Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Resources
Documents
Publishers
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
Traditional Security Checklist
Profiles
II - Mission Support Public
II - Mission Support Public
An XCCDF Profile
Details
Items
Prose
145 rules organized in 145 groups
CS-01.03.01
1 Rule
COMSEC Account Management - Appointment of Responsible Person
Low Severity
Lack of formal designation of an individual to be responsible for COMSEC items could result in mismanagement, loss or even compromise of COMSEC materials. Additionally, lack of formal vetting for a specific individual to be appointed for management of COMSEC material could result in a person (such as a non-US Citizen) having unauthorized access. REFERENCES: DoD Manual 5200.01, Volume 1, 24 February 2012, SUBJECT: DoD Information Security Program: Overview, Classification, and Declassification, Encl 3, paragraph 6.e. (3). DoD 5220.22-M (NISPOM), Section 4 DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), paragraphs 6.5.d., 7.16. e. & f. and 8.2.b. (3) NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: IA-1, PL-1, PS-1, PS-2, and SC-1 NSA/CSS Policy Manual 3-16, Sections III, VI, X and XI CNSS Policy No.1, NATIONAL POLICY FOR SAFEGUARDING AND CONTROL OF COMSEC MATERIALS
CS-01.03.02
1 Rule
COMSEC Account Management - Program Management and Standards Compliance
Low Severity
Recipients of NSA or Service COMSEC accounts are responsible to properly maintain the accounts. Procedures covering security, transport, handling, etc., of COMSEC must be developed to supplement regulatory guidelines. NSA or sponsoring Services of the COMSEC accounts maintain oversight by conducting required inspections. If COMSEC accounts are not properly maintained and findings are noted during an inspection, they must be addressed properly and promptly. If this is not done, the integrity of COMSEC items may be adversely impacted, resulting in the loss or compromise of COMSEC equipment or key material. REFERENCES: DOD Manual 5200.01, Volume 1, 24 February 2012, SUBJECT: DOD Information Security Program: Overview, Classification, and Declassification, Encl 3, paragraph 6.e. (3). DOD 5220.22-M (NISPOM), Section 4 NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AU-1, CA-1, CA-2, CA-2(1), CA-2(2), CA-2(3), CA-5, CM-3(6), PL-1, PL-2(3), PL-7, SC-1, SC-12, SC-12(1), and SC-13 NSA/CSS Policy Manual 3-16, Sections III, VI, X and XI CNSS Policy No.1, NATIONAL POLICY FOR SAFEGUARDING AND CONTROL OF COMSEC MATERIALS DOD Instruction 8523.01, Communications Security (COMSEC), January 6, 2021 CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND)
CS-02.02.01
1 Rule
COMSEC Training - COMSEC Custodian or Hand Receipt Holder
Medium Severity
Lack of appropriate training for managers of COMSEC accounts could result in the mismanagement of COMSEC records and inadequate physical protection and ultimately lead to the loss or compromise of COMSEC keying material. REFERENCES: DOD Manual 5200.01, Volume 1, 24 February 2012, SUBJECT: DOD Information Security Program: Overview, Classification, and Declassification DOD 5220.22-M (NISPOM), Section 4 NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AT-3, AT-4, and SC-1 NSA/CSS Policy Manual 3-16, Section III, paragraph 16 . CNSS Policy No.1, NATIONAL POLICY FOR SAFEGUARDING AND CONTROL OF COMSEC MATERIALS DOD Instruction 8523.01, Communications Security (COMSEC), January 6, 2021 CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND)
CS-02.02.02
1 Rule
COMSEC Training - COMSEC User
Medium Severity
Failure to properly brief COMSEC users could result in the loss of cryptologic devices or key, or the compromise of classified information. REFERENCES: DOD Manual 5200.01, Volume 1, 24 February 2012, SUBJECT: DOD Information Security Program: Overview, Classification, and Declassification DOD 5220.22-M (NISPOM), Section 4 DOD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DOD Information Security Program: Protection of Classified Information, Encl 7, Para 7.b. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AT-3, AT-4, and SC-1 NSA/CSS Policy Manual 3-16, Section IX, Paragraph 77. CNSS Policy No. 1, NATIONAL POLICY FOR SAFEGUARDING AND CONTROL OF COMSEC MATERIALS DOD Instruction 8523.01, Communications Security (COMSEC), January 6, 2021 CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND)
CS-03.01.01
1 Rule
Classified Transmission - Electronic Means using Cryptographic System Authorized by the Director, NSA
High Severity
Failure to properly encrypt classified data in transit can lead to the loss or compromise of classified or sensitive information. REFERENCES: DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 5, Section 4, paragraphs 5-402.c. and 5-403 DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information: Encl 4, para 1.a. Encl 4, para 3.b. and 4.a. Encl 4, para 8. Encl 7, para 13.e. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-17(2) and SC-8 NSA/CSS Policy Manual 3-16, Sections III, VI, X and XI DoD Instruction 8523.01, Communications Security (COMSEC), April 22, 2008, paragraph 6.1. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 35. CNSSI No.7003, September 2015, Protected Distribution Systems (PDS), SECTION IV - POLICY, paragraphs 6, 7 and 8.
CS-04.01.01
1 Rule
Protected Distribution System (PDS) Construction - Point of Presence (PoP) and Terminal Equipment Protection. This requirement concerns security of both the starting and ending points for PDS within proper physically protected and access controlled environments.
High Severity
A PDS that is not constructed and physically protected as required could result in the covert or undetected interception of classified information. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 35.c. DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 5, Section 4, paragraphs 5-402.c. and 5-403 DOD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DOD Information Security Program: Protection of Classified Information, Encl 4, para 3.b. and 4.a. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-4, SC-7, and SC-8 CNSSI No. 7003, September 2015, Protected Distribution Systems (PDS), Section IV, paragraph 7., Section VIII, paragraphs 22, 25, 26 & paragraph 27.b. & c. and Section X, paragraph 30.a.
CS-04.01.02
1 Rule
Protected Distribution System (PDS) Construction - Hardened Carrier
High Severity
A PDS that is not constructed and configured as required could result in the undetected interception of classified information. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 35.c. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 5, Section 4, paragraphs 5-402.c. and 5-403 DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 4, para 3.b. and 4.a. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-4, SC-7, and SC-8 CNSSI No. 7003, September 2015, Protected Distribution Systems (PDS), Section IV, Paragraph 7 and Section X, paragraph 30.a.
CS-04.01.03
1 Rule
Protected Distribution System (PDS) Construction - Pull Box Security
High Severity
A PDS that is not constructed and configured as required could result in the undetected interception of classified information. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 35.c. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 5, Section 4, paragraphs 5-402.c. and 5-403 DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 4, para 3.b. and 4.a. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-4, SC-7, and SC-8 CNSSI No. 7003, September 2015, Protected Distribution Systems (PDS), Section VIII, paragraph 25 and Section VI - DEFINITIONS - PDS Lock.
CS-04.01.04
1 Rule
Protected Distribution System (PDS) Construction - Buried PDS Carrier
High Severity
Buried carriers are normally used to extend a PDS between CAAs that are located in different buildings. As with other Category 2 PDS the unencrypted data cables must be installed in a carrier. A PDS that is not constructed, configured and physically secured as required could result in the undetected interception of classified information. This is especially true for unencrypted cables running through an outdoor environment where physical barriers protecting the environment are often easily breeched. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 35.c. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 5, Section 4, paragraphs 5-402.c. and 5-403 DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 4, para 3.b. and 4.a. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-4, SC-7, and SC-8 DoD 5220.22-M (NISPOM), Chapter 5, paragraphs 5-402. (c) and 5-403.(a). CNSSI No. 7003, September 2015, Protected Distribution Systems (PDS), Section IV, paragraph 7 and Section X, paragraph 30.b.
CS-04.01.05
1 Rule
Protected Distribution System (PDS) Construction - External Suspended PDS
High Severity
Suspended carriers (Exterior PDS) are a Category 2 PDS option used to extend a PDS between Controlled Access Areas (CAAs) that are located in different buildings. Suspended carriers may be used for short runs when it is not practical to bury the PDS between buildings (e.g., between the 3rd floors of adjacent buildings). Unlike other Category 2 PDS the unencrypted data cables are not required to be installed in a carrier. Proper elevation and ease of visibility as well as minimum daily visual inspections of suspended carriers is of paramount importance. A PDS that is not configured, physically secured and inspected as required could result in the undetected interception of classified information. This is especially true for unencrypted cables running through an outdoor environment where physical barriers protecting the environment are often easily breeched. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 35.c. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 5, Section 4, paragraphs 5-402.c. and 5-403 DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 4, para 3.b. and 4.a. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-4, SC-7, and SC-8 DoD 5220.22-M (NISPOM), Chapter 5, paragraphs 5-402. (c) and 5-403. (a). CNSSI No. 7003, September 2015, Protected Distribution Systems (PDS), Section IV, paragraph 7 and Section X, paragraph 30.c.
CS-04.01.06
1 Rule
Protected Distribution System (PDS) Construction - Continuously Viewed Carrier
High Severity
A PDS that is not constructed and configured as required could result in the undetected interception of classified information. A continuously viewed PDS may not be in a physically hardened carrier and the primary means of protection is continuous observation and control of the unencrypted transmission line. If not maintained under continuous observation an attacker (insider or external) could have an opportunity to tap and intercept unencrypted communications on the exposed cable. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 35.c. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 5, Section 4, paragraphs 5-402.c. and 5-403 DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 4, para 3.b. and 4.a. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-4, SC-7, and SC-8 CNSSI No. 7003, September 2015, Protected Distribution Systems (PDS), Section IV, paragraph 7. and Section X, paragraph 30.e.
CS-04.01.07
1 Rule
Protected Distribution System (PDS) Construction - Tactical Environment Application
High Severity
A PDS that is not constructed and configured as required could result in the undetected interception of classified information. Within mobile tactical situations a hardened carrier is not possible and therefore the unencrypted SIPRNet cable must be maintained within the confines of the tactical encampment with the cable under continuous observation and control to prevent exploitation by enemy forces. In theaters of operation where fixed facilities are well established, standard PDS applications must be employed unless a risk assessment is conducted to determine the vulnerabilities and risks associated with using unencrypted cable that is not in a hardened carrier. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 35.c. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 5, Section 4, paragraphs 5-402.c. and 5-403 DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 4, para 3.b. and 4.a. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-4, SC-7, and SC-8 Former guidance was in the legacy/superseded NSTISSI 7003, Protected Distribution Systems, Annex B, paragraph 1.a.(7) NOTE: There is no longer specific guidance in the updated CNSSI 7003 but the guidance for Continuously Viewed Carriers is the most applicable for Tactical Environments with PDS: CNSSI No.7003, September 2015, Protected Distribution Systems (PDS), Section X, paragraph 30.e.
CS-04.01.08
1 Rule
Protected Distribution System (PDS) Construction - Alarmed Carrier
High Severity
A PDS that is not constructed and configured as required could result in the covert or undetected interception of classified information. An Alarmed Carrier is one of five types of Category 2 PDS. It is the most suitable alternative to Hardened and Continuously Viewed PDS (internal facility PDS options), when the unencrypted data transmission line is concealed above suspended ceilings, below raised floors, between walls or in any situation where the line is not visible for inspection. In lieu of daily visual inspections the functionality of the PDS alarm must be tested at least weekly - as based on guidance in the CNSSI 7003. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 35.c. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 5, Section 4, paragraphs 5-402.c., 5-403 and Section 9 DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information: Encl 4, para 3.b. and 4.a.; Appendix to Encl 3, para 2 & 2.f.(2); DoD Manual 5200.02 Procedures for the DoD Personnel Security Program (PSP), 3 April 2017 NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-4, PE-6(1), (2) & (3), SC-7, and SC-8 CNSSI No.7003, September 2015, Protected Distribution Systems (PDS), Section IV, paragraph 7. and Section X, paragraph 30.d.
CS-04.02.01
1 Rule
Protected Distribution System (PDS) Construction - Visible for Inspection and Marked
Medium Severity
A PDS that is not completely visible for inspection and easily identified cannot be properly inspected and monitored as required, which could result in undetected access, sabotage or tampering of the unencrypted transmission lines. This could directly lead to the loss or compromise of classified. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 35.c. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 5, Section 4, paragraphs 5-402.c. and 5-403 DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 4, para 3.b. and 4.a. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-4, SC-7, SC-8, and RA-6 CNSSI No. 7003, September 2015, Protected Distribution Systems (PDS), Section VIII, paragraphs 23.c. and 24.
CS-04.02.02
1 Rule
Protected Distribution System (PDS) Construction - Sealed Joints
Medium Severity
A PDS that is not constructed and sealed as required could result in the undetected interception of classified information. Sealing of joints is necessary to ensure that daily visual inspections of the PDS for signs of attempted or actual intrusion can be accurately and thoroughly conducted. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 35.c. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 5, Section 4, paragraphs 5-402.c. and 5-403 DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 4, para 3.b. and 4.a. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-4, SC-7, and SC-8 CNSSI No. 7003, September 2015, Protected Distribution Systems (PDS), Section VIII, paragraph 26. and Section X, paragraph 30.a & b.
CS-05.03.01
1 Rule
Protected Distribution System (PDS) Documentation - Signed Approval
Low Severity
A PDS that is not approved could cause an Information System Security Manager (ISSM), Authorizing Official (AO) and other concerned managerial personnel to not be fully aware of all vulnerabilities and residual risk of IA systems under their purview. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 35.c. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 5, Section 4, paragraphs 5-402.c. and 5-403 DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 4, para 3.b. and 4.a. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-4, SC-7, and SC-8 CNSSI No. 7003, September 2015, Protected Distribution Systems (PDS), Section I, paragraph 1., Section III, paragraph 5., Section 4, paragraph 11., Section V, paragraph 14., Section VIII, paragraphs 23.c. and 27.a., Section X, paragraphs 30.a & b., Section XI, paragraph 34.b.2) and Annex A.
CS-05.03.02
1 Rule
Protected Distribution System (PDS) Documentation - Request for Approval Documentation
Low Severity
A PDS that is not approved could cause an Information System Security Manager (ISSM), Authorizing Official (AO) and other concerned managerial personnel to not be fully aware of all vulnerabilities and residual risk of IA systems under their purview. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 35.c. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 5, Section 4, paragraphs 5-402.c. and 5-403 DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 4, para 3.b. and 4.a. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-4, SC-7, and SC-8 CNSSI No. 7003, September 2015, Protected Distribution Systems (PDS), Section I, paragraph 1., Section V, paragraph 14., Section VIII, paragraphs 23.c., Section X, paragraphs 30.a., and Annex A.
CS-06.02.01
1 Rule
Protected Distribution System (PDS) Monitoring - Daily (Visual) Checks
Medium Severity
A PDS that is not inspected, monitored and maintained as required could result in undetected access, sabotage or tampering of the unencrypted transmission lines. This could directly lead to the loss or compromise of classified. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 35.c. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 5, Section 4, paragraphs 5-402.c. and 5-403 DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 4, para 3.b. and 4.a. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-4, SC-7, SC-8, IR-4, and IR-6 CNSSI No. 7003, September 2015, Protected Distribution Systems (PDS), Section VIII, paragraphs 23.c. & 24., Section XI, paragraphs 31, 32, 33 and 34.a. (1) & (2) and Table 3. Visual Inspection Schedule.
CS-06.02.02
1 Rule
Protected Distribution System (PDS) Monitoring - Reporting Incidents
Medium Severity
A PDS that is not inspected, monitored and maintained as required could result in undetected access, sabotage or tampering of the unencrypted transmission lines. This could directly lead to the loss or compromise of classified. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 35.c. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 5, Section 4, paragraphs 5-402.c. and 5-403 DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 4, para 3.b. and 4.a. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-4, SC-7, SC-8, IR-4, IR-6, and PE-19 CNSSI No. 7003, September 2015, Protected Distribution Systems (PDS), Section XI, paragraph 32.
CS-06.03.01
1 Rule
Protected Distribution System (PDS) Monitoring - Technical Inspections
Low Severity
A PDS that is not inspected, monitored and maintained as required could result in undetected access, sabotage or tampering of the unencrypted transmission lines. This could directly lead to the loss or compromise of classified. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 35.c. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 5, Section 4, paragraphs 5-402.c. and 5-403 DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 4, para 3.b. and 4.a. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-4, SC-7, SC-8, IR-4, IR-6, and PE-19 CNSSI No. 7003, September 2015, Protected Distribution Systems (PDS), Section XI, paragraph 34. and Table 4. PDS Technical Inspection Schedule.
