You are on page 1of 420

System Name

System Owner

<Insert System Name Here>


Designated Accrediting Authority (DAA) Accreditation Status Accreditation Date Period Covered

Certifying Authority (CA)

Certification Date

Mission Assurance Category (MAC)

MAC I

IA Control Subject Area

IA Control Number

IA Control Name

Continuity Continuity Continuity Continuity Continuity Continuity Continuity Continuity Continuity Continuity Continuity Continuity Security Design and Configuration Security Design and Configuration Security Design and Configuration Security Design and Configuration Security Design and Configuration Security Design and Configuration Security Design and Configuration Security Design and Configuration Security Design and Configuration Security Design and Configuration Security Design and Configuration Security Design and Configuration Security Design and Configuration Security Design and Configuration Security Design and Configuration Security Design and Configuration Security Design and Configuration Security Design and Configuration Security Design and Configuration Security Design and Configuration Security Design and Configuration Security Design and Configuration

COAS-2 COBR-1 CODB-3 CODP-3 COEB-2 COED-2 COEF-2 COMS-2 COPS-3 COSP-2 COSW-1 COTR-1 DCAR-1 DCAS-1 DCBP-1 DCCB-2 DCCS-2 DCCT-1 DCDS-1 DCFA-1 DCHW-1 DCID-1 DCII-1 DCIT-1 DCMC-1 DCNR-1 DCPA-1 DCPB-1 DCPD-1 DCPP-1 DCPR-1 DCSD-1 DCSL-1 DCSP-1

Alternate Site Designation Protection of Backup and Restoration Assets Data Backup Procedures Disaster and Recovery Planning Enclave Boundary Defense Scheduled Exercises and Drills Identification of Essential Functions Maintenance Support Power Supply Spares and Parts Backup Copies of Critical Software Trusted Recovery Procedural Review Acquisition Standards Best Security Practices Control Board Configuration Specifications Compliance Testing Dedicated IA Services Functional Architecture for AIS Applications HW Baseline Interconnection Documentation IA Impact Assessment IA for IT Services Mobile Code Non-repudiation Partitioning the Application IA Program and Budget Public Domain Software Controls Ports, Protocols, and Services CM Process IA Documentation System Library Management Controls Security Support Structure Partitioning

Security Design and Configuration Security Design and Configuration Security Design and Configuration Security Design and Configuration Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Enclave and Computing Environment Identification and Authentication Identification and Authentication Identification and Authentication Identification and Authentication Physical and Environmental Physical and Environmental

DCSQ-1 DCSR-3 DCSS-2 DCSW-1 EBBD-3 EBCR-1 EBRP-1 EBRU-1 EBVC-1 ECAD-1 ECAN-1 ECAR-3 ECAT-2 ECCD-2 ECCM-1 ECCR-2 ECCR-3 ECCT-2 ECDC-1 ECIC-1 ECID-1 ECIM-1 ECLC-1 ECLO-2 ECLP-1 ECML-1 ECMT-2 ECND-2 ECNK-1 ECNK-2 ECPA-1 ECPC-2 ECRC-1 ECRG-1 ECRR-1 ECSC-1 ECSD-2 ECTB-1 ECTC-1 ECTM-2 ECTP-1 ECVI-1 ECVP-1 ECWM-1 ECWN-1 IAAC-1 IAGA-1 IAIA-2 IAKM-3 IATS-2 PECF-2 PECS-2

Software Quality Specified Robustness High System State Changes SW Baseline Boundary Defense Connection Rules Remote Access for Privileged Functions Remote Access for User Functions VPN Controls Affiliation Display Access for Need-to-Know Audit Record Content Audit Trail, Monitoring, Analysis and Reporting Changes to Data COMSEC Encryption for Confidentiality (Data at Rest) Encryption for Confidentiality (Data at Rest) Encryption for Confidentiality (Data in Transit) Data Change Controls Interconnection among DoD Systems and Enclaves Host Based IDS Instant Messaging Audit of Security Label Changes Logon Least Privilege Marking and Labeling Conformance Monitoring and Testing Network Device Controls Encryption for Need-To-Know Encryption for Need-To-Know Privileged Account Control Production Code Change Controls Resource Control Audit Reduction and Report Generation Audit Record Retention Security Configuration Compliance Software Development Change Controls Audit Trail Backup Tempest Controls Transmission Integrity Controls Audit Trail Protection Voice over IP Virus Protection Warning Message Wireless Computing and Networking Account Control Group Identification and Authentication Individual Identification and Authentication Key Management Token and Certificate Standards Access to Computing Facilities Clearing and Sanitizing

Physical and Environmental PEDD-1 Physical and Environmental PEDI-1 Physical and Environmental PEEL-2 Physical and Environmental PEFD-2 Physical and Environmental PEFI-1 Physical and Environmental PEFS-2 Physical and Environmental PEHC-2 Physical and Environmental PEMS-1 Physical and Environmental PEPF-2 Physical and Environmental PEPS-1 Physical and Environmental PESL-1 Physical and Environmental PESP-1 Physical and Environmental PESS-1 Physical and Environmental PETC-2 Physical and Environmental PETN-1 Physical and Environmental PEVC-1 Physical and Environmental PEVR-1 Personnel PRAS-2 Personnel PRMP-2 Personnel PRNK-1 Personnel PRRB-1 Personnel PRTN-1 Vulnerabiity and Incident Management VIIR-2 Vulnerabiity and Incident Management VIVM-1

Destruction Data Interception Emergency Lighting Fire Detection Fire Inspection Fire Suppression System Humidity Controls Master Power Switch Physical Protection of Facilities Physical Security Testing Screen Lock Workplace Security Procedures Storage Temperature Controls Environmental Control Training Visitor Control to Computing Facilities Voltage Regulators Access to Information Maintenance Personnel Access to Need-to-Know Information Security Rules of Behavior or Acceptable Use Policy Information Assurance Training Incident Response Planning Vulnerability Management

IS Type

Period Covered ATD

Last Update

ssurance Category (MAC)

Confidentiality Level (CL)

MAC I

Classified

Inherited?

