STIGQter STIGQter: STIG Summary: Traditional Security Checklist Version: 1 Release: 3 Benchmark Date: 15 Jun 2020:

Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Door Locks: Electric Strikes and/or Magnetic Locking devices used in access control systems shall be heavy duty, industrial grade and be configured to fail secure in the event of a total loss of power (primary and backup).

DISA Rule

SV-42205r3_rule

Vulnerability Number

V-31908

Group Title

Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Door Locks

Rule Version

IS-02.02.10

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Door Locks. Ensure the following configuration and control considerations are used as appropriate for the type of locks being used in access control systems protecting SIPRNet assets:

1. Electric Strikes and/or Magnetic Locking devices used in access control systems shall be heavy duty, industrial grade.

2. Backup batteries and/or emergency power generators should be connected to (AECS) components; however, the total loss of power should be planned for.

3. When used on secure rooms, vaults, or areas protecting SIPRNet equipment; electric strikes on doors will be set to fail secure in the event of power disruption.

4. On the primary ingress/egress door to secure rooms (which contains the combination lock) the strike may be set to fail open to facilitate access to the room in emergencies only if the door is under continuous visual observation when the combination lock is not secure. In this instance the combination lock will be immediately secured and subsequently opened as required to allow access to the room.

5. As an alternative the strike on the primary access door (under continuous visual control) may be set to fail secure and configured to allow for opening of the strike lock with a key.

6. Keys for such locks will be strictly controlled, inventoried periodically and not issued to individuals for retention.

7. KEYS TO SECURE ROOMS WILL NOT BE REMOVED FROM THE SITE.

8. When Magnetic Locks (Mag locks) are used on primary access doors the total loss of ALL power (primary and backup) will cause the lock to fail open. Therefore doors with mag locks installed must be under continuous visual observation when the combination lock is open.

9. Where Mag locks are used on primary access doors and upon a total power failure - the combination lock will be immediately secured and subsequently opened as required to allow access to the room.

10. Secondary doors not used for access (emergency egress only) should use standard locking door latches rather than electric strikes or mag locks.

11. Access hardware on the side of the door that is external to the room must be removed to prevent use of secondary doors for routine ingress.

12. In the event a mag lock is used on a secondary door, the door must be configured to be locked during a power disruption. This can be accomplished with internal sliding deadbolt locks or supplemental door latches. Any secondary door secured with Mag Locks must be under CONTINUOUS visual observation when the interior deadbolt locks are not engaged. Deadbolt locks must not be engaged while the room is occupied - for life safety, but will be secured upon closing the secure room or area.

Always be sure to coordinate door locking and emergency egress considerations with supporting facility risk management(fire/safety) personnel.

Check Contents

Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Door Lock Standards for Areas Containing SIPRNet Assets.

Check to ensure the following configuration and control considerations are used according to the types of locking mechanisms being used, as specified in each check:

Check #1. Electric Strikes and/or Magnetic Locking devices used in access control systems shall be heavy duty, industrial grade.

Check #2. Backup batteries and/or emergency power generators should be connected to AECS components; however, the total loss of power (primary and emergency) should also be planned for.

Check #3. When used on secure rooms, vaults or areas protecting SIPRNet equipment, electric strikes on doors will be set to fail secure in the event of power disruption.

Check #4. On the primary ingress/egress door to secure rooms (which contains the combination lock) the strike may be set to fail open to facilitate access to the room in emergencies only if the door is under continuous visual observation when the combination lock is not secure. In this instance the combination lock will be immediately secured and subsequently opened as required to allow access to the room.

Check #5. As an alternative the strike on the primary access door (only those under continuous visual control) may be set to fail secure and configured to allow for opening of the strike lock with a key.

Check #6. Keys for locks as discussed in check 5 will be strictly controlled, inventoried periodically and not issued to individuals for personal retention.

Check #7. KEYS TO SECURE ROOMS WILL NOT BE REMOVED FROM THE SITE.