CS-06.03.02
1 Rule
Protected Distribution System (PDS) Monitoring - Initial Inspection
Low Severity
A PDS that is not inspected, monitored and maintained as required could result in undetected access, sabotage or tampering of the unencrypted transmission lines. This could directly lead to the loss or compromise of classified. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 35.c. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 5, Section 4, paragraphs 5-402.c. and 5-403 DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 4, para 3.b. and 4.a. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-4, SC-7, SC-8, IR-4, IR-6, and PE-19 CNSSI No. 7003, September 2015, Protected Distribution Systems (PDS), Section IV, paragraph 10, and Section XI, paragraph 34.b. 2) a)
EC-01.02.01
1 Rule
Environmental IA Controls - Emergency Power Shut-Off (EPO)
Medium Severity
A lack of an emergency shut-off switch or a master power switch for electricity to IT equipment could cause damage to the equipment or injury to personnel during an emergency. REFERENCES: DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 5, Section 1, paragraph 5-104 NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-10 and PE-10(1) NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook NIST SP 800-100 Information Security Handbook: A Guide for Managers NFPA 79 & OSHA Emergency Stop Requirement
EC-02.02.01
1 Rule
Environmental IA Controls - Emergency Lighting and Exits - Properly Installed
Medium Severity
Lack of automatic emergency lighting and exits can cause injury and/or death to employees and emergency responders. Lack of automatic emergency lighting can also cause a disruption in service. REFERENCES: DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 5, Section 1, paragraph 5-104 NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-12 and PE-12(1) NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook NIST SP 800-100 Information Security Handbook: A Guide for Managers
EC-02.03.01
1 Rule
Environmental IA Controls - Emergency Lighting and Exits - Documentation and Testing
Low Severity
Lack of automatic emergency lighting can cause injury and/or death to employees and emergency responders. Lack of automatic emergency lighting can cause a disruption in service. REFERENCES: DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 5, Section 1, paragraph 5-104 NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-1, PE-12 and PE-12(1) NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook NIST SP 800-100 Information Security Handbook: A Guide for Managers
EC-03.03.01
1 Rule
Environmental IA Controls - Voltage Control (power)
Low Severity
Failure to use automatic voltage control can result in damage to the IT equipment creating a service outage. REFERENCES: DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 5, Section 1, paragraph 5-104 NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-9(2) NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook NIST SP 800-100 Information Security Handbook: A Guide for Managers
EC-03.02.02
1 Rule
Environmental IA Controls - Emergency Power
Medium Severity
Failure to have alternative power sources available can result in significant impact to mission accomplishment and information technology systems including potential loss of data and damage to the IT equipment during a commercial power service outage. REFERENCES: DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 5, Section 1, paragraph 5-104 NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-11 and PE-11(1) & (2) NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook NIST SP 800-100, Information Security Handbook: A Guide for Managers
EC-04.03.01
1 Rule
Environmental IA Controls - Training
Low Severity
If employees have not received training on the environmental controls they will not be able to respond to a fluctuation of environmental conditions, which could damage equipment and ultimately disrupt operations. REFERENCES: DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 5, Section 1, paragraph 5-104 NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AT-3(1) NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook NIST SP 800-100, Information Security Handbook: A Guide for Managers
EC-05.03.01
1 Rule
Environmental IA Controls - Temperature
Low Severity
Lack of temperature controls can lead to fluctuations in temperature which could be potentially harmful to personnel or equipment operation. REFERENCES: DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 5, Section 1, paragraph 5-104 NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-14 and PE-14(1) & (2) NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook NIST SP 800-100, Information Security Handbook: A Guide for Managers
EC-06.03.01
1 Rule
Environmental IA Controls - Humidity
Low Severity
Fluctuations in humidity can be potentially harmful to personnel or equipment causing the loss of services or productivity. REFERENCES: DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 5, Section 1, paragraph 5-104 NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-14 and PE-14(1) & (2) NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook NIST SP 800-100, Information Security Handbook: A Guide for Managers
EC-07.03.01
1 Rule
Environmental IA Controls - Fire Inspections/ Discrepancies
Low Severity
Failure to conduct fire inspections and correct any discrepancies could result in hazardous situations leading to a possible fire and loss of service. REFERENCES: DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 5, Section 1, paragraph 5-104 NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-13(4) NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook NIST SP 800-100, Information Security Handbook: A Guide for Managers
EC-08.03.01
1 Rule
Environmental IA Controls - Fire Detection and Suppression
Low Severity
Failure to provide adequate fire detection and suppression could result in the loss of or damage to data, equipment, facilities, or personnel. REFERENCES: DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 5, Section 1, paragraph 5-104 NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-13 and PE-13(1), (2), (3) and (4) NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook NIST SP 800-100, Information Security Handbook: A Guide for Managers
EM-01.02.01
1 Rule
TEMPEST Countermeasures
Medium Severity
Failure to implement required TEMPEST countermeasures could leave the system(s) vulnerable to a TEMPEST attack. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND) DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 11 NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-18, PE-19(1), and SC-8 Committee on National Security Systems Policy 300, "National Policy on Control of Compromising Emanations," April 2004, as amended Committee on National Security Systems Instruction 7000, "TEMPEST Countermeasures for Facilities," May 2004, as amended DoDI 8500.01, SUBJECT: Cybersecurity, March 14, 2014
EM-02.02.01
1 Rule
TEMPEST - Red/Black separation (Processors)
Medium Severity
Failure to maintain proper separation could result in detectable emanations of classified information. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND) DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 11 NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-19 & PE-19(1) Committee on National Security Systems Policy 300, "National Policy on Control of Compromising Emanations," April 2004, as amended Committee on National Security Systems Instruction 7000, "TEMPEST Countermeasures for Facilities," May 2004, as amended DoDI 8500.01, SUBJECT: Cybersecurity, March 14, 2014 CNSSAM TEMPEST/ 1-13, 17 January 2014, RED/BLACK Installation Guidance
EM-03.02.01
1 Rule
TEMPEST - Red/Black Separation (Cables)
Medium Severity
Failure to maintain proper separation could result in detectable emanations of classified information. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND) DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 11 NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-19 & PE-19(1) Committee on National Security Systems Policy 300, "National Policy on Control of Compromising Emanations," April 2004, as amended Committee on National Security Systems Instruction 7000, "TEMPEST Countermeasures for Facilities," May 2004, as amended DoDI 8500.01, SUBJECT: Cybersecurity, March 14, 2014 CNSSAM TEMPEST/ 1-13, 17 January 2014, RED/BLACK Installation Guidance
FN-01.02.01
1 Rule
Foreign National System Access - Identification as FN in E-mail Address
Medium Severity
Unauthorized access by foreign nationals to Information Systems can result in, among other things, security incidents, compromise of the system, or the introduction of a virus. REFERENCES: National Disclosure Policy - 1 (NDP-l) National Security Directive 42, "National Policy for the Security of National Security Telecommunications and Information Systems DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations. SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information. Use guidance on sharing information with REL Partners on SIPRNET at http://www.ssc.smil.mil/. Follow Policy/Guidance&Documentation link and then SIPRNet Information Sharing. DODD 5230.20; Visits, Assignments, and Exchanges of Foreign Nationals CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure A, Paragraph 7.d. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-1, AC-2, CA-1, and IA-4(4) DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 11.
FN-01.03.01
1 Rule
Foreign National System Access - Local Access Control Procedures
Low Severity
Unauthorized access by foreign nationals to Information Systems can result in, among other things, security incidents, compromise of the system, or the introduction of a virus. REFERENCES: National Disclosure Policy - 1 (NDP-l) National Security Directive 42, "National Policy for the Security of National Security Telecommunications and Information Systems DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information Use guidance on sharing information with REL Partners on SIPRNET at http://www.ssc.smil.mil/ - follow Policy/Guidance&Documentation link and then SIPRNet Information Sharing... DODD 5230.20; Visits, Assignments, and Exchanges of Foreign Nationals CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND) NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-1, AC-2, AC-3, AC-24, PS-4, PS-5, CA-1, MA-5(4) and IA-4(4) DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 11. DOD Manual 5200.02, Procedures for the DOD Personnel Security Program (PSP), 3 April 2017 DOD 8570.01-M, Information Assurance Workforce Improvement Program DODD 8140.01 Cyberspace Workforce Management DODI 8140.02 Identifying-Tracking and Reporting of Cyberspace Workforce Requirements DODM 8140.03 Cyberspace Workforce Qualification and Management System
FN-02.01.01
1 Rule
Foreign National (FN) Systems Access - Local Nationals Overseas System Access - (SIPRNet or Other Classified System or Classified Network being Reviewed)
High Severity
Failure to subject foreign nationals to background checks could result in the loss or compromise of classified or sensitive information by foreign sources. REFERENCES: National Disclosure Policy - 1 (NDP-l) National Security Directive 42, "National Policy for the Security of National Security Telecommunications and Information Systems DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information Use guidance on sharing information with REL Partners on SIPRNET at http://www.ssc.smil.mil/ - follow Policy/Guidance & Documentation link and then SIPRNet Information Sharing... DODD 5230.20; Visits, Assignments, and Exchanges of Foreign Nationals CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, para 26.c. (2) & (3) NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-1, AC-2, AC-3, AC-24, CA-1, PS-4, PS-5, PM-9, MA-5(4) and IA-4(4) DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 11. DOD Manual 5200.02, Procedures for the DOD Personnel Security Program (PSP), 3 April 2017 DOD 8570.01-M, Information Assurance Workforce Improvement Program, para C.3.2.4.8.2, C.8.2.7 & AP1.19 DODD 8140.01 Cyberspace Workforce Management DODI 8140.02 Identifying-Tracking and Reporting of Cyberspace Workforce Requirements DODM 8140.03 Cyberspace Workforce Qualification and Management System
FN-02.02.01
1 Rule
Foreign National (FN) Systems Access - Local Nationals Overseas System Access - (NIPRNet User)
Medium Severity
Failure to subject foreign nationals to background checks could result in the loss or compromise of classified or sensitive information by foreign sources. REFERENCES: National Disclosure Policy - 1 (NDP-l) National Security Directive 42, "National Policy for the Security of National Security Telecommunications and Information Systems DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information Use guidance on sharing information with REL Partners on SIPRNET at http://www.ssc.smil.mil/ - follow Policy/Guidance&Documentation link and then SIPRNet Information Sharing... DODD 5230.20; Visits, Assignments, and Exchanges of Foreign Nationals CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, para 26.c.(2)&(3) NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-1, AC-2, AC-3, AC-24, CA-1, PS-4, PS-5, PM-9, MA-5(4) and IA-4(4) DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014 , Enclosure 3, paragraph 11. DOD Manual 5200.02, Procedures for the DOD Personnel Security Program (PSP), 3 April 2017, paragraph 6.4.f. DOD 8570.01-M, Information Assurance Workforce Improvement Program, para C.3.2.4.8.2, C.8.2.7 & AP1.19 DODD 8140.01 Cyberspace Workforce Management DODI 8140.02 Identifying-Tracking and Reporting of Cyberspace Workforce Requirements DODM 8140.03 Cyberspace Workforce Qualification and Management System
FN-02.02.02
1 Rule
Foreign National (FN) Systems Access - Delegation of Disclosure Authority Letter (DDL)
Medium Severity
Unauthorized access by foreign nationals to Information Systems can result in, among other things, security incidents, compromise of the system, or the introduction of a virus. REFERENCES: National Disclosure Policy - 1 (NDP-l) National Security Directive 42, "National Policy for the Security of National Security Telecommunications and Information Systems DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information -- Specifically note paragraphs 4.6.3., E2.1.4. and Enclosure 4. Use guidance on sharing information with REL Partners on SIPRNET at http://www.ssc.smil.mil/ - follow Policy/Guidance&Documentation link and then SIPRNet Information Sharing... DODD 5230.20; Visits, Assignments, and Exchanges of Foreign Nationals, paragraph 4.4. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, para 26.c.(2)&(3) NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-1, AC-2, AC-3, AC-24, CA-1, PS-4, PS-5, PM-9, MA-5(4) and IA-4(4) DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014 , Enclosure 3, paragraph 11. DOD Manual 5200.02, Procedures for the DOD Personnel Security Program (PSP), 3 April 2017 DOD 8570.01-M, Information Assurance Workforce Improvement Program, para C.3.2.4.8.2, C.8.2.7 & AP1.19 DODD 8140.01 Cyberspace Workforce Management DODI 8140.02 Identifying-Tracking and Reporting of Cyberspace Workforce Requirements DODM 8140.03 Cyberspace Workforce Qualification and Management System
FN-03.01.01
1 Rule
Foreign National System Access - FN or Immigrant Aliens (not representing a foreign government or entity) System Access - Limited Access Authorization (LAA)
High Severity
Failure to verify citizenship and proper authorization for access to either sensitive or classified information could enable personnel to have access to classified or sensitive information to which they are not entitled. REFERENCES: National Disclosure Policy - 1 (NDP-l) National Security Directive 42, "National Policy for the Security of National Security Telecommunications and Information Systems DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information. Use guidance on sharing information with REL Partners on SIPRNET at http://www.ssc.smil.mil/ - follow Policy/Guidance&Documentation link and then SIPRNet Information Sharing... DODD 5230.20; Visits, Assignments, and Exchanges of Foreign Nationals CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, para 26.c.(2)&(3) NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-1, AC-2, AC-3, AC-24, CA-1, PS-3, PS-4, PS-5, PM-9, MA-5(4) and IA-4(4) DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014 , Enclosure 3, paragraph 11. DOD Manual 5200.02, Procedures for the DOD Personnel Security Program (PSP), 3 April 2017, Section 6. DOD 8570.01-M, Information Assurance Workforce Improvement Program, para C.3.2.4.8.2, C.8.2.7 & AP1.19 DODD 8140.01 Cyberspace Workforce Management DODI 8140.02 Identifying-Tracking and Reporting of Cyberspace Workforce Requirements DODM 8140.03 Cyberspace Workforce Qualification and Management System DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, CHAPTER 10 International Security Requirements, Section 5. International Visits and Control of Foreign Nationals and Section 6. Contractor Operations Abroad, paragraph 10-601.b
FN-03.01.02
1 Rule
Foreign National (FN) System Access - FN or Immigrant Aliens (not representing a foreign government or entity) with LAA Granted Uncontrolled Access
High Severity
Failure to verify citizenship and proper authorization for access to either sensitive or classified information could enable personnel to have access to classified or sensitive information to which they are not entitled. Further uncontrolled/unsupervised access to physical facilities can lead directly to unauthorized access to classified or sensitive information. REFERENCES: National Disclosure Policy - 1 (NDP-l) National Security Directive 42, "National Policy for the Security of National Security Telecommunications and Information Systems DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information. Use guidance on sharing information with REL Partners on SIPRNET at http://www.ssc.smil.mil/ - follow Policy/Guidance&Documentation link and then SIPRNet Information Sharing... DODD 5230.20; Visits, Assignments, and Exchanges of Foreign Nationals CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, para 26.c.(2)&(3) NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-1, AC-2, AC-3, AC-24, CA-1, PS-3, PS-4, PS-5, PM-9, MA-5(4) and IA-4(4) DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014 , Enclosure 3, paragraph 11. DOD Manual 5200.02, Procedures for the DOD Personnel Security Program (PSP), 3 April 2017, Section 6. DOD 8570.01-M, Information Assurance Workforce Improvement Program, para C.3.2.4.8.2, C.8.2.7 & AP1.19 DODD 8140.01 Cyberspace Workforce Management DODI 8140.02 Identifying-Tracking and Reporting of Cyberspace Workforce Requirements DODM 8140.03 Cyberspace Workforce Qualification and Management System DOD Manual 5200.01, Volume 1, SUBJECT: DOD Information Security Program: Overview, Classification, and Declassification, Encl 2, para 9.j.(1) and Encl 3, para 5.b., 7.b.(5), 12.e. DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information, Encl 3, para 5, Encl 4, para 2.c., Appendix to Encl 4, para 1.f. and Encl 7. DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, CHAPTER 10 International Security Requirements, Section 5. International Visits and Control of Foreign Nationals and Section 6. Contractor Operations Abroad, paragraph 10-601.b.
