V-31529 | High | Vault/Secure Room Storage Standards - Access Control During Working Hours Using Visual Control OR Automated ACS with PIN / Biometrics:
| Failure to properly monitor and control collateral classified open storage area access doors during working hours (while the FF-L-2740 combination lock is not secured) could result in an... |
V-31284 | High | Vault/Secure Room Storage Standards - IDS Transmission Line Security
| Failure to meet standards for ensuring integrity of the intrusion detection system signal transmission supporting a secure room (AKA: collateral classified open storage area) containing SIPRNet... |
V-31127 | High | Information Assurance - Unauthorized Wireless Devices - Connected to the SIPRNet
| Finding unauthorized wireless devices connected and/or operating on the SIPRNet is a security incident and could directly result in the loss or compromise of classified or sensitive information... |
V-30969 | High | Protected Distribution System (PDS) Construction - Buried PDS Carrier
| A PDS that is not constructed, configured and physically secured as required could result in the undetected interception of classified information. |
V-33456 | High | Protected Distribution System (PDS) Construction - Alarmed Carrier | A PDS that is not constructed and configured as required could result in the covert or undetected interception of classified information. |
V-31132 | High | Information Assurance - Network Connections - Physical Protection of Classified Network Devices such as Routers, Switches and Hubs (SIPRNet or Other Classified Networks or Systems Being Inspected)
| SIPRNet or other classified network connections that are not properly protected in their physical environment are highly vulnerable to unauthorized access, resulting in the probable loss or... |
V-31225 | High | Foreign National System Access - FN or Immigrant Aliens (not representing a foreign government or entity) System Access - Limited Access Authorization (LAA)
| Failure to verify citizenship and proper authorization for access to either sensitive or classified information could enable personnel to have access to classified or sensitive information to... |
V-31221 | High | Foreign National (FN) Systems Access - Local Nationals (LN) Overseas System Access - Vetting for Privileged Access
| Failure to subject foreign nationals to background checks could result in the loss or compromise of
classified or sensitive information by foreign sources. |
V-31549 | High | Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) and Intrusion Detection System (IDS) Head-End Equipment Protection:
The physical location (room or area) containing AECS and IDS head-end equipment (server and/or work station/monitoring equipment) where authorization, personal identification or verification data is input, stored, or recorded and/or where system status/alarms are monitored must be physically protected. | Inadequate physical protection of Intrusion Detection System or Automated Entry Control System servers, data base storage drives, or monitoring work stations could result in unauthorized access to... |
V-30934 | High | Classified Transmission - Electronic Means using Cryptographic System Authorized by the Director, NSA | Failure to properly encrypt classified data in transit can lead to the loss or compromise of
classified or sensitive information. |
V-30938 | High | Protected Distribution System (PDS) Construction - Point of Presence (PoP) and Terminal Equipment Protection. This requirement concerns security of both the starting and ending points for PDS within proper physically protected and access controlled environments. | A PDS that is not constructed and physically protected as required could result in the covert or undetected interception of classified information. |
V-30837 | High | COMSEC Account Management - Equipment and Key Storage | Improper handling and storage of COMSEC material can result in the loss or compromise of classified cryptologic devices or classified key or unclassified COMSEC Controlled Items (CCI). |
V-31242 | High | Foreign National (FN) Physical Access Control - Areas Containing US Only Information Systems Workstations/Monitor Screens, Equipment, Media or Documents | Physically co-locating REL Partners or other FN - who have limited or no access to the SIPRNet or other US Classified systems - near US personnel in a collateral classified (Secret or higher) open... |
V-31991 | High | Classified Monitors/Displays (Physical Control of Classified Monitors From Unauthorized Viewing)
| Failure to limit access to unauthorized personnel to information displayed on classified monitors/displays can result in the loss or compromise of classified information, including NOFORN information.
|
V-31993 | High | Monitor Screens - Disable Access by CAC or Token Removal, or Lock Computer via Ctrl/Alt/Del
| The DoD Common Access Cards (CAC) a "smart" card, is the standard identification for active-duty military personnel, Selected Reserve, DoD civilian employees, and eligible contractor personnel. ... |
V-31986 | High | Storage/Handling of Classified Documents, Media, Equipment - must be under continuous personal protection and control of an authorized (cleared) individual OR guarded or stored in an approved locked security container (safe), vault, secure room, collateral classified open storage area or SCIF.
| Failure to store classified in an approved container OR to properly protect classified when removed from storage can lead to the loss or compromise of classified or sensitive information.
