STIGQter: STIG Summary:

Traditional Security Checklist

Version: 1

Release: 3

Benchmark Date: 15 Jun 2020

SV-40855r3_rule COMSEC Account Management - Equipment and Key Storage
SV-40925r3_rule COMSEC Account Management - Appointment of Responsible Person
SV-40970r3_rule COMSEC Account Management - Program Management and Standards Compliance
SV-40973r3_rule COMSEC Training - COMSEC Custodian or Hand Receipt Holder
SV-40975r3_rule COMSEC Training - COMSEC User
SV-40976r4_rule Classified Transmission - Electronic Means using Cryptographic System Authorized by the Director, NSA
SV-40980r4_rule Protected Distribution System (PDS) Construction - Point of Presence (PoP) and Terminal Equipment Protection. This requirement concerns security of both the starting and ending points for PDS within proper physically protected and access controlled environments.
SV-40982r4_rule Protected Distribution System (PDS) Construction - Visible for Inspection and Marked
SV-40984r4_rule Protected Distribution System (PDS) Construction - Hardened Carrier
SV-40991r4_rule Protected Distribution System (PDS) Construction - Sealed Joints
SV-41000r3_rule Protected Distribution System (PDS) Construction - Pull Box Security
SV-41011r4_rule Protected Distribution System (PDS) Construction - Buried PDS Carrier
SV-41012r3_rule Protected Distribution System (PDS) Construction - External Suspended PDS
SV-41013r3_rule Protected Distribution System (PDS) Construction - Continuously Viewed Carrier
SV-41015r3_rule Protected Distribution System (PDS) Construction - Tactical Environment Application
SV-41017r3_rule Protected Distribution System (PDS) Documentation - Signed Approval
SV-41019r3_rule Protected Distribution System (PDS) Documentation - Request for Approval Documentation
SV-41020r3_rule Protected Distribution System (PDS) Monitoring - Daily (Visual) Checks
SV-41021r3_rule Protected Distribution System (PDS) Monitoring - Technical Inspections
SV-41022r3_rule Protected Distribution System (PDS) Monitoring - Initial Inspection
SV-41023r3_rule Protected Distribution System (PDS) Monitoring - Reporting Incidents
SV-41024r3_rule TEMPEST Countermeasures
SV-41025r3_rule TEMPEST - Red/Black separation (Processors)
SV-41026r3_rule TEMPEST - Red/Black Separation (Cables)
SV-41027r3_rule Environmental IA Controls - Emergency Power Shut-Off (EPO)
SV-41028r3_rule Environmental IA Controls - Emergency Lighting and Exits - Properly Installed
SV-41029r3_rule Environmental IA Controls - Emergency Lighting and Exits - Documentation and Testing
SV-41031r3_rule Environmental IA Controls - Voltage Control (power)
SV-41032r3_rule Environmental IA Controls - Training
SV-41033r3_rule Environmental IA Controls - Temperature
SV-41034r3_rule Environmental IA Controls - Humidity
SV-41036r3_rule Environmental IA Controls - Fire Inspections/Discrepancies
SV-41037r3_rule Environmental IA Controls - Fire Detection and Suppression
SV-41039r3_rule Industrial Security - DD Form 254
SV-41040r3_rule Industrial Security - Contractor Visit Authorization Letters (VALs)
SV-41041r3_rule Industrial Security - Contract Guard Vetting
SV-41042r3_rule Information Assurance - System Security Operating Procedures (SOPs)
SV-41043r3_rule Information Assurance - COOP Plan and Testing (Not in Place for Information Technology Systems or Not Considered in the organizational Holistic Risk Assessment)
SV-41051r3_rule Information Assurance - COOP Plan or Testing (Incomplete)
SV-41055r3_rule Information Assurance - System Security Incidents (Identifying, Reporting, and Handling)
SV-41058r3_rule Information Assurance - System Access Control Records (DD Form 2875 or equivalent)
SV-41060r3_rule Information Assurance - System Training and Certification/IA Personnel
SV-41133r3_rule Information Assurance/Cybersecurity Training for System Users
SV-41139r3_rule Information Assurance - Accreditation Documentation
SV-41177r3_rule Information Assurance - NIPRNET Connection Approval (CAP)
SV-41178r3_rule Information Assurance - SIPRNET Connection Approval Process (CAP)
SV-41244r3_rule Information Assurance - KVM or A/B Switch not listed on the NIAP U.S. Government Approved Protection Products Compliance List (PCL) for Peripheral Sharing Switches
SV-41259r4_rule Information Assurance - KVM Switch (Port Separation) on CYBEX/Avocent 4 or 8 port
SV-41260r3_rule Information Assurance - KVM Switch Use of Hot-Keys on SIPRNet Connected Devices
SV-41267r3_rule Information Assurance - Authorizing Official (AO) and DoDIN Connection Approval Office (CAO) Approval Documentation for use of KVM and A/B switches for Sharing of Classified and Unclassified Peripheral Devices
SV-41269r3_rule Information Assurance - Classified Portable Electronic Devices (PEDs) Connected to the SIPRNet must be Authorized, Compliant with NSA Guidelines, and be Configured for Data at Rest (DAR) Protection
SV-41275r3_rule Information Assurance - Unauthorized Wireless Devices - Portable Electronic Devices (PEDs) Used in Classified Processing Areas without Certified TEMPEST Technical Authority (CTTA) Review and Authorizing Official (AO) Approval.
SV-41280r3_rule Information Assurance - Unauthorized Wireless Devices - No Formal Policy and/or Warning Signs
SV-41289r3_rule Information Assurance - Network Connections - Physical Protection of Network Devices such as Routers, Switches and Hubs (Connected to SIPRNet or Other Classified Networks or Systems Being Inspected)
SV-41344r3_rule Information Assurance - Network Connections - Wall Jack Security on Classified Networks (SIPRNet or other Inspected Classified Network or System) Where Port Authentication Using IEEE 802.1X IS NOT Implemented
SV-41372r3_rule Information Assurance - Network Connections - Physical Protection of Unclassified (NIPRNet) Network Devices such as Routers, Switches and Hubs
SV-41387r3_rule Foreign National System Access - Local Access Control Procedures
SV-41407r3_rule Foreign National System Access - Identification as FN in E-mail Address
SV-41411r3_rule Foreign National (FN) Systems Access - Local Nationals Overseas System Access - (NIPRNet User)
SV-41417r3_rule Foreign National (FN) Systems Access - Local Nationals Overseas System Access - (SIPRNet or Other Classified System or Classified Network being Reviewed)
SV-41430r3_rule Foreign National (FN) Systems Access - Local Nationals (LN) Overseas System Access - Vetting for Privileged Access
SV-41432r3_rule Foreign National (FN) Systems Access - Delegation of Disclosure Authority Letter (DDL)
SV-41434r3_rule Foreign National System Access - FN or Immigrant Aliens (not representing a foreign government or entity) System Access - Limited Access Authorization (LAA)
SV-41436r3_rule Foreign National (FN) System Access - FN or Immigrant Aliens (not representing a foreign government or entity) with LAA Granted Uncontrolled Access
SV-41465r3_rule Foreign National (FN) Physical Access Control - Areas Containing US Only Information Systems Workstations/Monitor Screens, Equipment, Media or Documents
SV-41466r3_rule Foreign National (FN) Physical Access Control - (Identification Badges)
SV-41496r3_rule Foreign National (FN) Administrative Controls - Contact Officer Appointment
SV-41502r3_rule Foreign National (FN) Administrative Controls - Written Procedures and Employee Training
SV-41506r3_rule Foreign National (FN) Administrative Controls - Proper Investigation and Clearance for Access to Classified Systems and/or Information Assurance (IA) Positions of Trust
SV-41516r3_rule Foreign National (FN) Administrative Controls - Procedures for Requests to Provide Foreign Nationals System Access
SV-41522r3_rule Information Security (INFOSEC) - Safe/Vault/Secure Room Management
SV-41529r3_rule Information Security (INFOSEC) - Vault/Secure Room Storage Standards - Door Combination Lock Meeting Federal Specification FF-L-2740
SV-41531r3_rule Information Security (INFOSEC) - Secure Room Storage Standards - Door Construction
SV-41535r3_rule Information Security (INFOSEC) - Secure Room Storage Standards - Perimeter Construction using Proper Permanent Construction Materials for True Ceiling, Walls and Floors.
