Traditional Security Checklist

Version: V2R8
Release Date: Dec 4, 2025
SCAP Benchmark ID: Traditional_Security_Checklist
Total Checks: 145
Tags: other
Severity: CAT I: 39, CAT II: 66, CAT III: 40

These requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Checks (145)

  • V-245722 [HIGH] COMSEC Account Management - Equipment and Key Storage
  • V-245723 [LOW] COMSEC Account Management - Appointment of Responsible Person
  • V-245724 [LOW] COMSEC Account Management - Program Management and Standards Compliance
  • V-245725 [MEDIUM] COMSEC Training - COMSEC Custodian or Hand Receipt Holder
  • V-245726 [MEDIUM] COMSEC Training - COMSEC User
  • V-245727 [HIGH] Classified Transmission - Electronic Means using Cryptographic System Authorized by the Director, NSA
  • V-245728 [HIGH] Protected Distribution System (PDS) Construction - Point of Presence (PoP) and Terminal Equipment Protection. This requirement concerns security of both the starting and ending points for PDS within proper physically protected and access controlled environments.
  • V-245729 [HIGH] Protected Distribution System (PDS) Construction - Hardened Carrier
  • V-245730 [HIGH] Protected Distribution System (PDS) Construction - Pull Box Security
  • V-245731 [HIGH] Protected Distribution System (PDS) Construction - Buried PDS Carrier
  • V-245732 [HIGH] Protected Distribution System (PDS) Construction - External Suspended PDS
  • V-245733 [HIGH] Protected Distribution System (PDS) Construction - Continuously Viewed Carrier
  • V-245734 [HIGH] Protected Distribution System (PDS) Construction - Tactical Environment Application
  • V-245735 [HIGH] Protected Distribution System (PDS) Construction - Alarmed Carrier
  • V-245736 [MEDIUM] Protected Distribution System (PDS) Construction - Visible for Inspection and Marked
  • V-245737 [MEDIUM] Protected Distribution System (PDS) Construction - Sealed Joints
  • V-245738 [LOW] Protected Distribution System (PDS) Documentation - Signed Approval
  • V-245739 [LOW] Protected Distribution System (PDS) Documentation - Request for Approval Documentation
  • V-245740 [MEDIUM] Protected Distribution System (PDS) Monitoring - Daily (Visual) Checks
  • V-245741 [MEDIUM] Protected Distribution System (PDS) Monitoring - Reporting Incidents
  • V-245742 [LOW] Protected Distribution System (PDS) Monitoring - Technical Inspections
  • V-245743 [LOW] Protected Distribution System (PDS) Monitoring - Initial Inspection
  • V-245744 [MEDIUM] Environmental IA Controls - Emergency Power Shut-Off (EPO)
  • V-245745 [MEDIUM] Environmental IA Controls - Emergency Lighting and Exits - Properly Installed
  • V-245746 [LOW] Environmental IA Controls - Emergency Lighting and Exits - Documentation and Testing
  • V-245747 [LOW] Environmental IA Controls - Voltage Control (power)
  • V-245748 [MEDIUM] Environmental IA Controls - Emergency Power
  • V-245749 [LOW] Environmental IA Controls - Training
  • V-245750 [LOW] Environmental IA Controls - Temperature
  • V-245751 [LOW] Environmental IA Controls - Humidity
  • V-245752 [LOW] Environmental IA Controls - Fire Inspections/Discrepancies
  • V-245753 [LOW] Environmental IA Controls - Fire Detection and Suppression
  • V-245754 [MEDIUM] TEMPEST Countermeasures
  • V-245755 [MEDIUM] TEMPEST - Red/Black separation (Processors)
  • V-245756 [MEDIUM] TEMPEST - Red/Black Separation (Cables)
  • V-245757 [MEDIUM] Foreign National System Access - Identification as FN in Email Address
