DISA STIGS Viewer

Traditional Security Checklist

Overview

Version: 2
Date: 2024-08-09
Finding Count: 145 (CAT I (High): 39, CAT II (Medium): 66, CAT III (Low): 40)
Downloads: Excel, JSON, XML
STIG Description
These requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings - MAC I - Mission Critical Public

Finding ID Severity Title Description
V-245837 High Classified Material Destruction - Improper Disposal of Automated Information System (AIS) Hard Drives and Storage Media
V-245836 High Destruction of Classified Documents Printed from the SIPRNet Using Approved Devices on NSA Evaluated Products Lists (EPL).
V-245833 High Classified Reproduction - SIPRNet Connected Classified Multi-Functional Devices (MFD) located in Space Not Approved for Collateral Classified Open Storage.
V-245830 High Monitor Screens - Disable Access by CAC or Token Removal, or Lock Computer via Ctrl/Alt/Del
V-245829 High Classified Monitors/Displays (Physical Control of Classified Monitors From Unauthorized Viewing)
V-245825 High Storage/Handling of Classified Documents, Media, Equipment - must be under continuous personal protection and control of an authorized (cleared) individual OR guarded or stored in an approved locked security container (safe), vault, secure room, collateral classified open storage area or SCIF.
V-245809 High Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) and Intrusion Detection System (IDS) Head-End Equipment Protection: The physical location (room or area) containing AECS and IDS head-end equipment (server and/or work station/monitoring equipment) where authorization, personal identification or verification data is input, stored, or recorded and/or where system status/alarms are monitored must be physically protected. Inadequate physical protection of Intrusion Detection System or Automated Entry Control System servers, data base storage drives, or monitoring work stations could result in unauthorized access to core system devices providing protection for classified vaults, secure rooms and collateral classified open storage areas. This could result in the loss of...
V-245808 High Vault/Secure Room Storage Standards - Access Control During Working Hours Using Visual Control OR Automated Entry Control System (AECS) with PIN / Biometrics Failure to properly monitor and control collateral classified open storage area access doors during working hours (while the FF-L-2740 combination lock is not secured) could result in an undetected perimeter breach and limited or no capability to immediately notify response forces. Ultimately this could result in the undetected loss or...
V-245807 High Information Security (IS) - Continuous Operations Facility: Access Control Monitoring Methods Failure to control door access to a Continuous Operations Facility containing classified SIPRNET assets may result in immediate and potentially undetected access to classified information, with no capability to immediately alert response forces. Ultimately this could result in the undetected loss or compromise of classified material. USE CASE EXPLANATION: A...
V-245806 High Vault/Secure Room Storage Standards - IDS Access/Secure Control Units Must be Located within the Secure Room Space Failure to ensure that IDS Access and Secure Control Units used to activate and deactivate alarms (primarily motion detectors) within vaults or secure rooms protecting SIPRNet assets are not located within the confines of the vault or secure room near the primary ingress/egress door could result in the observation of...
V-245805 High Vault/Secure Room Storage Standards - IDS Transmission Line Security Failure to meet standards for ensuring integrity of the intrusion detection system signal transmission supporting a secure room (AKA: collateral classified open storage area) containing SIPRNet assets could result in the undetected loss or compromise of classified material. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE...
V-245804 High Information Security (INFOSEC) - Secure Room Storage Standards - Four (4) Hour Random Checks in Lieu of Using Intrusion Detection System (IDS)
V-245803 High Information Security (INFOSEC) - Secure Room Storage Standards - Interior Motion Detection
V-245802 High Information Security (INFOSEC) - Secure Room Storage Standards - Balanced Magnetic Switch (BMS) on Perimeter Doors Failure to meet standards for ensuring that there is structural integrity of the physical perimeter surrounding a secure room (AKA: collateral classified open storage area) IAW DoD Manual 5200.01, Volume 3 could result in the undetected loss or compromise of classified material. When a physical Intrusion Detection System (IDS) is...
V-245801 High Information Security (INFOSEC) - Secure Room Storage Standards - Intrusion Detection System (IDS)
V-245800 High Information Security (INFOSEC) - Vault Storage/Construction Standards
V-245799 High Information Security (INFOSEC) - Secure Room Storage Standards Windows - Accessible from the Ground Hardened Against Forced Entry and Shielded from Exterior Viewing of Classified Materials Contained within the Area.
