Skip to content

Traditional Security Checklist

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Storage/Handling of Classified Documents, Media, Equipment - must be under continuous personal protection and control of an authorized (cleared) individual OR guarded or stored in an approved locked security container (safe), vault, secure room, collateral classified open storage area or SCIF.

    <VulnDiscussion>Failure to store classified in an approved container OR to properly protect classified when removed from storage can lead to ...
    Rule High Severity
  • IS-06.03.01

    <GroupDescription></GroupDescription>
    Group
  • Non-Disclosure Agreement - Standard Form 312: no person may have access to classified information unless that person has a security clearance in accordance with DODM 5200.02 and has signed a Standard Form (SF) 312, Classified Information Non-Disclosure Agreement (NDA), and access is essential to the accomplishment of a lawful and authorized Government function (i.e., has a need to know).

    &lt;VulnDiscussion&gt;Failure to verify clearance and need-to-know and execute a nondisclosure agreement (NDA) before granting access to classified...
    Rule Low Severity
  • IS-07.03.01

    <GroupDescription></GroupDescription>
    Group
  • Handling of Classified Documents, Media, Equipment - Written Procedures and Training for when classified material/equipment is removed from a security container and/or secure room.

    &lt;VulnDiscussion&gt;Failure to develop procedures and to train employees on protection of classified when removed from storage could lead to the ...
    Rule Low Severity
  • IS-07.03.02

    <GroupDescription></GroupDescription>
    Group
  • Handling of Classified - Use of Cover Sheets on Documents Removed from Secure Storage

    &lt;VulnDiscussion&gt;Failure to protect readable classified information printed from classified systems such as SIPRNet when removed from secure s...
    Rule Low Severity
  • IS-08.01.01

    <GroupDescription></GroupDescription>
    Group
  • Classified Monitors/Displays (Physical Control of Classified Monitors From Unauthorized Viewing)

    &lt;VulnDiscussion&gt;Failure to limit access to unauthorized personnel to information displayed on classified monitors/displays can result in the ...
    Rule High Severity
  • IS-08.01.02

    <GroupDescription></GroupDescription>
    Group
  • Monitor Screens - Disable Access by CAC or Token Removal, or Lock Computer via Ctrl/Alt/Del

    &lt;VulnDiscussion&gt;The DoD Common Access Cards (CAC) a "smart" card, is the standard identification for active-duty military personnel, Selected...
    Rule High Severity
  • Classified Monitors/Displays (Procedures for Obscuration of Classified Monitors) - protection from uncleared persons or those without a need-to-know.

    &lt;VulnDiscussion&gt;Failure to develop procedures and training for employees to cover responsibilities and methods for limiting the access of una...
    Rule Low Severity
  • IS-09.02.01

    <GroupDescription></GroupDescription>
    Group
  • End-of-Day Checks - Organizations that process or store classified information must establish a system of security checks at the close of each duty and/or business day to ensure that any area where classified information is used or stored is secure. SF 701, Activity Security Checklist, shall be used to record such checks.

    &lt;VulnDiscussion&gt;Failure to have written guidance to provide guidance for end-of-day (EOD) checks could lead to such checks not being properl...
    Rule Medium Severity
  • IS-10.01.01

    <GroupDescription></GroupDescription>
    Group
  • Classified Reproduction - SIPRNet Connected Classified Multi-Functional Devices (MFD) located in Space Not Approved for Collateral Classified Open Storage.

    &lt;VulnDiscussion&gt;Classified Multi-Functional Devices (MFD) include printers, copiers, scanners and facsimile capabilities and contain hard dri...
    Rule High Severity
  • IS-10.02.01

    <GroupDescription></GroupDescription>
    Group
  • Classified Reproduction - Following guidance for System to Media Transfer of Data from systems connected specifically to the SIPRNet In-Accordance-With (IAW) US CYBERCOM CTO 10-133A.

    &lt;VulnDiscussion&gt;Failure to follow guidance for disabling removable media drives on devices connected to the SIPRNet or, if approved by the lo...
    Rule Medium Severity
  • IS-10.03.01

    <GroupDescription></GroupDescription>
    Group
  • Classified Reproduction - Written Procedures for SIPRNet Connected Classified Multi-Functional Devices (MFD) located in Space Not Approved for Collateral Classified Open Storage. NOTE: This vulnerability concerns only PROCEDURES for the reproduction (printing, copying, scanning, faxing) of classified documents on Multi-Functional Devices (MFD) connected to the DoDIN.