  • V-245758 [LOW] Foreign National System Access - Local Access Control Procedures
  • V-245759 [HIGH] Foreign National (FN) Systems Access - Local Nationals Overseas System Access - (SIPRNet or Other Classified System or Classified Network being Reviewed)
  • V-245761 [MEDIUM] Foreign National (FN) Systems Access - Local Nationals Overseas System Access - (NIPRNet User)
  • V-245762 [MEDIUM] Foreign National (FN) Systems Access - Delegation of Disclosure Authority Letter (DDL)
  • V-245763 [HIGH] Foreign National System Access - FN or Immigrant Aliens (not representing a foreign government or entity) System Access - Limited Access Authorization (LAA)
  • V-245764 [HIGH] Foreign National (FN) System Access - FN or Immigrant Aliens (not representing a foreign government or entity) with LAA Granted Uncontrolled Access
  • V-245765 [HIGH] Foreign National (FN) Physical Access Control - Areas Containing US Only Information Systems Workstations/Monitor Screens, Equipment, Media or Documents
  • V-245766 [LOW] Foreign National (FN) Physical Access Control - (Identification Badges)
  • V-245767 [HIGH] Foreign National (FN) Administrative Controls - Proper Investigation and Clearance for Access to Classified Systems and/or Information Assurance (IA) Positions of Trust
  • V-245768 [MEDIUM] Foreign National (FN) Administrative Controls - Written Procedures and Employee Training
  • V-245769 [MEDIUM] Foreign National (FN) Administrative Controls - Procedures for Requests to Provide Foreign Nationals System Access
  • V-245770 [LOW] Foreign National (FN) Administrative Controls - Contact Officer Appointment
  • V-245771 [LOW] Information Assurance - System Security Operating Procedures (SOPs)
  • V-245772 [MEDIUM] Information Assurance - COOP Plan and Testing (Not in Place for Information Technology Systems or Not Considered in the organizational Holistic Risk Assessment)
  • V-245773 [LOW] Information Assurance - COOP Plan or Testing (Incomplete)
  • V-245774 [MEDIUM] Information Assurance - System Security Incidents (Identifying, Reporting, and Handling)
  • V-245775 [MEDIUM] Information Assurance - System Access Control Records (DD Form 2875 or equivalent)
  • V-245776 [MEDIUM] Information Assurance - System Training and Certification/ IA Personnel
  • V-245777 [MEDIUM] Information Assurance/Cybersecurity Training for System Users
  • V-245778 [MEDIUM] Information Assurance - Accreditation Documentation
  • V-245781 [MEDIUM] Information Assurance - KVM or A/B Switch not listed on the NIAP U.S. Government Approved Protection Products Compliance List (PCL) for Peripheral Sharing Switches
  • V-245782 [MEDIUM] Information Assurance - KVM Switch (Port Separation) on CYBEX/Avocent 4 or 8 port
  • V-245783 [MEDIUM] Information Assurance - KVM Switch Use of Hot-Keys on SIPRNet Connected Devices
  • V-245784 [LOW] Information Assurance - Authorizing Official (AO) and DoDIN Connection Approval Office (CAO) Approval Documentation for use of KVM and A/B switches for Sharing of Classified and Unclassified Peripheral Devices
  • V-245785 [HIGH] Information Assurance - Classified Portable Electronic Devices (PEDs) Connected to the SIPRNet must be Authorized, Compliant with NSA Guidelines, and be Configured for Data at Rest (DAR) Protection
  • V-245786 [MEDIUM] Information Assurance - Unauthorized Wireless Devices - Portable Electronic Devices (PEDs) Used in Classified Processing Areas without Certified TEMPEST Technical Authority (CTTA) Review and Authorizing Official (AO) Approval.