V-245798 High Information Security (INFOSEC) - Vault/Secure Room Storage Standards - Openings in Perimeter Exceeding 96 Square Inches Failure to meet standards for ensuring that there is structural integrity of the physical perimeter surrounding a vault or secure room (AKA: collateral classified open storage area) IAW DoD Manual 5200.01, Volume 3, Enclosure 3 could result in the undetected loss or compromise of classified material. REFERENCES: CJCSI 6510.01F, INFORMATION...
V-245797 High Information Security (INFOSEC) - Secure Room Storage Standards Wall and Ceiling Structural Integrity (AKA: True Floor to True Ceiling Connection) Failure to meet standards for ensuring that there is structural integrity of the physical perimeter surrounding a secure room (AKA: collateral classified open storage area) IAW DoD Manual 5200.01, Volume 3, Enclosure 3 could result in the undetected loss or compromise of classified material. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA)...
V-245796 High Information Security (INFOSEC) - Secure Room Storage Standards - Door Construction Failure to meet construction standards could result in the undetected loss or compromise of classified material. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl A, paragraph 7.f.; Encl C, paragraph 10.a., and 10.b. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-3...
V-245795 High Information Security (INFOSEC) - Vault/Secure Room Storage Standards - Door Combination Lock Meeting Federal Specification FF-L-2740
V-245789 High Information Assurance - Network Connections - Wall Jack Security on Classified Networks (SIPRNet or other Inspected Classified Network or System) Where Port Authentication Using IEEE 802.1X IS NOT Implemented
V-245788 High Information Assurance - Network Connections - Physical Protection of Network Devices such as Routers, Switches and Hubs (Connected to SIPRNet or Other Classified Networks or Systems Being Inspected)
V-245785 High Information Assurance - Classified Portable Electronic Devices (PEDs) Connected to the SIPRNet must be Authorized, Compliant with NSA Guidelines, and be Configured for Data at Rest (DAR) Protection Finding unauthorized and/or improperly configured wireless devices (PEDs) connected to and/or operating on the SIPRNet is a security incident and could directly result in the loss or compromise of classified or sensitive information either intentionally or accidentally. An assessment of risk in accordance with the Risk Management Framework (RMF) along...
V-245767 High Foreign National (FN) Administrative Controls - Proper Investigation and Clearance for Access to Classified Systems and/or Information Assurance (IA) Positions of Trust
V-245765 High Foreign National (FN) Physical Access Control - Areas Containing US Only Information Systems Workstations/Monitor Screens, Equipment, Media or Documents
V-245764 High Foreign National (FN) System Access - FN or Immigrant Aliens (not representing a foreign government or entity) with LAA Granted Uncontrolled Access
V-245763 High Foreign National System Access - FN or Immigrant Aliens (not representing a foreign government or entity) System Access - Limited Access Authorization (LAA)
V-245759 High Foreign National (FN) Systems Access - Local Nationals Overseas System Access - (SIPRNet or Other Classified System or Classified Network being Reviewed)
V-245735 High Protected Distribution System (PDS) Construction - Alarmed Carrier
V-245734 High Protected Distribution System (PDS) Construction - Tactical Environment Application A PDS that is not constructed and configured as required could result in the undetected interception of classified information. Within mobile tactical situations a hardened carrier is not possible and therefore the unencrypted SIPRNet cable must be maintained within the confines of the tactical encampment with the cable under continuous...
V-245733 High Protected Distribution System (PDS) Construction - Continuously Viewed Carrier A PDS that is not constructed and configured as required could result in the undetected interception of classified information. A continuously viewed PDS may not be in a physically hardened carrier and the primary means of protection is continuous observation and control of the unencrypted transmission line. If not maintained...
V-245732 High Protected Distribution System (PDS) Construction - External Suspended PDS Suspended carriers (Exterior PDS) are a Category 2 PDS option used to extend a PDS between Controlled Access Areas (CAAs) that are located in different buildings. Suspended carriers may be used for short runs when it is not practical to bury the PDS between buildings (e.g., between the 3rd floors...
V-245731 High Protected Distribution System (PDS) Construction - Buried PDS Carrier Buried carriers are normally used to extend a PDS between CAAs that are located in different buildings. As with other Category 2 PDS the unencrypted data cables must be installed in a carrier. A PDS that is not constructed, configured and physically secured as required could result in the undetected...
