department of National Defense, in writing, of any product(s) to be exported to the Canadian Government. The notice should be sent to the following address:

Department of National Defense
Communications Security Establishment
101 Colonel By Drive
Ottawa, Ontario KLAOK2
Canada

APPENDIX A - APPENDIX RELATING TO PRODUCT CONFIGURATION SERVICES

Appendix A is Section III, paragraph 3.1 - 3.3.3.2 of the Endorsed TEMPEST Products Program Technical and Security Requirements Document (TSRD), Appendix A to that TSRD entitled "Examples of Critical Features", and Process Assessment Report, Section III Product Assurance.

SECTION III - PRODUCT INTEGRITY PROCESSES

3.1 Critical Features List (CFL). (Refer to APPENDIX A and to ADRL B001) The company shall establish a Critical Features List which identifies specific critical features of product manufacturing, (i.e., parts, material, workmanship, techniques, assemblies, assembly procedures, and manufacturing processes) which are of paramount importance to the TEMPEST integrity of the product. The Company Appointed TEMPEST Authority (CATA) shall be responsible to ensure that the CFL has been reviewed and approved by the engineer primarily responsible for the design and development of the product and the CTP II responsible for developing the Test Plan. The CFL shall provide the drawing or process number with the revision level of each critical feature, and the assembly on which it is found.

3.2 Configuration Baseline List. (Refer to ADRL B002) The Company shall establish a Configuration baseline. The configuration baseline list is to be maintained current to provide configuration control. The Company shall submit to the Agency, a list of all production release engineering drawings, parts list, and manufacturing processes for all piece parts and assemblies. This document list shall be maintained current for the whole product and submitted within two months of every engineering change approval that changes the revision level of a critical feature document. In no case shall the time between submittals of this list exceed one year.

3.3 Product Configuration Change Procedure. The Company shall ensure that no changes are made to the product which could degrade the TEMPEST integrity of the product. The CFL shall constitute a basis upon which all engineering changes, waivers, and deviations are measured to determine whether the changes could affect the TEMPEST integrity of the product. The CATA shall ensure that all engineering changes, waivers, and deviations receive a TEMPEST assessment by a CTP II, the engineer primarily responsible for the TEMPEST design of the product, and the individuals primarily responsible for Product Assurance and Configuration Management for the product.

3.4 Product Assurance. (Refer to the manufacturers Process Assurance Report) The key elements of a successful product assurance system include early planning, implementation of adequate controls to ensure product quality and reliability, close coordination among key organizational elements, continued maintenance of equipment, and closed-loop corrective action efforts. An integral part of this program is an effective and efficient quality assurance system addressing all phases of production beginning with procurement initiatives and continuing through delivery of the product.

3.5 Agency Scheduled Audits. Aperiodically, but no more frequently than once a year, the Agency may use its current Configuration Baseline List to perform an audit at the Company's facility. This is done to ensure that no unauthorized changes have been made to the endorsed manufacturing process or the endorsed product configuration that could affect the TEMPEST integrity, and to verify the continuing accuracy and completeness of the Process Assessment as well as completeness of the technical drawings and lists. The Agency shall afford the Company two weeks advance notice of each audit.

3.6 Unannounced TEMPEST Endorsement Program (TEP) Audits. The Agency may, no more frequently than twice a year, conduct a TEP audit for the purpose of assessing the Company's compliance with the requirements of the MOA and this TSRD. The Agency shall afford the Company 24 hours advance notice of these audits. The Company shall make available the necessary resources and documentation to facilitate the Agency's audit.

APPENDIX B - REQUIRED ELECTROMAGNETIC ATTENUATION

[1 page.]

PROGRAM NR. ___________________

MEMORANDUM OF AGREEMENT

BETWEEN

THE NATIONAL SECURITY AGENCY
INFORMATION SECURITY ORGANIZATION

AND

(COMPANY NAME)
(COMPANY DIVISION)
(COMPANY ADDRESS)

CONCERNING

PROVISION OF TEMPEST TEST SERVICES

EFFECTIVE DATE: ___________________

[7 PAGES.]

