III - Administrative Public
Rules and Groups employed by this XCCDF Profile
-
IS-06.03.01
Group -
Non-Disclosure Agreement - Standard Form 312: no person may have access to classified information unless that person has a security clearance in accordance with DODM 5200.02 and has signed a Standard Form (SF) 312, Classified Information Non-Disclosure Agreement (NDA), and access is essential to the accomplishment of a lawful and authorized Government function (i.e., has a need to know).
Failure to verify clearance and need-to-know and execute a nondisclosure agreement (NDA) before granting access to classified can result in unauthorized personnel having access to classified inform...Rule Low Severity -
IS-07.03.01
Group -
Handling of Classified Documents, Media, Equipment - Written Procedures and Training for when classified material/equipment is removed from a security container and/or secure room.
Failure to develop procedures and to train employees on protection of classified when removed from storage could lead to the loss or compromise of classified or sensitive information due to a lack ...Rule Low Severity -
IS-07.03.02
Group -
Handling of Classified - Use of Cover Sheets on Documents Removed from Secure Storage
Failure to protect readable classified information printed from classified systems such as SIPRNet when removed from secure storage can lead to the loss or compromise of classified or sensitive inf...Rule Low Severity -
IS-08.01.01
Group -
Classified Monitors/Displays (Physical Control of Classified Monitors From Unauthorized Viewing)
Failure to limit access to unauthorized personnel to information displayed on classified monitors/displays can result in the loss or compromise of classified information, including NOFORN informati...Rule High Severity -
IS-08.01.02
Group -
Monitor Screens - Disable Access by CAC or Token Removal, or Lock Computer via Ctrl/Alt/Del
The DoD Common Access Cards (CAC) a "smart" card, is the standard identification for active-duty military personnel, Selected Reserve, DoD civilian employees, and eligible contractor personnel. It...Rule High Severity -
IS-08.03.01
Group -
Classified Monitors/Displays (Procedures for Obscuration of Classified Monitors) - protection from uncleared persons or those without a need-to-know.
Failure to develop procedures and training for employees to cover responsibilities and methods for limiting the access of unauthorized personnel to classified information reflected on information s...Rule Low Severity -
IS-09.02.01
Group -
End-of-Day Checks - Organizations that process or store classified information must establish a system of security checks at the close of each duty and/or business day to ensure that any area where classified information is used or stored is secure. SF 701, Activity Security Checklist, shall be used to record such checks.
Failure to have written guidance to provide guidance for end-of-day (EOD) checks could lead to such checks not being properly conducted. If EOD checks are not properly conducted the loss or impro...Rule Medium Severity -
IS-10.01.01
Group -
Classified Reproduction - SIPRNet Connected Classified Multi-Functional Devices (MFD) located in Space Not Approved for Collateral Classified Open Storage.
Classified Multi-Functional Devices (MFD) include printers, copiers, scanners and facsimile capabilities and contain hard drives that maintain classified data or images. Failure to locate these de...Rule High Severity -
IS-10.02.01
Group -
Classified Reproduction - Following guidance for System to Media Transfer of Data from systems connected specifically to the SIPRNet In-Accordance-With (IAW) US CYBERCOM CTO 10-133A.
Failure to follow guidance for disabling removable media drives on devices connected to the SIPRNet or, if approved by the local AO, failure to follow US CYBERCOM procedures for using removable med...Rule Medium Severity -
IS-10.03.01
Group -
Classified Reproduction - Written Procedures for SIPRNet Connected Classified Multi-Functional Devices (MFD) located in Space Not Approved for Collateral Classified Open Storage. NOTE: This vulnerability concerns only PROCEDURES for the reproduction (printing, copying, scanning, faxing) of classified documents on Multi-Functional Devices (MFD) connected to the DoDIN.
Lack of or improper reproduction procedures for classified material could result in the loss or compromise of classified information. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SU...Rule Low Severity -
IS-11.01.01
Group -
Destruction of Classified Documents Printed from the SIPRNet Using Approved Devices on NSA Evaluated Products Lists (EPL).
Failure to properly destroy classified material can lead to the loss or compromise of classified or sensitive information. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO CO...Rule High Severity -
IS-11.01.02
Group -
Classified Material Destruction - Improper Disposal of Automated Information System (AIS) Hard Drives and Storage Media
Failure to properly destroy classified material can lead to the loss or compromise of classified or sensitive information. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO CO...Rule High Severity -
IS-11.02.01
Group -
Classified Destruction - Hard Drive and Storage Media Sanitization Devices and Plans are not Available for disposal of Automated Information System (AIS) Equipment On-Hand
Failure to properly destroy classified material can lead to the loss or compromise of classified or sensitive information. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO CO...Rule Medium Severity -
IS-11.03.01
Group -
Destruction of Classified and Unclassified Documents, Equipment and Media - Availability of Local Policy and Procedures
Lack of plans and procedures to properly destroy classified and/or sensitive material can lead to the loss or compromise of classified or sensitive information. REFERENCES: CJCSI 6510.01F, INFORM...Rule Low Severity -
IS-13.02.01
Group -
Classified Emergency Destruction Plans - Develop and Make Available
Failure to develop emergency procedures can lead to the loss or compromise of classified or sensitive information during emergency situations. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (I...Rule Medium Severity -
IS-14.02.01
Group -
Security Incident/Spillage - Lack of Procedures or Training for Handling and Reporting
Failure to report possible security compromise can result in the impact of the loss or compromise of classified information not to be evaluated, responsibility affixed, or a plan of action develope...Rule Medium Severity -
IS-15.02.01
Group -
Classification Guides Must be Available for Programs and Systems for an Organization or Site
Failure to have proper classification guidance available for Information Systems and/or associated programs run on them can result in the misclassification of information and ultimately lead to the...Rule Medium Severity -
IS-16.02.01
Group -
Controlled Unclassified Information (CUI) - Employee Education and Training
Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Executive Order 13556, Controlled Unclassified Information (CUI) The Inform...Rule Medium Severity -
IS-16.02.02
Group -
Controlled Unclassified Information - Document, Hard Drive and Media Disposal
Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Assistant Secretary of Defense for Command, Control, Communications and Inte...Rule Medium Severity -
IS-16.02.03
Group -
Controlled Unclassified Information - Handling, Storage and Controlling Access to Areas where CUI is Processed or Maintained
Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Executive Order 13556, Controlled Unclassified Information (CUI) The Inform...Rule Medium Severity -
IS-16.02.04
Group -
Controlled Unclassified Information - Encryption of Data at Rest
Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Executive Order 13556, Controlled Unclassified Information (CUI) The Inform...Rule Medium Severity -
IS-16.02.05
Group -
Controlled Unclassified Information - Transmission by either Physical or Electronic Means
Failure to handle/transmit CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Executive Order 13556, Controlled Unclassified Information (CUI) T...Rule Medium Severity -
IS-16.02.06
Group -
Controlled Unclassified Information - Posting Only on Web-Sites with Appropriate Encryption; not on Publicly Accessible Web-Sites.
Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Executive Order 13556, Controlled Unclassified Information (CUI) The Inform...Rule Medium Severity -
IS-16.03.01
Group -
Controlled Unclassified Information (CUI) - Local Policy and Procedure
Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Executive Order 13556, Controlled Unclassified Information (CUI) The Inform...Rule Low Severity -
IS-16.03.02
Group -
Controlled Unclassified Information - Marking/Labeling Media within Unclassified Environments (Not Mixed with Classified)
Failure to mark CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Executive Order 13556, Controlled Unclassified Information (CUI) The Informat...Rule Low Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.