Traditional Security

V1R2 2013-07-11       U_traditional_security_v1r2_checklist-xccdf.xml
Previously the Traditional Security Checklist, consisted of five (5) component sub-checklists that were selected for use based upon the type of review being conducted. The new Traditional Security Checklist consolidates all checks into one document and is more granular both in the increased number of checks (151 total versus 96 total in the old checklists) and the details about how to conduct them. It provides a more complete and current list of references, the relationship and authority for checks relative to protection of Defense Information System Network (DISN) assets, and will enhance reviewer consistency with application of potential findings. While the number of potential findings have increased and are more focused to a specific check there is additional granularity within each check. In many of the primary checks there are additional considerations and "sub-checks". As the new checklist is further developed it may be that some of these sub-checks will become additional stand-alone primary checks. The format and content flow of the new checklist is like other Security Technical Implementation Guide (STIG) checklists derived from the Vulnerability Management System (VMS) database, which is used by DISA FSO, the Combatant Commands, Services, and Agencies (CC/S/A) and other Federal Agencies with access to the Defense Information Systems Network (DISN) to document and follow-up findings noted during Command Cyber Readiness Inspections (CCRIs). Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]
Vuln Rule Version CCI Severity Title Description
SV-40855r2_rule CS-01.01.01 HIGH COMSEC Account Management - Equipment and Key Storage Improper handling and storage of COMSEC material can result in the loss or compromise of classified cryptologic devices or classified key or unclassified COMSEC Controlled Items (CCI).Information Assurance OfficerInformation Assurance ManagerSecurity ManagerNetwork Security OfficerOtherECCM-1, PESS-1
SV-40925r2_rule CS-01.03.01 LOW COMSEC Account Management - Appointment of Responsible Person Lack of formal designation of an individual to be responsible for COMSEC items could result in mismanagement, loss or even compromise of COMSEC materials. Additionally, lack of formal vetting for a specific individual to be appointed for management of COMSEC material could result in a person (such as a non-US Citizen) having unauthorized access. ECCM-1
SV-40970r2_rule CS-01.03.02 LOW COMSEC Account Management - Program Management and Standards Compliance Recipients of NSA or Service COMSEC accounts are responsible to properly maintain the accounts. Procedures covering security, transport, handling, etc. of COMSEC must be developed to supplement regulatory guidelines. NSA or sponsoring Services of the COMSEC accounts maintain oversight by conducting required inspections. If COMSEC accounts are not properly maintained and findings are noted during an inspection they must be addressed properly and promptly. Should this not be done, the integrity of COMSEC items may be adversely impacted resulting in the loss or compromise of COMSEC equipment or key material. ECCM-1
SV-40973r2_rule CS-02.02.01 MEDIUM COMSEC Training - COMSEC Custodian or Hand Receipt Holder Lack of appropriate training for managers of COMSEC accounts could result in the mismanagement of COMSEC records, inadequate physical protection and ultimately lead to the loss or compromise of COMSEC keying material. ECCM-1
SV-40975r2_rule CS-02.02.02 MEDIUM COMSEC Training - COMSEC User Failure to properly brief COMSEC users could result in the loss of cryptologic devices or key, or the compromise of classified information.ECCM-1
SV-40976r3_rule CS-03.01.01 HIGH Classified Transmission - Electronic Means using Cryptographic System Authorized by the Director, NSA Failure to properly encrypt classified data in transit can lead to the loss or compromise of classified or sensitive information.DCSR-3, ECCT-2
SV-40980r3_rule CS-04.01.01 HIGH Protected Distribution System (PDS) Construction - Point of Presence (PoP) and Terminal Equipment Protection. This requirement concerns security of both the starting and ending points for PDS within proper physically protected and access controlled environments. A PDS that is not constructed and physically protected as required could result in the covert or undetected interception of classified information.Security ManagerInformation Assurance ManagerDCSR-3, ECCT-2, PESS-1
SV-40982r3_rule CS-04.02.01 MEDIUM Protected Distribution System (PDS) Construction - Visible for Inspection A PDS that is not inspected and monitored as required could result in undetected access, sabotage or tampering of the unencrypted transmission lines. This could directly lead to the loss or compromise of classified.Category II Severity Level is the default. This requirement is not a finding if there is a properly alarmed carrier being used for the SIPRNet cable run. An alarmed carrier does not need to be completely visible for inspection; however, a properly alarmed carrier does include the requirement to conduct periodic tests of the alarm functionality. Therefore, portions of the alarmed PDS, while not necessarily visible, must still be accessible for alarm testing.Information Assurance ManagerSecurity ManagerDCSR-3, ECCT-2, PESS-1
SV-40984r3_rule CS-04.01.02 HIGH Protected Distribution System (PDS) Construction - Hardened Carrier A PDS that is not constructed and configured as required could result in the undetected interception of classified information.There are three types of PDS classified as Hardened Distribution Systems: 1. Hardened Carrier (STIG ID: CS-04.01.02) 2. Alarmed Carrier (STIG ID: CS-04.01.08) and 3. Continuously viewed Carrier. (STIG ID: CS-04.01.06) This requirement (Hardened Carrier, STIG ID CS-04.01.02) if used as the hardened carrier, makes the other types of Hardened Distribution Systems (STIG ID: CS-04.01.06 and STIG ID: CS-04.01.08) NA.Security ManagerInformation Assurance ManagerDCSR-3, ECCT-2, PESS-1
SV-40991r3_rule CS-04.02.02 MEDIUM Protected Distribution System (PDS) Construction - Sealed Joints A PDS that is not constructed and sealed as required could result in the undetected interception of classified information. Sealing of joints is necessary to ensure that daily visual inspections of the PDS for signs of attempted or actual intrusion can be accurately and thoroughly conducted. Security ManagerInformation Assurance ManagerDCSR-3, ECCT-2, PESS-1
SV-41000r2_rule CS-04.01.03 HIGH Protected Distribution System (PDS) Construction - Accessible Pull Box Security A PDS that is not constructed and configured as required could result in the undetected interception of classified information.Security ManagerInformation Assurance ManagerDCSR-3, ECCT-2, PESS-1
SV-41011r3_rule CS-04.01.04 HIGH Protected Distribution System (PDS) Construction - Buried PDS Carrier A PDS that is not constructed, configured and physically secured as required could result in the undetected interception of classified information.The default severity level is Category I based upon the following finding: 1. Manholes containing buried PDS are not secured with a SG 8077 changeable combination padlock or a standard locking manhole cover and approved micro-switch alarm. (CAT I) The severity level may be lowered to Category II if the above CAT I check is compliant and one or both of the following checks results in a finding: 2. Manholes containing buried PDS are not a minimum of 1 meter below the surface and on property owned or leased by the U.S. Government or the contractor having control of the PDS. (CAT II) 3. The buried PDS carrier in an installation outside the U.S. in a MEDIUM threat location, is not encased in approximately 20 cm (8 inches) of concrete or a concrete and steel container (of sufficient size to preclude surreptitious penetration in a period less than two hours as confirmed by laboratory tests). (CAT II) Security ManagerInformation Assurance ManagerDCSR-3, ECCT-2, PESS-1
SV-41012r2_rule CS-04.01.05 HIGH Protected Distribution System (PDS) Construction - External Suspended PDS A PDS that is not constructed and configured as required could result in the undetected interception of classified information.Security ManagerInformation Assurance ManagerDCSR-3, ECCT-2, PESS-1
SV-41013r2_rule CS-04.01.06 HIGH Protected Distribution System (PDS) Construction - Continuously Viewed Carrier A PDS that is not constructed and configured as required could result in the undetected interception of classified information. A continuously viewed PDS may not be in a physically hardened carrier and the primary means of protection is continuous observation and control of the unencrypted transmission line. If not maintained under continuous observation an attacker (insider or external) could have an opportunity to tap and intercept unencrypted communications on the exposed cable.The default severity level is a Category I based on a transmission line not under continuous observation, 24 hours per day, including when operational. (CAT I) If it is determined that the unencrypted SIPRNet transmission cable is under proper continuous observation and control 24 hours per day, including when operational and the following is found to be the only discrepancy, the finding may be reduced to a Category III severity level: It is not separated from all non-continuously viewed circuits ensuring an open field of view. (CAT III)There are three types of PDS classified as Hardened Distribution Systems: 1. Hardened Carrier (STIG ID: CS-04.01.02) 2. Alarmed Carrier (STIG ID: CS-04.01.08) and 3. Continuously viewed Carrier. (STIG ID: CS-04.01.06) This requirement Continuously viewed Carrier. (STIG ID: CS-04.01.06), if used as the hardened carrier, makes the other types of Hardened Distribution Systems (STIG ID: CS-04.01.02 and STIG ID: CS-04.01.08) NA.Security ManagerInformation Assurance ManagerDCSR-3, ECCT-2, PESS-1
SV-41015r2_rule CS-04.01.07 HIGH Protected Distribution System (PDS) Construction - Tactical Environment Application A PDS that is not constructed and configured as required could result in the undetected interception of classified information. Within mobile tactical situations a hardened carrier is not possible and therefore the unencrypted SIPRNet cable must be maintained within the confines of the tactical encampment with the cable under continuous observation and control to prevent exploitation by enemy forces. In theaters of operation where fixed facilities are well established, standard PDS applications must be employed unless a risk assessment is conducted to determine the vulnerabilities and risks associated with using unencrypted cable that is not in a hardened carrier.This requirements ONLY FOR USE IN TACTICAL ENVIRONMENTS. It is NOT APPLICABLE (NA) for all other locations.Information Assurance OfficerDesignated Approving AuthorityInformation Assurance ManagerSecurity ManagerOtherDCSR-3, ECCT-2, PESS-1
SV-41017r2_rule CS-05.03.01 LOW Protected Distribution System (PDS) Documentation - Signed Approval A PDS that is not approved could cause an Information Assurance Manager, Designated Approving Authority and other concerned managerial personnel to not be fully aware of all vulnerabilities and residual risk of IA systems under their purview.Designated Approving AuthorityInformation Assurance ManagerSecurity ManagerDCSR-3, ECCT-1, PESS-1
SV-41019r2_rule CS-05.03.02 LOW Protected Distribution System (PDS) Documentation - Request for Approval Documentation A PDS that is not approved could cause an Information Assurance Manager, Designated Accrediting Authority and other concerned managerial personnel to not be fully aware of all vulnerabilities and residual risk of IA systems under their purview.Designated Approving AuthorityInformation Assurance ManagerSecurity ManagerDCSR-3, ECCT-2, PESS-1
SV-41020r2_rule CS-06.02.01 MEDIUM Protected Distribution System (PDS) Monitoring - Daily (Visual) Checks A PDS that is not inspected, monitored and maintained as required could result in undetected access, sabotage or tampering of the unencrypted transmission lines. This could directly lead to the loss or compromise of classified.1. This finding may be lowered to a CAT III if checks are conducted and recorded but there is no roster or written appointment of who is to conduct the checks.Information Assurance ManagerSecurity ManagerOtherDCSR-3, ECCT-2, PESS-1
SV-41021r2_rule CS-06.03.01 LOW Protected Distribution System (PDS) Monitoring - Technical Inspections A PDS that is not inspected, monitored and maintained as required could result in undetected access, sabotage or tampering of the unencrypted transmission lines. This could directly lead to the loss or compromise of classified.Information Assurance ManagerSecurity ManagerOtherDCSR-3, ECCT-2, PESS-1
SV-41022r2_rule CS-06.03.02 LOW Protected Distribution System (PDS) Monitoring - Initial Inspection A PDS that is not inspected, monitored and maintained as required could result in undetected access, sabotage or tampering of the unencrypted transmission lines. This could directly lead to the loss or compromise of classified.Designated Approving AuthorityInformation Assurance ManagerSecurity ManagerOtherDCSR-3, ECCT-2, PESS-1
SV-41023r2_rule CS-06.02.02 MEDIUM Protected Distribution System (PDS) Monitoring - Reporting Incidents A PDS that is not inspected, monitored and maintained as required could result in undetected access, sabotage or tampering of the unencrypted transmission lines. This could directly lead to the loss or compromise of classified.CAT II is the default severity level when finding an incident that has not been properly reported and investigated. CAT III is the severity level if the ONLY finding is that a written procedure for reporting PDS anomalies is not available and no anomaly in the PDS has been discovered.Designated Approving AuthorityInformation Assurance ManagerSecurity ManagerOtherDCSR-3, ECCT-2, PESS-1
SV-41024r2_rule EM-01.02.01 MEDIUM TEMPEST Countermeasures Failure to implement required TEMPEST countermeasures could leave the system(s) vulnerable to a TEMPEST attack.Information Assurance ManagerSecurity ManagerECTC-1
SV-41025r2_rule EM-02.02.01 MEDIUM TEMPEST - Red/Black separation (Processors) Failure to maintain proper separation could result in detectable emanations of classified information.Information Assurance ManagerSecurity ManagerECTC-1
SV-41026r2_rule EM-03.02.01 MEDIUM TEMPEST - Red/Black Separation (Cables) Failure to maintain proper separation could result in detectable emanations of classified information.Information Assurance ManagerSecurity ManagerECTC-1
SV-41027r2_rule EC-01.02.01 MEDIUM Environmental IA Controls - Emergency Power Shut-Off (EPO) A lack of an emergency shut-off switch or a master power switch for electricity to IT equipment could cause damage to the equipment or injury to personnel during an emergency.OtherPEMS-1
