UCF STIG Viewer Logo

IT Position Designation


Overview

Finding ID Version Rule ID IA Controls Severity
V-32372 PE-04.02.01 SV-42709r2_rule ECPA-1 PRAS-1 PRAS-2 PRNK-1 Medium
Description
Failure to designate an appropriate IT level could result in an individual having access to an information system without the required investigative and adjudicative prerequisites.
STIG Date
Traditional Security 2013-07-11

Details

Check Text ( C-40820r8_chk )
Checks:
Check #1. Request to see and ensure that organization manning documents (eg., JTD) and position descriptions for Military and Government Civilians and the statement of work and/or DD 254 (Contract Security Specification) for Contractors – are available for identification of current ADP (AKA: IT position) designations.

Check #2. Check to ensure that IT position (AKA: ADP) designations are assigned to each civilian and military position or contractor employee duties contained in statements of work in which an employee has duties requiring access to a Government Information System (IS). * In most cases this will encompass 100% of all employees.

NOTE 1: Personnel Occupying Information Systems Positions Designated ADP-I, ADP-II and ADP-III. DoD military, civilian personnel, consultants, and contractor personnel performing on unclassified automated information systems may be assigned to one of three position sensitivity designations (in accordance with Appendix 10 of DoD 5200.2-R, Personnel Security Program) and MINIMALLY investigated as follows:
ADP-I (AKA: IT-1): SSBI/SBPR/PPR
ADP-II (AKA: IT-2): ANACI /NACI /NACLC/ S-PR
ADP-III (AKA: IT-3): NAC/ENTNAC
Those personnel falling in the above ADP categories who also require access to classified information will, of course, be subject to the appropriate investigative scope for the level of security clearance required. The investigative scope for clearances may exceed but not be less than that required for the designated ADP level.

Check #3. Check to ensure that employees or any persons with Privileged Access (eg.,SA, NSO or IAO) to Information Systems (IS) are in positions identified as ADP I (AKA: IT I) and that a current (5-year PR) or successfully adjudicated SSBI is on file for each incumbent of such positions.

NOTE 2: Privileged access typically provides access to the following system controls IAW Change 3, APPENDIX 1 of the DoD 8570.01-M:
- Access to the control functions of the information system/network, administration of user accounts, etc.
- Access to change control parameters (e.g., routing tables, path priorities, addresses) of routers, multiplexers, and other key information system/network equipment or software.
- Ability and authority to control and change program files, and other users’ access to data.
- Direct access to operating system level functions (also called unmediated access) that would permit system controls to be bypassed or changed.
- Access and authority for installing, configuring, monitoring, or troubleshooting the security monitoring functions of information systems/networks (e.g., network/system analyzers; intrusion detection software; firewalls) or in performance of cyber/network defense operations.

NOTE 3: Certain employees with very limited AND "supervised" privileged access on IS may be in positions designated as IT II and all basic system users should be in positions designated as IT III.

NOTE 4: All designated IA Positions IAW DoD 8570.01-M (IAT Levels I-III or IAM Levels I-III) must be checked, time permitting. Random checks of all other site personnel records should be made.

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments and is also applicable to a field/mobile environment.
Fix Text (F-36294r2_fix)
Fixes:

Ensure that organization manning documents (eg., JTD) and position descriptions for Military and Government Civilians and the statement of work and/or DD 254 (Contract Security Specification) for Contractors – are available for identification of current ADP (AKA: IT position) designations.

Ensure that IT position (AKA: ADP) designations are assigned to each civilian and military position or contractor employee duties contained in statements of work in which an employee has duties requiring access to a Government Information System (IS). * In most cases this will encompass 100% of all employees.

NOTE 1: Personnel Occupying Information Systems Positions Designated ADP-I, ADP-II and ADP-III. DoD military, civilian personnel, consultants, and contractor personnel performing on unclassified automated information systems may be assigned to one of three position sensitivity designations (in accordance with Appendix 10 of DoD 5200.2-R, Personnel Security Program) and MINIMALLY investigated as follows:
ADP-I (AKA: IT-1): SSBI/SBPR/PPR
ADP-II (AKA: IT-2): ANACI /NACI /NACLC/ S-PR
ADP-III (AKA: IT-3): NAC/ENTNAC
Those personnel falling in the above ADP categories who also require access to classified information will, of course, be subject to the appropriate investigative scope for the level of security clearance required. The investigative scope for clearances may exceed but not be less than that required for the designated ADP level.

Ensure that employees or any persons with Privileged Access (eg.,SA, NSO or IAO) to Information Systems (IS) are in positions identified as ADP I (AKA: IT I) and that a current (5-year PR) or successfully adjudicated SSBI is on file for each incumbent of such positions.

NOTE 2: Privileged access typically provides access to the following system controls IAW Change 3, APPENDIX 1 of the DoD 8570.01-M:
- Access to the control functions of the information system/network, administration of user accounts, etc.
- Access to change control parameters (e.g., routing tables, path priorities, addresses) of routers, multiplexers, and other key information system/network equipment or software.
- Ability and authority to control and change program files, and other users’ access to data.
- Direct access to operating system level functions (also called unmediated access) that would permit system controls to be bypassed or changed.
- Access and authority for installing, configuring, monitoring, or troubleshooting the security monitoring functions of information systems/networks (e.g., network/system analyzers; intrusion detection software; firewalls) or in performance of cyber/network defense operations.

NOTE 3: Certain employees with very limited AND supervised privileged access on IS may be in positions designated as IT II and all basic system users should be in positions designated as IT III.