UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Traditional Security Checklist


Overview

Date Finding Count (152)
2020-08-26 CAT I (High): 40 CAT II (Med): 71 CAT III (Low): 41
STIG Description
Summary of Changes: This third release of the Traditional Security Checklist provides updates to all existing rules using the identical rule format from Version 1, Release 2. The framework of the previous rules has not been altered. Hence, the content and flow of the checklist does not change significantly. For instance, most of the rule titles remain unchanged; however, individual checks and fixes (AKA: requirements) have been modified to incorporate changes in supporting/referenced Federal or DoD-level publications. Additionally, some checks and fixes have been modified to remedy problems or incorporate recommendations received from Command Cyber Readiness Inspection (CCRI) reviewers and/or organizational customers via the STIG Customer Support issue resolution system. A few rule titles were modified to more accurately reflect the intent of the requirements being evaluated by the rule. Default severity levels for each rule remain unchanged. There is only one new rule, increasing the total from 151 to 152 rules. The added rule is: Rule Title: Environmental IA Controls - Emergency Power, STIG ID: EC-03.03.02, Rule ID: SV-6119r1_rule, Vuln ID: V-61629, Severity: CAT II. For more details on revisions in Version 1, Release 3, see the accompanying Summary of Changes document.

Available Profiles



Findings (MAC I - Mission Critical Public)

Finding ID Severity Title
V-31529 High Vault/Secure Room Storage Standards - Access Control During Working Hours Using Visual Control OR Automated Entry Control System (AECS) with PIN / Biometrics
V-31284 High Vault/Secure Room Storage Standards - IDS Transmission Line Security
V-31127 High Information Assurance - Classified Portable Electronic Devices (PEDs) Connected to the SIPRNet must be Authorized, Compliant with NSA Guidelines, and be Configured for Data at Rest (DAR) Protection
V-30969 High Protected Distribution System (PDS) Construction - Buried PDS Carrier
V-33456 High Protected Distribution System (PDS) Construction - Alarmed Carrier
V-31132 High Information Assurance - Network Connections - Physical Protection of Network Devices such as Routers, Switches and Hubs (Connected to SIPRNet or Other Classified Networks or Systems Being Inspected)
V-31225 High Foreign National System Access - FN or Immigrant Aliens (not representing a foreign government or entity) System Access - Limited Access Authorization (LAA)
V-31221 High Foreign National (FN) Systems Access - Local Nationals (LN) Overseas System Access - Vetting for Privileged Access
V-31549 High Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) and Intrusion Detection System (IDS) Head-End Equipment Protection: The physical location (room or area) containing AECS and IDS head-end equipment (server and/or work station/monitoring equipment) where authorization, personal identification or verification data is input, stored, or recorded and/or where system status/alarms are monitored must be physically protected.
V-30934 High Classified Transmission - Electronic Means using Cryptographic System Authorized by the Director, NSA
V-30938 High Protected Distribution System (PDS) Construction - Point of Presence (PoP) and Terminal Equipment Protection. This requirement concerns security of both the starting and ending points for PDS within proper physically protected and access controlled environments.
V-30837 High COMSEC Account Management - Equipment and Key Storage
V-31242 High Foreign National (FN) Physical Access Control - Areas Containing US Only Information Systems Workstations/Monitor Screens, Equipment, Media or Documents
V-31991 High Classified Monitors/Displays (Physical Control of Classified Monitors From Unauthorized Viewing)
V-31993 High Monitor Screens - Disable Access by CAC or Token Removal, or Lock Computer via Ctrl/Alt/Del
V-31986 High Storage/Handling of Classified Documents, Media, Equipment - must be under continuous personal protection and control of an authorized (cleared) individual OR guarded or stored in an approved locked security container (safe), vault, secure room, collateral classified open storage area or SCIF.