MEMORANDUM OF AGREEMENT

BETWEEN

THE NATIONAL SECURITY AGENCY
INFORMATION SECURITY ORGANIZATION

AND

(COMPANY NAME)
(COMPANY DIVISION)
(COMPANY ADDRESS)

CONCERNING

PROVISION OF TEMPEST TEST SERVICES

This Memorandum of Agreement (MOA) between the National Security Agency, Information Security Organization (the Agency) and Company Name (the Company) is entered into for the purpose of describing the responsibilities and obligations of the parties with respect to the Agency's endorsement of the Company's TEMPEST test services facility under the auspices of the Agency's Endorsed TEMPEST Test Services Program. The Agency has established the Endorsed TEMPEST Test Services Program to endorse TEMPEST test services facilities which may be used in the development and production of TEMPEST products. The Company wishes to have its TEMPEST test services facility evaluated and endorsed by the Agency under this Program.

Therefore, in consideration of the foregoing, the parties agree:

1. The Company shall:

a. On a voluntary basis, at its own risk and expense, and as a condition for receiving TEMPEST and TEMPEST related information, enter the Program to market, sell, and provide TEMPEST test services to U.S. Government departments and agencies, U.S. Government contractors, U.S. TEMPEST product manufacturers, and certain other eligible purchasers.
b. Demonstrate to the Agency, as a condition of initial and continued endorsement, and in accordance with the schedule set forth in the Service Management Plan (SMP) and the procedures set forth in the Technical and Security Requirements Document (TSRD), that the Company's test 1 services facility satisfies the technical, security, personnel, and equipment requirements delineated in the TSRD.
c. Abide by all the terms and conditions of the following documents which form a part of the MOA:
(1) DoD 5220.22M, "Industrial Security Manual for Safeguarding Classified Information," dated September 1987, and all amendments thereto;
(2) DoD 5220.22-S-1, "COMSEC Supplement of Industrial Security Manual for Safeguarding Classified Information," dated March 1988, and all amendments thereto. For purposes of classification and control, all TEMPEST information is considered to be COMSEC information;
(3) DD Form 254, "Contract Security Classification Specification," dated ____________, and all subsequent revisions thereto. The parties understand and agree that Agency provision of classified material not listed in this DD Form 254, as well as Company return of classified materials, are administrative actions which neither affect the terms and conditions nor are to be construed as modifications of either this MOA or the DD Form 254;
(4) Technical and Security Requirements Document, TSRD Nr. ____________, dated ____________ and all revisions thereto:
(5) Service Management Plan, Pgr.Nr. ____________ dated ____________, and all revisions thereto.

d. Not disclose any classified information provided by or at the direction of the Agency or generated by the Company in furtherance of the Company's provision of TEMPEST test services unless:
(1) the individual to receive information has all required clearances and has a need to know the information in order to perform functions related to this MOA; and
(2) the individual to receive information, unless a Company employee, is specifically authorized by an Agency representative in writing, in advance of disclosure, to receive such information.

