STIGQter STIGQter: STIG Summary: Traditional Security Checklist Version: 1 Release: 3 Benchmark Date: 15 Jun 2020:

Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) and Intrusion Detection System (IDS) Head-End Equipment Protection: The physical location (room or area) containing AECS and IDS head-end equipment (server and/or work station/monitoring equipment) where authorization, personal identification or verification data is input, stored, or recorded and/or where system status/alarms are monitored must be physically protected.

DISA Rule

SV-41832r3_rule

Vulnerability Number

V-31549

Group Title

Vault/Secure Room Storage Standards - AECS/IDS Head-End Equipment Protection

Rule Version

IS-02.01.15

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

1. The physical location containing the primary IDS "head-end" equipment (server and/or work station/monitoring equipment) must be located in a continuously occupied location (eg., guard monitoring station for alarms and CCTV).

2. The continuously occupied space must limit unescorted access to only those employees responsible for monitoring or controlling the IDS and/or AECS. Automated entry control system card/badge readers or cipher locks should be used to fulfill this requirement.

3. If not co-located with the IDS "head-end" equipment; the physical location containing the primary AECS "head-end" equipment must be located in a continuously occupied location OR protected minimally within a room with a BMS alarm contact on each door, window or opening and with interior motion detection sensors that are activated at the end of each duty day.

4. AECS system card readers with coded access cards or badges (not cipher locks or keyed locks) must be used to secure the doors to rooms protecting AECS "head-end" equipment that are not located within a continuously occupied location.

5. Alarms from sensors in the room protecting AECS "head-end" equipment must be monitored at the primary IDS monitoring location.

6. A secondary or supplemental AECS server/workstation or IDS data/monitoring workstation might not be located in a 24/7 occupied work space. In instances when AECS or IDS secondary head-end equipment is not continuously attended by employees responsible for monitoring or controlling it - it must be protected minimally within a room with a BMS alarm contact on each door, window or opening and interior motion detection sensors are installed and activated at the end of each duty day.

7. AECS system card readers with coded access cards or badges (not cipher locks or keyed locks) must be used to secure the doors to rooms protecting secondary IDS or AECS "head-end" equipment that are not located within a continuously occupied location.

8. Alarms from sensors in the room protecting secondary IDS or AECS "head-end" equipment must be monitored at the primary IDS monitoring location.

9. If 4-hour checks are used in lieu of IDS for vaults, secure rooms or collateral classified open storage areas; then 4-hour checks of the room or area used to house the (secondary) IDS and/or (primary/secondary) ACS "head-end" equipment may also be used. The use of 4-hour checks in lieu of IDS to protect (secondary) IDS and/or (primary/secondary) AECS "head-end" equipment must be based on a documented risk assessment.

10. If used, random checks (not to exceed 4-hours) of the room or area used to house the IDS or AECS "head-end" equipment must be documented and maintained on file for a minimum of 90 days.

Check Contents

Requirements Summary:

Protection must be established and maintained for all component devices or equipment that constitute the automated entry control system (AECS) and/or the intrusion detection system (IDS) used to protect a vault, secure room or collateral classified open storage area, which contains SIPRNet assets.

In particular the physical location (room or area) containing AECS and IDS "head-end" equipment (server and/or work station/monitoring equipment) where authorization, personal identification or verification data is input, stored, or recorded and/or where system status/alarms are monitored must be protected.

CHECKS:

Check #1. Check to ensure the physical location containing the primary IDS "head-end" equipment (server and/or work station/monitoring equipment) is in a continuously occupied location (eg., guard monitoring station - for alarms and CCTV). (CAT I)

Check #2. Check to ensure the continuously occupied space limits unescorted access to only those employees responsible for monitoring or controlling the IDS and/or AECS. Automated entry control system card/badge readers or cipher locks may be used to fulfill this requirement. (CAT II)

Check #3. If not co-located with the IDS "head-end" equipment; check to ensure the physical location containing the primary AECS "head-end" equipment is in a continuously occupied location OR protected minimally within a room with a BMS alarm contact on each door, window or opening and with interior motion detection sensors that are activated at the end of each duty day. (CAT II)

Check #4. Check to ensure that AECS system card readers with coded access cards or badges (not cipher locks or keyed locks) are used to secure the doors to rooms protecting AECS "head-end" equipment that are not located within a continuously occupied location. (CAT II)

Check #5. Check to ensure that alarms from sensors in the room protecting AECS "head-end" equipment are monitored at the primary IDS monitoring location. (CAT II)

Check #6. A secondary or supplemental AECS server/workstation or IDS data/monitoring workstation might not be located in a 24/7 occupied work space. In instances when AECS or IDS secondary head-end equipment is not continuously attended by employees responsible for monitoring or controlling it - Check to ensure it is protected minimally within a room with a BMS alarm contact on each door, window or opening and interior motion detection sensors are installed and activated at the end of each duty day. (CAT I)

Check #7. Check to ensure that AECS system card readers with coded access cards or badges (not cipher locks or keyed locks) are used to secure the doors to rooms protecting secondary IDS or AECS "head-end" equipment that are not located within a continuously occupied location. (CAT II)

Check #8. Check to ensure that alarms from sensors in the room protecting secondary IDS or AECS "head-end" equipment are monitored at the primary IDS monitoring location. (CAT I)

Check #9. If 4-hour checks are used in lieu of IDS for vaults, secure rooms or collateral classified open storage areas; then 4-hour checks of the room or area used to house the (secondary) IDS and/or (primary/secondary) AECS "head-end" equipment may also be used in lieu of an IDS. Check to ensure the use of 4-hour checks in lieu of IDS to protect (secondary) IDS and/or (primary/secondary) AECS "head-end" equipment is based on a documented risk assessment. (CAT II)

Check #10. If used, check to ensure that random checks (not to exceed 4-hours) of the room or area used to house the IDS or AECS "head-end" equipment are documented and maintained on file for a minimum of 90 days. (CAT II)

TACTICAL ENVIRONMENT: This check is applicable where Vaults/Secure Rooms are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Vulnerability Number

V-31549

Documentable

False

Rule Version

IS-02.01.15

Severity Override Guidance

Requirements Summary:

Protection must be established and maintained for all component devices or equipment that constitute the automated entry control system (AECS) and/or the intrusion detection system (IDS) used to protect a vault, secure room or collateral classified open storage area, which contains SIPRNet assets.

In particular the physical location (room or area) containing AECS and IDS "head-end" equipment (server and/or work station/monitoring equipment) where authorization, personal identification or verification data is input, stored, or recorded and/or where system status/alarms are monitored must be protected.

CHECKS:

Check #1. Check to ensure the physical location containing the primary IDS "head-end" equipment (server and/or work station/monitoring equipment) is in a continuously occupied location (eg., guard monitoring station - for alarms and CCTV). (CAT I)

Check #2. Check to ensure the continuously occupied space limits unescorted access to only those employees responsible for monitoring or controlling the IDS and/or AECS. Automated entry control system card/badge readers or cipher locks may be used to fulfill this requirement. (CAT II)

Check #3. If not co-located with the IDS "head-end" equipment; check to ensure the physical location containing the primary AECS "head-end" equipment is in a continuously occupied location OR protected minimally within a room with a BMS alarm contact on each door, window or opening and with interior motion detection sensors that are activated at the end of each duty day. (CAT II)

Check #4. Check to ensure that AECS system card readers with coded access cards or badges (not cipher locks or keyed locks) are used to secure the doors to rooms protecting AECS "head-end" equipment that are not located within a continuously occupied location. (CAT II)

Check #5. Check to ensure that alarms from sensors in the room protecting AECS "head-end" equipment are monitored at the primary IDS monitoring location. (CAT II)

Check #6. A secondary or supplemental AECS server/workstation or IDS data/monitoring workstation might not be located in a 24/7 occupied work space. In instances when AECS or IDS secondary head-end equipment is not continuously attended by employees responsible for monitoring or controlling it - Check to ensure it is protected minimally within a room with a BMS alarm contact on each door, window or opening and interior motion detection sensors are installed and activated at the end of each duty day. (CAT I)

Check #7. Check to ensure that AECS system card readers with coded access cards or badges (not cipher locks or keyed locks) are used to secure the doors to rooms protecting secondary IDS or AECS "head-end" equipment that are not located within a continuously occupied location. (CAT II)

Check #8. Check to ensure that alarms from sensors in the room protecting secondary IDS or AECS "head-end" equipment are monitored at the primary IDS monitoring location. (CAT I)

Check #9. If 4-hour checks are used in lieu of IDS for vaults, secure rooms or collateral classified open storage areas; then 4-hour checks of the room or area used to house the (secondary) IDS and/or (primary/secondary) AECS "head-end" equipment may also be used in lieu of an IDS. Check to ensure the use of 4-hour checks in lieu of IDS to protect (secondary) IDS and/or (primary/secondary) AECS "head-end" equipment is based on a documented risk assessment. (CAT II)

Check #10. If used, check to ensure that random checks (not to exceed 4-hours) of the room or area used to house the IDS or AECS "head-end" equipment are documented and maintained on file for a minimum of 90 days. (CAT II)

TACTICAL ENVIRONMENT: This check is applicable where Vaults/Secure Rooms are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Check Content Reference

M

Target Key

2506

Comments