III - Administrative Classified
Rules and Groups employed by this XCCDF Profile
-
IS-17.03.01
<GroupDescription></GroupDescription>Group -
Classified Annual Review
<VulnDiscussion>Failure to conduct the annual review and clean out day can result in an excessive amount of classified (including IS storage ...Rule Low Severity -
PE-01.03.01
<GroupDescription></GroupDescription>Group -
Position of Trust - Knowledge of Responsibility to Self Report Derogatory Information
<VulnDiscussion>Failure to inform personnel of the expected standards of conduct while holding a position of trust and their responsibility t...Rule Low Severity -
PE-01.03.02
<GroupDescription></GroupDescription>Group -
Position of Trust - Local Policy Covering Employee Personal Standards of Conduct and Responsibilities
<VulnDiscussion>Failure to inform personnel of the expected standards of conduct while holding a position of trust can result in conduct by t...Rule Low Severity -
PE-01.03.03
<GroupDescription></GroupDescription>Group -
Position of Trust - Training Covering Employee Standards of Conduct and Personal Responsibilities
<VulnDiscussion>Failure to inform personnel of the expected standards of conduct while holding a position of trust can result in conduct by t...Rule Low Severity -
PE-03.02.01
<GroupDescription></GroupDescription>Group -
Validation Procedures for Security Clearance Issuance (Classified Systems and/or Physical Access Granted)
<VulnDiscussion>Failure to properly verify security clearance status could result in an unauthorized person having access to a classified inf...Rule Medium Severity -
PE-07.03.01
<GroupDescription></GroupDescription>Group -
Out-processing Procedures for Departing or Terminated Employees (Military, Government Civilian and Contractor)
<VulnDiscussion>Failure to properly out-process through the security section allows the possibility of continued (unauthorized) access to the...Rule Low Severity -
PE-08.02.01
<GroupDescription></GroupDescription>Group -
Intrusion Detection System (IDS) Monitoring Station Personnel - Suitability Checks
<VulnDiscussion>Failure to subject personnel who monitor the IDS alarms to a trustworthiness determination can result in the inadvertent or d...Rule Medium Severity -
PE-08.02.02
<GroupDescription></GroupDescription>Group -
Intrusion Detection System (IDS) Installation and Maintenance Personnel - Suitability Checks
<VulnDiscussion>Failure to subject personnel who install and maintain the IDS alarms to a trustworthiness determination can result in the ina...Rule Medium Severity -
PH-01.03.01
<GroupDescription></GroupDescription>Group -
Physical Security Program - Physical Security Plan (PSP) and/or Systems Security Plan (SSP) Development and Implementation with Consideration/Focus on Protection of Information System Assets in the Physical Environment
<VulnDiscussion>Failure to have a well-documented Physical Security/Systems Security program will result in an increased risk to DoD Informat...Rule Low Severity -
PH-02.02.01
<GroupDescription></GroupDescription>Group -
Risk Assessment -Holistic Review (site/environment/information systems)
<VulnDiscussion>Failure to conduct a risk analysis could result in not implementing an effective countermeasure to a vulnerability or wasting...Rule Medium Severity -
PH-03.02.01
<GroupDescription></GroupDescription>Group -
Physical Protection of Unclassified Key System Devices/Computer Rooms in Large Processing Facilities
<VulnDiscussion>Allowing access to systems processing sensitive information by personnel without the need-to-know could permit loss, destruct...Rule Medium Severity -
PH-04.02.01
<GroupDescription></GroupDescription>Group -
Restricted Area and Controlled Area Designation of Areas Housing Critical Information System Components or Classified /Sensitive Technology or Data
<VulnDiscussion>Failure to designate the areas housing the critical information technology systems as a restricted or controlled access area ...Rule Medium Severity -
PH-05.02.01
<GroupDescription></GroupDescription>Group -
Security-in-Depth (AKA: Defense-in-Depth) - Minimum Physical Barriers and Access Control Measures for Facilities or Buildings Containing DoDIN (SIPRNet/NIPRNet) Connected Assets.
<VulnDiscussion>Failure to use security-in-depth can result in a facility being vulnerable to an undetected intrusion or an intrusion that ca...Rule Medium Severity -
PH-06.02.01
<GroupDescription></GroupDescription>Group -
Visitor Control - To Facility or Organization with Information System Assets Connected to the DISN
<VulnDiscussion>Failure to identify and control visitors could result in unauthorized personnel gaining access to the facility with the inten...Rule Medium Severity -
PH-07.02.01
<GroupDescription></GroupDescription>Group -
Sensitive Item Control - Keys, Locks and Access Cards Controlling Access to Information Systems (IS) or IS Assets Connected to the DISN
<VulnDiscussion>Lack of an adequate key/credential/access device control could result in unauthorized personnel gaining access to the facilit...Rule Medium Severity -
PH-09.03.01
<GroupDescription></GroupDescription>Group -
Physical Penetration Testing - of Facilities or Buildings Containing Information Systems (IS) Connected to the DISN
<VulnDiscussion>Failure to periodically test facility/building security where Information Systems (IS) connected to the DISN are present coul...Rule Low Severity -
SM-01.03.01
<GroupDescription></GroupDescription>Group -
Security and Cybersecurity Staff Appointment, Training/Certification and Suitability
<VulnDiscussion>Failure to formally appoint security personnel and detail responsibilities, training and other requirements in the appointmen...Rule Medium Severity -
SM-02.02.01
<GroupDescription></GroupDescription>Group -
Security Training - Information Security (INFOSEC) for ALL Employees; Military, Government Civilian and Contractor
<VulnDiscussion>Failure to provide security training to ALL employees results in a weak security program and could lead to the loss or compro...Rule Medium Severity -
SM-03.03.01
<GroupDescription></GroupDescription>Group -
Counter-Intelligence Program - Training, Procedures and Incident Reporting
<VulnDiscussion>Failure to establish a good working relationship with the supporting/local CI agency and lack of proper CI training for site/...Rule Low Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.