Traditional Security

Checks: C-39592r2_chk

Check for documented proof of COMSEC Custodian or hand receipt holder training. NOTES: 1. Formal training for primary COMSEC account holders must be completed within 6-months of being designated as COMSEC Custodian. 2. Ensure that any COMSEC account, materials or equipment being inspected is used for encryption of DISN assets. COMSEC accounts or items not used with DISN assets should not be inspected

Fix: F-34740r2_fix

Documented proof of required COMSEC Custodian or hand receipt holder training must be available. Formal training of primary COMSEC account holders is required within 6-months of being appointed as COMSEC Custodian or alternate. Sub-Account or hand receipt holders may be trained by the sponsoring primary account COMSEC Custodian.

Generate Mitigation Statement:

Checks: C-39594r4_chk

Check proof of user training. NOTES: 1. Applies in a tactical environment if the crypto equipment and key material being observed is at a location where supporting staff (IAM, SM, COMSEC Custodian/COMSEC Responsible Officer (CRO) AKA: Hand Receipt Holder)would logically be located. If it is a mobile tactical organization, COMSEC users should previously have received proper training; however, since the documentation will likely not be available in a field environment this check will be NA. 2. Observations and comments may be entered into VMS, even if there is no finding. 3. Ensure that any COMSEC account, materials or equipment being inspected is used for encryption of DISN assets. COMSEC accounts or items not used with DISN assets should not be inspected.

Fix: F-34744r3_fix

Train all COMSEC users on proper procedures for operation of COMSEC equipment and on proper protection of both classified COMSEC materials as well as COMSEC Controlled Information (CCI). Documented proof of initial user training must be on-hand and updated at least annually.

Generate Mitigation Statement:

Checks: C-39600r2_chk

Check to ensure: (1) The PDS is visible for inspection. Whenever possible it is not to be installed behind walls, below raised floors, or above the ceiling. Transitioning walls, floors or ceilings between rooms is the only allowance for interior PDS to not be completely visible. PDS carrier or access points must not be installed directly against walls or other surfaces so that the entire 360 degree surface of the PDS can be viewed. (2) If the PDS is not visible ensure it (the carrier itself) is alarmed. NOTE: While alarming the space surrounding the PDS mitigates vulnerability - it does not meet the standard.

Fix: F-34750r2_fix

1. The PDS must be installed so that it is completely visible for inspection. Whenever possible it is not to be installed behind walls, below raised floors, or above the ceiling. Transitioning walls, floors or ceilings between rooms is the only allowance for interior PDS to not be completely visible. 2. If the PDS is not visible ensure it (the carrier itself) is alarmed. NOTE: While alarming the space surrounding the PDS mitigates vulnerability - it does not meet the standard.

Generate Mitigation Statement:

Checks: C-39611r3_chk

Check to ensure: 1. All PDS seams and connectors are permanently sealed completely around all surfaces (e.g., welding (continuous or track), compression, epoxy, fusion, etc.). 2. If pull boxes are used, check that the pull-box covers are sealed to the pull boxes completely around the mating surfaces. 3. Boxes with prepunched knockouts are not be used. NOTE: If a pre-fabricated (Modular types such as Holocom or Wiremold) PDS is used it is also required to have all joints sealed as specified above.

Fix: F-34761r3_fix

1. All PDS seams and connectors must be permanently sealed *completely around* all surfaces (e.g., welding (continuous or track), compression, epoxy, fusion, etc.). 2. If pull boxes are used the pull-box covers must be sealed to the pull boxes *completely around* the mating surfaces. 3. Boxes with prepunched knockouts must not be used. NOTE: If a pre-fabricated (Modular type, such as Holocom or Wiremold) PDS is used it is also required to have all joints sealed as specified above.

Generate Mitigation Statement:

Checks: C-39639r3_chk

A PDS carrying SIPRNet cable is subject to periodic visual inspections IAW (Table B-2, of NSTISSI 7003). Check to ensure: 1. At least one daily inspection of the PDS line is conducted or more frequently if required by Table B-2. 2. The PDS inspection results are documented and maintained on hand for at least 90 days - or longer if required by the PDS Approval Authority. 3. Person(s) are formally appointed (in writing) to conduct the visual inspections. 4. The person(s) appointed to accomplish the visual inspection are trained sufficiently to recognize physical changes in PDS including attempts at penetration and tampering. NOTE: In a tactical environment periodic checks are not applicable for Continuously Viewed Carriers since they are under continuous observation, 24 hours per day (including when operational). This check is applicable to tactical environments where Continuously Viewed Carriers are not used.

Fix: F-34787r3_fix

A PDS carrying SIPRNet cable is subject to periodic visual inspections IAW (Table B-2, of NSTISSI 7003). To correct this finding visual checks of PDS must be completed on a continuing basis as follows: 1. At least one daily inspection of the PDS line must be conducted, or more frequently if required by Table B-2. 2. The PDS inspection results must be documented and maintained on hand for at least 90 days, or longer if required by the PDS Approval Authority. 3. Person(s) must be formally appointed (in writing) to conduct the visual inspections. 4. The person(s) appointed to accomplish the visual inspection must be trained sufficiently to recognize physical changes in PDS including attempts at penetration and tampering. NOTE: In a tactical environment periodic checks are not applicable for Continuously Viewed Carriers since they are under continuous observation, 24 hours per day (including when operational). This check is applicable to tactical environments where Continuously Viewed Carriers are not used.

Generate Mitigation Statement:

Checks: C-39642r5_chk

Checks: 1. Check to ensure there are procedures written that cover how to handle all possible types of potential PDS incidents. 2. Check daily and technical inspection results (logs) for evidence of discovered PDS anomalies. 3. Ensure any incidents of tampering, penetration, or unauthorized interception were reported immediately to the PDS Approving Authority and the local security/law enforcement authority. 4. Subject to law enforcement procedures, which take precedence, check to ensure the PDS was not used until the incident was assessed and its security status determined. 5. If discontinued use of the PDS is or was not practical, check to ensure users of all impacted PDS were notified of the possible breach in security, and instructed that use of systems running on the PDS be limited to the greatest extent possible. 6. Discovery of an anomaly in the PDS that is not properly reported and resolved is a finding. All discoveries must be documented and such documentation retained indefinitely -for as long as the PDS remains functional. NOTES: 1. This check is applicable to tactical environments. Incidents of possible tampering must be reported to the PDS approving authority in as expeditious a manner as possible. 2. Even if there is no finding, in the reviewer notes provide a brief note of any reported incidents or anomalies previously noted by the site, including the date it was initially noted.

Fix: F-34790r5_fix

1. A procedure must be written that covers how to handle all possible types of potential PDS incidents. 2. ALL incidents of suspected or actual tampering, penetration, or unauthorized interception must be reported immediately to the PDS Approving Authority and the local security/law enforcement authority. 3. Subject to law enforcement procedures, which take precedence, the PDS must not be used until the incident is assessed and its security status determined. 4. If discontinued use of the PDS is or was not practical, all users of impacted PDS must be notified of the possible breach in security and instructed that use of systems running on the PDS be limited to the greatest extent possible. 5. All discoveries must be documented and such documentation retained indefinitely -for as long as the PDS remains functional.

Generate Mitigation Statement:

Checks: C-39645r2_chk

CHECKS: 1. Determine if TEMPEST countermeasures are required based on the geographical location and classification level processed. TEMPEST considerations apply to all OCONUS locations and select CONUS locations. 2. If required, ask to see a TEMPEST assessment. Verify the TEMPEST assessment was conducted by a Certified TEMPEST Technical Authority (CTTA). 3. Determine through inspection and/or interview if any required TEMPEST countermeasures are implemented. 4. TEMPEST countermeasures may or may not be feasible in a tactical environment. This can only be determined through a proper Risk Assessment, which is coordinated with a supporting CTTA for matters concerning emanations security. 5. Where required (OCONUS in particular) check to ensure an assessment of TEMPEST risk and applicability of countermeasures is included in a risk assessment and that the supporting CTTA was consulted. This process may be conducted by the Major US Combatant Command for Theater level operations rather than by individual units or location based commands. The key element to determine if this requirement is met is that any possible risk resulting from Emanations is properly considered and documented. NOTES: Where TEMPEST must be considered and although there is no finding, the reviewer should note in the report if a CTTA has conducted a TEMPEST review, the date it was completed and countermeasures recommended. Further note in the report if specific consideration for TEMPEST was provided for in the site risk assessment.

Fix: F-34791r3_fix

1. Where TEMPEST is required to be considered a Certified TEMPEST Technical Authority (CTTA) must evaluate Emanation Security concerns and recommended countermeasures from this evaluation must be properly applied. 2. Where TEMPEST is required an assessment of TEMPEST risk and applicability of countermeasures must be included in the site risk assessment and the supporting CTTA must be consulted. NOTE: TEMPEST countermeasures are required based on the geographical location and classification level processed. TEMPEST considerations apply to all OCONUS locations and select CONUS locations.

Generate Mitigation Statement:

Checks: C-39646r2_chk

Check for separation of at least 50 centimeters (19.7 inches) between any RED processor and BLACK equipment. Requirement is mandatory for all OCONUS locations and certain specific CONUS locations. NOTE: This requirement is applicable in a tactical environment. The supporting CTTA should be contracted for specific separation requirements, which may be greater than the 50 cm minimum distance reflected in this check.

Fix: F-34792r2_fix

A separation of at least 50 centimeters (19.7 inches) between any RED processor and BLACK equipment is required. This requirement is mandatory for all OCONUS locations and certain specific CONUS locations based on geographic threat information. The supporting CTTA should be contracted for specific separation requirements, which may be greater than the 50 cm minimum distance reflected in this check.

Generate Mitigation Statement:

Checks: C-39647r2_chk

Check for a separation of at least 5 centimeters (2 inches) between any RED wire line and BLACK wire lines that exit the inspectable space (exit space not within a SCIF, Secret or above vault or secure room or Secret or above CAA) or are connected to an RF transmitter, or BLACK power lines. Requirement is mandatory for all OCONUS locations and certain specific CONUS locations based on geographic threat information. NOTE: This requirement is applicable in a tactical environment. The supporting CTTA should be contracted for specific separation requirements, which may be greater than the 5 cm distance reflected in this check.

Fix: F-34793r2_fix

A separation of at least 5 centimeters (2 inches) is required between any RED wire line and BLACK wire lines that exit the inspectable space (exit space not within a SCIF, Secret or above vault or secure room or Secret or above CAA) or are connected to an RF transmitter, or BLACK power lines. This requirement is mandatory for all OCONUS locations and certain specific CONUS locations based on geographical threat information. NOTE: The supporting CTTA should be contracted for specific separation requirements, which may be greater than the 5 cm distance reflected in this check.

Generate Mitigation Statement:

Checks: C-39648r2_chk

Check an emergency power cut-off (EPO) switch is located near the main IT area entrance. It must be clearly labeled and have a protective cover. This requirement is only for computer centers with large server rooms and/or supporting infrastructure rooms hosting large amounts of network equipment and/or equipment such as chillers, battery backup, transformers, etc. NOTES: In general such an area will be in raised floor space. The requirement should not be applied to purely administrative/office space. Also, this requirement should not be applied to a tactical environment, unless it is clearly an "established" fixed computer facility supporting missions in a Theater of Operations. The standards to be applied to determine applicability in a tactical environment are: 1) The facility containing the computer room has been in operation over 1-year. 2) The facility is "fixed facility" - a hard building made from normal construction materials - wood, steel, brick, stone, mortar, etc.

Fix: F-34794r2_fix

1. A master power switch or emergency cut-off switch for the IT equipment must be located near the main entrance of the IT area. 2. The emergency switch must be properly labeled. 3. The emergency switch must be protected by a cover to prevent accidental shut-off of the power.

Generate Mitigation Statement:

Checks: C-39649r4_chk

Check that emergency lighting and exits are located in IT areas. NOTES: This requirement should not be applied to a tactical environment, unless it is a fixed computer facility supporting missions in a Theater of Operations. The standards to be considered for applicability in a tactical environment are: 1) The facility containing the computer room has been in operation over 1-year. 2) The facility is "fixed facility" - a hard building made from normal construction materials - wood, steel, brick, stone, mortar, etc.

Fix: F-34795r2_fix

Emergency lighting and exits must be installed in areas containing information systems.

Generate Mitigation Statement:

Checks: C-39660r3_chk

1. Check there are DD Forms 254 available for all classified contracts. NOTE: These forms may be held by the site contracting officials but should be available to the site security manager and information security manager for review. 2. Conduct a cursory review of the DD 254 to ensure all security requirements are properly detailed on the form, especially with regard to Information Assurance (ie., IT Position level designation). NOTE: Applicable to tactical environments if there are contractor personnel performing classified work. This form will likely only be found at fixed locations rather than field locations. While the DD 254 may not be available on site or even in Theater, the completed document's location should be identified and if possible a scanned and emailed copy requested for review. This will likely only be able to occur via SIPRNet email because some of these forms contain classified information, while all others are only FOUO.

Fix: F-34805r3_fix

1. DD Forms 254 must be on hand for each classified contract. 2. All security requirements must be properly detailed on the form, particularly for Information technology related requirements, such as IT Position levels for the positions or types of work to be performed.

Generate Mitigation Statement:

Checks: C-39662r2_chk

Check to ensure: 1. Contract guards have a minimum favorable National Agency Check (NAC) prior to DoD facility assignment or an appropriate level of security clearance if required by the DD 254 and classified duties performed. 2. If classified work is not required check to ensure security specifications are contained within the contract documentation (Statement of Work (SOW) or other appropriate documentation) for NAC and any other security requirements not involving access to classified. 3. That contract guards actually have current investigations for the position level of trust and/or security clearance requirements. NOTES: 1. Fully applicable in a tactical environment if contract guards are employed. 2. This check does not "necessarily" apply to base police/gate guards - only to the guards employed specifically to protect "inspected site" assets. If the host installation employs contract guards to assist or directly protect "inspected site" assets then the requirements of this Vul will apply.

Fix: F-34807r3_fix

1. Contract guards must have a minimum favorable National Agency Check (NAC) prior to DoD facility assignment or an appropriate level of security clearance if required by the DD 254 and classified duties are performed. 2. If classified work is not required security specifications must be contained within the contract documentation (Statement of Work (SOW) or other appropriate documentation) for a NAC and any other security requirements for guards not involving access to classified. NOTES: 1. Fully applicable in a tactical environment if contract guards are employed. 2. This check does not "necessarily" apply to base police/gate guards - only to the guards employed specifically to protect "inspected site" assets. If the host installation employs contract guards to assist or directly protect "inspected site" assets then the requirements of this Vul will apply.