e. Not disclose outside the Company unclassified technical information provided by or at the direction of the Agency or generated by the Company in furtherance of the Company's provision of TEMPEST test services without the prior written approval of the Agency, unless the information has already been approved by the Agency in writing for release in accordance with this paragraph or paragraph 2.g. of this MOA.
f. Clearly identify and properly mark all Company trade secrets or confidential commercial information provided to the Agency on a privileged or confidential basis so that such Company information can be protected to the full extent authorized by law.
g. Designate a company TEMPEST focal point, hereinafter to be referred to as the Company Appointed TEMPEST Authority (CATA), to coordinate Company efforts to comply with the requirements of this MOA and to act as the company point of contact on all matters pertaining to the terms of this MOA.
h. Authorize the Agency's designated representative, upon Agency request, and at reasonable intervals, access to Company facilities and records, for insPection against the standards set forth in the TSRD.
i. Provide to the Agency for approval any Company prepared, Product-related brochures, advertisements, marketing materials, press releases, articles for publication, or speeches containing TEMPEST information, at least thirty (30) working days prior to proposed distribution or release for publication. The materials are reviewed in accordance with Agency regulations governing the dissemination of COMSEC and COMSEC related information to ensure the submitted materials do not contain classified information or other information the Agency is authorized by statute to protect. No material shall be distributed or released for publication without the prior written approval from the Agency. The thirty (30) working days shall begin upon receipt of the material by the Agency pursuant to this Paragraph .
j. Not institute against the U.S. Government any suit or action at law or otherwise, nor in any way aid in the institution or prosecution of any claim, demand, action, or cause of action for damages, costs, loss of service, expenses or compensation for or on account of the performance under this MOA or in any way incident to the provision of TEMPEST test services. Further, the Company shall hold harmless and indemnify the U.S. Government in any and all capacities for any loss occasioned by the performance under this MOA.

2. The Agency shall:

a. Provide or authorize other sources to provide on a strict need to know basis, TEMPEST and TEMPEST related information required in performance of this MOA.
b. Evaluate, and if appropriate, endorse the Company's TEMPEST test services facility, if the Agency finds from a review of the supporting data and site visit(s), that the Company's facility satisfies all the technical, security, personnel, and equipment requirements specified in the TSRD. No endorsement shall be effective until written notification of the endorsement has been received by the Company. It is understood and agreed that the Agency's endorsement of the Company's facility is a statement of the Agency's findings that the facility satisfies the requirements set forth in the TSRD.
c. Upon endorsement, authorize the Company to market, sell, and provide its NSA endorsed TEMPEST test services to U.S. Government departments and agencies, U.S. Government contractors, and eligible U.S. TEMPEST product manufacturers
d. Upon endorsement, authorize the Company to market, sell, and provide its NSA endorsed TEMPEST test services to NATO, NATO member governments, and the governments of Australia and New Zealand, in accordance with export control laws, the requirements delineated in the TSRD and procedures:
1) For purposes of this MOA, the term "market" shall be construed to mean "advertise." The Company shall obtain written approval from the Agency prior to initiation of marketing efforts with any foreign government or international organization.
2) Each classified visit to a foreign government by the Company to market or sell TEMPEST test services shall be approved in advance by the Agency. To ensure the Agency can fully evaluate proposed visits, the Company shall provide, in writing, to the Director, National Security Agency, Attn: INFOSEC International Relations, Ft. George G. Meade, Md. 20755-6000, the names of the foreign government organization(s) to be visited, the names and titles of the representatives of that government which will be present, the names of visitors to be present for the Company, the dates and reasons for the visit, topics and classification level of discussion(s), a copy of the export license application submitted to the Department of State, and 4 clearance information for each visitor (e.g. clearance level, date clearance granted, citizenship, Social Security number, date of birth, etc.). On initial visits to a foreign government, this information shall be provided to the Agency no less than three weeks prior to the proposed visit. For subsequent proposed visits to the same organization, the Company shall provide the aforestated information in writing at least 24 hours before the proposed visit.
3) Company provision of TEMPEST test services for NATO or foreign governments must be accomplished within the United States unless otherwise approved by the Agency in writing.

e. Include the Company's facility, once endorsed, in the Endorsed TEMPEST Test Services List of the Information Systems Security Products and Services Catalogue.
f. Hold in strict confidence and only use properly marked Company proprietary information and data submitted under this MOA as necessary to perform responsibilities and obligations under this MOA. If required, the Agency will actively solicit the Company's assistance in establishing supportable bases for protecting Company records in response to Freedom of Information Act requests.
g. Review and approve the dissemination of Company-prepared brochures, advertisements, press releases, written publications, speeches or other material which contain TEMPEST information so long as the submitted materials do not contain classified information or other information the Agency is authorized by statute to protect. Such brochures, advertisements, and other publications shall be submitted for review to the Point of Contact for the TEMPEST Endorsement Program (TEP) as noted on the cover letter to the program procedures package.
[h. not used.]
i. Inspect the Company's TEMPEST test services facility and records as necessary to ensure continued compliance with the requirements set forth in the TSRD.

3. It is understood and agreed that execution of this MOA by the Agency shall not be construed as an endorsement of the Company's facility, or a commitment to the Company for the procurement of TEMPEST test services, nor shall it preclude the U.S. Government from seeking full and open competition to meet its future requirements for such equipment .

4. It is understood and agreed that the Company shall not assign or otherwise transfer any rights or obligations incident to the performance of this MOA without the prior written approval of the Agency.

5. It is mutually understood and agreed that no promise of payment is made herein and that this MOA constitutes the total obligation of the parties. No other promises, either express or implied, are made or are to be imputed between them. Changes to this MOA will not be effective unless reduced to writing and signed by both parties.

6. This MOA may be terminated by the Company for any reason upon written notice to the Agency. Such termination shall be effective immediately upon Agency receipt of the Company's termination notice, unless otherwise mutually agreed by the parties. Company termination of the MOA subsequent to endorsement will result in automatic revocation of the Agency's endorsement.

7. The Agency may terminate this MOA prior to endorsement if it finds in accordance with Part II of the Endorsed TEMPEST Test Services Program Procedures, that the Company has failed to maintain its eligibility to participate in the Endorsed TEMPEST Test Services Program or to reasonably satisfy the schedule set forth in the SMP. After Agency endorsement of the Company's facility, the Agency may terminate this MOA and the facility endorsement, if it finds in accordance with Part III of the Endorsed TEMPEST Test Services Procedures that the Company has failed to maintain its eligibility to participate in the Endorsed TEMPEST Test Services Program or continue to satisfy the requirements of the TSRD. The Endorsed TEMPEST Test Services Program Procedures are hereby incorporated into this MOA by reference

8. It is understood and agreed that upon termination of the MOA for any reason, each party shall return to the other all information, materials, parts, components, assemblies, and equipment which were provided pursuant to the performance of this MOA.

9. This MOA shall be reviewed by both parties 2 years after its effective date.

This MOA will become effective as of the date of the latest signature.

COMPANY NAME

BY: _______________________________
TITLE: ____________________________
DATE: ____________________________
NATIONAL SECURITY AGENCY,
INFORMATION SYSTEMS SECURITY
ORGANIZATION
BY: _______________________________
TITLE: ____________________________
DATE: ____________________________

[1 page.]

NSA

TEMPEST ENDORSEMENT PROGRAM

OBJECTIVE STANDARDS

[3 pages.]

PREFACE

The objective standards represent the compilation of NSA experience in observing the characteristics possessed by companies engaged in TEMPEST test and product configuration services. It is intended to serve as a guide for companies and should be used to assess the adequacy of existing practices and procedures.

These standards are divided into sections which provide objective implementation guidance and considerations that can be helpful in understanding and achieving the stated objective. Alternative approaches which adequately address the objectives are welcome and may be submitted for consideration.

I. Management

Objective: To provide as much detailed documentation as necessary to establish the company's management structure, authority, responsibility, capability, and suitability for the program.

Guidance: The key features that characterize successful management is that no single contractor's organization, function, or person is responsible for the fulfillment of the requirements.

Considerations:

1. Company name and address.
2. Corporate Quality statement.
3. Organizational authority/responsibilities.
4. Products and services offered.
5. Expertise and clearance levels of key personnel.

