COAS-2 CAT I Proper Alternate Site Is Not Identified


UNCLASSIFIED Information Assurance Controls Verification & Validation Workbook


July 18, 2012

Prepared by:

United States Pacific Command Code J632 Cyber Security Branch, Building 700 Camp H.M. Smith, HI 96861-4029


DOCUMENT CHANGE TABLE

DATE          AUTHOR                     CHANGES MADE               VERSION
27 JUN 2012   ROBBINS, P.; MARGOLIN, J.  DRAFT - MAC II Controls    1.00
18 JUL 2012   STROHL, I.                 REFERENCES ADDED           1.01

COAS Alternate Site Designation


An alternate site is identified that permits the restoration of all mission or business essential functions.

YES/NO/NA
1. Do you have a disaster recovery plan (DRP) that is documented? Provide as attachment.
2. Is an alternate site(s) identified within the DRP? Provide the Service Level Agreement (SLA).
3. Does the DRP identify accessibility issues to the alternate site?
4. Does the SLA include procedures or contracts for ordering essential equipment and supplies?
5. Does the SLA identify the prioritization of services?
6. Do you have a Continuity of Operations Plan (COOP) that is documented? Provide as attachment.
7. Does the COOP address: (i) Power Failure, (ii) Natural Disasters, (iii) scheduled and unscheduled outages, and (iv) cyber-security incidents?
8. Do you have a Business Impact Analysis (BIA) that is documented? Provide as attachment.
9. Does the BIA: (i) prioritize mission or business functions, (ii) identify the maximum allowable down-time for systems, and (iii) describe impact to the mission?
10. Do you have a contingency plan that is documented? Provide as attachment.
11. Does the contingency plan list: (i) system administrators and key personnel, and (ii) resources required (hardware, software, facility, and network infrastructure) to support mission-essential functions?

References: DODI 8500.2, SP 800-53

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


COBR Protection of Backup and Restoration Assets

Procedures are in place to assure the protection of backup and restoration hardware.

YES/NO/NA
1. Do you have a documented site backup plan that includes backup, recovery, and protection procedures for assets (SANs, tapes, software, etc.) that are used for data restoration? Provide as attachment.
2. Do you have an inventory that includes descriptions and locations of all backup and restoration assets used for data restoration? Is it documented? Provide as attachment.
3. Do you provide physical (storage) and technical security protection (access controls) for archived backup and restoration assets that are used for data restoration? Is it documented? Provide as attachment and verify with auditor.
4. Do you use fire-rated containers to store media containing backed-up data? Is it documented? Provide as attachment.

References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


CODB Data Backup Procedures

Data backup is performed daily, and recovery media is stored off-site at a location that affords protection of the data in accordance with its mission assurance category and confidentiality level.

YES/NO/NA
1. Are backups performed and logged (at least) daily? Are the process and/or procedures documented? Provide as attachment.
2. Are backups tested for reliability and integrity (corruption) (at least) annually? Are test results documented? Provide as attachment.
3. Is the media used for recovery (according to MAC and confidentiality level) protected, stored off-site, and properly labeled? Are the process and/or procedures documented? Is there an SLA with the off-site location? Provide as attachment.
4. Verify with the auditor that system backups are being conducted on a daily basis. Provide activity logs/records (past 48 hours) of recovery as an attachment.
5. Are exceptions governing the storage of recovery media vetted through a Configuration Control Board (CCB)? Provide approved waivers as attachment.

References: DODI 8500.2, SP 800-53

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


CODP Disaster and Recovery Planning

A disaster plan (including business recovery plans, system contingency plans, facility disaster recovery plans) exists that provides for the resumption of mission or business essential functions within 24 hours of activation.

YES/NO/NA
1. Can mission or business essential functions partially resume within 24 hours of activation? Are the process and/or procedures documented? Provide as attachment.
2. Do you have a disaster recovery plan (DRP) that is documented and signed by the system owner or DAA? Provide as attachment.
3. Does the DRP include a documented Business Continuity/Recovery Plan (SOPs, COOP, emergency and incident response plans, etc.)?
4. Does the DRP include a contingency plan that is documented? Provide as attachment.
5. Does the contingency plan list: (i) system administrators and key personnel, and (ii) resources required (hardware, software, facility, and network infrastructure) to support mission-essential functions?
6. Does the DRP include a facility recovery plan listing physical security measures? Provide as attachment.

References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


COEB Enclave Boundary Defense

Enclave boundary defense at the alternate site provides security measures equivalent to the primary site.

YES/NO/NA
1. Does the enclave boundary defense architecture for the primary site match the alternate? Is it documented within the SLA or MOU/MOA? Provide as attachment.
2. Is an alternate site(s) identified within the DRP? Provide the Service Level Agreement (SLA).

References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


COED Scheduled Exercises and Drills

The continuity of operations or disaster recovery plans are exercised annually.

YES/NO/NA
1. Do you have a Continuity of Operations Plan (COOP) or Disaster Recovery Plan (DRP) that is documented? Provide as attachment.
2. Does the COOP address: (i) Power Failure, (ii) Natural Disasters, (iii) scheduled and unscheduled outages, and (iv) cyber-security incidents?
3. Does the DRP include a documented Business Continuity/Recovery Plan (SOPs, COOP, emergency and incident response plans, etc.)?
4. Has a table-top exercise been conducted on all parts of the COOP or DRP within the last 365 days? Are the results documented? Provide as attachment.
5. Do you have Plans of Action & Milestones (POA&M) for deficiencies identified as a result of the table-top exercise? Provide as attachment.
6. Are backups tested for reliability and integrity (corruption) (at least) annually? Are test results documented? Provide as attachment.

References: DODI 8500.2, SP 800-53

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


COEF Identification of Essential Functions

Mission and business-essential functions and assets are identified for priority restoration planning.

YES/NO/NA
1. Do you have a Continuity of Operations Plan (COOP), Disaster Recovery Plan (DRP), Incident Response, Emergency Plan, or related plan that is/are documented? Provide as attachment.
2. Does the related plan include a documented Business Continuity/Recovery Plan (SOPs, COOP, emergency and incident response plans, etc.)?
3. Does the related contingency plan identify the prioritization of IT assets for restoration?

References: DODI 8500.2, SP 800-53

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


COMS Maintenance Support

Maintenance support for key IT assets is available to respond 24 x 7 immediately upon failure.

YES/NO/NA
1. Are key assets covered by a 24x7 response agreement? Is it documented within the SLA, MOU/MOA, contracts, and/or vendor agreements? Provide as attachment.
2. Is routine and preventive maintenance being conducted on key assets? Is it being documented? Provide as attachment.
3. Is the integrity and functionality of appropriate security features being checked after maintenance?
4. Is a log being maintained and updated for (i) time of maintenance, (ii) name of individuals performing the maintenance, (iii) description of the maintenance being performed, and (iv) list of affected equipment? Provide as attachment.

References: DODI 8500.2, SP 800-53

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


COPS Power Supply

Electrical systems are configured to allow continuous or uninterrupted power to key IT assets. This may include an uninterrupted power supply coupled with emergency generators.

YES/NO/NA
1. Do you have key computing facilities that house key IT assets? Are they documented? Provide as attachment.
2. Do you have an emergency power backup plan for the key computing facilities? Is it documented? Provide as attachment.
3. Are electrical systems installed and configured to allow continuous or uninterrupted power to key IT assets? Verify with the auditor.

References: DODI 8500.2, SP 800-53

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


COSP Spares and Parts

Maintenance spares and spare parts for key IT assets can be obtained within 24 hours of failure.

YES/NO/NA
1. Are spare parts for key IT assets covered by a 24-hour response agreement? Is it documented within the SLA, MOU/MOA, contracts, and/or vendor agreements? Provide as attachment.

References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


COSW Backup Copies of Critical Software

Back-up copies of the operating system and other critical software are stored in a fire-rated container or otherwise not collocated with the operational software.

YES/NO/NA
1. Do you have an up-to-date listing of software? Provide as attachment.
2. Does the list of software identify critical software and the OS?
3. Is (at least) one licensed copy of each OS and critical piece of software stored in a fire-rated container or off-site? Verify with the auditor.

References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


COTR Trusted Recovery

Recovery procedures and technical system features exist to ensure that recovery is done in a secure and verifiable manner. Circumstances that can inhibit trusted recovery are documented and mitigating procedures have been put in place.

YES/NO/NA
1. Do you have a Continuity of Operations Plan (COOP) and Disaster Recovery Plan (DRP) that are documented? Provide as attachment.
2. Does the COOP address: (i) Power Failure, (ii) Natural Disasters, (iii) scheduled and unscheduled outages, and (iv) cyber-security incidents?
3. Does the DRP include a documented Business Continuity/Recovery Plan (SOPs, COOP, emergency and incident response plans, etc.)?
4. Do you have recovery procedures (SOP) that ensure the recovery sequence is safe, secure, stable, verifiable, and successful? Provide as attachment.

References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


DCAR Procedural Review

An annual IA review is conducted that comprehensively evaluates existing policies and processes to ensure procedural consistency and to ensure that they fully support the goal of uninterrupted operations.

YES/NO/NA
1. Do you perform scheduled procedural reviews (at least) annually? Are the results documented? Provide as attachment.
2. Do you have a procedural review scheduled for next year? Provide as attachment.

References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


DCAS Acquisition Standards

The acquisition of IA-enabled GOTS and COTS products is limited to products evaluated by NSA and Common Criteria (CC), NIAP, or FIPS.

YES/NO/NA
1. Do you have IA-enabled GOTS products? Are they listed on the NSA-approved GOTS products list? Provide as attachments.
2. Do you have IA-enabled COTS products? Have those products been evaluated either by the International Common Criteria (CC), NIAP evaluation, or FIPS validation program? Provide as attachments.

References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


DCBP Best Security Practices

The DoD Information System security design incorporates best security practices such as single sign-on, PKE, smart card, and biometrics.

YES/NO/NA
1. Do you have a system security document? Provide as attachment.
2. Does the system security design incorporate best security practices such as single sign-on, PKE, smart card, firewalls, DMZ, ACLs, Out-of-Band Management, identification management (2-factor) and biometrics?

References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


DCCB Control Board

All information systems are under the control of a chartered Configuration Control Board (CCB) that meets regularly.

YES/NO/NA
1. Do you monitor and control (manage) configuration changes?
2. Do you have a CM Plan? Provide as attachment.
3. Do you have a CCB charter? Provide as attachment.

References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


DCCS Configuration Specifications

Use of approved configuration guidance ensures the system is initially free of security issues inherent in newly deployed IA-enabled products.

YES/NO/NA
1. Do you deploy IA and IA-enabled products within the enclave? Is it documented? Provide as attachments.
2. Do you have installation guides, system administration guides, functional test plans and procedures, and installation manuals? Provide as attachments.
3. Are the IA and IA-enabled products compliant with security guidance documents (STIGs)? Do you have a completed STIG checklist? Provide as attachments. Verify and review with the auditor (STIG review).

References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


DCCT Compliance Testing

A comprehensive set of procedures is implemented that tests all patches, upgrades, and new Automated Information Systems (AIS) applications.

YES/NO/NA
1. Do you have a CM Plan? Provide as attachment.
2. Does the CM plan include procedures for testing and implementing patches, updates, and new AIS applications? Provide as attachment.
3. Are system change requests and approvals documented? Provide as attachment.

References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


DCDS Dedicated IA Services

Acquisition or outsourcing of IA services is supported and approved by the DoD Component CIO.

YES/NO/NA
1. Do you outsource IA services such as IDS, firewall, and key management? Is it documented? Provide as attachment.
2. Is a formal risk analysis report for outsourced IA services approved (signed) by the CIO? Provide as attachment.

References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


DCFA Functional Architecture for AIS Applications

The functional architecture for Automated Information Systems applications identifies all external interfaces, information exchange, protection mechanisms, protection plans, and restoration priorities.

YES/NO/NA
1. Is the system architecture and security-related information documented? Provide as attachment.
2. Does the information system security description document (ISSDD) contain all external interfaces, information exchange (flow), interface protection mechanisms, access control roles, access privileges, security requirements, information sensitivity categories, protection plans (Privacy Act, HIPAA) and restoration priorities?

References: DODI 8500.2, SP 800-53

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


DCHW HW Baseline

A comprehensive baseline inventory of all hardware required to support enclave operations is maintained by the Configuration Control Board (CCB) and as part of the SSA.

YES/NO/NA
1. Do you have a baseline inventory of hardware that includes (at least) the manufacturer, type, model, physical location, and network topology? Provide as attachment.
2. Is the hardware baseline inventory documented and maintained by a Configuration Control Board?
3. Is a backup copy of the hardware baseline inventory stored in a fire-rated container or off-site? Verify and review with the auditor.
4. Is the hardware baseline inventory validated/updated (at least) annually?

References: DODI 8500.2, SP 800-53

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


DCID Interconnection Documentation

A list of all hosting enclaves is developed and maintained along with evidence of deployment planning, coordination, and the exchange of connection rules and requirements.

YES/NO/NA
1. Do you have a list of current and/or potential hosting enclaves for AIS applications? Provide as attachment.
2. Are there procedures, rules, or requirements for enclave interconnection? Provide as attachment. Verify and review with the auditor.

References: DODI 8500.2, SP 800-53

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


DCII IA Impact Assessment

Changes to the DoD information system are assessed for IA and accreditation impact prior to implementation.

YES/NO/NA
1. Are all changes to the system reviewed and approved by a Configuration Control Board (CCB)?
2. Are all changes to the system reviewed for IA and accreditation impact?
3. Are all changes to the system documented? Provide as attachment.

References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


DCIT IA for IT Services

Acquisition or outsourcing of IT services explicitly addresses Government, service provider, and end user IA roles and responsibilities.

YES/NO/NA
1. Do you have IT services that are procured or outsourced for your systems?
2. Is the acquisition of these services documented in a service agreement or MOA/MOU? Provide as attachment.
3. Are roles and responsibilities clearly defined in the acquisition or contract documentation? Verify and review with the auditor.

References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


DCMC Mobile Code

Acquisition or outsourcing of IT services explicitly addresses Government, service provider, and end user IA roles and responsibilities.

YES/NO/NA
1. Do you configure your systems to adequately prohibit (as applicable) the download and execution of mobile code (e.g., Java applets, ActiveX, and macros)? Verify and review with the auditor.

References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


DCNR Non-repudiation

Validated cryptography is used to implement encryption, key exchange, digital signature, and hash.

YES/NO/NA
1. Does your system require digital signature for non-repudiation purposes? Is it documented? Provide as attachment.
2. Are implemented algorithms FIPS 140 compliant?

References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


DCPA Partitioning the Application

User interface services are physically or logically separated from data storage and management services.

YES/NO/NA
1. Is your system architecture documented? Do you have a diagram? Provide as attachment.
2. Are web, database, and management servers physically and/or logically separated from each other?

References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


DCPB IA Program and Budget

A discrete line item for information assurance is established in programming and budget documentation.

YES/NO/NA
1. Is your system budgeted for Information Assurance? Is it documented? Provide as attachment.

References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


DCPD IA Public Domain Software Controls

Freeware or shareware is not used in DoD information systems unless absolutely needed for mission success.

YES/NO/NA
1. Is an inventory of software kept? Is it documented? Provide as attachment.
2. Is freeware and/or shareware used?
3. Is the freeware and/or shareware approved for use by the CCB and/or waived by the DAA? Is it documented? Provide as attachment.

References: DODI 8500.2, SP 800-53

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


DCPP Ports, Protocols, and Services

DoD information systems comply with DoD ports, protocols, and services guidance.

YES/NO/NA
1. Is the system architecture and security-related information documented? Provide as attachment.
2. Does the information system security description document (ISSDD) identify ports, protocols and services used?
3. Are there any interconnecting enclaves? Is it documented in an MOA/MOU? Provide as attachment.

References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


DCPR Configuration Management Process

A configuration management process is implemented.

YES/NO/NA
1. Do you monitor and control (manage) configuration changes?
2. Do you have a CM Plan (approved document defining how CM is executed, monitored, and controlled)? Provide as attachment.
3. Does the CM Plan identify CM roles and responsibilities?
4. Does the CM Plan identify a CCB?
5. Does the CM Plan identify a process to test system changes?
6. Does the CM Plan identify a process to ensure the CM process is effective?
7. Do you have a CCB charter (authorization for a CCB)? Provide as attachment.

References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


DCSD IA Documentation

All appointments for required IA roles are established in writing.

YES/NO/NA
1. Is the system architecture and security-related information documented? Provide as attachment.
2. Does the information system security description document (ISSDD) identify requirements for (i) data handling, (ii) system redundancy, and (iii) emergency response?
3. Are all personnel assigned to required IA roles established and appointed in writing? Provide as attachment.
4. Do the appointment letters include (at least) required training, security clearance, and Information Assurance Workforce (IAWF) designation? Verify and review with the auditor.

References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


DCSL IA System Library Management Controls

System libraries are managed and maintained to protect privileged programs and to prevent or minimize the introduction of unauthorized code.

YES/NO/NA
1. Is access to system source code libraries controlled using Discretionary Access Control Lists (DACLs) that protect privileged programs and prevent the introduction of unauthorized code? Is it documented? Provide as attachment.
2. Does a Configuration Control Board (CCB) review and approve changes to a privileged program? Is it documented? Provide as attachment.

References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


DCSP Security Support Structure Partitioning

IA and security service products are physically or logically isolated and protected.

YES/NO/NA
1. Is the system architecture and security-related information documented? Provide as attachment.
2. Does the information system security description document (ISSDD) contain schematics or diagrams of the security architecture?
3. Do you have a baseline inventory of hardware that includes (at least) the manufacturer, type, model, physical location, and network topology? Provide as attachment.
4. Do you have an up-to-date listing of software? Provide as attachment.
5. Are the documented software and hardware devices (audit servers, management consoles, firewalls) isolated using partitions and separate network domains?

References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


DCSQ Software Quality

Flawed or malformed software that can negatively impact integrity or availability is minimized through software quality requirements.

YES/NO/NA
1. Do you have GOTS (government funded) developed applications?
2. Do you follow a software lifecycle process? Is it documented? Provide as attachment.
3. Are regular code reviews conducted for STIG compliance? Is it documented? Provide as attachment.
4. Do you have COTS products?
5. Are software quality certification, initiatives, and standards (ISO 9000) addressed during development and testing?
6. Do you have a test plan that is approved by a CA or DAA for each product?

References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


DCSR Specified Robustness Only high-robustness GOTS or COTS IA and IA-enabled IT products are used to protect classified information when the information transits networks that are at a lower classification level than the information being transported.

YES/NO/NA
1. Is the system architecture and security-related information documented? Provide as attachment.
2. Does the information system security description document (ISSDD) indicate the classification level of the networks the information transits?
3. Do you have IA-enabled GOTS (government-funded) products? Are they documented? Provide as attachment.
4. Do the IA-enabled GOTS products have an EAL rating?
5. Are the IA-enabled GOTS products NSA/NIAP or Common Criteria (CC) validated?
6. Do you have IA-enabled COTS products? Are they documented? Provide as attachment.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


DCSS System State Changes System initialization, shutdown, and aborts are configured to ensure that the system remains in a secure state.

YES/NO/NA
1. Do you have an up-to-date listing of hardware and/or software? Provide as attachment.
2. Do the hardware and software follow the DISA operating system STIGs? Verify and review with the auditor.
3. Are privileges and permissions correctly configured so that only authorized personnel can initialize, shut down, and abort the system?
4. Do you keep track of all personnel with system privileges? Review with the auditor.
5. Do you schedule regular tests to ensure the integrity of system states? Are the results documented? Provide as attachment.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


DCSW SW Baseline A current and comprehensive baseline inventory of all software.

YES/NO/NA
1. Do you have a baseline inventory of software that includes (at least) the manufacturer, type, version, installation manuals, and procedures? Provide as attachment.
2. Is the software baseline inventory documented and maintained by a configuration control board?
3. Is a backup copy of the software baseline inventory stored in a fire-rated container or off-site? Verify and review with the auditor.
4. Are changes to the baseline reviewed and approved by the configuration control board? Are they documented? Provide as attachment.
References: DODI 8500.2, SP 800-53

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


EBBD Boundary Defense Boundary mechanisms are deployed at the enclave boundary.

YES/NO/NA
1. Do you have a baseline inventory of hardware that includes (at least) the manufacturer, type, model, physical location, and network topology? Provide as attachment.
2. Do you have a baseline inventory of software that includes (at least) the manufacturer, type, version, installation manuals, and procedures? Provide as attachment.
3. Is the system architecture and security-related information documented? Provide as attachment.
4. Does the information system security description document (ISSDD) contain schematics or diagrams of the security architecture? Provide as attachment.
5. Is the security architecture (firewalls and IDS) operational? Verify and review with the auditor.
6. Are the firewall rules configured to block unauthorized access (default deny, with only documented traffic permitted)? Verify and review with the auditor.
7. Does the ISSDD identify the ports, protocols, and services used?
8. Do the firewall audit logs record access attempts? Verify and review with the auditor.
References: DODI 8500.2, SP 800-53

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______
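EBBD items 6 and 7 ask whether the firewall rules block unauthorized access and whether the ISSDD lists the ports, protocols and services (PPS) in use. The two questions are really one check: every permit rule at the boundary should map to a documented PPS entry, and the ruleset should end in an explicit deny. The script below is an added example, not part of the workbook; the Rule and PPS record shapes, the audit criteria and the sample ruleset are constructed assumptions, and a real review would export the vendor ruleset into this shape first.

```python
# Boundary-rule cross-check for EBBD items 6 and 7.  Added example (not from
# the workbook).  The Rule/PPS record shapes and the sample data are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str    # "permit" or "deny"
    proto: str     # "tcp", "udp", "icmp" or "any"
    dst_port: str  # e.g. "443", or "any"
    src: str       # CIDR or "any"
    dst: str       # CIDR or "any"


@dataclass(frozen=True)
class PPS:
    proto: str
    port: str
    service: str   # as documented in the ISSDD


def audit_boundary(rules, documented):
    """Return a list of findings; an empty list means the ruleset matches the ISSDD."""
    findings = []
    # 1. The ruleset must end in an explicit deny-all (default deny).
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or \
            (last.proto, last.dst_port, last.src, last.dst) != ("any", "any", "any", "any"):
        findings.append("no explicit default-deny rule at the end of the ruleset")
    documented_keys = {(p.proto, p.port) for p in documented}
    permitted_keys = set()
    # 2. Every permit must name a protocol/port, and that pair must be in the ISSDD.
    for n, r in enumerate(rules, 1):
        if r.action != "permit":
            continue
        if r.proto == "any" or r.dst_port == "any":
            findings.append(f"rule {n}: wildcard permit ({r.proto}/{r.dst_port}) "
                            "cannot be mapped to a documented PPS entry")
            continue
        key = (r.proto, r.dst_port)
        permitted_keys.add(key)
        if key not in documented_keys:
            findings.append(f"rule {n}: permits {r.proto}/{r.dst_port} from {r.src} "
                            f"to {r.dst}, which is not documented in the ISSDD")
    # 3. Documented services with no permit are worth confirming (decommissioned or internal-only?).
    for p in documented:
        if (p.proto, p.port) not in permitted_keys:
            findings.append(f"note: documented {p.service} ({p.proto}/{p.port}) "
                            "has no permit rule at the boundary")
    return findings


# Constructed sample data (not from any real enclave).
DOCUMENTED_PPS = [
    PPS("tcp", "443", "HTTPS web portal"),
    PPS("tcp", "25", "SMTP mail relay"),
    PPS("udp", "53", "DNS"),
]
RULESET = [
    Rule("permit", "tcp", "443", "any", "203.0.113.10"),
    Rule("permit", "tcp", "25", "198.51.100.0/24", "203.0.113.20"),
    Rule("permit", "tcp", "3389", "any", "203.0.113.30"),        # RDP, not in the ISSDD
    Rule("permit", "any", "any", "10.0.0.0/8", "203.0.113.40"),  # wildcard permit
    Rule("deny", "any", "any", "any", "any"),
]

if __name__ == "__main__":
    for finding in audit_boundary(RULESET, DOCUMENTED_PPS):
        print(finding)
```

Run against the constructed ruleset it reports the undocumented RDP permit, the wildcard permit, and a note that the documented DNS service has no boundary rule; the auditor then asks for an ISSDD update or a rule change for each line.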


EBCR Connection Rules The DoD information system is compliant with established DoD connection rules and approval processes.

YES/NO/NA
1. Do connections to DoD enclaves follow the established connection policy and approval procedures? Provide as attachment. Verify and review with the auditor.
2. Are there connections to external DoD information systems outside the accreditation boundary? Are those connections documented? Provide as attachment.
3. Do you have an interconnection topology of the network architecture within the enclave? Provide as attachment.
4. Do you have interconnection agreements? Are they documented (ATC/IATC/MOU/MOA)? Provide as attachment(s).
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


EBPW Public WAN Connection Connections between DoD enclaves and public WAN require a DMZ.

YES/NO/NA
1. Do you have an interconnection topology of the network architecture within the enclave? Provide as attachment.
2. Do you run publicly reachable services (web servers, applications, and email), and are they provided from the DMZ? Is this documented? Provide as attachment. Verify and review with the auditor.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


EBRP Remote Access for Privileged Functions Remote access for privileged functions is discouraged.

YES/NO/NA
1. Do connections to DoD enclaves follow the established policy and procedures? Provide as attachment. Verify and review with the auditor.
2. Do you have an interconnection topology of the network architecture within the enclave? Provide as attachment.
3. Do you keep track of all personnel with system privileges? Is it documented? Provide as attachment. Review with the auditor.
4. Are audit logs kept on the remote access servers (at least the past 3 days)? Provide as attachment. Verify and review with the auditor.
5. Are users authenticated using RADIUS, TACACS+, LDAP, or Active Directory? Verify and review with the auditor.
6. Is network traffic monitored using an IDS? Verify and review with the auditor.
7. Is remote access approved by the DAA? Verify and review with the auditor.
8. Is a VPN used for remote access? Verify and review with the auditor.
9. Are there methods to review the audit logs? Verify and review with the IAM.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


EBRU Remote Access for User Functions Remote sessions to DoD systems are conducted through a remote access server within a DMZ.

YES/NO/NA
1. Are the remote access architecture and procedures documented using schematics or diagrams? Provide as attachment.
2. Do you implement NSA- or NIST-approved cryptography (PKI and/or VPN)? Verify and review with the auditor.
3. Are there procedures for disabling and removing accounts?
4. Are remote access numbers or Internet addresses protected from public disclosure?
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


EBVC VPN Controls All VPN traffic is visible to network intrusion detection systems (IDS).

YES/NO/NA
1. Is the IT architecture documented using schematics or diagrams? Provide as attachment.
2. Are your Intrusion Detection Systems (IDS) set up to monitor all encrypted VPN traffic?
3. Are your IDS set up to monitor all unencrypted VPN traffic (PREFERRED)?
4. Does your VPN tunnel terminate before the IDS, so that the IDS inspects the decrypted traffic?
5. Is the configuration of the IDS documented? Provide as attachment.
6. Do you keep IDS audit records or activity logs (last 5 days)? Are they documented? Provide as attachment.
7. Is a list of the VPNs in use documented? Provide as attachment.
8. Is the list of VPNs registered with your CNDSP? Verify and review with the auditor.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


ECAD Affiliation Display Proper assignment of affiliation designations to user accounts and email addresses.

YES/NO/NA
1. Do you have email accounts for contractors and foreign nationals? Are they documented? Provide as attachment.
2. Do those email addresses include the “CTR” designation for contractors and the two-character country code for foreign nationals? Verify and review with the auditor (sample at least 3-5 departments or a percentage of accounts).
3. Do those email display names include the “CTR” and two-character country code designations?
4. Do those email signature blocks include the “CTR” and two-character country code designations?
References: DODI 8500.2, SP 800-53, IA

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______
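ECAD items 2 to 4 are easy to sample by hand for a few accounts but tedious across a directory export, and the same check has to be applied to three different strings per account. The script below is an added example, not part of the workbook: it takes an account list and reports every contractor or foreign national account whose address, display name or signature block lacks the required designator. The account record shape, the whole-word matching rule, the country-code set and the sample accounts are constructed assumptions; local policy fixes the exact placement of the designator.

```python
# Affiliation-display audit for ECAD items 2-4.  Added example, not from the
# workbook.  Account shape, matching rule and sample data are assumptions.
import re
from dataclasses import dataclass

# Assumed convention: contractors carry "CTR" as a separate token; foreign
# nationals carry their two-character country code as a separate token.
COUNTRY_CODES = {"GB", "AU", "CA", "NZ", "KR", "JP"}   # constructed subset


@dataclass
class Account:
    user_id: str
    affiliation: str   # "MIL", "CIV", "CTR", or a two-character country code
    email: str
    display_name: str
    signature: str


def required_token(acct):
    """Designator the account must display, or None for US military/civilian staff."""
    if acct.affiliation == "CTR":
        return "CTR"
    if acct.affiliation in COUNTRY_CODES:
        return acct.affiliation
    return None


def _has_token(text, token):
    # Whole-word, case-insensitive match so "ctr" in "john.doe.ctr" counts but a
    # surname such as "Gbadamosi" does not satisfy a "GB" requirement.
    pattern = rf"(?<![A-Za-z0-9]){re.escape(token)}(?![A-Za-z0-9])"
    return re.search(pattern, text, re.IGNORECASE) is not None


def audit_account(acct):
    """Return the ECAD findings for one account; an empty list means compliant."""
    token = required_token(acct)
    if token is None:
        return []
    findings = []
    local_part = acct.email.split("@", 1)[0]       # item 2: the address itself
    if not _has_token(local_part, token):
        findings.append(f"{acct.user_id}: e-mail address lacks '{token}'")
    if not _has_token(acct.display_name, token):   # item 3
        findings.append(f"{acct.user_id}: display name lacks '{token}'")
    if not _has_token(acct.signature, token):      # item 4
        findings.append(f"{acct.user_id}: signature block lacks '{token}'")
    return findings


def audit(accounts):
    findings = []
    for acct in accounts:
        findings.extend(audit_account(acct))
    return findings


# Constructed sample directory export (not real accounts or addresses).
SAMPLE_ACCOUNTS = [
    Account("jdoe", "CTR", "john.doe.ctr@example.mil", "Doe, John CTR",
            "John Doe, CTR\nAcme Corp, supporting J6"),
    Account("asmith", "CTR", "alice.smith@example.mil", "Smith, Alice",
            "Alice Smith\nBeta LLC"),
    Account("rjones", "GB", "robert.jones.gb@example.mil", "Jones, Robert GB",
            "Sqn Ldr R. Jones, GB\nRAF"),
    Account("mlee", "MIL", "mary.lee@example.mil", "Lee, Mary",
            "MAJ Mary Lee, USA"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACCOUNTS):
        print(finding)
```

On the sample data only the contractor account without any designator is reported, once for each of the three fields, which is the attachment the auditor would want for item 2's sample.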


ECAN Access for Need-to-Know Prevent and detect unauthorized access to system data.

YES/NO/NA
1. Do you keep track of all personnel with access to your shared file system? Is it documented? Provide as attachment. Review with the auditor.
2. Are the permissions on the shared file system limited to appropriate personnel? Is it documented? Verify and review with the auditor.
3. Are policy and procedures established for discretionary access requirements to internal websites? Are they documented? Verify and review with the auditor (sample at least 3-5 departments or a percentage of sites).
4. Are audit controls used for websites?
5. Are audit trails kept for access attempts? Verify and review with the auditor.
References: DODI 8500.2, SP 800-53

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


ECAR Audit Record Content – Classified Systems Insufficient security information within audit trails.

YES/NO/NA
1. Do you maintain audit records/logs? Provide as attachment. Verify and review with the auditor.
2. Do the audit records contain the essential data: (i) bypass attempts, (ii) covert channel data, and (iii) relevant security actions? Verify and review with the auditor (sample at least 5-10% of records).
3. Do the audit records contain the essential data: (i) user ID, (ii) access attempts to password files, (iii) timestamps, (iv) event type, (v) success or failure of events and logons, and (vi) blocking or blacklisting? Verify and review with the auditor (sample at least 5-10% of records).
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


ECAT Audit Trail, Monitoring, Analysis and Reporting An automated, continuous on-line monitoring and audit capability.

YES/NO/NA
1. Do you have hardware and/or software that provide (i) automated, (ii) continuous monitoring, and (iii) audit capabilities? Is it documented? Provide as attachment.
2. Does the documentation describe the (i) manufacturer, (ii) model/version, and (iii) serial numbers of the hardware or software?
3. Does the hardware and/or software alert personnel to unusual activity?
4. Do you have a waiver for hardware and/or software that does not meet the requirements in (1)? Is it documented? Provide as attachment.
References: DODI 8500.2, IA

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


ECCD Change to Data Data is accessed and changed by only authorized personnel.

YES/NO/NA
1. Do you have policies and procedures for approving accounts on applications, webpages, or networks? Are they documented? Provide as attachment. Verify and review with the auditor (sample at least 3-5% of accounts).
2. Do you have access logs for your systems? Are they documented? Provide as attachment.
3. Are users notified of data changes? How? Is it documented? Provide as attachment.
References: DODI 8500.2, IA

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


ECCM COMSEC Implement controls for the proper safeguarding, operation, and maintenance of COMSEC devices.

YES/NO/NA
1. Do you have local directives regarding COMSEC? Are they documented? Provide as attachment.
2. Do you have appointment letter(s) for COMSEC duties? Are they documented? Provide as attachment.
3. Are COMSEC activities implemented in accordance with DoDI 8523.01? Verify and review with the auditor.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


ECCR-3 Encryption for Confidentiality (Data at Rest) NIST Certified cryptography is used to encrypt stored classified information

YES/NO/NA
1. Does the information system security description document (ISSDD) contain schematics or diagrams of the storage devices? Provide as attachment. Verify and review with the auditor.
2. Do you have data storage device(s)? Are they documented?
3. Do the storage devices store SAMI? Is it documented?
4. Are all personnel who access the SAMI appropriately cleared? Is it documented? Provide as attachment.
5. Do you utilize NSA-certified encryption methods? Is it documented? Provide as attachment.
6. Do you have manufacturer, model, and version information? Is it documented?
7. Are encryption tools installed and enabled on all devices? Verify and review with the auditor.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


ECCR-2 Encryption for Confidentiality (Data at Rest) NIST Certified cryptography is used to encrypt stored classified information

YES/NO/NA
1. Does the information system security description document (ISSDD) contain schematics or diagrams of the storage devices? Provide as attachment. Verify and review with the auditor.
2. Do you have data storage device(s)? Are they documented?
3. Do the storage devices store classified non-SAMI information? Is it documented?
4. Are all personnel who access the non-SAMI information appropriately cleared? Is it documented? Provide as attachment.
5. Do the storage devices store sensitive information? Is it documented?
6. Do you utilize NSA-certified encryption methods? Is it documented? Provide as attachment.
7. Do you have manufacturer, model, and version information? Is it documented?
8. Are encryption tools installed and enabled on all devices? Verify and review with the auditor.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


ECCT Encryption for Confidentiality (Data in Transit) Separation of different classifications of data.

YES/NO/NA
1. Have you classified the level of data being transmitted? Is it documented? Provide as attachment.
2. Do you use encryption when transmitting data over a network of lower classification?
3. Do you utilize NSA-certified encryption methods? Is it documented? Provide as attachment. Verify and review with the auditor.
4. Do you have manufacturer, model, and version information? Is it documented?
5. Can you confirm that the encryption tools are operational (configuration files or logs)? Provide as attachment.
6. Do you have a data flow diagram? Provide as attachment.
7. Is sensitive data transmitted over commercial networks?
8. Is sensitive data encrypted at its source?
9. Do you have any approved waivers from your CCB? Provide as attachment.
10. Do you have any pending waiver requests? Provide as attachment.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


ECDC Data Change Controls Transaction Rollback.

YES/NO/NA
1. Do you have database management systems? Are they documented? Provide as attachment.
2. Can transactions with your database management systems be ‘rolled back’? Is it documented? Provide as attachment. Verify and review with the auditor.
3. Do you have any approved waivers from your CCB? Provide as attachment.
4. Do you have any pending waiver requests? Provide as attachment.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______
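ECDC item 2 asks whether transactions can be rolled back, and the useful way to verify it with the auditor is to run a multi-statement change that fails part-way and confirm the earlier statement was undone. The script below is an added example, not part of the workbook, using the sqlite3 module from the Python standard library; the two-account ledger and the failing transfer are constructed. The same transfer function run on a connection in autocommit mode (isolation_level=None, standing in for a DBMS or driver setting with no transaction support) shows the failure mode the control guards against: the debit persists and the credit never happens.

```python
# Transaction rollback check for ECDC item 2.  Added example, not from the
# workbook; the schema and the failing transfer are constructed.
import sqlite3


def make_db(autocommit=False):
    """Two-row ledger. autocommit=True models a DBMS (or driver setting) with no
    transaction support: every statement is final as soon as it executes."""
    conn = sqlite3.connect(":memory:",
                           isolation_level=None if autocommit else "DEFERRED")
    conn.execute("CREATE TABLE accounts ("
                 "id TEXT PRIMARY KEY, "
                 "balance INTEGER NOT NULL CHECK (balance >= 0))")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("ops", 100), ("logistics", 50)])
    conn.commit()   # no-op in autocommit mode
    return conn


def transfer(conn, src, dst, amount):
    """Debit src and credit dst as one unit of work. Returns True if committed,
    False if the work was rolled back (or, without a transaction, abandoned)."""
    try:
        with conn:  # sqlite3: COMMIT on normal exit, ROLLBACK if an exception escapes
            conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?",
                         (amount, src))
            cur = conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?",
                               (amount, dst))
            if cur.rowcount != 1:
                # The debit above has already been applied; only a transaction undoes it.
                raise ValueError(f"no such account: {dst}")
        return True
    except (ValueError, sqlite3.IntegrityError):
        # IntegrityError: the CHECK constraint rejected an overdraft on the debit.
        return False


def balances(conn):
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id"))


if __name__ == "__main__":
    db = make_db()
    transfer(db, "ops", "nosuch", 30)
    print("with rollback:   ", balances(db))   # debit undone
    db = make_db(autocommit=True)
    transfer(db, "ops", "nosuch", 30)
    print("without rollback:", balances(db))   # 30 missing from ops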


ECIC Interconnections among DoD Systems and Enclaves A controlled interface is required for interconnections among DoD information systems.

YES/NO/NA
1. Do you have security-related documents (concept of operations, MOA, diagrams) for the system's network interconnectivity? Provide as attachment.
2. Do you have systems that enforce discretionary access controls? Verify and review with the auditor.
3. Do you configure discretionary access controls in accordance with the STIGs and DoD policy? Verify and review with the auditor.
4. Is a Cross Domain Solution (CDS) used?
5. Is the CDS on the Unified Cross Domain Management Office (UCDMO) baseline? Provide as attachment.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


ECID Host-Based IDS Deployed for major applications and network management assets.

YES/NO/NA
1. Do you have a host-based IDS (e.g. HBSS)? Is it documented?
2. Do you have a network-based IDS (e.g. NitroView, Sourcefire)? Is it documented?
3. Do you have servers that support critical applications? Are they documented? Provide as attachment.
4. Do you have an inventory of servers that includes hardware and software baselines? Is it documented? Provide as attachment.
5. Do you have approved waivers for servers that do not run a host-based IDS? Provide as attachment.
6. Do you have any pending waiver requests with the CCB? Provide as attachment.
7. Do you have any IDS acquisitions in progress? Provide as attachment.
8. Do you have IDS logs? Are they documented? Provide as attachment.
9. Do you have an inventory of all network management assets that includes software? Is it documented? Provide as attachment.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


ECIM Instant Messaging Unapproved instant messaging.

YES/NO/NA
1. Do you have a system firewall policy? Is it documented? Provide as attachment.
2. Do you have firewall rules blocking instant messaging services that are not approved for DoD use? Are they documented? Provide as attachment. (Example IM services to check: DCO, Jabber, NetMeeting.)
References: DODI 8500.2, IA

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


ECLC Audit of Security Label Changes Automatic recording of the creation, deletion, or modification of confidentiality or integrity labels.

YES/NO/NA
1. Do you require automatic confidentiality label monitoring for your system?
2. Do you require automatic integrity label monitoring for your system?
3. Does your system provide audit logs for the creation, deletion, or modification of labels? Verify and review with the auditor (sample at least 5-10% of records).
4. Do you have any pending waiver requests with the CCB? Provide as attachment.
5. Do you have approved waivers for systems that do not audit label changes? Provide as attachment.
References: DODI 8500.2, SP 800-53

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


ECLO Logon Successive logon attempts are controlled.

YES/NO/NA
1. Do your systems deny access after a set number of unsuccessful logon attempts (3 or fewer)? Verify and review with the auditor.
2. Upon logon, does your system display the date and time of the last successful logon and of the last unsuccessful logon attempt? Verify and review with the auditor.
3. Is the number of concurrent logon sessions controlled? Verify and review with the auditor.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


ECLP Least Privilege Access procedures enforce the principles of separation of duties and least privilege.

YES/NO/NA
1. Do you have a CONOPS that covers hardware and software, user roles, and responsibilities? Provide as attachment. Verify and review with the auditor.
2. Do you have privileged users for test servers and systems? Verify and review with the auditor.
3. Do you have privileged user accounts for test servers and systems? Verify and review with the auditor.
4. Do any privileged users have access they should not have? Verify and review with the auditor.
5. Do privileged users also hold separate non-privileged accounts for routine work? Verify and review with the auditor.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


ECML Marking and Labeling Mark and label.

YES/NO/NA
1. Are your assets and documents marked and labeled in accordance with DoD 5200.1-R classification policy? Verify and review with the auditor.
References: DODI 8500.2, SP 800-53, IA

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


ECMT Consent to Monitoring and Penetration Testing Conformance testing program.

YES/NO/NA
1. Do you have an approved consent to monitoring and pen-testing form? Provide as attachment.
2. Do you have a penetration test plan? Is it documented? Provide as attachment.
3. Do you have a schedule, testing methodology, and procedures? Are they documented? Provide as attachment.
4. Is pen-testing on your systems conducted by DISA or by an approved agency?
References: DODI 8500.2, IA

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


ECND Network Device Controls A network device control program is implemented.

YES/NO/NA
1. Do you have network devices? Are they documented? Provide as attachment.
2. Do you have network device control procedures? Are they documented? Provide as attachment. Verify and review with the auditor.
3. Are auditing features enabled on your network devices? Verify and review with the auditor.
4. Do the audit reports record detailed security-related events? Verify and review with the auditor.
5. Are network operators familiar with the documented procedures? Verify and review with the auditor.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


ECNK Encryption for Need to Know Information separated for need to know reasons is encrypted.

YES/NO/NA
1. Does the information system security description document (ISSDD) contain schematics or diagrams of data flow? Provide as attachment.
2. Do you keep track of data flows, servers, and encryption methods within the same classification level? Is it documented? Provide as attachment.
3. Is the encryption method NIST-certified? Is it documented? Provide as attachment. Verify and review with the auditor.
4. Is the originating server PKI-, SSL/TLS-, or VPN-enabled? Verify and review with the auditor.
References: DODI 8500.2, IA

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


ECPA Privileged Account Control Role Based Access.

YES/NO/NA
1. Do you have a policy for role-based access? Is it documented? Provide as attachment.
2. Do you have authorized privileged users? Are they documented? Provide as attachment.
3. Do the authorized privileged users have access based on their roles? Is it documented? Provide as attachment.
4. Do you have user accounts whose access has expired?
5. Do you have user accounts belonging to unauthorized users?
References: DODI 8500.2, SP 800-53

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


ECPC Production Code Change Controls Programmer privileges are reviewed every month.

YES/NO/NA
1. Do you have application servers that are critical? Are they documented? Provide as attachment.
2. Do you have a production system? Verify and review with the auditor.
3. Do you have directories, files, or data containing production code?
4. Are application programmers assigned limited permissions on production code and data?
5. Are you authorized by the CCB to create or renew programmer accounts (reviewed at least every 3 months)? Is it documented? Provide as attachment.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


ECRC Resource Control Object Reuse.

YES/NO/NA
1. Do you use a DoD-approved operating system that supports object reuse (clearing sensitive information left by a process before another process is allowed to access the object)? Is it documented? Provide as attachment.
2. Do you have any waivers for operating systems that do not support object reuse? Are they documented? Provide as attachment.
3. Is third-party software used to identify residual data after formatting hard disks?
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


ECRG Audit Reduction and Report Generation Tools for the review of audit records.

YES/NO/NA
1. Do you use audit reduction tools (Windows Event Viewer, Solaris praudit)? Is it documented? Provide as attachment.
2. Do your audit logs contain user ID, event, and specific time/date? Verify and review with the auditor.
References: DODI 8500.2
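The following is an added example for ECRG question 2; it is not part of the workbook and is not an output of Event Viewer or praudit. It checks that each audit record carries the three fields the control requires (user ID, event, date/time), sets aside lines that do not, and then performs the audit reduction a reviewer actually wants (failed logons per user, privilege use). The log lines are constructed in Linux auth.log style, and the prefix layout and event patterns are assumptions about that format.

```python
"""Added example for ECRG: field completeness check and audit reduction.
Not from the workbook; log lines below are constructed, not captured."""
import re
from collections import Counter

# Constructed sample records in auth.log style (not from a real system).
SAMPLE_LOG = """\
Jul 17 08:01:12 host1 sshd[2211]: Accepted publickey for jdoe from 10.0.0.5 port 51122 ssh2
Jul 17 08:03:44 host1 sshd[2230]: Failed password for bsmith from 10.0.0.9 port 40011 ssh2
Jul 17 08:03:49 host1 sshd[2230]: Failed password for bsmith from 10.0.0.9 port 40011 ssh2
Jul 17 08:03:55 host1 sshd[2230]: Failed password for invalid user admin from 10.0.0.9 port 40012 ssh2
Jul 17 08:10:02 host1 sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jul 17 08:12:30 host1 cron[1201]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)
garbage line without the expected fields
"""

# Assumed syslog-style prefix: timestamp, host, process[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Event classifiers; group 1 is the user ID, group 2 the detail shown to a reviewer.
EVENT_PATTERNS = [
    ("logon_success", re.compile(r"^Accepted \S+ for (\S+) from (\S+)")),
    ("logon_failure", re.compile(r"^Failed \S+ for (?:invalid user )?(\S+) from (\S+)")),
    ("privilege_use", re.compile(r"^\s*(\S+) : .*COMMAND=(.*)$")),
    ("scheduled_job", re.compile(r"^\((\S+)\) CMD \((.*)\)$")),
]


def parse_record(line):
    """Split one line into time/host/process/event/user/detail; None if not a record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"time": m["ts"], "host": m["host"], "process": m["proc"],
           "event": "other", "user": None, "detail": m["msg"].strip()}
    for name, pattern in EVENT_PATTERNS:
        em = pattern.match(m["msg"])
        if em:
            rec["event"], rec["user"], rec["detail"] = name, em.group(1), em.group(2)
            break
    return rec


def check_fields(lines):
    """ECRG question 2: every record needs a user ID, an event and a time stamp.
    Returns (complete records, raw lines that lack one of the fields)."""
    complete, incomplete = [], []
    for line in lines:
        rec = parse_record(line)
        if rec and rec["user"]:
            complete.append(rec)
        else:
            incomplete.append(line)
    return complete, incomplete


def reduce_records(records, event=None, user=None):
    """Audit reduction: keep only records matching the requested event type and/or user."""
    return [r for r in records
            if (event is None or r["event"] == event) and (user is None or r["user"] == user)]


def failures_by_user(records):
    """Failed logons per user ID, the first report a reviewer usually asks for."""
    return Counter(r["user"] for r in records if r["event"] == "logon_failure")


if __name__ == "__main__":
    complete, incomplete = check_fields(SAMPLE_LOG.splitlines())
    print(f"{len(complete)} complete records, {len(incomplete)} lines missing required fields")
    print("failed logons:", dict(failures_by_user(complete)))
    for r in reduce_records(complete, event="privilege_use"):
        print(f"{r['time']} {r['user']} ran {r['detail']}")
```

Lines that land in the incomplete list are what to raise with the auditor: a record without a user ID or time stamp cannot be attributed, so it fails the control regardless of what the reduction tool reports.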

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


ECRR Audit Record Retention Maintain audit records.

YES/NO/NA
1. Do your systems contain SAMI?
2. Do you have an audit data storage log (min. 4 years) for SAMI? Is it documented? Provide as attachment.
3. Do you have an audit data storage log (min. 1 year) for non-SAMI? Is it documented? Provide as attachment.
4. Do you have policy and procedures for audit data backup? Is it documented? Provide as attachment. Verify and review with the auditor.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


ECSC Security Configuration Compliance All STIGs are applied.

YES/NO/NA
1. Do you deploy IA and IA-enabled products within the enclave? Is it documented? Provide as attachments.
2. Do you configure the products in accordance with STIGs? Verify and review with the auditor.
3. Do you use SRR scripts, automated test tools, and scanners? Are results documented? Provide as attachments. Verify and review with the auditor.
4. Do you use DISA configuration (STIG) checklists? Verify and review with the auditor.
5. Do you have test, assessment, and mitigation reports?
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


ECSD Software Development Change Controls Change controls for software development.

YES/NO/NA
1. Do you have a configuration management plan and procedures? Is it documented? Provide as attachments.
2. Do you utilize Software Change Requests (SCRs)? Verify and review with the auditor (sample).
3. Does the CM plan describe how SCRs are prepared, submitted, and processed? Is it documented? Provide as attachments.
4. Do you retain CCB minutes? Is it documented? Provide as attachments.
5. Is separation of duties implemented for software developers/programmers (i.e., separate development, testing, and production)?
6. Do you have development servers and active accounts? Is it documented? Provide as attachments. Verify and review with the auditor.
7. Are account permission settings and rights controlled? Verify and review with the auditor.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


ECTB Audit Trail Backup Audit Records are Backed up

YES/NO/NA
1. Do you have policy and procedures for backing up audit records? Is it documented? Provide as attachment. Verify and review with the auditor.
2. Do you have backup systems for audit records? Verify and review with the auditor.
3. Are audit records backed up (minimum weekly)? Is it documented? Provide as attachment. Verify and review with the auditor.
4. Are records backed up to external media? Verify and review with the auditor.
5. Are data backups and audit records stored on separate media devices? Verify and review with the auditor.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


ECTC Tempest Controls Protection against emanations

YES/NO/NA
1. Are you compliant with DoDD S-5200 policy? Verify and review with the auditor.
2. Do you have TEMPEST measures in place (i.e., CONOPS)? Is it documented? Provide as attachment.
3. Is your TEMPEST certification current? Provide as attachment.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


ECTM Transmission Integrity Controls Integrity mechanisms.

YES/NO/NA
1. Do you have a data flow diagram which includes the medium and protection mechanisms for incoming and outgoing files? Provide as attachment.
2. Do you have protection mechanisms installed? Verify and review with the auditor.
3. Do your protection mechanisms check the integrity of incoming and outgoing files? Verify and review with the auditor.
4. Do you have components that require protection mechanisms? Is it documented? Provide as attachment.
5. Do you use security labels for the transmission of information? Verify and review with the auditor.
6. Do you have procedures for implementing security labels? Is it documented? Provide as attachment.
7. Do you use encryption to prevent unauthorized disclosure? Verify and review with the auditor.
8. Do you use protection mechanisms to prevent or detect session hijacking (e.g., tcpdump)? Verify and review with the auditor.
References: DODI 8500.2, IA

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


ECTP Audit Trail Protection Audit Trails are protected.

YES/NO/NA
1. Do you have systems that create audit logs? Is it documented? Provide as attachment.
2. Do you have permission settings assigned to logs? Verify and review with the auditor.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


ECVI VoIP Protection Personal use of VoIP prohibited?

YES/NO/NA
1. Do you use VoIP services? Is it documented? Provide as attachment.
2. Do you have local policies and procedures on the use of VoIP services? Is it documented? Provide as attachment.
3. Do you use firewalls? Is it documented? Provide as attachment.
4. Are VoIP phones used for personal use?
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


ECVP Virus Protection Inadequate virus protection

YES/NO/NA
1. Do you have a virus protection policy? Is it documented? Provide as attachment.
2. Do you use approved virus protection software? Is it documented? Provide as attachment.
3. Do you have a current hardware baseline inventory? Provide as attachment.
4. Do you have waivers exempting the use of virus protection?
5. Are virus definitions updated in accordance with the appropriate protection levels?
References: DODI 8500.2, SP 800-53

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


ECWM Warning Message Use of warning banners.

YES/NO/NA
1. Do you use warning banners for devices that utilize user interfaces (UI)? Verify and review with the auditor.
2. Do you have waivers exempting the use of warning banners?
3. Is the warning banner content in accordance with DoD policy? Verify and review with the auditor.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


ECWN Wireless Computing and Network Implementation of wireless capabilities.

YES/NO/NA
1. Do you utilize wireless (IEEE 802.X) capabilities? Is it documented? Provide as attachment.
2. Are wireless configurations in accordance with DoDD 8100.2? Verify and review with the auditor.
3. Have you changed the factory default settings for wireless capabilities? Verify and review with the auditor.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


IAAC Account Control Comprehensive account management process.

YES/NO/NA
1. Do you have policies and procedures for user account management? Is it documented? Provide as attachment.
2. Do you have a process for creating and deleting accounts? Is it documented? Provide as attachment. Verify and review with the auditor.
3. Does the process address which personnel are authorized to create and delete accounts?
4. Does the process address account duplication (multiple accounts for a user)?
5. Does your logon identification server(s) address account duplication (multiple accounts for a user)? Verify and review with the auditor.
6. Do you have logs (past 35 days) for non-active accounts?
7. Are non-active accounts (>30 days) suspended?
8. Are accounts terminated within 48 hours upon request? Verify and review with the auditor.
References: DODI 8500.2
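The following is an added example for IAAC questions 4, 5, 7 and 8; it is not part of the workbook and is not an output of any account-management product. It screens an exported account list for one person holding several accounts, enabled accounts with no logon in the last 30 days, and termination requests not completed within 48 hours. The CSV export, its column names and the audit date are constructed for the example; a real export would come from the directory or the host itself.

```python
"""Added example for IAAC: screen an account export for the conditions the
auditor samples. Not from the workbook; the export below is constructed."""
import csv
import io
from datetime import datetime, timedelta

# Constructed export; column names are an assumption about the source system.
SAMPLE_EXPORT = """\
account,owner,enabled,last_logon,termination_requested,disabled_on
jdoe,Doe John,true,2012-06-30,,
jdoe.adm,Doe John,true,2012-07-15,,
bsmith,Smith Bob,true,2012-04-01,,
rlee,Lee Rita,false,2012-05-10,,
tkim,Kim Tae,false,2012-07-01,2012-07-02,2012-07-05
mpark,Park Min,true,2012-07-16,2012-07-10,
"""
AS_OF = datetime(2012, 7, 18)   # assumed audit date
INACTIVE_DAYS = 30              # IAAC question 7
TERMINATION_HOURS = 48          # IAAC question 8


def parse_date(text):
    """ISO date string to datetime; an empty field means 'never' or 'not yet'."""
    return datetime.strptime(text, "%Y-%m-%d") if text else None


def load_accounts(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def stale_enabled(accounts, as_of=AS_OF):
    """Enabled accounts with no logon inside INACTIVE_DAYS; these should be suspended."""
    cutoff = as_of - timedelta(days=INACTIVE_DAYS)
    stale = []
    for a in accounts:
        last = parse_date(a["last_logon"])
        if a["enabled"] == "true" and (last is None or last < cutoff):
            stale.append(a["account"])
    return sorted(stale)


def duplicate_owners(accounts):
    """Owners holding more than one account; each extra account needs a documented reason."""
    by_owner = {}
    for a in accounts:
        by_owner.setdefault(a["owner"], []).append(a["account"])
    return {o: sorted(accs) for o, accs in by_owner.items() if len(accs) > 1}


def late_terminations(accounts, as_of=AS_OF):
    """Termination requests still open, or closed later than TERMINATION_HOURS after the request."""
    limit = timedelta(hours=TERMINATION_HOURS)
    late = []
    for a in accounts:
        requested = parse_date(a["termination_requested"])
        if requested is None:
            continue
        closed = parse_date(a["disabled_on"]) or as_of
        if a["enabled"] == "true" or closed - requested > limit:
            late.append(a["account"])
    return sorted(late)


def review(csv_text, as_of=AS_OF):
    """Everything the auditor will ask for, in one dictionary."""
    accounts = load_accounts(csv_text)
    return {"stale_enabled": stale_enabled(accounts, as_of),
            "duplicate_owners": duplicate_owners(accounts),
            "late_terminations": late_terminations(accounts, as_of)}


if __name__ == "__main__":
    for finding, value in review(SAMPLE_EXPORT).items():
        print(f"{finding}: {value}")
```

A second account for the same owner (here the `.adm` account) is not automatically a finding; what the auditor checks is that the process in question 4 documents why it exists. An open termination request older than 48 hours is a finding whether or not anyone has logged on since.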

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


IAGA Group Authentication Use of group authenticators.

YES/NO/NA
1. Do you use DoD-approved group accounts? Is it documented? Provide as attachment.
2. Do your group accounts require PKI or DAA approval?
3. Do you have procedures for assigning group accounts? Is it documented? Provide as attachment. Verify and review with the auditor.
4. Do you maintain a list of the users assigned to each group account? Is it documented? Provide as attachment.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


IAIA Individual Identification Identification and Authentication

YES/NO/NA
1. Do you have system software? Is it documented? Provide as attachment.
2. Do you have logon protection enabled for system software? Verify and review with the auditor.
3. Do you have system security documentation (CONOPS)?
4. Do you have policy and procedures on the sharing of passwords? Is it documented? Provide as attachment.
5. Do you have policy and procedures for the registration of users (IDs and passwords)? Is it documented? Provide as attachment.
6. Do you transmit passwords over the network?
7. Do you use shadowed passwords? Verify and review with the auditor.
8. Are your passwords configured in accordance with STIG policy? Verify and review with the auditor.
9. Do you have system software components? Is it documented? Provide as attachment.
10. Do your software components encrypt the saved password files? Verify and review with the auditor.
11. Are the password files configured for read-only access? Verify and review with the auditor.
12. Do you protect passwords transmitted over the network (SSH, SFTP, SSL, PKI)? Verify and review with the auditor.
13. Do you have a list of default accounts and passwords? Verify and review with the auditor.
References: DODI 8500.2
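The following is an added example serving IAIA questions 7, 10 and 11 above and ECTP question 2 (permission settings on audit logs) earlier; it is not part of the workbook. It performs the file checks an auditor makes on a Linux host: the password hash field is shadowed out of /etc/passwd, and the password files and audit trails grant no permission bit beyond what is allowed. The paths in `EXPECTED` are an assumption about a typical Linux layout, the passwd excerpt is constructed, and `self_check` exercises the checker on temporary files so the block runs without root.

```python
"""Added example for IAIA 7/10/11 and ECTP 2: password-file and audit-log
permission checks. Not from the workbook; paths and sample passwd are assumed."""
import os
import stat
import tempfile

# (path, most permissive mode allowed) -- assumed layout of a typical Linux host
EXPECTED = [
    ("/etc/passwd", 0o644),              # readable by all is normal; writable only by root
    ("/etc/shadow", 0o640),              # IAIA 11: hashes readable only by root/shadow group
    ("/var/log/auth.log", 0o640),        # ECTP 2: audit trail not writable by others
    ("/var/log/audit/audit.log", 0o600),
]

# Constructed /etc/passwd excerpt with two violations (a live hash, an empty password).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacy:$1$ab$0uFqHGW7b1uBzEqLQC/fL1:1001:1001::/home/legacy:/bin/sh
guest::1002:1002::/home/guest:/bin/sh
"""


def excess_bits(mode, allowed):
    """Permission bits set in mode that allowed does not grant; 0 means compliant."""
    return stat.S_IMODE(mode) & ~allowed & 0o777


def check_path(path, allowed):
    """Check one file. Returns (status, detail) with status 'ok', 'fail' or 'missing'."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "missing", path
    actual = stat.S_IMODE(st.st_mode)
    if excess_bits(st.st_mode, allowed):
        return "fail", f"{path} is {actual:04o}, allowed at most {allowed:04o}"
    return "ok", f"{path} is {actual:04o}"


def unshadowed_accounts(passwd_text):
    """IAIA 7: accounts whose passwd entry still holds a hash, or no password at all.
    'x' means the hash lives in /etc/shadow; '*' and '!' are locked accounts."""
    bad = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2 or fields[1] not in ("x", "*", "!"):
            bad.append(fields[0])
    return bad


def audit_host(expected=EXPECTED):
    """Run the permission checks against the real paths; returns {status: [detail, ...]}."""
    report = {"ok": [], "fail": [], "missing": []}
    for path, allowed in expected:
        status, detail = check_path(path, allowed)
        report[status].append(detail)
    return report


def self_check():
    """Exercise check_path on temporary files with known modes (constructed demonstration)."""
    cases = [("audit.log", 0o640, 0o640), ("shadow", 0o644, 0o640), ("secure", 0o600, 0o640)]
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, mode, allowed in cases:
            p = os.path.join(d, name)
            open(p, "w").close()
            os.chmod(p, mode)
            results[name] = check_path(p, allowed)[0]
        results["absent"] = check_path(os.path.join(d, "absent"), 0o640)[0]
    return results


if __name__ == "__main__":
    print("self-check:", self_check())
    print("unshadowed:", unshadowed_accounts(SAMPLE_PASSWD))
    for status, items in audit_host().items():
        for item in items:
            print(f"{status.upper():8}{item}")
```

The check is "no bit beyond the allowed mode" rather than "exactly this mode", so a stricter setting such as 0600 on a file allowed 0640 passes. A missing path is reported separately because it usually means the host logs elsewhere, which is a question for the auditor, not a failure.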

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______


Auditor: ______Date: ______

IAKM Key Management Symmetric and Asymmetric keys.

YES/NO/NA
1. Do you have an encryption key management plan? Is it documented? Provide as attachment.
2. Do you use encryption keys (symmetric, asymmetric) in accordance with your key management plan? Is it documented? Verify and review with the auditor.
3. Do you use NSA-approved key management technology? Verify and review with the auditor.
4. Do you have a waiver for not using NSA-approved keys? Is it documented? Provide as attachment.
5. Does your plan address the creation, distribution, storage, retention, and destruction of keys? Verify and review with the auditor.
6. Do you have a COMSEC custodian? Verify and review with the auditor.
7. Do you have a waiver for not using Class 3 or Class 4 DoD PKI? Verify and review with the auditor.
8. Does your key management plan use PKI Class 3 or Class 4 certificates or tokens (CAC) for asymmetric keys? Verify and review with the auditor.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______


Auditor: ______Date: ______

IATS Tokens and Certificate Standards Identification and authentication.

YES/NO/NA
1. Do you have security related documents (concept of operations,
2. Do you have an encryption key management plan? Is it documented? Provide as attachment.
3. Do you have a waiver for not using Class 3 or Class 4 DoD PKI? Verify and review with the auditor.
4. Does your key management plan include PKI Class 3 or Class 4 certificates? Verify and review with the auditor.
5. Do you use PKI Class 3 or Class 4 certificates and an approved token for access? Verify and review with the auditor.
References: DODI 8500.2, IA

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


PECF Access to Computing Facilities Access restricted to only authorized personnel.

YES/NO/NA
1. Do you have access rosters for authorized personnel? Is it documented? Provide as attachment.
2. Do you have physical access control procedures? Is it documented? Provide as attachment.
3. Do you keep a visitor log (min. last 24 hrs.)? Provide as attachment. Verify and review with the auditor.
4. Are visitor clearances sent to the facility prior to access? Verify and review with the auditor.
5. Do you have identity verification procedures? Is it documented? Provide as attachment. Verify and review with the auditor.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


PECS Cleaning and Sanitizing Data is cleared and sanitized.

YES/NO/NA
1. Do you have policy and procedures for the cleaning and sanitizing of media devices? Is it documented? Provide as attachment.
2. Do you maintain logs (min. 3 months) for cleaning and sanitizing? Provide as attachment. Verify and review with the auditor.
References: DODI 8500.2, IA

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


PEDD Destruction Destruction procedures.

YES/NO/NA
1. Do you have policies and procedures for the destruction of media devices? Is it documented? Provide as attachment.
2. Do you maintain logs (min. 30 days) for destruction? Provide as attachment. Verify and review with the auditor.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


PEDI Data Interception Positioning of data displays.

YES/NO/NA
1. Are your display devices positioned to hide data from unauthorized personnel? Verify and review with the auditor.
References: DODI 8500.2, IA

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


PEEL Emergency Lighting Automatic emergency lighting system.

YES/NO/NA
1. Do you have a floor and emergency diagram of your facility? Is it documented? Provide as attachment.
2. Do you have an approved waiver for not using emergency lights? Is it documented? Provide as attachment.
3. Do you perform regular tests? Is it documented (logs)? Provide as attachment.
4. Do you perform regular maintenance? Is it documented (logs)? Provide as attachment.
References: DODI 8500.2, IA

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


PEFD Fire Detection Automatic fire department notification.

YES/NO/NA
1. Do you have smoke or fire detection systems? Verify and review with the auditor.
2. Are the detection systems configured to automatically notify the fire department? Verify and review with the auditor.
3. Do the detection systems have backup power? Verify and review with the auditor.
References: DODI 8500.2, IA

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


PEFI Fire Inspection Periodic fire marshal inspection.

YES/NO/NA
1. Do you have periodic inspections by the fire marshal? Is it documented? Provide as attachment (min. 2 most recent).
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


PEFS Fire Suppression Automatic fire suppression system.

YES/NO/NA
1. Do you have smoke or fire detection systems? Verify and review with the auditor.
2. Are the suppression systems configured to activate automatically when heat or smoke is present? Verify and review with the auditor.
3. Do you have approved waivers for not using fire suppression or fire detection systems? Is it documented? Provide as attachment (min. 2 most recent).
4. Do you have test procedures and logs for these systems? Is it documented? Provide as attachment.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


PEHC Humidity Controls Automatic humidity controls.

YES/NO/NA
1. Do you have automatic humidity controls? Verify and review with the auditor.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


PEMS Master Power Switch Emergency cutoff switch.

YES/NO/NA
1. Do you have master power switches in your server rooms (at the entrances)? Verify and review with the auditor.
2. Is your master power switch labeled? Verify and review with the auditor.
3. Does your master power switch have a cover? Verify and review with the auditor.
References: DODI 8500.2, SP 800-53

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


PEPF Physical Protection of Facility Security of physical access points.

YES/NO/NA
1. Are physical access points protected by a guard and/or alarm 24/7? Provide as attachment. Verify and review with the auditor.
2. Do you have approved waivers exempting the authentication of personnel? Is it documented? Provide as attachment.
3. Do you have a visitor access log? Verify and review with the auditor.
4. Do you have requirements for intrusion alarms? Is it documented? Provide as attachment.
5. Do you have intrusion alarms? Is it documented? Provide as attachment.
6. Do you have approved waivers exempting the use of intrusion alarms? Is it documented? Provide as attachment.
7. During working hours, are your physical access points protected by a guard? Verify and review with the auditor.
8. During non-working hours, are your physical access points locked? Verify and review with the auditor.
9. Are all physical access points to the building documented? Provide as attachment.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


PEPS Physical Security Testing Penetration testing.

YES/NO/NA
1. Do you schedule periodic physical penetration tests? Is it documented? Provide as attachment (dated within 1 yr.).
2. Do you have results from the penetration tests? Is it documented? Provide as attachment.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


PESL Screen Lock Automatic screen lock.

YES/NO/NA
1. Do you use screen locks? Verify and review with the auditor (min. sample 10 workstations).
2. Do you have approved waivers exempting the use of screen locks? Provide as attachment.
3. Do your users know how to lock their screen? Verify and review with the auditor.
4. Does the screen lock when idle? Verify and review with the auditor.
5. Is the screen lock configured to require authentication to unlock? Verify and review with the auditor.
6. Does the screen lock cover the entire screen? Verify and review with the auditor.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


PESP Workplace Security Procedures Proper handling and storage of information.

YES/NO/NA
1. Do you have policy and procedures for identifying information that needs to be secured? Is it documented? Provide as attachment.
2. Do you have procedures to ensure proper handling and storage of information? Is it documented? Provide as attachment.
3. Do you log end-of-day security checks? Provide as attachment (min. 30 days).
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


PESS Storage Documents and equipment are stored in approved containers.

YES/NO/NA
1. Do you have policy and procedures for storing documents and equipment? Is it documented? Provide as attachment.
2. Are the containers fire- and water-proof?
References: DODI 8500.2, IA

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


PETC Temperature Controls Automatic temperature controls.

YES/NO/NA
1. Do you have an automatic temperature control system installed? Verify and review with the auditor.
2. Do you have approved waivers exempting the use of automatic temperature control systems? Is it documented? Provide as attachment.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


PETN Environmental Control Training Training for the environmental control system.

YES/NO/NA
1. Do you have policy and procedures for periodic training on environmental control systems? Is it documented? Provide as attachment.
References: DODI 8500.2, SP 800-53

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


PEVC Visitor Control to Computing Facilities Procedures for visitor access.

YES/NO/NA
1. Do you have approved procedures for controlling visitor access? Provide as attachment.
2. Do you have approved procedures for logging visitor access? Provide as attachment.
3. Do you archive visitor logs? Verify and review with the auditor.
References: DODI 8500.2, SP 800-53

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


PEVR Voltage Regulators Implementation of voltage control

YES/NO/NA
1. Do you use automatic voltage controls (UPS)? Verify and review with the auditor (min. 2 facilities).
2. Do you track the facilities that house your IT assets? Is it documented? Provide as attachment.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


PRAS Access to Information Access authorization.

YES/NO/NA
1. Do you have a list of authorized users? Provide as attachment.
2. Do you restrict access to sensitive information? Is it documented? Provide as attachment. Verify and review with the auditor (min. 5 users).
3. Do you keep contracts for contractors with access to sensitive information? Provide as attachment. Verify and review with the auditor.
References: DODI 8500.2, SP 800-53

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


PRMP Maintenance Personnel Maintenance performed only by authorized personnel.

YES/NO/NA
1. Do you have authorized maintenance personnel? Provide as attachment (rosters/logs). Verify and review with the auditor (updated within 3 months).
2. Do you have policies and procedures for the authorization of maintenance? Is it documented? Provide as attachment. Verify and review with the auditor.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


PRNK Access to Need-to-Know Information Individuals must have a valid need to know to access information

YES/NO/NA
1. Do you have an access policy for your information systems? Is it documented? Provide as attachment.
2. Do you categorize the information residing on your IS that requires special protection? Is it documented? Provide as attachment.
3. Do you have a list of authorized users for each category?
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


PRRB Security Rules of Behavior or Acceptable Use Policy A set of rules that describe the IA rules, responsibilities, and expectations for IS.

YES/NO/NA
1. Do you have Security Rules of Behavior for the information system? Is it documented? Provide as attachment.
2. Are your rules for system access acknowledged and signed? Is it documented? Verify and review with the auditor.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

 Compliant  Non-Compliant  Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


PRTN Information Assurance Training A program is implemented to ensure all personnel receive IA training.

YES/NO/NA
1. Do you have a Personnel Training Plan that identifies requirements for IA roles? Is it documented? Provide as attachment.
2. Do you have individuals appointed to IA roles? Is it documented? Provide as attachment. Verify and review with the auditor, to include contractors (min. range 3-5 individuals).
3. Do you have training records for the appointed individuals? Is it documented? Verify and review with the auditor.
4. Are individuals trained in accordance with the training plan? Verify and review with the auditor.
5. Have personnel received IA awareness training in accordance with the training plan? Verify and review with the auditor, to include contractors (min. range 3-5 individuals).
References: DODI 8500.2, IA

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


VIIR Incident Response Planning

An incident response plan exists that identifies the CND Service Provider.

YES/NO/NA
1. Do you have an incident response plan, related TTPs, an incident response team, and training and certification records? Are they documented? Provide as attachment. Verify and review with the auditor.
2. Do you have an exercise schedule for your incident response plan? Is it documented? Provide as attachment.
3. Are after action reports conducted? Are they documented? Provide as attachment.
4. Are your incident response plans exercised annually? Verify and review with the auditor.
5. Do you keep logs? Is this documented? Provide as attachment.
6. Do you have logs for the two most recent incidents? Are they documented? Provide as attachment.
References: DODI 8500.2, IA

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______


VIVM Vulnerability Management

A comprehensive vulnerability management process exists.

YES/NO/NA
1. Do you have a vulnerability management policy and/or SOP? Is it documented? Provide as attachment.
2. Does the policy include system notification and compliance reporting for all vulnerability alerts? Is it documented? Verify and review with the auditor.
3. Does your organization receive Information Assurance Vulnerability Alerts (IAVAs)? Verify and review with the auditor.
4. Are personnel responsible for tracking and responding to IAVAs appointed in writing? Is it documented? Provide as attachment.
5. Are personnel conducting vulnerability assessments trained to use scanning tools? Verify and review with the auditor.
References: DODI 8500.2

Comments:

Signatures below indicate that both parties have reviewed and verified the above control to be:

[ ] Compliant   [ ] Non-Compliant   [ ] Not Applicable

System Representative: ______Date: ______

Auditor: ______Date: ______
