Develop a user agreement to be signed by all remote users prior to obtaining access. This agreement may be integrated with the site's remote access usage training.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-19139	SRC-EPT-040	SV-20952r1_rule		Low

Description
Lack of user training and understanding of responsibilities to safeguard wireless technology are a significant vulnerability to the enclave. Once policies are established, users must be trained to meet these requirements or the risk to the network remains. User agreements are particularly important for mobile and remote users since there is a high risk of loss, theft, or compromise, thus, this signed agreement is a good best practice to help ensure the site is confirming the user is aware of the risks and proper procedures.

Description

Lack of user training and understanding of responsibilities to safeguard wireless technology are a significant vulnerability to the enclave. Once policies are established, users must be trained to meet these requirements or the risk to the network remains. User agreements are particularly important for mobile and remote users since there is a high risk of loss, theft, or compromise, thus, this signed agreement is a good best practice to help ensure the site is confirming the user is aware of the risks and proper procedures.

STIG	Date
Remote Access Policy STIG	2016-03-28

Details

Check Text ( C-22759r1_chk )
Inspect a copy of the site’s user agreement. Verify the user agreement is signed by the remote users and has the minimum elements as follows: - The agreement will contain the type of access required by the user (i.e., privileged, end-user, remote access, wireless access, mobile access). - The agreement will contain the responsibilities, liabilities, and security measures (e.g., malicious code detection training) involved in the use of the remote access device. - Incident handling and reporting procedures are identified along with a designated point of contact. - The policy will contain general security requirements and practices and will be signed by the remote user. - If classified devices are used for remote access from an alternative work site, the remote user will adhere to DoD policy with regard to facility clearances, protection, storage, distributing, etc. - Government-owned hardware and software is used for official duty only. The employee is the only individual authorized to use this equipment. If site user agreements do not exist or are not compliant with the minimum requirements, this is a finding.

Check Text ( C-22759r1_chk )

Inspect a copy of the site’s user agreement. Verify the user agreement is signed by the remote users and has the minimum elements as follows:

- The agreement will contain the type of access required by the user (i.e., privileged, end-user, remote access, wireless
access, mobile access).

- The agreement will contain the responsibilities, liabilities, and security measures (e.g., malicious code detection training) involved in the use of the remote access device.

- Incident handling and reporting procedures are identified along with a designated point of contact.

- The policy will contain general security requirements and practices and will be signed by the remote user.

- If classified devices are used for remote access from an alternative work site, the remote user will adhere to DoD policy with regard to facility clearances, protection, storage, distributing, etc.

- Government-owned hardware and software is used for official duty only. The employee is the only individual authorized to use this equipment.

If site user agreements do not exist or are not compliant with the minimum requirements, this is a finding.

Fix Text (F-19690r1_fix)
Develop documentation as required.