STIGQter: STIG Summary: Traditional Security Checklist, Version: 1, Release: 3, Benchmark Date: 15 Jun 2020

Protected Distribution System (PDS) Construction - Buried PDS Carrier

DISA Rule

SV-41011r4_rule

Vulnerability Number

V-30969

Group Title

PDS Construction - Buried Carrier

Rule Version

CS-04.01.04

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

The following requirements must be applied to Exterior PDS:

1. Ensure the buried carrier is constructed of conduit consisting of EMT, rigid pipe, PVC, or a similar type of plastic electrical conduit.

2. Ensure all connections are permanently sealed completely around all mating surfaces (e.g., welding, epoxy, fusion, or PVC glue).

3. Ensure the PDS is buried a minimum of 1 meter (39 inches) below the surface and on the property (in a LOW Threat area within CONUS) owned or leased by the U.S. Government or the contractor having control of the PDS.

NOTE: As an alternative, if the carrier cannot be buried to a 1-meter depth due to soil conditions or blocked passage, a lesser depth may be used within a low threat area with prior approval of the Authorizing Official (AO) if the carrier is encased within the center of mass of approximately 20 centimeters (8 inches) of concrete.

4. Ensure the buried carrier departs and enters a building through the building’s concrete slab or basement wall.

NOTE: As an alternative, all portions of the PDS above the 1 meter (39 inches) depth and not within a CAA (e.g., a PDS rising to a pull box on the side of a building) must meet the requirements of a Category 2 hardened carrier.

5. Ensure that manholes or any other access (e.g., hand hole) to the buried PDS are secured with a PDS lock or an alarm. The PDS lock must be visible for daily inspection. If a PDS lock cannot be used due to the physical construction of the manhole, then a standard locking manhole cover and micro-switch alarm should be used.

NOTE: As an alternative to a PDS lock or approved micro-switch alarms, manhole covers may be completely welded around the opening surface to impede opening and provide for clear evidence of penetration. Spot welding is not acceptable. This alternative is only acceptable on exterior (buried) PDS located within CONUS LOW Threat areas.

NOTE: The USD(I) Policy has determined the PDS Locks referred to in the CNSSI 7003 as Tamper Indicative Padlock with a wire loop seal and Tamper Evident Seal ARE NOT permitted for use in the DoD. Basically this is because neither product was properly vetted and listed by the DoD Lock Program. ONLY the SG 8077 Changeable Combination Padlock is to be used for securing Buried PDS manhole covers protecting SIPRNet within the DoD.

6. If the carrier is buried in a MEDIUM threat location, ensure it is buried a minimum of 1 meter (39 inches) below the surface AND is encased within the center of mass of approximately 20 centimeters (8 inches) of concrete. NOTE: A concrete and steel container of sufficient size (to preclude surreptitious penetration in a period less than two hours as confirmed by laboratory tests) may be used in lieu of the 20 centimeters (8 inches) of concrete.

7. Ensure the PDS is not located within an Uncontrolled Access Area (UAA).

Check Contents

Check Content for exterior PDS.

If the Category 2 hardened carrier is buried:

1. Check to ensure the buried carrier is constructed of conduit consisting of EMT, rigid pipe, PVC, or a similar type of plastic electrical conduit. (CAT I finding)

2. Check that all connections are permanently sealed completely around all mating surfaces (e.g., welding, epoxy, fusion, or PVC glue). (CAT I finding)

3. Check to ensure it is buried a minimum of 1 meter (39 inches) below the surface and on the property (in a LOW Threat area within CONUS) owned or leased by the U.S. Government or the contractor having control of the PDS. NOTE: As an alternative, if the carrier cannot be buried to a 1-meter depth due to soil conditions or blocked passage, a lesser depth may be used within a low threat area with prior approval of the Authorizing Official (AO) if the carrier is encased within the center of mass of approximately 20 centimeters (8 inches) of concrete. (CAT I finding)

4. Check that the buried carrier departs and enters a building through the building’s concrete slab or basement wall. NOTE: As an alternative, all portions of the PDS above the 1 meter (39 inches) depth and not within a CAA (e.g., a PDS rising to a pull box on the side of a building) must meet the requirements of a Category 2 hardened carrier. (CAT I finding)

5. Check that manholes or any other access (e.g., hand hole) to the buried PDS are secured with a PDS lock or an alarm. The PDS lock must be visible for daily inspection. If a PDS lock cannot be used due to the physical construction of the manhole, then a standard locking manhole cover and micro-switch alarm should be used. NOTE: As an alternative to a PDS lock or approved micro-switch alarms, manhole covers may be completely welded around the opening surface to impede opening and provide for clear evidence of penetration. Spot welding is not acceptable. This alternative is only acceptable on exterior (buried) PDS located within CONUS LOW Threat areas. (CAT I finding)

NOTE: The USD(I) Policy has determined the PDS Locks referred to in the CNSSI 7003 as Tamper Indicative Padlock with a wire loop seal and Tamper Evident Seal ARE NOT permitted for use in the DoD. Basically this is because neither product was properly vetted and listed by the DoD Lock Program. ONLY the SG 8077 Changeable Combination Padlock is to be used for securing Buried PDS manhole covers protecting SIPRNet within the DoD.

6. If the carrier is buried in a MEDIUM threat location, check to ensure it is buried a minimum of 1 meter (39 inches) below the surface AND is encased within the center of mass of approximately 20 centimeters (8 inches) of concrete. NOTE: A concrete and steel container of sufficient size (to preclude surreptitious penetration in a period less than two hours as confirmed by laboratory tests) may be used in lieu of the 20 centimeters (8 inches) of concrete. (CAT I finding)

NOTE for Reviewers: If portions of the buried carrier cannot be checked due to being physically inaccessible, conduct whatever physical review is possible and attempt to validate PDS construction by reviewing contract/build documents, engineering drawings or certification documents from installation engineers that contain information about the physical make-up of the buried carrier.

7. Check that the PDS is not within an Uncontrolled Access Area (UAA). (CAT I finding)

Documentable

False

Check Content Reference

M

Potential Impact

The CNSSI 7003 definition of a PDS Lock includes allowance for use of a Tamper Indicative Padlock with a wire loop seal. A Tamper Evident Seal is also defined as a possible alternative for use on Pull Boxes. NOTE: The USD(I) Policy has determined the Tamper Indicative Padlock with a wire loop seal and Tamper Evident Seal ARE NOT permitted for use in the DoD. Basically this is because neither product was properly vetted and listed by the DoD Lock Program. ONLY the SG 8077 Changeable Combination Padlock is to be used for securing Buried PDS manhole covers protecting SIPRNet within the DoD.

The DoD Lock and Key Program has recommended using clear plastic bags (sealed with weather resistant tape) over exterior locks (such as the SG 8077) placed on manhole covers to mitigate the effects of weather. The bags enable the locks to be visually inspected while protecting them from the elements.

Target Key

2506
