UCF STIG Viewer Logo

Traditional Security


Overview

Date Finding Count (151)
2013-07-11 CAT I (High): 40 CAT II (Med): 70 CAT III (Low): 41
STIG Description
Previously the Traditional Security Checklist, consisted of five (5) component sub-checklists that were selected for use based upon the type of review being conducted. The new Traditional Security Checklist consolidates all checks into one document and is more granular both in the increased number of checks (151 total versus 96 total in the old checklists) and the details about how to conduct them. It provides a more complete and current list of references, the relationship and authority for checks relative to protection of Defense Information System Network (DISN) assets, and will enhance reviewer consistency with application of potential findings. While the number of potential findings have increased and are more focused to a specific check there is additional granularity within each check. In many of the primary checks there are additional considerations and "sub-checks". As the new checklist is further developed it may be that some of these sub-checks will become additional stand-alone primary checks. The format and content flow of the new checklist is like other Security Technical Implementation Guide (STIG) checklists derived from the Vulnerability Management System (VMS) database, which is used by DISA FSO, the Combatant Commands, Services, and Agencies (CC/S/A) and other Federal Agencies with access to the Defense Information Systems Network (DISN) to document and follow-up findings noted during Command Cyber Readiness Inspections (CCRIs). Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-31529 High Vault/Secure Room Storage Standards - Access Control During Working Hours Using Visual Control OR Automated ACS with PIN / Biometrics:
V-31284 High Vault/Secure Room Storage Standards - IDS Transmission Line Security
V-31127 High Information Assurance - Unauthorized Wireless Devices - Connected to the SIPRNet
V-30969 High Protected Distribution System (PDS) Construction - Buried PDS Carrier
V-33456 High Protected Distribution System (PDS) Construction - Alarmed Carrier
V-31132 High Information Assurance - Network Connections - Physical Protection of Classified Network Devices such as Routers, Switches and Hubs (SIPRNet or Other Classified Networks or Systems Being Inspected)
V-31225 High Foreign National System Access - FN or Immigrant Aliens (not representing a foreign government or entity) System Access - Limited Access Authorization (LAA)
V-31221 High Foreign National (FN) Systems Access - Local Nationals (LN) Overseas System Access - Vetting for Privileged Access
V-31549 High Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) and Intrusion Detection System (IDS) Head-End Equipment Protection: The physical location (room or area) containing AECS and IDS head-end equipment (server and/or work station/monitoring equipment) where authorization, personal identification or verification data is input, stored, or recorded and/or where system status/alarms are monitored must be physically protected.
V-30934 High Classified Transmission - Electronic Means using Cryptographic System Authorized by the Director, NSA
V-30938 High Protected Distribution System (PDS) Construction - Point of Presence (PoP) and Terminal Equipment Protection. This requirement concerns security of both the starting and ending points for PDS within proper physically protected and access controlled environments.
V-30837 High COMSEC Account Management - Equipment and Key Storage
V-31242 High Foreign National (FN) Physical Access Control - Areas Containing US Only Information Systems Workstations/Monitor Screens, Equipment, Media or Documents
V-31991 High Classified Monitors/Displays (Physical Control of Classified Monitors From Unauthorized Viewing)
V-31993 High Monitor Screens - Disable Access by CAC or Token Removal, or Lock Computer via Ctrl/Alt/Del
V-31986 High Storage/Handling of Classified Documents, Media, Equipment - must be under continuous personal protection and control of an authorized (cleared) individual OR guarded or stored in an approved locked security container (safe), vault, secure room, collateral classified open storage area or SCIF.
V-31278 High Information Security (INFOSEC) - Secure Room Storage Standards - Four (4) Hour Random Checks in Lieu of Using Intrusion Detection System (IDS)
V-31275 High Information Security (INFOSEC) - Secure Room Storage Standards - Balanced Magnetic Switch (BMS) on Perimeter Doors
V-31274 High Information Security (INFOSEC) - Secure Room Storage Standards - Intrusion Detection System (IDS)
V-31276 High Information Security (INFOSEC) - Secure Room Storage Standards - Interior Motion Detection
V-31271 High Information Security (INFOSEC) - Vault/Secure Room Storage Standards - Openings in Perimeter Exceeding 96 Square Inches
V-31270 High Information Security (INFOSEC) - Secure Room Storage Standards Wall and Ceiling Structural Integrity (AKA: True Floor to True Ceiling Connection)
V-31273 High Information Security (INFOSEC) - Vault Storage/Construction Standards
V-31272 High Information Security (INFOSEC) - Secure Room Storage Standards Windows - Accessible from the Ground Hardened Against Forced Entry and Shielded from Exterior Viewing of Classified Materials Contained within the Area.
V-31171 High Information Assurance - Network Connections - Wall Jack Security on Classified Networks (SIPRNet or other Inspected Classified Network or System) Where Port Authentication Using IEEE 802.1X IS NOT Implemented
V-31227 High Foreign National (FN) System Access - FN or Immigrant Aliens (not representing a foreign government or entity) with LAA Granted Uncontrolled Access
V-32111 High Classified Destruction - Improper Disposal of Automated Information System (AIS) Hard Drives and Storage Media
V-30958 High Protected Distribution System (PDS) Construction - Accessible Pull Box Security
V-31268 High Information Security (INFOSEC) - Secure Room Storage Standards - Door Construction
V-31267 High Information Security (INFOSEC) - Vault/Secure Room Storage Standards - Door Combination Lock Meeting Federal Specification FF-L-2740
V-31264 High Foreign National (FN) Administrative Controls - Proper Investigation and Clearance for Access to Classified Systems and/or Information Assurance (IA) Positions of Trust
V-32009 High Destruction of Classified Documents Printed from the SIPRNet Using Approved Devices on NSA Evaluated Products Lists (EPL).
V-30942 High Protected Distribution System (PDS) Construction - Hardened Carrier
V-31215 High Foreign National (FN) Systems Access - Local Nationals Overseas System Access - (SIPRNet or Other Classified System or Classified Network being Reviewed)
V-32008 High Classified Reproduction - SIPRNet Connected Classified Multi-Functional Devices (MFD) located in Space Not Approved for Collateral Classified Open Storage.
V-30971 High Protected Distribution System (PDS) Construction - Continuously Viewed Carrier
V-30970 High Protected Distribution System (PDS) Construction - External Suspended PDS
V-30973 High Protected Distribution System (PDS) Construction - Tactical Environment Application
V-31294 High Information Security (IS) - Continuous Operations Facility: Access Control Monitoring Methods
V-31292 High Vault/Secure Room Storage Standards - IDS Access/Secure Control Units Must be Located within the Secure Room Space
V-32457 Medium Intrusion Detection System (IDS) Monitoring Station Personnel - Suitability Checks
V-31897 Medium Vault/Secure Room Storage Standards - Access Control System (ACS) Transmission Line Security: ACS Transmission lines traversing an uncontrolled area (not within at least a Secret Controlled Access Area (CAA) ) shall use line supervision and be physically protected within conduit.
V-31286 Medium Vault/Secure Room Storage Standards - Masking of IDS Sensors Displayed at the Intrusion Detection System (IDS) Monitoirng Station
V-31125 Medium Information Assurance - KVM Switch Use of Hot-Keys on SIPRNet Connected Devices
V-31124 Medium Information Assurance - KVM Switch (Port Separation) on CYBEX/Avocent 4 or 8 port
V-31128 Medium Information Assurance - Unauthorized Wireless Devices - Portable Electronic Devices (PEDs) Used in Classified Processing Areas without Certified TEMPEST Technical Authority (CTTA) Review and Designated Accrediting Authority (DAA) Approval
V-31289 Medium Vault/Secure Room Storage Standards - IDS Alarm Monitoring Indicators, both audible and visual (Alarm Status) must be displayed for each sensor or alarmed zone at the monitoring station.
V-32580 Medium Physical Protection of Unclassified Key System Devices/Computer Rooms in Large Processing Facilities
V-30993 Medium Industrial Security - DD Form 254
V-30997 Medium Information Assurance - COOP Plan Testing (Not in Place for MAC I II Systems or Not Considered for MAC III Systems)
V-30995 Medium Industrial Security - Contract Guard Vetting
V-32138 Medium Security Incident/Spillage - Lack of Procedures or Training for Handling and Reporting
V-32342 Medium Position Sensitivity - Assignment based on Security Clearance and/or Information Technology (IT) Level on Assigned Information Systems (IS)
V-32343 Medium Validation Procedures for Security Clearance Issuance and (Classified Systems and/or Physical) Access Granted
V-32132 Medium Classified Emergency Destruction Plans - Develop and Make Available
V-32102 Medium Classified Destruction - Hard Drive and Storage Media Sanitization Devices and Plans are not Available for Automated Information System (AIS) Equipment On-Hand
V-30980 Medium TEMPEST Countermeasures
V-30981 Medium TEMPEST - Red/Black separation (Processors)
V-30982 Medium TEMPEST - Red/Black Separation (Cables)
V-30984 Medium Environmental IA Controls - Emergency Lighting and Exits - Properly Installed
V-31548 Medium Vault/Secure Room Storage Standards - Access Control System Records Maintenance, which includes documented procedures for removal of access.
V-32477 Medium Intrusion Detection System (IDS) Installation and Maintenance Personnel - Suitability Checks
V-31084 Medium Information Assurance - Accreditation Documentation
V-31908 Medium Vault/Secure Room Storage Standards - Access Control System (ACS) Door Locks: Electric Strikes and/or Magnetic Locking devices used in access control systems shall be heavy duty, industrial grade and be configured to fail secure in the event of a total loss of power (primary and backup) .
V-30931 Medium COMSEC Training - COMSEC Custodian or Hand Receipt Holder
V-30933 Medium COMSEC Training - COMSEC User
V-31091 Medium Information Assurance - SIPRNET Connection Approval Process (CAP)
V-31090 Medium Information Assurance - NIPRNET Connection Approval (CAP)
V-31011 Medium Information Assurance - System Access Control Records (DD Form 2875 or equivalent)
V-31013 Medium Information Assurance - System Training and Certification/ IA Personnel
V-32263 Medium Controlled Unclassified Information - Encryption of Data at Rest
V-31082 Medium Information Assurance - System Training /Users
V-32396 Medium Background Investigations - Completed based Upon IT/Position Sensitivity Levels
V-31910 Medium Marking Classified - Equipment, Documents or Media: In a classified operating environment, all unclassified items must be marked in addition to all classified items.
V-31994 Medium End-of-Day Checks - Organizations that process or store classified information must establish a system of security checks at the close of each duty and/or business day to ensure that any area where classified information is used or stored is secure. SF 701, Activity Security Checklist, shall be used to record such checks.
V-31996 Medium Classified Reproduction - Following guidance for System to Media Transfer of Data from systems connected specifically to the SIPRNet In-Accordance-With (IAW) US Cybercom CTO 10-133 .
V-32265 Medium Controlled Unclassified Information - Posting Only on Web-Sites with Appropriate Encryption; not on Publicly Accessible Web-Sites.
V-32264 Medium Controlled Unclassified Information - Transmission by either Physical or Electronic Means
V-32261 Medium Controlled Unclassified Information - Handling, Storage and Controlling Access to Areas where CUI is Processed or Maintained
V-32150 Medium Classification Guides Must be Available for Programs and Systems for an Organization or Site
V-31008 Medium Information Assurance - System Security Incidents (Identifying, Reporting, and Handling)
V-32180 Medium Controlled Unclassified Information - Document, Hard Drive and Media Disposal
V-31279 Medium Vault/Secure Room Storage Standards - IDS Performance Verification
V-31277 Medium Information Security (INFOSEC) - Secure Room Storage Standards - Structural Integrity Checks
V-32541 Medium Risk Assessment -Holistic Review (site/environment/information systems)
V-30983 Medium Environmental IA Controls - Emergency Power Shut-Off (EPO)
V-31115 Medium Information Assurance - KVM Switch not Approved by the Defense Security Accreditation Working Group (DSAWG)
V-32372 Medium IT Position Designation
V-31223 Medium Foreign National (FN) Systems Access - Delegation of Disclosure Authority Letter (DDL)
V-31269 Medium Information Security (INFOSEC) - Secure Room Storage Standards - Perimeter Construction using Proper Permanent Construction Materials for True Ceiling, Walls and Floors.
V-31263 Medium Foreign National (FN) Administrative Controls - Written Procedures and Employee Training
V-31210 Medium Foreign National System Access - Identification as FN in E-mail Address
V-31266 Medium Information Security (INFOSEC) - Safe/Vault/Secure Room Management
V-31265 Medium Foreign National (FN) Administrative Controls - Procedures for Requests to Provide Foreign Nationals System Access
V-30940 Medium Protected Distribution System (PDS) Construction - Visible for Inspection
V-31293 Medium Vault/Secure Room Storage Standards - Primary IDS Monitoring Location Outside the "Monitored" Space
V-30949 Medium Protected Distribution System (PDS) Construction - Sealed Joints
V-30976 Medium Protected Distribution System (PDS) Monitoring - Daily (Visual) Checks
V-32159 Medium Controlled Unclassified Information (CUI) - Employee Education and Training
V-32601 Medium Security-in-Depth (AKA: Defense-in-Depth) - Minimum Physical Barriers and Access Control Measures for Facilities or Buildings Containing DISN (SIPRNet/NIPRNet) Connected Assets.
V-32600 Medium Restricted Area and Controlled Area Designation of Areas Housing Critical Information System Components or Classified /Sensitive Technology or Data
V-32603 Medium Sensitive Item Control - Keys, Locks and Access Cards Controlling Access to Information Systems (IS) or IS Assets Connected to the DISN
V-32602 Medium Visitor Control - To Facility or Organization with Information System Assets Connected to the DISN
V-32605 Medium Security and Information Assurance (IA) Staff Appointment, Training/Certification and Suitability
V-32606 Medium Security Training - Information Security (INFOSEC) and Information Assurance (IA) for ALL Employees; Military, Government Civilian and Contractor
V-31190 Medium Information Assurance - Network Connections - Physical Protection of Unclassified (NIPRNet) Network Devices such as Routers, Switches and Hubs
V-31211 Medium Foreign National (FN) Systems Access - Local Nationals Overseas System Access - (NIPRNet User)
V-31291 Medium Vault/Secure Room Storage Standards - Intrusion Detection System and Access Control System (IDS/ACS) Component Tamper Protection
V-31290 Medium Vault/Secure Room Storage Standards - Intrusion Detection System (IDS) / Access Control System (ACS) Primary and Emergency Power Supply
V-30979 Medium Protected Distribution System (PDS) Monitoring - Reporting Incidents
V-31657 Low Vault/Secure Room Storage Standards - Access Control System Keypad Device Protection: Keypad devices designed or installed in a manner that an unauthorized person in the immediate vicinity cannot observe the selection of input numbers.
V-31129 Low Information Assurance - Unauthorized Wireless Devices - No Formal Policy and/or Warning Signs
V-30992 Low Environmental IA Controls - Fire Detection and Suppression
V-30991 Low Environmental IA Controls - Fire Inspections/ Discrepancies
V-30990 Low Environmental IA Controls - Humidity
V-30996 Low Information Assurance - System Security Operating Procedures (SOPs)
V-30994 Low Industrial Security - Contractor Visit Authorization Letters (VALs)
V-32340 Low Position of Trust - Local Policy Covering Employee Personal Standards of Conduct and Responsibilities
V-32341 Low Position of Trust - Training Covering Employee Standards of Conduct and Personal Responsibilities
V-31976 Low Classified Working Papers are properly marked, destroyed when no longer needed, or treated as a finished document after 180 days
V-30985 Low Environmental IA Controls - Emergency Lighting and Exits - Documentation and Testing
V-30988 Low Environmental IA Controls - Training
V-30989 Low Environmental IA Controls - Temperature
V-32482 Low Physical Security Program - Physical Security Plan Development and Implementation with Consideration of Information Systems Assets
V-31909 Low Marking Classified - Local or Enclave Classified Marking Procedures must be developed to ensure employees are familiar with appropriate organization Security Classification Guides (SCG), how to obtain guidance for marking classified documents, media and equipment, and where associated forms, classified cover sheets, labels, stamps, wrapping material for classified shipment, etc. can be obtained.
V-31987 Low Non-Disclosure Agreement - Standard Form 312: no person may have access to classified information unless that person has a security clearance in accordance with DoD 5200.2-R and has signed a Standard Form (SF) 312, Classified Information Non-Disclosure Agreement (NDA), and access is essential to the accomplishment of a lawful and authorized Government function (i.e., has a need to know).
V-32408 Low Periodic Reinvestigations - Submitted in a Timely Manner based Upon Position Sensitivity and Type of Investigation Required
V-31989 Low Handling of Classified - Use of Cover Sheets on Documents Removed from Secure Storage
V-31988 Low Handling of Classified Documents, Media, Equipment - Written Procedures for when classified material/equipment is removed from a security container and/or secure room.
V-30928 Low COMSEC Account Management - Program Management and Standards Compliance
V-30987 Low Environmental IA Controls - Voltage Control (power)
V-31243 Low Foreign National (FN) Physical Access Control - (Identification Badges)
V-31995 Low Classified Reproduction - Document Copying Procedures: This STIG Check (AKA: Vulnerability (Vul)) concerns ONLY PROCEDURES for the reproduction (copying) of classified DOCUMENTS on Multi-Functional Devices (MDF) connected to the DISN.
V-32156 Low Controlled Unclassified Information (CUI) - Local Policy Procedure
V-31992 Low Classified Monitors/Displays (Procedures for Obscuration of Classified Monitors) - protection from uncleared persons or those without a need-to-know.
V-30885 Low COMSEC Account Management - Appointment of Responsible Person
V-32262 Low Controlled Unclassified Information - Marking/Labeling Media within Unclassified Environments (Not Mixed with Classified)
V-31004 Low Information Assurance - COOP Plan Testing (Incomplete)
V-31126 Low Information Assurance - KVM Switch (Request for Approval ) Documentation is not Available
V-32425 Low Outprocessing Procedures for Departing or Terminated Employees (Military, Government Civilian and Contractor)
V-31262 Low Foreign National (FN) Administrative Controls - Contact Officer Appointment
V-32336 Low Position of Trust - Knowledge of Responsibility to Self Report Derogatory Information
V-30974 Low Protected Distribution System (PDS) Documentation - Signed Approval
V-30977 Low Protected Distribution System (PDS) Monitoring - Technical Inspections
V-32604 Low Physical Penetration Testing - of Facilities or Buildings Containing Information Systems (IS) Connected to the DISN
V-32607 Low Counter-Intelligence Program - Training, Procedures and Incident Reporting
V-31199 Low Foreign National System Access - Local Access Control Procedures
V-30975 Low Protected Distribution System (PDS) Documentation - Request for Approval Documentation
V-32321 Low Classified Annual Review
V-32090 Low Classified Destruction - Availability of Local Policy and Procedures
V-30978 Low Protected Distribution System (PDS) Monitoring - Initial Inspection