I - Mission Critical Public
Rules and Groups employed by this XCCDF Profile
-
IA-03.02.01
Group -
Information Assurance - System Security Incidents (Identifying, Reporting, and Handling)
Failure to recognize, investigate and report information systems security incidents could result in the loss of confidentiality, integrity, and availability of the systems and its data. REFERENCES...Rule Medium Severity -
IA-05.02.01
Group -
Information Assurance - System Access Control Records (DD Form 2875 or equivalent)
If accurate records of authorized users are not maintained, then unauthorized personnel could have access to the system. Failure to have user sign an agreement may preclude disciplinary actions if ...Rule Medium Severity -
IA-06.02.01
Group -
Information Assurance - System Training and Certification/ IA Personnel
Improperly trained personnel can cause serious system-wide/network-wide problems that render a system/network unstable. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPU...Rule Medium Severity -
IA-06.02.02
Group -
Information Assurance/Cybersecurity Training for System Users
Improperly trained personnel can cause serious system-wide/network-wide problems that render a system/network unstable. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPU...Rule Medium Severity -
IA-07.02.01
Group -
Information Assurance - Accreditation Documentation
Failure to provide the proper documentation can lead to a system connecting without all proper safeguards in place, creating a threat to the networks. REFERENCES: CJCSI 6510.01F, INFORMATION ASSU...Rule Medium Severity -
IA-10.02.01
Group -
Information Assurance - KVM or A/B Switch not listed on the NIAP U.S. Government Approved Protection Products Compliance List (PCL) for Peripheral Sharing Switches
Failure to use tested and approved switch boxes can result in the loss or compromise of classified information. REFERENCES: NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: SC-3 and...Rule Medium Severity -
IA-10.02.02
Group -
Information Assurance - KVM Switch (Port Separation) on CYBEX/Avocent 4 or 8 port
The back plate of some 4 or 8 port CYBEX/AVOCENT KVM devices provides a physical connection between adjacent ports. Therefore failure to provide for physical port separation between SIPRNet (classi...Rule Medium Severity -
IA-10.02.03
Group -
Information Assurance - KVM Switch Use of Hot-Keys on SIPRNet Connected Devices
Use of "Hot Keys" for switching between devices relies on use of software to separate and switch between the devices. Unless software use involves an approved Cross Domain Solution (CDS) it can re...Rule Medium Severity -
IA-10.03.01
Group -
Information Assurance - Authorizing Official (AO) and DoDIN Connection Approval Office (CAO) Approval Documentation for use of KVM and A/B switches for Sharing of Classified and Unclassified Peripheral Devices
Failure to request approval for connection of existing or additional KVM or A/B devices (switch boxes) for use in switching between classified (e.g., SIPRNet) devices and unclassified devices (e.g....Rule Low Severity -
IA-11.01.01
Group -
Information Assurance - Classified Portable Electronic Devices (PEDs) Connected to the SIPRNet must be Authorized, Compliant with NSA Guidelines, and be Configured for Data at Rest (DAR) Protection
Finding unauthorized and/or improperly configured wireless devices (PEDs) connected to and/or operating on the SIPRNet is a security incident and could directly result in the loss or compromise of ...Rule High Severity -
IA-11.02.01
Group -
Information Assurance - Unauthorized Wireless Devices - Portable Electronic Devices (PEDs) Used in Classified Processing Areas without Certified TEMPEST Technical Authority (CTTA) Review and Authorizing Official (AO) Approval.