C/NC/NA

Impact Code

Last Update

NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA

High High Medium Medium High Medium Medium Medium Medium Medium High High Medium High Medium Medium High Medium Medium Medium High High Medium High Medium Medium Low High Medium Medium High High Medium Medium

CAT I CAT II CAT III CAT IV Total:

0 0 0 0 0

NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA

Medium High High High High Medium High High Medium Medium High High Medium High High Medium High High Medium Medium Medium Medium Low Medium High High Medium Medium Medium Medium High Medium Medium Low Medium High High Medium High Medium Medium Medium High Low High High Medium High Medium Medium High High

NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA

High High Medium High Medium High Medium High High Low Medium Medium High Medium Low High High High High High High High High Medium

8500.2 CODB-2

Control Name Data Backup Procedures

CODB-3

Data Backup Procedures

Vulnerability Description VMS STIG ID System images are not being backed up on a weekly basis to the local system and a copy is not being stored on a removable storage device and/or is not being stored off site. V0007984 DSN17.02 Site staff does not ensure backup media is available and up to date prior to software modification. V0007985 DSN17.03

Related IA Controls

ECSC-1 COBR-1, CODB-1, CODB-2, ECSC-1

DCAS-1

Acquisition Standards

The purchase / maintenance contract, or specification, for the Voice/Video/RTS system under review does not contain verbiage requiring compliance and validation measures for all applicable STIGs.

V0008341 DSN03.02

EBCR-1, ECSC-1

DCAS-1

Acquisition Standards

The requirement of DSN APL listing is not being considered during the procurement, installation, connection, or upgrade to the site's Voice/Video/RTS infrastructure.

V0008348 DSN03.07

EBCR-1, ECSC-1

DCAS-1

Acquisition Standards Major software version upgrades have NOT been tested, certified, and placed on the DSN APL before installation. OAM&P / NM and CTI networks are NOT dedicated to the system that they serve in accordance with their separate DSN APL certifications. An OAM&P / NM and CTI network/LAN is connected to the local general use (base) LAN without appropriate boundary protection. An OAM&P / NM and CTI network/LAN is connected to the local general use (base) LAN without appropriate boundary protection. A detailed listing of all modems is not being maintained. EBCR-1, ECSC-1 DCPA-1, EBCR-1, ECSC-1 DCPA-1, EBCR-1, ECSC-1 DCPA-1, EBCR-1, ECSC-1 ECSC-1 DCHW-1, DCID-1, DCSW-1, ECSC-1

V0008535 DSN17.06

DCID-1

Interconnection Documentation

V0008545 DSN04.07

DCID-1

Interconnection Documentation

V0008544 DSN04.08

DCID-1

Interconnection Documentation

V0008542 DSN04.09 V0007987 DSN18.02

DCID-1 DCSD-1

Interconnection Documentation IA Documentation

DCSD-1

IA Documentation

The ISSO/IAO has not established Standard Operating Procedures. V0007935 DSN04.06 Documented procedures do not exist that will prepare for a suspected compromise of a DSN component. V0007972 DSN14.02

ECSC-1

DCSD-1

IA Documentation

EBCR-1 EBCR-1

EBCR-1

EBCR-1 ECAN-1

ECAN-1

ECAN-1

V0007979 A Voice/Video/RTS system is in operation but is not listed on the DSN APL nor is it in V0008345 A Voice/Video/RTS system or device is NOT installed according to the deployment restrictions and/or mitigations contained in the IA test report, Certifying Authority recommendation and/or DSAWG approval documentation. V0008346 Connection A Voice/Video/RTS system or device is Rules NOT installed in the same configuration and being used for the same purpose that was tested for prior to DSAWG approval and DSN APL listing. V0008347 Connection Unauthorized modems are installed. V0007988 Rules Access for Need- Foreign/Local National personnel hired by a to-Know base/post/camp/station for the purpose of operating or performing OAM&P / NM functions on DSN switches and subsystems have not been vetted through the normal process for providing SA clearance as dictated by the local Status of Forces Agreement (SOFA). V0008519 Access for Need- Foreign/Local National personnel have to-Know duties or access privileges that exceed those allowed by DODI 8500.2 E3.4.8. V0008520 Access for Need- The ISSO/IAO does not maintain a DSN to-Know Personnel Security Certification letter on file for each person involved in DSN A/NM duties. V0007981 Connection Rules Connection Rules Audit Record Content Classified Systems Audit of Security Label Changes Audit Record Content Classified Systems Audit of Security Label Changes Audit records do not record the identity of each person and terminal device having access to switch software or databases.

An Information Systems Security Officer/Information Assurance Officer (ISSO/IAO) is not designated for each telecommunications switching system or DSN Site.

DSN16.01 DSN03.04

PECF-1 DCAS-1, ECSC-1

DSN03.05

DCAS-1, ECSC-1

DSN03.06 DSN18.03

DCAS-1, ECSC-1 DCID-1, ECSC-1

DSN06.02

PECF-1

DSN06.03

PECF-1

DSN16.03

PECF-2

ECAR-3

V0007974 DSN15.02 Audit records do not record the time of the access.

ECAR-1, ECAR-3, ECSC-1

ECAR-3

V0007975 DSN15.03

ECAR-1, ECAR-3, ECSC-1

ECAR-3

ECAR-3

ECAT-2

ECCT-2

ECCT-2

ECCT-2

Audit Record Content Classified Systems Audit of Security Label Changes Audit Record Content Classified Systems Audit of Security Label Changes Audit Trail, Monitoring, Analysis and Reporting Encryption for Confidentiality (Data at Transmit) Encryption for Confidentiality (Data at Transmit) Encryption for Confidentiality (Data at Transmit) Logon

The auditing records do not record activities that may change, bypass, or negate safeguards built into the software. ECLC-1, ECSC-1

V0007976 DSN15.04 The auditing process DOES NOT record security relevant actions such as the changing of security levels or categories of information. V0008546 DSN15.07

ECAR-1, ECAR-3, ECSC-1 ECAT-1, ECRG-1, ECSC-1

Audit records are not being reviewed by the ISSO/IAO weekly. V0007978 DSN15.06 Links within the SS7 network are not encrypted. V0007950 DSN09.05

ECSC-1

ECLO-2

ECLP-1

Least Privilege

ECLP-1

Least Privilege

Transport circuits are not encrypted. V0007953 DSN11.01 FIPS 140-2 validated Link encryption mechanisms are not being used to provide end-to-end security of all data streams entering the remote access port of a telephone switch. V0007994 DSN18.09 The option to restrict user access based on duty hours is available but is not being utilized. V0007940 DSN06.04 The ISSO/IAO does not ensure that administration and maintenance personnel have proper access to the facilities, functions, commands, and calling privileges required to perform their job. V0007923 DSN01.03 System administrative and maintenance users are assigned accounts with privileges that are not commensurate with their assigned responsibilities. V0008558 DSN06.05