FN-04.01.01
1 Rule
Foreign National (FN) Physical Access Control - Areas Containing US Only Information Systems Workstations/Monitor Screens, Equipment, Media or Documents
High Severity
Physically co-locating REL Partners or other FN - who have limited or no access to the SIPRNet or other US Classified systems - near US personnel in a collateral classified (Secret or higher) open storage area or in a Secret or higher Controlled Access Area (CAA) that processes classified material is permissible for operational efficiency and coordination. Failure to limit and control physical access to information visible on system monitor screens, information processing equipment containing classified data, removable storage media and printed documents is especially important in mixed US/FN environments. Inadequate access and procedural controls can result in FN personnel having unauthorized access to classified materials and data, which can result in the loss or compromise of classified information, including NOFORN information. Appropriate but simple physical and procedural security measures must be put in place to ensure the FN partners do not have unauthorized access to information not approved for release to them. The primary control measure is to either keep US Only classified documents, information systems equipment and/ or associated removable storage media under continuous observation and control of a cleared US employee or place such items in an approved safe when unattended. Additionally, escorting visitors AND all FN employees/personnel into any area where there is US Only classified processing, documents, media, equipment or materials is not only a prudent security measure but an absolute requirement to prevent both intentional (insider threat) or unintentional (inadvertent) unauthorized exposure to classified materials and information. Following are applicable excerpts from CJCSI 6510.01F pertaining to control of US Only workstation spaces (in particular SCIFs and secure rooms): 7. Information and Information System Access. Access to DOD ISs is a revocable privilege and shall be granted to individuals based on need-to-know and IAW DODI 8500.2, NSTISSP No. 200, "National Policy on Controlled Access Protection" , Status of Forces Agreements for host national access, and DOD 5200.2-R, "Personnel Security System". b. Individual foreign nationals may be granted access to specific classified U.S. networks and systems as specifically authorized under Information Sharing guidance outlined in changes to National Disclosure Policy (NDP-1). (1) Classified ISs shall be sanitized or configured to guarantee that foreign nationals have access only to classified information that has been authorized for disclosure to the foreign national's government or coalition, and is necessary to fulfill the terms of their assignments. (2) U.S.-only classified workstations shall be under strict U.S. control at all times. 27. Foreign Access. f. Foreign National Access to U.S.-Only Workstations and Network Equipment. CC/S/As shall: (1) Maintain strict U.S. control of U.S.-only workstations and network equipment at all times. (4) Announce presence. If a foreign national is permitted access to U.S.-controlled workstation space, the individual must be announced, must wear a badge clearly identifying him or her as a foreign national, and must be escorted at all times. In addition, a warning light must be activated if available and screens must be covered or blanked. REFERENCES: National Disclosure Policy - 1 (NDP-l) National Security Directive 42, "National Policy for the Security of National Security Telecommunications and Information Systems DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information. Use guidance on sharing information with REL Partners on SIPRNET at http://www.ssc.smil.mil/ - follow Policy/Guidance&Documentation link and then SIPRNet Information Sharing... DODD 5230.20; Visits, Assignments, and Exchanges of Foreign Nationals CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl A, para 7.b.(1) & (2) and Encl C, para 27.f. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-5, PE-18, PS-3(1), PS-6, PS-6(1), PS-6(2) DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 11. DOD Manual 5200.02, Procedures for the DOD Personnel Security Program (PSP), 3 April 2017, Section 6. DOD 8570.01-M, Information Assurance Workforce Improvement Program, para C.3.2.4.8.2, C.8.2.7 & AP1.19 DODD 8140.01 Cyberspace Workforce Management DODI 8140.02 Identifying-Tracking and Reporting of Cyberspace Workforce Requirements DODM 8140.03 Cyberspace Workforce Qualification and Management System DOD Manual 5200.01, Volume 1, SUBJECT: DOD Information Security Program: Overview, Classification, and Declassification, Encl 2, para 9.j.(1) and Encl 3, para 5.b., 7.b.(5), 12.e. DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information, Encl 3, para 5, Encl 4, para 2.c., Appendix to Encl 4, para 1.f. and Encl 7. DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, CHAPTER 10 International Security Requirements, Section 5. International Visits and Control of Foreign Nationals
FN-04.03.01
1 Rule
Foreign National (FN) Physical Access Control - (Identification Badges)
Low Severity
Failure to limit access to information visible on system monitor screens in mixed US/FN environments can result in FN personnel having unauthorized access to classified information, which can result in the loss or compromise of classified information, including NOFORN information. Physically co-locating REL Partners or other FN - who have limited access to the SIPRNet or other US Classified systems - near US personnel in a collateral classified (Secret) open storage area or in a Secret Controlled Access Area (CAA) that processes classified material is permissible for operational efficiency and coordination. Appropriate but simple physical and procedural security measures must be put in place to ensure the FN partners do not have unauthorized access to information not approved for release to them. Ensuring that US employees can clearly identify FN workers is an important control measure and can be accomplished by requiring the FN employees or partners to wear picture identification badges that clearly identify their affiliated / represented Country. Wearing of Country specific military uniforms also can be used. REFERENCES: National Disclosure Policy - 1 (NDP-l) National Security Directive 42, "National Policy for the Security of National Security Telecommunications and Information Systems" DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information. Use guidance on sharing information with REL Partners on SIPRNET at http://www.ssc.smil.mil/ - follow Policy/Guidance&Documentation link and then SIPRNet Information Sharing... DODD 5230.20; Visits, Assignments, and Exchanges of Foreign Nationals CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, para 27.f.(4). NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-2, PE-3, PE-5, PE-6, PE-8, PE-18 DoDI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 11. DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), 3 April 2017 DoD Manual 5200.01, Volume 1, SUBJECT: DoD Information Security Program: Overview, Classification, and Declassification, Encl 2, para 9.j.(1) and Encl 3, para 5.b., 7.b.(5), 12.e. DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 7. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, CHAPTER 10 International Security Requirements, Section 5. International Visits and Control of Foreign Nationals
FN-05.01.01
1 Rule
Foreign National (FN) Administrative Controls - Proper Investigation and Clearance for Access to Classified Systems and/or Information Assurance (IA) Positions of Trust
High Severity
Failure to validate that FN partners or employees have the required security clearance levels for access to classified systems and/or the proper level of background investigation for IA Positions of Trust could result in untrustworthy Foreign Nationals having access to classified or sensitive US systems. In situations where they have been assigned to IA positions of trust this consideration becomes even more critical as they could adversely impact the CIA of the systems, possibly without being easily discovered. REFERENCES: National Disclosure Policy - 1 (NDP-l) National Security Directive 42, "National Policy for the Security of National Security Telecommunications and Information Systems DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information. Use guidance on sharing information with REL Partners on SIPRNET at http://www.ssc.smil.mil/ - follow Policy/Guidance&Documentation link and then SIPRNet Information Sharing... DODD 5230.20; Visits, Assignments, and Exchanges of Foreign Nationals CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, para 27.f. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-2, AC-3, PS-2, PS-3 and PS-6 DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014 , Enclosure 3, paragraph 11. DOD Manual 5200.02, Procedures for the DOD Personnel Security Program (PSP), 3 April 2017 DOD Manual 5200.01, Volume 1, SUBJECT: DOD Information Security Program: Overview, Classification, and Declassification, Encl 2, para 9.j.(1) and Encl 3, para 5.b., 7.b.(5), 12.e. DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information, Encl 2, para 3 & 4; Encl 3, para 5; Encl 4, para 2.c.; Appendix to Encl 4, para 1.f. DOD 8570.01-M, Information Assurance Workforce Improvement Program, para C.3.2.4.8.2, C.8.2.7 & AP1.19 DODD 8140.01 Cyberspace Workforce Management DODI 8140.02 Identifying-Tracking and Reporting of Cyberspace Workforce Requirements DODM 8140.03 Cyberspace Workforce Qualification and Management System DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, CHAPTER 10 International Security Requirements, Section 5. International Visits and Control of Foreign Nationals
FN-05.02.01
1 Rule
Foreign National (FN) Administrative Controls - Written Procedures and Employee Training
Medium Severity
Failure to limit access for Foreign Nationals to classified information can result in the loss or compromise of NOFORN information. Documented local policies and procedures concerning what information FN employees or partners have access to and what they are excluded from having, what physical access limitations and allowances are in place, how to recognize a FN (badges, uniforms, etc.), steps to take to sanitize a work area before a FN can access the area, etc. are an essential part of controlling FN access. Just as important as development of policy and procedure is the training/familiarization of both employees and assigned FNs with the rules of interaction. REFERENCES: National Disclosure Policy - 1 (NDP-l) National Security Directive 42, "National Policy for the Security of National Security Telecommunications and Information Systems DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information. Use guidance on sharing information with REL Partners on SIPRNET at http://www.ssc.smil.mil/ - follow Policy/Guidance&Documentation link and then SIPRNet Information Sharing... DODD 5230.20; Visits, Assignments, and Exchanges of Foreign Nationals CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, paragraphs 5, 6.f.(1), 9.b., 10., 27.a, 27.b., 27.c., 27.e. (8) and 27.f. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-1, PL-1, PL-4, AT-1, AT-2, AT-3, PE-2(1), PE-2(3) and PE-3 DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014 , Enclosure 3, paragraph 11. DOD Manual 5200.02, Procedures for the DOD Personnel Security Program (PSP), 3 April 2017 DOD Manual 5200.01, Volume 1, SUBJECT: DOD Information Security Program: Overview, Classification, and Declassification, Encl 3, para 5.b. DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information, Encl 3, para 5; Encl 4, para 2.c.; Appendix to Encl 4, para 1.f.; Encl 7 DOD 8570.01-M, Information Assurance Workforce Improvement Program, para C.3.2.4.8.2, C.8.2.7 & AP1.19 DODD 8140.01 Cyberspace Workforce Management DODI 8140.02 Identifying-Tracking and Reporting of Cyberspace Workforce Requirements DODM 8140.03 Cyberspace Workforce Qualification and Management System DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, CHAPTER 10 International Security Requirements, Section 5. International Visits and Control of Foreign Nationals
FN-05.02.02
1 Rule
Foreign National (FN) Administrative Controls - Procedures for Requests to Provide Foreign Nationals System Access
Medium Severity
Unauthorized access by foreign nationals to Information Systems can result in, among other things, security incidents, compromise of the system, or the introduction of a virus. REFERENCES: National Disclosure Policy - 1 (NDP-l) National Security Directive 42, "National Policy for the Security of National Security Telecommunications and Information Systems DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information. Use guidance on sharing information with REL Partners on SIPRNET at http://www.ssc.smil.mil/ - follow Policy/Guidance&Documentation link and then SIPRNet Information Sharing... DODD 5230.20; Visits, Assignments, and Exchanges of Foreign Nationals CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, paragraphs 26.c.(3) and 27.f. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: CA-1, AC-2, AC-3, PS-1, PS-2 and PS-3 DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014 , Enclosure 3, paragraph 11. DOD Manual 5200.02, Procedures for the DOD Personnel Security Program (PSP), 3 April 2017 DOD Manual 5200.01, Volume 1, SUBJECT: DOD Information Security Program: Overview, Classification, and Declassification, Encl 2, para 9.j.(1). DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information, Encl 7 DOD 8570.01-M, Information Assurance Workforce Improvement Program, para C.3.2.4.8.2, & AP1.19 DODD 8140.01 Cyberspace Workforce Management DODI 8140.02 Identifying-Tracking and Reporting of Cyberspace Workforce Requirements DODM 8140.03 Cyberspace Workforce Qualification and Management System DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, CHAPTER 10 International Security Requirements, Section 5. International Visits and Control of Foreign Nationals
FN-05.03.01
1 Rule
Foreign National (FN) Administrative Controls - Contact Officer Appointment
Low Severity
Failure to provide proper oversight of Foreign National partners or employees and limit access to classified and sensitive information can result in the loss or compromise of NOFORN information. REFERENCES: National Disclosure Policy - 1 (NDP-l) National Security Directive 42, "National Policy for the Security of National Security Telecommunications and Information Systems DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information. Use guidance on sharing information with REL Partners on SIPRNET at http://www.ssc.smil.mil/ - follow Policy/Guidance&Documentation link and then SIPRNet Information Sharing... DODD 5230.20; Visits, Assignments, and Exchanges of Foreign Nationals, paragraph 4.6. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, paragraphs 26.c.(3) and 27.f. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-2, PE-2 and PE-8 DoDI 8500.01, SUBJECT: Cybersecurity, March 14, 2014 , Enclosure 3, paragraph 11. DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), 3 April 2017 DoD Manual 5200.01, Volume 1, SUBJECT: DoD Information Security Program: Overview, Classification, and Declassification, Encl 2, para 5.b. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, CHAPTER 10 International Security Requirements, Section 5. International Visits and Control of Foreign Nationals
IA-01.03.01
1 Rule
Information Assurance - System Security Operating Procedures (SOPs)
Low Severity
Failure to have documented procedures in an SOP could result in a security incident due to lack of knowledge by personnel assigned to the organization. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND) NIST Special Publication 800-53 (SP 800-53), Rev 4/5, Controls: MA-1, MA-2, MA-3, MA-4, PL-1, PL-2 and PL-4 DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014 DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information,, Encl 5, para 3.a.(4), 3.d., 7.a. ; Encl 7, para 5.c., 6, 10, and 11. DOD Instruction 8510.01, SUBJECT: Risk Management Framework (RMF) for DoD Information Technology (IT) United States Cyber Command Instruction (USCCI) 5200-13, 13 April 2019, SUBJECT: Cyberspace Protection Conditions (CPCON)
IA-02.02.01
1 Rule
Information Assurance - COOP Plan and Testing (Not in Place for Information Technology Systems or Not Considered in the organizational Holistic Risk Assessment)
Medium Severity
Failure to develop a COOP and test it periodically can result in the partial or total loss of operations and INFOSEC. A contingency plan is necessary to reduce mission impact in the event of system compromise or disaster. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, Paragraphs 15 & 32 NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: CP-2, CP-2(1) through CP-2(8), CP-4, CP-4(1) through CP-4(4), CP-6, CP-7, CP-9, MA-6 DoDI 8500.01, SUBJECT: Cybersecurity, March 14, 2014 , Enclosure 3, paragraph 3. DoDD 3020.26, SUBJECT: Department of Defense Continuity Programs, January 9, 2009 DoDI 3020.42, SUBJECT: Defense Continuity Plan Development, February 17, 2006 Implementation of DoD Continuity Strategy - Deputy Secretary of Defense, 25 May 07 National Security Presidential Directive (NSPD) 51 / Homeland Security Presidential Directive (HSPD) 20 - National Continuity Policy, 9 May 07 Federal Continuity Directives 1 Oct 12 and 2 Jul 13, Federal Executive Branch National Continuity Program and Requirements. NIST Special Publication 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems, May 2010 DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 8, paragraph 8-101.g. and 8-302.c.
IA-02.03.01
1 Rule
Information Assurance - COOP Plan or Testing (Incomplete)
Low Severity
Failure to develop a COOP and test it periodically can result in the partial or total loss of operations and INFOSEC. A contingency plan is necessary to reduce mission impact in the event of system compromise or disaster. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, Paragraphs 15 & 32 NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: CP-2, CP-2(1) through CP-2(8), CP-4, CP-4(1) through CP-4(4), CP-6, CP-7, CP-9, MA-6 DoDI 8500.01, SUBJECT: Cybersecurity, March 14, 2014 , Enclosure 3, paragraph 3. DoDD 3020.26, SUBJECT: Department of Defense Continuity Programs, January 9, 2009 DoDI 3020.42, SUBJECT: Defense Continuity Plan Development, February 17, 2006 Implementation of DoD Continuity Strategy - Deputy Secretary of Defense, 25 May 07 National Security Presidential Directive (NSPD) 51 / Homeland Security Presidential Directive (HSPD) 20 - National Continuity Policy, 9 May 07 Federal Continuity Directives 1 Oct 12 and 2 Jul 13, Federal Executive Branch National Continuity Program and Requirements. NIST Special Publication 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems, May 2010 DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 8, paragraph 8-101.g. and 8-302.c.
IA-03.02.01
1 Rule
Information Assurance - System Security Incidents (Identifying, Reporting, and Handling)
Medium Severity
Failure to recognize, investigate and report information systems security incidents could result in the loss of confidentiality, integrity, and availability of the systems and its data. REFERENCES: CJCSM 6510.01B, CYBER INCIDENT HANDLING PROGRAM CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Appendix C NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: IR-1, IR-2, IR-3, IR-4, IR-5, IR-6, IR-7, IR-7(2), IR-8 DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014 , Encl 2, para 13.h.(1)-(5); Encl 3, para 18.g&h., 19.d. DOD Manual 5200.01, Volume 1, SUBJECT: DOD Information Security Program: Overview, Classification, and Declassification, Encl 2, para 9.g., 11.c, 12.b.; Encl 3, para 7.b.(8), 17.a., 17.c.,; Glossary pg 76, activity SM DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information, Encl 6 (In its entirety - with emphasis on para 5.f.); Appendix 1 to Encl 6; Encl 7, para 5. DODI 5200.48 Controlled Unclassified Information (CUI) DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 1, Section 3, paragraphs: 1-303 & 1-304, Section 4, paragraph 1-401, Chapter 8, paragraphs 8-101.f. & 8-302.i. DOD Instruction 8510.01, SUBJECT: Risk Management Framework (RMF) for DOD Information Technology (IT), Encl 6, para 1.d. CNSSI 1001, National Instruction on Classified Information Spillage CNSSI 1010, 24X7 Computer Incident Response Capability (CIRC) on National Security Systems
IA-05.02.01
1 Rule
Information Assurance - System Access Control Records (DD Form 2875 or equivalent)
Medium Severity
If accurate records of authorized users are not maintained, then unauthorized personnel could have access to the system. Failure to have user sign an agreement may preclude disciplinary actions if user does not comply with security procedures. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, para 26.a. DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014 , Encl 2, para 13.j., 13.y.(1); Encl 3, para 10.c., 18.b., 19.c. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-3(3), AC-3(4), AC-3(5), AC-3(7), AC-2(7). DOD 8570.01-M, Information Assurance Workforce Improvement Program DODD 8140.01 Cyberspace Workforce Management DODI 8140.02 Identifying-Tracking and Reporting of Cyberspace Workforce Requirements DODM 8140.03 Cyberspace Workforce Qualification and Management System
IA-06.02.01
1 Rule
Information Assurance - System Training and Certification/ IA Personnel
Medium Severity
Improperly trained personnel can cause serious system-wide/network-wide problems that render a system/network unstable. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl A, para 11. DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014 , Encl 2, para 9.g., 13.k.(2); Encl 3, para 10. a-e NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AT-2, AT-3, CP-3, IR-2 DOD 8570.01-M, Information Assurance Workforce Improvement Program, Appendix 3 DODD 8140.01, Cyberspace Workforce Management, 11 Aug 15, paragraphs 3.c. and 9.j. DODI 8140.02 Identifying-Tracking and Reporting of Cyberspace Workforce Requirements DODM 8140.03 Cyberspace Workforce Qualification and Management System DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 8, paragraphs 8-103.a.(6) & 8-302.a.
IA-06.02.02
1 Rule
Information Assurance/Cybersecurity Training for System Users
Medium Severity
Improperly trained personnel can cause serious system-wide/network-wide problems that render a system/network unstable. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl A, para 11.a. DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014 , Encl 2, para 13.l.; Encl 3, para 10.c., 17.c., 19.c., 21.j. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AT-2, AT-3, CP-3, IR-2 DOD 8570.01-M, Information Assurance Workforce Improvement Program, paragraphs C.1.4.1.4,5.1., C.1.4.4.3., C.5.2.1.5., Table C.4.T.3. - M.I.6., Table C.4.T.5. - M.II.18.; Chapter 6 in its entirety for minimum user training requirements. DODD 8140.01, Cyberspace Workforce Management, 11 Aug 15, paragraph 9.b. DODI 8140.02 Identifying-Tracking and Reporting of Cyberspace Workforce Requirements DODM 8140.03 Cyberspace Workforce Qualification and Management System DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 8, paragraphs 8-101.c., 8-103.a., & 8-302.j.
IA-07.02.01
1 Rule
Information Assurance - Accreditation Documentation
Medium Severity
Failure to provide the proper documentation can lead to a system connecting without all proper safeguards in place, creating a threat to the networks. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl A, para 2.; Encl B, para 6.f.; Encl C, para 3, 6.d.(2), 20.e.(1)(a)&(b), 24.e and 18a . NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PM-1, PM-9, PM-10, AC-3 AC 3(1), AC 3(2), AC-20, RA-2 and CA-6 DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014 , Encl 3, para 2.a.(1), 9.a.(1)(c), 9.b.(13) DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information, Encl 4, para 8.a.; Encl 7, para 4.c. DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 8, Section 2. DOD Instruction 8510.01, SUBJECT: Risk Management Framework (RMF) for DOD Information Technology (IT), Encl 2, para 7.f & 7.g.; Encl 4, para 1.b.(2)(e); Encl 6, paragraphs 1.b.(1), 2., and 2.e.(4)(a)-(e). CJCSI 6211.02D, DEFENSE INFORMATION SYSTEMS NETWORK (DISN) RESPONSIBILITIES, para 7.1.; Encl B, para 2.b.(1), 2.c.(1), 2.f.; Encl C, para 2.a., 5.b., 6.b.(5), 6.c., 6.e.(4), 7.c.(2), 11.a.(3)(g)&(j); Encl D, para 2.b., 4.f.(5), 5.a.(5), 5.j.(1) 7.a, 8., and 12.a&b. CNSSP No.29, May 2013, National Secret Enclave Connection Policy DISN Connection Process Guide: http://disa.mil/network-services/enterprise-connections/connection-process-guide
IA-10.02.01
1 Rule
Information Assurance - KVM or A/B Switch not listed on the NIAP U.S. Government Approved Protection Products Compliance List (PCL) for Peripheral Sharing Switches
Medium Severity
Failure to use tested and approved switch boxes can result in the loss or compromise of classified information. REFERENCES: NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: SC-3 and SC-4 DISN Connection Process Guide: http://disa.mil/network-services/enterprise-connections/connection-process-guide NIAP Products Compliance List (PCL): https://www.niap-ccevs.org/index.cfm
IA-10.02.02
1 Rule
Information Assurance - KVM Switch (Port Separation) on CYBEX/Avocent 4 or 8 port
Medium Severity
The back plate of some 4 or 8 port CYBEX/AVOCENT KVM devices provides a physical connection between adjacent ports. Therefore failure to provide for physical port separation between SIPRNet (classified devices) and NIPRNet (unclassified devices) when using CYBEX/AVOCENT KVM devices can result in the loss or compromise of classified information. REFERENCES: NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: SC-3 and SC-4 DISN Connection Process Guide: http://disa.mil/network-services/enterprise-connections/connection-process-guide NIAP Products Compliance List (PCL): https://www.niap-ccevs.org/index.cfm
IA-10.02.03
1 Rule
Information Assurance - KVM Switch Use of Hot-Keys on SIPRNet Connected Devices
Medium Severity
Use of "Hot Keys" for switching between devices relies on use of software to separate and switch between the devices. Unless software use involves an approved Cross Domain Solution (CDS) it can result in the loss or compromise of classified information from low side devices to those devices on the high side. Only physical switching between devices can assure that information will not be exchanged. REFERENCES: NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: SC-3 and SC-4 DISN Connection Process Guide: http://disa.mil/network-services/enterprise-connections/connection-process-guide NIAP Products Compliance List (PCL): https://www.niap-ccevs.org/index.cfm
IA-10.03.01
1 Rule
Information Assurance - Authorizing Official (AO) and DoDIN Connection Approval Office (CAO) Approval Documentation for use of KVM and A/B switches for Sharing of Classified and Unclassified Peripheral Devices
Low Severity
Failure to request approval for connection of existing or additional KVM or A/B devices (switch boxes) for use in switching between classified (e.g., SIPRNet) devices and unclassified devices (e.g., NIPRNet) from both the Authorizing Official (AO) and the DODIN Connection Approval Office could result in unapproved devices being used or approved devices being used or configured in an unapproved manner, thereby increasing the risk for the DODIN. REFERENCES: NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: SC-3 and SC-4 DISN Connection Process Guide: http://disa.mil/network-services/enterprise-connections/connection-process-guide NIAP Products Compliance List (PCL): https://www.niap-ccevs.org/index.cfm
IA-11.01.01
1 Rule
Information Assurance - Classified Portable Electronic Devices (PEDs) Connected to the SIPRNet must be Authorized, Compliant with NSA Guidelines, and be Configured for Data at Rest (DAR) Protection
High Severity
Finding unauthorized and/or improperly configured wireless devices (PEDs) connected to and/or operating on the SIPRNet is a security incident and could directly result in the loss or compromise of classified or sensitive information either intentionally or accidentally. An assessment of risk in accordance with the Risk Management Framework (RMF) along with Certification and Accreditation and an Authorization to Operate (ATO) must be accomplished and documented prior to connecting NSA approved classified PED solutions on a classified network such as SIPRNet or using PEDs within a classified enclave. A key requirement is that classified PEDs used to store classified data must comply with either the NSA Data At Rest (DAR) Capability Package and associated Risk Assessment or achieve NSA approval as a Tailored Solution for protection of data at rest. Handling procedures should include guidance provided in NSA risk assessments and may involve two layers of National Information Assurance Partnership (NIAP)-approved DAR protection, shipping/storage in accordance with Reference (a), and programmed data wiping or certificate revocation. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, paragraphs 21.i. and 22. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-18, AC-18(1), AC-18(2), AC-18(3), AC-18(4) and AC-19 CNSSP No.29, May 2013, National Secret Enclave Connection Policy CNSSP No. 17, January 2014, Policy on Wireless Systems DISN Connection Process Guide: http://disa.mil/network-services/enterprise-connections/connection-process-guide Wireless STIG Mobility Policy Manual STIG DoDD 8100.02, Use of Commercial Wireless Devices, Services, and Technologies in the Department of Defense (DoD) Global Information Grid (GIG), paragraph 4.1.3. CNSSI 1400, National Instruction on the use of Mobile Devices within Secure Spaces Joint USD(I) and DoD CIO Memorandum, dated 25, Sep 2015, SUBJECT: Security and Operational Guidance for Classified Portable Electronic Devices NSA "Mobile Access Capability Package vl .0," April 2, 2015 or later NSA "Mobile Access Risk Assessment vi .0," March 27, 2015 or later DoD Instruction 8510.01, "Risk Management Framework (RMF) for DoD Information Technology (IT)," March 12, 2014 NSA "Commercial Solutions for Classified (CSfC) Incident Reporting Guidelines vl .0," June 18, 2014 or later NSA "Data at Rest Capability Package v 2.0," April 2, 2015 or later NSA "Data at Rest Risk Assessment v2.0," April 7, 2015 or later DoD Instruction 8420.01, Commercial Wireless Local Area Network (WLAN) Devices, Systems, and Technologies, 3 November 2017, Paragraphs 1.2.h., and 3.8.d.
