TEMPEST Countermeasures

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-30980	EM-01.02.01	SV-41024r2_rule	ECTC-1	Medium

Description
Failure to implement required TEMPEST countermeasures could leave the system(s) vulnerable to a TEMPEST attack.

STIG	Date
Traditional Security	2013-07-11

Details

Check Text ( C-39645r2_chk )
CHECKS: 1. Determine if TEMPEST countermeasures are required based on the geographical location and classification level processed. TEMPEST considerations apply to all OCONUS locations and select CONUS locations. 2. If required, ask to see a TEMPEST assessment. Verify the TEMPEST assessment was conducted by a Certified TEMPEST Technical Authority (CTTA). 3. Determine through inspection and/or interview if any required TEMPEST countermeasures are implemented. 4. TEMPEST countermeasures may or may not be feasible in a tactical environment. This can only be determined through a proper Risk Assessment, which is coordinated with a supporting CTTA for matters concerning emanations security. 5. Where required (OCONUS in particular) check to ensure an assessment of TEMPEST risk and applicability of countermeasures is included in a risk assessment and that the supporting CTTA was consulted. This process may be conducted by the Major US Combatant Command for Theater level operations rather than by individual units or location based commands. The key element to determine if this requirement is met is that any possible risk resulting from Emanations is properly considered and documented. NOTES: Where TEMPEST must be considered and although there is no finding, the reviewer should note in the report if a CTTA has conducted a TEMPEST review, the date it was completed and countermeasures recommended. Further note in the report if specific consideration for TEMPEST was provided for in the site risk assessment.

Check Text ( C-39645r2_chk )

CHECKS:
1. Determine if TEMPEST countermeasures are required based on the geographical location and classification level processed. TEMPEST considerations apply to all OCONUS locations and select CONUS locations.

2. If required, ask to see a TEMPEST assessment. Verify the TEMPEST assessment was conducted by a Certified TEMPEST Technical Authority (CTTA).

3. Determine through inspection and/or interview if any required TEMPEST countermeasures are implemented.

4. TEMPEST countermeasures may or may not be feasible in a tactical environment. This can only be determined through a proper Risk Assessment, which is coordinated with a supporting CTTA for matters concerning emanations security.

5. Where required (OCONUS in particular) check to ensure an assessment of TEMPEST risk and applicability of countermeasures is included in a risk assessment and that the supporting CTTA was consulted. This process may be conducted by the Major US Combatant Command for Theater level operations rather than by individual units or location based commands. The key element to determine if this requirement is met is that any possible risk resulting from Emanations is properly considered and documented.

NOTES: Where TEMPEST must be considered and although there is no finding, the reviewer should note in the report if a CTTA has conducted a TEMPEST review, the date it was completed and countermeasures recommended. Further note in the report if specific consideration for TEMPEST was provided for in the site risk assessment.

Fix Text (F-34791r3_fix)
1. Where TEMPEST is required to be considered a Certified TEMPEST Technical Authority (CTTA) must evaluate Emanation Security concerns and recommended countermeasures from this evaluation must be properly applied. 2. Where TEMPEST is required an assessment of TEMPEST risk and applicability of countermeasures must be included in the site risk assessment and the supporting CTTA must be consulted. NOTE: TEMPEST countermeasures are required based on the geographical location and classification level processed. TEMPEST considerations apply to all OCONUS locations and select CONUS locations.

Fix Text (F-34791r3_fix)

1. Where TEMPEST is required to be considered a Certified TEMPEST Technical Authority (CTTA) must evaluate Emanation Security concerns and recommended countermeasures from this evaluation must be properly applied.

2. Where TEMPEST is required an assessment of TEMPEST risk and applicability of countermeasures must be included in the site risk assessment and the supporting CTTA must be consulted.

NOTE: TEMPEST countermeasures are required based on the geographical location and classification level processed. TEMPEST considerations apply to all OCONUS locations and select CONUS locations.