ECSC-1

ECSC-1

ECSC-1

ECSC-1

ECSC-1

ECLP-1

Least Privilege

The available option of Command classes or command screening is NOT being used to limit system privileges

ECMT-2

Conformance Monitoring and Testing

V0008554 DSN06.07 The IAO does not conduct and document self-inspections of the DSN components at least semi-annually for security risks. V0007921 DSN01.01

ECSC-1 ECMT-1, ECSC-1

ECMT-2

Conformance Monitoring and Testing Network Device Controls

V0007922 The sites telephone switch is not frequently monitored for changing calling patterns and system uses for possible security concerns. DSN systems are not registered in the DISA VMS. ECMT-1, ECSC-1

DSN01.02

ECND-2

V0007924 DSN02.01 ECND-2 Network Device Controls System Administrators (SAs) responsible for DSN information systems are not registered with the DISA VMS. V0007925 DSN02.02 ECND-2 Network Device Controls The ISSO/IAO and ISSM/IAM, in coordination with the SA, will be responsible for ensuring that all IAVM notices are responded to within the specified time period. IAVMs are not addressed using RTS system vendor approved or provided patches. V0008338 DSN02.04 ECND-2 Network Device Controls DoD voice/video/RTS information system assets and vulnerabilities are not tracked and managed using any vulnerability management system as required by DoD policy. Audit record archive and storage do not meet minimum requirements. V0007977 DSN15.05 A DoD Voice/Video/RTS system or device is NOT configured in compliance with all applicable STIGs or the appropriate STIGs have not been applied to the fullest extent V0008340 DSN03.01 possible. The DAA, IAM, IAO, or SA for the system DOES NOT enforce contract requirements for STIG compliance and validation. V0008342 DSN03.03

ECND-1, ECSC-1

ECND-1, ECSC-1

V0007926 DSN02.03

ECND-1, ECSC-1

ECND-2

Network Device Controls

ECND-1, ECSC-1

V0008339 DSN02.05

ECND-1, ECSC-1 ECTB-1, ECTP-1, ECSC-1

ECRR-1

Audit Record Retention Security Configuration Compliance Security Configuration Compliance

ECSC-1

ECSC-1

ECSC-1

Security Configuration Compliance

Switch administration, ADIMSS, or other Network Management terminals are not located on a dedicated LAN.

V0007930 DSN04.01

ECSC-1

Security Configuration Compliance

Network Management routers located at switch sites are not configured to provide IP and packet level filtering/protection. V0007931 DSN04.02

ECSC-1

Security Configuration Compliance

Administration terminals are used for other day-to-day functions (i.e. email, web browsing, etc). V0007932 DSN04.03 Switch Administration terminals do not connect directly to the switch administration port or connect via a controlled, dedicated, out of band network used for switch administration support. V0007933 DSN04.04 Attendant console ports are available to unauthorized users by not allowing any instrument other than the Attendant console to connect to the Attendant console port. V0007934 DSN04.05

ECSC-1

Security Configuration Compliance

ECSC-1

Security Configuration Compliance

ECSC-1

Security Configuration Compliance

An OAM&P / NM or CTI network DOES NOT comply with the Enclave and/or Network Infrastructure STIGs.

V0008541 DSN04.10

ECSC-1

Security Configuration Compliance Applicable security packages have not been installed on the system. V0007936 DSN05.01

ECSC-1

Security Configuration Compliance All system administrative and maintenance user accounts are not documented. V0008556 DSN06.06

ECSC-1

Security Configuration Compliance

The Direct Inward System Access feature and/or access to Voice Mail is not controlled by either class of service, special authorization code, or PIN. V0007941 DSN07.01

ECSC-1

Security Configuration Compliance

Direct Inward System Access and Voice Mail access codes are not changed semiannually.

V0007942 DSN07.02

ECSC-1

Security Configuration Compliance

Personal Identification Numbers (PIN) assigned to special subscribers used to control Direct Inward System Access and Voice Mail services are not being controlled like passwords and deactivated when no longer required. V0007943 DSN07.03

ECSC-1

Security Configuration Compliance

Privilege authorization, Direct Inward System Access and/or Voice Mail special authorization codes or individually assigned PINS are not changed when compromised. V0007944 DSN07.04 Equipment, cabling, and terminations that provide emergency life safety services such as 911 (or European 112) services and/or emergency evacuation paging systems are NOT clearly identified and marked. V0007945 DSN08.01

ECSC-1

Security Configuration Compliance

ECSC-1

Security Configuration Compliance There is no system installed that can provide emergency life safety or security announcements

V0008537 DSN08.02

ECSC-1

Security Configuration Compliance

A policy is NOT in place and/or NOT enforced regarding the use of unclassified telephone/RTS instruments located in areas or rooms where classified meetings, conversations, or work normally occur.

V0008539 DSN08.03

ECSC-1

Security Configuration Compliance

Voice/Video/RTS devices located in SCIFs do not prevent on-hook audio pick-up and/or do not have a speakerphone feature disabled or are not implemented in accordance with DCID 6/9 or TSG Standard 2. V0008543 DSN08.04

ECSC-1

Security Configuration Compliance SS7 links are not clearly identified and routed separately from termination point to termination point.

V0007946 DSN09.01

ECSC-1

Security Configuration Compliance The SS7 termination blocks are not clearly identified at the MDF.

V0007947 DSN09.02

ECSC-1

Security Configuration Compliance Power cabling that serves SS7 equipment is not diversely routed to separate Power Distribution Frames (PDF) and identified.

V0007948 DSN09.03

ECSC-1

Security Configuration Compliance Power cabling that serves SS7 equipment is not clearly identified at both the termination point and at the fusing position. V0007949 DSN09.04

ECSC-1

Security Configuration Compliance

A DoD VoIP system, device, or network is NOT configured in compliance with all applicable STIGs or the appropriate STIGs have not been applied to the fullest extent possible. V0007952 DSN10.02

ECSC-1

Security Configuration Compliance Physical access to commercial Add/Drop Multiplexers (ADMs) is not restricted.