IA-11.02.01
1 Rule
Information Assurance - Unauthorized Wireless Devices - Portable Electronic Devices (PEDs) Used in Classified Processing Areas without Certified TEMPEST Technical Authority (CTTA) Review and Authorizing Official (AO) Approval.
Medium Severity
Allowing wireless devices in the vicinity of classified processing or discussion could directly result in the loss or compromise of classified or sensitive information either intentionally or accidentally. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, paragraphs 21.i(3). and 22. CNSS Directive No. 510, 20 November 2017, Directive on the Use of Mobile Devices Within Secure Spaces NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-18, AC-18(1), AC-18(2), AC-18(3), AC-18(4) and AC-19 CNSSP No.29, May 2013, National Secret Enclave Connection Policy CNSSP No. 17, January 2014, Policy on Wireless Systems DISN Connection Process Guide: http://disa.mil/network-services/enterprise-connections/connection-process-guide Wireless STIG Mobility Policy Manual STIG DoDD 8100.02, Use of Commercial Wireless Devices, Services, and Technologies in the Department of Defense (DoD) Global Information Grid (GIG), paragraphs 4.2. and 4.3 CNSSI 1400, National Instruction on the use of Mobile Devices within Secure Spaces Joint USD(I) and DoD CIO Memorandum, dated 25, Sep 2015, SUBJECT: Security and Operational Guidance for Classified Portable Electronic Devices
IA-11.03.01
1 Rule
Information Assurance - Unauthorized Wireless Devices - No Formal Policy and/or Warning Signs
Low Severity
Not having a wireless policy and/or warning signs at entrances could result in the unauthorized introduction of wireless devices into classified processing areas. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, paragraphs 21.i(3). and 22. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-18, AC-18(1), AC-18(2), AC-18(3), AC-18(4) and AC-19 CNSSP No.29, May 2013, National Secret Enclave Connection Policy CNSSP No. 17, January 2014, Policy on Wireless Systems DISN Connection Process Guide: http://disa.mil/network-services/enterprise-connections/connection-process-guide Wireless STIG Mobility Policy Manual STIG DoDD 8100.02, Use of Commercial Wireless Devices, Services, and Technologies in the Department of Defense (DoD) Global Information Grid (GIG), paragraphs 4.2. and 4.3 CNSSI 1400, National Instruction on the use of Mobile Devices within Secure Spaces Joint USD(I) and DoD CIO Memorandum, dated 25, Sep 2015, SUBJECT: Security and Operational Guidance for Classified Portable Electronic Devices
IA-12.01.01
1 Rule
Information Assurance - Network Connections - Physical Protection of Network Devices such as Routers, Switches and Hubs (Connected to SIPRNet or Other Classified Networks or Systems Being Inspected)
High Severity
SIPRNet or other classified network connections that are not properly protected in their physical environment are highly vulnerable to unauthorized access, resulting in the probable loss or compromise of classified or sensitive information. REFERENCES: Network Infrastructure Security Technical Implementation Guide (STIG) Access Control in Support of Information Systems Security STIG (Access Control STIG) CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, paragraph 34.c. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-5, SC-7 (14)&(15), SC-8, SC-14, SC-32, PE-2(1), PE-3(1) & (4), PE-4 & PE-18 DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 3, Appendix to Encl 3, and Encl 7 DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 8, paragraph 8-302.b. Physical and Environmental Protection. DoD Instruction 8510.01, SUBJECT: Risk Management Framework (RMF) for DoD Information Technology (IT) DoD Instruction 8500.01, SUBJECT: Cybersecurity CJCSI 6211.02D, DEFENSE INFORMATION SYSTEMS NETWORK (DISN) RESPONSIBILITIES, CNSSP No.29, May 2013, National Secret Enclave Connection Policy
IA-12.01.02
1 Rule
Information Assurance - Network Connections - Wall Jack Security on Classified Networks (SIPRNet or other Inspected Classified Network or System) Where Port Authentication Using IEEE 802.1X IS NOT Implemented
High Severity
Following is a summary of the primary requirement to use the IEEE 802.1X authentication protocol to secure SIPRNet ports (AKA: wall jacks) , which is covered in the Network STIG: 802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server. The supplicant is a client device (such as a laptop) that wishes to attach to the LAN/WLAN. The term 'supplicant' is also used interchangeably to refer to the software running on the client that provides credentials to the authenticator. The authenticator is a network device, such as an Ethernet switch or wireless access point; and the authentication server is typically a host running software supporting the RADIUS and EAP protocols. In some cases, the authentication server software may be running on the authenticator hardware. The authenticator acts like a security guard to a protected network. The supplicant (i.e., client device) is not allowed access through the authenticator to the protected side of the network until the supplicant's identity has been validated and authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as user name/password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the authentication server determines the credentials are valid, the supplicant (client device) is allowed to access resources located on the protected side of the network. The requirements in this Traditional Security STIG rule serve as physical security mitigations for the lack of proper SIPRNet port security using IEEE 802.1X. It is in essence a supplement to the Network STIG and provides the details for required mitigations. Network connections that are not properly protected are highly vulnerable to unauthorized access, resulting in the loss or compromise of classified or sensitive information. REFERENCES: Network Infrastructure Security Technical Implementation Guide (STIG) Access Control in Support of Information Systems Security STIG (Access Control STIG) CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, paragraph 34.c. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: SC-8, PE-4 & PE-18 DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information, Encl 3, Appendix to Encl 3, and Encl 7 DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 8 DOD Instruction 8510.01, SUBJECT: Risk Management Framework (RMF) for DOD Information Technology (IT) DOD Instruction 8500.01, SUBJECT: Cybersecurity CJCSI 6211.02D, DEFENSE INFORMATION SYSTEMS NETWORK (DISN) RESPONSIBILITIES CNSSP No.29, May 2013, National Secret Enclave Connection Policy
IA-12.02.01
1 Rule
Information Assurance - Network Connections - Physical Protection of Unclassified (NIPRNet) Network Devices such as Routers, Switches and Hubs
Medium Severity
Unclassified (NIPRNet) network connections that are not properly protected in their physical environment are highly vulnerable to unauthorized access, resulting in the probable loss or compromise of sensitive information such as personally identifiable information (PII) or For Official Use Only (FOUO). REFERENCES: Network Infrastructure Security Technical Implementation Guide (STIG) Access Control in Support of Information Systems Security STIG (Access Control STIG) CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, paragraph 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-5, SC-7 (14)&(15), SC-8, SC-14, SC-32, PE-2(1), PE-3(1) & (4), PE-4 & PE-18 DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information, Encl 7 DODI 5200.48 Controlled Unclassified Information (CUI) DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 8, paragraph 8-302.b. Physical and Environmental Protection. DOD Instruction 8510.01, SUBJECT: Risk Management Framework (RMF) for DOD Information Technology (IT) DOD Instruction 8500.01, SUBJECT: Cybersecurity CJCSI 6211.02D, DEFENSE INFORMATION SYSTEMS NETWORK (DISN) RESPONSIBILITIES
ID-01.02.01
1 Rule
Industrial Security - DD Form 254
Medium Severity
Failure to complete a DD Form 254 (Contract Security Classification Specification) or to specify security clearance and/or IT requirements for all contracts that require access to classified material can result in unauthorized personnel having access to classified material or mission failure if personnel are not authorized the proper access. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl A, Para 11, Encl B, para 4.h & 4.i., Encl C, para 5. (a, b & c), Encl C, para 26.g. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-2, PE-2(1), PE-3, PE-8, , PS-3(1), PS-6(2), PS-7 DOD Manual 5200.01, Volume 4, SUBJECT: DOD Information Security Program: Controlled Unclassified Information (CUI), Encl 3, para 1.e. DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information, Encl 2, para 18.i. DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 8, paragraph 8-302.a., b., g.& j, and paragraph 8-303.a and b. DOD Manual 5200.48 Controlled Unclassified Information (CUI) DOD Manual 5220.22, Volume 2, National Industrial Security Program: Industrial Security Procedures for Government Activities, 1 August 2018, Section 3, paragraph 3.4.a. and Section 6. DOD Instruction 8510.01, SUBJECT: Risk Management Framework (RMF) for DOD Information Technology (IT): Encl 2, para 7.l., Encl 3, para 3.b.(3), Encl 6, para 1.b.(5)(a)&(c)&(d) and para 2.c(c). DOD Instruction 8500.01, SUBJECT: Cybersecurity: Encl 2, para 13.i., j & l. and Encl 3, para 7.f., k., & l, para 9.b(4) and para 10.d. CJCSI 6211.02D, DEFENSE INFORMATION SYSTEMS NETWORK (DISN) RESPONSIBILITIES, Encl B, para 2.c.(7) and para 7., Encl C, para 6.b(7)(a) &(b), Encl D, para 2.j. DOD 8570.01-M, Information Assurance Workforce Improvement Program, paragraphs: C1.4.4.5, C1.4.4.12., C2.3.9., C3.2.4.4., C3.2.4.8., C3.2.4.8.1., C4.2.3.7.1., C7.3.4., C10.2.3.7.1., C11.2.4.7.1.
ID-02.03.01
1 Rule
Industrial Security - Contractor Visit Authorization Letters (VALs)
Low Severity
Failure to require Visit Authorization Letters (VALs) for contractor visits could result in sensitive or classified materials being released to unauthorized personnel. REFERENCES: NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-2, PE-2(1), PE- 3, , PE-8, PS-3(1), PS-6(2) DOD Manual 5200.01, Volume 1, SUBJECT: DOD Information Security Program: Overview, Classification, and Declassification, Encl 2, para 9.k., 9.l. & 9.m. DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information, Encl 2, para 7.a. DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 6.
ID-03.02.01
1 Rule
Industrial Security - Contract Guard Vetting
Medium Severity
Failure to screen guards could result in employment of unsuitable personnel who are responsible for the safety and security of DOD personnel and facilities. REFERENCES: NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PS-2, PS-2(1), PS- 3 DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), 3 April 2017
IS-01.02.01
1 Rule
Information Security (INFOSEC) - Safe/Vault/Secure Room Management
Medium Severity
Lack of adequate or Improper procedures for management of safes/vaults and secure rooms could result in the loss or compromise of classified material. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, paragraphs 26.s.(5) and 34.c. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4 and PE-5 DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 2, para 9; Encl 3, para 1.b, 1.d., 6.b., 6.d., 7., 8., 9., 10., 11., 13., and 14. Information Security Oversight Office, 32 CFR Parts 2001 and 2003 Classified National Security Information; Final Rule: Subpart H - Standard Forms
IS-02.01.01
1 Rule
Information Security (INFOSEC) - Vault/Secure Room Storage Standards - Door Combination Lock Meeting Federal Specification FF-L-2740
High Severity
Failure to meet Physical Security storage standards could result in the undetected loss or compromise of classified material. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl A, paragraph 7.f.; Encl C, paragraph 10.a., and 10.b. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-3 and PE-5 DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information: Encl 3, para 1.d, 2., 3.a.(2), 3.b.(1), 6.a.(2), 7. and Appendix to Encl 3, para 1.b.(3). Information Security Oversight Office, 32 CFR Parts 2001 and 2003 Classified National Security Information DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, paragraphs 5-303., 5-306., 5-307.c., 5-310., 5-312., 5-313., 5-314. & Section 8, Construction Requirements.
IS-02.01.02
1 Rule
Information Security (INFOSEC) - Secure Room Storage Standards - Door Construction
High Severity
Failure to meet construction standards could result in the undetected loss or compromise of classified material. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl A, paragraph 7.f.; Encl C, paragraph 10.a., and 10.b. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-3 and PE-5 DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Encl 3, para 1.b, 14.b. and Appendix to Encl 3, para 1.b.(3), 2.e.(4) and Glossary page 122, vault definition. Information Security Oversight Office, 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.53 Open storage areas, (b) Doors. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 8, Construction Requirements.
IS-02.01.03
1 Rule
Information Security (INFOSEC) - Secure Room Storage Standards Wall and Ceiling Structural Integrity (AKA: True Floor to True Ceiling Connection)
High Severity
Failure to meet standards for ensuring that there is structural integrity of the physical perimeter surrounding a secure room (AKA: collateral classified open storage area) IAW DoD Manual 5200.01, Volume 3, Enclosure 3 could result in the undetected loss or compromise of classified material. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 24.j. and 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-3 and PE-5 DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Encl 3, para 1.b.(1). Information Security Oversight Office, 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.53 Open storage areas, (a) Construction. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 8, Construction Requirements.
IS-02.01.04
1 Rule
Information Security (INFOSEC) - Vault/Secure Room Storage Standards - Openings in Perimeter Exceeding 96 Square Inches
High Severity
Failure to meet standards for ensuring that there is structural integrity of the physical perimeter surrounding a vault or secure room (AKA: collateral classified open storage area) IAW DoD Manual 5200.01, Volume 3, Enclosure 3 could result in the undetected loss or compromise of classified material. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 24.j. and 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-3 and PE-5 DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Encl 3, para 1.b.(5). Information Security Oversight Office, 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.53 Open storage areas, (c) Vents, ducts, and miscellaneous openings. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 8, Construction Requirements, paragraph 5-801.h. Miscellaneous Openings.
IS-02.01.05
1 Rule
Information Security (INFOSEC) - Secure Room Storage Standards Windows - Accessible from the Ground Hardened Against Forced Entry and Shielded from Exterior Viewing of Classified Materials Contained within the Area.
High Severity
Failure to meet standards for ensuring that there is structural integrity of the physical perimeter surrounding a secure room (AKA: collateral classified open storage area) IAW DoD Manual 5200.01, Volume 3 could result in the undetected loss or compromise of classified material. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 24.j. and 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-3, PE-5 and PE-6 DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Encl 3, para 1.b.(4)(a) & (b). Information Security Oversight Office, 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.53 Open storage areas, (d) Windows (1) and (2). DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 8, Construction Requirements, paragraph 5-801.c. Windows.
IS-02.01.06
1 Rule
Information Security (INFOSEC) - Vault Storage/Construction Standards
High Severity
Failure to meet standards IAW the DOD Manual 5200.01, Volume 3, Appendix to Enclosure 3, for ensuring that there is required structural integrity of the physical perimeter surrounding a classified storage vault could result in the undetected loss or compromise of classified material. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 24.j. and 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-3 and PE-5 DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information: Appendix to Encl 3, para 1.a.(1) & (2). The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.43 Storage, (2) Secret. DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 8, Construction Requirements, paragraph 5-802. Construction required for Vaults.
IS-02.01.07
1 Rule
Information Security (INFOSEC) - Secure Room Storage Standards - Intrusion Detection System (IDS)
High Severity
Failure to meet standards for maintenance and validation of structural integrity of the physical perimeter surrounding a secure room (AKA: collateral classified open storage area) IAW DoD Manual 5200.01, Volume 3, could result in the undetected loss or compromise of classified material. Using a physical intrusion detection system enables immediate detection of attempted and/or actual intrusion into a secure room space. This is often the best supplemental protective measure (vice using 4-hour random checks) due to providing capability for immediate detection, and for immediate response to assess and counter the threat to the secure room space. Use of 4-hour checks may be adequate if supported by a risk assessment, but will not provide the immediate detection and response capability of a properly installed IDS. It is required that a risk assessment be conducted to determine which of these two intrusion detection methods (use of IDS OR 4-hour random checks) is appropriate for any particular location. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 24.j. and 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-3, PE-5 and PE-6 DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Encl 3, paragraphs 3.a.(3), 3.b.(1), 3.b.(3)(a)&(b) and paragraph 4. The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.43 Storage, (2) Secret. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 3; paragraphs 5-306.b., 5-307.a., 5-307.b. & Section 9; paragraphs 5-900 and 5-904.
IS-02.01.08
1 Rule
Information Security (INFOSEC) - Secure Room Storage Standards - Balanced Magnetic Switch (BMS) on Perimeter Doors
High Severity
Failure to meet standards for ensuring that there is structural integrity of the physical perimeter surrounding a secure room (AKA: collateral classified open storage area) IAW DoD Manual 5200.01, Volume 3 could result in the undetected loss or compromise of classified material. When a physical Intrusion Detection System (IDS) is used as the supplemental protection measure (in lieu of 4-hour random checks) for secure rooms there is a requirement to place a Balanced Magnetic Switch (BMS) alarm contact on the primary ingress/egress door and any secondary/emergency exit doors. This alarm sensor is an essential part of any properly installed IDS and ensures that doors opened by force or that are left open are immediately detected. A BMS (AKA: triple biased alarm contact) is the most difficult door alarm contact to defeat and must be used in lieu of dual biased or simple alarm contacts. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 24.j. and 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-3, PE-5 and PE-6 DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Enclosure 3, paragraph 2.e.(4). The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.43 Storage, (2) Secret. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 9. Intrusion Detection Systems.
