Committee on National Security Systems Policy No. 200—still commonly cited under its legacy title “NSTISSP No. 200”—is the authoritative national policy entitled “Controlled Access Protection (CAP).” It establishes minimum CAP requirements for telecommunications and automated information systems that handle national-security information. None of the other numbered policies or directives addresses CAP; they pertain to unrelated areas such as crypto-module use, TEMPEST, or information sharing.

A. NSTISSP No. 101 governs the use of Commercial‐off‐the‐Shelf (COTS) cryptographic modules in national-security systems, not CAP requirements.

C. NCSC No. 5 is an NSA technical guideline, not a CNSS policy, and does not set national policy on controlled access protection.

D. CNSSP No. 14 establishes requirements for the release/transfer of national-security information among nations, unrelated to CAP controls.

1. Committee on National Security Systems. “NSTISSP No. 200: National Policy on Controlled Access Protection

” 29 May 2000

pp. 1-2

§§1-2.

2. Committee on National Security Systems. CNSS Instruction 1253

“Security Categorization and Control Selection

” Mar 2012

p. A-4 (lists CAP linkage to Policy 200).

3. University of Maryland Global Campus (UMGC) INFA 620 Course Notes

Week 6: U.S. National IA Policy Framework

slide 12 (summarizes NSTISSP 200 as CAP policy).

4. MIT OpenCourseWare 6.858 “Computer Systems Security

” Lecture 6 Notes

reference table of CNSS/NSTISSP policies (identifies #200 as Controlled Access Protection).