|
V-31278 | High | Information Security (INFOSEC) - Secure Room Storage Standards - Four (4) Hour Random Checks in Lieu of Using Intrusion Detection System (IDS)
| Failure to meet standards for ensuring that there is structural integrity of the physical perimeter surrounding a secure room (AKA: collateral classified open storage area) IAW DoD Manual 5200.01,... |
V-31275 | High | Information Security (INFOSEC) - Secure Room Storage Standards - Balanced Magnetic Switch (BMS) on Perimeter Doors
| Failure to meet standards for ensuring that there is structural integrity of the physical perimeter surrounding a secure room (AKA: collateral classified open storage area) IAW DoD Manual 5200.01,... |
V-31274 | High | Information Security (INFOSEC) - Secure Room Storage Standards - Intrusion Detection System (IDS)
| Failure to meet standards for maintenance and validation of structural integrity of the physical perimeter surrounding a secure room (AKA: collateral classified open storage area) IAW DoD Manual... |
V-31276 | High | Information Security (INFOSEC) - Secure Room Storage Standards - Interior Motion Detection
| Failure to meet standards for ensuring that there is structural integrity of the physical perimeter surrounding a secure room (AKA: collateral classified open storage area) IAW DoD Manual 5200.01,... |
V-31271 | High | Information Security (INFOSEC) - Vault/Secure Room Storage Standards - Openings in Perimeter Exceeding 96 Square Inches
| Failure to meet standards for ensuring that there is structural integrity of the physical perimeter surrounding a vault or secure room (AKA: collateral classified open storage area) IAW DoD Manual... |
V-31270 | High | Information Security (INFOSEC) - Secure Room Storage Standards Wall and Ceiling Structural Integrity (AKA: True Floor to True Ceiling Connection)
| Failure to meet standards for ensuring that there is structural integrity of the physical perimeter surrounding a secure room (AKA: collateral classified open storage area) IAW DoD Manual 5200.01,... |
V-31273 | High | Information Security (INFOSEC) - Vault Storage/Construction Standards
| Failure to meet standards IAW the DoD Manual 5200.01, Volume 3, Appendix to Enclosure 3, for ensuring that there is required structural integrity of the physical perimeter surrounding a classified... |
V-31272 | High | Information Security (INFOSEC) - Secure Room Storage Standards Windows - Accessible from the Ground Hardened Against Forced Entry and Shielded from Exterior Viewing of Classified Materials Contained within the Area.
| Failure to meet standards for ensuring that there is structural integrity of the physical perimeter surrounding a secure room (AKA: collateral classified open storage area) IAW DoD Manual 5200.01,... |
V-31171 | High | Information Assurance - Network Connections - Wall Jack Security on Classified Networks (SIPRNet or other Inspected Classified Network or System) Where Port Authentication Using IEEE 802.1X IS NOT Implemented
| Network connections that are not properly protected are highly vulnerable to unauthorized access,
resulting in the loss or compromise of classified or sensitive information.
|
V-31227 | High | Foreign National (FN) System Access - FN or Immigrant Aliens (not representing a foreign government or entity) with LAA Granted Uncontrolled Access
| Failure to verify citizenship and proper authorization for access to either sensitive or classified information could enable personnel to have access to classified or sensitive information to... |
V-32111 | High | Classified Destruction - Improper Disposal of Automated Information System (AIS) Hard Drives and Storage Media
| Failure to properly destroy classified or sensitive material can lead to the loss or compromise of classified or sensitive information.
|
V-30958 | High | Protected Distribution System (PDS) Construction - Accessible Pull Box Security
| A PDS that is not constructed and configured as required could result in the undetected interception of classified information. |
V-31268 | High | Information Security (INFOSEC) - Secure Room Storage Standards - Door Construction
| Failure to meet construction standards could result in the undetected loss or compromise of classified material. |
V-31267 | High | Information Security (INFOSEC) - Vault/Secure Room Storage Standards - Door Combination Lock Meeting Federal Specification FF-L-2740 | Failure to meet Physical Security storage standards could result in the undetected loss or compromise of classified material. |
V-31264 | High | Foreign National (FN) Administrative Controls - Proper Investigation and Clearance for Access to Classified Systems and/or Information Assurance (IA) Positions of Trust
| Failure to validate that FN partners or employees have the required security clearance levels for access to classified systems and/or the proper level of background investigation for IA Positions... |
V-32009 | High | Destruction of Classified Documents Printed from the SIPRNet Using Approved Devices on NSA Evaluated Products Lists (EPL).
| Failure to properly destroy classified material can lead to the loss or compromise of classified or NSA
sensitive information.
|
V-30942 | High | Protected Distribution System (PDS) Construction - Hardened Carrier
| A PDS that is not constructed and configured as required could result in the undetected interception of classified information. |
V-31215 | High | Foreign National (FN) Systems Access - Local Nationals Overseas System Access - (SIPRNet or Other Classified System or Classified Network being Reviewed)
| Failure to subject foreign nationals to background checks could result in the loss or compromise of
classified or sensitive information by foreign sources. |
V-32008 | High | Classified Reproduction - SIPRNet Connected Classified Multi-Functional Devices (MFD) located in Space Not Approved for Collateral Classified Open Storage.