IS-02.01.09
1 Rule
Information Security (INFOSEC) - Secure Room Storage Standards - Interior Motion Detection
High Severity
Failure to meet standards for ensuring that there is structural integrity of the physical perimeter surrounding a secure room (AKA: collateral classified open storage area) IAW DoD Manual 5200.01, Volume 3 could result in the undetected loss or compromise of classified material. Motion detection located interior to secure rooms provides the most complete/overarching coverage of any Intrusion Detection System (IDS) alarm sensor. While most sensors like BMS alarm contacts, glass break detectors, etc. are only able to detect potential intrusion at specific locations, use of motion detection provides a capability to protect large areas with "blanket coverage" generally using fewer sensors. Principles and considerations for "ideal" employment of motion sensors are: - Consolidate critical assets in specific areas versus throughout a large room or facility. For instance rather than having classified servers and equipment in multiple locations in a five-story facility (entirely designated for classified open storage) consolidate classified assets on a single floor or even an area on that floor. That might allow for reducing the space designated as classified open storage (AKA: secure room) and reduce costs and simplify protection of assets. - Conversely some would argue that dispersing assets over a larger area enhances security by not putting all critical assets in one place. This is true to an extent - especially if we are considering redundant assets for COOP / disaster recovery but most often the reason for dispersing classified assets over large comes down to lack of foresight and planning. - Cover avenues of approach in layers so you can detect initial breeches of secured space and subsequent movement within. This approach is actually very good if you have a timely response force available and you are protecting a large facility. - Cover perimeter access points such as doors, windows, and openings greater than 96 sq. inches. Use of point sensors (BMS, vibration, etc., are probably best in these situations but supplementation by motion can be extremely effective. - Cover areas that cannot be directly observed by employees from within or directly outside the protected space. For instance in a secure room/area this might include areas above suspended ceilings, below raised floors, behind major pieces of equipment or other things that cause significant obstruction of visual observation (especially along avenues of approach or along perimeter walls). - Cover large open areas by careful placement of motion detection. Combinations of 360-degree and wall-mounted detectors considering equipment racks, walls, avenues of approach, etc. can effectively cover larger areas with fewer sensors. - Complete coverage of large areas and all avenues of approach is ideal but often funds are limited and sensors cannot be employed to provide blanket coverage. In such instances there are two approaches that can be used: * One is to cover the most critical assets directly (e.g., classified DoDIN servers, routers, DASD and other major IT technology). * Second approach is to conduct an assessment of the space to determine the most effective employment of limited sensors considering both avenues of approach and the actual location of critical assets in the space. NOTE: The second approach can be incorporated under the process of conducting a risk assessment and in conjunction with a determination and approval of security-in-depth countermeasures from the Senior Agency Official (SAO). This risk-based approach is based directly on requirements from the DoD Manual 5200.01, V3 and is in line with the current direction DoD is taking with regard to management of risk. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 24.j. and 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-3, PE-5 and PE-6 DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Enclosure 3, paragraph 1.b.(4)(a) and 2.e.(3) & (5). The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.43 Storage, (2) Secret. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 9. Intrusion Detection Systems.
IS-02.01.10
1 Rule
Information Security (INFOSEC) - Secure Room Storage Standards - Four (4) Hour Random Checks in Lieu of Using Intrusion Detection System (IDS)
High Severity
Failure to meet standards for ensuring that there is structural integrity of the physical perimeter surrounding a secure room (AKA: collateral classified open storage area) IAW DoD Manual 5200.01, Volume 3 could result in the undetected loss or compromise of classified material. Using a physical intrusion detection system enables immediate detection of attempted and/or actual intrusion into a secure room space. This is often the best supplemental protective measure (vice using 4-hour random checks) due to providing capability for immediate detection, and for immediate response to assess and counter the threat to the secure room space. Use of 4-hour checks may be adequate if supported by a risk assessment, but will not provide the immediate detection and response capability of a properly installed IDS. It is required that a risk assessment be conducted to determine which of the two intrusion detection methods (use of IDS OR 4-hour random checks) is appropriate for any particular location. If the risk assessment results in a determination that use of 4-hour random checks is the most cost efficient supplemental control (vice IDS) to protect SIPRNet assets contained in secure rooms, the manner in which the checks are conducted can greatly impact the effectiveness of the checks. Thorough physical checks conducted on a frequent basis can reduce the time between an attempted or actual intrusion and time of discovery - during random checks. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 24.j. and 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-3, PE-5 and PE-6 DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Enclosure 3, paragraph 3.b.(3)(a) and 4. The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: Subpart E - Safeguarding. paragraph 2001.40 General. (b) and paragraph 2001.43 Storage, (2) Secret. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, paragraph 5-306. Closed Areas.; paragraph 5-307 Supplemental Protection. b. & c.; *paragraphs 8-102., 8-201. & 8-301.e. (*for risk assessment requirements)
IS-02.01.11
1 Rule
Vault/Secure Room Storage Standards - IDS Transmission Line Security
High Severity
Failure to meet standards for ensuring integrity of the intrusion detection system signal transmission supporting a secure room (AKA: collateral classified open storage area) containing SIPRNet assets could result in the undetected loss or compromise of classified material. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-3, PE-5 and PE-6 DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Enclosure 3, paragraph 2.d.(1) and (2). DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, paragraph 5-904.
IS-02.01.12
1 Rule
Vault/Secure Room Storage Standards - IDS Access/Secure Control Units Must be Located within the Secure Room Space
High Severity
Failure to ensure that IDS Access and Secure Control Units used to activate and deactivate alarms (primarily motion detectors) within vaults or secure rooms protecting SIPRNet assets are not located within the confines of the vault or secure room near the primary ingress/egress door could result in the observation of the access/secure code by an unauthorized person. Further the control units would be more exposed with a greater possibility of tampering outside the more highly protected space of a secure room/collateral classified open storage area. This could result in the undetected breach of secure room space and the loss or compromise of classified information or materials. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-3, PE-5 and PE-6 DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Enclosure 3, paragraph 2.e.(2). DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, paragraph 5-902.d.
IS-02.01.13
1 Rule
Information Security (IS) - Continuous Operations Facility: Access Control Monitoring Methods
High Severity
Failure to control door access to a Continuous Operations Facility containing classified SIPRNET assets may result in immediate and potentially undetected access to classified information, with no capability to immediately alert response forces. Ultimately this could result in the undetected loss or compromise of classified material. USE CASE EXPLANATION: A Continuous Operations Facility functions 24/7 and contains classified SIPRNet equipment and/or media. It often does not meet all the physical and/or procedural requirements of a vault or secure room (AKA: collateral classified open storage area) and the classified equipment and/or media may not be stored in an approved safe when not in use. Examples of such facilities are Emergency Operations Centers (EOC), Information System Monitoring Centers, Trouble Desk Centers, etc. All standards for access control monitoring for Continuous Operations Facilities are found in the DoD Manual 5200.01, V3 and this STIG Requirement/Rule provides additional clarification and implementation standards for all Continuous Operations Facilities containing SIPRNet assets. Continuous Operations Facilities are not routinely closed and secured after normal business hours and reopened at the beginning of normal workdays. A CONTINUOUS OPERATIONS FACILITY MUST BE CONTINUOUSLY OCCUPIED at all times, OR IT MUST MEET ALL PHYSICAL STRUCTURAL AND PROCEDURAL STANDARDS FOR A SECURE ROOM AND BE SECURED (*using an approved FF-L-2740 combination lock) DURING PERIODS WHEN IT IS NOT OCCUPIED. It is not necessary to activate the supplemental controls (IDS or 4-hour checks) when securing the facility using the FF-L-2740 lock during working hours. However, this must be done if the facility is formally closed at any time and will include End-of-Day (EOD) checks. A "facility" can be a single room or a larger contiguous area, often (but not always) without Federal Specification FF-L-2740 combination locks on the primary access door. Continuous Operations area access control procedures must meet the requirements herein even where the surrounding area is continuously occupied. Continuous Operations (again - continuous occupancy) minimizes or eliminates the need for/use of certain security measures such as FF-L-2740 combination locks, standard door locks, IDS, 4-hour guard checks, etc. Where there is a Continuous Operations Facility there should be demonstrated mission need for continuous occupation of the "specific" room or area containing the classified SIPRNet assets. A justification that the surrounding building or facility is continuously occupied is not acceptable. If this is observed, reviewers should consider the possibility that the stated requirement for a Continuous Operations Facility is being used to cover deficiencies with what should legitimately be established as a secure room or vault. In such cases the use of Traditional Security STIG Requirements and applicable physical and procedural standards for vaults and/or secure rooms may be more appropriate, resulting in findings under those Requirements. A Continuous Operations Facility containing classified materials is most appropriate when it is continuously occupied by properly cleared employees (or others with security clearance and a need-to-know) who are capable of controlling or monitoring ingress and egress from within the area. This provides the most legitimate justification for using a Continuous Operations Facility vice using a properly constructed and access controlled vault or secure room (AKA: collateral classified open storage area). Convenience and ease of access is not proper justification for a Continuous Operations Facility. Continuous Operations Facility door control may be accomplished multiple ways. There are five main types of access control methods listed below. One or more of the five methods may apply to any facility. Each access point must comply with one or more of the methods of access control for 24 hours of each operational day. Any deficiency for any facility access point (even for a portion of the day for an access point) will result in a finding under this STIG rule. All Continuous Operations Facilities access points should be checked for proper access control according to the type of access control method(s) implemented. Direct access control monitoring for both occupied and unoccupied Continuous Operations Facilities is conducted by: cleared employees, guards or receptionists located inside the area or directly outside the area. A properly configured Automated Entry Control System (AECS) or continuously monitored Closed Circuit Television (CCTV) are the only options for indirect monitoring of Continuous Operations Facilities. The five basic methods for controlling access to Continuous Operations Facilities are: 1. Method #1: Use of an Automated Entry Control System (AECS) Card Reader with Biometrics or Personal Identification Number (PIN) 2. Method #2: Access Continually Monitored by Occupants (Cleared Employees) of the Continuous Operations Facility - all doors NOT visible 3. Method #3: Access Monitored by Occupants (Cleared Employees) of the Continuous Operations Facility - all doors are visible 4. Method #4: Access Monitored by Employees Directly Outside the Open Storage Space - all doors MUST BE visible 5. Method #5: Access Monitored by Closed Circuit Television (CCTV) reporting to a Central Monitoring Station Staffed 24/7 by cleared Guards or Other cleared Security Professionals - each individual door MUST HAVE a CCTV camera(s) Normally only one method of access control will be applicable to a specific Continuous Operations Facility; however, there may be situations where more than one approved method is being used at a single facility. For instance an Automated Entry Control System (AECS) with card reader and PIN may be used to secure the access door while there are also employees located inside the room who can monitor and control access. In situations where multiple methods are found, reviewers need only choose one of the five to evaluate compliance and its effectiveness of access control to the Continuous Operations Facility. If one of the methods is found to be totally compliant while others in use contain deficiencies, the method that is 100% compliant should be selected for use during the review. In the example just provided, if the room is only occupied by one employee who is monitoring access and during breaks or for other reasons exits the room for periods of time this would cause a significant deficient condition since the access door is not continuously monitored by the employee. Therefore using the AECS as the method to evaluate access control for the Continuous Operations Facility would likely be selected since it appears to be (and for this example we will assume) 100% compliant. There is also a possibility that multiple Continuous Operations Facilities could be found at a particular site location (even in the same building) that are using different methods to control access. Once again, multiple methods of access control from the list of five could be selected for the evaluation, based on the access control methods actually being used for the various 24/7Continuous Operations Facilities. Once the applicable Continuous Operations Facility access control methods that apply to each of the Continuous Operations Facilities at the site are selected, the site must comply with all of the individual checks for the selected method(s). Specific checks for requirements associated with a method of access control are found in the Check Content information field. If there is no Continuous Operations Facility at a particular site this Requirement is Not Applicable (NA) for a review. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.43 Storage, (2) Secret. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 24.j. and 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-2, PE-3, PE-5 and PE-6 DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Specific paragraph references are individually annotated with each specific check - under the "Checks" section. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, paragraphs 5-306, 5-312, 5-313, 5-314
IS-02.01.14
1 Rule
Vault/Secure Room Storage Standards - Access Control During Working Hours Using Visual Control OR Automated Entry Control System (AECS) with PIN / Biometrics
High Severity
Failure to properly monitor and control collateral classified open storage area access doors during working hours (while the FF-L-2740 combination lock is not secured) could result in an undetected perimeter breach and limited or no capability to immediately notify response forces. Ultimately this could result in the undetected loss or compromise of classified material. Entrances to secure rooms or areas (and/or vaults that are opened for access) must be under visual control at all times during duty hours to prevent entry by unauthorized personnel . This may be accomplished by several methods (e.g., employee work station, guard, continuously monitored CCTV). An automated entry control system (AECS) may be used to control admittance during working hours instead of visual control, if it meets certain criteria * and if the room or area is continuously occupied by at least one properly cleared person. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.43 Storage, (2) Secret. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 24.j. and 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-2, PE-3, PE-5 and PE-6 DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Enclosure 3, paragraph 12 and Appendix to Enclosure 3, paragraphs 3.a. and 3.c. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, paragraphs 5-306, 5-312, 5-313, 5-314
IS-02.01.15
1 Rule
Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) and Intrusion Detection System (IDS) Head-End Equipment Protection: The physical location (room or area) containing AECS and IDS head-end equipment (server and/or work station/monitoring equipment) where authorization, personal identification or verification data is input, stored, or recorded and/or where system status/alarms are monitored must be physically protected.
High Severity
Inadequate physical protection of Intrusion Detection System or Automated Entry Control System servers, data base storage drives, or monitoring work stations could result in unauthorized access to core system devices providing protection for classified vaults, secure rooms and collateral classified open storage areas. This could result in the loss of confidentiality, integrity or availability of system functionality or data. The impact of this would be possible undetected and unauthorized access to classified processing spaces; resulting in the loss or compromise of classified information or sensitive information such as personal data (PII) of persons issued access control cards or badges. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.43 Storage, (2) Secret. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 24.j. and 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-1, PE-2, PE-3, PE-6, PE-8 and PE-9. DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Enclosure 3, paragraphs 2.f.(2), 3.a(5). and 3.a.(6). DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, paragraphs 5-313. e. and 5-313 h.
IS-02.02.01
1 Rule
Information Security (INFOSEC) - Secure Room Storage Standards - Structural Integrity Checks
Medium Severity
Failure to ensure that there is structural integrity of the physical perimeter surrounding a secure room (AKA: collateral classified open storage area) IAW DOD Manual 5200.01, Volume 3 could result in the undetected loss or compromise of classified material. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 24.j. and 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-3.(1) & (2), PE-6 (4). DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information: Glossary, Part II, Definitions: Security-in-Depth DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, paragraphs 5-306.a & 8-302.b. Physical and Environmental Protection.
IS-02.02.02
1 Rule
Vault/Secure Room Storage Standards - IDS Performance Verification
Medium Severity
Failure to test IDS functionality on a periodic basis could result in undetected alarm sensor or other system failure. This in-turn could result in an undetected intrusion into a secure room (AKA: collateral classified open storage area) and the undetected loss or compromise of classified material. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.43 Storage, (2) Secret. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 24.j. and 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-5, PE-6(1), PE-8 and MA-6. DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Enclosure 3, paragraphs 2.c. and 2.e.(7). DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, paragraphs 5-901., 5-904. and 5-905. Testing and alarm verification procedures for specific sensors and other IDS equipment may be obtained from the Electronic Security Center (ESS), U.S. Army Engineering and Support Center, Huntsville, AL 35816: ESS Question? AskESSMCX@usace.army.mil
IS-02.02.03
1 Rule
Vault/Secure Room Storage Standards - Masking of IDS Sensors Displayed at the Intrusion Detection System (IDS) Monitoring Station
Medium Severity
Failure to meet standards for the display of masked alarm sensors at the IDS monitoring station could result in the location with masked or inactive sensors not being properly supervised. This could result in an undetected breach of a secure room perimeter and the undetected loss or compromise of classified material. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.43 Storage, (2) Secret. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-3, PE-5, PE-6(1) DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Enclosure 3, paragraphs 2d.(5) and (6). DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 9. Intrusion Detection Systems.
IS-02.02.04
1 Rule
Vault/Secure Room Storage Standards - IDS Alarm Monitoring Indicators, both audible and visual (Alarm Status) must be displayed for each sensor or alarmed zone at the monitoring station.
Medium Severity
Failure to meet standards for the display of audible and visual alarm indicators at the IDS monitoring station could result in an a sensor going into alarm state and not being immediately detected. This could result in an undetected or delayed discovery of a secure room perimeter breach and the loss or compromise of classified material. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.43 Storage, (2) Secret. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-3, PE-5, PE-6(1) DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Enclosure 3, paragraphs 2.b.(2)(b). DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 9. Intrusion Detection Systems.
IS-02.02.05
1 Rule
Vault/Secure Room Storage Standards - Intrusion Detection System (IDS) / Automated Entry Control System (AECS) Primary and Emergency Power Supply
Medium Severity
Failure to meet standards for ensuring that there is an adequate commercial and back-up power sources for IDS/AECS with uninterrupted failover to emergency power could result in a malfunction of the physical alarm and access control system. This could result in the undetected breach of classified open storage / secure rooms or vaults containing SIPRNet assets and undetected loss or compromise of classified material. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.43 Storage, (2) Secret. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-3, PE-5, PE-6(1) DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Enclosure 3, paragraphs 2.d.(7)(a) and (b). DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 9. Intrusion Detection Systems.
IS-02.02.06
1 Rule
Vault/Secure Room Storage Standards - Intrusion Detection System and Automated Entry Control System (IDS/AECS) Component Tamper Protection
Medium Severity
Failure to tamper protect IDS/AECS component enclosures and access points external to protected vaults/secure rooms space could result in the undetected modification or disabling of IDS/AECS system components. This could lead to the undetected breach of secure space containing SIPRNet assets and result in the undetected loss or compromise of classified information or materials. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.43 Storage, (2) Secret. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-3, PE-5, PE-6(1) DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Enclosure 3, paragraphs 2.d.(8 and 3.a.(5)(b). DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 9. Intrusion Detection Systems and Section 3. AECS paragraph 5-313.f.
IS-02.02.07
1 Rule
Vault/Secure Room Storage Standards - Primary IDS Monitoring Location Outside the Monitored Space
Medium Severity
Failure to locate the alarm monitoring station at an external location; at a safe distance from the space being monitored, to ensure that it is not involved in any surprise attack of the alarmed space could result in a perimeter breach and the loss or compromise of classified material with limited or no capability to immediately notify response forces. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.43 Storage, (2) Secret. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-3, PE-5, PE-6(1) DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Enclosure 3, paragraph 2.d.(6). DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 9. Intrusion Detection Systems, paragraphs 5-900 and 5-902.
