Title

There must be user documentation describing the correct usage and user responsibilities for an A/B switch. (Cat III impact)

Discussion

The Security Features Users Guide (SFUG) gives the user a single source to find security policy and guidance as to the user’s responsibility for security. The general policies and user responsibilities as apply to A/B switches and any local security policies will be placed in the SFUG or similar document. The ISSO will maintain and distribute to the users a SFUG that describes the correct uses of an A/B switch and the user’s responsibilities.

Check Content

The reviewer will interview the ISSO and view the SFUG or equivalent documentation to verify the following points are discussed. 1. A/B switches should be used only if there is no other solution. 2. A/B switches should be used only to connect multiple peripheral devices to a single IS. 3. A/B switches should never be used to connect a single peripheral to multiple ISs. 4. If an A/B switch is used to connect or share peripheral devices between two or more ISs, the ISs should be intended for the use of a single user within the users work area, and be visible from all ISs that it is attached. If documentation does not exist with the SFUG, describing the correct usage of an A/B switch and the user’s responsibilities, this is a finding.

Fix Text

Create a section in the site's SFUG that contains general security policies and guidance plus the site's security policies and guidance for use of an A/B switch.

Additional Identifiers

Rule ID: SV-6922r2_rule

Vulnerability ID: V-6719

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.