Vault/Secure Room Storage Standards - Access Control During Working Hours Using Visual Control OR Automated Entry Control System (AECS) with PIN / Biometrics

An XCCDF Rule

Description

<VulnDiscussion>Failure to properly monitor and control collateral classified open storage area access doors during working hours (while the FF-L-2740 combination lock is not secured) could result in an undetected perimeter breach and limited or no capability to immediately notify response forces. Ultimately this could result in the undetected loss or compromise of classified material. Entrances to secure rooms or areas (and/or vaults that are opened for access) must be under visual control at all times during duty hours to prevent entry by unauthorized personnel . This may be accomplished by several methods (e.g., employee work station, guard, continuously monitored CCTV). An automated entry control system (AECS) may be used to control admittance during working hours instead of visual control, if it meets certain criteria * and if the room or area is continuously occupied by at least one properly cleared person. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.43 Storage, (2) Secret. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 24.j. and 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-2, PE-3, PE-5 and PE-6 DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Enclosure 3, paragraph 12 and Appendix to Enclosure 3, paragraphs 3.a. and 3.c. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, paragraphs 5-306, 5-312, 5-313, 5-314</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-245808r822862_rule
Severity: High
Updated: 9 months ago

*If use of visual control methods is the primary means to control access during duty hours, use the following three fixes to comply with requirements:

1.  All possible primary or secondary entrances to vaults or secure rooms must be continuously monitored by cleared employees or guards (inside or outside the room or area) or by CCTV, whenever the FF-L-2740 combination lock is disengaged for daytime or other routine access.     

2.  If CCTV is used it must send real time images to a continuously manned monitoring station.  
3. Access to a continuously (visually) monitored vault, secure room or collateral classified open storage area must be controlled by an Automated Entry Control System (AECS) using coded cards or badges (biometrics or PIN are not required) or by electric, mechanical or electro-mechanical access control devices to limit access during duty hours. 

**If use of an Automated Entry Control System (AECS) is used to control access (without use of any authorized visual control methods), use the following seven fixes to comply with requirements:

1.  The vault, secure room or area must be continuously occupied by at least one properly cleared employee during working hours (when the FF-L-2740 combination lock is not engaged).

2. The AECS must identify individuals and authenticate the person's authority to enter the area through the use of a coded identification (ID) badge or card. 

3. In addition to the swipe or proximity card or badge a personal identification number (PIN) must be used.  This is required WHEN VISUAL (MONITORING) CONTROLS of the entrance ARE NOT USED during working hours.  

4. The PINs must be separately entered into the system by each individual using a keypad device and consist of four or more digits, randomly selected, with no known or logical association with the individuals.
  
5. There must be a procedure in place to cover changing PINs when it is believed they have been compromised or subjected to compromise.  

6. Biometrics Devices, which identify an individual requesting access by some unique personal characteristic, such as Fingerprinting, Hand Geometry, Handwriting, Retina scans, or Voice recognition may be used in conjunction with an ID badge or card in lieu of a PIN.  

7.  VERY IMPORTANT: Electric, mechanical or electro-mechanical access control devices such as Cipher locks MUST NOT BE USED to control access to secure rooms or areas that are not under continuous visual control during working hours.  Generally these locks do not provide the means for individual access codes and do not report to a central server or system monitor.  Therefore they are permissible ONLY for access control to secure rooms and spaces when the entrance is under continuous visual control.

Vault/Secure Room Storage Standards - Access Control During Working Hours Using Visual Control OR Automated Entry Control System (AECS) with PIN / Biometrics

Description

Remediation - Manual Procedure