V0007954 DSN11.02

ECSC-1

Security Configuration Compliance Security Configuration Compliance Security Configuration Compliance Security Configuration Compliance Security Configuration Compliance Security Configuration Compliance Security Configuration Compliance Security Configuration Compliance Security Configuration Compliance

ECSC-1

The ISSO/IAO does not maintain a library of security documentation. V0007955 DSN12.01 Crash-restart vulnerabilities are present on the DSN system component. V0007970 DSN13.15

ECSC-1

The latest software loads and patches are NOT applied to all systems to take advantage of security enhancements.

V0008531 DSN17.04

ECSC-1

Maintenance and security patches are NOT approved by the local DAA prior to installation in the system V0008532 DSN17.05

ECSC-1

Modems are not physically protected to prevent unauthorized device changes. Modem phone lines are not restricted and configured to their mission required purpose (i.e. inward/outward dial only).

V0007986 DSN18.01

ECSC-1

V0007989 DSN18.04

ECSC-1

Modem phone lines are not restricted to single-line operation. The option of Automatic Number Identification (ANI) is available but not being used.

V0007990 DSN18.05

ECSC-1

V0007991 DSN18.06

ECSC-1

Authentication is not required for every session requested.

V0007992 DSN18.07

ECSC-1

Security Configuration Compliance Security Configuration Compliance Security Configuration Compliance Security Configuration Compliance Security Configuration Compliance Security Configuration Compliance Security Configuration Compliance Security Configuration Compliance Security Configuration Compliance Security Configuration Compliance Security Configuration Compliance Security Configuration Compliance Security Configuration Compliance

The option to use the callback feature for remote access is not being used.

V0007993 DSN18.08

ECSC-1

The option to use two-factor authentication when accessing remote access ports is not being used. V0007995 DSN18.10 Administrative/maintenance ports are not being controlled by deactivating or physically disconnecting remote access devices when not in use.

ECSC-1

V0007996 DSN18.11

ECSC-1

Idle connections DO NOT disconnect in 15 min. V0007997 DSN18.12 The DSN component is not configured to be unavailable for 60 seconds after 3 consecutive failed logon attempts.

ECSC-1

V0007998 DSN18.13

ECSC-1

Serial management/maintenance ports are not configured to force out or drop any interrupted user session. V0007999 DSN18.14 An OOB Management DOES NOT comply with the Enclave and/or Network Infrastructure STIGs. V0008518 DSN18.15 OOB management network are NOT dedicated to management of like or associated systems Network management/maintenance ports are not configured to force out or drop any user session that is interrupted for more than 15 seconds.

ECSC-1

ECSC-1

V0008517 DSN18.16

ECSC-1

V0008516 DSN18.17

ECSC-1

A SMU component is not installed in a controlled space with visitor access controls applied. V0008515 DSN20.01

ECSC-1

The SMU ADIMSS connection is NOT dedicated to the ADIMSS network

V0008514 DSN20.02

ECSC-1

The ADIMSS server connected to the SMU is NOT dedicated to ADIMSS functions. V0008513 DSN20.03 The SMU management port or management workstations is improperly connected to a network that is not dedicated to management of the SMU.

ECSC-1

V0008512 DSN20.04

ECTP-1

Audit Trail Protection

Audit records are NOT stored in an unalterable file and can be accessed by individuals not authorized to analyze switch access activity. V0007973 DSN15.01 ECSC-1 A properly worded Login Banner is not used on all system/device management access ports and/or OAM&P/NM workstations. V0008000 DSN19.01 ECSC-1 Access to all management system workstations and administrative / management ports is NOT remotely authenticated. V0008560 DSN13.16 ECSC-1 Strong two-factor authentication is NOT used to access all management system workstations and administrative / management ports on all devices or systems.

ECWM-1 Warning Message

IAAC-1

Account Control

IAAC-1

Account Control

V0008559 DSN13.17

ECSC-1 IAIA-1, ECSC-1

IAIA-2

Individual Users are not required to change their Identification and password during their first session. Authentication Individual Default passwords and user names have Identification and not been changed. Authentication

V0007956 DSN13.01

IAIA-2

V0007957 DSN13.02 IAIA-2 Individual Shared user accounts are used and not Identification and documented by the ISSO/IAO. Authentication V0007958 DSN13.03 IAIA-2 Individual The option to disable user accounts after Identification and 30 days of inactivity is not being used. Authentication V0007959 DSN13.04 IAIA-2 Individual Management access points (i.e. Identification and administrative/maintenance ports, system Authentication access, etc.) are not protected by requiring a valid username and a valid password for access. Individual Passwords do not meet complexity Identification and requirements. Authentication V0007961 DSN13.06 IAIA-2 Individual Maximum password age does not meet Identification and minimum requirements. Authentication V0007962 DSN13.07

IAIA-1, ECSC-1

IAIA-1, ECSC-1

IAIA-1, ECSC-1

V0007960 DSN13.05

IAIA-1, ECSC-1

IAIA-2

IAIA-1, ECSC-1

IAIA-1, ECSC-1

IAIA-2

Individual Users are permitted to change their Identification and passwords at an interval of less than 24 Authentication hours without ISSO/IAO intervention. V0007963 DSN13.08 Individual Password reuse is not set to 8 or greater. Identification and Authentication V0007964 DSN13.09 Individual User passwords can be retrieved and Identification and viewed in clear text by another user. Authentication V0007966 DSN13.10 Individual User passwords are displayed in the clear Identification and when logging into the system. Authentication Individual The option to use passwords that are Identification and randomly generated by the DSN Authentication component is available but not being used. V0007968 DSN13.12 Individual The system is not configured to disable a Identification and users account after three notifications of Authentication password expiration. V0007969 DSN13.13 Individual The ISSO/IAO has not recorded the Identification and passwords of high level users (ADMIN) Authentication used on DSN components and stored them in a secure or controlled manner. V0007965 DSN13.14

IAIA-1, ECSC-1

IAIA-2

IAIA-1, ECSC-1

IAIA-2

IAIA-1, ECSC-1 IAIA-1, ECSC-1

IAIA-2

V0007967 DSN13.11

IAIA-2

IAIA-1, ECSC-1

IAIA-2

IAIA-1, ECSC-1

IAIA-2

IAIA-1, ECSC-1

PECF-2

Access to Computing Facilities

The IAO DOES NOT ensure that all temporary Foreign/Local National personnel given access to DSN switches and subsystems for the purpose of installation and maintenance, are controlled and provided direct supervision and oversight (e.g., escort) by a knowledgeable and appropriately cleared U.S. citizen. V0007937 The DSN system component is not installed in a controlled space with visitor access V0007971 controls applied. System administrators are NOT appropriately cleared. V0007982 Site staff does not verify and record the identity of individuals installing or modifying V0007983 a device or software. Site personnel have not received the proper security training and/or are not familiar with the documents located in the security library. V0007980 DSN06.01 ECSC-1

PECF-2

PECF-2

PECF-2

PRTN-1

Access to Computing Facilities Access to Computing Facilities Access to Computing Facilities Information Assurance Training

DSN14.01

ECSC-1

DSN16.04

ECSC-1

DSN17.01

ECSC-1

DSN16.02

ECSC-1

Totals CAT I CAT II CAT III CAT IV Total:

0 0 0 0 0

C/NC/NA

CAT

8500.2 COAS-2

Control Name Alternate Site Designation Protection of Backup and Restoration Assets Data Backup Procedures Disaster and Recovery Planning Enclave Boundary Defense

Vulnerability Description Proper Alternate Site is not Identified

VMS

STIG ID

Related IA Controls

V0008356 COBR-1 Inadequate Protection of Backup and Restoration Assets V0008357 Data backup is not performed daily. V0008360 V0008363

CODB-3

CODP-3

COEB-2

Disaster Recovery Plan does not allow for the resumption of mission or business critical functions within 24 hours. Inadequate Enclave Boundary Defense at the alternate site

V0008365 COED-2 Scheduled Exercises and Drills COEF-2 Identification of Essential Functions COMS-2 Maintenance Support COPS-3 Power Supply COSP-2 Spares and Parts Inadequate exercising of continuity of operations or disaster recovery plans V0008367 Mission and business essential functions and assets are not identified in the COOP/DRP Inadequate Maintenance support for key IT assets Lack of uninterruptible power Maintenance spares and spare parts for key IT assets cannot be obtained within 24 hours of failure Inadequate Back-up Software V0008377 Inadequate Recovery Procedures V0008378 No Annual Comprehensive IA Review V0008379 Unevaluated IA Products Procured V0008380 Inadequate Security Design

V0008369 V0008371 V0008374

V0008376

COSW-1 Backup Copies of Critical SW COTR-1 Trusted Recovery DCAR-1 Procedural Review DCAS-1 Acquisition Standards DCBP-1 Best Security Practices

V0008381 DCCB-2 Control Board Inadequate Configuration Control Board.

V0008383

DCCS-2

Configuration Specifications Compliance Testing

Use of Improper Security Configuration Guidance DCCS-2 Inadequate Deployment Procedures

DCCT-1

V0008386 DCDS-1 Dedicated IA Services DCFA-1 Functional Architecture for AIS Applications DCHW-1 HW Baseline DCID-1 DCII-1 DCIT-1 Interconnection Documentation IA Impact Assessment IA for IT Services Outsourcing Risk Assessment V0008387 Inadequate Functional Architecture Documentation V0008388 Inadequate baseline inventory of hardware V0008389 Inadequate Interconnection Documentation in the SSP Proposed changes not assessed for IA impact Acquisition does not address IA roles and responsibilities. Improper Use of Mobile Code Algorithms are not FIPS 140-2 compliant User interface services not separated A discrete line item for Information Assurance is not established in programming and budget documentation. Unauthorized use of software V0008390 V0008391 V0008392 V0008393 V0008394 V0008395

DCMC-1 Mobile Code DCNR-1 Non-repudiation DCPA-1 Partitioning the Application DCPB-1 IA Program and Budget DCPD-1

V0008396

DCPP-1

Public Domain Software Controls Ports, Protocols, Noncompliance with DOD PPS CAL and Services requirements CM Process IA Documentation System Library Management Controls Security Support Structure Partitioning Software Quality

V0008397

V0008398 DCPR-1 DCSD-1 DCSL-1 Inadequate Configuration Management (CM) process Inadequate IA Documentation Improper management of system libraries V0008401 The security support structure is not isolated V0008402 Software quality requirements not specified V0008403 High Robustness Protection Profiles not met V0008406 Insufficient secure state assurance. V0008408 V0008409 Inadequate Baseline Software Inventory V0008399 V0008400

DCSP-1 DCSQ-1 DCSR-3

Specified Robustness High DCSS-2 System State Changes DCSW-1 SW Baseline

EBBD-3 EBCR-1 EBRP-1

EBRU-1

EBVC-1 ECAD-1 ECAN-1 ECAR-3

Boundary Defense Connection Rules Remote Access for Privileged Functions Remote Access for User Functions VPN Controls Affiliation Display Access for Needto-Know Audit Record Content Classified Systems Audit of Security Label Changes Audit Trail, Monitoring, Analysis and Reporting Changes to Data

Inadequate Boundary Defense V0008412 Noncompliance with connection rules V0008413 Insufficiently controlled remote access for privileged functions V0008415 Insufficiently controlled remote access V0008416 V0008417 V0008418 Improper access to data V0008419 Inadequate audit record content

VPN traffic not visible to IDS Inadequate Affiliation Information

V0008422 Inadequate audit record review

ECAT-2

V0008424 Inadequate access control mechanisms V0008426

ECCD-2

ECCM-1 COMSEC Noncompliance with DoD Directive C5200.5. Inadequate encryption of stored classified information.

V0008427

ECCR-2

Encryption for Confidentiality (Data at Rest) Encryption for Confidentiality (Data at Rest) Encryption for Confidentiality (Data at Transmit)

V0008429 ECCR-3 Inadequate encryption of SAMI

V0008430 ECCT-2 Inadequate encryption of transmitted data

V0008432 V0008433

ECDC-1 ECIC-1

Data Change Transaction journaling not implemented. Controls Interconnections Controlled interface is not used among DoD Systems and Enclaves

V0008434

ECID-1

Host Based IDS

Host-based intrusion detection systems are not properly deployed V0008435 Unapproved Instant messaging

ECIM-1

Instant Messaging

V0008436 ECLC-1 Audit Record Inadequate audit of confidentiality or Content integrity labels Classified Systems Audit of Security Label Changes Logon Successive logon attempts and/or concurrent sessions per user are not controlled Separation of duties and least privilege principles not enforced Failure to properly Mark and Label V0008441 Inadequate Conformance Testing Program V0008443 Ineffective network device control program V0008445 Need-to-Know information is not properly protected SAMI information is not properly protected in transit Roles-base-access is not used Inadequate Control of Application programmer privileges Object reuse is not implemented Audit Tools not available V0008452 Audit records not properly retained V0008453 DoD Security configuration guides not applied. V0008454 Inadequate Software Change Control V0008456 Inadequate audit backup. V0008457 Tempest Requirements not Met V0008458 V0008446 V0008447 V0008448 V0008450 V0008451 ECRG-1 Audit Reduction and Report Generation Audit Record Retention Security Configuration Compliance Software Development Change Controls Audit Trail Backup Tempest Controls

V0008437

ECLO-2

V0008439 V0008440

ECLP-1 ECML-1 ECMT-2

Least Privilege Marking and Labeling Conformance Monitoring and Testing Network Device Controls Encryption for Need-To-Know Encryption for Need-To-Know Privileged Account Control Production Code Change Controls Resource Control

ECND-2 ECNK-1 ECNK-2 ECPA-1 ECPC-2 ECRC-1

ECRR-1 ECSC-1

ECSD-2

ECTB-1 ECTC-1

ECTM-2

Transmission Integrity mechanisms are not properly Integrity Controls employed V0008460 Audit Trail Excessive access to audit trails Protection Voice-over-IP Unauthorized use of VOIP (VoIP) Protection Inadequate anti-virus software Inadequate Warning Message Improper Wireless capabilities Implementation V0008465 No comprehensive account management process exists Unapproved group authenticators in use V0008466 V0008467

ECTP-1 ECVI-1

V0008461

ECVP-1 Virus Protection ECWM-1 Warning Message ECWN-1 Wireless Computing and Network IAAC-1 Account Control IAGA-1 IAIA-2

V0008462 V0008463 V0008464

Group Authentication Individual Inadequate Individual Identification and Identification and Authentication Authentication Individual Inadequate Individual Identification and Identification and Authentication Authentication

V0008468 IAIA-2

IAIA-1

V0008511 IAKM-3 IAKM-3 IATS-2 Key Management Insufficient Key management V0008470 Key Management Insufficient Key management V0008471 Token and Certificate Standards Access to Computing Facilities Clearing and Sanitizing Destruction Data Interception Emergency Lighting Fire Detection Fire Inspection Fire Suppression Improper IA method in use V0008473 Unauthorized physical access V0008475 Improper Clearing or Purging Procedures Improper destruction procedures Data Displays incorrectly positioned Inadequate automatic emergency lighting system Inadequate fire detection Inadequate fire safety program Inadequate fire suppression V0008477 V0008478 V0008479 PEEL-2 PEFD-2 PEFI-1 PEFS-2 PEHC-2 PEMS-1 V0008481 V0008483 V0008484 V0008486 Humidity Controls Inadequate Humidity Controls V0008488 Master Power Switch Inadequate master power shut off capability V0008489 IAKM-1, IAKM-2

PECF-2

PECS-2 PEDD-1 PEDI-1

PEPF-2

PEPS-1 PESL-1 PESP-1

Physical Protection of Facilities Physical Security Testing Screen Lock Workplace Security Procedures Storage Temperature Controls Environmental Control Training Visitor Control to Computing Facilities Voltage Regulators Access to Information Maintenance Personnel Access to Needto-Know Information Security Rules of Behavior or Acceptable Use Policy Information Assurance Training Incident Response Planning Vulnerability Management

Inadequate security of physical access points V0008491 A facility penetration testing process is not in place Automatic screen-lock is not functional Inadequate Workplace Security Procedures V0008494 Improper Storage of Documents and Equipment Inadequate Temperature Controls V0008497 Inadequate employee training in the operation of environmental controls. Inadequate Visitor Control. V0008498 V0008495 V0008492 V0008493

PESS-1 PETC-2 PETN-1 PEVC-1

V0008499 Inadequate Voltage Control V0008500 Improper Access to Information V0008502 Inadequate Control of Maintenance Personnel Improper Access granted V0008504

PEVR-1 PRAS-2 PRMP-2 PRNK-1

V0008505 User Agreements are not in place.

PRRB-1

V0008506 Insufficient Information Assurance Training Program V0008507 Insufficient Incident Response Planning V0008509 Vulnerability Management Program is Inadequate V0008510

PRTN-1

VIIR-2

VIVM-1

Totals CAT I CAT II CAT III Total:

0 0 0 0

C/NC/NA

CAT

8500.2 DCII-1

Control Name IA Impact Assessment

Vulnerability Description A VTC management system or endpoint use does not have written approval and acceptance of risk by the responsible DAA.

IP/ISDN IP & ISDN

VMS

V0017709 DCPP-1 Ports, Protocols, VTC ports and protocols cross and Services DoD/Enclave boundaries without prior registration in the DoD Ports and Protocols Database. CM Process Deficient SOP or enforcement regarding the approval and deployment of VTC capabilities. Deficient SOP for, enforcement, usage, or configuration of the auto-answer feature. Deficient SOP or enforcement regarding handling of incoming calls while in a conference. VTC endpoints and other VTC system components do not comply with DoD 8500.2 IA Controls. IP only

V0017718 IP & ISDN V0017708 IP & ISDN V0017596

DCPR-1

DCSD-1

IA Documentation IA Documentation Audit Trail, Monitoring, Analysis and Reporting

DCSD-1

IP & ISDN V0017598 IP & ISDN

ECAT-2

V0017589 ECCT-2 Encryption for Confidentiality (Data at Transmit) Least Privilege VTC media is not encrypted. IP & ISDN

V0017683 A CODEC's local Application Programmers Interface (API) provides unrestricted access to user or administrator configuration settings and CODEC controls without the use of an appropriate password. VTC media is not encrypted. VTU does not use or provide FIPS 140-2 validated encryption module. Secure protocols are not used for CODEC remote control and management. IP & ISDN

ECLP-1

V0017699 ECNK-1 ECNK-1 ECNK-1 Encryption for Need-To-Know Encryption for Need-To-Know Encryption for Need-To-Know IP & ISDN V0017683 IP & ISDN V0017684 IP only V0017701

ECPA-1

Privileged Account Control

ECPA-1

Privileged Account Control

A CODEC's local Application Programmers Interface (API) provides unrestricted access to user or administrator configuration settings and CODEC controls without the use of an appropriate password. Access Control Measures are not implemented for all conferences hosted on a centralized MCU appliance.

IP & ISDN

V0017699 IP & ISDN

V0017719 ECPA-1 Privileged Account Control Access Control Measures are not implemented for all conferences hosted on a centralized MCU appliance. IP & ISDN

V0017720 ECSC-1 Security Configuration Compliance VTC systems are not segregated on the LAN from data systems and other nonintegrated voice communication (VoIP) systems. Software Deficient SOP or enforcement regarding Development the use of software based virtual Change Controls connection between the PC and the VTC CODEC. Audit Trail Protection VTC endpoints and other VTC system components do not comply with DoD 8500.2 IA Controls. IP only

V0017713 IP only

ECSD-2

V0017698 IP & ISDN

ECTP-1

V0017589 ECWM-1 Warning Message ECWN-1 Wireless Computing and Network ECWN-1 Wireless Computing and Network ECWN-1 Wireless Computing and Network A DoD logon Electronic Notice (Warning) and Consent Banner is not displayed prior to logon and acknowledged by the user. VTC endpoints simultaneously connect to a wired LAN and a wireless LAN. IP & ISDN V0017706 IP only V0017715 IP only A VTU endpoint does not have the wireless LAN capability disabled. IP & ISDN A VTU or conference room implemented using wireless components is not protected from external control or compromise.

V0017716

V0017717

IAAC-1

Account Control

Use of media streaming is not documented properly or is not configured securely.

IP only

V0016560 IAAC-1 Account Control Deficient SOP or enforcement for VTC/CODEC streaming. IP only

V0016564 IAAC-1 Account Control Deficient user or administrator training regarding the vulnerabilities with, and operation of, CODEC streaming. IP only

V0017694 IAGA-1 Group Authentication Deficient SOP or enforcement of the SOP for manual password management. IP & ISDN

V0017692 IAIA-2 Individual Inadequate Identification and operator/facilitator/administrator access Authentication control for remote monitoring of a VTU connected to an IP network. Individual Default passwords are not changed. Identification and Authentication Individual Passwords are displayed in clear text when Identification and logging onto a VTU. Authentication Individual Passwords do not meet complexity or Identification and strength. Authentication Individual Different VTU passwords are not used for Identification and different VTU functions. Authentication Individual Classified VTU activated without unique Identification and user login. Authentication IP only

V0017600 IP & ISDN

IAIA-2

V0017687 IAIA-2 IP & ISDN

V0017688 IAIA-2 IP & ISDN

V0017689 IAIA-2 IP & ISDN

V0017690 IAIA-2 IP & ISDN

V0017691

IAIA-2

Individual Deficient SOP or enforcement of the SOP Identification and for manual password management. Authentication

IP & ISDN

V0017692 IAIA-2 Individual Deficient SOP or enforcement of One Time Identification and Use local meeting password. Authentication IP & ISDN

V0017693 IAIA-2 Individual Administrative sessions with the VTU do Identification and not timeout within a maximum of 15 Authentication minutes. IP & ISDN

V0016557 IAIA-2 Individual Use of media streaming is not documented Identification and properly or is not configured securely. Authentication IP only

V0016560 IAIA-2 Individual Deficient SOP or enforcement for Identification and VTC/CODEC streaming. Authentication IP only

V0016564 IAIA-2 Individual Deficient user or administrator training Identification and regarding the vulnerabilities with, and Authentication operation of, CODEC streaming. IP only

V0017694 IAIA-2 Individual A CODEC's local Application Programmers Identification and Interface (API) provides unrestricted access Authentication to user or administrator configuration settings and CODEC controls without the use of an appropriate password. Individual Secure protocols are not used for CODEC Identification and remote control and management. Authentication IP & ISDN

V0017699 IAIA-2 IP only

V0017701

IAIA-2

Individual Access Control Measures are not Identification and implemented for all conferences hosted on Authentication a centralized MCU appliance.

IP & ISDN

V0017719 IAIA-2 Individual Access Control Measures are not Identification and implemented for all conferences hosted on Authentication a centralized MCU appliance. IP & ISDN

V0017720 PEDI-1 Data Interception Deficient SOP or enforcement regarding how to power-off the VTU when it is not actively participating in a conference. Data Interception Deficient SOP or enforcement for microphone and camera disablement when the VTU is required to be powered and inactive (in standby). Maintenance Personnel Insufficient security clearance held by an operator/facilitator/administrator performing remote monitoring activities during a VTC session/conference. IP & ISDN V0017591 IP & ISDN

PEDI-1

V0017592 IP & ISDN

PRMP-2

V0017681 IP & ISDN

PRNK-1

PRRB-1

PRRB-1

Access to Need- Insufficient security clearance held by an to-Know operator/facilitator/administrator Information performing remote monitoring activities during a VTC session/conference. Security Rules of VTC system user agreements are not Behavior or signed or used when a user receives an Acceptable Use endpoint or approval to use an endpoint. Policy Security Rules of User Guides and documentation packages Behavior or have not been developed and distributed to Acceptable Use users that operate and work with VTC Policy endpoints. Information Assurance Training Information Assurance Training Information Assurance Training Deficient user or administrator training regarding the vulnerabilities with, and operation of, CODEC streaming. Inadequate user training for pc presentation sharing that could lead to compromise of other information on the presenting PC. Deficient IA training for VTC system/endpoint users, administrators, and helpdesk representatives.

V0017681 IP & ISDN

V0017711 IP & ISDN

V0017712 IP only V0017694 IP & ISDN

PRTN-1

PRTN-1

V0017697 PRTN-1 IP & ISDN

V0017710

PRTN-1

Information Assurance Training Vulnerability Management

User Guides and documentation packages have not been developed and distributed to users that operate and work with VTC endpoints. Deficient SOP or enforcement regarding the use of software based virtual connection between the PC and the VTC CODEC. A VTC system/device is not running the latest DoD approved patches/firmware/software from system/device vendor.

IP & ISDN

V0017712 IP only

VIVM-1

V0017698 IP & ISDN

VIVM-1

Vulnerability Management

V0017705

Totals CAT I CAT II CAT III Total:

0 0 0 0

STIG ID

Related IA Controls C/NC/NA

CAT

RTS-VTC 3640.00

None.

RTS-VTC 4520.00 RTS-VTC 3620.00 RTS-VTC 1060.00 RTS-VTC 1140.00

None. DCBP-1, ECND-1 DCBP-1, ECSC-1 DCBP-1, ECSC-1, PEDI-1 DCBP-1, IAAC-1, IAIA-1 & 2, ECLO-1 & 2, ECWN1, ECPA-1, ECPA-1, ECLP-1, ECAT-1, ECAR-1, 2, & 3, and ECTP-1

RTS-VTC 1000.00

RTS-VTC 1220.00

ECNK-1, ECSC-1

RTS-VTC 2820.00 RTS-VTC 1220.00 RTS-VTC 1230.00 RTS-VTC 3120.00

DCBP-1, ECPA-1, IAIA-1, IAIA2 ECCT-1, ECSC-1 ECCT-1, ECSC-1 DCBP-1, ECSC-1

RTS-VTC 2820.00

DCBP-1, ECLP-1, IAIA-1, IAIA2

RTS-VTC 5020.00

IAIA-1, IAIA2

RTS-VTC 5120.00

IAIA-1, IAIA2 DCBP-1, ECND-1, DCSP-1 DCBP-1, ECSC-1, VIVM-1, ECND-1 DCBP-1, IAAC-1, IAIA-1 & 2, ECLO-1 & 2, ECWN1, ECPA-1, ECPA-1, ECLP-1, ECAT-2, ECAR-1, 2, & 3, and ECTP-1

RTS-VTC 4120.00

RTS-VTC 2480.00

RTS-VTC 1000.00 RTS-VTC 3420.00 RTS-VTC 4320.00

ECSC-1

None.

RTS-VTC 4360.00

None.

RTS-VTC 4420.00

ECSC-1

RTS-VTC 2340.00

IAIA-1, IAIA2, ECSC-1, DCBP-1

RTS-VTC 2360.00

IAIA-1, IAIA2, ECSC-1, DCBP-1

RTS-VTC 2365.00

IAIA-1, IAIA2, DCBP-1, PRTN-1 IAIA-1, IAIA2, IAAC-1, ECLO-1, ECSC-1, DCBP-1 IAIA-1, ECSC-1, DCBP-1 IAIA-1, ECSC-1, DCBP-1 IAIA-1, ECSC-1, DCBP-1 IAIA-1, ECSC-1, DCBP-1 IAIA-1, ECSC-1, DCBP-1 IAIA-1, ECSC-1, DCBP-1

RTS-VTC 2040.00

RTS-VTC 1162.00

RTS-VTC 2020.00

RTS-VTC 2022.00

RTS-VTC 2024.00

RTS-VTC 2026.00

RTS-VTC 2028.00

RTS-VTC 2040.00

IAIA-1, ECSC-1, DCBP-1, IAGA-1, IAAC-1, ECLO-1

RTS-VTC 2320.00

IAIA-1, IAAC-1, DCBP-1, ECSC-1

RTS-VTC 2325.00

IAIA-1, ECSC-1, DCBP-1

RTS-VTC 2340.00

IAIA-1, IAAC-1, DCBP-1, ECSC-1

RTS-VTC 2360.00

IAIA-1, IAAC-1, DCBP-1, ECSC-1

RTS-VTC 2365.00

IAIA-1, IAAC-1, DCBP-1, PRTN-1

RTS-VTC 2820.00

IAIA-1, DCBP-1, ECLP-1, ECPA-1

RTS-VTC 3120.00

ECSC-1, DCBP-1

RTS-VTC 5020.00

IAIA-1, ECPA-1

RTS-VTC 5120.00 RTS-VTC 1020.00

IAIA-1, ECPA-1 DCSD-1, DCBP-1, ECSC-1 DCSD-1, DCBP-1, ECSC-1

RTS-VTC 1025.00

RTS-VTC 1168.00

PRNK-1, PRMP-1

RTS-VTC 1168.00

PRMP-1, PRMP-2

RTS-VTC 3720.00

None.

RTS-VTC 3740.00 RTS-VTC 2365.00

None.

None.

RTS-VTC 2460.00

None.

RTS-VTC 3660.00

None.

RTS-VTC 3740.00

None. DCBP-1, ECSC-1, ECSD-2, ECND-1 DCBP-1, ECND-1, ECND-2

RTS-VTC 2480.00

RTS-VTC 3320.00

8500.2 COAS-2 COBR-1 CODB-3 CODP-2 COEB-1 COED-1 COEF-2 COMS-2 COPS-2 COSP-1 COSW-1 COTR-1 DCAR-1 DCAS-1 DCBP-1 DCCB-2 DCCS-2 DCCT-1 DCDS-1 DCFA-1 DCHW-1 DCID-1 DCII-1 DCIT-1 DCMC-1 DCNR-1 DCPA-1 DCPB-1 DCPD-1 DCPP-1 DCPR-1 DCSD-1 DCSL-1 DCSP-1 DCSQ-1

Scorecard NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA

CAT I CAT II CAT III CAT IV Total:

0 0 0 0 0

DCSR-3 DCSS-2 DCSW-1 EBBD-3 EBCR-1 EBRP-1 EBRU-1 EBVC-1 ECAD-1 ECAN-1 ECAR-3 ECAT-2 ECCD-2 ECCM-1 ECCR-2 ECCR-3 ECCT-2 ECDC-1 ECIC-1 ECID-1 ECIM-1 ECLC-1 ECLO-2 ECLP-1 ECML-1 ECMT-2 ECND-2 ECNK-1 ECNK-2 ECPA-1 ECPC-2 ECRC-1 ECRG-1 ECRR-1 ECSC-1 ECSD-2 ECTB-1

NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA

ECTC-1 ECTM-2 ECTP-1 ECVI-1 ECVP-1 ECWM-1 ECWN-1 IAAC-1 IAGA-1 IAIA-2 IAKM-3 IATS-2 PECF-2 PECS-2 PEDD-1 PEDI-1 PEEL-2 PEFD-2 PEFI-1 PEFS-2 PEHC-2 PEMS-1 PEPF-2 PEPS-1 PESL-1 PESP-1 PESS-1 PETC-2 PETN-1 PEVC-1 PEVR-1 PRAS-2 PRMP-2 PRNK-1 PRRB-1 PRTN-1 VIIR-1

NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA NA

VIVM-1

NA