V-245730 High Protected Distribution System (PDS) Construction - Pull Box Security A PDS that is not constructed and configured as required could result in the undetected interception of classified information. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 35.c. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 5, Section 4, paragraphs...
V-245729 High Protected Distribution System (PDS) Construction - Hardened Carrier A PDS that is not constructed and configured as required could result in the undetected interception of classified information. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 35.c. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 5, Section 4, paragraphs...
V-245728 High Protected Distribution System (PDS) Construction - Point of Presence (PoP) and Terminal Equipment Protection. This requirement concerns security of both the starting and ending points for PDS within proper physically protected and access controlled environments.
V-245727 High Classified Transmission - Electronic Means using Cryptographic System Authorized by the Director, NSA Failure to properly encrypt classified data in transit can lead to the loss or compromise of classified or sensitive information. REFERENCES: DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 5, Section 4, paragraphs 5-402.c. and 5-403 DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security...
V-245722 High COMSEC Account Management - Equipment and Key Storage
V-245872 Medium Security Training - Information Security (INFOSEC) for ALL Employees; Military, Government Civilian and Contractor Failure to provide security training to ALL employees results in a weak security program and could lead to the loss or compromise of classified or sensitive information. REFERENCES: DoD 5220.22-M (NISPOM), February 2006, Incorporating Change 2, May 18, 2016 Chapter 1, para 1-206 and Chapter 3. NIST Special Publication 800-53...
V-245871 Medium Security and Cybersecurity Staff Appointment, Training/Certification and Suitability
V-245869 Medium Sensitive Item Control - Keys, Locks and Access Cards Controlling Access to Information Systems (IS) or IS Assets Connected to the DISN Lack of an adequate key/credential/access device control could result in unauthorized personnel gaining access to the facility or systems with the intent to compromise classified information, steal equipment, or damage equipment or the facility. REFERENCES: UG 2040-SHR, User's Guide on Controlling Locks, Keys, and Access Cards and Best Practices -...
V-245868 Medium Visitor Control - To Facility or Organization with Information System Assets Connected to the DISN Failure to identify and control visitors could result in unauthorized personnel gaining access to the facility with the intent to compromise classified information, steal equipment, or damage equipment or the facility. REFERENCES: DoD 5200.8-R Physical Security Program Chap 3, para C3.3.1.4. and DL1.17. on pg 8 and DTM 09-012, 8...
V-245867 Medium Security-in-Depth (AKA: Defense-in-Depth) - Minimum Physical Barriers and Access Control Measures for Facilities or Buildings Containing DoDIN (SIPRNet/NIPRNet) Connected Assets.
V-245866 Medium Restricted Area and Controlled Area Designation of Areas Housing Critical Information System Components or Classified /Sensitive Technology or Data Failure to designate the areas housing the critical information technology systems as a restricted or controlled access area may result in inadequate protection being assigned during emergency actions or the site having insufficient physical security protection measures in place. Further, warning signs may not be in place to advise visitors...
V-245865 Medium Physical Protection of Unclassified Key System Devices/Computer Rooms in Large Processing Facilities Allowing access to systems processing sensitive information by personnel without the need-to-know could permit loss, destruction of data or equipment or a denial of service. Loss could be accidental damage or intentional theft or sabotage. REFERENCES: DoD 5220.22-M (NISPOM), February 2006, Incorporating Change 2, May 18, 2016 Chapter 8, IS...
V-245864 Medium Risk Assessment - Holistic Review (site/environment/information systems)
V-245862 Medium Intrusion Detection System (IDS) Installation and Maintenance Personnel - Suitability Checks
V-245861 Medium Intrusion Detection System (IDS) Monitoring Station Personnel - Suitability Checks
V-245856 Medium Validation Procedures for Security Clearance Issuance (Classified Systems and/or Physical Access Granted)
V-245848 Medium Controlled Unclassified Information - Posting Only on Web-Sites with Appropriate Encryption; not on Publicly Accessible Web-Sites.
V-245847 Medium Controlled Unclassified Information - Transmission by either Physical or Electronic Means Failure to handle/transmit CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Executive Order 13556, Controlled Unclassified Information (CUI) The Information Security Oversight Office (ISOO): https://www.archives.gov/cui NIST FIPS 140-2, Security Requirements for Cryptographic Modules DODI 8520.2, "Public Key Infrastructure (PKI) and Public Key...
