STIGQter: STIG Summary: Traditional Security Checklist, Version 1, Release 3, Benchmark Date: 15 Jun 2020

Protected Distribution System (PDS) Construction - Point of Presence (PoP) and Terminal Equipment Protection. This requirement concerns security of both the starting and ending points for PDS within proper physically protected and access controlled environments.

DISA Rule

SV-40980r4_rule

Vulnerability Number

V-30938

Group Title

PDS Construction - PoP and Terminal Equipment Protection

Rule Version

CS-04.01.01

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

This fix concerns security requirements for the physical locations of both the starting and ending points for Protected Distribution Systems (PDS) within a physical enclave.

All of the following requirements must be met:

1. The PDS must originate within the room or area containing the SIPRNet Point of Presence (PoP) for the facility or area, which must be in a Secret or above Secure Room, Vault, SCIF or alternatively in an Information Processing Systems (IPS) Container with SIPRNet connected equipment (router/switch/PC/laptop/multi-function device (e.g., printer, copier, fax)). An IPS container is a specially designed safe for secured operation of classified network and end user equipment.

2. PDS terminal equipment (wall jacks/ports) must be located in a Secret or higher Controlled Access Area (CAA), Secret or higher vault, Secret or higher Secure Room or in a SCIF.

3. PDS terminating in areas not a Secret or higher CAA (SCAA) may alternatively terminate in an IPS Container with SIPRNet connected equipment (router/switch/PC/laptop/multi-function device (printer, copier, and fax)).

4. If an IPS container is used to secure equipment at a PDS termination point, it must be located within at least a Limited Access Area (LAA). *It cannot ever be located in an Uncontrolled Access Area (UAA).

5. In exceptional situations, when the PDS termination area cannot be access controlled to the level of the data carried by the PDS (e.g., in a multi-use conference room), the PDS termination point (wall jack/port) must be secured with a lock box. Access Controlled to the level of the data carried by the PDS for SIPRNet connections means the PDS termination area must minimally be a secret CAA (SCAA). The lock box must meet the same construction requirements as a pull box for the PDS carrier type. *Specifications for pull boxes and termination lock boxes are covered in rule: Protected Distribution System (PDS) Construction - Accessible Pull Box Security, STIG ID: CS-04.01.03, Rule ID: SV-41000r3_rule Vuln ID: V-30958. A finding for deficient pull box or termination lock box construction should be cited under STIG ID: CS-04.01.03.

6. If a lock box is used to secure a PDS termination/end point (wall jack/port), it must be located within at least a Limited Access Area (LAA). *It cannot ever be located in an Uncontrolled Access Area (UAA).

7. PDS lock boxes located within a LAA must be physically disconnected (cables pulled) from equipment and the lock boxes secured with an approved PDS lock when the lock box is not under the continuous observation and control of a properly cleared person (secret security clearance for SIPRNet).

NOTES:

Access to all PDS points with breakouts must be restricted to personnel cleared at the highest level of the breakout and therefore, the PDS terminal equipment (end point) must either be locked or continuously safeguarded by cleared persons to prevent tampering.

The S&G 8077 changeable combination padlock is the DoD standard/required PDS lock for user termination lock boxes that are opened/closed on a routine or frequent basis. Tamper evident locks (keyed padlocks with seals) are not permitted to be used within the DoD, per guidance from USD(I) Policy.

Check Contents

This check concerns security requirements for the physical locations of both the starting and ending points for Protected Distribution Systems (PDS) within a physical enclave.

Check to ensure:

1. The PDS originates within the room or area containing the SIPRNet Point of Presence (PoP) for the facility or area, which must be in a Secret or above Secure Room, Vault, SCIF or alternatively in an Information Processing Systems (IPS) Container with SIPRNet connected equipment (router/switch/PC/laptop/multi-function device (e.g., printer, copier, fax)). An IPS container is a specially designed safe for secured operation of classified network and end user equipment.

2. PDS terminal equipment (wall jacks/ports) are located in a Secret or higher Controlled Access Area (CAA), Secret or higher vault, Secret or higher Secure Room or in a SCIF.

3. PDS terminating in areas not a Secret or higher CAA may alternatively terminate in an IPS Container with SIPRNet connected equipment (router/switch/PC/laptop/multi-function device (printer, copier, and fax)).

4. If an IPS container is used to secure equipment at a PDS termination point, ensure it is located within at least a Limited Access Area (LAA). *It cannot ever be located in an Uncontrolled Access Area (UAA).

5. In exceptional situations, when the PDS termination area cannot be access controlled to the level of the data carried by the PDS (e.g., in a multi-use conference room), ensure the PDS termination point (wall jack/port) is secured with a lock box. Access Controlled to the level of the data carried by the PDS for SIPRNet connections means the PDS termination area must minimally be a secret CAA. The lock box must meet the same construction requirements as a pull box for the PDS carrier type. *Specifications for pull boxes and termination lock boxes are covered in rule: Protected Distribution System (PDS) Construction - Accessible Pull Box Security, STIG ID: CS-04.01.03, Rule ID: SV-41000r3_rule Vuln ID: V-30958. A finding for deficient pull box or termination lock box construction should be cited under STIG ID: CS-04.01.03.

6. If a lock box is used to secure a PDS termination/end point (wall jack/port), ensure it is located within at least a Limited Access Area (LAA). *It cannot ever be located in an Uncontrolled Access Area (UAA).

7. PDS lock boxes located within a LAA are physically disconnected (cables pulled) from equipment and the lock boxes secured with an approved PDS lock when the lock box is not under the continuous observation and control of a properly cleared person (secret security clearance for SIPRNet).

NOTES:

Access to all PDS points with breakouts must be restricted to personnel cleared at the highest level of the breakout and therefore, the PDS terminal equipment (end point) must either be locked or continuously safeguarded by cleared persons to prevent tampering.

The S&G 8077 changeable combination padlock is the DoD standard/required PDS lock for user termination lock boxes that are opened/closed on a routine or frequent basis. Tamper evident locks (keyed padlocks with seals) are not permitted to be used within the DoD, per guidance from USD(I) Policy.

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2506

Comments