IS-02.02.08
1 Rule
Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Records Maintenance, which includes documented procedures for granting and removal of access.
Medium Severity
Failure to document procedures for removal of access and inadequate maintenance of access records for both active and removed persons could result in unauthorized persons having unescorted access to vaults, secure rooms or collateral classified open storage areas where classified information is processed and stored. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.43 Storage, (2) Secret. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-1, PE-2, PE-3, PE-6 and PE-8. DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Enclosure 3, paragraph 3.a(4) and (7) DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, paragraph 5-313.i.
IS-02.02.09
1 Rule
Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Transmission Line Security: AECS Transmission lines traversing an uncontrolled area (not within at least a Secret Controlled Access Area (CAA) ) shall use line supervision OR Electrical, mechanical, or electromechanical access control devices, which do not constitute an AECS that are used to control access during duty hours must have all electrical components, that traverse outside minimally a Secret Controlled Access Area (CAA), secured within conduit.
Medium Severity
Persons not vetted to at least the same level of classification residing on the information systems being protected by the AECS or other access control system components could gain access to the unprotected transmission line and tamper with it to facilitate surreptitious access to the secure space. Proper line supervision and/or physical protection within conduit will enable detection of line tampering. Such failure to meet standards for line supervision and physical protection could result in the loss or compromise of classified material. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.43 Storage, (2) Secret. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-3, PE-4, and PE-6. DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Enclosure 3, paragraphs 3.a.(5)(d) and 3.c.(4). DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 3, paragraph 5-313. g. and h.
IS-02.02.10
1 Rule
Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Door Locks: Electric Strikes and/or Magnetic Locking devices used in access control systems shall be heavy duty, industrial grade and be configured to fail secure in the event of a total loss of power (primary and backup).
Medium Severity
There are a variety of locking mechanisms that may be used to secure both primary and secondary doors for vaults and classified open storage areas (secure rooms). While the primary access door is to be secured with an appropriate combination lock when closed; during working hours an AECS using electric strikes or magnetic locks, electrical, mechanical, or electromechanical access control devices, or standard keyed locks may be used to facilitate frequent access to the secured space by employees vetted for unescorted access. Where electrically actuated locks are used, locking mechanisms must be properly configured and controlled to ensure they fail only in a secure state during partial or total loss of power (primary and backup). Failure to provide for these considerations could result in the loss or compromise of classified material. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.43 Storage, (2) Secret. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-3, and PE-6. DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Enclosure 3, paragraph 3.a.(5)(e). DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 3, paragraphs 5-312, 5-313, and 5-314.
IS-02.02.11
1 Rule
Information Security (INFOSEC) - Secure Room Storage Standards - Perimeter Construction using Proper Permanent Construction Materials for True Ceiling, Walls and Floors.
Medium Severity
Failure to meet standards for ensuring that there is structural integrity of the physical Perimeter surrounding a secure room (AKA: collateral classified open storage area) could result in a lack of structural integrity and the undetected loss or compromise of classified material. Permanent construction materials; while not impenetrable, provide physical evidence of an attempted or actual intrusion into a secure room space. Construction materials and application techniques that are not permanent in nature can potentially be removed to allow for access to secure room space and then replaced by an intruder upon egress from the area. This effectively negates the detection capability afforded by permanent construction techniques and materials. Examples of non-permanent material would be modular walls that can be removed and replaced with ease or plywood board (or other materials) applied with screws or nails that can be removed from outside the secure room space and then replaced using common tools. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.53 Open storage areas. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-3, PE-3, PE-4, and PE-5. DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Enclosure 3, paragraphs 3.a.(3) and 3.b.(1), (2) &(3); Appendix to Enclosure 3, paragraph 1.b.(1), (2) & (5). DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 8, paragraph 5-801. b. Walls, f. Ceilings, g. Unusual Ceilings, & h. Openings.
IS-02.03.01
1 Rule
Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Keypad Device Protection: Keypad devices designed or installed in a manner that an unauthorized person in the immediate vicinity cannot observe the selection of input numbers.
Low Severity
If someone were to successfully observe an authorized user's selection of numbers for their PIN at an entrance to a classified storage area or unclassified but sensitive computer room it could result in an unauthorized person being able to use that same PIN to gain access. Where purely electronic (cipher type) locks are used without an access card or badge this could lead to direct access by an unauthorized person. Where coded AECS cards and badges are used the risk is diminished significantly as the coded badge associated with the PIN would need to be lost/stolen and subsequently recovered by someone with unauthorized knowledge of the PIN for them to be able to successfully gain access to the secured area. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.43 Storage, (2) Secret. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Control: PE-3. DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Appendix to Enclosure 3, paragraph 3.a.(5)(c). DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 3, paragraph 5-314.b.
IS-03.02.01
1 Rule
Marking Classified - Equipment, Documents or Media: In a classified operating environment, all unclassified items must be marked in addition to all classified items.
Medium Severity
Failure to properly mark classified material could result in the loss or compromise of classified information. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.23 Classification marking in the electronic environment. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure A, paragraph 6.a. and Enclosure C, paragraphs 21.h.(7) & 29.a. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-16 and MP-3. DoD Manual 5200.01, Volume 2, 24 February 2012, SUBJECT: DoD Information Security Program: Marking of Classified Information; Enclosure 2, paragraph 4.b. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 201, Chapter 4, Section 2, paragraphs 4-201, 4-202, 4-203 and Chapter 8, Section 3, paragraph 8-302.g.(1) Satisfies: Marking Classified - Equipment, Documents or Media
IS-03.03.01
1 Rule
Marking Classified - Local or Enclave Classified Marking Procedures must be developed to ensure employees are familiar with appropriate organization Security Classification Guides (SCG), how to obtain guidance for marking classified documents, media and equipment, and where associated forms, classified cover sheets, labels, stamps, wrapping material for classified shipment, etc. can be obtained.
Low Severity
Failure to properly mark classified material could result in the loss or compromise of classified information. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.23 Classification marking in the electronic environment. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 21.a. and 21.g.(1). NIST Special Publication 800-53 (SP 800-53), Rev 4, Control: MP-1, MP-3, & AC-16. DoD Manual 5200.01, Volume 1, 24 February 2012, SUBJECT: DoD Information Security Program: Overview, Classification, and Declassification; Enclosure 2, paragraph 9. DoD Manual 5200.01, Volume 2, 24 February 2012, SUBJECT: DoD Information Security Program: Marking of Classified Information; paragraph 5. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 201, Chapter 4, Section 2, and Chapter 8, Section 3, paragraphs 8-301.d. and 8-302.g.(1)
IS-04.03.01
1 Rule
Classified Working Papers are properly marked, destroyed when no longer needed, or treated as a finished document after 180 days.
Low Severity
Failure to properly mark or handle classified documents can lead to the loss or compromise of classified or sensitive information. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.24 Additional requirements, (d) Working papers and (m) Marking of electronic storage media. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure A, paragraph 6.a. and Enclosure C, paragraph 21.h.(7). NIST Special Publication 800-53 (SP 800-53), Rev 4, Control: MP-3 & PE-5(3). DoD Manual 5200.01, Volume 2, 24 February 2012, SUBJECT: DoD Information Security Program: Marking of Classified Information; Enclosure 3, paragraph 13 and figure 11. DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information; Enclosure 2, paragraph 13. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 4, Section 2, paragraph 4-214 and Chapter 5, Section 2, paragraph 5-203.b.
IS-05.01.01
1 Rule
Storage/Handling of Classified Documents, Media, Equipment - must be under continuous personal protection and control of an authorized (cleared) individual OR guarded or stored in an approved locked security container (safe), vault, secure room, collateral classified open storage area or SCIF.
High Severity
Failure to store classified in an approved container OR to properly protect classified when removed from storage can lead to the loss or compromise of classified or sensitive information. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: paragraph 2001.41 Responsibilities of holders. and 2001.43 Storage. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 15.b.(1), 21.d., 24.j., and 34.c. NIST Special Publication 800-53 (SP 800-53), Rev 4, Control: MP-4. DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information; Enclosure 2, paragraphs 2 & 8 and Enclosure 3, paragraph 3. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 8, Section 3, paragraphs 8-302.b. and g. Satisfies: Storage/Handling of Classified Documents, Media, Equipment
IS-06.03.01
1 Rule
Non-Disclosure Agreement - Standard Form 312: no person may have access to classified information unless that person has a security clearance in accordance with DODM 5200.02 and has signed a Standard Form (SF) 312, Classified Information Non-Disclosure Agreement (NDA), and access is essential to the accomplishment of a lawful and authorized Government function (i.e., has a need to know).
Low Severity
Failure to verify clearance and need-to-know and execute a nondisclosure agreement (NDA) before granting access to classified can result in unauthorized personnel having access to classified information. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: Subpart H-Standard Forms, § 2001.80 Prescribed standard forms.(d) Standard Forms. (2) SF 312, Classified Information Nondisclosure Agreement: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 11. NIST Special Publication 800-53 (SP 800-53), Rev 4, Control: PS-3., PS-6. & PS-6.(2). DOD Manual 5200.01, Volume 1, 24 February 2012, SUBJECT: DOD Information Security Program: Overview, Classification, and Declassification, Enclosure 3, paragraph 11.b.(1). DOD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DOD Information Security Program: Protection of Classified Information; Enclosure 2, paragraph 3. DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 3, Section 1, paragraph 3-106. DOD Manual 5200.02, Procedures for the DOD Personnel Security Program (PSP), 3 April 2017, paragraphs 4.10.g.(2)(b), 8.1.b., and 12.1.c. ISSO Notice 2022-01: Digital Signatures of Standard Form (SF) 312 Classified Nondisclosure Agreement dated May 9, 2022
IS-07.03.01
1 Rule
Handling of Classified Documents, Media, Equipment - Written Procedures and Training for when classified material/equipment is removed from a security container and/or secure room.
Low Severity
Failure to develop procedures and to train employees on protection of classified when removed from storage could lead to the loss or compromise of classified or sensitive information due to a lack of employee knowledge of requirements. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: Subpart G-Security Education and Training CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Control: MP-1. DoD Manual 5200.01, Volume 1, 24 February 2012, SUBJECT: DoD Information Security Program: Overview, Classification, and Declassification, Enclosure 2, paragraphs 9. c., d., f., j., & k. and 12.a. DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information; Enclosure 2, paragraphs 14 & 15; Enclosure 5, paragraphs 3.a.(2), 3.c.(2)(a) & (b), 3.d.(4), and 7.a. and Enclosure 7, paragraph 10. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5 and Chapter 8, Section 1, paragraph 8-103.a. Satisfies: Handling of Classified Documents, Media, Equipment - Written Procedures and Training
IS-07.03.02
1 Rule
Handling of Classified - Use of Cover Sheets on Documents Removed from Secure Storage
Low Severity
Failure to protect readable classified information printed from classified systems such as SIPRNet when removed from secure storage can lead to the loss or compromise of classified or sensitive information. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: Subpart H-Standard Forms § 2001.80 Prescribed standard forms. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Control: MP-1 and MP-5. DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information; Enclosure 2, paragraph 8. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, paragraph 4-210.a.
IS-08.01.01
1 Rule
Classified Monitors/Displays (Physical Control of Classified Monitors From Unauthorized Viewing)
High Severity
Failure to limit access to unauthorized personnel to information displayed on classified monitors/displays can result in the loss or compromise of classified information, including NOFORN information. REFERENCES: National Disclosure Policy - 1 (NDP-l) National Security Directive 42, "National Policy for the Security of National Security Telecommunications and Information Systems" DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information. Use guidance on sharing information with REL Partners on SIPRNET at http://www.ssc.smil.mil/ - follow Policy/Guidance&Documentation link and then SIPRNet Information Sharing... DODD 5230.20; Visits, Assignments, and Exchanges of Foreign Nationals CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl A, para 7.b.(1) & (2) and Encl C, para 27.f. and 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-5, PE-18, PS-3(1), PS-6, PS-6(2), MA-5 DoDI 8500.01, SUBJECT: Cybersecurity, March 14, 2014 , Enclosure 3, paragraph 11. DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), 3 April 2017, Section 6., paragraphs 6.1. and 6.2.b.&c. Originating DoD Manual 5200.01, Volume 1, SUBJECT: DoD Information Security Program: Overview, Classification, and Declassification, Encl 2, para 9.j.(1) and Encl 3, para 5.b., 7.b.(5), 12.e. DoD Manual 5200.01, Volume 2, 24 February 2012, SUBJECT: DoD Information Security Program: Marking of Classified Information; Enclosure 3, paragraph 18.a. DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 2, para 14.a & b.;Encl 3, para 5; Encl 4, para 2.c. ;Appendix to Encl 4, para 1.f. and Encl 7. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 8, Section 3, paragraphs 8-302.b.(1), 8-302.e., 8-302.g.(2), Chapter 10, Section 5 and definition of "Escort" on page C-3.
IS-08.01.02
1 Rule
Monitor Screens - Disable Access by CAC or Token Removal, or Lock Computer via Ctrl/Alt/Del
High Severity
The DoD Common Access Cards (CAC) a "smart" card, is the standard identification for active-duty military personnel, Selected Reserve, DoD civilian employees, and eligible contractor personnel. It is also the principal card used to enable physical access to buildings and controlled spaces, and it provides access to defense computer networks and systems. The card, which is the property of the U.S. Government, is required to be in the personal custody of the member at all times. System Access Tokens are also used on the SIPRNet and the cards along with a Personal identity Number (PIN) can be used to access classified information on the SIPRNet in lieu of a logon ID and password. CAC and SIPRNet tokens are very important components for providing both physical and logical access control to DISN assets and must therefore be strictly controlled. Physically co-locating REL Partners or other FN - who have limited access to the SIPRNet or other US Classified systems - near US personnel in a collateral classified (Secret or higher) open storage area or in a Secret or higher Controlled Access Area (CAA) that processes classified material is permissible for operational efficiency and coordination. Failure to limit access to information systems is especially important in mixed US/FN environments. This is particularly important on US Only classified terminals when not personally and physically attended by US personnel. The failure to properly disable information workstations and monitor screens when unattended can result in FN personnel having unauthorized access to classified information, which can result in the loss or compromise of classified information, including NOFORN information. Appropriate but simple physical and procedural security measures must be put in place to ensure that unauthorized persons to include FN partners do not have unauthorized access to information not approved for release to them. Control of CACs, SIPRNet tokens and locking of computer work stations when unattended is an important aspect of proper procedural security measure implementation. REFERENCES: National Disclosure Policy - 1 (NDP-l) National Security Directive 42, "National Policy for the Security of National Security Telecommunications and Information Systems DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information. Use guidance on sharing information with REL Partners on SIPRNET at http://www.ssc.smil.mil/ - follow Policy/Guidance&Documentation link and then SIPRNet Information Sharing... Homeland Security Presidential Directive-12 (HSPD-12), "Policy for a Common Identification Standard for Federal Employees and Contractors," 27 August 2004 DoD Manual 1000.13, Volume 1, SUBJECT: DoD Identification (ID) Cards: ID Card Life-Cycle, January 23, 2014 DoD Manual 1000.13, Volume 2, SUBJECT: DoD Identification (ID) Cards: Benefits for Members of the Uniformed Services, Their Dependents, and Other Eligible Individuals, January 23, 2014 UNDER SECRETARY OF DEFENSE (Intelligence), Directive-Type Memorandum (DTM) 09-012, "Interim Policy Guidance for DoD Physical Access Control", December 8, 2009, Incorporating Change 6, Effective November 20, 2015 DoDI 1000.13, SUBJECT: Identification (ID) Cards for Members of the Uniformed Services, Their Dependents, and Other Eligible Individuals, January 23, 2014 DoDI 8520.02 , SUBJECT: Public Key Infrastructure (PKI) and Public Key (PK) Enabling, May 24, 2011 DODD 5230.20; Visits, Assignments, and Exchanges of Foreign Nationals CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 26.d., 27.d.(e) and 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: IA-2, IA-4, PL-4, PS-6, PS-8, AC-3, AC-11, SC-28 DoDI 8500.01, SUBJECT: Cybersecurity, March 14, 2014 , Enclosure 3, paragraph 8. DoD Manual 5200.01, Volume 1, SUBJECT: DoD Information Security Program: Overview, Classification, and Declassification, Encl 2, para 9.j.(1) and Encl 3, para 5.b., 7.b.(5), 12.e. DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 3, para 5; Encl 4, para 2.c. ;Appendix to Encl 4, para 1.f. and Encl 7. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 8, paragraph 8-103. Satisfies: Monitor Screens - Disable Access by CAC or Token Removal, or Lock Computer via Ctrl/Alt/Del
IS-08.03.01
1 Rule
Classified Monitors/Displays (Procedures for Obscuration of Classified Monitors) - protection from uncleared persons or those without a need-to-know.
Low Severity
Failure to develop procedures and training for employees to cover responsibilities and methods for limiting the access of unauthorized personnel to classified information reflected on information system monitors and displays can result in the loss or compromise of classified information. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-1, PS-1, PE-5, PS-3(1) & (2) and PS-6(2). DoDI 8500.01, SUBJECT: Cybersecurity, March 14, 2014 , Enclosure 3, paragraph 7. DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information, Enclosure 2 paragraph 14.a. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 3, paragraph 3-107.f.
IS-09.02.01
1 Rule
End-of-Day Checks - Organizations that process or store classified information must establish a system of security checks at the close of each duty and/or business day to ensure that any area where classified information is used or stored is secure. SF 701, Activity Security Checklist, shall be used to record such checks.
Medium Severity
Failure to have written guidance to provide guidance for end-of-day (EOD) checks could lead to such checks not being properly conducted. If EOD checks are not properly conducted the loss or improper storage of classified material might not be promptly discovered. This could result in a longer duration of the security deficiency before corrective action is taken and make discovery of factual information concerning what caused the security incident and assigning responsibility and remedial actions more difficult. Ultimately the failure to perform consistent EOD checks can lead to the loss or compromise of classified or sensitive information. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-1, PE-3(2), MP-4 DoDI 8500.01, SUBJECT: Cybersecurity, March 14, 2014 , Enclosure 3, paragraph 7. DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information, Enclosure 2, paragraph 9. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, paragraph 5-102.
IS-10.01.01
1 Rule
Classified Reproduction - SIPRNet Connected Classified Multi-Functional Devices (MFD) located in Space Not Approved for Collateral Classified Open Storage.
High Severity
Classified Multi-Functional Devices (MFD) include printers, copiers, scanners and facsimile capabilities and contain hard drives that maintain classified data or images. Failure to locate these devices in spaces approved for classified open storage could enable uncleared persons to access classified information, either from unsanitized hard drives or from printed/copied material that is left unattended on the machine for any period of time. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-1, MP-4, PE-1, PE-5. DoDI 8500.01, SUBJECT: Cybersecurity, March 14, 2014 , Enclosure 3, paragraph 7. DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Enclosure 2 paragraph 14.&15., Enclosure 3 and Enclosure 7, paragraph 6. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, paragraphs 8-202.e. & 8-302.b. NIST Special Publication 800-88, Revision 1, Guidelines for Media Sanitization, December 2014 NSA/CSS Policy Manual 9-12, 15 December 2014, Subject: NSA/CSS Storage Device Sanitization Manual
IS-10.02.01
1 Rule
Classified Reproduction - Following guidance for System to Media Transfer of Data from systems connected specifically to the SIPRNet In-Accordance-With (IAW) US CYBERCOM CTO 10-133A.
Medium Severity
Failure to follow guidance for disabling removable media drives on devices connected to the SIPRNet or, if approved by the local AO, failure to follow US CYBERCOM procedures for using removable media on SIPRNet could result in the loss or compromise of classified information. REFERENCES: USCYBERCOM Communications Tasking Order (CTO) 10-133 CTO 10-004A; CTO 09-002; CTO 10-084A & CTO 10-133A CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure A, paragraph 6 and Enclosure C, paragraph 21.h. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-2, MP-4, SI-12. DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014 , Enclosure 3, paragraph 7. DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information: Enclosure 2 paragraph 15., Enclosure 3 and Enclosure 7. DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 8. NIST Special Publication 800-88, Revision 1, Guidelines for Media Sanitization, December 2014 NSA/CSS Policy Manual 9-12, 15 December 2014, Subject: NSA/CSS Storage Device Sanitization Manual CNSSP 26, National Policy on Reducing the Risk of Removable Media
IS-10.03.01
1 Rule
Classified Reproduction - Written Procedures for SIPRNet Connected Classified Multi-Functional Devices (MFD) located in Space Not Approved for Collateral Classified Open Storage. NOTE: This vulnerability concerns only PROCEDURES for the reproduction (printing, copying, scanning, faxing) of classified documents on Multi-Functional Devices (MFD) connected to the DoDIN.
Low Severity
Lack of or improper reproduction procedures for classified material could result in the loss or compromise of classified information. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-1, MP-4, PE-1,PE-5. DoDI 8500.01, SUBJECT: Cybersecurity, March 14, 2014 , Enclosure 3, paragraph 7. DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Enclosure 2 paragraphs 14.&15. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 4, paragraph 4-102, and Chapter 5, Section 6 (Reproduction).
IS-11.01.01
1 Rule
Destruction of Classified Documents Printed from the SIPRNet Using Approved Devices on NSA Evaluated Products Lists (EPL).
High Severity
Failure to properly destroy classified material can lead to the loss or compromise of classified or sensitive information. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 29.h.(1) & 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-1, MP-6, PE-1. DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014 DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information: Enclosure 3 paragraphs 17, 18, & 19. DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, paragraphs 5-704, 5-705 & 5-708. https://www.nsa.gov/Resources/Media-Destruction-Guidance
IS-11.01.02
1 Rule
Classified Material Destruction - Improper Disposal of Automated Information System (AIS) Hard Drives and Storage Media
High Severity
Failure to properly destroy classified material can lead to the loss or compromise of classified or sensitive information. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 21.h.(9); 28; 29b.,d.(1)&(2).h.(1)&(2) and para 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-1, MP-6, PE-1. DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 9.b.(8) & (9) DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information: Enclosure 2, paragraph 14 & 14(d); Enclosure 3 paragraphs 17, 18, & 19; Enclosure 5, paragraph 3.d.(3); Enclosure 7, paragraph 6. DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, paragraphs 5-704, 5-705, 5-706, 5-707, 5-708, 8-202.e. & 8-302.g. NIST SP 800-88, Guidelines for Media Sanitization NSA/CSA Policy Manual 9-12, NSA/CSS Storage Device Declassification Manual NSA/CSS product lists for sanitization, destroying or disposing of various types of media containing sensitive or classified information: https://www.nsa.gov/Resources/Media-Destruction-Guidance
IS-11.02.01
1 Rule
Classified Destruction - Hard Drive and Storage Media Sanitization Devices and Plans are not Available for disposal of Automated Information System (AIS) Equipment On-Hand
Medium Severity
Failure to properly destroy classified material can lead to the loss or compromise of classified or sensitive information. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 21.h.(9); 28; 29b.,d.(1)&(2).h.(1)&(2) and para 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-1, MP-6, PE-1. DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 9.b.(8) & (9) DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information: Enclosure 2, paragraph 14 & 14(d); Enclosure 3 paragraphs 17, 18, & 19; Enclosure 5, paragraph 3.d.(3); Enclosure 7, paragraph 6. Assistant Secretary of Defense for Command, Control, Communications and Intelligence Memorandum, "Disposition of Unclassified DOD Computer Hard Drives," June 4, 2001 DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, paragraphs 5-704, 5-705, 5-706, 5-707, 5-708, 8-202.e. & 8-302.g. NIST SP 800-88, Guidelines for Media Sanitization NSA/CSA Policy Manual 9-12, NSA/CSS Storage Device Declassification Manual https://www.nsa.gov/Resources/Media-destruction-Guidance
IS-11.03.01
1 Rule
Destruction of Classified and Unclassified Documents, Equipment and Media - Availability of Local Policy and Procedures
Low Severity
Lack of plans and procedures to properly destroy classified and/or sensitive material can lead to the loss or compromise of classified or sensitive information. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 21.h.(9); 28; 29b.,d.(1)(2).h.(1)(2) and para 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-1, MP-6, PE-1. DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 9.b.(8) (9) DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information: Enclosure 2, paragraph 14 14(d); Enclosure 3 paragraphs 17, 18, 19; Enclosure 5, paragraph 3.d.(3); Enclosure 7, paragraph 6. Assistant Secretary of Defense for Command, Control, Communications and Intelligence Memorandum, Disposition of Unclassified DOD Computer Hard Drives, June 4, 2001 DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, paragraphs 5-704, 5-705, 5-706, 5-707, 5-708, 8-202.e. & 8-302.g. NIST SP 800-88, Guidelines for Media Sanitization NSA/CSA Policy Manual 9-12, NSA/CSS Storage Device Declassification Manual https://www.nsa.gov/Resources/Media-Destruction-Guidance Satisfies: Destruction of Classified and Unclassified Documents, Equipment and Media - Policy/Procedure
IS-13.02.01
1 Rule
Classified Emergency Destruction Plans - Develop and Make Available
Medium Severity
Failure to develop emergency procedures can lead to the loss or compromise of classified or sensitive information during emergency situations. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 32. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: CP-4, PL-1 & RA-1. DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 9.b.(8) (9) DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information: Enclosure 2, paragraph 10. DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, paragraph 5-104. NIST SP 800-88, Guidelines for Media Sanitization NSA/CSA Policy Manual 9-12, NSA/CSS Storage Device Declassification Manual https://www.nsa.gov/Resources/Media-Destruction-Guidance
IS-14.02.01
1 Rule
Security Incident/Spillage - Lack of Procedures or Training for Handling and Reporting
Medium Severity
Failure to report possible security compromise can result in the impact of the loss or compromise of classified information not to be evaluated, responsibility affixed, or a plan of action developed to prevent recurrence of future incidents. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 6.k.(1), 9.c., 18.k.(e), 26.s.(6), 29. and 31.c. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AT-1, AT-2, AU-2, AU-7, AU-11, IR-1, IR-2, IR-4, IR-5, IR-6, IR-7, IR-8 and IR-9. DoDI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, Enclosure 3, paragraph 7.g. and 19.d. DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Enclosure 6, Appendix 1 to Encl 6, Appendix 2 to Encl 6 and Enclosure 7, paragraph 5. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, paragraphs 1-303, 1-304, 1-400, 1-401 and 8-302.i. CNSSP No. 18, National Policy on Classified Information Spillage CNSSI 1001, National Instruction on Classified Information Spillage
IS-15.02.01
1 Rule
Classification Guides Must be Available for Programs and Systems for an Organization or Site
Medium Severity
Failure to have proper classification guidance available for Information Systems and/or associated programs run on them can result in the misclassification of information and ultimately lead to the loss or compromise of classified or sensitive information. REFERENCES: The Information Security Oversight Office (ISOO): http://www.archives.gov/isoo/ Implementing Directive for Protection of Classified (for Executive Order 13526), 32 CFR Parts 2001 and 2003 Classified National Security Information: Subpart B - § 2001.15 Classification guides. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 6.c. and paragraph 26.e. NIST Special Publication 800-53 (SP 800-53), Rev 4, Control: AC-3, IA-5, MP-5, MP-6, PE-2, PS-3, PS-6. DoD Manual 5200.01, Volume 1, 24 February 2012, SUBJECT: DoD Information Security Program: Overview, Classification, and Declassification, Enclosure 2, paragraph 9.h.; Enclosure 4; Enclosure 5 and Enclosure 6. DoD Manual 5200.01, Volume 2, 24 February 2012, SUBJECT: DoD Information Security Program: Marking of Classified Information; Enclosure 3, paragraph 2.a. DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information; Enclosure 6, paragraphs 4, 51 and Glossary. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, paragraphs 4-101, 4-102, 4-103 and 7-102.
IS-16.02.01
1 Rule
Controlled Unclassified Information (CUI) - Employee Education and Training
Medium Severity
Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Executive Order 13556, Controlled Unclassified Information (CUI) The Information Security Oversight Office (ISOO): https://www.archives.gov/cui CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure A, Paragraph 11, Enclosure B, paragraph 4.h & 6.m., and Enclosure C, paragraph 5. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AT-1, AT-2, AT-3 and AT-4. DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information; Enclosure 5. DoD Manual 5200.01, Volume 4, SUBJECT: DoD Information Security Program: Controlled Unclassified Information (CUI); Enclosure 4. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 3.
IS-16.02.02
1 Rule
Controlled Unclassified Information - Document, Hard Drive and Media Disposal
Medium Severity
Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Assistant Secretary of Defense for Command, Control, Communications and Intelligence Memorandum: "Disposition of Unclassified DOD Hard Drives, 4 June 2001." 44 USC Chapter 33 - Disposal of Records, dated 01/03/2012 CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 21.h.(9); 28.a.&c. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-6 and SI-12. DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, paragraph 3.h. DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information: Enclosure 3 paragraphs 17, 18, & 19; Enclosure 7, paragraph 6. DODI 5200.48 Controlled Unclassified Information (CUI) DOD 5200.22-M (NISPOM), Incorporating Change 2, 18 May 2016, 4-103.c., 5-203.b., and Chapter 5, Section 7 Disposition and Retention NIST SP 800-88, Guidelines for Media Sanitization NSA/CSS product lists for sanitization, destroying or disposing of various types of media containing sensitive or classified information: https://www.nsa.gov/Resources/Media-Destruction-Guidance The Information Security Oversight Office (ISOO): https://www.archives.gov/cui Satisfies: Controlled Unclassified Information - Document, Hard Drive and Media Disposal
IS-16.02.03
1 Rule
Controlled Unclassified Information - Handling, Storage and Controlling Access to Areas where CUI is Processed or Maintained
Medium Severity
Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Executive Order 13556, Controlled Unclassified Information (CUI) The Information Security Oversight Office (ISOO): https://www.archives.gov/cui CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND); Enclosure C, paragraph 25.d. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4 and PE-3. DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information; Enclosure 7, paragraph 13.f. DoDI 5200.48 Controlled Unclassified Information (CUI) DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, 4-103.c., 5-203.b., and Chapter 5 and Chapter 8, paragraph 8-302.b.& g.
IS-16.02.04
1 Rule
Controlled Unclassified Information - Encryption of Data at Rest
Medium Severity
Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Executive Order 13556, Controlled Unclassified Information (CUI) The Information Security Oversight Office (ISOO): https://www.archives.gov/cui DoD CIO Memorandum, Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage Media, 3 July 2007 NIST FIPS 140-2, Security Requirements for Cryptographic Modules NSTISSI No. 11, National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology (IT) Products CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND); Enclosure A, paragraphs 6.b., 13.b.(2), 13.b.(3) and Enclosure C, paragraphs 21.f. and 21.g. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-5, PL-2 and SC-28. DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information; Enclosure 7, paragraphs 8. and 9.a. DoD Instruction 8420.01, Commercial Wireless Local Area Network (WLAN) Devices, Systems, and Technologies, 3 November 2017, paragraphs 1.2.b., 1.2.h., 3.2.a., 3.2.a.(3), and 3.8.d. NSA, Commercial Solutions for Classified Data at Rest Capability Package, current edition
IS-16.02.05
1 Rule
Controlled Unclassified Information - Transmission by either Physical or Electronic Means
Medium Severity
Failure to handle/transmit CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Executive Order 13556, Controlled Unclassified Information (CUI) The Information Security Oversight Office (ISOO): https://www.archives.gov/cui NIST FIPS 140-2, Security Requirements for Cryptographic Modules DODI 8520.2, "Public Key Infrastructure (PKI) and Public Key Enabling (PKE)" CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND); Enclosure A, paragraphs 13.a., 13.b.(2)(3), and Enclosure C, paragraphs 22.d,, 25.a.,d.,e.,f., 26.j.(2), and 35.a. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-17, AC-20, IA-2, SC-8, SC-9, and SC-23. DOD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DOD Information Security Program: Protection of Classified Information; Enclosure 7, paragraph 13. DODI 5200.48 Controlled Unclassified Information (CUI)
IS-16.02.06
1 Rule
Controlled Unclassified Information - Posting Only on Web-Sites with Appropriate Encryption; not on Publicly Accessible Web-Sites.
Medium Severity
Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Executive Order 13556, Controlled Unclassified Information (CUI) The Information Security Oversight Office (ISOO): https://www.archives.gov/cui Deputy Secretary of Defense Memorandum, "WEB Site Administration" 7 Dec 98, with attached "WEB Site Administration Policies and Procedures", 25 Nov 98. DoD 5400.7-R, DoD Freedom of Information Act Program, Sep 98. DoD 5400-11-R, Department of Defense Privacy Program, 14 May 07. DoDD 5230.09, 22 Aug 08, Clearance of DoD Information for Public Release DoDI 5230.29, 8 Jan 09, Security and Policy Review of DoD Information for Public Release. PL 104-191, 21 Aug 96, Health Insurance Portability and Accountability Act of 1996 NIST FIPS 140-2, Security Requirements for Cryptographic Modules DODI 8520.2, "Public Key Infrastructure (PKI) and Public Key Enabling (PKE)" CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND); Enclosure A, paragraph 7.a. and Enclosure C, paragraph 26.i. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-14, AC-17, IA-8 and SC-7. DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information; Enclosure 7, paragraph 13.f.. DoDI 5200.48 Controlled Unclassified Information (CUI) DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 1, Section 3, paragraph 1-300.b.&c., Chapter 5, Section 5, paragraph 5-511 and Chapter 7, Section 1, paragraph 7-102.
IS-16.03.01
1 Rule
Controlled Unclassified Information (CUI) - Local Policy and Procedure
Low Severity
Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Executive Order 13556, Controlled Unclassified Information (CUI) The Information Security Oversight Office (ISOO): https://www.archives.gov/cui CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND); Enclosure C, paragraph 25.d. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-1, PL-1 and SI-1. DODI 5200.48 Controlled Unclassified Information (CUI) DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 7, Section 1, paragraph 7-101.a.(2).
IS-16.03.02
1 Rule
Controlled Unclassified Information - Marking/Labeling Media within Unclassified Environments (Not Mixed with Classified)
Low Severity
Failure to mark CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Executive Order 13556, Controlled Unclassified Information (CUI) The Information Security Oversight Office (ISOO): https://www.archives.gov/cui CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND); Enclosure A, paragraph 6.a. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-3. DODI 5200.48 Controlled Unclassified Information (CUI) DOD 5200.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 4 and Chapter 8, Section 3, paragraph 8-302.g.(1).
IS-17.03.01
1 Rule
Classified Annual Review
Low Severity
Failure to conduct the annual review and clean out day can result in an excessive amount of classified (including IS storage media) being on hand and therefore being harder to account for, resulting in the possibility of loss or compromise of classified or sensitive information. REFERENCES: DOD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DOD Information Security Program: Protection of Classified Information; Enclosure 3, paragraph 17.b. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND); Enclosure C, paragraph 34.a. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PS-1. DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 7, paragraph 5-700.b.
PE-01.03.01
1 Rule
Position of Trust - Knowledge of Responsibility to Self Report Derogatory Information
Low Severity
Failure to inform personnel of the expected standards of conduct while holding a position of trust and their responsibility to self-report derogatory information to the organization security manager can result in conduct by the individual that will require them being removed from that position REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND); Enclosure A, paragraph 7.f. and Enclosure C, paragraph 4.e. and 5. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PS-1, PS-6, AT-1, AT-3 and PL-4. DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter paragraphs 3-107.d. and 3-108. DOD Manual 5200.02, Procedures for the DOD Personnel Security Program (PSP), April 3, 2017, Paragraphs 7.4. ADJUDICATIVE GUIDELINES, 9.2., 11.2. a. (1), (2), (3) and b. 12.1. White House Memorandum and Intelligence Community Policy Guidance 704.2, December 29, 2005, Subject: Adjudicative Guidelines DOD 5200.2-R, Personnel Security Program, Chapter 9, paragraph C9.1.4 - Individual Responsibility (rescinded but provided for purpose of historical reference).
PE-01.03.02
1 Rule
Position of Trust - Local Policy Covering Employee Personal Standards of Conduct and Responsibilities
Low Severity
Failure to inform personnel of the expected standards of conduct while holding a position of trust can result in conduct by the individual that will require them being removed from that position and/or result in an untrustworthy person continuing in a position of trust without proper vetting of new derogatory information. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND); Enclosure A, paragraph 7.f. and Enclosure C, paragraph 4.e. and 5. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PS-1, PS-6, AT-1, AT-3 and PL-4. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter paragraphs 3-107.d. and 3-108. DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), April 3, 2017, Paragraphs 7.4. ADJUDICATIVE GUIDELINES, 9.2., 11.2. a. (1), (2), (3) and b. 12.1. White House Memorandum and Intelligence Community Policy Guidance 704.2, December 29, 2005, Subject: Adjudicative Guidelines DoD 5200.2-R, Personnel Security Program, Chapter 9, paragraph C9.1.2 - Management Responsibility (rescinded but provided for purpose of historical perspective/reference).
PE-01.03.03
1 Rule
Position of Trust - Training Covering Employee Standards of Conduct and Personal Responsibilities
Low Severity
Failure to inform personnel of the expected standards of conduct while holding a position of trust can result in conduct by the individual that will require them being removed from that position or result in a person no longer meeting standards criteria continuing to hold a position of trust without proper vetting for suitability. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND); Enclosure A, paragraph 7.f. & 11. and Enclosure C, paragraph 4.e. & 5. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PS-1, PS-6, AT-1, AT-3 and PL-4. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 1, Section 2, paragraph 1-205 and Chapter 3. DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), April 3, 2017, Paragraphs 9.2.,11.2.a. and 12.1. DoD 5200.2-R, Personnel Security Program, Chapter 2, paragraph C2.2., Chapter 9, paragraphs C9.1.4. & C9.2.3. (rescinded but provided for purpose of historical perspective/reference). DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 1, Section 2, paragraph 1-205 and Chapter 3. DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), April 3, 2017, Paragraphs 9.2.,11.2.a. and 12.1.
