Controlled Unclassified Information - Handling, Storage and Controlling Access to Areas where CUI is Processed or Maintained

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-32261	IS-16.02.03	SV-42578r2_rule	DCSS-2 PECF-1 PEPF-1 PESP-1 PESS-1 PRAS-1	Medium

Description
Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information.

STIG	Date
Traditional Security	2013-07-11

Details

Check Text ( C-40771r5_chk )
General Guidance: Standards of protection for most types of CUI are the same as for FOUO but some variance does exist. Therefore, specific requirements for certain CUI may need to be checked against applicable references to ensure proper protection is afforded. The checks are applicable to all forms of CUI: documents, AIS hard drives and storage media. Checks: For most CUI and FOUO specifically check to ensure the following standards are met: Check #1. During working hours, reasonable steps shall be taken to minimize the risk of access by unauthorized personnel. This would include things like placing cover sheets on FOUO documents and allowing unescorted access to areas where CUI (documents and AIS storage media) is processed/handled to only those persons with at least a favorably adjudicated National Agency Check (NAC). Check #2. After working hours, FOUO information (documents and removable media) may be stored in unlocked containers, desks, or cabinets if Government or Government-contract building security is provided. If such building security is not provided or is deemed inadequate, the information (documents and removable media) shall be stored in locked desks, file cabinets, bookcases, locked rooms, etc. In all cases FOUO and other CUI documents must be placed out of sight during non-working hours. While not required, recommending implementation of a clean desk policy would be appropriate. Check #3. Unescorted access to computer rooms or areas containing major items of AIS equipment processing CUI information (servers and network components) should only be granted to persons with at least a favorable NAC. All others should be physically escorted. Access control measures such as reception personnel, guards, keyed locks, cipher locks or automted access control systems may be used to control access to such areas. TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments where procedural documents (SOPs) should be in place. Not applicable to a field/mobile environment.

Check Text ( C-40771r5_chk )

General Guidance:

Standards of protection for most types of CUI are the same as for FOUO but some variance does exist. Therefore, specific requirements for certain CUI may need to be checked against applicable references to ensure proper protection is afforded. The checks are applicable to all forms of CUI: documents, AIS hard drives and storage media.

Checks:

For most CUI and FOUO specifically check to ensure the following standards are met:

Check #1. During working hours, reasonable steps shall be taken to minimize the risk of access by unauthorized personnel. This would include things like placing cover sheets on FOUO documents and allowing unescorted access to areas where CUI (documents and AIS storage media) is processed/handled to only those persons with at least a favorably adjudicated National Agency Check (NAC).

Check #2. After working hours, FOUO information (documents and removable media) may be stored in unlocked containers, desks, or cabinets if Government or Government-contract building security is provided. If such building security is not provided or is deemed inadequate, the information (documents and removable media) shall be stored in locked desks, file cabinets, bookcases, locked rooms, etc. In all cases FOUO and other CUI documents must be placed out of sight during non-working hours. While not required, recommending implementation of a clean desk policy would be appropriate.

Check #3. Unescorted access to computer rooms or areas containing major items of AIS equipment processing CUI information (servers and network components) should only be granted to persons with at least a favorable NAC. All others should be physically escorted. Access control measures such as reception personnel, guards, keyed locks, cipher locks or automted access control systems may be used to control access to such areas.

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments where procedural documents (SOPs) should be in place. Not applicable to a field/mobile environment.

Fix Text (F-36186r4_fix)
General Guidance: Standards of protection for most types of CUI are the same as for FOUO but some variance does exist. Therefore, specific requirements for certain CUI may need to be checked against applicable references to ensure proper protection is afforded. The fixes are applicable to all forms of CUI: documents, AIS hard drives and storage media. Fixes applicable for FOUO: For most CUI and FOUO specifically ensure the following standards are met: 1. During working hours, reasonable steps shall be taken to minimize the risk of access by unauthorized personnel. This would include things like placing cover sheets on FOUO documents and allowing unescorted access to areas where CUI (documents and AIS storage media) is processed/handled to only those persons with at least a favorably adjudicated National Agency CHeck (NAC). 2. After working hours, FOUO information (documents and AIS storage media) may be stored in unlocked containers, desks, or cabinets if Government or Government-contract building security is provided. If such building security is not provided or is deemed inadequate, the information (documents and AIS storage media) shall be stored in locked desks, file cabinets, bookcases, locked rooms, etc. In all cases FOUO and other CUI must be placed out of sight during non-working hours. While not required, implementation of a clean desk policy would be a good idea. 3. Unescorted access to computer rooms or areas containing major items of AIS equipment processing CUI information (servers and network components) should only be granted to persons with at least a favorable NAC. All others should be physically escorted. Access control measures such as reception personnel, guards, keyed locks, cipher locks or automted access control systems may be used to control access to such areas.

Fix Text (F-36186r4_fix)

General Guidance:

Standards of protection for most types of CUI are the same as for FOUO but some variance does exist. Therefore, specific requirements for certain CUI may need to be checked against applicable references to ensure proper protection is afforded. The fixes are applicable to all forms of CUI: documents, AIS hard drives and storage media.

Fixes applicable for FOUO:

For most CUI and FOUO specifically ensure the following standards are met:

1. During working hours, reasonable steps shall be taken to minimize the risk of access by unauthorized personnel. This would include things like placing cover sheets on FOUO documents and allowing unescorted access to areas where CUI (documents and AIS storage media) is processed/handled to only those persons with at least a favorably adjudicated National Agency CHeck (NAC).

2. After working hours, FOUO information (documents and AIS storage media) may be stored in unlocked containers, desks, or cabinets if Government or Government-contract building security is provided. If such building security is not provided or is deemed inadequate, the information (documents and AIS storage media) shall be stored in locked desks, file cabinets, bookcases, locked rooms, etc. In all cases FOUO and other CUI must be placed out of sight during non-working hours. While not required, implementation of a clean desk policy would be a good idea.

3. Unescorted access to computer rooms or areas containing major items of AIS equipment processing CUI information (servers and network components) should only be granted to persons with at least a favorable NAC. All others should be physically escorted. Access control measures such as reception personnel, guards, keyed locks, cipher locks or automted access control systems may be used to control access to such areas.