Generate Mitigation Statement:

Checks: C-39664r3_chk

Check there is a written COOP plan for inspected systems: 1. For Mission Assurance Category (MAC) III systems only: If a COOP or Disaster Recovery Plan is not in place, ensure the DAA has considered and accepted the risk (specifically for lack of COOP) in a Risk Assessment. 2. Check COOP documentation for plan testing, discrepancies noted and if corrective action taken. 3. Conduct a cursory review of the COOP to ensure it is commensurate with the MAC Level of the system concerning recovery times and testing requirement(s). NOTES: 1. Certain large computing centers like the DISA Computing Services (DECCs) may offer COOP as a fee for service option. Since this is applicable to "customer" applications it should not be a finding attributed to the DECC. If appropriate, COOP or lack thereof if cited as a finding in this instance should be attributed to the specific customer. 2. This requirement should not be applied to a tactical environment, unless it is a fixed computer facility supporting operations within a Theater of Operations. The standards to be applied for applicability in a tactical environment are: 1) The facility containing the computer room has been in operation over 1-year. 2) The facility is "fixed facility" - a hard building made from normal construction materials - wood, steel, brick, stone, mortar, etc.

Fix: F-34810r3_fix

Continuity of Operations Plans (COOP) must be developed and tested commensurate with Mission Assurance Category (MAC) Level for ALL DISN connected systems to ensure system and data availability in the event of any type of failure. For MAC III systems only: If no COOP is in place ensure the risk has been (specifically) accepted by the responsible DAA in a Risk Assessment.

Generate Mitigation Statement:

Checks: C-39667r4_chk

1. Check to ensure there are written procedures for identifying, reporting, and handling systems security incidents. 2. Check to ensure that procedures for handling system security incidents are included in both initial and annual (refresher) employee training. NOTE: Applies in a tactical environment. While procedures for incident handling might not be readily available in a mobile/field location, they should be established and available at a supporting fixed headquarters facility. Field units must still be informed and knowledgeable of their responsibility to report security incidents. This knowledge can be ascertained by asking field organization leadership what they would do in a spillage or similar computer security incident.

Fix: F-34815r4_fix

A program to recognize, investigate, and report information systems security incidents to include virus, system penetration, and classified contamination must be established. Such a program will include written procedures that are available for employee review as well as including the topic in initial and annual security refresher training.

Generate Mitigation Statement:

Checks: C-39673r6_chk

1. Check to ensure there are written procedures for personnel who request access to a computer system. 2. Note in the Vul findings what access form is used (locally developed, Service level or DD Form 2875). 3. If applicable - ensure the most current version of the DD Form 2875, System Access Request (SAR) is being used. 4. Note what training is required/conducted before system access is granted. 5. Review a sample of system access request forms to ensure the forms contain appropriate information for checking compliance with security requirements for privileged, user, classified and unclassified systems access. Information required will include identification of the individual requesting access, signature dates, supervisory approval, IAM and SM approval, investigation level and security clearance required, investigation and security clearance possessed, IA (AKA: ADP) position level and date Information Assurance Training was completed. 6. Check to ensure a separate "User Agreement" also exists for both system "users" and for "privileged account holders" (System Administrators...). For privileged users a signed Privileged Access Statement IAW Appendix 4 of DoD 8570.01-M, Information Assurance Workforce Improvement Program is required. 7. In a tactical environment the forms used to control systems access might not be readily accessible in the field. Determine where the forms are maintained and if the location is not within reach, attempt to obtain a sample copy of a completed form via fax, email, etc. Fixed locations with IA staff assigned should have the forms available.

Fix: F-34824r8_fix

1. Written procedures for personnel who request access to a computer system must be developed. 2. A System Authorization Access Control (SAAR) form (DD Form 2875 or equivalent) must be used to define and control individual access for systems. If applicable, the most current version of the DD Form 2875, System Access Request (SAR) must be used. Locally developed or Service level forms may also be used if the same information found on the DD Form 2875 is used. 3. Local or Service level System Authorization Access Request (SAAR) forms must minimally contain appropriate information for checking compliance with security requirements for privileged, routine user, classified and unclassified systems access like the DD Form 2875. Information required includes identification of the individual requesting access, signature dates, supervisory approval, IAM and SM approval, investigation level and security clearance required, investigation and security clearance possessed, IA (AKA: ADP) position level and date Information Assurance Training was completed. 4. A separate "User Agreement" must be signed by each user before access is granted. This includes both system "users" and "privileged account holders" (System Administrators...). For privileged users a signed Privileged Access Statement IAW Appendix 4 of DoD 8570.01-M, Information Assurance Workforce Improvement Program is required.

Generate Mitigation Statement:

Checks: C-39674r3_chk

1. Check records for required training/certification of (IA) IAM/IAT personnel. In addition to the initial and recurring (annual) training requirements every system user must undergo, the IA staff such as IAM, IAO, SA, NSO must be part of an organizational certification program IAW DoD 8570.01-M, Workplace Improvement Program. 2. Ensure this certification program is in place and that training/certification requirements are documented for each IA staff member, which includes current certification level: IAM (I-III) or IAT (I-III). TACTICAL ENVIRONMENT: In a tactical environment records should be maintained at fixed locations where IA and security staff are working. This check is not applicable to units in a mobile/field environment.

Fix: F-34826r2_fix

1. A program must be in place to establish and document required training/certification of (IA) IAM/IAT personnel. 2. In addition to the initial and recurring (annual) training requirements every system user must undergo, the IA staff such as IAM, IAO, SA, NSO must be part of an organizational certification program IAW DoD 8570.01-M, IA Workplace Improvement Program. 3. Training/certification requirements must be documented for each IA staff member to include their current certification level: IAM (I-III) or IAT (I-III).

Generate Mitigation Statement:

Checks: C-39681r3_chk

Check records for required initial and recurring (annual) training requirements every system user must undergo. TACTICAL ENVIRONMENT: In a tactical environment records should be maintained at fixed locations where IA and security staff are working. This check is not applicable to personnel in units in a mobile/field environment.

Fix: F-34887r3_fix

1. All system users must take both initial and recurring (annual) training based on applicable regulatory requirements that every system user must undergo. 2. All training accomplished must be documented for each individual user.

Generate Mitigation Statement:

Checks: C-39687r2_chk

Check the accreditation package with only a cursory review to ensure the ATO/IATO are current. TACTICAL ENVIRONMENT: The check is applicable. The ATO and associated documentation should be found in a fixed HQ location where the IAM/IAO are located. When possible, documentation should be requested/sought before departing on trips to tactical locations. Copies sent to the reviewers email (NIPR or SIPR depending on classification of document) can be used to validate compliance.

Fix: F-34892r2_fix

1. A current accreditation document approved by the DAA must be on hand for all systems and applications connected to the DISN. 2. Copies of the original accreditation documentation along with any subsequent modifications must be on-hand for review. 3. The Approval to Operate (ATO) or Interim Approval to Operate (IATO) must be up-to-date and must be signed by the current Approving Authority.

Generate Mitigation Statement:

Checks: C-39723r6_chk

1. Check the NIPRNet connection approval package. Conduct a cursory review for any traditional security issues. 2. Ensure the approval is current. The approval must come from the Unclassified Connection Approval Office (UCAO). TACTICAL ENVIRONMENT: The check is applicable. The ATO and associated documentation should be found in a fixed HQ location where the IAM/IAO are located. When possible, documentation should be requested/sought before departing on trips to tactical locations. Copies sent to the reviewers email (NIPR or SIPR depending on classification of document) can be used to validate compliance.

Fix: F-34921r3_fix

1. The NIPRNet connection approval package must be complete and accurate and the approval to connect (ATC) or Interim Approval to Connect (IATC) must be current. 2. The approval must come from the DISA Unclassified Connection Approval Office (UCAO).

Generate Mitigation Statement:

Checks: C-39724r4_chk

1. Check to ensure the site provided the Classified Connection Approval Office (CCAO), current certification documentation IAW CCAO guidance. 2. In addition check to ensure the site also has notified the CCAO of any changes/modification to the approved architecture. 3. Check to ensure the approval to connect (ATC) or Interim Approval to Connect (IATC) is current. TACTICAL ENVIRONMENT: The check is applicable. The ATC and associated documentation should be found in a fixed HQ location where the IAM/IAO are located. When possible, documentation should be requested/sought before departing on trips to tactical locations. Copies sent to the reviewers email (NIPR or SIPR depending on classification of document) can be used to validate compliance.

Fix: F-34922r3_fix

1. The Classified Connection Approval Office (CCAO) must be provided with current certification documentation IAW CCAO guidance. 2. The CCAO must be notified in writing of any changes/modification to the approved architecture. 3. The approval to connect (ATC) or Interim Approval to Connect (IATC) must be current.

Generate Mitigation Statement:

Checks: C-39789r3_chk

1. Check all KVM switches that switch from NIPR to SIPR - or other low side to high side systems being reviewed. 2. Ensure switches are on the most current approved DSAWG list or otherwise comply with DSAWG guidance for use for switching between high side and low side devices. 3. Check to ensure that any unapproved switch boxes in use have specific approval for use in the SIPRNet Approval to Connect (ATC) or (IATC) from the Classified Connection Approval Office (CCAO). TACTICAL ENVIRONMENT: The check is applicable where KVM devices are in use.

Fix: F-34994r2_fix

1. All KVM switches that switch from NIPR to SIPR - or other low side to high side systems being reviewed must be on the most current approved DSAWG list or otherwise comply with DSAWG guidance. 2. Any unapproved switch boxes in use (switching from NIPR to SIPR) must have specific approval for use and be addressed in the SIPRNet Approval to Connect (ATC) or IATC from the Classified Connection Approval Office (CCAO).

Generate Mitigation Statement:

Checks: C-39804r2_chk

Validate the correct configuration of CYBEX/Avocent 4 or 8 port KVMs IAW DSAWG guidance. This includes physical port separation between SIPRNet and NIPRNet (high & low) connections. Because of the internal physical configuration of the CYBEX boxes, only like classification levels may be connected to adjacent ports. TACTICAL ENVIRONMENT: The check is applicable where KVM devices are in use.

Fix: F-35002r2_fix

1. CYBEX/Avocent 4 or 8 port KVMs used for switching devices between the SIPRNet and NIPRNet (or any switching between SIPRNet and any other unclassified network devices) must be correctly configured IAW DSAWG guidance. 2. Correct configuration must include physical port separation between SIPRNet and NIPRNet (high & low) (or any switching between SIPRNet and any other unclassified network devices) connections. 3. Because of the internal physical configuration of the CYBEX/Avocent box back plates, only like classification levels may be connected to adjacent ports.

Generate Mitigation Statement:

Checks: C-39805r2_chk

1. Check to ensure users are physically switching between devices on SIPRNet and any devices connected to an unclassified network like NIPRNet, rather than using a Hot-Key feature. 2. Be suspicious of any KVM that is not easily reachable (within arms distance) by the keyboard operator. TACTICAL ENVIRONMENT: The check is applicable where KVM devices are in use.

Fix: F-35008r2_fix

Users of KVM devices must physically switch between devices connected to the SIPRNet and any devices connected to an Unclassified network such as NIPRNet, rather than using a Hot-Key feature.

Generate Mitigation Statement:

Checks: C-39822r3_chk

1. Check to ensure that unauthorized wireless devices (PEDs such as cell phones, blackberrys, laptops, etc.) are not being used in areas where classified systems or machines (SIPRNet) are in use. 2. If PED usage in classified processing areas is permitted by the site, check to ensure there is specific written DAA approval and that a CTTA has assessed the environment and that any resulting recommended TEMPEST countermeasures have been implemented. TACTICAL ENVIRONMENT: The check is applicable for ALL classified processing environments.

Fix: F-35021r2_fix

1. Unauthorized wireless devices (PEDs such as cell phones, blackberrys, laptops, etc.) must not be permitted for use in areas where classified systems or machines (SIPRNet) are in use. 2. If PED usage in classified processing areas is permitted, there must be specific written DAA approval and a CTTA assessment of the environment and any resulting recommended TEMPEST countermeasures must be implemented.

Generate Mitigation Statement:

Checks: C-39920r5_chk

1. Check that ALL network connections (on NIPRNet or other Unclassified Network under review) such as routers, switches, and hubs must are secured in a locked communications closet/room OR secured in a cabinet if the equipment is located in a room that is accessed by non-network personnel. 2. Ensure the locked room or cabinet cannot be easily accessed without forceable entry. Also ensure that proper key control procedures are used for ALL keys associated with both communication room doors and/or equipment cabinet doors. 3. ANY discrepancies with the above guidelines will result in a finding. TACTICAL ENVIRONMENT: The check is applicable for fixed tactical processing environments. It is assumed the type of equipment referenced will be in a fixed environment. Not applicable to a field/mobile environment.

Fix: F-35098r4_fix

1. All network connections (on NIPRNet or other Unclassified Network under review) such as routers, switches, and hubs must be secured within a locked communications closet/room OR secured within a cabinet if the equipment is located in a room that is accessed by non-network personnel. 2. The locked room or cabinet must be adequately secured so that it cannot be easily accessed without forceable entry. 3. Proper key control procedures must be in place for associated keys used to secure doors to communications rooms AND equipment cabinets. NOTE: Because locks and keys to equipment cabinets are often inferior and do not provide for adequate physical protection it is recommended that a metal hasp be attached (using rivets or other means that cannot be removed without evidence of forceable entry) to equipment cabinets securing network equipment. General Services Administration (GSA) Medium Security Keyed Padlocks or (preferably) the S&G 8077 Changeable Combination Padlock should then be used to secure the cabinet using the hasp.

Generate Mitigation Statement:

Checks: C-39932r3_chk

When organizations grant foreign national access to U.S. DoD systems check to ensure foreign nationals granted e-mail privileges on DOD systems are clearly identified as such in their e-mail addresses IAW DoDD 8500.01E and CJCSI 6510.01F. TACTICAL ENVIRONMENT: This check is applicable where LN/FN are employed in a tactical environment with access to US or Coalition Forces Systems.

Fix: F-35110r3_fix

Foreign Nationals granted e-mail privileges on DOD systems must be clearly identified as such in their e-mail addresses IAW DoDD 8500.01E and CJCSI 6510.01F.

Generate Mitigation Statement:

Checks: C-39936r7_chk

Check that all local foreign nationals hired by DoD organizations overseas, with NIPRNet user access, are employed IAW the applicable Status of Forces Agreement (SOFA) and have the following successfully adjudicated checks: a. Host government, law enforcement and security agency checks at the city, state (province), and national level, whenever permissible by the laws of the host government. b. Favorable DCII checks c. FBI-HQ/ID (Where information exists regarding residence by the foreign national in the U.S. or Territory for one year or more since age 18). TACTICAL ENVIRONMENT: This check is applicable where LN/FN are employed in a tactical environment with access to Unclassified US or Coalition Forces Systems.

Fix: F-39500r4_fix

All local foreign nationals hired by DoD organizations overseas, with NIPRNet user access, must be employed IAW the applicable Status of Forces Agreement (SOFA) and have the following successfully adjudicated checks: a. Host government, law enforcement and security agency checks at the city, state (province), and national level, whenever permissible by the laws of the host government. b. Favorable DCII checks c. FBI-HQ/ID (Where information exists regarding residence by the foreign national in the U.S. or Territory for one year or more since age 18).

Generate Mitigation Statement:

Checks: C-39948r3_chk

1. Check that a Delegation of Disclosure Authority Letter (DDL) is on hand for each assigned REL partner or other FN partner granted Limited Access to US Classified. NOTE: All disclosures and denials of classified military information are reported in the Foreign Disclosure and Technical Information System (FORDTIS) and it might also be possible for reviewers to request visual access to validate foreign clearance approvals at sites. However, a DDL is required for access to any US Classified information. 2. The organization's supporting Foreign Disclosure/Contact Officer (FDO) will be the ultimate POC for this. TACTICAL ENVIRONMENT: This check is applicable where REL Partners or other FN allies are employed in a tactical environment with access to US Classified or Sensitive Systems.

Fix: F-35122r3_fix

A Delegation of Disclosure Authority Letter (DDL) must be on hand for each assigned REL partner or other FN partner granted Limited Access to US Classified systems or information. NOTE 1: All disclosures and denials of classified military information are reported in the Foreign Disclosure and Technical Information System (FORDTIS). A DDL is required to validate and set parameters for FN access to any US Classified information. NOTE 2: The organization's supporting Foreign Disclosure/Contact Officer (FDO) will be the POC for this.

Generate Mitigation Statement:

Checks: C-39983r2_chk

Check to ensure that US employees clearly understand the differences and limitations between REL Officers, other NATO partners, Non-NATO partners and Coalition Partners. In a mixed US/FN partner environment the US personnel must know exactly what information can be shared and what cannot be shared or how to readily determine this information. For example the restrictions and cautions for partners from Belgium, Germany, France will be significantly greater relative to viewing anything on SIPRNet work stations versus the Australia, Canada, Great Britain partners. This can only be done if there are written local procedures and initial/recurring (at least annual) employee training to ensure familiarization with the rules for sharing classified and sensitive information with our partners. It is recommended that employees sign an acknowledgement that they understand their responsibilities for sharing information, but this is not to be required. This particular check should be validated by specifically checking for written procedures and training records. This subject can be included in the initial and annual site security awareness training but must be clearly detailed as having been properly completed. The effectiveness of the program can be validated by conducting random employee interviews concerning their understanding of rules covering sharing classified and sensitive information with FN partners assigned to or visiting their organization/site. Any one of the following three items: Lack of written procedures, lack of training, or evidence employees are not familiar with the rules for information sharing will result in a finding. TACTICAL ENVIRONMENT: This check is applicable where REL partners/LN/FN are employed in a tactical environment with access to US Systems

Fix: F-35158r2_fix

BACKGROUND: US employees must clearly understand the differences and limitations between REL Officers, other NATO partners, Non-NATO partners and Coalition Partners. In a mixed US/FN partner environment the US personnel must know exactly what information can be shared and what cannot be shared or how to readily determine this information. For example the restrictions and cautions for partners from Belgium, Germany, France will be significantly greater relative to viewing anything on SIPRNet work stations versus the Australia, Canada, Great Britain partners. REQUIREMENT: There must be written local procedures and initial/recurring (at least annual) employee training to ensure familiarization with the rules for sharing classified and sensitive information with our partners. This topic must be included in the initial and annual site security awareness training. Any one of the following three items will result in a finding: 1. Lack of written procedures, 2. Lack of training, or 3. Clear evidence employees are not familiar with the rules for information sharing.

Generate Mitigation Statement:

Checks: C-39994r3_chk

Check to ensure there are local written procedures for when foreign national request access to U.S. systems. Validate the standards are correct. Ensure Foreign Nationals only hold IT positions authorized by regulation - primarily DoD 8570.01-M, IA Workforce Improvement Program. TACTICAL ENVIRONMENT: This check is applicable where REL partners/LN/FN are employed in a tactical environment with access to classified or unclassified US Systems or Coalition Systems.

Fix: F-35162r4_fix

There must be local written procedures for when there is a foreign national request to access to U.S. systems. Foreign Nationals must only hold IT positions authorized by regulation. IAW DoD 8570.01-M: C3.2.4.8.2. ...LNs and Foreign Nationals (FNs) must comply with background investigation requirements and cannot be assigned to IAT Level III positions. TACTICAL ENVIRONMENT: This check is applicable where REL partners/LN/FN are employed in a tactical environment with access to classified or unclassified US Systems or Coalition Systems

Generate Mitigation Statement:

Checks: C-39995r7_chk

Check all safes, vaults and/or secure rooms (*only those containing DISN assets) for proper management practices: 1. Ensure only GSA-approved security containers are being utilized. GSA-approved security containers and vault doors must have a label indicating “General Services Administration Approved Security Container,” affixed to the front of the container, usually this is on the control or the top drawer of safes. 2. Ensure combinations are changed as required. This is recorded on the applicable SF 700 form and must be done: When placed in service, When someone with knowledge of the combination departs (unless other sufficient controls exist to prevent that individual’s access to the lock), When compromise of the combination is suspected, or When taken out of service built-in combination locks shall be reset to the standard combination of 50-25-50. 3. Ensure forms SF 700, Security Container Information are properly completed for each safe, vault and secure room used to store classified DISN assets. Examples of what to look for follows. For the SF 700 form ensure: a. It shows the location of the door or container. b. It reflects the names, home addresses, and home telephone numbers of the individuals having knowledge of the combination who are to be contacted in the event that the vault, secure room, or container is found open and unattended . c. The cover sheet is filled out, attach it to the inside of the control drawer or on the inside face of the vault or secure room door, with either tape or a magnetically-attached holder. d. The tear-off tab with the combination record is placed in the envelope, sealed, properly marked with the classification level and stored by the security manager in another approved classified container. 4. Ensure forms SF 702, Security Container Check Sheet are properly completed for each safe, vault and secure room used to store classified DISN assets. Examples of what to look for follows. For the SF 702 form ensure: a. It provides a record of the names and times that persons have opened, closed or checked a particular container (safe, vault or secure room) that holds classified information. b. It is properly annotated to reflect each opening and closing of the container. c. It is properly annotated to reflect (at least) daily checks of ALL containers - whenever an area housing the containers is entered/occupied – EVEN IF THE CONTAINER IS NOT OPENED. If on weekends or holidays the area housing the container is not occupied the SF 702 would not require annotation; however, in the event the area is accessed for even a short period of time, the SF 702 forms for each container in the area should be annotated to reflect the container was checked. Annotation of the SF 702 forms should be conducted IN ADDITION TO the annotation of SF 701 forms reflecting end-of-day checks. 5. Ensure container repairs are conducted correctly IAW FED-STD-809. Details are at the DoD Lock Program WEB Portal for Drawer head Replacement. TACTICAL ENVIRONMENT: This check is applicable where safes, vaults or secure rooms are used to protect classified materials or systems. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-35163r3_fix

All safes, vaults and/or secure rooms containing SIPRNet assets must adhere to the following proper management practices: 1. Only GSA-approved security containers are utilized. GSA-approved security containers and vault doors must have a label indicating “General Services Administration Approved Security Container,” affixed to the front of the container, usually this is on the control or the top drawer of safes. 2. Combinations must be changed as required. This is recorded on the applicable SF 700 form and must be done: When placed in service, When someone with knowledge of the combination departs (unless other sufficient controls exist to prevent that individual’s access to the lock), When compromise of the combination is suspected, or When taken out of service built-in combination locks shall be reset to the standard combination of 50-25-50. 3. Standard Forms (SF) 700, Security Container Information and SF 702, Security Container Check Sheet must be completed properly. 4. Repairs must be conducted correctly IAW FED-STD-809. Details are at the DoD Lock Program WEB Portal for Drawer head Replacement.

Generate Mitigation Statement:

Checks: C-39999r6_chk

For secure rooms or areas (*containing inspectable SIPRNet assets) check: 1. That walls, floor, and roof construction of secure rooms are made of permanent construction materials; i.e., plaster, gypsum wallboard, metal panels, hardboard, wood, plywood, or other materials offering resistance to, and evidence of unauthorized entry into the area. Materials such as plywood must be attached in a manner so as not to enable easy removal of screws or nails to gain ingress and then replace upon egress. 2. The "True" ceiling shall be constructed of plaster, gypsum, wallboard material, hardware or any other acceptable material. TACTICAL ENVIRONMENT: This check is applicable where vaults or secure rooms are used to protect classified materials or systems. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-35166r3_fix

1. Secure rooms or areas (*containing inspectable SIPRNet assets) must have walls, floor, and roof construction made of permanent construction materials; i.e., plaster, gypsum wallboard, metal panels, hardboard, wood, plywood, or other materials offering resistance to, and evidence of unauthorized entry into the area. 2. Materials such as plywood must be attached in a manner so as not to enable easy removal of screws or nails to gain ingress and then replace upon egress. 3. The "True" ceiling shall be constructed of plaster, gypsum, wallboard material, hardware or any other acceptable material.

Generate Mitigation Statement:

Checks: C-40019r8_chk

BACKGROUND: In spite of all physical security defensive devices deployed, the possibility of an intrusion always exists. The highest fence can be scaled, the most dense wall can be breached and the stoutest lock can be compromised. Even highly sophisticated alarm systems can be contravened by a knowledgeable professional. It is therefore necessary to institute a system of checks to physically inspect secure perimeters to check for signs of attempted intrusions and ensure that structural integrity of the perimeter is maintained. This requirement is concerned with ensuring there is periodic visual validation of structural integrity of secure room/collateral classified open storage area perimeters containing SIPRNet assets and associated media. It ensures that any breach or attempted breach of the walls, true floors and true ceilings of a secure area (which are not readily visible) are discovered in a timely manner. In Check #1 there are 3 different situations covered and each requires a different level of physical/visual validation for structural integrity. Check #1. Check to ensure that structural integrity of secure rooms or spaces containing SIPRNet equipment is validated as follows: Situation #1 (No structural integrity checks required): If interior IDS (motion detection) is *properly employed (*directly covering all SIPRNet assets) within the secure room or collateral classified open storage space where classified SIPRNet assets are located AND under raised floor spaces (if applicable) AND above suspended ceiling spaces (if applicable), then no physical check for structural integrity is required. This is contingent upon the interior motion sensors being activated when the room is closed or unattended, and that the sensors work properly as determined by required checks of sensor functionality. Situation #2 (Monthly checks required): If motion sensors are properly employed ONLY within the secure room space where classified assets are located, then a visual check of spaces below raised floor, above suspended ceilings and anywhere else the perimeter of the secure area cannot be readily observed must be conducted on at least a monthly basis. The goal is to visually inspect all walls, true floor and true ceiling perimeters for signs of breach or attempted breach. Situation #3 (Weekly checks required): When random checks (not exceeding 4-hours) of secure rooms or open storage spaces are used in lieu of IDS then the checks specified in situation #2 for above suspended ceilings and below raised floors must be conducted at least weekly. The increased frequency of checks is due to the significant vulnerability of the SIPRNet assets to undetected attack from portions of the perimeter that cannot be readily observed. NOTE: Physical inspection of the perimeter walls, floor and ceiling can be greatly expedited and may be conducted without ladders or other equipment where there are no false/suspended ceilings and/or raised floors within or surrounding the secure room or area. Check #2. Check to ensure there are written procedures developed for the checks and that the checks are documented and maintained on file for a minimum of 90 days. Where discrepancies (holes in perimeter or other signs of successful or attempted access) are noted these checks will be maintained indefinitely or until an inquiry determines the cause of the discrepancy. TACTICAL ENVIRONMENT: This check is applicable where Secure Rooms are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-35188r5_fix

BACKGROUND: This fix is concerned with ensuring there is periodic visual validation of structural integrity of secure room/collateral classified open storage area perimeters containing SIPRNet assets and associated media. It ensures that any breach or attempted breach of the walls, true floors and true ceilings of a secure area (which are not readily visible) are discovered in a timely manner. In requirement #1 there are 3 different situations covered and each requires a different level of physical/visual validation for structural integrity. Requirement #1. Structural integrity of secure rooms or spaces containing SIPRNet equipment must be validated in each situation as follows: Situation #1 (No structural integrity checks required): If interior IDS (motion detection) is *properly employed (*directly covering all SIPRNet assets) within the secure room or collateral classified open storage space where classified SIPRNet assets are located AND under raised floor spaces (if applicable) AND above suspended ceiling spaces (if applicable), then no physical check for structural integrity is required. This is contingent upon the interior motion sensors being activated when the room is closed or unattended, and that the sensors work properly as determined by required checks of sensor functionality. Situation #2 (Monthly checks required): If motion sensors are properly employed ONLY within the secure room space where classified assets are located, then a visual check of spaces below raised floor, above suspended ceilings and anywhere else the perimeter of the secure area cannot be readily observed must be conducted on at least a monthly basis. The goal is to visually inspect all walls, true floor and true ceiling perimeters for signs of breach or attempted breach. Situation #3 (Weekly checks required): When random checks (not exceeding 4-hours) of secure rooms or open storage spaces are used in lieu of IDS then the checks specified in situation #2 for above suspended ceilings and below raised floors must be conducted at least weekly. The increased frequency of checks is due to the significant vulnerability of the SIPRNet assets to undetected attack from portions of the perimeter that cannot be readily observed. NOTE: Physical inspection of the perimeter walls, floor and ceiling can be greatly expedited and may be conducted without ladders or other equipment where there are no false/suspended ceilings and/or raised floors within or surrounding the secure room or area. Requirement #2. There must be written procedures developed for the checks and that the checks are documented and maintained on file for a minimum of 90 days. Where discrepancies (holes in perimeter or other signs of successful or attempted access) are noted these checks will be maintained indefinitely or until an inquiry determines the cause of the discrepancy.

Generate Mitigation Statement:

Checks: C-40042r3_chk

This check is concerned with verification of IDS functionality where IDS is used as a supplemental control for vaults or secure rooms/areas containing SIPRNet assets. Following are the required checks: Check #1. Checks of ALL individual alarm sensors (BMS, motion, glass break, etc.) will be conducted at least every 90 days. Check #2. Valid tests IAW best practices using government or industry standards and tools will be used to conduct the checks. Check #3. Written procedures will be developed for tests of each sensor type in use at a site. Check #4. Results of testing will be maintained on file for at least 180 days. TACTICAL ENVIRONMENT: This check is applicable where Vaults/Secure Rooms are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-35191r2_fix

Conduct verification of IDS functionality where IDS is used as a supplemental control for vaults or secure rooms/areas containing SIPRNet assets. Following are the required fixes: Fix #1. Ensure that checks of ALL individual alarm sensors (BMS, motion, glass break, etc.) are conducted at least every 90 days. Fix #2. Ensure that valid tests IAW best practices using government or industry standards and tools are used to conduct the checks. Fix #3. Ensure that written procedures are developed for tests of each sensor type in use at a site. Fix #4. Ensure that results of testing are maintained on file for at least 180 days.

Generate Mitigation Statement:

Checks: C-40048r2_chk

Check: Shunting or masking of any secure room IDS internal zone or sensor must be appropriately logged or recorded in the system archive. A shunted or masked internal zone or sensor must be displayed as such at the monitor station throughout the period the condition exists whenever there is a system (IDS) survey of zones or sensors. TACTICAL ENVIRONMENT: This check is applicable where Vaults/Secure Rooms are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-35203r2_fix

Shunting or masking of any secure room IDS internal zone or sensor must be appropriately logged or recorded in the system archive. A shunted or masked internal zone or sensor must be displayed as such at the monitor station throughout the period the condition exists whenever there is a system (IDS) survey of zones or sensors.

Generate Mitigation Statement:

Checks: C-40051r2_chk

Check that all alarm activations provide both a visual and audible indicators at the primary monitoring station. TACTICAL ENVIRONMENT: This check is applicable where Vaults/Secure Rooms are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-35207r2_fix

Ensure that all alarm activations provide both a visual and audible indicator at the primary monitoring station.

Generate Mitigation Statement:

Checks: C-40052r5_chk

Primary Power Checks: Check #1. Check to ensure primary power for all Intrusion Detection System (IDS) equipment and Access Control system (ACS) equipment is either commercial AC or DC power. Check #2. Check to ensure that in the event of commercial power failure at either the secure room/area or monitor station, the equipment changes power sources without causing an intrusion alarm indication. An Uninterrupted Power Supply (UPS) will be required for this to ocurr. Emergency (Backup) Power Checks: Check #1. Check to ensure that emergency power consists of a protected independent backup power source that provides a minimum of 8-hours operating battery and/or generator power. When batteries are used for emergency power, they shall be maintained at full charge by automatic charging circuits. The manufacturer's periodic maintenance schedule shall be followed and results documented. Check #2. Power Source and Failure Indication: Check to ensure that an illuminated indication exists at the Power Control Unit (PCU) of the power source in use (AC or DC). Check #3. Check to ensure equipment at the IDS/ACS monitor station indicates a failure in power source, a change in power source, and the location of the failure or change. TACTICAL ENVIRONMENT: This check is applicable where Vaults/Secure Rooms are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-35209r2_fix

Fixes - Primary Power: Fix #1. Ensure primary power for all Intrusion Detection System (IDS) equipment and Access Control system (ACS) equipment is either commercial AC or DC power. Fix #2. Ensure that in the event of commercial power failure at either the secure room/area or monitor station, the equipment changes power sources without causing an intrusion alarm indication. An Uninterrupted Power Supply (UPS) will be required for this to ocurr. Fixes - Emergency (Backup) Power: Fix #1. Ensure that emergency power consists of a protected independent backup power source that provides a minimum of 8-hours operating battery and/or generator power. When batteries are used for emergency power, they shall be maintained at full charge by automatic charging circuits. The manufacturer's periodic maintenance schedule shall be followed and results documented. Fix #2. Power Source and Failure Indication: Ensure that an illuminated indication exists at the Power Control Unit (PCU) of the power source in use (AC or DC). Fix #3. Ensure equipment at the IDS/ACS monitor station indicates a failure in power source, a change in power source, and the location of the failure or change.

Generate Mitigation Statement:

Checks:

Fix: F-35210r4_fix

Requirements Summary: Protection must be established and maintained for all component devices or equipment that constitute the entry/access control system (ACS) and/or the intrusion detection system (IDS) used to protect a vault, secure room or collateral classified open storage area, which contains SIPRNet assets. If access to a junction box or controller will enable an unauthorized modification, then alarmed tamper protection, which is normally provided by a pressure sensitive switch must be used. Fixes: 1. IDS/ACS components located both outside and inside the secure area must have tamper protection resulting in an alarm signal sent to the primary IDS Monitoring Station. Normally this is provided by a pressure sensitive switch, which automatically sends an alarm signal when the protective enclosure covering component equipment is opened. 2. ALL IDS/ACS ancillary equipment such as card readers, keypads, communication or interface devices for vaults, secure rooms, or collateral classified open storage areas containing SIPRNet assets must have tamper resistant enclosures and be securely fastened to the wall or other permanent structure. Control panels and ACS devices located within a Secret or TS Controlled Access Area (CAA) need only a minimal degree of physical security protection sufficient to preclude unauthorized access to the mechanism.

Generate Mitigation Statement:

Checks: C-40055r4_chk

Check to ensure that primary monitoring of alarms for secure rooms or spaces containing SIPRNet equipment is located outside of the protected space. It is allowable to monitor alarms within the protected space if this is only used for supplemental/secondary monitoring. Ideally alarms will be monitored from the same location that police/guards or other response forces are contacted and dispatched, although this is not required if there are procedures and means for the monitoring station personnel to notify security response forces in a timely manner. TACTICAL ENVIRONMENT: This check is applicable where Vaults/Secure Rooms are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-35212r1_fix

Ensure that primary monitoring of alarms for secure rooms or spaces containing SIPRNet equipment is located outside of the protected space.

Generate Mitigation Statement:

Checks: C-40276r3_chk

Requirements Summary: A procedure must be established for removal of an individual's authorization to enter the secure room area upon reassignment, transfer, or termination, or when the individual's access is suspended, revoked, or downgraded to a level lower than the former access level. Records shall be maintained reflecting active assignment of ID badge/card, PIN, level of access, and similar system-related records. Records concerning personnel removed from the system shall be retained for a minimum of 90 days. CHECKS: Check #1. Check to ensure that records relecting active assignment of ID badge/card, PIN, level of access, and similar system-related records are maintained. (CAT II) Check #2. Check to ensure there is a documented procedure for removal of persons from the Access Control System. (CAT III) Check #3. Check to ensure that records concerning personnel removed from the system are retained for a minimum of 90 days. (CAT III) TACTICAL ENVIRONMENT: This check is applicable where Vaults/Secure Rooms are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-35460r2_fix

1. Ensure there is a documented procedure for removal of persons from the Access Control System. 2. Ensure that records relecting active assignment of ID badge/card, PIN, level of access, and similar system-related records are maintained. 3. Ensure that records concerning personnel removed from the system are retained for a minimum of 90 days.

Generate Mitigation Statement:

Checks: C-40606r5_chk

Check to ensure Access Control Systems (ACS) protecting SIPRNet assets that use transmission lines to carry access authorizations, personal identification data, or verification data between devices or equipment, which are located outside at least a Secret Controlled Access Area (CAA) have line supervision and are physically protected within conduit. TACTICAL ENVIRONMENT: This check is applicable where Vaults/Secure Rooms are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-35835r3_fix

Ensure Access Control Systems (ACS) that use transmission lines to carry access authorizations, personal identification data, or verification data between devices or equipment, which are located outside at least a Secret Controlled Access Area (CAA) have line supervision and are physically protected within conduit.

Generate Mitigation Statement:

Checks: C-40607r5_chk

Vault/Secure Room Storage Standards - Access Control System (ACS) Door Locks Standards for Areas Containing SIPRNet Assets. Check to ensure the following configuration and control considerations are used according to the types of locking mechanisms being used, as specified in each check: Check #1. Electric Strikes and/or Magnetic Locking devices used in access control systems shall be heavy duty, industrial grade. Check #2. Backup batteries and/or emergency power generators should be connected to access control system (ACS) components; however, the total loss of power (primary and emergency) should also be planned for. Check #3. When used on secure rooms or areas protecting SIPRNet equipment, electric strikes on doors will be set to fail secure in the event of power disruption. Check #4. On the primary ingress/egress door to secure rooms (which contains the combination lock) the strike may be set to fail open to facilitate access to the room in emergencies only if the door is under continuous visual observation when the combination lock is not secure. In this instance the combination lock will be immediately secured and subsequently opened as required to allow access to the room. Check #5. As an alternative the strike on the primary access door (only those under continuous visual control) may be set to fail secure and configured to allow for opening of the strike lock with a key. Check #6. Keys for locks as discussed in check 5 will be strictly controlled, inventoried periodically and not issued to individuals for personal retention. Check #7. KEYS TO SECURE ROOMS WILL NOT BE REMOVED FROM THE SITE. Check #8. When Magnetic Locks (Mag locks) are used on primary access doors the total loss of ALL power (primary and backup) will cause the lock to fail open. Therefore doors with mag locks installed must be under continuous visual observation when the combination lock is open. Check #9. Where Mag locks are used on primary access doors and upon a total power failure - the combination lock will be immediately secured and subsequently opened as required to allow access to the room. Check #10. Secondary doors not used for access (emergency egress only) should use standard locking door latches rather than electric strikes or mag locks. Check #11. Access hardware on the side of the secondary door that is external to the room must be removed to prevent use of secondary doors for routine ingress. Check #12. In the event a mag lock or electric strike is used on a secondary door, the door must be configured to be locked during a power disruption. This can be accomplished with internal sliding deadbolt locks or lockable door latches. Electric strikes on secondary doors should be set to fail secure. Any secondary door secured with Mag Locks must be under CONTINUOUS visual observation when the interior deadbolt locks are not engaged. Deadbolt locks must not be engaged while the room is occupied - for life safety, but will be secured upon closing the secure room or area. TACTICAL ENVIRONMENT: This check is applicable where Secure Rooms are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-35846r2_fix

Vault/Secure Room Storage Standards - Access Control System (ACS) Door Locks. Ensure the following configuration and control considerations are used as appropriate for the type of locks being used in access control systems protecting SIPRNet assets: 1. Electric Strikes and/or Magnetic Locking devices used in access control systems shall be heavy duty, industrial grade. 2. Backup batteries and/or emergency power generators should be connected to access control system (ACS) components; however, the total loss of power should be planned for. 3. When used on secure rooms or areas protecting SIPRNet equipment, electric strikes on doors will be set to fail secure in the event of power disruption. 4. On the primary ingress/egress door to secure rooms (which contains the combination lock) the strike may be set to fail open to facilitate access to the room in emergencies only if the door is under continuous visual observation when the combination lock is not secure. In this instance the combination lock will be immediately secured and subsequently opened as required to allow access to the room. 5. As an alternative the strike on the primary access door (under continuous visual control) may be set to fail secure and configured to allow for opening of the strike lock with a key. 6. Keys for such locks will be strictly controlled, inventoried periodically and not issued to individuals for retention. 7. KEYS TO SECURE ROOMS WILL NOT BE REMOVED FROM THE SITE. 8. When Magnetic Locks (Mag locks) are used on primary access doors the total loss of ALL power (primary and backup) will cause the lock to fail open. Therefore doors with mag locks installed must be under continuous visual observation when the combination lock is open. 9. Where Mag locks are used on primary access doors and upon a total power failure - the combination lock will be immediately secured and subsequently opened as required to allow access to the room. 10. Secondary doors not used for access (emergency egress only) should use standard locking door latches rather than electric strikes or mag locks. 11. Access hardware on the side of the door that is external to the room must be removed to prevent use of secondary doors for routine ingress. 12. In the event a mag lock is used on a secondary door, the door must be configured to be locked during a power disruption. This can be accomplished with internal sliding deadbolt locks or supplemental door latches. Any secondary door secured with Mag Locks must be under CONTINUOUS visual observation when the interior deadbolt locks are not engaged. Deadbolt locks must not be engaged while the room is occupied - for life safety, but will be secured upon closing the secure room or area. Always be sure to coordinate door locking and emergency egress considerations with supporting facility risk management (fire/safety) personnel.

Generate Mitigation Statement:

Checks: C-40609r4_chk

Check to ensure ALL equipment/media/documents in the areas housing SIPRNet assets contain proper classification markings. In a classified operating environment, all unclassified items must be marked in addition to all classified items. For instance: In areas where any classified equipment such as servers, client workstations, printers, routers, crypto, etc. are being used - all classified equipment, media and documents must be properly marked with classification levels and handling caveats - AND ALL UNCLASSIFIED equipment (servers, client workstations, printers, routers, crypto, etc.), media and documents must also be properly marked as unclassified and with handling caveats such as FOUO, when appropriate. This total marking of all assets in a classified environment eliminates the assumption that anything not marked is unclassified. Hence, all equipment, media and documents within SCIFs, Vaults, Secure Rooms and classified Controlled Access Areas (CAA) must be marked with classification levels and handling caveats. TACTICAL ENVIRONMENT: This check is applicable in a tactical environment if classified documents or media are created/extracted from the SIPRNet. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used. All deployed SIPRNet equipment should already contain applicable classification markings/labels.

Fix: F-35848r3_fix

Ensure ALL equipment/media/documents in the areas housing SIPRNet assets contain proper classification markings. In a classified operating environment, all unclassified items must be marked in addition to all classified items. For instance: In areas where any classified equipment such as servers, client workstations, printers, routers, crypto, etc. are being used - all classified equipment, media and documents must be properly marked with classification levels and handling caveats - AND ALL UNCLASSIFIED equipment (servers, client workstations, printers, routers, crypto, etc.), media and documents must also be properly marked as unclassified and with handling caveats such as FOUO, when appropriate. This total marking of all assets in a classified environment eliminates the assumption that anything not marked is unclassified. Hence, all equipment, media and documents within SCIFs, Vaults, Secure Rooms and classified Controlled Access Areas (CAA) must be marked with classification levels and handling caveats.

Generate Mitigation Statement:

Checks: C-40634r3_chk

Organizations that process or store classified information must establish a system of security checks at the close of each duty and/or business day to ensure that any area where classified information is used or stored is secure. SF 701, “Activity Security Checklist,” shall be used to record such checks. An integral part of the security check system shall be the securing of all vaults, secure rooms, and containers used for storing classified material. SF 702, “Security Container Check Sheet,” shall be used to record each opening, closing, and verification checks of these storage mediums. Area verification checks will be recorded on the SF 701 upon completion of end-of-day checks. Recommended end-of-day checks, which should be included on the SF 701 are: a. Activation of Intrusion Detection System (IDS) alarm sensors where applicable. b. All classified material has been properly stored. c. Removal of CAC Cards from workstations. d. All windows, doors or other openings are properly secured. e. Verification of lock box closure for SIPRNet wall jacks and PDS lines, where applicable. f. Additional checks such as turning off of coffee pots and lights, power-off of printers/MFDs, securing of STE keys, etc. can be identified and accomplished as part of the check. g. The SF 701, Activity Security Checklist shall be used to record these checks, to include after hours, weekend and holiday activities. Results of end-of-day checks (SF 701 forms) should be retained for at least 30 days after completion of the monthly form (or otherwise as required by Component records management schedules) to ensure availability for audits and resolution of subsequent discovery of security incidents or discrepancies. TACTICAL ENVIRONMENT: This check is applicable in a fixed operational facility in a tactical environment if classified equipment is used or documents or media are created/extracted from the SIPRNet. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-35926r4_fix

Ensure that areas where classified information is processed or stored have an established system of security checks implemented at the close of each duty and/or business day to ensure that any area where classified information is used or stored is secure. SF 701, “Activity Security Checklist,” must be used to record these checks. In addition to the SF 701, the responsible site or organization should have a written procedure to outline the end-of-day check process and to guide checkers with their duties. For instance the procedure should include instructions on how to handle any classified information that is found outside of proper storage. An integral part of the security check system must incorporate the securing of all vaults, secure rooms, and containers used for storing classified material. SF 702, “Security Container Check Sheet,” must be used to record each opening, closing, and verification checks of these storage mediums. Area verification checks will be recorded on the SF 701 upon completion of end-of-day checks. Following are recommended end-of-day checks, which should be included on the SF 701, but ultimately the checks must be tailored to fit the physical configuration and mission of the site: a. Activation of Intrusion Detection System (IDS) alarm sensors where applicable. b. All classified material has been properly stored. c. Removal of CAC Cards from workstations. d. All windows, doors or other openings are properly secured. e. Verification of lock box closure for SIPRNet wall jacks and PDS lines, where applicable. f. Additional checks such as turning off of coffee pots and lights, power-off of printers/MFDs, securing of STE keys, etc. can be identified and accomplished as part of the check. g. The SF 701, Activity Security Checklist shall be used to record these checks, to include after hours, weekend and holiday activities. Results of end-of-day checks (SF 701 forms) should be retained for at least 30 days (or otherwise as required by Component records management schedules) after completion of the monthly form to ensure availability for audits and resolution of subsequent discovery of security incidents or discrepancies. While 24/7 operational areas storing classified materials do not necessarily require end-of-day (EOD) checks it is highly recommended that a system of checks be instituted (similar to EOD checks) upon each change of shift. Such checks jointly conducted by incoming and outgoing supervisors can be used to verify the integrity of safes and classified equipment/materials under their control and can be used to narrow the window of time for a preliminary inquiry should a security incident occur.

Generate Mitigation Statement:

Checks: C-40636r4_chk

General guidance: Paper copies, electronic files, and other material containing classified information shall be reproduced only when necessary for accomplishing the organizations mission or for complying with applicable statutes or Directives. Personnel reproducing classified information must be knowledgeable of the procedures for classified reproduction and aware of the risks involved with the specific reproduction equipment and media being used and the appropriate countermeasures they are required to take. Reproduced material is to be placed under the same accountability and control requirements as applied to the original material. Classified material is to be reproduced only on approved and when applicable, properly accredited systems. This check concerns ONLY reproduction and/or transfer of classified data using all forms of removable media on SIPRNet connected devices or systems. Check to ensure that US Cybercom Communications Tasking Order (CTO) 10-133 is being complied with as follows: 1. Ensure that the write capability for all possible removable media is disabled as a default setting on all SIPRNet connected machines. 2. Ensure that write settings are only allowed when specifically approved by using the HBSS Device Control Module (DCM). 3. Ensure the system DAA has specifically approved all persons authorized to transfer data from SIPRNet connected system components. 4. Ensure the IAM maintains a list of all persons authorized by the DAA to transfer data from the SIPRNet. 5. Ensure there are written procedures approved by the DAA for use of removable media on SIPRNet. NOTE: Coordination with Technical Reviewers may be required to determine all of the information outlined above. TACTICAL ENVIRONMENT: This check is applicable in a fixed operational facility in a tactical environment if classified equipment is used or documents or media are created/extracted from the SIPRNet. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-35930r1_fix

General guidance to consider: Paper copies, electronic files, and other material containing classified information shall be reproduced only when necessary for accomplishing the organizations mission or for complying with applicable statutes or Directives. Personnel reproducing classified information must be knowledgeable of the procedures for classified reproduction and aware of the risks involved with the specific reproduction equipment and media being used and the appropriate countermeasures they are required to take. Reproduced material is to be placed under the same accountability and control requirements as applied to the original material. Classified material is to be reproduced only on approved and when applicable, properly accredited systems. This check concerns ONLY reproduction and/or transfer of classified data using all forms of removable media on SIPRNet connected devices or systems. Ensure that US Cybercom Communications Tasking Order (CTO) 10-133 is being complied with as follows: 1. Ensure that the write capability for all possible removable media is disabled as a default setting on all SIPRNet connected machines. 2. Ensure that write settings are only allowed when specifically approved by using the HBSS Device Control Module (DCM). 3. Ensure the system DAA has specifically approved all persons authorized to transfer data from SIPRNet connected system components. 4. Ensure the IAM maintains a list of all persons authorized by the DAA to transfer data from the SIPRNet. 5. Ensure there are written procedures approved by the DAA for use of removable media on SIPRNet.

Generate Mitigation Statement:

Checks: C-40660r5_chk

Check to ensure there is equipment and/or plans for the destruction of classified or sensitive systems and media used by the site or organization. Lack of appropriate equipment to properly sanitize the classified media used or lack of plans for disposal and/or proper protection in transit will result in a finding. Checks: Check #1. If used by the site are hard drive and tape degaussers periodically tested and certified as required by the manufacturer? Check #2. Are appropriate wipe products available for classified systems or spillage incidents? Check #3. Is there an approved product (such as the Whitaker Brothers Inc. Datastroyer) on-hand to properly remove readable surfaces from optical media such as CDs or DVDs? Check #4. Is all obsolete classified equipment and media properly secured in a safe, vault or secure room until properly disposed of? (Note: This would be a CAT I finding under the appropriate "storage" vulnerability) Check #5. In the event the site has limited or no destruction equipment: Are there plans or arrangements to take classified material to NSA for proper disposal or another DoD organization who has destruction equipment and has agreed to provide support for destruction of classified? Check #6. Are there appropriate transportation and/or shipping arrangments to ensure the classified material is properly protected while in transit to the destruction facility? TACTICAL ENVIRONMENT: Applies in all environments whenever classified documents or materials are to be destroyed.

Fix: F-36053r4_fix

Ensure there is equipment and/or plans for the destruction of classified or sensitive systems and media used by the site or organization. Considerations: 1. If used by the site are hard drive and tape degaussers periodically tested and certified as required by the manufacturer? 2. Are appropriate wipe products available for classified systems or spillage incidents? 3. Is there an approved product (such as the Whitaker Brothers Inc. Datastroyer) on-hand to properly remove readable surfaces from optical media such as CDs or DVDs? 4. Is all obsolete classified equipment and media properly secured in a safe, vault or secure room until properly disposed of? 5. In the event the site has limited or no destruction equipment are there plans or arrangements to take classified material to NSA for proper disposal or another DoD organization who has destruction equipment and has agreed to provide support for destruction of classified? 6. Are there appropriate transportation and/or shipping arrangments to ensure the classified material is properly protected while in transit to the destruction facility?

Generate Mitigation Statement:

Checks: C-40662r4_chk

General Requirement: Plans shall be developed to protect, remove, or destroy classified material in case of fire, natural disaster, civil disturbance, terrorist activities, or enemy action, to minimize the risk of compromise, and for the recovery of classified information, if necessary, following such events. Checks: Check #1. Check to ensure there is local site documentation for the emergency, protection, removal, and destruction of classified material and equipment. (CAT II) Check #2. Also check to ensure that these instructions are readily available to the employee population. Such plans should be posted on or near safes, exits to vaults and secure rooms or at any location where classified materials are stored. (CAT III) TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments where procedural documents (SOPs) should be in place. Not applicable to a field/mobile environment.

Fix: F-36073r2_fix

General Requirement: Plans shall be developed to protect, remove, or destroy classified material in case of fire, natural disaster, civil disturbance, terrorist activities, or enemy action, to minimize the risk of compromise, and for the recovery of classified information, if necessary, following such events. Ensure there is local site documentation for the emergency, protection, removal, and destruction of classified material and equipment. Also ensure that these instructions are readily available to the employee population. Such plans should be posted on or near safes, exits to vaults and secure rooms or at any location where classified materials are stored.

Generate Mitigation Statement:

Checks: C-40663r4_chk

General requirement: Anyone finding classified information out of proper control shall, if possible, take custody of and safeguard the material and immediately notify the appropriate security authorities. Secure communications should be used for notification whenever possible. Every civilian employee and Active, Reserve, and National Guard Military member of the Department of Defense, and every DoD contractor or employee of a contractor working with classified material, as provided by the terms of the contract, who becomes aware of the loss or potential compromise of classified information shall immediately report it to the head of his or her local activity and to the activity security manager. Prompt reporting of security incidents ensures incidents are properly investigated and necessary actions are taken to negate or minimize the adverse effects of an actual loss or unauthorized disclosure of classified information and to preclude recurrence through a properly tailored, and up-to-date security education and awareness program. In cases where compromise has been ruled out and there is no adverse effect on national security, a common sense approach to the early resolution of an incident at the lowest appropriate level is encouraged. All security incidents involving classified information shall involve a security inquiry, a security investigation, or both. Reviewer Checks: Check #1. Check to ensure the site or organization has written procedures on reporting possible security incidents. Check #2. Check to ensure personnel within the organization have training to be able to know when to report a possible security incident and who to report it to. Check #3. Check to ensure employees know what to do when discovering classified material unsecure or out of proper control. Ask random employees if they know what to do if they discover a security incident? TACTICAL ENVIRONMENT: Classified material that is discovered not properly secured must immediatly be secured and the incident reported - regardless of environment.

Fix: F-36074r1_fix

General requirement: Anyone finding classified information out of proper control shall, if possible, take custody of and safeguard the material and immediately notify the appropriate security authorities. Secure communications should be used for notification whenever possible. Every civilian employee and Active, Reserve, and National Guard Military member of the Department of Defense, and every DoD contractor or employee of a contractor working with classified material, as provided by the terms of the contract, who becomes aware of the loss or potential compromise of classified information shall immediately report it to the head of his or her local activity and to the activity security manager. Prompt reporting of security incidents ensures incidents are properly investigated and necessary actions are taken to negate or minimize the adverse effects of an actual loss or unauthorized disclosure of classified information and to preclude recurrence through a properly tailored, and up-to-date security education and awareness program. In cases where compromise has been ruled out and there is no adverse effect on national security, a common sense approach to the early resolution of an incident at the lowest appropriate level is encouraged. All security incidents involving classified information shall involve a security inquiry, a security investigation, or both. Fixes: 1. Ensure the site or organization has written procedures on reporting possible security incidents. 2. Ensure personnel within the organization have training to be able to know when to report a possible security incident and who to report it to. 3. Ensure employees know what to do when discovering classified material unsecure or out of proper control. Verify by asking random employees if they know what to do if they discover a security incident.

Generate Mitigation Statement:

Checks: C-40669r4_chk

Check to ensure the site has all Classification Guides for the systems and programs they are responsible for and/or which are applicable to their operations. Further, such classification guides and training on the use of them should be made available to employees working with the equipment or systems to which they apply. At a minimum if a site has SIPRNet connections they should have a copy of the SIPRNet Security Classification Guide. TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments where procedural documents (SOPs) should be in place. Not applicable to a field/mobile environ

Fix: F-36079r1_fix

Ensure the site has all Classification Guides for the programs and systems they are responsible for and/or which are applicable to their operations. Further, such classification guides and training on the use of them should be made available to employees working with the equipment or systems to which they apply. At a minimum if a site has SIPRNet connections they should have a copy of the SIPRNet Security Classification Guide.

Generate Mitigation Statement:

Checks: C-40677r2_chk

General Policy Guidance: At a minimum, DoD civilians, military members and on-site support contractors with access to CUI shall receive both initial and annual refresher training that reinforces the policies, principles, and procedures covered in CUI policy. Refresher training shall also address the threat and the techniques foreign intelligence activities use while attempting to obtain controlled unclassified DoD information and advise personnel of penalties for unauthorized disclosures. The importance of unclassified information, its potential sensitivity, and the requirement to have all information reviewed and approved for release prior to public disclosure or Web posting shall be reiterated. Refresher training shall also address relevant changes in CUI policy or procedures and issues or concerns identified during DoD Component oversight reviews. Checks: Check #1. Reviewers must check for an initial orientation on handling of CUI during new employee inprocessing Check #2. Check that Annual Refresher training includes the topic of CUI as provided in the general policy guidance. Check a sample number of individual training records and Annual Training briefing slides/materials for evidence of CUI training. Lack of either intitial orientation or refresher training or both is a finding. TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments where training and associated documentation should be in place. Not applicable to a field/mobile environment.

Fix: F-36088r1_fix

General Policy Guidance: At a minimum, DoD civilians, military members and on-site support contractors with access to CUI shall receive both initial and annual refresher training that reinforces the policies, principles, and procedures covered in CUI policy. Refresher training shall also address the threat and the techniques foreign intelligence activities use while attempting to obtain controlled unclassified DoD information and advise personnel of penalties for unauthorized disclosures. The importance of unclassified information, its potential sensitivity, and the requirement to have all information reviewed and approved for release prior to public disclosure or Web posting shall be reiterated. Refresher training shall also address relevant changes in CUI policy or procedures and issues or concerns identified during DoD Component oversight reviews. Fix: Ensure an initial orientation on handling of CUI is included during new employee inprocessing and that Annual Refresher training includes the topic of CUI as provided in the general policy guidance. Ensure that all initial and refresher training is documented.

Generate Mitigation Statement:

Checks: C-40687r11_chk

Check to ensure compliance with appropriate methods for disposal of the following: 1. Unclassified Hard Drives: a. When no longer needed, unclassified computer systems and hard drives may be disposed of outside the Department of Defense. In some circumstances, the equipment may be provided to non-government entities for reutilization. To ensure that no data or information remains on operable unclassified hard drives that are transferred or permanently removed from DoD custody, the drives must be sanitized by overwriting. b. Where overwriting is inappropriate or cannot be completely accomplished (e.g., inoperable disk) the drives are to be totally removed from service (i.e., thrown away). In this case the drives must be physically destroyed before disposal. c. The specific methods and procedures differ depending on sensitivity of data and ownership of the hard drive. To ensure DoD information is not inadvertently disclosed to unauthorized individuals, the activity security manager should coordinate with the local DAA and/or IT staff to ensure local procedures for disposal of computer hard drives appropriately address removal of U.S. Government data prior to disposal. (See Assistant Secretary of Defense for Command, Control, Communications and Intelligence Memorandum, Disposition of Unclassified DoD Computer Hard Drives, June 4, 2001 for detailed guidance.) Generally the use of Hard Drive degaussers with an appropriate strength (Coercivity of magnetic field) for the drive being erased (Oestrid rating) is recommended as part of the requirement for physical destruction. After degaussing the hard drive the physical destruction of individual platters should be accomplished to make attempted data retrieval impractical. 2. Unclassified Automated Information System (AIS) Media: a. Various types of AIS media may contain CUI and must be disposed of in accordance with guidance in the NIST Special Publication 800-88, Guidelines for Media Sanitization. b. NSA/CSS publishes lists of products that meet specific performance criteria for sanitizing, destroying or disposing of various types of media containing sensitive or classified information. The lists are available at http://www.nsa.gov/ia/guidance/media_destruction_guidance/index.shtml or by calling (410)854-6358. 3. Unclassified documents: a. Record copies of FOUO documents shall be disposed of in accordance with the Federal Records Act (44 U.S.C. 33 and Component records management directives. b. Non-record FOUO documents may be destroyed by shredding or tearing into pieces and discarding the pieces in regular trash containers. c. NOTE: The guidance provided here is for FOUO paper documents and this is the least stringent standard found for any CUI document destruction. There are other types of CUI, such as DEA Sensitive material, which must be destroyed by a means approved for destruction of Confidential material. Be certain to check DoD Manual 5200.01 for specific destruction requirements for each type of CUI document. 4. Additional reviewer checks and considerations: a. Check recycle bins, regular trash, and the availability of shredders or collection containers for sensitive material. Ensure the organization knows who gets the recycling (especially if it contains CUI) and that it is disposed of properly (for instance by shredding). NOTE: If you find (ie. in the trash) and can easily reconstruct any document marked FOUO (or other CUI document) and it contains extremely sensitive information such as PII (with SSN, etc) - this should be made a finding. b. In all cases the reviewer should recommend using at least a cross cut shredder for destruction of CUI documents. Further, while a shred-all policy is not required, this is another recommendation that should be made. TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments where training and associated documentation should be in place. Not applicable to a field/mobile environment.

Fix: F-36106r3_fix

Ensure compliance with appropriate methods for disposal of the following: 1. Unclassified Hard Drives: a. When no longer needed, unclassified computer systems and hard drives may be disposed of outside the Department of Defense. In some circumstances, the equipment may be provided to non-government entities for reutilization. To ensure that no data or information remains on operable unclassified hard drives that are transferred or permanently removed from DoD custody, the drives must be sanitized by overwriting. b. Where overwriting is inappropriate or cannot be completely accomplished (e.g., inoperable disk) the drives are to be totally removed from service (i.e., thrown away). In this case the drives must be physically destroyed before disposal. c. The specific methods and procedures differ depending on sensitivity of data and ownership of the hard drive. To ensure DoD information is not inadvertently disclosed to unauthorized individuals, the activity security manager should coordinate with the local DAA and/or IT staff to ensure local procedures for disposal of computer hard drives appropriately address removal of U.S. Government data prior to disposal. (See Assistant Secretary of Defense for Command, Control, Communications and Intelligence Memorandum, Disposition of Unclassified DoD Computer Hard Drives, June 4, 2001 for detailed guidance.) Generally the use of Hard Drive degaussers with an appropriate strength (Coercivity of magnetic field) for the drive being erased (Oestrid rating) is recommended as part of the requirement for physical destruction. After degaussing the hard drive the physical destruction of individual platters should be accomplished to make attempted data retrieval impractical. 2. Unclassified Automated Information System (AIS) Media: a. Various types of AIS media may contain CUI and must be disposed of in accordance with guidance in the NIST Special Publication 800-88, Guidelines for Media Sanitization. b. NSA/CSS publishes lists of products that meet specific performance criteria for sanitizing, destroying or disposing of various types of media containing sensitive or classified information. The lists are available at http://www.nsa.gov/ia/guidance/media_destruction_guidance/index.shtml or by calling (410)854-6358. 3. Unclassified documents: a. Record copies of FOUO documents shall be disposed of in accordance with the Federal Records Act (44 U.S.C. 33 and Component records management directives. b. Non-record FOUO documents may be destroyed by shredding or tearing into pieces and discarding the pieces in regular trash containers. c. NOTE: The guidance provided here is for FOUO paper documents and this is the least stringent standard found for any CUI document destruction. There are other types of CUI, such as DEA Sensitive material, which must be destroyed by a means approved for destruction of Confidential material. Be certain to check DoD Manual 5200.01 for specific destruction requirements for each type of CUI document. 4. Additional considerations: a. Periodically inspect recycle bins, regular trash, and the availability of shredders or collection containers for sensitive material. Ensure it is known who gets the recycling (especially if it contains CUI) and that it is disposed of properly. NOTE: If you find (ie. in the trash) and can easily reconstruct any document marked FOUO (or other CUI document) and it contains extremely sensitive information such as PII (with SSN, etc) - this should be investigated and corrective actions taken immediately. b. While not required it is highly recommended using at least a cross cut shredder for destruction of CUI documents. Further, while a shred-all policy is also not required, this is another strong recommendation.

Generate Mitigation Statement:

Checks: C-40771r5_chk

General Guidance: Standards of protection for most types of CUI are the same as for FOUO but some variance does exist. Therefore, specific requirements for certain CUI may need to be checked against applicable references to ensure proper protection is afforded. The checks are applicable to all forms of CUI: documents, AIS hard drives and storage media. Checks: For most CUI and FOUO specifically check to ensure the following standards are met: Check #1. During working hours, reasonable steps shall be taken to minimize the risk of access by unauthorized personnel. This would include things like placing cover sheets on FOUO documents and allowing unescorted access to areas where CUI (documents and AIS storage media) is processed/handled to only those persons with at least a favorably adjudicated National Agency Check (NAC). Check #2. After working hours, FOUO information (documents and removable media) may be stored in unlocked containers, desks, or cabinets if Government or Government-contract building security is provided. If such building security is not provided or is deemed inadequate, the information (documents and removable media) shall be stored in locked desks, file cabinets, bookcases, locked rooms, etc. In all cases FOUO and other CUI documents must be placed out of sight during non-working hours. While not required, recommending implementation of a clean desk policy would be appropriate. Check #3. Unescorted access to computer rooms or areas containing major items of AIS equipment processing CUI information (servers and network components) should only be granted to persons with at least a favorable NAC. All others should be physically escorted. Access control measures such as reception personnel, guards, keyed locks, cipher locks or automted access control systems may be used to control access to such areas. TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments where procedural documents (SOPs) should be in place. Not applicable to a field/mobile environment.

Fix: F-36186r4_fix

General Guidance: Standards of protection for most types of CUI are the same as for FOUO but some variance does exist. Therefore, specific requirements for certain CUI may need to be checked against applicable references to ensure proper protection is afforded. The fixes are applicable to all forms of CUI: documents, AIS hard drives and storage media. Fixes applicable for FOUO: For most CUI and FOUO specifically ensure the following standards are met: 1. During working hours, reasonable steps shall be taken to minimize the risk of access by unauthorized personnel. This would include things like placing cover sheets on FOUO documents and allowing unescorted access to areas where CUI (documents and AIS storage media) is processed/handled to only those persons with at least a favorably adjudicated National Agency CHeck (NAC). 2. After working hours, FOUO information (documents and AIS storage media) may be stored in unlocked containers, desks, or cabinets if Government or Government-contract building security is provided. If such building security is not provided or is deemed inadequate, the information (documents and AIS storage media) shall be stored in locked desks, file cabinets, bookcases, locked rooms, etc. In all cases FOUO and other CUI must be placed out of sight during non-working hours. While not required, implementation of a clean desk policy would be a good idea. 3. Unescorted access to computer rooms or areas containing major items of AIS equipment processing CUI information (servers and network components) should only be granted to persons with at least a favorable NAC. All others should be physically escorted. Access control measures such as reception personnel, guards, keyed locks, cipher locks or automted access control systems may be used to control access to such areas.

Generate Mitigation Statement:

Checks: C-40774r3_chk

Check to ensure the following standards concerning encryption of data-at-rest are met: In accordance with DoD policy, all unclassified DoD data that has not been approved for public release and is stored on mobile computing devices or removable storage media must be encrypted using commercially available encryption technology. This requirement includes all CUI as well as other unclassified information that has not been reviewed and approved for public release. This includes certain Personally Identifiable Information (PII). See ASD(NII) Memorandum, Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage Media, 3 Jul 07 for detailed guidance. TACTICAL ENVIRONMENT: The check is applicable for all tactical processing environments.

Fix: F-36188r1_fix

Ensure the following standards concerning encryption of data-at-rest are met: In accordance with DoD policy, all unclassified DoD data that has not been approved for public release and is stored on mobile computing devices or removable storage media must be encrypted using commercially available encryption technology. This requirement includes all CUI as well as other unclassified information that has not been reviewed and approved for public release. This includes certain Personally Identifiable Information (PII). See ASD(NII) Memorandum, Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage Media, 3 Jul 07 for detailed guidance.

Generate Mitigation Statement:

Checks: C-40775r6_chk

General Information: Standards for transmission for most types of CUI are the same as for FOUO but some variance does exist. Therefore, specific requirements for certain CUI may need to be checked against applicable references to ensure proper means for transmission are used. For most CUI and FOUO specifically check to ensure the following standards are met: 1. FOUO information and material may be transmitted via first class mail, parcel post, or, for bulk shipments, via fourth class mail. 2. Electronic transmission of FOUO information, e.g., e-mail, shall be by approved secure communications systems or systems utilizing other protective measures such as Public Key Infrastructure (PKI) or transport layer security (e.g., https). 3. Use of wireless telephones (cell phones, wireless hand held phones, bluetooth, etc.) should be avoided when other options are available. 4. Transmission of FOUO by facsimile machine (fax) is permitted; the sender is responsible for determining that appropriate protection will be available at the receiving location prior to transmission (e.g., machine attended by a person authorized to receive FOUO; fax located in a controlled government environment). TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments. Not applicable to a field/mobile environment.

Fix: F-36189r2_fix

General Information: Standards for transmission for most types of CUI are the same as for FOUO but some variance does exist. Therefore, specific requirements for certain CUI may need to be checked against applicable references to ensure proper means for transmission are used. For most CUI and FOUO specifically ensure the following standards are met: 1. FOUO information and material may be transmitted via first class mail, parcel post, or, for bulk shipments, via fourth class mail. 2. Electronic transmission of FOUO information, e.g., e-mail, shall be by approved secure communications systems or systems utilizing other protective measures such as Public Key Infrastructure (PKI) or transport layer security (e.g., https). 3. Use of wireless telephones (cell phones, wireless hand held phones, bluetooth, etc.) should be avoided when other options are available. 4. Transmission of FOUO by facsimile machine (fax) is permitted; the sender is responsible for determining that appropriate protection will be available at the receiving location prior to transmission (e.g., machine attended by a person authorized to receive FOUO; fax located in a controlled government environment).

Generate Mitigation Statement:

Checks: C-40776r4_chk

Check to ensure the following standards/guidance are adhered to: 1. FOUO, PII and other CUI may NOT be posted to publicly-accessible Internet sites and may NOT be posted to sites whose access is controlled only by domain (e.g., limited to .mil and/or .gov) as such restricted access can easily be circumvented. 2. At a minimum, posting CUI to a website requires certificate-based (e.g., common access card) or password and ID access as well as encrypted transmission using https: or similar technology. CUI other than FOUO may have additional posting restrictions. 3. See Deputy Secretary of Defense Memorandum Web Site Administration, December 7, 1998, with attached Web Site Administration Policies and Procedures, November 25, 1998 for detailed guidance. TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments where procedural documents (SOPs) should be in place. Not applicable to a field/mobile environment.

Fix: F-36190r2_fix

Ensure the following standards/guidance are adhered to: 1. FOUO, PII and other CUI may NOT be posted to publicly-accessible Internet sites and may NOT be posted to sites whose access is controlled only by domain (e.g., limited to .mil and/or .gov) as such restricted access can easily be circumvented. 2. At a minimum, posting CUI to a website requires certificate-based (e.g., common access card) or password and ID access as well as encrypted transmission using https: or similar technology. CUI other than FOUO may have additional posting restrictions. 3. See Deputy Secretary of Defense Memorandum Web Site Administration, December 7, 1998, with attached Web Site Administration Policies and Procedures, November 25, 1998 for detailed guidance.

Generate Mitigation Statement:

Checks: C-40791r6_chk

Background Information: All positions (military and civilian) must be categorized as either nonsensitive, noncritical-sensitive, or critical-sensitive based on security clearance and/or ADP (AKA: IT) position requirements. The type of background investigation (eg, SSBI, NACI) applicable to the position is based upon the designated position sensitivity. While Contractor personnel are not assigned to positions within DoD organizations, the type of investigation and security clearance requirements for each type or category of work must be detailed in the applicable Statement of Work and/or DD Form 254 (Contract Security Specification). Users of DoD Information Systems (IS) are either privileged users (e.g., system administrators) or general users (e.g., non-IS associated system users). Checks: Check #1. Review organizational manning records that indicate the position sensitivity of all employees and randomly select/review positions for the correct Information Technology (IT) sensitivity level (AKA: Automated Data Processing (ADP) sensitivity level) and security clearance requirement. *Ensure that the position sensitivity level is correct based on the clearance and IT level. Check #2. For general users (non-privileged access) of information systems: Check to ensure they meet the minimum standards, criteria, and guidelines for access to controlled unclassified and classified information, as follows: a. Prior to being granted access to the NIPRNET, U.S. military, government civilian, and contractor personnel must minimally have a favorably completed NAC and a Common Access Card (CAC) with PKI Certificates issued. For government civilians a NAC plus Written Inquiries (NACI) must have been requested. b. At a minimum prior to being granted access to the SIPRNET, U.S. military, government civilian, and contractor personnel must have a favorably completed NAC and have been granted an interim SECRET clearance. c. Foreign nationals must meet standards, criteria, and guidelines for access to controlled unclassified and classified information IAW DoD Manual 5200.01, DoD 5200.2-R, CJCSI 6510.01F and National Disclosure Policy. Check #3. For privileged users (eg, SA, IAO, NSO): Check to ensure that privileged users if military or government civilian are in critical sensitive positions and have a successfully adjudicated SSBI with 5-year periodic reviews. Contractors performing work in priviledged IS roles must also undergo sucessful SSBIs with 5-year reviews. Privileged users must undergo an SSBI regardless of of the security clearance level required (eg, even if no clearance or only Confidential or Secret is required). Foreign Nationals or Local Nationals employed by DoD ARE NOT AUTHORIZED to have (IT-I) privileged access to US Information Systems. TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments and is also applicable to a field/mobile environment.

Fix: F-36255r3_fix

Background Information: All positions (military and civilian) must be categorized as either nonsensitive, noncritical-sensitive, or critical-sensitive based on security clearance and/or ADP (AKA: IT) position requirements. The type of background investigation (eg, SSBI, NACI) applicable to the position is based upon the designated position sensitivity. While Contractor personnel are not assigned to positions within DoD organizations, the type of investigation and security clearance requirements for each type or category of work must be detailed in the applicable Statement of Work and/or DD Form 254 (Contract Security Specification). Users of DoD Information Systems (IS) are either privileged users (e.g., system administrators) or general users (e.g., non-IS associated system users). Fixes: Fix #1. Review organizational manning records that indicate the position sensitivity of all employees and review all positions for the correct Information Technology (IT) sensitivity level (AKA: Automated Data Processing (ADP) sensitivity level) and security clearance requirement. *Ensure that the position sensitivity level is correct based on the clearance and IT level. Fix #2. For general users (non-privileged access) of information systems: Ensure they meet the minimum standards, criteria, and guidelines for access to controlled unclassified and classified information, as follows: a. Prior to being granted access to the NIPRNET, U.S. military, government civilian, and contractor personnel must minimally have a favorably completed NAC and a Common Access Card (CAC) with PKI Certificates issued. For government civilians a NAC plus Written Inquiries (NACI) must have been requested. b. At a minimum prior to being granted access to the SIPRNET, U.S. military, government civilian, and contractor personnel must have a favorably completed NAC and have been granted an interim SECRET clearance. c. Foreign nationals must meet standards, criteria, and guidelines for access to controlled unclassified and classified information IAW DoD Manual 5200.01, DoD 5200.2-R, CJCSI 6510.01F and National Disclosure Policy. Fix #3. For privileged users (eg, SA, IAO, NSO): Ensure that privileged users if military or government civilian are in critical sensitive positions and have a successfully adjudicated SSBI with 5-year periodic reviews. Contractors performing work in priviledged IS roles must also undergo sucessful SSBIs with 5-year reviews. Privileged users must undergo an SSBI regardless of of the security clearance level required (eg, even if no clearance or only Confidential or Secret is required). Foreign Nationals or Local Nationals employed by DoD ARE NOT AUTHORIZED to have (IT-I) privileged access to US Information Systems.

Generate Mitigation Statement:

Checks: C-40792r8_chk

Background Information: When checking how an organization validates security clearance information for systems access the first thing to consider is there are various categories of personnel and associated considerations with each one. These categories include: Military employees, Government Civilian employees, Contract employees, Foreign Nationals and Local National employees under a Status of Forces (SOFA) agreement and Visitors. Ask what procedures are used for verifying that all personnel that have access to classified information systems have the appropriate security clearance and access authorization. Generally, organizations validation of clearance levels should come from JPAS, DCII, a service or agency data base or higher security office. Also note that organization manning documents should include the required clearance level for each Military and Civilian position and should be requested for review. Checks: Check #1. Review a sample of the organization personnel security records and compare with applicable System Access Authorization Request forms to ensure proper validation of clearance levels. Because it is generally not feasible to review all records it recommended to select where possible ALL those who have "privileged" systems access (such as SAs, IAOs, Network Admin, etc.) and supplement with a random sample of those with basic "user" access to systems. Check #2. If there are contract employees with systems access - check to ensure there is a Statement of Work with accompanying DD 254 ("Classified" Contract Security Specification) that covers security clearance requirements for each type of work being performed by contractors. Check #3. Check that a delegation of disclosure authority letter (DDL) is on-hand in all cases where US Classified information is released/shared with Foreign National Exchange or Liaison personnel. Check #4. Check to ensure that a Limited Access Authorization (LAA) is on hand when system access to classified information is granted to an immigrant alien or a foreign national - not associated with or representing a foreign government. TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments and is also applicable to a field/mobile environment.

Fix: F-36256r4_fix

Background Information: When checking how an organization validates security clearance information for systems access the first thing to consider is there are various categories of personnel and associated considerations with each one. These categories include: Military employees, Government Civilian employees, Contract employees, Foreign Nationals and Local National employees under a Status of Forces (SOFA) agreement and Visitors. Ask what procedures are used for verifying that all personnel that have access to classified information systems have the appropriate security clearance and access authorization. Generally, organizations validation of clearance levels should come from JPAS, DCII, a service or agency data base or higher security office. Also note that organization manning documents should include the required clearance level for each Military and Civilian position and should be requested for review. Fixes: 1. Review all the organization personnel security records and compare with applicable System Access Authorization Request forms to ensure proper validation of clearance levels. Be especially aware of ALL those who have "privileged" systems access (such as SAs, IAOs, Network Admin, etc.) and ensure that correct clearance and IT assurance level have been granted. 2. If there are contract employees with systems access ensure there is a Statement of Work with accompanying DD 254 (Contract Security Specification) that covers security clearance requirements for each type of work being performed by contractors. 3. Ensure that a delegation of disclosure authority letter (DDL) is on-hand in all cases where US Classified information is released/shared with Foreign National Exchange or Liaison personnel. 4. Ensure that a Limited Access Authorization (LAA) is on hand when system access to classified information is granted to an immigrant alien or a foreign national - not associated with or representing a foreign government.

Generate Mitigation Statement:

Checks: C-40820r8_chk

Checks: Check #1. Request to see and ensure that organization manning documents (eg., JTD) and position descriptions for Military and Government Civilians and the statement of work and/or DD 254 (Contract Security Specification) for Contractors – are available for identification of current ADP (AKA: IT position) designations. Check #2. Check to ensure that IT position (AKA: ADP) designations are assigned to each civilian and military position or contractor employee duties contained in statements of work in which an employee has duties requiring access to a Government Information System (IS). * In most cases this will encompass 100% of all employees. NOTE 1: Personnel Occupying Information Systems Positions Designated ADP-I, ADP-II and ADP-III. DoD military, civilian personnel, consultants, and contractor personnel performing on unclassified automated information systems may be assigned to one of three position sensitivity designations (in accordance with Appendix 10 of DoD 5200.2-R, Personnel Security Program) and MINIMALLY investigated as follows: ADP-I (AKA: IT-1): SSBI/SBPR/PPR ADP-II (AKA: IT-2): ANACI /NACI /NACLC/ S-PR ADP-III (AKA: IT-3): NAC/ENTNAC Those personnel falling in the above ADP categories who also require access to classified information will, of course, be subject to the appropriate investigative scope for the level of security clearance required. The investigative scope for clearances may exceed but not be less than that required for the designated ADP level. Check #3. Check to ensure that employees or any persons with Privileged Access (eg.,SA, NSO or IAO) to Information Systems (IS) are in positions identified as ADP I (AKA: IT I) and that a current (5-year PR) or successfully adjudicated SSBI is on file for each incumbent of such positions. NOTE 2: Privileged access typically provides access to the following system controls IAW Change 3, APPENDIX 1 of the DoD 8570.01-M: - Access to the control functions of the information system/network, administration of user accounts, etc. - Access to change control parameters (e.g., routing tables, path priorities, addresses) of routers, multiplexers, and other key information system/network equipment or software. - Ability and authority to control and change program files, and other users’ access to data. - Direct access to operating system level functions (also called unmediated access) that would permit system controls to be bypassed or changed. - Access and authority for installing, configuring, monitoring, or troubleshooting the security monitoring functions of information systems/networks (e.g., network/system analyzers; intrusion detection software; firewalls) or in performance of cyber/network defense operations. NOTE 3: Certain employees with very limited AND "supervised" privileged access on IS may be in positions designated as IT II and all basic system users should be in positions designated as IT III. NOTE 4: All designated IA Positions IAW DoD 8570.01-M (IAT Levels I-III or IAM Levels I-III) must be checked, time permitting. Random checks of all other site personnel records should be made. TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments and is also applicable to a field/mobile environment.

Fix: F-36294r2_fix

Fixes: Ensure that organization manning documents (eg., JTD) and position descriptions for Military and Government Civilians and the statement of work and/or DD 254 (Contract Security Specification) for Contractors – are available for identification of current ADP (AKA: IT position) designations. Ensure that IT position (AKA: ADP) designations are assigned to each civilian and military position or contractor employee duties contained in statements of work in which an employee has duties requiring access to a Government Information System (IS). * In most cases this will encompass 100% of all employees. NOTE 1: Personnel Occupying Information Systems Positions Designated ADP-I, ADP-II and ADP-III. DoD military, civilian personnel, consultants, and contractor personnel performing on unclassified automated information systems may be assigned to one of three position sensitivity designations (in accordance with Appendix 10 of DoD 5200.2-R, Personnel Security Program) and MINIMALLY investigated as follows: ADP-I (AKA: IT-1): SSBI/SBPR/PPR ADP-II (AKA: IT-2): ANACI /NACI /NACLC/ S-PR ADP-III (AKA: IT-3): NAC/ENTNAC Those personnel falling in the above ADP categories who also require access to classified information will, of course, be subject to the appropriate investigative scope for the level of security clearance required. The investigative scope for clearances may exceed but not be less than that required for the designated ADP level. Ensure that employees or any persons with Privileged Access (eg.,SA, NSO or IAO) to Information Systems (IS) are in positions identified as ADP I (AKA: IT I) and that a current (5-year PR) or successfully adjudicated SSBI is on file for each incumbent of such positions. NOTE 2: Privileged access typically provides access to the following system controls IAW Change 3, APPENDIX 1 of the DoD 8570.01-M: - Access to the control functions of the information system/network, administration of user accounts, etc. - Access to change control parameters (e.g., routing tables, path priorities, addresses) of routers, multiplexers, and other key information system/network equipment or software. - Ability and authority to control and change program files, and other users’ access to data. - Direct access to operating system level functions (also called unmediated access) that would permit system controls to be bypassed or changed. - Access and authority for installing, configuring, monitoring, or troubleshooting the security monitoring functions of information systems/networks (e.g., network/system analyzers; intrusion detection software; firewalls) or in performance of cyber/network defense operations. NOTE 3: Certain employees with very limited AND supervised privileged access on IS may be in positions designated as IT II and all basic system users should be in positions designated as IT III.

Generate Mitigation Statement:

Checks: C-40839r2_chk

Check site personnel records against JPAS and as applicable any local PERSEC Data Base or equivalent for completion of appropriate level of investigation based on clearance/IT position designations. NOTE 1: Personnel Occupying Information Systems Positions Designated ADP-I, ADP-II and ADP-III. DoD military, civilian personnel, consultants, and contractor personnel performing on unclassified automated information systems may be assigned to one of three position sensitivity designations (in accordance with Appendix 10 of DoD 5200.2-R, Personnel Security Program) and MINIMALLY investigated as follows: ADP-I (AKA: IT-1): SSBI/SBPR/PPR ADP-II (AKA: IT-2): ANACI /NACI /NACLC/ S-PR ADP-III (AKA: IT-3): NAC/ENTNAC Those personnel falling in the above ADP categories who also require access to classified information will, of course, be subject to the appropriate investigative scope for the level of security clearance required. The investigative scope for clearances may exceed but not be less than that required for the designated ADP level. NOTE 2: All designated IA Positions IAW DoD 8570.01-M (IAT Levels I-III or IAM Levels I-III) must be checked. Random checks of all other site personnel records should be made. TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments and is also applicable to a field/mobile environment.

Fix: F-36313r2_fix

Ensure that the appropriate level of investigation for each military, civilian or contract employee has been completed based on clearance/IT position designations and is reflected in JPAS and as applicable any local PERSEC Data Base or equivalent. NOTE 1: Personnel Occupying Information Systems Positions Designated ADP-I, ADP-II and ADP-III. DoD military, civilian personnel, consultants, and contractor personnel performing on unclassified automated information systems may be assigned to one of three position sensitivity designations (in accordance with Appendix 10 of DoD 5200.2-R, Personnel Security Program) and MINIMALLY investigated as follows: ADP-I (AKA: IT-1): SSBI/SBPR/PPR ADP-II (AKA: IT-2): ANACI /NACI /NACLC/ S-PR ADP-III (AKA: IT-3): NAC/ENTNAC Those personnel falling in the above ADP categories who also require access to classified information will, of course, be subject to the appropriate investigative scope for the level of security clearance required. The investigative scope for clearances may exceed but not be less than that required for the designated ADP level. NOTE 2: All designated IA Positions IAW DoD 8570.01-M (IAT Levels I-III or IAM Levels I-III) must be checked. Random checks of all other site personnel records should be made.

Generate Mitigation Statement:

Checks: C-40902r1_chk

Check that IDS - protecting vaults, secure rooms or spaces containing SIPRNet assets - is monitored by U.S. personnel who have been subject to a trustworthiness check IAW DoD 5200.2-R. Minimally they must be subjects of a successfully adjudicated National Agency Check (NAC). TACTICAL ENVIRONMENT APPLICABILITY: Apply to fixed tactical environments where IDS is installed to protect SIPRNet and other DISN connected assets.

Fix: F-36380r1_fix

Ensure that IDS - protecting vaults, secure rooms or spaces containing SIPRNet assets - is monitored by U.S. personnel who have been subject to a trustworthiness check IAW DoD 5200.2-R. Minimally they must be subjects of a successfully adjudicated National Agency Check (NAC).

Generate Mitigation Statement:

Checks: C-40917r1_chk

Check physical IDS - protecting vaults, secure rooms or spaces containing SIPRNet assets - to ensure that installation and maintenance is accomplished by U.S. citizens who have been subjected to a trustworthiness determination in accordance with DoD 5200.2-R. Minimally they must be subjects of a successfully adjudicated National Agency Check (NAC). TACTICAL ENVIRONMENT APPLICABILITY: Apply to fixed tactical environments where IDS is installed to protect SIPRNet and other DISN connected assets.

Fix: F-36394r1_fix

Ensure that installation and maintenance of physical IDS - protecting vaults, secure rooms or spaces containing SIPRNet assets - is accomplished by U.S. citizens who have been subjected to a trustworthiness determination in accordance with DoD 5200.2-R. Minimally they must be subjects of a successfully adjudicated National Agency Check (NAC).

Generate Mitigation Statement:

Checks: C-40983r2_chk

Checks: 1. Check that there is a Risk Assessment for the Information Technology (IT) facility/ Information System (IS) equipment and validate it is current. 2. Check to ensure it is revalidated/updated at least annually. 3. Check to ensure that the current site commander/director signed the risk assessment in conjunction with or in coordination with the DAAs for resident system(s), signifying acceptance of any residual risk. NOTE 1: While a DAA signed ATO does in fact signify acceptance of risk for specific systems, this alone does not meet the requirement for a formal risk assessment. NOTE 2: Conducting a risk analysis is not just a simple paper work drill - or at least it should not be. Often organizations take a risk analysis template and simply insert their organizations information, local environmental information, etc. - but do not do a good job of actually assessing threats, countermeasures in place (or that can be applied) to come up with an acceptable level of residual risk. A good risk assessment is a team effort (security, IA, COOP, engineers, safety, management...) and should be headed by someone with at least some training in conducting risk assessments. NOTE 3: Training is offered by the Defense Security Service (DSS) Academy in Linthicum, Md among others. NOTE 4: Time permitting the reviewer should make recommendations for improving the risk analysis process at a site since this is a critical element in any effective security management program. TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments where procedural documents (SOPs) should be in place. Not applicable to a field/mobile environment.

Fix: F-36459r1_fix

Fixes: 1. Ensure there is a Risk Assessment for the Information Technology (IT) facility/ Information System (IS) equipment and validate it is current. 2. Ensure it is revalidated/updated at least annually. 3. Ensure that the current site commander/director signed the risk assessment in conjunction with or in coordination with the DAAs for resident system(s), signifying acceptance of any residual risk. NOTE 1: While a DAA signed ATO does in fact signify acceptance of risk for specific systems, this alone does not meet the requirement for a formal risk assessment. NOTE 2: Conducting a risk analysis is not just a simple paper work drill - or at least it should not be. Often organizations take a risk analysis template and simply insert their organizations information, local environmental information, etc. - but do not do a good job of actually assessing threats, countermeasures in place (or that can be applied) to come up with an acceptable level of residual risk. A good risk assessment is a team effort (security, IA, COOP, engineers, safety, management...) and should be headed by someone with at least some training in conducting risk assessments. NOTE 3: Training is offered by the Defense Security Service (DSS) Academy in Linthicum, Md among others.

