Security-in-Depth (AKA: Defense-in-Depth) - Minimum Physical Barriers and Access Control Measures for Facilities or Buildings Containing DoDIN (SIPRNet/NIPRNet) Connected Assets.

An XCCDF Rule

Description

<VulnDiscussion>Failure to use security-in-depth can result in a facility being vulnerable to an undetected intrusion or an intrusion that cannot be responded to in a timely manner - or both. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure A, paragraph 5.a.(1). NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-2(2), PE-3, PE-6(1), and page B-6: Security-in-Depth defined. DoDI 8500.01, SUBJECT: Cybersecurity, March 14, 2014 , Enclosure 2, paragraph 13.s. and Enclosure 3, paragraph 7. DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Enclosure 2 paragraph 12.; Enclosure 3, paragraph 3.b.(3) & paragraph 4.; Enclosure 7, paragraph 7.d.; and Glossary page 121, Security-in-Depth defined. DoD 5220.22-M (NISPOM), February 2006, Incorporating Change 2, May 18, 2016 Chapter 5, paragraphs 5-303, 5-307 & 5-904.b. and Appendix C, Definitions, page C-6 - Security in Depth. DoD 5200.8-R Physical Security Program, April 9, 2007, Incorporating Change 1, May 27, 2009: Chapter 2, C2.3.1, C3.2.1 and DL1.17., Security-in-Depth defined. CNSSI No.7003, September 2015, Protected Distribution Systems (PDS), Section IV, paragraph 6, Section VIII, Table 1 and Table 2, and Section VI - DEFINITIONS - Controlled Access Area (CAA).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-245867r822930_rule
Severity: Medium
Updated: 9 months ago

Background Information:  This standard is intended to validate security-in-depth protection measures in place for facilities containing either unclassified DoDIN assets (NIPRNet) or classified (SIPRNet) DoDIN assets or both.  The first two fixes are specifically for unclassified DoDIN facilities, while fixes 3 and 4 are for facilities containing SIPRNet assets.  Where both NIPRNet and SIPRNet assets are contained in a facility - the more stringent standards for SIPRNet will be used.

Fixes:

1. Ensure that any facility/building housing unclassified information system assets connected to the DoDIN (such as end-user NIPRNet work stations) has at least one physical barrier supplemented by any type of 24/7 access control (keyed locks, reception, guards, Access Control System, Cipher Locks, etc.).
2. Ensure that unclassified Computer Rooms containing equipment connected to the DoDIN (located within a facility (building, room or area) meeting the standard in #1 above) have an additional layer of physical protection and access control. This fix is intended for rooms with key system assets such as servers, routers, DASD, etc., rather than end user workstations.  

3.  Protection of classified (SIPRNet) assets (such as end user workstations with typical office equipment that are NOT housed and operated within a facility designated as a collateral classified open storage area):

    a.  Ensure that every physical access point to facilities housing DoDIN end-user workstations that process or display classified information is guarded or alarmed 24/7 (minimum of alarm contacts on the doors) and that intrusion alarms are properly monitored.  This is space NOT designated as a collateral classified open storage area.  Normally such space should be controlled/designated as a secret controlled access area (CAA) for SIPRNet.

    b.  Ensure that two forms of identification are required to gain access to a facility housing DoDIN workstations that process or display classified information (e.g., key card with PIN/biometrics or two acceptable forms of picture ID presented to a guard or receptionist). 

    c.  Ensure that a visitor log is maintained for facilities containing DoDIN end-user workstations that process or display classified information. Automated Entry Control System (AECS) log entries may be used to meet this requirement.

NOTE:  Physical access points to facilities housing DoDIN workstations in secret CAAs that process or display classified information, which are located on an access controlled military installation (or that employ another layer of physical barrier/access control) are not required to have an IDS alarm contact on the doors and need only one level of access control.  For instance access control to the facility using only a swipe or proximity card (w/o PIN or biometrics) or a guard checking a single picture ID is acceptable.

4.  Where there are Information System assets stored in secure rooms (AKA: collateral classified open storage areas) that are connected to the SIPRNet - ensure that the senior agency official has determined in writing that security-in-depth exists. 

*Note that the SAO for the Defense Security Service (DSS)/industry is the Cognizant Security Agency (CSA)/Cognizant Security Office (CSO).

Security-in-Depth (AKA: Defense-in-Depth) - Minimum Physical Barriers and Access Control Measures for Facilities or Buildings Containing DoDIN (SIPRNet/NIPRNet) Connected Assets.

Description

Remediation - Manual Procedure