From Traditional Security
Part of Information Security (IS) - Continuous Operations Facility
Associated with IA controls: PESS-1, PEPF-2
Failure to control door access to a Continuous Operations Facility containing classified SIPRNET assets may result in immediate and potentially undetected access to classified information, with no capability to immediately alert response forces. Ultimately this could result in the undetected loss or compromise of classified material.
Unless otherwise indicated, all the paragraph citations preceding each check are from DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information.

The following set of 5 checks for Continuous Operations Access Control Monitoring Method #1 is to be used when an Automated Entry Control System (AECS) Card Reader with Biometrics or Personal Identification Number (PIN) is the primary means of access control to the Continuous Operations Facility:

Method 1/Check #1. Appendix to Enclosure 3, para 3.a.(2)(a); para 3.a.(2)(b); para 3.a.(3); para 3.a.(4) -- Check to ensure an Access Control System (ACS) is used that incorporates a coded ID card or badge PLUS either a PIN or Biometrics on both the primary entrance and all secondary doors that may be used for continuous or intermittent access to the secure room space. (CAT I)

Method 1/Check #2. Appendix to Enclosure 3, para 2.d.(6); para 2.f.(2) & para 3.a. -- Check to ensure the ACS is controlled and monitored at a continuously manned central monitoring station. (CAT I)

Method 1/Check #3. Enclosure 3, para 3 & para 12; Appendix to Enclosure 3, para 2.e(6); Enclosure 2, para 2 -- If there is no IDS employed (*which must be based on a documented risk assessment) on doors or other man-passable openings: Check to ensure the 24/7 secure rooms or collateral secret open storage areas (containing SIPRNet equipment) are continuously occupied by at least one properly cleared employee. (CAT I)

Method 1/Check #4. Appendix to Enclosure 3, para 2.e(6) -- If there is no Intrusion Detection System (IDS) employed in the Continuous Operations Facility: Check to ensure that a duress device is available for occupants inside the facility, IF DETERMINED NECESSARY BY A DOCUMENTED RISK ASSESSMENT (RA). If there is no duress device and no RA to validate that there is no need for duress, it is a finding. (CAT II)

Method 1/Check #5. Enclosure 3, para 3.b.(3)(a) & (b) -- Where there is no IDS employed in the Continuous Operations Facility and ALL classified (SIPRNet) equipment, devices and media are not under the direct continuous observation and control of area occupants (CLEARED EMPLOYEES): Check to ensure a system of checks of classified assets (especially SIPRNet connected assets) internal to the Continuous Operations Facility, not exceeding 4 hours, is established and conducted. (CAT I)

The following set of 6 checks for Continuous Operations Access Control Monitoring Method #2 is to be used when Access is Continuously Monitored by Occupants (Cleared Employees) of the Continuous Operations Facility - all doors are NOT visible - is the primary means of access control to the Continuous Operations Facility:

Method 2/Check #1. Appendix to Enclosure 3, para 2.e(6) -- When cleared occupants cannot directly and continuously observe all potential entrances into the room, check to ensure an open door alerting system is used to alert occupants of the 24/7 continuous operations. The alerting system MUST cover all access points that cannot be observed by occupants including the primary entrance and all secondary doors that could be used for continuous or intermittent access. (CAT I)

Method 2/Check #2. Enclosure 3, para 3 & para 12; Appendix to Enclosure 3, para 2.e(6); Enclosure 2, para 2 -- Check to ensure the 24/7 Continuous Operations Facility is "continuously occupied" by at least one properly cleared employee. (CAT I)

Method 2/Check #3. Appendix to Enclosure 3, para 3.a.(2)(a); para 3.a.(2)(b); para 3.a.(3); para 3.a.(4) -- On those doors not visible to cleared occupants: Check to ensure that an Automated Entry Control System (AECS) is used that incorporates both a coded ID card or badge plus either a PIN or Biometrics. This requirement is for all doors that are not continuously visible including the primary entrance and all secondary doors that may be used for continuous or intermittent access. (CAT I)

Method 2/Check #4. Appendix to Enclosure 3, para 3.a. & para 3.c. -- Check to ensure doors that are continuously visible to cleared occupants are access controlled minimally by either an AECS using swipe or proximity cards (*not required to have PIN or biometric verification) OR by Electric, Mechanical, or Electromechanical Access Control Devices IAW the specifications of DoD Manual 5200.01, Volume 3, Appendix to Enclosure 3, para 3.c. (CAT I)

Method 2/Check #5. Appendix to Enclosure 3, para 2.e(6) -- If there is no IDS employed in the Continuous Operations Facility: Check to ensure that a duress device is available for occupants inside the facility, IF DETERMINED NECESSARY BY A DOCUMENTED RISK ASSESSMENT (RA). If there is no duress device and no RA to validate that there is no need for duress, it is a finding. (CAT II)

Method 2/Check #6. Enclosure 3, para 3.b.(3)(a) & (b) -- Where there is no IDS employed in the Continuous Operations Facility and ALL classified (SIPRNet) equipment, devices and media are not under the direct continuous observation and control of area occupants (CLEARED EMPLOYEES): Check to ensure a system of checks of classified assets (especially SIPRNet connected assets) internal to the Continuous Operations Facility, not exceeding 4 hours, is established and conducted. (CAT I)

The following set of 5 checks for Continuous Operations Access Control Monitoring Method #3 is to be used when Access is Monitored by Occupants (Cleared Employees) of the Continuous Operations Facility and all doors are visible - is the primary means of access control to the Continuous Operations Facility:

Method 3/Check #1. Enclosure 3, para 12; Appendix to Enclosure 3, para 3.a -- Check to ensure that cleared employees who work in the space just inside the Continuous Operations Facility have continuous visual observation of all primary entrance and all secondary doors that may be used for continuous or intermittent access. (CAT I)

Method 3/Check #2. Enclosure 3, para 3 & para 12; Appendix to Enclosure 3, para 2.e(6); Enclosure 2, para 2 -- Check to ensure the 24/7 Continuous Operations Facility is "continuously occupied" by at least one properly cleared employee. (CAT I)

Method 3/Check #3. Appendix to Enclosure 3, para 3.a. & para 3.c. -- Check to ensure doors that are continuously visible to cleared occupants are access controlled minimally by either an AECS using swipe or proximity cards (*not required to have PIN or biometric verification) OR by Electric, Mechanical, or Electromechanical Access Control Devices IAW the specifications of DoD Manual 5200.01, Volume 3, Appendix to Enclosure 3, para 3.c. (CAT I)

Method 3/Check #4. Appendix to Enclosure 3, para 2.e(6) -- If there is no IDS employed in the Continuous Operations Facility: Check to ensure that a duress device is available for occupants inside the facility, IF DETERMINED NECESSARY BY A DOCUMENTED RISK ASSESSMENT (RA). If there is no duress device and no RA to validate that there is no need for duress, it is a finding. (CAT II)

Method 3/Check #5. Enclosure 3, para 3.b.(3)(a) & (b) -- Where there is no IDS employed in the Continuous Operations Facility and ALL classified (SIPRNet) equipment, devices and media are not under the direct continuous observation and control of area occupants (CLEARED EMPLOYEES): Check to ensure a system of checks of classified assets (especially SIPRNet connected assets) internal to the Continuous Operations Facility, not exceeding 4 hours, is established and conducted. (CAT I)

The following set of 5 checks for Continuous Operations Access Control Monitoring Method #4 is to be used when Access is Monitored by Cleared Employees Directly Outside the Continuous Operations Facility - all doors MUST BE visible - is the primary means of access control to the Continuous Operations Facility:

Method 4/Check #1. Appendix to Enclosure 3, para 3.a. -- Check to ensure that cleared employees who work in the space just outside the Continuous Operations Facility (containing SIPRNet equipment) are providing continuous visual observation of the primary entrance and all secondary doors that may be used for continuous or intermittent access. They must be continuously present with no gaps in coverage. (CAT I)

Method 4/Check #2. Appendix to Enclosure 3, para 3.a. -- Check to ensure that cleared employees working outside the Continuous Operations Facility are located directly adjacent to a particular door or set of doors being monitored and are informed concerning their specific responsibilities for monitoring door security/access control. Written procedures must be available to substantiate this. (CAT II)

Method 4/Check #3. Appendix to Enclosure 3, para 3.a. & para 3.c. -- Check to ensure doors that are continuously visible and controlled by cleared employees directly outside the Continuous Operations Facility are access controlled minimally by either an AECS using swipe or proximity cards (*not required to have PIN or biometric verification) OR by Electric, Mechanical, or Electromechanical Access Control Devices IAW the specifications of DoD Manual 5200.01, Volume 3, Appendix to Enclosure 3, para 3.c. (CAT I)

Method 4/Check #4. Appendix to Enclosure 3, para 2.e(6) -- If there is no IDS employed in the Continuous Operations Facility: Check to ensure that a duress device is available for cleared employees monitoring door access from outside the facility, IF DETERMINED NECESSARY BY A DOCUMENTED RISK ASSESSMENT (RA). If there is no duress device and no RA to validate that there is no need for duress, it is a finding. (CAT II)

Method 4/Check #5. Enclosure 3, para 3.b.(3)(a) & (b) -- Where there is no IDS employed in the Continuous Operations Facility and ALL classified (SIPRNet) equipment, devices and media are not under the direct continuous observation and control of occupants within the facility (CLEARED EMPLOYEES): Check to ensure a system of checks of classified assets (especially SIPRNet connected assets) internal to the Continuous Operations Facility, not exceeding 4 hours, is established and conducted. (CAT I)

The following set of 6 checks for Continuous Operations Access Control Monitoring Method #5 is to be used when Access is Monitored by Closed Circuit Television (CCTV) reporting to a Central Monitoring Station Staffed 24/7 by cleared Guards or Other cleared Security Professionals - all doors MUST HAVE CCTV cameras - is the primary means of access control to the Continuous Operations Facility:

Method 5/Check #1. Enclosure 3, para 12; Appendix to Enclosure 3, para 3.a.; para 2.d.(6) & para 2.f.(2) -- Check to ensure ALL doors (primary and secondary) are actively monitored via CCTV by cleared guards at a central monitoring facility. (CAT I)

Method 5/Check #2. Appendix to Enclosure 3, 3.a.(7) -- Check to ensure that CCTV activity is recorded and maintained on file for a minimum of 90 days. (CAT II)

Method 5/Check #3. Enclosure 3, para 12; Appendix to Enclosure 3, para 3.a. & para 2.f.(2) -- Check to ensure that guards are continuously present at the monitoring location and informed concerning their specific responsibilities for monitoring and responding to potential unauthorized attempts to breach the Continuous Operations Facility. Written procedures must be available. (CAT I)

Method 5/Check #4. Enclosure 3, para 3 & para 12; Appendix to Enclosure 3, para 2.e(6); Enclosure 2, para 2 -- Check to ensure the 24/7 Continuous Operations Facilities are continuously occupied by at least one properly cleared employee. (CAT I)

Method 5/Check #5. Appendix to Enclosure 3, para 3.a. & para 3.c. -- Check to ensure doors that are continuously visible and controlled by CCTV from directly outside the Continuous Operations Facility are access controlled minimally by either an AECS using swipe or proximity cards (*not required to have PIN or biometric verification) OR by Electric, Mechanical, or Electromechanical Access Control Devices IAW the specifications of DoD Manual 5200.01, Volume 3, Appendix to Enclosure 3, para 3.c. (CAT I)

Method 5/Check #6. Enclosure 3, para 3.b.(3)(a) & (b) -- Where there is no IDS employed in the Continuous Operations Facility and ALL classified (SIPRNet) equipment, devices and media are not under the direct continuous observation and control of occupants within the facility (CLEARED EMPLOYEES): Check to ensure a system of checks of classified assets (especially SIPRNet connected assets) internal to the Continuous Operations Facility, not exceeding 4 hours, is established and conducted. (CAT I)

TACTICAL ENVIRONMENT: This check is applicable where Continuous Operations Facilities are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.
Continuous Operations Facilities storing classified SIPRNet assets in the open are not routinely opened or closed using Federal Specification FF-L-2740 combination locks due to being continuously occupied by cleared employees or due to very frequent access requirements for operational reasons. As applicable to the operating environment at a particular site/location, select one or more of the five Methods of Access Control to be used for 24/7 Continuous Operations Facilities. The five methods of access control along with specific requirements/checks are found in the Check Content of this Requirement. More than one method of access control might apply to a particular Continuous Operations Facility or to multiple Continuous Operations Facilities at a single site/location. Based on the access control method(s) used for each individual Continuous Operations Facility at a site, comply with all of the requirements detailed in all of the individual checks applicable to the selected method(s) of access control. Compliance with at least one complete set of checks applicable to a particular method of access control is required for each Continuous Operations Facility.