STIGQter: STIG Summary: Traditional Security Checklist, Version: 1, Release: 3, Benchmark Date: 15 Jun 2020

Information Assurance - System Access Control Records (DD Form 2875 or equivalent)

DISA Rule

SV-41058r3_rule

Vulnerability Number

V-31011

Group Title

Information Assurance - System Access Control Records

Rule Version

IA-05.02.01

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

1. Written procedures for personnel who request access to a computer system must be developed.

2. A System Authorization Access Request (SAAR) form (DD Form 2875 or equivalent) must be used to define and control individual access for systems. If applicable, the most current version of the DD Form 2875, SAAR must be used. Locally developed or Service level forms may also be used if the same information found on the DD Form 2875 is used.

3. Local or Service level System Authorization Access Request (SAAR) forms must, at a minimum, contain the information needed to check compliance with security requirements for privileged, routine user, classified and unclassified systems access, as the DD Form 2875 does. Information required includes identification of the individual requesting access, signature dates, supervisory approval, ISSM and SM approval, investigation level and security clearance required, investigation and security clearance possessed, IA (AKA: ADP) position level, and the date Information Assurance Training was completed.

4. A separate "User Agreement" must be signed by each user before access is granted. This includes both system "users" and "privileged account holders" (System Administrators...). For privileged users, a signed Privileged Access Statement IAW Appendix 4 of DoD 8570.01-M, Information Assurance Workforce Improvement Program, is required.

Check Contents

1. Check to ensure there are written procedures for personnel who request access to a computer system.

2. Note in the report finding details what access form is used (locally developed, Service level or DD Form 2875).

3. If applicable, ensure the most current version of the DD Form 2875, System Authorization Access Request (SAAR), is being used.

4. Note what training is required/conducted before system access is granted.

5. Review a sample of system access request forms to ensure the forms contain appropriate information for checking compliance with security requirements for privileged, user, classified and unclassified systems access. Information required will include identification of the individual requesting access, signature dates, supervisory approval, ISSM and SM approval, investigation level and security clearance required, investigation and security clearance possessed, IA (AKA: ADP) position level, and the date Information Assurance Training was completed.

6. Check to ensure a separate "User Agreement" also exists for both system "users" and for "privileged account holders" (System Administrators...). For privileged users, a signed Privileged Access Statement IAW Appendix 4 of DoD 8570.01-M, Information Assurance Workforce Improvement Program, is required.

7. In a tactical environment, the forms used to control systems access might not be readily accessible in the field. Determine where the forms are maintained and, if the location is not within reach, attempt to obtain a sample copy of a completed form via fax, email, etc. Fixed locations with IA staff assigned should have the forms available.

Documentable

False

Severity Override Guidance

1. Check to ensure there are written procedures for personnel who request access to a computer system.

2. Note in the report finding details what access form is used (locally developed, Service level or DD Form 2875).

3. If applicable, ensure the most current version of the DD Form 2875, System Authorization Access Request (SAAR), is being used.

4. Note what training is required/conducted before system access is granted.

5. Review a sample of system access request forms to ensure the forms contain appropriate information for checking compliance with security requirements for privileged, user, classified and unclassified systems access. Information required will include identification of the individual requesting access, signature dates, supervisory approval, ISSM and SM approval, investigation level and security clearance required, investigation and security clearance possessed, IA (AKA: ADP) position level, and the date Information Assurance Training was completed.

6. Check to ensure a separate "User Agreement" also exists for both system "users" and for "privileged account holders" (System Administrators...). For privileged users, a signed Privileged Access Statement IAW Appendix 4 of DoD 8570.01-M, Information Assurance Workforce Improvement Program, is required.

7. In a tactical environment, the forms used to control systems access might not be readily accessible in the field. Determine where the forms are maintained and, if the location is not within reach, attempt to obtain a sample copy of a completed form via fax, email, etc. Fixed locations with IA staff assigned should have the forms available.

Check Content Reference

M

Target Key

2506