Check #8. When Magnetic Locks (Mag locks) are used on primary access doors the total loss of ALL power (primary and backup) will cause the lock to fail open. Therefore doors with mag locks installed MUST BE UNDER CONTINUOUS VISUAL OBSERVATION WHEN THE COMBINATION LOCK IS OPEN.

Check #9. Where Mag locks are used on primary access doors and upon a total power failure - the combination lock will be immediately secured and subsequently opened as required to allow access to the room.

Check #10. Secondary doors not used for access (emergency egress only) should use standard locking door latches rather than electric strikes or mag locks.

Check #11. Access hardware on the side of the secondary door that is external to the room must be removed to prevent use of secondary doors for routine ingress.

Check #12. In the event a mag lock or electric strike is used on a secondary door, the door must be configured to be locked during a power disruption. This can be accomplished with internal sliding deadbolt locks or lockable door latches. Electric strikes on secondary doors should be set to fail secure. Any secondary door secured with Mag Locks must be under CONTINUOUS visual observation when the interior deadbolt locks are not engaged. Deadbolt locks must not be engaged while the room is occupied - for life safety, but will be secured upon closing the secure room or area.

TACTICAL ENVIRONMENT: This check is applicable where Secure Rooms are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Vulnerability Number

V-31908

Documentable

False

Rule Version

IS-02.02.10

Severity Override Guidance

Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Door Lock Standards for Areas Containing SIPRNet Assets.

Check to ensure the following configuration and control considerations are used according to the types of locking mechanisms being used, as specified in each check:

Check #1. Electric Strikes and/or Magnetic Locking devices used in access control systems shall be heavy duty, industrial grade.

Check #2. Backup batteries and/or emergency power generators should be connected to AECS components; however, the total loss of power (primary and emergency) should also be planned for.

Check #3. When used on secure rooms, vaults or areas protecting SIPRNet equipment, electric strikes on doors will be set to fail secure in the event of power disruption.

Check #4. On the primary ingress/egress door to secure rooms (which contains the combination lock) the strike may be set to fail open to facilitate access to the room in emergencies only if the door is under continuous visual observation when the combination lock is not secure. In this instance the combination lock will be immediately secured and subsequently opened as required to allow access to the room.

Check #5. As an alternative the strike on the primary access door (only those under continuous visual control) may be set to fail secure and configured to allow for opening of the strike lock with a key.

Check #6. Keys for locks as discussed in check 5 will be strictly controlled, inventoried periodically and not issued to individuals for personal retention.

Check #7. KEYS TO SECURE ROOMS WILL NOT BE REMOVED FROM THE SITE.

Check #8. When Magnetic Locks (Mag locks) are used on primary access doors the total loss of ALL power (primary and backup) will cause the lock to fail open. Therefore doors with mag locks installed MUST BE UNDER CONTINUOUS VISUAL OBSERVATION WHEN THE COMBINATION LOCK IS OPEN.

Check #9. Where Mag locks are used on primary access doors and upon a total power failure - the combination lock will be immediately secured and subsequently opened as required to allow access to the room.

Check #10. Secondary doors not used for access (emergency egress only) should use standard locking door latches rather than electric strikes or mag locks.

Check #11. Access hardware on the side of the secondary door that is external to the room must be removed to prevent use of secondary doors for routine ingress.

Check #12. In the event a mag lock or electric strike is used on a secondary door, the door must be configured to be locked during a power disruption. This can be accomplished with internal sliding deadbolt locks or lockable door latches. Electric strikes on secondary doors should be set to fail secure. Any secondary door secured with Mag Locks must be under CONTINUOUS visual observation when the interior deadbolt locks are not engaged. Deadbolt locks must not be engaged while the room is occupied - for life safety, but will be secured upon closing the secure room or area.

TACTICAL ENVIRONMENT: This check is applicable where Secure Rooms are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

Check Content Reference

M

Target Key

2506

Comments