V-245846 Medium Controlled Unclassified Information - Encryption of Data at Rest Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Executive Order 13556, Controlled Unclassified Information (CUI) The Information Security Oversight Office (ISOO): https://www.archives.gov/cui DoD CIO Memorandum, Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage...
V-245845 Medium Controlled Unclassified Information - Handling, Storage and Controlling Access to Areas where CUI is Processed or Maintained
V-245844 Medium Controlled Unclassified Information - Document, Hard Drive and Media Disposal
V-245843 Medium Controlled Unclassified Information (CUI) - Employee Education and Training
V-245842 Medium Classification Guides Must be Available for Programs and Systems for an Organization or Site Failure to have proper classification guidance available for Information Systems and/or associated programs run on them can result in the misclassification of information and ultimately lead to the loss or compromise of classified or sensitive information. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified...
V-245841 Medium Security Incident/Spillage - Lack of Procedures or Training for Handling and Reporting Failure to report possible security compromise can result in the impact of the loss or compromise of classified information not to be evaluated, responsibility affixed, or a plan of action developed to prevent recurrence of future incidents. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND),...
V-245840 Medium Classified Emergency Destruction Plans - Develop and Make Available
V-245838 Medium Classified Destruction - Hard Drive and Storage Media Sanitization Devices and Plans are not Available for disposal of Automated Information System (AIS) Equipment On-Hand
V-245834 Medium Classified Reproduction - Following guidance for System to Media Transfer of Data from systems connected specifically to the SIPRNet In-Accordance-With (IAW) US CYBERCOM CTO 10-133A.
V-245832 Medium End-of-Day Checks - Organizations that process or store classified information must establish a system of security checks at the close of each duty and/or business day to ensure that any area where classified information is used or stored is secure. SF 701, Activity Security Checklist, shall be used to record such checks. Failure to have written guidance to provide guidance for end-of-day (EOD) checks could lead to such checks not being properly conducted. If EOD checks are not properly conducted the loss or improper storage of classified material might not be promptly discovered. This could result in a longer duration of the...
V-245822 Medium Marking Classified - Equipment, Documents or Media: In a classified operating environment, all unclassified items must be marked in addition to all classified items.
V-245820 Medium Information Security (INFOSEC) - Secure Room Storage Standards - Perimeter Construction using Proper Permanent Construction Materials for True Ceiling, Walls and Floors.
V-245819 Medium Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Door Locks: Electric Strikes and/or Magnetic Locking devices used in access control systems shall be heavy duty, industrial grade and be configured to fail secure in the event of a total loss of power (primary and backup). There are a variety of locking mechanisms that may be used to secure both primary and secondary doors for vaults and classified open storage areas (secure rooms). While the primary access door is to be secured with an appropriate combination lock when closed; during working hours an AECS using electric...
V-245818 Medium Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Transmission Line Security: AECS Transmission lines traversing an uncontrolled area (not within at least a Secret Controlled Access Area (CAA) ) shall use line supervision OR Electrical, mechanical, or electromechanical access control devices, which do not constitute an AECS that are used to control access during duty hours must have all electrical components, that traverse outside minimally a Secret Controlled Access Area (CAA), secured within conduit. Persons not vetted to at least the same level of classification residing on the information systems being protected by the AECS or other access control system components could gain access to the unprotected transmission line and tamper with it to facilitate surreptitious access to the secure space. Proper line supervision...
V-245817 Medium Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Records Maintenance, which includes documented procedures for granting and removal of access. Failure to document procedures for removal of access and inadequate maintenance of access records for both active and removed persons could result in unauthorized persons having unescorted access to vaults, secure rooms or collateral classified open storage areas where classified information is processed and stored. REFERENCES: The Information Security Oversight...
V-245816 Medium Vault/Secure Room Storage Standards - Primary IDS Monitoring Location Outside the Monitored Space Failure to locate the alarm monitoring station at an external location; at a safe distance from the space being monitored, to ensure that it is not involved in any surprise attack of the alarmed space could result in a perimeter breach and the loss or compromise of classified material with...
