Skip to content
ATO Pathways
  Log In

Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Keypad Device Protection: Keypad devices designed or installed in a manner that an unauthorized person in the immediate vicinity cannot observe the selection of input numbers.

An XCCDF Rule

Description

<VulnDiscussion>If someone were to successfully observe an authorized user's selection of numbers for their PIN at an entrance to a classified storage area or unclassified but sensitive computer room it could result in an unauthorized person being able to use that same PIN to gain access. Where purely electronic (cipher type) locks are used without an access card or badge this could lead to direct access by an unauthorized person. Where coded AECS cards and badges are used the risk is diminished significantly as the coded badge associated with the PIN would need to be lost/stolen and subsequently recovered by someone with unauthorized knowledge of the PIN for them to be able to successfully gain access to the secured area. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.43 Storage, (2) Secret. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Control: PE-3. DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Enclosure 3, paragraph 3.a.(5)(c). DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 3, paragraph 5-314.b.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID
SV-245821r822878_rule
Severity
Low
Updated



Remediation - Manual Procedure

Ensure that keypad devices (cipher locks or PIN pads for card readers) are designed or installed in such a manner that an unauthorized person in the immediate vicinity cannot observe the selection of input numbers. During initial, annual refresher training and when key cards with PINs are issued advise persons using the keypad devices of the risk of someone overseeing their PIN and encourage them to use appropriate caution to shield their selection of numbers.