STIGQter: STIG Summary: Traditional Security Checklist, Version 1, Release 3, Benchmark Date: 15 Jun 2020

Position Sensitivity - Based on Security Clearance and/or Information Technology (IT) Systems Access Level or Responsibility for Security Oversight on Assigned Information Systems (IS)

DISA Rule

SV-42679r3_rule

Vulnerability Number

V-32342

Group Title

Position Sensitivity

Rule Version

PE-02.02.01

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Fix #1. Ensure that official organizational manning records identify and reflect Information Assurance (IA) (AKA: Cyber Security) Positions of Trust for each civilian and military position and/or duties in which an employee has cyber security related duties (e.g., privileged access or security oversight) on a DoDIN Information System (IS) (e.g., SIPRNet or NIPRNet). This is required for members of the DoD workforce conducting Cyber Security (AKA: Information Assurance (IA)) functions in assigned duty positions. Examples include but are not limited to: Information System Security Manager (ISSM), Information System Security Officer (ISSO), and System Administrator (SA). These are positions consistent with the IA Workforce Improvement Program (DoD 8570.01-M) that are required to be trained, certified and specially vetted for integrity and loyalty.

Fix #2. Ensure all IA designated positions (e.g., system administrators (SA), information system security managers (ISSM), information system security officers (ISSO)) and other information technology related positions identified in manning documents/position descriptions reflect designation of the position sensitivity level (e.g., special-sensitive, critical-sensitive or noncritical-sensitive).

Fix #3. Ensure that Information Assurance (IA) (AKA: Cyber) Security Positions of Trust are identified for each contractor employee set of duties contained in statements of work for all positions or duties in which an employee has cyber security related duties (e.g., privileged access or security oversight) on a DoDIN Information System (IS) (e.g., SIPRNet or NIPRNet). This is required for members of the DoD workforce conducting Cyber Security (AKA: Information Assurance (IA)) functions in assigned duty positions. Examples include but are not limited to: Information System Security Manager (ISSM), Information System Security Officer (ISSO), and System Administrator (SA). These are positions consistent with the IA Workforce Improvement Program (DoD 8570.01-M) that are required to be trained, certified and specially vetted for integrity and loyalty.

Fix #4. Ensure that the contract documents indicate security clearance levels and/or information system technology related duties for each contractor position or set of duties: for unclassified contracts this means the statement of work (SOW); for classified contracts it means both the SOW and the DD Form 254 (Contract Security Specification). The specific purpose is to ensure contract documents contain background investigation requirements along with security clearance and ADP (AKA: IT) position sensitivity level requirements. These must be detailed for each type of work or specified "position" where applicable. The investigation requirements are to be based upon both the security clearance and the ADP (AKA: IT) position sensitivity level. This is essentially the same process as designation of position sensitivity for military and DoD civilian positions.

NOTE:

If an organization chooses to no longer use the legacy ADP/IT position sensitivity levels detailed in the cancelled DoD 5200.2-R (PERSEC) then the organization/site must use the OPM Position Designation Tool (PDT) and maintain documentation to reflect the use of the PDT for determination of position sensitivity and background investigation level for each Information Technology (IT) position in the organization.

Check Contents

Request to see and then review organization manning documents (e.g., Joint Table of Distribution and Allowances (JTD)) and position descriptions that indicate the position sensitivity and assigned duties of all information technology (IT) related positions (military and government civilian).

Check #1. Check to ensure that Information Assurance (IA) (AKA: Cyber Security) Positions of Trust are identified for each civilian and military position and/or duties in which an employee has cyber security related duties (e.g., privileged access or security oversight) on a DoDIN Information System (IS) (e.g., SIPRNet or NIPRNet). This is required for members of the DoD workforce conducting Cyber Security (AKA: Information Assurance (IA)) functions in assigned duty positions. Examples include but are not limited to: Information System Security Manager (ISSM), Information System Security Officer (ISSO), and System Administrator (SA). These are positions consistent with the IA Workforce Improvement Program (DoD 8570.01-M) that are required to be trained, certified and specially vetted for integrity and loyalty.

Check #2. Check all IA designated positions (e.g., system administrators (SA), information system security managers (ISSM), information system security officers (ISSO)) and other information technology related positions to ensure that manning documents/position descriptions reflect designation of the position sensitivity level (e.g., special-sensitive, critical-sensitive or noncritical-sensitive).

Request to see and then review the statements of work and/or DD Forms 254 (Contract Security Specification) for Contractors supporting the organization.

Check #3. Check to ensure that Information Assurance (IA) (AKA: Cyber) Security Positions of Trust are identified for each contractor employee set of duties contained in statements of work for all positions or duties in which an employee has cyber security related duties (e.g., privileged access or security oversight) on a DoDIN Information System (IS) (e.g., SIPRNet or NIPRNet). This is required for members of the DoD workforce conducting Cyber Security (AKA: Information Assurance (IA)) functions in assigned duty positions. Examples include but are not limited to: Information System Security Manager (ISSM), Information System Security Officer (ISSO), and System Administrator (SA). These are positions consistent with the IA Workforce Improvement Program (DoD 8570.01-M) that are required to be trained, certified and specially vetted for integrity and loyalty.

Check #4. Review all contracting documents for contracts where contractor employees will have access to either the NIPRNet, SIPRNet or both. For unclassified contracts the statement of work should be reviewed; for classified contracts both the statement of work and the DD Form 254 (Contract Security Specification) should be reviewed. Ensure the documents indicate security clearance levels and/or information system technology related duties for each contractor position or set of duties.
The specific purpose of the contract document review is to ensure that background investigation requirements, along with security clearance and ADP (AKA: IT) position sensitivity level requirements, are detailed for each type of work or specified "position" where applicable. The investigation requirements are to be based upon both the security clearance and the ADP (AKA: IT) position sensitivity level. This is essentially the same process as designation of position sensitivity for military and DoD civilian positions.

NOTES:

1. The intent of checks 1 and 2 is to ensure IA/Cyber Security positions of trust are specifically identified and to ensure position sensitivity is officially designated for each IA position based on security clearance and ADP/IT level; not necessarily to ensure it is correctly designated for each assigned incumbent of a position.

2. The intent of checks 3 and 4 is to ensure IA/Cyber Security positions of trust are specifically identified within SOWs and/or DD Forms 254 and that background investigation requirement(s) are specified in contract documents for identified IA positions based upon security clearance and position ADP/IT levels; not necessarily to ensure it is correctly designated for each individual contractor assigned to a specified position or set of duties.

3. If an organization is choosing to no longer use the former ADP/IT position sensitivity levels then reviewers should not assess based on the ADP/IT criteria. In this instance the organization/site must demonstrate use of the OPM Position Designation Tool (PDT) and maintain documentation to reflect the use of the PDT for each Information Assurance (IA)/Cyber Security position.

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments and is also applicable to a field/mobile environment.

Documentable

False

Severity Override Guidance

Check Content Reference

M

Potential Impact

Related STIG rules:
PE-03.02.01 - Validation Procedures for Security Clearance Issuance (Classified Systems and/or Physical Access Granted)
PE-04.02.01 - Information Assurance (IA) Positions of Trust - Identification of Positions or Duties with Privileged Access to Information Systems or Responsibility for Security Oversight of Information Systems
PE-05.02.01 - Background Investigations
PE-06.03.01 - Periodic Reinvestigations

Target Key

2506

Comments