| Classified Multi-Functional Devices (MFD) include copiers and contain hard drives that maintain classified data or images. Failure to locate these devices in spaces approved for classified open... |
V-30971 | High | Protected Distribution System (PDS) Construction - Continuously Viewed Carrier
| A PDS that is not constructed and configured as required could result in the undetected interception of classified information. A continuously viewed PDS may not be in a physically hardened... |
V-30970 | High | Protected Distribution System (PDS) Construction - External Suspended PDS
| A PDS that is not constructed and configured as required could result in the undetected interception of classified information. |
V-30973 | High | Protected Distribution System (PDS) Construction - Tactical Environment Application
| A PDS that is not constructed and configured as required could result in the undetected interception of classified information. Within mobile tactical situations a hardened carrier is not... |
V-31294 | High | Information Security (IS) - Continuous Operations Facility: Access Control Monitoring Methods
| Failure to control door access to a Continuous Operations Facility containing classified SIPRNET assets may result in immediate and potentially undetected access to classified information, with no... |
V-31292 | High | Vault/Secure Room Storage Standards - IDS Access/Secure Control Units Must be Located within the Secure Room Space
| Failure to ensure that IDS Access and Secure Control Units used to activate and deactivate alarms (primarily motion detectors) within vaults or secure rooms protecting SIPRNet assets are not... |
V-32457 | Medium | Intrusion Detection System (IDS) Monitoring Station Personnel - Suitability Checks
| Failure to subject personnel who monitor the IDS alarms to a trustworthiness determination can
result in the inadvertent or deliberate unauthorized access to, or release of classified material.
|
V-31897 | Medium | Vault/Secure Room Storage Standards - Access Control System (ACS) Transmission Line Security:
ACS Transmission lines traversing an uncontrolled area (not within at least a Secret Controlled Access Area (CAA) ) shall use line supervision and be physically protected within conduit.
| Persons not vetted to at least the same level of classification residing on the information systems being protected by the ACS could gain access to the ACS transmission line and tamper with it to... |
V-31286 | Medium | Vault/Secure Room Storage Standards - Masking of IDS Sensors Displayed at the Intrusion Detection System (IDS) Monitoirng Station
| Failure to meet standards for the display of masked alarm sensors at the IDS monitoring station could result in the location with masked or inactive sensors not being properly supervised. This... |
V-31125 | Medium | Information Assurance - KVM Switch Use of Hot-Keys on SIPRNet Connected Devices
| Use of "Hot Keys" for switching between devices relies on use of software to separate and switch between the devices. Unless software use involves an approved Cross Domain Solution (CDS) it can... |
V-31124 | Medium | Information Assurance - KVM Switch (Port Separation) on CYBEX/Avocent 4 or 8 port
| The back plate of some 4 or 8 port CYBEX/AVOCENT KVM devices provides a physical connection between adjacent ports. Therefore failure to provide for physical port separation between SIPRNet... |
V-31128 | Medium | Information Assurance - Unauthorized Wireless Devices - Portable Electronic Devices (PEDs) Used in Classified Processing Areas without Certified TEMPEST Technical Authority (CTTA) Review and Designated Accrediting Authority (DAA) Approval
| Allowing wireless devices in the vicinity of classified processing or discussion could directly result in
the loss or compromise of classified or sensitive information either intentionally or accidentally. |
V-31289 | Medium | Vault/Secure Room Storage Standards - IDS Alarm Monitoring Indicators, both audible and visual (Alarm Status) must be displayed for each sensor or alarmed zone at the monitoring station.
| Failure to meet standards for the display of audible and visual alarm indicators at the IDS monitoring station could result in an a sensor going into alarm state and not being immediately... |
V-32580 | Medium | Physical Protection of Unclassified Key System Devices/Computer Rooms in Large Processing Facilities
| Allowing access to systems processing sensitive information by personnel without the need-to-know
could permit loss, destruction of data or equipment or a denial of service. Loss could be... |
V-30993 | Medium | Industrial Security - DD Form 254
| Failure to complete a DD Form 254 (Contract Security Classification Specification) or to specify security clearance and/or IT requirements for all contracts that require access to classified... |
V-30997 | Medium | Information Assurance - COOP Plan Testing (Not in Place for MAC I II Systems or Not Considered for MAC III Systems)
| Failure to develop a COOP and test it periodically can result in the partial or total loss of operations
and INFOSEC. A contingency plan is necessary to reduce mission impact in the event of... |
V-30995 | Medium | Industrial Security - Contract Guard Vetting
| Failure to screen guards could result in employment of unsuitable personnel who are responsible
for the safety and security of DOD personnel and facilities. |
V-32138 | Medium | Security Incident/Spillage - Lack of Procedures or Training for Handling and Reporting
| Failure to report possible security compromise can result in the impact of the loss or compromise
of classified information not to be evaluated, responsibility affixed, or a plan of action... |
V-32342 | Medium | Position Sensitivity - Assignment based on Security Clearance and/or Information Technology (IT) Level on Assigned Information Systems (IS)
| Failure to designate position sensitivity could result in personnel having access to classified
information or other sensitive duties (such as privileged access to DoD Information Systems) ... |
V-32343 | Medium | Validation Procedures for Security Clearance Issuance and (Classified Systems and/or Physical) Access Granted
| Failure to verify security clearance status could result in an unauthorized person having access to a
classified information system or an authorized person being unable to perform assigned duties.
