| Checked | Name | Title |
|---|
| ☐ | SV-40855r3_rule | COMSEC Account Management - Equipment and Key Storage |
| ☐ | SV-40925r3_rule | COMSEC Account Management - Appointment of Responsible Person |
| ☐ | SV-40970r3_rule | COMSEC Account Management - Program Management and Standards Compliance |
| ☐ | SV-40973r3_rule | COMSEC Training - COMSEC Custodian or Hand Receipt Holder |
| ☐ | SV-40975r3_rule | COMSEC Training - COMSEC User |
| ☐ | SV-40976r4_rule | Classified Transmission - Electronic Means using Cryptographic System Authorized by the Director, NSA |
| ☐ | SV-40980r4_rule | Protected Distribution System (PDS) Construction - Point of Presence (PoP) and Terminal Equipment Protection. This requirement concerns security of both the starting and ending points for PDS within proper physically protected and access controlled environments. |
| ☐ | SV-40982r4_rule | Protected Distribution System (PDS) Construction - Visible for Inspection and Marked |
| ☐ | SV-40984r4_rule | Protected Distribution System (PDS) Construction - Hardened Carrier |
| ☐ | SV-40991r4_rule | Protected Distribution System (PDS) Construction - Sealed Joints |
| ☐ | SV-41000r3_rule | Protected Distribution System (PDS) Construction - Pull Box Security |
| ☐ | SV-41011r4_rule | Protected Distribution System (PDS) Construction - Buried PDS Carrier |
| ☐ | SV-41012r3_rule | Protected Distribution System (PDS) Construction - External Suspended PDS |
| ☐ | SV-41013r3_rule | Protected Distribution System (PDS) Construction - Continuously Viewed Carrier |
| ☐ | SV-41015r3_rule | Protected Distribution System (PDS) Construction - Tactical Environment Application |
| ☐ | SV-41017r3_rule | Protected Distribution System (PDS) Documentation - Signed Approval |
| ☐ | SV-41019r3_rule | Protected Distribution System (PDS) Documentation - Request for Approval Documentation |
| ☐ | SV-41020r3_rule | Protected Distribution System (PDS) Monitoring - Daily (Visual) Checks |
| ☐ | SV-41021r3_rule | Protected Distribution System (PDS) Monitoring - Technical Inspections |
| ☐ | SV-41022r3_rule | Protected Distribution System (PDS) Monitoring - Initial Inspection |
| ☐ | SV-41023r3_rule | Protected Distribution System (PDS) Monitoring - Reporting Incidents |
| ☐ | SV-41024r3_rule | TEMPEST Countermeasures |
| ☐ | SV-41025r3_rule | TEMPEST - Red/Black separation (Processors) |
| ☐ | SV-41026r3_rule | TEMPEST - Red/Black Separation (Cables) |
| ☐ | SV-41027r3_rule | Environmental IA Controls - Emergency Power Shut-Off (EPO) |
| ☐ | SV-41028r3_rule | Environmental IA Controls - Emergency Lighting and Exits - Properly Installed |
| ☐ | SV-41029r3_rule | Environmental IA Controls - Emergency Lighting and Exits - Documentation and Testing |
| ☐ | SV-41031r3_rule | Environmental IA Controls - Voltage Control (power) |
| ☐ | SV-41032r3_rule | Environmental IA Controls - Training |
| ☐ | SV-41033r3_rule | Environmental IA Controls - Temperature |
| ☐ | SV-41034r3_rule | Environmental IA Controls - Humidity |
| ☐ | SV-41036r3_rule | Environmental IA Controls - Fire Inspections/ Discrepancies |
| ☐ | SV-41037r3_rule | Environmental IA Controls - Fire Detection and Suppression |
| ☐ | SV-41039r3_rule | Industrial Security - DD Form 254 |
| ☐ | SV-41040r3_rule | Industrial Security - Contractor Visit Authorization Letters (VALs) |
| ☐ | SV-41041r3_rule | Industrial Security - Contract Guard Vetting |
| ☐ | SV-41042r3_rule | Information Assurance - System Security Operating Procedures (SOPs) |
| ☐ | SV-41043r3_rule | Information Assurance - COOP Plan and Testing (Not in Place for Information Technology Systems or Not Considered in the organizational Holistic Risk Assessment) |