SV-41028r2_rule EC-02.02.01 MEDIUM Environmental IA Controls - Emergency Lighting and Exits - Properly Installed Lack of automatic emergency lighting and exits can cause injury and/or death to employees and emergency responders. Lack of automatic emergency lighting can also cause a disruption in service.OtherPEEL-1, PEEL-2
SV-41029r2_rule EC-02.03.01 LOW Environmental IA Controls - Emergency Lighting and Exits - Documentation and Testing Lack of automatic emergency lighting can cause injury and/or death to employees and emergency responders. Lack of automatic emergency lighting can cause a disruption in service.PEEL-1, PEEL-2
SV-41031r2_rule EC-03.03.01 LOW Environmental IA Controls - Voltage Control (power) Failure to use automatic voltage control can result in damage to the IT equipment creating a service outage.PEVR-1
SV-41032r2_rule EC-04.03.01 LOW Environmental IA Controls - Training If employees have not received training on the environmental controls they will not be able to respond to a fluctuation of environmental conditions, which could damage equipment and ultimately disrupt operations.PETN-1
SV-41033r2_rule EC-05.03.01 LOW Environmental IA Controls - Temperature Lack of temperature controls can lead to fluctuations in temperature which could be potentially harmful to personnel or equipment operation.PETC-1, PETC-2
SV-41034r2_rule EC-06.03.01 LOW Environmental IA Controls - Humidity Fluctuations in humidity can be potentially harmful to personnel or equipment causing the loss of services or productivity.PEHC-1, PEHC-2
SV-41036r2_rule EC-07.03.01 LOW Environmental IA Controls - Fire Inspections/ Discrepancies Failure to conduct fire inspections and correct any discrepancies could result in hazardous situations leading to a possible fire and loss of service.PEFI-1
SV-41037r2_rule EC-08.03.01 LOW Environmental IA Controls - Fire Detection and Suppression Failure to provide adequate fire detection and suppression could result in the loss of or damage to data, equipment, facilities, or personnel.PEFD-1, PEFD-2, PEFI-1, PEFS-1, PEFS-2
SV-41039r2_rule ID-01.02.01 MEDIUM Industrial Security - DD Form 254 Failure to complete a DD Form 254 (Contract Security Classification Specification) or to specify security clearance and/or IT requirements for all contracts that require access to classified material can result in unauthorized personnel having access to classified material or mission failure if personnel are not authorized the proper access.Information Assurance ManagerSecurity ManagerPECF-1, PRAS-2, PRNK-1
SV-41040r2_rule ID-02.03.01 LOW Industrial Security - Contractor Visit Authorization Letters (VALs) Failure to require Visit Authorization Letters (VALs) for contractor visits could result in sensitive or classified materials being released to unauthorized personnel.Security ManagerECAN-1, PECF-1, PRAS-2
SV-41041r2_rule ID-03.02.01 MEDIUM Industrial Security - Contract Guard Vetting Failure to screen guards could result in employment of unsuitable personnel who are responsible for the safety and security of DOD personnel and facilities.Security ManagerPECF-1, PEPF-1
SV-41042r2_rule IA-01.03.01 LOW Information Assurance - System Security Operating Procedures (SOPs) Failure to have documented procedures in an SOP could result in a security incident due to lack of knowledge by personnel assigned to the organization.Information Assurance ManagerDCSD-1, PESP-1
SV-41043r2_rule IA-02.02.01 MEDIUM Information Assurance - COOP Plan Testing (Not in Place for MAC I II Systems or Not Considered for MAC III Systems) Failure to develop a COOP and test it periodically can result in the partial or total loss of operations and INFOSEC. A contingency plan is necessary to reduce mission impact in the event of system compromise or disaster.Information Assurance ManagerCOAS-1, COAS-2, COBR-1, CODB-1, CODB-2, CODB-3, CODP-1, CODP-2, CODP-3, COEB-1, COEB-2, COED-1, COED-2, COEF-1, COEF-2, COMS-1, COMS-2, COPS-1, COPS-2, COPS-3, COSP-1, COSP-2, COSW-1, COTR-1, DCAR-1, DCHW-1
SV-41051r2_rule IA-02.03.01 LOW Information Assurance - COOP Plan Testing (Incomplete) Failure to develop a COOP and test it periodically can result in the partial or total loss of operations and INFOSEC. A contingency plan is necessary to reduce mission impact in the event of system compromise or disasterInformation Assurance ManagerCOAS-1, COAS-2, COBR-1, CODB-1, CODB-2, CODB-3, CODP-1, CODP-2, CODP-3, COEB-1, COEB-2, COED-1, COED-2, COEF-1, COEF-2, COMS-1, COMS-2, COPS-1, COPS-2, COPS-3, COSP-1, COSP-2, COSW-1, COTR-1, DCAR-1, DCHW-1
SV-41055r2_rule IA-03.02.01 MEDIUM Information Assurance - System Security Incidents (Identifying, Reporting, and Handling) Failure to recognize, investigate and report information systems security incidents could result in the loss of confidentiality, integrity, and availability of the systems and its data.Information Assurance ManagerSecurity ManagerVIIR-1, VIIR-2
SV-41058r2_rule IA-05.02.01 MEDIUM Information Assurance - System Access Control Records (DD Form 2875 or equivalent) If accurate records of authorized users are not maintained, then unauthorized personnel could have access to the system. Failure to have user sign an agreement may preclude disciplinary actions if user does not comply with security proceduresInformation Assurance ManagerECAN-1, ECPA-1, IAAC-1, IAIA-1, IAIA-2
SV-41060r2_rule IA-06.02.01 MEDIUM Information Assurance - System Training and Certification/ IA Personnel Improperly trained personnel can cause serious system-wide/network-wide problems that render a system/network unstable.Information Assurance ManagerPRTN-1
SV-41133r2_rule IA-06.02.02 MEDIUM Information Assurance - System Training /Users Improperly trained personnel can cause serious system-wide/network-wide problems that render a system/network unstable.Information Assurance ManagerPRTN-1
SV-41139r2_rule IA-07.02.01 MEDIUM Information Assurance - Accreditation Documentation Failure to provide the proper documentation can lead to a system connecting without all proper safeguards in place, creating a threat to the networks.Information Assurance ManagerDCSD-1
SV-41177r2_rule IA-08.02.01 MEDIUM Information Assurance - NIPRNET Connection Approval (CAP) Failure to meet security standards and have approval before connecting to the NIPRNET can result in a vulnerability to the DISN.Information Assurance ManagerDCID-1, EBCR-1
SV-41178r2_rule IA-09.02.01 MEDIUM Information Assurance - SIPRNET Connection Approval Process (CAP) Failure to provide current connection documentation to the Classified Connection Approval Office (CCAO) and allowing a system to connect and operate without a current CCAO approval can result in a vulnerability to all SIPRNet connected systems on the DISN.Information Assurance ManagerDCID-1, EBCR-1
SV-41244r2_rule IA-10.02.01 MEDIUM Information Assurance - KVM Switch not Approved by the Defense Security Accreditation Working Group (DSAWG) Failure to use approved switch boxes can result in the loss or compromise of classified information. Information Assurance ManagerDCSP-1
SV-41259r3_rule IA-10.02.02 MEDIUM Information Assurance - KVM Switch (Port Separation) on CYBEX/Avocent 4 or 8 port The back plate of some 4 or 8 port CYBEX/AVOCENT KVM devices provides a physical connection between adjacent ports. Therefore failure to provide for physical port separation between SIPRNet (classified devices) and NIPRNet (unclassified devices) when using CYBEX/AVOCENT KVM devices can result in the loss or compromise of classified information. Information Assurance ManagerDCSP-1
SV-41260r2_rule IA-10.02.03 MEDIUM Information Assurance - KVM Switch Use of Hot-Keys on SIPRNet Connected Devices Use of "Hot Keys" for switching between devices relies on use of software to separate and switch between the devices. Unless software use involves an approved Cross Domain Solution (CDS) it can result in the loss or compromise of classified information from low side devices to those devices on the high side. Only physical switching between devices can assure that information will not be exchanged. Information Assurance ManagerDCSP-1
SV-41267r2_rule IA-10.03.01 LOW Information Assurance - KVM Switch (Request for Approval ) Documentation is not Available Failure to request approval for connection of new or additional KVM devices (switch boxes) for use in switching betwee SIPRNet devices and unclassified devices (NIPRNet) from the Classified Connection Approval Office (CCAO) could result in unapproved devices being used or approved devices being used or configured in an unapproved manner; therby increasing the risk for the DISN.Information Assurance ManagerDCSP-1
SV-41269r2_rule IA-11.01.01 HIGH Information Assurance - Unauthorized Wireless Devices - Connected to the SIPRNet Finding unauthorized wireless devices connected and/or operating on the SIPRNet is a security incident and could directly result in the loss or compromise of classified or sensitive information either intentionally or accidentally. Information Assurance ManagerECWN-1
SV-41275r2_rule IA-11.02.01 MEDIUM Information Assurance - Unauthorized Wireless Devices - Portable Electronic Devices (PEDs) Used in Classified Processing Areas without Certified TEMPEST Technical Authority (CTTA) Review and Designated Accrediting Authority (DAA) Approval Allowing wireless devices in the vicinity of classified processing or discussion could directly result in the loss or compromise of classified or sensitive information either intentionally or accidentally.Information AssuranceOfficial PDA/Blackberries must be allowed to sync. Recommend they only be powered up for syncing and the classified system not be running during that time. Devices may be allowed if they are powered off while in the facility, employees are initially briefed and periodically reminded of the policy and there is strict enforcement of not using wireless devices in classified processing areas.Information Assurance OfficerInformation Assurance ManagerSecurity ManagerECWN-1
SV-41280r2_rule IA-11.03.01 LOW Information Assurance - Unauthorized Wireless Devices - No Formal Policy and/or Warning Signs Not having a wireless policy and/or warning signs at entrances could result in the unauthorized introduction of wireless devices into classified processing areas.Information Assurance OfficerInformation Assurance ManagerSecurity ManagerECWN-1
SV-41289r2_rule IA-12.01.01 HIGH Information Assurance - Network Connections - Physical Protection of Classified Network Devices such as Routers, Switches and Hubs (SIPRNet or Other Classified Networks or Systems Being Inspected) SIPRNet or other classified network connections that are not properly protected in their physical environment are highly vulnerable to unauthorized access, resulting in the probable loss or compromise of classified or sensitive information. CAT I is the default severity level for when SIPRNet network connections/equipment is found not to be properly protected in a proper safe, vault, secure room, SCIF or under continuous observation and control. CAT II severity level may be assigned when the equipment is properly housed in an area or container approved for classified storage or under continuous observation and control of a properly cleared employee; however, persons other than the Network Administrators and other (authorized) personnel have unimpeded access to the Network Connections,.Information Assurance OfficerInformation Assurance ManagerSecurity ManagerNetwork Security OfficerDCPP-1, EBCR-1, ECND-2, ECTM-2, PESS-1
SV-41344r2_rule IA-12.01.02 HIGH Information Assurance - Network Connections - Wall Jack Security on Classified Networks (SIPRNet or other Inspected Classified Network or System) Where Port Authentication Using IEEE 802.1X IS NOT Implemented Network connections that are not properly protected are highly vulnerable to unauthorized access, resulting in the loss or compromise of classified or sensitive information. Information Assurance OfficerInformation Assurance ManagerSecurity ManagerNetwork Security OfficerDCPP-1, EBCR-1, ECND-2, ECTM-2, PESS-1
SV-41372r2_rule IA-12.02.01 MEDIUM Information Assurance - Network Connections - Physical Protection of Unclassified (NIPRNet) Network Devices such as Routers, Switches and Hubs Unclassified (NIPRNet) network connections that are not properly protected in their physical environment are highly vulnerable to unauthorized access, resulting in the probable loss or compromise of sensitive information such as personally identifiable information (PII) or For Official Use Only (FOUO). Information Assurance ManagerSecurity ManagerNetwork Security OfficerDCPP-1, EBCR-1, ECND-2, ECTM-2, PESS-1
SV-41387r2_rule FN-01.03.01 LOW Foreign National System Access - Local Access Control Procedures Unauthorized access by foreign nationals to Information Systems can result in, among other things, security incidents, compromise of the system, or the introduction of a virus. Information Assurance OfficerInformation Assurance ManagerSecurity ManagerECAN-1, IAAC-1
SV-41407r2_rule FN-01.02.01 MEDIUM Foreign National System Access - Identification as FN in E-mail Address Unauthorized access by foreign nationals to Information Systems can result in, among other things, security incidents, compromise of the system, or the introduction of a virus. Information Assurance ManagerSecurity ManagerWeb AdministratorE-Mail AdministratorECAD-1, ECAN-1, IAAC-1
SV-41411r2_rule FN-02.02.01 MEDIUM Foreign National (FN) Systems Access - Local Nationals Overseas System Access - (NIPRNet User) Failure to subject foreign nationals to background checks could result in the loss or compromise of classified or sensitive information by foreign sources. Information Assurance ManagerSecurity ManagerECAN-1, IAAC-1
SV-41417r2_rule FN-02.01.01 HIGH Foreign National (FN) Systems Access - Local Nationals Overseas System Access - (SIPRNet or Other Classified System or Classified Network being Reviewed) Failure to subject foreign nationals to background checks could result in the loss or compromise of classified or sensitive information by foreign sources. Information Assurance ManagerSecurity ManagerECAN-1, IAAC-1
SV-41430r2_rule FN-02.01.02 HIGH Foreign National (FN) Systems Access - Local Nationals (LN) Overseas System Access - Vetting for Privileged Access Failure to subject foreign nationals to background checks could result in the loss or compromise of classified or sensitive information by foreign sources. Information Assurance ManagerSecurity ManagerECAN-1, IAAC-1
SV-41432r2_rule FN-02.02.02 MEDIUM Foreign National (FN) Systems Access - Delegation of Disclosure Authority Letter (DDL) Unauthorized access by foreign nationals to Information Systems can result in, among other things, security incidents, compromise of the system, or the introduction of a virus. Information Assurance ManagerSecurity ManagerECAN-1, IAAC-1
