STIGQter: STIG Summary: Traditional Security Checklist, Version: 1, Release: 3, Benchmark Date: 15 Jun 2020

Visitor Control - To Facility or Organization with Information System Assets Connected to the DISN

DISA Rule

SV-42939r3_rule

Vulnerability Number

V-32602

Group Title

Visitor Control - To Facility or Organization

Rule Version

PH-06.02.01

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Review visitor control procedures and implementation and ensure they include verification of clearance/investigation status (where required for access), personal identification of visitor, registering of visitors, proper badging (using DoD issued Common Access Cards (CAC) or other authorized credentials) and escorts.

NOTE: Detailed audit logs of all facility visitors should be maintained for at least 90 days. Automated Entry Control System (AECS) electronic logs may be used to meet this requirement.

Check Contents

Review visitor control procedures and implementation and ensure they include verification of clearance/investigation status (where required for access), personal identification of visitor, registering of visitors, proper badging (using DoD issued Common Access Cards (CAC) or other authorized credentials) and escorts.

NOTE 1: Traditional Security reviewers may be able to evaluate implementation of the visitor process by reviewing how the review team was identified and badged.

NOTE 2: Detailed audit logs of all facility visitors should be maintained for at least 90 days. Automated Entry Control System (AECS) electronic logs may be used to meet this requirement.

NOTE 3: Additional interviews can be conducted with personnel handling the visitor control function.

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments. Not applicable to a field/mobile environment.

Documentable

False

Severity Override Guidance

Review visitor control procedures and implementation and ensure they include verification of clearance/investigation status (where required for access), personal identification of visitor, registering of visitors, proper badging (using DoD issued Common Access Cards (CAC) or other authorized credentials) and escorts.

NOTE 1: Traditional Security reviewers may be able to evaluate implementation of the visitor process by reviewing how the review team was identified and badged.

NOTE 2: Detailed audit logs of all facility visitors should be maintained for at least 90 days. Automated Entry Control System (AECS) electronic logs may be used to meet this requirement.

NOTE 3: Additional interviews can be conducted with personnel handling the visitor control function.

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments. Not applicable to a field/mobile environment.

Check Content Reference

M

Target Key

2506
