Free DISA STIG and SRG Library | Vaulted

V-36590

The site must successfully complete a security assessment of the CSfC based campus WLAN system to confirm compliance with the CSfC Campus WLAN Capability Package prior to IOC and yearly thereafter.

Finding ID
WIR-CWLAN-01
Rule ID
SV-48087r1_rule
Severity
Cat I
CCE
(None)
Group Title
Security assessment of campus WLAN system
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Classified data could be exposed if the campus WLAN system is operated out of compliance with the Commercial Solutions for Classified (CSfC) Campus IEEE 802.11 Wireless Local Area Network (WLAN) Capability Package and any NSA approved deviations to the capability package. The NSA Commercial Solutions for Classified (CSfC) registration process requires CSfC-listed equipment be used in the campus WLAN system. The site should perform a security assessment prior to operating the system to confirm it is compliant and periodically, thereafter, to verify the system is still in compliance with the most recent version of the capability package.

Fix Text

Conduct security assessments of the campus WLAN system before IOC and yearly thereafter and immediately close any open findings or shut down the system.

Check Content

The security assessment must validate that the site’s CSfC based campus WLAN system is compliant with all technical and non-technical requirements listed in the CSfC Campus IEEE 802.11 Wireless Local Area Network (WLAN) Capability Package. The assessment should be successfully completed (no findings) before the systems Initial Operating Capability (IOC) is achieved and yearly thereafter. It is recommended that the assessment be completed by an organization that is separate from the organization that is setting up and managing the campus WLAN system. -Review the registration agreement between the site and NSA to determine if any deviations from the Campus WLAN Capability Package have been approved by NSA. -Review security assessment reports from assessments completed before IOC or yearly thereafter and interview the site IAM/IAO. Determine the date of the last assessment and if there are any open findings from the report. -If security assessments were not completed prior to IOC or yearly thereafter or if assessments were completed but there were open findings listed in the last report, this is a finding.

Responsibility

Information Assurance Officer

IA Controls

DCAR-1, DCII-1