  • V-245787 [LOW] Information Assurance - Unauthorized Wireless Devices - No Formal Policy and/or Warning Signs
  • V-245788 [HIGH] Information Assurance - Network Connections - Physical Protection of Network Devices such as Routers, Switches and Hubs (Connected to SIPRNet or Other Classified Networks or Systems Being Inspected)
  • V-245789 [HIGH] Information Assurance - Network Connections - Wall Jack Security on Classified Networks (SIPRNet or other Inspected Classified Network or System) Where Port Authentication Using IEEE 802.1X IS NOT Implemented
  • V-245790 [MEDIUM] Information Assurance - Network Connections - Physical Protection of Unclassified (NIPRNet) Network Devices such as Routers, Switches and Hubs
  • V-245791 [MEDIUM] Industrial Security - DD Form 254
  • V-245792 [LOW] Industrial Security - Contractor Visit Authorization Letters (VALs)
  • V-245793 [MEDIUM] Industrial Security - Contract Guard Vetting
  • V-245794 [MEDIUM] Information Security (INFOSEC) - Safe/Vault/Secure Room Management
  • V-245795 [HIGH] Information Security (INFOSEC) - Vault/Secure Room Storage Standards - Door Combination Lock Meeting Federal Specification FF-L-2740
  • V-245796 [HIGH] Information Security (INFOSEC) - Secure Room Storage Standards - Door Construction
  • V-245797 [HIGH] Information Security (INFOSEC) - Secure Room Storage Standards Wall and Ceiling Structural Integrity (AKA: True Floor to True Ceiling Connection)
  • V-245798 [HIGH] Information Security (INFOSEC) - Vault/Secure Room Storage Standards - Openings in Perimeter Exceeding 96 Square Inches
  • V-245799 [HIGH] Information Security (INFOSEC) - Secure Room Storage Standards Windows - Accessible from the Ground Hardened Against Forced Entry and Shielded from Exterior Viewing of Classified Materials Contained within the Area.
  • V-245800 [HIGH] Information Security (INFOSEC) - Vault Storage/Construction Standards
  • V-245801 [HIGH] Information Security (INFOSEC) - Secure Room Storage Standards - Intrusion Detection System (IDS)
  • V-245802 [HIGH] Information Security (INFOSEC) - Secure Room Storage Standards - Balanced Magnetic Switch (BMS) on Perimeter Doors
  • V-245803 [HIGH] Information Security (INFOSEC) - Secure Room Storage Standards - Interior Motion Detection
  • V-245804 [HIGH] Information Security (INFOSEC) - Secure Room Storage Standards - Four (4) Hour Random Checks in Lieu of Using Intrusion Detection System (IDS)
  • V-245805 [HIGH] Vault/Secure Room Storage Standards - IDS Transmission Line Security
  • V-245806 [HIGH] Vault/Secure Room Storage Standards - IDS Access/Secure Control Units Must be Located within the Secure Room Space
  • V-245807 [HIGH] Information Security (IS) - Continuous Operations Facility: Access Control Monitoring Methods
  • V-245808 [HIGH] Vault/Secure Room Storage Standards - Access Control During Working Hours Using Visual Control OR Automated Entry Control System (AECS) with PIN / Biometrics
  • V-245809 [HIGH] Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) and Intrusion Detection System (IDS) Head-End Equipment Protection: The physical location (room or area) containing AECS and IDS head-end equipment (server and/or work station/monitoring equipment) where authorization, personal identification or verification data is input, stored, or recorded and/or where system status/alarms are monitored must be physically protected.
  • V-245810 [MEDIUM] Information Security (INFOSEC) - Secure Room Storage Standards - Structural Integrity Checks
  • V-245811 [MEDIUM] Vault/Secure Room Storage Standards - IDS Performance Verification
  • V-245812 [MEDIUM] Vault/Secure Room Storage Standards - Masking of IDS Sensors Displayed at the Intrusion Detection System (IDS) Monitoring Station
  • V-245813 [MEDIUM] Vault/Secure Room Storage Standards - IDS Alarm Monitoring Indicators, both audible and visual (Alarm Status) must be displayed for each sensor or alarmed zone at the monitoring station.
  • V-245814 [MEDIUM] Vault/Secure Room Storage Standards - Intrusion Detection System (IDS) / Automated Entry Control System (AECS) Primary and Emergency Power Supply
  • V-245815 [MEDIUM] Vault/Secure Room Storage Standards - Intrusion Detection System and Automated Entry Control System (IDS/AECS) Component Tamper Protection
  • V-245816 [MEDIUM] Vault/Secure Room Storage Standards - Primary IDS Monitoring Location Outside the Monitored Space
  • V-245817 [MEDIUM] Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Records Maintenance, which includes documented procedures for granting and removal of access.
