Position Sensitivity - Assignment based on Security Clearance and/or Information Technology (IT) Level on Assigned Information Systems (IS)

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-32342	PE-02.02.01	SV-42679r2_rule	PECF-1 PECF-2 PRAS-1 PRAS-2 PRNK-1	Medium

Description
Failure to designate position sensitivity could result in personnel having access to classified information or other sensitive duties (such as privileged access to DoD Information Systems) without the required investigative and adjudicative prerequisites

STIG	Date
Traditional Security	2013-07-11

Details

Check Text ( C-40791r6_chk )
Background Information: All positions (military and civilian) must be categorized as either nonsensitive, noncritical-sensitive, or critical-sensitive based on security clearance and/or ADP (AKA: IT) position requirements. The type of background investigation (eg, SSBI, NACI) applicable to the position is based upon the designated position sensitivity. While Contractor personnel are not assigned to positions within DoD organizations, the type of investigation and security clearance requirements for each type or category of work must be detailed in the applicable Statement of Work and/or DD Form 254 (Contract Security Specification). Users of DoD Information Systems (IS) are either privileged users (e.g., system administrators) or general users (e.g., non-IS associated system users). Checks: Check #1. Review organizational manning records that indicate the position sensitivity of all employees and randomly select/review positions for the correct Information Technology (IT) sensitivity level (AKA: Automated Data Processing (ADP) sensitivity level) and security clearance requirement. *Ensure that the position sensitivity level is correct based on the clearance and IT level. Check #2. For general users (non-privileged access) of information systems: Check to ensure they meet the minimum standards, criteria, and guidelines for access to controlled unclassified and classified information, as follows: a. Prior to being granted access to the NIPRNET, U.S. military, government civilian, and contractor personnel must minimally have a favorably completed NAC and a Common Access Card (CAC) with PKI Certificates issued. For government civilians a NAC plus Written Inquiries (NACI) must have been requested. b. At a minimum prior to being granted access to the SIPRNET, U.S. military, government civilian, and contractor personnel must have a favorably completed NAC and have been granted an interim SECRET clearance. c. Foreign nationals must meet standards, criteria, and guidelines for access to controlled unclassified and classified information IAW DoD Manual 5200.01, DoD 5200.2-R, CJCSI 6510.01F and National Disclosure Policy. Check #3. For privileged users (eg, SA, IAO, NSO): Check to ensure that privileged users if military or government civilian are in critical sensitive positions and have a successfully adjudicated SSBI with 5-year periodic reviews. Contractors performing work in priviledged IS roles must also undergo sucessful SSBIs with 5-year reviews. Privileged users must undergo an SSBI regardless of of the security clearance level required (eg, even if no clearance or only Confidential or Secret is required). Foreign Nationals or Local Nationals employed by DoD ARE NOT AUTHORIZED to have (IT-I) privileged access to US Information Systems. TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments and is also applicable to a field/mobile environment.

Check Text ( C-40791r6_chk )

Background Information:

All positions (military and civilian) must be categorized as either nonsensitive, noncritical-sensitive, or critical-sensitive based on security clearance and/or ADP (AKA: IT) position requirements.

The type of background investigation (eg, SSBI, NACI) applicable to the position is based upon the designated position sensitivity.

While Contractor personnel are not assigned to positions within DoD organizations, the type of investigation and security clearance requirements for each type or category of work must be detailed in the applicable Statement of Work and/or DD Form 254 (Contract Security Specification).

Users of DoD Information Systems (IS) are either privileged users (e.g., system administrators) or general users (e.g., non-IS associated system users).

Checks:

Check #1. Review organizational manning records that indicate the position sensitivity of all employees and randomly select/review positions for the correct Information Technology (IT) sensitivity level (AKA: Automated Data Processing (ADP) sensitivity level) and security clearance requirement. *Ensure that the position sensitivity level is correct based on the clearance and IT level.

Check #2. For general users (non-privileged access) of information systems: Check to ensure they meet the minimum standards, criteria, and guidelines for access to controlled unclassified and classified information, as follows:

a. Prior to being granted access to the NIPRNET, U.S. military, government civilian, and contractor personnel must minimally have a favorably completed NAC and a Common Access Card (CAC) with PKI Certificates issued. For government civilians a NAC plus Written Inquiries (NACI) must have been requested.

b. At a minimum prior to being granted access to the SIPRNET, U.S. military, government civilian, and contractor personnel must have a favorably completed NAC and have been granted an interim SECRET clearance.

c. Foreign nationals must meet standards, criteria, and guidelines for access to controlled unclassified and classified information IAW DoD Manual 5200.01, DoD 5200.2-R, CJCSI 6510.01F and National Disclosure Policy.

Check #3. For privileged users (eg, SA, IAO, NSO): Check to ensure that privileged users if military or government civilian are in critical sensitive positions and have a successfully adjudicated SSBI with 5-year periodic reviews. Contractors performing work in priviledged IS roles must also undergo sucessful SSBIs with 5-year reviews. Privileged users must undergo an SSBI regardless of of the security clearance level required (eg, even if no clearance or only Confidential or Secret is required). Foreign Nationals or Local Nationals employed by DoD ARE NOT AUTHORIZED to have (IT-I) privileged access to US Information Systems.

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments and is also applicable to a field/mobile environment.

Fix Text (F-36255r3_fix)
Background Information: All positions (military and civilian) must be categorized as either nonsensitive, noncritical-sensitive, or critical-sensitive based on security clearance and/or ADP (AKA: IT) position requirements. The type of background investigation (eg, SSBI, NACI) applicable to the position is based upon the designated position sensitivity. While Contractor personnel are not assigned to positions within DoD organizations, the type of investigation and security clearance requirements for each type or category of work must be detailed in the applicable Statement of Work and/or DD Form 254 (Contract Security Specification). Users of DoD Information Systems (IS) are either privileged users (e.g., system administrators) or general users (e.g., non-IS associated system users). Fixes: Fix #1. Review organizational manning records that indicate the position sensitivity of all employees and review all positions for the correct Information Technology (IT) sensitivity level (AKA: Automated Data Processing (ADP) sensitivity level) and security clearance requirement. *Ensure that the position sensitivity level is correct based on the clearance and IT level. Fix #2. For general users (non-privileged access) of information systems: Ensure they meet the minimum standards, criteria, and guidelines for access to controlled unclassified and classified information, as follows: a. Prior to being granted access to the NIPRNET, U.S. military, government civilian, and contractor personnel must minimally have a favorably completed NAC and a Common Access Card (CAC) with PKI Certificates issued. For government civilians a NAC plus Written Inquiries (NACI) must have been requested. b. At a minimum prior to being granted access to the SIPRNET, U.S. military, government civilian, and contractor personnel must have a favorably completed NAC and have been granted an interim SECRET clearance. c. Foreign nationals must meet standards, criteria, and guidelines for access to controlled unclassified and classified information IAW DoD Manual 5200.01, DoD 5200.2-R, CJCSI 6510.01F and National Disclosure Policy. Fix #3. For privileged users (eg, SA, IAO, NSO): Ensure that privileged users if military or government civilian are in critical sensitive positions and have a successfully adjudicated SSBI with 5-year periodic reviews. Contractors performing work in priviledged IS roles must also undergo sucessful SSBIs with 5-year reviews. Privileged users must undergo an SSBI regardless of of the security clearance level required (eg, even if no clearance or only Confidential or Secret is required). Foreign Nationals or Local Nationals employed by DoD ARE NOT AUTHORIZED to have (IT-I) privileged access to US Information Systems.

Fix Text (F-36255r3_fix)

Background Information:

All positions (military and civilian) must be categorized as either nonsensitive, noncritical-sensitive, or critical-sensitive based on security clearance and/or ADP (AKA: IT) position requirements.

The type of background investigation (eg, SSBI, NACI) applicable to the position is based upon the designated position sensitivity.

While Contractor personnel are not assigned to positions within DoD organizations, the type of investigation and security clearance requirements for each type or category of work must be detailed in the applicable Statement of Work and/or DD Form 254 (Contract Security Specification).

Users of DoD Information Systems (IS) are either privileged users (e.g., system administrators) or general users (e.g., non-IS associated system users).

Fixes:

Fix #1. Review organizational manning records that indicate the position sensitivity of all employees and review all positions for the correct Information Technology (IT) sensitivity level (AKA: Automated Data Processing (ADP) sensitivity level) and security clearance requirement. *Ensure that the position sensitivity level is correct based on the clearance and IT level.

Fix #2. For general users (non-privileged access) of information systems: Ensure they meet the minimum standards, criteria, and guidelines for access to controlled unclassified and classified information, as follows:

a. Prior to being granted access to the NIPRNET, U.S. military, government civilian, and contractor personnel must minimally have a favorably completed NAC and a Common Access Card (CAC) with PKI Certificates issued. For government civilians a NAC plus Written Inquiries (NACI) must have been requested.

b. At a minimum prior to being granted access to the SIPRNET, U.S. military, government civilian, and contractor personnel must have a favorably completed NAC and have been granted an interim SECRET clearance.

c. Foreign nationals must meet standards, criteria, and guidelines for access to controlled unclassified and classified information IAW DoD Manual 5200.01, DoD 5200.2-R, CJCSI 6510.01F and National Disclosure Policy.

Fix #3. For privileged users (eg, SA, IAO, NSO): Ensure that privileged users if military or government civilian are in critical sensitive positions and have a successfully adjudicated SSBI with 5-year periodic reviews. Contractors performing work in priviledged IS roles must also undergo sucessful SSBIs with 5-year reviews. Privileged users must undergo an SSBI regardless of of the security clearance level required (eg, even if no clearance or only Confidential or Secret is required). Foreign Nationals or Local Nationals employed by DoD ARE NOT AUTHORIZED to have (IT-I) privileged access to US Information Systems.