UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Develop a user agreement to be signed by all remote users prior to obtaining access. This agreement may be integrated with the site's remote access usage training.


Overview

Finding ID Version Rule ID IA Controls Severity
V-19139 SRC-EPT-040 SV-20952r1_rule Low
Description
Lack of user training and understanding of responsibilities to safeguard wireless technology are a significant vulnerability to the enclave. Once policies are established, users must be trained to meet these requirements or the risk to the network remains. User agreements are particularly important for mobile and remote users since there is a high risk of loss, theft, or compromise, thus, this signed agreement is a good best practice to help ensure the site is confirming the user is aware of the risks and proper procedures.
STIG Date
Remote Access Policy STIG 2016-03-28

Details

Check Text ( C-22759r1_chk )
Inspect a copy of the site’s user agreement. Verify the user agreement is signed by the remote users and has the minimum elements as follows:

- The agreement will contain the type of access required by the user (i.e., privileged, end-user, remote access, wireless
access, mobile access).

- The agreement will contain the responsibilities, liabilities, and security measures (e.g., malicious code detection training) involved in the use of the remote access device.

- Incident handling and reporting procedures are identified along with a designated point of contact.

- The policy will contain general security requirements and practices and will be signed by the remote user.

- If classified devices are used for remote access from an alternative work site, the remote user will adhere to DoD policy with regard to facility clearances, protection, storage, distributing, etc.

- Government-owned hardware and software is used for official duty only. The employee is the only individual authorized to use this equipment.

If site user agreements do not exist or are not compliant with the minimum requirements, this is a finding.
Fix Text (F-19690r1_fix)
Develop documentation as required.