V-245815 Medium Vault/Secure Room Storage Standards - Intrusion Detection System and Automated Entry Control System (IDS/AECS) Component Tamper Protection Failure to tamper protect IDS/AECS component enclosures and access points external to protected vaults/secure rooms space could result in the undetected modification or disabling of IDS/AECS system components. This could lead to the undetected breach of secure space containing SIPRNet assets and result in the undetected loss or compromise of...
V-245814 Medium Vault/Secure Room Storage Standards - Intrusion Detection System (IDS) / Automated Entry Control System (AECS) Primary and Emergency Power Supply Failure to meet standards for ensuring that there is an adequate commercial and back-up power sources for IDS/AECS with uninterrupted failover to emergency power could result in a malfunction of the physical alarm and access control system. This could result in the undetected breach of classified open storage / secure...
V-245813 Medium Vault/Secure Room Storage Standards - IDS Alarm Monitoring Indicators, both audible and visual (Alarm Status) must be displayed for each sensor or alarmed zone at the monitoring station. Failure to meet standards for the display of audible and visual alarm indicators at the IDS monitoring station could result in a sensor going into an alarm state and not being immediately detected. This could result in an undetected or delayed discovery of a secure room perimeter breach and the...
V-245812 Medium Vault/Secure Room Storage Standards - Masking of IDS Sensors Displayed at the Intrusion Detection System (IDS) Monitoring Station Failure to meet standards for the display of masked alarm sensors at the IDS monitoring station could result in the location with masked or inactive sensors not being properly supervised. This could result in an undetected breach of a secure room perimeter and the undetected loss or compromise of classified...
V-245811 Medium Vault/Secure Room Storage Standards - IDS Performance Verification Failure to test IDS functionality on a periodic basis could result in undetected alarm sensor or other system failure. This in turn could result in an undetected intrusion into a secure room (AKA: collateral classified open storage area) and the undetected loss or compromise of classified material. REFERENCES: The Information Security...
V-245810 Medium Information Security (INFOSEC) - Secure Room Storage Standards - Structural Integrity Checks
V-245794 Medium Information Security (INFOSEC) - Safe/Vault/Secure Room Management Lack of adequate or Improper procedures for management of safes/vaults and secure rooms could result in the loss or compromise of classified material. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, paragraphs 26.s.(5) and 34.c. NIST Special Publication 800-53 (SP 800-53), Rev 4,...
V-245793 Medium Industrial Security - Contract Guard Vetting Failure to screen guards could result in employment of unsuitable personnel who are responsible for the safety and security of DOD personnel and facilities. REFERENCES: NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PS-2, PS-2(1), PS-3 DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), 3...
V-245791 Medium Industrial Security - DD Form 254
V-245790 Medium Information Assurance - Network Connections - Physical Protection of Unclassified (NIPRNet) Network Devices such as Routers, Switches and Hubs
V-245786 Medium Information Assurance - Unauthorized Wireless Devices - Portable Electronic Devices (PEDs) Used in Classified Processing Areas without Certified TEMPEST Technical Authority (CTTA) Review and Authorizing Official (AO) Approval. Allowing wireless devices in the vicinity of classified processing or discussion could directly result in the loss or compromise of classified or sensitive information either intentionally or accidentally. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, paragraphs 21.i(3). and 22. CNSS Directive No....
V-245783 Medium Information Assurance - KVM Switch Use of Hot-Keys on SIPRNet Connected Devices Use of "Hot Keys" for switching between devices relies on use of software to separate and switch between the devices. Unless software use involves an approved Cross Domain Solution (CDS) it can result in the loss or compromise of classified information from low side devices to those devices on the...
V-245782 Medium Information Assurance - KVM Switch (Port Separation) on CYBEX/Avocent 4 or 8 port The back plate of some 4 or 8 port CYBEX/AVOCENT KVM devices provides a physical connection between adjacent ports. Therefore failure to provide for physical port separation between SIPRNet (classified devices) and NIPRNet (unclassified devices) when using CYBEX/AVOCENT KVM devices can result in the loss or compromise of classified information....
