Vault/Secure Room Storage Standards - Intrusion Detection System and Automated Entry Control System (IDS/AECS) Component Tamper Protection

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-245815	IS-02.02.06	IS-02.02.06	SV-245815r1138476_rule	2025-12-04	2

Description
Failure to tamper protect IDS/AECS component enclosures and access points external to protected vaults/secure rooms space could result in the undetected modification or disabling of IDS/AECS system components. This could lead to the undetected breach of secure space containing SIPRNet assets and result in the undetected loss or compromise of classified information or materials. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-3, PE-5, PE-6(1) DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information: Appendix to Enclosure 3, paragraphs 2.d.(8 and 3.a.(5)(b). 32 CFR 117 and 32 CFR 2001 and 2003 as well as DOD Manual 5220.32 Volume 1

Description

Failure to tamper protect IDS/AECS component enclosures and access points external to protected vaults/secure rooms space could result in the undetected modification or disabling of IDS/AECS system components. This could lead to the undetected breach of secure space containing SIPRNet assets and result in the undetected loss or compromise of classified information or materials. REFERENCES: CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraph 34. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4, PE-3, PE-5, PE-6(1) DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information: Appendix to Enclosure 3, paragraphs 2.d.(8 and 3.a.(5)(b). 32 CFR 117 and 32 CFR 2001 and 2003 as well as DOD Manual 5220.32 Volume 1

ℹ️ Check
Requirements Summary: Protection must be established and maintained for all component devices or equipment that constitute the Automated Entry Control System (AECS) and/or the Intrusion Detection System (IDS) used to protect a vault, secure room or collateral classified open storage area, which contains SIPRNet assets. If access to a junction box or controller will enable an unauthorized modification, then alarmed tamper protection, which is normally provided by a pressure sensitive switch must be used. CHECKS: 1. Check to ensure that IDS/AECS components located both outside and inside the secure area have tamper protection resulting in an alarm signal sent to the primary IDS Monitoring Station. Normally this is provided by a pressure sensitive switch, which automatically sends an alarm signal when the protective enclosure covering component equipment is opened. 2. Check to ensure that ALL IDS/AECS ancillary equipment such as card readers, keypads, communication or interface devices for vaults, secure rooms, or collateral classified open storage areas containing SIPRNet as well as other classified systems assets have tamper resistant enclosures and are securely fastened to the wall or other permanent structure. Control panels and AECS devices located within a Secret or TS Controlled Access Area (CAA) need only a minimal degree of physical security protection sufficient to preclude unauthorized access to the mechanism. TACTICAL ENVIRONMENT: This check is applicable where Vaults/Secure Rooms are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

ℹ️ Check

Requirements Summary: Protection must be established and maintained for all component devices or equipment that constitute the Automated Entry Control System (AECS) and/or the Intrusion Detection System (IDS) used to protect a vault, secure room or collateral classified open storage area, which contains SIPRNet assets. If access to a junction box or controller will enable an unauthorized modification, then alarmed tamper protection, which is normally provided by a pressure sensitive switch must be used. CHECKS: 1. Check to ensure that IDS/AECS components located both outside and inside the secure area have tamper protection resulting in an alarm signal sent to the primary IDS Monitoring Station. Normally this is provided by a pressure sensitive switch, which automatically sends an alarm signal when the protective enclosure covering component equipment is opened. 2. Check to ensure that ALL IDS/AECS ancillary equipment such as card readers, keypads, communication or interface devices for vaults, secure rooms, or collateral classified open storage areas containing SIPRNet as well as other classified systems assets have tamper resistant enclosures and are securely fastened to the wall or other permanent structure. Control panels and AECS devices located within a Secret or TS Controlled Access Area (CAA) need only a minimal degree of physical security protection sufficient to preclude unauthorized access to the mechanism. TACTICAL ENVIRONMENT: This check is applicable where Vaults/Secure Rooms are used to protect classified materials or systems in a tactical environment. The only exception will be for urgent (short term) tactical operations or other contingency situations where fixed facilities and equipment are not yet present or incapable of being used.

✔️ Fix
Requirements Summary: Protection must be established and maintained for all component devices or equipment that constitute the Automated Entry Control System (AECS) and/or the Intrusion Detection System (IDS) used to protect a vault, secure room, or collateral classified open storage area, which contains SIPRNet assets. If access to a junction box or controller will enable an unauthorized modification, then alarmed tamper protection, which is normally provided by a pressure sensitive switch, must be used. Fixes: 1. IDS/AECS components located both outside and inside the secure area must have tamper protection resulting in an alarm signal sent to the primary IDS Monitoring Station. Normally this is provided by a pressure sensitive switch, which automatically sends an alarm signal when the protective enclosure covering component equipment is opened. 2. ALL IDS/AECS ancillary equipment such as card readers, keypads, communication or interface devices for vaults, secure rooms, or collateral classified open storage areas containing SIPRNet as well as other classified systems assets must have tamper resistant enclosures and be securely fastened to the wall or other permanent structure. Control panels and AECS devices located within a Secret or TS Controlled Access Area (CAA) need only a minimal degree of physical security protection sufficient to preclude unauthorized access to the mechanism.

✔️ Fix

Requirements Summary: Protection must be established and maintained for all component devices or equipment that constitute the Automated Entry Control System (AECS) and/or the Intrusion Detection System (IDS) used to protect a vault, secure room, or collateral classified open storage area, which contains SIPRNet assets. If access to a junction box or controller will enable an unauthorized modification, then alarmed tamper protection, which is normally provided by a pressure sensitive switch, must be used. Fixes: 1. IDS/AECS components located both outside and inside the secure area must have tamper protection resulting in an alarm signal sent to the primary IDS Monitoring Station. Normally this is provided by a pressure sensitive switch, which automatically sends an alarm signal when the protective enclosure covering component equipment is opened. 2. ALL IDS/AECS ancillary equipment such as card readers, keypads, communication or interface devices for vaults, secure rooms, or collateral classified open storage areas containing SIPRNet as well as other classified systems assets must have tamper resistant enclosures and be securely fastened to the wall or other permanent structure. Control panels and AECS devices located within a Secret or TS Controlled Access Area (CAA) need only a minimal degree of physical security protection sufficient to preclude unauthorized access to the mechanism.