SV-41537r3_rule Information Security (INFOSEC) - Secure Room Storage Standards Wall and Ceiling Structural Integrity (AKA: True Floor to True Ceiling Connection)
SV-41538r3_rule Information Security (INFOSEC) - Vault/Secure Room Storage Standards - Openings in Perimeter Exceeding 96 Square Inches
SV-41539r3_rule Information Security (INFOSEC) - Secure Room Storage Standards Windows - Accessible from the Ground Hardened Against Forced Entry and Shielded from Exterior Viewing of Classified Materials Contained within the Area.
SV-41540r3_rule Information Security (INFOSEC) - Vault Storage/Construction Standards
SV-41541r3_rule Information Security (INFOSEC) - Secure Room Storage Standards - Intrusion Detection System (IDS)
SV-41542r3_rule Information Security (INFOSEC) - Secure Room Storage Standards - Balanced Magnetic Switch (BMS) on Perimeter Doors
SV-41543r3_rule Information Security (INFOSEC) - Secure Room Storage Standards - Interior Motion Detection
SV-41544r3_rule Information Security (INFOSEC) - Secure Room Storage Standards - Structural Integrity Checks
SV-41545r3_rule Information Security (INFOSEC) - Secure Room Storage Standards - Four (4) Hour Random Checks in Lieu of Using Intrusion Detection System (IDS)
SV-41547r3_rule Vault/Secure Room Storage Standards - IDS Performance Verification
SV-41552r3_rule Vault/Secure Room Storage Standards - IDS Transmission Line Security
SV-41554r3_rule Vault/Secure Room Storage Standards - Masking of IDS Sensors Displayed at the Intrusion Detection System (IDS) Monitoring Station
SV-41560r3_rule Vault/Secure Room Storage Standards - IDS Alarm Monitoring Indicators, both audible and visual (Alarm Status) must be displayed for each sensor or alarmed zone at the monitoring station.
SV-41561r3_rule Vault/Secure Room Storage Standards - Intrusion Detection System (IDS) / Automated Entry Control System (AECS) Primary and Emergency Power Supply
SV-41562r3_rule Vault/Secure Room Storage Standards - Intrusion Detection System and Automated Entry Control System (IDS/AECS) Component Tamper Protection
SV-41563r3_rule Vault/Secure Room Storage Standards - IDS Access/Secure Control Units Must be Located within the Secure Room Space
SV-41564r3_rule Vault/Secure Room Storage Standards - Primary IDS Monitoring Location Outside the Monitored Space
SV-41565r3_rule Information Security (IS) - Continuous Operations Facility: Access Control Monitoring Methods
SV-41811r3_rule Vault/Secure Room Storage Standards - Access Control During Working Hours Using Visual Control OR Automated Entry Control System (AECS) with PIN / Biometrics
SV-41831r3_rule Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Records Maintenance, which includes documented procedures for granting and removal of access.
SV-41832r3_rule Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) and Intrusion Detection System (IDS) Head-End Equipment Protection: The physical location (room or area) containing AECS and IDS head-end equipment (server and/or work station/monitoring equipment) where authorization, personal identification or verification data is input, stored, or recorded and/or where system status/alarms are monitored must be physically protected.
SV-41944r3_rule Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Keypad Device Protection: Keypad devices designed or installed in a manner that an unauthorized person in the immediate vicinity cannot observe the selection of input numbers.
SV-42194r3_rule Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Transmission Line Security: AECS Transmission lines traversing an uncontrolled area (not within at least a Secret Controlled Access Area (CAA)) shall use line supervision OR Electrical, mechanical, or electromechanical access control devices, which do not constitute an AECS that are used to control access during duty hours must have all electrical components, that traverse outside minimally a Secret Controlled Access Area (CAA), secured within conduit.
