Title

A network attached KVM switch must not be configured to control the power supplied to the ISs attached to the KVM switch or the connectors on the KVM switch that support this feature are not blocked with tamper evident seals. (Cat II impact)

Discussion

If a network attached KVM switch can control the power to the ISs attached to it and the KVM switch is compromised, a denial of service can be caused by powering off all the ISs attached to the KVM switch without accessing the individual ISs. The ISSO will ensure any feature that allows the KVM switch to directly control the power supplied to the ISs is not configured or used, and any connectors on the KVM switch used to support this feature are blocked with a tamper evident seal.

Check Content

With the assistance of the ISSO, verify the network attached KVM switch is not configured to control the power of the ISs attached and all connectors on the KVM switch that support this functionality are blocked with tamper evident seals. If the KVM switch is configured to control the power of connected ISs, this is a finding.

Fix Text

Remove the KVM switch’s control over the power supplied to the ISs and block any connectors on the KVM switch used to support this feature with tamper evident seals. NSA IAD Protective Technologies has tamper evident products available for use, including seals for RJ45, D-sub, and USB ports. These can be obtained by contacting them either on NIPRNet at ptproducts@radium.ncsc.mil or on SIPRNet at ptproducts@nsa.smil.mil. When ordering, please specify that this is for use on a DoD Information System and the government use version is needed.

Additional Identifiers

Rule ID: SV-6916r3_rule

Vulnerability ID: V-6716

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.