Ensure the classified or sensitive information is transmitted over approved communications systems or non-DoD systems, and an NSA Type 1 certified remote access security solution is in place for remote access to a classified network and is only used from an approved location.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-19830	SRC-RAP-030	SV-21993r1_rule		High

Description
Failure to use approved communications equipment and security measure can lead to unauthorized disclosure, loss, or compromise of classified information.

STIG	Date
Remote Access Policy STIG	2016-03-28

Details

Check Text ( C-21322r1_chk )
Interview the IAO. Ask if users are allowed to process classified information from remote locations. Work with the traditional reviewers to determine if there is a classified handling/transmitting policy in place for remote access. Also, ask if classified information is tunnelled using communications channels which are not secured to the level of classification transmitted without complying with the DSAWG Position Paper requirements as follows: - C2: The policy is to minimize tunneling classified information over transport other than SIPRNet. The SIPRNet will be the network of choice for C2 traffic. - Classified C2, or related requirements, across the NIPRNet are specifically denied except to meet operationally urgent conditions as defined and approved by the DSAWG and the DISN DAAs. - Non-C2: The Local DAA may approve tunneling classified information across an unclassified IP infrastructure if deemed operationally necessary. This must be documented and approved by the Classified Connection Approval Office (CCAO) and the Classified Data Service Manager (DISA/GS21). Supported rationale will be presented to the CDSM. - Type 1 encryption will be employed. - Must be documented in the DIACAP Implementation Plan (DIP) - Termination of the tunnel will be in facilities authorized to process classified US Government information classified at the Secret level. For the use of an ISP, a GIG Waiver must be issued by the OSD GIG Waiver Panel. SCI will not be tunneled. This does not alter or supersede any other DoD or DCI guidance or policy. **This check applies to Enhanced Compliance Validation visits.

Check Text ( C-21322r1_chk )

Interview the IAO. Ask if users are allowed to process classified information from remote locations.

Work with the traditional reviewers to determine if there is a classified handling/transmitting policy in place for remote access. Also, ask if classified information is tunnelled using communications channels which are not secured to the level of classification transmitted without complying with the DSAWG Position Paper requirements as follows:

- C2: The policy is to minimize tunneling classified information over transport other than SIPRNet. The SIPRNet will be the network of choice for C2 traffic.

- Classified C2, or related requirements, across the NIPRNet are specifically denied except to meet operationally urgent conditions as defined and approved by the DSAWG and the DISN DAAs.

- Non-C2: The Local DAA may approve tunneling classified information across an unclassified IP infrastructure if deemed operationally necessary. This must be documented and approved by the Classified Connection Approval Office (CCAO) and the Classified Data Service Manager (DISA/GS21). Supported rationale will be presented to the CDSM.

- Type 1 encryption will be employed.

- Must be documented in the DIACAP Implementation Plan (DIP)

- Termination of the tunnel will be in facilities authorized to process classified US Government information classified at the Secret level. For the use of an ISP, a GIG Waiver must be issued by the OSD GIG Waiver Panel. SCI will not be tunneled. This does not alter or supersede any other DoD or DCI guidance or policy.

**This check applies to Enhanced Compliance Validation visits.

Fix Text (F-19138r1_fix)
The IAO will ensure classified information is not transmitted over any communications system unless it is transmitted using approved NSA security devices in addition to approved security procedures and practices.