| ☐ | SV-41051r3_rule | Information Assurance - COOP Plan or Testing (Incomplete) |
| ☐ | SV-41055r3_rule | Information Assurance - System Security Incidents (Identifying, Reporting, and Handling) |
| ☐ | SV-41058r3_rule | Information Assurance - System Access Control Records (DD Form 2875 or equivalent) |
| ☐ | SV-41060r3_rule | Information Assurance - System Training and Certification/ IA Personnel |
| ☐ | SV-41133r3_rule | Information Assurance/Cybersecurity Training for System Users |
| ☐ | SV-41139r3_rule | Information Assurance - Accreditation Documentation |
| ☐ | SV-41177r3_rule | Information Assurance - NIPRNET Connection Approval (CAP) |
| ☐ | SV-41178r3_rule | Information Assurance - SIPRNET Connection Approval Process (CAP) |
| ☐ | SV-41244r3_rule | Information Assurance - KVM or A/B Switch not listed on the NIAP U.S. Government Approved Protection Products Compliance List (PCL) for Peripheral Sharing Switches |
| ☐ | SV-41259r4_rule | Information Assurance - KVM Switch (Port Separation) on CYBEX/Avocent 4 or 8 port |
| ☐ | SV-41260r3_rule | Information Assurance - KVM Switch Use of Hot-Keys on SIPRNet Connected Devices |
| ☐ | SV-41267r3_rule | Information Assurance - Authorizing Official (AO) and DoDIN Connection Approval Office (CAO) Approval Documentation for use of KVM and A/B switches for Sharing of Classified and Unclassified Peripheral Devices |
| ☐ | SV-41269r3_rule | Information Assurance - Classified Portable Electronic Devices (PEDs) Connected to the SIPRNet must be Authorized, Compliant with NSA Guidelines, and be Configured for Data at Rest (DAR) Protection |
| ☐ | SV-41275r3_rule | Information Assurance - Unauthorized Wireless Devices - Portable Electronic Devices (PEDs) Used in Classified Processing Areas without Certified TEMPEST Technical Authority (CTTA) Review and Authorizing Official (AO) Approval. |
| ☐ | SV-41280r3_rule | Information Assurance - Unauthorized Wireless Devices - No Formal Policy and/or Warning Signs |
| ☐ | SV-41289r3_rule | Information Assurance - Network Connections - Physical Protection of Network Devices such as Routers, Switches and Hubs (Connected to SIPRNet or Other Classified Networks or Systems Being Inspected) |
| ☐ | SV-41344r3_rule | Information Assurance - Network Connections - Wall Jack Security on Classified Networks (SIPRNet or other Inspected Classified Network or System) Where Port Authentication Using IEEE 802.1X IS NOT Implemented |
| ☐ | SV-41372r3_rule | Information Assurance - Network Connections - Physical Protection of Unclassified (NIPRNet) Network Devices such as Routers, Switches and Hubs |
| ☐ | SV-41387r3_rule | Foreign National System Access - Local Access Control Procedures |
| ☐ | SV-41407r3_rule | Foreign National System Access - Identification as FN in E-mail Address |
| ☐ | SV-41411r3_rule | Foreign National (FN) Systems Access - Local Nationals Overseas System Access - (NIPRNet User) |
| ☐ | SV-41417r3_rule | Foreign National (FN) Systems Access - Local Nationals Overseas System Access - (SIPRNet or Other Classified System or Classified Network being Reviewed) |
| ☐ | SV-41430r3_rule | Foreign National (FN) Systems Access - Local Nationals (LN) Overseas System Access - Vetting for Privileged Access |
| ☐ | SV-41432r3_rule | Foreign National (FN) Systems Access - Delegation of Disclosure Authority Letter (DDL) |
| ☐ | SV-41434r3_rule | Foreign National System Access - FN or Immigrant Aliens (not representing a foreign government or entity) System Access - Limited Access Authorization (LAA) |
| ☐ | SV-41436r3_rule | Foreign National (FN) System Access - FN or Immigrant Aliens (not representing a foreign government or entity) with LAA Granted Uncontrolled Access |
