Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-19830 | SRC-RAP-030 | SV-21993r1_rule | ECSC-1 | High |
Description |
---|
Failure to use approved communications equipment and security measure can lead to unauthorized disclosure, loss, or compromise of classified information. |
STIG | Date |
---|---|
Remote Access Policy STIG | 2015-09-16 |
Check Text ( C-21322r1_chk ) |
---|
Interview the IAO. Ask if users are allowed to process classified information from remote locations. Work with the traditional reviewers to determine if there is a classified handling/transmitting policy in place for remote access. Also, ask if classified information is tunnelled using communications channels which are not secured to the level of classification transmitted without complying with the DSAWG Position Paper requirements as follows: - C2: The policy is to minimize tunneling classified information over transport other than SIPRNet. The SIPRNet will be the network of choice for C2 traffic. - Classified C2, or related requirements, across the NIPRNet are specifically denied except to meet operationally urgent conditions as defined and approved by the DSAWG and the DISN DAAs. - Non-C2: The Local DAA may approve tunneling classified information across an unclassified IP infrastructure if deemed operationally necessary. This must be documented and approved by the Classified Connection Approval Office (CCAO) and the Classified Data Service Manager (DISA/GS21). Supported rationale will be presented to the CDSM. - Type 1 encryption will be employed. - Must be documented in the DIACAP Implementation Plan (DIP) - Termination of the tunnel will be in facilities authorized to process classified US Government information classified at the Secret level. For the use of an ISP, a GIG Waiver must be issued by the OSD GIG Waiver Panel. SCI will not be tunneled. This does not alter or supersede any other DoD or DCI guidance or policy. **This check applies to Enhanced Compliance Validation visits. |
Fix Text (F-19138r1_fix) |
---|
The IAO will ensure classified information is not transmitted over any communications system unless it is transmitted using approved NSA security devices in addition to approved security procedures and practices. |