Title

The impact of CPCON changes on the cross-directory authentication configuration must be considered and procedures documented. (Cat III impact)

Discussion

When incidents occur that require a change in the Cyber Protection Conditions (CPCON) with the release of USSCI 5200-13 status, it may be necessary to take action to restrict or disable certain types of access based on a directory outside the Component's control. Cross-directory configurations (such as trusts and pass-through authentication) are specifically designed to enable resource access across directories. If conditions indicate an outside directory is at increased risk of compromise in the immediate or near future, actions to avoid a spread of the effects of the compromise must be taken. A trusted outside directory that is compromised could allow an unauthorized user to access resources in the trusting directory.

Check Content

1. Refer to the list of actual manual AD trusts (cross-directory configurations) collected from the site representative. 2. If there are no manual AD trusts (cross-directory configurations) defined, this check is not applicable. For AD, this includes external, forest, or realm trust relationship types. 3. Obtain a copy of the site's supplemental CPCON procedures as required by Strategic Command Directive (SD) 527-1. 4. Verify that it has been determined by the IAM whether CPCON response actions need to include procedures to disable manual AD trusts (cross-directory configurations). The objective is to determine if the need has been explicitly evaluated. 5. If it has been determined that actions to disable manual AD trusts (cross-directory configurations) are not necessary, then this check is not applicable. 6. If it has been determined that actions to disable manual AD trusts (cross-directory configurations) are necessary, verify that the policy to implement these actions has been documented. 7. If actions to disable manual AD trusts (cross-directory configurations) are needed and no policy has been documented, then this is a finding.

Fix Text

Evaluate cross-directory configurations (such as trusts and pass-through authentication) and provide documentation that indicates: 1. An evaluation was performed. 2. The specific AD trust configurations, if any, that must be disabled during changes in CPCON status because they could represent increased risk.

Additional Identifiers

Rule ID: SV-243501r1016334_rule

Vulnerability ID: V-243501

Group Title: SRG-OS-000480

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.