Classified Monitors/Displays (Physical Control of Classified Monitors From Unauthorized Viewing)
An XCCDF Rule
Description
<VulnDiscussion>Failure to prevent unauthorized personnel from viewing information displayed on classified monitors/displays can result in the loss or compromise of classified information, including NOFORN information.

REFERENCES:
- National Disclosure Policy - 1 (NDP-1)
- National Security Directive 42, "National Policy for the Security of National Security Telecommunications and Information Systems"
- DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations. SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information. Use guidance on sharing information with REL Partners on SIPRNET at http://www.ssc.smil.mil/ - follow Policy/Guidance&Documentation link and then SIPRNet Information Sharing...
- DODD 5230.20; Visits, Assignments, and Exchanges of Foreign Nationals
- CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl A, para 7.b.(1) & (2) and Encl C, para 27.f. and 34.
- NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-5, PE-18, PS-3(1), PS-6, PS-6(2), MA-5
- DoDI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 11.
- DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), 3 April 2017, Section 6., paragraphs 6.1. and 6.2.b.&c.
- Originating DoD Manual 5200.01, Volume 1, SUBJECT: DoD Information Security Program: Overview, Classification, and Declassification, Encl 2, para 9.j.(1) and Encl 3, para 5.b., 7.b.(5), 12.e.
- DoD Manual 5200.01, Volume 2, 24 February 2012, SUBJECT: DoD Information Security Program: Marking of Classified Information; Enclosure 3, paragraph 18.a.
- DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 2, para 14.a & b.; Encl 3, para 5; Encl 4, para 2.c.; Appendix to Encl 4, para 1.f. and Encl 7.
- DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 8, Section 3, paragraphs 8-302.b.(1), 8-302.e., 8-302.g.(2), Chapter 10, Section 5 and definition of "Escort" on page C-3.</VulnDiscussion>
<FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID: SV-245829r822888_rule
- Severity: High
- Updated
Remediation - Manual Procedure
REQUIREMENTS FOR BOTH US ONLY CLASSIFIED (SIPRNet) ENVIRONMENTS WITHOUT FN PRESENCE AND ENVIRONMENTS WITH FN PRESENCE:
1. All classified information system processing locations must have physical and procedural controls to ensure that no unauthorized viewing of monitor screens is possible or occurring. This includes viewing by uncleared persons and/or those without need-to-know. It also includes REL partners or other FN who may have been granted liberal physical access to areas where US ONLY classified information is processed. This is the primary purpose of this STIG Rule requirement.
2. Classified monitor screens must not be visible or capable of being observed from outside the secure space (e.g., from common hallways or through doors or windows).