V-245781 Medium Information Assurance - KVM or A/B Switch not listed on the NIAP U.S. Government Approved Protection Products Compliance List (PCL) for Peripheral Sharing Switches Failure to use tested and approved switch boxes can result in the loss or compromise of classified information. REFERENCES: NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: SC-3 and SC-4 DISN Connection Process Guide: http://disa.mil/network-services/enterprise-connections/connection-process-guide NIAP Products Compliance List (PCL): https://www.niap-ccevs.org/index.cfm
V-245778 Medium Information Assurance - Accreditation Documentation
V-245777 Medium Information Assurance/Cybersecurity Training for System Users
V-245776 Medium Information Assurance - System Training and Certification / IA Personnel
V-245775 Medium Information Assurance - System Access Control Records (DD Form 2875 or equivalent) If accurate records of authorized users are not maintained, then unauthorized personnel could have access to the system. Failure to have user sign an agreement may preclude disciplinary actions if user does not comply with security procedures. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND),...
V-245774 Medium Information Assurance - System Security Incidents (Identifying, Reporting, and Handling)
V-245772 Medium Information Assurance - COOP Plan and Testing (Not in Place for Information Technology Systems or Not Considered in the organizational Holistic Risk Assessment)
V-245769 Medium Foreign National (FN) Administrative Controls - Procedures for Requests to Provide Foreign Nationals System Access
V-245768 Medium Foreign National (FN) Administrative Controls - Written Procedures and Employee Training
V-245762 Medium Foreign National (FN) Systems Access - Delegation of Disclosure Authority Letter (DDL)
V-245761 Medium Foreign National (FN) Systems Access - Local Nationals Overseas System Access - (NIPRNet User)
V-245757 Medium Foreign National System Access - Identification as FN in E-mail Address
V-245756 Medium TEMPEST - Red/Black Separation (Cables)
V-245755 Medium TEMPEST - Red/Black Separation (Processors)
V-245754 Medium TEMPEST Countermeasures Failure to implement required TEMPEST countermeasures could leave the system(s) vulnerable to a TEMPEST attack. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND) DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 11 NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-18, PE-19(1),...
V-245748 Medium Environmental IA Controls - Emergency Power
V-245745 Medium Environmental IA Controls - Emergency Lighting and Exits - Properly Installed Lack of automatic emergency lighting and exits can cause injury and/or death to employees and emergency responders. Lack of automatic emergency lighting can also cause a disruption in service. REFERENCES: DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 5, Section 1, paragraph 5-104 NIST Special Publication 800-53 (SP...
V-245744 Medium Environmental IA Controls - Emergency Power Shut-Off (EPO)
V-245741 Medium Protected Distribution System (PDS) Monitoring - Reporting Incidents A PDS that is not inspected, monitored and maintained as required could result in undetected access, sabotage or tampering of the unencrypted transmission lines. This could directly lead to the loss or compromise of classified. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C,...
V-245740 Medium Protected Distribution System (PDS) Monitoring - Daily (Visual) Checks
V-245737 Medium Protected Distribution System (PDS) Construction - Sealed Joints
V-245736 Medium Protected Distribution System (PDS) Construction - Visible for Inspection and Marked A PDS that is not completely visible for inspection and easily identified cannot be properly inspected and monitored as required, which could result in undetected access, sabotage or tampering of the unencrypted transmission lines. This could directly lead to the loss or compromise of classified. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE...
V-245726 Medium COMSEC Training - COMSEC User Failure to properly brief COMSEC users could result in the loss of cryptologic devices or key, or the compromise of classified information. REFERENCES: DOD Manual 5200.01, Volume 1, 24 February 2012, SUBJECT: DOD Information Security Program: Overview, Classification, and Declassification DOD 5220.22-M (NISPOM), Section 4 DOD Manual 5200.01, Volume 3,...
V-245725 Medium COMSEC Training - COMSEC Custodian or Hand Receipt Holder Lack of appropriate training for managers of COMSEC accounts could result in the mismanagement of COMSEC records and inadequate physical protection and ultimately lead to the loss or compromise of COMSEC keying material. REFERENCES: DOD Manual 5200.01, Volume 1, 24 February 2012, SUBJECT: DOD Information Security Program: Overview, Classification, and...
V-245873 Low Counter-Intelligence Program - Training, Procedures and Incident Reporting Failure to establish a good working relationship with the supporting/local CI agency and lack of proper CI training for site/organization employees could result in not being informed of local threats and warnings leaving the organization vulnerable to the threat and/or a delay in reporting a possible incident involving reportable FIE-Associated...