|
V-32132 | Medium | Classified Emergency Destruction Plans - Develop and Make Available
| Failure to develop emergency procedures can lead to the loss or compromise of classified or
sensitive information.
|
V-32102 | Medium | Classified Destruction - Hard Drive and Storage Media Sanitization Devices and Plans are not Available for Automated Information System (AIS) Equipment On-Hand
| Failure to properly destroy classified material can lead to the loss or compromise of classified or
sensitive information.
|
V-30980 | Medium | TEMPEST Countermeasures
| Failure to implement required TEMPEST countermeasures could leave the system(s)
vulnerable to a TEMPEST attack. |
V-30981 | Medium | TEMPEST - Red/Black separation (Processors)
| Failure to maintain proper separation could result in detectable emanations of classified information. |
V-30982 | Medium | TEMPEST - Red/Black Separation (Cables)
| Failure to maintain proper separation could result in detectable emanations of classified information. |
V-30984 | Medium | Environmental IA Controls - Emergency Lighting and Exits - Properly Installed
| Lack of automatic emergency lighting and exits can cause injury and/or death to employees and
emergency responders. Lack of automatic emergency lighting can also cause a disruption in
service. |
V-31548 | Medium | Vault/Secure Room Storage Standards - Access Control System Records Maintenance, which includes documented procedures for removal of access. | Failure to document procedures for removal of access and inadequate maintenance of access records for both active and removed persons could result in unauthorized persons having unescorted access... |
V-32477 | Medium | Intrusion Detection System (IDS) Installation and Maintenance Personnel - Suitability Checks
| Failure to subject personnel who install and maintain the IDS alarms to a trustworthiness determination can result in the inadvertent or deliberate unauthorized release of classified material.
|
V-31084 | Medium | Information Assurance - Accreditation Documentation
| Failure to provide the proper documentation can lead to a system connecting without all proper
safeguards in place, creating a threat to the networks. |
V-31908 | Medium |
Vault/Secure Room Storage Standards - Access Control System (ACS) Door Locks: Electric Strikes and/or Magnetic Locking devices used in access control systems shall be heavy duty, industrial grade and be configured to fail secure in the event of a total loss of power (primary and backup) .
| There are a variety of locking mechanisms that may be used to secure both primary and secondary doors for vaults and classified open storage areas (secure rooms). While the primary access door is... |
V-30931 | Medium | COMSEC Training - COMSEC Custodian or Hand Receipt Holder
| Lack of appropriate training for managers of COMSEC accounts could result in the mismanagement of COMSEC records, inadequate physical protection and ultimately lead to the loss or compromise of... |
V-30933 | Medium | COMSEC Training - COMSEC User
| Failure to properly brief COMSEC users could result in the loss of cryptologic devices or key, or
the compromise of classified information. |
V-31091 | Medium | Information Assurance - SIPRNET Connection Approval Process (CAP)
| Failure to provide current connection documentation to the Classified Connection Approval Office (CCAO) and allowing a system to connect and operate without a current CCAO approval can result in a... |
V-31090 | Medium | Information Assurance - NIPRNET Connection Approval (CAP)
| Failure to meet security standards and have approval before connecting to the NIPRNET can result
in a vulnerability to the DISN. |
V-31011 | Medium | Information Assurance - System Access Control Records (DD Form 2875 or equivalent)
| If accurate records of authorized users are not maintained, then unauthorized personnel could have
access to the system. Failure to have user sign an agreement may preclude disciplinary actions... |
V-31013 | Medium | Information Assurance - System Training and Certification/ IA Personnel
| Improperly trained personnel can cause serious system-wide/network-wide problems that render
a system/network unstable. |
V-32263 | Medium | Controlled Unclassified Information - Encryption of Data at Rest
| Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive
information. |
V-31082 | Medium | Information Assurance - System Training /Users
| Improperly trained personnel can cause serious system-wide/network-wide problems that render
a system/network unstable. |
V-32396 | Medium | Background Investigations - Completed based Upon IT/Position Sensitivity Levels
| Failure to investigate personnel based upon their position sensitivity could result in unauthorized
personnel having access to classified or sensitive information.
|
V-31910 | Medium | Marking Classified - Equipment, Documents or Media: In a classified operating environment, all unclassified items must be marked in addition to all classified items.
| Failure to properly mark classified material could result in the loss or compromise of classified
information. |
V-31994 | Medium | End-of-Day Checks - Organizations that process or store classified information must establish a system of security checks at the close of each duty and/or business day to ensure that any area where classified information is used or stored is secure. SF 701, Activity Security Checklist, shall be used to record such checks.
| Failure to have written guidance to provide guidance for end-of-day (EOD) checks could lead to such checks not being properly conducted. If EOD checks are not properly conducted the loss or... |
V-31996 | Medium | Classified Reproduction - Following guidance for System to Media Transfer of Data from systems connected specifically to the SIPRNet In-Accordance-With (IAW) US Cybercom CTO 10-133 .
| Failure to follow guidance for disabling removable media drives on devices connected to the SIPRNet or if approved by the local DAA failure to follow US CYBERCOM procedures for using removable... |
V-32265 | Medium | Controlled Unclassified Information - Posting Only on Web-Sites with Appropriate Encryption; not on Publicly Accessible Web-Sites.
| Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive
information.
|
V-32264 | Medium | Controlled Unclassified Information - Transmission by either Physical or Electronic Means
| Failure to handle/transmit CUI in an approved manner can result in the loss or compromise of sensitive
information.
|
V-32261 | Medium | Controlled Unclassified Information - Handling, Storage and Controlling Access to Areas where CUI is Processed or Maintained
| Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive
information.
|
V-32150 | Medium | Classification Guides Must be Available for Programs and Systems for an Organization or Site
| Failure to have proper classification guidance available for can result in the misclassification of information and ultimatley lead to the loss or compromise of classified or sensitive information.
|
V-31008 | Medium | Information Assurance - System Security Incidents (Identifying, Reporting, and Handling)
| Failure to recognize, investigate and report information systems security incidents could result in
the loss of confidentiality, integrity, and availability of the systems and its data. |
V-32180 | Medium | Controlled Unclassified Information - Document, Hard Drive and Media Disposal
| Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive
information.
|
V-31279 | Medium | Vault/Secure Room Storage Standards - IDS Performance Verification
| Failure to test IDS functionality on a periodic basis could result in undetected alarm sensor or other system failure. This in-turn could result in an undetected intrusion into a secure room ... |
V-31277 | Medium | Information Security (INFOSEC) - Secure Room Storage Standards - Structural Integrity Checks
| Failure to ensure that there is structural integrity of the physical perimeter surrounding a secure room (AKA: collateral classified open storage area) IAW DoD Manual 5200.01, Volume 3 could... |
V-32541 | Medium | Risk Assessment -Holistic Review (site/environment/information systems)
| Failure to conduct a risk analysis could result in not implementing an effective countermeasure to a
vulnerability or wasting resources on ineffective measures leading to a possible loss of... |
V-30983 | Medium | Environmental IA Controls - Emergency Power Shut-Off (EPO)
| A lack of an emergency shut-off switch or a master power switch for electricity to IT equipment
could cause damage to the equipment or injury to personnel during an emergency. |
V-31115 | Medium | Information Assurance - KVM Switch not Approved by the Defense Security Accreditation Working Group (DSAWG)
| Failure to use approved switch boxes can result in the loss or compromise of classified information.
|
V-32372 | Medium | IT Position Designation
| Failure to designate an appropriate IT level could result in an individual having access to an
information system without the required investigative and adjudicative prerequisites.
|
V-31223 | Medium | Foreign National (FN) Systems Access - Delegation of Disclosure Authority Letter (DDL)
| Unauthorized access by foreign nationals to Information Systems can result in, among other things, security incidents, compromise of the system, or the introduction of a virus.
|
V-31269 | Medium | Information Security (INFOSEC) - Secure Room Storage Standards - Perimeter Construction using Proper Permanent Construction Materials for True Ceiling, Walls and Floors.
| Failure to meet standards for ensuring that there is structural integrity of the physical Perimeter surrounding a secure room (AKA: collateral classified open storage area) could result in a lack... |
V-31263 | Medium | Foreign National (FN) Administrative Controls - Written Procedures and Employee Training
| Failure to limit access for Foreign Nationals to classified information can result in the loss or compromise of NOFORN information. Documented local policies and procedures concerning what... |
V-31210 | Medium | Foreign National System Access - Identification as FN in E-mail Address
| Unauthorized access by foreign nationals to Information Systems can result in, among other things,
security incidents, compromise of the system, or the introduction of a virus. |
V-31266 | Medium | Information Security (INFOSEC) - Safe/Vault/Secure Room Management
| Lack of adequate or Improper procedures for management of safes/vaults and secure rooms could result in the loss or compromise of classified material. |
V-31265 | Medium | Foreign National (FN) Administrative Controls - Procedures for Requests to Provide Foreign Nationals System Access
| Unauthorized access by foreign nationals to Information Systems can result in, among other things,
security incidents, compromise of the system, or the introduction of a virus.
|
V-30940 | Medium | Protected Distribution System (PDS) Construction - Visible for Inspection
| A PDS that is not inspected and monitored as required could result in undetected access, sabotage or tampering of the unencrypted transmission lines. This could directly lead to the loss or... |
V-31293 | Medium | Vault/Secure Room Storage Standards - Primary IDS Monitoring Location Outside the "Monitored" Space
| Failure to locate the alarm monitoring station at an external location; at a safe distance from the space being monitored to not be involved in any surprise attack of the alarmed space could... |
V-30949 | Medium | Protected Distribution System (PDS) Construction - Sealed Joints
| A PDS that is not constructed and sealed as required could result in the undetected interception of classified information. Sealing of joints is necessary to ensure that daily visual inspections... |
V-30976 | Medium | Protected Distribution System (PDS) Monitoring - Daily (Visual) Checks
| A PDS that is not inspected, monitored and maintained as required could result in undetected access, sabotage or tampering of the unencrypted transmission lines. This could directly lead to the... |
V-32159 | Medium | Controlled Unclassified Information (CUI) - Employee Education and Training
| Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive
information. |
V-32601 | Medium | Security-in-Depth (AKA: Defense-in-Depth) - Minimum Physical Barriers and Access Control Measures for Facilities or Buildings Containing DISN (SIPRNet/NIPRNet) Connected Assets.
| Failure to use security in-depth can result in a facility being vulnerable to an undetected intrusion or an intrusion that cannot be responded to in a timely manner - or both.
|
V-32600 | Medium | Restricted Area and Controlled Area Designation of Areas Housing Critical Information System Components or Classified /Sensitive Technology or Data
| Failure to designate the areas housing the critical information technology systems as a restricted or controlled access area may result in inadequate protection being assigned during emergency... |
V-32603 | Medium | Sensitive Item Control - Keys, Locks and Access Cards Controlling Access to Information Systems (IS) or IS Assets Connected to the DISN
| Lack of an adequate key/credential/access device control could result in unauthorized personnel gaining
access to the facility or systems with the intent to compromise classified information,... |
V-32602 | Medium | Visitor Control - To Facility or Organization with Information System Assets Connected to the DISN
| Failure to identify and control visitors could result in unauthorized personnel gaining access to the
facility with the intent to compromise classified information, steal equipment, or damage... |
V-32605 | Medium | Security and Information Assurance (IA) Staff Appointment, Training/Certification and Suitability
| Failure to formally appoint security personnel and detail responsibilities, training and other requirements in the appointment notices could result in a weaken security program due to critical... |
V-32606 | Medium | Security Training - Information Security (INFOSEC) and Information Assurance (IA) for ALL Employees; Military, Government Civilian and Contractor | Failure to provide security training to ALL employees results in a weak security program and could lead to the loss or compromise of classified or sensitive information.
V-31190 | Medium | Information Assurance - Network Connections - Physical Protection of Unclassified (NIPRNet) Network Devices such as Routers, Switches and Hubs | Unclassified (NIPRNet) network connections that are not properly protected in their physical environment are highly vulnerable to unauthorized access, resulting in the probable loss or compromise...
V-31211 | Medium | Foreign National (FN) Systems Access - Local Nationals Overseas System Access - (NIPRNet User) | Failure to subject foreign nationals to background checks could result in the loss or compromise of classified or sensitive information by foreign sources.
V-31291 | Medium | Vault/Secure Room Storage Standards - Intrusion Detection System and Access Control System (IDS/ACS) Component Tamper Protection | Failure to tamper protect IDS/ACS component enclosures and access points external to protected vaults/secure rooms space could result in the undetected modification or disabling of IDS/ACS system...
V-31290 | Medium | Vault/Secure Room Storage Standards - Intrusion Detection System (IDS) / Access Control System (ACS) Primary and Emergency Power Supply | Failure to meet standards for ensuring that there are adequate commercial and back-up power sources for IDS/ACS with uninterrupted failover to emergency power could result in a malfunction of the...
V-30979 | Medium | Protected Distribution System (PDS) Monitoring - Reporting Incidents | A PDS that is not inspected, monitored and maintained as required could result in undetected access, sabotage or tampering of the unencrypted transmission lines. This could directly lead to the...
V-31657 | Low | Vault/Secure Room Storage Standards - Access Control System Keypad Device Protection: Keypad devices designed or installed in a manner that an unauthorized person in the immediate vicinity cannot observe the selection of input numbers. | If someone were to successfully observe an authorized user's selection of numbers for their PIN at an entrance to a classified storage area or unclassified but sensitive computer room it could...
V-31129 | Low | Information Assurance - Unauthorized Wireless Devices - No Formal Policy and/or Warning Signs | Not having a wireless policy and/or warning signs at entrances could result in the unauthorized introduction of wireless devices into classified processing areas.
V-30992 | Low | Environmental IA Controls - Fire Detection and Suppression | Failure to provide adequate fire detection and suppression could result in the loss of or damage to data, equipment, facilities, or personnel.
V-30991 | Low | Environmental IA Controls - Fire Inspections/Discrepancies | Failure to conduct fire inspections and correct any discrepancies could result in hazardous situations leading to a possible fire and loss of service.
V-30990 | Low | Environmental IA Controls - Humidity | Fluctuations in humidity can be potentially harmful to personnel or equipment causing the loss of services or productivity.
V-30996 | Low | Information Assurance - System Security Operating Procedures (SOPs) | Failure to have documented procedures in an SOP could result in a security incident due to lack of knowledge by personnel assigned to the organization.
V-30994 | Low | Industrial Security - Contractor Visit Authorization Letters (VALs) | Failure to require Visit Authorization Letters (VALs) for contractor visits could result in sensitive or classified materials being released to unauthorized personnel.
V-32340 | Low | Position of Trust - Local Policy Covering Employee Personal Standards of Conduct and Responsibilities | Failure to inform personnel of the expected standards of conduct while holding a position of trust can result in conduct by the individual that will require them being removed from that position...
V-32341 | Low | Position of Trust - Training Covering Employee Standards of Conduct and Personal Responsibilities | Failure to inform personnel of the expected standards of conduct while holding a position of trust can result in conduct by the individual that will require them being removed from that position...
V-31976 | Low | Classified Working Papers are properly marked, destroyed when no longer needed, or treated as a finished document after 180 days | Failure to properly mark or handle classified documents can lead to the loss or compromise of classified or sensitive information.
V-30985 | Low | Environmental IA Controls - Emergency Lighting and Exits - Documentation and Testing | Lack of automatic emergency lighting can cause injury and/or death to employees and emergency responders. Lack of automatic emergency lighting can cause a disruption in service.
V-30988 | Low | Environmental IA Controls - Training | If employees have not received training on the environmental controls they will not be able to respond to a fluctuation of environmental conditions, which could damage equipment and ultimately...
V-30989 | Low | Environmental IA Controls - Temperature | Lack of temperature controls can lead to fluctuations in temperature which could be potentially harmful to personnel or equipment operation.
V-32482 | Low | Physical Security Program - Physical Security Plan Development and Implementation with Consideration of Information Systems Assets | Failure to have a physical security program will result in an increased risk to DoD Information Systems; including personnel, equipment, material and documents.
V-31909 | Low | Marking Classified - Local or Enclave Classified Marking Procedures must be developed to ensure employees are familiar with appropriate organization Security Classification Guides (SCG), how to obtain guidance for marking classified documents, media and equipment, and where associated forms, classified cover sheets, labels, stamps, wrapping material for classified shipment, etc. can be obtained. | Failure to properly mark classified material could result in the loss or compromise of classified information.
V-31987 | Low | Non-Disclosure Agreement - Standard Form 312: no person may have access to classified information unless that person has a security clearance in accordance with DoD 5200.2-R and has signed a Standard Form (SF) 312, Classified Information Non-Disclosure Agreement (NDA), and access is essential to the accomplishment of a lawful and authorized Government function (i.e., has a need to know). | Failure to verify clearance, need-to-know, and execute a non-disclosure agreement before granting access to classified can result in unauthorized personnel having access to classified.
V-32408 | Low | Periodic Reinvestigations - Submitted in a Timely Manner based Upon Position Sensitivity and Type of Investigation Required | Failure to subject personnel to periodic reinvestigation can result in derogatory information not being discovered on personnel having access to sensitive or classified information.
V-31989 | Low | Handling of Classified - Use of Cover Sheets on Documents Removed from Secure Storage | Failure to protect readable classified information printed from classified systems such as SIPRNet when removed from secure storage can lead to the loss or compromise of classified or sensitive...
V-31988 | Low | Handling of Classified Documents, Media, Equipment - Written Procedures for when classified material/equipment is removed from a security container and/or secure room. | Failure to develop procedures and to train employees on protection of classified when removed from storage could lead to the loss or compromise of classified or sensitive information due to a lack...
V-30928 | Low | COMSEC Account Management - Program Management and Standards Compliance | Recipients of NSA or Service COMSEC accounts are responsible to properly maintain the accounts. Procedures covering security, transport, handling, etc. of COMSEC must be developed to supplement...