| ☐ | SV-41465r3_rule | Foreign National (FN) Physical Access Control - Areas Containing US Only Information Systems Workstations/Monitor Screens, Equipment, Media or Documents |
| ☐ | SV-41466r3_rule | Foreign National (FN) Physical Access Control - (Identification Badges) |
| ☐ | SV-41496r3_rule | Foreign National (FN) Administrative Controls - Contact Officer Appointment |
| ☐ | SV-41502r3_rule | Foreign National (FN) Administrative Controls - Written Procedures and Employee Training |
| ☐ | SV-41506r3_rule | Foreign National (FN) Administrative Controls - Proper Investigation and Clearance for Access to Classified Systems and/or Information Assurance (IA) Positions of Trust |
| ☐ | SV-41516r3_rule | Foreign National (FN) Administrative Controls - Procedures for Requests to Provide Foreign Nationals System Access |
| ☐ | SV-41522r3_rule | Information Security (INFOSEC) - Safe/Vault/Secure Room Management |
| ☐ | SV-41529r3_rule | Information Security (INFOSEC) - Vault/Secure Room Storage Standards - Door Combination Lock Meeting Federal Specification FF-L-2740 |
| ☐ | SV-41531r3_rule | Information Security (INFOSEC) - Secure Room Storage Standards - Door Construction |
| ☐ | SV-41535r3_rule | Information Security (INFOSEC) - Secure Room Storage Standards - Perimeter Construction using Proper Permanent Construction Materials for True Ceiling, Walls and Floors. |
| ☐ | SV-41537r3_rule | Information Security (INFOSEC) - Secure Room Storage Standards Wall and Ceiling Structural Integrity (AKA: True Floor to True Ceiling Connection) |
| ☐ | SV-41538r3_rule | Information Security (INFOSEC) - Vault/Secure Room Storage Standards - Openings in Perimeter Exceeding 96 Square Inches |
| ☐ | SV-41539r3_rule | Information Security (INFOSEC) - Secure Room Storage Standards Windows - Accessible from the Ground Hardened Against Forced Entry and Shielded from Exterior Viewing of Classified Materials Contained within the Area. |
| ☐ | SV-41540r3_rule | Information Security (INFOSEC) - Vault Storage/Construction Standards |
| ☐ | SV-41541r3_rule | Information Security (INFOSEC) - Secure Room Storage Standards - Intrusion Detection System (IDS) |
| ☐ | SV-41542r3_rule | Information Security (INFOSEC) - Secure Room Storage Standards - Balanced Magnetic Switch (BMS) on Perimeter Doors |
| ☐ | SV-41543r3_rule | Information Security (INFOSEC) - Secure Room Storage Standards - Interior Motion Detection |
| ☐ | SV-41544r3_rule | Information Security (INFOSEC) - Secure Room Storage Standards - Structural Integrity Checks |
| ☐ | SV-41545r3_rule | Information Security (INFOSEC) - Secure Room Storage Standards - Four (4) Hour Random Checks in Lieu of Using Intrusion Detection System (IDS) |
| ☐ | SV-41547r3_rule | Vault/Secure Room Storage Standards - IDS Performance Verification |
| ☐ | SV-41552r3_rule | Vault/Secure Room Storage Standards - IDS Transmission Line Security |
| ☐ | SV-41554r3_rule | Vault/Secure Room Storage Standards - Masking of IDS Sensors Displayed at the Intrusion Detection System (IDS) Monitoring Station |
| ☐ | SV-41560r3_rule | Vault/Secure Room Storage Standards - IDS Alarm Monitoring Indicators, both audible and visual (Alarm Status) must be displayed for each sensor or alarmed zone at the monitoring station. |
| ☐ | SV-41561r3_rule | Vault/Secure Room Storage Standards - Intrusion Detection System (IDS) / Automated Entry Control System (AECS) Primary and Emergency Power Supply |
| ☐ | SV-41562r3_rule | Vault/Secure Room Storage Standards - Intrusion Detection System and Automated Entry Control System (IDS/AECS) Component Tamper Protection |
