STIGQter: STIG Summary: Traditional Security Checklist Version: 1 Release: 3 Benchmark Date: 15 Jun 2020:

Information Assurance (IA) Positions of Trust - Identification of Positions or Duties with Privileged Access to Information Systems or Responsibility for Security Oversight of Information Systems

DISA Rule

SV-42709r3_rule

Vulnerability Number

V-32372

Group Title

Information Assurance Positions of Trust

Rule Version

PE-04.02.01

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Ensure that organization manning documents (e.g., JTD) and position descriptions for Military and Government Civilians, and the statement of work (SOW) and/or DD 254 (Contract Security Specification) for Contractors, are available for identification of Information Assurance (IA) Positions of Trust.

IA (AKA: Cyber Security) Positions of Trust must be identified for each civilian and military position, and for each contractor employee's duties contained in statements of work, wherever an employee has cyber-security-related duties (e.g., privileged access or security oversight) on a DoDIN Information System (IS) (e.g., SIPRNet or NIPRNet). This is required for members of the DoD workforce conducting Cyber Security (AKA: Information Assurance (IA)) functions in assigned duty positions. Examples include but are not limited to: Information System Security Manager (ISSM), Information System Security Officer (ISSO), and System Administrator (SA). These are positions consistent with the IA Workforce Improvement Program (DoD 8570.01-M) that are required to be trained, certified and specially vetted for integrity and loyalty.

Ensure that positions identified within manning documents, position descriptions, and SOWs that have Privileged Access or Responsibility for Oversight of Systems Security (e.g., System Administrators, ISSM or ISSO) on DoDIN systems are in positions identified as Critical-Sensitive. This result may be established and/or validated using the legacy ADP Position Criteria (ADP-1 in this instance) or by using the OPM Position Designation Tool (PDT).

NOTE 1: Information Assurance (IA) Positions of Trust are specifically those positions with Privileged Access to an Information System(s) or positions with responsibility for Oversight of Systems Security. Examples are System Administrators (SA), Information System Security Managers (ISSM), Information System Security Officers (ISSO), Information System Engineers, System Designers…

NOTE 2: Information Assurance (IA) Positions of Trust were identified under the Automated Data Processing (ADP) (AKA: Information Technology (IT)) Position Categories and Criteria IAW the DoD 5200.2-R, Personnel Security Program, January 1987. These long-established legacy ADP Categories were not included in the update to the DoD PERSEC Program contained in the DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), dated 3 April 2017.

NOTE 3: Because many organizations have institutionalized the ADP Categories and Criteria, the use of this legacy methodology for identification and designation of position sensitivity for IT Positions of Trust may still be used in lieu of the OPM Position Designation Tool (PDT) for compliance with requirements in this STIG Rule.

NOTE 4: Personnel Occupying Information Assurance (IA) Positions of Trust under the legacy program are designated ADP-1, ADP-2 and ADP-3. DoD military, civilian personnel, consultants, and contractor personnel performing on unclassified automated information systems may be assigned to one of three position sensitivity designations (in accordance with Appendix 10 of the legacy DoD 5200.2-R, Personnel Security Program) and MINIMALLY investigated as follows:

ADP-I (AKA: IT-1): SSBI / SBPR / PPR / T5 (Tier 5) / T5R (Tier 5 Reinvestigation)

ADP-II (AKA: IT-2): ANACI / NACI / NACLC / S-PR / T3 (Tier 3) / T3R (Tier 3 Reinvestigation)

ADP-III (AKA: IT-3): NAC / ENTNAC / T1 (Tier 1) / T2S (Tier 2 with Subject Interview) / T2RS (Tier 2 Reinvestigation with Subject Interview). Note that ADP-III/IT-3 positions are all authorized (basic/routine) system users who are not in designated IA positions under the IA Workforce Improvement Program (e.g., not having privileged access or responsibility for systems security oversight).

Those personnel falling in the above ADP categories who also require access to classified information will, of course, be subject to the appropriate investigative scope for the level of security clearance required. The investigative scope for clearances may exceed but not be less than that required for the designated ADP level.

NOTE 5: Privileged access typically provides access to the following system controls IAW Change 4, APPENDIX 1 of the DoD 8570.01-M:
- Access to the control functions of the information system/network, administration of user accounts, etc.
- Access to change control parameters (e.g., routing tables, path priorities, addresses) of routers, multiplexers, and other key information system/network equipment or software.
- Ability and authority to control and change program files, and other users’ access to data.
- Direct access to operating system level functions (also called unmediated access) that would permit system controls to be bypassed or changed.
- Access and authority for installing, configuring, monitoring, or troubleshooting the security monitoring functions of information systems/networks (e.g., network/system analyzers; intrusion detection software; firewalls) or in performance of cyber/network defense operations.

NOTE 6: Certain employees with very limited AND "supervised" privileged access on information systems may be in positions designated as IT-2. Documented procedures must be available for how IT-2 privileged access is checked/supervised by IT-1 privileged access persons. For instance, regular review of system audit logs would be a normal part of the supervised privileged access procedure. Additionally, documentation reflecting actual verification/checks by IT-1 persons of work conducted by IT-2 persons must be maintained for audit purposes for at least 90 days.

Check Contents

Check to ensure that positions identified under STIG Rule PE-02.02.01, Position Sensitivity, that have Privileged Access or Responsibility for Oversight of Systems Security (e.g., System Administrators, ISSM or ISSO) on DoDIN systems are in positions identified as Critical-Sensitive. This result may be established and/or validated using the legacy ADP Position Criteria (ADP-1 in this instance) or by using the OPM Position Designation Tool (PDT).

This is required for members of the DoD workforce conducting Cyber Security (AKA: Information Assurance (IA)) functions in assigned duty positions. Examples include but are not limited to: Information System Security Manager (ISSM), Information System Security Officer (ISSO), and System Administrator (SA). These are positions consistent with the IA Workforce Improvement Program (DoD 8570.01-M) that are required to be trained, certified and specially vetted for integrity and loyalty.

NOTE 1: Information Assurance (IA) Positions of Trust are specifically those positions with Privileged Access to an Information System(s) or positions with responsibility for Oversight of Systems Security. Examples are System Administrators (SA), Information System Security Managers (ISSM), Information System Security Officers (ISSO), Information System Engineers, System Designers…

NOTE 2: Formerly, Information Assurance (IA) Positions of Trust were identified under the Automated Data Processing (ADP) (AKA: Information Technology (IT)) Position Categories and Criteria IAW the DoD 5200.2-R, Personnel Security Program, January 1987. These long-established legacy ADP Categories were not included in the update to the DoD PERSEC Program contained in the DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), dated 3 April 2017.

NOTE 3: Because many organizations have institutionalized the ADP Categories and Criteria, the use of this legacy methodology for identification and designation of position sensitivity for IT Positions of Trust may still be used in lieu of the OPM Position Designation Tool (PDT) for compliance with requirements in this STIG Rule.

NOTE 4: Personnel Occupying Information Assurance (IA) Positions of Trust under the legacy program are designated ADP-1, ADP-2 and ADP-3. DoD military, civilian personnel, consultants, and contractor personnel performing on unclassified automated information systems may be assigned to one of three position sensitivity designations (in accordance with Appendix 10 of the legacy DoD 5200.2-R, Personnel Security Program) and MINIMALLY investigated as follows:

ADP-I (AKA: IT-1): SSBI / SBPR / PPR / T5 (Tier 5) / T5R (Tier 5 Reinvestigation)

ADP-II (AKA: IT-2): ANACI / NACI / NACLC / S-PR / T3 (Tier 3) / T3R (Tier 3 Reinvestigation)

ADP-III (AKA: IT-3): NAC / ENTNAC / T1 (Tier 1) / T2S (Tier 2 with Subject Interview) / T2RS (Tier 2 Reinvestigation with Subject Interview). Note that ADP-III/IT-3 positions are all authorized (basic/routine) system users who are not in designated IA positions under the IA Workforce Improvement Program (e.g., not having privileged access or responsibility for systems security oversight).

Those personnel falling in the above ADP categories who also require access to classified information will, of course, be subject to the appropriate investigative scope for the level of security clearance required. The investigative scope for clearances may exceed but not be less than that required for the designated ADP level.

NOTE 5: Privileged access typically provides access to the following system controls IAW Change 4, APPENDIX 1 of the DoD 8570.01-M:
- Access to the control functions of the information system/network, administration of user accounts, etc.
- Access to change control parameters (e.g., routing tables, path priorities, addresses) of routers, multiplexers, and other key information system/network equipment or software.
- Ability and authority to control and change program files, and other users’ access to data.
- Direct access to operating system level functions (also called unmediated access) that would permit system controls to be bypassed or changed.
- Access and authority for installing, configuring, monitoring, or troubleshooting the security monitoring functions of information systems/networks (e.g., network/system analyzers; intrusion detection software; firewalls) or in performance of cyber/network defense operations.

NOTE 6: Certain employees with very limited AND "supervised" privileged access on information systems may be in positions designated as IT-2. Documented procedures must be available for how IT-2 privileged access is checked/supervised by IT-1 privileged access persons. For instance, regular review of system audit logs would be a normal part of the supervised privileged access procedure. Additionally, documentation reflecting actual verification/checks by IT-1 persons of work conducted by IT-2 persons must be maintained for audit purposes for at least 90 days.

NOTE 7: All designated IA Positions IAW DoD 8570.01-M (IAT Levels I-III or IAM Levels I-III) must be checked by reviewers, time permitting. Random checks of all other site personnel records should be made.

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments and is also applicable to a field/mobile environment.

Documentable

False

Severity Override Guidance

Same as Check Contents.

Check Content Reference

M

Potential Impact

Related STIG rules:
PE-02.02.01 - Position Sensitivity - Based on Security Clearance and/or Information Technology (IT) Systems Access Level or Responsibility for Security Oversight on Assigned Information Systems (IS)
PE-03.02.01 - Validation Procedures for Security Clearance Issuance (Classified Systems and/or Physical Access Granted)
PE-05.02.01 - Background Investigations
PE-06.03.01 - Periodic Reinvestigations

Target Key

2506

Comments