  • V-245818 [MEDIUM] Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Transmission Line Security: AECS Transmission lines traversing an uncontrolled area (not within at least a Secret Controlled Access Area (CAA) ) shall use line supervision OR Electrical, mechanical, or electromechanical access control devices, which do not constitute an AECS that are used to control access during duty hours must have all electrical components, that traverse outside minimally a Secret Controlled Access Area (CAA), secured within conduit.
  • V-245819 [MEDIUM] Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Door Locks: Electric Strikes and/or Magnetic Locking devices used in access control systems shall be heavy duty, industrial grade and be configured to fail secure in the event of a total loss of power (primary and backup).
  • V-245820 [MEDIUM] Information Security (INFOSEC) - Secure Room Storage Standards - Perimeter Construction using Proper Permanent Construction Materials for True Ceiling, Walls and Floors.
  • V-245821 [LOW] Vault/Secure Room Storage Standards - Automated Entry Control System (AECS) Keypad Device Protection: Keypad devices designed or installed in a manner that an unauthorized person in the immediate vicinity cannot observe the selection of input numbers.
  • V-245822 [MEDIUM] Marking Classified - Equipment, Documents or Media: In a classified operating environment, all unclassified items must be marked in addition to all classified items.
  • V-245823 [LOW] Marking Classified - Local or Enclave Classified Marking Procedures must be developed to ensure employees are familiar with appropriate organization Security Classification Guides (SCG), how to obtain guidance for marking classified documents, media and equipment, and where associated forms, classified cover sheets, labels, stamps, wrapping material for classified shipment, etc. can be obtained.
  • V-245824 [LOW] Classified Working Papers are properly marked, destroyed when no longer needed, or treated as a finished document after 180 days.
  • V-245825 [HIGH] Storage/Handling of Classified Documents, Media, Equipment - must be under continuous personal protection and control of an authorized (cleared) individual OR guarded or stored in an approved locked security container (safe), vault, secure room, collateral classified open storage area or SCIF.
  • V-245826 [LOW] Non-Disclosure Agreement - Standard Form 312: no person may have access to classified information unless that person has a security clearance in accordance with DODM 5200.02 and has signed a Standard Form (SF) 312, Classified Information Non-Disclosure Agreement (NDA), and access is essential to the accomplishment of a lawful and authorized Government function (i.e., has a need to know).
  • V-245827 [LOW] Handling of Classified Documents, Media, Equipment - Written Procedures and Training for when classified material/equipment is removed from a security container and/or secure room.
  • V-245828 [LOW] Handling of Classified - Use of Cover Sheets on Documents Removed from Secure Storage
  • V-245829 [HIGH] Classified Monitors/Displays (Physical Control of Classified Monitors From Unauthorized Viewing)
  • V-245830 [HIGH] Monitor Screens - Disable Access by CAC or Token Removal, or Lock Computer via Ctrl/Alt/Del
  • V-245831 [LOW] Classified Monitors/Displays (Procedures for Obscuration of Classified Monitors) - protection from uncleared persons or those without a need-to-know.
  • V-245832 [MEDIUM] End-of-Day Checks - Organizations that process or store classified information must establish a system of security checks at the close of each duty and/or business day to ensure that any area where classified information is used or stored is secure. SF 701, Activity Security Checklist, shall be used to record such checks.
  • V-245833 [HIGH] Classified Reproduction - SIPRNet Connected Classified Multi-Functional Devices (MFD) located in Space Not Approved for Collateral Classified Open Storage.
  • V-245834 [MEDIUM] Classified Reproduction - Following guidance for System to Media Transfer of Data from systems connected specifically to the SIPRNet In-Accordance-With (IAW) US CYBERCOM CTO 10-133A.
  • V-245835 [LOW] Classified Reproduction - Written Procedures for SIPRNet Connected Classified Multi-Functional Devices (MFD) located in Space Not Approved for Collateral Classified Open Storage. NOTE: This vulnerability concerns only PROCEDURES for the reproduction (printing, copying, scanning, faxing) of classified documents on Multi-Functional Devices (MFD) connected to the DODIN.
  • V-245836 [HIGH] Destruction of Classified Documents Printed from the SIPRNet Using Approved Devices on NSA Evaluated Products Lists (EPL).