| ☐ | SV-41563r3_rule | Vault/Secure Room Storage Standards - IDS Access/Secure Control Units Must be Located within the Secure Room Space |
| ☐ | SV-41564r3_rule | Vault/Secure Room Storage Standards - Primary IDS Monitoring Location Outside the Monitored Space |
| ☐ | SV-41565r3_rule | Information Security (IS) - Continuous Operations Facility: Access Control Monitoring Methods |
| ☐ | SV-41811r3_rule | Vault/Secure Room Storage Standards - Access Control During Working Hours Using Visual Control OR Automated Entry Control System (AECS) with PIN / Biometrics |
| ☐ | SV-41831r3_rule | Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Records Maintenance, which includes documented procedures for granting and removal of access. |
| ☐ | SV-41832r3_rule | Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) and Intrusion Detection System (IDS) Head-End Equipment Protection:
The physical location (room or area) containing AECS and IDS head-end equipment (server and/or work station/monitoring equipment) where authorization, personal identification or verification data is input, stored, or recorded and/or where system status/alarms are monitored must be physically protected. |
| ☐ | SV-41944r3_rule | Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Keypad Device Protection: Keypad devices designed or installed in a manner that an unauthorized person in the immediate vicinity cannot observe the selection of input numbers. |
| ☐ | SV-42194r3_rule | Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Transmission Line Security:
AECS Transmission lines traversing an uncontrolled area (not within at least a Secret Controlled Access Area (CAA) ) shall use line supervision OR Electrical, mechanical, or electromechanical access control devices, which do not constitute an AECS that are used to control access during duty hours must have all electrical components, that traverse outside minimally a Secret Controlled Access Area (CAA), secured within conduit. |
| ☐ | SV-42205r3_rule | Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Door Locks: Electric Strikes and/or Magnetic Locking devices used in access control systems shall be heavy duty, industrial grade and be configured to fail secure in the event of a total loss of power (primary and backup). |
| ☐ | SV-42206r3_rule | Marking Classified - Local or Enclave Classified Marking Procedures must be developed to ensure employees are familiar with appropriate organization Security Classification Guides (SCG), how to obtain guidance for marking classified documents, media and equipment, and where associated forms, classified cover sheets, labels, stamps, wrapping material for classified shipment, etc. can be obtained. |
| ☐ | SV-42207r3_rule | Marking Classified - Equipment, Documents or Media: In a classified operating environment, all unclassified items must be marked in addition to all classified items. |
| ☐ | SV-42275r3_rule | Classified Working Papers are properly marked, destroyed when no longer needed, or treated as a finished document after 180 days. |
| ☐ | SV-42285r3_rule | Storage/Handling of Classified Documents, Media, Equipment - must be under continuous personal protection and control of an authorized (cleared) individual OR guarded or stored in an approved locked security container (safe), vault, secure room, collateral classified open storage area or SCIF. |
| ☐ | SV-42286r3_rule | Non-Disclosure Agreement - Standard Form 312: no person may have access to classified information unless that person has a security clearance in accordance with DoDM 5200.02 and has signed a Standard Form (SF) 312, Classified Information Non-Disclosure Agreement (NDA), and access is essential to the accomplishment of a lawful and authorized Government function (i.e., has a need to know). |
