Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-32482 | PH-01.03.01 | SV-42819r2_rule | PECF-1 PECF-2 PEPF-1 PEPF-2 PESP-1 PESS-1 | Low |
Description |
---|
Failure to have a physical security program will result in an increased risk to DoD Information Systems; including personnel, equipment, material and documents. |
STIG | Date |
---|---|
Traditional Security | 2013-07-11 |
Check Text ( C-40923r2_chk ) |
---|
Checks: 1. Check to ensure there is a Physical Security Plan, either an organizational/site OR a base/installation security plan in which the the site is considered. NOTE 1: If it is a higher level installation or base plan ensure it addresses security concerns/procedures for the inspected organization or site. Ideally, a local site or organization should always be included in the host installation security plan. If not, then a local (site/organization) plan is specifically required. 2. Check to ensure security requirements of the computer room(s) and open storage areas are addressed and that guidance is provided to counter threats during peacetime, transition to war, and in wartime. 3. Check to ensure the plan also addresses entry/access control procedures for the facility overall and for specific/individual computer rooms or other areas housing network equipment (routers/crypto/switches, etc.). 4. Check to ensure that access control procedures and requirements for various categories of persons expected to access the facility (such as employees, visitors, vendors, facility maintenance, and foreign nationals) are covered. NOTE 2: To be complete the plan should specifically address access control of vendors (ie., vending machine deliveries), cleaning and food service personnel, cleared versus uncleared visitors, foreign national (FN) visitors, FN employees (OCONUS SOFA, liaison, exchange and REL partners). 5. Finally check to ensure the plan addresses security measures and response (Emergency Planning Measures) to include application of Force Protection Conditions, anti-terrorism planning and measures, civil disturbances, natural disasters, crime and any other possible local disruptions of the mission. A thorough plan will include measures designed to detect, delay, assess and respond to intrusions and other emergency situations. NOTE 3: If the plan or any of the critical elements of the plan (everything mentioned here) applicable to the specific site are missing this should be written as a finding. TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments where procedural documents (SOPs) should be in place. Not applicable to a field/mobile environment. |
Fix Text (F-36407r1_fix) |
---|
Fixes: 1. Ensure there is a Physical Security Plan, either an organizational/site OR a base/installation security plan in which the the site is considered. NOTE 1: If it is a higher level installation or base plan ensure it addresses security concerns/procedures for the inspected organization or site. Ideally, a local site or organization should always be included in the host installation security plan. If not, then a local (site/organization) plan is specifically required. 2. Ensure security requirements of the computer room(s) and open storage areas are addressed and that guidance is provided to counter threats during peacetime, transition to war, and in wartime. 3. Ensure the plan also addresses entry/access control procedures for the facility overall and for specific/individual computer rooms or other areas housing network equipment (routers/crypto/switches, etc.). 4. Ensure that access control procedures and requirements for various categories of persons expected to access the facility (such as employees, visitors, vendors, facility maintenance, and foreign nationals) are covered. NOTE 2: To be complete the plan should specifically address access control of vendors (ie., vending machine deliveries), cleaning and food service personnel, cleared versus uncleared visitors, foreign national (FN) visitors, FN employees (OCONUS SOFA, liaison, exchange and REL partners). 5. Finally, ensure the plan addresses security measures and response (Emergency Planning Measures) to include application of Force Protection Conditions, anti-terrorism planning and measures, civil disturbances, natural disasters, crime and any other possible local disruptions of the mission. A thorough plan will include measures designed to detect, delay, assess and respond to intrusions and other emergency situations. |