II. TEMPEST Documentation

Objective: To provide guidance for generating TEMPEST documentation processes and to ensure the correct application of established standards.

Guidance: The establishment of acceptable TEMPEST documentation processes will require a good working knowledge of the applicable TSRD requirements and a demonstrated expertise in applying the national TEMPEST Standard.

Considerations:

1. Use of internal TEMPEST services required for product endorsement.
2. Steps to be used for compliance with NSA TSRD No. 88-8B, paragraph 2.1 TEMPEST Test Plan and with NSTISSAM TEMPEST/1-92, Paragraph 6.2. Test Plan Requirements/Contents.
[3. not used.]
4. Product availability to the CTP II and the estimated amount of time to be allotted for study.
5. Review of the Test Plan by a currently certified CTP II or agency approval upon company request.
6. Steps to be used for compliance with NSA TSRD No. 88-8B, paragraph 2.3 TEMPEST Test Report and with NSTISSAM TEMPEST/1-92, Paragraph 6.8 Abbreviated Documentation and Certification Requirements.
7. Steps to be used for compliance with NSA TSRD No. 88-8B, paragraph 3.1 Product Configuration Services.
8. How the Company plans to meet the specific requirements indicated in items a through k of paragraph 6.8.1 and the data requirement in paragraph 6.8.2 of NSTISSAM TEMPEST/1-92.
9. Review of the Test Report by a currently certified CTP II or agency approval upon company request.
Note: The document reviewer must not be the author or preparer of the Test Plan or the Test Report being reviewed. The process must include steps for implementing corrective actions to document discrepancies required by the CTP II before acceptance. Each document must include a certifying statement to be signed by the CTP II reviewer.

[1 page.]

NATIONAL SECURITY AGENCY

TEMPEST Endorsement Program

Process Assessment

[3 pages.]

PREFACE

As part of the process whereby a decision is made whether to enter into a formal relationship with a company for the purpose of providing TEMPEST test and product configuration services, the National Security Agency (NSA) must establish the existence of capabilities and qualifications within the company which should be present for the successful completion of these services.

This "Process Assessment" (PA) is designed to provide preliminary information as a prelude to a visit by an NSA survey team to your company's facility. The PA questions should be answered as completely as possible using the attached Objective Standards as a guide. Please include a reason if you determine a question is not applicable to your company and/or proposed services.

NOTE: At the company's option, video tapes and/or pictures may be submitted with the PA to additionally clarify their responses and facilitate the review process. The company is cautioned however, that should they elect to provide these items, the tapes/photos will not be used in lieu of a site survey or returned to the company.

I. MANAGEMENT

1. Describe your organizational structure, authority, responsibilities, capability, and suitability for the program.
2. Provide company name and address, principal point of contact, a technical point of contact, marketing point of contact, and alternates. For each include name and title, business address, business telephone, citizenship, security clearance (if applicable), social security number, and date/place of birth.
3. Describe the expertise and clearance levels of the key personnel to be involved with the proposed TEMPEST test and product configuration services, with emphasis on previous TEMPEST experience.
4. Describe the services offered (this could be supplemented with a company capabilities brochure).

II. TEMPEST DOCUMENTATION PROCESSES

1. Describe your process for Endorsed TEMPEST Test Services.
2. Describe your process for generating TEMPEST Test Plans.
3. Describe your process for TEMPEST testing the original Test Sample (first production sample) and subsequent Product Assurance testing.
4. Describe your process for documenting deviations to the Test Plan found necessary during testing.
5. Describe your process for generating TEMPEST Test Reports.
6. Describe your process for document reviews/certifications by the CTP II. who is not an author of the document.
7. Describe your process for updating Test Plans/Reports to cover Engineering Change Orders/Numbers (ECOs/ECNs).
8. Describe your process for updating NSA's copy of Test Plans/Reports to cover revisions made after original submissions.

[End ETTSP package.]

Transcription and HTML by Cryptome.