| ☐ | SV-42287r3_rule | Handling of Classified Documents, Media, Equipment - Written Procedures and Training for when classified material/equipment is removed from a security container and/or secure room. |
| ☐ | SV-42288r3_rule | Handling of Classified - Use of Cover Sheets on Documents Removed from Secure Storage |
| ☐ | SV-42290r3_rule | Classified Monitors/Displays (Physical Control of Classified Monitors From Unauthorized Viewing) |
| ☐ | SV-42291r3_rule | Classified Monitors/Displays (Procedures for Obscuration of Classified Monitors) - protection from uncleared persons or those without a need-to-know. |
| ☐ | SV-42292r3_rule | Monitor Screens - Disable Access by CAC or Token Removal, or Lock Computer via Ctrl/Alt/Del |
| ☐ | SV-42293r3_rule | End-of-Day Checks - Organizations that process or store classified information must establish a system of security checks at the close of each duty and/or business day to ensure that any area where classified information is used or stored is secure. SF 701, Activity Security Checklist, shall be used to record such checks. |
| ☐ | SV-42294r3_rule | Classified Reproduction - Written Procedures for SIPRNet Connected Classified Multi-Functional Devices (MFD) located in Space Not Approved for Collateral Classified Open Storage.
NOTE: This STIG Rule (AKA: Vulnerability (Vul)) concerns only PROCEDURES for the reproduction (printing, copying, scanning, faxing) of classified documents on Multi-Functional Devices (MFD) connected to the DoDIN. |
| ☐ | SV-42295r3_rule | Classified Reproduction - Following guidance for System to Media Transfer of Data from systems connected specifically to the SIPRNet In-Accordance-With (IAW) US CYBERCOM CTO 10-133A . |
| ☐ | SV-42324r3_rule | Classified Reproduction - SIPRNet Connected Classified Multi-Functional Devices (MFD) located in Space Not Approved for Collateral Classified Open Storage. |
| ☐ | SV-42325r3_rule | Destruction of Classified Documents Printed from the SIPRNet Using Approved Devices on NSA Evaluated Products Lists (EPL). |
| ☐ | SV-42407r3_rule | Destruction of Classified and Unclassified Documents, Equipment and Media - Availability of Local Policy and Procedures |
| ☐ | SV-42419r3_rule | Classified Destruction - Hard Drive and Storage Media Sanitization Devices and Plans are not Available for disposal of Automated Information System (AIS) Equipment On-Hand |
| ☐ | SV-42428r3_rule | Classified Material Destruction - Improper Disposal of Automated Information System (AIS) Hard Drives and Storage Media |
| ☐ | SV-42449r3_rule | Classified Emergency Destruction Plans - Develop and Make Available |
| ☐ | SV-42455r3_rule | Security Incident/Spillage - Lack of Procedures or Training for Handling and Reporting |
| ☐ | SV-42467r3_rule | Classification Guides Must be Available for Programs and Systems for an Organization or Site |
| ☐ | SV-42473r3_rule | Controlled Unclassified Information (CUI) - Local Policy and Procedure |
| ☐ | SV-42476r3_rule | Controlled Unclassified Information (CUI) - Employee Education and Training |
| ☐ | SV-42497r3_rule | Controlled Unclassified Information - Document, Hard Drive and Media Disposal |
| ☐ | SV-42578r3_rule | Controlled Unclassified Information - Handling, Storage and Controlling Access to Areas where CUI is Processed or Maintained |
| ☐ | SV-42579r3_rule | Controlled Unclassified Information - Marking/Labeling Media within Unclassified Environments (Not Mixed with Classified) |
| ☐ | SV-42580r3_rule | Controlled Unclassified Information - Encryption of Data at Rest |
