Traditional Security Checklist

  • Version/Release: V2R6
  • Published: 2024-08-09
  • Released: 2024-10-24
These requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
COMSEC Account Management - Equipment and Key Storage
High - V-245722 - SV-245722r822789_rule
RMF Control:
Severity: High
CCI:
Version: CS-01.01.01
Vuln IDs
  • V-245722
  • V-30837
Rule IDs
  • SV-245722r822789_rule
  • SV-40855r3_rule
Improper handling and storage of COMSEC material can result in the loss or compromise of classified cryptologic devices or classified key or unclassified COMSEC Controlled Items (CCI).

REFERENCES:
  • DoD 5220.22-M (NISPOM), Chapter 9, Section 4
  • DoD Manual 5200.01, Volume 1, 24 February 2012, SUBJECT: DoD Information Security Program: Overview, Classification, and Declassification, Enclosure 3, para 12.c.
  • DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information: Paragraph 1.b. (1); Enclosure 2, para 8. & 12.; Enclosure 3 and Appendix to Encl 3; Enclosure 4, para 1.a.; Enclosure 7, para 7.b. & c.
  • NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: SC-12, SC-13
  • NSA/CSS Policy Manual 3-16, Sections III, VI, X and XI
  • CNSS Policy No. 1, NATIONAL POLICY FOR SAFEGUARDING AND CONTROL OF COMSEC MATERIALS
  • CNSS Policy No. 10, NATIONAL POLICY GOVERNING USE OF APPROVED SECURITY CONTAINERS IN INFORMATION SECURITY APPLICATIONS
  • DoD Instruction 8523.01, Communications Security (COMSEC), April 22, 2008
Checks: C-49153r769826_chk

Ask the COMSEC Custodian, COMSEC Responsible Officer (CRO), Security Manager, or ISSM how COMSEC equipment and materials are transported, handled, and stored. Physically check that crypto equipment, keys, and keyed crypto are handled and stored properly. Reviewers must annotate the specific types of crypto devices observed (e.g., TACLANE, KIV 7) in the finding details or comments.

Fix: F-49108r769827_fix

COMSEC material must be stored in a GSA approved container such as a safe, vault, or secure room IAW NSA/CSS Policy Manual 3-16, Section XI, paragraph 89. Specific standards are:
1. Keyed crypto equipment must be housed within a proper GSA safe, vault or secure room.
2. If crypto equipment is not housed within a proper GSA safe, vault or secure room, the Crypto Encryption Key must be removed and stored in a GSA approved safe or in a separate room from the crypto equipment when the equipment is not under the continuous observation and control of a properly cleared person.
3. Information Processing System (IPS) containers (safes) may be used to securely store and operate keyed equipment.
4. If unclassified crypto equipment is not operated in a safe, vault or secure room, it must minimally be maintained within an approved Secret or higher Controlled Access Area (CAA) and further secured in a locked room (equipment closet) or equipment rack suitable for control of sensitive equipment to ensure only system administrator and COMSEC personnel have access to the equipment.
5. NOTES: This requirement applies to a tactical environment. Unless under continuous observation and control, the Crypto Equipment Key must be removed and maintained separately from the encryption device, unless it is operated in a proper safe, vault or secure room. Ensure that any COMSEC account, materials or equipment being inspected is used for encryption of DoDIN assets. COMSEC items not used with DoDIN assets should not be inspected. Specifically, only COMSEC items associated with the CCSDs being inspected are to be included in this check.

COMSEC Account Management - Appointment of Responsible Person
Low - V-245723 - SV-245723r822790_rule
RMF Control:
Severity: Low
CCI:
Version: CS-01.03.01
Vuln IDs
  • V-245723
  • V-30885
Rule IDs
  • SV-245723r822790_rule
  • SV-40925r3_rule
Lack of formal designation of an individual to be responsible for COMSEC items could result in mismanagement, loss or even compromise of COMSEC materials. Additionally, lack of formal vetting for a specific individual to be appointed for management of COMSEC material could result in a person (such as a non-US Citizen) having unauthorized access.

REFERENCES:
  • DoD Manual 5200.01, Volume 1, 24 February 2012, SUBJECT: DoD Information Security Program: Overview, Classification, and Declassification, Encl 3, paragraph 6.e. (3).
  • DoD 5220.22-M (NISPOM), Section 4
  • DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), paragraphs 6.5.d., 7.16. e. & f. and 8.2.b. (3)
  • NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: IA-1, PL-1, PS-1, PS-2, and SC-1
  • NSA/CSS Policy Manual 3-16, Sections III, VI, X and XI
  • CNSS Policy No.1, NATIONAL POLICY FOR SAFEGUARDING AND CONTROL OF COMSEC MATERIALS
Checks: C-49154r769829_chk

Check there is a current COMSEC Custodian appointment letter or verify there is a Hand Receipt Holder for COMSEC key material received from a supporting account.
NOTE: Ensure that any COMSEC account, materials or equipment being inspected is used for encryption of DoDIN assets. COMSEC accounts or items not used with DoDIN assets should not be inspected.

Fix: F-49109r769830_fix

A person must be identified and appointed in writing to be either the COMSEC custodian or a COMSEC Hand Receipt Holder. Alternates must also be appointed in writing.

COMSEC Account Management - Program Management and Standards Compliance
Low - V-245724 - SV-245724r917316_rule
RMF Control:
Severity: Low
CCI:
Version: CS-01.03.02
Vuln IDs
  • V-245724
  • V-30928
Rule IDs
  • SV-245724r917316_rule
  • SV-40970r3_rule
Recipients of NSA or Service COMSEC accounts are responsible to properly maintain the accounts. Procedures covering security, transport, handling, etc., of COMSEC must be developed to supplement regulatory guidelines. NSA or sponsoring Services of the COMSEC accounts maintain oversight by conducting required inspections. If COMSEC accounts are not properly maintained and findings are noted during an inspection, they must be addressed properly and promptly. If this is not done, the integrity of COMSEC items may be adversely impacted, resulting in the loss or compromise of COMSEC equipment or key material.

REFERENCES:
  • DOD Manual 5200.01, Volume 1, 24 February 2012, SUBJECT: DOD Information Security Program: Overview, Classification, and Declassification, Encl 3, paragraph 6.e. (3).
  • DOD 5220.22-M (NISPOM), Section 4
  • NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AU-1, CA-1, CA-2, CA-2(1), CA-2(2), CA-2(3), CA-5, CM-3(6), PL-1, PL-2(3), PL-7, SC-1, SC-12, SC-12(1), and SC-13
  • NSA/CSS Policy Manual 3-16, Sections III, VI, X and XI
  • CNSS Policy No.1, NATIONAL POLICY FOR SAFEGUARDING AND CONTROL OF COMSEC MATERIALS
  • DOD Instruction 8523.01, Communications Security (COMSEC), January 6, 2021
  • CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND)
Checks: C-49155r917139_chk

Ask how the COMSEC account is managed. Check for written procedures and inspection reports.
NOTES:
1. Applies in a tactical environment if the crypto equipment and key material being observed is at a location where supporting staff (IAM, SM, COMSEC Custodian) would logically be located. If it is a mobile tactical organization, responsibility for program management might simply be the identification of an individual responsible for keeping track of and maintaining COMSEC materials, but supporting documentation may not be immediately available and should not be written as a finding; however, observations and comments may still be documented.
2. Note in the report the COMSEC Account type, e.g., NSA, Navy, Army, etc.
3. Note in the report the last COMSEC Inspection Date based on observed documentation. (Summarize the overall results and whether the site is taking action to address/correct findings.)
4. Ensure that any COMSEC account, materials or equipment being inspected is used for encryption of DODIN assets. COMSEC accounts or items not used with DODIN assets should not be inspected.
5. This check is not intended to be an inspection of the COMSEC Program; rather, it is a verification that a viable program is in place with NSA or Service oversight. The idea is to ensure that NSA or Service oversight inspection findings/deficiencies are being corrected in a timely manner by the site.

Fix: F-49110r917140_fix

The site must have local procedures covering maintenance of COMSEC equipment and key material. Further, any inspection findings from the NSA or Service issuing the account, or from the account sponsor (for Hand Receipt holders), must be corrected, or evidence must be provided that a plan of action is in place and underway to correct the noted deficiencies.

COMSEC Training - COMSEC Custodian or Hand Receipt Holder
Medium - V-245725 - SV-245725r917317_rule
RMF Control:
Severity: Medium
CCI:
Version: CS-02.02.01
Vuln IDs
  • V-245725
  • V-30931
Rule IDs
  • SV-245725r917317_rule
  • SV-40973r3_rule
Lack of appropriate training for managers of COMSEC accounts could result in the mismanagement of COMSEC records and inadequate physical protection and ultimately lead to the loss or compromise of COMSEC keying material.

REFERENCES:
  • DOD Manual 5200.01, Volume 1, 24 February 2012, SUBJECT: DOD Information Security Program: Overview, Classification, and Declassification
  • DOD 5220.22-M (NISPOM), Section 4
  • NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AT-3, AT-4, and SC-1
  • NSA/CSS Policy Manual 3-16, Section III, paragraph 16.
  • CNSS Policy No.1, NATIONAL POLICY FOR SAFEGUARDING AND CONTROL OF COMSEC MATERIALS
  • DOD Instruction 8523.01, Communications Security (COMSEC), January 6, 2021
  • CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND)
Checks: C-49156r917142_chk

Check for documented proof of COMSEC Custodian or hand receipt holder training.
NOTES:
1. Formal training for primary COMSEC account holders must be completed within six months of being designated as COMSEC Custodian.
2. Ensure that any COMSEC account, materials or equipment being inspected is used for encryption of DODIN assets. COMSEC accounts or items not used with DODIN assets should not be inspected.

Fix: F-49111r917143_fix

Documented proof of required COMSEC Custodian or hand receipt holder training must be available. Formal training of primary COMSEC account holders is required within 6 months of being appointed as COMSEC Custodian or alternate. Sub-account or hand receipt holders may be trained by the sponsoring primary account COMSEC Custodian.

COMSEC Training - COMSEC User
Medium - V-245726 - SV-245726r917318_rule
RMF Control:
Severity: Medium
CCI:
Version: CS-02.02.02
Vuln IDs
  • V-245726
  • V-30933
Rule IDs
  • SV-245726r917318_rule
  • SV-40975r3_rule
Failure to properly brief COMSEC users could result in the loss of cryptologic devices or key, or the compromise of classified information.

REFERENCES:
  • DOD Manual 5200.01, Volume 1, 24 February 2012, SUBJECT: DOD Information Security Program: Overview, Classification, and Declassification
  • DOD 5220.22-M (NISPOM), Section 4
  • DOD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DOD Information Security Program: Protection of Classified Information, Encl 7, Para 7.b.
  • NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AT-3, AT-4, and SC-1
  • NSA/CSS Policy Manual 3-16, Section IX, Paragraph 77.
  • CNSS Policy No. 1, NATIONAL POLICY FOR SAFEGUARDING AND CONTROL OF COMSEC MATERIALS
  • DOD Instruction 8523.01, Communications Security (COMSEC), January 6, 2021
  • CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND)
Checks: C-49157r917145_chk

Check proof of user training.
NOTES:
1. Applies in a tactical environment if the crypto equipment and key material being observed is at a location where supporting staff (IAM, SM, COMSEC Custodian/COMSEC Responsible Officer (CRO), AKA Hand Receipt Holder) would logically be located. If it is a mobile tactical organization, COMSEC users should previously have received proper training; however, since the documentation will likely not be available in a field environment, this check will be NA.
2. Observations and comments may be entered for the record, even if there is no finding.
3. Ensure that any COMSEC account, materials or equipment being inspected is used for encryption of DODIN assets. COMSEC accounts or items not used with DODIN assets should not be inspected.

Fix: F-49112r769839_fix

Train all COMSEC users on proper procedures for operation of COMSEC equipment and on proper protection of both classified COMSEC materials and COMSEC Controlled Information (CCI). Documented proof of initial user training must be on hand and updated at least annually.

Classified Transmission - Electronic Means using Cryptographic System Authorized by the Director, NSA
High - V-245727 - SV-245727r822794_rule
RMF Control:
Severity: High
CCI:
Version: CS-03.01.01
Vuln IDs
  • V-245727
  • V-30934
Rule IDs
  • SV-245727r822794_rule
  • SV-40976r4_rule
Failure to properly encrypt classified data in transit can lead to the loss or compromise of classified or sensitive information.

REFERENCES:
  • DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 4, paragraphs 5-402.c. and 5-403
  • DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information: Encl 4, para 1.a.; Encl 4, para 3.b. and 4.a.; Encl 4, para 8.; Encl 7, para 13.e.
  • NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-17(2) and SC-8
  • NSA/CSS Policy Manual 3-16, Sections III, VI, X and XI
  • DoD Instruction 8523.01, Communications Security (COMSEC), April 22, 2008, paragraph 6.1.
  • CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 35.
  • CNSSI No.7003, September 2015, Protected Distribution Systems (PDS), SECTION IV - POLICY, paragraphs 6, 7 and 8.
Checks: C-49158r769841_chk

GENERAL REQUIREMENT: Classified information shall be transmitted by electronic means over an approved secure communications system authorized by the Director, NSA, or a Protected Distribution System (PDS) designed and installed to meet the requirements of Committee on National Security Systems Instruction (CNSSI) 7003. This applies to voice, data, message (both organizational and email), and facsimile transmissions.

CHECK: Where classified (SIPRNet) transmissions are outside of an area approved for unprotected transmission, check that the cryptographic system is designed and installed IAW NSA approved guidelines. Generally, an area not approved for unprotected SIPRNet transmissions will be any transmission through an area that is not a SCIF, Secret or higher Vault or Secure Room, or Secret or higher Controlled Access Area (CAA).

NOTES:
1. This check is applicable in a tactical environment regardless of whether the unprotected SIPRNet transmission line is located within a fixed facility or a field/mobile environment.
2. This check is NA if the unencrypted signal is installed in a proper Protected Distribution System (PDS).

Fix: F-49113r769842_fix

When classified (particularly SIPRNet) voice, data, message (both organizational and e-mail), and facsimile transmissions transit an area not access controlled to at least the Secret level, a cryptographic system designed and installed IAW NSA approved guidelines must be used to protect the data in transit. This check is NA if the transmission line/cable is installed in a proper Protected Distribution System (PDS).

Protected Distribution System (PDS) Construction - Point of Presence (PoP) and Terminal Equipment Protection. This requirement concerns security of both the starting and ending points for PDS within proper physically protected and access controlled environments.
High - V-245728 - SV-245728r917319_rule
RMF Control:
Severity: High
CCI:
Version: CS-04.01.01
Vuln IDs
  • V-245728
  • V-30938
Rule IDs
  • SV-245728r917319_rule
  • SV-40980r4_rule
A PDS that is not constructed and physically protected as required could result in the covert or undetected interception of classified information.

REFERENCES:
  • CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 35.c.
  • DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 4, paragraphs 5-402.c. and 5-403
  • DOD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DOD Information Security Program: Protection of Classified Information, Encl 4, para 3.b. and 4.a.
  • NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-4, SC-7, and SC-8
  • CNSSI No. 7003, September 2015, Protected Distribution Systems (PDS), Section IV, paragraph 7.; Section VIII, paragraphs 22, 25, 26 & paragraph 27.b. & c.; and Section X, paragraph 30.a.
Checks: C-49159r917147_chk

This check concerns security requirements for the physical locations of both the starting and ending points for Protected Distribution Systems (PDS) within a physical enclave. Check to ensure:
1. The PDS originates within the room or area containing the SIPRNet Point of Presence (PoP) for the facility or area, which must be in a Secret or above Secure Room, Vault, SCIF or alternatively in an Information Processing Systems (IPS) Container with SIPRNet connected equipment (router/switch/PC/laptop/multi-function device (e.g., printer, copier, fax)). An IPS container is a specially designed safe for secured operation of classified network and end user equipment.
2. PDS terminal equipment (wall jacks/ports) are located in a Secret or higher Controlled Access Area (CAA), Secret or higher vault, Secret or higher Secure Room or in a SCIF.
3. PDS terminating in areas not a Secret or higher CAA may alternatively terminate in an IPS Container with SIPRNet connected equipment (router/switch/PC/laptop/multi-function device (printer, copier, and fax)).
4. If an IPS container is used to secure equipment at a PDS termination point, ensure it is located within at least a Limited Access Area (LAA). *It cannot ever be located in an Uncontrolled Access Area (UAA).
5. In exceptional situations, when the PDS termination area cannot be access controlled to the level of the data carried by the PDS (e.g., in a multi-use conference room), ensure the PDS termination point (wall jack/port) is secured with a lock box. Access Controlled to the level of the data carried by the PDS for SIPRNet connections means the PDS termination area must minimally be a secret CAA. The lock box must meet the same construction requirements as a pull box for the PDS carrier type. *Specifications for pull boxes and termination lock boxes are covered in rule: Protected Distribution System (PDS) Construction - Accessible Pull Box Security, STIG ID: CS-04.01.03, Rule ID: SV-41000r3_rule, Vuln ID: V-245730. A finding for deficient pull box or termination lock box construction should be cited under STIG ID: CS-04.01.03.
6. If a lock box is used to secure a PDS termination/end point (wall jack/port), ensure it is located within at least a Limited Access Area (LAA). *It cannot ever be located in an Uncontrolled Access Area (UAA).
7. PDS lock boxes located within a LAA are physically disconnected (cables pulled) from equipment and the lock boxes secured with an approved PDS lock when the lock box is not under the continuous observation and control of a properly cleared person (secret security clearance for SIPRNet).
NOTES: Access to all PDS points with breakouts must be restricted to personnel cleared at the highest level of the breakout and therefore, the PDS terminal equipment (end point) must either be locked or continuously safeguarded by cleared persons to prevent tampering. The S&G 8077 changeable combination padlock is the DOD standard/required PDS lock for user termination lock boxes that are opened/closed on a routine or frequent basis. Tamper evident locks (keyed padlocks with seals) are not permitted to be used within the DOD, per guidance from USD(I) Policy.

Fix: F-49114r917148_fix

This fix concerns security requirements for the physical locations of both the starting and ending points for Protected Distribution Systems (PDS) within a physical enclave. All of the following requirements must be met:
1. The PDS must originate within the room or area containing the SIPRNet Point of Presence (PoP) for the facility or area, which must be in a Secret or above Secure Room, Vault, SCIF or alternatively in an Information Processing Systems (IPS) Container with SIPRNet connected equipment (router/switch/PC/laptop/multi-function device (e.g., printer, copier, fax)). An IPS container is a specially designed safe for secured operation of classified network and end user equipment.
2. PDS terminal equipment (wall jacks/ports) must be located in a Secret or higher Controlled Access Area (CAA), Secret or higher vault, Secret or higher Secure Room or in a SCIF.
3. PDS terminating in areas not a Secret or higher CAA (SCAA) may alternatively terminate in an IPS Container with SIPRNet connected equipment (router/switch/PC/laptop/multi-function device (printer, copier, and fax)).
4. If an IPS container is used to secure equipment at a PDS termination point, it must be located within at least a Limited Access Area (LAA). *It cannot ever be located in an Uncontrolled Access Area (UAA).
5. In exceptional situations, when the PDS termination area cannot be access controlled to the level of the data carried by the PDS (e.g., in a multi-use conference room), the PDS termination point (wall jack/port) must be secured with a lock box. Access Controlled to the level of the data carried by the PDS for SIPRNet connections means the PDS termination area must minimally be a secret CAA (SCAA). The lock box must meet the same construction requirements as a pull box for the PDS carrier type. *Specifications for pull boxes and termination lock boxes are covered in rule: Protected Distribution System (PDS) Construction - Accessible Pull Box Security, STIG ID: CS-04.01.03, Rule ID: SV-41000r3_rule, Vuln ID: V-245730. A finding for deficient pull box or termination lock box construction should be cited under STIG ID: CS-04.01.03.
6. If a lock box is used to secure a PDS termination/end point (wall jack/port), it must be located within at least a Limited Access Area (LAA). *It cannot ever be located in an Uncontrolled Access Area (UAA).
7. PDS lock boxes located within a LAA must be physically disconnected (cables pulled) from equipment and the lock boxes secured with an approved PDS lock when the lock box is not under the continuous observation and control of a properly cleared person (secret security clearance for SIPRNet).
NOTES: Access to all PDS points with breakouts must be restricted to personnel cleared at the highest level of the breakout and therefore, the PDS terminal equipment (end point) must either be locked or continuously safeguarded by cleared persons to prevent tampering. The S&G 8077 changeable combination padlock is the DOD standard/required PDS lock for user termination lock boxes that are opened/closed on a routine or frequent basis. Tamper evident locks (keyed padlocks with seals) are not permitted to be used within the DOD, per guidance from USD(I) Policy.

Protected Distribution System (PDS) Construction - Hardened Carrier
High - V-245729 - SV-245729r822796_rule
RMF Control:
Severity: High
CCI:
Version: CS-04.01.02
Vuln IDs
  • V-245729
  • V-30942
Rule IDs
  • SV-245729r822796_rule
  • SV-40984r4_rule
A PDS that is not constructed and configured as required could result in the undetected interception of classified information.

REFERENCES:
  • CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 35.c.
  • DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 4, paragraphs 5-402.c. and 5-403
  • DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 4, para 3.b. and 4.a.
  • NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-4, SC-7, and SC-8
  • CNSSI No. 7003, September 2015, Protected Distribution Systems (PDS), Section IV, Paragraph 7 and Section X, paragraph 30.a.
Checks: C-49160r769847_chk

1. A Hardened Carrier IAW CNSSI 7003 must be constructed of ferrous, electrical metallic tubing (EMT); ferrous pipe conduit; or ferrous rigid sheet metal ducting. Flexible conduit and armored cables must not be used as a hardened carrier. The carrier must not open to expose data cables (e.g., removable covers), except at approved pull boxes and termination boxes. The carrier must utilize elbows, couplings, nipples, and connectors of the same materials. All joints and connections must be sealed. NOTE: A vendor product (AKA: Modular PDS) may be used if constructed of solid metal components and sealed - as described above.
2. The PDS is not within an Uncontrolled Access Area (UAA).

Fix: F-49115r769848_fix

1. Data cables must be installed in a carrier configured as a "Hardened Carrier" IAW CNSSI 7003. The carrier must be constructed of ferrous, electrical metallic tubing (EMT); ferrous pipe conduit; or ferrous rigid sheet metal ducting. Flexible conduit and armored cables must not be used as a hardened carrier. The carrier must not open to expose data cables (e.g., removable covers), except at approved pull boxes and termination boxes. The carrier must utilize elbows, couplings, nipples, and connectors of the same materials. All joints and connections must be sealed. NOTE: A vendor product (AKA: Modular PDS) may be used if constructed of solid metal components and sealed - as described above.
2. The PDS must not be located within an Uncontrolled Access Area (UAA).

Protected Distribution System (PDS) Construction - Pull Box Security
High - V-245730 - SV-245730r822797_rule
RMF Control:
Severity: High
CCI:
Version: CS-04.01.03
Vuln IDs
  • V-245730
  • V-30958
Rule IDs
  • SV-245730r822797_rule
  • SV-41000r3_rule
A PDS that is not constructed and configured as required could result in the undetected interception of classified information.

REFERENCES:
  • CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 35.c.
  • DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 4, paragraphs 5-402.c. and 5-403
  • DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 4, para 3.b. and 4.a.
  • NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-4, SC-7, and SC-8
  • CNSSI No. 7003, September 2015, Protected Distribution Systems (PDS), Section VIII, paragraph 25 and Section VI - DEFINITIONS - PDS Lock.
Checks: C-49161r769850_chk

If pull box covers are capable of being opened and used for accessing the transmission cable, the following 6 checks apply:
Check 1. Box covers do not have removable hinge pins. The hinge must be hidden or mechanically blocked to prevent removal.
Check 2. If the pull box will be accessed after installation, the pull box cover must be secured with an approved PDS lock. Multiple locks may be required for larger pull-boxes.
NOTE 1: The ONLY approved PDS Lock within the DoD is the General Services Administration (GSA) approved changeable combination padlock, which has historically been the lock used for securing accessible pull boxes and PDS termination boxes. The only padlock currently meeting this standard is the S&G 8077 changeable combination padlock.
NOTE 2: A newer alternative PDS lock listed by the CNSSI 7003 is the tamper indicative padlock with a wire loop seal. This is a "keyed" padlock with an attached seal that is issued exclusively by the lock proponent, which is the National Security Agency (NSA) Information Assurance Division (IAD) Lock and Seal Office. The USD(I) has determined this lock will not be used for protecting PDS Pull Boxes within the DoD.
NOTE 3: The new CNSSI 7003, under the PDS Lock definition, identified the wrong federal specification for the changeable combination padlock. The lock identified under FF-L-2740B is designed for safes and will not fit properly on a small PDS lock box. The correct lock (S&G 8077 changeable combination padlock) is under the FF-P-110J federal specification. That is what the CNSSI 7003 proponent "intended", and the DoD TEMPEST Advisory Group (TAG) and NSA Protective Technologies Group are taking action to coordinate correction of this oversight.
Check 3. Hasps (used with PDS locks) to secure the cover on the pull box are permanently and securely attached to the box (e.g., tack welded or with rivets) in such a way that they cannot be removed without breaking the hasp or its connection.
Check 4. Ensure boxes with prepunched knockouts are not used.
Check 5. Ensure that for medium threat areas (as defined in the CNSSI 7003), pull boxes are constructed of a ferrous metal with a minimum thickness of 14 gauge and have a cover that can be locked. However, the material need not be thicker than the PDS carrier or the thickness needed for box rigidity.
Check 6. Ensure that for low threat areas (as defined in the CNSSI 7003), pull boxes are constructed of a ferrous metal with a minimum thickness of 16 gauge.
If pull box covers are NOT capable of being opened or used for accessing the transmission cable, the following 4 checks apply:
Check 7. Ensure covers are secured to the pull boxes by welding or epoxy after installation as follows:
  - If welded, at least one weld must be applied on each side of the box and cover.
  - If epoxy is used, it must be applied between all mating surfaces continuously around the cover.
  - Painted surfaces must be treated to form a mechanically strong epoxy bond.
Check 8. Ensure hinge-pins for pull-box covers are non-removable. The hinge must be hidden or mechanically blocked to prevent removal.
Check 9. Boxes with pre-punched knockouts are not used under any circumstances.
Check 10. For low threat areas (as defined in the CNSSI 7003), pull boxes are constructed of a ferrous metal with a minimum thickness of 16 gauge.
NOTE: Pull boxes located in medium threat areas must have a lockable cover per the CNSSI 7003 and are therefore addressed in check #5 above under pull box covers capable of being opened and used for accessing the transmission cable.

Fix: F-49116r769851_fix

If pull box covers are capable of being opened and used for accessing the transmission cable, the following 6 requirements apply:
1. Box covers must not have removable hinge pins. The hinge must be hidden or mechanically blocked to prevent removal.
2. If the pull box will be accessed after installation, the pull box cover must be secured with an approved PDS lock. Multiple locks may be required for larger pull-boxes.
NOTE 1: The ONLY approved PDS Lock within the DoD is the General Services Administration (GSA) approved changeable combination padlock, which has historically been the lock used for securing accessible pull boxes and PDS termination boxes. The only padlock currently meeting this standard is the S&G 8077 changeable combination padlock.
NOTE 2: A newer alternative PDS lock listed by the CNSSI 7003 is the tamper indicative padlock with a wire loop seal. This is a "keyed" padlock with an attached seal that is issued exclusively by the lock proponent, which is the National Security Agency (NSA) Information Assurance Division (IAD) Lock and Seal Office. The USD(I) has determined this lock will not be used for protecting PDS Pull Boxes within the DoD.
NOTE 3: The new CNSSI 7003, under the PDS Lock definition, identified the wrong federal specification for the changeable combination padlock. The lock identified under FF-L-2740B is designed for safes and will not fit properly on a small PDS lock box. The correct lock (S&G 8077 changeable combination padlock) is under the FF-P-110J federal specification. That is what the CNSSI 7003 proponent "intended", and the DoD TEMPEST Advisory Group (TAG) and NSA Protective Technologies Group are taking action to coordinate correction of this oversight.
3. Hasps (used with PDS locks) to secure the cover on the pull box must be permanently and securely attached to the box (e.g., tack welded or with rivets) in such a way that they cannot be removed without breaking the hasp or its connection.
4. Boxes with prepunched knockouts must not be used.
5. For medium threat areas (as defined in the CNSSI 7003), pull boxes must be constructed of a ferrous metal with a minimum thickness of 14 gauge and must have a cover that can be locked. However, the material need not be thicker than the PDS carrier or the thickness needed for box rigidity.
6. For low threat areas (as defined in the CNSSI 7003), pull boxes must be constructed of a ferrous metal with a minimum thickness of 16 gauge.
If pull box covers are NOT capable of being opened or used for accessing the transmission cable, the following 4 requirements apply:
7. Covers must be secured to the pull boxes by welding or epoxy after installation as follows:
  - If welded, at least one weld must be applied on each side of the box and cover.
  - If epoxy is used, it must be applied between all mating surfaces continuously around the cover.
  - Painted surfaces must be treated to form a mechanically strong epoxy bond.
8. Hinge-pins for pull-box covers must be non-removable. The hinge must be hidden or mechanically blocked to prevent removal.
9. Boxes with pre-punched knockouts must not be used under any circumstances.
10. For low threat areas (as defined in the CNSSI 7003), pull boxes must be constructed of a ferrous metal with a minimum thickness of 16 gauge.
NOTE: Pull boxes located in medium threat areas must have a lockable cover and are therefore addressed in requirement #5 above under pull box covers capable of being opened and used for accessing the transmission cable.

Protected Distribution System (PDS) Construction - Buried PDS Carrier
High - V-245731 - SV-245731r865845_rule
RMF Control
Severity
High
CCI
Version
CS-04.01.04
Vuln IDs
  • V-245731
  • V-30969
Rule IDs
  • SV-245731r865845_rule
  • SV-41011r4_rule
Buried carriers are normally used to extend a PDS between CAAs that are located in different buildings. As with other Category 2 PDS, the unencrypted data cables must be installed in a carrier. A PDS that is not constructed, configured and physically secured as required could result in the undetected interception of classified information. This is especially true for unencrypted cables running through an outdoor environment where physical barriers protecting the environment are often easily breached.
REFERENCES:
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 35.c.
DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 4, paragraphs 5-402.c. and 5-403
DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 4, para 3.b. and 4.a.
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-4, SC-7, and SC-8
DoD 5220.22-M (NISPOM), Chapter 5, paragraphs 5-402.(c) and 5-403.(a).
CNSSI No. 7003, September 2015, Protected Distribution Systems (PDS), Section IV, paragraph 7 and Section X, paragraph 30.b.
Checks: C-49162r865842_chk

Check Content for exterior PDS. If the Category 2 hardened carrier is buried:
1. Check to ensure the buried carrier is constructed of conduit consisting of EMT, rigid pipe, PVC, or a similar type of plastic electrical conduit. (CAT I finding)
2. Check that all connections are permanently sealed completely around all mating surfaces (e.g., welding, epoxy, fusion, or PVC glue). (CAT I finding)
3. Check to ensure it is buried a minimum of 1 meter (39 inches) below the surface and on the property (in a LOW threat area within CONUS) owned or leased by the U.S. Government or the contractor having control of the PDS. NOTE: As an alternative, if the carrier cannot be buried to a one-meter depth due to soil conditions or blocked passage, a lesser depth may be used within a low threat area with prior approval of the Authorizing Official (AO) if the carrier is encased within the center of mass of approximately 20 centimeters (8 inches) of concrete. (CAT I finding)
4. Check that the buried carrier departs and enters a building through the building's concrete slab or basement wall. NOTE: As an alternative, all portions of the PDS above the one-meter (39 inches) depth and not within a CAA (e.g., a PDS rising to a pull box on the side of a building) must meet the requirements of a Category 2 hardened carrier. (CAT I finding)
5. Check that manholes or any other access (e.g., hand hole) to the buried PDS are secured with a PDS lock or an alarm. The PDS lock must be visible for daily inspection. If a PDS lock cannot be used due to the physical construction of the manhole, then a standard locking manhole cover and micro-switch alarm should be used. NOTE: As an alternative to a PDS lock or approved micro-switch alarms, manhole covers may be completely welded around the opening surface to impede opening and provide clear evidence of penetration. Spot-welding is not acceptable. If operational security needs dictate exceeding the STIG requirements, the site is always free to expand upon and increase its security posture by welding manhole covers. However, prior to this alternative method being instituted, the site must conduct and document an in-depth THREAT Assessment for its AOR, and the assessment requires Senior Agency Official approval. This approval will be maintained on file. Also, daily visual inspections are still required per CNSSI 7003, Section X, para b. 3. (CAT I finding) NOTE: The USD(I) Policy has determined the PDS Locks referred to in the CNSSI 7003 as Tamper Indicative Padlock with a wire loop seal and Tamper Evident Seal ARE NOT permitted for use in the DoD. This is because neither product was properly vetted and listed by the DoD Lock Program. ONLY the S&G 8077 Changeable Combination Padlock is to be used for securing buried PDS manhole covers protecting SIPRNet within the DoD.
6. If the carrier is buried in a MEDIUM threat location, check to ensure it is buried a minimum of 1 meter (39 inches) below the surface AND encased within the center of mass of approximately 20 centimeters (8 inches) of concrete. NOTE: A concrete and steel container of sufficient size (to preclude surreptitious penetration in a period of less than two hours, as confirmed by laboratory tests) may be used in lieu of the 20 centimeters (8 inches) of concrete. (CAT I finding)
NOTE for Reviewers: If portions of the buried carrier cannot be checked due to being physically inaccessible, conduct whatever physical review is possible and attempt to validate PDS construction by reviewing contract/build documents, engineering drawings or certification documents from installation engineers that contain information about the physical makeup of the buried carrier.
7. Check that the PDS is not within an Uncontrolled Access Area (UAA). (CAT I finding)

Fix: F-49117r865844_fix

The following requirements must be applied to exterior PDS:
1. Ensure the buried carrier is constructed of conduit consisting of EMT, rigid pipe, PVC, or a similar type of plastic electrical conduit.
2. Ensure all connections are permanently sealed completely around all mating surfaces (e.g., welding, epoxy, fusion, or PVC glue).
3. Ensure the PDS is buried a minimum of 1 meter (39 inches) below the surface and on the property (in a LOW threat area within CONUS) owned or leased by the U.S. Government or the contractor having control of the PDS. NOTE: As an alternative, if the carrier cannot be buried to a one-meter depth due to soil conditions or blocked passage, a lesser depth may be used within a low threat area with prior approval of the Authorizing Official (AO) if the carrier is encased within the center of mass of approximately 20 centimeters (8 inches) of concrete.
4. Ensure the buried carrier departs and enters a building through the building's concrete slab or basement wall. NOTE: As an alternative, all portions of the PDS above the 1 meter (39 inches) depth and not within a CAA (e.g., a PDS rising to a pull box on the side of a building) must meet the requirements of a Category 2 hardened carrier.
5. Ensure that manholes or any other access (e.g., hand hole) to the buried PDS are secured with a PDS lock or an alarm. The PDS lock must be visible for daily inspection. If a PDS lock cannot be used due to the physical construction of the manhole, then a standard locking manhole cover and micro-switch alarm should be used. NOTE: As an alternative to a PDS lock or approved micro-switch alarms, manhole covers may be completely welded around the opening surface to impede opening and provide clear evidence of penetration. Spot-welding is not acceptable. If operational security needs dictate exceeding the STIG requirements, the site is always free to expand upon and increase its security posture by welding manhole covers. However, prior to this alternative method being instituted, the site must conduct and document an in-depth THREAT Assessment for its AOR, and the assessment requires Senior Agency Official approval. This approval will be maintained on file. Also, daily visual inspections are still required per CNSSI 7003, Section X, para b. 3. (CAT I finding) NOTE: The USD(I) Policy has determined the PDS Locks referred to in the CNSSI 7003 as Tamper Indicative Padlock with a wire loop seal and Tamper Evident Seal ARE NOT permitted for use in the DoD. This is because neither product was properly vetted and listed by the DoD Lock Program. ONLY the S&G 8077 Changeable Combination Padlock is to be used for securing buried PDS manhole covers protecting SIPRNet within the DoD.
6. If the carrier is buried in a MEDIUM threat location, ensure it is buried a minimum of 1 meter (39 inches) below the surface AND encased within the center of mass of approximately 20 centimeters (8 inches) of concrete. NOTE: A concrete and steel container of sufficient size (to preclude surreptitious penetration in a period of less than two hours, as confirmed by laboratory tests) may be used in lieu of the 20 centimeters (8 inches) of concrete.
7. Ensure the PDS is not located within an Uncontrolled Access Area (UAA).

Protected Distribution System (PDS) Construction - External Suspended PDS
High - V-245732 - SV-245732r822799_rule
RMF Control
Severity
High
CCI
Version
CS-04.01.05
Vuln IDs
  • V-245732
  • V-30970
Rule IDs
  • SV-245732r822799_rule
  • SV-41012r3_rule
Suspended carriers (Exterior PDS) are a Category 2 PDS option used to extend a PDS between Controlled Access Areas (CAAs) that are located in different buildings. Suspended carriers may be used for short runs when it is not practical to bury the PDS between buildings (e.g., between the 3rd floors of adjacent buildings). Unlike other Category 2 PDS, the unencrypted data cables are not required to be installed in a carrier. Proper elevation and ease of visibility, as well as minimum daily visual inspections of suspended carriers, are of paramount importance. A PDS that is not configured, physically secured and inspected as required could result in the undetected interception of classified information. This is especially true for unencrypted cables running through an outdoor environment where physical barriers protecting the environment are often easily breached.
REFERENCES:
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 35.c.
DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 4, paragraphs 5-402.c. and 5-403
DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 4, para 3.b. and 4.a.
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-4, SC-7, and SC-8
DoD 5220.22-M (NISPOM), Chapter 5, paragraphs 5-402.(c) and 5-403.(a).
CNSSI No. 7003, September 2015, Protected Distribution Systems (PDS), Section IV, paragraph 7 and Section X, paragraph 30.c.
Checks: C-49163r769856_chk

Suspended carriers (Exterior PDS) may be used for short runs when it is not practical to bury the PDS between buildings (e.g., between the 3rd floors of adjacent buildings). Check to ensure:
1. Suspended carriers between buildings terminate in a Secret or higher Controlled Access Area (CAA) on each end OR immediately enter a hardened PDS at the building boundary. (CAT I)
2. Suspended carriers are hung directly between buildings. (CAT I)
3. Suspended carriers are elevated a minimum of 5 meters (16 feet 4 inches). (CAT I)
4. Suspended carriers are on property owned or leased by the USG or by a USG contractor or vendor that controls the PDS. (CAT I)
5. Suspended carriers are installed to provide unimpeded visual inspection and are clear of any obstruction or device which encroaches upon the system to facilitate tampering. (CAT I)
6. The areas containing suspended carriers are illuminated at night. (CAT I)
7. The PDS is not located within an Uncontrolled Access Area (UAA). (CAT I)

Fix: F-49118r769857_fix

Suspended carriers may only be used for short runs when it is not practical to bury the PDS between buildings (e.g., between the 3rd floors of adjacent buildings). Ensure that:
1. Suspended carriers between buildings are permissible only if they terminate in a CAA on each end or immediately enter a hardened PDS at the building boundary.
2. The suspended carrier is hung directly between buildings.
3. The suspended carrier is elevated a minimum of 5 meters (16 feet 4 inches).
4. The suspended carrier is only used if the property traversed is owned or leased by the USG or by a USG contractor or vendor that controls the PDS.
5. Suspended carriers are installed to provide unimpeded inspection and are clear of any obstruction or device which encroaches upon the system to facilitate tampering.
6. The area containing the suspended carrier is illuminated at night.
7. The PDS is not located within an Uncontrolled Access Area (UAA).

Protected Distribution System (PDS) Construction - Continuously Viewed Carrier
High - V-245733 - SV-245733r822800_rule
RMF Control
Severity
High
CCI
Version
CS-04.01.06
Vuln IDs
  • V-245733
  • V-30971
Rule IDs
  • SV-245733r822800_rule
  • SV-41013r3_rule
A PDS that is not constructed and configured as required could result in the undetected interception of classified information. A continuously viewed PDS may not be in a physically hardened carrier, and the primary means of protection is continuous observation and control of the unencrypted transmission line. If not maintained under continuous observation, an attacker (insider or external) could have an opportunity to tap and intercept unencrypted communications on the exposed cable.
REFERENCES:
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 35.c.
DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 4, paragraphs 5-402.c. and 5-403
DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 4, para 3.b. and 4.a.
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-4, SC-7, and SC-8
CNSSI No. 7003, September 2015, Protected Distribution Systems (PDS), Section IV, paragraph 7. and Section X, paragraph 30.e.
Checks: C-49164r769859_chk

Interior or Exterior PDS: Continuously Viewed Carrier. This is one of five types of Category 2 PDS allowed IAW the CNSSI 7003. Check to ensure:
1. The transmission line is under continuous observation, 24 hours per day, including when non-operational. (CAT I finding)
2. It is separated from all non-continuously viewed circuits, ensuring an open field of view. (CAT III finding)
3. The carrier has an SOP that includes the requirement to investigate any attempt to disturb the PDS. The requirement must include that appropriate security personnel investigate the area of attempted penetration within 15 minutes of discovery. (CAT II finding)
4. The PDS is not located within an Uncontrolled Access Area (UAA). (CAT I)

Fix: F-49119r769860_fix

Interior or Exterior PDS: Continuously Viewed Carrier. This is one of five types of Category 2 PDS allowed IAW the CNSSI 7003. There are four requirements that must be met for this type of distribution system:
1. The transmission line must be under continuous observation, 24 hours per day (including when non-operational).
2. The transmission line must be separated from all non-continuously viewed circuits, ensuring an open field of view.
3. There must be an SOP for those responsible for observation of the carrier that includes the requirement to investigate any attempt to disturb the PDS. The requirement must include that appropriate security personnel investigate the area of attempted penetration within 15 minutes of discovery.
4. The PDS must not be located within an Uncontrolled Access Area (UAA).

Protected Distribution System (PDS) Construction - Tactical Environment Application
High - V-245734 - SV-245734r822801_rule
RMF Control
Severity
High
CCI
Version
CS-04.01.07
Vuln IDs
  • V-245734
  • V-30973
Rule IDs
  • SV-245734r822801_rule
  • SV-41015r3_rule
A PDS that is not constructed and configured as required could result in the undetected interception of classified information. Within mobile tactical situations a hardened carrier is not possible, and therefore the unencrypted SIPRNet cable must be maintained within the confines of the tactical encampment with the cable under continuous observation and control to prevent exploitation by enemy forces. In theaters of operation where fixed facilities are well established, standard PDS applications must be employed unless a risk assessment is conducted to determine the vulnerabilities and risks associated with using unencrypted cable that is not in a hardened carrier.
REFERENCES:
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 35.c.
DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 4, paragraphs 5-402.c. and 5-403
DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 4, para 3.b. and 4.a.
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-4, SC-7, and SC-8
Former guidance was in the legacy/superseded NSTISSI 7003, Protected Distribution Systems, Annex B, paragraph 1.a.(7)
NOTE: There is no longer specific guidance in the updated CNSSI 7003, but the guidance for Continuously Viewed Carriers is the most applicable for Tactical Environments with PDS: CNSSI No. 7003, September 2015, Protected Distribution Systems (PDS), Section X, paragraph 30.e.
Checks: C-49165r769862_chk

PDS in a tactical environment. Check to ensure:
1. The PDS is located within the limits of the installation and command post, or in an area directly under the commander's physical control.
2. Continuously Viewed Carriers are used in tactical environments with mobile systems employing inter-shelter cabling.
3. Continuously Viewed Carriers may also be used in tactical environments with "fixed facilities" ONLY if it is determined through a documented Risk Assessment that the cost or feasibility to install a Category 2 PDS (Hardened or Alarmed Carrier) is not warranted. If applicable based on the risk assessment, STIG ID VULS CS-04.01.01 through CS-04.01.06 may be used for fixed facilities in a theater of operations.
4. ALL PDS in a tactical environment are included in a well-documented Risk Assessment, for which residual risk has been acknowledged and accepted by the PDS Approval Authority.

Fix: F-49120r769863_fix

PDS in a tactical environment:
1. The PDS must be located within the limits of the installation and command post, or in an area directly under the commander's physical control.
2. Continuously Viewed Carriers must be used in tactical environments with mobile systems employing inter-shelter cabling.
3. Continuously Viewed Carriers may also be used in tactical environments with "fixed facilities" ONLY if it is determined through a documented Risk Assessment that the cost or feasibility to install a Category 2 PDS (Hardened or Alarmed Carrier) is not warranted. If applicable based on the risk assessment, STIG ID VULS CS-04.01.01 through CS-04.01.06 may be used for fixed facilities in a theater of operations.
4. ALL PDS in a tactical environment must be included in a well-documented Risk Assessment, for which residual risk has been acknowledged and accepted by the PDS Approval Authority.

Protected Distribution System (PDS) Construction - Alarmed Carrier
High - V-245735 - SV-245735r822802_rule
RMF Control
Severity
High
CCI
Version
CS-04.01.08
Vuln IDs
  • V-245735
  • V-33456
Rule IDs
  • SV-245735r822802_rule
  • SV-43876r3_rule
A PDS that is not constructed and configured as required could result in the covert or undetected interception of classified information. An Alarmed Carrier is one of five types of Category 2 PDS. It is the most suitable alternative to Hardened and Continuously Viewed PDS (internal facility PDS options) when the unencrypted data transmission line is concealed above suspended ceilings, below raised floors, between walls or in any situation where the line is not visible for inspection. In lieu of daily visual inspections, the functionality of the PDS alarm must be tested at least weekly - as based on guidance in the CNSSI 7003.
REFERENCES:
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 35.c.
DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 4, paragraphs 5-402.c., 5-403 and Section 9
DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information: Encl 4, para 3.b. and 4.a.; Appendix to Encl 3, para 2 & 2.f.(2)
DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), 3 April 2017
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-4, PE-6(1), (2) & (3), SC-7, and SC-8
CNSSI No. 7003, September 2015, Protected Distribution Systems (PDS), Section IV, paragraph 7. and Section X, paragraph 30.d.
Checks: C-49166r769865_chk

An Alarmed PDS is one of five types of Category 2 PDS IAW the CNSSI 7003. It is a suitable alternative for the two types of interior PDS, which are Hardened Carrier or Continuously Viewed Carrier. It should be used when the unencrypted data transmission line is concealed above suspended ceilings, below raised floors, between walls or in any situation where the line is not visible for inspection. In lieu of daily visual inspections, the functionality of the PDS alarm must be tested at least weekly - or as based on guidance in the CNSSI 7003. Use this set of checks where the unencrypted SIPRNet cable must be installed in a PDS and the site indicates it is an alarmed PDS. Check to ensure SIPRNet data cables are installed in a carrier properly configured as an "Alarmed Carrier" IAW the following guidelines:
1. Ideally the carrier will be constructed of solid electrical metallic tubing (EMT), ferrous conduit or pipe, or rigid-sheet steel ducting, utilizing elbows, couplings, nipples, and connectors of the same material. Connectors need not be permanently sealed in an alarmed carrier. As a minimum, the carrier may consist of any material equal to or better than the standards for a "Simple PDS" (e.g., wood, PVC, EMT, ferrous conduit). The key to determining the appropriateness of a PDS carrier is its suitability for supporting the functionality of the approved alarm sensor, which provides a means to detect tampering and/or breach of the actual PDS carrier - *not a breach of the space surrounding the carrier. An alarmed carrier must be protected by an alarm system that detects attempted penetration of the carrier. An IDS sensor capable of detecting changes in carrier air pressure is an example of an acceptable detection methodology. (CAT I)
2. As an alternative to an alarmed carrier, the space surrounding the entire carrier may be covered by an area or volumetric (e.g., infrared, motion detection) alarm system. (CAT I)
3. The carrier and/or volumetric alarm system sensor employed must be approved by the cognizant physical security authorities. Documentation must exist to support this approval. (CAT II)
4. The alarm system and signal transmission must be part of an Intrusion Detection System (IDS) meeting the requirements of the Appendix to Enclosure 3 of DoD Manual 5200.01, V3 (INFOSEC - Protection of Classified Information). For instance: the alarm must provide protection from tampering and be able to register malfunctions. The alarm system must also transmit a line fault message to the annunciator panel if the system fails. (CAT I)
5. The alarm signal must be sent to a 24/7 monitor station that is supervised continuously by U.S. citizens who have been subjected to a trustworthiness determination according to DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP). (CAT I)
6. The monitor station must be capable of notifying security forces that can respond within 15 minutes. (CAT I) *NOTE: May be reduced to a CAT II severity level finding if the monitor station is capable of notifying security forces but the security forces are not capable of responding within 15 minutes.
7. PDS alarm functionality and performance must be verified on at least a weekly basis IAW Table 5 of the CNSSI 7003. (CAT I) *NOTE: Alarm functionality tests performed less often than weekly, but at least once every 3 months, can be reduced to a CAT II severity level finding.
8. A Standard Operating Procedure (SOP) must be available, which is approved by the facility security officer or security manager and commander/director, and the PDS approval authority. (CAT III) This SOP must include procedures to:
a. Verify the alarm functionality and performance on at least a weekly basis IAW Table 5 of the CNSSI 7003.
b. Ensure response by security personnel in the area of possible attempted penetration within 15 minutes of discovery;
c. Provide for inspection of the PDS to determine the cause of the alarm;
d. Define action to be taken regarding the termination of transmission;
e. Initiate investigation of actual intrusion attempt, etc.
9. The PDS is not located within an Uncontrolled Access Area (UAA), and National Manager (NSA) approved encryption solutions must be employed. (CAT I)

Fix: F-49121r769866_fix

An Alarmed PDS is one of five types of Category 2 PDS IAW the CNSSI 7003. It is a suitable alternative for the two types of interior PDS, which are Hardened Carrier or Continuously Viewed Carrier. It should be used when the unencrypted data transmission line is concealed above suspended ceilings, below raised floors, between walls or in any situation where the line is not visible for inspection. In lieu of daily visual inspections, the functionality of the PDS alarm must be tested at least weekly - or as based on guidance in the CNSSI 7003. Ensure unencrypted SIPRNet data cables are installed in a carrier properly configured as an "Alarmed Carrier" IAW the following guidelines:
1. Ideally the carrier will be constructed of solid electrical metallic tubing (EMT), ferrous conduit or pipe, or rigid-sheet steel ducting, utilizing elbows, couplings, nipples, and connectors of the same material. Connectors need not be permanently sealed in an alarmed carrier. As a minimum, the carrier may consist of any material equal to or better than the standards for a "Simple PDS" (e.g., wood, PVC, EMT, ferrous conduit). The key to determining the appropriateness of a PDS carrier is its suitability for supporting the functionality of the approved alarm sensor, which provides a means to detect tampering and/or breach of the actual PDS carrier - *not a breach of the space surrounding the carrier. An IDS sensor capable of detecting changes in carrier air pressure is an example of an acceptable detection methodology.
2. As an alternative to an alarmed carrier, the space surrounding the entire carrier may be covered by an area or volumetric (e.g., infrared, motion detection) alarm system.
3. The carrier and/or volumetric alarm system sensor employed must be approved by the cognizant physical security authorities. Documentation must exist to support this approval.
4. The alarm system and signal transmission must be part of an Intrusion Detection System (IDS) meeting the requirements of the Appendix to Enclosure 3 of DoD Manual 5200.01, V3 (INFOSEC - Protection of Classified Information). For instance: the alarm must provide protection from tampering and be able to register malfunctions. The alarm system must also transmit a line fault message to the annunciator panel if the system fails.
5. The alarm signal must be sent to a 24/7 monitor station that is supervised continuously by U.S. citizens who have been subjected to a trustworthiness determination according to DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP).
6. The monitor station must be capable of notifying security forces that can respond within 15 minutes.
7. PDS alarm functionality and performance must be verified on at least a weekly basis IAW Table 5 of the CNSSI 7003.
8. A Standard Operating Procedure (SOP) must be available, which is approved by the facility security officer or security manager and commander/director, and the PDS approval authority. This SOP must include procedures to:
a. Verify the alarm functionality and performance on at least a weekly basis IAW Table 5 of the CNSSI 7003.
b. Ensure response by security personnel in the area of possible attempted penetration within 15 minutes of discovery;
c. Provide for inspection of the PDS to determine the cause of the alarm;
d. Define action to be taken regarding the termination of transmission;
e. Initiate investigation of actual intrusion attempt, etc.
9. The PDS must not be located within an Uncontrolled Access Area (UAA), and National Manager (NSA) approved encryption solutions must be employed.

Protected Distribution System (PDS) Construction - Visible for Inspection and Marked
Medium - V-245736 - SV-245736r822803_rule
RMF Control
Severity
Medium
CCI
Version
CS-04.02.01
Vuln IDs
  • V-245736
  • V-30940
Rule IDs
  • SV-245736r822803_rule
  • SV-40982r4_rule
A PDS that is not completely visible for inspection and easily identified cannot be properly inspected and monitored as required, which could result in undetected access, sabotage or tampering of the unencrypted transmission lines. This could directly lead to the loss or compromise of classified information.
REFERENCES:
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 35.c.
DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 4, paragraphs 5-402.c. and 5-403
DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 4, para 3.b. and 4.a.
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-4, SC-7, SC-8, and RA-6
CNSSI No. 7003, September 2015, Protected Distribution Systems (PDS), Section VIII, paragraphs 23.c. and 24.
Checks: C-49167r769868_chk

Check to ensure:
1. The PDS is visible for inspection. The Category 2 (Hardened) carrier should be installed in plain view to meet both Visual and Technical inspection requirements.
2. The PDS is not installed above a false ceiling, below a false floor, or inside a wall unless it is clear that all portions within the wall, above the ceiling or below the floor are inspectable by means identified in the PDS approval request. NOTE: If the PDS cannot be installed in plain view, or is rendered un-inspectable, then the PDS must be an alarmed carrier.
3. The PDS is marked to make it easily identifiable to the inspector. The markings should be placed at sufficient intervals to facilitate inspections; however, intervals shall not exceed 3 meters (approximately 10 feet).
4. The PDS markings consist of tape, paint, cable tags, or any other suitable method that does not obscure or impair inspection.
5. The PDS is not labeled as a PDS, or labeled with text that would indicate that it carries National Security Information (NSI).
6. The markings are not red, since this color is often used to identify fire sprinkler systems, fire alarm wires, and NSI.
7. The PDS is not painted unless using a distribution system that has a factory painted coating.

Fix: F-49122r769869_fix

1. The PDS must be visible for inspection. The Category 2 (Hardened) carrier should be installed in plain view to meet both Visual and Technical inspection requirements.
2. The PDS should not be installed above a false ceiling, below a false floor, or inside a wall unless it is clear that all portions within the wall, above the ceiling or below the floor are inspectable by means identified in the PDS approval request. NOTE: If the PDS cannot be installed in plain view, or is rendered un-inspectable, then the PDS must be an alarmed carrier.
3. The PDS must be marked to make it easily identifiable to the inspector. The markings should be placed at sufficient intervals to facilitate inspections; however, intervals shall not exceed 3 meters (approximately 10 feet).
4. The PDS markings must consist of tape, paint, cable tags, or any other suitable method that does not obscure or impair inspection.
5. The PDS must not be labeled as a PDS, or labeled with text that would indicate that it carries National Security Information (NSI).
6. The markings must not be red, since this color is often used to identify fire sprinkler systems, fire alarm wires, and NSI.
7. The PDS must not be painted unless using a distribution system that has a factory painted coating.

Protected Distribution System (PDS) Construction - Sealed Joints
Medium - V-245737 - SV-245737r822804_rule
RMF Control
Severity
Medium
CCI
Version
CS-04.02.02
Vuln IDs
  • V-245737
  • V-30949
Rule IDs
  • SV-245737r822804_rule
  • SV-40991r4_rule
A PDS that is not constructed and sealed as required could result in the undetected interception of classified information. Sealing of joints is necessary to ensure that daily visual inspections of the PDS for signs of attempted or actual intrusion can be accurately and thoroughly conducted.
REFERENCES:
  • CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 35.c.
  • DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 4, paragraphs 5-402.c. and 5-403
  • DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 4, para 3.b. and 4.a.
  • NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-4, SC-7, and SC-8
  • CNSSI No. 7003, September 2015, Protected Distribution Systems (PDS), Section VIII, paragraph 26. and Section X, paragraph 30.a & b.
Checks: C-49168r769871_chk

Check to ensure:
1. All PDS seams and connectors are permanently sealed completely around all surfaces (e.g., welding (continuous or track), epoxy, fusion).
2. When a connection consists of more than one seam (e.g., a compression couple), then all seams must be sealed.
3. The seal provides a mechanical bond between the components of the carrier and is visible for inspection.
4. Epoxy seals use a thick, opaque material.
5. Couplers that are secured with a "set screw" are not used.
6. If pull boxes are used during installation, check that the pull-box covers are secured/sealed to the pull boxes by welding or epoxy after installation.
7. If welded, at least one weld must be applied on each side of the box and cover.
8. If epoxy is used, it is applied between all mating surfaces continuously around the cover.
9. Painted surfaces are treated to form a mechanically strong epoxy bond.
10. Boxes with pre-punched knockouts are not used under any circumstances.
NOTE: If a pre-fabricated (modular types such as Holocom or Wiremold) PDS is used, it is also required to have all joints sealed as specified above.

Fix: F-49123r769872_fix

1. All PDS seams and connectors must be permanently sealed completely around all surfaces (e.g., welding (continuous or track), epoxy, fusion).
2. When a connection consists of more than one seam (e.g., a compression couple), then all seams must be sealed.
3. The seal must provide a mechanical bond between the components of the carrier and be visible for inspection.
4. Epoxy seals must use a thick, opaque material.
5. Couplers that are secured with a "set screw" must not be used.
6. If pull boxes are used during installation, the pull-box covers must be secured/sealed to the pull boxes by welding or epoxy after installation.
7. If welded, at least one weld must be applied on each side of the box and cover.
8. If epoxy is used, it must be applied between all mating surfaces continuously around the cover.
9. Painted surfaces must be treated to form a mechanically strong epoxy bond.
10. Boxes with pre-punched knockouts must not be used under any circumstances.
NOTE: If a pre-fabricated (modular types such as Holocom or Wiremold) PDS is used, it is also required to have all joints sealed as specified above.

Protected Distribution System (PDS) Documentation - Signed Approval
Low - V-245738 - SV-245738r822805_rule
RMF Control
Severity
Low
CCI
Version
CS-05.03.01
Vuln IDs
  • V-245738
  • V-30974
Rule IDs
  • SV-245738r822805_rule
  • SV-41017r3_rule
A PDS that is not approved could cause an Information System Security Manager (ISSM), Authorizing Official (AO) and other concerned managerial personnel to not be fully aware of all vulnerabilities and residual risk of IA systems under their purview.
REFERENCES:
  • CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 35.c.
  • DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 4, paragraphs 5-402.c. and 5-403
  • DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 4, para 3.b. and 4.a.
  • NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-4, SC-7, and SC-8
  • CNSSI No. 7003, September 2015, Protected Distribution Systems (PDS), Section I, paragraph 1., Section III, paragraph 5., Section 4, paragraph 11., Section V, paragraph 14., Section VIII, paragraphs 23.c. and 27.a., Section X, paragraphs 30.a & b., Section XI, paragraph 34.b.2) and Annex A.
Checks: C-49169r769874_chk

Validate that:
1. The approval authority is the system Authorizing Official (AO), cognizant security office for contractors, or other Department or Agency designee having Approval Authority for the installation and operation of the PDS, and
2. A documented approval of the PDS is signed and dated by the current approval authority.
NOTE: In tactical environments, mobile systems employing inter-shelter cabling need not be re-approved for each relocation if the relocation provides security comparable to that of the original approval. Otherwise, new approval must be obtained.

Fix: F-49124r769875_fix

1. The approval authority must be the system Authorizing Official (AO), cognizant security office for contractors, or other Department or Agency designee having Approval Authority for the installation and operation of the PDS, and
2. A documented approval of the PDS must be signed and dated by the current approval authority.
NOTE: In tactical environments, mobile systems employing inter-shelter cabling need not be re-approved for each relocation if the relocation provides security comparable to that of the original approval. Otherwise, new approval must be obtained.

Protected Distribution System (PDS) Documentation - Request for Approval Documentation
Low - V-245739 - SV-245739r822806_rule
RMF Control
Severity
Low
CCI
Version
CS-05.03.02
Vuln IDs
  • V-245739
  • V-30975
Rule IDs
  • SV-245739r822806_rule
  • SV-41019r3_rule
A PDS that is not approved could cause an Information System Security Manager (ISSM), Authorizing Official (AO) and other concerned managerial personnel to not be fully aware of all vulnerabilities and residual risk of IA systems under their purview.
REFERENCES:
  • CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 35.c.
  • DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 4, paragraphs 5-402.c. and 5-403
  • DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 4, para 3.b. and 4.a.
  • NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-4, SC-7, and SC-8
  • CNSSI No. 7003, September 2015, Protected Distribution Systems (PDS), Section I, paragraph 1., Section V, paragraph 14., Section VIII, paragraph 23.c., Section X, paragraph 30.a., and Annex A.
Checks: C-49170r769877_chk

This check concerns the documentation prepared and submitted to the PDS approval authority. Any subsequent requests for modification of the PDS should also be available for review. Check to ensure:
1. The PDS documentation is complete and current. Review a copy of the initial Request for Approval of PDS, which must contain the information IAW Annex A, CNSSI 7003.
2. Any requests for modification of the PDS approval are also available for review and contain the appropriate information.
3. PDS are recertified when modified or when the threat level or security posture changes.
4. PDS approval documentation and all updates are kept for the lifetime of the physical structure of the PDS.
5. A standard operating procedure (SOP) to ensure proper installation, maintenance, operation and inspection of the PDS is developed by the PDS owner, approved by the AO, and approved by the cognizant security authority. *The SOP must be submitted as a part of the PDS approval documentation.
NOTES: Applies in a tactical environment but will likely not be available in mobile field locations. Such documentation should be available for inspection at a location where supporting headquarters staff (ISSM, SM) would logically be located. Observations and comments may be entered, even if there is no finding.

Fix: F-49125r769878_fix

Documentation must exist for the initial request for PDS approval and any modification requests. PDS must be recertified when modified or when the threat level or security posture changes. A standard operating procedure (SOP) to ensure proper installation, maintenance, operation and inspection of the PDS must be developed by the PDS owner, approved by the AO, and approved by the cognizant security authority. *The SOP must be submitted as a part of the PDS approval documentation. PDS approval documentation and all updates should be kept for the lifetime of the physical structure of the PDS. If the initial documentation or modification requests were not prepared or documentation cannot be located the fix is to prepare a request for PDS approval IAW the CNSSI 7003 template at Annex A and submit to the approving authority for approval.

Protected Distribution System (PDS) Monitoring - Daily (Visual) Checks
Medium - V-245740 - SV-245740r822807_rule
RMF Control
Severity
Medium
CCI
Version
CS-06.02.01
Vuln IDs
  • V-245740
  • V-30976
Rule IDs
  • SV-245740r822807_rule
  • SV-41020r3_rule
A PDS that is not inspected, monitored and maintained as required could result in undetected access, sabotage or tampering of the unencrypted transmission lines. This could directly lead to the loss or compromise of classified information.
REFERENCES:
  • CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 35.c.
  • DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 4, paragraphs 5-402.c. and 5-403
  • DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 4, para 3.b. and 4.a.
  • NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-4, SC-7, SC-8, IR-4, and IR-6
  • CNSSI No. 7003, September 2015, Protected Distribution Systems (PDS), Section VIII, paragraphs 23.c. & 24., Section XI, paragraphs 31, 32, 33 and 34.a. (1) & (2), and Table 3. Visual Inspection Schedule.
Checks: C-49171r769880_chk

A PDS carrying SIPRNet cable is subject to periodic visual inspections IAW Table 3, Visual Inspection Schedule, of CNSSI 7003. Check to ensure:
1. At least one daily inspection of the PDS line is conducted, or more frequently if required by Table 3.
2. A log is maintained of the PDS inspections. The log must contain the date of the inspection, the time of the inspection, the inspector's name, and the inspector's title. The log must be kept on record for a minimum of one year.
3. Person(s) are formally appointed (in writing) to conduct the visual inspections.
4. The person(s) appointed to accomplish the visual inspection are trained sufficiently to recognize physical changes in PDS including attempts at penetration and tampering.
5. Visual PDS inspections as detailed in Table 3 are conducted 365 days a year.
NOTES: Visual inspections are not absolutely required for portions of PDS traversing a Secret or higher CAA but may be required by the AO. In a tactical environment, periodic visual checks are not applicable for Continuously Viewed Carriers since they are under continuous observation, 24 hours per day (including when operational). This check for visual inspections is only applicable to tactical environments where Hardened Carriers - versus Continuously Viewed Carriers - are used.

Fix: F-49126r769881_fix

A PDS carrying SIPRNet cable is subject to periodic visual inspections IAW Table 3, Visual Inspection Schedule, of CNSSI 7003. To correct this finding, visual checks of PDS must be completed on a continuing basis as follows:
1. At least one daily inspection of the PDS line must be conducted, or more frequently if required by Table 3.
2. A log must be maintained of the PDS inspections. The log must contain the date of the inspection, the time of the inspection, the inspector's name, and the inspector's title. The log must be kept on record for a minimum of one year.
3. Person(s) must be formally appointed (in writing) to conduct the visual inspections.
4. The person(s) appointed to accomplish the visual inspection must be trained sufficiently to recognize physical changes in PDS including attempts at penetration and tampering.
5. Visual PDS inspections as detailed in Table 3 must be conducted 365 days a year.
NOTES: Visual inspections are not absolutely required for portions of PDS traversing a Secret or higher CAA but may be required by the AO. In a tactical environment, periodic visual checks are not applicable for Continuously Viewed Carriers since they are under continuous observation, 24 hours per day (including when operational). This check for visual inspections is only applicable to tactical environments where Hardened Carriers - versus Continuously Viewed Carriers - are used.
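The inspection-log requirements above (one entry per day, or more often where Table 3 demands it; date, time, inspector name and title in every entry; one year of retention) are easy to state and easy to drift from over a year of paper logs. The following is an added example, not part of the STIG or of CNSSI 7003, of how a reviewer or ISSM could audit an electronic copy of such a log. The log entries and field names are constructed for the example; a site's own log format will differ.

```python
from datetime import date, timedelta

# Fields this check requires in every visual inspection log entry.
REQUIRED_FIELDS = ("date", "time", "inspector_name", "inspector_title")
RETENTION_DAYS = 365  # log must be kept on record for a minimum of one year

# Constructed sample log (not real inspection data): six days of entries with
# one day skipped and one entry missing the inspector's title.
SAMPLE_LOG = [
    {"date": "2024-03-01", "time": "07:55", "inspector_name": "J. Doe", "inspector_title": "Alternate Custodian"},
    {"date": "2024-03-02", "time": "08:01", "inspector_name": "J. Doe", "inspector_title": "Alternate Custodian"},
    # 2024-03-03: no entry recorded
    {"date": "2024-03-04", "time": "07:58", "inspector_name": "A. Smith", "inspector_title": ""},
    {"date": "2024-03-05", "time": "08:10", "inspector_name": "A. Smith", "inspector_title": "Facility Security Officer"},
    {"date": "2024-03-06", "time": "07:49", "inspector_name": "J. Doe", "inspector_title": "Alternate Custodian"},
]


def incomplete_fields(entry):
    """Return the names of required fields that are absent or blank in one entry."""
    return [f for f in REQUIRED_FIELDS if not str(entry.get(f, "")).strip()]


def audit_inspection_log(entries, period_start, period_end, inspections_per_day=1):
    """Audit a PDS visual inspection log over the inclusive period.

    inspections_per_day is 1 for the default daily schedule; raise it where
    Table 3 requires more frequent checks for the carrier in question.
    Returns the days that fall short of the required count and the entries
    that are missing required fields.
    """
    per_day = {}
    incomplete = []
    for entry in entries:
        missing = incomplete_fields(entry)
        if missing:
            incomplete.append((entry.get("date", "?"), missing))
        if "date" not in missing:
            day = date.fromisoformat(entry["date"])
            per_day[day] = per_day.get(day, 0) + 1

    days_short = []
    day = period_start
    while day <= period_end:
        if per_day.get(day, 0) < inspections_per_day:
            days_short.append(day)
        day += timedelta(days=1)
    return {"days_short": days_short, "incomplete": incomplete}


def retention_satisfied(entries, as_of, in_service_since):
    """True if the log reaches back at least RETENTION_DAYS (or to the date the
    PDS entered service, whichever is later)."""
    dated = [date.fromisoformat(e["date"]) for e in entries if "date" not in incomplete_fields(e)]
    if not dated:
        return False
    required_from = max(as_of - timedelta(days=RETENTION_DAYS), in_service_since)
    return min(dated) <= required_from


if __name__ == "__main__":
    result = audit_inspection_log(SAMPLE_LOG, date(2024, 3, 1), date(2024, 3, 6))
    for d in result["days_short"]:
        print(f"no inspection logged for {d}")
    for d, fields in result["incomplete"]:
        print(f"entry dated {d} is missing: {', '.join(fields)}")
    print("retention ok:", retention_satisfied(SAMPLE_LOG, date(2024, 3, 6), date(2024, 3, 1)))
```

An entry with a blank date is reported as incomplete and is not credited to any day, so a partially filled line cannot mask a missed inspection. The appointment-in-writing and training items (3 and 4) are documents the reviewer must still examine by hand.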

Protected Distribution System (PDS) Monitoring - Reporting Incidents
Medium - V-245741 - SV-245741r822808_rule
RMF Control
Severity
Medium
CCI
Version
CS-06.02.02
Vuln IDs
  • V-245741
  • V-30979
Rule IDs
  • SV-245741r822808_rule
  • SV-41023r3_rule
A PDS that is not inspected, monitored and maintained as required could result in undetected access, sabotage or tampering of the unencrypted transmission lines. This could directly lead to the loss or compromise of classified information.
REFERENCES:
  • CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 35.c.
  • DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 4, paragraphs 5-402.c. and 5-403
  • DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 4, para 3.b. and 4.a.
  • NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-4, SC-7, SC-8, IR-4, IR-6, and PE-19
  • CNSSI No. 7003, September 2015, Protected Distribution Systems (PDS), Section XI, paragraph 32.
Checks: C-49172r769883_chk

1. Check to ensure there are written procedures that cover how to handle all possible types of potential PDS incidents.
2. Check daily and technical inspection results (logs) for evidence of discovered PDS anomalies.
3. Ensure any incidents of tampering, penetration, or unauthorized interception were reported immediately to the PDS Approving Authority and the local security/law enforcement authority.
4. Subject to law enforcement procedures, which take precedence, check to ensure the PDS was not used until the incident was assessed and its security status determined.
5. If discontinued use of the PDS is or was not practical, check to ensure users of all impacted PDS were notified of the possible breach in security and instructed that use of systems running on the PDS be limited to the greatest extent possible.
6. Discovery of an anomaly in the PDS that is not properly reported and resolved is a finding. All discoveries must be documented and such documentation retained indefinitely, for as long as the PDS remains functional.
NOTES:
1. This check is applicable to tactical environments. Incidents of possible tampering must be reported to the PDS approving authority in as expeditious a manner as possible.
2. Even if there is no finding, in the reviewer notes provide a brief note of any reported incidents or anomalies previously noted by the site, including the date it was initially noted.

Fix: F-49127r769884_fix

1. A procedure must be written that covers how to handle all possible types of potential PDS incidents.
2. ALL incidents of suspected or actual tampering, penetration, or unauthorized interception must be reported immediately to the PDS Approving Authority and the local security/law enforcement authority.
3. Subject to law enforcement procedures, which take precedence, the PDS must not be used until the incident is assessed and its security status determined.
4. If discontinued use of the PDS is or was not practical, all users of impacted PDS must be notified of the possible breach in security and instructed that use of systems running on the PDS be limited to the greatest extent possible.
5. All discoveries must be documented and such documentation retained indefinitely, for as long as the PDS remains functional.

Protected Distribution System (PDS) Monitoring - Technical Inspections
Low - V-245742 - SV-245742r822809_rule
RMF Control
Severity
Low
CCI
Version
CS-06.03.01
Vuln IDs
  • V-245742
  • V-30977
Rule IDs
  • SV-245742r822809_rule
  • SV-41021r3_rule
A PDS that is not inspected, monitored and maintained as required could result in undetected access, sabotage or tampering of the unencrypted transmission lines. This could directly lead to the loss or compromise of classified information.
REFERENCES:
  • CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 35.c.
  • DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 4, paragraphs 5-402.c. and 5-403
  • DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 4, para 3.b. and 4.a.
  • NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-4, SC-7, SC-8, IR-4, IR-6, and PE-19
  • CNSSI No. 7003, September 2015, Protected Distribution Systems (PDS), Section XI, paragraph 34. and Table 4. PDS Technical Inspection Schedule.
Checks: C-49173r769886_chk

Check to ensure:
1. Technical inspections of PDS are conducted at least one or more times annually IAW Table 4, PDS Technical Inspection Schedule, of the CNSSI 7003.
2. Checks and results must be documented and retained on file for a minimum of one year, or longer if required by the AO.
3. The person selected to accomplish the technical system inspection is trained to recognize changes in the technical aspects of PDS, e.g., by-pass circuitry, attachment or removal of devices or components, inappropriate or suspicious signal levels, and mechanical, TEMPEST, and RED/BLACK integrity of the PDS. If conducted by the CTTA this meets the requirement; otherwise, sufficient documented proof of training must be provided for the person conducting the inspection.
NOTE: This check is applicable within a tactical environment in a fixed facility but not applicable in a mobile field environment.

Fix: F-49128r769887_fix

Correction of this finding can only be made by complete compliance with all the following CNSSI 7003 requirements:
1. Technical inspections of PDS must be conducted at least one or more times annually IAW Table 4, PDS Technical Inspection Schedule, of the CNSSI 7003.
2. Checks and results must be documented and retained on file for a minimum of one year, or longer if required by the AO.
3. The person selected to accomplish the technical system inspection must be trained to recognize changes in the technical aspects of PDS, e.g., by-pass circuitry, attachment or removal of devices or components, inappropriate or suspicious signal levels, and mechanical, TEMPEST, and RED/BLACK integrity of the PDS. If conducted by the CTTA this meets the requirement; otherwise, sufficient documented proof of training must be provided for the person conducting the inspection.
NOTE: This check is applicable within a tactical environment in a fixed facility but not applicable in a mobile field environment.

Protected Distribution System (PDS) Monitoring - Initial Inspection
Low - V-245743 - SV-245743r822810_rule
RMF Control
Severity
Low
CCI
Version
CS-06.03.02
Vuln IDs
  • V-245743
  • V-30978
Rule IDs
  • SV-245743r822810_rule
  • SV-41022r3_rule
A PDS that is not inspected, monitored and maintained as required could result in undetected access, sabotage or tampering of the unencrypted transmission lines. This could directly lead to the loss or compromise of classified information.
REFERENCES:
  • CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 35.c.
  • DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 4, paragraphs 5-402.c. and 5-403
  • DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 4, para 3.b. and 4.a.
  • NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-4, SC-7, SC-8, IR-4, IR-6, and PE-19
  • CNSSI No. 7003, September 2015, Protected Distribution Systems (PDS), Section IV, paragraph 10, and Section XI, paragraph 34.b. 2) a)
Checks: C-49174r769889_chk

Check to ensure:
1. The PDS was inspected prior to initial operation. Documentation of the inspection and results should be available for review. This meets the following requirement from the CNSSI 7003: "The Approval Authority (AO) must ensure PDS are inspected in accordance with SECTION XI and certified prior to initial operation."
2. The initial inspection was a technical inspection performed by a trained CTTA prior to approval of the PDS by the AO.
3. The initial inspection documented the path of the PDS, the locations for all pull boxes, and the locations for all conduit joints at intervals less than the length of conduit segments (typically 10 feet).
NOTES:
1. The PDS may be documented using detailed "as-built" installation drawings or photographs. *Subsequent technical inspections can then verify the path of the PDS and the location of pull boxes and joints.
2. When test equipment is locally available and resident expertise allows, the initial inspection should measure and record the electrical characteristics of the PDS lines to obtain a baseline electrical profile of the PDS.
3. Such measurements may consist of signal levels, voltage levels, time domain reflectometer (TDR) recorded readings, and any other electrical measurements that may be recorded and retained. *Subsequent technical inspections may then record and compare measurements taken to the previously recorded baseline measurements to identify possible tampering attempts.
4. This check is applicable in a tactical environment if the PDS is located within a fixed facility. It is not applicable to field/mobile PDS.
5. In the reviewer notes be sure to provide the date of the initial inspection, name of inspector and general description of results.

Fix: F-49129r769890_fix

Following is a reiteration of the requirement:
1. The PDS must be inspected prior to initial operation. Documentation of the inspection and results must be available for review. This meets the following requirement from the CNSSI 7003: "The Approval Authority (AO) shall ensure PDS are inspected in accordance with SECTION XI and certified prior to initial operation."
2. The initial inspection must be a technical inspection performed by a trained CTTA prior to approval of the PDS by the AO.
3. The initial inspection must document the path of the PDS, the locations for all pull boxes, and the locations for all conduit joints at intervals less than the length of conduit segments (typically 10 feet).
NOTES:
1. The PDS may be documented using detailed "as-built" installation drawings or photographs. *Subsequent technical inspections can then verify the path of the PDS and the location of pull boxes and joints.
2. When test equipment is locally available and resident expertise allows, the initial inspection should measure and record the electrical characteristics of the PDS lines to obtain a baseline electrical profile of the PDS.
3. Such measurements may consist of signal levels, voltage levels, time domain reflectometer (TDR) recorded readings, and any other electrical measurements that may be recorded and retained. *Subsequent technical inspections may then record and compare measurements taken to the previously recorded baseline measurements to identify possible tampering attempts.
4. This check is applicable in a tactical environment if the PDS is located within a fixed facility. It is not applicable to field/mobile PDS.
5. In the reviewer notes be sure to provide the date of the initial inspection, name of inspector and general description of results.
6. An initial inspection cannot be conducted after the fact once the PDS has already been placed in operation without one.
Therefore the fix for this finding is to send a written request to the PDS approval authority asking for an "initial" inspection of the PDS by an individual appointed by the approval authority. If the approval authority concurs to conduct the inspection, then this finding can be closed once the inspection is actually completed and any results from that inspection are closed. If the reply from the approval authority indicates they will not complete their "required" inspection, then the finding can be closed and the reply from the approval authority should be maintained for future reference.
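Notes 2 and 3 above describe a detection technique rather than a paperwork item: record a baseline electrical profile at the initial inspection, then have each later technical inspection compare its readings against that baseline. The following is an added example, not part of the STIG or of CNSSI 7003, of the comparison step. The baseline values, later readings, metric names and tolerances are all constructed for the example; real tolerances depend on the cable plant and instrument and would be set by the CTTA.

```python
# Constructed baseline profile recorded at the initial inspection (not real data).
# TDR reflections are the distances (metres) at which impedance discontinuities
# were observed; on a documented PDS these should line up with known joints and
# pull boxes from the as-built drawings.
BASELINE = {
    "signal_level_dbm": -12.4,
    "loop_voltage_v": 48.2,
    "tdr_reflections_m": [10.1, 20.3, 30.6],
}

# Constructed later reading: signal has dropped and a reflection has appeared
# between two documented joints.
LATER_READING = {
    "signal_level_dbm": -14.0,
    "loop_voltage_v": 48.0,
    "tdr_reflections_m": [10.2, 15.4, 20.2, 30.7],
}

# Assumed per-metric tolerances (instrument repeatability plus seasonal drift).
TOLERANCES = {
    "signal_level_dbm": 1.0,
    "loop_voltage_v": 0.5,
    "tdr_reflections_m": 0.3,
}

SCALAR_METRICS = ("signal_level_dbm", "loop_voltage_v")


def compare_to_baseline(baseline, current, tolerances):
    """Return a list of anomalies found when comparing current readings to the baseline.

    Each anomaly is a dict with a "kind" key:
      level_drift     - a scalar metric moved by more than its tolerance
      new_reflection  - a TDR discontinuity with no baseline counterpart
      lost_reflection - a baseline discontinuity that is no longer observed
    """
    anomalies = []

    for metric in SCALAR_METRICS:
        delta = current[metric] - baseline[metric]
        if abs(delta) > tolerances[metric]:
            anomalies.append({
                "kind": "level_drift",
                "metric": metric,
                "baseline": baseline[metric],
                "current": current[metric],
                "delta": round(delta, 3),
            })

    # Match each observed reflection to the nearest unmatched baseline
    # reflection within tolerance; whatever is left over on either side is
    # reported. A new reflection between documented joints is exactly the
    # signature a technical inspector is looking for.
    tol = tolerances["tdr_reflections_m"]
    unmatched = list(baseline["tdr_reflections_m"])
    for dist in current["tdr_reflections_m"]:
        candidates = [b for b in unmatched if abs(b - dist) <= tol]
        if candidates:
            unmatched.remove(min(candidates, key=lambda b: abs(b - dist)))
        else:
            anomalies.append({"kind": "new_reflection", "distance_m": dist})
    for b in unmatched:
        anomalies.append({"kind": "lost_reflection", "distance_m": b})

    return anomalies


if __name__ == "__main__":
    for a in compare_to_baseline(BASELINE, LATER_READING, TOLERANCES):
        print(a)
```

Any anomaly this produces is a reason to escalate under the incident-reporting check, not a verdict on its own; a re-terminated joint or a replaced pull box will also move the profile, which is why the as-built documentation and the modification-request history need to be reviewed alongside the readings.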

Environmental IA Controls - Emergency Power Shut-Off (EPO)
Medium - V-245744 - SV-245744r1008534_rule
RMF Control
Severity
Medium
CCI
Version
EC-01.02.01
Vuln IDs
  • V-245744
  • V-30983
Rule IDs
  • SV-245744r1008534_rule
  • SV-41027r3_rule
A lack of an emergency shut-off switch or a master power switch for electricity to IT equipment could cause damage to the equipment or injury to personnel during an emergency.
REFERENCES:
  • DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 1, paragraph 5-104
  • NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-10 and PE-10(1)
  • NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook
  • NIST SP 800-100, Information Security Handbook: A Guide for Managers
  • NFPA 79 & OSHA Emergency Stop Requirement
Checks: C-49175r1008532_chk

Check that an emergency power cut-off (EPO) switch is located inside the IT room or area near the main entrance/exit. It must be clearly labeled and have a protective cover. Per NFPA 76 and OSHA Emergency Stop Requirements, the EPO shall be bright yellow with a red button. An emergency push button, "e-stop" or emergency stop/disconnection is required where there is a risk of an emergency or potential unsafe condition for equipment or for the operator. The switch shall be continually operable, readily accessible, and initiated via a single human action via a mechanical latching mechanism. This requirement is only for computer centers with large server rooms and/or supporting infrastructure rooms hosting large amounts of network equipment and/or equipment such as chillers, battery backup, transformers, etc.
NOTES: In general, a server/computer room will have raised floor space and air conditioning and host multiple servers. The requirement should not be applied to purely administrative/office space. Also, this requirement should not be applied to a tactical environment unless it is clearly an "established" fixed computer facility supporting missions in a Theater of Operations. The standards to be applied to determine applicability in a tactical environment are:
1. The facility containing the computer room has been in operation more than one year.
2. The facility is a "fixed facility" - a hard building made from normal construction materials (wood, steel, brick, stone, mortar, etc.).

Fix: F-49130r1008533_fix

1. A master power switch or emergency cut-off switch for the IT equipment must be located inside the IT area near the main entrance.
2. The emergency switch must be properly labeled.
3. The emergency switch must be protected by a cover to prevent accidental shut-off of the power.
NOTE: Per NFPA 76 and OSHA Emergency Stop Requirements, the EPO shall be bright yellow with a red button. An emergency push button, "e-stop" or emergency stop/disconnection is required where there is a risk of an emergency or potential unsafe condition for equipment or for the operator. The switch shall be continually operable, readily accessible, and initiated via a single human action via a mechanical latching mechanism.

Environmental IA Controls - Emergency Lighting and Exits - Properly Installed
Medium - V-245745 - SV-245745r822812_rule
RMF Control
Severity
Medium
CCI
Version
EC-02.02.01
Vuln IDs
  • V-245745
  • V-30984
Rule IDs
  • SV-245745r822812_rule
  • SV-41028r3_rule
Lack of automatic emergency lighting and exits can cause injury and/or death to employees and emergency responders. Lack of automatic emergency lighting can also cause a disruption in service.
REFERENCES:
  • DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 1, paragraph 5-104
  • NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-12 and PE-12(1)
  • NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook
  • NIST SP 800-100, Information Security Handbook: A Guide for Managers
Checks: C-49176r769895_chk

Check that emergency lighting and exits are located in IT areas.
NOTES: This requirement should not be applied to a tactical environment, unless it is a fixed computer facility supporting missions in a Theater of Operations. The standards to be considered for applicability in a tactical environment are:
1) The facility containing the computer room has been in operation over one year.
2) The facility is a "fixed facility" - a hard building made from normal construction materials - wood, steel, brick, stone, mortar, etc.

Fix: F-49131r769896_fix

Emergency lighting and exit signage must be installed in areas containing information systems.

Environmental IA Controls - Emergency Lighting and Exits - Documentation and Testing
Low - V-245746 - SV-245746r822813_rule
RMF Control
Severity
Low
CCI
Version
EC-02.03.01
Vuln IDs
  • V-245746
  • V-30985
Rule IDs
  • SV-245746r822813_rule
  • SV-41029r3_rule
Lack of automatic emergency lighting can cause injury and/or death to employees and emergency responders. Lack of automatic emergency lighting can also cause a disruption in service.
REFERENCES:
  • DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 1, paragraph 5-104
  • NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-1, PE-12 and PE-12(1)
  • NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook
  • NIST SP 800-100, Information Security Handbook: A Guide for Managers
Checks: C-49177r769898_chk

Review Emergency Lighting and Exit documentation and testing. Check to ensure:
1. There are written procedures for emergency exit.
2. Evacuation routes are posted within the facility for employee reference.
3. The plan is rehearsed on a periodic basis.
4. Emergency lighting is tested on a periodic basis.
NOTES: This requirement should not be applied to a tactical environment, unless it is a fixed computer facility supporting missions in a Theater of Operations. The considerations to be applied for applicability in a tactical environment are:
1) The facility containing the computer room has been in operation over one year.
2) The facility is a "fixed facility" - a hard building made from normal construction materials - wood, steel, brick, stone, mortar, etc.

Fix: F-49132r769899_fix

Emergency Lighting and Exit documentation and testing:
1. There must be written procedures for emergency exit.
2. Evacuation routes must be posted in the facility for employee reference.
3. The emergency exit plan must be rehearsed on a periodic basis.
4. Emergency lighting must be tested on a periodic basis.

Environmental IA Controls - Voltage Control (power)
Low - V-245747 - SV-245747r822814_rule
RMF Control
Severity
Low
CCI
Version
EC-03.03.01
Vuln IDs
  • V-245747
  • V-30987
Rule IDs
  • SV-245747r822814_rule
  • SV-41031r3_rule
Failure to use automatic voltage control can result in damage to the IT equipment, creating a service outage.
REFERENCES:
DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 1, paragraph 5-104
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-9(2)
NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook
NIST SP 800-100, Information Security Handbook: A Guide for Managers
Checks: C-49178r769901_chk

Check that there is an IT area voltage control unit and that it is being utilized for all key IT assets.
NOTES: This requirement should not be applied to a tactical environment, unless it is a fixed computer facility supporting missions in a Theater of Operations. The standards to be applied for applicability in a tactical environment are:
1) The facility containing the computer room has been in operation over one year.
2) The facility is a "fixed facility" - a hard building made from normal construction materials - wood, steel, brick, stone, mortar, etc.

Fix: F-49133r769902_fix

An Information Technology (IT) area voltage control unit must be installed and used for all key IT assets.

Environmental IA Controls - Emergency Power
Medium - V-245748 - SV-245748r917363_rule
RMF Control
Severity
Medium
CCI
Version
EC-03.02.02
Vuln IDs
  • V-245748
  • V-61629
Rule IDs
  • SV-245748r917363_rule
  • SV-76119r1_rule
Failure to have alternative power sources available can result in significant impact to mission accomplishment and information technology systems, including potential loss of data and damage to the IT equipment during a commercial power service outage.
REFERENCES:
DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 1, paragraph 5-104
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-11 and PE-11(1) & (2)
NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook
NIST SP 800-100, Information Security Handbook: A Guide for Managers
Checks: C-49179r917152_chk

Check that alternate sources of power are available for key IT system assets. Specifically, check that both of the following requirements are complied with:
1. A short-term uninterruptible power supply is available to facilitate an orderly shutdown of the information system and transition of the information system to longer-term alternate power (if available) in the event of a primary power source loss. (CAT II)
2. Where such alternative sources of power are not available, the need for additional short-term or long-term alternative power sources, such as use of a secondary commercial power supply or use of one or more generators with sufficient capacity to meet the needs of the organization, has been considered in the organization's Holistic Risk Assessment. (CAT III)
NOTES:
1. In general, rule application will be for major computing centers with raised floor space. The requirement should not be applied to administrative/office space. This requirement should also not be applied to a tactical environment, unless it is a fixed computer facility supporting missions in a Theater of Operations. The standards to be applied for applicability in a tactical environment are:
1) The facility containing the computer room has been in operation over one year.
2) The facility is a "fixed facility" - a hard building made from normal construction materials - wood, steel, brick, stone, mortar, etc.
2. It is not necessary for the risk assessment to specifically address the need for long-term alternative power if it is actually available at the site.

Fix: F-49134r917153_fix

A short-term uninterruptible power supply must be installed to facilitate an orderly shutdown of the information system and transition of the information system to longer-term alternate power (if available) in the event of a primary power source loss. Additionally, where such alternative sources of power are not available, the need for additional short-term or long-term alternative power sources, such as use of a secondary commercial power supply or use of one or more generators with sufficient capacity to meet the needs of the organization, must be considered in the organization's Holistic Risk Assessment.

Environmental IA Controls - Training
Low - V-245749 - SV-245749r822816_rule
RMF Control
Severity
Low
CCI
Version
EC-04.03.01
Vuln IDs
  • V-245749
  • V-30988
Rule IDs
  • SV-245749r822816_rule
  • SV-41032r3_rule
If employees have not received training on the environmental controls, they will not be able to respond to fluctuations in environmental conditions, which could damage equipment and ultimately disrupt operations.
REFERENCES:
DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 1, paragraph 5-104
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AT-3(1)
NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook
NIST SP 800-100, Information Security Handbook: A Guide for Managers
Checks: C-49180r769907_chk

Check training records to ensure that all required personnel have received their initial and periodic (minimum annually) environmental control training (specifically humidity/temperature). Ask personnel how they respond to an environmental alarm.
NOTES: This requirement should not be applied to a tactical environment, unless it is a fixed computer facility supporting missions in a Theater of Operations. The standards to be applied for applicability in a tactical environment are:
1) The facility containing the computer room has been in operation for more than one year.
2) The facility is a "fixed facility" - a hard building made from normal construction materials - wood, steel, brick, stone, mortar, etc.

Fix: F-49135r769908_fix

1. All required personnel involved with Information Technology (IT) area/computer rooms must receive initial and periodic (minimum annually) environmental control training (specifically regarding humidity/temperature controls).
2. Training records must be updated to reflect this special training.

Environmental IA Controls - Temperature
Low - V-245750 - SV-245750r822817_rule
RMF Control
Severity
Low
CCI
Version
EC-05.03.01
Vuln IDs
  • V-245750
  • V-30989
Rule IDs
  • SV-245750r822817_rule
  • SV-41033r3_rule
Lack of temperature controls can lead to fluctuations in temperature, which could be potentially harmful to personnel or equipment operation.
REFERENCES:
DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 1, paragraph 5-104
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-14 and PE-14(1) & (2)
NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook
NIST SP 800-100, Information Security Handbook: A Guide for Managers
Checks: C-49181r769910_chk

Check to see if temperature controls have been installed. Automatic controls are preferred and should be installed where personnel are not available 24/7 on site to respond to and correct anomalies and situations. Otherwise, it is permissible for alarms to be used when temperatures fluctuate, requiring manual employee intervention.
NOTES:
1. In general, such an area will be in raised floor space. The requirement should not be applied to administrative/office space. This requirement should also not be applied to a tactical environment, unless it is a fixed computer facility supporting missions in a Theater of Operations. The standards to be applied for applicability in a tactical environment are:
1) The facility containing the computer room has been in operation over one year.
2) The facility is a "fixed facility" - a hard building made from normal construction materials - wood, steel, brick, stone, mortar, etc.
2. Use of alarms with manual intervention should be supported by specific assessment within the organizational holistic risk assessment.

Fix: F-49136r769911_fix

Ensure that temperature controls have been installed as follows: Automatic controls are preferred and should be installed where personnel are not available 24/7 on site to respond to and correct anomalies and situations. Otherwise, it is permissible for alarms to be used when temperatures fluctuate, requiring manual employee intervention. Note that use of alarms with manual intervention should also be supported by specific assessment within the organizational holistic risk assessment.

Environmental IA Controls - Humidity
Low - V-245751 - SV-245751r822818_rule
RMF Control
Severity
Low
CCI
Version
EC-06.03.01
Vuln IDs
  • V-245751
  • V-30990
Rule IDs
  • SV-245751r822818_rule
  • SV-41034r3_rule
Fluctuations in humidity can be potentially harmful to personnel or equipment, causing the loss of services or productivity.
REFERENCES:
DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 1, paragraph 5-104
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-14 and PE-14(1) & (2)
NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook
NIST SP 800-100, Information Security Handbook: A Guide for Managers
Checks: C-49182r769913_chk

Check to see if humidity controls have been installed in all IT areas. Automatic controls are preferred and should be installed where personnel are not available 24/7 on site to respond to and correct anomalies and situations. Otherwise, it is permissible for alarms to be used when humidity levels fluctuate, requiring manual employee intervention.
NOTES:
1. In general, such an area will be in raised floor space. The requirement should not be applied to administrative/office space. This requirement should also not be applied to a tactical environment, unless it is a fixed computer facility supporting missions in a Theater of Operations. The standards to be applied for applicability in a tactical environment are:
1) The facility containing the computer room has been in operation over one year.
2) The facility is a "fixed facility" - a hard building made from normal construction materials - wood, steel, brick, stone, mortar, etc.
2. Use of alarms with manual intervention should be supported by specific assessment within the organizational holistic risk assessment.

Fix: F-49137r769914_fix

Ensure that humidity controls have been installed in Information Technology (IT) areas (Computer Rooms) to protect personnel and equipment operation, as follows: Automatic controls are preferred and should be installed where personnel are not available 24/7 on site to respond to and correct anomalies and situations. Otherwise, it is permissible for alarms to be used when humidity levels fluctuate, requiring manual employee intervention. Adjustments to humidity control systems can be made manually. Note that use of alarms with manual intervention should also be supported by specific assessment within the organizational holistic risk assessment.

Environmental IA Controls - Fire Inspections/Discrepancies
Low - V-245752 - SV-245752r822819_rule
RMF Control
Severity
Low
CCI
Version
EC-07.03.01
Vuln IDs
  • V-245752
  • V-30991
Rule IDs
  • SV-245752r822819_rule
  • SV-41036r3_rule
Failure to conduct fire inspections and correct any discrepancies could result in hazardous situations leading to a possible fire and loss of service.
REFERENCES:
DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 1, paragraph 5-104
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-13(4)
NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook
NIST SP 800-100, Information Security Handbook: A Guide for Managers
Checks: C-49183r769916_chk

Check fire marshal inspection reports and documentation that verifies discrepancies are addressed and corrected. Inspections must be conducted on at least an annual basis.
NOTES:
1. In general, this should be applied to major IT equipment areas (generally computer rooms with raised floor space containing servers and communications equipment). The requirement should not be applied to administrative/office space.
2. Also, this requirement should not be applied to a tactical environment, unless it is a fixed computer facility supporting missions in a Theater of Operations. The standards to be applied for applicability in a tactical environment are:
1) The facility containing the computer room has been in operation over one year.
2) The facility is a "fixed facility" - a hard building made from normal construction materials - wood, steel, brick, stone, mortar, etc.
3. Even if there is no finding, the reviewer should note in the report the date the last fire marshal or similar inspection was conducted, with a summary of results. This information could be useful during subsequent inspections.

Fix: F-49138r769917_fix

Periodic fire marshal inspections of Information Technology (IT) computing facilities must be conducted (minimum annually), and discrepancies noted during the inspections must be promptly addressed.

Environmental IA Controls - Fire Detection and Suppression
Low - V-245753 - SV-245753r822820_rule
RMF Control
Severity
Low
CCI
Version
EC-08.03.01
Vuln IDs
  • V-245753
  • V-30992
Rule IDs
  • SV-245753r822820_rule
  • SV-41037r3_rule
Failure to provide adequate fire detection and suppression could result in the loss of or damage to data, equipment, facilities, or personnel.
REFERENCES:
DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 1, paragraph 5-104
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-13 and PE-13(1), (2), (3) and (4)
NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook
NIST SP 800-100, Information Security Handbook: A Guide for Managers
Checks: C-49184r769919_chk

1. Check to ensure a fully automatic fire detection and suppression system is installed for information system areas that automatically activates when it detects heat, smoke, or particles.
2. Check that a servicing fire department receives an automatic notification of any activation of the smoke detection or fire suppression system.
3. Check for periodic fire detection and suppression test logs.
4. Check that the fire detection and suppression system(s) are supported by an independent or alternate (backup) energy source.
NOTES: This check applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Fire suppression and detection devices/systems include, for example, sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors.

Fix: F-49139r769920_fix

An adequate fire detection and suppression system must be installed and must be periodically tested. The following considerations must be incorporated into the system:
1. A fully automatic fire detection and suppression system must be installed for information system areas that automatically activates when it detects heat, smoke, or particles.
2. A servicing fire department must receive an automatic notification of any activation of the smoke detection or fire suppression system.
3. Periodic testing of the fire detection and suppression system must be conducted.
4. The fire detection and suppression system(s) must be supported by an independent or alternate (backup) energy source.

TEMPEST Countermeasures
Medium - V-245754 - SV-245754r822821_rule
RMF Control
Severity
Medium
CCI
Version
EM-01.02.01
Vuln IDs
  • V-245754
  • V-30980
Rule IDs
  • SV-245754r822821_rule
  • SV-41024r3_rule
Failure to implement required TEMPEST countermeasures could leave the system(s) vulnerable to a TEMPEST attack.
REFERENCES:
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND)
DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 11
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-18, PE-19(1), and SC-8
Committee on National Security Systems Policy 300, "National Policy on Control of Compromising Emanations," April 2004, as amended
Committee on National Security Systems Instruction 7000, "TEMPEST Countermeasures for Facilities," May 2004, as amended
DoDI 8500.01, SUBJECT: Cybersecurity, March 14, 2014
Checks: C-49185r769922_chk

1. Determine if TEMPEST countermeasures are required based on the geographical location and classification level processed. TEMPEST considerations apply to all OCONUS locations and select CONUS locations.
2. If required, ask to see a TEMPEST assessment. Verify the TEMPEST assessment was conducted by a Certified TEMPEST Technical Authority (CTTA).
3. Determine through inspection and/or interview if any required TEMPEST countermeasures are implemented.
4. TEMPEST countermeasures may or may not be feasible in a tactical environment. This can only be determined through a proper Risk Assessment, which is coordinated with a supporting CTTA for matters concerning emanations security.
5. Where required (OCONUS in particular), check to ensure an assessment of TEMPEST risk and applicability of countermeasures is included in a risk assessment and that the supporting CTTA was consulted. This process may be conducted by the Major US Combatant Command for Theater level operations rather than by individual units or location-based commands. The key element in determining if this requirement is met is that any possible risk resulting from emanations is properly considered and documented.
NOTES: Where TEMPEST must be considered, even if there is no finding, the reviewer should note in the report whether a CTTA has conducted a TEMPEST review, the date it was completed, and the countermeasures recommended. Further note in the report whether specific consideration for TEMPEST was provided in the site risk assessment.

Fix: F-49140r769923_fix

1. Where TEMPEST is required to be considered, a Certified TEMPEST Technical Authority (CTTA) must evaluate Emanation Security concerns, and the countermeasures recommended from this evaluation must be properly applied.
2. Where TEMPEST is required, an assessment of TEMPEST risk and applicability of countermeasures must be included in the site risk assessment, and the supporting CTTA must be consulted.
NOTE: TEMPEST countermeasures are required based on the geographical location and classification level processed. TEMPEST considerations apply to all OCONUS locations and select CONUS locations.

TEMPEST - Red/Black separation (Processors)
Medium - V-245755 - SV-245755r822822_rule
RMF Control
Severity
Medium
CCI
Version
EM-02.02.01
Vuln IDs
  • V-245755
  • V-30981
Rule IDs
  • SV-245755r822822_rule
  • SV-41025r3_rule
Failure to maintain proper separation could result in detectable emanations of classified information.
REFERENCES:
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND)
DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 11
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-19 & PE-19(1)
Committee on National Security Systems Policy 300, "National Policy on Control of Compromising Emanations," April 2004, as amended
Committee on National Security Systems Instruction 7000, "TEMPEST Countermeasures for Facilities," May 2004, as amended
DoDI 8500.01, SUBJECT: Cybersecurity, March 14, 2014
CNSSAM TEMPEST/1-13, 17 January 2014, RED/BLACK Installation Guidance
Checks: C-49186r769925_chk

Check for minimum separation between any RED processor and BLACK equipment IAW the following guidance:
A separation distance of 1 meter (39 inches) shall be provided between RED equipment and:
1. BLACK wirelines that connect to RF transmitters; and
2. BLACK equipment with lines that connect to RF transmitters.
A separation distance of 30 cm (12 inches) shall be provided between RED equipment and BLACK wirelines that directly leave the inspectable space.
NOTES:
1. This requirement is applicable in a tactical environment.
2. The supporting Certified TEMPEST Technical Authority (CTTA) should always be contacted for specific separation requirements, which may be greater than the distance reflected in this check.
3. Inspectable Space is the three-dimensional space surrounding equipment that processes classified and/or sensitive information, within which TEMPEST exploitation is not considered practical or where legal authority to identify and remove a potential TEMPEST exploitation exists and is exercised. CTTAs have the authority to define the inspectable space.

Fix: F-49141r769926_fix

A separation distance of 1 meter (39 inches) shall be provided between RED equipment and:
1. BLACK wirelines that connect to RF transmitters; and
2. BLACK equipment with lines that connect to RF transmitters.
A separation distance of 30 cm (12 inches) shall be provided between RED equipment and BLACK wirelines that directly leave the inspectable space.
NOTES:
1. This requirement is applicable in a tactical environment.
2. The supporting CTTA should always be contacted for specific separation requirements, which may be greater than the distance reflected in this check.
3. Inspectable Space is the three-dimensional space surrounding equipment that processes classified and/or sensitive information, within which TEMPEST exploitation is not considered practical or where legal authority to identify and remove a potential TEMPEST exploitation exists and is exercised. CTTAs have the authority to define the inspectable space.

TEMPEST - Red/Black Separation (Cables)
Medium - V-245756 - SV-245756r822823_rule
RMF Control
Severity
Medium
CCI
Version
EM-03.02.01
Vuln IDs
  • V-245756
  • V-30982
Rule IDs
  • SV-245756r822823_rule
  • SV-41026r3_rule
Failure to maintain proper separation could result in detectable emanations of classified information.
REFERENCES:
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND)
DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 11
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-19 & PE-19(1)
Committee on National Security Systems Policy 300, "National Policy on Control of Compromising Emanations," April 2004, as amended
Committee on National Security Systems Instruction 7000, "TEMPEST Countermeasures for Facilities," May 2004, as amended
DoDI 8500.01, SUBJECT: Cybersecurity, March 14, 2014
CNSSAM TEMPEST/1-13, 17 January 2014, RED/BLACK Installation Guidance
Checks: C-49187r769928_chk

Check that, unless separated by a metal distribution system such as conduit or enclosed cable tray, a minimum separation distance of 5 cm (2 inches), or 15 cm (6 inches) for parallel cable lengths over 30 meters (98.4 feet), is provided between any RED wire line and: BLACK wire lines that exit the inspectable space or are connected to an RF transmitter; BLACK power lines; or a digital switch (such as a computerized telephone switch or network router) that is contained within the inspectable space.
NOTES:
1. This requirement is applicable in a tactical environment.
2. The supporting CTTA should always be contacted for specific separation requirements, which may be greater than the distance reflected in this check.
3. Inspectable Space is the three-dimensional space surrounding equipment that processes classified and/or sensitive information, within which TEMPEST exploitation is not considered practical or where legal authority to identify and remove a potential TEMPEST exploitation exists and is exercised. CTTAs have the authority to define the inspectable space.

Fix: F-49142r769929_fix

Unless separated by a metal distribution system such as conduit or enclosed cable tray, a minimum separation distance of 5 cm (2 inches), or 15 cm (6 inches) for parallel cable lengths over 30 meters (98.4 feet), shall be provided between any RED wire line and: BLACK wire lines that exit the inspectable space or are connected to an RF transmitter; BLACK power lines; or a digital switch (such as a computerized telephone switch or network router) that is contained within the inspectable space.
NOTES:
1. This requirement is applicable in a tactical environment.
2. The supporting CTTA should always be contacted for specific separation requirements, which may be greater than the distance reflected in this check.
3. Inspectable Space is the three-dimensional space surrounding equipment that processes classified and/or sensitive information, within which TEMPEST exploitation is not considered practical or where legal authority to identify and remove a potential TEMPEST exploitation exists and is exercised. CTTAs have the authority to define the inspectable space.

Foreign National System Access - Identification as FN in E-mail Address
Medium - V-245757 - SV-245757r1008537_rule
RMF Control
Severity
Medium
CCI
Version
FN-01.02.01
Vuln IDs
  • V-245757
  • V-31210
Rule IDs
  • SV-245757r1008537_rule
  • SV-41407r3_rule
Unauthorized access by foreign nationals to Information Systems can result in, among other things, security incidents, compromise of the system, or the introduction of a virus.
REFERENCES:
National Disclosure Policy - 1 (NDP-1)
National Security Directive 42, "National Policy for the Security of National Security Telecommunications and Information Systems"
DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations. SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information. Use guidance on sharing information with REL Partners on SIPRNET at http://www.ssc.smil.mil/. Follow the Policy/Guidance&Documentation link and then SIPRNet Information Sharing.
DODD 5230.20, Visits, Assignments, and Exchanges of Foreign Nationals
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure A, Paragraph 7.d.
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-1, AC-2, CA-1, and IA-4(4)
DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 11.
Checks: C-49188r1008535_chk

When organizations grant foreign nationals access to U.S. DOD systems, check to ensure foreign nationals (including those foreign nationals serving in the US military) granted e-mail privileges on DOD systems are clearly identified as such in their e-mail addresses IAW DoDI 8500.01, SUBJECT: Cybersecurity, and CJCSI 6510.01F.
TACTICAL ENVIRONMENT: This check is applicable where LN/FN are employed in a tactical environment with access to U.S. or Coalition Forces Systems.

Fix: F-49143r1008536_fix

Foreign Nationals (including those foreign nationals serving in the US military) granted e-mail privileges on DOD systems must be clearly identified as such in their e-mail addresses IAW DoDI 8500.01, SUBJECT: Cybersecurity, and CJCSI 6510.01F.

Foreign National System Access - Local Access Control Procedures
Low - V-245758 - SV-245758r917321_rule
RMF Control
Severity
Low
CCI
Version
FN-01.03.01
Vuln IDs
  • V-245758
  • V-31199
Rule IDs
  • SV-245758r917321_rule
  • SV-41387r3_rule
Unauthorized access by foreign nationals to Information Systems can result in, among other things, security incidents, compromise of the system, or the introduction of a virus.
REFERENCES:
National Disclosure Policy - 1 (NDP-1)
National Security Directive 42, "National Policy for the Security of National Security Telecommunications and Information Systems"
DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations. SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information. Use guidance on sharing information with REL Partners on SIPRNET at http://www.ssc.smil.mil/ - follow the Policy/Guidance&Documentation link and then SIPRNet Information Sharing.
DODD 5230.20, Visits, Assignments, and Exchanges of Foreign Nationals
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND)
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-1, AC-2, AC-3, AC-24, PS-4, PS-5, CA-1, MA-5(4) and IA-4(4)
DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 11.
DOD Manual 5200.02, Procedures for the DOD Personnel Security Program (PSP), 3 April 2017
DOD 8570.01-M, Information Assurance Workforce Improvement Program
DODD 8140.01, Cyberspace Workforce Management
DODI 8140.02, Identifying-Tracking and Reporting of Cyberspace Workforce Requirements
DODM 8140.03, Cyberspace Workforce Qualification and Management System
Checks: C-49189r917154_chk

1. When organizations grant foreign nationals access to U.S. DOD systems, check to ensure there are written procedures to guide system administrators. There are numerous categories of foreign military and civilian personnel which should be addressed, as applicable to the site or organization, including the following:
- Foreign Liaison Officers (FLO)
- Foreign Exchange Officers
- REL Partners
- Coalition Partners
- Foreign Nationals/Local Nationals (FN/LN) employed by DOD Organizations Overseas under SOFA
- Foreign Nationals employed by Government contractors
- Foreign Nationals or immigrant aliens not affiliated with or representing their Country of citizenship, who may be granted a Limited Access Authorization (LAA) for access to US Classified.
2. Reviewers must validate that local procedures adequately cover all possible foreign national encounters applicable to the site and ensure guidance is correct and follows regulatory standards.
3. Reviewers must ensure the system access request forms used clearly indicate that the applicant for systems access is a foreign national.
TACTICAL ENVIRONMENT: This check is applicable where LN/FN are employed in a tactical environment with access to US or Coalition Forces Systems.

Fix: F-49144r917155_fix

1. Local written procedures to guide system administrators must be developed when granting foreign nationals access to U.S. DOD systems.
NOTE: There are numerous categories of foreign military and civilian personnel which should be addressed, as applicable to the site or organization, including the following:
- Foreign Liaison Officers (FLO)
- Foreign Exchange Officers
- REL Partners
- Coalition Partners
- Foreign Nationals/Local Nationals (FN/LN) employed by DOD Organizations Overseas under SOFA
- Foreign Nationals employed by Government contractors
- Foreign Nationals or immigrant aliens not affiliated with or representing their Country of citizenship, who may be granted a Limited Access Authorization (LAA) for access to US Classified.
2. Local procedures must cover all possible foreign national encounters applicable to the site and ensure guidance is correct and follows regulatory standards.
3. System Access Authorization Request (SAAR) forms used by the site must clearly indicate the applicant for systems access is a foreign national.
NOTE: DODM 8570 requirements will be met until full implementation of DODM 8140.03 requirements. Implementation dates for DOD Manual 8140.03 include a two-year timeline for personnel (civilian and military) in positions coded with cybersecurity work roles and three years for personnel (civilian and military) in positions coded with work roles in any other workforce element. The dates for required qualification would be 15 February 2025 for cybersecurity work roles and the same date in February 2026 for all Defense Cyber Workforce Framework work roles.

Foreign National (FN) Systems Access - Local Nationals Overseas System Access - (SIPRNet or Other Classified System or Classified Network being Reviewed)
High - V-245759 - SV-245759r917322_rule
RMF Control:
Severity: High
CCI:
Version: FN-02.01.01
Vuln IDs:
  • V-245759
  • V-31215
Rule IDs:
  • SV-245759r917322_rule
  • SV-41417r3_rule
Failure to subject foreign nationals to background checks could result in the loss or compromise of classified or sensitive information by foreign sources.

REFERENCES:
National Disclosure Policy - 1 (NDP-1)
National Security Directive 42, "National Policy for the Security of National Security Telecommunications and Information Systems"
DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations
SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information. Use guidance on sharing information with REL Partners on SIPRNET at http://www.ssc.smil.mil/ - follow the Policy/Guidance & Documentation link and then SIPRNet Information Sharing...
DODD 5230.20, Visits, Assignments, and Exchanges of Foreign Nationals
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, para 26.c.(2) & (3)
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-1, AC-2, AC-3, AC-24, CA-1, PS-4, PS-5, PM-9, MA-5(4) and IA-4(4)
DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 11.
DOD Manual 5200.02, Procedures for the DOD Personnel Security Program (PSP), 3 April 2017
DOD 8570.01-M, Information Assurance Workforce Improvement Program, para C.3.2.4.8.2, C.8.2.7 & AP1.19
DODD 8140.01, Cyberspace Workforce Management
DODI 8140.02, Identifying, Tracking, and Reporting of Cyberspace Workforce Requirements
DODM 8140.03, Cyberspace Workforce Qualification and Management System
Checks: C-49190r917157_chk

Check that all local foreign nationals hired by DOD organizations overseas do not have access to classified systems and information unless:
1. Permitted by National Disclosure Policy - AND
2. Allowed under the applicable Status of Forces Agreement (SOFA) - AND
3. A proper background investigation/personnel vetting/security clearance adjudication for each FN granted access has been successfully completed IAW the SOFA and all other applicable DOD guidance. Security Clearance and access levels MUST be provided ONLY to the minimum necessary for mission accomplishment.
4. A Delegation of Disclosure Authority Letter (DDL) or similar approved certification method documenting approved access to US Classified information is available for review.

TACTICAL ENVIRONMENT: This check is applicable where LN/FN are employed in a tactical environment with access to US or Coalition Forces Systems.

Fix: F-49145r917158_fix

All local foreign nationals (FN) hired by DOD organizations overseas must not have access to classified systems and information unless:
1. Permitted by National Disclosure Policy and the applicable SOFA - AND
2. A proper background investigation/personnel vetting/security clearance adjudication has been successfully completed for each FN granted systems access IAW the SOFA and all applicable DOD guidance.
3. Security Clearance and access levels MUST be provided ONLY to the minimum necessary for mission accomplishment.
4. A Delegation of Disclosure Authority Letter (DDL) or similar approved certification method documenting approved access to US Classified information must be available for review.

NOTE: DODM 8570 requirements will be met until full implementation of DODM 8140.03 requirements. Implementation dates for DOD Manual 8140.03 include a two-year timeline for personnel (civilian and military) in positions coded with cybersecurity work roles and three years for personnel (civilian and military) in positions coded with work roles in any other workforce element. The dates for required qualification would be 15 February 2025 for cybersecurity work roles and the same date in February 2026 for all Defense Cyber Workforce Framework work roles.

Foreign National (FN) Systems Access - Local Nationals Overseas System Access - (NIPRNet User)
Medium - V-245761 - SV-245761r917323_rule
RMF Control:
Severity: Medium
CCI:
Version: FN-02.02.01
Vuln IDs:
  • V-245761
  • V-31211
Rule IDs:
  • SV-245761r917323_rule
  • SV-41411r3_rule
Failure to subject foreign nationals to background checks could result in the loss or compromise of classified or sensitive information by foreign sources.

REFERENCES:
National Disclosure Policy - 1 (NDP-1)
National Security Directive 42, "National Policy for the Security of National Security Telecommunications and Information Systems"
DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations
SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information. Use guidance on sharing information with REL Partners on SIPRNET at http://www.ssc.smil.mil/ - follow the Policy/Guidance & Documentation link and then SIPRNet Information Sharing...
DODD 5230.20, Visits, Assignments, and Exchanges of Foreign Nationals
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, para 26.c.(2) & (3)
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-1, AC-2, AC-3, AC-24, CA-1, PS-4, PS-5, PM-9, MA-5(4) and IA-4(4)
DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 11.
DOD Manual 5200.02, Procedures for the DOD Personnel Security Program (PSP), 3 April 2017, paragraph 6.4.f.
DOD 8570.01-M, Information Assurance Workforce Improvement Program, para C.3.2.4.8.2, C.8.2.7 & AP1.19
DODD 8140.01, Cyberspace Workforce Management
DODI 8140.02, Identifying, Tracking, and Reporting of Cyberspace Workforce Requirements
DODM 8140.03, Cyberspace Workforce Qualification and Management System
Checks: C-49192r917160_chk

Check that all local foreign nationals hired by DOD organizations overseas, with NIPRNet user access, are employed IAW the applicable Status of Forces Agreement (SOFA) and meet the following requirements:
1. Access to DOD ISs is authorized only by the DOD Component head in accordance with DOD, Department of State, and ODNI disclosure guidance, as applicable.
2. Mechanisms are in place to limit access strictly to information that has been cleared for release to the represented foreign nation, coalition, or international organization (e.g., North Atlantic Treaty Organization) in accordance with policy guidance for unclassified information, such as DODD 5230.20E and DODI 5230.27.
3. The Foreign Nationals have the following successfully adjudicated checks:
a. Host government, law enforcement and security agency checks at the city, state (province), and national level, whenever permissible by the laws of the host government.
b. Favorable DCII checks.
c. FBI-HQ/ID (where information exists regarding residence by the foreign national in the U.S. or a Territory for one year or more since age 18).

TACTICAL ENVIRONMENT: This check is applicable where LN/FN are employed in a tactical environment with access to Unclassified US or Coalition Forces Systems.

Fix: F-49147r917161_fix

All local foreign nationals hired by DOD organizations overseas, with NIPRNet user access, must be employed IAW the applicable Status of Forces Agreement (SOFA) and meet the following requirements:
1. Access to DOD ISs is authorized only by the DOD Component head in accordance with DOD, Department of State, and ODNI disclosure guidance, as applicable.
2. Mechanisms are in place to limit access strictly to information that has been cleared for release to the represented foreign nation, coalition, or international organization (e.g., North Atlantic Treaty Organization) in accordance with policy guidance for unclassified information, such as DODD 5230.20E and DODI 5230.27.
3. The Foreign Nationals have the following successfully adjudicated checks:
a. Host government, law enforcement and security agency checks at the city, state (province), and national level, whenever permissible by the laws of the host government.
b. Favorable DCII checks.
c. FBI-HQ/ID (where information exists regarding residence by the foreign national in the U.S. or a Territory for one year or more since age 18).

NOTE: DODM 8570 requirements will be met until full implementation of DODM 8140.03 requirements. Implementation dates for DOD Manual 8140.03 include a two-year timeline for personnel (civilian and military) in positions coded with cybersecurity work roles and three years for personnel (civilian and military) in positions coded with work roles in any other workforce element. The dates for required qualification would be 15 February 2025 for cybersecurity work roles and the same date in February 2026 for all Defense Cyber Workforce Framework work roles.

Foreign National (FN) Systems Access - Delegation of Disclosure Authority Letter (DDL)
Medium - V-245762 - SV-245762r917324_rule
RMF Control:
Severity: Medium
CCI:
Version: FN-02.02.02
Vuln IDs:
  • V-245762
  • V-31223
Rule IDs:
  • SV-245762r917324_rule
  • SV-41432r3_rule
Unauthorized access by foreign nationals to Information Systems can result in, among other things, security incidents, compromise of the system, or the introduction of a virus.

REFERENCES:
National Disclosure Policy - 1 (NDP-1)
National Security Directive 42, "National Policy for the Security of National Security Telecommunications and Information Systems"
DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations
SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information. Specifically note paragraphs 4.6.3., E2.1.4. and Enclosure 4. Use guidance on sharing information with REL Partners on SIPRNET at http://www.ssc.smil.mil/ - follow the Policy/Guidance & Documentation link and then SIPRNet Information Sharing...
DODD 5230.20, Visits, Assignments, and Exchanges of Foreign Nationals, paragraph 4.4.
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, para 26.c.(2) & (3)
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-1, AC-2, AC-3, AC-24, CA-1, PS-4, PS-5, PM-9, MA-5(4) and IA-4(4)
DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 11.
DOD Manual 5200.02, Procedures for the DOD Personnel Security Program (PSP), 3 April 2017
DOD 8570.01-M, Information Assurance Workforce Improvement Program, para C.3.2.4.8.2, C.8.2.7 & AP1.19
DODD 8140.01, Cyberspace Workforce Management
DODI 8140.02, Identifying, Tracking, and Reporting of Cyberspace Workforce Requirements
DODM 8140.03, Cyberspace Workforce Qualification and Management System
Checks: C-49193r917163_chk

1. Check that a Delegation of Disclosure Authority Letter (DDL) is on hand for each assigned REL partner or other FN partner granted Limited Access to US Classified.
NOTE: All disclosures and denials of classified military information are reported in the Foreign Disclosure and Technical Information System (FORDTIS), and it might also be possible for reviewers to request visual access to validate foreign clearance approvals at sites. However, a DDL is required for access to any US Classified information.
2. The organization's supporting Foreign Disclosure/Contact Officer (FDO) will be the ultimate POC for this.

TACTICAL ENVIRONMENT: This check is applicable where REL Partners or other FN allies are employed in a tactical environment with access to US Classified or Sensitive Systems.

Fix: F-49148r917164_fix

A Delegation of Disclosure Authority Letter (DDL) must be on hand for each assigned REL partner or other FN partner granted Limited Access to US Classified systems or information.

NOTE 1: All disclosures and denials of classified military information are reported in the Foreign Disclosure and Technical Information System (FORDTIS). A DDL is required to validate and set parameters for FN access to any US Classified information.

NOTE 2: The organization's supporting Foreign Disclosure/Contact Officer (FDO) will be the POC for this.

NOTE 3: DODM 8570 requirements will be met until full implementation of DODM 8140.03 requirements. Implementation dates for DOD Manual 8140.03 include a two-year timeline for personnel (civilian and military) in positions coded with cybersecurity work roles and three years for personnel (civilian and military) in positions coded with work roles in any other workforce element. The dates for required qualification would be 15 February 2025 for cybersecurity work roles and the same date in February 2026 for all Defense Cyber Workforce Framework work roles.

Foreign National System Access - FN or Immigrant Aliens (not representing a foreign government or entity) System Access - Limited Access Authorization (LAA)
High - V-245763 - SV-245763r917325_rule
RMF Control:
Severity: High
CCI:
Version: FN-03.01.01
Vuln IDs:
  • V-245763
  • V-31225
Rule IDs:
  • SV-245763r917325_rule
  • SV-41434r3_rule
Failure to verify citizenship and proper authorization for access to either sensitive or classified information could enable personnel to have access to classified or sensitive information to which they are not entitled.

REFERENCES:
National Disclosure Policy - 1 (NDP-1)
National Security Directive 42, "National Policy for the Security of National Security Telecommunications and Information Systems"
DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations
SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information. Use guidance on sharing information with REL Partners on SIPRNET at http://www.ssc.smil.mil/ - follow the Policy/Guidance & Documentation link and then SIPRNet Information Sharing...
DODD 5230.20, Visits, Assignments, and Exchanges of Foreign Nationals
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, para 26.c.(2) & (3)
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-1, AC-2, AC-3, AC-24, CA-1, PS-3, PS-4, PS-5, PM-9, MA-5(4) and IA-4(4)
DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 11.
DOD Manual 5200.02, Procedures for the DOD Personnel Security Program (PSP), 3 April 2017, Section 6.
DOD 8570.01-M, Information Assurance Workforce Improvement Program, para C.3.2.4.8.2, C.8.2.7 & AP1.19
DODD 8140.01, Cyberspace Workforce Management
DODI 8140.02, Identifying, Tracking, and Reporting of Cyberspace Workforce Requirements
DODM 8140.03, Cyberspace Workforce Qualification and Management System
DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, CHAPTER 10 International Security Requirements, Section 5. International Visits and Control of Foreign Nationals, and Section 6. Contractor Operations Abroad, paragraph 10-601.b
Checks: C-49194r917166_chk

BACKGROUND INFORMATION: Compelling reasons may exist to grant access to classified information to an immigrant alien or a foreign national. Such individuals may be granted a "Limited Access Authorization" (LAA) in those rare circumstances where a non-U.S. citizen - NOT REPRESENTING A FOREIGN GOVERNMENT OR OTHER ENTITY - possesses a unique or unusual skill or expertise that is urgently needed in pursuit of a specific DOD requirement involving access to specified classified information for which a cleared or clearable U.S. citizen is not available. LAAs may be granted only at the SECRET and CONFIDENTIAL level. LAAs for TOP SECRET are prohibited. Interim access is not authorized pending approval of an LAA.

1. Check to ensure that all non-U.S. citizens fitting the above described situation have had an LAA granted prior to being permitted access to sensitive duties, classified information and/or systems.
2. Ensure that the information the non-U.S. citizen has access to is approved for release to the person's country or countries of citizenship, in accordance with DOD Directive 5230.11.
3. Ensure the non-U.S. citizen has been the subject of a favorably completed (within the last 5 years) and adjudicated SSBI prior to granting an LAA. If the SSBI cannot provide full investigative coverage, a polygraph examination (if there are no host country legal prohibitions) to resolve the remaining personnel security issues must be favorably completed before granting access.
4. Ensure that if geographical, political, or medical situations prevent the full completion of the SSBI or prevent the polygraph examination to supplement a less than full SSBI, the LAA was granted only with approval of the DDI(I&S).

TACTICAL ENVIRONMENT: This check is applicable where any non-U.S. citizens (not representing a foreign Government or entity) are employed in a tactical environment with access to US Classified or Sensitive Systems.

Fix: F-49149r917167_fix

BACKGROUND INFORMATION: Compelling reasons may exist to grant access to classified information to an immigrant alien or a foreign national. Such individuals may be granted a "Limited Access Authorization" (LAA) in those rare circumstances where a non-U.S. citizen - NOT REPRESENTING A FOREIGN GOVERNMENT OR OTHER ENTITY - possesses a unique or unusual skill or expertise that is urgently needed in pursuit of a specific DOD requirement involving access to specified classified information for which a cleared or clearable U.S. citizen is not available. LAAs may be granted only at the SECRET and CONFIDENTIAL level. LAAs for TOP SECRET are prohibited. Interim access is not authorized pending approval of an LAA.

1. All non-U.S. citizens fitting the above described situation must have an LAA granted prior to being permitted access to sensitive duties, classified information and/or systems.
2. The information the non-U.S. citizen has access to must be approved for release to the person's country or countries of citizenship, in accordance with DOD Directive 5230.11.
3. The non-U.S. citizen must be the subject of a favorably completed (within the last 5 years) and adjudicated SSBI prior to granting an LAA. If the SSBI cannot provide full investigative coverage, a polygraph examination (if there are no host country legal prohibitions) to resolve the remaining personnel security issues must be favorably completed before granting access.
4. If geographical, political, or medical situations prevent the full completion of the SSBI or prevent the polygraph examination to supplement a less than full SSBI, an LAA may be granted only with approval of the DDI(I&S).

NOTE: DODM 8570 requirements will be met until full implementation of DODM 8140.03 requirements. Implementation dates for DOD Manual 8140.03 include a two-year timeline for personnel (civilian and military) in positions coded with cybersecurity work roles and three years for personnel (civilian and military) in positions coded with work roles in any other workforce element. The dates for required qualification would be 15 February 2025 for cybersecurity work roles and the same date in February 2026 for all Defense Cyber Workforce Framework work roles.

Foreign National (FN) System Access - FN or Immigrant Aliens (not representing a foreign government or entity) with LAA Granted Uncontrolled Access
High - V-245764 - SV-245764r917326_rule
RMF Control:
Severity: High
CCI:
Version: FN-03.01.02
Vuln IDs:
  • V-245764
  • V-31227
Rule IDs:
  • SV-245764r917326_rule
  • SV-41436r3_rule
Failure to verify citizenship and proper authorization for access to either sensitive or classified information could enable personnel to have access to classified or sensitive information to which they are not entitled. Further, uncontrolled/unsupervised access to physical facilities can lead directly to unauthorized access to classified or sensitive information.

REFERENCES:
National Disclosure Policy - 1 (NDP-1)
National Security Directive 42, "National Policy for the Security of National Security Telecommunications and Information Systems"
DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations
SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information. Use guidance on sharing information with REL Partners on SIPRNET at http://www.ssc.smil.mil/ - follow the Policy/Guidance & Documentation link and then SIPRNet Information Sharing...
DODD 5230.20, Visits, Assignments, and Exchanges of Foreign Nationals
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, para 26.c.(2) & (3)
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-1, AC-2, AC-3, AC-24, CA-1, PS-3, PS-4, PS-5, PM-9, MA-5(4) and IA-4(4)
DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 11.
DOD Manual 5200.02, Procedures for the DOD Personnel Security Program (PSP), 3 April 2017, Section 6.
DOD 8570.01-M, Information Assurance Workforce Improvement Program, para C.3.2.4.8.2, C.8.2.7 & AP1.19
DODD 8140.01, Cyberspace Workforce Management
DODI 8140.02, Identifying, Tracking, and Reporting of Cyberspace Workforce Requirements
DODM 8140.03, Cyberspace Workforce Qualification and Management System
DOD Manual 5200.01, Volume 1, SUBJECT: DOD Information Security Program: Overview, Classification, and Declassification, Encl 2, para 9.j.(1) and Encl 3, para 5.b., 7.b.(5), 12.e.
DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information, Encl 3, para 5, Encl 4, para 2.c., Appendix to Encl 4, para 1.f. and Encl 7.
DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, CHAPTER 10 International Security Requirements, Section 5. International Visits and Control of Foreign Nationals, and Section 6. Contractor Operations Abroad, paragraph 10-601.b.
Checks: C-49195r917169_chk

1. Check to ensure that personnel granted LAAs are not permitted uncontrolled access to areas where classified information is stored or discussed (safes, vaults and secure rooms in particular). Classified information must be maintained in a location that will be under the continuous control and supervision of an appropriately cleared U.S. citizen.
2. Check to ensure that access to DOD information systems is properly controlled so that any FN granted an LAA has systems access only to that sensitive (CUI) or classified information to which they are specifically authorized. This check will require close coordination and consultation with a network reviewer or SME.

TACTICAL ENVIRONMENT: This check is applicable where any non-U.S. citizens (not representing a foreign Government or entity) are employed in a tactical environment with access to US Classified or Sensitive Systems.

Fix: F-49150r917170_fix

1. Personnel granted LAAs must not be permitted uncontrolled access to areas where classified information is stored or discussed (safes, vaults and secure rooms in particular). Classified information must be maintained in a location that will be under the continuous control and supervision of an appropriately cleared U.S. citizen.
2. Access granted to DOD information systems must be properly controlled so that any FN granted an LAA has systems access only to that sensitive (CUI) or classified information to which they are specifically authorized.

NOTE: DODM 8570 requirements will be met until full implementation of DODM 8140.03 requirements. Implementation dates for DOD Manual 8140.03 include a two-year timeline for personnel (civilian and military) in positions coded with cybersecurity work roles and three years for personnel (civilian and military) in positions coded with work roles in any other workforce element. The dates for required qualification would be 15 February 2025 for cybersecurity work roles and the same date in February 2026 for all Defense Cyber Workforce Framework work roles.

Foreign National (FN) Physical Access Control - Areas Containing US Only Information Systems Workstations/Monitor Screens, Equipment, Media or Documents
High - V-245765 - SV-245765r917327_rule
RMF Control:
Severity: High
CCI:
Version: FN-04.01.01
Vuln IDs:
  • V-245765
  • V-31242
Rule IDs:
  • SV-245765r917327_rule
  • SV-41465r3_rule
Physically co-locating REL Partners or other FN - who have limited or no access to the SIPRNet or other US Classified systems - near US personnel in a collateral classified (Secret or higher) open storage area or in a Secret or higher Controlled Access Area (CAA) that processes classified material is permissible for operational efficiency and coordination. Limiting and controlling physical access to information visible on system monitor screens, information processing equipment containing classified data, removable storage media and printed documents is especially important in mixed US/FN environments. Inadequate access and procedural controls can result in FN personnel having unauthorized access to classified materials and data, which can result in the loss or compromise of classified information, including NOFORN information.

Appropriate but simple physical and procedural security measures must be put in place to ensure the FN partners do not have unauthorized access to information not approved for release to them. The primary control measure is to either keep US Only classified documents, information systems equipment and/or associated removable storage media under continuous observation and control of a cleared US employee, or place such items in an approved safe when unattended. Additionally, escorting visitors AND all FN employees/personnel into any area where there is US Only classified processing, documents, media, equipment or materials is not only a prudent security measure but an absolute requirement to prevent both intentional (insider threat) and unintentional (inadvertent) unauthorized exposure to classified materials and information.

Following are applicable excerpts from CJCSI 6510.01F pertaining to control of US Only workstation spaces (in particular SCIFs and secure rooms):

7. Information and Information System Access. Access to DOD ISs is a revocable privilege and shall be granted to individuals based on need-to-know and IAW DODI 8500.2, NSTISSP No. 200, "National Policy on Controlled Access Protection", Status of Forces Agreements for host national access, and DOD 5200.2-R, "Personnel Security System".
b. Individual foreign nationals may be granted access to specific classified U.S. networks and systems as specifically authorized under Information Sharing guidance outlined in changes to National Disclosure Policy (NDP-1).
(1) Classified ISs shall be sanitized or configured to guarantee that foreign nationals have access only to classified information that has been authorized for disclosure to the foreign national's government or coalition, and is necessary to fulfill the terms of their assignments.
(2) U.S.-only classified workstations shall be under strict U.S. control at all times.

27. Foreign Access.
f. Foreign National Access to U.S.-Only Workstations and Network Equipment. CC/S/As shall:
(1) Maintain strict U.S. control of U.S.-only workstations and network equipment at all times.
(4) Announce presence. If a foreign national is permitted access to U.S.-controlled workstation space, the individual must be announced, must wear a badge clearly identifying him or her as a foreign national, and must be escorted at all times. In addition, a warning light must be activated if available and screens must be covered or blanked.

REFERENCES:
National Disclosure Policy - 1 (NDP-1)
National Security Directive 42, "National Policy for the Security of National Security Telecommunications and Information Systems"
DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations
SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information. Use guidance on sharing information with REL Partners on SIPRNET at http://www.ssc.smil.mil/ - follow the Policy/Guidance & Documentation link and then SIPRNet Information Sharing...
DODD 5230.20, Visits, Assignments, and Exchanges of Foreign Nationals
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl A, para 7.b.(1) & (2) and Encl C, para 27.f.
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-5, PE-18, PS-3(1), PS-6, PS-6(1), PS-6(2)
DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 11.
DOD Manual 5200.02, Procedures for the DOD Personnel Security Program (PSP), 3 April 2017, Section 6.
DOD 8570.01-M, Information Assurance Workforce Improvement Program, para C.3.2.4.8.2, C.8.2.7 & AP1.19
DODD 8140.01, Cyberspace Workforce Management
DODI 8140.02, Identifying, Tracking, and Reporting of Cyberspace Workforce Requirements
DODM 8140.03, Cyberspace Workforce Qualification and Management System
DOD Manual 5200.01, Volume 1, SUBJECT: DOD Information Security Program: Overview, Classification, and Declassification, Encl 2, para 9.j.(1) and Encl 3, para 5.b., 7.b.(5), 12.e.
DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information, Encl 3, para 5, Encl 4, para 2.c., Appendix to Encl 4, para 1.f. and Encl 7.
DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, CHAPTER 10 International Security Requirements, Section 5. International Visits and Control of Foreign Nationals
Checks: C-49196r917172_chk

THIS REQUIREMENT PERTAINS TO CLASSIFIED ENVIRONMENTS such as Secret or higher vaults or classified open storage areas (secure rooms or SCIFs) WHERE FN partners ARE PRESENT with limited or no access to classified information/systems, in particular the SIPRNet. This is important to note, because without the FN presence in such an environment, placement of classified documents and classified removable media in safes when unattended would not normally be necessary/required.

CHECK #1: Check to ensure all classified and sensitive documents and removable storage media containing US Only information are either under the continuous observation and control of cleared US personnel or placed in an approved GSA container (safe) when not in use and under proper US control. (CAT I)

The requirement in check #2 is complementary to the requirement covered in check #1. Unescorted access to areas where US Only classified equipment, documents and media are present must not be granted to any FN (regardless of clearance level) when cleared US personnel are not present to provide oversight.

CHECK #2: Check to ensure FN access to classified open storage areas (includes vaults, secure rooms, and SCIFs) containing SIPRNet assets is permitted only during normal working hours when US personnel are present to provide oversight. (CAT I)

TACTICAL ENVIRONMENT: This check is applicable where REL partners/LN/FN are employed within fixed facilities in a tactical environment with access to US Systems.

Fix: F-49151r917173_fix

This fix pertains to mixed classified environments containing US Only systems and media where FN partners are present:
1. All classified and sensitive documents and removable storage media containing US Only information must either be under the continuous observation and control of cleared US personnel or placed in an approved GSA container (safe) when not in use and under proper US control.
2. Foreign National (FN) access to classified open storage areas (includes vaults, secure rooms, and SCIFs) must be permitted only during normal working hours when US personnel are present to provide oversight.

NOTE: DODM 8570 requirements will be met until full implementation of DODM 8140.03 requirements. Implementation dates for DOD Manual 8140.03 include a two-year timeline for personnel (civilian and military) in positions coded with cybersecurity work roles and three years for personnel (civilian and military) in positions coded with work roles in any other workforce element. The dates for required qualification would be 15 February 2025 for cybersecurity work roles and the same date in February 2026 for all Defense Cyber Workforce Framework work roles.

Foreign National (FN) Physical Access Control - (Identification Badges)
Low - V-245766 - SV-245766r822827_rule
RMF Control
Severity
Low
CCI
Version
FN-04.03.01
Vuln IDs
  • V-245766
  • V-31243
Rule IDs
  • SV-245766r822827_rule
  • SV-41466r3_rule
Failure to limit access to information visible on system monitor screens in mixed US/FN environments can result in FN personnel having unauthorized access to classified information, which can result in the loss or compromise of classified information, including NOFORN information. Physically co-locating REL Partners or other FN - who have limited access to the SIPRNet or other US Classified systems - near US personnel in a collateral classified (Secret) open storage area or in a Secret Controlled Access Area (CAA) that processes classified material is permissible for operational efficiency and coordination. Appropriate but simple physical and procedural security measures must be put in place to ensure the FN partners do not have unauthorized access to information not approved for release to them. Ensuring that US employees can clearly identify FN workers is an important control measure and can be accomplished by requiring the FN employees or partners to wear picture identification badges that clearly identify their affiliated/represented Country. Wearing of Country specific military uniforms can also be used.

REFERENCES:
National Disclosure Policy - 1 (NDP-1)
National Security Directive 42, "National Policy for the Security of National Security Telecommunications and Information Systems"
DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations
SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information. Use guidance on sharing information with REL Partners on SIPRNET at http://www.ssc.smil.mil/ - follow Policy/Guidance&Documentation link and then SIPRNet Information Sharing...
DODD 5230.20, Visits, Assignments, and Exchanges of Foreign Nationals
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, para 27.f.(4).
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-2, PE-3, PE-5, PE-6, PE-8, PE-18
DoDI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 11.
DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), 3 April 2017
DoD Manual 5200.01, Volume 1, SUBJECT: DoD Information Security Program: Overview, Classification, and Declassification, Encl 2, para 9.j.(1) and Encl 3, para 5.b., 7.b.(5), 12.e.
DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 7.
DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, CHAPTER 10 International Security Requirements, Section 5. International Visits and Control of Foreign Nationals
Checks: C-49197r769958_chk

Check to ensure foreign local nationals (LN) hired by DOD organizations overseas IAW the applicable SOFA are issued and wear identification/access badges that clearly distinguish them as foreign national employees. REL Partners and FN Liaison and Exchange personnel in OCONUS and CONUS locations must also be provided and wear identification/access badges that clearly distinguish them as foreign national partners. If practical they should also be required to wear the military uniform of their host country - although FN out of uniform should not be an automatic finding. The intent is to enable US personnel to clearly distinguish between FN and US personnel.

Following is an applicable excerpt from CJCSI 6510.01F pertaining to controlled US Only workstation spaces: "Announce presence. If a foreign national is permitted access to controlled US work station space, the individual must be announced, must wear a badge clearly identifying him or her as a FN, and must be escorted at all times. In addition a warning light must be activated if available and screens must be covered or blanked."

TACTICAL ENVIRONMENT: This check is applicable where LN/FN are employed in a tactical environment with access to US Systems.

Fix: F-49152r769959_fix

1. "Foreign" local nationals (LN) hired by DOD organizations overseas IAW the applicable SOFA must be issued and wear identification/access badges that clearly distinguish them as foreign national employees.

2. REL Partners and FN Liaison and Exchange personnel in both OCONUS and CONUS locations must also be provided and wear identification/access badges that clearly distinguish them as foreign national partners. If practical they should also be required to wear the military uniform of their host country - although FN out of uniform should not be an automatic finding. The intent is to enable US personnel to clearly distinguish between FN and US personnel.

Following is an applicable excerpt from CJCSI 6510.01F pertaining to controlled US Only workstation spaces: "Announce presence. If a foreign national is permitted access to controlled US work station space, the individual must be announced, must wear a badge clearly identifying him or her as a FN, and must be escorted at all times. In addition a warning light must be activated if available and screens must be covered or blanked."

Foreign National (FN) Administrative Controls - Proper Investigation and Clearance for Access to Classified Systems and/or Information Assurance (IA) Positions of Trust
High - V-245767 - SV-245767r917328_rule
RMF Control
Severity
High
CCI
Version
FN-05.01.01
Vuln IDs
  • V-245767
  • V-31264
Rule IDs
  • SV-245767r917328_rule
  • SV-41506r3_rule
Failure to validate that FN partners or employees have the required security clearance levels for access to classified systems and/or the proper level of background investigation for IA Positions of Trust could result in untrustworthy Foreign Nationals having access to classified or sensitive US systems. In situations where they have been assigned to IA positions of trust this consideration becomes even more critical, as they could adversely impact the CIA of the systems, possibly without being easily discovered.

REFERENCES:
National Disclosure Policy - 1 (NDP-1)
National Security Directive 42, "National Policy for the Security of National Security Telecommunications and Information Systems"
DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations
SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information. Use guidance on sharing information with REL Partners on SIPRNET at http://www.ssc.smil.mil/ - follow Policy/Guidance&Documentation link and then SIPRNet Information Sharing...
DODD 5230.20, Visits, Assignments, and Exchanges of Foreign Nationals
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, para 27.f.
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-2, AC-3, PS-2, PS-3 and PS-6
DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 11.
DOD Manual 5200.02, Procedures for the DOD Personnel Security Program (PSP), 3 April 2017
DOD Manual 5200.01, Volume 1, SUBJECT: DOD Information Security Program: Overview, Classification, and Declassification, Encl 2, para 9.j.(1) and Encl 3, para 5.b., 7.b.(5), 12.e.
DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information, Encl 2, para 3 & 4; Encl 3, para 5; Encl 4, para 2.c.; Appendix to Encl 4, para 1.f.
DOD 8570.01-M, Information Assurance Workforce Improvement Program, para C.3.2.4.8.2, C.8.2.7 & AP1.19
DODD 8140.01, Cyberspace Workforce Management
DODI 8140.02, Identifying-Tracking and Reporting of Cyberspace Workforce Requirements
DODM 8140.03, Cyberspace Workforce Qualification and Management System
DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, CHAPTER 10 International Security Requirements, Section 5. International Visits and Control of Foreign Nationals
Checks: C-49198r769961_chk

Check that all foreign national partners or FN employees with SIPRNet access (or if applicable a classified Coalition System in the US Partition) have the proper investigation and clearance level required for their classified system access or IA position of trust. Normally this will be accomplished by reciprocally accepting the partner Country equivalent security clearance. TACTICAL ENVIRONMENT: This check is applicable where REL partners/LN/FN are employed in a tactical environment with access to classified US Systems or Coalition Systems.

Fix: F-49153r917175_fix

All foreign national (FN) partners or FN employees with SIPRNet access (or if applicable a classified Coalition System in the US Partition) must have the proper investigation and clearance level required for their level of classified system access or IA position of trust. Normally this will be accomplished by reciprocally accepting the partner Country equivalent security clearance.

NOTE: DODM 8570 requirements will be met until full implementation of DODM 8140.03 requirements. Implementation dates for DOD Manual 8140.03 include a two-year timeline for personnel (civilian and military) in positions coded with cybersecurity work roles and three years for personnel (civilian and military) in positions coded with work roles in any other workforce element. The dates for required qualification would be 15 February 2025 for cybersecurity work roles and the same date in February 2026 for all Defense Cyber Workforce Framework work roles.

Foreign National (FN) Administrative Controls - Written Procedures and Employee Training
Medium - V-245768 - SV-245768r917329_rule
RMF Control
Severity
Medium
CCI
Version
FN-05.02.01
Vuln IDs
  • V-245768
  • V-31263
Rule IDs
  • SV-245768r917329_rule
  • SV-41502r3_rule
Failure to limit access for Foreign Nationals to classified information can result in the loss or compromise of NOFORN information. Documented local policies and procedures concerning what information FN employees or partners have access to and what they are excluded from having, what physical access limitations and allowances are in place, how to recognize a FN (badges, uniforms, etc.), steps to take to sanitize a work area before a FN can access the area, etc. are an essential part of controlling FN access. Just as important as development of policy and procedure is the training/familiarization of both employees and assigned FNs with the rules of interaction.

REFERENCES:
National Disclosure Policy - 1 (NDP-1)
National Security Directive 42, "National Policy for the Security of National Security Telecommunications and Information Systems"
DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations
SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information. Use guidance on sharing information with REL Partners on SIPRNET at http://www.ssc.smil.mil/ - follow Policy/Guidance&Documentation link and then SIPRNet Information Sharing...
DODD 5230.20, Visits, Assignments, and Exchanges of Foreign Nationals
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, paragraphs 5, 6.f.(1), 9.b., 10., 27.a, 27.b., 27.c., 27.e. (8) and 27.f.
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-1, PL-1, PL-4, AT-1, AT-2, AT-3, PE-2(1), PE-2(3) and PE-3
DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 11.
DOD Manual 5200.02, Procedures for the DOD Personnel Security Program (PSP), 3 April 2017
DOD Manual 5200.01, Volume 1, SUBJECT: DOD Information Security Program: Overview, Classification, and Declassification, Encl 3, para 5.b.
DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information, Encl 3, para 5; Encl 4, para 2.c.; Appendix to Encl 4, para 1.f.; Encl 7
DOD 8570.01-M, Information Assurance Workforce Improvement Program, para C.3.2.4.8.2, C.8.2.7 & AP1.19
DODD 8140.01, Cyberspace Workforce Management
DODI 8140.02, Identifying-Tracking and Reporting of Cyberspace Workforce Requirements
DODM 8140.03, Cyberspace Workforce Qualification and Management System
DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, CHAPTER 10 International Security Requirements, Section 5. International Visits and Control of Foreign Nationals
Checks: C-49199r917177_chk

Check to ensure that US employees clearly understand the differences and limitations between REL Officers, other NATO partners, Non-NATO partners and Coalition Partners. In a mixed US/FN partner environment the US personnel must know exactly what information can be shared and what cannot be shared, or how to readily determine this information. For example, the restrictions and cautions for partners from Belgium, Germany, France will be significantly greater relative to viewing anything on SIPRNet work stations versus the Australia, Canada, Great Britain partners. This can only be done if there are written local procedures and initial/recurring (at least annual) employee training to ensure familiarization with the rules for sharing classified and sensitive information with our partners. It is recommended that employees sign an acknowledgement that they understand their responsibilities for sharing information, but this is not to be required.

This particular check should be validated by specifically checking for written procedures and training records. This subject can be included in the initial and annual site security awareness training but must be clearly detailed as having been properly completed. The effectiveness of the program can be validated by conducting random employee interviews concerning their understanding of rules covering sharing classified and sensitive information with FN partners assigned to or visiting their organization/site. Any one of the following three items will result in a finding: lack of written procedures, lack of training, or evidence that employees are not familiar with the rules for information sharing.

TACTICAL ENVIRONMENT: This check is applicable where REL partners/LN/FN are employed in a tactical environment with access to US Systems.

Fix: F-49154r917178_fix

BACKGROUND: US employees must clearly understand the differences and limitations between REL Officers, other NATO partners, Non-NATO partners and Coalition Partners. In a mixed US/FN partner environment the US personnel must know exactly what information can be shared and what cannot be shared, or how to readily determine this information. For example, the restrictions and cautions for partners from Belgium, Germany, France will be significantly greater relative to viewing anything on SIPRNet work stations versus the Australia, Canada, Great Britain partners.

REQUIREMENT: There must be written local procedures and initial/recurring (at least annual) employee training to ensure familiarization with the rules for sharing classified and sensitive information with our partners. This topic must be included in the initial and annual site security awareness training. Any one of the following three items will result in a finding:

1. Lack of written procedures,
2. Lack of training, or
3. Clear evidence employees are not familiar with the rules for information sharing.

NOTE: DODM 8570 requirements will be met until full implementation of DODM 8140.03 requirements. Implementation dates for DOD Manual 8140.03 include a two-year timeline for personnel (civilian and military) in positions coded with cybersecurity work roles and three years for personnel (civilian and military) in positions coded with work roles in any other workforce element. The dates for required qualification would be 15 February 2025 for cybersecurity work roles and the same date in February 2026 for all Defense Cyber Workforce Framework work roles.

Foreign National (FN) Administrative Controls - Procedures for Requests to Provide Foreign Nationals System Access
Medium - V-245769 - SV-245769r917330_rule
RMF Control
Severity
Medium
CCI
Version
FN-05.02.02
Vuln IDs
  • V-245769
  • V-31265
Rule IDs
  • SV-245769r917330_rule
  • SV-41516r3_rule
Unauthorized access by foreign nationals to Information Systems can result in, among other things, security incidents, compromise of the system, or the introduction of a virus.

REFERENCES:
National Disclosure Policy - 1 (NDP-1)
National Security Directive 42, "National Policy for the Security of National Security Telecommunications and Information Systems"
DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations
SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information. Use guidance on sharing information with REL Partners on SIPRNET at http://www.ssc.smil.mil/ - follow Policy/Guidance&Documentation link and then SIPRNet Information Sharing...
DODD 5230.20, Visits, Assignments, and Exchanges of Foreign Nationals
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, paragraphs 26.c.(3) and 27.f.
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: CA-1, AC-2, AC-3, PS-1, PS-2 and PS-3
DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 11.
DOD Manual 5200.02, Procedures for the DOD Personnel Security Program (PSP), 3 April 2017
DOD Manual 5200.01, Volume 1, SUBJECT: DOD Information Security Program: Overview, Classification, and Declassification, Encl 2, para 9.j.(1).
DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information, Encl 7
DOD 8570.01-M, Information Assurance Workforce Improvement Program, para C.3.2.4.8.2 & AP1.19
DODD 8140.01, Cyberspace Workforce Management
DODI 8140.02, Identifying-Tracking and Reporting of Cyberspace Workforce Requirements
DODM 8140.03, Cyberspace Workforce Qualification and Management System
DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, CHAPTER 10 International Security Requirements, Section 5. International Visits and Control of Foreign Nationals
Checks: C-49200r917180_chk

Check to ensure there are local written procedures for when foreign nationals request access to U.S. systems. Validate the standards are correct. Ensure Foreign Nationals only hold IT positions authorized by regulation - primarily DOD 8570.01-M, IA Workforce Improvement Program.

TACTICAL ENVIRONMENT: This check is applicable where REL partners/LN/FN are employed in a tactical environment with access to classified or unclassified US Systems or Coalition Systems.

Fix: F-49155r917181_fix

There must be local written procedures for when there is a foreign national request to access U.S. systems. Foreign Nationals must only hold IT positions authorized by regulation. IAW DOD 8570.01-M, C3.2.4.8.2: "...LNs and Foreign Nationals (FNs) must comply with background investigation requirements and cannot be assigned to IAT Level III positions."

TACTICAL ENVIRONMENT: This check is applicable where REL partners/LN/FN are employed in a tactical environment with access to classified or unclassified US Systems or Coalition Systems.

NOTE: DODM 8570 requirements will be met until full implementation of DODM 8140.03 requirements. Implementation dates for DOD Manual 8140.03 include a two-year timeline for personnel (civilian and military) in positions coded with cybersecurity work roles and three years for personnel (civilian and military) in positions coded with work roles in any other workforce element. The dates for required qualification would be 15 February 2025 for cybersecurity work roles and the same date in February 2026 for all Defense Cyber Workforce Framework work roles.

Foreign National (FN) Administrative Controls - Contact Officer Appointment
Low - V-245770 - SV-245770r822831_rule
RMF Control
Severity
Low
CCI
Version
FN-05.03.01
Vuln IDs
  • V-245770
  • V-31262
Rule IDs
  • SV-245770r822831_rule
  • SV-41496r3_rule
Failure to provide proper oversight of Foreign National partners or employees and limit access to classified and sensitive information can result in the loss or compromise of NOFORN information.

REFERENCES:
National Disclosure Policy - 1 (NDP-1)
National Security Directive 42, "National Policy for the Security of National Security Telecommunications and Information Systems"
DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations
SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information. Use guidance on sharing information with REL Partners on SIPRNET at http://www.ssc.smil.mil/ - follow Policy/Guidance&Documentation link and then SIPRNet Information Sharing...
DODD 5230.20, Visits, Assignments, and Exchanges of Foreign Nationals, paragraph 4.6.
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, paragraphs 26.c.(3) and 27.f.
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-2, PE-2 and PE-8
DoDI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 11.
DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), 3 April 2017
DoD Manual 5200.01, Volume 1, SUBJECT: DoD Information Security Program: Overview, Classification, and Declassification, Encl 2, para 5.b.
DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, CHAPTER 10 International Security Requirements, Section 5. International Visits and Control of Foreign Nationals
Checks: C-49201r769970_chk

Check to ensure there is a Foreign Disclosure Officer (FDO) available or minimally that a Foreign Contact Officer has been appointed to control the activities of foreign visitors, REL Officers, FLO, and exchange personnel. Check that there is a formal Appointment Letter. TACTICAL ENVIRONMENT: This check is applicable where REL partners/LN/FN are employed in a tactical environment with access to US Systems.

Fix: F-49156r769971_fix

1. A Foreign Disclosure Officer (FDO) must be available or minimally a Foreign Contact Officer must be appointed to control the activities of foreign visitors, REL Officers, FLO, and exchange personnel.

2. A formal Appointment Letter for these duties that outlines responsibilities, etc. must be on hand.

Information Assurance - System Security Operating Procedures (SOPs)
Low - V-245771 - SV-245771r1008538_rule
RMF Control
Severity
Low
CCI
Version
IA-01.03.01
Vuln IDs
  • V-245771
  • V-30996
Rule IDs
  • SV-245771r1008538_rule
  • SV-41042r3_rule
Failure to have documented procedures in an SOP could result in a security incident due to lack of knowledge by personnel assigned to the organization.

REFERENCES:
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND)
NIST Special Publication 800-53 (SP 800-53), Rev 4/5, Controls: MA-1, MA-2, MA-3, MA-4, PL-1, PL-2 and PL-4
DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014
DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information, Encl 5, para 3.a.(4), 3.d., 7.a.; Encl 7, para 5.c., 6, 10, and 11.
DOD Instruction 8510.01, SUBJECT: Risk Management Framework (RMF) for DoD Information Technology (IT)
United States Cyber Command Instruction (USCCI) 5200-13, 13 April 2019, SUBJECT: Cyberspace Protection Conditions (CPCON)
Checks: C-49202r769973_chk

Check written SOPs covering all systems, supporting infrastructure and physical facilities. Conduct a cursory review of the SOPs and as a minimum ensure the following areas are documented:

a. Handling of suspected system compromise or spillage
b. Cyberspace Protection Conditions (CPCON) - formerly Information Operations Condition (INFOCON) - procedures and policies
c. Procedures for eradication after an attack
d. Proper password management
e. Purging of storage media (disks, CDs, DVDs, drives, etc.) prior to turn-in or disposal
f. Remote diagnostic and maintenance approval and procedure
g. Out-processing and turn-in of equipment
h. Use of screensavers/Unattended terminals
i. Virus detection and scanning
j. In-processing and vetting of employees for systems access (proper investigation and security clearance)

NOTE: This requirement for on-hand SOPs should not be applied to a tactical environment, unless it is a fixed computer facility in a Theater of Operations. The standards to be applied for applicability in a tactical environment are:
1) The facility containing the computer room has been in operation over 1 year.
2) The facility is a "fixed facility" - a hard building made from normal construction materials - wood, steel, brick, stone, mortar, etc.
3) Procedures for field/mobile elements are still required and should be available at a supporting headquarters, either in Theater or perhaps even CONUS. These may be requested during pre-trip coordination or obtained after visiting the tactical AO.

Fix: F-49157r769974_fix

1. Security Operating Procedures (SOPs) covering all systems, supporting infrastructure and physical facilities must be written.

2. The procedures must be readily available to both the Information Assurance Staff (ISSM, ISSO, SA) and all system users requiring information in the procedures to perform their jobs. Information can be placed in an Information System Users Guide (SFUG) and other applicable documents as appropriate. SOP availability must be on a site intranet, shared folders, WEB page, etc. for ease of reference by all employees - unless classified or otherwise requiring restricted access.

As a minimum the following areas must be documented:

a. Handling of suspected system compromise or spillage
b. Cyberspace Protection Conditions (CPCON) - formerly Information Operations Condition (INFOCON) - procedures and policies
c. Procedures for eradication after an attack
d. Proper password management
e. Purging of storage media (disks, CDs, DVDs, drives, etc.) prior to turn-in or disposal
f. Remote diagnostic and maintenance approval and procedure
g. Out-processing and turn-in of equipment
h. Use of screensavers/Unattended terminals
i. Virus detection and scanning
j. In-processing and vetting of employees for systems access (proper investigation and security clearance)

Information Assurance - COOP Plan and Testing (Not in Place for Information Technology Systems or Not Considered in the organizational Holistic Risk Assessment)
Medium - V-245772 - SV-245772r822832_rule
RMF Control
Severity
Medium
CCI
Version
IA-02.02.01
Vuln IDs
  • V-245772
  • V-30997
Rule IDs
  • SV-245772r822832_rule
  • SV-41043r3_rule
Failure to develop a COOP and test it periodically can result in the partial or total loss of operations and INFOSEC. A contingency plan is necessary to reduce mission impact in the event of system compromise or disaster.

REFERENCES:
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, Paragraphs 15 & 32
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: CP-2, CP-2(1) through CP-2(8), CP-4, CP-4(1) through CP-4(4), CP-6, CP-7, CP-9, MA-6
DoDI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 3.
DoDD 3020.26, SUBJECT: Department of Defense Continuity Programs, January 9, 2009
DoDI 3020.42, SUBJECT: Defense Continuity Plan Development, February 17, 2006
Implementation of DoD Continuity Strategy - Deputy Secretary of Defense, 25 May 07
National Security Presidential Directive (NSPD) 51 / Homeland Security Presidential Directive (HSPD) 20 - National Continuity Policy, 9 May 07
Federal Continuity Directives 1 Oct 12 and 2 Jul 13, Federal Executive Branch National Continuity Program and Requirements.
NIST Special Publication 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems, May 2010
DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 8, paragraph 8-101.g. and 8-302.c.
Checks: C-49203r769976_chk

Check there is a written COOP plan for inspected information technology systems:

1. If a COOP or Disaster Recovery Plan is not in place, ensure the AO has considered and accepted the risk (specifically for lack of COOP) from a Holistic Risk Assessment of the organization.
2. Check COOP documentation to ensure the plan is tested at least annually. Also check for discrepancies noted during the tests and if corrective action has been taken.
3. Conduct a cursory review of the COOP to ensure it is commensurate for COOP of IT systems as detailed within the risk assessment concerning recovery times and testing requirement(s).

NOTES:
1. Certain large computing centers like the DISA Computing Services (DECCs) may offer COOP as a fee-for-service option. Since this is applicable to "customer" applications it should not be a finding attributed to the DECC. If appropriate, COOP or lack thereof, if cited as a finding in this instance, should be attributed to the specific customer.
2. This requirement should not be applied to a tactical environment, unless it is a fixed computer facility supporting operations within a Theater of Operations. The standards to be applied for applicability in a tactical environment are:
1) The facility containing the computer room has been in operation over 1 year.
2) The facility is a "fixed facility" - a hard building made from normal construction materials - wood, steel, brick, stone, mortar, etc.

Fix: F-49158r769977_fix

Continuity of Operations Plans (COOP) must be developed and tested for ALL DoDIN connected systems to ensure system and data availability in the event of any type of failure. If no COOP is in place, ensure the risk (specifically for lack of a COOP) has been accepted by the responsible Authorizing Official (AO) in a Holistic Risk Assessment of the organization.

Information Assurance - COOP Plan or Testing (Incomplete)
Low - V-245773 - SV-245773r822834_rule
RMF Control
Severity
Low
CCI
Version
IA-02.03.01
Vuln IDs
  • V-245773
  • V-31004
Rule IDs
  • SV-245773r822834_rule
  • SV-41051r3_rule
Failure to develop a COOP and test it periodically can result in the partial or total loss of operations and INFOSEC. A contingency plan is necessary to reduce mission impact in the event of system compromise or disaster.

REFERENCES:
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, Paragraphs 15 & 32
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: CP-2, CP-2(1) through CP-2(8), CP-4, CP-4(1) through CP-4(4), CP-6, CP-7, CP-9, MA-6
DoDI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 3.
DoDD 3020.26, SUBJECT: Department of Defense Continuity Programs, January 9, 2009
DoDI 3020.42, SUBJECT: Defense Continuity Plan Development, February 17, 2006
Implementation of DoD Continuity Strategy - Deputy Secretary of Defense, 25 May 07
National Security Presidential Directive (NSPD) 51 / Homeland Security Presidential Directive (HSPD) 20 - National Continuity Policy, 9 May 07
Federal Continuity Directives 1 Oct 12 and 2 Jul 13, Federal Executive Branch National Continuity Program and Requirements.
NIST Special Publication 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems, May 2010
DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 8, paragraph 8-101.g. and 8-302.c.
Checks: C-49204r822833_chk

This check is for when a reviewer finds that a COOP process is well established within the inspected organization, but it does not include a minority of systems, requirements, or testing of all systems, for which the risk of having no COOP or testing was not accepted by the Authorizing Official (AO) in a holistic risk assessment for the organization.

NOTES:
1. This finding/VUL is only applicable when some of the site/organization systems are connected to the DoDIN and do not have a COOP and/or the COOP is not tested, and the risk for not having a COOP and/or documented testing is not accepted by the AO in a holistic risk assessment document.
2. If this finding/VUL is used, IA-02.02.01 is NA.
3. This VUL is applicable in a tactical environment if it involves a fixed facility as previously described.

Fix: F-49159r769980_fix

ALL systems connected to the DoDIN must be included in the enclave COOP documentation and testing. If it is determined that some of the site/organization systems connected to the DoDIN (a portion of the systems on site) do not need to be included in the COOP (plan and/or testing), then the risk for this must specifically be accepted by the AO in a holistic risk assessment document.

Information Assurance - System Security Incidents (Identifying, Reporting, and Handling)
Medium - V-245774 - SV-245774r917331_rule
RMF Control
Severity
Medium
CCI
Version
IA-03.02.01
Vuln IDs
  • V-245774
  • V-31008
Rule IDs
  • SV-245774r917331_rule
  • SV-41055r3_rule
Failure to recognize, investigate, and report information systems security incidents could result in the loss of confidentiality, integrity, and availability of the systems and their data.
REFERENCES:
CJCSM 6510.01B, CYBER INCIDENT HANDLING PROGRAM
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Appendix C
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: IR-1, IR-2, IR-3, IR-4, IR-5, IR-6, IR-7, IR-7(2), IR-8
DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Encl 2, para 13.h.(1)-(5); Encl 3, para 18.g&h., 19.d.
DOD Manual 5200.01, Volume 1, SUBJECT: DOD Information Security Program: Overview, Classification, and Declassification, Encl 2, para 9.g., 11.c, 12.b.; Encl 3, para 7.b.(8), 17.a., 17.c.; Glossary pg 76, activity SM
DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information, Encl 6 (In its entirety - with emphasis on para 5.f.); Appendix 1 to Encl 6; Encl 7, para 5.
DODI 5200.48 Controlled Unclassified Information (CUI)
DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 1, Section 3, paragraphs: 1-303 & 1-304, Section 4, paragraph 1-401, Chapter 8, paragraphs 8-101.f. & 8-302.i.
DOD Instruction 8510.01, SUBJECT: Risk Management Framework (RMF) for DOD Information Technology (IT), Encl 6, para 1.d.
CNSSI 1001, National Instruction on Classified Information Spillage
CNSSI 1010, 24X7 Computer Incident Response Capability (CIRC) on National Security Systems
Checks: C-49205r917183_chk

1. Check to ensure there are written procedures for identifying, reporting, and handling systems security incidents.
2. Check to ensure that procedures for handling system security incidents are included in both initial and annual (refresher) employee training.
NOTE: Applies in a tactical environment. While procedures for incident handling might not be readily available in a mobile/field location, they should be established and available at a supporting fixed headquarters facility. Field units must still be informed and knowledgeable of their responsibility to report security incidents. This knowledge can be ascertained by asking field organization leadership what they would do in a spillage or similar computer security incident.

Fix: F-49160r769983_fix

A program to recognize, investigate, and report information systems security incidents to include virus, system penetration, and classified contamination must be established. Such a program will include written procedures that are available for employee review as well as including the topic in initial and annual security refresher training.

Information Assurance - System Access Control Records (DD Form 2875 or equivalent)
Medium - V-245775 - SV-245775r1008541_rule
RMF Control
Severity
Medium
CCI
Version
IA-05.02.01
Vuln IDs
  • V-245775
  • V-31011
Rule IDs
  • SV-245775r1008541_rule
  • SV-41058r3_rule
If accurate records of authorized users are not maintained, then unauthorized personnel could have access to the system. Failure to have users sign an agreement may preclude disciplinary action if a user does not comply with security procedures.
REFERENCES:
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, para 26.a.
DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Encl 2, para 13.j., 13.y.(1); Encl 3, para 10.c., 18.b., 19.c.
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-3(3), AC-3(4), AC-3(5), AC-3(7), AC-2(7).
DOD 8570.01-M, Information Assurance Workforce Improvement Program
DODD 8140.01 Cyberspace Workforce Management
DODI 8140.02 Identifying-Tracking and Reporting of Cyberspace Workforce Requirements
DODM 8140.03 Cyberspace Workforce Qualification and Management System
Checks: C-49206r1008539_chk

1. Check to ensure there are written procedures for personnel who request access to a computer system.
2. Note in the report finding details which access form is used (locally developed, service-level, or DD Form 2875).
3. If applicable, ensure the most current version of the DD Form 2875 (System Authorization Access Request [SAAR]) is being used for all new account requests. Note: This is not a mandate to update previously processed account request forms to the most current version.
4. Note what training is required/conducted before system access is granted.
5. Review a sample of system access request forms to ensure the forms contain appropriate information for checking compliance with security requirements for privileged, user, Classified, and Unclassified systems access. Information required will include identification of the individual requesting access, signature dates, supervisory approval, ISSM and SM approval, investigation level and security clearance required, investigation and security clearance possessed. Ensure all appropriate Information Assurance (IA) training was completed for the systems personnel are requesting access to.
6. Check to ensure a separate "User Agreement" also exists for both system "users" and "privileged account holders" (System Administrators). For privileged users, a signed Privileged Access Statement IAW Appendix 4 of DOD 8570.01-M, Information Assurance Workforce Improvement Program, is required.
7. In a tactical environment, the forms used to control systems access might not be readily accessible in the field. Determine where the forms are maintained and, if the location is not within reach, attempt to obtain a sample copy of a completed form via fax, email, etc. Fixed locations with assigned IA staff should have the forms available.

Fix: F-49161r1008540_fix

1. Written procedures for personnel who request access to a computer system must be developed.
2. A System Authorization Access Request (SAAR) form (DD Form 2875 or equivalent) must be used to define and control individual access for systems. If applicable, the most current version of the DD Form 2875 SAAR must be used for ALL NEW account requests. Note: This is not a mandate to update previously processed account request forms to the most current version. Locally developed or service-level forms may also be used if the same information found on the DD Form 2875 is used.
3. Local or service-level SAAR forms must minimally contain appropriate information for checking compliance with security requirements for privileged, routine user, Classified, and Unclassified systems access as on the DD Form 2875. Information required includes identification of the individual requesting access, signature dates, supervisory approval, ISSM and SM approval, investigation level and security clearance required, investigation and security clearance possessed. Ensure all appropriate Information Assurance (IA) training was completed for the systems personnel are requesting access to.
4. A separate "User Agreement" must be signed by each user before access is granted. This includes both system "users" and "privileged account holders" (System Administrators). For privileged users, a signed Privileged Access Statement IAW Appendix 4 of DOD 8570.01-M, Information Assurance Workforce Improvement Program, is required.
Note: DODM 8570 requirements will be met until full implementation of DODM 8140.03 requirements. Implementation dates for DOD Manual 8140.03 include a two-year timeline for personnel (civilian and military) in positions coded with cybersecurity work roles and three years for personnel (civilian and military) in positions coded with work roles in any other workforce element. The dates for required qualification would be 15 February 2025 for cybersecurity work roles and 15 February 2026 for all Defense Cyber Workforce Framework work roles.

Information Assurance - System Training and Certification/ IA Personnel
Medium - V-245776 - SV-245776r917333_rule
RMF Control
Severity
Medium
CCI
Version
IA-06.02.01
Vuln IDs
  • V-245776
  • V-31013
Rule IDs
  • SV-245776r917333_rule
  • SV-41060r3_rule
Improperly trained personnel can cause serious system-wide/network-wide problems that render a system/network unstable.
REFERENCES:
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl A, para 11.
DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Encl 2, para 9.g., 13.k.(2); Encl 3, para 10. a-e
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AT-2, AT-3, CP-3, IR-2
DOD 8570.01-M, Information Assurance Workforce Improvement Program, Appendix 3
DODD 8140.01, Cyberspace Workforce Management, 11 Aug 15, paragraphs 3.c. and 9.j.
DODI 8140.02 Identifying-Tracking and Reporting of Cyberspace Workforce Requirements
DODM 8140.03 Cyberspace Workforce Qualification and Management System
DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 8, paragraphs 8-103.a.(6) & 8-302.a.
Checks: C-49207r917188_chk

1. Check records for required training/certification of (IA) IAM/IAT personnel. In addition to the initial and recurring (annual) training requirements every system user must undergo, the IA staff such as ISSM, ISSO, SA, and NSO must be part of an organizational certification program IAW DOD 8570.01-M, Information Assurance Workforce Improvement Program.
2. Ensure this certification program is in place and that training/certification requirements are documented for each IA staff member, including current certification level: IAM (I-III) or IAT (I-III).
TACTICAL ENVIRONMENT: In a tactical environment, records should be maintained at fixed locations where IA and security staff are working. This check is not applicable to units in a mobile/field environment.

Fix: F-49162r917189_fix

1. A program must be in place to establish and document required training/certification of (IA) IAM/IAT personnel.
2. In addition to the initial and recurring (annual) training requirements every system user must undergo, the IA staff such as ISSM, ISSO, SA, and NSO must be part of an organizational certification program IAW DOD 8570.01-M, Information Assurance Workforce Improvement Program.
3. Training/certification requirements must be documented for each IA staff member to include their current certification level: IAM (I-III) or IAT (I-III).
NOTE: DODM 8570 requirements will be met until full implementation of DODM 8140.03 requirements. Implementation dates for DOD Manual 8140.03 include a two-year timeline for personnel (civilian and military) in positions coded with cybersecurity work roles and three years for personnel (civilian and military) in positions coded with work roles in any other workforce element. The dates for required qualification would be 15 February 2025 for cybersecurity work roles and the same date in February 2026 for all Defense Cyber Workforce Framework work roles.

Information Assurance/Cybersecurity Training for System Users
Medium - V-245777 - SV-245777r917544_rule
RMF Control
Severity
Medium
CCI
Version
IA-06.02.02
Vuln IDs
  • V-245777
  • V-31082
Rule IDs
  • SV-245777r917544_rule
  • SV-41133r3_rule
Improperly trained personnel can cause serious system-wide/network-wide problems that render a system/network unstable.
REFERENCES:
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl A, para 11.a.
DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Encl 2, para 13.l.; Encl 3, para 10.c., 17.c., 19.c., 21.j.
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AT-2, AT-3, CP-3, IR-2
DOD 8570.01-M, Information Assurance Workforce Improvement Program, paragraphs C.1.4.1.4,5.1., C.1.4.4.3., C.5.2.1.5., Table C.4.T.3. - M.I.6., Table C.4.T.5. - M.II.18.; Chapter 6 in its entirety for minimum user training requirements.
DODD 8140.01, Cyberspace Workforce Management, 11 Aug 15, paragraph 9.b.
DODI 8140.02 Identifying-Tracking and Reporting of Cyberspace Workforce Requirements
DODM 8140.03 Cyberspace Workforce Qualification and Management System
DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 8, paragraphs 8-101.c., 8-103.a., & 8-302.j.
Checks: C-49208r917543_chk

Check training records for required initial and recurring (annual) training requirements every system user must undergo in accordance with Chapter 6 of the DOD 8570.01-M, Information Assurance Workforce Improvement Program. Ensure 100 percent of initial training briefings are accomplished and at least 95 percent of employees have completed annual training. Note that while 100 percent completion of annual training is the goal, employees on extended leave, TDY, or other circumstances make this difficult to accomplish. All training accomplished must be documented. Anything less will be a finding. TACTICAL ENVIRONMENT: In a tactical environment, records should be maintained at fixed locations where IA and security staff are working. This check is not applicable to personnel in units in a mobile/field environment.

Fix: F-49163r917544_fix

1. All system users must take both initial and recurring (annual) cybersecurity training based on applicable regulatory requirements that every system user must undergo, primarily in accordance with Chapter 6 of the DOD 8570.01-M, Information Assurance Workforce Improvement Program.
2. Ensure 100 percent of initial training briefings are accomplished and at least 95 percent of employees have completed annual training. Note that while 100 percent completion of annual training is the goal, employees on extended leave, TDY, or other circumstances make this difficult to accomplish.
3. All training accomplished must be documented for each individual user.
NOTE: DODM 8570 requirements will be met until full implementation of DODM 8140.03 requirements. Implementation dates for DOD Manual 8140.03 include a two-year timeline for personnel (civilian and military) in positions coded with cybersecurity work roles and three years for personnel (civilian and military) in positions coded with work roles in any other workforce element. The dates for required qualification would be 15 February 2025 for cybersecurity work roles and the same date in February 2026 for all Defense Cyber Workforce Framework work roles.

Information Assurance - Accreditation Documentation
Medium - V-245778 - SV-245778r917335_rule
RMF Control
Severity
Medium
CCI
Version
IA-07.02.01
Vuln IDs
  • V-245778
  • V-31084
Rule IDs
  • SV-245778r917335_rule
  • SV-41139r3_rule
Failure to provide the proper documentation can lead to a system connecting without all proper safeguards in place, creating a threat to the networks.
REFERENCES:
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl A, para 2.; Encl B, para 6.f.; Encl C, para 3, 6.d.(2), 20.e.(1)(a)&(b), 24.e., and 18.a.
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PM-1, PM-9, PM-10, AC-3, AC-3(1), AC-3(2), AC-20, RA-2 and CA-6
DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Encl 3, para 2.a.(1), 9.a.(1)(c), 9.b.(13)
DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information, Encl 4, para 8.a.; Encl 7, para 4.c.
DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 8, Section 2.
DOD Instruction 8510.01, SUBJECT: Risk Management Framework (RMF) for DOD Information Technology (IT), Encl 2, para 7.f & 7.g.; Encl 4, para 1.b.(2)(e); Encl 6, paragraphs 1.b.(1), 2., and 2.e.(4)(a)-(e).
CJCSI 6211.02D, DEFENSE INFORMATION SYSTEMS NETWORK (DISN) RESPONSIBILITIES, para 7.1.; Encl B, para 2.b.(1), 2.c.(1), 2.f.; Encl C, para 2.a., 5.b., 6.b.(5), 6.c., 6.e.(4), 7.c.(2), 11.a.(3)(g)&(j); Encl D, para 2.b., 4.f.(5), 5.a.(5), 5.j.(1), 7.a, 8., and 12.a&b.
CNSSP No.29, May 2013, National Secret Enclave Connection Policy
DISN Connection Process Guide: http://disa.mil/network-services/enterprise-connections/connection-process-guide
Checks: C-49209r917194_chk

Check the accreditation package with only a cursory review to ensure the ATO/IATO are current.
1. Check the SIPRNet/NIPRNet connection approval package. Conduct a cursory review for any traditional security issues.
2. Ensure the approvals are current. The approvals must come from the DISN Connection Approval Office (CAO).
TACTICAL ENVIRONMENT: The check is applicable. The ATO and associated documentation should be found in a fixed HQ location where the ISSM/ISSO are located. When possible, documentation should be requested/sought before departing on trips to tactical locations. Copies sent to the reviewer's email (NIPR or SIPR depending on classification of document) can be used to validate compliance.
Note: If any one of the approvals is missing, this is a finding.

Fix: F-49164r917195_fix

1. A current accreditation document approved by the AO must be available for all systems and applications connected to the DODIN.
2. Copies of the original accreditation documentation along with any subsequent modifications must be available for review.
3. The Approval to Operate (ATO) or Interim Approval to Operate (IATO) must be up to date and must be signed by the current Approving Authority.
4. Check to ensure the site provided the DISN Connection Approval Office (CAO) current certification documentation IAW CAO guidance.
5. Check to ensure the site also has notified the CAO of any changes/modifications to the approved architecture.
6. Check to ensure the Approval to Connect (ATC) or Interim Approval to Connect (IATC) for both SIPRNet/NIPRNet are current.

Information Assurance - KVM or A/B Switch not listed on the NIAP U.S. Government Approved Protection Products Compliance List (PCL) for Peripheral Sharing Switches
Medium - V-245781 - SV-245781r917549_rule
RMF Control
Severity
Medium
CCI
Version
IA-10.02.01
Vuln IDs
  • V-245781
  • V-31115
Rule IDs
  • SV-245781r917549_rule
  • SV-41244r3_rule
Failure to use tested and approved switch boxes can result in the loss or compromise of classified information.
REFERENCES:
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: SC-3 and SC-4
DISN Connection Process Guide: http://disa.mil/network-services/enterprise-connections/connection-process-guide
NIAP Products Compliance List (PCL): https://www.niap-ccevs.org/index.cfm
Checks: C-49212r917202_chk

1. Check all KVM or A/B switches that switch from NIPR to SIPR or other low-side to high-side systems being reviewed.
2. Ensure switches on the most current approved NIAP Product Compliant List (PCL) are used for switching between high-side and low-side devices.
3. Check to ensure that any unapproved switch boxes in use have specific approval for use in the SIPRNet Approval to Connect (ATC) or (IATC) from the Classified Connection Approval Office (CCAO).
NOTE: A KVM used for switching between high (SIPRNet) and low (NIPRNet) shared devices must meet one or both of the following basic criteria:
a. Be on the NIAP PCL AND meet any configuration requirements for the site's IA environment as a minimum requirement to be used on the DODIN.
b. Based on the NIAP PCL, the devices listed may be used for switching between peripheral devices across high/low (SIPR/NIPR) domains.
TACTICAL ENVIRONMENT: The check is applicable where KVM devices are in use.

Fix: F-49167r917549_fix

1. All KVM or A/B switches that switch from NIPR to SIPR or other low-side to high-side systems being reviewed must be on the most current approved NIAP PCL for use for switching between high-side and low-side devices.
2. Any unapproved switch boxes in use (switching from NIPR to SIPR) must have specific approval for use and be addressed in the SIPRNet ATC or IATC from the CCAO.
NOTE: A KVM used for switching between high (SIPRNet) and low (NIPRNet) shared devices must meet one or both of the following basic criteria:
a. Be on the NIAP PCL AND meet any configuration requirements for the site's IA environment as the minimum requirement to be used on the DODIN.
b. Based on the NIAP PCL, the devices listed may be used for switching between peripheral devices across high/low (SIPR/NIPR) domains.

Information Assurance - KVM Switch (Port Separation) on CYBEX/Avocent 4 or 8 port
Medium - V-245782 - SV-245782r917551_rule
RMF Control
Severity
Medium
CCI
Version
IA-10.02.02
Vuln IDs
  • V-245782
  • V-31124
Rule IDs
  • SV-245782r917551_rule
  • SV-41259r4_rule
The back plate of some 4 or 8 port CYBEX/AVOCENT KVM devices provides a physical connection between adjacent ports. Therefore, failure to provide for physical port separation between SIPRNet (classified devices) and NIPRNet (unclassified devices) when using CYBEX/AVOCENT KVM devices can result in the loss or compromise of classified information.
REFERENCES:
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: SC-3 and SC-4
DISN Connection Process Guide: http://disa.mil/network-services/enterprise-connections/connection-process-guide
NIAP Products Compliance List (PCL): https://www.niap-ccevs.org/index.cfm
Checks: C-49213r917550_chk

Validate the correct configuration of CYBEX/Avocent 4 or 8 port KVMs IAW NIAP PCL guidance. This includes physical port separation between SIPRNet and NIPRNet (high and low) connections. Because of the internal physical configuration of the CYBEX boxes, only like classification levels may be connected to adjacent ports. TACTICAL ENVIRONMENT: The check is applicable where KVM devices are in use.

Fix: F-49168r917551_fix

1. Validate the correct configuration of CYBEX/Avocent 4 or 8 port KVMs used for switching devices between the SIPRNet and NIPRNet (or any switching between SIPRNet and any other unclassified network devices) IAW NIAP PCL guidance.
2. Correct configuration must include physical port separation between SIPRNet and NIPRNet (high and low) (or any switching between SIPRNet and any other unclassified network devices) connections.
3. Because of the internal physical configuration of the CYBEX/Avocent box backplates, only like classification levels may be connected to adjacent ports.

Information Assurance - KVM Switch Use of Hot-Keys on SIPRNet Connected Devices
Medium - V-245783 - SV-245783r863300_rule
RMF Control
Severity
Medium
CCI
Version
IA-10.02.03
Vuln IDs
  • V-245783
  • V-31125
Rule IDs
  • SV-245783r863300_rule
  • SV-41260r3_rule
Use of "Hot Keys" for switching between devices relies on software to separate and switch between the devices. Unless that software involves an approved Cross Domain Solution (CDS), it can result in the loss or compromise of classified information from low side devices to those devices on the high side. Only physical switching between devices can assure that information will not be exchanged.
REFERENCES:
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: SC-3 and SC-4
DISN Connection Process Guide: http://disa.mil/network-services/enterprise-connections/connection-process-guide
NIAP Products Compliance List (PCL): https://www.niap-ccevs.org/index.cfm
Checks: C-49214r770009_chk

1. Check to ensure users are physically switching between devices on SIPRNet and any devices connected to an unclassified network like NIPRNet, rather than using a Hot-Key feature.
2. Be suspicious of any KVM that is not easily reachable (within arm's reach) by the keyboard operator.
TACTICAL ENVIRONMENT: The check is applicable where KVM devices are in use.

Fix: F-49169r770010_fix

Users of KVM devices must physically switch between devices connected to the SIPRNet and any devices connected to an Unclassified network such as NIPRNet, rather than using a Hot-Key feature.

Information Assurance - Authorizing Official (AO) and DoDIN Connection Approval Office (CAO) Approval Documentation for use of KVM and A/B switches for Sharing of Classified and Unclassified Peripheral Devices
Low - V-245784 - SV-245784r939274_rule
RMF Control
Severity
Low
CCI
Version
IA-10.03.01
Vuln IDs
  • V-245784
  • V-31126
Rule IDs
  • SV-245784r939274_rule
  • SV-41267r3_rule
Failure to request approval for connection of existing or additional KVM or A/B devices (switch boxes) for use in switching between classified (e.g., SIPRNet) devices and unclassified devices (e.g., NIPRNet) from both the Authorizing Official (AO) and the DODIN Connection Approval Office could result in unapproved devices being used, or approved devices being used or configured in an unapproved manner, thereby increasing the risk for the DODIN.
REFERENCES:
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: SC-3 and SC-4
DISN Connection Process Guide: http://disa.mil/network-services/enterprise-connections/connection-process-guide
NIAP Products Compliance List (PCL): https://www.niap-ccevs.org/index.cfm
Checks: C-49215r917370_chk

1. Check to ensure the Enclave Authorizing Official (AO) has specifically documented the approval for use of KVM and/or A/B switches in the ATO or other official documentation signed by the AO authorizing use of switches between high-side (classified/SIPRNet) and low-side (unclassified/NIPRNet) shared devices.
2. Check to ensure the AO has submitted initial and updated documentation (as required) to the DODIN Connection Approval Office (CAO) reflecting the use or addition of KVM or A/B devices on a user's enclave. The documentation may be part of the Authorization and Accreditation (A&A) documentation IAW RMF procedures or otherwise as specified by the DODIN CAO.
TACTICAL ENVIRONMENT: The check is applicable where KVM devices are in use.

Fix: F-49170r917371_fix

1. The Enclave Authorizing Official (AO) must specifically document the approval for use of KVM and/or A/B switches in the ATO or other official documentation signed by the AO authorizing use of switches between high-side (classified/SIPRNet) and low-side (unclassified/NIPRNet) shared devices.
2. The AO must submit initial and updated documentation (as required) to the DODIN Connection Approval Office (CAO) reflecting the use or addition of KVM or A/B devices on a user's enclave. The documentation may be part of the Authorization and Accreditation (A&A) documentation IAW RMF procedures or otherwise as specified by the DODIN CAO.

Information Assurance - Classified Portable Electronic Devices (PEDs) Connected to the SIPRNet must be Authorized, Compliant with NSA Guidelines, and be Configured for Data at Rest (DAR) Protection
High - V-245785 - SV-245785r770017_rule
RMF Control
Severity
High
CCI
Version
IA-11.01.01
Vuln IDs
  • V-245785
  • V-31127
Rule IDs
  • SV-245785r770017_rule
  • SV-41269r3_rule
Finding unauthorized and/or improperly configured wireless devices (PEDs) connected to and/or operating on the SIPRNet is a security incident and could directly result in the loss or compromise of classified or sensitive information, either intentionally or accidentally. An assessment of risk in accordance with the Risk Management Framework (RMF), along with Certification and Accreditation and an Authorization to Operate (ATO), must be accomplished and documented prior to connecting NSA approved classified PED solutions on a classified network such as SIPRNet or using PEDs within a classified enclave. A key requirement is that classified PEDs used to store classified data must comply with either the NSA Data At Rest (DAR) Capability Package and associated Risk Assessment or achieve NSA approval as a Tailored Solution for protection of data at rest. Handling procedures should include guidance provided in NSA risk assessments and may involve two layers of National Information Assurance Partnership (NIAP)-approved DAR protection, shipping/storage in accordance with Reference (a), and programmed data wiping or certificate revocation.
REFERENCES:
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, paragraphs 21.i. and 22.
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-18, AC-18(1), AC-18(2), AC-18(3), AC-18(4) and AC-19
CNSSP No.29, May 2013, National Secret Enclave Connection Policy
CNSSP No. 17, January 2014, Policy on Wireless Systems
DISN Connection Process Guide: http://disa.mil/network-services/enterprise-connections/connection-process-guide
Wireless STIG
Mobility Policy Manual STIG
DoDD 8100.02, Use of Commercial Wireless Devices, Services, and Technologies in the Department of Defense (DoD) Global Information Grid (GIG), paragraph 4.1.3.
CNSSI 1400, National Instruction on the use of Mobile Devices within Secure Spaces
Joint USD(I) and DoD CIO Memorandum, dated 25 Sep 2015, SUBJECT: Security and Operational Guidance for Classified Portable Electronic Devices
NSA "Mobile Access Capability Package v1.0," April 2, 2015 or later
NSA "Mobile Access Risk Assessment v1.0," March 27, 2015 or later
DoD Instruction 8510.01, "Risk Management Framework (RMF) for DoD Information Technology (IT)," March 12, 2014
NSA "Commercial Solutions for Classified (CSfC) Incident Reporting Guidelines v1.0," June 18, 2014 or later
NSA "Data at Rest Capability Package v2.0," April 2, 2015 or later
NSA "Data at Rest Risk Assessment v2.0," April 7, 2015 or later
DoD Instruction 8420.01, Commercial Wireless Local Area Network (WLAN) Devices, Systems, and Technologies, 3 November 2017, Paragraphs 1.2.h., and 3.8.d.
Checks: C-49216r770015_chk

1. Visually check during the walk-around to ensure that unauthorized wireless devices (e.g., PEDs) are not connected to the Network (SIPRNet). NOTE: Portable Electronic Devices (PEDs) include but are not limited to tablets, laptops, smartphones, and cellular telephones.
2. Consult with Network Reviewers and Wireless Scanners to ensure they have not detected unauthorized wireless devices.
3. If Portable Electronic Devices (PEDs) are found connected to the SIPRNet, verify with both site security personnel, Network Reviewers and others as necessary (e.g., site ISSM) that all devices are NSA approved/configured and meet requirements for Data at Rest (DAR) encryption.
4. Verify that SIPRNet connected PEDs comply with all requirements in the "Joint USD(I) and DoD CIO Memorandum, dated 25 September 2015, SUBJECT: Security and Operational Guidance for Classified Portable Electronic Devices".
TACTICAL ENVIRONMENT: The check is applicable for ALL classified processing environments.

Fix: F-49171r770016_fix

Unauthorized wireless devices, such as phones, PEDs, Laptops, etc., must not be connected to the SIPRNet or other classified system/network being reviewed. Ensure that unauthorized wireless devices (e.g., PEDs) are not connected to the Network (SIPRNet). NOTE: Portable Electronic Devices (PEDs) include but are not limited to tablets, laptops, smartphones, and cellular telephones. If Portable Electronic Devices (PEDs) are connected to the SIPRNet, all devices must be NSA approved/configured and meet requirements for Data at Rest (DAR) encryption. All SIPRNet connected PEDs must comply with requirements in the "Joint USD(I) and DoD CIO Memorandum, dated 25 September 2015, SUBJECT: Security and Operational Guidance for Classified Portable Electronic Devices".

Information Assurance - Unauthorized Wireless Devices - Portable Electronic Devices (PEDs) Used in Classified Processing Areas without Certified TEMPEST Technical Authority (CTTA) Review and Authorizing Official (AO) Approval.
Medium - V-245786 - SV-245786r770301_rule
RMF Control
Severity
Medium
CCI
Version
IA-11.02.01
Vuln IDs
  • V-245786
  • V-31128
Rule IDs
  • SV-245786r770301_rule
  • SV-41275r3_rule
Allowing wireless devices in the vicinity of classified processing or discussion could directly result in the loss or compromise of classified or sensitive information, either intentionally or accidentally.
REFERENCES:
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, paragraphs 21.i(3). and 22.
CNSS Directive No. 510, 20 November 2017, Directive on the Use of Mobile Devices Within Secure Spaces
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-18, AC-18(1), AC-18(2), AC-18(3), AC-18(4) and AC-19
CNSSP No.29, May 2013, National Secret Enclave Connection Policy
CNSSP No. 17, January 2014, Policy on Wireless Systems
DISN Connection Process Guide: http://disa.mil/network-services/enterprise-connections/connection-process-guide
Wireless STIG
Mobility Policy Manual STIG
DoDD 8100.02, Use of Commercial Wireless Devices, Services, and Technologies in the Department of Defense (DoD) Global Information Grid (GIG), paragraphs 4.2. and 4.3
CNSSI 1400, National Instruction on the use of Mobile Devices within Secure Spaces
Joint USD(I) and DoD CIO Memorandum, dated 25 Sep 2015, SUBJECT: Security and Operational Guidance for Classified Portable Electronic Devices
Checks: C-49217r770299_chk

1. Check to ensure that unauthorized wireless devices (PEDs such as cellphones, BlackBerry devices, laptops, etc.) are not being used in areas where classified systems or machines (SIPRNet) are in use.

2. If PED usage in classified processing areas is permitted by the site, check to ensure there is specific written AO (formerly DAA) approval, that a CTTA has assessed the environment, and that any resulting recommended TEMPEST countermeasures have been implemented.

TACTICAL ENVIRONMENT: The check is applicable for ALL classified processing environments.

Fix: F-49172r770300_fix

1. Unauthorized wireless devices (PEDs such as cellphones, BlackBerry devices, laptops, etc.) must not be permitted for use in areas where classified systems or machines (SIPRNet) are in use.

2. If PED usage in classified processing areas is permitted, there must be specific written AO (formerly DAA) approval and a CTTA assessment of the environment, and any resulting recommended TEMPEST countermeasures must be implemented.

a
Information Assurance - Unauthorized Wireless Devices - No Formal Policy and/or Warning Signs
Low - V-245787 - SV-245787r770023_rule
RMF Control
Severity
Low
CCI
Version
IA-11.03.01
Vuln IDs
  • V-245787
  • V-31129
Rule IDs
  • SV-245787r770023_rule
  • SV-41280r3_rule
Not having a wireless policy and/or warning signs at entrances could result in the unauthorized introduction of wireless devices into classified processing areas. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, paragraphs 21.i(3). and 22. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-18, AC-18(1), AC-18(2), AC-18(3), AC-18(4) and AC-19 CNSSP No.29, May 2013, National Secret Enclave Connection Policy CNSSP No. 17, January 2014, Policy on Wireless Systems DISN Connection Process Guide: http://disa.mil/network-services/enterprise-connections/connection-process-guide Wireless STIG Mobility Policy Manual STIG DoDD 8100.02, Use of Commercial Wireless Devices, Services, and Technologies in the Department of Defense (DoD) Global Information Grid (GIG), paragraphs 4.2. and 4.3 CNSSI 1400, National Instruction on the use of Mobile Devices within Secure Spaces Joint USD(I) and DoD CIO Memorandum, dated 25, Sep 2015, SUBJECT: Security and Operational Guidance for Classified Portable Electronic Devices
Checks: C-49218r770021_chk

1. Check to ensure there is a local wireless policy or SOP.

2. During the walk-around, ensure there is appropriate signage at entrances notifying employees and visitors that wireless devices are not authorized in a classified facility.

3. Check that the wireless policy is included in initial briefings for new employees and reinforced periodically, such as during annual security refresher training.

TACTICAL ENVIRONMENT: The check is applicable to tactical locations where fixed facilities are used for classified processing. Not applicable to mobile/field environments.

Fix: F-49173r770022_fix

1. A local wireless policy or SOP must be written and available for employee reference.

2. There must be appropriate signage at entrances notifying employees and visitors that wireless devices are not authorized in a classified facility.

3. The wireless policy must be included in initial briefings for new employees and reinforced periodically, such as during annual security refresher training.

c
Information Assurance - Network Connections - Physical Protection of Network Devices such as Routers, Switches and Hubs (Connected to SIPRNet or Other Classified Networks or Systems Being Inspected)
High - V-245788 - SV-245788r822839_rule
RMF Control
Severity
High
CCI
Version
IA-12.01.01
Vuln IDs
  • V-245788
  • V-31132
Rule IDs
  • SV-245788r822839_rule
  • SV-41289r3_rule
SIPRNet or other classified network connections that are not properly protected in their physical environment are highly vulnerable to unauthorized access, resulting in the probable loss or compromise of classified or sensitive information. REFERENCES: Network Infrastructure Security Technical Implementation Guide (STIG) Access Control in Support of Information Systems Security STIG (Access Control STIG) CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, paragraph 34.c. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-5, SC-7 (14)&(15), SC-8, SC-14, SC-32, PE-2(1), PE-3(1) & (4), PE-4 & PE-18 DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 3, Appendix to Encl 3, and Encl 7 DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 8, paragraph 8-302.b. Physical and Environmental Protection. DoD Instruction 8510.01, SUBJECT: Risk Management Framework (RMF) for DoD Information Technology (IT) DoD Instruction 8500.01, SUBJECT: Cybersecurity CJCSI 6211.02D, DEFENSE INFORMATION SYSTEMS NETWORK (DISN) RESPONSIBILITIES, CNSSP No.29, May 2013, National Secret Enclave Connection Policy
Checks: C-49219r770024_chk

CHECK 1. Check to ensure that network devices on a Classified Network (SIPRNet) such as routers, switches, and hubs are housed within an approved classified storage safe, vault, or approved open storage area (AKA: secure room), or a SCIF. (CAT I)

Two alternatives exist for check #1 in lieu of storage in a classified (secret or higher) vault, secure room or a SCIF:

a. Information Processing System (IPS) containers are safes designed to house operational Information Systems (IS) equipment and can be used to meet this requirement. The use of an IPS container is often a good recommendation when a deficiency is found.

b. A second alternative is to house network equipment in a 24/7 continuously occupied room or area. When using this method of control the equipment must be under the continuous (physical) observation and control of the cleared occupants. If using this alternative the network equipment must be maintained in lockable equipment storage cabinets. This is to ensure that Network Administrators and other (authorized) personnel are the only persons with unimpeded access to the Network Connections. If the equipment is under continuous observation and control but not in a lockable cabinet or otherwise maintained to ensure that only Network Administrators and other (authorized) personnel have access, then it will be a CAT II finding under check #2 below.

CHECK 2. Check also to ensure that Network Administrators and other (authorized) personnel are the only persons with unimpeded access to the Network Connections, regardless of whether the devices are properly housed in a safe, vault or secure room (AKA: collateral classified open storage area). Lockable equipment storage cabinets may be used to meet this requirement (but only when the storage cabinets housing the network equipment are located within a vault, secure room or SCIF). (CAT II)

CHECK 3. If other (authorized) personnel (e.g., other than assigned system/network administrators) are permitted to have unimpeded access to network devices, this authorization must be approved in writing by the site commander/director or perhaps other significant staff officer with security oversight of information systems (e.g., J6, ISSM). The documentation must include a justification indicating why the unimpeded/unescorted access is mission essential. This access allowance must be limited to very few personnel and not provided for mere convenience. (CAT II)

TACTICAL ENVIRONMENT: The check is applicable for fixed tactical classified processing environments. It is assumed the type of equipment referenced will be in a fixed environment. Not applicable to a field/mobile environment.

Fix: F-49174r770025_fix

1. Network devices on a Classified Network (SIPRNet) such as routers, switches, and hubs must be housed within an approved classified storage safe, vault, approved open storage area (AKA: secure room), or SCIF. Information Processing System (IPS) containers are safes designed to house operational Information System (IS) equipment and can be used to meet this requirement.

2. As an alternative to housing classified network devices in approved storage containers or areas, they may be housed in a 24/7 continuously occupied room or area. Occupants of the room or area must possess a security clearance equal to or greater than the level of the classified network devices.

3. Network Administrators and other (authorized) personnel must be the only persons with unimpeded access to the SIPRNet Network devices, regardless of whether the devices are properly housed in an approved safe, vault, secure room (AKA: collateral classified open storage area), SCIF, or 24/7 continuously occupied room or area. Lockable equipment storage cabinets may be used to meet this requirement (when network devices are housed within a vault, secure room or SCIF).

4. If other (authorized) personnel (e.g., other than assigned system/network administrators) are permitted to have unimpeded access to network devices, this authorization must be approved in writing by the site commander/director or perhaps other significant staff officer with security oversight of information systems (e.g., J6, ISSM). The documentation must include a justification indicating why the unimpeded/unescorted access is mission essential. This access allowance must be limited to very few personnel and not provided for mere convenience.

c
Information Assurance - Network Connections - Wall Jack Security on Classified Networks (SIPRNet or other Inspected Classified Network or System) Where Port Authentication Using IEEE 802.1X IS NOT Implemented
High - V-245789 - SV-245789r917367_rule
RMF Control
Severity
High
CCI
Version
IA-12.01.02
Vuln IDs
  • V-245789
  • V-31171
Rule IDs
  • SV-245789r917367_rule
  • SV-41344r3_rule
Following is a summary of the primary requirement to use the IEEE 802.1X authentication protocol to secure SIPRNet ports (AKA: wall jacks), which is covered in the Network STIG:

802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server. The supplicant is a client device (such as a laptop) that wishes to attach to the LAN/WLAN. The term 'supplicant' is also used interchangeably to refer to the software running on the client that provides credentials to the authenticator. The authenticator is a network device, such as an Ethernet switch or wireless access point; and the authentication server is typically a host running software supporting the RADIUS and EAP protocols. In some cases, the authentication server software may be running on the authenticator hardware.

The authenticator acts like a security guard to a protected network. The supplicant (i.e., client device) is not allowed access through the authenticator to the protected side of the network until the supplicant's identity has been validated and authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as user name/password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the authentication server determines the credentials are valid, the supplicant (client device) is allowed to access resources located on the protected side of the network.

The requirements in this Traditional Security STIG rule serve as physical security mitigations for the lack of proper SIPRNet port security using IEEE 802.1X. It is in essence a supplement to the Network STIG and provides the details for required mitigations. Network connections that are not properly protected are highly vulnerable to unauthorized access, resulting in the loss or compromise of classified or sensitive information.
REFERENCES: Network Infrastructure Security Technical Implementation Guide (STIG) Access Control in Support of Information Systems Security STIG (Access Control STIG) CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, paragraph 34.c. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: SC-8, PE-4 & PE-18 DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information, Encl 3, Appendix to Encl 3, and Encl 7 DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 8 DOD Instruction 8510.01, SUBJECT: Risk Management Framework (RMF) for DOD Information Technology (IT) DOD Instruction 8500.01, SUBJECT: Cybersecurity CJCSI 6211.02D, DEFENSE INFORMATION SYSTEMS NETWORK (DISN) RESPONSIBILITIES CNSSP No.29, May 2013, National Secret Enclave Connection Policy
Checks: C-49220r917366_chk

At sites where port authentication using 802.1X is not implemented, check during your walk around to see if all SIPRNet wall jacks are secured in the proper manner. The wall jacks can:

1. Be located within a Secret or higher vault or Secret or higher secure room (open storage area) or a SCIF.

2. Be under the continuous observation of a cleared individual.

3. Be secured by a Hoffman or similar lock box with a GSA-approved three-position changeable combination padlock. Currently the ONLY lock meeting this standard is the S&G 8077 changeable combination padlock. *Lock boxes must also have hasps attached in such a way that they cannot be removed without force. Using rivets, welds, etc. is acceptable. Also, hinges must not be exposed, or must be peened or welded in such a manner as to preclude removal without using detectable force. Electrical-type boxes with prepunch holes for conduit or cable cannot be used even if the holes are not removed.

4. Be disabled at the end of each work day. This can ONLY be accomplished by a physical disconnect of the transmission cable at the classified circuit (SIPRNet) Point of Presence (PoP). The PoP must be in an appropriate Secret or higher vault, secure room, or SCIF.

DETAILED EXPLANATION FOLLOWS:

1. The primary and most basic requirement (IAW the Network Policy found in the Layer 2 Switch STIG - Cisco) is implementation of IEEE port authentication standard 802.1X (logical software-based port security) - regardless of the physical area or space in which the wall jacks/ports are located. TRADITIONAL SECURITY REVIEWERS MUST FIRST CHECK WITH THE NETWORK REVIEWER to determine if 802.1X has been properly implemented on SIPRNet before evaluating the physical security of SIPRNet wall jacks. * Do this early in your site visit so that wall jack physical security considerations can be properly evaluated during your site tour/walk around.

2. Not using 802.1X based port authentication on SIPRNet is a CAT I *Network STIG* finding, separate from any traditional security considerations. However, if 802.1X is not implemented there is another software-based alternative, which is the Network STIG requirement to allow for "legacy" port security via MAC address. Several caveats go with this alternative, and this is when the physical security mitigations are required to be implemented:

a. Use of simple port security rather than 802.1X will result in a CAT III (*Network STIG*) finding (on NIPRNet or SIPRNet). While this is not a traditional security check, it is something to be aware of.

b. If simple port security rather than 802.1X is implemented *on SIPRNet* (OR IF THERE IS ABSOLUTELY NO LOGICAL SOFTWARE-BASED PORT SECURITY), the traditional security considerations and mitigations required IAW the Access Control STIG are as follows:

(1) If the wall jacks/drops/ports are located within spaces properly established as Secret or TS vaults or Secret or TS Secure Rooms (AKA: Collateral Classified Open Storage Areas) OR within an approved SCIF, then there is no requirement for supplemental physical security measures. Again - No supplemental physical security controls are required for SIPRNet wall jacks in these areas.

(2) If the wall jacks are not located in a Secret or higher secure room/vault/SCIF, the following physical security controls must be in place:

(a) SIPRNet wall jacks must be secured *when not attended by persons with Secret or higher clearance* by a properly constructed lock box (Hoffman or similar commercial product or locally fabricated). The lock box must be 18-gauge steel or better and have no exposed or removable hinges (internal hinges are ideal). If used, external hinge pins must be peened, welded, etc. so they cannot be removed without evidence of forced removal. Hasp hardware must be riveted to the box or otherwise installed so that removal will require physical breaking of the box or hasp, thereby leaving evidence of actual or attempted entry. No pre-punch (knock-out) holes are allowed in the box. The lock box must be secured with a 3-position high security combination padlock (IAW the CNSSI 7003 standard for PDS "Pull Boxes"). The S&G 8077 combination padlock is the ONLY existing combo padlock meeting this standard. See the DOD Lock Program site for details: https://portal.navfac.navy.mil/portal/page/portal/navfac/navfac_ww_pp/navfac_nfesc_pp/locks/CM_LOCKS/CL_PADLOCK/TAB_PADLOCK_PROD

(b) If lock boxes are not used the alternative is to physically disconnect the hot SIPRNet transmission lines at the SIPRNet Point of Presence (PoP) after normal duty hours. The PoP must be located within a proper Secret or higher secure room or vault or SCIF.

NOTE 1: To reiterate the basic requirement: If IEEE 802.1X is properly implemented at the switch to authenticate devices *with clients (such as user work stations)*, no additional supplemental physical security controls are required for the wall jacks. VERIFICATION FOR 802.1X IMPLEMENTATION MUST BE COORDINATED WITH THE NETWORK REVIEWER.

NOTE 2: Regardless of Port Authentication using IEEE 802.1X, *clientless devices (such as printers, scanners or multi-functional devices (MFD))* cannot be authenticated - but this should not cause an issue with needing supplemental physical controls (lock box or disconnect at PoP). The reason is that clientless devices like these that are connected to SIPRNet should "normally" be maintained in a Secret/TS secure room or vault or SCIF and therefore would not require supplemental physical security of the wall jacks. Otherwise, MFD wall jacks must be protected by lock boxes or physical disconnect at the PoP after normal duty hours. Additional physical security measures or procedures for protection of classified MFD hard drives, residual images and printed materials will also be required, but these considerations are addressed elsewhere on the checklist.

NOTE 3: Do not confuse the STIG wall jack lock box requirement with the CNSSI 7003 lock box requirement on the physical end point (Termination Boxes) of a Protected Distribution System (PDS). The reference for PDS is the CNSSI 7003, not the Access Control STIG. The requirements for PDS (pull-boxes, Access Points or Termination Boxes) and wall jack (lock boxes) are totally separate and unique, although it is possible to find the end of a PDS terminating in a lock box - that ALSO fulfills the requirement for protection of a wall jack where 802.1X is not implemented.

NOTE 4: If there is no "legacy" MAC port security in place there will be a CAT I port security finding written by the Network reviewer. If the traditional security reviewer also finds a CAT I finding for lack of physical security protective measures there is a CCRI scoring override that will decrease the OVERALL CCRI score. So where there is absolutely no logical or physical port/wall jack security in place - the result is very severe in terms of the CCRI score. Traditional Security reviewers, Network Reviewers (and Team Leads) need to be aware of this because of its significance to the site being reviewed.

NOTE 5: TACTICAL ENVIRONMENT APPLICABILITY: The check is applicable for fixed facility tactical processing environments. Not applicable to a field/mobile environment.
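To make the three-party 802.1X exchange summarized above concrete, and to show why the "legacy" MAC-address alternative and the clientless-device note matter, here is a small added Python model. It is not code from the STIG, from DISA, or from any switch vendor. It assumes a password-style EAP method and a constructed user table; port names, MAC addresses and credentials are made up for the example. The switch (authenticator) never judges credentials itself: in dot1x mode it relays them to the server and opens the controlled port only on a positive answer, and a device with no supplicant (a printer, say) stays unauthorized; in MAC mode it looks only at the address, so nothing is actually verified, which is the gap the physical mitigations above compensate for.

```python
"""Toy model of IEEE 802.1X port-based authentication beside legacy
MAC-based port security. Constructed example for illustration only."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def make_record(password: str):
    """Build a salted credential record for the constructed user table."""
    salt = os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode()).hexdigest()


class AuthServer:
    """Stands in for the RADIUS/EAP authentication server (assumption:
    password-style EAP method; the user table is constructed)."""

    def __init__(self, users):
        self.users = users  # username -> (salt, sha256 hex)

    def verify(self, username, password):
        rec = self.users.get(username)
        if rec is None or password is None:
            return False
        salt, stored = rec
        calc = hashlib.sha256(salt + password.encode()).hexdigest()
        return hmac.compare_digest(calc, stored)


@dataclass
class Port:
    """Controlled-port state: 'unauthorized' passes only EAPOL frames,
    'authorized' forwards normal traffic to the protected network."""
    state: str = "unauthorized"
    allowed_macs: set = field(default_factory=set)  # used only in MAC mode


class Authenticator:
    """The switch. In 'dot1x' mode it relays the supplicant's credentials
    to the server and never judges them itself; in 'mac' mode it applies
    legacy port security, which looks only at the source MAC address."""

    def __init__(self, server, mode="dot1x"):
        self.server = server
        self.mode = mode
        self.ports = {}
        self.log = []

    def port(self, name):
        return self.ports.setdefault(name, Port())

    def connect(self, port_name, mac, username=None, password=None):
        p = self.port(port_name)
        if self.mode == "dot1x":
            # Supplicant -> EAPOL-Start / EAP-Response(Identity) -> authenticator
            # -> Access-Request -> server; an Access-Accept opens the port.
            ok = username is not None and self.server.verify(username, password)
        else:
            # Legacy port security: only the source address is compared.
            ok = mac in p.allowed_macs
        p.state = "authorized" if ok else "unauthorized"
        self.log.append(f"{port_name} mode={self.mode} mac={mac} "
                        f"user={username} -> {p.state}")
        return p.state

    def forward(self, port_name, frame_type):
        """Would the switch pass this frame to the protected side?"""
        if frame_type == "eapol":
            return True  # EAPOL is always relayed so authentication can occur
        return self.port(port_name).state == "authorized"


def demo():
    """Run the constructed scenario and return the per-port outcomes."""
    server = AuthServer({"jdoe": make_record("correct horse battery staple")})

    sw = Authenticator(server, mode="dot1x")
    valid = sw.connect("Gi1/0/1", "aa:bb:cc:00:00:01", "jdoe", "correct horse battery staple")
    bad_pw = sw.connect("Gi1/0/2", "aa:bb:cc:00:00:02", "jdoe", "wrong")
    printer = sw.connect("Gi1/0/3", "aa:bb:cc:00:00:03")  # clientless: no supplicant

    legacy = Authenticator(server, mode="mac")
    legacy.port("Gi1/0/1").allowed_macs.add("aa:bb:cc:00:00:01")
    mac_listed = legacy.connect("Gi1/0/1", "aa:bb:cc:00:00:01")  # no credential checked
    mac_unlisted = legacy.connect("Gi1/0/2", "aa:bb:cc:00:00:02")

    return {
        "dot1x_valid": valid,
        "dot1x_bad_password": bad_pw,
        "dot1x_clientless": printer,
        "mac_listed": mac_listed,
        "mac_unlisted": mac_unlisted,
        "dot1x_ip_on_unauthorized_port": sw.forward("Gi1/0/2", "ip"),
        "dot1x_eapol_on_unauthorized_port": sw.forward("Gi1/0/2", "eapol"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `printer` case mirrors NOTE 2: a device that cannot run a supplicant never leaves the unauthorized state under 802.1X, which is why the STIG expects such devices to sit inside a secure room, vault or SCIF rather than relying on port authentication.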

Fix: F-49175r917209_fix

Where port authentication using IEEE 802.1X is not implemented, all SIPRNet wall jacks must be physically secured in the proper manner. The physical security mitigation for wall jacks not protected by 802.1X must use one of the following compensatory measures:

1. SIPRNet connected wall jacks must be located within a Secret or higher vault or Secret or higher secure room (open storage area) or a SCIF.

2. SIPRNet connected wall jacks must be under the continuous observation of a cleared individual.

3. SIPRNet connected wall jacks must be secured by a Hoffman or similar lock box with a GSA-approved three-position changeable combination padlock. Currently the ONLY lock meeting this standard is the S&G 8077 changeable combination padlock. Lock boxes must also have hasps attached in such a way that they cannot be removed without force. Using rivets, welds, etc. is acceptable. Also, hinges must not be exposed, or must be peened or welded in such a manner as to preclude removal without using detectable force. Electrical-type boxes with prepunch holes for conduit or cable cannot be used even if the prepunch holes are not removed.

4. SIPRNet connected wall jacks must be disabled at the end of each work day. This can ONLY be accomplished by a physical disconnect of the transmission cable at the classified circuit (SIPRNet) Point of Presence (PoP). The PoP must be located in an appropriate Secret or higher vault, secure room, or SCIF.

b
Information Assurance - Network Connections - Physical Protection of Unclassified (NIPRNet) Network Devices such as Routers, Switches and Hubs
Medium - V-245790 - SV-245790r917341_rule
RMF Control
Severity
Medium
CCI
Version
IA-12.02.01
Vuln IDs
  • V-245790
  • V-31190
Rule IDs
  • SV-245790r917341_rule
  • SV-41372r3_rule
Unclassified (NIPRNet) network connections that are not properly protected in their physical environment are highly vulnerable to unauthorized access, resulting in the probable loss or compromise of sensitive information such as personally identifiable information (PII) or For Official Use Only (FOUO). REFERENCES: Network Infrastructure Security Technical Implementation Guide (STIG) Access Control in Support of Information Systems Security STIG (Access Control STIG) CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, paragraph 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-5, SC-7 (14)&(15), SC-8, SC-14, SC-32, PE-2(1), PE-3(1) & (4), PE-4 & PE-18 DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information, Encl 7 DODI 5200.48 Controlled Unclassified Information (CUI) DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 8, paragraph 8-302.b. Physical and Environmental Protection. DOD Instruction 8510.01, SUBJECT: Risk Management Framework (RMF) for DOD Information Technology (IT) DOD Instruction 8500.01, SUBJECT: Cybersecurity CJCSI 6211.02D, DEFENSE INFORMATION SYSTEMS NETWORK (DISN) RESPONSIBILITIES
Checks: C-49221r917211_chk

1. Check that ALL network connections (on NIPRNet or other Unclassified Network under review) such as routers, switches, and hubs are secured in a locked communications closet/room OR secured in a locked equipment cabinet if the equipment is located in a room that is accessed by personnel other than designated network system administrators (e.g., SAs specifically designated to administer the network devices) and/or those with security management oversight (e.g., ISSM, ISSO, SM). The intent is to ensure that Network Administrators and other (authorized) personnel are the only persons with unimpeded access to the Network Connections.

2. If other (authorized) personnel (e.g., other than assigned system/network administrators or security management) are permitted to have unimpeded access to network devices, this authorization must be approved in writing by the site commander/director or perhaps other significant staff officer with security oversight of information systems (e.g., J6, ISSM). The documentation must include a justification indicating why the unimpeded/unescorted access is mission essential. This access allowance must be limited to very few personnel and not provided for mere convenience.

3. Ensure the locked room or cabinet cannot be easily accessed without forcible entry. Also ensure that proper key control procedures are used for ALL keys associated with both communication room doors and/or equipment cabinet doors.

4. ANY discrepancies with the above guidelines will result in a finding.

TACTICAL ENVIRONMENT: The check is applicable for fixed tactical processing environments. It is assumed the type of equipment referenced will be in a fixed environment. Not applicable to a field/mobile environment.

Fix: F-49176r770031_fix

1. All network connections (on NIPRNet or other Unclassified Network under review) such as routers, switches, and hubs must be secured within a locked communications closet/room OR secured within a cabinet if the equipment is located in a room that is accessed by personnel other than designated network system administrators (e.g., SAs specifically designated to administer the network devices) and/or those with security management oversight (e.g., ISSM, ISSO, SM).

2. If other (authorized) personnel (e.g., other than assigned system/network administrators or security management) are permitted to have unimpeded access to network devices, this authorization must be approved in writing by the site commander/director or perhaps other significant staff officer with security oversight of information systems (e.g., J6, ISSM). The documentation must include a justification indicating why the unimpeded/unescorted access is mission essential. This access allowance must be limited to very few personnel and not provided for mere convenience.

3. The locked room or cabinet must be adequately secured so that it cannot be easily accessed without forcible entry.

4. Proper key control procedures must be in place for associated keys used to secure doors to communications rooms AND equipment cabinets.

NOTE: Because locks and keys to equipment cabinets are often inferior and do not provide for adequate physical protection, it is recommended that a metal hasp be attached (using rivets or other means that cannot be removed without evidence of forcible entry) to equipment cabinets securing network equipment. General Services Administration (GSA) Medium Security Keyed Padlocks or (preferably) the S&G 8077 Changeable Combination Padlock should then be used to secure the cabinet using the hasp.

b
Industrial Security - DD Form 254
Medium - V-245791 - SV-245791r917342_rule
RMF Control
Severity
Medium
CCI
Version
ID-01.02.01
Vuln IDs
  • V-245791
  • V-30993
Rule IDs
  • SV-245791r917342_rule
  • SV-41039r3_rule
Failure to complete a DD Form 254 (Contract Security Classification Specification) or to specify security clearance and/or IT requirements for all contracts that require access to classified material can result in unauthorized personnel having access to classified material or mission failure if personnel are not authorized the proper access. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl A, Para 11, Encl B, para 4.h & 4.i., Encl C, para 5. (a, b & c), Encl C, para 26.g. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-2, PE-2(1), PE-3, PE-8, PS-3(1), PS-6(2), PS-7 DOD Manual 5200.01, Volume 4, SUBJECT: DOD Information Security Program: Controlled Unclassified Information (CUI), Encl 3, para 1.e. DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information, Encl 2, para 18.i. DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 8, paragraph 8-302.a., b., g.& j, and paragraph 8-303.a and b. DOD Manual 5200.48 Controlled Unclassified Information (CUI) DOD Manual 5220.22, Volume 2, National Industrial Security Program: Industrial Security Procedures for Government Activities, 1 August 2018, Section 3, paragraph 3.4.a. and Section 6. DOD Instruction 8510.01, SUBJECT: Risk Management Framework (RMF) for DOD Information Technology (IT): Encl 2, para 7.l., Encl 3, para 3.b.(3), Encl 6, para 1.b.(5)(a)&(c)&(d) and para 2.c(c). DOD Instruction 8500.01, SUBJECT: Cybersecurity: Encl 2, para 13.i., j & l. and Encl 3, para 7.f., k., & l, para 9.b(4) and para 10.d. CJCSI 6211.02D, DEFENSE INFORMATION SYSTEMS NETWORK (DISN) RESPONSIBILITIES, Encl B, para 2.c.(7) and para 7., Encl C, para 6.b(7)(a) &(b), Encl D, para 2.j. DOD 8570.01-M, Information Assurance Workforce Improvement Program, paragraphs: C1.4.4.5, C1.4.4.12., C2.3.9., C3.2.4.4., C3.2.4.8., C3.2.4.8.1., C4.2.3.7.1., C7.3.4., C10.2.3.7.1., C11.2.4.7.1.
Checks: C-49222r822842_chk

1. Check there are DD Forms 254 available for all classified contracts. NOTE: These forms may be held by the site contracting officials but should be available to the site security manager and information security manager for review.

2. Conduct a cursory review of the DD 254 to ensure all security requirements are properly detailed on the form, especially with regard to Information Assurance (i.e., IT Position level designation) in addition to security clearance, training and certification requirements.

NOTE: Applicable to tactical environments if there are contractor personnel performing classified work. This form will likely only be found at fixed locations rather than field locations. While the DD 254 may not be available on site or even in Theater, the completed document's location should be identified and, if possible, a scanned and emailed copy requested for review. This will likely only be able to occur via SIPRNet email because some of these forms contain classified information, while all others are only FOUO.

Fix: F-49177r770034_fix

1. DD Forms 254 must be on hand for each classified contract.

2. All security requirements must be properly detailed on the form, particularly for Information Technology related requirements, such as IT Position levels (in addition to security clearance, training and certification requirements) for the positions or types of work to be performed.

a
Industrial Security - Contractor Visit Authorization Letters (VALs)
Low - V-245792 - SV-245792r917343_rule
RMF Control
Severity
Low
CCI
Version
ID-02.03.01
Vuln IDs
  • V-245792
  • V-30994
Rule IDs
  • SV-245792r917343_rule
  • SV-41040r3_rule
Failure to require Visit Authorization Letters (VALs) for contractor visits could result in sensitive or classified materials being released to unauthorized personnel. REFERENCES: NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-2, PE-2(1), PE-3, PE-8, PS-3(1), PS-6(2) DOD Manual 5200.01, Volume 1, SUBJECT: DOD Information Security Program: Overview, Classification, and Declassification, Encl 2, para 9.k., 9.l. & 9.m. DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information, Encl 2, para 7.a. DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 6.
Checks: C-49223r917214_chk

1. Check with the security manager or personnel security specialists to ensure there are written procedures for contractors visiting government sites.

2. Ask to see copies of the site VALs and/or determine the site VAL process based on the processing of contractors on your inspection team.

3. Ensure all government facilities have a VAL on file for all contractors visiting the site, including permanent party contractors.

NOTES:

1. DISS should and will likely be used for most short-term "visitor" VALs; however, in addition to DISS the VAL may also be passed via hard copy or electronically using email (mail, fax, email) for "assigned" contractor employees. This is because DISS is by design intended for short-term visits, whereas contractor "employee" VALs should require additional information (such as contract number, COR identification, etc.) that cannot be input or passed via DISS. Lack of a hard-copy VAL alone for assigned contractor employees at a site will not necessarily be cause for a finding if a VAL in DISS is available. Reviewers must use discretion when evaluating if the lack of a hard-copy VAL has caused any substantive confusion over the company Facility Clearance Level (FCL), individual contract employee security clearance levels, IT position assignments based on job descriptions (found in applicable Statements of Work [SOW] and/or DD 254), etc. when deciding if a finding is warranted. For instance, an individual employee's DISS access might indicate they have TS clearance - but the FCL for the company is only at the Secret level and/or the contract only allows for up to Secret access. If the site is allowing access to TS for this individual, the lack of a hard-copy VAL could be cited as a finding, in addition to any other related findings for this discovery.

2. Applies in a tactical environment if contract personnel visit or are assigned.

3. Reviewers should be sure to note in the findings report if the finding concerns DISS issues for short-term contractor visitors or if it concerns "hard-copy" VALs for assigned contractor employees.

Fix: F-49178r917215_fix

1. Written procedures must be developed that cover the requirements and process for VALs for contractors visiting and/or employed at government sites.
2. All government sites must have a VAL on file for each contractor visiting the site temporarily and also for permanent party contractors routinely working/physically employed at the site.

NOTES: DISS should be used for most short-term "visitor" VALs; however, in addition to DISS (or as an alternative to JPAS for contractors who do not have DISS accounts) VALs may also be passed via hard copy or electronically (mail, fax, email) for "assigned" contractor employees. This is because DISS is by design intended for short-term visits, whereas contractor "employee" VALs require additional information (such as contract number, COR identification, etc.) that cannot be input or passed via DISS. A hard-copy VAL for assigned contractor employees will help to eliminate substantive confusion over the company Facility Clearance Level (FCL), individual contract employee security clearance levels, IT position assignments based on job descriptions (found in applicable SOW and/or DD 254), etc.

Industrial Security - Contract Guard Vetting
Medium - V-245793 - SV-245793r770041_rule
RMF Control
Severity
Medium
CCI
Version
ID-03.02.01
Vuln IDs
  • V-245793
  • V-30995
Rule IDs
  • SV-245793r770041_rule
  • SV-41041r3_rule
Failure to screen guards could result in employment of unsuitable personnel who are responsible for the safety and security of DOD personnel and facilities.
REFERENCES:
  • NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PS-2, PS-2(1), PS-3
  • DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), 3 April 2017
Checks: C-49224r770039_chk

Check to ensure:
1. Contract guards have a minimum favorable Tier 1 (T1) background investigation (formerly National Agency Check (NAC)) prior to DoD facility assignment, or an appropriate level of security clearance if required by the DD 254 and classified duties are performed.
2. If classified work is not required, check to ensure security specifications are contained within the contract documentation (Statement of Work (SOW) or other appropriate documentation) for T1/NAC and any other security requirements not involving access to classified.
3. Contract guards actually have current investigations for the position level of trust and/or security clearance requirements.

NOTES:
1. Fully applicable in a tactical environment if contract guards are employed.
2. This check does not "necessarily" apply to base police/gate guards, only to the guards employed specifically to protect "inspected site" assets. If the host installation employs contract guards to assist or directly protect "inspected site" assets, then this requirement applies.

Fix: F-49179r770040_fix

1. Contract guards must have a minimum favorable Tier 1 (T1) background investigation (formerly National Agency Check (NAC)) prior to DoD facility assignment, or an appropriate level of security clearance if required by the DD 254 and classified duties are performed.
2. If classified work is not required, security specifications must be contained within the contract documentation (Statement of Work (SOW) or other appropriate documentation) for a T1/NAC and any other security requirements for guards not involving access to classified.

NOTES:
1. Fully applicable in a tactical environment if contract guards are employed.
2. This check does not "necessarily" apply to base police/gate guards, only to the guards employed specifically to protect "inspected site" assets. If the host installation employs contract guards to assist or directly protect "inspected site" assets, then this requirement applies.

Information Security (INFOSEC) - Safe/Vault/Secure Room Management
Medium - V-245794 - SV-245794r770044_rule
RMF Control
Severity
Medium
CCI
Version
IS-01.02.01
Vuln IDs
  • V-245794
  • V-31266
Rule IDs
  • SV-245794r770044_rule
  • SV-41522r3_rule
Lack of adequate or improper procedures for management of safes/vaults and secure rooms could result in the loss or compromise of classified material.
REFERENCES:
  • CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, paragraphs 26.s.(5) and 34.c.
  • NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4 and PE-5
  • DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 2, para 9; Encl 3, para 1.b, 1.d., 6.b., 6.d., 7., 8., 9., 10., 11., 13., and 14.
  • Information Security Oversight Office, 32 CFR Parts 2001 and 2003 Classified National Security Information; Final Rule: Subpart H - Standard Forms
Checks: C-49225r770042_chk

Check all safes, vaults and/or secure rooms (*only those containing DoDIN assets) for proper management practices:
1. Ensure only GSA-approved security containers are being utilized. GSA-approved security containers and vault doors must have a label indicating "General Services Administration Approved Security Container," affixed to the front of the container. Usually this is on the control or the top drawer of safes.
2. Ensure combinations are changed as required. This is recorded on the applicable SF 700 form and must be done:
  • When placed in service,
  • When someone with knowledge of the combination departs (unless other sufficient controls exist to prevent that individual's access to the lock),
  • When compromise of the combination is suspected, or
  • When taken out of service, built-in combination locks shall be reset to the standard combination of 50-25-50.
3. Ensure forms SF 700, Security Container Information are properly completed for each safe, vault and secure room used to store classified DISN assets. The SF 700 is a two-part form consisting of an envelope with a tear-off tab and cover sheet. The cover sheet and face of the envelope (Part 1 of the form) provide space for information about the activity, container, type of lock, and who to contact if the container is left open. Required checks follow. Ensure the SF 700:
  a. Shows the location of the door or container.
  b. Reflects the names, home addresses, and home telephone numbers of the individuals having knowledge of the combination who are to be contacted in the event that the vault, secure room, or container is found open and unattended.
  c. Part 1 of SF 700 is not classified, but contains personally identifiable information (PII) that shall be protected by sealing Part 1 in an opaque envelope (not provided as part of the SF 700) conspicuously marked "Security Container Information" and stored in accordance with SF 700 instructions.
  NOTE: If the information must be accessed during non-duty hours and a new opaque envelope is not available to replace the opened one, the original envelope should be temporarily resealed, to the extent possible, until Part 1 can be placed in a new envelope the next working day.
  d. After the cover sheet (Part 1) is filled out and sealed in an opaque envelope, attach it to the inside of the control drawer or on the inside face of the vault or secure room door, with either tape or a magnetically-attached holder.
  e. The tear-off tab (Part 2) with the combination record is placed in the envelope provided with the form, sealed, properly marked with the classification level and stored by the security manager in another approved classified container.
4. Ensure forms SF 702, Security Container Check Sheet are properly completed for each safe, vault and secure room used to store classified DISN assets. Following are required checks for the SF 702 form. Ensure:
  a. It provides a record of the names and times that persons have opened, closed or checked a particular container (safe, vault or secure room) that holds classified information.
  b. It is properly annotated to reflect each opening and closing of the container.
  c. It is properly annotated to reflect (at least) daily checks of ALL containers, whenever an area housing the containers is entered/occupied, EVEN IF THE CONTAINER IS NOT OPENED. If on weekends or holidays the area housing the container is not occupied, the SF 702 would not require annotation; however, in the event the area is accessed for even a short period of time, the SF 702 forms for each container in the area should be annotated to reflect the container was checked. Annotation of the SF 702 forms should be conducted IN ADDITION TO the annotation of SF 701 forms reflecting end-of-day checks.
  NOTE: If CC/S/A INFOSEC implementing instructions contain specific guidance in contradiction to the above DoDIN SF 702 requirements/checks, then the CC/S/A guidance may be followed. Failure to comply with either the above guidance or CC/S/A documented guidance will result in a finding of non-compliance.
5. Ensure container repairs are conducted correctly IAW FED-STD-809. Details are at the DoD Lock Program Web Portal for Drawer Head Replacement.

TACTICAL ENVIRONMENT: This check is applicable where safes, vaults or secure rooms are used to protect classified materials or systems. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-49180r770043_fix

All safes, vaults and/or secure rooms containing SIPRNet assets must adhere to the following proper management practices:
1. Only GSA-approved security containers are utilized. GSA-approved security containers and vault doors must have a label indicating "General Services Administration Approved Security Container," affixed to the front of the container; usually this is on the control or the top drawer of safes.
2. Combinations must be changed as required. This is recorded on the applicable SF 700 form and must be done:
  • When placed in service,
  • When someone with knowledge of the combination departs (unless other sufficient controls exist to prevent that individual's access to the lock),
  • When compromise of the combination is suspected, or
  • When taken out of service, built-in combination locks shall be reset to the standard combination of 50-25-50.
3. Standard Forms (SF) 700, Security Container Information and SF 702, Security Container Check Sheet must be properly completed and maintained.
4. Repairs must be conducted correctly IAW FED-STD-809. Details are at the DoD Lock Program Web Portal for Drawer Head Replacement.

Information Security (INFOSEC) - Vault/Secure Room Storage Standards - Door Combination Lock Meeting Federal Specification FF-L-2740
High - V-245795 - SV-245795r917344_rule
RMF Control
Severity
High
CCI
Version
IS-02.01.01
Vuln IDs
  • V-245795
  • V-31267
Rule IDs
  • SV-245795r917344_rule
  • SV-41529r3_rule
Failure to meet Physical Security storage standards could result in the undetected loss or compromise of classified material.
REFERENCES:
  • CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl A, paragraph 7.f.; Encl C, paragraph 10.a., and 10.b.
  • NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-3 and PE-5
  • DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information: Encl 3, para 1.d, 2., 3.a.(2), 3.b.(1), 6.a.(2), 7. and Appendix to Encl 3, para 1.b.(3).
  • Information Security Oversight Office, 32 CFR Parts 2001 and 2003 Classified National Security Information
  • DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, paragraphs 5-303., 5-306., 5-307.c., 5-310., 5-312., 5-313., 5-314. & Section 8, Construction Requirements.
Checks: C-49226r917217_chk

*This check is specifically for vaults and secure rooms or open storage areas containing inspectable SIPRNet assets*: Check the primary ingress/egress door to ensure a proper combination lock is installed and is being used. The door must be equipped with a built-in GSA-approved combination lock meeting Federal Specification FF-L-2740, such as the X07, X09, or Kaba Mas X-10 locks.

NOTE: The use of automated entry control systems (AECS) is encouraged to control access to secure room space during working hours; however, electrically actuated locks (e.g., cypher and magnetic access card locks) do not afford by themselves the required degree of protection for classified information and must not be used as a substitute for the combination locks meeting Federal Specification FF-L-2740.

TACTICAL ENVIRONMENT: This check is applicable where vaults or secure rooms are used to protect classified materials or systems. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-49181r917218_fix

*This requirement is specifically for vaults and secure rooms or open storage areas containing inspectable SIPRNet assets*: The primary ingress/egress door must be equipped with a proper combination lock that is installed properly and is being used. The door must be equipped with a built-in GSA-approved combination lock meeting Federal Specification FF-L-2740, such as the X07, X09, and Kaba Mas X-10 locks.

NOTE: The use of automated entry control systems (AECS) is encouraged to control access to secure room space during working hours; however, electrically actuated locks (e.g., cypher and magnetic access card locks) do not afford by themselves the required degree of protection for classified information and must not be used as a substitute for the combination locks meeting Federal Specification FF-L-2740.

Information Security (INFOSEC) - Secure Room Storage Standards - Door Construction
High - V-245796 - SV-245796r1008544_rule
RMF Control
Severity
High
CCI
Version
IS-02.01.02
Vuln IDs
  • V-245796
  • V-31268
Rule IDs
  • SV-245796r1008544_rule
  • SV-41531r3_rule
Failure to meet construction standards could result in the undetected loss or compromise of classified material.
REFERENCES:
  • CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl A, paragraph 7.f.; Encl C, paragraph 10.a., and 10.b.
  • NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-3 and PE-5
  • DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Encl 3, para 1.b, 14.b. and Appendix to Encl 3, para 1.b.(3), 2.e.(4) and Glossary page 122, vault definition.
  • Information Security Oversight Office, 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.53 Open storage areas, (b) Doors.
  • DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 8, Construction Requirements.
Checks: C-49227r1008542_chk

Check all secure room doors (*containing inspectable SIPRNet assets) as follows:
1. The doors to the room (primary and secondary) shall be substantially constructed of wood or metal. (CAT II)
2. For outswing doors, hinge-side protection shall be provided by making hinge pins nonremovable (i.e. spot welding) or by using hinges with interlocking leaves that prevent removal. There are certain hinge pins made with internal locking pins or locking flanges that are acceptable if they cannot be removed. (CAT I)
3. Secondary (emergency exit only) doors other than those secured with locks meeting FF-L-2740 shall be secured from the inside with deadbolt emergency egress hardware, a deadbolt, or a rigid wood or metal bar that extends across the width of the door. IAW Unified Facilities Criteria (UFC) 4-026-01, 4 Mar 2020, section 5-5.5, all non-entry doors to the defense layer must present a blank, flush surface to the outside and have internal locking or bolting mechanisms to reduce vulnerability to attack (to the secure room). (CAT I)
4. Secondary doors (doors other than those secured with locks meeting FF-L-2740) shall be secured from the inside with deadbolt emergency egress hardware, a deadbolt, or a rigid wood or metal bar that extends across the width of the door. These deadbolt locks shall be secured when the combination lock on the primary door is spun. (CAT I)

TACTICAL ENVIRONMENT: This check is applicable where secure rooms are used to protect classified materials or systems. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-49182r1008543_fix

All secure room doors (*containing inspectable SIPRNet assets) must meet the following standards:
1. The doors to the room (primary and secondary) shall be substantially constructed of wood or metal.
2. For outswing doors, hinge-side protection shall be provided by making hinge pins nonremovable (i.e. spot welding) or by using hinges with interlocking leaves that prevent removal. There are certain hinge pins made with internal locking pins or locking flanges that are acceptable if they cannot be removed.
3. Secondary (emergency exit only) doors other than those secured with locks meeting FF-L-2740 shall be secured from the inside with deadbolt emergency egress hardware, a deadbolt, or a rigid wood or metal bar that extends across the width of the door. IAW Unified Facilities Criteria (UFC) 4-026-01, 4 Mar 2020, section 5-5.5, all nonentry doors to the defense layer must present a blank, flush surface to the outside and have internal locking or bolting mechanisms to reduce vulnerability to attack (to the secure room).
4. Secondary doors (doors other than those secured with locks meeting FF-L-2740) shall be secured from the inside with deadbolt emergency egress hardware, a deadbolt, or a rigid wood or metal bar that extends across the width of the door. These deadbolt locks shall be secured when the combination lock on the primary door is spun.

Information Security (INFOSEC) - Secure Room Storage Standards Wall and Ceiling Structural Integrity (AKA: True Floor to True Ceiling Connection)
High - V-245797 - SV-245797r822847_rule
RMF Control
Severity
High
CCI
Version
IS-02.01.03
Vuln IDs
  • V-245797
  • V-31270
Rule IDs
  • SV-245797r822847_rule
  • SV-41537r3_rule
Failure to meet standards for ensuring that there is structural integrity of the physical perimeter surrounding a secure room (AKA: collateral classified open storage area) IAW DoD Manual 5200.01, Volume 3, Enclosure 3 could result in the undetected loss or compromise of classified material.
REFERENCES:
  • CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 24.j. and 34.
  • NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-3 and PE-5
  • DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Encl 3, para 1.b.(1).
  • Information Security Oversight Office, 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.53 Open storage areas, (a) Construction.
  • DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 8, Construction Requirements.
Checks: C-49228r770051_chk

For secure rooms or areas (*containing inspectable SIPRNet assets), check that walls are true floor to true ceiling. Walls shall be extended to the true ceiling and attached with permanent construction materials. As an alternative, true walls and true ceilings can be connected with steel mesh or 18-gauge expanded steel screen. Likewise, walls below raised floor (computer room) space may be connected to the true floor with steel mesh or 18-gauge expanded steel screen.

TACTICAL ENVIRONMENT: This check is applicable where secure rooms are used to protect classified materials or systems. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-49183r770052_fix

1. For secure rooms or areas (*containing inspectable SIPRNet assets), walls must be true floor to true ceiling.
2. Walls shall be extended to the true ceiling and attached with permanent construction materials.
3. As an alternative, true walls and true ceilings can be connected with steel mesh or 18-gauge expanded steel screen.
4. Likewise, walls below raised floor (computer room) space may be connected to the true floor with steel mesh or 18-gauge expanded steel screen.

Information Security (INFOSEC) - Vault/Secure Room Storage Standards - Openings in Perimeter Exceeding 96 Square Inches
High - V-245798 - SV-245798r822848_rule
RMF Control
Severity
High
CCI
Version
IS-02.01.04
Vuln IDs
  • V-245798
  • V-31271
Rule IDs
  • SV-245798r822848_rule
  • SV-41538r3_rule
Failure to meet standards for ensuring that there is structural integrity of the physical perimeter surrounding a vault or secure room (AKA: collateral classified open storage area) IAW DoD Manual 5200.01, Volume 3, Enclosure 3 could result in the undetected loss or compromise of classified material.
REFERENCES:
  • CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 24.j. and 34.
  • NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-3 and PE-5
  • DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Encl 3, para 1.b.(5).
  • Information Security Oversight Office, 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.53 Open storage areas, (c) Vents, ducts, and miscellaneous openings.
  • DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 8, Construction Requirements, paragraph 5-801.h. Miscellaneous Openings.
Checks: C-49229r770054_chk

For vaults, secure rooms or areas (*containing inspectable SIPRNet assets): Utility openings such as ducts and vents and any holes or passages through the secure room perimeter will be kept at less than a man-passable (96 square inches) opening. Openings larger than 96 square inches will be hardened in accordance with Military Handbook 1013/1A.

TACTICAL ENVIRONMENT: This check is applicable where secure rooms are used to protect classified materials or systems. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-49184r770055_fix

For vaults, secure rooms or areas (*containing inspectable SIPRNet assets): Utility openings such as ducts and vents and any holes or passages through the secure room perimeter must be kept at less than a man-passable (96 square inches) opening. Openings larger than 96 square inches will be hardened in accordance with Military Handbook 1013/1A.

Information Security (INFOSEC) - Secure Room Storage Standards Windows - Accessible from the Ground Hardened Against Forced Entry and Shielded from Exterior Viewing of Classified Materials Contained within the Area.
High - V-245799 - SV-245799r822849_rule
RMF Control
Severity
High
CCI
Version
IS-02.01.05
Vuln IDs
  • V-245799
  • V-31272
Rule IDs
  • SV-245799r822849_rule
  • SV-41539r3_rule
Failure to meet standards for ensuring that there is structural integrity of the physical perimeter surrounding a secure room (AKA: collateral classified open storage area) IAW DoD Manual 5200.01, Volume 3 could result in the undetected loss or compromise of classified material.
REFERENCES:
  • CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 24.j. and 34.
  • NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-3, PE-5 and PE-6
  • DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Encl 3, para 1.b.(4)(a) & (b).
  • Information Security Oversight Office, 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.53 Open storage areas, (d) Windows (1) and (2).
  • DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 8, Construction Requirements, paragraph 5-801.c. Windows.
Checks: C-49230r770057_chk

For secure rooms or areas (*containing inspectable SIPRNet assets) check windows as follows:
1. Window placement in secure rooms should be minimal. Ideally, there should be no large or entirely glass walls; although this will not automatically result in a finding if the glass is hardened to the same degree as the contiguous walls and properly obscured from outside viewing. Where windows are located on the exterior of secure rooms (AKA: collateral classified open storage areas), the vulnerabilities, existing and potential additional countermeasures, and residual risk associated with the windows must be considered in an assessment of risk for the secure room. NOTE that a risk assessment is required for all secure rooms IAW DoD Manual 5200.01, Volume 3, Enclosure 3, paragraph 4.
2. Windows that are less than 18 feet above the ground measured from the bottom of the window, or are easily accessible by means of objects directly beneath the windows, shall be constructed from or covered with materials that provide protection from forced entry. The protection provided to the windows need be no stronger than the strength of the contiguous walls. Hurricane rated windows, ballistic proof windows, non-opening double or triple pane windows, etc. should be considered acceptable as equivalent to contiguous walls. Welded steel bars attached to the structure surrounding the window may also be used for hardening windows that are not as strong as the contiguous walls (e.g. single pane glass).
3. As an alternative to hardening windows (that are not as strong as the contiguous walls) with welded steel bars, secure rooms that are located within an access controlled installation or compound may eliminate the requirement for forced entry protection if the following countermeasures are taken: All windows within 18 feet of ground level that are capable of being opened from inside the protected space shall be made inoperable, either by permanently sealing them or by equipping them on the inside with a locking mechanism, and shall also be protected by an IDS, either independently (e.g. glass break sensors) or by motion detection sensors in the space.
4. Windows will be covered with curtains, screens or otherwise limit visibility into the secure room space when classified equipment, documents or media can be viewed from outside the area.

TACTICAL ENVIRONMENT: This check is applicable where secure rooms are used to protect classified materials or systems. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-49185r770058_fix

For secure rooms or areas (*containing inspectable SIPRNet assets) the following standards must be used:
1. Window placement in secure rooms must be minimal. There must be no large or entirely glass walls. Where windows are located on the exterior of secure rooms (AKA: collateral classified open storage areas), the vulnerabilities, existing and potential additional countermeasures, and residual risk associated with the windows must be considered in an assessment of risk for the secure room. NOTE that a risk assessment is required for all secure rooms IAW DoD Manual 5200.01, Volume 3, Enclosure 3, paragraph 4.
2. Windows that are less than 18 feet above the ground measured from the bottom of the window, or are easily accessible by means of objects directly beneath the windows, shall be constructed from or covered with materials that provide protection from forced entry. The protection provided to the windows need be no stronger than the strength of the contiguous walls. Hurricane rated windows, ballistic proof windows, non-opening double or triple pane windows, etc. should be considered acceptable as equivalent to contiguous walls. Welded steel bars attached to the structure surrounding the window may also be used for hardening windows that are not as strong as the contiguous walls (e.g. single pane glass).
3. As an alternative to hardening windows (that are not as strong as the contiguous walls) with welded steel bars, secure rooms that are located within an access controlled installation or compound may eliminate the requirement for forced entry protection if the following countermeasures are taken: All windows within 18 feet of ground level that are capable of being opened from inside the protected space shall be made inoperable, either by permanently sealing them or by equipping them on the inside with a locking mechanism, and shall also be protected by an IDS, either independently (e.g. glass break sensors) or by motion detection sensors in the space.
4. Windows will be covered with curtains, screens or otherwise limit visibility into the secure room space when classified equipment, documents or media can be viewed from outside the area.

Information Security (INFOSEC) - Vault Storage/Construction Standards
High - V-245800 - SV-245800r917345_rule
RMF Control
Severity
High
CCI
Version
IS-02.01.06
Vuln IDs
  • V-245800
  • V-31273
Rule IDs
  • SV-245800r917345_rule
  • SV-41540r3_rule
Failure to meet standards IAW the DOD Manual 5200.01, Volume 3, Appendix to Enclosure 3, for ensuring that there is required structural integrity of the physical perimeter surrounding a classified storage vault could result in the undetected loss or compromise of classified material.
REFERENCES:
  • CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 24.j. and 34.
  • NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-3 and PE-5
  • DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information: Appendix to Encl 3, para 1.a.(1) & (2).
  • The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.43 Storage, (2) Secret.
  • DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 8, Construction Requirements, paragraph 5-802. Construction required for Vaults.
Checks: C-49231r917220_chk

For vaults containing inspectable SIPRNet assets, check with supporting Facility Engineers to ensure each is properly constructed IAW one of the following two specifications:
1. As a Class A vault (concrete poured-in-place) built to Federal Standard (FED STD) 832; specifically check/validate the following:
  a. Floor and Walls. Eight inches of reinforced concrete. Walls are to extend to the underside of the roof slab above.
  b. Roof/True Ceiling. Monolithic reinforced-concrete slab of thickness to be determined by structural requirements, but not less than the floors and walls.
  c. "True" vaults must have a Class 5 Vault Door and Frame and be fitted with an FF-L-2740 combination lock. The vault door and frame unit must conform to Federal Specification AA-D-600 Class 5 vault door with lock meeting Federal Specification FF-L-2740. Ensure it is not an armory vault door, which should have a GSA label (silver with red letters) stating that it is a "GSA Approved Armory Vault Door". AN ARMORY DOOR IS NOT APPROVED FOR CLASSIFIED STORAGE - AA&E STORAGE ONLY. The "proper" security vault door label reads "GSA Approved Security Vault Door" (label also silver with red letters). The difference between the two doors is that armory vault doors are fitted with Federal Specification FF-L-2937 mechanical combination locks. Facility Engineer (FE) construction certificates or other documentation should be requested to ensure construction standards are met. Often these certificates are posted on the inside of the vault near the door.
2. As a Class B vault (GSA-approved modular vault) meeting Federal Specification AA-V-2737, Modular Vault Systems, April 25, 1990, with Amendment 2, October 30, 2006.
NOTE: Here again, normally FE certification documentation will be posted within the vault, but it is OK if such documentation is on file elsewhere at the site. The DOD Lock Program Web Portal provides detailed specifications for vaults and ordering instructions for doors, available through the DOD Lock Program at: https://exwc.navfac.navy.mil/DoD-Lock-Program/

TACTICAL ENVIRONMENT: This check is applicable where vaults are used to protect classified materials or systems in a tactical environment.

Fix: F-49186r917221_fix

Vaults containing inspectable SIPRNet assets must have documented confirmation from supporting Facility Engineers to ensure each is built to one of the following standards:

1. As a Class A vault (concrete poured-in-place) built to Federal Standard (FED STD) 832. Specifically check/validate the following:
   a. Floor and Walls. Eight inches of reinforced concrete. Walls are to extend to the underside of the roof slab above.
   b. Roof/True Ceiling. Monolithic reinforced-concrete slab of thickness to be determined by structural requirements, but not less than the floors and walls.
   c. Class 5 Vault Door and Frame fitted with an FF-L-2740 combination lock. The vault door and frame unit must conform to Federal Specification AA-D-600 Class 5 vault door with lock meeting Federal Specification FF-L-2740. It cannot be an armory vault door, which should have a GSA label (silver with red letters) stating that it is a "GSA Approved Armory Vault Door". AN ARMORY DOOR IS NOT APPROVED FOR CLASSIFIED STORAGE - AA&E STORAGE ONLY. The "proper" security vault door label must read: "GSA Approved Security Vault Door" (label also silver with red letters). The difference between the two doors is that armory vault doors are fitted with Federal Specification FF-L-2937 mechanical combination locks.

2. As a Class B vault (GSA-approved modular vault) meeting Federal Specification AA-V-2737, Modular Vault Systems, April 25, 1990, with Amendment 2, October 30, 2006.

Facility Engineer (FE) construction certificates or other documentation must be available to ensure construction standards are met. Often these certificates are posted on the inside of the vault near the door, but they can be on file elsewhere at the site.

Information Security (INFOSEC) - Secure Room Storage Standards - Intrusion Detection System (IDS)
High - V-245801 - SV-245801r822853_rule
RMF Control
Severity
High
CCI
Version
IS-02.01.07
Vuln IDs
  • V-245801
  • V-31274
Rule IDs
  • SV-245801r822853_rule
  • SV-41541r3_rule
Failure to meet standards for maintenance and validation of structural integrity of the physical perimeter surrounding a secure room (AKA: collateral classified open storage area) IAW DoD Manual 5200.01, Volume 3, could result in the undetected loss or compromise of classified material. Using a physical intrusion detection system enables immediate detection of attempted and/or actual intrusion into a secure room space. This is often the best supplemental protective measure (vice using 4-hour random checks) due to providing capability for immediate detection, and for immediate response to assess and counter the threat to the secure room space. Use of 4-hour checks may be adequate if supported by a risk assessment, but will not provide the immediate detection and response capability of a properly installed IDS. It is required that a risk assessment be conducted to determine which of these two intrusion detection methods (use of IDS OR 4-hour random checks) is appropriate for any particular location.

REFERENCES:
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 24.j. and 34.
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-3, PE-5 and PE-6
DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Encl 3, paragraphs 3.a.(3), 3.b.(1), 3.b.(3)(a)&(b) and paragraph 4.
The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.43 Storage, (2) Secret.
DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 3; paragraphs 5-306.b., 5-307.a., 5-307.b. & Section 9; paragraphs 5-900 and 5-904.
Checks: C-49232r770063_chk

Background Details: Except for storage in a GSA-approved container (AKA: safe) or a vault built to FED STD 832, one of the following supplemental controls is required for secure rooms or areas containing SIPRNet (secret) assets, provided the CC/S/A senior agency official determines in writing that security-in-depth exists:
(1) Inspection of the container or open storage area every four hours by an employee cleared at least to the Secret level; or
(2) An IDS with the personnel responding to the alarm arriving within 30 minutes of the alarm annunciation.

IMPORTANT NOTE: Random checks not exceeding 4 hours are an allowable alternative to IDS ONLY if supported by a valid risk assessment. Prior to the installation of an IDS, the site shall perform a risk analysis to determine the threat, vulnerabilities, security-in-depth countermeasures, the acceptability of risk, potential cost savings, procedural requirements, and potential cost of additional manpower associated with random checks of the secure room as an alternative to IDS. Random checks and risk analysis are each covered as separate checks elsewhere in this checklist. This particular check for IDS is Not Applicable (NA) if random checks are properly conducted and are supported by the risk analysis and security-in-depth approved by the senior agency official in writing.

In summary, this check is to validate that an IDS is being used AND that it is supported by a valid risk assessment AND security-in-depth approved by the senior agency official in writing.

Checks:
1. Check to ensure that all secure rooms/classified open storage areas that afford access to classified SIPRNet equipment (servers, routers, switches, comm equipment, work stations, DASD, etc.) are protected by an Intrusion Detection System (IDS) unless continually occupied. (CAT I)
2. Where IDS is being used, check to ensure that its use is supported by both a RISK ASSESSMENT and a SECURITY-IN-DEPTH DETERMINATION (the Security-In-Depth Determination must be IN WRITING by the C/S/A senior agency (security) official) that specifically addresses the secure room or open storage space. (CAT II)

TACTICAL ENVIRONMENT: This check is applicable where Secure Rooms are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-49187r770064_fix

1. All secure rooms (AKA: collateral classified open storage areas) that afford access to classified SIPRNet equipment (servers, routers, switches, comm equipment, work stations, DASD...) must be protected by an Intrusion Detection System (IDS) unless continuously occupied.
   IMPORTANT NOTE: Random checks not exceeding 4 hours are an allowable alternative to IDS ONLY if supported by a valid risk assessment and security-in-depth. Random checks and risk analysis are each covered as separate requirements elsewhere in this document. This particular requirement for IDS is Not Applicable (NA) if random checks are properly conducted and are supported by the risk analysis and security-in-depth approved by the senior agency (security) official in writing.
2. Prior to the installation of an IDS, the site must perform a risk analysis to determine the threat, vulnerabilities, security-in-depth countermeasures, the acceptability of risk, potential cost savings, procedural requirements, and potential cost of additional manpower associated with random checks of each secure room as an alternative to IDS.
3. Security-in-Depth for each secure room must be approved *in writing* by the CC/S/A senior agency official (senior official for security).

In summary: An IDS must be used as a supplemental protective measure AND it must be supported both by a valid risk assessment AND security-in-depth as approved in writing by the senior agency official.

Information Security (INFOSEC) - Secure Room Storage Standards - Balanced Magnetic Switch (BMS) on Perimeter Doors
High - V-245802 - SV-245802r822854_rule
RMF Control
Severity
High
CCI
Version
IS-02.01.08
Vuln IDs
  • V-245802
  • V-31275
Rule IDs
  • SV-245802r822854_rule
  • SV-41542r3_rule
Failure to meet standards for ensuring that there is structural integrity of the physical perimeter surrounding a secure room (AKA: collateral classified open storage area) IAW DoD Manual 5200.01, Volume 3 could result in the undetected loss or compromise of classified material. When a physical Intrusion Detection System (IDS) is used as the supplemental protection measure (in lieu of 4-hour random checks) for secure rooms there is a requirement to place a Balanced Magnetic Switch (BMS) alarm contact on the primary ingress/egress door and any secondary/emergency exit doors. This alarm sensor is an essential part of any properly installed IDS and ensures that doors opened by force or that are left open are immediately detected. A BMS (AKA: triple biased alarm contact) is the most difficult door alarm contact to defeat and must be used in lieu of dual biased or simple alarm contacts.

REFERENCES:
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 24.j. and 34.
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-3, PE-5 and PE-6
DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Enclosure 3, paragraph 2.e.(4).
The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.43 Storage, (2) Secret.
DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 9. Intrusion Detection Systems.
Checks: C-49233r770066_chk

Where an IDS is used in lieu of 4-hour random checks for secure rooms or collateral classified open storage areas containing SIPRNet assets, each perimeter door (primary and secondary) shall be protected by a balanced magnetic switch (BMS) that meets the standards of UL 634.

NOTE: Ensure the alarm contact is an actual BMS, which is defined as a "Triple Biased" alarm contact. Introduction of a foreign magnet by an intruder in an attempt to defeat the BMS will result in an alarm being sent. Simple and Dual Biased contacts are not BMS; if used, they will result in a CAT II finding. Doors with no alarm contacts at all are a CAT I finding.

TACTICAL ENVIRONMENT: This check is applicable where Secure Rooms are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-49188r770067_fix

Where an IDS is used in lieu of 4-hour random checks, for secure rooms or collateral classified open storage areas containing SIPRNet assets, each perimeter door (primary and secondary) must be protected by a balanced magnetic switch (BMS) that meets the standards of UL 634. NOTE: The alarm contact must be an actual BMS, which is defined as a "Triple Biased" alarm contact. Introduction of a foreign magnet by an intruder in an attempt to defeat the BMS will result in an alarm being sent. Simple and Dual Biased contacts are not BMS and will result in a finding.

Information Security (INFOSEC) - Secure Room Storage Standards - Interior Motion Detection
High - V-245803 - SV-245803r822855_rule
RMF Control
Severity
High
CCI
Version
IS-02.01.09
Vuln IDs
  • V-245803
  • V-31276
Rule IDs
  • SV-245803r822855_rule
  • SV-41543r3_rule
Failure to meet standards for ensuring that there is structural integrity of the physical perimeter surrounding a secure room (AKA: collateral classified open storage area) IAW DoD Manual 5200.01, Volume 3 could result in the undetected loss or compromise of classified material. Motion detection located interior to secure rooms provides the most complete/overarching coverage of any Intrusion Detection System (IDS) alarm sensor. While most sensors like BMS alarm contacts, glass break detectors, etc. are only able to detect potential intrusion at specific locations, use of motion detection provides a capability to protect large areas with "blanket coverage" generally using fewer sensors.

Principles and considerations for "ideal" employment of motion sensors are:
- Consolidate critical assets in specific areas versus throughout a large room or facility. For instance, rather than having classified servers and equipment in multiple locations in a five-story facility (entirely designated for classified open storage), consolidate classified assets on a single floor or even an area on that floor. That might allow for reducing the space designated as classified open storage (AKA: secure room), reduce costs, and simplify protection of assets.
- Conversely, some would argue that dispersing assets over a larger area enhances security by not putting all critical assets in one place. This is true to an extent, especially if we are considering redundant assets for COOP / disaster recovery, but most often the reason for dispersing classified assets over large areas comes down to lack of foresight and planning.
- Cover avenues of approach in layers so you can detect initial breaches of secured space and subsequent movement within. This approach is actually very good if you have a timely response force available and you are protecting a large facility.
- Cover perimeter access points such as doors, windows, and openings greater than 96 sq. inches. Use of point sensors (BMS, vibration, etc.) is probably best in these situations, but supplementation by motion detection can be extremely effective.
- Cover areas that cannot be directly observed by employees from within or directly outside the protected space. For instance, in a secure room/area this might include areas above suspended ceilings, below raised floors, behind major pieces of equipment, or other things that cause significant obstruction of visual observation (especially along avenues of approach or along perimeter walls).
- Cover large open areas by careful placement of motion detection. Combinations of 360-degree and wall-mounted detectors, considering equipment racks, walls, avenues of approach, etc., can effectively cover larger areas with fewer sensors.
- Complete coverage of large areas and all avenues of approach is ideal, but often funds are limited and sensors cannot be employed to provide blanket coverage. In such instances there are two approaches that can be used:
  * One is to cover the most critical assets directly (e.g., classified DoDIN servers, routers, DASD and other major IT technology).
  * The second approach is to conduct an assessment of the space to determine the most effective employment of limited sensors, considering both avenues of approach and the actual location of critical assets in the space.

NOTE: The second approach can be incorporated under the process of conducting a risk assessment and in conjunction with a determination and approval of security-in-depth countermeasures from the Senior Agency Official (SAO). This risk-based approach is based directly on requirements from DoD Manual 5200.01, V3 and is in line with the current direction DoD is taking with regard to management of risk.

REFERENCES:
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 24.j. and 34.
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-3, PE-5 and PE-6
DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Enclosure 3, paragraph 1.b.(4)(a) and 2.e.(3) & (5).
The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.43 Storage, (2) Secret.
DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 9. Intrusion Detection Systems.
Checks: C-49234r770069_chk

The following applies where IDS is used in lieu of 4-hour random checks for secure rooms or collateral classified open storage areas containing SIPRNet assets:

Checks:
1. Check at sites where IDS is being used and:
   - There is NO RISK ASSESSMENT approved by the Component Authorizing Official (AO), or
   - The risk assessment does not specifically provide a detailed evaluation of the need for motion sensor employment, including a thorough assessment of the most effective and efficient methods for employment of motion detection, and/or
   - There is NO SECURITY-IN-DEPTH DETERMINATION IN WRITING by the CC/S/A Senior Agency Official (SAO) (Security/INFOSEC) that considers factors contained in the risk assessment and specifically focuses on the collateral classified secure room/open storage space.
   In these cases, check to ensure that secure rooms or areas where classified SIPRNet equipment and/or associated media are stored in the open are protected with interior motion detection sensors (e.g., ultrasonic and passive infrared) during times when the specific area containing the classified material is closed or not under continuous observation and control by a cleared employee. Use of dual technology sensors is authorized when one technology transmits an alarm condition independently from the other technology. A failed detector shall cause an immediate and continuous alarm condition. Employment of motion detectors need not cover 100% of the entire secure room space (although that is recommended) but shall minimally (directly) cover any SIPRNet assets (equipment or media) that are accessible (not stored within a GSA approved container (safe)) within the secure room or area.
2. Where a proper risk assessment signed by the AO, which specifically considers both the number and employment (positioning) of motion sensors in the secure room space, and a supporting Security-in-Depth Determination signed by the SAO are both available: Check that motion sensors are either employed to directly cover all areas within the secure room containing SIPRNet assets OR that motion sensors are employed in the secure room space as specifically detailed in the risk assessment.

NOTE: Unless adequately detailed and justified in the risk assessment, motion detectors placed to cover only doors that are protected with BMS alarm contacts are not sufficient to meet this requirement/check.

TACTICAL ENVIRONMENT: This check is applicable where Secure Rooms are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-49189r770070_fix

Compliance with the following two considerations is required where an IDS is used in lieu of 4-hour random checks for secure rooms or collateral classified open storage areas containing SIPRNet assets:

1. Where IDS is being used BUT there is NO RISK ASSESSMENT approved by the Component Authorizing Official (AO) and/or NO SECURITY-IN-DEPTH DETERMINATION IN WRITING by the CC/S/A Senior Agency Official (SAO) (Security/INFOSEC) that specifically addresses the secure room or open storage space, OR the risk assessment does not specifically provide for a detailed evaluation of the need for motion sensor employment, including a thorough assessment of the most effective and efficient methods for employment of motion detection: Secure rooms or areas where classified SIPRNet equipment and/or associated media are stored in the open must be protected with interior motion detection sensors (e.g., ultrasonic and passive infrared) when the specific area containing the classified material is closed or not under continuous observation and control of a cleared employee. Use of dual technology is authorized when one technology transmits an alarm condition independently from the other technology. A failed detector shall cause an immediate and continuous alarm condition. Employment of motion detectors need not cover 100% of the entire secure room space (although that is recommended) but shall minimally (directly) cover any SIPRNet assets (equipment or media) that are accessible (not stored within a GSA approved container (safe)) within the secure room or area.
2. At a minimum, all SIPRNet connected equipment must be directly covered by motion sensors OR motion sensors must be employed in the secure room space as "specifically detailed" in the risk assessment, which is approved by the Component Authorizing Official (AO).

Unless adequately detailed in the risk assessment, motion detectors placed to cover only doors that are protected with BMS alarm contacts are not sufficient to meet this requirement/check.

Information Security (INFOSEC) - Secure Room Storage Standards - Four (4) Hour Random Checks in Lieu of Using Intrusion Detection System (IDS)
High - V-245804 - SV-245804r822856_rule
RMF Control
Severity
High
CCI
Version
IS-02.01.10
Vuln IDs
  • V-245804
  • V-31278
Rule IDs
  • SV-245804r822856_rule
  • SV-41545r3_rule
Failure to meet standards for ensuring that there is structural integrity of the physical perimeter surrounding a secure room (AKA: collateral classified open storage area) IAW DoD Manual 5200.01, Volume 3 could result in the undetected loss or compromise of classified material. Using a physical intrusion detection system enables immediate detection of attempted and/or actual intrusion into a secure room space. This is often the best supplemental protective measure (vice using 4-hour random checks) due to providing capability for immediate detection, and for immediate response to assess and counter the threat to the secure room space. Use of 4-hour checks may be adequate if supported by a risk assessment, but will not provide the immediate detection and response capability of a properly installed IDS. It is required that a risk assessment be conducted to determine which of the two intrusion detection methods (use of IDS OR 4-hour random checks) is appropriate for any particular location. If the risk assessment results in a determination that use of 4-hour random checks is the most cost efficient supplemental control (vice IDS) to protect SIPRNet assets contained in secure rooms, the manner in which the checks are conducted can greatly impact the effectiveness of the checks. Thorough physical checks conducted on a frequent basis can reduce the time between an attempted or actual intrusion and the time of discovery during random checks.

REFERENCES:
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 24.j. and 34.
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-3, PE-5 and PE-6
DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Enclosure 3, paragraph 3.b.(3)(a) and 4.
The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: Subpart E - Safeguarding. paragraph 2001.40 General. (b) and paragraph 2001.43 Storage, (2) Secret.
DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, paragraph 5-306. Closed Areas.; paragraph 5-307 Supplemental Protection. b. & c.; *paragraphs 8-102., 8-201. & 8-301.e. (*for risk assessment requirements)
Checks: C-49235r770072_chk

Background: This check is concerned with using random checks as the required supplemental control of secure room/collateral classified open storage area space (containing SIPRNet assets) instead of IDS.

Checks:
Check #1. Use of random checks in lieu of IDS must be supported by a valid risk assessment (addressing each secure room or area) that specifically considers the threat, vulnerabilities, security-in-depth countermeasures, acceptability of risk, potential cost savings, procedural requirements, and potential cost of additional manpower associated with random checks of the secure areas as an alternative to IDS.
Check #2. The frequency of random checks shall not exceed 4 hours when the secure area space is not attended.
Check #3. Checks must be conducted by guards/employees who are cleared to at least the Secret level.
Check #4. Checks will be conducted of each door (primary and all secondary), each window, and each opening exceeding 96 square inches (which are required to be protected with either bars, expanded metal grills, or commercial metal sound baffles) to ensure they are properly secured. Additionally, all traversable space surrounding the exterior of the Secure Room should be viewed by the checker by walking around the entire perimeter.
Check #5. Checks must be supported by written procedures/instructions for the checkers, and results of checks must be recorded.
Check #6. Locally developed checklists or the Standard Form (SF) 701 must be used to document checks. Completed checklists should be maintained on hand for at least 90 days as an audit trail, or indefinitely if discrepancies were noted during any checks.

It is important to note that random checks are an allowable alternative to IDS *ONLY* if supported by a valid risk assessment AND security-in-depth countermeasures as determined in writing by the C/S/A senior security official. Otherwise this is a finding. Use of IDS and risk analysis are each covered as separate checks elsewhere in this document. This particular check (random checks of secure rooms) is Not Applicable (NA) if IDS is used.

In summary, this check must validate that random checks not exceeding 4 hours are being used AND that they are supported by a valid risk assessment along with security-in-depth countermeasures.

TACTICAL ENVIRONMENT: This check is applicable where Secure Rooms are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-49190r770073_fix

Background: This requirement is concerned with using random checks as the required supplemental control of secure room/collateral classified open storage area space (containing SIPRNet assets) instead of IDS.

Fixes:
1. Use of random checks in lieu of IDS must be supported by a valid risk assessment (addressing each secure room or area) that specifically considers the threat, vulnerabilities, security-in-depth countermeasures, acceptability of risk, potential cost savings, procedural requirements, and potential cost of additional manpower associated with random checks of the secure areas as an alternative to IDS.
2. The frequency of random checks must not exceed 4 hours when the secure area space is not attended.
3. Checks must be conducted by guards/employees who are cleared to at least the Secret level.
4. Checks must be conducted of each door (primary and all secondary), each window, and each opening exceeding 96 square inches (which are required to be protected with either bars, expanded metal grills, or commercial metal sound baffles) to ensure they are properly secured. Additionally, all traversable space surrounding the exterior of the Secure Room must be viewed by the checker by walking around the entire perimeter.
5. Checks must be supported by written procedures/instructions for the checkers, and results of checks must be recorded.
6. Locally developed checklists or the Standard Form (SF) 701 must be used to document checks. Completed checklists should be maintained on hand for at least 90 days as an audit trail, or indefinitely if discrepancies were noted during any checks.

It is important to note that random checks are an allowable alternative to IDS *ONLY* if supported by a valid risk assessment AND security-in-depth countermeasures as determined in writing by the CC/S/A senior agency official (SAO) (INFOSEC). Not meeting this requirement will result in a finding. Use of IDS and risk analysis are each covered as separate checks elsewhere in this document. This particular requirement (random checks of secure rooms) is Not Applicable (NA) if IDS is used.

In summary, this requirement is intended to implement and validate that random checks not exceeding 4 hours are being used AND that they are supported by a valid risk assessment along with security-in-depth countermeasures.

Vault/Secure Room Storage Standards - IDS Transmission Line Security
High - V-245805 - SV-245805r822857_rule
RMF Control
Severity
High
CCI
Version
IS-02.01.11
Vuln IDs
  • V-245805
  • V-31284
Rule IDs
  • SV-245805r822857_rule
  • SV-41552r3_rule
Failure to meet standards for ensuring integrity of the intrusion detection system signal transmission supporting a secure room (AKA: collateral classified open storage area) containing SIPRNet assets could result in the undetected loss or compromise of classified material.

REFERENCES:
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34.
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-3, PE-5 and PE-6
DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Enclosure 3, paragraph 2.d.(1) and (2).
DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, paragraph 5-904.
Checks: C-49236r770075_chk

Explanation of requirement: Transmission lines used to carry IDS sensor alarm signals between secure rooms or areas containing SIPRNet assets and IDS monitoring equipment shall have line supervision. If all portions of an IDS transmission line (protecting SIPRNet assets) are run within secret or higher secure area space or secret or higher controlled access area (CAA) spaces, it will not require line supervision.

Check: Check that Class I or Class II line supervision is being used IAW DoD Manual 5200.01, with the exception of portions of the transmission line running entirely through spaces or areas where unescorted access is controlled to at least the Secret level. In summary, if portions of the transmission line run through spaces or areas where unescorted access is not controlled to at least the Secret level, it will require line supervision. The check and verification of line supervision can be obtained by viewing IDS specifications from the vendor, or by conducting a controlled test of a transmission line/signal.

TACTICAL ENVIRONMENT: This check is applicable where Vaults/Secure Rooms are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-49191r770076_fix

Explanation of requirement: Transmission lines used to carry IDS sensor alarm signals between secure rooms or areas containing SIPRNet assets and IDS monitoring equipment shall have line supervision. If all portions of an IDS transmission line (protecting SIPRNet assets) are run within secret or higher secure area space or secret or higher controlled access area (CAA) spaces, it will not require line supervision.

Fix: Class I or Class II line supervision must be used IAW DoD Manual 5200.01 for protection of IDS transmission line signals, with the exception of portions of the transmission line running entirely through spaces or areas where unescorted access is controlled to at least the Secret level. In summary, if portions of the transmission line run through spaces or areas where unescorted access is not controlled to at least the Secret level, it requires line supervision. Verification of line supervision can be obtained by viewing IDS specifications from the vendor, or by conducting a controlled test of a transmission line/signal.

Vault/Secure Room Storage Standards - IDS Access/Secure Control Units Must be Located within the Secure Room Space
High - V-245806 - SV-245806r822858_rule
RMF Control
Severity
High
CCI
Version
IS-02.01.12
Vuln IDs
  • V-245806
  • V-31292
Rule IDs
  • SV-245806r822858_rule
  • SV-41563r3_rule
Failure to ensure that IDS Access and Secure Control Units used to activate and deactivate alarms (primarily motion detectors) within vaults or secure rooms protecting SIPRNet assets are located within the confines of the vault or secure room near the primary ingress/egress door could result in the observation of the access/secure code by an unauthorized person. Further, the control units would be more exposed, with a greater possibility of tampering, outside the more highly protected space of a secure room/collateral classified open storage area. This could result in the undetected breach of secure room space and the loss or compromise of classified information or materials.

REFERENCES:
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34.
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-3, PE-5 and PE-6
DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Enclosure 3, paragraph 2.e.(2).
DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, paragraph 5-902.d.
Checks: C-49237r770078_chk

Requirement Explanation: Alarm sensor control units must be located inside the secure area and should be located near the primary entrance for ease of accessing and securing alarm sensors in the space. Only assigned personnel with proper security clearances and need-to-know should initiate changes in access and secure status.

Check: Check to ensure that no capability exists to allow changing the access/secure status of the IDS from a location outside the protected area (secure room or vault).

TACTICAL ENVIRONMENT: This check is applicable where Vaults/Secure Rooms are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-49192r770079_fix

No capability must exist to allow for changing the access/secure status of the IDS from a location outside the protected area (secure room or vault). Alarm sensor control units must be located inside the secure area and should be located near the primary entrance for ease of accessing and securing alarm sensors in the space. Only assigned personnel with proper security clearances and need-to-know should initiate changes in access and secure status.

Information Security (IS) - Continuous Operations Facility: Access Control Monitoring Methods
High - V-245807 - SV-245807r822860_rule
RMF Control
Severity
High
CCI
Version
IS-02.01.13
Vuln IDs
  • V-245807
  • V-31294
Rule IDs
  • SV-245807r822860_rule
  • SV-41565r3_rule
Failure to control door access to a Continuous Operations Facility containing classified SIPRNET assets may result in immediate and potentially undetected access to classified information, with no capability to immediately alert response forces. Ultimately this could result in the undetected loss or compromise of classified material.

USE CASE EXPLANATION: A Continuous Operations Facility functions 24/7 and contains classified SIPRNet equipment and/or media. It often does not meet all the physical and/or procedural requirements of a vault or secure room (AKA: collateral classified open storage area) and the classified equipment and/or media may not be stored in an approved safe when not in use. Examples of such facilities are Emergency Operations Centers (EOC), Information System Monitoring Centers, Trouble Desk Centers, etc. All standards for access control monitoring for Continuous Operations Facilities are found in the DoD Manual 5200.01, V3 and this STIG Requirement/Rule provides additional clarification and implementation standards for all Continuous Operations Facilities containing SIPRNet assets.

Continuous Operations Facilities are not routinely closed and secured after normal business hours and reopened at the beginning of normal workdays. A CONTINUOUS OPERATIONS FACILITY MUST BE CONTINUOUSLY OCCUPIED at all times, OR IT MUST MEET ALL PHYSICAL STRUCTURAL AND PROCEDURAL STANDARDS FOR A SECURE ROOM AND BE SECURED (*using an approved FF-L-2740 combination lock) DURING PERIODS WHEN IT IS NOT OCCUPIED. It is not necessary to activate the supplemental controls (IDS or 4-hour checks) when securing the facility using the FF-L-2740 lock during working hours. However, this must be done if the facility is formally closed at any time and will include End-of-Day (EOD) checks. A "facility" can be a single room or a larger contiguous area, often (but not always) without Federal Specification FF-L-2740 combination locks on the primary access door.

Continuous Operations area access control procedures must meet the requirements herein even where the surrounding area is continuously occupied. Continuous Operations (again, continuous occupancy) minimizes or eliminates the need for/use of certain security measures such as FF-L-2740 combination locks, standard door locks, IDS, 4-hour guard checks, etc. Where there is a Continuous Operations Facility there should be demonstrated mission need for continuous occupation of the "specific" room or area containing the classified SIPRNet assets. A justification that the surrounding building or facility is continuously occupied is not acceptable. If this is observed, reviewers should consider the possibility that the stated requirement for a Continuous Operations Facility is being used to cover deficiencies with what should legitimately be established as a secure room or vault. In such cases the use of Traditional Security STIG Requirements and applicable physical and procedural standards for vaults and/or secure rooms may be more appropriate, resulting in findings under those Requirements. A Continuous Operations Facility containing classified materials is most appropriate when it is continuously occupied by properly cleared employees (or others with security clearance and a need-to-know) who are capable of controlling or monitoring ingress and egress from within the area. This provides the most legitimate justification for using a Continuous Operations Facility vice using a properly constructed and access controlled vault or secure room (AKA: collateral classified open storage area). Convenience and ease of access is not proper justification for a Continuous Operations Facility.

Continuous Operations Facility door control may be accomplished multiple ways. There are five main types of access control methods listed below. One or more of the five methods may apply to any facility. Each access point must comply with one or more of the methods of access control for 24 hours of each operational day. Any deficiency for any facility access point (even for a portion of the day for an access point) will result in a finding under this STIG rule. All Continuous Operations Facilities access points should be checked for proper access control according to the type of access control method(s) implemented. Direct access control monitoring for both occupied and unoccupied Continuous Operations Facilities is conducted by cleared employees, guards or receptionists located inside the area or directly outside the area. A properly configured Automated Entry Control System (AECS) or continuously monitored Closed Circuit Television (CCTV) are the only options for indirect monitoring of Continuous Operations Facilities.

The five basic methods for controlling access to Continuous Operations Facilities are:
1. Method #1: Use of an Automated Entry Control System (AECS) Card Reader with Biometrics or Personal Identification Number (PIN)
2. Method #2: Access Continually Monitored by Occupants (Cleared Employees) of the Continuous Operations Facility - all doors NOT visible
3. Method #3: Access Monitored by Occupants (Cleared Employees) of the Continuous Operations Facility - all doors are visible
4. Method #4: Access Monitored by Employees Directly Outside the Open Storage Space - all doors MUST BE visible
5. Method #5: Access Monitored by Closed Circuit Television (CCTV) reporting to a Central Monitoring Station Staffed 24/7 by cleared Guards or Other cleared Security Professionals - each individual door MUST HAVE a CCTV camera(s)

Normally only one method of access control will be applicable to a specific Continuous Operations Facility; however, there may be situations where more than one approved method is being used at a single facility. For instance, an Automated Entry Control System (AECS) with card reader and PIN may be used to secure the access door while there are also employees located inside the room who can monitor and control access. In situations where multiple methods are found, reviewers need only choose one of the five to evaluate compliance and its effectiveness of access control to the Continuous Operations Facility. If one of the methods is found to be totally compliant while others in use contain deficiencies, the method that is 100% compliant should be selected for use during the review. In the example just provided, if the room is only occupied by one employee who is monitoring access and during breaks or for other reasons exits the room for periods of time, this would cause a significant deficient condition since the access door is not continuously monitored by the employee. Therefore using the AECS as the method to evaluate access control for the Continuous Operations Facility would likely be selected since it appears to be (and for this example we will assume) 100% compliant.

There is also a possibility that multiple Continuous Operations Facilities could be found at a particular site location (even in the same building) that are using different methods to control access. Once again, multiple methods of access control from the list of five could be selected for the evaluation, based on the access control methods actually being used for the various 24/7 Continuous Operations Facilities. Once the applicable Continuous Operations Facility access control methods that apply to each of the Continuous Operations Facilities at the site are selected, the site must comply with all of the individual checks for the selected method(s). Specific checks for requirements associated with a method of access control are found in the Check Content information field. If there is no Continuous Operations Facility at a particular site this Requirement is Not Applicable (NA) for a review.

REFERENCES:
The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.43 Storage, (2) Secret.
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 24.j. and 34.
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-2, PE-3, PE-5 and PE-6
DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Specific paragraph references are individually annotated with each specific check - under the "Checks" section.
DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, paragraphs 5-306, 5-312, 5-313, 5-314
Checks: C-49238r822859_chk

Unless otherwise indicated all the paragraph citations preceding each check are from DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information.

The following set of 5 checks for Continuous Operations Access Control Monitoring Method #1 is to be used when an Automated Entry Control System (AECS) Card Reader with Biometrics or Personal Identification Number (PIN) is the primary means of access control to the Continuous Operations Facility:

Method 1/Check #1. Appendix to Enclosure 3, para 3.a.(2)(a); para 3.a.(2)(b); para 3.a.(3); para 3.a.(4) -- Check to ensure an Automated Entry Control System (AECS) is used that incorporates a coded ID card or badge PLUS either a PIN or Biometrics on both the primary entrance and all secondary doors that may be used for continuous or intermittent access to the secure room space. (CAT I)

Method 1/Check #2. Appendix to Enclosure 3, para 2.d.(6); para 2.f.(2) & para 3.a. -- Check to ensure the AECS is controlled and monitored at a continuously manned central monitoring station. (CAT I)

Method 1/Check #3. Enclosure 3, para 3 & para 12; Appendix to Enclosure 3, para 2.e(6); Enclosure 2, para 2 -- If there is no IDS employed (*which must be based on a documented risk assessment) on doors or other man-passable openings: Check to ensure the 24/7 secure rooms or collateral secret open storage areas (containing SIPRNet equipment) are continuously occupied by at least one properly cleared employee. (CAT I)

Method 1/Check #4. Appendix to Enclosure 3, para 2.e(6) -- If there is no Intrusion Detection System (IDS) employed in the Continuous Operations Facility: Check to ensure that a duress device is available for occupants inside the facility, IF DETERMINED NECESSARY BY A DOCUMENTED RISK ASSESSMENT (RA). If there is no duress device and no RA to validate that there is no need for duress, it is a finding. (CAT II)

Method 1/Check #5. Enclosure 3, para 3.b.(3)(a) & (b) -- Where there is no IDS employed in the Continuous Operations Facility and ALL classified (SIPRNet) equipment, devices and media are not under the direct continuous observation and control of area occupants (CLEARED EMPLOYEES): Check to ensure a system of checks of classified assets (especially SIPRNet connected assets) internal to the Continuous Operations Facility, not exceeding 4 hours, is established and conducted. (CAT I)

The following set of 6 checks for Continuous Operations Access Control Monitoring Method #2 is to be used when Access is Continuously Monitored by Occupants (Cleared Employees) of the Continuous Operations Facility - all doors are NOT visible - is the primary means of access control to the Continuous Operations Facility:

Method 2/Check #1. Appendix to Enclosure 3, para 2.e(6) -- When cleared occupants cannot directly and continuously observe all potential entrances into the room, check to ensure an open door alerting system is used to alert occupants of the 24/7 continuous operations. The alerting system MUST cover all access points that cannot be observed by occupants including the primary entrance and all secondary doors that could be used for continuous or intermittent access. (CAT I)

Method 2/Check #2. Enclosure 3, para 3 & para 12; Appendix to Enclosure 3, para 2.e(6); Enclosure 2, para 2 -- Check to ensure the 24/7 Continuous Operations Facility is "continuously occupied" by at least one properly cleared employee. (CAT I)

Method 2/Check #3. Appendix to Enclosure 3, para 3.a.(2)(a); para 3.a.(2)(b); para 3.a.(3); para 3.a.(4) -- On those doors not visible to cleared occupants: Check to ensure that an Automated Entry Control System (AECS) is used that incorporates both a coded ID card or badge plus either a PIN or Biometrics. This requirement is for all doors that are not continuously visible including the primary entrance and all secondary doors that may be used for continuous or intermittent access. (CAT I)

Method 2/Check #4. Appendix to Enclosure 3, para 3.a. & para 3.c. -- Check to ensure doors that are continuously visible to cleared occupants are access controlled minimally by either an AECS using swipe or proximity cards (*not required to have PIN or biometric verification) OR by Electric, Mechanical, or Electromechanical Access Control Devices IAW the specifications of DoD Manual 5200.01, Volume 3, Appendix to Enclosure 3, para 3.c. (CAT I)

Method 2/Check #5. Appendix to Enclosure 3, para 2.e(6) -- If there is no IDS employed in the Continuous Operations Facility: Check to ensure that a duress device is available for occupants inside the facility, IF DETERMINED NECESSARY BY A DOCUMENTED RISK ASSESSMENT (RA). If there is no duress device and no RA to validate that there is no need for duress, it is a finding. (CAT II)

Method 2/Check #6. Enclosure 3, para 3.b.(3)(a) & (b) -- Where there is no IDS employed in the Continuous Operations Facility and ALL classified (SIPRNet) equipment, devices and media are not under the direct continuous observation and control of area occupants (CLEARED EMPLOYEES): Check to ensure a system of checks of classified assets (especially SIPRNet connected assets) internal to the Continuous Operations Facility, not exceeding 4 hours, is established and conducted. (CAT I)

The following set of 5 checks for Continuous Operations Access Control Monitoring Method #3 is to be used when Access is Monitored by Occupants (Cleared Employees) of the Continuous Operations Facility and all doors are visible - is the primary means of access control to the Continuous Operations Facility:

Method 3/Check #1. Enclosure 3, para 12; Appendix to Enclosure 3, para 3.a -- Check to ensure that cleared employees who work in the space just inside the Continuous Operations Facility have continuous visual observation of the primary entrance and all secondary doors that may be used for continuous or intermittent access. (CAT I)

Method 3/Check #2. Enclosure 3, para 3 & para 12; Appendix to Enclosure 3, para 2.e(6); Enclosure 2, para 2 -- Check to ensure the 24/7 Continuous Operations Facility is "continuously occupied" by at least one properly cleared employee. (CAT I)

Method 3/Check #3. Appendix to Enclosure 3, para 3.a. & para 3.c. -- Check to ensure doors that are continuously visible to cleared occupants are access controlled minimally by either an AECS using swipe or proximity cards (*not required to have PIN or biometric verification) OR by Electric, Mechanical, or Electromechanical Access Control Devices IAW the specifications of DoD Manual 5200.01, Volume 3, Appendix to Enclosure 3, para 3.c. (CAT I)

Method 3/Check #4. Appendix to Enclosure 3, para 2.e(6) -- If there is no IDS employed in the Continuous Operations Facility: Check to ensure that a duress device is available for occupants inside the facility, IF DETERMINED NECESSARY BY A DOCUMENTED RISK ASSESSMENT (RA). If there is no duress device and no RA to validate that there is no need for duress, it is a finding. (CAT II)

Method 3/Check #5. Enclosure 3, para 3.b.(3)(a) & (b) -- Where there is no IDS employed in the Continuous Operations Facility and ALL classified (SIPRNet) equipment, devices and media are not under the direct continuous observation and control of area occupants (CLEARED EMPLOYEES): Check to ensure a system of checks of classified assets (especially SIPRNet connected assets) internal to the Continuous Operations Facility, not exceeding 4 hours, is established and conducted. (CAT I)

The following set of 5 checks for Continuous Operations Access Control Monitoring Method #4 is to be used when Access is Monitored by Cleared Employees Directly Outside the Continuous Operations Facility - all doors MUST BE visible - is the primary means of access control to the Continuous Operations Facility:

Method 4/Check #1. Appendix to Enclosure 3, para 3.a. -- Check to ensure that cleared employees who work in the space just outside the Continuous Operations Facility (containing SIPRNet equipment) are providing continuous visual observation of the primary entrance and all secondary doors that may be used for continuous or intermittent access. They must be continuously present with no gaps in coverage. (CAT I)

Method 4/Check #2. Appendix to Enclosure 3, para 3.a. -- Check to ensure that cleared employees working outside the Continuous Operations Facility are located directly adjacent to a particular door or set of doors being monitored and are informed concerning their specific responsibilities for monitoring door security/access control. Written procedures must be available to substantiate this. (CAT II)

Method 4/Check #3. Appendix to Enclosure 3, para 3.a. & para 3.c. -- Check to ensure doors that are continuously visible and controlled by cleared employees directly outside the Continuous Operations Facility are access controlled minimally by either an AECS using swipe or proximity cards (*not required to have PIN or biometric verification) OR by Electric, Mechanical, or Electromechanical Access Control Devices IAW the specifications of DoD Manual 5200.01, Volume 3, Appendix to Enclosure 3, para 3.c. (CAT I)

Method 4/Check #4. Appendix to Enclosure 3, para 2.e(6) -- If there is no IDS employed in the Continuous Operations Facility: Check to ensure that a duress device is available for cleared employees monitoring door access from outside the facility, IF DETERMINED NECESSARY BY A DOCUMENTED RISK ASSESSMENT (RA). If there is no duress device and no RA to validate that there is no need for duress, it is a finding. (CAT II)

Method 4/Check #5. Enclosure 3, para 3.b.(3)(a) & (b) -- Where there is no IDS employed in the Continuous Operations Facility and ALL classified (SIPRNet) equipment, devices and media are not under the direct continuous observation and control of occupants within the facility (CLEARED EMPLOYEES): Check to ensure a system of checks of classified assets (especially SIPRNet connected assets) internal to the Continuous Operations Facility, not exceeding 4 hours, is established and conducted. (CAT I)

The following set of 6 checks for Continuous Operations Access Control Monitoring Method #5 is to be used when Access is Monitored by Closed Circuit Television (CCTV) reporting to a Central Monitoring Station Staffed 24/7 by cleared Guards or Other cleared Security Professionals - all doors MUST HAVE CCTV cameras - is the primary means of access control to the Continuous Operations Facility:

Method 5/Check #1. Enclosure 3, para 12; Appendix to Enclosure 3, para 3.a.; para 2.d.(6) & para 2.f.(2) -- Check to ensure ALL doors (primary and secondary) are actively monitored via CCTV by cleared guards at a central monitoring facility. (CAT I)

Method 5/Check #2. Appendix to Enclosure 3, 3.a.(7) -- Check to ensure that CCTV activity is recorded and maintained on file for a minimum of 90 days. (CAT II)

Method 5/Check #3. Enclosure 3, para 12; Appendix to Enclosure 3, para 3.a. & para 2.f.(2) -- Check to ensure that guards are continuously present at the monitoring location and informed concerning their specific responsibilities for monitoring and responding to potential unauthorized attempts to breach the Continuous Operations Facility. Written procedures must be available. (CAT I)

Method 5/Check #4. Enclosure 3, para 3 & para 12; Appendix to Enclosure 3, para 2.e(6); Enclosure 2, para 2 -- Check to ensure the 24/7 Continuous Operations Facilities are continuously occupied by at least one properly cleared employee. (CAT I)

Method 5/Check #5. Appendix to Enclosure 3, para 3.a. & para 3.c. -- Check to ensure doors that are continuously visible and controlled by CCTV from directly outside the Continuous Operations Facility are access controlled minimally by either an AECS using swipe or proximity cards (*not required to have PIN or biometric verification) OR by Electric, Mechanical, or Electromechanical Access Control Devices IAW the specifications of DoD Manual 5200.01, Volume 3, Appendix to Enclosure 3, para 3.c. (CAT I)

Method 5/Check #6. Enclosure 3, para 3.b.(3)(a) & (b) -- Where there is no IDS employed in the Continuous Operations Facility and ALL classified (SIPRNet) equipment, devices and media are not under the direct continuous observation and control of occupants within the facility (CLEARED EMPLOYEES): Check to ensure a system of checks of classified assets (especially SIPRNet connected assets) internal to the Continuous Operations Facility, not exceeding 4 hours, is established and conducted. (CAT I)

TACTICAL ENVIRONMENT: The 5 sets of monitoring methods and associated checks are applicable where Continuous Operations Facilities are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-49193r770082_fix

Continuous Operations Facilities storing classified SIPRNet assets in the open are not routinely opened or closed using Federal Specification FF-L-2740 combination locks due to being continuously occupied by cleared employees or due to very frequent access requirements for operational reasons. As applicable to the operating environment at a particular site/location, select one or more of the five Methods of Access Control to be used for 24/7 Continuous Operations Facilities. The five methods of access control along with specific requirements/checks are found in the Check Content of this Requirement. More than one method of access control might apply to a particular Continuous Operations Facility or to multiple Continuous Operations Facilities at a single site/location. Based on the access control method(s) used for each individual Continuous Operations Facility at a site, comply with all of the requirements detailed in all of the individual checks applicable to the selected method(s) of access control. Compliance with at least one complete set of checks applicable to a particular method of access control is required for each Continuous Operations Facility.

Vault/Secure Room Storage Standards - Access Control During Working Hours Using Visual Control OR Automated Entry Control System (AECS) with PIN / Biometrics
High - V-245808 - SV-245808r822862_rule
RMF Control
Severity
High
CCI
Version
IS-02.01.14
Vuln IDs
  • V-245808
  • V-31529
Rule IDs
  • SV-245808r822862_rule
  • SV-41811r3_rule
Failure to properly monitor and control collateral classified open storage area access doors during working hours (while the FF-L-2740 combination lock is not secured) could result in an undetected perimeter breach and limited or no capability to immediately notify response forces. Ultimately this could result in the undetected loss or compromise of classified material. Entrances to secure rooms or areas (and/or vaults that are opened for access) must be under visual control at all times during duty hours to prevent entry by unauthorized personnel. This may be accomplished by several methods (e.g., employee work station, guard, continuously monitored CCTV). An automated entry control system (AECS) may be used to control admittance during working hours instead of visual control, if it meets certain criteria* and if the room or area is continuously occupied by at least one properly cleared person.

REFERENCES:
The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.43 Storage, (2) Secret.
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 24.j. and 34.
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-2, PE-3, PE-5 and PE-6
DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Enclosure 3, paragraph 12 and Appendix to Enclosure 3, paragraphs 3.a. and 3.c.
DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, paragraphs 5-306, 5-312, 5-313, 5-314
Checks: C-49239r822861_chk

Background Information and Requirements Summary:
1. The FF-L-2740 combination lock securing the primary access door for vaults and secure rooms (AKA: collateral classified open storage areas) may be opened at the beginning of normal duty hours and left unlocked for frequent employee access only if the entrance is properly monitored and controlled. The combination lock will be secured at the end of normal duty hours and interior motion alarms (if used) activated.
2. Entrances to vaults, secure rooms or collateral classified open storage areas must be under visual control at all times during duty hours to prevent entry by unauthorized personnel.
3. An Automated Entry Control System (AECS) may be used to monitor and control admittance during working hours instead of visual control, if it consists of a swipe or proximity coded card and reader, supplemented by the use of a Personal Identification Number (PIN) or by use of Biometric readers (fingerprints, retina scanner, etc.). Additionally, the secure room or classified storage area must be occupied by cleared employees OR under direct visual control from just outside the room or area. Use of an Automated Entry Control System (AECS) alone may not be used to meet this standard. Use of an AECS to control and monitor access requires the room or area be occupied by at least one properly cleared person.
4. Visual monitoring or control of secure room access points may be accomplished by several methods (e.g., employee work station, guard, "continuously monitored" CCTV). Employee monitoring may be conducted by cleared employees within the secure room space who can observe all entrances; employees located just outside the secure room adjacent to an entrance may also "actively" monitor access. If CCTV is used to monitor, the CCTV cameras must cover all potential entrances and send real time images back to a continuously manned monitoring station.
5. Regardless of the visual method used to monitor daytime access, a locking system for access control must still be used on the entrance to the secure area. The use of automated entry control systems (AECS with coded ID cards or badges) is encouraged. Supplementing the coded (swipe or proximity) cards or badges with a PIN or biometrics is not required if the entrances are properly monitored by visual means.
6. Access to secure areas may also be controlled by electric, mechanical or electro-mechanical access control devices to limit access during duty hours, but only if the entrance is also under continuous visual control.
7. IMPORTANT NOTE: Electrically actuated locks (e.g., cipher, proximity card and magnetic strip card locks) do not afford by themselves the required degree of protection for classified information and must not be used as a substitute for the combination locks meeting Federal Specification FF-L-2740.

CHECKS:
*If visual control methods are the primary means to monitor and control access during duty hours, use the following three checks to evaluate:

Check #1. Check to ensure that all possible primary or secondary entrances to vaults or secure rooms are continuously monitored by cleared employees or guards (inside or outside the room or area) or by CCTV, whenever the FF-L-2740 combination lock is disengaged for daytime or other routine access. (CAT I)

Check #2. Check to ensure that if CCTV is used it sends real time images to a continuously manned monitoring station. (CAT I)

Check #3. If CCTV is used to visually monitor the secure room or area and/or guards or other personnel are not physically controlling access: Check to ensure that access to a continuously (visually) monitored vault, secure room or collateral classified open storage area is controlled either by an Automated Entry Control System (AECS) using coded cards or badges (biometrics or PIN are not required) or by electric, mechanical or electro-mechanical access control devices to limit access during duty hours. (CAT I)
NOTE: Electric, mechanical or electro-mechanical access control devices may not be used to control access when the entrance(s) to the vault, secure room or area are not under continuous visual monitoring either directly by cleared employees at the entrance(s) or via CCTV. If using CCTV it must also be continuously monitored and recorded at an occupied monitoring station.

**If an Automated Entry Control System (AECS) is used to control access (without use of any authorized visual control methods), use the following seven checks to evaluate:

Check #1. Check to ensure the vault, secure room or area is continuously occupied by at least one properly cleared employee during working hours (when the FF-L-2740 combination lock is not engaged). (CAT I)

Check #2. Check to ensure the AECS identifies individuals and authenticates the person's authority to enter the area through the use of a coded identification (ID) badge or card. (CAT I)

Check #3. Check to ensure that in addition to the swipe or proximity card or badge a personal identification number (PIN) is used. This is required WHEN VISUAL (MONITORING) of the entrance IS NOT USED during working hours. (CAT II - when an AECS card and reader is used w/o PIN or biometrics)

Check #4. Check that the PINs are separately entered into the system by each individual using a keypad device and consist of four or more digits, randomly selected, with no known or logical association with the individuals. (CAT II - only when an AECS with card and PIN is used)

Check #5. Check to ensure there is a procedure to cover changing PINs when it is believed they have been compromised or subjected to compromise. (CAT III)

Check #6. Biometrics Devices, which identify an individual requesting access by some unique personal characteristic, such as Fingerprinting, Hand Geometry, Handwriting, Retina scans, or Voice recognition, may be used in conjunction with an ID badge or card in lieu of a PIN. (CAT II - when an AECS card and reader is used w/o PIN or biometrics)

Check #7. VERY IMPORTANT: Check to ensure that electric, mechanical or electro-mechanical access control devices such as Cipher locks ARE NOT USED to control access to vaults, secure rooms or areas when entrances are not under continuous visual control during working hours. Generally these locks do not provide the means for individual access codes and do not report to a central server or system monitor. Therefore they are permissible ONLY for access control to vaults, secure rooms and spaces when the entrance is under continuous visual control. (CAT I)

TACTICAL ENVIRONMENT: These checks are applicable where Vaults/Secure Rooms are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-49194r770085_fix

*If use of visual control methods is the primary means to control access during duty hours, use the following three fixes to comply with requirements:

1. All possible primary or secondary entrances to vaults or secure rooms must be continuously monitored by cleared employees or guards (inside or outside the room or area) or by CCTV, whenever the FF-L-2740 combination lock is disengaged for daytime or other routine access.

2. If CCTV is used it must send real time images to a continuously manned monitoring station.

3. Access to a continuously (visually) monitored vault, secure room or collateral classified open storage area must be controlled by an Automated Entry Control System (AECS) using coded cards or badges (biometrics or PIN are not required) or by electric, mechanical or electro-mechanical access control devices to limit access during duty hours.

**If an Automated Entry Control System (AECS) is used to control access (without use of any authorized visual control methods), use the following seven fixes to comply with requirements:

1. The vault, secure room or area must be continuously occupied by at least one properly cleared employee during working hours (when the FF-L-2740 combination lock is not engaged).

2. The AECS must identify individuals and authenticate the person's authority to enter the area through the use of a coded identification (ID) badge or card.

3. In addition to the swipe or proximity card or badge, a personal identification number (PIN) must be used. This is required WHEN VISUAL (MONITORING) CONTROLS of the entrance ARE NOT USED during working hours.

4. The PINs must be separately entered into the system by each individual using a keypad device and consist of four or more digits, randomly selected, with no known or logical association with the individuals.

5. There must be a procedure in place to cover changing PINs when it is believed they have been compromised or subjected to compromise.

6. Biometrics devices, which identify an individual requesting access by some unique personal characteristic, such as fingerprinting, hand geometry, handwriting, retina scans, or voice recognition, may be used in conjunction with an ID badge or card in lieu of a PIN.

7. VERY IMPORTANT: Electric, mechanical or electro-mechanical access control devices such as cipher locks MUST NOT BE USED to control access to secure rooms or areas that are not under continuous visual control during working hours. Generally these locks do not provide the means for individual access codes and do not report to a central server or system monitor. Therefore they are permissible ONLY for access control to secure rooms and spaces when the entrance is under continuous visual control.
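The AECS PIN rule in the checks and fixes above (four or more digits, randomly selected, no known or logical association with the individual) can be enforced at enrollment time rather than left to an inspector's interview. The following is an added example, not part of the STIG or of any AECS vendor's software; the CardHolder fields, the enrollment values and the set of sequences treated as "not random" are assumptions made for the demonstration:

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

MIN_PIN_DIGITS = 4  # STIG: "four or more digits"


@dataclass
class CardHolder:
    """Enrollment attributes an AECS might hold about a badge holder (hypothetical fields)."""
    employee_id: str
    birth_date: str                       # YYYYMMDD
    phone: str
    badge_number: str
    other_identifiers: list[str] = field(default_factory=list)  # e.g. office extension


def digit_windows(value: str) -> set[str]:
    """Every run of MIN_PIN_DIGITS or more consecutive digits in `value`, forwards and reversed.

    A PIN equal to any of these is 'logically associated' with the holder (birth year,
    MMDD, badge digits, phone fragment) and is therefore rejected.
    """
    windows: set[str] = set()
    for run in re.findall(r"\d+", value):
        for start in range(len(run) - MIN_PIN_DIGITS + 1):
            for end in range(start + MIN_PIN_DIGITS, len(run) + 1):
                windows.add(run[start:end])
                windows.add(run[start:end][::-1])
    return windows


def is_trivial_sequence(pin: str) -> bool:
    """True for PINs that are plainly not randomly selected (assumed rule set):
    one repeated digit (1111), a straight run (1234, 9876) or a repeated pair (1212)."""
    if len(set(pin)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):
        return True
    return len(pin) % 2 == 0 and pin[:2] * (len(pin) // 2) == pin


def check_pin(pin: str, holder: CardHolder) -> list[str]:
    """Return policy violations for a proposed PIN; an empty list means it is acceptable."""
    if not pin.isdigit():
        return ["PIN must consist of digits only"]
    findings: list[str] = []
    if len(pin) < MIN_PIN_DIGITS:
        findings.append(f"PIN has {len(pin)} digits; policy requires {MIN_PIN_DIGITS} or more")
    if is_trivial_sequence(pin):
        findings.append("PIN is a trivial sequence or repetition, not randomly selected")
    sources = [
        ("employee ID", holder.employee_id),
        ("birth date", holder.birth_date),
        ("phone", holder.phone),
        ("badge number", holder.badge_number),
    ] + [("other identifier", v) for v in holder.other_identifiers]
    for label, value in sources:
        if pin in digit_windows(value):
            findings.append(f"PIN is derived from the holder's {label}")
    return findings


def audit_enrollment(records: list[tuple[str, CardHolder]]) -> dict[str, list[str]]:
    """Run check_pin over (pin, holder) pairs; report only holders whose PIN fails."""
    return {
        holder.employee_id: findings
        for pin, holder in records
        if (findings := check_pin(pin, holder))
    }


if __name__ == "__main__":
    # Constructed enrollment data for the demonstration.
    holder = CardHolder("E0457123", "19850312", "2025550147", "004512", ["4471"])
    for candidate in ("1985", "0312", "1234", "4512", "4471", "7391"):
        print(candidate, check_pin(candidate, holder) or "acceptable")
```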

Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) and Intrusion Detection System (IDS) Head-End Equipment Protection: The physical location (room or area) containing AECS and IDS head-end equipment (server and/or work station/monitoring equipment) where authorization, personal identification or verification data is input, stored, or recorded and/or where system status/alarms are monitored must be physically protected.
High - V-245809 - SV-245809r822865_rule
RMF Control
Severity
High
CCI
Version
IS-02.01.15
Vuln IDs
  • V-245809
  • V-31549
Rule IDs
  • SV-245809r822865_rule
  • SV-41832r3_rule
Inadequate physical protection of Intrusion Detection System or Automated Entry Control System servers, database storage drives, or monitoring work stations could result in unauthorized access to core system devices providing protection for classified vaults, secure rooms and collateral classified open storage areas. This could result in the loss of confidentiality, integrity or availability of system functionality or data. The impact of this would be possible undetected and unauthorized access to classified processing spaces, resulting in the loss or compromise of classified information or sensitive information such as personal data (PII) of persons issued access control cards or badges.

REFERENCES:
The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.43 Storage, (2) Secret.
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 24.j. and 34.
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-1, PE-2, PE-3, PE-6, PE-8 and PE-9.
DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Enclosure 3, paragraphs 2.f.(2), 3.a(5). and 3.a.(6).
DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, paragraphs 5-313. e. and 5-313 h.
Checks: C-49240r822863_chk

Requirements Summary: Protection must be established and maintained for all component devices or equipment that constitute the automated entry control system (AECS) and/or the intrusion detection system (IDS) used to protect a vault, secure room or collateral classified open storage area which contains SIPRNet assets. In particular the physical location (room or area) containing AECS and IDS "head-end" equipment (server and/or work station/monitoring equipment) where authorization, personal identification or verification data is input, stored, or recorded and/or where system status/alarms are monitored must be protected.

CHECKS:

Check #1. Check to ensure the physical location containing the primary IDS "head-end" equipment (server and/or work station/monitoring equipment) is in a continuously occupied location (e.g., guard monitoring station for alarms and CCTV). (CAT I)

Check #2. Check to ensure the continuously occupied space limits unescorted access to only those employees responsible for monitoring or controlling the IDS and/or AECS. Automated entry control system card/badge readers or cipher locks may be used to fulfill this requirement. (CAT II)

Check #3. If not co-located with the IDS "head-end" equipment, check to ensure the physical location containing the primary AECS "head-end" equipment is in a continuously occupied location OR protected minimally within a room with a BMS alarm contact on each door, window or opening and with interior motion detection sensors that are activated at the end of each duty day. (CAT II)

Check #4. Check to ensure that AECS system card readers with coded access cards or badges (not cipher locks or keyed locks) are used to secure the doors to rooms protecting AECS "head-end" equipment that are not located within a continuously occupied location. (CAT II)

Check #5. Check to ensure that alarms from sensors in the room protecting AECS "head-end" equipment are monitored at the primary IDS monitoring location. (CAT II)

Check #6. A secondary or supplemental AECS server/workstation or IDS data/monitoring workstation might not be located in a 24/7 occupied work space. In instances when AECS or IDS secondary head-end equipment is not continuously attended by employees responsible for monitoring or controlling it, check to ensure it is protected minimally within a room with a BMS alarm contact on each door, window or opening and that interior motion detection sensors are installed and activated at the end of each duty day. (CAT I)

Check #7. Check to ensure that AECS system card readers with coded access cards or badges (not cipher locks or keyed locks) are used to secure the doors to rooms protecting secondary IDS or AECS "head-end" equipment that are not located within a continuously occupied location. (CAT II)

Check #8. Check to ensure that alarms from sensors in the room protecting secondary IDS or AECS "head-end" equipment are monitored at the primary IDS monitoring location. (CAT I)

Check #9. If 4-hour checks are used in lieu of IDS for vaults, secure rooms or collateral classified open storage areas, then 4-hour checks of the room or area used to house the (secondary) IDS and/or (primary/secondary) AECS "head-end" equipment may also be used in lieu of an IDS. Check to ensure the use of 4-hour checks in lieu of IDS to protect (secondary) IDS and/or (primary/secondary) AECS "head-end" equipment is based on a documented risk assessment. (CAT II)

Check #10. If used, check to ensure that random checks (not to exceed 4 hours) of the room or area used to house the IDS or AECS "head-end" equipment are documented and maintained on file for a minimum of 90 days. (CAT II)

TACTICAL ENVIRONMENT: This check is applicable where Vaults/Secure Rooms are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-49195r822864_fix

1. The physical location containing the primary IDS "head-end" equipment (server and/or work station/monitoring equipment) must be located in a continuously occupied location (e.g., guard monitoring station for alarms and CCTV).

2. The continuously occupied space must limit unescorted access to only those employees responsible for monitoring or controlling the IDS and/or AECS. Automated entry control system card/badge readers or cipher locks should be used to fulfill this requirement.

3. If not co-located with the IDS "head-end" equipment, the physical location containing the primary AECS "head-end" equipment must be located in a continuously occupied location OR protected minimally within a room with a BMS alarm contact on each door, window or opening and with interior motion detection sensors that are activated at the end of each duty day.

4. AECS system card readers with coded access cards or badges (not cipher locks or keyed locks) must be used to secure the doors to rooms protecting AECS "head-end" equipment that are not located within a continuously occupied location.

5. Alarms from sensors in the room protecting AECS "head-end" equipment must be monitored at the primary IDS monitoring location.

6. A secondary or supplemental AECS server/workstation or IDS data/monitoring workstation might not be located in a 24/7 occupied work space. In instances when AECS or IDS secondary head-end equipment is not continuously attended by employees responsible for monitoring or controlling it, it must be protected minimally within a room with a BMS alarm contact on each door, window or opening, and interior motion detection sensors must be installed and activated at the end of each duty day.

7. AECS system card readers with coded access cards or badges (not cipher locks or keyed locks) must be used to secure the doors to rooms protecting secondary IDS or AECS "head-end" equipment that are not located within a continuously occupied location.

8. Alarms from sensors in the room protecting secondary IDS or AECS "head-end" equipment must be monitored at the primary IDS monitoring location.

9. If 4-hour checks are used in lieu of IDS for vaults, secure rooms or collateral classified open storage areas, then 4-hour checks of the room or area used to house the (secondary) IDS and/or (primary/secondary) AECS "head-end" equipment may also be used. The use of 4-hour checks in lieu of IDS to protect (secondary) IDS and/or (primary/secondary) AECS "head-end" equipment must be based on a documented risk assessment.

10. If used, random checks (not to exceed 4 hours) of the room or area used to house the IDS or AECS "head-end" equipment must be documented and maintained on file for a minimum of 90 days.

Information Security (INFOSEC) - Secure Room Storage Standards - Structural Integrity Checks
Medium - V-245810 - SV-245810r1008547_rule
RMF Control
Severity
Medium
CCI
Version
IS-02.02.01
Vuln IDs
  • V-245810
  • V-31277
Rule IDs
  • SV-245810r1008547_rule
  • SV-41544r3_rule
Failure to ensure that there is structural integrity of the physical perimeter surrounding a secure room (AKA: collateral classified open storage area) IAW DOD Manual 5200.01, Volume 3 could result in the undetected loss or compromise of classified material.

REFERENCES:
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 24.j. and 34.
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-3.(1) & (2), PE-6 (4).
DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information: Glossary, Part II, Definitions: Security-in-Depth
DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, paragraphs 5-306.a & 8-302.b. Physical and Environmental Protection.
Checks: C-49241r1008545_chk

BACKGROUND: In spite of all physical security defensive devices deployed, the possibility of an intrusion always exists. The highest fence can be scaled, the densest wall can be breached, and the stoutest lock can be compromised. Even highly sophisticated alarm systems can be contravened by a knowledgeable professional. It is therefore necessary to institute a system of checks to physically inspect secure room perimeters to check for signs of attempted intrusions and ensure that structural integrity of the perimeter is maintained.

This requirement is concerned with ensuring there is periodic visual validation of structural integrity of secure room/collateral classified open storage area perimeters containing SIPRNet assets and associated media. It ensures that any breach or attempted breach of the walls, true floors, and true ceilings of a secure area (portions that are not readily visible) is discovered in a timely manner. In Check #1 there are three different situations covered and each requires a different inspection frequency for physical/visual validation of structural integrity.

Check #1. Check to ensure that structural integrity of secure rooms or spaces containing SIPRNet equipment is validated as follows:

Situation #1 (No structural integrity checks required): If interior IDS (motion detection) is properly employed (i.e., directly covering all SIPRNet assets) within the secure room or collateral classified open storage space where classified SIPRNet assets are located AND under raised floor spaces (if applicable) AND above suspended ceiling spaces (if applicable), then no physical check for structural integrity is required. This is contingent upon the interior motion sensors being activated when the room is closed or unattended and the sensors working properly as determined by required checks of sensor functionality.

Situation #2 (Checks required IAW approved written guidance from AO): If motion sensors are properly employed ONLY within the secure room space where classified assets are located, then a visual check of spaces below raised floors, above suspended ceilings, and anywhere else the perimeter of the secure area cannot be readily observed must be conducted IAW AO written guidance. The goal is to visually inspect all walls, true floor, and true ceiling perimeters for signs of breach or attempted breach.

Situation #3 (Checks required IAW written guidance from AO): When random checks (not exceeding four hours) of secure rooms or open storage spaces are used in lieu of IDS, then the checks specified in situation #2 for above suspended ceilings and below raised floors must be conducted IAW AO written guidance. The increased frequency of checks is due to the significant vulnerability of the SIPRNet assets to undetected attack from portions of the perimeter that cannot be readily observed.

NOTE: Physical inspection of the perimeter walls, floor, and ceiling can be greatly expedited and may be conducted without ladders or other equipment where there are no false/suspended ceilings and/or raised floors within or surrounding the secure room or area.

NOTE: If the entire perimeter of the secure room or area containing SIPRNet assets is surrounded by a secret or top secret (TS) Controlled Access Area (CAA), the frequency of structural integrity checks may be reduced to once every two weeks. This is due to the increased security-in-depth provided by the CAA. A secret or TS CAA is an area where unescorted access is granted only to individuals who have a secret or higher security clearance. All others are escorted by cleared employees. The DOD does not provide specific physical security requirements for a CAA but allows each CC/S/A Senior Agency Official (SAO) for Information Security the authority to establish such standards. All the Services have established standards for CAAs within their Protected Distribution System (PDS) implementing guidelines. Minimally, all require some form of access control methodology (AECS/guards/reception, etc.) be in place to ensure only properly vetted and cleared personnel have unescorted access to a CAA.

Check #2. Check to ensure there are written procedures developed for the checks and that the checks are documented and maintained on file for a minimum of 90 days. Where discrepancies (holes in perimeter or other signs of successful or attempted access) are noted, these checks will be maintained indefinitely or until an inquiry determines the cause of the discrepancy.

TACTICAL ENVIRONMENT: This check is applicable where secure rooms are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short-term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-49196r1008546_fix

BACKGROUND: This fix is concerned with ensuring there is periodic visual validation of structural integrity of secure room/collateral classified open storage area perimeters containing SIPRNet assets and associated media. It ensures that any breach or attempted breach of the walls, true floors, and true ceilings of a secure area (portions that are not readily visible) is discovered in a timely manner. In requirement #1 there are three different situations covered and each requires a different level of physical/visual validation for structural integrity.

Requirement #1. Structural integrity of secure rooms or spaces containing SIPRNet equipment must be validated in each situation as follows:

Situation #1 (No structural integrity checks required): If interior IDS (motion detection) is properly employed (directly covering all SIPRNet assets) within the secure room or collateral classified open storage space where classified SIPRNet assets are located AND under raised floor spaces (if applicable) AND above suspended ceiling spaces (if applicable), then no physical check for structural integrity is required. This is contingent upon the interior motion sensors being activated when the room is closed or unattended and the sensors working properly as determined by required checks of sensor functionality.

Situation #2 (Checks required IAW written guidance from AO): If motion sensors are properly employed ONLY within the secure room space where classified assets are located, then a visual check of spaces below raised floors, above suspended ceilings, and anywhere else the perimeter of the secure area cannot be readily observed must be conducted IAW AO written guidance. The goal is to visually inspect all walls, true floor, and true ceiling perimeters for signs of breach or attempted breach.

Situation #3 (Checks required IAW written guidance from AO): When random checks (not exceeding four hours) of secure rooms or open storage spaces are used in lieu of IDS, then the checks specified in situation #2 for above suspended ceilings and below raised floors must be conducted IAW AO written guidance. The increased frequency of checks is due to the significant vulnerability of the SIPRNet assets to undetected attack from portions of the perimeter that cannot be readily observed.

NOTE: Physical inspection of the perimeter walls, floor, and ceiling can be greatly expedited and may be conducted without ladders or other equipment where there are no false/suspended ceilings and/or raised floors within or surrounding the secure room or area.

NOTE: If the entire perimeter of the secure room or area is surrounded by a secret or top secret (TS) Controlled Access Area (CAA), the frequency of structural integrity checks may be reduced to once every two weeks. This is due to the increased security-in-depth provided by the CAA. A secret or TS CAA is an area where unescorted access is granted only to individuals who have a secret or higher security clearance. All others are escorted by cleared employees. The DOD does not provide specific physical security requirements for a CAA but allows each CC/S/A Senior Agency Official (SAO) for Information Security the authority to establish such standards. All the Services have established standards for CAAs within their Protected Distribution System (PDS) implementing guidelines. Minimally, all require some form of access control methodology (AECS/guards/reception, etc.) be in place to ensure only properly vetted and cleared personnel have unescorted access to a CAA.

Requirement #2. There must be written procedures developed for the checks and the checks must be documented and maintained on file for a minimum of 90 days. Where discrepancies (holes in perimeter or other signs of successful or attempted access) are noted, these checks will be maintained indefinitely or until an inquiry determines the cause of the discrepancy.

Vault/Secure Room Storage Standards - IDS Performance Verification
Medium - V-245811 - SV-245811r822867_rule
RMF Control
Severity
Medium
CCI
Version
IS-02.02.02
Vuln IDs
  • V-245811
  • V-31279
Rule IDs
  • SV-245811r822867_rule
  • SV-41547r3_rule
Failure to test IDS functionality on a periodic basis could result in undetected alarm sensor or other system failure. This in turn could result in an undetected intrusion into a secure room (AKA: collateral classified open storage area) and the undetected loss or compromise of classified material.

REFERENCES:
The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.43 Storage, (2) Secret.
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 24.j. and 34.
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-5, PE-6(1), PE-8 and MA-6.
DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Enclosure 3, paragraphs 2.c. and 2.e.(7).
DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, paragraphs 5-901., 5-904. and 5-905.
Testing and alarm verification procedures for specific sensors and other IDS equipment may be obtained from the Electronic Security Center (ESS), U.S. Army Engineering and Support Center, Huntsville, AL 35816: ESS Question? AskESSMCX@usace.army.mil
Checks: C-49242r770093_chk

This check is concerned with verification of IDS functionality where IDS is used as a supplemental control for vaults or secure rooms/areas containing SIPRNet assets. Following are the required checks:

Check #1. Checks of ALL individual alarm sensors (BMS, motion, glass break, etc.) will be conducted at least semi-annually.

Check #2. Valid tests IAW best practices using government or industry standards and tools will be used to conduct the checks.

Check #3. Written procedures will be developed for tests of each sensor type in use at a site.

Check #4. Results of testing will be maintained on file for at least 1 year.

TACTICAL ENVIRONMENT: This check is applicable where Vaults/Secure Rooms are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-49197r770094_fix

Conduct verification of IDS functionality where IDS is used as a supplemental control for vaults or secure rooms/areas containing SIPRNet assets. Following are the required fixes:

Fix #1. Ensure that checks of ALL individual alarm sensors (BMS, motion, glass break, etc.) are conducted at least semi-annually.

Fix #2. Ensure that valid tests IAW best practices using government or industry standards and tools are used to conduct the checks.

Fix #3. Ensure that written procedures are developed for tests of each sensor type in use at a site.

Fix #4. Ensure that results of testing are maintained on file for at least 1 year.
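The semi-annual sensor tests with one-year retention above, and the random checks of head-end equipment rooms (not to exceed 4 hours, retained 90 days) under the head-end equipment protection requirement earlier on this page, are both instances of one audit over dated check records: is every subject covered, is no interval longer than allowed, is the latest result clean, and do the retained records reach back over the whole retention window. The following is an added example, not part of the STIG; the record format, sensor and room names, the 183-day reading of "semi-annually", and the assumption that the program has been running for the full retention window are all mine:

```python
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records (not real site data): "<timestamp> <subject> <result>".
# IDS sensor functional tests, one line per sensor per test.
SENSOR_TESTS = """\
2023-09-12T10:00 SR-12/BMS-DOOR     PASS
2023-09-12T10:05 SR-12/MOTION-1     PASS
2023-09-12T10:10 SR-12/GLASSBREAK-1 PASS
2024-03-08T09:00 SR-12/BMS-DOOR     PASS
2024-03-08T09:05 SR-12/MOTION-1     PASS
2024-09-02T14:00 SR-12/BMS-DOOR     PASS
2024-09-02T14:05 SR-12/MOTION-1     FAIL
"""

# Random checks of the room housing AECS/IDS head-end equipment, used in lieu of IDS.
ROOM_CHECKS = """\
2024-08-30T06:10 HEADEND-ROOM-B OK
2024-08-30T09:55 HEADEND-ROOM-B OK
2024-08-30T14:20 HEADEND-ROOM-B OK
2024-08-30T17:50 HEADEND-ROOM-B OK
"""


def parse_records(text: str) -> dict[str, list[tuple[datetime, str]]]:
    """Group records by subject (sensor or room), each list sorted oldest first."""
    by_subject: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, subject, result = line.split()
            by_subject[subject].append((datetime.fromisoformat(ts), result))
    for records in by_subject.values():
        records.sort()
    return by_subject


def audit(text: str, expected_subjects: list[str], max_interval: timedelta,
          retention: timedelta, as_of: datetime) -> list[str]:
    """Findings against a periodic-check requirement.

    Flags: a subject with no records at all; a gap between consecutive records longer
    than max_interval; a subject whose latest record is older than max_interval (overdue);
    a latest result of FAIL (failure never cleared by a later test); and records that do
    not reach back to the start of the retention window (assumes the program has run
    at least that long, so older records should still be on file).
    """
    by_subject = parse_records(text)
    window_start = as_of - retention
    findings: list[str] = []
    for subject in sorted(expected_subjects):
        records = by_subject.get(subject, [])
        if not records:
            findings.append(f"{subject}: no records on file")
            continue
        first_ts = records[0][0]
        if first_ts > window_start + max_interval:
            findings.append(f"{subject}: records begin {first_ts.isoformat()}, "
                            f"but retention window starts {window_start.isoformat()}")
        for (earlier, _), (later, _) in zip(records, records[1:]):
            if later - earlier > max_interval:
                findings.append(f"{subject}: gap of {later - earlier} between "
                                f"{earlier.isoformat()} and {later.isoformat()} exceeds {max_interval}")
        last_ts, last_result = records[-1]
        if as_of - last_ts > max_interval:
            findings.append(f"{subject}: overdue, last record {last_ts.isoformat()} "
                            f"is {(as_of - last_ts).days} days before {as_of.date()}")
        if last_result == "FAIL":
            findings.append(f"{subject}: latest result is FAIL with no subsequent PASS")
    return findings


def audit_sensor_tests(as_of: datetime = datetime(2024, 10, 1)) -> list[str]:
    """Semi-annual sensor tests (taken here as 183 days), results kept one year."""
    sensors = ["SR-12/BMS-DOOR", "SR-12/MOTION-1", "SR-12/GLASSBREAK-1", "SR-12/MOTION-2"]
    return audit(SENSOR_TESTS, sensors, timedelta(days=183), timedelta(days=365), as_of)


def audit_room_checks(as_of: datetime = datetime(2024, 8, 30, 18, 0)) -> list[str]:
    """Random checks not to exceed 4 hours, records kept 90 days."""
    return audit(ROOM_CHECKS, ["HEADEND-ROOM-B"], timedelta(hours=4), timedelta(days=90), as_of)


if __name__ == "__main__":
    for finding in audit_sensor_tests() + audit_room_checks():
        print(finding)
```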

Vault/Secure Room Storage Standards - Masking of IDS Sensors Displayed at the Intrusion Detection System (IDS) Monitoring Station
Medium - V-245812 - SV-245812r822868_rule
RMF Control
Severity
Medium
CCI
Version
IS-02.02.03
Vuln IDs
  • V-245812
  • V-31286
Rule IDs
  • SV-245812r822868_rule
  • SV-41554r3_rule
Failure to meet standards for the display of masked alarm sensors at the IDS monitoring station could result in the location with masked or inactive sensors not being properly supervised. This could result in an undetected breach of a secure room perimeter and the undetected loss or compromise of classified material.

REFERENCES:
The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.43 Storage, (2) Secret.
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34.
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-3, PE-5, PE-6(1)
DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Enclosure 3, paragraphs 2d.(5) and (6).
DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 9. Intrusion Detection Systems.
Checks: C-49243r770096_chk

Shunting or masking of any secure room IDS internal zone or sensor must be appropriately logged or recorded in the system archive. A shunted or masked internal zone or sensor must be displayed as such at the monitor station throughout the period the condition exists whenever there is a system (IDS) survey of zones or sensors.

TACTICAL ENVIRONMENT: This check is applicable where Vaults/Secure Rooms are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-49198r770097_fix

Shunting or masking of any secure room IDS internal zone or sensor must be appropriately logged or recorded in the system archive. A shunted or masked internal zone or sensor must be displayed as such at the monitor station throughout the period the condition exists whenever there is a system (IDS) survey of zones or sensors.
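The two conditions in the check and fix above (every shunt or mask recorded in the system archive; a masked zone displayed as masked in every zone survey for as long as the condition exists) can be verified after the fact by replaying the archive against what the monitor station displayed at each survey. The following is an added example, not part of the STIG or of any IDS product; the archive line format, zone names, operator names and survey records are constructed for the demonstration:

```python
from __future__ import annotations

from datetime import datetime

# Constructed archive records (not a real IDS export): "<timestamp> <MASK|UNMASK> <zone> <operator>"
ARCHIVE = """\
2024-05-01T07:58:00 MASK   SR-12/MOTION-1 opr.hall
2024-05-01T08:02:00 MASK   SR-12/BMS-DOOR opr.hall
2024-05-01T09:30:00 UNMASK SR-12/BMS-DOOR opr.hall
2024-05-01T17:45:00 UNMASK SR-12/MOTION-1 opr.reyes
"""

# Constructed survey records: the set of zones the monitor station displayed as masked
# each time an operator ran a zone/sensor survey.
SURVEYS = [
    ("2024-05-01T08:15:00", {"SR-12/MOTION-1", "SR-12/BMS-DOOR"}),
    ("2024-05-01T12:00:00", set()),                 # MOTION-1 still masked but not shown
    ("2024-05-01T16:00:00", {"SR-12/MOTION-1"}),
    ("2024-05-01T18:00:00", {"SR-12/BMS-DOOR"}),    # shown masked, but archive says unmasked
]

Event = tuple[datetime, str, str, str]


def parse_archive(text: str) -> list[Event]:
    """Parse archive lines into (timestamp, event, zone, operator), oldest first."""
    events: list[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, zone, operator = line.split()
        if event not in ("MASK", "UNMASK"):
            raise ValueError(f"unknown event type {event!r}")
        events.append((datetime.fromisoformat(ts), event, zone, operator))
    return sorted(events, key=lambda e: e[0])


def masked_at(events: list[Event], when: datetime) -> set[str]:
    """Replay the archive up to `when`; a zone is masked if its latest event so far is MASK."""
    state: dict[str, bool] = {}
    for ts, event, zone, _operator in events:
        if ts > when:
            break
        state[zone] = event == "MASK"
    return {zone for zone, masked in state.items() if masked}


def reconcile(archive_text: str, surveys: list[tuple[str, set[str]]]) -> list[str]:
    """Compare each survey display against the archive; return one finding per discrepancy.

    Two discrepancy kinds are reported: a zone the archive says is masked that the
    survey did not display as masked (the condition exists but is not shown), and a
    zone displayed as masked with no archive record supporting it (an unlogged mask).
    """
    events = parse_archive(archive_text)
    findings: list[str] = []
    for ts_text, displayed in surveys:
        expected = masked_at(events, datetime.fromisoformat(ts_text))
        for zone in sorted(expected - displayed):
            findings.append(f"{ts_text}: {zone} masked per archive but not displayed as masked at survey")
        for zone in sorted(displayed - expected):
            findings.append(f"{ts_text}: {zone} displayed as masked with no archive record of the mask")
    return findings


if __name__ == "__main__":
    for finding in reconcile(ARCHIVE, SURVEYS) or ["no discrepancies"]:
        print(finding)
```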

Vault/Secure Room Storage Standards - IDS Alarm Monitoring Indicators, both audible and visual (Alarm Status) must be displayed for each sensor or alarmed zone at the monitoring station.
Medium - V-245813 - SV-245813r822870_rule
RMF Control
Severity
Medium
CCI
Version
IS-02.02.04
Vuln IDs
  • V-245813
  • V-31289
Rule IDs
  • SV-245813r822870_rule
  • SV-41560r3_rule
Failure to meet standards for the display of audible and visual alarm indicators at the IDS monitoring station could result in a sensor going into alarm state and not being immediately detected. This could result in an undetected or delayed discovery of a secure room perimeter breach and the loss or compromise of classified material.

REFERENCES:
The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.43 Storage, (2) Secret.
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34.
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-3, PE-5, PE-6(1)
DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Enclosure 3, paragraphs 2.b.(2)(b).
DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 9. Intrusion Detection Systems.
Checks: C-49244r822869_chk

Check that all alarm activations provide both visual and audible indicators at the primary monitoring station.

TACTICAL ENVIRONMENT: This check is applicable where Vaults/Secure Rooms are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-49199r770100_fix

Ensure that all alarm activations provide both a visual and audible indicator at the primary monitoring station.

Vault/Secure Room Storage Standards - Intrusion Detection System (IDS) / Automated Entry Control System (AECS) Primary and Emergency Power Supply
Medium - V-245814 - SV-245814r822871_rule
RMF Control
Severity
Medium
CCI
Version
IS-02.02.05
Vuln IDs
  • V-245814
  • V-31290
Rule IDs
  • SV-245814r822871_rule
  • SV-41561r3_rule
Failure to meet standards for ensuring that there are adequate commercial and backup power sources for IDS/AECS with uninterrupted failover to emergency power could result in a malfunction of the physical alarm and access control system. This could result in the undetected breach of classified open storage / secure rooms or vaults containing SIPRNet assets and undetected loss or compromise of classified material.

REFERENCES:
The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.43 Storage, (2) Secret.
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34.
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-3, PE-5, PE-6(1)
DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Enclosure 3, paragraphs 2.d.(7)(a) and (b).
DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 9. Intrusion Detection Systems.
Checks: C-49245r770102_chk

Primary Power Checks:
Check #1. Check to ensure primary power for all Intrusion Detection System (IDS) equipment and Automated Entry Control System (AECS) equipment is either commercial AC or DC power.
Check #2. Check to ensure that in the event of commercial power failure at either the secure room/area or monitor station, the equipment changes power sources without causing an intrusion alarm indication. An Uninterrupted Power Supply (UPS) will be required for this to occur.

Emergency (Backup) Power Checks:
Check #1. Check to ensure that emergency power consists of a protected independent backup power source that provides a minimum of 8 hours of operating battery and/or generator power. When batteries are used for emergency power, they shall be maintained at full charge by automatic charging circuits. The manufacturer's periodic maintenance schedule shall be followed and results documented.
Check #2. Power Source and Failure Indication: Check to ensure that an illuminated indication exists at the Power Control Unit (PCU) of the power source in use (AC or DC).
Check #3. Check to ensure equipment at the IDS/AECS monitor station indicates a failure in power source, a change in power source, and the location of the failure or change.

TACTICAL ENVIRONMENT: This check is applicable where Vaults/Secure Rooms are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-49200r770103_fix

Fixes - Primary Power:
Fix #1. Ensure primary power for all Intrusion Detection System (IDS) equipment and Automated Entry Control System (AECS) equipment is either commercial AC or DC power.
Fix #2. Ensure that in the event of commercial power failure at either the secure room/area or monitor station, the equipment changes power sources without causing an intrusion alarm indication. An Uninterrupted Power Supply (UPS) will be required for this to occur.

Fixes - Emergency (Backup) Power:
Fix #1. Ensure that emergency power consists of a protected independent backup power source that provides a minimum of 8 hours of operating battery and/or generator power. When batteries are used for emergency power, they shall be maintained at full charge by automatic charging circuits. The manufacturer's periodic maintenance schedule shall be followed and results documented.
Fix #2. Power Source and Failure Indication: Ensure that an illuminated indication exists at the Power Control Unit (PCU) of the power source in use (AC or DC).
Fix #3. Ensure equipment at the IDS/AECS monitor station indicates a failure in power source, a change in power source, and the location of the failure or change.

b
Vault/Secure Room Storage Standards - Intrusion Detection System and Automated Entry Control System (IDS/AECS) Component Tamper Protection
Medium - V-245815 - SV-245815r822872_rule
RMF Control
Severity
Medium
CCI
Version
IS-02.02.06
Vuln IDs
  • V-245815
  • V-31291
Rule IDs
  • SV-245815r822872_rule
  • SV-41562r3_rule
Failure to tamper-protect IDS/AECS component enclosures and access points external to the protected vault/secure room space could result in the undetected modification or disabling of IDS/AECS system components. This could lead to the undetected breach of secure space containing SIPRNet assets and result in the undetected loss or compromise of classified information or materials. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.43 Storage, (2) Secret. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-3, PE-5, PE-6(1) DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Enclosure 3, paragraphs 2.d.(8) and 3.a.(5)(b). DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 9. Intrusion Detection Systems and Section 3. AECS paragraph 5-313.f.
Checks: C-49246r770105_chk

Requirements Summary: Protection must be established and maintained for all component devices or equipment that constitute the Automated Entry Control System (AECS) and/or the Intrusion Detection System (IDS) used to protect a vault, secure room or collateral classified open storage area, which contains SIPRNet assets. If access to a junction box or controller will enable an unauthorized modification, then alarmed tamper protection, which is normally provided by a pressure sensitive switch, must be used.

CHECKS:
1. Check to ensure that IDS/AECS components located both outside and inside the secure area have tamper protection resulting in an alarm signal sent to the primary IDS Monitoring Station. Normally this is provided by a pressure sensitive switch, which automatically sends an alarm signal when the protective enclosure covering component equipment is opened.
2. Check to ensure that ALL IDS/AECS ancillary equipment such as card readers, keypads, communication or interface devices for vaults, secure rooms, or collateral classified open storage areas containing SIPRNet assets have tamper resistant enclosures and are securely fastened to the wall or other permanent structure. Control panels and AECS devices located within a Secret or TS Controlled Access Area (CAA) need only a minimal degree of physical security protection sufficient to preclude unauthorized access to the mechanism.

TACTICAL ENVIRONMENT: This check is applicable where Vaults/Secure Rooms are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-49201r770106_fix

Requirements Summary: Protection must be established and maintained for all component devices or equipment that constitute the Automated Entry Control System (AECS) and/or the Intrusion Detection System (IDS) used to protect a vault, secure room or collateral classified open storage area, which contains SIPRNet assets. If access to a junction box or controller will enable an unauthorized modification, then alarmed tamper protection, which is normally provided by a pressure sensitive switch, must be used.

Fixes:
1. IDS/AECS components located both outside and inside the secure area must have tamper protection resulting in an alarm signal sent to the primary IDS Monitoring Station. Normally this is provided by a pressure sensitive switch, which automatically sends an alarm signal when the protective enclosure covering component equipment is opened.
2. ALL IDS/AECS ancillary equipment such as card readers, keypads, communication or interface devices for vaults, secure rooms, or collateral classified open storage areas containing SIPRNet assets must have tamper resistant enclosures and be securely fastened to the wall or other permanent structure. Control panels and AECS devices located within a Secret or TS Controlled Access Area (CAA) need only a minimal degree of physical security protection sufficient to preclude unauthorized access to the mechanism.

b
Vault/Secure Room Storage Standards - Primary IDS Monitoring Location Outside the Monitored Space
Medium - V-245816 - SV-245816r822873_rule
RMF Control
Severity
Medium
CCI
Version
IS-02.02.07
Vuln IDs
  • V-245816
  • V-31293
Rule IDs
  • SV-245816r822873_rule
  • SV-41564r3_rule
Failure to locate the alarm monitoring station at an external location, at a safe distance from the space being monitored so that it is not involved in any surprise attack on the alarmed space, could result in a perimeter breach and the loss or compromise of classified material with limited or no capability to immediately notify response forces. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.43 Storage, (2) Secret. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-3, PE-5, PE-6(1) DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Enclosure 3, paragraph 2.d.(6). DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 9. Intrusion Detection Systems, paragraphs 5-900 and 5-902.
Checks: C-49247r770108_chk

Check to ensure that primary monitoring of alarms for secure rooms or spaces containing SIPRNet equipment is located outside of the protected space. It is allowable to monitor alarms within the protected space if this is only used for supplemental/secondary monitoring. Ideally alarms will be monitored from the same location that police/guards or other response forces are contacted and dispatched, although this is not required if there are procedures and means for the monitoring station personnel to notify security response forces in a timely manner.

TACTICAL ENVIRONMENT: This check is applicable where Vaults/Secure Rooms are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-49202r770109_fix

Ensure that primary monitoring of alarms for secure rooms or spaces containing SIPRNet equipment is located outside of the protected space.

b
Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Records Maintenance, which includes documented procedures for granting and removal of access.
Medium - V-245817 - SV-245817r822874_rule
RMF Control
Severity
Medium
CCI
Version
IS-02.02.08
Vuln IDs
  • V-245817
  • V-31548
Rule IDs
  • SV-245817r822874_rule
  • SV-41831r3_rule
Failure to document procedures for removal of access and inadequate maintenance of access records for both active and removed persons could result in unauthorized persons having unescorted access to vaults, secure rooms or collateral classified open storage areas where classified information is processed and stored. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.43 Storage, (2) Secret. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-1, PE-2, PE-3, PE-6 and PE-8. DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Enclosure 3, paragraph 3.a(4) and (7) DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, paragraph 5-313.i.
Checks: C-49248r770111_chk

Requirements Summary: A procedure must be established for removal of an individual's authorization to enter the secure room area upon reassignment, transfer, or termination, or when the individual's access is suspended, revoked, or downgraded to a level lower than the former access level. Records shall also be accurately maintained reflecting active assignment of ID badge/card, PIN, level of access, and similar system-related records. Records concerning personnel removed from the system shall be retained for a minimum of 90 days.

CHECKS:
Check #1. Check to ensure that records reflecting active assignment of ID badge/card, PIN, level of access, and similar system-related records are accurately maintained. (CAT II)
Check #2. Check to ensure there is a documented procedure for removal of persons from the Automated Entry Control System. (CAT III)
Check #3. Check to ensure that records concerning personnel removed from the system are retained for a minimum of 90 days. (CAT III)

TACTICAL ENVIRONMENT: This check is applicable where Vaults/Secure Rooms are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-49203r770112_fix

1. Ensure there is a documented procedure for removal of persons from the Automated Entry Control System.
2. Ensure that records reflecting active assignment of ID badge/card, PIN, level of access, and similar system-related records are accurately maintained.
3. Ensure that records concerning personnel removed from the system are retained for a minimum of 90 days.

b
Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Transmission Line Security: AECS Transmission lines traversing an uncontrolled area (not within at least a Secret Controlled Access Area (CAA) ) shall use line supervision OR Electrical, mechanical, or electromechanical access control devices, which do not constitute an AECS that are used to control access during duty hours must have all electrical components, that traverse outside minimally a Secret Controlled Access Area (CAA), secured within conduit.
Medium - V-245818 - SV-245818r822875_rule
RMF Control
Severity
Medium
CCI
Version
IS-02.02.09
Vuln IDs
  • V-245818
  • V-31897
Rule IDs
  • SV-245818r822875_rule
  • SV-42194r3_rule
Persons not vetted to at least the classification level of the information systems being protected by the AECS or other access control system components could gain access to the unprotected transmission line and tamper with it to facilitate surreptitious access to the secure space. Proper line supervision and/or physical protection within conduit will enable detection of line tampering. Failure to meet standards for line supervision and physical protection could therefore result in the loss or compromise of classified material. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.43 Storage, (2) Secret. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-3, PE-4, and PE-6. DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Enclosure 3, paragraphs 3.a.(5)(d) and 3.c.(4). DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 3, paragraph 5-313. g. and h.
Checks: C-49249r770114_chk

1. Where Automated Entry Control Systems (AECS) protect SIPRNet assets in Secure Rooms, Vaults, or Secret/TS CAAs: Ensure that transmission lines used to carry access authorizations, personal identification data, or verification data between devices or equipment, which are located outside "minimally" a Secret Controlled Access Area (CAA), have line supervision.
2. Electrical, mechanical, or electromechanical access control devices, which do not constitute an AECS, that are used to control access during duty hours (while under direct continuous visual observation and control of a cleared employee or via CCTV) must have all electrical components, including wiring, or mechanical links (cables, rods, and so on) accessible only from inside the area, or, if they traverse outside a controlled area ("minimally" a Secret Controlled Access Area (CAA)), they must be physically secured within conduit to preclude surreptitious manipulation of components.

TACTICAL ENVIRONMENT: This check is applicable where Vaults/Secure Rooms are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-49204r770115_fix

1. Where Automated Entry Control Systems (AECS) protect SIPRNet assets in Secure Rooms, Vaults, or Secret/TS CAAs: Ensure that transmission lines used to carry access authorizations, personal identification data, or verification data between devices or equipment, which are located outside "minimally" a Secret Controlled Access Area (CAA), have line supervision.
2. Where electrical, mechanical, or electromechanical access control devices, which do not constitute an AECS, are used to control access during duty hours (while under direct continuous visual observation and control of a cleared employee or via CCTV), they must have all electrical components, including wiring, or mechanical links (cables, rods, and so on) accessible only from inside the area, or, if they traverse outside a controlled area ("minimally" a Secret Controlled Access Area (CAA)), they must be physically secured within conduit to preclude surreptitious manipulation of components.

b
Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Door Locks: Electric Strikes and/or Magnetic Locking devices used in access control systems shall be heavy duty, industrial grade and be configured to fail secure in the event of a total loss of power (primary and backup).
Medium - V-245819 - SV-245819r822876_rule
RMF Control
Severity
Medium
CCI
Version
IS-02.02.10
Vuln IDs
  • V-245819
  • V-31908
Rule IDs
  • SV-245819r822876_rule
  • SV-42205r3_rule
There are a variety of locking mechanisms that may be used to secure both primary and secondary doors for vaults and classified open storage areas (secure rooms). While the primary access door is to be secured with an appropriate combination lock when closed; during working hours an AECS using electric strikes or magnetic locks, electrical, mechanical, or electromechanical access control devices, or standard keyed locks may be used to facilitate frequent access to the secured space by employees vetted for unescorted access. Where electrically actuated locks are used, locking mechanisms must be properly configured and controlled to ensure they fail only in a secure state during partial or total loss of power (primary and backup). Failure to provide for these considerations could result in the loss or compromise of classified material. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.43 Storage, (2) Secret. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-3, and PE-6. DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Enclosure 3, paragraph 3.a.(5)(e). DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 3, paragraphs 5-312, 5-313, and 5-314.
Checks: C-49250r770117_chk

Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Door Lock Standards for Areas Containing SIPRNet Assets. Check to ensure the following configuration and control considerations are used according to the types of locking mechanisms being used, as specified in each check:
Check #1. Electric Strikes and/or Magnetic Locking devices used in access control systems shall be heavy duty, industrial grade.
Check #2. Backup batteries and/or emergency power generators should be connected to AECS components; however, the total loss of power (primary and emergency) should also be planned for.
Check #3. When used on secure rooms, vaults or areas protecting SIPRNet equipment, electric strikes on doors will be set to fail secure in the event of power disruption.
Check #4. On the primary ingress/egress door to secure rooms (which contains the combination lock) the strike may be set to fail open to facilitate access to the room in emergencies only if the door is under continuous visual observation when the combination lock is not secure. In this instance the combination lock will be immediately secured and subsequently opened as required to allow access to the room.
Check #5. As an alternative the strike on the primary access door (only those under continuous visual control) may be set to fail secure and configured to allow for opening of the strike lock with a key.
Check #6. Keys for locks as discussed in check 5 will be strictly controlled, inventoried periodically and not issued to individuals for personal retention.
Check #7. KEYS TO SECURE ROOMS WILL NOT BE REMOVED FROM THE SITE.
Check #8. When Magnetic Locks (Mag locks) are used on primary access doors the total loss of ALL power (primary and backup) will cause the lock to fail open. Therefore doors with mag locks installed MUST BE UNDER CONTINUOUS VISUAL OBSERVATION WHEN THE COMBINATION LOCK IS OPEN.
Check #9. Where Mag locks are used on primary access doors and upon a total power failure, the combination lock will be immediately secured and subsequently opened as required to allow access to the room.
Check #10. Secondary doors not used for access (emergency egress only) should use standard locking door latches rather than electric strikes or mag locks.
Check #11. Access hardware on the side of the secondary door that is external to the room must be removed to prevent use of secondary doors for routine ingress.
Check #12. In the event a mag lock or electric strike is used on a secondary door, the door must be configured to be locked during a power disruption. This can be accomplished with internal sliding deadbolt locks or lockable door latches. Electric strikes on secondary doors should be set to fail secure. Any secondary door secured with Mag Locks must be under CONTINUOUS visual observation when the interior deadbolt locks are not engaged. Deadbolt locks must not be engaged while the room is occupied (for life safety), but will be secured upon closing the secure room or area.

TACTICAL ENVIRONMENT: This check is applicable where Secure Rooms are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-49205r770118_fix

Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Door Locks. Ensure the following configuration and control considerations are used as appropriate for the type of locks being used in access control systems protecting SIPRNet assets:
1. Electric Strikes and/or Magnetic Locking devices used in access control systems shall be heavy duty, industrial grade.
2. Backup batteries and/or emergency power generators should be connected to AECS components; however, the total loss of power should be planned for.
3. When used on secure rooms, vaults, or areas protecting SIPRNet equipment, electric strikes on doors will be set to fail secure in the event of power disruption.
4. On the primary ingress/egress door to secure rooms (which contains the combination lock) the strike may be set to fail open to facilitate access to the room in emergencies only if the door is under continuous visual observation when the combination lock is not secure. In this instance the combination lock will be immediately secured and subsequently opened as required to allow access to the room.
5. As an alternative the strike on the primary access door (under continuous visual control) may be set to fail secure and configured to allow for opening of the strike lock with a key.
6. Keys for such locks will be strictly controlled, inventoried periodically and not issued to individuals for retention.
7. KEYS TO SECURE ROOMS WILL NOT BE REMOVED FROM THE SITE.
8. When Magnetic Locks (Mag locks) are used on primary access doors the total loss of ALL power (primary and backup) will cause the lock to fail open. Therefore doors with mag locks installed must be under continuous visual observation when the combination lock is open.
9. Where Mag locks are used on primary access doors and upon a total power failure, the combination lock will be immediately secured and subsequently opened as required to allow access to the room.
10. Secondary doors not used for access (emergency egress only) should use standard locking door latches rather than electric strikes or mag locks.
11. Access hardware on the side of the door that is external to the room must be removed to prevent use of secondary doors for routine ingress.
12. In the event a mag lock is used on a secondary door, the door must be configured to be locked during a power disruption. This can be accomplished with internal sliding deadbolt locks or supplemental door latches. Any secondary door secured with Mag Locks must be under CONTINUOUS visual observation when the interior deadbolt locks are not engaged. Deadbolt locks must not be engaged while the room is occupied (for life safety), but will be secured upon closing the secure room or area.

Always be sure to coordinate door locking and emergency egress considerations with supporting facility risk management (fire/safety) personnel.

b
Information Security (INFOSEC) - Secure Room Storage Standards - Perimeter Construction using Proper Permanent Construction Materials for True Ceiling, Walls and Floors.
Medium - V-245820 - SV-245820r822877_rule
RMF Control
Severity
Medium
CCI
Version
IS-02.02.11
Vuln IDs
  • V-245820
  • V-31269
Rule IDs
  • SV-245820r822877_rule
  • SV-41535r3_rule
Failure to meet standards for the structural integrity of the physical perimeter surrounding a secure room (AKA: collateral classified open storage area) could result in the undetected loss or compromise of classified material. Permanent construction materials, while not impenetrable, provide physical evidence of an attempted or actual intrusion into a secure room space. Construction materials and application techniques that are not permanent in nature can potentially be removed to allow for access to secure room space and then replaced by an intruder upon egress from the area. This effectively negates the detection capability afforded by permanent construction techniques and materials. Examples of non-permanent material would be modular walls that can be removed and replaced with ease or plywood board (or other materials) applied with screws or nails that can be removed from outside the secure room space and then replaced using common tools. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.53 Open storage areas. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-3, PE-3, PE-4, and PE-5. DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Enclosure 3, paragraphs 3.a.(3) and 3.b.(1), (2) & (3); Appendix to Enclosure 3, paragraph 1.b.(1), (2) & (5). DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 8, paragraph 5-801. b. Walls, f. Ceilings, g. Unusual Ceilings, & h. Openings.
Checks: C-49251r770120_chk

For secure rooms or areas (*containing inspectable SIPRNet assets) check:
1. That walls, floor, and roof construction of secure rooms are made of permanent construction materials; i.e., plaster, gypsum wallboard, metal panels, hardboard, wood, plywood, or other materials offering resistance to, and evidence of, unauthorized entry into the area. Materials such as plywood must be attached in a manner so as not to enable easy removal of screws or nails to gain ingress and then replace them upon egress.
2. The "True" ceiling shall be constructed of plaster, gypsum, wallboard material, hardware or any other acceptable material.

TACTICAL ENVIRONMENT: This check is applicable where vaults or secure rooms are used to protect classified materials or systems. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-49206r770121_fix

1. Secure rooms or areas (*containing inspectable SIPRNet assets) must have walls, floor, and roof construction made of permanent construction materials; i.e., plaster, gypsum wallboard, metal panels, hardboard, wood, plywood, or other materials offering resistance to, and evidence of, unauthorized entry into the area.
2. Materials such as plywood must be attached in a manner so as not to enable easy removal of screws or nails to gain ingress and then replace them upon egress.
3. The "True" ceiling shall be constructed of plaster, gypsum, wallboard material, hardware or any other acceptable material.

a
Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Keypad Device Protection: Keypad devices designed or installed in a manner that an unauthorized person in the immediate vicinity cannot observe the selection of input numbers.
Low - V-245821 - SV-245821r822878_rule
RMF Control
Severity
Low
CCI
Version
IS-02.03.01
Vuln IDs
  • V-245821
  • V-31657
Rule IDs
  • SV-245821r822878_rule
  • SV-41944r3_rule
If someone were to successfully observe an authorized user's selection of numbers for their PIN at an entrance to a classified storage area or unclassified but sensitive computer room it could result in an unauthorized person being able to use that same PIN to gain access. Where purely electronic (cipher type) locks are used without an access card or badge this could lead to direct access by an unauthorized person. Where coded AECS cards and badges are used the risk is diminished significantly as the coded badge associated with the PIN would need to be lost/stolen and subsequently recovered by someone with unauthorized knowledge of the PIN for them to be able to successfully gain access to the secured area. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.43 Storage, (2) Secret. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Control: PE-3. DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Enclosure 3, paragraph 3.a.(5)(c). DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 3, paragraph 5-314.b.
Checks: C-49252r770123_chk

Requirements Summary: Keypad devices (cipher locks or PIN pads for card readers) shall be designed or installed in such a manner that an unauthorized person in the immediate vicinity cannot observe the selection of input numbers.

CHECKS: Check to ensure that all keypad devices are properly shielded and/or that persons using these devices have been advised by site security and are aware of the risk of having someone in the vicinity view their PIN as it is entered, and that they are exercising due care to shield entry of their PIN. Verification of employee awareness can be obtained by observing SOPs or employee training records reflecting a warning or requirement to shield entry of PINs.

TACTICAL ENVIRONMENT: This check is applicable where Vaults/Secure Rooms are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-49207r770124_fix

Ensure that keypad devices (cipher locks or PIN pads for card readers) are designed or installed in such a manner that an unauthorized person in the immediate vicinity cannot observe the selection of input numbers. During initial and annual refresher training, and when key cards with PINs are issued, advise persons using the keypad devices of the risk of someone observing their PIN and encourage them to use appropriate caution to shield their selection of numbers.

Marking Classified - Equipment, Documents or Media: In a classified operating environment, all unclassified items must be marked in addition to all classified items.
Medium - V-245822 - SV-245822r865855_rule
RMF Control
Severity
Medium
CCI
Version
IS-03.02.01
Vuln IDs
  • V-245822
  • V-31910
Rule IDs
  • SV-245822r865855_rule
  • SV-42207r3_rule
Failure to properly mark classified material could result in the loss or compromise of classified information. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.23 Classification marking in the electronic environment. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure A, paragraph 6.a. and Enclosure C, paragraphs 21.h.(7) & 29.a. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-16 and MP-3. DoD Manual 5200.01, Volume 2, 24 February 2012, SUBJECT: DoD Information Security Program: Marking of Classified Information; Enclosure 2, paragraph 4.b. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 4, Section 2, paragraphs 4-201, 4-202, 4-203 and Chapter 8, Section 3, paragraph 8-302.g.(1) Satisfies: Marking Classified - Equipment, Documents or Media
Checks: C-49253r865853_chk

Check to ensure all equipment/media/documents in the areas housing SIPRNet assets contain proper classification markings. In a classified operating environment, all unclassified items must be marked in addition to all classified items. For instance, in areas where any classified equipment such as servers, client workstations, printers, routers, crypto, etc. are being used, all classified equipment, media, and documents must be properly marked with classification levels and handling caveats. All unclassified equipment (servers, client workstations, printers, routers, crypto, etc.), media, and documents must also be properly marked as unclassified and with handling caveats, such as CUI, when appropriate. This total marking of all assets in a classified environment eliminates the assumption that anything not marked is unclassified. Hence, all equipment, media, and documents within SCIFs, Vaults, Secure Rooms and classified Controlled Access Areas (CAAs) must be marked with classification levels and handling caveats.

SPECIAL NOTE FOR MONITORS: Monitors connected to SIPRNet/NIPRNet are inert items of equipment in that they do not store or retain classified data. As long as the monitor border displays the classification level, alerting personnel using the system of the protection requirements, there is no need to place a classification sticker on the monitor. If a classification banner is displayed on an active monitor screen, then the physical monitor is not required to have an SF-710 (unclassified) or SF-707 (secret) sticker. Typically, most monitor screens connected to the DISN do have classification banners displayed, so placement of SF stickers on monitors is not an issue. Also, consider that many workstations are using KVM switches to share monitor screens between NIPRNet and SIPRNet. Hence, the single monitor will be unclassified or classified depending on the network it is connected to at a particular moment, making placement of physical classification labels impractical.

TACTICAL ENVIRONMENT: This check is applicable in a tactical environment if classified documents or media are created or extracted from the SIPRNet. The only exception will be for urgent (short-term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used. All deployed SIPRNet equipment should already contain applicable classification markings/labels.

Fix: F-49208r865854_fix

Ensure all equipment, media, and documents in the areas housing SIPRNet assets contain proper classification markings. In a classified operating environment, all unclassified items must be marked in addition to all classified items. For instance, in areas where any classified equipment such as servers, client workstations, printers, routers, crypto, etc. are being used, all classified equipment, media, and documents must be properly marked with classification levels and handling caveats. All unclassified equipment (servers, client workstations, printers, routers, crypto, etc.), media, and documents must also be properly marked as unclassified and with handling caveats, such as CUI, when appropriate. This total marking of all assets in a classified environment eliminates the assumption that anything not marked is unclassified. Hence, all equipment, media, and documents within SCIFs, Vaults, Secure Rooms and classified Controlled Access Areas (CAAs) must be marked with classification levels and handling caveats.

SPECIAL NOTE FOR MONITORS: Monitors connected to SIPRNet/NIPRNet are inert items of equipment in that they do not store or retain classified data. As long as the monitor border displays the classification level, alerting personnel using the system of the protection requirements, there is no need to place a classification sticker on the monitor. If a classification banner is displayed on an active monitor screen, then the physical monitor is not required to have an SF-710 (unclassified) or SF-707 (secret) sticker. Typically, most monitor screens connected to the DISN do have classification banners displayed, so placement of SF stickers on monitors is not an issue. Also, consider that many workstations are using KVM switches to share monitor screens between NIPRNet and SIPRNet. Hence, the single monitor will be unclassified or classified depending on the network it is connected to at a particular moment, making placement of physical classification labels impractical.

Marking Classified - Local or Enclave Classified Marking Procedures must be developed to ensure employees are familiar with appropriate organization Security Classification Guides (SCG), how to obtain guidance for marking classified documents, media and equipment, and where associated forms, classified cover sheets, labels, stamps, wrapping material for classified shipment, etc. can be obtained.
Low - V-245823 - SV-245823r822880_rule
RMF Control
Severity
Low
CCI
Version
IS-03.03.01
Vuln IDs
  • V-245823
  • V-31909
Rule IDs
  • SV-245823r822880_rule
  • SV-42206r3_rule
Failure to properly mark classified material could result in the loss or compromise of classified information. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.23 Classification marking in the electronic environment. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 21.a. and 21.g.(1). NIST Special Publication 800-53 (SP 800-53), Rev 4, Control: MP-1, MP-3, & AC-16. DoD Manual 5200.01, Volume 1, 24 February 2012, SUBJECT: DoD Information Security Program: Overview, Classification, and Declassification; Enclosure 2, paragraph 9. DoD Manual 5200.01, Volume 2, 24 February 2012, SUBJECT: DoD Information Security Program: Marking of Classified Information; paragraph 5. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 4, Section 2, and Chapter 8, Section 3, paragraphs 8-301.d. and 8-302.g.(1)
Checks: C-49254r770129_chk

Check to ensure the local site/enclave security manager has developed written procedures on proper marking of classified documents/media/equipment. These procedures should primarily involve guidance for employees concerning what to mark, how to mark items, where classified labels, stamps and other marking tools and supplies are located, etc. Reference to DoD or component marking guides should be in the local procedures with information on how/where to obtain copies. TACTICAL ENVIRONMENT: This check is applicable in a tactical environment if classified documents or media are created/extracted from the SIPRNet. The only exception will be for urgent (short-term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used. All deployed SIPRNet equipment should already contain applicable classification markings/labels.

Fix: F-49209r770130_fix

Ensure the local site/enclave security manager has developed written procedures on proper marking of classified documents/media/equipment. These procedures should primarily involve guidance for employees concerning what to mark, how to mark items, where classified labels, stamps and other marking tools and supplies are located, etc. Reference to DoD or component marking guides should be in the local procedures with information on how/where to obtain copies.

Classified Working Papers are properly marked, destroyed when no longer needed, or treated as a finished document after 180 days.
Low - V-245824 - SV-245824r822881_rule
RMF Control
Severity
Low
CCI
Version
IS-04.03.01
Vuln IDs
  • V-245824
  • V-31976
Rule IDs
  • SV-245824r822881_rule
  • SV-42275r3_rule
Failure to properly mark or handle classified documents can lead to the loss or compromise of classified or sensitive information. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.24 Additional requirements, (d) Working papers and (m) Marking of electronic storage media. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure A, paragraph 6.a. and Enclosure C, paragraph 21.h.(7). NIST Special Publication 800-53 (SP 800-53), Rev 4, Control: MP-3 & PE-5(3). DoD Manual 5200.01, Volume 2, 24 February 2012, SUBJECT: DoD Information Security Program: Marking of Classified Information; Enclosure 3, paragraph 13 and figure 11. DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information; Enclosure 2, paragraph 13. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 4, Section 2, paragraph 4-214 and Chapter 5, Section 2, paragraph 5-203.b.
Checks: C-49255r770132_chk

Check any Working Papers, documents and/or Computer Media (CD, tape, flash drive, etc.) for compliance with the following guidance:

Working papers are documents and material (includes computer media) accumulated or created in the preparation of finished documents and material. Working papers are marked in the same manner as a finished document at the same classification level when released by the originator outside the originating activity, retained more than 180 days from date of origin (30 days for SAPs), or filed permanently.

Working papers containing classified information shall be:
- Dated when created
- Marked Top and Bottom with the highest classification of any information contained in the document
- Annotated "WORKING PAPER"

If any Automated Information System (AIS) hard drives or media are found to contain working papers or documents, the automated documents must be marked and handled in the same manner as hard copy documents. If an entire AIS media storage device (tapes, diskettes, flash drives, CDs, DVDs, etc.) contains classified documents or data that are being treated as working documents, then each individual working document on the media should be marked and handled as detailed above AND the media itself should be marked with the highest classification level, dated and marked "Working Documents".

TACTICAL ENVIRONMENT APPLICABILITY: If classified working documents are found in a tactical environment they should be marked and handled according to the aforementioned guidance.

Fix: F-49210r770133_fix

Ensure that all Working Papers, documents and/or computer media comply with the following guidance:

Working papers are documents and material accumulated or created in the preparation of finished documents and material. Working papers are marked in the same manner as a finished document at the same classification level when released by the originator outside the originating activity, retained more than 180 days from date of origin (30 days for SAPs), or filed permanently.

Working papers containing classified information shall be:
- Dated when created
- Marked Top and Bottom with the highest classification of any information contained in the document
- Annotated "WORKING PAPER"

If any Automated Information System (AIS) hard drives or media are found to contain working papers or documents, the automated documents must be marked and handled in the same manner as hard copy documents. If an entire AIS media storage device (tapes, diskettes, flash drives, CDs, DVDs, etc.) contains classified documents or data that are being treated as working documents, then each individual working document on the media should be marked and handled as detailed above AND the media itself should be marked with the highest classification level, dated and marked "Working Documents".

Storage/Handling of Classified Documents, Media, Equipment - must be under continuous personal protection and control of an authorized (cleared) individual OR guarded or stored in an approved locked security container (safe), vault, secure room, collateral classified open storage area or SCIF.
High - V-245825 - SV-245825r822882_rule
RMF Control
Severity
High
CCI
Version
IS-05.01.01
Vuln IDs
  • V-245825
  • V-31986
Rule IDs
  • SV-245825r822882_rule
  • SV-42285r3_rule
Failure to store classified in an approved container OR to properly protect classified when removed from storage can lead to the loss or compromise of classified or sensitive information. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.41 Responsibilities of holders. and 2001.43 Storage. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 15.b.(1), 21.d., 24.j., and 34.c. NIST Special Publication 800-53 (SP 800-53), Rev 4, Control: MP-4. DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information; Enclosure 2, paragraphs 2 & 8 and Enclosure 3, paragraph 3. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 8, Section 3, paragraphs 8-302.b. and g. Satisfies: Storage/Handling of Classified Documents, Media, Equipment
Checks: C-49256r770135_chk

1. In areas containing SIPRNet assets - Check to ensure that classified documents, information system (IS) equipment and removable media that are not under the direct personal control and observation of an authorized person are guarded or stored in a locked security container (GSA approved safe), vault, secure room, collateral classified open storage area or SCIF with protection equal to or exceeding the highest classification of the material/equipment. (CAT I)

2. Check to ensure that site security personnel develop written procedures for response to incidents of classified materials found not in secure storage or under continuous observation and control of a cleared employee and make the procedures readily available to each employee via electronic means, such as in space on an organizational intranet, shared folders or other means available. (CAT III)

Procedures for response to classified materials discovered that are not in proper storage or under proper control of a cleared person must include the following:
a. Site security personnel, security reviewers/inspectors, employees or anyone making discovery of classified material not in secure storage or under continuous observation and control of a cleared employee immediately take control and properly secure the classified materials not under proper control when not in approved storage. Second, they must report the discovery to their supervisory chain and/or site security officials. (CAT III)
b. Site security personnel must initiate a preliminary inquiry if appropriate to determine the cause of the improperly secured material and to determine if any material was lost or compromised (security incident). (CAT III)
c. Site security personnel must conduct remedial training action subsequent to incidents of classified materials found not in secure storage or under continuous observation and control of a cleared employee to remind employees of procedures and requirements to maintain positive control of classified materials removed from approved storage. (CAT III)
d. Site managers/supervisors must discipline employees, as appropriate, who do not comply with requirements to maintain positive control of classified material they have removed from secure storage. (CAT III)

3. Check to ensure that site security personnel conduct initial and annual training to indoctrinate and remind employees of procedures and requirements to maintain positive control of classified materials removed from approved storage and measures to take upon discovery of classified material not in proper storage or under proper control of a cleared person. (CAT II)

Suggested methodology for reviewers: During the review/walk-around be observant for classified materials (documents, media, and equipment) that have been removed from approved storage. Specifically look to determine if employees are maintaining positive control of the material. Unless a properly cleared employee is able to clearly see and control the material, this will be a finding. The employee(s) must be specifically aware the classified material is in their area AND that they are responsible for ensuring it is controlled/protected. Just having cleared employee(s) "in the area" of the classified material or assuming other cleared employees in the area are responsible for the classified material is not sufficient control. An example of a possible finding is when someone working on a classified system departs their work space (cube environment) for lunch or other type of break and does not ask another cleared employee to take control of their classified equipment, documents or media OR does not place the classified hard drive, classified documents and classified media in approved storage.

TACTICAL ENVIRONMENT: This check is applicable in a tactical environment. The only exception will be where there is a lack of permanent storage solutions for urgent (short-term) tactical operations or other contingency situations. Primarily this involves field/mobile environments where fixed facilities and equipment are not yet present or incapable of being used. However, all classified equipment, documents or media not properly stored in a safe, vault or secure room must still be under the continuous observation and control of an appropriately cleared person.

Fix: F-49211r770136_fix

Primary Requirements for Control of Classified Material: Classified documents, information system (IS) equipment and removable media must be:
1. Under the direct personal control and observation of an authorized person, who possesses a security clearance and need-to-know equal to or greater than the classified information or material being controlled. The properly cleared employee(s) must be able to clearly see and control the classified material. The employee(s) must be specifically aware the classified material is in their area AND that they are responsible for ensuring it is protected.
or
2. Guarded by a trained professional security official who possesses a security clearance equal to or greater than the classified information or material being controlled.
or
3. Stored in a locked security container (GSA approved safe), vault, secure room, collateral classified open storage area or SCIF with protection equal to or exceeding the highest classification of the material/equipment.

Secondary Requirements: Actions to enhance protection of classified materials:
1. Site security personnel must conduct initial and annual training to indoctrinate and remind employees of procedures and requirements to maintain positive control of classified materials removed from approved storage.
2. Site security personnel must develop written procedures for protection and storage of classified materials and make the procedures readily available to each employee via electronic means, such as in space on an organizational intranet, shared folders or other means available.
3. Site security personnel must conduct regular checks of their areas of responsibility and constantly be observant to ensure that classified materials (documents, media, and equipment) that have been removed from approved storage are under the continuous personal observation and control of cleared persons.

Tertiary Requirements: Required Actions upon discovery of classified material not in secure storage or under continuous observation and control of a cleared employee:
1. Site security personnel, security reviewers/inspectors, employees or anyone making discovery of classified material not in secure storage or under continuous observation and control of a cleared employee must immediately take control and properly secure any classified materials not under proper control when not in approved storage. Second, they must report the discovery to their supervisory chain and/or site security officials.
2. Site security personnel must initiate a preliminary inquiry if appropriate to determine the cause of the improperly secured material and to determine if any material was lost or compromised (security incident).
3. Site security personnel must develop written procedures for response to incidents of classified materials found not in secure storage or under continuous observation and control of a cleared employee and make the procedures readily available to each employee via electronic means, such as in space on an organizational intranet, shared folders or other means available.
4. Site security personnel must conduct remedial training action subsequent to incidents of classified materials found not in secure storage or under continuous observation and control of a cleared employee to remind employees of procedures and requirements to maintain positive control of classified materials removed from approved storage.
5. Site managers/supervisors must discipline employees, as appropriate, who do not comply with requirements to maintain positive control of classified material they have removed from secure storage.

Non-Disclosure Agreement - Standard Form 312: no person may have access to classified information unless that person has a security clearance in accordance with DODM 5200.02 and has signed a Standard Form (SF) 312, Classified Information Non-Disclosure Agreement (NDA), and access is essential to the accomplishment of a lawful and authorized Government function (i.e., has a need to know).
Low - V-245826 - SV-245826r917347_rule
RMF Control
Severity
Low
CCI
Version
IS-06.03.01
Vuln IDs
  • V-245826
  • V-31987
Rule IDs
  • SV-245826r917347_rule
  • SV-42286r3_rule
Failure to verify clearance and need-to-know and execute a nondisclosure agreement (NDA) before granting access to classified can result in unauthorized personnel having access to classified information. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: Subpart H-Standard Forms, § 2001.80 Prescribed standard forms.(d) Standard Forms. (2) SF 312, Classified Information Nondisclosure Agreement: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 11. NIST Special Publication 800-53 (SP 800-53), Rev 4, Control: PS-3., PS-6. & PS-6.(2). DOD Manual 5200.01, Volume 1, 24 February 2012, SUBJECT: DOD Information Security Program: Overview, Classification, and Declassification, Enclosure 3, paragraph 11.b.(1). DOD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DOD Information Security Program: Protection of Classified Information; Enclosure 2, paragraph 3. DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 3, Section 1, paragraph 3-106. DOD Manual 5200.02, Procedures for the DOD Personnel Security Program (PSP), 3 April 2017, paragraphs 4.10.g.(2)(b), 8.1.b., and 12.1.c. ISSO Notice 2022-01: Digital Signatures of Standard Form (SF) 312 Classified Nondisclosure Agreement dated May 9, 2022
Checks: C-49257r917226_chk

The check is to review a sample of Personnel Security Records (minimum of 10 percent assigned military and civilian employees) to ensure SF 312s have been signed by persons granted access to classified information systems. The now outdated SF 189 or SF 189A, if found, are still valid NDAs. The execution of an NDA should also be annotated in the Defense Information System for Security (DISS). If a paper copy is found but the form is not in DISS OR if it is annotated in DISS and a paper copy is not on hand, this is not a finding. TACTICAL ENVIRONMENT: This check is applicable in a tactical environment. Anyone with access to classified information must have signed an NDA. Paper copies of the signed NDA will likely not be available in a tactical area of operations; however, system access to DISS should be possible if the theater of operations has been well established.

Fix: F-49212r917227_fix

All assigned personnel granted access to classified information must have a signed NDA on record. The execution of an NDA must be annotated in the DISS and a signed hard copy MAY also be available locally. Personnel who transfer from other units or organizations will not necessarily have a signed hard-copy NDA on file locally since they are only required to sign the NDA once, but it MUST be reflected in DISS. If an NDA is not annotated in DISS and a hard copy is not on hand locally, a new SF 312 must be executed and annotated in DISS. For individuals without an SF 312 or other approved NDA form on file (either hard copy or in DISS), immediately remove access to classified information systems (i.e., SIPRNet) pending proper execution of an NDA (SF 312) and annotation in DISS.

Handling of Classified Documents, Media, Equipment - Written Procedures and Training for when classified material/equipment is removed from a security container and/or secure room.
Low - V-245827 - SV-245827r822884_rule
RMF Control
Severity
Low
CCI
Version
IS-07.03.01
Vuln IDs
  • V-245827
  • V-31988
Rule IDs
  • SV-245827r822884_rule
  • SV-42287r3_rule
Failure to develop procedures and to train employees on protection of classified when removed from storage could lead to the loss or compromise of classified or sensitive information due to a lack of employee knowledge of requirements. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: Subpart G-Security Education and Training CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Control: MP-1. DoD Manual 5200.01, Volume 1, 24 February 2012, SUBJECT: DoD Information Security Program: Overview, Classification, and Declassification, Enclosure 2, paragraphs 9. c., d., f., j., & k. and 12.a. DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information; Enclosure 2, paragraphs 14 & 15; Enclosure 5, paragraphs 3.a.(2), 3.c.(2)(a) & (b), 3.d.(4), and 7.a. and Enclosure 7, paragraph 10. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5 and Chapter 8, Section 1, paragraph 8-103.a. Satisfies: Handling of Classified Documents, Media, Equipment - Written Procedures and Training
Checks: C-49258r770141_chk

1. Check that there are written procedures for handling classified material/equipment when removed from a security container and/or secure room. These procedures must thoroughly cover all aspects of protection and storage of classified materials and be made readily available to each employee via electronic means, such as in space on an organizational intranet, shared folders or other means available. (CAT III) 2. Check training logs (initial and annual refresher) to confirm that all employees granted access to classified are briefed on proper handling procedures, e.g., use of cover sheets, maintaining positive control of the material, marking/labeling, access by vendors, determining clearance and need-to-know before release, reproduction, etc. (CAT III) TACTICAL ENVIRONMENT: The check is applicable for fixed tactical classified processing environments. Not applicable to a field/mobile environment.

Fix: F-49213r770142_fix

There must be written procedures for handling classified material/equipment when removed from approved storage (security container and/or secure room, vault, collateral classified open storage area or SCIF). The procedures must be readily available to each employee via electronic means, such as in space on an organizational intranet, shared folders or other means available. Training logs (initial and annual refresher) must reflect that all employees granted access to classified are briefed on proper handling procedures, e.g., use of cover sheets, maintaining positive control of the material, marking/labeling, access by vendors, determining clearance and need-to-know before release, reproduction, etc.

Handling of Classified - Use of Cover Sheets on Documents Removed from Secure Storage
Low - V-245828 - SV-245828r822885_rule
RMF Control
Severity
Low
CCI
Version
IS-07.03.02
Vuln IDs
  • V-245828
  • V-31989
Rule IDs
  • SV-245828r822885_rule
  • SV-42288r3_rule
Failure to protect readable classified information printed from classified systems such as SIPRNet when removed from secure storage can lead to the loss or compromise of classified or sensitive information. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: Subpart H-Standard Forms § 2001.80 Prescribed standard forms. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Control: MP-1 and MP-5. DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information; Enclosure 2, paragraph 8. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, paragraph 4-210.a.
Checks: C-49259r770144_chk

During the review/walk-around be observant for classified documents without cover sheets. Unless an employee is specifically working on the document, a cover sheet must be placed on it to ensure classified information is not inadvertently exposed. If the document without a cover sheet is located in a SCIF, Secret or TS vault or secure room, this should not be written as a finding; however, use of cover sheets is highly recommended as a best security practice for enforcement of need-to-know. If the document without a cover sheet is found in a Secret Controlled Access Area (CAA) or below, this should be made a finding. TACTICAL ENVIRONMENT: The check is applicable for fixed tactical classified processing environments. It is assumed the type of equipment referenced will be in a fixed environment. Not applicable to a field/mobile environment.

Fix: F-49214r770145_fix

Ensure classified handling procedures address the use of cover sheets on classified documents printed from systems such as SIPRNet when the documents are removed from secure storage. Address the use of cover sheets during initial and annual refresher security training. Periodically check areas for use of cover sheets. While not required by regulation, it is good security practice to use document cover sheets in a SCIF, or in a Secret or TS vault or secure room, to prevent inadvertent access to classified information by persons without need-to-know and by uncleared visitors to such classified areas.

Classified Monitors/Displays (Physical Control of Classified Monitors From Unauthorized Viewing)
High - V-245829 - SV-245829r822888_rule
RMF Control
Severity
High
CCI
Version
IS-08.01.01
Vuln IDs
  • V-245829
  • V-31991
Rule IDs
  • SV-245829r822888_rule
  • SV-42290r3_rule
Failure to limit the access of unauthorized personnel to information displayed on classified monitors/displays can result in the loss or compromise of classified information, including NOFORN information. REFERENCES: National Disclosure Policy - 1 (NDP-1) National Security Directive 42, "National Policy for the Security of National Security Telecommunications and Information Systems" DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information. Use guidance on sharing information with REL Partners on SIPRNET at http://www.ssc.smil.mil/ - follow Policy/Guidance&Documentation link and then SIPRNet Information Sharing... DODD 5230.20; Visits, Assignments, and Exchanges of Foreign Nationals CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl A, para 7.b.(1) & (2) and Encl C, para 27.f. and 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-5, PE-18, PS-3(1), PS-6, PS-6(2), MA-5 DoDI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 11. DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), 3 April 2017, Section 6., paragraphs 6.1. and 6.2.b.&c. Originating DoD Manual 5200.01, Volume 1, SUBJECT: DoD Information Security Program: Overview, Classification, and Declassification, Encl 2, para 9.j.(1) and Encl 3, para 5.b., 7.b.(5), 12.e. DoD Manual 5200.01, Volume 2, 24 February 2012, SUBJECT: DoD Information Security Program: Marking of Classified Information; Enclosure 3, paragraph 18.a. DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 2, para 14.a & b.; Encl 3, para 5; Encl 4, para 2.c.; Appendix to Encl 4, para 1.f. and Encl 7. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 8, Section 3, paragraphs 8-302.b.(1), 8-302.e., 8-302.g.(2), Chapter 10, Section 5 and definition of "Escort" on page C-3.
Checks: C-49260r822886_chk

BACKGROUND NOTE: This requirement covers both situations where there is primarily a US classified processing environment (no routine Foreign National (FN) presence) and environments where FN are employed or present. It is arranged first by GUIDELINES FOR SITES WITHOUT A FN PRESENCE, followed by GUIDELINES FOR ENVIRONMENTS WITH FN PRESENCE. Following the discussion of the guidelines and considerations, the specific checks for this requirement are listed, each with its default severity level. Finally, guidance for applicability to tactical environments is provided.

GUIDELINES FOR SITES WITHOUT A FN PRESENCE:

The following physical controls should be used (individually or collectively) as a guide to evaluate compliance and can be recommended for site use; however, any method or combination of methods clearly being used successfully by the site under review may be acceptable.

POSSIBLE SOLUTIONS:
1. The best physical control solution is to locate all US Only classified terminals (open SIPRNet) in areas where only persons with at least a Secret (or higher) security clearance have unescorted access. This type of area is commonly known as a Secret Controlled Access Area (CAA). Placement of classified terminals in more highly controlled spaces, such as Secret or Top Secret (TS) vaults, secure rooms or SCIFs, meets the access control requirements of a Secret or TS CAA in addition to providing superior physical security of the location. Such additional physical security protection may be appropriate depending on organization mission and the need to continually maintain classified information processing equipment within an open storage environment.
2. Regardless of the type of environment in which classified workstations/monitors are located, ensuring that uncleared persons or those without need-to-know do not have easy access or inadvertent visibility to the classified monitor screens can be accomplished by placing (grouping together) the classified workstations in the back of such rooms/areas or behind partitions. This ensures uncleared visitors have limited opportunity to walk by a classified monitor and inadvertently be exposed to classified data.
3. If isolation (grouping in controlled space) of the terminals is not practical, a privacy filter should be placed on each classified (SIPRNet) monitor to prevent ease of observation by any unauthorized individual simply passing by. This is a good idea even if other physical controls of classified workstations are used. Privacy filters are an excellent alternative solution where physical separation or repositioning of monitors in rooms is not possible due to space limitations.
4. Classified monitor screens should not be placed facing doorways or windows through which public or unrestricted viewing of the monitor is possible. If space limitations do not allow for such placement, ensuring that doors are closed or that windows are covered by screens or blinds during classified processing can be used instead, but only if this procedure is part of documented security procedures and security training.
5. Finally, a solution for areas where workstations (cubes) are used is to place doors or the less costly cube screens across the openings for use when classified work is being conducted.

ABSOLUTE REQUIREMENTS: While the "possible solutions" cover a range of suggested compliance possibilities, the following are absolute requirements for which there can be no exception:
1. When uncleared visitors need to enter CAAs, secure rooms, vaults or SCIFs where classified workstations are located, there must be a procedure to ensure their presence is announced before entering. This allows time for screens and classified material to be covered from view.
2. All uncleared visitors must be under continuous escort by a properly cleared employee while within the CAA, secure room, vault or SCIF.

GUIDELINES FOR ENVIRONMENTS WITH FN PRESENCE:

Environments where FN are present (they may even be embedded as US DoD employees) require even more diligence and additional considerations for protection of US Only classified (SIPRNet) terminal screens, workstation screens and monitors. This is because, while sharing of certain specific classified information may be permitted, there is always the possibility that US Only or NOFORN information may also be present within the physical environment or accessible on visible/unprotected workstation screens. Foreign Nationals, even if they are embedded partners in US DoD operations, are not afforded access to any and all US classified information. This erroneous assumption is prevalent in many CC/S/A operation centers where FN liaison and exchange personnel are routinely present. Release of US classified information can only be made to FN partners if it is specifically compliant with National Disclosure Policy, has been determined releasable to the Foreign National's host country, and a Delegation of Disclosure Letter (DDL) has been issued to the specific FN partner to support the release of US classified information or material.

Where FN are present (regardless of their authorized physical and systems access or security clearance), US Only workstations and network equipment must be under strict US control at all times. This process involves a combination of physical control measures AND employee awareness. Reviewers must use a flexible approach with an understanding of the synergistic relationship of physical controls and employee awareness to properly evaluate compliance.

REGULATORY STANDARD FOR ENVIRONMENTS WITH FN PRESENCE: This relationship of physical protective measures with employee awareness gained through procedures and training is based on the following excerpt from CJCSI 6510.01F. In areas where there is the potential for Foreign National access to U.S.-only workstations and network equipment, CC/S/As shall:
1. Maintain strict U.S. control of U.S.-only workstations and network equipment at all times. This includes network equipment such as printers, copiers, and faxes.
2. Group U.S.-only workstations together in a U.S.-controlled workstation space when workstations are located in workspaces physically accessible by foreign nationals (such as combined operations centers).
3. If the grouping of U.S.-only workstations at a site is not operationally possible, the following steps shall be taken:
a. The U.S. command or agency shall authorize an exception at the site, in writing, stating operational reasons for the exception, and maintain the record of exception. NOTE: this exception must be approved by the appropriate CC/S/A level of command, which is normally a 3 or 4 star Flag Officer.
b. Develop, publish, and maintain specific site written procedures on security measures to safeguard U.S.-only classified workstations.
c. Ensure that U.S. personnel are briefed on and enforce security measures.
4. Announce presence. If a foreign national is permitted access to U.S.-controlled workstation space, the individual must be announced, must wear a badge clearly identifying him or her as a foreign national, and must be escorted at all times. In addition, a warning light must be activated if available and screens must be covered or blanked.
5. If the foreign national is permitted to view the screen, U.S. personnel must ensure:
a. Information is releasable in accordance with CC/S/A guidance and consistent with National Disclosure Policy (NDP)-1; DoDD 5230.11; DoDD 5230.20; DoD Manual 5200.01; and CJCSI 5221.01.
b. A check with the organization security office confirms that the foreign national has a security clearance granted by his or her government at a level equal to that of the classified information involved and an official need-to-know.

POSSIBLE SOLUTIONS: The following physical controls should be used (individually or collectively) as a guide to evaluate compliance and can be recommended for site use; however, any method or combination of methods clearly being used successfully by the site under review may be acceptable:
1. The "best physical control solution" is to locate all US Only terminals in areas where the FN do not have easy access or visibility to the monitor screens. This can be accomplished by placing them in the back of rooms/areas or behind partitions. Normally, if US Only SIPRNet PCs are placed in the back of a room or within the secure space, the REL/FN workstations would then be placed near the front of the area to reduce the frequency of FN officers passing by US Only SIPRNet (or other US Only classified) workstations. When FN employees need to enter areas where US Only workstations are located, there should be a procedure to ensure their presence is announced before entering. This allows time for screens and classified material not releasable to FN to be covered from view.
2. If isolation of the terminals is not practical, a privacy filter should be placed on each US Only classified (SIPRNet) monitor to prevent ease of observation by any unauthorized individual. This is a good idea even if physical separation of US Only and REL/FN workstations is used. Privacy filters are the best alternative "physical control solution" where physical separation in rooms is not possible due to space limitations and/or because it would impede interaction between US personnel and FN partners.
3. Another acceptable physical security alternative for areas where workstations (cubes) are used is to place doors or the less costly cube screens across the openings for when classified work (especially on the US Only cubes) is being performed.
4. Finally, in addition to any physical separation, obscuration or other control measures in place (or lack thereof), written local policy/procedures and initial/recurring training are absolutely necessary to ensure that all US personnel are: a. aware of REL/FN officers' presence in common work areas when working on non-releasable applications/sites on the SIPRNet, and b. aware of exactly what classified or sensitive information is not releasable.

ABSOLUTE REQUIREMENTS: While the "possible solutions" cover a range of suggested compliance possibilities, the following are absolute requirements for which there can be no exception:
1. When uncleared visitors need to enter CAAs, secure rooms, vaults or SCIFs where classified workstations are located, there must be a procedure to ensure their presence is announced before entering. This allows time for screens and classified material to be covered from view.
2. All uncleared visitors must be under continuous escort by a properly cleared employee while within the CAA, secure room, vault or SCIF.
3. Announce presence of Foreign Nationals (FN). If a foreign national is permitted access to U.S.-controlled workstation space, the individual must be announced, must wear a badge clearly identifying him or her as a foreign national, and must be escorted at all times. In addition, a warning light must be activated if available and screens must be covered or blanked.
4. If the foreign national is permitted to view a US Only screen, U.S. personnel must ensure: a. Information is releasable in accordance with CC/S/A guidance and is consistent with National Disclosure Policy (NDP)-1; DoDD 5230.11; DoDD 5230.20; DoD Manual 5200.01; and CJCSI 5221.01. b. A check with the organization security office is conducted to ensure the foreign national has a security clearance granted by his or her government at a level equal to that of the classified information involved, that an appropriate DDL is on hand to validate the security clearance and release of US classified information, and that there is an official need-to-know.

CHECKS FOR *BOTH* US ONLY CLASSIFIED (SIPRNet) ENVIRONMENTS WITHOUT FN PRESENCE AND ENVIRONMENTS WITH FN PRESENCE:
1. CHECK all classified monitor locations to ensure that no unauthorized viewing is possible or occurring. This includes viewing by uncleared persons and/or those without need-to-know. It also includes REL partners or other FN who may have been granted liberal physical access to areas where US Only classified is processed. This check is the primary action for reviewers under this requirement. (CAT I)
2. CHECK/validate that classified monitors cannot be observed from outside the secure space (e.g., from common hallways or through doors or windows). (CAT I)
3. CHECK access control procedures and observe actual escort procedures. Ensure there is a process (and that it is actually being used) for announcing unauthorized/uncleared personnel in the area, and that uncleared persons and/or those without need-to-know (to include FN) are continuously escorted when they are in the immediate vicinity of US classified workstations and components. (CAT I)

CHECKS *ONLY FOR* CLASSIFIED (SIPRNet) ENVIRONMENTS WITH *FN PRESENCE*:
4. CHECK to ensure there are local written procedures AND adequate documented proof of training (annually at minimum) covering rules for interaction between US and FN employees. All US and FN employees must be equally aware of the rules and procedures. BOTH must be provided with applicable written guidance and training in this area. (CAT II)
5. CHECK that U.S.-only workstations are "grouped" together in a U.S.-controlled workstation space when workstations are located in workspaces physically accessible by foreign nationals (such as combined operations centers). (CAT II)
6. CHECK that, if the grouping of U.S.-only workstations at a site is not operationally possible, the following steps have been taken:
a. The U.S. command or agency has authorized an exception at the site, in writing, stating operational reasons for the exception, and maintains the record of exception. This exception must be approved by the appropriate CC/S/A level of command, which is normally a 3 or 4 star Flag Officer level. (CAT II)
b. Site-specific written procedures on security measures to safeguard U.S.-only classified workstations have been developed, published and maintained (in conjunction with the written procedures required for CHECK #4). (CAT II)
c. U.S. personnel are briefed, trained (annually at minimum) and enforce security measures (in conjunction with the training required for CHECK #4). (CAT II)
NOTE: CHECK #6 is an allowable alternative to CHECK #5 and one or the other must be conducted.
7. CHECK that if a foreign national is permitted to view a US Only screen, U.S. personnel have ensured:
a. Information is releasable in accordance with CC/S/A guidance and is consistent with National Disclosure Policy (NDP)-1; DoDD 5230.11; DoDD 5230.20; DoD Manual 5200.01; and CJCSI 5221.01. (CAT I)
b. The organization Foreign Disclosure Officer, Foreign Contact Officer, or Security Manager was consulted to ensure the foreign national has a security clearance granted by his or her government at a level equal to that of the classified information involved, that a Delegation of Disclosure Letter (DDL) has been issued to the specific FN partner to support the release of US classified information or material, and that there is an official need-to-know. (CAT I)

TACTICAL ENVIRONMENT:
1. This check is applicable for all classified processing environments, including a field/mobile environment. Commanders in such environments may use whatever means available or feasible to control unauthorized physical access to classified monitors.
2. This check is applicable where REL Partners or other FN allies are employed within fixed facilities located in a theater of operations (tactical environment) with physical access to US classified or sensitive systems.
3. Wherever classified systems with screens/monitors are used, uncleared persons must always be escorted when permitted in the physical processing environment.

Fix: F-49215r822887_fix

REQUIREMENTS FOR BOTH US ONLY CLASSIFIED (SIPRNet) ENVIRONMENTS WITHOUT FN PRESENCE AND ENVIRONMENTS WITH FN PRESENCE:
1. All classified information system processing locations must have physical and procedural controls to ensure that no unauthorized viewing of monitor screens is possible or occurring. This includes viewing by uncleared persons and/or those without need-to-know. It also includes REL partners or other FN who may have been granted liberal physical access to areas where US Only classified is processed. This is the primary purpose of this STIG rule.
2. Classified monitor screens must not be visible or capable of being observed from outside the secure space (e.g., from common hallways or through doors or windows).
3. There must be a visitor/escort control procedure in place, and actually in use, for announcing unauthorized/uncleared personnel in the area, and uncleared persons and/or those without need-to-know (to include FN) must be continuously escorted when they are in the immediate vicinity of US classified workstations and components.

REQUIREMENTS ONLY FOR CLASSIFIED (SIPRNet) ENVIRONMENTS WITH FN PRESENCE:
4. There must be local written procedures AND adequate documented proof of training (annually at minimum) covering rules for interaction between US and FN employees. All US and FN employees must be equally aware of the rules and procedures. BOTH must be provided with applicable written guidance and training in this area.
5. U.S.-only workstations must be "grouped" together in a U.S.-controlled workstation space when workstations are located in workspaces physically accessible by foreign nationals (such as combined operations centers).
6. If the grouping of U.S.-only workstations at a site is not operationally possible, the following steps must be taken:
a. The U.S. command or agency must authorize an exception at the site, in writing, stating operational reasons for the exception, and maintain the record of exception. This exception must be approved by the appropriate CC/S/A level of command, which is normally a 3 or 4 star Flag Officer level.
b. Develop, publish, and maintain site-specific written procedures on security measures to safeguard U.S.-only classified workstations (in conjunction with the written procedures under requirement #4).
c. U.S. personnel must be briefed, trained (annually at minimum) and enforce security measures (in conjunction with the training under requirement #4).
NOTE: Requirement #6 is an allowable alternative to requirement #5 and one or the other must be met.
7. If a foreign national is permitted to view a US Only screen, U.S. personnel must first ensure:
a. Information is releasable in accordance with CC/S/A guidance and is consistent with National Disclosure Policy (NDP)-1; DoDD 5230.11; DoDD 5230.20; DoD Manual 5200.01; and CJCSI 5221.01.
b. The organization Foreign Disclosure Officer, Foreign Contact Officer, or Security Manager has been consulted to ensure the foreign national has a security clearance granted by his or her government at a level equal to that of the classified information involved, that a Delegation of Disclosure Letter (DDL) has been issued to the specific FN partner to support the release of US classified information or material, and that there is an official need-to-know.

Monitor Screens - Disable Access by CAC or Token Removal, or Lock Computer via Ctrl/Alt/Del
High - V-245830 - SV-245830r822889_rule
RMF Control
Severity
High
CCI
Version
IS-08.01.02
Vuln IDs
  • V-245830
  • V-31993
Rule IDs
  • SV-245830r822889_rule
  • SV-42292r3_rule
The DoD Common Access Card (CAC), a "smart" card, is the standard identification for active-duty military personnel, Selected Reserve, DoD civilian employees, and eligible contractor personnel. It is also the principal card used to enable physical access to buildings and controlled spaces, and it provides access to defense computer networks and systems. The card, which is the property of the U.S. Government, is required to be in the personal custody of the member at all times. System access tokens are also used on the SIPRNet; the token together with a Personal Identification Number (PIN) can be used to access classified information on the SIPRNet in lieu of a logon ID and password. CACs and SIPRNet tokens are very important components for providing both physical and logical access control to DISN assets and must therefore be strictly controlled.

Physically co-locating REL Partners or other FN (who have limited access to the SIPRNet or other US classified systems) near US personnel in a collateral classified (Secret or higher) open storage area, or in a Secret or higher Controlled Access Area (CAA) that processes classified material, is permissible for operational efficiency and coordination. Limiting access to information systems is especially important in such mixed US/FN environments, and particularly so for US Only classified terminals when they are not personally and physically attended by US personnel. Failure to properly disable workstations and monitor screens when unattended can give FN personnel unauthorized access to classified information, which can result in the loss or compromise of classified information, including NOFORN information. Appropriate but simple physical and procedural security measures must be put in place to ensure that unauthorized persons, including FN partners, do not have access to information not approved for release to them. Control of CACs and SIPRNet tokens and locking of computer workstations when unattended is an important aspect of proper procedural security measure implementation.

REFERENCES: National Disclosure Policy - 1 (NDP-1) National Security Directive 42, "National Policy for the Security of National Security Telecommunications and Information Systems" DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information. Use guidance on sharing information with REL Partners on SIPRNET at http://www.ssc.smil.mil/ - follow Policy/Guidance&Documentation link and then SIPRNet Information Sharing... Homeland Security Presidential Directive-12 (HSPD-12), "Policy for a Common Identification Standard for Federal Employees and Contractors," 27 August 2004 DoD Manual 1000.13, Volume 1, SUBJECT: DoD Identification (ID) Cards: ID Card Life-Cycle, January 23, 2014 DoD Manual 1000.13, Volume 2, SUBJECT: DoD Identification (ID) Cards: Benefits for Members of the Uniformed Services, Their Dependents, and Other Eligible Individuals, January 23, 2014 UNDER SECRETARY OF DEFENSE (Intelligence), Directive-Type Memorandum (DTM) 09-012, "Interim Policy Guidance for DoD Physical Access Control", December 8, 2009, Incorporating Change 6, Effective November 20, 2015 DoDI 1000.13, SUBJECT: Identification (ID) Cards for Members of the Uniformed Services, Their Dependents, and Other Eligible Individuals, January 23, 2014 DoDI 8520.02, SUBJECT: Public Key Infrastructure (PKI) and Public Key (PK) Enabling, May 24, 2011 DODD 5230.20; Visits, Assignments, and Exchanges of Foreign Nationals CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 26.d., 27.d.(e) and 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: IA-2, IA-4, PL-4, PS-6, PS-8, AC-3, AC-11, SC-28 DoDI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 8. DoD Manual 5200.01, Volume 1, SUBJECT: DoD Information Security Program: Overview, Classification, and Declassification, Encl 2, para 9.j.(1) and Encl 3, para 5.b., 7.b.(5), 12.e. DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 3, para 5; Encl 4, para 2.c.; Appendix to Encl 4, para 1.f. and Encl 7. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 8, paragraph 8-103. Satisfies: Monitor Screens - Disable Access by CAC or Token Removal, or Lock Computer via Ctrl/Alt/Del
Checks: C-49261r770150_chk

Check to ensure:
1. SIPRNet servers and/or workstation hard drives/monitors/keyboards are disabled (locked) by CAC or token removal, or, where CACs or tokens are not used, the computer is locked via Ctrl/Alt/Del, whenever not personally and physically attended by properly vetted and cleared US personnel. (CAT I)
2. NIPRNet servers and/or workstation hard drives/monitors/keyboards used by system administrators with privileged access are disabled (locked) by CAC or token removal, or, where CACs or tokens are not used, the computer is locked via Ctrl/Alt/Del, whenever not personally and physically attended by properly vetted US personnel. (CAT I)
3. NIPRNet workstation hard drives/monitors/keyboards used by general users or individuals without privileged system access are disabled (locked) by CAC or token removal, or, where CACs or tokens are not used, the computer is locked via Ctrl/Alt/Del, whenever not personally and physically attended by properly vetted US personnel. (CAT II)
4. CACs and other tokens are not left unattended and are in the physical custody of the person to whom they were issued. (CAT II)

TACTICAL ENVIRONMENT: This check is applicable to all environments (including a field/mobile tactical environment) where information system assets are connected to the DISN.
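The checks above are observational (the reviewer watches whether unattended workstations are actually locked). On a Windows workstation the behaviour that makes check 1 through 3 hold automatically is the "Interactive logon: Smart card removal behavior" policy, which is stored in the Winlogon registry key and is only enforced while the Smart Card Removal Policy service is running. The following PowerShell script is an added example for a reviewer or ISSM to confirm that configuration on the host being inspected; it is not part of the STIG. Assumptions: a Windows 10/11 or Windows Server host, an elevated PowerShell session on that host, and the 900-second inactivity ceiling, which this page does not specify and which is used here only as a reasonable threshold for the Ctrl/Alt/Del fallback case.

```powershell
# Added example (not STIG text): verify that a Windows host locks on CAC/token removal
# and has an inactivity lock as a backstop. Assumes Windows 10/11 or Server and an
# elevated session on the host under review.

$findings = @()

# 1. Interactive logon: Smart card removal behavior.
#    ScRemoveOption (REG_SZ): 0 = No action, 1 = Lock Workstation, 2 = Force Logoff,
#    3 = Disconnect if a Remote Desktop Services session.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$scRemove = (Get-ItemProperty -Path $winlogon -Name ScRemoveOption `
             -ErrorAction SilentlyContinue).ScRemoveOption
if ($scRemove -notin @('1', '2')) {
    $findings += "ScRemoveOption is '$scRemove' (expected 1 = Lock Workstation or 2 = Force Logoff)"
}

# 2. The removal policy is enforced by the Smart Card Removal Policy service (SCPolicySvc).
#    If the service is stopped or disabled, pulling the card does nothing.
$svc = Get-Service -Name SCPolicySvc -ErrorAction SilentlyContinue
if ($null -eq $svc -or $svc.Status -ne 'Running' -or $svc.StartType -eq 'Disabled') {
    $findings += "Smart Card Removal Policy service (SCPolicySvc) is not running or is disabled"
}

# 3. Interactive logon: Machine inactivity limit (seconds). Covers the case where a user
#    walks away without pulling the card or pressing Ctrl/Alt/Del. 0 or absent = no lock.
#    The 900-second ceiling is an assumption for this example, not a value from this page.
$sysPol  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$timeout = (Get-ItemProperty -Path $sysPol -Name InactivityTimeoutSecs `
            -ErrorAction SilentlyContinue).InactivityTimeoutSecs
if (-not $timeout -or $timeout -gt 900) {
    $findings += "InactivityTimeoutSecs is '$timeout' (expected 1-900)"
}

if ($findings.Count -eq 0) {
    Write-Output "PASS: host locks on smart card removal and on inactivity"
} else {
    Write-Output "FINDING(S):"
    $findings | ForEach-Object { Write-Output "  - $_" }
    exit 1
}
```

A passing result here only shows the host is configured to lock; the reviewer still has to observe that users remove their CAC or token when they step away, and that tokens are not left in readers (check 4), since no registry setting can enforce custody of the card.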

Fix: F-49216r770151_fix

1. SIPRNet servers and/or workstation hard drives/monitors/keyboards must be disabled (locked) by CAC or token removal, or, where CACs or tokens are not used, the computer must be locked via Ctrl/Alt/Del, whenever not personally and physically attended by properly vetted and cleared US personnel.
2. NIPRNet servers and/or workstation hard drives/monitors/keyboards must be disabled (locked) by CAC or token removal, or, where CACs or tokens are not used, the computer must be locked via Ctrl/Alt/Del, whenever not personally and physically attended by properly vetted US personnel.
3. CACs and other tokens must not be left unattended and must be in the physical custody of the person to whom they were issued.

Classified Monitors/Displays (Procedures for Obscuration of Classified Monitors) - protection from uncleared persons or those without a need-to-know.
Low - V-245831 - SV-245831r822890_rule
RMF Control
Severity
Low
CCI
Version
IS-08.03.01
Vuln IDs
  • V-245831
  • V-31992
Rule IDs
  • SV-245831r822890_rule
  • SV-42291r3_rule
Failure to develop procedures and training for employees to cover responsibilities and methods for limiting the access of unauthorized personnel to classified information reflected on information system monitors and displays can result in the loss or compromise of classified information. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-1, PS-1, PE-5, PS-3(1) & (2) and PS-6(2). DoDI 8500.01, SUBJECT: Cybersecurity, March 14, 2014 , Enclosure 3, paragraph 7. DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information, Enclosure 2 paragraph 14.a. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 3, paragraph 3-107.f.
Checks: C-49262r770153_chk

Check to ensure there are written procedures for employees to follow to keep classified monitors from being viewed by unauthorized persons. Procedures should include when to cover or turn off classified monitors (for example, when visitors are announced), the importance of maintaining monitor positioning for privacy, and pulling window shades, blinds, etc. Procedures must be tailored to the physical environment and mission operations of the organization.

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments. Not applicable to a field/mobile environment.

Fix: F-49217r770154_fix

Ensure there are written procedures for employees to follow to keep classified monitors from being viewed by unauthorized persons. Procedures should include when to cover or turn off classified monitors (for example, when visitors are announced), the importance of maintaining monitor positioning for privacy, and pulling window shades, blinds, etc. Procedures must be tailored to the physical environment and mission operations of the organization.

End-of-Day Checks - Organizations that process or store classified information must establish a system of security checks at the close of each duty and/or business day to ensure that any area where classified information is used or stored is secure. SF 701, Activity Security Checklist, shall be used to record such checks.
Medium - V-245832 - SV-245832r822892_rule
RMF Control
Severity
Medium
CCI
Version
IS-09.02.01
Vuln IDs
  • V-245832
  • V-31994
Rule IDs
  • SV-245832r822892_rule
  • SV-42293r3_rule
Failure to have written guidance for end-of-day (EOD) checks could lead to such checks not being properly conducted. If EOD checks are not properly conducted, the loss or improper storage of classified material might not be promptly discovered. This lengthens the time a security deficiency persists before corrective action is taken, and makes it harder to establish the facts of the resulting security incident, assign responsibility and take remedial action. Ultimately, the failure to perform consistent EOD checks can lead to the loss or compromise of classified or sensitive information. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-1, PE-3(2), MP-4 DoDI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 7. DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information, Enclosure 2, paragraph 9. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, paragraph 5-102.
Checks: C-49263r822891_chk

Organizations that process or store classified information must establish a system of security checks at the close of each duty and/or business day to ensure that any area where classified information is used or stored is secure. SF 701, "Activity Security Checklist," shall be used to record such checks. An integral part of the security check system shall be the securing of all vaults, secure rooms, and containers used for storing classified material. SF 702, "Security Container Check Sheet," shall be used to record each opening, closing, and verification check of these storage mediums. Area verification checks will be recorded on the SF 701 upon completion of end-of-day checks.

Recommended end-of-day checks, which should be included on the SF 701, are:
a. Activation of Intrusion Detection System (IDS) alarm sensors where applicable.
b. All classified material has been properly stored.
c. Removal of CAC cards and SIPRNet tokens from workstations.
d. All windows, doors or other openings are properly secured.
e. Verification of lock box closure for SIPRNet wall jacks and PDS lines, where applicable.
f. Additional checks such as turning off coffee pots and lights, powering off printers/MFDs, securing STE keys, etc. can be identified and accomplished as part of the check.
g. The SF 701, Activity Security Checklist, shall be used to record these checks, to include after-hours, weekend and holiday activities.

Results of end-of-day checks (SF 701 forms) should be retained for at least 30 days after completion of the monthly form (or otherwise as required by Component records management schedules) to ensure availability for audits and resolution of subsequent discovery of security incidents or discrepancies.

TACTICAL ENVIRONMENT: This check is applicable in a fixed operational facility in a tactical environment if classified equipment is used or documents or media are created/extracted from the SIPRNet. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-49218r770157_fix

Ensure that areas where classified information is processed or stored have an established system of security checks implemented at the close of each duty and/or business day to ensure that any area where classified information is used or stored is secure. SF 701, "Activity Security Checklist," must be used to record these checks. In addition to the SF 701, the responsible site or organization should have a written procedure to outline the end-of-day check process and to guide checkers in their duties. For instance, the procedure should include instructions on how to handle any classified information that is found outside of proper storage. An integral part of the security check system must incorporate the securing of all vaults, secure rooms, and containers used for storing classified material. SF 702, "Security Container Check Sheet," must be used to record each opening, closing, and verification check of these storage mediums. Area verification checks will be recorded on the SF 701 upon completion of end-of-day checks.

Following are recommended end-of-day checks, which should be included on the SF 701, but ultimately the checks must be tailored to fit the physical configuration and mission of the site:
a. Activation of Intrusion Detection System (IDS) alarm sensors where applicable.
b. All classified material has been properly stored.
c. Removal of CAC cards and SIPRNet tokens from workstations.
d. All windows, doors or other openings are properly secured.
e. Verification of lock box closure for SIPRNet wall jacks and PDS lines, where applicable.
f. Additional checks such as turning off coffee pots and lights, powering off printers/MFDs, securing STE keys, etc. can be identified and accomplished as part of the check.
g. The SF 701, Activity Security Checklist, shall be used to record these checks, to include after-hours, weekend and holiday activities.

Results of end-of-day checks (SF 701 forms) should be retained for at least 30 days (or otherwise as required by Component records management schedules) after completion of the monthly form to ensure availability for audits and resolution of subsequent discovery of security incidents or discrepancies.

While 24/7 operational areas storing classified materials do not necessarily require end-of-day (EOD) checks, it is highly recommended that a system of checks (similar to EOD checks) be instituted upon each change of shift. Such checks, jointly conducted by incoming and outgoing supervisors, can be used to verify the integrity of safes and classified equipment/materials under their control and can be used to narrow the window of time for a preliminary inquiry should a security incident occur.

Classified Reproduction - SIPRNet Connected Classified Multi-Functional Devices (MFD) located in Space Not Approved for Collateral Classified Open Storage.
High - V-245833 - SV-245833r822893_rule
RMF Control
Severity
High
CCI
Version
IS-10.01.01
Vuln IDs
  • V-245833
  • V-32008
Rule IDs
  • SV-245833r822893_rule
  • SV-42324r3_rule
Classified Multi-Functional Devices (MFD) include printers, copiers, scanners and facsimile capabilities and contain hard drives that retain classified data or images. Failure to locate these devices in spaces approved for classified open storage could enable uncleared persons to access classified information, either from unsanitized hard drives or from printed/copied material that is left unattended on the machine for any period of time.

REFERENCES:
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34.
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-1, MP-4, PE-1, PE-5.
DoDI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 7.
DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Enclosure 2 paragraph 14.&15., Enclosure 3 and Enclosure 7, paragraph 6.
DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, paragraphs 8-202.e. & 8-302.b.
NIST Special Publication 800-88, Revision 1, Guidelines for Media Sanitization, December 2014
NSA/CSS Policy Manual 9-12, 15 December 2014, Subject: NSA/CSS Storage Device Sanitization Manual
Checks: C-49264r770159_chk

This set of checks covers multi-functional devices (MFD) (connected to the SIPRNet) that are used for printing, copying or other reproduction of classified DOCUMENTS.

Checks:

1. Unless the MFD can be properly purged and sanitized (made unclassified) of all classified data or images after each use for classified, it must be housed in an area approved for open storage of classified material. Most current copiers, printers, scanners and facsimile machines or multi-functional devices (MFD) contain hard drives that collect and store images and data. Therefore check to ensure that such machines are maintained in space approved for open storage of classified (secret or higher for SIPRNet). NOTE that to be properly sanitized means that the MFD can be treated as an unclassified piece of equipment once a successful purge of data or images is completed. (CAT I)

2. If not maintained within a secret or higher collateral classified open storage area: Check that MFD (or individual copiers, scanners, printers or facsimile machines) do not have hard drives containing non-volatile memory in the device and that the volatile memory is purged/sanitized of all classified data or images after each use. Additionally check that these MFD are maintained in space where access is controlled to at least the level of the classified material authorized to be copied on the machine. This type of area is referred to as a Controlled Access Area (CAA) - at least a secret CAA or TS CAA for SIPRNet connections. ONLY those MFD with entirely volatile memory can be sanitized and reused upon removal of power from the device. Check to ensure that powering down the machine is a part of the MFD sanitization procedure to ensure that volatile memory is totally erased and sanitized so that it can be considered to be an unclassified device. Documented procedures must be on hand for this process. NOTE: Sanitizing an MFD means it can be considered and treated as an unclassified device. Hard drives with non-volatile memory cannot be sanitized by current overwriting/clearing procedures and must be destroyed (degaussing and/or physical destruction) to be considered sanitized/unclassified. Hence MFD with non-volatile memory cannot be sanitized for reuse. Only MFD with volatile memory can be sanitized for reuse. Only if ALL of the sub-checks listed under check 2 are compliant is it a CAT II finding. Otherwise, if ANY of the sub-checks are not compliant, it remains a CAT I finding. (CAT II)

3. If not maintained within a secret or higher collateral classified open storage area and hard drives with non-volatile memory are present: Check to ensure MFD (or individual copiers, scanners, printers or facsimile machines) are located in a secret or higher CAA and the hard drive is promptly removed after each use and stored in a GSA approved safe. Check to ensure that powering down the machine is a required part of this procedure to ensure that volatile memory is totally erased and sanitized so that it can be considered to be an unclassified device. Check that documented procedures are on hand to support this process. Only if ALL of the sub-checks listed under check 3 are compliant is it a CAT II finding. Otherwise, if ANY of the sub-checks are not compliant, it remains a CAT I finding. (CAT II)

EXPLANATION for CAT II FINDINGS: Despite the mitigations in checks 2 and 3 above, there is still a concern that the mitigation procedure will not be accomplished promptly or successfully each time, and there is a risk for printed or copied classified documents to be left unattended for periods of time in the networked MFD machines, especially when printed from a remote workstation location. Therefore, since a potential vulnerability still exists, it is still considered a CAT II finding.

TACTICAL ENVIRONMENT: This check is applicable in a fixed operational facility in a tactical environment if classified equipment is used or documents or media are created/extracted from the SIPRNet. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-49219r770160_fix

This Potential Vulnerability covers multi-functional devices (MFD) (connected to the SIPRNet) that are used for printing, copying or other reproduction of classified DOCUMENTS.

1. Unless the MFD can be properly purged of all classified data or images after each use for classified, it must be housed in an area approved for open storage of classified material. Most current copiers, printers, scanners and facsimile machines or multi-functional devices (MFD) contain hard drives that collect and store images and data. Therefore these machines must be maintained in space approved for open storage of classified (secret or higher for SIPRNet). NOTE: Clearing of hard drives (such as by overwriting) is not adequate to sanitize a classified hard drive (magnetic or solid state) so that it can be deemed unclassified and left unattended in an area not approved for classified open storage. This is regardless of the number of times the drive is overwritten. A hard drive (magnetic or solid state) can only be sanitized (made unclassified) by degaussing and/or physical destruction, thereby rendering the drive no longer usable.

2. If not maintained within a secret or higher collateral classified open storage area and hard drives (non-volatile memory) ARE NOT present: MFD (or individual copiers, scanners, printers or facsimile machines) must be properly purged (AKA: sanitized) of classified data or images after each period of reproducing classified and be maintained in space where access is controlled to at least the level of the classified material authorized to be copied on the machine. This type of area is referred to as a Controlled Access Area (CAA) - at least a secret CAA or TS CAA for SIPRNet connections. Sanitizing an MFD means it can be considered and treated as an unclassified device. NOTE: Hard drives with non-volatile memory cannot be sanitized by current overwriting/clearing procedures and must be destroyed to be considered sanitized/unclassified. Hence MFD with non-volatile memory cannot be sanitized for reuse. Only those MFD with entirely volatile memory can be sanitized and reused with removal of power from the device. It is important to note that powering down the machine will be a necessary part of this procedure to ensure that volatile memory is totally erased and sanitized so that it can be considered to be an unclassified device. Documented procedures must be on hand for this process.

3. If not maintained within a secret or higher collateral classified open storage area and hard drives (non-volatile memory) ARE present: MFD (or individual copiers, scanners, printers or facsimile machines) with hard drives (non-volatile memory) must be located and operated in a secret or higher CAA, and the hard drive must be promptly removed after each use (or otherwise when unattended by cleared employees) and stored in a GSA approved safe. It is important to note that powering down the machine will still be a necessary part of this procedure to ensure that volatile memory is totally erased and sanitized so that it can be considered to be an unclassified device. There must be documented procedures on hand for this process.

NOTE: Despite the mitigations in 2 and 3 above, there is still a concern that the procedure will not be accomplished promptly or successfully each time and that the risk for printed or copied classified documents to be left unattended for periods of time in the MFD machines still exists. Therefore a vulnerability still exists and must be considered as a potential finding.

Classified Reproduction - Following guidance for System to Media Transfer of Data from systems connected specifically to the SIPRNet In-Accordance-With (IAW) US CYBERCOM CTO 10-133A.
Medium - V-245834 - SV-245834r917348_rule
RMF Control
Severity
Medium
CCI
Version
IS-10.02.01
Vuln IDs
  • V-245834
  • V-31996
Rule IDs
  • SV-245834r917348_rule
  • SV-42295r3_rule
Failure to follow guidance for disabling removable media drives on devices connected to the SIPRNet or, if approved by the local AO, failure to follow US CYBERCOM procedures for using removable media on SIPRNet could result in the loss or compromise of classified information.

REFERENCES:
USCYBERCOM Communications Tasking Order (CTO) 10-133
CTO 10-004A; CTO 09-002; CTO 10-084A & CTO 10-133A
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure A, paragraph 6 and Enclosure C, paragraph 21.h.
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-2, MP-4, SI-12.
DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 7.
DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information: Enclosure 2 paragraph 15., Enclosure 3 and Enclosure 7.
DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 8.
NIST Special Publication 800-88, Revision 1, Guidelines for Media Sanitization, December 2014
NSA/CSS Policy Manual 9-12, 15 December 2014, Subject: NSA/CSS Storage Device Sanitization Manual
CNSSP 26, National Policy on Reducing the Risk of Removable Media
Checks: C-49265r917229_chk

General guidance: Paper copies, electronic files, and other material containing classified information shall be reproduced only when necessary for accomplishing the organization's mission or for complying with applicable statutes or Directives. Personnel reproducing classified information must be knowledgeable of the procedures for classified reproduction and aware of the risks involved with the specific reproduction equipment and media being used and the appropriate countermeasures they are required to take. Reproduced material is to be placed under the same accountability and control requirements as applied to the original material. Classified material is to be reproduced only on approved and, when applicable, properly accredited systems.

This check concerns ONLY reproduction and/or transfer of classified data using all forms of removable media on SIPRNet connected devices or systems. Check to ensure that US CYBERCOM Communications Tasking Order (CTO) 10-133A is being complied with as follows:
1. Ensure that the write capability for all possible removable media is disabled as a default setting on all SIPRNet connected machines.
2. Ensure that write settings are only allowed when specifically approved by using the HBSS Device Control Module (DCM).
3. Ensure the system AO has specifically approved all persons authorized to transfer data from SIPRNet connected system components.
4. Ensure the ISSM maintains a list of all persons authorized by the AO to transfer data from the SIPRNet.
5. Ensure there are written procedures approved by the AO for use of removable media on SIPRNet.

NOTE: Coordination with Technical Reviewers may be required to determine all of the information outlined above.

TACTICAL ENVIRONMENT: This check is applicable in a fixed operational facility in a tactical environment if classified equipment is used or documents or media are created/extracted from the SIPRNet. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-49220r917230_fix

General guidance to consider: Paper copies, electronic files, and other material containing classified information shall be reproduced only when necessary for accomplishing the organization's mission or for complying with applicable statutes or Directives. Personnel reproducing classified information must be knowledgeable of the procedures for classified reproduction and aware of the risks involved with the specific reproduction equipment and media being used and the appropriate countermeasures they are required to take. Reproduced material is to be placed under the same accountability and control requirements as applied to the original material. Classified material is to be reproduced only on approved and, when applicable, properly accredited systems.

This check concerns ONLY reproduction and/or transfer of classified data using all forms of removable media on SIPRNet connected devices or systems. Ensure that US CYBERCOM Communications Tasking Order (CTO) 10-133A is being complied with as follows:
1. Ensure that the write capability for all possible removable media is disabled as a default setting on all SIPRNet connected machines.
2. Ensure that write settings are only allowed when specifically approved by using the HBSS Device Control Module (DCM).
3. Ensure the system AO has specifically approved all persons authorized to transfer data from SIPRNet connected system components.
4. Ensure the ISSM maintains a list of all persons authorized by the AO to transfer data from the SIPRNet.
5. Ensure there are written procedures approved by the AO for use of removable media on SIPRNet.

Classified Reproduction - Written Procedures for SIPRNet Connected Classified Multi-Functional Devices (MFD) located in Space Not Approved for Collateral Classified Open Storage. NOTE: This vulnerability concerns only PROCEDURES for the reproduction (printing, copying, scanning, faxing) of classified documents on Multi-Functional Devices (MFD) connected to the DoDIN.
Low - V-245835 - SV-245835r822896_rule
RMF Control
Severity
Low
CCI
Version
IS-10.03.01
Vuln IDs
  • V-245835
  • V-31995
Rule IDs
  • SV-245835r822896_rule
  • SV-42294r3_rule
Lack of or improper reproduction procedures for classified material could result in the loss or compromise of classified information.

REFERENCES:
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34.
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-1, MP-4, PE-1, PE-5.
DoDI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 7.
DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Enclosure 2 paragraphs 14.&15.
DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 4, paragraph 4-102, and Chapter 5, Section 6 (Reproduction).
Checks: C-49266r822895_chk

Classified Reproduction - Document Copying using Multi-Functional Device (MFD) machines (i.e., printer, copier, fax, scanner) connected to SIPRNet. This Check concerns ONLY PROCEDURES for the reproduction of classified DOCUMENTS on Multi-Functional Devices (MFD) connected to the DoDIN.

General guidance: Paper copies, electronic files, and other material containing classified information shall be reproduced only when necessary for accomplishing the organization's mission or for complying with applicable statutes or Directives. Personnel reproducing classified information must be knowledgeable of the procedures for classified reproduction and aware of the risks involved with the specific reproduction equipment being used and the appropriate countermeasures they are required to take. Reproduced material is to be placed under the same accountability and control requirements as applied to the original material. Classified material is to be reproduced only on approved and, when applicable, properly accredited systems.

Check to ensure:
Check #1. Procedures for the proper reproduction of classified documents are posted on or near the MFD approved for classified reproduction. This is especially true when the MFD is capable of directly making copies of documents on the machine. The procedures must alert users when the particular MFD is approved for classified reproduction.
Check #2. Other MFD (used as copiers) in the organization that are not approved for classified document reproduction must also be marked to alert users of the prohibition against making classified copies.
Check #3. Procedures posted near the MFD must contain steps for users to take after printing, copying, scanning or faxing classified documents. Steps must include double checking of the MFD for missed pages, counting original and copied pages, purging or clearing of images from the MFD (if applicable), use of cover sheets, and general protection/control guidelines for reproduced documents.

NOTE: Most MFD contain both hard drives (non-volatile memory) and volatile memory and cannot be properly sanitized of classified data or images to make the MFD unclassified. Therefore, most (if not all) classified MFD should be housed and operated within space approved for collateral classified open storage. If not maintained in spaces approved for classified open storage, all MFD with non-volatile memory that are used for classified reproduction must be under the continuous observation and control of a cleared person AT ALL TIMES. A violation of this is a Category 1 Severity level finding and is covered under STIG ID: IS-10.01.01.

TACTICAL ENVIRONMENT: This check is applicable in a fixed operational facility in a tactical environment if classified equipment is used or documents or media are created/extracted from the SIPRNet. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Fix: F-49221r770166_fix

Classified Reproduction - Document Copying using Multi-Functional Device (MFD) machines (i.e., printer, copier, fax, scanner) connected to SIPRNet. This STIG Check concerns ONLY PROCEDURES for the reproduction of classified DOCUMENTS on Multi-Functional Devices (MFD) connected to the DoDIN.

General guidance: Paper copies, electronic files, and other material containing classified information shall be reproduced only when necessary for accomplishing the organization's mission or for complying with applicable statutes or Directives. Personnel reproducing classified information must be knowledgeable of the procedures for classified reproduction and aware of the risks involved with the specific reproduction equipment being used and the appropriate countermeasures they are required to take. Reproduced material is to be placed under the same accountability and control requirements as applied to the original material. Classified material is to be reproduced only on approved and, when applicable, properly accredited systems.

Ensure:
1. Procedures for the proper reproduction of classified documents are posted on or near the MFD approved for classified reproduction. This is especially true when the MFD is capable of directly making copies of documents on the machine. The procedures must alert users when the particular MFD is approved for classified reproduction.
2. Other MFD (used as copiers) in the organization that are not approved for classified document reproduction must also be marked to alert users of the prohibition against making classified copies.
3. Procedures posted near the MFD must contain steps for users to take after printing, copying, scanning or faxing classified documents. Steps must include double checking of the MFD for missed pages, counting original and copied pages, purging of images (if applicable), use of cover sheets, and general protection/control guidelines for reproduced documents.

NOTE: Most MFD contain both hard drives (non-volatile memory) and volatile memory and cannot be properly sanitized of classified data or images to make the MFD unclassified. Therefore, most (if not all) classified MFD should be housed and operated within space approved for collateral classified open storage. If not maintained in spaces approved for classified open storage, all MFD with non-volatile memory that are used for classified reproduction must be under the continuous observation and control of a cleared person AT ALL TIMES.

Destruction of Classified Documents Printed from the SIPRNet Using Approved Devices on NSA Evaluated Products Lists (EPL).
High - V-245836 - SV-245836r917369_rule
RMF Control
Severity
High
CCI
Version
IS-11.01.01
Vuln IDs
  • V-245836
  • V-32009
Rule IDs
  • SV-245836r917369_rule
  • SV-42325r3_rule
Failure to properly destroy classified material can lead to the loss or compromise of classified or sensitive information.

REFERENCES:
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 29.h.(1) & 34.
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-1, MP-6, PE-1.
DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014
DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information: Enclosure 3 paragraphs 17, 18, & 19.
DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, paragraphs 5-704, 5-705 & 5-708.
https://www.nsa.gov/Resources/Media-Destruction-Guidance
Checks: C-49267r917369_chk

General Guidance: Classified documents and paper material identified for destruction shall be destroyed completely, to prevent anyone from reconstructing the classified information. Effective January 1, 2011, only equipment listed on an evaluated products list (EPL) issued by NSA may be used to destroy classified information. In all cases, if any such previously approved equipment needs to be replaced or otherwise requires a rebuild or replacement of a critical assembly (e.g., shredder blade assembly), the unit must be replaced with one listed on the appropriate EPL. The EPLs and further guidance may be obtained by calling (410) 854-6358 or at: https://www.nsa.gov/Resources/Media-Destruction-Guidance

Checks:
Check #1. Check that only crosscut shredders listed on an EPL for High Security Crosscut Paper Shredders are used to destroy classified material.
Check #2. Check that only pulverizers, disintegrators and pulping (wet process) devices listed on an EPL are used to destroy classified water-soluble material.
Check #3. Check to ensure that burn bags (if used to store classified paper awaiting destruction at a central destruction facility) are sealed and safeguarded in a safe or vault or area approved for classified open storage until actually destroyed.

NOTE: Recommend that reviewers check shredded material, no matter how new or old the shredder appears to be. Look to determine if it is readily apparent the shred material is "not within specifications" due to lack of maintenance, bad teeth, etc. This discovery can result in a finding.

TACTICAL ENVIRONMENT: Applies in all environments whenever classified documents are to be destroyed.

Fix: F-49222r917233_fix

General Guidance: Classified documents and paper material identified for destruction shall be destroyed completely, to prevent anyone from reconstructing the classified information. Effective January 1, 2011, only equipment listed on an evaluated products list (EPL) issued by NSA may be used to destroy classified information.
1. Unless determined otherwise by NSA, whenever an EPL is revised, equipment removed from the EPL may be utilized for destruction of classified information for up to 6 years from the date of its removal from the EPL.
2. In all cases, if any such previously approved equipment needs to be replaced or otherwise requires a rebuild or replacement of a critical assembly (e.g., shredder blade assembly), the unit must be replaced with one listed on the appropriate EPL.
The EPLs and further guidance may be obtained by calling (410) 854-6358 or at https://www.nsa.gov/Resources/Media-Destruction-Guidance/

Fixes:
1. Only crosscut shredders listed on an EPL for High Security Crosscut Paper Shredders can be used to destroy classified material.
2. Only pulverizers, disintegrators and pulping (wet process) devices listed on an EPL can be used to destroy classified water-soluble material.
3. Burn bags (if used to store classified paper awaiting destruction at a central destruction facility) must be sealed and safeguarded in a safe or vault or area approved for classified open storage until actually destroyed.

Classified Material Destruction - Improper Disposal of Automated Information System (AIS) Hard Drives and Storage Media
High - V-245837 - SV-245837r917350_rule
RMF Control
Severity
High
CCI
Version
IS-11.01.02
Vuln IDs
  • V-245837
  • V-32111
Rule IDs
  • SV-245837r917350_rule
  • SV-42428r3_rule
Failure to properly destroy classified material can lead to the loss or compromise of classified or sensitive information.

REFERENCES:
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 21.h.(9); 28; 29b.,d.(1)&(2).h.(1)&(2) and para 34.
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-1, MP-6, PE-1.
DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 9.b.(8) & (9)
DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information: Enclosure 2, paragraph 14 & 14(d); Enclosure 3 paragraphs 17, 18, & 19; Enclosure 5, paragraph 3.d.(3); Enclosure 7, paragraph 6.
DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, paragraphs 5-704, 5-705, 5-706, 5-707, 5-708, 8-202.e. & 8-302.g.
NIST SP 800-88, Guidelines for Media Sanitization
NSA/CSS Policy Manual 9-12, NSA/CSS Storage Device Declassification Manual
NSA/CSS product lists for sanitization, destroying or disposing of various types of media containing sensitive or classified information: https://www.nsa.gov/Resources/Media-Destruction-Guidance
Checks: C-49268r917235_chk

For CLASSIFIED automated information system (AIS) data processing and/or storage equipment such as hard drives and media: Check to ensure data processing or storage devices are properly sanitized (purged of all classified data so that recovery using a known laboratory attack is not possible) in accordance with current NSA guidance before such equipment or media is disposed of or placed in use (and/or stored) in a lower classification environment or an unclassified environment.

NOTE 1: Clearing procedures using overwrite software are not sufficient to dispose of classified equipment or media (for instance by release to property disposal, vendors, or placement in trash) or to re-use it in an unclassified or lesser classification environment other than its original classification level. Clearing will only enable the equipment or media to be re-used within the original classified environment.

NOTE 2: NSA guidance can be found in the NSA/CSS Policy Manual 9-12, NSA/CSS Storage Device Declassification Manual. Be certain to also read and apply specific guidance for the DOD from Enclosure 3 and Enclosure 7 of Volume 3 of DOD Manual 5200.01. Important excerpts from this guidance pertaining to disposal of classified equipment and storage media follow: Classified IT storage media (e.g., hard drives) cannot be declassified by overwriting. Sanitization (which may destroy the usefulness of the media) or physical destruction is required for disposal.

NOTE 3: The specific methods and procedures for sanitization of classified hard drives or storage media differ depending on sensitivity of data, type of hard drive or storage media (magnetic, solid state, etc.) and ownership of the hard drive or storage media. To ensure DOD information is not inadvertently disclosed to unauthorized individuals, the activity security manager should coordinate with the local Authorizing Official (AO) and/or IT staff to ensure local procedures for disposal of computer hard drives appropriately address removal of U.S. Government data prior to disposal.

TACTICAL ENVIRONMENT: Applies in all environments whenever classified documents or materials are to be destroyed.

Fix: F-49223r917236_fix

For CLASSIFIED automated information system (AIS) data processing and/or storage equipment such as hard drives and media: CLASSIFIED AIS data processing/storage devices such as system hard drives and media must be properly sanitized using approved NSA guidelines (purged of all classified data so that recovery using a known laboratory attack is not possible) before such equipment or media is disposed of or placed in use (and/or stored) in a lower classification environment or an unclassified environment.

NOTE 1: Clearing procedures using overwrite software are not sufficient to dispose of classified equipment or media (for instance by release to property disposal, vendors, or placement in trash) or to re-use it in an unclassified or lesser classification environment other than its original classification level. Clearing will only enable the equipment or media to be re-used within the original classified environment.

NOTE 2: NSA guidance for classified equipment can be found in the NSA/CSS Policy Manual 9-12, NSA/CSS Storage Device Declassification Manual. Sanitization and disposal must also be IAW Enclosure 3 and Enclosure 7 of Volume 3 of DOD Manual 5200.01, which provides additional clarifying guidance for the DOD. Some important excerpts from this guidance pertaining to classified equipment and storage media follow: Classified IT storage media (e.g., hard drives) cannot be declassified by overwriting. Sanitization (which may destroy the usefulness of the media) or physical destruction is required for disposal.

NOTE 3: The specific methods and procedures for sanitization of classified hard drives or storage media differ depending on the sensitivity of the data, the type of hard drive or storage media (magnetic, solid state, etc.), and the ownership of the hard drive or storage media.

To ensure DOD information is not inadvertently disclosed to unauthorized individuals, the activity security manager should coordinate with the local Authorizing Official (AO) and/or IT staff to ensure local procedures for disposal of computer hard drives appropriately address removal of U.S. Government data prior to disposal.

Classified Destruction - Hard Drive and Storage Media Sanitization Devices and Plans are not Available for disposal of Automated Information System (AIS) Equipment On-Hand
Medium - V-245838 - SV-245838r917351_rule
RMF Control
Severity
Medium
CCI
Version
IS-11.02.01
Vuln IDs
  • V-245838
  • V-32102
Rule IDs
  • SV-245838r917351_rule
  • SV-42419r3_rule
Failure to properly destroy classified material can lead to the loss or compromise of classified or sensitive information. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 21.h.(9); 28; 29b.,d.(1)&(2).h.(1)&(2) and para 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-1, MP-6, PE-1. DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 9.b.(8) & (9) DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information: Enclosure 2, paragraph 14 & 14(d); Enclosure 3 paragraphs 17, 18, & 19; Enclosure 5, paragraph 3.d.(3); Enclosure 7, paragraph 6. Assistant Secretary of Defense for Command, Control, Communications and Intelligence Memorandum, "Disposition of Unclassified DOD Computer Hard Drives," June 4, 2001 DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, paragraphs 5-704, 5-705, 5-706, 5-707, 5-708, 8-202.e. & 8-302.g. NIST SP 800-88, Guidelines for Media Sanitization NSA/CSS Policy Manual 9-12, NSA/CSS Storage Device Declassification Manual https://www.nsa.gov/Resources/Media-destruction-Guidance
Checks: C-49269r917238_chk

Check to ensure there is equipment and/or plans for the destruction of classified or sensitive systems and media used by the site or organization. Lack of appropriate equipment to properly sanitize the classified media used, or lack of plans for disposal and/or proper protection in transit to a disposal facility, will result in a finding.

Checks:
Check #1. If used by the site, are hard drive and tape degaussers periodically tested and certified as required by the manufacturer?
Check #2. Are appropriate wipe products available for classified systems or spillage incidents?
Check #3. Is there an approved product (such as the Whitaker Brothers Inc. Datastroyer) on hand to properly remove readable surfaces from optical media such as CDs or DVDs?
Check #4. Is all obsolete classified equipment and media properly secured in a safe, vault, or secure room until properly disposed of? (Note: This would be a CAT I finding under the appropriate "storage" vulnerability.)
Check #5. In the event the site has limited or no destruction equipment: Are there plans or arrangements to take classified material to NSA for proper disposal, or to another DOD organization that has destruction equipment and has agreed to provide support for destruction of classified material?
Check #6. Are there appropriate transportation and/or shipping arrangements to ensure the classified material is properly protected while in transit to the destruction facility?

TACTICAL ENVIRONMENT: Applies in all environments whenever classified documents or materials are to be destroyed.

Fix: F-49224r917239_fix

Ensure there is equipment and/or plans for the destruction of classified or sensitive systems and media used by the site or organization.

Considerations:
1. If used by the site, are hard drive and tape degaussers periodically tested and certified as required by the manufacturer?
2. Are appropriate wipe products available for classified systems or spillage incidents?
3. Is there an approved product (such as the Whitaker Brothers Inc. Datastroyer) on hand to properly remove readable surfaces from optical media such as CDs or DVDs?
4. Is all obsolete classified equipment and media properly secured in a safe, vault, or secure room until properly disposed of?
5. In the event the site has limited or no destruction equipment, are there plans or arrangements to take classified material to NSA for proper disposal, or to another DOD organization that has destruction equipment and has agreed to provide support for destruction of classified material?
6. Are there appropriate transportation and/or shipping arrangements to ensure the classified material is properly protected while in transit to the destruction facility?

Destruction of Classified and Unclassified Documents, Equipment and Media - Availability of Local Policy and Procedures
Low - V-245839 - SV-245839r917352_rule
RMF Control
Severity
Low
CCI
Version
IS-11.03.01
Vuln IDs
  • V-245839
  • V-32090
Rule IDs
  • SV-245839r917352_rule
  • SV-42407r3_rule
Lack of plans and procedures to properly destroy classified and/or sensitive material can lead to the loss or compromise of classified or sensitive information. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 21.h.(9); 28; 29b.,d.(1)&(2).h.(1)&(2) and para 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-1, MP-6, PE-1. DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 9.b.(8) & (9) DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information: Enclosure 2, paragraph 14 & 14(d); Enclosure 3 paragraphs 17, 18, & 19; Enclosure 5, paragraph 3.d.(3); Enclosure 7, paragraph 6. Assistant Secretary of Defense for Command, Control, Communications and Intelligence Memorandum, "Disposition of Unclassified DOD Computer Hard Drives," June 4, 2001 DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, paragraphs 5-704, 5-705, 5-706, 5-707, 5-708, 8-202.e. & 8-302.g. NIST SP 800-88, Guidelines for Media Sanitization NSA/CSS Policy Manual 9-12, NSA/CSS Storage Device Declassification Manual https://www.nsa.gov/Resources/Media-Destruction-Guidance Satisfies: Destruction of Classified and Unclassified Documents, Equipment and Media - Policy/Procedure
Checks: C-49270r917241_chk

Check to ensure there are procedures for the destruction of classified or sensitive documents, systems and media. Also check to ensure this documentation is readily available for employee reference and included in initial and recurring (annual) security training. TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments where procedural documents (SOPs) should be in place. Not applicable to a field/mobile environment.

Fix: F-49225r917242_fix

Ensure there are procedures for the destruction of classified or sensitive documents, systems, and media. Also ensure this documentation is readily available for employee reference and is included in initial and recurring (annual) security training.

Classified Emergency Destruction Plans - Develop and Make Available
Medium - V-245840 - SV-245840r917353_rule
RMF Control
Severity
Medium
CCI
Version
IS-13.02.01
Vuln IDs
  • V-245840
  • V-32132
Rule IDs
  • SV-245840r917353_rule
  • SV-42449r3_rule
Failure to develop emergency procedures can lead to the loss or compromise of classified or sensitive information during emergency situations. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 32. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: CP-4, PL-1 & RA-1. DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 9.b.(8) & (9) DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information: Enclosure 2, paragraph 10. DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, paragraph 5-104. NIST SP 800-88, Guidelines for Media Sanitization NSA/CSS Policy Manual 9-12, NSA/CSS Storage Device Declassification Manual https://www.nsa.gov/Resources/Media-Destruction-Guidance
Checks: C-49271r917244_chk

General Requirement: Plans shall be developed to protect, remove, or destroy classified material in case of fire, natural disaster, civil disturbance, terrorist activities, or enemy action, to minimize the risk of compromise, and for the recovery of classified information, if necessary, following such events.

Checks:
Check #1. Check to ensure there is local site documentation for the emergency protection, removal, and destruction of classified material and equipment. (CAT II)
Check #2. Also check to ensure that these instructions are readily available to the employee population. Such plans should be posted on or near safes, at exits to vaults and secure rooms, or at any location where classified materials are stored. (CAT III)

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments where procedural documents (SOPs) should be in place. Not applicable to a field/mobile environment.

Fix: F-49226r917245_fix

General Requirement: Plans shall be developed to protect, remove, or destroy classified material in case of fire, natural disaster, civil disturbance, terrorist activities, or enemy action, to minimize the risk of compromise, and for the recovery of classified information, if necessary, following such events.

Ensure there is local site documentation for the emergency protection, removal, and destruction of classified material and equipment. Also ensure that these instructions are readily available to the employee population. Such plans should be posted on or near safes, at exits to vaults and secure rooms, or at any location where classified materials are stored.

Security Incident/Spillage - Lack of Procedures or Training for Handling and Reporting
Medium - V-245841 - SV-245841r822904_rule
RMF Control
Severity
Medium
CCI
Version
IS-14.02.01
Vuln IDs
  • V-245841
  • V-32138
Rule IDs
  • SV-245841r822904_rule
  • SV-42455r3_rule
Failure to report a possible security compromise can result in the impact of a loss or compromise of classified information not being evaluated, responsibility not being affixed, and no plan of action being developed to prevent recurrence of such incidents. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 6.k.(1), 9.c., 18.k.(e), 26.s.(6), 29. and 31.c. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AT-1, AT-2, AU-2, AU-7, AU-11, IR-1, IR-2, IR-4, IR-5, IR-6, IR-7, IR-8 and IR-9. DoDI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 7.g. and 19.d. DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Enclosure 6, Appendix 1 to Encl 6, Appendix 2 to Encl 6 and Enclosure 7, paragraph 5. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, paragraphs 1-303, 1-304, 1-400, 1-401 and 8-302.i. CNSSP No. 18, National Policy on Classified Information Spillage CNSSI 1001, National Instruction on Classified Information Spillage
Checks: C-49272r770183_chk

General requirement: Anyone finding classified information out of proper control shall, if possible, take custody of and safeguard the material and immediately notify the appropriate security authorities. Secure communications should be used for notification whenever possible. Every civilian employee and Active, Reserve, and National Guard Military member of the Department of Defense, and every DoD contractor or employee of a contractor working with classified material, as provided by the terms of the contract, who becomes aware of the loss or potential compromise of classified information shall immediately report it to the head of his or her local activity and to the activity security manager.

Prompt reporting of security incidents ensures incidents are properly investigated and necessary actions are taken to negate or minimize the adverse effects of an actual loss or unauthorized disclosure of classified information, and to preclude recurrence through a properly tailored and up-to-date security education and awareness program. In cases where compromise has been ruled out and there is no adverse effect on national security, a common sense approach to the early resolution of an incident at the lowest appropriate level is encouraged. All security incidents involving classified information shall involve a security inquiry, a security investigation, or both.

Reviewer Checks:
Check #1. Check to ensure the site or organization has written procedures on reporting possible security incidents.
Check #2. Check to ensure personnel within the organization have training to be able to know when to report a possible security incident and who to report it to.
Check #3. Check to ensure employees know what to do when discovering classified material unsecured or out of proper control. Ask random employees if they know what to do if they discover a security incident.

TACTICAL ENVIRONMENT: Classified material that is discovered not properly secured must immediately be secured and the incident reported, regardless of environment.

Fix: F-49227r770184_fix

General requirement: Anyone finding classified information out of proper control shall, if possible, take custody of and safeguard the material and immediately notify the appropriate security authorities. Secure communications should be used for notification whenever possible. Every civilian employee and Active, Reserve, and National Guard Military member of the Department of Defense, and every DoD contractor or employee of a contractor working with classified material, as provided by the terms of the contract, who becomes aware of the loss or potential compromise of classified information shall immediately report it to the head of his or her local activity and to the activity security manager.

Prompt reporting of security incidents ensures incidents are properly investigated and necessary actions are taken to negate or minimize the adverse effects of an actual loss or unauthorized disclosure of classified information, and to preclude recurrence through a properly tailored and up-to-date security education and awareness program. In cases where compromise has been ruled out and there is no adverse effect on national security, a common sense approach to the early resolution of an incident at the lowest appropriate level is encouraged. All security incidents involving classified information shall involve a security inquiry, a security investigation, or both.

Fixes:
1. Ensure the site or organization has written procedures on reporting possible security incidents.
2. Ensure personnel within the organization have training to be able to know when to report a possible security incident and who to report it to.
3. Ensure employees know what to do when discovering classified material unsecured or out of proper control. Verify by asking random employees if they know what to do if they discover a security incident.

Classification Guides Must be Available for Programs and Systems for an Organization or Site
Medium - V-245842 - SV-245842r823108_rule
RMF Control
Severity
Medium
CCI
Version
IS-15.02.01
Vuln IDs
  • V-245842
  • V-32150
Rule IDs
  • SV-245842r823108_rule
  • SV-42467r3_rule
Failure to have proper classification guidance available for Information Systems and/or associated programs run on them can result in the misclassification of information and ultimately lead to the loss or compromise of classified or sensitive information. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: Subpart B - § 2001.15 Classification guides. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 6.c. and paragraph 26.e. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-3, IA-5, MP-5, MP-6, PE-2, PS-3, PS-6. DoD Manual 5200.01, Volume 1, 24 February 2012, SUBJECT: DoD Information Security Program: Overview, Classification, and Declassification, Enclosure 2, paragraph 9.h.; Enclosure 4; Enclosure 5 and Enclosure 6. DoD Manual 5200.01, Volume 2, 24 February 2012, SUBJECT: DoD Information Security Program: Marking of Classified Information; Enclosure 3, paragraph 2.a. DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information; Enclosure 6, paragraphs 4, 51 and Glossary. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, paragraphs 4-101, 4-102, 4-103 and 7-102.
Checks: C-49273r823107_chk

Check to ensure the site has all Classification Guides for the systems and programs they are responsible for and/or which are applicable to their operations. Further, such classification guides and training on the use of them should be made available to employees working with the equipment or systems to which they apply. At a minimum if a site has SIPRNet connections they should have a copy of the most recent SIPRNet Security Classification Guide. TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments where procedural documents (SOPs) should be in place. Not applicable to a field/mobile environment.

Fix: F-49228r770187_fix

Ensure the site has all Classification Guides for the programs and systems they are responsible for and/or which are applicable to their operations. Further, such classification guides and training on the use of them should be made available to employees working with the equipment or systems to which they apply. At a minimum if a site has SIPRNet connections they should have a copy of the most recent SIPRNet Security Classification Guide.

Controlled Unclassified Information (CUI) - Employee Education and Training
Medium - V-245843 - SV-245843r822908_rule
RMF Control
Severity
Medium
CCI
Version
IS-16.02.01
Vuln IDs
  • V-245843
  • V-32159
Rule IDs
  • SV-245843r822908_rule
  • SV-42476r3_rule
Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Executive Order 13556, Controlled Unclassified Information (CUI) The Information Security Oversight Office (ISOO): https://www.archives.gov/cui CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure A, Paragraph 11, Enclosure B, paragraph 4.h & 6.m., and Enclosure C, paragraph 5. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AT-1, AT-2, AT-3 and AT-4. DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information; Enclosure 5. DoD Manual 5200.01, Volume 4, SUBJECT: DoD Information Security Program: Controlled Unclassified Information (CUI); Enclosure 4. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 3.
Checks: C-49274r822906_chk

General Policy Guidance: At a minimum, DoD civilians, military members and on-site support contractors with access to CUI shall receive both initial and annual refresher training that reinforces the policies, principles, and procedures covered in CUI policy. Refresher training shall also address the threat and the techniques foreign intelligence activities use while attempting to obtain controlled unclassified DoD information and advise personnel of penalties for unauthorized disclosures. The importance of unclassified information, its potential sensitivity, and the requirement to have all information reviewed and approved for release prior to public disclosure or Web posting shall be reiterated. Refresher training shall also address relevant changes in CUI policy or procedures and issues or concerns identified during DoD Component oversight reviews.

Checks:
Check #1. Reviewers must check for an initial orientation on handling of CUI during new employee in-processing.
Check #2. Check that Annual Refresher training includes the topic of CUI as provided in the general policy guidance. Check a sample number of individual training records and Annual Training briefing slides/materials for evidence of CUI training.
Lack of either initial orientation or refresher training, or both, is a finding.

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments where training and associated documentation should be in place. Not applicable to a field/mobile environment.

Fix: F-49229r822907_fix

General Policy Guidance: At a minimum, DoD civilians, military members and on-site support contractors with access to CUI shall receive both initial and annual refresher training that reinforces the policies, principles, and procedures covered in CUI policy. Refresher training shall also address the threat and the techniques foreign intelligence activities use while attempting to obtain controlled unclassified DoD information and advise personnel of penalties for unauthorized disclosures. The importance of unclassified information, its potential sensitivity, and the requirement to have all information reviewed and approved for release prior to public disclosure or Web posting shall be reiterated. Refresher training shall also address relevant changes in CUI policy or procedures and issues or concerns identified during DoD Component oversight reviews. Fix: Ensure an initial orientation on handling of CUI is included during new employee in-processing and that Annual Refresher training includes the topic of CUI as provided in the general policy guidance. Ensure that all initial and refresher training is documented.

Controlled Unclassified Information - Document, Hard Drive and Media Disposal
Medium - V-245844 - SV-245844r1008550_rule
RMF Control
Severity
Medium
CCI
Version
IS-16.02.02
Vuln IDs
  • V-245844
  • V-32180
Rule IDs
  • SV-245844r1008550_rule
  • SV-42497r3_rule
Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Assistant Secretary of Defense for Command, Control, Communications and Intelligence Memorandum: "Disposition of Unclassified DOD Hard Drives, 4 June 2001." 44 USC Chapter 33 - Disposal of Records, dated 01/03/2012 CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 21.h.(9); 28.a.&c. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-6 and SI-12. DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, paragraph 3.h. DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information: Enclosure 3 paragraphs 17, 18, & 19; Enclosure 7, paragraph 6. DODI 5200.48 Controlled Unclassified Information (CUI) DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, 4-103.c., 5-203.b., and Chapter 5, Section 7 Disposition and Retention NIST SP 800-88, Guidelines for Media Sanitization NSA/CSS product lists for sanitization, destroying or disposing of various types of media containing sensitive or classified information: https://www.nsa.gov/Resources/Media-Destruction-Guidance The Information Security Oversight Office (ISOO): https://www.archives.gov/cui Satisfies: Controlled Unclassified Information - Document, Hard Drive and Media Disposal
Checks: C-49275r1008548_chk

Check to ensure compliance with appropriate methods for disposal of the following:

1. Unclassified Hard Drives:
a. When no longer needed, unclassified computer systems and hard drives may be disposed of outside the Department of Defense (DOD). In some circumstances, the equipment may be provided to nongovernment entities for reutilization. To ensure that no data or information remains on operable unclassified hard drives that are transferred or permanently removed from DOD custody, the drives must be sanitized by overwriting.
b. Where overwriting is inappropriate or cannot be completely accomplished (e.g., an inoperable disk), the drives are to be totally removed from service (i.e., thrown away). In this case the drives must be physically destroyed before disposal.
c. The specific methods and procedures differ depending on the sensitivity of the data and the ownership of the hard drive. To ensure DOD information is not inadvertently disclosed to unauthorized individuals, the activity security manager should coordinate with the local Authorizing Official (AO, formerly the Designated Approving Authority or DAA) and/or IT staff to ensure local procedures for disposal of computer hard drives appropriately address removal of U.S. Government data prior to disposal. Generally the use of hard drive degaussers with an appropriate strength (coercivity of magnetic field, the Oersted rating) for the drive being erased is recommended as part of the requirement for physical destruction. After degaussing the hard drive, the physical destruction of individual platters should be accomplished to make attempted data retrieval impractical.

2. Unclassified Automated Information System (AIS) Media:
a. Various types of AIS media may contain CUI and must be disposed of in accordance with guidance in NIST Special Publication 800-88, Guidelines for Media Sanitization.
b. NSA/CSS publishes lists of products that meet specific performance criteria for sanitizing, destroying, or disposing of various types of media containing sensitive or classified information. The lists are available at https://www.nsa.gov/Resources/Media-Destruction-Guidance.

3. Unclassified documents:
a. Record copies of CUI documents shall be disposed of in accordance with the Federal Records Act (44 U.S.C. 33) and Component records management directives.
b. Nonrecord CUI documents may be destroyed by shredding or tearing into pieces and discarding the pieces in regular trash containers.
c. NOTE: The guidance provided here is for CUI paper documents and is the least stringent standard found for any CUI document destruction. There are other types of CUI, such as DEA Sensitive material, which must be destroyed by a means approved for destruction of Confidential material. Be certain to check DOD Manual 5200.01 for specific destruction requirements for each type of CUI document.

4. Additional reviewer checks and considerations:
a. Check recycle bins, regular trash, and the availability of shredders or collection containers for sensitive material. Ensure the organization knows who gets the recycling (especially if it contains CUI) and that it is disposed of properly (for instance by shredding). NOTE: If you find (e.g., in the trash) and can easily reconstruct any document marked CUI (or other CUI document) and it contains extremely sensitive information such as PII (with SSN, etc.), this should be made a finding.
b. In all cases the reviewer should recommend using at least a cross-cut shredder for destruction of CUI documents. Further, while a shred-all policy is not required, this is another recommendation that should be made.

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments where training and associated documentation should be in place. Not applicable to a field/mobile environment.
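The overwrite-then-verify disposition in item 1 above, and the Clear-versus-Purge distinction drawn in the classified sanitization check earlier on this page, as an added example that is not part of the STIG or of any DOD tool: a NIST SP 800-88 style "Clear" pass with full read-back verification, run against a file-backed image filled with constructed sample records so it executes safely offline. The function names, the 512-byte sector size and the single zero-fill pass are assumptions for illustration; the pass count and method actually used must follow NIST SP 800-88 and local procedure.

```python
"""Added example, not part of the STIG: NIST SP 800-88 style "Clear" by
overwrite with full read-back verification, against a file-backed disk image.

Decision logic mirrors the check: a verified overwrite releases an operable
unclassified drive ("clear"); anything that cannot be completely overwritten
and verified is routed to physical destruction ("destroy").  Overwriting is
Clear only: it never declassifies classified media, and on flash/SSD media it
does not reach wear-levelled or remapped blocks outside the addressable range,
so it is not Purge.
"""
import os
import tempfile

SECTOR = 512                            # assumed sector size for the image
MARKER = b"CUI-SAMPLE-RECORD"           # constructed sample data, not real CUI


def build_sample_image(path, sectors=64):
    """Write a recognisable marker into every sector of a constructed image."""
    with open(path, "wb") as f:
        for i in range(sectors):
            f.write((MARKER + b" %04d " % i).ljust(SECTOR, b"."))


def overwrite_image(path, pattern=b"\x00"):
    """One fixed-pattern pass over every addressable byte, then fsync so the
    write reaches the medium.  Raises OSError if the image cannot be fully
    written, which the caller treats as 'overwriting cannot be accomplished'."""
    size = os.path.getsize(path)
    block = pattern * SECTOR
    written = 0
    with open(path, "r+b") as f:
        while written < size:
            n = min(SECTOR, size - written)
            f.write(block[:n])
            written += n
        f.flush()
        os.fsync(f.fileno())
    return written


def verify_overwrite(path, pattern=b"\x00"):
    """Read every sector back and require it to equal the pattern.  A sampled
    verify is cheaper, but the check calls for no data remaining, so read all."""
    expected = pattern * SECTOR
    with open(path, "rb") as f:
        while True:
            buf = f.read(SECTOR)
            if not buf:
                return True
            if buf != expected[: len(buf)]:
                return False


def count_marker(path):
    """How many sample records a plain read still recovers from the image."""
    with open(path, "rb") as f:
        return f.read().count(MARKER)


def sanitize_for_release(path):
    """Disposition for an unclassified drive leaving DOD custody:
    'clear' if the overwrite succeeded and verified, otherwise 'destroy'."""
    try:
        overwrite_image(path)
        return "clear" if verify_overwrite(path) else "destroy"
    except OSError:
        return "destroy"


def demo():
    """Operable image is cleared and verified; a missing image stands in for
    an inoperable disk, cannot be overwritten, and is routed to destruction."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        build_sample_image(img)
        before = count_marker(img)
        result = sanitize_for_release(img)
        after = count_marker(img)
        inoperable = sanitize_for_release(os.path.join(d, "inoperable.img"))
    return before, result, after, inoperable


if __name__ == "__main__":
    print(demo())
```

The verification step is what separates a defensible Clear from a hopeful one: the reviewer question is whether the site can show that no data remains, which a read-back of the whole addressable surface answers and a completed write loop alone does not. For real devices the same logic applies to the block device node, with the further caveat noted in the docstring that flash media must be handled per NIST SP 800-88 and the NSA/CSS product lists rather than by overwrite.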

Fix: F-49230r1008549_fix

Ensure compliance with appropriate methods for disposal of the following:

1. Unclassified Hard Drives:
a. When no longer needed, unclassified computer systems and hard drives may be disposed of outside the Department of Defense (DOD). In some circumstances, the equipment may be provided to nongovernment entities for reutilization. To ensure that no data or information remains on operable unclassified hard drives that are transferred or permanently removed from DOD custody, the drives must be sanitized by overwriting.
b. Where overwriting is inappropriate or cannot be completely accomplished (e.g., an inoperable disk), the drives are to be totally removed from service (i.e., thrown away). In this case the drives must be physically destroyed before disposal.
c. The specific methods and procedures differ depending on the sensitivity of the data and the ownership of the hard drive. To ensure DOD information is not inadvertently disclosed to unauthorized individuals, the activity security manager should coordinate with the local Authorizing Official (AO, formerly the Designated Approving Authority or DAA) and/or IT staff to ensure local procedures for disposal of computer hard drives appropriately address removal of U.S. Government data prior to disposal. Generally the use of hard drive degaussers with an appropriate strength (coercivity of magnetic field, the Oersted rating) for the drive being erased is recommended as part of the requirement for physical destruction. After degaussing the hard drive, the physical destruction of individual platters should be accomplished to make attempted data retrieval impractical.

2. Unclassified Automated Information System (AIS) Media:
a. Various types of AIS media may contain CUI and must be disposed of in accordance with guidance in NIST Special Publication 800-88, Guidelines for Media Sanitization.
b. NSA/CSS publishes lists of products that meet specific performance criteria for sanitizing, destroying, or disposing of various types of media containing sensitive or classified information. The lists are available at https://www.nsa.gov/Resources/Media-Destruction-Guidance.

3. Unclassified documents:
a. Record copies of CUI documents shall be disposed of in accordance with the Federal Records Act (44 U.S.C. 33) and Component records management directives.
b. Nonrecord CUI documents may be destroyed by shredding or tearing into pieces and discarding the pieces in regular trash containers.
c. NOTE: The guidance provided here is for CUI paper documents and is the least stringent standard found for any CUI document destruction. There are other types of CUI, such as DEA Sensitive material, which must be destroyed by a means approved for destruction of Confidential material. Be certain to check DOD Manual 5200.01 for specific destruction requirements for each type of CUI document.

4. Additional considerations:
a. Periodically inspect recycle bins, regular trash, and the availability of shredders or collection containers for sensitive material. Ensure it is known who gets the recycling (especially if it contains CUI) and that it is disposed of properly. NOTE: If you find (e.g., in the trash) and can easily reconstruct any document marked CUI (or other CUI document) and it contains extremely sensitive information such as PII (with SSN, etc.), this should be investigated and corrective actions taken immediately.
b. While not required, it is highly recommended to use at least a cross-cut shredder for destruction of CUI documents. Further, while a shred-all policy is also not required, this is another strong recommendation.

b
Controlled Unclassified Information - Handling, Storage and Controlling Access to Areas where CUI is Processed or Maintained
Medium - V-245845 - SV-245845r939275_rule
RMF Control
Severity
Medium
CCI
Version
IS-16.02.03
Vuln IDs
  • V-245845
  • V-32261
Rule IDs
  • SV-245845r939275_rule
  • SV-42578r3_rule
Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Executive Order 13556, Controlled Unclassified Information (CUI) The Information Security Oversight Office (ISOO): https://www.archives.gov/cui CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND); Enclosure C, paragraph 25.d. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4 and PE-3. DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information; Enclosure 7, paragraph 13.f. DoDI 5200.48 Controlled Unclassified Information (CUI) DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, 4-103.c., 5-203.b., and Chapter 5 and Chapter 8, paragraph 8-302.b.& g.
Checks: C-49276r770195_chk

General Guidance: Standards of protection for most types of CUI are the same as for FOUO but some variance does exist. Therefore, specific requirements for certain CUI may need to be checked against applicable references to ensure proper protection is afforded. The checks are applicable to all forms of CUI: documents, AIS hard drives and storage media.

Checks: For most CUI and FOUO specifically, check to ensure the following standards are met:

Check #1. During working hours, reasonable steps shall be taken to minimize the risk of access by unauthorized personnel. This would include things like placing cover sheets on FOUO documents and allowing unescorted access to areas where CUI (documents and AIS storage media) is processed/handled only to those persons with at least a favorably adjudicated National Agency Check (NAC).

Check #2. After working hours, FOUO information (documents and removable media) may be stored in unlocked containers, desks, or cabinets if Government or Government-contract building security is provided. If such building security is not provided or is deemed inadequate, the information (documents and removable media) shall be stored in locked desks, file cabinets, bookcases, locked rooms, etc. In all cases FOUO and other CUI documents must be placed out of sight during non-working hours. While not required, recommending implementation of a clean desk policy would be appropriate.

Check #3. Unescorted access to computer rooms or areas containing major items of AIS equipment processing CUI information (servers and network components) should only be granted to persons with at least a favorable NAC. All others should be physically escorted. Access control measures such as reception personnel, guards, keyed locks, cipher locks or automated access control systems may be used to control access to such areas.
TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments where procedural documents (SOPs) should be in place. Not applicable to a field/mobile environment.

Fix: F-49231r770196_fix

General Guidance: Standards of protection for most types of CUI are the same as for FOUO but some variance does exist. Therefore, specific requirements for certain CUI may need to be checked against applicable references to ensure proper protection is afforded. The fixes are applicable to all forms of CUI: documents, AIS hard drives and storage media.

Fixes applicable for FOUO: For most CUI and FOUO specifically, ensure the following standards are met:

1. During working hours, reasonable steps shall be taken to minimize the risk of access by unauthorized personnel. This would include things like placing cover sheets on FOUO documents and allowing unescorted access to areas where CUI (documents and AIS storage media) is processed/handled only to those persons with at least a favorably adjudicated National Agency Check (NAC).

2. After working hours, FOUO information (documents and AIS storage media) may be stored in unlocked containers, desks, or cabinets if Government or Government-contract building security is provided. If such building security is not provided or is deemed inadequate, the information (documents and AIS storage media) shall be stored in locked desks, file cabinets, bookcases, locked rooms, etc. In all cases FOUO and other CUI must be placed out of sight during non-working hours. While not required, implementation of a clean desk policy would be a good idea.

3. Unescorted access to computer rooms or areas containing major items of AIS equipment processing CUI information (servers and network components) should only be granted to persons with at least a favorable NAC. All others should be physically escorted. Access control measures such as reception personnel, guards, keyed locks, cipher locks or automated access control systems may be used to control access to such areas.

b
Controlled Unclassified Information - Encryption of Data at Rest
Medium - V-245846 - SV-245846r770200_rule
RMF Control
Severity
Medium
CCI
Version
IS-16.02.04
Vuln IDs
  • V-245846
  • V-32263
Rule IDs
  • SV-245846r770200_rule
  • SV-42580r3_rule
Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Executive Order 13556, Controlled Unclassified Information (CUI) The Information Security Oversight Office (ISOO): https://www.archives.gov/cui DoD CIO Memorandum, Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage Media, 3 July 2007 NIST FIPS 140-2, Security Requirements for Cryptographic Modules NSTISSI No. 11, National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology (IT) Products CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND); Enclosure A, paragraphs 6.b., 13.b.(2), 13.b.(3) and Enclosure C, paragraphs 21.f. and 21.g. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-5, PL-2 and SC-28. DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information; Enclosure 7, paragraphs 8. and 9.a. DoD Instruction 8420.01, Commercial Wireless Local Area Network (WLAN) Devices, Systems, and Technologies, 3 November 2017, paragraphs 1.2.b., 1.2.h., 3.2.a., 3.2.a.(3), and 3.8.d. NSA, Commercial Solutions for Classified Data at Rest Capability Package, current edition
Checks: C-49277r770198_chk

Check to ensure the following standards concerning encryption of data-at-rest are met: In accordance with DoD policy, all unclassified DoD data that has not been approved for public release and is stored on mobile computing devices or removable storage media must be encrypted using commercially available encryption technology. This requirement includes all CUI as well as other unclassified information that has not been reviewed and approved for public release. This includes certain Personally Identifiable Information (PII). Examples of common devices requiring DAR encryption are laptops used for telework or TDY; mobile devices such as cellular phones, tablets, etc. approved for processing and storing DoD sensitive data; and CDs, thumb drives (flash media), DVDs and other removable media. See ASD(NII) Memorandum, Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage Media, 3 Jul 07, for detailed guidance.

TACTICAL ENVIRONMENT: The check is applicable for all tactical processing environments.

Fix: F-49232r770199_fix

Ensure the following standards concerning encryption of data-at-rest are met: In accordance with DoD policy, all unclassified DoD data that has not been approved for public release and is stored on mobile computing devices or removable storage media must be encrypted using commercially available encryption technology. This requirement includes all CUI as well as other unclassified information that has not been reviewed and approved for public release. This includes certain Personally Identifiable Information (PII). Examples of common devices requiring DAR encryption are laptops used for telework or TDY; mobile devices such as cellular phones, tablets, etc. approved for processing and storing DoD sensitive data; and CDs, thumb drives (flash media), DVDs and other removable media. See ASD(NII) Memorandum, Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage Media, 3 Jul 07, for detailed guidance.

b
Controlled Unclassified Information - Transmission by either Physical or Electronic Means
Medium - V-245847 - SV-245847r917355_rule
RMF Control
Severity
Medium
CCI
Version
IS-16.02.05
Vuln IDs
  • V-245847
  • V-32264
Rule IDs
  • SV-245847r917355_rule
  • SV-42581r3_rule
Failure to handle/transmit CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Executive Order 13556, Controlled Unclassified Information (CUI) The Information Security Oversight Office (ISOO): https://www.archives.gov/cui NIST FIPS 140-2, Security Requirements for Cryptographic Modules DODI 8520.2, "Public Key Infrastructure (PKI) and Public Key Enabling (PKE)" CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND); Enclosure A, paragraphs 13.a., 13.b.(2)(3), and Enclosure C, paragraphs 22.d., 25.a.,d.,e.,f., 26.j.(2), and 35.a. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-17, AC-20, IA-2, SC-8, SC-9, and SC-23. DOD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DOD Information Security Program: Protection of Classified Information; Enclosure 7, paragraph 13. DODI 5200.48 Controlled Unclassified Information (CUI)
Checks: C-49278r917250_chk

General Information: Standards for transmission for most types of CUI are the same as for FOUO but some variance does exist. Therefore, specific requirements for certain CUI may need to be checked against applicable references to ensure proper means for transmission are used.

For most CUI and FOUO specifically, check to ensure the following standards are met:

1. FOUO information and material may be transmitted via first class mail, parcel post, or, for bulk shipments, via fourth class mail.

2. Electronic transmission of FOUO information, e.g., email, shall be by approved secure communications systems or systems utilizing other protective measures such as Public Key Infrastructure (PKI) or transport layer security (e.g., https).

3. Use of wireless telephones (cellphones, wireless hand-held phones, Bluetooth, etc.) should be avoided when other options are available.

4. Transmission of FOUO by facsimile machine (fax) is permitted; the sender is responsible for determining that appropriate protection will be available at the receiving location prior to transmission (e.g., machine attended by a person authorized to receive FOUO; fax located in a controlled government environment).

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments. Not applicable to a field/mobile environment.

Fix: F-49233r917251_fix

General Information: Standards for transmission for most types of CUI are the same as for FOUO but some variance does exist. Therefore, specific requirements for certain CUI may need to be checked against applicable references to ensure proper means for transmission are used.

For most CUI and FOUO specifically, ensure the following standards are met:

1. FOUO information and material may be transmitted via first class mail, parcel post, or, for bulk shipments, via fourth class mail.

2. Electronic transmission of FOUO information, e.g., email, shall be by approved secure communications systems or systems utilizing other protective measures such as Public Key Infrastructure (PKI) or transport layer security (e.g., https).

3. Use of wireless telephones (cellphones, wireless hand-held phones, Bluetooth, etc.) should be avoided when other options are available.

4. Transmission of FOUO by facsimile machine (fax) is permitted; the sender is responsible for determining that appropriate protection will be available at the receiving location prior to transmission (e.g., machine attended by a person authorized to receive FOUO; fax located in a controlled government environment).

b
Controlled Unclassified Information - Posting Only on Web-Sites with Appropriate Encryption; not on Publicly Accessible Web-Sites.
Medium - V-245848 - SV-245848r939276_rule
RMF Control
Severity
Medium
CCI
Version
IS-16.02.06
Vuln IDs
  • V-245848
  • V-32265
Rule IDs
  • SV-245848r939276_rule
  • SV-42582r3_rule
Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Executive Order 13556, Controlled Unclassified Information (CUI) The Information Security Oversight Office (ISOO): https://www.archives.gov/cui Deputy Secretary of Defense Memorandum, "WEB Site Administration" 7 Dec 98, with attached "WEB Site Administration Policies and Procedures", 25 Nov 98. DoD 5400.7-R, DoD Freedom of Information Act Program, Sep 98. DoD 5400-11-R, Department of Defense Privacy Program, 14 May 07. DoDD 5230.09, 22 Aug 08, Clearance of DoD Information for Public Release DoDI 5230.29, 8 Jan 09, Security and Policy Review of DoD Information for Public Release. PL 104-191, 21 Aug 96, Health Insurance Portability and Accountability Act of 1996 NIST FIPS 140-2, Security Requirements for Cryptographic Modules DODI 8520.2, "Public Key Infrastructure (PKI) and Public Key Enabling (PKE)" CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND); Enclosure A, paragraph 7.a. and Enclosure C, paragraph 26.i. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-14, AC-17, IA-8 and SC-7. DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information; Enclosure 7, paragraph 13.f. DoDI 5200.48 Controlled Unclassified Information (CUI) DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 1, Section 3, paragraph 1-300.b.&c., Chapter 5, Section 5, paragraph 5-511 and Chapter 7, Section 1, paragraph 7-102.
Checks: C-49279r770204_chk

Check to ensure the following standards/guidance are adhered to:

1. FOUO, PII and other CUI may NOT be posted to publicly-accessible Internet sites and may NOT be posted to sites whose access is controlled only by domain (e.g., limited to .mil and/or .gov), as such restricted access can easily be circumvented.

2. At a minimum, posting CUI to a website requires certificate-based (e.g., common access card) or password and ID access as well as encrypted transmission using https: or similar technology. CUI other than FOUO may have additional posting restrictions.

3. See Deputy Secretary of Defense Memorandum Web Site Administration, December 7, 1998, with attached Web Site Administration Policies and Procedures, November 25, 1998, for detailed guidance.

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments where procedural documents (SOPs) should be in place. Not applicable to a field/mobile environment.

Fix: F-49234r770205_fix

Ensure the following standards/guidance are adhered to:

1. FOUO, PII and other CUI may NOT be posted to publicly-accessible Internet sites and may NOT be posted to sites whose access is controlled only by domain (e.g., limited to .mil and/or .gov), as such restricted access can easily be circumvented.

2. At a minimum, posting CUI to a website requires certificate-based (e.g., common access card) or password and ID access as well as encrypted transmission using https: or similar technology. CUI other than FOUO may have additional posting restrictions.

3. See Deputy Secretary of Defense Memorandum Web Site Administration, December 7, 1998, with attached Web Site Administration Policies and Procedures, November 25, 1998, for detailed guidance.

a
Controlled Unclassified Information (CUI) - Local Policy and Procedure
Low - V-245849 - SV-245849r917356_rule
RMF Control
Severity
Low
CCI
Version
IS-16.03.01
Vuln IDs
  • V-245849
  • V-32156
Rule IDs
  • SV-245849r917356_rule
  • SV-42473r3_rule
Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Executive Order 13556, Controlled Unclassified Information (CUI) The Information Security Oversight Office (ISOO): https://www.archives.gov/cui CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND); Enclosure C, paragraph 25.d. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-1, PL-1 and SI-1. DODI 5200.48 Controlled Unclassified Information (CUI) DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 7, Section 1, paragraph 7-101.a.(2).
Checks: C-49280r917253_chk

General Policy Guidance: All personnel of the Department of Defense are personally and individually responsible for properly protecting classified information and Controlled Unclassified Information (CUI) under their custody and control. All officials within the Department of Defense who hold command, management, or supervisory positions have specific, non-delegable responsibility for the quality of implementation and management of the information security program within their areas of responsibility.

Check: This check is specifically to ensure there are local written procedures for handling, marking, storing, destroying and transmitting Controlled Unclassified Information.

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments where procedural documents (SOPs) should be in place. Not applicable to a field/mobile environment.

Fix: F-49235r917254_fix

General Policy Guidance: All personnel of the Department of Defense are personally and individually responsible for properly protecting classified information and Controlled Unclassified Information (CUI) under their custody and control. All officials within the Department of Defense who hold command, management, or supervisory positions have specific, non-delegable responsibility for the quality of implementation and management of the information security program within their areas of responsibility.

Fix: Ensure there are local written procedures for handling, marking, storing, destroying and transmitting Controlled Unclassified Information.

a
Controlled Unclassified Information - Marking/Labeling Media within Unclassified Environments (Not Mixed with Classified)
Low - V-245850 - SV-245850r917357_rule
RMF Control
Severity
Low
CCI
Version
IS-16.03.02
Vuln IDs
  • V-245850
  • V-32262
Rule IDs
  • SV-245850r917357_rule
  • SV-42579r3_rule
Failure to mark CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Executive Order 13556, Controlled Unclassified Information (CUI) The Information Security Oversight Office (ISOO): https://www.archives.gov/cui CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND); Enclosure A, paragraph 6.a. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-3. DODI 5200.48 Controlled Unclassified Information (CUI) DOD 5200.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 4 and Chapter 8, Section 3, paragraph 8-302.g.(1).
Checks: C-49281r917256_chk

General Information: This check is only for unclassified/sensitive media being used in a strictly unclassified physical environment. If all Controlled Unclassified Information (CUI) media are in a mixed environment where classified systems and media are in use, then STIG ID IS-03.02.01 applies and this check is NA.

Check to ensure the following standard is met: Regardless of media type, the requirement to identify as clearly as possible the information requiring protection remains. Therefore, check to ensure that all unclassified media containing CUI is properly marked according to content. Where it is not feasible to include markings with all of the information required for classified or sensitive documents or media, an explanatory statement that provides the required information shall be included on the item or with the documentation that accompanies it. While For Official Use Only (FOUO) is the primary CUI marking used in DOD, all types of CUI markings must be considered for use as appropriate. For instance, "Law Enforcement Sensitive" is a marking sometimes applied, in addition to the marking "FOR OFFICIAL USE ONLY," by the Department of Justice and other activities in the law enforcement community, including those within the Department of Defense.

TACTICAL ENVIRONMENT: The check is applicable for all fixed tactical processing environments where CUI is developed and used. Not applicable to a field/mobile environment.

Fix: F-49236r917257_fix

General Information: This fix is only for unclassified/sensitive media being used in a strictly unclassified physical environment. If all Controlled Unclassified Information (CUI) media are in a mixed environment where classified systems and media are in use, then STIG ID IS-03.02.01 applies and this potential vulnerability is NA.

Ensure the following standard is met: Regardless of media type, the requirement to identify as clearly as possible the information requiring protection remains. Therefore, ensure that all unclassified media containing CUI is properly marked according to content. Where it is not feasible to include markings with all of the information required for classified or sensitive documents or media, an explanatory statement that provides the required information shall be included on the item or with the documentation that accompanies it. While For Official Use Only (FOUO) is the primary CUI marking used in DOD, all types of CUI markings must be considered for use as appropriate. For instance, "Law Enforcement Sensitive" is a marking sometimes applied, in addition to the marking "FOR OFFICIAL USE ONLY," by the Department of Justice and other activities in the law enforcement community, including those within the Department of Defense.

a
Classified Annual Review
Low - V-245851 - SV-245851r917358_rule
RMF Control
Severity
Low
CCI
Version
IS-17.03.01
Vuln IDs
  • V-245851
  • V-32321
Rule IDs
  • SV-245851r917358_rule
  • SV-42658r3_rule
Failure to conduct the annual review and clean out day can result in an excessive amount of classified (including IS storage media) being on hand and therefore being harder to account for, resulting in the possibility of loss or compromise of classified or sensitive information. REFERENCES: DOD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DOD Information Security Program: Protection of Classified Information; Enclosure 3, paragraph 17.b. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND); Enclosure C, paragraph 34.a. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PS-1. DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 7, paragraph 5-700.b.
Checks: C-49282r770213_chk

Check #1. Check to ensure there are written procedures for the annual review and clean out of classified material.

Check #2. Check to ensure there is a memorandum or some form of documentation covering results of the last clean out day. This is to validate actual completion of the requirement.

TACTICAL ENVIRONMENT: This check is not applicable for fixed (established) tactical processing environments and is not applicable to a field/mobile environment. Classified documents and materials in these environments should be properly disposed of as soon as possible after it is determined there is no longer a need for them.

Fix: F-49237r917259_fix

1. Ensure there are written procedures for the annual review and clean out of classified material.

2. Ensure the memorandum for the annual clean-out includes the number of security containers checked and the amount of classified material destroyed.

a
Position of Trust - Knowledge of Responsibility to Self Report Derogatory Information
Low - V-245852 - SV-245852r917359_rule
RMF Control
Severity
Low
CCI
Version
PE-01.03.01
Vuln IDs
  • V-245852
  • V-32336
Rule IDs
  • SV-245852r917359_rule
  • SV-42673r3_rule
Failure to inform personnel of the expected standards of conduct while holding a position of trust and their responsibility to self-report derogatory information to the organization security manager can result in conduct by the individual that will require them being removed from that position. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND); Enclosure A, paragraph 7.f. and Enclosure C, paragraph 4.e. and 5. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PS-1, PS-6, AT-1, AT-3 and PL-4. DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter paragraphs 3-107.d. and 3-108. DOD Manual 5200.02, Procedures for the DOD Personnel Security Program (PSP), April 3, 2017, Paragraphs 7.4. ADJUDICATIVE GUIDELINES, 9.2., 11.2. a. (1), (2), (3) and b. 12.1. White House Memorandum and Intelligence Community Policy Guidance 704.2, December 29, 2005, Subject: Adjudicative Guidelines DOD 5200.2-R, Personnel Security Program, Chapter 9, paragraph C9.1.4 - Individual Responsibility (rescinded but provided for purpose of historical reference).
Checks: C-49283r917261_chk

Check to ensure that individuals are familiar with pertinent personnel security regulations, such as DOD Manual 5200.02, and are aware of the standards of conduct required of persons holding positions of trust, including (and especially) the requirement to report derogatory information to their local security manager. This check can be validated by:

1. Checking organizational personnel security initial and annual refresher training records to ensure that the topic of standards of conduct for individuals holding a security clearance and each individual's responsibility to self-report derogatory information to their security manager are covered.

2. Conducting a general survey of multiple employees to determine if they understand the standards of conduct and their responsibility to self-report. The results should be based on a compilation of survey results rather than a single instance of an employee who is not familiar with personal responsibilities (standards and self-reporting).

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments AND is applicable to a field/mobile environment.

Fix: F-49238r917262_fix

Ensure that individuals are familiar with pertinent personnel security regulations, such as DOD Manual 5200.02, and are aware of the standards of conduct required of persons holding positions of trust, including (and especially) the requirement to report derogatory information to their local security manager. Compliance can be validated by:

1. Ensuring that organizational personnel security initial and annual refresher training records include the topic of standards of conduct for individuals holding a security clearance in addition to covering each individual's responsibility to self-report derogatory information to their security manager.

2. Conducting a general survey of multiple employees to ascertain their familiarity with personal responsibilities while holding a security clearance.

a
Position of Trust - Local Policy Covering Employee Personal Standards of Conduct and Responsibilities
Low - V-245853 - SV-245853r822918_rule
RMF Control
Severity
Low
CCI
Version
PE-01.03.02
Vuln IDs
  • V-245853
  • V-32340
Rule IDs
  • SV-245853r822918_rule
  • SV-42677r3_rule
Failure to inform personnel of the expected standards of conduct while holding a position of trust can result in conduct by the individual that will require them being removed from that position and/or result in an untrustworthy person continuing in a position of trust without proper vetting of new derogatory information. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND); Enclosure A, paragraph 7.f. and Enclosure C, paragraph 4.e. and 5. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PS-1, PS-6, AT-1, AT-3 and PL-4. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter paragraphs 3-107.d. and 3-108. DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), April 3, 2017, Paragraphs 7.4. ADJUDICATIVE GUIDELINES, 9.2., 11.2. a. (1), (2), (3) and b. 12.1. White House Memorandum and Intelligence Community Policy Guidance 704.2, December 29, 2005, Subject: Adjudicative Guidelines DoD 5200.2-R, Personnel Security Program, Chapter 9, paragraph C9.1.2 - Management Responsibility (rescinded but provided for purpose of historical perspective/reference).
Checks: C-49284r770219_chk

Check to ensure that a local policy exists and is readily available to employees that informs them about pertinent security regulations and the standards of conduct required of persons holding positions of trust, including (and especially) the requirement to report derogatory information to their local security manager. SOPs should be readily available to all employees in a common reading library or, more efficiently, accessible online in a common file or organization intranet.

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments where procedural documents (SOPs) should be in place. Not applicable to a field/mobile environment.

Fix: F-49239r770220_fix

Ensure that a local policy exists and is readily available to employees that informs them about pertinent security regulations and the standards of conduct required of persons holding positions of trust, including (and especially) the requirement to report derogatory information to their local security manager. SOPs should be readily available to all employees in a common reading library or, more efficiently, accessible online in a common file or organization intranet.

a
Position of Trust - Training Covering Employee Standards of Conduct and Personal Responsibilities
Low - V-245854 - SV-245854r822919_rule
RMF Control
Severity
Low
CCI
Version
PE-01.03.03
Vuln IDs
  • V-245854
  • V-32341
Rule IDs
  • SV-245854r822919_rule
  • SV-42678r3_rule
Failure to inform personnel of the expected standards of conduct while holding a position of trust can result in conduct by the individual that will require them being removed from that position or result in a person no longer meeting standards criteria continuing to hold a position of trust without proper vetting for suitability. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND); Enclosure A, paragraph 7.f. & 11. and Enclosure C, paragraph 4.e. & 5. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PS-1, PS-6, AT-1, AT-3 and PL-4. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 1, Section 2, paragraph 1-205 and Chapter 3. DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), April 3, 2017, Paragraphs 9.2.,11.2.a. and 12.1. DoD 5200.2-R, Personnel Security Program, Chapter 2, paragraph C2.2., Chapter 9, paragraphs C9.1.4. & C9.2.3. (rescinded but provided for purpose of historical perspective/reference).
Checks: C-49285r770222_chk

General Information: The effectiveness of an individual in meeting security responsibilities is proportional to the degree to which the individual understands them. Thus, an integral part of the DoD security program is the indoctrination and continuous training of individuals on their security responsibilities.

CHECK to ensure that Standards of Conduct and Personal Responsibilities are covered in initial, annual refresher and termination training/briefings.

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments where procedural documents (SOPs) should be in place. Not applicable to a field/mobile environment.

Fix: F-49240r770223_fix

General Information: The effectiveness of an individual in meeting security responsibilities is proportional to the degree to which the individual understands them. Thus, an integral part of the DoD security program is the indoctrination and continuous training of individuals on their security responsibilities. FIX: Ensure that Standards of Conduct and Personal Responsibilities are covered in initial, annual refresher and termination training/briefings.

Validation Procedures for Security Clearance Issuance (Classified Systems and/or Physical Access Granted)
Medium - V-245856 - SV-245856r1008552_rule
RMF Control
Severity
Medium
CCI
Version
PE-03.02.01
Vuln IDs
  • V-245856
  • V-32343
Rule IDs
  • SV-245856r1008552_rule
  • SV-42680r3_rule
Failure to properly verify security clearance status could result in an unauthorized person having access to a classified information system or an authorized person being unable to perform assigned duties. REFERENCES: DOD 8570.01-M, Information Assurance Workforce Improvement Program, 19 December 2005, Incorporating Change 4, 11/10/2015 CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND): Enclosure C, paragraphs 26.c.(2) (3) and 27.f.(5) (6) NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-1, MA-5, PE-2, PE-3, and PS-2 DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 2, Section 2 and Chapter 8, Section 3, paragraph 8-302.a. Personnel Security. DOD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DOD Information Security Program: Protection of Classified Information: Enclosure 2, paragraphs 1 and 3 DOD Manual 5200.02, Procedures for the DOD Personnel Security Program (PSP), April 3, 2017, Paragraphs 3.1.c., 4.1. Civilian Personnel, 4.2. Military Personnel, 4.3. Contractors, 4.4. Consultants. 4.5. Non-U.S. Citizens Employed Overseas in Support of National Security Positions. 4.6. Temporary Employees, 5A.2. Verify Eligibility, and Glossary G.2. Definitions: LAA. Now Cancelled: DOD 5200.2-R, Personnel Security Program, Chapter 3, para C3.4.3., Chapter 7 para C7.1.2. C7.1.3. and Appendix 9, para AP9.2. & AP9.3.6.2. DODD 5230.20; Visits, Assignments, and Exchanges of Foreign Nationals Paragraph 4.4. DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information: Paragraphs 4.6.3., E2.1.4, Enclosure 3 and Enclosure 4.
Checks: C-49287r1008551_chk

BACKGROUND: When checking how an organization validates security clearance information for either systems or physical access, the first thing to consider is that there are various categories of personnel, each with its own associated considerations. These categories include: Military employees, Government Civilian employees, Contract employees, Foreign Nationals, Local National employees under a Status of Forces Agreement (SOFA), and Visitors. Generally, an organization's validation of security clearance levels should come from official databases such as DISS, DCII, a service or agency database, or a "high level" (major subordinate command) headquarters security office. Also note that organization manning (staffing) documents should include the required clearance level for each assigned Military and Civilian position. Staffing documents should be requested by inspectors for review. The minimum security clearance requirement for systems access to the SIPRNet, or unescorted access to the physical environment surrounding SIPRNet system information technology assets, is secret. Local procedures must be developed for verifying that all personnel with access to classified information systems (logical or physical access) have the appropriate security clearance and access authorization. Inspectors should review local procedures.
Checks:
Check #1. Review a sample of the organization's personnel security records (from local databases, physical files, DISS...) and compare with applicable System Access Authorization Request (SAAR) forms to ensure proper validation of clearance levels for access to the SIPRNet (both logical systems access and/or physical access to SIPRNet environments). A minimum of a secret security clearance is required. Check organizational records against the DISS database if possible. Ensure that organizational manning records (security clearance requirements for the position occupied) match the actual security clearance held by the incumbent employee (military or DOD civilian) as reflected in DISS. Because it is generally not feasible to review all records, it is recommended to select, where possible, ALL those who have privileged systems access or responsibility for oversight of systems security (such as SAs, ISSM, ISSOs, Network Admin, etc.) along with key management personnel (commander/director, ISSM, division/branch chiefs, etc.) and supplement with a random sample of those with basic "user" access to systems.
Check #2. If there are contractor employees with classified systems access (SIPRNet) (both logical and/or physical access), check to ensure there is a Statement of Work with an accompanying DD 254 ("Classified" Contract Security Specification) that covers security clearance requirements for each type of work (or specified positions) being performed by contractors.
Check #3. Check to ensure that contractor employees performing the tasks outlined in the Statement of Work and/or DD Form 254 actually have the security clearance required by the contract (minimum secret for SIPRNet access). If possible, validate this in the DISS database.
Check #4. Check that a delegation of disclosure authority letter (DDL) is on hand in all cases where US Classified information is released/shared with Foreign National Exchange or Liaison personnel who are either assigned to or visiting the site. The DDL will reflect the level of security clearance the FN official has and the level and type of information authorized to be shared.
Check #5. Check to ensure that a Limited Access Authorization (LAA) is on hand when system access (or physical access) to classified information is granted to an immigrant alien or a foreign national not associated with or representing a foreign government.
TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments and is also applicable to a field/mobile environment.

Fix: F-49242r917265_fix

Background Information: When developing an organizational program to validate security clearance information for systems access and/or physical access to SIPRNet work environments, the first thing to consider is that there are various categories of personnel, each with its own associated considerations. These categories include: Military employees, Government Civilian employees, Contract employees, Foreign Nationals, Local National employees under a Status of Forces Agreement (SOFA), and Visitors. The minimum security clearance requirement for systems access to the SIPRNet, or unescorted access to the physical environment surrounding SIPRNet system information technology assets, is secret. Generally, an organization's validation of security clearance levels should come from official databases such as DISS, DCII, a service or agency database, or a "high level" (major subordinate command) headquarters security office. Also note that organization manning (staffing) documents should include the required clearance level for each assigned Military and Civilian position. Local procedures must be developed for verifying that all personnel with access to classified information systems (logical or physical access) have the appropriate security clearance and access authorization.
Fixes:
1. Ensure that organizational manning (staffing) records (security clearance requirements for the position occupied) match the actual security clearance held by the incumbent employee (military or DOD civilian) as reflected in DISS. Review all the organization's personnel security records and compare with applicable System Access Authorization Request (SAAR) forms to ensure proper validation of clearance levels. Be especially aware of ALL those who have "privileged" systems access or responsibility for systems security oversight (such as SAs, ISSM, ISSOs, Network Admin, etc.) and ensure that correct clearance and IT assurance levels have been granted.
2. If there are contract employees with systems and/or physical access to SIPRNet, ensure there is a Statement of Work with an accompanying DD 254 (Contract Security Specification) that covers security clearance requirements for each type of work being performed by contractors. Review contractor records (those physically assigned to the site or working remotely on projects for the organization) to ensure they actually have the required security clearances.
3. Ensure that a delegation of disclosure authority letter (DDL) is on hand in all cases where US Classified information is released/shared with Foreign National Exchange or Liaison personnel.
4. Ensure that a Limited Access Authorization (LAA) is on hand when system access to classified information is granted to an immigrant alien or a foreign national not associated with or representing a foreign government.
5. Ensure there is an organizational procedure developed to outline the methodology for validation and maintenance of required security clearances.

Out-processing Procedures for Departing or Terminated Employees (Military, Government Civilian and Contractor)
Low - V-245860 - SV-245860r822921_rule
RMF Control
Severity
Low
CCI
Version
PE-07.03.01
Vuln IDs
  • V-245860
  • V-32425
Rule IDs
  • SV-245860r822921_rule
  • SV-42762r3_rule
Failure to properly out-process through the security section allows the possibility of continued (unauthorized) access to the facility and/or the systems. REFERENCES: DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information Appendix to Encl 3, paragraph 3.a.(4). and Enclosure 5, paragraph 9. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 1, paragraph 1-206. and Chapter 3, paragraph 3-109. DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), April 3, 2017, Chapter 12, paragraph 12.1.b.&f., Appendix G.2. Definitions, JPAS NIST Special Publication 800-53 (SP 800-53) Controls: AC-1, AC-2, PE-3, PS-4, and PS-5 CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), 9 February 2011 Enclosure C, para 11
Checks: C-49291r770240_chk

Check to ensure the organization has documented out-processing procedures. Review a sampling of personnel security files of departed personnel to ensure compliance. Files of departed personnel should be maintained by an organization for at least 90 days. Ensure the procedures and records of departed employees reviewed include:
- Removal from access to Government Information Systems,
- Turning in all access badges, classified and/or sensitive information,
- Removal from automated entry control systems (AECS), and
- Signing of an SF 312 acknowledging a security debriefing.
NOTE: The SF 312 is only applicable for those persons holding a security clearance.
TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments where procedural documents (SOPs) and personnel records should be in place. Not applicable to a field/mobile environment.

Fix: F-49246r770241_fix

Ensure there are local procedures covering the out-processing of departing employees (Military, Government Civilian and Contractor) and that records of departed employees on hand reflect that out-processing was conducted. Out-processing records should be retained for a minimum of 90 days. Ensure that out-processing procedures and records include:
- Removal from access to Government Information Systems,
- Turning in all access badges, classified and/or sensitive information,
- Removal from automated entry control systems (AECS), and
- Signing of an SF 312 acknowledging a security debriefing.
NOTE: The SF 312 is only applicable for those persons holding a security clearance.

Intrusion Detection System (IDS) Monitoring Station Personnel - Suitability Checks
Medium - V-245861 - SV-245861r822922_rule
RMF Control
Severity
Medium
CCI
Version
PE-08.02.01
Vuln IDs
  • V-245861
  • V-32457
Rule IDs
  • SV-245861r822922_rule
  • SV-42794r3_rule
Failure to subject personnel who monitor the IDS alarms to a trustworthiness determination can result in the inadvertent or deliberate unauthorized access to, or release of classified material. REFERENCES: DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information Appendix to Enclosure 3, para 2.f.(1)&(2) DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 9, paragraphs 5-902.b. & 5-906 NIST Special Publication 800-53 (SP 800-53) Control: PS-2 and PS-3 CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), 9 February 2011 Encl A para 7.f. and Encl D Reference q Legacy DOD 5200.2-R; Personnel Security Program Paragraph C3.1.2.1.2.5. Current DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP) 3 April 2017, Paragraph 4.1.a.(3)
Checks: C-49292r770243_chk

Check that IDS protecting vaults, secure rooms, alarmed Protected Distribution Systems (PDS), or other spaces containing SIPRNet assets is monitored by U.S. personnel who have been subject to a trustworthiness check IAW DoD Manual 5200.02.
For Industrial Security (Contractor sites) ONLY: Minimally, SECRET-cleared central station employees shall be in attendance at the alarm monitoring station in sufficient number to monitor each alarmed area within the cleared contractor facility IAW NISPOM requirements.
For all other DoD locations: Minimally, monitoring station personnel must be subjects of a successfully adjudicated Tier 3 investigation or an older NACLAC and ANACI that is still within scope.
TACTICAL ENVIRONMENT APPLICABILITY: Apply to fixed tactical environments where IDS is installed to protect SIPRNet and other DoDIN (AKA: DISN) connected assets.

Fix: F-49247r770244_fix

Ensure that IDS protecting vaults, secure rooms, alarmed Protected Distribution Systems (PDS), or other spaces containing SIPRNet assets is monitored by U.S. personnel who have been subject to a trustworthiness check IAW DoD Manual 5200.02.
For Industrial Security (Contractor sites) ONLY: Minimally, SECRET-cleared central station employees shall be in attendance at the alarm monitoring station in sufficient number to monitor each alarmed area within the cleared contractor facility IAW NISPOM requirements.
For all other DoD locations: Minimally, monitoring station personnel must be subjects of a successfully adjudicated Tier 3 investigation or an older NACLAC and ANACI that is still within scope.

Intrusion Detection System (IDS) Installation and Maintenance Personnel - Suitability Checks
Medium - V-245862 - SV-245862r822923_rule
RMF Control
Severity
Medium
CCI
Version
PE-08.02.02
Vuln IDs
  • V-245862
  • V-32477
Rule IDs
  • SV-245862r822923_rule
  • SV-42814r3_rule
Failure to subject personnel who install and maintain the IDS alarms to a trustworthiness determination can result in the inadvertent or deliberate unauthorized exposure to or release of classified material. REFERENCES: DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information Appendix to Enclosure 3, para 2.f.(1)&(2) DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 9, paragraphs 5-902.b. & 5-906 NIST Special Publication 800-53 (SP 800-53) Control: PS-2 and PS-3 CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), 9 February 2011 Encl A para 7.f. and Encl D Reference q Legacy DOD 5200.2-R; Personnel Security Program Paragraph C3.1.2.1.2.5. Current DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP) 3 April 2017, Paragraph 4.1.a.(3)
Checks: C-49293r770246_chk

Check physical IDS protecting vaults, secure rooms or spaces containing SIPRNet assets to ensure that installation and maintenance is accomplished by U.S. citizens who have been subjected to a trustworthiness determination in accordance with DoD Manual 5200.02. Minimally, installation and maintenance personnel must be subjects of a successfully adjudicated Tier 3 investigation or an older NACLAC and ANACI that is still within scope.
TACTICAL ENVIRONMENT APPLICABILITY: Apply to fixed tactical environments where IDS is installed to protect SIPRNet and other DoDIN (AKA: DISN) connected assets.

Fix: F-49248r770247_fix

Ensure that installation and maintenance of physical IDS protecting vaults, secure rooms or spaces containing SIPRNet assets is accomplished by U.S. citizens who have been subjected to a trustworthiness determination in accordance with DoD Manual 5200.02. Minimally, installation and maintenance personnel must be subjects of a successfully adjudicated Tier 3 investigation or an older NACLAC and ANACI that is still within scope.

Physical Security Program - Physical Security Plan (PSP) and/or Systems Security Plan (SSP) Development and Implementation with Consideration/Focus on Protection of Information System Assets in the Physical Environment
Low - V-245863 - SV-245863r822925_rule
RMF Control
Severity
Low
CCI
Version
PH-01.03.01
Vuln IDs
  • V-245863
  • V-32482
Rule IDs
  • SV-245863r822925_rule
  • SV-42819r3_rule
Failure to have a well-documented Physical Security/Systems Security program will result in an increased risk to DoD Information Systems, including personnel, equipment, media, material and documents. REFERENCES: DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 8, Section 1, paragraphs 8-100, 8-101, 8-102, 8-301 and 8-302.b.&c. DoD 5200.8-R Physical Security Program Chapters 1, 2 and 3 DoD Manual 5200.08 Volume 3, Physical Security Program: Access to DoD Installations, 2 January 2019 NIST Special Publication 800-53 (SP 800-53) Controls: PE-1 through PE-20 and PL-1 & PL-2 CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), 9 February 2011 Encl A, para 5.a.(1), Encl C, para: 24.j., 27., 28.b., and 34.
Checks: C-49294r770249_chk

1. Check to ensure there is a Physical Security Plan (PSP), either an organizational/site AND/OR an installation security plan, in which granular security concerns and procedures at the site are addressed and considered.
NOTE 1: If a higher level installation or base plan is used, ensure that it specifically addresses security concerns/procedures for the inspected organization or site. Ideally, a local site or organization should always be included in the host installation security plan. If not, then a separately developed local (site/organization) Physical Security Plan (and/or Systems Security Plan (SSP)) is required, which integrates local security procedures for the site with the security-in-depth (SID) measures detailed in the host installation PSP. The installation level PSP will likely not address granular security concerns for computer rooms and areas hosting information systems assets at individual installation sites. Therefore the local organization(s) should still document specific protection measures covering SIPRNet and/or NIPRNet assets in a local PSP or in an SSP.
2. Check to ensure security requirements of the computer room(s) (SIPRNet and/or NIPRNet) and collateral classified open storage areas (as applicable) are addressed and that guidance is provided to counter threats during peacetime, transition to war, and in wartime.
3. Check to ensure the plan also addresses entry/access control procedures for the facility overall and for individual computer rooms/secure rooms or other areas housing network equipment (routers/crypto/switches, etc.). Use of an AECS, guards, lock & key systems, cipher locks, etc. should be specifically and thoroughly addressed in the plan.
4. Check to ensure that access control procedures cover requirements for various categories of persons expected to access the facility, such as employees, visitors, vendors, facility maintenance, and foreign nationals.
NOTE 2: To be complete, the plan should specifically address access control of vendors (i.e., vending machine deliveries), cleaning and food service personnel, cleared versus uncleared visitors, foreign national (FN) visitors, and FN employees (OCONUS SOFA, liaison, exchange and REL partners).
5. Finally, check to ensure the plan addresses security measures and response (Emergency Planning Measures) to include application of Force Protection Conditions, anti-terrorism planning and measures, civil disturbances, natural disasters, crime and any other possible local disruptions of the mission. A thorough plan will include measures designed to detect, delay, assess and respond to intrusions and other emergency situations.
NOTE 3: If the plan or any of the critical elements of the plan (everything mentioned here) applicable to the specific site are missing, a finding should be written.
TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments where procedural documents (SOPs) should be in place. Not applicable to a field/mobile environment.

Fix: F-49249r822924_fix

1. Ensure there is a Physical Security Plan (PSP), either an organizational/site AND/OR an installation security plan, in which granular security concerns and procedures at the site are addressed and considered.
NOTE 1: If a higher level installation or base plan is used, ensure that it specifically addresses security concerns/procedures for the inspected organization or site. Ideally, a local site or organization should always be included in the host installation security plan. If not, then a separately developed local (site/organization) Physical Security Plan (and/or Systems Security Plan (SSP)) is required, which integrates local security procedures for the site with the security-in-depth (SID) measures detailed in the host installation PSP. The installation level PSP will likely not address granular security concerns for computer rooms and areas hosting information systems assets at individual installation sites. Therefore the local organization(s) should still document specific protection measures covering SIPRNet and/or NIPRNet assets in a local PSP or in an SSP.
2. Ensure security requirements of the computer room(s) (SIPRNet and/or NIPRNet) and collateral classified open storage areas (as applicable) are addressed and that guidance is provided to counter threats during peacetime, transition to war, and in wartime.
3. Ensure the plan also addresses entry/access control procedures for the facility overall and for individual computer rooms/secure rooms or other areas housing network equipment (routers/crypto/switches, etc.). Use of an AECS, guards, lock & key systems, cipher locks, etc. should be specifically and thoroughly addressed in the plan.
4. Ensure that access control procedures cover requirements for various categories of persons expected to access the facility, such as employees, visitors, vendors, facility maintenance, and foreign nationals.
NOTE 2: To be complete, the plan should specifically address access control of vendors (i.e., vending machine deliveries), cleaning and food service personnel, cleared versus uncleared visitors, foreign national (FN) visitors, and FN employees (OCONUS SOFA, liaison, exchange and REL partners).
5. Finally, ensure the plan addresses security measures and response (Emergency Planning Measures) to include application of Force Protection Conditions, anti-terrorism planning and measures, civil disturbances, natural disasters, crime and any other possible local disruptions of the mission. A thorough plan will include measures designed to detect, delay, assess and respond to intrusions and other emergency situations.

Risk Assessment -Holistic Review (site/environment/information systems)
Medium - V-245864 - SV-245864r822927_rule
RMF Control
Severity
Medium
CCI
Version
PH-02.02.01
Vuln IDs
  • V-245864
  • V-32541
Rule IDs
  • SV-245864r822927_rule
  • SV-42878r3_rule
Failure to conduct a risk analysis could result in not implementing an effective countermeasure to a vulnerability, or in wasting resources on ineffective measures, leading to a possible loss of classified material, equipment, facilities, or personnel. REFERENCES: DoD 5220.22-M (NISPOM), February 2006, Incorporating Change 2, May 18, 2016 Chap 1, Section 2, para 1-207a.(1) & b.; Chap 8 Sec 1, para 8-100.a., d. & e., 8-101., 8-102., 8-201., 8-202., 8-301., and 8-304.b. NIST Special Publication 800-53 (SP 800-53) Controls: PE-18(1), PL-1, PL-2, PS-1, RA-1, RA-3 DoD 5200.8-R Physical Security Program Definitions: 1.13, 1.14., 1.15., 1.22.; Chap 1, C1.2.3. C1.2.4. and Chap 2, C2.1.3.3. DoD Manual 5200.08 Volume 3, Physical Security Program: Access to DoD Installations, 2 January 2019 DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information Encl 2, para 10.; Encl 3, para 4.; Appendix to Encl 3, para 2.a. and Encl 7 para 4.c. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), 9 February 2011 Encl A, para 12; Encl B, para 2.d(3), 2.g., and 3.h.; Encl C, para 3.a., 6.b.(6) and 33. DoD Instruction 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), March 13, 2014 DoD Instruction 8500.01, "Cybersecurity," March 13, 2014 Encl 2, paragraph 2.k., 9.q., 15.e. and Encl 3, paragraph 2. (*2.f.) & 9.b.(5) NIST SP 800-30, Guide for Conducting Risk Assessments NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems
Checks: C-49295r770252_chk

1. Check that there is a "Holistic" Risk Assessment (RA) for the site that includes consideration of environmental hazards, weather hazards, criminal and terrorist hazards, insider threat hazards and any other threats that could possibly impact the Confidentiality/Integrity/Availability (CIA) of the Information Technology (IT) facility and/or Information System (IS) equipment.
2. Check to ensure the RA is revalidated/updated at least annually.
3. Check to ensure the current site commander/director signed the risk assessment in conjunction with or in coordination with the Authorizing Officials (AOs) for resident system(s), signifying acceptance of any residual risk.
NOTE 1: While an AO-signed ATO does in fact signify acceptance of risk for specific systems, this alone does not meet the requirement for a formal risk assessment, which is a very specific and separate individual document.
NOTE 2: Conducting a risk analysis is not just a simple paperwork drill, or at least it should not be. Often organizations take a risk analysis template and simply insert their organization's information, local environmental information, etc., but do not do a good job of actually assessing threats and the countermeasures in place (or that can be applied) to come up with an acceptable level of residual risk. A good risk assessment is a team effort (security, IA, COOP, engineers, safety, management...) and should be headed by someone with at least some training in conducting risk assessments.
NOTE 3: Training is offered by the Defense Security Service (DSS) Academy in Linthicum, MD, among others.
NOTE 4: NIST SP 800-30, Guide for Conducting Risk Assessments, provides a widely used format and instructions for conducting an RA. Reviewers should recommend sites use this publication as the basis for conducting their RA.
NOTE 5: Time permitting, the reviewer should make recommendations for improving the risk analysis process at a site, since this is a critical element in any effective security management program.
NOTE 6: When there is a government/DoD contract with an industry partner, the government sponsor is inherently and ultimately responsible for risk-based decisions. The contractor only performs mission-related tasks IAW contract specifications (e.g., statement of work (SOW)), which should ideally include guidance for risk assessment and acceptance. Hence, while the industry partner can prepare and coordinate the risk assessment, it is the government/DoD customer who has the ultimate responsibility for accepting and coordinating risk based on their mission requirements. Therefore, the head of the contract sponsoring organization must approve/sign the risk assessment/acceptance of residual risk. The Authorizing Official (AO) for industry locations is the Defense Security Service (DSS) Cognizant Security Office (CSO). Each CSO appoints an AO for system-related risk evaluation.
NOTE 7: A thorough organizational risk assessment and acceptance of residual risk should be properly coordinated with all stakeholders to ensure there are no conflicts or issues. This must include the Authorizing Official (AO), and should also include, where appropriate, the DISN Connection Approval Office (CAO), the Program Management Office (PMO), local law enforcement, fire/safety, Counter Intelligence (CI) Support, and the Federal Emergency Management Agency (FEMA) along with state and local emergency management counterparts as applicable. The government Contracting Officer and/or Contracting Officer's Representative (COR) should inherently be included for coordination with all contractor-related risk assessments.
TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments where procedural documents (SOPs) should be in place. Not applicable to a field/mobile environment.

Fix: F-49250r822926_fix

1. Ensure there is a "Holistic" Risk Assessment (RA) for the site that includes consideration of environmental hazards, weather hazards, criminal and terrorist hazards, insider threat hazards and any other threats that could possibly impact the Confidentiality/Integrity/Availability (CIA) of the Information Technology (IT) facility and/or Information System (IS) equipment.
2. Ensure the RA is revalidated/updated at least annually.
3. Ensure the current site commander/director signed the risk assessment in conjunction with or in coordination with the AOs for resident system(s), signifying acceptance of any residual risk.
NOTE 1: While an AO-signed ATO does in fact signify acceptance of risk for specific systems, this alone does not meet the requirement for a formal risk assessment, which is a very specific and separate individual document.
NOTE 2: Conducting a risk analysis is not just a simple paperwork drill, or at least it should not be. Often organizations take a risk analysis template and simply insert their organization's information, local environmental information, etc., but do not do a good job of actually assessing threats and the countermeasures in place (or that can be applied) to come up with an acceptable level of residual risk. A good risk assessment is a team effort (security, IA, COOP, engineers, safety, management...) and should be headed by someone with at least some training in conducting risk assessments.
NOTE 3: Training is offered by the Defense Security Service (DSS) Academy in Linthicum, MD, among others.
NOTE 4: NIST SP 800-30, Guide for Conducting Risk Assessments, provides a widely used format and instructions for conducting an RA. Reviewers should recommend sites use this publication as the basis for conducting their RA.
NOTE 5: When there is a government/DoD contract with an industry partner, the government sponsor is inherently and ultimately responsible for risk-based decisions. The contractor only performs mission-related tasks IAW contract specifications (e.g., statement of work (SOW)), which should ideally include guidance for risk assessment and acceptance. Hence, while the industry partner can prepare and coordinate the risk assessment, it is the government/DoD customer who has the ultimate responsibility for accepting and coordinating risk based on their mission requirements. Therefore, the head of the contract sponsoring organization must approve/sign the risk assessment/acceptance of residual risk. The Authorizing Official (AO) for industry locations is the Defense Security Service (DSS) Cognizant Security Office (CSO). Each CSO appoints an AO for system-related risk evaluation.
NOTE 6: A thorough organizational risk assessment and acceptance of residual risk should be properly coordinated with all stakeholders to ensure there are no conflicts or issues. This must include the Authorizing Official (AO), and should also include, where appropriate, the DISN Connection Approval Office (CAO), the Program Management Office (PMO), local law enforcement, fire/safety, Counter Intelligence (CI) Support, and the Federal Emergency Management Agency (FEMA) along with state and local emergency management counterparts as applicable. The government Contracting Officer and/or Contracting Officer's Representative (COR) should inherently be included for coordination with all contractor-related risk assessments.

Physical Protection of Unclassified Key System Devices/Computer Rooms in Large Processing Facilities
Medium - V-245865 - SV-245865r822928_rule
RMF Control
Severity
Medium
CCI
Version
PH-03.02.01
Vuln IDs
  • V-245865
  • V-32580
Rule IDs
  • SV-245865r822928_rule
  • SV-42917r3_rule
Allowing access to systems processing sensitive information by personnel without the need-to-know could permit loss or destruction of data or equipment, or a denial of service. Loss could be accidental damage or intentional theft or sabotage.

REFERENCES:
DoD 5220.22-M (NISPOM), February 2006, Incorporating Change 2, May 18, 2016, Chapter 8, IS Security
DoD 5200.8-R Physical Security Program, Chapters 1, 2 and 3
DoD Manual 5200.08 Volume 3, Physical Security Program: Access to DoD Installations, 2 January 2019
NIST Special Publication 800-53 (SP 800-53) Controls: PE-2, PE-3, PE-4, PE-6 and PE-18
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), 9 February 2011, Encl C, para 34.
DoDI 8500.01, Cybersecurity, March 14, 2014, Enclosure 2, paragraph 13.s.
DoD Manual 5200.01, Volume 4, February 24, 2012, SUBJECT: DoD Information Security Program: Controlled Unclassified Information (CUI)
Checks: C-49296r770255_chk

1. Check to ensure that Unclassified system assets (servers, DASD, tape drives, hubs, etc.) are protected in secure locked/access controlled rooms or closets and maintained separately from general employee access.

NOTE 1: This check concerns protection of "ONLY UNCLASSIFIED" System and Network Devices.

NOTE 2: While not required, the ideal situation with larger computer systems is to locate all major system components within "raised floor" computer rooms. Regardless of the location, the key factor in determining acceptable security compliance is whether the equipment is accessible only to properly vetted persons who require unescorted access to the equipment for performance of duties.

NOTE 3: While not preferred, if space and/or the size of the Information System (IS) assets do not allow for them to be housed in a secure room or closet, they may be maintained in locked IS cabinets that preclude ease of access by unauthorized individuals.

2. Check to ensure that properly managed Automated Entry Control Systems (AECS), mechanical access devices such as cipher locks, or keyed locks are being used to control access to these rooms, closets or cabinets.

NOTE 4: If keyed locks are used, check to ensure that proper key control procedures are in place. *If key control procedures are determined to be inadequate, a finding under this STIG rule should be written.

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments. Not applicable to a field/mobile environment.

Fix: F-49251r770256_fix

1. Ensure that Unclassified system assets (servers, DASD, tape drives, hubs, etc.) are protected in secure locked/access controlled rooms or closets and maintained separately from general employee access.

NOTE 1: This potential VUL concerns protection of "ONLY UNCLASSIFIED" System and Network Devices.

NOTE 2: While not required, the ideal situation with larger computer systems is to locate all major system components within "raised floor" computer rooms. Regardless of the location, the key factor in determining acceptable compliance is whether the equipment is accessible only to properly vetted persons who require unescorted access to the equipment for performance of duties.

NOTE 3: While not preferred, if space and/or the size of the Information System (IS) assets do not allow for them to be housed in a separate room or closet, they may be maintained in locked IS cabinets that preclude ease of access by unauthorized individuals.

2. Ensure that properly managed Automated Entry Control Systems (AECS), mechanical access devices such as cipher locks, or keyed locks are being used to control access to these rooms, closets or cabinets.

NOTE 4: If keyed locks are used, ensure that proper key control procedures are in place.

Restricted Area and Controlled Area Designation of Areas Housing Critical Information System Components or Classified /Sensitive Technology or Data
Medium - V-245866 - SV-245866r822929_rule
RMF Control
Severity
Medium
CCI
Version
PH-04.02.01
Vuln IDs
  • V-245866
  • V-32600
Rule IDs
  • SV-245866r822929_rule
  • SV-42937r3_rule
Failure to designate the areas housing the critical information technology systems as a restricted or controlled access area may result in inadequate protection being assigned during emergency actions or the site having insufficient physical security protection measures in place. Further, warning signs may not be in place to advise visitors or other unauthorized persons that such areas are off-limits, resulting in inadvertent access by unauthorized persons.

REFERENCES:
DoD 5220.22-M (NISPOM), February 2006, Incorporating Change 2, May 18, 2016, Appendix C - Definition of Restricted Area and Chapter 5, para 5-305.
NIST Special Publication 800-53 (SP 800-53) Controls: PE-2 and PE-3
DoD 5200.8-R Physical Security Program, Definitions: DL1.12., and Chapter 3, para C3.2.4.
Checks: C-49297r770258_chk

Check to ensure the areas housing critical information technology systems are designated as Restricted Areas or Controlled Areas IAW host installation and/or Service, Agency or COCOM guidance. Signage should be properly posted at all access points and at adequate intervals to advise those approaching of the restricted area/controlled area designation, authority and consequences for violation of access restrictions. Signs will be in English as well as in any language prevalent in the area. Signs may not be required where OPSEC countermeasures dictate.

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments. Not applicable to a field/mobile environment.

Fix: F-49252r770259_fix

Ensure the areas housing critical information technology systems are designated as Restricted Areas or Controlled Areas IAW host installation and/or Service, Agency or COCOM guidance. Signage should be properly posted at all access points and at adequate intervals to advise those approaching of the restricted area/controlled area designation, authority and consequences for violation of access restrictions. Signs will be in English as well as in any language prevalent in the area. Signs may not be required where OPSEC countermeasures dictate.

Security-in-Depth (AKA: Defense-in-Depth) - Minimum Physical Barriers and Access Control Measures for Facilities or Buildings Containing DoDIN (SIPRNet/NIPRNet) Connected Assets.
Medium - V-245867 - SV-245867r822930_rule
RMF Control
Severity
Medium
CCI
Version
PH-05.02.01
Vuln IDs
  • V-245867
  • V-32601
Rule IDs
  • SV-245867r822930_rule
  • SV-42938r3_rule
Failure to use security-in-depth can result in a facility being vulnerable to an undetected intrusion or an intrusion that cannot be responded to in a timely manner - or both.

REFERENCES:
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure A, paragraph 5.a.(1).
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-2(2), PE-3, PE-6(1), and page B-6: Security-in-Depth defined.
DoDI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 2, paragraph 13.s. and Enclosure 3, paragraph 7.
DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Enclosure 2 paragraph 12.; Enclosure 3, paragraph 3.b.(3) & paragraph 4.; Enclosure 7, paragraph 7.d.; and Glossary page 121, Security-in-Depth defined.
DoD 5220.22-M (NISPOM), February 2006, Incorporating Change 2, May 18, 2016, Chapter 5, paragraphs 5-303, 5-307 & 5-904.b. and Appendix C, Definitions, page C-6 - Security in Depth.
DoD 5200.8-R Physical Security Program, April 9, 2007, Incorporating Change 1, May 27, 2009: Chapter 2, C2.3.1, C3.2.1 and DL1.17., Security-in-Depth defined.
CNSSI No. 7003, September 2015, Protected Distribution Systems (PDS), Section IV, paragraph 6, Section VIII, Table 1 and Table 2, and Section VI - DEFINITIONS - Controlled Access Area (CAA).
Checks: C-49298r770261_chk

Background Information: This set of checks is intended to validate security-in-depth protection measures in place for facilities with either Unclassified DoDIN assets (NIPRNet) or Classified (SIPRNet) DoDIN assets or both. Checks are specifically oriented to each (one or more) of the following four situations:

1. Protection of unclassified (NIPRNet) assets (such as end-user workstations with typical office equipment - PC/laptop/thin client/multi-functional devices (MFD), printers, copiers, scanners, facsimile machine...) that are housed and operated in administrative office spaces.

2. Protection of unclassified (NIPRNet) assets housed and operated in unclassified computer rooms. This check is intended for rooms with key system assets such as servers, routers, DASD, etc., rather than end-user workstations. This high-level system equipment requires an additional layer of physical protection and access control.

3. Protection of classified (SIPRNet) assets (such as end-user workstations with typical office equipment - PC/laptop/thin client/multi-functional devices (MFD), printers, copiers, scanners, facsimile machine...) that are housed and operated in administrative office spaces NOT designated for collateral classified open storage (AKA: secure room or closed storage area). Normally such space should be controlled/designated as a secret controlled access area (CAA) for SIPRNet.

4. Protection of classified (SIPRNet) assets housed and operated in space designated for collateral classified open storage (AKA: secure room or closed storage area). Assets in this situation may include both end-user workstations with typical office equipment as detailed above and/or Computer Rooms containing key system assets such as servers, routers, DASD, etc. So to restate, this includes any classified equipment (both end-user and key system equipment) stored and operated in space designated for and meeting collateral classified open storage standards.

Where both NIPRNet and SIPRNet assets as well as end-user and system level assets are co-located in a facility, the most stringent SID standards applicable for the area will be used.

Checks:

1. Protection of areas containing unclassified (NIPRNet) assets (such as end-user workstations): Check that any facility (building, room or area) housing unclassified information system assets connected to the DoDIN (such as end-user NIPRNet workstations) has at least one physical barrier supplemented by any type of 24/7 access control (keyed locks, reception, guards, Access Control System, Cipher Locks, etc.).

2. Protection of unclassified (NIPRNet) assets housed and operated in unclassified computer rooms: Check to ensure that Unclassified Computer Rooms containing equipment connected to the DoDIN (located within a facility (building, room or area) meeting the standard in #1 above) have an additional layer of physical protection and access control (beyond that for the surrounding facility or area). This check is intended for rooms with key system assets such as servers, routers, etc., rather than end-user workstations.

3. Protection of classified (SIPRNet) assets (such as end-user workstations with typical office equipment that are NOT housed and operated within a facility designated as a collateral classified open storage area):

a. Check to ensure that every physical access point to facilities housing DoDIN end-user workstations that process or display classified information is guarded or alarmed 24/7 (minimum of alarm contacts on the doors) and that intrusion alarms are properly monitored. This is space NOT designated as a collateral classified open storage area. Normally such space should be access controlled/designated as a secret controlled access area (CAA) for SIPRNet.

b. Check that two forms of identification are required to gain access to a facility housing DoDIN workstations that process or display classified information (e.g., key card with PIN/biometrics or two acceptable forms of picture ID presented to a guard or receptionist).

c. Check to ensure that a visitor log is maintained for facilities containing DoDIN end-user workstations that process or display classified information. Automated Entry Control System (AECS) log entries may be used to meet this requirement.

NOTE: Physical access points to facilities housing DoDIN workstations in secret CAAs that process or display classified information, which are located on an access controlled military installation (or that employ another layer of physical barrier/access control), are not required to have an IDS alarm contact on the doors and need only one level of access control. For instance, access control to the facility using only a swipe or proximity card (w/o PIN or biometrics) or a guard checking a single picture ID is acceptable.

4. Protection of classified (SIPRNet) assets housed and operated in space designated for collateral classified open storage (AKA: secure room or closed storage area): *Check to ensure that the senior agency official (SAO) has determined in writing that security-in-depth (SID) exists. Note that the SAO for the Defense Security Service (DSS)/industry is the Cognizant Security Agency (CSA)/Cognizant Security Office (CSO).

SID Explained: SID is a determination that the security program consists of layered and complementary security controls sufficient to deter and detect unauthorized entry and movement within the facility. Examples include, but are not limited to, use of perimeter fences, employee and visitor access controls, use of an IDS, random guard patrols throughout the facility during non-working hours, closed circuit video monitoring or other safeguards that mitigate the vulnerability of open storage areas without alarms as well as for security containers (safes) during non-working hours. Specific Secure Room security standards are not covered under this check for security-in-depth as they are covered in other Rules within this STIG. Selection of supplementary controls for secure rooms (IDS versus 4-hour guard checks) is based upon the SID in conjunction with an assessment of risk that is accepted by the SAO. Access control requirements for collateral open storage areas are established and must be IAW DoD Manual 5200.01, V3 and as implemented by Rules in this STIG.

An SID determination may be rendered using one of two methods. First, the SAO can issue SID approvals on a case-by-case basis. For instance, the facility or organization with collateral open storage space would provide the SAO with a request for SID (IAW pre-established organizational (CC/S/A) procedures) that is subsequently approved or disapproved by the SAO. A second method would be for the CC/S/A to establish a policy (Manual, Instruction, Regulation, Circular, etc.) that provides specific criteria or requirements that, when met by organizations, are evidence of adequate SID for collateral open storage spaces. Criteria may be based on additional considerations such as threat environments (high, medium, or low), whether the space is on an access controlled installation versus off-installation in publicly accessible space, CONUS versus OCONUS sites, or other such considerations per the discretion of the SAO of the CC/S/A.

Regardless of the method used by the SAO to render an SID determination, it must be properly documented and clearly apply to the collateral open storage area (AKA: secure room or closed storage area) being evaluated.

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments. Not applicable to a field/mobile environment.

Fix: F-49253r770262_fix

Background Information: This standard is intended to validate security-in-depth protection measures in place for facilities containing either unclassified DoDIN assets (NIPRNet) or classified (SIPRNet) DoDIN assets or both. The first two fixes are specifically for unclassified DoDIN facilities, while fixes 3 and 4 are for facilities containing SIPRNet assets. Where both NIPRNet and SIPRNet assets are contained in a facility, the more stringent standards for SIPRNet will be used.

Fixes:

1. Ensure that any facility/building housing unclassified information system assets connected to the DoDIN (such as end-user NIPRNet workstations) has at least one physical barrier supplemented by any type of 24/7 access control (keyed locks, reception, guards, Access Control System, Cipher Locks, etc.).

2. Ensure that unclassified Computer Rooms containing equipment connected to the DoDIN (located within a facility (building, room or area) meeting the standard in #1 above) have an additional layer of physical protection and access control. This fix is intended for rooms with key system assets such as servers, routers, DASD, etc., rather than end-user workstations.

3. Protection of classified (SIPRNet) assets (such as end-user workstations with typical office equipment that are NOT housed and operated within a facility designated as a collateral classified open storage area):

a. Ensure that every physical access point to facilities housing DoDIN end-user workstations that process or display classified information is guarded or alarmed 24/7 (minimum of alarm contacts on the doors) and that intrusion alarms are properly monitored. This is space NOT designated as a collateral classified open storage area. Normally such space should be controlled/designated as a secret controlled access area (CAA) for SIPRNet.

b. Ensure that two forms of identification are required to gain access to a facility housing DoDIN workstations that process or display classified information (e.g., key card with PIN/biometrics or two acceptable forms of picture ID presented to a guard or receptionist).

c. Ensure that a visitor log is maintained for facilities containing DoDIN end-user workstations that process or display classified information. Automated Entry Control System (AECS) log entries may be used to meet this requirement.

NOTE: Physical access points to facilities housing DoDIN workstations in secret CAAs that process or display classified information, which are located on an access controlled military installation (or that employ another layer of physical barrier/access control), are not required to have an IDS alarm contact on the doors and need only one level of access control. For instance, access control to the facility using only a swipe or proximity card (w/o PIN or biometrics) or a guard checking a single picture ID is acceptable.

4. Where there are Information System assets stored in secure rooms (AKA: collateral classified open storage areas) that are connected to the SIPRNet, ensure that the senior agency official has determined in writing that security-in-depth exists. *Note that the SAO for the Defense Security Service (DSS)/industry is the Cognizant Security Agency (CSA)/Cognizant Security Office (CSO).

Visitor Control - To Facility or Organization with Information System Assets Connected to the DISN
Medium - V-245868 - SV-245868r822931_rule
RMF Control
Severity
Medium
CCI
Version
PH-06.02.01
Vuln IDs
  • V-245868
  • V-32602
Rule IDs
  • SV-245868r822931_rule
  • SV-42939r3_rule
Failure to identify and control visitors could result in unauthorized personnel gaining access to the facility with the intent to compromise classified information, steal equipment, or damage equipment or the facility.

REFERENCES:
DoD 5200.8-R Physical Security Program, Chap 3, para C3.3.1.4. and DL1.17. on pg 8, and DTM 09-012, 8 Dec 09, Incorporating Change 7, Effective April 17, 2017
DoD Manual 5200.08 Volume 3, Physical Security Program: Access to DoD Installations, 2 January 2019
DoD 5220.22-M (NISPOM), February 2006, Incorporating Change 2, May 18, 2016, Chapter 6, Visits and Meetings
NIST Special Publication 800-53 (SP 800-53) Controls: PE-2, PE-3 and PE-8
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), 9 February 2011, Encl C, para 34.
DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information, Glossary, definition of security-in-depth and Encl 2, para 7.a and 7.b.
Checks: C-49299r770264_chk

Review visitor control procedures and implementation and ensure they include verification of clearance/investigation status (where required for access), personal identification of visitors, registering of visitors, proper badging (using DoD-issued Common Access Cards (CAC) or other authorized credentials) and escorts.

NOTE 1: Traditional Security reviewers may be able to evaluate implementation of the visitor process by reviewing how the review team was identified and badged.

NOTE 2: Detailed audit logs of all facility visitors should be maintained for at least 90 days. Automated Entry Control System (AECS) electronic logs may be used to meet this requirement.

NOTE 3: Additional interviews can be conducted with personnel handling the visitor control function.

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments. Not applicable to a field/mobile environment.

Fix: F-49254r770265_fix

Review visitor control procedures and implementation and ensure they include verification of clearance/investigation status (where required for access), personal identification of visitors, registering of visitors, proper badging (using DoD-issued Common Access Cards (CAC) or other authorized credentials) and escorts.

NOTE: Detailed audit logs of all facility visitors should be maintained for at least 90 days. Automated Entry Control System (AECS) electronic logs may be used to meet this requirement.

Sensitive Item Control - Keys, Locks and Access Cards Controlling Access to Information Systems (IS) or IS Assets Connected to the DISN
Medium - V-245869 - SV-245869r822933_rule
RMF Control
Severity
Medium
CCI
Version
PH-07.02.01
Vuln IDs
  • V-245869
  • V-32603
Rule IDs
  • SV-245869r822933_rule
  • SV-42940r3_rule
Lack of adequate key/credential/access device control could result in unauthorized personnel gaining access to the facility or systems with the intent to compromise classified information, steal equipment, or damage equipment or the facility.

REFERENCES:
UG 2040-SHR, User's Guide on Controlling Locks, Keys, and Access Cards and Best Practices - found on the DoD Lock Program site: https://www.navfac.navy.mil/content/dam/navfac/Specialty%20Centers/Engineering%20and%20Expeditionary%20Warfare%20Center/DoD_Lock_Program/PDFs/UG-2040-SHR.pdf
DoD 5200.8-R Physical Security Program, Chapter 2, para C2.1.4.4., C2.1.4.5., C2.1.4.8. and Chapter 3, para C3.3 and Pg 7, DL1.9 Personnel Identity Management and Protection
DoD Manual 5200.08 Volume 3, Physical Security Program: Access to DoD Installations, 2 January 2019
DoD 5220.22-M (NISPOM), February 2006, Incorporating Change 2, May 18, 2016, Chapter 5, paragraphs 5-308, 5-310, 5-312, 5-313, 5-314
NIST Special Publication 800-53 (SP 800-53) Controls: IA-5, SC-12, MA-5, PE-2, PE-3, PS-4, PS-5
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), 9 February 2011, Encl C, para 34.
DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 3, para 6.e.(1) (2) and Appendix to Encl 3, para 3.a.

Satisfies: Sensitive Item Control - Keys, Locks and Access Cards
Checks: C-49300r822932_chk

1. Check to ensure there are written procedures for the control of sensitive items such as keys, locks, badges and smart cards (CAC, token, or other locally issued badge).

2. Check to verify the process is being followed and that it is effective. As a minimum, lock and key systems or automated entry control systems (AECS) using coded access swipe/proximity badges require a key or credential inventory, issuance records, and procedures for returning the key or access control credential once the user no longer needs it.

3. Check to ensure a Key/Credential Control Officer and/or Key/Credential Custodians are appointed in writing to implement the system for controlling keys, locks and access control credentials.

4. Check to ensure the Key/Credential Control Officer conducts at least an annual inventory/reconciliation of all keys/credentials issued and on-hand.

5. Check to ensure that all keys/credentials are also inventoried upon change of Key/Credential Control Officer or Key/Credential Custodian.

NOTE FOR REVIEWERS: If the Combatant Command, Service or Agency (CC/S/A) has issued guidelines for control of sensitive items, the inspected organization may be considered compliant if following the issued guidelines.

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments. Not applicable to a field/mobile environment.

Fix: F-49255r770268_fix

1. Ensure there are written procedures for the control of sensitive items such as keys, locks, badges and smart cards.

2. Verify the process for controlling keys/locks and credentials is being followed and that it is effective. As a minimum, lock and key systems or access control systems (using coded access swipe/prox badges) require a key or credential inventory, issue records, and a procedure for returning the key or access control credential once the user no longer needs it.

3. Ensure a Key/Credential Control Officer and/or Key/Credential Custodians are appointed in writing to implement the system for controlling keys, locks and access control credentials.

4. Ensure the Key/Credential Control Officer conducts at least an annual inventory/reconciliation of all keys/credentials issued and on-hand.

5. Ensure that all keys/credentials are also inventoried upon change of Key/Credential Control Officer or Key/Credential Custodian.

NOTE: If the organization's Combatant Command, Service or Agency (CC/S/A) has issued guidelines for control of sensitive items, then compliance with this rule will be considered validated if the organization is following the issued guidelines.

Physical Penetration Testing - of Facilities or Buildings Containing Information Systems (IS) Connected to the DISN
Low - V-245870 - SV-245870r822936_rule
RMF Control
Severity
Low
CCI
Version
PH-09.03.01
Vuln IDs
  • V-245870
  • V-32604
Rule IDs
  • SV-245870r822936_rule
  • SV-42941r3_rule
Failure to periodically test facility/building security where Information Systems (IS) connected to the DISN are present could lead to the unauthorized access of an individual into the facility with nefarious intentions to affect the Confidentiality, Integrity or Assurance of data or hardware on the IS.

REFERENCES:
DoD 5200.8-R Physical Security Program, Chapter 2, para C2.1.3.2., C2.1.3.4. and C2.2.4.
DoD Manual 5200.08 Volume 3, Physical Security Program: Access to DoD Installations, 2 January 2019
DoD 5220.22-M (NISPOM), February 2006, Incorporating Change 2, May 18, 2016, Chapter 8, paragraph 8-101.d.
NIST Special Publication 800-53 (SP 800-53) Controls: CA-2, CA-8, PE-3(6) and PE-6
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), 9 February 2011, Encl A, para 8.b., Encl C paragraphs 6.b., 12.a., 34.
DoDI 8500.01, March 14, 2014, DoD CIO, SUBJECT: Cybersecurity, Encl 2, para 13.s. and Encl 3, paragraphs 3.b. & 5.c.
Checks: C-49301r822934_chk

Check to ensure that procedures for a facility penetration testing process have been developed that include periodic, unannounced attempts to penetrate key computing facilities. Results of these tests should be provided to the site or organization commander/director and, if applicable, the supporting base physical security specialist. Any discrepancies should be addressed and corrective action taken (i.e., update procedures or provide additional training). If a test has not been completed within the last 12 months, this should be a finding.

Note: It is often a good idea for the site conducting physical penetration tests to coordinate support for this testing from supporting host installation security or an outside source. That enables the test to be conducted by someone with whom most site personnel are not familiar, and will facilitate a good test using social engineering or other methodology to gain unauthorized access.

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments. Not applicable to a field/mobile environment.

Fix: F-49256r822935_fix

Ensure that procedures for a facility penetration testing process have been developed that include periodic, unannounced attempts to penetrate key computing facilities. Results of these tests should be provided to the site or organization commander/director and, if applicable, the supporting base physical security specialist. Any discrepancies should be addressed and corrective action taken (i.e., update procedures or provide additional training). Ensure the test is completed at least annually.

Note: It is often a good idea for the site conducting physical penetration tests to coordinate support for this testing from supporting host installation security or an outside source. That enables the test to be conducted by someone with whom most site personnel are not familiar, and will facilitate a good test using social engineering or other methodology to gain unauthorized access.

Security and Cybersecurity Staff Appointment, Training/Certification and Suitability
Medium - V-245871 - SV-245871r917361_rule
RMF Control
Severity
Medium
CCI
Version
SM-01.03.01
Vuln IDs
  • V-245871
  • V-32605
Rule IDs
  • SV-245871r917361_rule
  • SV-42942r3_rule
Failure to formally appoint security personnel and detail responsibilities, training and other requirements in the appointment notices could result in a weakened security program, due to critical security and information assurance personnel not being fully aware of the scope of their duties and responsibilities, not being properly trained, or not meeting standards for appointment to assigned positions.

REFERENCES:
DOD 8570.01-M, Information Assurance Workforce Improvement Program, 19 December 2005, Incorporating Change 4, 11/10/2015, Chap 3, para C3.2.4.4., Chap 4 para C4.2.3.6., Chap 5 para C5.1.1. and Chap 10 para C10.2.3.6.
DODD 8140.01 Cyberspace Workforce Management
DODI 8140.02 Identifying, Tracking and Reporting of Cyberspace Workforce Requirements
DODM 8140.03 Cyberspace Workforce Qualification and Management Program
DOD Manual 5200.02, PROCEDURES FOR THE DOD PERSONNEL SECURITY PROGRAM (PSP), Effective: April 3, 2017, Section 2, paragraph 2.10.a., h. & i. and Appendix 7A: Determination Authorities
NIST Special Publication 800-53 (SP 800-53) Controls: PM-2, PS-2, PS-3, AC-5, AC-6(5), PM-10, CA-6 and AT-3
DOD Manual 5200.01, Volume 1, 24 February 2012, SUBJECT: DOD Information Security Program: Overview, Classification, and Declassification, Encl 2, para 6.b., 7., 7.c., 8.b., 8.c., 8.d., 9. & 12.; Encl 3 para 6.a., 6.b. & 6.b.(5); and Definitions, pg 76 activity SM
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), 9 February 2011, Encl C, paragraphs 3.a.(1) (2)(a)(b), 4.a. through 4.e., 26.(c), & 27. and Encl A para 11.b.
DOD 5220.22-M (NISPOM), February 2006, Incorporating Change 2, May 18, 2016, Paragraphs: 1-201., 2-103.c., 2-306.d., 3-102., & 8-103
DODI 8500.01, March 14, 2014, SUBJECT: Cybersecurity, Enclosure 2, paragraph 1.c., 13.c. and Enclosure 3, paragraph 13.b., 16.a.(2), 18.d.

Satisfies: Security and Cybersecurity Staff Appointment, Training/Certification and Suitability
Checks: C-49302r917267_chk

Check #1. Check to ensure there are appointment letters for all security staff members including the SM, AO, ISSM, ISSOs, System Administrators (SA), and Network Security Officers (NSO). (CAT III)

Check #2. Check to ensure the appointments are current and an appropriate authority has made the appointments. (CAT III)

Check #3. Check to ensure that pertinent duties, responsibilities, training/certification and other suitability requirements for the appointed positions are contained in the appointment order. (CAT III)

Check #4. Check supporting documentation to ensure that security staff have been properly trained and certified for the positions to which they are appointed (e.g., IAM I, II or III for ISSM/ISSO) and that they meet all applicable requirements for the positions. For instance, the AO and ISSM must be US Citizens. (CAT II)

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments. Not applicable to a field/mobile environment.

Fix: F-49257r917268_fix

1. Ensure there are appointment letters for all Traditional Security staff and Cybersecurity staff members, including the SM, DAA, IAM, IAOs, System Administrators (SA), and Network Security Officers (NSO).
2. Ensure the appointments are current and that appropriate authorities have made the appointments.
3. Ensure that pertinent duties, responsibilities, training/certification, and other suitability requirements for the appointed positions are contained in the appointment order.
4. Ensure that security staff have been properly trained and certified for the positions to which they are appointed (e.g. IAM I, II or III for ISSM/ISSO) and that they meet all applicable requirements for the positions. For instance, the AO and ISSM must be US citizens.

NOTE: DODM 8570 requirements will be met until full implementation of DODM 8140.03 requirements. Implementation dates for DOD Manual 8140.03 include a two-year timeline for personnel (civilian and military) in positions coded with cybersecurity work roles and three years for personnel (civilian and military) in positions coded with work roles in any other workforce element. The dates for required qualification would be 15 February 2025 for cybersecurity work roles and the same date in February 2026 for all Defense Cyber Workforce Framework work roles.

Security Training - Information Security (INFOSEC) for ALL Employees; Military, Government Civilian and Contractor
Medium - V-245872 - SV-245872r822940_rule
RMF Control
Severity
Medium
CCI
Version
SM-02.02.01
Vuln IDs
  • V-245872
  • V-32606
Rule IDs
  • SV-245872r822940_rule
  • SV-42943r3_rule
Failure to provide security training to ALL employees results in a weak security program and could lead to the loss or compromise of classified or sensitive information.

REFERENCES:
DoD 5220.22-M (NISPOM), February 2006, Incorporating Change 2, May 18, 2016, Chapter 1, para 1-206 and Chapter 3.
NIST Special Publication 800-53 (SP 800-53) Controls: AT-1, AT-2, AT-3 and AT-4
DoD Manual 5200.01, Volume 1, 24 February 2012, SUBJECT: DoD Information Security Program: Overview, Classification, and Declassification, Encl 2, para 7.c., 7.d., 7.g., 9.f.; Encl 3, para 5.f.; Encl 4 para 10.c.; Encl 5, para 3.b.
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), 9 February 2011, Encl A, para 11; Encl B, para 4.h., 4.i., 6.m.; Encl C para 5., 7.f., 21.h.(2), 27e.(8)(d) and 31.b.
DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information, Enclosure 5
Checks: C-49303r822938_chk

Check #1. Check that initial and recurring (minimum annually) information security training is provided to each employee.
Check #2. Check to ensure the following training topics are covered. Some topics may not be necessary based on the organization's mission or other considerations. Reviewers should use discretion in determining whether adequate training topics are covered:
a. Classified Handling (physical (storage) security, transportation/transmission & marking of documents, equipment and media)
b. Communications Security
c. Computer (AKA: cybersecurity) Security requirements
d. Counter-intelligence briefings
e. Penalties for engaging in espionage activities
f. Courier briefing (if applicable)
g. Reporting of derogatory information
h. Reporting of Security Incidents
i. Security of Laptop computers when traveling
j. Special access programs, NATO, COSMIC TS, etc. (as applicable)
k. Use of personal computers for conducting official business
l. Concerns identified during Component self-inspections
m. Procedures to be followed when using classified removable data storage media.
n. Procedures to be followed if an individual believes an unauthorized disclosure of classified data has occurred on an information system or network (typically called a "data spill").
Check #3. Check records of employee training and ensure 100% of initial training briefings are accomplished and at least 95% of employees have completed annual training. Note that while 100% completion of annual training is the goal, employees on extended leave, TDY, or other circumstances make this difficult to accomplish. All training accomplished must be documented. Anything less will be a finding.

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments. Not applicable to a field/mobile environment.

Fix: F-49258r822939_fix

1. Ensure initial and recurring (annual minimum) information security training is provided to each employee.
2. Ensure the following training topics are covered at a MINIMUM:
a. Classified Handling (physical (storage) security, transportation/transmission & marking of documents, equipment and media)
b. Communications Security
c. Computer (AKA: cybersecurity) Security requirements
d. Counter-intelligence briefings
e. Penalties for engaging in espionage activities
f. Courier briefing (if applicable)
g. Reporting of derogatory information
h. Reporting of Security Incidents
i. Security of Laptop computers when traveling
j. Special access programs, NATO, COSMIC TS, etc. (as applicable)
k. Use of personal computers for conducting official business
l. Concerns identified during Component self-inspections
m. Procedures to be followed when using classified removable data storage media.
n. Procedures to be followed if an individual believes an unauthorized disclosure of classified data has occurred on an information system or network (typically called a "data spill").
o. Ensure 100% of initial training and termination briefings are accomplished and at least 95% of employees have annual training. While 100% annual training is the goal, things like extended employee TDY or leave make this difficult to achieve. All training accomplished must be documented. Anything less will be a finding.

Counter-Intelligence Program - Training, Procedures and Incident Reporting
Low - V-245873 - SV-245873r770281_rule
RMF Control
Severity
Low
CCI
Version
SM-03.03.01
Vuln IDs
  • V-245873
  • V-32607
Rule IDs
  • SV-245873r770281_rule
  • SV-42944r3_rule
Failure to establish a good working relationship with the supporting/local CI agency, and lack of proper CI training for site/organization employees, could result in the organization not being informed of local threats and warnings, leaving it vulnerable to the threat, and/or in a delay in reporting a possible incident involving reportable FIE-Associated Cyberspace Contacts, Activities, Indicators, and Behaviors, which could adversely impact the Confidentiality, Integrity, or Availability (CIA) of the DISN.

REFERENCES:
DoDD 5240.06, Counterintelligence Awareness and Reporting (CIAR), 17 May 11, Incorporating Change 2, July 21, 2017, Enclosure 3 and Enclosure 4, para 4.a.

Satisfies: Counter-Intelligence Program - Training, Procedures and Incident Reporting
Checks: C-49304r770279_chk

Background Information: It is DoD policy that:
a. Initial and annual CI awareness and reporting (CIAR) training on the foreign intelligence entity (FIE) threat, methods, reportable information, and reporting procedures shall be provided to DoD personnel as outlined in Enclosure 3 of DoDD 5240.06, 17 May 11.
b. Potential FIE threats to the DoD, its personnel, information, materiel, facilities, and activities, or to U.S. national security shall be reported by DoD personnel in accordance with Enclosure 4 of DoDD 5240.06.
c. Failure to report FIE threats as identified in paragraph 3.a and section 5 of Enclosure 4 of DoDD 5240.06 may result in judicial or administrative action or both pursuant to applicable law or policy.

Checks:
Check #1. Check to ensure all assigned site/organization personnel have received both initial and annual CIAR training in accordance with DoDD 5240.06.
Check #2. Check to ensure there are procedures for reporting possible threat information and that local threat assessments and warnings received are properly shared with the work force.

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments. Not applicable to a field/mobile environment.

Fix: F-49259r770280_fix

Background Information: It is DoD policy that:
a. Initial and annual CI awareness and reporting (CIAR) training on the foreign intelligence entity (FIE) threat, methods, reportable information, and reporting procedures shall be provided to DoD personnel as outlined in Enclosure 3 of DoDD 5240.06, 17 May 11.
b. Potential FIE threats to the DoD, its personnel, information, materiel, facilities, and activities, or to U.S. national security shall be reported by DoD personnel in accordance with Enclosure 4 of DoDD 5240.06.
c. Failure to report FIE threats as identified in paragraph 3.a and section 5 of Enclosure 4 of DoDD 5240.06 may result in judicial or administrative action or both pursuant to applicable law or policy.

Fixes: Ensure all assigned site/organization personnel have received both initial and annual CIAR training in accordance with DoDD 5240.06. Further, ensure there are procedures for reporting possible threat information and that local threat assessments and warnings received are properly shared with the work force.