UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Traditional Security Checklist


Overview

Date Finding Count (147)
2021-07-14 CAT I (High): 39 CAT II (Med): 68 CAT III (Low): 40
STIG Description
Summary of Changes: Version 2, Release 1 of the Traditional Security Checklist deletes five rules relating to privileged access vetting. There were no other updates to existing rule content from Version 1, Release 3. However, the rule numbers were modified as a result of importing the guidance into a new content management system. The total number of rules decreased from 152 to 147. The deleted rules are: Rule Title: Position Sensitivity - Based on Security Clearance and/or Information Technology Systems Access Level or Responsibility for Security Oversight on Assigned Information Systems (STIG ID: PE-02.02.01; Legacy ID: SV-42679r3_rule, V-32342; Severity: CAT II); Rule Title: Information Assurance Positions of Trust - Identification of Positions or Duties with Privileged Access to Information Systems or Responsibility for Security Oversight of Information Systems (STIG ID: PE-04.02.01; Legacy ID: SV-42709r3_rule, V-32372; Severity: CAT II); Rule Title: Background Investigations - Completed Based Upon Position Sensitivity Levels for Information Assurance Positions of Trust (STIG ID: PE-05.02.01; Legacy ID: SV-42733r3_rule, V-32396; Severity: CAT II); Rule Title: Periodic Reinvestigations - Submitted in a Timely Manner Based Upon Position Sensitivity and Type of Investigation Required (STIG ID: PE-06.03.01; Legacy ID: SV-42745r3_rule, V-32408; Severity: CAT III); Rule Title: Foreign National Systems Access - Local Nationals Overseas System Access - Vetting for Privileged Access (STIG ID: FN-02.01.02; Legacy ID: SV-41430r3_rule, V-31221; Severity: CAT I)

Available Profiles



Findings (MAC III - Administrative Classified)

Finding ID Severity Title
V-245808 High Vault/Secure Room Storage Standards - Access Control During Working Hours Using Visual Control OR Automated Entry Control System (AECS) with PIN / Biometrics
V-245809 High Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) and Intrusion Detection System (IDS) Head-End Equipment Protection: The physical location (room or area) containing AECS and IDS head-end equipment (server and/or work station/monitoring equipment) where authorization, personal identification or verification data is input, stored, or recorded and/or where system status/alarms are monitored must be physically protected.
V-245802 High Information Security (INFOSEC) - Secure Room Storage Standards - Balanced Magnetic Switch (BMS) on Perimeter Doors
V-245803 High Information Security (INFOSEC) - Secure Room Storage Standards - Interior Motion Detection
V-245800 High Information Security (INFOSEC) - Vault Storage/Construction Standards
V-245801 High Information Security (INFOSEC) - Secure Room Storage Standards - Intrusion Detection System (IDS)
V-245806 High Vault/Secure Room Storage Standards - IDS Access/Secure Control Units Must be Located within the Secure Room Space
V-245807 High Information Security (IS) - Continuous Operations Facility: Access Control Monitoring Methods
V-245804 High Information Security (INFOSEC) - Secure Room Storage Standards - Four (4) Hour Random Checks in Lieu of Using Intrusion Detection System (IDS)
V-245805 High Vault/Secure Room Storage Standards - IDS Transmission Line Security
V-245796 High Information Security (INFOSEC) - Secure Room Storage Standards - Door Construction
V-245797 High Information Security (INFOSEC) - Secure Room Storage Standards Wall and Ceiling Structural Integrity (AKA: True Floor to True Ceiling Connection)
V-245795 High Information Security (INFOSEC) - Vault/Secure Room Storage Standards - Door Combination Lock Meeting Federal Specification FF-L-2740
V-245798 High Information Security (INFOSEC) - Vault/Secure Room Storage Standards - Openings in Perimeter Exceeding 96 Square Inches
V-245799 High Information Security (INFOSEC) - Secure Room Storage Standards Windows - Accessible from the Ground Hardened Against Forced Entry and Shielded from Exterior Viewing of Classified Materials Contained within the Area.