V-31278 High Information Security (INFOSEC) - Secure Room Storage Standards - Four (4) Hour Random Checks in Lieu of Using Intrusion Detection System (IDS)
V-31275 High Information Security (INFOSEC) - Secure Room Storage Standards - Balanced Magnetic Switch (BMS) on Perimeter Doors
V-31274 High Information Security (INFOSEC) - Secure Room Storage Standards - Intrusion Detection System (IDS)
V-31276 High Information Security (INFOSEC) - Secure Room Storage Standards - Interior Motion Detection
V-31271 High Information Security (INFOSEC) - Vault/Secure Room Storage Standards - Openings in Perimeter Exceeding 96 Square Inches
V-31270 High Information Security (INFOSEC) - Secure Room Storage Standards Wall and Ceiling Structural Integrity (AKA: True Floor to True Ceiling Connection)
V-31273 High Information Security (INFOSEC) - Vault Storage/Construction Standards
V-31272 High Information Security (INFOSEC) - Secure Room Storage Standards Windows - Accessible from the Ground Hardened Against Forced Entry and Shielded from Exterior Viewing of Classified Materials Contained within the Area.
V-31171 High Information Assurance - Network Connections - Wall Jack Security on Classified Networks (SIPRNet or other Inspected Classified Network or System) Where Port Authentication Using IEEE 802.1X IS NOT Implemented
V-31227 High Foreign National (FN) System Access - FN or Immigrant Aliens (not representing a foreign government or entity) with LAA Granted Uncontrolled Access
V-32111 High Classified Material Destruction - Improper Disposal of Automated Information System (AIS) Hard Drives and Storage Media
V-30958 High Protected Distribution System (PDS) Construction - Pull Box Security
V-31268 High Information Security (INFOSEC) - Secure Room Storage Standards - Door Construction
V-31267 High Information Security (INFOSEC) - Vault/Secure Room Storage Standards - Door Combination Lock Meeting Federal Specification FF-L-2740
V-31264 High Foreign National (FN) Administrative Controls - Proper Investigation and Clearance for Access to Classified Systems and/or Information Assurance (IA) Positions of Trust
V-32009 High Destruction of Classified Documents Printed from the SIPRNet Using Approved Devices on NSA Evaluated Products Lists (EPL).
V-30942 High Protected Distribution System (PDS) Construction - Hardened Carrier
V-31215 High Foreign National (FN) Systems Access - Local Nationals Overseas System Access - (SIPRNet or Other Classified System or Classified Network being Reviewed)
V-32008 High Classified Reproduction - SIPRNet Connected Classified Multi-Functional Devices (MFD) located in Space Not Approved for Collateral Classified Open Storage.
V-30971 High Protected Distribution System (PDS) Construction - Continuously Viewed Carrier
V-30970 High Protected Distribution System (PDS) Construction - External Suspended PDS
V-30973 High Protected Distribution System (PDS) Construction - Tactical Environment Application
V-31294 High Information Security (IS) - Continuous Operations Facility: Access Control Monitoring Methods
V-31292 High Vault/Secure Room Storage Standards - IDS Access/Secure Control Units Must be Located within the Secure Room Space
V-32457 Medium Intrusion Detection System (IDS) Monitoring Station Personnel - Suitability Checks
V-31897 Medium Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Transmission Line Security: AECS Transmission lines traversing an uncontrolled area (not within at least a Secret Controlled Access Area (CAA) ) shall use line supervision OR Electrical, mechanical, or electromechanical access control devices, which do not constitute an AECS that are used to control access during duty hours must have all electrical components, that traverse outside minimally a Secret Controlled Access Area (CAA), secured within conduit.
V-31286 Medium Vault/Secure Room Storage Standards - Masking of IDS Sensors Displayed at the Intrusion Detection System (IDS) Monitoring Station
V-31125 Medium Information Assurance - KVM Switch Use of Hot-Keys on SIPRNet Connected Devices
V-31124 Medium Information Assurance - KVM Switch (Port Separation) on CYBEX/Avocent 4 or 8 port
V-31128 Medium Information Assurance - Unauthorized Wireless Devices - Portable Electronic Devices (PEDs) Used in Classified Processing Areas without Certified TEMPEST Technical Authority (CTTA) Review and Authorizing Official (AO) Approval.
V-31289 Medium Vault/Secure Room Storage Standards - IDS Alarm Monitoring Indicators, both audible and visual (Alarm Status) must be displayed for each sensor or alarmed zone at the monitoring station.