SV-42205r3_rule Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Door Locks: Electric Strikes and/or Magnetic Locking devices used in access control systems shall be heavy duty, industrial grade and be configured to fail secure in the event of a total loss of power (primary and backup).
SV-42206r3_rule Marking Classified - Local or Enclave Classified Marking Procedures must be developed to ensure employees are familiar with appropriate organization Security Classification Guides (SCG), how to obtain guidance for marking classified documents, media and equipment, and where associated forms, classified cover sheets, labels, stamps, wrapping material for classified shipment, etc. can be obtained.
SV-42207r3_rule Marking Classified - Equipment, Documents or Media: In a classified operating environment, all unclassified items must be marked in addition to all classified items.
SV-42275r3_rule Classified Working Papers are properly marked, destroyed when no longer needed, or treated as a finished document after 180 days.
SV-42285r3_rule Storage/Handling of Classified Documents, Media, Equipment - must be under continuous personal protection and control of an authorized (cleared) individual OR guarded or stored in an approved locked security container (safe), vault, secure room, collateral classified open storage area or SCIF.
SV-42286r3_rule Non-Disclosure Agreement - Standard Form 312: no person may have access to classified information unless that person has a security clearance in accordance with DoDM 5200.02 and has signed a Standard Form (SF) 312, Classified Information Non-Disclosure Agreement (NDA), and access is essential to the accomplishment of a lawful and authorized Government function (i.e., has a need to know).
SV-42287r3_rule Handling of Classified Documents, Media, Equipment - Written Procedures and Training for when classified material/equipment is removed from a security container and/or secure room.
SV-42288r3_rule Handling of Classified - Use of Cover Sheets on Documents Removed from Secure Storage
SV-42290r3_rule Classified Monitors/Displays (Physical Control of Classified Monitors From Unauthorized Viewing)
SV-42291r3_rule Classified Monitors/Displays (Procedures for Obscuration of Classified Monitors) - protection from uncleared persons or those without a need-to-know.
SV-42292r3_rule Monitor Screens - Disable Access by CAC or Token Removal, or Lock Computer via Ctrl/Alt/Del
SV-42293r3_rule End-of-Day Checks - Organizations that process or store classified information must establish a system of security checks at the close of each duty and/or business day to ensure that any area where classified information is used or stored is secure. SF 701, Activity Security Checklist, shall be used to record such checks.
SV-42294r3_rule Classified Reproduction - Written Procedures for SIPRNet Connected Classified Multi-Functional Devices (MFD) located in Space Not Approved for Collateral Classified Open Storage. NOTE: This STIG Rule (AKA: Vulnerability (Vul)) concerns only PROCEDURES for the reproduction (printing, copying, scanning, faxing) of classified documents on Multi-Functional Devices (MFD) connected to the DoDIN.
SV-42295r3_rule Classified Reproduction - Following guidance for System to Media Transfer of Data from systems connected specifically to the SIPRNet In-Accordance-With (IAW) US CYBERCOM CTO 10-133A.
SV-42324r3_rule Classified Reproduction - SIPRNet Connected Classified Multi-Functional Devices (MFD) located in Space Not Approved for Collateral Classified Open Storage.
SV-42325r3_rule Destruction of Classified Documents Printed from the SIPRNet Using Approved Devices on NSA Evaluated Products Lists (EPL).