V-245870 Low Physical Penetration Testing - of Facilities or Buildings Containing Information Systems (IS) Connected to the DISN
V-245863 Low Physical Security Program - Physical Security Plan (PSP) and/or Systems Security Plan (SSP) Development and Implementation with Consideration/Focus on Protection of Information System Assets in the Physical Environment
V-245860 Low Out-processing Procedures for Departing or Terminated Employees (Military, Government Civilian and Contractor)
V-245854 Low Position of Trust - Training Covering Employee Standards of Conduct and Personal Responsibilities
V-245853 Low Position of Trust - Local Policy Covering Employee Personal Standards of Conduct and Responsibilities Failure to inform personnel of the expected standards of conduct while holding a position of trust can result in conduct by the individual that will require their removal from that position, and/or result in an untrustworthy person continuing in a position of trust without proper vetting of new derogatory...
V-245852 Low Position of Trust - Knowledge of Responsibility to Self Report Derogatory Information Failure to inform personnel of the expected standards of conduct while holding a position of trust, and of their responsibility to self-report derogatory information to the organization security manager, can result in conduct by the individual that will require their removal from that position. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA)...
V-245851 Low Classified Annual Review Failure to conduct the annual review and clean out day can result in an excessive amount of classified (including IS storage media) being on hand and therefore being harder to account for, resulting in the possibility of loss or compromise of classified or sensitive information. REFERENCES: DOD Manual 5200.01, Volume...
V-245850 Low Controlled Unclassified Information - Marking/Labeling Media within Unclassified Environments (Not Mixed with Classified) Failure to mark CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Executive Order 13556, Controlled Unclassified Information (CUI) The Information Security Oversight Office (ISOO): https://www.archives.gov/cui CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND); Enclosure A, paragraph 6.a. NIST...
V-245849 Low Controlled Unclassified Information (CUI) - Local Policy and Procedure Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Executive Order 13556, Controlled Unclassified Information (CUI) The Information Security Oversight Office (ISOO): https://www.archives.gov/cui CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND); Enclosure C, paragraph 25.d. NIST...
V-245839 Low Destruction of Classified and Unclassified Documents, Equipment and Media - Availability of Local Policy and Procedures
V-245835 Low Classified Reproduction - Written Procedures for SIPRNet Connected Classified Multi-Functional Devices (MFD) located in Space Not Approved for Collateral Classified Open Storage. NOTE: This vulnerability concerns only PROCEDURES for the reproduction (printing, copying, scanning, faxing) of classified documents on Multi-Functional Devices (MFD) connected to the DoDIN.
V-245831 Low Classified Monitors/Displays (Procedures for Obscuration of Classified Monitors) - protection from uncleared persons or those without a need-to-know.
V-245828 Low Handling of Classified - Use of Cover Sheets on Documents Removed from Secure Storage Failure to protect readable classified information printed from classified systems such as SIPRNet when removed from secure storage can lead to the loss or compromise of classified or sensitive information. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR...
V-245827 Low Handling of Classified Documents, Media, Equipment - Written Procedures and Training for when classified material/equipment is removed from a security container and/or secure room.
V-245826 Low Non-Disclosure Agreement - Standard Form 312: no person may have access to classified information unless that person has a security clearance in accordance with DODM 5200.02 and has signed a Standard Form (SF) 312, Classified Information Non-Disclosure Agreement (NDA), and access is essential to the accomplishment of a lawful and authorized Government function (i.e., has a need to know).
V-245824 Low Classified Working Papers are properly marked, destroyed when no longer needed, or treated as a finished document after 180 days.
V-245823 Low Marking Classified - Local or Enclave Classified Marking Procedures must be developed to ensure employees are familiar with appropriate organization Security Classification Guides (SCG), how to obtain guidance for marking classified documents, media and equipment, and where associated forms, classified cover sheets, labels, stamps, wrapping material for classified shipment, etc. can be obtained.
V-245821 Low Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Keypad Device Protection: Keypad devices must be designed or installed so that an unauthorized person in the immediate vicinity cannot observe the selection of input numbers. If someone were to successfully observe an authorized user's selection of numbers for their PIN at an entrance to a classified storage area or unclassified but sensitive computer room, it could result in an unauthorized person being able to use that same PIN to gain access. Where purely electronic (cipher...
V-245792 Low Industrial Security - Contractor Visit Authorization Letters (VALs)
V-245787 Low Information Assurance - Unauthorized Wireless Devices - No Formal Policy and/or Warning Signs Not having a wireless policy and/or warning signs at entrances could result in the unauthorized introduction of wireless devices into classified processing areas. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, paragraphs 21.i(3). and 22. NIST Special Publication 800-53 (SP 800-53), Rev 4,...
V-245784 Low Information Assurance - Authorizing Official (AO) and DoDIN Connection Approval Office (CAO) Approval Documentation for use of KVM and A/B switches for Sharing of Classified and Unclassified Peripheral Devices Failure to request approval for connection of existing or additional KVM or A/B devices (switch boxes) for use in switching between classified (e.g., SIPRNet) devices and unclassified devices (e.g., NIPRNet) from both the Authorizing Official (AO) and the DODIN Connection Approval Office could result in unapproved devices being used or...
V-245773 Low Information Assurance - COOP Plan or Testing (Incomplete)
V-245771 Low Information Assurance - System Security Operating Procedures (SOPs) Failure to have documented procedures in an SOP could result in a security incident due to lack of knowledge by personnel assigned to the organization. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND) NIST Special Publication 800-53 (SP 800-53), Rev 4/5, Controls: MA-1, MA-2, MA-3,...
V-245770 Low Foreign National (FN) Administrative Controls - Contact Officer Appointment
V-245766 Low Foreign National (FN) Physical Access Control - (Identification Badges)
V-245758 Low Foreign National System Access - Local Access Control Procedures
V-245753 Low Environmental IA Controls - Fire Detection and Suppression Failure to provide adequate fire detection and suppression could result in the loss of or damage to data, equipment, facilities, or personnel. REFERENCES: DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 5, Section 1, paragraph 5-104 NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-13 and PE-13(1),...
V-245752 Low Environmental IA Controls - Fire Inspections/Discrepancies Failure to conduct fire inspections and correct any discrepancies could result in hazardous situations leading to a possible fire and loss of service. REFERENCES: DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 5, Section 1, paragraph 5-104 NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-13(4) NIST...
V-245751 Low Environmental IA Controls - Humidity
V-245750 Low Environmental IA Controls - Temperature
V-245749 Low Environmental IA Controls - Training If employees have not received training on the environmental controls they will not be able to respond to a fluctuation of environmental conditions, which could damage equipment and ultimately disrupt operations. REFERENCES: DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 5, Section 1, paragraph 5-104 NIST Special Publication...
V-245747 Low Environmental IA Controls - Voltage Control (power) Failure to use automatic voltage control can result in damage to the IT equipment creating a service outage. REFERENCES: DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 5, Section 1, paragraph 5-104 NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-9(2) NIST SP 800-12, An Introduction to...
V-245746 Low Environmental IA Controls - Emergency Lighting and Exits - Documentation and Testing Lack of automatic emergency lighting can cause injury and/or death to employees and emergency responders, and can also cause a disruption in service. REFERENCES: DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 5, Section 1, paragraph 5-104 NIST Special Publication 800-53 (SP 800-53), Rev 4,...
V-245743 Low Protected Distribution System (PDS) Monitoring - Initial Inspection A PDS that is not inspected, monitored and maintained as required could result in undetected access, sabotage or tampering of the unencrypted transmission lines. This could directly lead to the loss or compromise of classified information. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C,...
V-245742 Low Protected Distribution System (PDS) Monitoring - Technical Inspections A PDS that is not inspected, monitored and maintained as required could result in undetected access, sabotage or tampering of the unencrypted transmission lines. This could directly lead to the loss or compromise of classified information. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C,...
V-245739 Low Protected Distribution System (PDS) Documentation - Request for Approval Documentation A PDS that is not approved could cause an Information System Security Manager (ISSM), Authorizing Official (AO) and other concerned managerial personnel to not be fully aware of all vulnerabilities and residual risk of IA systems under their purview. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK...
V-245738 Low Protected Distribution System (PDS) Documentation - Signed Approval
V-245724 Low COMSEC Account Management - Program Management and Standards Compliance Recipients of NSA or Service COMSEC accounts are responsible for properly maintaining the accounts. Procedures covering security, transport, handling, etc., of COMSEC must be developed to supplement regulatory guidelines. NSA or the sponsoring Services of the COMSEC accounts maintain oversight by conducting required inspections. If COMSEC accounts are not properly maintained...
V-245723 Low COMSEC Account Management - Appointment of Responsible Person