V-32580 Medium Physical Protection of Unclassified Key System Devices/Computer Rooms in Large Processing Facilities
V-30993 Medium Industrial Security - DD Form 254
V-30997 Medium Information Assurance - COOP Plan and Testing (Not in Place for Information Technology Systems or Not Considered in the organizational Holistic Risk Assessment)
V-30995 Medium Industrial Security - Contract Guard Vetting
V-32138 Medium Security Incident/Spillage - Lack of Procedures or Training for Handling and Reporting
V-32342 Medium Position Sensitivity - Based on Security Clearance and/or Information Technology (IT) Systems Access Level or Responsibility for Security Oversight on Assigned Information Systems (IS)
V-32343 Medium Validation Procedures for Security Clearance Issuance (Classified Systems and/or Physical Access Granted)
V-32132 Medium Classified Emergency Destruction Plans - Develop and Make Available
V-32102 Medium Classified Destruction - Hard Drive and Storage Media Sanitization Devices and Plans are not Available for disposal of Automated Information System (AIS) Equipment On-Hand
V-61629 Medium Environmental IA Controls - Emergency Power
V-30980 Medium TEMPEST Countermeasures
V-30981 Medium TEMPEST - Red/Black separation (Processors)
V-30982 Medium TEMPEST - Red/Black Separation (Cables)
V-30984 Medium Environmental IA Controls - Emergency Lighting and Exits - Properly Installed
V-31548 Medium Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Records Maintenance, which includes documented procedures for granting and removal of access.
V-32477 Medium Intrusion Detection System (IDS) Installation and Maintenance Personnel - Suitability Checks
V-31084 Medium Information Assurance - Accreditation Documentation
V-31908 Medium Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Door Locks: Electric Strikes and/or Magnetic Locking devices used in access control systems shall be heavy duty, industrial grade and be configured to fail secure in the event of a total loss of power (primary and backup).
V-30931 Medium COMSEC Training - COMSEC Custodian or Hand Receipt Holder
V-30933 Medium COMSEC Training - COMSEC User
V-31091 Medium Information Assurance - SIPRNET Connection Approval Process (CAP)
V-31090 Medium Information Assurance - NIPRNET Connection Approval (CAP)
V-31011 Medium Information Assurance - System Access Control Records (DD Form 2875 or equivalent)
V-31013 Medium Information Assurance - System Training and Certification/ IA Personnel
V-32263 Medium Controlled Unclassified Information - Encryption of Data at Rest
V-31082 Medium Information Assurance/Cybersecurity Training for System Users
V-32396 Medium Background Investigations - Completed based Upon Position Sensitivity Levels for Information Assurance Positions of Trust
V-31910 Medium Marking Classified - Equipment, Documents or Media: In a classified operating environment, all unclassified items must be marked in addition to all classified items.
V-31994 Medium End-of-Day Checks - Organizations that process or store classified information must establish a system of security checks at the close of each duty and/or business day to ensure that any area where classified information is used or stored is secure. SF 701, Activity Security Checklist, shall be used to record such checks.
V-31996 Medium Classified Reproduction - Following guidance for System to Media Transfer of Data from systems connected specifically to the SIPRNet In-Accordance-With (IAW) US CYBERCOM CTO 10-133A .
V-32265 Medium Controlled Unclassified Information - Posting Only on Web-Sites with Appropriate Encryption; not on Publicly Accessible Web-Sites.