V-30987 | Low | Environmental IA Controls - Voltage Control (power) | Failure to use automatic voltage control can result in damage to the IT equipment creating a service outage.
V-31243 | Low | Foreign National (FN) Physical Access Control - (Identification Badges) | Failure to limit access to information visible on system monitor screens in mixed US/FN environments can result in FN personnel having unauthorized access to classified information, which can...
V-31995 | Low | Classified Reproduction - Document Copying Procedures: This STIG Check (AKA: Vulnerability (Vul)) concerns ONLY PROCEDURES for the reproduction (copying) of classified DOCUMENTS on Multi-Functional Devices (MDF) connected to the DISN. | Lack of or improper reproduction procedures for classified material could result in the loss or compromise of classified information.
V-32156 | Low | Controlled Unclassified Information (CUI) - Local Policy Procedure | Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information.
V-31992 | Low | Classified Monitors/Displays (Procedures for Obscuration of Classified Monitors) - protection from uncleared persons or those without a need-to-know. | Failure to develop procedures and training for employees to cover responsibilities and methods for limiting the access of unauthorized personnel to classified information reflected on information...
V-30885 | Low | COMSEC Account Management - Appointment of Responsible Person | Lack of formal designation of an individual to be responsible for COMSEC items could result in mismanagement, loss or even compromise of COMSEC materials. Additionally, lack of formal vetting for... |
V-32262 | Low | Controlled Unclassified Information - Marking/Labeling Media within Unclassified Environments (Not Mixed with Classified) | Failure to mark CUI in an approved manner can result in the loss or compromise of sensitive information.
V-31004 | Low | Information Assurance - COOP Plan Testing (Incomplete) | Failure to develop a COOP and test it periodically can result in the partial or total loss of operations and INFOSEC. A contingency plan is necessary to reduce mission impact in the event of...
V-31126 | Low | Information Assurance - KVM Switch (Request for Approval) Documentation is not Available | Failure to request approval for connection of new or additional KVM devices (switch boxes) for use in switching between SIPRNet devices and unclassified devices (NIPRNet) from the Classified...
V-32425 | Low | Outprocessing Procedures for Departing or Terminated Employees (Military, Government Civilian and Contractor) | Failure to properly out-process through the security section allows the possibility of (unauthorized) continued access to the facility and/or the systems.
V-31262 | Low | Foreign National (FN) Administrative Controls - Contact Officer Appointment | Failure to provide proper oversight of Foreign National partners or employees and limit access to classified and sensitive information can result in the loss or compromise of NOFORN information.
V-32336 | Low | Position of Trust - Knowledge of Responsibility to Self Report Derogatory Information | Failure to inform personnel of the expected standards of conduct while holding a position of trust and their responsibility to self-report derogatory information to the organization security...
V-30974 | Low | Protected Distribution System (PDS) Documentation - Signed Approval | A PDS that is not approved could cause an Information Assurance Manager, Designated Approving Authority and other concerned managerial personnel to not be fully aware of all vulnerabilities and...
V-30977 | Low | Protected Distribution System (PDS) Monitoring - Technical Inspections | A PDS that is not inspected, monitored and maintained as required could result in undetected access, sabotage or tampering of the unencrypted transmission lines. This could directly lead to the...
V-32604 | Low | Physical Penetration Testing - of Facilities or Buildings Containing Information Systems (IS) Connected to the DISN | Failure to periodically test facility/building security where Information Systems (IS) connected to the DISN are present could lead to the unauthorized access of an individual into the facility... |
V-32607 | Low | Counter-Intelligence Program - Training, Procedures and Incident Reporting | Failure to establish a good working relationship with the supporting/local CI agency and lack of proper CI training for site/organization employees could result in not being informed of local...
V-31199 | Low | Foreign National System Access - Local Access Control Procedures | Unauthorized access by foreign nationals to Information Systems can result in, among other things, security incidents, compromise of the system, or the introduction of a virus.
V-30975 | Low | Protected Distribution System (PDS) Documentation - Request for Approval Documentation | A PDS that is not approved could cause an Information Assurance Manager, Designated Accrediting Authority and other concerned managerial personnel to not be fully aware of all vulnerabilities and...
V-32321 | Low | Classified Annual Review | Failure to conduct the annual review and clean out day can result in an excessive amount of classified (including IS storage media) being on hand and therefore being harder to account for,...
V-32090 | Low | Classified Destruction - Availability of Local Policy and Procedures | Failure to properly destroy classified material can lead to the loss or compromise of classified or sensitive information.
V-30978 | Low | Protected Distribution System (PDS) Monitoring - Initial Inspection | A PDS that is not inspected, monitored and maintained as required could result in undetected access, sabotage or tampering of the unencrypted transmission lines. This could directly lead to the...