SV-42407r3_rule Destruction of Classified and Unclassified Documents, Equipment and Media - Availability of Local Policy and Procedures
SV-42419r3_rule Classified Destruction - Hard Drive and Storage Media Sanitization Devices and Plans are not Available for disposal of Automated Information System (AIS) Equipment On-Hand
SV-42428r3_rule Classified Material Destruction - Improper Disposal of Automated Information System (AIS) Hard Drives and Storage Media
SV-42449r3_rule Classified Emergency Destruction Plans - Develop and Make Available
SV-42455r3_rule Security Incident/Spillage - Lack of Procedures or Training for Handling and Reporting
SV-42467r3_rule Classification Guides Must be Available for Programs and Systems for an Organization or Site
SV-42473r3_rule Controlled Unclassified Information (CUI) - Local Policy and Procedure
SV-42476r3_rule Controlled Unclassified Information (CUI) - Employee Education and Training
SV-42497r3_rule Controlled Unclassified Information - Document, Hard Drive and Media Disposal
SV-42578r3_rule Controlled Unclassified Information - Handling, Storage and Controlling Access to Areas where CUI is Processed or Maintained
SV-42579r3_rule Controlled Unclassified Information - Marking/Labeling Media within Unclassified Environments (Not Mixed with Classified)
SV-42580r3_rule Controlled Unclassified Information - Encryption of Data at Rest
SV-42581r3_rule Controlled Unclassified Information - Transmission by either Physical or Electronic Means
SV-42582r3_rule Controlled Unclassified Information - Posting Only on Web-Sites with Appropriate Encryption; not on Publicly Accessible Web-Sites.
SV-42658r3_rule Classified Annual Review
SV-42673r3_rule Position of Trust - Knowledge of Responsibility to Self Report Derogatory Information
SV-42677r3_rule Position of Trust - Local Policy Covering Employee Personal Standards of Conduct and Responsibilities
SV-42678r3_rule Position of Trust - Training Covering Employee Standards of Conduct and Personal Responsibilities
SV-42679r3_rule Position Sensitivity - Based on Security Clearance and/or Information Technology (IT) Systems Access Level or Responsibility for Security Oversight on Assigned Information Systems (IS)
SV-42680r3_rule Validation Procedures for Security Clearance Issuance (Classified Systems and/or Physical Access Granted)
SV-42709r3_rule Information Assurance (IA) Positions of Trust - Identification of Positions or Duties with Privileged Access to Information Systems or Responsibility for Security Oversight of Information Systems
SV-42733r3_rule Background Investigations - Completed based Upon Position Sensitivity Levels for Information Assurance Positions of Trust
SV-42745r3_rule Periodic Reinvestigations - Submitted in a Timely Manner based Upon Position Sensitivity and Type of Investigation Required
SV-42762r3_rule Out-processing Procedures for Departing or Terminated Employees (Military, Government Civilian and Contractor)
SV-42794r3_rule Intrusion Detection System (IDS) Monitoring Station Personnel - Suitability Checks
SV-42814r3_rule Intrusion Detection System (IDS) Installation and Maintenance Personnel - Suitability Checks
SV-42819r3_rule Physical Security Program - Physical Security Plan (PSP) and/or Systems Security Plan (SSP) Development and Implementation with Consideration/Focus on Protection of Information System Assets in the Physical Environment
SV-42878r3_rule Risk Assessment - Holistic Review (site/environment/information systems)
SV-42917r3_rule Physical Protection of Unclassified Key System Devices/Computer Rooms in Large Processing Facilities
SV-42937r3_rule Restricted Area and Controlled Area Designation of Areas Housing Critical Information System Components or Classified/Sensitive Technology or Data
SV-42938r3_rule Security-in-Depth (AKA: Defense-in-Depth) - Minimum Physical Barriers and Access Control Measures for Facilities or Buildings Containing DoDIN (SIPRNet/NIPRNet) Connected Assets.
SV-42939r3_rule Visitor Control - To Facility or Organization with Information System Assets Connected to the DISN
SV-42940r3_rule Sensitive Item Control - Keys, Locks and Access Cards Controlling Access to Information Systems (IS) or IS Assets Connected to the DISN
SV-42941r3_rule Physical Penetration Testing - of Facilities or Buildings Containing Information Systems (IS) Connected to the DISN
SV-42942r3_rule Security and Cybersecurity Staff Appointment, Training/Certification and Suitability
SV-42943r3_rule Security Training - Information Security (INFOSEC) for ALL Employees; Military, Government Civilian and Contractor
SV-42944r3_rule Counter-Intelligence Program - Training, Procedures and Incident Reporting
SV-43876r3_rule Protected Distribution System (PDS) Construction - Alarmed Carrier
SV-76119r1_rule Environmental IA Controls - Emergency Power