V-32264 Medium Controlled Unclassified Information - Transmission by either Physical or Electronic Means
V-32261 Medium Controlled Unclassified Information - Handling, Storage and Controlling Access to Areas where CUI is Processed or Maintained
V-32150 Medium Classification Guides Must be Available for Programs and Systems for an Organization or Site
V-31008 Medium Information Assurance - System Security Incidents (Identifying, Reporting, and Handling)
V-32180 Medium Controlled Unclassified Information - Document, Hard Drive and Media Disposal
V-31279 Medium Vault/Secure Room Storage Standards - IDS Performance Verification
V-31277 Medium Information Security (INFOSEC) - Secure Room Storage Standards - Structural Integrity Checks
V-32541 Medium Risk Assessment -Holistic Review (site/environment/information systems)
V-30983 Medium Environmental IA Controls - Emergency Power Shut-Off (EPO)
V-31115 Medium Information Assurance - KVM or A/B Switch not listed on the NIAP U.S. Government Approved Protection Products Compliance List (PCL) for Peripheral Sharing Switches
V-32372 Medium Information Assurance (IA) Positions of Trust - Identification of Positions or Duties with Privileged Access to Information Systems or Responsibility for Security Oversight of Information Systems
V-31223 Medium Foreign National (FN) Systems Access - Delegation of Disclosure Authority Letter (DDL)
V-31269 Medium Information Security (INFOSEC) - Secure Room Storage Standards - Perimeter Construction using Proper Permanent Construction Materials for True Ceiling, Walls and Floors.
V-31263 Medium Foreign National (FN) Administrative Controls - Written Procedures and Employee Training
V-31210 Medium Foreign National System Access - Identification as FN in E-mail Address
V-31266 Medium Information Security (INFOSEC) - Safe/Vault/Secure Room Management
V-31265 Medium Foreign National (FN) Administrative Controls - Procedures for Requests to Provide Foreign Nationals System Access
V-30940 Medium Protected Distribution System (PDS) Construction - Visible for Inspection and Marked
V-31293 Medium Vault/Secure Room Storage Standards - Primary IDS Monitoring Location Outside the Monitored Space
V-30949 Medium Protected Distribution System (PDS) Construction - Sealed Joints
V-30976 Medium Protected Distribution System (PDS) Monitoring - Daily (Visual) Checks
V-32159 Medium Controlled Unclassified Information (CUI) - Employee Education and Training
V-32601 Medium Security-in-Depth (AKA: Defense-in-Depth) - Minimum Physical Barriers and Access Control Measures for Facilities or Buildings Containing DoDIN (SIPRNet/NIPRNet) Connected Assets.
V-32600 Medium Restricted Area and Controlled Area Designation of Areas Housing Critical Information System Components or Classified /Sensitive Technology or Data
V-32603 Medium Sensitive Item Control - Keys, Locks and Access Cards Controlling Access to Information Systems (IS) or IS Assets Connected to the DISN
V-32602 Medium Visitor Control - To Facility or Organization with Information System Assets Connected to the DISN
V-32605 Medium Security and Cybersecurity Staff Appointment, Training/Certification and Suitability
V-32606 Medium Security Training - Information Security (INFOSEC) for ALL Employees; Military, Government Civilian and Contractor
V-31190 Medium Information Assurance - Network Connections - Physical Protection of Unclassified (NIPRNet) Network Devices such as Routers, Switches and Hubs
V-31211 Medium Foreign National (FN) Systems Access - Local Nationals Overseas System Access - (NIPRNet User)
V-31291 Medium Vault/Secure Room Storage Standards - Intrusion Detection System and Automated Entry Control System (IDS/AECS) Component Tamper Protection
V-31290 Medium Vault/Secure Room Storage Standards - Intrusion Detection System (IDS) / Automated Entry Control System (AECS) Primary and Emergency Power Supply
V-30979 Medium Protected Distribution System (PDS) Monitoring - Reporting Incidents
V-31657 Low Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Keypad Device Protection: Keypad devices designed or installed in a manner that an unauthorized person in the immediate vicinity cannot observe the selection of input numbers.
V-31129 Low Information Assurance - Unauthorized Wireless Devices - No Formal Policy and/or Warning Signs
V-30992 Low Environmental IA Controls - Fire Detection and Suppression
V-30991 Low Environmental IA Controls - Fire Inspections/ Discrepancies
V-30990 Low Environmental IA Controls - Humidity
V-30996 Low Information Assurance - System Security Operating Procedures (SOPs)
V-30994 Low Industrial Security - Contractor Visit Authorization Letters (VALs)
V-32340 Low Position of Trust - Local Policy Covering Employee Personal Standards of Conduct and Responsibilities
V-32341 Low Position of Trust - Training Covering Employee Standards of Conduct and Personal Responsibilities
V-31976 Low Classified Working Papers are properly marked, destroyed when no longer needed, or treated as a finished document after 180 days.
V-30985 Low Environmental IA Controls - Emergency Lighting and Exits - Documentation and Testing
V-30988 Low Environmental IA Controls - Training
V-30989 Low Environmental IA Controls - Temperature
V-32482 Low Physical Security Program - Physical Security Plan (PSP) and/or Systems Security Plan (SSP) Development and Implementation with Consideration/Focus on Protection of Information System Assets in the Physical Environment
V-31909 Low Marking Classified - Local or Enclave Classified Marking Procedures must be developed to ensure employees are familiar with appropriate organization Security Classification Guides (SCG), how to obtain guidance for marking classified documents, media and equipment, and where associated forms, classified cover sheets, labels, stamps, wrapping material for classified shipment, etc. can be obtained.
V-31987 Low Non-Disclosure Agreement - Standard Form 312: no person may have access to classified information unless that person has a security clearance in accordance with DoDM 5200.02 and has signed a Standard Form (SF) 312, Classified Information Non-Disclosure Agreement (NDA), and access is essential to the accomplishment of a lawful and authorized Government function (i.e., has a need to know).
V-32408 Low Periodic Reinvestigations - Submitted in a Timely Manner based Upon Position Sensitivity and Type of Investigation Required
V-31989 Low Handling of Classified - Use of Cover Sheets on Documents Removed from Secure Storage
V-31988 Low Handling of Classified Documents, Media, Equipment - Written Procedures and Training for when classified material/equipment is removed from a security container and/or secure room.
V-30928 Low COMSEC Account Management - Program Management and Standards Compliance
V-30987 Low Environmental IA Controls - Voltage Control (power)
V-31243 Low Foreign National (FN) Physical Access Control - (Identification Badges)
V-31995 Low Classified Reproduction - Written Procedures for SIPRNet Connected Classified Multi-Functional Devices (MFD) located in Space Not Approved for Collateral Classified Open Storage. NOTE: This STIG Rule (AKA: Vulnerability (Vul)) concerns only PROCEDURES for the reproduction (printing, copying, scanning, faxing) of classified documents on Multi-Functional Devices (MFD) connected to the DoDIN.
V-32156 Low Controlled Unclassified Information (CUI) - Local Policy and Procedure
V-31992 Low Classified Monitors/Displays (Procedures for Obscuration of Classified Monitors) - protection from uncleared persons or those without a need-to-know.
V-30885 Low COMSEC Account Management - Appointment of Responsible Person
V-32262 Low Controlled Unclassified Information - Marking/Labeling Media within Unclassified Environments (Not Mixed with Classified)
V-31004 Low Information Assurance - COOP Plan or Testing (Incomplete)
V-31126 Low Information Assurance - Authorizing Official (AO) and DoDIN Connection Approval Office (CAO) Approval Documentation for use of KVM and A/B switches for Sharing of Classified and Unclassified Peripheral Devices
V-32425 Low Out-processing Procedures for Departing or Terminated Employees (Military, Government Civilian and Contractor)
V-31262 Low Foreign National (FN) Administrative Controls - Contact Officer Appointment
V-32336 Low Position of Trust - Knowledge of Responsibility to Self Report Derogatory Information
V-30974 Low Protected Distribution System (PDS) Documentation - Signed Approval
V-30977 Low Protected Distribution System (PDS) Monitoring - Technical Inspections
V-32604 Low Physical Penetration Testing - of Facilities or Buildings Containing Information Systems (IS) Connected to the DISN
V-32607 Low Counter-Intelligence Program - Training, Procedures and Incident Reporting
V-31199 Low Foreign National System Access - Local Access Control Procedures
V-30975 Low Protected Distribution System (PDS) Documentation - Request for Approval Documentation
V-32321 Low Classified Annual Review
V-32090 Low Destruction of Classified and Unclassified Documents, Equipment and Media - Availability of Local Policy and Procedures
V-30978 Low Protected Distribution System (PDS) Monitoring - Initial Inspection