Generate Mitigation Statement:

Checks: C-41025r2_chk

Checks: 1. Check to ensure that Unclassified system assests (servers, DASD, tape drives, hubs, etc.) are protected in separate locked/access controlled rooms or closets. NOTE 1: This potential VUL concerns protection of "ONLY UNCLASSIFIED" System and Network Devices. NOTE 2: While not required; the ideal situation with larger computer systems is to locate all major system components within "raised floor" computer rooms. Regardless of the location the key factor in determining acceptable compliance is if the equipment is accessible only to properly vetted persons who require unescorted access to the equipment for performance of duties. NOTE 3: While not preferred, if space and/or size of the Information Systems (IS) assets do not allow for being housed in a separate room or closet they may be maintained in locked Information System (IS) cabinets that preclude ease of access by unauthorized individuals. 2. Check to ensure that properly managed access control systems, mechanical access devices, or keyed locks are being used to control access to these rooms, closets or cabinets. NOTE 4: If keyed locks are used check to ensure that proper key control procedures are in place. TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments. Not applicable to a field/mobile environment.

Fix: F-36507r1_fix

Fixes: 1. Ensure that Unclassified system assests (servers, DASD, tape drives, hubs, etc.) are protected in separate locked/access controlled rooms or closets. NOTE 1: This potential VUL concerns protection of "ONLY UNCLASSIFIED" System and Network Devices. NOTE 2: While not required; the ideal situation with larger computer systems is to locate all major system components within "raised floor" computer rooms. Regardless of the location the key factor in determining acceptable compliance is if the equipment is accessible only to properly vetted persons who require unescorted access to the equipment for performance of duties. NOTE 3: While not preferred, if space and/or size of the Information Systems (IS) assets do not allow for being housed in a separate room or closet they may be maintained in locked Information System (IS) cabinets that preclude ease of access by unauthorized individuals. 2. Ensure that properly managed access control systems, mechanical access devices, or keyed locks are being used to control access to these rooms, closets or cabinets. NOTE 4: If keyed locks are used, ensure that proper key control procedures are in place.

Generate Mitigation Statement:

Checks: C-41039r2_chk

Check to ensure the areas housing critical information technology systems are designated as Restricted Areas or Controlled Areas IAW host installation and/or Service, Agency or COCOM guidance. Signage should be properly posted at all access points and at adequate intervals to advise those approaching of the restricted area/controlled area designation, authority and consequences for violation of access restrictions. Signs will be in English as well as in any language prevalent in the area. Signs may not be required where OPSEC countermeasures dictate. TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments. Not applicable to a field/mobile environment.

Fix: F-36515r1_fix

Ensure the areas housing critical information technology systems are designated as Restricted Areas or Controlled Areas IAW host installation and/or Service, Agency or COCOM guidance. Signage should be properly posted at all access points and at adequate intervals to advise those approaching of the restricted area/controlled area designation, authority and consequences for violation of access restrictions. Signs will be in English as well as in any language prevalent in the area. Signs may not be required where OPSEC countermeasures dictate.

Generate Mitigation Statement:

Checks: C-41040r7_chk

Background Information: This set of checks is intended to validate security-in-depth protection measures in place for facilities containing either Unclassified DISN assets (NIPRNet) or Classified (SIPRNet) DISN assets or both. The first two checks are specifically for Unclassified DISN facilities, while checks 3, 4, 5 and 6 are for facilites containing SIPRNet asstes. Where both NIPRNet and SIPRNet assets are contained in a facility - the more strigent standards for SIPRNet will be used. Checks: 1. Check that any facility/building housing Unclassified Information System assets conected to the DISN (such as end user NIPRNet work stations) has at least one physical barrier supplemented by any type of 24/7 access control (keyed locks, reception, guards, Access Control System, Cipher Locks, etc.). 2. Check to ensure that Unclassified Computer Rooms containing equipment connected to the DISN (located within a facility or bldg meeting the standard in #1 above) have an additional layer of physical protection and access control. This check is intended for rooms with key system assets such as servers, routers, etc., rather than end user workstations. 3. Check to ensure that every physical access point to facilities housing DISN workstations that process or display classified information is guarded or alarmed 24/7 (minimum of alarm contacts on the doors) and that intrusion alarms are properly monitored. 4. Check that two forms of identification are required to gain access to a facility housing DISN workstations that process or display classified information (e.g., key card with PIN/biometrics or two forms of picture ID present to a guard or receptionist). NOTE 1: Physical access points to facilities housing DISN workstations that process or display classified information, which are located on an access controlled military installation (or that employ another layer of physical barrier/access control) are not required to have an IDS alarm contact on the doors and need only one level of access control. For instance access control to the facility using only a swipe or prox card (w/o PIN or biometrics) or a guard checking a single picture ID is acceptable. 5. Check to ensure that a visitor log is maintained for facilities or buildings containing DISN workstations that process or display classified information. Access Control System (ACS) log entries may be used to meet this requirement. 6. Where there are Information System assets stored in secure rooms (AKA: collateral classified open storage areas) that are connected to the SIPRNet - check to ensure that the senior agency official has determined in writing that security-in-depth exists. NOTE 2: Checks number 3, 4, 5 and 6 are intended to only assess the appropriateness of physical barriers and access control measures leading to or surrounding Secure Rooms, rather than actual secure room protection measures. Classified Computer Rooms must have additional layers of physical protection and access control, which are implemented IAW Secure Room standards. Again, Secure Room standards are not covered under this check for security-in-depth. They are covered elsewhere on the checklist. To reiterate in another way; these checks are strictly for areas containing classified DISN assets that ARE NOT maintained in spaces approved for collateral classified open storage (such as secure rooms, vaults or SCIFs). Typically the type of applicable area covered by this check will be an area designated as a Secret (or possibly Top Secret) Controlled Access Area (CAA). TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments. Not applicable to a field/mobile environment.

Fix: F-36516r6_fix

Background Information: This standard is intended to validate security-in-depth protection measures in place for facilities containing either Unclassified DISN assets (NIPRNet) or Classified (SIPRNet) DISN assets or both. The first two fixes are specifically for Unclassified DISN facilities, while fixes 3, 4, 5 and 6 are for facilites containing SIPRNet asstes. Where both NIPRNet and SIPRNet assets are contained in a facility - the more strigent standards for SIPRNet will be used. Checks: 1. Ensure that any facility/building housing Unclassified Information System assets conected to the DISN (such as end user NIPRNet work stations) has at least one physical barrier supplemented by any type of 24/7 access control (keyed locks, reception, guards, Access Control System, Cipher Locks, etc.). 2. Ensure that Unclassified Computer Rooms containing equipment connected to the DISN (located within a facility or bldg meeting the standard in #1 above) have an additional layer of physical protection and access control. This fix is intended for rooms with key system assets such as servers, routers, etc., rather than end user workstations. 3. Ensure that every physical access point to facilities housing DISN workstations that process or display classified information is guarded or alarmed 24/7 (minimum of alarm contacts on the doors) and that intrusion alarms are properly monitored. 4. Ensure two forms of identification are required to gain access to a facility housing DISN workstations that process or display classified information (e.g., key card with PIN/biometrics or two forms of picture ID present to a guard or receptionist). NOTE 1: Physical access points to facilities housing DISN workstations that process or display classified information, which are located on an access controlled military installation (or that employ another layer of physical barrier/access control) are not required to have an IDS alarm contact on the doors and need only one level of access control. For instance access control to the facility using only a swipe or prox card (w/o PIN or biometrics) or a guard checking a single picture ID is acceptable. 5. Ensure that a visitor log is maintained for facilities or buildings containing DISN workstations that process or display classified information. Access Control System (ACS) log entries may be used to meet this requirement. 6. Where there are Information System assets stored in secure rooms (AKA: collateral classified open storage areas) that are connected to the SIPRNet - ensure that the senior agency official has determined in writing that security-in-depth exists. NOTE 2: Fixess number 3, 4, 5 and 6 are intended to only assess the appropriateness of physical barriers and access control measures leading to or surrounding Secure Rooms, rather than actual secure room protection measures. Classified Computer Rooms must have additional layers of physical protection and access control, which are implemented IAW Secure Room standards. Again, Secure Room standards are not covered under this fix for security-in-depth. They are covered elsewhere on the checklist. To reiterate in another way; these fixes are strictly for areas containing classified DISN assets that ARE NOT maintained in spaces approved for collateral classified open storage (such as secure rooms, vaults or SCIFs). Typically the type of applicable area covered by this fix will be an area designated as a Secret (or possibly Top Secret) Controlled Access Area (CAA).

Generate Mitigation Statement:

Checks: C-41041r4_chk

Checks: Review visitor control procedures and implementation and ensure they include verification of clearance/investigation status, personal identification of visitor, registering of visitors, proper badging and escorts. NOTE 1: Traditional Security reviewers may evaluate implementation of the visitor process by reviewing how the review team was identified and badged. NOTE 2: Detailed audit logs of all facility visitors should be maintained for at least 90 days. Access Control System (ACS) electronic logs may be used to meet this requirement. NOTE 3: Additional interviews can be conducted with personnel handling the visitor control function. TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments. Not applicable to a field/mobile environment.

Fix: F-36517r2_fix

Fixes: Review visitor control procedures and implementation and ensure they include verification of clearance/investigation status, personal identification of visitor, registering of visitors, proper badging and escorts. NOTE: Detailed audit logs of all facility visitors should be maintained for at least 90 days. Access Control System (ACS) electronic logs may be used to meet this requirement.

Generate Mitigation Statement:

Checks: C-41042r1_chk

Checks: 1. Check to ensure there are written procedures for the control of sensitive items such as keys, locks, badges and smart cards. 2. Check to verify the process is being followed and that it is effective. As a minimum, lock and key or access control systems (using coded access swipe/prox badges) require a key or credential inventory, issue records, and a procedure for returning the key or access control credential once the user no longer needs it. 3. Check to ensure a Key Control/Credential Officer and/or Key/Credential Custodians are appointed in writing to implement the system for controling keys, locks and access control credentials. 4. Check to ensure the Key/Credential Control Officer conducts at least an annual inventory/reconciliation of all keys/credentials issued and on-hand. 5. Check to ensure that all keys/credentials are also inventoried upon change of Key/Credential Control Officer or Key/Credential Custodian. TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments. Not applicable to a field/mobile environment.

Fix: F-36518r1_fix

Fixes: 1. Ensure there are written procedures for the control of sensitive items such as keys, locks, badges and smart cards. 2. Verify the process for controlling keys/locks and credentials is being followed and that it is effective. As a minimum, lock and key or access control systems (using coded access swipe/prox badges) require a key or credential inventory, issue records, and a procedure for returning the key or access control credential once the user no longer needs it. 3. Ensure a Key Control/Credential Officer and/or Key/Credential Custodians are appointed in writing to implement the system for controling keys, locks and access control credentials. 4. Ensure the Key/Credential Control Officer conducts at least an annual inventory/reconciliation of all keys/credentials issued and on-hand. 5. Ensure that all keys/credentials are also inventoried upon change of Key/Credential Control Officer or Key/Credential Custodian.

Generate Mitigation Statement:

Checks: C-41044r3_chk

Checks: Check #1. Check to ensure there are appointment letters for all security staff members including the SM, DAA, IAM, IAOs, System Administrators, and NSO. (CAT III) Check #2. Check to ensure the appointments are current and an appropriate authority has made the appointments. (CAT III) Check #3. Check to ensure that pertinent duties, responsibilities, training/certification and other suitability requirements for the appointed positions are contained in the appointment order. (CAT III) Check # 4. Check supporting documentation to ensure that security staff have been properly trained and certified for the positions to which they are appointed and that they meet all applicable requirements for the positions. For instance the DAA and IAM must be US Citizens. (CAT II) TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments. Not applicable to a field/mobile environment.

Fix: F-36520r1_fix

Fixes: 1. Ensure there are appointment letters for all security staff and IA members including the SM, DAA, IAM, IAOs, System Administrators, and NSO. 2. Ensure the appointments are current and appropriate authorities have made the appointments. 3. Ensure that pertinent duties, responsibilities, training/certification and other suitability requirements for the appointed positions are contained in the appointment order. 4. Ensure that security staff have been properly trained and certified for the positions to which they are appointed and that they meet all applicable requirements for the positions. For instance the DAA and IAM must be US Citizens.

Generate Mitigation Statement:

Checks: C-41045r7_chk

Checks: Check #1. Check that initial and recurring (minimum annually) information security AND information assurance training is provided to each employee. Check #2. Check to ensure the following training topics are covered. Some topics may not be necessary based on the organizations mission or other considerations. Reviewers should use discretion in determining if adequate training topics are covered: a. Classified Handling (physical (storage) security, transportation/transmission & marking of documents, equipment and media) b. Communications Security c. Computer (AKA: Information Assurance) Security requirements d. Counter-intelligence briefings e. Penalties for engaging in espionage activities f. Courier briefing (if applicable) g. Reporting of derogatory information h. Reporting of Security Incidents i. Security of Laptop computers when traveling j. Special access programs, NATO, COSMIC TS, etc (as applicable) k. Use of personal computers for conducting official business l.Concerns identified during Component self- inspections Check #3. Check records of employee training and ensure 100% of initial training briefings are accomplished and at least 95% of employees have completed annual training. Note that while 100% completion of annual training is the goal, employees on extended leave. TDY or other circumstances make this a difficult thing to accomplish. All training accomplished must be documented. Anything less will be a finding. TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments. Not applicable to a field/mobile environment.

Fix: F-36521r3_fix

Fixes: 1. Ensure initial and recurring (annual minimum) information security and information assurance training is provided to each employee. 2. Ensure the following training topics are covered at a MINIMUM: a. Classified Handling (physical (storage) security, transportation/transmission & marking of documents, equipment and media) b. Communications Security c. Computer (AKA: Information Assurance) Security requirements d. Counter-intelligence briefings e. Penalties for engaging in espionage activities f. Courier briefing (if applicable) g. Reporting of derogatory information h. Reporting of Security Incidents i. Security of Laptop computers when traveling j. Special access programs, NATO, COSMIC TS, etc (as applicable) k. Use of personal computers for conducting official business l.Concerns identified during Component self- inspections m. Check records of employee training and ensure 100% of initial training and termination briefings are accomplished and at least 95% of employees have annual training. While 100% annual training is the goal, things like extended employee TDY ot leave make this difficult to achieve. All training accomplished must be documented. Anything less will be a finding.

Generate Mitigation Statement: