Controlled Unclassified Information - Posting Only on Web-Sites with Appropriate Encryption; not on Publicly Accessible Web-Sites.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-32265	IS-16.02.06	SV-42582r2_rule	DCPA-1 EBPW-1	Medium

Description
Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information.

STIG	Date
Traditional Security	2013-07-11

Details

Check Text ( C-40776r4_chk )
Check to ensure the following standards/guidance are adhered to: 1. FOUO, PII and other CUI may NOT be posted to publicly-accessible Internet sites and may NOT be posted to sites whose access is controlled only by domain (e.g., limited to .mil and/or .gov) as such restricted access can easily be circumvented. 2. At a minimum, posting CUI to a website requires certificate-based (e.g., common access card) or password and ID access as well as encrypted transmission using https: or similar technology. CUI other than FOUO may have additional posting restrictions. 3. See Deputy Secretary of Defense Memorandum Web Site Administration, December 7, 1998, with attached Web Site Administration Policies and Procedures, November 25, 1998 for detailed guidance. TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments where procedural documents (SOPs) should be in place. Not applicable to a field/mobile environment.

Check Text ( C-40776r4_chk )

Check to ensure the following standards/guidance are adhered to:

1. FOUO, PII and other CUI may NOT be posted to publicly-accessible Internet sites and may NOT be posted to sites whose access is controlled only by domain (e.g., limited to .mil and/or .gov) as such restricted access can easily be circumvented.

2. At a minimum, posting CUI to a website requires certificate-based (e.g., common access card) or password and ID access as well as encrypted transmission using https: or similar technology. CUI other than FOUO may have additional posting restrictions.

3. See Deputy Secretary of Defense Memorandum Web Site Administration, December 7, 1998, with attached Web Site Administration Policies and Procedures, November 25, 1998 for detailed guidance.

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments where procedural documents (SOPs) should be in place. Not applicable to a field/mobile environment.

Fix Text (F-36190r2_fix)
Ensure the following standards/guidance are adhered to: 1. FOUO, PII and other CUI may NOT be posted to publicly-accessible Internet sites and may NOT be posted to sites whose access is controlled only by domain (e.g., limited to .mil and/or .gov) as such restricted access can easily be circumvented. 2. At a minimum, posting CUI to a website requires certificate-based (e.g., common access card) or password and ID access as well as encrypted transmission using https: or similar technology. CUI other than FOUO may have additional posting restrictions. 3. See Deputy Secretary of Defense Memorandum Web Site Administration, December 7, 1998, with attached Web Site Administration Policies and Procedures, November 25, 1998 for detailed guidance.

Fix Text (F-36190r2_fix)

Ensure the following standards/guidance are adhered to:

1. FOUO, PII and other CUI may NOT be posted to publicly-accessible Internet sites and may NOT be posted to sites whose access is controlled only by domain (e.g., limited to .mil and/or .gov) as such restricted access can easily be circumvented.

2. At a minimum, posting CUI to a website requires certificate-based (e.g., common access card) or password and ID access as well as encrypted transmission using https: or similar technology. CUI other than FOUO may have additional posting restrictions.

3. See Deputy Secretary of Defense Memorandum Web Site Administration, December 7, 1998, with attached Web Site Administration Policies and Procedures, November 25, 1998 for detailed guidance.