
If the application contains classified data, the Program Manager will ensure a Security Classification Guide exists containing data elements and their classification.


Overview

Finding ID | Version | Rule ID | IA Controls | Severity
V-6145 | APP2040 | SV-6145r1_rule | DCSD-1 | Medium
Description
Without a classification guide the marking, storage, and output media of classified material can be inadvertently mixed with unclassified material, leading to its possible loss or compromise.
STIG | Date
Application Security and Development Checklist | 2014-12-22

Details

Check Text (C-3053r1_chk)
The IAO will ensure the classification guide for the application data exists and is available to users.

If the application does not process classified information, this check is not applicable.

The application may already be covered by a higher-level program or other classification guide. If the classification guide is not written specifically for the application, the sensitive application data should be reviewed to determine whether it is contained in the classification guide.

DoD 5200.1-R, January 1997, identifies requirements for security classification and/or declassification guides (http://www.dtic.mil/whs/directives/corres/pdf/520001r.pdf).

Security classification guides shall provide the following information:
• Identify specific items, elements, or categories of information to be protected.
• State the specific classification to be assigned to each item or element of information and, when useful, specify items of information that are unclassified.
• Provide declassification instructions for each item or element of information, to include the applicable exemption category for information exempted from automatic declassification.
• State a concise reason for classification for each item, element, or category of information that, at a minimum, cites the applicable classification categories in Section 1.5 of E.O. 12958.
• Identify any special handling caveats that apply to items, elements, or categories of information.
• Identify, by name or personal identifier and position title, the original classification authority approving the guide and the date of that approval.
• Provide a point-of-contact for questions about the guide and suggestions for improvement.
• For information exempted from automatic declassification because its disclosure would reveal foreign government information or violate a statute, treaty, or international agreement, the security classification guide will identify the government or specify the applicable statute, treaty, or international agreement, as appropriate.

1) If the security classification guide does not exist, or does not contain data elements and their classification, it is a finding.
Fix Text (F-16971r1_fix)
Create and maintain a security classification guide.