V-245785 High Information Assurance - Classified Portable Electronic Devices (PEDs) Connected to the SIPRNet must be Authorized, Compliant with NSA Guidelines, and be Configured for Data at Rest (DAR) Protection
V-245789 High Information Assurance - Network Connections - Wall Jack Security on Classified Networks (SIPRNet or other Inspected Classified Network or System) Where Port Authentication Using IEEE 802.1X IS NOT Implemented
V-245788 High Information Assurance - Network Connections - Physical Protection of Network Devices such as Routers, Switches and Hubs (Connected to SIPRNet or Other Classified Networks or Systems Being Inspected)
V-245763 High Foreign National System Access - FN or Immigrant Aliens (not representing a foreign government or entity) System Access - Limited Access Authorization (LAA)
V-245767 High Foreign National (FN) Administrative Controls - Proper Investigation and Clearance for Access to Classified Systems and/or Information Assurance (IA) Positions of Trust
V-245765 High Foreign National (FN) Physical Access Control - Areas Containing US Only Information Systems Workstations/Monitor Screens, Equipment, Media or Documents
V-245764 High Foreign National (FN) System Access - FN or Immigrant Aliens (not representing a foreign government or entity) with LAA Granted Uncontrolled Access
V-245759 High Foreign National (FN) Systems Access - Local Nationals Overseas System Access - (SIPRNet or Other Classified System or Classified Network being Reviewed)
V-245825 High Storage/Handling of Classified Documents, Media, Equipment - must be under continuous personal protection and control of an authorized (cleared) individual OR guarded or stored in an approved locked security container (safe), vault, secure room, collateral classified open storage area or SCIF.
V-245829 High Classified Monitors/Displays (Physical Control of Classified Monitors From Unauthorized Viewing)
V-245734 High Protected Distribution System (PDS) Construction - Tactical Environment Application
V-245735 High Protected Distribution System (PDS) Construction - Alarmed Carrier
V-245730 High Protected Distribution System (PDS) Construction - Pull Box Security
V-245731 High Protected Distribution System (PDS) Construction - Buried PDS Carrier
V-245732 High Protected Distribution System (PDS) Construction - External Suspended PDS
V-245733 High Protected Distribution System (PDS) Construction - Continuously Viewed Carrier
V-245837 High Classified Material Destruction - Improper Disposal of Automated Information System (AIS) Hard Drives and Storage Media
V-245836 High Destruction of Classified Documents Printed from the SIPRNet Using Approved Devices on NSA Evaluated Products Lists (EPL).
V-245833 High Classified Reproduction - SIPRNet Connected Classified Multi-Functional Devices (MFD) located in Space Not Approved for Collateral Classified Open Storage.
V-245830 High Monitor Screens - Disable Access by CAC or Token Removal, or Lock Computer via Ctrl/Alt/Del
V-245727 High Classified Transmission - Electronic Means using Cryptographic System Authorized by the Director, NSA
V-245722 High COMSEC Account Management - Equipment and Key Storage
V-245729 High Protected Distribution System (PDS) Construction - Hardened Carrier
V-245728 High Protected Distribution System (PDS) Construction - Point of Presence (PoP) and Terminal Equipment Protection. This requirement concerns security of both the starting and ending points for PDS within proper physically protected and access controlled environments.
V-245793 Medium Industrial Security - Contract Guard Vetting
V-245790 Medium Information Assurance - Network Connections - Physical Protection of Unclassified (NIPRNet) Network Devices such as Routers, Switches and Hubs
V-245791 Medium Industrial Security - DD Form 254
V-245794 Medium Information Security (INFOSEC) - Safe/Vault/Secure Room Management
V-245819 Medium Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Door Locks: Electric Strikes and/or Magnetic Locking devices used in access control systems shall be heavy duty, industrial grade and be configured to fail secure in the event of a total loss of power (primary and backup).
V-245818 Medium Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Transmission Line Security: AECS Transmission lines traversing an uncontrolled area (not within at least a Secret Controlled Access Area (CAA) ) shall use line supervision OR Electrical, mechanical, or electromechanical access control devices, which do not constitute an AECS that are used to control access during duty hours must have all electrical components, that traverse outside minimally a Secret Controlled Access Area (CAA), secured within conduit.
V-245815 Medium Vault/Secure Room Storage Standards - Intrusion Detection System and Automated Entry Control System (IDS/AECS) Component Tamper Protection
V-245814 Medium Vault/Secure Room Storage Standards - Intrusion Detection System (IDS) / Automated Entry Control System (AECS) Primary and Emergency Power Supply
V-245817 Medium Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Records Maintenance, which includes documented procedures for granting and removal of access.
V-245816 Medium Vault/Secure Room Storage Standards - Primary IDS Monitoring Location Outside the Monitored Space
V-245811 Medium Vault/Secure Room Storage Standards - IDS Performance Verification
V-245810 Medium Information Security (INFOSEC) - Secure Room Storage Standards - Structural Integrity Checks
V-245813 Medium Vault/Secure Room Storage Standards - IDS Alarm Monitoring Indicators, both audible and visual (Alarm Status) must be displayed for each sensor or alarmed zone at the monitoring station.
V-245812 Medium Vault/Secure Room Storage Standards - Masking of IDS Sensors Displayed at the Intrusion Detection System (IDS) Monitoring Station
V-245786 Medium Information Assurance - Unauthorized Wireless Devices - Portable Electronic Devices (PEDs) Used in Classified Processing Areas without Certified TEMPEST Technical Authority (CTTA) Review and Authorizing Official (AO) Approval.
V-245781 Medium Information Assurance - KVM or A/B Switch not listed on the NIAP U.S. Government Approved Protection Products Compliance List (PCL) for Peripheral Sharing Switches
V-245780 Medium Information Assurance - SIPRNET Connection Approval Process (CAP)
V-245783 Medium Information Assurance - KVM Switch Use of Hot-Keys on SIPRNet Connected Devices
V-245782 Medium Information Assurance - KVM Switch (Port Separation) on CYBEX/Avocent 4 or 8 port
V-245868 Medium Visitor Control - To Facility or Organization with Information System Assets Connected to the DISN
V-245869 Medium Sensitive Item Control - Keys, Locks and Access Cards Controlling Access to Information Systems (IS) or IS Assets Connected to the DISN
V-245861 Medium Intrusion Detection System (IDS) Monitoring Station Personnel - Suitability Checks
V-245862 Medium Intrusion Detection System (IDS) Installation and Maintenance Personnel - Suitability Checks
V-245864 Medium Risk Assessment -Holistic Review (site/environment/information systems)
V-245865 Medium Physical Protection of Unclassified Key System Devices/Computer Rooms in Large Processing Facilities
V-245866 Medium Restricted Area and Controlled Area Designation of Areas Housing Critical Information System Components or Classified /Sensitive Technology or Data
V-245867 Medium Security-in-Depth (AKA: Defense-in-Depth) - Minimum Physical Barriers and Access Control Measures for Facilities or Buildings Containing DoDIN (SIPRNet/NIPRNet) Connected Assets.
V-245778 Medium Information Assurance - Accreditation Documentation
V-245779 Medium Information Assurance - NIPRNET Connection Approval (CAP)
V-245772 Medium Information Assurance - COOP Plan and Testing (Not in Place for Information Technology Systems or Not Considered in the organizational Holistic Risk Assessment)
V-245774 Medium Information Assurance - System Security Incidents (Identifying, Reporting, and Handling)
V-245775 Medium Information Assurance - System Access Control Records (DD Form 2875 or equivalent)
V-245776 Medium Information Assurance - System Training and Certification/ IA Personnel
V-245777 Medium Information Assurance/Cybersecurity Training for System Users
V-245872 Medium Security Training - Information Security (INFOSEC) for ALL Employees; Military, Government Civilian and Contractor
V-245871 Medium Security and Cybersecurity Staff Appointment, Training/Certification and Suitability
V-245769 Medium Foreign National (FN) Administrative Controls - Procedures for Requests to Provide Foreign Nationals System Access
V-245768 Medium Foreign National (FN) Administrative Controls - Written Procedures and Employee Training
V-245762 Medium Foreign National (FN) Systems Access - Delegation of Disclosure Authority Letter (DDL)
V-245761 Medium Foreign National (FN) Systems Access - Local Nationals Overseas System Access - (NIPRNet User)
V-245848 Medium Controlled Unclassified Information - Posting Only on Web-Sites with Appropriate Encryption; not on Publicly Accessible Web-Sites.
V-245846 Medium Controlled Unclassified Information - Encryption of Data at Rest
V-245847 Medium Controlled Unclassified Information - Transmission by either Physical or Electronic Means
V-245844 Medium Controlled Unclassified Information - Document, Hard Drive and Media Disposal
V-245845 Medium Controlled Unclassified Information - Handling, Storage and Controlling Access to Areas where CUI is Processed or Maintained
V-245842 Medium Classification Guides Must be Available for Programs and Systems for an Organization or Site
V-245843 Medium Controlled Unclassified Information (CUI) - Employee Education and Training
V-245840 Medium Classified Emergency Destruction Plans - Develop and Make Available
V-245841 Medium Security Incident/Spillage - Lack of Procedures or Training for Handling and Reporting
V-245756 Medium TEMPEST - Red/Black Separation (Cables)
V-245757 Medium Foreign National System Access - Identification as FN in E-mail Address
V-245754 Medium TEMPEST Countermeasures
V-245755 Medium TEMPEST - Red/Black separation (Processors)
V-245856 Medium Validation Procedures for Security Clearance Issuance (Classified Systems and/or Physical Access Granted)
V-245741 Medium Protected Distribution System (PDS) Monitoring - Reporting Incidents
V-245740 Medium Protected Distribution System (PDS) Monitoring - Daily (Visual) Checks
V-245745 Medium Environmental IA Controls - Emergency Lighting and Exits - Properly Installed
V-245744 Medium Environmental IA Controls - Emergency Power Shut-Off (EPO)
V-245748 Medium Environmental IA Controls - Emergency Power
V-245820 Medium Information Security (INFOSEC) - Secure Room Storage Standards - Perimeter Construction using Proper Permanent Construction Materials for True Ceiling, Walls and Floors.
V-245822 Medium Marking Classified - Equipment, Documents or Media: In a classified operating environment, all unclassified items must be marked in addition to all classified items.
V-245736 Medium Protected Distribution System (PDS) Construction - Visible for Inspection and Marked
V-245737 Medium Protected Distribution System (PDS) Construction - Sealed Joints
V-245834 Medium Classified Reproduction - Following guidance for System to Media Transfer of Data from systems connected specifically to the SIPRNet In-Accordance-With (IAW) US CYBERCOM CTO 10-133A .
V-245832 Medium End-of-Day Checks - Organizations that process or store classified information must establish a system of security checks at the close of each duty and/or business day to ensure that any area where classified information is used or stored is secure. SF 701, Activity Security Checklist, shall be used to record such checks.
V-245838 Medium Classified Destruction - Hard Drive and Storage Media Sanitization Devices and Plans are not Available for disposal of Automated Information System (AIS) Equipment On-Hand
V-245726 Medium COMSEC Training - COMSEC User
V-245725 Medium COMSEC Training - COMSEC Custodian or Hand Receipt Holder
V-245792 Low Industrial Security - Contractor Visit Authorization Letters (VALs)
V-245784 Low Information Assurance - Authorizing Official (AO) and DoDIN Connection Approval Office (CAO) Approval Documentation for use of KVM and A/B switches for Sharing of Classified and Unclassified Peripheral Devices
V-245787 Low Information Assurance - Unauthorized Wireless Devices - No Formal Policy and/or Warning Signs
V-245860 Low Out-processing Procedures for Departing or Terminated Employees (Military, Government Civilian and Contractor)
V-245863 Low Physical Security Program - Physical Security Plan (PSP) and/or Systems Security Plan (SSP) Development and Implementation with Consideration/Focus on Protection of Information System Assets in the Physical Environment
V-245770 Low Foreign National (FN) Administrative Controls - Contact Officer Appointment
V-245771 Low Information Assurance - System Security Operating Procedures (SOPs)
V-245773 Low Information Assurance - COOP Plan or Testing (Incomplete)
V-245873 Low Counter-Intelligence Program - Training, Procedures and Incident Reporting
V-245870 Low Physical Penetration Testing - of Facilities or Buildings Containing Information Systems (IS) Connected to the DISN
V-245766 Low Foreign National (FN) Physical Access Control - (Identification Badges)
V-245849 Low Controlled Unclassified Information (CUI) - Local Policy and Procedure
V-245758 Low Foreign National System Access - Local Access Control Procedures
V-245752 Low Environmental IA Controls - Fire Inspections/ Discrepancies
V-245753 Low Environmental IA Controls - Fire Detection and Suppression
V-245750 Low Environmental IA Controls - Temperature
V-245751 Low Environmental IA Controls - Humidity
V-245851 Low Classified Annual Review
V-245850 Low Controlled Unclassified Information - Marking/Labeling Media within Unclassified Environments (Not Mixed with Classified)
V-245853 Low Position of Trust - Local Policy Covering Employee Personal Standards of Conduct and Responsibilities
V-245852 Low Position of Trust - Knowledge of Responsibility to Self Report Derogatory Information
V-245854 Low Position of Trust - Training Covering Employee Standards of Conduct and Personal Responsibilities
V-245743 Low Protected Distribution System (PDS) Monitoring - Initial Inspection
V-245742 Low Protected Distribution System (PDS) Monitoring - Technical Inspections
V-245747 Low Environmental IA Controls - Voltage Control (power)
V-245746 Low Environmental IA Controls - Emergency Lighting and Exits - Documentation and Testing
V-245749 Low Environmental IA Controls - Training
V-245824 Low Classified Working Papers are properly marked, destroyed when no longer needed, or treated as a finished document after 180 days.
V-245826 Low Non-Disclosure Agreement - Standard Form 312: no person may have access to classified information unless that person has a security clearance in accordance with DoDM 5200.02 and has signed a Standard Form (SF) 312, Classified Information Non-Disclosure Agreement (NDA), and access is essential to the accomplishment of a lawful and authorized Government function (i.e., has a need to know).
V-245827 Low Handling of Classified Documents, Media, Equipment - Written Procedures and Training for when classified material/equipment is removed from a security container and/or secure room.
V-245821 Low Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Keypad Device Protection: Keypad devices designed or installed in a manner that an unauthorized person in the immediate vicinity cannot observe the selection of input numbers.
V-245823 Low Marking Classified - Local or Enclave Classified Marking Procedures must be developed to ensure employees are familiar with appropriate organization Security Classification Guides (SCG), how to obtain guidance for marking classified documents, media and equipment, and where associated forms, classified cover sheets, labels, stamps, wrapping material for classified shipment, etc. can be obtained.
V-245828 Low Handling of Classified - Use of Cover Sheets on Documents Removed from Secure Storage
V-245738 Low Protected Distribution System (PDS) Documentation - Signed Approval
V-245739 Low Protected Distribution System (PDS) Documentation - Request for Approval Documentation
V-245835 Low Classified Reproduction - Written Procedures for SIPRNet Connected Classified Multi-Functional Devices (MFD) located in Space Not Approved for Collateral Classified Open Storage. NOTE: This vulnerability concerns only PROCEDURES for the reproduction (printing, copying, scanning, faxing) of classified documents on Multi-Functional Devices (MFD) connected to the DoDIN.
V-245831 Low Classified Monitors/Displays (Procedures for Obscuration of Classified Monitors) - protection from uncleared persons or those without a need-to-know.
V-245839 Low Destruction of Classified and Unclassified Documents, Equipment and Media - Availability of Local Policy and Procedures
V-245724 Low COMSEC Account Management - Program Management and Standards Compliance
V-245723 Low COMSEC Account Management - Appointment of Responsible Person