SV-41434r2_rule FN-03.01.01 HIGH Foreign National System Access - FN or Immigrant Aliens (not representing a foreign government or entity) System Access - Limited Access Authorization (LAA) Failure to verify citizenship and proper authorization for access to either sensitive or classified information could enable personnel to have access to classified or sensitive information to which they are not entitled.Information Assurance ManagerSecurity ManagerECPA-1, PRAS-1, PRAS-2, PRNK-1
SV-41436r2_rule FN-03.01.02 HIGH Foreign National (FN) System Access - FN or Immigrant Aliens (not representing a foreign government or entity) with LAA Granted Uncontrolled Access Failure to verify citizenship and proper authorization for access to either sensitive or classified information could enable personnel to have access to classified or sensitive information to which they are not entitled. Further uncontrolled/unsupervised access to physical facilities can lead directly to unauthorized access to classified or sensitive information.Information Assurance OfficerInformation Assurance ManagerSecurity ManagerECPA-1, PRAS-1, PRAS-2, PRNK-1
SV-41465r2_rule FN-04.01.01 HIGH Foreign National (FN) Physical Access Control - Areas Containing US Only Information Systems Workstations/Monitor Screens, Equipment, Media or Documents Physically co-locating REL Partners or other FN - who have limited or no access to the SIPRNet or other US Classified systems - near US personnel in a collateral classified (Secret or higher) open storage area or in a Secret or higher Controlled Access Area (CAA) that processes classified material is permissible for operational efficiency and coordination. Failure to limit and control physical access to information visible on system monitor screens, information processing equipment containing classified data, removable storage media and printed documents is especially important in mixed US/FN environments. Inadequate access and procedural controls can result in FN personnel having unauthorized access to classified materials and data, which can result in the loss or compromise of classified information, including NOFORN information. Appropriate but simple physical and procedural security measures must be put in place to ensure the FN partners do not have unauthorized access to information not approved for release to them. The primary control measure is to either keep US Only classified documents, information systems equipment and/ or associated removable storage media under continuous observation and control of a cleared US employee or place such items in an approved safe when unattended. Additionally, escorting visitors AND all FN employees/personnel into any area where there is US Only classified processing, documents, media, equipment or materials is not only a prudent security measure but an absolute requirement to prevent both intentional (insider threat) or unintentional (inadvertent) unauthorized exposure to classified materials and information. Following are applicable excerpts from CJCSI 6510.01F pertaining to control of US Only workstation spaces (in particular SCIFs and secure rooms): 7. Information and Information System Access. Access to DOD ISs is a revocable privilege and shall be granted to individuals based on need-to-know and IAW DODI 8500.2, NSTISSP No. 200, “National Policy on Controlled Access Protection” , Status of Forces Agreements for host national access, and DOD 5200.2-R, “Personnel Security System”. b. Individual foreign nationals may be granted access to specific classified U.S. networks and systems as specifically authorized under Information Sharing guidance outlined in changes to National Disclosure Policy (NDP-1). (1) Classified ISs shall be sanitized or configured to guarantee that foreign nationals have access only to classified information that has been authorized for disclosure to the foreign national’s government or coalition, and is necessary to fulfill the terms of their assignments. (2) U.S.-only classified workstations shall be under strict U.S. control at all times. 27. Foreign Access. f. Foreign National Access to U.S.-Only Workstations and Network Equipment. CC/S/As shall: (1) Maintain strict U.S. control of U.S.-only workstations and network equipment at all times. (4) Announce presence. If a foreign national is permitted access to U.S.-controlled workstation space, the individual must be announced, must wear a badge clearly identifying him or her as a foreign national, and must be escorted at all times. In addition, a warning light must be activated if available and screens must be covered or blanked. Severity Override: The default severity level is Category I and there is no mitigation allow to a lower severity level. This check is to assess physical access control measures and control and internal control procedures for classified information system equipment and removable storage media in areas in which there are US Only terminals/monitors/documents/media or other US Only system/network equipment. Even though there may also be terminals/monitors/documents/media or other system/network equipment present in the same area to which FN have been granted access, the fact the FN do not have access to the US Only equipment requires that the FN are not granted unescorted physical access to such areas. Therefore, if there are absolutely no US Only classified / sensitive work stations, monitors, documents or media in an area (with FN presence) and the FN employee or partner has been granted access to all systems in the physical environment - then this requirement is NA and should be annotated to the VMS report as Not a Finding. This requirement is also NA if there is no routine FN presence in the classified work area. RELATED VULS (STIG ID): 1. STIG ID: FN-05.02.01. This requirement is specifically focused on checking written policy/procedures and initial/recurring training concerning US employee interactions with FN employees assigned to the organization OR frequent and recurring FN visitors. Even if there are procedures and training a finding may still be written when it is clear from interviews and observation of the environment by traditional security reviewers that a lack of employee understanding of the rules and procedures are evident and are not being exercised. 2. STIG ID: IS-08.01.01. Classified Monitors/Displays (Physical Control of Classified Monitors From Unauthorized Viewing) . This requirement is specifically focused on checking physical controls in place to protect classified work stations (monitor screens) from unauthorized viewing. This requirement includes positioning and control of classified monitors and covers environments where Foreign Nationals are present and US Only work stations/monitor screens are present. 3. STIG ID: IS-08.03.01. This requirement is specifically focused on checking written policy/procedures and initial/recurring training concerning cleared employee responsibilities and actions to protect classified work stations (monitor screens) under their control from unauthorized viewing. This requirement includes positioning and control of classified monitors and covers environments containing US Only work stations/monitor screens where Foreign Nationals are present. 4. STIG ID: IS-08.01.02. This requirement concerns maintaining control of Common Access Cards (CACs), SIPRNet tokens and locking of computer work stations/monitor screens when unattended by removal of CACs, SIPRNet tokens or using Clt/Alt/Del. This requirement includes environments containing US Only work stations/monitor screens where Foreign Nationals are present. Information Assurance OfficerInformation Assurance ManagerSecurity ManagerPEDI-1, PEPF-1, PEPF-2, PESS-1, PRAS-2, PRNK-1
SV-41466r2_rule FN-04.03.01 LOW Foreign National (FN) Physical Access Control - (Identification Badges) Failure to limit access to information visible on system monitor screens in mixed US/FN environments can result in FN personnel having unauthorized access to classified information, which can result in the loss or compromise of classified information, including NOFORN information. Physically co-locating REL Partners or other FN - who have limited access to the SIPRNet or other US Classified systems - near US personnel in a collateral classified (Secret) open storage area or in a Secret Controlled Access Area (CAA) that processes classified material is permissible for operational efficiency and coordination. Appropriate but simple physical and procedural security measures must be put in place to ensure the FN partners do not have unauthorized access to information not approved for release to them. Ensuring that US employees can clearly identify FN workers is an important control measure and can be accomplished by requiring the FN employees or partners to wear picture identification badges that clearly identify their affiliated / represented Country. Wearing of Country specific military uniforms also can be used. Security ManagerPEDI-1, PEPF-2, PRAS-2, PRNK-1
SV-41496r2_rule FN-05.03.01 LOW Foreign National (FN) Administrative Controls - Contact Officer Appointment Failure to provide proper oversight of Foreign National partners or employees and limit access to classified and sensitive information can result in the loss or compromise of NOFORN information. Security ManagerECAN-1, PECF-1, PECF-2, PEVC-1, PRAS-1, PRAS-2, PRNK-1
SV-41502r2_rule FN-05.02.01 MEDIUM Foreign National (FN) Administrative Controls - Written Procedures and Employee Training Failure to limit access for Foreign Nationals to classified information can result in the loss or compromise of NOFORN information. Documented local policies and procedures concerning what information FN employees or partners have access to and what they are excluded from having, what physical access limitations and allowances are in place, how to recognize a FN (badges, uniforms, etc.), steps to take to sanitize a work area before a FN can access the area, etc. are an essential part of controlling FN access. Just as important as development of policy and procedure is the training/familiarization of both employees and assigned FNs with the rules of interaction. Security ManagerInformation Assurance OfficerInformation Assurance ManagerECAD-1, ECAN-1, PESP-1, PRAS-1, PRAS-2
SV-41506r2_rule FN-05.01.01 HIGH Foreign National (FN) Administrative Controls - Proper Investigation and Clearance for Access to Classified Systems and/or Information Assurance (IA) Positions of Trust Failure to validate that FN partners or employees have the required security clearance levels for access to classified systems and/or the proper level of background investigation for IA Positions of Trust could result in untrustworthy Foreign Nationals having access to classified or sensitive US systems. In situations where they have been assigned to IA positions of trust this consideration becomes even more critical as they could adversely impact the CIA of the systems, possibly without being easily discovered. Information Assurance OfficerInformation Assurance ManagerSecurity ManagerDCSD-1, ECAN-1, PECF-1, PECF-2, PRAS-1, PRAS-2, PRNK-1
SV-41516r2_rule FN-05.02.02 MEDIUM Foreign National (FN) Administrative Controls - Procedures for Requests to Provide Foreign Nationals System Access Unauthorized access by foreign nationals to Information Systems can result in, among other things, security incidents, compromise of the system, or the introduction of a virus. Finding is a CAT II by default. Reduce to CAT III if no local policy and procedures exist for adding foreign nationals to systems - but no inappropriate system access was found to be granted IAW DoD 8570.01-M as follows: C3.2.4.8.2. ...LNs and Foreign Nationals (FNs) must comply with background investigation requirements and cannot be assigned to IAT Level III positions. System AdministratorDatabase AdministratorInformation Assurance OfficerInformation Assurance ManagerSecurity ManagerECAN-1, IAAC-1
SV-41522r2_rule IS-01.02.01 MEDIUM Information Security (INFOSEC) - Safe/Vault/Secure Room Management Lack of adequate or Improper procedures for management of safes/vaults and secure rooms could result in the loss or compromise of classified material. Security ManagerPESS-1
SV-41529r2_rule IS-02.01.01 HIGH Information Security (INFOSEC) - Vault/Secure Room Storage Standards - Door Combination Lock Meeting Federal Specification FF-L-2740 Failure to meet Physical Security storage standards could result in the undetected loss or compromise of classified material.The default severity level is CAT I but may be reduced to a CAT II finding at DoD Industry sites ONLY if compliance with NISPOM standards are met. This allows for the use of either an approved built-in combination lock or an approved combination or key-operated padlock. Particular attention must be given to control of key operated padlocks and keys IAW the NISPOM paragraph 5-310. If proper key control is not maintained the downgrade to CAT II should not be allowed. Security ManagerPESS-1
SV-41531r2_rule IS-02.01.02 HIGH Information Security (INFOSEC) - Secure Room Storage Standards - Door Construction Failure to meet construction standards could result in the undetected loss or compromise of classified material.Category I is the default severity level for this requirement. There are four separate checks under this requirement and a deficiency found in all the checks - except for check # 1 will result in a CAT I finding. If check #1 is the ONLY deficiency found pertaining to door construction then the severity level of the finding may be reduced to CAT II. Following is the referenced CAT II requirement: The doors to the room (primary and secondary) are not substantially constructed of wood or metal . (CAT II) If any or all of the other three checks under this requirement are found to be deficient the severity level will be CAT I. Security ManagerPESS-1
SV-41535r2_rule IS-02.02.11 MEDIUM Information Security (INFOSEC) - Secure Room Storage Standards - Perimeter Construction using Proper Permanent Construction Materials for True Ceiling, Walls and Floors. Failure to meet standards for ensuring that there is structural integrity of the physical Perimeter surrounding a secure room (AKA: collateral classified open storage area) could result in a lack of structural integrity and the undetected loss or compromise of classified material. Permanent construction materials; while not impenetrable, provide physical evidence of an attempted or actual intrusion into a secure room space. Construction materials and application techniques that are not permanent in nature can potentially be removed to allow for access to secure room space and then replaced by an intruder upon egress from the area. This effectively negates the detection capability afforded by permanent construction techniques and materials. Examples of non-permanent material would be modular walls that can be removed and replaced with ease or plywood board (or other materials) applied with screws or nails that can be removed from outside the secure room space and then replaced with standard tools.Information Security For DoD Industry sites ONLY the following guidance concerning use of "modular partitions" is acceptable: If insert-type panels are used, a method shall be devised to prevent the removal of such panels without leaving visual evidence of tampering. If visual access is a factor, area barrier walls up to a height of 8 feet shall be of opaque or translucent construction.Security ManagerPESS-1
SV-41537r2_rule IS-02.01.03 HIGH Information Security (INFOSEC) - Secure Room Storage Standards Wall and Ceiling Structural Integrity (AKA: True Floor to True Ceiling Connection) Failure to meet standards for ensuring that there is structural integrity of the physical perimeter surrounding a secure room (AKA: collateral classified open storage area) IAW DoD Manual 5200.01, Volume 3, Enclosure 3 could result in the undetected loss or compromise of classified material.Security ManagerPESS-1
SV-41538r2_rule IS-02.01.04 HIGH Information Security (INFOSEC) - Vault/Secure Room Storage Standards - Openings in Perimeter Exceeding 96 Square Inches Failure to meet standards for ensuring that there is structural integrity of the physical perimeter surrounding a vault or secure room (AKA: collateral classified open storage area) IAW DoD Manual 5200.01, Volume 3, Enclosure 3 could result in the undetected loss or compromise of classified material. Security ManagerPESS-1
SV-41539r2_rule IS-02.01.05 HIGH Information Security (INFOSEC) - Secure Room Storage Standards Windows - Accessible from the Ground Hardened Against Forced Entry and Shielded from Exterior Viewing of Classified Materials Contained within the Area. Failure to meet standards for ensuring that there is structural integrity of the physical perimeter surrounding a secure room (AKA: collateral classified open storage area) IAW DoD Manual 5200.01, Volume 3 could result in the undetected loss or compromise of classified material. Security ManagerPESS-1
SV-41540r2_rule IS-02.01.06 HIGH Information Security (INFOSEC) - Vault Storage/Construction Standards Failure to meet standards IAW the DoD Manual 5200.01, Volume 3, Appendix to Enclosure 3, for ensuring that there is required structural integrity of the physical perimeter surrounding a classified storage vault could result in the undetected loss or compromise of classified material. INFOSEC-Vault Storage/Construction Standards For Indusrty sites ONLY that are not located within the bounds of a DoD installation the standards for vault construction found in the NISPOM under Section 8, paragraph 5-802. Construction Required for Vaults - may be used.Security ManagerPESS-1
SV-41541r2_rule IS-02.01.07 HIGH Information Security (INFOSEC) - Secure Room Storage Standards - Intrusion Detection System (IDS) Failure to meet standards for maintenance and validation of structural integrity of the physical perimeter surrounding a secure room (AKA: collateral classified open storage area) IAW DoD Manual 5200.01, Volume 3, could result in the undetected loss or compromise of classified material. Using a physical intrusion detection system enables immediate detection of attempted and/or actual intrusion into a secure room space. This is often the best supplemental protective measure (vice using 4-hour random checks) due to providing capability for immediate detection, and for immediate response to assess and counter the threat to the secure room space. Use of 4-hour checks may be adequate if supported by a risk assessment, but will not provide the immediate detection and response capability of a properly installed IDS. It is required that a risk assessment be conducted to determine which of these two intrusion detection methods (use of IDS OR 4-hour random checks) is appropriate for any particular location.1. The default when no IDS is used in secure rooms or classified open storage areas housing SIPRNet equipment is a CAT I finding. 2. Where IDS is being used properly BUT there is NO RISK ASSESSMENT and/or a SECURITY-IN-DEPTH DETERMINATION * IN WRITING by the C/S/A senior agency (security) official that specifically addresses the secure room or open storage space - then the severity level is a CAT II. 3. This requirement/check is NA if random checks not exceeding 4-hours are used in lieu of IDS, but only if the use of random checks is supported by a valid risk assessment and a security-in-depth determination. 4. This requirement/check for IDS (IS-02.01.07) cannot be used together with the requirement/check for 4-hour random checks (IS-02.01.10). Only one or the other is applicable to any individual secure room or collateral classified open storage area. Security ManagerPEPF-2, PESS-1
SV-41542r2_rule IS-02.01.08 HIGH Information Security (INFOSEC) - Secure Room Storage Standards - Balanced Magnetic Switch (BMS) on Perimeter Doors Failure to meet standards for ensuring that there is structural integrity of the physical perimeter surrounding a secure room (AKA: collateral classified open storage area) IAW DoD Manual 5200.01, Volume 3 could result in the undetected loss or compromise of classified material. When a physical Intrusion Detection System (IDS) is used as the supplemental protection measure (in lieu of 4-hour random checks) for secure rooms there is a requirement to place a Balanced Magnetic Switch (BMS) alarm contact on the primary ingress/egress door and any secondary/emergency exit doors. This alarm sensor is an essential part of any properly installed IDS and ensures that doors opened by force or that are left open are immediately detected. A BMS (AKA: triple biased alarm contact) is the most difficult door alarm contact to defeat and must be used in lieu of dual biased or simple alarm contacts.Default severity level is a CAT I: Secure Rooms containing SIPRNet assets that use an Intrusion Detection System (IDS) do not have all doors (primary and secondary) monitored with an alarm contact. Reduction to CAT II: Secure Rooms containing SIPRNet assets using an IDS have all doors monitored with alarm contacts; however, the alarm contacts are not Balanced Magnetic Switches (BMS) meeting UL Standard 634. This particular requirement for BMS (IS-02.01.08) can only be used when the IDS requirement (IS-02.01.07) is the supplemental control selected for secure rooms. It is not applicable (NA) if the requirement for 4-hour random checks (IS-02.01.10) is used in lieu of IS-02.01.07. Security ManagerPEPF-2, PESS-1
SV-41543r2_rule IS-02.01.09 HIGH Information Security (INFOSEC) - Secure Room Storage Standards - Interior Motion Detection Failure to meet standards for ensuring that there is structural integrity of the physical perimeter surrounding a secure room (AKA: collateral classified open storage area) IAW DoD Manual 5200.01, Volume 3 could result in the undetected loss or compromise of classified material. Motion detection located interior to secure rooms provides the most complete/overarching coverage of any Intrusion Detection System (IDS) alarm sensor. While most sensors like BMS alarm contacts, glass break detectors, etc. are only able to detect potential intrusion at specific locations, use of motion detection provides a capability to protect large areas with "blanket coverage" generally using fewer sensors. This capability need not cover the entire secure room space (although that would be best) but can be used effectively by placement directly over the protected assets or in hallways or other restricted passage ways leading to classified/sensitive assets. Consolidating classified information system assets in specific spaces within secure rooms enables a more efficient use of motion detectors and ensures the most critical assets are properly protected. The default severity level for a finding is CAT I for either no motion detection or lack of adequate interior motion detection (defined as when classified SIPRNet assets are not directly covered by motion detection). There is no mitigation provided for reduction to a CAT II or CAT III severity level. This particular requirement/check for motion detection (IS-02.01.09) can only be used when the IDS requirement (IS-02.01.07) is the supplemental control selected for secure rooms or collateral classified open storage areas areas containing classified SIPRNet assets. It is not applicable (NA) if the requirement for 4-hour random checks (IS-02.01.10) is used in lieu of IS-02.01.07. Security ManagerPEPF-2, PESS-1
SV-41544r2_rule IS-02.02.01 MEDIUM Information Security (INFOSEC) - Secure Room Storage Standards - Structural Integrity Checks Failure to ensure that there is structural integrity of the physical perimeter surrounding a secure room (AKA: collateral classified open storage area) IAW DoD Manual 5200.01, Volume 3 could result in the undetected loss or compromise of classified material. The default finding is a CAT II. It may be lowered to a CAT III finding if it can be determined the perimeter checks are actually conducted as specified, but written procedures or documentation covering results of the checks are not developed or maintained. Security ManagerPEPF-2, PESP-1, PESS-1
SV-41545r2_rule IS-02.01.10 HIGH Information Security (INFOSEC) - Secure Room Storage Standards - Four (4) Hour Random Checks in Lieu of Using Intrusion Detection System (IDS) Failure to meet standards for ensuring that there is structural integrity of the physical perimeter surrounding a secure room (AKA: collateral classified open storage area) IAW DoD Manual 5200.01, Volume 3 could result in the undetected loss or compromise of classified material. Using a physical intrusion detection system enables immediate detection of attempted and/or actual intrusion into a secure room space. This is often the best supplemental protective measure (vice using 4-hour random checks) due to providing capability for immediate detection, and for immediate response to assess and counter the threat to the secure room space. Use of 4-hour checks may be adequate if supported by a risk assessment, but will not provide the immediate detection and response capability of a properly installed IDS. It is required that a risk assessment be conducted to determine which of these two intrusion detection methods (use of IDS OR 4-hour random checks) is appropriate for any particular location. If the risk assessment results in a determination that use of 4-hour random checks is the most cost efficient supplemental control (vice IDS) to protect SIPRNet assets contained in secure rooms, the manner in which the checks are conducted can greatly impact the effectiveness of the checks. Thorough physical checks conducted on a frequent basis can reduce the time between an attempted or actual intrusion and time of discovery - during random checks. The default severity level for a finding is Category I (CAT I): A site does not employ IDS for protection of secret secure rooms protecting SIPRNet assets and random guard checks not to exceed 4-hours are not *properly conducted*. A proper check of the secure room or area will consist of ensuring all doors, ground level windows capable of being opened, and openings exceeding 96 square inches are checked. Physical Checks will ensure doors, windows and openings are still locked and/or supplemental security measures (bars, grills, etc. are still intact). Checks MUST BE made on a RANDOM basis rather than just once every 4-hours to be proper and effective. A Documented Record of all checks must be made and maintained on file for 90 days for checks to be considered proper. If use of random checks is not supported by both a risk assessment and a security-in-depth determination in writing by the Agency (C/S/A) senior security official is not available - this is also a CAT I finding. If guards or employees conducting the checks do not have at least a Secret clearance this is not a proper check and is a CAT I finding. Downgrade to CAT II: If random checks are properly conducted: 1. but documented procedures are not provided for checkers to follow OR 2. a record of checks is not maintained. This requirement/check (random checks) is Not Applicable (NA) if IDS is used as the supplemental control. This requirement, 4-hour random checks (IS-02.01.10) cannot be used together with the requirement/check for IDS (IS-02.01.07). Only one or the other is applicable to any individual secure room or collateral classified open storage area. Security ManagerPESS-1
SV-41547r2_rule IS-02.02.02 MEDIUM Vault/Secure Room Storage Standards - IDS Performance Verification Failure to test IDS functionality on a periodic basis could result in undetected alarm sensor or other system failure. This in-turn could result in an undetected intrusion into a secure room (AKA: collateral classified open storage area) and the undetected loss or compromise of classified material. meet standards for ensuring that there is structural integrity of the physical perimeter surrounding a secure roomDefault CAT II: If IDS functionality checks are not conducted at least every 90 days using industry best practices or other DoD standards this is a CAT II finding. Downgrade to CAT III: If IDS functionality testing is conducted but there is a lack of adequate written procedures for the process or results of testing are not maintained for audit purposes this finding may be downgraded to CAT III. Not Applicable (NA) if 4-hour random checks of secure room spaces are conducted in lieu of IDS. Security ManagerPEPF-2, PESS-1
SV-41552r2_rule IS-02.01.11 HIGH Vault/Secure Room Storage Standards - IDS Transmission Line Security Failure to meet standards for ensuring integrity of the intrusion detection system signal transmission supporting a secure room (AKA: collateral classified open storage area) containing SIPRNet assets could result in the undetected loss or compromise of classified material. Security ManagerPEPF-2, PESS-1
SV-41554r2_rule IS-02.02.03 MEDIUM Vault/Secure Room Storage Standards - Masking of IDS Sensors Displayed at the Intrusion Detection System (IDS) Monitoirng Station Failure to meet standards for the display of masked alarm sensors at the IDS monitoring station could result in the location with masked or inactive sensors not being properly supervised. This could result in an undetected breach of a secure room perimeter and the undetected loss or compromise of classified material. Security ManagerPEPF-2, PESS-1
SV-41560r2_rule IS-02.02.04 MEDIUM Vault/Secure Room Storage Standards - IDS Alarm Monitoring Indicators, both audible and visual (Alarm Status) must be displayed for each sensor or alarmed zone at the monitoring station. Failure to meet standards for the display of audible and visual alarm indicators at the IDS monitoring station could result in an a sensor going into alarm state and not being immediately detected. This could result in an undetected or delayed discovery of a secure room perimeter breach and the loss or compromise of classified material. Default CAT II: Alarm activations do not provide BOTH visual and audible indicators. Security ManagerPEPF-2, PESS-1
