
Vault/Secure Room Storage Standards - Access Control System Records Maintenance, which includes documented procedures for removal of access.


Overview

Finding ID: V-31548
Version: IS-02.02.08
Rule ID: SV-41831r2_rule
IA Controls: PECF-1, PECF-2, PEPF-1, PEPF-2
Severity: Medium
Description
Failure to document procedures for removal of access and inadequate maintenance of access records for both active and removed persons could result in unauthorized persons having unescorted access to vaults, secure rooms or collateral classified open storage areas where classified information is processed and stored.
STIG: Traditional Security
Date: 2013-07-11

Details

Check Text ( C-40276r3_chk )
Requirements Summary:

A procedure must be established for removal of an individual's authorization to enter the secure room area upon reassignment, transfer, or termination, or when the individual's access is suspended, revoked, or downgraded to a level lower than the former access level. Records shall be maintained reflecting active assignment of ID badge/card, PIN, level of access, and similar system-related records. Records concerning personnel removed from the system shall be retained for a minimum of 90 days.

CHECKS:

Check #1. Check to ensure that records reflecting active assignment of ID badge/card, PIN, level of access, and similar system-related records are maintained. (CAT II)

Check #2. Check to ensure there is a documented procedure for removal of persons from the Access Control System. (CAT III)

Check #3. Check to ensure that records concerning personnel removed from the system are retained for a minimum of 90 days. (CAT III)

TACTICAL ENVIRONMENT: This check is applicable where Vaults/Secure Rooms are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.
Fix Text (F-35460r2_fix)
1. Ensure there is a documented procedure for removal of persons from the Access Control System.

2. Ensure that records reflecting active assignment of ID badge/card, PIN, level of access, and similar system-related records are maintained.

3. Ensure that records concerning personnel removed from the system are retained for a minimum of 90 days.