    &lt;VulnDiscussion&gt;Lack of or improper reproduction procedures for classified material could result in the loss or compromise of classified info...
    Rule Low Severity
  • IS-11.01.01

    <GroupDescription></GroupDescription>
    Group
  • Destruction of Classified Documents Printed from the SIPRNet Using Approved Devices on NSA Evaluated Products Lists (EPL).

    &lt;VulnDiscussion&gt;Failure to properly destroy classified material can lead to the loss or compromise of classified or sensitive information. R...
    Rule High Severity
  • IS-11.01.02

    <GroupDescription></GroupDescription>
    Group
  • Classified Material Destruction - Improper Disposal of Automated Information System (AIS) Hard Drives and Storage Media

    &lt;VulnDiscussion&gt;Failure to properly destroy classified material can lead to the loss or compromise of classified or sensitive information. R...
    Rule High Severity
  • IS-11.02.01

    <GroupDescription></GroupDescription>
    Group
  • Classified Destruction - Hard Drive and Storage Media Sanitization Devices and Plans are not Available for disposal of Automated Information System (AIS) Equipment On-Hand

    &lt;VulnDiscussion&gt;Failure to properly destroy classified material can lead to the loss or compromise of classified or sensitive information. R...
    Rule Medium Severity
  • IS-11.03.01

    <GroupDescription></GroupDescription>
    Group
  • Destruction of Classified and Unclassified Documents, Equipment and Media - Availability of Local Policy and Procedures

    &lt;VulnDiscussion&gt;Lack of plans and procedures to properly destroy classified and/or sensitive material can lead to the loss or compromise of c...
    Rule Low Severity
  • IS-13.02.01

    <GroupDescription></GroupDescription>
    Group
  • Classified Emergency Destruction Plans - Develop and Make Available

    &lt;VulnDiscussion&gt;Failure to develop emergency procedures can lead to the loss or compromise of classified or sensitive information during emer...
    Rule Medium Severity
  • IS-14.02.01

    <GroupDescription></GroupDescription>
    Group
  • Security Incident/Spillage - Lack of Procedures or Training for Handling and Reporting

    &lt;VulnDiscussion&gt;Failure to report possible security compromise can result in the impact of the loss or compromise of classified information n...
    Rule Medium Severity
  • IS-15.02.01

    <GroupDescription></GroupDescription>
    Group
  • Classification Guides Must be Available for Programs and Systems for an Organization or Site

    &lt;VulnDiscussion&gt;Failure to have proper classification guidance available for Information Systems and/or associated programs run on them can r...
    Rule Medium Severity
  • IS-16.02.01

    <GroupDescription></GroupDescription>
    Group
  • Controlled Unclassified Information (CUI) - Employee Education and Training

    &lt;VulnDiscussion&gt;Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Exec...
    Rule Medium Severity
  • IS-16.02.02

    <GroupDescription></GroupDescription>
    Group
  • Controlled Unclassified Information - Document, Hard Drive and Media Disposal

    &lt;VulnDiscussion&gt;Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Assi...
    Rule Medium Severity
  • IS-16.02.03

    <GroupDescription></GroupDescription>
    Group
  • Controlled Unclassified Information - Handling, Storage and Controlling Access to Areas where CUI is Processed or Maintained

    &lt;VulnDiscussion&gt;Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Exec...
    Rule Medium Severity
  • IS-16.02.04

    <GroupDescription></GroupDescription>
    Group
  • Controlled Unclassified Information - Encryption of Data at Rest

    &lt;VulnDiscussion&gt;Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Exec...
    Rule Medium Severity
  • IS-16.02.05

    <GroupDescription></GroupDescription>
    Group
  • Controlled Unclassified Information - Transmission by either Physical or Electronic Means

    &lt;VulnDiscussion&gt;Failure to handle/transmit CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENC...
    Rule Medium Severity
  • IS-16.02.06

    <GroupDescription></GroupDescription>
    Group
  • Controlled Unclassified Information - Posting Only on Web-Sites with Appropriate Encryption; not on Publicly Accessible Web-Sites.

    &lt;VulnDiscussion&gt;Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Exec...
    Rule Medium Severity
  • IS-16.03.01

    <GroupDescription></GroupDescription>
    Group
  • Controlled Unclassified Information (CUI) - Local Policy and Procedure

    &lt;VulnDiscussion&gt;Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Exec...
    Rule Low Severity
  • IS-16.03.02

    <GroupDescription></GroupDescription>
    Group
  • Controlled Unclassified Information - Marking/Labeling Media within Unclassified Environments (Not Mixed with Classified)

    &lt;VulnDiscussion&gt;Failure to mark CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Execut...
    Rule Low Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules