The site must successfully complete a security assessment of the CSfC based campus WLAN system to confirm compliance with the CSfC Campus WLAN Capability Package prior to IOC and yearly thereafter.

From CSfC Campus WLAN Policy Security Implementation Guide

Part of Security assessment of campus WLAN system

Associated with IA controls: DCAR-1, DCII-1

SV-48087r1_rule The site must successfully complete a security assessment of the CSfC based campus WLAN system to confirm compliance with the CSfC Campus WLAN Capability Package prior to IOC and yearly thereafter.

Vulnerability discussion

Classified data could be exposed if the campus WLAN system is operated out of compliance with the Commercial Solutions for Classified (CSfC) Campus IEEE 802.11 Wireless Local Area Network (WLAN) Capability Package and any NSA-approved deviations to the capability package. The NSA Commercial Solutions for Classified (CSfC) registration process requires that CSfC-listed equipment be used in the campus WLAN system. The site should perform a security assessment prior to operating the system to confirm it is compliant, and periodically thereafter to verify the system is still in compliance with the most recent version of the capability package.

Check content

The security assessment must validate that the site's CSfC-based campus WLAN system is compliant with all technical and non-technical requirements listed in the CSfC Campus IEEE 802.11 Wireless Local Area Network (WLAN) Capability Package. The assessment should be successfully completed (no findings) before the system's Initial Operating Capability (IOC) is achieved and yearly thereafter. It is recommended that the assessment be completed by an organization that is separate from the organization that is setting up and managing the campus WLAN system.

- Review the registration agreement between the site and NSA to determine if any deviations from the Campus WLAN Capability Package have been approved by NSA.
- Review security assessment reports from assessments completed before IOC or yearly thereafter and interview the site IAM/IAO. Determine the date of the last assessment and if there are any open findings from the report.
- If security assessments were not completed prior to IOC or yearly thereafter, or if assessments were completed but there were open findings listed in the last report, this is a finding.

Fix text

Conduct security assessments of the campus WLAN system before IOC and yearly thereafter and immediately close any open findings or shut down the system.