  • V-245837 [HIGH] Classified Material Destruction - Improper Disposal of Automated Information System (AIS) Hard Drives and Storage Media
  • V-245838 [MEDIUM] Classified Destruction - Hard Drive and Storage Media Sanitization Devices and Plans are not Available for disposal of Automated Information System (AIS) Equipment On-Hand
  • V-245839 [LOW] Destruction of Classified and Unclassified Documents, Equipment and Media - Availability of Local Policy and Procedures
  • V-245840 [MEDIUM] Classified Emergency Destruction Plans - Develop and Make Available
  • V-245841 [MEDIUM] Security Incident/Spillage - Lack of Procedures or Training for Handling and Reporting
  • V-245842 [MEDIUM] Classification Guides Must be Available for Programs and Systems for an Organization or Site
  • V-245843 [MEDIUM] Controlled Unclassified Information (CUI) - Employee Education and Training
  • V-245844 [MEDIUM] Controlled Unclassified Information - Document, Hard Drive and Media Disposal
  • V-245845 [MEDIUM] Controlled Unclassified Information - Handling, Storage and Controlling Access to Areas where CUI is Processed or Maintained
  • V-245846 [MEDIUM] Controlled Unclassified Information - Encryption of Data at Rest
  • V-245847 [MEDIUM] Controlled Unclassified Information - Transmission by either Physical or Electronic Means
  • V-245848 [MEDIUM] Controlled Unclassified Information - Posting Only on Web-Sites with Appropriate Encryption; not on Publicly Accessible Web-Sites.
  • V-245849 [LOW] Controlled Unclassified Information (CUI) - Local Policy and Procedure
  • V-245850 [LOW] Controlled Unclassified Information - Marking/Labeling Media within Unclassified Environments (Not Mixed with Classified)
  • V-245851 [LOW] Classified Annual Review
  • V-245852 [LOW] Position of Trust - Knowledge of Responsibility to Self Report Derogatory Information
  • V-245853 [LOW] Position of Trust - Local Policy Covering Employee Personal Standards of Conduct and Responsibilities
  • V-245854 [LOW] Position of Trust - Training Covering Employee Standards of Conduct and Personal Responsibilities
  • V-245856 [MEDIUM] Validation Procedures for Security Clearance Issuance (Classified Systems and/or Physical Access Granted)
  • V-245860 [LOW] Out-processing Procedures for Departing or Terminated Employees (Military, Government Civilian and Contractor)
  • V-245861 [MEDIUM] Intrusion Detection System (IDS) Monitoring Station Personnel - Suitability Checks
  • V-245862 [MEDIUM] Intrusion Detection System (IDS) Installation and Maintenance Personnel - Suitability Checks
  • V-245863 [LOW] Physical Security Program - Physical Security Plan (PSP) and/or Systems Security Plan (SSP) Development and Implementation with Consideration/Focus on Protection of Information System Assets in the Physical Environment
  • V-245864 [MEDIUM] Risk Assessment -Holistic Review (site/environment/information systems)
  • V-245865 [MEDIUM] Physical Protection of Unclassified Key System Devices/Computer Rooms in Large Processing Facilities
  • V-245866 [MEDIUM] Restricted Area and Controlled Area Designation of Areas Housing Critical Information System Components or Classified /Sensitive Technology or Data
  • V-245867 [MEDIUM] Security-in-Depth (AKA: Defense-in-Depth) - Minimum Physical Barriers and Access Control Measures for Facilities or Buildings Containing DODIN (SIPRNet/NIPRNet) Connected Assets.
  • V-245868 [MEDIUM] Visitor Control - To Facility or Organization with Information System Assets Connected to the DISN
  • V-245869 [MEDIUM] Sensitive Item Control - Keys, Locks and Access Cards Controlling Access to Information Systems (IS) or IS Assets Connected to the DISN
  • V-245870 [LOW] Physical Penetration Testing - of Facilities or Buildings Containing Information Systems (IS) Connected to the DISN
  • V-245871 [MEDIUM] Security and Cybersecurity Staff Appointment, Training/Certification and Suitability
  • V-245872 [MEDIUM] Security Training - Information Security (INFOSEC) for ALL Employees; Military, Government Civilian and Contractor
  • V-245873 [LOW] Counter-Intelligence Program - Training, Procedures and Incident Reporting