SV-41561r2_rule IS-02.02.05 MEDIUM Vault/Secure Room Storage Standards - Intrusion Detection System (IDS) / Access Control System (ACS) Primary and Emergency Power Supply Failure to meet standards for ensuring that there is an adequate commercial and back-up power sources for IDS/ACS with uninterrupted failover to emergency power could result in a malfunctionof the physical alarm and access control system. This could result in the undetected breach of classified open storage / secure rooms or vaults containing SIPRNet assets and undetected loss or compromise of classified material. Security ManagerPEPF-2, PESS-1
SV-41562r2_rule IS-02.02.06 MEDIUM Vault/Secure Room Storage Standards - Intrusion Detection System and Access Control System (IDS/ACS) Component Tamper Protection Failure to tamper protect IDS/ACS component enclosures and access points external to protected vaults/secure rooms space could result in the undetected modification or disabling of IDS/ACS system components. This could lead to the undetected breach of secure space containing SIPRNet assets and result in the undetected loss or compromise of classified information or materials. Security ManagerPEPF-2, PESS-1
SV-41563r2_rule IS-02.01.12 HIGH Vault/Secure Room Storage Standards - IDS Access/Secure Control Units Must be Located within the Secure Room Space Failure to ensure that IDS Access and Secure Control Units used to activate and deactivate alarms (primarily motion detectors) within vaults or secure rooms protecting SIPRNet assets are not located within the confines of the vault or secure room near the primary ingress/egress door could result in the observation of the access/secure code by an unauthorized person. Further the control units would be more exposed with a greater possibility of tampering outside the more highly protected space of a secure room/collateral classified open storage area. This could result in the undetected breach of secure room space and the loss or compromise of classified information or materials. IA Controls: PESS-1 Storage & PEPF-2 (IDS) Security ManagerPEPF-2, PESS-1
SV-41564r2_rule IS-02.02.07 MEDIUM Vault/Secure Room Storage Standards - Primary IDS Monitoring Location Outside the "Monitored" Space Failure to locate the alarm monitoring station at an external location; at a safe distance from the space being monitored to not be involved in any surprise attack of the alarmed space could result in a perimeter breach and the loss or compromise of classified material with limited or no capability to immediately notify response forces. Security ManagerPEPF-2, PESS-1
SV-41565r2_rule IS-02.01.13 HIGH Information Security (IS) - Continuous Operations Facility: Access Control Monitoring Methods Failure to control door access to a Continuous Operations Facility containing classified SIPRNET assets may result in immediate and potentially undetected access to classified information, with no capability to immediately alert response forces. Ultimately this could result in the undetected loss or compromise of classified material. USE CASE EXPLANATION: A Continuous Operations Facility functions 24/7 and contains classified SIPRNet equipment and/or media that does not meet all the physical and procedural requirements of a vault or secure room (AKA: collateral classified open storage area) and the classified equipment and/or media may not be stored in an approved safe when not in use. Examples of such facilities are Emergency Operations Centers (EOC), Information System Monitoring Centers, Trouble Desk Centers, etc. All standards for Continuous Operations Facilities are found in the DoD Manual 5200.01, V3 and this STIG Requirement provides additional clarification and implementation standards for all Continuous Operations Facilities containing SIPRNet assets. Continuous Operations Facilities are not routinely closed and secured after normal business hours and reopened at the beginning of normal workdays. A Continuous Operations Facility is either continuously occupied or receives frequent access (several times during an 8 hour shift). A “facility” can be a single room or a larger contiguous area, usually (but not always) without Federal Specification FF-L-2740 combination locks on the primary access door. Continuous Operations area access must meet the requirements herein even where the surrounding area is continuously occupied. Continuous Operations minimizes or eliminates the need for certain other security measures such as door locks, IDS, etc. Where there is a Continuous Operations Facility there should be demonstrated need for continuous occupation or frequent access to the “specific” room or area containing the classified SIPRNet assets. A justification that the surrounding building or facility is continuously occupied is not acceptable. If this is observed, reviewers should consider the possibility that the stated requirement for a Continuous Operations Facility is being used to cover deficiencies with what should legitimately be established as a secure room or vault. In such cases the use of Traditional Security STIG Requirements and applicable standards for vaults and/or secure rooms may be more appropriate, resulting in findings under those Requirements. A Continuous Operations Facility containing classified materials is most appropriate when it is continuously occupied by properly cleared employees (or others with security clearance and a need-to-know) who are capable of controlling or monitoring ingress and egress from within the area. This provides the most legitimate justification for using a Continuous Operations Facility vice using a properly constructed and access controlled vault or secure room (AKA: collateral classified open storage area). Alternatively (and less desirable from a security perspective) the area may not be continuously occupied but access is required on a very frequent basis by cleared employees. The frequency of access makes opening and closing of the area impractical. So while there is not an absolute rule, if such a room or area is not routinely accessed for operational reasons several times during a standard 8-hour shift the justification for not constructing and securing it in accordance with requirements for a secure room or vault is unacceptable. Convenience and ease of access is not proper justification for a Continuous Operations Facility. Continuous Operations area door control may be accomplished multiple ways. The five main types of access control methods are listed below. One or more of the five methods may apply to any site. Each access point must comply with one or more of the methods of access control for 24 hours of each day. Any deficiency for any area access point or for a portion of the day for an access point will result in a finding under this item. All Continuous Operations Facilities access points should be checked for proper access control according to the type of access control methods implemented. Direct access control monitoring for both occupied and unoccupied Continuous Operations Facilities is conducted by: cleared employees, guards or receptionists located inside the area or directly outside the area. A properly configured Automated Entry Control System (AECS) or continuously monitored Closed Circuit Television (CCTV) are the only options for indirect monitoring of Continuous Operations Facilities. The five basic methods for controlling access to Continuous Operations Facilities are: 1. Method #1: Use of an Automated Entry Control System (AECS) Card Reader with Biometrics or Personal Identification Number (PIN) 2. Method #2: Access Continually Monitored by Occupants (Cleared Employees) of the Continuous Operations Facility - all doors NOT visible 3. Method #3: Access Monitored by Occupants (Cleared Employees) of the Continuous Operations Facility - all doors are visible 4. Method #4: Access Monitored by Employees Directly Outside the Open Storage Space - all doors MUST BE visible 5. Method #5: Access Monitored by Closed Circuit Television (CCTV) reporting to a Central Monitoring Station Staffed 24/7 by cleared Guards or Other cleared Security Professionals - all doors MUST HAVE CCTV cameras Normally only one method of access control will be applicable to a specific Continuous Operations Facility; however, there may be situations where more than one approved method is being used at a single facility. For instance an Automated Entry Control System (AECS) with card reader and PIN may be used to secure the access door while there are also employees located inside the room who can monitor and control access. In situations where multiple methods are found, reviewers should choose only one of the five to evaluate compliance and the effectiveness of access control to the Continuous Operations Facility. If one of the methods is found to be totally compliant while others in use contain deficiencies, the method that is 100% compliant should be selected for use during the review. In the example just provided, if the room is only occupied by one employee who during breaks or for other reasons must exit the room for periods of time this would cause a significant deficient condition since the room is not continuously occupied by an employee. Therefore using the AECS as the method to evaluate access control for the Continuous Operations Facility would likely be selected since it appears to be (and for this example we will assume) 100% compliant. There is also a possibility that multiple Continuous Operations Facilities could be found at a particular site location (even in the same building) that are using different methods to control access. Once again, multiple methods of access control from the list of five could be selected for the evaluation, based on the access control methods actually being used for the various 24/7Continuous Operations Facilities. Once the applicable Continuous Operations Facility access control methods that apply to each of the Continuous Operations Facilities at the site are selected, the site must comply with all of the individual checks for the selected method(s). Specific checks for requirements associated with a method of access control are found in the Check Content information field. If there is no Continuous Operations Facility at a particular site this Requirement is Not Applicable (NA) for a review. Default severity level for this requirement is a Category I (CAT I). If one or more of the following four checks are the *ONLY* findings (no CAT I checks are found to be deficient), the finding under this requirement may be downgraded to a CAT II severity level.: **Method 1/Check #4. Appendix to Enclosure 3, para 2.e(6) -- If there is no Intrusion Detection System (IDS) employed in the Continuous Operations Facility: Check to ensure that a duress device is available for occupants inside the facility, IF DETERMINED NECESSARY BY A DOCUMENTED RISK ASSESSMENT (RA). If there is no duress device and no RA to validate that there is no need for duress, it is a finding. (CAT II) **Method 4/Check #2. Appendix to Enclosure 3, para 3.a. - Check to ensure that cleared employees working outside the Continuous Operations Facility are located directly adjacent to a particular door or set of doors being monitored and are informed concerning their specific responsibilities for monitoring door security/access control. Written procedures must be available to substantiate this. (CAT II) **Method 4/Check #4. Appendix to Enclosure 3, para 2.e(6) If there is no IDS employed in the Continuous Operations Facility: Check to ensure that a duress device is available for cleared employees monitoring door access from outside the facility, IF DETERMINED NECESSARY BY A DOCUMENTED RISK ASSESSMENT (RA). If there is no duress device and no RA to validate that there is no need for duress, it is a finding. (CAT II) **Method 5/Check #2. Appendix to Enclosure 3, 3.a.(7) - Check to ensure that CCTV activity is recorded and maintained on file for a minimum of 90 days. (CAT II) Security ManagerPEPF-2, PESS-1
SV-41811r2_rule IS-02.01.14 HIGH Vault/Secure Room Storage Standards - Access Control During Working Hours Using Visual Control OR Automated ACS with PIN / Biometrics: Failure to properly monitor and control collateral classified open storage area access doors during working hours (while the FF-L-2740 combination lock is not secured) could result in an undetected perimeter breach and limited or no capability to immediately notify response forces. Ultimately this could result in the undetected loss or compromise of classified material. Entrances to secure rooms or areas (and/or vaults that are opened for access) must be under visual control at all times during duty hours to prevent entry by unauthorized personnel . This may be accomplished by several methods (e.g., employee work station, guard, continuously monitored CCTV). An automated entry control system (AECS) may be used to control admittance during working hours instead of visual control, if it meets certain criteria. Default severity level is a Category I (CAT I). The severity level may be decreased to CAT III if the following check is the ONLY finding under this Requirement: This check pertains only to situations where access is controlled by use of a swipe or proximity card (using an AECS card reader) along with a Personal Identity Number (PIN): Check to ensure there is a procedure to cover changing PINs when it is believed they have been compromised or subjected to compromise. (CAT III - if this is the only finding)Security ManagerPECF-2, PEPF-1, PEPF-2, PESS-1
SV-41831r2_rule IS-02.02.08 MEDIUM Vault/Secure Room Storage Standards - Access Control System Records Maintenance, which includes documented procedures for removal of access. Failure to document procedures for removal of access and inadequate maintenance of access records for both active and removed persons could result in unauthorized persons having unescorted access to vaults, secure rooms or collateral classified open storage areas where classified information is processed and stored. Default is a CAT II for a finding that records relecting active assignment of ID badge/card, PIN, level of access, and similar system-related records are not maintained. May be reduced to a CAT III severity level if one or both of the following checks are the only findings: Check to ensure there is a documented procedure for removal of persons from the Access Control System.(CAT III - for lack of written procedures) Check to ensure that records concerning personnel removed from the system are retained for a minimum of 90 days. (CAT III - if records are maintained for less than 90 days) Security ManagerPECF-1, PECF-2, PEPF-1, PEPF-2
SV-41832r2_rule IS-02.01.15 HIGH Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) and Intrusion Detection System (IDS) Head-End Equipment Protection: The physical location (room or area) containing AECS and IDS head-end equipment (server and/or work station/monitoring equipment) where authorization, personal identification or verification data is input, stored, or recorded and/or where system status/alarms are monitored must be physically protected. Inadequate physical protection of Intrusion Detection System or Automated Entry Control System servers, data base storage drives, or monitoring work stations could result in unauthorized access to core system devices providing protection for classified vaults, secure rooms and collaterial classified open storage areas. This could result in the loss of confidentiality, integrity or availability of system functionality or data. The impact of this would be possible undetected and unauthorized access to classified processing spaces; resulting in the loss or compromise of classified information or sensitive information such as personal data (PII) of persons issued access control cards or badges.Severity level is CAT I if either of the following three checks are found to be non-compliant: 1. Check to ensure the physical location containing the primary IDS head-end equipment (server and/or work station/monitoring equipment) is in a continuously occupied location (eg., guard monitoring station for alarms and CCTV). (CAT I) 6. A secondary or supplemental AECS server/workstation or IDS data/monitoring workstation might not be located in a 24/7 occupied work space. In instances when AECS or IDS secondary head-end equipment is not continuously attended by employees responsible for monitoring or controlling it - Check to ensure it is protected minimally within a room with a BMS alarm contact on each door, window or opening and interior motion detection sensors are installed and activated at the end of each duty day. (CAT I) 8. Check to ensure that alarms from sensors in the room protecting secondary IDS or AECS head-end equipment are monitored at the primary IDS monitoring location. (CAT I) This VUL may be downgraded to severity level CAT II if all of the CAT I checks are compliant and any or all of the following checks are found to be non-compliant: 2. Check to ensure the continuously occupied space limits unescorted access to only those employees responsible for monitoring or controlling the IDS and/or AECS. Access control system card/badge readers or cipher locks may be used to fulfill this requirement. (CAT II) 3. If not co-located with the IDS head-end equipment; check to ensure the physical location containing the primary AECS head-end equipment is in a continuously occupied location OR protected minimally within a room with a BMS alarm contact on each door, window or opening and with interior motion detection sensors that are activated at the end of each duty day. (CAT II) 4. Check to ensure that AECS system card readers with coded access cards or badges (not cipher locks or keyed locks) are used to secure the doors to rooms protecting AECS head-end equipment that are not located within a continuously occupied location. (CAT II) 5. Check to ensure that alarms from sensors in the room protecting AECS head-end equipment are monitored at the primary IDS monitoring location. (CAT II) 7. Check to ensure that AECS system card readers with coded access cards or badges (not cipher locks or keyed locks) are used to secure the doors to rooms protecting secondary IDS or AECS head-end equipment that are not located within a continuously occupied location. (CAT II) 9. If 4-hour checks are used in lieu of IDS for vaults, secure rooms or collateral classified open storage areas; then 4-hour checks of the room or area used to house the (secondary) IDS and/or (primary/secondary) AECS head-end equipment may also be used. Check to ensure the use of 4-hour checks for protection of (secondary) IDS and/or (primary/secondary) AECS head-end equipment in lieu of IDS is based on a documented risk assessment. (CAT II) 10. If used, check to ensure that random checks (not to exceed 4-hours) of the room or area used to house the IDS or ACS head-end equipment are documented and maintained on file for a minimum of 90 days. (CAT II) Security ManagerCODB-3, DCPP-1, PECF-1, PECF-2, PEPF-1, PEPF-2, PESS-1
SV-41944r2_rule IS-02.03.01 LOW Vault/Secure Room Storage Standards - Access Control System Keypad Device Protection: Keypad devices designed or installed in a manner that an unauthorized person in the immediate vicinity cannot observe the selection of input numbers. If someone were to sucessfully observe an authorized user's selection of numbers for their PIN at an entrance to a classified storage area or unclassified but sensitive computer room it could result in an unauthorized person being able touse that same PIN to gain access. Where purely electronic (cipher type) locks are used without an access card or badge this could lead to direct access by anunauthorized person. Where coded Access Control System cards and badges are used the risk is deminished significantly as the coded badge associated with the PIN would need to be lost/stolen and subsequently recovered by someone with unauthorized knowledge of the PIN for them to be able to successfully gain access to the secured area.Security ManagerPECF-1, PECF-2, PEPF-1, PEPF-2, PESS-1
SV-42194r2_rule IS-02.02.09 MEDIUM Vault/Secure Room Storage Standards - Access Control System (ACS) Transmission Line Security: ACS Transmission lines traversing an uncontrolled area (not within at least a Secret Controlled Access Area (CAA) ) shall use line supervision and be physically protected within conduit. Persons not vetted to at least the same level of classification residing on the information systems being protected by the ACS could gain access to the ACS transmission line and tamper with it to facilitate surreptitious access to the secure space. Proper line supervision and physical protection within conduit will enable detection of line tampering. Such failure to meet standards for line supervision and physical protection could result in the loss or compromise of classified material.Security ManagerECAT-2, ECCD-1
SV-42205r2_rule IS-02.02.10 MEDIUM Vault/Secure Room Storage Standards - Access Control System (ACS) Door Locks: Electric Strikes and/or Magnetic Locking devices used in access control systems shall be heavy duty, industrial grade and be configured to fail secure in the event of a total loss of power (primary and backup) . There are a variety of locking mechanisms that may be used to secure both primary and secondary doors for vaults and classified open storage areas (secure rooms). While the primary access door is to be secured with an appropriate combination lock when closed; during working hours Automated Access Control Systems (ACS) using electric strikes or magnetic locks, electrical, mechanical, or electromechanical access control devices, or standard keyed locks may be used to facilitate frequent access to the secured space by employees vetted for unescorted access. Where electrically actuated locks are used, locking mechanisms must be properly configured and controlled to ensure they fail in a secure state during partial or total loss of power (primary and backup). Failure to provide for these considerations could result in the loss or compromise of classified material.Security ManagerCOPS-1, COPS-2, COPS-3, PECF-1, PECF-2, PEPF-1, PEPF-2, PESS-1
SV-42206r2_rule IS-03.03.01 LOW Marking Classified - Local or Enclave Classified Marking Procedures must be developed to ensure employees are familiar with appropriate organization Security Classification Guides (SCG), how to obtain guidance for marking classified documents, media and equipment, and where associated forms, classified cover sheets, labels, stamps, wrapping material for classified shipment, etc. can be obtained. Failure to properly mark classified material could result in the loss or compromise of classified information. Security ManagerECML-1
SV-42207r2_rule IS-03.02.01 MEDIUM Marking Classified - Equipment, Documents or Media: In a classified operating environment, all unclassified items must be marked in addition to all classified items. Failure to properly mark classified material could result in the loss or compromise of classified information.Information Assurance ManagerSecurity ManagerECML-1
SV-42275r2_rule IS-04.03.01 LOW Classified Working Papers are properly marked, destroyed when no longer needed, or treated as a finished document after 180 days Failure to properly mark or handle classified documents can lead to the loss or compromise of classified or sensitive information. Information Assurance ManagerSecurity ManagerPESP-1, PESS-1
SV-42285r2_rule IS-05.01.01 HIGH Storage/Handling of Classified Documents, Media, Equipment - must be under continuous personal protection and control of an authorized (cleared) individual OR guarded or stored in an approved locked security container (safe), vault, secure room, collateral classified open storage area or SCIF. Failure to store classified in an approved container OR to properly protect classified when removed from storage can lead to the loss or compromise of classified or sensitive information. There are 3 individual checks and 4 sub-checks associated with this finding. The default finding severity level is Category I (CAT I) for check #1: 1. In areas containing SIPRNet assets - Check to ensure that classified documents, information system (IS) equipment and removable media that is not under the direct personal control and observation of an authorized person is guarded or stored in a locked security container (GSA approved safe), vault, secure room, collateral classified open storage area or SCIF with protection equal to or exceeding the highest classification of the material/equipment. (CAT I) If a finding under check #1 or check # 3 is not found the severity level may be reduced to CAT III for a finding under check #2 or any one of the four sub checks (2.a through 2.d.): 2. Check to ensure that site security personnel develop written procedures for response to incidents of classified materials found not in secure storage or under continuous observation and control of a cleared employee and make the procedures readily available to each employee via electronic means, such as in space on an organizational intranet, shared folders or other means available. (CAT III) Procedures for response to classified materials discovered that are not in proper storage or under proper control of a cleared person must include the following: a. Site security personnel, security reviewers/inspectors, employees or anyone making discovery of classified material not in secure storage or under continuous observation and control of a cleared employee immediately take control and properly secure the classified materials not under proper control when not in approved storage. Second they must report the discovery to their supervisory chain and/or site security officials. (CAT III) b. Site security personnel must initiate a preliminary inquiry if appropriate to determine the cause of the improperly secure material and to determine if any material was lost or compromised (security incident). (CAT III) c. Site security personnel must conduct remedial training action subsequent to incidents of classified materials found not in secure storage or under continuous observation and control of a cleared employee to remind employees of procedures and requirements to maintain positive control of classified materials removed from approved storage. (CAT III) d. Site managers/supervisors must discipline employees, as appropriate who do not comply with appropriate requirements to maintain positive control of classified material they have removed from secure storage. (CAT III) If a finding under check #1 or check # 2 is not found the severity level may be reduced to CAT II for a finding under check #3: 3. Check to ensure thats site security personnel conduct initial and annual training to indoctrinate and remind employees of procedures and requirements to maintain positive control of classified materials removed from approved storage and measures to take upon discovery of classified material not in proper storage or under proper control of a cleared person. (CAT II) Information Assurance ManagerSecurity ManagerPESS-1
SV-42286r2_rule IS-06.03.01 LOW Non-Disclosure Agreement - Standard Form 312: no person may have access to classified information unless that person has a security clearance in accordance with DoD 5200.2-R and has signed a Standard Form (SF) 312, Classified Information Non-Disclosure Agreement (NDA), and access is essential to the accomplishment of a lawful and authorized Government function (i.e., has a need to know). Failure to verify clearance, need-to-know, and execute a non-disclosure agreement before granting access to classified can result in unauthorized personnel having access to classified. Security ManagerECAN-1, PRNK-1
SV-42287r2_rule IS-07.03.01 LOW Handling of Classified Documents, Media, Equipment - Written Procedures for when classified material/equipment is removed from a security container and/or secure room. Failure to develop procedures and to train employees on protection of classified when removed from storage could lead to the loss or compromise of classified or sensitive information due to a lack of employee knowledge of requirements. Information Assurance ManagerSecurity ManagerPESP-1, PESS-1
SV-42288r2_rule IS-07.03.02 LOW Handling of Classified - Use of Cover Sheets on Documents Removed from Secure Storage Failure to protect readable classified information printed from classified systems such as SIPRNet when removed from secure storage can lead to the loss or compromise of classified or sensitive information.Information Assurance ManagerSecurity ManagerPESP-1, PESS-1
SV-42290r2_rule IS-08.01.01 HIGH Classified Monitors/Displays (Physical Control of Classified Monitors From Unauthorized Viewing) Failure to limit access to unauthorized personnel to information displayed on classified monitors/displays can result in the loss or compromise of classified information, including NOFORN information. The default finding for this requirement is a Category I severity level, but the following override guidance should be followed: There are ten individual checks and sub-checks associated with this requirement with five checks defaulting as CAT I. The other five checks, which are associated only with classified (SIPRNet) environments with a FN presence default as a CAT II finding. If just one or all of the five CAT I default checks is found to be deficient then the finding will be a CAT I severity level. If just one or all of the CAT II default checks is found to be deficient (*and none of the CAT I checks are found to be deficient) then the finding will be listed as a CAT II severity level. RELATED VULS (STIG ID): 1. STIG ID: FN-04.01.01. This requirement concerns two related concerns. First is control of physical access to areas containing US Only workstations/monitor screens, equipment, media or documents in working environments where Foreign Nationals are employed or present. Second, It also covers maintaining continuous observation and control of US Only classified information system removable storage media and documents within classified storage locations (such as SCIFs, secure rooms or vaults) where foreign nationals are present OR or placement in an approved safe. 2. STIG ID: IS-08.01.02. This requirement concerns maintaining control of Common Access Cards (CACs), SIPRNet tokens AND locking of computer work stations/monitor screens when unattended by removal of CACs, SIPRNet tokens or using Ctrl/Alt/Del. 3. STIG ID: IS-08.03.01. This requirement is specifically focused on checking written policy/procedures and initial/recurring training concerning cleared employee responsibilities and actions to protect classified work stations (monitor screens) under their control from unauthorized viewing. This requirement includes environments where US Only monitors or Foreign Nationals are present. Information Assurance OfficerInformation Assurance ManagerSecurity ManagerPECF-1, PECF-2, PEDI-1, PEPF-1, PEPF-2, PRAS-2, PRNK-1
SV-42291r2_rule IS-08.03.01 LOW Classified Monitors/Displays (Procedures for Obscuration of Classified Monitors) - protection from uncleared persons or those without a need-to-know. Failure to develop procedures and training for employees to cover responsibilities and methods for limiting the access of unauthorized personnel to classified information reflected on information system monitors and displays can result in the loss or compromise of classified information.RELATED VULS (STIG ID): 1. STIG ID: FN-04.01.01. This requirement concerns two related concerns. First is control of physical access to areas containing US Only workstations/monitor screens, equipment, media or documents in working environments where Foreign Nationals are employed or present. Second, It also covers maintaining continuous observation and control of US Only classified information system removable storage media and documents within classified storage locations (such as SCIFs, secure rooms or vaults) where foreign nationals are present OR or placement in an approved safe. 2. STIG ID: IS-08.01.01. This requirement is specifically focused on checking physical controls in place to protect classified work stations (monitor screens/displays) from unauthorized viewing. This check does cover considerations for environments with US Only monitors and Foreign National (FN) presence but is not specific to only FN work environments. It is also applicable to ALL environments where classified work stations (monitor screens/displays) are being used and there is a possibility of unauthorized viewing of the monitor screens by uncleared persons or those without a need-to-know. 3. STIG ID: IS-08.01.02. This requirement concerns maintaining control of Common Access Cards (CACs), SIPRNet tokens AND locking of computer work stations/monitor screens when unattended by removal of CACs, SIPRNet tokens or using Ctrl/Alt/Del. Information Assurance OfficerInformation Assurance ManagerSecurity ManagerPEDI-1, PEPF-1, PEPF-2, PRAS-2, PRNK-1
SV-42292r2_rule IS-08.01.02 HIGH Monitor Screens - Disable Access by CAC or Token Removal, or Lock Computer via Ctrl/Alt/Del The DoD Common Access Cards (CAC) a "smart" card, is the standard identification for active-duty military personnel, Selected Reserve, DoD civilian employees, and eligible contractor personnel. It is also the principal card used to enable physical access to buildings and controlled spaces, and it provides access to defense computer networks and systems. The card, which is the property of the U.S. Government, is required to be in the personal custody of the member at all times. System Access Tokens are also used on the SIPRNet and the cards along with a Personal identity Number (PIN) can be used to access classified information on the SIPRNet in lieu of a logon ID and password. CAC and SIPRNet tokens are very important components for providing both physical and logical access control to DISN assets and must therefore be strictly controlled. Physically co-locating REL Partners or other FN - who have limited access to the SIPRNet or other US Classified systems - near US personnel in a collateral classified (Secret or higher) open storage area or in a Secret or higher Controlled Access Area (CAA) that processes classified material is permissible for operational efficiency and coordination. Failure to limit access to information systems is especially important in mixed US/FN environments. This is particularly important on US Only classified terminals when not personally and physically attended by US personnel. The failure to properly disable information workstations and monitor screens when unattended can result in FN personnel having unauthorized access to classified information, which can result in the loss or compromise of classified information, including NOFORN information. Appropriate but simple physical and procedural security measures must be put in place to ensure that unauthorized persons to include FN partners do not have unauthorized access to information not approved for release to them. Control of CACs, SIPRNet tokens and locking of computer work stations when unattended is an important aspect of proper procedural security measure implementation. The default severity level is Category I (CAT I) based on the following requirement to lock server, work station and monitor screens connected to the DISN (SIPRNet and NIPRNet) when not physically attended: Hard Drives/Monitors/Keyboards are not disabled (locked) by CAC or Token Removal, or Lock Computer via Ctrl/Alt/Del, when not personally and physically attended by cleared US personnel. (CAT I) If the above deficiency is not discovered (monitor screens are properly locked when unattended) but a CAC or SIPRNet Token is discovered not under the personal control of the person to whom it was issued then the finding may be reduced to CAT II. Following is the applicable finding relative to a CAT II severity level: CACs and other tokens are left unattended and are not in the physical custody of the person to whom they were issued. (CAT II) RELATED VULS (STIG ID): 1. STIG ID: FN-04.01.01. This requirement concerns two related concerns. First is control of physical access to areas containing US Only workstations/monitor screens, equipment, media or documents in working environments where Foreign Nationals are employed or present. Second, It also covers maintaining continuous observation and control of US Only classified information system removable storage media and documents within classified storage locations (such as SCIFs, secure rooms or vaults) where foreign nationals are present OR or placement in an approved safe. 2. STIG ID: IS-08.01.01. Classified Monitors/Displays (Physical Control of Classified Monitors From Unauthorized Viewing) . This requirement is specifically focused on checking physical controls in place to protect classified work stations (monitor screens) from unauthorized viewing. This requirement includes positioning and control of classified monitors and covers environments where Foreign Nationals are present and US Only work stations/monitor screens are present. 3. STIG ID: IS-08.03.01. This requirement is specifically focused on checking written policy/procedures and initial/recurring training concerning cleared employee responsibilities and actions to protect classified work stations (monitor screens) under their control from unauthorized viewing. This requirement includes positioning and control of classified monitors and covers environments where Foreign Nationals are present and US Only work stations/monitor screens are present. Information Assurance OfficerInformation Assurance ManagerSecurity ManagerPECF-1, PECF-2, PEDI-1, PEPF-1, PEPF-2, PRAS-2, PRNK-1
SV-42293r2_rule IS-09.02.01 MEDIUM End-of-Day Checks - Organizations that process or store classified information must establish a system of security checks at the close of each duty and/or business day to ensure that any area where classified information is used or stored is secure. SF 701, Activity Security Checklist, shall be used to record such checks. Failure to have written guidance to provide guidance for end-of-day (EOD) checks could lead to such checks not being properly conducted. If EOD checks are not properly conducted the loss or improper storage of classified material might not be promptly discovered. This could result in a longer duration of the security deficiency before corrective action is taken and make discovery of factual information concerning what caused the security incident and assigning responsibility and remedail actions more difficult. Ultimately the failure to perform consistent EOD checks can lead to the loss or compromise of classified or sensitive information.Security ManagerPESP-1, PESS-1
SV-42294r2_rule IS-10.03.01 LOW Classified Reproduction - Document Copying Procedures: This STIG Check (AKA: Vulnerability (Vul)) concerns ONLY PROCEDURES for the reproduction (copying) of classified DOCUMENTS on Multi-Functional Devices (MDF) connected to the DISN. Lack of or improper reproduction procedures for classified material could result in the loss or compromise of classified information. Security ManagerPESP-1, PESS-1
SV-42295r2_rule IS-10.02.01 MEDIUM Classified Reproduction - Following guidance for System to Media Transfer of Data from systems connected specifically to the SIPRNet In-Accordance-With (IAW) US Cybercom CTO 10-133 . Failure to follow guidance for disabling removable media drives on devices connected to the SIPRNet or if approved by the local DAA failure to follow US CYBERCOM procedures for using removable media on SIPRNet could result in the loss or compromise of classified information. Designated Approving AuthorityInformation Assurance ManagerSecurity ManagerPESP-1, PESS-1
SV-42324r2_rule IS-10.01.01 HIGH Classified Reproduction - SIPRNet Connected Classified Multi-Functional Devices (MFD) located in Space Not Approved for Collateral Classified Open Storage. Classified Multi-Functional Devices (MFD) include copiers and contain hard drives that maintain classified data or images. Failure to locate these devices in spaces approved for classified open storage could enable uncleared persons to access classified information, either from unsanitized hard drives or from printed/copied material that is left unattended on the machine for any period of time.Default finding is Cat I. When a MFD (copier/printer/fax) connected to SIPRNet is located within a secret or higher Controlled Access Area (CAA) the finding may be reduced if the following procedures are done: May be mitigated to CAT II if it can be positively demonstrated the device hard drive is purged of all classified data or images after each use. Powering down the machine will be a necessary part of this procedure to ensure that volitile memory is also erased. Documented procedures will also need to be available to support this process. May be mitigated to a CAT III finding if the hard drive is prompty removed after each use and stored in an appropriate safe. Powering down the machine will be a necessary part of this procedure to ensure that volitile memory is also erased. Documented procedures will also need to be available to support this process. Information Assurance OfficerInformation Assurance ManagerSecurity ManagerPESP-1, PESS-1
SV-42325r2_rule IS-11.01.01 HIGH Destruction of Classified Documents Printed from the SIPRNet Using Approved Devices on NSA Evaluated Products Lists (EPL). Failure to properly destroy classified material can lead to the loss or compromise of classified or NSA sensitive information. Security ManagerPEDD-1
SV-42407r2_rule IS-11.03.01 LOW Classified Destruction - Availability of Local Policy and Procedures Failure to properly destroy classified material can lead to the loss or compromise of classified or sensitive information. Security ManagerPEDD-1
SV-42419r2_rule IS-11.02.01 MEDIUM Classified Destruction - Hard Drive and Storage Media Sanitization Devices and Plans are not Available for Automated Information System (AIS) Equipment On-Hand Failure to properly destroy classified material can lead to the loss or compromise of classified or sensitive information. Security ManagerPEDD-1
SV-42428r2_rule IS-11.01.02 HIGH Classified Destruction - Improper Disposal of Automated Information System (AIS) Hard Drives and Storage Media Failure to properly destroy classified or sensitive material can lead to the loss or compromise of classified or sensitive information. CAT I is default severity level for improper disposal/destruction of classified equipment and media. CAT II is default severity level for improper disposal/destruction of unclassified equipment and media.Security ManagerPECS-1, PECS-2, PEDD-1
SV-42449r2_rule IS-13.02.01 MEDIUM Classified Emergency Destruction Plans - Develop and Make Available Failure to develop emergency procedures can lead to the loss or compromise of classified or sensitive information. CAT II if there are not any plans developed for emergency destruction, removal, etc. CAT III if plans have been developed but are not readily available for reference by employees.Security ManagerPECS-1, PECS-2, PEDD-1, PESP-1
SV-42455r2_rule IS-14.02.01 MEDIUM Security Incident/Spillage - Lack of Procedures or Training for Handling and Reporting Failure to report possible security compromise can result in the impact of the loss or compromise of classified information not to be evaluated, responsibility affixed, or a plan of action developed to prevent recurrence of future incidents. Security ManagerSecurity ManagerVIIR-1, VIIR-2
SV-42467r2_rule IS-15.02.01 MEDIUM Classification Guides Must be Available for Programs and Systems for an Organization or Site Failure to have proper classification guidance available for can result in the misclassification of information and ultimatley lead to the loss or compromise of classified or sensitive information. Security ManagerECAN-1, PESP-1
SV-42473r2_rule IS-16.03.01 LOW Controlled Unclassified Information (CUI) - Local Policy Procedure Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information. Security ManagerSecurity ManagerPEPF-1, PESP-1
SV-42476r2_rule IS-16.02.01 MEDIUM Controlled Unclassified Information (CUI) - Employee Education and Training Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information.Security ManagerPRTN-1
SV-42497r2_rule IS-16.02.02 MEDIUM Controlled Unclassified Information - Document, Hard Drive and Media Disposal Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information. Security ManagerInformation Assurance OfficerInformation Assurance ManagerNetwork Security OfficerPECS-1, PEDD-1
SV-42578r2_rule IS-16.02.03 MEDIUM Controlled Unclassified Information - Handling, Storage and Controlling Access to Areas where CUI is Processed or Maintained Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information. Information Assurance ManagerSecurity ManagerDCSS-2, PECF-1, PEPF-1, PESP-1, PESS-1, PRAS-1