| ☐ | SV-42581r3_rule | Controlled Unclassified Information - Transmission by either Physical or Electronic Means |
| ☐ | SV-42582r3_rule | Controlled Unclassified Information - Posting Only on Web-Sites with Appropriate Encryption; not on Publicly Accessible Web-Sites. |
| ☐ | SV-42658r3_rule | Classified Annual Review |
| ☐ | SV-42673r3_rule | Position of Trust - Knowledge of Responsibility to Self Report Derogatory Information |
| ☐ | SV-42677r3_rule | Position of Trust - Local Policy Covering Employee Personal Standards of Conduct and Responsibilities |
| ☐ | SV-42678r3_rule | Position of Trust - Training Covering Employee Standards of Conduct and Personal Responsibilities |
| ☐ | SV-42679r3_rule | Position Sensitivity - Based on Security Clearance and/or Information Technology (IT) Systems Access Level or Responsibility for Security Oversight on Assigned Information Systems (IS) |
| ☐ | SV-42680r3_rule | Validation Procedures for Security Clearance Issuance (Classified Systems and/or Physical Access Granted) |
| ☐ | SV-42709r3_rule | Information Assurance (IA) Positions of Trust - Identification of Positions or Duties with Privileged Access to Information Systems or Responsibility for Security Oversight of Information Systems |
| ☐ | SV-42733r3_rule | Background Investigations - Completed based Upon Position Sensitivity Levels for Information Assurance Positions of Trust |
| ☐ | SV-42745r3_rule | Periodic Reinvestigations - Submitted in a Timely Manner based Upon Position Sensitivity and Type of Investigation Required |
| ☐ | SV-42762r3_rule | Out-processing Procedures for Departing or Terminated Employees (Military, Government Civilian and Contractor) |
| ☐ | SV-42794r3_rule | Intrusion Detection System (IDS) Monitoring Station Personnel - Suitability Checks |
| ☐ | SV-42814r3_rule | Intrusion Detection System (IDS) Installation and Maintenance Personnel - Suitability Checks |
| ☐ | SV-42819r3_rule | Physical Security Program - Physical Security Plan (PSP) and/or Systems Security Plan (SSP) Development and Implementation with Consideration/Focus on Protection of Information System Assets in the Physical Environment |
| ☐ | SV-42878r3_rule | Risk Assessment -Holistic Review (site/environment/information systems) |
| ☐ | SV-42917r3_rule | Physical Protection of Unclassified Key System Devices/Computer Rooms in Large Processing Facilities |
| ☐ | SV-42937r3_rule | Restricted Area and Controlled Area Designation of Areas Housing Critical Information System Components or Classified /Sensitive Technology or Data |
| ☐ | SV-42938r3_rule | Security-in-Depth (AKA: Defense-in-Depth) - Minimum Physical Barriers and Access Control Measures for Facilities or Buildings Containing DoDIN (SIPRNet/NIPRNet) Connected Assets. |
| ☐ | SV-42939r3_rule | Visitor Control - To Facility or Organization with Information System Assets Connected to the DISN |
| ☐ | SV-42940r3_rule | Sensitive Item Control - Keys, Locks and Access Cards Controlling Access to Information Systems (IS) or IS Assets Connected to the DISN |
| ☐ | SV-42941r3_rule | Physical Penetration Testing - of Facilities or Buildings Containing Information Systems (IS) Connected to the DISN |
| ☐ | SV-42942r3_rule | Security and Cybersecurity Staff Appointment, Training/Certification and Suitability |
| ☐ | SV-42943r3_rule | Security Training - Information Security (INFOSEC) for ALL Employees; Military, Government Civilian and Contractor |
| ☐ | SV-42944r3_rule | Counter-Intelligence Program - Training, Procedures and Incident Reporting |
| ☐ | SV-43876r3_rule | Protected Distribution System (PDS) Construction - Alarmed Carrier |
| ☐ | SV-76119r1_rule | Environmental IA Controls - Emergency Power |
STIGQter: STIG Summary: