Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-245763 | FN-03.01.01 | SV-245763r917325_rule | High |
Description |
---|
Failure to verify citizenship and proper authorization for access to either sensitive or classified information could enable personnel to have access to classified or sensitive information to which they are not entitled. REFERENCES: National Disclosure Policy - 1 (NDP-l) National Security Directive 42, "National Policy for the Security of National Security Telecommunications and Information Systems DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information. Use guidance on sharing information with REL Partners on SIPRNET at http://www.ssc.smil.mil/ - follow Policy/Guidance&Documentation link and then SIPRNet Information Sharing... DODD 5230.20; Visits, Assignments, and Exchanges of Foreign Nationals CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, para 26.c.(2)&(3) NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-1, AC-2, AC-3, AC-24, CA-1, PS-3, PS-4, PS-5, PM-9, MA-5(4) and IA-4(4) DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014 , Enclosure 3, paragraph 11. DOD Manual 5200.02, Procedures for the DOD Personnel Security Program (PSP), 3 April 2017, Section 6. DOD 8570.01-M, Information Assurance Workforce Improvement Program, para C.3.2.4.8.2, C.8.2.7 & AP1.19 DODD 8140.01 Cyberspace Workforce Management DODI 8140.02 Identifying-Tracking and Reporting of Cyberspace Workforce Requirements DODM 8140.03 Cyberspace Workforce Qualification and Management System DOD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, CHAPTER 10 International Security Requirements, Section 5. International Visits and Control of Foreign Nationals and Section 6. Contractor Operations Abroad, paragraph 10-601.b |
STIG | Date |
---|---|
Traditional Security Checklist | 2023-05-31 |
Check Text ( C-49194r917166_chk ) |
---|
BACKGROUND INFORMATION: Compelling reasons may exist to grant access to classified information to an immigrant alien or a foreign national. Such individuals may be granted a "Limited Access Authorization" (LAA) in those rare circumstances where a non-U.S. citizen - NOT REPRESENTING A FOREIGN GOVERNMENT OR OTHER ENTITY - possesses a unique or unusual skill or expertise that is urgently needed in pursuit of a specific DOD requirement involving access to specified classified information for which a cleared or clearable U.S. citizen is not available. LAAs may be granted only at the SECRET and CONFIDENTIAL level. LAAs for TOP SECRET are prohibited. Interim access is not authorized pending approval of a LAA. 1. Check to ensure that all non-U.S. citizens fitting the above described situation have had an LAA granted prior to being permitted access to sensitive duties, classified information and/or systems. 2. Ensure that the information the non-U S. citizen has access to is approved for release to the persons country or countries of citizenship, in accordance with DOD Directive 5230.11. 3. Ensure the non-U.S. citizen has been the subject of a favorably completed (within the last 5 years) and adjudicated SSBI prior to granting an LAA. If the SSBI cannot provide full investigative coverage, a polygraph examination (if there are no host country legal prohibitions) to resolve the remaining personnel security issues must be favorably completed before granting access. 4. Ensure that if geographical, political, or medical situations prevent the full completion of the SSBI or prevent the polygraph examination to supplement a less than full SSBI, an LAA may be granted only with approval of the DDI(I&S). TACTICAL ENVIRONMENT: This check is applicable where any non-U.S. citizens (not representing a foreign Government or entity) are employed in a tactical environment with access to US Classified or Sensitive Systems. |
Fix Text (F-49149r917167_fix) |
---|
BACKGROUND INFORMATION: Compelling reasons may exist to grant access to classified information to an immigrant alien or a foreign national. Such individuals may be granted a "Limited Access Authorization" (LAA) in those rare circumstances where a non-U.S. citizen - NOT REPRESENTING A FOREIGN GOVERNMENT OR OTHER ENTITY - possesses a unique or unusual skill or expertise that is urgently needed in pursuit of a specific DOD requirement involving access to specified classified information for which a cleared or clearable U.S. citizen is not available. LAAs may be granted only at the SECRET and CONFIDENTIAL level. LAAs for TOP SECRET are prohibited. Interim access is not authorized pending approval of a LAA. 1. All non-U.S. citizens fitting the above described situation must have an LAA granted prior to being permitted access to sensitive duties, classified information and/or systems. 2. The information the non-U S. citizen has access to must be approved for release to the persons country or countries of citizenship, in accordance with DOD Directive 5230.11. 3. The non-U.S. citizen must be the subject of a favorably completed (within the last 5 years) and adjudicated SSBI prior to granting an LAA. If the SSBI cannot provide full investigative coverage, a polygraph examination (if there are no host country legal prohibitions) to resolve the remaining personnel security issues must be favorably completed before granting access. 4. If geographical, political, or medical situations prevent the full completion of the SSBI or prevent the polygraph examination to supplement a less than full SSBI, an LAA may be granted only with approval of the DDI(I&S). NOTE: DODM 8570 requirements will be met until full implementation of DODM 8140.03 requirements. Implementation dates for DOD Manual 8140.03 include a two-year timeline for personnel (civilian and military) in positions coded with cybersecurity work roles and three years for personnel (civilian and military) in positions coded with work roles in any other workforce element. The dates for required qualification would be 15 February 2025 for cybersecurity work roles and the same date in February 2026 for all Defense Cyber Workforce Framework work roles. |