PE-03.02.01
1 Rule
Validation Procedures for Security Clearance Issuance (Classified Systems and/or Physical Access Granted)
Medium Severity
Failure to properly verify security clearance status could result in an unauthorized person having access to a classified information system or an authorized person being unable to perform assigned duties. REFERENCES: DOD 8570.01-M, Information Assurance Workforce Improvement Program, 19 December 2005, Incorporating Change 4, 11/10/2015 CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND): Enclosure C, paragraphs 26.c.(2) (3) and 27.f.(5) (6) NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-1, MA-5, PE-2, PE-3, and PS-2 DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 2, Section 2 and Chapter 8, Section 3, paragraph 8-302.a. Personnel Security. DOD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DOD Information Security Program: Protection of Classified Information: Enclosure 2, paragraphs 1 and 3 DOD Manual 5200.02, Procedures for the DOD Personnel Security Program (PSP), April 3, 2017, Paragraphs 3.1.c., 4.1. Civilian Personnel, 4.2. Military Personnel, 4.3. Contractors, 4.4. Consultants. 4.5. Non-U.S. Citizens Employed Overseas in Support of National Security Positions. 4.6. Temporary Employees, 5A.2. Verify Eligibility, and Glossary G.2. Definitions: LAA. Now Cancelled: DOD 5200.2-R, Personnel Security Program, Chapter 3, para C3.4.3., Chapter 7 para C7.1.2. C7.1.3. and Appendix 9, para AP9.2. & AP9.3.6.2. DODD 5230.20; Visits, Assignments, and Exchanges of Foreign Nationals Paragraph 4.4. DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information: Paragraphs 4.6.3., E2.1.4, Enclosure 3 and Enclosure 4.
PE-07.03.01
1 Rule
Out-processing Procedures for Departing or Terminated Employees (Military, Government Civilian and Contractor)
Low Severity
Failure to properly out-process through the security section allows the possibility of continued (unauthorized) access to the facility and/or the systems. REFERENCES: DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information Appendix to Encl 3, paragraph 3.a.(4). and Enclosure 5, paragraph 9. DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 1, paragraph 1-206. and Chapter 3, paragraph 3-109. DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), April 3, 2017, Chapter 12, paragraph 12.1.b.&f., Appendix G.2. Definitions, JPAS NIST Special Publication 800-53 (SP 800-53) Controls: AC-1, AC-2, PE-3, PS-4, and PS-5 CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), 9 February 2011 Enclosure C, para 11
PE-08.02.01
1 Rule
Intrusion Detection System (IDS) Monitoring Station Personnel - Suitability Checks
Medium Severity
Failure to subject personnel who monitor the IDS alarms to a trustworthiness determination can result in the inadvertent or deliberate unauthorized access to, or release of classified material. REFERENCES: DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information Appendix to Enclosure 3, para 2.f.(1)&(2) DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 9, paragraphs 5-902.b. & 5-906 NIST Special Publication 800-53 (SP 800-53) Control: PS-2 and PS-3 CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), 9 February 2011 Encl A para 7.f. and Encl D Reference q Legacy DOD 5200.2-R; Personnel Security Program Paragraph C3.1.2.1.2.5. Current DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP) 3 April 2017, Paragraph 4.1.a.(3)
PE-08.02.02
1 Rule
Intrusion Detection System (IDS) Installation and Maintenance Personnel - Suitability Checks
Medium Severity
Failure to subject personnel who install and maintain the IDS alarms to a trustworthiness determination can result in the inadvertent or deliberate unauthorized exposure to or release of classified material. REFERENCES: DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information Appendix to Enclosure 3, para 2.f.(1)&(2) DoD 5200.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 5, Section 9, paragraphs 5-902.b. & 5-906 NIST Special Publication 800-53 (SP 800-53) Control: PS-2 and PS-3 CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), 9 February 2011 Encl A para 7.f. and Encl D Reference q Legacy DOD 5200.2-R; Personnel Security Program Paragraph C3.1.2.1.2.5. Current DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP) 3 April 2017, Paragraph 4.1.a.(3)
PH-01.03.01
1 Rule
Physical Security Program - Physical Security Plan (PSP) and/or Systems Security Plan (SSP) Development and Implementation with Consideration/Focus on Protection of Information System Assets in the Physical Environment
Low Severity
Failure to have a well-documented Physical Security/Systems Security program will result in an increased risk to DoD Information Systems; including personnel, equipment, media, material and documents. REFERENCES: DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016 Chapter 8, Section 1, paragraphs 8-100, 8-101, 8-102, 8-301 and 8-302.b.&c. DoD 5200.8-R Physical Security Program Chapters 1, 2 and 3 DoD Manual 5200.08 Volume 3, Physical Security Program: Access to DoD Installations, 2 January 2019 NIST Special Publication 800-53 (SP 800-53) Controls: PE-1 through PE-20 and PL-1 & PL-2 CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), 9 February 2011 Encl A, para 5.a.(1), Encl C, para: 24.j., 27., 28.b., and 34.
PH-02.02.01
1 Rule
Risk Assessment -Holistic Review (site/environment/information systems)
Medium Severity
Failure to conduct a risk analysis could result in not implementing an effective countermeasure to a vulnerability or wasting resources on ineffective measures leading to a possible loss of classified, equipment, facilities, or personnel. REFERENCES: DoD 5200.22-M (NISPOM), February 2006, Incorporating Change 2, May 18, 2016 Chap 1, Section 2, para 1-207a.(1) & b.; Chap 8 Sec 1, para 8-100.a., d. & e., 8-101., 8-102., 8-201., 8-202., 8-301., and 8-304.b. NIST Special Publication 800-53 (SP 800-53) Controls: PE-18(1), PL-1, PL-2, PS-1, RA-1 RA-3 DoD 5200.8-R Physical Security Program Definitions: 1.13, 1.14., 1.15., 1.22.; Chap 1, C1.2.3. C1.2.4. and Chap 2, C2.1.3.3. DoD Manual 5200.08 Volume 3, Physical Security Program: Access to DoD Installations, 2 January 2019 DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information Encl 2, para 10.; Encl 3, para 4.: Appendix to Encl 3, para 2.a. and Encl 7 para 4.c. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), 9 February 2011 Encl A, para 12; Encl B, para 2.d(3), 2.g., and 3.h.; Encl C, para 3.a., 6.b.(6) and 33. DoD Instruction 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), March 13, 2014 DoD Instruction 8500.01, "Cybersecurity," March 13, 2014 Encl 2, paragraph 2.k., 9.q., 15.e. and Encl 3, paragraph 2. (*2.f.) & 9.b.(5) NIST SP 800-30, Guide for Conducting Risk Assessments NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems
PH-03.02.01
1 Rule
Physical Protection of Unclassified Key System Devices/Computer Rooms in Large Processing Facilities
Medium Severity
Allowing access to systems processing sensitive information by personnel without the need-to-know could permit loss, destruction of data or equipment or a denial of service. Loss could be accidental damage or intentional theft or sabotage. REFERENCES: DoD 5220.22-M (NISPOM), February 2006, Incorporating Change 2, May 18, 2016 Chapter 8, IS Security DoD 5200.8-R Physical Security Program Chapters 1, 2 and 3 DoD Manual 5200.08 Volume 3, Physical Security Program: Access to DoD Installations, 2 January 2019 NIST Special Publication 800-53 (SP 800-53) Controls: PE-2, PE-3, PE-4, PE-6 and PE-18 CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), 9 February 2011 Encl C, para 34. DoDI 8500.01, Cybersecurity, March 14, 2014, Enclosure 2, paragraph 13.s. DoD Manual 5200.01, Volume 4, February 24, 2012 SUBJECT: DoD Information Security Program: Controlled Unclassified Information (CUI)
PH-04.02.01
1 Rule
Restricted Area and Controlled Area Designation of Areas Housing Critical Information System Components or Classified /Sensitive Technology or Data
Medium Severity
Failure to designate the areas housing the critical information technology systems as a restricted or controlled access area may result in inadequate protection being assigned during emergency actions or the site having insufficient physical security protection measures in place. Further, warning signs may not be in place to advise visitors or other unauthorized persons that such areas are off-limits, resulting in inadvertent access by unauthorized persons. REFERENCES: DoD 5220.22-M (NISPOM), February 2006, Incorporating Change 2, May 18, 2016 Appendix C - Definition of Restricted Area and Chapter 5, para 5-305. NIST Special Publication 800-53 (SP 800-53) Controls: PE-2 and PE-3 DoD 5200.8-R Physical Security Program Definitions: DL1.12., and Chapter 3, para C3.2.4.
PH-05.02.01
1 Rule
Security-in-Depth (AKA: Defense-in-Depth) - Minimum Physical Barriers and Access Control Measures for Facilities or Buildings Containing DoDIN (SIPRNet/NIPRNet) Connected Assets.
Medium Severity
Failure to use security-in-depth can result in a facility being vulnerable to an undetected intrusion or an intrusion that cannot be responded to in a timely manner - or both. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure A, paragraph 5.a.(1). NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-2(2), PE-3, PE-6(1), and page B-6: Security-in-Depth defined. DoDI 8500.01, SUBJECT: Cybersecurity, March 14, 2014 , Enclosure 2, paragraph 13.s. and Enclosure 3, paragraph 7. DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information: Enclosure 2 paragraph 12.; Enclosure 3, paragraph 3.b.(3) & paragraph 4.; Enclosure 7, paragraph 7.d.; and Glossary page 121, Security-in-Depth defined. DoD 5220.22-M (NISPOM), February 2006, Incorporating Change 2, May 18, 2016 Chapter 5, paragraphs 5-303, 5-307 & 5-904.b. and Appendix C, Definitions, page C-6 - Security in Depth. DoD 5200.8-R Physical Security Program, April 9, 2007, Incorporating Change 1, May 27, 2009: Chapter 2, C2.3.1, C3.2.1 and DL1.17., Security-in-Depth defined. CNSSI No.7003, September 2015, Protected Distribution Systems (PDS), Section IV, paragraph 6, Section VIII, Table 1 and Table 2, and Section VI - DEFINITIONS - Controlled Access Area (CAA).
PH-06.02.01
1 Rule
Visitor Control - To Facility or Organization with Information System Assets Connected to the DISN
Medium Severity
Failure to identify and control visitors could result in unauthorized personnel gaining access to the facility with the intent to compromise classified information, steal equipment, or damage equipment or the facility. REFERENCES: DoD 5200.8-R Physical Security Program Chap 3, para C3.3.1.4. and DL1.17. on pg 8 and DTM 09-012, 8 Dec 09, Incorporating Change 7, Effective April 17, 2017 DoD Manual 5200.08 Volume 3, Physical Security Program: Access to DoD Installations, 2 January 2019 DoD 5220.22-M (NISPOM), February 2006, Incorporating Change 2, May 18, 2016 Chapter 6, Visits and Meetings NIST Special Publication 800-53 (SP 800-53) Controls: PE-2, PE-3 and PE-8 CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), 9 February 2011 Encl C, para 34. DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information Glossary, definition of security-in-depth and Encl 2, para 7.a and 7.b.
PH-07.02.01
1 Rule
Sensitive Item Control - Keys, Locks and Access Cards Controlling Access to Information Systems (IS) or IS Assets Connected to the DISN
Medium Severity
Lack of an adequate key/credential/access device control could result in unauthorized personnel gaining access to the facility or systems with the intent to compromise classified information, steal equipment, or damage equipment or the facility. REFERENCES: UG 2040-SHR, User's Guide on Controlling Locks, Keys, and Access Cards and Best Practices - found on the DoD Lock Program site: https://www.navfac.navy.mil/content/dam/navfac/Specialty%20Centers/Engineering%20and%20Expeditionary%20Warfare%20Center/DoD_Lock_Program/PDFs/UG-2040-SHR.pdf DoD 5200.8-R Physical Security Program Chapter 2, para C2.1.4.4., C2.1.4.5., C2.1.4.8. and Chapter 3, para C3.3 and Pg 7, DL1.9 Personnel Identity Management and Protection DoD Manual 5200.08 Volume 3, Physical Security Program: Access to DoD Installations, 2 January 2019 DoD 5220.22-M (NISPOM), February 2006, Incorporating Change 2, May 18, 2016 Chapter 5, paragraphs 5-308, 5-310, 5-312, 5-313, 5-314 NIST Special Publication 800-53 (SP 800-53) Controls: IA-5, SC-12, MA-5, PE-2, PE-3, PS-4, PS-5 CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), 9 February 2011 Encl C, para 34. DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information Encl3, para 6.e.(1) (2) and Appendix to Encl 3, para 3.a. Satisfies: Sensitive Item Control - Keys, Locks and Access Cards
PH-09.03.01
1 Rule
Physical Penetration Testing - of Facilities or Buildings Containing Information Systems (IS) Connected to the DISN
Low Severity
Failure to periodically test facility/building security where Information Systems (IS) connected to the DISN are present could lead to the unauthorized access of an individual into the facility with nefarious intentions to affect the Confidentiality, Integrity or Assurance of data or hardware on the IS. REFERENCES: DoD 5200.8-R Physical Security Program Chapter 2, para C2.1.3.2. C2.1.3.4. and C2.2.4. DoD Manual 5200.08 Volume 3, Physical Security Program: Access to DoD Installations, 2 January 2019 DoD 5220.22-M (NISPOM), February 2006, Incorporating Change 2, May 18, 2016 Chapter 8, paragraph 8-101.d. NIST Special Publication 800-53 (SP 800-53) Controls: CA-2, CA-8 and PE-3(6) and PE-6 CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), 9 February 2011 Encl A, para 8.b., Encl C paragraphs 6.b. 12.a. 34. DoDI 8500.01, March 14, 2014, DoD CIO, SUBJECT: Cybersecurity Encl 2, para 13.s. and Encl 3, paragraphs 3.b. & 5.c.
SM-01.03.01
1 Rule
Security and Cybersecurity Staff Appointment, Training/Certification and Suitability
Medium Severity
Failure to formally appoint security personnel and detail responsibilities, training and other requirements in the appointment notices could result in a weaken security program due to critical security and information assurance personnel not being fully aware of the scope of their duties and responsibilities or not being properly trained or meeting standards for appointment to assigned positions. REFERENCES: DOD 8570.01-M, Information Assurance Workforce Improvement Program, 19 December 2005, Incorporating Change 4, 11/10/2015 Chap 3, para C3.2.4.4., Chap 4 para C4.2.3.6., Chap 5 para C5.1.1. and Chap 10 para C10.2.3.6. DODD 8140.01 Cyberspace Workforce Management DODI 8140.02 Identifying-Tracking and Reporting of Cyberspace Workforce Requirements DODM 8140.03 Cyberspace Workforce Qualification and Management Program DOD Manual 5200.02, PROCEDURES FOR THE DOD PERSONNEL SECURITY PROGRAM (PSP), Effective: April 3, 2017 Section 2, paragraph 2.10.a., h. & i. and Appendix 7A: Determination Authorities NIST Special Publication 800-53 (SP 800-53) Controls: PM-2, PS-2, PS-3, AC-5, AC-6(5), PM-10, CA-6 and AT-3 DOD Manual 5200.01, Volume 1, 24 February 2012, SUBJECT: DOD Information Security Program: Overview, Classification, and Declassification Encl 2, para 6.b., 7., 7.c., 8.b., 8.c., 8.d., 9. & 12.; Encl 3 para 6.a., 6.b. & 6.b.(5); and Definitions, pg 76 activity SM CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), 9 February 2011 Encl C, paragraphs 3.a.(1) (2)(a)(b), 4.a. through 4.e., 26.(c), & 27. and Encl A para 11.b. DOD 5220.22-M (NISPOM), February 2006, Incorporating Change 2, May 18, 2016 Paragraphs: 1-201., 2-103.c., 2-306.d., 3-102., & 8-103 DODI 8500.01, March 14, 2014, SUBJECT: Cybersecurity Enclosure 2, paragraph 1.c., 13.c. and Enclosure 3, paragraph 13.b., 16.a.(2), 18.d. Satisfies: Security and Cybersecurity Staff Appointment, Training/Certification and Suitability
SM-02.02.01
1 Rule
Security Training - Information Security (INFOSEC) for ALL Employees; Military, Government Civilian and Contractor
Medium Severity
Failure to provide security training to ALL employees results in a weak security program and could lead to the loss or compromise of classified or sensitive information. REFERENCES: DoD 5220.22-M (NISPOM), February 2006, Incorporating Change 2, May 18, 2016 Chapter 1, para 1-206 and Chapter 3. NIST Special Publication 800-53 (SP 800-53) Controls: AT-1, AT-2, AT-3 and AT-4 DoD Manual 5200.01, Volume 1, 24 February 2012, SUBJECT: DoD Information Security Program: Overview, Classification, and Declassification Encl 2, para 7.c., 7.d., 7.g., 9.f.; Encl 3, para 5.f.; Encl 4 para 10.c.; Encl 5, para 3.b. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), 9 February 2011 Encl A, para 11; Encl B, para 4.h., 4.i., 6.m.; Encl C para 5., 7.f., 21.h.(2), 27e.(8)(d) and 31.b. DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information Enclosure 5
SM-03.03.01
1 Rule
Counter-Intelligence Program - Training, Procedures and Incident Reporting
Low Severity
Failure to establish a good working relationship with the supporting/local CI agency and lack of proper CI training for site/organization employees could result in not being informed of local threats and warnings leaving the organization vulnerable to the threat and/or a delay in reporting a possible incident involving reportable FIE-Associated Cyberspace Contacts, Activities, Indicators, and Behaviors, which could adversely impact the Confidentiality, Integrity, or Availability (CIA) of the DISN. REFERENCES: DoDD 5240.06, Counterintelligence Awareness and Reporting (CIAR), 17 May 11, Incorporating Change 2, July 21, 2017 Enclosure 3 and Enclosure 4. para 4.a. Satisfies: Counter-Intelligence Program - Training, Procedures and Incident Reporting
CS-01.01.01
1 Rule
COMSEC Account Management - Equipment and Key Storage
High Severity
Improper handling and storage of COMSEC material can result in the loss or compromise of classified cryptologic devices or classified key or unclassified COMSEC Controlled Items (CCI). REFERENCES: DoD 5220.22-M (NISPOM), Chapter 9, Section 4 DoD Manual 5200.01, Volume 1, 24 February 2012, SUBJECT: DoD Information Security Program: Overview, Classification, and Declassification, Enclosure 3, para 12.c. DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information: Paragraph 1.b. (1) Enclosure 2, para 8. & 12. Enclosure 3 and Appendix to Encl 3 Enclosure 4, para 1.a. Enclosure 7, para 7.b. & c. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: SC-12, SC-13 NSA/CSS Policy Manual 3-16, Sections III, VI, X and XI CNSS Policy No. 1, NATIONAL POLICY FOR SAFEGUARDING AND CONTROL OF COMSEC MATERIALS CNSS Policy No. 10, NATIONAL POLICY GOVERNING USE OF APPROVED SECURITY CONTAINERS IN INFORMATION SECURITY APPLICATIONS DoD Instruction 8523.01, Communications Security (COMSEC), April 22, 2008