SV-42579r2_rule IS-16.03.02 LOW Controlled Unclassified Information - Marking/Labeling Media within Unclassified Environments (Not Mixed with Classified) Failure to mark CUI in an approved manner can result in the loss or compromise of sensitive information. Information Assurance ManagerSecurity ManagerCODB-2, ECML-1
SV-42580r2_rule IS-16.02.04 MEDIUM Controlled Unclassified Information - Encryption of Data at Rest Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information.Information Assurance OfficerInformation Assurance ManagerSecurity ManagerDCNR-1, ECCR-1
SV-42581r2_rule IS-16.02.05 MEDIUM Controlled Unclassified Information - Transmission by either Physical or Electronic Means Failure to handle/transmit CUI in an approved manner can result in the loss or compromise of sensitive information. Information Assurance OfficerInformation Assurance ManagerSecurity ManagerDCNR-1, ECCT-1
SV-42582r2_rule IS-16.02.06 MEDIUM Controlled Unclassified Information - Posting Only on Web-Sites with Appropriate Encryption; not on Publicly Accessible Web-Sites. Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information. System AdministratorInformation Assurance OfficerInformation Assurance ManagerSecurity ManagerDCPA-1, EBPW-1
SV-42658r2_rule IS-17.03.01 LOW Classified Annual Review Failure to conduct the annual review and clean out day can result in an excessive amount of classified (including IS storage media) being on hand and therefore being harder to account for, resulting in the possibility of loss or compromise of classified or sensitive information. Security ManagerPESP-1
SV-42673r2_rule PE-01.03.01 LOW Position of Trust - Knowledge of Responsibility to Self Report Derogatory Information Failure to inform personnel of the expected standards of conduct while holding a position of trust and their responsibility to self-report derogatory information to the organization security manager can result in conduct by the individual that will require them being removed from that position. Security ManagerPRRB-1
SV-42677r2_rule PE-01.03.02 LOW Position of Trust - Local Policy Covering Employee Personal Standards of Conduct and Responsibilities Failure to inform personnel of the expected standards of conduct while holding a position of trust can result in conduct by the individual that will require them being removed from that position and/or result in an untrustworthy person continuing in a postion of trust without proper vetting of new derogatory information. Security ManagerPRRB-1
SV-42678r2_rule PE-01.03.03 LOW Position of Trust - Training Covering Employee Standards of Conduct and Personal Responsibilities Failure to inform personnel of the expected standards of conduct while holding a position of trust can result in conduct by the individual that will require them being removed from that position or result in a person no longer meeting standards criteria continuing to hold a position of trust without proper vetting for suitability. Security ManagerPRRB-1, PRTN-1
SV-42679r2_rule PE-02.02.01 MEDIUM Position Sensitivity - Assignment based on Security Clearance and/or Information Technology (IT) Level on Assigned Information Systems (IS) Failure to designate position sensitivity could result in personnel having access to classified information or other sensitive duties (such as privileged access to DoD Information Systems) without the required investigative and adjudicative prerequisites Security ManagerPECF-1, PECF-2, PRAS-1, PRAS-2, PRNK-1
SV-42680r2_rule PE-03.02.01 MEDIUM Validation Procedures for Security Clearance Issuance and (Classified Systems and/or Physical) Access Granted Failure to verify security clearance status could result in an unauthorized person having access to a classified information system or an authorized person being unable to perform assigned duties. System AdministratorInformation Assurance OfficerInformation Assurance ManagerSecurity ManagerPECF-2, PEVC-1, PRAS-1, PRAS-2, PRNK-1
SV-42709r2_rule PE-04.02.01 MEDIUM IT Position Designation Failure to designate an appropriate IT level could result in an individual having access to an information system without the required investigative and adjudicative prerequisites. Information Assurance OfficerInformation Assurance ManagerSecurity ManagerECPA-1, PRAS-1, PRAS-2, PRNK-1
SV-42733r2_rule PE-05.02.01 MEDIUM Background Investigations - Completed based Upon IT/Position Sensitivity Levels Failure to investigate personnel based upon their position sensitivity could result in unauthorized personnel having access to classified or sensitive information. Information Assurance OfficerInformation Assurance ManagerSecurity ManagerECPA-1, PRAS-1, PRAS-2, PRNK-1
SV-42745r2_rule PE-06.03.01 LOW Periodic Reinvestigations - Submitted in a Timely Manner based Upon Position Sensitivity and Type of Investigation Required Failure to subject personnel to periodic reinvestigation can result in derogatory information not being discovered on personnel having access to sensitive or classified information. Security ManagerECPA-1, PRAS-1, PRAS-2, PRNK-1
SV-42762r2_rule PE-07.03.01 LOW Outprocessing Procedures for Departing or Terminated Employees (Military, Government Civilian and Contractor) Failure to properly out process through the security section allows the possibility of (unauthorized) continued access to the facility and/or the systems.Information Assurance OfficerInformation Assurance ManagerSecurity ManagerPESP-1
SV-42794r2_rule PE-08.02.01 MEDIUM Intrusion Detection System (IDS) Monitoring Station Personnel - Suitability Checks Failure to subject personnel who monitor the IDS alarms to a trustworthiness determination can result in the inadvertent or deliberate unauthorized access to, or release of classified material. Security ManagerPEPF-1, PEPF-2, PRMP-1, PRMP-2, PRNK-1
SV-42814r2_rule PE-08.02.02 MEDIUM Intrusion Detection System (IDS) Installation and Maintenance Personnel - Suitability Checks Failure to subject personnel who install and maintain the IDS alarms to a trustworthiness determination can result in the inadvertent or deliberate unauthorized release of classified material. Security ManagerPEPF-1, PEPF-2, PRMP-1, PRMP-2, PRNK-1
SV-42819r2_rule PH-01.03.01 LOW Physical Security Program - Physical Security Plan Development and Implementation with Consideration of Information Systems Assets Failure to have a physical security program will result in an increased risk to DoD Information Systems; including personnel, equipment, material and documents. Security ManagerPECF-1, PECF-2, PEPF-1, PEPF-2, PESP-1, PESS-1
SV-42878r2_rule PH-02.02.01 MEDIUM Risk Assessment -Holistic Review (site/environment/information systems) Failure to conduct a risk analysis could result in not implementing an effective countermeasure to a vulnerability or wasting resources on ineffective measures leading to a possible loss of classified, equipment, facilities, or personnel. The System identification Profile (SIP) identifies the data requirements for registering an information system (IS) with the governing DoD Component IA program. Information requirements for the SIP are described in Table E3.A1.T1.Information Assurance OfficerDesignated Approving AuthorityInformation Assurance ManagerSecurity ManagerDCSD-1
SV-42917r2_rule PH-03.02.01 MEDIUM Physical Protection of Unclassified Key System Devices/Computer Rooms in Large Processing Facilities Allowing access to systems processing sensitive information by personnel without the need-to-know could permit loss, destruction of data or equipment or a denial of service. Loss could be accidental damage or intentional theft or sabotage.Information Assurance OfficerDesignated Approving AuthorityInformation Assurance ManagerSecurity ManagerNetwork Security OfficerPECF-1, PECF-2
SV-42937r2_rule PH-04.02.01 MEDIUM Restricted Area and Controlled Area Designation of Areas Housing Critical Information System Components or Classified /Sensitive Technology or Data Failure to designate the areas housing the critical information technology systems as a restricted or controlled access area may result in inadequate protection being assigned during emergency actions or the site having insufficient physical security protection measures in place. Further, warning signs may not be in place to advise visitors or other unauthorized persons that such areas are off-limits, resulting in inadvertent access by unauthorized persons. Security ManagerPEPF-1, PEPF-2
SV-42938r2_rule PH-05.02.01 MEDIUM Security-in-Depth (AKA: Defense-in-Depth) - Minimum Physical Barriers and Access Control Measures for Facilities or Buildings Containing DISN (SIPRNet/NIPRNet) Connected Assets. Failure to use security in-depth can result in a facility being vulnerable to an undetected intrusion or an intrusion that cannot be responded to in a timely manner - or both. Security ManagerPEPF-1, PEPF-2
SV-42939r2_rule PH-06.02.01 MEDIUM Visitor Control - To Facility or Organization with Information System Assets Connected to the DISN Failure to identify and control visitors could result in unauthorized personnel gaining access to the facility with the intent to compromise classified information, steal equipment, or damage equipment or the facility. Security ManagerPEPF-1, PEPF-2, PEVC-1
SV-42940r2_rule PH-07.02.01 MEDIUM Sensitive Item Control - Keys, Locks and Access Cards Controlling Access to Information Systems (IS) or IS Assets Connected to the DISN Lack of an adequate key/credential/access device control could result in unauthorized personnel gaining access to the facility or systems with the intent to compromise classified information, steal equipment, or damage equipment or the facility.Security ManagerPEPF-1, PESS-1
SV-42941r2_rule PH-09.03.01 LOW Physical Penetration Testing - of Facilities or Buildings Containing Information Systems (IS) Connected to the DISN Failure to periodically test facility/building security where Information Systems (IS) connected to the DISN are present could lead to the unauthorized access of an individual into the facility with nefarious intentions to affect the Confidentiality, Integrity or Assurance of data or hardware on the IS.Security ManagerInformation Assurance ManagerECMT-1, ECMT-2, PEPS-1
SV-42942r2_rule SM-01.03.01 MEDIUM Security and Information Assurance (IA) Staff Appointment, Training/Certification and Suitability Failure to formally appoint security personnel and detail responsibilities, training and other requirements in the appointment notices could result in a weaken security program due to critical security and information assurance personnel not being fully aware of the scope of their duties and responsibilities or not being properly trained or meeting standards for appointment to assigned positions. Default is CAT II based on Check #4 below. If check #4 is compliant then reduce to CAT III for checks #1 through #3 as follows: Check #1. Check to ensure there are appointment letters for all security staff members including the SM, DAA, IAM, IAOs, System Administrators, and NSO. (CAT III) Check #2. Check to ensure the appointments are current and an appropriate authority has made the appointments. (CAT III) Check #3. Check to ensure that pertinent duties, responsibilities, training/certification and other suitability requirements for the appointed positions are contained in the appointment order. (CAT III) Check # 4. Check supporting documentation to ensure that security staff have been properly trained and certified for the positions to which they are appointed and that they meet all applicable requirements for the positions. For instance the DAA and IAM must be US Citizens. (CAT II)System AdministratorDatabase AdministratorInformation Assurance OfficerDesignated Approving AuthorityInformation Assurance ManagerSecurity ManagerNetwork Security OfficerDCSD-1, PRTN-1
SV-42943r2_rule SM-02.02.01 MEDIUM Security Training - Information Security (INFOSEC) and Information Assurance (IA) for ALL Employees; Military, Government Civilian and Contractor Failure to provide security training to ALL employees results in a weak security program and could lead to the loss or compromise of classified or sensitive information. Information Assurance OfficerInformation Assurance ManagerSecurity ManagerDCSD-1, PESP-1, PETN-1, PRTN-1
SV-42944r2_rule SM-03.03.01 LOW Counter-Intelligence Program - Training, Procedures and Incident Reporting Failure to establish a good working relationship with the supporting/local CI agency and lack of proper CI training for site/organization employees could result in not being informed of local threats and warnings leaving the organization vulnerable to the threat and/or a delay in reporting a possible incident involving reportable FIE-Associated Cyberspace Contacts, Activities, Indicators, and Behaviors, which could adversely impact the Confidnetiality, Intergity or Availability (CIA) of the DISN. . Security ManagerDCSD-1, PRTN-1
SV-43876r2_rule CS-04.01.08 HIGH Protected Distribution System (PDS) Construction - Alarmed Carrier A PDS that is not constructed and configured as required could result in the covert or undetected interception of classified information.The default is a Category I severity level when the physical make-up of the alarmed PDS is found to be inadequate, non-functional or otherwise vulnerable to undetected intrusion. Not conducting any checks of the PDS alarm functionality will also result in a CAT I finding. Alarms not continuously monitored by properly cleared US Personnel at a 24/7 monitoring location will also result in a CAT I finding. May be reduced to CAT II if the PDS alarm system functions properly and checks of the alarm system are conducted at a frequency less than on a weekly basis. Checks must be conduct at least every 3-months or a CAT I severity level must be applied. May be reduced to a CAT II if the PDS alarm functions properly and checks of the alarm system are conducted on a weekly basis but the alarm system sensor employed is not approved by the cognizant COMSEC and/or physical security authorities and/or documentation does not exist to support this approval. May be reduced to a CAT III if the PDS alarm functions properly and checks of the alarm system are conducted on at least a weekly basis but there is no SOP detailing actions for checking the system functionality or response to alarms.There are three types of PDS classified as Hardened Distribution Systems: 1. Hardened Carrier (STIG ID: CS-04.01.02) 2. Alarmed Carrier (STIG ID: CS-04.01.08) and 3. Continuously viewed Carrier. (STIG ID: CS-04.01.06) This requirement (Alarmed Carrier, STIG ID CS-04.01.08) if used as the hardened carrier, makes the other types of Hardened Distribution Systems (STIG ID: CS-04.01.02 and STIG ID: CS-04.01.06) NA.Information Assurance OfficerInformation Assurance ManagerSecurity ManagerDCSR-3, ECCT-2, PESS-1