
Security-in-Depth (AKA: Defense-in-Depth) - Minimum Physical Barriers and Access Control Measures for Facilities or Buildings Containing DISN (SIPRNet/NIPRNet) Connected Assets.


Overview

Finding ID: V-32601
Version: PH-05.02.01
Rule ID: SV-42938r2_rule
IA Controls: PEPF-1, PEPF-2
Severity: Medium
Description
Failure to use security-in-depth can result in a facility being vulnerable to an undetected intrusion or an intrusion that cannot be responded to in a timely manner - or both.
STIG: Traditional Security
Date: 2013-07-11

Details

Check Text (C-41040r7_chk)
Background Information: This set of checks is intended to validate security-in-depth protection measures in place for facilities containing either Unclassified DISN assets (NIPRNet) or Classified (SIPRNet) DISN assets or both. The first two checks are specifically for Unclassified DISN facilities, while checks 3, 4, 5 and 6 are for facilities containing SIPRNet assets. Where both NIPRNet and SIPRNet assets are contained in a facility - the more stringent standards for SIPRNet will be used.

Checks:

1. Check that any facility/building housing Unclassified Information System assets connected to the DISN (such as end user NIPRNet workstations) has at least one physical barrier supplemented by any type of 24/7 access control (keyed locks, reception, guards, Access Control System, Cipher Locks, etc.).

2. Check to ensure that Unclassified Computer Rooms containing equipment connected to the DISN (located within a facility or bldg meeting the standard in #1 above) have an additional layer of physical protection and access control. This check is intended for rooms with key system assets such as servers, routers, etc., rather than end user workstations.

3. Check to ensure that every physical access point to facilities housing DISN workstations that process or display classified information is guarded or alarmed 24/7 (minimum of alarm contacts on the doors) and that intrusion alarms are properly monitored.

4. Check that two forms of identification are required to gain access to a facility housing DISN workstations that process or display classified information (e.g., key card with PIN/biometrics or two forms of picture ID presented to a guard or receptionist).

NOTE 1: Physical access points to facilities housing DISN workstations that process or display classified information, which are located on an access controlled military installation (or that employ another layer of physical barrier/access control), are not required to have an IDS alarm contact on the doors and need only one level of access control. For instance, access control to the facility using only a swipe or prox card (w/o PIN or biometrics) or a guard checking a single picture ID is acceptable.

5. Check to ensure that a visitor log is maintained for facilities or buildings containing DISN workstations that process or display classified information. Access Control System (ACS) log entries may be used to meet this requirement.

6. Where there are Information System assets stored in secure rooms (AKA: collateral classified open storage areas) that are connected to the SIPRNet - check to ensure that the senior agency official has determined in writing that security-in-depth exists.

NOTE 2: Checks number 3, 4, 5 and 6 are intended to only assess the appropriateness of physical barriers and access control measures leading to or surrounding Secure Rooms, rather than actual secure room protection measures. Classified Computer Rooms must have additional layers of physical protection and access control, which are implemented IAW Secure Room standards. Again, Secure Room standards are not covered under this check for security-in-depth. They are covered elsewhere on the checklist. To reiterate in another way: these checks are strictly for areas containing classified DISN assets that ARE NOT maintained in spaces approved for collateral classified open storage (such as secure rooms, vaults or SCIFs). Typically the type of applicable area covered by this check will be an area designated as a Secret (or possibly Top Secret) Controlled Access Area (CAA).

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments. Not applicable to a field/mobile environment.
Fix Text (F-36516r6_fix)
Background Information: This standard is intended to validate security-in-depth protection measures in place for facilities containing either Unclassified DISN assets (NIPRNet) or Classified (SIPRNet) DISN assets or both. The first two fixes are specifically for Unclassified DISN facilities, while fixes 3, 4, 5 and 6 are for facilities containing SIPRNet assets. Where both NIPRNet and SIPRNet assets are contained in a facility - the more stringent standards for SIPRNet will be used.

Checks:

1. Ensure that any facility/building housing Unclassified Information System assets connected to the DISN (such as end user NIPRNet workstations) has at least one physical barrier supplemented by any type of 24/7 access control (keyed locks, reception, guards, Access Control System, Cipher Locks, etc.).

2. Ensure that Unclassified Computer Rooms containing equipment connected to the DISN (located within a facility or bldg meeting the standard in #1 above) have an additional layer of physical protection and access control. This fix is intended for rooms with key system assets such as servers, routers, etc., rather than end user workstations.

3. Ensure that every physical access point to facilities housing DISN workstations that process or display classified information is guarded or alarmed 24/7 (minimum of alarm contacts on the doors) and that intrusion alarms are properly monitored.

4. Ensure two forms of identification are required to gain access to a facility housing DISN workstations that process or display classified information (e.g., key card with PIN/biometrics or two forms of picture ID presented to a guard or receptionist).

NOTE 1: Physical access points to facilities housing DISN workstations that process or display classified information, which are located on an access controlled military installation (or that employ another layer of physical barrier/access control), are not required to have an IDS alarm contact on the doors and need only one level of access control. For instance, access control to the facility using only a swipe or prox card (w/o PIN or biometrics) or a guard checking a single picture ID is acceptable.

5. Ensure that a visitor log is maintained for facilities or buildings containing DISN workstations that process or display classified information. Access Control System (ACS) log entries may be used to meet this requirement.

6. Where there are Information System assets stored in secure rooms (AKA: collateral classified open storage areas) that are connected to the SIPRNet - ensure that the senior agency official has determined in writing that security-in-depth exists.

NOTE 2: Fixes number 3, 4, 5 and 6 are intended to only assess the appropriateness of physical barriers and access control measures leading to or surrounding Secure Rooms, rather than actual secure room protection measures. Classified Computer Rooms must have additional layers of physical protection and access control, which are implemented IAW Secure Room standards. Again, Secure Room standards are not covered under this fix for security-in-depth. They are covered elsewhere on the checklist. To reiterate in another way: these fixes are strictly for areas containing classified DISN assets that ARE NOT maintained in spaces approved for collateral classified open storage (such as secure rooms, vaults or SCIFs). Typically the type of applicable area covered by this fix will be an area designated as a Secret (or possibly Top Secret) Controlled Access Area (CAA).