Allowing wireless devices in the vicinity of classified processing or discussion could directly result in the loss or compromise of classified or sensitive information either intentionally or accid...Rule Medium Severity -
IA-11.03.01
Group -
Information Assurance - Unauthorized Wireless Devices - No Formal Policy and/or Warning Signs
Not having a wireless policy and/or warning signs at entrances could result in the unauthorized introduction of wireless devices into classified processing areas. REFERENCES: CJCSI 6510.01F, INFO...Rule Low Severity -
IA-12.01.01
Group -
Information Assurance - Network Connections - Physical Protection of Network Devices such as Routers, Switches and Hubs (Connected to SIPRNet or Other Classified Networks or Systems Being Inspected)
SIPRNet or other classified network connections that are not properly protected in their physical environment are highly vulnerable to unauthorized access, resulting in the probable loss or comprom...Rule High Severity -
IA-12.01.02
Group -
Information Assurance - Network Connections - Wall Jack Security on Classified Networks (SIPRNet or other Inspected Classified Network or System) Where Port Authentication Using IEEE 802.1X IS NOT Implemented
Following is a summary of the primary requirement to use the IEEE 802.1X authentication protocol to secure SIPRNet ports (AKA: wall jacks) , which is covered in the Network STIG: 802.1X authentica...Rule High Severity -
IA-12.02.01
Group -
Information Assurance - Network Connections - Physical Protection of Unclassified (NIPRNet) Network Devices such as Routers, Switches and Hubs
Unclassified (NIPRNet) network connections that are not properly protected in their physical environment are highly vulnerable to unauthorized access, resulting in the probable loss or compromise o...Rule Medium Severity -
ID-01.02.01
Group -
Industrial Security - DD Form 254
Failure to complete a DD Form 254 (Contract Security Classification Specification) or to specify security clearance and/or IT requirements for all contracts that require access to classified materi...Rule Medium Severity -
ID-02.03.01
Group -
Industrial Security - Contractor Visit Authorization Letters (VALs)
Failure to require Visit Authorization Letters (VALs) for contractor visits could result in sensitive or classified materials being released to unauthorized personnel. REFERENCES: NIST Special Pu...Rule Low Severity -
ID-03.02.01
Group -
Industrial Security - Contract Guard Vetting
Failure to screen guards could result in employment of unsuitable personnel who are responsible for the safety and security of DOD personnel and facilities. REFERENCES: NIST Special Publication 8...Rule Medium Severity -
IS-01.02.01
Group -
Information Security (INFOSEC) - Safe/Vault/Secure Room Management
Lack of adequate or Improper procedures for management of safes/vaults and secure rooms could result in the loss or compromise of classified material. REFERENCES: CJCSI 6510.01F, INFORMATION ASSU...Rule Medium Severity -
IS-02.01.01
Group -
Information Security (INFOSEC) - Vault/Secure Room Storage Standards - Door Combination Lock Meeting Federal Specification FF-L-2740
Failure to meet Physical Security storage standards could result in the undetected loss or compromise of classified material. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO...Rule High Severity -
IS-02.01.02
Group -
Information Security (INFOSEC) - Secure Room Storage Standards - Door Construction
Failure to meet construction standards could result in the undetected loss or compromise of classified material. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NET...Rule High Severity -
IS-02.01.03
Group -
Information Security (INFOSEC) - Secure Room Storage Standards Wall and Ceiling Structural Integrity (AKA: True Floor to True Ceiling Connection)
Failure to meet standards for ensuring that there is structural integrity of the physical perimeter surrounding a secure room (AKA: collateral classified open storage area) IAW DoD Manual 5200.01, ...Rule High Severity -
IS-02.01.04
Group -
Information Security (INFOSEC) - Vault/Secure Room Storage Standards - Openings in Perimeter Exceeding 96 Square Inches
Failure to meet standards for ensuring that there is structural integrity of the physical perimeter surrounding a vault or secure room (AKA: collateral classified open storage area) IAW DoD Manual ...Rule High Severity -
IS-02.01.05
Group -
Information Security (INFOSEC) - Secure Room Storage Standards Windows - Accessible from the Ground Hardened Against Forced Entry and Shielded from Exterior Viewing of Classified Materials Contained within the Area.
Failure to meet standards for ensuring that there is structural integrity of the physical perimeter surrounding a secure room (AKA: collateral classified open storage area) IAW DoD Manual 5200.01, ...Rule High Severity -
IS-02.01.06
Group -
Information Security (INFOSEC) - Vault Storage/Construction Standards
Failure to meet standards IAW the DOD Manual 5200.01, Volume 3, Appendix to Enclosure 3, for ensuring that there is required structural integrity of the physical perimeter surrounding a classified ...Rule High Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.