Information Security (IS) - Continuous Operations Facility: Access Control Monitoring Methods

An XCCDF Rule

Description

<VulnDiscussion>Failure to control door access to a Continuous Operations Facility containing classified SIPRNET assets may result in immediate and potentially undetected access to classified information, with no capability to immediately alert response forces. Ultimately this could result in the undetected loss or compromise of classified material.

USE CASE EXPLANATION: A Continuous Operations Facility functions 24/7 and contains classified SIPRNet equipment and/or media. It often does not meet all the physical and/or procedural requirements of a vault or secure room (AKA: collateral classified open storage area), and the classified equipment and/or media may not be stored in an approved safe when not in use. Examples of such facilities are Emergency Operations Centers (EOC), Information System Monitoring Centers, Trouble Desk Centers, etc. All standards for access control monitoring for Continuous Operations Facilities are found in DoD Manual 5200.01, V3, and this STIG Requirement/Rule provides additional clarification and implementation standards for all Continuous Operations Facilities containing SIPRNet assets.

Continuous Operations Facilities are not routinely closed and secured after normal business hours and reopened at the beginning of normal workdays. A CONTINUOUS OPERATIONS FACILITY MUST BE CONTINUOUSLY OCCUPIED at all times, OR IT MUST MEET ALL PHYSICAL STRUCTURAL AND PROCEDURAL STANDARDS FOR A SECURE ROOM AND BE SECURED (using an approved FF-L-2740 combination lock) DURING PERIODS WHEN IT IS NOT OCCUPIED. It is not necessary to activate the supplemental controls (IDS or 4-hour checks) when securing the facility using the FF-L-2740 lock during working hours. However, this must be done if the facility is formally closed at any time, and will include End-of-Day (EOD) checks. A "facility" can be a single room or a larger contiguous area, often (but not always) without Federal Specification FF-L-2740 combination locks on the primary access door.

Continuous Operations area access control procedures must meet the requirements herein even where the surrounding area is continuously occupied. Continuous Operations (again, continuous occupancy) minimizes or eliminates the need for/use of certain security measures such as FF-L-2740 combination locks, standard door locks, IDS, 4-hour guard checks, etc. Where there is a Continuous Operations Facility there should be a demonstrated mission need for continuous occupation of the "specific" room or area containing the classified SIPRNet assets. A justification that the surrounding building or facility is continuously occupied is not acceptable. If this is observed, reviewers should consider the possibility that the stated requirement for a Continuous Operations Facility is being used to cover deficiencies with what should legitimately be established as a secure room or vault. In such cases the use of Traditional Security STIG Requirements and applicable physical and procedural standards for vaults and/or secure rooms may be more appropriate, resulting in findings under those Requirements.

A Continuous Operations Facility containing classified materials is most appropriate when it is continuously occupied by properly cleared employees (or others with security clearance and a need-to-know) who are capable of controlling or monitoring ingress and egress from within the area. This provides the most legitimate justification for using a Continuous Operations Facility vice using a properly constructed and access controlled vault or secure room (AKA: collateral classified open storage area). Convenience and ease of access is not proper justification for a Continuous Operations Facility.

Continuous Operations Facility door control may be accomplished multiple ways. There are five main types of access control methods, listed below. One or more of the five methods may apply to any facility.

Each access point must comply with one or more of the methods of access control for 24 hours of each operational day. Any deficiency for any facility access point (even for a portion of the day for an access point) will result in a finding under this STIG rule. All Continuous Operations Facility access points should be checked for proper access control according to the type of access control method(s) implemented. Direct access control monitoring for both occupied and unoccupied Continuous Operations Facilities is conducted by cleared employees, guards or receptionists located inside the area or directly outside the area. A properly configured Automated Entry Control System (AECS) or continuously monitored Closed Circuit Television (CCTV) are the only options for indirect monitoring of Continuous Operations Facilities.

The five basic methods for controlling access to Continuous Operations Facilities are:

1. Method #1: Use of an Automated Entry Control System (AECS) Card Reader with Biometrics or Personal Identification Number (PIN)
2. Method #2: Access Continually Monitored by Occupants (Cleared Employees) of the Continuous Operations Facility - all doors NOT visible
3. Method #3: Access Monitored by Occupants (Cleared Employees) of the Continuous Operations Facility - all doors are visible
4. Method #4: Access Monitored by Employees Directly Outside the Open Storage Space - all doors MUST BE visible
5. Method #5: Access Monitored by Closed Circuit Television (CCTV) reporting to a Central Monitoring Station Staffed 24/7 by cleared Guards or Other cleared Security Professionals - each individual door MUST HAVE a CCTV camera(s)

Normally only one method of access control will be applicable to a specific Continuous Operations Facility; however, there may be situations where more than one approved method is being used at a single facility. For instance, an Automated Entry Control System (AECS) with card reader and PIN may be used to secure the access door while there are also employees located inside the room who can monitor and control access. In situations where multiple methods are found, reviewers need only choose one of the five to evaluate compliance and the effectiveness of access control to the Continuous Operations Facility. If one of the methods is found to be totally compliant while others in use contain deficiencies, the method that is 100% compliant should be selected for use during the review. In the example just provided, if the room is only occupied by one employee who is monitoring access and who, during breaks or for other reasons, exits the room for periods of time, this would cause a significantly deficient condition, since the access door is not continuously monitored by the employee. Therefore the AECS would likely be selected as the method to evaluate access control for the Continuous Operations Facility, since it appears to be (and for this example we will assume it is) 100% compliant.

There is also a possibility that multiple Continuous Operations Facilities could be found at a particular site location (even in the same building) that are using different methods to control access. Once again, multiple methods of access control from the list of five could be selected for the evaluation, based on the access control methods actually being used for the various 24/7 Continuous Operations Facilities. Once the applicable access control methods for each of the Continuous Operations Facilities at the site are selected, the site must comply with all of the individual checks for the selected method(s). Specific checks for requirements associated with a method of access control are found in the Check Content information field. If there is no Continuous Operations Facility at a particular site, this Requirement is Not Applicable (NA) for a review.

REFERENCES:
The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/
Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003, Classified National Security Information: paragraph 2001.43 Storage, (2) Secret.
CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 24.j. and 34.
NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-2, PE-3, PE-5 and PE-6
DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: specific paragraph references are individually annotated with each specific check under the "Checks" section.
DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, paragraphs 5-306, 5-312, 5-313, 5-314</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID
SV-245807r822860_rule
Severity
High

Remediation - Manual Procedure

Continuous Operations Facilities storing classified SIPRNet assets in the open are not routinely opened or closed using Federal Specification FF-L-2740 combination locks due to being continuously occupied by cleared employees or due to very frequent access requirements for operational reasons.

As applicable to the operating environment at a particular site/location, select one or more of the five Methods of Access Control to be used for 24/7 Continuous Operations Facilities. The five methods of access control, along with specific requirements/checks, are found in the Check Content of this Requirement.

More than one method of access control might apply to a particular Continuous Operations Facility or to multiple Continuous Operations Facilities at a single site/location.